README: Fix docker-compose mention

Previously rendered poorly on both GitHub and Docker Hub.

README.md

@@ -40,6 +40,10 @@ a corresponding [Digital Ocean Community Tutorial](http://bit.ly/1AGUZkq).
 
         docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
 
+## Docker Compose
+
+If you prefer to use `docker-compose` please refer to the [documentation](docs/docker-compose.md).
+
 ## Debugging Tips
 
 * Create an environment variable with the name DEBUG and value of 1 to enable debug output (using "docker -e").

bin/ovpn_genconfig

@@ -4,11 +4,10 @@
 # Generate OpenVPN configs
 #
 
-USE_DEFAULT_ROUTE=true
-
 TMP_PUSH_CONFIGFILE=$(mktemp -t vpn_push.XXXXXXX)
 TMP_ROUTE_CONFIGFILE=$(mktemp -t vpn_route.XXXXXXX)
 TMP_EXTRA_CONFIGFILE=$(mktemp -t vpn_extra.XXXXXXX)
+TMP_EXTRA_CLIENT_CONFIGFILE=$(mktemp -t vpn_extra_client.XXXXXXX)
 
 #Traceback on Error and Exit come from https://docwhat.org/tracebacks-in-bash/
 set -eu
@@ -47,6 +46,7 @@ on_exit() {
   rm -f $TMP_PUSH_CONFIGFILE
   rm -f $TMP_ROUTE_CONFIGFILE
   rm -f $TMP_EXTRA_CONFIGFILE
+  rm -f $TMP_EXTRA_CLIENT_CONFIGFILE
   local _ec="$?"
   if [[ $_ec != 0 && "${_showed_traceback}" != t ]]; then
     traceback 1
@@ -85,6 +85,7 @@ usage() {
     echo "usage: $0 [-d]"
     echo "                  -u SERVER_PUBLIC_URL"
     echo "                 [-e EXTRA_SERVER_CONFIG ]"
+    echo "                 [-E EXTRA_CLIENT_CONFIG ]"
     echo "                 [-f FRAGMENT ]"
     echo "                 [-n DNS_SERVER ...]"
     echo "                 [-p PUSH ...]"
@@ -129,6 +130,13 @@ process_extra_config() {
 
 }
 
+process_extra_client_config() {
+  local ovpn_extra_config=''
+  ovpn_extra_config="$1"
+  echo "Processing Extra Client Config: '${ovpn_extra_config}'"
+  [[ -n "$ovpn_extra_config" ]] && echo "$ovpn_extra_config" >> "$TMP_EXTRA_CLIENT_CONFIGFILE"
+}
+
 if [ "${DEBUG:-}" == "1" ]; then
   set -x
 fi
@@ -155,12 +163,13 @@ OVPN_TLS_CIPHER=''
 OVPN_CIPHER=''
 OVPN_AUTH=''
 OVPN_EXTRA_CONFIG=''
+CUSTOM_ROUTE_CONFIG=''
 
 # Import defaults if present
 [ -r "$OVPN_ENV" ] && source "$OVPN_ENV"
 
 # Parse arguments
-while getopts ":a:e:C:T:r:s:du:cp:n:DNmf:tz2" opt; do
+while getopts ":a:e:E:C:T:r:s:du:cp:n:DNmf:tz2" opt; do
     case $opt in
         a)
             OVPN_AUTH="$OPTARG"
@@ -168,6 +177,9 @@ while getopts ":a:e:C:T:r:s:du:cp:n:DNmf:tz2" opt; do
         e)
             process_extra_config "$OPTARG"
             ;;
+        E)
+            process_extra_client_config "$OPTARG"
+            ;;
         C)
             OVPN_CIPHER="$OPTARG"
             ;;
@@ -175,7 +187,7 @@ while getopts ":a:e:C:T:r:s:du:cp:n:DNmf:tz2" opt; do
             OVPN_TLS_CIPHER="$OPTARG"
             ;;
         r)
-            USE_DEFAULT_ROUTE=false
+            CUSTOM_ROUTE_CONFIG=1
             process_route_config "$OPTARG"
             ;;
         s)
@@ -239,7 +251,7 @@ done
 [ ${#TMP_DNS_SERVERS[@]} -gt 0 ] && OVPN_DNS_SERVERS=("${TMP_DNS_SERVERS[@]}")
 
 # Server name is in the form "udp://vpn.example.com:1194"
-if [[ "${OVPN_SERVER_URL:-}" =~ ^((udp|tcp)://)?([0-9a-zA-Z\.\-]+)(:([0-9]+))?$ ]]; then
+if [[ "${OVPN_SERVER_URL:-}" =~ ^((udp|tcp|udp6|tcp6)://)?([0-9a-zA-Z\.\-]+)(:([0-9]+))?$ ]]; then
     OVPN_PROTO=${BASH_REMATCH[2]};
     OVPN_CN=${BASH_REMATCH[3]};
     OVPN_PORT=${BASH_REMATCH[5]};
@@ -253,7 +265,12 @@ fi
 # Apply defaults
 [ -z "$OVPN_PROTO" ] && OVPN_PROTO=udp
 [ -z "$OVPN_PORT" ] && OVPN_PORT=1194
-[ $USE_DEFAULT_ROUTE ] && process_route_config "192.168.254.0/24"
+[ -z "$CUSTOM_ROUTE_CONFIG" ] && process_route_config "192.168.254.0/24"
+
+# Save extra client config from temp file only if temp file is not empty
+if [ -s "$TMP_EXTRA_CLIENT_CONFIGFILE" ]; then
+  OVPN_ADDITIONAL_CLIENT_CONFIG=$(cat $TMP_EXTRA_CLIENT_CONFIGFILE)
+fi
 
 export OVPN_SERVER OVPN_ROUTES OVPN_DEFROUTE
 export OVPN_SERVER_URL OVPN_ENV OVPN_PROTO OVPN_CN OVPN_PORT
@@ -262,6 +279,7 @@ export OVPN_TLS_CIPHER OVPN_CIPHER OVPN_AUTH
 export OVPN_COMP_LZO
 export OVPN_OTP_AUTH
 export OVPN_FRAGMENT
+export OVPN_ADDITIONAL_CLIENT_CONFIG
 
 # Preserve config
 if [ -f "$OVPN_ENV" ]; then
@@ -269,7 +287,18 @@ if [ -f "$OVPN_ENV" ]; then
     echo "Backing up $OVPN_ENV -> $bak_env"
     mv "$OVPN_ENV" "$bak_env"
 fi
-export | grep OVPN_ > "$OVPN_ENV"
+
+# Like `export | grep OVPN_ > "$OVPN_ENV"` but handles multiline variables
+set +u
+while read var ; do
+  eval value=\$$var
+  if [ -n "$value" ]; then
+    echo "declare -x $var=\"$value\"" >> "$OVPN_ENV"
+  else
+    echo "declare -x $var" >> "$OVPN_ENV"
+  fi
+done < <(export | egrep -o '(OVPN_[^=]+)')
+set -u
 
 conf=${OPENVPN:-}/openvpn.conf
 if [ -f "$conf" ]; then
@@ -329,6 +358,7 @@ cat $TMP_PUSH_CONFIGFILE >> "$conf"
 if [ -n "${OVPN_OTP_AUTH:-}" ]; then
     echo -e "\n\n# Enable OTP+PAM for user authentication" >> "$conf"
     echo "plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn" >> "$conf"
+    echo "reneg-sec 0" >> "$conf"
 fi
 
 echo -e "\n### Extra Configurations Below" >> "$conf"

bin/ovpn_getclient

@@ -38,7 +38,14 @@ dev $OVPN_DEVICE
 key-direction 1
 remote-cert-tls server
 
-remote $OVPN_CN $OVPN_PORT $OVPN_PROTO
+remote $OVPN_CN $OVPN_PORT $OVPN_PROTO"
+    if [ "$OVPN_PROTO" == "udp6" ]; then
+        echo "remote $OVPN_CN $OVPN_PORT udp"
+    fi
+    if [ "$OVPN_PROTO" == "tcp6" ]; then
+        echo "remote $OVPN_CN $OVPN_PORT tcp"
+    fi
+    echo "$OVPN_ADDITIONAL_CLIENT_CONFIG
 "
     if [ "$mode" == "combined" ]; then
         echo "
@@ -62,7 +69,6 @@ key ${cn}.key
 ca ca.crt
 cert ${cn}.crt
 tls-auth ta.key 1
-$OVPN_ADDITIONAL_CLIENT_CONFIG
 "
     fi
 
@@ -94,6 +100,10 @@ $OVPN_ADDITIONAL_CLIENT_CONFIG
     if [ -n "$OVPN_COMP_LZO" ]; then
         echo "comp-lzo"
     fi
+
+    if [ -n "$OVPN_OTP_AUTH" ]; then
+	echo reneg-sec 0
+    fi
 }
 
 dir="$OPENVPN/clients/$cn"

bin/ovpn_run

@@ -35,6 +35,21 @@ function addArg {
     fi
 }
 
+# set up iptables rules and routing
+# this allows rules/routing to be altered by supplying this function
+# in an included file, such as ovpn_env.sh
+function setupIptablesAndRouting {
+    iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE || {
+      iptables -t nat -A POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE
+    }
+    for i in "${OVPN_ROUTES[@]}"; do
+        iptables -t nat -C POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE || {
+          iptables -t nat -A POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE
+        }
+    done
+}
+
+
 addArg "--config" "$OPENVPN/openvpn.conf"
 
 source "$OPENVPN/ovpn_env.sh"
@@ -53,14 +68,10 @@ fi
 
 # Setup NAT forwarding if requested
 if [ "$OVPN_DEFROUTE" != "0" ] || [ "$OVPN_NAT" == "1" ] ; then
-    iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE || {
-      iptables -t nat -A POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE
-    }
-    for i in "${OVPN_ROUTES[@]}"; do
-        iptables -t nat -C POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE || {
-          iptables -t nat -A POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE
-        }
-    done
+	# call function to setup iptables rules and routing
+	# this allows rules to be customized by supplying
+	# a replacement function in, for example, ovpn_env.sh
+	setupIptablesAndRouting
 fi
 
 # Use a hacky hardlink as the CRL Needs to be readable by the user/group
@@ -85,4 +96,3 @@ fi
 
 echo "Running 'openvpn ${ARGS[@]} ${USER_ARGS[@]}'"
 exec openvpn ${ARGS[@]} ${USER_ARGS[@]}
-

docs/backup.md

@@ -18,4 +18,4 @@ I'd recommend encrypting the archive with something strong (e.g. gpg or openssl
 Creates an volume container named `$OVPN_DATA` to extract the data to.
 
     docker volume create --name $OVPN_DATA
-    xzcat openvpn-backup.tar.xz | docker run $OVPN_DATA:/etc/openvpn -i kylemanna/openvpn tar -xvf - -C /etc
+    xzcat openvpn-backup.tar.xz | docker run -v $OVPN_DATA:/etc/openvpn -i kylemanna/openvpn tar -xvf - -C /etc

docs/docker-compose.md

@@ -2,41 +2,67 @@
 
 * Add a new service in docker-compose.yml
 
-        version: '2'
-        services:
-          openvpn:
-            cap_add:
-             - NET_ADMIN
-            image: kylemanna/openvpn
-            ports:
-             - "1194:1194/udp"
-            restart: always
-            volumes:
-             - ./openvpn/conf:/etc/openvpn
+```yaml
+version: '2'
+services:
+  openvpn:
+    cap_add:
+     - NET_ADMIN
+    image: kylemanna/openvpn
+    container_name: openvpn
+    ports:
+     - "1194:1194/udp"
+    restart: always
+    volumes:
+     - ./openvpn-data/conf:/etc/openvpn
+```
+
 
 * Initialize the configuration files and certificates
 
-        docker-compose run --rm openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM
-        docker-compose run --rm openvpn ovpn_initpki
+```bash
+docker-compose run --rm openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM
+docker-compose run --rm openvpn ovpn_initpki
+```
 
 * Fix ownership (depending on how to handle your backups, this may not be needed)
 
-        sudo chown -R $(whoami): ./openvpn
+```bash
+sudo chown -R $(whoami): ./openvpn-data
+```
 
 * Start OpenVPN server process
 
-        docker-compose up -d openvpn
+```bash
+docker-compose up -d openvpn
+```
 
-* Generate a client certificate without a passphrase
+* You can access the container logs with
 
-        docker-compose run --rm openvpn easyrsa build-client-full CLIENTNAME nopass
+```bash
+docker-compose logs -f
+```
+
+* Generate a client certificate
+
+```bash
+export CLIENTNAME="your_client_name"
+# with a passphrase (recommended)
+docker-compose run --rm openvpn easyrsa build-client-full $CLIENTNAME
+# without a passphrase (not recommended)
+docker-compose run --rm openvpn easyrsa build-client-full $CLIENTNAME nopass
+```
 
 * Retrieve the client configuration with embedded certificates
 
-        docker-compose run --rm openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
+```bash
+docker-compose run --rm openvpn ovpn_getclient $CLIENTNAME > $CLIENTNAME.ovpn
+```
 
 ## Debugging Tips
 
 * Create an environment variable with the name DEBUG and value of 1 to enable debug output (using "docker -e").
 
-        docker-compose run -e DEBUG=1 openvpn
+```bash
+docker-compose run -e DEBUG=1 openvpn
+```

docs/ipv6.md

@@ -91,4 +91,11 @@ Fire up a web browser and attempt to navigate to [https://ipv6.google.com](https
 
 ## Connect to the OpenVPN Server Over IPv6
 
-Not implemented, yet.
+This feature requires a docker daemon with working IPv6 support.
+
+This will allow connections over IPv4 and IPv6.
+
+Generate server configuration with the udp6 or tcp6 protocol:
+
+    docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp6://VPN.SERVERNAME.COM
+    docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u tcp6://VPN.SERVERNAME.COM

docs/otp.md

@@ -11,9 +11,11 @@ and use this image to generate user configuration.
 
 In order to enable two factor authentication the following steps are required.
 
-* Generate server configuration with `-2` option
+* Choose a more secure [cipher](https://community.openvpn.net/openvpn/wiki/SWEET32) to use because since [OpenVPN 2.3.13](https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.13) the default openvpn cipher BF-CBC will cause a renegotiated connection every 64 MB of data
 
-        docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://vpn.example.com -2
+* Generate server configuration with `-2` and `-C $CIPHER` options
+
+        docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://vpn.example.com -2 -C $CIPHER
 
 * Generate your client certificate (possibly without a password since you're using OTP)
 

init/docker-openvpn@.service

@@ -64,7 +64,7 @@ ExecStartPre=-/usr/bin/docker pull $IMG
 ExecStartPre=/bin/sh -c 'test -z "$IP6_PREFIX" && exit 0; sysctl net.ipv6.conf.all.forwarding=1'
 
 # Main process
-ExecStart=/usr/bin/docker run --rm --privileged -v ${DATA_VOL}:/etc/openvpn:ro --name ${NAME} -p ${PORT} ${IMG} ovpn_run $ARGS
+ExecStart=/usr/bin/docker run --rm --privileged -v ${DATA_VOL}:/etc/openvpn --name ${NAME} -p ${PORT} ${IMG} ovpn_run $ARGS
 
 # IPv6: Add static route for IPv6 after it starts up
 ExecStartPost=/bin/sh -c 'test -z "${IP6_PREFIX}" && exit 0; sleep 1; ip route replace ${IP6_PREFIX} via $(docker inspect -f "{{ .NetworkSettings.GlobalIPv6Address }}" $NAME ) dev docker0'

test/config.sh

@@ -12,5 +12,6 @@ imageTests+=(
         basic
         dual-proto
         otp
+	iptables
 	'
 )

test/tests/conf_options/container.sh

@@ -163,3 +163,32 @@ then
 else
   abort "==> Config match not found: $CONFIG_REQUIRED_ROUTE_2 != $CONFIG_MATCH_ROUTE_2"
 fi
+
+# Test generated client config
+
+# gen udp client with tcp fallback
+ovpn_genconfig -u udp://$SERV_IP -E "remote $SERV_IP 443 tcp" -E "remote vpn.example.com 443 tcp"
+# nopass is insecure
+EASYRSA_BATCH=1 EASYRSA_REQ_CN="Travis-CI Test CA" ovpn_initpki nopass
+easyrsa build-client-full client-fallback nopass
+ovpn_getclient client-fallback | tee /etc/openvpn/config-fallback.ovpn
+
+CONFIG_REQUIRED_TCP_REMOTE="^remote $SERV_IP 443 tcp"
+CONFIG_MATCH_TCP_REMOTE=$(busybox grep "remote $SERV_IP 443 tcp" /etc/openvpn/config-fallback.ovpn)
+
+CONFIG_REQUIRED_TCP_REMOTE_2="^remote vpn.example.com 443 tcp"
+CONFIG_MATCH_TCP_REMOTE_2=$(busybox grep "remote vpn.example.com 443 tcp" /etc/openvpn/config-fallback.ovpn)
+
+if [[ $CONFIG_MATCH_TCP_REMOTE =~ $CONFIG_REQUIRED_TCP_REMOTE ]]
+then
+  echo "==> Config match found: $CONFIG_REQUIRED_TCP_REMOTE == $CONFIG_MATCH_TCP_REMOTE"
+else
+  abort "==> Config match not found: $CONFIG_REQUIRED_TCP_REMOTE != $CONFIG_MATCH_TCP_REMOTE"
+fi
+
+if [[ $CONFIG_MATCH_TCP_REMOTE_2 =~ $CONFIG_REQUIRED_TCP_REMOTE_2 ]]
+then
+  echo "==> Config match found: $CONFIG_REQUIRED_TCP_REMOTE_2 == $CONFIG_MATCH_TCP_REMOTE_2"
+else
+  abort "==> Config match not found: $CONFIG_REQUIRED_TCP_REMOTE_2 != $CONFIG_MATCH_TCP_REMOTE_2"
+fi

test/tests/iptables/run.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+set -e
+
+[ -n "${DEBUG+x}" ] && set -x
+OVPN_DATA=basic-data
+IMG="kylemanna/openvpn"
+NAME="ovpn-test"
+SERV_IP=$(ip -4 -o addr show scope global  | awk '{print $4}' | sed -e 's:/.*::' | head -n1)
+
+# generate server config including iptables nat-ing
+docker volume create --name $OVPN_DATA
+docker run --rm -v $OVPN_DATA:/etc/openvpn $IMG ovpn_genconfig -u udp://$SERV_IP -N
+docker run -v $OVPN_DATA:/etc/openvpn --rm -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass
+
+# Fire up the server
+docker run -d --name $NAME -v $OVPN_DATA:/etc/openvpn --cap-add=NET_ADMIN $IMG
+
+# check default iptables rules
+docker exec -ti $NAME bash -c 'source /etc/openvpn/ovpn_env.sh; eval iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o eth0 -j MASQUERADE'
+
+# append new setupIptablesAndRouting function to config
+docker exec -ti $NAME bash -c 'echo function setupIptablesAndRouting { iptables -t nat -A POSTROUTING -m comment --comment "test"\;} >> /etc/openvpn/ovpn_env.sh'
+
+# kill server in preparation to modify config
+docker kill $NAME
+docker rm $NAME
+
+# check that overridden function exists and that test iptables rules is active
+docker run -d --name $NAME -v $OVPN_DATA:/etc/openvpn --cap-add=NET_ADMIN $IMG
+docker exec -ti $NAME bash -c 'source /etc/openvpn/ovpn_env.sh; type -t setupIptablesAndRouting && iptables -t nat -C POSTROUTING -m comment --comment "test"'
+
+#
+# kill server
+#
+
+docker kill $NAME
+docker rm $NAME
+docker volume rm $OVPN_DATA

test/tests/otp/run.sh

@@ -17,6 +17,9 @@ SERV_IP=$(ip -4 -o addr show scope global  | awk '{print $4}' | sed -e 's:/.*::'
 # Configure server with two factor authentication
 docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_genconfig -u udp://$SERV_IP -2
 
+# Ensure reneg-sec 0 in server config when two factor is enabled
+docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG cat /etc/openvpn/openvpn.conf | grep 'reneg-sec 0' || abort 'reneg-sec not set to 0 in server config'
+
 # nopass is insecure
 docker run -v $OVPN_DATA:/etc/openvpn --rm -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass
 
@@ -40,6 +43,9 @@ echo -e "$OTP_USER\n$OTP_TOKEN" > $CLIENT_DIR/credentials.txt
 # Override the auth-user-pass directive to use a credentials file
 docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_getclient $CLIENT | sed 's/auth-user-pass/auth-user-pass \/client\/credentials.txt/' | tee $CLIENT_DIR/config.ovpn
 
+# Ensure reneg-sec 0 in client config when two factor is enabled
+grep 'reneg-sec 0' $CLIENT_DIR/config.ovpn || abort 'reneg-sec not set to 0 in client config'
+
 #
 # Fire up the server
 #