[DOC] update documentation

[DBUG] correct the basic VPN address
[DEV] specify the network ardress of the docker interface
2019-05-22 22:41:09 +02:00 · 2019-05-22 17:51:14 +02:00 · 2019-05-22 17:50:54 +02:00 · 2019-05-22 17:50:24 +02:00 · 2019-05-22 17:49:57 +02:00 · 2019-05-22 17:49:36 +02:00
25 changed files with 1195 additions and 451 deletions
--- a/.travis.yml
+++ b/.travis.yml
@@ -0,0 +1,33 @@
 # Disallowing packages: openvpn
 # If you require these packages, please review the package approval process at: https://github.com/travis-ci/apt-package-whitelist#package-approval-process
 #addons:
 #    apt:
 #        sources:
 #            - ubuntu-toolchain-r-test
 #        packages:
 #            - openvpn
 services:
    - docker
 before_install:
    - docker --version
 install:
    - git clone https://github.com/docker-library/official-images.git official-images
 # Assist with ci test debugging:
 #   - DEBUG=1
 before_script:
    - image="kylemanna/openvpn"
    - docker build -t "$image" .
    - docker inspect "$image"
    - docker run --rm "$image" openvpn --version || true # why does it return 1?
    - docker run --rm "$image" openssl version
 script:
    - official-images/test/run.sh "$image"
    - test/run.sh "$image"
 after_script:
    - docker images
--- a/30
+++ b/30
@@ -1,30 +0,0 @@
 # Original credit: https://github.com/jpetazzo/dockvpn
 # Leaner build then Ubunutu
 FROM debian:jessie
 MAINTAINER Kyle Manna <kyle@kylemanna.com>
 RUN apt-get update && apt-get install -y openvpn iptables git-core
 # Update checkout to use tags when v3.0 is finally released
 RUN git clone https://github.com/OpenVPN/easy-rsa.git /usr/local/share/easy-rsa
 RUN cd /usr/local/share/easy-rsa && git checkout -b tested 89f369c5bbd13fbf0da2ea6361632c244e8af532
 RUN ln -s /usr/local/share/easy-rsa/easyrsa3/easyrsa /usr/local/bin
 # Needed by scripts
 ENV OPENVPN /etc/openvpn
 ENV EASYRSA /usr/local/share/easy-rsa/easyrsa3
 ENV EASYRSA_PKI $OPENVPN/pki
 ENV EASYRSA_VARS_FILE $OPENVPN/vars
 VOLUME ["/etc/openvpn"]
 # Internally uses port 1194, remap using docker
 EXPOSE 1194/udp
 WORKDIR /etc/openvpn
 CMD ["ovpn_run"]
 ADD ./bin /usr/local/bin
 RUN chmod a+x /usr/local/bin/*
--- a/21
+++ b/21
@@ -0,0 +1,21 @@
 The MIT License (MIT)
 Copyright (c) 2014 Kyle Manna
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in all
 copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
--- a/README.md
+++ b/README.md
@@ -1,120 +1,152 @@
-# OpenVPN for Docker
+OpenVPN for Docker-compose
 ============================
 OpenVPN server in a Docker container complete with an EasyRSA PKI CA.
-## Quick Start
+Check if your port is availlable
 ================================
-* Create the `openvpn-data` volume container
+On your server:
 ```{.sh}
 nc -ul -p 1194
 ```
-        docker run --name openvpn-data -v /etc/openvpn busybox
+On your computer
-
+```{.sh}
-* Initalize the `openvpn-data` container that will hold the configuration files and certificates
+nc -u __SERVER_IP__ 1194
-
+```
        docker run --volumes-from openvpn-data kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM:1194
        docker run --volumes-from openvpn-data -it kylemanna/openvpn ovpn_initpki
 * Start OpenVPN server process
        docker run --volumes-from openvpn-data -d -p 1194:1194/udp --privileged kylemanna/openvpn
 * Generate a client certificate without a passphrase
        docker run --volumes-from openvpn-data --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass
 * Retrieve the client configuration with embedded certificates
        docker run --volumes-from openvpn-data --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
-## How Does It Work?
+Remove other VPN local:
-Initialize the volume container using the `kylemanna/openvpn` image with the
+In case an other service is started :
-included scripts to automatically generate:
+```
-
+sudo systemctl stop openvpn@server.service
- Diffie-Hellman parameters
+```
 - a private key
 - a self-certificate matching the private key for the OpenVPN server
 - an EasyRSA CA key and certificate
 - a TLS auth key from HMAC security
 The OpenVPN server is started with the default run cmd of `ovpn_run`
 The configuration is located in `/etc/openvpn`, and the Dockerfile
 declares that directory as a volume. It means that you can start another
 container with the `--volumes-from` flag, and access the configuration.
 The volume also holds the PKI keys and certs so that it could be backed up.
 To generate a client certificate, `kylemanna/openvpn` uses EasyRSA via the
 `easyrsa` command in the container's path.  The `EASYRSA_*` environmental
 variables place the PKI CA under `/etc/opevpn/pki`.
 Conveniently, `kylemanna/openvpn` comes with a script called `ovpn_getclient`,
 which dumps an inline OpenVPN client configuration file.  This single file can
 then be given to a client for access to the VPN.
-## OpenVPN Details
+Quick Start with docker-compose
 ================================
-We use `tun` mode, because it works on the widest range of devices.
+```{.sh}
-`tap` mode, for instance, does not work on Android, except if the device
+docker-compose run --rm openvpn_service ovpn_genconfig -u udp://____VPN.SERVERNAME.COM____
-is rooted.
+docker-compose run --rm openvpn_service ovpn_initpki
 ```
-The topology used is `net30`, because it works on the widest range of OS.
+or
 `p2p`, for instance, does not work on Windows.
-The UDP server uses`192.168.255.0/24` for dynamic clients by default.
+```{.sh}
 docker-compose run --rm openvpn_service ovpn_genconfig -u udp://____VPN.SERVERNAME.COM____ -b -D -C AES-256-CBC -p ____LOCAL_IP_SERVER____/32 -R -V -F
 docker-compose run --rm openvpn_service ovpn_initpki
 ```
-The client profile specifies `redirect-gateway def1`, meaning that after
+**Note:** the ```-d``` create some errors
 establishing the VPN connection, all traffic will go through the VPN.
 This might cause problems if you use local DNS recursors which are not
 directly reachable, since you will try to reach them through the VPN
 and they might not answer to you. If that happens, use public DNS
 resolvers like those of Google (8.8.4.4 and 8.8.8.8) or OpenDNS
 (208.67.222.222 and 208.67.220.220).
-## Security Discussion
+With a teltonika routeur, you need to add the interface of the docker:
-
+```
-The Docker container runs its own EasyRSA PKI Certificate Authority.  This was
+-p "route 10.3.1.0 255.255.255.0"
-chosen as a good way to compromise on security and convenience.  The container
+```
 runs under the assumption that the OpenVPN container is running on a secure
 host, that is to say that an adversary does not have access to the PKI files
 under `/etc/openvpn/pki`.  This is a fairly reasonable compromise because if an
 adversary had access to these files, the adversary could manipulate the
 function of the OpenVPN server itself (sniff packets, create a new PKI CA, MITM
 packets, etc).
 * The certificate authority key is kept in the container by default for
  simplicity.  It's highly recommended to secure the CA key with some
  passphrase to protect against a filesystem compromise.  A more secure system
  would put the EasyRSA PKI CA on an offline system (can use the same Docker
  image to accomplish this).
 * It would be impossible for an adversary to sign bad or forged certificates
  without first cracking the key's passphase should the adversary have root
  access to the filesystem.
 * The EasyRSA `build-client-full` command will generate and leave keys on the
  server, again possible to compromise and steal the keys.  The keys generated
  need to signed by the CA which the user hopefully configured with a passphrase
  as described above.
 * Assuming the rest of the Docker container's filesystem is secure, TLS + PKI
  security should prevent any malicious host from using the VPN.
 ## Differences from jpetazzo/dockvpn
-* No longer uses serveconfig to distribute the configuration via https
+Fix ownership (depending on how to handle your backups, this may not be needed)
-* Proper PKI support integrated into image
+---------------------------------------------------------------------------------
 * OpenVPN config files, PKI keys and certs are stored on a storage
  volume for re-use across containers
 * Only offer UDP support for now, I don't have a good use case for TCP
 * Addition of tls-auth for HMAC security
-## Tested On
+```{.sh}
 sudo chown -R $(whoami): ./openvpn-data
 ```
 Start OpenVPN server process
 ----------------------------
 ```{.sh}
 docker-compose up -d openvpn_service
 ```
 You can access the container logs with
 --------------------------------------
 ```{.sh}
 docker-compose logs -f
 ```
 Generate a client certificate
 -----------------------------
 ```{.sh}
 export CLIENT_NAME="your_client_name"
 # with a passphrase (recommended)
 docker-compose run --rm openvpn easyrsa build-client-full $CLIENT_NAME
 # without a passphrase (not recommended)
 docker-compose run --rm openvpn easyrsa build-client-full $CLIENT_NAME nopass
 ```
 Add toute too the client:
 ```
 echo "route 10.10.1.0 255.255.255.0" >> openvpn-data/conf/openvpn.conf
 echo "iroute 10.10.1.0 255.255.255.0" > openvpn-data/conf/ccd/$CLIENT_NAME
 ```
 Retrieve the client configuration with embedded certificates
 ------------------------------------------------------------
 In a single file:
 ```{.sh}
 # if the container is down
 docker-compose run --rm openvpn_service ovpn_getclient $CLIENT_NAME > $CLIENT_NAME.ovpn
 # if the container is up
 docker-compose exec openvpn_service ovpn_getclient $CLIENT_NAME > $CLIENT_NAME.ovpn
 ```
 In multiple files
 ```{.sh}
 # if the container is down
 docker-compose run --rm openvpn_service ovpn_getclient $CLIENT_NAME separated
 # if the container is up
 docker-compose exec openvpn_service ovpn_getclient $CLIENT_NAME separated
 ```
 Revoke a client certificate
 ---------------------------
 ```{.sh}
 # Keep the corresponding crt, key and req files.
 docker-compose run --rm openvpn_service ovpn_revokeclient $CLIENT_NAME
 # Remove the corresponding crt, key and req files.
 docker-compose run --rm openvpn_service ovpn_revokeclient $CLIENT_NAME remove
 ```
 Debugging Tips
 --------------
 * Create an environment variable with the name DEBUG and value of 1 to enable debug output (using "docker -e").
 ```{.sh}
 docker-compose run -e DEBUG=1 -p 1194:1194/udp openvpn_service
 ```
 Test on the client:
 -------------------
 Run in root mode:
 ```
 openvpn --config $CLIENT_NAME.ovpn
 ```
 you can test the connection with the server:
 ```
 ping ____LOCAL_IP_SERVER____
 ```
 On server test the Connectionwith the client:
 ```
 ping ____CLIENT_IP_SERVER____
 ```
 If needed add the routing rules on the server:
 ```
 ip route add 10.10.0.0/16 via 10.3.0.2
 ```
 * Docker hosts:
  * server a Digitial Ocean Droplet with 512 MB RAM running Ubuntu 14.04
 * Clients
  * Android App OpenVPN Connect 1.1.14 (built 56)
     * OpenVPN core 3.0 android armv7a thumb2 32-bit
  * OS X Mavericks with Tunnelblick 3.4beta26 (build 3828) using openvpn-2.3.4
  * ArchLinux OpenVPN pkg 2.3.4-1
--- a/bin/ovpn_genconfig
+++ b/bin/ovpn_genconfig
@@ -1,167 +0,0 @@
 #!/bin/bash
 #
 # Generate OpenVPN configs
 #
 # Convert 1.2.3.4/24 -> 255.255.255.0
 cidr2mask()
 {
    local i
    local subnetmask=""
    local cidr=${1#*/}
    local full_octets=$(($cidr/8))
    local partial_octet=$(($cidr%8))
    for ((i=0;i<4;i+=1)); do
        if [ $i -lt $full_octets ]; then
            subnetmask+=255
        elif [ $i -eq $full_octets ]; then
            subnetmask+=$((256 - 2**(8-$partial_octet)))
        else
            subnetmask+=0
        fi
        [ $i -lt 3 ] && subnetmask+=.
    done
    echo $subnetmask
 }
 # Used often enough to justify a function
 getroute() {
    echo ${1%/*} $(cidr2mask $1)
 }
 usage() {
    echo "usage: $0 [-d]"
    echo "                  -u SERVER_PUBLIC_URL"
    echo "                 [-s SERVER_SUBNET]"
    echo "                 [-r ROUTE ...]"
    echo
    echo "optional arguments:"
    echo " -d    Disable NAT routing and default route"
 }
 set -ex
 OVPN_ENV=$OPENVPN/ovpn_env.sh
 OVPN_SERVER=192.168.255.0/24
 OVPN_DEFROUTE=1
 # Import defaults if present
 [ -r "$OVPN_ENV" ] && source "$OVPN_ENV"
 ORIG_OVPN_ROUTES=$OVPN_ROUTES
 OVPN_ROUTES=""
 # Parse arguments
 while getopts ":r:s:du:" opt; do
    case $opt in
        r)
            if [ -n "$OVPN_ROUTES" ]; then
                OVPN_ROUTES+=" $OPTARG"
            else
                OVPN_ROUTES+="$OPTARG"
            fi
            ;;
        s)
            OVPN_SERVER=$OPTARG
            ;;
        d)
            OVPN_DEFROUTE=0
            ;;
        u)
            OVPN_SERVER_URL=$OPTARG
            ;;
        \?)
            set +x
            echo "Invalid option: -$OPTARG" >&2
            usage
            exit 1
            ;;
        :)
            set +x
            echo "Option -$OPTARG requires an argument." >&2
            usage
            exit 1
            ;;
    esac
 done
 # Server name is in the form "udp://vpn.example.com:1194"
 if [[ "$OVPN_SERVER_URL" =~ ^((udp|tcp)://)?([0-9a-zA-Z\.]+)(:([0-9]+))?$ ]]; then
    OVPN_PROTO=${BASH_REMATCH[2]};
    OVPN_CN=${BASH_REMATCH[3]};
    OVPN_PORT=${BASH_REMATCH[5]};
 else
    set +x
    echo "Common name not specified, see '-u'"
    usage
    exit 1
 fi
 # Apply defaults
 [ -z "$OVPN_PROTO" ] && OVPN_PROTO=udp
 [ -z "$OVPN_PORT" ] && OVPN_PORT=1194
 if [ -z "$OVPN_ROUTES" ]; then
    if [ -n "$ORIG_OVPN_ROUTES" ]; then
        OVPN_ROUTES=$ORIG_OVPN_ROUTES
    else
        OVPN_ROUTES=192.168.254.0/24
    fi
 fi
 export OVPN_SERVER OVPN_ROUTES OVPN_DEFROUTE
 export OVPN_SERVER_URL OVPN_ENV OVPN_PROTO OVPN_CN OVPN_PORT
 # Preserve config
 if [ -f "$OVPN_ENV" ]; then
    bak_env=$OVPN_ENV.$(date +%s).bak
    echo "Backing up $OVPN_ENV -> $bak_env"
    mv "$OVPN_ENV" "$bak_env"
 fi
 export | grep OVPN_ > "$OVPN_ENV"
 conf=$OPENVPN/openvpn.conf
 if [ -f "$conf" ]; then
    bak=$conf.$(date +%s).bak
    echo "Backing up $conf -> $bak"
    mv "$conf" "$bak"
 fi
 cat > "$conf" <<EOF
 server $(getroute $OVPN_SERVER)
 verb 3
 #duplicate-cn
 key $EASYRSA_PKI/private/${OVPN_CN}.key
 ca $EASYRSA_PKI/ca.crt
 cert $EASYRSA_PKI/issued/${OVPN_CN}.crt
 dh $EASYRSA_PKI/dh.pem
 tls-auth $EASYRSA_PKI/ta.key
 key-direction 0
 keepalive 10 60
 persist-key
 persist-tun
 push "dhcp-option DNS 8.8.4.4"
 push "dhcp-option DNS 8.8.8.8"
 proto $OVPN_PROTO
 # Rely on Docker to do port mapping, internally always 1194
 port 1194
 dev tun0
 status /tmp/openvpn-status.log
 client-config-dir $OPENVPN/ccd
 EOF
 # Append Routes
 for i in ${OVPN_ROUTES[@]}; do
    # If user passed "0" skip this, assume no extra routes
    [ "$i" = "0" ] && break;
    echo route $(getroute $i) >> "$conf"
 done
 # Clean-up duplicate configs (always return success)
 diff -q "$bak_env" "$OVPN_ENV" 2> /dev/null && rm "$bak_env" || true
 diff -q "$bak" "$conf" 2> /dev/null && rm "$bak" || true
--- a/bin/ovpn_getclient
+++ b/bin/ovpn_getclient
@@ -1,46 +0,0 @@
 #!/bin/bash
 #
 # Get an OpenVPN client configuration file
 #
 set -ex
 source "$OPENVPN/ovpn_env.sh"
 cn=$1
 if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then
    easyrsa build-server-full $cn nopass
 fi
 cat <<EOF
 client
 nobind
 dev tun
 remote-cert-tls server
 <key>
 $(cat $EASYRSA_PKI/private/${cn}.key)
 </key>
 <cert>
 $(cat $EASYRSA_PKI/issued/${cn}.crt)
 </cert>
 <ca>
 $(cat $EASYRSA_PKI/ca.crt)
 </ca>
 <dh>
 $(cat $EASYRSA_PKI/dh.pem)
 </dh>
 <tls-auth>
 $(cat $EASYRSA_PKI/ta.key)
 </tls-auth>
 key-direction 1
 <connection>
 remote $OVPN_CN $OVPN_PORT $OVPN_PROTO
 </connection>
 EOF
 if [ "$OVPN_DEFROUTE" != "0" ];then
    echo "redirect-gateway def1"
 fi
--- a/bin/ovpn_run
+++ b/bin/ovpn_run
@@ -1,31 +0,0 @@
 #!/bin/bash
 #
 # Run the OpenVPN server normally
 #
 set -ex
 source "$OPENVPN/ovpn_env.sh"
 mkdir -p /dev/net
 if [ ! -c /dev/net/tun ]; then
    mknod /dev/net/tun c 10 200
 fi
 if [ ! -d "$OPENVPN/ccd" ]; then
    mkdir -p /etc/openvpn/ccd
 fi
 # Setup NAT forwarding if requested
 if [ "$OVPN_DEFROUTE" != "0" ];then
    iptables -t nat -A POSTROUTING -s $OVPN_SERVER -o eth0 -j MASQUERADE
    for i in ${OVPN_ROUTES[@]}; do
        iptables -t nat -A POSTROUTING -s $i -o eth0 -j MASQUERADE
    done
 fi
 conf="$OPENVPN/openvpn.conf"
 openvpn --config "$conf"
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -0,0 +1,20 @@
 version: '3'
 services:
  openvpn_service:
    privileged: true
    cap_add:
     - NET_ADMIN
    build: docker
    container_name: openvpn
    ports:
     - "1194:1194/udp"
    restart: always
    volumes:
     - ./openvpn-data/conf:/etc/openvpn
 networks:
  default:
    ipam:
      driver: default
      config:
        - subnet: 10.3.1.0/30
--- a/docker/11_route_enable.conf
+++ b/docker/11_route_enable.conf
@@ -0,0 +1,2 @@
 # Enable network forwarding
 net.ipv4.ip_forward=1
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -0,0 +1,37 @@
 # Original credit: https://github.com/jpetazzo/dockvpn
 # Smallest base image
 FROM alpine:latest
 LABEL maintainer="Edouard DUPIN <yui.heero@gmail.com>"
 # Testing: pamtester
 RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing/" >> /etc/apk/repositories && \
    apk add --update openvpn iptables bash easy-rsa openvpn-auth-pam google-authenticator pamtester && \
    ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin && \
    rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/*
 # Needed by scripts
 ENV OPENVPN /etc/openvpn
 ENV EASYRSA /usr/share/easy-rsa
 ENV EASYRSA_PKI $OPENVPN/pki
 ENV EASYRSA_VARS_FILE $OPENVPN/vars
 # Prevents refused client connection because of an expired CRL
 ENV EASYRSA_CRL_DAYS 3650
 VOLUME ["/etc/openvpn"]
 # Internally uses port 1194/udp, remap using `docker run -p 443:1194/tcp`
 EXPOSE 1194/udp
 CMD ["ovpn_run"]
 ADD ./11_route_enable.conf /etc/sysctl.d/11_route_enable.conf
 RUN sysctl -p /etc/sysctl.d/*
 ADD ./bin /usr/local/bin
 RUN chmod a+x /usr/local/bin/*
 # Add support for OTP authentication using a PAM module
 ADD ./otp/openvpn /etc/pam.d/
--- a/docker/bin/easyrsa_vars
+++ b/docker/bin/easyrsa_vars
@@ -4,7 +4,11 @@
 # Import/export EasyRSA default settings
 #
-set -ex
+if [ "$DEBUG" == "1" ]; then
  set -x
 fi
 set -e
 if [ $# -lt 1 ]; then
    echo "No command provided"
--- a/docker/bin/ovpn_copy_server_files
+++ b/docker/bin/ovpn_copy_server_files
@@ -0,0 +1,47 @@
 #!/bin/bash
 ## @licence MIT <http://opensource.org/licenses/MIT>
 ## @author Copyright (C) 2015 Robin Schneider <ypid@riseup.net>
 set -e
 if [ -z "$OPENVPN" ]; then
    export OPENVPN="$PWD"
 fi
 if ! source "$OPENVPN/ovpn_env.sh"; then
    echo "Could not source $OPENVPN/ovpn_env.sh."
    exit 1
 fi
 TARGET="$OPENVPN/server"
 if [ -n "$1" ]; then
    TARGET="$1"
 fi
 mkdir -p "${TARGET}"
 ## Ensure that no other keys then the one for the server is present.
 rm -rf "$TARGET/pki/private" "$TARGET/pki/issued"
 FILES=(
    "openvpn.conf"
    "ovpn_env.sh"
    "pki/private/${OVPN_CN}.key"
    "pki/issued/${OVPN_CN}.crt"
    "pki/dh.pem"
    "pki/ta.key"
    "pki/ca.crt"
    "ccd"
 )
 if [ -f "${OPENVPN}/pki/crl.pem" ]; then
    FILES+=("pki/crl.pem")
 fi
 # Ensure the ccd directory exists, even if empty
 mkdir -p "ccd"
 # rsync isn't available to keep size down
 # cp --parents isn't in busybox version
 # hack the directory structure with tar
 tar cf - -C "${OPENVPN}" "${FILES[@]}" | tar xvf - -C "${TARGET}"
 echo "Created the openvpn configuration for the server: $TARGET"
--- a/docker/bin/ovpn_genconfig
+++ b/docker/bin/ovpn_genconfig
@@ -0,0 +1,467 @@
 #!/bin/bash
 #
 # Generate OpenVPN configs
 #
 TMP_PUSH_CONFIGFILE=$(mktemp -t vpn_push.XXXXXXX)
 TMP_ROUTE_CONFIGFILE=$(mktemp -t vpn_route.XXXXXXX)
 TMP_EXTRA_CONFIGFILE=$(mktemp -t vpn_extra.XXXXXXX)
 #Traceback on Error and Exit come from https://docwhat.org/tracebacks-in-bash/
 set -eu
 _showed_traceback=f
 traceback() {
 	# Hide the traceback() call.
 	local -i start=$(( ${1:-0} + 1 ))
 	local -i end=${#BASH_SOURCE[@]}
 	local -i i=0
 	local -i j=0
 	echo "Traceback (last called is first):" 1>&2
 	for ((i=${start}; i < ${end}; i++)); do
 		j=$(( $i - 1 ))
 		local function="${FUNCNAME[$i]}"
 		local file="${BASH_SOURCE[$i]}"
 		local line="${BASH_LINENO[$j]}"
 		echo "     ${function}() in ${file}:${line}" 1>&2
 	done
 }
 on_error() {
  local _ec="$?"
  local _cmd="${BASH_COMMAND:-unknown}"
  traceback 1
  _showed_traceback=t
  echo "The command ${_cmd} exited with exit code ${_ec}." 1>&2
 }
 trap on_error ERR
 on_exit() {
  echo "Cleaning up before Exit ..."
  rm -f $TMP_PUSH_CONFIGFILE
  rm -f $TMP_ROUTE_CONFIGFILE
  rm -f $TMP_EXTRA_CONFIGFILE
  local _ec="$?"
  if [[ $_ec != 0 && "${_showed_traceback}" != t ]]; then
    traceback 1
  fi
 }
 trap on_exit EXIT
 # Convert 1.2.3.4/24 -> 255.255.255.0
 cidr2mask()
 {
    local i
    local subnetmask=""
    local cidr=${1#*/}
    local full_octets=$(($cidr/8))
    local partial_octet=$(($cidr%8))
    for ((i=0;i<4;i+=1)); do
        if [ $i -lt $full_octets ]; then
            subnetmask+=255
        elif [ $i -eq $full_octets ]; then
            subnetmask+=$((256 - 2**(8-$partial_octet)))
        else
            subnetmask+=0
        fi
        [ $i -lt 3 ] && subnetmask+=.
    done
    echo $subnetmask
 }
 # Used often enough to justify a function
 getroute() {
    echo ${1%/*} $(cidr2mask $1)
 }
 usage() {
    echo "usage: $0 [-d]"
    echo "                  -u SERVER_PUBLIC_URL"
    echo "                 [-e EXTRA_SERVER_CONFIG ]"
    echo "                 [-E EXTRA_CLIENT_CONFIG ]"
    echo "                 [-f FRAGMENT ]"
    echo "                 [-n DNS_SERVER ...]"
    echo "                 [-p PUSH ...]"
    echo "                 [-r ROUTE ...]"
    echo "                 [-s SERVER_SUBNET]"
    echo
    echo "optional arguments:"
    echo " -2    Enable two factor authentication using Google Authenticator."
    echo " -a    Authenticate  packets with HMAC using the given message digest algorithm (auth)."
    echo " -b    Disable 'push block-outside-dns'"
    echo " -c    Enable client-to-client option"
    echo " -C    A list of allowable TLS ciphers delimited by a colon (cipher)."
    echo " -d    Disable default route"
    echo " -D    Do not push dns servers"
    echo " -k    Set keepalive. Default: '10 120'"
    echo " -m    Set client MTU"
    echo " -N    Configure NAT to access external server network"
    echo " -t    Use TAP device (instead of TUN device)"
    echo " -T    Encrypt packets with the given cipher algorithm instead of the default one (tls-cipher)."
    echo " -z    Enable comp-lzo compression."
    echo " -S    Change status folder. Default '/tmp'."
    echo " -R    Disable the reduce the OpenVPN daemon's privileges after initialization."
    echo " -K    Set a client config directory. Default Disable. Example: 'ccd'."
    echo " -V    Enable the the record of client <-> virtual IP address (store in a config file)."
    echo " -L    Configure log mode: 'disable', 'enable', 'append'. Default 'disable'."
    echo " -F    Enable the notification to the client that the server restarts."
 }
 process_route_config() {
  local ovpn_route_config=''
  ovpn_route_config="$1"
  # If user passed "0" skip this, assume no extra routes
  [[ "$ovpn_route_config" == "0" ]] && break;
  echo "Processing Route Config: '${ovpn_route_config}'"
  [[ -n "$ovpn_route_config" ]] && echo "route $(getroute $ovpn_route_config)" >> "$TMP_ROUTE_CONFIGFILE"
 }
 process_push_config() {
  local ovpn_push_config=''
  ovpn_push_config="$1"
  echo "Processing PUSH Config: '${ovpn_push_config}'"
  [[ -n "$ovpn_push_config" ]] && echo "push \"$ovpn_push_config\"" >> "$TMP_PUSH_CONFIGFILE"
 }
 process_extra_config() {
  local ovpn_extra_config=''
  ovpn_extra_config="$1"
  echo "Processing Extra Config: '${ovpn_extra_config}'"
  [[ -n "$ovpn_extra_config" ]] && echo "$ovpn_extra_config" >> "$TMP_EXTRA_CONFIGFILE"
 }
 if [ "${DEBUG:-}" == "1" ]; then
  set -x
 fi
 set -e
 if [ -z "${OPENVPN:-}" ]; then
  export OPENVPN="$PWD"
 fi
 if [ -z "${EASYRSA_PKI:-}" ]; then
    export EASYRSA_PKI="$OPENVPN/pki"
 fi
 OVPN_AUTH=''
 OVPN_CIPHER=''
 OVPN_CLIENT_TO_CLIENT=''
 OVPN_CN=''
 OVPN_COMP_LZO=0
 OVPN_DEFROUTE=1
 OVPN_DEVICE="tun"
 OVPN_DEVICEN=0
 OVPN_DISABLE_PUSH_BLOCK_DNS=0
 OVPN_DNS=1
 OVPN_DNS_SERVERS=()
 OVPN_ENV=${OPENVPN}/ovpn_env.sh
 OVPN_EXTRA_CLIENT_CONFIG=()
 OVPN_EXTRA_SERVER_CONFIG=()
 OVPN_FRAGMENT=''
 OVPN_KEEPALIVE="10 120"
 OVPN_MTU=''
 OVPN_NAT=0
 OVPN_PORT=''
 OVPN_PROTO=''
 OVPN_PUSH=()
 OVPN_ROUTES=()
 OVPN_SERVER=192.168.200.0/24
 OVPN_SERVER_URL=''
 OVPN_TLS_CIPHER=''
 OVPN_STATUS_PATH='/tmp'
 OVPN_DISABLE_REDUCE_DEAMON_S_PRIVILEGES=0
 OVPN_CLIENT_CONFIG_DIR=''
 OVPN_ENABLE_KEEP_CLIENT_VIRTUAL_IP=0
 OVPN_LOG_MODE="disable"
 OVPN_ENABLE_NOTIFY_SERVER_RESTARTS=0
 # Import existing configuration if present
 [ -r "$OVPN_ENV" ] && source "$OVPN_ENV"
 # Parse arguments
 while getopts ":a:e:E:C:T:r:s:du:bcp:n:k:DNm:f:tz2S:RK:VL:F" opt; do
    case $opt in
        a)
            OVPN_AUTH="$OPTARG"
            ;;
        e)
            mapfile -t TMP_EXTRA_SERVER_CONFIG <<< "$OPTARG"
            for i in "${TMP_EXTRA_SERVER_CONFIG[@]}"; do
              OVPN_EXTRA_SERVER_CONFIG+=("$i")
            done
            ;;
        E)
            mapfile -t TMP_EXTRA_CLIENT_CONFIG <<< "$OPTARG"
            for i in "${TMP_EXTRA_CLIENT_CONFIG[@]}"; do
              OVPN_EXTRA_CLIENT_CONFIG+=("$i")
            done
            ;;
        C)
            OVPN_CIPHER="$OPTARG"
            ;;
        T)
            OVPN_TLS_CIPHER="$OPTARG"
            ;;
        r)
            mapfile -t TMP_ROUTES <<< "$OPTARG"
            for i in "${TMP_ROUTES[@]}"; do
              OVPN_ROUTES+=("$i")
            done
            ;;
        s)
            OVPN_SERVER="$OPTARG"
            ;;
        d)
            OVPN_DEFROUTE=0
            OVPN_DISABLE_PUSH_BLOCK_DNS=1
            ;;
        u)
            OVPN_SERVER_URL="$OPTARG"
            ;;
        b)
            OVPN_DISABLE_PUSH_BLOCK_DNS=1
            ;;
        c)
            OVPN_CLIENT_TO_CLIENT=1
            ;;
        p)
            mapfile -t TMP_PUSH <<< "$OPTARG"
            for i in "${TMP_PUSH[@]}"; do
              OVPN_PUSH+=("$i")
            done
            ;;
        n)
            mapfile -t TMP_DNS_SERVERS <<< "$OPTARG"
            for i in "${TMP_DNS_SERVERS[@]}"; do
              OVPN_DNS_SERVERS+=("$i")
            done
            ;;
        D)
            OVPN_DNS=0
            ;;
        N)
            OVPN_NAT=1
            ;;
        k)
            OVPN_KEEPALIVE="$OPTARG"
            ;;
        m)
            OVPN_MTU="$OPTARG"
            ;;
        t)
            OVPN_DEVICE="tap"
            ;;
        z)
            OVPN_COMP_LZO=1
            ;;
        2)
            OVPN_OTP_AUTH=1
            ;;
        f)
            OVPN_FRAGMENT="$OPTARG"
            ;;
        S)
            OVPN_STATUS_PATH="$OPTARG"
            ;;
        R)
            OVPN_DISABLE_REDUCE_DEAMON_S_PRIVILEGES=1
            ;;
        K)
            OVPN_CLIENT_CONFIG_DIR="$OPTARG"
            ;;
        V)
            OVPN_ENABLE_KEEP_CLIENT_VIRTUAL_IP=1
            ;;
        L)
            OVPN_LOG_MODE="$OPTARG"
            ;;
        F)
            OVPN_ENABLE_NOTIFY_SERVER_RESTARTS=1
            ;;
        \?)
            set +x
            echo "Invalid option: -$OPTARG" >&2
            usage
            exit 1
            ;;
        :)
            set +x
            echo "Option -$OPTARG requires an argument." >&2
            usage
            exit 1
            ;;
    esac
 done
 # Create ccd directory for static routes
 [ ! -d "${OPENVPN:-}/ccd" ] && mkdir -p ${OPENVPN:-}/ccd
 # Server name is in the form "udp://vpn.example.com:1194"
 if [[ "${OVPN_SERVER_URL:-}" =~ ^((udp|tcp|udp6|tcp6)://)?([0-9a-zA-Z\.\-]+)(:([0-9]+))?$ ]]; then
    OVPN_PROTO=${BASH_REMATCH[2]};
    OVPN_CN=${BASH_REMATCH[3]};
    OVPN_PORT=${BASH_REMATCH[5]};
 else
    set +x
    echo "Common name not specified, see '-u'"
    usage
    exit 1
 fi
 # Apply defaults. If dns servers were not defined with -n, use google nameservers
 set +u
 [ -z "$OVPN_DNS_SERVERS" ] && OVPN_DNS_SERVERS=("8.8.8.8" "8.8.4.4")
 [ -z "$OVPN_PROTO" ] && OVPN_PROTO=udp
 [ -z "$OVPN_PORT" ] && OVPN_PORT=1194
 set -u
 [ "${#OVPN_ROUTES[@]}" == "0" ] && [ "$OVPN_DEFROUTE" == "1" ] && OVPN_ROUTES+=("192.168.200.0/24")
 # Preserve config
 if [ -f "$OVPN_ENV" ]; then
    bak_env=$OVPN_ENV.$(date +%s).bak
    echo "Backing up $OVPN_ENV -> $bak_env"
    mv "$OVPN_ENV" "$bak_env"
 fi
 # Save the current OVPN_ vars to the ovpn_env.sh file
 (set | grep '^OVPN_') | while read -r var; do
  echo "declare -x $var"  >> "$OVPN_ENV"
 done
 conf=${OPENVPN:-}/openvpn.conf
 if [ -f "$conf" ]; then
    bak=$conf.$(date +%s).bak
    echo "Backing up $conf -> $bak"
    mv "$conf" "$bak"
 fi
 # Echo extra client configurations
 if [ ${#OVPN_EXTRA_CLIENT_CONFIG[@]} -gt 0 ]; then
  for i in "${OVPN_EXTRA_CLIENT_CONFIG[@]}"; do
    echo "Processing Extra Client Config: $i"
  done
 fi
 cat > "$conf" <<EOF
 server $(getroute $OVPN_SERVER)
 verb 3
 key $EASYRSA_PKI/private/${OVPN_CN}.key
 ca $EASYRSA_PKI/ca.crt
 cert $EASYRSA_PKI/issued/${OVPN_CN}.crt
 dh $EASYRSA_PKI/dh.pem
 tls-auth $EASYRSA_PKI/ta.key
 key-direction 0
 keepalive $OVPN_KEEPALIVE
 persist-key
 persist-tun
 proto $OVPN_PROTO
 # Rely on Docker to do port mapping, internally always 1194
 port 1194
 dev $OVPN_DEVICE$OVPN_DEVICEN
 status $OVPN_STATUS_PATH/openvpn-status.log
 EOF
 if [ "${OVPN_DISABLE_REDUCE_DEAMON_S_PRIVILEGES}" == "1" ]; then
  echo "Disable 'user' and 'group'"
 else
  echo "user nobody" >> "$conf"
  echo "group nogroup" >> "$conf"
 fi
 if [ "${OVPN_DISABLE_PUSH_BLOCK_DNS}" == "1" ]; then
  echo "Disable default push of 'block-outside-dns'"
 else
  process_push_config "block-outside-dns"
 fi
 if [ "${OVPN_CLIENT_CONFIG_DIR}" == "" ]; then
  echo "Disable client config 'client-config-dir'"
 else
  echo "client-config-dir ${OVPN_CLIENT_CONFIG_DIR}" >> "$conf"
 fi
 [ -n "$OVPN_TLS_CIPHER" ] && echo "tls-cipher $OVPN_TLS_CIPHER" >> "$conf"
 [ -n "$OVPN_CIPHER" ] && echo "cipher $OVPN_CIPHER" >> "$conf"
 [ -n "$OVPN_AUTH" ] && echo "auth $OVPN_AUTH" >> "$conf"
 [ -n "${OVPN_CLIENT_TO_CLIENT:-}" ] && echo "client-to-client" >> "$conf"
 [ "$OVPN_COMP_LZO" == "1" ] && echo "comp-lzo" >> "$conf"
 [ "$OVPN_COMP_LZO" == "0" ] && echo "comp-lzo no" >> "$conf"
 [ "$OVPN_ENABLE_KEEP_CLIENT_VIRTUAL_IP" == "1" ] && echo "ifconfig-pool-persist /etc/openvpn/client_vitual_ip.txt" >> "$conf"
 [ "$OVPN_ENABLE_NOTIFY_SERVER_RESTARTS" == "1" ] && echo "explicit-exit-notify 1" >> "$conf"
 if [ "${OVPN_LOG_MODE}" == "enable" ]; then
  echo "log /var/log/openvpn/openvpn.log" >> "$conf"
 else
  if [ "${OVPN_LOG_MODE}" == "append" ]; then
    echo "log-append /var/log/openvpn/openvpn.log" >> "$conf"
  else
    echo "Log file mode is disable"
  fi
 fi
 [ -n "${OVPN_FRAGMENT:-}" ] && echo "fragment $OVPN_FRAGMENT" >> "$conf"
 # Append route commands
 if [ ${#OVPN_ROUTES[@]} -gt 0 ]; then
  for i in "${OVPN_ROUTES[@]}"; do
    process_route_config "$i"
  done
  echo -e "\n### Route Configurations Below" >> "$conf"
  cat $TMP_ROUTE_CONFIGFILE >> "$conf"
 fi
 # Append push commands
 [ "$OVPN_DNS" == "1" ] && for i in "${OVPN_DNS_SERVERS[@]}"; do
  process_push_config "dhcp-option DNS $i"
 done
 if [ "$OVPN_COMP_LZO" == "0" ]; then
    process_push_config "comp-lzo no"
 fi
 [ ${#OVPN_PUSH[@]} -gt 0 ] && for i in "${OVPN_PUSH[@]}"; do
  process_push_config "$i"
 done
 echo -e "\n### Push Configurations Below" >> "$conf"
 cat $TMP_PUSH_CONFIGFILE >> "$conf"
 # Append optional OTP authentication support
 if [ -n "${OVPN_OTP_AUTH:-}" ]; then
    echo -e "\n\n# Enable OTP+PAM for user authentication" >> "$conf"
    echo "plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn" >> "$conf"
    echo "reneg-sec 0" >> "$conf"
 fi
 # Append extra server configurations
 if [ ${#OVPN_EXTRA_SERVER_CONFIG[@]} -gt 0 ]; then
  for i in "${OVPN_EXTRA_SERVER_CONFIG[@]}"; do
    process_extra_config "$i"
  done
  echo -e "\n### Extra Configurations Below" >> "$conf"
  cat $TMP_EXTRA_CONFIGFILE >> "$conf"
 fi
 set +e
 # Clean-up duplicate configs
 if diff -q "${bak_env:-}" "$OVPN_ENV" 2>/dev/null; then
    echo "Removing duplicate back-up: $bak_env"
    rm -fv "$bak_env"
 fi
 if diff -q "${bak:-}" "$conf" 2>/dev/null; then
    echo "Removing duplicate back-up: $bak"
    rm -fv "$bak"
 fi
 echo "Successfully generated config"
--- a/docker/bin/ovpn_getclient
+++ b/docker/bin/ovpn_getclient
@@ -0,0 +1,132 @@
 #!/bin/bash
 #
 # Get an OpenVPN client configuration file
 #
 if [ "$DEBUG" == "1" ]; then
    set -x
 fi
 set -e
 if [ -z "$OPENVPN" ]; then
    export OPENVPN="$PWD"
 fi
 if ! source "$OPENVPN/ovpn_env.sh"; then
    echo "Could not source $OPENVPN/ovpn_env.sh."
    exit 1
 fi
 if [ -z "$EASYRSA_PKI" ]; then
    export EASYRSA_PKI="$OPENVPN/pki"
 fi
 cn="$1"
 parm="$2"
 if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then
    echo "Unable to find \"${cn}\", please try again or generate the key first" >&2
    exit 1
 fi
 get_client_config() {
    mode="$1"
    echo "
 client
 nobind
 dev $OVPN_DEVICE
 remote-cert-tls server
 remote $OVPN_CN $OVPN_PORT $OVPN_PROTO"
    if [ "$OVPN_PROTO" == "udp6" ]; then
        echo "remote $OVPN_CN $OVPN_PORT udp"
    fi
    if [ "$OVPN_PROTO" == "tcp6" ]; then
        echo "remote $OVPN_CN $OVPN_PORT tcp"
    fi
    for i in "${OVPN_EXTRA_CLIENT_CONFIG[@]}"; do
      echo "$i"
    done
    if [ "$mode" == "combined" ]; then
        echo "
 <key>
 $(cat $EASYRSA_PKI/private/${cn}.key)
 </key>
 <cert>
 $(openssl x509 -in $EASYRSA_PKI/issued/${cn}.crt)
 </cert>
 <ca>
 $(cat $EASYRSA_PKI/ca.crt)
 </ca>
 key-direction 1
 <tls-auth>
 $(cat $EASYRSA_PKI/ta.key)
 </tls-auth>
 "
    elif [ "$mode" == "separated" ]; then
        echo "
 key ${cn}.key
 ca ca.crt
 cert ${cn}.crt
 tls-auth ta.key 1
 "
    fi
    if [ "$OVPN_DEFROUTE" != "0" ];then
        echo "redirect-gateway def1"
    fi
    if [ -n "$OVPN_MTU" ]; then
        echo "tun-mtu $OVPN_MTU"
    fi
    if [ -n "$OVPN_TLS_CIPHER" ]; then
        echo "tls-cipher $OVPN_TLS_CIPHER"
    fi
    if [ -n "$OVPN_CIPHER" ]; then
        echo "cipher $OVPN_CIPHER"
    fi
    if [ -n "$OVPN_AUTH" ]; then
        echo "auth $OVPN_AUTH"
    fi
    if [ -n "$OVPN_OTP_AUTH" ]; then
        echo "auth-user-pass"
        echo "auth-nocache"
    fi
    if [ "$OVPN_COMP_LZO" == "1" ]; then
        echo "comp-lzo"
    fi
    if [ -n "$OVPN_OTP_AUTH" ]; then
        echo reneg-sec 0
    fi
 }
 dir="$OPENVPN/clients/$cn"
 case "$parm" in
    "separated")
        mkdir -p "$dir"
        get_client_config "$parm" > "$dir/${cn}.ovpn"
        cp "$EASYRSA_PKI/private/${cn}.key" "$dir/${cn}.key"
        cp "$EASYRSA_PKI/ca.crt" "$dir/ca.crt"
        cp "$EASYRSA_PKI/issued/${cn}.crt" "$dir/${cn}.crt"
        cp "$EASYRSA_PKI/ta.key" "$dir/ta.key"
        ;;
    "" | "combined")
        get_client_config "combined"
        ;;
    "combined-save")
        mkdir -p "$dir"
        get_client_config "combined" > "$dir/${cn}-combined.ovpn"
        ;;
    *)
        echo "This script can produce the client configuration in two formats:" >&2
        echo "    1. combined (default): All needed configuration and cryptographic material is in one file (Use \"combined-save\" to write the configuration file in the same path as the separated parameter does)." >&2
        echo "    2. separated: Separated files." >&2
        echo "Please specify one of those options as second parameter." >&2
        ;;
 esac
--- a/docker/bin/ovpn_getclient_all
+++ b/docker/bin/ovpn_getclient_all
@@ -0,0 +1,25 @@
 #!/bin/bash
 ## @licence MIT <http://opensource.org/licenses/MIT>
 ## @author Copyright (C) 2015 Robin Schneider <ypid@riseup.net>
 if [ -z "$OPENVPN" ]; then
    export OPENVPN="$PWD"
 fi
 if ! source "$OPENVPN/ovpn_env.sh"; then
    echo "Could not source $OPENVPN/ovpn_env.sh."
    exit 1
 fi
 if [ -z "$EASYRSA_PKI" ]; then
    export EASYRSA_PKI="$OPENVPN/pki"
 fi
 pushd "$EASYRSA_PKI"
 for name in issued/*.crt; do
    name=${name%.crt}
    name=${name#issued/}
    if [ "$name" != "$OVPN_CN" ]; then
        ovpn_getclient "$name" separated
        ovpn_getclient "$name" combined-save
    fi
 done
 popd
--- a/docker/bin/ovpn_initpki
+++ b/docker/bin/ovpn_initpki
@@ -4,7 +4,11 @@
 # Initialize the EasyRSA PKI
 #
-set -ex
+if [ "$DEBUG" == "1" ]; then
  set -x
 fi
 set -e
 source "$OPENVPN/ovpn_env.sh"
@@ -20,7 +24,7 @@ easyrsa init-pki
 easyrsa build-ca $nopass
 easyrsa gen-dh
-openvpn --genkey --secret $OPENVPN/pki/ta.key
+openvpn --genkey --secret $EASYRSA_PKI/ta.key
 # Was nice to autoset, but probably a bad idea in practice, users should
 # have to explicitly specify the common name of their server
@@ -34,3 +38,6 @@ openvpn --genkey --secret $OPENVPN/pki/ta.key
 # For a server key with a password, manually init; this is autopilot
 easyrsa build-server-full "$OVPN_CN" nopass
 # Generate the CRL for client/server certificates revocation.
 easyrsa gen-crl
--- a/docker/bin/ovpn_listclients
+++ b/docker/bin/ovpn_listclients
@@ -0,0 +1,54 @@
 #!/bin/bash
 if [ -z "$OPENVPN" ]; then
    export OPENVPN="$PWD"
 fi
 if ! source "$OPENVPN/ovpn_env.sh"; then
    echo "Could not source $OPENVPN/ovpn_env.sh."
    exit 1
 fi
 if [ -z "$EASYRSA_PKI" ]; then
    export EASYRSA_PKI="$OPENVPN/pki"
 fi
 cd "$EASYRSA_PKI"
 if [ -e crl.pem ]; then
    cat ca.crt crl.pem > cacheck.pem
 else
    cat ca.crt > cacheck.pem
 fi
 echo "name,begin,end,status"
 for name in issued/*.crt; do
    path=$name
    begin=$(openssl x509 -noout -startdate -in $path | awk -F= '{ print $2 }')
    end=$(openssl x509 -noout -enddate -in $path | awk -F= '{ print $2 }')
    name=${name%.crt}
    name=${name#issued/}
    if [ "$name" != "$OVPN_CN" ]; then
        # check for revocation or expiration
        command="openssl verify -crl_check -CAfile cacheck.pem $path"
        result=$($command)
        if [ $(echo "$result" | wc -l) == 1 ] && [ "$(echo "$result" | grep ": OK")" ]; then
            status="VALID"
        else
            result=$(echo "$result" | tail -n 1 | grep error | cut -d" " -f2)
            case $result in
                10)
                    status="EXPIRED"
                    ;;
                23)
                    status="REVOKED"
                    ;;
                *)
                    status="INVALID"
            esac
        fi
        echo "$name,$begin,$end,$status"
    fi
 done
 # Clean
 rm cacheck.pem
--- a/docker/bin/ovpn_otp_user
+++ b/docker/bin/ovpn_otp_user
@@ -0,0 +1,33 @@
 #!/bin/bash
 #
 # Generate OpenVPN users via google authenticator
 #
 if ! source "$OPENVPN/ovpn_env.sh"; then
    echo "Could not source $OPENVPN/ovpn_env.sh."
    exit 1
 fi
 if [ "x$OVPN_OTP_AUTH" != "x1" ]; then
    echo "OTP authentication not enabled, please regenerate configuration using -2 flag"
    exit 1
 fi
 if [ -z $1 ]; then
    echo "Usage: ovpn_otp_user USERNAME"
    exit 1
 fi
 # Ensure the otp folder is present
 [ -d /etc/openvpn/otp ] || mkdir -p /etc/openvpn/otp
 # Binary is present in image, save an $user.google_authenticator file in /etc/openvpn/otp
 if [ "$2" == "interactive" ]; then
    # Authenticator will ask for other parameters. User can choose rate limit, token reuse policy and time window policy
    # Always use time base OTP otherwise storage for counters must be configured somewhere in volume
    google-authenticator --time-based --force -l "${1}@${OVPN_CN}" -s /etc/openvpn/otp/${1}.google_authenticator
 else
    google-authenticator --time-based --disallow-reuse --force --rate-limit=3 --rate-time=30 --window-size=3 \
        -l "${1}@${OVPN_CN}" -s /etc/openvpn/otp/${1}.google_authenticator
 fi
--- a/docker/bin/ovpn_revokeclient
+++ b/docker/bin/ovpn_revokeclient
@@ -0,0 +1,61 @@
 #!/bin/bash
 #
 # Revoke a client certificate
 #
 if [ "$DEBUG" == "1" ]; then
    set -x
 fi
 set -e
 if [ -z "$OPENVPN" ]; then
    export OPENVPN="$PWD"
 fi
 if ! source "$OPENVPN/ovpn_env.sh"; then
    echo "Could not source $OPENVPN/ovpn_env.sh."
    exit 1
 fi
 if [ -z "$EASYRSA_PKI" ]; then
    export EASYRSA_PKI="$OPENVPN/pki"
 fi
 cn="$1"
 parm="$2"
 if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then
    echo "Unable to find \"${cn}\", please try again or generate the key first" >&2
    exit 1
 fi
 revoke_client_certificate(){
    easyrsa revoke "$1"
    echo "Generating the Certificate Revocation List :"
    easyrsa gen-crl
    cp -f "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem"
    chmod 644 "$OPENVPN/crl.pem"
 }
 remove_files(){
    rm -v "$EASYRSA_PKI/issued/${1}.crt"
    rm -v "$EASYRSA_PKI/private/${1}.key"
    rm -v "$EASYRSA_PKI/reqs/${1}.req"
 }
 case "$parm" in
    "remove")
        revoke_client_certificate "$cn"
        remove_files "$cn"
        ;;
    "" | "keep")
        revoke_client_certificate "$cn"
        ;;
    *)
        echo "When revoking a client certificate, this script let you choose if you want to remove the corresponding crt, key and req files." >&2
        echo "Pease note that the removal of those files is required if you want to generate a new client certificate using the revoked certificate's CN." >&2
        echo "    1. keep (default): Keep the files." >&2
        echo "    2. remove: Remove the files." >&2
        echo "Please specify one of those options as second parameter." >&2
        ;;
 esac
--- a/docker/bin/ovpn_run
+++ b/docker/bin/ovpn_run
@@ -0,0 +1,107 @@
 #!/bin/bash
 #
 # Run the OpenVPN server normally
 #
 if [ "$DEBUG" == "1" ]; then
  set -x
 fi
 set -e
 cd $OPENVPN
 # Build runtime arguments array based on environment
 USER_ARGS=("${@}")
 ARGS=()
 # Checks if ARGS already contains the given value
 function hasArg {
    local element
    for element in "${@:2}"; do
        [ "${element}" == "${1}" ] && return 0
    done
    return 1
 }
 # Adds the given argument if it's not already specified.
 function addArg {
    local arg="${1}"
    [ $# -ge 1 ] && local val="${2}"
    if ! hasArg "${arg}" "${USER_ARGS[@]}"; then
        ARGS+=("${arg}")
        [ $# -ge 1 ] && ARGS+=("${val}")
    fi
 }
 # set up iptables rules and routing
 # this allows rules/routing to be altered by supplying this function
 # in an included file, such as ovpn_env.sh
 function setupIptablesAndRouting {
    iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE || {
      iptables -t nat -A POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE
    }
    for i in "${OVPN_ROUTES[@]}"; do
        iptables -t nat -C POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE || {
          iptables -t nat -A POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE
        }
    done
 }
 addArg "--config" "$OPENVPN/openvpn.conf"
 source "$OPENVPN/ovpn_env.sh"
 mkdir -p /dev/net
 if [ ! -c /dev/net/tun ]; then
    mknod /dev/net/tun c 10 200
 fi
 if [ -d "$OPENVPN/ccd" ]; then
    addArg "--client-config-dir" "$OPENVPN/ccd"
 fi
 # When using --net=host, use this to specify nat device.
 [ -z "$OVPN_NATDEVICE" ] && OVPN_NATDEVICE=eth0
 # Setup NAT forwarding if requested
 if [ "$OVPN_DEFROUTE" != "0" ] || [ "$OVPN_NAT" == "1" ] ; then
 	# call function to setup iptables rules and routing
 	# this allows rules to be customized by supplying
 	# a replacement function in, for example, ovpn_env.sh
 	setupIptablesAndRouting
 fi
 # Use a copy of crl.pem as the CRL Needs to be readable by the user/group
 # OpenVPN is running as.  Only pass arguments to OpenVPN if it's found.
 if [ "$EASYRSA_PKI/crl.pem" -nt "$OPENVPN/crl.pem" ]; then
    cp -f "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem"
    chmod 644 "$OPENVPN/crl.pem"
 fi
 if [ -r "$OPENVPN/crl.pem" ]; then
    addArg "--crl-verify" "$OPENVPN/crl.pem"
 fi
 # If this fails, ensure the docker container is run with --privileged
 # Could be side stepped with `ip netns` madness to drop privileged flag
 echo "Enabling IPv4 Forwarding"
 sysctl -w net.ipv4.ip_forward=1 || echo "Failed to enable IPv4 forwarding"
 ip -6 route show default 2>/dev/null
 if [ $? = 0 ]; then
    echo "Enabling IPv6 Forwarding"
    # If this fails, ensure the docker container is run with --privileged
    # Could be side stepped with `ip netns` madness to drop privileged flag
    sysctl -w net.ipv6.conf.all.disable_ipv6=0 || echo "Failed to enable IPv6 support"
    sysctl -w net.ipv6.conf.default.forwarding=1 || echo "Failed to enable IPv6 Forwarding default"
    sysctl -w net.ipv6.conf.all.forwarding=1 || echo "Failed to enable IPv6 Forwarding"
 fi
 echo "Running 'openvpn ${ARGS[@]} ${USER_ARGS[@]}'"
 exec openvpn ${ARGS[@]} ${USER_ARGS[@]}
--- a/docker/bin/ovpn_status
+++ b/docker/bin/ovpn_status
@@ -3,7 +3,10 @@
 #
 # Get OpenVPN server status
 #
 if [ "$DEBUG" == "1" ]; then
  set -x
 fi
-set -ex
+set -e
 tail -F /tmp/openvpn-status.log
--- a/docker/otp/openvpn
+++ b/docker/otp/openvpn
@@ -0,0 +1,7 @@
 # Uses google authenticator library as PAM module using a single folder for all users tokens
 # User root is required to stick with an hardcoded user when trying to determine user id and allow unexisting system users
 # See https://github.com/google/google-authenticator-libpam#usersome-user
 auth required pam_google_authenticator.so secret=/etc/openvpn/otp/${USER}.google_authenticator user=root
 # Accept any user since we're dealing with virtual users there's no need to have a system account (pam_unix.so)
 account sufficient pam_permit.so
--- a/docs/backup.md
+++ b/docs/backup.md
@@ -1,18 +0,0 @@
 # Backing Up Configuration and Certificates
 ## Security
 The resulting archive from this back-up contains all credential to impersonate the server at a minimum.  If the client private keys are generated using the EasyRSA utility then it also contains the client certificates that could be used to impersonate said clients.  Most importantly, if the certificate authority key is in this archive (as it is given the quick start directions), then a adversary could generate certificates at will.
 I'd recommend encrypting the archive with something strong (e.g. gpg or openssl + AES).  For the paranoid keep backup offline.  For the truly paranoid users, never keep any keys (i.e. client and certificate authority) in the docker container to begin with :).
 TL;DR Protect the resulting archive file, by ensure there is very limited access to it.
 ## Backup to Archive
    docker run --volumes-from openvpn-data --rm busybox tar -cvf - -C /etc openvpn | xz > openvpn-backup.tar.xz
 ## Retore to New Image
    xzcat openvpn-backup.tar.xz | docker run --name openvpn-data -v /etc/openvpn -i busybox tar -xvf - -C /etc
--- a/docs/debug.md
+++ b/docs/debug.md
@@ -1,32 +0,0 @@
 # Debugging
 Random things I do to debug the containers.
 ## Stream OpenVPN Logs
 1. Get the container's name or container ID:
        root@vpn:~/docker-openvpn# docker ps
        CONTAINER ID        IMAGE                      COMMAND             CREATED             STATUS              PORTS                    NAMES
        ed335aaa9b82        kylemanna/openvpn:latest   ovpn_run            5 minutes ago       Up 5 minutes        0.0.0.0:1194->1194/udp   sad_lovelace
 2. Tail the logs:
        root@vpn:~/docker-openvpn# docker logs -f sad_lovelace
        + mkdir -p /dev/net
        + [ ! -c /dev/net/tun ]
        + mknod /dev/net/tun c 10 200
        + [ ! -d /etc/openvpn/ccd ]
        + iptables -t nat -A POSTROUTING -s 192.168.254.0/24 -o eth0 -j MASQUERADE
        + iptables -t nat -A POSTROUTING -s 192.168.255.0/24 -o eth0 -j MASQUERADE
        + conf=/etc/openvpn/openvpn.conf
        + [ ! -s /etc/openvpn/openvpn.conf ]
        + conf=/etc/openvpn/udp1194.conf
        + openvpn --config /etc/openvpn/udp1194.conf
        Tue Jul  1 06:56:48 2014 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Mar 17 2014
        Tue Jul  1 06:56:49 2014 Diffie-Hellman initialized with 2048 bit key
        Tue Jul  1 06:56:49 2014 Control Channel Authentication: using '/etc/openvpn/pki/ta.key' as a OpenVPN static key file
        Tue Jul  1 06:56:49 2014 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        Tue Jul  1 06:56:49 2014 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        Tue Jul  1 06:56:49 2014 Socket Buffers: R=[212992->131072] S=[212992->131072]
--- a/docs/static-ips.md
+++ b/docs/static-ips.md
@@ -1,24 +0,0 @@
 # Static IP Addresses
 The docker image is setup for static client configuration on the 192.168.254.0/24 subnet.  To use it follow the Quick Start section below.  Note that the IP addresses octects need to be picked special, see [OpenVPN Documentation](https://openvpn.net/index.php/open-source/documentation/howto.html#policy) for more details.
 ## Quick Start
 1. Create a client specific configuration:
        $ echo "ifconfig-push 192.168.254.1 192.168.254.2" | docker run --volumes-from openvpn-data -i --rm kylemanna/openvpn tee /etc/openvpn/ccd/CERT_COMMON_NAME
        ifconfig-push 192.168.254.1 192.168.254.2
 2. Wait for client to reconnect if necessary
 ## Advanced Admin
 Login to the openvpn-data volume with a `bash` container, note only changes in /etc/openvpn will persist:
    docker run --volumes-from openvpn-data -it --rm kylemanna/openvpn bash -l
 ## Upgrading from Old OpenVPN Configurations
 If you're running an old configuration and need to upgrade it to pull in the ccd directory run the following:
    docker run  --volumes-from openvpn-data --rm kylemanna/openvpn ovpn_genconfig
		`@@ -0,0 +1,2 @@`
							`# Enable network forwarding`
							`net.ipv4.ip_forward=1`