[DOC] update documentation

* fix indents in "quick start"

no more spaces before an command

.travis.yml

@@ -0,0 +1,33 @@
+# Disallowing packages: openvpn
+# If you require these packages, please review the package approval process at: https://github.com/travis-ci/apt-package-whitelist#package-approval-process
+#addons:
+#    apt:
+#        sources:
+#            - ubuntu-toolchain-r-test
+#        packages:
+#            - openvpn
+
+services:
+    - docker
+
+before_install:
+    - docker --version
+
+install:
+    - git clone https://github.com/docker-library/official-images.git official-images
+
+# Assist with ci test debugging:
+#   - DEBUG=1
+before_script:
+    - image="kylemanna/openvpn"
+    - docker build -t "$image" .
+    - docker inspect "$image"
+    - docker run --rm "$image" openvpn --version || true # why does it return 1?
+    - docker run --rm "$image" openssl version
+
+script:
+    - official-images/test/run.sh "$image"
+    - test/run.sh "$image"
+
+after_script:
+    - docker images

Dockerfile

@@ -1,30 +0,0 @@
-# Original credit: https://github.com/jpetazzo/dockvpn
-
-# Leaner build then Ubunutu
-FROM debian:jessie
-
-MAINTAINER Kyle Manna <kyle@kylemanna.com>
-
-RUN apt-get update && apt-get install -y openvpn iptables git-core
-
-# Update checkout to use tags when v3.0 is finally released
-RUN git clone https://github.com/OpenVPN/easy-rsa.git /usr/local/share/easy-rsa
-RUN cd /usr/local/share/easy-rsa && git checkout -b tested 89f369c5bbd13fbf0da2ea6361632c244e8af532
-RUN ln -s /usr/local/share/easy-rsa/easyrsa3/easyrsa /usr/local/bin
-
-# Needed by scripts
-ENV OPENVPN /etc/openvpn
-ENV EASYRSA /usr/local/share/easy-rsa/easyrsa3
-ENV EASYRSA_PKI $OPENVPN/pki
-ENV EASYRSA_VARS_FILE $OPENVPN/vars
-
-VOLUME ["/etc/openvpn"]
-
-# Internally uses port 1194, remap using docker
-EXPOSE 1194/udp
-
-WORKDIR /etc/openvpn
-CMD ["ovpn_run"]
-
-ADD ./bin /usr/local/bin
-RUN chmod a+x /usr/local/bin/*

LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Kyle Manna
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -1,120 +1,152 @@
-# OpenVPN for Docker
+OpenVPN for Docker-compose
+============================
 
 OpenVPN server in a Docker container complete with an EasyRSA PKI CA.
 
-## Quick Start
+Check if your port is availlable
+================================
 
-* Create the `openvpn-data` volume container
+On your server:
+```{.sh}
+nc -ul -p 1194
+```
 
-        docker run --name openvpn-data -v /etc/openvpn busybox
-
-* Initalize the `openvpn-data` container that will hold the configuration files and certificates
-
-        docker run --volumes-from openvpn-data kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM:1194
-        docker run --volumes-from openvpn-data -it kylemanna/openvpn ovpn_initpki
-
-* Start OpenVPN server process
-
-        docker run --volumes-from openvpn-data -d -p 1194:1194/udp --privileged kylemanna/openvpn
-
-* Generate a client certificate without a passphrase
-
-        docker run --volumes-from openvpn-data --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass
-
-* Retrieve the client configuration with embedded certificates
-
-        docker run --volumes-from openvpn-data --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
+On your computer
+```{.sh}
+nc -u __SERVER_IP__ 1194
+```
 
 
-## How Does It Work?
+Remove other VPN local:
 
-Initialize the volume container using the `kylemanna/openvpn` image with the
-included scripts to automatically generate:
-
-- Diffie-Hellman parameters
-- a private key
-- a self-certificate matching the private key for the OpenVPN server
-- an EasyRSA CA key and certificate
-- a TLS auth key from HMAC security
-
-The OpenVPN server is started with the default run cmd of `ovpn_run`
-
-The configuration is located in `/etc/openvpn`, and the Dockerfile
-declares that directory as a volume. It means that you can start another
-container with the `--volumes-from` flag, and access the configuration.
-The volume also holds the PKI keys and certs so that it could be backed up.
-
-To generate a client certificate, `kylemanna/openvpn` uses EasyRSA via the
-`easyrsa` command in the container's path.  The `EASYRSA_*` environmental
-variables place the PKI CA under `/etc/opevpn/pki`.
-
-Conveniently, `kylemanna/openvpn` comes with a script called `ovpn_getclient`,
-which dumps an inline OpenVPN client configuration file.  This single file can
-then be given to a client for access to the VPN.
+In case an other service is started :
+```
+sudo systemctl stop openvpn@server.service
+```
 
 
-## OpenVPN Details
+Quick Start with docker-compose
+================================
 
-We use `tun` mode, because it works on the widest range of devices.
-`tap` mode, for instance, does not work on Android, except if the device
-is rooted.
+```{.sh}
+docker-compose run --rm openvpn_service ovpn_genconfig -u udp://____VPN.SERVERNAME.COM____
+docker-compose run --rm openvpn_service ovpn_initpki
+```
 
-The topology used is `net30`, because it works on the widest range of OS.
-`p2p`, for instance, does not work on Windows.
+or
 
-The UDP server uses`192.168.255.0/24` for dynamic clients by default.
+```{.sh}
+docker-compose run --rm openvpn_service ovpn_genconfig -u udp://____VPN.SERVERNAME.COM____ -b -D -C AES-256-CBC -p ____LOCAL_IP_SERVER____/32 -R -V -F
+docker-compose run --rm openvpn_service ovpn_initpki
+```
 
-The client profile specifies `redirect-gateway def1`, meaning that after
-establishing the VPN connection, all traffic will go through the VPN.
-This might cause problems if you use local DNS recursors which are not
-directly reachable, since you will try to reach them through the VPN
-and they might not answer to you. If that happens, use public DNS
-resolvers like those of Google (8.8.4.4 and 8.8.8.8) or OpenDNS
-(208.67.222.222 and 208.67.220.220).
+**Note:** the ```-d``` create some errors
 
 
-## Security Discussion
-
-The Docker container runs its own EasyRSA PKI Certificate Authority.  This was
-chosen as a good way to compromise on security and convenience.  The container
-runs under the assumption that the OpenVPN container is running on a secure
-host, that is to say that an adversary does not have access to the PKI files
-under `/etc/openvpn/pki`.  This is a fairly reasonable compromise because if an
-adversary had access to these files, the adversary could manipulate the
-function of the OpenVPN server itself (sniff packets, create a new PKI CA, MITM
-packets, etc).
-
-* The certificate authority key is kept in the container by default for
-  simplicity.  It's highly recommended to secure the CA key with some
-  passphrase to protect against a filesystem compromise.  A more secure system
-  would put the EasyRSA PKI CA on an offline system (can use the same Docker
-  image to accomplish this).
-* It would be impossible for an adversary to sign bad or forged certificates
-  without first cracking the key's passphase should the adversary have root
-  access to the filesystem.
-* The EasyRSA `build-client-full` command will generate and leave keys on the
-  server, again possible to compromise and steal the keys.  The keys generated
-  need to signed by the CA which the user hopefully configured with a passphrase
-  as described above.
-* Assuming the rest of the Docker container's filesystem is secure, TLS + PKI
-  security should prevent any malicious host from using the VPN.
+With a teltonika routeur, you need to add the interface of the docker:
+```
+-p "route 10.3.1.0 255.255.255.0"
+```
 
 
-## Differences from jpetazzo/dockvpn
 
-* No longer uses serveconfig to distribute the configuration via https
-* Proper PKI support integrated into image
-* OpenVPN config files, PKI keys and certs are stored on a storage
-  volume for re-use across containers
-* Only offer UDP support for now, I don't have a good use case for TCP
-* Addition of tls-auth for HMAC security
+Fix ownership (depending on how to handle your backups, this may not be needed)
+---------------------------------------------------------------------------------
 
-## Tested On
+```{.sh}
+sudo chown -R $(whoami): ./openvpn-data
+```
+
+Start OpenVPN server process
+----------------------------
+
+```{.sh}
+docker-compose up -d openvpn_service
+```
+
+You can access the container logs with
+--------------------------------------
+
+```{.sh}
+docker-compose logs -f
+```
+
+Generate a client certificate
+-----------------------------
+
+```{.sh}
+export CLIENT_NAME="your_client_name"
+# with a passphrase (recommended)
+docker-compose run --rm openvpn easyrsa build-client-full $CLIENT_NAME
+# without a passphrase (not recommended)
+docker-compose run --rm openvpn easyrsa build-client-full $CLIENT_NAME nopass
+```
+
+Add toute too the client:
+```
+echo "route 10.10.1.0 255.255.255.0" >> openvpn-data/conf/openvpn.conf
+echo "iroute 10.10.1.0 255.255.255.0" > openvpn-data/conf/ccd/$CLIENT_NAME
+```
+
+
+Retrieve the client configuration with embedded certificates
+------------------------------------------------------------
+
+In a single file:
+```{.sh}
+# if the container is down
+docker-compose run --rm openvpn_service ovpn_getclient $CLIENT_NAME > $CLIENT_NAME.ovpn
+# if the container is up
+docker-compose exec openvpn_service ovpn_getclient $CLIENT_NAME > $CLIENT_NAME.ovpn
+```
+
+In multiple files
+```{.sh}
+# if the container is down
+docker-compose run --rm openvpn_service ovpn_getclient $CLIENT_NAME separated
+# if the container is up
+docker-compose exec openvpn_service ovpn_getclient $CLIENT_NAME separated
+```
+
+Revoke a client certificate
+---------------------------
+
+```{.sh}
+# Keep the corresponding crt, key and req files.
+docker-compose run --rm openvpn_service ovpn_revokeclient $CLIENT_NAME
+# Remove the corresponding crt, key and req files.
+docker-compose run --rm openvpn_service ovpn_revokeclient $CLIENT_NAME remove
+```
+
+Debugging Tips
+--------------
+
+* Create an environment variable with the name DEBUG and value of 1 to enable debug output (using "docker -e").
+
+```{.sh}
+docker-compose run -e DEBUG=1 -p 1194:1194/udp openvpn_service
+```
+
+Test on the client:
+-------------------
+
+Run in root mode:
+```
+openvpn --config $CLIENT_NAME.ovpn
+```
+
+you can test the connection with the server:
+```
+ping ____LOCAL_IP_SERVER____
+```
+
+On server test the Connectionwith the client:
+```
+ping ____CLIENT_IP_SERVER____
+```
+
+If needed add the routing rules on the server:
+```
+ip route add 10.10.0.0/16 via 10.3.0.2
+```
 
-* Docker hosts:
-  * server a Digitial Ocean Droplet with 512 MB RAM running Ubuntu 14.04
-* Clients
-  * Android App OpenVPN Connect 1.1.14 (built 56)
-     * OpenVPN core 3.0 android armv7a thumb2 32-bit
-  * OS X Mavericks with Tunnelblick 3.4beta26 (build 3828) using openvpn-2.3.4
-  * ArchLinux OpenVPN pkg 2.3.4-1

bin/ovpn_genconfig

@@ -1,167 +0,0 @@
-#!/bin/bash
-
-#
-# Generate OpenVPN configs
-#
-
-# Convert 1.2.3.4/24 -> 255.255.255.0
-cidr2mask()
-{
-    local i
-    local subnetmask=""
-    local cidr=${1#*/}
-    local full_octets=$(($cidr/8))
-    local partial_octet=$(($cidr%8))
-
-    for ((i=0;i<4;i+=1)); do
-        if [ $i -lt $full_octets ]; then
-            subnetmask+=255
-        elif [ $i -eq $full_octets ]; then
-            subnetmask+=$((256 - 2**(8-$partial_octet)))
-        else
-            subnetmask+=0
-        fi
-        [ $i -lt 3 ] && subnetmask+=.
-    done
-    echo $subnetmask
-}
-
-# Used often enough to justify a function
-getroute() {
-    echo ${1%/*} $(cidr2mask $1)
-}
-
-usage() {
-    echo "usage: $0 [-d]"
-    echo "                  -u SERVER_PUBLIC_URL"
-    echo "                 [-s SERVER_SUBNET]"
-    echo "                 [-r ROUTE ...]"
-    echo
-    echo "optional arguments:"
-    echo " -d    Disable NAT routing and default route"
-}
-
-set -ex
-
-OVPN_ENV=$OPENVPN/ovpn_env.sh
-OVPN_SERVER=192.168.255.0/24
-OVPN_DEFROUTE=1
-
-# Import defaults if present
-[ -r "$OVPN_ENV" ] && source "$OVPN_ENV"
-
-ORIG_OVPN_ROUTES=$OVPN_ROUTES
-OVPN_ROUTES=""
-
-# Parse arguments
-while getopts ":r:s:du:" opt; do
-    case $opt in
-        r)
-            if [ -n "$OVPN_ROUTES" ]; then
-                OVPN_ROUTES+=" $OPTARG"
-            else
-                OVPN_ROUTES+="$OPTARG"
-            fi
-            ;;
-        s)
-            OVPN_SERVER=$OPTARG
-            ;;
-        d)
-            OVPN_DEFROUTE=0
-            ;;
-        u)
-            OVPN_SERVER_URL=$OPTARG
-            ;;
-        \?)
-            set +x
-            echo "Invalid option: -$OPTARG" >&2
-            usage
-            exit 1
-            ;;
-        :)
-            set +x
-            echo "Option -$OPTARG requires an argument." >&2
-            usage
-            exit 1
-            ;;
-    esac
-done
-
-
-# Server name is in the form "udp://vpn.example.com:1194"
-if [[ "$OVPN_SERVER_URL" =~ ^((udp|tcp)://)?([0-9a-zA-Z\.]+)(:([0-9]+))?$ ]]; then
-    OVPN_PROTO=${BASH_REMATCH[2]};
-    OVPN_CN=${BASH_REMATCH[3]};
-    OVPN_PORT=${BASH_REMATCH[5]};
-else
-    set +x
-    echo "Common name not specified, see '-u'"
-    usage
-    exit 1
-fi
-
-# Apply defaults
-[ -z "$OVPN_PROTO" ] && OVPN_PROTO=udp
-[ -z "$OVPN_PORT" ] && OVPN_PORT=1194
-
-if [ -z "$OVPN_ROUTES" ]; then
-    if [ -n "$ORIG_OVPN_ROUTES" ]; then
-        OVPN_ROUTES=$ORIG_OVPN_ROUTES
-    else
-        OVPN_ROUTES=192.168.254.0/24
-    fi
-fi
-
-export OVPN_SERVER OVPN_ROUTES OVPN_DEFROUTE
-export OVPN_SERVER_URL OVPN_ENV OVPN_PROTO OVPN_CN OVPN_PORT
-
-# Preserve config
-if [ -f "$OVPN_ENV" ]; then
-    bak_env=$OVPN_ENV.$(date +%s).bak
-    echo "Backing up $OVPN_ENV -> $bak_env"
-    mv "$OVPN_ENV" "$bak_env"
-fi
-export | grep OVPN_ > "$OVPN_ENV"
-
-conf=$OPENVPN/openvpn.conf
-if [ -f "$conf" ]; then
-    bak=$conf.$(date +%s).bak
-    echo "Backing up $conf -> $bak"
-    mv "$conf" "$bak"
-fi
-
-cat > "$conf" <<EOF
-server $(getroute $OVPN_SERVER)
-verb 3
-#duplicate-cn
-key $EASYRSA_PKI/private/${OVPN_CN}.key
-ca $EASYRSA_PKI/ca.crt
-cert $EASYRSA_PKI/issued/${OVPN_CN}.crt
-dh $EASYRSA_PKI/dh.pem
-tls-auth $EASYRSA_PKI/ta.key
-key-direction 0
-keepalive 10 60
-persist-key
-persist-tun
-push "dhcp-option DNS 8.8.4.4"
-push "dhcp-option DNS 8.8.8.8"
-
-proto $OVPN_PROTO
-# Rely on Docker to do port mapping, internally always 1194
-port 1194
-dev tun0
-status /tmp/openvpn-status.log
-
-client-config-dir $OPENVPN/ccd
-EOF
-
-# Append Routes
-for i in ${OVPN_ROUTES[@]}; do
-    # If user passed "0" skip this, assume no extra routes
-    [ "$i" = "0" ] && break;
-    echo route $(getroute $i) >> "$conf"
-done
-
-# Clean-up duplicate configs (always return success)
-diff -q "$bak_env" "$OVPN_ENV" 2> /dev/null && rm "$bak_env" || true
-diff -q "$bak" "$conf" 2> /dev/null && rm "$bak" || true

bin/ovpn_getclient

@@ -1,46 +0,0 @@
-#!/bin/bash
-
-#
-# Get an OpenVPN client configuration file
-#
-
-set -ex
-
-source "$OPENVPN/ovpn_env.sh"
-cn=$1
-
-if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then
-    easyrsa build-server-full $cn nopass
-fi
-
-cat <<EOF
-client
-nobind
-dev tun
-remote-cert-tls server
-
-<key>
-$(cat $EASYRSA_PKI/private/${cn}.key)
-</key>
-<cert>
-$(cat $EASYRSA_PKI/issued/${cn}.crt)
-</cert>
-<ca>
-$(cat $EASYRSA_PKI/ca.crt)
-</ca>
-<dh>
-$(cat $EASYRSA_PKI/dh.pem)
-</dh>
-<tls-auth>
-$(cat $EASYRSA_PKI/ta.key)
-</tls-auth>
-key-direction 1
-
-<connection>
-remote $OVPN_CN $OVPN_PORT $OVPN_PROTO
-</connection>
-EOF
-
-if [ "$OVPN_DEFROUTE" != "0" ];then
-    echo "redirect-gateway def1"
-fi

bin/ovpn_run

@@ -1,31 +0,0 @@
-#!/bin/bash
-
-#
-# Run the OpenVPN server normally
-#
-
-set -ex
-
-source "$OPENVPN/ovpn_env.sh"
-
-mkdir -p /dev/net
-if [ ! -c /dev/net/tun ]; then
-    mknod /dev/net/tun c 10 200
-fi
-
-if [ ! -d "$OPENVPN/ccd" ]; then
-    mkdir -p /etc/openvpn/ccd
-fi
-
-# Setup NAT forwarding if requested
-if [ "$OVPN_DEFROUTE" != "0" ];then
-    iptables -t nat -A POSTROUTING -s $OVPN_SERVER -o eth0 -j MASQUERADE
-
-    for i in ${OVPN_ROUTES[@]}; do
-        iptables -t nat -A POSTROUTING -s $i -o eth0 -j MASQUERADE
-    done
-fi
-
-conf="$OPENVPN/openvpn.conf"
-
-openvpn --config "$conf"

docker-compose.yaml

@@ -0,0 +1,20 @@
+version: '3'
+services:
+  openvpn_service:
+    privileged: true
+    cap_add:
+     - NET_ADMIN
+    build: docker
+    container_name: openvpn
+    ports:
+     - "1194:1194/udp"
+    restart: always
+    volumes:
+     - ./openvpn-data/conf:/etc/openvpn
+
+networks:
+  default:
+    ipam:
+      driver: default
+      config:
+        - subnet: 10.3.1.0/30

docker/11_route_enable.conf

@@ -0,0 +1,2 @@
+# Enable network forwarding
+net.ipv4.ip_forward=1

docker/Dockerfile

@@ -0,0 +1,37 @@
+# Original credit: https://github.com/jpetazzo/dockvpn
+
+# Smallest base image
+FROM alpine:latest
+
+LABEL maintainer="Edouard DUPIN <yui.heero@gmail.com>"
+
+# Testing: pamtester
+RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing/" >> /etc/apk/repositories && \
+    apk add --update openvpn iptables bash easy-rsa openvpn-auth-pam google-authenticator pamtester && \
+    ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin && \
+    rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/*
+
+# Needed by scripts
+ENV OPENVPN /etc/openvpn
+ENV EASYRSA /usr/share/easy-rsa
+ENV EASYRSA_PKI $OPENVPN/pki
+ENV EASYRSA_VARS_FILE $OPENVPN/vars
+
+# Prevents refused client connection because of an expired CRL
+ENV EASYRSA_CRL_DAYS 3650
+
+VOLUME ["/etc/openvpn"]
+
+# Internally uses port 1194/udp, remap using `docker run -p 443:1194/tcp`
+EXPOSE 1194/udp
+
+CMD ["ovpn_run"]
+
+ADD ./11_route_enable.conf /etc/sysctl.d/11_route_enable.conf
+RUN sysctl -p /etc/sysctl.d/*
+
+ADD ./bin /usr/local/bin
+RUN chmod a+x /usr/local/bin/*
+
+# Add support for OTP authentication using a PAM module
+ADD ./otp/openvpn /etc/pam.d/

docker/bin/easyrsa_vars

@@ -4,7 +4,11 @@
 # Import/export EasyRSA default settings
 #
 
-set -ex
+if [ "$DEBUG" == "1" ]; then
+  set -x
+fi
+
+set -e
 
 if [ $# -lt 1 ]; then
     echo "No command provided"

docker/bin/ovpn_copy_server_files

@@ -0,0 +1,47 @@
+#!/bin/bash
+## @licence MIT <http://opensource.org/licenses/MIT>
+## @author Copyright (C) 2015 Robin Schneider <ypid@riseup.net>
+
+set -e
+
+if [ -z "$OPENVPN" ]; then
+    export OPENVPN="$PWD"
+fi
+if ! source "$OPENVPN/ovpn_env.sh"; then
+    echo "Could not source $OPENVPN/ovpn_env.sh."
+    exit 1
+fi
+
+TARGET="$OPENVPN/server"
+if [ -n "$1" ]; then
+    TARGET="$1"
+fi
+mkdir -p "${TARGET}"
+
+## Ensure that no other keys then the one for the server is present.
+rm -rf "$TARGET/pki/private" "$TARGET/pki/issued"
+
+FILES=(
+    "openvpn.conf"
+    "ovpn_env.sh"
+    "pki/private/${OVPN_CN}.key"
+    "pki/issued/${OVPN_CN}.crt"
+    "pki/dh.pem"
+    "pki/ta.key"
+    "pki/ca.crt"
+    "ccd"
+)
+
+if [ -f "${OPENVPN}/pki/crl.pem" ]; then
+    FILES+=("pki/crl.pem")
+fi
+
+# Ensure the ccd directory exists, even if empty
+mkdir -p "ccd"
+
+# rsync isn't available to keep size down
+# cp --parents isn't in busybox version
+# hack the directory structure with tar
+tar cf - -C "${OPENVPN}" "${FILES[@]}" | tar xvf - -C "${TARGET}"
+
+echo "Created the openvpn configuration for the server: $TARGET"

docker/bin/ovpn_genconfig

@@ -0,0 +1,467 @@
+#!/bin/bash
+
+#
+# Generate OpenVPN configs
+#
+
+TMP_PUSH_CONFIGFILE=$(mktemp -t vpn_push.XXXXXXX)
+TMP_ROUTE_CONFIGFILE=$(mktemp -t vpn_route.XXXXXXX)
+TMP_EXTRA_CONFIGFILE=$(mktemp -t vpn_extra.XXXXXXX)
+
+#Traceback on Error and Exit come from https://docwhat.org/tracebacks-in-bash/
+set -eu
+
+_showed_traceback=f
+
+traceback() {
+	# Hide the traceback() call.
+	local -i start=$(( ${1:-0} + 1 ))
+	local -i end=${#BASH_SOURCE[@]}
+	local -i i=0
+	local -i j=0
+
+	echo "Traceback (last called is first):" 1>&2
+	for ((i=${start}; i < ${end}; i++)); do
+		j=$(( $i - 1 ))
+		local function="${FUNCNAME[$i]}"
+		local file="${BASH_SOURCE[$i]}"
+		local line="${BASH_LINENO[$j]}"
+		echo "     ${function}() in ${file}:${line}" 1>&2
+	done
+}
+
+on_error() {
+  local _ec="$?"
+  local _cmd="${BASH_COMMAND:-unknown}"
+  traceback 1
+  _showed_traceback=t
+  echo "The command ${_cmd} exited with exit code ${_ec}." 1>&2
+}
+trap on_error ERR
+
+
+on_exit() {
+  echo "Cleaning up before Exit ..."
+  rm -f $TMP_PUSH_CONFIGFILE
+  rm -f $TMP_ROUTE_CONFIGFILE
+  rm -f $TMP_EXTRA_CONFIGFILE
+  local _ec="$?"
+  if [[ $_ec != 0 && "${_showed_traceback}" != t ]]; then
+    traceback 1
+  fi
+}
+trap on_exit EXIT
+
+# Convert 1.2.3.4/24 -> 255.255.255.0
+cidr2mask()
+{
+    local i
+    local subnetmask=""
+    local cidr=${1#*/}
+    local full_octets=$(($cidr/8))
+    local partial_octet=$(($cidr%8))
+
+    for ((i=0;i<4;i+=1)); do
+        if [ $i -lt $full_octets ]; then
+            subnetmask+=255
+        elif [ $i -eq $full_octets ]; then
+            subnetmask+=$((256 - 2**(8-$partial_octet)))
+        else
+            subnetmask+=0
+        fi
+        [ $i -lt 3 ] && subnetmask+=.
+    done
+    echo $subnetmask
+}
+
+# Used often enough to justify a function
+getroute() {
+    echo ${1%/*} $(cidr2mask $1)
+}
+
+usage() {
+    echo "usage: $0 [-d]"
+    echo "                  -u SERVER_PUBLIC_URL"
+    echo "                 [-e EXTRA_SERVER_CONFIG ]"
+    echo "                 [-E EXTRA_CLIENT_CONFIG ]"
+    echo "                 [-f FRAGMENT ]"
+    echo "                 [-n DNS_SERVER ...]"
+    echo "                 [-p PUSH ...]"
+    echo "                 [-r ROUTE ...]"
+    echo "                 [-s SERVER_SUBNET]"
+    echo
+    echo "optional arguments:"
+    echo " -2    Enable two factor authentication using Google Authenticator."
+    echo " -a    Authenticate  packets with HMAC using the given message digest algorithm (auth)."
+    echo " -b    Disable 'push block-outside-dns'"
+    echo " -c    Enable client-to-client option"
+    echo " -C    A list of allowable TLS ciphers delimited by a colon (cipher)."
+    echo " -d    Disable default route"
+    echo " -D    Do not push dns servers"
+    echo " -k    Set keepalive. Default: '10 120'"
+    echo " -m    Set client MTU"
+    echo " -N    Configure NAT to access external server network"
+    echo " -t    Use TAP device (instead of TUN device)"
+    echo " -T    Encrypt packets with the given cipher algorithm instead of the default one (tls-cipher)."
+    echo " -z    Enable comp-lzo compression."
+    echo " -S    Change status folder. Default '/tmp'."
+    echo " -R    Disable the reduce the OpenVPN daemon's privileges after initialization."
+    echo " -K    Set a client config directory. Default Disable. Example: 'ccd'."
+    echo " -V    Enable the the record of client <-> virtual IP address (store in a config file)."
+    echo " -L    Configure log mode: 'disable', 'enable', 'append'. Default 'disable'."
+    echo " -F    Enable the notification to the client that the server restarts."
+}
+
+process_route_config() {
+  local ovpn_route_config=''
+  ovpn_route_config="$1"
+  # If user passed "0" skip this, assume no extra routes
+  [[ "$ovpn_route_config" == "0" ]] && break;
+  echo "Processing Route Config: '${ovpn_route_config}'"
+  [[ -n "$ovpn_route_config" ]] && echo "route $(getroute $ovpn_route_config)" >> "$TMP_ROUTE_CONFIGFILE"
+}
+
+process_push_config() {
+  local ovpn_push_config=''
+  ovpn_push_config="$1"
+  echo "Processing PUSH Config: '${ovpn_push_config}'"
+  [[ -n "$ovpn_push_config" ]] && echo "push \"$ovpn_push_config\"" >> "$TMP_PUSH_CONFIGFILE"
+}
+
+process_extra_config() {
+  local ovpn_extra_config=''
+  ovpn_extra_config="$1"
+  echo "Processing Extra Config: '${ovpn_extra_config}'"
+  [[ -n "$ovpn_extra_config" ]] && echo "$ovpn_extra_config" >> "$TMP_EXTRA_CONFIGFILE"
+}
+
+if [ "${DEBUG:-}" == "1" ]; then
+  set -x
+fi
+
+set -e
+
+if [ -z "${OPENVPN:-}" ]; then
+  export OPENVPN="$PWD"
+fi
+if [ -z "${EASYRSA_PKI:-}" ]; then
+    export EASYRSA_PKI="$OPENVPN/pki"
+fi
+
+OVPN_AUTH=''
+OVPN_CIPHER=''
+OVPN_CLIENT_TO_CLIENT=''
+OVPN_CN=''
+OVPN_COMP_LZO=0
+OVPN_DEFROUTE=1
+OVPN_DEVICE="tun"
+OVPN_DEVICEN=0
+OVPN_DISABLE_PUSH_BLOCK_DNS=0
+OVPN_DNS=1
+OVPN_DNS_SERVERS=()
+OVPN_ENV=${OPENVPN}/ovpn_env.sh
+OVPN_EXTRA_CLIENT_CONFIG=()
+OVPN_EXTRA_SERVER_CONFIG=()
+OVPN_FRAGMENT=''
+OVPN_KEEPALIVE="10 120"
+OVPN_MTU=''
+OVPN_NAT=0
+OVPN_PORT=''
+OVPN_PROTO=''
+OVPN_PUSH=()
+OVPN_ROUTES=()
+OVPN_SERVER=192.168.200.0/24
+OVPN_SERVER_URL=''
+OVPN_TLS_CIPHER=''
+OVPN_STATUS_PATH='/tmp'
+OVPN_DISABLE_REDUCE_DEAMON_S_PRIVILEGES=0
+OVPN_CLIENT_CONFIG_DIR=''
+OVPN_ENABLE_KEEP_CLIENT_VIRTUAL_IP=0
+OVPN_LOG_MODE="disable"
+OVPN_ENABLE_NOTIFY_SERVER_RESTARTS=0
+
+# Import existing configuration if present
+[ -r "$OVPN_ENV" ] && source "$OVPN_ENV"
+
+# Parse arguments
+while getopts ":a:e:E:C:T:r:s:du:bcp:n:k:DNm:f:tz2S:RK:VL:F" opt; do
+    case $opt in
+        a)
+            OVPN_AUTH="$OPTARG"
+            ;;
+        e)
+            mapfile -t TMP_EXTRA_SERVER_CONFIG <<< "$OPTARG"
+            for i in "${TMP_EXTRA_SERVER_CONFIG[@]}"; do
+              OVPN_EXTRA_SERVER_CONFIG+=("$i")
+            done
+            ;;
+        E)
+            mapfile -t TMP_EXTRA_CLIENT_CONFIG <<< "$OPTARG"
+            for i in "${TMP_EXTRA_CLIENT_CONFIG[@]}"; do
+              OVPN_EXTRA_CLIENT_CONFIG+=("$i")
+            done
+            ;;
+        C)
+            OVPN_CIPHER="$OPTARG"
+            ;;
+        T)
+            OVPN_TLS_CIPHER="$OPTARG"
+            ;;
+        r)
+            mapfile -t TMP_ROUTES <<< "$OPTARG"
+            for i in "${TMP_ROUTES[@]}"; do
+              OVPN_ROUTES+=("$i")
+            done
+            ;;
+        s)
+            OVPN_SERVER="$OPTARG"
+            ;;
+        d)
+            OVPN_DEFROUTE=0
+            OVPN_DISABLE_PUSH_BLOCK_DNS=1
+            ;;
+        u)
+            OVPN_SERVER_URL="$OPTARG"
+            ;;
+        b)
+            OVPN_DISABLE_PUSH_BLOCK_DNS=1
+            ;;
+        c)
+            OVPN_CLIENT_TO_CLIENT=1
+            ;;
+        p)
+            mapfile -t TMP_PUSH <<< "$OPTARG"
+            for i in "${TMP_PUSH[@]}"; do
+              OVPN_PUSH+=("$i")
+            done
+            ;;
+        n)
+            mapfile -t TMP_DNS_SERVERS <<< "$OPTARG"
+            for i in "${TMP_DNS_SERVERS[@]}"; do
+              OVPN_DNS_SERVERS+=("$i")
+            done
+            ;;
+        D)
+            OVPN_DNS=0
+            ;;
+        N)
+            OVPN_NAT=1
+            ;;
+        k)
+            OVPN_KEEPALIVE="$OPTARG"
+            ;;
+        m)
+            OVPN_MTU="$OPTARG"
+            ;;
+        t)
+            OVPN_DEVICE="tap"
+            ;;
+        z)
+            OVPN_COMP_LZO=1
+            ;;
+        2)
+            OVPN_OTP_AUTH=1
+            ;;
+        f)
+            OVPN_FRAGMENT="$OPTARG"
+            ;;
+        S)
+            OVPN_STATUS_PATH="$OPTARG"
+            ;;
+        R)
+            OVPN_DISABLE_REDUCE_DEAMON_S_PRIVILEGES=1
+            ;;
+        K)
+            OVPN_CLIENT_CONFIG_DIR="$OPTARG"
+            ;;
+        V)
+            OVPN_ENABLE_KEEP_CLIENT_VIRTUAL_IP=1
+            ;;
+        L)
+            OVPN_LOG_MODE="$OPTARG"
+            ;;
+        F)
+            OVPN_ENABLE_NOTIFY_SERVER_RESTARTS=1
+            ;;
+        \?)
+            set +x
+            echo "Invalid option: -$OPTARG" >&2
+            usage
+            exit 1
+            ;;
+        :)
+            set +x
+            echo "Option -$OPTARG requires an argument." >&2
+            usage
+            exit 1
+            ;;
+    esac
+done
+
+# Create ccd directory for static routes
+[ ! -d "${OPENVPN:-}/ccd" ] && mkdir -p ${OPENVPN:-}/ccd
+
+# Server name is in the form "udp://vpn.example.com:1194"
+if [[ "${OVPN_SERVER_URL:-}" =~ ^((udp|tcp|udp6|tcp6)://)?([0-9a-zA-Z\.\-]+)(:([0-9]+))?$ ]]; then
+    OVPN_PROTO=${BASH_REMATCH[2]};
+    OVPN_CN=${BASH_REMATCH[3]};
+    OVPN_PORT=${BASH_REMATCH[5]};
+else
+    set +x
+    echo "Common name not specified, see '-u'"
+    usage
+    exit 1
+fi
+
+# Apply defaults. If dns servers were not defined with -n, use google nameservers
+set +u
+[ -z "$OVPN_DNS_SERVERS" ] && OVPN_DNS_SERVERS=("8.8.8.8" "8.8.4.4")
+[ -z "$OVPN_PROTO" ] && OVPN_PROTO=udp
+[ -z "$OVPN_PORT" ] && OVPN_PORT=1194
+set -u
+[ "${#OVPN_ROUTES[@]}" == "0" ] && [ "$OVPN_DEFROUTE" == "1" ] && OVPN_ROUTES+=("192.168.200.0/24")
+
+# Preserve config
+if [ -f "$OVPN_ENV" ]; then
+    bak_env=$OVPN_ENV.$(date +%s).bak
+    echo "Backing up $OVPN_ENV -> $bak_env"
+    mv "$OVPN_ENV" "$bak_env"
+fi
+
+# Save the current OVPN_ vars to the ovpn_env.sh file
+(set | grep '^OVPN_') | while read -r var; do
+  echo "declare -x $var"  >> "$OVPN_ENV"
+done
+
+conf=${OPENVPN:-}/openvpn.conf
+if [ -f "$conf" ]; then
+    bak=$conf.$(date +%s).bak
+    echo "Backing up $conf -> $bak"
+    mv "$conf" "$bak"
+fi
+
+# Echo extra client configurations
+if [ ${#OVPN_EXTRA_CLIENT_CONFIG[@]} -gt 0 ]; then
+  for i in "${OVPN_EXTRA_CLIENT_CONFIG[@]}"; do
+    echo "Processing Extra Client Config: $i"
+  done
+fi
+
+cat > "$conf" <<EOF
+server $(getroute $OVPN_SERVER)
+verb 3
+key $EASYRSA_PKI/private/${OVPN_CN}.key
+ca $EASYRSA_PKI/ca.crt
+cert $EASYRSA_PKI/issued/${OVPN_CN}.crt
+dh $EASYRSA_PKI/dh.pem
+tls-auth $EASYRSA_PKI/ta.key
+key-direction 0
+keepalive $OVPN_KEEPALIVE
+persist-key
+persist-tun
+
+proto $OVPN_PROTO
+# Rely on Docker to do port mapping, internally always 1194
+port 1194
+dev $OVPN_DEVICE$OVPN_DEVICEN
+status $OVPN_STATUS_PATH/openvpn-status.log
+
+EOF
+
+if [ "${OVPN_DISABLE_REDUCE_DEAMON_S_PRIVILEGES}" == "1" ]; then
+  echo "Disable 'user' and 'group'"
+else
+  echo "user nobody" >> "$conf"
+  echo "group nogroup" >> "$conf"
+fi
+
+if [ "${OVPN_DISABLE_PUSH_BLOCK_DNS}" == "1" ]; then
+  echo "Disable default push of 'block-outside-dns'"
+else
+  process_push_config "block-outside-dns"
+fi
+
+if [ "${OVPN_CLIENT_CONFIG_DIR}" == "" ]; then
+  echo "Disable client config 'client-config-dir'"
+else
+  echo "client-config-dir ${OVPN_CLIENT_CONFIG_DIR}" >> "$conf"
+fi
+
+[ -n "$OVPN_TLS_CIPHER" ] && echo "tls-cipher $OVPN_TLS_CIPHER" >> "$conf"
+[ -n "$OVPN_CIPHER" ] && echo "cipher $OVPN_CIPHER" >> "$conf"
+[ -n "$OVPN_AUTH" ] && echo "auth $OVPN_AUTH" >> "$conf"
+
+[ -n "${OVPN_CLIENT_TO_CLIENT:-}" ] && echo "client-to-client" >> "$conf"
+[ "$OVPN_COMP_LZO" == "1" ] && echo "comp-lzo" >> "$conf"
+[ "$OVPN_COMP_LZO" == "0" ] && echo "comp-lzo no" >> "$conf"
+
+[ "$OVPN_ENABLE_KEEP_CLIENT_VIRTUAL_IP" == "1" ] && echo "ifconfig-pool-persist /etc/openvpn/client_vitual_ip.txt" >> "$conf"
+
+[ "$OVPN_ENABLE_NOTIFY_SERVER_RESTARTS" == "1" ] && echo "explicit-exit-notify 1" >> "$conf"
+
+if [ "${OVPN_LOG_MODE}" == "enable" ]; then
+  echo "log /var/log/openvpn/openvpn.log" >> "$conf"
+else
+  if [ "${OVPN_LOG_MODE}" == "append" ]; then
+    echo "log-append /var/log/openvpn/openvpn.log" >> "$conf"
+  else
+    echo "Log file mode is disable"
+  fi
+fi
+
+[ -n "${OVPN_FRAGMENT:-}" ] && echo "fragment $OVPN_FRAGMENT" >> "$conf"
+
+# Append route commands
+if [ ${#OVPN_ROUTES[@]} -gt 0 ]; then
+  for i in "${OVPN_ROUTES[@]}"; do
+    process_route_config "$i"
+  done
+  echo -e "\n### Route Configurations Below" >> "$conf"
+  cat $TMP_ROUTE_CONFIGFILE >> "$conf"
+fi
+
+# Append push commands
+[ "$OVPN_DNS" == "1" ] && for i in "${OVPN_DNS_SERVERS[@]}"; do
+  process_push_config "dhcp-option DNS $i"
+done
+
+if [ "$OVPN_COMP_LZO" == "0" ]; then
+    process_push_config "comp-lzo no"
+fi
+
+[ ${#OVPN_PUSH[@]} -gt 0 ] && for i in "${OVPN_PUSH[@]}"; do
+  process_push_config "$i"
+done
+
+echo -e "\n### Push Configurations Below" >> "$conf"
+cat $TMP_PUSH_CONFIGFILE >> "$conf"
+
+# Append optional OTP authentication support
+if [ -n "${OVPN_OTP_AUTH:-}" ]; then
+    echo -e "\n\n# Enable OTP+PAM for user authentication" >> "$conf"
+    echo "plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn" >> "$conf"
+    echo "reneg-sec 0" >> "$conf"
+fi
+
+# Append extra server configurations
+if [ ${#OVPN_EXTRA_SERVER_CONFIG[@]} -gt 0 ]; then
+  for i in "${OVPN_EXTRA_SERVER_CONFIG[@]}"; do
+    process_extra_config "$i"
+  done
+  echo -e "\n### Extra Configurations Below" >> "$conf"
+  cat $TMP_EXTRA_CONFIGFILE >> "$conf"
+fi
+
+set +e
+
+# Clean-up duplicate configs
+if diff -q "${bak_env:-}" "$OVPN_ENV" 2>/dev/null; then
+    echo "Removing duplicate back-up: $bak_env"
+    rm -fv "$bak_env"
+fi
+if diff -q "${bak:-}" "$conf" 2>/dev/null; then
+    echo "Removing duplicate back-up: $bak"
+    rm -fv "$bak"
+fi
+
+echo "Successfully generated config"

docker/bin/ovpn_getclient

@@ -0,0 +1,132 @@
+#!/bin/bash
+
+#
+# Get an OpenVPN client configuration file
+#
+
+if [ "$DEBUG" == "1" ]; then
+    set -x
+fi
+
+set -e
+
+if [ -z "$OPENVPN" ]; then
+    export OPENVPN="$PWD"
+fi
+if ! source "$OPENVPN/ovpn_env.sh"; then
+    echo "Could not source $OPENVPN/ovpn_env.sh."
+    exit 1
+fi
+if [ -z "$EASYRSA_PKI" ]; then
+    export EASYRSA_PKI="$OPENVPN/pki"
+fi
+
+cn="$1"
+parm="$2"
+
+if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then
+    echo "Unable to find \"${cn}\", please try again or generate the key first" >&2
+    exit 1
+fi
+
+get_client_config() {
+    mode="$1"
+    echo "
+client
+nobind
+dev $OVPN_DEVICE
+remote-cert-tls server
+
+remote $OVPN_CN $OVPN_PORT $OVPN_PROTO"
+    if [ "$OVPN_PROTO" == "udp6" ]; then
+        echo "remote $OVPN_CN $OVPN_PORT udp"
+    fi
+    if [ "$OVPN_PROTO" == "tcp6" ]; then
+        echo "remote $OVPN_CN $OVPN_PORT tcp"
+    fi
+    for i in "${OVPN_EXTRA_CLIENT_CONFIG[@]}"; do
+      echo "$i"
+    done
+    if [ "$mode" == "combined" ]; then
+        echo "
+<key>
+$(cat $EASYRSA_PKI/private/${cn}.key)
+</key>
+<cert>
+$(openssl x509 -in $EASYRSA_PKI/issued/${cn}.crt)
+</cert>
+<ca>
+$(cat $EASYRSA_PKI/ca.crt)
+</ca>
+key-direction 1
+<tls-auth>
+$(cat $EASYRSA_PKI/ta.key)
+</tls-auth>
+"
+    elif [ "$mode" == "separated" ]; then
+        echo "
+key ${cn}.key
+ca ca.crt
+cert ${cn}.crt
+tls-auth ta.key 1
+"
+    fi
+
+    if [ "$OVPN_DEFROUTE" != "0" ];then
+        echo "redirect-gateway def1"
+    fi
+
+    if [ -n "$OVPN_MTU" ]; then
+        echo "tun-mtu $OVPN_MTU"
+    fi
+
+    if [ -n "$OVPN_TLS_CIPHER" ]; then
+        echo "tls-cipher $OVPN_TLS_CIPHER"
+    fi
+
+    if [ -n "$OVPN_CIPHER" ]; then
+        echo "cipher $OVPN_CIPHER"
+    fi
+
+    if [ -n "$OVPN_AUTH" ]; then
+        echo "auth $OVPN_AUTH"
+    fi
+
+    if [ -n "$OVPN_OTP_AUTH" ]; then
+        echo "auth-user-pass"
+        echo "auth-nocache"
+    fi
+
+    if [ "$OVPN_COMP_LZO" == "1" ]; then
+        echo "comp-lzo"
+    fi
+
+    if [ -n "$OVPN_OTP_AUTH" ]; then
+        echo reneg-sec 0
+    fi
+}
+
+dir="$OPENVPN/clients/$cn"
+case "$parm" in
+    "separated")
+        mkdir -p "$dir"
+        get_client_config "$parm" > "$dir/${cn}.ovpn"
+        cp "$EASYRSA_PKI/private/${cn}.key" "$dir/${cn}.key"
+        cp "$EASYRSA_PKI/ca.crt" "$dir/ca.crt"
+        cp "$EASYRSA_PKI/issued/${cn}.crt" "$dir/${cn}.crt"
+        cp "$EASYRSA_PKI/ta.key" "$dir/ta.key"
+        ;;
+    "" | "combined")
+        get_client_config "combined"
+        ;;
+    "combined-save")
+        mkdir -p "$dir"
+        get_client_config "combined" > "$dir/${cn}-combined.ovpn"
+        ;;
+    *)
+        echo "This script can produce the client configuration in two formats:" >&2
+        echo "    1. combined (default): All needed configuration and cryptographic material is in one file (Use \"combined-save\" to write the configuration file in the same path as the separated parameter does)." >&2
+        echo "    2. separated: Separated files." >&2
+        echo "Please specify one of those options as second parameter." >&2
+        ;;
+esac

docker/bin/ovpn_getclient_all

@@ -0,0 +1,25 @@
+#!/bin/bash
+## @licence MIT <http://opensource.org/licenses/MIT>
+## @author Copyright (C) 2015 Robin Schneider <ypid@riseup.net>
+
+if [ -z "$OPENVPN" ]; then
+    export OPENVPN="$PWD"
+fi
+if ! source "$OPENVPN/ovpn_env.sh"; then
+    echo "Could not source $OPENVPN/ovpn_env.sh."
+    exit 1
+fi
+if [ -z "$EASYRSA_PKI" ]; then
+    export EASYRSA_PKI="$OPENVPN/pki"
+fi
+
+pushd "$EASYRSA_PKI"
+for name in issued/*.crt; do
+    name=${name%.crt}
+    name=${name#issued/}
+    if [ "$name" != "$OVPN_CN" ]; then
+        ovpn_getclient "$name" separated
+        ovpn_getclient "$name" combined-save
+    fi
+done
+popd

docker/bin/ovpn_initpki

@@ -4,7 +4,11 @@
 # Initialize the EasyRSA PKI
 #
 
-set -ex
+if [ "$DEBUG" == "1" ]; then
+  set -x
+fi
+
+set -e
 
 source "$OPENVPN/ovpn_env.sh"
 
@@ -20,7 +24,7 @@ easyrsa init-pki
 easyrsa build-ca $nopass
 
 easyrsa gen-dh
-openvpn --genkey --secret $OPENVPN/pki/ta.key
+openvpn --genkey --secret $EASYRSA_PKI/ta.key
 
 # Was nice to autoset, but probably a bad idea in practice, users should
 # have to explicitly specify the common name of their server
@@ -34,3 +38,6 @@ openvpn --genkey --secret $OPENVPN/pki/ta.key
 
 # For a server key with a password, manually init; this is autopilot
 easyrsa build-server-full "$OVPN_CN" nopass
+
+# Generate the CRL for client/server certificates revocation.
+easyrsa gen-crl

docker/bin/ovpn_listclients

@@ -0,0 +1,54 @@
+#!/bin/bash
+
+if [ -z "$OPENVPN" ]; then
+    export OPENVPN="$PWD"
+fi
+if ! source "$OPENVPN/ovpn_env.sh"; then
+    echo "Could not source $OPENVPN/ovpn_env.sh."
+    exit 1
+fi
+if [ -z "$EASYRSA_PKI" ]; then
+    export EASYRSA_PKI="$OPENVPN/pki"
+fi
+
+cd "$EASYRSA_PKI"
+
+if [ -e crl.pem ]; then
+    cat ca.crt crl.pem > cacheck.pem
+else
+    cat ca.crt > cacheck.pem
+fi
+
+echo "name,begin,end,status"
+for name in issued/*.crt; do
+    path=$name
+    begin=$(openssl x509 -noout -startdate -in $path | awk -F= '{ print $2 }')
+    end=$(openssl x509 -noout -enddate -in $path | awk -F= '{ print $2 }')
+
+    name=${name%.crt}
+    name=${name#issued/}
+    if [ "$name" != "$OVPN_CN" ]; then
+        # check for revocation or expiration
+        command="openssl verify -crl_check -CAfile cacheck.pem $path"
+        result=$($command)
+        if [ $(echo "$result" | wc -l) == 1 ] && [ "$(echo "$result" | grep ": OK")" ]; then
+            status="VALID"
+        else
+            result=$(echo "$result" | tail -n 1 | grep error | cut -d" " -f2)
+            case $result in
+                10)
+                    status="EXPIRED"
+                    ;;
+                23)
+                    status="REVOKED"
+                    ;;
+                *)
+                    status="INVALID"
+            esac
+        fi
+        echo "$name,$begin,$end,$status"
+    fi
+done
+
+# Clean
+rm cacheck.pem

docker/bin/ovpn_otp_user

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+#
+# Generate OpenVPN users via google authenticator
+#
+
+if ! source "$OPENVPN/ovpn_env.sh"; then
+    echo "Could not source $OPENVPN/ovpn_env.sh."
+    exit 1
+fi
+
+if [ "x$OVPN_OTP_AUTH" != "x1" ]; then
+    echo "OTP authentication not enabled, please regenerate configuration using -2 flag"
+    exit 1
+fi
+
+if [ -z $1 ]; then
+    echo "Usage: ovpn_otp_user USERNAME"
+    exit 1
+fi
+
+# Ensure the otp folder is present
+[ -d /etc/openvpn/otp ] || mkdir -p /etc/openvpn/otp
+
+# Binary is present in image, save an $user.google_authenticator file in /etc/openvpn/otp
+if [ "$2" == "interactive" ]; then
+    # Authenticator will ask for other parameters. User can choose rate limit, token reuse policy and time window policy
+    # Always use time base OTP otherwise storage for counters must be configured somewhere in volume
+    google-authenticator --time-based --force -l "${1}@${OVPN_CN}" -s /etc/openvpn/otp/${1}.google_authenticator
+else
+    google-authenticator --time-based --disallow-reuse --force --rate-limit=3 --rate-time=30 --window-size=3 \
+        -l "${1}@${OVPN_CN}" -s /etc/openvpn/otp/${1}.google_authenticator
+fi

docker/bin/ovpn_revokeclient

@@ -0,0 +1,61 @@
+#!/bin/bash
+
+#
+# Revoke a client certificate
+#
+
+if [ "$DEBUG" == "1" ]; then
+    set -x
+fi
+
+set -e
+
+if [ -z "$OPENVPN" ]; then
+    export OPENVPN="$PWD"
+fi
+if ! source "$OPENVPN/ovpn_env.sh"; then
+    echo "Could not source $OPENVPN/ovpn_env.sh."
+    exit 1
+fi
+if [ -z "$EASYRSA_PKI" ]; then
+    export EASYRSA_PKI="$OPENVPN/pki"
+fi
+
+cn="$1"
+parm="$2"
+
+if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then
+    echo "Unable to find \"${cn}\", please try again or generate the key first" >&2
+    exit 1
+fi
+
+revoke_client_certificate(){
+    easyrsa revoke "$1"
+    echo "Generating the Certificate Revocation List :"
+    easyrsa gen-crl
+    cp -f "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem"
+    chmod 644 "$OPENVPN/crl.pem"
+}
+
+remove_files(){
+    rm -v "$EASYRSA_PKI/issued/${1}.crt"
+    rm -v "$EASYRSA_PKI/private/${1}.key"
+    rm -v "$EASYRSA_PKI/reqs/${1}.req"
+}
+
+case "$parm" in
+    "remove")
+        revoke_client_certificate "$cn"
+        remove_files "$cn"
+        ;;
+    "" | "keep")
+        revoke_client_certificate "$cn"
+        ;;
+    *)
+        echo "When revoking a client certificate, this script let you choose if you want to remove the corresponding crt, key and req files." >&2
+        echo "Pease note that the removal of those files is required if you want to generate a new client certificate using the revoked certificate's CN." >&2
+        echo "    1. keep (default): Keep the files." >&2
+        echo "    2. remove: Remove the files." >&2
+        echo "Please specify one of those options as second parameter." >&2
+        ;;
+esac

docker/bin/ovpn_run

@@ -0,0 +1,107 @@
+#!/bin/bash
+
+#
+# Run the OpenVPN server normally
+#
+
+if [ "$DEBUG" == "1" ]; then
+  set -x
+fi
+
+set -e
+
+cd $OPENVPN
+
+# Build runtime arguments array based on environment
+USER_ARGS=("${@}")
+ARGS=()
+
+# Checks if ARGS already contains the given value
+function hasArg {
+    local element
+    for element in "${@:2}"; do
+        [ "${element}" == "${1}" ] && return 0
+    done
+    return 1
+}
+
+# Adds the given argument if it's not already specified.
+function addArg {
+    local arg="${1}"
+    [ $# -ge 1 ] && local val="${2}"
+    if ! hasArg "${arg}" "${USER_ARGS[@]}"; then
+        ARGS+=("${arg}")
+        [ $# -ge 1 ] && ARGS+=("${val}")
+    fi
+}
+
+# set up iptables rules and routing
+# this allows rules/routing to be altered by supplying this function
+# in an included file, such as ovpn_env.sh
+function setupIptablesAndRouting {
+    iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE || {
+      iptables -t nat -A POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE
+    }
+    for i in "${OVPN_ROUTES[@]}"; do
+        iptables -t nat -C POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE || {
+          iptables -t nat -A POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE
+        }
+    done
+}
+
+
+addArg "--config" "$OPENVPN/openvpn.conf"
+
+source "$OPENVPN/ovpn_env.sh"
+
+mkdir -p /dev/net
+if [ ! -c /dev/net/tun ]; then
+    mknod /dev/net/tun c 10 200
+fi
+
+if [ -d "$OPENVPN/ccd" ]; then
+    addArg "--client-config-dir" "$OPENVPN/ccd"
+fi
+
+# When using --net=host, use this to specify nat device.
+[ -z "$OVPN_NATDEVICE" ] && OVPN_NATDEVICE=eth0
+
+# Setup NAT forwarding if requested
+if [ "$OVPN_DEFROUTE" != "0" ] || [ "$OVPN_NAT" == "1" ] ; then
+	# call function to setup iptables rules and routing
+	# this allows rules to be customized by supplying
+	# a replacement function in, for example, ovpn_env.sh
+	setupIptablesAndRouting
+fi
+
+# Use a copy of crl.pem as the CRL Needs to be readable by the user/group
+# OpenVPN is running as.  Only pass arguments to OpenVPN if it's found.
+if [ "$EASYRSA_PKI/crl.pem" -nt "$OPENVPN/crl.pem" ]; then
+    cp -f "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem"
+    chmod 644 "$OPENVPN/crl.pem"
+fi
+
+if [ -r "$OPENVPN/crl.pem" ]; then
+    addArg "--crl-verify" "$OPENVPN/crl.pem"
+fi
+
+
+# If this fails, ensure the docker container is run with --privileged
+# Could be side stepped with `ip netns` madness to drop privileged flag
+echo "Enabling IPv4 Forwarding"
+sysctl -w net.ipv4.ip_forward=1 || echo "Failed to enable IPv4 forwarding"
+
+
+ip -6 route show default 2>/dev/null
+if [ $? = 0 ]; then
+    echo "Enabling IPv6 Forwarding"
+    # If this fails, ensure the docker container is run with --privileged
+    # Could be side stepped with `ip netns` madness to drop privileged flag
+
+    sysctl -w net.ipv6.conf.all.disable_ipv6=0 || echo "Failed to enable IPv6 support"
+    sysctl -w net.ipv6.conf.default.forwarding=1 || echo "Failed to enable IPv6 Forwarding default"
+    sysctl -w net.ipv6.conf.all.forwarding=1 || echo "Failed to enable IPv6 Forwarding"
+fi
+
+echo "Running 'openvpn ${ARGS[@]} ${USER_ARGS[@]}'"
+exec openvpn ${ARGS[@]} ${USER_ARGS[@]}

docker/bin/ovpn_status

@@ -3,7 +3,10 @@
 #
 # Get OpenVPN server status
 #
+if [ "$DEBUG" == "1" ]; then
+  set -x
+fi
 
-set -ex
+set -e
 
 tail -F /tmp/openvpn-status.log

docker/otp/openvpn

@@ -0,0 +1,7 @@
+# Uses google authenticator library as PAM module using a single folder for all users tokens
+# User root is required to stick with an hardcoded user when trying to determine user id and allow unexisting system users
+# See https://github.com/google/google-authenticator-libpam#usersome-user
+auth required pam_google_authenticator.so secret=/etc/openvpn/otp/${USER}.google_authenticator user=root
+
+# Accept any user since we're dealing with virtual users there's no need to have a system account (pam_unix.so)
+account sufficient pam_permit.so

docs/backup.md

@@ -1,18 +0,0 @@
-# Backing Up Configuration and Certificates
-
-## Security
-
-The resulting archive from this back-up contains all credential to impersonate the server at a minimum.  If the client private keys are generated using the EasyRSA utility then it also contains the client certificates that could be used to impersonate said clients.  Most importantly, if the certificate authority key is in this archive (as it is given the quick start directions), then a adversary could generate certificates at will.
-
-I'd recommend encrypting the archive with something strong (e.g. gpg or openssl + AES).  For the paranoid keep backup offline.  For the truly paranoid users, never keep any keys (i.e. client and certificate authority) in the docker container to begin with :).
-
-
-TL;DR Protect the resulting archive file, by ensure there is very limited access to it.
-
-## Backup to Archive
-
-    docker run --volumes-from openvpn-data --rm busybox tar -cvf - -C /etc openvpn | xz > openvpn-backup.tar.xz
-
-## Retore to New Image
-
-    xzcat openvpn-backup.tar.xz | docker run --name openvpn-data -v /etc/openvpn -i busybox tar -xvf - -C /etc

docs/debug.md

@@ -1,32 +0,0 @@
-# Debugging
-
-Random things I do to debug the containers.
-
-## Stream OpenVPN Logs
-
-1. Get the container's name or container ID:
-
-        root@vpn:~/docker-openvpn# docker ps
-        CONTAINER ID        IMAGE                      COMMAND             CREATED             STATUS              PORTS                    NAMES
-        ed335aaa9b82        kylemanna/openvpn:latest   ovpn_run            5 minutes ago       Up 5 minutes        0.0.0.0:1194->1194/udp   sad_lovelace
-
-2. Tail the logs:
-
-        root@vpn:~/docker-openvpn# docker logs -f sad_lovelace
-        + mkdir -p /dev/net
-        + [ ! -c /dev/net/tun ]
-        + mknod /dev/net/tun c 10 200
-        + [ ! -d /etc/openvpn/ccd ]
-        + iptables -t nat -A POSTROUTING -s 192.168.254.0/24 -o eth0 -j MASQUERADE
-        + iptables -t nat -A POSTROUTING -s 192.168.255.0/24 -o eth0 -j MASQUERADE
-        + conf=/etc/openvpn/openvpn.conf
-        + [ ! -s /etc/openvpn/openvpn.conf ]
-        + conf=/etc/openvpn/udp1194.conf
-        + openvpn --config /etc/openvpn/udp1194.conf
-        Tue Jul  1 06:56:48 2014 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Mar 17 2014
-        Tue Jul  1 06:56:49 2014 Diffie-Hellman initialized with 2048 bit key
-        Tue Jul  1 06:56:49 2014 Control Channel Authentication: using '/etc/openvpn/pki/ta.key' as a OpenVPN static key file
-        Tue Jul  1 06:56:49 2014 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
-        Tue Jul  1 06:56:49 2014 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
-        Tue Jul  1 06:56:49 2014 Socket Buffers: R=[212992->131072] S=[212992->131072]
-

docs/static-ips.md

@@ -1,24 +0,0 @@
-# Static IP Addresses
-
-The docker image is setup for static client configuration on the 192.168.254.0/24 subnet.  To use it follow the Quick Start section below.  Note that the IP addresses octects need to be picked special, see [OpenVPN Documentation](https://openvpn.net/index.php/open-source/documentation/howto.html#policy) for more details.
-
-## Quick Start
-
-1. Create a client specific configuration:
-
-        $ echo "ifconfig-push 192.168.254.1 192.168.254.2" | docker run --volumes-from openvpn-data -i --rm kylemanna/openvpn tee /etc/openvpn/ccd/CERT_COMMON_NAME
-        ifconfig-push 192.168.254.1 192.168.254.2
-
-2. Wait for client to reconnect if necessary
-
-## Advanced Admin
-
-Login to the openvpn-data volume with a `bash` container, note only changes in /etc/openvpn will persist:
-
-    docker run --volumes-from openvpn-data -it --rm kylemanna/openvpn bash -l
-
-## Upgrading from Old OpenVPN Configurations
-
-If you're running an old configuration and need to upgrade it to pull in the ccd directory run the following:
-
-    docker run  --volumes-from openvpn-data --rm kylemanna/openvpn ovpn_genconfig