@ryansch
Last active February 20, 2017 17:39
openvpn HOWTO

This uses https://github.com/kylemanna/docker-openvpn for most of the heavy lifting. I've also wrapped it with some persistence management for production usage at https://github.com/outstand/docker-openvpn. I'm using a data container in production as rancherOS doesn't support named volumes in cloud config yet.

I skipped using elliptic curves until both easyrsa and openvpn support choosing the curve (NIST curves are considered harmful).

When you're done, you'll have your PKI in the named volume on your workstation and only the files that the server needs on S3. Back up the contents of the volume somewhere secure. You can't issue new certs or revoke old ones without it.

Setup

  • OVPN_DATA="openvpn-data"

  • docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -d -N -C AES-256-CBC -T TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 -a SHA512 -n <VPC_DNS_IP> -p 'route <VPC_CIDR> 255.255.0.0' -p 'route <ANOTHER_VPC_CIDR> 255.255.0.0' -u udp://<VPN_SERVER_FQDN> -e 'topology subnet' -p 'dhcp-option DOMAIN ec2.internal' -p 'dhcp-option DOMAIN amazonaws.com' -E 'remote <VPN_SERVER_FQDN> 443 tcp'

  • docker run -v $OVPN_DATA:/etc/openvpn --rm -it -e EASYRSA_KEY_SIZE=4096 kylemanna/openvpn ovpn_initpki

  • docker run -v $OVPN_DATA:/etc/openvpn --rm -it -e EASYRSA_KEY_SIZE=4096 kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass

  • docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
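Before handing CLIENTNAME.ovpn to anyone, it is worth confirming that the profile ovpn_getclient wrote actually carries the hardening you asked ovpn_genconfig for (cipher, auth digest, TLS cipher, the TCP/443 fallback) and that all key material is inline rather than referenced on disk. The script below is an added example for that check; it is not part of this gist or of kylemanna/docker-openvpn. The list of expected directives is an assumption about what the image emits for the flags used above (adjust it if your image version differs), and the sample profile it builds for the no-argument demo is constructed with placeholder PEM bodies.

```shell
#!/bin/sh
# Added example (not from the gist or kylemanna/docker-openvpn): sanity-check a
# client profile produced by `ovpn_getclient` against the options passed to
# `ovpn_genconfig` in the Setup steps.
# Usage: sh check_profile.sh CLIENTNAME.ovpn   (exit status 0 = all checks passed)

# check_ovpn_profile FILE: print every problem to stderr, return 0 only if clean.
# Assumption: with the genconfig flags above, ovpn_getclient emits the directives
# below plus inline <ca>/<cert>/<key>/<tls-auth> blocks.
check_ovpn_profile() {
    profile="$1"
    failures=0
    [ -r "$profile" ] || { echo "cannot read $profile" >&2; return 2; }

    # need PATTERN: fixed-string match that must appear somewhere in the profile
    need() {
        grep -qF -- "$1" "$profile" \
            || { echo "MISSING: $1" >&2; failures=$((failures + 1)); }
    }
    # forbid REGEX MESSAGE: extended-regex match that must NOT appear
    forbid() {
        if grep -qE -- "$1" "$profile"; then
            echo "UNEXPECTED: $2" >&2; failures=$((failures + 1))
        fi
    }

    need 'cipher AES-256-CBC'                                # -C
    need 'auth SHA512'                                       # -a
    need 'tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384'    # -T
    need 'remote-cert-tls server'   # client insists the peer cert is a server cert
    need 'key-direction 1'          # tls-auth HMAC key from ovpn_initpki is in use
    for block in ca cert key tls-auth; do
        need "<$block>"
        need "</$block>"
    done
    # The TCP/443 fallback added with -E must be present.
    grep -qE '^remote [^ ]+ 443 tcp[[:space:]]*$' "$profile" \
        || { echo "MISSING: remote ... 443 tcp fallback" >&2; failures=$((failures + 1)); }
    # Key material must be inline; a `key client.key` style line means a private
    # key file is lying around next to the profile.
    forbid '^(key|cert|ca|tls-auth) ' 'profile references external key/cert files'

    [ "$failures" -eq 0 ]
}

# Constructed sample profile for the demo (placeholder PEM bodies, not real keys).
write_sample_profile() {
    cat > "$1" <<'EOF'
client
nobind
dev tun
remote-cert-tls server
remote vpn.example.internal 1194 udp
remote vpn.example.internal 443 tcp
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
key-direction 1
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
}

if [ "$#" -gt 0 ]; then
    check_ovpn_profile "$1" && echo "OK: $1"
else
    tmp=$(mktemp) && write_sample_profile "$tmp"
    check_ovpn_profile "$tmp" && echo "OK: constructed sample profile passes"
    rm -f "$tmp"
fi
```

Run it as `sh check_profile.sh CLIENTNAME.ovpn` right after the ovpn_getclient step; with no argument it checks its own constructed sample so you can see what a passing run looks like.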

Upload to S3

  • docker run --net=none -it --rm -v $OVPN_DATA:/etc/openvpn kylemanna/openvpn ovpn_copy_server_files
  • docker run -it --rm -v $OVPN_DATA:/etc/openvpn -v ~/.aws:/root/.aws -e S3_BUCKET=<S3_BUCKET> outstand/openvpn:storage upload.sh

Run it in prod

  • docker run -d --name openvpn-storage -e S3_BUCKET=<S3_BUCKET> outstand/openvpn:storage
  • docker run -d --name openvpn --volumes-from openvpn-storage --net=host --cap-add=NET_ADMIN outstand/openvpn:latest

RancherOS Example

#cloud-config
rancher:
  services:
    openvpn-storage:
      image: outstand/openvpn:storage
      environment:
        - S3_BUCKET=${openvpn_bucket}
    openvpn:
      image: outstand/openvpn:latest
      net: host
      volumes_from:
        - openvpn-storage
      cap_add:
        - NET_ADMIN
      restart: always

Backup PKI/Config

  • docker run -v $OVPN_DATA:/etc/openvpn --rm -w /etc kylemanna/openvpn tar -zcvf - openvpn > openvpn-data.tar.gz
  • Store the tarball somewhere safe and secure. It contains the CA private key, so treat it as a secret, not just as a backup.
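A backup you have never listed is a backup you cannot rely on. The script below is an added example, not part of this gist, for producing the same tarball layout as the command above on the workstation side and then verifying that it really contains the files without which you can neither issue nor revoke certificates. The list of required entries is an assumption about the easyrsa 3 / docker-openvpn layout inside /etc/openvpn (pki/ca.crt, pki/private/ca.key, pki/index.txt, pki/serial, pki/ta.key, openvpn.conf); the directory tree it builds for the no-argument demo is constructed with placeholder contents.

```shell
#!/bin/sh
# Added example (not from the gist): archive a copy of the container's
# /etc/openvpn directory and verify the archive before trusting it as a backup.
# Usage: sh pki_backup.sh /path/to/openvpn out.tar.gz

# Entries (relative to the openvpn dir) the backup must contain to be useful.
# Assumed easyrsa 3 / docker-openvpn layout.
REQUIRED_ENTRIES='pki/ca.crt pki/private/ca.key pki/index.txt pki/serial pki/ta.key openvpn.conf'

# backup_pki SRC_DIR OUT_TGZ: archive SRC_DIR under its own basename (the same
# layout `-w /etc tar ... openvpn` produces) and keep the tarball owner-only,
# since it carries the CA private key.
backup_pki() {
    src="$1"; out="$2"
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 2; }
    parent=$(dirname "$src"); top=$(basename "$src")
    ( umask 077; tar -czf "$out" -C "$parent" "$top" ) || return 1
    chmod 600 "$out"
    echo "wrote $out ($(wc -c < "$out" | tr -d ' ') bytes)"
}

# verify_pki_backup OUT_TGZ [TOPDIR]: list the archive and confirm every
# required entry is present. Returns 0 only if the backup is usable.
verify_pki_backup() {
    out="$1"; top="${2:-openvpn}"
    listing=$(tar -tzf "$out") || { echo "not a readable gzip tarball: $out" >&2; return 2; }
    missing=0
    for entry in $REQUIRED_ENTRIES; do
        if ! printf '%s\n' "$listing" | grep -qxF "$top/$entry"; then
            echo "MISSING in backup: $top/$entry" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# checksum_file FILE: record a digest to compare against at restore time.
checksum_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1"
    else echo "no sha256 tool found; record the size instead" >&2; return 1
    fi
}

# make_sample_tree ROOT: constructed stand-in for /etc/openvpn (placeholder
# contents, no real key material) used by the demo and the self-test.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/pki/private" "$root/pki/issued"
    for f in pki/ca.crt pki/private/ca.key pki/index.txt pki/serial pki/ta.key \
             openvpn.conf ovpn_env.sh pki/issued/CLIENTNAME.crt; do
        echo "PLACEHOLDER $f" > "$root/$f"
    done
}

if [ "$#" -ge 2 ]; then
    backup_pki "$1" "$2" && verify_pki_backup "$2" "$(basename "$1")" && checksum_file "$2"
else
    work=$(mktemp -d)
    make_sample_tree "$work/openvpn"
    backup_pki "$work/openvpn" "$work/openvpn-data.tar.gz"
    verify_pki_backup "$work/openvpn-data.tar.gz" \
        && echo "OK: backup contains every required PKI file"
    rm -rf "$work"
fi
```

To check the tarball the docker command above produced rather than a directory, run `verify_pki_backup openvpn-data.tar.gz` on its own; the top-level directory in that archive is `openvpn`, which is the function's default.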