Ubuntu (#51)

* Debian * Make Ubuntu the base. Update TLS ciphers. Ensure the openvpn log file exists for fail2ban. * Fix default cipher string and log date format. Add the ability to override the OpenVPN port. * Updated README formatting, add a random file for easyrsa, allow specifying the OpenVPN port.
wheelybird · Dec 17, 2021 · 9c5e6d5 · 9c5e6d5
1 parent 92732c1
commit 9c5e6d5
Show file tree

Hide file tree

Showing 11 changed files with 104 additions and 68 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,21 +1,32 @@
-FROM centos:7
+FROM ubuntu:20.04
 
 MAINTAINER Brian Lycett <[email protected]>
 
-RUN yum -y install epel-release iptables bash nss-pam-ldapd ca-certificates net-tools wget openssl
-RUN wget http://ftp.tu-chemnitz.de/pub/linux/dag/redhat/el7/en/x86_64/rpmforge/RPMS/rpmforge-release-0.5.3-1.el7.rf.x86_64.rpm && yum -y install rpmforge-release-0.5.3-1.el7.rf.x86_64.rpm
-RUN yum -y install openvpn easy-rsa whatmask fail2ban google-authenticator ipcalc
-RUN yum -y upgrade
-RUN mkdir /opt/easyrsa && cp -rp /usr/share/easy-rsa/3/{x509-types,easyrsa} /opt/easyrsa
+RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive \
+    apt-get install -y --no-install-recommends \
+            easy-rsa \
+            fail2ban \
+            ipcalc \
+            iptables \
+            libpam-google-authenticator \
+            libpam-ldapd \
+            net-tools \
+            nslcd \
+            openssl \
+            openvpn && \
+    apt-get autoremove && \
+    rm -rf /var/lib/apt/lists/* && \
+    mkdir /opt/easyrsa && \
+    cp -rp /usr/share/easy-rsa/x509-types /opt/easyrsa/ && \
+    cp -rp /usr/share/easy-rsa/easyrsa /opt/easyrsa/
+
 EXPOSE 1194/udp
 EXPOSE 5555/tcp
 
 ADD ./files/bin /usr/local/bin
 RUN chmod a+x /usr/local/bin/*
-
 ADD ./files/configuration /opt/configuration
-
-# Copy openvpn PAM modules (with and without OTP)
 ADD ./files/etc/pam.d/openvpn* /opt/
 ADD ./files/easyrsa/* /opt/easyrsa/
 

diff --git a/README.md b/README.md
diff --git a/files/bin/entrypoint b/files/bin/entrypoint
@@ -8,37 +8,56 @@ set -e
 CONFIGFILES="/opt/configuration"
 
 source "$CONFIGFILES/set_defaults.sh"
+
+echo
+echo "$(date +'%F %T') - Setting up networking..."
+echo
 source "$CONFIGFILES/setup_networking.sh"
+
+echo
+echo "$(date +'%F %T') - Setting up PKI..."
+echo
 source "$CONFIGFILES/setup_pki.sh"
 
+echo
+echo "$(date +'%F %T') - Creating configuration files..."
+echo
+
 if [ "${USE_CLIENT_CERTIFICATE}" != "true" ] ; then
- source "$CONFIGFILES/setup_ldap.sh"
- source "$CONFIGFILES/setup_otp.sh"
+  source "$CONFIGFILES/setup_ldap.sh"
+  source "$CONFIGFILES/setup_otp.sh"
 fi 
 
 source "$CONFIGFILES/create_server_config.sh"
 
+###
+
 if [ "${FAIL2BAN_ENABLED}" == "true" ] ; then
- source "$CONFIGFILES/setup_fail2ban.sh"
+  echo
+  echo "$(date +'%F %T') - Starting fail2ban..."
+  echo
+  source "$CONFIGFILES/setup_fail2ban.sh"
 fi
 
 echo
-echo "***************"
-echo " Client config "
-echo "***************"
+echo "$(date +'%F %T') - Generating client config ..."
 echo
+echo "#---------- Start of client.ovpn ----------"
 /usr/local/bin/show-client-config
+echo "#----------  End of client.ovpn  ----------"
 
 echo
-echo "***************"
-echo "Running NSCLD"
-echo "***************"
+echo "$(date +'%F %T') - Starting NSCLD... (ignore any NSS_LDAP module warnings)"
 echo
 nslcd
 
+
 echo
-echo "***************"
-echo "Running OpenVPN"
-echo "***************"
+echo "$(date +'%F %T') - Running OpenVPN..."
 echo
-exec openvpn --config $OPENVPN_DIR/server.conf
+if [ "${FAIL2BAN_ENABLED}" == "true" ] ; then
+  openvpn --daemon --config $OPENVPN_DIR/server.conf
+  exec tail -f $LOG_FILE
+else
+  exec openvpn --config $OPENVPN_DIR/server.conf
+fi
diff --git a/files/bin/show-client-config b/files/bin/show-client-config
@@ -16,12 +16,12 @@ fi
 
 echo "
 client
+tls-client
 dev tun
 persist-key
 persist-tun
 remote-cert-tls server
 key-direction 1
-cipher AES-256-CBC
 auth SHA512
 proto tcp
 reneg-sec 0
@@ -64,7 +64,7 @@ echo "
 verb $OVPN_VERBOSITY
 
 <connection>
-remote $OVPN_SERVER_CN 1194 $OVPN_PROTOCOL
+remote $OVPN_SERVER_CN $OVPN_PORT $OVPN_PROTOCOL
 float
 nobind
 </connection>

diff --git a/files/configuration/create_server_config.sh b/files/configuration/create_server_config.sh
@@ -10,7 +10,7 @@ fi
 
 cat <<Part01 >>$CONFIG_FILE
 
-port 1194
+port $OVPN_PORT
 proto $OVPN_PROTOCOL
 dev $OVPN_INTERFACE_NAME
 dev-type tun
@@ -33,7 +33,10 @@ if [ "${OVPN_DNS_SERVERS}x" != "x" ] ; then
 fi
 
 if [ "${OVPN_DNS_SEARCH_DOMAIN}x" != "x" ]; then
- echo "push \"dhcp-option DOMAIN $OVPN_DNS_SEARCH_DOMAIN\"" >> $CONFIG_FILE
+ domains=(${OVPN_DNS_SEARCH_DOMAIN//,/ })
+ for this_search_domain in "${domains[@]}" ; do
+  echo "push \"dhcp-option DOMAIN $this_search_domain\"" >> $CONFIG_FILE
+ done
 fi
 
 if [ "${OVPN_ENABLE_COMPRESSION}" == "true" ]; then
@@ -65,13 +68,13 @@ cat <<Part02 >>$CONFIG_FILE
 # As we're using LDAP, each client can use the same certificate
 duplicate-cn
 
+tls-server
 tls-auth $PKI_DIR/ta.key 0 
 tls-cipher $OVPN_TLS_CIPHERS
 auth SHA512
-cipher AES-256-CBC
 
 user nobody
-group nobody
+group nogroup
 
 persist-key
 persist-tun
@@ -88,7 +91,7 @@ Part02
 if [ "${USE_CLIENT_CERTIFICATE}" != "true" ] ; then
 
 cat <<Part03 >>$CONFIG_FILE
-plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
+plugin $(dpkg-query -L openvpn | grep openvpn-plugin-auth-pam.so) openvpn
 verify-client-cert optional
 username-as-common-name
 

diff --git a/files/configuration/set_defaults.sh b/files/configuration/set_defaults.sh
@@ -31,9 +31,10 @@ if [ ! -d "$LOG_DIR" ]; then
  mkdir -p $LOG_DIR
 fi
 
-default_tls_ciphers="TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA"
+default_tls_ciphers="TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"
 
 if [ "${OVPN_TLS_CIPHERS}x" == "x" ];             then export OVPN_TLS_CIPHERS=$default_tls_ciphers;      fi
+if [ "${OVPN_PORT}x" == "x" ];                    then export OVPN_PORT="1194";                           fi
 if [ "${OVPN_PROTOCOL}x" == "x" ];                then export OVPN_PROTOCOL="udp";                        fi
 if [ "${OVPN_INTERFACE_NAME}x" == "x" ];          then export OVPN_INTERFACE_NAME="tun";                  fi
 if [ "${OVPN_NETWORK}x" == "x" ];                 then export OVPN_NETWORK="10.50.50.0 255.255.255.0";    fi
@@ -63,6 +64,7 @@ if [ "$LOG_TO_STDOUT" == "true" ]; then
  LOG_FILE="/proc/1/fd/1"
 else
  LOG_FILE="${LOG_DIR}/openvpn.log"
+ touch $LOG_FILE
 fi
 
 

diff --git a/files/configuration/setup_fail2ban.sh b/files/configuration/setup_fail2ban.sh
@@ -1,11 +1,5 @@
 #!/bin/bash
 
-echo
-echo "*****************"
-echo " Fail2ban config "
-echo "*****************"
-echo
-
 cat <<EOF >> /etc/fail2ban/filter.d/openvpn.local
 [Definition]
 
@@ -38,7 +32,7 @@ cat <<EOF >> /etc/fail2ban/fail2ban.local
 logtarget = /proc/1/fd/1
 EOF
 
-touch $LOG_FILE
-chown openvpn:openvpn $LOG_FILE
 echo "Starting fail2ban..."
+touch /var/log/auth.log
+mkdir /var/run/fail2ban
 /usr/bin/fail2ban-server -xb --logtarget=stdout start
diff --git a/files/configuration/setup_ldap.sh b/files/configuration/setup_ldap.sh
@@ -5,7 +5,7 @@ echo "ldap: creating LDAP configuration"
 cat <<EoLDAP >$LDAP_CONFIG
 
 uid nslcd
-gid ldap
+gid nslcd
 
 uri $LDAP_URI
 
@@ -30,7 +30,7 @@ if [ "${LDAP_TLS_CA_CERT}x" != "x" ] ; then
   echo "$LDAP_TLS_CA_CERT" > $OPENVPN_DIR/ldap-ca.crt
   echo "tls_cacertfile ${OPENVPN_DIR}/ldap-ca.crt" >> $LDAP_CONFIG
 else
-  echo "tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt" >> $LDAP_CONFIG
+  echo "tls_cacertfile /etc/ssl/certs/ca-certificates.crt" >> $LDAP_CONFIG
 fi
 
 if [ "${ACTIVE_DIRECTORY_COMPAT_MODE}" == "true" ]; then

diff --git a/files/configuration/setup_networking.sh b/files/configuration/setup_networking.sh
@@ -32,7 +32,8 @@ if [ "${OVPN_ROUTES}x" != "x" ] ; then
     IFS=","
     to_masquerade="${this_net}/${this_cidr}"
     echo "iptables: masquerade from $ovpn_net to $to_masquerade via $this_natdevice"
-    iptables -t nat -C POSTROUTING -s "$ovpn_net" -d "$to_masquerade" -o $this_natdevice -j MASQUERADE || \
+    echo -n "Checking for existing iptables rule: "
+    iptables -t nat -C POSTROUTING -s "$ovpn_net" -d "$to_masquerade" -o $this_natdevice -j MASQUERADE 2>&1 || \
     iptables -t nat -A POSTROUTING -s "$ovpn_net" -d "$to_masquerade" -o $this_natdevice -j MASQUERADE
    fi
 
@@ -45,10 +46,11 @@ else
  #If no routes are set then we'll redirect all traffic from the client over the tunnel.
 
  echo "push \"redirect-gateway def1\"" >> /tmp/routes_config.txt
- echo "iptables: masquerade from $ovpn_net to everywhere via $this_natdevice"
 
  if [ "$OVPN_NAT" == "true" ]; then
-  iptables -t nat -C POSTROUTING -s "$ovpn_net" -o $this_natdevice -j MASQUERADE || \
+  echo "iptables: masquerade from $ovpn_net to everywhere via $this_natdevice"
+  echo -n "Checking for existing iptables rule: "
+  iptables -t nat -C POSTROUTING -s "$ovpn_net" -o $this_natdevice -j MASQUERADE 2>&1 || \
   iptables -t nat -A POSTROUTING -s "$ovpn_net" -o $this_natdevice -j MASQUERADE
  fi
 

diff --git a/files/configuration/setup_pki.sh b/files/configuration/setup_pki.sh
@@ -1,7 +1,8 @@
 if [ ! -f "$PKI_DIR/issued/$OVPN_SERVER_CN.crt" ] || [ "$REGENERATE_CERTS" == 'true' ]; then
 
  echo "easyrsa: creating server certs"
- EASYCMD="/usr/share/easy-rsa/3/easyrsa --vars=/opt/easyrsa/vars"
+ dd if=/dev/urandom of=/etc/openvpn/pki/.rnd bs=256 count=1
+ EASYCMD="/opt/easyrsa/easyrsa --vars=/opt/easyrsa/vars"
  $EASYCMD init-pki
 
  $EASYCMD build-ca nopass

diff --git a/files/easyrsa/openssl-1.0.cnf b/files/easyrsa/openssl-1.0.cnf
@@ -19,7 +19,6 @@ certificate	= $dir/ca.crt	 	# The CA certificate
 serial		= $dir/serial 		# The current serial number
 crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/ca.key	# The private key
-RANDFILE	= $dir/.rand		# private random number file
 
 x509_extensions	= basic_exts		# The extentions to add to the cert