Verified commit 31db31ba, authored by Alex Thomae

Update docs and tests to use registry.gitlab.com

parent 76f8e536
Pipeline #210234964 passed with stages
in 1 minute and 55 seconds
......@@ -12,6 +12,7 @@ OpenVPN server in a Docker container complete with an EasyRSA PKI CA.
#### Upstream Links
* Gitlab Registry @ [registry.gitlab.com/ix.ai/openvpn](https://gitlab.com/ix.ai/openvpn/container_registry)
* Docker Registry @ [ixdotai/openvpn](https://hub.docker.com/r/ixdotai/openvpn/)
* GitLab @ [ix.ai/openvpn](https://gitlab.com/ix.ai/openvpn)
* GitHub @ [ix-ai/openvpn](https://github.com/ix-ai/openvpn)
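Review bot: The added registry entry is labelled `Gitlab Registry`, while the entry two lines below it spells the name `GitLab`. Use `GitLab Registry` so the list is consistent.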
......@@ -30,20 +31,20 @@ OpenVPN server in a Docker container complete with an EasyRSA PKI CA.
private key used by the newly generated certificate authority.
docker volume create --name $OVPN_DATA
docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm ixdotai/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM
docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it ixdotai/openvpn ovpn_initpki
docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm registry.gitlab.com/ix.ai/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM
docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it registry.gitlab.com/ix.ai/openvpn ovpn_initpki
* Start OpenVPN server process
docker run -v $OVPN_DATA:/etc/openvpn -d -p 1194:1194/udp --cap-add=NET_ADMIN ixdotai/openvpn
docker run -v $OVPN_DATA:/etc/openvpn -d -p 1194:1194/udp --cap-add=NET_ADMIN registry.gitlab.com/ix.ai/openvpn
* Generate a client certificate without a passphrase
docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it ixdotai/openvpn easyrsa build-client-full CLIENTNAME nopass
docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it registry.gitlab.com/ix.ai/openvpn easyrsa build-client-full CLIENTNAME nopass
* Retrieve the client configuration with embedded certificates
docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm ixdotai/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm registry.gitlab.com/ix.ai/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
## Next Steps
......@@ -68,7 +69,7 @@ If you prefer to use `docker-compose` please refer to the [documentation](docs/d
* Create an environment variable with the name DEBUG and value of 1 to enable debug output (using "docker -e").
docker run -v $OVPN_DATA:/etc/openvpn -p 1194:1194/udp --privileged -e DEBUG=1 ixdotai/openvpn
docker run -v $OVPN_DATA:/etc/openvpn -p 1194:1194/udp --privileged -e DEBUG=1 registry.gitlab.com/ix.ai/openvpn
* Test using a client that has openvpn installed correctly
......@@ -86,7 +87,7 @@ If you prefer to use `docker-compose` please refer to the [documentation](docs/d
## How Does It Work?
Initialize the volume container using the `ixdotai/openvpn` image with the
Initialize the volume container using the `registry.gitlab.com/ix.ai/openvpn` image with the
included scripts to automatically generate:
- Diffie-Hellman parameters
......@@ -102,11 +103,11 @@ declares that directory as a volume. It means that you can start another
container with the `-v` argument, and access the configuration.
The volume also holds the PKI keys and certs so that it could be backed up.
To generate a client certificate, `ixdotai/openvpn` uses EasyRSA via the
To generate a client certificate, `registry.gitlab.com/ix.ai/openvpn` uses EasyRSA via the
`easyrsa` command in the container's path. The `EASYRSA_*` environmental
variables place the PKI CA under `/etc/openvpn/pki`.
Conveniently, `ixdotai/openvpn` comes with a script called `ovpn_getclient`,
Conveniently, `registry.gitlab.com/ix.ai/openvpn` comes with a script called `ovpn_getclient`,
which dumps an inline OpenVPN client configuration file. This single file can
then be given to a client for access to the VPN.
......@@ -172,7 +173,7 @@ OpenVPN with latest OpenSSL on Ubuntu 12.04 LTS).
### It Doesn't Stomp All Over the Server's Filesystem
Everything for the Docker container is contained in two images: the ephemeral
run time image (ixdotai/openvpn) and the `$OVPN_DATA` data volume. To remove
run time image (registry.gitlab.com/ix.ai/openvpn) and the `$OVPN_DATA` data volume. To remove
it, remove the corresponding containers, `$OVPN_DATA` data volume and Docker
image and it's completely removed. This also makes it easier to run multiple
servers since each lives in the bubble of the container (of course multiple IPs
......
......@@ -9,12 +9,12 @@ The [`ovpn_genconfig`](/bin/ovpn_genconfig) script is intended for simple config
mkdir openvpn0
cd openvpn0
docker run --rm -v $PWD:/etc/openvpn ixdotai/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM:1194
docker run --rm -v $PWD:/etc/openvpn -it ixdotai/openvpn ovpn_initpki
docker run --rm -v $PWD:/etc/openvpn registry.gitlab.com/ix.ai/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM:1194
docker run --rm -v $PWD:/etc/openvpn -it registry.gitlab.com/ix.ai/openvpn ovpn_initpki
vim openvpn.conf
docker run --rm -v $PWD:/etc/openvpn -it ixdotai/openvpn easyrsa build-client-full CLIENTNAME nopass
docker run --rm -v $PWD:/etc/openvpn ixdotai/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
docker run --rm -v $PWD:/etc/openvpn -it registry.gitlab.com/ix.ai/openvpn easyrsa build-client-full CLIENTNAME nopass
docker run --rm -v $PWD:/etc/openvpn registry.gitlab.com/ix.ai/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
* Start the server with:
docker run -v $PWD:/etc/openvpn -d -p 1194:1194/udp --privileged ixdotai/openvpn
docker run -v $PWD:/etc/openvpn -d -p 1194:1194/udp --privileged registry.gitlab.com/ix.ai/openvpn
......@@ -11,11 +11,11 @@ I'd recommend encrypting the archive with something strong (e.g. gpg or openssl
## Backup to Archive
docker run -v $OVPN_DATA:/etc/openvpn --rm ixdotai/openvpn tar -cvf - -C /etc openvpn | xz > openvpn-backup.tar.xz
docker run -v $OVPN_DATA:/etc/openvpn --rm registry.gitlab.com/ix.ai/openvpn tar -cvf - -C /etc openvpn | xz > openvpn-backup.tar.xz
## Restore to New Data Volume
Creates an volume container named `$OVPN_DATA` to extract the data to.
docker volume create --name $OVPN_DATA
xzcat openvpn-backup.tar.xz | docker run -v $OVPN_DATA:/etc/openvpn -i ixdotai/openvpn tar -xvf - -C /etc
xzcat openvpn-backup.tar.xz | docker run -v $OVPN_DATA:/etc/openvpn -i registry.gitlab.com/ix.ai/openvpn tar -xvf - -C /etc
......@@ -13,7 +13,7 @@ Note that some client software might be picky about which configuration format i
See an overview of the configured clients, including revocation and expiration status:
docker run --rm -it -v $OVPN_DATA:/etc/openvpn ixdotai/openvpn ovpn_listclients
docker run --rm -it -v $OVPN_DATA:/etc/openvpn registry.gitlab.com/ix.ai/openvpn ovpn_listclients
The output is generated using `openssl verify`. Error codes from the verification process different from `X509_V_ERR_CERT_HAS_EXPIRED` or `X509_V_ERR_CERT_REVOKED` will show the status `INVALID`.
......@@ -23,7 +23,7 @@ If you have more than a few clients, you will want to generate and update your c
Execute the following to generate the configuration for all clients:
docker run --rm -it -v $OVPN_DATA:/etc/openvpn --volume /tmp/openvpn_clients:/etc/openvpn/clients ixdotai/openvpn ovpn_getclient_all
docker run --rm -it -v $OVPN_DATA:/etc/openvpn --volume /tmp/openvpn_clients:/etc/openvpn/clients registry.gitlab.com/ix.ai/openvpn ovpn_getclient_all
After doing so, you will find the following files in each of the `$cn` directories:
......@@ -38,10 +38,10 @@ After doing so, you will find the following files in each of the `$cn` directori
Revoke `client1`'s certificate and generate the certificate revocation list (CRL) using [`ovpn_revokeclient`](/bin/ovpn_revokeclient) script :
docker run --rm -it -v $OVPN_DATA:/etc/openvpn ixdotai/openvpn ovpn_revokeclient client1
docker run --rm -it -v $OVPN_DATA:/etc/openvpn registry.gitlab.com/ix.ai/openvpn ovpn_revokeclient client1
The OpenVPN server will read this change every time a client connects (no need to restart server) and deny clients access using revoked certificates.
You can optionally pass `remove` as second parameter to ovpn_revokeclient to remove the corresponding crt, key and req files :
docker run --rm -it -v $OVPN_DATA:/etc/openvpn ixdotai/openvpn ovpn_revokeclient client1 remove
docker run --rm -it -v $OVPN_DATA:/etc/openvpn registry.gitlab.com/ix.ai/openvpn ovpn_revokeclient client1 remove
......@@ -7,7 +7,7 @@ Random things I do to debug the containers.
* Create a shell in the running docker container with `docker exec`.
* To modify the data, you can also mount the data container and modify it with
docker run --rm -it -v $OVPN_DATA:/etc/openvpn ixdotai/openvpn bash -l
docker run --rm -it -v $OVPN_DATA:/etc/openvpn registry.gitlab.com/ix.ai/openvpn bash -l
## Stream OpenVPN Logs
......@@ -15,7 +15,7 @@ Random things I do to debug the containers.
root@vpn:~/docker-openvpn# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ed335aaa9b82 ixdotai/openvpn:latest ovpn_run 5 minutes ago Up 5 minutes 0.0.0.0:1194->1194/udp sad_lovelace
ed335aaa9b82 registry.gitlab.com/ix.ai/openvpn:latest ovpn_run 5 minutes ago Up 5 minutes 0.0.0.0:1194->1194/udp sad_lovelace
2. Tail the logs:
......
......@@ -8,7 +8,7 @@ services:
openvpn:
cap_add:
- NET_ADMIN
image: ixdotai/openvpn
image: registry.gitlab.com/ix.ai/openvpn
container_name: openvpn
ports:
- "1194:1194/udp"
......
......@@ -4,14 +4,14 @@
Use a Docker image with an editor and connect the volume container:
docker run -v $OVPN_DATA:/etc/openvpn --rm -it ixdotai/openvpn vi /etc/openvpn/openvpn.conf
docker run -v $OVPN_DATA:/etc/openvpn --rm -it registry.gitlab.com/ix.ai/openvpn vi /etc/openvpn/openvpn.conf
## Why not keep everything in one image?
The run-time image (`ixdotai/openvpn`) is intended to be an ephemeral image. Nothing should be saved in it so that it can be re-downloaded and re-run when updates are pushed (i.e. newer version of OpenVPN or even Debian). The data container contains all this data and is attached at run time providing a safe home.
The run-time image (`registry.gitlab.com/ix.ai/openvpn`) is intended to be an ephemeral image. Nothing should be saved in it so that it can be re-downloaded and re-run when updates are pushed (i.e. newer version of OpenVPN or even Debian). The data container contains all this data and is attached at run time providing a safe home.
If it was all in one container, an upgrade would require a few steps to extract all the data, perform some upgrade import, and re-run. This technique is also prone to people losing their EasyRSA PKI when they forget where it was. With everything in the data container upgrading is as simple as re-running `docker pull ixdotai/openvpn` and then `docker run ... ixdotai/openvpn`.
If it was all in one container, an upgrade would require a few steps to extract all the data, perform some upgrade import, and re-run. This technique is also prone to people losing their EasyRSA PKI when they forget where it was. With everything in the data container upgrading is as simple as re-running `docker pull registry.gitlab.com/ix.ai/openvpn` and then `docker run ... registry.gitlab.com/ix.ai/openvpn`.
## How do I set up a split tunnel?
......
......@@ -53,7 +53,7 @@ On modern **systemd** distributions copy the service file and modify it and relo
Copy the systemd init file from the docker-openvpn /init directory of the repository and install into `/etc/systemd/system/docker-openvpn.service`
curl -o /etc/systemd/system/docker-openvpn@.service 'https://raw.githubusercontent.com/ixdotai/docker-openvpn/dev/init/docker-openvpn%40.service'
curl -o /etc/systemd/system/docker-openvpn@.service 'https://raw.githubusercontent.com/registry.gitlab.com/ix.ai/docker-openvpn/dev/init/docker-openvpn%40.service'
Edit the file, replace `IP6_PREFIX` value with the value of your /64 prefix.
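Review bot: The rewritten `curl` URL no longer names a GitHub repository. The blanket substitution of `ixdotai/` produced `raw.githubusercontent.com/registry.gitlab.com/ix.ai/docker-openvpn/...`, which puts the registry hostname where the GitHub owner belongs. Because the downloaded file is written straight to `/etc/systemd/system/`, this line should keep a real source path (the GitHub owner/repo, or the raw file of the GitLab project) and be excluded from the image-name replacement.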
......@@ -97,5 +97,5 @@ This will allow connections over IPv4 and IPv6.
Generate server configuration with the udp6 or tcp6 protocol:
docker run -v $OVPN_DATA:/etc/openvpn --rm ixdotai/openvpn ovpn_genconfig -u udp6://VPN.SERVERNAME.COM
docker run -v $OVPN_DATA:/etc/openvpn --rm ixdotai/openvpn ovpn_genconfig -u tcp6://VPN.SERVERNAME.COM
docker run -v $OVPN_DATA:/etc/openvpn --rm registry.gitlab.com/ix.ai/openvpn ovpn_genconfig -u udp6://VPN.SERVERNAME.COM
docker run -v $OVPN_DATA:/etc/openvpn --rm registry.gitlab.com/ix.ai/openvpn ovpn_genconfig -u tcp6://VPN.SERVERNAME.COM
......@@ -13,22 +13,22 @@ In order to enable two factor authentication the following steps are required.
1. Generate server configuration with the `-2` option. It's no longer necessary to supply the cipher option because OpenVPN 2.4 [uses AES-256-GCM by default](https://community.openvpn.net/openvpn/wiki/SWEET32).
```bash
docker run -v $OVPN_DATA:/etc/openvpn --rm ixdotai/openvpn ovpn_genconfig -u udp://vpn.example.com -2
docker run -v $OVPN_DATA:/etc/openvpn --rm registry.gitlab.com/ix.ai/openvpn ovpn_genconfig -u udp://vpn.example.com -2
```
1. Init the EasyRSA PKI.
```bash
docker run -v $PWD/data:/etc/openvpn --rm -it ixdotai/openvpn ovpn_initpki
docker run -v $PWD/data:/etc/openvpn --rm -it registry.gitlab.com/ix.ai/openvpn ovpn_initpki
```
1. Generate your client certificate (possibly without a password since you're using OTP)
```bash
docker run -v $OVPN_DATA:/etc/openvpn --rm -it ixdotai/openvpn easyrsa build-client-full <user> nopass
docker run -v $OVPN_DATA:/etc/openvpn --rm -it registry.gitlab.com/ix.ai/openvpn easyrsa build-client-full <user> nopass
```
1. Generate authentication configuration for your client. `-t` is needed to display the QR code, `-i` is also needed as `google_authenticator` prompts you to enter an OTP token to test. The QR code can be scanned with the Google Authenticator application. It also provides a link to a Google chart url that will display a QR code for the authentication.
```bash
docker run -v $OVPN_DATA:/etc/openvpn --rm -it ixdotai/openvpn ovpn_otp_user <user>
docker run -v $OVPN_DATA:/etc/openvpn --rm -it registry.gitlab.com/ix.ai/openvpn ovpn_otp_user <user>
```
**Do not share QR code (or generated url) with anyone but final user, that is your second factor for authentication
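Review bot: Step 2 ("Init the EasyRSA PKI") mounts `$PWD/data`, while steps 1, 3 and 4 mount `$OVPN_DATA`. As written, the PKI is initialised in a different location from the one the config, client certificate and OTP commands use. Change it to `-v $OVPN_DATA:/etc/openvpn` while this line is being touched.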
......@@ -67,7 +67,7 @@ If you have an existing installation with customised config, follow this tutoria
1. Alternatively, you could regenerate the client config if yours doesn't have custom fields added.
```bash
docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm ixdotai/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm registry.gitlab.com/ix.ai/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
```
## TL;DR
......@@ -84,7 +84,7 @@ If something is not working you can verify your PAM setup with these commands
```
# Start a shell in container
docker run -v $OVPN_DATA:/etc/openvpn --rm -it ixdotai/openvpn bash
docker run -v $OVPN_DATA:/etc/openvpn --rm -it registry.gitlab.com/ix.ai/openvpn bash
# Then in container you have pamtester utility already installed
which pamtester
......
......@@ -5,9 +5,9 @@ As mentioned in the [backup section](/docs/backup.md), there are good reasons to
Execute the following commands. Note that you might want to change the volume `$PWD` or use a data docker container for this.
docker run --net=none --rm -t -i -v $PWD:/etc/openvpn ixdotai/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM
docker run --net=none --rm -t -i -v $PWD:/etc/openvpn ixdotai/openvpn ovpn_initpki
docker run --net=none --rm -t -i -v $PWD:/etc/openvpn ixdotai/openvpn ovpn_copy_server_files
docker run --net=none --rm -t -i -v $PWD:/etc/openvpn registry.gitlab.com/ix.ai/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM
docker run --net=none --rm -t -i -v $PWD:/etc/openvpn registry.gitlab.com/ix.ai/openvpn ovpn_initpki
docker run --net=none --rm -t -i -v $PWD:/etc/openvpn registry.gitlab.com/ix.ai/openvpn ovpn_copy_server_files
The [`ovpn_copy_server_files`](/bin/ovpn_copy_server_files) script puts all the needed configuration in a subdirectory which defaults to `$OPENVPN/server`. All you need to do now is to copy this directory to the server and you are good to go.
......@@ -22,7 +22,7 @@ If you want to select the ciphers used by OpenVPN the following parameters of th
The following options have been tested successfully:
docker run -v $OVPN_DATA:/etc/openvpn --net=none --rm ixdotai/openvpn ovpn_genconfig -C 'AES-256-CBC' -a 'SHA384'
docker run -v $OVPN_DATA:/etc/openvpn --net=none --rm registry.gitlab.com/ix.ai/openvpn ovpn_genconfig -C 'AES-256-CBC' -a 'SHA384'
Changing the `tls-cipher` option seems to be more complicated because some clients (namely NetworkManager in Debian Jessie) seem to have trouble with this. Running `openvpn` manually also did not solve the issue:
......@@ -33,8 +33,8 @@ Changing the `tls-cipher` option seems to be more complicated because some clien
EasyRSA will generate 4096 bit RSA keys when the `-e EASYRSA_KEY_SIZE=4096` argument is added to `ovpn_initpki` and `easyrsa build-client-full` commands.
docker run -e EASYRSA_KEY_SIZE=4096 -v $OVPN_DATA:/etc/openvpn --rm -it ixdotai/openvpn ovpn_initpki
docker run -e EASYRSA_KEY_SIZE=4096 -v $OVPN_DATA:/etc/openvpn --rm -it ixdotai/openvpn easyrsa build-client-full CLIENTNAME nopass
docker run -e EASYRSA_KEY_SIZE=4096 -v $OVPN_DATA:/etc/openvpn --rm -it registry.gitlab.com/ix.ai/openvpn ovpn_initpki
docker run -e EASYRSA_KEY_SIZE=4096 -v $OVPN_DATA:/etc/openvpn --rm -it registry.gitlab.com/ix.ai/openvpn easyrsa build-client-full CLIENTNAME nopass
## Logging and stdout
......@@ -42,7 +42,7 @@ Because you are running within Docker, remember that any command that generates
A simple way to avoid having Docker log output for a given command is to run with `--log-driver=none`, e.g
docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm ixdotai/openvpn ovpn_getclient USER > USER.ovpn
docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm registry.gitlab.com/ix.ai/openvpn ovpn_getclient USER > USER.ovpn
## Additional Resources
......
......@@ -6,7 +6,7 @@ The docker image is setup for static client configuration on the 192.168.254.0/2
1. Create a client specific configuration:
$ echo "ifconfig-push 192.168.254.1 192.168.254.2" | docker run -v $OVPN_DATA:/etc/openvpn -i --rm ixdotai/openvpn tee /etc/openvpn/ccd/CERT_COMMON_NAME
$ echo "ifconfig-push 192.168.254.1 192.168.254.2" | docker run -v $OVPN_DATA:/etc/openvpn -i --rm registry.gitlab.com/ix.ai/openvpn tee /etc/openvpn/ccd/CERT_COMMON_NAME
ifconfig-push 192.168.254.1 192.168.254.2
2. Wait for client to reconnect if necessary
......@@ -15,10 +15,10 @@ The docker image is setup for static client configuration on the 192.168.254.0/2
Login to the data volume with a `bash` container, note only changes in /etc/openvpn will persist:
docker run -v $OVPN_DATA:/etc/openvpn -it --rm ixdotai/openvpn bash -l
docker run -v $OVPN_DATA:/etc/openvpn -it --rm registry.gitlab.com/ix.ai/openvpn bash -l
## Upgrading from Old OpenVPN Configurations
If you're running an old configuration and need to upgrade it to pull in the ccd directory run the following:
docker run -v $OVPN_DATA:/etc/openvpn --rm ixdotai/openvpn ovpn_genconfig
docker run -v $OVPN_DATA:/etc/openvpn --rm registry.gitlab.com/ix.ai/openvpn ovpn_genconfig
......@@ -23,13 +23,13 @@ To use and enable automatic start by systemd:
2. Initialize the data container, but don't start the container :
docker run -v $OVPN_DATA:/etc/openvpn --rm ixdotai/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM
docker run -v $OVPN_DATA:/etc/openvpn --rm -it ixdotai/openvpn ovpn_initpki
docker run -v $OVPN_DATA:/etc/openvpn --rm registry.gitlab.com/ix.ai/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM
docker run -v $OVPN_DATA:/etc/openvpn --rm -it registry.gitlab.com/ix.ai/openvpn ovpn_initpki
3. Download the [docker-openvpn@.service](https://raw.githubusercontent.com/ixdotai/docker-openvpn/master/init/docker-openvpn%40.service)
3. Download the [docker-openvpn@.service](https://raw.githubusercontent.com/registry.gitlab.com/ix.ai/docker-openvpn/master/init/docker-openvpn%40.service)
file to `/etc/systemd/system`:
curl -L https://raw.githubusercontent.com/ixdotai/docker-openvpn/master/init/docker-openvpn%40.service | sudo tee /etc/systemd/system/docker-openvpn@.service
curl -L https://raw.githubusercontent.com/registry.gitlab.com/ix.ai/docker-openvpn/master/init/docker-openvpn%40.service | sudo tee /etc/systemd/system/docker-openvpn@.service
4. Enable and start the service with:
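Review bot: Both the Markdown link and the `curl -L ... | sudo tee` command in step 3 were caught by the image-name replacement and now read `raw.githubusercontent.com/registry.gitlab.com/ix.ai/docker-openvpn/master/...`, which is a registry path spliced into a GitHub raw URL. Restore a valid source for `docker-openvpn@.service` in both places. A unit file piped into `/etc/systemd/system` with `sudo` should come from a location the project actually controls.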
......
......@@ -10,18 +10,18 @@ Another example would be trying to open a VPN connection from within a very rest
## Using TCP
Those requiring TCP connections should initialize the data container by specifying the TCP protocol and port number:
docker run -v $OVPN_DATA:/etc/openvpn --rm ixdotai/openvpn ovpn_genconfig -u tcp://VPN.SERVERNAME.COM:443
docker run -v $OVPN_DATA:/etc/openvpn --rm -it ixdotai/openvpn ovpn_initpki
docker run -v $OVPN_DATA:/etc/openvpn --rm registry.gitlab.com/ix.ai/openvpn ovpn_genconfig -u tcp://VPN.SERVERNAME.COM:443
docker run -v $OVPN_DATA:/etc/openvpn --rm -it registry.gitlab.com/ix.ai/openvpn ovpn_initpki
Because the server container always exposes port 1194, regardless of the
specified protocol, adjust the mapping appropriately:
docker run -v $OVPN_DATA:/etc/openvpn -d -p 443:1194/tcp --cap-add=NET_ADMIN ixdotai/openvpn
docker run -v $OVPN_DATA:/etc/openvpn -d -p 443:1194/tcp --cap-add=NET_ADMIN registry.gitlab.com/ix.ai/openvpn
## Running a Second Fallback TCP Container
Instead of choosing between UDP and TCP, you can use both. A single instance of OpenVPN can only listen for a single protocol on a single port, but this image makes it easy to run two instances simultaneously. After building, configuring, and starting a standard container listening for UDP traffic on 1194, you can start a second container listening for tcp traffic on port 443:
docker run -v $OVPN_DATA:/etc/openvpn --rm -p 443:1194/tcp --privileged ixdotai/openvpn ovpn_run --proto tcp
docker run -v $OVPN_DATA:/etc/openvpn --rm -p 443:1194/tcp --privileged registry.gitlab.com/ix.ai/openvpn ovpn_run --proto tcp
`ovpn_run` will load all the values from the default config file, and `--proto tcp` will override the protocol setting.
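Review bot: The fallback TCP command at the end of this hunk still runs with `--privileged`, while the primary TCP command a few lines above it gets by with `--cap-add=NET_ADMIN`. Since both lines are being rewritten anyway, use `--cap-add=NET_ADMIN` for the `ovpn_run --proto tcp` container as well, or document why that one needs full privileges.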
......@@ -36,7 +36,7 @@ First, change the listening port of your existing webserver (for instance from 4
Then initialize the data container by specifying the TCP protocol, port 443 and the port-share option:
docker run -v $OVPN_DATA:/etc/openvpn --rm ixdotai/openvpn ovpn_genconfig \
docker run -v $OVPN_DATA:/etc/openvpn --rm registry.gitlab.com/ix.ai/openvpn ovpn_genconfig \
-u tcp://VPN.SERVERNAME.COM:443 \
-e 'port-share VPN.SERVERNAME.COM 4433'
......
......@@ -46,7 +46,7 @@ Restart=always
#Environment="ARGS=--config openvpn.conf --server-ipv6 2001:db8::/64"
Environment="NAME=ovpn-%i"
Environment="DATA_VOL=ovpn-data-%i"
Environment="IMG=ixdotai/openvpn:latest"
Environment="IMG=registry.gitlab.com/ix.ai/openvpn:latest"
Environment="PORT=1194:1194/udp"
# To override environment variables, use local configuration directory:
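Review bot: `IMG=registry.gitlab.com/ix.ai/openvpn:latest` keeps the mutable `:latest` tag in a unit that has `Restart=always`, so what the service runs depends on whatever that tag resolves to when the image is pulled. While switching registries, consider setting `IMG` to a fixed version tag or digest and leaving `:latest` to the local override mechanism mentioned in the comment below.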
......
......@@ -4,5 +4,5 @@ start on filesystem and started docker
stop on runlevel [!2345]
respawn
script
exec docker run -v ovpn-data-example:/etc/openvpn --rm -p 1194:1194/udp --cap-add=NET_ADMIN ixdotai/openvpn
exec docker run -v ovpn-data-example:/etc/openvpn --rm -p 1194:1194/udp --cap-add=NET_ADMIN registry.gitlab.com/ix.ai/openvpn
end script
......@@ -4,9 +4,9 @@ Philosophy is to not re-invent the wheel while allowing users to quickly test re
Example invocation from top-level of repository:
docker build -t ixdotai/openvpn .
test/run.sh ixdotai/openvpn
# Be sure to pull ixdotai/openvpn:latest after you're done testing
docker build -t registry.gitlab.com/ix.ai/openvpn .
test/run.sh registry.gitlab.com/ix.ai/openvpn
# Be sure to pull registry.gitlab.com/ix.ai/openvpn:latest after you're done testing
More details: https://github.com/docker-library/official-images/tree/master/test
......
......@@ -2,7 +2,7 @@
set -e
testAlias+=(
[ixdotai/openvpn]='openvpn'
[registry.gitlab.com/ix.ai/openvpn]='openvpn'
)
imageTests+=(
......
......@@ -20,7 +20,7 @@ function cleanup {
[ -n "${DEBUG+x}" ] && set -x
OVPN_DATA=iptables-data
IMG="ixdotai/openvpn"
IMG="registry.gitlab.com/ix.ai/openvpn"
NAME="ovpn-iptables"
SERV_IP=$(ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::' | head -n1)
......
......@@ -26,7 +26,7 @@ function cleanup {
OVPN_DATA=data-otp
CLIENT=gitlab-client
IMG=ixdotai/openvpn
IMG=registry.gitlab.com/ix.ai/openvpn
NAME="ovpn-otp"
OTP_USER=otp
CLIENT_DIR="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/../../client")"
......
......@@ -24,7 +24,7 @@ function cleanup {
OVPN_DATA="revocation-data"
CLIENT1="gitlab-client1"
CLIENT2="gitlab-client2"
IMG="ixdotai/openvpn"
IMG="registry.gitlab.com/ix.ai/openvpn"
NAME="ovpn-test"
CLIENT_DIR="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/../../client")"
SERV_IP="$(ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::' | head -n1)"
......