Bernhard.Linz/openvpn-install
1
0
Fork 0
mirror of https://github.com/angristan/openvpn-install.git synced 2025-12-31 06:57:02 +01:00
Code Issues Projects Releases Wiki Activity
Files
28050efa50a64d79f834a7bdd8a9eea6d32ec2f7
openvpn-install/test/Dockerfile.server
Stanislas 28050efa50 fix: support fingerprint mode in client management operations (#1446) 
## Summary

Fixes fingerprint mode (OpenVPN 2.6+ peer-fingerprint authentication)
which was broken for client management operations.

### CI Fix
Docker environment variables (`AUTH_MODE`, etc.) weren't being passed to
the systemd service running tests. Added `PassEnvironment` directive to
fix this.

### Script Fixes
In fingerprint mode, `easyrsa self-sign-*` commands don't
create/maintain `index.txt`, but several functions depended on it.

**Fixed operations:**
- `selectClient()`: uses fingerprints from server.conf instead of
index.txt
- `listClients()`: scans certs in pki/issued/, marks those without
fingerprint as revoked
- `newClient()`: duplicate check works in fingerprint mode, cleans up
revoked cert files for name reuse
- `revokeClient()`: removes fingerprint from server.conf, keeps cert for
listing
- `renewClient()`: uses `self-sign-client` instead of `easyrsa renew`
- `renewServer()`: uses `self-sign-server` + regenerates all client
configs (they embed server fingerprint)

**New helpers:**
- `getAuthMode()` - returns "pki" or "fingerprint"
- `getClientsFromFingerprints()` - parses client names from server.conf
- `clientExistsInFingerprints()` - checks client existence
- `getCertExpiry()` - extracts expiry date/days from cert file
- `removeCertFiles()` - removes cert/key/req files for regeneration
- `extractFingerprint()` - gets SHA256 fingerprint from cert

Fixes #1444
2025-12-29 17:04:45 +01:00

99 lines
3.9 KiB
Docker
Raw Blame History

# checkov:skip=CKV_DOCKER_2:Test container doesn't need healthcheck
# checkov:skip=CKV_DOCKER_3:OpenVPN server requires root for NET_ADMIN
# checkov:skip=CKV_DOCKER_7:Base image is parameterized, some use latest tag
ARG BASE_IMAGE=ubuntu:24.04
FROM ${BASE_IMAGE}
ARG BASE_IMAGE
# Set to "y" to install and enable firewalld for testing
ARG ENABLE_FIREWALLD=n
# Set to "y" to install and enable nftables for testing
ARG ENABLE_NFTABLES=n
ENV DEBIAN_FRONTEND=noninteractive
ENV ENABLE_FIREWALLD=${ENABLE_FIREWALLD}
ENV ENABLE_NFTABLES=${ENABLE_NFTABLES}
# Install basic dependencies based on the OS
# dnsutils/bind-utils provides dig for DNS testing with Unbound
# Note: socat is installed by openvpn-install.sh during OpenVPN installation
RUN if command -v apt-get >/dev/null; then \
apt-get update && apt-get install -y --no-install-recommends \
iproute2 iptables curl procps systemd systemd-sysv dnsutils jq \
&& if [ "$ENABLE_NFTABLES" = "y" ]; then apt-get install -y --no-install-recommends nftables; fi \
&& rm -rf /var/lib/apt/lists/*; \
elif command -v dnf >/dev/null; then \
dnf install -y --allowerasing \
iproute iptables curl procps-ng systemd tar gzip bind-utils jq \
&& if [ "$ENABLE_FIREWALLD" = "y" ]; then dnf install -y firewalld; fi \
&& if [ "$ENABLE_NFTABLES" = "y" ]; then dnf install -y nftables; fi \
&& dnf clean all; \
elif command -v yum >/dev/null; then \
yum install -y \
iproute iptables curl procps-ng systemd tar gzip bind-utils jq \
&& if [ "$ENABLE_FIREWALLD" = "y" ]; then yum install -y firewalld; fi \
&& if [ "$ENABLE_NFTABLES" = "y" ]; then yum install -y nftables; fi \
&& yum clean all; \
elif command -v pacman >/dev/null; then \
pacman -Syu --noconfirm \
iproute2 iptables curl procps-ng bind jq \
&& if [ "$ENABLE_NFTABLES" = "y" ]; then pacman -S --noconfirm nftables; fi \
&& pacman -Scc --noconfirm; \
elif command -v zypper >/dev/null; then \
zypper install -y \
iproute2 iptables curl procps systemd tar gzip bind-utils gawk jq \
&& if [ "$ENABLE_NFTABLES" = "y" ]; then zypper install -y nftables; fi \
&& zypper clean -a; \
fi
# Enable firewalld if requested (must be done after systemd is available)
RUN if [ "$ENABLE_FIREWALLD" = "y" ] && command -v firewall-cmd >/dev/null; then \
systemctl enable firewalld; \
fi
# Enable nftables if requested (must be done after systemd is available)
# Use empty nftables.conf - do NOT flush ruleset as it removes Docker's networking rules
RUN if [ "$ENABLE_NFTABLES" = "y" ] && command -v nft >/dev/null; then \
systemctl enable nftables; \
mkdir -p /etc/nftables; \
echo '#!/usr/sbin/nft -f' > /etc/nftables.conf; \
fi
# Create TUN device (will be mounted at runtime)
RUN mkdir -p /dev/net
# Copy the install script
COPY openvpn-install.sh /opt/openvpn-install.sh
RUN chmod +x /opt/openvpn-install.sh
# Copy test scripts
COPY test/server-entrypoint.sh /entrypoint.sh
COPY test/validate-output.sh /opt/test/validate-output.sh
RUN chmod +x /entrypoint.sh /opt/test/validate-output.sh
# Create systemd service for the test script
# PassEnvironment passes Docker env vars (-e) from PID 1 to the service
RUN printf '%s\n' \
'[Unit]' \
'Description=OpenVPN Installation Test' \
'After=network.target' \
'' \
'[Service]' \
'Type=oneshot' \
'Environment=HOME=/root' \
'PassEnvironment=AUTH_MODE TLS_SIG TLS_KEY_FILE TLS_VERSION_MIN TLS13_CIPHERSUITES CLIENT_IPV6 VPN_SUBNET_IPV6' \
'WorkingDirectory=/root' \
'ExecStart=/entrypoint.sh' \
'RemainAfterExit=yes' \
'StandardOutput=journal+console' \
'StandardError=journal+console' \
'' \
'[Install]' \
'WantedBy=multi-user.target' \
> /etc/systemd/system/openvpn-test.service \
&& systemctl enable openvpn-test.service
WORKDIR /opt
STOPSIGNAL SIGRTMIN+3
CMD ["/sbin/init"]
Reference in New Issue View Git Blame Copy Permalink