Make fully configurable for other networks

Dockerfile

@@ -14,8 +14,12 @@ ENV \
     OAUTH2_CLIENT_SECRET="" \
     OAUTH2_AUTH_URL="https://gitlab.example.com/oauth/authorize" \
     OAUTH2_TOKEN_URL="https://gitlab.example.com/oauth/token" \
-    OAUTH2_REDIRECT_URL="https://certman.example.com/login/oauth2/redirect" \
+    OAUTH2_REDIRECT_URL="https://vpn.example.com/login/oauth2/redirect" \
     USER_ENDPOINT="https://gitlab.example.com/api/v4/user" \
+    VPN_DEV="tun" \
+    VPN_HOST="vpn.example.com" \
+    VPN_PORT="1194" \
+    VPN_PROTO="udp" \
     APP_KEY=""
 COPY --from=0 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 COPY --from=0 /go/src/git.klink.asia/paul/certman/certman /

README.md

@@ -40,11 +40,16 @@ variables:
  * `USER_ENDPOINT` the URL to the Identity provider user endpoint, for gitlab this is "/api/v4/user". The "username" attribute of the returned JSON will used for authentication.
  * `APP_KEY` random ASCII string, 32 characters in length. Used for cookie generation.
  * `APP_LISTEN` port and ip to listen on, e.g. `:8000` or `127.0.0.1:3000`
+ * `VPN_DEV` which device is used by the network, either `tun` or `tap` (check server cfg)
+ * `VPN_HOST` Hostname or IP address of the server
+ * `VPN_PORT` Port of the VPN server
+ * `VPN_PROTO` Protocol of the VPN server, either `tcp` or `udp`
 
 There are some files that need to be mounted inside the container:
 
  * `/ca.crt` the certificate of the server PKI
  * `/ca.key` the key of the server PKI, unencrypted
+ * `/ta.key` shared HMAC secret of server and client
  * `/clients.json` the generated certificates for each client
 
- There is an [`docker-compose.yml example`](docker-compose.yml.example) you can use as a base for your own docker-compose service.
+ There is an [`docker-compose.yml example`](docker-compose.yml.example) you can use as a base for your own docker-compose service.

assets/templates/files/config.ovpn

@@ -1,8 +1,7 @@
 {{ define "base" }}# Client configuration for {{ .User }}@{{ .Name }}
 client
-dev tun
-remote ovpn.oneofftech.xyz 443 udp
-remote ovpn.oneofftech.xyz 443 tcp
+dev {{ .Dev }}
+remote {{ .Host }} {{ .Port }} {{ .Proto }}
 resolv-retry infinite
 nobind
 persist-key
@@ -16,33 +15,8 @@ tls-version-min 1.2
 ;comp-lzo
 verb 3
 
-route 172.31.1.100 255.255.255.255 net_gateway
-
 <ca>
------BEGIN CERTIFICATE-----
-MIIDwDCCAqigAwIBAgIJAMvRC7FajlAOMA0GCSqGSIb3DQEBCwUAMHUxCzAJBgNV
-BAYTAkRFMQ8wDQYDVQQIDAZCZXJsaW4xDzANBgNVBAcMBkJlcmxpbjETMBEGA1UE
-CgwKT25lT2ZmVGVjaDEWMBQGA1UECwwNSVQgZGVwYXJ0bWVudDEXMBUGA1UEAwwO
-Y2EtY2VydGlmaWNhdGUwHhcNMTgwMTI1MTM0NjI3WhcNMjMwMTI0MTM0NjI3WjB1
-MQswCQYDVQQGEwJERTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4x
-EzARBgNVBAoMCk9uZU9mZlRlY2gxFjAUBgNVBAsMDUlUIGRlcGFydG1lbnQxFzAV
-BgNVBAMMDmNhLWNlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEA5LzVrHqz33L5YiFs1HOZWvLht9yQ6+AxK1+RDZsx8490UEYvPnguyU/c
-8NtaZPtWOg5Qvnh+0tHpLHV+3WbWyIObkix6b3U5EgR6Hgdf1zuzX7y/S2o7uPT1
-zkCgIi9EQfy0IDIhIErsO0dOWndFt/cAfrMaOx0LV/kzr9bKdgg7WLQoVzUgawZq
-ROScZUogaElISxC/C77YaGg9V5sV9qTa3uZ9DxuESzXLGMDx3DJMjH+Yu+nhJjoc
-isSxK5qEnfqWJhZgJFTAY2BRbcMFMieVz/+UGk2GDZf1tpMZOQKxwrNibe4HO8zo
-lfhX+H+sb4QZCdn30eUGstK/jJdQrQIDAQABo1MwUTAdBgNVHQ4EFgQU9UASoCXR
-ountXC2vQ4s9BT5qGRYwHwYDVR0jBBgwFoAU9UASoCXRountXC2vQ4s9BT5qGRYw
-DwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEA2YgYuFKMzoblpPf+
-VcyFKAXC9IoOJFeoA8FWMLBy38FedpCP+aFtlnG5eSLB/Xy7rdJK+7ASrdbAsFMD
-U6P2guqUix4veIBZK0WLGTLfRKHQiOUqNP1zZpWsdrwUoUjGOEt4iqG9PCcaANSg
-mOfl/BK+MtuRevF6Ry2JAZDArUXrXXjNdRXKB7iNc3Sd5icII53OGXXtn1ehzZXL
-djbdz4MZa1kbA1ZlJVaYCRzOS/F9kU2aQceO17foxI5BvnOkpONLXDZHs61/KtYu
-5z7hJoH49+4iyWZuRgWT/sq36qpvu+/f48JPxzqV94Jp77Z9BocTIjdfqHM++X9h
-Yo95ZQ==
------END CERTIFICATE-----
-</ca>
+{{ .CA | html }}</ca>
 
 <cert>
 {{ .Cert | html }}</cert>
@@ -51,26 +25,5 @@ Yo95ZQ==
 {{ .Key | html }}</key>
 
 <tls-auth>
-#
-# 2048 bit OpenVPN static key
-#
------BEGIN OpenVPN Static key V1-----
-187be23c2b3b0a6a9d79bc5b5c95b70b
-b43b6b303e7c00eb75121d68df470ea3
-3cdd0ddedc273f5412f181709890ea32
-7086cbc5b21bbaf3dd231d115b5ba986
-1b1aee31bff9be5f6c6f6dd490d593a1
-eec50bb866558c6b2c6fe62ebfe125d9
-34b7115e72d94ce08cc9e1c4e8ccdbfe
-a5ee19ac0aec60da63df881e3c2e7d4d
-9c4f167ec1b46309f17c16c36683780b
-bed7551ad7a3d526c19014567370122e
-98ae0ae7fd83a8a6de09883fcc181b36
-a8465c0deda7a345ec3d16a4daf3fbf5
-23dc36a48e679c653b3cfc6dbaa150a7
-7ace46081d2c3712ce655f4b8211f674
-4d4688c2b3828f9208a80bf71e6e4554
-ae09b91154a435995439ad576fcc72c1
------END OpenVPN Static key V1-----
-</tls-auth>
+{{ .TA | html }}</tls-auth>
 {{ end }}

docker-compose.yml.example

@@ -20,6 +20,7 @@ services:
         volumes:
             - ./ca.crt:/ca.crt:ro
             - ./ca.key:/ca.key:ro
+            - ./ta.key:/ta.key:ro
             - ./clients.json:/clients.json:rw
         labels:
             - "traefik.enable=true"

handlers/cert.go

@@ -13,6 +13,7 @@ import (
 	"log"
 	"math/big"
 	"net/http"
+	"os"
 	"strings"
 	"time"
 
@@ -170,9 +171,31 @@ func DownloadCertHandler(p *services.Provider) http.HandlerFunc {
 		pem.Encode(cbuf, &pem.Block{Type: "CERTIFICATE", Bytes: client.Cert})
 		pem.Encode(kbuf, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: client.PrivateKey})
 
+		ca, err := ioutil.ReadFile("ca.crt")
+		if err != nil {
+			log.Printf("Error loading ca file: %s", err)
+			v.RenderError(w, http.StatusInternalServerError)
+			return
+		}
+
+		ta, err := ioutil.ReadFile("ta.key")
+		if err != nil {
+			log.Printf("Error loading ta file: %s", err)
+			v.RenderError(w, http.StatusInternalServerError)
+			return
+		}
+
 		vars := map[string]string{
-			"Cert": cbuf.String(),
-			"Key":  kbuf.String(),
+			"CA":    string(ca),
+			"TA":    string(ta),
+			"Cert":  cbuf.String(),
+			"Key":   kbuf.String(),
+			"User":  username,
+			"Name":  name,
+			"Dev":   os.Getenv("VPN_DEV"),
+			"Host":  os.Getenv("VPN_HOST"),
+			"Port":  os.Getenv("VPN_PORT"),
+			"Proto": os.Getenv("VPN_PROTO"),
 		}
 
 		t, err := views.GetTemplate("config.ovpn")