diff --git a/README.md b/README.md
index 272b5ae..9f7275f 100644
--- a/README.md
+++ b/README.md
@@ -28,7 +28,7 @@ openvpn 安全与加密相关配置参考于[openvpn-install](https://github.com
 初始化生成证书及配置文件
 ```shell
-docker run -it --rm yyxx/openvpn --init
+docker run -v $(pwd)/data:/data --rm yyxx/openvpn --init
 ```
 运行 openvpn
diff --git a/build/Dockerfile b/build/Dockerfile
index adc037b..41e876e 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.19.1
+FROM alpine:3.20.1
 RUN apk add --no-cache easy-rsa openvpn iptables iptables-legacy bash supervisor
 RUN ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin
diff --git a/build/docker-entrypoint.sh b/build/docker-entrypoint.sh
index e1274cc..2ec61d2 100644
--- a/build/docker-entrypoint.sh
+++ b/build/docker-entrypoint.sh
@@ -4,6 +4,8 @@ set -e
 init_env(){
 cat < $OVPN_DATA/pki/vars
 EASYRSA_PKI=$OVPN_DATA/pki
+EASYRSA_CA_EXPIRE=3650
+EASYRSA_CERT_EXPIRE=3650
 EASYRSA_CRL_DAYS=3650
 EASYRSA_ALGO=ec
 EASYRSA_CURVE=prime256v1
@@ -174,6 +176,25 @@ update_config(){
 fi
 }
+renew_cert(){
+ source $OVPN_DATA/.vars
+ source $OVPN_DATA/pki/vars
+
+ cd $OVPN_DATA/pki
+ openssl x509 -in ca.crt -days $EASYRSA_CA_EXPIRE -out ca.crt -signkey private/ca.key
+ /usr/share/easy-rsa/easyrsa --batch renew $SERVER_NAME
+ /usr/share/easy-rsa/easyrsa --batch revoke-renewed $SERVER_NAME
+ /usr/share/easy-rsa/easyrsa gen-crl
+}
+
+auth(){
+ if [ "$1" = "true" ]; then
+ sed -i 's/^#auth-user-pass-verify/auth-user-pass-verify/' $OVPN_DATA/server.conf
+ else
+ sed -i 's/^auth-user-pass-verify/#&/' $OVPN_DATA/server.conf
+ fi
+}
+
 getsubnet(){
 ip=$(echo $1 | cut -d'/' -f1)
 prefix=$(echo $1 | cut -d'/' -f2)
@@ -260,6 +281,18 @@ case $1 in
 $(genclient $2 $3 "$4")
 exit 0
 ;;
+ "auth")
+ $(auth $2)
+
+ supervisorctl stop openvpn && sleep 1 && supervisorctl start openvpn
+ exit 0
+ ;;
+ "renewcert")
+ renew_cert
+
+ supervisorctl stop openvpn && sleep 1 && supervisorctl start openvpn
+ exit 0
+ ;;
 "/usr/sbin/openvpn")
 update_config
 run_server
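Review bot: The two added lines give the CA and every certificate issued from this PKI a ten-year lifetime, and since EASYRSA_CERT_EXPIRE is not a server-only setting it presumably also applies to the client certificates genclient issues, which leaves revocation (the CRL) as the only way to retire a client for a decade; that trade-off should be stated where the value is chosen. A one-line comment above the added pair, `# 10-year validity for the CA and every issued cert (server and, presumably, clients) — retire clients with revoke + gen-crl`, would do. Note also that this vars file is only written by init_env during --init, so a data volume created before this change never gets EASYRSA_CA_EXPIRE or EASYRSA_CERT_EXPIRE. init_env begins before and ends after the hunk.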
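Review bot: renew_cert takes EASYRSA_CA_EXPIRE from $OVPN_DATA/pki/vars, but that file is only generated by init_env, so on a PKI initialised before this commit the variable is empty and `openssl x509 ... -days $EASYRSA_CA_EXPIRE` runs with a missing argument; add `: "${EASYRSA_CA_EXPIRE:=3650}"` (and the same for EASYRSA_CERT_EXPIRE) right after the two source lines. The same openssl call rewrites ca.crt in place (`-in ca.crt -out ca.crt`), so a failure part-way through leaves the PKI without a CA certificate; write to `ca.crt.new`, and only after openssl returns 0 `cp -p ca.crt ca.crt.bak && mv ca.crt.new ca.crt`. Clients that carry the previous CA certificate (genclient may inline it into the profile, which is not visible here) keep validating the renewed server certificate only until that old CA certificate expires, so a header comment on renew_cert should say the renewed ca.crt has to be redistributed to clients. In auth(), every value other than the literal `true` — including an empty or misspelled argument — comments out auth-user-pass-verify, which deserves a comment on the else branch.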
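Review bot: The new `"auth")` arm passes `$2` to auth() unchecked, and auth() treats anything except the literal `true` as "disable", so `docker exec … auth ture` or a missing argument silently turns off user/password verification and restarts the server with it off. Reject anything but the two accepted words before calling it: `case "$2" in true|false) ;; *) echo "usage: auth true|false" >&2; exit 1 ;; esac`. As a point of style, both arms stop, sleep and start openvpn by hand where `supervisorctl restart openvpn` is the single-call equivalent; if the stop/sleep/start sequence is deliberate, a short comment saying why would save the next reader from simplifying it. The case statement begins before and ends after the hunk.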