d3vilh / openvpn-ui

Web User Interface for OpenVPN
MIT License

The problem with changing Issuer and DirName in <cert> #10

Closed PennyLook closed 10 months ago

PennyLook commented 10 months ago

Hello, I have a problem changing the Issuer and DirName in <cert> in the client .ovpn config. Default:

Issuer: C=UA, ST=KY, L=Kyiv, O=Sweet Home, OU=My Organizational Unit, CN=Easy-RSA CA/emailAddress=sweet@home.net
DirName:/C=UA/ST=KY/L=Kyiv/O=Sweet Home/OU=My Organizational Unit/CN=Easy-RSA CA/emailAddress=sweet@home.net

changing:

doesn't do anything - it's still the default

PennyLook commented 10 months ago

Trying to put up an image with the changed environment parameters in docker-compose.yml doesn't help either - there are still those default values.

Default from docker-compose.yml:

           REQ_COUNTRY: UA
           REQ_PROVINCE: Kyiv
           REQ_CITY: Chayka
           REQ_ORG: CopyleftCertificateCo
           REQ_OU: ShantiShanti
           REQ_CN: MyOpenVPN


d3vilh commented 10 months ago

Hi @PennyLook, you can change it manually in ~/openvpn/pki/vars; there are commented lines which need to be uncommented. I'll test and fix the automation part this week.

PennyLook commented 10 months ago

Hi @d3vilh

Yes, but as I wrote at the beginning, I added these entries to ~/openvpn/pki/vars and it currently looks like this:

set_var EASYRSA_REQ_COUNTRY "<custom_value>"
set_var EASYRSA_REQ_PROVINCE "<custom_value>"
set_var EASYRSA_REQ_CITY "<custom_value>"
set_var EASYRSA_REQ_ORG "<custom_value>"
set_var EASYRSA_REQ_EMAIL "<custom_value>"
set_var EASYRSA_REQ_OU "<custom_value>"

and then restarted openvpn, but these changes do not work - the default ones are still there :/

d3vilh commented 10 months ago

OK, it is interesting; as I see it, these options do nothing when you just start the container for the first time to generate the new CA, certs and PKI (so it takes the internal easyrsa.var.example and applies it).

There are a few ways to fix it. I think we will keep passing ENV vars to the container and add a few new lines to entrypoint.sh to patch the easyrsa.var.example file with the ENV variables.

Let me test it and I'll push new image.

PennyLook commented 10 months ago

> There are a few ways to fix it. I think we will keep passing ENV vars to the container and add a few new lines to entrypoint.sh to patch the easyrsa.var.example file with the ENV variables.

I just checked a lot of different places where this configuration exists - both when running the container for the first time and with subsequent editing of the vars entries - I tried several ways and each time it did not work for me, so that's why I reported it.

> Let me test it and I'll push new image.

sure, I just wanted to report, because maybe someone else will also have similar questions

d3vilh commented 10 months ago

> sure, I just wanted to report, because maybe someone else will also have similar questions

Thank you, I really appreciate your help.

Now openvpn-docker-entrypoint.sh will forcefully replace the EasyRSA vars with those passed via the Docker environment (now we have 2 more parameters in the docker env).

Image updated, I tested it with the following environment in docker-compose:

       environment:
           EASYRSA_DN: org
           REQ_COUNTRY: US
           REQ_PROVINCE: DE
           REQ_CITY: NewCastle
           REQ_ORG: CopyleftCo
           REQ_EMAIL: sweet@home.us
           REQ_OU: GagaZush
           REQ_CN: MyOpenVPN
           TRUST_SUB: 10.0.70.0/24
           GUEST_SUB: 10.0.71.0/24
           HOME_SUB: 192.168.88.0/24

and it works:

Keypair and certificate request completed. Your files are:
req: /opt/app/easy-rsa/pki/reqs/server.req
key: /opt/app/easy-rsa/pki/private/server.key
Sign request...

* Using SSL: openssl OpenSSL 3.1.2 1 Aug 2023 (Library: OpenSSL 3.1.2 1 Aug 2023)
* Using Easy-RSA configuration: /opt/app/easy-rsa/vars

Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :ASN.1 12:'DE'
localityName          :ASN.1 12:'NewCastle'
organizationName      :ASN.1 12:'CopyleftCo'
organizationalUnitName:ASN.1 12:'My Organizational Unit'
commonName            :ASN.1 12:'server'
emailAddress          :IA5STRING:'sweet@home.us'
Certificate is to be certified until Nov 24 20:40:53 2025 GMT (825 days)

New Client certificate:

<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2c:51:943:fa:03
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=DE, L=NewCastle, O=CopyleftCo, OU=My Organizational Unit, CN=Easy-RSA CA/emailAddress=sweet@home.us
        Validity
            Not Before: Aug 22 20:59:52 2023 GMT
            Not After : Nov 24 20:59:52 2025 GMT
        Subject: CN=Alice
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bc:12:7d:44:e6:0c:bd:2f:74:a5:c3:ad:17:86:
                    41:3a:93:52:cb:c6:8d:f0:e9:11:13:95:a7:b7:ca:
                    74:9d:1c:7a:d6:6c:ad:e3:e3:60:57:55:60:90:63:
                    fd:db
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                AA:B0:27:24:32:E9F9:A8
            X509v3 Authority Key Identifier: 
                keyid:C0:16:4A:FE:30:AF:4E:D1
                DirName:/C=US/ST=DE/L=NewCastle/O=CopyleftCo/OU=My Organizational Unit/CN=Easy-RSA CA/emailAddress=sweet@home.us
                serial:20:E5:88:86:AF:52:EF

Thanks again.
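To make the behaviour discussed above concrete, here is an added example (not the project's entrypoint script) that renders an EasyRSA vars file from the same REQ_* / EASYRSA_DN environment the container receives, refuses to pretend it changed an already-initialised CA, and checks that a generated client .ovpn carries the expected Issuer. The function names, file paths and the idea of returning 2 for an existing PKI are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the project's entrypoint): render EasyRSA vars from the
# container environment, flag an existing CA, and verify a client .ovpn Issuer.

render_easyrsa_vars() {
  # $1 = vars file to write, $2 = PKI directory (checked for an existing CA)
  {
    printf 'set_var EASYRSA_DN           "%s"\n' "${EASYRSA_DN:-org}"
    printf 'set_var EASYRSA_REQ_COUNTRY  "%s"\n' "$REQ_COUNTRY"
    printf 'set_var EASYRSA_REQ_PROVINCE "%s"\n' "$REQ_PROVINCE"
    printf 'set_var EASYRSA_REQ_CITY     "%s"\n' "$REQ_CITY"
    printf 'set_var EASYRSA_REQ_ORG      "%s"\n' "$REQ_ORG"
    printf 'set_var EASYRSA_REQ_EMAIL    "%s"\n' "$REQ_EMAIL"
    printf 'set_var EASYRSA_REQ_OU       "%s"\n' "$REQ_OU"
    printf 'set_var EASYRSA_REQ_CN       "%s"\n' "$REQ_CN"
  } > "$1"
  # The vars only influence a CA built at first init: an existing ca.crt keeps
  # its Issuer/DirName whatever is written here, which is the thread's issue.
  if [ -f "$2/ca.crt" ]; then
    echo "PKI already set up ($2/ca.crt): new vars will not change the CA DN" >&2
    return 2
  fi
}

check_ovpn_issuer() {
  # $1 = client .ovpn; returns 0 if the <cert> Issuer matches the env DN.
  # Matches the openssl text dump format seen in the thread (", " separated,
  # emailAddress appended after a "/"). The CA CN and OU are not checked.
  issuer=$(sed -n '/<cert>/,/<\/cert>/p' "$1" | grep 'Issuer:' | head -n 1)
  for want in " C=${REQ_COUNTRY}," " ST=${REQ_PROVINCE}," " L=${REQ_CITY}," \
              " O=${REQ_ORG}," "/emailAddress=${REQ_EMAIL}"; do
    case "$issuer" in
      *"$want"*) ;;
      *) echo "Issuer mismatch: expected '$want' in: $issuer" >&2; return 1 ;;
    esac
  done
  return 0
}
```

Run `render_easyrsa_vars /path/to/vars /path/to/pki` before the first container start and `check_ovpn_issuer client.ovpn` on a freshly issued client profile; a return of 2 from the first call means the CA already exists and the DN cannot change without re-initialising the PKI.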

PennyLook commented 10 months ago

Hi @d3vilh

> and it works:
>
> Keypair and certificate request completed. Your files are:
> req: /opt/app/easy-rsa/pki/reqs/server.req
> key: /opt/app/easy-rsa/pki/private/server.key
> Sign request...
>
> Check that the request matches the signature
> Signature ok
> The Subject's Distinguished Name is as follows
> countryName           :PRINTABLE:'US'
> stateOrProvinceName   :ASN.1 12:'DE'
> localityName          :ASN.1 12:'NewCastle'
> organizationName      :ASN.1 12:'CopyleftCo'
> organizationalUnitName:ASN.1 12:'My Organizational Unit'
> commonName            :ASN.1 12:'server'
> emailAddress          :IA5STRING:'sweet@home.us'
> Certificate is to be certified until Nov 24 20:40:53 2025 GMT (825 days)


But how to use it?
What command did you run it with?
From the `openvpn-aws` level, with the new container up, there is still the same problem:

openvpn-ui is up-to-date
openvpn is up-to-date

d3vilh commented 10 months ago

GM Penny, `docker logs openvpn` should report which VARs were used to create the CA on container start:

Notice
------
An updated CRL has been created.
CRL file: /opt/app/easy-rsa/pki/crl.pem
Following environment variables are set:
EASYRSA_DN = org
REQ_COUNTRY = US
REQ_PROVINCE = DE
REQ_CITY = NewCastle
REQ_ORG = CopyleftCo
REQ_EMAIL = sweet@home.us
Configuring networking rules...
net.ipv4.ip_forward = 1
Configuring iptables...
NAT for OpenVPN clients
Blocking ICMP for external clients
Blocking internal home subnet to access from external openvpn clients (Internet still available)
No additional firewall rules to apply.
IPT MASQ Chains:
MASQUERADE  all  --  ip-10-0-70-0.ec2.internal/24  anywhere
MASQUERADE  all  --  ip-10-0-71-0.ec2.internal/24  anywhere
IPT FWD Chains:
       0        0 DROP       1    --  *      *       10.0.71.0/24         0.0.0.0/0            icmptype 8
       0        0 DROP       1    --  *      *       10.0.71.0/24         0.0.0.0/0            icmptype 0
       0        0 DROP       0    --  *      *       10.0.71.0/24         192.168.88.0/24
Start openvpn process...
admin@ip-161-61-61-61:~/openvpn-aws$

If similar logs are not there, then you probably have an outdated image. `docker image rm d3vilh/openvpn-server` and `docker pull d3vilh/openvpn-server` should do the trick.

PennyLook commented 10 months ago

@d3vilh I checked it out

> If similar logs are not there, then you probably have an outdated image. `docker image rm d3vilh/openvpn-server` and `docker pull d3vilh/openvpn-server` should do the trick.

That's exactly what I did, and even though the logs return the correct values (i.e., the changed ones) - part from the logs:

Fixing easy-rsa variables...
PKI already set up.
Following environment variables are set:
EASYRSA_DN = org
REQ_COUNTRY = <my_custom_value>
REQ_PROVINCE = <my_custom_value>
REQ_CITY = <my_custom_value>
REQ_ORG = <my_custom_value>
REQ_EMAIL = <my_custom_value>
Configuring networking rules...
net.ipv4.ip_forward = 1
Configuring iptables...
NAT for OpenVPN clients
Blocking ICMP for external clients
Blocking internal home subnet to access from external openvpn clients (Internet still available)
No additional firewall rules to apply.

then when I create a new certificate (new client) I still have the default values - part from the new .ovpn from the latest image:

<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=UA, ST=KY, L=Kyiv, O=Sweet Home, OU=My Organizational Unit, CN=Easy-RSA CA/emailAddress=sweet@home.net
        Validity

I'm probably still missing something

and after an openvpn restart I got an error (see the attached image):

d3vilh commented 10 months ago

Do you still need the old CA and certificates? I'd recommend moving the openvpn folder with all the old configuration and installing it from scratch; there may be some configuration files which still have something in them. Stop the containers, then move the volume with all the openvpn config: `cd ~; sudo mv ~/openvpn openvpn_back`. Then run openvpn-server with the new parameters, wait for the new CA to be created and then run openvpn-ui.

PennyLook commented 10 months ago

the only solution that worked for me was, before running ansible main.yml, to add in ~/openvpn-aws/openvpn/config/easy-rsa.vars the appropriate entries like:

set_var EASYRSA_DN      "<your_value_here>"
set_var EASYRSA_REQ_COUNTRY      "<your_value_here>"
set_var EASYRSA_REQ_PROVINCE     "<your_value_here>"
set_var EASYRSA_REQ_CITY         "<your_value_here>"
set_var EASYRSA_REQ_ORG          "<your_value_here>"
set_var EASYRSA_REQ_EMAIL        "<your_value_here>"
set_var EASYRSA_REQ_OU        "<your_value_here>"
set_var EASYRSA_REQ_CN        "<your_value_here>"

but once the container is up, I have no way to change it - even if I change it in /pki/vars, it will always have the values it had when I first ran ansible main.yml

d3vilh commented 10 months ago

> the only solution that worked for me was, before running ansible main.yml, to add in ~/openvpn-aws/openvpn/config/easy-rsa.vars

OK, I added an option to update this file with config.yml options for the openvpn-aws project:

# EasyRSA configuration parameters.
easyrsa_dn: "org"                               # Leave this as-is. "org" for traditional, "cn_only" for CN only.
easyrsa_req_country: "UA"                       # The two-letter country code (e.g. US).
easyrsa_req_province: "KY"                      # The two-letter state or province code (e.g. CA).
easyrsa_req_city: "Kyiv"                        # The city of the organization.
easyrsa_req_org: "SweetHome"                   # The name of the organization.
easyrsa_req_email: "sweet@home.net"             # The email address of the organization.
easyrsa_req_ou: "MyOrganizationalUnit"        # The name of the organizational unit.
easyrsa_req_cn: "server"                        # The name of the common name.
easyrsa_key_size: 2048                          # Leave this as-is. Size in bits for your keypairs. The recommended value is 2048. up to 4096.
easyrsa_ca_expire: 3650                         # Number of days until the root CA expires.
easyrsa_cert_expire: 825                        # Number of days until certificates expire.
easyrsa_cert_renew: 30                          # Number of days before expiration to automatically renew certificates.
easyrsa_crl_days: 180                           # Number of days until the CRL expires.

All these parameters should be configured before running the playbook for the first time. This way the server will apply them to the container at the first run.

If you would like to change it post-init, it is still possible, but not as easy. In short, you need to change easy-rsa.vars manually with the new values, then load it into the environment, initialise a new easy-rsa PKI while keeping all the existing certificates, then import the old CA and TLS auth keys into the new PKI infra, sign all old certificates with the new CA, then verify the structure of all the old certs with show-ca and show-cert, and finally drop the old certificates on all the clients and install the new certificates.

That is why it is important to configure everything properly at the init step.