kylemanna / docker-openvpn

🔒 OpenVPN server in a Docker container complete with an EasyRSA PKI CA
https://hub.docker.com/r/kylemanna/openvpn/
MIT License

EasyRSA Environment Settings do not apply #627

Closed maxswjeon closed 3 years ago

maxswjeon commented 3 years ago

Reading and following the docker-compose documentation, I found that easyrsa is not taking the environment variables that I have set.

Doing some searching, I found there were some issues with easyrsa (OpenVPN/easyrsa#111) that were fixed in the latest revision of easyrsa.

Bypassing the bug

  1. Copy the latest easyrsa binary and the vars.example file to the OpenVPN config folder (where host volumes are attached).
  2. Rename the vars.example file to vars, and edit it to your liking.
  3. Set EASYRSA_VARS_FILE to the vars file. Remember: EASYRSA_VARS_FILE will be read inside the docker container, so set the file path from the docker side. I ran export EASYRSA_VARS_FILE=/etc/openssl/vars since the vars file was at the root of the config folder (data/conf/vars on the host side).
  4. Follow the documentation up to the ovpn_genconfig part.
  5. Referring to docker-openvpn/ovpn_initpki, run these commands with docker-compose run --rm openvpn {COMMAND}:
    • /etc/openvpn/easyrsa init-pki
    • /etc/openvpn/easyrsa build-ca
    • /etc/openvpn/easyrsa gen-dh
    • openvpn --genkey --secret /etc/openvpn/pki/ta.key
    • /etc/openvpn/easyrsa build-server-full "{THE_URL_THAT_YOU_USED_ON_OVPN_GENCONFIG}" nopass
    • /etc/openvpn/easyrsa gen-crl
  6. Remove the easyrsa files.
  7. Start the OpenVPN docker container with docker-compose up -d.
  8. Follow the documentation to generate client keys.

Fixing the bug

I'm pretty new to docker, so I don't know how to fix it correctly. However, these were essential for fixing the bug:

  1. Update the easyrsa binary to the latest version.
  2. A writeable vars file for easyrsa.

kylemanna commented 3 years ago

I'm unaware of any bugs after #620.

Can you explain precisely what things failed when passed by environment? All environment variables can be overridden by docker.

maxswjeon commented 3 years ago

I passed the EASYRSA_ALGO=ec and EASYRSA_CURVE=secp521r1 environment variables, and checked with docker-compose run --rm openvpn echo $EASYRSA_ALGO. ovpn_initpki did not apply the environment variables and generated an RSA 2048 CA (expected an ECDSA CA).

kylemanna commented 3 years ago

If you ran that command as passed then the shell variable was expanded by your local shell and is most likely empty. Try again but escape the variable so it's interpreted in the docker container.

Test with plain old docker, since docker-compose doesn't really matter here:

$ docker run --rm -e 'EASYRSA_ALGO=test1' -it kylemanna/openvpn sh -c 'echo $EASYRSA_ALGO'
test1
$ docker run --rm -e 'EASYRSA_ALGO=test1' -it kylemanna/openvpn echo $EASYRSA_ALGO

I'd recommend running export instead of echo so that you can see the entire environment and more easily find typos:

$ docker run --rm -e 'EASYRSA_ALGO=test1' -it kylemanna/openvpn env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=ad5bad7d653f
TERM=xterm
EASYRSA_ALGO=test1
OPENVPN=/etc/openvpn
EASYRSA=/usr/share/easy-rsa
EASYRSA_CRL_DAYS=3650
EASYRSA_PKI=/etc/openvpn/pki
HOME=/root
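As an added check, not part of this thread or the docker-openvpn project: rather than trusting an environment printout, confirm that the CA ovpn_initpki produced actually carries the key type requested through EASYRSA_ALGO/EASYRSA_CURVE. The functions below (names are mine) parse the text dump from openssl x509 -noout -text; the dumps embedded here are constructed excerpts so the script runs offline.

```shell
#!/bin/sh
# Added example (not from docker-openvpn): verify the key algorithm and curve of
# a CA certificate from the output of `openssl x509 -in pki/ca.crt -noout -text`.

# Read an x509 text dump on stdin; print "rsa <bits>", "ec <curve>" or "other <algo>".
ca_key_summary() {
    awk '
        /Public Key Algorithm:/ { algo = $NF }
        /ASN1 OID:/             { curve = $NF }
        /Public-Key:/           { bits = $0; sub(/.*\(/, "", bits); sub(/ bit\)/, "", bits) }
        END {
            if (algo == "rsaEncryption")       print "rsa " bits
            else if (algo == "id-ecPublicKey") print "ec " (curve ? curve : "unknown")
            else                               print "other " algo
        }'
}

# check_ca_matches "<dump>" "<ec|rsa>" "<curve or key size>"
# Returns 0 when the dump matches what EASYRSA_ALGO/EASYRSA_CURVE asked for.
check_ca_matches() {
    summary=$(printf '%s\n' "$1" | ca_key_summary)
    want="$2${3:+ $3}"
    [ "$summary" = "$want" ]
}

# Constructed excerpts of openssl x509 -text output (not captured from a real CA).
EC_DUMP='Certificate:
    Data:
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (521 bit)
                ASN1 OID: secp521r1
                NIST CURVE: P-521'

RSA_DUMP='Certificate:
    Data:
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:'

# Real-world use, inside the container after ovpn_initpki:
#   openssl x509 -in /etc/openvpn/pki/ca.crt -noout -text | ca_key_summary
if check_ca_matches "$EC_DUMP" ec secp521r1; then echo "EC CA matches request"; fi
if ! check_ca_matches "$RSA_DUMP" ec secp521r1; then echo "RSA CA does not match an EC request"; fi
```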

maxswjeon commented 3 years ago

Thanks. My mistake.