Skip to content

Commit

Permalink
Merge pull request #14 from dcos-labs/0.0.0-2.0
Browse files Browse the repository at this point in the history
0.0.0 2.0
  • Loading branch information
aggress authored Dec 7, 2017
2 parents a9f21d9 + 37fddda commit ade7cfe
Show file tree
Hide file tree
Showing 10 changed files with 184 additions and 146 deletions.
5 changes: 5 additions & 0 deletions .dockerignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
local_universe_setup.sh
.git
.gitignore
docker-build.sh
marathon.json
11 changes: 11 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,17 @@
Changelog
===============

0.0.0-2.0 - 7th December 2017

- Added synchronisation of the PKI (users, certificates and keys) between multiple running instances
- Enabled >1 instances to be started at the same time and match their local data
- Cleaned up the output to stdout
- Refactored a number of functions in run.sh to improve robustness
- Increased CPU resource from 0.1 to 1.0 due to DC/OS 1.10 now enforcing CPU usage - required for key generation.
- Fixed https://github.com/dcos-labs/dcos-openvpn/issues/13
- Improved the function to find the public address
- Fixed the hostports in the marathon.json

0.0.0-1.0 - 12th September 2017

- Changed znode path from dcos-vpn to openvpn
Expand Down
9 changes: 6 additions & 3 deletions Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -2,14 +2,17 @@ FROM kylemanna/openvpn

MAINTAINER Richard Shaw <rshaw@mesosphere.com>

RUN apk -U add ca-certificates python python-dev py-setuptools alpine-sdk libffi libffi-dev openssl-dev
RUN apk -U add ca-certificates python python-dev \
py-setuptools alpine-sdk libffi libffi-dev openssl-dev \
haveged

COPY . /dcos

WORKDIR /dcos
RUN haveged -n 100g -f - | dd of=/dev/null
RUN ["/usr/bin/python", "setup.py", "install"]
RUN apk del alpine-sdk && \
apk fix openssl && \
rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/*
EXPOSE 5000 1194/tcp 1194/udp
CMD ["bin/run.sh", "run_server"]
EXPOSE 5000/tcp 1194/udp
CMD ["bin/run.sh", "run_server"]
53 changes: 31 additions & 22 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,12 +3,16 @@ DC/OS OpenVPN

[![release](http://github-release-version.herokuapp.com/github/dcos-labs/dcos-openvpn/release.svg?style=flat)](https://github.com/dcos-labs/dcos-openvpn/releases/latest)

Please note: This is a [DC/OS Community package](https://dcos.io/community/), which is not formally tested or supported by Mesosphere.

OpenVPN server and REST management interface package for DC/OS.

Please note: This is a [DC/OS Community package](https://dcos.io/community/), which is not formally tested or supported by Mesosphere.

Issues and PRs are welcome.

Please review the Changelog for recent changes


Features
--------------
Expand All @@ -22,21 +26,21 @@ Features
1. The Zookeeper znode `/openvpn` has ACLs enabled, to protect the OpenVPN server and client credentials
1. Synchronisation of assets between the container and Zookeeper in case the container is restarted
1. Clients revoked through the REST interface are correctly revoked from OpenVPN
1. Merged the previously separate openvpn server & openvpn-admin 0.0.0-0.1 packages into one. The openvpn-admin package is no longer required.
1. Merged the previously separate openvpn server & openvpn-admin 0.0.0-0.1 packages into one. The openvpn-admin package is no longer required


Installation
--------------

**You must configure the OVPN_USERNAME & OVPN_PASSWORD environment variables before installation** These are required for both the REST interface
credentials and for the Zookeeper znode ACL.
credentials and for the Zookeeper znode ACL. Please note, DC/OS 1.10 enforces CPU usage, key generation requires a full 1.0 CPU. This can be reduced back to 0.1 once up and running.

### DC/OS Public Universe Installation

1. From the **DC/OS Dashboard > Universe > Packages > enter openvpn in the search box**
1. Select **Install Package > Advanced Installation** and scroll down
1. Configure both the OVPN_USERNAME & OVPN_PASSWORD
1. Select **Review and Install > Install**
1. From the `DC/OS Dashboard > Universe > Packages > enter openvpn in the search box`
1. Select `Install Package > Advanced Installation` and scroll down
1. Configure both the `OVPN_USERNAME` & `OVPN_PASSWORD`
1. Select `Review and Install > Install`
1. The service is installed and initialises, when complete, it'll be marked as Running and Healthy
1. See Troubleshooting for any issues, otherwise go to Usage

Expand All @@ -51,53 +55,51 @@ The task can be also be added as a package to a local Universe repository

1. Clone https://github.com/mesosphere/universe
1. Read https://docs.mesosphere.com/1.9/administering-clusters/deploying-a-local-dcos-universe/
1. Read and amend the source of local_universe_setup.sh to facilitate building and publishing


Usage
--------------

### Endpoints

The exact endpoints can be confirmed from **DC/OS Dashboard > Services > OpenVPN > <running task> > Details**
The exact endpoints can be confirmed from `DC/OS Dashboard > Services > OpenVPN > <running task> > Details`

1. OpenVPN is presented on 1194/UDP and any OpenVPN client will default to this port
1. The REST management interface is available on 5000/TCP and will be accessed at https://<IP>:5000
1. OpenVPN is presented on `1194/UDP` and any OpenVPN client will default to this port
1. The REST management interface is available on `5000/TCP` and will be accessed at `https://<IP>:5000`
1. /status /test /client are all valid REST endpoints. /status does not require authentication as it is used for health checks

### Add a User

1. Authenticate and POST to the REST endpoint, the new user's credentials will be output to the POST body
```
curl -k -u username:password -X POST -d "name=richard" https://<IP>:5000/client
curl -k -u username:password -X POST -d "name=richard" https://<IP>:5000/client > richard.ovpn
```
2. Copy the entire ouput and save to a single file - you may need to amend the target server IP if on an internal network
3. Save the file as dcos.ovpn and add to any suitable OpenVPN client, like [Tunnelblick](https://tunnelblick.net/) for macOS for example
4. Test connecting with the OpenVPN client. See Troubleshooting for help.
5. The new client credentials will be backed up to Zookeeper for persistence in case the task is killed, and will be copied back as required
2. Import the .ovpn file into any suitable OpenVPN client, Tunnelblick for macOS, for example
3. Test connecting with the OpenVPN client. See Troubleshooting for help
4. The new client credentials will be backed up to Zookeeper for persistence in case the task is killed, and will be synchronised with any other instances

### Revoke a User

1. Using the same client endpoint, append the name of the user you wish to revoke
```
curl -k -u username:password -X DELETE https://<IP>:5000/client/richard
```
2. The client is correctly revoked from OpenVPN and the assets are removed from the container and Zookeeper
2. The client is correctly revoked from OpenVPN and the change is synchronised with all running instances

### Remove Zookeeper data

During installation, an ACL is set on the Zookeeper openvpn znode, restricting access based on the OVPN_USERNAME & OVPN_PASSWWORD credentials.
During installation, an ACL is set on the Zookeeper OpenVPN znode, restricting access based on the `OVPN_USERNAME` & `OVPN_PASSWWORD` credentials.
In order to remove the znode data you must either authenticate with those same credentials or as the Zookeeper super user.

Some examples of how to achieve this using zk-shell which is shipped in the Docker image:
```
zk-shell connect master.mesos:2181
(CONNECTED) / add_auth digest <username>:<password>
(CONNECTED) / rmr openvpn/
(CONNECTED) / rmr /openvpn/
(CONNECTED) / exit
```

If you intend to change the OVPN_USERNAME & OVPN_PASSWORD, you will need to change the ACL on the existing znode, then reinstall the package
If you intend to change the `OVPN_USERNAME` & `OVPN_PASSWORD`, you will need to change the ACL on the existing znode, then reinstall the package
with new credentials
```
zk-shell connect master.mesos:2181
Expand Down Expand Up @@ -132,18 +134,27 @@ zkshrun.sh is a little standalone helper script that provides run_command to the

A modified version of easyrsa is shipped which removes user prompts.

Synchronisation between multiple running instances is handled via a cron job, which runs every 2 minutes. It checks to see
if the `openvpn/pki/issue.txt` differs between localhost and in Zookeeper. If there's a diff, it signifies that a user has been created
or revoked by another instance which has been uploaded to Zookeeper. The full pki directory is copied down to update the local instance
and the ovpn daemon is restarted.

This functionality is rudimentary and it's recommended not to add or revoke more than one user at a time and then leave >3 minutes between
each change to allow the synchronisation to work.

### Startup order
1. run.sh checks for existing assets in Zookeeper and copies them to the container if they exist, otherwise initpki and genconfig are run
1. Launchs the OpenVPN daemon in daemon mode
1. Starts the Python REST interface
1. Synchronisation cron job every 2 minutes


Troubleshooting
--------------

### Service

1. Review stdout and stderr from the task's logs under the **DC/OS Dashboard > Service > openvpn > running task > logs**
1. Review stdout and stderr from the task's logs under the `DC/OS Dashboard > Service > openvpn > running task > logs`
2. If the task is running on DC/OS, find out which agent is running the service using the DC/OS cli `dcos task | grep openvpn`
4. SSH to that agent and get a shell on the running container
```
Expand Down Expand Up @@ -176,10 +187,8 @@ DC/OS to allow you to delete the root openvpn znode. Setting ZK credentials is r

Todo
--------------
1. Get defined host ports working in the marathon.json - works in the Universe marathon template
1. The patch for zk-shell https://github.com/rgs1/zk_shell/pull/82 as managed in run.bash around line 100 needs removing when zk-shell is fixed
1. Update the /status endpoint for ovpn_status output and tie into a healthcheck
1. run.sh usage and tidying
1. Update for DC/OS 1.10 and file based secrets
1. Either extend zk-shell to add auth to its params or replace with Kazoo code
1. Replace the location function which calls out to ifconfig.me as it's of no use for internal networks
1 change: 1 addition & 0 deletions bin/envs.sh
Original file line number Diff line number Diff line change
Expand Up @@ -6,3 +6,4 @@ export ZKURL=${ZKURL:="master.mesos:2181"}
export CONFIG_LOCATION=${CONFIG_LOCATION:="/etc/openvpn"}
export HOST=${HOST:=127.0.0.1}
export PORT0=${PORT0:=6000}
export OVPN_PORT=${OVPN_PORT:=1194}
Loading

0 comments on commit ade7cfe

Please sign in to comment.