Merge pull request #138 from dappnode/v0.2.3

v0.2.3 Release

Author: eduadiez

VPN-min.png

@@ -43,7 +43,7 @@ RUN ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin && \
 # (Docker) Necessary dependencies
 RUN apk add --no-cache libltdl
 RUN ALPINE_GLIBC_BASE_URL="https://github.com/sgerrand/alpine-pkg-glibc/releases/download" && \
-    ALPINE_GLIBC_PACKAGE_VERSION="2.28-r0" && \
+    ALPINE_GLIBC_PACKAGE_VERSION="2.30-r0" && \
     ALPINE_GLIBC_BASE_PACKAGE_FILENAME="glibc-$ALPINE_GLIBC_PACKAGE_VERSION.apk" && \
     ALPINE_GLIBC_BIN_PACKAGE_FILENAME="glibc-bin-$ALPINE_GLIBC_PACKAGE_VERSION.apk" && \
     ALPINE_GLIBC_I18N_PACKAGE_FILENAME="glibc-i18n-$ALPINE_GLIBC_PACKAGE_VERSION.apk" && \
@@ -96,15 +96,10 @@ ENV EASYRSA=/usr/share/easy-rsa \
     OPENVPN_CCD_DIR=$OPENVPN/ccd \
     OPENVPN_CRED_PORT=8090 \
 # VPN management parameters - Node paths
-    DB_PATH=/usr/src/app/secrets/vpndb.json \
     LOGIN_MSG_PATH=/usr/src/app/secrets/loginMsgFile.txt \
     INSTALLATION_STATIC_IP=/usr/src/app/config/static_ip \
-    KEYPAIR_PATH=/usr/src/app/secrets/keypair \
-    PUBLIC_IP_PATH=/usr/src/app/secrets/server-ip \
+    SALT_PATH=/usr/src/app/secrets/salt \
     SERVER_NAME_PATH=/etc/vpnname \
-    INTERNAL_IP_PATH=/usr/src/app/secrets/internal-ip \
-    EXTERNAL_IP_PATH=/usr/src/app/secrets/external-ip \
-    PUBLIC_IP_RESOLVED_PATH=/usr/src/app/secrets/public-ip_resolved \
 # VPN management parameters - URLs
     DYNDNS_HOST=https://ns.dappnode.io \
     DYNDNS_DOMAIN=dyndns.dappnode.io \
@@ -122,7 +117,6 @@ VOLUME ["/etc/openvpn"]
 EXPOSE 1194/udp
 
 RUN ln -s /usr/src/app/src/getAdminCredentials.js /usr/local/bin/getAdminCredentials && \
-    ln -s /usr/src/app/src/migrateOldUsers.js /usr/local/bin/migrateOldUsers && \
     ln -s /usr/src/app/src/vpncli.js /usr/local/bin/vpncli
 
 ADD build/bin /usr/local/bin

build/Dockerfile

@@ -5,17 +5,17 @@
 # Import global variables first
 source /etc/env.sh
 
-SALT=$(jq -r ".salt" ${DB_PATH})
+SALT=$(cat ${SALT_PATH})
 FILE=$(echo -n ${SALT}${common_name} | sha256sum | cut -c -16)
 
-if [ -e ${OPENVPN_CRED_DIR}/${FILE} ]; then
-    rm ${OPENVPN_CRED_DIR}/${FILE}
+if [ -e "${OPENVPN_CRED_DIR}/${FILE}" ]; then
+    rm "${OPENVPN_CRED_DIR}/${FILE}"
 fi
 
 # Reset login text
-if [ ${common_name} = ${DEFAULT_ADMIN_USER} ]; then
-    echo "The admin credentials expired. Use the command below to generate a new download link:" > $LOGIN_MSG_PATH
-    echo "dappnode_get ${DEFAULT_ADMIN_USER}" >> $LOGIN_MSG_PATH
+if [ "${common_name}" = "${DEFAULT_ADMIN_USER}" ]; then
+    echo "The admin credentials expired. Use the command below to generate a new download link:" > "$LOGIN_MSG_PATH"
+    echo "dappnode_get ${DEFAULT_ADMIN_USER}" >> "$LOGIN_MSG_PATH"
 fi
 
 exit 0

build/bin/ovpn_client_up

@@ -141,11 +141,16 @@ fi
 if [ -z "${EASYRSA_PKI:-}" ]; then
     export EASYRSA_PKI="$OPENVPN/pki"
 fi
+if [ -z "${OVPN_CN:-}" ]; then
+  export OVPN_CN="dappnode.eth"
+fi
+
 
 OVPN_AUTH=''
 OVPN_CIPHER=''
 OVPN_CLIENT_TO_CLIENT=''
-OVPN_CN=''
+#OVPN_CN='' // Don't clear it, grab from entrypoint
+OVPN_HOSTNAME='localhost'
 OVPN_COMP_LZO=0
 OVPN_DEFROUTE=1
 OVPN_DEVICE="tun"
@@ -274,7 +279,7 @@ done
 # Server name is in the form "udp://vpn.example.com:1194"
 if [[ "${OVPN_SERVER_URL:-}" =~ ^((udp|tcp|udp6|tcp6)://)?([0-9a-zA-Z\.\-]+)(:([0-9]+))?$ ]]; then
     OVPN_PROTO=${BASH_REMATCH[2]};
-    OVPN_CN=${BASH_REMATCH[3]};
+    OVPN_HOSTNAME=${BASH_REMATCH[3]};
     OVPN_PORT=${BASH_REMATCH[5]};
 else
     set +x
@@ -288,27 +293,28 @@ set +u
 [ -z "$OVPN_DNS_SERVERS" ] && OVPN_DNS_SERVERS=("8.8.8.8" "8.8.4.4")
 [ -z "$OVPN_PROTO" ] && OVPN_PROTO=udp
 [ -z "$OVPN_PORT" ] && OVPN_PORT=1194
+[ -z "$OVPN_HOSTNAME" ] && OVPN_HOSTNAME=localhost
 set -u
 [ "${#OVPN_ROUTES[@]}" == "0" ] && [ "$OVPN_DEFROUTE" == "1" ] && OVPN_ROUTES+=("192.168.254.0/24")
 
-# Preserve config
-if [ -f "$OVPN_ENV" ]; then
-    bak_env=$OVPN_ENV.$(date +%s).bak
-    echo "Backing up $OVPN_ENV -> $bak_env"
-    mv "$OVPN_ENV" "$bak_env"
-fi
+# Dont' backup, regenerated at every boot
+# if [ -f "$OVPN_ENV" ]; then
+#     bak_env=$OVPN_ENV.$(date +%s).bak
+#     echo "Backing up $OVPN_ENV -> $bak_env"
+#     mv "$OVPN_ENV" "$bak_env"
+# fi
 
 # Save the current OVPN_ vars to the ovpn_env.sh file
 (set | grep '^OVPN_') | while read -r var; do
   echo "declare -x $var"  >> "$OVPN_ENV"
 done
 
 conf=${OPENVPN:-}/openvpn.conf
-if [ -f "$conf" ]; then
-    bak=$conf.$(date +%s).bak
-    echo "Backing up $conf -> $bak"
-    mv "$conf" "$bak"
-fi
+# if [ -f "$conf" ]; then
+#     bak=$conf.$(date +%s).bak
+#     echo "Backing up $conf -> $bak"
+#     mv "$conf" "$bak"
+# fi
 
 # Echo extra client configurations
 if [ ${#OVPN_EXTRA_CLIENT_CONFIG[@]} -gt 0 ]; then

build/bin/ovpn_genconfig

@@ -37,15 +37,16 @@ nobind
 dev $OVPN_DEVICE
 remote-cert-tls server
 
-remote $OVPN_CN $OVPN_PORT $OVPN_PROTO"
+remote $OVPN_HOSTNAME $OVPN_PORT $OVPN_PROTO"
+
     if [ "$OVPN_PROTO" == "udp6" ]; then
-        echo "remote $OVPN_CN $OVPN_PORT udp"
+        echo "remote $OVPN_HOSTNAME $OVPN_PORT udp"
     fi
     if [ "$OVPN_PROTO" == "tcp6" ]; then
-        echo "remote $OVPN_CN $OVPN_PORT tcp"
+        echo "remote $OVPN_HOSTNAME $OVPN_PORT tcp"
     fi
     for i in "${OVPN_EXTRA_CLIENT_CONFIG[@]}"; do
-      echo "$i"
+        echo "$i"
     done
     if [ "$mode" == "combined" ]; then
         echo "
@@ -62,45 +63,45 @@ key-direction 1
 <tls-auth>
 $(cat $EASYRSA_PKI/ta.key)
 </tls-auth>
-"
-    elif [ "$mode" == "separated" ]; then
+        "
+        elif [ "$mode" == "separated" ]; then
         echo "
 key ${cn}.key
 ca ca.crt
 cert ${cn}.crt
 tls-auth ta.key 1
-"
+        "
     fi
-
+    
     if [ "$OVPN_DEFROUTE" != "0" ];then
         echo "redirect-gateway def1"
     fi
-
+    
     if [ -n "$OVPN_MTU" ]; then
         echo "tun-mtu $OVPN_MTU"
     fi
-
+    
     if [ -n "$OVPN_TLS_CIPHER" ]; then
         echo "tls-cipher $OVPN_TLS_CIPHER"
     fi
-
+    
     if [ -n "$OVPN_CIPHER" ]; then
         echo "cipher $OVPN_CIPHER"
     fi
-
+    
     if [ -n "$OVPN_AUTH" ]; then
         echo "auth $OVPN_AUTH"
     fi
-
+    
     if [ -n "$OVPN_OTP_AUTH" ]; then
         echo "auth-user-pass"
         echo "auth-nocache"
     fi
-
+    
     if [ "$OVPN_COMP_LZO" == "1" ]; then
         echo "comp-lzo"
     fi
-
+    
     if [ -n "$OVPN_OTP_AUTH" ]; then
         echo reneg-sec 0
     fi
@@ -115,18 +116,18 @@ case "$parm" in
         cp "$EASYRSA_PKI/ca.crt" "$dir/ca.crt"
         cp "$EASYRSA_PKI/issued/${cn}.crt" "$dir/${cn}.crt"
         cp "$EASYRSA_PKI/ta.key" "$dir/ta.key"
-        ;;
+    ;;
     "" | "combined")
         get_client_config "combined"
-        ;;
+    ;;
     "combined-save")
         mkdir -p "$dir"
         get_client_config "combined" > "$dir/${cn}-combined.ovpn"
-        ;;
+    ;;
     *)
         echo "This script can produce the client configuration in two formats:" >&2
         echo "    1. combined (default): All needed configuration and cryptographic material is in one file (Use \"combined-save\" to write the configuration file in the same path as the separated parameter does)." >&2
         echo "    2. separated: Separated files." >&2
         echo "Please specify one of those options as second parameter." >&2
-        ;;
+    ;;
 esac

build/bin/ovpn_getclient

@@ -2,39 +2,44 @@
 
 # Initialize APP
 echo "Initializing App..."
-node src/initializeApp.js
-echo "Initialized App"
 
-# Check in db if node has a static IP, use dynamic DNS domain instead.
-export PUBLIC_ENDPOINT="$(node src/getPublicEndpointCommand)"
-echo "Fetched public endpoint: $PUBLIC_ENDPOINT"
-VPNHOSTNAME=${PUBLIC_ENDPOINT}
+[ -z "$_DAPPNODE_GLOBAL_HOSTNAME" ] || echo "Global variables not loaded yet. Waiting to be restarted by DAPPMANAGER..."
+while [ -z "$_DAPPNODE_GLOBAL_HOSTNAME" ]; do
+    sleep 5
+done
+[ -n "$_DAPPNODE_GLOBAL_HOSTNAME" ] || echo "Public hostname loaded: ${_DAPPNODE_GLOBAL_HOSTNAME}"
+# check and generate random seed
+if [ ! -f "${SALT_PATH}" ]; then
+  head /dev/urandom | tr -dc a-f0-9 | head -c 16 > "${SALT_PATH}"
+fi
+OVPN_CN="${_DAPPNODE_GLOBAL_HOSTNAME}"
+export OVPN_CN
+echo "Initialized App"
 
-# Initialize config and PKI 
+# Initialize config and PKI
 # -c: Client to Client
 # -d: disable default route (disables NAT without '-N')
 # -p "route 172.33.0.0 255.255.0.0": Route to push to the client
-
-if [ ! -e "${OPENVPN_CONF}" ]; then
-    ovpn_genconfig -c -d -u udp://${VPNHOSTNAME} -s 172.33.8.0/22 \
-    -p "route 172.33.0.0 255.255.0.0" \
-    -n "172.33.1.2"
-    EASYRSA_REQ_CN=${VPNHOSTNAME} ovpn_initpki nopass
+# -n "172.33.1.2": DNS server (BIND)
+ovpn_genconfig -c -d -u udp://"${_DAPPNODE_GLOBAL_HOSTNAME}" -s 172.33.8.0/22 \
+    -p "route 172.33.0.0 255.255.0.0" -n "172.33.1.2"
+
+# check if PKI is initalized already, if not use hostname as CN
+if [ ! -d "${OPENVPN}/pki/reqs" ] || [ ! "$(ls -A ${OPENVPN}/pki/reqs)" ]; then
+    echo "Initializing PKI"
+    EASYRSA_REQ_CN=${OVPN_CN} ovpn_initpki nopass
 fi
 
 # Create admin user
 if [ ! -e "${OPENVPN_ADMIN_PROFILE}" ]; then
-    vpncli add ${DEFAULT_ADMIN_USER}
-    vpncli get ${DEFAULT_ADMIN_USER}
-    echo "ifconfig-push 172.33.10.1 255.255.252.0" > ${OPENVPN_CCD_DIR}/${DEFAULT_ADMIN_USER}
+    vpncli add "${DEFAULT_ADMIN_USER}"
+    vpncli get "${DEFAULT_ADMIN_USER}"
+    echo "ifconfig-push 172.33.10.1 255.255.252.0" > "${OPENVPN_CCD_DIR}/${DEFAULT_ADMIN_USER}"
 fi
 
 # Enable Proxy ARP (needs privileges)
 echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
 
-# Migrate users from v1
-migrateOldUsers
-
 # Save environment
 env | sed '/affinity/d' > /etc/env.sh
 

build/src/entrypoint.sh

@@ -17,34 +17,27 @@
   "author": "dappLion & vdo",
   "license": "ISC",
   "dependencies": {
-    "autobahn": "^18.10.2",
-    "base64url": "^3.0.0",
+    "autobahn": "^19.9.2",
     "chalk": "^2.4.2",
-    "cmd": "^0.1.0",
-    "create-error": "^0.3.1",
-    "eth-crypto": "^1.2.4",
-    "file-system": "^2.2.2",
-    "generate-password": "^1.4.1",
-    "is-ip": "^2.0.0",
+    "commander": "^3.0.1",
     "ip": "^1.1.5",
-    "ip-regex": "^3.0.0",
-    "lowdb": "^1.0.0",
-    "node-fetch": "^2.1.2",
+    "is-ip": "^3.1.0",
+    "node-fetch": "^2.6.0",
     "prettyjson": "^1.2.1",
     "qrcode-terminal": "^0.12.0",
-    "tweetnacl": "^1.0.0",
-    "winston": "^3.0.0"
+    "tweetnacl": "^1.0.1",
+    "winston": "^3.2.1"
   },
   "devDependencies": {
     "chai": "^4.1.2",
-    "coveralls": "^3.0.2",
-    "eslint": "^5.16.0",
+    "coveralls": "^3.0.6",
+    "eslint": "^6.4.0",
     "husky": "^1.3.1",
-    "mocha": "^5.2.0",
-    "nyc": "^12.0.2",
+    "mocha": "^6.2.0",
+    "nyc": "^14.1.1",
     "prettier": "^1.16.4",
-    "proxyquire": "^2.1.0",
-    "sinon": "^5.1.0",
+    "proxyquire": "^2.1.3",
+    "sinon": "^7.4.2",
     "sinon-chai": "^3.1.0"
   },
   "husky": {

build/src/package.json

@@ -24,7 +24,7 @@ async function addDevice({ id }) {
     );
   }
 
-  let userArray = await getUserList();
+  const userArray = await getUserList();
 
   if (userArray.length >= userLimit) {
     throw Error(`You have reached the maximum user limit (${userLimit})`);