reisbel · dainer88 · Jun 25, 2020 · Jun 25, 2020 · Jun 25, 2020 · Jun 25, 2020
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # openvpn-docker-scripts
 
- Scripts for creating your own [OpenVPN](https://openvpn.net/) server with [Docker](https://www.docker.com/),  based on [this](https://medium.com/@gurayy/set-up-a-vpn-server-with-docker-in-5-minutes-a66184882c45) article and this [repository](https://github.com/kylemanna/docker-openvpn)
+ Scripts for creating your own [OpenVPN](https://openvpn.net/) server with [Docker](https://www.docker.com/) and optional openvpn monitor,  based on [this](https://medium.com/@gurayy/set-up-a-vpn-server-with-docker-in-5-minutes-a66184882c45) article, this [repository](https://github.com/kylemanna/docker-openvpn) and this [repository](https://github.com/ruimarinho/docker-openvpn-monitor) for openvpn monitor.
 
 ## Steps
 
@@ -10,11 +10,20 @@ Install OpenVPN and dependencies
 sudo bash -c "$(wget -qO- https://raw.githubusercontent.com/reisbel/openvpn-docker-scripts/master/install_openvpn.sh)"
 ```
 
+Install OpenVPN and Monitor
+```bash
+sudo bash -c "$(wget -qO- https://raw.githubusercontent.com/reisbel/openvpn-docker-scripts/master/install_openvpn.sh) --monitor-enable true"
+```
+
 ## Create user
 
 ```bash
 sudo bash  -c "$(wget -qO- https://raw.githubusercontent.com/reisbel/openvpn-docker-scripts/master/create_user.sh)" --dump-strings user1
 ```
+## Delete user
+```bash
+sudo bash -c "$(wget -qO- https://raw.githubusercontent.com/dainer88/openvpn-docker-scripts/master/delete_user.sh)" user1
+```
 
 ## References
 
@@ -24,6 +33,9 @@ Outline install script
 Set Up a VPN Server With Docker In 5 Minutes
 <https://medium.com/@gurayy/set-up-a-vpn-server-with-docker-in-5-minutes-a66184882c45>
 
+Script to delete user
+<https://aurlen.net/w/es/script-para-eliminar-un-usuario-openvpn/>
+
 ## License
 
 Apache License - See [LICENSE](LICENSE) for more information.
diff --git a/delete_user.sh b/delete_user.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+#Color definition
+red=$'\e[1;31m'
+grn=$'\e[1;32m'
+end=$'\e[0m'
+
+if [ $# -ne 1 ]; then
+	printf "%s\n" "${red}Usage: Provide the username (only one).${end}"
+	printf "%s\n" "${grn}Example: $0 juanperez${end}"
+	exit 1
+else
+
+# Remove non-ASCII characters of the paramenter 1, the username
+	export LC_ALL=C 
+	username = echo "$1" #$(echo "$1" | tr -cd '[:alnum:]')
+
+	# easy-rsa directory
+	EasyRsaDir="/etc/openvpn/easy-rsa"
+	#OpenVPN Dir
+	OpenVpnDir="/etc/openvpn"
+
+	#User's certificate
+	CertificateFile="$EasyRsaDir/keys/$username.crt"
+
+	# Verify if the user can read the certificate and can find the certificate
+	if [ ! -r "$CertificateFile" ]; then
+		printf "%s\n" "${red}Error. User $username not found or you don't have permission to read the certificate $CertificateFile.${end}"
+		exit 1
+	fi
+
+
+	cd $EasyRsaDir
+	if [ $? -ne 0 ]; then
+	printf "%s\n" "${red}Error to access to the directory $EasyRsaDir.${end}"
+	exit 1
+	fi
+
+	#Importing the openvpn variables
+
+	source $EasyRsaDir/vars 1 >> /dev/null 2 >> /dev/null
+
+	if [ $? -ne 0 ]; then
+	printf "%s\n" "${red}Error to import variables.${end}"
+	exit 1
+	fi
+
+
+	#After revocation the command send this line
+	#error 23 at 0 depth lookup:certificate revoked
+
+	#Revoke the certificate and check if the status 23 to the CancellSuccess variable
+	CancellSuccess=$($EasyRsaDir/revoke-full $username 2> /dev/null | tail -1 | awk '{print $2}')
+	UserStatus=$(cat $EasyRsaDir/keys/index.txt | grep $username | tail -1 | awk '{ print $1 }' | tr -cd '[:alnum:]')
+
+	#Logical OR in bash script is used with operator -o.
+
+	if [ "$CancellSuccess" -eq 23 -o "$UserStatus" == "R" ]; then 
+		/bin/cp -fbp $EasyRsaDir/keys/crl.pem $OpenVpnDir/keys/crl.pem
+		#Move the revoved certificate to a direcotory for backup
+		/bin/mv $EasyRsaDir/keys/$username.crt $EasyRsaDir/revoke-keys/
+		/bin/mv $EasyRsaDir/keys/$username.key $EasyRsaDir/revoke-keys/
+		/bin/mv $EasyRsaDir/keys/$username.csr $EasyRsaDir/revoke-keys/
+		printf "%s\n" "${grn}The user $username was deleted${end}"
+	else
+		printf "%s\n" "${red}Error to revoke user $username${end}"
+		exit 1
+	fi 
+fi
diff --git a/install_openvpn.sh b/install_openvpn.sh
@@ -19,11 +19,13 @@ set -euo pipefail
 
 function display_usage() {
   cat <<EOF
-Usage: install_server.sh [--hostname <hostname>] [--api-port <port>] [--keys-port <port>]
+Usage: install_server.sh [--hostname <hostname>] [--api-port <port>] [--keys-port <port>] [--management-port <port>] [--monitor-enable <true or false>]
 
-  --hostname   The hostname to be used to access the management API and access keys
-  --api-port   The port number for the management API
-  --keys-port  The port number for the access keys
+  --hostname   The hostname to be used to access the management API and access keys.
+  --api-port   The port number for the management API. (By default is 1194)
+  --keys-port  The port number for the access keys.
+  --management-port The port number for the managent. (By default is 5555)
+  --monitor-enable Define if monitor app should be deployed or not. (By default is false).
 EOF
 }
 
@@ -201,14 +203,14 @@ function join() {
 }
 
 function init_pki() {
-  sudo docker run -v ${OPEN_VPN_DATA_DIR}:/etc/openvpn --rm -it ${SB_IMAGE} ovpn_initpki
+  sudo docker run --network vpn -v ${OPEN_VPN_DATA_DIR}:/etc/openvpn --rm -it ${SB_IMAGE} ovpn_initpki
 }
 
 function generate_openvpn_config_file() {
   # By itself, local messes up the return code.
   local readonly STDERR_OUTPUT
 
-  STDERR_OUTPUT=$(docker run -v ${OPEN_VPN_DATA_DIR}:/etc/openvpn --rm ${SB_IMAGE} ovpn_genconfig -u udp://${PUBLIC_HOSTNAME}:${API_PORT} 2>&1 >/dev/null)
+  STDERR_OUTPUT=$(docker run --network vpn -v ${OPEN_VPN_DATA_DIR}:/etc/openvpn --rm ${SB_IMAGE} ovpn_genconfig -u udp://${PUBLIC_HOSTNAME}:${API_PORT} -e "management 0.0.0.0 ${MANAGEMENT_PORT}" 2>&1 >/dev/null)
   local readonly RET=$?
   if [[ $RET -eq 0 ]]; then
     return 0
@@ -220,7 +222,31 @@ function start_openvpn() {
   # By itself, local messes up the return code.
   local readonly STDERR_OUTPUT
 
-  STDERR_OUTPUT=$(docker run --name openvpn -v ${OPEN_VPN_DATA_DIR}:/etc/openvpn -d -p ${API_PORT}:${API_PORT}/udp --cap-add=NET_ADMIN ${SB_IMAGE} 2>&1 >/dev/null)
+  STDERR_OUTPUT=$(docker run --name openvpn --network vpn --network-alias openvpn --restart unless-stopped -v ${OPEN_VPN_DATA_DIR}:/etc/openvpn -d -p ${API_PORT}:${API_PORT}/udp -p ${MANAGEMENT_PORT}:${MANAGEMENT_PORT} --cap-add=NET_ADMIN ${SB_IMAGE} 2>&1 >/dev/null)
+  local readonly RET=$?
+  if [[ $RET -eq 0 ]]; then
+    return 0
+  fi
+  log_error "FAILED"
+}
+
+function start_openvpn_monitor() {
+  # By itself, local messes up the return code.
+  local readonly STDERR_OUTPUT
+
+  STDERR_OUTPUT=$(docker run -d --name openvpn-monitor --network vpn --network-alias openvpn-monitor --restart unless-stopped -e OPENVPNMONITOR_SITES_0_ALIAS=UDP -e OPENVPNMONITOR_SITES_0_HOST=openvpn -e OPENVPNMONITOR_SITES_0_NAME=UDP -e OPENVPNMONITOR_SITES_0_PORT=${MANAGEMENT_PORT} -e OPENVPNMONITOR_SITES_0_SHOWDISCONNECT=True -e OPENVPNMONITOR_SITES_1_ALIAS=TCP -e OPENVPNMONITOR_SITES_1_HOST=openvpn -e OPENVPNMONITOR_SITES_1_NAME=TCP -e OPENVPNMONITOR_SITES_1_PORT=${MANAGEMENT_PORT} -p 80:80 ruimarinho/openvpn-monitor 2>&1 >/dev/null)
+  local readonly RET=$?
+  if [[ $RET -eq 0 ]]; then
+    return 0
+  fi
+  log_error "FAILED"
+}
+
+function create_network() {
+  # By itself, local messes up the return code.
+  local readonly STDERR_OUTPUT
+
+  STDERR_OUTPUT=$(docker network create vpn 2>&1 >/dev/null)
   local readonly RET=$?
   if [[ $RET -eq 0 ]]; then
     return 0
@@ -237,7 +263,7 @@ function start_watchtower() {
   docker_watchtower_flags+=(-v /var/run/docker.sock:/var/run/docker.sock)
   # By itself, local messes up the return code.
   local readonly STDERR_OUTPUT
-  STDERR_OUTPUT=$(docker run -d "${docker_watchtower_flags[@]}" v2tec/watchtower --cleanup --tlsverify --interval $WATCHTOWER_REFRESH_SECONDS 2>&1 >/dev/null)
+  STDERR_OUTPUT=$(docker run -d --network vpn "${docker_watchtower_flags[@]}" v2tec/watchtower --cleanup --tlsverify --interval $WATCHTOWER_REFRESH_SECONDS 2>&1 >/dev/null)
   local readonly RET=$?
   if [[ $RET -eq 0 ]]; then
     return 0
@@ -269,16 +295,22 @@ install_openvpn() {
   log_for_sentry "Setting API port"
   API_PORT="${FLAGS_API_PORT}"
 
+  if [[ $API_PORT == 0 ]]; then
+    API_PORT=${SB_API_PORT:-$(get_random_port)}
+  fi
+
+  log_for_sentry "Setting MANAGEMENT por"
+  MANAGEMENT_PORT="${FLAGS_MANAGEMENT_PORT}"
+
   log_for_sentry "Setting PUBLIC_HOSTNAME"
   # TODO(fortuna): Make sure this is IPv4
   PUBLIC_HOSTNAME=${FLAGS_HOSTNAME:-${SB_PUBLIC_IP:-$(curl -4s https://ipinfo.io/ip)}}
 
-  if [[ $API_PORT == 0 ]]; then
-    API_PORT=${SB_API_PORT:-$(get_random_port)}
-  fi
+  while [[ $MANAGEMENT_PORT == 0 || $MANAGEMENT_PORT == $API_PORT ]]; do
+    MANAGEMENT_PORT=${SB_MANAGEMENT_PORT:-$(get_random_port)}
+  done
 
-  readonly SB_IMAGE=${SB_IMAGE:-kylemanna/openvpn}
-
+  readonly SB_IMAGE=${SB_IMAGE:-kylemanna/openvpn:2.4}
 
   if [[ -z $PUBLIC_HOSTNAME ]]; then
     local readonly MSG="Failed to determine the server's IP address."
@@ -287,6 +319,9 @@ install_openvpn() {
     exit 1
   fi
 
+  #create network
+  run_step "Generate network to vpn service" create_network
+
   #Generate OpenVPN config file
   run_step "Generate OpenVPN config file" generate_openvpn_config_file
 
@@ -321,8 +356,13 @@ function is_valid_port() {
   (( 0 < "$1" && "$1" <= 65535 ))
 }
 
+function is_valid_bool() {
+  printf "true"
+  (("${1}" == "true" || "${1}" == "false"))
+}
+
 function parse_flags() {
-  params=$(getopt --longoptions hostname:,api-port:,keys-port: -n $0 -- $0 "$@")
+  params=$(getopt --longoptions hostname:,api-port:,keys-port:,monitor-enable:,management-port: -n $0 -- $0 "$@")
   [[ $? == 0 ]] || exit 1
   eval set -- $params
 
@@ -350,6 +390,22 @@ function parse_flags() {
           exit 1
         fi
         ;;
+      --management-port)
+        FLAGS_MANAGEMENT_PORT=$1
+        shift
+        if ! is_valid_port $FLAGS_MANAGEMENT_PORT; then
+          log_error "Invalid value for $flag: $FLAGS_MANAGEMENT_PORT"
+          exit 1
+        fi
+        ;;
+      --monitor-enable)
+        FLAGS_MONITOR_ENABLE=${1}
+        shift
+        if ! is_valid_bool $FLAGS_MONITOR_ENABLE; then
+          log_error "Invalid value for $flag: $FLAGS_MONITOR_ENABLE"
+          exit 1
+        fi
+        ;;
       --)
         break
         ;;
@@ -364,6 +420,10 @@ function parse_flags() {
     log_error "--api-port must be different from --keys-port"
     exit 1
   fi
+  if [[ $FLAGS_API_PORT != 0 && $FLAGS_MANAGEMENT_PORT == $FLAGS_API_PORT ]]; then
+    log_error "--api-port must be different from --management-port"
+    exit 1
+  fi
   return 0
 }
 
@@ -372,8 +432,14 @@ function main() {
   declare FLAGS_HOSTNAME=""
   declare -i FLAGS_API_PORT=1194
   declare -i FLAGS_KEYS_PORT=0
+  declare -i FLAGS_MANAGEMENT_PORT=5555
+  declare FLAGS_MONITOR_ENABLE=true
   parse_flags "$@"
   install_openvpn
+  if $FLAGS_MONITOR_ENABLE; then
+    #run_step "Starting OpenVPN Monitor" start_openvpn_monitor
+    run_step "Starting OpenVPN Monitor" start_openvpn_monitor
+  fi
 }
 
-main "$@"
+main "$@"