Add OpenVPN for remote access

groupsky · Dec 25, 2019 · efee65d · efee65d
1 parent 0109936
commit efee65d
Show file tree

Hide file tree

Showing 2 changed files with 58 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -3,14 +3,60 @@ Home actuation, monitoring and automation
 
 ## Installation
 
-Start the containers
+* Clone the repo
 
+```bash
+git clone https://github.com/groupsky/homy
+cd homy
 ```
+
+* Initialize the OPNVPN configuration files and certificates
+
+```bash
+docker-compose run --rm openvpn ovpn_genconfig -Ddbu udp://VPN.SERVERNAME.COM
+docker-compose run --rm openvpn ovpn_initpki
+```
+
+* Start the containers
+
+```bash
 docker-compose up -d
 ```
 
+* All is up and running
 Node-red is available at http://localhost:1880
 Home-assistant is available at http://localhost:8123
 MQTT broker uses standard port mqtt://localhost:1883 with websocker ws://localhost:9001
+OpenVPN listens on udp://localhost:1194
+
+### Important security note
+
+If using ufw to limit the access to docker exposed ports, be aware of an issue that allows unrestricted access to docker.
+A good solution is available at [ufw-docker](https://github.com/chaifeng/ufw-docker)
+
+### OpenVPN client certificates
 
-**Important security** if using ufw to limit the access to docker exposed ports, be aware of an issue that allows unrestricted access to docker. A good solution is available at [ufw-docker](https://github.com/chaifeng/ufw-docker)
+* Generate a client certificate
+
+```bash
+export CLIENTNAME="your_client_name"
+# with a passphrase (recommended)
+docker-compose run --rm openvpn easyrsa build-client-full $CLIENTNAME
+# without a passphrase (not recommended)
+docker-compose run --rm openvpn easyrsa build-client-full $CLIENTNAME nopass
+```
+
+* Retrieve the client configuration with embedded certificates
+
+```bash
+docker-compose run --rm openvpn ovpn_getclient $CLIENTNAME > $CLIENTNAME.ovpn
+```
+
+* Revoke a client certificate
+
+```bash
+# Keep the corresponding crt, key and req files.
+docker-compose run --rm openvpn ovpn_revokeclient $CLIENTNAME
+# Remove the corresponding crt, key and req files.
+docker-compose run --rm openvpn ovpn_revokeclient $CLIENTNAME remove
+```
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -30,3 +30,13 @@ services:
     environment:
       - TZ=Europe/Sofia
     restart: always
+  openvpn:
+    cap_add:
+      - NET_ADMIN
+    image: kylemanna/openvpn:2.4
+    container_name: openvpn
+    ports:
+      - "1194:1194/udp"
+    volumes:
+      - ./data/openvpn:/etc/openvpn
+    restart: always