continued work on totp_auth

.env

@@ -1,3 +1,4 @@
+OVPN_LISTEN_BASE_URL="/"
 OVPN_SERVER_NET="192.168.100.0"
 OVPN_SERVER_MASK="255.255.255.0"
 OVPN_NETWORK="192.168.100.0/24"
@@ -6,8 +7,6 @@ OVPN_CCD_PATH="/mnt/ccd"
 EASYRSA_PATH="/mnt/easyrsa"
 OVPN_INDEX_PATH="/mnt/easyrsa/pki/index.txt"
 OVPN_SERVER="127.0.0.1:7777:tcp"
-OVPN_AUTH="true"
-OVPN_AUTH_TFA="true"
-OVPN_PASSWD_AUTH="true"
+OVPN_AUTH="TOTP"
 OVPN_AUTH_DB_PATH="/mnt/easyrsa/pki/users.db"
 LOG_LEVEL="debug"

.github/workflows/publish-latest.yaml

@@ -12,11 +12,24 @@ jobs:
         uses: actions/checkout@v2
         with:
           fetch-depth: 0
-      - name: Push ovpn-admin image to Docker Hub
-        uses: docker/build-push-action@v1
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKER_USER }}
           password: ${{ secrets.DOCKER_PASS }}
-          repository: flant/ovpn-admin
-          tags: latest
-          dockerfile: Dockerfile
+      - name: Push openvpn image to Docker Hub
+        uses: docker/build-push-action@v4
+        with:
+          tags: flant/ovpn-admin:openvpn-latest
+          platforms: linux/amd64,linux/arm64,linux/arm
+          file:  Dockerfile.openvpn
+          push: true
+      - name: Push ovpn-admin image to Docker Hub
+        uses: docker/build-push-action@v4
+        with:
+          tags: flant/ovpn-admin:latest
+          platforms: linux/amd64,linux/arm64,linux/arm
+          file: Dockerfile
+          push: true

.github/workflows/publish-tag.yaml

@@ -16,11 +16,24 @@ jobs:
       - name: Get the version
         id: get_version
         run: echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\//}
-      - name: Push ovpn-admin image to Docker Hub
-        uses: docker/build-push-action@v1
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKER_USER }}
           password: ${{ secrets.DOCKER_PASS }}
-          repository: flant/ovpn-admin
-          tags: ${{ steps.get_version.outputs.VERSION }}
-          dockerfile: Dockerfile
+      - name: Push openvpn image to Docker Hub
+        uses: docker/build-push-action@v4
+        with:
+          tags: flant/ovpn-admin:openvpn-${{ steps.get_version.outputs.VERSION }}
+          platforms: linux/amd64,linux/arm64,linux/arm
+          file: Dockerfile.openvpn
+          push: true
+      - name: Push ovpn-admin image to Docker Hub
+        uses: docker/build-push-action@v4
+        with:
+          tags: flant/ovpn-admin:${{ steps.get_version.outputs.VERSION }}
+          platforms: linux/amd64,linux/arm64,linux/arm
+          file: Dockerfile
+          push: true

.github/workflows/release.yaml

@@ -17,7 +17,7 @@ jobs:
       - name: checkout code
         uses: actions/checkout@v2
       - name: build binaries
-        uses: wangyoucao577/go-release-action@v1.28
+        uses: wangyoucao577/go-release-action@v1.40
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           goversion: 1.17

.github/workflows/release_arm.yaml

@@ -17,7 +17,7 @@ jobs:
       - name: checkout code
         uses: actions/checkout@v2
       - name: build binaries
-        uses: wangyoucao577/go-release-action@v1.28
+        uses: wangyoucao577/go-release-action@v1.40
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           goversion: 1.17

Dockerfile

@@ -1,18 +1,21 @@
 FROM node:16-alpine3.15 AS frontend-builder
 COPY frontend/ /app
-RUN cd /app && npm install && npm run build
+RUN apk add --update python3 make g++ && cd /app && npm install && npm run build
 
 FROM golang:1.17.3-buster AS backend-builder
 COPY --from=frontend-builder /app/static /app/frontend/static
 COPY . /app
-RUN cd /app && env CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -a -tags netgo -ldflags '-linkmode external -extldflags -static -s -w' -o ovpn-admin
+ARG TARGETARCH
+RUN cd /app && env CGO_ENABLED=1 GOOS=linux GOARCH=${TARGETARCH} go build -a -tags netgo -ldflags '-linkmode external -extldflags -static -s -w' -o ovpn-admin
 
 FROM alpine:3.16
 WORKDIR /app
+ARG TARGETARCH
 RUN apk add --update bash easy-rsa openssl openvpn coreutils iptables curl&& \
     ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin && \
-    wget https://github.com/pashcovich/openvpn-user/releases/download/v1.0.9/openvpn-user-linux-amd64.tar.gz -O - |  tar xz -C /usr/local/bin && \
+    wget https://github.com/pashcovich/openvpn-user/releases/download/v1.0.9/openvpn-user-linux-${TARGETARCH}.tar.gz -O - |  tar xz -C /usr/local/bin && \
     rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/*
+RUN if [ -f "/usr/local/bin/openvpn-user-${TARGETARCH}" ]; then ln -s /usr/local/bin/openvpn-user-${TARGETARCH} /usr/local/bin/openvpn-user; fi
 COPY --from=backend-builder /app/ovpn-admin /app
 COPY setup/ /etc/openvpn/setup
 RUN chmod +x /etc/openvpn/setup/configure.sh

README.md

@@ -97,6 +97,9 @@ Flags:
   --listen.port="8080"         port for ovpn-admin
   (or OVPN_LISTEN_PORT)
 
+  --listen.base-url="/"        base URL for ovpn-admin web files
+  (or $OVPN_LISTEN_BASE_URL)
+
   --role="master"              server role, master or slave
   (or OVPN_ROLE)
 

backend/consts.go

@@ -11,4 +11,16 @@ const (
 	stringDateFormat     = "2006-01-02 15:04:05"
 
 	KubeNamespaceFilePath = "/var/run/secrets/kubernetes.io/serviceaccount/namespace"
-)
+
+	secretCA         = "openvpn-pki-ca"
+	secretServer     = "openvpn-pki-server"
+	secretClientTmpl = "openvpn-pki-%d"
+	secretCRL        = "openvpn-pki-crl"
+	secretIndexTxt   = "openvpn-pki-index-txt"
+	secretDHandTA    = "openvpn-pki-dh-and-ta"
+	certFileName     = "tls.crt"
+	privKeyFileName  = "tls.key"
+
+  //<year><month><day><hour><minute><second>Z
+  indexTxtDateFormat = "060102150405Z"
+)

backend/errors.go

@@ -12,7 +12,7 @@ var (
 	userIsNotActiveError        = errors.New("user is not active")
 	passwordMismatchedError     = errors.New("password mismatched")
 	tokenMismatchedError        = errors.New("token mismatched")
-	checkAppError               = errors.New("failed to check 2FA app")
-	registerAppError            = errors.New("failed to register 2FA app")
+	checkAppError               = errors.New("failed to check 2FA TOTP app")
+	registerAppError            = errors.New("failed to register 2FA TOTP app")
 	authBackendDisabled         = errors.New("auth backend not enabled yet")
 )

backend/flags.go

@@ -3,9 +3,10 @@ package backend
 import "gopkg.in/alecthomas/kingpin.v2"
 
 var (
-	ListenHost = kingpin.Flag("listen.host", "host for ovpn-admin").Default("0.0.0.0").Envar("OVPN_LISTEN_HOST").String()
-	ListenPort = kingpin.Flag("listen.port", "port for ovpn-admin").Default("8080").Envar("OVPN_LISTEN_PORT").String()
-	ServerRole = kingpin.Flag("role", "server role, master or slave").Default("master").Envar("OVPN_ROLE").HintOptions("master", "slave").String()
+	ListenHost    = kingpin.Flag("listen.host", "host for ovpn-admin").Default("0.0.0.0").Envar("OVPN_LISTEN_HOST").String()
+	ListenPort 	  = kingpin.Flag("listen.port", "port for ovpn-admin").Default("8080").Envar("OVPN_LISTEN_PORT").String()
+	ListenBaseUrl = kingpin.Flag("listen.base-url", "base url for ovpn-admin").Default("/").Envar("OVPN_LISTEN_BASE_URL").String()
+	ServerRole    = kingpin.Flag("role", "server role, master or slave").Default("master").Envar("OVPN_ROLE").HintOptions("master", "slave").String()
 
 	//PersonalAccess       = kingpin.Flag("personalize", "personalize access for users").Default("false").Envar("OVPN_ADMIN_PERSONALIZE").Bool()
 	//AdminUserPassword    = kingpin.Flag("admin.password", "password fom admin user").Default("admin").Envar("OVPN_ADMIN_PASSWORD").String()
@@ -29,15 +30,15 @@ var (
 
 	EasyrsaDirPath = kingpin.Flag("easyrsa.path", "path to easyrsa dir").Default("./easyrsa").Envar("EASYRSA_PATH").String()
 	IndexTxtPath   = kingpin.Flag("easyrsa.index-path", "path to easyrsa index file").Default("").Envar("OVPN_INDEX_PATH").String()
+	EasyrsaBinPath = kingpin.Flag("easyrsa.bin-path", "path to easyrsa script").Default("easyrsa").Envar("EASYRSA_BIN_PATH").String()
 
 	CcdEnabled = kingpin.Flag("ccd", "enable client-config-dir").Default("false").Envar("OVPN_CCD").Bool()
 	CcdDir     = kingpin.Flag("ccd.path", "path to client-config-dir").Default("./ccd").Envar("OVPN_CCD_PATH").String()
 
 	clientConfigTemplatePath = kingpin.Flag("templates.clientconfig-path", "path to custom client.conf.tpl").Default("").Envar("OVPN_TEMPLATES_CC_PATH").String()
 	ccdTemplatePath          = kingpin.Flag("templates.ccd-path", "path to custom ccd.tpl").Default("").Envar("OVPN_TEMPLATES_CCD_PATH").String()
 
-	AuthByPassword = kingpin.Flag("auth.password", "enable additional password authentication").Default("false").Envar("OVPN_AUTH").Bool()
-	AuthTFA        = kingpin.Flag("auth.2fa", "auth type").Default("false").Envar("OVPN_AUTH_TFA").Bool()
+	AuthType	   = kingpin.Flag("auth.type", "auth type").Default("").Envar("OVPN_AUTH").HintOptions("TOTP", "PASSWORD", "").String()
 	AuthDatabase   = kingpin.Flag("auth.db", "database path for password authentication").Default("./easyrsa/pki/users.db").Envar("OVPN_AUTH_DB_PATH").String()
 
 	LogLevel  = kingpin.Flag("log.level", "set log level: trace, debug, info, warn, error (default info)").Default("info").Envar("LOG_LEVEL").String()

backend/handlers.go

@@ -17,7 +17,7 @@ func (oAdmin *OvpnAdmin) UserListHandler(w http.ResponseWriter, r *http.Request)
 		}
 		oAdmin.clients = oAdmin.usersList()
 	}
-	
+
 	usersList, _ := json.Marshal(oAdmin.clients)
 	fmt.Fprintf(w, "%s", usersList)
 }
@@ -74,7 +74,7 @@ func (oAdmin *OvpnAdmin) UserResetTFAHandler(w http.ResponseWriter, r *http.Requ
 		http.Error(w, err.Error(), http.StatusBadRequest)
 	} else {
 		w.WriteHeader(http.StatusOK)
-		fmt.Fprintf(w, "2FA reseted")
+		fmt.Fprintf(w, "TOTP reseted")
 	}
 }
 
@@ -150,7 +150,7 @@ func (oAdmin *OvpnAdmin) UserUnrevokeHandler(w http.ResponseWriter, r *http.Requ
 func (oAdmin *OvpnAdmin) UserChangePasswordHandler(w http.ResponseWriter, r *http.Request) {
 	log.Info(r.RemoteAddr, " ", r.RequestURI)
 	_ = r.ParseForm()
-	if *AuthByPassword {
+	if oAdmin.ExtraAuth {
 		err, msg := oAdmin.userChangePassword(r.FormValue("username"), r.FormValue("password"))
 		if err != nil {
 			w.WriteHeader(http.StatusInternalServerError)