feat: 支持更新证书

README.md

@@ -28,7 +28,7 @@ openvpn 安全与加密相关配置参考于[openvpn-install](https://github.com
 初始化生成证书及配置文件
 
 ```shell
-docker run -it --rm yyxx/openvpn --init
+docker run -v $(pwd)/data:/data --rm yyxx/openvpn --init
 ```
 
 运行 openvpn

build/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.19.1
+FROM alpine:3.20.1
 
 RUN apk add --no-cache easy-rsa openvpn iptables iptables-legacy bash supervisor
 RUN ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin

build/docker-entrypoint.sh

@@ -4,6 +4,8 @@ set -e
 init_env(){
     cat <<EOF > $OVPN_DATA/pki/vars
 EASYRSA_PKI=$OVPN_DATA/pki
+EASYRSA_CA_EXPIRE=3650
+EASYRSA_CERT_EXPIRE=3650
 EASYRSA_CRL_DAYS=3650
 EASYRSA_ALGO=ec
 EASYRSA_CURVE=prime256v1
@@ -174,6 +176,25 @@ update_config(){
     fi
 }
 
+renew_cert(){
+    source $OVPN_DATA/.vars
+    source $OVPN_DATA/pki/vars
+
+    cd $OVPN_DATA/pki
+    openssl x509 -in ca.crt -days $EASYRSA_CA_EXPIRE -out ca.crt -signkey private/ca.key
+    /usr/share/easy-rsa/easyrsa --batch renew $SERVER_NAME
+    /usr/share/easy-rsa/easyrsa --batch revoke-renewed $SERVER_NAME
+    /usr/share/easy-rsa/easyrsa gen-crl
+}
+
+auth(){
+    if [ "$1" = "true" ]; then
+        sed -i 's/^#auth-user-pass-verify/auth-user-pass-verify/' $OVPN_DATA/server.conf
+    else
+        sed -i 's/^auth-user-pass-verify/#&/' $OVPN_DATA/server.conf
+    fi
+}
+
 getsubnet(){
     ip=$(echo $1 | cut -d'/' -f1)
     prefix=$(echo $1 | cut -d'/' -f2)
@@ -260,6 +281,18 @@ case $1 in
         $(genclient $2 $3 "$4")
         exit 0
     ;;
+    "auth")
+        $(auth $2)
+
+        supervisorctl stop openvpn && sleep 1 && supervisorctl start openvpn
+        exit 0
+    ;;
+    "renewcert")
+        renew_cert
+
+        supervisorctl stop openvpn && sleep 1 && supervisorctl start openvpn
+        exit 0
+    ;;
     "/usr/sbin/openvpn")
         update_config
         run_server