Certman is a simple certificate manager web service for OpenVPN.
**For usage tips, please consult usage.md
There are prebuilt binary files for this application. They are statically linked and have no additional dependencies. Supported plattforms are:
- Windows (XP and up)
- Linux (2.6.16 and up)
- Linux ARM (for raspberry pi, 3.0 and up) Simply download them from the "artifacts" section of this project.
A prebuilt docker image (10MB) is available:
docker pull zombi/certman
You can easily build your own docker image from source
docker build -t zombi/certman .
Certman assumes the root certificates of the VPN CA are located in the same
directory as the binary, If that is not the case you need to copy over the
ca.crt
and ca.key
files before you are able to generate certificates
with this tool.
Additionally, the project is configured by the following environment variables:
OAUTH2_CLIENT_ID
the Client ID, assigned during client registrationOAUTH2_CLIENT_SECRET
the Client secret, assigned during client registrationOAUTH2_AUTH_URL
the URL to the "/authorize" endpoint of the identity providerOAUTH2_TOKEN_URL
the URL to the "/token" endpoint of the identity providerOAUTH2_REDIRECT_URL
the redirect URL used by the app, usually the hostname suffixed by "/login/oauth2/redirect"USER_ENDPOINT
the URL to the Identity provider user endpoint, for gitlab this is "/api/v4/user". The "username" attribute of the returned JSON will used for authentication.APP_LISTEN
port and ip to listen on, e.g.:8000
or127.0.0.1:3000
VPN_DEV
which device is used by the network, eithertun
ortap
(check server cfg)VPN_HOST
Hostname or IP address of the serverVPN_PORT
Port of the VPN serverVPN_PROTO
Protocol of the VPN server, eithertcp
orudp
There are some files that need to be mounted inside the container:
/ca.crt
the certificate of the server PKI/ca.key
the key of the server PKI, unencrypted/ta.key
shared HMAC secret of server and client/clients.json
the generated certificates for each client
There is an docker-compose.yml example
you can use as a base for your own docker-compose service.