-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #63 from theohbrothers/enhancement/bump-openvpn-2.…
…6-variants-to-2.6.7 Enhancement: Bump openvpn 2.6 variants to 2.6.7
- Loading branch information
Showing
9 changed files
with
700 additions
and
24 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
FROM alpine:3.18 | ||
|
||
RUN set -eux; \ | ||
apk add --no-cache openvpn~=2.6.7 iptables; \ | ||
# Workaround openvpn --version exiting with non-zero exit code on openvpn <= 2.4.x | ||
openvpn --version | grep -A100 -B100 2.6.7 | ||
|
||
COPY docker-entrypoint.sh /docker-entrypoint.sh | ||
RUN chmod +x /docker-entrypoint.sh | ||
|
||
ENTRYPOINT ["/docker-entrypoint.sh"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
version: '2.1' | ||
services: | ||
openvpn-server: | ||
build: | ||
dockerfile: Dockerfile | ||
context: . | ||
environment: | ||
- OPENVPN_CONFIG_FILE=/etc/openvpn/server.conf | ||
- NAT_MASQUERADE=1 | ||
# - CUSTOM_FIREWALL_SCRIPT=/etc/openvpn/firewall.sh | ||
volumes: | ||
- ./openvpn/server.conf:/etc/openvpn/server.conf | ||
# - ./openvpn/firewall.sh:/etc/openvpn/firewall.sh | ||
ports: | ||
- 1194:1194/udp | ||
cap_add: | ||
- NET_ADMIN | ||
# sysctls for the container if it is not set on the host. See: https://docs.docker.com/compose/compose-file/compose-file-v2/#sysctls | ||
sysctls: | ||
- net.ipv4.conf.all.forwarding=1 | ||
# - net.ipv6.conf.all.disable_ipv6=0 | ||
# - net.ipv6.conf.default.forwarding=1 | ||
# - net.ipv6.conf.all.forwarding=1 | ||
restart: unless-stopped | ||
|
||
openvpn-client: | ||
build: | ||
dockerfile: Dockerfile | ||
context: . | ||
environment: | ||
- OPENVPN_CONFIG_FILE=/etc/openvpn/client.conf | ||
- NAT_MASQUERADE=0 | ||
# - CUSTOM_FIREWALL_SCRIPT=/etc/openvpn/firewall.sh | ||
volumes: | ||
- ./openvpn/client.conf:/etc/openvpn/client.conf | ||
# - ./openvpn/firewall.sh:/etc/openvpn/firewall.sh | ||
cap_add: | ||
- NET_ADMIN | ||
# sysctls for the container if it is not set on the host. See: https://docs.docker.com/compose/compose-file/compose-file-v2/#sysctls | ||
sysctls: | ||
- net.ipv4.conf.all.forwarding=1 | ||
# - net.ipv6.conf.all.disable_ipv6=0 | ||
# - net.ipv6.conf.default.forwarding=1 | ||
# - net.ipv6.conf.all.forwarding=1 | ||
restart: unless-stopped |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,70 @@ | ||
#!/bin/sh | ||
set -eu | ||
|
||
# Env vars | ||
OPENVPN_CONFIG_FILE=${OPENVPN_CONFIG_FILE:-/etc/openvpn/server.conf} | ||
OPENVPN_SERVER_CONFIG_FILE=${OPENVPN_SERVER_CONFIG_FILE:-} # Deprecated. For backward compatibility | ||
OPENVPN_ROUTES=${OPENVPN_ROUTES:-} | ||
NAT=${NAT:-1} | ||
NAT_INTERFACE=${NAT_INTERFACE:-eth0} | ||
NAT_MASQUERADE=${NAT_MASQUERADE:-1} | ||
CUSTOM_FIREWALL_SCRIPT=${CUSTOM_FIREWALL_SCRIPT:-/etc/openvpn/firewall.sh} | ||
|
||
# Normalization | ||
if [ -n "$OPENVPN_SERVER_CONFIG_FILE" ]; then | ||
echo "Warning: OPENVPN_SERVER_CONFIG_FILE is deprecated. Use OPENVPN_CONFIG_FILE instead." | ||
OPENVPN_CONFIG_FILE="$OPENVPN_SERVER_CONFIG_FILE" | ||
fi | ||
|
||
# If no args are passed, run the entrypoint. If a flag is passed, run openvpn directly. Else, run the passed command | ||
if [ "$#" -eq 0 ]; then | ||
# Provision | ||
echo "Provisioning tun device" | ||
mkdir -p /dev/net | ||
if [ ! -c /dev/net/tun ]; then | ||
mknod /dev/net/tun c 10 200 | ||
fi | ||
if [ -f "$CUSTOM_FIREWALL_SCRIPT" ]; then | ||
echo "Executing custom firewall script: $CUSTOM_FIREWALL_SCRIPT" | ||
. "$CUSTOM_FIREWALL_SCRIPT" | ||
else | ||
echo "Not executing custom firewall script $CUSTOM_FIREWALL_SCRIPT because it does not exist" | ||
fi | ||
if [ "$NAT" = 1 ]; then | ||
echo "NAT is enabled" | ||
echo "Provisioning NAT iptables rules" | ||
echo "NAT_INTERFACE: $NAT_INTERFACE" | ||
if [ "$NAT_MASQUERADE" = 1 ]; then | ||
echo "NAT_MASQUERADE is enabled" | ||
iptables -t nat -C POSTROUTING -o "$NAT_INTERFACE" -j MASQUERADE > dev/null 2>&1 || iptables -t nat -A POSTROUTING -o "$NAT_INTERFACE" -j MASQUERADE | ||
if [ -n "$OPENVPN_ROUTES" ]; then | ||
echo "Provisioning NAT iptables rules for OPENVPN_ROUTES=$OPENVPN_ROUTES" | ||
for r in $OPENVPN_ROUTES; do | ||
iptables -t nat -C POSTROUTING -s "$r" -o "$NAT_INTERFACE" -j MASQUERADE > dev/null 2>&1 || iptables -t nat -A POSTROUTING -s "$r" -o "$NAT_INTERFACE" -j MASQUERADE | ||
done | ||
else | ||
echo "Not provisioning route iptables rules because OPENVPN_ROUTES is empty" | ||
fi | ||
else | ||
echo "Not provisioning NAT iptables rules because NAT_MASQUERADE is disabled." | ||
fi | ||
else | ||
echo "NAT is disabled." | ||
echo "Not adding NAT iptables rules" | ||
fi | ||
|
||
echo "Listing iptables rules:" | ||
iptables -L -nv | ||
echo "Listing iptables NAT rules:" | ||
iptables -L -nv -t nat | ||
|
||
# Generate the command line. openvpn man: https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/ | ||
set openvpn --cd /etc/openvpn --config "$OPENVPN_CONFIG_FILE" | ||
echo "openvpn command line: $@" | ||
exec "$@" | ||
elif [ "$#" -gt 0 ] && [ "${1#-}" != "$1" ]; then | ||
echo "openvpn command line: $@" | ||
exec openvpn "$@" | ||
fi | ||
|
||
exec "$@" |
Oops, something went wrong.