Merge pull request #63 from theohbrothers/enhancement/bump-openvpn-2.…
…6-variants-to-2.6.7

Enhancement: Bump openvpn 2.6 variants to 2.6.7
leojonathanoh authored Dec 7, 2023
2 parents c0e8fbe + 234d0e8 commit b4f98cb
Showing 9 changed files with 700 additions and 24 deletions.
42 changes: 21 additions & 21 deletions .github/workflows/ci-master-pr.yml
Expand Up @@ -33,7 +33,7 @@ jobs:
run: |
git diff --exit-code
build-2-6-5:
build-2-6-7:
runs-on: ubuntu-latest
steps:
- name: Checkout
Expand Down Expand Up @@ -64,9 +64,9 @@ jobs:
uses: actions/cache@v3
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-2.6.5-${{ github.sha }}
key: ${{ runner.os }}-buildx-2.6.7-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-2.6.5-
${{ runner.os }}-buildx-2.6.7-
${{ runner.os }}-buildx-
- name: Login to Docker Hub registry
Expand All @@ -79,7 +79,7 @@ jobs:

# This step generates the docker tags
- name: Prepare
id: prep-2-6-5-alpine-3-18
id: prep-2-6-7-alpine-3-18
run: |
set -e
Expand All @@ -92,7 +92,7 @@ jobs:
# Generate docker image tags
# E.g. 'v0.0.0-<variant>' and 'v0.0.0-abc0123-<variant>'
# E.g. 'master-<variant>' and 'master-abc0123-<variant>'
VARIANT="2.6.5-alpine-3.18"
VARIANT="2.6.7-alpine-3.18"
REF_VARIANT="${REF}-${VARIANT}"
REF_SHA_VARIANT="${REF}-${SHA}-${VARIANT}"
Expand All @@ -102,45 +102,45 @@ jobs:
echo "REF_VARIANT=$REF_VARIANT" >> $GITHUB_OUTPUT
echo "REF_SHA_VARIANT=$REF_SHA_VARIANT" >> $GITHUB_OUTPUT
- name: 2.6.5-alpine-3.18 - Build (PRs)
- name: 2.6.7-alpine-3.18 - Build (PRs)
# Run only on pull requests
if: github.event_name == 'pull_request'
uses: docker/build-push-action@v3
with:
context: variants/2.6.5-alpine-3.18
context: variants/2.6.7-alpine-3.18
platforms: linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/s390x
push: false
tags: |
${{ github.repository }}:${{ steps.prep-2-6-5-alpine-3-18.outputs.REF_VARIANT }}
${{ github.repository }}:${{ steps.prep-2-6-5-alpine-3-18.outputs.REF_SHA_VARIANT }}
${{ github.repository }}:${{ steps.prep-2-6-7-alpine-3-18.outputs.REF_VARIANT }}
${{ github.repository }}:${{ steps.prep-2-6-7-alpine-3-18.outputs.REF_SHA_VARIANT }}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max

- name: 2.6.5-alpine-3.18 - Build and push (master)
- name: 2.6.7-alpine-3.18 - Build and push (master)
# Run only on master
if: github.ref == 'refs/heads/master'
uses: docker/build-push-action@v3
with:
context: variants/2.6.5-alpine-3.18
context: variants/2.6.7-alpine-3.18
platforms: linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/s390x
push: true
tags: |
${{ github.repository }}:${{ steps.prep-2-6-5-alpine-3-18.outputs.REF_VARIANT }}
${{ github.repository }}:${{ steps.prep-2-6-5-alpine-3-18.outputs.REF_SHA_VARIANT }}
${{ github.repository }}:${{ steps.prep-2-6-7-alpine-3-18.outputs.REF_VARIANT }}
${{ github.repository }}:${{ steps.prep-2-6-7-alpine-3-18.outputs.REF_SHA_VARIANT }}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max

- name: 2.6.5-alpine-3.18 - Build and push (release)
- name: 2.6.7-alpine-3.18 - Build and push (release)
if: startsWith(github.ref, 'refs/tags/')
uses: docker/build-push-action@v3
with:
context: variants/2.6.5-alpine-3.18
context: variants/2.6.7-alpine-3.18
platforms: linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/s390x
push: true
tags: |
${{ github.repository }}:${{ steps.prep-2-6-5-alpine-3-18.outputs.VARIANT }}
${{ github.repository }}:${{ steps.prep-2-6-5-alpine-3-18.outputs.REF_VARIANT }}
${{ github.repository }}:${{ steps.prep-2-6-5-alpine-3-18.outputs.REF_SHA_VARIANT }}
${{ github.repository }}:${{ steps.prep-2-6-7-alpine-3-18.outputs.VARIANT }}
${{ github.repository }}:${{ steps.prep-2-6-7-alpine-3-18.outputs.REF_VARIANT }}
${{ github.repository }}:${{ steps.prep-2-6-7-alpine-3-18.outputs.REF_SHA_VARIANT }}
${{ github.repository }}:latest
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
Expand Down Expand Up @@ -1204,7 +1204,7 @@ jobs:
update-draft-release:
needs:
- build-2-6-5
- build-2-6-7
- build-2-5-8
- build-2-4-12
- build-2-4-11
Expand All @@ -1224,7 +1224,7 @@ jobs:

publish-draft-release:
needs:
- build-2-6-5
- build-2-6-7
- build-2-5-8
- build-2-4-12
- build-2-4-11
Expand All @@ -1246,7 +1246,7 @@ jobs:

update-dockerhub-description:
needs:
- build-2-6-5
- build-2-6-7
- build-2-5-8
- build-2-4-12
- build-2-4-11
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -12,7 +12,7 @@ Dockerized `openvpn`.

| Tag | Dockerfile Build Context |
|:-------:|:---------:|
| `:2.6.5-alpine-3.18`, `:latest` | [View](variants/2.6.5-alpine-3.18) |
| `:2.6.7-alpine-3.18`, `:latest` | [View](variants/2.6.7-alpine-3.18) |
| `:2.5.8-alpine-3.17` | [View](variants/2.5.8-alpine-3.17) |
| `:2.4.12-alpine-3.12` | [View](variants/2.4.12-alpine-3.12) |
| `:2.4.11-alpine-3.11` | [View](variants/2.4.11-alpine-3.11) |
Expand All @@ -37,7 +37,7 @@ It is assumed that you have knowledge of configuring `openvpn`. If needed, refer
To run the image, at the least you should mount a `/etc/openvpn/server.conf`, which may be a unified openvpn profile (see INLINE FILE SUPPORT section in the [openvpn manual](https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage)).

```sh
docker run --rm -it --cap-add NET_ADMIN -v /path/to/server.conf:/etc/openvpn/server.conf theohbrothers/docker-openvpn:2.6.5-alpine-3.18
docker run --rm -it --cap-add NET_ADMIN -v /path/to/server.conf:/etc/openvpn/server.conf theohbrothers/docker-openvpn:2.6.7-alpine-3.18
```

## Environment variables
2 changes: 1 addition & 1 deletion generate/definitions/VARIANTS.ps1
Expand Up @@ -2,7 +2,7 @@
$local:VARIANTS_MATRIX = @(
@{
package = 'openvpn'
package_version = '2.6.5'
package_version = '2.6.7'
distro = 'alpine'
distro_version = '3.18'
subvariants = @(
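--- /dev/null
+++ b/variants/2.6.7-alpine-3.18/Dockerfile
@@ -0,0 +1,11 @@
+FROM alpine:3.18
+
+RUN set -eux; \
+apk add --no-cache openvpn~=2.6.7 iptables; \
+# Workaround openvpn --version exiting with non-zero exit code on openvpn <= 2.4.x
+openvpn --version | grep -A100 -B100 2.6.7
+
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+RUN chmod +x /docker-entrypoint.sh
+
+ENTRYPOINT ["/docker-entrypoint.sh"]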
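Review bot: The build-time sanity check on the last line of the RUN step, `openvpn --version | grep -A100 -B100 2.6.7`, matches the string 2.6.7 anywhere in the output (library versions, build dates), so it does not actually prove that the installed openvpn binary is 2.6.7, and the comment above it still describes the old `<= 2.4.x` exit-code workaround rather than what the line asserts. Anchoring on the version banner is tighter: `openvpn --version | grep -E '^OpenVPN 2\.6\.7'`, with the comment changed to `# Assert the installed openvpn is exactly the pinned version`. If this Dockerfile is emitted by the generator under generate/ (VARIANTS.ps1 suggests so), the change belongs in the template rather than in this file alone.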
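--- /dev/null
+++ b/variants/2.6.7-alpine-3.18/docker-compose.yml
@@ -0,0 +1,45 @@
+version: '2.1'
+services:
+openvpn-server:
+build:
+dockerfile: Dockerfile
+context: .
+environment:
+- OPENVPN_CONFIG_FILE=/etc/openvpn/server.conf
+- NAT_MASQUERADE=1
+# - CUSTOM_FIREWALL_SCRIPT=/etc/openvpn/firewall.sh
+volumes:
+- ./openvpn/server.conf:/etc/openvpn/server.conf
+# - ./openvpn/firewall.sh:/etc/openvpn/firewall.sh
+ports:
+- 1194:1194/udp
+cap_add:
+- NET_ADMIN
+# sysctls for the container if it is not set on the host. See: https://docs.docker.com/compose/compose-file/compose-file-v2/#sysctls
+sysctls:
+- net.ipv4.conf.all.forwarding=1
+# - net.ipv6.conf.all.disable_ipv6=0
+# - net.ipv6.conf.default.forwarding=1
+# - net.ipv6.conf.all.forwarding=1
+restart: unless-stopped
+
+openvpn-client:
+build:
+dockerfile: Dockerfile
+context: .
+environment:
+- OPENVPN_CONFIG_FILE=/etc/openvpn/client.conf
+- NAT_MASQUERADE=0
+# - CUSTOM_FIREWALL_SCRIPT=/etc/openvpn/firewall.sh
+volumes:
+- ./openvpn/client.conf:/etc/openvpn/client.conf
+# - ./openvpn/firewall.sh:/etc/openvpn/firewall.sh
+cap_add:
+- NET_ADMIN
+# sysctls for the container if it is not set on the host. See: https://docs.docker.com/compose/compose-file/compose-file-v2/#sysctls
+sysctls:
+- net.ipv4.conf.all.forwarding=1
+# - net.ipv6.conf.all.disable_ipv6=0
+# - net.ipv6.conf.default.forwarding=1
+# - net.ipv6.conf.all.forwarding=1
+restart: unless-stopped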
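--- /dev/null
+++ b/variants/2.6.7-alpine-3.18/docker-entrypoint.sh
@@ -0,0 +1,70 @@
+#!/bin/sh
+set -eu
+
+# Env vars
+OPENVPN_CONFIG_FILE=${OPENVPN_CONFIG_FILE:-/etc/openvpn/server.conf}
+OPENVPN_SERVER_CONFIG_FILE=${OPENVPN_SERVER_CONFIG_FILE:-} # Deprecated. For backward compatibility
+OPENVPN_ROUTES=${OPENVPN_ROUTES:-}
+NAT=${NAT:-1}
+NAT_INTERFACE=${NAT_INTERFACE:-eth0}
+NAT_MASQUERADE=${NAT_MASQUERADE:-1}
+CUSTOM_FIREWALL_SCRIPT=${CUSTOM_FIREWALL_SCRIPT:-/etc/openvpn/firewall.sh}
+
+# Normalization
+if [ -n "$OPENVPN_SERVER_CONFIG_FILE" ]; then
+echo "Warning: OPENVPN_SERVER_CONFIG_FILE is deprecated. Use OPENVPN_CONFIG_FILE instead."
+OPENVPN_CONFIG_FILE="$OPENVPN_SERVER_CONFIG_FILE"
+fi
+
+# If no args are passed, run the entrypoint. If a flag is passed, run openvpn directly. Else, run the passed command
+if [ "$#" -eq 0 ]; then
+# Provision
+echo "Provisioning tun device"
+mkdir -p /dev/net
+if [ ! -c /dev/net/tun ]; then
+mknod /dev/net/tun c 10 200
+fi
+if [ -f "$CUSTOM_FIREWALL_SCRIPT" ]; then
+echo "Executing custom firewall script: $CUSTOM_FIREWALL_SCRIPT"
+. "$CUSTOM_FIREWALL_SCRIPT"
+else
+echo "Not executing custom firewall script $CUSTOM_FIREWALL_SCRIPT because it does not exist"
+fi
+if [ "$NAT" = 1 ]; then
+echo "NAT is enabled"
+echo "Provisioning NAT iptables rules"
+echo "NAT_INTERFACE: $NAT_INTERFACE"
+if [ "$NAT_MASQUERADE" = 1 ]; then
+echo "NAT_MASQUERADE is enabled"
+iptables -t nat -C POSTROUTING -o "$NAT_INTERFACE" -j MASQUERADE > dev/null 2>&1 || iptables -t nat -A POSTROUTING -o "$NAT_INTERFACE" -j MASQUERADE
+if [ -n "$OPENVPN_ROUTES" ]; then
+echo "Provisioning NAT iptables rules for OPENVPN_ROUTES=$OPENVPN_ROUTES"
+for r in $OPENVPN_ROUTES; do
+iptables -t nat -C POSTROUTING -s "$r" -o "$NAT_INTERFACE" -j MASQUERADE > dev/null 2>&1 || iptables -t nat -A POSTROUTING -s "$r" -o "$NAT_INTERFACE" -j MASQUERADE
+done
+else
+echo "Not provisioning route iptables rules because OPENVPN_ROUTES is empty"
+fi
+else
+echo "Not provisioning NAT iptables rules because NAT_MASQUERADE is disabled."
+fi
+else
+echo "NAT is disabled."
+echo "Not adding NAT iptables rules"
+fi
+
+echo "Listing iptables rules:"
+iptables -L -nv
+echo "Listing iptables NAT rules:"
+iptables -L -nv -t nat
+
+# Generate the command line. openvpn man: https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/
+set openvpn --cd /etc/openvpn --config "$OPENVPN_CONFIG_FILE"
+echo "openvpn command line: $@"
+exec "$@"
+elif [ "$#" -gt 0 ] && [ "${1#-}" != "$1" ]; then
+echo "openvpn command line: $@"
+exec openvpn "$@"
+fi
+
+exec "$@"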
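Review bot: The redirect `> dev/null 2>&1` on both `iptables -t nat -C POSTROUTING ...` probes is a relative path: it only reaches the null device while the working directory is `/`, and under any other cwd (a compose `working_dir`, or a future WORKDIR in the Dockerfile) the redirection fails, the probe counts as failed, and the `||` branch appends a duplicate MASQUERADE rule on every restart instead of being idempotent. Both lines should read `> /dev/null 2>&1`. Separately, `. "$CUSTOM_FIREWALL_SCRIPT"` sources a file from a bind mount into this root shell, which is evidently intended but worth stating at the call site, e.g. `# Sourced into this root shell (NET_ADMIN); the mounted script is fully trusted`. If this script is generated from a template under generate/, apply the fix there as well so the other variants pick it up.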
