admin/gluetun
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Runs OpenVPN as root by default, fixes #19

Browse Source
This commit is contained in:
Quentin McGaw
2019-03-18 11:27:36 +01:00
parent 10483f81dc
commit 27802ba886
5 changed files with 19 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
Dockerfile
View File

@@ -13,7 +13,7 @@ LABEL org.label-schema.schema-version="1.0.0-rc1" \
org.label-schema.vcs-usage="https://github.com/qdm12/private-internet-access-docker/blob/master/README.md#setup" \ org.label-schema.vcs-usage="https://github.com/qdm12/private-internet-access-docker/blob/master/README.md#setup" \
org.label-schema.docker.cmd="docker run -d --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \ org.label-schema.docker.cmd="docker run -d --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
org.label-schema.docker.cmd.devel="docker run -it --rm --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \ org.label-schema.docker.cmd.devel="docker run -it --rm --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
org.label-schema.docker.params="REGION=PIA region,PROTOCOL=udp/tcp,ENCRYPTION=strong/normal,BLOCK_MALICIOUS=on/off,USER=PIA user,PASSWORD=PIA password,EXTRA_SUBNETS=extra subnets to allow on the firewall" \ org.label-schema.docker.params="REGION=PIA region,PROTOCOL=udp/tcp,ENCRYPTION=strong/normal,BLOCK_MALICIOUS=on/off,USER=PIA user,PASSWORD=PIA password,EXTRA_SUBNETS=extra subnets to allow on the firewall,NONROOT=yes/no" \
org.label-schema.version="" \ org.label-schema.version="" \
image-size="17.1MB" \ image-size="17.1MB" \
ram-usage="13MB to 80MB" \ ram-usage="13MB to 80MB" \
@@ -24,7 +24,8 @@ ENV USER= \
PROTOCOL=udp \ PROTOCOL=udp \
REGION="CA Montreal" \ REGION="CA Montreal" \
BLOCK_MALICIOUS=off \ BLOCK_MALICIOUS=off \
EXTRA_SUBNETS= EXTRA_SUBNETS= \
NONROOT=
ENTRYPOINT /entrypoint.sh ENTRYPOINT /entrypoint.sh
HEALTHCHECK --interval=3m --timeout=3s --start-period=20s --retries=1 CMD /healthcheck.sh HEALTHCHECK --interval=3m --timeout=3s --start-period=20s --retries=1 CMD /healthcheck.sh
RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip && \ RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip && \

7
Dockerfile.arm32v6
View File

@@ -1,4 +1,4 @@
ARG ALPINE_VERSION=3.8 ARG ALPINE_VERSION=3.9
FROM arm32v6/alpine:${ALPINE_VERSION} FROM arm32v6/alpine:${ALPINE_VERSION}
ARG BUILD_DATE ARG BUILD_DATE
@@ -13,7 +13,7 @@ LABEL org.label-schema.schema-version="1.0.0-rc1" \
org.label-schema.vcs-usage="https://github.com/qdm12/private-internet-access-docker/blob/master/README.md#setup" \ org.label-schema.vcs-usage="https://github.com/qdm12/private-internet-access-docker/blob/master/README.md#setup" \
org.label-schema.docker.cmd="docker run -d --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \ org.label-schema.docker.cmd="docker run -d --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
org.label-schema.docker.cmd.devel="docker run -it --rm --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \ org.label-schema.docker.cmd.devel="docker run -it --rm --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
org.label-schema.docker.params="REGION=PIA region,PROTOCOL=udp/tcp,ENCRYPTION=strong/normal,BLOCK_MALICIOUS=on/off,USER=PIA user,PASSWORD=PIA password,EXTRA_SUBNETS=extra subnets to allow on the firewall" \ org.label-schema.docker.params="REGION=PIA region,PROTOCOL=udp/tcp,ENCRYPTION=strong/normal,BLOCK_MALICIOUS=on/off,USER=PIA user,PASSWORD=PIA password,EXTRA_SUBNETS=extra subnets to allow on the firewall,NONROOT=yes/no" \
org.label-schema.version="" \ org.label-schema.version="" \
image-size="15.6MB" \ image-size="15.6MB" \
ram-usage="13MB to 80MB" \ ram-usage="13MB to 80MB" \
@@ -24,7 +24,8 @@ ENV USER= \
PROTOCOL=udp \ PROTOCOL=udp \
REGION="CA Montreal" \ REGION="CA Montreal" \
BLOCK_MALICIOUS=off \ BLOCK_MALICIOUS=off \
EXTRA_SUBNETS= EXTRA_SUBNETS= \
NONROOT=
ENTRYPOINT /entrypoint.sh ENTRYPOINT /entrypoint.sh
HEALTHCHECK --interval=3m --timeout=3s --start-period=20s --retries=1 CMD /healthcheck.sh HEALTHCHECK --interval=3m --timeout=3s --start-period=20s --retries=1 CMD /healthcheck.sh
RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip && \ RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip && \

7
Dockerfile.arm64v8
View File

@@ -1,4 +1,4 @@
ARG ALPINE_VERSION=3.8 ARG ALPINE_VERSION=3.9
FROM arm64v8/alpine:${ALPINE_VERSION} FROM arm64v8/alpine:${ALPINE_VERSION}
ARG BUILD_DATE ARG BUILD_DATE
@@ -13,7 +13,7 @@ LABEL org.label-schema.schema-version="1.0.0-rc1" \
org.label-schema.vcs-usage="https://github.com/qdm12/private-internet-access-docker/blob/master/README.md#setup" \ org.label-schema.vcs-usage="https://github.com/qdm12/private-internet-access-docker/blob/master/README.md#setup" \
org.label-schema.docker.cmd="docker run -d --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \ org.label-schema.docker.cmd="docker run -d --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
org.label-schema.docker.cmd.devel="docker run -it --rm --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \ org.label-schema.docker.cmd.devel="docker run -it --rm --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
org.label-schema.docker.params="REGION=PIA region,PROTOCOL=udp/tcp,ENCRYPTION=strong/normal,BLOCK_MALICIOUS=on/off,USER=PIA user,PASSWORD=PIA password,EXTRA_SUBNETS=extra subnets to allow on the firewall" \ org.label-schema.docker.params="REGION=PIA region,PROTOCOL=udp/tcp,ENCRYPTION=strong/normal,BLOCK_MALICIOUS=on/off,USER=PIA user,PASSWORD=PIA password,EXTRA_SUBNETS=extra subnets to allow on the firewall,NONROOT=yes/no" \
org.label-schema.version="" \ org.label-schema.version="" \
image-size="16.7MB" \ image-size="16.7MB" \
ram-usage="13MB to 80MB" \ ram-usage="13MB to 80MB" \
@@ -24,7 +24,8 @@ ENV USER= \
PROTOCOL=udp \ PROTOCOL=udp \
REGION="CA Montreal" \ REGION="CA Montreal" \
BLOCK_MALICIOUS=off \ BLOCK_MALICIOUS=off \
EXTRA_SUBNETS= EXTRA_SUBNETS= \
NONROOT=
ENTRYPOINT /entrypoint.sh ENTRYPOINT /entrypoint.sh
HEALTHCHECK --interval=3m --timeout=3s --start-period=20s --retries=1 CMD /healthcheck.sh HEALTHCHECK --interval=3m --timeout=3s --start-period=20s --retries=1 CMD /healthcheck.sh
RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip && \ RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip && \

3
README.md
View File

@@ -52,6 +52,7 @@
- Username and password - Username and password
- Malicious DNS blocking - Malicious DNS blocking
- Extra subnets allowed by firewall - Extra subnets allowed by firewall
- Run openvpn without root (but will give reconnect problems)
- Connect other containers to it - Connect other containers to it
- The *iptables* firewall allows traffic only with needed PIA servers (IP addresses, port, protocol) combination - The *iptables* firewall allows traffic only with needed PIA servers (IP addresses, port, protocol) combination
- OpenVPN restarts on failure using another PIA IP address for the same region - OpenVPN restarts on failure using another PIA IP address for the same region
@@ -136,6 +137,7 @@ You can simply use the Docker healthcheck. The container will mark itself as **u
| `BLOCK_MALICIOUS` | `off` | `on` or `off` | | `BLOCK_MALICIOUS` | `off` | `on` or `off` |
| `USER` | | Your PIA username | | `USER` | | Your PIA username |
| `PASSWORD` | | Your PIA password | | `PASSWORD` | | Your PIA password |
| `NONROOT` | | Run OpenVPN without root, `yes` or other |
| `EXTRA_SUBNETS` | | Comma separated subnets allowed in the container firewall | | `EXTRA_SUBNETS` | | Comma separated subnets allowed in the container firewall |
`EXTRA_SUBNETS` can be in example: `192.168.1.0/24,192.168.10.121,10.0.0.5/28` `EXTRA_SUBNETS` can be in example: `192.168.1.0/24,192.168.10.121,10.0.0.5/28`
@@ -220,6 +222,7 @@ services:
- ENCRYPTION=strong - ENCRYPTION=strong
- REGION=CA Montreal - REGION=CA Montreal
- EXTRA_SUBNETS= - EXTRA_SUBNETS=
- NONROOT=
restart: always restart: always
nginx: nginx:
image: nginx:alpine image: nginx:alpine

8
entrypoint.sh
View File

@@ -179,9 +179,11 @@ exitOnError $? "Cannot add 'auth-retry nointeract' to $TARGET_PATH/config.ovpn"
# Prevents auth_failed infinite loops - make it interact? Remove persist-tun? nobind? # Prevents auth_failed infinite loops - make it interact? Remove persist-tun? nobind?
echo "pull-filter ignore \"auth-token\"" >> "$TARGET_PATH/config.ovpn" echo "pull-filter ignore \"auth-token\"" >> "$TARGET_PATH/config.ovpn"
exitOnError $? "Cannot add 'pull-filter ignore \"auth-token\"' to $TARGET_PATH/config.ovpn" exitOnError $? "Cannot add 'pull-filter ignore \"auth-token\"' to $TARGET_PATH/config.ovpn"
# Runs openvpn without root, as nonrootuser # Runs openvpn without root, as nonrootuser if specified
echo "user nonrootuser" >> "$TARGET_PATH/config.ovpn" if [ "$NONROOT" = "yes" ]; then
exitOnError $? "Cannot add 'user nonrootuser' to $TARGET_PATH/config.ovpn" echo "user nonrootuser" >> "$TARGET_PATH/config.ovpn"
exitOnError $? "Cannot add 'user nonrootuser' to $TARGET_PATH/config.ovpn"
fi
# Note: TUN device re-opening will restart the container due to permissions # Note: TUN device re-opening will restart the container due to permissions
printf "DONE\n" printf "DONE\n"