admin/gluetun
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added Cloudflare 1.1.1.1 DNS over TLS

Browse Source
This commit is contained in:
Quentin McGaw
2018-04-13 15:35:31 -04:00
parent 712b10dbf9
commit 3bd804843c
6 changed files with 94 additions and 74 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.dockerignore
View File

@@ -1,6 +1,6 @@
.git/
.git
.travis.yml
readme/
readme
tun.sh
docker-compose.yml
README.md

27
Dockerfile
View File

@@ -1,18 +1,19 @@
FROM alpine:3.7
LABEL maintainer="quentin.mcgaw@gmail.com" \
description="VPN client container to private internet access servers based on Alpine Linux and OpenVPN" \
download="3.3MB" \
size="8MB" \
ram="4.3MB" \
description="VPN client to private internet access servers using OpenVPN, Alpine and Cloudflare 1.1.1.1 DNS over TLS" \
download="?MB" \
size="12.9MB" \
ram="?MB" \
cpu_usage="Very low" \
github="https://github.com/qdm12/private-internet-access-docker"
COPY script.sh .
RUN chmod +x script.sh && \
apk add -q --progress --no-cache --update openvpn && \
apk add -q --progress --no-cache --update --virtual build-dependencies wget unzip && \
wget https://www.privateinternetaccess.com/openvpn/openvpn.zip && \
unzip openvpn.zip && \
rm openvpn.zip && \
RUN apk add -q --progress --no-cache --update openvpn unbound && \
apk add -q --progress --no-cache --update --virtual build-dependencies ca-certificates wget unzip && \
wget -q https://www.privateinternetaccess.com/openvpn/openvpn.zip && \
unzip -q openvpn.zip && \
apk del -q --progress --purge build-dependencies && \
rm -rf /var/cache/apk/*
ENTRYPOINT /script.sh
rm -rf /var/cache/apk/* /etc/unbound/unbound.conf /openvpn.zip
COPY unbound.conf /etc/unbound/unbound.conf
ENTRYPOINT echo "nameserver 127.0.0.1" > /etc/resolv.conf && \
echo "options ndots:0" >> /etc/resolv.conf && \
unbound && \
openvpn --config "$REGION".ovpn --auth-user-pass auth.conf

109
README.md
View File

@@ -1,6 +1,6 @@
# Private Internet Access Docker (OpenVPN, Alpine)
Docker VPN client to private internet access servers based on [Alpine Linux](https://alpinelinux.org/) and [OpenVPN](https://openvpn.net/)
Docker VPN client to private internet access servers based on [Alpine Linux](https://alpinelinux.org/) using [OpenVPN](https://openvpn.net/) and Unbound to connect to [Cloudflare DNS 1.1.1.1 over TLS](https://developers.cloudflare.com/1.1.1.1/dns-over-tls)
[![PIA Docker OpenVPN](https://github.com/qdm12/private-internet-access-docker/raw/master/readme/title.png)](https://hub.docker.com/r/qmcgaw/private-internet-access/)
@@ -11,13 +11,22 @@ Docker VPN client to private internet access servers based on [Alpine Linux](htt
| Download size | Image size | RAM usage | CPU usage |
| --- | --- | --- | --- |
| 3.3MB | 8.02MB | 4.3MB | Very low |
| ?MB | 12.9MB | ?MB | Very low |
It requires:
- A Private Internet Access **username** and **password** - [Sign up](https://www.privateinternetaccess.com/pages/buy-vpn/)
- [Docker](https://docs.docker.com/install/) installed on the host
The PIA configuration files are downloaded from [the PIA website](https://www.privateinternetaccess.com/openvpn/openvpn.zip) when the Docker image gets built.
The PIA *.ovpn* configuration files are downloaded from
[the PIA website](https://www.privateinternetaccess.com/openvpn/openvpn.zip)
when the Docker image is built.
Cloudflare **DNS 1.1.1.1 over TLS** is used to connect to any PIA server for multiple reasons:
- Man-in-the-middle (ISP, hacker, government) can't block you from resolving the PIA server domain name.
*For example, `austria.privateinternetaccess.com` maps to `185.216.34.229`*
- Man-in-the-middle (ISP, hacker, government) can't see to which server you connect nor when.
*As the domain name are sent to 1.1.1.1 over TLS, there is no way to examine what domains you are asking to be resolved*
- Lower latency than other DNS such as Google DNS, Open DNS or your ISP DNS.
## Installation & Testing
@@ -28,6 +37,12 @@ The PIA configuration files are downloaded from [the PIA website](https://www.pr
sudo chmod +x tun.sh
./tun.sh
```
1. Create a network to be used by this container and other containers connecting to it with:
```bash
docker network create pianet
```
1. Create a file *auth.conf* in `/yourhostpath` (for example), with:
- On the first line: your PIA username (i.e. `js89ds7`)
@@ -35,40 +50,24 @@ The PIA configuration files are downloaded from [the PIA website](https://www.pr
### Using Docker only
1. Test the container by connecting another container to it
1. Run the container interactively with (and change `/yourhostpath/auth.conf`):
Run the container with (change `/yourhostpath` to your actual path, and optionally `Germany`):
```bash
docker run --rm --name=piaTEST --cap-add=NET_ADMIN \
--device=/dev/net/tun --dns 209.222.18.222 --dns 209.222.18.218 \
-e 'REGION=Germany' -v '/yourhostpath/auth.conf:/pia/auth.conf:ro' \
qmcgaw/private-internet-access
```
```bash
docker run -d --restart=always --name=pia --cap-add=NET_ADMIN \
--device=/dev/net/tun --network=pianet \
-e REGION=Germany -v /yourhostpath/auth.conf:/auth.conf:ro \
qmcgaw/private-internet-access
```
Wait about 5 seconds for it to connect to the PIA server.
1. Check your host IP address with:
Wait about 5 seconds for it to connect to the PIA server.
You can check with:
```bash
curl -s ifconfig.co
```
```bash
docker logs pia
```
1. Run the **curl** Docker container using your *piaTEST* container with:
You should now check it works following the [Testing section](#testing)
```bash
docker run --rm --net=container:piaTEST tutum/curl curl -s ifconfig.co
```
If the displayed IP address appears and is different that your host IP address, your PIA OpenVPN client works !
1. Run the container as a daemon in the background with (and change the `/yourhostpath/auth.conf`):
```bash
docker run -d --restart=always --name=pia --cap-add=NET_ADMIN \
--device=/dev/net/tun --dns 209.222.18.222 --dns 209.222.18.218 \
-e 'REGION=Germany' -v '/yourhostpath/auth.conf:/pia/auth.conf' \
qmcgaw/private-internet-access
```
### Using Docker Compose
1. Download [**docker-compose.yml**](https://github.com/qdm12/private-internet-access-docker/blob/master/docker-compose.yml)
@@ -80,6 +79,16 @@ The PIA configuration files are downloaded from [the PIA website](https://www.pr
```
Wait about 5 seconds for it to connect to the PIA server.
You can check with:
```bash
docker logs pia
```
1. You should now check it works following the [Testing section](#testing)
## Testing
1. Check your host IP address with:
```bash
@@ -89,30 +98,32 @@ The PIA configuration files are downloaded from [the PIA website](https://www.pr
1. Run the **curl** Docker container using your *pia* container with:
```bash
docker run --rm --net=container:pia tutum/curl curl -s ifconfig.co
docker run --rm --network=container:pia tutum/curl curl -s ifconfig.co
```
If the displayed IP address appears and is different that your host IP address, your PIA OpenVPN client works !
## Connect other containers to it
Connect other Docker containers to the VPN connection by adding `--net=container:pia` when launching them.
If the displayed IP address appears and is different that your host IP address,
the PIA client should fully work !
## Container launch parameters
- You can change the `--name=` parameter to anything you like
- You can change the `REGION=` parameter to one of the [regions supported by private internet access](https://www.privateinternetaccess.com/pages/network/)
- You must adapt the `/yourhostpath/auth.conf` path to your host path where you created `auth.conf`
- You can change the `REGION` environment variable to one of the [regions supported by private internet access](https://www.privateinternetaccess.com/pages/network/)
- If you know what you're doing, you can change the container name (`pia`),
the hostname (`piaclient`) and the network name (`pianet`)
## Connect other containers to it
Connect other Docker containers to the PIA VPN connection by adding
`--network=container:pia` when launching them.
## Access ports of containers connected to the VPN container
You have to use another container acting as a Reverse Proxy such as Nginx.
**Example**:
- *Deluge* container with name **deluge** connected to the `pia` container with `--network=container:pia`
- Deluge's WebUI runs on port TCP 8112
1. I have a *Deluge* container connected to the PIA container with `--net=container:pia` and its WebUI runs on port 8112.
2. I create the following Nginx configuration file *nginx.conf*:
1. Create the Nginx configuration file *nginx.conf*:
```
user nginx;
@@ -142,12 +153,14 @@ You have to use another container acting as a Reverse Proxy such as Nginx.
}
```
3. I run the Alpine [Nginx container](https://hub.docker.com/_/nginx/) with:
1. Run the Alpine [Nginx container](https://hub.docker.com/_/nginx) with:
```bash
sudo docker -d --restart=always --name=proxypia -p 8000:80 --link pia:deluge \
docker -d --restart=always --name=proxypia -p 8000:80 \
--network=pianet --link pia:deluge \
-v /mypathto/nginx.conf:/etc/nginx/nginx.conf:ro nginx:alpine
```
4. Now I can access the WebUI of Deluge at `localhost:8000`
5. You can add more `--link pia:xxx` for more containers and you have to modify *nginx.conf*
1. Access the WebUI of Deluge at [localhost:8000](http://localhost:8000)
For more containers, add more `--link pia:xxx` and modify *nginx.conf* accordingly

5
docker-compose.yml
View File

@@ -7,9 +7,8 @@ services:
- NET_ADMIN
devices:
- /dev/net/tun
dns:
- 209.222.18.222
- 209.222.18.218
networks:
- pianet
volumes:
- /yourpath/auth.conf:/auth.conf:ro
environment:

8
script.sh
View File

@@ -1,8 +0,0 @@
#!/bin/sh
set -e
if [ ! -f "/auth.conf" ]]; then
echo "File auth.conf was not found, aborting !"
exit 1
fi
openvpn --config "$REGION".ovpn --auth-user-pass auth.conf

15
unbound.conf Normal file
View File

@@ -0,0 +1,15 @@
server:
verbosity: 0
use-syslog: no
qname-minimisation: yes
do-tcp: yes
prefetch: yes
rrset-roundrobin: yes
use-caps-for-id: yes
do-ip4: yes
do-ip6: no
forward-zone:
name: "."
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853
forward-ssl-upstream: yes