From 55492015cbb62d47d1f97e6067e64f09cd234f18 Mon Sep 17 00:00:00 2001
From: Gauthier Delacroix
Date: Mon, 15 Jul 2019 22:02:40 +0200
Subject: [PATCH] Fix/improve port forwarding handling

---
 Dockerfile | 3 ++-
 README.md | 7 ++++++-
 entrypoint.sh | 10 ++++++++--
 portforward.sh | 15 ++++++++++-----
 4 files changed, 26 insertions(+), 9 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 77c4388e..113020e2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -30,6 +30,7 @@ ENV USER= \
 BLOCK_NSA=off \
 UNBLOCK= \
 EXTRA_SUBNETS= \
+ PORT_FORWARDING=false \
 PROXY=on \
 PROXY_LOG_LEVEL=Critical \
 PROXY_PORT=8888 \
@@ -38,7 +39,7 @@ ENV USER= \
 ENTRYPOINT /entrypoint.sh
 EXPOSE 8888
 HEALTHCHECK --interval=3m --timeout=3s --start-period=20s --retries=1 CMD /healthcheck.sh
-RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip tinyproxy && \
+RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip tinyproxy jq && \
 wget -q https://www.privateinternetaccess.com/openvpn/openvpn.zip \
 https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip \
 https://www.privateinternetaccess.com/openvpn/openvpn-tcp.zip \
diff --git a/README.md b/README.md
index 9a779286..77b7dcbb 100644
--- a/README.md
+++ b/README.md
@@ -154,6 +154,7 @@ docker run --rm --network=container:pia alpine:3.10 wget -qO- https://ipinfo.io
 | `BLOCK_NSA` | `off` | `on` or `off`, blocks NSA hostnames |
 | `UNBLOCK` | | comma separated string (i.e. `web.com,web2.ca`) to unblock hostnames |
 | `EXTRA_SUBNETS` | | comma separated subnets allowed in the container firewall (i.e. `192.168.1.0/24,192.168.10.121,10.0.0.5/28`) |
+| `PORT_FORWARDING` | | Set to `true` to read the forwarded port |
 | `PROXY` | `on` | `on` or `off`, to switch the internal HTTP proxy |
 | `PROXY_LOG_LEVEL` | `Critical` | `Info`, `Warning`, `Error` or `Critical` |
 | `PROXY_PORT` | `8888` | `1024` to `65535` internal port for HTTP proxy |
@@ -236,7 +237,11 @@ There are various ways to achieve this, depending on your use case.
 
 ## Port forwarding
 
-On a running PIA container, say `pia`, simply run:
+By setting `PORT_FORWARDING` environment variable to `true`, the forwarded port will be read and written to `/forwarded_port`.
+
+You can mount this file as a volume to read it from other containers.
+
+On a running PIA container, say `pia`, you can also run the script manually:
 
 ```sh
 docker exec -it pia /portforward.sh
diff --git a/entrypoint.sh b/entrypoint.sh
index 42f9a9dd..a5e5db88 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -266,8 +266,6 @@ fi
 # Note: TUN device re-opening will restart the container due to permissions
 printf "DONE\n"
 
-
-
 ############################################
 # NETWORKING
 ############################################
@@ -395,6 +393,14 @@ if [ "$PROXY" == "on" ]; then
 printf "DONE\n"
 fi
 
+############################################
+# READ FORWARDED PORT
+############################################
+
+if [ "$PORT_FORWARDING" == "true" ]; then
+ sleep 10 && /portforward.sh &
+fi
+
 ############################################
 # OPENVPN LAUNCH
 ############################################
diff --git a/portforward.sh b/portforward.sh
index d18cd8e8..5d4beec2 100644
--- a/portforward.sh
+++ b/portforward.sh
@@ -11,6 +11,7 @@ exitOnError(){
 fi
 }
 
+printf "[INFO] Reading forwarded port\n"
 client_id=`head -n 100 /dev/urandom | sha256sum | tr -d " -"`
 exitOnError $?
 json=`wget -qO- "http://209.222.18.222:2000/?client_id=$client_id" 2>/dev/null`
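Review bot: The `sleep 10 && /portforward.sh &` line in the new READ FORWARDED PORT section fires on a fixed clock while the OPENVPN LAUNCH section that follows it is still bringing the tunnel up, so whenever the tunnel takes longer than ten seconds the request portforward.sh makes to the PIA endpoint fails and `/forwarded_port` is never written. Because the job is backgrounded, that failure is also invisible to the entrypoint; nothing checks the job's status. A bounded poll inside portforward.sh for the target device it already derives from `config.ovpn` would tie the timing to the tunnel rather than to a guess. At minimum, surface the exit status of the background job: `( sleep 10; /portforward.sh || printf "[WARN] portforward.sh exited with status %s\n" "$?" >&2 ) &`. The `[ "$PORT_FORWARDING" == "true" ]` test uses bash's `==` inside `[`, consistent with the existing `[ "$PROXY" == "on" ]` context line, so it is fine as long as the entrypoint keeps running under bash.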
@@ -19,16 +20,20 @@ if [ "$json" == "" ]; then
 printf "Port forwarding is already activated on this connection, has expired, or you are not connected to a PIA region that supports port forwarding\n"
 exit 1
 fi
-port=`echo $json | grep -Eo [0-9]{3,5}`
+port=`echo $json | jq .port`
+port_file="/forwarded_port"
+echo "$port" > $port_file
+printf " * Written forwarded port to $port_file\n"
 ip=`wget -qO- https://diagnostic.opendns.com/myip`
 exitOnError $?
-printf "Forwarded port for IP $ip is: $port\n"
-printf "Detecting target VPN interface..."
+printf " * Forwarded port for IP $ip is: $port\n"
+printf " * Detecting target VPN interface..."
 TARGET_PATH="/openvpn/target"
 vpn_device=$(cat $TARGET_PATH/config.ovpn | grep 'dev ' | cut -d" " -f 2)0
 exitOnError $?
 printf "$vpn_device\n"
-printf "Accepting input traffic through $vpn_device to port $port..."
-iptables -A INPUT -i $vpn_device --dport $PORT -j ACCEPT
+printf " * Accepting input traffic through $vpn_device to port $port..."
+iptables -A INPUT -i $vpn_device -p tcp --dport $port -j ACCEPT
+iptables -A INPUT -i $vpn_device -p udp --dport $port -j ACCEPT
 exitOnError $?
 printf "DONE\n"
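Review bot: The new `port=\`echo $json | jq .port\`` line has no `exitOnError` after it and no check on the value before it is written to `/forwarded_port` and expanded unquoted into two iptables rules; the JSON comes back over plain HTTP from the endpoint above, so a missing key (`jq` prints `null`), a quoted string, or a malformed body produces a `--dport` argument that is not a port number. Validate that the value is purely numeric and within port range before it reaches the file or the firewall. The status checked by the single `exitOnError $?` after the two new iptables lines is only the UDP rule's, so a failed TCP rule is silently skipped; each rule needs its own check. The rewritten lines below replace the port extraction and the two rules; the IP lookup and interface detection between them are unchanged.
```sh
port=$(printf '%s' "$json" | jq -r '.port')
exitOnError $?
# Refuse anything that is not a plain port number before it reaches the file and iptables
case "$port" in
  ''|*[!0-9]*) printf "[ERROR] Unexpected port value in API response: %s\n" "$port" >&2; exit 1 ;;
esac
if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
  printf "[ERROR] Port %s is out of range\n" "$port" >&2
  exit 1
fi
port_file="/forwarded_port"
echo "$port" > "$port_file"
printf " * Written forwarded port to $port_file\n"
# … unchanged: IP lookup, interface detection …
printf " * Accepting input traffic through $vpn_device to port $port..."
iptables -A INPUT -i "$vpn_device" -p tcp --dport "$port" -j ACCEPT
exitOnError $?
iptables -A INPUT -i "$vpn_device" -p udp --dport "$port" -j ACCEPT
exitOnError $?
```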