Added choice of UDP/TCP and level of encryption. Reworked readme and Dockerfile

Dockerfile

@@ -2,18 +2,26 @@ FROM alpine:3.7
 LABEL maintainer="quentin.mcgaw@gmail.com" \
       description="VPN client to private internet access servers using OpenVPN, Alpine and Cloudflare 1.1.1.1 DNS over TLS" \
       download="5.4MB" \
-      size="12.9MB" \
+      size="13MB" \
       ram="11.89MB" \
       cpu_usage="Low to medium" \
       github="https://github.com/qdm12/private-internet-access-docker"
 RUN apk add -q --progress --no-cache --update openvpn unbound && \
-    apk add -q --progress --no-cache --update --virtual build-dependencies ca-certificates wget unzip && \
+    apk add -q --progress --no-cache --update --virtual=build-dependencies ca-certificates wget unzip && \
-    wget -q https://www.privateinternetaccess.com/openvpn/openvpn.zip && \
+    mkdir /openvpn-udp-normal /openvpn-udp-strong /openvpn-tcp-normal /openvpn-tcp-strong && \
-    unzip -q openvpn.zip && \
+    wget -q https://www.privateinternetaccess.com/openvpn/openvpn.zip \
+            https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip \
+            https://www.privateinternetaccess.com/openvpn/openvpn-tcp.zip \
+            https://www.privateinternetaccess.com/openvpn/openvpn-strong-tcp.zip && \
+    unzip -q openvpn.zip -d /openvpn-udp-normal && \
+    unzip -q openvpn-strong.zip -d /openvpn-udp-strong && \
+    unzip -q openvpn-tcp.zip -d /openvpn-tcp-normal && \
+    unzip -q openvpn-strong-tcp.zip -d /openvpn-tcp-strong && \
     apk del -q --progress --purge build-dependencies && \
-    rm -rf /var/cache/apk/* /etc/unbound/unbound.conf /openvpn.zip
+    rm -rf /*.zip /etc/unbound/unbound.conf /var/cache/apk/*
 COPY unbound.conf /etc/unbound/unbound.conf
-ENTRYPOINT echo "nameserver 127.0.0.1" > /etc/resolv.conf && \
+ENV ENCRYPTION=strong \
-           echo "options ndots:0" >> /etc/resolv.conf && \
+    PROTOCOL=tcp \
-           unbound && \
+    REGION=Switzerland
-           openvpn --config "$REGION".ovpn --auth-user-pass auth.conf
+COPY entrypoint.sh /
+ENTRYPOINT /entrypoint.sh

README.md

@@ -1,17 +1,33 @@
 # Private Internet Access Docker (OpenVPN, Alpine)
 
-Docker VPN client to private internet access servers based on [Alpine Linux](https://alpinelinux.org/) using [OpenVPN](https://openvpn.net/) and Unbound to connect to [Cloudflare DNS 1.1.1.1 over TLS](https://developers.cloudflare.com/1.1.1.1/dns-over-tls)
+Docker VPN client to private internet access servers using [OpenVPN](https://openvpn.net/) and [Cloudflare DNS 1.1.1.1 over TLS](https://developers.cloudflare.com/1.1.1.1/dns-over-tls)
+
+Optionally set the protocol (TCP, UDP) and the level of encryption using Docker environment variables.
 
 [![PIA Docker OpenVPN](https://github.com/qdm12/private-internet-access-docker/raw/master/readme/title.png)](https://hub.docker.com/r/qmcgaw/private-internet-access/)
 
 [![Build Status](https://travis-ci.org/qdm12/private-internet-access-docker.svg?branch=master)](https://travis-ci.org/qdm12/private-internet-access-docker)
+[![Docker Build Status](https://img.shields.io/docker/build/qmcgaw/private-internet-access.svg)](https://hub.docker.com/r/qmcgaw/private-internet-access)
+
+[![GitHub last commit](https://img.shields.io/github/last-commit/qdm12/private-internet-access-docker.svg)](https://github.com/qdm12/private-internet-access-docker/issues)
+[![GitHub commit activity](https://img.shields.io/github/commit-activity/y/qdm12/private-internet-access-docker.svg)](https://github.com/qdm12/private-internet-access-docker/issues)
+[![GitHub issues](https://img.shields.io/github/issues/qdm12/private-internet-access-docker.svg)](https://github.com/qdm12/private-internet-access-docker/issues)
+
+[![Docker Pulls](https://img.shields.io/docker/pulls/qmcgaw/private-internet-access.svg)](https://hub.docker.com/r/qmcgaw/private-internet-access)
+[![Docker Stars](https://img.shields.io/docker/stars/qmcgaw/private-internet-access.svg)](https://hub.docker.com/r/qmcgaw/private-internet-access)
+[![Docker Automated](https://img.shields.io/docker/automated/qmcgaw/private-internet-access.svg)](https://hub.docker.com/r/qmcgaw/private-internet-access)
 
 [![](https://images.microbadger.com/badges/image/qmcgaw/private-internet-access.svg)](https://microbadger.com/images/qmcgaw/private-internet-access)
 [![](https://images.microbadger.com/badges/version/qmcgaw/private-internet-access.svg)](https://microbadger.com/images/qmcgaw/private-internet-access)
 
 | Download size | Image size | RAM usage | CPU usage |
 | --- | --- | --- | --- |
-| 5.4MB | 12.9MB | 11.89MB | Low to Medium |
+| 5.4MB | 13MB | 11.89MB | Low to Medium |
+
+It is based on:
+- [Alpine 3.7](https://alpinelinux.org)
+- [OpenVPN 2.4.5-r1](https://pkgs.alpinelinux.org/package/edge/main/ppc64le/openvpn)
+- [Unbound 1.7.0-r2](https://pkgs.alpinelinux.org/package/edge/main/aarch64/unbound)
 
 It requires:
 - A Private Internet Access **username** and **password** - [Sign up](https://www.privateinternetaccess.com/pages/buy-vpn/)
@@ -19,18 +35,17 @@ It requires:
 
 The PIA *.ovpn* configuration files are downloaded from 
 [the PIA website](https://www.privateinternetaccess.com/openvpn/openvpn.zip) 
-when the Docker image is built.
+when the Docker image is built. You can build the image yourself if you are paranoid.
 
 Cloudflare **DNS 1.1.1.1 over TLS** is used to connect to any PIA server for multiple reasons:
 - Man-in-the-middle (ISP, hacker, government) can't block you from resolving the PIA server domain name. 
     *For example, `austria.privateinternetaccess.com` maps to `185.216.34.229`*
 - Man-in-the-middle (ISP, hacker, government) can't see to which server you connect nor when.
     *As the domain name are sent to 1.1.1.1 over TLS, there is no way to examine what domains you are asking to be resolved*
-- Lower latency than other DNS such as Google DNS, Open DNS or your ISP DNS.
 
-## Installation & Testing
+## Setup
 
-1. Run the [**tun.sh**](https://raw.githubusercontent.com/qdm12/private-internet-access-docker/master/tun.sh) script on your host machine to ensure you have the **tun** device setup
+1. Run the [**tun.sh**](https://raw.githubusercontent.com/qdm12/private-internet-access-docker/master/tun.sh) script on your host machine to ensure you have the `/dev/tun` device setup
 
     ```bash
     wget https://raw.githubusercontent.com/qdm12/private-internet-access-docker/master/tun.sh
@@ -50,42 +65,45 @@ Cloudflare **DNS 1.1.1.1 over TLS** is used to connect to any PIA server for mul
 
 ### Using Docker only
 
-Run the container with (change `/yourhostpath` to your actual path, and optionally `Germany`):
+1. Run the container with (at least change `/yourhostpath` to your actual path):
 
-```bash
+    ```bash
-docker run -d --restart=always --name=pia --cap-add=NET_ADMIN \
+    docker run -d --restart=always --name=pia --cap-add=NET_ADMIN \
---device=/dev/net/tun --network=pianet \
+    --device=/dev/net/tun --network=pianet \
--e REGION=Germany -v /yourhostpath/auth.conf:/auth.conf:ro \
+    -v /yourhostpath/auth.conf:/auth.conf:ro \
-qmcgaw/private-internet-access
+    -e REGION=Germany -e PROTOCOL=udp -e ENCRYPTION=normal \
-```
+    qmcgaw/private-internet-access
+    ```
 
-Wait about 5 seconds for it to connect to the PIA server.
+    Note that you can change `REGION`, `PROTOCOL` and `ENCRYPTION`. 
-You can check with:
+    See the [Environment variables section](#environment-variables)
+1. Wait about 5 seconds for it to connect to the PIA server. You can check with:
 
-```bash
+    ```bash
-docker logs pia
+    docker logs pia
-```
+    ```
 
-You should now check it works following the [Testing section](#testing)
+1. Follow the [**Testing section**](#testing)
 
 ### Using Docker Compose
 
 1. Download [**docker-compose.yml**](https://github.com/qdm12/private-internet-access-docker/blob/master/docker-compose.yml)
-1. Edit it and change `yourpath`
+1. Edit it and change at least `yourpath`
 1. Run the container as a daemon in the background with:
 
    ```bash
     docker-compose up -d
     ```
 
-    Wait about 5 seconds for it to connect to the PIA server.
+    Note that you can change `REGION`, `PROTOCOL` and `ENCRYPTION`. 
-    You can check with:
+    See the [Environment variables section](#environment-variables)
+1. Wait about 5 seconds for it to connect to the PIA server. You can check with:
 
     ```bash
     docker logs pia
     ```
     
-1. You should now check it works following the [Testing section](#testing)
+1. Follow the [**Testing section**](#testing)
 
 ## Testing
 
@@ -98,24 +116,31 @@ You should now check it works following the [Testing section](#testing)
 1. Run the **curl** Docker container using your *pia* container with:
 
     ```bash
-    docker run --rm --network=container:pia tutum/curl curl -s ifconfig.co
+    docker run --rm --network=container:pia byrnedo/alpine-curl ifconfig.co
     ```
 
     If the displayed IP address appears and is different that your host IP address, 
     the PIA client should fully work !
 
-## Container launch parameters
+## Environment variables
 
-- You can change the `REGION` environment variable to one of the [regions supported by private internet access](https://www.privateinternetaccess.com/pages/network/)
+| Environment variable | Default | Description |
-- If you know what you're doing, you can change the container name (`pia`), 
+| --- | --- | --- |
-  the hostname (`piaclient`) and the network name (`pianet`)
+| `REGION` | `Switzerland` | Any one of the [regions supported by private internet access](https://www.privateinternetaccess.com/pages/network/) |
+| `PROTOCOL` | `tcp` | `tcp` or `udp` |
+| `ENCRYPTION` | `strong` | `normal` or `strong` |
+
+If you know what you're doing, you can change the container name (`pia`), 
+the hostname (`piaclient`) and the network name (`pianet`) as well.
 
 ## Connect other containers to it
 
 Connect other Docker containers to the PIA VPN connection by adding 
 `--network=container:pia` when launching them.
 
-## Access ports of containers connected to the VPN container
+---
+  
+## EXTRA: Access ports of containers connected to the VPN container
 
 You have to use another container acting as a Reverse Proxy such as Nginx. 
 
@@ -164,3 +189,11 @@ You have to use another container acting as a Reverse Proxy such as Nginx.
 1. Access the WebUI of Deluge at [localhost:8000](http://localhost:8000)
 
 For more containers, add more `--link pia:xxx` and modify *nginx.conf* accordingly
+
+## EXTRA: For the paranoids
+
+- You might want to build the image yourself
+- The download and unziping is done at build for the ones not able to download the zip files with their ISPs.
+- Checksums for PIA openvpn zip files are not used as these files change often
+- You should use strong encryption for the environment variable `ENCRYPTION`
+

docker-compose.yml

@@ -12,6 +12,8 @@ services:
         volumes:
             - /yourpath/auth.conf:/auth.conf:ro
         environment:
+            - PROTOCOL=tcp
+            - ENCRYPTION=strong
             - REGION=Germany
         restart: always
         

entrypoint.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+printf "Changing DNS to localhost..."
+echo "nameserver 127.0.0.1" > /etc/resolv.conf
+echo "options ndots:0" >> /etc/resolv.conf
+printf "DONE\nStarting Unbound to connect to Cloudflare DNS 1.1.1.1 at its TLS endpoint TCP 853..."
+unbound
+printf "DONE\nStarting OpenVPN using $PROTOCOL with $ENCRYPTION encryption\n"
+DIR=/openvpn-$PROTOCOL-$ENCRYPTION
+openvpn --config $DIR/$REGION.ovpn --auth-user-pass /auth.conf --ca $DIR/ca.rsa.*.crt --crl-verify $DIR/ca.rsa.*.crt
+printf "\n\nExiting..."