Re-added Unbound DNS over TLS

It turns out you can't use a local DNS server once connected with the VPN, so running the DNS over TLS in the PIA container is the best.

Dockerfile

@@ -6,7 +6,14 @@ LABEL maintainer="quentin.mcgaw@gmail.com" \
       ram="11MB" \
       cpu_usage="Low" \
       github="https://github.com/qdm12/private-internet-access-docker"
-RUN apk add -q --progress --no-cache --update openvpn ca-certificates iptables ip6tables && \
+HEALTHCHECK --interval=1m --timeout=10s --start-period=10s --retries=1 \
+            CMD export OLD_VPN_IP="$NEW_VPN_IP" && \
+                export NEW_VPN_IP=$(wget -qqO- 'https://duckduckgo.com/?q=what+is+my+ip' | grep -ow 'Your IP address is [0-9.]*[0-9]' | grep -ow '[0-9][0-9.]*') && \
+                [ "$NEW_VPN_IP" != "$INITIAL_IP" ] && [ "$NEW_VPN_IP" != "$OLD_VPN_IP" ] || exit 1
+ENV ENCRYPTION=strong \
+    PROTOCOL=tcp \
+    REGION=Germany
+RUN apk add -q --progress --no-cache --update openvpn ca-certificates iptables ip6tables unbound && \
     apk add -q --progress --no-cache --update --virtual=build-dependencies unzip && \
     mkdir /openvpn-udp-normal /openvpn-udp-strong /openvpn-tcp-normal /openvpn-tcp-strong && \
     wget -q https://www.privateinternetaccess.com/openvpn/openvpn.zip \
@@ -18,14 +25,7 @@ RUN apk add -q --progress --no-cache --update openvpn ca-certificates iptables i
     unzip -q openvpn-tcp.zip -d /openvpn-tcp-normal && \
     unzip -q openvpn-strong-tcp.zip -d /openvpn-tcp-strong && \
     apk del -q --progress --purge build-dependencies && \
-    rm -rf /*.zip /var/cache/apk/*
-HEALTHCHECK --interval=10m --timeout=10s --start-period=10s --retries=1 \
-            CMD export OLD_VPN_IP="$NEW_VPN_IP" && \
-                export NEW_VPN_IP=$(wget -qqO- 'https://duckduckgo.com/?q=what+is+my+ip' | grep -ow 'Your IP address is [0-9.]*[0-9]' | grep -ow '[0-9][0-9.]*') && \
-                [ "$NEW_VPN_IP" != "$INITIAL_IP" ] && [ "$NEW_VPN_IP" != "$OLD_VPN_IP" ] || exit 1
-ENV ENCRYPTION=strong \
-    PROTOCOL=tcp \
-    REGION=Germany
+    rm -rf /*.zip /var/cache/apk/* /etc/unbound/unbound.conf
+COPY unbound.conf /etc/unbound/unbound.conf
 COPY entrypoint.sh /
-RUN chmod +x /entrypoint.sh
 ENTRYPOINT /entrypoint.sh

README.md

@@ -221,3 +221,9 @@ For more containers, add more `--link pia:xxx` and modify *nginx.conf* according
 - The download and unziping is done at build for the ones not able to download the zip files with their ISPs.
 - Checksums for PIA openvpn zip files are not used as these files change often
 - You should use strong encryption for the environment variable `ENCRYPTION`
+
+### TODOs
+
+- More iptables restrictions
+- Rework readme with unbound required for VPN
+- Block malicious websites with Unbound

entrypoint.sh

@@ -2,16 +2,32 @@
 
 printf "=== PIA CONTAINER ==="
 
-# Obtaining your original IP address to use for the healthcheck
+############################################
+# SETTING DNS OVER TLS TO 1.1.1.1 / 1.0.0.1
+############################################
+printf "\nChanging DNS to localhost..."
+echo "nameserver 127.0.0.1" > /etc/resolv.conf
+echo "options ndots:0" >> /etc/resolv.conf
+printf "DONE"
+printf "\nLaunching Unbound daemon to connect to Cloudflare DNS 1.1.1.1 at its TLS endpoint..."
+unbound
+printf "DONE"
+
+############################################
+# ORIGINAL IP FOR HEALTHCHECK
+############################################
 printf "\nGetting non VPN public IP address..."
 export INITIAL_IP=$(wget -qqO- 'https://duckduckgo.com/?q=what+is+my+ip' | grep -ow 'Your IP address is [0-9.]*[0-9]' | grep -ow '[0-9][0-9.]*')
 printf "$INITIAL_IP"
 
+############################################
+# FIREWALL
+############################################
 printf "\nSetting firewall for killswitch purposes..."
 printf "\n * Detecting local subnet..."
 SUBNET=$(ip route show default | tail -n 1 | awk '// {print $1}')
 printf "$SUBNET"
-printf "\n * Detecting parameters to be used for region $REGION, protocol $PROTOCOL and encryption $ENCRYPTION..."
+printf "\n * Reading parameters to be used for region $REGION, protocol $PROTOCOL and encryption $ENCRYPTION..."
 CONNECTIONSTRING=$(grep -i "/openvpn-$PROTOCOL-$ENCRYPTION/$REGION.ovpn" -e 'privateinternetaccess.com')
 PORT=$(echo $CONNECTIONSTRING | cut -d' ' -f3)
 PIADOMAIN=$(echo $CONNECTIONSTRING | cut -d' ' -f2)
@@ -36,8 +52,10 @@ ip6tables -P OUTPUT DROP 2>/dev/null
 printf "\n * Adding rules to accept local loopback traffic..."
 iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT
+iptables -A INPUT -i lo -j ACCEPT
 ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null
 ip6tables -A OUTPUT -o lo -j ACCEPT 2>/dev/null
+ip6tables -A INPUT -i lo -j ACCEPT 2>/dev/null
 printf "DONE"
 printf "\n * Adding rules to accept traffic of subnet $SUBNET..."
 iptables -A OUTPUT -d $SUBNET -j ACCEPT
@@ -47,24 +65,39 @@ for ip in $VPNIPS
 do
     printf "\n * Adding rules to accept traffic with $ip on port $PROTOCOL $PORT..."
     iptables -A OUTPUT -j ACCEPT -d $ip -o eth0 -p $PROTOCOL -m $PROTOCOL --dport $PORT
+    iptables -A INPUT -j ACCEPT -s $ip -i eth0 -p $PROTOCOL -m $PROTOCOL --sport $PORT
     ip6tables -A OUTPUT -j ACCEPT -d $ip -o eth0 -p $PROTOCOL -m $PROTOCOL --dport $PORT 2>/dev/null
+    ip6tables -A INPUT -j ACCEPT -s $ip -i eth0 -p $PROTOCOL -m $PROTOCOL --sport $PORT 2>/dev/null
     printf "DONE"
 done
 printf "\n * Adding rules to accept traffic going through the tun device..."
 iptables -A OUTPUT -o tun0 -j ACCEPT
-iptables -A OUTPUT -o tap0 -j ACCEPT
-ip6tables -A OUTPUT -o tap0 -j ACCEPT 2>/dev/null
+iptables -A INPUT -i tun0 -j ACCEPT
 ip6tables -A OUTPUT -o tun0 -j ACCEPT 2>/dev/null
+ip6tables -A INPUT -i tun0 -j ACCEPT 2>/dev/null
 printf "DONE"
 printf "\n * Allowing outgoing DNS queries on port 53 UDP..."
 iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
 ip6tables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null
 printf "DONE"
+
+############################################
+# SUMMARY
+############################################
 printf "\n * Starting OpenVPN using the following parameters:"
 printf "\n   * Domain: $PIADOMAIN"
 printf "\n   * Port: $PORT"
 printf "\n   * Protocol: $PROTOCOL"
 printf "\n   * Encryption: $ENCRYPTION\n"
+
+############################################
+# OPENVPN LAUNCH
+############################################
+# RUN AS OTHER USER TODO
 cd /openvpn-$PROTOCOL-$ENCRYPTION
 openvpn --config "$REGION.ovpn" --auth-user-pass /auth.conf
+
+############################################
+# CLEANUP
+############################################
 printf "\nExiting...\n\n"

unbound.conf

@@ -0,0 +1,18 @@
+server:
+  verbosity: 0
+  use-syslog: yes
+  qname-minimisation: yes
+  do-tcp: yes
+  prefetch: yes
+  rrset-roundrobin: yes
+  use-caps-for-id: yes
+  do-ip4: yes
+  do-ip6: no
+  interface: 127.0.0.1
+  hide-identity: yes
+  hide-version: yes
+forward-zone:
+  name: "."
+  forward-addr: 1.1.1.1@853#cloudflare-dns.com
+  forward-addr: 1.0.0.1@853#cloudflare-dns.com
+  forward-ssl-upstream: yes