admin/gluetun
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Reworked project overall

Browse Source
This commit is contained in:
Quentin McGaw
2018-11-06 14:55:11 +01:00
parent f5919d0aab
commit 7b4c216fc8
4 changed files with 125 additions and 113 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
Dockerfile
View File

@@ -13,7 +13,7 @@ LABEL org.label-schema.schema-version="1.0.0-rc1" \
org.label-schema.vcs-usage="https://github.com/qdm12/private-internet-access-docker/blob/master/README.md#setup" \ org.label-schema.vcs-usage="https://github.com/qdm12/private-internet-access-docker/blob/master/README.md#setup" \
org.label-schema.docker.cmd="docker run -d -v ./auth.conf:/auth.conf:ro --cap-add=NET_ADMIN --device=/dev/net/tun qmcgaw/private-internet-access" \ org.label-schema.docker.cmd="docker run -d -v ./auth.conf:/auth.conf:ro --cap-add=NET_ADMIN --device=/dev/net/tun qmcgaw/private-internet-access" \
org.label-schema.docker.cmd.devel="docker run -it --rm -v ./auth.conf:/auth.conf:ro --cap-add=NET_ADMIN --device=/dev/net/tun qmcgaw/private-internet-access" \ org.label-schema.docker.cmd.devel="docker run -it --rm -v ./auth.conf:/auth.conf:ro --cap-add=NET_ADMIN --device=/dev/net/tun qmcgaw/private-internet-access" \
org.label-schema.docker.params="" \ org.label-schema.docker.params="REGION=PIA region,PROTOCOL=udp or tcp,ENCRYPTION=strong or normal,BLOCK_MALICIOUS=on or off" \
org.label-schema.version="" \ org.label-schema.version="" \
image-size="17.1MB" \ image-size="17.1MB" \
ram-usage="13MB to 80MB" \ ram-usage="13MB to 80MB" \
@@ -23,7 +23,7 @@ ENV ENCRYPTION=strong \
REGION="CA Montreal" \ REGION="CA Montreal" \
BLOCK_MALICIOUS=off BLOCK_MALICIOUS=off
HEALTHCHECK --interval=5m --timeout=15s --start-period=10s --retries=2 \ HEALTHCHECK --interval=5m --timeout=15s --start-period=10s --retries=2 \
CMD if [[ "$(wget -qqO- 'https://duckduckgo.com/?q=what+is+my+ip' | grep -ow 'Your IP address is [0-9.]*[0-9]' | grep -ow '[0-9][0-9.]*')" == "$INITIAL_IP" ]]; then echo "IP address is the same as the non VPN IP address"; exit 1; fi CMD [ "$(wget -qqO- 'https://duckduckgo.com/?q=what+is+my+ip' | grep -ow 'Your IP address is [0-9.]*[0-9]' | grep -ow '[0-9][0-9.]*')" != "$INITIAL_IP" ] || exit 1
RUN V_ALPINE="v$(cat /etc/alpine-release | grep -oE '[0-9]+\.[0-9]+')" && \ RUN V_ALPINE="v$(cat /etc/alpine-release | grep -oE '[0-9]+\.[0-9]+')" && \
echo https://dl-3.alpinelinux.org/alpine/$V_ALPINE/main > /etc/apk/repositories && \ echo https://dl-3.alpinelinux.org/alpine/$V_ALPINE/main > /etc/apk/repositories && \
apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip && \ apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip && \

22
README.md
View File

@@ -1,10 +1,6 @@
# Private Internet Access Client (OpenVPN+Iptables+DNS over TLS on Alpine Linux) # Private Internet Access Client (OpenVPN+Iptables+DNS over TLS on Alpine Linux)
*VPN client to tunnel to private internet access servers using OpenVPN, IPtables, DNS over TLS and Alpine Linux* *Lightweight VPN client to tunnel to private internet access servers*
Optionally set the protocol (TCP, UDP) and the level of encryption using Docker environment variables.
A killswitch is implemented with the *iptables* firewall, only allowing traffic with PIA servers on needed ports / protocols.
[![PIA Docker OpenVPN](https://github.com/qdm12/private-internet-access-docker/raw/master/readme/title.png)](https://hub.docker.com/r/qmcgaw/private-internet-access/) [![PIA Docker OpenVPN](https://github.com/qdm12/private-internet-access-docker/raw/master/readme/title.png)](https://hub.docker.com/r/qmcgaw/private-internet-access/)
@@ -30,16 +26,21 @@ It is based on:
- [Alpine 3.8](https://alpinelinux.org) for a tiny image - [Alpine 3.8](https://alpinelinux.org) for a tiny image
- [OpenVPN 2.4.6-r3](https://pkgs.alpinelinux.org/package/v3.8/main/x86_64/openvpn) to tunnel to PIA servers - [OpenVPN 2.4.6-r3](https://pkgs.alpinelinux.org/package/v3.8/main/x86_64/openvpn) to tunnel to PIA servers
- [IPtables 1.6.2-r0](https://pkgs.alpinelinux.org/package/v3.8/main/x86_64/iptables) enforces the container to communicate only through the VPN or with other containers in its virtual network (killswitch) - [IPtables 1.6.2-r0](https://pkgs.alpinelinux.org/package/v3.8/main/x86_64/iptables) enforces the container to communicate only through the VPN or with other containers in its virtual network (acts as a killswitch)
- [Unbound 1.7.3-r0](https://pkgs.alpinelinux.org/package/v3.8/main/x86_64/unbound) configured with Cloudflare's [1.1.1.1](https://1.1.1.1) DNS over TLS - [Unbound 1.7.3-r0](https://pkgs.alpinelinux.org/package/v3.8/main/x86_64/unbound) configured with Cloudflare's [1.1.1.1](https://1.1.1.1) DNS over TLS
- [Malicious hostnames list](https://github.com/qdm12/malicious-hostnames-docker) used with Unbound (see `BLOCK_MALICIOUS` environment variable) - [Malicious hostnames list](https://github.com/qdm12/malicious-hostnames-docker) used with Unbound (see `BLOCK_MALICIOUS` environment variable)
- [Malicious IPs list](https://github.com/qdm12/malicious-ips-docker) used with Unbound (see `BLOCK_MALICIOUS`) - [Malicious IPs list](https://github.com/qdm12/malicious-ips-docker) used with Unbound (see `BLOCK_MALICIOUS`)
## Extra features ## Extra features
- With environment variables, choose:
- the PIA region
- the protocol `TCP` or `UDP`
- the level of encryption
- Connect other containers to it - Connect other containers to it
- Restarts OpenVPN on failure using another IP address corresponding to the PIA server domain name (usually 10 IPs per subdomain name) - The *iptables* firewall allows traffic only with needed PIA servers (IP addresses, port, protocol) combination
- Regular Docker healthchecks using [duckduckgo.com](https://duckduckgo.com) to obtain your current public IP address and compare it with your initial non-VPN IP address - OpenVPN restarts on failure using another PIA IP address in the same region
- Docker healthchecks using [duckduckgo.com](https://duckduckgo.com) to obtain your public IP address and compare it with your initial non-VPN IP address
- Openvpn and Unbound do not run as root - Openvpn and Unbound do not run as root
## Requirements ## Requirements
@@ -111,7 +112,7 @@ You can simply use the Docker healthcheck. The container will mark itself as **u
wget -qO- https://ipinfo.io/ip wget -qO- https://ipinfo.io/ip
``` ```
1. Run the **curl** Docker container using your *pia* container with: 1. Run the same command in a Docker container using your *pia* container as network with:
```bash ```bash
docker run --rm --network=container:pia alpine:3.8 wget -qO- https://ipinfo.io/ip docker run --rm --network=container:pia alpine:3.8 wget -qO- https://ipinfo.io/ip
@@ -214,10 +215,11 @@ For more containers, add more `--link pia:xxx` and modify *nginx.conf* according
## TODOs ## TODOs
- [ ] Test pia with port mappings and without pia_net and nginx
- [ ] Iptables should change after initial ip address is obtained - [ ] Iptables should change after initial ip address is obtained
- [ ] More checks for environment variables provided - [ ] More checks for environment variables provided
- [ ] Add checks when launching PIA $? - [ ] Add checks when launching PIA $?
- [ ] VPN server for other devices to go through the tunnel - [ ] VPN server for other devices to go through the tunnel OR hiproxy
## License ## License

4
docker-compose.yml
View File

@@ -1,7 +1,7 @@
version: '3' version: '3'
services: services:
pia: pia:
build: . build: https://github.com/qdm12/private-internet-access-docker.git
image: qmcgaw/private-internet-access image: qmcgaw/private-internet-access
container_name: pia container_name: pia
cap_add: cap_add:
@@ -17,7 +17,7 @@ services:
- ENCRYPTION=strong - ENCRYPTION=strong
- REGION=CA Montreal - REGION=CA Montreal
restart: always restart: always
networks: networks:
pianet: pianet:
external: true external: true

208
entrypoint.sh
View File

@@ -1,49 +1,66 @@
#!/bin/sh #!/bin/sh
printf "\n =========================================" exitOnError(){
printf "\n =========================================" # $1 should be $?
printf "\n ============= PIA CONTAINER =============" status=$1
printf "\n =========================================" message=$2
printf "\n =========================================" [ "$message" != "" ] || message="Error!"
printf "\n == by github.com/qdm12 - Quentin McGaw ==\n" if [ $status != 0 ]; then
printf "$message (status $status)\n"
exit $status
fi
}
printf "\nOpenVPN version: $(openvpn --version | head -n 1 | grep -oE "OpenVPN [0-9\.]* " | cut -d" " -f2)" printf "\n =========================================\n"
printf "\nUnbound version: $(unbound -h | grep "Version" | cut -d" " -f2)" printf "=========================================\n"
printf "\nIptables version: $(iptables --version | cut -d" " -f2)" printf "============= PIA CONTAINER =============\n"
printf "=========================================\n"
printf "=========================================\n"
printf "== by github.com/qdm12 - Quentin McGaw ==\n\n"
printf "OpenVPN version: $(openvpn --version | head -n 1 | grep -oE "OpenVPN [0-9\.]* " | cut -d" " -f2)\n"
printf "Unbound version: $(unbound -h | grep "Version" | cut -d" " -f2)\n"
printf "Iptables version: $(iptables --version | cut -d" " -f2)\n"
############################################ ############################################
# CHECK PARAMETERS # CHECK PARAMETERS
############################################ ############################################
cat "/openvpn-$PROTOCOL-$ENCRYPTION/$REGION.ovpn" &> /dev/null cat "/openvpn-$PROTOCOL-$ENCRYPTION/$REGION.ovpn" &> /dev/null
if [[ "$?" != 0 ]]; then printf "/openvpn-$PROTOCOL-$ENCRYPTION/$REGION.ovpn is not accessible\nSleeping for 10 seconds before exit...\n"; sleep 10; exit 1; fi exitOnError $? "/openvpn-$PROTOCOL-$ENCRYPTION/$REGION.ovpn is not accessible"
# TODO more # TODO more
############################################ ############################################
# CHECK FOR TUN DEVICE # CHECK FOR TUN DEVICE
############################################ ############################################
while [ "$(cat /dev/net/tun 2>&1 /dev/null)" != "cat: read error: File descriptor in bad state" ]; while [ "$(cat /dev/net/tun 2>&1 /dev/null)" != "cat: read error: File descriptor in bad state" ]; do
do printf "\nTUN device is not opened, sleeping for 30 seconds..."; sleep 30; done printf "TUN device is not available, sleeping for 30 seconds...\n"
printf "\nTUN device is opened" sleep 30
done
printf "TUN device OK\n"
############################################ ############################################
# BLOCKING MALICIOUS HOSTNAMES AND IPs WITH UNBOUND # BLOCKING MALICIOUS HOSTNAMES AND IPs WITH UNBOUND
############################################ ############################################
touch /etc/unbound/blocks-malicious.conf touch /etc/unbound/blocks-malicious.conf
printf "\nUnbound malicious hostnames blocking is $BLOCK_MALICIOUS" printf "Unbound malicious hostnames blocking is $BLOCK_MALICIOUS\n"
if [ "$BLOCK_MALICIOUS" = "on" ] && [ ! -f /etc/unbound/blocks-malicious.conf ]; then if [ "$BLOCK_MALICIOUS" = "on" ] && [ ! -f /etc/unbound/blocks-malicious.conf ]; then
printf "Extracting malicious hostnames archive..." printf "Extracting malicious hostnames archive..."
tar -xjf /etc/unbound/malicious-hostnames.bz2 -C /etc/unbound/ tar -xjf /etc/unbound/malicious-hostnames.bz2 -C /etc/unbound/
exitOnError $?
printf "DONE\n" printf "DONE\n"
printf "Extracting malicious IPs archive..." printf "Extracting malicious IPs archive..."
tar -xjf /etc/unbound/malicious-ips.bz2 -C /etc/unbound/ tar -xjf /etc/unbound/malicious-ips.bz2 -C /etc/unbound/
exitOnError $?
printf "DONE\n" printf "DONE\n"
printf "Building blocks-malicious.conf for Unbound..." printf "Building blocks-malicious.conf for Unbound..."
while read hostname; do while read hostname; do
echo "local-zone: \""$hostname"\" static" >> /etc/unbound/blocks-malicious.conf echo "local-zone: \""$hostname"\" static" >> /etc/unbound/blocks-malicious.conf
done < /etc/unbound/malicious-hostnames done < /etc/unbound/malicious-hostnames
exitOnError $?
while read ip; do while read ip; do
echo "private-address: $ip" >> /etc/unbound/blocks-malicious.conf echo "private-address: $ip" >> /etc/unbound/blocks-malicious.conf
done < /etc/unbound/malicious-ips done < /etc/unbound/malicious-ips
exitOnError $?
printf "$(cat /etc/unbound/malicious-hostnames | wc -l ) malicious hostnames and $(cat /etc/unbound/malicious-ips | wc -l) malicious IP addresses added\n" printf "$(cat /etc/unbound/malicious-hostnames | wc -l ) malicious hostnames and $(cat /etc/unbound/malicious-ips | wc -l) malicious IP addresses added\n"
rm -f /etc/unbound/malicious-hostnames* /etc/unbound/malicious-ips* rm -f /etc/unbound/malicious-hostnames* /etc/unbound/malicious-ips*
else else
@@ -53,129 +70,122 @@ fi
############################################ ############################################
# SETTING DNS OVER TLS TO 1.1.1.1 / 1.0.0.1 # SETTING DNS OVER TLS TO 1.1.1.1 / 1.0.0.1
############################################ ############################################
printf "\nLaunching Unbound daemon to connect to Cloudflare DNS 1.1.1.1 at its TLS endpoint..." printf "Launching Unbound daemon to connect to Cloudflare DNS 1.1.1.1 at its TLS endpoint...\n"
unbound unbound
status=$? exitOnError $?
if [[ "$status" != 0 ]]; then printf "ERROR with status code $status\nSleeping for 10 seconds before exit...\n"; sleep 10; exit $status; fi printf "DONE\n"
printf "DONE" printf "Changing DNS to localhost..."
printf "\nChanging DNS to localhost..."
echo "nameserver 127.0.0.1" > /etc/resolv.conf echo "nameserver 127.0.0.1" > /etc/resolv.conf
status=$? exitOnError $?
if [[ "$status" != 0 ]]; then printf "ERROR with status code $status\nSleeping for 10 seconds before exit...\n"; sleep 10; exit $status; fi
echo "options ndots:0" >> /etc/resolv.conf echo "options ndots:0" >> /etc/resolv.conf
printf "DONE" exitOnError $?
printf "DONE\n"
############################################ ############################################
# ORIGINAL IP FOR HEALTHCHECK # ORIGINAL IP FOR HEALTHCHECK
############################################ ############################################
printf "\nGetting non VPN public IP address..." printf "Getting non VPN public IP address..."
export INITIAL_IP=$(wget -qqO- 'https://duckduckgo.com/?q=what+is+my+ip' | grep -ow 'Your IP address is [0-9.]*[0-9]' | grep -ow '[0-9][0-9.]*') export INITIAL_IP=$(wget -qO- 'https://duckduckgo.com/?q=what+is+my+ip' | grep -o 'Your IP address is [0-9.]*[0-9]' | grep -o '[0-9][0-9.]*')
status=$? exitOnError $?
if [[ "$status" != 0 ]]; then printf "ERROR with status code $status\nSleeping for 10 seconds before exit...\n"; sleep 10; exit $status; fi printf "$INITIAL_IP\n"
printf "$INITIAL_IP"
############################################ ############################################
# FIREWALL # FIREWALL
############################################ ############################################
printf "\nSetting firewall for killswitch purposes..." printf "Setting firewall for killswitch purposes...\n"
printf "\n * Detecting local subnet..." printf " * Detecting local subnet..."
SUBNET=$(ip route show default | tail -n 1 | awk '// {print $1}') SUBNET=$(ip route show default | tail -n 1 | awk '// {print $1}')
status=$? exitOnError $?
if [[ "$status" != 0 ]]; then printf "ERROR with status code $status\nSleeping for 10 seconds before exit...\n"; sleep 10; exit $status; fi printf "$SUBNET\n"
printf "$SUBNET" printf " * Reading parameters to be used for region $REGION, protocol $PROTOCOL and encryption $ENCRYPTION..."
printf "\n * Reading parameters to be used for region $REGION, protocol $PROTOCOL and encryption $ENCRYPTION..."
CONNECTIONSTRING=$(grep -i "/openvpn-$PROTOCOL-$ENCRYPTION/$REGION.ovpn" -e 'privateinternetaccess.com') CONNECTIONSTRING=$(grep -i "/openvpn-$PROTOCOL-$ENCRYPTION/$REGION.ovpn" -e 'privateinternetaccess.com')
status=$? exitOnError $?
if [[ "$status" != 0 ]]; then printf "ERROR with status code $status\nSleeping for 10 seconds before exit...\n"; sleep 10; exit $status; fi
PORT=$(echo $CONNECTIONSTRING | cut -d' ' -f3) PORT=$(echo $CONNECTIONSTRING | cut -d' ' -f3)
if [[ "$PORT" == "" ]]; then printf "Port could not be extracted from configuration file\n"; exit 1; fi if [ "$PORT" = "" ]; then
printf "Port not found in /openvpn-$PROTOCOL-$ENCRYPTION/$REGION.ovpn\n"
exit 1
fi
PIADOMAIN=$(echo $CONNECTIONSTRING | cut -d' ' -f2) PIADOMAIN=$(echo $CONNECTIONSTRING | cut -d' ' -f2)
if [[ "$PIADOMAIN" == "" ]]; then printf "Port could not be extracted from configuration file\n"; exit 1; fi if [ "$PIADOMAIN" = "" ]; then
sed -i '/^remote $PIADOMAIN $PORT/d' "/openvpn-$PROTOCOL-$ENCRYPTION/$REGION.ovpn" && \ printf "Domain not found in /openvpn-$PROTOCOL-$ENCRYPTION/$REGION.ovpn\n"
printf "\n * Port: $PORT" exit 1
printf "\n * Domain: $PIADOMAIN" fi
printf "\n * Detecting IP addresses corresponding to $PIADOMAIN..." sed -i '/^remote $PIADOMAIN $PORT/d' "/openvpn-$PROTOCOL-$ENCRYPTION/$REGION.ovpn"
exitOnError $? "Can't delete remote connection string in /openvpn-$PROTOCOL-$ENCRYPTION/$REGION.ovpn"
printf "DONE\n"
printf " * Port: $PORT\n"
printf " * Domain: $PIADOMAIN\n"
printf " * Detecting IP addresses corresponding to $PIADOMAIN..."
VPNIPS=$(nslookup $PIADOMAIN localhost | tail -n +5 | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}') VPNIPS=$(nslookup $PIADOMAIN localhost | tail -n +5 | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}')
status=$? exitOnError $?
if [[ "$status" != 0 ]]; then printf "ERROR with status code $status\nSleeping for 10 seconds before exit...\n"; sleep 10; exit $status; fi printf "DONE\n"
for ip in $VPNIPS for ip in $VPNIPS; do printf " $ip\n"; done
do printf " * Adding IP addresses of $PIADOMAIN to /openvpn-$PROTOCOL-$ENCRYPTION/$REGION.ovpn...\n"
printf "\n $ip" for ip in $VPNIPS; do
if [ $(grep "remote $ip $PORT" "/openvpn-$PROTOCOL-$ENCRYPTION/$REGION.ovpn") != "" ]; then
printf " remote $ip $PORT (already present)\n"
else
printf " remote $ip $PORT\n"
echo "remote $ip $PORT" >> "/openvpn-$PROTOCOL-$ENCRYPTION/$REGION.ovpn"
fi
done done
printf "\n * Adding IP addresses of $PIADOMAIN to /openvpn-$PROTOCOL-$ENCRYPTION/$REGION.ovpn..." printf " * Deleting all iptables rules..."
for ip in $VPNIPS
do
printf "\n remote $ip $PORT"
grep "remote $ip $PORT" "/openvpn-$PROTOCOL-$ENCRYPTION/$REGION.ovpn" || echo "remote $ip $PORT" >> "/openvpn-$PROTOCOL-$ENCRYPTION/$REGION.ovpn"
done
printf "\n * Deleting all iptables rules..."
iptables --flush iptables --flush
status=$? exitOnError $?
if [[ "$status" != 0 ]]; then printf "ERROR with status code $status\nSleeping for 10 seconds before exit...\n"; sleep 10; exit $status; fi
iptables --delete-chain iptables --delete-chain
status=$? exitOnError $?
if [[ "$status" != 0 ]]; then printf "ERROR with status code $status\nSleeping for 10 seconds before exit...\n"; sleep 10; exit $status; fi
iptables -t nat --flush iptables -t nat --flush
status=$? exitOnError $?
if [[ "$status" != 0 ]]; then printf "ERROR with status code $status\nSleeping for 10 seconds before exit...\n"; sleep 10; exit $status; fi
iptables -t nat --delete-chain iptables -t nat --delete-chain
status=$? exitOnError $?
if [[ "$status" != 0 ]]; then printf "ERROR with status code $status\nSleeping for 10 seconds before exit...\n"; sleep 10; exit $status; fi printf "DONE\n"
printf "DONE" printf " * Blocking all output traffic..."
printf "\n * Blocking all output traffic..."
iptables -F OUTPUT iptables -F OUTPUT
status=$? exitOnError $?
if [[ "$status" != 0 ]]; then printf "ERROR with status code $status\nSleeping for 10 seconds before exit...\n"; sleep 10; exit $status; fi
iptables -P OUTPUT DROP iptables -P OUTPUT DROP
status=$? exitOnError $?
if [[ "$status" != 0 ]]; then printf "ERROR with status code $status\nSleeping for 10 seconds before exit...\n"; sleep 10; exit $status; fi printf "DONE\n"
printf "DONE" printf " * Adding rules to accept local loopback traffic..."
printf "\n * Adding rules to accept local loopback traffic..."
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
status=$? exitOnError $?
if [[ "$status" != 0 ]]; then printf "ERROR with status code $status\nSleeping for 10 seconds before exit...\n"; sleep 10; exit $status; fi
iptables -A OUTPUT -o lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT
status=$? exitOnError $?
if [[ "$status" != 0 ]]; then printf "ERROR with status code $status\nSleeping for 10 seconds before exit...\n"; sleep 10; exit $status; fi printf "DONE\n"
printf "DONE" printf " * Adding rules to accept traffic of subnet $SUBNET..."
printf "\n * Adding rules to accept traffic of subnet $SUBNET..."
iptables -A OUTPUT -d $SUBNET -j ACCEPT iptables -A OUTPUT -d $SUBNET -j ACCEPT
status=$? exitOnError $?
if [[ "$status" != 0 ]]; then printf "ERROR with status code $status\nSleeping for 10 seconds before exit...\n"; sleep 10; exit $status; fi printf "DONE\n"
printf "DONE" for ip in $VPNIPS; do
for ip in $VPNIPS printf " * Adding rules to accept traffic with $ip on port $PROTOCOL $PORT..."
do
printf "\n * Adding rules to accept traffic with $ip on port $PROTOCOL $PORT..."
iptables -A OUTPUT -j ACCEPT -d $ip -o eth0 -p $PROTOCOL -m $PROTOCOL --dport $PORT iptables -A OUTPUT -j ACCEPT -d $ip -o eth0 -p $PROTOCOL -m $PROTOCOL --dport $PORT
status=$? exitOnError $?
if [[ "$status" != 0 ]]; then printf "ERROR with status code $status\nSleeping for 10 seconds before exit...\n"; sleep 10; exit $status; fi printf "DONE\n"
printf "DONE"
done done
printf "\n * Adding rules to accept traffic going through the tun device..." printf " * Adding rules to accept traffic going through the tun device..."
iptables -A OUTPUT -o tun0 -j ACCEPT iptables -A OUTPUT -o tun0 -j ACCEPT
status=$? exitOnError $?
if [[ "$status" != 0 ]]; then printf "ERROR with status code $status\nSleeping for 10 seconds before exit...\n"; sleep 10; exit $status; fi printf "DONE\n"
printf "DONE"
############################################ ############################################
# USER SECURITY # USER SECURITY
############################################ ############################################
printf "\nChanging /auth.conf ownership to nonrootuser with read only access..." printf "Changing /auth.conf ownership to nonrootuser with read only access..."
chown nonrootuser /auth.conf chown nonrootuser /auth.conf
exitOnError $?
chmod 400 /auth.conf chmod 400 /auth.conf
printf "DONE" exitOnError $?
printf "DONE\n"
############################################ ############################################
# OPENVPN LAUNCH # OPENVPN LAUNCH
############################################ ############################################
printf "\nStarting OpenVPN using the following parameters:" printf "Starting OpenVPN using the following parameters:\n"
printf "\n * Region: $REGION" printf " * Region: $REGION\n"
printf "\n * Encryption: $ENCRYPTION" printf " * Encryption: $ENCRYPTION\n"
printf "\n * Protocol: $PROTOCOL" printf " * Protocol: $PROTOCOL\n"
printf "\n * Port: $PORT" printf " * Port: $PORT\n"
printf "\n * Initial IP address: $(echo "$VPNIPS" | head -n 1)" printf " * Initial IP address: $(echo "$VPNIPS" | head -n 1)\n\n"
printf "\n\n"
cd "/openvpn-$PROTOCOL-$ENCRYPTION" cd "/openvpn-$PROTOCOL-$ENCRYPTION"
exitOnError $? "Can't access /openvpn-$PROTOCOL-$ENCRYPTION"
openvpn --config "$REGION.ovpn" --user nonrootuser --persist-tun --auth-retry nointeract --auth-user-pass /auth.conf --auth-nocache openvpn --config "$REGION.ovpn" --user nonrootuser --persist-tun --auth-retry nointeract --auth-user-pass /auth.conf --auth-nocache
status=$? printf "\nOpenVPN exited with status $?\n"
printf "\nOpenVPN exited with status $status\n"