diff --git a/Dockerfile b/Dockerfile index 28994dd0..1f951072 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,8 +12,8 @@ LABEL org.label-schema.schema-version="1.0.0-rc1" \ org.label-schema.url="https://github.com/qdm12/private-internet-access-docker" \ org.label-schema.vcs-description="VPN client to tunnel to private internet access servers using OpenVPN, IPtables, DNS over TLS and Alpine Linux" \ org.label-schema.vcs-usage="https://github.com/qdm12/private-internet-access-docker/blob/master/README.md#setup" \ - org.label-schema.docker.cmd="docker run -d --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \ - org.label-schema.docker.cmd.devel="docker run -it --rm --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \ + org.label-schema.docker.cmd="docker run -d --init --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \ + org.label-schema.docker.cmd.devel="docker run -it --rm --init --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \ org.label-schema.docker.params="REGION=PIA region,PROTOCOL=udp/tcp,ENCRYPTION=strong/normal,BLOCK_MALICIOUS=on/off,BLOCK_NSA=on/off,UNBLOCK=allowed hostnames,USER=PIA user,PASSWORD=PIA password,EXTRA_SUBNETS=extra subnets to allow on the firewall,NONROOT=yes/no" \ org.label-schema.version="" \ image-size="19.8MB" \ @@ -24,11 +24,13 @@ ENV USER= \ ENCRYPTION=strong \ PROTOCOL=udp \ REGION="CA Montreal" \ + NONROOT=no \ + DOT=on \ BLOCK_MALICIOUS=off \ BLOCK_NSA=off \ UNBLOCK= \ - EXTRA_SUBNETS= \ - NONROOT=no + FIREWALL=on \ + EXTRA_SUBNETS= ENTRYPOINT /entrypoint.sh HEALTHCHECK --interval=3m --timeout=3s --start-period=20s --retries=1 CMD /healthcheck.sh RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip && \ diff --git a/README.md b/README.md index 4cd9c025..b16fd560 100644 --- a/README.md +++ b/README.md @@ -41,10 +41,12 @@ - [Destination region](https://www.privateinternetaccess.com/pages/network) - Internet protocol - Level of encryption - - Username and password + - PIA Username and password + - DNS over TLS - Malicious DNS blocking - - Extra subnets allowed by firewall + - Internal firewall - Run openvpn without root (but will give reconnect problems) + - Run openvpn without root

- Connect other containers to it, [see this](https://github.com/qdm12/private-internet-access-docker#connect-to-it) @@ -109,7 +111,7 @@ 1. Launch the container with: ```bash - docker run -d --name=pia --cap-add=NET_ADMIN --device=/dev/net/tun \ + docker run -d --init --name=pia --cap-add=NET_ADMIN --device=/dev/net/tun \ -e REGION="CA Montreal" -e USER=js89ds7 -e PASSWORD=8fd9s239G \ qmcgaw/private-internet-access ``` @@ -120,7 +122,7 @@ docker-compose up -d ``` - Note that you can change all the [environment variables](#environment-variables) + Note that you can change all the [environment variables](#environment-variables). ## Testing @@ -140,10 +142,12 @@ docker run --rm --network=container:pia alpine:3.10 wget -qO- https://ipinfo.io | `USER` | | Your PIA username | | `PASSWORD` | | Your PIA password | | `NONROOT` | `no` | Run OpenVPN without root, `yes` or `no` | -| `EXTRA_SUBNETS` | | comma separated subnets allowed in the container firewall (i.e. `192.168.1.0/24,192.168.10.121,10.0.0.5/28`) | +| `DOT` | `on` | `on` or `off`, to activate DNS over TLS to 1.1.1.1 | | `BLOCK_MALICIOUS` | `off` | `on` or `off`, blocks malicious hostnames and IPs | | `BLOCK_NSA` | `off` | `on` or `off`, blocks NSA hostnames | | `UNBLOCK` | | comma separated string (i.e. `web.com,web2.ca`) to unblock hostnames | +| `FIREWALL` | `on` | `on` or `off`, to switch the internal killswitch firewall (should be left `on`) | +| `EXTRA_SUBNETS` | | comma separated subnets allowed in the container firewall (i.e. `192.168.1.0/24,192.168.10.121,10.0.0.5/28`) | ## Connect to it diff --git a/docker-compose.yml b/docker-compose.yml index 50f7c9b2..c2c8cfea 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -9,6 +9,7 @@ services: devices: - /dev/net/tun network_mode: bridge + init: true environment: - USER=js89ds7 - PASSWORD=8fd9s239G diff --git a/entrypoint.sh b/entrypoint.sh index 1b915e72..0b6506da 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -30,7 +30,7 @@ exitIfNotIn(){ return 0 fi done - printf "Environment variable $1=$var must be one of the following: " + printf "Environment variable $1 cannot be '$var' and must be one of the following: " for value in ${2//,/ } do printf "$value " @@ -57,8 +57,6 @@ exitIfUnset USER exitIfUnset PASSWORD exitIfNotIn ENCRYPTION "normal,strong" exitIfNotIn PROTOCOL "tcp,udp" -exitIfNotIn BLOCK_MALICIOUS "on,off" -exitIfNotIn BLOCK_NSA "on,off" exitIfNotIn NONROOT "yes,no" cat "/openvpn/$PROTOCOL-$ENCRYPTION/$REGION.ovpn" &> /dev/null exitOnError $? "/openvpn/$PROTOCOL-$ENCRYPTION/$REGION.ovpn is not accessible" @@ -68,6 +66,19 @@ for SUBNET in ${EXTRA_SUBNETS//,/ }; do exit 1 fi done +exitIfNotIn DOT "on,off" +exitIfNotIn BLOCK_MALICIOUS "on,off" +exitIfNotIn BLOCK_NSA "on,off" +if [ "$DOT" == "off" ]; then + if [ "$BLOCK_MALICIOUS" == "on" ]; then + printf "DOT is off so BLOCK_MALICIOUS cannot be on\n" + exit 1 + elif [ "$BLOCK_NSA" == "on" ]; then + printf "DOT is off so BLOCK_NSA cannot be on\n" + exit 1 + fi +fi +exitIfNotIn FIREWALL "on,off" ##################################################### # Writes to protected file and remove USER, PASSWORD @@ -103,40 +114,45 @@ printf "TUN device OK\n" ############################################ # BLOCKING MALICIOUS HOSTNAMES AND IPs WITH UNBOUND ############################################ -printf "Malicious hostnames and ips blocking is $BLOCK_MALICIOUS\n" -rm -f /etc/unbound/blocks-malicious.conf -if [ "$BLOCK_MALICIOUS" = "on" ]; then - tar -xjf /etc/unbound/blocks-malicious.bz2 -C /etc/unbound/ - printf "$(cat /etc/unbound/blocks-malicious.conf | grep "local-zone" | wc -l ) malicious hostnames and $(cat /etc/unbound/blocks-malicious.conf | grep "private-address" | wc -l) malicious IP addresses blacklisted\n" -else - echo "" > /etc/unbound/blocks-malicious.conf +if [ "$DOT" == "on" ]; then + printf "Malicious hostnames and ips blocking is $BLOCK_MALICIOUS\n" + rm -f /etc/unbound/blocks-malicious.conf + if [ "$BLOCK_MALICIOUS" = "on" ]; then + tar -xjf /etc/unbound/blocks-malicious.bz2 -C /etc/unbound/ + printf "$(cat /etc/unbound/blocks-malicious.conf | grep "local-zone" | wc -l ) malicious hostnames and $(cat /etc/unbound/blocks-malicious.conf | grep "private-address" | wc -l) malicious IP addresses blacklisted\n" + else + echo "" > /etc/unbound/blocks-malicious.conf + fi + if [ "$BLOCK_NSA" = "on" ]; then + tar -xjf /etc/unbound/blocks-nsa.bz2 -C /etc/unbound/ + printf "$(cat /etc/unbound/blocks-nsa.conf | grep "local-zone" | wc -l ) NSA hostnames blacklisted\n" + cat /etc/unbound/blocks-nsa.conf >> /etc/unbound/blocks-malicious.conf + rm /etc/unbound/blocks-nsa.conf + sort -u -o /etc/unbound/blocks-malicious.conf /etc/unbound/blocks-malicious.conf + fi + for hostname in ${UNBLOCK//,/ } + do + printf "Unblocking hostname $hostname\n" + sed -i "/$hostname/d" /etc/unbound/blocks-malicious.conf + done fi -if [ "$BLOCK_NSA" = "on" ]; then - tar -xjf /etc/unbound/blocks-nsa.bz2 -C /etc/unbound/ - printf "$(cat /etc/unbound/blocks-nsa.conf | grep "local-zone" | wc -l ) NSA hostnames blacklisted\n" - cat /etc/unbound/blocks-nsa.conf >> /etc/unbound/blocks-malicious.conf - rm /etc/unbound/blocks-nsa.conf - sort -u -o /etc/unbound/blocks-malicious.conf /etc/unbound/blocks-malicious.conf -fi -for hostname in ${UNBLOCK//,/ } -do - printf "Unblocking hostname $hostname\n" - sed -i "/$hostname/d" /etc/unbound/blocks-malicious.conf -done ############################################ # SETTING DNS OVER TLS TO 1.1.1.1 / 1.0.0.1 ############################################ -printf "Launching Unbound daemon to connect to Cloudflare DNS 1.1.1.1 at its TLS endpoint..." -unbound -exitOnError $? -printf "DONE\n" -printf "Changing DNS to localhost..." -echo "nameserver 127.0.0.1" > /etc/resolv.conf -exitOnError $? -echo "options ndots:0" >> /etc/resolv.conf -exitOnError $? -printf "DONE\n" +printf "DNS over TLS is $DOT\n" +if [ "$DOT" == "on" ]; then + printf "Launching Unbound daemon to connect to Cloudflare DNS 1.1.1.1 at its TLS endpoint..." + unbound + exitOnError $? + printf "DONE\n" + printf "Changing DNS to localhost..." + echo "nameserver 127.0.0.1" > /etc/resolv.conf + exitOnError $? + echo "options ndots:0" >> /etc/resolv.conf + exitOnError $? + printf "DONE\n" +fi ############################################ # Reading chosen OpenVPN configuration @@ -204,56 +220,59 @@ printf "DONE\n" ############################################ # FIREWALL ############################################ -printf "Setting firewall for killswitch purposes...\n" -printf " * Detecting local subnet..." -SUBNET=$(ip route show | tail -n 1 | cut -d" " -f 1) -exitOnError $? -printf "$SUBNET\n" -printf " * Deleting all iptables rules..." -iptables --flush -exitOnError $? -iptables --delete-chain -exitOnError $? -iptables -t nat --flush -exitOnError $? -iptables -t nat --delete-chain -exitOnError $? -printf "DONE\n" -printf " * Block output traffic..." -iptables -F OUTPUT -exitOnError $? -iptables -P OUTPUT DROP -exitOnError $? -printf "DONE\n" -printf " * Accept established and related output traffic..." -iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -exitOnError $? -printf "DONE\n" -printf " * Accept local loopback output traffic..." -iptables -A OUTPUT -o lo -j ACCEPT -exitOnError $? -printf "DONE\n" -printf " * Accept output traffic with local subnet $SUBNET..." -iptables -A OUTPUT -d $SUBNET -j ACCEPT -exitOnError $? -printf "DONE\n" -for EXTRASUBNET in ${EXTRA_SUBNETS//,/ } -do - printf " * Accept output traffic with extra subnet $EXTRASUBNET..." - iptables -A OUTPUT -d $EXTRASUBNET -j ACCEPT +printf "Firewall is $FIREWALL\n" +if [ "$FIREWALL" == "on" ]; then + printf "Setting firewall for killswitch purposes...\n" + printf " * Detecting local subnet..." + SUBNET=$(ip route show | tail -n 1 | cut -d" " -f 1) + exitOnError $? + printf "$SUBNET\n" + printf " * Deleting all iptables rules..." + iptables --flush + exitOnError $? + iptables --delete-chain + exitOnError $? + iptables -t nat --flush + exitOnError $? + iptables -t nat --delete-chain exitOnError $? printf "DONE\n" -done -for ip in $VPNIPS; do - printf " * Accept output traffic to $ip on interface eth0, port $PROTOCOL $PORT..." - iptables -A OUTPUT -j ACCEPT -d $ip -o eth0 -p $PROTOCOL -m $PROTOCOL --dport $PORT + printf " * Block output traffic..." + iptables -F OUTPUT + exitOnError $? + iptables -P OUTPUT DROP exitOnError $? printf "DONE\n" -done -printf " * Accept all output traffic on tun0 interface..." -iptables -A OUTPUT -o tun0 -j ACCEPT -exitOnError $? -printf "DONE\n" + printf " * Accept established and related output traffic..." + iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT + exitOnError $? + printf "DONE\n" + printf " * Accept local loopback output traffic..." + iptables -A OUTPUT -o lo -j ACCEPT + exitOnError $? + printf "DONE\n" + printf " * Accept output traffic with local subnet $SUBNET..." + iptables -A OUTPUT -d $SUBNET -j ACCEPT + exitOnError $? + printf "DONE\n" + for EXTRASUBNET in ${EXTRA_SUBNETS//,/ } + do + printf " * Accept output traffic with extra subnet $EXTRASUBNET..." + iptables -A OUTPUT -d $EXTRASUBNET -j ACCEPT + exitOnError $? + printf "DONE\n" + done + for ip in $VPNIPS; do + printf " * Accept output traffic to $ip on interface eth0, port $PROTOCOL $PORT..." + iptables -A OUTPUT -j ACCEPT -d $ip -o eth0 -p $PROTOCOL -m $PROTOCOL --dport $PORT + exitOnError $? + printf "DONE\n" + done + printf " * Accept all output traffic on tun0 interface..." + iptables -A OUTPUT -o tun0 -j ACCEPT + exitOnError $? + printf "DONE\n" +fi ############################################ # OPENVPN LAUNCH