More modularity and reworked readme

- Docker's init added to avoid zombie processes (i.e. Unbound)
- Added environment variables to enable or disable features: `DOT`, `FIREWALL`
- Reworked readme
Quentin McGaw
2019-06-27 13:10:51 +02:00
parent 62f4cc56b4
commit 95e69b5c9c
4 changed files with 113 additions and 87 deletions

View File

@@ -12,8 +12,8 @@ LABEL org.label-schema.schema-version="1.0.0-rc1" \
org.label-schema.url="https://github.com/qdm12/private-internet-access-docker" \ org.label-schema.url="https://github.com/qdm12/private-internet-access-docker" \
org.label-schema.vcs-description="VPN client to tunnel to private internet access servers using OpenVPN, IPtables, DNS over TLS and Alpine Linux" \ org.label-schema.vcs-description="VPN client to tunnel to private internet access servers using OpenVPN, IPtables, DNS over TLS and Alpine Linux" \
org.label-schema.vcs-usage="https://github.com/qdm12/private-internet-access-docker/blob/master/README.md#setup" \ org.label-schema.vcs-usage="https://github.com/qdm12/private-internet-access-docker/blob/master/README.md#setup" \
org.label-schema.docker.cmd="docker run -d --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \ org.label-schema.docker.cmd="docker run -d --init --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
org.label-schema.docker.cmd.devel="docker run -it --rm --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \ org.label-schema.docker.cmd.devel="docker run -it --rm --init --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
org.label-schema.docker.params="REGION=PIA region,PROTOCOL=udp/tcp,ENCRYPTION=strong/normal,BLOCK_MALICIOUS=on/off,BLOCK_NSA=on/off,UNBLOCK=allowed hostnames,USER=PIA user,PASSWORD=PIA password,EXTRA_SUBNETS=extra subnets to allow on the firewall,NONROOT=yes/no" \ org.label-schema.docker.params="REGION=PIA region,PROTOCOL=udp/tcp,ENCRYPTION=strong/normal,BLOCK_MALICIOUS=on/off,BLOCK_NSA=on/off,UNBLOCK=allowed hostnames,USER=PIA user,PASSWORD=PIA password,EXTRA_SUBNETS=extra subnets to allow on the firewall,NONROOT=yes/no" \
org.label-schema.version="" \ org.label-schema.version="" \
image-size="19.8MB" \ image-size="19.8MB" \
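Review bot: the `org.label-schema.docker.params` label in this hunk is not updated for the two variables this commit introduces; `DOT=on/off` and `FIREWALL=on/off` should be appended so the label stays in sync with the ENV block and the README table. Separately, both `docker.cmd` labels still carry `-e USER=js89ds7 -e PASSWORD=8fd9s239G` inline; anything passed with `-e` is visible in `docker inspect` output and shell history, so a placeholder value plus a pointer to `--env-file` would be a better example to ship in image metadata.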
@@ -24,11 +24,13 @@ ENV USER= \
ENCRYPTION=strong \ ENCRYPTION=strong \
PROTOCOL=udp \ PROTOCOL=udp \
REGION="CA Montreal" \ REGION="CA Montreal" \
NONROOT=no \
DOT=on \
BLOCK_MALICIOUS=off \ BLOCK_MALICIOUS=off \
BLOCK_NSA=off \ BLOCK_NSA=off \
UNBLOCK= \ UNBLOCK= \
EXTRA_SUBNETS= \ FIREWALL=on \
NONROOT=no EXTRA_SUBNETS=
ENTRYPOINT /entrypoint.sh ENTRYPOINT /entrypoint.sh
HEALTHCHECK --interval=3m --timeout=3s --start-period=20s --retries=1 CMD /healthcheck.sh HEALTHCHECK --interval=3m --timeout=3s --start-period=20s --retries=1 CMD /healthcheck.sh
RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip && \ RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip && \

View File

@@ -41,10 +41,12 @@
- [Destination region](https://www.privateinternetaccess.com/pages/network) - [Destination region](https://www.privateinternetaccess.com/pages/network)
- Internet protocol - Internet protocol
- Level of encryption - Level of encryption
- Username and password - PIA Username and password
- DNS over TLS
- Malicious DNS blocking - Malicious DNS blocking
- Extra subnets allowed by firewall - Internal firewall
- Run openvpn without root (but will give reconnect problems) - Run openvpn without root (but will give reconnect problems)
- Run openvpn without root
</p></details> </p></details>
- Connect other containers to it, [see this](https://github.com/qdm12/private-internet-access-docker#connect-to-it) - Connect other containers to it, [see this](https://github.com/qdm12/private-internet-access-docker#connect-to-it)
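Review bot: the feature list in this hunk ends up with two near-identical bullets, `- Run openvpn without root (but will give reconnect problems)` and `- Run openvpn without root`; keep only one, preferably the one with the caveat, since the README table documents `NONROOT=yes` as causing reconnect problems. Also `PIA Username and password` capitalises Username mid-phrase; `PIA username and password` matches the rest of the list.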
@@ -109,7 +111,7 @@
1. Launch the container with: 1. Launch the container with:
```bash ```bash
docker run -d --name=pia --cap-add=NET_ADMIN --device=/dev/net/tun \ docker run -d --init --name=pia --cap-add=NET_ADMIN --device=/dev/net/tun \
-e REGION="CA Montreal" -e USER=js89ds7 -e PASSWORD=8fd9s239G \ -e REGION="CA Montreal" -e USER=js89ds7 -e PASSWORD=8fd9s239G \
qmcgaw/private-internet-access qmcgaw/private-internet-access
``` ```
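Review bot: the launch example still passes the PIA credentials inline with `-e USER=js89ds7 -e PASSWORD=8fd9s239G`; since this block is what users copy and paste, a sentence next to the new `--init` flag noting that `-e` values end up in shell history and in `docker inspect` output, with `--env-file` as the alternative, would be worth adding.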
@@ -120,7 +122,7 @@
docker-compose up -d docker-compose up -d
``` ```
Note that you can change all the [environment variables](#environment-variables) Note that you can change all the [environment variables](#environment-variables).
## Testing ## Testing
@@ -140,10 +142,12 @@ docker run --rm --network=container:pia alpine:3.10 wget -qO- https://ipinfo.io
| `USER` | | Your PIA username | | `USER` | | Your PIA username |
| `PASSWORD` | | Your PIA password | | `PASSWORD` | | Your PIA password |
| `NONROOT` | `no` | Run OpenVPN without root, `yes` or `no` | | `NONROOT` | `no` | Run OpenVPN without root, `yes` or `no` |
| `EXTRA_SUBNETS` | | comma separated subnets allowed in the container firewall (i.e. `192.168.1.0/24,192.168.10.121,10.0.0.5/28`) | | `DOT` | `on` | `on` or `off`, to activate DNS over TLS to 1.1.1.1 |
| `BLOCK_MALICIOUS` | `off` | `on` or `off`, blocks malicious hostnames and IPs | | `BLOCK_MALICIOUS` | `off` | `on` or `off`, blocks malicious hostnames and IPs |
| `BLOCK_NSA` | `off` | `on` or `off`, blocks NSA hostnames | | `BLOCK_NSA` | `off` | `on` or `off`, blocks NSA hostnames |
| `UNBLOCK` | | comma separated string (i.e. `web.com,web2.ca`) to unblock hostnames | | `UNBLOCK` | | comma separated string (i.e. `web.com,web2.ca`) to unblock hostnames |
| `FIREWALL` | `on` | `on` or `off`, to switch the internal killswitch firewall (should be left `on`) |
| `EXTRA_SUBNETS` | | comma separated subnets allowed in the container firewall (i.e. `192.168.1.0/24,192.168.10.121,10.0.0.5/28`) |
## Connect to it ## Connect to it
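Review bot: the new `DOT` and `FIREWALL` rows document only the `on` case, and two consequences visible elsewhere in this commit belong here. The entrypoint now refuses `BLOCK_MALICIOUS=on` or `BLOCK_NSA=on` when `DOT=off`, so the `DOT` row should say those two settings depend on it; and `FIREWALL=off` skips the whole killswitch setup, so "should be left `on`" should spell out that traffic is no longer confined to the tunnel whenever OpenVPN is down or reconnecting. Minor: the `DOT` row says "DNS over TLS to 1.1.1.1" while the entrypoint comment says 1.1.1.1 / 1.0.0.1; pick one wording.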

View File

@@ -9,6 +9,7 @@ services:
devices: devices:
- /dev/net/tun - /dev/net/tun
network_mode: bridge network_mode: bridge
init: true
environment: environment:
- USER=js89ds7 - USER=js89ds7
- PASSWORD=8fd9s239G - PASSWORD=8fd9s239G
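Review bot: `init: true` is only accepted by compose file format 2.2+ or 3.7+, and the file's `version:` line is outside this hunk; confirm the declared version supports the key, otherwise `docker-compose up` rejects the file with an unsupported-option error rather than silently ignoring it.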

View File

@@ -30,7 +30,7 @@ exitIfNotIn(){
return 0 return 0
fi fi
done done
printf "Environment variable $1=$var must be one of the following: " printf "Environment variable $1 cannot be '$var' and must be one of the following: "
for value in ${2//,/ } for value in ${2//,/ }
do do
printf "$value " printf "$value "
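Review bot: the new message interpolates `$1` and `$var` into the printf format string, so a value containing `%` (or a backslash sequence) is interpreted as a conversion specifier instead of being printed. Use `printf "Environment variable %s cannot be '%s' and must be one of the following: " "$1" "$var"`, and the same `printf "%s " "$value"` form in the loop below it.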
@@ -57,8 +57,6 @@ exitIfUnset USER
exitIfUnset PASSWORD exitIfUnset PASSWORD
exitIfNotIn ENCRYPTION "normal,strong" exitIfNotIn ENCRYPTION "normal,strong"
exitIfNotIn PROTOCOL "tcp,udp" exitIfNotIn PROTOCOL "tcp,udp"
exitIfNotIn BLOCK_MALICIOUS "on,off"
exitIfNotIn BLOCK_NSA "on,off"
exitIfNotIn NONROOT "yes,no" exitIfNotIn NONROOT "yes,no"
cat "/openvpn/$PROTOCOL-$ENCRYPTION/$REGION.ovpn" &> /dev/null cat "/openvpn/$PROTOCOL-$ENCRYPTION/$REGION.ovpn" &> /dev/null
exitOnError $? "/openvpn/$PROTOCOL-$ENCRYPTION/$REGION.ovpn is not accessible" exitOnError $? "/openvpn/$PROTOCOL-$ENCRYPTION/$REGION.ovpn is not accessible"
@@ -68,6 +66,19 @@ for SUBNET in ${EXTRA_SUBNETS//,/ }; do
exit 1 exit 1
fi fi
done done
exitIfNotIn DOT "on,off"
exitIfNotIn BLOCK_MALICIOUS "on,off"
exitIfNotIn BLOCK_NSA "on,off"
if [ "$DOT" == "off" ]; then
if [ "$BLOCK_MALICIOUS" == "on" ]; then
printf "DOT is off so BLOCK_MALICIOUS cannot be on\n"
exit 1
elif [ "$BLOCK_NSA" == "on" ]; then
printf "DOT is off so BLOCK_NSA cannot be on\n"
exit 1
fi
fi
exitIfNotIn FIREWALL "on,off"
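Review bot: the `DOT`/`BLOCK_*` dependency check is right, but the new tests use `==` inside single-bracket `[ ]` while the existing `BLOCK_MALICIOUS` test later in this file uses `=`; `=` is the POSIX form and `==` is a bash/ksh extension, so standardise on `=` (the `apk add` line in the Dockerfile installs no bash, so the script should not rely on bash-only syntax). The two error branches could also collapse into one message naming both variables, since they have the same cause.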
##################################################### #####################################################
# Writes to protected file and remove USER, PASSWORD # Writes to protected file and remove USER, PASSWORD
@@ -103,6 +114,7 @@ printf "TUN device OK\n"
############################################ ############################################
# BLOCKING MALICIOUS HOSTNAMES AND IPs WITH UNBOUND # BLOCKING MALICIOUS HOSTNAMES AND IPs WITH UNBOUND
############################################ ############################################
if [ "$DOT" == "on" ]; then
printf "Malicious hostnames and ips blocking is $BLOCK_MALICIOUS\n" printf "Malicious hostnames and ips blocking is $BLOCK_MALICIOUS\n"
rm -f /etc/unbound/blocks-malicious.conf rm -f /etc/unbound/blocks-malicious.conf
if [ "$BLOCK_MALICIOUS" = "on" ]; then if [ "$BLOCK_MALICIOUS" = "on" ]; then
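Review bot: the new `if [ "$DOT" == "on" ]; then` opens a conditional whose body (the `printf`, `rm -f` and the `BLOCK_MALICIOUS` test) keeps its old indentation and whose matching `fi` lands in the next hunk, so the block now governed by `DOT` is hard to spot when reading the script; indent the body or move the blocking logic into a function called from the `DOT` branch.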
@@ -123,10 +135,13 @@ do
printf "Unblocking hostname $hostname\n" printf "Unblocking hostname $hostname\n"
sed -i "/$hostname/d" /etc/unbound/blocks-malicious.conf sed -i "/$hostname/d" /etc/unbound/blocks-malicious.conf
done done
fi
############################################ ############################################
# SETTING DNS OVER TLS TO 1.1.1.1 / 1.0.0.1 # SETTING DNS OVER TLS TO 1.1.1.1 / 1.0.0.1
############################################ ############################################
printf "DNS over TLS is $DOT\n"
if [ "$DOT" == "on" ]; then
printf "Launching Unbound daemon to connect to Cloudflare DNS 1.1.1.1 at its TLS endpoint..." printf "Launching Unbound daemon to connect to Cloudflare DNS 1.1.1.1 at its TLS endpoint..."
unbound unbound
exitOnError $? exitOnError $?
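Review bot: `sed -i "/$hostname/d" /etc/unbound/blocks-malicious.conf` (context line just above the new `fi`) uses each `UNBLOCK` entry as an unescaped regex: `.` matches any character, so `web.com` also removes entries such as `webXcom`, and a `/` in a value breaks the expression. Escape regex metacharacters (at least `.` and `/`) before interpolating, or filter with `grep -vF` into a temporary file. The new `printf "DNS over TLS is $DOT\n"` is also a variable inside a format string; `printf "DNS over TLS is %s\n" "$DOT"` is the safe form.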
@@ -137,6 +152,7 @@ exitOnError $?
echo "options ndots:0" >> /etc/resolv.conf echo "options ndots:0" >> /etc/resolv.conf
exitOnError $? exitOnError $?
printf "DONE\n" printf "DONE\n"
fi
############################################ ############################################
# Reading chosen OpenVPN configuration # Reading chosen OpenVPN configuration
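Review bot: when `DOT=off` this whole branch is skipped, so `/etc/resolv.conf` stays as Docker injected it and every lookup goes out in plaintext to that resolver. That is the trade-off the user opted into, but the only trace of it in the log is "DNS over TLS is off"; an `else` branch that warns that DNS queries will be sent unencrypted to the resolvers already in `/etc/resolv.conf` would prevent surprises.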
@@ -204,6 +220,8 @@ printf "DONE\n"
############################################ ############################################
# FIREWALL # FIREWALL
############################################ ############################################
printf "Firewall is $FIREWALL\n"
if [ "$FIREWALL" == "on" ]; then
printf "Setting firewall for killswitch purposes...\n" printf "Setting firewall for killswitch purposes...\n"
printf " * Detecting local subnet..." printf " * Detecting local subnet..."
SUBNET=$(ip route show | tail -n 1 | cut -d" " -f 1) SUBNET=$(ip route show | tail -n 1 | cut -d" " -f 1)
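Review bot: with `FIREWALL=off` the script prints only "Firewall is off" and proceeds to the OpenVPN launch, yet the README calls this the killswitch; add an `else` branch that warns that traffic will leave the container outside the tunnel whenever OpenVPN is down or reconnecting. Separately, `SUBNET=$(ip route show | tail -n 1 | cut -d" " -f 1)` (context line) assumes the local subnet is always the last route, which may not hold for a container attached to more than one network.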
@@ -254,6 +272,7 @@ printf " * Accept all output traffic on tun0 interface..."
iptables -A OUTPUT -o tun0 -j ACCEPT iptables -A OUTPUT -o tun0 -j ACCEPT
exitOnError $? exitOnError $?
printf "DONE\n" printf "DONE\n"
fi
############################################ ############################################
# OPENVPN LAUNCH # OPENVPN LAUNCH
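Review bot: the `fi` added here closes the `if [ "$FIREWALL" == "on" ]` opened some 50 lines earlier, with every iptables rule in between left unindented at column zero; as with the DOT block, wrapping the rules in a `setup_firewall` function and calling it from a two-line conditional would keep the control flow readable and leave a single place to fix the `==`/`=` inconsistency.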