More modularity and reworked readme

- Docker's init added to avoid zombie processes (i.e. Unbound)
- Added environment variables to enable or disable features: `DOT`, `FIREWALL`
- Reworked readme

Dockerfile

@@ -12,8 +12,8 @@ LABEL org.label-schema.schema-version="1.0.0-rc1" \
     org.label-schema.url="https://github.com/qdm12/private-internet-access-docker" \
     org.label-schema.vcs-description="VPN client to tunnel to private internet access servers using OpenVPN, IPtables, DNS over TLS and Alpine Linux" \
     org.label-schema.vcs-usage="https://github.com/qdm12/private-internet-access-docker/blob/master/README.md#setup" \
-    org.label-schema.docker.cmd="docker run -d --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
+    org.label-schema.docker.cmd="docker run -d --init --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
-    org.label-schema.docker.cmd.devel="docker run -it --rm --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
+    org.label-schema.docker.cmd.devel="docker run -it --rm --init --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
     org.label-schema.docker.params="REGION=PIA region,PROTOCOL=udp/tcp,ENCRYPTION=strong/normal,BLOCK_MALICIOUS=on/off,BLOCK_NSA=on/off,UNBLOCK=allowed hostnames,USER=PIA user,PASSWORD=PIA password,EXTRA_SUBNETS=extra subnets to allow on the firewall,NONROOT=yes/no" \
     org.label-schema.version="" \
     image-size="19.8MB" \
@@ -24,11 +24,13 @@ ENV USER= \
     ENCRYPTION=strong \
     PROTOCOL=udp \
     REGION="CA Montreal" \
+    NONROOT=no \
+    DOT=on \
     BLOCK_MALICIOUS=off \
     BLOCK_NSA=off \
     UNBLOCK= \
-    EXTRA_SUBNETS= \
+    FIREWALL=on \
-    NONROOT=no
+    EXTRA_SUBNETS=
 ENTRYPOINT /entrypoint.sh
 HEALTHCHECK --interval=3m --timeout=3s --start-period=20s --retries=1 CMD /healthcheck.sh
 RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip && \

README.md

@@ -41,10 +41,12 @@
     - [Destination region](https://www.privateinternetaccess.com/pages/network)
     - Internet protocol
     - Level of encryption
-    - Username and password
+    - PIA Username and password
+    - DNS over TLS
     - Malicious DNS blocking
-    - Extra subnets allowed by firewall
+    - Internal firewall
     - Run openvpn without root (but will give reconnect problems)
+    - Run openvpn without root
 
     </p></details>
 - Connect other containers to it, [see this](https://github.com/qdm12/private-internet-access-docker#connect-to-it)
@@ -109,7 +111,7 @@
 1. Launch the container with:
 
     ```bash
-    docker run -d --name=pia --cap-add=NET_ADMIN --device=/dev/net/tun \
+    docker run -d --init --name=pia --cap-add=NET_ADMIN --device=/dev/net/tun \
     -e REGION="CA Montreal" -e USER=js89ds7 -e PASSWORD=8fd9s239G \
     qmcgaw/private-internet-access
     ```
@@ -120,7 +122,7 @@
     docker-compose up -d
     ```
 
-    Note that you can change all the [environment variables](#environment-variables)
+    Note that you can change all the [environment variables](#environment-variables).
 
 ## Testing
 
@@ -140,10 +142,12 @@ docker run --rm --network=container:pia alpine:3.10 wget -qO- https://ipinfo.io
 | `USER` | | Your PIA username |
 | `PASSWORD` | | Your PIA password |
 | `NONROOT` | `no` | Run OpenVPN without root, `yes` or `no` |
-| `EXTRA_SUBNETS` | | comma separated subnets allowed in the container firewall (i.e. `192.168.1.0/24,192.168.10.121,10.0.0.5/28`) |
+| `DOT` | `on` | `on` or `off`, to activate DNS over TLS to 1.1.1.1 |
 | `BLOCK_MALICIOUS` | `off` | `on` or `off`, blocks malicious hostnames and IPs |
 | `BLOCK_NSA` | `off` | `on` or `off`, blocks NSA hostnames |
 | `UNBLOCK` | | comma separated string (i.e. `web.com,web2.ca`) to unblock hostnames |
+| `FIREWALL` | `on` | `on` or `off`, to switch the internal killswitch firewall (should be left `on`) |
+| `EXTRA_SUBNETS` | | comma separated subnets allowed in the container firewall (i.e. `192.168.1.0/24,192.168.10.121,10.0.0.5/28`) |
 
 ## Connect to it
 

docker-compose.yml

@@ -9,6 +9,7 @@ services:
     devices:
       - /dev/net/tun
     network_mode: bridge
+    init: true
     environment:
       - USER=js89ds7
       - PASSWORD=8fd9s239G

entrypoint.sh

@@ -30,7 +30,7 @@ exitIfNotIn(){
       return 0
     fi
   done
-  printf "Environment variable $1=$var must be one of the following: "
+  printf "Environment variable $1 cannot be '$var' and must be one of the following: "
   for value in ${2//,/ }
   do
     printf "$value "
@@ -57,8 +57,6 @@ exitIfUnset USER
 exitIfUnset PASSWORD
 exitIfNotIn ENCRYPTION "normal,strong"
 exitIfNotIn PROTOCOL "tcp,udp"
-exitIfNotIn BLOCK_MALICIOUS "on,off"
-exitIfNotIn BLOCK_NSA "on,off"
 exitIfNotIn NONROOT "yes,no"
 cat "/openvpn/$PROTOCOL-$ENCRYPTION/$REGION.ovpn" &> /dev/null
 exitOnError $? "/openvpn/$PROTOCOL-$ENCRYPTION/$REGION.ovpn is not accessible"
@@ -68,6 +66,19 @@ for SUBNET in ${EXTRA_SUBNETS//,/ }; do
     exit 1
   fi
 done
+exitIfNotIn DOT "on,off"
+exitIfNotIn BLOCK_MALICIOUS "on,off"
+exitIfNotIn BLOCK_NSA "on,off"
+if [ "$DOT" == "off" ]; then
+  if [ "$BLOCK_MALICIOUS" == "on" ]; then
+    printf "DOT is off so BLOCK_MALICIOUS cannot be on\n"
+    exit 1
+  elif [ "$BLOCK_NSA" == "on" ]; then
+    printf "DOT is off so BLOCK_NSA cannot be on\n"
+    exit 1
+  fi
+fi
+exitIfNotIn FIREWALL "on,off"
 
 #####################################################
 # Writes to protected file and remove USER, PASSWORD
@@ -103,40 +114,45 @@ printf "TUN device OK\n"
 ############################################
 # BLOCKING MALICIOUS HOSTNAMES AND IPs WITH UNBOUND
 ############################################
-printf "Malicious hostnames and ips blocking is $BLOCK_MALICIOUS\n"
+if [ "$DOT" == "on" ]; then
-rm -f /etc/unbound/blocks-malicious.conf
+  printf "Malicious hostnames and ips blocking is $BLOCK_MALICIOUS\n"
-if [ "$BLOCK_MALICIOUS" = "on" ]; then
+  rm -f /etc/unbound/blocks-malicious.conf
-  tar -xjf /etc/unbound/blocks-malicious.bz2 -C /etc/unbound/
+  if [ "$BLOCK_MALICIOUS" = "on" ]; then
-  printf "$(cat /etc/unbound/blocks-malicious.conf | grep "local-zone" | wc -l ) malicious hostnames and $(cat /etc/unbound/blocks-malicious.conf | grep "private-address" | wc -l) malicious IP addresses blacklisted\n"
+    tar -xjf /etc/unbound/blocks-malicious.bz2 -C /etc/unbound/
-else
+    printf "$(cat /etc/unbound/blocks-malicious.conf | grep "local-zone" | wc -l ) malicious hostnames and $(cat /etc/unbound/blocks-malicious.conf | grep "private-address" | wc -l) malicious IP addresses blacklisted\n"
-  echo "" > /etc/unbound/blocks-malicious.conf
+  else
+    echo "" > /etc/unbound/blocks-malicious.conf
+  fi
+  if [ "$BLOCK_NSA" = "on" ]; then
+    tar -xjf /etc/unbound/blocks-nsa.bz2 -C /etc/unbound/
+    printf "$(cat /etc/unbound/blocks-nsa.conf | grep "local-zone" | wc -l ) NSA hostnames blacklisted\n"
+    cat /etc/unbound/blocks-nsa.conf >> /etc/unbound/blocks-malicious.conf
+    rm /etc/unbound/blocks-nsa.conf
+    sort -u -o /etc/unbound/blocks-malicious.conf /etc/unbound/blocks-malicious.conf
+  fi
+  for hostname in ${UNBLOCK//,/ }
+  do
+    printf "Unblocking hostname $hostname\n"
+    sed -i "/$hostname/d" /etc/unbound/blocks-malicious.conf
+  done
 fi
-if [ "$BLOCK_NSA" = "on" ]; then
-  tar -xjf /etc/unbound/blocks-nsa.bz2 -C /etc/unbound/
-  printf "$(cat /etc/unbound/blocks-nsa.conf | grep "local-zone" | wc -l ) NSA hostnames blacklisted\n"
-  cat /etc/unbound/blocks-nsa.conf >> /etc/unbound/blocks-malicious.conf
-  rm /etc/unbound/blocks-nsa.conf
-  sort -u -o /etc/unbound/blocks-malicious.conf /etc/unbound/blocks-malicious.conf
-fi
-for hostname in ${UNBLOCK//,/ }
-do
-  printf "Unblocking hostname $hostname\n"
-  sed -i "/$hostname/d" /etc/unbound/blocks-malicious.conf
-done
 
 ############################################
 # SETTING DNS OVER TLS TO 1.1.1.1 / 1.0.0.1
 ############################################
-printf "Launching Unbound daemon to connect to Cloudflare DNS 1.1.1.1 at its TLS endpoint..."
+printf "DNS over TLS is $DOT\n"
-unbound
+if [ "$DOT" == "on" ]; then
-exitOnError $?
+  printf "Launching Unbound daemon to connect to Cloudflare DNS 1.1.1.1 at its TLS endpoint..."
-printf "DONE\n"
+  unbound
-printf "Changing DNS to localhost..."
+  exitOnError $?
-echo "nameserver 127.0.0.1" > /etc/resolv.conf
+  printf "DONE\n"
-exitOnError $?
+  printf "Changing DNS to localhost..."
-echo "options ndots:0" >> /etc/resolv.conf
+  echo "nameserver 127.0.0.1" > /etc/resolv.conf
-exitOnError $?
+  exitOnError $?
-printf "DONE\n"
+  echo "options ndots:0" >> /etc/resolv.conf
+  exitOnError $?
+  printf "DONE\n"
+fi
 
 ############################################
 # Reading chosen OpenVPN configuration
@@ -204,56 +220,59 @@ printf "DONE\n"
 ############################################
 # FIREWALL
 ############################################
-printf "Setting firewall for killswitch purposes...\n"
+printf "Firewall is $FIREWALL\n"
-printf " * Detecting local subnet..."
+if [ "$FIREWALL" == "on" ]; then
-SUBNET=$(ip route show | tail -n 1 | cut -d" " -f 1)
+  printf "Setting firewall for killswitch purposes...\n"
-exitOnError $?
+  printf " * Detecting local subnet..."
-printf "$SUBNET\n"
+  SUBNET=$(ip route show | tail -n 1 | cut -d" " -f 1)
-printf " * Deleting all iptables rules..."
+  exitOnError $?
-iptables --flush
+  printf "$SUBNET\n"
-exitOnError $?
+  printf " * Deleting all iptables rules..."
-iptables --delete-chain
+  iptables --flush
-exitOnError $?
+  exitOnError $?
-iptables -t nat --flush
+  iptables --delete-chain
-exitOnError $?
+  exitOnError $?
-iptables -t nat --delete-chain
+  iptables -t nat --flush
-exitOnError $?
+  exitOnError $?
-printf "DONE\n"
+  iptables -t nat --delete-chain
-printf " * Block output traffic..."
-iptables -F OUTPUT
-exitOnError $?
-iptables -P OUTPUT DROP
-exitOnError $?
-printf "DONE\n"
-printf " * Accept established and related output traffic..."
-iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-exitOnError $?
-printf "DONE\n"
-printf " * Accept local loopback output traffic..."
-iptables -A OUTPUT -o lo -j ACCEPT
-exitOnError $?
-printf "DONE\n"
-printf " * Accept output traffic with local subnet $SUBNET..."
-iptables -A OUTPUT -d $SUBNET -j ACCEPT
-exitOnError $?
-printf "DONE\n"
-for EXTRASUBNET in ${EXTRA_SUBNETS//,/ }
-do
-  printf " * Accept output traffic with extra subnet $EXTRASUBNET..."
-  iptables -A OUTPUT -d $EXTRASUBNET -j ACCEPT
   exitOnError $?
   printf "DONE\n"
-done
+  printf " * Block output traffic..."
-for ip in $VPNIPS; do
+  iptables -F OUTPUT
-  printf " * Accept output traffic to $ip on interface eth0, port $PROTOCOL $PORT..."
+  exitOnError $?
-  iptables -A OUTPUT -j ACCEPT -d $ip -o eth0 -p $PROTOCOL -m $PROTOCOL --dport $PORT
+  iptables -P OUTPUT DROP
   exitOnError $?
   printf "DONE\n"
-done
+  printf " * Accept established and related output traffic..."
-printf " * Accept all output traffic on tun0 interface..."
+  iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-iptables -A OUTPUT -o tun0 -j ACCEPT
+  exitOnError $?
-exitOnError $?
+  printf "DONE\n"
-printf "DONE\n"
+  printf " * Accept local loopback output traffic..."
+  iptables -A OUTPUT -o lo -j ACCEPT
+  exitOnError $?
+  printf "DONE\n"
+  printf " * Accept output traffic with local subnet $SUBNET..."
+  iptables -A OUTPUT -d $SUBNET -j ACCEPT
+  exitOnError $?
+  printf "DONE\n"
+  for EXTRASUBNET in ${EXTRA_SUBNETS//,/ }
+  do
+    printf " * Accept output traffic with extra subnet $EXTRASUBNET..."
+    iptables -A OUTPUT -d $EXTRASUBNET -j ACCEPT
+    exitOnError $?
+    printf "DONE\n"
+  done
+  for ip in $VPNIPS; do
+    printf " * Accept output traffic to $ip on interface eth0, port $PROTOCOL $PORT..."
+    iptables -A OUTPUT -j ACCEPT -d $ip -o eth0 -p $PROTOCOL -m $PROTOCOL --dport $PORT
+    exitOnError $?
+    printf "DONE\n"
+  done
+  printf " * Accept all output traffic on tun0 interface..."
+  iptables -A OUTPUT -o tun0 -j ACCEPT
+  exitOnError $?
+  printf "DONE\n"
+fi
 
 ############################################
 # OPENVPN LAUNCH