From 9c6afff973a3e3b4b226af9ccc7f23d35dbe7367 Mon Sep 17 00:00:00 2001
From: Quentin McGaw
Date: Wed, 14 Nov 2018 16:25:23 +0200
Subject: [PATCH] Healthcheck checks your IP is in the VPN configuration file

---
 Dockerfile | 4 ++--
 README.md | 17 ++++++++---------
 entrypoint.sh | 8 --------
 3 files changed, 10 insertions(+), 19 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 36dfaa87..50db49d6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -26,8 +26,8 @@ ENV USER= \
 BLOCK_MALICIOUS=off \
 EXTRA_SUBNETS=
 ENTRYPOINT /entrypoint.sh
-HEALTHCHECK --interval=5m --timeout=15s --start-period=10s --retries=2 \
-  CMD [ "$(wget -qqO- 'https://duckduckgo.com/?q=what+is+my+ip' | grep -ow 'Your IP address is [0-9.]*[0-9]' | grep -ow '[0-9][0-9.]*')" != "$INITIAL_IP" ] || exit 1
+HEALTHCHECK --interval=5m --timeout=5s --start-period=15s --retries=1 \
+  CMD grep -Fq "$(wget -qO- 'https://duckduckgo.com/?q=what+is+my+ip' | grep -oE 'Your IP address is [0-9.]*[0-9]' | grep -oE '[0-9][0-9.]*')" "/openvpn-$PROTOCOL-$ENCRYPTION/$REGION.ovpn"
 RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip && \
   wget -q https://www.privateinternetaccess.com/openvpn/openvpn.zip \
   https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip \
diff --git a/README.md b/README.md
index e126f942..23f7d364 100644
--- a/README.md
+++ b/README.md
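Review bot: The new CMD reports healthy whenever the IP lookup returns nothing, because an empty command substitution turns the check into `grep -Fq ""`, which matches every line of a non-empty .ovpn file, so a failed or blocked wget (DuckDuckGo unreachable, page markup changed, timeout) is indistinguishable from a correct VPN IP and the healthcheck fails open. Store the lookup result, reject an empty value before grepping, and anchor the match with -w so that `1.2.3.4` does not also satisfy `11.2.3.4` or `1.2.3.45`: `CMD ip="$(wget -qO- 'https://duckduckgo.com/?q=what+is+my+ip' | grep -oE 'Your IP address is [0-9.]*[0-9]' | grep -oE '[0-9][0-9.]*')"; [ -n "$ip" ] && grep -Fwq -- "$ip" "/openvpn-$PROTOCOL-$ENCRYPTION/$REGION.ovpn" || exit 1`. The trailing `|| exit 1` also keeps grep's exit status 2 (for example a missing file) out of the healthcheck result, since Docker reserves that code. This assumes the .ovpn file at that path contains literal server IPs rather than hostnames, as the README wording in this commit implies; if its remote lines are hostnames the check can never pass, which is worth confirming. PROTOCOL, ENCRYPTION and REGION are presumably defined in the ENV instruction that begins before this hunk.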
@@ -42,20 +42,19 @@ It is based on:
 - Connect other containers to it
 - The *iptables* firewall allows traffic only with needed PIA servers (IP addresses, port, protocol) combination
 - OpenVPN restarts on failure using another PIA IP address for the same region
-- Docker healthchecks using [duckduckgo.com](https://duckduckgo.com) to obtain your public IP address and compare it with your initial non-VPN IP address
+- Docker healthchecks using [duckduckgo.com](https://duckduckgo.com) to obtain your public IP address and compare it with PIA Ips in configuration file
 - Openvpn and Unbound do not run as root
 ## Requirements
 - A Private Internet Access **username** and **password** - [Sign up](https://www.privateinternetaccess.com/pages/buy-vpn/)
 - [Docker](https://docs.docker.com/install/) installed on the host
-- If you use a firewall on the host:
-  - Allow outgoing TCP port 853 for Cloudflare DNS over TLS initial resolution of PIA server domain name, **you should then BLOCK it**
-  - Allow outgoing TCP port 443 for querying duckduckgo.com to obtain the initial IP address *only at the start of the container*, **you should then BLOCK it**
-  - Allow outgoing TCP port 501 for TCP strong encryption
-  - Allow outgoing TCP port 502 for TCP normal encryption
-  - Allow outgoing UDP port 1197 for UDP strong encryption
-  - Allow outgoing UDP port 1198 for UDP normal encryption
+- If you use a strict firewall on the host/router:
+  - Allow outbound TCP 853 to 1.1.1.1 to allow Unbound to resolve the PIA domain name at start. You can then block it once the container is started.
+  - For UDP strong encryption, allow outbound UDP 1197
+  - For UDP normal encryption, allow outbound UDP 1198
+  - For TCP strong encryption, allow outbound TCP 501
+  - For TCP normal encryption, allow outbound TCP 502
 ## Setup
@@ -98,7 +97,7 @@ It is based on:
 ## Testing
-You can simply use the Docker healthcheck. The container will mark itself as **unhealthy** if the public IP address is the same as your initial public IP address. Otherwise you can follow these instructions:
+You can simply use the Docker healthcheck. The container will mark itself as **unhealthy** if the public IP address is not part of the PIA IPs. Otherwise you can follow these instructions:
 1. Check your host IP address with:
diff --git a/entrypoint.sh b/entrypoint.sh
index 720dd594..d0e264c2 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -119,14 +119,6 @@ echo "options ndots:0" >> /etc/resolv.conf
 exitOnError $?
 printf "DONE\n"
-############################################
-# ORIGINAL IP FOR HEALTHCHECK
-############################################
-printf "Getting non VPN public IP address..."
-export INITIAL_IP=$(wget -qO- 'https://duckduckgo.com/?q=what+is+my+ip' | grep -o 'Your IP address is [0-9.]*[0-9]' | grep -o '[0-9][0-9.]*')
-exitOnError $?
-printf "$INITIAL_IP\n"
-
 ############################################
 # FIREWALL
 ############################################