Moved DNS over TLS at start as DNS is required in firewall anyway
@@ -1,7 +1,7 @@
FROM alpine:3.8
LABEL maintainer="quentin.mcgaw@gmail.com" \
description="VPN client to private internet access servers using OpenVPN, IPtables firewall, DNS over TLS with Unbound and Alpine Linux" \
download="???MB" \
download="6.6MB" \
size="15.7MB" \
ram="13MB" \
cpu_usage="Low" \
@@ -29,5 +29,4 @@ RUN apk add -q --progress --no-cache --update openvpn ca-certificates iptables i
addgroup -S nonrootusers && adduser -S nonrootuser -G nonrootusers
COPY unbound.conf /etc/unbound/unbound.conf
COPY entrypoint.sh /
RUN chmod +x entrypoint.sh
ENTRYPOINT /entrypoint.sh
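Review bot: `ENTRYPOINT /entrypoint.sh` on the last line of the second hunk is shell form, so the script is launched through `/bin/sh -c` and, unless that shell happens to exec it, is not PID 1 and may not receive the SIGTERM that `docker stop` sends; the exec form `ENTRYPOINT ["/entrypoint.sh"]` avoids this. The hunk header says one line was removed at this spot (-29,5 +29,4) but the rendered page does not show which, so this note is only about the retained line. Both hunks of this file are fragments of a longer Dockerfile that continues outside the view.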
@@ -24,7 +24,7 @@ A killswitch is implemented with the *iptables* firewall, only allowing traffic
| Download size | Image size | RAM usage | CPU usage |
| --- | --- | --- | --- |
| ???MB | 15.7MB | 14MB | Low |
| 6.6MB | 15.7MB | 14MB | Low |
## Features
@@ -42,6 +42,8 @@ A killswitch is implemented with the *iptables* firewall, only allowing traffic
- A Private Internet Access **username** and **password** - [Sign up](https://www.privateinternetaccess.com/pages/buy-vpn/)
- [Docker](https://docs.docker.com/install/) installed on the host
- If you use an advanced firewall:
- Allow outgoing TCP port 853 for Cloudflare DNS over TLS initial resolution of PIA server domain name.
- Allow outgoing TCP port 443 for querying duckduckgo to obtain the initial IP address for the healthcheck.
- Allow outgoing TCP port 501 for TCP strong encryption
- Allow outgoing TCP port 502 for TCP normal encryption
- Allow outgoing UDP port 1197 for UDP strong encryption
@@ -19,6 +19,17 @@ do
done
printf "\nTUN device is opened"
############################################
# SETTING DNS OVER TLS TO 1.1.1.1 / 1.0.0.1
############################################
printf "\nLaunching Unbound daemon to connect to Cloudflare DNS 1.1.1.1 at its TLS endpoint..."
unbound
printf "DONE"
printf "\nChanging DNS to localhost..."
echo "nameserver 127.0.0.1" > /etc/resolv.conf
echo "options ndots:0" >> /etc/resolv.conf
printf "DONE"
############################################
# ORIGINAL IP FOR HEALTHCHECK
############################################
@@ -85,17 +96,6 @@ printf "DONE"
#ip6tables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null
#printf "DONE"
############################################
# SETTING DNS OVER TLS TO 1.1.1.1 / 1.0.0.1
############################################
printf "\nLaunching Unbound daemon to connect to Cloudflare DNS 1.1.1.1 at its TLS endpoint..."
unbound
printf "DONE"
printf "\nChanging DNS to localhost..."
echo "nameserver 127.0.0.1" > /etc/resolv.conf
echo "options ndots:0" >> /etc/resolv.conf
printf "DONE"
############################################
# USE NON-ROOT USER
############################################
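Review bot: In the block added by the first hunk of this file (old line 19 onward), `unbound` is started and `printf "DONE"` follows unconditionally, and /etc/resolv.conf is then pointed at 127.0.0.1 regardless of whether the resolver came up, so a startup failure (bad config, port already bound) leaves every later name lookup in the script failing with no indication of the real cause. Now that this block runs before the firewall and VPN setup, every subsequent step depends on it, which makes the exit-status check worth its one line: `unbound || { printf "\nERROR: Unbound failed to start\n"; exit 1; }`. This presumably catches only immediate failures, since unbound appears to be launched as a daemon here; a test lookup against 127.0.0.1 after the resolv.conf change would be a stronger gate. The second hunk of this file (old lines 85–101) deletes the identical block from its former position, so it is the move itself and raises nothing new. The script continues outside both hunks.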