Openvpn runs as non root user and tries all IP addresses

Quentin McGaw
2018-10-05 12:43:16 +02:00
parent b73ad75cde
commit e0f201a334
2 changed files with 42 additions and 36 deletions


@@ -85,7 +85,8 @@ RUN apk add -q --progress --no-cache --update openvpn ca-certificates iptables u
unzip -q openvpn-strong-tcp.zip -d /openvpn-tcp-strong && \ unzip -q openvpn-strong-tcp.zip -d /openvpn-tcp-strong && \
apk del -q --progress --purge build-dependencies && \ apk del -q --progress --purge build-dependencies && \
rm -rf /*.zip /var/cache/apk/* /etc/unbound/unbound.conf && \ rm -rf /*.zip /var/cache/apk/* /etc/unbound/unbound.conf && \
chown unbound /etc/unbound/root.key chown unbound /etc/unbound/root.key && \
adduser -S nonrootuser
COPY unbound.conf /etc/unbound/unbound.conf COPY unbound.conf /etc/unbound/unbound.conf
COPY entrypoint.sh / COPY entrypoint.sh /
RUN chmod +x /entrypoint.sh RUN chmod +x /entrypoint.sh
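Review bot: `adduser -S nonrootuser` on the new last line of the RUN instruction leaves password, home directory and login shell to the busybox defaults, although the account exists only so OpenVPN can drop privileges with `--user nonrootuser` (entrypoint.sh in this same commit). Make the intent explicit with `adduser -S -D -H -s /sbin/nologin nonrootuser`, which locks the password, skips creating a home directory and denies interactive login; I am inferring the defaults rather than reading them from the page, so confirm the flag set against the busybox adduser shipped in the base image. The RUN instruction starts before this hunk, and the image still runs as root at build and start time (no USER line), which is expected since the entrypoint configures tun and iptables before OpenVPN drops privileges.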


@@ -7,15 +7,13 @@ printf "\n ========================================="
printf "\n =========================================" printf "\n ========================================="
printf "\n == by github.com/qdm12 - Quentin McGaw ==\n" printf "\n == by github.com/qdm12 - Quentin McGaw ==\n"
cd /openvpn-$PROTOCOL-$ENCRYPTION
############################################ ############################################
# CHECK FOR TUN DEVICE # CHECK FOR TUN DEVICE
############################################ ############################################
while [ "$(cat /dev/net/tun 2>&1 /dev/null)" != "cat: read error: File descriptor in bad state" ]; while [ "$(cat /dev/net/tun 2>&1 /dev/null)" != "cat: read error: File descriptor in bad state" ];
do do
printf "\nTUN device is not opened, sleeping for 30 seconds..." printf "\nTUN device is not opened, sleeping for 30 seconds...";
sleep 30 sleep 30;
done done
printf "\nTUN device is opened" printf "\nTUN device is opened"
@@ -72,17 +70,22 @@ PORT=$(echo $CONNECTIONSTRING | cut -d' ' -f3)
if [[ "$PORT" == "" ]]; then printf "Port could not be extracted from configuration file\n"; exit 1; fi if [[ "$PORT" == "" ]]; then printf "Port could not be extracted from configuration file\n"; exit 1; fi
PIADOMAIN=$(echo $CONNECTIONSTRING | cut -d' ' -f2) PIADOMAIN=$(echo $CONNECTIONSTRING | cut -d' ' -f2)
if [[ "$PIADOMAIN" == "" ]]; then printf "Port could not be extracted from configuration file\n"; exit 1; fi if [[ "$PIADOMAIN" == "" ]]; then printf "Port could not be extracted from configuration file\n"; exit 1; fi
sed -i '/^remote $PIADOMAIN $PORT/d' "/openvpn-$PROTOCOL-$ENCRYPTION/$REGION.ovpn" && \
printf "\n * Port: $PORT" printf "\n * Port: $PORT"
printf "\n * Domain: $PIADOMAIN" printf "\n * Domain: $PIADOMAIN"
printf "\n * Detecting IP addresses corresponding to $PIADOMAIN..." printf "\n * Detecting IP addresses corresponding to $PIADOMAIN..."
VPNIPS=$(nslookup $PIADOMAIN localhost | tail -n +5 | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}') VPNIPS=$(nslookup $PIADOMAIN localhost | tail -n +5 | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}')
status=$? status=$?
if [[ "$status" != 0 ]]; then printf "ERROR with status code $status\nSleeping for 10 seconds before exit...\n"; sleep 10; exit $status; fi if [[ "$status" != 0 ]]; then printf "ERROR with status code $status\nSleeping for 10 seconds before exit...\n"; sleep 10; exit $status; fi
VPNIPSLENGTH=0
for ip in $VPNIPS for ip in $VPNIPS
do do
printf "\n $ip" printf "\n $ip"
VPNIPSLENGTH=$((VPNIPSLENGTH+1)) done
printf "\n * Adding IP addresses of $PIADOMAIN to /openvpn-$PROTOCOL-$ENCRYPTION/$REGION.ovpn..."
for ip in $VPNIPS
do
printf "\n remote $ip $PORT"
echo "remote $ip $PORT" >> "/openvpn-$PROTOCOL-$ENCRYPTION/$REGION.ovpn"
done done
printf "\n * Deleting all iptables rules..." printf "\n * Deleting all iptables rules..."
iptables --flush iptables --flush
@@ -98,11 +101,21 @@ iptables -t nat --delete-chain
status=$? status=$?
if [[ "$status" != 0 ]]; then printf "ERROR with status code $status\nSleeping for 10 seconds before exit...\n"; sleep 10; exit $status; fi if [[ "$status" != 0 ]]; then printf "ERROR with status code $status\nSleeping for 10 seconds before exit...\n"; sleep 10; exit $status; fi
printf "DONE" printf "DONE"
printf "\n * Blocking all output traffic..."
iptables -F OUTPUT iptables -F OUTPUT
status=$?
if [[ "$status" != 0 ]]; then printf "ERROR with status code $status\nSleeping for 10 seconds before exit...\n"; sleep 10; exit $status; fi
iptables -P OUTPUT DROP iptables -P OUTPUT DROP
status=$?
if [[ "$status" != 0 ]]; then printf "ERROR with status code $status\nSleeping for 10 seconds before exit...\n"; sleep 10; exit $status; fi
printf "DONE"
printf "\n * Adding rules to accept local loopback traffic..." printf "\n * Adding rules to accept local loopback traffic..."
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
status=$?
if [[ "$status" != 0 ]]; then printf "ERROR with status code $status\nSleeping for 10 seconds before exit...\n"; sleep 10; exit $status; fi
iptables -A OUTPUT -o lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT
status=$?
if [[ "$status" != 0 ]]; then printf "ERROR with status code $status\nSleeping for 10 seconds before exit...\n"; sleep 10; exit $status; fi
printf "DONE" printf "DONE"
printf "\n * Adding rules to accept traffic of subnet $SUBNET..." printf "\n * Adding rules to accept traffic of subnet $SUBNET..."
iptables -A OUTPUT -d $SUBNET -j ACCEPT iptables -A OUTPUT -d $SUBNET -j ACCEPT
@@ -119,36 +132,28 @@ do
done done
printf "\n * Adding rules to accept traffic going through the tun device..." printf "\n * Adding rules to accept traffic going through the tun device..."
iptables -A OUTPUT -o tun0 -j ACCEPT iptables -A OUTPUT -o tun0 -j ACCEPT
status=$?
if [[ "$status" != 0 ]]; then printf "ERROR with status code $status\nSleeping for 10 seconds before exit...\n"; sleep 10; exit $status; fi
printf "DONE" printf "DONE"
############################################ ############################################
# OPENVPN LAUNCH (retry with next VPN IP if fail) # USER SECURITY
############################################ ############################################
failed=1 printf "\nChanging /auth.conf ownership to nonrootuser with read only access..."
i=1 chown nonrootuser /auth.conf
PREVIOUSIP=$PIADOMAIN chmod 400 /auth.conf
while [ $failed != 0 ] printf "DONE"
do
VPNIP=$(echo $VPNIPS | cut -d' ' -f$i) ############################################
printf "\nChanging server VPN address $PREVIOUSIP to $VPNIP..." # OPENVPN LAUNCH
sed -i "s/$PREVIOUSIP/$VPNIP/g" $REGION.ovpn ############################################
status=$? printf "\nStarting OpenVPN using the following parameters:"
if [[ "$status" != 0 ]]; then printf "ERROR with status code $status\nSleeping for 10 seconds before exit...\n"; sleep 10; exit $status; fi printf "\n * Region: $REGION"
PREVIOUSIP=$VPNIP printf "\n * Encryption: $ENCRYPTION"
printf "\nStarting OpenVPN using the following parameters:" printf "\n * Protocol: $PROTOCOL"
printf "\n * Region: $REGION" printf "\n * Port: $PORT"
printf "\n * Encryption: $ENCRYPTION" printf "\n * Initial IP address: $(echo $VPNIPS | cut -d' ' -f1)"
printf "\n * Address: $PROTOCOL://$VPNIP:$PORT" printf "\n\n"
printf "\n\n" cd "/openvpn-$PROTOCOL-$ENCRYPTION"
openvpn --config "$REGION.ovpn" --auth-user-pass /auth.conf openvpn --config $REGION.ovpn --user nonrootuser --persist-tun --auth-retry nointeract --auth-user-pass /auth.conf --auth-nocache
failed=$? printf "\n\nOpenVPN exited with status $?\n"
if [[ $failed != 0 ]]; then
printf "\n==> Openvpn failed with status code: $failed"
i=$((i+1))
if [[ $i -gt $VPNIPSLENGTH ]]; then
i=0
fi
else
printf "\n==> Openvpn stopped gracefully"
fi
done
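Review bot: The `sed -i '/^remote $PIADOMAIN $PORT/d' ...` added in hunk `@@ -72,17 +70,22 @@` is single-quoted, so `$PIADOMAIN` and `$PORT` are never expanded and the pattern is the literal text `remote $PIADOMAIN $PORT`; the original `remote <domain> <port>` line therefore survives in the .ovpn and the resolved IPs are only appended after it, so OpenVPN presumably still tries the DNS name first. Use double quotes, `sed -i "/^remote $PIADOMAIN $PORT/d" "/openvpn-$PROTOCOL-$ENCRYPTION/$REGION.ovpn"`, and replace the trailing `&& \` with the `status=$?` check every other step in this script uses, so a sed failure is reported instead of silently skipping the Port printf. Because the new `remote $ip $PORT` lines are appended with `>>` to the image's copy of the config, a container that is restarted rather than recreated will accumulate duplicate `remote` entries on each start; writing the remote block to a freshly generated config would avoid that. In the launch hunk, the new `chown nonrootuser /auth.conf` and `chmod 400 /auth.conf` are the only commands without a status check (and will alter the mode of a bind-mounted host file), and `--user nonrootuser` is normally paired with `--persist-key` so that a SIGUSR1 restart does not need to re-read key material after privileges are dropped — confirm against the OpenVPN version in the image.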