Merge remote-tracking branch 'origin/master'

This commit is contained in:
Quentin McGaw
2019-07-25 10:24:03 -04:00
4 changed files with 31 additions and 22 deletions


@@ -30,6 +30,7 @@ ENV USER= \
BLOCK_NSA=off \ BLOCK_NSA=off \
UNBLOCK= \ UNBLOCK= \
EXTRA_SUBNETS= \ EXTRA_SUBNETS= \
PORT_FORWARDING=false \
PROXY=on \ PROXY=on \
PROXY_LOG_LEVEL=Critical \ PROXY_LOG_LEVEL=Critical \
PROXY_PORT=8888 \ PROXY_PORT=8888 \
@@ -38,7 +39,7 @@ ENV USER= \
ENTRYPOINT /entrypoint.sh ENTRYPOINT /entrypoint.sh
EXPOSE 8888 EXPOSE 8888
HEALTHCHECK --interval=3m --timeout=3s --start-period=20s --retries=1 CMD /healthcheck.sh HEALTHCHECK --interval=3m --timeout=3s --start-period=20s --retries=1 CMD /healthcheck.sh
RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip tinyproxy && \ RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip tinyproxy jq && \
wget -q https://www.privateinternetaccess.com/openvpn/openvpn.zip \ wget -q https://www.privateinternetaccess.com/openvpn/openvpn.zip \
https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip \ https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip \
https://www.privateinternetaccess.com/openvpn/openvpn-tcp.zip \ https://www.privateinternetaccess.com/openvpn/openvpn-tcp.zip \


@@ -154,6 +154,7 @@ docker run --rm --network=container:pia alpine:3.10 wget -qO- https://ipinfo.io
| `BLOCK_NSA` | `off` | `on` or `off`, blocks NSA hostnames | | `BLOCK_NSA` | `off` | `on` or `off`, blocks NSA hostnames |
| `UNBLOCK` | | comma separated string (i.e. `web.com,web2.ca`) to unblock hostnames | | `UNBLOCK` | | comma separated string (i.e. `web.com,web2.ca`) to unblock hostnames |
| `EXTRA_SUBNETS` | | comma separated subnets allowed in the container firewall (i.e. `192.168.1.0/24,192.168.10.121,10.0.0.5/28`) | | `EXTRA_SUBNETS` | | comma separated subnets allowed in the container firewall (i.e. `192.168.1.0/24,192.168.10.121,10.0.0.5/28`) |
| `PORT_FORWARDING` | false | Set to `true` to read the forwarded port |
| `PROXY` | `on` | `on` or `off`, to switch the internal HTTP proxy | | `PROXY` | `on` | `on` or `off`, to switch the internal HTTP proxy |
| `PROXY_LOG_LEVEL` | `Critical` | `Info`, `Warning`, `Error` or `Critical` | | `PROXY_LOG_LEVEL` | `Critical` | `Info`, `Warning`, `Error` or `Critical` |
| `PROXY_PORT` | `8888` | `1024` to `65535` internal port for HTTP proxy | | `PROXY_PORT` | `8888` | `1024` to `65535` internal port for HTTP proxy |
@@ -236,13 +237,9 @@ There are various ways to achieve this, depending on your use case.
## Port forwarding ## Port forwarding
On a running PIA container, say `pia`, simply run: By setting `PORT_FORWARDING` environment variable to `true`, the forwarded port will be read and written to `/forwarded_port`.
```sh You can mount this file as a volume to read it from other containers.
docker exec -it pia /portforward.sh
```
And it will indicate you the port forwarded for your current public IP address.
Note that not all regions support port forwarding. Note that not all regions support port forwarding.


@@ -268,8 +268,6 @@ exitOnError $? "Cannot add 'mssfix 1300' to $TARGET_PATH/config.ovpn"
# Note: TUN device re-opening will restart the container due to permissions # Note: TUN device re-opening will restart the container due to permissions
printf "DONE\n" printf "DONE\n"
############################################ ############################################
# NETWORKING # NETWORKING
############################################ ############################################
@@ -397,6 +395,14 @@ if [ "$PROXY" == "on" ]; then
printf "DONE\n" printf "DONE\n"
fi fi
############################################
# READ FORWARDED PORT
############################################
if [ "$PORT_FORWARDING" == "true" ]; then
sleep 10 && /portforward.sh &
fi
############################################ ############################################
# OPENVPN LAUNCH # OPENVPN LAUNCH
############################################ ############################################
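Review bot: The job started on `sleep 10 && /portforward.sh &` is fire-and-forget: its PID is not saved, its exit status is never collected, and a failure in /portforward.sh (which exits 1 when the API returns nothing, per the other file in this commit) surfaces only as output interleaved with whatever the script launches next. The fixed 10-second delay also stands in for a readiness check on the tunnel that the hunk places after this block under "# OPENVPN LAUNCH", so a slower connection silently gets no forwarded port. Keep the PID and report the outcome, for example `( sleep 10; /portforward.sh || printf '[WARN] Reading the forwarded port failed\n' >&2 ) &` followed by `portforward_pid=$!`, so a later `wait "$portforward_pid"` or log line can tell the operator what happened. The enclosing script continues outside the hunk.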


@@ -11,24 +11,29 @@ exitOnError(){
fi fi
} }
printf "[INFO] Reading forwarded port\n"
client_id=`head -n 100 /dev/urandom | sha256sum | tr -d " -"` client_id=`head -n 100 /dev/urandom | sha256sum | tr -d " -"`
exitOnError $? exitOnError $? "Unable to generate Client ID"
json=`wget -qO- "http://209.222.18.222:2000/?client_id=$client_id" 2>/dev/null` json=`wget -qO- "http://209.222.18.222:2000/?client_id=$client_id"`
exitOnError $?
if [ "$json" == "" ]; then if [ "$json" == "" ]; then
printf "Port forwarding is already activated on this connection, has expired, or you are not connected to a PIA region that supports port forwarding\n" printf " * Port forwarding is already activated on this connection, has expired, or you are not connected to a PIA region that supports port forwarding\n"
exit 1 exit 1
fi fi
port=`echo $json | grep -Eo [0-9]{3,5}` port=`echo $json | jq .port`
port_file="/forwarded_port"
echo "$port" > $port_file
printf " * Written forwarded port to $port_file\n"
ip=`wget -qO- https://diagnostic.opendns.com/myip` ip=`wget -qO- https://diagnostic.opendns.com/myip`
exitOnError $? exitOnError $? "Unable to read remote VPN IP"
printf "Forwarded port for IP $ip is: $port\n" printf " * Forwarded port is $port on remote VPN IP $ip\n"
printf "Detecting target VPN interface..." printf " * Detecting target VPN interface..."
TARGET_PATH="/openvpn/target" TARGET_PATH="/openvpn/target"
vpn_device=$(cat $TARGET_PATH/config.ovpn | grep 'dev ' | cut -d" " -f 2)0 vpn_device=$(cat $TARGET_PATH/config.ovpn | grep 'dev ' | cut -d" " -f 2)0
exitOnError $? exitOnError $? "Unable to find VPN interface"
printf "$vpn_device\n" printf "$vpn_device\n"
printf "Accepting input traffic through $vpn_device to port $port..." printf " * Accepting input traffic through $vpn_device to port $port..."
iptables -A INPUT -i $vpn_device --dport $PORT -j ACCEPT iptables -A INPUT -i $vpn_device -p tcp --dport $port -j ACCEPT
exitOnError $? exitOnError $? "Unable to allow the forwarded port in TCP"
iptables -A INPUT -i $vpn_device -p udp --dport $port -j ACCEPT
exitOnError $? "Unable to allow the forwarded port in UDP"
printf "DONE\n" printf "DONE\n"
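Review bot: The value taken from the API response on the `port=\`echo $json | jq .port\`` line is used unvalidated on the `echo "$port" > $port_file` and both `iptables ... --dport $port` lines; `jq .port` prints `null` when the key is missing and a double-quoted string when the JSON value is a string, and neither case is caught before it reaches the firewall rule (nothing checks `$?` after that assignment either). The replaced `grep -Eo [0-9]{3,5}` at least constrained the value to digits, so this is a step back for data fetched over plain HTTP from a fixed address. Use raw output and check the shape before using it: `port=$(printf '%s' "$json" | jq -r '.port')` and `case "$port" in ''|*[!0-9]*) exitOnError 1 "Invalid forwarded port: $port" ;; esac` (exitOnError appears to take a status and a message, judging by its other calls in this hunk; its definition starts above the hunk). The same check protects the `--dport` arguments on the two iptables lines.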