admin/gluetun
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
76 Commits 18 Branches 75 Tags
24ba0958ac692436d0e3f9b0dee1b57991533995
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Quentin McGaw 24ba0958ac Fixed healthcheck
2018-11-27 21:09:21 +02:00
hooks
Reworked labels, readme and added License
2018-10-29 16:32:11 +01:00
readme
Updated readme and pictures
2018-04-15 14:21:44 -04:00
.dockerignore
Added Cloudflare 1.1.1.1 DNS over TLS
2018-04-13 15:35:31 -04:00
.travis.yml
Added docker badges
2018-04-01 13:56:20 -04:00
docker-compose.yml
Fixed docker-compose to use bridge network
2018-11-20 09:27:25 +02:00
Dockerfile
Fixed healthcheck
2018-11-27 21:09:21 +02:00
entrypoint.sh
The target files are created in /openvpn/target
2018-11-27 17:50:08 +02:00
LICENSE
Reworked labels, readme and added License
2018-10-29 16:32:11 +01:00
README.md
The target files are created in /openvpn/target
2018-11-27 17:50:08 +02:00
unbound.conf
Multiple additions and fixes #12
2018-11-14 14:38:10 +02:00

README.md

Private Internet Access Client (OpenVPN+Iptables+DNS over TLS on Alpine Linux)

Lightweight VPN client to tunnel to private internet access servers

PIA Docker OpenVPN

Build Status Docker Build Status

GitHub last commit GitHub commit activity GitHub issues

Docker Pulls Docker Stars Docker Automated

Image size Image version

Image size RAM usage CPU usage
20MB 14MB to 80MB Low to Medium

It is based on:

Extra features

  • Only use environment variables:
    • the destination region
    • the protocol tcp or udp
    • the level of encryption normal or strong
  • Connect other containers to it
  • The iptables firewall allows traffic only with needed PIA servers (IP addresses, port, protocol) combination
  • OpenVPN restarts on failure using another PIA IP address for the same region
  • Docker healthchecks using duckduckgo.com to obtain your public IP address and compare it with PIA Ips in configuration file
  • Openvpn and Unbound do not run as root

Requirements

  • A Private Internet Access username and password - Sign up
  • Docker installed on the host
  • If you use a strict firewall on the host/router:
    • Allow outbound TCP 853 to 1.1.1.1 to allow Unbound to resolve the PIA domain name at start. You can then block it once the container is started.
    • For UDP strong encryption, allow outbound UDP 1197
    • For UDP normal encryption, allow outbound UDP 1198
    • For TCP strong encryption, allow outbound TCP 501
    • For TCP normal encryption, allow outbound TCP 502

Setup

  1. Make sure you have your /dev/net/tun device setup on your host with one of the following commands, depending on your OS:

    insmod /lib/modules/tun.ko

    Or

    modprobe tun

  2. Launch the container with:

    docker run -d --name=pia -v ./auth.conf:/auth.conf:ro \
--cap-add=NET_ADMIN --device=/dev/net/tun --network=pianet \
-e REGION="CA Montreal" -e PROTOCOL=udp -e ENCRYPTION=strong \
-e USER=js89ds7 -e PASSWORD=8fd9s239G \
qmcgaw/private-internet-access

    or use docker-compose.yml with:

    docker-compose up -d

    Note that you can change all the environment variables

  3. Wait about 5 seconds for it to connect to the PIA server. You can check with:

    docker logs -f pia

  4. Follow the Testing section

Testing

You can simply use the Docker healthcheck. The container will mark itself as unhealthy if the public IP address is not part of the PIA IPs. Otherwise you can follow these instructions:

  1. Check your host IP address with:

    wget -qO- https://ipinfo.io/ip

  2. Run the same command in a Docker container using your pia container as network with:

    docker run --rm --network=container:pia alpine:3.8 wget -qO- https://ipinfo.io/ip

    If the displayed IP address appears and is different that your host IP address, the PIA client works !

Environment variables

Environment variable Default Description
REGION CA Montreal One of the PIA regions
PROTOCOL udp tcp or udp
ENCRYPTION strong normal or strong
BLOCK_MALICIOUS off on or off
USER `` Your PIA username
PASSWORD `` Your PIA password
EXTRA_SUBNETS `` Comma separated subnets allowed in the container firewall

EXTRA_SUBNETS can be in example: 192.168.1.0/24,192.168.10.121,10.0.0.5/28

Connect other containers to it

Connect other Docker containers to the PIA VPN connection by adding --network=container:pia when launching them.

For containers in the same docker-compose.yml as PIA, you can use network: "service:pia (see below)

Access ports of PIA-connected containers

General case

  1. For example, the following containers are launched connected to PIA:

    docker run -d --name=deluge --network=container:pia linuxserver/deluge
docker run -d --name=hydra --network=container:pia linuxserver/hydra

    We want to access: - The HTTP web UI of Deluge at port 8112 - The HTTP Web UI of Hydra at port 5075

  2. In this case we use Nginx for its small size. Create ./nginx.conf with:

    # nginx.conf
user nginx;
worker_processes 1;
events {
  worker_connections 64;
}
http {
  server {
    listen 8000;
    location /deluge {
      proxy_pass http://deluge:8112/;
      proxy_set_header X-Deluge-Base "/deluge";
    }
  }
  server {
    listen 8001;
    location / {
      proxy_pass http://hydra:5075/;
    }
  }
}

  3. Run the Nginx Alpine container:

    docker run -d -p 8001:8001/tcp -p 8002:8002/tcp \
--link pia:deluge --link pia:hydra \
-v $(pwd)/nginx.conf:/etc/nginx/nginx.conf:ro \
nginx:alpine

    WARNING: Make sure the Docker network in which Nginx runs is the same as the one of PIA. It can be the default bridge network.

  4. Access the WebUI of Deluge at localhost:8000 and Hydra at localhost:8001

For more containers, add more --link pia:xxx and modify nginx.conf accordingly

Containers with PIA in one docker-compose.yml

This is simpler but restrictive in terms of management as all containers must be in the same docker-compose.yml.

For example, the following file

version: '3'
services:
  pia:
    build: https://github.com/qdm12/private-internet-access-docker.git
    image: qmcgaw/private-internet-access
    container_name: pia
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    network_mode: bridge
    ports:
      - 8112:8112/tcp
    environment:
      - USER=js89ds7
      - PASSWORD=8fd9s239G
      - PROTOCOL=udp
      - ENCRYPTION=strong
      - REGION=CA Montreal
      - EXTRA_SUBNETS=
    restart: always
  deluge:
    image: linuxserver/deluge
    depends_on:
      - pia
    network_mode: "service:pia"
    restart: always

will publish port 8112 as Deluge WebUI without any trouble.

For the paranoids

  • You can review the code which essential consits in the Dockerfile and entrypoint.sh

  • Build the images yourself:

    docker build -t qmcgaw/private-internet-access https://github.com/qdm12/private-internet-access-docker.git

  • The download and unziping of PIA openvpn files is done at build for the ones not able to download the zip files

  • Checksums for PIA openvpn zip files are not used as these files change often (but HTTPS is used)

  • Use -e ENCRYPTION=strong -e BLOCK_MALICIOUS=on

TODOs

  • Malicious IPs and hostnames with wget at launch+checksums
  • Nginx scratch
  • SOCKS proxy/Hiproxy/VPN server for other devices to use the container
  • Port forwarding

License

This repository is under an MIT license

Reference in New Issue View Git Blame Copy Permalink
Description
VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
alpinecyberghostdns-over-tlsdockergolanghttp-proxymullvadnordvpnopenvpnpiaprivadoprivate-internet-accesspurevpnshadowsockssurfsharkvpn-clientvyprvpnwindscribewireguard
Readme MIT 33 MiB
Languages
Go 99.4%
Dockerfile 0.6%