admin/gluetun
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
69 Commits 18 Branches 75 Tags
9ba7f5969cab57fba240b0d850ae455858068688
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Quentin McGaw 9ba7f5969c Fixed healthcheck
2018-11-15 14:41:39 +02:00
hooks
Reworked labels, readme and added License
2018-10-29 16:32:11 +01:00
readme
Updated readme and pictures
2018-04-15 14:21:44 -04:00
.dockerignore
Added Cloudflare 1.1.1.1 DNS over TLS
2018-04-13 15:35:31 -04:00
.travis.yml
Added docker badges
2018-04-01 13:56:20 -04:00
docker-compose.yml
Added dummy credentials
2018-11-14 16:24:56 +02:00
Dockerfile
Fixed healthcheck
2018-11-15 14:41:39 +02:00
entrypoint.sh
Healthcheck checks your IP is in the VPN configuration file
2018-11-14 16:25:23 +02:00
LICENSE
Reworked labels, readme and added License
2018-10-29 16:32:11 +01:00
README.md
Healthcheck checks your IP is in the VPN configuration file
2018-11-14 16:25:23 +02:00
unbound.conf
Multiple additions and fixes #12
2018-11-14 14:38:10 +02:00

README.md

Private Internet Access Client (OpenVPN+Iptables+DNS over TLS on Alpine Linux)

Lightweight VPN client to tunnel to private internet access servers

WARNING: auth.conf is now replaced by the environment variables USER and PASSWORD, please update your configuration

PIA Docker OpenVPN

Build Status Docker Build Status

GitHub last commit GitHub commit activity GitHub issues

Docker Pulls Docker Stars Docker Automated

Image size Image version

Image size RAM usage CPU usage
20MB 14MB to 80MB Low to Medium

It is based on:

Extra features

  • Only use environment variables:
    • the destination region
    • the protocol tcp or udp
    • the level of encryption normal or strong
  • Connect other containers to it
  • The iptables firewall allows traffic only with needed PIA servers (IP addresses, port, protocol) combination
  • OpenVPN restarts on failure using another PIA IP address for the same region
  • Docker healthchecks using duckduckgo.com to obtain your public IP address and compare it with PIA Ips in configuration file
  • Openvpn and Unbound do not run as root

Requirements

  • A Private Internet Access username and password - Sign up
  • Docker installed on the host
  • If you use a strict firewall on the host/router:
    • Allow outbound TCP 853 to 1.1.1.1 to allow Unbound to resolve the PIA domain name at start. You can then block it once the container is started.
    • For UDP strong encryption, allow outbound UDP 1197
    • For UDP normal encryption, allow outbound UDP 1198
    • For TCP strong encryption, allow outbound TCP 501
    • For TCP normal encryption, allow outbound TCP 502

Setup

  1. Make sure you have your /dev/net/tun device setup on your host with one of the following commands, depending on your OS:

    insmod /lib/modules/tun.ko

    Or

    modprobe tun

  2. Launch the container with:

    docker run -d --name=pia -v ./auth.conf:/auth.conf:ro \
--cap-add=NET_ADMIN --device=/dev/net/tun --network=pianet \
-e REGION="CA Montreal" -e PROTOCOL=udp -e ENCRYPTION=strong \
-e USER=js89ds7 -e PASSWORD=8fd9s239G \
qmcgaw/private-internet-access

    or use docker-compose.yml with:

    docker-compose up -d

    Note that you can change all the environment variables

  3. Wait about 5 seconds for it to connect to the PIA server. You can check with:

    docker logs -f pia

  4. Follow the Testing section

Testing

You can simply use the Docker healthcheck. The container will mark itself as unhealthy if the public IP address is not part of the PIA IPs. Otherwise you can follow these instructions:

  1. Check your host IP address with:

    wget -qO- https://ipinfo.io/ip

  2. Run the same command in a Docker container using your pia container as network with:

    docker run --rm --network=container:pia alpine:3.8 wget -qO- https://ipinfo.io/ip

    If the displayed IP address appears and is different that your host IP address, the PIA client works !

Environment variables

Environment variable Default Description
REGION CA Montreal One of the PIA regions
PROTOCOL udp tcp or udp
ENCRYPTION strong normal or strong
BLOCK_MALICIOUS off on or off
USER `` Your PIA username
PASSWORD `` Your PIA password
EXTRA_SUBNETS `` Comma separated subnets allowed in the container firewall

EXTRA_SUBNETS can be in example: 192.168.1.0/24,192.168.10.121,10.0.0.5/28

Connect other containers to it

Connect other Docker containers to the PIA VPN connection by adding --network=container:pia when launching them.

For the paranoids

  • You can review the code which essential consits in the Dockerfile and entrypoint.sh

  • Build the images yourself:

    docker build -t qmcgaw/private-internet-access https://github.com/qdm12/private-internet-access-docker.git

  • The download and unziping of PIA openvpn files is done at build for the ones not able to download the zip files

  • Checksums for PIA openvpn zip files are not used as these files change often (but HTTPS is used)

  • Use -e ENCRYPTION=strong -e BLOCK_MALICIOUS=on

TODOs

  • Malicious IPs and hostnames with wget at launch+checksums
  • Su Exec (fork and addition)
  • SOCKS proxy/Hiproxy/VPN server for other devices to use the container

License

This repository is under an MIT license

Reference in New Issue View Git Blame Copy Permalink
Description
VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
alpinecyberghostdns-over-tlsdockergolanghttp-proxymullvadnordvpnopenvpnpiaprivadoprivate-internet-accesspurevpnshadowsockssurfsharkvpn-clientvyprvpnwindscribewireguard
Readme MIT 33 MiB
Languages
Go 99.4%
Dockerfile 0.6%