From 64827e9b1fef9c94e232bf15a4fe7aac6eb1b93b Mon Sep 17 00:00:00 2001
From: yohan <783b8c87@scimetis.net>
Date: Sat, 15 May 2021 15:15:11 +0200
Subject: [PATCH] Initial commit.
---
 client_privateinternetaccess_US_East.conf | 20 +++++++
 docker-compose.yml | 63 +++++++++++++++++++++++
 entrypoint.sh | 28 ++++++++++
 start_or_update.sh | 49 ++++++++++++++++++
 4 files changed, 160 insertions(+)
 create mode 100644 client_privateinternetaccess_US_East.conf
 create mode 100644 docker-compose.yml
 create mode 100755 entrypoint.sh
 create mode 100755 start_or_update.sh
diff --git a/client_privateinternetaccess_US_East.conf b/client_privateinternetaccess_US_East.conf
new file mode 100644
index 0000000..b58e9af
--- /dev/null
+++ b/client_privateinternetaccess_US_East.conf
@@ -0,0 +1,20 @@
+client
+dev tun
+proto udp
+remote us-newyorkcity.privacy.network 1197
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+cipher aes-256-cbc
+auth sha256
+tls-client
+remote-cert-tls server
+auth-user-pass /etc/openvpn/keys_privateinternetaccess/password
+comp-lzo
+verb 1
+reneg-sec 0
+# Those are the 4096 RSA versions
+ca /etc/openvpn/keys_privateinternetaccess/ca.crt
+crl-verify /etc/openvpn/keys_privateinternetaccess/crl.pem
+disable-occ
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..b9095e9
--- /dev/null
+++ b/docker-compose.yml
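Review bot: `comp-lzo` turns on data-channel compression, which OpenVPN has deprecated since 2.4 because compressing traffic before encryption has been used to recover plaintext (the VORACLE class of attacks); unless the provider's server side still requires the compression framing, drop the line, and if it does, `comp-lzo no` keeps the framing without compressing outgoing data. `reneg-sec 0` disables periodic data-channel rekeying, so with `cipher aes-256-cbc` a long-lived tunnel keeps a single key for its whole lifetime; the default of 3600 seconds is safer, and an AEAD cipher such as `aes-256-gcm` should be preferred if the provider supports it. `verb 1` suppresses nearly all of the log lines that would reveal a failed `crl-verify` or a cipher negotiation problem, so `verb 3` is a more useful operational default.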
@@ -0,0 +1,63 @@
+# needs at least docker-compose 1.18.0 (1.10.0 for sysctls option and 1.18.0 for custom network name)
+version: "2.1"
+
+services:
+
+ vpn-client:
+ image: vpn-client:$VERSION_VPN_CLIENT
+ build: "https://git.scimetis.net/yohan/docker-VPN-client.git"
+ restart: always
+ volumes:
+ - ./keys_privateinternetaccess:/etc/openvpn/keys_privateinternetaccess:Z
+ - ./client_privateinternetaccess_US_East.conf:/etc/openvpn/openvpn.conf:Z
+ - ./post-up.sh:/root/post-up.sh:Z
+ cap_add:
+ - NET_ADMIN
+ sysctls:
+ net.ipv4.ip_forward: 1
+ devices:
+ - "/dev/net/tun:/dev/net/tun"
+ dns: 80.67.169.12
+ networks:
+ openvpn-USA-network:
+ ipv4_address: 172.31.0.2
+
+ l2tp-client:
+ image: l2tp-client:$VERSION_L2TP_CLIENT
+ build: "https://git.scimetis.net/yohan/docker-l2tp-client.git"
+ restart: always
+ cap_add:
+ - NET_ADMIN
+ devices:
+ - "/dev/net/tun:/dev/net/tun"
+ - "/dev/ppp:/dev/ppp"
+ networks:
+ openvpn-USA-network:
+ ipv4_address: 172.31.0.3
+
+ proxy:
+ image: proxy:$VERSION_PROXY
+ build: "https://git.scimetis.net/yohan/docker-proxy.git"
+ restart: always
+ ports:
+ - 3129:3128/tcp
+ volumes:
+ - ./users:/etc/squid/users:Z
+ - ./entrypoint.sh:/root/entrypoint.sh:Z
+ entrypoint: /root/entrypoint.sh
+ cap_add:
+ - SYS_PTRACE
+ - NET_ADMIN
+ environment:
+ subnet: 172.31.0
+ networks:
+ openvpn-USA-network:
+ ipv4_address: 172.31.0.4
+
+networks:
+ openvpn-USA-network:
+ name: openvpn-USA-network
+ ipam:
+ config:
+ - subnet: 172.31.0.0/24
+
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100755
index 0000000..2649042
--- /dev/null
+++ b/entrypoint.sh
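Review bot: The proxy service publishes `3129:3128/tcp` with no bind address, so the squid listener is reachable on every host interface, and it is also granted `SYS_PTRACE`, which nothing in the mounted entrypoint.sh visibly requires. If the proxy is only meant for local or LAN clients, bind it explicitly (`- 127.0.0.1:3129:3128/tcp`, or the intended interface) rather than relying on the squid user file alone, and drop `SYS_PTRACE` unless there is a reason for it, in which case state that reason in a comment beside it. The three `build:` URLs point at a git remote with no ref, so the `$VERSION_*` image tags record whatever HEAD was at build time instead of pinning an auditable commit; appending `#<ref>` to each build URL would make the tag and the built source agree.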
@@ -0,0 +1,28 @@
+#!/bin/bash
+# stop service and clean up here
+function shut_down() {
+/etc/init.d/squid stop
+reset
+echo "exited $0"
+exit 0
+}
+
+# USE the trap if you need to also do manual cleanup after the service is stopped,
+# or need to start multiple services in the one container
+trap "shut_down" SIGINT SIGTERM SIGKILL
+
+/bin/ip route change default via ${subnet}.2 dev eth0
+bash -c '> /etc/resolv.conf'
+echo "nameserver 80.67.169.12" >> /etc/resolv.conf
+echo "100 toengine" >> /etc/iproute2/rt_tables
+iptables -t mangle -A OUTPUT -p tcp --sport 3128 -j MARK --set-mark 01
+ip rule add fwmark 01 lookup toengine
+ip route add default via ${subnet}.1 table toengine
+# start service in background here
+/etc/init.d/squid start
+while pidof squid > /dev/null
+do
+ sleep 3
+done
+shut_down
+
diff --git a/start_or_update.sh b/start_or_update.sh
new file mode 100755
index 0000000..9b305d5
--- /dev/null
+++ b/start_or_update.sh
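Review bot: The policy-routing setup that keeps squid's upstream traffic inside the VPN has no error checking and the script sets no `set -e`, so if `/bin/ip route change default via ${subnet}.2 dev eth0` fails (for instance because the vpn-client container is not up yet), squid is still started and its traffic would leave through the docker bridge default route instead of the tunnel. Make the script fail closed: add `set -euo pipefail` after the shebang, or at minimum `/bin/ip route change default via "${subnet}.2" dev eth0 || exit 1`, and treat the `iptables`, `ip rule add` and `ip route add` lines the same way. `trap "shut_down" SIGINT SIGTERM SIGKILL` lists SIGKILL, which cannot be caught, so drop it to avoid implying a cleanup guarantee that does not exist. Under `restart: always` the `echo ... >>` appends and `ip rule add` run again on every container restart and accumulate duplicate entries; guard them with `grep -q` / `ip rule show` checks before adding.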
@@ -0,0 +1,49 @@
+#!/bin/bash
+# The commands below fix iptables -j MARK not working:
+#type=AVC msg=audit(1546362201.768:148429): avc: denied { module_request } for pid=11415 comm="iptables" kmod="ipt_MARK" scontext=system_u:system_r:container_t:s0:c283,c766 tcontext=system_u:system_r:kernel_t:s0 tclass=system
+#
+# Was caused by:
+# The boolean domain_kernel_load_modules was set incorrectly.
+# Description:
+# Allow domain to kernel load modules
+#
+# Allow access by executing:
+# # setsebool -P domain_kernel_load_modules 1
+
+sudo modprobe ipt_MARK
+sudo modprobe l2tp_ppp
+MODULE_FILE=/etc/modules-load.d/docker.conf
+sudo bash -c "test -f $MODULE_FILE || touch $MODULE_FILE"
+sudo bash -c "grep -q ipt_MARK $MODULE_FILE \
+|| { echo '# Loading ipt_MARK at boot is needed to use iptables -j MARK in docker containers' >> $MODULE_FILE; \
+ echo 'ipt_MARK' >> $MODULE_FILE; }"
+sudo bash -c "grep -q l2tp_ppp $MODULE_FILE \
+|| { echo '# Loading l2tp_ppp at boot is needed to use xl2tpd with kernel drivers in docker containers' >> $MODULE_FILE; \
+ echo 'l2tp_ppp' >> $MODULE_FILE; }"
+
+source vars
+test -z $1 || HOST="_$1"
+test -z $2 || INSTANCE="_$2"
+sudo rm -f keys_privateinternetaccess/*
+test -f ~/secrets.tar.gz.enc || curl -o ~/secrets.tar.gz.enc "https://${CLOUD_SERVER}/s/${KEY}/download?path=%2F&files=secrets.tar.gz.enc"
+openssl enc -aes-256-cbc -d -in ~/secrets.tar.gz.enc | sudo tar -zxv --strip 2 secrets/docker-VPN-client-USA-stack${HOST}${INSTANCE}/keys_privateinternetaccess secrets/docker-VPN-client-USA-stack${HOST}${INSTANCE}/users
+
+rm -rf ~/config
+git clone https://${GIT_SERVER}/yohan/config.git ~/config
+test -f ~/config/docker-VPN-client-stack_serveur-appart_PIA-USA/post-up.sh \
+&& sudo cp -a ~/config/docker-VPN-client-stack_serveur-appart_PIA-USA/post-up.sh ./ \
+|| sudo bash -c 'echo "#!/bin/bash" > post-up.sh'
+rm -rf ~/config
+
+sudo chown root:13 users
+sudo chown root:root entrypoint.sh post-up.sh
+sudo chmod +x entrypoint.sh post-up.sh
+sudo chown -R root. client_privateinternetaccess_US_East.conf keys_privateinternetaccess
+
+# --force-recreate is used to recreate container when crontab file has changed
+unset VERSION_PROXY VERSION_VPN_CLIENT VERSION_L2TP_CLIENT
+VERSION_PROXY=$(git ls-remote https://${GIT_SERVER}/yohan/docker-proxy.git| head -1 | cut -f 1|cut -c -10) \
+VERSION_VPN_CLIENT=$(git ls-remote https://${GIT_SERVER}/yohan/docker-VPN-client.git| head -1 | cut -f 1|cut -c -10) \
+VERSION_L2TP_CLIENT=$(git ls-remote https://${GIT_SERVER}/yohan/docker-l2tp-client.git| head -1 | cut -f 1|cut -c -10) \
+ sudo -E bash -c 'docker-compose up -d --force-recreate'
+
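Review bot: `openssl enc -aes-256-cbc -d -in ~/secrets.tar.gz.enc` uses the default key derivation, which is the legacy single-iteration MD5 EVP_BytesToKey scheme that OpenSSL 1.1.1 and later report as deprecated; the secrets archive should be encrypted and decrypted with `-pbkdf2` (and a matching `-iter` count) so a leaked archive is not a cheap password-guessing target, which means the encryption side outside this patch must change as well. The preceding `curl -o ~/secrets.tar.gz.enc ...` has no `--fail`, so an HTTP error body would be saved under that name and then fed to `openssl`, surfacing only as a confusing decryption error; `curl -fsS -o ...` avoids that. `test -z $1 || HOST="_$1"` and the `$2` line leave the positional parameters unquoted, so an argument containing spaces breaks the test; write `test -z "$1" || HOST="_$1"`. `source vars` and the relative paths below silently depend on the current directory being the checkout; an up-front `cd "$(dirname "$0")" || exit 1` makes that explicit.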