Initial commit.

2021-05-15 15:15:11 +02:00 · 2021-05-15 15:15:11 +02:00 · 64827e9b1f
commit 64827e9b1f
4 changed files with 160 additions and 0 deletions
--- a/client_privateinternetaccess_US_East.conf
+++ b/client_privateinternetaccess_US_East.conf
@ -0,0 +1,20 @@
 client
 dev tun
 proto udp
 remote us-newyorkcity.privacy.network 1197
 resolv-retry infinite
 nobind
 persist-key
 persist-tun
 cipher aes-256-cbc
 auth sha256
 tls-client
 remote-cert-tls server
 auth-user-pass /etc/openvpn/keys_privateinternetaccess/password
 comp-lzo
 verb 1
 reneg-sec 0
 # Those are the 4096 RSA versions
 ca /etc/openvpn/keys_privateinternetaccess/ca.crt
 crl-verify /etc/openvpn/keys_privateinternetaccess/crl.pem
 disable-occ
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -0,0 +1,63 @@
 # needs at least docker-compose 1.18.0 (1.10.0 for sysctls option and 1.18.0 for custom network name)
 version: "2.1"
 services:
  vpn-client:
    image: vpn-client:$VERSION_VPN_CLIENT
    build: "https://git.scimetis.net/yohan/docker-VPN-client.git"
    restart: always
    volumes:
      - ./keys_privateinternetaccess:/etc/openvpn/keys_privateinternetaccess:Z
      - ./client_privateinternetaccess_US_East.conf:/etc/openvpn/openvpn.conf:Z
      - ./post-up.sh:/root/post-up.sh:Z
    cap_add:
      - NET_ADMIN
    sysctls:
      net.ipv4.ip_forward: 1
    devices:
      - "/dev/net/tun:/dev/net/tun"
    dns: 80.67.169.12
    networks:
      openvpn-USA-network:
        ipv4_address: 172.31.0.2
  l2tp-client:
    image: l2tp-client:$VERSION_L2TP_CLIENT
    build: "https://git.scimetis.net/yohan/docker-l2tp-client.git"
    restart: always
    cap_add:
      - NET_ADMIN
    devices:
      - "/dev/net/tun:/dev/net/tun"
      - "/dev/ppp:/dev/ppp"
    networks:
      openvpn-USA-network:
        ipv4_address: 172.31.0.3
  proxy:
    image: proxy:$VERSION_PROXY
    build: "https://git.scimetis.net/yohan/docker-proxy.git"
    restart: always
    ports:
      - 3129:3128/tcp
    volumes:
      - ./users:/etc/squid/users:Z
      - ./entrypoint.sh:/root/entrypoint.sh:Z
    entrypoint: /root/entrypoint.sh
    cap_add:
      - SYS_PTRACE
      - NET_ADMIN
    environment:
      subnet: 172.31.0
    networks:
      openvpn-USA-network:
        ipv4_address: 172.31.0.4
 networks:
  openvpn-USA-network:
    name: openvpn-USA-network
    ipam:
      config:
        - subnet: 172.31.0.0/24
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -0,0 +1,28 @@
 #!/bin/bash
 # stop service and clean up here
 function shut_down() {
 /etc/init.d/squid stop
 reset
 echo "exited $0"
 exit 0
 }
 # USE the trap if you need to also do manual cleanup after the service is stopped,
 #     or need to start multiple services in the one container
 trap "shut_down" SIGINT SIGTERM SIGKILL
 /bin/ip route change default via ${subnet}.2 dev eth0
 bash -c '> /etc/resolv.conf'
 echo "nameserver 80.67.169.12" >> /etc/resolv.conf
 echo "100     toengine" >> /etc/iproute2/rt_tables
 iptables -t mangle -A OUTPUT -p tcp --sport 3128 -j MARK --set-mark 01
 ip rule add fwmark 01 lookup toengine
 ip route add default via ${subnet}.1 table toengine
 # start service in background here
 /etc/init.d/squid start
 while pidof squid > /dev/null
 do
        sleep 3
 done
 shut_down
--- a/start_or_update.sh
+++ b/start_or_update.sh
@ -0,0 +1,49 @@
 #!/bin/bash
 # The commands below fix iptables -j MARK not working:
 #type=AVC msg=audit(1546362201.768:148429): avc:  denied  { module_request } for  pid=11415 comm="iptables" kmod="ipt_MARK" scontext=system_u:system_r:container_t:s0:c283,c766 tcontext=system_u:system_r:kernel_t:s0 tclass=system
 #
 #       Was caused by:
 #       The boolean domain_kernel_load_modules was set incorrectly. 
 #       Description:
 #       Allow domain to kernel load modules
 #
 #       Allow access by executing:
 #       # setsebool -P domain_kernel_load_modules 1
 sudo modprobe ipt_MARK
 sudo modprobe l2tp_ppp
 MODULE_FILE=/etc/modules-load.d/docker.conf
 sudo bash -c "test -f $MODULE_FILE || touch $MODULE_FILE"
 sudo bash -c "grep -q ipt_MARK $MODULE_FILE \
 || { echo '# Loading ipt_MARK at boot is needed to use iptables -j MARK in docker containers' >> $MODULE_FILE; \
     echo 'ipt_MARK' >> $MODULE_FILE; }"
 sudo bash -c "grep -q l2tp_ppp $MODULE_FILE \
 || { echo '# Loading l2tp_ppp at boot is needed to use xl2tpd with kernel drivers in docker containers' >> $MODULE_FILE; \
     echo 'l2tp_ppp' >> $MODULE_FILE; }"
 source vars
 test -z $1 || HOST="_$1"
 test -z $2 || INSTANCE="_$2"
 sudo rm -f keys_privateinternetaccess/* 
 test -f ~/secrets.tar.gz.enc || curl -o ~/secrets.tar.gz.enc "https://${CLOUD_SERVER}/s/${KEY}/download?path=%2F&files=secrets.tar.gz.enc"
 openssl enc -aes-256-cbc -d -in ~/secrets.tar.gz.enc | sudo tar -zxv --strip 2 secrets/docker-VPN-client-USA-stack${HOST}${INSTANCE}/keys_privateinternetaccess secrets/docker-VPN-client-USA-stack${HOST}${INSTANCE}/users
 rm -rf ~/config
 git clone https://${GIT_SERVER}/yohan/config.git ~/config
 test -f ~/config/docker-VPN-client-stack_serveur-appart_PIA-USA/post-up.sh \
 && sudo cp -a ~/config/docker-VPN-client-stack_serveur-appart_PIA-USA/post-up.sh ./ \
 || sudo bash -c 'echo "#!/bin/bash" > post-up.sh'
 rm -rf ~/config
 sudo chown root:13 users
 sudo chown root:root entrypoint.sh post-up.sh
 sudo chmod +x entrypoint.sh post-up.sh
 sudo chown -R root. client_privateinternetaccess_US_East.conf keys_privateinternetaccess
 # --force-recreate is used to recreate container when crontab file has changed
 unset VERSION_PROXY VERSION_VPN_CLIENT VERSION_L2TP_CLIENT
 VERSION_PROXY=$(git ls-remote https://${GIT_SERVER}/yohan/docker-proxy.git| head -1 | cut -f 1|cut -c -10) \
 VERSION_VPN_CLIENT=$(git ls-remote https://${GIT_SERVER}/yohan/docker-VPN-client.git| head -1 | cut -f 1|cut -c -10) \
 VERSION_L2TP_CLIENT=$(git ls-remote https://${GIT_SERVER}/yohan/docker-l2tp-client.git| head -1 | cut -f 1|cut -c -10) \
 sudo -E bash -c 'docker-compose up -d --force-recreate'