From af605782688d00db3007ea86bf6abe41429fb3ff Mon Sep 17 00:00:00 2001 From: yohan <783b8c87@scimetis.net> Date: Tue, 31 Dec 2019 20:25:01 +0100 Subject: [PATCH] Generalization. --- client.conf | 14 -------------- docker-compose.yml | 15 ++------------- docker-compose.yml-subnet | 30 ++++++++++++++++++++++++++++++ entrypoint.sh | 28 ---------------------------- start_or_update.sh | 16 +++++++++++++--- vars | 2 ++ 6 files changed, 47 insertions(+), 58 deletions(-) delete mode 100644 client.conf create mode 100644 docker-compose.yml-subnet delete mode 100755 entrypoint.sh create mode 100644 vars diff --git a/client.conf b/client.conf deleted file mode 100644 index 5783889..0000000 --- a/client.conf +++ /dev/null @@ -1,14 +0,0 @@ -client -dev tun -proto udp -remote 92.222.98.176 1194 -resolv-retry infinite -nobind -persist-key -persist-tun -ca /etc/openvpn/client/ca.crt -cert /etc/openvpn/client/client-ovh1.crt -key /etc/openvpn/client/client-ovh1.key -ns-cert-type server -comp-lzo -verb 3 diff --git a/docker-compose.yml b/docker-compose.yml index 6a49d5b..50367f8 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -10,21 +10,10 @@ services: volumes: - ./keys:/etc/openvpn/client:Z - ./client.conf:/etc/openvpn/openvpn.conf:Z + - ./post-up.sh:/root/post-up.sh:Z cap_add: - NET_ADMIN - sysctls: - net.ipv4.ip_forward: 1 devices: - "/dev/net/tun:/dev/net/tun" dns: 80.67.169.12 - networks: - openvpn-network: - ipv4_address: 172.31.1.2 - -networks: - openvpn-network: - name: openvpn-network - ipam: - config: - - subnet: 172.31.1.0/24 - + network_mode: "host" diff --git a/docker-compose.yml-subnet b/docker-compose.yml-subnet new file mode 100644 index 0000000..2a280a0 --- /dev/null +++ b/docker-compose.yml-subnet 
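Review bot: `network_mode: "host"` together with the retained `cap_add: NET_ADMIN` lets the OpenVPN process, and whatever `./post-up.sh` is bind-mounted by the new `volumes` entry, rewrite the host's own routing table, iptables rules and interfaces rather than a private namespace, which is a far larger blast radius than the 172.31.1.0/24 bridge this hunk removes. If that is intended, confine the container to that single capability with `cap_drop:` / `- ALL` beside `cap_add`, and mount the script and key material read-only, e.g. `- ./post-up.sh:/root/post-up.sh:ro,Z`. The dropped `sysctls: net.ipv4.ip_forward: 1` would have acted on the host's namespace anyway in host mode, so if traffic from other machines is still meant to go through the tunnel (as the subnet variant and the deleted entrypoint.sh routing suggest) forwarding now has to be enabled on the host explicitly; a comment above `network_mode` stating that requirement would save the next deployer a debugging session.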
@@ -0,0 +1,30 @@ +# needs at least docker-compose 1.18.0 (1.10.0 for sysctls option and 1.18.0 for custom network name) +version: "2.1" + +services: + + vpn-client: + image: vpn-client:$VERSION_VPN_CLIENT + build: "https://git.scimetis.net/yohan/docker-VPN-client.git" + restart: always + volumes: + - ./keys:/etc/openvpn/client:Z + - ./client.conf:/etc/openvpn/openvpn.conf:Z + - ./post-up.sh:/root/post-up.sh:Z + cap_add: + - NET_ADMIN + sysctls: + net.ipv4.ip_forward: 1 + devices: + - "/dev/net/tun:/dev/net/tun" + dns: 80.67.169.12 + networks: + openvpn-network: + ipv4_address: 172.32.0.2 + +networks: + openvpn-network: + ipam: + config: + - subnet: 172.32.0.0/24 + diff --git a/entrypoint.sh b/entrypoint.sh deleted file mode 100755 index 2649042..0000000 --- a/entrypoint.sh +++ /dev/null @@ -1,28 +0,0 @@ -#!/bin/bash -# stop service and clean up here -function shut_down() { -/etc/init.d/squid stop -reset -echo "exited $0" -exit 0 -} - -# USE the trap if you need to also do manual cleanup after the service is stopped, -# or need to start multiple services in the one container -trap "shut_down" SIGINT SIGTERM SIGKILL - -/bin/ip route change default via ${subnet}.2 dev eth0 -bash -c '> /etc/resolv.conf' -echo "nameserver 80.67.169.12" >> /etc/resolv.conf -echo "100 toengine" >> /etc/iproute2/rt_tables -iptables -t mangle -A OUTPUT -p tcp --sport 3128 -j MARK --set-mark 01 -ip rule add fwmark 01 lookup toengine -ip route add default via ${subnet}.1 table toengine -# start service in background here -/etc/init.d/squid start -while pidof squid > /dev/null -do - sleep 3 -done -shut_down - diff --git a/start_or_update.sh b/start_or_update.sh index fc9dd8f..f988441 100755 --- a/start_or_update.sh +++ b/start_or_update.sh 
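Review bot: `- subnet: 172.32.0.0/24` and `ipv4_address: 172.32.0.2` in the new `networks` section are outside the RFC 1918 private ranges (172.16.0.0/12 ends at 172.31.255.255), so this bridge would shadow potentially routable public address space on the host and black-hole real traffic to it; the old compose file used 172.31.1.0/24. Pick a prefix inside 172.16.0.0/12 or 10.0.0.0/8, e.g. `ipv4_address: 172.31.2.2` and `- subnet: 172.31.2.0/24`. The header comment also claims docker-compose 1.18.0 is needed "for custom network name", but this variant no longer sets `name:` under `openvpn-network`, so either restore `name: openvpn-network` or trim the comment to the `sysctls` requirement.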
@@ -17,15 +17,25 @@ sudo bash -c "grep -q ipt_MARK $MODULE_FILE \ || { echo '# Loading ipt_MARK at boot is needed to use iptables -j MARK in docker containers' >> $MODULE_FILE; \ echo 'ipt_MARK' >> $MODULE_FILE; }" +source vars test -z $1 || HOST="_$1" test -z $2 || INSTANCE="_$2" -test -f ~/secrets.tar.gz.enc || curl -o ~/secrets.tar.gz.enc "https://cloud.scimetis.net/s/${KEY}/download?path=%2F&files=secrets.tar.gz.enc" +sudo rm -f keys/* +test -f ~/secrets.tar.gz.enc || curl -o ~/secrets.tar.gz.enc "https://${CLOUD_SERVER}/s/${KEY}/download?path=%2F&files=secrets.tar.gz.enc" openssl enc -aes-256-cbc -d -in ~/secrets.tar.gz.enc | sudo tar -zxv --strip 2 secrets/docker-VPN-client-stack${HOST}${INSTANCE}/keys -sudo chown -R root. client.conf keys +rm -rf ~/config +git clone https://${GIT_SERVER}/yohan/config.git ~/config +sudo cp -a ~/config/docker-VPN-client-stack${HOST}${INSTANCE}/client.conf ./ +test -f ~/config/docker-VPN-client-stack${HOST}${INSTANCE}/post-up.sh \ +&& sudo cp -a ~/config/docker-VPN-client-stack${HOST}${INSTANCE}/post-up.sh ./ \ +|| sudo bash -c 'echo "#!/bin/bash" > post-up.sh' +rm -rf ~/config +sudo chown -R root. client.conf keys post-up.sh +sudo chmod +x post-up.sh # --force-recreate is used to recreate container when crontab file has changed unset VERSION_VPN_CLIENT -VERSION_VPN_CLIENT=$(git ls-remote https://git.scimetis.net/yohan/docker-VPN-client.git| head -1 | cut -f 1|cut -c -10) \ +VERSION_VPN_CLIENT=$(git ls-remote https://${GIT_SERVER}/yohan/docker-VPN-client.git| head -1 | cut -f 1|cut -c -10) \ sudo -E bash -c 'docker-compose up -d --force-recreate' diff --git a/vars b/vars new file mode 100644 index 0000000..f2246db --- /dev/null +++ b/vars @@ -0,0 +1,2 @@ +CLOUD_SERVER=cloud.scimetis.net +GIT_SERVER=git.scimetis.net
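Review bot: The new `test -f … && sudo cp … || sudo bash -c 'echo "#!/bin/bash" > post-up.sh'` chain is not an if/else: when the config repo does ship a `post-up.sh` but `sudo cp` fails, the `||` branch runs and silently replaces it with an empty stub that is then `chown`ed and `chmod +x`ed as if it were the real script. Write it as an explicit `if`/`else` so a copy failure is visible. Separately, `client.conf` and `post-up.sh` are taken from whatever `${GIT_SERVER}/yohan/config.git` serves at clone time with no commit pinning or verification, and the docker-compose.yml change in this same commit mounts that script into a `NET_ADMIN` host-network container (presumably for the VPN client's up hook), so the git server effectively gains root-level control of the host's networking; checking out a pinned revision (e.g. a `CONFIG_REV` declared in `vars`) or a signed tag would bound that. The modified `curl` line also still lacks `-f`, so an HTTP error page would be saved as `~/secrets.tar.gz.enc` and surface only as a confusing `openssl` decrypt failure.
```shell
git clone https://${GIT_SERVER}/yohan/config.git ~/config
git -C ~/config checkout "${CONFIG_REV:?set CONFIG_REV in vars}"
CONFIG_DIR=~/config/docker-VPN-client-stack${HOST}${INSTANCE}
sudo cp -a "$CONFIG_DIR/client.conf" ./
if test -f "$CONFIG_DIR/post-up.sh"; then
  sudo cp -a "$CONFIG_DIR/post-up.sh" ./
else
  sudo bash -c 'echo "#!/bin/bash" > post-up.sh'
fi
# … unchanged: rm -rf ~/config, chown/chmod, VERSION_VPN_CLIENT and docker-compose up …
```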
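Review bot: `vars` is executed, not parsed — `start_or_update.sh` now does `source vars` — so any command placed in this file runs in the deploying user's shell, and its values are spliced unquoted into the `curl` and `git clone` URLs. A header comment should say so, e.g. `# Sourced by start_or_update.sh: shell assignments only. Hostnames used to build the secrets download URL and the config/image git URLs.` `KEY`, which the same download URL interpolates, is not declared here, so it is worth noting where that value is expected to come from.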