#!/bin/bash
# Derive the tun device and the VPN subnet from the transport protocol.
# PROTO comes from the container environment; any value other than "udp"
# (including unset) selects the second instance.  Both values are passed
# explicitly to openvpn on the exec line at the end of this script.
case "$PROTO" in
  udp)
    DEV=tun0
    VPN_NET="10.88.0.0"
    ;;
  *)
    DEV=tun1
    VPN_NET="10.89.0.0"
    ;;
esac
#######################################
# Create the OpenVPN server configuration on first run, or migrate an
# existing one in place.
# Globals:   VPN_NET (read, expanded into the generated file)
# Outputs:   progress messages on stdout; writes
#            /etc/openvpn/server/config.ovpn
# Returns:   0
#######################################
writeServerConfig() {
  local cfg=/etc/openvpn/server/config.ovpn
  # An existing file is never regenerated; only two in-place edits are
  # applied: drop the retired "client-cert-not-required" option and
  # uncomment the "verify-client" line.  Both substitutions are per-line,
  # so a single sed pass equals the two separate passes.
  if [[ -f $cfg ]]; then
    sed -i -e 's/client-cert-not-required//' -e 's/^#verify-client/verify-client/' "$cfg"
    return
  fi
  echo First run...
  mkdir -p /etc/openvpn/server
  echo Generating server configuration...
  # Unquoted heredoc: $(hostname) and $VPN_NET are expanded at write time.
  # "dev tun0", "port 1194" and the "server" line are superseded at runtime
  # by the --proto/--dev/--server flags on the exec line of this script.
  # Client identity rests on PAM login alone (verify-client-cert none +
  # username-as-common-name); cipher and compression settings written
  # here apply to every connecting client.
  cat > "$cfg" << EOF
port 1194
dev tun0
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/$(hostname).crt
key /etc/openvpn/easy-rsa/pki/private/$(hostname).key
dh /etc/openvpn/easy-rsa/pki/dh.pem
cipher AES-256-CBC
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
verify-client-cert none
username-as-common-name
server $VPN_NET 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway autolocal"
#push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
duplicate-cn
#log-append /var/log/openvpn/openvpn.log
status /tmp/vpn.status 10
EOF
}
#######################################
# Create a client profile with the CA certificate inlined, unless one
# already exists.
# Outputs:   progress messages on stdout; writes
#            /etc/openvpn/client/client.ovpn
# Returns:   0
#######################################
writeClientConfig() {
  local cfg=/etc/openvpn/client/client.ovpn
  # Never overwrite a profile the operator may already have edited.
  [[ -f $cfg ]] && return
  echo Generating client configuration...
  mkdir -p /etc/openvpn/client
  # SERVER_NAME and PORT are literal placeholders for the operator to
  # replace (see the message at the end).  The heredoc is unquoted but
  # contains no shell expansions.  "ns-cert-type server" is the legacy
  # server-certificate check and is written unchanged.
  cat > "$cfg" << EOF
remote SERVER_NAME PORT
auth-user-pass
client
proto tcp
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
cipher AES-256-CBC
auth SHA1
comp-lzo
verb 3
# only route specific networks
# route-nopull
# route 10.0.0.0 255.0.0.0
EOF
  # Embed the CA so the profile is self-contained.
  {
    echo
    echo '<ca>'
    cat /etc/openvpn/easy-rsa/pki/ca.crt
    echo '</ca>'
  } >> "$cfg"
  echo You can find the client configuration in container volume or under /etc/openvpn/client
  echo "You need to modify the client configuration to reflect your setup (server name, port)"
}
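#######################################
# Produce a 10-character alphanumeric password from /dev/urandom.
# The previous derivation, "date | md5sum | head -c 10", had only the
# current second as entropy and was therefore guessable.
# Outputs:   the password on stdout (no trailing newline)
#######################################
_randomPassword() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 10
}

#######################################
# Create the PAM account used by OpenVPN clients, reusing a previously
# persisted password when one exists.
# Outputs:   progress messages on stdout; writes
#            /etc/openvpn/client/auth.txt (user on line 1, password on
#            line 2, mode 0600).  The password itself is no longer echoed
#            to stdout, since container logs are not a safe place for it.
# Returns:   0
#######################################
addVpnUser() {
  local auth_file=/etc/openvpn/client/auth.txt
  local password
  # Anchor the match so accounts such as "myvpn_user" are not mistaken
  # for the VPN account; -q keeps the check silent.
  if ! grep -q '^vpn_user:' /etc/passwd; then
    echo Adding user vpn_user...
    useradd -m vpn_user
    if [[ -f $auth_file ]]; then
      # Reuse the password persisted by an earlier container run.
      password=$(tail -n1 "$auth_file")
    else
      password=$(_randomPassword)
    fi
    echo Setting password for vpn_user...
    echo "vpn_user:${password}" | chpasswd
    mkdir -p /etc/openvpn/client
    # Same two-line layout as before (tail -n1 above relies on it); keep
    # the credential file readable by root only.
    printf '%s\n%s\n' vpn_user "$password" > "$auth_file"
    chmod 600 "$auth_file"
    echo You can find the authorization data in container volume or under /etc/openvpn/client
  fi
}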
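#######################################
# Build the easy-rsa PKI (CA, server certificate, DH parameters) once.
# Side effects: changes the working directory to /etc/openvpn/easy-rsa,
#            as the original did; later steps use absolute paths.
# Outputs:   progress messages on stdout
# Returns:   0 when the PKI exists or was created, 1 if any step failed
#            (the script runs without set -e, so failures were
#            previously silent and the next function ran anyway)
#######################################
generateCerts() {
  local pki=/etc/openvpn/easy-rsa/pki
  # dh.pem is the last artifact produced, so its presence marks a
  # complete earlier run.
  [[ -f $pki/dh.pem ]] && return
  echo Generating certificates...
  cp -r /usr/share/easy-rsa /etc/openvpn/ || return 1
  # Without this guard a failed cd would run ./easyrsa from the wrong
  # directory.
  cd /etc/openvpn/easy-rsa || return 1
  local server_name
  server_name=$(hostname) || return 1
  # EASYRSA_BATCH=1 on every step keeps the run non-interactive; this
  # should also cover the confirmation init-pki asks for when a partial
  # pki/ from a failed earlier run is still present — verify against the
  # easy-rsa version shipped in the image.
  EASYRSA_BATCH=1 ./easyrsa init-pki || return 1
  EASYRSA_BATCH=1 ./easyrsa --days=4000 build-ca nopass || return 1
  EASYRSA_BATCH=1 ./easyrsa --days=4000 build-server-full "$server_name" nopass || return 1
  EASYRSA_BATCH=1 ./easyrsa gen-dh || return 1
}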
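echo Starting...
# Init container: create the PKI and both configs, then stop.
if [[ $CONTAINER_TYPE == "INIT" ]]; then
  generateCerts
  writeServerConfig
  writeClientConfig
  exit 0
fi
# --proto takes a mandatory value; with PROTO empty openvpn would be
# started with a malformed command line, so refuse early with a clear
# message instead.
if [[ -z $PROTO ]]; then
  echo "PROTO must be set (udp or tcp) for the server container" >&2
  exit 1
fi
addVpnUser
echo Running OpenVPN server...
[[ -d /dev/net ]] || mkdir -p /dev/net
[[ -a /dev/net/tun ]] || mknod /dev/net/tun c 10 200
# Add the NAT rule only once: -C checks for it, -A appends if absent.
iptables -t nat -C POSTROUTING -s "$VPN_NET/24" -o eth+ -j MASQUERADE \
  || iptables -t nat -A POSTROUTING -s "$VPN_NET/24" -o eth+ -j MASQUERADE
# DEV and VPN_NET were already derived from PROTO at the top of the
# script; the former re-derivation here was redundant.  These flags
# override the corresponding lines in config.ovpn.
exec openvpn --config /etc/openvpn/server/config.ovpn --proto "$PROTO" --dev "$DEV" --server "$VPN_NET" 255.255.255.0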