commit
1f47f361eb
@ -171,8 +171,6 @@ port 1194
dev tun0
dev tun0
status /tmp/openvpn-status.log
status /tmp/openvpn-status.log
client-config-dir $OPENVPN/ccd
user nobody
user nobody
group nogroup
group nogroup
EOF
EOF
@ -45,7 +45,7 @@ remote $OVPN_CN $OVPN_PORT $OVPN_PROTO
$(cat $EASYRSA_PKI/private/${cn}.key)
$(cat $EASYRSA_PKI/private/${cn}.key)
</key>
</key>
<cert>
<cert>
$(cat $EASYRSA_PKI/issued/${cn}.crt)
$(openssl x509 -in $EASYRSA_PKI/issued/${cn}.crt)
</cert>
</cert>
<ca>
<ca>
$(cat $EASYRSA_PKI/ca.crt)
$(cat $EASYRSA_PKI/ca.crt)
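Review bot: The new `$(openssl x509 -in $EASYRSA_PKI/issued/${cn}.crt)` leaves the path unquoted, as the neighbouring `$(cat $EASYRSA_PKI/private/${cn}.key)` and `$(cat $EASYRSA_PKI/ca.crt)` lines already do, so a `$EASYRSA_PKI` or `$cn` containing whitespace or glob characters is split before openssl sees it; write `$(openssl x509 -in "$EASYRSA_PKI/issued/${cn}.crt")` and quote the two `cat` paths the same way. Because the substitution appears to sit inside a here-document that begins and ends outside this hunk, an openssl failure on a missing or unreadable certificate only reaches stderr and produces an empty `<cert>` block in the generated client profile instead of a non-zero exit, which is easy to miss until the client fails to connect. A guard before the here-document such as `[ -r "$EASYRSA_PKI/issued/${cn}.crt" ] || exit 1` makes that failure loud.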
21
bin/ovpn_run
21
bin/ovpn_run
@ -10,6 +10,9 @@ fi
set -e
set -e
# Build runtime arguments array based on environment
ARGS=("--config" "$OPENVPN/openvpn.conf")
source "$OPENVPN/ovpn_env.sh"
source "$OPENVPN/ovpn_env.sh"
mkdir -p /dev/net
mkdir -p /dev/net
@ -17,8 +20,8 @@ if [ ! -c /dev/net/tun ]; then
mknod /dev/net/tun c 10 200
mknod /dev/net/tun c 10 200
fi
fi
if [ ! -d "$OPENVPN/ccd" ]; then
if [ -d "$OPENVPN/ccd" ]; then
mkdir -p /etc/openvpn/ccd
ARGS+=("--client-config-dir" "$OPENVPN/ccd")
fi
fi
# Setup NAT forwarding if requested
# Setup NAT forwarding if requested
@ -40,11 +43,21 @@ if [ -r "$EASYRSA_PKI/crl.pem" ]; then
ln "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem"
ln "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem"
chmod 644 "$OPENVPN/crl.pem"
chmod 644 "$OPENVPN/crl.pem"
fi
fi
ARGS=("--crl-verify" "$OPENVPN/crl.pem")
ARGS+=("--crl-verify" "$OPENVPN/crl.pem")
fi
ip -6 route show default 2>/dev/null
if [ $? = 0 ]; then
echo "Enabling IPv6 Forwarding"
# If this fails, ensure the docker container is run with --privileged
# Could be side stepped with `ip netns` madness to drop privileged flag
sysctl net.ipv6.conf.default.forwarding=1
sysctl net.ipv6.conf.all.forwarding=1
fi
fi
if [ "$#" -gt 0 ]; then
if [ "$#" -gt 0 ]; then
exec openvpn "$@"
exec openvpn "$@"
else
else
exec openvpn ${ARGS[@]} --config "$OPENVPN/openvpn.conf"
exec openvpn ${ARGS[@]}
fi
fi
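Review bot: In the third hunk, `ip -6 route show default 2>/dev/null` followed by `if [ $? = 0 ]; then` does not gate the IPv6 forwarding sysctls the way the comment suggests: with the `set -e` added in the first hunk still in force, a non-zero exit from `ip` (for example when the kernel has IPv6 disabled) aborts the script before the test is ever evaluated, and on the iproute2 builds I have used the command exits 0 with empty output when no default route exists, so the branch is taken either way. Testing the output rather than the status gives the intended behaviour in both cases: `if ip -6 route show default 2>/dev/null | grep -q .; then`. The `else` branch's `exec openvpn ${ARGS[@]}` expands the array unquoted, so any element with whitespace or glob characters is re-split or expanded before openvpn sees it; now that the whole command line is built from `ARGS`, write `exec openvpn "${ARGS[@]}"`.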
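--- a/docs/docker.md
+++ b/docs/docker.md
@@ -0,0 +1,52 @@
+# Install Latest Docker Service
+
+Docker included with some distributions lags far behind upstream. This guide aims to provide a quick and reliable way to install or update it.
+
+It is recommended to use platforms that support systemd as future versions of this docker image may require systemd to help with some tasks:
+
+* Fedora
+* Debian 8.1+
+
+## Debian / Ubuntu
+
+### Step 1 — Set Up Docker
+
+Docker is moving fast and Debian / Ubuntu's long term support (LTS) policy doesn't keep up. To work around this we'll install a PPA that will get us the latest version of Docker.
+
+Ensure dependencies are installed:
+
+sudo apt-get update && sudo apt-get install -y apt-transport-https curl
+
+Add the upstream Docker repository package signing key. The apt-key command uses elevated privileges via sudo, so a password prompt for the user's password may appear:
+
+curl https://get.docker.io/gpg | sudo apt-key add -
+
+Add the upstream Docker repository to the system list:
+
+echo deb https://get.docker.io/ubuntu docker main | sudo tee /etc/apt/sources.list.d/docker.list
+
+Update the package list and install the Docker package:
+
+sudo apt-get update && sudo apt-get install -y lxc-docker
+
+Add your user to the `docker` group to enable communication with the Docker daemon as a normal user, where `$USER` is your username. Exit and log in again for the new group to take effect:
+
+sudo usermod -aG docker $USER
+
+After **re-logging in** verify the group membership using the id command. The expected response should include docker like the following example:
+
+uid=1001(test0) gid=1001(test0) groups=1001(test0),27(sudo),999(docker)
+
+### Step 2 — Test Docker
+
+Run a Debian jessie docker container:
+
+docker run --rm -it debian:jessie bash -l
+
+Once inside the container you'll see the `root@<container id>:/#` prompt signifying that the current shell is in a Docker container. To confirm that it's different from the host, check the version of Debian running in the container:
+
+cat /etc/issue.net
+
+Expected result:
+
+Debian GNU/Linux 8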
@ -1,5 +1,12 @@
# Frequently Asked Questions
# Frequently Asked Questions
## How do I edit `openvpn.conf`?
Use a Docker image with a text editor pre-installed (i.e. Ubuntu) and connect the volume container:
docker run --volumes-from $OVPN_DATA --rm -it ubuntu vi /etc/openvpn/openvpn.conf
## Why not keep everything in one image?
## Why not keep everything in one image?
The run-time image (`kylemanna/openvpn`) is intended to be an ephemeral image. Nothing should be saved in it so that it can be re-downloaded and re-run when updates are pushed (i.e. newer version of OpenVPN or even Debian). The data container contains all this data and is attached at run time providing a safe home.
The run-time image (`kylemanna/openvpn`) is intended to be an ephemeral image. Nothing should be saved in it so that it can be re-downloaded and re-run when updates are pushed (i.e. newer version of OpenVPN or even Debian). The data container contains all this data and is attached at run time providing a safe home.
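--- a/docs/ipv6.md
+++ b/docs/ipv6.md
@@ -0,0 +1,91 @@
+# IPv6 Support
+
+This is a work in progress, more polish to follow. Use the `dev` git branch and `dev` docker image tag for testing.
+
+## Tunnel IPv6 Address To OpenVPN Clients
+
+This feature is advanced and recommended only for those who already have a functioning IPv4 tunnel and know how IPv6 works.
+
+Systemd is used to setup a static route and Debian 8.1 or later is recommended as the host distribution. Others probably work, but haven't been tested.
+
+
+### Step 1 — Setup IPv6 on the Host Machine
+
+The tutorial uses a free tunnel from [tunnelbroker.net](https://tunnelbroker.net/) to get a /64 and /48 prefix allocated to me. The tunnel endpoint is less then 3 ms away from Digital Ocean's San Francisco datacenter.
+
+Place the following in `/etc/network/interfaces`. Relace `PUBLIC_IP` with your host's public IPv4 address and replace 2001:db8::2 and 2001:db8::1 with the corresponding tunnel endpoints:
+
+auto he-ipv6
+iface he-ipv6 inet6 v4tunnel
+address 2001:db8::2
+netmask 64
+endpoint 72.52.104.74
+local PUBLIC_IP
+ttl 255
+gateway 2001:db8::1
+
+Bring the interface up:
+
+ifup he-ipv6
+
+Test that IPv6 works on the host:
+
+ping6 google.com
+
+If this doesn't work, figure it out. It may be necessary to add an firewall rule to allow IP protocol 41 through the firewall.
+
+
+### Step 2 — Update Docker's Init To Enable IPv6 Support
+
+Copy the system's existing docker file and append the `--ipv6` argument to the end of the command line:
+
+sed -e 's:^\(ExecStart.*\):\1 --ipv6:' /lib/systemd/system/docker.service | tee /etc/systemd/system/docker.service
+
+Reload the daemon and restart docker so that it takes affect:
+
+systemctl daemon-reload && systemctl restart docker.service
+
+
+### Step 3 — Setup the systemd Unit File
+
+Copy the systemd init file from the docker-openvpn /init directory of the repository and install into `/etc/systemd/system/docker-openvpn.service`
+
+curl -o /etc/systemd/system/docker-openvpn.service https://raw.githubusercontent.com/kylemanna/docker-openvpn/dev/init/docker-openvpn.service
+
+Edit the file, replace `IP6_PREFIX` value with the value of your /64 prefix.
+
+vi /etc/systemd/system/docker-openvpn.service
+
+Finally, reload systemd so the changes take affect:
+
+systemctl daemon-reload
+
+### Step 4 — Start OpenVPN
+
+Ensure that OpenVPN has been initialized and configured as described in the top level `README.md`.
+
+Start the systemd service file:
+
+systemctl start docker-openvpn
+
+Verify logs if needed:
+
+systemctl status docker-openvpn
+docker logs openvpn0
+
+### Step 4 — Modify Client Config for IPv6 Default Route
+
+Append the default route for the public Internet:
+
+echo "route-ipv6 2000::/3" >> clientname.ovpn
+
+### Step 5 — Start up Client
+
+If all went according to plan, then `ping6 2600::` and `ping6 google.com` should work.
+
+Fire up a web browser and attempt to navigate to [https://ipv6.google.com](https://ipv6.google.com).
+
+
+## Connect to the OpenVPN Server Over IPv6
+
+Not implemented, yet.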
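--- a/init/docker-openvpn@.service
+++ b/init/docker-openvpn@.service
@@ -0,0 +1,44 @@
+[Unit]
+Description=OpenVPN Docker Container
+Documentation=https://github.com/kylemanna/docker-openvpn
+After=network.target docker.socket
+Requires=docker.socket
+
+[Service]
+RestartSec=10
+Restart=always
+
+# Modify IP6_PREFIX to match network config
+#Environment="IP6_PREFIX=2001:db8::/64"
+#Environment="ARGS=--config openvpn.conf --server-ipv6 2001:db8::/64"
+Environment="NAME=ovpn-%i"
+Environment="DATA_VOL=ovpn-data-%i"
+Environment="IMG=kylemanna/openvpn:dev"
+Environment="PORT=1194:1194/udp"
+
+# To override environment variables, use local configuration directory:
+# /etc/systemd/system/docker-openvpn@foo.d/local.conf
+# http://www.freedesktop.org/software/systemd/man/systemd.unit.html
+
+# Clean-up bad state if still hanging around
+ExecStartPre=-/usr/bin/docker rm -f $NAME
+
+# Attempt to pull new image for security updates
+ExecStartPre=-/usr/bin/docker pull $IMG
+
+# IPv6: Ensure forwarding is enabled on host's networking stack (hacky)
+# Would be nice to use systemd-network on the host, but this doens't work
+# http://lists.freedesktop.org/archives/systemd-devel/2015-June/032762.html
+ExecStartPre=/bin/sh -c 'test -z "$IP6_PREFIX" && exit 0; sysctl net.ipv6.conf.all.forwarding=1'
+
+# Main process
+ExecStart=/usr/bin/docker run --rm --privileged --volumes-from ${DATA_VOL}:ro --name ${NAME} -p ${PORT} ${IMG} ovpn_run $ARGS
+
+# IPv6: Add static route for IPv6 after it starts up
+ExecStartPost=/bin/sh -c 'test -z "${IP6_PREFIX}" && exit 0; sleep 1; ip route replace ${IP6_PREFIX} via $(docker inspect -f "{{ .NetworkSettings.GlobalIPv6Address }}" $NAME ) dev docker0'
+
+# IPv6: Clean-up
+ExecStopPost=/bin/sh -c 'test -z "$IP6_PREFIX" && exit 0; ip route del $IP6_PREFIX dev docker0'
+
+[Install]
+WantedBy=multi-user.target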
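Review bot: The `ExecStart=` line runs the container with `--privileged`, which grants it every host capability and device, while the privileged work visible in ovpn_run elsewhere in this commit is limited to creating `/dev/net/tun` and writing `net.ipv6.conf.*.forwarding`; `--cap-add=NET_ADMIN --device=/dev/net/tun` covers the tun device and interface/route setup, and this unit already performs the host-side forwarding sysctl itself in `ExecStartPre`, so either narrow the flags or add a comment above `# Main process` stating which in-container operation still requires `--privileged`. Separately, `ExecStartPre=-/usr/bin/docker pull $IMG` with `Environment="IMG=kylemanna/openvpn:dev"` re-pulls a mutable tag on every restart, so the code that runs as a privileged container can change with no change to this unit or to the host; pin a release tag or an image digest for production and keep `dev` behind the drop-in override the comments already describe. The `ExecStartPost` route-add relies on `sleep 1` for the container to have obtained its IPv6 address, which is a timing assumption worth noting in the `# IPv6: Add static route` comment.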