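#!/bin/bash
#
# Run the OpenVPN server normally.
#
# Required env:  OPENVPN     - directory holding openvpn.conf and ovpn_env.sh
#                EASYRSA_PKI - PKI directory (only crl.pem is read here)
# Optional env:  DEBUG=1          - trace every command (set -x)
#                OVPN_NATDEVICE   - egress interface for MASQUERADE (default eth0)
#                OVPN_DEFROUTE/OVPN_NAT, OVPN_SERVER, OVPN_ROUTES - usually
#                                   provided by ovpn_env.sh
# Any positional arguments replace the generated openvpn argument list entirely.

if [ "$DEBUG" == "1" ]; then
  set -x
fi

set -e

# Fail loudly instead of silently `cd`-ing to $HOME and sourcing /ovpn_env.sh
# when OPENVPN is unset or empty.
cd "${OPENVPN:?OPENVPN must point at the server configuration directory}"

# Build runtime arguments array based on environment
ARGS=("--config" "$OPENVPN/openvpn.conf")

source "$OPENVPN/ovpn_env.sh"

# The TUN device node (char major 10, minor 200) is not always present inside
# a container; create it on demand.
mkdir -p /dev/net
if [ ! -c /dev/net/tun ]; then
  mknod /dev/net/tun c 10 200
fi

if [ -d "$OPENVPN/ccd" ]; then
  ARGS+=("--client-config-dir" "$OPENVPN/ccd")
fi

# When using --net=host, use this to specify nat device.
: "${OVPN_NATDEVICE:=eth0}"

#######################################
# Idempotently install a MASQUERADE rule for one source network:
# check for the rule first and append it only when it is missing.
# Globals:   OVPN_NATDEVICE (read)
# Arguments: $1 - source network in iptables -s syntax
# Returns:   non-zero if the rule is absent and cannot be added
#######################################
ensure_masquerade() {
  local src=$1
  iptables -t nat -C POSTROUTING -s "$src" -o "$OVPN_NATDEVICE" -j MASQUERADE ||
    iptables -t nat -A POSTROUTING -s "$src" -o "$OVPN_NATDEVICE" -j MASQUERADE
}

# Setup NAT forwarding if requested (the default unless OVPN_DEFROUTE=0).
if [ "$OVPN_DEFROUTE" != "0" ] || [ "$OVPN_NAT" == "1" ]; then
  # An empty OVPN_SERVER would otherwise turn into a malformed iptables call.
  : "${OVPN_SERVER:?OVPN_SERVER must be set (normally by ovpn_env.sh) to enable NAT}"
  ensure_masquerade "$OVPN_SERVER"
  for route in "${OVPN_ROUTES[@]}"; do
    ensure_masquerade "$route"
  done
fi

# Use a hacky hardlink as the CRL needs to be readable by the user/group
# OpenVPN is running as.  Only pass arguments to OpenVPN if it's found.
# Note: a hardlink shares the inode, so the chmod below also changes the
# mode of $EASYRSA_PKI/crl.pem itself.
if [ -r "$EASYRSA_PKI/crl.pem" ]; then
  if [ ! -r "$OPENVPN/crl.pem" ]; then
    ln "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem"
    chmod 644 "$OPENVPN/crl.pem"
  fi
  ARGS+=("--crl-verify" "$OPENVPN/crl.pem")
fi

# The command must live inside the condition: under `set -e` a bare
# `ip ...; if [ $? = 0 ]` aborts the script on failure before the test runs.
# NOTE(review): `ip -6 route show default` appears to exit 0 even when it
# prints no route, so this effectively tests that IPv6 routing is queryable
# at all rather than that a default route exists - confirm against iproute2.
if ip -6 route show default 2>/dev/null; then
  echo "Enabling IPv6 Forwarding"
  # If this fails, ensure the docker container is run with --privileged
  # Could be side stepped with `ip netns` madness to drop privileged flag
  sysctl -w net.ipv6.conf.default.forwarding=1 || echo "Failed to enable IPv6 Forwarding default"
  sysctl -w net.ipv6.conf.all.forwarding=1 || echo "Failed to enable IPv6 Forwarding"
fi

if [ "$#" -gt 0 ]; then
  exec openvpn "$@"
else
  # Quoted expansion keeps each argument (e.g. a path containing spaces) intact.
  exec openvpn "${ARGS[@]}"
fi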