container-openvpn/bin/ovpn_run
Kyle Manna e6f7904344 run: Add IPv6 forwarding if default route
* Enable IPv6 forwarding if docker daemon provided a default route
* For now this requires the --privileged flag, but this could be hacked
  around using `ip netns` madness.
2015-07-05 21:07:06 -07:00

61 lines
1.5 KiB
Bash
Executable File

#!/bin/bash
#
# Run the OpenVPN server normally
#
if [ "$DEBUG" == "1" ]; then
set -x
fi
set -e
source "$OPENVPN/ovpn_env.sh"
mkdir -p /dev/net
if [ ! -c /dev/net/tun ]; then
mknod /dev/net/tun c 10 200
fi
if [ ! -d "$OPENVPN/ccd" ]; then
mkdir -p /etc/openvpn/ccd
fi
# Setup NAT forwarding if requested
if [ "$OVPN_DEFROUTE" != "0" ] || [ "$OVPN_NAT" == "1" ] ; then
iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o eth0 -j MASQUERADE || {
iptables -t nat -A POSTROUTING -s $OVPN_SERVER -o eth0 -j MASQUERADE
}
for i in "${OVPN_ROUTES[@]}"; do
iptables -t nat -C POSTROUTING -s "$i" -o eth0 -j MASQUERADE || {
iptables -t nat -A POSTROUTING -s "$i" -o eth0 -j MASQUERADE
}
done
fi
# Use a hacky hardlink as the CRL Needs to be readable by the user/group
# OpenVPN is running as. Only pass arguments to OpenVPN if it's found.
if [ -r "$EASYRSA_PKI/crl.pem" ]; then
if [ ! -r "$OPENVPN/crl.pem" ]; then
ln "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem"
chmod 644 "$OPENVPN/crl.pem"
fi
ARGS=("--crl-verify" "$OPENVPN/crl.pem")
fi
ip -6 route show default 2>/dev/null
if [ $? = 0 ]; then
echo "Enabling IPv6 Forwarding"
# If this fails, ensure the docker container is run with --privileged
# Could be side stepped with `ip netns` madness to drop privileged flag
sysctl net.ipv6.conf.default.forwarding=1
sysctl net.ipv6.conf.all.forwarding=1
fi
if [ "$#" -gt 0 ]; then
exec openvpn "$@"
else
exec openvpn ${ARGS[@]} --config "$OPENVPN/openvpn.conf"
fi