-
-
Notifications
You must be signed in to change notification settings - Fork 38
/
docker-entrypoint.sh
executable file
·97 lines (75 loc) · 2.87 KB
/
docker-entrypoint.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
#!/bin/bash
#VERSION 0.2.3 by @d3vilh@github.com aka Mr. Philipp
set -e
#Variables
EASY_RSA=/usr/share/easy-rsa
OPENVPN_DIR=/etc/openvpn
echo "EasyRSA path: $EASY_RSA OVPN path: $OPENVPN_DIR"
if [[ ! -f $OPENVPN_DIR/pki/ca.crt ]]; then
export EASYRSA_BATCH=1 # see https://superuser.com/questions/1331293/easy-rsa-v3-execute-build-ca-and-gen-req-silently
cd $EASY_RSA
# Building the CA
echo 'Setting up public key infrastructure...'
$EASY_RSA/easyrsa init-pki
# Copy easy-rsa variables
cp $OPENVPN_DIR/config/easy-rsa.vars $EASY_RSA/pki/vars
# Listing env parameters:
echo "Following EASYRSA variables will be used:"
cat $EASY_RSA/pki/vars | awk '{$1=""; print $0}';
echo 'Generating ertificate authority...'
$EASY_RSA/easyrsa build-ca nopass
# Creating the Server Certificate, Key, and Encryption Files
echo 'Creating the Server Certificate...'
$EASY_RSA/easyrsa gen-req server nopass
echo 'Sign request...'
$EASY_RSA/easyrsa sign-req server server
echo 'Generate Diffie-Hellman key...'
$EASY_RSA/easyrsa gen-dh
echo 'Generate HMAC signature...'
openvpn --genkey --secret $EASY_RSA/pki/ta.key
echo 'Create certificate revocation list (CRL)...'
$EASY_RSA/easyrsa gen-crl
chmod +r $EASY_RSA/pki/crl.pem
# Copy to mounted volume
cp -r $EASY_RSA/pki/. $OPENVPN_DIR/pki
else
echo 'PKI already set up.'
fi
# Listing env parameters:
echo "Following EASYRSA variables were set during CA init:"
cat $OPENVPN_DIR/pki/vars | awk '{$1=""; print $0}';
# Configure network
mkdir -p /dev/net
if [ ! -c /dev/net/tun ]; then
mknod /dev/net/tun c 10 200
fi
echo 'Configuring networking rules...'
if ! grep -q 'net.ipv4.ip_forward=1' /etc/sysctl.conf; then
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf;
echo 'IP forwarding configuration now applied:'
else
echo 'IP forwarding configuration already applied:'
fi
sysctl -p /etc/sysctl.conf
echo 'Configuring iptables...'
echo 'NAT for OpenVPN clients'
iptables -t nat -A POSTROUTING -s $TRUST_SUB -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s $GUEST_SUB -o eth0 -j MASQUERADE
echo 'Blocking ICMP for external clients'
iptables -A FORWARD -p icmp -j DROP --icmp-type echo-request -s $GUEST_SUB
iptables -A FORWARD -p icmp -j DROP --icmp-type echo-reply -s $GUEST_SUB
echo 'Blocking internal home subnet to access from external openvpn clients (Internet still available)'
iptables -A FORWARD -s $GUEST_SUB -d $HOME_SUB -j DROP
if [[ ! -s fw-rules.sh ]]; then
echo "No additional firewall rules to apply."
else
echo "Applying firewall rules"
./fw-rules.sh
echo 'Additional firewall rules applied.'
fi
echo 'IPT MASQ Chains:'
iptables -t nat -L | grep MASQ
echo 'IPT FWD Chains:'
iptables -v -x -n -L | grep DROP
echo 'Start openvpn process...'
/usr/sbin/openvpn --cd $OPENVPN_DIR --script-security 2 --config $OPENVPN_DIR/server.conf