docker-openvpn/bin/ovpn_run

#!/bin/bash

#
# Run the OpenVPN server normally
#

if [ "$DEBUG" == "1" ]; then
  set -x
fi

set -e

cd $OPENVPN

# Build runtime arguments array based on environment
ARGS=("--config" "$OPENVPN/openvpn.conf")

source "$OPENVPN/ovpn_env.sh"

mkdir -p /dev/net
if [ ! -c /dev/net/tun ]; then
    mknod /dev/net/tun c 10 200
fi

if [ -d "$OPENVPN/ccd" ]; then
    ARGS+=("--client-config-dir" "$OPENVPN/ccd")
fi

# When using --net=host, use this to specify nat device.
[ -z "$OVPN_NATDEVICE" ] && OVPN_NATDEVICE=eth0

# Setup NAT forwarding if requested
if [ "$OVPN_DEFROUTE" != "0" ] || [ "$OVPN_NAT" == "1" ] ; then
    iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE || {
      iptables -t nat -A POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE
    }
    for i in "${OVPN_ROUTES[@]}"; do
        iptables -t nat -C POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE || {
          iptables -t nat -A POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE
        }
    done
fi

# Use a hacky hardlink as the CRL Needs to be readable by the user/group
# OpenVPN is running as.  Only pass arguments to OpenVPN if it's found.
if [ -r "$EASYRSA_PKI/crl.pem" ]; then
    if [ ! -r "$OPENVPN/crl.pem" ]; then
        ln "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem"
        chmod 644 "$OPENVPN/crl.pem"
    fi
    ARGS+=("--crl-verify" "$OPENVPN/crl.pem")
fi

ip -6 route show default 2>/dev/null
if [ $? = 0 ]; then
    echo "Enabling IPv6 Forwarding"
    # If this fails, ensure the docker container is run with --privileged
    # Could be side stepped with `ip netns` madness to drop privileged flag

    sysctl -w net.ipv6.conf.default.forwarding=1 || echo "Failed to enable IPv6 Forwarding default"
    sysctl -w net.ipv6.conf.all.forwarding=1 || echo "Failed to enable IPv6 Forwarding"
fi

if [ "$#" -gt 0 ]; then
    exec openvpn "$@"
else
    exec openvpn ${ARGS[@]}
fi
run: Handle NAT routes dynamically * Handle the NAT routes dynamically * Stop caring about backwards compatibility for now 2014-07-05 21:39:50 -07:00			`#!/bin/bash`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 11:13:59 -07:00
			`#`
			`# Run the OpenVPN server normally`
			`#`

Disable bash debug (xtrace) by default, re-enable with -e DEBUG=1 2015-02-28 02:45:31 -08:00			`if [ "$DEBUG" == "1" ]; then`
			`set -x`
			`fi`

			`set -e`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 11:13:59 -07:00
Set working dir in ovpn_run instead of Dockerfile 2016-05-28 21:39:47 -05:00			`cd $OPENVPN`

ovpn_run: Assume /etc/openvpn is read-only * Systemd service currently marks the mount as read-only, and this is regarded as good practice for server/daemon only operation. * Don't create /etc/openvpn/ccd as the mount may be read-only. * Append the client-config-dir command line argument if it is found to avoid mkdir operation. * Mount can easily be modified using a different docker run line with ":ro" on the volume mount. 2015-07-27 20:20:46 -07:00			`# Build runtime arguments array based on environment`
			`ARGS=("--config" "$OPENVPN/openvpn.conf")`

run: Handle NAT routes dynamically * Handle the NAT routes dynamically * Stop caring about backwards compatibility for now 2014-07-05 21:39:50 -07:00			`source "$OPENVPN/ovpn_env.sh"`

openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 11:13:59 -07:00			`mkdir -p /dev/net`
			`if [ ! -c /dev/net/tun ]; then`
			`mknod /dev/net/tun c 10 200`
			`fi`

ovpn_run: Assume /etc/openvpn is read-only * Systemd service currently marks the mount as read-only, and this is regarded as good practice for server/daemon only operation. * Don't create /etc/openvpn/ccd as the mount may be read-only. * Append the client-config-dir command line argument if it is found to avoid mkdir operation. * Mount can easily be modified using a different docker run line with ":ro" on the volume mount. 2015-07-27 20:20:46 -07:00			`if [ -d "$OPENVPN/ccd" ]; then`
			`ARGS+=("--client-config-dir" "$OPENVPN/ccd")`
run: Always ensure client dir exists * OpenVPN will fail to start if this directory doesn't exist. 2014-06-29 23:22:03 -07:00			`fi`

Add ability to set OVPN_NATDEVICE to target specific interface when using net=host 2015-08-24 17:19:40 +02:00			`# When using --net=host, use this to specify nat device.`
			`[ -z "$OVPN_NATDEVICE" ] && OVPN_NATDEVICE=eth0`

run: Handle NAT routes dynamically * Handle the NAT routes dynamically * Stop caring about backwards compatibility for now 2014-07-05 21:39:50 -07:00			`# Setup NAT forwarding if requested`
Create NAT if OVPN_NAT is set (flag -N) 2015-01-17 01:00:18 -08:00			`if [ "$OVPN_DEFROUTE" != "0" ] \|\| [ "$OVPN_NAT" == "1" ] ; then`
Add ability to set OVPN_NATDEVICE to target specific interface when using net=host 2015-08-24 17:19:40 +02:00			`iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE \|\| {`
			`iptables -t nat -A POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE`
avoid dup iptables rules 2014-10-23 09:16:51 -04:00			`}`
genconfig: Convert OVPN_ROUTES to array * Convert to an array to simplify the code. * This breaks running `ovpn_genconfig` multiple times with the same route argument as the array will just grow. This needs to be fixed in the future. * Recommended way to work around this is to remove ovpn_env.sh. 2014-07-09 10:34:39 -07:00			`for i in "${OVPN_ROUTES[@]}"; do`
Add ability to set OVPN_NATDEVICE to target specific interface when using net=host 2015-08-24 17:19:40 +02:00			`iptables -t nat -C POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE \|\| {`
			`iptables -t nat -A POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE`
avoid dup iptables rules 2014-10-23 09:16:51 -04:00			`}`
run: Handle NAT routes dynamically * Handle the NAT routes dynamically * Stop caring about backwards compatibility for now 2014-07-05 21:39:50 -07:00			`done`
			`fi`
ovpn: Remove reference to udp/1194 * Remove references to udp/1194. * Works better with non-standard ports and tcp. 2014-06-30 22:56:26 -07:00
crl: Pass crl-verify if found * Empty CRLs don't work. * Avoids confusing easyrsa during the init step where it thinks an existing PKI configuration exists. * Add to ovpn_run to help users that are upgrading and ran genconfig which now depends on the file being present. * Use a hardlink to tip toe around permissions issues. 2015-05-12 00:59:43 -07:00			`# Use a hacky hardlink as the CRL Needs to be readable by the user/group`
			`# OpenVPN is running as. Only pass arguments to OpenVPN if it's found.`
			`if [ -r "$EASYRSA_PKI/crl.pem" ]; then`
			`if [ ! -r "$OPENVPN/crl.pem" ]; then`
			`ln "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem"`
			`chmod 644 "$OPENVPN/crl.pem"`
			`fi`
ovpn_run: Assume /etc/openvpn is read-only * Systemd service currently marks the mount as read-only, and this is regarded as good practice for server/daemon only operation. * Don't create /etc/openvpn/ccd as the mount may be read-only. * Append the client-config-dir command line argument if it is found to avoid mkdir operation. * Mount can easily be modified using a different docker run line with ":ro" on the volume mount. 2015-07-27 20:20:46 -07:00			`ARGS+=("--crl-verify" "$OPENVPN/crl.pem")`
crl: Pass crl-verify if found * Empty CRLs don't work. * Avoids confusing easyrsa during the init step where it thinks an existing PKI configuration exists. * Add to ovpn_run to help users that are upgrading and ran genconfig which now depends on the file being present. * Use a hardlink to tip toe around permissions issues. 2015-05-12 00:59:43 -07:00			`fi`

run: Add IPv6 forwarding if default route * Enable IPv6 forwarding if docker daemon provided a default route * For now this requires the --privileged flag, but this could be hacked around using `ip netns` madness. 2015-07-05 21:07:06 -07:00			`ip -6 route show default 2>/dev/null`
			`if [ $? = 0 ]; then`
			`echo "Enabling IPv6 Forwarding"`
			`# If this fails, ensure the docker container is run with --privileged`
			# Could be side stepped with `ip netns` madness to drop privileged flag

ovpn_run: Fix sysctl IPv6 forwarding write * I'm not sure if this ever worked without the `-w` flag. Perhaps in an old version of sysctl? 2015-12-29 13:33:55 -08:00			`sysctl -w net.ipv6.conf.default.forwarding=1 \|\| echo "Failed to enable IPv6 Forwarding default"`
			`sysctl -w net.ipv6.conf.all.forwarding=1 \|\| echo "Failed to enable IPv6 Forwarding"`
run: Add IPv6 forwarding if default route * Enable IPv6 forwarding if docker daemon provided a default route * For now this requires the --privileged flag, but this could be hacked around using `ip netns` madness. 2015-07-05 21:07:06 -07:00			`fi`

run: Pass cmd line arguments to openvpn * Pass command line arguments to openvpn if passed in. Enables users to easily override or add settings. * Resolves #42 2015-05-09 15:17:17 -07:00			`if [ "$#" -gt 0 ]; then`
			`exec openvpn "$@"`
			`else`
ovpn_run: Assume /etc/openvpn is read-only * Systemd service currently marks the mount as read-only, and this is regarded as good practice for server/daemon only operation. * Don't create /etc/openvpn/ccd as the mount may be read-only. * Append the client-config-dir command line argument if it is found to avoid mkdir operation. * Mount can easily be modified using a different docker run line with ":ro" on the volume mount. 2015-07-27 20:20:46 -07:00			`exec openvpn ${ARGS[@]}`
run: Pass cmd line arguments to openvpn * Pass command line arguments to openvpn if passed in. Enables users to easily override or add settings. * Resolves #42 2015-05-09 15:17:17 -07:00			`fi`