Added IPv6 examples

Author: SloCompTech

root/defaults/example/config/basic_nat_ipv6/README.md

@@ -0,0 +1,21 @@
+# basic_nat_ipv6
+
+Features:  
+
+- Works out of the box on bridge or host network
+- NAT (Network translation protocol)
+- Has configuration wizard
+- LAN protection (does not allow traffic to LANs connected to server)
+
+## Configure
+
+``` bash
+ovpn_enconf basic_nat
+#Protocol udp, tcp, udp6, tcp6 [udp]:
+#VPN network [10.0.0.0]:
+#VPN IPv6 network with CIDR [2001:db8::/32]:
+#Port [1194]:
+#Public IP or domain of server: <PUBLIC IP>
+#DNS1 [8.8.8.8]:
+#DNS2 [8.8.4.4]:
+```

root/defaults/example/config/basic_nat_ipv6/client/client.conf

@@ -0,0 +1,34 @@
+#
+# Basic OpenVPN server configuration
+# @author Martin Dagarin
+# @version 2
+# @since 12/03/2019
+#
+
+# Basic info
+client
+dev tun0
+proto $PROTO
+nobind
+
+# Remote info
+remote $SERVER_IP $PORT
+
+# Connection settings
+resolv-retry infinite
+persist-key
+persist-tun
+
+# Encryption settings
+cipher AES-256-GCM
+
+# Additional settings
+compress lzo
+verb 3
+
+# Permissions
+user nobody
+group nogroup
+
+# CA
+remote-cert-tls server

root/defaults/example/config/basic_nat_ipv6/config/server.conf

@@ -0,0 +1,46 @@
+#
+# Basic OpenVPN server configuration
+# @author Martin Dagarin
+# @version 3
+# @since 12/03/2019
+#
+
+# Basic info
+proto $PROTO
+port $PORT
+
+# Network info (local VPN network)
+topology subnet
+server $NETWORK_ADDRESS 255.255.255.0
+server-ipv6 $NETWORK_ADDRESS_IPV6
+
+push "redirect-gateway def1 bypass-dhcp"
+push "route-ipv6 ::/0"
+push "dhcp-option DNS $DNS1"
+push "dhcp-option DNS $DNS2"
+
+ifconfig-pool-persist /config/tmp/ipp.txt
+
+# CA files
+ca /config/pki/ca.crt
+cert /config/pki/issued/server.crt
+key /config/pki/private/server.key
+dh /config/pki/dh.pem
+tls-crypt /config/pki/ta.key
+remote-cert-tls client
+
+# Connection settings
+persist-key
+persist-tun
+
+# Encryption settings
+cipher AES-256-GCM
+
+# Verify client certificate
+verify-client-cert require
+
+# Additional settings
+client-to-client
+keepalive 10 120
+compress lzo
+explicit-exit-notify 1

root/defaults/example/config/basic_nat_ipv6/hooks/down/10-network.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/with-contenv bash
+
+source /app/hookBaseFirewallDestroy.sh
+
+#
+#   Network clear
+#
+echo "Clearing OpenVPN releated firewall rules"
+
+# Close OpenVPN port to outside
+ovpn-iptables -D INPUT -p udp -m udp --dport $PORT -j ACCEPT -m comment --comment "Open OpenVPN port"
+ovpn-ip6tables -D INPUT -p udp -m udp --dport $PORT -j ACCEPT -m comment --comment "Open OpenVPN port"
+
+# Disable LAN protection of VPN
+ovpn-iptables -D FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o $OUT_INT -d 10.0.0.0/8 -j REJECT -m comment --comment "Drop traffic VPN --> LANs"
+ovpn-iptables -D FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o $OUT_INT -d 192.168.0.0/16 -j REJECT -m comment --comment "Drop traffic VPN --> LANs"
+ovpn-iptables -D FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o $OUT_INT -d 172.16.0.0/12 -j REJECT -m comment --comment "Drop traffic VPN --> LANs"
+
+# Disable Routing Internet <--> VPN network
+ovpn-iptables -D FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o $OUT_INT -j ACCEPT -m comment --comment "Allow traffic VPN --> Internet"
+ovpn-iptables -D FORWARD -i $OUT_INT -d $NETWORK_ADDRESS/24 -o tun0 -j ACCEPT -m comment --comment "Allow traffic Internet --> VPN"
+ovpn-ip6tables -D FORWARD -i tun0 -s $NETWORK_ADDRESS_IPV6 -o $OUT_INT -j ACCEPT -m comment --comment "Allow traffic VPN --> Internet"
+ovpn-ip6tables -D FORWARD -i $OUT_INT -d $NETWORK_ADDRESS_IPV6 -o tun0 -j ACCEPT -m comment --comment "Allow traffic Internet --> VPN"
+
+# Disable NAT for VPN traffic
+ovpn-iptables -t nat -D POSTROUTING -s $NETWORK_ADDRESS/24 -o $OUT_INT -j MASQUERADE -m comment --comment "NAT traffic VPN --> Internet"
+ovpn-ip6tables -t nat -D POSTROUTING -s $NETWORK_ADDRESS_IPV6 -o $OUT_INT -j MASQUERADE -m comment --comment "NAT traffic VPN --> Internet"

root/defaults/example/config/basic_nat_ipv6/hooks/finish/10-network.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/with-contenv bash
+
+source /app/hookBaseFirewallDestroy.sh
+
+#
+#   Network clear
+#
+echo "Clearing up basic firewall rules"
+
+# Accept everything from input
+ovpn-iptables -P INPUT ACCEPT
+ovpn-ip6tables -P INPUT ACCEPT
+
+# Delete: Allow established connection 
+ovpn-iptables -D INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Accept traffic from established connections"
+ovpn-ip6tables -D INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Accept traffic from established connections"
+
+# Delete: Allow ICMP ping request
+ovpn-iptables -D INPUT -p icmp --icmp-type 8 -j ACCEPT
+ovpn-ip6tables -D INPUT -p icmp --icmp-type 128 -j ACCEPT
+
+# Accept all forwarded traffic
+ovpn-iptables -P FORWARD ACCEPT
+ovpn-ip6tables -P FORWARD ACCEPT

root/defaults/example/config/basic_nat_ipv6/hooks/init/10-network.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/with-contenv bash
+
+source /app/hookBaseFirewallSetup.sh
+
+#
+#   Network initialization
+#
+echo "Setting up basic firewall rules"
+
+#
+# Because default iptables rules are set to ACCEPT all connection, we need to put some
+# security settings in place
+#
+
+# Drop everything from input
+ovpn-iptables -P INPUT DROP
+ovpn-ip6tables -P INPUT DROP
+
+# Allow established connection 
+ovpn-iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Accept traffic from established connections"
+ovpn-ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Accept traffic from established connections"
+
+# Allow ICMP ping request
+ovpn-iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
+ovpn-ip6tables -A INPUT -p icmp --icmp-type 128 -j ACCEPT
+
+# Drop all forwarded traffic
+ovpn-iptables -P FORWARD DROP
+ovpn-ip6tables -P FORWARD DROP

root/defaults/example/config/basic_nat_ipv6/hooks/up/10-network.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/with-contenv bash
+
+source /app/hookBaseFirewallSetup.sh
+
+#
+#   Network initialization
+#
+echo "Setting up OpenVPN related firewall rules"
+
+# Open OpenVPN port to outside
+ovpn-iptables -A INPUT -p udp -m udp --dport $PORT -j ACCEPT -m comment --comment "Open OpenVPN port"
+ovpn-ip6tables -A INPUT -p udp -m udp --dport $PORT -j ACCEPT -m comment --comment "Open OpenVPN port"
+
+# Protect LANs after VPN
+ovpn-iptables -A FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o $OUT_INT -d 10.0.0.0/8 -j REJECT -m comment --comment "Drop traffic VPN --> LANs"
+ovpn-iptables -A FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o $OUT_INT -d 192.168.0.0/16 -j REJECT -m comment --comment "Drop traffic VPN --> LANs"
+ovpn-iptables -A FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o $OUT_INT -d 172.16.0.0/12 -j REJECT -m comment --comment "Drop traffic VPN --> LANs"
+
+# Allow Routing Internet <--> VPN network
+ovpn-iptables -A FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o $OUT_INT -j ACCEPT -m comment --comment "Allow traffic VPN --> Internet"
+ovpn-iptables -A FORWARD -i $OUT_INT -d $NETWORK_ADDRESS/24 -o tun0 -j ACCEPT -m comment --comment "Allow traffic Internet --> VPN"
+ovpn-ip6tables -A FORWARD -i tun0 -s $NETWORK_ADDRESS_IPV6 -o $OUT_INT -j ACCEPT -m comment --comment "Allow traffic VPN --> Internet"
+ovpn-ip6tables -A FORWARD -i $OUT_INT -d $NETWORK_ADDRESS_IPV6 -o tun0 -j ACCEPT -m comment --comment "Allow traffic Internet --> VPN"
+
+# Preform NAT for VPN traffic
+ovpn-iptables -t nat -A POSTROUTING -s $NETWORK_ADDRESS/24 -o $OUT_INT -j MASQUERADE -m comment --comment "NAT traffic VPN --> Internet"
+ovpn-ip6tables -t nat -A POSTROUTING -s $NETWORK_ADDRESS_IPV6 -o $OUT_INT -j MASQUERADE -m comment --comment "NAT traffic VPN --> Internet"

root/defaults/example/config/basic_nat_ipv6/wizard

@@ -0,0 +1,95 @@
+#!/usr/bin/python
+
+#
+#   Config wizard for basic_nat example
+#   @author Martin Dagarin
+#   @version 1
+#   @since 19/03/2019
+#
+
+#   Defaults:
+#       Protocol: udp
+#       Network: 10.0.0.0
+#       Port: 1194
+#       DNS: 8.8.8.8, 2001:4860:4860::8888
+#
+
+import sys, os
+
+# Import libraries included in this docker
+sys.path.insert(0, '/app')
+import libovpn
+
+# Check if temporary path was passed to this script
+if len(sys.argv) < 2:
+    print("Temporary path was not passed to wizard")
+    sys.exit(1)
+TEMP_PATH = sys.argv[1]
+if not os.path.isdir(TEMP_PATH):
+    print("Specified directory does not exist")
+    sys.exit(2)
+
+# Select output interface
+out_int = input("Out interface [eth0]:")
+if len(out_int) == 0:
+    out_int = "eth0"
+
+# Select protocol
+protocol = input("Protocol udp, tcp, udp6, tcp6 [udp]:")
+AVAILABLE_PROTOCOLS = ["udp", "tcp", "udp6", "tcp6"]
+if len(protocol) != 0 and protocol not in AVAILABLE_PROTOCOLS:
+    print("Invalid protocol")
+    sys.exit(3)
+if len(protocol) == 0:
+    protocol = "udp"
+
+# Select network
+network = input("VPN network [10.0.0.0]:")
+if len(network) == 0:
+  network = "10.0.0.0"
+networkv6 = input("VPN IPv6 network with CIDR [2001:db8::/32]:")
+if len(network) == 0:
+  print("Invalid network")
+    sys.exit(4)
+
+# Select port
+port = input("Port [1194]:")
+if len(port) == 0:
+  port="1194"
+
+# Select Public IP or domain
+public = input("Public IP or domain of server:")
+if len(public) == 0:
+  print("Invalid Public IP")
+  sys.exit(5)
+
+# DNS servers
+dns1 = input("DNS1 [8.8.8.8]:")
+if len(dns1) == 0:
+  dns1 = "8.8.8.8"
+dns2 = input("DNS2 [2001:4860:4860::8888]:")
+if len(dns2) == 0:
+  dns2 = "2001:4860:4860::8888"
+
+
+# Write to server config
+vars = [
+  ("$OUT_INT", out_int),
+  ("$PROTO", protocol),
+  ("$PORT", port),
+  ("$NETWORK_ADDRESS", network),
+  ("$NETWORK_ADDRESS_IPV6", networkv6),
+  ("$SERVER_IP", public),
+  ("$DNS1", dns1),
+  ("$DNS2", dns2)
+]
+
+# Process config files
+confs = [
+  "/config/server.conf",
+  "/client/client.conf",
+  "/hooks/down/10-network.sh",
+  "/hooks/up/10-network.sh"
+]
+for config_file in confs:
+  libovpn.conf_envsubst(TEMP_PATH + config_file, vars)

root/defaults/example/config/basic_nat_wlp_ipv6/README.md

@@ -0,0 +1,21 @@
+# basic_nat_wlp_ipv6
+
+Features:  
+
+- Works out of the box on bridge or host network
+- NAT (Network translation protocol)
+- Has configuration wizard
+- **WITHOUT** LAN protection (does not allow traffic to LANs connected to server), so you can still access devices in LAN (but **routed** example is recommended, because here traffic is still NAT-ed)
+
+## Configure
+
+``` bash
+ovpn_enconf basic_nat
+#Protocol udp, tcp, udp6, tcp6 [udp]:
+#VPN network [10.0.0.0]:
+#VPN IPv6 network with CIDR [2001:db8::/32]:
+#Port [1194]:
+#Public IP or domain of server: <PUBLIC IP>
+#DNS1 [8.8.8.8]:
+#DNS2 [8.8.4.4]:
+```

root/defaults/example/config/basic_nat_wlp_ipv6/client/client.conf

@@ -0,0 +1,34 @@
+#
+# Basic OpenVPN server configuration
+# @author Martin Dagarin
+# @version 2
+# @since 12/03/2019
+#
+
+# Basic info
+client
+dev tun0
+proto $PROTO
+nobind
+
+# Remote info
+remote $SERVER_IP $PORT
+
+# Connection settings
+resolv-retry infinite
+persist-key
+persist-tun
+
+# Encryption settings
+cipher AES-256-GCM
+
+# Additional settings
+compress lzo
+verb 3
+
+# Permissions
+user nobody
+group nogroup
+
+# CA
+remote-cert-tls server