Rewrite README.md and clean up entry.sh

yacht7 · yacht7 · commit 13868bbef76b · 2020-05-01T21:23:24.000Z
- Added trap and cleanup function for cleaner and faster container stops.
- A copy of the OpenVPN config file is made to keep from modifying original.
- Slight reorganization and additional comments/logging
diff --git a/README.md b/README.md
@@ -1,14 +1,32 @@
 # OpenVPN Client for Docker
+## What is this and what does it do?
+`yacht7/openvpn-client` is a containerized OpenVPN client. It has a kill switch built with `iptables` that kills Internet connectivity to the container if the VPN tunnel goes down for any reason. It also includes two types of proxy: HTTP (Tinyproxy) and SOCKS5 (Shadowsocks). These allow hosts and non-containerized applications to use the VPN without having to run VPN clients on every host.
+
+This image requires the user to supply the necessary OpenVPN configuration file(s). Because of this, any VPN provider should work (however, if you find something that doesn't, please open an issue for it).
+
 ## Why?
-Using this image will allow you establish a VPN connection usable by other containers (and hosts via the built-in proxies) without having to install a VPN client on the host. The image requires the user to supply the necessary OpenVPN configuration files, so (probably) any VPN provider will work.
+Having a containerized VPN client lets you easy choose exactly what you want to use the VPN at the Docker level instead of having to set up split tunnelling at the VPN level. It also keeps you from having to install an OpenVPN client on the underlying host.
+
+The idea for this image came from a similar project by [qdm12](https://github.com/qdm12) that has since evolved into something bigger and more complex than I wanted to use. I decided to dissect it and take it in my own direction. I plan to keep everything here well-documented because I want this to be a learning experience for both me and hopefully anyone else that uses it.
 
-It has a VPN kill switch enabled by default, so if the VPN connection is lost at any time, all internet connectivity to the container and connected clients is lost.
+## How do I use it?
+### Getting the image
+You can either pull it from Docker Hub or build it yourself.
 
-Please note that the kill switch does allow connections to the VPN server address/port combinations specified in the configuration file outside of the VPN tunnel in order to establish connection.
+To pull from [Docker Hub](https://hub.docker.com/r/yacht7/openvpn-client), run `docker pull yacht7/openvpn-client`.
 
-## Creating
-### `docker run`
+To build it yourself, do the following:
+```bash
+git clone https://github.com/yacht7/docker-openvpn-client.git
+cd docker-openvpn-client
+docker build -t yacht7/openvpn-client .
 ```
+
+### Creating and running a container
+The image requires the container be created with the `NET_ADMIN` capability and `/dev/net/tun` accessible. Below are bare-bones examples for `docker run` and Compose; however, you'll probably want to do more than just run the VPN client. See the sections below to learn how to use the [proxies](#shadowsocks-and-tinyproxy) and have [other containers use `openvpn-client`'s network stack](#using-with-other-containers).
+
+#### `docker run`
+```bash
 docker run -d \
   --name=openvpn-client \
   --cap-add=NET_ADMIN \
@@ -17,8 +35,8 @@ docker run -d \
   yacht7/openvpn-client
 ```
 
-### `docker-compose`
-```
+#### `docker-compose`
+```yaml
 version: '2'
 
 services:
@@ -33,58 +51,59 @@ services:
             - <path/to/config>:/data/vpn
         restart: unless-stopped
 ```
-#### Considerations
-##### Tinyproxy and Shadowsocks
-If enabling Tinyproxy or Shadowsocks, you'll want to publish the proxy's port in order to access the proxy. To do that using `docker run`, add `-p <host_port>:<container_port>` where `<host_port>` and `<container_port>` are whatever port your proxy is using (8888 and 8388 by default for Tinyproxy and Shadowsocks). If you're using `docker-compose`, add the below snippet to the `openvpn-client` service definition in your Compose file.
-```
-ports:
-    - <host_port>:<container_port>
-```
-
-##### Handling ports intended for connected containers
-If you plan on having [other containers use `openvpn-client`'s network stack](#using-with-other-containers) and those containers have web UIs, you'll want to publish the web UI ports on `openvpn-client` instead of the connected container. To do that, add `-p <host_port>:<container_port>` if you're using `docker run`, or add the below snippet to the `openvpn-client` service definition in your Compose file if using `docker-compose`.
-```
-ports:
-    - <host_port>:<container_port>
-```
-In both cases, replace `<host_port>` and `<container_port>` with the port used by your connected container.
-
-### Environment variables
 
+#### Environment variables
 | Variable | Default (blank is unset) | Description |
 | --- | --- | --- |
 | `KILL_SWITCH` | `on` | The on/off status of VPN kill switch. To disable, set to any value besides `on`. |
-| `SUBNETS` | | A comma-separated (no whitespaces) list of LAN subnets (e.g. `192.168.0.0/24,192.168.1.0/24`). |
+| `SUBNETS` | | A list of one or more comma-separated subnets (e.g. `192.168.0.0/24,192.168.1.0/24`) to allow outside of the VPN tunnel. See important note about this [below](#subnets). |
 | `FORWARDED_PORTS` | | Port(s) forwarded by your VPN provider (e.g. `12345` or `9876,54321`) |
 | `VPN_LOG_LEVEL` | `3` | OpenVPN verbosity (`1`-`11`) |
 | `SHADOWSOCKS` | | The on/off status of Shadowsocks. To enable, set to `on`. Any other value, including leaving it unset, will cause the proxy to not start. |
-| `SHADOWSOCKS_PORT` | `8388` | The port that Shadowsocks listens on. If manually specified, choose a port over 1024. |
-| `SHADOWSOCKS_PASS` | `password` | Required to start Shadowsocks, so a default is specified. |
+| `SHADOWSOCKS_PORT` | `8388` | The port on which Shadowsocks listens. If manually specified, choose a port over 1024. |
+| `SHADOWSOCKS_PASS` | `password` | A password is required to start Shadowsocks, so a default is specified. I recommend you change this if Shadowsocks is enabled. |
 | `TINYPROXY` | | The on/off status of Tinyproxy. To enable, set to `on`. Any other value, including leaving it unset, will cause the proxy to not start. |
-| `TINYPROXY_PORT` | `8888` | The port that Tinyproxy listens on. If manually specified, choose a port over 1024. |
-| `TINYPROXY_USER` | | Setting `TINYPROXY_USER` and `TINYPROXY_PASS` will restrict access to the proxy server to only the specified username and password. |
-| `TINYPROXY_PASS` | | Setting `TINYPROXY_USER` and `TINYPROXY_PASS` will restrict access to the proxy server to only the specified username and password. |
+| `TINYPROXY_PORT` | `8888` | The port on which Tinyproxy listens. If manually specified, choose a port over 1024. |
+| `TINYPROXY_USER` | | Credentials for accessing Tinyproxy. If `TINYPROXY_USER` is specified, you must also specify `TINYPROXY_PASS`. |
+| `TINYPROXY_PASS` | | Credentials for accessing Tinyproxy. If `TINYPROXY_PASS` is specified, you must also specify `TINYPROXY_USER`. |
 
-#### `SUBNETS`
-**Important note about this variable**: the DNS server used by this container prior to VPN connection must be included in the value specified. For example, if your underlying host is using 192.168.1.1 as a DNS server, then this address must be included in `SUBNETS` (`192.168.1.1` or `192.168.1.0/24` would be acceptable). This is necessary because the kill switch will block traffic outside of the VPN tunnel before it's actually established. If the DNS server is not whitelisted, the server addresses in the VPN configuration will not resolve.
+##### Environment variable considerations
+###### `KILL_SWITCH`
+The kill switch allows connections outside of the VPN tunnel to the following two places: 1) the VPN server(s) specified in the configuration file and 2) all addresses specified in `SUBNETS`.
+
+###### `SUBNETS`
+**Important**: The DNS server used by this container prior to VPN connection must be included in the value specified. For example, if your container is using 192.168.1.1 as a DNS server, then this address or an appropriate CIDR block must be included in `SUBNETS`. This is necessary because the kill switch blocks traffic outside of the VPN tunnel before it's actually established. If the DNS server is not whitelisted, the server addresses in the VPN configuration will not resolve.
 
 The subnets specified will have routes created and whitelists added in the firewall for them which allows for connectivity to and from hosts on the subnets.
 
-## Running
-### Verifying functionality
-Once you have container running `yacht7/openvpn-client`, run the following command to spin up a temporary container using `openvpn-client` for networking. The `wget -qO - ifconfig.me` bit will return the public IP of the container (and anything else using `openvpn-client` for networking). You should see an IP address owned by your VPN provider.
-```
-docker run --rm -it --network=container:openvpn-client alpine wget -qO - ifconfig.me
+###### `SHADOWSOCKS` and `TINYPROXY`
+If enabling Shadowsocks or Tinyproxy, you'll want to publish the proxy's port in order to access the proxy. To do that using `docker run`, add `-p <host_port>:<container_port>` where `<host_port>` and `<container_port>` are whatever port your proxy is using (8388 and 8888 by default for Shadowsocks and Tinyproxy). If you're using `docker-compose`, add the below snippet to the `openvpn-client` service definition in your Compose file.
+```yaml
+ports:
+    - <host_port>:<container_port>
 ```
 
 ### Using with other containers
-Once you have your OpenVPN client container up and running, you can tell other containers to use `openvpn-client`'s network stack which gives any container the ability to utilize the VPN tunnel. There are a few ways to accomplish this depending how how your container is created.
+Once you have your `openvpn-client` container up and running, you can tell other containers to use `openvpn-client`'s network stack which gives them the ability to utilize the VPN tunnel. There are a few ways to accomplish this depending how how your container is created.
 
 If your container is being created with
 1. the same Compose YAML file as `openvpn-client`, add `network_mode: service:openvpn-client` to the container's service definition.
-2. a different Compose YAML file as `openvpn-client`, add `network_mode: container:openvpn-client` to the container's service definition.
+2. a different Compose YAML file than `openvpn-client`, add `network_mode: container:openvpn-client` to the container's service definition.
 3. `docker run`, add `--network=container:openvpn-client` as an option to `docker run`.
 
 Once running and provided your container has `wget` or `curl`, you can run `docker exec <container_name> wget -qO - ifconfig.me` or `docker exec <container_name> curl -s ifconfig.me` to get the public IP of the container and make sure everything is working as expected. This IP should match the one of `openvpn-client`.
 
-If the connected container needs to publish ports, see [this](#handling-ports-intended-for-connected-containers) section.
+#### Handling ports intended for connected containers
+If you have a connected container and you need to access a port that container, you'll want to publish that port on the `openvpn-client` container instead of the connected container. To do that, add `-p <host_port>:<container_port>` if you're using `docker run`, or add the below snippet to the `openvpn-client` service definition in your Compose file if using `docker-compose`.
+```yaml
+ports:
+    - <host_port>:<container_port>
+```
+In both cases, replace `<host_port>` and `<container_port>` with the port used by your connected container.
+
+### Verifying functionality
+Once you have container running `yacht7/openvpn-client`, run the following command to spin up a temporary container using `openvpn-client` for networking. The `wget -qO - ifconfig.me` bit will return the public IP of the container (and anything else using `openvpn-client` for networking). You should see an IP address owned by your VPN provider.
+```bash
+docker run --rm -it --network=container:openvpn-client alpine wget -qO - ifconfig.me
+```
+
diff --git a/data/entry.sh b/data/entry.sh
@@ -1,51 +1,72 @@
 #!/bin/sh
 
-################################################################################
-
-config_file=$(ls -1 /data/vpn/*.conf 2>/dev/null | head -1)
-if [ -z $config_file ]; then
+# When you run `docker stop` or any equivalent, a SIGTERM signal is sent to PID 1.
+# A process running as PID 1 inside a container is treated specially by Linux:
+# it ignores any signal with the default action. As a result, the process will
+# not terminate on SIGINT or SIGTERM unless it is coded to do so. Because of this,
+# I've defined behavior for when SIGINT and SIGTERM is received.
+cleanup() {
+    if [ $openvpn_child ]; then
+        echo "Stopping OpenVPN..."
+        kill -TERM $openvpn_child
+    fi
+    
+    sleep 1
+    rm $config_file_modified
+    echo "Exiting."
+    exit 0
+}
+
+# Capture the filename of the first .conf file to use as the OpenVPN config.
+config_file_original=$(ls -1 /data/vpn/*.conf 2> /dev/null | head -1)
+if [ -z $config_file_original ]; then
     >&2 echo "[ERRO] No configuration file found. Please check your mount and file permissions. Exiting."
     exit 1
 fi
 
-vpn_log_level=${LOG_LEVEL:-3}
+vpn_log_level=${VPN_LOG_LEVEL:-3}
 if ! $(echo $vpn_log_level | grep -Eq '^([1-9]|1[0-1])$'); then
     echo "[WARN] Invalid log level $vpn_log_level. Setting to default."
     vpn_log_level=3
 fi
 
 echo -e "\n---- Details ----
-Kill switch: $KILL_SWITCH
-Tinyproxy: $TINYPROXY
-Shadowsocks: $SHADOWSOCKS
+Kill switch: ${KILL_SWITCH:-off}
+Tinyproxy: ${TINYPROXY:-off}
+Shadowsocks: ${SHADOWSOCKS:-off}
 Whitelisting subnets: ${SUBNETS:-none}
-Using configuration file: $config_file
+Using configuration file: $config_file_original
 Using OpenVPN log level: $vpn_log_level"
 
 ################################################################################
 
 echo -e "\n---- OpenVPN Configuration ----"
 
+# Create a new configuration file to modify so the original is left untouched.
+config_file_modified=${config_file_original}.modified
+cp $config_file_original $config_file_modified
+
 # These configuration file changes are required by Alpine.
 echo "Making required changes to the configuration file."
 sed -i \
     -e '/up /c up \/etc\/openvpn\/up.sh' \
     -e '/down /c down \/etc\/openvpn\/down.sh' \
     -e 's/^proto udp$/proto udp4/' \
     -e 's/^proto tcp$/proto tcp4/' \
-    $config_file
+    $config_file_modified
 
-if ! grep -q 'pull-filter ignore "route-ipv6"' $config_file; then
-    printf '\npull-filter ignore "route-ipv6"' >> $config_file
+if ! grep -q 'pull-filter ignore "route-ipv6"' $config_file_modified; then
+    printf '\npull-filter ignore "route-ipv6"' >> $config_file_modified
 fi
 
-if ! grep -q 'pull-filter ignore "ifconfig-ipv6"' $config_file; then
-    printf '\npull-filter ignore "ifconfig-ipv6"' >> $config_file
+if ! grep -q 'pull-filter ignore "ifconfig-ipv6"' $config_file_modified; then
+    printf '\npull-filter ignore "ifconfig-ipv6"' >> $config_file_modified
 fi
 
-cp /data/vpn/* /etc/openvpn
+echo "[INFO] Changes made."
 
-echo "[INFO] Changes made and files moved into place."
+# Upon receiving a SIGINT or SIGTERM, run the cleanup function.
+trap cleanup INT TERM
 
 ################################################################################
 
@@ -57,18 +78,19 @@ if [ $KILL_SWITCH = "on" ]; then
 
     echo "Creating VPN kill switch and local routes."
 
-    # allows established and related connections
+    echo "Allowing established and related connections..."
     iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
     iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 
-    # allows loopback connections
+    echo "Allowing loopback connections..."
     iptables -A INPUT -i lo -j ACCEPT
     iptables -A OUTPUT -o lo -j ACCEPT
 
-    # allows Docker network connections
+    echo "Allowing Docker network connections..."
     iptables -A INPUT -s $local_subnet -j ACCEPT
     iptables -A OUTPUT -d $local_subnet -j ACCEPT
 
+    echo "Allowing specified subnets..."
     # for every specified subnet...
     for subnet in ${SUBNETS//,/ }; do
         # create a route to it and...
@@ -78,28 +100,27 @@ if [ $KILL_SWITCH = "on" ]; then
         iptables -A OUTPUT -d $subnet -j ACCEPT
     done
 
-    # allows OpenVPN connections only to addresses in configuration file
-    remote_port=$(grep "port " $config_file | cut -d " " -f 2)
-    remote_proto=$(grep "proto " $config_file | cut -d " " -f 2 | cut -c1-3)
-    remotes=$(grep "remote " $config_file | cut -d " " -f 2-4)
-
+    echo "Allowing remote servers in configuration file..."
+    remote_port=$(grep "port " $config_file_modified | cut -d " " -f 2)
+    remote_proto=$(grep "proto " $config_file_modified | cut -d " " -f 2 | cut -c1-3)
+    remotes=$(grep "remote " $config_file_modified | cut -d " " -f 2-4)
 
-    echo "Using remote servers:"
+    echo "  Using:"
     echo "$remotes" | while IFS= read line; do
         domain=$(echo "$line" | cut -d " " -f 1)
         port=$(echo "$line" | cut -d " " -f 2)
         proto=$(echo "$line" | cut -d " " -f 3 | cut -c1-3)
         for ip in $(nslookup $domain localhost | tail -n +4 | grep -Eo '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}' | sort | uniq); do
-            echo "$domain (IP:$ip PORT:$port)"
+            echo "    $domain (IP:$ip PORT:$port)"
             iptables -A OUTPUT -o eth0 -d $ip -p ${proto:-$remote_proto} --dport ${port:-$remote_port} -j ACCEPT
         done
     done
 
-    # allow connections over VPN interface...
+    echo "Allowing connections over VPN interface..."
     iptables -A INPUT -i tun0 -j ACCEPT
     iptables -A OUTPUT -o tun0 -j ACCEPT
 
-    # and over VPN interface to forwarded ports
+    echo "Allowing connections over VPN interface to forwarded ports..."
     if [ ! -z $FORWARDED_PORTS ]; then
         for port in ${FORWARDED_PORTS//,/ }; do
             if [ $port -lt 1024 ] || [ $port -gt 65535 ]; then
@@ -110,6 +131,7 @@ if [ $KILL_SWITCH = "on" ]; then
         done
     fi
 
+    echo "Preventing anything else..."
     iptables -P INPUT DROP
     iptables -P OUTPUT DROP
     iptables -P FORWARD DROP
@@ -119,7 +141,22 @@ else
     echo "[WARN] VPN kill switch is disabled. Traffic will be allowed outside of the tunnel if the connection is lost."
 fi
 
-################################################################################
+if [ "$SHADOWSOCKS" = "on" ]; then
+    {
+        echo "[INFO] Running Shadowsocks"
+        while ! ping -c 1 1.1.1.1 > /dev/null 2>&1; do
+            sleep 1
+        done
+
+        sed -i \
+            -e "/server_port/c\    \"server_port\": ${SHADOWSOCKS_PORT:-8388}," \
+            -e "/password/c\    \"password\": \"${SHADOWSOCKS_PASS:-password}\"," \
+            /data/shadowsocks.conf
+        
+        sleep 1
+        ss-server -c /data/shadowsocks.conf
+    } &
+fi
 
 if [ "$TINYPROXY" = "on" ]; then
     # start list of commands to run Tinyproxy
@@ -147,29 +184,13 @@ if [ "$TINYPROXY" = "on" ]; then
         fi
 
         sleep 1
-        tinyproxy -c /data/tinyproxy.conf
-    } &
-fi
-
-if [ "$SHADOWSOCKS" = "on" ]; then
-    {
-        echo "[INFO] Running Shadowsocks"
-        while ! ping -c 1 1.1.1.1 > /dev/null 2>&1; do
-            sleep 1
-        done
-
-        sed -i \
-            -e "/server_port/c\    \"server_port\": ${SHADOWSOCKS_PORT:-8388}," \
-            -e "/password/c\    \"password\": \"${SHADOWSOCKS_PASS:-password}\"," \
-            /data/shadowsocks.conf
-        
-        sleep 1
-        ss-server -c /data/shadowsocks.conf
+        tinyproxy -c /data/tinyproxy.conf &
     } &
 fi
 
-cd /etc/openvpn
-
 echo "[INFO] Running OpenVPN"
 
-openvpn --verb $vpn_log_level --auth-nocache --config $config_file
+openvpn --verb $vpn_log_level --auth-nocache --cd /data/vpn --config $config_file_modified &
+
+openvpn_child=$!
+wait $openvpn_child
