Make several changes

yacht7 · yacht7 · commit 644849a2bdb4 · 2020-06-20T12:20:58.000-05:00
- update to Alpine 3.12
- move Shadowsocks and Tinyproxy to wrapper scripts to simplify code
- add healthcheck to kill container if OpenVPN can't reconnect
diff --git a/Dockerfile b/Dockerfile
@@ -1,8 +1,9 @@
-FROM alpine:3.11.6
+FROM alpine:3.12
 
 LABEL maintainer="yacht7@protonmail.com"
 
-ENV KILL_SWITCH=on
+ENV KILL_SWITCH=on\
+    VPN_LOG_LEVEL=3
 
 RUN \
     echo '@testing http://dl-cdn.alpinelinux.org/alpine/edge/testing' >> /etc/apk/repositories && \
@@ -19,4 +20,4 @@ RUN \
 
 COPY data/ /data
 
-ENTRYPOINT ["/data/entry.sh"]
+ENTRYPOINT ["/data/scripts/entry.sh"]
diff --git a/data/scripts/entry.sh b/data/scripts/entry.sh
@@ -1,16 +1,21 @@
 #!/bin/sh
 
-# When you run `docker stop` or any equivalent, a SIGTERM signal is sent to PID 1.
-# A process running as PID 1 inside a container is treated specially by Linux:
-# it ignores any signal with the default action. As a result, the process will
-# not terminate on SIGINT or SIGTERM unless it is coded to do so. Because of this,
-# I've defined behavior for when SIGINT and SIGTERM is received.
 cleanup() {
+    # When you run `docker stop` or any equivalent, a SIGTERM signal is sent to PID 1.
+    # A process running as PID 1 inside a container is treated specially by Linux:
+    # it ignores any signal with the default action. As a result, the process will
+    # not terminate on SIGINT or SIGTERM unless it is coded to do so. Because of this,
+    # I've defined behavior for when SIGINT and SIGTERM is received.
+    if [ $healthcheck_child ]; then
+        echo "Stopping healthcheck script..."
+        kill -TERM $healthcheck_child
+    fi
+
     if [ $openvpn_child ]; then
         echo "Stopping OpenVPN..."
         kill -TERM $openvpn_child
     fi
-    
+
     sleep 1
     rm $config_file_modified
     echo "Exiting."
@@ -20,35 +25,34 @@ cleanup() {
 # Capture the filename of the first .conf file to use as the OpenVPN config.
 config_file_original=$(ls -1 /data/vpn/*.conf 2> /dev/null | head -1)
 if [ -z $config_file_original ]; then
-    >&2 echo "[ERRO] No configuration file found. Please check your mount and file permissions. Exiting."
+    >&2 echo "ERROR: No configuration file found. Please check your mount and file permissions. Exiting."
     exit 1
 fi
 
-vpn_log_level=${VPN_LOG_LEVEL:-3}
-if ! $(echo $vpn_log_level | grep -Eq '^([1-9]|1[0-1])$'); then
-    echo "[WARN] Invalid log level $vpn_log_level. Setting to default."
+if ! $(echo $VPN_LOG_LEVEL | grep -Eq '^([1-9]|1[0-1])$'); then
+    echo "WARNING: Invalid log level $VPN_LOG_LEVEL. Setting to default."
     vpn_log_level=3
+else
+    vpn_log_level=$VPN_LOG_LEVEL
 fi
 
-echo -e "\n---- Details ----
+echo "
+---- Running with the following variables ----
 Kill switch: ${KILL_SWITCH:-off}
 Tinyproxy: ${TINYPROXY:-off}
 Shadowsocks: ${SHADOWSOCKS:-off}
 Whitelisting subnets: ${SUBNETS:-none}
 Using configuration file: $config_file_original
-Using OpenVPN log level: $vpn_log_level"
-
-################################################################################
-
-echo -e "\n---- OpenVPN Configuration ----"
+Using OpenVPN log level: $vpn_log_level
+"
 
 # Create a new configuration file to modify so the original is left untouched.
 config_file_modified=${config_file_original}.modified
 
-# These configuration file changes are required by Alpine.
 echo "Creating $config_file_modified and making required changes to that file."
 cp $config_file_original $config_file_modified
 
+# These configuration file changes are required by Alpine.
 sed -i \
     -e '/up /c up \/etc\/openvpn\/up.sh' \
     -e '/down /c down \/etc\/openvpn\/down.sh' \
@@ -64,15 +68,10 @@ if ! grep -q 'pull-filter ignore "ifconfig-ipv6"' $config_file_modified; then
     printf '\npull-filter ignore "ifconfig-ipv6"' >> $config_file_modified
 fi
 
-echo "[INFO] Changes made."
+echo -e "Changes made.\n"
 
-# Upon receiving a SIGINT or SIGTERM, run the cleanup function.
 trap cleanup INT TERM
 
-################################################################################
-
-echo -e "\n---- Network, Kill switch, and Proxies ----"
-
 if [ $KILL_SWITCH = "on" ]; then 
     local_subnet=$(ip r | grep -v 'default via' | grep eth0 | tail -n 1 | cut -d " " -f 1)
     default_gateway=$(ip r | grep 'default via' | cut -d " " -f 3)
@@ -123,11 +122,12 @@ if [ $KILL_SWITCH = "on" ]; then
     echo "Allowing connections over VPN interface to forwarded ports..."
     if [ ! -z $FORWARDED_PORTS ]; then
         for port in ${FORWARDED_PORTS//,/ }; do
-            if [ $port -lt 1024 ] || [ $port -gt 65535 ]; then
-                echo "[WARN] $port not a valid port. Ignoring."
+            if $(echo $port | grep -Eq '^[0-9]+$') && [ $port -ge 1024 ] && [ $port -le 65535 ]; then
+                iptables -A INPUT -i tun0 -p tcp --dport $port -j ACCEPT
+                iptables -A INPUT -i tun0 -p udp --dport $port -j ACCEPT
+            else
+                echo "WARNING: $port not a valid port. Ignoring."
             fi
-            iptables -A INPUT -i tun0 -p tcp --dport $port -j ACCEPT
-            iptables -A INPUT -i tun0 -p udp --dport $port -j ACCEPT
         done
     fi
 
@@ -136,61 +136,42 @@ if [ $KILL_SWITCH = "on" ]; then
     iptables -P OUTPUT DROP
     iptables -P FORWARD DROP
 
-    echo "[INFO] iptables rules created and routes configured."
+    echo -e "iptables rules created and routes configured.\n"
 else
-    echo "[WARN] VPN kill switch is disabled. Traffic will be allowed outside of the tunnel if the connection is lost."
+    echo -e "WARNING: VPN kill switch is disabled. Traffic will be allowed outside of the tunnel if the connection is lost.\n"
 fi
 
 if [ "$SHADOWSOCKS" = "on" ]; then
-    # https://www.gnu.org/software/bash/manual/html_node/Command-Grouping.html
-    {
-        echo "[INFO] Running Shadowsocks"
-        # Wait for VPN connection to be established
-        while ! ping -c 1 1.1.1.1 > /dev/null 2>&1; do
-            sleep 1
-        done
-
-        sed -i \
-            -e "/server_port/c\    \"server_port\": ${SHADOWSOCKS_PORT:-8388}," \
-            -e "/password/c\    \"password\": \"${SHADOWSOCKS_PASS:-password}\"," \
-            /data/shadowsocks.conf
-        
-        sleep 1
-        ss-server -c /data/shadowsocks.conf
-    } &
+    echo -e "Running Shadowsocks.\n"
+    sed -i \
+        -e "/server_port/c\    \"server_port\": ${SHADOWSOCKS_PORT:-8388}," \
+        -e "/password/c\    \"password\": \"${SHADOWSOCKS_PASS:-password}\"," \
+        /data/shadowsocks.conf
+    /data/scripts/shadowsocks-wrapper.sh &
 fi
 
 if [ "$TINYPROXY" = "on" ]; then
-    # https://www.gnu.org/software/bash/manual/html_node/Command-Grouping.html
-    {
-        echo "[INFO] Running Tinyproxy"
-        while ! ping -c 1 1.1.1.1 > /dev/null 2>&1; do
-            sleep 1
-        done
-
-        addr_tun=$(ip a show dev tun0 | grep inet | cut -d " " -f 6 | cut -d "/" -f 1)
-
-        sed -i \
-            -e "/Port/c Port ${TINYPROXY_PORT:-8888}" \
-            -e "/Bind/c Bind $addr_tun" \
-            /data//tinyproxy.conf
-
-        if [ $TINYPROXY_USER ]; then
-            if [ $TINYPROXY_PASS ]; then
-                echo -e "\nBasicAuth $TINYPROXY_USER $TINYPROXY_PASS" >> /data/tinyproxy.conf
-            else
-                echo "[WARN] Tinyproxy username supplied without password. Starting without credentials."
-            fi
+    echo -e "Running Tinyproxy.\n"
+    sed -i \
+        -e "/Port/c Port ${TINYPROXY_PORT:-8888}" \
+        /data/tinyproxy.conf
+
+    if [ $TINYPROXY_USER ]; then
+        if [ $TINYPROXY_PASS ]; then
+            echo -e "\nBasicAuth $TINYPROXY_USER $TINYPROXY_PASS" >> /data/tinyproxy.conf
+        else
+            echo "WARNING: Tinyproxy username supplied without password. Starting without credentials."
         fi
-
-        sleep 1
-        tinyproxy -c /data/tinyproxy.conf
-    } &
+    fi
+    /data/scripts/tinyproxy-wrapper.sh &
 fi
 
-echo "[INFO] Running OpenVPN"
+# /data/scripts/healthcheck.sh &
+# healthcheck_child=$!
 
-openvpn --verb $vpn_log_level --auth-nocache --cd /data/vpn --config $config_file_modified &
+echo -e "Running OpenVPN client.\n"
 
+openvpn --auth-nocache --cd /data/vpn --verb $vpn_log_level --config $config_file_modified &
 openvpn_child=$!
+
 wait $openvpn_child
diff --git a/data/scripts/healthcheck.sh b/data/scripts/healthcheck.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+sleep 10
+while ping -c 3 1.1.1.1 > /dev/null 2>&1; do
+    sleep 10
+done
+echo "ERROR: Failed ping healthcheck. Exiting."
+
+kill -- -1
diff --git a/data/scripts/shadowsocks-wrapper.sh b/data/scripts/shadowsocks-wrapper.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+until ping -c 3 1.1.1.1 > /dev/null 2>&1; do
+    sleep 1
+done
+
+ss-server -c /data/shadowsocks.conf
diff --git a/data/scripts/tinyproxy-wrapper.sh b/data/scripts/tinyproxy-wrapper.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+until ping -c 3 1.1.1.1 > /dev/null 2>&1; do
+    sleep 1
+done
+
+# This part is in the wrapper script because addr_tun requires the VPN connection
+# to be established.
+addr_tun=$(ip a show dev tun0 | grep inet | cut -d " " -f 6 | cut -d "/" -f 1)
+sed -i \
+    -e "/Bind/c Bind $addr_tun" \
+    /data/tinyproxy.conf
+
+tinyproxy -d -c /data/tinyproxy.conf
