Merge branch 'develop'

Author: SloCompTech

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+### 1.0.4 - IPv6 docs, improved wizards
+
+- Added instructions for IPv6 configuration
+- Added outside interface option to setup wizards
+- Added some links to documentation
+
 ### 1.0.3 - New examples, fixes, more docs
 
 - Updated instructions

CONTRIBUTING.md

@@ -90,4 +90,5 @@ Sections:
 
 - [OpenVPN docs](https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN)  
 - [Setup OpenVPN on alpine linux](https://wiki.alpinelinux.org/wiki/Setting_up_a_OpenVPN_server#Alternative_Certificate_Method)  
-- [EasyRSA](https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN)   
+- [EasyRSA](https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN)
+- [EasyRSA doc](https://github.com/OpenVPN/easy-rsa/tree/master/doc)

README.md

@@ -56,15 +56,12 @@ services:
       context: .
       cache_from:
         - lsiobase/alpine.python3:latest
-    networks:
-      mynetwork:
-        ipv4_address: 10.0.0.5
-        ipv6_address: 2001:1111::5
-    
-networks:
-  mynetwork:
-    driver: host
-    enable_ipv6: true
+    sysctls: # For IPv6
+      - net.ipv6.conf.all.disable_ipv6=0
+      - net.ipv6.conf.default.forwarding=1
+      - net.ipv6.conf.all.forwarding=1
+    network_mode: host
+
 ```
 
 ## Parameters
@@ -75,6 +72,8 @@ networks:
 |`-e PGID=1000`|for GroupID - see below for explanation|
 |`-v /config`|All the config files including OpenVPNs reside here|
 
+See also: [EasyRSA](https://github.com/OpenVPN/easy-rsa/blob/master/doc/EasyRSA-Advanced.md)  
+
 ## User / Group Identifiers
 
 When using volumes (`-v` flags) permissions issues can arise between the host OS and the container, we avoid this issue by allowing you to specify the user `PUID` and group `PGID`.
@@ -110,13 +109,15 @@ If you are new to containers please see rather [Detailed first setup guide](docs
 
   ``` bash
   ovpn_enconf basic_nat
+  #Out interface [eth0]: <interface connected to the Internet>
   #Protocol udp, tcp, udp6, tcp6 [udp]:
   #VPN network [10.0.0.0]:
   #Port [1194]:
   #Public IP or domain of server: <YOUR PUBLIC IP>
   #DNS1 [8.8.8.8]:
   #DNS2 [8.8.4.4]:
   ```
+
 4. Enable **port forwarding** on your router so OpenVPN server will be accessible from the internet.
 5. Add clients
 

docker-compose.yml

@@ -2,7 +2,7 @@
 # OpenVPN server sample configuration
 #
 
-version: '2.2'
+version: '2.2' # Min version 2.1 for IPv6
 services:
   ovpn:
     image: slocomptech/openvpn
@@ -22,7 +22,11 @@ services:
       context: .
       cache_from:
         - lsiobase/alpine.python3:latest
-    
+    sysctls: # For IPv6
+      - net.ipv6.conf.all.disable_ipv6=0
+      - net.ipv6.conf.default.forwarding=1
+      - net.ipv6.conf.all.forwarding=1
+
     network_mode: "bridge"
     #network_mode: "host"
 

docs/README.md

@@ -72,7 +72,8 @@ Configs:
     <example config name>
 ```
 
-**Note:** Please read example documentation to understand how to use it.  
+**Note:** Please read example documentation to understand how to use it.
+**Warning:** Some examples automaticaly add firewall rules, so if you are using host networking make sure to check **iptables** for correct configuration.     
 **Tip:** If you modifed config in a way that others might need same configuration, consider making new example.  
 
 #### ovpn_init

docs/SetupGuide.md

@@ -95,6 +95,7 @@ This is simple setup guide to help you get started. It uses the simplest configu
 
   ``` bash
   ovpn_enconf basic_nat
+  #Out interface [eth0]: <interface connected to the Internet>
   #Protocol udp, tcp, udp6, tcp6 [udp]:
   #VPN network [10.0.0.0]:
   #Port [1194]:
@@ -140,4 +141,4 @@ This is simple setup guide to help you get started. It uses the simplest configu
     ```
 
 **Note:** PUID, GUID parameters are optional.  
-**Note:** Container in this example will connect to host network, so there is less network overhead (recommended), this also works if container is in default docker network.  
+**Note:** Container in this example will connect to host network, so there is less network overhead (recommended), this also works if container is in default docker network. (But be careful if you already have firewall configured, because some rules are added when using most of examples).  

root/defaults/example/config/basic_nat/hooks/down/10-network.sh

@@ -8,14 +8,14 @@
 ovpn-iptables -D INPUT -p udp -m udp --dport $PORT -j ACCEPT -m comment --comment "Open OpenVPN port"
 
 # Disable LAN protection of VPN
-ovpn-iptables -D FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o eth0 -d 10.0.0.0/8 -j REJECT -m comment --comment "Drop traffic VPN --> LANs"
-ovpn-iptables -D FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o eth0 -d 192.168.0.0/16 -j REJECT -m comment --comment "Drop traffic VPN --> LANs"
-ovpn-iptables -D FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o eth0 -d 172.16.0.0/12 -j REJECT -m comment --comment "Drop traffic VPN --> LANs"
+ovpn-iptables -D FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o $OUT_INT -d 10.0.0.0/8 -j REJECT -m comment --comment "Drop traffic VPN --> LANs"
+ovpn-iptables -D FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o $OUT_INT -d 192.168.0.0/16 -j REJECT -m comment --comment "Drop traffic VPN --> LANs"
+ovpn-iptables -D FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o $OUT_INT -d 172.16.0.0/12 -j REJECT -m comment --comment "Drop traffic VPN --> LANs"
 
 # Disable Routing Internet <--> VPN network
-ovpn-iptables -D FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o eth0 -j ACCEPT -m comment --comment "Allow traffic VPN --> Internet"
-ovpn-iptables -D FORWARD -i eth0 -d $NETWORK_ADDRESS/24 -o tun0 -j ACCEPT -m comment --comment "Allow traffic Internet --> VPN"
+ovpn-iptables -D FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o $OUT_INT -j ACCEPT -m comment --comment "Allow traffic VPN --> Internet"
+ovpn-iptables -D FORWARD -i $OUT_INT -d $NETWORK_ADDRESS/24 -o tun0 -j ACCEPT -m comment --comment "Allow traffic Internet --> VPN"
 
 # Disable NAT for VPN traffic
-ovpn-iptables -t nat -D POSTROUTING -s $NETWORK_ADDRESS/24 -o eth0 -j MASQUERADE -m comment --comment "NAT traffic VPN --> Internet"
+ovpn-iptables -t nat -D POSTROUTING -s $NETWORK_ADDRESS/24 -o $OUT_INT -j MASQUERADE -m comment --comment "NAT traffic VPN --> Internet"
 

root/defaults/example/config/basic_nat/hooks/up/10-network.sh

@@ -8,14 +8,14 @@
 ovpn-iptables -A INPUT -p udp -m udp --dport $PORT -j ACCEPT -m comment --comment "Open OpenVPN port"
 
 # Protect LANs after VPN
-ovpn-iptables -A FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o eth0 -d 10.0.0.0/8 -j REJECT -m comment --comment "Drop traffic VPN --> LANs"
-ovpn-iptables -A FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o eth0 -d 192.168.0.0/16 -j REJECT -m comment --comment "Drop traffic VPN --> LANs"
-ovpn-iptables -A FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o eth0 -d 172.16.0.0/12 -j REJECT -m comment --comment "Drop traffic VPN --> LANs"
+ovpn-iptables -A FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o $OUT_INT -d 10.0.0.0/8 -j REJECT -m comment --comment "Drop traffic VPN --> LANs"
+ovpn-iptables -A FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o $OUT_INT -d 192.168.0.0/16 -j REJECT -m comment --comment "Drop traffic VPN --> LANs"
+ovpn-iptables -A FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o $OUT_INT -d 172.16.0.0/12 -j REJECT -m comment --comment "Drop traffic VPN --> LANs"
 
 # Allow Routing Internet <--> VPN network
-ovpn-iptables -A FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o eth0 -j ACCEPT -m comment --comment "Allow traffic VPN --> Internet"
-ovpn-iptables -A FORWARD -i eth0 -d $NETWORK_ADDRESS/24 -o tun0 -j ACCEPT -m comment --comment "Allow traffic Internet --> VPN"
+ovpn-iptables -A FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o $OUT_INT -j ACCEPT -m comment --comment "Allow traffic VPN --> Internet"
+ovpn-iptables -A FORWARD -i $OUT_INT -d $NETWORK_ADDRESS/24 -o tun0 -j ACCEPT -m comment --comment "Allow traffic Internet --> VPN"
 
 # Preform NAT for VPN traffic
-ovpn-iptables -t nat -A POSTROUTING -s $NETWORK_ADDRESS/24 -o eth0 -j MASQUERADE -m comment --comment "NAT traffic VPN --> Internet"
+ovpn-iptables -t nat -A POSTROUTING -s $NETWORK_ADDRESS/24 -o $OUT_INT -j MASQUERADE -m comment --comment "NAT traffic VPN --> Internet"
 

root/defaults/example/config/basic_nat/wizard

@@ -29,6 +29,11 @@ if not os.path.isdir(TEMP_PATH):
     print("Specified directory does not exist")
     sys.exit(2)
 
+# Select output interface
+out_int = input("Out interface [eth0]:")
+if len(out_int) == 0:
+    out_int = "eth0"
+
 # Select protocol
 protocol = input("Protocol udp, tcp, udp6, tcp6 [udp]:")
 AVAILABLE_PROTOCOLS = ["udp", "tcp", "udp6", "tcp6"]
@@ -65,6 +70,7 @@ if len(dns2) == 0:
 
 # Write to server config
 vars = [
+    ("$OUT_INT", out_int),
     ("$PROTO", protocol),
     ("$PORT", port),
     ("$NETWORK_ADDRESS", network),

root/defaults/example/config/basic_nat_wlp/hooks/down/10-network.sh

@@ -8,9 +8,9 @@
 ovpn-iptables -D INPUT -p udp -m udp --dport $PORT -j ACCEPT -m comment --comment "Open OpenVPN port"
 
 # Disable Routing Internet <--> VPN network
-ovpn-iptables -D FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o eth0 -j ACCEPT -m comment --comment "Allow traffic VPN --> Internet"
-ovpn-iptables -D FORWARD -i eth0 -d $NETWORK_ADDRESS/24 -o tun0 -j ACCEPT -m comment --comment "Allow traffic Internet --> VPN"
+ovpn-iptables -D FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o $OUT_INT -j ACCEPT -m comment --comment "Allow traffic VPN --> Internet"
+ovpn-iptables -D FORWARD -i $OUT_INT -d $NETWORK_ADDRESS/24 -o tun0 -j ACCEPT -m comment --comment "Allow traffic Internet --> VPN"
 
 # Disable NAT for VPN traffic
-ovpn-iptables -t nat -D POSTROUTING -s $NETWORK_ADDRESS/24 -o eth0 -j MASQUERADE -m comment --comment "NAT traffic VPN --> Internet"
+ovpn-iptables -t nat -D POSTROUTING -s $NETWORK_ADDRESS/24 -o $OUT_INT -j MASQUERADE -m comment --comment "NAT traffic VPN --> Internet"
 

root/defaults/example/config/basic_nat_wlp/hooks/up/10-network.sh

@@ -8,9 +8,9 @@
 ovpn-iptables -A INPUT -p udp -m udp --dport $PORT -j ACCEPT -m comment --comment "Open OpenVPN port"
 
 # Allow Routing Internet <--> VPN network
-ovpn-iptables -A FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o eth0 -j ACCEPT -m comment --comment "Allow traffic VPN --> Internet"
-ovpn-iptables -A FORWARD -i eth0 -d $NETWORK_ADDRESS/24 -o tun0 -j ACCEPT -m comment --comment "Allow traffic Internet --> VPN"
+ovpn-iptables -A FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o $OUT_INT -j ACCEPT -m comment --comment "Allow traffic VPN --> Internet"
+ovpn-iptables -A FORWARD -i $OUT_INT -d $NETWORK_ADDRESS/24 -o tun0 -j ACCEPT -m comment --comment "Allow traffic Internet --> VPN"
 
 # Preform NAT for VPN traffic
-ovpn-iptables -t nat -A POSTROUTING -s $NETWORK_ADDRESS/24 -o eth0 -j MASQUERADE -m comment --comment "NAT traffic VPN --> Internet"
+ovpn-iptables -t nat -A POSTROUTING -s $NETWORK_ADDRESS/24 -o $OUT_INT -j MASQUERADE -m comment --comment "NAT traffic VPN --> Internet"
 

root/defaults/example/config/basic_nat_wlp/wizard

@@ -29,6 +29,11 @@ if not os.path.isdir(TEMP_PATH):
     print("Specified directory does not exist")
     sys.exit(2)
 
+# Select output interface
+out_int = input("Out interface [eth0]:")
+if len(out_int) == 0:
+    out_int = "eth0"
+
 # Select protocol
 protocol = input("Protocol udp, tcp, udp6, tcp6 [udp]:")
 AVAILABLE_PROTOCOLS = ["udp", "tcp", "udp6", "tcp6"]
@@ -65,6 +70,7 @@ if len(dns2) == 0:
 
 # Write to server config
 vars = [
+    ("$OUT_INT", out_int),
     ("$PROTO", protocol),
     ("$PORT", port),
     ("$NETWORK_ADDRESS", network),

root/defaults/example/config/basic_routed/hooks/down/10-network.sh

@@ -8,6 +8,6 @@
 ovpn-iptables -D INPUT -p udp -m udp --dport $PORT -j ACCEPT -m comment --comment "Open OpenVPN port"
 
 # Disable Routing Internet <--> VPN network
-ovpn-iptables -D FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o eth0 -j ACCEPT -m comment --comment "Allow traffic VPN --> Internet"
-ovpn-iptables -D FORWARD -i eth0 -d $NETWORK_ADDRESS/24 -o tun0 -j ACCEPT -m comment --comment "Allow traffic Internet --> VPN"
+ovpn-iptables -D FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o $OUT_INT -j ACCEPT -m comment --comment "Allow traffic VPN --> Internet"
+ovpn-iptables -D FORWARD -i $OUT_INT -d $NETWORK_ADDRESS/24 -o tun0 -j ACCEPT -m comment --comment "Allow traffic Internet --> VPN"
 

root/defaults/example/config/basic_routed/hooks/up/10-network.sh

@@ -8,6 +8,6 @@
 ovpn-iptables -A INPUT -p udp -m udp --dport $PORT -j ACCEPT -m comment --comment "Open OpenVPN port"
 
 # Allow Routing Internet <--> VPN network
-ovpn-iptables -A FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o eth0 -j ACCEPT -m comment --comment "Allow traffic VPN --> Internet"
-ovpn-iptables -A FORWARD -i eth0 -d $NETWORK_ADDRESS/24 -o tun0 -j ACCEPT -m comment --comment "Allow traffic Internet --> VPN"
+ovpn-iptables -A FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o $OUT_INT -j ACCEPT -m comment --comment "Allow traffic VPN --> Internet"
+ovpn-iptables -A FORWARD -i $OUT_INT -d $NETWORK_ADDRESS/24 -o tun0 -j ACCEPT -m comment --comment "Allow traffic Internet --> VPN"
 

root/defaults/example/config/basic_routed/wizard

@@ -29,6 +29,11 @@ if not os.path.isdir(TEMP_PATH):
     print("Specified directory does not exist")
     sys.exit(2)
 
+# Select output interface
+out_int = input("Out interface [eth0]:")
+if len(out_int) == 0:
+    out_int = "eth0"
+
 # Select protocol
 protocol = input("Protocol udp, tcp, udp6, tcp6 [udp]:")
 AVAILABLE_PROTOCOLS = ["udp", "tcp", "udp6", "tcp6"]
@@ -65,6 +70,7 @@ if len(dns2) == 0:
 
 # Write to server config
 vars = [
+    ("$OUT_INT", out_int),
     ("$PROTO", protocol),
     ("$PORT", port),
     ("$NETWORK_ADDRESS", network),