Merge branch 'develop'

Author: SloCompTech

CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+### 1.0.3 - New examples, fixes, more docs
+
+- Updated instructions
+- Improved `Makefile`
+- Allowed **ping** to the container
+- Added new examples **basic_nat_wlp** and **basic_routed**
+- Added **LAN protection** to original example
+- Added **docker-compose** for sample
+
 ### 1.0.2 - Official release
 
 - Fixed typo in `basic_nat` example config wizard  

Makefile

@@ -29,15 +29,15 @@ build:
 config:
 	@echo "Running temporary container"
 	mkdir -p data
-	docker run -it --rm --cap-add NET_ADMIN -v ${DATA_DIR}:/config ${IMAGE_NAME}:latest bash
+	docker run -it -e PUID=$(id -u) -e PGID=$(id -g) --rm --cap-add NET_ADMIN -v ${DATA_DIR}:/config ${IMAGE_NAME}:latest bash
 
 #
 #	Setups & starts real container
 #	Run only once, then use docker start|stop|restart|exec
 #
 setup:
 	@echo "Running temporary container"
-	docker run -it --cap-add NET_ADMIN -p 1194:1194/udp -v ${DATA_DIR}:/config --name ${CONTAINER_NAME} ${IMAGE_NAME}:latest 
+	docker run -it -d -e PUID=$(id -u) -e PGID=$(id -g) --cap-add NET_ADMIN -p 1194:1194/udp -v ${DATA_DIR}:/config --name ${CONTAINER_NAME} ${IMAGE_NAME}:latest 
 
 #
 #	Starts container

README.md

@@ -34,8 +34,37 @@ docker run \
 
 ### docker-compose
 
-```
-
+``` yml
+version: '2.2'
+services:
+  ovpn:
+    image: slocomptech/openvpn
+    container_name: ovpn
+    hostname: ovpn
+    cap_add:
+      - NET_ADMIN
+    ports:
+      - "1194:1194/udp"
+    volumes:
+      - ./data:/config
+    environment:
+      - PUID=1000
+      - PGUID=1000
+    restart: on-failure
+    # If you want to build from source add build:
+    build:
+      context: .
+      cache_from:
+        - lsiobase/alpine.python3:latest
+    networks:
+      mynetwork:
+        ipv4_address: 10.0.0.5
+        ipv6_address: 2001:1111::5
+    
+networks:
+  mynetwork:
+    driver: host
+    enable_ipv6: true
 ```
 
 ## Parameters
@@ -112,6 +141,11 @@ For more infromation see:
 - **configuration example directory** (for more info about example)  
 - [Contributing](CONTRIBUTING.md) (for explanation how container works, how to write an example config ...)  
 
+## Troubleshooting
+
+- [OpenVPN troubleshoot guide](https://community.openvpn.net/openvpn/wiki/HOWTO#Troubleshooting)  
+
+
 ## Contribute
 
 Feel free to contribute new features to this container, but first see [Contribute Guide](CONTRIBUTING.md).
@@ -128,7 +162,7 @@ Wanted features (please help implement):
 ## Licenses
 
 - [This project](LICENSE.md)  
-- [OpenVPN]()  
+- [OpenVPN](https://openvpn.net/terms/)  
 - [Base image](https://github.com/linuxserver/docker-baseimage-alpine)  
 - [s6 Layer](https://github.com/just-containers/s6-overlay/blob/master/LICENSE.md)  
 

docker-compose.yml

@@ -0,0 +1,28 @@
+#
+# OpenVPN server sample configuration
+#
+
+version: '2.2'
+services:
+  ovpn:
+    image: slocomptech/openvpn
+    container_name: ovpn
+    hostname: ovpn
+    cap_add:
+      - NET_ADMIN
+    ports:
+      - "1194:1194/udp"
+    volumes:
+      - ./data:/config
+    #environment:
+    #  - PUID=1000
+    #  - PGUID=1000
+    restart: on-failure
+    build:
+      context: .
+      cache_from:
+        - lsiobase/alpine.python3:latest
+    
+    network_mode: "bridge"
+    #network_mode: "host"
+    

root/defaults/example/README.md

@@ -67,4 +67,6 @@ Hooks are located in `hook` directory. Please follow hook guidelines:
 - At the top of the script
     - Optionaly copyright notice
     - What this hook does
-    - Setttings with comments and an example settings values
+    - Setttings with comments and an example settings values
+
+**Note:** All hooks run as non-root user so instead of using `ip` and `iptables` use `ovpn-ip` and `ovpn-iptables`.

root/defaults/example/config/basic_nat/README.md

@@ -5,6 +5,7 @@ Features:
 - Works out of the box on bridge or host network
 - NAT (Network translation protocol)
 - Has configuration wizard
+- LAN protection (does not allow traffic to LANs connected to server)
 
 ## Configure
 

root/defaults/example/config/basic_nat/hooks/down/10-network.sh

@@ -7,6 +7,11 @@
 # Close OpenVPN port to outside
 ovpn-iptables -D INPUT -p udp -m udp --dport $PORT -j ACCEPT -m comment --comment "Open OpenVPN port"
 
+# Disable LAN protection of VPN
+ovpn-iptables -D FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o eth0 -d 10.0.0.0/8 -j REJECT -m comment --comment "Drop traffic VPN --> LANs"
+ovpn-iptables -D FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o eth0 -d 192.168.0.0/16 -j REJECT -m comment --comment "Drop traffic VPN --> LANs"
+ovpn-iptables -D FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o eth0 -d 172.16.0.0/12 -j REJECT -m comment --comment "Drop traffic VPN --> LANs"
+
 # Disable Routing Internet <--> VPN network
 ovpn-iptables -D FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o eth0 -j ACCEPT -m comment --comment "Allow traffic VPN --> Internet"
 ovpn-iptables -D FORWARD -i eth0 -d $NETWORK_ADDRESS/24 -o tun0 -j ACCEPT -m comment --comment "Allow traffic Internet --> VPN"

root/defaults/example/config/basic_nat/hooks/init/10-network.sh

@@ -15,5 +15,8 @@ ovpn-iptables -P INPUT DROP
 # Allow established connection 
 ovpn-iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Accept traffic from established connections"
 
+# Allow ICMP ping request
+ovpn-iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
+
 # Drop all forwarded traffic
 ovpn-iptables -P FORWARD DROP

root/defaults/example/config/basic_nat/hooks/up/10-network.sh

@@ -7,6 +7,11 @@
 # Open OpenVPN port to outside
 ovpn-iptables -A INPUT -p udp -m udp --dport $PORT -j ACCEPT -m comment --comment "Open OpenVPN port"
 
+# Protect LANs after VPN
+ovpn-iptables -A FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o eth0 -d 10.0.0.0/8 -j REJECT -m comment --comment "Drop traffic VPN --> LANs"
+ovpn-iptables -A FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o eth0 -d 192.168.0.0/16 -j REJECT -m comment --comment "Drop traffic VPN --> LANs"
+ovpn-iptables -A FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o eth0 -d 172.16.0.0/12 -j REJECT -m comment --comment "Drop traffic VPN --> LANs"
+
 # Allow Routing Internet <--> VPN network
 ovpn-iptables -A FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o eth0 -j ACCEPT -m comment --comment "Allow traffic VPN --> Internet"
 ovpn-iptables -A FORWARD -i eth0 -d $NETWORK_ADDRESS/24 -o tun0 -j ACCEPT -m comment --comment "Allow traffic Internet --> VPN"

root/defaults/example/config/basic_nat_wlp/README.md

@@ -0,0 +1,20 @@
+# basic_nat_wlp
+
+Features:  
+
+- Works out of the box on bridge or host network
+- NAT (Network translation protocol)
+- Has configuration wizard
+- **WITHOUT** LAN protection (does not allow traffic to LANs connected to server), so you can still access devices in LAN (but **routed** example is recommended, because here traffic is still NAT-ed)
+
+## Configure
+
+``` bash
+ovpn_enconf basic_nat_wlp
+#Protocol udp, tcp, udp6, tcp6 [udp]:
+#VPN network [10.0.0.0]:
+#Port [1194]:
+#Public IP or domain of server: <PUBLIC IP>
+#DNS1 [8.8.8.8]:
+#DNS2 [8.8.4.4]:
+```

root/defaults/example/config/basic_nat_wlp/client/client.conf

@@ -0,0 +1,38 @@
+#
+# Basic OpenVPN server configuration
+# @author Martin Dagarin
+# @version 2
+# @since 12/03/2019
+#
+
+# Basic info
+client
+dev tun0
+proto $PROTO
+nobind
+pull
+
+
+# Remote info
+remote $SERVER_IP $PORT
+
+# Connection settings
+resolv-retry infinite
+persist-key
+persist-tun
+
+# Encryption settings
+cipher AES-256-GCM
+
+# Additional settings
+compress lzo
+verb 3
+ping 10 120
+
+# Permissions
+user nobody
+group nogroup
+
+# CA
+remote-cert-tls server
+

root/defaults/example/config/basic_nat_wlp/hooks/down/10-network.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+#
+#   Network clear
+#
+
+# Close OpenVPN port to outside
+ovpn-iptables -D INPUT -p udp -m udp --dport $PORT -j ACCEPT -m comment --comment "Open OpenVPN port"
+
+# Disable Routing Internet <--> VPN network
+ovpn-iptables -D FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o eth0 -j ACCEPT -m comment --comment "Allow traffic VPN --> Internet"
+ovpn-iptables -D FORWARD -i eth0 -d $NETWORK_ADDRESS/24 -o tun0 -j ACCEPT -m comment --comment "Allow traffic Internet --> VPN"
+
+# Disable NAT for VPN traffic
+ovpn-iptables -t nat -D POSTROUTING -s $NETWORK_ADDRESS/24 -o eth0 -j MASQUERADE -m comment --comment "NAT traffic VPN --> Internet"
+

root/defaults/example/config/basic_nat_wlp/hooks/init/10-network.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+#
+#   Network initialization
+#
+
+#
+# Because default iptables rules are set to ACCEPT all connection, we need to put some
+# security settings in place
+#
+
+# Drop everything from input
+ovpn-iptables -P INPUT DROP
+
+# Allow established connection 
+ovpn-iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Accept traffic from established connections"
+
+# Allow ICMP ping request
+ovpn-iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
+
+# Drop all forwarded traffic
+ovpn-iptables -P FORWARD DROP

root/defaults/example/config/basic_nat_wlp/hooks/up/10-network.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+#
+#   Network initialization
+#
+
+# Open OpenVPN port to outside
+ovpn-iptables -A INPUT -p udp -m udp --dport $PORT -j ACCEPT -m comment --comment "Open OpenVPN port"
+
+# Allow Routing Internet <--> VPN network
+ovpn-iptables -A FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o eth0 -j ACCEPT -m comment --comment "Allow traffic VPN --> Internet"
+ovpn-iptables -A FORWARD -i eth0 -d $NETWORK_ADDRESS/24 -o tun0 -j ACCEPT -m comment --comment "Allow traffic Internet --> VPN"
+
+# Preform NAT for VPN traffic
+ovpn-iptables -t nat -A POSTROUTING -s $NETWORK_ADDRESS/24 -o eth0 -j MASQUERADE -m comment --comment "NAT traffic VPN --> Internet"
+

root/defaults/example/config/basic_nat_wlp/server/server.conf

@@ -0,0 +1,44 @@
+#
+# Basic OpenVPN server configuration
+# @author Martin Dagarin
+# @version 3
+# @since 12/03/2019
+#
+
+# Basic info
+proto $PROTO
+port $PORT
+
+# Network info (local VPN network)
+topology subnet
+server $NETWORK_ADDRESS 255.255.255.0
+
+push "redirect-gateway def1 bypass-dhcp"
+push "dhcp-option $DNS1"
+push "dhcp-option $DNS2"
+
+ifconfig-pool-persist tmp/ipp.txt
+
+# CA files
+ca pki/ca.crt
+cert pki/issued/server.crt
+key pki/private/server.key
+dh pki/dh.pem
+tls-crypt pki/ta.key
+remote-cert-tls client
+
+# Connection settings
+persist-key
+persist-tun
+
+# Encryption settings
+cipher AES-256-GCM
+
+# Verify client certificate
+verify-client-cert require
+
+# Additional settings
+client-to-client
+keepalive 10 120
+compress lzo
+explicit-exit-notify 1