Added basic_routed example

Added example were routing is used instead of NAT-ing

Author: SloCompTech

root/defaults/example/config/basic_routed/README.md

@@ -0,0 +1,47 @@
+# basic_routed
+
+Features:  
+
+- Has configuration wizard
+- Prepared for using routing (so you will have access to LANs directly without usign NAT)
+
+## Configure
+
+``` bash
+ovpn_enconf basic_routed
+#Protocol udp, tcp, udp6, tcp6 [udp]:
+#VPN network [10.0.0.0]:
+#Port [1194]:
+#Public IP or domain of server: <PUBLIC IP>
+#DNS1 [8.8.8.8]:
+#DNS2 [8.8.4.4]:
+```
+
+### Network configuration
+
+1. If you are using **bridge** networking mode else skip this step:
+
+    - Assign static IP to this container  
+    - see [docker compose networks](https://docs.docker.com/compose/compose-file/compose-file-v2/#networks), you can also check current IP of container
+        with `docker exec -it CONTAINERNAME ifconfig`  
+    - Add static route on host to the container with network
+
+        ``` bash
+            route add -net NETWORK netmask MASK gw CONTAINER_IP
+        ```
+
+2. Add route to the network on your router
+
+    - Destination IP Address: NETWORK
+    - Subnet mask: MASK
+    - Gateway: SERVERIP_OR_CONTAINERIP (IP where your OpenVPN server is running: server ip when bridge mode, container ip on host mode)
+
+    ![Sample interface](img/img1.png)  
+
+3. If you have Mikrotik or Cisco router make sure you have NAT correctly configured
+4. Make sure you have firewall rules correctly configured on your router
+5. Add additional routes in *server config* if nessesary (see [--route option](https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage)), default route is set as default gateway  
+
+    ``` OpenVPN
+    route network/IP [netmask] [gateway] [metric]
+    ```

root/defaults/example/config/basic_routed/client/client.conf

@@ -0,0 +1,38 @@
+#
+# Basic OpenVPN server configuration
+# @author Martin Dagarin
+# @version 2
+# @since 12/03/2019
+#
+
+# Basic info
+client
+dev tun0
+proto $PROTO
+nobind
+pull
+
+
+# Remote info
+remote $SERVER_IP $PORT
+
+# Connection settings
+resolv-retry infinite
+persist-key
+persist-tun
+
+# Encryption settings
+cipher AES-256-GCM
+
+# Additional settings
+compress lzo
+verb 3
+ping 10 120
+
+# Permissions
+user nobody
+group nogroup
+
+# CA
+remote-cert-tls server
+

root/defaults/example/config/basic_routed/hooks/down/10-network.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+#
+#   Network clear
+#
+
+# Close OpenVPN port to outside
+ovpn-iptables -D INPUT -p udp -m udp --dport $PORT -j ACCEPT -m comment --comment "Open OpenVPN port"
+
+# Disable Routing Internet <--> VPN network
+ovpn-iptables -D FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o eth0 -j ACCEPT -m comment --comment "Allow traffic VPN --> Internet"
+ovpn-iptables -D FORWARD -i eth0 -d $NETWORK_ADDRESS/24 -o tun0 -j ACCEPT -m comment --comment "Allow traffic Internet --> VPN"
+

root/defaults/example/config/basic_routed/hooks/init/10-network.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+#
+#   Network initialization
+#
+
+#
+# Because default iptables rules are set to ACCEPT all connection, we need to put some
+# security settings in place
+#
+
+# Drop everything from input
+ovpn-iptables -P INPUT DROP
+
+# Allow established connection 
+ovpn-iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Accept traffic from established connections"
+
+# Allow ICMP ping request
+ovpn-iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
+
+# Drop all forwarded traffic
+ovpn-iptables -P FORWARD DROP

root/defaults/example/config/basic_routed/hooks/up/10-network.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+#
+#   Network initialization
+#
+
+# Open OpenVPN port to outside
+ovpn-iptables -A INPUT -p udp -m udp --dport $PORT -j ACCEPT -m comment --comment "Open OpenVPN port"
+
+# Allow Routing Internet <--> VPN network
+ovpn-iptables -A FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o eth0 -j ACCEPT -m comment --comment "Allow traffic VPN --> Internet"
+ovpn-iptables -A FORWARD -i eth0 -d $NETWORK_ADDRESS/24 -o tun0 -j ACCEPT -m comment --comment "Allow traffic Internet --> VPN"
+

root/defaults/example/config/basic_routed/img/img1.png

@@ -0,0 +1,44 @@
+#
+# Basic OpenVPN server configuration
+# @author Martin Dagarin
+# @version 3
+# @since 12/03/2019
+#
+
+# Basic info
+proto $PROTO
+port $PORT
+
+# Network info (local VPN network)
+topology subnet
+server $NETWORK_ADDRESS 255.255.255.0
+
+push "redirect-gateway def1 bypass-dhcp"
+push "dhcp-option $DNS1"
+push "dhcp-option $DNS2"
+
+ifconfig-pool-persist tmp/ipp.txt
+
+# CA files
+ca pki/ca.crt
+cert pki/issued/server.crt
+key pki/private/server.key
+dh pki/dh.pem
+tls-crypt pki/ta.key
+remote-cert-tls client
+
+# Connection settings
+persist-key
+persist-tun
+
+# Encryption settings
+cipher AES-256-GCM
+
+# Verify client certificate
+verify-client-cert require
+
+# Additional settings
+client-to-client
+keepalive 10 120
+compress lzo
+explicit-exit-notify 1

root/defaults/example/config/basic_routed/server/server.conf

@@ -0,0 +1,84 @@
+#!/usr/bin/python
+
+#
+#   Config wizard for basic_routed example
+#   @author Martin Dagarin
+#   @version 1
+#   @since 19/03/2019
+#
+
+#   Defaults:
+#       Protocol: udp
+#       Network: 10.0.0.0
+#       Port: 1194
+#       DNS: 8.8.8.8, 8.8.4.4
+#
+
+import sys, os
+
+# Import libraries included in this docker
+sys.path.insert(0, '/app/lib')
+import libovpn
+
+# Check if temporary path was passed to this script
+if len(sys.argv) < 2:
+    print("Temporary path was not passed to wizard")
+    sys.exit(1)
+TEMP_PATH = sys.argv[1]
+if not os.path.isdir(TEMP_PATH):
+    print("Specified directory does not exist")
+    sys.exit(2)
+
+# Select protocol
+protocol = input("Protocol udp, tcp, udp6, tcp6 [udp]:")
+AVAILABLE_PROTOCOLS = ["udp", "tcp", "udp6", "tcp6"]
+if len(protocol) != 0 and protocol not in AVAILABLE_PROTOCOLS:
+    print("Invalid protocol")
+    sys.exit(3)
+if len(protocol) == 0:
+    protocol = "udp"
+
+# Select network
+network = input("VPN network [10.0.0.0]:")
+if len(network) == 0:
+    network = "10.0.0.0"
+
+# Select port
+port = input("Port [1194]:")
+if len(port) == 0:
+    port="1194"
+
+# Select Public IP or domain
+public = input("Public IP or domain of server:")
+if len(public) == 0:
+    print("Invalid Public IP")
+    sys.exit(4)
+
+# DNS servers
+dns1 = input("DNS1 [8.8.8.8]:")
+if len(dns1) == 0:
+    dns1 = "8.8.8.8"
+dns2 = input("DNS2 [8.8.4.4]:")
+if len(dns2) == 0:
+    dns2 = "8.8.4.4"
+
+
+# Write to server config
+vars = [
+    ("$PROTO", protocol),
+    ("$PORT", port),
+    ("$NETWORK_ADDRESS", network),
+    ("$SERVER_IP", public),
+    ("$DNS1", dns1),
+    ("$DNS2", dns2)
+]
+
+# Process config files
+confs = [
+    "/server/server.conf",
+    "/client/client.conf",
+    "/hooks/down/10-network.sh",
+    "/hooks/up/10-network.sh"
+]
+for config_file in confs:
+    libovpn.conf_envsubst(TEMP_PATH + config_file, vars)