Added UFW_ALLOW_GW_NET. Changes firewall rules from using GW to the GW network when set to true.

Extended LOCAL_NETWORK to support a comma-separated list of /CIDR networks.

Minor firewall cleanups. Removed specified TCP in range allow. No point, we don't specify tcp/udp anywhere else.

Formatting changes (BASH 3+ style).

Cleaned removed external [ ] calls. Use builtin [[ ]].

Use ${VAR,,} to lowercase isntead of TR.
Dean Bailey
2018-03-04 23:39:38 -08:00
parent 4d657ab72e
commit 9f89da6522
6 changed files with 100 additions and 65 deletions


@@ -6,6 +6,7 @@
#OPENVPN_OPTS=--inactive 3600 --ping 10 --ping-exit 60 #OPENVPN_OPTS=--inactive 3600 --ping 10 --ping-exit 60
#LOCAL_NETWORK= #LOCAL_NETWORK=
#ENABLE_UFW=false #ENABLE_UFW=false
#UFW_ALLOW_GW_NET=false
#UFW_EXTRA_PORTS= #UFW_EXTRA_PORTS=
#TRANSMISSION_ALT_SPEED_DOWN=50 #TRANSMISSION_ALT_SPEED_DOWN=50
#TRANSMISSION_ALT_SPEED_ENABLED=false #TRANSMISSION_ALT_SPEED_ENABLED=false


@@ -110,6 +110,7 @@ ENV OPENVPN_USERNAME=**None** \
TRANSMISSION_WATCH_DIR_ENABLED=true \ TRANSMISSION_WATCH_DIR_ENABLED=true \
TRANSMISSION_HOME=/data/transmission-home \ TRANSMISSION_HOME=/data/transmission-home \
ENABLE_UFW=false \ ENABLE_UFW=false \
UFW_ALLOW_GW_NET=false \
UFW_EXTRA_PORTS= \ UFW_EXTRA_PORTS= \
TRANSMISSION_WEB_UI= \ TRANSMISSION_WEB_UI= \
PUID= \ PUID= \


@@ -101,6 +101,8 @@ ENV OPENVPN_USERNAME=**None** \
TRANSMISSION_WATCH_DIR_ENABLED=true \ TRANSMISSION_WATCH_DIR_ENABLED=true \
TRANSMISSION_HOME=/data/transmission-home \ TRANSMISSION_HOME=/data/transmission-home \
ENABLE_UFW=false \ ENABLE_UFW=false \
UFW_ALLOW_GW_NET=false \
UFW_EXTRA_PORTS= \
TRANSMISSION_WEB_UI= \ TRANSMISSION_WEB_UI= \
PUID= \ PUID= \
PGID= \ PGID= \


@@ -101,6 +101,7 @@ ENV OPENVPN_USERNAME=**None** \
TRANSMISSION_WATCH_DIR_ENABLED=true \ TRANSMISSION_WATCH_DIR_ENABLED=true \
TRANSMISSION_HOME=/data/transmission-home \ TRANSMISSION_HOME=/data/transmission-home \
ENABLE_UFW=false \ ENABLE_UFW=false \
UFW_ALLOW_GW_NET=false \
UFW_EXTRA_PORTS= \ UFW_EXTRA_PORTS= \
TRANSMISSION_WEB_UI=\ TRANSMISSION_WEB_UI=\
PUID=\ PUID=\


@@ -137,7 +137,7 @@ This is a list of providers that are bundled within the image. Feel free to crea
|----------|----------|-------| |----------|----------|-------|
|`OPENVPN_CONFIG` | Sets the OpenVPN endpoint to connect to. | `OPENVPN_CONFIG=UK Southampton`| |`OPENVPN_CONFIG` | Sets the OpenVPN endpoint to connect to. | `OPENVPN_CONFIG=UK Southampton`|
|`OPENVPN_OPTS` | Will be passed to OpenVPN on startup | See [OpenVPN doc](https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html) | |`OPENVPN_OPTS` | Will be passed to OpenVPN on startup | See [OpenVPN doc](https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html) |
|`LOCAL_NETWORK` | Sets the local network that should have access. | `LOCAL_NETWORK=192.168.0.0/24`| |`LOCAL_NETWORK` | Sets the local network that should have access. Accepts comma separated list. | `LOCAL_NETWORK=192.168.0.0/24`|
### Firewall configuration options ### Firewall configuration options
When enabled, the firewall blocks everything except traffic to the peer port and traffic to the rpc port from the LOCAL_NETWORK and the internal docker gateway. When enabled, the firewall blocks everything except traffic to the peer port and traffic to the rpc port from the LOCAL_NETWORK and the internal docker gateway.
@@ -147,6 +147,8 @@ If TRANSMISSION_PEER_PORT_RANDOM_ON_START is enabled then it allows traffic to t
| Variable | Function | Example | | Variable | Function | Example |
|----------|----------|-------| |----------|----------|-------|
|`ENABLE_UFW` | Enables the firewall | `ENABLE_UFW=true`| |`ENABLE_UFW` | Enables the firewall | `ENABLE_UFW=true`|
|`UFW_ALLOW_GW_NET` | Allows the gateway network through the firewall. Off defaults to only allowing the gateway. | `UFW_ALLOW_GW_NET=true`|
|`UFW_EXTRA_PORTS` | Allows the comma separated list of ports through the firewall. Respsects UFW_ALLOW_GW_NET. | `UFW_EXTRA_PORTS=9910,23561,443`|
### Alternative web UIs ### Alternative web UIs
You can override the default web UI by setting the ```TRANSMISSION_WEB_HOME``` environment variable. If set, Transmission will look there for the Web Interface files, such as the javascript, html, and graphics files. You can override the default web UI by setting the ```TRANSMISSION_WEB_HOME``` environment variable. If set, Transmission will look there for the Web Interface files, such as the javascript, html, and graphics files.


@@ -1,42 +1,40 @@
#!/bin/bash #!/bin/bash
vpn_provider="$(echo $OPENVPN_PROVIDER | tr '[A-Z]' '[a-z]')" VPN_PROVIDER="${OPENVPN_PROVIDER,,}"
vpn_provider_configs="/etc/openvpn/$vpn_provider" VPN_PROVIDER_CONFIGS="/etc/openvpn/${VPN_PROVIDER}"
if [ ! -d "$vpn_provider_configs" ]; then if [[ ! -d "${VPN_PROVIDER_CONFIGS}" ]]; then
echo "Could not find OpenVPN provider: $OPENVPN_PROVIDER" echo "Could not find OpenVPN provider: ${OPENVPN_PROVIDER}"
echo "Please check your settings." echo "Please check your settings."
exit 1 exit 1
fi fi
echo "Using OpenVPN provider: $OPENVPN_PROVIDER" echo "Using OpenVPN provider: ${OPENVPN_PROVIDER}"
if [ ! -z "$OPENVPN_CONFIG" ] if [[ ! -z "${OPENVPN_CONFIG}" ]]; then
then n=$(echo "$OPENVPN_CONFIG" | wc -w)
n=$(echo "$OPENVPN_CONFIG" | wc -w) if [ $n -gt 1 ]
if [ $n -gt 1 ] then
then rnd=$((RANDOM%n+1))
rnd=$((RANDOM%n+1)) srv=$(echo "$OPENVPN_CONFIG" | awk -vrnd=$rnd '{print $rnd}')
srv=$(echo "$OPENVPN_CONFIG" | awk -vrnd=$rnd '{print $rnd}') echo "$n servers found in OPENVPN_CONFIG, $srv chosen randomly"
echo "$n servers found in OPENVPN_CONFIG, $srv chosen randomly" OPENVPN_CONFIG=$srv
OPENVPN_CONFIG=$srv fi
fi
if [ -f $vpn_provider_configs/"${OPENVPN_CONFIG}".ovpn ] if [[ -f "${VPN_PROVIDER_CONFIGS}/${OPENVPN_CONFIG}".ovpn ]]; then
then echo "Starting OpenVPN using config ${OPENVPN_CONFIG}.ovpn"
echo "Starting OpenVPN using config ${OPENVPN_CONFIG}.ovpn" OPENVPN_CONFIG="${VPN_PROVIDER_CONFIGS}/${OPENVPN_CONFIG}.ovpn"
OPENVPN_CONFIG=$vpn_provider_configs/${OPENVPN_CONFIG}.ovpn else
else echo "Supplied config ${OPENVPN_CONFIG}.ovpn could not be found."
echo "Supplied config ${OPENVPN_CONFIG}.ovpn could not be found." echo "Using default OpenVPN gateway for provider ${VPN_PROVIDER}"
echo "Using default OpenVPN gateway for provider ${vpn_provider}" OPENVPN_CONFIG="${VPN_PROVIDER_CONFIGS}/default.ovpn"
OPENVPN_CONFIG=$vpn_provider_configs/default.ovpn fi
fi
else else
echo "No VPN configuration provided. Using default." echo "No VPN configuration provided. Using default."
OPENVPN_CONFIG=$vpn_provider_configs/default.ovpn OPENVPN_CONFIG="${VPN_PROVIDER_CONFIGS}/default.ovpn"
fi fi
# add OpenVPN user/pass # add OpenVPN user/pass
if [ "${OPENVPN_USERNAME}" = "**None**" ] || [ "${OPENVPN_PASSWORD}" = "**None**" ] ; then if [[ "${OPENVPN_USERNAME}" == "**None**" ]] || [[ "${OPENVPN_PASSWORD}" == "**None**" ]] ; then
if [ ! -f /config/openvpn-credentials.txt ] ; then if [[ ! -f /config/openvpn-credentials.txt ]] ; then
echo "OpenVPN credentials not set. Exiting." echo "OpenVPN credentials not set. Exiting."
exit 1 exit 1
fi fi
@@ -44,67 +42,97 @@ if [ "${OPENVPN_USERNAME}" = "**None**" ] || [ "${OPENVPN_PASSWORD}" = "**None**
else else
echo "Setting OPENVPN credentials..." echo "Setting OPENVPN credentials..."
mkdir -p /config mkdir -p /config
echo $OPENVPN_USERNAME > /config/openvpn-credentials.txt echo "${OPENVPN_USERNAME}" > /config/openvpn-credentials.txt
echo $OPENVPN_PASSWORD >> /config/openvpn-credentials.txt echo "${OPENVPN_PASSWORD}" >> /config/openvpn-credentials.txt
chmod 600 /config/openvpn-credentials.txt chmod 600 /config/openvpn-credentials.txt
fi fi
# add transmission credentials from env vars # add transmission credentials from env vars
echo $TRANSMISSION_RPC_USERNAME > /config/transmission-credentials.txt echo "${TRANSMISSION_RPC_USERNAME}" > /config/transmission-credentials.txt
echo $TRANSMISSION_RPC_PASSWORD >> /config/transmission-credentials.txt echo "${TRANSMISSION_RPC_PASSWORD}" >> /config/transmission-credentials.txt
# Persist transmission settings for use by transmission-daemon # Persist transmission settings for use by transmission-daemon
dockerize -template /etc/transmission/environment-variables.tmpl:/etc/transmission/environment-variables.sh dockerize -template /etc/transmission/environment-variables.tmpl:/etc/transmission/environment-variables.sh
TRANSMISSION_CONTROL_OPTS="--script-security 2 --up-delay --up /etc/openvpn/tunnelUp.sh --down /etc/openvpn/tunnelDown.sh" TRANSMISSION_CONTROL_OPTS="--script-security 2 --up-delay --up /etc/openvpn/tunnelUp.sh --down /etc/openvpn/tunnelDown.sh"
if [ "true" = "$ENABLE_UFW" ]; then ## If we use UFW or the LOCAL_NETWORK we need to grab network config info
if [[ "${ENABLE_UFW,,}" == "true" ]] || [[ -n "${LOCAL_NETWORK-}" ]]; then
eval $(/sbin/ip r l m 0.0.0.0 | awk '{if($5!="tun0"){print "GW="$3"\nINT="$5; exit}}')
## IF we use UFW_ALLOW_GW_NET along with ENABLE_UFW we need to know what our netmask CIDR is
if [[ "${ENABLE_UFW,,}" == "true" ]] && [[ "${UFW_ALLOW_GW_NET,,}" == "true" ]]; then
eval $(ip r l dev ${INT} | awk '{if($5=="link"){print "GW_CIDR="$1; exit}}')
fi
fi
## Open port to any address
function ufwAllowPort {
typeset -n portNum=${1}
if [[ "${ENABLE_UFW,,}" == "true" ]] && [[ -n "${portNum-}" ]]; then
echo "allowing ${portNum} through the firewall"
ufw allow ${portNum}
fi
}
## Open port to specific address.
function ufwAllowPortLong {
typeset -n portNum=${1} sourceAddress=${2}
if [[ "${ENABLE_UFW,,}" == "true" ]] && [[ -n "${portNum-}" ]] && [[ -n "${sourceAddress-}" ]]; then
echo "allowing ${sourceAddress} through the firewall to port ${portNum}"
ufw allow from ${sourceAddress} to any port ${portNum}
fi
}
if [[ "${ENABLE_UFW,,}" == "true" ]]; then
# Enable firewall # Enable firewall
echo "enabling firewall" echo "enabling firewall"
sed -i -e s/IPV6=yes/IPV6=no/ /etc/default/ufw sed -i -e s/IPV6=yes/IPV6=no/ /etc/default/ufw
ufw enable ufw enable
if [ "true" = "$TRANSMISSION_PEER_PORT_RANDOM_ON_START" ]; then if [[ "${TRANSMISSION_PEER_PORT_RANDOM_ON_START,,}" == "true" ]]; then
PEER_PORT="$TRANSMISSION_PEER_PORT_RANDOM_LOW:$TRANSMISSION_PEER_PORT_RANDOM_HIGH/tcp" PEER_PORT="${TRANSMISSION_PEER_PORT_RANDOM_LOW}:${TRANSMISSION_PEER_PORT_RANDOM_HIGH}"
else else
PEER_PORT=$TRANSMISSION_PEER_PORT PEER_PORT="${TRANSMISSION_PEER_PORT}"
fi fi
echo "allowing $PEER_PORT through the firewall" ufwAllowPort PEER_PORT
ufw allow $PEER_PORT
if [ "true" = "$WEBPROXY_ENABLED" ]; then if [[ "${WEBPROXY_ENABLED,,}" == "true" ]]; then
echo "allowing $WEBPROXY_PORT through the firewall" ufwAllowPort WEBPROXY_PORT
ufw allow $WEBPROXY_PORT fi
if [[ "${UFW_ALLOW_GW_NET,,}" == "true" ]]; then
ufwAllowPortLong TRANSMISSION_RPC_PORT GW_CIDR
else
ufwAllowPortLong TRANSMISSION_RPC_PORT GW
fi fi
eval $(/sbin/ip r l m 0.0.0.0 | awk '{if($5!="tun0"){print "GW="$3"\nINT="$5; exit}}') if [[ -n "${UFW_EXTRA_PORTS-}" ]]; then
echo "allowing access to $TRANSMISSION_RPC_PORT from $GW"
ufw allow proto tcp from $GW to any port $TRANSMISSION_RPC_PORT
if [ ! -z "${UFW_EXTRA_PORTS}" ]; then
for port in ${UFW_EXTRA_PORTS//,/ }; do for port in ${UFW_EXTRA_PORTS//,/ }; do
echo "allowing access to ${port} from $GW" if [[ "${UFW_ALLOW_GW_NET,,}" == "true" ]]; then
ufw allow proto tcp from $GW to any port ${port} ufwAllowPortLong port GW_CIDR
else
ufwAllowPortLong port GW
fi
done done
fi fi
fi fi
if [ -n "${LOCAL_NETWORK-}" ]; then if [[ -n "${LOCAL_NETWORK-}" ]]; then
eval $(/sbin/ip r l m 0.0.0.0 | awk '{if($5!="tun0"){print "GW="$3"\nINT="$5; exit}}') if [[ -n "${GW-}" ]] && [[ -n "${INT-}" ]]; then
if [ -n "${GW-}" -a -n "${INT-}" ]; then for localNet in ${LOCAL_NETWORK//,/ }; do
echo "adding route to local network $LOCAL_NETWORK via $GW dev $INT" echo "adding route to local network ${localNet} via ${GW} dev ${INT}"
/sbin/ip r a "$LOCAL_NETWORK" via "$GW" dev "$INT" /sbin/ip r a "${localNet}" via "${GW}" dev "${INT}"
if [ "true" = "$ENABLE_UFW" ]; then if [[ "${ENABLE_UFW,,}" == "true" ]]; then
echo "allowing access to $TRANSMISSION_RPC_PORT from $LOCAL_NETWORK" ufwAllowPortLong TRANSMISSION_RPC_PORT localNet
ufw allow proto tcp from $LOCAL_NETWORK to any port $TRANSMISSION_RPC_PORT if [[ -n "${UFW_EXTRA_PORTS-}" ]]; then
if [ ! -z "${UFW_EXTRA_PORTS}" ]; then for port in ${UFW_EXTRA_PORTS//,/ }; do
for port in ${UFW_EXTRA_PORTS//,/ }; do ufwAllowPortLong port localNet
echo "allowing access to ${port} from $LOCAL_NETWORK" done
ufw allow proto tcp from $LOCAL_NETWORK to any port ${port} fi
done
fi fi
fi done
fi fi
fi fi
exec openvpn $TRANSMISSION_CONTROL_OPTS $OPENVPN_OPTS --config "$OPENVPN_CONFIG" exec openvpn ${TRANSMISSION_CONTROL_OPTS} ${OPENVPN_OPTS} --config "${OPENVPN_CONFIG}"
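Review bot: `ufw allow` refuses a port range that carries no protocol ("Must specify 'tcp' or 'udp' with multiple ports"), so in the random-port branch the new PEER_PORT value `LOW:HIGH` (the `/tcp` suffix was dropped) makes the `ufw allow ${portNum}` call in ufwAllowPort fail and the peer port range is never opened. The script has no `set -e` and the helper does not check the exit status, so this surfaces only as an error line while start-up continues with the peer range still blocked. Restoring the protocol, `PEER_PORT="${TRANSMISSION_PEER_PORT_RANDOM_LOW}:${TRANSMISSION_PEER_PORT_RANDOM_HIGH}/tcp"`, fixes the range case, and both helpers should report failures, e.g. `ufw allow "${portNum}" || echo "ufw allow ${portNum} failed" >&2`. Separately, GW_CIDR appears to be the link-scoped subnet of the gateway interface, so UFW_ALLOW_GW_NET=true opens the RPC port and every UFW_EXTRA_PORTS entry to all hosts on that Docker network rather than just the gateway; a comment at the GW_CIDR eval stating that widening would help operators decide. Note that `${VAR,,}` needs bash 4.0 and `typeset -n` needs bash 4.3, despite the commit message's "BASH 3+" wording.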