Merge branch 'develop'

Author: SloCompTech

CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+### 1.0.5 - Bugfix, finish hook, persistent interface, no firewall ...
+
+- Fixed bug when running hooks (#3)
+- Added **finish** hook (which runs just before container exit)
+- Added **persistent interface** option, so interface is persistently present on device (if using host networking mode) and firewall setup rules are executed **only once** (no ip tables mess) (#1)
+- Logging chaned to stdout, no more log file by default
+- Added **firewall disable** feature to disable all firewall related modifications
+- Added `ìp6tables` & more permissions to *ip utils*
+- Run OpenVPN only if config is present in `/config/openvpn/server` else **sleep forever** until config was setup & **CONTAINER RESTART**
+
 ### 1.0.4 - IPv6 docs, improved wizards
 
 - Added instructions for IPv6 configuration

CONTRIBUTING.md

@@ -51,16 +51,17 @@ Sections:
         hook # Example hook configs
     module # Modules for openvpn
     hooks # Put your custom scripts in one of subfolders
+        auth # On authentication (needs to be enabled in config)
+        client-connect # Client connected
+        client-disconnect # Client disconnected
+        down # After interface is down
+        finish # Deinit container
         init # Init container
+        learn-address
         route-up # After routes are added
         route-pre-down # Before routes are removed
         up # After interface is up  
-        down # After interface is down
-        client-connect # Client connected
-        client-disconnect # Client disconnected
-        learn-address
         tls-verify # Check certificate
-        auth # On authentication (needs to be enabled in config)
     system.conf # System OpenVPN config file (do not edit, unless instructed)
     include-server.conf # File that includes all server configuration files (automatically generated)
     donotdelete # Leave this file alone, if deleted it triggers full setup

Dockerfile

@@ -55,15 +55,18 @@ ENV PATH="/app/bin:$PATH" \
 RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/main/" >> /etc/apk/repositories && \
     apk add --no-cache \
     # Core packages
-    bash sudo iptables git openvpn easy-rsa && \
+    bash sudo iptables ip6tables git openvpn easy-rsa && \
     # Link easy-rsa in bin directory
     ln -s ${EASYRSA}/easyrsa /usr/local/bin && \
     # Link python3 also as python
     ln -s /usr/bin/python3 /usr/bin/python && \
     # Remove any temporary files created by apk
     rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/* && \
     # Add permission for network management to user abc
-    echo "abc ALL=(ALL) NOPASSWD: /sbin/ip, /sbin/iptables" >> /etc/sudoers
+    echo "abc ALL=(ALL) NOPASSWD: /sbin/ip, /sbin/ip6tables, /sbin/ip6tables-compat, /sbin/ip6tables-compat-restore, /sbin/ip6tables-compat-save, /sbin/ip6tables-restore, /sbin/ip6tables-restore-translate, \
+        /sbin/ip6tables-save, /sbin/ip6tables-translate, /sbin/iptables, /sbin/iptables-compat, /sbin/iptables-compat-restore, /sbin/iptables-compat-save, \
+        /sbin/iptables-restore, /sbin/iptables-restore-translate, /sbin/iptables-save, /sbin/iptables-translate, /sbin/route" \
+        >> /etc/sudoers.d/abc
 
 # Add repo files to image
 COPY root/ /

README.md

@@ -70,6 +70,8 @@ services:
 |:-----------:|:----------:|
 |`-e PUID=1000`|for UserID - see below for explanation|
 |`-e PGID=1000`|for GroupID - see below for explanation|
+|`-e OVPN_NFW=true`|Disable any firewall related rules to be created, modified ... (must be implemented in example)|
+|`-e OVPN_PERINT=false`|Disable persistent TUN interface|
 |`-v /config`|All the config files including OpenVPNs reside here|
 
 See also: [EasyRSA](https://github.com/OpenVPN/easy-rsa/blob/master/doc/EasyRSA-Advanced.md)  
@@ -146,7 +148,6 @@ For more infromation see:
 
 - [OpenVPN troubleshoot guide](https://community.openvpn.net/openvpn/wiki/HOWTO#Troubleshooting)  
 
-
 ## Contribute
 
 Feel free to contribute new features to this container, but first see [Contribute Guide](CONTRIBUTING.md).
@@ -158,7 +159,7 @@ Planed features:
 Wanted features (please help implement):
 
 - LDAP authentication script
-- Google authenticator 
+- Google authenticator
 
 ## Licenses
 
@@ -167,7 +168,6 @@ Wanted features (please help implement):
 - [Base image](https://github.com/linuxserver/docker-baseimage-alpine)  
 - [s6 Layer](https://github.com/just-containers/s6-overlay/blob/master/LICENSE.md)  
 
-
 ## Versions
 
 See [CHANGELOG](CHANGELOG.md)  

root/app/bin/run_hooks

@@ -10,10 +10,17 @@ function usage() {
     echo "Usage: run_hooks HOOK_NAME [ARGS]"
     echo ""
     echo "Hooks:"
-    echo "  up          saasas"
-    echo "  down-pre    asasss"
-    echo "  down-post   asasda"
-    echo "  auth        asdasd"
+    echo "  auth                On OpenVPN client authentication"
+    echo "  client-connect      On OpenVPN client connected"
+    echo "  client-disconnect   On OpenVPN client disconnected"
+    echo "  finish              On container shutdown"
+    echo "  init                On container power on"
+    echo "  learn-address       Client Address & Routes validation"
+    echo "  down                Before/After TUN interface closed"
+    echo "  route-up            After routes are added"
+    echo "  route-pre-down      Before routes are removed"
+    echo "  tls-verify          On OpenVPN client certificate verificaton"
+    echo "  up                  After TUN interface opened"
 }
 
 # Check if hook name is set
@@ -33,8 +40,9 @@ for script in $OVPN_HOOKS/$1/*; do
     [ -e "$script" ] || continue
 
     # Execute only executable files
-    if [ -f "$script" ] || [ -x "$script" ] || true; then
+    if [ -f "$script" ] && [ -x "$script" ]; then
         # Run script and pass additional args to hooks
+        echo "Executing hook: $script"
         if [ $# -gt 2 ]; then
             $script ${@:2}
         else

root/app/lib/settings

@@ -0,0 +1,42 @@
+#!/usr/bin/with-contenv bash
+
+#
+#   Settings functions
+#
+
+#
+#   Checks if TUN interface is supposed to be persistant
+#   @return 1 if persistant, 0 if not
+#
+function intPersistant() {
+    if [ ! -n "$OVPN_PERINT" ] || ([ "$OVPN_PERINT" != "true" ] && [ "$OVPN_PERINT" != "1" ]); then
+        return 0 # Not persistant by default
+    else
+        return 1 # Persistant
+    fi
+}
+
+#
+#   Checks if we use firewall rules
+#   @return 1 if yes, 0 if not
+#
+function useFW() {
+    if [ ! -n "$OVPN_NFW" ] || ([ "$OVPN_NFW" != "true" ] && [ "$OVPN_NFW" != "1" ]); then
+        return 1 # yes by default
+    else
+        return 0 # No
+    fi
+}
+
+#
+#   Checks if TUN interface exists already
+#   @return 0 if found, 1 if not found
+#
+function intTunExists() {
+    RES=`cat /proc/net/dev | grep tun0`
+    if [ -n "$RES" ]; then
+        return 0 # Found
+    else
+        return 1 # Not found
+    fi
+}

root/app/lib/utils

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/with-contenv bash
 
 #
 #   Additional functions
@@ -45,4 +45,16 @@ function arrayContains() {
 
     # Element not found
     return 0
+}
+
+#
+#   Function that makes sure, that script runs only once
+#   @param $1 ID
+#
+function run_once() {
+    if [ -f "$1" ]; then # Check if file (as flag) exists
+        exit 0
+    fi
+    touch $1 # Create flag
+    chown abc:abc $1 # Change permission
 }

root/defaults/example/README.md

@@ -35,12 +35,37 @@ config
         Readme.md # Info about example, what to configure
 ```
 
+### Hooks
+
+- start hook file with
+
+    ``` bash
+    #!/usr/bin/with-contenv bash
+
+    source /app/lib/settings
+    source /app/lib/utils
+    ```
+
+- if hooks call any **firewall** related commands add after above code and before any commands
+
+    ``` bash
+    # Check if firewall rules are disabled
+    useFW
+    if [ $? -eq 0 ]; then
+        # Don't use fw rules
+        exit 0
+    fi
+    ```
+
+- also check the examples how persistent interface is handled, so you don't create iptables mess (running init, up script once, never call down, finish)
+
 ### Notes
 
 - **DO NOT** use `dev` attribute, because it is set to static interface `tun0`.
 - **DO NOT** use any script running directives, because they are probably already set in `system.conf` (except `auth-user-pass-verify` is commented out), but use hooks directory.
 - **DO NOT** use log directives, because they are already set for `log` directory.
 - Please name your hooks as `<number>-<name>` to ensure order of execution.
+- If your hooks need access to container environment variables add `#!/usr/bin/with-contenv bash` at the top of the file.
 
 ### Wizard
 
@@ -49,7 +74,7 @@ User will call `ovpn_enconf CONFIG_NAME [wizard args]` to load your example in s
 
 Then there are two options:
 
-1. User manualy configure settigns in `/config/openvpn` folder
+1. User manualy configure settings in `/config/openvpn` folder
 2. Your **wizard** script, configures files which will be copied to `/config/openvpn`
     - Configuration files are copied to temporary location (so they can be modified)
     - `wizard` script will be called with temporary location as first argument `$1` (folder has same structure as in examples)
@@ -69,4 +94,4 @@ Hooks are located in `hook` directory. Please follow hook guidelines:
     - What this hook does
     - Setttings with comments and an example settings values
 
-**Note:** All hooks run as non-root user so instead of using `ip` and `iptables` use `ovpn-ip` and `ovpn-iptables`.
+**Note:** All hooks run as non-root user so instead of using `ip` and `iptables` use `ovpn-ip`, `ovpn-iptables`, `ovpn-ip6tables` (see [/root/usr/local/sbin](/usr/local/sbin)).

root/defaults/example/config/basic_nat/hooks/down/10-network.sh

@@ -1,8 +1,25 @@
-#!/bin/bash
+#!/usr/bin/with-contenv bash
+
+source /app/lib/settings
+source /app/lib/utils
+
+# Check if firewall rules are disabled
+useFW
+if [ $? -eq 0 ]; then
+    # Don't use fw rules
+    exit 0
+fi
+
+# Don't run if interface persistent
+intPersistant
+if [ $? -eq 1 ]; then
+    exit 0
+fi
 
 #
 #   Network clear
 #
+echo "Clearing OpenVPN releated firewall rules"
 
 # Close OpenVPN port to outside
 ovpn-iptables -D INPUT -p udp -m udp --dport $PORT -j ACCEPT -m comment --comment "Open OpenVPN port"

root/defaults/example/config/basic_nat/hooks/finish/10-network.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/with-contenv bash
+
+source /app/lib/settings
+source /app/lib/utils
+
+# Check if firewall rules are disabled
+useFW
+if [ $? -eq 0 ]; then
+    # Don't use fw rules
+    exit 0
+fi
+
+# Don't run if interface persistent
+intPersistant
+if [ $? -eq 1 ]; then
+    exit 0
+fi
+
+#
+#   Network clear
+#
+echo "Clearing up basic firewall rules"
+
+# Accept everything from input
+ovpn-iptables -P INPUT ACCEPT
+
+# Delete: Allow established connection 
+ovpn-iptables -D INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Accept traffic from established connections"
+
+# Delete: Allow ICMP ping request
+ovpn-iptables -D INPUT -p icmp --icmp-type 8 -j ACCEPT
+
+# Accept all forwarded traffic
+ovpn-iptables -P FORWARD ACCEPT

root/defaults/example/config/basic_nat/hooks/init/10-network.sh

@@ -1,8 +1,25 @@
-#!/bin/bash
+#!/usr/bin/with-contenv bash
+
+source /app/lib/settings
+source /app/lib/utils
+
+# Check if firewall rules are disabled
+useFW
+if [ $? -eq 0 ]; then
+    # Don't use fw rules
+    exit 0
+fi
+
+# Run only once if interface persistent
+intPersistant
+if [ $? -eq 1 ]; then
+    run_once "/config/hooks/init/10-network"
+fi
 
 #
 #   Network initialization
 #
+echo "Setting up basic firewall rules"
 
 #
 # Because default iptables rules are set to ACCEPT all connection, we need to put some

root/defaults/example/config/basic_nat/hooks/up/10-network.sh

@@ -1,8 +1,25 @@
-#!/bin/bash
+#!/usr/bin/with-contenv bash
+
+source /app/lib/settings
+source /app/lib/utils
+
+# Check if firewall rules are disabled
+useFW
+if [ $? -eq 0 ]; then
+    # Don't use fw rules
+    exit 0
+fi
+
+# Run only once if interface persistent
+intPersistant
+if [ $? -eq 1 ]; then
+    run_once "/config/hooks/up/10-network"
+fi
 
 #
 #   Network initialization
 #
+echo "Setting up OpenVPN related firewall rules"
 
 # Open OpenVPN port to outside
 ovpn-iptables -A INPUT -p udp -m udp --dport $PORT -j ACCEPT -m comment --comment "Open OpenVPN port"

root/defaults/example/config/basic_nat_wlp/hooks/down/10-network.sh

@@ -1,8 +1,25 @@
-#!/bin/bash
+#!/usr/bin/with-contenv bash
+
+source /app/lib/settings
+source /app/lib/utils
+
+# Check if firewall rules are disabled
+useFW
+if [ $? -eq 0 ]; then
+    # Don't use fw rules
+    exit 0
+fi
+
+# Don't run if interface persistent
+intPersistant
+if [ $? -eq 1 ]; then
+    exit 0
+fi
 
 #
 #   Network clear
 #
+echo "Clearing OpenVPN releated firewall rules"
 
 # Close OpenVPN port to outside
 ovpn-iptables -D INPUT -p udp -m udp --dport $PORT -j ACCEPT -m comment --comment "Open OpenVPN port"