-
-
Notifications
You must be signed in to change notification settings - Fork 234
/
start.sh
executable file
路144 lines (114 loc) 路 3.3 KB
/
start.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
#!/bin/bash
source ./functions.sh
SHORT=rnqs
LONG="regenerate,noop,quit,skip"
OPTS=$(getopt -a -n dockovpn --options $SHORT --longoptions $LONG -- "$@")
if [[ $? -ne 0 ]] ; then
exit 1
fi
eval set -- "$OPTS"
while :
do
case "$1" in
-r | --regenerate)
REGENERATE="1"
shift;
;;
-n | --noop)
NOOP="1"
shift;
;;
-q | --quit)
QUIT="1"
shift;
;;
-s | --skip)
SKIP="1"
shift;
;;
--)
shift;
break
;;
*)
echo "Unexpected option: $1"
exit 1
;;
esac
done
ADAPTER="${NET_ADAPTER:=eth0}"
mkdir -p /dev/net
if [ ! -c /dev/net/tun ]; then
echo "$(datef) Creating tun/tap device."
mknod /dev/net/tun c 10 200
fi
# Replace variables in ovpn config file
sed -i 's/%HOST_TUN_PROTOCOL%/'"$HOST_TUN_PROTOCOL"'/g' /etc/openvpn/server.conf
# Allow ${HOST_TUN_PROTOCOL} traffic on port 1194.
iptables -A INPUT -i $ADAPTER -p ${HOST_TUN_PROTOCOL} -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT
iptables -A OUTPUT -o $ADAPTER -p ${HOST_TUN_PROTOCOL} -m state --state ESTABLISHED --sport 1194 -j ACCEPT
# Allow traffic on the TUN interface.
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
# Allow forwarding traffic only from the VPN.
iptables -A FORWARD -i tun0 -o $ADAPTER -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $ADAPTER -j MASQUERADE
cd "$APP_PERSIST_DIR"
LOCKFILE=.gen
# Regenerate certs only on the first start
if [ ! -f $LOCKFILE ]; then
IS_INITIAL="1"
test -d pki || REGENERATE="1"
if [[ -n $REGENERATE ]]; then
easyrsa --batch init-pki
easyrsa --batch gen-dh
# DH parameters of size 2048 created at /usr/share/easy-rsa/pki/dh.pem
# Copy DH file
cp pki/dh.pem /etc/openvpn
fi
easyrsa build-ca nopass << EOF
EOF
# CA creation complete and you may now import and sign cert requests.
# Your new CA certificate file for publishing is at:
# /opt/Dockovpn_data/pki/ca.crt
easyrsa gen-req MyReq nopass << EOF2
EOF2
# Keypair and certificate request completed. Your files are:
# req: /opt/Dockovpn_data/pki/reqs/MyReq.req
# key: /opt/Dockovpn_data/pki/private/MyReq.key
easyrsa sign-req server MyReq << EOF3
yes
EOF3
# Certificate created at: /opt/Dockovpn_data/pki/issued/MyReq.crt
openvpn --genkey --secret ta.key << EOF4
yes
EOF4
easyrsa --days=$CRL_DAYS gen-crl
touch $LOCKFILE
fi
# Copy server keys and certificates
cp pki/dh.pem pki/ca.crt pki/issued/MyReq.crt pki/private/MyReq.key pki/crl.pem ta.key /etc/openvpn
cd "$APP_INSTALL_PATH"
# Print app version
getVersionFull
if ! [[ -n $NOOP ]]; then
# Need to feed key password
openvpn --config /etc/openvpn/server.conf &
if [[ -n $IS_INITIAL ]]; then
# By some strange reason we need to do echo command to get to the next command
echo " "
if ! [[ -n $SKIP ]]; then
# Generate client config
generateClientConfig $@ &
else
echo "$(datef) SKIP is set: skipping client generation"
fi
else
echo "$(datef) Data exist: skipping client generation"
fi
fi
if ! [[ -n $QUIT ]]; then
tail -f /dev/null
fi