From ea8b231d37efb19b2b2bf268efeca1280b32a8d2 Mon Sep 17 00:00:00 2001 From: Chris Yuen Date: Sat, 27 Feb 2016 00:48:30 +0800 Subject: [PATCH 01/11] Support directory style OpenVPN configs --- Dockerfile | 11 +++++------ sockd.sh | 6 +++--- 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/Dockerfile b/Dockerfile index 05f4d72..2356ac2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,13 +6,13 @@ # Note that the config must have embedded certs # See `start` in same repo for more ideas -FROM alpine:edge +FROM alpine ADD sockd.sh /usr/local/bin/ RUN true \ && echo "http://dl-4.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \ - && apk add --update-cache dante-server openvpn \ + && apk add --update-cache dante-server openvpn bash openresolv openrc \ && rm -rf /var/cache/apk/* \ && chmod a+x /usr/local/bin/sockd.sh \ && true @@ -20,7 +20,6 @@ RUN true \ ADD sockd.conf /etc/ ENTRYPOINT [ \ - "openvpn", \ - "--up", "/usr/local/bin/sockd.sh", \ - "--script-security", "2", \ - "--config", "/ovpn.conf"] + "/bin/bash", "-c", \ + "cd /etc/openvpn && /usr/sbin/openvpn --config *.conf --up /usr/local/bin/sockd.sh" \ + ] diff --git a/sockd.sh b/sockd.sh index c33a690..8021a64 100644 --- a/sockd.sh +++ b/sockd.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash set -e -/etc/openvpn/up.sh "$@" -exec /usr/sbin/sockd -D +[ -f /etc/openvpn/up.sh ] && /etc/openvpn/up.sh "$@" +/usr/sbin/sockd -D From 5a41dc9d1af069550dc5b4e0aaeb12ba001f1dee Mon Sep 17 00:00:00 2001 From: Chris Yuen Date: Sat, 27 Feb 2016 00:52:18 +0800 Subject: [PATCH 02/11] Stack MIT license --- LICENSE | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/LICENSE b/LICENSE index 6be61f8..9ae428b 100644 --- a/LICENSE +++ b/LICENSE 
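Review bot: `FROM alpine` in the first Dockerfile hunk is untagged, so each build resolves to whatever `latest` is at that moment, while the `echo` line kept below it still appends the `edge/testing` repository over plain `http://` onto what is now a stable base. Mixing a stable base with edge packages makes the installed `dante-server` and `openvpn` builds unpredictable and hard to audit. Pin the base, e.g. `FROM alpine:<pinned-version>` (placeholder), and scope the extra repository to the package that needs it (presumably `dante-server`) with `apk add --repository <url> dante-server`. `apk add --no-cache` would also replace the `--update-cache` plus `rm -rf /var/cache/apk/*` pair.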
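Review bot: The new ENTRYPOINT hands an unquoted `*.conf` glob to `--config`, so a mounted directory with more than one `.conf` file passes the extra names to openvpn as stray arguments, and a directory with none passes the literal `*.conf`. The hunk also drops `--script-security 2`; at OpenVPN's default level the `--up` hook is likely refused, and patch 07/11 in this series restores the flag. Resolve the file explicitly and start the daemon with `exec` so it replaces the shell and receives the container's stop signal directly, e.g. `cd /etc/openvpn && set -- *.conf && [ "$#" -eq 1 ] && exec /usr/sbin/openvpn --config "$1" --up /usr/local/bin/sockd.sh`.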
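Review bot: `[ -f /etc/openvpn/up.sh ]` in sockd.sh only checks that the file exists, and the script it guards comes from the user-mounted configuration directory and runs with the privileges of the OpenVPN process. A file that is present but not executable makes the call fail, and under `set -e` that aborts the hook before `sockd` is started. Add a comment stating the contract, e.g. `# optional user hook from the mounted config dir; must be executable and trusted, a failure here aborts the tunnel`, or test with `-x` if a non-executable file is meant to be skipped. With `exec` removed and `sockd -D` detaching, nothing supervises the proxy afterwards, which is worth a line in the same comment.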
@@ -1,5 +1,29 @@ The MIT License (MIT) +Copyright (c) 2016 Chris Yuen + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + +=== + +The MIT License (MIT) + Copyright (c) 2016 Mook Permission is hereby granted, free of charge, to any person obtaining a copy From 09acbed908bdc6d9fb3b3c0a950821299f0b2db6 Mon Sep 17 00:00:00 2001 From: Chris Yuen Date: Sat, 27 Feb 2016 00:57:43 +0800 Subject: [PATCH 03/11] New start command --- start | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/start b/start index 7bcad26..fcee6bf 100755 --- a/start +++ b/start @@ -7,5 +7,5 @@ exec docker run \ --device=/dev/net/tun \ --cap-add=NET_ADMIN \ --publish 127.0.0.1:1081:1080 \ - --volume "$(realpath "$1"):/ovpn.conf:ro" \ - mook/openvpn-client-socks + --volume "$(realpath "$1"):/etc/openvpn/:ro" \ + kizzx2/openvpn-client-socks From 10e392479d48d787f6e8fbaa0b7d39ad26e8f1be Mon Sep 17 00:00:00 2001 
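Review bot: The mount source is now expected to be a directory, but `start` still passes `$1` straight to `realpath` without checking it. An empty argument, or the single `.ovpn` file that the previous usage accepted, produces a mount that the image's `cd /etc/openvpn` and `*.conf` lookup cannot use. A guard before `exec docker run`, such as `[ -d "$1" ] || { echo "usage: $0 <openvpn-config-dir>" >&2; exit 1; }`, would fail early with a clear message. The image reference `kizzx2/openvpn-client-socks` is also untagged; since the container is given `NET_ADMIN`, the tun device and the VPN key material, consider pinning a tag or digest. The top of the script lies outside the hunk.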
From: Chris Yuen Date: Sat, 27 Feb 2016 00:57:49 +0800 Subject: [PATCH 04/11] Updated README for usage --- README.md | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 607f8fd..d5dcad6 100644 --- a/README.md +++ b/README.md @@ -4,23 +4,21 @@ This is a docker image of an OpenVPN client tied to a SOCKS proxy server. It is useful to isolate network changes (so the host is not affected by the modified routing). +This supports directory style (where the certificates are not bundled together in one `.ovpn` file) and those that contains `update-resolv-conf` + ## Usage Preferably, using `start` in this repository: ```bash -start client_config.ovpn +start /your/openvpn/directory ``` +`/your/openvpn/directory` should contain *one* OpenVPN `.conf` file. It can reference other certificate files or key files in the same directory. + Alternatively, using `docker run` directly: ```bash -docker run -t -i --device=/dev/net/tun --cap-add=NET_ADMIN \ - --volume client_config.ovpn:/ovpn.conf:ro \ - mook/openvpn-client-socks +docker run -it --device=/dev/net/tun --cap-add=NET_ADMIN \ + --volume /your/openvpn/directory/:/etc/openvpn/:ro \ + kizzx2/openvpn-client-socks ``` - -### OpenVPN Configuration Constraints - -- The configuration file must have embedded certificates; references to other - files are not allowed. -- The configuration file must use `dev tun0`. From 7521212b9ee922a92b6f252e305e6c728309fec5 Mon Sep 17 00:00:00 2001 From: Chris Yuen Date: Sun, 12 Jun 2016 17:39:32 +0800 Subject: [PATCH 05/11] Updated better command line and README --- README.md | 11 +++++++++-- start | 1 + 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index d5dcad6..7a3e8ee 100644 --- a/README.md +++ b/README.md 
@@ -18,7 +18,14 @@ start /your/openvpn/directory Alternatively, using `docker run` directly: ```bash -docker run -it --device=/dev/net/tun --cap-add=NET_ADMIN \ - --volume /your/openvpn/directory/:/etc/openvpn/:ro \ +docker run -it --rm --device=/dev/net/tun --cap-add=NET_ADMIN \ + --name openvpn-client \ + --volume /your/openvpn/directory/:/etc/openvpn/:ro -p 1081:1080 \ kizzx2/openvpn-client-socks ``` + +Then connect to SOCKS proxy through through `local.docker:1081`. For example: + +```bash +curl --proxy socks5://local.docker:1081 ipinfo.io +``` diff --git a/start b/start index fcee6bf..4dd4ac4 100755 --- a/start +++ b/start @@ -5,6 +5,7 @@ exec docker run \ --tty \ --interactive \ --device=/dev/net/tun \ + --name=openvpn-client \ --cap-add=NET_ADMIN \ --publish 127.0.0.1:1081:1080 \ --volume "$(realpath "$1"):/etc/openvpn/:ro" \ From 226f0ccbc44b8114735efb71765db521ac127b9a Mon Sep 17 00:00:00 2001 From: Chris Yuen Date: Thu, 26 Oct 2017 20:49:53 +0800 Subject: [PATCH 06/11] Fix `RTNETLINK answers: Permission denied` error Ref: https://github.com/dperson/openvpn-client/issues/75 --- start | 1 + 1 file changed, 1 insertion(+) diff --git a/start b/start index 4dd4ac4..cfd2268 100755 --- a/start +++ b/start @@ -9,4 +9,5 @@ exec docker run \ --cap-add=NET_ADMIN \ --publish 127.0.0.1:1081:1080 \ --volume "$(realpath "$1"):/etc/openvpn/:ro" \ + --sysctl net.ipv6.conf.all.disable_ipv6=0 \ kizzx2/openvpn-client-socks From 0716e4877e810aeb33dbe57115c13fc1bd983f3b Mon Sep 17 00:00:00 2001 From: Chris Yuen Date: Mon, 1 Jan 2018 00:09:09 +0800 Subject: [PATCH 07/11] Add `--script-security 2` flag --- Dockerfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 2356ac2..4e92f8d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,7 +8,7 @@ FROM alpine -ADD sockd.sh /usr/local/bin/ +COPY sockd.sh /usr/local/bin/ RUN true \ && echo "http://dl-4.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \ 
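Review bot: The `--sysctl net.ipv6.conf.all.disable_ipv6=0` line added to `start` in patch 06 has no explanation in the script, and it changes the container's network posture by turning IPv6 on in its namespace. Put a comment above `exec docker run` recording why it is there, e.g. `# enable IPv6 in the container to avoid "RTNETLINK answers: Permission denied" (dperson/openvpn-client issue 75)`, so a later reader neither removes it blindly nor overlooks that it is on. If the VPN profile does not carry IPv6, it is worth confirming that no IPv6 route exists outside the tunnel; that cannot be judged from this hunk.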
@@ -17,9 +17,9 @@ RUN true \ && chmod a+x /usr/local/bin/sockd.sh \ && true -ADD sockd.conf /etc/ +COPY sockd.conf /etc/ ENTRYPOINT [ \ "/bin/bash", "-c", \ - "cd /etc/openvpn && /usr/sbin/openvpn --config *.conf --up /usr/local/bin/sockd.sh" \ + "cd /etc/openvpn && /usr/sbin/openvpn --config *.conf --script-security 2 --up /usr/local/bin/sockd.sh" \ ] From 12e3dae9440eb5e855f02e4c314c285e95159cb9 Mon Sep 17 00:00:00 2001 From: Chris Yuen Date: Tue, 8 Oct 2019 23:18:12 +0800 Subject: [PATCH 08/11] fix(doc) --- README.md | 12 +++++++++--- start | 4 ++-- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 7a3e8ee..aff0c0a 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,12 @@ routing). This supports directory style (where the certificates are not bundled together in one `.ovpn` file) and those that contains `update-resolv-conf` +(For the same thing in WireGuard, see [kizzx2/docker-wireguard-socks-proxy](https://github.com/kizzx2/docker-wireguard-socks-proxy)) + +## Why? + +This is arguably the easiest way to achieve "app based" routing. For example, you may only want certain applications to go through your WireGuard tunnel while the rest of your system should go through the default gateway. You can also achieve "domain name based" routing by using a [PAC file](https://developer.mozilla.org/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling/Proxy_Auto-Configuration_(PAC)_file) that most browsers support. + ## Usage Preferably, using `start` in this repository: 
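Review bot: `--script-security 2` in the ENTRYPOINT string lets OpenVPN run any script named by the configuration, not only the `--up /usr/local/bin/sockd.sh` given on the command line, and the configuration comes from the user-mounted `/etc/openvpn` directory. The flag is needed for the hook, but it means a `.conf` from an untrusted source can execute commands in a container that holds `NET_ADMIN` per the `start` script. Add a comment above ENTRYPOINT saying so, e.g. `# --script-security 2 is required for --up; only mount OpenVPN configs you trust, their script directives are executed`.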
@@ -20,12 +26,12 @@ Alternatively, using `docker run` directly: ```bash docker run -it --rm --device=/dev/net/tun --cap-add=NET_ADMIN \ --name openvpn-client \ - --volume /your/openvpn/directory/:/etc/openvpn/:ro -p 1081:1080 \ + --volume /your/openvpn/directory/:/etc/openvpn/:ro -p 1080:1080 \ kizzx2/openvpn-client-socks ``` -Then connect to SOCKS proxy through through `local.docker:1081`. For example: +Then connect to SOCKS proxy through through `localhost:1080` / `local.docker:1080`. For example: ```bash -curl --proxy socks5://local.docker:1081 ipinfo.io +curl --proxy socks5h://local.docker:1080 ipinfo.io ``` diff --git a/start b/start index cfd2268..b3cfa06 100755 --- a/start +++ b/start @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/sh exec docker run \ --rm \ @@ -7,7 +7,7 @@ exec docker run \ --device=/dev/net/tun \ --name=openvpn-client \ --cap-add=NET_ADMIN \ - --publish 127.0.0.1:1081:1080 \ + --publish 127.0.0.1:1080:1080 \ --volume "$(realpath "$1"):/etc/openvpn/:ro" \ --sysctl net.ipv6.conf.all.disable_ipv6=0 \ kizzx2/openvpn-client-socks From 4ac1f668c067db53a11df09ca33c3338c9f4e78b Mon Sep 17 00:00:00 2001 From: Chris Yuen Date: Tue, 8 Oct 2019 23:19:29 +0800 Subject: [PATCH 09/11] doc: add reference to http-proxy-to-socks --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index aff0c0a..5d14e9a 100644 --- a/README.md +++ b/README.md @@ -35,3 +35,9 @@ Then connect to SOCKS proxy through through `localhost:1080` / `local.docker:108 ```bash curl --proxy socks5h://local.docker:1080 ipinfo.io ``` + +## HTTP Proxy + +You can easily convert this to an HTTP proxy using [http-proxy-to-socks](https://github.com/oyyd/http-proxy-to-socks), e.g. + +hpts -s 127.0.0.1:1080 -p 8080 From fb722dd5222e14f2af76c429869d02c2753b4910 Mon Sep 17 00:00:00 2001 From: Chris Yuen Date: Sun, 27 Sep 2020 22:59:37 +0800 Subject: [PATCH 10/11] refactor: install dante-server from main alpine repo --- Dockerfile | 1 - 1 file changed, 1 deletion(-) 
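Review bot: `--publish 127.0.0.1:1080:1080` in `start` keeps the proxy on loopback, but the `docker run` example changed in the README by this same commit uses `-p 1080:1080`, which publishes the port on all host interfaces. Whether the SOCKS server requires authentication depends on `sockd.conf`, which is not shown here; if it does not, any host that can reach the machine could send traffic through the tunnel. Make the README example match this script: `-p 127.0.0.1:1080:1080`.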
diff --git a/Dockerfile b/Dockerfile index 4e92f8d..874f5a2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -11,7 +11,6 @@ FROM alpine COPY sockd.sh /usr/local/bin/ RUN true \ - && echo "http://dl-4.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \ && apk add --update-cache dante-server openvpn bash openresolv openrc \ && rm -rf /var/cache/apk/* \ && chmod a+x /usr/local/bin/sockd.sh \ From 7d2e94283514aae6ee2df907284f563dfb077fd1 Mon Sep 17 00:00:00 2001 From: Chris Yuen Date: Sun, 27 Mar 2022 23:10:13 +0800 Subject: [PATCH 11/11] doc: add solutions to common problems --- README.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/README.md b/README.md index 5d14e9a..7b8aff1 100644 --- a/README.md +++ b/README.md @@ -36,8 +36,20 @@ Then connect to SOCKS proxy through through `localhost:1080` / `local.docker:108 curl --proxy socks5h://local.docker:1080 ipinfo.io ``` +## Solutions to Common Problems + +### I'm getting `RTNETLINK answers: Permission denied` + +Try adding `--sysctl net.ipv6.conf.all.disable_ipv6=0` to your docker command + +### DNS doesn't work + +You can put a `update-resolv-conf` as your `up` script. One simple way is to put [this file](https://gist.github.com/Ikke/3829134) as `up.sh` inside your OpenVPN configuration directory. + ## HTTP Proxy You can easily convert this to an HTTP proxy using [http-proxy-to-socks](https://github.com/oyyd/http-proxy-to-socks), e.g. +```bash hpts -s 127.0.0.1:1080 -p 8080 +```