Merge pull request #51 from siomiz/vpncmd

VPNCMD_* envs support
siomiz · Apr 20, 2018 · f8917b1 · f8917b1
2 parents e16f764 + daccb13
commit f8917b1
Show file tree

Hide file tree

Showing 2 changed files with 67 additions and 20 deletions.
diff --git a/README.md b/README.md
@@ -7,7 +7,7 @@
 ## Image Tags
 Base OS Image | Latest Stable ([v4.25-9656-rtm](https://github.com/SoftEtherVPN/SoftEtherVPN_Stable/tree/v4.25-9656-rtm))
 ------------- | --
-`centos:7` | **`:latest`**, `:9656`, `4.25`, `:centos`, `:9656-centos`, `4.25-centos`
+`centos:7` | **`:latest`**, `:9656`, `:4.25`, `:centos`, `:9656-centos`, `4.25-centos`
 `debian:9-slim` | `:debian`, `:9656-debian`, `:4.25-debian`
 `alpine:3.7` | `:alpine`, `:9656-alpine`, `:4.25-alpine`
 
@@ -57,6 +57,17 @@ Dots (.) are part of the password. Password will not be logged if specified via
 
 If you specify credentials using environment variables (`-e`), they may be revealed via the process list on host (ex. `ps(1)` command) or `docker inspect` command. It is recommended to mount an already-configured SoftEther VPN config file at `/opt/vpn_server.config`, which contains hashed passwords rather than raw ones. The initial setup will be skipped if this file exists at runtime (in entrypoint script). You can obtain this file from a running container using [`docker cp` command](https://docs.docker.com/engine/reference/commandline/cp/).
 
+## Server & Hub Management Commands ##
+
+Management commands can be executed just before the server & hub admin passwords are set via:
+- `-e VPNCMD_SERVER`: `;`-separated [Server management commands](https://www.softether.org/4-docs/1-manual/6._Command_Line_Management_Utility_Manual/6.3_VPN_Server_%2F%2F_VPN_Bridge_Management_Command_Reference_(For_Entire_Server)).
+- `-e VPNCMD_HUB`: `;`-separated [Hub management commands](https://www.softether.org/4-docs/1-manual/6._Command_Line_Management_Utility_Manual/6.4_VPN_Server_%2F%2F_VPN_Bridge_Management_Command_Reference_(For_Virtual_Hub)) (currently only for `DEFAULT` hub).
+
+Example: Set MTU via [`NatSet`](https://www.softether.org/4-docs/1-manual/6._Command_Line_Management_Utility_Manual/6.4_VPN_Server_%2F%2F_VPN_Bridge_Management_Command_Reference_(For_Virtual_Hub)#6.4.97_.22NatSet.22:_Change_Virtual_NAT_Function_Setting_of_SecureNAT_Function) Hub management command:
+`-e VPNCMD_HUB='NatSet /MTU:1500'`
+
+Note that commands run only if the config file is not mounted. Some commands (like `ServerPasswordSet`) will cause problems.
+
 ## OpenVPN ##
 
 `docker run -d --cap-add NET_ADMIN -p 1194:1194/udp siomiz/softethervpn`

diff --git a/copyables/entrypoint.sh b/copyables/entrypoint.sh
@@ -8,6 +8,17 @@ if [ "$*" == "gencert" ]; then
 
 fi
 
+# check if iptables works (just warns)
+set +e
+iptables -L 2>/dev/null > /dev/null
+if [[ $? -ne 0 ]]
+then
+  echo '# [!!] This image requires --cap-add NET_ADMIN'
+  sleep 7
+  # exit -1
+fi
+set -e
+
 if [ ! -f /usr/vpnserver/vpn_server.config ]; then
 
 : ${PSK:='notasecret'}
@@ -32,40 +43,50 @@ else
   fi
 fi
 
-: ${MTU:='1500'}
-echo "# SecureNat MTU set to $MTU"
-
 printf '# '
 printf '=%.0s' {1..24}
 echo
 
+vpncmd_server () {
+  /usr/bin/vpncmd localhost /SERVER /CSV /CMD "$@"
+}
+
+vpncmd_hub () {
+  /usr/bin/vpncmd localhost /SERVER /CSV /HUB:DEFAULT /CMD "$@"
+}
+
 /usr/bin/vpnserver start 2>&1 > /dev/null
 
 # while-loop to wait until server comes up
 # switch cipher
 while : ; do
   set +e
-  /usr/bin/vpncmd localhost /SERVER /CSV /CMD ServerCipherSet DHE-RSA-AES256-SHA 2>&1 > /dev/null
+  vpncmd_server ServerCipherSet DHE-RSA-AES256-SHA 2>&1 > /dev/null
   [[ $? -eq 0 ]] && break
   set -e
   sleep 1
 done
 
 # About command to grab version number
-/usr/bin/vpncmd localhost /SERVER /CSV /CMD About | head -2 | tail -1 | sed 's/^/# /;'
+# /usr/bin/vpncmd localhost /SERVER /CSV /CMD About | head -2 | tail -1 | sed 's/^/# /;'
+vpncmd_server About | head -2 | tail -1 | sed 's/^/# /;'
 
 # enable L2TP_IPsec
-/usr/bin/vpncmd localhost /SERVER /CSV /CMD IPsecEnable /L2TP:yes /L2TPRAW:yes /ETHERIP:no /PSK:${PSK} /DEFAULTHUB:DEFAULT
+vpncmd_server IPsecEnable /L2TP:yes /L2TPRAW:yes /ETHERIP:no /PSK:${PSK} /DEFAULTHUB:DEFAULT
 
 # enable SecureNAT
-/usr/bin/vpncmd localhost /SERVER /CSV /HUB:DEFAULT /CMD SecureNatEnable
-/usr/bin/vpncmd localhost /SERVER /CSV /HUB:DEFAULT /CMD NatSet /MTU:$MTU /LOG:no /TCPTIMEOUT:3600 /UDPTIMEOUT:1800
+vpncmd_hub SecureNatEnable
+
+# set MTU
+: ${MTU:='1500'}
+vpncmd_hub NatSet /MTU:$MTU /LOG:no /TCPTIMEOUT:3600 /UDPTIMEOUT:1800
+
 # enable OpenVPN
-/usr/bin/vpncmd localhost /SERVER /CSV /CMD OpenVpnEnable yes /PORTS:1194
+vpncmd_server OpenVpnEnable yes /PORTS:1194
 
 # set server certificate & key
 if [[ -f server.crt && -f server.key ]]; then
-  /usr/bin/vpncmd localhost /SERVER /CSV /CMD ServerCertSet /LOADCERT:server.crt /LOADKEY:server.key
+  vpncmd_server ServerCertSet /LOADCERT:server.crt /LOADKEY:server.key
 
 elif [[ "*${CERT}*" != "**" && "*${KEY}*" != "**" ]]; then
   # server cert/key pair specified via -e
@@ -79,12 +100,12 @@ elif [[ "*${CERT}*" != "**" && "*${KEY}*" != "**" ]]; then
   echo ${KEY} | fold -w 64 >> server.key
   echo -----END PRIVATE KEY----- >> server.key
 
-  /usr/bin/vpncmd localhost /SERVER /CSV /CMD ServerCertSet /LOADCERT:server.crt /LOADKEY:server.key
+  vpncmd_server ServerCertSet /LOADCERT:server.crt /LOADKEY:server.key
   rm server.crt server.key
   export KEY='**'
 fi
 
-/usr/bin/vpncmd localhost /SERVER /CSV /CMD OpenVpnMakeConfig openvpn.zip 2>&1 > /dev/null
+vpncmd_server OpenVpnMakeConfig openvpn.zip 2>&1 > /dev/null
 
 # extract .ovpn config
 unzip -p openvpn.zip *_l3.ovpn > softether.ovpn
@@ -94,15 +115,15 @@ sed -i '/^#/d;s/\r//;/^$/d' softether.ovpn
 cat softether.ovpn
 
 # disable extra logs
-/usr/bin/vpncmd localhost /SERVER /CSV /HUB:DEFAULT /CMD LogDisable packet
-/usr/bin/vpncmd localhost /SERVER /CSV /HUB:DEFAULT /CMD LogDisable security
+vpncmd_hub LogDisable packet
+vpncmd_hub LogDisable security
 
 # add user
 
 adduser () {
     printf " $1"
-    /usr/bin/vpncmd localhost /SERVER /HUB:DEFAULT /CSV /CMD UserCreate $1 /GROUP:none /REALNAME:none /NOTE:none
-    /usr/bin/vpncmd localhost /SERVER /HUB:DEFAULT /CSV /CMD UserPasswordSet $1 /PASSWORD:$2
+    vpncmd_hub UserCreate $1 /GROUP:none /REALNAME:none /NOTE:none
+    vpncmd_hub UserPasswordSet $1 /PASSWORD:$2
 }
 
 printf '# Creating user(s):'
@@ -125,19 +146,34 @@ echo
 export USERS='**'
 export PASSWORD='**'
 
+# handle VPNCMD_* commands right before setting admin passwords
+if [[ $VPNCMD_SERVER ]]
+then
+  while IFS=";" read -ra CMD; do
+    vpncmd_server "$CMD"
+  done <<< "$VPNCMD_SERVER"
+fi
+
+if [[ $VPNCMD_HUB ]]
+then
+  while IFS=";" read -ra CMD; do
+    vpncmd_hub "$CMD"
+  done <<< "$VPNCMD_HUB"
+fi
+
 # set password for hub
 : ${HPW:=$(cat /dev/urandom | tr -dc 'A-Za-z0-9' | fold -w 16 | head -n 1)}
-/usr/bin/vpncmd localhost /SERVER /HUB:DEFAULT /CSV /CMD SetHubPassword ${HPW}
+vpncmd_hub SetHubPassword ${HPW}
 
 # set password for server
 : ${SPW:=$(cat /dev/urandom | tr -dc 'A-Za-z0-9' | fold -w 20 | head -n 1)}
-/usr/bin/vpncmd localhost /SERVER /CSV /CMD ServerPasswordSet ${SPW}
+vpncmd_server ServerPasswordSet ${SPW}
 
 /usr/bin/vpnserver stop 2>&1 > /dev/null
 
 # while-loop to wait until server goes away
 set +e
-while [[ $(pidof vpnserver)  ]] > /dev/null; do sleep 1; done
+while [[ $(pidof vpnserver) ]] > /dev/null; do sleep 1; done
 set -e
 
 echo \# [initial setup OK]