From 6d9743a262d21e0f9e67eb20bfa6bccfc2e64252 Mon Sep 17 00:00:00 2001 From: Tomohisa Kusano Date: Fri, 20 Apr 2018 15:13:19 -0700 Subject: [PATCH 1/2] FEAT(all): initial VPNCMD_* envs support --- copyables/entrypoint.sh | 74 ++++++++++++++++++++++++++++++----------- 1 file changed, 55 insertions(+), 19 deletions(-) diff --git a/copyables/entrypoint.sh b/copyables/entrypoint.sh index 69aed251..b7d09973 100644 --- a/copyables/entrypoint.sh +++ b/copyables/entrypoint.sh @@ -8,6 +8,17 @@ if [ "$*" == "gencert" ]; then fi +# check if iptables works (just warns) +set +e +iptables -L 2>/dev/null > /dev/null +if [[ $? -ne 0 ]] +then + echo '# [!!] This image requires --cap-add NET_ADMIN' + sleep 7 + # exit -1 +fi +set -e + if [ ! -f /usr/vpnserver/vpn_server.config ]; then : ${PSK:='notasecret'} 
@@ -32,40 +43,50 @@ else fi fi -: ${MTU:='1500'} -echo "# SecureNat MTU set to $MTU" - printf '# ' printf '=%.0s' {1..24} echo +vpncmd_server () { + /usr/bin/vpncmd localhost /SERVER /CSV /CMD "$@" +} + +vpncmd_hub () { + /usr/bin/vpncmd localhost /SERVER /CSV /HUB:DEFAULT /CMD "$@" +} + /usr/bin/vpnserver start 2>&1 > /dev/null # while-loop to wait until server comes up # switch cipher while : ; do set +e - /usr/bin/vpncmd localhost /SERVER /CSV /CMD ServerCipherSet DHE-RSA-AES256-SHA 2>&1 > /dev/null + vpncmd_server ServerCipherSet DHE-RSA-AES256-SHA 2>&1 > /dev/null [[ $? -eq 0 ]] && break set -e sleep 1 done # About command to grab version number -/usr/bin/vpncmd localhost /SERVER /CSV /CMD About | head -2 | tail -1 | sed 's/^/# /;' +# /usr/bin/vpncmd localhost /SERVER /CSV /CMD About | head -2 | tail -1 | sed 's/^/# /;' +vpncmd_server About | head -2 | tail -1 | sed 's/^/# /;' # enable L2TP_IPsec -/usr/bin/vpncmd localhost /SERVER /CSV /CMD IPsecEnable /L2TP:yes /L2TPRAW:yes /ETHERIP:no /PSK:${PSK} /DEFAULTHUB:DEFAULT +vpncmd_server IPsecEnable /L2TP:yes /L2TPRAW:yes /ETHERIP:no /PSK:${PSK} /DEFAULTHUB:DEFAULT # enable SecureNAT -/usr/bin/vpncmd localhost /SERVER /CSV /HUB:DEFAULT /CMD SecureNatEnable -/usr/bin/vpncmd localhost /SERVER /CSV /HUB:DEFAULT /CMD NatSet /MTU:$MTU /LOG:no /TCPTIMEOUT:3600 /UDPTIMEOUT:1800 +vpncmd_hub SecureNatEnable + +# set MTU +: ${MTU:='1500'} +vpncmd_hub NatSet /MTU:$MTU /LOG:no /TCPTIMEOUT:3600 /UDPTIMEOUT:1800 + # enable OpenVPN -/usr/bin/vpncmd localhost /SERVER /CSV /CMD OpenVpnEnable yes /PORTS:1194 +vpncmd_server OpenVpnEnable yes /PORTS:1194 # set server certificate & key if [[ -f server.crt && -f server.key ]]; then - /usr/bin/vpncmd localhost /SERVER /CSV /CMD ServerCertSet /LOADCERT:server.crt /LOADKEY:server.key + vpncmd_server ServerCertSet /LOADCERT:server.crt /LOADKEY:server.key elif [[ "*${CERT}*" != "**" && "*${KEY}*" != "**" ]]; then # server cert/key pair specified via -e 
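Review bot: `/PSK:${PSK}` on the new `vpncmd_server IPsecEnable …` line is still unquoted, so a pre-shared key containing whitespace or glob characters is word-split or expanded by the shell before it reaches vpncmd and a different PSK than the one supplied gets configured; write it as `vpncmd_server IPsecEnable /L2TP:yes /L2TPRAW:yes /ETHERIP:no "/PSK:${PSK}" /DEFAULTHUB:DEFAULT`, and likewise `"/MTU:$MTU"` on the new NatSet line. The old `About` invocation is kept as a commented-out line directly above its `vpncmd_server About` replacement; it is dead text now that the wrapper exists and can be dropped. The `vpncmd_server`/`vpncmd_hub` wrappers forward `"$@"` correctly, so quoting at the call sites is all that is needed.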
@@ -79,12 +100,12 @@ elif [[ "*${CERT}*" != "**" && "*${KEY}*" != "**" ]]; then echo ${KEY} | fold -w 64 >> server.key echo -----END PRIVATE KEY----- >> server.key - /usr/bin/vpncmd localhost /SERVER /CSV /CMD ServerCertSet /LOADCERT:server.crt /LOADKEY:server.key + vpncmd_server ServerCertSet /LOADCERT:server.crt /LOADKEY:server.key rm server.crt server.key export KEY='**' fi -/usr/bin/vpncmd localhost /SERVER /CSV /CMD OpenVpnMakeConfig openvpn.zip 2>&1 > /dev/null +vpncmd_server OpenVpnMakeConfig openvpn.zip 2>&1 > /dev/null # extract .ovpn config unzip -p openvpn.zip *_l3.ovpn > softether.ovpn @@ -94,15 +115,15 @@ sed -i '/^#/d;s/\r//;/^$/d' softether.ovpn cat softether.ovpn # disable extra logs -/usr/bin/vpncmd localhost /SERVER /CSV /HUB:DEFAULT /CMD LogDisable packet -/usr/bin/vpncmd localhost /SERVER /CSV /HUB:DEFAULT /CMD LogDisable security +vpncmd_hub LogDisable packet +vpncmd_hub LogDisable security # add user adduser () { printf " $1" - /usr/bin/vpncmd localhost /SERVER /HUB:DEFAULT /CSV /CMD UserCreate $1 /GROUP:none /REALNAME:none /NOTE:none - /usr/bin/vpncmd localhost /SERVER /HUB:DEFAULT /CSV /CMD UserPasswordSet $1 /PASSWORD:$2 + vpncmd_hub UserCreate $1 /GROUP:none /REALNAME:none /NOTE:none + vpncmd_hub UserPasswordSet $1 /PASSWORD:$2 } printf '# Creating user(s):' 
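Review bot: In `adduser` (second hunk on this line, `@@ -94,15 +115,15 @@`), the rewritten `vpncmd_hub UserCreate $1 …` and `vpncmd_hub UserPasswordSet $1 /PASSWORD:$2` lines leave the user name and password unquoted, so a password containing spaces, `*` or `?` is split or glob-expanded by the shell and the account ends up with a different password (or extra arguments) than the one supplied; change them to `vpncmd_hub UserCreate "$1" /GROUP:none /REALNAME:none /NOTE:none` and `vpncmd_hub UserPasswordSet "$1" "/PASSWORD:$2"`. The `printf " $1"` above them uses the user name as the format string; `printf ' %s' "$1"` avoids misprinting names that contain `%` or a backslash.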
@@ -125,19 +146,34 @@ echo export USERS='**' export PASSWORD='**' +# handle VPNCMD_* commands right before setting admin passwords +if [[ $VPNCMD_SERVER ]] +then + while IFS=";" read -ra CMD; do + vpncmd_server "$CMD" + done <<< "$VPNCMD_SERVER" +fi + +if [[ $VPNCMD_HUB ]] +then + while IFS=";" read -ra CMD; do + vpncmd_hub "$CMD" + done <<< "$VPNCMD_HUB" +fi + # set password for hub : ${HPW:=$(cat /dev/urandom | tr -dc 'A-Za-z0-9' | fold -w 16 | head -n 1)} -/usr/bin/vpncmd localhost /SERVER /HUB:DEFAULT /CSV /CMD SetHubPassword ${HPW} +vpncmd_hub SetHubPassword ${HPW} # set password for server : ${SPW:=$(cat /dev/urandom | tr -dc 'A-Za-z0-9' | fold -w 20 | head -n 1)} -/usr/bin/vpncmd localhost /SERVER /CSV /CMD ServerPasswordSet ${SPW} +vpncmd_server ServerPasswordSet ${SPW} /usr/bin/vpnserver stop 2>&1 > /dev/null # while-loop to wait until server goes away set +e -while [[ $(pidof vpnserver) ]] > /dev/null; do sleep 1; done +while [[ $(pidof vpnserver) ]] > /dev/null; do sleep 1; done set -e echo \# [initial setup OK] From daccb130f908849048743e6763c0020ddb3a5ca2 Mon Sep 17 00:00:00 2001 From: Tomohisa Kusano Date: Fri, 20 Apr 2018 15:54:33 -0700 Subject: [PATCH 2/2] DOCS(all): Management Commands section Fixes #41, #49 --- README.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 6febe5d2..8b7a0006 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ ## Image Tags Base OS Image | Latest Stable ([v4.25-9656-rtm](https://github.com/SoftEtherVPN/SoftEtherVPN_Stable/tree/v4.25-9656-rtm)) ------------- | -- -`centos:7` | **`:latest`**, `:9656`, `4.25`, `:centos`, `:9656-centos`, `4.25-centos` +`centos:7` | **`:latest`**, `:9656`, `:4.25`, `:centos`, `:9656-centos`, `4.25-centos` `debian:9-slim` | `:debian`, `:9656-debian`, `:4.25-debian` `alpine:3.7` | `:alpine`, `:9656-alpine`, `:4.25-alpine` 
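Review bot: The new `VPNCMD_SERVER`/`VPNCMD_HUB` loops run only the first `;`-separated command: `read -ra CMD` splits each line into the array `CMD`, but `vpncmd_server "$CMD"` expands just `${CMD[0]}`, so with `VPNCMD_HUB='NatSet /MTU:1500;LogDisable packet'` the second command is silently dropped, contrary to the `;`-separated contract the README describes. Iterate over the array instead, as below; the same fix applies to both loops. Each command is then still handed to `/CMD` as a single argument, and whether vpncmd itself splits `NatSet /MTU:1500` into command and parameters is not visible here and is worth confirming. Under the script's `set -e` a failing command aborts the setup without indicating which one ran, so printing each command before the call would make that diagnosable.
```shell
# handle VPNCMD_* commands right before setting admin passwords
if [[ $VPNCMD_SERVER ]]; then
  while IFS=";" read -ra cmds; do
    for cmd in "${cmds[@]}"; do
      vpncmd_server "$cmd"
    done
  done <<< "$VPNCMD_SERVER"
fi

if [[ $VPNCMD_HUB ]]; then
  while IFS=";" read -ra cmds; do
    for cmd in "${cmds[@]}"; do
      vpncmd_hub "$cmd"
    done
  done <<< "$VPNCMD_HUB"
fi
# … unchanged: hub/server password setup, vpnserver stop …
```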
@@ -57,6 +57,17 @@ Dots (.) are part of the password. Password will not be logged if specified via If you specify credentials using environment variables (`-e`), they may be revealed via the process list on host (ex. `ps(1)` command) or `docker inspect` command. It is recommended to mount an already-configured SoftEther VPN config file at `/opt/vpn_server.config`, which contains hashed passwords rather than raw ones. The initial setup will be skipped if this file exists at runtime (in entrypoint script). You can obtain this file from a running container using [`docker cp` command](https://docs.docker.com/engine/reference/commandline/cp/). +## Server & Hub Management Commands ## + +Management commands can be executed just before the server & hub admin passwords are set via: +- `-e VPNCMD_SERVER`: `;`-separated [Server management commands](https://www.softether.org/4-docs/1-manual/6._Command_Line_Management_Utility_Manual/6.3_VPN_Server_%2F%2F_VPN_Bridge_Management_Command_Reference_(For_Entire_Server)). +- `-e VPNCMD_HUB`: `;`-separated [Hub management commands](https://www.softether.org/4-docs/1-manual/6._Command_Line_Management_Utility_Manual/6.4_VPN_Server_%2F%2F_VPN_Bridge_Management_Command_Reference_(For_Virtual_Hub)) (currently only for `DEFAULT` hub). + +Example: Set MTU via [`NatSet`](https://www.softether.org/4-docs/1-manual/6._Command_Line_Management_Utility_Manual/6.4_VPN_Server_%2F%2F_VPN_Bridge_Management_Command_Reference_(For_Virtual_Hub)#6.4.97_.22NatSet.22:_Change_Virtual_NAT_Function_Setting_of_SecureNAT_Function) Hub management command: +`-e VPNCMD_HUB='NatSet /MTU:1500'` + +Note that commands run only if the config file is not mounted. Some commands (like `ServerPasswordSet`) will cause problems. + ## OpenVPN ## `docker run -d --cap-add NET_ADMIN -p 1194:1194/udp siomiz/softethervpn`