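#!/bin/bash
#
# Container entrypoint for the obfsvpn server image.
#
# On the first start (no ".gen" marker in APP_PERSIST_DIR) the script builds
# the OpenVPN PKI with easy-rsa, then on every start it installs the server
# key material into /etc/openvpn, launches openvpn and the obfs4 wrapper, and
# blocks forever so the container stays up.
#
# Required environment: APP_PERSIST_DIR, APP_INSTALL_PATH, PROTO, PORT.
# datef() and createConfig() are provided by ./functions.sh.

source ./functions.sh

# Fail fast on missing configuration instead of writing empty values into
# server.conf and the client profile.
: "${APP_PERSIST_DIR:?APP_PERSIST_DIR must be set}"
: "${APP_INSTALL_PATH:?APP_INSTALL_PATH must be set}"
: "${PROTO:?PROTO must be set}"
: "${PORT:?PORT must be set}"

#######################################
# Print a diagnostic to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
    printf '%s\n' "$*" >&2
    exit 1
}

#######################################
# Escape a value for the replacement side of a sed 's/.../.../' expression
# that uses '/' as delimiter, so '/', '&' and '\' in PROTO/PORT cannot
# alter the substitution.
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout
#######################################
sed_escape() {
    printf '%s' "$1" | sed -e 's/[\/&]/\\&/g'
}

#######################################
# Build the OpenVPN PKI from scratch with easy-rsa in the current directory.
# Stops at the first failing step so a half-built PKI is never reported as
# complete to the caller.
# Returns: 0 on success, 1 if any generation step fails
#######################################
generate_pki() {
    /usr/share/easy-rsa/easyrsa init-pki || return 1

    # DH parameters of size 2048 created at APP_PERSIST_DIR/pki
    /usr/share/easy-rsa/easyrsa gen-dh || return 1

    # Empty line accepts the default CA common name.
    /usr/share/easy-rsa/easyrsa build-ca nopass << EOF || return 1

EOF
    # CA creation complete and you may now import and sign cert requests.
    # Your new CA certificate file for publishing is at:
    # /opt/Dockovpn_data/pki/ca.crt

    /usr/share/easy-rsa/easyrsa gen-req MyReq nopass << EOF2 || return 1

EOF2
    # Keypair and certificate request completed. Your files are:
    # req: /opt/Dockovpn_data/pki/reqs/MyReq.req
    # key: /opt/Dockovpn_data/pki/private/MyReq.key

    /usr/share/easy-rsa/easyrsa sign-req server MyReq << EOF3 || return 1
yes
EOF3
    # Certificate created at: /opt/Dockovpn_data/pki/issued/MyReq.crt

    # TLS auth key (ta.key) for the HMAC control-channel protection.
    openvpn --genkey secret ta.key << EOF4 || return 1
yes
EOF4
    return 0
}

mkdir -p /dev/net || die "cannot create /dev/net"

if ! [ -c /dev/net/tun ]; then
    echo "$(datef) Creating tun/tap device."
    mknod /dev/net/tun c 10 200 || die "cannot create /dev/net/tun"
fi

# Following firewall configurations will be needed later on
# for a functional deployment of obfsvpn
    # Allow UDP traffic on port 1194.
    #iptables -A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT
    #iptables -A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED --sport 1194 -j ACCEPT

    # Allow traffic on the TUN interface.
    #iptables -A INPUT -i tun0 -j ACCEPT
    #iptables -A FORWARD -i tun0 -j ACCEPT
    #iptables -A OUTPUT -o tun0 -j ACCEPT

    # Allow forwarding traffic only from the VPN.
    #iptables -A FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -j ACCEPT
    #iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    #iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

# All PKI material lives under the persistent volume; never run easy-rsa
# against the container's working directory by accident.
cd "$APP_PERSIST_DIR" || die "cannot cd to $APP_PERSIST_DIR"

LOCKFILE=.gen

# Regenerate certs only on the first start. The marker is written only after
# every generation step succeeded; otherwise the next start retries.
if ! [ -f "$LOCKFILE" ]; then
    IS_INITIAL="1"
    generate_pki || die "PKI generation failed; not writing $LOCKFILE"
    touch "$LOCKFILE" || die "cannot write $LOCKFILE"
fi

# Copy server keys, dh file and certificates
cp pki/dh.pem pki/ca.crt pki/issued/MyReq.crt pki/private/MyReq.key ta.key /etc/openvpn \
    || die "cannot install server key material into /etc/openvpn"

# Update proto and port in /etc/openvpn/server.conf
proto_esc=$(sed_escape "$PROTO")
port_esc=$(sed_escape "$PORT")
sed -i -e "s/__PROTO__/${proto_esc}/g" \
    -e "s/__PORT__/${port_esc}/g" /etc/openvpn/server.conf \
    || die "cannot update /etc/openvpn/server.conf"

# Need to feed key password
openvpn --config /etc/openvpn/server.conf &

# By some strange reason we need to do echo command to get to the next command
echo " "

# backoff for openvpn to start
sleep 20

# Generate client config
if [[ -n "${IS_INITIAL:-}" ]]; then
    CLIENT_PATH="$(createConfig)" || die "createConfig failed"
    FILE_NAME=client.ovpn
    FILE_PATH="$CLIENT_PATH/$FILE_NAME"
    sed -i -e "s/__PROTO__/${proto_esc}/g" "${FILE_PATH}" \
        || die "cannot update ${FILE_PATH}"

    echo "$(datef) Created ${FILE_PATH}."
    # dirty hack: copy client config to root of APP_PERSIST_DIR
    # for reusing in the obfsvpn-client container
    cp "${FILE_PATH}" "$APP_PERSIST_DIR/" || die "cannot copy ${FILE_PATH} to $APP_PERSIST_DIR/"
fi

cd "${APP_INSTALL_PATH}" || die "cannot cd to ${APP_INSTALL_PATH}"
./start_obfs4.sh &

# Keep the container's main process alive while openvpn and obfs4 run in
# the background.
tail -f /dev/null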