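#!/bin/bash
# Container entrypoint for the obfsvpn / OpenVPN server.
#
# On the first start (no "$APP_PERSIST_DIR/.gen" marker) it builds a PKI with
# easy-rsa, issues the server certificate and an OpenVPN tls-auth key, and
# writes a client profile. On every start it copies the key material into
# /etc/openvpn, fills in PROTO/PORT in server.conf, launches openvpn and the
# obfs4 bridge, and then blocks so the container stays up.
#
# Required environment:
#   APP_PERSIST_DIR   persistent volume that holds pki/, ta.key and client.ovpn
#   APP_INSTALL_PATH  directory that contains start_obfs4.sh
#   PROTO, PORT       substituted for __PROTO__ / __PORT__ in server.conf
# Depends on ./functions.sh for datef() and createConfig().

# shellcheck disable=SC1091
source ./functions.sh || { printf 'Cannot source ./functions.sh\n' >&2; exit 1; }

#######################################
# Print a timestamped message to stderr and exit non-zero.
# Arguments: $* - message
#######################################
die() {
  printf '%s %s\n' "$(datef)" "$*" >&2
  exit 1
}

#######################################
# Fail fast on missing or malformed configuration instead of letting sed
# write an empty or unexpected value into server.conf. PROTO and PORT are
# interpolated into a sed expression below, so they are restricted to a
# safe character set here.
#######################################
check_env() {
  : "${APP_PERSIST_DIR:?APP_PERSIST_DIR must be set}"
  : "${APP_INSTALL_PATH:?APP_INSTALL_PATH must be set}"
  : "${PROTO:?PROTO must be set}"
  : "${PORT:?PORT must be set}"
  [[ "$PROTO" =~ ^[A-Za-z0-9-]+$ ]] || die "PROTO must be alphanumeric (got '${PROTO}')."
  [[ "$PORT" =~ ^[0-9]+$ ]] || die "PORT must be numeric (got '${PORT}')."
}

#######################################
# Make sure the tun/tap device node exists (containers often lack it).
#######################################
ensure_tun_device() {
  mkdir -p /dev/net
  if ! [ -c /dev/net/tun ]; then
    echo "$(datef) Creating tun/tap device."
    mknod /dev/net/tun c 10 200 || die "Could not create /dev/net/tun."
  fi
}

# Following firewall configurations will be needed later on
# for a functional deployment of obfsvpn
# Allow UDP traffic on port 1194.
#iptables -A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT
#iptables -A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED --sport 1194 -j ACCEPT
# Allow traffic on the TUN interface.
#iptables -A INPUT -i tun0 -j ACCEPT
#iptables -A FORWARD -i tun0 -j ACCEPT
#iptables -A OUTPUT -o tun0 -j ACCEPT
# Allow forwarding traffic only from the VPN.
#iptables -A FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -j ACCEPT
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

#######################################
# Build the PKI in the current directory (APP_PERSIST_DIR) with easy-rsa.
# Every step is checked so that a half-built PKI never gets the "done"
# marker; the caller touches the marker only after this returns.
#######################################
generate_pki() {
  /usr/share/easy-rsa/easyrsa init-pki || die "easyrsa init-pki failed."
  # DH parameters of size 2048 created at APP_PERSIST_DIR/pki
  /usr/share/easy-rsa/easyrsa gen-dh || die "easyrsa gen-dh failed."
  # Empty stdin: easy-rsa takes the default CN without prompting.
  /usr/share/easy-rsa/easyrsa build-ca nopass << EOF || die "easyrsa build-ca failed."
EOF
  # CA creation complete and you may now import and sign cert requests.
  # Your new CA certificate file for publishing is at:
  # /opt/Dockovpn_data/pki/ca.crt
  /usr/share/easy-rsa/easyrsa gen-req MyReq nopass << EOF2 || die "easyrsa gen-req failed."
EOF2
  # Keypair and certificate request completed. Your files are:
  # req: /opt/Dockovpn_data/pki/reqs/MyReq.req
  # key: /opt/Dockovpn_data/pki/private/MyReq.key
  # "yes" answers the sign-req confirmation prompt.
  /usr/share/easy-rsa/easyrsa sign-req server MyReq << EOF3 || die "easyrsa sign-req failed."
yes
EOF3
  # Certificate created at: /opt/Dockovpn_data/pki/issued/MyReq.crt
  # tls-auth key; openvpn --genkey does not prompt, stdin is only fed defensively.
  openvpn --genkey secret ta.key << EOF4 || die "openvpn --genkey failed."
yes
EOF4
}

#######################################
# Write the client profile on the initial run and stash a copy in
# APP_PERSIST_DIR for the obfsvpn-client container.
# Globals: PROTO (read), APP_PERSIST_DIR (read)
#######################################
write_client_config() {
  local client_path file_path
  client_path="$(createConfig)" || die "createConfig failed."
  file_path="${client_path}/client.ovpn"
  sed -i -e "s/__PROTO__/${PROTO}/g" "${file_path}" || die "Could not patch ${file_path}."
  echo "$(datef) Created ${file_path}."
  # dirty hack: copy client config to root of APP_PERSIST_DIR
  # for reusing in the obfsvpn-client container
  cp "${file_path}" "$APP_PERSIST_DIR/" || die "Could not copy ${file_path} to $APP_PERSIST_DIR."
}

main() {
  local -r lockfile=.gen
  local is_initial=""
  local openvpn_pid

  check_env
  ensure_tun_device

  cd "$APP_PERSIST_DIR" || die "Cannot cd to $APP_PERSIST_DIR."

  # Regenerate certs only on the first start; the marker is created only
  # after every generation step succeeded.
  if ! [ -f "$lockfile" ]; then
    is_initial="1"
    generate_pki
    touch "$lockfile" || die "Could not create marker $APP_PERSIST_DIR/$lockfile."
  fi

  # Copy server keys, dh file and certificates
  cp pki/dh.pem pki/ca.crt pki/issued/MyReq.crt pki/private/MyReq.key ta.key /etc/openvpn \
    || die "Could not copy key material to /etc/openvpn."

  # Update proto and port in /etc/openvpn/server.conf (values validated in check_env)
  sed -i -e "s/__PROTO__/${PROTO}/g" \
    -e "s/__PORT__/${PORT}/g" /etc/openvpn/server.conf \
    || die "Could not patch /etc/openvpn/server.conf."

  # NOTE(review): the original comment said "Need to feed key password", but
  # the server key is generated with nopass above, so no password is fed here.
  openvpn --config /etc/openvpn/server.conf &
  openvpn_pid=$!
  # By some strange reason we need to do echo command to get to the next command
  echo " "
  # backoff for openvpn to start
  sleep 20
  # A dead openvpn must not be hidden behind the tail below: fail so the
  # container exits and a restart policy can act.
  kill -0 "$openvpn_pid" 2>/dev/null || die "openvpn exited during startup."

  # Generate client config
  if [[ -n $is_initial ]]; then
    write_client_config
  fi

  cd "${APP_INSTALL_PATH}" || die "Cannot cd to ${APP_INSTALL_PATH}."
  ./start_obfs4.sh &
  tail -f /dev/null
}

main "$@"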