Commit 23aa3410 authored by mehdi's avatar mehdi

WIP: iptables rules to allow NATing

parent 05e05146
......@@ -11,7 +11,7 @@
],
"version": "0.1.0",
"healthCheckPath": "/api/healthcheck",
"httpPort": 8000,
"httpPort": 3000,
"manifestVersion": 1,
"website": "https://git.cloudron.io/mehdi/cloudron-openvpn",
"contactEmail": "arantes555@gmail.com",
......@@ -3,9 +3,9 @@ MAINTAINER Mehdi Kouhen <arantes555@gmail.com>
ENV PATH /usr/local/node-6.9.5/bin:$PATH
## Installing openVPN and key-management tool
## Installing OpenVPN, key-management tool, and iptables
RUN apt-get update -y
RUN apt-get install -y openvpn easy-rsa
RUN apt-get install -y openvpn easy-rsa iptables
RUN mkdir -p /app/code
WORKDIR /app/code
......@@ -18,8 +18,8 @@ RUN npm install --production
ADD src /app/code/src
ADD app /app/code/app
ADD start.sh server.js README.md /app/code/
ADD openvpn/writeOpenVPNConfig.js /app/code/
ADD start.sh server.js openvpn-conf.sh iptables.rules /app/code/
RUN chmod +x start.sh openvpn-conf.sh
RUN mkdir -p /app/data
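Review bot: The two `RUN apt-get` lines in the first hunk leave `apt-get update -y` in its own cached layer, so a later rebuild that only edits `RUN apt-get install -y openvpn easy-rsa iptables` can install from a stale package index; combine them into one layer, `RUN apt-get update -y && apt-get install -y openvpn easy-rsa iptables && rm -rf /var/lib/apt/lists/*`. The trailing `rm` also keeps the index out of the image. In the second hunk the `ADD` lines would be clearer as `COPY`, since none of the sources needs ADD's archive extraction or URL fetching.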
*raw
:PREROUTING ACCEPT [26181:2443991]
:OUTPUT ACCEPT [34944:5740522]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [26181:2443991]
:INPUT ACCEPT [26181:2443991]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [34944:5740522]
:POSTROUTING ACCEPT [34944:5740522]
COMMIT
*filter
:INPUT ACCEPT [26181:2443991]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [34944:5740522]
COMMIT
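Review bot: The chain policy lines in the `*raw`, `*mangle` and `*filter` tables carry live packet/byte counters such as `:PREROUTING ACCEPT [26181:2443991]`, which look copied from an `iptables-save` on a running host; `iptables-restore` ignores them unless run with `-c`, but in a file meant as a template every counter should read `[0:0]`. The `-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE` rule hard-codes `eth0`, so NAT silently stops working if the container's outbound interface has another name; consider deriving the interface at start time or dropping `-o` so the rule matches any outbound interface. The `*filter` table keeps `:FORWARD ACCEPT` with no rules, so (presumably with ip_forward enabled elsewhere) any traffic is forwarded, not only 10.8.0.0/24 arriving from the tun device; a FORWARD rule pair limited to the VPN subnet and interface, with a DROP policy, would match the intent of the NAT rule.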
#!/usr/bin/env node
'use strict'
#!/bin/bash
const baseDir = '/app/data/keys/'
const VPN_TCP_PORT = process.env.VPN_TCP_PORT || 12345
console.log(`
# Server TCP/${VPN_TCP_PORT}
echo "# Server TCP/${VPN_TCP_PORT:?}
mode server
proto tcp
port ${VPN_TCP_PORT}
port ${VPN_TCP_PORT:?}
dev tun
dev-node /app/code/net-tun
# Keys and certificats
ca ${baseDir}ca.crt
cert ${baseDir}cloudron.crt
key ${baseDir}cloudron.key
dh ${baseDir}dh2048.pem
tls-auth ${baseDir}ta.key 0
ca /app/data/keys/ca.crt
cert /app/data/keys/cloudron.crt
key /app/data/keys/cloudron.key
dh /app/data/keys/dh2048.pem
tls-auth /app/data/keys/ta.key 0
cipher AES-256-CBC
# Network
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 8.8.8.8"
push \"redirect-gateway def1 bypass-dhcp\"
push \"dhcp-option DNS 8.8.4.4\"
push \"dhcp-option DNS 8.8.8.8\"
client-to-client
keepalive 10 120
# Security
......@@ -34,4 +30,4 @@ verb 3
mute 20
status /run/openvpn-status.log
log-append /run/openvpn.log
`)
"
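Review bot: `${VPN_TCP_PORT:?}` in the `echo` header and `port` lines of the earlier hunk makes the variable mandatory, whereas the removed JavaScript defaulted it with `process.env.VPN_TCP_PORT || 12345`; that is a behaviour change, and because start.sh redirects this script's output into /run/openvpn.conf, an unset variable now produces an empty config rather than a visible failure unless start.sh checks the exit status. If the default is still wanted, add `: "${VPN_TCP_PORT:=12345}"` before the `echo`; if the variable is meant to be required, say so in a comment at the top of the script, e.g. `# VPN_TCP_PORT must be set in the environment (no default); the script aborts otherwise`. The `echo` statement opens in the earlier hunk and closes at the `"` on the last line of this one.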
......@@ -28,7 +28,7 @@ export KEY_OU="Cloudron"
export KEY_NAME="EasyRSA"
export KEY_CONFIG="/app/code/easyrsa/openssl-1.0.0.cnf"
# Initializing openvpn keys
# The first time this is run, initialize OpenVPN keys
if [ ! -d /app/data/keys ]; then
/app/code/easyrsa/clean-all
/app/code/easyrsa/pkitool --initca
......@@ -37,11 +37,14 @@ if [ ! -d /app/data/keys ]; then
/app/code/easyrsa/pkitool --server cloudron
fi
node writeOpenVPNConfig.js > /run/openvpn.conf
# Writing OpenVPN config
./openvpn-conf.sh > /run/openvpn.conf
# Add iptables rules for NATing VPN traffic
iptables-restore < iptables.rules
# Fix permissions
chown -R cloudron:cloudron /app/data /tmp /run
echo "Starting server"
exec /usr/bin/supervisord --configuration /etc/supervisor/supervisord.conf --nodaemon -i River
# exec node /app/code/server.js
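Review bot: `iptables-restore < iptables.rules` is unchecked and, without `--noflush`, replaces every table in the container's network namespace with the file's contents, including the empty `*raw`, `*mangle` and `*filter` tables it defines, so any rules already present are wiped; since only the `*nat` MASQUERADE rule is wanted, trim the file to that table and restore it with `iptables-restore --noflush < iptables.rules || { echo "iptables-restore failed" >&2; exit 1; }`. Whether the container runs with CAP_NET_ADMIN is not visible here; if it does not, the command fails and the script still continues to `exec /usr/bin/supervisord`, leaving VPN clients without NAT, which the exit check would surface. The same check is worth adding to `./openvpn-conf.sh > /run/openvpn.conf`, whose failure currently leaves an empty config behind.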