
Added UFW_ALLOW_GW_NET. Changes firewall rules from using GW to the GW network when set to true.

Extended LOCAL_NETWORK to support comma separated list of /CIDR.

Minor firewall cleanups. Removed specified TCP in range allow. No point, we don't specify tcp/udp anywhere else.

Formatting changes (BASH 3+ style).

Cleaned removed external [ ] calls. Use builtin [[ ]].

Use ${VAR,,} to lowercase instead of TR.
master
Dean Bailey, 6 years ago
parent
commit
9f89da6522
6 files changed with 102 additions and 67 deletions
  1. DockerEnv: +1 -0
  2. Dockerfile: +1 -0
  3. Dockerfile.alpine: +2 -0
  4. Dockerfile.armhf: +1 -0
  5. README.md: +3 -1
  6. openvpn/start.sh: +94 -66

DockerEnv (+1 -0)

#OPENVPN_OPTS=--inactive 3600 --ping 10 --ping-exit 60 #OPENVPN_OPTS=--inactive 3600 --ping 10 --ping-exit 60
#LOCAL_NETWORK= #LOCAL_NETWORK=
#ENABLE_UFW=false #ENABLE_UFW=false
#UFW_ALLOW_GW_NET=false
#UFW_EXTRA_PORTS= #UFW_EXTRA_PORTS=
#TRANSMISSION_ALT_SPEED_DOWN=50 #TRANSMISSION_ALT_SPEED_DOWN=50
#TRANSMISSION_ALT_SPEED_ENABLED=false #TRANSMISSION_ALT_SPEED_ENABLED=false

Dockerfile (+1 -0)

TRANSMISSION_WATCH_DIR_ENABLED=true \ TRANSMISSION_WATCH_DIR_ENABLED=true \
TRANSMISSION_HOME=/data/transmission-home \ TRANSMISSION_HOME=/data/transmission-home \
ENABLE_UFW=false \ ENABLE_UFW=false \
UFW_ALLOW_GW_NET=false \
UFW_EXTRA_PORTS= \ UFW_EXTRA_PORTS= \
TRANSMISSION_WEB_UI= \ TRANSMISSION_WEB_UI= \
PUID= \ PUID= \

Dockerfile.alpine (+2 -0)

TRANSMISSION_WATCH_DIR_ENABLED=true \ TRANSMISSION_WATCH_DIR_ENABLED=true \
TRANSMISSION_HOME=/data/transmission-home \ TRANSMISSION_HOME=/data/transmission-home \
ENABLE_UFW=false \ ENABLE_UFW=false \
UFW_ALLOW_GW_NET=false \
UFW_EXTRA_PORTS= \
TRANSMISSION_WEB_UI= \ TRANSMISSION_WEB_UI= \
PUID= \ PUID= \
PGID= \ PGID= \
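Review bot: Dockerfile.alpine was the only image without the `UFW_EXTRA_PORTS=` default that Dockerfile and Dockerfile.armhf already carry, so this hunk adds two defaults rather than one; the commit message only mentions UFW_ALLOW_GW_NET, and a short note that the alpine image is being brought in line would make the change history clearer.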

Dockerfile.armhf (+1 -0)

TRANSMISSION_WATCH_DIR_ENABLED=true \ TRANSMISSION_WATCH_DIR_ENABLED=true \
TRANSMISSION_HOME=/data/transmission-home \ TRANSMISSION_HOME=/data/transmission-home \
ENABLE_UFW=false \ ENABLE_UFW=false \
UFW_ALLOW_GW_NET=false \
UFW_EXTRA_PORTS= \ UFW_EXTRA_PORTS= \
TRANSMISSION_WEB_UI=\ TRANSMISSION_WEB_UI=\
PUID=\ PUID=\

README.md (+3 -1)

|----------|----------|-------| |----------|----------|-------|
|`OPENVPN_CONFIG` | Sets the OpenVPN endpoint to connect to. | `OPENVPN_CONFIG=UK Southampton`| |`OPENVPN_CONFIG` | Sets the OpenVPN endpoint to connect to. | `OPENVPN_CONFIG=UK Southampton`|
|`OPENVPN_OPTS` | Will be passed to OpenVPN on startup | See [OpenVPN doc](https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html) | |`OPENVPN_OPTS` | Will be passed to OpenVPN on startup | See [OpenVPN doc](https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html) |
|`LOCAL_NETWORK` | Sets the local network that should have access. | `LOCAL_NETWORK=192.168.0.0/24`|
|`LOCAL_NETWORK` | Sets the local network that should have access. Accepts comma separated list. | `LOCAL_NETWORK=192.168.0.0/24`|


### Firewall configuration options ### Firewall configuration options
When enabled, the firewall blocks everything except traffic to the peer port and traffic to the rpc port from the LOCAL_NETWORK and the internal docker gateway. When enabled, the firewall blocks everything except traffic to the peer port and traffic to the rpc port from the LOCAL_NETWORK and the internal docker gateway.
| Variable | Function | Example | | Variable | Function | Example |
|----------|----------|-------| |----------|----------|-------|
|`ENABLE_UFW` | Enables the firewall | `ENABLE_UFW=true`| |`ENABLE_UFW` | Enables the firewall | `ENABLE_UFW=true`|
|`UFW_ALLOW_GW_NET` | Allows the gateway network through the firewall. Off defaults to only allowing the gateway. | `UFW_ALLOW_GW_NET=true`|
|`UFW_EXTRA_PORTS` | Allows the comma separated list of ports through the firewall. Respsects UFW_ALLOW_GW_NET. | `UFW_EXTRA_PORTS=9910,23561,443`|


### Alternative web UIs ### Alternative web UIs
You can override the default web UI by setting the ```TRANSMISSION_WEB_HOME``` environment variable. If set, Transmission will look there for the Web Interface files, such as the javascript, html, and graphics files. You can override the default web UI by setting the ```TRANSMISSION_WEB_HOME``` environment variable. If set, Transmission will look there for the Web Interface files, such as the javascript, html, and graphics files.
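Review bot: typo in the new `UFW_EXTRA_PORTS` row, "Respsects" should be "Respects". The `UFW_ALLOW_GW_NET` row should also spell out what the "gateway network" is and how far it widens access: with it set to true the RPC port (and every port in UFW_EXTRA_PORTS) is opened to the whole subnet of the container's default-route interface, i.e. to every container on that docker network, not only to the docker gateway address; "Off defaults to only allowing the gateway" would read better as "When false (the default), only the docker gateway address is allowed".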

openvpn/start.sh (+94 -66)

#!/bin/bash #!/bin/bash
vpn_provider="$(echo $OPENVPN_PROVIDER | tr '[A-Z]' '[a-z]')"
vpn_provider_configs="/etc/openvpn/$vpn_provider"
if [ ! -d "$vpn_provider_configs" ]; then
echo "Could not find OpenVPN provider: $OPENVPN_PROVIDER"
echo "Please check your settings."
exit 1
VPN_PROVIDER="${OPENVPN_PROVIDER,,}"
VPN_PROVIDER_CONFIGS="/etc/openvpn/${VPN_PROVIDER}"
if [[ ! -d "${VPN_PROVIDER_CONFIGS}" ]]; then
echo "Could not find OpenVPN provider: ${OPENVPN_PROVIDER}"
echo "Please check your settings."
exit 1
fi fi
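Review bot: `${OPENVPN_PROVIDER,,}` needs bash 4.0 or later, and the `typeset -n` namerefs introduced further down need bash 4.3, so the "BASH 3+ style" in the commit message is inaccurate; that is fine inside these images as long as the installed bash is recent enough, but it is worth stating. Separately, if OPENVPN_PROVIDER is unset or empty, VPN_PROVIDER_CONFIGS becomes `/etc/openvpn/`, which exists, so the `-d` guard passes and the script carries on with an empty provider; an explicit `[[ -z "${OPENVPN_PROVIDER-}" ]]` check in front of this block would fail early with a clear message instead.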


echo "Using OpenVPN provider: $OPENVPN_PROVIDER"

if [ ! -z "$OPENVPN_CONFIG" ]
then
n=$(echo "$OPENVPN_CONFIG" | wc -w)
if [ $n -gt 1 ]
then
rnd=$((RANDOM%n+1))
srv=$(echo "$OPENVPN_CONFIG" | awk -vrnd=$rnd '{print $rnd}')
echo "$n servers found in OPENVPN_CONFIG, $srv chosen randomly"
OPENVPN_CONFIG=$srv
fi

if [ -f $vpn_provider_configs/"${OPENVPN_CONFIG}".ovpn ]
then
echo "Starting OpenVPN using config ${OPENVPN_CONFIG}.ovpn"
OPENVPN_CONFIG=$vpn_provider_configs/${OPENVPN_CONFIG}.ovpn
else
echo "Supplied config ${OPENVPN_CONFIG}.ovpn could not be found."
echo "Using default OpenVPN gateway for provider ${vpn_provider}"
OPENVPN_CONFIG=$vpn_provider_configs/default.ovpn
fi
echo "Using OpenVPN provider: ${OPENVPN_PROVIDER}"

if [[ ! -z "${OPENVPN_CONFIG}" ]]; then
n=$(echo "$OPENVPN_CONFIG" | wc -w)
if [ $n -gt 1 ]
then
rnd=$((RANDOM%n+1))
srv=$(echo "$OPENVPN_CONFIG" | awk -vrnd=$rnd '{print $rnd}')
echo "$n servers found in OPENVPN_CONFIG, $srv chosen randomly"
OPENVPN_CONFIG=$srv
fi

if [[ -f "${VPN_PROVIDER_CONFIGS}/${OPENVPN_CONFIG}".ovpn ]]; then
echo "Starting OpenVPN using config ${OPENVPN_CONFIG}.ovpn"
OPENVPN_CONFIG="${VPN_PROVIDER_CONFIGS}/${OPENVPN_CONFIG}.ovpn"
else
echo "Supplied config ${OPENVPN_CONFIG}.ovpn could not be found."
echo "Using default OpenVPN gateway for provider ${VPN_PROVIDER}"
OPENVPN_CONFIG="${VPN_PROVIDER_CONFIGS}/default.ovpn"
fi
else else
echo "No VPN configuration provided. Using default."
OPENVPN_CONFIG=$vpn_provider_configs/default.ovpn
echo "No VPN configuration provided. Using default."
OPENVPN_CONFIG="${VPN_PROVIDER_CONFIGS}/default.ovpn"
fi fi
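Review bot: `if [ $n -gt 1 ]` in the random-server selection is still the old single-bracket form with an unquoted `$n`, which the commit message says were all replaced; `if [[ ${n} -gt 1 ]]; then` keeps it consistent with the rest of the file. Minor: in `[[ -f "${VPN_PROVIDER_CONFIGS}/${OPENVPN_CONFIG}".ovpn ]]` the `.ovpn` suffix sits outside the quotes, unlike the assignment two lines below where it is inside.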


# add OpenVPN user/pass # add OpenVPN user/pass
if [ "${OPENVPN_USERNAME}" = "**None**" ] || [ "${OPENVPN_PASSWORD}" = "**None**" ] ; then
if [ ! -f /config/openvpn-credentials.txt ] ; then
if [[ "${OPENVPN_USERNAME}" == "**None**" ]] || [[ "${OPENVPN_PASSWORD}" == "**None**" ]] ; then
if [[ ! -f /config/openvpn-credentials.txt ]] ; then
echo "OpenVPN credentials not set. Exiting." echo "OpenVPN credentials not set. Exiting."
exit 1 exit 1
fi fi
else else
echo "Setting OPENVPN credentials..." echo "Setting OPENVPN credentials..."
mkdir -p /config mkdir -p /config
echo $OPENVPN_USERNAME > /config/openvpn-credentials.txt
echo $OPENVPN_PASSWORD >> /config/openvpn-credentials.txt
echo "${OPENVPN_USERNAME}" > /config/openvpn-credentials.txt
echo "${OPENVPN_PASSWORD}" >> /config/openvpn-credentials.txt
chmod 600 /config/openvpn-credentials.txt chmod 600 /config/openvpn-credentials.txt
fi fi
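Review bot: the credentials are written with `echo ... >` before the `chmod 600`, so the file is created with the umask default (typically 0644) and only tightened afterwards. Creating it with restricted permissions first, e.g. `umask 077` ahead of the two echo lines or `install -m 600 /dev/null /config/openvpn-credentials.txt` before writing, removes that window; since these lines are being touched anyway this is a cheap fix.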


# add transmission credentials from env vars # add transmission credentials from env vars
echo $TRANSMISSION_RPC_USERNAME > /config/transmission-credentials.txt
echo $TRANSMISSION_RPC_PASSWORD >> /config/transmission-credentials.txt
echo "${TRANSMISSION_RPC_USERNAME}" > /config/transmission-credentials.txt
echo "${TRANSMISSION_RPC_PASSWORD}" >> /config/transmission-credentials.txt
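Review bot: unlike the OpenVPN credentials just above, `/config/transmission-credentials.txt` gets no `chmod 600`, so the RPC password lands in a file with default umask permissions (typically world-readable) on the persisted /config volume. Add `chmod 600 /config/transmission-credentials.txt` after the second echo, or create the file with restrictive permissions before writing, so both secrets are handled the same way.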


# Persist transmission settings for use by transmission-daemon # Persist transmission settings for use by transmission-daemon
dockerize -template /etc/transmission/environment-variables.tmpl:/etc/transmission/environment-variables.sh dockerize -template /etc/transmission/environment-variables.tmpl:/etc/transmission/environment-variables.sh


TRANSMISSION_CONTROL_OPTS="--script-security 2 --up-delay --up /etc/openvpn/tunnelUp.sh --down /etc/openvpn/tunnelDown.sh" TRANSMISSION_CONTROL_OPTS="--script-security 2 --up-delay --up /etc/openvpn/tunnelUp.sh --down /etc/openvpn/tunnelDown.sh"


if [ "true" = "$ENABLE_UFW" ]; then
## If we use UFW or the LOCAL_NETWORK we need to grab network config info
if [[ "${ENABLE_UFW,,}" == "true" ]] || [[ -n "${LOCAL_NETWORK-}" ]]; then
eval $(/sbin/ip r l m 0.0.0.0 | awk '{if($5!="tun0"){print "GW="$3"\nINT="$5; exit}}')
## IF we use UFW_ALLOW_GW_NET along with ENABLE_UFW we need to know what our netmask CIDR is
if [[ "${ENABLE_UFW,,}" == "true" ]] && [[ "${UFW_ALLOW_GW_NET,,}" == "true" ]]; then
eval $(ip r l dev ${INT} | awk '{if($5=="link"){print "GW_CIDR="$1; exit}}')
fi
fi

## Open port to any address
function ufwAllowPort {
typeset -n portNum=${1}
if [[ "${ENABLE_UFW,,}" == "true" ]] && [[ -n "${portNum-}" ]]; then
echo "allowing ${portNum} through the firewall"
ufw allow ${portNum}
fi
}

## Open port to specific address.
function ufwAllowPortLong {
typeset -n portNum=${1} sourceAddress=${2}

if [[ "${ENABLE_UFW,,}" == "true" ]] && [[ -n "${portNum-}" ]] && [[ -n "${sourceAddress-}" ]]; then
echo "allowing ${sourceAddress} through the firewall to port ${portNum}"
ufw allow from ${sourceAddress} to any port ${portNum}
fi
}

if [[ "${ENABLE_UFW,,}" == "true" ]]; then
# Enable firewall # Enable firewall
echo "enabling firewall" echo "enabling firewall"
sed -i -e s/IPV6=yes/IPV6=no/ /etc/default/ufw sed -i -e s/IPV6=yes/IPV6=no/ /etc/default/ufw
ufw enable ufw enable


if [ "true" = "$TRANSMISSION_PEER_PORT_RANDOM_ON_START" ]; then
PEER_PORT="$TRANSMISSION_PEER_PORT_RANDOM_LOW:$TRANSMISSION_PEER_PORT_RANDOM_HIGH/tcp"
if [[ "${TRANSMISSION_PEER_PORT_RANDOM_ON_START,,}" == "true" ]]; then
PEER_PORT="${TRANSMISSION_PEER_PORT_RANDOM_LOW}:${TRANSMISSION_PEER_PORT_RANDOM_HIGH}"
else else
PEER_PORT=$TRANSMISSION_PEER_PORT
PEER_PORT="${TRANSMISSION_PEER_PORT}"
fi fi


echo "allowing $PEER_PORT through the firewall"
ufw allow $PEER_PORT
ufwAllowPort PEER_PORT


if [ "true" = "$WEBPROXY_ENABLED" ]; then
echo "allowing $WEBPROXY_PORT through the firewall"
ufw allow $WEBPROXY_PORT
if [[ "${WEBPROXY_ENABLED,,}" == "true" ]]; then
ufwAllowPort WEBPROXY_PORT
fi
if [[ "${UFW_ALLOW_GW_NET,,}" == "true" ]]; then
ufwAllowPortLong TRANSMISSION_RPC_PORT GW_CIDR
else
ufwAllowPortLong TRANSMISSION_RPC_PORT GW
fi fi


eval $(/sbin/ip r l m 0.0.0.0 | awk '{if($5!="tun0"){print "GW="$3"\nINT="$5; exit}}')
echo "allowing access to $TRANSMISSION_RPC_PORT from $GW"
ufw allow proto tcp from $GW to any port $TRANSMISSION_RPC_PORT
if [ ! -z "${UFW_EXTRA_PORTS}" ]; then
if [[ -n "${UFW_EXTRA_PORTS-}" ]]; then
for port in ${UFW_EXTRA_PORTS//,/ }; do for port in ${UFW_EXTRA_PORTS//,/ }; do
echo "allowing access to ${port} from $GW"
ufw allow proto tcp from $GW to any port ${port}
if [[ "${UFW_ALLOW_GW_NET,,}" == "true" ]]; then
ufwAllowPortLong port GW_CIDR
else
ufwAllowPortLong port GW
fi
done done
fi fi
fi fi
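Review bot: dropping `/tcp` from the peer port range breaks the `TRANSMISSION_PEER_PORT_RANDOM_ON_START=true` case: ufw rejects a bare port range without a protocol ("Must specify 'tcp' or 'udp' with multiple ports"), so `ufw allow ${portNum}` fails for `LOW:HIGH` where the old `LOW:HIGH/tcp` worked; keep the protocol suffix on ranges. The commit message's "we don't specify tcp/udp anywhere else" is also not true of the lines being removed here (`ufw allow proto tcp from $GW to any port $TRANSMISSION_RPC_PORT` and the same for extra ports): `ufwAllowPortLong` now emits `ufw allow from ${sourceAddress} to any port ${portNum}` without `proto tcp`, so the RPC and extra-port rules admit UDP as well, which is wider than before for a TCP-only service; keep `proto tcp` in the helper or add a protocol parameter. Finally, when UFW_ALLOW_GW_NET=true but the `ip r l dev ${INT}` parse yields no `link` route, GW_CIDR stays empty and `ufwAllowPortLong TRANSMISSION_RPC_PORT GW_CIDR` silently does nothing because of the `-n "${sourceAddress-}"` guard, leaving the RPC port blocked with no hint in the log; print a warning or fall back to GW in that case.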


if [ -n "${LOCAL_NETWORK-}" ]; then
eval $(/sbin/ip r l m 0.0.0.0 | awk '{if($5!="tun0"){print "GW="$3"\nINT="$5; exit}}')
if [ -n "${GW-}" -a -n "${INT-}" ]; then
echo "adding route to local network $LOCAL_NETWORK via $GW dev $INT"
/sbin/ip r a "$LOCAL_NETWORK" via "$GW" dev "$INT"
if [ "true" = "$ENABLE_UFW" ]; then
echo "allowing access to $TRANSMISSION_RPC_PORT from $LOCAL_NETWORK"
ufw allow proto tcp from $LOCAL_NETWORK to any port $TRANSMISSION_RPC_PORT
if [ ! -z "${UFW_EXTRA_PORTS}" ]; then
for port in ${UFW_EXTRA_PORTS//,/ }; do
echo "allowing access to ${port} from $LOCAL_NETWORK"
ufw allow proto tcp from $LOCAL_NETWORK to any port ${port}
done
if [[ -n "${LOCAL_NETWORK-}" ]]; then
if [[ -n "${GW-}" ]] && [[ -n "${INT-}" ]]; then
for localNet in ${LOCAL_NETWORK//,/ }; do
echo "adding route to local network ${localNet} via ${GW} dev ${INT}"
/sbin/ip r a "${localNet}" via "${GW}" dev "${INT}"
if [[ "${ENABLE_UFW,,}" == "true" ]]; then
ufwAllowPortLong TRANSMISSION_RPC_PORT localNet
if [[ -n "${UFW_EXTRA_PORTS-}" ]]; then
for port in ${UFW_EXTRA_PORTS//,/ }; do
ufwAllowPortLong port localNet
done
fi
fi fi
fi
done
fi fi
fi fi
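Review bot: each entry of the new comma-separated LOCAL_NETWORK is passed straight to `ip r a` and `ufw allow from` with no check that it is a CIDR prefix, and the exit status of `/sbin/ip r a` is not examined, so a malformed entry (stray space, missing prefix length) only shows up as an error from ip or ufw while the loop continues with the next entry and the firewall rule for that entry may or may not have been added; a small guard such as `[[ ${localNet} =~ ^[0-9.]+/[0-9]+$ ]] || { echo "bad LOCAL_NETWORK entry: ${localNet}"; exit 1; }` at the top of the loop gives a clear failure. The `-n "${GW-}"`/`-n "${INT-}"` guard also skips every route silently when the gateway lookup fails (as the old code did); a log line there would save debugging time. The `proto tcp` loss noted on the firewall block above applies to the `ufwAllowPortLong ... localNet` calls here as well.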


exec openvpn $TRANSMISSION_CONTROL_OPTS $OPENVPN_OPTS --config "$OPENVPN_CONFIG"
exec openvpn ${TRANSMISSION_CONTROL_OPTS} ${OPENVPN_OPTS} --config "${OPENVPN_CONFIG}"
