From b71fa6764c9e81f24d8620a0fface2d75972a1ef Mon Sep 17 00:00:00 2001
From: Eldwan Brianne
Date: Mon, 15 Feb 2021 18:44:10 +0100
Subject: [PATCH] Fix openvpn problems, remove tinyproxy, move dockerfile to ubuntu 18.04 as alpine crashes
---
.gitignore | 3 +-
Dockerfile | 49 ++++++++---------
root/etc/deluge/start.sh | 15 +++---
root/etc/openvpn/persistEnvironment.py | 4 +-
root/etc/openvpn/start.sh | 9 ++--
root/etc/openvpn/tunnelDown.sh | 1 -
root/etc/openvpn/tunnelUp.sh | 42 ++++++++++++++-
root/etc/tinyproxy/start.sh | 75 --------------------------
root/etc/tinyproxy/stop.sh | 7 ---
root/etc/ufw/enable.sh | 7 ++-
10 files changed, 86 insertions(+), 126 deletions(-)
delete mode 100755 root/etc/tinyproxy/start.sh
delete mode 100755 root/etc/tinyproxy/stop.sh
diff --git a/.gitignore b/.gitignore
index 600d2d33ba..a031848e5d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-.vscode
\ No newline at end of file
+.vscode
+docker-compose.yml
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index 2966bca206..ee3f75ffa8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,14 +1,24 @@ -FROM alpine:edge - -RUN echo "@edgecommunity http://nl.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \ - && echo "@testing http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \ - && apk update \ - && apk add --upgrade apk-tools \ - && apk add bash dumb-init openvpn shadow curl jq tzdata openrc tinyproxy tinyproxy-openrc openssh unrar deluge@testing ufw@edgecommunity \ - && rm -rf /tmp/* /var/tmp/* \ - && groupadd -g 911 abc \ - && useradd -u 911 -g 911 -s /bin/false -m abc \ - && usermod -G users abc +FROM ubuntu:18.04 + +ARG DEBIAN_FRONTEND="noninteractive" + +RUN set -ex; \ + apt-get update && \ + apt-get -y install gnupg apt-utils && \ + apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C5E6A5ED249AD24C && \ + echo "deb http://ppa.launchpad.net/deluge-team/stable/ubuntu bionic main" >> \ + /etc/apt/sources.list.d/deluge.list && \ + echo "deb-src http://ppa.launchpad.net/deluge-team/stable/ubuntu bionic main" >> \ + /etc/apt/sources.list.d/deluge.list && \ + echo "**** install packages ****" && \ + apt-get update && \ + apt-get -y install dumb-init iputils-ping dnsutils bash jq net-tools openvpn curl ufw deluged deluge-console deluge-web python3-future python3-requests p7zip-full unrar unzip && \ + echo "Cleanup"; \ + rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/* && \ + echo "Adding user"; \ + groupadd -g 911 abc && \ + useradd -u 911 -g 911 -s /bin/false -m abc && \ + usermod -G users abc # Add configuration and scripts COPY root/ / @@ -23,10 +33,6 @@ ENV OPENVPN_USERNAME=**None** \ PUID= \ PGID= \ DROP_DEFAULT_ROUTE= \ - WEBPROXY_ENABLED=false \ - WEBPROXY_PORT=8888 \ - WEBPROXY_USERNAME= \ - WEBPROXY_PASSWORD= \ HEALTH_CHECK_HOST=google.com \ LANG='en_US.UTF-8' \ LANGUAGE='en_US.UTF-8' \ 
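Review bot: The `;` after `echo "Cleanup"` and after `echo "Adding user"` breaks the `&&` chain, so a failure in the long `apt-get -y install …` step is not fatal: under `set -e` a failing command inside an `&&` list (other than the one after the final `&&`) does not exit the shell, and the layer goes on to `rm -rf` and `groupadd` with packages missing. Change both to `echo "Cleanup" && \` and `echo "Adding user" && \` (or split the step into a heredoc with `set -e`, one command per line). Separately, `apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C5E6A5ED249AD24C` imports the PPA key by a 64-bit id into the global apt trust store; pinning the full fingerprint and scoping the key to that one source with a `signed-by=` keyring in deluge.list limits what the key is trusted to sign. The package list is also unpinned, so rebuilds are not reproducible, though that was equally true of the old apk line. The second hunk (dropping the WEBPROXY_* env defaults) needs nothing.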
@@ -35,20 +41,9 @@ ENV OPENVPN_USERNAME=**None** \ HEALTHCHECK --interval=1m CMD /etc/scripts/healthcheck.sh -# Compatability with https://hub.docker.com/r/willfarrell/autoheal/ -LABEL autoheal=true - VOLUME /downloads VOLUME /config -# Expose web ui port -EXPOSE 8112 - -# expose port for deluge daemon -EXPOSE 58846 - -# expose port for incoming torrent data (tcp and udp) -EXPOSE 58946 -EXPOSE 58946/udp +EXPOSE 8112 58846 58946 58946/udp CMD ["dumb-init", "/etc/openvpn/start.sh"] \ No newline at end of file diff --git a/root/etc/deluge/start.sh b/root/etc/deluge/start.sh index 8dcf17c828..e29d821653 100755 --- a/root/etc/deluge/start.sh +++ b/root/etc/deluge/start.sh @@ -49,14 +49,15 @@ if [[ "${ENABLE_UFW,,}" == "true" ]] || [[ -n "${LOCAL_NETWORK-}" ]]; then eval $(/sbin/ip r l | awk '{if($5!="tun0"){print "GW="$3"\nINT="$5; exit}}') ## IF we use UFW_ALLOW_GW_NET along with ENABLE_UFW we need to know what our netmask CIDR is if [[ "${ENABLE_UFW,,}" == "true" ]] && [[ "${UFW_ALLOW_GW_NET,,}" == "true" ]]; then - eval $(ip r l dev ${INT} | awk '{if($5=="link"){print "GW_CIDR="$1; exit}}') + eval $(ip r l dev ${INT} | awk '{if($3=="link"){print "GW_CIDR="$1; exit}}') fi fi -if [[ "${UFW_ALLOW_GW_NET,,}" == "true" ]]; then - log "Allow in and out from ${GW_CIDR}" - ufw allow in from ${GW_CIDR} - ufw allow out from ${GW_CIDR} +echo "Got local network ${GW} and CIDR ${GW_CIDR} on interface ${INT}" + +if [[ "${ENABLE_UFW,,}" == "true" && "${UFW_ALLOW_GW_NET,,}" == "true" ]]; then + log "Allow from ${GW_CIDR}" + ufw allow from ${GW_CIDR} fi if [[ -n "${LOCAL_NETWORK-}" ]]; then @@ -68,6 +69,8 @@ if [[ -n "${LOCAL_NETWORK-}" ]]; then fi fi +ufw status + log "Starting Deluge" exec su --preserve-environment abc -s /bin/bash -c "/usr/bin/deluged -d -c /config -L info -l /config/deluged.log" & 
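Review bot: `ufw allow from ${GW_CIDR}` only adds an inbound rule (ufw applies `in` when no direction is given), so the root/etc/deluge/start.sh hunk silently drops the `ufw allow out from ${GW_CIDR}` the old code had while `ufw default deny outgoing` stays in /etc/ufw/enable.sh; connections the container initiates toward the gateway network are now denied. If the LAN should remain reachable in both directions, keep a second line, `ufw allow out from ${GW_CIDR}`. The awk change to `$3=="link"` is also fragile: iproute2 builds that print `proto kernel` before `scope link` put `link` in `$5`, which is presumably why the old line matched `$5`; `awk '/scope link/{print "GW_CIDR="$1; exit}'` matches either layout. When neither layout matches, `GW_CIDR` is empty and `ufw allow from` is invoked with no argument, so guard the call with `[[ -n "${GW_CIDR}" ]]`.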
@@ -93,4 +96,4 @@ if [[ -x /config/deluge-post-start.sh ]]; then log "/config/deluge-post-start.sh returned $?" fi -log "Deluge startup script complete." +log "Deluge startup script complete." \ No newline at end of file diff --git a/root/etc/openvpn/persistEnvironment.py b/root/etc/openvpn/persistEnvironment.py index 11261023af..5b50094141 100644 --- a/root/etc/openvpn/persistEnvironment.py +++ b/root/etc/openvpn/persistEnvironment.py @@ -28,9 +28,7 @@ variables_to_persist = {} for env_var in os.environ: - if env_var.startswith('WEBPROXY_'): - variables_to_persist[env_var] = os.environ.get(env_var) - elif env_var in wanted_variables: + if env_var in wanted_variables: variables_to_persist[env_var] = os.environ.get(env_var) diff --git a/root/etc/openvpn/start.sh b/root/etc/openvpn/start.sh index a571a969f2..5b4e5bdf90 100755 --- a/root/etc/openvpn/start.sh +++ b/root/etc/openvpn/start.sh @@ -106,7 +106,7 @@ fi if [[ "${CREATE_TUN_DEVICE,,}" == "true" ]]; then mkdir -p /dev/net mknod /dev/net/tun c 10 200 - chmod 0666 /dev/net/tun + chmod 600 /dev/net/tun fi ## @@ -118,7 +118,10 @@ fi VPN_PROVIDER="${OPENVPN_PROVIDER:-custom}" VPN_PROVIDER="${VPN_PROVIDER,,}" # to lowercase VPN_PROVIDER_HOME="/etc/openvpn/${VPN_PROVIDER}" -mkdir -p "$VPN_PROVIDER_HOME" +if [[ ! -d $VPN_PROVIDER_HOME ]]; then + echo "Creating $VPN_PROVIDER_HOME" + mkdir -p "$VPN_PROVIDER_HOME" +fi # Make sure that we have enough information to start OpenVPN if [[ -z $OPENVPN_CONFIG_URL ]] && [[ "${OPENVPN_PROVIDER}" == "**None**" ]] || [[ -z "${OPENVPN_PROVIDER-}" ]]; then @@ -201,4 +204,4 @@ DELUGE_CONTROL_OPTS="--script-security 2 --up-delay --up /etc/openvpn/tunnelUp.s # shellcheck disable=SC2086 log "Starting openvpn" -exec openvpn ${DELUGE_CONTROL_OPTS} ${OPENVPN_OPTS} --config "${CHOSEN_OPENVPN_CONFIG}" +exec openvpn ${DELUGE_CONTROL_OPTS} ${OPENVPN_OPTS} --config "${CHOSEN_OPENVPN_CONFIG}" \ No newline at end of file 
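Review bot: `chmod 600 /dev/net/tun` only works as long as openvpn keeps running as root; if the chosen provider config or `OPENVPN_OPTS` passes `user`/`group` to drop privileges and `--persist-tun` is not set (DELUGE_CONTROL_OPTS is cut off in this hunk, so I cannot tell), openvpn cannot reopen the device after a link restart and the reconnect fails. Either keep the 0666 mode the old line set or make sure `--persist-tun` is part of the control options. In the second hunk, `echo "Creating $VPN_PROVIDER_HOME"` bypasses the script's `log` helper that the surrounding lines use (`log "Starting openvpn"`); `log "Creating $VPN_PROVIDER_HOME"` keeps the output consistent. The trailing-newline hunks and the persistEnvironment.py deletion need nothing.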
diff --git a/root/etc/openvpn/tunnelDown.sh b/root/etc/openvpn/tunnelDown.sh index 8349e3398d..6186eaddaf 100755 --- a/root/etc/openvpn/tunnelDown.sh +++ b/root/etc/openvpn/tunnelDown.sh @@ -1,4 +1,3 @@ #!/bin/bash /etc/deluge/stop.sh -[[ ! -f /opt/tinyproxy/stop.sh ]] || /opt/tinyproxy/stop.sh diff --git a/root/etc/openvpn/tunnelUp.sh b/root/etc/openvpn/tunnelUp.sh index 6b7f32add9..7ccf27250d 100755 --- a/root/etc/openvpn/tunnelUp.sh +++ b/root/etc/openvpn/tunnelUp.sh @@ -1,4 +1,44 @@ #!/bin/bash +if [ "${PEER_DNS}" != "no" ]; then + NS= + DOMAIN= + SEARCH= + i=1 + while true ; do + eval opt=\$foreign_option_${i} + [ -z "${opt}" ] && break + if [ "${opt}" != "${opt#dhcp-option DOMAIN *}" ] ; then + if [ -z "${DOMAIN}" ] ; then + DOMAIN="${opt#dhcp-option DOMAIN *}" + else + SEARCH="${SEARCH}${SEARCH:+ }${opt#dhcp-option DOMAIN *}" + fi + elif [ "${opt}" != "${opt#dhcp-option DNS *}" ] ; then + NS="${NS}nameserver ${opt#dhcp-option DNS *}\n" + fi + i=$((${i} + 1)) + done + + if [ -n "${NS}" ] ; then + DNS="# Generated by openvpn for interface ${dev}\n" + if [ -n "${SEARCH}" ] ; then + DNS="${DNS}search ${DOMAIN} ${SEARCH}\n" + elif [ -n "${DOMAIN}" ]; then + DNS="${DNS}domain ${DOMAIN}\n" + fi + DNS="${DNS}${NS}" + if [ -x /sbin/resolvconf ] ; then + printf "${DNS}" | /sbin/resolvconf -a "${dev}" + else + # Preserve the existing resolv.conf + if [ -e /etc/resolv.conf ] ; then + cp /etc/resolv.conf /etc/resolv.conf-"${dev}".sv + fi + printf "${DNS}" > /etc/resolv.conf + chmod 644 /etc/resolv.conf + fi + fi +fi + /etc/deluge/start.sh "$@" -[[ ! -f /opt/tinyproxy/start.sh ]] || /opt/tinyproxy/start.sh diff --git a/root/etc/tinyproxy/start.sh b/root/etc/tinyproxy/start.sh deleted file mode 100755 index 943ce28e1e..0000000000 --- a/root/etc/tinyproxy/start.sh +++ /dev/null 
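Review bot: `printf "${DNS}"` uses the string built from the server-pushed `foreign_option_N` values as the printf format, so a `%` in a pushed `DOMAIN` or `DNS` value is treated as a conversion specifier and the generated resolv.conf is corrupted or printf fails; this applies to both branches in the tunnelUp.sh hunk. Pass the data as an argument instead, `printf '%b' "${DNS}" | /sbin/resolvconf -a "${dev}"` and `printf '%b' "${DNS}" > /etc/resolv.conf`, which still expands the embedded `\n`. The backup written to `/etc/resolv.conf-${dev}.sv` is never restored: tunnelDown.sh in this same patch now only runs /etc/deluge/stop.sh, so after the tunnel drops name resolution stays pointed at the VPN's resolvers (and on the resolvconf branch the `${dev}` entry is never removed with `resolvconf -d "${dev}"`). `PEER_DNS` is not among the `ENV` defaults in the Dockerfile hunk, so the block runs whenever the variable is unset; if that opt-out default is intended, a one-line comment saying so would help.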
@@ -1,75 +0,0 @@ -#!/bin/bash - -find_proxy_conf() -{ - if [[ -f /etc/tinyproxy.conf ]]; then - PROXY_CONF='/etc/tinyproxy.conf' - elif [[ -f /etc/tinyproxy/tinyproxy.conf ]]; then - PROXY_CONF='/etc/tinyproxy/tinyproxy.conf' - else - echo "ERROR: Could not find tinyproxy config file. Exiting..." - exit 1 - fi -} - -set_port() -{ - expr $1 + 0 1>/dev/null 2>&1 - status=$? - if test ${status} -gt 1 - then - echo "Port [$1]: Not a number" >&2; exit 1 - fi - - # Port: Specify the port which tinyproxy will listen on. Please note - # that should you choose to run on a port lower than 1024 you will need - # to start tinyproxy using root. - - if test $1 -lt 1024 - then - echo "tinyproxy: $1 is lower than 1024. Ports below 1024 are not permitted."; - exit 1 - fi - - echo "Setting tinyproxy port to $1"; - sed -i -e"s,^Port .*,Port $1," $2 -} - -set_authentication() -{ - echo "Setting tinyproxy basic auth"; - echo "BasicAuth $1 $2" >> $3 -} - -if [[ "${WEBPROXY_ENABLED}" = "true" ]]; then - - echo "STARTING TINYPROXY" - - find_proxy_conf - echo "Found config file $PROXY_CONF, updating settings." - - set_port ${WEBPROXY_PORT} ${PROXY_CONF} - - if [[ ! -z "${WEBPROXY_USERNAME}" ]] && [[ ! -z "${WEBPROXY_PASSWORD}" ]]; then - set_authentication ${WEBPROXY_USERNAME} ${WEBPROXY_PASSWORD} ${PROXY_CONF} - fi - - # Allow all clients - sed -i -e"s/^Allow /#Allow /" ${PROXY_CONF} - - # Disable Via Header for privacy (leaks that you're using a proxy) - sed -i -e "s/#DisableViaHeader/DisableViaHeader/" ${PROXY_CONF} - - # Lower log level for privacy (writes dns names by default) - sed -i -e "s/LogLevel Info/LogLevel Critical/" ${PROXY_CONF} - - if command -v tinyproxy &> /dev/null; then - echo "tinyproxy is on the PATH, run it" - tinyproxy -c ${PROXY_CONF} - else - /etc/init.d/tinyproxy start - fi - - echo "Tinyproxy startup script complete." - -fi diff --git a/root/etc/tinyproxy/stop.sh b/root/etc/tinyproxy/stop.sh deleted file mode 100755 index 9a504f1510..0000000000 
--- a/root/etc/tinyproxy/stop.sh +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash - -if [[ "${WEBPROXY_ENABLED}" = "true" ]]; then - - /etc/init.d/tinyproxy stop - -fi diff --git a/root/etc/ufw/enable.sh b/root/etc/ufw/enable.sh index 852585bb11..09cee36cda 100755 --- a/root/etc/ufw/enable.sh +++ b/root/etc/ufw/enable.sh @@ -19,8 +19,11 @@ sed -i -e s/IPV6=yes/IPV6=no/ /etc/default/ufw log "Deny all outgoing traffic" ufw default deny outgoing # Block all incoming -log "Deny all incoming traffic" -ufw default deny incoming +# log "Deny all incoming traffic" +# ufw default deny incoming +# Allow all incoming +log "Allow all incoming traffic" +ufw default allow incoming # Allow LOCAL_NETWORK if [[ -n "${LOCAL_NETWORK-}" ]]; then
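Review bot: `ufw default allow incoming` switches the inbound policy from deny to allow on every interface, including tun0, so every listening service in the container (deluged on 58846 and deluge-web on 8112 per the Dockerfile's `EXPOSE`) becomes reachable from the VPN side, which the deny-by-default plus the explicit `LOCAL_NETWORK` allows below were there to prevent. The commit message does not say which inbound traffic was being blocked; if it is the torrent listen port, restore `ufw default deny incoming` and add the one narrow rule that is missing, for example `ufw allow in on tun0 to any port 58946` (tcp and udp), rather than opening everything. The commented-out `log`/`ufw` lines are dead code now; delete them or replace them with a one-line comment explaining why the policy changed. This hunk also interacts with the `ufw allow from ${GW_CIDR}` rule added in root/etc/deluge/start.sh, which becomes a no-op for incoming traffic once the default is allow.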