#!/bin/bash
# Container entrypoint for ocserv (OpenConnect VPN server): builds
# /etc/ocserv/ocserv.conf from environment variables (LISTEN_PORT, DOMAIN,
# DNS_SERVERS, SPLIT_DNS_DOMAINS, TUNNEL_MODE, TUNNEL_ROUTES, USER_n/PASS_n,
# AUTH_METHOD), generates a self-signed CA + server certificate when none
# exists, then exec's the command given to the container.
#
# Base directory of the ocserv configuration. The trailing slash is load
# bearing: every path below is built as "${ocserv_dir}<name>".
ocserv_dir=/etc/ocserv/
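#######################################
# Print the line number(s) of every `NAME = value` line in ocserv.conf,
# space-separated on a single line (an empty line when the option is absent).
# Globals:   ocserv_dir (read)
# Arguments: $1 - option name; used unescaped as a grep regex prefix, so it
#            must be a plain option name (no regex metacharacters)
# Outputs:   line numbers on stdout
#######################################
get_config_line(){
  local option=$1
  local matches
  matches=$(grep -ne "^${option} =" -- "${ocserv_dir}ocserv.conf" | grep -Eo '^[^:]+')
  # Word-split the newline-separated numbers and re-join them with single
  # spaces (and no trailing space), which is what `echo $(...)` produced.
  # shellcheck disable=SC2086
  set -- $matches
  printf '%s\n' "$*"
}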
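# Default the container timezone. It must be exported: a plain assignment is
# only visible to this shell when TZ was not already in the environment, so
# the exec'd server would never see the default.
export TZ="${TZ:-Europe/Berlin}"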
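#######################################
# Set (or append) an `option = value` line in ocserv.conf.
# Globals:   ocserv_dir (read)
# Arguments: $1 - option name, $2 - value
# Notes:     Every call first collapses the file to a single `auth` line (only
#            the first one is kept), so a multi-line auth value written by an
#            earlier run does not accumulate across restarts.
#            A literal `\n` in the value is expanded to a newline — by sed in
#            the replace path and by `echo -e` in the append path; the auth
#            setup relies on this to emit a second `auth = ...` line.
#            The value is spliced unescaped into a sed replacement, so `?`,
#            `&` and backslash sequences other than `\n` are not written
#            literally; only pass trusted, fixed-format values.
#######################################
set_config(){
  local option=$1
  local value=$2
  local conf="${ocserv_dir}ocserv.conf"
  local pruned
  # Drop every `auth` line after the first one.
  pruned=$(awk '/^auth/&&c++ {next} 1' "$conf")
  printf '%s\n' "$pruned" > "$conf"
  local option_line
  option_line=$(get_config_line "$option")
  # get_config_line prints all matching line numbers; keep the last one.
  option_line=${option_line##* }
  if [ -n "${option_line}" ]; then
    sed -i "s?^${option} .*?${option} = ${value}?g" "$conf"
  else
    echo -e "${option} = ${value}" >> "$conf"
  fi
}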
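#######################################
# Ensure an iptables rule is present, idempotently (-C check before -A), so a
# re-run in the same network namespace does not stack duplicate rules.
# Arguments: $1 - table name, remaining args - chain and rule specification
# Outputs:   warning on stderr when the rule cannot be applied (e.g. missing
#            NET_ADMIN capability); the caller still proceeds
#######################################
_ensure_iptables_rule() {
  local table=$1
  shift
  if ! iptables -t "$table" -C "$@" 2>/dev/null; then
    iptables -t "$table" -A "$@" \
      || printf '::: WARNING: iptables -t %s -A %s failed; VPN forwarding may not work\n' "$table" "$*" >&2
  fi
}

#######################################
# Set up forwarding rules and replace this shell with the server command.
# Arguments: the command line to exec (normally the ocserv invocation)
#######################################
run_server(){
  # Open ipv4 ip forward
  # sysctl -w net.ipv4.ip_forward=1
  # Enable NAT forwarding. NOTE: no -o/-s restriction, so every forwarded
  # packet leaving the container is masqueraded; narrow this to the egress
  # interface or the VPN subnet if the container shares a network namespace.
  _ensure_iptables_rule nat POSTROUTING -j MASQUERADE
  # Clamp TCP MSS to the path MTU so tunnelled connections do not stall on
  # oversized segments.
  _ensure_iptables_rule filter FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  # Enable TUN device
  # mkdir -p /dev/net
  # mknod /dev/net/tun c 10 200
  # chmod 600 /dev/net/tun
  # Run OpenConnect Server; exec replaces this shell, nothing after it runs.
  exec "$@"
}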
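#######################################
# Print the value of the last `KEY... = value` line in a config file, with
# leading/trailing blanks and a trailing `# comment` removed (empty when the
# key is not present).
# Arguments: $1 - key (matched as a line prefix), $2 - config file
#######################################
_conf_path_value() {
  local key=$1
  local file=$2
  grep -e "^${key}" -- "$file" | tail -n 1 \
    | sed -e 's#.*=\(\)#\1#;s/^[ \t]*//;s/#.*//;s/[ \t]*$//'
}

#######################################
# Ensure a server certificate/key pair exists; when either file is missing,
# generate a self-signed CA and a CA-signed server certificate with certtool.
# Globals:   ocserv_dir (read); CA_CN, CA_ORG, CA_DAYS, DOMAIN, SRV_ORG,
#            SRV_DAYS (read; assigned a default when unset or empty)
# Outputs:   appends `server-cert`/`server-key` to ocserv.conf when the file
#            exists but does not define them; progress/errors on stderr
# Returns:   0 when a certificate and key are in place, 1 if generation failed
#######################################
generate_cert(){
  local conf="${ocserv_dir}ocserv.conf"
  local cert_dir="${ocserv_dir}certs"
  local server_cert_path="${cert_dir}/server-cert.pem"
  local server_key_path="${cert_dir}/server-key.pem"
  local configured
  if [ -f "$conf" ]; then
    # Respect paths already configured; otherwise record the defaults.
    configured=$(_conf_path_value server-cert "$conf")
    if [ -n "$configured" ]; then
      server_cert_path=$configured
    else
      echo "server-cert = $server_cert_path" >> "$conf"
    fi
    configured=$(_conf_path_value server-key "$conf")
    if [ -n "$configured" ]; then
      server_key_path=$configured
    else
      echo "server-key = $server_key_path" >> "$conf"
    fi
  fi
  mkdir -p "$cert_dir" "$(dirname "$server_cert_path")" "$(dirname "$server_key_path")"
  if [ -f "$server_key_path" ] && [ -f "$server_cert_path" ]; then
    return 0
  fi

  # No certificate found, generate one. Defaults are assigned to the globals
  # (not locals) because DOMAIN is reused by the rest of the entrypoint.
  : "${CA_CN:=VPN CA}"
  : "${CA_ORG:=My Organization}"
  : "${CA_DAYS:=9999}"
  : "${DOMAIN:=example.com}"
  : "${SRV_ORG:=My Company}"
  : "${SRV_DAYS:=9999}"

  # Modern clients ignore the CN and require a subjectAltName, so add one
  # matching the type of DOMAIN (IPv4 literal vs. DNS name).
  local ipv4_re='^[0-9]+(\.[0-9]+){3}$'
  local san_line
  if [[ "$DOMAIN" =~ $ipv4_re ]]; then
    san_line="ip_address = \"$DOMAIN\""
  else
    san_line="dns_name = \"$DOMAIN\""
  fi

  # Templates go in a private temp dir instead of fixed names under /tmp.
  local tmpl_dir
  tmpl_dir=$(mktemp -d) || return 1
  cat > "$tmpl_dir/ca.tmpl" <<EOCA
cn = "$CA_CN"
organization = "$CA_ORG"
serial = 1
expiration_days = $CA_DAYS
ca
signing_key
cert_signing_key
crl_signing_key
EOCA
  cat > "$tmpl_dir/server.tmpl" <<EOSRV
cn = "$DOMAIN"
organization = "$SRV_ORG"
expiration_days = $SRV_DAYS
$san_line
signing_key
encryption_key
tls_www_server
EOSRV

  local rc=0
  certtool --generate-privkey --outfile "$cert_dir/ca-key.pem" \
    && certtool --generate-self-signed --load-privkey "$cert_dir/ca-key.pem" \
         --template "$tmpl_dir/ca.tmpl" --outfile "$cert_dir/ca-cert.pem" \
    && certtool --generate-privkey --outfile "$server_key_path" \
    && certtool --generate-certificate --load-privkey "$server_key_path" \
         --load-ca-certificate "$cert_dir/ca-cert.pem" --load-ca-privkey "$cert_dir/ca-key.pem" \
         --template "$tmpl_dir/server.tmpl" --outfile "$server_cert_path" \
    || rc=$?
  rm -rf -- "${tmpl_dir:?}"
  if (( rc != 0 )); then
    echo "::: ERROR: certificate generation failed (certtool exit status $rc)" >&2
    return 1
  fi
  # Private keys (CA and server) must not be readable by other users.
  chmod 600 "$cert_dir/ca-key.pem" "$server_key_path"
  return 0
}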
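#######################################
# Trim leading and trailing blanks (space/tab) from $1 and print the result.
#######################################
_trim() {
  local s=$1
  s=${s#"${s%%[![:blank:]]*}"}
  s=${s%"${s##*[![:blank:]]}"}
  printf '%s' "$s"
}

#######################################
# Copy the shipped default configuration into /etc when any required file is
# missing, and make the connect/disconnect hooks executable.
# Globals:   ocserv_dir (read)
#######################################
load_default_config() {
  if [ ! -e "${ocserv_dir}ocserv.conf" ] || [ ! -e "${ocserv_dir}connect.sh" ] || [ ! -e "${ocserv_dir}disconnect.sh" ]; then
    echo "::: Default config loaded."
    # -n (no-clobber) never overwrites files the user mounted in. The previous
    # -i only worked because stdin was not a tty; with a tty it blocked on the
    # hidden prompt.
    cp -vnpr "/etc/default/ocserv/" "/etc/" &>/dev/null
  fi
  chmod a+x "${ocserv_dir}"*.sh
}

#######################################
# Validate LISTEN_PORT and write tcp-port/udp-port.
# Globals:   LISTEN_PORT (read/written; stays global so an exported value the
#            server inherits is the sanitized one)
#######################################
configure_port() {
  # Keep digits only and drop leading zeros; anything else counts as unset.
  LISTEN_PORT=$(printf '%s' "${LISTEN_PORT}" | sed -e 's/[^0-9]//g;s/^0*//')
  if [ -z "${LISTEN_PORT}" ]; then
    echo "::: LISTEN_PORT not defined, defaulting to '443'"
    LISTEN_PORT=443
  elif (( ${#LISTEN_PORT} > 5 || LISTEN_PORT > 65535 )); then
    # Length check first so an over-long digit string cannot overflow the compare.
    echo "::: Specified port out of range, defaulting to '443'"
    LISTEN_PORT=443
  else
    echo "::: Defined LISTEN_PORT as '${LISTEN_PORT}'"
    echo "::: Make sure you expose the port you selected!"
  fi
  set_config tcp-port "${LISTEN_PORT}"
  set_config udp-port "${LISTEN_PORT}"
}

#######################################
# Default DOMAIN and write default-domain.
# Globals:   DOMAIN (read/written)
#######################################
configure_domain() {
  DOMAIN=$(_trim "${DOMAIN}")
  if [ -z "${DOMAIN}" ]; then
    echo "::: DOMAIN not defined, defaulting to 'example.com'"
    DOMAIN="example.com"
  else
    echo "::: Defined DOMAIN as '${DOMAIN}'"
  fi
  set_config default-domain "${DOMAIN}"
}

#######################################
# Rewrite the split-dns lines from the comma-separated SPLIT_DNS_DOMAINS.
# Globals:   ocserv_dir (read), SPLIT_DNS_DOMAINS (read/written)
#######################################
configure_split_dns() {
  local conf="${ocserv_dir}ocserv.conf"
  SPLIT_DNS_DOMAINS=$(_trim "${SPLIT_DNS_DOMAINS}")
  sed -i '/^split-dns =/d' "$conf"
  if [ -z "${SPLIT_DNS_DOMAINS}" ]; then
    echo "::: SPLIT_DNS_DOMAINS not defined"
    return 0
  fi
  local -a split_domain_list
  local item
  IFS=',' read -ra split_domain_list <<< "${SPLIT_DNS_DOMAINS}"
  for item in "${split_domain_list[@]}"; do
    # Trim before the duplicate check so "a, a" is recognised as a duplicate.
    item=$(_trim "$item")
    [ -n "$item" ] || continue
    # -F -x: literal whole-line match, so "example.com" is not a duplicate of
    # "example.com.au".
    if ! grep -qFx -- "split-dns = ${item}" "$conf"; then
      echo "::: Defined SPLIT_DNS_DOMAIN as '${item}'"
      echo "split-dns = ${item}" >> "$conf"
    fi
  done
}

#######################################
# Rewrite the route lines according to TUNNEL_MODE / TUNNEL_ROUTES.
# Globals:   ocserv_dir (read), TUNNEL_MODE, TUNNEL_ROUTES (read/written)
#######################################
configure_routes() {
  local conf="${ocserv_dir}ocserv.conf"
  TUNNEL_MODE=$(_trim "${TUNNEL_MODE}")
  sed -i '/^route =/d' "$conf"
  case "${TUNNEL_MODE}" in
    all)
      echo "::: TUNNEL_MODE defined as 'all', ignoring TUNNEL_ROUTES. If you want to define specific routes, change TUNNEL_MODE to split-include"
      echo "route = default" >> "$conf"
      ;;
    split-include)
      TUNNEL_ROUTES=$(_trim "${TUNNEL_ROUTES}")
      if [ -n "${TUNNEL_ROUTES}" ]; then
        echo "::: TUNNEL_ROUTES defined as '${TUNNEL_ROUTES}'"
        local -a routes_array
        local route
        # Routes may be separated by commas and/or spaces.
        IFS=', ' read -r -a routes_array <<< "$TUNNEL_ROUTES"
        for route in "${routes_array[@]}"; do
          [ -n "$route" ] || continue
          echo "route = ${route}" >> "$conf"
        done
      else
        echo "::: No TUNNEL_ROUTES defined, but TUNNEL_MODE is defined as split-include, defaulting to 'all'"
        echo "route = default" >> "$conf"
      fi
      ;;
    *)
      echo "::: TUNNEL_MODE not defined, defaulting to 'all'"
      echo "route = default" >> "$conf"
      ;;
  esac
}

#######################################
# Rewrite the dns lines from the comma-separated DNS_SERVERS.
# Globals:   ocserv_dir (read), DNS_SERVERS (read/written)
#######################################
configure_dns() {
  local conf="${ocserv_dir}ocserv.conf"
  DNS_SERVERS=$(_trim "${DNS_SERVERS}")
  if [ -n "${DNS_SERVERS}" ]; then
    echo "::: DNS_SERVERS defined as '${DNS_SERVERS}'"
  else
    echo "::: DNS_SERVERS not defined, defaulting to Cloudflare and Google name servers"
    DNS_SERVERS="1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4"
  fi
  sed -i '/^dns =/d' "$conf"
  local -a dns_servers_list
  local dns_server
  IFS=',' read -ra dns_servers_list <<< "${DNS_SERVERS}"
  for dns_server in "${dns_servers_list[@]}"; do
    # Trim the entry that is actually written (the old code trimmed into an
    # unrelated variable, so "1.1.1.1, 8.8.8.8" produced "dns =  8.8.8.8").
    dns_server=$(_trim "$dns_server")
    [ -n "$dns_server" ] || continue
    echo "dns = ${dns_server}" >> "$conf"
  done
}

#######################################
# Create the ocpasswd entries for USER_1/PASS_1 .. USER_10/PASS_10.
# Globals:   ocserv_dir (read), USER_n / PASS_n (read)
#######################################
add_users() {
  local max_users=10
  local counter user_var pass_var
  for (( counter=1; counter<=max_users; counter++ )); do
    user_var=USER_${counter}
    pass_var=PASS_${counter}
    [[ -n ${!user_var} ]] || continue
    if [[ -z ${!pass_var} ]]; then
      # Never create an account with an empty password.
      echo "::: Skipping user ${!user_var}: ${pass_var} is not set" >&2
      continue
    fi
    echo "::: Adding user ${!user_var}"
    # The password is fed on stdin (here-string), not on argv, so it is not
    # visible in the process list; it is still present in the container env.
    ocpasswd -c "${ocserv_dir}ocpasswd" -g "Route,All" "${!user_var}" <<< "${!pass_var}"
  done
}

#######################################
# Translate AUTH_METHOD (any combination of CERT, TEXT, OTP) into auth lines.
# Globals:   AUTH_METHOD (read/written, upper-cased)
#######################################
configure_auth() {
  AUTH_METHOD=${AUTH_METHOD^^}
  local methods=""
  [[ "${AUTH_METHOD}" == *"CERT"* ]] && methods+="C"
  [[ "${AUTH_METHOD}" == *"TEXT"* ]] && methods+="T"
  [[ "${AUTH_METHOD}" == *"OTP"* ]] && methods+="O"
  # Dispatch on the exact combination. The old if/elif chain tested TEXT+OTP
  # before TEXT+OTP+CERT, so the three-way combination could never be reached.
  case "$methods" in
    CTO)
      echo "::: Auth method set to \"TEXT+OTP+CERTIFICATE\" auth"
      bash /generate_otp.sh
      bash /gen_cert.sh
      set_config "auth" "\"plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/otp]\" \nauth = \"certificate\""
      ;;
    TO)
      echo "::: Auth method set to \"TEXT+OTP\" auth"
      bash /generate_otp.sh
      set_config "auth" "\"plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/otp]\""
      ;;
    CO)
      echo "::: Auth method set to \"OTP+CERTIFICATE\" auth"
      bash /generate_otp.sh
      bash /gen_cert.sh
      set_config "auth" "\"plain[otp=/etc/ocserv/otp]\" \nauth = \"certificate\""
      ;;
    CT)
      echo "::: Auth method set to \"TEXT+CERTIFICATE\" auth"
      bash /gen_cert.sh
      set_config "auth" "\"plain[passwd=/etc/ocserv/ocpasswd]\" \nauth = \"certificate\""
      ;;
    C)
      echo "::: Auth method set to \"CERTIFICATE\" auth"
      bash /gen_cert.sh
      set_config "auth" "\"certificate\""
      ;;
    T)
      echo "::: Auth method set to \"TEXT\" auth"
      set_config "auth" "\"plain[passwd=/etc/ocserv/ocpasswd]\""
      ;;
    O)
      echo "::: Auth method set to \"OTP\" auth"
      bash /generate_otp.sh
      set_config "auth" "\"plain[otp=/etc/ocserv/otp]\""
      ;;
    *)
      # Unset or unrecognised AUTH_METHOD: plain password auth.
      set_config "auth" "\"plain[passwd=/etc/ocserv/ocpasswd]\""
      ;;
  esac
}

#######################################
# Entrypoint: template the configuration from the environment and start the
# server. POWER_MODE=TRUE skips all templating and only ensures a certificate.
# Arguments: the command to exec (passed through from the container CMD)
#######################################
main() {
  if [ "$POWER_MODE" = "TRUE" ]; then
    echo "::: POWER MODE activated"
    generate_cert
    exec "$@"
  fi
  POWER_MODE="FALSE"
  load_default_config
  generate_cert
  configure_port
  configure_domain
  configure_split_dns
  configure_routes
  configure_dns
  add_users
  configure_auth
  run_server "$@"
}
main "$@"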