Dockerfile

FROM alpine:3.8
LABEL maintainer="quentin.mcgaw@gmail.com" \
      description="VPN client to private internet access servers using OpenVPN, IPtables firewall, DNS over TLS with Unbound and Alpine Linux" \
      download="6.6MB" \
      size="15.7MB" \
      ram="13MB" \
      cpu_usage="Low" \
      github="https://github.com/qdm12/private-internet-access-docker"
ENV ENCRYPTION=strong \
    PROTOCOL=tcp \
    REGION="CA Montreal" \
    BLOCK_MALICIOUS=off
HEALTHCHECK --interval=5m --timeout=15s --start-period=10s --retries=2 \
            CMD if [[ "$(wget -qqO- 'https://duckduckgo.com/?q=what+is+my+ip' | grep -ow 'Your IP address is [0-9.]*[0-9]' | grep -ow '[0-9][0-9.]*')" == "$INITIAL_IP" ]]; then echo "IP address is the same as the non VPN IP address"; exit 1; fi
COPY --from=qmcgaw/dns-trustanchor /named.root /etc/unbound/root.hints
COPY --from=qmcgaw/dns-trustanchor /root.key /etc/unbound/root.key
RUN echo https://dl-3.alpinelinux.org/alpine/v3.8/main > /etc/apk/repositories && \
    apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound && \
    apk add -q --progress --no-cache --update --virtual=build-dependencies unzip && \
    mkdir /openvpn-udp-normal /openvpn-udp-strong /openvpn-tcp-normal /openvpn-tcp-strong && \
    wget -q https://www.privateinternetaccess.com/openvpn/openvpn.zip \
            https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip \
            https://www.privateinternetaccess.com/openvpn/openvpn-tcp.zip \
            https://www.privateinternetaccess.com/openvpn/openvpn-strong-tcp.zip && \
    unzip -q openvpn.zip -d /openvpn-udp-normal && \
    unzip -q openvpn-strong.zip -d /openvpn-udp-strong && \
    unzip -q openvpn-tcp.zip -d /openvpn-tcp-normal && \
    unzip -q openvpn-strong-tcp.zip -d /openvpn-tcp-strong && \
    apk del -q --progress --purge build-dependencies && \
    rm -rf /*.zip /var/cache/apk/* /etc/unbound/unbound.conf && \
    chown unbound /etc/unbound/root.key && \
    adduser -S nonrootuser
COPY unbound.conf /etc/unbound/unbound.conf
COPY --from=qmcgaw/malicious-hostnames /malicious-hostnames.bz2 /etc/unbound/malicious-hostnames.bz2
COPY --from=qmcgaw/malicious-ips /malicious-ips.bz2 /etc/unbound/malicious-ips.bz2
COPY entrypoint.sh /entrypoint.sh
RUN chmod 700 /entrypoint.sh
ENTRYPOINT /entrypoint.sh
Update to Alpine 3.8 2018-09-08 16:04:05 +02:00			`FROM alpine:3.8`
Updated repo 2018-03-31 20:33:45 -04:00			`LABEL maintainer="quentin.mcgaw@gmail.com" \`
Restarts on fail; DNS over TLS only when connected to VPN; readme update 2018-09-21 16:39:08 +02:00			`description="VPN client to private internet access servers using OpenVPN, IPtables firewall, DNS over TLS with Unbound and Alpine Linux" \`
Moved DNS over TLS at start as DNS is required in firewall anyway 2018-09-28 19:51:30 +02:00			`download="6.6MB" \`
Restarts on fail; DNS over TLS only when connected to VPN; readme update 2018-09-21 16:39:08 +02:00			`size="15.7MB" \`
			`ram="13MB" \`
Finished dockerfile and updating RAM usage 2018-04-16 14:50:24 -04:00			`cpu_usage="Low" \`
Updated repo 2018-03-31 20:33:45 -04:00			`github="https://github.com/qdm12/private-internet-access-docker"`
Re-added Unbound DNS over TLS It turns out you can't use a local DNS server once connected with the VPN, so running the DNS over TLS in the PIA container is the best. 2018-09-21 11:28:23 +02:00			`ENV ENCRYPTION=strong \`
			`PROTOCOL=tcp \`
Big refactoring (more secured, more modular) - Region change to "CA Montreal" - Using external data images for malicious hostnames - Added malicious IP addresses blocking with Unbound - Unbound has DNS rebinding protection 2018-10-28 14:08:14 +01:00			`REGION="CA Montreal" \`
Multiple additions and fixes #5 - Multi stage build - Download and checks Unbound Root anchors - Download and build malicious hostnames block list for Unbound - Healthcheck only based on the current IP being different from the initial IP - IPv6 related completely removed - Multiple checks at launch with $? - Launch openvpn as root (can't change user) - Unbound configured with DNS SEC for DNS over TLS 2018-10-04 22:24:43 +02:00			`BLOCK_MALICIOUS=off`
Big refactoring (more secured, more modular) - Region change to "CA Montreal" - Using external data images for malicious hostnames - Added malicious IP addresses blocking with Unbound - Unbound has DNS rebinding protection 2018-10-28 14:08:14 +01:00			`HEALTHCHECK --interval=5m --timeout=15s --start-period=10s --retries=2 \`
			`CMD if [[ "$(wget -qqO- 'https://duckduckgo.com/?q=what+is+my+ip' \| grep -ow 'Your IP address is [0-9.][0-9]' \| grep -ow '[0-9][0-9.]')" == "$INITIAL_IP" ]]; then echo "IP address is the same as the non VPN IP address"; exit 1; fi`
			`COPY --from=qmcgaw/dns-trustanchor /named.root /etc/unbound/root.hints`
			`COPY --from=qmcgaw/dns-trustanchor /root.key /etc/unbound/root.key`
			`RUN echo https://dl-3.alpinelinux.org/alpine/v3.8/main > /etc/apk/repositories && \`
			`apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound && \`
Added healthcheck 2018-04-15 14:52:27 -04:00			`apk add -q --progress --no-cache --update --virtual=build-dependencies unzip && \`
Added choice of UDP/TCP and level of encryption. Reworked readme and Dockerfile 2018-04-15 14:15:58 -04:00			`mkdir /openvpn-udp-normal /openvpn-udp-strong /openvpn-tcp-normal /openvpn-tcp-strong && \`
			`wget -q https://www.privateinternetaccess.com/openvpn/openvpn.zip \`
			`https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip \`
			`https://www.privateinternetaccess.com/openvpn/openvpn-tcp.zip \`
			`https://www.privateinternetaccess.com/openvpn/openvpn-strong-tcp.zip && \`
			`unzip -q openvpn.zip -d /openvpn-udp-normal && \`
			`unzip -q openvpn-strong.zip -d /openvpn-udp-strong && \`
			`unzip -q openvpn-tcp.zip -d /openvpn-tcp-normal && \`
			`unzip -q openvpn-strong-tcp.zip -d /openvpn-tcp-strong && \`
Updated repo 2018-03-31 20:33:45 -04:00			`apk del -q --progress --purge build-dependencies && \`
Runs openvpn as non-root user 2018-09-21 11:39:00 +02:00			`rm -rf /.zip /var/cache/apk/ /etc/unbound/unbound.conf && \`
Openvpn runs as non root user and tries all IP addresses 2018-10-05 12:43:16 +02:00			`chown unbound /etc/unbound/root.key && \`
			`adduser -S nonrootuser`
Re-added Unbound DNS over TLS It turns out you can't use a local DNS server once connected with the VPN, so running the DNS over TLS in the PIA container is the best. 2018-09-21 11:28:23 +02:00			`COPY unbound.conf /etc/unbound/unbound.conf`
Big refactoring (more secured, more modular) - Region change to "CA Montreal" - Using external data images for malicious hostnames - Added malicious IP addresses blocking with Unbound - Unbound has DNS rebinding protection 2018-10-28 14:08:14 +01:00			`COPY --from=qmcgaw/malicious-hostnames /malicious-hostnames.bz2 /etc/unbound/malicious-hostnames.bz2`
			`COPY --from=qmcgaw/malicious-ips /malicious-ips.bz2 /etc/unbound/malicious-ips.bz2`
			`COPY entrypoint.sh /entrypoint.sh`
			`RUN chmod 700 /entrypoint.sh`
Multiple additions and fixes #5 - Multi stage build - Download and checks Unbound Root anchors - Download and build malicious hostnames block list for Unbound - Healthcheck only based on the current IP being different from the initial IP - IPv6 related completely removed - Multiple checks at launch with $? - Launch openvpn as root (can't change user) - Unbound configured with DNS SEC for DNS over TLS 2018-10-04 22:24:43 +02:00			`ENTRYPOINT /entrypoint.sh`