Runs OpenVPN as root by default, fixes #19
This commit is contained in:
Quentin McGaw
@@ -13,7 +13,7 @@ LABEL org.label-schema.schema-version="1.0.0-rc1" \
|
||||
org.label-schema.vcs-usage="https://github.com/qdm12/private-internet-access-docker/blob/master/README.md#setup" \
|
||||
org.label-schema.docker.cmd="docker run -d --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
|
||||
org.label-schema.docker.cmd.devel="docker run -it --rm --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
|
||||
org.label-schema.docker.params="REGION=PIA region,PROTOCOL=udp/tcp,ENCRYPTION=strong/normal,BLOCK_MALICIOUS=on/off,USER=PIA user,PASSWORD=PIA password,EXTRA_SUBNETS=extra subnets to allow on the firewall" \
|
||||
org.label-schema.docker.params="REGION=PIA region,PROTOCOL=udp/tcp,ENCRYPTION=strong/normal,BLOCK_MALICIOUS=on/off,USER=PIA user,PASSWORD=PIA password,EXTRA_SUBNETS=extra subnets to allow on the firewall,NONROOT=yes/no" \
|
||||
org.label-schema.version="" \
|
||||
image-size="17.1MB" \
|
||||
ram-usage="13MB to 80MB" \
|
||||
@@ -24,7 +24,8 @@ ENV USER= \
|
||||
PROTOCOL=udp \
|
||||
REGION="CA Montreal" \
|
||||
BLOCK_MALICIOUS=off \
|
||||
EXTRA_SUBNETS=
|
||||
EXTRA_SUBNETS= \
|
||||
NONROOT=
|
||||
ENTRYPOINT /entrypoint.sh
|
||||
HEALTHCHECK --interval=3m --timeout=3s --start-period=20s --retries=1 CMD /healthcheck.sh
|
||||
RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip && \
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
ARG ALPINE_VERSION=3.8
|
||||
ARG ALPINE_VERSION=3.9
|
||||
|
||||
FROM arm32v6/alpine:${ALPINE_VERSION}
|
||||
ARG BUILD_DATE
|
||||
@@ -13,7 +13,7 @@ LABEL org.label-schema.schema-version="1.0.0-rc1" \
|
||||
org.label-schema.vcs-usage="https://github.com/qdm12/private-internet-access-docker/blob/master/README.md#setup" \
|
||||
org.label-schema.docker.cmd="docker run -d --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
|
||||
org.label-schema.docker.cmd.devel="docker run -it --rm --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
|
||||
org.label-schema.docker.params="REGION=PIA region,PROTOCOL=udp/tcp,ENCRYPTION=strong/normal,BLOCK_MALICIOUS=on/off,USER=PIA user,PASSWORD=PIA password,EXTRA_SUBNETS=extra subnets to allow on the firewall" \
|
||||
org.label-schema.docker.params="REGION=PIA region,PROTOCOL=udp/tcp,ENCRYPTION=strong/normal,BLOCK_MALICIOUS=on/off,USER=PIA user,PASSWORD=PIA password,EXTRA_SUBNETS=extra subnets to allow on the firewall,NONROOT=yes/no" \
|
||||
org.label-schema.version="" \
|
||||
image-size="15.6MB" \
|
||||
ram-usage="13MB to 80MB" \
|
||||
@@ -24,7 +24,8 @@ ENV USER= \
|
||||
PROTOCOL=udp \
|
||||
REGION="CA Montreal" \
|
||||
BLOCK_MALICIOUS=off \
|
||||
EXTRA_SUBNETS=
|
||||
EXTRA_SUBNETS= \
|
||||
NONROOT=
|
||||
ENTRYPOINT /entrypoint.sh
|
||||
HEALTHCHECK --interval=3m --timeout=3s --start-period=20s --retries=1 CMD /healthcheck.sh
|
||||
RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip && \
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
ARG ALPINE_VERSION=3.8
|
||||
ARG ALPINE_VERSION=3.9
|
||||
|
||||
FROM arm64v8/alpine:${ALPINE_VERSION}
|
||||
ARG BUILD_DATE
|
||||
@@ -13,7 +13,7 @@ LABEL org.label-schema.schema-version="1.0.0-rc1" \
|
||||
org.label-schema.vcs-usage="https://github.com/qdm12/private-internet-access-docker/blob/master/README.md#setup" \
|
||||
org.label-schema.docker.cmd="docker run -d --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
|
||||
org.label-schema.docker.cmd.devel="docker run -it --rm --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
|
||||
org.label-schema.docker.params="REGION=PIA region,PROTOCOL=udp/tcp,ENCRYPTION=strong/normal,BLOCK_MALICIOUS=on/off,USER=PIA user,PASSWORD=PIA password,EXTRA_SUBNETS=extra subnets to allow on the firewall" \
|
||||
org.label-schema.docker.params="REGION=PIA region,PROTOCOL=udp/tcp,ENCRYPTION=strong/normal,BLOCK_MALICIOUS=on/off,USER=PIA user,PASSWORD=PIA password,EXTRA_SUBNETS=extra subnets to allow on the firewall,NONROOT=yes/no" \
|
||||
org.label-schema.version="" \
|
||||
image-size="16.7MB" \
|
||||
ram-usage="13MB to 80MB" \
|
||||
@@ -24,7 +24,8 @@ ENV USER= \
|
||||
PROTOCOL=udp \
|
||||
REGION="CA Montreal" \
|
||||
BLOCK_MALICIOUS=off \
|
||||
EXTRA_SUBNETS=
|
||||
EXTRA_SUBNETS= \
|
||||
NONROOT=
|
||||
ENTRYPOINT /entrypoint.sh
|
||||
HEALTHCHECK --interval=3m --timeout=3s --start-period=20s --retries=1 CMD /healthcheck.sh
|
||||
RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip && \
|
||||
|
||||
@@ -52,6 +52,7 @@
|
||||
- Username and password
|
||||
- Malicious DNS blocking
|
||||
- Extra subnets allowed by firewall
|
||||
- Run openvpn without root (but will give reconnect problems)
|
||||
- Connect other containers to it
|
||||
- The *iptables* firewall allows traffic only with needed PIA servers (IP addresses, port, protocol) combination
|
||||
- OpenVPN restarts on failure using another PIA IP address for the same region
|
||||
@@ -136,6 +137,7 @@ You can simply use the Docker healthcheck. The container will mark itself as **u
|
||||
| `BLOCK_MALICIOUS` | `off` | `on` or `off` |
|
||||
| `USER` | | Your PIA username |
|
||||
| `PASSWORD` | | Your PIA password |
|
||||
| `NONROOT` | | Run OpenVPN without root, `yes` or other |
|
||||
| `EXTRA_SUBNETS` | | Comma separated subnets allowed in the container firewall |
|
||||
|
||||
`EXTRA_SUBNETS` can be in example: `192.168.1.0/24,192.168.10.121,10.0.0.5/28`
|
||||
@@ -220,6 +222,7 @@ services:
|
||||
- ENCRYPTION=strong
|
||||
- REGION=CA Montreal
|
||||
- EXTRA_SUBNETS=
|
||||
- NONROOT=
|
||||
restart: always
|
||||
nginx:
|
||||
image: nginx:alpine
|
||||
|
||||
@@ -179,9 +179,11 @@ exitOnError $? "Cannot add 'auth-retry nointeract' to $TARGET_PATH/config.ovpn"
|
||||
# Prevents auth_failed infinite loops - make it interact? Remove persist-tun? nobind?
|
||||
echo "pull-filter ignore \"auth-token\"" >> "$TARGET_PATH/config.ovpn"
|
||||
exitOnError $? "Cannot add 'pull-filter ignore \"auth-token\"' to $TARGET_PATH/config.ovpn"
|
||||
# Runs openvpn without root, as nonrootuser
|
||||
echo "user nonrootuser" >> "$TARGET_PATH/config.ovpn"
|
||||
exitOnError $? "Cannot add 'user nonrootuser' to $TARGET_PATH/config.ovpn"
|
||||
# Runs openvpn without root, as nonrootuser if specified
|
||||
if [ "$NONROOT" = "yes" ]; then
|
||||
echo "user nonrootuser" >> "$TARGET_PATH/config.ovpn"
|
||||
exitOnError $? "Cannot add 'user nonrootuser' to $TARGET_PATH/config.ovpn"
|
||||
fi
|
||||
# Note: TUN device re-opening will restart the container due to permissions
|
||||
printf "DONE\n"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user