FIREWALL_VPN_INPUT_PORTS variable, fixes #196
@@ -82,6 +82,7 @@ ENV VPNSP=pia \
|
|||||||
# Firewall
|
# Firewall
|
||||||
FIREWALL=on \
|
FIREWALL=on \
|
||||||
EXTRA_SUBNETS= \
|
EXTRA_SUBNETS= \
|
||||||
|
FIREWALL_VPN_INPUT_PORTS= \
|
||||||
FIREWALL_DEBUG=off \
|
FIREWALL_DEBUG=off \
|
||||||
# Tinyproxy
|
# Tinyproxy
|
||||||
TINYPROXY=off \
|
TINYPROXY=off \
|
||||||
|
|||||||
@@ -53,7 +53,7 @@ iptables, DNS over TLS, ShadowSocks and Tinyproxy*
|
|||||||
- **Windscribe**: Pick the [region](https://windscribe.com/status), and optionally a custom port to use
|
- **Windscribe**: Pick the [region](https://windscribe.com/status), and optionally a custom port to use
|
||||||
- **Surfshark**: Pick the [region](https://github.com/qdm12/private-internet-access-docker/wiki/Surfshark) or a multi hop region name
|
- **Surfshark**: Pick the [region](https://github.com/qdm12/private-internet-access-docker/wiki/Surfshark) or a multi hop region name
|
||||||
- **Cyberghost**: Pick the [region](https://github.com/qdm12/private-internet-access-docker/wiki/Cyberghost) and server group.
|
- **Cyberghost**: Pick the [region](https://github.com/qdm12/private-internet-access-docker/wiki/Cyberghost) and server group.
|
||||||
- **VyprVPN**: Pick the [region](https://www.vyprvpn.com/server-locations), port forwarding works by default
|
- **VyprVPN**: Pick the [region](https://www.vyprvpn.com/server-locations), port forwarding works by default (see `FIREWALL_VPN_INPUT_PORTS` though)
|
||||||
- **NordVPN**: Pick the region and optionally the server number
|
- **NordVPN**: Pick the region and optionally the server number
|
||||||
|
|
||||||
### Extra niche features
|
### Extra niche features
|
||||||
@@ -240,6 +240,7 @@ That one is important if you want to connect to the container from your LAN for
|
|||||||
| --- | --- | --- | --- |
|
| --- | --- | --- | --- |
|
||||||
| `FIREWALL` | `on` | `on` or `off` | Turn on or off the container built-in firewall. You should use it for **debugging purposes** only. |
|
| `FIREWALL` | `on` | `on` or `off` | Turn on or off the container built-in firewall. You should use it for **debugging purposes** only. |
|
||||||
| `EXTRA_SUBNETS` | | i.e. `192.168.1.0/24,192.168.10.121,10.0.0.5/28` | Comma separated subnets allowed in the container firewall |
|
| `EXTRA_SUBNETS` | | i.e. `192.168.1.0/24,192.168.10.121,10.0.0.5/28` | Comma separated subnets allowed in the container firewall |
|
||||||
|
| `FIREWALL_VPN_INPUT_PORTS` | | i.e. `1000,8080` | Comma separated list of ports to allow from the VPN server side (useful for **vyprvpn** port forwarding) |
|
||||||
| `FIREWALL_DEBUG` | `off` | `on` or `off` | Prints every firewall related command. You should use it for **debugging purposes** only. |
|
| `FIREWALL_DEBUG` | `off` | `on` or `off` | Prints every firewall related command. You should use it for **debugging purposes** only. |
|
||||||
|
|
||||||
### Shadowsocks
|
### Shadowsocks
|
||||||
|
|||||||
@@ -16,6 +16,7 @@ import (
|
|||||||
"github.com/qdm12/golibs/network"
|
"github.com/qdm12/golibs/network"
|
||||||
"github.com/qdm12/private-internet-access-docker/internal/alpine"
|
"github.com/qdm12/private-internet-access-docker/internal/alpine"
|
||||||
"github.com/qdm12/private-internet-access-docker/internal/cli"
|
"github.com/qdm12/private-internet-access-docker/internal/cli"
|
||||||
|
"github.com/qdm12/private-internet-access-docker/internal/constants"
|
||||||
"github.com/qdm12/private-internet-access-docker/internal/dns"
|
"github.com/qdm12/private-internet-access-docker/internal/dns"
|
||||||
"github.com/qdm12/private-internet-access-docker/internal/firewall"
|
"github.com/qdm12/private-internet-access-docker/internal/firewall"
|
||||||
gluetunLogging "github.com/qdm12/private-internet-access-docker/internal/logging"
|
gluetunLogging "github.com/qdm12/private-internet-access-docker/internal/logging"
|
||||||
@@ -137,6 +138,11 @@ func _main(background context.Context, args []string) int {
|
|||||||
err = firewallConf.SetAllowedSubnets(ctx, allSettings.Firewall.AllowedSubnets)
|
err = firewallConf.SetAllowedSubnets(ctx, allSettings.Firewall.AllowedSubnets)
|
||||||
fatalOnError(err)
|
fatalOnError(err)
|
||||||
|
|
||||||
|
for _, vpnPort := range allSettings.Firewall.VPNInputPorts {
|
||||||
|
err = firewallConf.SetAllowedPort(ctx, vpnPort, string(constants.TUN))
|
||||||
|
fatalOnError(err)
|
||||||
|
}
|
||||||
|
|
||||||
openvpnLooper := openvpn.NewLooper(allSettings.VPNSP, allSettings.OpenVPN, uid, gid,
|
openvpnLooper := openvpn.NewLooper(allSettings.VPNSP, allSettings.OpenVPN, uid, gid,
|
||||||
ovpnConf, firewallConf, logger, client, fileManager, streamMerger, fatalOnError)
|
ovpnConf, firewallConf, logger, client, fileManager, streamMerger, fatalOnError)
|
||||||
restartOpenvpn := openvpnLooper.Restart
|
restartOpenvpn := openvpnLooper.Restart
|
||||||
|
|||||||
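Review bot: The new loop opens every port in `allSettings.Firewall.VPNInputPorts` on the tunnel interface with no comment on what that exposes: anything listening on those ports inside this container, or in any container sharing its network namespace, becomes reachable from the internet through the provider's forwarded port, not merely from the VPN server. `SetAllowedPort` is called with only a port and `string(constants.TUN)`, so from this hunk it is not visible whether TCP, UDP or both are allowed, and the README table added in this commit does not say either; a one-line comment would help, e.g. `// Inbound ports reached via the provider's port forwarding (FIREWALL_VPN_INPUT_PORTS); whatever listens on them in this network namespace is exposed to the internet.` The loop also runs unconditionally like `SetAllowedSubnets` above it, so presumably `firewallConf` honours `FIREWALL=off` internally — worth confirming. `_main` starts and ends outside the hunk.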
@@ -3,6 +3,7 @@ package params
|
|||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"net"
|
"net"
|
||||||
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
libparams "github.com/qdm12/golibs/params"
|
libparams "github.com/qdm12/golibs/params"
|
||||||
@@ -35,6 +36,30 @@ func (r *reader) GetExtraSubnets() (extraSubnets []net.IPNet, err error) {
|
|||||||
return extraSubnets, nil
|
return extraSubnets, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// GetAllowedVPNInputPorts obtains a list of input ports to allow from the
|
||||||
|
// VPN server side in the firewall, from the environment variable FIREWALL_VPN_INPUT_PORTS
|
||||||
|
func (r *reader) GetVPNInputPorts() (ports []uint16, err error) {
|
||||||
|
s, err := r.envParams.GetEnv("FIREWALL_VPN_INPUT_PORTS", libparams.Default(""))
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if len(s) == 0 {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
|
portsStr := strings.Split(s, ",")
|
||||||
|
ports = make([]uint16, len(portsStr))
|
||||||
|
for i := range portsStr {
|
||||||
|
portInt, err := strconv.Atoi(portsStr[i])
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("VPN input port %q is not valid (%s)", portInt, err)
|
||||||
|
} else if portInt <= 0 || portInt > 65535 {
|
||||||
|
return nil, fmt.Errorf("VPN input port %d must be between 1 and 65535", portInt)
|
||||||
|
}
|
||||||
|
ports[i] = uint16(portInt)
|
||||||
|
}
|
||||||
|
return ports, nil
|
||||||
|
}
|
||||||
|
|
||||||
// GetFirewallDebug obtains if the firewall should run in debug verbose mode from the environment variable FIREWALL_DEBUG
|
// GetFirewallDebug obtains if the firewall should run in debug verbose mode from the environment variable FIREWALL_DEBUG
|
||||||
func (r *reader) GetFirewallDebug() (debug bool, err error) {
|
func (r *reader) GetFirewallDebug() (debug bool, err error) {
|
||||||
return r.envParams.GetOnOff("FIREWALL_DEBUG", libparams.Default("off"))
|
return r.envParams.GetOnOff("FIREWALL_DEBUG", libparams.Default("off"))
|
||||||
|
|||||||
@@ -42,6 +42,7 @@ type Reader interface {
|
|||||||
// Firewall getters
|
// Firewall getters
|
||||||
GetFirewall() (enabled bool, err error)
|
GetFirewall() (enabled bool, err error)
|
||||||
GetExtraSubnets() (extraSubnets []net.IPNet, err error)
|
GetExtraSubnets() (extraSubnets []net.IPNet, err error)
|
||||||
|
GetVPNInputPorts() (ports []uint16, err error)
|
||||||
GetFirewallDebug() (debug bool, err error)
|
GetFirewallDebug() (debug bool, err error)
|
||||||
|
|
||||||
// VPN getters
|
// VPN getters
|
||||||
|
|||||||
@@ -1,6 +1,7 @@
|
|||||||
package settings
|
package settings
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"fmt"
|
||||||
"net"
|
"net"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
@@ -10,6 +11,7 @@ import (
|
|||||||
// Firewall contains settings to customize the firewall operation
|
// Firewall contains settings to customize the firewall operation
|
||||||
type Firewall struct {
|
type Firewall struct {
|
||||||
AllowedSubnets []net.IPNet
|
AllowedSubnets []net.IPNet
|
||||||
|
VPNInputPorts []uint16
|
||||||
Enabled bool
|
Enabled bool
|
||||||
Debug bool
|
Debug bool
|
||||||
}
|
}
|
||||||
@@ -22,9 +24,15 @@ func (f *Firewall) String() string {
|
|||||||
if !f.Enabled {
|
if !f.Enabled {
|
||||||
return "Firewall settings: disabled"
|
return "Firewall settings: disabled"
|
||||||
}
|
}
|
||||||
|
vpnInputPorts := make([]string, len(f.VPNInputPorts))
|
||||||
|
for i, port := range f.VPNInputPorts {
|
||||||
|
vpnInputPorts[i] = fmt.Sprintf("%d", port)
|
||||||
|
}
|
||||||
|
|
||||||
settingsList := []string{
|
settingsList := []string{
|
||||||
"Firewall settings:",
|
"Firewall settings:",
|
||||||
"Allowed subnets: " + strings.Join(allowedSubnets, ", "),
|
"Allowed subnets: " + strings.Join(allowedSubnets, ", "),
|
||||||
|
"VPN input ports: " + strings.Join(vpnInputPorts, ", "),
|
||||||
}
|
}
|
||||||
if f.Debug {
|
if f.Debug {
|
||||||
settingsList = append(settingsList, "Debug: on")
|
settingsList = append(settingsList, "Debug: on")
|
||||||
@@ -38,6 +46,10 @@ func GetFirewallSettings(paramsReader params.Reader) (settings Firewall, err err
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return settings, err
|
return settings, err
|
||||||
}
|
}
|
||||||
|
settings.VPNInputPorts, err = paramsReader.GetVPNInputPorts()
|
||||||
|
if err != nil {
|
||||||
|
return settings, err
|
||||||
|
}
|
||||||
settings.Enabled, err = paramsReader.GetFirewall()
|
settings.Enabled, err = paramsReader.GetFirewall()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return settings, err
|
return settings, err
|
||||||
|
|||||||
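Review bot: In `String`, `vpnInputPorts[i] = fmt.Sprintf("%d", port)` is the only reason for the newly imported `fmt`; `strconv.Itoa(int(port))` (or `strconv.FormatUint(uint64(port), 10)`) performs the same conversion without reflection, so swapping the `fmt` import for `strconv` would be the more idiomatic choice — a style point only. `String` begins outside the hunk, where `allowedSubnets` is built; whichever conversion that loop uses is the one to match here for consistency. `GetFirewallSettings` in the last hunk also continues outside the shown lines.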