diff --git a/Dockerfile b/Dockerfile
index d7c0a77e..2d56d58b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -24,6 +24,8 @@ ENV USER= \
 PROTOCOL=udp \
 REGION="CA Montreal" \
 BLOCK_MALICIOUS=off \
+ BLOCK_NSA=off \
+ UNBLOCK= \
 EXTRA_SUBNETS= \
 NONROOT=
 ENTRYPOINT /entrypoint.sh
@@ -45,10 +47,13 @@ RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptab
 wget -q https://raw.githubusercontent.com/qdm12/updated/master/files/root.key.updated -O /etc/unbound/root.key && \
 cd /tmp && \
 wget -q https://raw.githubusercontent.com/qdm12/updated/master/files/malicious-hostnames.updated -O malicious-hostnames && \
+ wget -q https://raw.githubusercontent.com/qdm12/updated/master/files/nsa-hostnames.updated -O nsa-hostnames && \
 wget -q https://raw.githubusercontent.com/qdm12/updated/master/files/malicious-ips.updated -O malicious-ips && \
 while read hostname; do echo "local-zone: \""$hostname"\" static" >> blocks-malicious.conf; done < malicious-hostnames && \
 while read ip; do echo "private-address: $ip" >> blocks-malicious.conf; done < malicious-ips && \
 tar -cjf /etc/unbound/blocks-malicious.bz2 blocks-malicious.conf && \
+ while read hostname; do echo "local-zone: \""$hostname"\" static" >> blocks-nsa.conf; done < nsa-hostnames && \
+ tar -cjf /etc/unbound/blocks-nsa.bz2 blocks-nsa.conf && \
 rm -f /tmp/*
 COPY unbound.conf /etc/unbound/unbound.conf
 COPY entrypoint.sh healthcheck.sh /
@@ -59,4 +64,4 @@ RUN chown nonrootuser -R /etc/unbound && \
 /etc/unbound/root.hints \
 /etc/unbound/root.key \
 /etc/unbound/unbound.conf \
- /etc/unbound/blocks-malicious.bz2
+ /etc/unbound/*.bz2
diff --git a/README.md b/README.md
index 9eb70d58..84f81bc1 100644
--- a/README.md
+++ b/README.md
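Review bot: The added `while read hostname; do echo "local-zone: \""$hostname"\" static" >> blocks-nsa.conf; done < nsa-hostnames` writes every line of the downloaded list into unbound configuration without checking it, so an entry containing a quote or whitespace becomes part of the resolver config instead of being rejected, the unquoted `$hostname` is subject to word-splitting and globbing, and `read` without `-r` mangles backslashes. The list is fetched at build time from a mutable branch with no digest or signature check, so its content should be treated as untrusted data: `while IFS= read -r hostname; do case "$hostname" in ""|*[!A-Za-z0-9._-]*) continue ;; esac; echo "local-zone: \"$hostname\" static" >> blocks-nsa.conf; done < nsa-hostnames && \`. The pre-existing malicious-hostnames loop three lines above has the same shape and would benefit from the same filter. Pinning the download URLs to a commit, or shipping a checksum to verify against, would also make the image build reproducible.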
@@ -30,7 +30,7 @@
 - [OpenVPN 2.4.6-r3](https://pkgs.alpinelinux.org/package/v3.8/main/x86_64/openvpn) to tunnel to PIA servers
 - [IPtables 1.6.2-r0](https://pkgs.alpinelinux.org/package/v3.8/main/x86_64/iptables) enforces the container to communicate only through the VPN or with other containers in its virtual network (acts as a killswitch)
 - [Unbound 1.7.3-r0](https://pkgs.alpinelinux.org/package/v3.8/main/x86_64/unbound) configured with Cloudflare's [1.1.1.1](https://1.1.1.1) DNS over TLS
-- [Files and blocking lists built periodically](https://github.com/qdm12/updated/tree/master/files) used with Unbound (see `BLOCK_MALICIOUS` environment variable)
+- [Files and blocking lists built periodically](https://github.com/qdm12/updated/tree/master/files) used with Unbound (see `BLOCK_MALICIOUS` and `BLOCK_NSA` environment variables)

@@ -136,13 +136,13 @@ You can simply use the Docker healthcheck. The container will mark itself as **u
 | `REGION` | `CA Montreal` | One of the [PIA regions](https://www.privateinternetaccess.com/pages/network/) |
 | `PROTOCOL` | `udp` | `tcp` or `udp` |
 | `ENCRYPTION` | `strong` | `normal` or `strong` |
-| `BLOCK_MALICIOUS` | `off` | `on` or `off` |
 | `USER` | | Your PIA username |
 | `PASSWORD` | | Your PIA password |
 | `NONROOT` | | Run OpenVPN without root, `yes` or other |
 | `EXTRA_SUBNETS` | | Comma separated subnets allowed in the container firewall |
-
-`EXTRA_SUBNETS` can be in example: `192.168.1.0/24,192.168.10.121,10.0.0.5/28`
+| `BLOCK_MALICIOUS` | `off` | `on` or `off`, blocks malicious hostnames and IPs |
+| `BLOCK_NSA` | `off` | `on` or `off`, blocks NSA hostnames |
+| `UNBLOCK` | | comma separated string (i.e. `web.com,web2.ca`) to unblock hostnames |
 ## Connect other containers to it
diff --git a/docker-compose.yml b/docker-compose.yml
index d8c16c37..cf6d02bb 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -16,5 +16,8 @@ services:
 - ENCRYPTION=strong
 - REGION=CA Montreal
 - EXTRA_SUBNETS=
+ - BLOCK_MALICIOUS=off
+ - BLOCK_NSA=off
+ - UNBLOCK=
 restart: always
\ No newline at end of file
diff --git a/entrypoint.sh b/entrypoint.sh
index 484ec266..8f47167b 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -58,6 +58,7 @@ exitIfUnset PASSWORD
 exitIfNotIn ENCRYPTION "normal,strong"
 exitIfNotIn PROTOCOL "tcp,udp"
 exitIfNotIn BLOCK_MALICIOUS "on,off"
+exitIfNotIn BLOCK_NSA "on,off"
 cat "/openvpn/$PROTOCOL-$ENCRYPTION/$REGION.ovpn" &> /dev/null
 exitOnError $? "/openvpn/$PROTOCOL-$ENCRYPTION/$REGION.ovpn is not accessible"
 for SUBNET in ${EXTRA_SUBNETS//,/ }; do
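Review bot: `exitIfNotIn BLOCK_NSA "on,off"` validates the new switch, but `UNBLOCK`, added by the same commit, is never checked here even though the hunk at line 110 later expands it unquoted (`for hostname in ${UNBLOCK//,/ }`) and interpolates each entry unescaped into a sed address (`sed -i "/$hostname/d"`), where `.` already matches any character and a `/` or other metacharacter changes what the sed script does, so one entry can delete more of blocks-malicious.conf than the intended line. Validate the list alongside the other checks, e.g. `for host in ${UNBLOCK//,/ }; do case "$host" in *[!A-Za-z0-9._-]*) exitOnError 1 "UNBLOCK contains an invalid hostname: $host" ;; esac; done` (assuming `exitOnError` exits on a non-zero first argument, as its use two lines below suggests), and in the later loop anchor the deletion to the exact directive, `sed -i "/^local-zone: \"${hostname//./\\.}\" static$/d" /etc/unbound/blocks-malicious.conf`. The `printf "Unblocking hostname $hostname\n"` in that hunk also passes data as the format string; `printf 'Unblocking hostname %s\n' "$hostname"` avoids that.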
@@ -109,6 +110,18 @@ if [ "$BLOCK_MALICIOUS" = "on" ]; then
 else
 echo "" > /etc/unbound/blocks-malicious.conf
 fi
+if [ "$BLOCK_NSA" = "on" ]; then
+ tar -xjf /etc/unbound/blocks-nsa.bz2 -C /etc/unbound/
+ printf "$(cat /etc/unbound/blocks-nsa.conf | grep "local-zone" | wc -l ) NSA hostnames blacklisted\n"
+ cat /etc/unbound/blocks-nsa.conf >> /etc/unbound/blocks-malicious.conf
+ rm /etc/unbound/blocks-nsa.conf
+ sort -u -o /etc/unbound/blocks-malicious.conf /etc/unbound/blocks-malicious.conf
+fi
+for hostname in ${UNBLOCK//,/ }
+do
+ printf "Unblocking hostname $hostname\n"
+ sed -i "/$hostname/d" /etc/unbound/blocks-malicious.conf
+done
 ############################################
 # SETTING DNS OVER TLS TO 1.1.1.1 / 1.0.0.1