diff --git a/Dockerfile b/Dockerfile index a17fe39e..d1023afe 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,12 +1,12 @@ FROM alpine:3.8 LABEL maintainer="quentin.mcgaw@gmail.com" \ - description="VPN client to private internet access servers using OpenVPN, Alpine, IPtables firewall and Cloudflare 1.1.1.1 DNS over TLS" \ + description="VPN client to private internet access servers using OpenVPN, Alpine and IPtables firewall" \ download="5.7MB" \ - size="13.5MB" \ - ram="12MB" \ + size="8.94MB" \ + ram="11MB" \ cpu_usage="Low" \ github="https://github.com/qdm12/private-internet-access-docker" -RUN apk add -q --progress --no-cache --update openvpn unbound ca-certificates iptables && \ +RUN apk add -q --progress --no-cache --update openvpn ca-certificates iptables && \ apk add -q --progress --no-cache --update --virtual=build-dependencies unzip && \ mkdir /openvpn-udp-normal /openvpn-udp-strong /openvpn-tcp-normal /openvpn-tcp-strong && \ wget -q https://www.privateinternetaccess.com/openvpn/openvpn.zip \ @@ -18,8 +18,7 @@ RUN apk add -q --progress --no-cache --update openvpn unbound ca-certificates ip unzip -q openvpn-tcp.zip -d /openvpn-tcp-normal && \ unzip -q openvpn-strong-tcp.zip -d /openvpn-tcp-strong && \ apk del -q --progress --purge build-dependencies && \ - rm -rf /*.zip /etc/unbound/unbound.conf /var/cache/apk/* -COPY unbound.conf /etc/unbound/unbound.conf + rm -rf /*.zip /var/cache/apk/* HEALTHCHECK --interval=10m --timeout=10s --start-period=10s --retries=1 \ CMD export OLD_VPN_IP="$NEW_VPN_IP" && \ export NEW_VPN_IP=$(wget -qqO- 'https://duckduckgo.com/?q=what+is+my+ip' | grep -ow 'Your IP address is [0-9.]*[0-9]' | grep -ow '[0-9][0-9.]*') && \ diff --git a/README.md b/README.md index 62d87e5d..baeeafea 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,10 @@ -# Private Internet Access Client (OpenVPN, Alpine and DNS over TLS with Unbound) +# Private Internet Access Client (OpenVPN on Alpine Linux) -Docker VPN client to private internet access servers using [OpenVPN](https://openvpn.net/) and [Cloudflare DNS 1.1.1.1 over TLS](https://developers.cloudflare.com/1.1.1.1/dns-over-tls) +Docker VPN client to private internet access servers using [OpenVPN](https://openvpn.net/) and Iptables on Alpine Linux. Optionally set the protocol (TCP, UDP) and the level of encryption using Docker environment variables. -A killswitch is implemented with a firewall (*iptables*), only allowing traffic with PIA servers on needed ports / protocols. +A killswitch is implemented with the *iptables* firewall, only allowing traffic with PIA servers on needed ports / protocols. [![PIA Docker OpenVPN](https://github.com/qdm12/private-internet-access-docker/raw/master/readme/title.png)](https://hub.docker.com/r/qmcgaw/private-internet-access/) @@ -19,29 +19,30 @@ A killswitch is implemented with a firewall (*iptables*), only allowing traffic [![Docker Stars](https://img.shields.io/docker/stars/qmcgaw/private-internet-access.svg)](https://hub.docker.com/r/qmcgaw/private-internet-access) [![Docker Automated](https://img.shields.io/docker/automated/qmcgaw/private-internet-access.svg)](https://hub.docker.com/r/qmcgaw/private-internet-access) -[![](https://images.microbadger.com/badges/image/qmcgaw/private-internet-access.svg)](https://microbadger.com/images/qmcgaw/private-internet-access) -[![](https://images.microbadger.com/badges/version/qmcgaw/private-internet-access.svg)](https://microbadger.com/images/qmcgaw/private-internet-access) +[![?](https://images.microbadger.com/badges/image/qmcgaw/private-internet-access.svg)](https://microbadger.com/images/qmcgaw/private-internet-access) +[![?](https://images.microbadger.com/badges/version/qmcgaw/private-internet-access.svg)](https://microbadger.com/images/qmcgaw/private-internet-access) | Download size | Image size | RAM usage | CPU usage | | --- | --- | --- | --- | -| 5.6MB | 13.5MB | 12MB | Low | +| 5MB | 8.94MB | 11MB | Low | It is based on: + - [Alpine 3.8](https://alpinelinux.org) -- [OpenVPN 2.4.6-r3](https://pkgs.alpinelinux.org/package/edge/main/ppc64le/openvpn) -- [Unbound 1.7.3-r0](https://pkgs.alpinelinux.org/package/edge/main/aarch64/unbound) -- Ca-Certificates for the healthcheck (through HTTPS) +- [OpenVPN 2.4.6-r3](https://pkgs.alpinelinux.org/package/v3.8/main/x86_64/openvpn) +- [IPtables 1.6.2-r0](https://pkgs.alpinelinux.org/package/v3.8/main/x86_64/iptables) +- CA-Certificates for the healthcheck (through HTTPS) It requires: + - A Private Internet Access **username** and **password** - [Sign up](https://www.privateinternetaccess.com/pages/buy-vpn/) - [Docker](https://docs.docker.com/install/) installed on the host -The PIA *.ovpn* configuration files are downloaded from -[the PIA website](https://www.privateinternetaccess.com/openvpn/openvpn.zip) -when the Docker image is built. You can build the image yourself if you are paranoid. +The PIA *.ovpn* configuration files are downloaded from [the PIA website](https://www.privateinternetaccess.com/openvpn/openvpn.zip) when the Docker image is built. You can build the image yourself if you are paranoid. -Cloudflare **DNS 1.1.1.1 over TLS** is used to connect to any PIA server for multiple reasons: -- Man-in-the-middle (ISP, hacker, government) can't block you from resolving the PIA server domain name. +You might also want to use [my Cloudflare DNS over TLS Docker container](https://hub.docker.com/r/qmcgaw/cloudflare-dns-server/) to connect to any PIA server so that: + +- Man-in-the-middle (ISP, hacker, government) can't block you from resolving the PIA server domain name *For example, `austria.privateinternetaccess.com` maps to `185.216.34.229`* - Man-in-the-middle (ISP, hacker, government) can't see to which server you connect nor when. *As the domain name are sent to 1.1.1.1 over TLS, there is no way to examine what domains you are asking to be resolved* @@ -50,15 +51,15 @@ Cloudflare **DNS 1.1.1.1 over TLS** is used to connect to any PIA server for mul 1. Make sure you have your `/dev/net/tun` device setup on your host with one of the following commands, depending on your OS: - ```bash - insmod /lib/modules/tun.ko - ``` - - Or - - ```bash - sudo modprobe tun - ``` + ```bash + insmod /lib/modules/tun.ko + ``` + + Or + + ```bash + sudo modprobe tun + ``` 1. Create a network to be used by this container and other containers connecting to it with: @@ -76,14 +77,13 @@ Cloudflare **DNS 1.1.1.1 over TLS** is used to connect to any PIA server for mul ```bash docker run -d --name=pia \ - --cap-add=NET_ADMIN --device=/dev/net/tun --network=pianet \ - -v /yourhostpath/auth.conf:/auth.conf:ro \ + --cap-add=NET_ADMIN --device=/dev/net/tun --network=pianet \ + -v /yourhostpath/auth.conf:/auth.conf:ro \ -e REGION=Germany -e PROTOCOL=udp -e ENCRYPTION=normal \ qmcgaw/private-internet-access ``` - Note that you can change `REGION`, `PROTOCOL` and `ENCRYPTION`. - See the [Environment variables section](#environment-variables) + Note that you can change `REGION`, `PROTOCOL` and `ENCRYPTION`, see the [Environment variables section](#environment-variables) for more. 1. Wait about 5 seconds for it to connect to the PIA server. You can check with: ```bash @@ -98,24 +98,22 @@ Cloudflare **DNS 1.1.1.1 over TLS** is used to connect to any PIA server for mul 1. Edit it and change at least `yourpath` 1. Run the container as a daemon in the background with: - ```bash + ```bash docker-compose up -d ``` - Note that you can change `REGION`, `PROTOCOL` and `ENCRYPTION`. - See the [Environment variables section](#environment-variables) + Note that you can change `REGION`, `PROTOCOL` and `ENCRYPTION`, see the [Environment variables section](#environment-variables) for more. 1. Wait about 5 seconds for it to connect to the PIA server. You can check with: ```bash - docker logs pia + docker logs -f pia ``` - + 1. Follow the [**Testing section**](#testing) ## Testing -1. Note that you can simply use the HEALTCHECK provided. The container will stop by itself -if the VPN IP is the same as your initial public IP address. +1. Note that you can simply use the HEALTCHECK provided. The container will stop by itself if the VPN IP is the same as your initial public IP address. Otherwise you can follow these instructions: @@ -131,8 +129,7 @@ Otherwise you can follow these instructions: docker run --rm --network=container:pia byrnedo/alpine-curl -s ifconfig.co ``` - If the displayed IP address appears and is different that your host IP address, - the PIA client works ! + If the displayed IP address appears and is different that your host IP address, the PIA client works ! ## Environment variables @@ -142,39 +139,37 @@ Otherwise you can follow these instructions: | `PROTOCOL` | `tcp` | `tcp` or `udp` | | `ENCRYPTION` | `strong` | `normal` or `strong` | -If you know what you're doing, you can change the container name (`pia`), -the hostname (`piaclient`) and the network name (`pianet`) as well. +If you know what you're doing, you can change the container name (`pia`), the hostname (`piaclient`) and the network name (`pianet`) as well. ## Connect other containers to it -Connect other Docker containers to the PIA VPN connection by adding -`--network=container:pia` when launching them. +Connect other Docker containers to the PIA VPN connection by adding `--network=container:pia` when launching them. --- ## EXTRA: Access ports of containers connected to the VPN container -You have to use another container acting as a Reverse Proxy such as Nginx. +You have to use another container acting as a Reverse Proxy such as Nginx. **Example**: + - We launch a *Deluge* (torrent client) container with name **deluge** connected to the `pia` container with: - ```bash - docker run -d --name=deluge --network=container:pia linuxserver/deluge - ``` + ```bash + docker run -d --name=deluge --network=container:pia linuxserver/deluge + ``` - We launch a *Hydra* container with name **hydra** connected to the `pia` container with: - ```bash - docker run -d --name=hydra --network=container:pia linuxserver/hydra - ``` + ```bash + docker run -d --name=hydra --network=container:pia linuxserver/hydra + ``` - HTTP User interfaces are accessible at port 8112 for Deluge and 5075 for Hydra - 1. Create the Nginx configuration file *nginx.conf*: - ``` + ```txt user nginx; worker_processes 1; error_log /var/log/nginx/error.log warn; @@ -226,4 +221,3 @@ For more containers, add more `--link pia:xxx` and modify *nginx.conf* according - The download and unziping is done at build for the ones not able to download the zip files with their ISPs. - Checksums for PIA openvpn zip files are not used as these files change often - You should use strong encryption for the environment variable `ENCRYPTION` - diff --git a/unbound.conf b/unbound.conf deleted file mode 100644 index 7890a435..00000000 --- a/unbound.conf +++ /dev/null @@ -1,15 +0,0 @@ -server: - verbosity: 0 - use-syslog: no - qname-minimisation: yes - do-tcp: yes - prefetch: yes - rrset-roundrobin: yes - use-caps-for-id: yes - do-ip4: yes - do-ip6: no -forward-zone: - name: "." - forward-addr: 1.1.1.1@853#cloudflare-dns.com - forward-addr: 1.0.0.1@853#cloudflare-dns.com - forward-ssl-upstream: yes \ No newline at end of file