├── Dockerfile
├── README.md
├── bin
├── get_vpn_client_conf.sh
├── prepare-ssh.sh
├── prepare-vpn.sh
└── run.sh
└── etc
└── supervisord.conf
/Dockerfile:
--------------------------------------------------------------------------------
# Image for a small OpenVPN + SSH "jump" container: sshd (on 2222) is used to
# fetch the generated client profile, openvpn (on 1194) carries the tunnel.
# Both daemons are supervised by /etc/supervisor/conf.d/supervisord.conf.
1 | FROM ubuntu:14.04
# ubuntu:14.04 is past its standard support window, so the apt layer below
# receives no further security updates from the distribution.
2 |
3 | MAINTAINER Manel Martinez
4 |
5 | RUN apt-get update && \
6 | apt-get install -y openssh-server pwgen openvpn easy-rsa iptables rsync ipcalc dnsutils supervisor
7 |
8 | RUN mkdir -p /var/run/sshd /var/log/supervisor
# sshd is rewritten in place: listen on 2222 and accept password logins for
# root. The password itself is set at container start by bin/prepare-ssh.sh
# from VPN_PASSWORD, so this image exposes password-based root SSH on the
# port published below.
9 | RUN perl -p -i -e "s/^Port .*/Port 2222/g" /etc/ssh/sshd_config
10 | RUN perl -p -i -e "s/#?PasswordAuthentication .*/PasswordAuthentication yes/g" /etc/ssh/sshd_config
11 | RUN perl -p -i -e "s/#?PermitRootLogin .*/PermitRootLogin yes/g" /etc/ssh/sshd_config
# Append a keepalive only when no line mentions ClientAliveInterval at all
# (a commented-out directive also counts as present for this grep).
12 | RUN grep ClientAliveInterval /etc/ssh/sshd_config >/dev/null 2>&1 || echo "ClientAliveInterval 60" >> /etc/ssh/sshd_config
13 |
14 | ENV VPN_PATH /etc/openvpn
# **ChangeMe** is a sentinel: bin/run.sh replaces it with a pwgen-generated
# password at start-up; any other value is used as the root password as-is.
15 | ENV VPN_PASSWORD **ChangeMe**
# Not referenced by any script shown in this listing; presumably consumed by
# the server.conf heredoc in bin/prepare-vpn.sh, whose body is not visible
# here — confirm against the full file.
16 | ENV ROUTED_NETWORK_CIDR 10.42.0.0
17 | ENV ROUTED_NETWORK_MASK 255.255.0.0
# DEBUG=1 turns on `set -x` in the bin/ scripts; see the note in
# prepare-ssh.sh about what that traces.
18 | ENV DEBUG 0
19 |
# The PKI (easy-rsa/keys) and the generated configs live on this volume, so
# they survive container restarts and are only generated once.
20 | VOLUME ["/etc/openvpn"]
21 |
22 | EXPOSE 2222
23 | EXPOSE 1194
24 |
25 | WORKDIR /etc/openvpn
26 |
27 | RUN mkdir -p /usr/local/bin
28 | ADD ./bin /usr/local/bin
29 | RUN chmod +x /usr/local/bin/*.sh
30 | ADD ./etc/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
31 |
32 | CMD ["/usr/local/bin/run.sh"]
33 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # rancher-vpn
2 |
--------------------------------------------------------------------------------
/bin/get_vpn_client_conf.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
# Usage: get_vpn_client_conf.sh HOST:PORT[,HOST:PORT...]
# Writes an OpenVPN client profile to $VPN_PATH/RancherVPNClient.ovpn and
# prints it to stdout. The profile embeds the CA cert, the shared client
# cert/key and the TLS-auth key generated by prepare-vpn.sh, so its output is
# secret material and should be handled as such by whoever captures it.
2 |
3 | set -e
4 |
# Hard-coded here rather than taken from the VPN_PATH environment variable the
# Dockerfile sets; the two agree on /etc/openvpn.
5 | VPN_PATH=/etc/openvpn
6 |
7 | # Extract remote nodes
8 | VPN_SERVERS="$1"
# Reject the sentinel value and an empty argument. Note the second test is
# unquoted: with an empty value it degenerates to `[ -z ]` (true, so the
# check still works by accident), and a value containing whitespace would
# make `[` fail with too many arguments; `[ -z "${VPN_SERVERS}" ]` is the
# intended form.
9 | if [ "${VPN_SERVERS}" == "**ChangeMe**" ] || [ -z ${VPN_SERVERS} ]; then
10 | echo "ERROR: You did not specify VPN Servers to 
connect to, please enter VPN Servers as an argument."
11 | echo "You may specify more than one server separated by a comma, for example: $0 X.X.X.X:1194,Y.Y.Y.Y:1194"
12 | echo "Exiting..."
13 | exit 1
14 | fi
# Turn "host:port,host:port" into one "remote host port" line per server.
# The "\n" in the third sed replacement is a GNU sed extension (a strict
# POSIX sed would insert a literal "n"); fine on this Ubuntu image. The
# echo argument is unquoted, so a value containing globs or whitespace would
# be word-split before it reaches sed.
15 | OVPN_SERVERS=`echo ${VPN_SERVERS} | sed "s/^/remote /g" | sed "s/,$//g" | sed "s/,/\nremote /g" | sed "s/:/ /g"`
16 |
# Read the PKI material that prepare-vpn.sh generated on first start. Under
# `set -e` a missing file aborts the script here rather than producing a
# half-empty profile. RancherVPNClient.key is the single client private key
# shared by every profile this script hands out.
17 | # Extract ca.crt
18 | CA_CRT=`cat $VPN_PATH/easy-rsa/keys/ca.crt`
19 | CLIENT_CRT=`cat $VPN_PATH/easy-rsa/keys/RancherVPNClient.crt`
20 | CLIENT_KEY=`cat $VPN_PATH/easy-rsa/keys/RancherVPNClient.key`
21 | TA_KEY=`cat $VPN_PATH/easy-rsa/keys/ta.key`
22 |
# NOTE(review): the heredoc body (listing lines 24-44) and the markers around
# each embedded variable are missing from this rendering, presumably stripped
# as markup; the blank lines around $CA_CRT/$CLIENT_CRT/$CLIENT_KEY/$TA_KEY
# suggest inline <ca>/<cert>/<key>/<tls-auth> blocks. Confirm against the
# real file before relying on this listing.
23 | cat > $VPN_PATH/RancherVPNClient.ovpn <
45 | $CA_CRT
46 |
47 |
48 |
49 | $CLIENT_CRT
50 |
51 |
52 |
53 | $CLIENT_KEY
54 |
55 |
56 |
57 | $TA_KEY
58 |
59 | EOF
60 |
# The profile is created with the default umask on line 23 and only
# tightened to 0600 here, after the private key is already on disk.
61 | chmod 600 $VPN_PATH/RancherVPNClient.ovpn
# Print the finished profile (including the private key) to stdout; run.sh's
# instructions capture this over ssh into a local file.
62 | cat $VPN_PATH/RancherVPNClient.ovpn
63 |
--------------------------------------------------------------------------------
/bin/prepare-ssh.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
# Sets the root password from VPN_PASSWORD; run.sh calls this before starting
# sshd via supervisord.
2 |
# With DEBUG=1 the shell traces every command, so the chpasswd pipeline below
# is echoed to stderr with the root password expanded in clear text.
3 | [ "$DEBUG" == "1" ] && set -x
4 |
5 | set -e
6 |
# Password is passed on chpasswd's stdin rather than argv, so it does not
# appear in `ps`. Combined with the sshd settings from the Dockerfile, this
# value is the credential for root@<container>:2222.
7 | echo "root:${VPN_PASSWORD}" | chpasswd
8 |
--------------------------------------------------------------------------------
/bin/prepare-vpn.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
# Generates the PKI on first start, writes server.conf and sets up NAT for the
# tunnel subnet. Expects VPN_PATH from the environment (set in the Dockerfile).
2 |
3 | [ "$DEBUG" == "1" ] && set -x
4 |
5 | set -e
6 |
# $VPN_PATH is unquoted throughout this script; it is safe only because the
# Dockerfile value (/etc/openvpn) contains no whitespace.
7 | if [ ! 
-d $VPN_PATH/easy-rsa ]; then
# First start only: easy-rsa lives under the /etc/openvpn volume, so once the
# PKI exists it is reused on every later start and nothing below re-runs.
8 | # Copy easy-rsa tools to /etc/openvpn
9 | rsync -avz /usr/share/easy-rsa $VPN_PATH/
10 |
# Subject fields baked into every certificate the CA issues; edit here if the
# identity should not advertise these values.
11 | # Configure easy-rsa vars file
12 | perl -p -i -e "s/export KEY_COUNTRY=.*/export KEY_COUNTRY=\"CA\"/g" $VPN_PATH/easy-rsa/vars
13 | perl -p -i -e "s/export KEY_PROVINCE=.*/export KEY_PROVINCE=\"BARCELONA\"/g" $VPN_PATH/easy-rsa/vars
14 | perl -p -i -e "s/export KEY_CITY=.*/export KEY_CITY=\"CASTELLDEFELS\"/g" $VPN_PATH/easy-rsa/vars
15 | perl -p -i -e "s/export KEY_ORG=.*/export KEY_ORG=\"NIXEL\"/g" $VPN_PATH/easy-rsa/vars
16 | perl -p -i -e "s/export KEY_EMAIL=.*/export KEY_EMAIL=\"manel\@nixelsolutions.com\"/g" $VPN_PATH/easy-rsa/vars
17 | perl -p -i -e "s/export KEY_OU=.*/export KEY_OU=\"NIXEL\"/g" $VPN_PATH/easy-rsa/vars
18 |
# Non-interactive build of the CA, server cert, DH parameters, one client
# cert ("RancherVPNClient") and the TLS-auth key. There is a single client
# identity: get_vpn_client_conf.sh embeds this same cert/key pair in every
# profile it produces, so all VPN clients are indistinguishable to the server
# and cannot be revoked individually. `. ./vars` is why pushd/popd are used:
# the easy-rsa scripts need its exports and a cwd of the easy-rsa directory.
19 | pushd $VPN_PATH/easy-rsa
20 | . ./vars
21 | ./clean-all
22 | ./build-ca --batch
23 | ./build-key-server --batch server
24 | ./build-dh
25 | ./build-key --batch RancherVPNClient
26 | openvpn --genkey --secret keys/ta.key
27 | popd
28 | fi
29 |
30 | # Update openvpn route
31 | #RANCHER_NETWORK_CIDR=`ip addr show dev eth0 | grep inet | grep 10.42 | awk '{print $2}' | xargs -i ipcalc -n {} | grep Network | awk '{print $2}' | awk -F/ '{print $1}'`
32 | #RANCHER_NETWORK_MASK=`ip addr show dev eth0 | grep inet | grep 10.42 | awk '{print $2}' | xargs -i ipcalc -n {} | grep Netmask | awk '{print $2}'`
33 |
# server.conf is rewritten on every start (it is outside the `! -d` guard).
# NOTE(review): the heredoc body (listing lines 36-63) and the start of line
# 64 are missing from this rendering, presumably stripped as markup. Line 64
# appears to be the write that enables IPv4 forwarding (e.g. `echo 1 >`), but
# the command itself is not visible here — confirm against the real file.
34 | # Create OpenVPN server config
35 | cat > $VPN_PATH/server.conf < /proc/sys/net/ipv4/ip_forward
# `-F` flushes every chain of the nat table, not only rules this script
# added; if the container shares its network namespace with other workloads
# their NAT rules are removed too.
65 | iptables -t nat -F
# Masquerade the tunnel subnet. 10.8.0.0/24 is hard-coded here; the subnet
# actually configured in server.conf is in the missing heredoc — confirm the
# two agree.
66 | iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
67 |
--------------------------------------------------------------------------------
/bin/run.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
# Container entry point (Dockerfile CMD): generate a root password if none was
# given, run the prepare-* helpers, print connection instructions, then hand
# over to supervisord. Note there is no `set -e` in this script.
2 |
3 | [ "$DEBUG" == "1" ] && set -x
4 |
# These options are only interpolated into the instructions printed below;
# they tell the user's ssh to skip host-key verification for this host
# (UserKnownHostsFile=/dev/null + StrictHostKeyChecking=no), so the user
# gets no warning if the endpoint's key changes.
5 | SSH_OPTS="-p 2222 -o ConnectTimeout=4 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
# Discover the public address by querying Google's name server for the
# o-o.myaddr TXT record and stripping the quotes. Needs outbound DNS to that
# server; on failure my_public_ip is empty and the printed commands have no
# host in them.
6 | my_public_ip=`dig -4 @ns1.google.com -t txt o-o.myaddr.l.google.com +short | sed 
"s/\"//g"` 7 | 8 | # Change root password 9 | if [ "${VPN_PASSWORD}" == "**ChangeMe**" ]; then 10 | export VPN_PASSWORD=`pwgen -s 20 1` 11 | fi 12 | 13 | prepare-ssh.sh 14 | prepare-vpn.sh 15 | 16 | echo "===========================================" 17 | echo "If you are using nixel/rancher-vpn-client docker image you must run rancher-vpn-client container using the following docker command:" 18 | echo "sudo docker run -ti -d --privileged --name rancher-vpn-client -e VPN_SERVERS=$my_public_ip:1194 -e VPN_PASSWORD=${VPN_PASSWORD} nixel/rancher-vpn-client:latest" 19 | echo 20 | echo "Then execute \"sudo docker logs rancher-vpn-client\" so you can view the ip route you need to add in your system in order to reach rancher network" 21 | echo "===========================================" 22 | echo "If you are using another OpenVPN client (for example for mobile devices) you can get the VPN client configuration executing this command from your PC:" 23 | echo "sshpass -p ${VPN_PASSWORD} ssh $SSH_OPTS root@$my_public_ip \"get_vpn_client_conf.sh $my_public_ip:1194\" > RancherVPNClient.ovpn" 24 | echo "===========================================" 25 | 26 | /usr/bin/supervisord 27 | -------------------------------------------------------------------------------- /etc/supervisord.conf: -------------------------------------------------------------------------------- 1 | [supervisord] 2 | nodaemon=true 3 | 4 | [program:sshd] 5 | command=/usr/sbin/sshd -D 6 | 7 | [program:openvpn] 8 | command=/usr/sbin/openvpn --cd /etc/openvpn --config server.conf 9 | --------------------------------------------------------------------------------