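├── All
├── Dockerfile
├── Local
├── README.md
├── Route
├── cn-no-route.txt
├── docker-entrypoint.sh
├── domain-common.txt
├── domain-develop.txt
├── domain-other.txt
├── groupinfo.txt
├── route.py
└── route.txt
/All:
--------------------------------------------------------------------------------
no-route=192.168.0.0/255.255.0.0
no-route=10.0.0.0/255.0.0.0
no-route=172.16.0.0/255.240.0.0
no-route=127.0.0.0/255.0.0.0
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
# syntax=docker/dockerfile:1
# ocserv (OpenConnect VPN server) built from source with radcli for RADIUS
# support. The toolchain is installed and removed again inside the same RUN
# layer, so nothing from it survives into the image.
#
# NOTE: alpine:3.12 is past end of life and receives no security updates;
# bump the tag (and pin a digest) when the build is next revalidated.
FROM alpine:3.12

# Build-time knobs. An empty version keeps the original behaviour of
# resolving "latest" at build time; setting one makes the build reproducible.
ARG RADCLI_VERSION=""
ARG OC_VERSION=""
# Key that signs ocserv release tarballs. This is the short id the original
# build used; short ids are collidable, so pass the full 40-hex fingerprint
# (--build-arg OCSERV_GPG_KEY=<full-fingerprint>) before relying on the build.
ARG OCSERV_GPG_KEY=96865171
ARG GPG_KEYSERVER=hkps://keyserver.ubuntu.com
# Only ./configure needs this (radcli installs its .pc file under /usr/local),
# so it is a build ARG rather than a runtime ENV.
ARG PKG_CONFIG_PATH=/usr/local/lib/pkgconfig/:/usr/lib/pkgconfig/

RUN set -eux; \
    # runtime libraries stay in the image; iptables and sed are used by the entrypoint
    apk add --no-cache gnutls gnutls-utils iptables libev libintl libnl3 libseccomp linux-pam lz4 lz4-libs openssl readline sed; \
    # everything the build needs goes into one virtual package so that a
    # single "apk del" at the end removes all of it
    apk add --no-cache --virtual .build-deps \
        abi-compliance-checker \
        autoconf \
        automake \
        curl \
        g++ \
        gnupg \
        gnutls-dev \
        gpgme \
        libev-dev \
        libnl3-dev \
        libseccomp-dev \
        libtool \
        linux-headers \
        linux-pam-dev \
        lz4-dev \
        make \
        readline-dev \
        tar \
        xz; \
    \
    # --- radcli (RADIUS client library) ------------------------------------
    # curl -f fails on HTTP errors instead of saving an error page that would
    # otherwise be fed to sed/tar.
    if [ -z "$RADCLI_VERSION" ]; then \
        RADCLI_VERSION=$(curl -fsSL "https://api.github.com/repos/radcli/radcli/releases/latest" | sed -n 's/^.*"tag_name": "\(.*\)",$/\1/p'); \
    fi; \
    [ -n "$RADCLI_VERSION" ]; \
    curl -fsSL "https://github.com/radcli/radcli/releases/download/$RADCLI_VERSION/radcli-$RADCLI_VERSION.tar.gz" -o radcli.tar.gz; \
    # NOTE(review): the radcli tarball is not signature- or checksum-verified
    # here; pin RADCLI_VERSION and add a checksum once one is published.
    mkdir -p /usr/src/radcli; \
    tar -xf radcli.tar.gz -C /usr/src/radcli --strip-components=1; \
    rm radcli.tar.gz*; \
    cd /usr/src/radcli; \
    ./configure --sysconfdir=/etc/; \
    make; \
    make install; \
    cd /; \
    rm -fr /usr/src/radcli; \
    \
    # --- ocserv -------------------------------------------------------------
    if [ -z "$OC_VERSION" ]; then \
        OC_VERSION=$(curl -fsSL "https://ocserv.gitlab.io/www/download.html" | sed -n 's/^.*version is \(.*$\)/\1/p'); \
    fi; \
    [ -n "$OC_VERSION" ]; \
    curl -fsSL "ftp://ftp.infradead.org/pub/ocserv/ocserv-$OC_VERSION.tar.xz" -o ocserv.tar.xz; \
    curl -fsSL "ftp://ftp.infradead.org/pub/ocserv/ocserv-$OC_VERSION.tar.xz.sig" -o ocserv.tar.xz.sig; \
    # verify the tarball with a throw-away keyring that is deleted afterwards;
    # the signature is what makes the plaintext FTP transfer acceptable
    export GNUPGHOME="$(mktemp -d)"; \
    gpg --batch --keyserver "$GPG_KEYSERVER" --recv-keys "$OCSERV_GPG_KEY"; \
    gpg --batch --verify ocserv.tar.xz.sig ocserv.tar.xz; \
    rm -rf "$GNUPGHOME"; \
    unset GNUPGHOME; \
    mkdir -p /usr/src/ocserv; \
    tar -xf ocserv.tar.xz -C /usr/src/ocserv --strip-components=1; \
    rm ocserv.tar.xz*; \
    cd /usr/src/ocserv; \
    ./configure; \
    make; \
    make install; \
    mkdir -p /etc/ocserv; \
    cp /usr/src/ocserv/doc/sample.config /etc/ocserv/ocserv.conf; \
    cd /; \
    rm -fr /usr/src/ocserv; \
    \
    # drop the toolchain in the same layer so it never lands in the image
    apk del .build-deps

# Setup config: adapt the upstream sample.config to this image's layout.
COPY groupinfo.txt /tmp/
RUN set -eux; \
    cfg=/etc/ocserv/ocserv.conf; \
    # password file and certificate paths live in /etc/ocserv
    sed -i 's/\.\/sample\.passwd/\/etc\/ocserv\/ocpasswd/' "$cfg"; \
    sed -i 's/\.\.\/tests/\/etc\/ocserv/' "$cfg"; \
    # allow 10 concurrent sessions per user and 512 clients in total
    sed -i 's/\(max-same-clients = \)2/\110/' "$cfg"; \
    sed -i 's/^max-clients = 16/max-clients = 512/' "$cfg"; \
    # enable the compression options the sample leaves commented out
    sed -i 's/#\(compression.*\)/\1/' "$cfg"; \
    # client address pool 10.205.0.0/16 (the entrypoint NATs this subnet)
    sed -i '/^ipv4-network = /{s/192.168.1.0/10.205.0.0/}' "$cfg"; \
    sed -i '/^ipv4-netmask = /{s/255.255.255.0/255.255.0.0/}' "$cfg"; \
    sed -i 's/^dns = 192.168.1.2/dns = 208.67.222.222\ndns = 8.8.8.8/' "$cfg"; \
    # global routes are disabled; routing is decided per group (see below)
    sed -i 's/^route/#route/' "$cfg"; \
    sed -i 's/^no-route/#no-route/' "$cfg"; \
    mkdir -p /etc/ocserv/config-per-group; \
    cat /tmp/groupinfo.txt >> "$cfg"; \
    rm -f /tmp/groupinfo.txt

WORKDIR /etc/ocserv

# Per-group routing: "All" tunnels everything except RFC1918/loopback,
# "Route" excludes the CN prefixes from cn-no-route.txt, "Local" only routes
# the intranet prefixes listed in Local.
COPY All /etc/ocserv/config-per-group/All
COPY cn-no-route.txt /etc/ocserv/config-per-group/Route
COPY Local /etc/ocserv/config-per-group/Local

# No USER directive: the entrypoint needs root to set ip_forward, add iptables
# rules and create /dev/net/tun; ocserv itself drops privileges for workers
# according to ocserv.conf.
COPY --chmod=755 docker-entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]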
85 | 86 | EXPOSE 443 87 | CMD ["ocserv", "-c", "/etc/ocserv/ocserv.conf", "-f"] 88 | -------------------------------------------------------------------------------- /Local: -------------------------------------------------------------------------------- 1 | route = 10.213.0.0/255.255.0.0 2 | route = 172.0.0.0/255.255.0.0 3 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # docker-ocserv-radius 2 | 3 | docker-ocserv is an OpenConnect VPN Server boxed in a Docker image built by [Tommy Lau](mailto:tommy@gen-new.com). 4 | 5 | docker-ocserv-radius based on [Tommy Lau](mailto:tommy@gen-new.com)’s great job and add bit of enterprise support to that. 6 | 7 | 1. add radcli before ocserv compile to enable radius mod 8 | 2. add local group for enterprise 9 | 10 | ## Update on July 20,2016 11 | You can login with two group (`Route`/`ALL`) from now on. 12 | `Route` group means you can access China Mainland website directly and other connection will be protected by OpenConnect VPN 13 | `All` group means all of connection will be protected by OpenConnect VPN 14 | 15 | ## Update on July 16, 2016 16 | 17 | Thanks for [@sempr](https://github.com/sempr)'s contribution and suggestion, from now on, the [Alpine Linux](https://hub.docker.com/_/alpine/) will be used as the base image. The docker image size has been dramatically reduced from around 150MB to only 20MB. 18 | 19 | > NOTICE: You have to use Docker version 1.9.0 or later to support Alpine, DO NOT UPDATE the image if your Docker version is older than 1.9.0 20 | 21 | 22 | 23 | ## What is OpenConnect Server? 24 | 25 | [OpenConnect server (ocserv)](http://www.infradead.org/ocserv/) is an SSL VPN server. 
It implements the OpenConnect SSL VPN protocol, and has also (currently experimental) compatibility with clients using the [AnyConnect SSL VPN](http://www.cisco.com/c/en/us/support/security/anyconnect-vpn-client/tsd-products-support-series-home.html) protocol. 26 | 27 | ## How to use this image 28 | 29 | Get the docker image by running the following commands: 30 | 31 | ```bash 32 | docker pull tommylau/ocserv 33 | ``` 34 | 35 | Start an ocserv instance: 36 | 37 | ```bash 38 | docker run --name ocserv --privileged -p 443:443 -p 443:443/udp -d tommylau/ocserv 39 | ``` 40 | 41 | This will start an instance with the a test user named `test` and password is also `test`. 42 | 43 | ### Environment Variables 44 | 45 | All the variables to this image is optional, which means you don't have to type in any environment variables, and you can have a OpenConnect Server out of the box! However, if you like to config the ocserv the way you like it, here's what you wanna know. 46 | 47 | `CA_CN`, this is the common name used to generate the CA(Certificate Authority). 48 | 49 | `CA_ORG`, this is the organization name used to generate the CA. 50 | 51 | `CA_DAYS`, this is the expiration days used to generate the CA. 52 | 53 | `SRV_CN`, this is the common name used to generate the server certification. 54 | 55 | `SRV_ORG`, this is the organization name used to generate the server certification. 56 | 57 | `SRV_DAYS`, this is the expiration days used to generate the server certification. 58 | 59 | `NO_TEST_USER`, while this variable is set to not empty, the `test` user will not be created. You have to create your own user with password. The default value is to create `test` user with password `test`. 
60 | 61 | The default values of the above environment variables: 62 | 63 | | Variable | Default | 64 | |:------------:|:---------------:| 65 | | **CA_CN** | VPN CA | 66 | | **CA_ORG** | Big Corp | 67 | | **CA_DAYS** | 9999 | 68 | | **SRV_CN** | www.example.com | 69 | | **SRV_ORG** | My Company | 70 | | **SRV_DAYS** | 9999 | 71 | 72 | ### Running examples 73 | 74 | Start an instance out of the box with username `test` and password `test` 75 | 76 | ```bash 77 | docker run --name ocserv --privileged -p 443:443 -p 443:443/udp -d tommylau/ocserv 78 | ``` 79 | 80 | Start an instance with server name `my.test.com`, `My Test` and `365` days 81 | 82 | ```bash 83 | docker run --name ocserv --privileged -p 443:443 -p 443:443/udp -e SRV_CN=my.test.com -e SRV_ORG="My Test" -e SRV_DAYS=365 -d tommylau/ocserv 84 | ``` 85 | 86 | Start an instance with CA name `My CA`, `My Corp` and `3650` days 87 | 88 | ```bash 89 | docker run --name ocserv --privileged -p 443:443 -p 443:443/udp -e CA_CN="My CA" -e CA_ORG="My Corp" -e CA_DAYS=3650 -d tommylau/ocserv 90 | ``` 91 | 92 | A totally customized instance with both CA and server certification 93 | 94 | ```bash 95 | docker run --name ocserv --privileged -p 443:443 -p 443:443/udp -e CA_CN="My CA" -e CA_ORG="My Corp" -e CA_DAYS=3650 -e SRV_CN=my.test.com -e SRV_ORG="My Test" -e SRV_DAYS=365 -d tommylau/ocserv 96 | ``` 97 | 98 | Start an instance as above but without test user 99 | 100 | ```bash 101 | docker run --name ocserv --privileged -p 443:443 -p 443:443/udp -e CA_CN="My CA" -e CA_ORG="My Corp" -e CA_DAYS=3650 -e SRV_CN=my.test.com -e SRV_ORG="My Test" -e SRV_DAYS=365 -e NO_TEST_USER=1 -v /some/path/to/ocpasswd:/etc/ocserv/ocpasswd -d tommylau/ocserv 102 | ``` 103 | 104 | **WARNING:** The ocserv requires the ocpasswd file to start, if `NO_TEST_USER=1` is provided, there will be no ocpasswd created, which will stop the container immediately after start it. 
You must specify an ocpasswd file mounted at `/etc/ocserv/ocpasswd` with docker's volume argument `-v`, as demonstrated above. 105 | 106 | ### User operations 107 | 108 | All user operations happen while the container is running. If you used a container name other than `ocserv`, change the container name in the commands accordingly. 109 | 110 | #### Add user 111 | 112 | If, say, you want to create a user named `tommy`, type the following command: 113 | 114 | ```bash 115 | docker exec -ti ocserv ocpasswd -c /etc/ocserv/ocpasswd -g "Route,All" tommy 116 | Enter password: 117 | Re-enter password: 118 | ``` 119 | 120 | When prompted for the password, type it twice; the user then exists with the password you chose. 121 | 122 | >`-g "Route,All"` adds user `tommy` to the groups `Route` and `All` 123 | 124 | #### Delete user 125 | 126 | Deleting a user is similar to adding one: add the `-d` argument to the command line 127 | 128 | ```bash 129 | docker exec -ti ocserv ocpasswd -c /etc/ocserv/ocpasswd -d test 130 | ``` 131 | 132 | The above command deletes the default user `test`, if you started the instance without the environment variable `NO_TEST_USER`. 133 | 134 | #### Change password 135 | 136 | Changing a password uses exactly the same command as adding a user; refer to the command above. 
137 | -------------------------------------------------------------------------------- /Route: -------------------------------------------------------------------------------- 1 | route = 1.0.0.0/255.0.0.0 2 | route = 3.0.0.0/255.0.0.0 3 | route = 203.0.0.0/255.0.0.0 4 | route = 4.0.0.0/255.0.0.0 5 | route = 8.0.0.0/252.0.0.0 6 | route = 16.0.0.0/255.0.0.0 7 | route = 23.0.0.0/255.0.0.0 8 | route = 31.0.0.0/255.0.0.0 9 | route = 38.0.0.0/255.0.0.0 10 | route = 46.4.0.0/255.255.0.0 11 | route = 50.0.0.0/255.0.0.0 12 | route = 52.0.0.0/255.0.0.0 13 | route = 54.0.0.0/255.0.0.0 14 | route = 58.0.0.0/255.0.0.0 15 | route = 59.0.0.0/255.0.0.0 16 | route = 60.0.0.0/248.0.0.0 17 | route = 62.0.0.0/255.0.0.0 18 | route = 64.0.0.0/255.0.0.0 19 | route = 66.0.0.0/255.0.0.0 20 | route = 67.0.0.0/255.0.0.0 21 | route = 68.0.0.0/255.0.0.0 22 | route = 69.0.0.0/255.0.0.0 23 | route = 72.0.0.0/255.0.0.0 24 | route = 74.0.0.0/255.0.0.0 25 | route = 76.0.0.0/255.0.0.0 26 | route = 78.0.0.0/255.0.0.0 27 | route = 80.0.0.0/255.0.0.0 28 | route = 92.0.0.0/255.0.0.0 29 | route = 93.0.0.0/255.0.0.0 30 | route = 96.0.0.0/255.0.0.0 31 | route = 100.0.0.0/255.0.0.0 32 | route = 101.0.0.0/255.0.0.0 33 | route = 103.0.0.0/255.0.0.0 34 | route = 104.0.0.0/255.0.0.0 35 | route = 107.0.0.0/255.0.0.0 36 | route = 108.174.0.0/255.255.240.0 37 | route = 109.0.0.0/255.0.0.0 38 | route = 111.0.0.0/255.0.0.0 39 | route = 117.0.0.0/255.0.0.0 40 | route = 119.0.0.0/255.0.0.0 41 | route = 125.0.0.0/255.0.0.0 42 | route = 128.0.0.0/255.0.0.0 43 | route = 131.103.0.0/255.255.0.0 44 | route = 134.0.0.0/255.0.0.0 45 | route = 141.0.0.0/255.0.0.0 46 | route = 162.0.0.0/255.0.0.0 47 | route = 165.0.0.0/255.0.0.0 48 | route = 168.0.0.0/255.0.0.0 49 | route = 170.0.0.0/255.0.0.0 50 | route = 173.0.0.0/255.0.0.0 51 | route = 174.0.0.0/255.0.0.0 52 | route = 184.0.0.0/255.0.0.0 53 | route = 185.0.0.0/255.0.0.0 54 | route = 190.0.0.0/255.0.0.0 55 | route = 192.0.0.0/255.128.0.0 56 | route = 192.172.0.0/255.252.0.0 
57 | route = 192.176.0.0/255.240.0.0 58 | route = 192.192.0.0/255.192.0.0 59 | route = 198.0.0.0/254.0.0.0 60 | route = 199.0.0.0/255.0.0.0 61 | route = 204.0.0.0/255.0.0.0 62 | route = 205.0.0.0/255.0.0.0 63 | route = 206.0.0.0/255.0.0.0 64 | route = 207.0.0.0/255.0.0.0 65 | route = 208.0.0.0/255.0.0.0 66 | route = 209.0.0.0/255.0.0.0 67 | route = 210.0.0.0/255.0.0.0 68 | route = 212.0.0.0/255.0.0.0 69 | route = 216.0.0.0/255.0.0.0 70 | route = 224.0.0.0/255.0.0.0 71 | route = 243.0.0.0/255.0.0.0 72 | -------------------------------------------------------------------------------- /cn-no-route.txt: -------------------------------------------------------------------------------- 1 | no-route = 1.0.0.0/255.192.0.0 2 | no-route = 1.64.0.0/255.224.0.0 3 | no-route = 1.112.0.0/255.248.0.0 4 | no-route = 1.176.0.0/255.240.0.0 5 | no-route = 1.192.0.0/255.240.0.0 6 | no-route = 14.0.0.0/255.224.0.0 7 | no-route = 14.96.0.0/255.224.0.0 8 | no-route = 14.128.0.0/255.224.0.0 9 | no-route = 14.192.0.0/255.224.0.0 10 | no-route = 27.0.0.0/255.192.0.0 11 | no-route = 27.96.0.0/255.224.0.0 12 | no-route = 27.128.0.0/255.224.0.0 13 | no-route = 27.176.0.0/255.240.0.0 14 | no-route = 27.192.0.0/255.224.0.0 15 | no-route = 27.224.0.0/255.252.0.0 16 | no-route = 36.0.0.0/255.192.0.0 17 | no-route = 36.96.0.0/255.224.0.0 18 | no-route = 36.128.0.0/255.192.0.0 19 | no-route = 36.192.0.0/255.224.0.0 20 | no-route = 36.240.0.0/255.240.0.0 21 | no-route = 39.0.0.0/255.255.0.0 22 | no-route = 39.64.0.0/255.224.0.0 23 | no-route = 39.96.0.0/255.240.0.0 24 | no-route = 39.128.0.0/255.192.0.0 25 | no-route = 40.72.0.0/255.254.0.0 26 | no-route = 40.124.0.0/255.252.0.0 27 | no-route = 42.0.0.0/255.248.0.0 28 | no-route = 42.48.0.0/255.240.0.0 29 | no-route = 42.80.0.0/255.240.0.0 30 | no-route = 42.96.0.0/255.224.0.0 31 | no-route = 42.128.0.0/255.128.0.0 32 | no-route = 43.224.0.0/255.224.0.0 33 | no-route = 45.3.32.0/255.255.224.0 34 | no-route = 45.65.16.0/255.255.240.0 35 | no-route = 
45.78.80.0/255.255.240.0 36 | no-route = 45.112.0.0/255.240.0.0 37 | no-route = 45.248.0.0/255.248.0.0 38 | no-route = 47.92.0.0/255.252.0.0 39 | no-route = 47.96.0.0/255.224.0.0 40 | no-route = 49.0.0.0/255.128.0.0 41 | no-route = 49.128.0.0/255.224.0.0 42 | no-route = 49.192.0.0/255.192.0.0 43 | no-route = 52.80.0.0/255.252.0.0 44 | no-route = 54.222.0.0/255.254.0.0 45 | no-route = 58.0.0.0/255.128.0.0 46 | no-route = 58.128.0.0/255.224.0.0 47 | no-route = 58.192.0.0/255.224.0.0 48 | no-route = 58.240.0.0/255.240.0.0 49 | no-route = 59.32.0.0/255.224.0.0 50 | no-route = 59.64.0.0/255.224.0.0 51 | no-route = 59.96.0.0/255.240.0.0 52 | no-route = 59.144.0.0/255.240.0.0 53 | no-route = 59.160.0.0/255.224.0.0 54 | no-route = 59.192.0.0/255.192.0.0 55 | no-route = 60.0.0.0/255.224.0.0 56 | no-route = 60.48.0.0/255.240.0.0 57 | no-route = 60.160.0.0/255.224.0.0 58 | no-route = 60.192.0.0/255.192.0.0 59 | no-route = 61.0.0.0/255.192.0.0 60 | no-route = 61.80.0.0/255.248.0.0 61 | no-route = 61.128.0.0/255.192.0.0 62 | no-route = 61.224.0.0/255.224.0.0 63 | no-route = 91.234.36.0/255.255.255.0 64 | no-route = 101.0.0.0/255.128.0.0 65 | no-route = 101.128.0.0/255.224.0.0 66 | no-route = 101.192.0.0/255.240.0.0 67 | no-route = 101.224.0.0/255.224.0.0 68 | no-route = 103.0.0.0/255.0.0.0 69 | no-route = 104.167.16.0/255.255.240.0 70 | no-route = 104.207.32.0/255.255.224.0 71 | no-route = 106.0.0.0/255.128.0.0 72 | no-route = 106.224.0.0/255.240.0.0 73 | no-route = 110.0.0.0/255.128.0.0 74 | no-route = 110.144.0.0/255.240.0.0 75 | no-route = 110.160.0.0/255.224.0.0 76 | no-route = 110.192.0.0/255.192.0.0 77 | no-route = 111.0.0.0/255.192.0.0 78 | no-route = 111.64.0.0/255.224.0.0 79 | no-route = 111.112.0.0/255.240.0.0 80 | no-route = 111.128.0.0/255.192.0.0 81 | no-route = 111.192.0.0/255.224.0.0 82 | no-route = 111.224.0.0/255.240.0.0 83 | no-route = 112.0.0.0/255.128.0.0 84 | no-route = 112.128.0.0/255.240.0.0 85 | no-route = 112.192.0.0/255.252.0.0 86 | no-route = 
112.224.0.0/255.224.0.0 87 | no-route = 113.0.0.0/255.128.0.0 88 | no-route = 113.128.0.0/255.240.0.0 89 | no-route = 113.192.0.0/255.192.0.0 90 | no-route = 114.16.0.0/255.240.0.0 91 | no-route = 114.48.0.0/255.240.0.0 92 | no-route = 114.64.0.0/255.192.0.0 93 | no-route = 114.128.0.0/255.240.0.0 94 | no-route = 114.192.0.0/255.192.0.0 95 | no-route = 115.0.0.0/255.0.0.0 96 | no-route = 116.0.0.0/255.0.0.0 97 | no-route = 117.0.0.0/255.128.0.0 98 | no-route = 117.128.0.0/255.192.0.0 99 | no-route = 118.16.0.0/255.240.0.0 100 | no-route = 118.64.0.0/255.192.0.0 101 | no-route = 118.128.0.0/255.128.0.0 102 | no-route = 119.0.0.0/255.128.0.0 103 | no-route = 119.128.0.0/255.192.0.0 104 | no-route = 119.224.0.0/255.224.0.0 105 | no-route = 120.0.0.0/255.192.0.0 106 | no-route = 120.64.0.0/255.224.0.0 107 | no-route = 120.128.0.0/255.240.0.0 108 | no-route = 120.192.0.0/255.192.0.0 109 | no-route = 121.0.0.0/255.128.0.0 110 | no-route = 121.192.0.0/255.192.0.0 111 | no-route = 122.0.0.0/254.0.0.0 112 | no-route = 124.0.0.0/255.0.0.0 113 | no-route = 125.0.0.0/255.128.0.0 114 | no-route = 125.160.0.0/255.224.0.0 115 | no-route = 125.192.0.0/255.192.0.0 116 | no-route = 137.59.59.0/255.255.255.0 117 | no-route = 137.59.88.0/255.255.252.0 118 | no-route = 139.0.0.0/255.224.0.0 119 | no-route = 139.128.0.0/255.128.0.0 120 | no-route = 140.64.0.0/255.240.0.0 121 | no-route = 140.128.0.0/255.240.0.0 122 | no-route = 140.192.0.0/255.192.0.0 123 | no-route = 144.0.0.0/255.248.0.0 124 | no-route = 144.12.0.0/255.255.0.0 125 | no-route = 144.48.0.0/255.248.0.0 126 | no-route = 144.123.0.0/255.255.0.0 127 | no-route = 144.255.0.0/255.255.0.0 128 | no-route = 146.196.0.0/255.255.128.0 129 | no-route = 150.0.0.0/255.255.0.0 130 | no-route = 150.96.0.0/255.224.0.0 131 | no-route = 150.128.0.0/255.240.0.0 132 | no-route = 150.192.0.0/255.192.0.0 133 | no-route = 152.104.128.0/255.255.128.0 134 | no-route = 153.0.0.0/255.192.0.0 135 | no-route = 153.96.0.0/255.224.0.0 136 | no-route = 
157.0.0.0/255.255.0.0 137 | no-route = 157.18.0.0/255.255.0.0 138 | no-route = 157.61.0.0/255.255.0.0 139 | no-route = 157.112.0.0/255.240.0.0 140 | no-route = 157.144.0.0/255.240.0.0 141 | no-route = 157.255.0.0/255.255.0.0 142 | no-route = 159.226.0.0/255.255.0.0 143 | no-route = 160.19.208.0/255.255.240.0 144 | no-route = 160.20.48.0/255.255.252.0 145 | no-route = 160.202.0.0/255.255.0.0 146 | no-route = 160.238.64.0/255.255.252.0 147 | no-route = 161.207.0.0/255.255.0.0 148 | no-route = 162.105.0.0/255.255.0.0 149 | no-route = 163.0.0.0/255.192.0.0 150 | no-route = 163.96.0.0/255.224.0.0 151 | no-route = 163.128.0.0/255.192.0.0 152 | no-route = 163.192.0.0/255.224.0.0 153 | no-route = 166.111.0.0/255.255.0.0 154 | no-route = 167.139.0.0/255.255.0.0 155 | no-route = 167.189.0.0/255.255.0.0 156 | no-route = 167.220.244.0/255.255.252.0 157 | no-route = 168.160.0.0/255.255.0.0 158 | no-route = 170.179.0.0/255.255.0.0 159 | no-route = 171.0.0.0/255.128.0.0 160 | no-route = 171.192.0.0/255.224.0.0 161 | no-route = 175.0.0.0/255.128.0.0 162 | no-route = 175.128.0.0/255.192.0.0 163 | no-route = 180.64.0.0/255.192.0.0 164 | no-route = 180.128.0.0/255.128.0.0 165 | no-route = 182.0.0.0/255.0.0.0 166 | no-route = 183.0.0.0/255.192.0.0 167 | no-route = 183.64.0.0/255.224.0.0 168 | no-route = 183.128.0.0/255.128.0.0 169 | no-route = 192.124.154.0/255.255.255.0 170 | no-route = 192.140.0.0/255.255.0.0 171 | no-route = 192.188.170.0/255.255.255.0 172 | no-route = 202.0.0.0/255.128.0.0 173 | no-route = 202.128.0.0/255.192.0.0 174 | no-route = 202.192.0.0/255.224.0.0 175 | no-route = 203.0.0.0/255.0.0.0 176 | no-route = 210.0.0.0/255.192.0.0 177 | no-route = 210.64.0.0/255.224.0.0 178 | no-route = 210.160.0.0/255.224.0.0 179 | no-route = 210.192.0.0/255.224.0.0 180 | no-route = 211.64.0.0/255.248.0.0 181 | no-route = 211.80.0.0/255.240.0.0 182 | no-route = 211.96.0.0/255.248.0.0 183 | no-route = 211.136.0.0/255.248.0.0 184 | no-route = 211.144.0.0/255.240.0.0 185 | no-route = 
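211.160.0.0/255.248.0.0
no-route = 218.0.0.0/255.128.0.0
no-route = 218.160.0.0/255.224.0.0
no-route = 218.192.0.0/255.192.0.0
no-route = 219.64.0.0/255.224.0.0
no-route = 219.128.0.0/255.224.0.0
no-route = 219.192.0.0/255.192.0.0
no-route = 220.96.0.0/255.224.0.0
no-route = 220.128.0.0/255.128.0.0
no-route = 221.0.0.0/255.224.0.0
no-route = 221.96.0.0/255.224.0.0
no-route = 221.128.0.0/255.128.0.0
no-route = 222.0.0.0/255.0.0.0
no-route = 223.0.0.0/255.224.0.0
no-route = 223.64.0.0/255.192.0.0
no-route = 223.128.0.0/255.128.0.0
--------------------------------------------------------------------------------
/docker-entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Container entrypoint for ocserv.
#   1. On first start (no server-key.pem / server-cert.pem in /etc/ocserv)
#      generates a self-signed CA and server certificate; CA_*/SRV_* env vars
#      override the subject fields and validity.
#   2. Creates the documented "test" user unless NO_TEST_USER is set or an
#      ocpasswd file is already present.
#   3. Enables IPv4 forwarding, NAT for the VPN client subnet and /dev/net/tun.
#   4. exec's the image CMD (ocserv) so it becomes PID 1 and receives signals.
# Steps 1-3 need root plus NET_ADMIN/MKNOD, which is why the README runs the
# container with --privileged. Any failure aborts the start instead of
# launching a server with half-applied network setup.
set -eu

OCSERV_DIR=/etc/ocserv
OCSERV_CONF="$OCSERV_DIR/ocserv.conf"

# Print the value of a "key = value" line from ocserv.conf (first match only).
conf_value() {
    sed -n "s/^$1 = //p" "$OCSERV_CONF" | head -n 1
}

if [ ! -f "$OCSERV_DIR/server-key.pem" ] || [ ! -f "$OCSERV_DIR/server-cert.pem" ]; then
    # Defaults for the certificate subjects; unset or empty vars get the default.
    : "${CA_CN:=VPN CA}"
    : "${CA_ORG:=Big Corp}"
    : "${CA_DAYS:=9999}"
    : "${SRV_CN:=www.example.com}"
    : "${SRV_ORG:=MyCompany}"
    : "${SRV_DAYS:=9999}"

    # No certificate found, generate one
    cd "$OCSERV_DIR"
    # certtool honours the umask, so private keys are created 0600 instead of
    # world-readable; the public certificates are opened up again below.
    umask 077
    certtool --generate-privkey --outfile ca-key.pem
    cat > ca.tmpl <<EOCA
cn = "$CA_CN"
organization = "$CA_ORG"
serial = 1
expiration_days = $CA_DAYS
ca
signing_key
cert_signing_key
crl_signing_key
EOCA
    certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca.pem
    certtool --generate-privkey --outfile server-key.pem
    cat > server.tmpl <<EOSRV
cn = "$SRV_CN"
organization = "$SRV_ORG"
expiration_days = $SRV_DAYS
signing_key
encryption_key
tls_www_server
EOSRV
    certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
    chmod 644 ca.pem server-cert.pem
    umask 022

    # Create a test user (documented default; disable with NO_TEST_USER=1)
    if [ -z "${NO_TEST_USER:-}" ] && [ ! -f "$OCSERV_DIR/ocpasswd" ]; then
        echo "Create test user 'test' with password 'test'"
        echo 'test:Route,All:$5$DktJBFKobxCFd7wN$sn.bVw8ytyAaNamO.CvgBvkzDiFR6DaHdUzcif52KK7' > "$OCSERV_DIR/ocpasswd"
    fi
fi

# Open ipv4 ip forward
sysctl -w net.ipv4.ip_forward=1

# Enable NAT forwarding. Limit MASQUERADE to the client pool configured in
# ocserv.conf when it can be read, rather than translating every forwarded
# packet; fall back to the original catch-all rule otherwise.
VPN_NET=$(conf_value ipv4-network)
VPN_MASK=$(conf_value ipv4-netmask)
if [ -n "$VPN_NET" ] && [ -n "$VPN_MASK" ]; then
    iptables -t nat -A POSTROUTING -s "$VPN_NET/$VPN_MASK" -j MASQUERADE
else
    iptables -t nat -A POSTROUTING -j MASQUERADE
fi
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# Enable TUN device (mknod would fail if the node was passed in with --device)
mkdir -p /dev/net
if [ ! -e /dev/net/tun ]; then
    mknod /dev/net/tun c 10 200
fi
chmod 600 /dev/net/tun

# Run OpenConnect Server as PID 1
exec "$@"

--------------------------------------------------------------------------------
/domain-common.txt:
--------------------------------------------------------------------------------
# Google
www.google.com
74.125.200.138
173.194.127.255
www.google.com.hk
www.google.sg
www.google.co.jp
accounts.google.com
216.58.217.205
plus.google.com
play.google.com
news.google.com
mail.google.com
wallet.google.com
www.gstatic.com
ssl.gstatic.com
lh5.googleusercontent.com

# YouTube
youtube.com
www.youtube.com
m.youtube.com
i.ytimg.com
s.ytimg.com
r2---sn-npo7zn7s.googlevideo.com
tc.v1.cache2.googlevideo.com
tc.v10.cache1.googlevideo.com
tc.v10.cache8.googlevideo.com
manifest.googlevideo.com
yt3.ggpht.com

# Blogger
www.blogger.com
googleblog.blogspot.com

# Facebook
facebook.com
www.facebook.com
developers.facebook.com
l.facebook.com
static.xx.fbcdn.net
scontent-a-sin.xx.fbcdn.net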
scontent-b-sin.xx.fbcdn.net 44 | fbcdn-profile-a.akamaihd.net 45 | 1.9.56.194 46 | 80.239.178.49 47 | fbexternal-a.akamaihd.net 48 | 184.25.56.194 49 | 23.62.109.81 50 | fbcdn-sphotos-d-a.akamaihd.net 51 | 165.254.12.34 52 | bit.ly 53 | 54 | # Twitter 55 | www.twitter.com 56 | m.twitter.com 57 | mobile.twitter.com 58 | support.twitter.com 59 | about.twitter.com 60 | 199.59.148.84 61 | twimg.com 62 | abs.twimg.com 63 | pbs.twimg.com 64 | ma.twimg.com 65 | t.co 66 | 67 | # Wordpress 68 | lb.wordpress.com 69 | vip-lb.wordpress.com 70 | 66.155.9.244 71 | 76.74.255.123 72 | 192.0.83.250 73 | 74 | # Instagram 75 | instagram.com 76 | 54.209.6.86 77 | 54.210.210.200 78 | 54.236.116.18 79 | 107.23.173.176 80 | i.instagram.com 81 | 54.84.23.82 82 | 54.84.62.9 83 | 54.84.154.64 84 | 54.236.180.84 85 | telegraph-ec2proxy.instagram.com 86 | 54.152.147.196 87 | help.instagram.com 88 | blog.instagram.com 89 | photos-e.ak.instagram.com 90 | 69.192.3.24 91 | instagramstatic-a.akamaihd.net 92 | igcdn-photos-h-a.akamaihd.net 93 | 92.122.190.32 94 | instagramimages-a.akamaihd.net 95 | scontent-a.cdninstagram.com 96 | 97 | # TuneIn 98 | api.tunein.com 99 | feed.tunein.com 100 | api.radiotime.com 101 | opml.radiotime.com 102 | 103 | # Amazon AWS 104 | s3.amazonaws.com 105 | 106 | # Gravatar 107 | gravatar.com 108 | 109 | # Wikipedia 110 | en.wikipedia.org 111 | 112 | # LinkedIn 113 | linkedin.com 114 | www.linkedin.com 115 | static.licdn.com 116 | -------------------------------------------------------------------------------- /domain-develop.txt: -------------------------------------------------------------------------------- 1 | # Shadowsocks 2 | shadowsocks.org 3 | 4 | # GitHub 5 | github.com 6 | 7 | # BitBucket 8 | bitbucket.org 9 | 10 | # Docker 11 | registry.hub.docker.com 12 | docker.io 13 | docker.com 14 | 15 | # SourceForge.net 16 | sourceforge.net 17 | sf.net 18 | 19 | -------------------------------------------------------------------------------- /domain-other.txt: 
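--------------------------------------------------------------------------------
# KickAss
kickass.to
kastatic.com

--------------------------------------------------------------------------------
/groupinfo.txt:
--------------------------------------------------------------------------------
#default-select-group = Route[仅海外代理 Exclude CN]
#select-group = All[全局代理 All Proxy]
default-select-group = Local[Intranet Proxy]
auto-select-group = false
config-per-group = /etc/ocserv/config-per-group
--------------------------------------------------------------------------------
/route.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""Maintain route.txt: resolve every host listed in domain-*.txt and add the
ARIN network block containing it, unless an existing route already covers it.

Runs under Python 2 and 3. The whois lookup goes to whois.arin.net over
HTTPS so the prefixes written into the VPN routing table cannot be altered
in transit.
"""
from __future__ import print_function

import glob
import socket
import xml.etree.ElementTree

try:
    from urllib.request import urlopen  # Python 3
except ImportError:  # Python 2
    from urllib2 import urlopen

ARIN_NS = "{http://www.arin.net/whoisrws/core/v1}"
ROUTE_FILE = "route.txt"


def get_netmask(mask):
    """Return the dotted-quad netmask for a CIDR prefix length.

    Args:
        mask: prefix length, 0..32.
    Raises:
        ValueError: when mask is outside 0..32.
    """
    if not 0 <= mask <= 32:
        raise ValueError("prefix length out of range: %r" % (mask,))
    bits = 0
    for i in range(32 - mask, 32):
        bits |= 1 << i
    return "%d.%d.%d.%d" % ((bits >> 24) & 0xff, (bits >> 16) & 0xff,
                            (bits >> 8) & 0xff, bits & 0xff)


def get_decimal_ip(ip):
    """Convert a dotted-quad IPv4 string to its 32-bit integer value.

    Raises:
        ValueError: when ip does not have four octets in 0..255.
    """
    octets = ip.split('.')
    if len(octets) != 4:
        raise ValueError("not a dotted-quad IPv4 address: %r" % (ip,))
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError("octet out of range in %r" % (ip,))
        value = (value << 8) | n
    return value


def query_cidr(ip):
    """Look up the ARIN network block that contains `ip`.

    Returns:
        (start_address, dotted_netmask) of the first netBlock in the reply.
    Raises:
        ValueError: when the reply has no netBlock element.
        Network errors from urlopen propagate to the caller.
    """
    url = "https://whois.arin.net/rest/nets;q=%s?showDetails=true&showARIN=false&ext=netref2" % ip
    response = urlopen(url)
    try:
        payload = response.read()
    finally:
        response.close()
    root = xml.etree.ElementTree.fromstring(payload)
    net = root.find(ARIN_NS + "net")
    blocks = net.find(ARIN_NS + "netBlocks") if net is not None else None
    block = blocks.find(ARIN_NS + "netBlock") if blocks is not None else None
    if block is None:
        raise ValueError("no netBlock in ARIN reply for %s" % ip)
    start_address = block.find(ARIN_NS + "startAddress").text
    cidr_length = int(block.find(ARIN_NS + "cidrLength").text)
    return start_address, get_netmask(cidr_length)


def load_routes(path):
    """Read a route file into {network_int: (addr, mask)}.

    Blank lines and lines starting with '#' are skipped; every other line is
    expected to look like "route = ADDR/MASK".
    """
    table = {}
    with open(path, "r") as f:
        for line in f:
            entry = line.strip()
            if entry and entry[0] != '#':
                addr, mask = entry.split('=')[1].strip().split('/')
                table[get_decimal_ip(addr)] = (addr, mask)
    return table


def covered(route_table, decimal_ip):
    """Return True when some (addr, mask) in route_table contains decimal_ip."""
    for network, (_, mask) in route_table.items():
        if (get_decimal_ip(mask) & decimal_ip) == network:
            return True
    return False


def main():
    """Update ROUTE_FILE from the domain-*.txt lists in the working directory."""
    route_table = load_routes(ROUTE_FILE)

    for fn in sorted(glob.glob("domain-*.txt")):
        print("Read from file [%s]" % fn)
        with open(fn, "r") as f:
            for line in f:
                domain = line.strip()
                if not domain or domain[0] == '#':
                    continue
                try:
                    ip = socket.gethostbyname(domain)
                except socket.error as exc:
                    # one unresolvable name must not abort the whole run
                    print("    Processing domain [%s] failed to resolve: %s" % (domain, exc))
                    continue
                decimal_ip = get_decimal_ip(ip)
                if covered(route_table, decimal_ip):
                    print("    Processing domain [%s] IP: %s exist, skip . . ." % (domain, ip))
                else:
                    addr, mask = query_cidr(ip)
                    route_table[get_decimal_ip(addr)] = (addr, mask)
                    print("    Processing domain [%s] IP: %s CIDR: %s/%s" % (domain, ip, addr, mask))

    with open(ROUTE_FILE, "w") as f:
        for _, (addr, mask) in sorted(route_table.items()):
            entry = "route = %s/%s" % (addr, mask)
            print(entry)
            f.write(entry + "\n")


if __name__ == "__main__":
    main()
--------------------------------------------------------------------------------
/route.txt:
--------------------------------------------------------------------------------
route = 1.0.0.0/255.0.0.0
route = 4.0.0.0/255.0.0.0
route = 8.0.0.0/252.0.0.0
route = 16.0.0.0/255.0.0.0
route = 23.0.0.0/255.0.0.0
route = 31.0.0.0/255.0.0.0
route = 38.0.0.0/255.0.0.0
route = 46.4.0.0/255.255.0.0
route = 50.0.0.0/255.0.0.0
route = 54.0.0.0/255.0.0.0
route = 58.0.0.0/255.0.0.0
route = 59.0.0.0/255.0.0.0
route = 60.0.0.0/248.0.0.0
route = 68.0.0.0/254.0.0.0
route = 72.0.0.0/254.0.0.0
route = 74.0.0.0/255.0.0.0
route = 76.0.0.0/255.0.0.0
route = 78.0.0.0/255.0.0.0
route = 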
80.0.0.0/255.0.0.0 20 | route = 92.0.0.0/254.0.0.0 21 | route = 96.0.0.0/254.0.0.0 22 | route = 100.0.0.0/255.0.0.0 23 | route = 101.0.0.0/255.0.0.0 24 | route = 103.0.0.0/255.0.0.0 25 | route = 107.0.0.0/255.0.0.0 26 | route = 108.174.0.0/255.255.240.0 27 | route = 109.0.0.0/255.0.0.0 28 | route = 111.0.0.0/255.0.0.0 29 | route = 117.0.0.0/255.0.0.0 30 | route = 119.0.0.0/255.0.0.0 31 | route = 125.0.0.0/255.0.0.0 32 | route = 128.0.0.0/255.0.0.0 33 | route = 131.103.0.0/255.255.0.0 34 | route = 134.0.0.0/255.0.0.0 35 | route = 141.0.0.0/255.0.0.0 36 | route = 162.242.128.0/255.255.128.0 37 | route = 168.0.0.0/255.0.0.0 38 | route = 173.0.0.0/255.0.0.0 39 | route = 174.0.0.0/255.0.0.0 40 | route = 176.0.0.0/255.0.0.0 41 | route = 178.0.0.0/255.0.0.0 42 | route = 184.0.0.0/254.0.0.0 43 | route = 190.0.0.0/255.0.0.0 44 | route = 192.0.0.0/255.0.0.0 45 | route = 198.0.0.0/254.0.0.0 46 | route = 203.0.0.0/255.0.0.0 47 | route = 204.0.0.0/254.0.0.0 48 | route = 206.0.0.0/255.0.0.0 49 | route = 208.0.0.0/255.0.0.0 50 | route = 209.0.0.0/255.0.0.0 51 | route = 210.0.0.0/255.0.0.0 52 | route = 212.0.0.0/255.0.0.0 53 | route = 216.0.0.0/254.0.0.0 54 | route = 218.0.0.0/255.0.0.0 55 | --------------------------------------------------------------------------------