diff --git a/Dockerfile b/Dockerfile
index 0adf6568..98a81c51 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,7 +6,8 @@ FROM alpine:latest
 LABEL maintainer="Guorui Yu "
 
 # Testing: pamtester
-RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing/" >> /etc/apk/repositories && \
+RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.tuna.tsinghua.edu.cn/g' /etc/apk/repositories && \
+ echo "http://mirrors.tuna.tsinghua.edu.cn/alpine/edge/testing/" >> /etc/apk/repositories && \
 apk add --update openvpn iptables bash easy-rsa openvpn-auth-pam google-authenticator pamtester && \
 ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin && \
 rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/*
diff --git a/Makefile b/Makefile
new file mode 100644
index 00000000..6cf0992e
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,42 @@
+VERSION ?= latest
+
+.PHONY: init gen_config start stop reset clean
+NETWORK_ID?=192.168.1.0
+MASK?=255.255.255.0
+# i.e: the game's under 192.168.1.*, then
+# NETWORK_ID is 192.168.1.0, MASK is 255.255.255.0
+
+TUN_INTERFACE?=tun0
+WAN_INTERFACE?=en0
+
+init:
+ # docker pull alpine:latest
+ docker-compose build
+ docker-compose run --rm vpn /bin/bash -c " \
+ ovpn_genconfig -u udp://$(HOST):$(PORT) && \
+ ovpn_initpki nopass && \
+ ovpn_addiroute $(NETWORK_ID) $(MASK)"
+
+gen_config:
+ docker-compose run --rm vpn /bin/bash -c " \
+ easyrsa build-client-full router nopass && \
+ easyrsa build-client-full player nopass "
+ docker-compose run --rm vpn ovpn_getclient router > router.ovpn
+ docker-compose run --rm vpn ovpn_getclient player > player.ovpn
+
+start:
+ docker-compose up -d vpn
+
+stop:
+ docker-compose down
+
+reset:
+ docker-compose run --rm vpn /bin/bash -c " \
+ ovpn_cleariroute && \
+ ovpn_addiroute $(NETWORK_ID) $(MASK)"
+ docker-compose down
+ # needs manual restart
+
+clean:
+ docker-compose down
+ rm -rf ./vpn_data
diff --git a/README.md b/README.md
index e39c4ab0..8c60b1ef 100644
--- a/README.md
+++ b/README.md
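Review bot: The new RUN hardcodes a single regional mirror into every build and appends the edge/testing repository over plain `http://`, so anyone building elsewhere inherits a slower or unreachable mirror and the image quietly mixes testing-branch packages into a stable base. The mirror host should be a build argument defaulting to the official CDN, and the scheme should be https, which both hosts serve: `ARG APK_MIRROR=dl-cdn.alpinelinux.org` above the RUN, then `RUN sed -i "s/dl-cdn.alpinelinux.org/${APK_MIRROR}/g" /etc/apk/repositories && \` and `echo "https://${APK_MIRROR}/alpine/edge/testing/" >> /etc/apk/repositories && \`. apk checks repository signatures, so https here is defense in depth for the metadata fetch rather than the only integrity control. The `apk add --update … && rm -rf /var/cache/apk/*` pair in the context lines is equivalent to the `--no-cache` idiom and could be simplified in the same step. The `FROM alpine:latest` line is outside this hunk.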
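Review bot: `init` interpolates `$(HOST)` and `$(PORT)` without checking they are set, so a bare `make init` generates a server config pointing at `udp://:` and the mistake only surfaces when clients fail to connect. Guard the recipe before the docker-compose run with `$(if $(HOST),,$(error HOST must be set to the VPS address))` and `$(if $(PORT),,$(error PORT must be set))` as the first two recipe lines of `init`. The `clean` target's `rm -rf ./vpn_data` also deletes the CA private key and every issued certificate without prompting; a comment such as `# destroys the PKI (CA key + all client certs): every .ovpn profile must be re-issued` above it makes clear this is not a cache wipe. `WAN_INTERFACE?=en0` looks like a macOS interface name, while the only consumer of that variable is the Linux-side router.sh and the Makefile never exports it — presumably a leftover default, worth confirming.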
@@ -7,78 +7,49 @@ the external network accessing the game intranet without barriers. * GitHub @ [kylemanna/docker-openvpn](https://github.com/kylemanna/docker-openvpn) ## Quick Start -* Build the docker in order to use it. - git clone https://github.com/yuguorui/docker-offline-game-vpn - cd docker-offline-game-vpn/ - docker build . -t ctf_vpn_docker +### Configure VPS -* Pick a name for the `$OVPN_DATA` data volume container. It's recommended to - use the `ovpn-data-` prefix to operate seamlessly with the reference systemd - service. Users are encourage to replace `example` with a descriptive name of - their choosing. +> should be accessable from both the on-site players and the off-site players - OVPN_DATA="vpn_data" +1. export some variables: +1. just run `make init` and follow the command-line prompts +1. boot up with `make start` or `docker-compose up -d` +1. generate ovpn profiles (player/router.ovpn) with `make gen_config` -* Initialize the `$OVPN_DATA` container that will hold the configuration files - and certificates. +> the variables to be exported are: - docker volume create --name $OVPN_DATA - docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm ctf_vpn_docker ovpn_genconfig -u udp://YOUR_VPS_ADDRESS:4242 - docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it ctf_vpn_docker ovpn_initpki nopass +|name|description| +|-|-| +|HOST|your vps's IP address| +|PORT|some spare port on your vps| +|NETWORK_ID/MASK|on-site challenge network| -* Start OpenVPN server process +>The input format of the NETWORK_ID/MASK: +> NETWORK_ID is 192.168.1.0 and MASK is 255.255.255.0 if the game's running under 192.168.1.* - docker run -v $OVPN_DATA:/etc/openvpn -d -p 4242:1194/udp --cap-add=NET_ADMIN --name ctf_vpn ctf_vpn_docker +### Configure On-site Router -* Add new iroute to access the intranet and restart the docker. (You have to figure out the CTF subnet range to make the VPN work.) +>a raspi, maybe? +1. 
download the generated `router.ovpn` on the vps +1. run the script `router.sh`, look into it before running! - docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it ctf_vpn_docker ovpn_addiroute NETWORK_ID MASK - docker restart ctf_vpn +### ~~Configure~~ Off-site Clients -* Generate a router certificate without a passphrase (DO NOT CHANGE THE CERTIFICATE NAME "router") +1. download the generated `player.ovpn` on the vps +1. drop the file into a OpenVPN client and start H@ck1ng - docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it ctf_vpn_docker easyrsa build-client-full router nopass - docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm ctf_vpn_docker ovpn_getclient router > router.ovpn - -* Generate a player certificate without a passphrase - - docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it ctf_vpn_docker easyrsa build-client-full player nopass - docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm ctf_vpn_docker ovpn_getclient player > player.ovpn - -* Configure the Server(router or PC) in the playing field (used the file `router.ovpn` generated in last step) - - # Allow forward packets in kernel - sysctl -w net.ipv4.ip_forward=1 - - # Install OpenVPN client - apt update && apt install openvpn - - # Run VPN client - nohup openvpn --config router.ovpn & - - # Configure the iptables - tun_interface=tun0 # Attention: tun0 is your tun interface, you should modify the interface to fit your need. - wan_interface=eth0 # eth0 is your WAN interface - iptables -t filter -I FORWARD -i ${tun_interface} -o ${wan_interface} -j ACCEPT - iptables -t filter -I FORWARD -i ${wan_interface} -o ${tun_interface} -j ACCEPT # Dual direction - iptables -t nat -I POSTROUTING -o ${wan_interface} -j MASQUERADE # setting SNAT - -* Configure the client of offline player (used the file `player.ovpn` generated in last step, and you should distribute the `player.ovpn` file to your team members.) 
- - # Install OpenVPN client - apt update && apt install openvpn - # Run VPN client - nohup openvpn --config player.ovpn & - # It's OK! - -* Clear the iroute to reconfigure +## Next Steps - docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it ctf_vpn_docker ovpn_cleariroute - docker restart ctf_vpn - # Now, you can re-add new iroute rules. +### Reusing -## Next Steps +```bash +export NETWORK_ID=? +export MASK=? +make reset +make start +make gen_config +``` ### Network topology ![Network topology](imgs/Network_topology.svg) @@ -96,10 +67,6 @@ unexpectedly, and pull updates from Docker Hub to keep itself up to date. Please refer to the [systemd documentation](docs/systemd.md) to learn more. -### Docker Compose - -If you prefer to use `docker-compose` please refer to the [documentation](docs/docker-compose.md). - ## Debugging Tips * Create an environment variable with the name DEBUG and value of 1 to enable debug output (using "docker -e"). diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 00000000..eb051b99 --- /dev/null +++ b/docker-compose.yml @@ -0,0 +1,13 @@ +version: "3.5" +services: + vpn: + build: . + volumes: + - ./vpn_data:/etc/openvpn + logging: + driver: none + cap_add: + - NET_ADMIN + ports: + - 4242:1194/udp + diff --git a/router.sh b/router.sh new file mode 100644 index 00000000..3efd7267 --- /dev/null +++ b/router.sh @@ -0,0 +1,5 @@ +sudo sysctl -w net.ipv4.ip_forward=1 +screen -dmLS openvpn "openvpn --config router.ovpn" +sudo iptables -t filter -I FORWARD -i ${TUN_INTERFACE} -o ${WAN_INTERFACE} -j ACCEPT +sudo iptables -t filter -I FORWARD -i ${WAN_INTERFACE} -o ${TUN_INTERFACE} -j ACCEPT +sudo iptables -t nat -I POSTROUTING -o ${WAN_INTERFACE} -j MASQUERADE \ No newline at end of file
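Review bot: The `vpn` service declares no `restart:` policy, so after a host reboot or an OpenVPN crash the gateway stays down until someone runs `make start` again; add `restart: unless-stopped` under the service. The `./vpn_data:/etc/openvpn` bind mount will hold the CA private key and every client key, which is not visible from the compose file alone; a comment `# holds the PKI (CA + client keys): keep out of version control and back it up` on the volumes entry, together with a matching ignore rule, would document that. The `logging: driver: none` setting matches the `--log-driver=none` the README used before, but it also means no server log survives for incident review — presumably deliberate, worth a comment. The line after the ports mapping contains only whitespace and can be dropped.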
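Review bot: `screen -dmLS openvpn "openvpn --config router.ovpn"` passes the whole command as one argument, and screen execs that argument directly rather than through a shell, so it looks for a program literally named `openvpn --config router.ovpn` and exits; even with the quoting fixed, the client runs without sudo while the other lines do, and creating the tun device needs root. The script also has no shebang and no `set -eu`, so an unset `${TUN_INTERFACE}`/`${WAN_INTERFACE}` reaches iptables as an empty interface after forwarding has already been enabled system-wide. Re-running the script inserts duplicate FORWARD/MASQUERADE rules because `-I` never checks for an existing one; an `iptables -C … || iptables -I …` pattern keeps it idempotent. The rewritten head below fails fast on missing variables and launches the client as root; the three iptables lines are unchanged apart from that optional guard.
```shell
#!/usr/bin/env bash
set -euo pipefail
: "${TUN_INTERFACE:?set to the VPN tunnel interface, e.g. tun0}"
: "${WAN_INTERFACE:?set to the game-LAN interface, e.g. eth0}"
sudo sysctl -w net.ipv4.ip_forward=1
sudo screen -dmLS openvpn openvpn --config router.ovpn
# … unchanged: the three iptables FORWARD/MASQUERADE rules …
```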