simplify configuration & switch mirror

Dockerfile

@@ -6,7 +6,8 @@ FROM alpine:latest
 LABEL maintainer="Guorui Yu <[email protected]@pku>"
 
 # Testing: pamtester
-RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing/" >> /etc/apk/repositories && \
+RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.tuna.tsinghua.edu.cn/g' /etc/apk/repositories && \
+    echo "http://mirrors.tuna.tsinghua.edu.cn/alpine/edge/testing/" >> /etc/apk/repositories && \
     apk add --update openvpn iptables bash easy-rsa openvpn-auth-pam google-authenticator pamtester && \
     ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin && \
     rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/*

Makefile

@@ -0,0 +1,42 @@
+VERSION ?= latest
+
+.PHONY: init gen_config start stop reset clean
+NETWORK_ID?=192.168.1.0
+MASK?=255.255.255.0
+# i.e: the game's under 192.168.1.*, then
+# NETWORK_ID is 192.168.1.0, MASK is 255.255.255.0
+
+TUN_INTERFACE?=tun0
+WAN_INTERFACE?=en0
+
+init:
+	# docker pull alpine:latest
+	docker-compose build
+	docker-compose run --rm vpn /bin/bash -c " \
+		ovpn_genconfig -u udp://$(HOST):$(PORT) && \
+		ovpn_initpki nopass && \
+		ovpn_addiroute $(NETWORK_ID) $(MASK)"
+
+gen_config:
+	docker-compose run --rm vpn /bin/bash -c " \
+		easyrsa build-client-full router nopass && \
+		easyrsa build-client-full player nopass "
+	docker-compose run --rm vpn ovpn_getclient router > router.ovpn
+	docker-compose run --rm vpn ovpn_getclient player > player.ovpn
+
+start:
+	docker-compose up -d vpn
+
+stop:
+	docker-compose down
+
+reset:
+	docker-compose run --rm vpn /bin/bash -c " \
+		ovpn_cleariroute && \
+		ovpn_addiroute $(NETWORK_ID) $(MASK)"
+	docker-compose down
+	# needs manual restart
+
+clean:
+	docker-compose down
+	rm -rf ./vpn_data

README.md

@@ -7,78 +7,49 @@ the external network accessing the game intranet without barriers.
 * GitHub @ [kylemanna/docker-openvpn](https://github.com/kylemanna/docker-openvpn)
 
 ## Quick Start
-* Build the docker in order to use it.
 
-        git clone https://github.com/yuguorui/docker-offline-game-vpn
-        cd docker-offline-game-vpn/
-        docker build . -t ctf_vpn_docker
+### Configure VPS
 
-* Pick a name for the `$OVPN_DATA` data volume container. It's recommended to
-  use the `ovpn-data-` prefix to operate seamlessly with the reference systemd
-  service.  Users are encourage to replace `example` with a descriptive name of
-  their choosing.
+> should be accessable from both the on-site players and the off-site players
 
-        OVPN_DATA="vpn_data"
+1. export some variables:
+1. just run `make init` and follow the command-line prompts
+1. boot up with `make start` or `docker-compose up -d`
+1. generate ovpn profiles (player/router.ovpn) with `make gen_config`
 
-* Initialize the `$OVPN_DATA` container that will hold the configuration files
-  and certificates.
+> the variables to be exported are:
 
-        docker volume create --name $OVPN_DATA
-        docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm ctf_vpn_docker ovpn_genconfig -u udp://YOUR_VPS_ADDRESS:4242
-        docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it ctf_vpn_docker ovpn_initpki nopass
+|name|description|
+|-|-|
+|HOST|your vps's IP address|
+|PORT|some spare port on your vps|
+|NETWORK_ID/MASK|on-site challenge network|
 
-* Start OpenVPN server process
+>The input format of the NETWORK_ID/MASK:  
+>       NETWORK_ID is 192.168.1.0 and MASK is 255.255.255.0 if the game's running under 192.168.1.*
 
-        docker run -v $OVPN_DATA:/etc/openvpn -d -p 4242:1194/udp --cap-add=NET_ADMIN --name ctf_vpn ctf_vpn_docker
+### Configure On-site Router
 
-* Add new iroute to access the intranet and restart the docker. (You have to figure out the CTF subnet range to make the VPN work.)
+>a raspi, maybe?
+1. download the generated `router.ovpn` on the vps
+1. run the script `router.sh`, look into it before running!
 
-        docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it ctf_vpn_docker ovpn_addiroute NETWORK_ID MASK
-        docker restart ctf_vpn
+### ~~Configure~~ Off-site Clients
 
-* Generate a router certificate without a passphrase (DO NOT CHANGE THE CERTIFICATE NAME "router")
+1. download the generated `player.ovpn` on the vps
+1. drop the file into a OpenVPN client and start H@ck1ng
 
-        docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it ctf_vpn_docker easyrsa build-client-full router nopass
-        docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm ctf_vpn_docker ovpn_getclient router > router.ovpn
-
-* Generate a player certificate without a passphrase
-
-        docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it ctf_vpn_docker easyrsa build-client-full player nopass
-        docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm ctf_vpn_docker ovpn_getclient player > player.ovpn
-
-* Configure the Server(router or PC) in the playing field (used the file `router.ovpn` generated in last step)
-
-        # Allow forward packets in kernel
-        sysctl -w net.ipv4.ip_forward=1
-
-        # Install OpenVPN client
-        apt update && apt install openvpn
-
-        # Run VPN client
-        nohup openvpn --config router.ovpn &
-
-        # Configure the iptables
-        tun_interface=tun0      # Attention: tun0 is your tun interface, you should modify the interface to fit your need.
-        wan_interface=eth0      # eth0 is your WAN interface
-        iptables -t filter -I FORWARD -i ${tun_interface} -o ${wan_interface} -j ACCEPT
-        iptables -t filter -I FORWARD -i ${wan_interface} -o ${tun_interface} -j ACCEPT         # Dual direction
-        iptables -t nat -I POSTROUTING -o ${wan_interface} -j MASQUERADE                        # setting SNAT
-
-* Configure the client of offline player (used the file `player.ovpn` generated in last step, and you should distribute the `player.ovpn` file to your team members.)
-
-        # Install OpenVPN client
-        apt update && apt install openvpn
-        # Run VPN client
-        nohup openvpn --config player.ovpn &
-        # It's OK!
-
-* Clear the iroute to reconfigure
+## Next Steps
 
-        docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it ctf_vpn_docker ovpn_cleariroute
-        docker restart ctf_vpn
-        # Now, you can re-add new iroute rules.
+### Reusing
 
-## Next Steps
+```bash
+export NETWORK_ID=?
+export MASK=?
+make reset
+make start
+make gen_config
+```
 
 ### Network topology
 ![Network topology](imgs/Network_topology.svg)
@@ -96,10 +67,6 @@ unexpectedly, and pull updates from Docker Hub to keep itself up to date.
 
 Please refer to the [systemd documentation](docs/systemd.md) to learn more.
 
-### Docker Compose
-
-If you prefer to use `docker-compose` please refer to the [documentation](docs/docker-compose.md).
-
 ## Debugging Tips
 
 * Create an environment variable with the name DEBUG and value of 1 to enable debug output (using "docker -e").

docker-compose.yml

@@ -0,0 +1,13 @@
+version: "3.5"
+services:
+  vpn:
+    build: .
+    volumes:
+      - ./vpn_data:/etc/openvpn
+    logging:
+      driver: none
+    cap_add:
+      - NET_ADMIN
+    ports:
+      - 4242:1194/udp
+

router.sh

@@ -0,0 +1,5 @@
+sudo sysctl -w net.ipv4.ip_forward=1
+screen -dmLS openvpn "openvpn --config router.ovpn"
+sudo iptables -t filter -I FORWARD -i ${TUN_INTERFACE} -o ${WAN_INTERFACE} -j ACCEPT
+sudo iptables -t filter -I FORWARD -i ${WAN_INTERFACE} -o ${TUN_INTERFACE} -j ACCEPT
+sudo iptables -t nat -I POSTROUTING -o ${WAN_INTERFACE} -j MASQUERADE