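#!/bin/bash
##
# Container entrypoint: prepare DNS and the TUN device, pick and patch an
# OpenVPN config, write credentials, set up UFW / local routes, then exec openvpn.
#
# Reads (env): REVISION, any *OVERRIDE_DNS* variable, HEALTH_CHECK_HOST,
#              CREATE_TUN_DEVICE
# Runs:        /scripts/openvpn-pre-start.sh (if executable), forwarding "$@"
##
set -e
source /etc/openvpn/utils.sh

if [[ -n "${REVISION-}" ]]; then
  echo "Starting container with revision: $REVISION"
fi

# Optional user hook. Its status is captured explicitly: under `set -e` the
# shell had already exited before the old `echo ... $?` could run, so that
# line could only ever print 0.
if [[ -x /scripts/openvpn-pre-start.sh ]]; then
  echo "Executing /scripts/openvpn-pre-start.sh"
  pre_start_rc=0
  /scripts/openvpn-pre-start.sh "$@" || pre_start_rc=$?
  echo "/scripts/openvpn-pre-start.sh returned ${pre_start_rc}"
  if (( pre_start_rc != 0 )); then
    exit "${pre_start_rc}"
  fi
fi

# Any exported variable whose name contains OVERRIDE_DNS replaces
# /etc/resolv.conf with one "nameserver" line per variable.
if compgen -e | grep -q "OVERRIDE_DNS"; then
  echo "One or more OVERRIDE_DNS addresses found. Will use them to overwrite /etc/resolv.conf"
  : > /etc/resolv.conf
  while IFS= read -r dns_var; do
    printf 'nameserver %s\n' "${!dns_var}" >> /etc/resolv.conf
  done < <(compgen -e | grep "OVERRIDE_DNS")
fi

# Test DNS resolution (a warning only; the tunnel may still come up).
if ! nslookup "${HEALTH_CHECK_HOST:-google.com}" >/dev/null 2>&1; then
  echo "WARNING: initial DNS resolution test failed"
fi

# If CREATE_TUN_DEVICE is set, create /dev/net/tun.
if [[ "${CREATE_TUN_DEVICE,,}" == "true" ]]; then
  echo "Creating TUN device /dev/net/tun"
  mkdir -p /dev/net
  # mknod fails (and with `set -e` aborts the start) when the node already
  # exists, e.g. when the device was also passed in from the host.
  if [[ ! -e /dev/net/tun ]]; then
    mknod /dev/net/tun c 10 200
  fi
  chmod 0666 /dev/net/tun
fi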
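##
# Configure OpenVPN.
# Work out which provider directory to use and make sure there is at least
# one way of obtaining a config (a configured provider or a direct URL).
##
# If no OPENVPN_PROVIDER is given, we default to "custom" provider.
VPN_PROVIDER="${OPENVPN_PROVIDER:-custom}"
export VPN_PROVIDER="${VPN_PROVIDER,,}" # to lowercase
export VPN_PROVIDER_HOME="/etc/openvpn/${VPN_PROVIDER}"
mkdir -p "$VPN_PROVIDER_HOME"

# Make sure that we have enough information to start OpenVPN.
# "**None**" is the image's "not set" sentinel for OPENVPN_PROVIDER. The
# parentheses spell out the precedence the old `a && b || c` chain relied on.
if [[ -z "${OPENVPN_PROVIDER-}" || ( -z "${OPENVPN_CONFIG_URL-}" && "${OPENVPN_PROVIDER}" == "**None**" ) ]]; then
  echo "ERROR: Cannot determine where to find your OpenVPN config. Both OPENVPN_CONFIG_URL and OPENVPN_PROVIDER are unset."
  echo "You have to either provide a URL to the config you want to use, or set a configured provider that will download one for you."
  echo "Exiting..."
  exit 1
fi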
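echo "Using OpenVPN provider: ${VPN_PROVIDER^^}"

# Step 1: a config handed to us directly — either mounted as default.ovpn for
# the CUSTOM provider, or fetched from OPENVPN_CONFIG_URL.
# The provider comparison is case-sensitive ("CUSTOM"), as elsewhere in this
# script; VPN_PROVIDER is the lowercased form used only for paths.
if [[ "${OPENVPN_PROVIDER}" == "CUSTOM" ]]; then
  # NOTE(review): -x (executable) is what upstream tests here; a readable but
  # non-executable default.ovpn falls through to the "custom" source below —
  # confirm that is intended.
  if [[ -x "$VPN_PROVIDER_HOME/default.ovpn" ]]; then
    CHOSEN_OPENVPN_CONFIG="$VPN_PROVIDER_HOME/default.ovpn"
  fi
elif [[ -n "${OPENVPN_CONFIG_URL-}" ]]; then
  echo "Found URL to single OpenVPN config, will download and use it."
  CHOSEN_OPENVPN_CONFIG="$VPN_PROVIDER_HOME/downloaded_config.ovpn"
  # --fail: without it an HTTP error page would be saved and later handed to
  # openvpn as if it were a config. The downloaded file is fully trusted from
  # here on: openvpn is started with --script-security 2 (see
  # TRANSMISSION_CONTROL_OPTS below), so any up/down script the config names
  # will be executed. Only point OPENVPN_CONFIG_URL at a source you control,
  # preferably over HTTPS.
  if ! curl --fail -o "$CHOSEN_OPENVPN_CONFIG" -sSL "$OPENVPN_CONFIG_URL"; then
    echo "ERROR: could not download OpenVPN config from OPENVPN_CONFIG_URL"
    exit 1
  fi
fi

# Step 2: nothing chosen yet — let the provider machinery find a config.
if [[ -z "${CHOSEN_OPENVPN_CONFIG-}" ]]; then
  # Support pulling configs from external config sources
  VPN_CONFIG_SOURCE="${VPN_CONFIG_SOURCE:-auto}"
  VPN_CONFIG_SOURCE="${VPN_CONFIG_SOURCE,,}" # to lowercase
  echo "Running with VPN_CONFIG_SOURCE ${VPN_CONFIG_SOURCE}"

  if [[ "${VPN_CONFIG_SOURCE}" == "auto" ]]; then
    if [[ -x "$VPN_PROVIDER_HOME/configure-openvpn.sh" ]]; then
      echo "Provider ${VPN_PROVIDER^^} has a bundled setup script. Defaulting to internal config"
      VPN_CONFIG_SOURCE=internal
    elif [[ "${OPENVPN_PROVIDER}" == "CUSTOM" ]]; then
      echo "CUSTOM provider specified but not using default.ovpn, will try to find a valid config mounted to $VPN_PROVIDER_HOME"
      VPN_CONFIG_SOURCE=custom
    else
      echo "No bundled config script found for ${VPN_PROVIDER^^}. Defaulting to external config"
      VPN_CONFIG_SOURCE=external
    fi
  fi

  if [[ "${VPN_CONFIG_SOURCE}" == "external" ]]; then
    # Absolute path: the previous "./etc/openvpn/..." was relative to $PWD and
    # only resolved when the working directory happened to be "/".
    # shellcheck source=openvpn/fetch-external-configs.sh
    /etc/openvpn/fetch-external-configs.sh
  fi

  if [[ -x "$VPN_PROVIDER_HOME/configure-openvpn.sh" ]]; then
    echo "Executing setup script for $OPENVPN_PROVIDER"
    # Preserve $PWD in case it changes when sourcing the script
    pushd -n "$PWD" > /dev/null
    # shellcheck source=/dev/null
    . "$VPN_PROVIDER_HOME"/configure-openvpn.sh
    # Restore previous PWD
    popd > /dev/null
  fi
fi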
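# Step 3: still no config — honour OPENVPN_CONFIG (a single name, or a
# comma-separated list to pick from), otherwise fall back to default.ovpn.
if [[ -z "${CHOSEN_OPENVPN_CONFIG:-}" ]]; then
  if [[ -n "${OPENVPN_CONFIG-}" ]]; then
    # A list persisted by an earlier sequential run takes precedence.
    if [[ -e /data/openvpn/OPENVPN_CONFIG ]]; then
      OPENVPN_CONFIG=$(cat /data/openvpn/OPENVPN_CONFIG)
    fi
    readarray -t OPENVPN_CONFIG_ARRAY <<< "${OPENVPN_CONFIG//,/$'\n'}"
    # Trim leading and trailing whitespace from every entry.
    for i in "${!OPENVPN_CONFIG_ARRAY[@]}"; do
      entry="${OPENVPN_CONFIG_ARRAY[$i]}"
      entry="${entry#"${entry%%[![:space:]]*}"}"
      entry="${entry%"${entry##*[![:space:]]}"}"
      OPENVPN_CONFIG_ARRAY[$i]="$entry"
    done

    # If there were multiple configs (comma separated), select one of them.
    config_count=${#OPENVPN_CONFIG_ARRAY[@]}
    if (( config_count > 1 )); then
      # Compared case-insensitively so "False"/"FALSE" do not silently switch
      # to sequential mode; the default stays random.
      sequential="${OPENVPN_CONFIG_SEQUENTIAL:-false}"
      if [[ "${sequential,,}" == "false" ]]; then
        # Select randomly.
        idx=$(( RANDOM % config_count ))
        echo "${config_count} servers found in OPENVPN_CONFIG, ${OPENVPN_CONFIG_ARRAY[$idx]} chosen randomly"
        OPENVPN_CONFIG="${OPENVPN_CONFIG_ARRAY[$idx]}"
      else
        # Select sequentially: take the head, rotate it to the back and persist
        # the new order so the next start uses the next server.
        echo "${config_count} servers found in OPENVPN_CONFIG, ${OPENVPN_CONFIG_ARRAY[0]} chosen sequentially"
        OPENVPN_CONFIG="${OPENVPN_CONFIG_ARRAY[0]}"
        OPENVPN_CONFIG_ARRAY=("${OPENVPN_CONFIG_ARRAY[@]:1}" "${OPENVPN_CONFIG_ARRAY[@]::1}")
        mkdir -p /data/openvpn/
        # Comma-joined, no trailing newline (same format the read above expects).
        ( IFS=,; printf '%s' "${OPENVPN_CONFIG_ARRAY[*]}" > /data/openvpn/OPENVPN_CONFIG )
      fi
    fi

    # Check that the chosen config exists.
    if [[ -f "${VPN_PROVIDER_HOME}/${OPENVPN_CONFIG}.ovpn" ]]; then
      echo "Starting OpenVPN using config ${OPENVPN_CONFIG}.ovpn"
      CHOSEN_OPENVPN_CONFIG="${VPN_PROVIDER_HOME}/${OPENVPN_CONFIG}.ovpn"
    else
      echo "Supplied config ${OPENVPN_CONFIG}.ovpn could not be found."
      echo "Your options for this provider are:"
      # Glob instead of `ls | grep .ovpn`, where the unescaped dot matched any character.
      for candidate in "${VPN_PROVIDER_HOME}"/*.ovpn; do
        if [[ -e "$candidate" ]]; then
          printf '%s\n' "${candidate##*/}"
        fi
      done
      echo "NB: Remember to not specify .ovpn as part of the config name."
      exit 1 # No longer fall back to default. The user chose a specific config - we should use it or fail.
    fi
  else
    echo "No VPN configuration provided. Using default."
    CHOSEN_OPENVPN_CONFIG="${VPN_PROVIDER_HOME}/default.ovpn"
  fi
fi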
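MODIFY_CHOSEN_CONFIG="${MODIFY_CHOSEN_CONFIG:-true}"
# The config file we're supposed to use is chosen, modify it to fit this container setup
if [[ "${MODIFY_CHOSEN_CONFIG,,}" == "true" ]]; then
  # shellcheck source=openvpn/modify-openvpn-config.sh
  /etc/openvpn/modify-openvpn-config.sh "$CHOSEN_OPENVPN_CONFIG"
fi

# Optional user hook that receives the final config path. Its status is
# captured explicitly: under `set -e` the shell had already exited before the
# old `echo ... $?` could run, so that line could only ever print 0.
if [[ -x /scripts/openvpn-post-config.sh ]]; then
  echo "Executing /scripts/openvpn-post-config.sh"
  post_config_rc=0
  /scripts/openvpn-post-config.sh "$CHOSEN_OPENVPN_CONFIG" || post_config_rc=$?
  echo "/scripts/openvpn-post-config.sh returned ${post_config_rc}"
  if (( post_config_rc != 0 )); then
    exit "${post_config_rc}"
  fi
fi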
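mkdir -p /config

# OpenVPN credentials. Precedence: a mounted secret, then OPENVPN_USERNAME /
# OPENVPN_PASSWORD ("**None**" is the image's "not set" sentinel), then a
# credentials file left by an earlier run.
if [[ -f /run/secrets/openvpn_creds ]]; then
  # (Re)write only when the file is missing or the secret changed.
  if [[ ! -f /config/openvpn-credentials.txt ]] \
     || [[ "$(cat /run/secrets/openvpn_creds)" != "$(cat /config/openvpn-credentials.txt)" ]]; then
    echo "Setting OpenVPN credentials..."
    cp /run/secrets/openvpn_creds /config/openvpn-credentials.txt
    # Same permissions the env-var branch below applies.
    chmod 600 /config/openvpn-credentials.txt
  fi
else
  if [[ "${OPENVPN_USERNAME}" == "**None**" ]] || [[ "${OPENVPN_PASSWORD}" == "**None**" ]]; then
    if [[ ! -f /config/openvpn-credentials.txt ]]; then
      echo "OpenVPN credentials not set. Exiting."
      exit 1
    fi
    echo "Found existing OPENVPN credentials at /config/openvpn-credentials.txt"
  else
    echo "Setting OpenVPN credentials..."
    # printf rather than `echo -e`: echo would expand backslash sequences such
    # as "\n" or "\t" inside the password and corrupt it. The subshell umask
    # creates the file 0600 from the start rather than after a world-readable
    # window; the chmod still covers a pre-existing file.
    ( umask 077; printf '%s\n%s\n' "${OPENVPN_USERNAME}" "${OPENVPN_PASSWORD}" > /config/openvpn-credentials.txt )
    chmod 600 /config/openvpn-credentials.txt
  fi
fi

# Transmission RPC credentials from env vars: username on line 1, password on line 2.
# printf so a value such as "-n" is written literally instead of being read as an echo flag.
printf '%s\n' "${TRANSMISSION_RPC_USERNAME}" > /config/transmission-credentials.txt
printf '%s\n' "${TRANSMISSION_RPC_PASSWORD}" >> /config/transmission-credentials.txt

# Persist transmission settings for use by transmission-daemon
python3 /etc/openvpn/persistEnvironment.py /etc/transmission/environment-variables.sh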
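# --script-security 2 lets openvpn run the route-up/route-pre-down hooks below —
# and equally any script the chosen .ovpn references, so the config must be trusted.
TRANSMISSION_CONTROL_OPTS="--script-security 2 --route-up /etc/openvpn/tunnelUp.sh --route-pre-down /etc/openvpn/tunnelDown.sh"

## If we use UFW or the LOCAL_NETWORK we need to grab network config info
if [[ "${ENABLE_UFW,,}" == "true" ]] || [[ -n "${LOCAL_NETWORK-}" ]]; then
  # Gateway (GW) and interface (INT) of the first default route that is not the
  # tunnel, i.e. the "default via <gw> dev <iface> ..." line. Read straight into
  # variables rather than `eval`-ing generated assignments. `|| true` keeps
  # `set -e` quiet when no such route exists; GW and INT are then empty.
  read -r GW INT < <(/sbin/ip route list match 0.0.0.0 | awk '{if($5!="tun0"){print $3, $5; exit}}') || true
  ## IF we use UFW_ALLOW_GW_NET along with ENABLE_UFW we need to know what our netmask CIDR is
  if [[ "${ENABLE_UFW,,}" == "true" ]] && [[ "${UFW_ALLOW_GW_NET,,}" == "true" ]]; then
    GW_CIDR=$(/sbin/ip route list dev "${INT}" | awk '{if($5=="link"){print $1; exit}}')
  fi
fi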
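## Open port to any address
#######################################
# Allow inbound traffic to a port from any source, if UFW is enabled.
# Globals:   ENABLE_UFW (read)
# Arguments: $1 - port (or port spec) as accepted by `ufw allow`
# Outputs:   a log line on stdout when a rule is added
# Returns:   0; a no-op when UFW is disabled or no port is given
#######################################
ufwAllowPort() {
  local portNum="${1-}"
  if [[ "${ENABLE_UFW,,}" == "true" && -n "${portNum}" ]]; then
    echo "allowing ${portNum} through the firewall"
    ufw allow "${portNum}"
  fi
}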
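## Open port to specific address.
#######################################
# Allow inbound traffic to a port from one source address/network, if UFW is enabled.
# Globals:   ENABLE_UFW (read)
# Arguments: $1 - port as accepted by `ufw allow ... port`
#            $2 - source address or CIDR
# Outputs:   a log line on stdout when a rule is added
# Returns:   0; a no-op when UFW is disabled or either argument is empty
#######################################
ufwAllowPortLong() {
  local portNum="${1-}"
  local sourceAddress="${2-}"
  if [[ "${ENABLE_UFW,,}" == "true" && -n "${portNum}" && -n "${sourceAddress}" ]]; then
    echo "allowing ${sourceAddress} through the firewall to port ${portNum}"
    ufw allow from "${sourceAddress}" to any port "${portNum}"
  fi
}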
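if [[ "${ENABLE_UFW,,}" == "true" ]]; then
  if [[ "${UFW_DISABLE_IPTABLES_REJECT,,}" == "true" ]]; then
    # A horrible hack to ufw to prevent it detecting the ability to limit and REJECT traffic
    sed -i 's/return caps/return []/g' /usr/lib/python3/dist-packages/ufw/util.py
    # force a rewrite on the enable below
    echo "Disable and blank firewall"
    ufw disable
    echo "" > /etc/ufw/user.rules
  fi

  # Enable firewall, with IPv6 rules switched off first.
  echo "enabling firewall"
  sed -i -e 's/IPV6=yes/IPV6=no/' /etc/default/ufw
  ufw enable

  # Peer port: a low:high range when Transmission randomises its port at start.
  if [[ "${TRANSMISSION_PEER_PORT_RANDOM_ON_START,,}" == "true" ]]; then
    PEER_PORT="${TRANSMISSION_PEER_PORT_RANDOM_LOW}:${TRANSMISSION_PEER_PORT_RANDOM_HIGH}"
  else
    PEER_PORT="${TRANSMISSION_PEER_PORT}"
  fi
  ufwAllowPort "${PEER_PORT}"

  if [[ "${WEBPROXY_ENABLED,,}" == "true" ]]; then
    ufwAllowPort "${WEBPROXY_PORT}"
  fi

  # The RPC port (and any UFW_EXTRA_PORTS) is opened to the gateway's whole
  # subnet when UFW_ALLOW_GW_NET is set, otherwise only to the gateway itself.
  # Both sources come from the route lookup above and may be empty, in which
  # case ufwAllowPortLong adds nothing.
  if [[ "${UFW_ALLOW_GW_NET,,}" == "true" ]]; then
    ufw_source="${GW_CIDR-}"
  else
    ufw_source="${GW-}"
  fi
  ufwAllowPortLong "${TRANSMISSION_RPC_PORT}" "${ufw_source}"
  if [[ -n "${UFW_EXTRA_PORTS-}" ]]; then
    for port in ${UFW_EXTRA_PORTS//,/ }; do
      ufwAllowPortLong "${port}" "${ufw_source}"
    done
  fi
fi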
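# Route each LOCAL_NETWORK entry (comma separated) via the physical gateway so
# it stays reachable once the tunnel becomes the default route, and let those
# networks reach the RPC port (and any UFW_EXTRA_PORTS) when UFW is on.
# GW and INT come from the route lookup above; nothing is added if either is empty.
if [[ -n "${LOCAL_NETWORK-}" ]]; then
  if [[ -n "${GW-}" ]] && [[ -n "${INT-}" ]]; then
    for localNet in ${LOCAL_NETWORK//,/ }; do
      echo "adding route to local network ${localNet} via ${GW} dev ${INT}"
      /sbin/ip route add "${localNet}" via "${GW}" dev "${INT}"
      if [[ "${ENABLE_UFW,,}" == "true" ]]; then
        ufwAllowPortLong "${TRANSMISSION_RPC_PORT}" "${localNet}"
        if [[ -n "${UFW_EXTRA_PORTS-}" ]]; then
          for port in ${UFW_EXTRA_PORTS//,/ }; do
            ufwAllowPortLong "${port}" "${localNet}"
          done
        fi
      fi
    done
  fi
fi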
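# Optional user hook run after routes are in place, forwarding "$@". Its status
# is captured explicitly: under `set -e` the shell had already exited before
# the old `echo ... $?` could run, so that line could only ever print 0.
if [[ -x /scripts/routes-post-start.sh ]]; then
  echo "Executing /scripts/routes-post-start.sh"
  routes_rc=0
  /scripts/routes-post-start.sh "$@" || routes_rc=$?
  echo "/scripts/routes-post-start.sh returned ${routes_rc}"
  if (( routes_rc != 0 )); then
    exit "${routes_rc}"
  fi
fi

# Optional background helper (/etc/scripts/selfheal.sh); any value other than
# "false" enables it.
if [[ "${SELFHEAL:-false}" != "false" ]]; then
  /etc/scripts/selfheal.sh &
fi

# Replace this shell with openvpn. TRANSMISSION_CONTROL_OPTS and OPENVPN_OPTS
# are intentionally unquoted so they word-split into separate arguments.
# shellcheck disable=SC2086
exec openvpn ${TRANSMISSION_CONTROL_OPTS} ${OPENVPN_OPTS} --config "${CHOSEN_OPENVPN_CONFIG}"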