- no dockerhub

- trafic masking
2021-04-04 23:12:36 +03:00 · 2021-04-04 23:12:36 +03:00 · 85b6b06cc9
commit 85b6b06cc9
parent 059c6404ab
31 changed files with 1106 additions and 256 deletions
--- a/client/server_scripts/build_container.sh
+++ b/client/server_scripts/build_container.sh
@ -0,0 +1 @@
+sudo docker build -t $CONTAINER_NAME $DOCKERFILE_FOLDER
--- a/client/server_scripts/install_docker.sh
+++ b/client/server_scripts/install_docker.sh
@ -0,0 +1,6 @@
+pm_apt="/usr/bin/apt-get"; pm_yum="/usr/bin/yum"; if [[ -f "$pm_apt" ]]; then pm=$pm_apt; else pm=$pm_yum; fi; if [[ ! -f "/usr/bin/sudo" ]]; then $pm update -y -q; $pm install -y -q sudo; fi
+pm_apt="/usr/bin/apt-get"; pm_yum="/usr/bin/yum"; if [[ -f "$pm_apt" ]]; then pm=$pm_apt; else pm=$pm_yum; fi; sudo $pm update -y -q
+pm_apt="/usr/bin/apt-get"; pm_yum="/usr/bin/yum"; if [[ -f "$pm_apt" ]]; then pm=$pm_apt; else pm=$pm_yum; fi; sudo $pm install -y -q curl
+pm_apt="/usr/bin/apt-get"; pm_yum="/usr/bin/yum"; if [[ -f "$pm_apt" ]]; then sudo export DEBIAN_FRONTEND=noninteractive; sudo $pm_apt install -y -q docker.io; else sudo $pm_yum install -y -q docker; fi
+sudo systemctl start docker
+
--- a/client/server_scripts/openvpn_cloak/Dockerfile
+++ b/client/server_scripts/openvpn_cloak/Dockerfile
@ -0,0 +1,52 @@
+FROM alpine:latest
+
+LABEL maintainer="AmneziaVPN"
+
+#Install required packages
+RUN apk add --no-cache curl openvpn easy-rsa bash netcat-openbsd dumb-init rng-tools
+RUN apk --update upgrade --no-cache
+
+ENV EASYRSA_BATCH 1
+ENV PATH="/usr/share/easy-rsa:${PATH}"
+
+RUN mkdir -p /opt/amnezia
+RUN echo -e "#!/bin/bash\ntail -f /dev/null" > /opt/amnezia/start.sh
+RUN chmod a+x /opt/amnezia/start.sh
+
+RUN curl -L https://github.com/cbeuw/Cloak/releases/download/v2.5.3/ck-server-linux-amd64-v2.5.3 > /usr/bin/ck-server
+RUN chmod a+x /usr/bin/ck-server
+
+# Tune network  
+RUN echo -e " \n\
+  fs.file-max = 51200 \n\
+  \n\
+  net.core.rmem_max = 67108864 \n\
+  net.core.wmem_max = 67108864 \n\
+  net.core.netdev_max_backlog = 250000 \n\
+  net.core.somaxconn = 4096 \n\
+  \n\
+  net.ipv4.tcp_syncookies = 1 \n\
+  net.ipv4.tcp_tw_reuse = 1 \n\
+  net.ipv4.tcp_tw_recycle = 0 \n\
+  net.ipv4.tcp_fin_timeout = 30 \n\
+  net.ipv4.tcp_keepalive_time = 1200 \n\
+  net.ipv4.ip_local_port_range = 10000 65000 \n\
+  net.ipv4.tcp_max_syn_backlog = 8192 \n\
+  net.ipv4.tcp_max_tw_buckets = 5000 \n\
+  net.ipv4.tcp_fastopen = 3 \n\
+  net.ipv4.tcp_mem = 25600 51200 102400 \n\
+  net.ipv4.tcp_rmem = 4096 87380 67108864 \n\
+  net.ipv4.tcp_wmem = 4096 65536 67108864 \n\
+  net.ipv4.tcp_mtu_probing = 1 \n\
+  net.ipv4.tcp_congestion_control = hybla \n\
+  # for low-latency network, use cubic instead \n\
+  # net.ipv4.tcp_congestion_control = cubic \n\
+  " | sed -e 's/^\s\+//g' | tee -a /etc/sysctl.conf && \
+  mkdir -p /etc/security && \
+  echo -e " \n\
+  * soft nofile 51200 \n\
+  * hard nofile 51200 \n\
+  " | sed -e 's/^\s\+//g' | tee -a /etc/security/limits.conf  
+
+ENTRYPOINT [ "dumb-init", "/opt/amnezia/start.sh" ]
+CMD [ "" ]
--- a/client/server_scripts/openvpn_cloak/configure_container.sh
+++ b/client/server_scripts/openvpn_cloak/configure_container.sh
@ -0,0 +1,84 @@
+# CONTAINER_NAME=... this var will be set in ServerController
+# Don't run commands in background like sh -c "openvpn &"
+# SERVER_PORT=443
+
+#sudo docker stop $CONTAINER_NAME
+#sudo docker rm -f $CONTAINER_NAME
+#sudo docker pull amneziavpn/openvpn-cloak:latest
+#sudo docker run -d --restart always --cap-add=NET_ADMIN -p $SERVER_PORT:443/tcp --name $CONTAINER_NAME amneziavpn/openvpn-cloak:latest
+
+sudo docker stop $CONTAINER_NAME
+sudo docker rm -f $CONTAINER_NAME
+sudo docker run -d --restart always --cap-add=NET_ADMIN -p $SERVER_PORT:443/tcp --name $CONTAINER_NAME $CONTAINER_NAME
+
+# Create tun device if not exist
+sudo docker exec -i $CONTAINER_NAME bash -c 'mkdir -p /dev/net; if [ ! -c /dev/net/tun ]; then mknod /dev/net/tun c 10 200; fi'
+
+# Prevent to route packets outside of the container in case if server behind of the NAT
+sudo docker exec -i $CONTAINER_NAME sh -c "ifconfig eth0:0 $SERVER_IP_ADDRESS netmask 255.255.255.255 up"
+
+# OpenVPN config
+sudo docker exec -i $CONTAINER_NAME bash -c 'mkdir -p /opt/amnezia/openvpn/clients; \
+cd /opt/amnezia/openvpn && easyrsa init-pki; \
+cd /opt/amnezia/openvpn && easyrsa gen-dh; \
+cd /opt/amnezia/openvpn && cp pki/dh.pem /opt/amnezia/openvpn && easyrsa build-ca nopass << EOF yes EOF && easyrsa gen-req AmneziaReq nopass << EOF2 yes EOF2;\
+cd /opt/amnezia/openvpn && easyrsa sign-req server AmneziaReq << EOF3 yes EOF3;\
+cd /opt/amnezia/openvpn && openvpn --genkey --secret ta.key << EOF4;\
+cd /opt/amnezia/openvpn && cp pki/ca.crt pki/issued/AmneziaReq.crt pki/private/AmneziaReq.key /opt/amnezia/openvpn'
+
+sudo docker exec -i $CONTAINER_NAME bash -c '\
+echo -e "\
+port 1194 \\n\
+proto tcp \\n\
+dev tun \\n\
+ca /opt/amnezia/openvpn/ca.crt \\n\
+cert /opt/amnezia/openvpn/AmneziaReq.crt \\n\
+key /opt/amnezia/openvpn/AmneziaReq.key \\n\
+dh /opt/amnezia/openvpn/dh.pem \\n\
+server $VPN_SUBNET_IP $VPN_SUBNET_MASK \\n\
+ifconfig-pool-persist ipp.txt \\n\
+duplicate-cn \\n\
+keepalive 10 120 \\n\
+cipher AES-256-GCM \\n\
+ncp-ciphers AES-256-GCM:AES-256-CBC \\n\
+auth SHA512 \\n\
+user nobody \\n\
+group nobody \\n\
+persist-key \\n\
+persist-tun \\n\
+status openvpn-status.log \\n\
+verb 1 \\n\
+tls-server \\n\
+tls-version-min 1.2 \\n\
+tls-auth /opt/amnezia/openvpn/ta.key 0" >>/opt/amnezia/openvpn/server.conf'
+
+#sudo docker exec -d $CONTAINER_NAME sh -c "openvpn --config /opt/amnezia/openvpn/server.conf"
+
+# Cloak config
+sudo docker exec -i $CONTAINER_NAME bash -c '\
+mkdir -p /opt/amnezia/cloak; \
+cd /opt/amnezia/cloak || exit 1; \
+CLOAK_ADMIN_UID=$(ck-server -u) && echo $CLOAK_ADMIN_UID > /opt/amnezia/cloak/cloak_admin_uid.key; \
+CLOAK_BYPASS_UID=$(ck-server -u) && echo $CLOAK_BYPASS_UID > /opt/amnezia/cloak/cloak_bypass_uid.key; \
+IFS=, read CLOAK_PUBLIC_KEY CLOAK_PRIVATE_KEY <<<$(ck-server -k); \
+echo $CLOAK_PUBLIC_KEY > /opt/amnezia/cloak/cloak_public.key; \
+echo $CLOAK_PRIVATE_KEY > /opt/amnezia/cloak/cloak_private.key; \
+echo -e "{\\n\
+  \"ProxyBook\": {\\n\
+     \"openvpn\": [\\n\
+      \"tcp\",\\n\
+      \"localhost:1194\"\\n\
+    ]\\n\
+  },\\n\
+  \"BypassUID\": [\\n\
+    \"$CLOAK_BYPASS_UID\"\\n\
+  ],\\n\
+  \"BindAddr\":[\":443\"],\\n\
+  \"RedirAddr\": \"$FAKE_WEB_SITE_ADDRESS\",\\n\
+  \"PrivateKey\": \"$CLOAK_PRIVATE_KEY\",\\n\
+  \"AdminUID\": \"$CLOAK_ADMIN_UID\",\\n\
+  \"DatabasePath\": \"userinfo.db\",\\n\
+  \"StreamTimeout\": 300\\n\
+}" >>/opt/amnezia/cloak/ck-config.json'
+
+#sudo docker exec -d $CONTAINER_NAME sh -c "/usr/bin/ck-server -c /opt/amnezia/cloak/ck-config.json"
--- a/client/server_scripts/openvpn_cloak/start.sh
+++ b/client/server_scripts/openvpn_cloak/start.sh
@ -0,0 +1,23 @@
+#!/bin/bash
+
+# This scripts copied from Amnezia client to Docker container to /opt/amnezia and launched every time container starts
+
+echo "Container Startup start"
+
+if [ ! -c /dev/net/tun ]; then mkdir -p /dev/net; mknod /dev/net/tun c 10 200; fi
+
+# Allow traffic on the TUN interface.
+iptables -A INPUT -i tun0 -j ACCEPT
+iptables -A FORWARD -i tun0 -j ACCEPT
+iptables -A OUTPUT -o tun0 -j ACCEPT
+
+# Allow forwarding traffic only from the VPN.
+iptables -A FORWARD -i tun0 -o eth0 -s $VPN_SUBNET_IP/$VPN_SUBNET_MASK_VAL -j ACCEPT
+iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+iptables -t nat -A POSTROUTING -s $VPN_SUBNET_IP/$VPN_SUBNET_MASK_VAL -o eth0 -j MASQUERADE
+
+if [ -f /opt/amnezia/openvpn/ca.crt ]; then (openvpn --config /opt/amnezia/openvpn/server.conf --daemon); fi
+if [ -f /opt/amnezia/cloak/ck-config.json ]; then (ck-server -c /opt/amnezia/cloak/ck-config.json &); fi
+
+tail -f /dev/null
--- a/client/server_scripts/openvpn_cloak/template.ovpn
+++ b/client/server_scripts/openvpn_cloak/template.ovpn
@ -0,0 +1,35 @@
+client
+dev tun
+proto $PROTO
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+cipher AES-256-GCM
+auth SHA512
+verb 3
+tls-client
+tls-version-min 1.2
+key-direction 1
+remote-cert-tls server
+redirect-gateway def1 bypass-dhcp
+
+dhcp-option DNS $PRIMARY_DNS
+dhcp-option DNS $SECONDARY_DNS
+block-outside-dns
+
+route $REMOTE_HOST 255.255.255.255 net_gateway
+remote 127.0.0.1 1194
+
+<ca>
+$CA_CERT
+</ca>
+<cert>
+$CLIENT_CERT
+</cert>
+<key>
+$PRIV_KEY
+</key>
+<tls-auth>
+$TA_KEY
+</tls-auth>
--- a/client/server_scripts/prepare_host.sh
+++ b/client/server_scripts/prepare_host.sh
@ -0,0 +1,3 @@
+CUR_USER=$(whoami);\
+sudo mkdir -p $DOCKERFILE_FOLDER;\
+sudo chown $CUR_USER $DOCKERFILE_FOLDER
--- a/client/server_scripts/setup_host_firewall.sh
+++ b/client/server_scripts/setup_host_firewall.sh
@ -1,24 +1,31 @@
 sudo sysctl -w net.ipv4.ip_forward=1
-sudo iptables -P FORWARD ACCEPT
 sudo iptables -C INPUT -p icmp --icmp-type echo-request -j DROP || sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

+#sudo iptables -P FORWARD ACCEPT
+sudo iptables -A FORWARD -j DOCKER-USER
+sudo iptables -A FORWARD -j DOCKER-ISOLATION-STAGE-1
+sudo iptables -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+sudo iptables -A FORWARD -o docker0 -j DOCKER
+sudo iptables -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
+sudo iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT
+
 # Tuning network
-sudo sysctl fs.file-max=51200
-sudo sysctl net.core.rmem_max=67108864
-sudo sysctl net.core.wmem_max=67108864
-sudo sysctl net.core.netdev_max_backlog=250000
-sudo sysctl net.core.somaxconn=4096
-sudo sysctl net.ipv4.tcp_syncookies=1
-sudo sysctl net.ipv4.tcp_tw_reuse=1
-sudo sysctl net.ipv4.tcp_tw_recycle=0
-sudo sysctl net.ipv4.tcp_fin_timeout=30
-sudo sysctl net.ipv4.tcp_keepalive_time=1200
-sudo sysctl net.ipv4.ip_local_port_range="10000 65000"
-sudo sysctl net.ipv4.tcp_max_syn_backlog=8192
-sudo sysctl net.ipv4.tcp_max_tw_buckets=5000
-sudo sysctl net.ipv4.tcp_fastopen=3
-sudo sysctl net.ipv4.tcp_mem="25600 51200 102400"
-sudo sysctl net.ipv4.tcp_rmem="4096 87380 67108864"
-sudo sysctl net.ipv4.tcp_wmem="4096 65536 67108864"
-sudo sysctl net.ipv4.tcp_mtu_probing=1
+sudo sysctl fs.file-max=51200; \
+sudo sysctl net.core.rmem_max=67108864; \
+sudo sysctl net.core.wmem_max=67108864; \
+sudo sysctl net.core.netdev_max_backlog=250000; \
+sudo sysctl net.core.somaxconn=4096; \
+sudo sysctl net.ipv4.tcp_syncookies=1; \
+sudo sysctl net.ipv4.tcp_tw_reuse=1; \
+sudo sysctl net.ipv4.tcp_tw_recycle=0; \
+sudo sysctl net.ipv4.tcp_fin_timeout=30; \
+sudo sysctl net.ipv4.tcp_keepalive_time=1200; \
+sudo sysctl net.ipv4.ip_local_port_range="10000 65000"; \
+sudo sysctl net.ipv4.tcp_max_syn_backlog=8192; \
+sudo sysctl net.ipv4.tcp_max_tw_buckets=5000; \
+sudo sysctl net.ipv4.tcp_fastopen=3; \
+sudo sysctl net.ipv4.tcp_mem="25600 51200 102400"; \
+sudo sysctl net.ipv4.tcp_rmem="4096 87380 67108864"; \
+sudo sysctl net.ipv4.tcp_wmem="4096 65536 67108864"; \
+sudo sysctl net.ipv4.tcp_mtu_probing=1; \
 sudo sysctl net.ipv4.tcp_congestion_control=hybla
--- a/client/server_scripts/setup_shadowsocks_server.sh
+++ b/client/server_scripts/setup_shadowsocks_server.sh
@ -12,17 +12,18 @@ sudo systemctl start docker
 sudo docker stop $CONTAINER_NAME
 sudo docker rm -f $CONTAINER_NAME
 sudo docker pull amneziavpn/shadowsocks:latest
-sudo docker run -d --restart always --cap-add=NET_ADMIN -p 1194:1194/tcp -p 6789:6789/tcp --name $CONTAINER_NAME amneziavpn/shadowsocks:latest
+sudo docker run -d --restart always --cap-add=NET_ADMIN -p 6789:6789/tcp --name $CONTAINER_NAME amneziavpn/shadowsocks:latest

 # Prevent to route packets outside of the container in case if server behind of the NAT
 sudo docker exec -i $CONTAINER_NAME sh -c "ifconfig eth0:0 $SERVER_IP_ADDRESS netmask 255.255.255.255 up"

-sudo docker exec -i $CONTAINER_NAME sh -c "mkdir -p /opt/amneziavpn_data/clients"
-sudo docker exec -i $CONTAINER_NAME sh -c "cd /opt/amneziavpn_data && easyrsa init-pki"
-sudo docker exec -i $CONTAINER_NAME sh -c "cd /opt/amneziavpn_data && easyrsa gen-dh"
+# OpenVpn
+sudo docker exec -i $CONTAINER_NAME bash -c 'mkdir -p /opt/amneziavpn_data/clients;\
+cd /opt/amneziavpn_data && easyrsa init-pki;\
+cd /opt/amneziavpn_data && easyrsa gen-dh;\
+cd /opt/amneziavpn_data && cp pki/dh.pem /etc/openvpn && easyrsa build-ca nopass << EOF yes EOF && easyrsa gen-req MyReq nopass << EOF2 yes EOF2;\
+cd /opt/amneziavpn_data && easyrsa sign-req server MyReq << EOF3 yes EOF3;\
+cd /opt/amneziavpn_data && openvpn --genkey --secret ta.key << EOF4;\
+cd /opt/amneziavpn_data && cp pki/ca.crt pki/issued/MyReq.crt pki/private/MyReq.key ta.key /etc/openvpn'

-sudo docker exec -i $CONTAINER_NAME sh -c "cd /opt/amneziavpn_data && cp pki/dh.pem /etc/openvpn && easyrsa build-ca nopass << EOF yes EOF && easyrsa gen-req MyReq nopass << EOF2 yes EOF2"
-sudo docker exec -i $CONTAINER_NAME sh -c "cd /opt/amneziavpn_data && easyrsa sign-req server MyReq << EOF3 yes EOF3"
-sudo docker exec -i $CONTAINER_NAME sh -c "cd /opt/amneziavpn_data && openvpn --genkey --secret ta.key << EOF4"
-sudo docker exec -i $CONTAINER_NAME sh -c "cd /opt/amneziavpn_data && cp pki/ca.crt pki/issued/MyReq.crt pki/private/MyReq.key ta.key /etc/openvpn"
 sudo docker exec -d $CONTAINER_NAME sh -c "openvpn --config /etc/openvpn/server.conf"
				`@ -0,0 +1 @@`
				`sudo docker build -t $CONTAINER_NAME $DOCKERFILE_FOLDER`