diff --git a/README.md b/README.md index 377eb3a..9d07dac 100644 --- a/README.md +++ b/README.md @@ -246,6 +246,7 @@ A collection of delicious docker recipes. ## VPN +- [x] dsvpn :+1: - [x] n2n :+1: - [x] ocserv :+1: - [x] openconnect diff --git a/dsvpn/Dockerfile b/dsvpn/Dockerfile new file mode 100644 index 0000000..7b4496a --- /dev/null +++ b/dsvpn/Dockerfile @@ -0,0 +1,27 @@ +FROM alpine AS builder + +ENV DSVPN_VERSION=0.1.4 +ENV DSVPN_URL=https://github.com/jedisct1/dsvpn/archive/${DSVPN_VERSION}.tar.gz + +RUN set -xe \ + && apk add --no-cache build-base curl linux-headers \ + && curl -sSL ${DSVPN_URL} | tar xz \ + && cd dsvpn-${DSVPN_VERSION} \ + && make PREFIX=/usr install + +# +# Dockerfile for dsvpn +# + +FROM alpine +MAINTAINER EasyPi Software Foundation + +RUN apk add --no-cache iptables +COPY --from=builder /usr/sbin/dsvpn /usr/sbin/ + +WORKDIR /etc/dsvpn + +EXPOSE 443 + +ENTRYPOINT ["dsvpn"] +CMD ["server", "vpn.key"] diff --git a/dsvpn/README.md b/dsvpn/README.md new file mode 100644 index 0000000..f1da32c --- /dev/null +++ b/dsvpn/README.md @@ -0,0 +1,43 @@ +dsvpn +===== + +[DSVPN][1] is a Dead Simple VPN + +docker-compose.yml +------------------ + +```yaml +dsvpn: + image: vimagick/dsvpn + command: server vpn.key auto 1959 + ports: + - "1959:1959" + volumes: + - ./data:/etc/dsvpn + working_dir: /etc/dsvpn + devices: + - /dev/net/tun + privileged: true + restart: unless-stopped +``` + +server +------ + +```bash +$ mkdir -p data +$ dd if=/dev/urandom of=data/vpn.key count=1 bs=32 +$ docker-compose up -d +$ docker-compose logs -f +``` + +client +------ + +```bash +$ sudo dsvpn vpn.key 1.2.3.4 1959 +$ ifconfig tun0 +$ ping 192.168.192.254 +``` + +[1]: https://github.com/jedisct1/dsvpn diff --git a/dsvpn/docker-compose.yml b/dsvpn/docker-compose.yml new file mode 100644 index 0000000..5e139df --- /dev/null +++ b/dsvpn/docker-compose.yml 
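Review bot: The `curl -sSL ${DSVPN_URL} | tar xz` step in the builder stage compiles whatever the download returns without verifying it, so a substituted or corrupted archive goes straight into the image; pin a checksum next to the version and check it before extracting, e.g. `ENV DSVPN_SHA256=<sha256 of the 0.1.4 release tarball>` and `&& curl -sSL ${DSVPN_URL} -o dsvpn.tar.gz && echo "${DSVPN_SHA256}  dsvpn.tar.gz" | sha256sum -c - && tar xzf dsvpn.tar.gz`. Both `FROM alpine` lines are unpinned, so a rebuild silently picks up a different base image; `FROM alpine:<version>` keeps builds reproducible. `EXPOSE 443` does not match the `1959` port used by the compose file and README in this same commit, and `MAINTAINER` is deprecated in favour of `LABEL maintainer="..."`.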
@@ -0,0 +1,11 @@
+dsvpn:
+ image: vimagick/dsvpn
+ command: server vpn.key auto 1959
+ ports:
+ - "1959:1959"
+ volumes:
+ - ./data:/etc/dsvpn
+ devices:
+ - /dev/net/tun
+ privileged: true
+ restart: unless-stopped
diff --git a/nginx-sso/nginx/conf.d/include/ssl.inc b/nginx-sso/nginx/conf.d/include/ssl.inc
new file mode 100644
index 0000000..1510e4a
--- /dev/null
+++ b/nginx-sso/nginx/conf.d/include/ssl.inc
@@ -0,0 +1,8 @@
+ssl_certificate /etc/nginx/certs/yourdomain.com.crt;
+ssl_certificate_key /etc/nginx/certs/yourdomain.com.key;
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+ssl_prefer_server_ciphers on;
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
diff --git a/nginx-sso/nginx/conf.d/include/sso.inc b/nginx-sso/nginx/conf.d/include/sso.inc
new file mode 100644
index 0000000..3e6188f
--- /dev/null
+++ b/nginx-sso/nginx/conf.d/include/sso.inc
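Review bot: `privileged: true` grants the container every capability and unrestricted host device access, which is far more than a VPN daemon needs once `/dev/net/tun` is already passed through via `devices`; replacing it with `cap_add: [NET_ADMIN]` is the usual least-privilege form for tun-based VPNs and is worth confirming against dsvpn's actual requirements (the image also ships iptables, which NET_ADMIN covers). The key is read from the bind-mounted `./data` directory, so its host permissions are the only thing protecting it; the README should pair the `dd` step with `chmod 600 data/vpn.key`.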
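Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` keeps TLS 1.0 and 1.1 enabled, both of which are deprecated (RFC 8996), and the cipher list still admits `DES-CBC3-SHA`, the bare `AES` and `CAMELLIA` groups and many CBC/SHA-1 suites; for an SSO front end `ssl_protocols TLSv1.2 TLSv1.3;` with the list trimmed to the ECDHE AEAD suites is the current baseline. The include sets no `Strict-Transport-Security` header, so the 301 in 000-nginx-sso.conf is the only thing steering browsers to HTTPS; `add_header Strict-Transport-Security "max-age=31536000" always;` belongs here. Note that nginx stops inheriting `add_header` directives in any block that declares its own, so the `add_header Set-Cookie` in the hass and portainer `location /` blocks would need the HSTS line repeated (or a shared include) for it to apply there.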
@@ -0,0 +1,36 @@
+# Protect this location using the auth_request
+auth_request /sso-auth;
+
+# Redirect the user to the login page when they are not logged in
+error_page 401 = @error401;
+
+location /sso-auth {
+ # Do not allow requests from outside
+ internal;
+
+ # Access /auth endpoint to query login state
+ proxy_pass http://172.17.0.1:8082/auth;
+
+ # Do not forward the request body (nginx-sso does not care about it)
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+
+ # Set custom information for ACL matching: Each one is available as
+ # a field for matching: X-Host = x-host, ...
+ proxy_set_header X-Origin-URI $request_uri;
+ proxy_set_header X-Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+}
+
+# If the user is lead to /logout redirect them to the logout endpoint
+# of ngninx-sso which then will redirect the user to / on the current host
+location /sso-logout {
+ return 302 https://login.yourdomain.com/logout?go=$scheme://$http_host/;
+}
+
+# Define where to send the user to login and specify how to get back
+location @error401 {
+ return 302 https://login.yourdomain.com/login?go=$scheme://$http_host$request_uri;
+}
diff --git a/nginx-sso/nginx/sites-enabled/000-nginx-sso.conf b/nginx-sso/nginx/sites-enabled/000-nginx-sso.conf
new file mode 100644
index 0000000..06c1dfc
--- /dev/null
+++ b/nginx-sso/nginx/sites-enabled/000-nginx-sso.conf
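Review bot: Both `return 302` targets build the `go=` parameter from `$http_host`, which is the client-supplied Host header copied verbatim rather than the name nginx matched the request against, so the post-login and post-logout destination is attacker-influenced unless nginx-sso strictly validates `go`; use `$host` (already matched against `server_name`, port stripped) in both, e.g. `return 302 https://login.yourdomain.com/login?go=$scheme://$host$request_uri;`. `$request_uri` is also appended raw into a query value, and whether that needs escaping depends on how nginx-sso parses `go`, which is worth confirming. `proxy_pass http://172.17.0.1:8082/auth;` talks plaintext to the auth service over the Docker bridge address, which is fine only while both run on the same host; the comment above it should say so.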
@@ -0,0 +1,22 @@
+# Redirect all requests to this server to https
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name _;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name login.yourdomain.com;
+
+ access_log /var/log/nginx/login.yourdomain.com_access.log;
+ error_log /var/log/nginx/login.yourdomain.com_error.log;
+
+ include conf.d/include/ssl.inc;
+
+ location / {
+ proxy_pass http://172.17.0.1:8082/;
+ }
+}
diff --git a/nginx-sso/nginx/sites-enabled/hass.yourdomain.com.conf b/nginx-sso/nginx/sites-enabled/hass.yourdomain.com.conf
new file mode 100644
index 0000000..b80481d
--- /dev/null
+++ b/nginx-sso/nginx/sites-enabled/hass.yourdomain.com.conf
@@ -0,0 +1,31 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name hass.yourdomain.com;
+
+ access_log /var/log/nginx/hass.yourdomain.com_access.log;
+ error_log /var/log/nginx/hass.yourdomain.com_error.log;
+
+ include conf.d/include/ssl.inc;
+ include conf.d/include/sso.inc;
+
+ location / {
+ # Automatically renew SSO cookie on request
+ auth_request_set $cookie $upstream_http_set_cookie;
+ add_header Set-Cookie $cookie;
+
+ proxy_pass http://172.17.0.1:8123/;
+
+ proxy_set_header Host $host;
+ proxy_redirect http:// https://;
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ }
+}
diff --git a/nginx-sso/nginx/sites-enabled/portainer.yourdomain.com.conf b/nginx-sso/nginx/sites-enabled/portainer.yourdomain.com.conf
new file mode 100644
index 0000000..aa22a14
--- /dev/null
+++ b/nginx-sso/nginx/sites-enabled/portainer.yourdomain.com.conf
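Review bot: No 443 server is marked `default_server`, so this `login.yourdomain.com` block (first by the `000-` prefix) becomes the implicit catch-all and serves the login application to any HTTPS request whose SNI/Host matches none of the configured names; an explicit `server { listen 443 ssl default_server; server_name _; include conf.d/include/ssl.inc; return 444; }` keeps unmatched traffic out. The `proxy_pass http://172.17.0.1:8082/;` block forwards neither `Host` nor `X-Forwarded-Proto`, so if nginx-sso relies on those to build redirect URLs or set cookie attributes it cannot tell it sits behind TLS; `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-Proto $scheme;` would close that gap.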
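Review bot: `add_header Set-Cookie $cookie;` inside `location /` means no `add_header` directive from the server level (security headers placed in ssl.inc, for instance) is inherited here, because nginx only inherits `add_header` when the current level defines none; the identical block in portainer.yourdomain.com.conf has the same effect, and a comment such as `# add_header here disables inherited server-level add_header directives` would stop the next maintainer from being surprised. The renewed cookie is re-emitted exactly as the auth subrequest returned it, so its `Secure`/`HttpOnly` attributes depend entirely on nginx-sso, which is worth confirming. The proxy block sets `X-Forwarded-For` but not `X-Forwarded-Proto $scheme`, which reverse-proxied applications commonly need to build correct absolute URLs.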
@@ -0,0 +1,19 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name portainer.yourdomain.com;
+
+ access_log /var/log/nginx/portainer.yourdomain.com_access.log;
+ error_log /var/log/nginx/portainer.yourdomain.com_error.log;
+
+ include conf.d/include/ssl.inc;
+ include conf.d/include/sso.inc;
+
+ location / {
+ # Automatically renew SSO cookie on request
+ auth_request_set $cookie $upstream_http_set_cookie;
+ add_header Set-Cookie $cookie;
+
+ proxy_pass http://172.17.0.1:9000/;
+ }
+}