azinchen / nordvpn

NordVPN Docker Client
GNU Affero General Public License v3.0

Some help with forwarding requests from an adapter TO the VPN #521

Closed Dethkiller15 closed 3 months ago

Dethkiller15 commented 3 months ago

I had been researching how to do this for the past few days and quite frankly I am out of my depth.

What I am attempting to do specifically is have the VPN container act as a host for all connections going out from a specific Docker network adapter, besides the ones that go to and from assigned ports, that is.

All I know is that the iptables and/or ip commands are needed both in the host machine and in the container itself.

Why do I specifically want to do it this way instead of doing it by attaching a container to the VPN container? In all honesty, it's to make it easier to manage my containers via Synology's Docker web UI and bypass the "container needs 1 network" error I get when trying to start it via the web UI instead of with "docker container start".
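The gateway side of what this post asks for, as an added example that is not from the issue or from the azinchen/nordvpn project: the rule set a VPN container needs to forward and NAT one Docker network's traffic into the tunnel, with a refusal to forward anything that would leave through the plain interface, plus a check that the tunnel really is the default route before the rules go in. The interface names (tun0, eth0), the Docker subnet 172.28.0.0/24 and the NET_ADMIN requirement are assumptions.

```shell
#!/bin/sh
# Added example, not code from the issue or from the azinchen/nordvpn project.
# Assumed names: tunnel interface tun0, Docker-facing interface eth0,
# Docker network 172.28.0.0/24; the container needs the NET_ADMIN capability.

# Emit the gateway rule set one command per line so it can be reviewed (or
# tested) before anything is applied. Order matters: the ACCEPT rules for
# traffic via the tunnel come first, then an explicit DROP for anything from
# the Docker network that would leave via eth0 (e.g. while the tunnel is down
# and the default route has fallen back to the host network).
gateway_rules() {
    net="$1"   # Docker network whose traffic must be tunnelled
    tun="$2"   # VPN tunnel interface
    lan="$3"   # interface facing the Docker network
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $net -o $tun -j MASQUERADE
iptables -A FORWARD -i $lan -o $tun -s $net -j ACCEPT
iptables -A FORWARD -i $tun -o $lan -d $net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $net -o $lan -j DROP
iptables -P FORWARD DROP
EOF
}

# Apply the rules for real (requires root/NET_ADMIN inside the container).
apply_gateway_rules() {
    gateway_rules "$@" | while IFS= read -r cmd; do
        sh -c "$cmd" || return 1
    done
}

# Sanity check before pointing other containers at this gateway: returns 0
# only if the default route in the given "ip route" output uses the tunnel.
# $1 = tunnel interface, $2 = captured output of "ip route".
default_via_tunnel() {
    printf '%s\n' "$2" | awk -v t="$1" '
        $1 == "default" { for (i = 2; i < NF; i++) if ($i == "dev" && $(i+1) == t) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Typical use inside the VPN container: "sh gateway.sh apply"
if [ "${1:-}" = "apply" ]; then
    default_via_tunnel tun0 "$(ip route)" || { echo "tunnel is not the default route; refusing" >&2; exit 1; }
    apply_gateway_rules 172.28.0.0/24 tun0 eth0
fi
```

The other containers on that network still need their default route pointed at this container's address on the Docker network, which needs NET_ADMIN on their side as well.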

Dethkiller15 commented 3 months ago

As I don't know what I am doing, I did what most tech-savvy people who are slightly/heavily out of their depth do: I asked ChatGPT, and it gave the following Dockerfile.

I basically gave it the prompt to make it so that the Dockerfile for this allows the container to also host a VPN server that runs the traffic through the main VPN connection. I just hope someone could test it for me and potentially correct some mistakes. I am out of brain juice after doing research and testing for the past couple of days since making this request for help/issue.

# s6 overlay builder
FROM alpine:3.20.2 AS s6-builder

ENV PACKAGE="just-containers/s6-overlay"
ENV PACKAGEVERSION="3.2.0.0"
ARG TARGETPLATFORM

RUN echo "**** install security fix packages ****" && \
    echo "**** install mandatory packages ****" && \
    apk --no-cache --no-progress add \
        tar=1.35-r2 \
        xz=5.6.2-r0 \
        && \
    echo "**** create folders ****" && \
    mkdir -p /s6 && \
    echo "**** download ${PACKAGE} ****" && \
    PACKAGEPLATFORM=$(case ${TARGETPLATFORM} in \
        "linux/amd64")    echo "x86_64"   ;; \
        "linux/386")      echo "i486"     ;; \
        "linux/arm64")    echo "aarch64"  ;; \
        "linux/arm/v7")   echo "armhf"    ;; \
        "linux/arm/v6")   echo "arm"      ;; \
        *)                echo ""         ;; esac) && \
    echo "Package ${PACKAGE} platform ${PACKAGEPLATFORM} version ${PACKAGEVERSION}" && \
    wget -q "https://github.com/${PACKAGE}/releases/download/v${PACKAGEVERSION}/s6-overlay-noarch.tar.xz" -qO /tmp/s6-overlay-noarch.tar.xz && \
    wget -q "https://github.com/${PACKAGE}/releases/download/v${PACKAGEVERSION}/s6-overlay-${PACKAGEPLATFORM}.tar.xz" -qO /tmp/s6-overlay-binaries.tar.xz && \
    tar -C /s6/ -Jxpf /tmp/s6-overlay-noarch.tar.xz && \
    tar -C /s6/ -Jxpf /tmp/s6-overlay-binaries.tar.xz

# rootfs builder
FROM alpine:3.20.2 AS rootfs-builder

RUN echo "**** install security fix packages ****" && \
    echo "**** end run statement ****"

COPY root/ /rootfs/
RUN chmod +x /rootfs/usr/bin/*
RUN chmod +x /rootfs/etc/nordvpn/init/*
COPY --from=s6-builder /s6/ /rootfs/

# Main image
FROM alpine:3.20.2

LABEL maintainer="Alexander Zinchenko <alexander@zinchenko.com>"

ENV TECHNOLOGY=openvpn_udp \
    RANDOM_TOP=0 \
    CHECK_CONNECTION_ATTEMPTS=5 \
    CHECK_CONNECTION_ATTEMPT_INTERVAL=10 \
    S6_CMD_WAIT_FOR_SERVICES_MAXTIME=120000

RUN echo "**** install security fix packages ****" && \
    echo "**** install mandatory packages ****" && \
    apk --no-cache --no-progress add \
        bash=5.2.26-r0 \
        curl=8.9.0-r0 \
        iptables=1.8.10-r3 \
        ip6tables=1.8.10-r3 \
        jq=1.7.1-r0 \
        shadow=4.15.1-r0 \
        shadow-login=4.15.1-r0 \
        openvpn=2.6.11-r0 \
        easy-rsa=3.1.3-r0 \
        bind-tools=9.18.27-r0 \
        && \
    echo "**** create process user ****" && \
    addgroup --system --gid 912 nordvpn && \
    adduser --system --uid 912 --disabled-password --no-create-home --ingroup nordvpn nordvpn && \
    echo "**** cleanup ****" && \
    rm -rf /tmp/* && \
    rm -rf /var/cache/apk/*

COPY --from=rootfs-builder /rootfs/ /

# Set up OpenVPN server configuration
# (the sample config already listens on port 1194/udp, so no port edit is needed)
RUN echo "**** configure OpenVPN server ****" && \
    mkdir -p /etc/openvpn/server && \
    mkdir -p /etc/openvpn/easy-rsa && \
    ln -s /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/ && \
    cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/server/ && \
    sed -i 's/;tls-auth ta.key 0/tls-auth ta.key 0/g' /etc/openvpn/server/server.conf && \
    sed -i 's/;user nobody/user nordvpn/g' /etc/openvpn/server/server.conf && \
    sed -i 's/;group nogroup/group nordvpn/g' /etc/openvpn/server/server.conf && \
    sed -i 's/;log-append openvpn.log/log-append \/var\/log\/openvpn.log/g' /etc/openvpn/server/server.conf

# Generate server keys and certificates.
# --batch stops easy-rsa from prompting for a Common Name, which nothing can
# answer during "docker build" (no TTY). Only the files the server reads at
# runtime are copied: ca.key is used solely to sign client certificates and
# must not live in the server directory. The sample server.conf refers to
# "dh dh2048.pem" while easy-rsa writes pki/dh.pem, hence the rename.
# Everything generated here is baked into the image layers; keys that must
# stay private are better created on first start into a volume.
RUN echo "**** generate OpenVPN server keys ****" && \
    cd /etc/openvpn/easy-rsa && \
    ./easyrsa --batch init-pki && \
    ./easyrsa --batch build-ca nopass && \
    ./easyrsa gen-dh && \
    openvpn --genkey --secret /etc/openvpn/server/ta.key && \
    ./easyrsa --batch build-server-full server nopass && \
    ./easyrsa gen-crl && \
    cp pki/ca.crt pki/issued/server.crt pki/private/server.key /etc/openvpn/server/ && \
    cp pki/dh.pem /etc/openvpn/server/dh2048.pem

# Expose necessary ports
EXPOSE 1194/udp

ENTRYPOINT ["/init"]

# Start OpenVPN server. s6-overlay runs CMD as the main process once its
# services are up. --cd makes the relative file names in server.conf
# (ca.crt, server.crt, server.key, ta.key, dh2048.pem) resolve from the
# server directory instead of the container's working directory.
CMD ["openvpn", "--cd", "/etc/openvpn/server", "--config", "/etc/openvpn/server/server.conf"]

I don't know if this would work or not, but it would be easier for me to route traffic through it if it is done this way.

Dethkiller15 commented 3 months ago

I had decided to go with a fork more towards my use case.

https://github.com/jiriteach/nvpn-router/issues/31