qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License

Kill Switch #3

Closed panzerchris closed 6 years ago

panzerchris commented 6 years ago

There isn't any mention in the documentation about whether a kill switch is enabled but I can see a few docker images out there that support it. Is this something that would be possible to add, if it isn't already an option?

qdm12 commented 6 years ago

There is a healthcheck which marks the container as unhealthy if the IP address changes from the initial VPN IP address. In this case, you can work with Docker and add the flag --restart=on-failure:1 so that it forces the container to stop.

Indeed, if the VPN connection fails, the container does not stop instantly but only at the next healthcheck. I will thus add this kill switch in the next commit soon.

qdm12 commented 6 years ago

Let me know if everything works smoothly or if you think I missed anything in the "killswitch" firewall (see entrypoint.sh).

It also adapts the firewall rules to your VPN country, protocol and encryption strength to match the corresponding and up-to-date PIA server IP addresses on the right port, so it might look confusing...

panzerchris commented 6 years ago

I gave this a test but struggled to get it working. Deleted all my instances and then started over:

```
Getting public IP address...DONE
Changing DNS to localhost...DONE
Starting Unbound to connect to Cloudflare DNS 1.1.1.1 at its TLS endpoint...DONE
Setting firewall for killswitch purposes...
  Detecting local subnet...172.18.0.0/16
nslookup: can't resolve 'Norway.privateinternetaccess.com': Name does not resolve
  Detecting IP addresses corresponding to Norway.privateinternetaccess.com...
  Deleting all iptables rules...DONE
  Adding rules to accept local loopback traffic...DONE
  Adding rules to accept traffic of subnet 172.18.0.0/16...DONE
  Determining port to be used with PIA...udp 1197
  Adding rules to accept traffic going through the tun device...DONE
Starting OpenVPN using udp with strong encryption
Thu Jun  7 19:42:58 2018 WARNING: file '/auth.conf' is group or others accessible
Thu Jun  7 19:42:58 2018 OpenVPN 2.4.4 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov  9 2017
Thu Jun  7 19:42:58 2018 library versions: LibreSSL 2.6.3, LZO 2.10
Thu Jun  7 19:43:03 2018 RESOLVE: Cannot resolve host address: no.privateinternetaccess.com:1197 (Try again)
Thu Jun  7 19:43:08 2018 RESOLVE: Cannot resolve host address: no.privateinternetaccess.com:1197 (Try again)
Thu Jun  7 19:43:08 2018 Could not determine IPv4/IPv6 protocol
Thu Jun  7 19:43:08 2018 SIGUSR1[soft,init_instance] received, process restarting
Thu Jun  7 19:43:18 2018 RESOLVE: Cannot resolve host address: no.privateinternetaccess.com:1197 (Try again)
Thu Jun  7 19:43:23 2018 RESOLVE: Cannot resolve host address: no.privateinternetaccess.com:1197 (Try again)
Thu Jun  7 19:43:23 2018 Could not determine IPv4/IPv6 protocol
Thu Jun  7 19:43:23 2018 SIGUSR1[soft,init_instance] received, process restarting
```

Any ideas what might be wrong with it?

qdm12 commented 6 years ago

Yes, it's my fault (latest commit), I will fix it for tomorrow, sorry for the delay. It's because I thought all PIA domain names would be countryname.privateinternetaccess.com, but it appears it's also countrycode.privateinternetaccess.com depending on the country chosen.

panzerchris commented 6 years ago

No problem! A few of them have spaces in the name too, which I think might cause a problem based on the current code there (e.g. UK London -> uk-london.privateinternetaccess.com).

qdm12 commented 6 years ago

All should be fixed now.

The container scans through the ovpn file needed (i.e. UK London.ovpn) and detects the domain name and port needed, depending on your parameters (udp, tcp, strong etc.).

It then only allows traffic through the tunnel device and to the IP addresses corresponding to the PIA regional subdomain name. Use docker logs if you're curious!