diff --git a/docker-compose.yaml b/docker-compose.yaml index 759e151..5d717ae 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -1,5 +1,12 @@ version: '3' +networks: + vpn-internal: + driver: bridge + ipam: + config: + - subnet: 172.18.0.0/16 + services: openvpn: build: @@ -8,17 +15,23 @@ services: image: openvpn:local command: /etc/openvpn/setup/configure.sh environment: - OVPN_SERVER_NET: "192.168.100.0" + OVPN_SERVER_NET: "10.8.0.0" OVPN_SERVER_MASK: "255.255.255.0" OVPN_PASSWD_AUTH: "true" + OVPN_CUSTOM_ROUTES: "172.18.0.0 255.255.0.0" cap_add: - NET_ADMIN + sysctls: + - net.ipv4.ip_forward=1 ports: - - 7777:1194 # for openvpn + - 7777:1194/udp # Changed to UDP for better performance - 8080:8080 # for ovpn-admin because of network_mode volumes: - ./easyrsa_master:/etc/openvpn/easyrsa - ./ccd_master:/etc/openvpn/ccd + networks: + - vpn-internal + ovpn-admin: build: context: . @@ -28,16 +41,25 @@ services: environment: OVPN_DEBUG: "true" OVPN_VERBOSE: "true" - OVPN_NETWORK: "192.168.100.0/24" + OVPN_NETWORK: "10.8.0.0/24" OVPN_CCD: "true" OVPN_CCD_PATH: "/mnt/ccd" EASYRSA_PATH: "/mnt/easyrsa" - OVPN_SERVER: "127.0.0.1:7777:tcp" + OVPN_SERVER: "13.127.115.63:7777:udp" # Changed to UDP OVPN_INDEX_PATH: "/mnt/easyrsa/pki/index.txt" OVPN_AUTH: "true" + OVPN_CIPHER: "AES-256-GCM" OVPN_AUTH_DB_PATH: "/mnt/easyrsa/pki/users.db" LOG_LEVEL: "debug" network_mode: service:openvpn volumes: - ./easyrsa_master:/mnt/easyrsa - ./ccd_master:/mnt/ccd + + nginx: + image: nginx:alpine + container_name: vpn-nginx + networks: + vpn-internal: + ipv4_address: 172.18.0.10 + restart: unless-stopped \ No newline at end of file diff --git a/setup/configure.sh b/setup/configure.sh index 109a7c6..2688fda 100644 --- a/setup/configure.sh +++ b/setup/configure.sh 
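Review bot: `OVPN_SERVER: "13.127.115.63:7777:udp"` in the ovpn-admin hunk pins a specific public IP into the compose file where loopback stood before; judging by `remote {{ $server.Host }} {{ $server.Port }} {{ $server.Protocol }}` in templates/client.conf.tpl this value is written into every generated client profile, so it is deployment-specific data rather than repository configuration. Move it to Compose variable substitution, e.g. `OVPN_SERVER: "${OVPN_PUBLIC_HOST:?set OVPN_PUBLIC_HOST in .env}:7777:udp"`, so the repository carries no live endpoint and a missing value fails loudly instead of producing profiles that point nowhere. The new `OVPN_CIPHER: "AES-256-GCM"` is not read by anything else in this diff — confirm the ovpn-admin image actually consumes that variable, otherwise it is dead configuration that suggests a guarantee the service does not enforce. The pinned `subnet: 172.18.0.0/16` in the first hunk lies inside Docker's default address pool and may collide with a bridge network that already exists on the host; a less common range, or leaving allocation to Docker, avoids that, and the nginx service added in the last hunk ships no config or volume, so presumably it is a placeholder to be filled in.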
@@ -4,10 +4,9 @@ set -ex EASY_RSA_LOC="/etc/openvpn/easyrsa" SERVER_CERT="${EASY_RSA_LOC}/pki/issued/server.crt" -OVPN_SRV_NET=${OVPN_SERVER_NET:-172.16.100.0} +OVPN_SRV_NET=${OVPN_SERVER_NET:-10.8.0.0} OVPN_SRV_MASK=${OVPN_SERVER_MASK:-255.255.255.0} - cd $EASY_RSA_LOC if [ -e "$SERVER_CERT" ]; then @@ -34,6 +33,9 @@ easyrsa gen-crl iptables -t nat -D POSTROUTING -s ${OVPN_SRV_NET}/${OVPN_SRV_MASK} ! -d ${OVPN_SRV_NET}/${OVPN_SRV_MASK} -j MASQUERADE || true iptables -t nat -A POSTROUTING -s ${OVPN_SRV_NET}/${OVPN_SRV_MASK} ! -d ${OVPN_SRV_NET}/${OVPN_SRV_MASK} -j MASQUERADE +# Fixed: Use environment variables instead of hardcoded values +iptables -t nat -A POSTROUTING -s ${OVPN_SRV_NET}/${OVPN_SRV_MASK} -d 172.18.0.0/16 -j MASQUERADE + mkdir -p /dev/net if [ ! -c /dev/net/tun ]; then mknod /dev/net/tun c 10 200 @@ -41,6 +43,11 @@ fi cp -f /etc/openvpn/setup/openvpn.conf /etc/openvpn/openvpn.conf +# Add custom routes if specified +if [ ! -z "${OVPN_CUSTOM_ROUTES}" ]; then + echo 'push "route '${OVPN_CUSTOM_ROUTES}'"' >> /etc/openvpn/openvpn.conf +fi + if [ ${OVPN_PASSWD_AUTH} = "true" ]; then mkdir -p /etc/openvpn/scripts/ cp -f /etc/openvpn/setup/auth.sh /etc/openvpn/scripts/auth.sh @@ -56,4 +63,5 @@ fi mkdir -p /etc/openvpn/ccd -openvpn --config /etc/openvpn/openvpn.conf --client-config-dir /etc/openvpn/ccd --port 1194 --proto tcp --management 127.0.0.1 8989 --dev tun0 --server ${OVPN_SRV_NET} ${OVPN_SRV_MASK} +# Fixed: Changed to UDP and use environment variables +openvpn --config /etc/openvpn/openvpn.conf --client-config-dir /etc/openvpn/ccd --port 1194 --proto udp --management 127.0.0.1 8989 --dev tun0 --server ${OVPN_SRV_NET} ${OVPN_SRV_MASK} \ No newline at end of file diff --git a/setup/openvpn.conf b/setup/openvpn.conf index 3934a2e..76cf2cc 100644 --- a/setup/openvpn.conf +++ b/setup/openvpn.conf 
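Review bot: The added `iptables -t nat -A POSTROUTING -s ${OVPN_SRV_NET}/${OVPN_SRV_MASK} -d 172.18.0.0/16 -j MASQUERADE` in the second hunk is already covered by the `! -d ${OVPN_SRV_NET}/${OVPN_SRV_MASK}` rule directly above it, which masquerades every destination outside the VPN subnet, so the new rule only adds a second matching entry, and unlike the rule above it has no `-D … || true` before the `-A`, so re-running the script inside the same container appends duplicates. The comment `# Fixed: Use environment variables instead of hardcoded values` does not describe that line, which hard-codes `172.18.0.0/16`; either drop the rule or derive the destination from the same variable that feeds `OVPN_CUSTOM_ROUTES`. In the third hunk `OVPN_CUSTOM_ROUTES` is spliced into the server config unquoted and unvalidated, and whatever it contains is pushed to every client as a route directive, so quote the expansion (`echo "push \"route ${OVPN_CUSTOM_ROUTES}\"" >> /etc/openvpn/openvpn.conf`) and reject anything that is not an `address netmask` pair first, e.g. `case "${OVPN_CUSTOM_ROUTES}" in *[!0-9. ]*) echo "invalid OVPN_CUSTOM_ROUTES" >&2; exit 1;; esac`. `[ ! -z "${OVPN_CUSTOM_ROUTES}" ]` reads more directly as `[ -n "${OVPN_CUSTOM_ROUTES}" ]`.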
@@ -8,7 +8,12 @@ dh /etc/openvpn/easyrsa/pki/dh.pem
 crl-verify /etc/openvpn/easyrsa/pki/crl.pem
 tls-auth /etc/openvpn/easyrsa/pki/ta.key
 key-direction 0
-cipher AES-128-CBC
+
+# Modern cipher configuration - UPDATED
+cipher AES-256-GCM
+data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC
+data-ciphers-fallback AES-128-CBC
+
 #management 127.0.0.1 8989
 keepalive 10 60
 persist-key
@@ -23,4 +28,4 @@ user nobody
 group nogroup
 push "topology subnet"
 push "route-metric 9999"
-push "dhcp-option DNS 1.1.1.1"
+push "dhcp-option DNS 1.1.1.1"
\ No newline at end of file
diff --git a/start.sh b/start.sh
index 2594dcb..6ee97b6 100755
--- a/start.sh
+++ b/start.sh
@@ -2,4 +2,4 @@
 # About 'docker compose' and 'docker-compose'
 # We are using Docker Compose in plugin mode with Docker. For more details, see: https://docs.docker.com/compose/install/linux/. If you need to use the standalone Docker Compose, you can modify the command `docker compose` to `docker-compose` accordingly.
-docker compose -p openvpn-master up -d --build
+docker compose -f docker-compose.yaml up -d --build
diff --git a/templates/client.conf.tpl b/templates/client.conf.tpl
index 0043b5c..9153303 100644
--- a/templates/client.conf.tpl
+++ b/templates/client.conf.tpl
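Review bot: `data-ciphers-fallback AES-128-CBC` and the trailing `AES-128-CBC` in `data-ciphers` keep the very cipher this hunk replaces available to any client that does not negotiate, so the server still accepts CBC sessions after the "modern" change; since templates/client.conf.tpl in the same commit moves generated profiles to AES-256-GCM, the CBC entries should be scheduled for removal once existing profiles are reissued, and that intent belongs in the comment. With `data-ciphers-fallback` present the separate `cipher AES-256-GCM` line is redundant on OpenVPN 2.5+, where `cipher` is only the deprecated fallback setting, while `data-ciphers` was introduced in 2.5 (2.4 knows `ncp-ciphers`) — confirm the openvpn version in the image before relying on either line. `# Modern cipher configuration - UPDATED` records that an edit happened rather than why; something like `# AES-GCM preferred; AES-128-CBC kept only as a fallback for clients that do not negotiate ciphers — remove once all profiles are reissued` tells the next reader what the fallback is for and when it can go.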
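Review bot: Dropping `-p openvpn-master` changes the Compose project name to the checkout directory name, so on a host already running the stack started by the old command the new `docker compose -f docker-compose.yaml up -d --build` does not update those containers but tries to create a second set alongside them, and the published ports 7777 and 8080 then conflict. Either keep the project name, `docker compose -p openvpn-master -f docker-compose.yaml up -d --build`, or document in the comment above that operators must run `docker compose -p openvpn-master down` once before switching. `-f docker-compose.yaml` names a file Compose already picks up by default, so on its own the flag changes nothing.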
@@ -2,24 +2,36 @@ remote {{ $server.Host }} {{ $server.Port }} {{ $server.Protocol }} {{- end }} +# -- General Settings -- # + verb 4 client nobind dev tun -cipher AES-128-CBC + +# -- Security & Encryption -- # + +cipher AES-256-GCM key-direction 1 -#redirect-gateway def1 tls-client remote-cert-tls server + +# uncomment below line if want to redirect all trafic from vpn +# redirect-gateway def1 + +# -- DNS Handing -- # + # uncomment below lines for use with linux + #script-security 2 -# if you use resolved #up /etc/openvpn/update-resolv-conf #down /etc/openvpn/update-resolv-conf + # if you use systemd-resolved first install openvpn-systemd-resolved package #up /etc/openvpn/update-systemd-resolved #down /etc/openvpn/update-systemd-resolved + {{- if .PasswdAuth }} auth-user-pass {{- end }}
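Review bot: The added comments carry typos that will be copied into every generated client profile — `trafic`, `Handing` and `if want to`; suggest `# uncomment the line below if you want to redirect all traffic through the vpn` and `# -- DNS Handling -- #`. The client still chooses its cipher through `cipher AES-256-GCM`, which on OpenVPN 2.5+ is a deprecated directive overridden by negotiation against the server's `data-ciphers` list (see setup/openvpn.conf in this commit), so for 2.5+ clients consider adding `data-ciphers AES-256-GCM:AES-128-GCM` under the Security section and, in either case, a one-line comment next to `cipher` stating which client versions the template targets, since that is what decides whether the line is honoured.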