See description

- Update OpenVPN pull-filter to ignore all IPv6 related pushed config (#17) - Fix detecting the default gateway (#17) - Rename services "run.sh" files to "run"
Trigus42 · Mar 25, 2022 · 2e93f77 · 2e93f77
1 parent d0b9f76
commit 2e93f77
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 33 deletions.
diff --git a/rootfs/etc/cont-init.d/01-environment.sh b/rootfs/etc/cont-init.d/01-environment.sh
@@ -27,6 +27,38 @@ else
     echo "$(date +'%Y-%m-%d %H:%M:%S') [INFO] LAN_NETWORK not defined (via -e LAN_NETWORK)"
 fi
 
+##########
+# Network environment
+
+# Identify docker bridge interface name (probably eth0)
+DOCKER_INTERFACE="$(netstat -ie | grep -vE "lo|tun|tap|wg" | sed -n '1!p' | grep -P -o -m 1 '^[\w]+')"
+if [[ "${DEBUG}" == "yes" ]]; then
+	echo "$(date +'%Y-%m-%d %H:%M:%S') [DEBUG] Docker interface defined as ${DOCKER_INTERFACE}"
+fi
+
+# Identify ip of docker bridge interface
+docker_ip="$(ip -4 addr show "${DOCKER_INTERFACE}" | grep -oP '(?<=inet\s)\d+(\.\d+){3}')"
+if [[ "${DEBUG}" == "yes" ]]; then
+	echo "$(date +'%Y-%m-%d %H:%M:%S') [DEBUG] Docker IP defined as ${docker_ip}"
+fi
+
+# Identify netmask of docker bridge interface
+docker_mask=$(ifconfig "${DOCKER_INTERFACE}" | grep -o "Mask:[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*" | grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*")
+if [[ "${DEBUG}" == "yes" ]]; then
+	echo "$(date +'%Y-%m-%d %H:%M:%S') [DEBUG] Docker netmask defined as ${docker_mask}"
+fi
+
+# Convert netmask into CIDR format
+DOCKER_NETWORK_CIDR=$(ipcalc "${docker_ip}" "${docker_mask}" | grep -P -o -m 1 "(?<=Network:)\s+[^\s]+" | sed -e 's~^[ \t]*~~;s~[ \t]*$~~')
+echo "$(date +'%Y-%m-%d %H:%M:%S') [INFO] Docker network defined as ${DOCKER_NETWORK_CIDR}"
+
+# Get default gateway of interfaces as looping through them
+DEFAULT_GATEWAY=$(ip -4 route list 0/0 | cut -d ' ' -f 3)
+if [[ "${DEBUG}" == "yes" ]]; then
+	echo "$(date +'%Y-%m-%d %H:%M:%S') [DEBUG] Default gateway defined as ${DEFAULT_GATEWAY}"
+fi
+
+
 ##########
 # PUID/PGID
 
@@ -115,7 +147,7 @@ done
 
 CONT_INIT_ENV="/var/run/s6/container_environment"
 mkdir -p $CONT_INIT_ENV
-export_vars=("LAN_NETWORK" "PUID" "PGID" "VPN_TYPE")
+export_vars=("LAN_NETWORK" "DOCKER_INTERFACE" "DOCKER_NETWORK_CIDR" "DEFAULT_GATEWAY" "PUID" "PGID" "VPN_TYPE")
 
 for name in "${export_vars[@]}"; do
 	echo -n "${!name}" > "$CONT_INIT_ENV/$name"

diff --git a/rootfs/etc/cont-init.d/02-vpn.sh b/rootfs/etc/cont-init.d/02-vpn.sh
@@ -203,9 +203,9 @@ if [[ $VPN_ENABLED == "yes" ]]; then
         echo "--------------------"
         # Check if credential file exists and is not empty
         if [[ -s /config/openvpn/"${VPN_CONFIG_NAME}"_credentials.conf ]]; then
-            exec openvpn --pull-filter ignore route-ipv6 --pull-filter ignore ifconfig-ipv6 --auth-user-pass /config/openvpn/"${VPN_CONFIG_NAME}"_credentials.conf --config "${VPN_CONFIG}" --script-security 2 --up /helper/resume-after-connect &
+            exec openvpn --pull-filter ignore "route-ipv6" --pull-filter ignore "ifconfig-ipv6" --pull-filter ignore "tun-ipv6" --pull-filter ignore "redirect-gateway ipv6" --pull-filter ignore "dhcp-option DNS6" --auth-user-pass /config/openvpn/"${VPN_CONFIG_NAME}"_credentials.conf --config "${VPN_CONFIG}" --script-security 2 --up /helper/resume-after-connect &
         else
-            exec openvpn --pull-filter ignore route-ipv6 --pull-filter ignore ifconfig-ipv6 --config "${VPN_CONFIG}" --script-security 2 --up /helper/resume-after-connect &
+            exec openvpn --pull-filter ignore "route-ipv6" --pull-filter ignore "ifconfig-ipv6" --pull-filter ignore "tun-ipv6" --pull-filter ignore "redirect-gateway ipv6" --pull-filter ignore "dhcp-option DNS6" --config "${VPN_CONFIG}" --script-security 2 --up /helper/resume-after-connect &
         fi
 
         # Pause execution (until openvpn connection is established and resume-after-connect script is run)

diff --git a/rootfs/etc/cont-init.d/03-network.sh b/rootfs/etc/cont-init.d/03-network.sh
@@ -8,37 +8,9 @@ if [[ $VPN_ENABLED == "no" ]]; then
     exit 0
 fi
 
-##########
-# Network environment
-
-# Identify docker bridge interface name (probably eth0)
-DOCKER_INTERFACE="$(netstat -ie | grep -vE "lo|tun|tap|wg|${VPN_CONFIG_NAME}" | sed -n '1!p' | grep -P -o -m 1 '^[\w]+')"
-if [[ "${DEBUG}" == "yes" ]]; then
-	echo "$(date +'%Y-%m-%d %H:%M:%S') [DEBUG] Docker interface defined as ${DOCKER_INTERFACE}"
-fi
-
-# Identify ip for docker bridge interface
-docker_ip="$(ip -4 addr show "${DOCKER_INTERFACE}" | grep -oP '(?<=inet\s)\d+(\.\d+){3}')"
-if [[ "${DEBUG}" == "yes" ]]; then
-	echo "$(date +'%Y-%m-%d %H:%M:%S') [DEBUG] Docker IP defined as ${docker_ip}"
-fi
-
-# Identify netmask for docker bridge interface
-docker_mask=$(ifconfig "${DOCKER_INTERFACE}" | grep -o "Mask:[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*" | grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*")
-if [[ "${DEBUG}" == "yes" ]]; then
-	echo "$(date +'%Y-%m-%d %H:%M:%S') [DEBUG] Docker netmask defined as ${docker_mask}"
-fi
-
-# Convert netmask into CIDR format
-docker_network_cidr=$(ipcalc "${docker_ip}" "${docker_mask}" | grep -P -o -m 1 "(?<=Network:)\s+[^\s]+" | sed -e 's~^[ \t]*~~;s~[ \t]*$~~')
-echo "$(date +'%Y-%m-%d %H:%M:%S') [INFO] Docker network defined as ${docker_network_cidr}"
-
 ##########
 # Packet routing
 
-# get default gateway of interfaces as looping through them
-DEFAULT_GATEWAY=$(ip -4 route list 0/0 | cut -d ' ' -f 3)
-
 # Split comma separated string into list from LAN_NETWORK env variable
 IFS=',' read -ra lan_network_list <<< "${LAN_NETWORK}"
 
@@ -104,7 +76,7 @@ fi
 iptables -A INPUT -i "${VPN_DEVICE_TYPE}" -m comment --comment "Accept input from tunnel adapter" -j ACCEPT
 
 # Accept input from/to internal docker network
-iptables -A INPUT -s "${docker_network_cidr}" -d "${docker_network_cidr}" -m comment --comment "Accept input from internal Docker network" -j ACCEPT
+iptables -A INPUT -s "${DOCKER_NETWORK_CIDR}" -d "${DOCKER_NETWORK_CIDR}" -m comment --comment "Accept input from internal Docker network" -j ACCEPT
 
 # Accept input to vpn gateway
 iptables -A INPUT -i "${DOCKER_INTERFACE}" -p "$VPN_PROTOCOL" --sport "$VPN_PORT" -s "${VPN_REMOTE}" -m comment --comment "Accept input of VPN gateway" -j ACCEPT
@@ -139,7 +111,7 @@ iptables -A INPUT -i lo -m comment --comment "Accept input to internal loopback"
 iptables -A OUTPUT -o "${VPN_DEVICE_TYPE}" -m comment --comment "Accept output to tunnel adapter" -j ACCEPT
 
 # Accept output to/from internal docker network
-iptables -A OUTPUT -s "${docker_network_cidr}" -d "${docker_network_cidr}" -m comment --comment "Accept output to internal Docker network" -j ACCEPT
+iptables -A OUTPUT -s "${DOCKER_NETWORK_CIDR}" -d "${DOCKER_NETWORK_CIDR}" -m comment --comment "Accept output to internal Docker network" -j ACCEPT
 
 # Accept output from vpn gateway
 iptables -A OUTPUT -o "${DOCKER_INTERFACE}" -p "$VPN_PROTOCOL" --dport "$VPN_PORT" -d "${VPN_REMOTE}" -m comment --comment "Accept output of VPN gateway" -j ACCEPT

diff --git a/rootfs/etc/services.d/healthcheck/run.sh → rootfs/etc/services.d/healthcheck/run b/rootfs/etc/services.d/healthcheck/run.sh → rootfs/etc/services.d/healthcheck/run
diff --git a/rootfs/etc/services.d/qbittorrent/run.sh → rootfs/etc/services.d/qbittorrent/run b/rootfs/etc/services.d/qbittorrent/run.sh → rootfs/etc/services.d/qbittorrent/run