From 3bd0ac0fbc72349559e8d828339c167a9409c172 Mon Sep 17 00:00:00 2001
From: aliasmee
Date: Tue, 24 Jul 2018 15:32:57 +0000
Subject: [PATCH] add radius version

---
 Dockerfile | 35 +++++++++++++++++++++--------------
 docker-run.txt | 1 +
 vpn | 42 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 64 insertions(+), 14 deletions(-)
 create mode 100644 docker-run.txt
 create mode 100644 vpn

diff --git a/Dockerfile b/Dockerfile
index dd78f48..2f236da 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,46 +4,53 @@ FROM alpine:latest MAINTAINER @aliasmee # Define a dynamic variable for Certificate CN -ENV HOST_IP '' +ENV HOSTIP '' ENV VPNUSER '' ENV VPNPASS '' ENV TZ=Asia/Shanghai +#ARG CERT_FILE=./conf/io.xio2.ml.cer +#ARG KEY_FILE=./conf/io.xio2.ml.key # strongSwan Version -ARG SS_VERSION="https://download.strongswan.org/strongswan-5.6.2.tar.gz" - -# download en -ARG BUILD_DEPS="gettext" -ARG RUNTIME_DEPS="libintl" +ARG SS_VERSION="https://download.strongswan.org/strongswan-5.5.3.tar.gz" # Install dep packge , Configure,make and install strongSwan -RUN apk --update add build-base curl bash iproute2 iptables-dev openssl openssl-dev supervisor bash && mkdir -p /tmp/strongswan \ - && apk add --update $RUNTIME_DEPS && apk add --virtual build_deps $BUILD_DEPS && cp /usr/bin/envsubst /usr/local/bin/envsubst \ +RUN apk --update add build-base curl bash iproute2 iptables-dev openssl openssl-dev supervisor && mkdir -p /tmp/strongswan \ && curl -Lo /tmp/strongswan.tar.gz $SS_VERSION && tar --strip-components=1 -C /tmp/strongswan -xf /tmp/strongswan.tar.gz \ && cd /tmp/strongswan \ - && ./configure --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap --enable-dhcp --enable-openssl --enable-addrblock --enable-unity --enable-certexpire --enable-radattr --enable-swanctl --enable-openssl --disable-gmp && make && make install \ - && rm -rf /tmp/* && apk del build-base curl openssl-dev build_deps && rm -rf /var/cache/apk/* \ + && ./configure --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap --enable-dhcp --enable-openssl --enable-addrblock --enable-unity --enable-certexpire --enable-radattr --enable-swanctl --enable-openssl --disable-gmp && make && make install && rm -rf /tmp/* && apk del build-base 
curl openssl-dev && rm -rf /var/cache/apk/* \ && ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone # Change local zonetime(BeiJing) # RUN \cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime # Create cert dir -RUN mkdir -p /data/key_files +#RUN mkdir -p /data/key_files # Copy configure file to ipsec\iptables +COPY ./conf/ipsec.conf /usr/local/etc/ipsec.conf COPY ./conf/strongswan.conf /usr/local/etc/strongswan.conf COPY ./conf/ipsec.secrets /usr/local/etc/ipsec.secrets COPY ./conf/iptables /etc/sysconfig/iptables COPY ./conf/supervisord.conf /etc/supervisord.conf -COPY ./conf/eap-radius.conf.template eap-radius.conf.template -COPY ./conf/ipsec.conf.template ipsec.conf.template + +# Copy let's ssl cert +#COPY ./conf/io.xio2.ml.cer /usr/local/etc/ipsec.d/certs/server.cert.pem +#COPY ./conf/io.xio2.ml.key /usr/local/etc/ipsec.d/private/server.pem +#COPY ./conf/io.xio2.ml.cer /usr/local/etc/ipsec.d/certs/client.cert.pem +#COPY ./conf/io.xio2.ml.key /usr/local/etc/ipsec.d/private/client.pem + +COPY ./conf/io.xio2.ml.cer /usr/local/etc/ipsec.d/certs/server.cert.pem +COPY ./conf/io.xio2.ml.key /usr/local/etc/ipsec.d/private/server.pem +COPY ./conf/io.xio2.ml.cer /usr/local/etc/ipsec.d/certs/client.cert.pem +COPY ./conf/io.xio2.ml.key /usr/local/etc/ipsec.d/private/client.pem # Make cert script and copy cert to ipsec dir COPY ./scripts/vpn /usr/bin/vpn # Open udp 500\4500 port -EXPOSE 500:500/udp 4500:4500/udp +EXPOSE 500:500/udp +EXPOSE 4500:4500/udp # Privilege mode #CMD ["/usr/bin/supervisord"]
diff --git a/docker-run.txt b/docker-run.txt
new file mode 100644
index 0000000..d455d24
--- /dev/null
+++ b/docker-run.txt
@@ -0,0 +1 @@
+docker run -itd --restart=always --privileged -v /lib/modules:/lib/modules -e HOST_IP='io.xio2.ml' -e VPNUSER=jack -e VPNPASS="ijackman" -e ACCOUNTING='yes' -e RADIUS_PORT='1812' -e RADIUS_SERVER='61' -e RADIUS_SECRET='.456' -e EAP_TYPE='eap-radius' -p 500:500/udp -p 4500:4500/udp --name=ikev2 e4d66c05c64f
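Review bot: The new lines `COPY ./conf/io.xio2.ml.key /usr/local/etc/ipsec.d/private/server.pem` and `COPY ./conf/io.xio2.ml.key /usr/local/etc/ipsec.d/private/client.pem` bake the IKE private key into an image layer, where anyone who can pull the image can read it, and they install the same key as both the server and the client identity, so any client holder can impersonate the server. Keep the key out of the build context (list it in `.dockerignore`) and supply it at run time, e.g. `-v <key-path>:/usr/local/etc/ipsec.d/private/server.pem:ro`, or generate it in the `vpn` script, whose commented-out `ipsec pki` steps already do that. The rename `ENV HOST_IP ''` → `ENV HOSTIP ''` is not mirrored in the new docker-run.txt, which still passes `-e HOST_IP='io.xio2.ml'`, so the `vpn` script's `sed -i "s/\$LEFTID/$HOSTIP/g"` would blank the leftid; that file also commits a VPN password and a RADIUS secret in clear and should carry placeholders instead. The new `SS_VERSION` moves from strongswan-5.6.2 down to 5.5.3 while the tarball is still fetched by `curl` with no checksum or signature verification before `tar`; I'd pin the current release and verify it against the signature strongSwan publishes alongside each tarball. `EXPOSE 500:500/udp` / `EXPOSE 4500:4500/udp` use publish syntax although EXPOSE only documents container ports (the host part is, as far as I can tell, ignored), so `EXPOSE 500/udp 4500/udp` states the intent more plainly.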
diff --git a/vpn b/vpn
new file mode 100644
index 0000000..ba5b0e6
--- /dev/null
+++ b/vpn
@@ -0,0 +1,42 @@
+#!/bin/bash
+#Author by Yifeng Han
+#Time 2017-07-30 00:30
+
+# Create certificate
+#cd /data/key_files
+#ipsec pki --gen --outform pem > ca.pem
+#ipsec pki --self --in ca.pem --dn "C=cn, O=ilove, CN=Free vpn" --ca --lifetime 3650 --outform pem >ca.cert.pem
+#ipsec pki --gen --outform pem > server.pem
+#ipsec pki --gen --outform pem > client.pem
+#ipsec pki --pub --in server.pem | ipsec pki --issue --lifetime 1200 --cacert ca.cert.pem --cakey ca.pem --dn "C=cn, O=ilove, CN=$HOSTIP" --san="$HOSTIP" --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem
+#ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=cn, O=ilove, CN=Free vpn client" --outform pem > client.cert.pem
+
+# Copy certificate to ipsec dir
+#\cp ca.cert.pem /usr/local/etc/ipsec.d/cacerts/
+#\cp server.cert.pem /usr/local/etc/ipsec.d/certs/
+#\cp server.pem /usr/local/etc/ipsec.d/private/
+#\cp client.cert.pem /usr/local/etc/ipsec.d/certs/
+#\cp client.pem /usr/local/etc/ipsec.d/private/
+
+# Dynamic modification of IPSec.conf
+sed -i "s/\$LEFTID/$HOSTIP/g" /usr/local/etc/ipsec.conf
+
+# Enable system forward
+sysctl -w net.ipv4.ip_forward=1
+sysctl -w net.ipv4.ip_no_pmtu_disc=1
+
+# Load iptables rules
+iptables-restore < /etc/sysconfig/iptables
+
+# Custom connection VPN username password
+sed -i "$ a $VPNUSER %any : EAP '$VPNPASS'" /usr/local/etc/ipsec.secrets
+
+# Reboot ipsec vpn
+supervisorctl restart ipsec
+
+# View the certificate contents and save file
+#echo "Below the horizontal line is the content of the certificate. Copy the content to a file in the .cert suffix format. Such as: vpn.cert"
+#echo "______________________________________________________________"
+#cat /data/key_files/ca.cert.pem
+
+echo "Congratulations, every successful step. Now, only fly it!"
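Review bot: `sed -i "$ a $VPNUSER %any : EAP '$VPNPASS'" /usr/local/etc/ipsec.secrets` interpolates the credential unescaped into a sed program, so a password containing a backslash or a newline changes what sed executes rather than what gets stored, and the same applies to `$HOSTIP` in `sed -i "s/\$LEFTID/$HOSTIP/g"` when it contains `/`, `&` or `\`. The script also has no `set -e` and never checks that HOSTIP, VPNUSER and VPNPASS are non-empty (the Dockerfile defaults them to ''), so an unset HOSTIP silently blanks the leftid and a failed `iptables-restore` or `supervisorctl restart ipsec` still ends in the "Congratulations" message. Because the secrets line is appended with `$ a`, every run adds one more credential entry instead of replacing the previous one; that is worth a comment or a guard. The rewrite below validates the inputs up front, writes the secret with `printf` so no user-controlled text reaches sed, and uses `|` as the substitution delimiter since it cannot occur in a hostname.

```shell
#!/bin/bash
set -eu
# Fail fast instead of writing empty values into ipsec.conf / ipsec.secrets.
: "${HOSTIP:?HOSTIP must be set}"
: "${VPNUSER:?VPNUSER must be set}"
: "${VPNPASS:?VPNPASS must be set}"
# … unchanged: commented-out certificate generation and copy steps …
# '|' cannot appear in a hostname, so it is a safe delimiter here.
sed -i "s|\$LEFTID|$HOSTIP|g" /usr/local/etc/ipsec.conf
# … unchanged: sysctl and iptables-restore …
# printf keeps the credential out of any sed program; %%any is a literal "%any".
printf "%s %%any : EAP '%s'\n" "$VPNUSER" "$VPNPASS" >> /usr/local/etc/ipsec.secrets
# … unchanged: supervisorctl restart and final echo …
```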