Add initial docker files

kitten · kitten · commit 78e26a6631df · 2015-11-21T07:10:25.000+01:00
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,3 @@
+.*
+LICENSE
+README.md
diff --git a/.editorconfig b/.editorconfig
@@ -0,0 +1,17 @@
+# http://editorconfig.org
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 2
+indent_style = tab
+max_line_length = 80
+trim_trailing_whitespace = true
+
+[*.md]
+max_line_length = 0
+trim_trailing_whitespace = false
+
+[COMMIT_EDITMSG]
+max_line_length = 0
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,33 @@
+FROM buildpack-deps:jessie
+
+RUN mkdir -p /conf
+
+RUN apt-get update && apt-get install -y \
+  libgmp-dev \
+  iptables
+
+ENV STRONGSWAN_VERSION 5.3.4
+
+RUN mkdir -p /usr/src/strongswan \
+	&& curl -SL "https://download.strongswan.org/strongswan-$STRONGSWAN_VERSION.tar.gz" \
+	| tar -zxC /usr/src/strongswan --strip-components 1 \
+	&& cd /usr/src/strongswan \
+	&& ./configure --prefix=/usr --sysconfdir=/etc --enable-kernel-libipsec \
+	&& make \
+	&& make install \
+	&& rm -rf /usr/src/strongswan
+
+# Configuration files
+ADD ipsec.conf /etc/ipsec.conf
+ADD strongswan.conf /etc/strongswan.conf
+ADD run.sh /run.sh
+
+# The password is later on replaced with a random string
+ENV VPN_USER user
+ENV VPN_PASSWORD password
+ENV VPN_PSK password
+
+VOLUME ["/etc/ipsec.d"]
+EXPOSE 4500/udp 500/udp
+
+CMD ["/run.sh"]
diff --git a/ipsec.conf b/ipsec.conf
@@ -0,0 +1,53 @@
+# ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	uniqueids=never
+	charondebug="cfg 2, dmn 2, ike 2, net 0"
+
+conn %default
+	ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes128-sha256-modp1536,aes256-sha3$
+	esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4$
+	dpdaction=clear
+	dpddelay=300s
+	rekey=no
+	left=%defaultroute
+	leftsubnet=0.0.0.0/0
+	leftfirewall=yes
+	right=%any
+	rightsubnet=10.0.0.0/24
+	rightsourceip=10.0.0.0/24
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	auto=add
+
+###################################
+# PSK Connections
+###################################
+
+conn IPSec-IKEv2-PSK
+	keyexchange=ikev2
+	authby=secret
+
+conn CiscoIPSec
+	keyexchange=ikev1
+	leftauth=psk
+	rightauth=psk
+	rightauth2=xauth
+
+###################################
+# XAuth and Pubkey Connections
+###################################
+
+conn CiscoIPSec-XAuth
+	keyexchange=ikev1
+	rightauth=pubkey
+	rightauth2=xauth
+	auto=add
+
+conn IPSec-IKEv2-EAP
+	keyexchange=ikev2
+	leftsendcert=always
+	eap_identity=%any
+	rightauth=eap-mschapv2
diff --git a/run.sh b/run.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+sysctl -w net.ipv4.conf.all.rp_filter=2
+
+iptables --table nat --append POSTROUTING --jump MASQUERADE
+echo 1 > /proc/sys/net/ipv4/ip_forward
+for each in /proc/sys/net/ipv4/conf/*
+do
+	echo 0 > $each/accept_redirects
+	echo 0 > $each/send_redirects
+done
+
+if [ "$VPN_PASSWORD" = "password" ] || [ "$VPN_PASSWORD" = "" ]; then
+	# Generate a random password
+	P1=`cat /dev/urandom | tr -cd abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789 | head -c 3`
+	P2=`cat /dev/urandom | tr -cd abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789 | head -c 3`
+	P3=`cat /dev/urandom | tr -cd abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789 | head -c 3`
+	VPN_PASSWORD="$P1$P2$P3"
+	echo "No VPN_PASSWORD set! Generated a random password: $VPN_PASSWORD"
+fi
+
+if [ "$VPN_PSK" = "password" ] || [ "$VPN_PSK" = "" ]; then
+	# Generate a random password
+	P1=`cat /dev/urandom | tr -cd abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789 | head -c 3`
+	P2=`cat /dev/urandom | tr -cd abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789 | head -c 3`
+	P3=`cat /dev/urandom | tr -cd abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789 | head -c 3`
+	VPN_PSK="$P1$P2$P3"
+	echo "No VPN_PSK set! Generated a random PSK key: $VPN_PSK"
+fi
+
+cat > /etc/ipsec.secrets <<EOF
+# This file holds shared secrets or RSA private keys for authentication.
+# RSA private key for this host, authenticating it to any other host
+# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
+# or configuration of other implementations, can be extracted conveniently
+# with "ipsec showhostkey".
+
+: PSK "$VPN_PSK"
+
+$VPN_USER : EAP "$VPN_PASSWORD"
+$VPN_USER : XAUTH "$VPN_PASSWORD"
+EOF
+
+if [ -f "/etc/ipsec.d/ipsec.secrets" ]; then
+	echo "Overwriting standard /etc/ipsec.secrets with /etc/ipsec.d/ipsec.secrets"
+	cp -f /etc/ipsec.d/ipsec.secrets /etc/ipsec.secrets
+fi
+
+if [ -f "/etc/ipsec.d/ipsec.conf" ]; then
+	echo "Overwriting standard /etc/ipsec.conf with /etc/ipsec.d/ipsec.conf"
+	cp -f /etc/ipsec.d/ipsec.conf /etc/ipsec.conf
+fi
+
+if [ -f "/conf/strongswan.conf" ]; then
+	echo "Overwriting standard /etc/strongswan.conf with /etc/ipsec.d/strongswan.conf"
+	cp -f /conf/strongswan.conf /etc/strongswan.conf
+fi
+
+ipsec start --nofork
diff --git a/strongswan.conf b/strongswan.conf
@@ -0,0 +1,25 @@
+# /etc/strongswan.conf - strongSwan configuration file
+# strongswan.conf - strongSwan configuration file
+#
+# Refer to the strongswan.conf(5) manpage for details
+
+charon {
+	load_modular = yes
+	plugins {
+		include strongswan.d/charon/*.conf
+		attr {
+			dns = 8.8.8.8, 8.8.4.4
+		}
+		kernel-netlink {
+			fwmark = !0x42
+		}
+		socket-default {
+			fwmark = 0x42
+		}
+		kernel-libipsec {
+			allow_peer_ts = yes
+		}
+	}
+}
+
+include strongswan.d/*.conf
