fixing bug that prevented adding two dns servers separated by a comma

fixing SAFE_SSID example, fixes #6
updating README example to have a volume and to only require NET_ADMIN instead of privileged; fixes #1
2019-08-02 09:40:33 -04:00 · 2019-06-30 13:46:53 -04:00 · 2019-06-15 21:09:15 -04:00 · 2019-06-05 00:09:21 -04:00 · 2019-06-04 23:50:59 -04:00 · 2019-06-04 18:19:21 -04:00
5 changed files with 37 additions and 12 deletions
--- a/6
+++ b/6
@ -2,16 +2,12 @@ FROM ubuntu:16.04

 RUN apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get -y install strongswan iptables uuid-runtime ndppd openssl \
-
-RUN rm /etc/ipsec.secrets
-RUN mkdir /config
-RUN (cd /etc && ln -s /config/ipsec.secrets .)
+    && rm /etc/ipsec.secrets

 ADD ./etc/* /etc/
 ADD ./bin/* /usr/bin/

 VOLUME /etc
-VOLUME /config

 # http://blogs.technet.com/b/rrasblog/archive/2006/06/14/which-ports-to-unblock-for-vpn-traffic-to-pass-through.aspx
 EXPOSE 500/udp 4500/udp
--- a/1
+++ b/1
@ -1,5 +1,6 @@
 The MIT License (MIT)

+Copyright (c) 2019 Andrew Davidson
 Copyright (c) 2016 Mengdi Gao

 Permission is hereby granted, free of charge, to any person obtaining a copy
--- a/README.md
+++ b/README.md
@ -6,13 +6,25 @@ Recipe to build [`amdavidson/vpn-server`](https://registry.hub.docker.com/u/amda

 ### 1. Start the IKEv2 VPN Server

-    docker run --privileged -d --name vpn-server --restart=always -p 500:500/udp -p 4500:4500/udp amdavidson/vpn-server:latest
+    docker run -d \
+    --name vpn-server \
+    --restart=always \
+    --cap-add=NET_ADMIN \
+    -v vpn-server-etc:/etc \
+    -p 500:500/udp -p 4500:4500/udp \
+    -e "DNS=9.9.9.9" \
+    amdavidson/vpn-server:latest

 ### 2. Generate the .mobileconfig (for iOS / macOS)

-    docker run --privileged -i -t --rm --volumes-from vpn-server -e "HOST=vpn1.example.com" amdavidson/vpn-server:latest generate-mobileconfig > ikev2-vpn.mobileconfig
+    docker run -it --rm \
+    --volumes-from vpn-server \
+    -e "HOST=vpn1.example.com" \
+    -e "SAFE_SSID=my home ssid" \
+    amdavidson/vpn-server:latest \
+    generate-mobileconfig > ikev2-vpn.mobileconfig

-*Be sure to replace `vpn1.example.com` with your own domain name and resolve it to you server's IP address. 
+Be sure to replace `vpn1.example.com` with your own domain name and resolve it to you server's IP address. 

 Transfer the generated `ikev2-vpn.mobileconfig` file to your local computer via SSH tunnel (`scp`) or any other secure methods.

--- a/bin/generate-mobileconfig
+++ b/bin/generate-mobileconfig
@ -22,18 +22,16 @@
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 # THE SOFTWARE.

-# TODO: add regenerate shared secret option
-
 # In normal cases, you will only need to pass the HOST of your server.
 [ "no${HOST}" = "no" ] && echo "\$HOST environment variable required." && exit 1

-: ${PROFILE_NAME="My IKEv2 VPN Profile"}
+: ${PROFILE_NAME="IKEv2 VPN Profile"}
 : ${PROFILE_IDENTIFIER=$(echo -n "${HOST}." | tac -s. | sed 's/\.$//g')}
 : ${PROFILE_UUID=$(hostname)}

 # These variable, especially CONN_UUID, are bind to per username,
 # which currently, all users share the same secrets and configurations.
-: ${CONN_NAME="My IKEv2 VPN"}
+: ${CONN_NAME="IKEv2 VPN"}
 : ${CONN_IDENTIFIER="${PROFILE_IDENTIFIER}.shared-configuration"}
 : ${CONN_UUID=$(uuidgen)}
 : ${CONN_HOST=${HOST}}
@ -105,6 +103,19 @@ cat <<EOF
                        <dict>
                            <key>Action</key>
                            <string>Connect</string>
+                            <key>InterfaceTypeMatch</key>
+                            <string>WiFi</string>
+                        </dict>
+                        <dict>
+                            <key>Action</key>
+                            <string>Disconnect</string>
+                            <key>InterfaceTypeMatch</key>
+                            <string>WiFi</string>
+                            <key>SSIDMatch</key>
+                            <array>
+                                <!-- List one or more WiFi networks -->
+                                <string>${SAFE_SSID}</string>
+                            </array>
                        </dict>
                    </array>
                    <!-- The server is authenticated using a certificate -->
--- a/bin/start-vpn
+++ b/bin/start-vpn
@ -39,6 +39,11 @@ SHARED_SECRET="123$(openssl rand -base64 32 2>/dev/null)"
 # hotfix for https://github.com/gaomd/docker-ikev2-vpn-server/issues/7
 rm -f /var/run/starter.charon.pid

+# Allow DNS changes https://github.com/amdavidson/vpn-server/issues/5
+if [ -n $DNS ]; then
+    sed -i "s/dns = .*/dns = ${DNS}/" /etc/strongswan.conf
+fi
+
 service ndppd start
 # http://wiki.loopop.net/doku.php?id=server:vpn:strongswanonopenvz
 /usr/sbin/ipsec start --nofork
Author	SHA1	Message	Date
Andrew Davidson	a10810b85d	fixing bug that prevented adding two dns servers separated by a comma	2019-08-02 09:40:33 -04:00
Andrew Davidson	c7b8dfb8ed	fixing SAFE_SSID example, fixes #6	2019-06-30 13:46:53 -04:00
Andrew Davidson	db2e8e53dc	updating README example to have a volume and to only require NET_ADMIN instead of privileged; fixes #1	2019-06-15 21:09:15 -04:00
Andrew Davidson	488186781c	adding SAFE_SSID to allow for prevening connect-on-demand for a home network; fixes #4	2019-06-05 00:09:21 -04:00
Andrew Davidson	e9d3a90275	added line to start-vpn to adjust dns settings as required; fixes #5	2019-06-04 23:50:59 -04:00
Andrew Davidson	0446e53e4d	removing pre-installed ipsec.secrets file during build. will be created on first run	2019-06-04 18:19:21 -04:00
amdavidson	404ac49a50	Don’t store the config file on a separate volume	2019-05-15 06:13:29 -04:00
amdavidson	d8f5e86e15	Removing apparently unused /config volume	2019-05-13 09:21:20 -04:00
Andrew Davidson	076434917c	removing errant continuation.	2019-05-11 07:19:22 -04:00
amdavidson	5b0f3e64df	Update LICENSE	2019-05-10 12:18:34 -04:00