mirror of
https://github.com/vimagick/dockerfiles
synced 2024-06-16 03:48:44 +00:00
add strongswan
This commit is contained in:
parent
f481ed97c3
commit
e7f692539b
@ -117,6 +117,7 @@ A collection of delicious docker recipes.
|
||||
- [x] shadowvpn
|
||||
- [x] snort :beetle:
|
||||
- [x] squid
|
||||
- [x] strongswan :+1:
|
||||
- [x] swarm-arm
|
||||
- [x] taskd
|
||||
- [x] telegraf
|
||||
|
25
strongswan/Dockerfile
Normal file
25
strongswan/Dockerfile
Normal file
@ -0,0 +1,25 @@
|
||||
#
|
||||
# Dockerfile for ipsec
|
||||
#
|
||||
|
||||
FROM alpine
|
||||
MAINTAINER kev <noreply@easypi.info>
|
||||
|
||||
RUN set -xe \
|
||||
&& apk add --no-cache iptables openssl strongswan util-linux \
|
||||
&& ln -sf /etc/ipsec.d/ipsec.conf /etc/ipsec.conf \
|
||||
&& ln -sf /etc/ipsec.d/ipsec.secrets /etc/ipsec.secrets
|
||||
|
||||
COPY init.sh /
|
||||
|
||||
VOLUME /etc/ipsec.d /etc/strongswan.d
|
||||
|
||||
ENV VPN_SUBNET=10.20.30.0/24
|
||||
|
||||
EXPOSE 500/udp 4500/udp
|
||||
|
||||
CMD set -xe \
|
||||
&& /init.sh \
|
||||
&& sysctl -w net.ipv4.ip_forward=1 \
|
||||
&& iptables -t nat -A POSTROUTING -s $VPN_SUBNET -o eth0 -j MASQUERADE \
|
||||
&& ipsec start --nofork
|
45
strongswan/README.md
Normal file
45
strongswan/README.md
Normal file
@ -0,0 +1,45 @@
|
||||
strongswan
|
||||
==========
|
||||
|
||||
![](https://badge.imagelayers.io/vimagick/strongswan:latest.svg)
|
||||
|
||||
[strongSwan][1] is an Open Source IPsec-based VPN solution for Linux and other
|
||||
UNIX based operating systems implementing both the IKEv1 and IKEv2 key exchange
|
||||
protocols.
|
||||
|
||||
> :warning: This docker image only support IKEv2!
|
||||
|
||||
### docker-compose.yml
|
||||
|
||||
```yaml
|
||||
strongswan:
|
||||
image: vimagick/strongswan
|
||||
ports:
|
||||
- 500:500/udp
|
||||
- 4500:4500/udp
|
||||
volumes:
|
||||
- ./log:/var/log
|
||||
- /lib/modules:/lib/modules
|
||||
- /etc/localtime:/etc/localtime
|
||||
environment:
|
||||
- VPN_DOMAIN=vpn.easypi.info
|
||||
- VPN_DNS=8.8.8.8
|
||||
- VPN_SUBNET=10.20.30.0/24
|
||||
- VPN_P12_PASSWORD=secret
|
||||
cap_add:
|
||||
- NET_ADMIN
|
||||
privileged: yes
|
||||
restart: always
|
||||
```
|
||||
|
||||
### up and running
|
||||
|
||||
```bash
|
||||
docker-compose up -d
|
||||
docker cp strongswan_strongswan_1:/etc/ipsec.d/client.mobileconfig .
|
||||
tail -f log/charon.log
|
||||
```
|
||||
|
||||
> File `client.mobileconfig` can be imported into MacOSX as `VPN (IKEv2)`.
|
||||
|
||||
[1]: https://strongswan.org/
|
18
strongswan/docker-compose.yml
Normal file
18
strongswan/docker-compose.yml
Normal file
@ -0,0 +1,18 @@
|
||||
strongswan:
|
||||
image: vimagick/strongswan
|
||||
ports:
|
||||
- 500:500/udp
|
||||
- 4500:4500/udp
|
||||
volumes:
|
||||
- ./log:/var/log
|
||||
- /lib/modules:/lib/modules
|
||||
- /etc/localtime:/etc/localtime
|
||||
environment:
|
||||
- VPN_DOMAIN=vpn.easypi.info
|
||||
- VPN_DNS=8.8.8.8
|
||||
- VPN_SUBNET=10.20.30.0/24
|
||||
- VPN_P12_PASSWORD=secret
|
||||
cap_add:
|
||||
- NET_ADMIN
|
||||
privileged: yes
|
||||
restart: always
|
281
strongswan/init.sh
Executable file
281
strongswan/init.sh
Executable file
@ -0,0 +1,281 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# gen config files for strongswan
|
||||
#
|
||||
# - VPN_SUBNET
|
||||
# - VPN_DOMAIN
|
||||
# - VPN_DNS
|
||||
# - VPN_P12_PASSWORD
|
||||
#
|
||||
|
||||
if [ -e /etc/ipsec.d/ipsec.conf ]
|
||||
then
|
||||
echo "Already Initialized!"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
cat > /etc/ipsec.d/ipsec.conf <<_EOF_
|
||||
config setup
|
||||
uniqueids=never
|
||||
|
||||
conn %default
|
||||
keyexchange=ike
|
||||
dpdaction=clear
|
||||
dpddelay=300s
|
||||
rekey=no
|
||||
left=%any
|
||||
leftsubnet=0.0.0.0/0
|
||||
right=%any
|
||||
|
||||
conn IKE-BASE
|
||||
leftca=ca.cert.pem
|
||||
leftcert=server.cert.pem
|
||||
rightsourceip=${VPN_SUBNET}
|
||||
|
||||
conn IPSec-IKEv2
|
||||
also=IKE-BASE
|
||||
keyexchange=ikev2
|
||||
ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
|
||||
esp=aes256-sha256,3des-sha1,aes256-sha1!
|
||||
leftid="${VPN_DOMAIN}"
|
||||
leftsendcert=always
|
||||
leftauth=pubkey
|
||||
rightauth=pubkey
|
||||
rightid="client.${VPN_DOMAIN}"
|
||||
rightcert=client.cert.pem
|
||||
auto=add
|
||||
_EOF_
|
||||
|
||||
|
||||
cat > /etc/ipsec.d/ipsec.secrets <<_EOF_
|
||||
: RSA server.pem
|
||||
_EOF_
|
||||
|
||||
|
||||
cat > /etc/strongswan.d/charon.conf <<_EOF_
|
||||
charon {
|
||||
duplicheck.enable = no
|
||||
dns1 = ${VPN_DNS}
|
||||
filelog {
|
||||
/var/log/charon.log {
|
||||
time_format = %b %e %T
|
||||
ike_name = yes
|
||||
append = yes
|
||||
default = 1
|
||||
flush_line = yes
|
||||
}
|
||||
}
|
||||
user = root
|
||||
}
|
||||
_EOF_
|
||||
|
||||
|
||||
# gen ca key and cert
|
||||
ipsec pki --gen --outform pem > /etc/ipsec.d/private/ca.pem
|
||||
|
||||
ipsec pki --self \
|
||||
--in /etc/ipsec.d/private/ca.pem \
|
||||
--dn "C=CN, O=ING, CN=StrongSwan CA" \
|
||||
--ca \
|
||||
--lifetime 3650 \
|
||||
--outform pem > /etc/ipsec.d/cacerts/ca.cert.pem
|
||||
|
||||
# gen server key and cert
|
||||
ipsec pki --gen --outform pem > /etc/ipsec.d/private/server.pem
|
||||
|
||||
ipsec pki --pub --in /etc/ipsec.d/private/server.pem |
|
||||
ipsec pki --issue --lifetime 1200 --cacert /etc/ipsec.d/cacerts/ca.cert.pem \
|
||||
--cakey /etc/ipsec.d/private/ca.pem --dn "C=CN, O=ING, CN=${VPN_DOMAIN}" \
|
||||
--san="${VPN_DOMAIN}" --flag serverAuth --flag ikeIntermediate \
|
||||
--outform pem > /etc/ipsec.d/certs/server.cert.pem
|
||||
|
||||
# gen client key and cert
|
||||
ipsec pki --gen --outform pem > /etc/ipsec.d/private/client.pem
|
||||
|
||||
ipsec pki --pub --in /etc/ipsec.d/private/client.pem |
|
||||
ipsec pki --issue \
|
||||
--cacert /etc/ipsec.d/cacerts/ca.cert.pem \
|
||||
--cakey /etc/ipsec.d/private/ca.pem --dn "C=CN, O=ING, CN=client.${VPN_DOMAIN}" \
|
||||
--san="client.${VPN_DOMAIN}" \
|
||||
--outform pem > /etc/ipsec.d/certs/client.cert.pem
|
||||
|
||||
openssl pkcs12 -export \
|
||||
-inkey /etc/ipsec.d/private/client.pem \
|
||||
-in /etc/ipsec.d/certs/client.cert.pem \
|
||||
-name "client.${VPN_DOMAIN}" \
|
||||
-certfile /etc/ipsec.d/cacerts/ca.cert.pem \
|
||||
-caname "StrongSwan CA" \
|
||||
-out /etc/ipsec.d/client.cert.p12 \
|
||||
-passout pass:${VPN_P12_PASSWORD}
|
||||
|
||||
# gen mobileconfig for mac
|
||||
|
||||
UUID1=$(uuidgen)
|
||||
UUID2=$(uuidgen)
|
||||
UUID3=$(uuidgen)
|
||||
UUID4=$(uuidgen)
|
||||
UUID5=$(uuidgen)
|
||||
UUID6=$(uuidgen)
|
||||
|
||||
cat > /etc/ipsec.d/client.mobileconfig <<_EOF_
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
||||
<plist version="1.0">
|
||||
<dict>
|
||||
<key>PayloadContent</key>
|
||||
<array>
|
||||
<dict>
|
||||
<key>Password</key>
|
||||
<string>${VPN_P12_PASSWORD}</string>
|
||||
<key>PayloadCertificateFileName</key>
|
||||
<string>client.cert.p12</string>
|
||||
<key>PayloadContent</key>
|
||||
<data>
|
||||
$(base64 /etc/ipsec.d/client.cert.p12)
|
||||
</data>
|
||||
<key>PayloadDescription</key>
|
||||
<string>添加 PKCS#12 格式的证书</string>
|
||||
<key>PayloadDisplayName</key>
|
||||
<string>client.cert.p12</string>
|
||||
<key>PayloadIdentifier</key>
|
||||
<string>com.apple.security.pkcs12.${UUID1}</string>
|
||||
<key>PayloadType</key>
|
||||
<string>com.apple.security.pkcs12</string>
|
||||
<key>PayloadUUID</key>
|
||||
<string>${UUID1}</string>
|
||||
<key>PayloadVersion</key>
|
||||
<integer>1</integer>
|
||||
</dict>
|
||||
<dict>
|
||||
<key>PayloadCertificateFileName</key>
|
||||
<string>ca.cer</string>
|
||||
<key>PayloadContent</key>
|
||||
<data>
|
||||
$(base64 /etc/ipsec.d/cacerts/ca.cert.pem)
|
||||
</data>
|
||||
<key>PayloadDescription</key>
|
||||
<string>添加 CA 根证书</string>
|
||||
<key>PayloadDisplayName</key>
|
||||
<string>StrongSwan CA</string>
|
||||
<key>PayloadIdentifier</key>
|
||||
<string>com.apple.security.root.${UUID2}</string>
|
||||
<key>PayloadType</key>
|
||||
<string>com.apple.security.root</string>
|
||||
<key>PayloadUUID</key>
|
||||
<string>${UUID2}</string>
|
||||
<key>PayloadVersion</key>
|
||||
<integer>1</integer>
|
||||
</dict>
|
||||
<dict>
|
||||
<key>IKEv2</key>
|
||||
<dict>
|
||||
<key>AuthenticationMethod</key>
|
||||
<string>Certificate</string>
|
||||
<key>ChildSecurityAssociationParameters</key>
|
||||
<dict>
|
||||
<key>DiffieHellmanGroup</key>
|
||||
<integer>2</integer>
|
||||
<key>EncryptionAlgorithm</key>
|
||||
<string>3DES</string>
|
||||
<key>IntegrityAlgorithm</key>
|
||||
<string>SHA1-96</string>
|
||||
<key>LifeTimeInMinutes</key>
|
||||
<integer>1440</integer>
|
||||
</dict>
|
||||
<key>DeadPeerDetectionRate</key>
|
||||
<string>Medium</string>
|
||||
<key>DisableMOBIKE</key>
|
||||
<integer>0</integer>
|
||||
<key>DisableRedirect</key>
|
||||
<integer>0</integer>
|
||||
<key>EnableCertificateRevocationCheck</key>
|
||||
<integer>0</integer>
|
||||
<key>EnablePFS</key>
|
||||
<integer>0</integer>
|
||||
<key>IKESecurityAssociationParameters</key>
|
||||
<dict>
|
||||
<key>DiffieHellmanGroup</key>
|
||||
<integer>2</integer>
|
||||
<key>EncryptionAlgorithm</key>
|
||||
<string>3DES</string>
|
||||
<key>IntegrityAlgorithm</key>
|
||||
<string>SHA1-96</string>
|
||||
<key>LifeTimeInMinutes</key>
|
||||
<integer>1440</integer>
|
||||
</dict>
|
||||
<key>LocalIdentifier</key>
|
||||
<string>client.${VPN_DOMAIN}</string>
|
||||
<key>PayloadCertificateUUID</key>
|
||||
<string>${UUID1}</string>
|
||||
<key>RemoteAddress</key>
|
||||
<string>${VPN_DOMAIN}</string>
|
||||
<key>RemoteIdentifier</key>
|
||||
<string>${VPN_DOMAIN}</string>
|
||||
<key>UseConfigurationAttributeInternalIPSubnet</key>
|
||||
<integer>0</integer>
|
||||
</dict>
|
||||
<key>IPv4</key>
|
||||
<dict>
|
||||
<key>OverridePrimary</key>
|
||||
<integer>1</integer>
|
||||
</dict>
|
||||
<key>PayloadDescription</key>
|
||||
<string>Configures VPN settings</string>
|
||||
<key>PayloadDisplayName</key>
|
||||
<string>VPN</string>
|
||||
<key>PayloadIdentifier</key>
|
||||
<string>com.apple.vpn.managed.${UUID4}</string>
|
||||
<key>PayloadType</key>
|
||||
<string>com.apple.vpn.managed</string>
|
||||
<key>PayloadUUID</key>
|
||||
<string>${UUID4}</string>
|
||||
<key>PayloadVersion</key>
|
||||
<real>1</real>
|
||||
<key>Proxies</key>
|
||||
<dict>
|
||||
<key>HTTPEnable</key>
|
||||
<integer>0</integer>
|
||||
<key>HTTPSEnable</key>
|
||||
<integer>0</integer>
|
||||
</dict>
|
||||
<key>UserDefinedName</key>
|
||||
<string>VPN (IKEv2)</string>
|
||||
<key>VPNType</key>
|
||||
<string>IKEv2</string>
|
||||
</dict>
|
||||
<dict>
|
||||
<key>PayloadCertificateFileName</key>
|
||||
<string>server.cer</string>
|
||||
<key>PayloadContent</key>
|
||||
<data>
|
||||
$(base64 /etc/ipsec.d/certs/server.cert.pem)
|
||||
</data>
|
||||
<key>PayloadDescription</key>
|
||||
<string>添加 PKCS#1 格式的证书</string>
|
||||
<key>PayloadDisplayName</key>
|
||||
<string>${VPN_DOMAIN}</string>
|
||||
<key>PayloadIdentifier</key>
|
||||
<string>com.apple.security.pkcs1.${UUID5}</string>
|
||||
<key>PayloadType</key>
|
||||
<string>com.apple.security.pkcs1</string>
|
||||
<key>PayloadUUID</key>
|
||||
<string>${UUID5}</string>
|
||||
<key>PayloadVersion</key>
|
||||
<integer>1</integer>
|
||||
</dict>
|
||||
</array>
|
||||
<key>PayloadDisplayName</key>
|
||||
<string>VPN</string>
|
||||
<key>PayloadIdentifier</key>
|
||||
<string>com.github.vimagick.strongswan</string>
|
||||
<key>PayloadRemovalDisallowed</key>
|
||||
<false/>
|
||||
<key>PayloadType</key>
|
||||
<string>Configuration</string>
|
||||
<key>PayloadUUID</key>
|
||||
<string>${UUID6}</string>
|
||||
<key>PayloadVersion</key>
|
||||
<integer>1</integer>
|
||||
</dict>
|
||||
</plist>
|
||||
_EOF_
|
Loading…
Reference in New Issue
Block a user