forked from TommyLau/docker-ocserv
-
Notifications
You must be signed in to change notification settings - Fork 6
/
docker-entrypoint.sh
executable file
·75 lines (62 loc) · 1.73 KB
/
docker-entrypoint.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
#!/bin/sh
if [ ! -f /etc/ocserv/server-key.pem ] || [ ! -f /etc/ocserv/server-cert.pem ]; then
# Check environment variables
if [ -z "$CA_CN" ]; then
CA_CN="VPN CA"
fi
if [ -z "$CA_ORG" ]; then
CA_ORG="Big Corp"
fi
if [ -z "$CA_DAYS" ]; then
CA_DAYS=9999
fi
if [ -z "$SRV_CN" ]; then
SRV_CN="www.example.com"
fi
if [ -z "$SRV_ORG" ]; then
SRV_ORG="MyCompany"
fi
if [ -z "$SRV_DAYS" ]; then
SRV_DAYS=9999
fi
# No certification found, generate one
cd /etc/ocserv
certtool --generate-privkey --outfile ca-key.pem
cat > ca.tmpl <<-EOCA
cn = "$CA_CN"
organization = "$CA_ORG"
serial = 1
expiration_days = $CA_DAYS
ca
signing_key
cert_signing_key
crl_signing_key
EOCA
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca.pem
certtool --generate-privkey --outfile server-key.pem
cat > server.tmpl <<-EOSRV
cn = "$SRV_CN"
organization = "$SRV_ORG"
expiration_days = $SRV_DAYS
signing_key
encryption_key
tls_www_server
EOSRV
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
# Create a test user
if [ -z "$NO_TEST_USER" ] && [ ! -f /etc/ocserv/ocpasswd ]; then
echo "Create test user 'test' with password 'test'"
echo 'test:Route,All:$5$DktJBFKobxCFd7wN$sn.bVw8ytyAaNamO.CvgBvkzDiFR6DaHdUzcif52KK7' > /etc/ocserv/ocpasswd
fi
fi
# Open ipv4 ip forward
sysctl -w net.ipv4.ip_forward=1
# Enable NAT forwarding
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Enable TUN device
mkdir -p /dev/net
mknod /dev/net/tun c 10 200
chmod 600 /dev/net/tun
# Run OpennConnect Server
exec "$@"