Upload 15 files

.dockerignore

@@ -0,0 +1,3 @@
+.*
+LICENSE
+README.md

.editorconfig

@@ -0,0 +1,17 @@
+# http://editorconfig.org
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 2
+indent_style = tab
+max_line_length = 80
+trim_trailing_whitespace = true
+
+[*.md]
+max_line_length = 0
+trim_trailing_whitespace = false
+
+[COMMIT_EDITMSG]
+max_line_length = 0

Dockerfile

@@ -0,0 +1,76 @@
+FROM buildpack-deps:jessie
+
+WORKDIR /app
+
+
+RUN mkdir -p /conf
+
+RUN apt-get update && apt-get install -y \
+  libgmp-dev \
+  iptables \
+  xl2tpd \
+  module-init-tools \
+  supervisor
+
+ENV STRONGSWAN_VERSION 5.5.0
+ENV GPG_KEY 948F158A4E76A27BF3D07532DF42C170B34DBA77
+
+RUN mkdir -p /usr/src/strongswan \
+	&& cd /usr/src \
+	&& curl -SOL "https://download.strongswan.org/strongswan-$STRONGSWAN_VERSION.tar.gz.sig" \
+	&& curl -SOL "https://download.strongswan.org/strongswan-$STRONGSWAN_VERSION.tar.gz" \
+	&& export GNUPGHOME="$(mktemp -d)" \
+	&& gpg --keyserver ha.pool.sks-keyservers.net --recv-keys "$GPG_KEY" \
+	&& gpg --batch --verify strongswan-$STRONGSWAN_VERSION.tar.gz.sig strongswan-$STRONGSWAN_VERSION.tar.gz \
+	&& tar -zxf strongswan-$STRONGSWAN_VERSION.tar.gz -C /usr/src/strongswan --strip-components 1 \
+	&& cd /usr/src/strongswan \
+	&& ./configure --prefix=/usr --sysconfdir=/etc \
+		--enable-eap-radius \
+		--enable-eap-mschapv2 \
+		--enable-eap-identity \
+		--enable-eap-md5 \
+		--enable-eap-tls \
+		--enable-eap-ttls \
+		--enable-eap-peap \
+		--enable-eap-tnc \
+		--enable-eap-dynamic \
+		--enable-xauth-eap \
+		--enable-openssl \
+	&& make -j \
+	&& make install \
+	&& rm -rf "/usr/src/strongswan*"
+
+# Strongswan Configuration
+ADD ipsec.conf /etc/ipsec.conf
+ADD strongswan.conf /etc/strongswan.conf
+
+# XL2TPD Configuration
+ADD xl2tpd.conf /etc/xl2tpd/xl2tpd.conf
+ADD options.xl2tpd /etc/ppp/options.xl2tpd
+
+# Supervisor config
+ADD supervisord.conf supervisord.conf
+ADD kill_supervisor.py /usr/bin/kill_supervisor.py
+
+ADD run.sh /run.sh
+ADD vpn_adduser /usr/local/bin/vpn_adduser
+ADD vpn_deluser /usr/local/bin/vpn_deluser
+ADD vpn_setpsk /usr/local/bin/vpn_setpsk
+ADD vpn_unsetpsk /usr/local/bin/vpn_unsetpsk
+ADD vpn_apply /usr/local/bin/vpn_apply
+
+# The password is later on replaced with a random string
+ENV VPN_USER user
+ENV VPN_PASSWORD password
+ENV VPN_PSK password
+
+RUN useradd -m -u 1000 user
+USER user
+ENV PATH="/home/user/.local/bin:$PATH"
+
+RUN chmod -R 777 /app
+VOLUME ["/etc/ipsec.d"]
+
+EXPOSE 4500/udp 500/udp 1701/udp
+
+CMD ["/run.sh"]

ipsec.conf

@@ -0,0 +1,69 @@
+# ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	uniqueids=no
+	charondebug="cfg 2, dmn 2, ike 2, net 0"
+
+conn %default
+	dpdaction=clear
+	dpddelay=300s
+	rekey=no
+	left=%defaultroute
+	leftfirewall=yes
+	right=%any
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	auto=add
+
+#######################################
+# L2TP Connections
+#######################################
+
+conn L2TP-IKEv1-PSK
+	type=transport
+	keyexchange=ikev1
+	authby=secret
+	leftprotoport=udp/l2tp
+	left=%any
+	right=%any
+	rekey=no
+	forceencaps=yes
+
+#######################################
+# Default non L2TP Connections
+#######################################
+
+conn Non-L2TP
+	leftsubnet=0.0.0.0/0
+	rightsubnet=10.0.0.0/24
+	rightsourceip=10.0.0.0/24
+
+#######################################
+# EAP Connections
+#######################################
+
+# This detects a supported EAP method
+conn IKEv2-EAP
+	also=Non-L2TP
+	keyexchange=ikev2
+	eap_identity=%any
+	rightauth=eap-dynamic
+
+#######################################
+# PSK Connections
+#######################################
+
+conn IKEv2-PSK
+	also=Non-L2TP
+	keyexchange=ikev2
+	authby=secret
+
+# Cisco IPSec
+conn IKEv1-PSK-XAuth
+	also=Non-L2TP
+	keyexchange=ikev1
+	leftauth=psk
+	rightauth=psk
+	rightauth2=xauth

kill_supervisor.py

@@ -0,0 +1,28 @@
+#!/usr/bin/env python
+import sys
+import os
+import signal
+
+def write_stdout(s):
+   sys.stdout.write(s)
+   sys.stdout.flush()
+
+def write_stderr(s):
+   sys.stderr.write(s)
+   sys.stderr.flush()
+
+def main():
+   while 1:
+       write_stdout('READY\n')
+       line = sys.stdin.readline()
+       write_stdout('This line kills supervisor: ' + line);
+       try:
+               pidfile = open('/var/run/supervisord.pid','r')
+               pid = int(pidfile.readline());
+               os.kill(pid, signal.SIGQUIT)
+       except Exception as e:
+               write_stdout('Could not kill supervisor: ' + e.strerror + '\n')
+       write_stdout('RESULT 2\nOK')
+
+if __name__ == '__main__':
+   main()

options.xl2tpd

@@ -0,0 +1,14 @@
+ipcp-accept-local
+ipcp-accept-remote
+ms-dns 8.8.8.8
+ms-dns 8.8.4.4
+noccp
+auth
+crtscts
+idle 1800
+mtu 1280
+mru 1280
+lock
+lcp-echo-failure 10
+lcp-echo-interval 60
+connect-delay 5000

run.sh

@@ -0,0 +1,82 @@
+#!/bin/bash
+
+sysctl -w net.ipv4.conf.all.rp_filter=2
+
+iptables --table nat --append POSTROUTING --jump MASQUERADE
+echo 1 > /proc/sys/net/ipv4/ip_forward
+for each in /proc/sys/net/ipv4/conf/*
+do
+	echo 0 > $each/accept_redirects
+	echo 0 > $each/send_redirects
+done
+
+if [ "$VPN_PASSWORD" = "password" ] || [ "$VPN_PASSWORD" = "" ]; then
+	# Generate a random password
+	P1=`cat /dev/urandom | tr -cd abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789 | head -c 3`
+	P2=`cat /dev/urandom | tr -cd abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789 | head -c 3`
+	P3=`cat /dev/urandom | tr -cd abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789 | head -c 3`
+	VPN_PASSWORD="$P1$P2$P3"
+	echo "No VPN_PASSWORD set! Generated a random password: $VPN_PASSWORD"
+fi
+
+if [ "$VPN_PSK" = "password" ] || [ "$VPN_PSK" = "" ]; then
+	# Generate a random password
+	P1=`cat /dev/urandom | tr -cd abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789 | head -c 3`
+	P2=`cat /dev/urandom | tr -cd abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789 | head -c 3`
+	P3=`cat /dev/urandom | tr -cd abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789 | head -c 3`
+	VPN_PSK="$P1$P2$P3"
+	echo "No VPN_PSK set! Generated a random PSK key: $VPN_PSK"
+fi
+
+if [ "$VPN_PASSWORD" = "$VPN_PSK" ]; then
+	echo "It is not recommended to use the same secret as password and PSK key!"
+fi
+
+cat > /etc/ppp/l2tp-secrets <<EOF
+# This file holds secrets for L2TP authentication.
+# Username  Server  Secret  Hosts
+
+"$VPN_USER" "*" "$VPN_PASSWORD" "*"
+EOF
+
+cat > /etc/ipsec.secrets <<EOF
+# This file holds shared secrets or RSA private keys for authentication.
+# RSA private key for this host, authenticating it to any other host
+# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
+# or configuration of other implementations, can be extracted conveniently
+# with "ipsec showhostkey".
+
+: PSK "$VPN_PSK"
+
+$VPN_USER : EAP "$VPN_PASSWORD"
+$VPN_USER : XAUTH "$VPN_PASSWORD"
+EOF
+
+if [ -f "/etc/ipsec.d/l2tp-secrets" ]; then
+	echo "Overwriting standard /etc/ppp/l2tp-secrets with /etc/ipsec.d/l2tp-secrets"
+	cp -f /etc/ipsec.d/l2tp-secrets /etc/ppp/l2tp-secrets
+fi
+
+if [ -f "/etc/ipsec.d/ipsec.secrets" ]; then
+	echo "Overwriting standard /etc/ipsec.secrets with /etc/ipsec.d/ipsec.secrets"
+	cp -f /etc/ipsec.d/ipsec.secrets /etc/ipsec.secrets
+fi
+
+if [ -f "/etc/ipsec.d/ipsec.conf" ]; then
+	echo "Overwriting standard /etc/ipsec.conf with /etc/ipsec.d/ipsec.conf"
+	cp -f /etc/ipsec.d/ipsec.conf /etc/ipsec.conf
+fi
+
+if [ -f "/etc/ipsec.d/strongswan.conf" ]; then
+	echo "Overwriting standard /etc/strongswan.conf with /etc/ipsec.d/strongswan.conf"
+	cp -f /etc/ipsec.d/strongswan.conf /etc/strongswan.conf
+fi
+
+if [ -f "/etc/ipsec.d/xl2tpd.conf" ]; then
+	echo "Overwriting standard /etc/xl2tpd/xl2tpd.conf with /etc/ipsec.d/xl2tpd.conf"
+	cp -f /etc/ipsec.d/xl2tpd.conf /etc/xl2tpd/xl2tpd.conf
+fi
+
+mkdir -p /var/run/xl2tpd
+
+exec /usr/bin/supervisord -c /supervisord.conf

strongswan.conf

@@ -0,0 +1,17 @@
+# /etc/strongswan.conf - strongSwan configuration file
+# strongswan.conf - strongSwan configuration file
+#
+# Refer to the strongswan.conf(5) manpage for details
+
+charon {
+	load_modular = yes
+	send_vendor_id = yes
+	plugins {
+		include strongswan.d/charon/*.conf
+		attr {
+			dns = 8.8.8.8, 8.8.4.4
+		}
+	}
+}
+
+include strongswan.d/*.conf

supervisord.conf

@@ -0,0 +1,26 @@
+[supervisord]
+nodaemon=true
+
+[program:xl2tpd]
+command=/usr/sbin/xl2tpd -c /etc/xl2tpd/xl2tpd.conf -D
+redirect_stderr=true
+numprocs=1
+stdout_logfile=/dev/fd/1
+stdout_logfile_maxbytes=0
+
+[program:ipsec]
+command=ipsec start --nofork
+redirect_stderr=true
+numprocs=1
+stdout_logfile=/dev/fd/1
+stdout_logfile_maxbytes=0
+
+[eventlistener:ipsec_exit]
+command=/usr/bin/kill_supervisor.py
+process_name=ipsec
+events=PROCESS_STATE_FATAL
+
+[eventlistener:xl2tpd_exit]
+command=/usr/bin/kill_supervisor.py
+process_name=xl2tpd
+events=PROCESS_STATE_FATAL

vpn_adduser

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+vpn_user=$1
+vpn_password=$2
+
+if [ -z ${vpn_user} ] || [ -z ${vpn_password} ]; then
+	echo "Usage: $0 user password"
+	exit 1
+fi
+
+vpn_deluser ${vpn_user}
+
+cat >> /etc/ipsec.d/l2tp-secrets <<EOF
+"${vpn_user}" "*" "${vpn_password}" "*"
+EOF
+
+cat >> /etc/ipsec.d/ipsec.secrets <<EOF
+${vpn_user} : EAP "${vpn_password}"
+${vpn_user} : XAUTH "${vpn_password}"
+EOF

vpn_apply

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+if [ -f "/etc/ipsec.d/l2tp-secrets" ]; then
+        cp -f /etc/ipsec.d/l2tp-secrets /etc/ppp/l2tp-secrets
+fi
+
+if [ -f "/etc/ipsec.d/ipsec.secrets" ]; then
+        cp -f /etc/ipsec.d/ipsec.secrets /etc/ipsec.secrets
+fi
+
+ipsec rereadsecrets

vpn_deluser

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+vpn_user=$1
+
+if [ -z ${vpn_user} ]; then
+	echo "Usage: $0 user"
+	exit 1
+fi
+
+touch /etc/ipsec.d/ipsec.secrets
+touch /etc/ipsec.d/l2tp-secrets
+
+sed -i "/${vpn_user} :/d" /etc/ipsec.d/ipsec.secrets
+sed -i "/\"${vpn_user}\" \"*\"/d" /etc/ipsec.d/l2tp-secrets

vpn_setpsk

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+psk=$1
+
+if [ -z ${psk} ]; then
+	echo "Usage: $0 psk"
+	exit 1
+fi
+
+vpn_unsetpsk
+
+touch /etc/ipsec.d/ipsec.secrets
+cat >> /etc/ipsec.d/ipsec.secrets <<EOF
+: PSK "${psk}"
+EOF

vpn_unsetpsk

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+touch /etc/ipsec.d/ipsec.secrets
+sed '/: PSK/d' /etc/ipsec.d/ipsec.secrets

xl2tpd.conf

@@ -0,0 +1,17 @@
+[global]
+port = 1701
+auth file = /etc/ppp/l2tp-secrets
+debug avp = yes
+debug network = yes
+debug state = yes
+debug tunnel = yes
+[lns default]
+ip range = 10.1.0.2-10.1.0.254
+local ip = 10.1.0.1
+require chap = yes
+refuse pap = yes
+require authentication = yes
+name = l2tpd
+;ppp debug = yes
+pppoptfile = /etc/ppp/options.xl2tpd
+length bit = yes