basic_nat: Added Firewall & wizard

Added basic firewall rules & NAT rules to basic_nat example. Wizard was also added to make usage easier.

Author: SloCompTech

root/defaults/example/config/basic_nat/client/client.conf

@@ -14,7 +14,7 @@ pull
 
 
 # Remote info
-remote <SERVER ADDRESS> <PORT>
+remote $SERVER_IP $PORT
 
 # Connection settings
 resolv-retry infinite

root/defaults/example/config/basic_nat/hooks/down/10-network.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+#
+#   Network clear
+#
+
+# Close OpenVPN port to outside
+ovpn-iptables -D INPUT -p udp -m udp --dport $PORT -j ACCEPT -m comment --comment "Open OpenVPN port"
+
+# Disable Routing Internet <--> VPN network
+ovpn-iptables -D FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o eth0 -j ACCEPT -m comment --comment "Allow traffic VPN --> Internet"
+ovpn-iptables -D FORWARD -i eth0 -d $NETWORK_ADDRESS/24 -o tun0 -j ACCEPT -m comment --comment "Allow traffic Internet --> VPN"
+
+# Disable NAT for VPN traffic
+ovpn-iptables -t nat -D POSTROUTING -s $NETWORK_ADDRESS/24 -o eth0 -j MASQUERADE -m comment --comment "NAT traffic VPN --> Internet"
+

root/defaults/example/config/basic_nat/hooks/init/10-network.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+#
+#   Network initialization
+#
+
+#
+# Because default iptables rules are set to ACCEPT all connection, we need to put some
+# security settings in place
+#
+
+# Drop everything from input
+ovpn-iptables -P INPUT DROP
+
+# Allow established connection 
+ovpn-iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Accept traffic from established connections"
+
+# Drop all forwarded traffic
+ovpn-iptables -P FORWARD DROP

root/defaults/example/config/basic_nat/hooks/up/10-network.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+#
+#   Network initialization
+#
+
+# Open OpenVPN port to outside
+ovpn-iptables -A INPUT -p udp -m udp --dport $PORT -j ACCEPT -m comment --comment "Open OpenVPN port"
+
+# Allow Routing Internet <--> VPN network
+ovpn-iptables -A FORWARD -i tun0 -s $NETWORK_ADDRESS/24 -o eth0 -j ACCEPT -m comment --comment "Allow traffic VPN --> Internet"
+ovpn-iptables -A FORWARD -i eth0 -d $NETWORK_ADDRESS/24 -o tun0 -j ACCEPT -m comment --comment "Allow traffic Internet --> VPN"
+
+# Preform NAT for VPN traffic
+ovpn-iptables -t nat -A POSTROUTING -s $NETWORK_ADDRESS/24 -o eth0 -j MASQUERADE -m comment --comment "NAT traffic VPN --> Internet"
+

root/defaults/example/config/basic_nat/server/server.conf

@@ -6,16 +6,16 @@
 #
 
 # Basic info
-proto udp
-port 1194
+proto $PROTO
+port $PORT
 
 # Network info (local VPN network)
 topology subnet
-server <NETWORK ADDRESS> <MASK>
+server $NETWORK_ADDRESS 255.255.255.0
 
 push "redirect-gateway def1 bypass-dhcp"
-push "dhcp-option <DNS 1>"
-push "dhcp-option <DNS 2>"
+push "dhcp-option $DNS1"
+push "dhcp-option $DNS2"
 
 ifconfig-pool-persist tmp/ipp.txt
 

root/defaults/example/config/basic_nat/wizard

@@ -0,0 +1,84 @@
+#!/usr/bin/python
+
+#
+#   Config wizard for basic_nat example
+#   @author Martin Dagarin
+#   @version 1
+#   @since 19/03/2019
+#
+
+#   Defaults:
+#       Protocol: udp
+#       Network: 10.0.0.0
+#       Port: 1194
+#       DNS: 8.8.8.8, 8.8.4.4
+#
+
+import sys, os
+
+# Import libraries included in this docker
+sys.path.insert(0, '/app/lib')
+import libovpn
+
+# Check if temporary path was passed to this script
+if len(sys.argv) < 2:
+    print("Temporary path was not passed to wizard")
+    sys.exit(1)
+TEMP_PATH = sys.argv[1]
+if not os.path.isdir(TEMP_PATH):
+    print("Specified directory does not exist")
+    sys.exit(2)
+
+# Select protocol
+protocol = input("Protocol udp, tcp, udp6, tcp6 [udp]:")
+AVAILABLE_PROTOCOLS = ["udp", "tcp", "udp6", "tcp6"]
+if len(protocol) != 0 and protocol not in AVAILABLE_PROTOCOLS:
+    print("Invalid protocol")
+    sys.exit(3)
+if len(protocol) == 0:
+    protocol = "udp"
+
+# Select network
+network = input("VPN network [10.0.0.0]:")
+if len(network) == 0:
+    network = "10.0.0.0"
+
+# Select port
+port = input("Port [1104]:")
+if len(port) == 0:
+    port="1194"
+
+# Select Public IP or domain
+public = input("Public IP or domain of server:")
+if len(public) == 0:
+    print("Invalid Public IP")
+    sys.exit(4)
+
+# DNS servers
+dns1 = input("DNS1 [8.8.8.8]:")
+if len(dns1) == 0:
+    dns1 = "8.8.8.8"
+dns2 = input("DNS2 [8.8.4.4]:")
+if len(dns2) == 0:
+    dns2 = "8.8.4.4"
+
+
+# Write to server config
+vars = [
+    ("$PROTO", protocol),
+    ("$PORT", port),
+    ("$NETWORK_ADDRESS", network),
+    ("$SERVER_IP", public),
+    ("$DNS1", dns1),
+    ("$DNS2", dns2)
+]
+
+# Process config files
+confs = [
+    "/server/server.conf",
+    "/client/client.conf",
+    "/hooks/down/10-network.sh",
+    "/hooks/up/10-network.sh"
+]
+for config_file in confs:
+    libovpn.conf_envsubst(TEMP_PATH + config_file, vars)