authormaride <maride@darknebu.la>2018-09-05 15:33:03 +0200
committermaride <maride@darknebu.la>2018-09-05 15:33:03 +0200
commit2f94d8b6cdf325f23a0e40db1097ebbcd7f7c0e1 (patch)
treee4ddf1a1f17233df53da33c84b5f0706db250738
parentcd3b7488d3851d4b21321b4b257bf85f2e9ffa08 (diff)
Forward IP range of containers and subnet to VPN container
-rw-r--r--src/access.go27
1 files changed, 26 insertions, 1 deletions
diff --git a/src/access.go b/src/access.go
index c22754c..4ae96ed 100644
--- a/src/access.go
+++ b/src/access.go
@@ -9,7 +9,9 @@ import (
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/network"
 	"github.com/docker/go-connections/nat"
+	"net"
 	"net/http"
+	"os"
 	"time"
 )
 
@@ -46,12 +48,26 @@ func startVPN() (err error) {
 		return err
 	}
 
-	// Create container
+	// Get subnet of challenge container network, to hand it over to our VPN container for routes
+	inspectResp, err := dockerCli.NetworkInspect(dockerCtx, vpnNetworkID, types.NetworkInspectOptions{})
+	if err != nil {
+		return err
+	}
+
+	// Parse subnet (in CIDR notation)
+	_, ipnet, err := net.ParseCIDR(inspectResp.IPAM.Config[0].Subnet)
+	if err != nil {
+		return err
+	}
+
+	// Create VPN container
 	resp, err := dockerCli.ContainerCreate(dockerCtx, &container.Config{
 		Image: vpnContainerName,
 		Env: []string{
 			fmt.Sprintf("remoteAddress=%s", *remoteAddress),
 			fmt.Sprintf("remotePort=%d", *remotePort),
+			fmt.Sprintf("subnet=%s", ipnet.IP.String()),
+			fmt.Sprintf("subnetMask=%d.%d.%d.%d", ipnet.Mask[0], ipnet.Mask[1], ipnet.Mask[2], ipnet.Mask[3]),
 		},
 		ExposedPorts: map[nat.Port]struct{}{
 			"1194/udp": {},
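Review bot: `inspectResp.IPAM.Config[0].Subnet` is indexed without checking that the slice is non-empty, so a network whose IPAM section carries no config entries turns a recoverable error into an index-out-of-range panic in startVPN; guard it before the ParseCIDR call, `if len(inspectResp.IPAM.Config) == 0 { return fmt.Errorf("network %s has no IPAM subnet configured", vpnNetworkID) }`. The `subnetMask=%d.%d.%d.%d` line also assumes a 4-byte mask: for an IPv6 subnet net.ParseCIDR returns a 16-byte mask, so the four indexes will not panic but will silently emit the first four bytes of a /128-style mask as a dotted-quad, which is presumably not what the VPN container expects — either reject non-IPv4 subnets (`ipnet.IP.To4() == nil`) or document that only IPv4 networks are supported. A short comment on the env lines stating that `subnet` is the network address and `subnetMask` the dotted-decimal mask, as consumed by the VPN image, would make the contract with the container explicit. startVPN starts and ends outside this hunk.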
@@ -90,6 +106,15 @@ func startVPN() (err error) {
 		return err
 	}
 
+	// We now need to do a little stunt. If the companion is started inside a container, it's not possible to dial to port 9999 of the VPN container.
+	// However, getCertificate() requires that port 9999 of the VPN container hosts the configuration files for our client.
+	// That means we need to attach our own container - thanks to --privileged mode - into the VPN container network.
+	// We get the ID of our container from the "hostname" environment variable. That's a bit dirty, but works for the moment. TODO: solve this better.
+	err = dockerCli.NetworkConnect(dockerCtx, vpnNetworkID, os.Getenv("HOSTNAME"), &network.EndpointSettings{})
+	if err != nil {
+		return err
+	}
+
 	vpnContainerID = resp.ID
 
 	return nil
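Review bot: `os.Getenv("HOSTNAME")` is passed straight to NetworkConnect, so when the companion is not running in a container (or the variable is unset or overridden) the call is made with an empty or wrong container identifier and the failure surfaces only as an opaque daemon error; read it into a local and fail early with context, `selfID := os.Getenv("HOSTNAME"); if selfID == "" { return fmt.Errorf("HOSTNAME is empty, cannot attach companion to network %s", vpnNetworkID) }`. The existing comment should also state that this assumes the default Docker hostname (the short container ID) and that a `--hostname` override breaks the lookup, which is the concrete shape of the acknowledged TODO. Separately, `vpnContainerID = resp.ID` is only assigned after NetworkConnect succeeds, so if that call fails the container created earlier in startVPN is never recorded and presumably cannot be torn down by the caller; moving the assignment above the NetworkConnect call keeps the handle regardless of the outcome. startVPN's closing brace is outside this hunk.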