about summary refs log tree commit diff
path: root/src/access.go
blob: 233b11caa021c79e1cb659698460db153c3af712 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
package main

import (
	"bytes"
	"errors"
	"flag"
	"fmt"
	"github.com/docker/docker/api/types"
	"github.com/docker/docker/api/types/container"
	"github.com/docker/docker/api/types/network"
	"github.com/docker/go-connections/nat"
	"net"
	"net/http"
	"os"
	"time"
)

const(
	vpnContainerName = "circus-vpn"
)

var vpnContainerID string
var remoteAddress* string
var remotePort* int

func registerAccessFlags() {
	remoteAddress = flag.String("vpnRemoteAddress", "", "The remote domain name or IP the VPN will run on")
	remotePort = flag.Int("vpnRemotePort", 1194, "The port the VPN should listen on")
}

func startVPN() (err error) {
	// First: try to stop an existing container with that name, to avoid collision
	// This container may exist if we didn't properly clean up on the last run, e.g. if the companion crashed.
	stopVPN()
	// stopVPN() as first command in startVPN()... This looks strange, but is perfectly fine ;)

	// Set up our context and Docker CLI connection
	setupContext()
	setupDockerCLI()

	// Set up VPN host network
	if vpnHostNetworkID == "" {
		id, err := setupNetwork(getVPNNetworkName(), false)
		if (err != nil) {
			return err
		}
		vpnHostNetworkID = id
	}

	// Set up container network
	if containerNetworkID == "" {
		id, err := setupNetwork(getChallengeNetworkName(), true)
		if (err != nil) {
			return err
		}
		containerNetworkID = id
	}

	// Get subnet of challenge container network, to hand it over to our VPN container for routes
	inspectResp, err := dockerCli.NetworkInspect(dockerCtx, containerNetworkID, types.NetworkInspectOptions{})
	if err != nil {
		return err
	}

	// Parse subnet (in CIDR notation)
	_, ipnet, err := net.ParseCIDR(inspectResp.IPAM.Config[0].Subnet)
	if err != nil {
		return err
	}

	// Create VPN container
	resp, err := dockerCli.ContainerCreate(dockerCtx, &container.Config{
		Image: vpnContainerName,
		Env: []string{
			fmt.Sprintf("remoteAddress=%s", *remoteAddress),
			fmt.Sprintf("remotePort=%d", *remotePort),
			fmt.Sprintf("subnet=%s", ipnet.IP.String()),
			fmt.Sprintf("subnetMask=%d.%d.%d.%d", ipnet.Mask[0], ipnet.Mask[1], ipnet.Mask[2], ipnet.Mask[3]),
		},
		ExposedPorts: map[nat.Port]struct{}{
			"1194/udp": {},
		},
	}, &container.HostConfig{
		Privileged: true,
		PortBindings: nat.PortMap{
			"1194/udp": []nat.PortBinding{
				{
					HostIP: "0.0.0.0",
					HostPort: fmt.Sprintf("%d", *remotePort),
				},
			},
		},
	}, &network.NetworkingConfig{
		EndpointsConfig: map[string]*network.EndpointSettings{
			"startpoint": {
				NetworkID: vpnHostNetworkID,
			},
		},
	}, "")

	if err != nil {
		return err
	}

	// Attach container network to VPN container
	err = dockerCli.NetworkConnect(dockerCtx, containerNetworkID, resp.ID, &network.EndpointSettings{})
	if err != nil {
		return err
	}

	// Start container
	err = dockerCli.ContainerStart(dockerCtx, resp.ID, types.ContainerStartOptions{})
	if err != nil {
		return err
	}

	// We now need to do a little stunt. If the companion is started inside a container, it's not possible to dial to port 9999 of the VPN container.
	// However, getCertificate() requires that port 9999 of the VPN container hosts the configuration files for our client.
	// That means we need to attach our own container - thanks to --privileged mode - into the VPN container network.
	// We get the ID of our container from the "hostname" environment variable. That's a bit dirty, but works for the moment. TODO: solve this better.
	err = dockerCli.NetworkConnect(dockerCtx, vpnHostNetworkID, os.Getenv("HOSTNAME"), &network.EndpointSettings{})
	if err != nil {
		return err
	}

	vpnContainerID = resp.ID

	return nil
}

func stopVPN() {
	setupContext()
	setupDockerCLI()

	timeout := time.Second * 5
	dockerCli.ContainerStop(dockerCtx, vpnContainerID, &timeout)

	// We need to undo our stunt! Else, the network won't be deletable because "there are active endpoints"
	dockerCli.NetworkDisconnect(dockerCtx, vpnHostNetworkID, os.Getenv("HOSTNAME"), true)

	vpnContainerID = ""
}

func getCertificate() (string, error) {
	if vpnContainerID == "" {
		return "", errors.New("VPN container not up")
	}

	// Get IP of VPN container
	inspectJSON, err := dockerCli.ContainerInspect(dockerCtx, vpnContainerID)
	if err != nil {
		return "", err
	}

	// get certificate
	var certResponse *http.Response

	// retry for 10 seconds to dial to the VPN container
	for i := 0; i < 10; i++ {
		// Check if the VPN container is already part of our challenge container network
		if inspectJSON.NetworkSettings.Networks[getVPNNetworkName()] != nil {
			// it is - get the IP address and dial to it
			certResponse, err = http.Get(fmt.Sprintf("http://%s:9999/", inspectJSON.NetworkSettings.Networks[getVPNNetworkName()].IPAddress))

			if err == nil {
				break
			}
		}

		time.Sleep(time.Second)
	}

	if err != nil || certResponse == nil {
		return "", err
	}

	buffer := make([]byte, 1024)
	certResponse.Body.Read(buffer)

	return string(bytes.Trim(buffer, "\x00")), nil
}