1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
|
package main
import (
"bytes"
"errors"
"flag"
"fmt"
"net"
"net/http"
"os"
"time"
"github.com/docker/docker/api/types"
"github.com/docker/docker/api/types/container"
"github.com/docker/docker/api/types/network"
"github.com/docker/go-connections/nat"
)
const (
vpnContainerName = "registry.darknebu.la/circus/vpn"
)
var vpnContainerID string
var remoteAddress *string
var remotePort *int
func registerAccessFlags() {
remoteAddress = flag.String("vpnRemoteAddress", "", "The remote domain name or IP the VPN will run on")
remotePort = flag.Int("vpnRemotePort", 1194, "The port the VPN should listen on")
}
func startVPN() (err error) {
// First: try to stop an existing container with that name, to avoid collision
// This container may exist if we didn't properly clean up on the last run, e.g. if the companion crashed.
stopVPN()
// stopVPN() as first command in startVPN()... This looks strange, but is perfectly fine ;)
// Set up our context and Docker CLI connection
setupContext()
setupDockerCLI()
// Set up VPN host network
if vpnHostNetworkID == "" {
id, err := setupNetwork(getVPNNetworkName(), false)
if err != nil {
return err
}
vpnHostNetworkID = id
}
// Set up container network
if containerNetworkID == "" {
id, err := setupNetwork(getChallengeNetworkName(), true)
if err != nil {
return err
}
containerNetworkID = id
}
// Get subnet of challenge container network, to hand it over to our VPN container for routes
inspectResp, err := dockerCli.NetworkInspect(dockerCtx, containerNetworkID, types.NetworkInspectOptions{})
if err != nil {
return err
}
// Parse subnet (in CIDR notation)
_, ipnet, err := net.ParseCIDR(inspectResp.IPAM.Config[0].Subnet)
if err != nil {
return err
}
// Create VPN container
resp, err := dockerCli.ContainerCreate(dockerCtx, &container.Config{
Image: vpnContainerName,
Env: []string{
fmt.Sprintf("remoteAddress=%s", *remoteAddress),
fmt.Sprintf("remotePort=%d", *remotePort),
fmt.Sprintf("subnet=%s", ipnet.IP.String()),
fmt.Sprintf("subnetMask=%d.%d.%d.%d", ipnet.Mask[0], ipnet.Mask[1], ipnet.Mask[2], ipnet.Mask[3]),
},
ExposedPorts: map[nat.Port]struct{}{
"1194/udp": {},
},
}, &container.HostConfig{
Privileged: true,
PortBindings: nat.PortMap{
"1194/udp": []nat.PortBinding{
{
HostIP: "0.0.0.0",
HostPort: fmt.Sprintf("%d", *remotePort),
},
},
},
}, &network.NetworkingConfig{
EndpointsConfig: map[string]*network.EndpointSettings{
"startpoint": {
NetworkID: vpnHostNetworkID,
},
},
}, "")
if err != nil {
return err
}
// Attach container network to VPN container
err = dockerCli.NetworkConnect(dockerCtx, containerNetworkID, resp.ID, &network.EndpointSettings{})
if err != nil {
return err
}
// Start container
err = dockerCli.ContainerStart(dockerCtx, resp.ID, types.ContainerStartOptions{})
if err != nil {
return err
}
// We now need to do a little stunt. If the companion is started inside a container, it's not possible to dial to port 9999 of the VPN container.
// However, getCertificate() requires that port 9999 of the VPN container hosts the configuration files for our client.
// That means we need to attach our own container - thanks to --privileged mode - into the VPN container network.
// We get the ID of our container from the "hostname" environment variable. That's a bit dirty, but works for the moment. TODO: solve this better.
err = dockerCli.NetworkConnect(dockerCtx, vpnHostNetworkID, os.Getenv("HOSTNAME"), &network.EndpointSettings{})
if err != nil {
return err
}
vpnContainerID = resp.ID
return nil
}
func stopVPN() {
setupContext()
setupDockerCLI()
timeout := time.Second * 5
dockerCli.ContainerStop(dockerCtx, vpnContainerID, &timeout)
// We need to undo our stunt! Else, the network won't be deletable because "there are active endpoints"
dockerCli.NetworkDisconnect(dockerCtx, vpnHostNetworkID, os.Getenv("HOSTNAME"), true)
vpnContainerID = ""
}
func getCertificate() (string, error) {
if vpnContainerID == "" {
return "", errors.New("VPN container not up")
}
// Get IP of VPN container
inspectJSON, err := dockerCli.ContainerInspect(dockerCtx, vpnContainerID)
if err != nil {
return "", err
}
// get certificate
var certResponse *http.Response
// retry for 10 seconds to dial to the VPN container
for i := 0; i < 10; i++ {
// Check if the VPN container is already part of our challenge container network
if inspectJSON.NetworkSettings.Networks[getVPNNetworkName()] != nil {
// it is - get the IP address and dial to it
certResponse, err = http.Get(fmt.Sprintf("http://%s:9999/", inspectJSON.NetworkSettings.Networks[getVPNNetworkName()].IPAddress))
if err == nil {
break
}
}
time.Sleep(time.Second)
}
if err != nil || certResponse == nil {
return "", err
}
buffer := make([]byte, 1024)
certResponse.Body.Read(buffer)
return string(bytes.Trim(buffer, "\x00")), nil
}
|