Merge pull request #71 from leojonathanoh/enhancement/add-openvpn-2.6.14-variants

Enhancement: Add openvpn 2.6.14 variants

Author: leojonathanoh

.github/workflows/ci-master-pr.yml

@@ -33,7 +33,7 @@ jobs:
       run: |
         git diff --exit-code
 
-  build-2-6-12:
+  build-2-6-14:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout
@@ -64,9 +64,9 @@ jobs:
       uses: actions/cache@v4
       with:
         path: /tmp/.buildx-cache
-        key: ${{ runner.os }}-buildx-2.6.12-${{ github.sha }}
+        key: ${{ runner.os }}-buildx-2.6.14-${{ github.sha }}
         restore-keys: |
-          ${{ runner.os }}-buildx-2.6.12-
+          ${{ runner.os }}-buildx-2.6.14-
           ${{ runner.os }}-buildx-
 
     - name: Login to Docker Hub registry
@@ -79,7 +79,7 @@ jobs:
 
     # This step generates the docker tags
     - name: Prepare
-      id: prep-2-6-12-alpine-edge
+      id: prep-2-6-14-alpine-3-22
       run: |
         set -e
 
@@ -92,7 +92,7 @@ jobs:
         # Generate docker image tags
         # E.g. 'v0.0.0-<variant>' and 'v0.0.0-abc0123-<variant>'
         # E.g. 'master-<variant>' and 'master-abc0123-<variant>'
-        VARIANT="2.6.12-alpine-edge"
+        VARIANT="2.6.14-alpine-3.22"
         REF_VARIANT="${REF}-${VARIANT}"
         REF_SHA_VARIANT="${REF}-${SHA}-${VARIANT}"
 
@@ -102,45 +102,45 @@ jobs:
         echo "REF_VARIANT=$REF_VARIANT" >> $GITHUB_OUTPUT
         echo "REF_SHA_VARIANT=$REF_SHA_VARIANT" >> $GITHUB_OUTPUT
 
-    - name: 2.6.12-alpine-edge - Build (PRs)
+    - name: 2.6.14-alpine-3.22 - Build (PRs)
       # Run only on pull requests
       if: github.event_name == 'pull_request'
       uses: docker/build-push-action@v5
       with:
-        context: variants/2.6.12-alpine-edge
+        context: variants/2.6.14-alpine-3.22
         platforms: linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/s390x
         push: false
         tags: |
-          ${{ github.repository }}:${{ steps.prep-2-6-12-alpine-edge.outputs.REF_VARIANT }}
-          ${{ github.repository }}:${{ steps.prep-2-6-12-alpine-edge.outputs.REF_SHA_VARIANT }}
+          ${{ github.repository }}:${{ steps.prep-2-6-14-alpine-3-22.outputs.REF_VARIANT }}
+          ${{ github.repository }}:${{ steps.prep-2-6-14-alpine-3-22.outputs.REF_SHA_VARIANT }}
         cache-from: type=local,src=/tmp/.buildx-cache
         cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
 
-    - name: 2.6.12-alpine-edge - Build and push (master)
+    - name: 2.6.14-alpine-3.22 - Build and push (master)
       # Run only on master
       if: github.ref == 'refs/heads/master'
       uses: docker/build-push-action@v5
       with:
-        context: variants/2.6.12-alpine-edge
+        context: variants/2.6.14-alpine-3.22
         platforms: linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/s390x
         push: true
         tags: |
-          ${{ github.repository }}:${{ steps.prep-2-6-12-alpine-edge.outputs.REF_VARIANT }}
-          ${{ github.repository }}:${{ steps.prep-2-6-12-alpine-edge.outputs.REF_SHA_VARIANT }}
+          ${{ github.repository }}:${{ steps.prep-2-6-14-alpine-3-22.outputs.REF_VARIANT }}
+          ${{ github.repository }}:${{ steps.prep-2-6-14-alpine-3-22.outputs.REF_SHA_VARIANT }}
         cache-from: type=local,src=/tmp/.buildx-cache
         cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
 
-    - name: 2.6.12-alpine-edge - Build and push (release)
+    - name: 2.6.14-alpine-3.22 - Build and push (release)
       if: startsWith(github.ref, 'refs/tags/')
       uses: docker/build-push-action@v5
       with:
-        context: variants/2.6.12-alpine-edge
+        context: variants/2.6.14-alpine-3.22
         platforms: linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/s390x
         push: true
         tags: |
-          ${{ github.repository }}:${{ steps.prep-2-6-12-alpine-edge.outputs.VARIANT }}
-          ${{ github.repository }}:${{ steps.prep-2-6-12-alpine-edge.outputs.REF_VARIANT }}
-          ${{ github.repository }}:${{ steps.prep-2-6-12-alpine-edge.outputs.REF_SHA_VARIANT }}
+          ${{ github.repository }}:${{ steps.prep-2-6-14-alpine-3-22.outputs.VARIANT }}
+          ${{ github.repository }}:${{ steps.prep-2-6-14-alpine-3-22.outputs.REF_VARIANT }}
+          ${{ github.repository }}:${{ steps.prep-2-6-14-alpine-3-22.outputs.REF_SHA_VARIANT }}
           ${{ github.repository }}:latest
         cache-from: type=local,src=/tmp/.buildx-cache
         cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
@@ -1323,7 +1323,7 @@ jobs:
 
   update-draft-release:
     needs:
-      - build-2-6-12
+      - build-2-6-14
       - build-2-6-11
       - build-2-5-10
       - build-2-4-12
@@ -1344,7 +1344,7 @@ jobs:
 
   publish-draft-release:
     needs:
-      - build-2-6-12
+      - build-2-6-14
       - build-2-6-11
       - build-2-5-10
       - build-2-4-12
@@ -1367,7 +1367,7 @@ jobs:
 
   update-dockerhub-description:
     needs:
-      - build-2-6-12
+      - build-2-6-14
       - build-2-6-11
       - build-2-5-10
       - build-2-4-12

README.md

@@ -12,7 +12,7 @@ Dockerized `openvpn`.
 
 | Tag | Dockerfile Build Context |
 |:-------:|:---------:|
-| `:2.6.12-alpine-edge`, `:latest` | [View](variants/2.6.12-alpine-edge) |
+| `:2.6.14-alpine-3.22`, `:latest` | [View](variants/2.6.14-alpine-3.22) |
 | `:2.6.11-alpine-3.18` | [View](variants/2.6.11-alpine-3.18) |
 | `:2.5.10-alpine-3.17` | [View](variants/2.5.10-alpine-3.17) |
 | `:2.4.12-alpine-3.12` | [View](variants/2.4.12-alpine-3.12) |
@@ -38,7 +38,7 @@ It is assumed that you have knowledge of configuring `openvpn`. If needed, refer
 To run the image, at the least you should mount a `/etc/openvpn/server.conf`, which may be a unified openvpn profile (see INLINE FILE SUPPORT section in the [openvpn manual](https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage)).
 
 ```sh
-docker run --rm -it --cap-add NET_ADMIN -v /path/to/server.conf:/etc/openvpn/server.conf theohbrothers/docker-openvpn:2.6.12-alpine-edge
+docker run --rm -it --cap-add NET_ADMIN -v /path/to/server.conf:/etc/openvpn/server.conf theohbrothers/docker-openvpn:2.6.14-alpine-3.22
 ```
 
 ## Environment variables

generate/definitions/VARIANTS.ps1

@@ -2,9 +2,9 @@
 $local:VARIANTS_MATRIX = @(
     @{
         package = 'openvpn'
-        package_version = '2.6.12'
+        package_version = '2.6.14'
         distro = 'alpine'
-        distro_version = 'edge'
+        distro_version = '3.22'
         subvariants = @(
             @{ components = @() }
         )

variants/2.6.14-alpine-3.22/Dockerfile

@@ -0,0 +1,11 @@
+FROM alpine:3.22
+
+RUN set -eux; \
+    apk add --no-cache openvpn~=2.6.14 iptables; \
+    # Workaround openvpn --version exiting with non-zero exit code on openvpn <= 2.4.x
+    openvpn --version | grep -A100 -B100 2.6.14
+
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+RUN chmod +x /docker-entrypoint.sh
+
+ENTRYPOINT ["/docker-entrypoint.sh"]

variants/2.6.14-alpine-3.22/docker-compose.yml

@@ -0,0 +1,45 @@
+version: '2.1'
+services:
+  openvpn-server:
+    build:
+      dockerfile: Dockerfile
+      context: .
+    environment:
+      - OPENVPN_CONFIG_FILE=/etc/openvpn/server.conf
+      - NAT_MASQUERADE=1
+      # - CUSTOM_FIREWALL_SCRIPT=/etc/openvpn/firewall.sh
+    volumes:
+      - ./openvpn/server.conf:/etc/openvpn/server.conf
+      # - ./openvpn/firewall.sh:/etc/openvpn/firewall.sh
+    ports:
+      - 1194:1194/udp
+    cap_add:
+      - NET_ADMIN
+    # sysctls for the container if it is not set on the host. See: https://docs.docker.com/compose/compose-file/compose-file-v2/#sysctls
+    sysctls:
+      - net.ipv4.conf.all.forwarding=1
+      # - net.ipv6.conf.all.disable_ipv6=0
+      # - net.ipv6.conf.default.forwarding=1
+      # - net.ipv6.conf.all.forwarding=1
+    restart: unless-stopped
+
+  openvpn-client:
+    build:
+      dockerfile: Dockerfile
+      context: .
+    environment:
+      - OPENVPN_CONFIG_FILE=/etc/openvpn/client.conf
+      - NAT_MASQUERADE=0
+      # - CUSTOM_FIREWALL_SCRIPT=/etc/openvpn/firewall.sh
+    volumes:
+      - ./openvpn/client.conf:/etc/openvpn/client.conf
+      # - ./openvpn/firewall.sh:/etc/openvpn/firewall.sh
+    cap_add:
+      - NET_ADMIN
+    # sysctls for the container if it is not set on the host. See: https://docs.docker.com/compose/compose-file/compose-file-v2/#sysctls
+    sysctls:
+      - net.ipv4.conf.all.forwarding=1
+      # - net.ipv6.conf.all.disable_ipv6=0
+      # - net.ipv6.conf.default.forwarding=1
+      # - net.ipv6.conf.all.forwarding=1
+    restart: unless-stopped

variants/2.6.14-alpine-3.22/docker-entrypoint.sh

@@ -0,0 +1,70 @@
+#!/bin/sh
+set -eu
+
+# Env vars
+OPENVPN_CONFIG_FILE=${OPENVPN_CONFIG_FILE:-/etc/openvpn/server.conf}
+OPENVPN_SERVER_CONFIG_FILE=${OPENVPN_SERVER_CONFIG_FILE:-} # Deprecated. For backward compatibility
+OPENVPN_ROUTES=${OPENVPN_ROUTES:-}
+NAT=${NAT:-1}
+NAT_INTERFACE=${NAT_INTERFACE:-eth0}
+NAT_MASQUERADE=${NAT_MASQUERADE:-1}
+CUSTOM_FIREWALL_SCRIPT=${CUSTOM_FIREWALL_SCRIPT:-/etc/openvpn/firewall.sh}
+
+# Normalization
+if [ -n "$OPENVPN_SERVER_CONFIG_FILE" ]; then
+    echo "Warning: OPENVPN_SERVER_CONFIG_FILE is deprecated. Use OPENVPN_CONFIG_FILE instead."
+    OPENVPN_CONFIG_FILE="$OPENVPN_SERVER_CONFIG_FILE"
+fi
+
+# If no args are passed, run the entrypoint. If a flag is passed, run openvpn directly. Else, run the passed command
+if [ "$#" -eq 0 ]; then
+    # Provision
+    echo "Provisioning tun device"
+    mkdir -p /dev/net
+    if [ ! -c /dev/net/tun ]; then
+        mknod /dev/net/tun c 10 200
+    fi
+    if [ -f "$CUSTOM_FIREWALL_SCRIPT" ]; then
+        echo "Executing custom firewall script: $CUSTOM_FIREWALL_SCRIPT"
+        . "$CUSTOM_FIREWALL_SCRIPT"
+    else
+        echo "Not executing custom firewall script $CUSTOM_FIREWALL_SCRIPT because it does not exist"
+    fi
+    if [ "$NAT" = 1 ]; then
+        echo "NAT is enabled"
+        echo "Provisioning NAT iptables rules"
+        echo "NAT_INTERFACE: $NAT_INTERFACE"
+        if [ "$NAT_MASQUERADE" = 1 ]; then
+            echo "NAT_MASQUERADE is enabled"
+            iptables -t nat -C POSTROUTING -o "$NAT_INTERFACE" -j MASQUERADE > dev/null 2>&1 || iptables -t nat -A POSTROUTING -o "$NAT_INTERFACE" -j MASQUERADE
+            if [ -n "$OPENVPN_ROUTES" ]; then
+                echo "Provisioning NAT iptables rules for OPENVPN_ROUTES=$OPENVPN_ROUTES"
+                for r in $OPENVPN_ROUTES; do
+                    iptables -t nat -C POSTROUTING -s "$r" -o "$NAT_INTERFACE" -j MASQUERADE > dev/null 2>&1 || iptables -t nat -A POSTROUTING -s "$r" -o "$NAT_INTERFACE" -j MASQUERADE
+                done
+            else
+                echo "Not provisioning route iptables rules because OPENVPN_ROUTES is empty"
+            fi
+        else
+            echo "Not provisioning NAT iptables rules because NAT_MASQUERADE is disabled."
+        fi
+    else
+        echo "NAT is disabled."
+        echo "Not adding NAT iptables rules"
+    fi
+
+    echo "Listing iptables rules:"
+    iptables -L -nv
+    echo "Listing iptables NAT rules:"
+    iptables -L -nv -t nat
+
+    # Generate the command line. openvpn man: https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/
+    set openvpn --cd /etc/openvpn --config "$OPENVPN_CONFIG_FILE"
+    echo "openvpn command line: $@"
+    exec "$@"
+elif [ "$#" -gt 0 ] && [ "${1#-}" != "$1" ]; then
+    echo "openvpn command line: $@"
+    exec openvpn "$@"
+fi
+
+exec "$@"