#!/bin/sh
. /etc/profile
haproxy_cfg(){
  # Assemble the TLS material and write the haproxy configuration for the node.
  # Two TLS frontends are exposed:
  #   8880 -> local HTTP proxy (127.0.0.1:8888), mutual TLS: client certs must
  #           verify against the generated CA ("verify required").
  #   8881 -> lvpns manager (127.0.0.1:8123), no client verification.
  # Both use the combined cert/key bundle, TLSv1.2 minimum, no session tickets.
  # $1 is used as a function-local variable for the etc dir (POSIX sh, no 'local').
  set -- /home/lvpn/server/etc
  # Combined bundle = every localhost *.pem followed by every localhost *.crt.
  cat "$1"/ca/certs/localhost/*.pem "$1"/ca/certs/localhost/*.crt >"$1"/ca-combined.pem
  cp "$1"/ca/ca.crt "$1"/ca.crt
  # Unquoted delimiter: $1 below expands to the etc dir.
  cat >"$1"/haproxy.cfg <<EOF
global
daemon
ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
defaults
log global
mode tcp
option dontlognull
timeout connect 5000
timeout client 600000
timeout server 600000
timeout tunnel 0
option http-keep-alive
http-reuse safe
frontend authenticated-tls-proxy
bind 0.0.0.0:8880 ssl crt $1/ca-combined.pem ca-file $1/ca.crt verify required tfo
default_backend http-proxy
frontend manager-tls-proxy
bind 0.0.0.0:8881 ssl crt $1/ca-combined.pem ca-file $1/ca.crt verify none tfo
default_backend manager
backend http-proxy
mode http
# Must be directed to your HTTP proxy instance
server localproxy 127.0.0.1:8888
backend manager
mode http
# Must be directed to your lvpns manager
server localproxy 127.0.0.1:8123
EOF
}
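tinyproxy_cfg(){
  # Write the tinyproxy configuration used by the haproxy "http-proxy" backend.
  #   Port 8888          - listen port (haproxy forwards 8880 here)
  #   Allow 100.64.0.0/10 - only this client range may use the proxy
  #                        (presumably the WireGuard client range; confirm)
  #   ConnectPort        - CONNECT is limited to 443 and 8080
  #   XTinyproxy Yes     - adds an X-Tinyproxy header with the originating
  #                        client address to forwarded requests
  #   DisableViaHeader   - no Via header is added
  # Fix: the PidFile directive was emitted twice; it is written once now.
  # Quoted delimiter: the body contains no shell expansions.
  cat >/home/lvpn/server/etc/tinyproxy.cfg <<'EOF'
Port 8888
Syslog Yes
LogLevel Warning
PidFile "/tmp/tinyproxy.pid"
XTinyproxy Yes
MaxClients 100
DisableViaHeader On
Allow 100.64.0.0/10
ConnectPort 443
ConnectPort 8080
EOF
}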
server_ini(){
  # Create the default lvpns config at $WLS_CFG_DIR/server.ini.
  # wg-cmd-prefix=sudo: WireGuard commands are run through sudo.
  # manager-local-bind=0.0.0.0: the manager listens on all interfaces, so
  # reachability is governed by the container's network exposure.
  printf '%s\n' \
    '[global]' \
    'enable-wg=1' \
    'wg-cmd-prefix=sudo' \
    'manager-local-bind=0.0.0.0' \
    >"$WLS_CFG_DIR/server.ini"
}
client_ini(){
  # Create the default lvpnc config at $WLC_CFG_DIR/client.ini.
  # wg-cmd-prefix=sudo: WireGuard commands are run through sudo.
  # local-bind / manager-local-bind=0.0.0.0: client and manager listeners are
  # bound on all interfaces, not just loopback.
  # wg-shutdown-on-disconnect=0: the WG interface is left up on disconnect.
  printf '%s\n' \
    '[global]' \
    'enable-wg=1' \
    'wg-cmd-prefix=sudo' \
    'local-bind=0.0.0.0' \
    'manager-local-bind=0.0.0.0' \
    'wg-shutdown-on-disconnect=0' \
    >"$WLC_CFG_DIR/client.ini"
}
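# Fail fast when the directory variables (expected to come from /etc/profile)
# are unset or empty. Without this guard mkdir only prints an error and the
# default ini files are written to the filesystem root ("/client.ini").
: "${WLS_TMP_DIR:?WLS_TMP_DIR must be set}"
: "${WLC_TMP_DIR:?WLC_TMP_DIR must be set}"
: "${WLC_CFG_DIR:?WLC_CFG_DIR must be set}"
: "${WLC_VAR_DIR:?WLC_VAR_DIR must be set}"
: "${WLS_VAR_DIR:?WLS_VAR_DIR must be set}"
: "${WLS_CFG_DIR:?WLS_CFG_DIR must be set}"
mkdir -p "$WLS_TMP_DIR" "$WLC_TMP_DIR" "$WLC_CFG_DIR" "$WLC_VAR_DIR" "$WLS_VAR_DIR" "$WLS_CFG_DIR"
# Seed default configs only on first run; existing files are left untouched.
if ! [ -f "$WLC_CFG_DIR/client.ini" ]
then
  client_ini
fi
if ! [ -f "$WLS_CFG_DIR/server.ini" ]
then
  server_ini
fi
# CARGS is a space-separated option string that the client arm expands
# unquoted on purpose (word-splitting turns it into two arguments).
if [ -n "$DAEMON_HOST" ]
then
  CARGS="--daemon-host $DAEMON_HOST"
fi
# Default daemon options: P2P and RPC bound on all interfaces, RPC in
# restricted mode, peering pinned to the single exclusive node 172.31.129.19.
# Override by setting DAEMON_ARGS in the environment.
if [ -z "$DAEMON_ARGS" ]
then
  DAEMON_ARGS="--non-interactive --confirm-external-bind --data-dir=/home/lvpn/blockchain \
--p2p-bind-ip=0.0.0.0 --rpc-bind-ip=0.0.0.0 --log-level=0 --restricted-rpc --add-exclusive-node 172.31.129.19 --add-priority-node 172.31.129.19 --add-peer 172.31.129.19"
fi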
# Main logic here
# Dispatch on the first argument (the container role). With no argument $1 is
# empty and control falls through to the "*)" arm, which consults $MODE.
# The "node" arm turns this script into a long-running supervisor: every
# component runs in a backgrounded restart loop and the script blocks in
# `wait` at the end.
case $1 in
client|lvpnc)
shift
# NOTE(review): "$@" is echoed verbatim. When this arm is reached from the
# node arm below, "$@" carries --wallet-password and --wallet-rpc-password,
# so the wallet secrets are written to client.log (and are visible in argv).
echo "Starting client:" lvpnc $LVPNC_ARGS $CARGS "$@"
# $LVPNC_ARGS and $CARGS are intentionally unquoted option strings.
lvpnc $LVPNC_ARGS $CARGS "$@"
;;
server|lvpns)
shift
# Same caveat as the client arm: "$@" (incl. --wallet-rpc-password from the
# node arm) is echoed to stdout.
echo "Starting server:" lvpns $LVPNS_ARGS "$@"
lvpns $LVPNS_ARGS "$@"
;;
mgmt|lmgmt)
shift
lmgmt "$@"
;;
node)
if ! [ -d /home/lvpn/blockchain ]
then
mkdir /home/lvpn/blockchain
fi
# Re-enter this script to create the work dirs and chown /home/lvpn via sudo.
$0 set-perms
# Run local daemon
echo "Running local daemon"
# Restart loop: letheand is respawned 5 s after it exits. The loop is a
# background subshell, so nothing inside it affects this shell.
while true;
do
letheand $DAEMON_ARGS >/home/lvpn/daemon.log 2>&1
sleep 5
done &
# Wait for daemon to start
echo "Waiting for daemon to start."
# curl -q only disables ~/.curlrc (it is not "quiet"); output is dropped by
# the redirects. Loops until anything answers on the daemon RPC port.
while ! curl -q http://127.0.0.1:48782/json_rpc 2>/dev/null >/dev/null
do
sleep 1
echo "."
done
echo OK
# Client restart loop. Each iteration re-reads the wallet passwords from
# $WLS_CFG_DIR when the files exist and exports them into the loop's
# environment; they are then passed to lvpnc on the command line.
while true
do
if [ -f $WLS_CFG_DIR/wallet_pass ]
then
export EASY_WALLET_PASSWORD=$(cat $WLS_CFG_DIR/wallet_pass)
export EASY_WALLET_RPC_PASSWORD=$(cat $WLS_CFG_DIR/wallet_rpc_pass)
fi
# First, let us start client
# The client runs without its own wallet/GUI and uses the client wallet RPC
# on port 1444 (started further down). Daemon RPC is the fixed remote node
# 172.31.129.19, not the local letheand. Logs go to client.log.
$0 lvpnc $LVPNC_ARGS --run-wallet=0 --run-gui=0 --auto-reconnect=20 --auto-pay-days=30 \
--wallet-rpc-url=http://localhost:1444/json_rpc --wallet-rpc-password="$EASY_WALLET_RPC_PASSWORD" \
--wallet-password="$EASY_WALLET_PASSWORD" --wallet-name=vpn-wallet \
--daemon-rpc-url="http://172.31.129.19:48782/json_rpc" --daemon-host="172.31.129.19" \
--auto-connect=${NODE_AUTO_CONNECT} >/home/lvpn/client.log 2>&1
sleep 10
done &
# Wait for client to connect
echo "Waiting for lvpnc to connect."
# Polls the client manager API (port 8124) until a connection with an
# endpoint is reported.
while ! curl -q http://127.0.0.1:8124/api/connections 2>/dev/null | grep endpoint >/dev/null
do
sleep 1
echo "."
done
echo OK
# Wait for client to have wg session
echo "Waiting for working WG session."
while ! curl -q http://127.0.0.1:8124/api/sessions 2>/dev/null | grep client_ipv4_address >/dev/null
do
sleep 1
echo "."
done
# Extracts the first client_ipv4_address value by text-slicing the
# pretty-printed JSON (4th double-quote-delimited field); a JSON-aware tool
# would be more robust if the output format ever changes.
IP=$(curl -q http://localhost:8124/api/sessions | json_pp | grep client_ipv4_address | cut -d '"' -f 4)
echo "OK (IP=$IP)"
# Generate VDP
# First-run provisioning: no provider key yet, so generate fresh wallet
# passwords, run the easy-provider wizard with the WG address as endpoint,
# and copy its output into $WLS_CFG_DIR. The else branch assumes
# easy-provider left wallet_pass / wallet_rpc_pass there — TODO confirm.
if ! [ -f "$WLS_CFG_DIR"/provider.private ]
then
echo "Running easy-provider"
export EASY_WALLET_PASSWORD=$(pwgen 12)
export EASY_WALLET_RPC_PASSWORD=$(pwgen 12)
export EASY_ENDPOINT=$IP
rm -rf /home/lvpn/easy
$0 easy-provider
cp -R /home/lvpn/easy/* "$WLS_CFG_DIR"/
# Configure haproxy
# haproxy/tinyproxy configs are only generated here, on first provisioning;
# later runs reuse the existing files.
haproxy_cfg
# Configure tinyproxy
tinyproxy_cfg
else
export EASY_WALLET_PASSWORD=$(cat $WLS_CFG_DIR/wallet_pass)
export EASY_WALLET_RPC_PASSWORD=$(cat $WLS_CFG_DIR/wallet_rpc_pass)
fi
# Remove stale files which blocks wallets to start
rm -f /tmp/*.login
# Run client wallet
echo "Running client wallet"
# Client wallet RPC on 1444. The `cd /tmp` only affects this background
# subshell. The RPC password is passed in argv (--rpc-login).
while true;
do
cd /tmp && lethean-wallet-rpc --wallet-dir="$WLS_CFG_DIR" --rpc-login="vpn:$EASY_WALLET_RPC_PASSWORD" \
--rpc-bind-port=1444 --trusted-daemon >/home/lvpn/client-wallet.log 2>&1
sleep 5
done &
# Run server wallet
echo "Running server wallet"
# Server wallet RPC on 1445, opening the vpn-wallet file; both the RPC login
# and the wallet password are passed in argv.
while true;
do
cd /tmp && lethean-wallet-rpc --wallet-file="$WLS_CFG_DIR"/vpn-wallet --rpc-login="vpn:$EASY_WALLET_RPC_PASSWORD" \
--rpc-bind-port=1445 --trusted-daemon --password "$EASY_WALLET_PASSWORD" >/home/lvpn/server-wallet.log 2>&1
sleep 5
done &
# Wait for client wallet
echo "Waiting for client wallet."
while ! curl -q http://localhost:1444/json_rpc 2>/dev/null >/dev/null
do
sleep 1
echo "."
done
echo "OK"
# Wait for server wallet
echo "Waiting for server wallet."
while ! curl -q http://localhost:1445/json_rpc 2>/dev/null >/dev/null
do
sleep 1
echo "."
done
echo "OK"
# Run the server
echo "Running server"
# lvpns restart loop, using the server wallet RPC on 1445; logs to server.log.
while true
do
$0 lvpns $LVPNS_ARGS \
--wallet-rpc-url=http://localhost:1445/json_rpc --wallet-rpc-password="$EASY_WALLET_RPC_PASSWORD" >/home/lvpn/server.log 2>&1
sleep 10
done &
# Regularly Push new VDP to server and fetch fresh VDP
# Runs roughly hourly (3500 s). The push/fetch failures are tolerated; the
# `|| true` is documentary since this script does not use `set -e` here.
while true
do
# Refresh VDP timestamps
if [ -n "$NODE_BEHIND_GW" ]
then
$0 lmgmt refresh-vdp "$NODE_BEHIND_GW"
else
$0 lmgmt refresh-vdp
fi
# Push our VDP
# The hex id below is the VDP server the node pushes to and fetches from
# (presumably a provider id — confirm).
$0 lmgmt push-vdp 94ece0b789b1031e0e285a7439205942eb8cb74b4df7c9854c0874bd3d8cd091 || true
# Fetch fresh VDP from main server for client and server
# WLC_CLIENT=1 is set only for the second lmgmt run (client-side fetch).
$0 lmgmt fetch-vdp 94ece0b789b1031e0e285a7439205942eb8cb74b4df7c9854c0874bd3d8cd091 || true
WLC_CLIENT=1 $0 lmgmt fetch-vdp 94ece0b789b1031e0e285a7439205942eb8cb74b4df7c9854c0874bd3d8cd091 || true
sleep 3500
done &
# Both proxies are expected to detach: the generated haproxy.cfg contains
# `daemon`, and tinyproxy daemonizes by default (presumably — confirm), so
# these calls return and the script continues.
if [ "${NODE_RUN_SERVER}" = "yes" ]
then
echo "Running haproxy"
/usr/sbin/haproxy -f /home/lvpn/server/etc/haproxy.cfg
echo "Running tinyproxy"
tinyproxy -c /home/lvpn/server/etc/tinyproxy.cfg
fi
# Optional file sharing: (re)create node.torrent for the share dir and seed it.
# Note the `cd` here runs in this shell (not a subshell), so the cwd stays in
# ${NODE_SHARE_DIR} for the rest of the arm; only echo and wait follow.
# ${NODE_SHARE_DIR} is unquoted on these two lines — breaks on spaces.
if [ "${NODE_RUN_SHARE}" = "yes" ] && [ -d "${NODE_SHARE_DIR}" ]
then
echo "Running ctorrent"
rm -f ${NODE_SHARE_DIR}/node.torrent
cd ${NODE_SHARE_DIR} && ctorrent -t -u "${NODE_TRACKER_URL}" -s "node.torrent" ./
ctorrent -p 2706 -d node.torrent
else
echo "Sharing files disabled"
fi
echo "Everythig UP! Great!"
# Wait for background processes
# The restart loops never terminate, so this blocks for the lifetime of the
# container and keeps the entrypoint process alive.
wait
;;
easy-provider)
shift
echo "Generating new provider to /home/lvpn/easy."
echo "You can tune this wizard by setting variables"
echo "EASY_FQDN - FQDN or IP of your provider"
echo "EASY_CA_CN - CN for generated CA"
if [ -z "$EASY_FQDN" ]
then
export EASY_FQDN=localhost
fi
if [ -z "$EASY_ENDPOINT" ]
then
export EASY_ENDPOINT=localhost
fi
# The WLS_CFG_DIR/LMGMT prefix assignments apply to easy-provider.sh only;
# this shell's WLS_CFG_DIR is unchanged.
WLS_CFG_DIR=/home/lvpn/easy LMGMT="/usr/src/lvpn/venv/bin/python3 /usr/src/lvpn/mgmt.py" easy-provider.sh "$@"
echo "Do not forget to save /home/lvpn/easy directory!"
;;
tests)
shift
# Only this arm runs with errexit; the rest of the script tolerates failures.
set -e
cp -R /usr/src/lvpn/tests/ /tmp/tests
cd /tmp/tests
sudo ./tests.sh /usr/src/lvpn
$0 easy-provider
echo "========================================================"
echo "Easy provider test passed"
echo "========================================================"
;;
set-perms)
# Creates the work dirs as root and hands the whole /home/lvpn tree to lvpn.
sudo mkdir -p "$WLS_TMP_DIR" "$WLC_TMP_DIR" "$WLC_CFG_DIR" "$WLC_VAR_DIR" "$WLS_VAR_DIR"
sudo chown -R lvpn:lvpn /home/lvpn
;;
sh)
shift
# Interactive shell with the same environment this script sourced.
bash --init-file /etc/profile "$@"
;;
*)
# No explicit role on the command line: fall back to $MODE from the
# environment, otherwise print usage and fail.
case $MODE in
"server")
$0 server "$@"
;;
"client")
$0 client "$@"
;;
"node")
$0 node "$@"
;;
*)
echo "Use client|server|node|mgmt|set-perms|easy-provider|sh"
exit 1
;;
esac
esac