rooty
diff --git a/‎.github/dependabot.yml
+11 b/‎.github/dependabot.yml
+11
diff --git a/‎.github/workflows/docker-image.yml
+60 b/‎.github/workflows/docker-image.yml
+60
diff --git a/‎Dockerfile
+55 b/‎Dockerfile
+55
diff --git a/‎README.md
+88 b/‎README.md
+88
diff --git a/‎compose.yaml
+16 b/‎compose.yaml
+16
diff --git a/‎rootfs/bin/docker-entrypoint.sh
+63 b/‎rootfs/bin/docker-entrypoint.sh
+63
@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 3
+updates:
+  - package-ecosystem: "docker" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"
@@ -0,0 +1,60 @@
+name: Create and publish a Docker image
+
+# Configures this workflow to run every time a change is pushed to the branch called `release`.
+on:
+  push:
+    #branches: ['release']
+
+# Defines two custom environment variables for the workflow. These are used for the Container registry domain, and a name for the Docker image that this workflow builds.
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+# There is a single job in this workflow. It's configured to run on the latest available version of Ubuntu.
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+      # 
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
+      - name: Log in to the Container registry
+        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels.
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+      # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.
+      # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository.
+      # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.
+      - name: Build and push Docker image
+        id: push
+        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+        with:
+          context: .
+          push: true
+          tags: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+            ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+      
+      # This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built. It increases supply chain security for people who consume the image. For more information, see "[AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds)." 
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
@@ -0,0 +1,55 @@
+# syntax=docker/dockerfile:1
+FROM alpine:latest
+
+LABEL org.opencontainers.image.source="https://github.com/rooty/proxy-vpn"
+LABEL org.opencontainers.image.description="OpenVPN+Proxy"
+LABEL org.opencontainers.image.licenses=MIT
+
+# Install packages
+RUN apk --no-cache add \
+        runit \
+        curl \
+        bash \
+        wireguard-tools-wg-quick \
+	openresolv \
+	iptables \
+
+# Bring in gettext so we can get `envsubst`, then throw
+# the rest away. To do this, we need to install `gettext`
+# then move `envsubst` out of the way so `gettext` can
+# be deleted completely, then move `envsubst` back.
+    && apk add --no-cache --virtual .gettext gettext \
+    && mv /usr/bin/envsubst /tmp/ \
+    && runDeps="$( \
+        scanelf --needed --nobanner /tmp/envsubst \
+            | awk '{ gsub(/,/, "\nso:", $2); print "so:" $2 }' \
+            | sort -u \
+            | xargs -r apk info --installed \
+            | sort -u \
+    )" \
+    && apk add --no-cache $runDeps \
+    && apk del .gettext \
+    && mv /tmp/envsubst /usr/local/bin/ \
+# Remove alpine cache
+    && rm -rf /var/cache/apk/* \
+# Make sure files/folders needed by the processes are accessable when they run under the nobody user
+    && chown -R nobody.nobody /run 
+RUN curl -L  -qs  https://github.com/SenseUnit/dumbproxy/releases/download/v1.12.0/dumbproxy.linux-amd64 --output  /usr/local/bin/dumbproxy && chmod +x /usr/local/bin/dumbproxy 
+
+# Add configuration files
+COPY --chown=nobody rootfs/ /
+
+
+# Add application
+WORKDIR /etc/openvpn
+
+# Expose the port nginx is reachable on
+EXPOSE 8888
+
+# Let runit start nginx & php-fpm
+# Ensure /bin/docker-entrypoint.sh is always executed
+ENTRYPOINT ["/bin/docker-entrypoint.sh"]
+
+
+# Configure a healthcheck to validate that everything is up&running
+#HEALTHCHECK --timeout=10s CMD curl --silent --fail http://127.0.0.1:8080/fpm-ping || exit 1
@@ -0,0 +1,88 @@
+# proxy-vpn
+![GitHub Actions Workflow Status](https://img.shields.io/github/actions/workflow/status/rooty/proxy-vpn/docker-image.yml)
+
+## Features
+
+- Supports CONNECT method and forwarding of HTTPS connections
+- Supports TLS operation mode (HTTP(S) proxy over TLS)
+- Supports client authentication with client TLS certificates
+- Supports HTTP/2
+
+## Usage
+For run OpenVPN prepare 2 files
+- login/password file: auth
+- client VPN config: client.ovpn
+
+
+### Example auth file
+```
+login
+pasword
+```
+
+### Example  client.ovpn file
+```
+client
+dev tun
+reneg-sec 0
+persist-tun
+persist-key
+ping 5
+nobind
+allow-compression no
+remote-random
+remote-cert-tls server
+auth-nocache
+route-metric 1
+cipher AES-256-CBC
+auth sha512
+<ca>
+-----BEGIN CERTIFICATE-----
+.......................
+.......................
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+.......................
+.......................
+-----END CERTIFICATE-----
+</ca>
+<cert>
+
+-----BEGIN CERTIFICATE-----
+.......................
+.......................
+-----END CERTIFICATE-----
+</cert>
+<key>
+-----BEGIN PRIVATE KEY-----
+.......................
+.......................
+-----END PRIVATE KEY-----
+
+</key>
+remote server.example.com
+proto udp
+
+port 1194
+```
+### Exmaple compose.yaml file
+```yaml
+services:
+  proxy:
+    image: ghcr.io/rooty/proxy-vpn:latest
+    restart: always
+    privileged: true
+    devices:
+      - /dev/net/tun
+    dns:
+      - 8.8.8.8
+    volumes:
+        - '/path/to/file.ovpn':/etc/openvpn/client.ovpn:ro
+        - '/path/to/file.auth':/etc/openvpn/auth:ro
+    ports:
+       - 127.0.0.1:8888:8888
+    networks:
+         - vpn-net
+```
+
+
@@ -0,0 +1,16 @@
+services:
+  proxy-de:
+    image: ghcr.io/rooty/proxy-vpn:latest
+    restart: always
+    privileged: true
+    devices:
+      - /dev/net/tun
+    dns:
+      - 8.8.8.8
+    volumes:
+        - /path/to/file.ovpn:/etc/openvpn/client.ovpn:ro
+        - /path/to/file.auth:/etc/openvpn/auth:ro
+    ports:
+       - 127.0.0.1:8888:8888
+    networks:
+         - vpn-net
@@ -0,0 +1,63 @@
+#!/bin/sh
+
+shutdown() {
+  echo "shutting down container"
+
+  # first shutdown any service started by runit
+  for _srv in $(ls -1 /etc/service); do
+    sv force-stop $_srv
+  done
+
+  # shutdown runsvdir command
+  kill -HUP $RUNSVDIR
+  wait $RUNSVDIR
+
+  # give processes time to stop
+  sleep 0.5
+
+  # kill any other processes still running in the container
+  for _pid  in $(ps -eo pid | grep -v PID  | tr -d ' ' | grep -v '^1$' | head -n -6); do
+    timeout 5 /bin/sh -c "kill $_pid && wait $_pid || kill -9 $_pid"
+  done
+  exit
+}
+
+
+
+echo "Starting startup scripts in /docker-entrypoint-init.d ..."
+for script in $(find /docker-entrypoint-init.d/ -executable -type f | sort); do
+
+    echo >&2 "*** Running: $script"
+    $script
+    retval=$?
+    if [ $retval != 0 ];
+    then
+        echo >&2 "*** Failed with return value: $?"
+        exit $retval
+    fi
+
+done
+echo "Finished startup scripts in /docker-entrypoint-init.d"
+
+echo "Starting runit..."
+exec runsvdir -P /etc/service &
+
+RUNSVDIR=$!
+echo "Started runsvdir, PID is $RUNSVDIR"
+echo "wait for processes to start...."
+
+sleep 5
+for _srv in $(ls -1 /etc/service); do
+    sv status $_srv
+done
+
+# If there are additional arguments, execute them
+if [ $# -gt 0 ]; then
+    exec "$@"
+fi
+
+# catch shutdown signals
+trap shutdown SIGTERM SIGHUP SIGQUIT SIGINT
+wait $RUNSVDIR
+
+shutdown