Docker containers for OpenVPN and transparent Proxy (Squid+C-ICAP+ClamAV)
This creates several containers that together serve as a VPN server with explicit and transparent proxy capability. The OpenVPN container forwards all HTTP (port 80) and HTTPS (port 443) traffic to the Squid container; all other VPN traffic is SNAT'd. Squid is configured to scan all traffic with ClamAV for viruses and to check it against the Google Safe Browsing database. Additionally, the Shallalist blacklist is configured. Dnsmasq was recently added to the landscape so that Squid and the VPN clients use the same DNS server; it also allows resolution of Docker network hostnames.
I currently do not plan to push the individual container images to Docker Hub, because publishing isolated service images that only work together via the Compose file does not seem useful. Docker Hub does not support Docker Compose.
However, it is easy to build the images yourself; instructions are given below.
It has been tested with the Windows OpenVPN client as well as on iOS 11.
+----------------------------------------------------------------------------+
|                                                                            |
|                                                       3128/tcp             |
|   +-------------+  80/tcp  -> 3129/tcp TPROXY http    +------------+       |
|   |             |  443/tcp -> 3130/tcp TPROXY https   |            |       |
|   |   openvpn   +------------------------------------>|   squid    |       |
|   |             |                                     |            |       |
|   +------^------+                                     +------+-----+       |
|          | 1194/udp                                          |             |
|          |                                                   | 1344/tcp    |
|          |   +------------+                           +------v-----+       |
|          |   |            |                           |            |       |
|          |   |   clamav   |<--------------------------+   cicap    |       |
|          |   |            |   3310/tcp                |            |       |
|          |   +------------+                           +------------+       |
|          |                                                                 |
|          | 5443/udp                                                        |
+----------+--------------------------------------------------- Docker-host -+
           |
           |
+----------+------------------------------------------------------------+
|          |                                                            |
|   +------+-----+                                                      |
|   | VPN client |                                                      |
|   +------------+                                                      |
|                                                                       |
+-------------------------------------------------------------Internet--+
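The diagram above describes the forwarding but not how it is wired. The following script is an added, illustrative implementation of that wiring, not the project's own scripts: it prints (or, with APPLY=1, executes) the policy-routing and iptables rules that mark VPN traffic on tcp/80 and tcp/443 in the openvpn container, hand it to Squid's TPROXY ports 3129/3130, and SNAT everything else. The interface names, the VPN subnet 10.128.81.0/24 and the container addresses 192.168.50.5 (Squid) and 192.168.50.2 (openvpn) are constructed assumptions derived from the addresses given elsewhere on this page.

```shell
#!/bin/sh
# Illustrative TPROXY wiring for the openvpn -> squid hand-off (added example,
# not the project's scripts). Constructed assumptions: tun0 is the VPN
# interface, eth0 the container's Docker-network interface, 10.128.81.0/24
# the VPN subnet, 192.168.50.5 the squid container, 192.168.50.2 openvpn.
VPN_IF=${VPN_IF:-tun0}
VPN_NET=${VPN_NET:-10.128.81.0/24}
SQUID_IP=${SQUID_IP:-192.168.50.5}
OPENVPN_IP=${OPENVPN_IP:-192.168.50.2}
EGRESS_IF=${EGRESS_IF:-eth0}
MARK=1      # fwmark used to steer web traffic
TABLE=100   # policy-routing table consulted for marked packets

# openvpn container: mark web traffic from the tunnel, route marked packets to
# Squid instead of the default gateway, and SNAT only the unmarked remainder.
openvpn_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t mangle -A PREROUTING -i $VPN_IF -p tcp -m multiport --dports 80,443 -j MARK --set-mark $MARK
ip rule add fwmark $MARK lookup $TABLE
ip route add default via $SQUID_IP table $TABLE
iptables -t nat -A POSTROUTING -s $VPN_NET -o $EGRESS_IF -m mark ! --mark $MARK -j MASQUERADE
EOF
}

# squid container: deliver the redirected flows locally via TPROXY (3129 for
# http, 3130 for https) and route replies to VPN clients back via openvpn.
squid_rules() {
  cat <<EOF
ip rule add fwmark $MARK lookup $TABLE
ip route add local 0.0.0.0/0 dev lo table $TABLE
ip route add $VPN_NET via $OPENVPN_IP
iptables -t mangle -A PREROUTING -s $VPN_NET -p tcp --dport 80 -j TPROXY --tproxy-mark $MARK/$MARK --on-port 3129
iptables -t mangle -A PREROUTING -s $VPN_NET -p tcp --dport 443 -j TPROXY --tproxy-mark $MARK/$MARK --on-port 3130
EOF
}

# Emit the rule set for a role; returns 2 on an unknown role.
emit() {
  case "$1" in
    openvpn) openvpn_rules ;;
    squid)   squid_rules ;;
    *) echo "usage: $0 openvpn|squid" >&2; return 2 ;;
  esac
}

# Dry-run by default; APPLY=1 executes (needs CAP_NET_ADMIN in the container).
if [ -n "$1" ]; then
  if [ "${APPLY:-0}" = 1 ]; then emit "$1" | sh -e; else emit "$1"; fi
fi
```

Run `sh tproxy.sh openvpn` and `sh tproxy.sh squid` to review each container's rules before applying them; the MASQUERADE rule deliberately excludes marked packets so Squid still sees the real client address.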
Requires Docker 17.06 or later, and Docker Compose 1.13.0 or later
docker-compose -p vpnbox build
- Start the services once to create the volumes and networks (can be aborted after a minute or so)
docker-compose -p vpnbox up
- Initialize OpenVPN CA Example (has to run interactively)
docker run --rm -ti --volume=vpnbox_data:/data --volume=vpnbox_openvpn_priv:/data-priv vpnbox_openvpn --init=udp://vpn.example.com:5443
Note: You will be prompted for several passwords. Make sure to store the CA password somewhere safe; you need it again to create client certificates.
- Retrieve the CA generated by Squid
docker run --rm -ti --volume=vpnbox_data:/data --volume=vpnbox_squid_priv:/data-priv vpnbox_squid --getca
Note: This outputs the CA certificate, which has to be imported into the browser trust stores
- After the steps above have been executed, the containers can be started
docker-compose -p vpnbox up
Note: Make sure to read the output; if everything went well, the containers keep running
- Add a client certificate
docker run -ti --rm --volume=vpnbox_data:/data --volume=vpnbox_openvpn_priv:/data-priv vpnbox_openvpn --getclient=<client_cn>
Note: Feel free to use a descriptive string for the purpose of the VPN client
- Save the program's output as a *.ovpn file
- Configuring the proxy explicitly is definitely recommended. Squid's SSL bump generally works more reliably with an explicitly configured proxy.
- Hint: Use FoxyProxy (Firefox) or a similar proxy switcher utility to simply turn the proxy on when the VPN is enabled.
- Proxy: IP 192.168.50.5:3128
- OpenVPN on Windows is easy to use. Just copy the *.ovpn file to C:\Program Files\OpenVPN\config (adjust if needed)
- Start OpenVPN; you will probably need Admin permissions, otherwise the tunnel will not be created properly.
- Import Squid CA into Certificate Stores
- create file squidCA.crt with content you saved
- double click the file (info window should be presented)
- click "Install Certificate"
- pick local user as install destination
- select "Trusted Root Certification Authorities" / "Vertrauenswürdige Stammzertifizierungsstellen" as store
- verify in Internet Explorer that e.g. https://www.google.com no longer shows a certificate error (Note: Google Chrome also uses the Windows store)
- Firefox uses its own Cert store (Settings -> Extended -> Certificates)
- Application & VPN Profile
- Install on your device OpenVPN Connect
- Use iTunes to put the *.ovpn file into the OpenVPN Connect files. The application will then offer to import the profile
- Squid CA to prevent SSL errors
- Store the CA as PEM (.crt) in Dropbox or iCloud and open the file. A popup should offer to import the certificate and mark it as trusted.
- Alternatively, install the iPhone Configuration Utility on macOS / Windows
- Create a profile and add the Squid CA to the certificate store. Then assign the profile to your device.
After the tunnel has been established, make sure it is working:
- Ping the VPN server:
ping 10.128.81.1
- Check that the transparent proxy is working by downloading the (harmless) EICAR test file
Note: Try the different variants; SSL should work as well. If it works you will see a block message from Squid/ClamAV, not from your local virus scanner.
- I decided to use CentOS wherever flexibility is required (image size ~350MB)
- Atomic Linux is used for Dnsmasq (image size ~5MB)
- Each application has its own container, which gives strong isolation
- Applications run as non-root users
- The VPN CA is kept in a separate Docker volume. Its password should be kept in a secure location
- The VPN uses TLS 1.2 with Elliptic Curve certificates, DHE and a tls-crypt channel.
- The blacklists can be configured by adjusting the Squid container's ENV var SQUIDGUARD_FILTER (a space-separated list of categories)
- Check a list of supported Shallalist Categories
- SSL bump (man in the middle) can be disabled for defined sites by modifying /data/squid/nobump.txt.
- The file is located on the Docker 'vpnbox_data' volume
- If you want to remove the Docker containers, networks and volumes, the following steps can be used after stopping the services:
docker rm vpnbox_clamav_1 vpnbox_squid_1 vpnbox_cicap_1 vpnbox_openvpn_1 vpnbox_dnsmasq_1
docker network rm vpnbox_main
docker image prune