Automatically add routes through VPN

Dockerfile

@@ -16,6 +16,7 @@ COPY ipsec.conf /etc/ipsec.conf
 COPY ipsec.secrets /etc/ipsec.secrets
 COPY xl2tpd.conf /etc/xl2tpd/xl2tpd.conf
 COPY options.l2tpd.client /etc/ppp/options.l2tpd.client
+COPY ppp-ip-up /etc/ppp/ip-up
 COPY startup.sh /
 
 CMD ["/startup.sh"]

README.md

@@ -14,6 +14,7 @@ here is all you need:
 2. Pre Shared Key
 3. Username
 4. Password
+5. Optionally, list of networks to route through VPN
 
 ## Run
 Setup environment variables for your credentials and config:
@@ -22,6 +23,7 @@ Setup environment variables for your credentials and config:
     export VPN_PSK='my pre shared key'
     export VPN_USERNAME='[email protected]'
     export VPN_PASSWORD='mypass'
+    export VPN_ROUTES='10.0.0.0/8+172.16.0.0/12+...' (separated by '+')
 
 Now run it (you can daemonize of course after debugging):
 
@@ -31,23 +33,21 @@ Now run it (you can daemonize of course after debugging):
                -e VPN_PSK \
                -e VPN_USERNAME \
                -e VPN_PASSWORD \
+               -e VPN_ROUTES \
                   ubergarm/l2tp-ipsec-vpn-client
 
 ## Route
-From the host machine configure traffic to route through VPN link:
+Routes to destinations listed in VPN\_ROUTES are added automatically.
+This fails if there is an existing route to named destination.
+To add a route through VPN along with existing one,
+assign a unique metric to existing route before starting VPN container.
+For example, to effectively replace and then restore default route:
 
-    # confirm the ppp0 link and get the peer e.g. (192.0.2.1) IPV4 address
-    ip a show ppp0
-    # route traffic for a specific target ip through VPN tunnel address
-    sudo ip route add 1.2.3.4 via 192.0.2.1 dev ppp0
-    # route all traffice through VPN tunnel address
-    sudo ip route add default via 192.0.2.1 dev ppp0
-    # or
-    sudo route add -net default gw 192.0.2.1 dev ppp0
-    # and delete old default routes e.g.
+    # list current route
+    ip route show default
+    # change metric for current route
+    sudo route add -net default gw 10.0.1.1 dev eth0 metric 100
     sudo route del -net default gw 10.0.1.1 dev eth0
-    # when your done add your normal routes and delete the VPN routes
-    # or just `docker stop` and you'll probably be okay
 
 ## Test
 You can see if your IP address changes after adding appropriate routes e.g.:

options.l2tpd.client

@@ -13,3 +13,4 @@ debug
 connect-delay 5000
 name [email protected]
 password myuserpassword
+ipparam none

ppp-ip-up

@@ -0,0 +1,32 @@
+#!/bin/sh
+#
+# ppp ip-up hook for l2tp client docker container
+
+PPP_IFACE="$1"
+PPP_TTY="$2"
+PPP_SPEED="$3"
+PPP_LOCAL="$4"
+PPP_REMOTE="$5"
+PPP_IPPARAM="$6"
+
+# parse ipparam routes=x.x.x.x/y+a.a.a.a/b+...
+if [ -n "$PPP_IPPARAM" ] ; then
+    OFS="$IFS"
+    IFS=,
+    for p in $PPP_IPPARAM ; do
+        k=`echo $p | cut -d = -f 1`
+        v=`echo $p | cut -d = -f 2`
+        eval "export $k=\"$v\""
+    done
+    IFS=$OFS
+fi
+
+# install routes
+if [ -n "$routes" -a -n "$PPP_REMOTE" -a -n "$PPP_IFACE" ] ; then
+    OFS="$IFS"
+    IFS="+"
+    for ro in $routes ; do
+        ip ro add "$ro" via "$PPP_REMOTE" dev "$PPP_IFACE"
+    done
+    IFS="$OFS"
+fi

startup.sh

@@ -6,6 +6,11 @@ echo ': PSK "'$VPN_PSK'"' > /etc/ipsec.secrets
 sed -i 's/lns = .*/lns = '$VPN_SERVER_IPV4'/' /etc/xl2tpd/xl2tpd.conf
 sed -i 's/name .*/name '$VPN_USERNAME'/' /etc/ppp/options.l2tpd.client
 sed -i 's/password .*/password '$VPN_PASSWORD'/' /etc/ppp/options.l2tpd.client
+if [ -n "$VPN_ROUTES" ] ; then
+    VPN_ROUTES_ESCAPED=$(echo $VPN_ROUTES | sed 's/\//\\\//g')
+    sed -i 's/ipparam .*/ipparam routes='$VPN_ROUTES_ESCAPED'/' \
+        /etc/ppp/options.l2tpd.client
+fi
 
 # startup ipsec tunnel
 ipsec initnss