Added Cloudflare 1.1.1.1 DNS over TLS

.dockerignore

@@ -1,6 +1,6 @@
-.git/
+.git
 .travis.yml
-readme/
+readme
 tun.sh
 docker-compose.yml
 README.md

Dockerfile

@@ -1,18 +1,19 @@
 FROM alpine:3.7
 LABEL maintainer="quentin.mcgaw@gmail.com" \
-      description="VPN client container to private internet access servers based on Alpine Linux and OpenVPN" \
+      description="VPN client to private internet access servers using OpenVPN, Alpine and Cloudflare 1.1.1.1 DNS over TLS" \
-      download="3.3MB" \
+      download="?MB" \
-      size="8MB" \
+      size="12.9MB" \
-      ram="4.3MB" \
+      ram="?MB" \
       cpu_usage="Very low" \
       github="https://github.com/qdm12/private-internet-access-docker"
-COPY script.sh .
+RUN apk add -q --progress --no-cache --update openvpn unbound && \
-RUN chmod +x script.sh && \
+    apk add -q --progress --no-cache --update --virtual build-dependencies ca-certificates wget unzip && \
-    apk add -q --progress --no-cache --update openvpn && \
+    wget -q https://www.privateinternetaccess.com/openvpn/openvpn.zip && \
-    apk add -q --progress --no-cache --update --virtual build-dependencies wget unzip && \
+    unzip -q openvpn.zip && \
-    wget https://www.privateinternetaccess.com/openvpn/openvpn.zip && \
-    unzip openvpn.zip && \
-    rm openvpn.zip && \
     apk del -q --progress --purge build-dependencies && \
-    rm -rf /var/cache/apk/*
+    rm -rf /var/cache/apk/* /etc/unbound/unbound.conf /openvpn.zip
-ENTRYPOINT /script.sh
+COPY unbound.conf /etc/unbound/unbound.conf
+ENTRYPOINT echo "nameserver 127.0.0.1" > /etc/resolv.conf && \
+           echo "options ndots:0" >> /etc/resolv.conf && \
+           unbound && \
+           openvpn --config "$REGION".ovpn --auth-user-pass auth.conf

README.md

@@ -1,6 +1,6 @@
 # Private Internet Access Docker (OpenVPN, Alpine)
 
-Docker VPN client to private internet access servers based on [Alpine Linux](https://alpinelinux.org/) and [OpenVPN](https://openvpn.net/)
+Docker VPN client to private internet access servers based on [Alpine Linux](https://alpinelinux.org/) using [OpenVPN](https://openvpn.net/) and Unbound to connect to [Cloudflare DNS 1.1.1.1 over TLS](https://developers.cloudflare.com/1.1.1.1/dns-over-tls)
 
 [![PIA Docker OpenVPN](https://github.com/qdm12/private-internet-access-docker/raw/master/readme/title.png)](https://hub.docker.com/r/qmcgaw/private-internet-access/)
 
@@ -11,13 +11,22 @@ Docker VPN client to private internet access servers based on [Alpine Linux](htt
 
 | Download size | Image size | RAM usage | CPU usage |
 | --- | --- | --- | --- |
-| 3.3MB | 8.02MB | 4.3MB | Very low |
+| ?MB | 12.9MB | ?MB | Very low |
 
 It requires:
 - A Private Internet Access **username** and **password** - [Sign up](https://www.privateinternetaccess.com/pages/buy-vpn/)
 - [Docker](https://docs.docker.com/install/) installed on the host
 
-The PIA configuration files are downloaded from [the PIA website](https://www.privateinternetaccess.com/openvpn/openvpn.zip) when the Docker image gets built.
+The PIA *.ovpn* configuration files are downloaded from 
+[the PIA website](https://www.privateinternetaccess.com/openvpn/openvpn.zip) 
+when the Docker image is built.
+
+Cloudflare **DNS 1.1.1.1 over TLS** is used to connect to any PIA server for multiple reasons:
+- Man-in-the-middle (ISP, hacker, government) can't block you from resolving the PIA server domain name. 
+    *For example, `austria.privateinternetaccess.com` maps to `185.216.34.229`*
+- Man-in-the-middle (ISP, hacker, government) can't see to which server you connect nor when.
+    *As the domain name are sent to 1.1.1.1 over TLS, there is no way to examine what domains you are asking to be resolved*
+- Lower latency than other DNS such as Google DNS, Open DNS or your ISP DNS.
 
 ## Installation & Testing
 
@@ -29,45 +38,35 @@ The PIA configuration files are downloaded from [the PIA website](https://www.pr
     ./tun.sh
     ```
     
+1. Create a network to be used by this container and other containers connecting to it with:
+
+    ```bash
+    docker network create pianet
+    ```
+
 1. Create a file *auth.conf* in `/yourhostpath` (for example), with:
     - On the first line: your PIA username (i.e. `js89ds7`)
     - On the second line: your PIA password (i.e. `8fd9s239G`)
     
 ### Using Docker only
 
-1. Test the container by connecting another container to it
+Run the container with (change `/yourhostpath` to your actual path, and optionally `Germany`):
-    1. Run the container interactively with (and change `/yourhostpath/auth.conf`):
 
-        ```bash
+```bash
-        docker run --rm --name=piaTEST --cap-add=NET_ADMIN \
+docker run -d --restart=always --name=pia --cap-add=NET_ADMIN \
-        --device=/dev/net/tun --dns 209.222.18.222 --dns 209.222.18.218 \
+--device=/dev/net/tun --network=pianet \
-        -e 'REGION=Germany' -v '/yourhostpath/auth.conf:/pia/auth.conf:ro' \
+-e REGION=Germany -v /yourhostpath/auth.conf:/auth.conf:ro \
-        qmcgaw/private-internet-access
+qmcgaw/private-internet-access
-        ```
+```
 
-        Wait about 5 seconds for it to connect to the PIA server.
+Wait about 5 seconds for it to connect to the PIA server.
-    1. Check your host IP address with:
+You can check with:
 
-        ```bash
+```bash
-        curl -s ifconfig.co
+docker logs pia
-        ```
+```
 
-    1. Run the **curl** Docker container using your *piaTEST* container with:
+You should now check it works following the [Testing section](#testing)
-
-        ```bash
-        docker run --rm --net=container:piaTEST tutum/curl curl -s ifconfig.co
-        ```
-
-        If the displayed IP address appears and is different that your host IP address, your PIA OpenVPN client works !    
-
-1. Run the container as a daemon in the background with (and change the `/yourhostpath/auth.conf`):
-
-   ```bash
-    docker run -d --restart=always --name=pia --cap-add=NET_ADMIN \
-    --device=/dev/net/tun --dns 209.222.18.222 --dns 209.222.18.218 \
-    -e 'REGION=Germany' -v '/yourhostpath/auth.conf:/pia/auth.conf' \
-    qmcgaw/private-internet-access
-    ```
 
 ### Using Docker Compose
 
@@ -80,6 +79,16 @@ The PIA configuration files are downloaded from [the PIA website](https://www.pr
     ```
 
     Wait about 5 seconds for it to connect to the PIA server.
+    You can check with:
+
+    ```bash
+    docker logs pia
+    ```
+    
+1. You should now check it works following the [Testing section](#testing)
+
+## Testing
+
 1. Check your host IP address with:
 
     ```bash
@@ -89,30 +98,32 @@ The PIA configuration files are downloaded from [the PIA website](https://www.pr
 1. Run the **curl** Docker container using your *pia* container with:
 
     ```bash
-    docker run --rm --net=container:pia tutum/curl curl -s ifconfig.co
+    docker run --rm --network=container:pia tutum/curl curl -s ifconfig.co
     ```
 
-    If the displayed IP address appears and is different that your host IP address, your PIA OpenVPN client works !    
+    If the displayed IP address appears and is different that your host IP address, 
-
+    the PIA client should fully work !
-
-## Connect other containers to it
-
-Connect other Docker containers to the VPN connection by adding `--net=container:pia` when launching them.
 
 ## Container launch parameters
 
-- You can change the `--name=` parameter to anything you like
+- You can change the `REGION` environment variable to one of the [regions supported by private internet access](https://www.privateinternetaccess.com/pages/network/)
-- You can change the `REGION=` parameter to one of the [regions supported by private internet access](https://www.privateinternetaccess.com/pages/network/)
+- If you know what you're doing, you can change the container name (`pia`), 
-- You must adapt the `/yourhostpath/auth.conf` path to your host path where you created `auth.conf`
+  the hostname (`piaclient`) and the network name (`pianet`)
+
+## Connect other containers to it
+
+Connect other Docker containers to the PIA VPN connection by adding 
+`--network=container:pia` when launching them.
   
 ## Access ports of containers connected to the VPN container
 
 You have to use another container acting as a Reverse Proxy such as Nginx. 
 
 **Example**:
+- *Deluge* container with name **deluge** connected to the `pia` container with `--network=container:pia`
+- Deluge's WebUI runs on port TCP 8112
 
-1. I have a *Deluge* container connected to the PIA container with `--net=container:pia` and its WebUI runs on port 8112.
+1. Create the Nginx configuration file *nginx.conf*:
-2. I create the following Nginx configuration file *nginx.conf*:
 
     ```
     user  nginx;
@@ -142,12 +153,14 @@ You have to use another container acting as a Reverse Proxy such as Nginx.
     }
     ```
 
-3. I run the Alpine [Nginx container](https://hub.docker.com/_/nginx/) with:
+1. Run the Alpine [Nginx container](https://hub.docker.com/_/nginx) with:
 
     ```bash
-    sudo docker -d --restart=always --name=proxypia -p 8000:80 --link pia:deluge \
+    docker -d --restart=always --name=proxypia -p 8000:80 \
+    --network=pianet --link pia:deluge \
     -v /mypathto/nginx.conf:/etc/nginx/nginx.conf:ro nginx:alpine
     ```
     
-4. Now I can access the WebUI of Deluge at `localhost:8000`
+1. Access the WebUI of Deluge at [localhost:8000](http://localhost:8000)
-5. You can add more `--link pia:xxx` for more containers and you have to modify *nginx.conf*
+
+For more containers, add more `--link pia:xxx` and modify *nginx.conf* accordingly

docker-compose.yml

@@ -7,9 +7,8 @@ services:
             - NET_ADMIN
         devices:
             - /dev/net/tun
-        dns:
+        networks:
-            - 209.222.18.222
+            - pianet
-            - 209.222.18.218
         volumes:
             - /yourpath/auth.conf:/auth.conf:ro
         environment:

script.sh

@@ -1,8 +0,0 @@
-#!/bin/sh
-
-set -e
-if [ ! -f "/auth.conf" ]]; then
-    echo "File auth.conf was not found, aborting !"
-    exit 1
-fi
-openvpn --config "$REGION".ovpn --auth-user-pass auth.conf

unbound.conf

@@ -0,0 +1,15 @@
+server:
+  verbosity: 0
+  use-syslog: no
+  qname-minimisation: yes
+  do-tcp: yes
+  prefetch: yes
+  rrset-roundrobin: yes
+  use-caps-for-id: yes
+  do-ip4: yes
+  do-ip6: no
+forward-zone:
+  name: "."
+  forward-addr: 1.1.1.1@853
+  forward-addr: 1.0.0.1@853
+  forward-ssl-upstream: yes