Install SSH VPN server

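set -euo pipefail

# Name of the LXC container that will host the SSH VPN. Exported because the
# downloaded create script is run as a child process (presumably it reads
# CONTAINER; verify against create.jessie.sh).
export CONTAINER=vpn
readonly LXC_DIR="/var/lib/lxc/${CONTAINER}"
readonly ROOTFS="${LXC_DIR}/rootfs"

# Several steps below edit files under /var/lib/lxc without sudo, so the
# script only works when run as root; fail early instead of half-way through.
if [[ ${EUID} -ne 0 ]]; then
  printf 'this script must be run as root\n' >&2
  exit 1
fi

# create container
# TODO: configure MAC on create container
# The create script runs as root, so it is fetched with TLS certificate
# verification left ON (the old --no-check-certificate let anyone on the path
# substitute the script) and staged in a temp file so it can be inspected.
create_script=$(mktemp) || exit 1
trap 'rm -f -- "${create_script}"' EXIT
wget -q https://raw.githubusercontent.com/panticz/lxc/master/create.jessie.sh -O "${create_script}"
bash "${create_script}" -f

# configure container MAC address
sed -i 's|lxc.network.hwaddr = .*|lxc.network.hwaddr = 00:11:22:33:44:5e|' "${LXC_DIR}/config"

# enable autostart (guarded so a re-run does not append the line twice)
grep -qxF 'lxc.start.auto = 1' "${LXC_DIR}/config" \
  || echo "lxc.start.auto = 1" | tee -a "${LXC_DIR}/config"

# configure container
##echo "lxc.hook.autodev=/var/lib/lxc/vpn/autodev" >> "${LXC_DIR}/config"
#echo "lxc.cgroup.devices.allow = c 10:200 rwm" >> "${LXC_DIR}/config"

# do we need this outside of container?
#cat <<EOF> "${LXC_DIR}/autodev"
##!/bin/bash

# dep
#cd \${LXC_ROOTFS_MOUNT}/dev
#mkdir net
#mknod net/tun c 10 200
#chmod 0666 net/tun
#EOF
#chmod +x "${LXC_DIR}/autodev"

# configure SSH access
# generating SSH key for root -- only when none exists yet, otherwise
# ssh-keygen stops on the "overwrite?" prompt and aborts the script under -e
if [[ ! -f "${ROOTFS}/root/.ssh/id_rsa" ]]; then
  sudo lxc-attach -n "${CONTAINER}" -- ssh-keygen -q -f /root/.ssh/id_rsa -N ''
fi

# disable SSH password login
sudo lxc-attach -n "${CONTAINER}" -- sed -i 's|[#]*PasswordAuthentication yes|PasswordAuthentication no|g' /etc/ssh/sshd_config
sudo lxc-attach -n "${CONTAINER}" -- sed -i 's|UsePAM yes|UsePAM no|g' /etc/ssh/sshd_config
sudo lxc-attach -n "${CONTAINER}" -- service ssh restart

# configure SSH server: let sshd hand out tun devices for the VPN tunnel
# (guarded so a re-run does not append a duplicate directive)
grep -qxF 'PermitTunnel yes' "${ROOTFS}/etc/ssh/sshd_config" \
  || echo "PermitTunnel yes" >> "${ROOTFS}/etc/ssh/sshd_config"
# do we need this?
###sed -i 's|#   Tunnel no|    Tunnel no|' "${ROOTFS}/etc/ssh/ssh_config"
sed -i 's|#   TunnelDevice any:any|    TunnelDevice any:any|' "${ROOTFS}/etc/ssh/ssh_config"
#sudo lxc-attach -n "${CONTAINER}" -- service ssh restart

# enable forwarding
sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' "${ROOTFS}/etc/sysctl.conf"
# echo "1" > /proc/sys/net/ipv4/ip_forward

# load iptables module (on LXC host)
# NB: 'sudo echo x >> file' opens the file as the *calling* user, not root,
# so the privileged part was the echo, not the write. Route it through tee.
grep -qxF 'ip_tables' /etc/modules \
  || echo 'ip_tables' | sudo tee -a /etc/modules

sudo lxc-attach -n "${CONTAINER}" -- apt-get install -y iptables

# TODO: create init script
# Insert the tun device setup before rc.local's last line. Guarded so a
# re-run does not insert the commands a second time; mkdir -p so rc.local
# keeps working on a later boot where /dev/net already exists.
rc_local="${ROOTFS}/etc/rc.local"
if ! grep -qF 'mknod /dev/net/tun' "${rc_local}"; then
  sed -i '$i mkdir -p /dev/net' "${rc_local}"
  sed -i '$i mknod /dev/net/tun c 10 200' "${rc_local}"
  sed -i '$i chmod 666 /dev/net/tun' "${rc_local}"
fi

# enable masquerade (load module on lxc host?)
# NOTE(review): this rule NATs every forwarded packet regardless of interface
# or source; narrow it with '-o <uplink-iface>' / '-s <tunnel-net>' once those
# values are fixed for the deployment.
if ! grep -qF 'MASQUERADE' "${rc_local}"; then
  sed -i '$i iptables -t nat -A POSTROUTING -j MASQUERADE' "${rc_local}"
fi

# allow additional user to login
# The original opened an interactive 'ssh -A' session (forwarding the local
# agent to a root login) and only ran the append afterwards, on the local
# host. Stream the key over one non-interactive session instead, no agent
# forwarding needed.
if [[ -f /tmp/id_rsa.pub ]]; then
  ssh root@vpn.example.com 'tee -a /root/.ssh/authorized_keys' < /tmp/id_rsa.pub
else
  printf 'no /tmp/id_rsa.pub found, skipping additional user key\n' >&2
fi

# restart container to load all settings
lxc-stop -n "${CONTAINER}"
lxc-start -d -n "${CONTAINER}"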