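#!/usr/bin/env bash
#
# Create an LXC container (Debian jessie) that terminates SSH layer-3
# tunnels (PermitTunnel) and NATs the tunnelled traffic out, then grant an
# additional admin key.
#
# Must be run as root on the LXC host (every step writes under
# /var/lib/lxc or /etc, so the original mix of sudo/no-sudo was not
# helping). Environment knobs, all optional:
#   CONTAINER   container name                         (default: vpn)
#   MAC         container MAC address                  (default: 00:11:22:33:44:5e)
#   CREATE_URL  upstream bootstrap script              (default: panticz/lxc master)
#   KEY_HOST    host to fetch the extra public key from (default: vpn.example.com)
#   KEY_PATH    path of that public key on KEY_HOST     (default: /tmp/id_rsa.pub)
set -euo pipefail

[[ $EUID -eq 0 ]] || { printf 'run as root on the LXC host\n' >&2; exit 1; }

export CONTAINER=${CONTAINER:-vpn}
MAC=${MAC:-00:11:22:33:44:5e}
CREATE_URL=${CREATE_URL:-https://raw.githubusercontent.com/panticz/lxc/master/create.jessie.sh}
KEY_HOST=${KEY_HOST:-vpn.example.com}
KEY_PATH=${KEY_PATH:-/tmp/id_rsa.pub}

lxc_cfg="/var/lib/lxc/${CONTAINER}/config"
rootfs="/var/lib/lxc/${CONTAINER}/rootfs"
rc_local="${rootfs}/etc/rc.local"

#######################################
# Insert a line before the final "exit 0" of the container's rc.local,
# unless an identical line is already present (safe to re-run).
# Arguments: $1 - the shell line to add
#######################################
rc_add() {
  grep -qF -- "$1" "$rc_local" || sed -i '$i '"$1" "$rc_local"
}

#######################################
# Set "keyword value" in the container's sshd_config: rewrite an existing
# (possibly commented-out) line for that keyword, or append if absent.
# Arguments: $1 - sshd keyword, $2 - value
#######################################
sshd_set() {
  local cfg="${rootfs}/etc/ssh/sshd_config"
  if grep -qE "^#?${1}[[:space:]]" "$cfg"; then
    sed -i -E "s|^#?${1}[[:space:]].*|${1} ${2}|" "$cfg"
  else
    printf '%s %s\n' "$1" "$2" >> "$cfg"
  fi
}

# --- create container --------------------------------------------------
# Download the upstream bootstrap script to a temp file and run it from
# there, with TLS verification left ON. The previous
# `wget --no-check-certificate ... | bash` executed whatever an on-path
# attacker or a compromised upstream served, as root. Pinning CREATE_URL
# to a commit hash (not "master") and checking a known digest before
# running is still recommended; no digest is known here, so none is enforced.
# TODO: let the bootstrap script take the MAC so the sed below goes away.
create_script=$(mktemp) || exit 1
trap 'rm -f -- "$create_script"' EXIT
wget -q -O "$create_script" "$CREATE_URL"
bash "$create_script" -f

# Fixed MAC so the container keeps its DHCP lease / firewall identity.
sed -i "s|lxc.network.hwaddr = .*|lxc.network.hwaddr = ${MAC}|" "$lxc_cfg"

# Start the container with the host (idempotent on re-run).
grep -qx 'lxc.start.auto = 1' "$lxc_cfg" || echo "lxc.start.auto = 1" | tee -a "$lxc_cfg"

# --- SSH access inside the container -----------------------------------
# Root key for outbound ssh from the container. Only generate when
# missing: ssh-keygen would otherwise prompt to overwrite and hang.
lxc-attach -n "$CONTAINER" -- sh -c \
  'mkdir -p /root/.ssh && chmod 700 /root/.ssh && [ -f /root/.ssh/id_rsa ] || ssh-keygen -q -f /root/.ssh/id_rsa -N ""'

# Key-only logins. ChallengeResponseAuthentication is switched off too so
# keyboard-interactive cannot act as a password fallback. Note that
# UsePAM no also disables PAM account/session checks for sshd.
sshd_set PasswordAuthentication no
sshd_set ChallengeResponseAuthentication no
sshd_set UsePAM no
# Layer-3 tunnels (ssh -w); this is the reason the container exists.
sshd_set PermitTunnel yes
lxc-attach -n "$CONTAINER" -- service ssh restart

# Client-side ssh_config inside the container. NOTE(review): this affects
# outbound ssh from the container only; it is probably not needed for the
# tunnel *server* role, kept because the original set it.
sed -i 's|# TunnelDevice any:any| TunnelDevice any:any|' "${rootfs}/etc/ssh/ssh_config"

# --- routing / NAT -----------------------------------------------------
# Forward tunnelled packets (takes effect on container restart below).
sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' "${rootfs}/etc/sysctl.conf"

# iptables module on the LXC host: load it now AND on every boot. The old
# `sudo echo ... >> /etc/modules` only scheduled it for the next host
# reboot (and the redirect ran unprivileged, so it silently failed when
# not already root).
modprobe ip_tables
grep -qx ip_tables /etc/modules || echo ip_tables >> /etc/modules
lxc-attach -n "$CONTAINER" -- apt-get install -y iptables

# /dev/net/tun and the NAT rule are set up from rc.local at each container
# boot. Each step is guarded: Debian's rc.local runs under `sh -e`, so an
# unguarded `mkdir` on an existing /dev/net would abort it before the
# iptables rule. 0666 matches the stock udev permission for tun.
# TODO: replace with a proper init script.
rc_add '[ -d /dev/net ] || mkdir /dev/net'
rc_add '[ -c /dev/net/tun ] || mknod /dev/net/tun c 10 200'
rc_add 'chmod 666 /dev/net/tun'
# NOTE(review): this masquerades every packet leaving the container.
# Restrict with `-s <tunnel-subnet>` / `-o <egress-if>` once the tunnel
# addressing is fixed; those values are not known here.
rc_add 'iptables -t nat -A POSTROUTING -j MASQUERADE'

# --- extra admin key ---------------------------------------------------
# Fetch the key with plain ssh: `cat` needs no credentials on the far side,
# and the old `-A` agent forwarding would have let root on KEY_HOST use our
# agent. The default KEY_PATH lives in /tmp on the remote host, which is
# world-writable, so any local user there could plant a key: keep the key
# in a root-owned location or verify its fingerprint out of band.
# NOTE(review): the destination is the HOST's /root/.ssh/authorized_keys
# (as in the original); if the container's was meant, use
# "${rootfs}/root/.ssh/authorized_keys".
key=$(ssh "root@${KEY_HOST}" cat "$KEY_PATH")
if [[ ! "$key" =~ ^(ssh-|ecdsa-) ]]; then
  printf 'unexpected key material fetched from %s:%s\n' "$KEY_HOST" "$KEY_PATH" >&2
  exit 1
fi
mkdir -p /root/.ssh && chmod 700 /root/.ssh
printf '%s\n' "$key" | tee -a /root/.ssh/authorized_keys

# Restart the container so sysctl, sshd and rc.local changes take effect.
lxc-stop -n "$CONTAINER"
lxc-start -d -n "$CONTAINER"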