Feat: tls_crypt

README.md

@@ -5,7 +5,7 @@ Easy-to-use Docker image based upon original [AntiZapret LXD image](https://bitb
 
 # Improvements
 
-- Patches: [Apple](https://github.com/xtrime-ru/antizapret-vpn-docker/blob/master/rootfs/etc/knot-resolver/kresd.conf), [IDN](https://github.com/xtrime-ru/antizapret-vpn-docker/blob/master/rootfs/root/patches/parse.patch)
+- Patches: [Apple](./rootfs/etc/knot-resolver/kresd.conf#L53-L61), [IDN](./rootfs/root/patches/parse.patch#L16), [RU](./rootfs/etc/knot-resolver/kresd.conf#L117)
 - [Community-driven list](https://github.com/xtrime-ru/antizapret-vpn-docker/blob/master/rootfs/root/antizapret/config/include-hosts-dist.txt) with geoblocked and unlisted domains: youtube, microsoft, openai and more
 - [openvpn-dco](https://openvpn.net/as-docs/tutorials/tutorial--turn-on-openvpn-dco.html) - a kernel extension for improving performance
 - Option to [forwarding queries](./rootfs/init.sh#L21-L35) to an external resolver
@@ -73,7 +73,7 @@ Here is few regex example:
 
 ## Keys/Configs Persistence
 
-Client and server keys are stored in [keys](./keys).
+Client and server keys are stored in `./keys`.
 They are persistent between container and host restarts.
 
 To regenerating the keys use the following commands:
@@ -90,10 +90,11 @@ You can define these variables in docker-compose.yml file for your needs:
 - `DOMAIN=example.com` — will be used as a server address in .ovpn profiles upon keys generation (default: your server's IP)
 - `PORT=1194` — will be used as a server port in .ovpn profiles upon keys generation (default: 1194)
 - `DNS=1.1.1.1` — DNS server to resolve domains (default: host DNS server)
-- `DNS_RU=77.88.8.8` — russian DNS server; used to fix issues with geo zones mismatch for domains like [apple.com](apple.com)
+- `DNS_RU=77.88.8.8` — russian DNS server; used to fix issues with geo zones mismatch for domains like `apple.com`
 - `ADGUARD=1` - Resolve .ru, .рф and .su via DNS. By default, this zones resolved through DNS_RU.
 - `CBC_CIPHERS=1` - Enable support of [legacy clients](#legacy-clients). WIll disable [DCO](#enable-openvpn-data-channel-offload-dco) 
 - `SCRAMBLE=1` - Enable additional obfuscation [XOR Tunneblick patch](https://tunnelblick.net/cOpenvpn_xorpatch.html) 
+- `TLS_CRYPT=1` - Enable additional tls encryption in openvpn. May help with connection obfuscation.
 
 
 ## Enable OpenVPN Data Channel Offload (DCO)

docker-compose.yml

@@ -14,6 +14,7 @@ services:
       - DNS
       - DNS_RU
       - ADGUARD
+      - TLS_CRYPT
     ports:
       - 1194:1194/tcp
       - 1194:1194/udp
@@ -23,6 +24,7 @@ services:
       - /etc/localtime:/etc/localtime:ro
       - ./keys:/etc/openvpn
       - ./config:/root/antizapret/config/custom
+      - ./rootfs/init.sh:/init.sh
     logging:
       driver: json-file
       options:

rootfs/etc/openvpn/server/antizapret-tcp.conf

@@ -18,6 +18,7 @@ persist-tun
 persist-key
 tun-mtu 1420
 #scramble obfuscate password
+#tls-crypt keys/antizapret-tls-crypt.key 0
 tcp-nodelay
 
 user nobody

rootfs/etc/openvpn/server/antizapret.conf

@@ -18,6 +18,7 @@ persist-tun
 persist-key
 tun-mtu 1420
 #scramble obfuscate password
+#tls-crypt keys/antizapret-tls-crypt.key 0
 fast-io
 
 user nobody

rootfs/init.sh

@@ -37,7 +37,25 @@ function set_scramble () {
         sed -i "s/^scramble/#scramble/g" /root/openvpn/templates/*.conf
         sed -i "s/^scramble/#scramble/g" /etc/openvpn/server/*.conf
     fi
+}
+
+function set_tls_crypt () {
+    local ENABLE=$1
+    if [[ "$ENABLE" == 1 ]]; then
+        sed -i "s/^#key-direction/key-direction/g" /root/openvpn/templates/*.conf
+        sed -i "s/^#<tls-crypt>/<tls-crypt>/g" /root/openvpn/templates/*.conf
+        sed -i "s/^#\${CLIENT_TLS_CRYPT}/\${CLIENT_TLS_CRYPT}/g" /root/openvpn/templates/*.conf
+        sed -i "s/^#<\/tls-crypt>/<\/tls-crypt>/g" /root/openvpn/templates/*.conf
 
+        sed -i "s/^#tls-crypt/tls-crypt/g" /etc/openvpn/server/*.conf
+    else
+        sed -i "s/^key-direction/#key-direction/g" /root/openvpn/templates/*.conf
+        sed -i "s/^<tls-crypt>/#<tls-crypt>/g" /root/openvpn/templates/*.conf
+        sed -i "s/^\${CLIENT_TLS_CRYPT}/#\${CLIENT_TLS_CRYPT}/g" /root/openvpn/templates/*.conf
+        sed -i "s/^<\/tls-crypt>/#<\/tls-crypt>/g" /root/openvpn/templates/*.conf
+
+        sed -i "s/^tls-crypt/#tls-crypt/g" /etc/openvpn/server/*.conf
+    fi
 }
 
 
@@ -50,6 +68,7 @@ SCRAMBLE=${SCRAMBLE:-0}
 DNS=$(resolve $DNS)
 DNS_RU=$(resolve $DNS_RU 77.88.8.8)
 ADGUARD=${ADGUARD:-0}
+TLS_CRYPT=${TLS_CRYPT:-0}
 PYTHONUNBUFFERED=1
 EOF
 
@@ -77,6 +96,7 @@ done
 # enable tunneblick xor scramble patch
 set_scramble "$SCRAMBLE"
 
+set_tls_crypt "$TLS_CRYPT"
 
 # output systemd logs to docker logs since container boot
 postrun 'journalctl --boot --follow --lines=all --no-hostname'

rootfs/root/openvpn/generate.sh

@@ -26,7 +26,7 @@ render() {
     local IFS=''
     local File="$1"
     while read -r line ; do
-        while [[ "$line" =~ (\$\{[a-zA-Z_][a-zA-Z_0-9]*\}) ]] ; do
+        while [[ "$line" =~ ^[^#] ]] && [[ "$line" =~ (\$\{[a-zA-Z_][a-zA-Z_0-9]*\}) ]] ; do
         local LHS=${BASH_REMATCH[1]}
         local RHS="$(eval echo "\"$LHS\"")"
         line=${line//$LHS/$RHS}
@@ -39,7 +39,8 @@ load_key() {
     CA_CERT=$(grep -A 999 'BEGIN CERTIFICATE' -- "/etc/openvpn/server/keys/ca.crt")
     CLIENT_CERT=$(grep -A 999 'BEGIN CERTIFICATE' -- "/etc/openvpn/client/keys/antizapret-client.crt")
     CLIENT_KEY=$(cat -- "/etc/openvpn/client/keys/antizapret-client.key")
-    if [ ! "$CA_CERT" ] || [ ! "$CLIENT_CERT" ] || [ ! "$CLIENT_KEY" ]
+    CLIENT_TLS_CRYPT=$(grep -v '^#' -- "/etc/openvpn/server/keys/antizapret-tls-crypt.key")
+    if [ ! "$CA_CERT" ] || [ ! "$CLIENT_CERT" ] || [ ! "$CLIENT_KEY" ] || [ ! "$CLIENT_TLS_CRYPT" ]
     then
             echo "Can't load client keys!"
             exit 7
@@ -63,6 +64,10 @@ copy_keys() {
     cp ./pki/private/antizapret-client.key /etc/openvpn/client/keys/antizapret-client.key
 }
 
+if [[ ! -f  /etc/openvpn/server/keys/antizapret-tls-crypt.key ]]
+then
+	openvpn --genkey secret /etc/openvpn/server/keys/antizapret-tls-crypt.key
+fi
 
 if [[ ! -f /etc/openvpn/server/keys/ca.crt ]] || \
    [[ ! -f /etc/openvpn/server/keys/antizapret-server.crt ]] || \

rootfs/root/openvpn/templates/tcp.conf

@@ -40,6 +40,7 @@ proto tcp
 keepalive 2 10
 tun-mtu 1420
 #scramble obfuscate antizapret
+#key-direction 1
 sndbuf 3670016
 rcvbuf 3670016
 tcp-nodelay
@@ -62,3 +63,7 @@ ${CLIENT_CERT}
 <key>
 ${CLIENT_KEY}
 </key>
+
+#<tls-crypt>
+#${CLIENT_TLS_CRYPT}
+#</tls-crypt>

rootfs/root/openvpn/templates/udp.conf

@@ -40,6 +40,7 @@ proto udp
 keepalive 2 10
 tun-mtu 1420
 #scramble obfuscate password
+#key-direction 1
 sndbuf 3670016
 rcvbuf 3670016
 fast-io
@@ -62,3 +63,7 @@ ${CLIENT_CERT}
 <key>
 ${CLIENT_KEY}
 </key>
+
+#<tls-crypt>
+#${CLIENT_TLS_CRYPT}
+#</tls-crypt>