From 19e10df9cefee74ab2d943bad2a58267e9cc2b71 Mon Sep 17 00:00:00 2001
From: Hu Xiaohong
Date: Tue, 7 May 2024 20:43:31 +0800
Subject: [PATCH] update to 1.3.0 and enable ipv6 support
---
 .github/workflows/docker-image.yml | 11 +++--
 Dockerfile | 2 +-
 README.md | 66 +++++++++++++++++++-----------
 docker-compose.yml | 10 ++++-
 docker-entrypoint.sh | 2 +
 5 files changed, 59 insertions(+), 32 deletions(-)
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index 6defed1..e8ca8c7 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -11,24 +11,23 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v2
+ uses: docker/setup-qemu-action@v3
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v2
+ uses: docker/setup-buildx-action@v3
 - name: Login to Docker Hub
- uses: docker/login-action@v2
+ uses: docker/login-action@v3
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 - name: Build and push
- uses: docker/build-push-action@v4
+ uses: docker/build-push-action@v5
 with:
 context: .
 push: true
 tags: pandasrun/ocserv:latest
-
diff --git a/Dockerfile b/Dockerfile
index 61f7bd2..c51e70a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 FROM ubuntu:rolling
-LABEL maintainer="Hu Xiaohong "
+LABEL maintainer="Hu Xiaohong "
 ENV URL="https://www.infradead.org/ocserv/download/"
diff --git a/README.md b/README.md
index 08adc5a..9239f8d 100644
--- a/README.md
+++ b/README.md
@@ -8,29 +8,29 @@ This repo combines [ocserv](https://ocserv.gitlab.io/www/recipes.html) VPN serve
 This image provided a default config in `/etc/ocserv/ocserv.conf`. If you don't mount a conf file, it will generate a new one. And [ENV file](https://github.com/PandaRyshan/ocserv/blob/main/.env) is used to request a Letsencrypt certificate and create a default username. If no ENV is provided, the ocserv service will be started with a locally generated certificate.
-The latest version is 1.2.4, and dockerhub page is [here](https://ocserv.gitlab.io/www/download.html).
+The latest version is 1.3.0, and dockerhub page is [here](https://ocserv.gitlab.io/www/download.html).
 ---
-Usage:
+## Usage
-Server:
+### Server
- * clone this repo
- * check the environment config in `docker-compose.yml`. email address is optional and only for certs expiration remind if certs renew failed
- * (optional) mount your local dir to keep your certificates and config files
- * if you want get certs via cloudflare api token, please mount config file into config/ folder
- * if you want to get certs via http, please make sure 80 port is open
- * run `docker-compose up -d`
- * keep in mind add `listen-proxy-proto = true` in your `ocserv.conf` if you want to put ocserv in the back of proxy, like haproxy.
- * if you don't provide a default user/pass, there's a new user/pass will be generated by default, and you could check it at `$HOME/initial_pass.txt` or `docker compose logs ocserv`
- * added WAIT_* options in compose file, and ocserv will be run after items you provided are ready, see usage: [link](https://github.com/ufoscout/docker-compose-wait/tree/2.12.0)
+* clone this repo
+* check the environment config in `docker-compose.yml`.
email address is optional and only for certs expiration remind if certs renew failed
+* (optional) mount your local dir to keep your certificates and config files
+ * if you want get certs via cloudflare api token, please mount config file into config/ folder
+ * if you want to get certs via http, please make sure 80 port is open
+* run `docker-compose up -d`
+* keep in mind add `listen-proxy-proto = true` in your `ocserv.conf` if you want to put ocserv in the back of proxy, like haproxy.
+* if you don't provide a default user/pass, there's a new user/pass will be generated by default, and you could check it at `$HOME/initial_pass.txt` or `docker compose logs ocserv`
+* added WAIT_* options in compose file, and ocserv will be run after items you provided are ready, see usage: [link](https://github.com/ufoscout/docker-compose-wait/tree/2.12.0)
-Client:
+### Client
 You could use a Cisco Anyconnect client or Cisco secure client to connect the server, or use openconnect client by following steps.
- * prepare connect and disconnect scripts and save them to somewhere in your user space:
+* prepare connect and disconnect scripts and save them to somewhere in your user space:
 **anyconnect.sh**
@@ -51,7 +51,7 @@ You could use a Cisco Anyconnect client or Cisco secure client to connect the se
 sudo pkill openconnect
 ```
- * create a soft link of script as a system command:
+* create a soft link of script as a system command:
 ```shell
 sudo ln -s /usr/local/bin/
@@ -59,18 +59,38 @@ You could use a Cisco Anyconnect client or Cisco secure client to connect the se
 See more usage: `openconnect --help`
+### IPv6 support
+
+Please make sure your docker service has been enabled ipv6 support, if not yet, you could add config below into your docker daemon settings `/etc/docker/daemon.json`:
+
+```json
+{
+ "ipv6": true,
+ "fixed-cidr-v6": "2001:db8:1::/64",
+ "experimental": true,
+ "ip6tables": true
+}
+```
+
+then, restart your docker service:
+
+```shell
+sudo systemctl restart docker.service
+```
+
 ---
-References:
- - [Recipes for Openconnect VPN - Official](https://ocserv.gitlab.io/www/recipes.html)
- - [Openconnect VPN Manual - Official](https://ocserv.gitlab.io/www/manual.html)
- - [Ocserv Advanced](https://www.linuxbabe.com/linux-server/ocserv-openconnect-vpn-advanced)
- - [Block Visitors by Country Using Firewall](https://www.ip2location.com/free/visitor-blocker)
- - [ocserv changelog](https://ocserv.gitlab.io/www/changelog.html)
+## References
+
+* [Recipes for Openconnect VPN - Official](https://ocserv.gitlab.io/www/recipes.html)
+* [Openconnect VPN Manual - Official](https://ocserv.gitlab.io/www/manual.html)
+* [Ocserv Advanced](https://www.linuxbabe.com/linux-server/ocserv-openconnect-vpn-advanced)
+* [Block Visitors by Country Using Firewall](https://www.ip2location.com/free/visitor-blocker)
+* [ocserv changelog](https://ocserv.gitlab.io/www/changelog.html)
+* [Docker Enable IPv6 support](https://docs.docker.com/config/daemon/ipv6/)
 ---
-Known issues:
+## Known issues
 * [ ] [cannot connect with Cisco secure client on macOS](https://github.com/PandaRyshan/ocserv/issues/4)
-
diff --git a/docker-compose.yml b/docker-compose.yml
index 2024fd8..42d19bc 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,7 +1,6 @@
-version: '3.8'
 services:
 ocserv:
- image: duckduckio/ocserv:latest
+ image: /ocserv:latest
 container_name: ocserv
 environment:
 - TZ=Asia/Hong_Kong
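Review bot: The replacement image line reads `image: /ocserv:latest` on this page — there is no registry namespace before the slash, so as written `docker compose pull` cannot resolve it; if a user-name placeholder was lost in rendering, make it an explicit compose variable instead, e.g. `image: ${DOCKERHUB_USERNAME}/ocserv:latest` (constructed, matching the secret name the workflow uses). The old line pulled `duckduckio/ocserv:latest` while the workflow hunk pushes `pandasrun/ocserv:latest`, so the two files should agree on the published name. Either way the tag is still the floating `latest`, which means a restart can silently swap the VPN server binary underneath a running deployment; pinning to an immutable tag or `@sha256:` digest once the workflow publishes one keeps deployments reproducible.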
@@ -23,9 +22,16 @@ services:
 # - :/etc/ocserv/cloudflare.ini
 sysctls:
 - net.ipv4.ip_forward=1
+ - net.ipv6.conf.all.forwarding=1
 cap_add:
 - NET_ADMIN
 security_opt:
 - no-new-privileges
 restart: unless-stopped
+networks:
+ ipv6:
+ enable_ipv6: true
+ ipam:
+ config:
+ - subnet: fda9:4efe:7e3b:03ea::/48
\ No newline at end of file
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index 2915ce9..9633f8e 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -29,6 +29,8 @@ if [ ! -f "/etc/ocserv/ocserv.conf" ]; then
 ipv4-network = 192.168.100.0/24
 ipv4-netmask = 255.255.255.0
+ ipv6-network = fda9:4efe:7e3b:03ea::/48
+ ipv6-subnet-prefix = 64
 ping-leases = false
 route = default
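Review bot: The new top-level `networks: ipv6:` block is never referenced by the `ocserv` service in this hunk, so unless a `networks:` key already exists under the service in the lines not shown (8–22 of the new file), the container stays on the default bridge and receives no IPv6 address despite the added forwarding sysctl; attaching it needs `networks:` / `- ipv6` under the service. The bridge subnet `fda9:4efe:7e3b:03ea::/48` is also the exact prefix the docker-entrypoint.sh hunk writes as ocserv's `ipv6-network`, so the container's own link route and the VPN client lease pool would overlap — give the bridge a /64 from a different ULA prefix than the pool (and note the `03ea` hextet sits beyond the 48-bit boundary, so the value is not in canonical form). Enabling `net.ipv6.conf.all.forwarding=1` makes the container route IPv6 for VPN clients, yet no ip6tables rules are visible in this patch; confirm whatever IPv4 NAT/filter setup the entrypoint performs is mirrored for v6 rather than forwarding client traffic unfiltered. The file also loses its trailing newline in this change.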