From 609f5c4ca24461d01622a3119d668263288a151a Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Sat, 3 Jan 2026 10:04:53 +0000
Subject: [PATCH] =?UTF-8?q?Sentinel:=20=F0=9F=9B=A1=EF=B8=8F=20Restore=20s?=
 =?UTF-8?q?ecure=20entrypoint=20for=20random=20password=20generation?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CRITICAL FIX: The previous Dockerfile bypassed the initialization script, causing the VPN server to start with NO admin password (default insecure state).
This change:
1. Restores `entrypoint.sh` to generate a secure random admin password on first run.
2. Fixes binary paths in `entrypoint.sh` and `gencert.sh` (from `/usr/bin` to `/usr/local/bin`).
3. Installs `bash` and `unzip` required by the initialization scripts.
4. Ensures the server is securely configured before accepting connections.
---
 copyables/entrypoint.sh | 12 ++++++------
 copyables/gencert.sh | 8 ++++----
 dockerfile | 9 ++++++++-
 3 files changed, 18 insertions(+), 11 deletions(-)
diff --git a/copyables/entrypoint.sh b/copyables/entrypoint.sh
index 5a76b5c..71e278f 100644
--- a/copyables/entrypoint.sh
+++ b/copyables/entrypoint.sh
@@ -23,7 +23,7 @@ if [[ $? -ne 0 ]]; then
 fi
 set -e
-CONFIG=/usr/vpnserver/vpn_server.config
+CONFIG=/var/lib/softether/vpn_server.config
 if [ ! -f $CONFIG ] || [ ! -s $CONFIG ]; then
 : ${PSK:='notasecret'}
@@ -51,14 +51,14 @@ if [ ! -f $CONFIG ] || [ ! -s $CONFIG ]; then
 echo
 vpncmd_server() {
- /usr/bin/vpncmd localhost /SERVER /CSV /CMD "$@"
+ /usr/local/bin/vpncmd localhost /SERVER /CSV /CMD "$@"
 }
 vpncmd_hub() {
- /usr/bin/vpncmd localhost /SERVER /CSV /HUB:DEFAULT /CMD "$@"
+ /usr/local/bin/vpncmd localhost /SERVER /CSV /HUB:DEFAULT /CMD "$@"
 }
- /usr/bin/vpnserver start 2>&1 >/dev/null
+ /usr/local/bin/vpnserver start 2>&1 >/dev/null
 # while-loop to wait until server comes up
 # switch cipher
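Review bot: `+CONFIG=/var/lib/softether/vpn_server.config` points the first-run test at a directory that nothing else in this patch references: the dockerfile hunks set `WORKDIR /usr/local/bin` and declare only `VOLUME /var/log/softether`. If vpnserver does not actually write its config to that path, `[ ! -f $CONFIG ]` is true on every container start and the whole provisioning block, including the random `ServerPasswordSet`, reruns and replaces the admin password each restart; if it does write there, the directory should be a declared volume so the generated password and config survive container recreation. Confirm the config location the build produces and add `VOLUME /var/lib/softether` accordingly. The `if` block opened here continues past the end of the hunk.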
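Review bot: `+ /usr/local/bin/vpnserver start 2>&1 >/dev/null` carries over a redirection order that does not do what the `2>&1` suggests: stderr is duplicated onto the script's stdout before stdout is sent to /dev/null, so the line is equivalent to `>/dev/null` alone and the daemon's errors still reach the container log while its normal output is dropped. If the intent is to silence both, write `/usr/local/bin/vpnserver start >/dev/null 2>&1`; if the intent is to keep errors visible, drop the `2>&1` so the next reader is not misled. The same order is carried over on `vpnserver stop` in the `@@ -173,7` hunk and on the `vpnserver start` and `vpncmd … OpenVpnEnable` lines in gencert.sh. These helper definitions sit inside the `if [ ! -f $CONFIG ]` block, which begins and ends outside this hunk.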
@@ -71,7 +71,7 @@ if [ ! -f $CONFIG ] || [ ! -s $CONFIG ]; then
 done
 # About command to grab version number
- # /usr/bin/vpncmd localhost /SERVER /CSV /CMD About | head -2 | tail -1 | sed 's/^/# /;'
+ # /usr/local/bin/vpncmd localhost /SERVER /CSV /CMD About | head -2 | tail -1 | sed 's/^/# /;'
 vpncmd_server About | head -2 | tail -1 | sed 's/^/# /;'
 # enable L2TP_IPsec
@@ -173,7 +173,7 @@ if [ ! -f $CONFIG ] || [ ! -s $CONFIG ]; then
 : ${SPW:=$(cat /dev/urandom | tr -dc 'A-Za-z0-9' | fold -w 20 | head -n 1)}
 vpncmd_server ServerPasswordSet ${SPW}
- /usr/bin/vpnserver stop 2>&1 >/dev/null
+ /usr/local/bin/vpnserver stop 2>&1 >/dev/null
 # while-loop to wait until server goes away
 set +e
diff --git a/copyables/gencert.sh b/copyables/gencert.sh
index 6bc9223..5be601a 100644
--- a/copyables/gencert.sh
+++ b/copyables/gencert.sh
@@ -1,20 +1,20 @@
 #!/bin/bash
 set -e
-/usr/bin/vpnserver start 2>&1 >/dev/null
+/usr/local/bin/vpnserver start 2>&1 >/dev/null
 # while-loop to wait until server comes up
 # switch cipher
 while :; do
 set +e
- /usr/bin/vpncmd localhost /SERVER /CSV /CMD OpenVpnEnable yes /PORTS:1194 2>&1 >/dev/null
+ /usr/local/bin/vpncmd localhost /SERVER /CSV /CMD OpenVpnEnable yes /PORTS:1194 2>&1 >/dev/null
 [[ $? -eq 0 ]] && break
 set -e
 sleep 1
 done
-/usr/bin/vpncmd localhost /SERVER /CSV /CMD ServerCertGet cert
-/usr/bin/vpncmd localhost /SERVER /CSV /CMD ServerKeyGet key
+/usr/local/bin/vpncmd localhost /SERVER /CSV /CMD ServerCertGet cert
+/usr/local/bin/vpncmd localhost /SERVER /CSV /CMD ServerKeyGet key
 CERT=$(cat cert | sed -r 's/\-{5}[^\-]+\-{5}//g;s/[^A-Za-z0-9\+\/\=]//g;' | tr -d '\r\n')
 KEY=$(cat key | sed -r 's/\-{5}[^\-]+\-{5}//g;s/[^A-Za-z0-9\+\/\=]//g;' | tr -d '\r\n')
diff --git a/dockerfile b/dockerfile
index 0d64f8e..64da165 100644
--- a/dockerfile
+++ b/dockerfile
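Review bot: `vpncmd_server ServerPasswordSet ${SPW}`, the line this commit's password-generation fix depends on, hands the new admin password to vpncmd as a command-line argument, so it is readable in process listings by anything sharing the container's PID namespace for as long as vpncmd runs, and it is echoed verbatim if `set -x` is ever turned on. vpncmd prompts for the password when the argument is omitted; if that prompt accepts piped stdin in `/CMD` mode, supply the value that way instead, and quote it as `"${SPW}"` in any case. Nothing in this hunk surfaces the generated value to the operator; if the script does not print or persist it elsewhere, the freshly provisioned server has an admin password nobody knows. The surrounding `if [ ! -f $CONFIG ]` block starts and ends outside this hunk.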
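Review bot: `+/usr/local/bin/vpncmd localhost /SERVER /CSV /CMD ServerKeyGet key` writes the server's private key to a plain file named `key` in the current directory (likely `/usr/local/bin`, given the dockerfile's `WORKDIR`) under whatever the default umask allows, and `KEY=$(cat key …)` then keeps it in a shell variable; nothing in this hunk removes either file. If the rest of gencert.sh, which continues past this hunk, does not delete them, add `umask 077` before the exports, work in a `mktemp -d` directory, and register `trap 'rm -f -- cert key' EXIT` so the key does not remain on the image filesystem. The readiness loop above has no upper bound, so a vpnserver that never comes up keeps the script spinning forever; a bounded retry count with a non-zero exit makes that failure visible. The probe itself is a state-changing command (`OpenVpnEnable yes /PORTS:1194`) run on every attempt rather than a read-only one such as `About`.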
@@ -35,7 +35,9 @@ RUN apk add --no-cache readline \
 openssl \
 libsodium \
 gnu-libiconv \
- iptables
+ iptables \
+ bash \
+ unzip
 ENV LD_PRELOAD=/usr/lib/preloadable_libiconv.so
 WORKDIR /usr/local/bin
 VOLUME /var/log/softether
@@ -47,5 +49,10 @@ COPY --from=builder /usr/local/src/SoftEtherVPN/build/libcedar.so /usr/local/src
 FROM base AS vpnserver
 COPY --from=builder /usr/local/src/SoftEtherVPN/build/vpnserver ./
+COPY copyables/entrypoint.sh /entrypoint.sh
+COPY copyables/gencert.sh /gencert.sh
+RUN chmod +x /entrypoint.sh /gencert.sh
+ EXPOSE 443/tcp 992/tcp 1194/tcp 1194/udp 5555/tcp 500/udp 4500/udp
+ENTRYPOINT ["/entrypoint.sh"]
 CMD ["/usr/local/bin/vpnserver", "execsvc"]
\ No newline at end of file
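Review bot: `+ unzip` is justified in the commit message as required by the initialization scripts, but no line of entrypoint.sh or gencert.sh in this patch invokes it; if nothing else in the image does, it is an unused binary in the runtime layer and should be dropped or confined to the builder stage. `bash` is genuinely needed, since both scripts use `[[ … ]]`. The `apk add` list stays unpinned, so the runtime package set is whatever the Alpine mirror serves at build time; that is pre-existing, but worth stating in the Dockerfile given this change is framed as a security fix.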
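Review bot: `+ENTRYPOINT ["/entrypoint.sh"]` now wraps `CMD ["/usr/local/bin/vpnserver", "execsvc"]`, so vpnserver only takes over PID 1 and receives the container's stop signal if entrypoint.sh ends with `exec "$@"`; the script's tail is not in this patch, so confirm that line exists, otherwise `docker stop` signals bash and vpnserver is killed without a clean shutdown after the grace period. `RUN chmod +x /entrypoint.sh /gencert.sh` can be folded into the copies as `COPY --chmod=0755 copyables/entrypoint.sh /entrypoint.sh` (BuildKit), which drops a layer and keeps the mode with the file. The `\ No newline at end of file` marker shows the CMD line is unterminated; add a trailing newline.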