From 0ad23ceab9b93941235d54cc240b1f9d1f4c6256 Mon Sep 17 00:00:00 2001
From: Doug Warren
Date: Wed, 11 Mar 2020 17:35:38 +0000
Subject: [PATCH] Enable sudo for iptables so an on_connect script can set DNAT and forward connections correctly.

---
 Dockerfile           | 5 ++++-
 etc/openvpn_iptables | 3 +++
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 etc/openvpn_iptables

diff --git a/Dockerfile b/Dockerfile
index a85cb24b..c8e5a4b6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,7 +7,7 @@ LABEL maintainer="Kyle Manna "
 # Testing: pamtester
 RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing/" >> /etc/apk/repositories && \
- apk add --update openvpn iptables bash easy-rsa openvpn-auth-pam google-authenticator pamtester && \
+ apk add --update openvpn iptables bash easy-rsa openvpn-auth-pam google-authenticator pamtester sudo && \
 ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin && \
 rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/*
@@ -32,3 +32,6 @@ RUN chmod a+x /usr/local/bin/*
 # Add support for OTP authentication using a PAM module
 ADD ./otp/openvpn /etc/pam.d/
+
+# Allow Openvpn to modify iptables
+ADD ./etc/openvpn_iptables /etc/sudoers.d/openvpn_iptables
diff --git a/etc/openvpn_iptables b/etc/openvpn_iptables
new file mode 100644
index 00000000..31b4fdd4
--- /dev/null
+++ b/etc/openvpn_iptables
@@ -0,0 +1,3 @@
+Defaults:nobody !requiretty
+
+nobody ALL = NOPASSWD: /sbin/iptables
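Review bot: The sudoers drop-in in the second Dockerfile hunk is installed with `ADD`, which keeps whatever mode the file has in the build context (typically 0644); sudo expects files under /etc/sudoers.d to be root-owned and mode 0440 and may warn about or reject a drop-in with looser permissions, so the grant could silently not apply at runtime. A plain local file should use `COPY` with an explicit mode, `COPY --chmod=0440 ./etc/openvpn_iptables /etc/sudoers.d/openvpn_iptables`, and a build-time syntax check such as `RUN visudo -cf /etc/sudoers.d/openvpn_iptables` would catch a malformed drop-in before it ships. The `sudo` package added in the first hunk is unpinned like the rest of that apk line, so the sudo version that parses this file can change between builds. The on_connect script the commit description refers to is not part of this patch, so whether it calls iptables by the exact `/sbin/iptables` path the sudoers entry requires cannot be checked here.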
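Review bot: `nobody ALL = NOPASSWD: /sbin/iptables` grants passwordless iptables with unrestricted arguments to `nobody`, a shared unprivileged account rather than one dedicated to openvpn, so any process running as nobody in this container can rewrite or flush the entire firewall, well beyond the DNAT and forwarding the commit description asks for. Narrowing the entry to the exact invocations the on_connect script needs (sudoers accepts argument patterns after the command path) or to a single root-owned wrapper script, and running openvpn under a dedicated user instead of nobody, would keep the grant to its stated purpose. The `Defaults:nobody !requiretty` line is reasonable for a script launched by a daemon without a terminal; a short comment at the top of the file naming the script that relies on this entry would help the next maintainer judge whether it is still needed.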