From 15190941272fb20b89f4092d84f8661c39f29610 Mon Sep 17 00:00:00 2001 From: Tony Outis <3321213+tony-0tis@users.noreply.github.com> Date: Wed, 14 Sep 2022 02:56:21 +0300 Subject: [PATCH] Update openvpn-install.sh #417 done --- openvpn-install.sh | 53 ++++++++++++++++++++++++++++++++++++---------- 1 file changed, 42 insertions(+), 11 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 64d8ed0..ef82d6c 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -956,40 +956,71 @@ verb 3" >>/etc/openvpn/server.conf if [[ $DNS == 2 ]]; then installUnbound fi + + if pgrep firewalld; then + IP=$(hostname -I | awk '{print $1}') + echo "#!/bin/sh +# Allow incoming traffic +firewall-cmd --zone=public --add-port=$PORT/$PROTOCOL +firewall-cmd --permanent --zone=public --add-port=$PORT/$PROTOCOL - # Add iptables rules in two scripts - mkdir -p /etc/iptables +# Add trusted zone +firewall-cmd --zone=trusted --add-source=10.8.0.0/24 +firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24 - # Script to add rules - echo "#!/bin/sh +# Set NAT for the VPN subnet +firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP +firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP" >/etc/iptables/add-openvpn-rules.sh + + echo "#!/bin/sh +# Remove firewall rules +firewall-cmd --zone=public --remove-port=$PORT/$PROTOCOL +firewall-cmd --permanent --zone=public --remove-port=$PORT/$PROTOCOL + +# remove trusted zone +firewall-cmd --zone=trusted --remove-source=10.8.0.0/24 +firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24 + +# Remove NAT for the VPN subnet +firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP +firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP" >/etc/iptables/rm-openvpn-rules.sh + + else + + # Add iptables rules in two scripts + mkdir -p /etc/iptables + + # Script to add rules + echo "#!/bin/sh iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o $NIC -j MASQUERADE iptables -I INPUT 1 -i tun0 -j ACCEPT iptables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT iptables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables/add-openvpn-rules.sh - if [[ $IPV6_SUPPORT == 'y' ]]; then - echo "ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE + if [[ $IPV6_SUPPORT == 'y' ]]; then + echo "ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE ip6tables -I INPUT 1 -i tun0 -j ACCEPT ip6tables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT ip6tables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT ip6tables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >>/etc/iptables/add-openvpn-rules.sh - fi + fi - # Script to remove rules - echo "#!/bin/sh + # Script to remove rules + echo "#!/bin/sh iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE iptables -D INPUT -i tun0 -j ACCEPT iptables -D FORWARD -i $NIC -o tun0 -j ACCEPT iptables -D FORWARD -i tun0 -o $NIC -j ACCEPT iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables/rm-openvpn-rules.sh - if [[ $IPV6_SUPPORT == 'y' ]]; then - echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE + if [[ $IPV6_SUPPORT == 'y' ]]; then + echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE ip6tables -D INPUT -i tun0 -j ACCEPT ip6tables -D FORWARD -i $NIC -o tun0 -j ACCEPT ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT ip6tables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >>/etc/iptables/rm-openvpn-rules.sh + fi fi chmod +x /etc/iptables/add-openvpn-rules.sh