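#######################################
# Install the OpenVPN helper scripts for the gateway and add the required
# directives to the three rotating client configs.
# Globals:   DIRECTTCP  (read)  - space-separated TCP ports that bypass the
#                                 tunnel; when empty, no marking/SNAT rules are
#                                 generated in either hook script
#            EXT_IF_V4  (read)  - external interface used in the SNAT rule
#            EXT_IP_V4  (read)  - external address used in the SNAT rule
#            PORTS      (written) - DIRECTTCP as a comma-separated list; kept
#                                 global because the original did so
# Arguments: none
# Outputs:   writes /usr/local/bin/switch-vpn, /etc/openvpn/openvpn-up and
#            /etc/openvpn/openvpn-down; edits /etc/openvpn/{00.conf,01.ovpn,
#            02.ovpn} through ensureline / ensureline_tr (defined elsewhere
#            in this file)
# Returns:   status of the last ensureline_tr call
#######################################
setup_openvpn() {
  local cfg
  # Rotation helper: 00.conf is the active config, 01.ovpn and 02.ovpn are the
  # alternates. The heredoc delimiter is unquoted on purpose: \$ovpn/\$prg are
  # escaped so they expand in the generated script, not here.
  cat <<-EOF >/usr/local/bin/switch-vpn
#! /bin/bash
ovpn=/etc/openvpn
prg=openvpn
# Config wechseln
echo "Config rotieren!"
mv \$ovpn/00.conf \$ovpn/00.ovpn
mv \$ovpn/01.ovpn \$ovpn/00.conf
mv \$ovpn/02.ovpn \$ovpn/01.ovpn
mv \$ovpn/00.ovpn \$ovpn/02.ovpn
service \$prg restart
EOF
  chmod +x /usr/local/bin/switch-vpn

  # "up" hook. OpenVPN passes ifconfig_local, route_vpn_gateway and dev via
  # the environment; those are escaped so the hook reads them at run time.
  # Because the configs get route-noexec (below), this hook owns the policy
  # routing into the stuttgart/ffsdefault tables and the MASQUERADE rule.
  cat <<-EOF >/etc/openvpn/openvpn-up
#!/bin/sh
ip rule add from \$ifconfig_local table stuttgart priority 7000
ip rule add from \$ifconfig_local table ffsdefault priority 10000
ip route add default via \$route_vpn_gateway dev \$dev table ffsdefault metric 2000
#ip route add 0.0.0.0/1 via \$route_vpn_gateway dev \$dev table stuttgart
#ip route add 128.0.0.0/1 via \$route_vpn_gateway dev \$dev table stuttgart
# NAT aktivieren und NAT Tabelle vergroessern, wird benötigt wenn NICHT Berlin
iptables -t nat -A POSTROUTING -o \$dev -j MASQUERADE
sysctl -w net.netfilter.nf_conntrack_max=500000
sysctl -w net.netfilter.nf_conntrack_buckets=65536
#sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=86400
#exit 0
EOF
  if [ -n "$DIRECTTCP" ]; then
    # Ports that leave via the external interface instead of the tunnel.
    # $PORTS, $EXT_IF_V4 and $EXT_IP_V4 are deliberately unescaped: they are
    # baked into the hook at generation time. xt_multiport accepts at most
    # 15 port specs, so a longer DIRECTTCP list makes the rule fail to load.
    PORTS=$(printf '%s' "$DIRECTTCP" | tr ' ' ',')
    cat <<-EOF >>/etc/openvpn/openvpn-up
# https+Mailports direkt ausleiten
ip rule add fwmark 0x2000 lookup main priority 9000
iptables -t mangle -A PREROUTING -j MARK --set-xmark 0x0/0xffffffff
iptables -t mangle -A FORWARD -j MARK --set-xmark 0x0/0xffffffff
iptables -t mangle -A PREROUTING -s 10.190.0.0/15 -p tcp -m tcp -m multiport --dports $PORTS -j MARK --set-xmark 0x2000/0xffffffff
iptables -t mangle -A FORWARD -s 10.190.0.0/15 -p tcp -m tcp -m multiport --dports $PORTS -j MARK --set-xmark 0x2000/0xffffffff
iptables -t nat -A POSTROUTING -o $EXT_IF_V4 -p tcp -m multiport --dports $PORTS -j SNAT --to-source $EXT_IP_V4
#ip route show table main | while read ROUTE ; do ip route add table ffsdefault \$ROUTE ; done
exit 0
EOF
  fi
  chmod +x /etc/openvpn/openvpn-up

  # "down" hook: mirror of the up hook. The DIRECTTCP block is emitted under
  # the same condition as in openvpn-up; previously it was unconditional, so
  # with DIRECTTCP unset the hook contained "--dports" with an empty list
  # (an iptables parse error) and deleted per-port rules that openvpn-up
  # never adds (that loop is commented out in the up hook).
  cat <<-EOF >/etc/openvpn/openvpn-down
#!/bin/sh
ip rule del from \$ifconfig_local table stuttgart priority 7000
ip rule del from \$ifconfig_local table ffsdefault priority 10000
# NAT deaktivieren, wird benötigt wenn NICHT Berlin
iptables -t nat -D POSTROUTING -o \$dev -j MASQUERADE
EOF
  if [ -n "$DIRECTTCP" ]; then
    cat <<-EOF >>/etc/openvpn/openvpn-down
# https+Mailports direkt ausleiten
ip rule del fwmark 0x2000 lookup main priority 9000
iptables -t mangle -D PREROUTING -j MARK --set-xmark 0x0/0xffffffff
iptables -t mangle -D FORWARD -j MARK --set-xmark 0x0/0xffffffff
iptables -t mangle -D PREROUTING -s 10.190.0.0/15 -p tcp -m tcp -m multiport --dports $PORTS -j MARK --set-xmark 0x2000/0xffffffff
iptables -t mangle -D FORWARD -s 10.190.0.0/15 -p tcp -m tcp -m multiport --dports $PORTS -j MARK --set-xmark 0x2000/0xffffffff
iptables -t nat -D POSTROUTING -o $EXT_IF_V4 -p tcp -m multiport --dports $PORTS -j SNAT --to-source $EXT_IP_V4
EOF
  fi
  cat <<-EOF >>/etc/openvpn/openvpn-down
#ip route flush table ffsdefault
exit 0
EOF
  chmod +x /etc/openvpn/openvpn-down

  # Config anpassen: every rotation slot gets the same directives.
  # script-security 2 is what allows OpenVPN to execute the hooks above, and
  # route-noexec hands route installation to them. The hooks are referenced
  # by bare name, so they are resolved relative to OpenVPN's working
  # directory — presumably /etc/openvpn on this system; verify against the
  # service unit if the hooks are not found.
  for cfg in /etc/openvpn/00.conf /etc/openvpn/01.ovpn /etc/openvpn/02.ovpn; do
    ensureline "route-noexec" "$cfg"
    ensureline "script-security 2" "$cfg"
    ensureline_tr "up \"openvpn-up\"" "$cfg"
    ensureline_tr "down \"openvpn-down\"" "$cfg"
    ensureline "sndbuf 393216" "$cfg"
    ensureline "rcvbuf 393216" "$cfg"
    ensureline_tr "push \"sndbuf 393216\"" "$cfg"
    ensureline_tr "push \"rcvbuf 393216\"" "$cfg"
  done
}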