  1. #!/bin/sh
  2.  
  3. ### Custom user script
  4. ### Called after internal VPN client connected/disconnected to remote VPN server
  5. ### $1        - action (up/down)
  6. ### $IFNAME   - tunnel interface name (e.g. ppp5 or tun0)
  7. ### $IPLOCAL  - tunnel local IP address
  8. ### $IPREMOTE - tunnel remote IP address
  9. ### $DNS1     - peer DNS1
  10. ### $DNS2     - peer DNS2
  11.  
  12. # private LAN subnet behind a remote server (example)
  13. peer_lan="192.168.9.0"
  14. peer_msk="255.255.255.0"
  15.  
  16. ### example: add static route to private LAN subnet behind a remote server
  17.  
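########################################
# CUSTOMIZE YOUR SCRIPT VARIABLES
#
# These are set at top level on purpose: the script is started once per
# event ("up" OR "down"), so anything assigned inside func_ipup is invisible
# to func_ipdown. The "down" kill-switch rules need the same source list
# as the "up" rules.
########################################

# LAN interface whose traffic is policy-routed (-i match in mangle/PREROUTING).
lan_if="br0"

# Tunnel interface candidates, only consulted when the caller does not
# export $IFNAME (see the header of this script).
tun_if_candidates="tun11 tun12 ppp0"

# Source IP addresses sent through the VPN: contiguous range(s) AND/OR
# individual host(s), separated by whitespace or newlines.
ip_addrs_lst="192.168.1.50-192.168.1.99"

# TCP server ports that bypass the VPN (normal port forwarding must still
# be configured). Leave empty to add no port rules.
#server_ports="3389,27,23045"
server_ports=""

# Destination IP ranges (Spotify, Netflix, ...) sent through the VPN,
# separated by whitespace or newlines. Leave empty to add no such rules.
#web_range_lst="72.44.32.1-72.44.63.254
#67.202.0.1-67.202.63.254
#207.223.0.1-207.223.15.254
#98.207.0.1-98.207.255.254
#208.85.40.1-208.85.47.254
#78.31.8.1-78.31.15.254
#193.182.8.1-193.182.15.254"
web_range_lst=""

########################################
# NO NEED TO CHANGE BELOW THIS LINE #
########################################

# Shell commands for maintenance. Run them interactively, do not uncomment:
#   iptables -t mangle -L PREROUTING -n --line-numbers   # list rules with numbers
#   iptables -t mangle -D PREROUTING <line-number>       # delete one rule
#   iptables -t mangle -F PREROUTING                     # flush all mangle rules

#######################################
# Writes a message to syslog under the same tag as the main script.
# Arguments: the message words
#######################################
func_log()
{
  logger -t vpnc-script "$*"
}

#######################################
# Prints the tunnel interface name on stdout.
# Prefers $IFNAME from the caller; otherwise the first entry of
# $tun_if_candidates that appears in the kernel routing table.
# Globals:   IFNAME (read), tun_if_candidates (read)
# Returns:   0 when a name was printed, 1 when none was found (prints nothing)
#######################################
func_find_tun_if()
{
  if [ -n "$IFNAME" ]; then
    printf '%s\n' "$IFNAME"
    return 0
  fi
  # -n avoids reverse DNS lookups, which could hang or leak queries while the
  # tunnel is half configured. NR>2 skips the two header lines of route(8).
  iface_lst=$(route -n | awk 'NR > 2 {print $8}')
  for cand in $tun_if_candidates; do
    for cur in $iface_lst; do
      if [ "$cur" = "$cand" ]; then
        printf '%s\n' "$cand"
        return 0
      fi
    done
  done
  return 1
}

#######################################
# Copies every non-default route of the main table into table 100,
# skipping routes that go over the tunnel interface.
# Arguments: $1 - tunnel interface name; may be empty, then nothing is skipped
#######################################
func_copy_main_routes()
{
  if [ -n "$1" ]; then
    # Anchor on " dev NAME" followed by a space or end of line so that
    # e.g. "tun1" does not also drop "tun11".
    tun_filter=" dev $1( |\$)"
  else
    # A pattern that never matches a route line: keep everything.
    tun_filter='^$'
  fi
  ip route show table main \
    | grep -Ev '^default' \
    | grep -Ev "$tun_filter" \
    | while read -r route_spec; do
        # shellcheck disable=SC2086 -- route_spec must be split back into arguments
        ip route add table 100 $route_spec
      done
}

#######################################
# VPN "up" handler: builds routing table 100 (= bypass VPN via the WAN
# gateway, selected by fwmark 1) and the mangle/PREROUTING mark rules.
# Default: mark 1 (bypass VPN) for all LAN traffic; the configured
# sources/destinations get mark 0 (use VPN).
# Globals:   lan_if, ip_addrs_lst, server_ports, web_range_lst (read)
# Returns:   0
#######################################
func_ipup()
{
  # Give the tunnel a moment to settle before touching the routing tables.
  sleep 1

  # Reverse Path Filtering must be relaxed for policy routing: replies to
  # marked flows may leave via a different interface than the main table
  # would choose. NOTE: rp_filter=0 also removes the kernel's anti-spoofing
  # check on every interface, including "all" and "default" (future
  # interfaces), and func_ipdown does not restore it. Loose mode (2) may be
  # sufficient on kernels that support it — verify before changing.
  for rpf in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 0 > "$rpf"
  done

  # Start from a clean table 100 / rule set. The "del" commands legitimately
  # fail on the first run (nothing to delete), so their stderr is silenced.
  ip route flush table 100
  ip route del default table 100 2>/dev/null
  ip rule del fwmark 1 table 100 2>/dev/null
  ip route flush cache
  iptables -t mangle -F PREROUTING

  tun_if=$(func_find_tun_if)
  if [ -z "$tun_if" ]; then
    func_log "func_ipup: tunnel interface not found; copying all main routes to table 100"
  fi

  # Table 100 = "bypass VPN": the main routes minus the tunnel ones, plus a
  # default route via the WAN gateway. fwmark 1 selects this table.
  func_copy_main_routes "$tun_if"
  wan_gw=$(nvram get wan0_gateway)
  if [ -n "$wan_gw" ]; then
    ip route add default table 100 via "$wan_gw"
  else
    # Without a default in table 100, marked (bypass) traffic has no route;
    # log it instead of letting "ip route add ... via" fail silently.
    func_log "func_ipup: nvram wan0_gateway is empty; table 100 has no default route"
  fi
  ip rule add fwmark 1 table 100
  ip route flush cache

  # EXAMPLES of rules you can add after the default mark:
  #   all LAN traffic bypasses the VPN (put first, then add exceptions):
  #     iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
  #   ports 80 and 443 bypass the VPN:
  #     iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
  #   one LAN host uses the VPN:
  #     iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
  #   one Internet address is reached via the VPN:
  #     iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
  #   all UDP and ICMP bypass the VPN:
  #     iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
  #     iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1

  # Default behaviour: MARK 1 = bypass VPN, MARK 0 = use VPN.
  iptables -t mangle -A PREROUTING -i "$lan_if" -j MARK --set-mark 1

  # Source addresses / ranges that use the VPN.
  for ip_addrs in $ip_addrs_lst; do
    iptables -t mangle -A PREROUTING -i "$lan_if" -m iprange --src-range "$ip_addrs" -j MARK --set-mark 0
  done

  # Server ports that bypass the VPN. Skipped when unset: an empty
  # --dport/--sport argument makes iptables reject the whole rule.
  if [ -n "$server_ports" ]; then
    iptables -t mangle -A PREROUTING -i "$lan_if" -p tcp -m multiport --dport "$server_ports" -j MARK --set-mark 1
    iptables -t mangle -A PREROUTING -i "$lan_if" -p tcp -m multiport --sport "$server_ports" -j MARK --set-mark 1
  fi

  # Destination ranges (websites) that use the VPN.
  for web_dst_range in $web_range_lst; do
    iptables -t mangle -A PREROUTING -i "$lan_if" -m iprange --dst-range "$web_dst_range" -j MARK --set-mark 0
  done

  # Testing Environment: ACCEPT ends mangle/PREROUTING processing for the
  # VPN sources; kept for parity with the original rule set.
  for ip_addrs in $ip_addrs_lst; do
    iptables -t mangle -A PREROUTING -i "$lan_if" -m iprange --src-range "$ip_addrs" -j ACCEPT
  done
  # End Test Environment
  return 0
}

#######################################
# VPN "down" handler (kill switch): drops traffic from the VPN-only sources
# while the tunnel is gone, so it cannot fall back to whatever default route
# the main table still has (typically the WAN). The mark rules, table 100
# and the rp_filter change from func_ipup are left in place; the next "up"
# flushes PREROUTING and rebuilds them.
# Globals:   lan_if, ip_addrs_lst (read)
# Returns:   0
#######################################
func_ipdown()
{
  # Testing Environment
  for ip_addrs in $ip_addrs_lst; do
    iptables -t mangle -A PREROUTING -i "$lan_if" -m iprange --src-range "$ip_addrs" -j DROP
  done
  # End Test Environment
  return 0
}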
  155.  
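# Entry point: log the event, then dispatch on the action passed by the VPN
# client ("up" or "down"). An unknown action is logged rather than silently
# ignored, so a misconfigured caller is visible in syslog.
logger -t vpnc-script "$IFNAME $1"

case "$1" in
  up)
    func_ipup
    ;;
  down)
    func_ipdown
    ;;
  *)
    logger -t vpnc-script "ignoring unknown action '$1'"
    ;;
esac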