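#!/bin/sh
# (Credit to SmallNetBuilder member DJR747 and Jobongo's Wiki - Howto Set SSID VPN)
#
# VPN_Select.sh - selective OpenVPN client routing on an Asuswrt-Merlin router.
#
# Traffic is steered through the VPN client for:
#   A single device, or
#   A range of devices, or
#   A subnet, or
#   A Guest WiFi SSID
#
# Usage (normally only via the OpenVPN client 'route-up' hook, see below):
#   VPN_Select.sh [Guest_SSID_interface ...]
#
# The optional args are Guest SSID interfaces that must be routed through this VPN:
#   wl1.3        # 5GHz Guest #3 will use this VPN (if defined in /etc/dnsmasq.conf)
#   wl0.1 wl1.3  # 2.4GHz Guest #1 and 5GHz Guest #3 will use this VPN (if defined in /etc/dnsmasq.conf)
# NOTE(review): a wildcard '*' ("all Guests") is not implemented; each interface must
# be listed explicitly. A literal '*' simply fails the dnsmasq lookup and is logged as an error.
#
# Two per-client values are read from /jffs/configs/VPNSelect (no longer hard-coded here):
#   MY_VPNTAB  e.g. 100  routing table used for this VPN client
#   TAG_MARK   e.g. 1    fwmark; any device tagged with it (ON/OFF) will use this VPN client
# The first line of that file containing "VPN<n>" (case-insensitive; n = last character of the
# OpenVPN interface name, e.g. tun11 -> 1) supplies the table in field 2 and the mark in field 3
# (whitespace separated).
#
# To overcome timing issues, this method relies on the VPN client custom configuration to call
# this script. The following VPN client custom configuration directives MUST be defined:
# *************************************************************************
# route-nopull
# script-security 2
# route-up "/jffs/scripts/VPN_Select.sh [Guest_SSID_interfaces]"
# **************************************************************************
# These optional VPN client custom configuration directives help to keep the VPN connection alive,
# although the Host VPN server can terminate the connection based on their lease renewal policy
#inactive 0
#keepalive 5 60
#
# /etc/dnsmasq.conf must also define the Guest WiFi interface to be used by this VPN, so include
# the following three directives in /jffs/configs/dnsmasq.conf.add
#
# e.g. wl0.1 represents 2.4GHz Guest #1 aka '241' octet
# so   wl1.3 5GHz Guest #3 would use '53' octet ...to aid debugging connections by I/P
#
# interface=wl0.1
# dhcp-range=wl0.1,192.168.241.2,192.168.241.20,255.255.255.0,21600s
# dhcp-option=wl0.1,3,192.168.241.1
#
# NOTE: These commands may be specified in wan-start to block ALL WAN access except http/https
# until the VPN Client is UP, i.e. when this script runs.
# iptables -I FORWARD -i br0 -s xxx.xxx.xxx.0/24 -o `nvram get wan0_ifname` -j DROP
# iptables -I FORWARD -s xxx.xxx.xxx.0/24 -o ! $dev -p tcp --dport 80 -j ACCEPT
# iptables -I FORWARD -s xxx.xxx.xxx.0/24 -o ! $dev -p tcp --dport 443 -j ACCEPT
# iptables -I FORWARD -s xxx.xxx.xxx.0/24 -o ! $dev -p tcp -m multiport --dport 80,443,25,110,143,8888 -j ACCEPT

SCRIPT_NAME=$(basename "$0")
LOG_TAG="($SCRIPT_NAME)"
VPN_CONFIG=/jffs/configs/VPNSelect

# log MESSAGE...
# Writes MESSAGE to syslog and stderr, prefixed with the script name and PID
# (same format as every message this script has always emitted).
log() {
  logger -s -t "$LOG_TAG" $$ "$*"
}

# Use the OpenVPN environment variables: $dev (tunnel interface, e.g. tun11) and
# $ifconfig_local are exported by the OpenVPN client when it runs the route-up hook.
# Without $dev nothing below can work, so abort with a non-zero status.
if [ -z "$dev" ]; then
  log "*** ERROR not called by VPN Client route-up?...ABORTing!"
  exit 1
fi

VPN_ID=${dev#"${dev%?}"}   # last character of $dev, e.g. tun11 -> 1

log "OpenVPN Client$VPN_ID Selective routing starting.... $0${*:+ $*}"

MYROUTER=$(nvram get computer_name)   # referenced only in the KEY_tag note below
USEPATH="/tmp/mnt/$MYROUTER"          # not used by this script; kept for reference

# Get the values from /jffs/configs/VPNSelect.
# Only the first matching line is used so that a config with several matches
# (e.g. "VPN1" also matching "VPN10", or a comment line) cannot produce
# multi-line values that would break the ip/iptables commands below.
CONFIG_LINE=$(grep -i "VPN$VPN_ID" "$VPN_CONFIG" 2>/dev/null | head -n 1)
MY_VPNTAB=$(printf '%s\n' "$CONFIG_LINE" | awk '{print $2}')
TAG_MARK=$(printf '%s\n' "$CONFIG_LINE" | awk '{print $3}')

# An empty table or mark would turn the ip/iptables commands below into
# garbage (e.g. 'ip rule add fwmark table 100'); refuse to continue.
if [ -z "$MY_VPNTAB" ] || [ -z "$TAG_MARK" ]; then
  log "*** ERROR no table/fwmark for VPN$VPN_ID in $VPN_CONFIG (table='$MY_VPNTAB' mark='$TAG_MARK')...ABORTing!"
  exit 1
fi

# Create new table to route VPN traffic when tagged with MARK. (Credit to SmallNetBuilder member DJR747)
# or to be associated with a WiFi Guest SSID.
# The 'del' commands fail harmlessly on the first run (nothing to delete), so their
# stderr is silenced.
ip route flush table "$MY_VPNTAB"
ip rule del fwmark "$TAG_MARK" table "$MY_VPNTAB" 2>/dev/null
ip rule del table "$MY_VPNTAB" 2>/dev/null
ip route flush cache
# NOTE(review): this flushes EVERY rule in mangle/PREROUTING, not only this client's
# MARK rules; with more than one VPN client using this script, the latest route-up
# wipes the marks set for the others. Confirm before relying on several clients.
iptables -t mangle -F PREROUTING

# Disable Reverse Path Filtering on the current VPN network interface
# (presumably because policy-routed replies arrive via $dev asymmetrically - confirm).
echo 0 > "/proc/sys/net/ipv4/conf/$dev/rp_filter"

log "CMD: ip route add default via $ifconfig_local dev $dev table $MY_VPNTAB"
ip route add default via "$ifconfig_local" dev "$dev" table "$MY_VPNTAB"
log "CMD: ip rule add fwmark $TAG_MARK table $MY_VPNTAB"
ip rule add fwmark "$TAG_MARK" table "$MY_VPNTAB"

# Mark the Guest SSID(s) to use this VPN Client.
# Iterating "$@" keeps each interface name intact and never pathname-expands it.
for GUEST_IF in "$@"; do
  SSID=$(nvram get "${GUEST_IF}_ssid")
  log "SSID $SSID is being configured to use OpenVPN Client$VPN_ID....."
  # Validate the Guest SSID(s) to be forced to use this VPN:
  # extract the I/P from 'dhcp-option=$GUEST_IF,3,10.88.241.1' (fixed-string match,
  # so '.' in the interface name is taken literally).
  GUEST_IF_IP=$(grep -iF "dhcp-option=$GUEST_IF,3" /etc/dnsmasq.conf | head -n 1 | awk -F, '{print $3}')
  GUEST_SUBNET_PREFIX=${GUEST_IF_IP%.*}   # first three octets, for the log only
  log " Lookup '$GUEST_IF' in DNSMASQ returned:>$GUEST_IF_IP< and Subnet Prefix >$GUEST_SUBNET_PREFIX<"
  if [ -n "$GUEST_IF_IP" ]; then
    log " CMD: ip rule add dev $GUEST_IF table $MY_VPNTAB"
    ip rule del dev "$GUEST_IF" 2>/dev/null
    ip rule add dev "$GUEST_IF" table "$MY_VPNTAB"
    log "SSID $SSID is configured to use OpenVPN Client$VPN_ID."
  else
    log "*** ERROR SSID $SSID cannot be configured to use OpenVPN Client$VPN_ID."
  fi
done

# To list if custom MARK tables exist use
#
#   ip rule
log "CMD: ip rule"
log " $(ip rule)"
# To list if custom route tables exist use
#
#   ip route show table $MY_VPNTAB
log "CMD: ip route show table $MY_VPNTAB"
log " $(ip route show table "$MY_VPNTAB")"

# If the VPN isn't firewalled by the ISP, then this rule should protect inbound access to the router
#iptables -I INPUT -i $dev -p tcp --dport 0:1023 -m state --state NEW -j DROP

# Select the I/P devices to be routed.
# ====================================
if [ -e /jffs/scripts/VPN_Select_ON_OFF.sh ]; then
  # Call VPN_select_ON_OFF [host.dnsmasq | ip_address | KEY_tag] [ON | OFF] {FORCE}
  #
  # where Host.dnsmasq will be matched against /etc/hosts.dnsmasq contents
  #
  # Key_tag will be matched against /mnt/$MYROUTER/VPN_MASKS.txt
  #
  # FORCE will ensure designated target will ONLY use the VPN.
  #
  # Use HOSTS.DNSMASQ lookup to resolve PS3-Bedroom and ensure it ONLY uses the VPN
  /jffs/scripts/VPN_Select_ON_OFF.sh PS3-Bedroom ON FORCE
  # Others that are not individual I/P addresses.......
  #/jffs/scripts/VPN_Select_ON_OFF.sh ALL ON
  #/jffs/scripts/VPN_Select_ON_OFF.sh ANDROID ON
else
  # Explicitly select the I/P devices to be routed.
  log "Manually issue iptables -t mangle -A PREROUTING -i br0 commands"
  # Examples for routing a specific device, all devices on the subnet or a range of devices via VPN
  #iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range xxx.xxx.xxx.xxx -j MARK --set-mark $TAG_MARK
  #iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range xxx.xxx.xxx.0/24 -j MARK --set-mark $TAG_MARK
  #iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range xxx.xxx.xxx.nnn-xxx.xxx.xxx.nnn+y -j MARK --set-mark $TAG_MARK
  # Example for routing a specific port via VPN
  # iptables -t mangle -A PREROUTING -i br0 -s xxx.xxx.xxx.xxx -p tcp --dport ppppp -j MARK --set-mark $TAG_MARK
fi

# Debug the routing tables
if [ -e /jffs/scripts/IPTablesDump.sh ]; then
  /jffs/scripts/IPTablesDump.sh "VPN_Client_Select$VPN_ID"
fi

log "OpenVPN Client$VPN_ID Selective routing completed...."
exit 0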