Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/bin/bash
- set -u
- # Debug
- # set -x
- # This script should run only once at startup.
- if [[ -e '/tmp/openvpn/_done' ]]; then
- exit
- fi
- # We need to know default route anyway, so proceeding without the knowledge
- # is useless.
- timer=0
- while true; do
- if ! ip r | grep default; then
- [[ $timer -ge 120 ]] && exit 1
- sleep 2
- (( timer=timer+2 ))
- else
- break
- fi
- done
- unset timer
- # Mount net_cls cgroup and setup it.
- mkdir -p /sys/fs/cgroup/net_cls
- mount -t cgroup -onet_cls net_cls /sys/fs/cgroup/net_cls
- cgcreate -t root:novpn -a root:novpn -d 775 -f 664 -s 664 -g net_cls:novpn
- echo 0x00110011 > /sys/fs/cgroup/net_cls/novpn/net_cls.classid
- # Apply nftables rules.
- nft -f /etc/nftables.conf
- # Find out default gateway and its device. The first matched
- #'default' will be used.
- read -r ip dev <<<"$(ip r | awk '/default/ {
- split($0, pieces, "[[:space:]]")
- for (i=1;i <= length(pieces);i++) {
- if (pieces[i] == "via") {
- ipaddr=pieces[i+1]
- } else
- if (pieces[i] == "dev") {
- phydev=pieces[i+1]
- }
- }
- printf "%s %s", ipaddr, phydev
- exit 0
- }')"
- # Check in case something unexpected occured (
- # happened to me before).
- if [[ -z $ip ]] || [[ -z $dev ]]; then
- echo "Retrieving default gateway and/or device" \
- "failed for some reason." 1>&2
- exit 1
- fi
- # Configure additional routing table
- ip route add default via "$ip" table novpn
- ip route add 192.168.1.0/24 dev "$dev" table novpn
- ip rule add fwmark 11 table novpn
- # If successful, mark as run.
- mkdir -p /tmp/openvpn
- touch /tmp/openvpn/_done
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
