eibgrad

ddwrt-ovpn-kill-switch.sh

Apr 4th, 2021 (edited)
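#!/bin/sh
DEBUG=; set -x # uncomment/comment to enable/disable debug mode

#          name: ddwrt-ovpn-kill-switch.sh
#       version: 1.0.1, 10-apr-2021, by eibgrad
#       purpose: block access LAN->WAN for gui openvpn client (pbr and non-pbr)
#   script type: wanup (autostart)
#  installation:
#    1. enable jffs2 (administration->jffs2)
#    2. enable syslogd (services->services->system log)
#    3. use shell (telnet/ssh) to execute one of the following commands:
#         curl -kLs bit.ly/ddwrt-installer|tr -d '\r'|sh -s -- TKdKUmY1 wanup
#       or
#         wget -qO - bit.ly/ddwrt-installer|tr -d '\r'|sh -s -- TKdKUmY1 wanup
#    4. (optional): use vi editor to modify options:
#         vi /jffs/etc/config/ddwrt-ovpn-kill-switch.wanup
#    5. reboot
#   limitations:
#    - this script is NOT compatible w/ the ddwrt-ovpn-split-basic.sh or
#      ddwrt-ovpn-split-advanced.sh scripts
#    - changes to the openvpn client or this script will only be recognized
#      upon reboot or reinitialization of the WAN
#    - between the cleanup of rules from a prior run and the insertion of the
#      new rules there is a brief window in which no blocking is in effect
#    - all output (including the set -x trace when DEBUG is set) goes to
#      syslog via logger; nothing is written to the console

# ------------------------------ BEGIN OPTIONS ------------------------------- #

VPN_ENABLED_ONLY='1' # 0: apply rules 24/7, 1: apply rules only if VPN enabled

# state checking: "state NEW" vs. no state
#   state NEW (default):
#     * any pre-existing LAN->WAN connections persist until/unless they
#       timeout/close
#     * remote access (WAN->LAN) is allowed (provided port forwarding is enabled)
#     * more efficient (only LAN->WAN packets used to establish NEW connections
#       are inspected)
#   no state:
#     * any pre-existing LAN->WAN connections are stopped/blocked
#     * remote access (WAN->LAN) is denied (even if port forwarding is enabled)
#     * less efficient (every LAN->WAN packet is inspected)
{
FW_STATE='-m state --state NEW'
#FW_STATE='' # uncomment/comment to disable/enable state checking

# ------------------------------- END OPTIONS -------------------------------- #

# ---------------------- DO NOT CHANGE BELOW THIS LINE ----------------------- #

# wan interface: the "dev" field of the (first) default route, not simply the
# last field of that line, which may be a trailing attribute such as a metric
WAN_IF="$(ip route | awk '/^default/{for(i=1;i<NF;i++) if($i=="dev"){print $(i+1); exit}}')"
FW_CHAIN='ovpn-block-lan2wan'

# without a wan interface no rule below can be built; leave any rules from a
# prior run untouched (they keep blocking) and report the problem to syslog
if [ -z "$WAN_IF" ]; then
    echo "error: no default route/wan interface found; kill switch NOT applied"
    exit 1
fi

# cleanup from possible prior execution (errors expected if none exists)
# NB: $FW_STATE is intentionally unquoted; it expands to several arguments
{
iptables -D FORWARD -o "$WAN_IF" $FW_STATE -j REJECT
iptables -D FORWARD -o "$WAN_IF" $FW_STATE -j "$FW_CHAIN"
iptables -F "$FW_CHAIN"
iptables -X "$FW_CHAIN"
} >/dev/null 2>&1

# quit if vpn disabled (unless firewall rules still need to be enforced)
if [ "$(nvram get openvpncl_enable)" = '0' ] && [ "$VPN_ENABLED_ONLY" != '0' ]; then
    exit 0
fi

# ip/network addresses from openvpn client policy based routing (may be empty)
PBR_ROUTES="$(nvram get openvpncl_route)"

# block *all* if nothing in policy based routing
if [ -z "$PBR_ROUTES" ]; then
    iptables -I FORWARD -o "$WAN_IF" $FW_STATE -j REJECT ||
        echo "error: could not insert REJECT rule; kill switch NOT applied"
    exit 0
fi

# create firewall chain for blocked ip(s)/network(s)
iptables -N "$FW_CHAIN"

# read ip/network addresses from policy based routing, one per line; echo -e
# expands escape sequences stored in nvram, tr drops carriage returns
echo -e "$PBR_ROUTES" | tr -d '\r' | \
    while read -r ip; do
        [ "$ip" ] || continue

        # block access LAN->WAN for this ip/network address; an entry iptables
        # rejects (e.g., a malformed address) would otherwise be left
        # unblocked without any trace in the log
        iptables -A "$FW_CHAIN" -s "$ip" -j REJECT ||
            echo "warning: could not add rule for '$ip'; it is NOT blocked"
    done

# begin blocking: force LAN->WAN traffic thru firewall chain for inspection
iptables -I FORWARD -o "$WAN_IF" $FW_STATE -j "$FW_CHAIN" ||
    echo "error: could not insert jump to $FW_CHAIN; kill switch NOT applied"

exit 0

# everything above is logged at priority debug when DEBUG is set, else notice;
# the tag is the script's basename truncated to 23 chars plus the pid
} 2>&1 | logger -p "user.$([ "${DEBUG+x}" ] && echo 'debug' || echo 'notice')" \
    -t "$(basename "$0" | grep -Eo '^.{0,23}')[$$]"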