Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ADMIN@RT-AC68U-85F8:/jffs/scripts#
- ADMIN@RT-AC68U-85F8:/jffs/scripts#
- ADMIN@RT-AC68U-85F8:/jffs/scripts#
- ADMIN@RT-AC68U-85F8:/jffs/scripts#
- ADMIN@RT-AC68U-85F8:/jffs/scripts#
- ADMIN@RT-AC68U-85F8:/jffs/scripts#
- ADMIN@RT-AC68U-85F8:/jffs/scripts# ls -l
- -rwxr-xr-x 1 ADMIN root 7510 Feb 10 23:42 ChkVPNConfig.sh
- -rwxr-xr-x 1 ADMIN root 2920 Feb 20 21:50 Debug_VPN.sh
- ADMIN@RT-AC68U-85F8:/jffs/scripts#
- ADMIN@RT-AC68U-85F8:/jffs/scripts# ./Debug_VPN.sh
- -sh: ./Debug_VPN.sh: not found
- ADMIN@RT-AC68U-85F8:/jffs/scripts# ./ChkVPNConfig.sh
- -sh: ./ChkVPNConfig.sh: not found
- ADMIN@RT-AC68U-85F8:/jffs/scripts#
- ADMIN@RT-AC68U-85F8:/jffs/scripts# cat Debug_VPN.sh
- #!/bin/sh
- # Debugging Selective routing use cru/cron
- Say(){
- echo -e $$ $@ | logger -st "($(basename $0))"
- }
- SayT() {
- echo -e $$ $@ | logger -t "($(basename $0))"
- }
- ANSIColours() {
- cRESET="\e[0m";cBLA="\e[30m";cRED="\e[31m";cGRE="\e[32m";cYEL="\e[33m";cBLU="\e[34m";cMAG="\e[35m";cCYA="\e[36m";cGRA="\e[37m"
- cBGRA="\e[90m";cBRED="\e[91m";cBGRE="\e[92m";cBYEL="\e[93m";cBBLU="\e[94m";cBMAG="\e[95m";cBCYA="\e[96m";cBWHT="\e[97m"
- aBOLD="\e[1m";aDIM="\e[2m";aUNDER="\e[4m";aBLINK="\e[5m";aREVERSE="\e[7m"
- cRED_="\e[41m";cGRE_="\e[42m"
- }
- ANSIColours
- VPN_ROUTES=
- WAN_IP=
- for VPN_TAB in 254 $(ip route show table 254 | grep -oE "tun1[1|2|3|4|5]" | sort )
- do
- [ "$VPN_TAB" != "254" ] && VPN_TAB=$(echo $VPN_TAB | sed 's/tun1/11/')
- echo -e $cBWHT
- Say "VPN Client" ${VPN_TAB:2:1} "route Table:" $VPN_TAB
- echo -en $cBMAG
- AROUTE=$(ip route show table $VPN_TAB | awk ' /default/ {print $3}')
- if [ -z "$(echo "$VPN_ROUTES" | grep -oF $AROUTE )" ];then
- VPN_ROUTES=$VPN_ROUTES" "$AROUTE
- else
- echo -e $cBRED"\a"
- TXT="ALREADY used by a previous VPN Client"
- if [ "$WAN_IP" == "$AROUTE" ];then
- TXT="is via the WAN!!!"
- fi
- Say "***ERROR*** VPN Client" ${VPN_TAB:2:1} "route" $AROUTE $TXT
- echo -e $cRESET
- fi
- # Obfuscate IP address <optional>
- ip route show table $VPN_TAB | grep -E "^0\.|^128.|^default|tun1"
- ip route show table $VPN_TAB | grep -E "^0\.|^128.|^default|tun1" >>/tmp/syslog.log
- if [ "$VPN_TAB" != "254" ];then
- DEV=$(ip route show table $VPN_TAB | grep -v "default" | grep -oE "tun1[1|2|3|4|5]" )
- if [ "tun1"${VPN_TAB:2:1} != "$DEV" ];then
- echo -e $cBRED"\a"
- Say "***ERROR*** RPDB rules will be misdirected for VPN Client" ${VPN_TAB:2:1}
- echo -e $cRESET
- else
- if [ ! -z "$(ip route show table $VPN_TAB | grep -E "^0\.|^128.]")" ];then
- echo -e $cBRED"\a"
- Say "***ERROR***Selective routing NOT enabled! - table 'main' is routing ALL traffic via VPN"
- echo -e $cRESET
- fi
- fi
- else
- WAN_IP=$AROUTE
- fi
- done
- echo -e $cBWHT
- Say "RPDB rules:"
- echo -en $cBMAG
- ip rule;ip rule >>/tmp/syslog.log
- echo -e $cBWHT
- Say "Count of active RPDB rules:"
- echo -en $cBGRE
- # How many entities Selectively routed
- ip rule | grep -v "fwmark" | grep -oE "lookup.*ovpnc[1-5]+" | sort -k 2 | uniq -c
- ip rule | grep -v "fwmark" | grep -oE "lookup.*ovpnc[1-5]+" | sort -k 2 | uniq -c >>/tmp/syslog.log
- SayT "Summary:$(ip rule | grep -v "fwmark" | grep -oE "lookup.*ovpnc[1-5]+" | sort -k 2 | uniq -c)"
- echo -e $cRESET
- ADMIN@RT-AC68U-85F8:/jffs/scripts# cat ChkVPNConfig.sh
- #!/bin/sh
- VER="v1.01b3"
- #============================================================================== © 2018 Martineau, v01.01b3
- # Check VPN Selective routing.
- #
- # Schedule via cru/cron to have the VPN status tracked/dumped to Syslog.
- #
- #*=====================================Functions=====================================================
- # Print between line beginning with'#==' to first blank line inclusive
- ShowHelp() {
- echo -en $cBWHT >&2
- awk '/^#==/{f=1} f{print; if (!NF) exit}' $0
- echo -en $cRESET >&2
- }
- Say(){
- echo -e $$ $@ | logger -st "($(basename $0))"
- }
- SayT(){
- echo -e $$ $@ | logger -t "($(basename $0))"
- }
- ANSIColours() {
- cRESET="\e[0m";cBLA="\e[30m";cRED="\e[31m";cGRE="\e[32m";cYEL="\e[33m";cBLU="\e[34m";cMAG="\e[35m";cCYA="\e[36m";cGRA="\e[37m"
- cBGRA="\e[90m";cBRED="\e[91m";cBGRE="\e[92m";cBYEL="\e[93m";cBBLU="\e[94m";cBMAG="\e[95m";cBCYA="\e[96m";cBWHT="\e[97m"
- aBOLD="\e[1m";aDIM="\e[2m";aUNDER="\e[4m";aBLINK="\e[5m";aREVERSE="\e[7m"
- cRED_="\e[41m";cGRE_="\e[42m"
- }
- Check_DuplicateVPNPorts() {
- local VPN_ID=
- local VPN_ADDR=
- local VPN_PORTS=
- local VPN_ID_LIST="1 2 3 4 5"
- #local VPN_CLIENTPORTS=$(nvram show 2> /dev/null | grep -E "vpn_client.*port" | grep -v "client_port")
- for VPN_ID in $VPN_ID_LIST
- do
- VPN_ADDR=$(nvram get vpn_client${VPN_ID}_addr)
- if [ -z "$VPN_ADDR" ];then
- continue # VPN Client instance not configured?
- fi
- # vpn_client1_port=553
- # vpn_client1_proto=udp
- if [ "$1" == "2" ];then
- local VPN_STATE=$(nvram get "vpn_client"$VPN_ID"_state")
- if [ "$VPN_STATE" != "2" ];then
- continue
- fi
- fi
- local THIS=$(echo $(nvram get vpn_client${VPN_ID}_port)":"$(nvram get vpn_client${VPN_ID}_proto | tr "a-z" "A-Z") )
- if [ "$2" == "diag" ];then
- local VPN_PORTS=$( echo -e "$VPN_PORTS VPN client" $VPN_ID "ACTIVE using port" $THIS", ")
- else
- local VPN_PORTS=$(echo -e "$VPN_PORTS ${THIS}\n")
- fi
- done
- if [ "$2" != "diag" ];then
- # Convert words to individual lines and report on duplicates
- echo $VPN_PORTS | tr ' ' '\n' | sort -n | uniq -d
- else
- echo $VPN_PORTS
- fi
- }
- #============================================Main==================================================
- ANSIColours
- # Provide assistance
- if [ "$1" = "-h" ] || [ "$1" = "help" ]; then
- ShowHelp # Show help
- exit 0
- fi
- echo -e $cBWHT
- Say $VER "VPN Selective Routing configuration checker ....."
- VPN_ROUTES=
- WAN_IP=
- MULTI_FOUND=
- for VPN_TAB in 254 $(ip route show table 254 | grep -oE "tun1[1|2|3|4|5]" | sort | uniq )
- do
- [ "$VPN_TAB" != "254" ] && VPN_TAB=$(echo $VPN_TAB | sed 's/tun1/11/')
- echo -e $cBWHT
- if [ "$VPN_TAB" != "254" ];then
- Say "VPN Client" ${VPN_TAB:2:1} "route Table:" $VPN_TAB
- else
- Say "WAN (main) route Table:" $VPN_TAB
- fi
- echo -en $cBCYA
- # Obfuscate IP address
- AROUTE=$(ip route show table $VPN_TAB | awk ' /default/ {print $3}')
- ip route show table $VPN_TAB | grep -E "^0\.|^128.|^default|tun1"
- ip route show table $VPN_TAB | grep -E "^0\.|^128.|^default|tun1" >>/tmp/syslog.log
- if [ -z "$(echo "$VPN_ROUTES" | grep -oF "\-${AROUTE}" )" ];then
- if [ "$VPN_TAB" != "254" ];then
- if [ ! -z "$AROUTE" ];then
- VPN_ROUTES=$VPN_ROUTES" "${VPN_TAB:2:1}-${AROUTE}
- fi
- else
- VPN_ROUTES=$VPN_ROUTES" 0-"$AROUTE
- fi
- else
- echo -e $cBRED"\a"
- TXT="ALREADY used by VPN Client "$(echo "$VPN_ROUTES" | grep -oE "${AROUTE}\-[1-5]+" | cut -d'-' -f2)
- if [ "$WAN_IP" == "$AROUTE" ];then
- TXT="is via the WAN!!!"
- fi
- Say "***ERROR*** VPN Client" ${VPN_TAB:2:1} "route" $AROUTE $TXT
- echo -en $cRESET
- fi
- # Check default route matches this VPN Client
- # default via xxx.xxx.xxx.xxx dev tunXX
- if [ "$VPN_TAB" != "254" ];then
- DEV=$(ip route show table $VPN_TAB | awk ' /default/ {print $5}')
- if [ "tun1"${VPN_TAB:2:1} != "$DEV" ];then
- if [ ! -z "$DEV" ];then
- echo -e $cBRED"\a"
- Say "***ERROR*** RPDB rules will be misdirected for VPN Client" ${VPN_TAB:2:1} "via" $DEV
- echo -en $cRESET
- fi
- fi
- # Check for either of these in this VPN Client but its OK if ONLY 1 VPN Client ACTIVE!
- # 0.0.0.0/1 via xxx.xxx.xxx.xxx dev tunXX
- # 128.0.0.0/1 via xxx.xxx.xxx.xxx dev tunXX
- MULTI_DEFAULT=$(ip route show table $VPN_TAB | grep -E -m 1 "^0\.|^128.")
- if [ ! -z "$MULTI_DEFAULT" ];then
- MULTI_FOUND=$MULTI_FOUND" "${VPN_TAB:2:1}
- if [ $(ip route show table 254 | grep -oE "tun1[1|2|3|4|5]" | wc -w) -gt 1 ];then
- echo -e $cBRED"\a"
- Say "**Warning '"$MULTI_DEFAULT"' found in VPN Client" ${VPN_TAB:2:1}
- echo -en $cRESET
- fi
- fi
- # Can 'prohibit default' exist if VPN is UP..?? - YES if 'Redirect Internet traffic=ALL' ???
- if [ ! -z "$(ip route show table $VPN_TAB | grep "prohibit default")" ];then
- echo -e $cRED"\a"
- Say "**Warning RPDB routing traffic is BLOCKED - ('prohibit default') for VPN Client" ${VPN_TAB:2:1}
- echo -en $cRESET
- fi
- else
- WAN_IP=$AROUTE
- # Check if pushed VPN override routes are still present in table main
- MULTI_DEFAULT=$(ip route show table $VPN_TAB | grep -E -m 1 "^0\.|^128.")
- if [ ! -z "$MULTI_DEFAULT" ];then
- echo -e $cBRED"\a"
- Say "***ERROR***Selective Routing NOT enabled! - table 'main' is FORCE routing ALL traffic via VPN Client" $(echo $MULTI_DEFAULT | awk '{print $5}' | sed 's/tun1//')
- echo -en $cRESET
- fi
- fi
- done
- echo -e $cBWHT
- Say "RPDB rules:"
- echo -en $cBCYA
- ip rule;ip rule >>/tmp/syslog.log
- echo -e $cBWHT
- Say "Count of active RPDB rules:"
- echo -en $cBGRE
- # How many entities Selectively routed
- ip rule | grep -v "fwmark" | grep -v "all lookup main" | grep -oE "lookup.*main|lookup.*ovpnc[1-5]+" | sort -k 2 | uniq -c
- ip rule | grep -v "fwmark" | grep -v "all lookup main" | grep -oE "lookup.*main|lookup.*ovpnc[1-5]+" | sort -k 2 | uniq -c >>/tmp/syslog.log
- SayT "Summary:$(ip rule | grep -v "fwmark" | grep -v "all lookup main" | grep -oE "lookup.*|lookup.*ovpnc[1-5]+" | sort -k 2 | uniq -c)"
- SayT "VPNRoutes:"$VPN_ROUTES
- PORTS="$(Check_DuplicateVPNPorts "2")" # Only interested in ACTIVE VPN Clients (state="2") rather than any configured
- if [ ! -z $PORTS ];then
- echo -e "\n"$cYEL
- Say "**Warning for multiple ACTIVE concurrent VPN Clients UNIQUE ports are advised - Port" $PORTS "is configured for use by several VPN Clients"
- fi
- echo -e $cRESET
- exit 0ADMIN@RT-AC68U-85F8:/jffs/scripts#
- ADMIN@RT-AC68U-85F8:/jffs/scripts#
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
