From 1e9cfc0fbbf2c64d1c867c78c0e6d0758cdb47aa Mon Sep 17 00:00:00 2001
From: brnl <3243133+brnl@users.noreply.github.com>
Date: Fri, 28 Feb 2020 00:21:13 +0100
Subject: [PATCH 1/3] Allow split-tunnel via custom CIDR blocks

This change allows the tunnel to be split-tunnel, routing only the selected subnets through the tunnel. The notation is in CIDR-format.

Example usage:
`sudo PUSH_CIDR_BLOCKS=(192.168.1.0/24 172.16.0.0/16) ./openvpn-install.sh`
---
 openvpn-install.sh | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 90ea433..2d86ff0 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -787,7 +787,26 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
 fi
 ;;
 esac
- echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
+
+ # Allow split-tunnel via custom CIDR blocks (ie. 192.168.0.0/24)
+ if [ ${#PUSH_CIDR_BLOCKS[@]} -gt 0 ]; then
+ for cidr in ${PUSH_CIDR_BLOCKS[@]}; do
+ echo "Adding $cidr to routed subnets...";
+ ROUTE_IP=$(echo $cidr | cut -d"/" -f1)
+ ROUTE_BITS=$(echo $cidr | cut -d"/" -f2)
+
+ case $ROUTE_BITS in
+ 8) ROUTE_MASK="255.0.0.0" ;;
+ 16) ROUTE_MASK="255.255.0.0" ;;
+ 24) ROUTE_MASK="255.255.255.0" ;;
+ 32) ROUTE_MASK="255.255.255.255" ;;
+ esac
+
+ echo "push \"route ${ROUTE_IP} ${ROUTE_MASK}\"" >> /etc/openvpn/server.conf
+ done
+ else
+ echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
+ fi
 
 # IPv6 network settings if needed
 if [[ "$IPV6_SUPPORT" = 'y' ]]; then

From 64e7dd4dd0789cfb0d7c44090b13fd7f6a1af938 Mon Sep 17 00:00:00 2001
From: brnl <3243133+brnl@users.noreply.github.com>
Date: Fri, 28 Feb 2020 00:37:38 +0100
Subject: [PATCH 2/3] Update README.md

---
 README.md | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/README.md b/README.md
index ca3cdf7..6c23613 100644
--- a/README.md
+++ b/README.md
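Review bot: The `case $ROUTE_BITS` block has no default arm, so any prefix length other than 8/16/24/32 (a `/20`, say) leaves ROUTE_MASK empty on the first pass or silently reuses the previous entry's mask on later passes, and the loop then appends a truncated or wrong `push "route …"` directive to server.conf with no error; ROUTE_IP is likewise whatever precedes the slash, written into the config unchecked. I'd validate each entry against an address/prefix pattern, derive the mask arithmetically so every prefix length works, and exit non-zero on bad input, as sketched below — which also removes the "only 8/16/24/32 supported" caveat the README commit adds. Two smaller points on the `if`/`for` lines: `${PUSH_CIDR_BLOCKS[@]}` is unquoted and therefore also glob-expanded, and since bash does not export arrays, the commit-message form `PUSH_CIDR_BLOCKS=(…) ./openvpn-install.sh` (and anything passed through `sudo`) most likely reaches the script as a plain string rather than an array — worth confirming, and if the string form is what is intended, split it explicitly with `read -ra` instead of relying on word-splitting. The enclosing function starts and ends outside the hunk.
```shell
	# … unchanged: if/for header …
		echo "Adding $cidr to routed subnets..."
		# Accept only dotted-quad/prefix; anything else aborts instead of landing in server.conf
		if [[ ! "$cidr" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$ ]]; then
			echo "Invalid CIDR block: $cidr" >&2
			exit 1
		fi
		ROUTE_IP=${cidr%/*}
		ROUTE_BITS=${cidr#*/}
		# Build the dotted mask from the prefix length so /0 through /32 all work
		mask=$(( ROUTE_BITS == 0 ? 0 : (0xFFFFFFFF << (32 - ROUTE_BITS)) & 0xFFFFFFFF ))
		ROUTE_MASK="$(( mask >> 24 )).$(( (mask >> 16) & 255 )).$(( (mask >> 8) & 255 )).$(( mask & 255 ))"
		echo "push \"route ${ROUTE_IP} ${ROUTE_MASK}\"" >> /etc/openvpn/server.conf
	done
	# … unchanged: else branch pushing redirect-gateway …
```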
@@ -63,6 +63,7 @@ If you want to customise your installation, you can export them or specify them
 - `CUSTOMIZE_ENC=n`
 - `CLIENT=clientname`
 - `PASS=1`
+- `TUNNEL_CIDR_BLOCKS="10.0.1.0/24 10.0.2.0/16"`
 
 If the server is behind NAT, you can specify its endpoint with the `ENDPOINT` variable. If the endpoint is the public IP address which it is behind, you can use `ENDPOINT=$(curl -4 ifconfig.co)` (the script will default to this). The endpoint can be an IPv4 or a domain.
 
@@ -83,6 +84,23 @@ export PASS="1"
 ./openvpn-install.sh
 ```
 
+### Split-tunnel usage
+If you only want to tunnel specific subnets through the VPN-tunnel, you can enable Split-tunnel configuration by passing the TUNNEL_CIDR_BLOCKS environment variable. For example, if you want to tunnel just the subnets 10.0.1.0 with netmask 255.255.255.0 and 10.0.2.0 with netmask 255.255.255.0, you specify 10.0.1.0/24 and 10.0.2.0/24:
+
+On the command line:
+```bash
+TUNNEL_CIDR_BLOCKS=(10.0.1.0/24 10.0.2.0/24) ./openvpn-install.sh
+```
+On in a script:
+```bash
+#!/bin/bash
+export TUNNEL_CIDR_BLOCKS="10.0.1.0/24 10.0.2.0/24"
+./openvpn-install.sh
+```
+_Notes:_
+- _Currently only 8-, 16-, 24- and 32-bits subnets are supported!_
+- _/bin/sh doesn't support array's, so bash is required._
+
 ## Features
 
 - Installs and configures a ready-to-use OpenVPN server
@@ -99,6 +117,7 @@ export PASS="1"
 - Block DNS leaks on Windows 10
 - Randomised server certificate name
 - Choice to protect clients with a password (private key encryption)
+- Split-tunnel configuration (experimental)
 - Many other little things!
 
 ## Compatibility

From a3153868aa0f2bd96ababb6ee5f1428788afeac8 Mon Sep 17 00:00:00 2001
From: brnl <3243133+brnl@users.noreply.github.com>
Date: Fri, 28 Feb 2020 00:40:01 +0100
Subject: [PATCH 3/3] Made Split-Tunnel variable name more descriptive

Renamed to PUSH_CIDR_BLOCKS to TUNNEL_CIDR_BLOCKS so it is more descriptive of what it does.

---
 openvpn-install.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 2d86ff0..03491bb 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -789,8 +789,8 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
 esac
 
 # Allow split-tunnel via custom CIDR blocks (ie. 192.168.0.0/24)
- if [ ${#PUSH_CIDR_BLOCKS[@]} -gt 0 ]; then
- for cidr in ${PUSH_CIDR_BLOCKS[@]}; do
+ if [ ${#TUNNEL_CIDR_BLOCKS[@]} -gt 0 ]; then
+ for cidr in ${TUNNEL_CIDR_BLOCKS[@]}; do
 echo "Adding $cidr to routed subnets...";
 ROUTE_IP=$(echo $cidr | cut -d"/" -f1)
 ROUTE_BITS=$(echo $cidr | cut -d"/" -f2)