Fabio/openvpn-install
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add IPv6 NAT support

Browse source
This commit is contained in:
Angristan 2018-06-06 22:15:57 +02:00
parent b8f0b44c55
commit 91a69b4779
1 changed files with 41 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

42
openvpn-install.sh
View file

@ -168,6 +168,9 @@ if [[ -e /etc/openvpn/server.conf ]]; then
iptables-save > $IPTABLES iptables-save > $IPTABLES
fi fi
iptables -t nat -D POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE iptables -t nat -D POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE
if [[ "$IPV6" = 'y' ]]; then
ip6tables -t nat -D POSTROUTING -o $NIC -s fd6c:62d9:eb8c::/112 -j MASQUERADE
fi
iptables-save > $IPTABLES iptables-save > $IPTABLES
if hash sestatus 2>/dev/null; then if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then if sestatus | grep "Current mode" | grep -qs "enforcing"; then
@ -232,6 +235,11 @@ else
read -p "Protocol [UDP/TCP]: " -e -i UDP PROTOCOL read -p "Protocol [UDP/TCP]: " -e -i UDP PROTOCOL
done done
echo "" echo ""
echo "Do you want to enable IPv6 support?"
while [[ $IPV6 != "y" && $IPV6 != "n" ]]; do
read -p "IPv6 support? [y/n]: " -e -i n IPV6
done
echo ""
echo "What DNS do you want to use with the VPN?" echo "What DNS do you want to use with the VPN?"
echo " 1) Current system resolvers (from /etc/resolv.conf)" echo " 1) Current system resolvers (from /etc/resolv.conf)"
echo " 2) Cloudflare (Anycast: worldwide)" echo " 2) Cloudflare (Anycast: worldwide)"
@ -556,6 +564,16 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
;; ;;
esac esac
echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf
if [[ "$IPV6" = 'y' ]]; then
echo 'server-ipv6 fd6c:62d9:eb8c::/112
proto udp6
tun-ipv6
push tun-ipv6
push "route-ipv6 2000::/3"
push "redirect-gateway ipv6"' >> /etc/openvpn/server.conf
fi
echo "crl-verify crl.pem echo "crl-verify crl.pem
ca ca.crt ca ca.crt
cert $SERVER_NAME.crt cert $SERVER_NAME.crt
@ -575,15 +593,18 @@ verb 3" >> /etc/openvpn/server.conf
touch $SYSCTL touch $SYSCTL
fi fi
# Enable net.ipv4.ip_forward for the system # Enable routing
sed -i '/\<net.ipv4.ip_forward\>/c\net.ipv4.ip_forward=1' $SYSCTL
if ! grep -q "\<net.ipv4.ip_forward\>" $SYSCTL; then
echo 'net.ipv4.ip_forward=1' >> $SYSCTL echo 'net.ipv4.ip_forward=1' >> $SYSCTL
if [[ "$IPV6" = 'y' ]]; then
echo 'net.ipv6.ip_forward=1' >> $SYSCTL
fi fi
# Avoid an unneeded reboot # Avoid an unneeded reboot
echo 1 > /proc/sys/net/ipv4/ip_forward sysctl -p
# Set NAT for the VPN subnet # Set NAT for the VPN subnet
iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE
if [[ "$IPV6" = 'y' ]]; then
ip6tables -t nat -A POSTROUTING -o $NIC -s fd6c:62d9:eb8c::/112 -j MASQUERADE
fi
# Save persitent iptables rules # Save persitent iptables rules
iptables-save > $IPTABLES iptables-save > $IPTABLES
if pgrep firewalld; then if pgrep firewalld; then
@ -614,6 +635,19 @@ verb 3" >> /etc/openvpn/server.conf
# Save persitent OpenVPN rules # Save persitent OpenVPN rules
iptables-save > $IPTABLES iptables-save > $IPTABLES
fi fi
if [[ "$IPV6" = 'y' ]]; then
if ip6tables -L -n | grep -qE 'REJECT|DROP'; then
if [[ "$PROTOCOL" = 'UDP' ]]; then
ip6tables -I INPUT -p udp --dport $PORT -j ACCEPT
elif [[ "$PROTOCOL" = 'TCP' ]]; then
ip6tables -I INPUT -p tcp --dport $PORT -j ACCEPT
fi
ip6tables -I FORWARD -s fd6c:62d9:eb8c::/112 -j ACCEPT
ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Save persitent OpenVPN rules
iptables-save > $IPTABLES
fi
fi
# If SELinux is enabled and a custom port was selected, we need this # If SELinux is enabled and a custom port was selected, we need this
if hash sestatus 2>/dev/null; then if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then if sestatus | grep "Current mode" | grep -qs "enforcing"; then