Fabio/openvpn-install
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge c9f0fba117 into 30735c91d8

Browse source
This commit is contained in:
BornToBeRoot 2019-08-19 21:43:56 +00:00 committed by GitHub
commit bfa9ad7601
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 71 additions and 28 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

43
openvpn-install.sh
View file

@ -870,6 +870,25 @@ verb 3" >> /etc/openvpn/server.conf
installUnbound installUnbound
fi fi
# Add firewall rules --> firewalld / iptable (systemd scripts)
if pgrep firewalld; then
# Allow incoming traffic
if [[ "$PORT" == '1194' ]] && [[ "$PROTOCOL" == "udp" ]]; then
firewall-cmd --zone=public --add-service=openvpn
firewall-cmd --permanent --zone=public --add-service=openvpn
else
firewall-cmd --zone=public --add-port="$PORT/$PROTOCOL"
firewall-cmd --permanent --zone=public --add-port="$PORT/$PROTOCOL"
fi
# Add trusted zone
firewall-cmd --zone=trusted --add-source=10.8.0.0/24
firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
# Set NAT for the VPN subnet
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$IP"
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$IP"
else
# Add iptables rules in two scripts # Add iptables rules in two scripts
mkdir /etc/iptables mkdir /etc/iptables
@ -925,6 +944,7 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables-openvpn.service
systemctl daemon-reload systemctl daemon-reload
systemctl enable iptables-openvpn systemctl enable iptables-openvpn
systemctl start iptables-openvpn systemctl start iptables-openvpn
fi
# If the server is behind a NAT, use the correct IP address for the clients to connect to # If the server is behind a NAT, use the correct IP address for the clients to connect to
if [[ "$ENDPOINT" != "" ]]; then if [[ "$ENDPOINT" != "" ]]; then
@ -1142,14 +1162,37 @@ function removeOpenVPN () {
rm /etc/systemd/system/openvpn\@.service rm /etc/systemd/system/openvpn\@.service
fi fi
# Remove firewall rules --> firewalld / iptable (systemd scripts)
if pgrep firewalld; then
# Get IP from firewall-cmd
IP=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24 -j SNAT --to ' | cut -d " " -f 10)
# Get OpenVPN protocol from the configuration
PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2)
if [[ "$PORT" == '1194' ]] && [[ "$PROTOCOL" == "udp" ]]; then
firewall-cmd --zone=public --remove-service=openvpn
firewall-cmd --permanent --zone=public --remove-service=openvpn
else
firewall-cmd --zone=public --remove-port="$PORT/$PROTOCOL"
firewall-cmd --permanent --zone=public --remove-port="$PORT/$PROTOCOL"
fi
firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$IP"
firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$IP"
else
# Remove the iptables rules related to the script # Remove the iptables rules related to the script
systemctl stop iptables-openvpn systemctl stop iptables-openvpn
# Cleanup # Cleanup
systemctl disable iptables-openvpn systemctl disable iptables-openvpn
rm /etc/systemd/system/iptables-openvpn.service rm /etc/systemd/system/iptables-openvpn.service
systemctl daemon-reload systemctl daemon-reload
rm /etc/iptables/add-openvpn-rules.sh rm /etc/iptables/add-openvpn-rules.sh
rm /etc/iptables/rm-openvpn-rules.sh rm /etc/iptables/rm-openvpn-rules.sh
fi
# SELinux # SELinux
if hash sestatus 2>/dev/null; then if hash sestatus 2>/dev/null; then