From 3f7755069e1238ee414590e5785caa443b0d065a Mon Sep 17 00:00:00 2001
From: Nebula
Date: Thu, 1 Dec 2022 23:52:38 -0400
Subject: [PATCH] Update openvpn-install.sh

Removed iptables script & added normal iptable setup
---
 openvpn-install.sh | 35 +++++++----------------------------
 1 file changed, 7 insertions(+), 28 deletions(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 4235723d..ef955634 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -205,7 +205,7 @@ if [[ ! -e /etc/openvpn/server/server.conf ]]; then
 # Install a firewall if firewalld or iptables are not already available
 if ! systemctl is-active --quiet firewalld.service && ! hash iptables 2>/dev/null; then
 if [[ "$os" == "centos" || "$os" == "fedora" ]]; then
- firewall="firewalld"
+ firewall="iptables"
 # We don't want to silently enable firewalld, so we give a subtle warning
 # If the user continues, firewalld will be installed and enabled during setup
 echo "firewalld, which is required to manage routing tables, will also be installed."
@@ -223,10 +223,10 @@ LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disab
 fi
 if [[ "$os" = "debian" || "$os" = "ubuntu" ]]; then
 apt-get update
- apt-get install -y --no-install-recommends openvpn openssl ca-certificates $firewall
+ apt-get install -y --no-install-recommends openvpn openssl ca-certificates iptables netfilter-persistent iptables-persistent
 elif [[ "$os" = "centos" ]]; then
 yum install -y epel-release
- yum install -y openvpn openssl ca-certificates tar $firewall
+ yum install -y openvpn openssl ca-certificates tar iptables netfilter-persistent iptables-persistent
 else
 # Else, OS must be Fedora
 dnf install -y openvpn openssl ca-certificates tar $firewall
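Review bot: Setting `firewall="iptables"` for CentOS/Fedora leaves the two comments and the `echo` immediately below it stale — they still tell the user that firewalld will be installed and enabled, which this branch no longer arranges; at minimum change the message to `echo "iptables, which is required to manage routing tables, will also be installed."` and reword the two comments to say iptables. After this commit the variable is only consumed by the Fedora `dnf install ... $firewall` line in the following hunk (the Debian and CentOS package lists are hard-coded), so `firewall` is nearly dead — either remove it or use it consistently across the three distro branches. The enclosing `if` block continues past the end of this hunk.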
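Review bot: The CentOS line `yum install -y openvpn openssl ca-certificates tar iptables netfilter-persistent iptables-persistent` asks for `netfilter-persistent` and `iptables-persistent`, which are Debian/Ubuntu package names; I am not aware of them in the CentOS base or EPEL repositories. On dnf-based CentOS (8+) an unresolvable package name aborts the whole transaction, so `openvpn` itself would not be installed and, with no `set -e` visible here, the script would carry on and fail later; on yum-based CentOS 7 I believe the unknown names are skipped, but the later `netfilter-persistent save` then has nothing to call. The usual RPM-side equivalent is the `iptables-services` package (`service iptables save`, `/etc/sysconfig/iptables`) — confirm for the targeted releases — or keep a per-distro `$firewall`-driven package list as the old lines did. The Fedora `dnf` line still installs `$firewall` (now `iptables`) with no persistence package at all, so the three branches are inconsistent with each other.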
@@ -362,7 +362,7 @@ crl-verify crl.pem" >> /etc/openvpn/server/server.conf
 firewall-cmd --permanent --direct --add-rule ipv6 nat POSTROUTING 0 -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to "$ip6"
 fi
 else
- # Create a service to set up persistent iptables rules
+ # Create IPtables rules & save them
 iptables_path=$(command -v iptables)
 ip6tables_path=$(command -v ip6tables)
 # nf_tables is not available as standard in OVZ kernels. So use iptables-legacy
@@ -371,30 +371,9 @@ crl-verify crl.pem" >> /etc/openvpn/server/server.conf
 iptables_path=$(command -v iptables-legacy)
 ip6tables_path=$(command -v ip6tables-legacy)
 fi
- echo "[Unit]
-Before=network.target
-[Service]
-Type=oneshot
-ExecStart=$iptables_path -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip
-ExecStart=$iptables_path -I INPUT -p $protocol --dport $port -j ACCEPT
-ExecStart=$iptables_path -I FORWARD -s 10.8.0.0/24 -j ACCEPT
-ExecStart=$iptables_path -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-ExecStop=$iptables_path -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip
-ExecStop=$iptables_path -D INPUT -p $protocol --dport $port -j ACCEPT
-ExecStop=$iptables_path -D FORWARD -s 10.8.0.0/24 -j ACCEPT
-ExecStop=$iptables_path -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" > /etc/systemd/system/openvpn-iptables.service
- if [[ -n "$ip6" ]]; then
- echo "ExecStart=$ip6tables_path -t nat -A POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to $ip6
-ExecStart=$ip6tables_path -I FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
-ExecStart=$ip6tables_path -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-ExecStop=$ip6tables_path -t nat -D POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to $ip6
-ExecStop=$ip6tables_path -D FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
-ExecStop=$ip6tables_path -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" >> /etc/systemd/system/openvpn-iptables.service
- fi
- echo "RemainAfterExit=yes
-[Install]
-WantedBy=multi-user.target" >> /etc/systemd/system/openvpn-iptables.service
- systemctl enable --now openvpn-iptables.service
+ $iptables_path -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip
+ ip6tables_path -t nat -D POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to $ip6
+ netfilter-persistent save
 fi
 # If SELinux is enabled and a custom port was selected, we need this
 if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$port" != 1194 ]]; then
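Review bot: The replacement keeps only the IPv4 SNAT rule and drops the `INPUT` accept for `$port`/`$protocol` and both `FORWARD` accepts that the removed unit file installed, so on any host whose INPUT or FORWARD policy is DROP (hardened baselines, Docker hosts) clients can no longer reach the VPN port or route through the tunnel. The IPv6 line is broken three ways: `ip6tables_path` lacks its `$` and is executed as a nonexistent command, `-D` deletes a rule instead of appending one (`-A`), and it runs even when `$ip6` is empty, whereas the old block was wrapped in `if [[ -n "$ip6" ]]`. `netfilter-persistent save` is a Debian/Ubuntu tool and, as far as I can tell, nothing installed on the CentOS/Fedora paths in this commit provides it, so on those distros the save fails and the rules are lost at reboot; the rewrite below restores the dropped rules, fixes the IPv6 branch and guards the save, but an RPM-side persistence mechanism (e.g. `iptables-services`) still has to be added — confirm against the target distros. The enclosing `if`/`else` on firewalld opens before this hunk, so the outer `fi` shown in context is not repeated here.

```shell
	# … unchanged: iptables-legacy fallback for OVZ kernels …
	"$iptables_path" -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
	"$iptables_path" -I INPUT -p "$protocol" --dport "$port" -j ACCEPT
	"$iptables_path" -I FORWARD -s 10.8.0.0/24 -j ACCEPT
	"$iptables_path" -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
	# Only touch ip6tables when the server actually has an IPv6 address
	if [[ -n "$ip6" ]]; then
		"$ip6tables_path" -t nat -A POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to "$ip6"
		"$ip6tables_path" -I FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
		"$ip6tables_path" -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
	fi
	# netfilter-persistent only exists on Debian/Ubuntu; do not fail silently elsewhere
	if command -v netfilter-persistent >/dev/null 2>&1; then
		netfilter-persistent save
	else
		echo "Warning: netfilter-persistent not found; iptables rules will not survive a reboot." >&2
	fi
```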