change: add openvpn ip pool list for iptable rules

Aetherinox · Aug 6, 2024 · 27ab5c4 · 27ab5c4
1 parent e7d06c3
commit 27ab5c4
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -895,6 +895,9 @@ ETH_ADAPTER=$(ip route | grep default | sed -e "s/^.*dev.//" -e "s/.proto.*//")
 TUN_ADAPTER=$(ip -br l | awk '$1 ~ "^tun[0-9]" { print $1}')
 IP_PUBLIC=$(curl ipinfo.io/ip)
 DEBUG_ENABLED="false"
+IP_POOL=(
+    '10.8.0.0/24'
+)
 ```
 
 <br />
@@ -907,6 +910,7 @@ Each setting is defined below:
 | `TUN_ADAPTER` | <br>openvpn tunnel adapter <br><br> |
 | `IP_PUBLIC` | <br>server's public ip address <br><br> |
 | `DEBUG_ENABLED` | <br>debugging / better logs <br><br> |
+| `IP_POOL` | <br>openvpn ip pool <br><br> |
 
 <br />
 
@@ -1029,6 +1033,8 @@ All steps performed by the script will be displayed in terminal:
                   + RULE                   -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
                   + RULE                   -A FORWARD -i tun+ -o enp0s3 -m state --state RELATED,ESTABLISHED -j ACCEPT
                   + RULE                   -A FORWARD -i enp0s3 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
+                  + RULE                   -t nat -A POSTROUTING -j SNAT --to-source XX.XXX.XXX.XXX
+                  + RULE                   -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp0s3 -j MASQUERADE
 ```
 
 <br />

diff --git a/patch/openvpn.sh b/patch/openvpn.sh
@@ -39,6 +39,16 @@ TUN_ADAPTER=$(ip -br l | awk '$1 ~ "^tun[0-9]" { print $1}')
 IP_PUBLIC=$(curl ipinfo.io/ip)
 DEBUG_ENABLED="false"
 
+# #
+#   list > vpn ips
+#
+#   this is the IP pool assigned to a user who connects to your vpn server
+# #
+
+IP_POOL=(
+    '10.8.0.0/24'
+)
+
 # #
 #   vars > colors
 #
@@ -337,10 +347,28 @@ fi
 
 if [ ! -z "${ETH_ADAPTER}" ]; then
     ${PATH_IPTABLES} -t nat -A POSTROUTING -o ${ETH_ADAPTER} -j MASQUERADE
+    printf '\n%-17s %-35s %-55s' " " "${DEVGREY}+ RULE" "${FUCHSIA}-t nat -A POSTROUTING -o ${ETH_ADAPTER} -j MASQUERADE${NORMAL}"
+
+    # #
+    #   get vpn ip pool and add firewall rule for each ip in the pool
+    # #
+
+    for j in "${!IP_POOL[@]}"; do
+
+        # #
+        #   get vpn pool
+        # #
+
+        vpn_ip_pool=${IP_POOL[$j]}
+
+        ${PATH_IPTABLES} -t nat -A POSTROUTING -s ${vpn_ip_pool} -o ${ETH_ADAPTER} -j MASQUERADE
+        printf '\n%-17s %-35s %-55s' " " "${DEVGREY}+ RULE" "${FUCHSIA}-t nat -A POSTROUTING -s ${vpn_ip_pool} -o ${ETH_ADAPTER} -j MASQUERADE${NORMAL}"
+
+    done
+
     ${PATH_IPTABLES} -A FORWARD -i tun+ -o ${ETH_ADAPTER} -m state --state RELATED,ESTABLISHED -j ACCEPT
     ${PATH_IPTABLES} -A FORWARD -i ${ETH_ADAPTER} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
 
-    printf '\n%-17s %-35s %-55s' " " "${DEVGREY}+ RULE" "${FUCHSIA}-t nat -A POSTROUTING -o ${ETH_ADAPTER} -j MASQUERADE${NORMAL}"
     printf '\n%-17s %-35s %-55s' " " "${DEVGREY}+ RULE" "${FUCHSIA}-A FORWARD -i tun+ -o ${ETH_ADAPTER} -m state --state RELATED,ESTABLISHED -j ACCEPT${NORMAL}"
     printf '\n%-17s %-35s %-55s' " " "${DEVGREY}+ RULE" "${FUCHSIA}-A FORWARD -i ${ETH_ADAPTER} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT${NORMAL}"
 else