#!/bin/bash
## This "up" script only serves as an example and
# will need to be customized to one's needs.
## Sets up an internet capable OpenVPN tunnel
# from within a debian chroot running under
# android.
## For more info on APP UIDs for
# manipulation of tables See:
# https://developer.android.com/reference/android/os/Process#FIRST_APPLICATION_UID
## Designed by:
# Geofferey for OmniHax0r ROM
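## IFS swap for iterating a newline-delimited list (e.g. lines pulled out of
## the config); restore OG_IFS after such a loop ##
OG_IFS=${IFS}
NEW_IFS='
'
## OpenVPN client config this up script parses for its dev/proto/remote lines ##
OVPN_CONF=/reserve/.conf/openvpn/client.ovpn
# NOTE(review): the original `SILENT=>> /dev/null 2>&1` was a parse accident:
# it assigned an *empty* SILENT and applied the two redirections to nothing.
# The variable was never referenced, so it has been dropped rather than "fixed".
## Tunnel device from the config's "dev" line. The match is anchored and stops
## at the first hit, so comments or other options merely containing "dev " are
## not picked up (the original `grep "dev "` was not anchored). When the config
## has no dev line, fall back to $dev, which OpenVPN exports to up scripts.
DEV=""
if [ -r "${OVPN_CONF}" ]; then
  DEV=$(awk '/^dev[[:space:]]/ { print $2; exit }' "${OVPN_CONF}")
fi
[ -n "${DEV}" ] || DEV="${dev:-}"
## Space delimited list(s) of routing table ids ##
RMNET_TABS="1013 1014"
WLAN_TAB="1021"
TUN_TAB="8860"
TUN_IN_TAB="8861"
## Rule preference that "goto" jumps to for traffic that must bypass the VPN ##
# NOTE(review): a goto whose target pref does not exist is left unresolved and,
# as far as I recall, the kernel then just continues with the next rule -- i.e.
# the "bypass" silently does not happen. Confirm a rule at pref 19000 exists on
# the target device.
SKIP_VPN="19000"
## Space delimited list of v4/v6 nets/ips to always route over VPN ##
V4_NETWORKS="10.0.0.0/24 10.1.2.0/24 10.8.4.0/24 10.168.0.2/32 172.16.20.0/30"
V6_NETWORKS="2001:470:f023::/48 2001:470:f0e8::/48"
# Not used by anything visible in this script; kept for customisation.
V6_GATEWAY="2001:470:c:20c::2"
## Space delimited list of nets/ips to not route over VPN ##
V4_EXCLUDED="208.54.0.0/16 66.94.0.0/19"
V6_EXCLUDED=""
##^ v4 default example excludes T-Mobile WiFi Calling ^##
## Android APPs (package names) whose UIDs must not be routed over the VPN ##
EXCLUDE_PKGS="com.nuance.nmc.sihome.metropcs com.tmobile.pr.mytmobile"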
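#######################################
# Look up the Linux UID Android assigned to a package, for `ip rule uidrange`.
# Globals:   PKG (read when no argument is given), APP_UID (written)
# Arguments: $1 - package name (optional; defaults to ${PKG} as before)
# Outputs:   nothing
# Returns:   0 with APP_UID set to a decimal UID; 1 with APP_UID empty when the
#            package name is empty or dumpsys printed no userId= for it
#######################################
get_app_uid() {
  local pkg="${1:-${PKG:-}}"
  APP_UID=""
  # An empty name would make dumpsys dump *every* package and the first
  # userId= of the whole listing would be taken for this "package".
  [ -n "${pkg}" ] || return 1
  # Match the value itself instead of counting space-separated fields: the
  # original `cut -d ' ' -f 5` depended on dumpsys's exact leading indentation.
  APP_UID=$(unchroot dumpsys package "${pkg}" 2>/dev/null \
    | grep -o 'userId=[0-9]*' | head -n 1 | cut -d '=' -f 2)
  [ -n "${APP_UID}" ] || return 1
}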
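# Resolve the chroot's regular user to a UID so its traffic can be pointed at
# the VPN table. `id -u` prints just the number (the original piped the full
# `id` line through two cuts).
DEFAULT_USER="d3b14n"
DEFAULT_UID=$(id -u "${DEFAULT_USER}" 2>/dev/null)
if [ -z "${DEFAULT_UID}" ]; then
  # With an empty UID the later `ip rule add uidrange -` is malformed and the
  # user most likely falls through to the main table, i.e. is not tunnelled.
  printf 'warning: user %s not found; its traffic will not get a VPN rule\n' "${DEFAULT_USER}" >&2
fi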
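#######################################
# Find the first of rmnet_data0..3 that currently has an IPv4 address.
# Arguments: none
# Outputs:   the interface name on stdout (nothing if none qualifies)
# Returns:   0 when one was found, 1 otherwise
#######################################
find_rmnet_iface() {
  local cand
  for cand in rmnet_data0 rmnet_data1 rmnet_data2 rmnet_data3; do
    # ifconfig complains about interfaces that do not exist, which is the
    # expected case for most of these probes, so its stderr is dropped.
    # `-w inet` does not match "inet6", so an IPv6-only interface is skipped.
    if ifconfig "${cand}" 2>/dev/null | grep -q -w "inet"; then
      printf '%s\n' "${cand}"
      return 0
    fi
  done
  return 1
}
# Mobile-data interface; empty when no rmnet_data* interface is up. Not used
# further down in this example, kept for customisation (as in the original).
interface=$(find_rmnet_iface)
RMNET_INT=${interface}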
#######################################################
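## Add IPv4 routes: nets that must always go through the tunnel are placed in
## TUN_TAB, which the uidrange rules further down consult first.
if [ -z "${DEV}" ]; then
  # `ip route add ... dev  table ...` with an empty device is a malformed
  # command; say so once instead of failing once per network.
  printf 'warning: tunnel device unknown, skipping IPv4 routes\n' >&2
else
  # word-splitting of V4_NETWORKS is intended (space-delimited list)
  for NETWORK in ${V4_NETWORKS}; do
    ip route add "${NETWORK}" dev "${DEV}" table "${TUN_TAB}" metric 1000
  done
fi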
#######################################################
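## Add IPv6 routes: the same always-via-tunnel nets go into TUN_TAB, and a pair
## of rules at pref 18010 sends traffic to/from those nets through TUN_IN_TAB
## regardless of UID.
if [ -z "${DEV}" ]; then
  printf 'warning: tunnel device unknown, skipping IPv6 routes\n' >&2
else
  # word-splitting of V6_NETWORKS is intended (space-delimited list)
  for NETWORK in ${V6_NETWORKS}; do
    ip -6 route add "${NETWORK}" dev "${DEV}" table "${TUN_TAB}"
    ip -6 rule add to "${NETWORK}" table "${TUN_IN_TAB}" pref 18010
    ip -6 rule add from "${NETWORK}" table "${TUN_IN_TAB}" pref 18010
  done
  # Default route for TUN_IN_TAB. The original carried the note "Unset MTU on
  # command below" -- presumably meaning no mtu option is to be set here.
  ip -6 route add default dev "${DEV}" table "${TUN_IN_TAB}"
fi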
#######################################################
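## Establish v4 routing tables
# First exempt the VPN server endpoint(s) themselves: the encrypted traffic to
# each "remote" must leave via the real uplink, so a rule at pref 1000 jumps
# straight to the SKIP_VPN rules. If this rule is missing the tunnel tries to
# reach its own server through itself.
#######################################
# Map an OpenVPN "proto" value onto the name `ip rule ... ipproto` accepts.
# The original stripped digits only, so "tcp-client" slipped through unchanged.
# Arguments: $1 - proto as written in the config (udp, udp4, tcp-client, ...)
# Outputs:   udp | tcp | the input unchanged
#######################################
ovpn_ipproto() {
  case "$1" in
    udp*) printf 'udp\n' ;;
    tcp*) printf 'tcp\n' ;;
    *) printf '%s\n' "$1" ;;
  esac
}
#######################################
# Print the IPv4 address(es) a remote refers to, one per line.
# `dig +short` on a dotted-quad literal answers nothing, so a literal is
# returned as is; for a hostname every A record is kept and CNAME targets or
# anything else that is not an IPv4 address is dropped.
# Arguments: $1 - hostname or IPv4 literal
#######################################
resolve_v4() {
  case "$1" in
    '') ;;
    *[!0-9.]*) dig "$1" +short 2>/dev/null | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ;;
    *) printf '%s\n' "$1" ;;
  esac
}
if [ ! -r "${OVPN_CONF}" ]; then
  printf 'warning: %s unreadable; VPN server bypass rules not added\n' "${OVPN_CONF}" >&2
else
  # Config-wide defaults (OpenVPN's own default proto is udp); a "remote" line
  # may override the proto in its 4th field and the port in its 3rd.
  CONF_PROTO=$(ovpn_ipproto "$(awk '/^proto[[:space:]]/ { print $2; exit }' "${OVPN_CONF}")")
  DEV=$(awk '/^dev[[:space:]]/ { print $2; exit }' "${OVPN_CONF}")
  # Addresses already given a bypass rule, space-padded for the case match.
  BYPASSED=" "
  # Anchored match on "remote": the original `grep "[r]emote[ ]"` also caught
  # commented-out remotes and any other line containing "remote ". CRs are
  # stripped so a config saved with Windows line endings still parses.
  while read -r _kw SERVER PORT LINE_PROTO _rest; do
    [ -n "${SERVER}" ] || continue
    PORT=${PORT:-1194}
    PROTO=$(ovpn_ipproto "${LINE_PROTO:-${CONF_PROTO:-udp}}")
    for SERVER_IP in $(resolve_v4 "${SERVER}"); do
      case "${BYPASSED}" in *" ${SERVER_IP} "*) continue ;; esac
      BYPASSED="${BYPASSED}${SERVER_IP} "
      ip rule add to "${SERVER_IP}" ipproto "${PROTO}" dport "${PORT}" goto "${SKIP_VPN}" pref 1000
      printf '%s %s %s %s\n' "${SERVER}" "${SERVER_IP}" "${PROTO}" "${PORT}"
    done
  done < <(grep -E '^remote[[:space:]]' "${OVPN_CONF}" | tr -d '\r')
fi
# NOTE(review): the address resolved here can differ from the one OpenVPN
# actually connected to (round-robin DNS, or a resolver that answers
# differently once the tunnel is up). OpenVPN exports the connected peer to
# up scripts as $trusted_ip/$trusted_port (openvpn(8), "Environmental
# Variables"); cover it as well when it is an IPv4 literal not handled above.
case "${trusted_ip:-}" in
  '' | *[!0-9.]*) ;;
  *)
    case "${BYPASSED:- }" in
      *" ${trusted_ip} "*) ;;
      *) ip rule add to "${trusted_ip}" \
           ipproto "$(ovpn_ipproto "${proto_1:-${CONF_PROTO:-udp}}")" \
           dport "${trusted_port:-1194}" goto "${SKIP_VPN}" pref 1000 ;;
    esac ;;
esac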
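# Skip VPN on v4 for marked packages #
for PKG in ${EXCLUDE_PKGS}; do
  get_app_uid
  # Only a plain decimal UID may reach `uidrange`. The original unquoted
  # `[ ! -z ${APP_UID} ]` raised a test error -- and so skipped the package --
  # whenever dumpsys produced more than one token.
  case "${APP_UID:-}" in
    '' | *[!0-9]*)
      printf 'warning: no UID for %s; it is not exempted from the v4 VPN rules\n' "${PKG}" >&2 ;;
    *)
      ip rule add uidrange "${APP_UID}-${APP_UID}" goto "${SKIP_VPN}" pref 18025 ;;
  esac
  unset APP_UID
done
# Skip v4 Networks #
for NETWORK in ${V4_EXCLUDED}; do
  ip rule add to "${NETWORK}" goto "${SKIP_VPN}" pref 18100
done
# Everything else: root, the chroot user and Android app UIDs are looked up in
# TUN_TAB first (the always-via-VPN nets), then fall through to main.
ip rule add uidrange 0-0 table "${TUN_TAB}" pref 18125
if [ -n "${DEFAULT_UID}" ]; then
  # An empty DEFAULT_UID would make this `uidrange -`, which ip rejects.
  ip rule add uidrange "${DEFAULT_UID}-${DEFAULT_UID}" table "${TUN_TAB}" pref 18150
fi
# NOTE(review): 10000-100000 covers the app UIDs of the primary user only; on
# Android a secondary user or work profile gets appId + 100000*userId, so its
# apps skip TUN_TAB here and go straight to main -- widen the range if that
# matters on the target device.
ip rule add uidrange 10000-100000 table "${TUN_TAB}" pref 18175
ip rule add table main pref 18200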
#######################################################
## Establish v6 routing tables
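# Skip VPN on v6 for marked packages #
for PKG in ${EXCLUDE_PKGS}; do
  get_app_uid
  # Same guard as the v4 side: only a plain decimal UID may reach `uidrange`
  # (the original unquoted `[ ! -z ${APP_UID} ]` broke on multi-token output).
  case "${APP_UID:-}" in
    '' | *[!0-9]*)
      printf 'warning: no UID for %s; it is not exempted from the v6 VPN rules\n' "${PKG}" >&2 ;;
    *)
      ip -6 rule add uidrange "${APP_UID}-${APP_UID}" goto "${SKIP_VPN}" pref 18025 ;;
  esac
  unset APP_UID
done
# Skip v6 Networks #
for NETWORK in ${V6_EXCLUDED}; do
  ip -6 rule add to "${NETWORK}" goto "${SKIP_VPN}" pref 18100
done
ip -6 rule add uidrange 0-0 table "${TUN_TAB}" pref 18125
if [ -n "${DEFAULT_UID}" ]; then
  # An empty DEFAULT_UID would make this `uidrange -`, which ip rejects.
  ip -6 rule add uidrange "${DEFAULT_UID}-${DEFAULT_UID}" table "${TUN_TAB}" pref 18150
fi
# See the v4 note: primary-user app UIDs only.
ip -6 rule add uidrange 10000-100000 table "${TUN_TAB}" pref 18175
# NOTE(review): main sits at pref 31000 here but at 18200 on the v4 side. Kept
# as found -- confirm the asymmetry is intentional for this ROM's rule layout.
ip -6 rule add table main pref 31000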
####################################################
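## MLDB "evil GW" TTL hack: rewrite the TTL of traffic forwarded between the
## tunnel and the LAN interfaces so TTL-based filtering on private nets reached
## via the VPN client does not drop it. Only matters when this device forwards
## for other hosts (FORWARD chain).
TTL_VPN_IF="tun_vpn0"
TTL_LAN_IFS="eth0 wlan0"
echo "Re-applying the evil GW TTL hack..."
for LAN_IF in ${TTL_LAN_IFS}; do
  for DIR in "-i ${TTL_VPN_IF} -o ${LAN_IF}" "-o ${TTL_VPN_IF} -i ${LAN_IF}"; do
    # Remove every copy left behind by earlier runs, then insert exactly one.
    # `-D` failing means "no such rule", the expected case on a fresh boot, so
    # its complaint is dropped (the original printed "you may safely ignore
    # these iptables errors" around it instead).
    # shellcheck disable=SC2086 -- DIR is a deliberately space-split arg list
    while unchroot iptables -t mangle -D FORWARD ${DIR} -j TTL --ttl-set 64 2>/dev/null; do :; done
    # shellcheck disable=SC2086
    unchroot iptables -t mangle -I FORWARD ${DIR} -j TTL --ttl-set 64
  done
done
####################################################
# NOTE(review): exiting 0 unconditionally means OpenVPN never learns that a
# route or rule above failed; a missing pref-1000 server bypass rule in
# particular can leave the tunnel "up" but unusable. Consider recording
# failures and exiting non-zero if that is the preferred behaviour here.
exit 0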