#!/bin/bash
## This up script only serves as an example and
# will need to be customized to one's needs.
## Sets up an internet-capable OpenVPN tunnel
# from within a Debian chroot running under
# Android.
## For more info on APP UIDs for
# manipulation of tables see:
# https://developer.android.com/reference/android/os/Process#FIRST_APPLICATION_UID
## Designed by:
# Geofferey for OmniHax0r ROM
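## IFS hack for carriage return delimited list ##
# OG_IFS keeps the shell default so it can be restored between loop
# iterations; NEW_IFS is a lone newline for iterating multi-line output.
OG_IFS=${IFS}
NEW_IFS=$'\n'
## OpenVPN client config. The "dev", "proto" and "remote" directives are
## parsed out of it and interpolated into ip(8) commands, so it must be a
## trusted, root-owned file and not something a user app can write to.
OVPN_CONF=/reserve/.conf/openvpn/client.ovpn
# NOTE: a redirection cannot be stored in a variable and applied later; the
# original "SILENT=>> /dev/null 2>&1" only ever assigned an empty string.
# Kept empty for compatibility; redirect explicitly where silence is wanted.
SILENT=""
# Tunnel device name from the "dev" directive (first match only, first field
# must be exactly "dev" so comments or "dev-type" lines are not picked up).
if [[ -r "${OVPN_CONF}" ]]; then
  DEV=$(awk '$1 == "dev" { print $2; exit }' "${OVPN_CONF}")
else
  printf 'warning: cannot read %s; DEV is empty\n' "${OVPN_CONF}" >&2
  DEV=""
fi
## Space delimited list(s) of table ids ##
RMNET_TABS="1013 1014"
WLAN_TAB="1021"
TUN_TAB="8860"
TUN_IN_TAB="8861"
## Goto pref for bypassing VPN ##
SKIP_VPN="19000"
## Space delimited list of v4/v6 nets/ips to always route over VPN ##
V4_NETWORKS="10.0.0.0/24 10.1.2.0/24 10.8.4.0/24 10.168.0.2/32 172.16.20.0/30"
V6_NETWORKS="2001:470:f023::/48 2001:470:f0e8::/48"
V6_GATEWAY="2001:470:c:20c::2"
## Space delimited list of nets/ips to not route over VPN ##
V4_EXCLUDED="208.54.0.0/16 66.94.0.0/19"
V6_EXCLUDED=""
##^ v4 default example excludes T-Mobile WiFi Calling ^##
## Android APPs to not route over VPN ##
# Traffic of these packages is sent around the tunnel in clear, so keep the
# list to apps that genuinely need the carrier path.
EXCLUDE_PKGS="com.nuance.nmc.sihome.metropcs com.tmobile.pr.mytmobile"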
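# Looks up the Android UID of a package via dumpsys run outside the chroot.
# Arguments: $1 - package name (optional; falls back to the global PKG so
#                 existing callers that set PKG before calling keep working)
# Globals:   PKG (read when $1 is absent), APP_UID (written; empty when no
#            package was given or dumpsys printed no userId line)
# Returns:   0 when a uid was found, 1 otherwise
get_app_uid() {
  local pkg=${1:-${PKG:-}}
  APP_UID=""
  if [[ -z "${pkg}" ]]; then
    printf 'get_app_uid: no package name given\n' >&2
    return 1
  fi
  # Match "userId=NNN" wherever it sits on the line instead of depending on
  # the exact indentation of dumpsys output; keep the first hit only so a
  # multi-line result never ends up inside an ip(8) uidrange argument.
  APP_UID=$(unchroot dumpsys package "${pkg}" \
    | sed -n 's/^[[:space:]]*userId=\([0-9]\{1,\}\).*/\1/p' \
    | head -n 1)
  [[ -n "${APP_UID}" ]]
}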
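# Get default chroot UID so they can use VPN #
DEFAULT_USER="d3b14n"
# id -u prints the bare numeric uid (replaces the cut/cut chain on "uid=N(name)").
# An empty DEFAULT_UID would later produce a broken "uidrange -" rule, so warn.
DEFAULT_UID=$(id -u "${DEFAULT_USER}") || {
  printf 'warning: unknown user %s; DEFAULT_UID is empty\n' "${DEFAULT_USER}" >&2
  DEFAULT_UID=""
}
# Pick the first mobile-data interface that carries an IPv4 address
# (-w keeps "inet6" lines from matching). ifconfig errors for interfaces
# that do not exist are expected and are silenced.
interface=""
for candidate in rmnet_data0 rmnet_data1 rmnet_data2 rmnet_data3; do
  if ifconfig "${candidate}" 2>/dev/null | grep -q -w "inet"; then
    interface=${candidate}
    break
  fi
done
# Empty when no rmnet_data* interface is up.
RMNET_INT=${interface}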
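#######################################################
## Add IPv4 routes
# Routes every network in V4_NETWORKS through the tunnel device in TUN_TAB.
# Globals:  V4_NETWORKS, DEV, TUN_TAB (read)
# Returns:  1 when DEV or TUN_TAB is empty (nothing is added), else 0
add_v4_routes() {
  local network
  if [[ -z "${DEV:-}" || -z "${TUN_TAB:-}" ]]; then
    printf 'add_v4_routes: DEV or TUN_TAB is empty; skipping IPv4 routes\n' >&2
    return 1
  fi
  # shellcheck disable=SC2086 -- V4_NETWORKS is a space-delimited list by design
  for network in ${V4_NETWORKS:-}; do
    ip route add "${network}" dev "${DEV}" table "${TUN_TAB}" metric 1000 \
      || printf 'warning: failed to add IPv4 route %s via %s\n' "${network}" "${DEV}" >&2
  done
}
add_v4_routes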
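#######################################################
## Add IPv6 Routes
# Routes every network in V6_NETWORKS through the tunnel in TUN_TAB, adds the
# matching to/from rules into TUN_IN_TAB and a default route for TUN_IN_TAB.
# Globals:  V6_NETWORKS, DEV, TUN_TAB, TUN_IN_TAB (read)
# Returns:  1 when DEV, TUN_TAB or TUN_IN_TAB is empty (nothing is added)
add_v6_routes() {
  local network
  if [[ -z "${DEV:-}" || -z "${TUN_TAB:-}" || -z "${TUN_IN_TAB:-}" ]]; then
    printf 'add_v6_routes: DEV, TUN_TAB or TUN_IN_TAB is empty; skipping IPv6 routes\n' >&2
    return 1
  fi
  # shellcheck disable=SC2086 -- V6_NETWORKS is a space-delimited list by design
  for network in ${V6_NETWORKS:-}; do
    ip -6 route add "${network}" dev "${DEV}" table "${TUN_TAB}" \
      || printf 'warning: failed to add IPv6 route %s\n' "${network}" >&2
    ip -6 rule add to "${network}" table "${TUN_IN_TAB}" pref 18010 \
      || printf 'warning: failed to add IPv6 "to" rule for %s\n' "${network}" >&2
    ip -6 rule add from "${network}" table "${TUN_IN_TAB}" pref 18010 \
      || printf 'warning: failed to add IPv6 "from" rule for %s\n' "${network}" >&2
  done
  ## Unset MTU on command below
  # NOTE(review): the original comment above presumably refers to an mtu
  # option that was dropped from this route; none is set here — confirm.
  ip -6 route add default dev "${DEV}" table "${TUN_IN_TAB}" \
    || printf 'warning: failed to add IPv6 default route in table %s\n' "${TUN_IN_TAB}" >&2
}
add_v6_routes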
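#######################################################
## Establish v4 routing tables
# Skipping to end of routing rules so VPN doesn't use itself #
# Resolves one "remote" host to IPv4 addresses, one per line. An IP literal
# is echoed as-is, because "dig <ip> +short" prints nothing for it.
# Arguments: $1 - hostname or IPv4 literal from the config
resolve_remote_v4() {
  local host=$1
  local ipv4_re='^[0-9]+(\.[0-9]+){3}$'
  if [[ "${host}" =~ ${ipv4_re} ]]; then
    printf '%s\n' "${host}"
  else
    dig "${host}" +short
  fi
}
# Adds a "goto SKIP_VPN" rule for every resolved address of every "remote"
# directive so the tunnel's own packets are never routed back into it.
# Only dotted-quad answers are used: dig +short may also print CNAME targets,
# and anything else must not end up as an ip(8) argument.
# Globals:  OVPN_CONF, SKIP_VPN (read)
# Outputs:  one "server proto port" line per remote on stdout
# Returns:  1 when the config is unreadable or SKIP_VPN is empty, else 0
add_remote_bypass_rules() {
  local proto server port addr found
  local ipv4_re='^[0-9]+(\.[0-9]+){3}$'
  if [[ ! -r "${OVPN_CONF:-}" ]]; then
    printf 'add_remote_bypass_rules: cannot read %s; skipping\n' "${OVPN_CONF:-<unset>}" >&2
    return 1
  fi
  if [[ -z "${SKIP_VPN:-}" ]]; then
    printf 'add_remote_bypass_rules: SKIP_VPN is empty; skipping\n' >&2
    return 1
  fi
  # "udp4" / "tcp6-client" -> "udp" / "tcp": ipproto takes the bare name.
  # The proto and dev lines do not change per remote, so read them once.
  proto=$(awk '$1 == "proto" { print $2; exit }' "${OVPN_CONF}")
  proto=${proto//[0-9]/}
  proto=${proto%%-*}
  proto=${proto:-udp}   # OpenVPN's default transport
  while read -r server port _; do
    [[ -n "${server}" ]] || continue
    port=${port:-1194}   # OpenVPN's default port
    found=0
    while read -r addr; do
      [[ "${addr}" =~ ${ipv4_re} ]] || continue
      found=1
      ip rule add to "${addr}" ipproto "${proto}" dport "${port}" goto "${SKIP_VPN}" pref 1000 \
        || printf 'warning: failed to add bypass rule for %s (%s)\n' "${addr}" "${server}" >&2
    done < <(resolve_remote_v4 "${server}")
    if (( found == 0 )); then
      printf 'warning: %s did not resolve to an IPv4 address; no bypass rule added\n' "${server}" >&2
    fi
    printf '%s %s %s\n' "${server}" "${proto}" "${port}"
  done < <(awk '$1 == "remote" { print $2, $3 }' "${OVPN_CONF}")
}
add_remote_bypass_rules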
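# Installs the IPv4 policy rules: per-app and per-network bypasses first
# (lowest pref wins), then the uid ranges forced into the tunnel table, then
# the main table as the fallback. 10000-100000 is the app uid range, see the
# FIRST_APPLICATION_UID link in the header.
# Globals:  EXCLUDE_PKGS, V4_EXCLUDED, SKIP_VPN, TUN_TAB, DEFAULT_UID (read);
#           PKG (written, read by get_app_uid), APP_UID (written by get_app_uid)
# Returns:  1 when SKIP_VPN or TUN_TAB is empty (no rule is added), else 0
setup_v4_rules() {
  local network
  if [[ -z "${SKIP_VPN:-}" || -z "${TUN_TAB:-}" ]]; then
    printf 'setup_v4_rules: SKIP_VPN or TUN_TAB is empty; skipping IPv4 rules\n' >&2
    return 1
  fi
  # Skip VPN on v4 for marked packages #
  # shellcheck disable=SC2086 -- EXCLUDE_PKGS is a space-delimited list by design
  for PKG in ${EXCLUDE_PKGS:-}; do
    APP_UID=""
    get_app_uid
    if [[ -n "${APP_UID}" ]]; then
      ip rule add uidrange "${APP_UID}-${APP_UID}" goto "${SKIP_VPN}" pref 18025 \
        || printf 'warning: failed to add v4 bypass rule for %s\n' "${PKG}" >&2
    else
      # A silent miss would leave the app on the VPN; say so.
      printf 'warning: no uid for %s; it is NOT excluded from the VPN (v4)\n' "${PKG}" >&2
    fi
  done
  unset APP_UID
  # Skip v4 Networks #
  # shellcheck disable=SC2086 -- V4_EXCLUDED is a space-delimited list by design
  for network in ${V4_EXCLUDED:-}; do
    ip rule add to "${network}" goto "${SKIP_VPN}" pref 18100 \
      || printf 'warning: failed to add v4 bypass rule for %s\n' "${network}" >&2
  done
  ip rule add uidrange 0-0 table "${TUN_TAB}" pref 18125
  if [[ -n "${DEFAULT_UID:-}" ]]; then
    ip rule add uidrange "${DEFAULT_UID}-${DEFAULT_UID}" table "${TUN_TAB}" pref 18150
  else
    printf 'warning: DEFAULT_UID is empty; chroot user is not routed via VPN (v4)\n' >&2
  fi
  ip rule add uidrange 10000-100000 table "${TUN_TAB}" pref 18175
  ip rule add table main pref 18200
}
setup_v4_rules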
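#######################################################
## Establish v6 routing tables
# Installs the IPv6 policy rules, mirroring the IPv4 set: per-app and
# per-network bypasses first (lowest pref wins), then the uid ranges forced
# into the tunnel table, then the main table as the fallback.
# Globals:  EXCLUDE_PKGS, V6_EXCLUDED, SKIP_VPN, TUN_TAB, DEFAULT_UID (read);
#           PKG (written, read by get_app_uid), APP_UID (written by get_app_uid)
# Returns:  1 when SKIP_VPN or TUN_TAB is empty (no rule is added), else 0
setup_v6_rules() {
  local network
  if [[ -z "${SKIP_VPN:-}" || -z "${TUN_TAB:-}" ]]; then
    printf 'setup_v6_rules: SKIP_VPN or TUN_TAB is empty; skipping IPv6 rules\n' >&2
    return 1
  fi
  # Skip VPN on v6 for marked packages #
  # shellcheck disable=SC2086 -- EXCLUDE_PKGS is a space-delimited list by design
  for PKG in ${EXCLUDE_PKGS:-}; do
    APP_UID=""
    get_app_uid
    if [[ -n "${APP_UID}" ]]; then
      ip -6 rule add uidrange "${APP_UID}-${APP_UID}" goto "${SKIP_VPN}" pref 18025 \
        || printf 'warning: failed to add v6 bypass rule for %s\n' "${PKG}" >&2
    else
      # A silent miss would leave the app on the VPN; say so.
      printf 'warning: no uid for %s; it is NOT excluded from the VPN (v6)\n' "${PKG}" >&2
    fi
  done
  unset APP_UID
  # Skip v6 Networks #
  # shellcheck disable=SC2086 -- V6_EXCLUDED is a space-delimited list by design
  for network in ${V6_EXCLUDED:-}; do
    ip -6 rule add to "${network}" goto "${SKIP_VPN}" pref 18100 \
      || printf 'warning: failed to add v6 bypass rule for %s\n' "${network}" >&2
  done
  ip -6 rule add uidrange 0-0 table "${TUN_TAB}" pref 18125
  if [[ -n "${DEFAULT_UID:-}" ]]; then
    ip -6 rule add uidrange "${DEFAULT_UID}-${DEFAULT_UID}" table "${TUN_TAB}" pref 18150
  else
    printf 'warning: DEFAULT_UID is empty; chroot user is not routed via VPN (v6)\n' >&2
  fi
  ip -6 rule add uidrange 10000-100000 table "${TUN_TAB}" pref 18175
  # Deliberately later than the v4 main-table rule (18200), as in the original.
  ip -6 rule add table main pref 31000
}
setup_v6_rules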
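####################################################
## MLDB Evil GW TTL hack to bypass firewall(s) on private nets when routed to via VPN client ##
# NOTE(review): the tunnel interface is hard-coded here while the routing
# section above derives DEV from OVPN_CONF — confirm the two name the same
# device, otherwise these mangle rules never match.
TTL_HACK_TUN="tun_vpn0"
TTL_HACK_LAN_IFACES="eth0 wlan0"
# Applies one iptables action to the TTL rewrite rules for both directions
# between the tunnel and every LAN interface, in the same order as before.
# Arguments: $1 - iptables rule action, -D to remove or -I to insert
# Globals:   TTL_HACK_TUN, TTL_HACK_LAN_IFACES (read)
ttl_hack_rules() {
  local action=$1 lan
  # shellcheck disable=SC2086 -- TTL_HACK_LAN_IFACES is a space-delimited list by design
  for lan in ${TTL_HACK_LAN_IFACES}; do
    unchroot iptables -t mangle "${action}" FORWARD -i "${TTL_HACK_TUN}" -o "${lan}" -j TTL --ttl-set 64
    unchroot iptables -t mangle "${action}" FORWARD -o "${TTL_HACK_TUN}" -i "${lan}" -j TTL --ttl-set 64
  done
}
# Deleting rules that are not there fails; that is expected on first run.
echo "## You may safely ignore these iptables errors:"
echo "Removing the evil GW TTL hack..."
ttl_hack_rules -D
echo "^ You may safely ignore these iptables errors ^"
echo "Applying the evil GW TTL hack..."
ttl_hack_rules -I
####################################################
exit 0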