@austinhappel
Created January 20, 2014 19:54
Bash script for creating iptables directives to block all network connections, except for those through a PrivateInternetAccess.com openvpn tunnel.
#!/bin/bash
# Generates an iptables "kill switch" script: everything is dropped except
# loopback, the LAN, the PIA server addresses and the openvpn tun interface.
# Run as root (the result is written under /root). Uses bash-only echo -e.

# vars
IPTABLESFILE="/tmp/iptables.vpn"
OUTDIR="/root/vpn-profiles/pia-openvpn"   # replace with the directory of your choice
# Private scratch directory instead of fixed, predictable paths under /tmp
WORKDIR=$(mktemp -d /tmp/pia.XXXXXX) || exit 1

# Get openvpn configuration zip from PIA; abort if the download fails instead of
# building an empty rule set from nothing
echo "piavpn: getting openvpn.zip"
if ! wget -q --directory-prefix="$WORKDIR" https://www.privateinternetaccess.com/openvpn/openvpn.zip; then
    echo "piavpn: download failed" >&2
    rm -r "$WORKDIR"
    exit 1
fi
echo "piavpn: openvpn.zip retrieved successfully"
unzip -q "$WORKDIR/openvpn.zip" -d "$WORKDIR/"

# Collect the server hostnames from every "remote <host> <port>" line, resolve
# them, and keep only IPv4 addresses (dig +short can also print CNAME targets).
# Note that this is a snapshot: if PIA rotates addresses the list goes stale.
grep -h "remote " "$WORKDIR"/*.ovpn | cut -d ' ' -f 2 | sort -u > "$WORKDIR/piaservers"
dig -f "$WORKDIR/piaservers" A +short | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u > "$WORKDIR/piaserverips"
if [ ! -s "$WORKDIR/piaserverips" ]; then
    echo "piavpn: no PIA server IPs resolved, aborting" >&2
    rm -r "$WORKDIR"
    exit 1
fi
echo "piavpn: PIA server IPs retrieved, building iptables."

# Start building iptables script - starts by overwriting old file.
# The rules are appended after a flush and the built-in chain policy is left
# at ACCEPT, so the catch-all DROP rules at the end are what enforce the switch.
echo -e "# Flush iptables" > "$IPTABLESFILE"
echo "iptables -F" >> "$IPTABLESFILE"
echo "iptables -X" >> "$IPTABLESFILE"

echo -e "\n\n# Allow vpn tunnel and loopback connections" >> "$IPTABLESFILE"
echo "iptables -A INPUT -i tun+ -j ACCEPT" >> "$IPTABLESFILE"
echo "iptables -A OUTPUT -o tun+ -j ACCEPT" >> "$IPTABLESFILE"
echo "iptables -A INPUT -s 127.0.0.1 -j ACCEPT" >> "$IPTABLESFILE"
echo "iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT" >> "$IPTABLESFILE"

# Accept openvpn port 1194 traffic. These two rules match the LOCAL port:
# openvpn binds local port 1194 unless the profile says "nobind". Traffic to
# the servers themselves is already allowed by the per-IP rules below.
echo -e "\n\n# Accept openvpn port 1194 traffic (needed for restarts)" >> "$IPTABLESFILE"
echo "iptables -A INPUT -p udp --dport 1194 -j ACCEPT" >> "$IPTABLESFILE"
echo "iptables -A OUTPUT -p udp --sport 1194 -j ACCEPT" >> "$IPTABLESFILE"

# Add PIA server IPs to script, one ACCEPT pair per address
echo -e "\n\n# Allow all PIA server IPs" >> "$IPTABLESFILE"
while read -r IP; do
    echo "iptables -A INPUT -s $IP -j ACCEPT" >> "$IPTABLESFILE"
    echo "iptables -A OUTPUT -d $IP -j ACCEPT" >> "$IPTABLESFILE"
done < "$WORKDIR/piaserverips"

# Next two lines give me access to/from my internal servers (adjust the subnet to your LAN)
echo -e "\n\n# Allow LAN connections" >> "$IPTABLESFILE"
echo "iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT" >> "$IPTABLESFILE"
echo "iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT" >> "$IPTABLESFILE"

# Allow existing established connections
echo -e "\n\n# Allow existing established connections" >> "$IPTABLESFILE"
echo "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT" >> "$IPTABLESFILE"
echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" >> "$IPTABLESFILE"

# Stop anything not from PIA or internal or localhost. Once loaded, DNS only
# works through the tunnel or against a resolver on the LAN; the FORWARD chain
# is left untouched (add a rule there if this host routes for other machines).
echo -e "\n\n# Drop everything else" >> "$IPTABLESFILE"
echo "iptables -A INPUT -j DROP" >> "$IPTABLESFILE"
echo "iptables -A OUTPUT -j DROP" >> "$IPTABLESFILE"

# ipv6: drop everything, so nothing leaks around the IPv4 rules over v6
echo -e "\n\n# IPV6: Drop/reject everything ####" >> "$IPTABLESFILE"
echo "ip6tables -F" >> "$IPTABLESFILE"
echo "ip6tables -X" >> "$IPTABLESFILE"
echo "ip6tables -A INPUT -j DROP" >> "$IPTABLESFILE"
echo "ip6tables -A OUTPUT -j REJECT" >> "$IPTABLESFILE"
echo "ip6tables -A FORWARD -j REJECT" >> "$IPTABLESFILE"

# make the vpn file executable, delete the scratch directory
chmod 744 "$IPTABLESFILE"
rm -r "$WORKDIR"
mkdir -p "$OUTDIR"
mv "$IPTABLESFILE" "$OUTDIR/"
echo "piavpn: complete. file in $OUTDIR"
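Because the generated file relies on rule order (first match wins, and the built-in policy stays ACCEPT), it helps to check what a given packet would hit before loading the rules on a live host. The following is an added example, not part of the gist: a small first-match evaluator in Python that models only the match options the script uses (-i/-o, -s/-d, -p, --sport/--dport, -m state) over the same rule list, in the same order. The PIA addresses (203.0.113.x) and the test hosts (198.51.100.x, 10.8.0.2) are constructed sample values; the LAN subnet is the gist's 192.168.0.0/24.

```python
"""First-match evaluator for the rule list the gist's script generates.

Added example, not the gist's own code. It models iptables' top-down
first-match semantics for the handful of match options the script emits.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample addresses (TEST-NET-3); the real script fills this from dig
PIA_IPS = ["203.0.113.10", "203.0.113.11"]
LAN_NET = "192.168.0.0/24"


@dataclass
class Packet:
    chain: str            # "INPUT" or "OUTPUT"
    iface: str            # what -i (INPUT) or -o (OUTPUT) sees
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 40000
    dport: int = 443
    state: str = "NEW"    # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass
class Rule:
    chain: str
    target: str
    iface: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    states: Optional[Tuple[str, ...]] = None


def iface_match(pattern: str, iface: str) -> bool:
    """A trailing '+' is a prefix wildcard in iptables (tun+ matches tun0, tun1, ...)."""
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return iface == pattern


def net_match(spec: str, addr: str) -> bool:
    """-s/-d take a host or a CIDR; a bare address is a /32."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(r: Rule, p: Packet) -> bool:
    """Every match option present on the rule must hold for it to fire."""
    return (
        r.chain == p.chain
        and (r.iface is None or iface_match(r.iface, p.iface))
        and (r.src is None or net_match(r.src, p.src))
        and (r.dst is None or net_match(r.dst, p.dst))
        and (r.proto is None or r.proto == p.proto)
        and (r.sport is None or r.sport == p.sport)
        and (r.dport is None or r.dport == p.dport)
        and (r.states is None or p.state in r.states)
    )


def build_rules(pia_ips):
    """Same rules, same order as the generated iptables file."""
    rules = [
        Rule("INPUT", "ACCEPT", iface="tun+"),
        Rule("OUTPUT", "ACCEPT", iface="tun+"),
        Rule("INPUT", "ACCEPT", src="127.0.0.1"),
        Rule("OUTPUT", "ACCEPT", dst="127.0.0.1"),
        Rule("INPUT", "ACCEPT", proto="udp", dport=1194),   # local openvpn port
        Rule("OUTPUT", "ACCEPT", proto="udp", sport=1194),
    ]
    for ip in pia_ips:
        rules.append(Rule("INPUT", "ACCEPT", src=ip))
        rules.append(Rule("OUTPUT", "ACCEPT", dst=ip))
    rules += [
        Rule("INPUT", "ACCEPT", src=LAN_NET),
        Rule("OUTPUT", "ACCEPT", dst=LAN_NET),
        Rule("INPUT", "ACCEPT", states=("RELATED", "ESTABLISHED")),
        Rule("OUTPUT", "ACCEPT", states=("RELATED", "ESTABLISHED")),
        Rule("INPUT", "DROP"),     # the catch-all pair is the kill switch itself
        Rule("OUTPUT", "DROP"),
    ]
    return rules


def verdict(rules, p: Packet, policy: str = "ACCEPT") -> str:
    """Walk the chain top-down; the built-in policy (ACCEPT, which the script
    never changes) applies only when no rule matched."""
    for r in rules:
        if matches(r, p):
            return r.target
    return policy


if __name__ == "__main__":
    rules = build_rules(PIA_IPS)
    # openvpn reaching a PIA server over the NIC, then a direct connection to some other host
    print(verdict(rules, Packet("OUTPUT", "eth0", "192.168.0.5", "203.0.113.10", "udp", 51000, 1194)))
    print(verdict(rules, Packet("OUTPUT", "eth0", "192.168.0.5", "198.51.100.7")))
    # the same host through the tunnel, and what happens without the final DROP pair
    print(verdict(rules, Packet("OUTPUT", "tun0", "10.8.0.2", "198.51.100.7")))
    print(verdict(rules[:-2], Packet("OUTPUT", "eth0", "192.168.0.5", "198.51.100.7")))
```

The last case is the one worth remembering: drop the two trailing DROP rules and every non-matching packet falls through to the chain's ACCEPT policy, so the whole ruleset permits everything. Adding the new PIA addresses from a fresh run of the script is a matter of regenerating the file, since the evaluator (like iptables) only knows the addresses it was given.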