Skip to content

Instantly share code, notes, and snippets.

@chtzvt
Last active September 26, 2022 16:00
Show Gist options
  • Save chtzvt/ef9d3d210e910eaf948bae0d6ab8e4dc to your computer and use it in GitHub Desktop.
Save chtzvt/ef9d3d210e910eaf948bae0d6ab8e4dc to your computer and use it in GitHub Desktop.
AnyConnect transparent VPN bridge/router
SYSTEM_LAN_IFACE="eth0"
VPN_CLIENT_IFACE="tun0"
DEST_IP="10.173.204.63"
FWDED_PORT="22"
SOURCE_NET_WHITELIST="10.0.2.0/24,10.0.3.0/24"
get_iface_ip() {
IP=`ip addr show $1 | grep -o "inet [0-9]*\.[0-9]*\.[0-9]*\.[0-9]*" | grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*"`
if [[ $? -ne 0 ]];
then
echo "nil"
else
echo $IP
fi
}
if [[ "$1" == "up" || "$1" == "down" ]];
then
echo "Flushing iptables..."
# Flush iptables rules prior to applying up rules or when bringing fwd down
iptables -t nat -F
iptables -F
else
echo "No action specified: $0 [up down]"
exit
fi
if [[ "$1" == "up" ]];
then
echo "Enabling IP forwarding..."
sysctl -w net.ipv4.ip_forward=1
SYSTEM_LAN_IP=$(get_iface_ip $SYSTEM_LAN_IFACE)
VPN_CLIENT_IP=$(get_iface_ip $VPN_CLIENT_IFACE)
TRIES=1
MAXTRIES=5
while [[ $VPN_CLIENT_IP == "nil" && $TRIES -lt $(($MAXTRIES + 1)) ]];
do
echo "$VPN_CLIENT_IFACE IP unassigned, sleeping 5s before retrying (attempt $TRIES of $MAXTRIES)..."
VPN_CLIENT_IP=$(get_iface_ip $VPN_CLIENT_IFACE)
TRIES=$((TRIES+1))
sleep 5
done
if [[ $VPN_CLIENT_IP == "nil" || $SYSTEM_LAN_IP == "nil" ]];
then
echo "FAILED to get required IPs: system[$SYSTEM_LAN_IP] vpn[$VPN_CLIENT_IP]"
exit 1
else
echo "Determined IPs: system[$SYSTEM_LAN_IP] vpn[$VPN_CLIENT_IP]"
fi
echo "Allowing incoming traffic on $SYSTEM_LAN_IP:$FWDED_PORT from $SOURCE_NET_WHITELIST..."
iptables -t filter -A INPUT -s $SOURCE_NET_WHITELIST -p tcp --dport $FWDED_PORT -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport $FWDED_PORT -j REJECT
echo "Enabling NAT rules ($SYSTEM_LAN_IP:$FWDED_PORT snat-> $VPN_CLIENT_IP:$FWDED_PORT dnat-> $DEST_IP:$FWDED_PORT)"
iptables -t nat -A PREROUTING -d $SYSTEM_LAN_IP -p tcp --dport $FWDED_PORT -j DNAT --to-dest $DEST_IP:$FWDED_PORT
iptables -t nat -A POSTROUTING -d $DEST_IP -p tcp --dport $FWDED_PORT -j SNAT --to-source $VPN_CLIENT_IP
elif [[ "$1" == "down" ]];
then
echo "Disabling IP forwarding..."
sysctl -w net.ipv4.ip_forward=0
fi
server="ucfvpn-1.vpn.ucf.edu"
user=""
password=""
group='UCF Students'
[Unit]
Description=UCF OpenConnect VPN
Wants=network.target
Before=network.target
[Service]
Type=forking
RemainAfterExit=no
PIDFile=/var/run/ucf-vpn.pid
Restart=on-failure
RestartSec=5s
KillSignal=SIGINT
EnvironmentFile=/etc/default/ucf-vpn.env
ExecStart=/bin/bash -c "echo -e \"$group\n$password\" | /usr/sbin/openconnect -u $user -b --pid-file=/var/run/ucf-vpn.pid $server"
ExecStartPre=-/sbin/ip route add 10.0.3.0/24 via 10.0.2.1
ExecStartPost=/bin/bash /root/iptables_rules.sh up
ExecStopPre=-/bin/bash /root/iptables_rules.sh down
[Install]
WantedBy=multi-user.target
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment