-
-
Save derfalx/7296a0f0a12f3fa532e3de9d1d18e02e to your computer and use it in GitHub Desktop.
Bypass VPN for specific apps [Linux / OpenVPN]
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# === INFO === | |
# NoVPN | |
# Description: Bypass VPN tunnel for applications run through this tool. | |
VERSION="1.0.2" | |
# Author: KrisWebDev | |
# Requirements: Linux with kernel > 2.6.4 (released in 2008). | |
# Only tested on Ubuntu 15 with bash. | |
# Main dependencies are automatically installed. | |
# Script will guide you for iptables 1.6.0 install. | |
# === LICENSE === | |
# This program is free software: you can redistribute it and/or modify | |
# it under the terms of the GNU General Public License as published by | |
# the Free Software Foundation, either version 3 of the License, or | |
# (at your option) any later version. | |
# | |
# This program is distributed in the hope that it will be useful, | |
# but WITHOUT ANY WARRANTY; without even the implied warranty of | |
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
# GNU General Public License for more details. | |
# | |
# You should have received a copy of the GNU General Public License | |
# along with this program. If not, see <http://www.gnu.org/licenses/>. | |
# === CONFIGURATION === | |
real_interface="eth0" | |
# === ADVANCES CONFIGURATION === | |
cgroup_name="novpn" # Better keep it with purely lowercase alphabetic & underscore | |
net_cls_classid="0x00110011" # Anything from 0x00000001 to 0xFFFFFFFF | |
ip_table_fwmark="11" # Anything from 1 to 2147483647 | |
ip_table_number="11" # Anything from 1 to 252 | |
ip_table_name="$cgroup_name" | |
# === CODE === | |
real_interface_gateway=`ip route | grep "dev ${real_interface}" | awk '/^default/ { print $3 }'` | |
#real_interface_ip=`ip addr show "$real_interface" | awk '$1 == "inet" {gsub(/\/.*$/, "", $2); print $2}'` | |
# Handle options | |
action="command" | |
background=false | |
skip=false | |
init_nb_args="$#" | |
while [ "$#" -gt 0 ]; do | |
case "$1" in | |
-b|--background) background=true; shift 1;; | |
-o|--outside) action="outside"; shift 1;; | |
-i|--inside) action="inside"; shift 1;; | |
-l|--list) action="list"; shift 1;; | |
-s|--skip) skip=true; shift 1;; | |
-l|--clean) action="clean"; shift 1;; | |
-h|--help) action="help"; shift 1;; | |
-v|--version) echo "novpn v$VERSION"; exit 0;; | |
-*) echo "Unknown option: $1. Try --help." >&2; exit 1;; | |
*) break;; # Start of COMMAND or LIST | |
esac | |
done | |
if [ "$init_nb_args" -lt 1 ] || [ "$action" = "help" ] ; then | |
me=`basename "$0"` | |
echo -e "Usage : \e[1m$me [\e[4mOPTIONS\e[24m] [\e[4mCOMMAND\e[24m [\e[4mCOMMAND PARAMETERS\e[24m]]\e[0m" | |
echo -e " or : \e[1m$me [\e[4mOPTIONS\e[24m] { --outside | --inside } \e[4mLIST\e[24m\e[0m" | |
echo -e "Run command outside the VPN tunnel." | |
echo | |
echo -e "\e[1m\e[4mOPTIONS\e[0m:" | |
echo -e "\e[1m-b, --background\e[0m Start \e[4mCOMMAND\e[24m as background process (release the shell)." | |
echo -e "\e[1m-o, --outside \e[4mLIST\e[24m\e[0m Move running process \e[4mLIST\e[24m outside tunnel. (BROKEN)" | |
echo -e "\e[1m-i, --inside \e[4mLIST\e[24m\e[0m Move back running process \e[4mLIST\e[24m inside tunnel." | |
echo -e "\e[1m-l, --list\e[0m List processes going outside tunnel." | |
echo -e "\e[1m-s, --skip\e[0m Don't check/setup system config & don't ask for root,\n\ | |
run \e[4mCOMMAND\e[24m or move process \e[4mLIST\e[24m even if tunnel bypass fails." | |
echo -e "\e[1m-c, --clean\e[0m Move back all proceses inside tunnel and remove system config." | |
echo -e "\e[1m-v, --version\e[0m Print this program version." | |
echo -e "\e[1m-h, --help\e[0m This help." | |
echo | |
echo -e "\e[1m\e[4mLIST\e[0m: List of process ID or names separated by spaces." | |
exit 1 | |
fi | |
# Helper functions | |
# Check the presence of required system packages | |
check_package(){ | |
nothing_installed=1 | |
for package_name in "$@" | |
do | |
if ! dpkg -l "$package_name" &> /dev/null; then | |
echo "Installing $package_name" | |
sudo apt-get install "$package_name" | |
nothing_installed=0 | |
fi | |
done | |
return $nothing_installed | |
} | |
# List processes bypassing the VPN | |
list_outside(){ | |
return_status=1 | |
echo -e "PID""\t""CMD" | |
while read task_pid | |
do | |
echo -e "${task_pid}""\t""`ps -p ${task_pid} -o comm=`"; | |
return_status=0 | |
done < /sys/fs/cgroup/net_cls/${cgroup_name}/tasks | |
return $return_status | |
} | |
# Check and setup iptables - requires root even for check | |
iptable_checked=false | |
setup_iptables(){ | |
if ! sudo iptables -t mangle -C OUTPUT -m cgroup --cgroup "$net_cls_classid" -j MARK --set-mark "$ip_table_fwmark" 2>/dev/null; then | |
echo "Adding iptables MANGLE rule to set firewall mark $ip_table_fwmark on packets with class identifier $net_cls_classid" >&2 | |
sudo iptables -t mangle -A OUTPUT -m cgroup --cgroup "$net_cls_classid" -j MARK --set-mark "$ip_table_fwmark" | |
fi | |
if ! sudo iptables -t nat -C POSTROUTING -m cgroup --cgroup "$net_cls_classid" -o "$real_interface" -j MASQUERADE 2>/dev/null; then | |
echo "Adding iptables NAT rule force the packets with class identifier $net_cls_classid to exit through $real_interface" >&2 | |
sudo iptables -t nat -A POSTROUTING -m cgroup --cgroup "$net_cls_classid" -o "$real_interface" -j MASQUERADE | |
fi | |
iptable_checked=true | |
} | |
# Test if config is working, IPv4 only | |
testresult=true | |
test_bypass(){ | |
exit_ip=`cgexec -g net_cls:"$cgroup_name" traceroute -m 1 -n 8.8.8.8 | sed -n '2{p;q}' | grep -oE "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+"` | |
if [ "$exit_ip" == "$real_interface_gateway" ]; then | |
echo -e "\e[32mTest OK. Trafic exits with IP $exit_ip.\e[0m" >&2 | |
testresult=true | |
return 0 | |
else | |
echo -e "\e[31mTest failed: Trafic exits with $exit_ip instead of $real_interface_gateway. Aborting.\e[0m" >&2 | |
testresult=false | |
return 1 | |
fi | |
} | |
check_iptables=false | |
if [ "$action" = "command" ] || [ "$action" = "outside" ]; then | |
# SETUP config | |
if [ "$skip" = false ]; then | |
echo "Checking/setting forced routing config (skip with $0 -s ...)" >&2 | |
if check_package cgroup-lite cgmanager cgroup-tools inetutils-traceroute; then | |
echo "You may want to reboot now. But that's probably not necessary." >&2 | |
exit 1 | |
fi | |
if dpkg --compare-versions `iptables --version | grep -oP "iptables v\K.*$"` "lt" "1.6"; then | |
echo -e "\e[31mYou need iptables 1.6.0+. Please install manually. Aborting.\e[0m" >&2 | |
echo "Find latest iptables at http://www.netfilter.org/projects/iptables/downloads.html" >&2 | |
echo "Commands to install iptables 1.6.0:" >&2 | |
echo -e "\e[34msudo apt-get install dh-autoreconf bison flex | |
cd /tmp | |
curl http://www.netfilter.org/projects/iptables/files/iptables-1.6.0.tar.bz2 | tar xj | |
cd iptables-1.6.0 | |
./configure --prefix=/usr \\ | |
--sbindir=/sbin \\ | |
--disable-nftables \\ | |
--enable-libipq \\ | |
--with-xtlibdir=/lib/xtables \\ | |
&& make \\ | |
&& sudo make install | |
iptables --version\e[0m" >&2 | |
exit 1 | |
fi | |
if [ ! -d "/sys/fs/cgroup/net_cls/$cgroup_name" ]; then | |
echo "Creating net_cls control group $cgroup_name" >&2 | |
sudo mkdir -p "/sys/fs/cgroup/net_cls/$cgroup_name" | |
check_iptables=true | |
fi | |
if [ `cat "/sys/fs/cgroup/net_cls/$cgroup_name/net_cls.classid" | xargs -n 1 printf "0x%08x"` != "$net_cls_classid" ]; then | |
echo "Applying net_cls class identifier $net_cls_classid to cgroup $cgroup_name" >&2 | |
echo "$net_cls_classid" | sudo tee "/sys/fs/cgroup/net_cls/$cgroup_name/net_cls.classid" > /dev/null | |
fi | |
if ! grep -E "^${ip_table_number}\s+$ip_table_name" /etc/iproute2/rt_tables &>/dev/null; then | |
if grep -E "^${ip_table_number}\s+" /etc/iproute2/rt_tables; then | |
echo "ERROR: Table ${ip_table_number} already exists in /etc/iproute2/rt_tables with a different name than $ip_table_name" >&2 | |
exit 1 | |
fi | |
echo "Creating ip routing table: number=$ip_table_number name=$ip_table_name" >&2 | |
echo "$ip_table_number $ip_table_name" | sudo tee -a /etc/iproute2/rt_tables > /dev/null | |
check_iptables=true | |
fi | |
if ! ip rule list | grep " lookup $ip_table_name" | grep " fwmark " &>/dev/null; then | |
echo "Adding rule to use ip routing table $ip_table_name for packets with firewall mark $ip_table_fwmark" >&2 | |
sudo ip rule add fwmark "$ip_table_fwmark" table "$ip_table_name" | |
check_iptables=true | |
fi | |
if [ -z "`ip route list table "$ip_table_name" default via $real_interface_gateway dev ${real_interface} 2>/dev/null`" ]; then | |
echo "Adding default route in ip routing table $ip_table_name via $real_interface_gateway dev $real_interface" >&2 | |
sudo ip route add default via "$real_interface_gateway" dev "$real_interface" table "$ip_table_name" | |
# Useless? | |
echo "Flushing ip route cache" >&2 | |
sudo ip route flush cache | |
check_iptables=true | |
fi | |
if [ "`cat /proc/sys/net/ipv4/conf/all/rp_filter`" != "0" ] || [ "`cat /proc/sys/net/ipv4/conf/all/rp_filter`" != "2" ]; then | |
echo "Unset reverse path filtering for interface \"all\"" >&2 | |
echo 2 | sudo tee "/proc/sys/net/ipv4/conf/all/rp_filter" > /dev/null | |
check_iptables=true | |
fi | |
if [ "`cat /proc/sys/net/ipv4/conf/${real_interface}/rp_filter`" != "0" ] || [ "`cat /proc/sys/net/ipv4/conf/${real_interface}/rp_filter`" != "2" ]; then | |
echo "Unset reverse path filtering for interface \"${real_interface}\"" >&2 | |
echo 2 | sudo tee "/proc/sys/net/ipv4/conf/${real_interface}/rp_filter" > /dev/null | |
check_iptables=true | |
fi | |
if [ -z "`lscgroup net_cls:$cgroup_name`" ] || [ `stat -c "%U" /sys/fs/cgroup/net_cls/${cgroup_name}/tasks` != "$USER" ]; then | |
echo "Creating cgroup net_cls:${cgroup_name}. User $USER will be able to move tasks to it without root permissions." >&2 | |
sudo cgcreate -t "$USER":"$USER" -a `id -g -n "$USER"`:`id -g -n "$USER"` -g net_cls:"$cgroup_name" | |
check_iptables=true | |
fi | |
if [ "$check_iptables" = true ]; then | |
setup_iptables | |
fi | |
fi | |
# TEST bypass | |
test_bypass | |
if [ "$force" != true ]; then | |
if [ "$testresult" = false ]; then | |
if [ "$iptable_checked" = false ]; then | |
echo -e "Testing iptables..." >&2 | |
setup_iptables | |
test_bypass | |
fi | |
fi | |
if [ "$testresult" = false ]; then | |
exit 1 | |
fi | |
fi | |
fi | |
# RUN command | |
if [ "$action" = "command" ]; then | |
if [ "$#" -eq 0 ]; then | |
echo "Error: COMMAND not provided." >&2 | |
exit 1 | |
fi | |
if [ "$background" = true ]; then | |
cgexec -g net_cls:"$cgroup_name" "$@" &>/dev/null & | |
exit 0 | |
else | |
cgexec -g net_cls:"$cgroup_name" "$@" | |
exit $? | |
fi | |
# List process OUTSIDE tunnel | |
# Exit code 0 (true) if at least 1 process is outside the tunnel | |
elif [ "$action" = "list" ]; then | |
echo "List of processes bypassing tunnel:" | |
list_outside | |
exit $? | |
# Move process OUTSIDE tunnel | |
elif [ "$action" = "outside" ]; then | |
exit_code=1 | |
for process in "$@" | |
do | |
if [ "$process" -eq "$process" ] 2>/dev/null; then | |
# Is integer (PID) | |
echo "$process" | sudo tee /sys/fs/cgroup/net_cls/${cgroup_name}/tasks > /dev/null | |
exit_code=0 | |
else | |
# Is process name | |
pids=$(pidof "$process") | |
for pid in $pids | |
do | |
echo "$pid" | sudo tee /sys/fs/cgroup/net_cls/${cgroup_name}/tasks > /dev/null | |
exit_code=0 | |
done | |
fi | |
done | |
echo -e "\e[31mWARNING: Moving running processes outside the VPN tunnel DOES NOT WORK.\e[0m" >&2 | |
echo -e "\e[31mYou should start new processes and beware processes that have already opened windows: they may reuse existing PID.\e[0m" >&2 | |
echo "List of processes bypassing tunnel:" | |
list_outside | |
exit $exit_code | |
# Move process INSIDE tunnel | |
elif [ "$action" = "inside" ]; then | |
for process in "$@" | |
do | |
if [ "$process" -eq "$process" ] 2>/dev/null; then | |
# Is integer (PID) | |
echo "$process" | sudo tee /sys/fs/cgroup/net_cls/tasks > /dev/null | |
else | |
# Is process name | |
pids=$(pidof "$process") | |
for pid in $pids | |
do | |
echo "$pid" | sudo tee /sys/fs/cgroup/net_cls/tasks > /dev/null | |
done | |
fi | |
done | |
echo "Remaining processes bypassing tunnel:" | |
list_outside | |
# CLEAN the mess | |
elif [ "$action" = "clean" ]; then | |
echo -e "Cleaning forced routing config generated by this script." | |
echo -e "Don't bother with errors meaning there's nothing to remove." | |
# Remove tasks | |
if [ -f "/sys/fs/cgroup/net_cls/${cgroup_name}/tasks" ]; then | |
while read task_pid; do echo ${task_pid} | sudo tee /sys/fs/cgroup/net_cls/tasks > /dev/null; done < "/sys/fs/cgroup/net_cls/${cgroup_name}/tasks" | |
fi | |
# Delete cgroup | |
if [ -d "/sys/fs/cgroup/net_cls/${cgroup_name}" ]; then | |
sudo find "/sys/fs/cgroup/net_cls/${cgroup_name}" -depth -type d -print -exec rmdir {} \; | |
fi | |
# This can cause issues if reverse path filtering is normally disabled on the system | |
echo 1 | sudo tee "/proc/sys/net/ipv4/conf/all/rp_filter" > /dev/null | |
echo 1 | sudo tee "/proc/sys/net/ipv4/conf/${real_interface}/rp_filter" > /dev/null | |
sudo iptables -t mangle -D OUTPUT -m cgroup --cgroup "$net_cls_classid" -j MARK --set-mark "$ip_table_fwmark" | |
sudo iptables -t nat -D POSTROUTING -m cgroup --cgroup "$net_cls_classid" -o "$real_interface" -j MASQUERADE | |
sudo ip rule del fwmark "$ip_table_fwmark" table "$ip_table_name" | |
sudo ip route del default table "$ip_table_name" | |
sudo sed -i '/^${ip_table_number}\s\+${ip_table_name}\s*$/d' /etc/iproute2/rt_tables | |
if [ -n "`lscgroup net_cls:$cgroup_name`" ]; then | |
sudo cgdelete net_cls:"$cgroup_name" | |
fi | |
echo "All done." | |
fi | |
# BONUS: Useful commands: | |
# ./novpn.sh traceroute www.google.com | |
# Note: 1 firefox profile = 1 process only | |
# ./novpn.sh --outside firefox; ./novpn.sh --background firefox https://ipleak.net/ | |
# ip=$(./novpn.sh curl 'https://wtfismyip.com/text' 2>/dev/null); echo "$ip"; whois "$ip" | grep -E "inetnum|route|netname|descr" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment