juris/OpenVPN-per-client-iptables-README.md

## OpenVPN-per-client-iptables-README.md

      
    Raw
  

              OpenVPN-per-client-iptables-README.md
            
          
    Every time a new client connects to OpenVPN server, ovpn_connect.sh script creates set of individual iptables rules based on client common name and content of ccd files.
When client disconnects from OpenVPN server, ovpn_disconnect.sh removes these individual rules.
opvn_run.sh can be used to launch OpenVPN in docker contaner.
This should be a part of openvpn.conf file for scripts to work
# Client configuration
script-security 2
ccd-exclusive
client-config-dir  /etc/openvpn/ccd
client-connect     /etc/openvpn/scripts/ovpn_connect.sh
client-disconnect  /etc/openvpn/scripts/ovpn_disconnect.sh


## opvn_run.sh
#!/usr/bin/env bash

# Cleanup iptables
iptables -F
iptables -X
iptables -t raw -F
iptables -t raw -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t security -F
iptables -t security -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -I INPUT -i lo -j ACCEPT
iptables -I INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
iptables -I INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -I OUTPUT -o lo -j ACCEPT
iptables -I OUTPUT -o eth0 -d 0.0.0.0/0 -j ACCEPT

iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Launch OpenVPN
exec openvpn --config /etc/openvpn/openvpn.conf

## ovpn_connect.sh
#!/usr/bin/env bash
#
#  Add iptables rules based on CCD client config.
#

CCD_DIR="/etc/openvpn/ccd"

# iptables rule comment - the disconnect script will
# remove all strings matching this pattern
RULE_COMMENT="OVPN_"$common_name

if [ -f $CCD_DIR/$common_name ]; then
  sudo /sbin/iptables -N $RULE_COMMENT
  grep "^push \"route" $CCD_DIR/$common_name | tr -d '"' | \
  while read line; do
    network=$(echo $line | cut -f3 -d" ")
    netmask=$(echo $line | cut -f4 -d" ")
    sudo /sbin/iptables -A $RULE_COMMENT -i $dev \
                        -s $ifconfig_pool_remote_ip/32 -o eth0 \
                        -d $network/$netmask -j ACCEPT \
                        -m comment --comment $RULE_COMMENT
  done
  sudo /sbin/iptables -A FORWARD -j $RULE_COMMENT
  sudo /sbin/iptables -t nat -A POSTROUTING \
                      -s $ifconfig_pool_remote_ip/32 -o eth0 \
                      -j MASQUERADE \
                      -m comment --comment $RULE_COMMENT
fi

exit 0

## ovpn_disconnect.sh
#!/usr/bin/env bash
#
#  Remove iptables rules based on CCD client config.
#

# 1st param - name of table
# 2nd param - rule comment
get_iptables_rule_by_comment () {
  echo $(sudo /sbin/iptables -nL $1 --line-numbers | grep -m 1 $2 | cut -f1 -d" ")
}

get_iptables_nat_rule_by_comment () {
  echo $(sudo /sbin/iptables -nL $1 -t nat --line-numbers | grep -m 1 $2 | cut -f1 -d" ")
}

RULE_COMMENT="OVPN_"$common_name

# Delete link to FORWARD rule first
rule_number=$(get_iptables_rule_by_comment FORWARD $RULE_COMMENT)
if [ "$rule_number" ]; then
  sudo /sbin/iptables -D FORWARD $rule_number
fi

# Delete MASQUERADE rule
rule_number=$(get_iptables_nat_rule_by_comment POSTROUTING $RULE_COMMENT)
if [ "$rule_number" ]; then
  sudo /sbin/iptables -D POSTROUTING $rule_number -t nat
fi

# Delete user-specific chain
if [ "$RULE_COMMENT" ]; then
  echo $RULE_COMMENT
  sudo /sbin/iptables -F $RULE_COMMENT
  sudo /sbin/iptables -X $RULE_COMMENT
fi

exit 0
	#!/usr/bin/env bash

	# Cleanup iptables
	iptables -F
	iptables -X
	iptables -t raw -F
	iptables -t raw -X
	iptables -t nat -F
	iptables -t nat -X
	iptables -t mangle -F
	iptables -t mangle -X
	iptables -t security -F
	iptables -t security -X
	iptables -P INPUT DROP
	iptables -P OUTPUT DROP
	iptables -P FORWARD DROP

	iptables -I INPUT -i lo -j ACCEPT
	iptables -I INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
	iptables -I INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

	iptables -I OUTPUT -o lo -j ACCEPT
	iptables -I OUTPUT -o eth0 -d 0.0.0.0/0 -j ACCEPT

	iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

	# Launch OpenVPN
	exec openvpn --config /etc/openvpn/openvpn.conf
	#!/usr/bin/env bash
	#
	# Add iptables rules based on CCD client config.
	#

	CCD_DIR="/etc/openvpn/ccd"

	# iptables rule comment - the disconnect script will
	# remove all strings matching this pattern
	RULE_COMMENT="OVPN_"$common_name

	if [ -f $CCD_DIR/$common_name ]; then
	sudo /sbin/iptables -N $RULE_COMMENT
	grep "^push \"route" $CCD_DIR/$common_name \| tr -d '"' \| \
	while read line; do
	network=$(echo $line \| cut -f3 -d" ")
	netmask=$(echo $line \| cut -f4 -d" ")
	sudo /sbin/iptables -A $RULE_COMMENT -i $dev \
	-s $ifconfig_pool_remote_ip/32 -o eth0 \
	-d $network/$netmask -j ACCEPT \
	-m comment --comment $RULE_COMMENT
	done
	sudo /sbin/iptables -A FORWARD -j $RULE_COMMENT
	sudo /sbin/iptables -t nat -A POSTROUTING \
	-s $ifconfig_pool_remote_ip/32 -o eth0 \
	-j MASQUERADE \
	-m comment --comment $RULE_COMMENT
	fi

	exit 0
	#!/usr/bin/env bash
	#
	# Remove iptables rules based on CCD client config.
	#

	# 1st param - name of table
	# 2nd param - rule comment
	get_iptables_rule_by_comment () {
	echo $(sudo /sbin/iptables -nL $1 --line-numbers \| grep -m 1 $2 \| cut -f1 -d" ")
	}

	get_iptables_nat_rule_by_comment () {
	echo $(sudo /sbin/iptables -nL $1 -t nat --line-numbers \| grep -m 1 $2 \| cut -f1 -d" ")
	}

	RULE_COMMENT="OVPN_"$common_name

	# Delete link to FORWARD rule first
	rule_number=$(get_iptables_rule_by_comment FORWARD $RULE_COMMENT)
	if [ "$rule_number" ]; then
	sudo /sbin/iptables -D FORWARD $rule_number
	fi

	# Delete MASQUERADE rule
	rule_number=$(get_iptables_nat_rule_by_comment POSTROUTING $RULE_COMMENT)
	if [ "$rule_number" ]; then
	sudo /sbin/iptables -D POSTROUTING $rule_number -t nat
	fi

	# Delete user-specific chain
	if [ "$RULE_COMMENT" ]; then
	echo $RULE_COMMENT
	sudo /sbin/iptables -F $RULE_COMMENT
	sudo /sbin/iptables -X $RULE_COMMENT
	fi

	exit 0