Enable VPN sharing over wifi on MacOS
#!/bin/sh
# https://roelant.net/2015/share-your-vpn-mac-el-capitan.html
# https://docs.freebsd.org/en/books/handbook/firewalls/#firewalls-pf

# Clear all rules and reload the default pf.conf (runs for both "on" and "off")
sudo pfctl -F all -f /etc/pf.conf

if [ "$1" = "off" ]
then
    echo "VPN sharing turned off"
    exit 0
elif [ "$1" = "on" ]
then
    # Enable gateway (IPv4 and IPv6 forwarding)
    sudo sysctl net.inet.ip.forwarding=1
    sudo sysctl net.inet6.ip6.forwarding=1

    # Replace with the interface used by internet sharing
    HOTSPOT_INTERFACE=bridge100
    # Replace utun3 with the current VPN interface, ifconfig | grep -A 2 <vpn_client_ip>
    VPN_INTERFACE=utun3

    # NAT traffic from the hotspot network out through the VPN interface
    RULE="nat on $VPN_INTERFACE from $HOTSPOT_INTERFACE:network to any -> ($VPN_INTERFACE)"
    FILE=./rule.conf

    if [ -f "$FILE" ]; then
        echo "Existing rule file found, deleting..."
        rm "$FILE"
    fi
    echo "$RULE" | tee -a "$FILE"

    # Load the rule file and enable pf
    sudo pfctl -f "$FILE" -e
    echo "VPN sharing turned ON"
fi
# # enable gateway at system boot
# sysrc gateway_enable=yes
# sysrc ipv6_gateway_enable=yes
###########################################
# #
# # Default PF configuration file.
# #
# # This file contains the main ruleset, which gets automatically loaded
# # at startup. PF will not be automatically enabled, however. Instead,
# # each component which utilizes PF is responsible for enabling and disabling
# # PF via -E and -X as documented in pfctl(8). That will ensure that PF
# # is disabled only when the last enable reference is released.
# #
# # Care must be taken to ensure that the main ruleset does not get flushed,
# # as the nested anchors rely on the anchor point defined here. In addition,
# # to the anchors loaded by this file, some system services would dynamically
# # insert anchors into the main ruleset. These anchors will be added only when
# # the system service is used and would removed on termination of the service.
# #
# # See pf.conf(5) for syntax.
# #
# #
# # com.apple anchor point
# #
# scrub-anchor "com.apple/*"
# nat-anchor "com.apple/*"
# rdr-anchor "com.apple/*"
# dummynet-anchor "com.apple/*"
# anchor "com.apple/*"
# load anchor "com.apple" from "/etc/pf.anchors/com.apple"
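
Added example, not part of the original gist: a helper that resolves the VPN interface from `ifconfig` output by its client IP (the lookup the `VPN_INTERFACE` comment describes) and refuses interface names that are not plain alphanumerics before building the NAT rule. The function names, the sample `ifconfig` text and its addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the gist author's code). Function names and the
# ifconfig text in sample_ifconfig are constructed for illustration.

# Print the interface that owns IPv4 address $1; reads ifconfig output on stdin.
iface_for_ip() {
    awk -v ip="$1" '
        /^[A-Za-z0-9]+: flags=/ { iface = $1; sub(/:$/, "", iface) }
        $1 == "inet" && $2 == ip { print iface; found = 1; exit }
        END { exit !found }
    '
}

# Accept only names made of letters and digits, so nothing else can be
# interpolated into the pf rule or the shell command line.
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the NAT rule the script writes to rule.conf; fail on a bad name.
build_nat_rule() {
    valid_iface "$1" && valid_iface "$2" || return 1
    printf 'nat on %s from %s:network to any -> (%s)\n' "$1" "$2" "$1"
}

# Constructed sample of macOS-style ifconfig output.
sample_ifconfig() {
    cat <<'EOF'
bridge100: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
    inet6 fe80::1%utun0 prefixlen 64 scopeid 0x10
utun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1400
    inet 10.8.0.2 --> 10.8.0.1 netmask 0xffffff00
EOF
}

# Demo: resolve the interface for the sample VPN client IP, then print the rule.
VPN_INTERFACE=$(sample_ifconfig | iface_for_ip 10.8.0.2) &&
    build_nat_rule "$VPN_INTERFACE" bridge100
```

On the Mac, pipe the real `ifconfig` output into `iface_for_ip`, and parse-check the generated rule file with `pfctl -n -f` before loading it.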