forked from tasket/qubes-tunnel
-
Notifications
You must be signed in to change notification settings - Fork 4
/
qtunnel-connect
executable file
·75 lines (67 loc) · 2.46 KB
/
qtunnel-connect
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
#!/usr/bin/bash
###########################################################################
## qtunnel-connect
##
## Handles DHCP-source DNS addresses & link notification for Qubes VPN VMs.
## To use, set as 'up' and 'down' script with parameter in your VPN config.
##
## Use 'tunnel_dns' environment var as override/alternative.
## In openvpn config, format is: setenv tunnel_dns 'X.X.X.X Y.Y.Y.Y [...]'
##
## Christopher Laprise, 2018 - https://github.com/tasket
set -e
export PATH="$PATH:/usr/sbin:/sbin:/bin"
nspath=/var/run/qubes/qubes-tunnel-ns
rm -f $nspath
case "$1" in
up|test-up)
rm -f $nspath
if [[ -z "$tunnel_dns" ]] ; then
# Parses DHCP option variables to set DNS address translation:
for optionname in ${!foreign_option_*} ; do
option="${!optionname}"
unset fops; fops=($option)
if [ ${fops[1]} == "DNS" ] ; then tunnel_dns="${fops[2]} $tunnel_dns" ; fi
done
fi
;;&
up)
if [[ -n "$tunnel_dns" ]] ; then
# Set DNS address translation in firewall:
echo "$tunnel_dns " >$nspath
echo "Using DNS servers $tunnel_dns"
iptables -t nat -F PR-QBS
# Securely restart firewall (Qubes ver <4 only)
if ! iptables -L QBS-FORWARD; then
systemctl restart qubes-firewall
else
. /var/run/qubes/qubes-ns
q_addr=""
for DNS in $tunnel_dns; do
iptables -t nat -I PR-QBS $q_addr -i vif+ -p tcp --dport 53 -j DNAT --to $DNS
iptables -t nat -I PR-QBS $q_addr -i vif+ -p udp --dport 53 -j DNAT --to $DNS
q_addr="-d $NS1"
done
fi
su - -c 'notify-send "$(hostname): LINK IS UP." --icon=network-idle' user
else
su - -c 'notify-send "$(hostname): LINK UP, NO DNS!" --icon=dialog-error' user
fi
;;
test-up)
## Use test-up parameter to test your basic VPN link before enabling firewall script.
## Do NOT use beyond testing period.
if [[ -z "$tunnel_dns" ]]; then echo "NO DNS ADDRESS FOUND."; exit 0; fi
[ -e /etc/resolv.vpnbak ] || cp -a /etc/resolv.conf /etc/resolv.vpnbak
rm /etc/resolv.conf
for DNS in $tunnel_dns; do
echo "nameserver $DNS" >>/etc/resolv.conf
done
/usr/lib/qubes/qubes-setup-dnat-to-ns
su - -c 'notify-send "$(hostname): TEST LINK IS UP." --icon=network-idle' user
;;
down)
iptables -t nat -F PR-QBS
su - -c 'notify-send "$(hostname): LINK IS DOWN !" --icon=dialog-error' user
;;
esac