#!/bin/bash
#
# Parses options from openvpn to update resolv.conf
#
# The only way to enforce that a linux system will not leak DNS
# queries is to replace /etc/resolv.conf with a file that only
# has the DNS resolver specified by the VPN.
#
# That is what this script does. This is what resolvconf is for,
# but sadly it does not always work.
#
# Example envs set from openvpn:
# foreign_option_1='dhcp-option DNS 193.43.27.132'
# foreign_option_2='dhcp-option DNS 193.43.27.133'
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
#

function up() {

  comment=$(
cat <<SETVAR
#
# This is a temporary resolv.conf set by the LEAP Client in order to
# strictly enforce that DNS lookups are secured by the VPN.
#
# When the LEAP Client quits or the VPN connection it manages is dropped,
# this file will be replace with the regularly scheduled /etc/resolv.conf
#
# If you want custom entries to appear in this file while LEAP is running,
# put them in /etc/leap/resolv-head or /etc/leap/resolv-tail. These files
# should only be writable by root.
#

SETVAR
)

  if [ -f /etc/leap/resolv-head ] ; then
    custom_head=$(cat /etc/leap/resolv-head)
  else
    custom_head=""
  fi

  if [ -f /etc/leap/resolv-tail ] ; then
    custom_tail=$(cat /etc/leap/resolv-tail)
  else
    custom_tail=""
  fi

  for optionname in ${!foreign_option_*} ; do
    option="${!optionname}"
    echo $option
    part1=$(echo "$option" | cut -d " " -f 1)
    if [ "$part1" == "dhcp-option" ] ; then
      part2=$(echo "$option" | cut -d " " -f 2)
      part3=$(echo "$option" | cut -d " " -f 3)
      if [ "$part2" == "DNS" ] ; then
        IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
      fi
      if [ "$part2" == "DOMAIN" ] ; then
        IF_DNS_SEARCH="$IF_DNS_SEARCH $part3"
      fi
    fi
  done
  R=""
  for SS in $IF_DNS_SEARCH ; do
          R="${R}search $SS
"
  done
  for NS in $IF_DNS_NAMESERVERS ; do
          R="${R}nameserver $NS
"
  done
  mv /etc/resolv.conf /etc/resolv.conf.bak
  echo "$comment
$custom_head
$R
$custom_tail" > /etc/resolv.conf
}

function down() {
  if [ -f /etc/resolv.conf.bak ] ; then
    unlink /etc/resolv.conf
    mv /etc/resolv.conf.bak /etc/resolv.conf
  fi
}

case $script_type in
  up)   up   ;;
  down) down ;;
esac