diff options
Diffstat (limited to 'bitmask_android/openvpn/contrib/openvpn-fwmarkroute-1.00')
3 files changed, 115 insertions, 0 deletions
diff --git a/bitmask_android/openvpn/contrib/openvpn-fwmarkroute-1.00/README b/bitmask_android/openvpn/contrib/openvpn-fwmarkroute-1.00/README new file mode 100644 index 00000000..66fe61ad --- /dev/null +++ b/bitmask_android/openvpn/contrib/openvpn-fwmarkroute-1.00/README @@ -0,0 +1,44 @@ +OpenVPN fwmark Routing +Sean Reifschneider, <jafo@tummy.com> +Thursday November 27, 2003 +========================== + +These scripts can be used with OpenVPN up and down scripts to set up +routing on a Linux system such that the VPN traffic is sent via normal +network connectivity, but other traffic to that network runs over the VPN. +The idea is to allow encryption of data to the network the remote host is +on, without interfering with the VPN traffic. You can't simply add a route +to the remote network, becaues that will cause the VPN traffic to also try +to run over the VPN, and breaks the VPN. + +These scripts use the Linux "fwmark" iptables rules to specify routing +based not only on IP address, but also by port and protocol. This allows +you to effectively say "if the packet is to this IP address on this port +using this protocol, then use the normal default gateway, otherwise use the +VPN gateway. + +This is set up on the client VPN system, not the VPN server. These scripts +also set up all ICMP echo-responses to run across the VPN. You can +comment the lines in the scripts to disable this, but I find this useful +at coffee shops which have networks that block ICMP. + +To configure this, you need to set up these scripts as your up and down +scripts in the config file. You will need to set these values in the +config file: + + up /etc/openvpn/fwmarkroute.up + down /etc/openvpn/fwmarkroute.down + up-restart + up-delay + + setenv remote_netmask_bits 24 + +Note: For this to work, you can't set the "user" or "group" config options, +because then the scripts will not run as root. + +The last setting allows you to control the size of the network the remote +system is on. The remote end has to be set up to route, probably with +masquerading or NAT. The network this netmask relates to is calculated +using the value of "remote" in the conf file. + +Sean diff --git a/bitmask_android/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down b/bitmask_android/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down new file mode 100755 index 00000000..87d67d4d --- /dev/null +++ b/bitmask_android/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down @@ -0,0 +1,22 @@ +#!/bin/sh +# +# Bring down vpn routing. + +# calculate the network address +remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"` +remote_network="${remote_network#*=}" + +# clear routing via VPN +ip route del "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out +ip route del table vpnonly.out via "$5" +iptables -D OUTPUT -t mangle -p "$proto" \ + -d "$remote_network"/"$remote_netmask_bits" \ + --dport "$remote_port" -j ACCEPT +iptables -D OUTPUT -t mangle -d "$remote" -j MARK --set-mark 2 + +# undo the ICMP ping tunneling +iptables -D OUTPUT -t mangle --protocol icmp --icmp-type echo-request \ + -j MARK --set-mark 3 + +# flush route cache +ip route flush cache diff --git a/bitmask_android/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up b/bitmask_android/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up new file mode 100755 index 00000000..661ec313 --- /dev/null +++ b/bitmask_android/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up @@ -0,0 +1,49 @@ +#!/bin/sh +# +# Bring up vpn routing. + +# calculate the network address +remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"` +remote_network="${remote_network#*=}" + +# add the stuff that doesn't change if it's not already there +grep -q '^202 ' /etc/iproute2/rt_tables +if [ "$?" -ne 0 ] +then + echo 202 vpn.out >> /etc/iproute2/rt_tables +fi +grep -q '^203 ' /etc/iproute2/rt_tables +if [ "$?" -ne 0 ] +then + echo 203 vpnonly.out >> /etc/iproute2/rt_tables +fi +ip rule ls | grep -q 'lookup vpn.out *$' +if [ "$?" -ne 0 ] +then + ip rule add fwmark 2 table vpn.out +fi +ip rule ls | grep -q 'lookup vpnonly.out *$' +if [ "$?" -ne 0 ] +then + ip rule add fwmark 3 table vpnonly.out +fi + +# route VPN traffic using the normal table +iptables -A OUTPUT -t mangle -p "$proto" -d "$remote" --dport "$remote_port" \ + -j ACCEPT + +# route all other traffic to that host via VPN +iptables -A OUTPUT -t mangle -d "$remote_network"/"$remote_netmask_bits" \ + -j MARK --set-mark 2 + +# route all ICMP pings over the VPN +iptables -A OUTPUT -t mangle --protocol icmp --icmp-type echo-request \ + -j MARK --set-mark 3 + +# NAT traffic going over the VPN, so it doesn't have an unknown address +iptables -t nat -A POSTROUTING -o "$1" -j SNAT --to-source "$4" + +# add routing commands +ip route add "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out +ip route add table vpnonly.out via "$5" +ip route flush cache |