2014-07-06 04:39:50 +00:00
|
|
|
#!/bin/bash
|
2014-06-04 18:13:59 +00:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Run the OpenVPN server normally
|
|
|
|
|
#
|
|
|
|
|
|
2015-02-28 10:45:31 +00:00
|
|
|
if [ "$DEBUG" == "1" ]; then
|
|
|
|
|
set -x
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
set -e
|
2014-06-04 18:13:59 +00:00
|
|
|
|
2016-05-29 02:39:47 +00:00
|
|
|
cd $OPENVPN
|
|
|
|
|
|
2015-07-28 03:20:46 +00:00
|
|
|
# Build runtime arguments array based on environment
|
2016-05-29 02:36:02 +00:00
|
|
|
USER_ARGS=("${@}")
|
|
|
|
|
ARGS=()
|
|
|
|
|
|
|
|
|
|
# Checks if ARGS already contains the given value
|
|
|
|
|
function hasArg {
|
|
|
|
|
local element
|
|
|
|
|
for element in "${@:2}"; do
|
|
|
|
|
[ "${element}" == "${1}" ] && return 0
|
|
|
|
|
done
|
|
|
|
|
return 1
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Adds the given argument if it's not already specified.
|
|
|
|
|
function addArg {
|
|
|
|
|
local arg="${1}"
|
|
|
|
|
[ $# -ge 1 ] && local val="${2}"
|
|
|
|
|
if ! hasArg "${arg}" "${USER_ARGS[@]}"; then
|
|
|
|
|
ARGS+=("${arg}")
|
|
|
|
|
[ $# -ge 1 ] && ARGS+=("${val}")
|
|
|
|
|
fi
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
addArg "--config" "$OPENVPN/openvpn.conf"
|
2015-07-28 03:20:46 +00:00
|
|
|
|
2014-07-06 04:39:50 +00:00
|
|
|
source "$OPENVPN/ovpn_env.sh"
|
|
|
|
|
|
2014-06-04 18:13:59 +00:00
|
|
|
mkdir -p /dev/net
|
|
|
|
|
if [ ! -c /dev/net/tun ]; then
|
|
|
|
|
mknod /dev/net/tun c 10 200
|
|
|
|
|
fi
|
|
|
|
|
|
2015-07-28 03:20:46 +00:00
|
|
|
if [ -d "$OPENVPN/ccd" ]; then
|
2016-05-29 02:36:02 +00:00
|
|
|
addArg "--client-config-dir" "$OPENVPN/ccd"
|
2014-06-30 06:22:03 +00:00
|
|
|
fi
|
|
|
|
|
|
2015-08-24 15:19:40 +00:00
|
|
|
# When using --net=host, use this to specify nat device.
|
|
|
|
|
[ -z "$OVPN_NATDEVICE" ] && OVPN_NATDEVICE=eth0
|
|
|
|
|
|
2014-07-06 04:39:50 +00:00
|
|
|
# Setup NAT forwarding if requested
|
2015-01-17 09:00:18 +00:00
|
|
|
if [ "$OVPN_DEFROUTE" != "0" ] || [ "$OVPN_NAT" == "1" ] ; then
|
2015-08-24 15:19:40 +00:00
|
|
|
iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE || {
|
|
|
|
|
iptables -t nat -A POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE
|
2014-10-23 13:16:51 +00:00
|
|
|
}
|
2014-07-09 17:34:39 +00:00
|
|
|
for i in "${OVPN_ROUTES[@]}"; do
|
2015-08-24 15:19:40 +00:00
|
|
|
iptables -t nat -C POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE || {
|
|
|
|
|
iptables -t nat -A POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE
|
2014-10-23 13:16:51 +00:00
|
|
|
}
|
2014-07-06 04:39:50 +00:00
|
|
|
done
|
|
|
|
|
fi
|
2014-07-01 05:56:26 +00:00
|
|
|
|
2015-05-12 07:59:43 +00:00
|
|
|
# Use a hacky hardlink as the CRL Needs to be readable by the user/group
|
|
|
|
|
# OpenVPN is running as. Only pass arguments to OpenVPN if it's found.
|
|
|
|
|
if [ -r "$EASYRSA_PKI/crl.pem" ]; then
|
|
|
|
|
if [ ! -r "$OPENVPN/crl.pem" ]; then
|
|
|
|
|
ln "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem"
|
|
|
|
|
chmod 644 "$OPENVPN/crl.pem"
|
|
|
|
|
fi
|
2016-05-29 02:36:02 +00:00
|
|
|
addArg "--crl-verify" "$OPENVPN/crl.pem"
|
2015-05-12 07:59:43 +00:00
|
|
|
fi
|
|
|
|
|
|
2015-07-06 04:07:06 +00:00
|
|
|
ip -6 route show default 2>/dev/null
|
|
|
|
|
if [ $? = 0 ]; then
|
|
|
|
|
echo "Enabling IPv6 Forwarding"
|
|
|
|
|
# If this fails, ensure the docker container is run with --privileged
|
|
|
|
|
# Could be side stepped with `ip netns` madness to drop privileged flag
|
|
|
|
|
|
2015-12-29 21:33:55 +00:00
|
|
|
sysctl -w net.ipv6.conf.default.forwarding=1 || echo "Failed to enable IPv6 Forwarding default"
|
|
|
|
|
sysctl -w net.ipv6.conf.all.forwarding=1 || echo "Failed to enable IPv6 Forwarding"
|
2015-07-06 04:07:06 +00:00
|
|
|
fi
|
|
|
|
|
|
2016-05-29 02:36:02 +00:00
|
|
|
echo "Running 'openvpn ${ARGS[@]} ${USER_ARGS[@]}'"
|
|
|
|
|
exec openvpn ${ARGS[@]} ${USER_ARGS[@]}
|
|
|
|
|
|
