From a2adb59d693ae295cb1ef4c827d2d54796826667 Mon Sep 17 00:00:00 2001
From: r0p0s3c
Date: Tue, 14 Feb 2017 15:34:24 -0500
Subject: [PATCH 1/5] move iptables/nat functionality to a function (setupIptablesAndRouting)

This allows iptables rule update to be overridden by creating/supplying that function in, for example, ovpn_env.sh
---
 bin/ovpn_run | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/bin/ovpn_run b/bin/ovpn_run
index 7ba16b1..0112a0e 100755
--- a/bin/ovpn_run
+++ b/bin/ovpn_run
@@ -35,6 +35,18 @@ function addArg {
 fi
 }
+function setupIptablesAndRouting {
+ iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE || {
+ iptables -t nat -A POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE
+ }
+ for i in "${OVPN_ROUTES[@]}"; do
+ iptables -t nat -C POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE || {
+ iptables -t nat -A POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE
+ }
+ done
+}
+
+
 addArg "--config" "$OPENVPN/openvpn.conf"
 source "$OPENVPN/ovpn_env.sh"
@@ -53,14 +65,7 @@ fi
 # Setup NAT forwarding if requested
 if [ "$OVPN_DEFROUTE" != "0" ] || [ "$OVPN_NAT" == "1" ] ; then
- iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE || {
- iptables -t nat -A POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE
- }
- for i in "${OVPN_ROUTES[@]}"; do
- iptables -t nat -C POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE || {
- iptables -t nat -A POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE
- }
- done
+ setupIptablesAndRouting
 fi
 # Use a hacky hardlink as the CRL Needs to be readable by the user/group
@@ -85,4 +90,3 @@ fi
 echo "Running 'openvpn ${ARGS[@]} ${USER_ARGS[@]}'"
 exec openvpn ${ARGS[@]} ${USER_ARGS[@]}
-
From e8b568a0b96b2a39c35f6d1d73ff4fc30ee05908 Mon Sep 17 00:00:00 2001
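Review bot: In the new setupIptablesAndRouting body, `$OVPN_SERVER` and `$OVPN_NATDEVICE` are expanded unquoted in all four iptables calls while `$i` in the loop is quoted; an empty or unset value simply vanishes from the argument list instead of being passed through, so iptables sees a malformed command rather than a clear "variable not set" failure. Since this function is now the template that an ovpn_env.sh override will be modelled on, quote both, e.g. `iptables -t nat -C POSTROUTING -s "$OVPN_SERVER" -o "$OVPN_NATDEVICE" -j MASQUERADE || {` and the matching `-A` line, plus the two `-o "$OVPN_NATDEVICE"` uses inside the loop. Under `set -u` with bash older than 4.4, `"${OVPN_ROUTES[@]}"` aborts when the array is unset; if ovpn_run enables `-u` (not visible here), guard with `"${OVPN_ROUTES[@]:-}"` or a default assignment. The two trailing blank `+` lines before addArg can be reduced to one.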
From: r0p0s3c
Date: Tue, 14 Feb 2017 16:40:40 -0500
Subject: [PATCH 2/5] add additional documentation clarifying calling of function, purpose, and how to override it
---
 bin/ovpn_run | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/bin/ovpn_run b/bin/ovpn_run
index 0112a0e..14db9f0 100755
--- a/bin/ovpn_run
+++ b/bin/ovpn_run
@@ -35,6 +35,9 @@ function addArg {
 fi
 }
+# set up iptables rules and routing
+# this allows rules/routing to be altered by supplying this function
+# in an included file, such as ovpn_env.sh
 function setupIptablesAndRouting {
 iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE || {
 iptables -t nat -A POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE
@@ -65,6 +68,9 @@ fi
 # Setup NAT forwarding if requested
 if [ "$OVPN_DEFROUTE" != "0" ] || [ "$OVPN_NAT" == "1" ] ; then
+ # call function to setup iptables rules and routing
+ # this allows rules to be customized by supplying
+ # a replacement function in, for example, ovpn_env.sh
 setupIptablesAndRouting
 fi
From 0e3f34effd5a02150a97d937d86bbff66fae59fe Mon Sep 17 00:00:00 2001
From: r0p0s3c
Date: Thu, 16 Feb 2017 15:04:06 -0500
Subject: [PATCH 3/5] add test for iptables rules customization functionality
---
 test/tests/iptables/run.sh | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 test/tests/iptables/run.sh

diff --git a/test/tests/iptables/run.sh b/test/tests/iptables/run.sh
new file mode 100644
index 0000000..b35cefd
--- /dev/null
+++ b/test/tests/iptables/run.sh
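Review bot: The new header comment describes the function as setting up "iptables rules and routing", but the body shown in context only checks for and appends POSTROUTING MASQUERADE entries; no route is added, unless "routing" is meant to refer to the POSTROUTING chain. An operator writing a replacement in ovpn_env.sh needs to know exactly what they must reproduce, so a more precise header such as `# add NAT (MASQUERADE) rules for $OVPN_SERVER and each entry of OVPN_ROUTES on $OVPN_NATDEVICE` would serve better. The second hunk repeats the same three-line explanation at the call site; one sentence pointing to the definition ("overridable, see setupIptablesAndRouting above") is enough. The rest of the function body lies outside this hunk.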
@@ -0,0 +1,38 @@
+#!/bin/bash
+set -e
+
+[ -n "${DEBUG+x}" ] && set -x
+OVPN_DATA=basic-data
+IMG="kylemanna/openvpn"
+NAME="ovpn-test"
+SERV_IP=$(ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::' | head -n1)
+
+# generate server config including iptables nat-ing
+docker volume create --name $OVPN_DATA
+docker run --rm -v $OVPN_DATA:/etc/openvpn $IMG ovpn_genconfig -u udp://$SERV_IP -N
+docker run -v $OVPN_DATA:/etc/openvpn --rm -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass
+
+# Fire up the server
+docker run -d --name $NAME -v $OVPN_DATA:/etc/openvpn --cap-add=NET_ADMIN $IMG
+
+# check default iptables rules
+docker exec -ti $NAME bash -c 'source /etc/openvpn/ovpn_env.sh; eval iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o eth0 -j MASQUERADE'
+
+# append new setupIptablesAndRouting function to config
+docker exec -ti $NAME bash -c 'echo function setupIptablesAndRouting { iptables -t nat -A POSTROUTING -m comment --comment "test"\;} >> /etc/openvpn/ovpn_env.sh'
+
+# kill server in preparation to modify config
+docker kill $NAME
+docker rm $NAME
+
+# check that overridden function exists and that test iptables rules is active
+docker run -d --name $NAME -v $OVPN_DATA:/etc/openvpn --cap-add=NET_ADMIN $IMG
+docker exec -ti $NAME bash -c 'source /etc/openvpn/ovpn_env.sh; type -t setupIptablesAndRouting && iptables -t nat -C POSTROUTING -m comment --comment "test"'
+
+#
+# kill server
+#
+
+docker kill $NAME
+docker rm $NAME
+docker volume rm $OVPN_DATA
From 4fd8296a62ee9dcae0194457ad8d949d9a1d35f7 Mon Sep 17 00:00:00 2001
From: r0p0s3c
Date: Thu, 16 Feb 2017 15:09:22 -0500
Subject: [PATCH 4/5] add iptables test to list of tests
---
 test/config.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/test/config.sh b/test/config.sh
index 1f7e82c..4beb51f 100644
--- a/test/config.sh
+++ b/test/config.sh
@@ -12,5 +12,6 @@ imageTests+=( basic dual-proto otp + iptables ' )
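Review bot: Under `set -e` the container and volume this test creates are removed only on the success path; any failing `docker exec` assertion leaves `ovpn-test` and `basic-data` behind, and the next run's `docker run --name $NAME` then fails on the name conflict rather than on the real problem. Register the cleanup once near the top, e.g. `trap 'docker rm -f "$NAME" >/dev/null 2>&1; docker volume rm "$OVPN_DATA" >/dev/null 2>&1' EXIT`, keeping only the mid-script kill/rm pair that is needed to restart the server with the modified config. The first assertion hardcodes `-o eth0` whereas ovpn_run builds its rule from `$OVPN_NATDEVICE`; if ovpn_env.sh sets that variable (not visible here), using `-o $OVPN_NATDEVICE` inside the same single-quoted command keeps the test in step with the script. The `-t` in `docker exec -ti` requests a tty and fails when the test runs without one, as in CI; `-i` alone is sufficient for these non-interactive commands.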
From cbf9cbf43337f9e6547de9b1a8c020a518609989 Mon Sep 17 00:00:00 2001
From: r0p0s3c
Date: Thu, 16 Feb 2017 15:28:31 -0500
Subject: [PATCH 5/5] fix permission on test script
---
 test/tests/iptables/run.sh | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 test/tests/iptables/run.sh

diff --git a/test/tests/iptables/run.sh b/test/tests/iptables/run.sh
old mode 100644
new mode 100755