Merge pull request #219 from r0p0s3c/iptables

move iptables/nat functionality to a function

bin/ovpn_run

@@ -35,6 +35,21 @@ function addArg {
     fi
 }
 
+# set up iptables rules and routing
+# this allows rules/routing to be altered by supplying this function
+# in an included file, such as ovpn_env.sh
+function setupIptablesAndRouting {
+    iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE || {
+      iptables -t nat -A POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE
+    }
+    for i in "${OVPN_ROUTES[@]}"; do
+        iptables -t nat -C POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE || {
+          iptables -t nat -A POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE
+        }
+    done
+}
+
+
 addArg "--config" "$OPENVPN/openvpn.conf"
 
 source "$OPENVPN/ovpn_env.sh"
@@ -53,14 +68,10 @@ fi
 
 # Setup NAT forwarding if requested
 if [ "$OVPN_DEFROUTE" != "0" ] || [ "$OVPN_NAT" == "1" ] ; then
-    iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE || {
+	# call function to setup iptables rules and routing
-      iptables -t nat -A POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE
+	# this allows rules to be customized by supplying
-    }
+	# a replacement function in, for example, ovpn_env.sh
-    for i in "${OVPN_ROUTES[@]}"; do
+	setupIptablesAndRouting
-        iptables -t nat -C POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE || {
-          iptables -t nat -A POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE
-        }
-    done
 fi
 
 # Use a hacky hardlink as the CRL Needs to be readable by the user/group
@@ -85,4 +96,3 @@ fi
 
 echo "Running 'openvpn ${ARGS[@]} ${USER_ARGS[@]}'"
 exec openvpn ${ARGS[@]} ${USER_ARGS[@]}
-

test/config.sh

@@ -12,5 +12,6 @@ imageTests+=(
         basic
         dual-proto
         otp
+	iptables
 	'
 )

test/tests/iptables/run.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+set -e
+
+[ -n "${DEBUG+x}" ] && set -x
+OVPN_DATA=basic-data
+IMG="kylemanna/openvpn"
+NAME="ovpn-test"
+SERV_IP=$(ip -4 -o addr show scope global  | awk '{print $4}' | sed -e 's:/.*::' | head -n1)
+
+# generate server config including iptables nat-ing
+docker volume create --name $OVPN_DATA
+docker run --rm -v $OVPN_DATA:/etc/openvpn $IMG ovpn_genconfig -u udp://$SERV_IP -N
+docker run -v $OVPN_DATA:/etc/openvpn --rm -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass
+
+# Fire up the server
+docker run -d --name $NAME -v $OVPN_DATA:/etc/openvpn --cap-add=NET_ADMIN $IMG
+
+# check default iptables rules
+docker exec -ti $NAME bash -c 'source /etc/openvpn/ovpn_env.sh; eval iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o eth0 -j MASQUERADE'
+
+# append new setupIptablesAndRouting function to config
+docker exec -ti $NAME bash -c 'echo function setupIptablesAndRouting { iptables -t nat -A POSTROUTING -m comment --comment "test"\;} >> /etc/openvpn/ovpn_env.sh'
+
+# kill server in preparation to modify config
+docker kill $NAME
+docker rm $NAME
+
+# check that overridden function exists and that test iptables rules is active
+docker run -d --name $NAME -v $OVPN_DATA:/etc/openvpn --cap-add=NET_ADMIN $IMG
+docker exec -ti $NAME bash -c 'source /etc/openvpn/ovpn_env.sh; type -t setupIptablesAndRouting && iptables -t nat -C POSTROUTING -m comment --comment "test"'
+
+#
+# kill server
+#
+
+docker kill $NAME
+docker rm $NAME
+docker volume rm $OVPN_DATA