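#!/bin/sh
#
# vpn.sh -- Simple lil-stupid OpenBSD 6.3 -> Debian 9.13/Linux 2.6.32 VPN. Good
# enough. The ip6tables parts are untested (lack of IPv6 NAT support
# @ GleSYS OpenVZ VPS) so please mail me if it works. Thanks!
#
# Copyright (C) 2018-2024 Andreas Forsgren
# All rights reserved.
#
# Usage: vpn.sh SSH-ARGS...
#
# SSH-ARGS is everything ssh(1) needs to reach the server *as root* (the
# remote side runs ifconfig, iptables and writes /proc/sys), for example
# "root@vpn.example.org" or "-p 2222 root@host".  It is kept as one string
# ($S) and word-split on purpose: socat's EXEC address needs a flat command.
#
# Running the script brings the tunnel up; running it again tears it down.
# The presence of a local tap0 decides which way round.
#
# How it works: a local socat owns /dev/tap0 and shovels raw Ethernet frames
# through "ssh $S socat TUN,..." to a tap0 on the server.  Both ends share the
# /31 192.168.123.0/31 (and fe80::192.168.123.0/127); the server forwards and
# masquerades.  The client installs a default route through the tunnel at
# priority 6 and a *blackhole* default at priority 7: if the tunnel route ever
# disappears, traffic falls through to the blackhole instead of the regular
# default route (priority 8 or higher) -- a kill switch.  DNS is pinned with
# pf: queries to the client's own nameservers are rdr-to'd to the server's
# nameserver and nat-to'd to the tunnel address, so they cannot leak either.
#
# NOTE(review): the ssh transport itself also matches the priority-6 default,
# so a more specific route to the server must exist outside this script or the
# tunnel would try to carry its own packets -- confirm on the client.
# NOTE(review): Linux does not forward packets whose source is link-local
# (fe80::/10), so the IPv6 leg as written probably needs a routable prefix;
# it is untested, per the header above.
#
# Error handling is fail-fast (set -e).  If setup dies half-way the machine is
# left in whatever state it reached; the next run sees tap0 and takes the
# teardown path, and the cleanup at the top of the setup path removes stale
# kill-switch routes and pf rules from a run that never got that far.

# -e/-x live in the body rather than the shebang so they survive "sh vpn.sh".
set -xe

S=$*

# die MSG...: print MSG to stderr and abort.
die() {
	printf 'vpn.sh: %s\n' "$*" >&2
	exit 1
}

# is_ip4 ADDR / is_ip6 ADDR: shallow sanity check on an address before it is
# spliced into a pf ruleset.  The values come from the server's resolv.conf,
# i.e. from the other side of the ssh session, so anything that is not made of
# plain address characters is rejected rather than handed to pfctl.
is_ip4() {
	case $1 in
	'' | *[!0-9.]*) return 1 ;;
	esac
	return 0
}
is_ip6() {
	case $1 in
	'' | *[!0-9A-Fa-f:.]*) return 1 ;;
	esac
	return 0
}

[ "$S" = "" ] && die "usage: vpn.sh SSH-ARGS..."

if ! ifconfig tap0; then
	# Clear leftovers from an earlier run that died before finishing:
	# kill-switch routes and the DNS rules.  Each step is independent and
	# "nothing to clean up" is not an error.
	route del -inet6 default ::1 -priority 7 -blackhole || true
	route del default 127.0.0.1 -priority 7 -blackhole || true
	pfctl -f /etc/pf.conf || true

	# Plug in the cable: the local socat owns /dev/tap0, the remote socat
	# (run through ssh) creates tap0 on the server.  -b 1514 is a 1500-byte
	# MTU plus the 14-byte Ethernet header, and iff-no-pi drops Linux'
	# packet-info prefix, so one read is one frame on both ends.  The "\,"
	# survive double quotes and tell socat the commas are not its own
	# option separators.
	socat -b 1514 EXEC:"ssh $S socat \
	    TUN\,tun-name=tap0\,tun-type=tap\,iff-no-pi -" GOPEN:/dev/tap0 &
	socat_pid=$!

	# Wait for tap0 on both ends, but not forever: ssh can hang or the
	# remote socat can fail, and an unbounded loop would never report it.
	tries=0
	while ! ssh $S ifconfig tap0 || ! ifconfig tap0; do
		tries=$((tries + 1))
		if [ "$tries" -gt 30 ]; then
			kill "$socat_pid" 2>/dev/null || true
			die "tap0 did not come up on both ends within 30s"
		fi
		sleep 1
	done

	# Setup server: address the far end of the /31, turn on forwarding and
	# masquerade whatever arrives from the client's tunnel address.  The
	# redirections are escaped so they happen in the remote shell, not here.
	ssh $S ifconfig tap0 inet 192.168.123.0 netmask 255.255.255.254
	ssh $S ifconfig tap0 add fe80::192.168.123.0/127
	ssh $S echo 1 \> /proc/sys/net/ipv4/ip_forward
	ssh $S echo 1 \> /proc/sys/net/ipv6/conf/all/forwarding
	ssh $S iptables -t nat -A POSTROUTING -s 192.168.123.1 -j MASQUERADE
	ssh $S ip6tables -t nat -A POSTROUTING -s fe80::192.168.123.1 -j \
	    MASQUERADE || true # XXX: Remove true & test works later.

	# Redirect DNS: take the server's first IPv4 and first IPv6 nameserver.
	s4=$(ssh $S cat /etc/resolv.conf | grep -E '^nameserver .*\.' \
	    | head -n 1 | awk '{ print $2 }')
	s6=$(ssh $S cat /etc/resolv.conf | grep -E '^nameserver .*:' \
	    | head -n 1 | awk '{ print $2 }')

	# Both values are spliced into pf rules below.  Refuse anything that is
	# not address-shaped, and refuse to go on when the client uses an
	# address family for which the server has no resolver at all: an empty
	# rdr-to target is a syntax error that makes pfctl reject the ruleset.
	if grep -Eq '^nameserver .*\.' /etc/resolv.conf; then
		is_ip4 "$s4" || die "no usable IPv4 nameserver on server: '$s4'"
	fi
	if grep -Eq '^nameserver .*:' /etc/resolv.conf; then
		is_ip6 "$s6" || die "no usable IPv6 nameserver on server: '$s6'"
	fi

	# One pair of rules per client nameserver: rewrite the destination to
	# the server's resolver, then pass it quick with the tunnel address as
	# source so the reply comes back through tap0.  Prepending to
	# /etc/pf.conf keeps the operator's own ruleset intact.  pfctl's exit
	# status is lost in the pipeline, so the "pf enabled" banner is the
	# success check; pfctl stops at a ruleset error before it gets to -e,
	# so the banner never appears and set -e aborts the script.
	(
	grep -E '^nameserver .*\.' /etc/resolv.conf | while read -r _ c4; do
		printf 'match out proto { tcp, udp } to %s port 53 rdr-to %s\n' \
		    "$c4" "$s4"
		printf 'pass out quick proto { tcp, udp } to %s port 53 nat-to 192.168.123.1\n' \
		    "$s4"
	done
	grep -E '^nameserver .*:' /etc/resolv.conf | while read -r _ c6; do
		printf 'match out proto { tcp, udp } to %s port 53 rdr-to %s\n' \
		    "$c6" "$s6"
		printf 'pass out quick proto { tcp, udp } to %s port 53 nat-to fe80::192.168.123.1\n' \
		    "$s6"
	done
	) | cat - /etc/pf.conf | pfctl -e -f - 2>&1 | tee /dev/stderr | grep -Eq \
	    '^(pf enabled|pfctl: pf already enabled)$'

	# Enable protection: blackhole defaults at priority 7.  They lose to
	# the priority-6 tunnel routes added below, but beat the regular
	# default route, so traffic stops rather than leaks if tap0 goes away.
	route add default 127.0.0.1 -priority 7 -blackhole
	route add -inet6 default ::1 -priority 7 -blackhole

	# Setup client: our end of the /31 and the default routes through it.
	ifconfig tap0 inet 192.168.123.1 netmask 255.255.255.254
	ifconfig tap0 inet6 fe80::192.168.123.1 prefixlen 127
	route add default 192.168.123.0 -priority 6
	route add -inet6 default fe80::192.168.123.0%tap0 -priority 6
else
	# Teardown runs in the reverse order of setup and stays fail-fast on
	# purpose: if a tunnel route cannot be removed, the script stops before
	# the kill switch is lifted instead of leaving traffic free to leak.

	# Teardown client...
	route del -inet6 default fe80::192.168.123.0%tap0 -priority 6
	route del default 192.168.123.0 -priority 6
	ifconfig tap0 inet6 delete fe80::192.168.123.1 prefixlen 127
	ifconfig tap0 inet delete 192.168.123.1 netmask 255.255.255.254

	# Disable protection...
	route del -inet6 default ::1 -priority 7 -blackhole
	route del default 127.0.0.1 -priority 7 -blackhole

	# Restore DNS: reload the operator's ruleset without our prepended rules.
	pfctl -f /etc/pf.conf

	# Teardown server...
	ssh $S ip6tables -t nat -D POSTROUTING -s fe80::192.168.123.1 -j \
	    MASQUERADE || true # XXX: Remove true & test works later.
	ssh $S iptables -t nat -D POSTROUTING -s 192.168.123.1 -j MASQUERADE
	ssh $S echo 0 \> /proc/sys/net/ipv6/conf/all/forwarding
	ssh $S echo 0 \> /proc/sys/net/ipv4/ip_forward
	ssh $S ifconfig tap0 del fe80::192.168.123.0/127
	ssh $S ifconfig tap0 del 192.168.123.0 netmask 255.255.255.254

	# Unplug the cable.  Kill only the socat that holds /dev/tap0 (its
	# command line is distinctive) rather than every socat on the box; the
	# remote socat goes away with its ssh session.  Wait for both tap0s to
	# vanish, bounded so a stuck process is reported instead of hung on.
	pkill -f 'socat.*GOPEN:/dev/tap0'
	tries=0
	while ifconfig tap0 || ssh $S ifconfig tap0; do
		tries=$((tries + 1))
		[ "$tries" -le 30 ] || die "tap0 still present on an end after 30s"
		sleep 1
	done
fi
exit 0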