diff --git a/openvpn-install.sh b/openvpn-install.sh
index 0d2c796..7b79512 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -122,14 +122,14 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
 PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2)
 if pgrep firewalld; then
- IP=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24 -j SNAT --to ' | cut -d " " -f 10)
+ IP=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.15.30.0/24 '"'"'!'"'"' -d 10.15.30.0/24 -j SNAT --to ' | cut -d " " -f 10)
 # Using both permanent and not permanent rules to avoid a firewalld reload.
 firewall-cmd --zone=public --remove-port=$PORT/$PROTOCOL
- firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
+ firewall-cmd --zone=trusted --remove-source=10.15.30.0/24
 firewall-cmd --permanent --zone=public --remove-port=$PORT/$PROTOCOL
- firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
- firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
- firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
+ firewall-cmd --permanent --zone=trusted --remove-source=10.15.30.0/24
+ firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.15.30.0/24 ! -d 10.15.30.0/24 -j SNAT --to $IP
+ firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.15.30.0/24 ! -d 10.15.30.0/24 -j SNAT --to $IP
 else
 systemctl disable --now openvpn-iptables.service
 rm -f /etc/systemd/system/openvpn-iptables.service
@@ -256,7 +256,7 @@ dh dh.pem
 auth SHA512
 tls-auth ta.key 0
 topology subnet
-server 10.8.0.0 255.255.255.0
+server 10.15.30.0 255.255.255.0
 ifconfig-pool-persist ipp.txt" > /etc/openvpn/server.conf
 echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
 # DNS 
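Review bot: The removal branch in this hunk hard-codes the new subnet 10.15.30.0/24 in the `--remove-source` and `--remove-rule` calls, so a server that was installed by the previous version of the script (10.8.0.0/24) keeps its trusted-zone source and SNAT rule after uninstall, and the `IP=$(... | grep ...)` line then matches nothing, which would likely leave `--to $IP` without an argument. Since this branch already reads `port` and `proto` from /etc/openvpn/server.conf, read the subnet the same way, e.g. `VPN_NET=$(grep '^server ' /etc/openvpn/server.conf | cut -d " " -f 2)/24` (the /24 follows the fixed 255.255.255.0 mask written in the second hunk), and use `$VPN_NET` in place of the literal in each firewall-cmd line. The same literal is repeated in the second hunk (`server` line) and throughout the third hunk (firewalld rules and the openvpn-iptables unit); a single variable defined once near the top of the script would keep install, uninstall and the unit in step. The enclosing `if [[ -e /etc/openvpn/server.conf ]]` block starts before this hunk and its `else` branch continues past it.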
@@ -310,25 +310,25 @@ crl-verify crl.pem" >> /etc/openvpn/server.conf
 # We don't use --add-service=openvpn because that would only work with
 # the default port and protocol.
 firewall-cmd --zone=public --add-port=$PORT/$PROTOCOL
- firewall-cmd --zone=trusted --add-source=10.8.0.0/24
+ firewall-cmd --zone=trusted --add-source=10.15.30.0/24
 firewall-cmd --permanent --zone=public --add-port=$PORT/$PROTOCOL
- firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
+ firewall-cmd --permanent --zone=trusted --add-source=10.15.30.0/24
 # Set NAT for the VPN subnet
- firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
- firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
+ firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.15.30.0/24 ! -d 10.15.30.0/24 -j SNAT --to $IP
+ firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.15.30.0/24 ! -d 10.15.30.0/24 -j SNAT --to $IP
 else
 # Create a service to set up persistent iptables rules
 echo "[Unit]
 Before=network.target
 [Service]
 Type=oneshot
-ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
+ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.15.30.0/24 ! -d 10.15.30.0/24 -j SNAT --to $IP
 ExecStart=/sbin/iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT
-ExecStart=/sbin/iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
+ExecStart=/sbin/iptables -I FORWARD -s 10.15.30.0/24 -j ACCEPT
 ExecStart=/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
+ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.15.30.0/24 ! 
-d 10.15.30.0/24 -j SNAT --to $IP
 ExecStop=/sbin/iptables -D INPUT -p $PROTOCOL --dport $PORT -j ACCEPT
-ExecStop=/sbin/iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
+ExecStop=/sbin/iptables -D FORWARD -s 10.15.30.0/24 -j ACCEPT
 ExecStop=/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 RemainAfterExit=yes
 [Install]