X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=vpn-server-setup;h=6254f0f7a9fe0825232959245f0786b9f82ba311;hb=e6ee9ad43e4e1605f27d73555045f1e82ea5bc1c;hp=0710dc801072e749df602364226a5fbd216d082b;hpb=1b488c8053cff1f09d025a20dc765a2079417eff;p=vpn-setup diff --git a/vpn-server-setup b/vpn-server-setup index 0710dc8..6254f0f 100755 --- a/vpn-server-setup +++ b/vpn-server-setup @@ -21,14 +21,16 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR usage() { cat <<'EOF' -usage: ${0##*/} [OPTIONS] [IPV6_ADDR/BITS IPV6_DEFAULT_ROUTE] - --4 I prefix of range for ipv4, default 10.8.0 --d Do not push dns --n Name. default = server. 2 servers on the same host need different names. --p Port. default 1194 --r Do not push default route --s Do not start openvpn +usage: ${0##*/} [OPTIONS] [IPV6_ADDR/BITS] + +-4 Prefix of range for ipv4, default 10.8.0 +-6 IP6_NETWORK Do ip6 nat for this network. ipv6 will work without nat, + but you may want it in certain circumstances. +-d Do not push dns +-n NAME default = server. 2 servers on the same host need different names. +-p PORT default 1194 +-r Do not push default route +-s Do not start openvpn -h --help print help Sets up a vpn server which pushes gateway route and dns server so all @@ -37,7 +39,7 @@ debian specific paths. For ipv6, we assume ipv6_addr routes to the server. -You can save all the keys by storing /etc/openvpn/easy-rsa/keys, and +You can save all the keys by storing /etc/openvpn/easy-rsa-NAME/keys, and the script will not generate them if it sees they exist already. For future updates to this script, this is a good place to @@ -54,11 +56,12 @@ route=true start=true ip4=10.8.0 name=server -temp=$(getopt -l help 4:dn:p:rsh "$@") || usage 1 +temp=$(getopt -l help 4:6:dn:p:rsh "$@") || usage 1 eval set -- "$temp" while true; do case $1 in -4) ip4=$2; shift 2 ;; + -6) ip6net=$2; shift 2 ;; -d) dns=false; shift ;; -n) name=$2; shift 2 ;; -p) port=$2; shift 2 ;; 
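Review bot: The rewritten first help line, `usage: ${0##*/} [OPTIONS] [IPV6_ADDR/BITS]`, sits inside `cat <<'EOF'`, and a quoted delimiter disables expansion, so the help prints the literal text `${0##*/}` instead of the script name. Printing that line separately before the heredoc, `printf 'usage: %s [OPTIONS] [IPV6_ADDR/BITS]\n' "${0##*/}"`, fixes it without expanding anything else in the help text. The `-4` entry also has no argument placeholder while `-6 IP6_NETWORK`, `-n NAME` and `-p PORT` do; `-4 PREFIX` would match them. The body of usage() continues outside the hunk.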
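Review bot: `ip6net` is assigned only in the new `-6)` arm and has no default beside `ip4=10.8.0` and `name=server`, so when the flag is absent, a value inherited from the caller's environment would be used silently. An explicit `ip6net=` next to the other defaults closes that gap, and also keeps later references safe if the script runs under `set -u` (not visible here). The value is accepted as given, and since the help text says it selects the network for ip6 nat, a malformed argument would presumably end up in the generated firewall configuration. A shape check after the option loop rejects typos early, e.g. `[[ -z $ip6net || $ip6net =~ ^[0-9A-Fa-f:]+/[0-9]+$ ]] || usage 1`. The option loop continues outside the hunk.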
@@ -210,9 +213,6 @@ s/^dh dh1024.pem/dh dh2048.pem/ EOF -mkdir -p /etc/openvpn/client-config - - if $dns; then # Be the dns server for clients cat >>$conf <>$conf </etc/systemd/system/vpnnat.service <$f <>$f <