usage() {
cat <<'EOF'
-usage: ${0##*/} [OPTIONS] [IPV6_ADDR/BITS IPV6_DEFAULT_ROUTE]
-
--4 I prefix of range for ipv4, default 10.8.0
--d Do not push dns
--n Name. default = server. 2 servers on the same host need different names.
--p Port. default 1194
--r Do not push default route
--s Do not start openvpn
+usage: ${0##*/} [OPTIONS] [IPV6_ADDR/BITS]
+
+-4 Prefix of range for ipv4, default 10.8.0
+-6 IP6_NETWORK Do ip6 nat for this network. ipv6 will work without nat,
+ but you may want it in certain circumstances.
+-d Do not push dns
+-n NAME default = server. 2 servers on the same host need different names.
+-p PORT default 1194
+-r Do not push default route
+-s Do not start openvpn
-h --help print help
Sets up a vpn server which pushes gateway route and dns server so all
start=true
ip4=10.8.0
name=server
-temp=$(getopt -l help 4:dn:p:rsh "$@") || usage 1
+temp=$(getopt -l help 4:6:dn:p:rsh "$@") || usage 1
eval set -- "$temp"
while true; do
case $1 in
-4) ip4=$2; shift 2 ;;
+ -6) ip6net=$2; shift 2 ;;
-d) dns=false; shift ;;
-n) name=$2; shift 2 ;;
-p) port=$2; shift 2 ;;
EOF
-mkdir -p /etc/openvpn/client-config
-
-
if $dns; then
# Be the dns server for clients
cat >>$conf <<EOF
if [[ $ip6 ]]; then
cat >>$conf <<EOF
push tun-ipv6 # legacy option that flidas needs, has no harm.
-ifconfig-ipv6 $ip6 $ip6route
+# the ::1 is not used, i just put a short valid address there
+ifconfig-ipv6 $ip6 ::1
EOF
sed -i --follow-symlinks '/^ *net.ipv6.conf.all.forwarding=.*/d' /etc/sysctl.conf
gw=$(ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p' | head -n1)
-cat >/etc/systemd/system/vpnnat.service <<EOF
-[Unit]
-Description=Turns on nat iptables setting
-
+d=/etc/systemd/system/$vpn_service.service.d
+mkdir -p $d
+f=$d/nat.conf
+cat >$f <<EOF
[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/sbin/iptables -t nat -A POSTROUTING -s $ip4.0/24 -o $gw -j MASQUERADE
-ExecStop=/sbin/iptables -t nat -D POSTROUTING -s $ip4.0/24 -o $gw -j MASQUERADE
-
-[Install]
-WantedBy=$vpn_service.service
+ExecStartPre=/sbin/iptables -t nat -A POSTROUTING -s $ip4.0/24 -o $gw -j MASQUERADE
+ExecStopPost=/sbin/iptables -t nat -D POSTROUTING -s $ip4.0/24 -o $gw -j MASQUERADE
+EOF
+if [[ $ip6net ]]; then
+ cat >>$f <<EOF
+ExecStartPre=/sbin/ip6tables -t nat -A POSTROUTING -s $ip6net -o $gw -j MASQUERADE
+ExecStopPost=/sbin/ip6tables -t nat -D POSTROUTING -s $ip6net -o $gw -j MASQUERADE
EOF
-systemctl daemon-reload # needed if the file was already there
-# note, no need to start it, the vpn_service does that.
-systemctl enable vpnnat
+ systemctl daemon-reload # needed if the file was already there
-if $start; then
- systemctl enable $vpn_service
- systemctl restart $vpn_service
+ if $start; then
+ systemctl enable $vpn_service
+ systemctl restart $vpn_service
+ fi
fi
iankelling.org / git / vpn-setup / blobdiff