From: Ian Kelling <iank@fsf.org>
Date: Tue, 10 Nov 2020 19:58:44 +0000 (-0500)
Subject: allow no script, refactor systemd service
X-Git-Url: https://iankelling.org/git/?p=vpn-setup;a=commitdiff_plain;h=aa9be22d2798d15580907238cfdbf8f3ffd7364d

allow no script, refactor systemd service
---

diff --git a/vpn-mk-client-cert b/vpn-mk-client-cert
index 68f0744..59ddda5 100755
--- a/vpn-mk-client-cert
+++ b/vpn-mk-client-cert
@@ -39,8 +39,10 @@ usage: ${0##*/} VPN_SERVER_HOST
 -f               Force. Proceed even if cert already exists.
 -n CONFIG_NAME   default is client
 -o SERVER_CONFIG_NAME  Default is CONFIG_NAME
--s SCRIPT_PATH   Use custom up/down script at SCRIPT_PATH. copied to same path
-                 on client, if client is not localhost.
+-s SCRIPT_PATH   Use custom up/down script at SCRIPT_PATH. If client host is
+                 not localhost, the script is copied to it. The default
+                 script used to be /etc/openvpn/update-resolv-conf, but now
+                 that systemd-resolved is becoming popular, there is no default.
 
 Generate a client cert and config and install it on locally or on
 CLIENT_HOST if given.  Uses default config options, and expects be able
@@ -65,8 +67,6 @@ EOF
 
 shell="bash -c"
 name=client
-custom_script=false
-script=/etc/openvpn/update-resolv-conf
 client_host=$CLIENT_HOST
 force=false
 
@@ -79,7 +79,7 @@ while true; do
     -f) force=true; shift ;;
     -n) name="$2"; shift 2 ;;
     -o) server_name="$2"; shift 2 ;;
-    -s) custom_script=true; script="$2"; shift 2 ;;
+    -s) script="$2"; shift 2 ;;
     -h|--help) usage ;;
     --) shift; break ;;
     *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;;
@@ -174,14 +174,12 @@ EOF
 
 if [[ $script ]]; then
   $shell "tee -a /etc/openvpn/client/$name.conf" <<EOF
-# This script will update local dns
-# to what the server sends, if it sends dns.
 script-security 2
 up "$script"
 down "$script"
 EOF
 
-  if [[ $client_host ]] && $custom_script; then
+  if [[ $client_host && $script ]]; then
     $shell "dd of=$script" <$script
     $shell "chmod +x $script"
   fi
diff --git a/vpn-server-setup b/vpn-server-setup
index 7975946..312ddff 100755
--- a/vpn-server-setup
+++ b/vpn-server-setup
@@ -261,31 +261,23 @@ sysctl -p /etc/sysctl.conf
 
 gw=$(ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p' | head -n1)
 
-cat >/etc/systemd/system/vpnnat.service <<EOF
-[Unit]
-Description=Turns on nat iptables setting
-
-[Install]
-WantedBy=$vpn_service.service
-
+d=/etc/systemd/system/$vpn_service.service.d
+mkdir -p $d
+f=$d/nat.conf
+cat >$f <<EOF
 [Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/sbin/iptables -t nat -A POSTROUTING -s $ip4.0/24 -o $gw -j MASQUERADE
-ExecStop=/sbin/iptables -t nat -D POSTROUTING -s $ip4.0/24 -o $gw -j MASQUERADE
+ExecStartPre=/sbin/iptables -t nat -A POSTROUTING -s $ip4.0/24 -o $gw -j MASQUERADE
+ExecStopPost=/sbin/iptables -t nat -D POSTROUTING -s $ip4.0/24 -o $gw -j MASQUERADE
 EOF
-
-
 if [[ $ip6net ]]; then
-  cat >>/etc/systemd/system/vpnnat.service <<EOF
-ExecStart=/sbin/ip6tables -t nat -A POSTROUTING -s $ip6net -o $gw -j MASQUERADE
-ExecStop=/sbin/ip6tables -t nat -D POSTROUTING -s $ip6net -o $gw -j MASQUERADE
+  cat >>$f <<EOF
+ExecStartPre=/sbin/ip6tables -t nat -A POSTROUTING -s $ip6net -o $gw -j MASQUERADE
+ExecStopPost=/sbin/ip6tables -t nat -D POSTROUTING -s $ip6net -o $gw -j MASQUERADE
 EOF
-systemctl daemon-reload # needed if the file was already there
-# note, no need to start it, the vpn_service does that.
-systemctl enable vpnnat
+  systemctl daemon-reload # needed if the file was already there
 
-if $start; then
-  systemctl enable $vpn_service
-  systemctl restart $vpn_service
+  if $start; then
+    systemctl enable $vpn_service
+    systemctl restart $vpn_service
+  fi
 fi