/
vpnserver
127 lines (111 loc) · 5.12 KB
/
vpnserver
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
#!/bin/sh
### BEGIN INIT INFO
# Provides: vpnserver
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start daemon at boot time
# Description: Enable Softether by daemon.
### END INIT INFO
##########################################################################################################################################
### Configuration
#############################
DAEMON=/usr/local/vpnserver/vpnserver # Change this only if you have installed the vpnserver to an alternate location.
LOCK=/var/lock/vpnserver # No need to edit this.
TAP_ADDR=10.0.13.1 # Main IP of your TAP interface
TAP_INTERFACE=tap_softether # The name of your TAP interface.
VPN_SUBNET=10.0.13.0/24 # Virtual IP subnet you want to use within your VPN
NET_INTERFACE=eth0 # Your network adapter that connects you to the world.In OpenVZ this is venet0 for example.
IPV6_ADDR=2001:XXX:YYY:ZZZ:110:110:110:110 # You can also assign this as DNS server in dnsmasq config.
IPV6_SUBNET=2001:XXX:YYY:ZZZ::/64 # Used to assign IPv6 to connecting clients. Remember to use the same subnet in dnsmasq.conf
YOUREXTERNALIP=xxx.xxx.xxx.xxx # Your machines external IPv4 address.
# Write down you IP or one of the IP adresses if you have more than one.
# Warning! NAT Machine users, here write the local IP address of your VPS instead of the external IP.
#############################
### End of Configuration
##########################################################################################################################################
test -x $DAEMON || exit 0
case "$1" in
start)
###################################### START
$DAEMON start
touch $LOCK
sleep 4
#######################################################################################
# Rules for IPTables. You can remove and use these iptables-persistent if you want
#######################################################################################
# Assign $TAP_ADDR to our tap interface
/sbin/ifconfig $TAP_INTERFACE $TAP_ADDR
#
# Forward all VPN traffic that comes from VPN_SUBNET through $NET_INTERFACE interface for outgoing packets.
iptables -t nat -A POSTROUTING -s $VPN_SUBNET -j SNAT --to-source $YOUREXTERNALIP
# Alternate rule if your server has dynamic IP
#iptables -t nat -A POSTROUTING -s $VPN_SUBNET -o $NET_INTERFACE -j MASQUERADE
#
# Allow VPN Interface to access the whole world, back and forth.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
iptables -A INPUT -s $VPN_SUBNET -m state --state NEW -j ACCEPT
iptables -A OUTPUT -s $VPN_SUBNET -m state --state NEW -j ACCEPT
iptables -A FORWARD -s $VPN_SUBNET -m state --state NEW -j ACCEPT
#
# IPv6
# This is the IP we use to reply DNS requests.
ifconfig $TAP_INTERFACE inet6 add $IPV6_ADDR
#
# Without assigning the whole /64 subnet, Softether doesn't give connecting clients IPv6 addresses.
ifconfig $TAP_INTERFACE inet6 add $IPV6_SUBNET
#
# Let's define forwarding rules for IPv6 as well...
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -j ACCEPT
ip6tables -A INPUT -j ACCEPT
ip6tables -A OUTPUT -j ACCEPT
# You can enable this for kernels 3.13 and up
# ip6tables -t nat -A POSTROUTING -o $TAP_INTERFACE -j MASQUERADE
#######################################################################################
# End of IPTables Rules
#######################################################################################
/etc/init.d/dnsmasq restart
;;
###################################### STOP
stop)
$DAEMON stop
rm $LOCK
;;
###################################### RESTART
restart)
$DAEMON stop
sleep 3
$DAEMON start
sleep 3
#######################################################################################
# Rules for IPTables.
# I used these here as well since sometimes the IP addresses tend to disappear
# So now at least we ensure they exist whilst we restart
#######################################################################################
# Assign $TAP_ADDR to our tap interface
/sbin/ifconfig $TAP_INTERFACE $TAP_ADDR
#
# IPv6
# This is the IP we use to reply DNS requests.
ifconfig $TAP_INTERFACE inet6 add $IPV6_ADDR
#
# Without assigning the whole /64 subnet, Softether doesn't give connecting clients IPv6 addresses.
ifconfig $TAP_INTERFACE inet6 add $IPV6_SUBNET
#
#######################################################################################
# End of IPTables Rules
#######################################################################################
/etc/init.d/dnsmasq restart
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0