mr.Rhee

ANSWERED [Linux] Script - start IPTables, swap DNS, call OpenVPN, restore DNS on OpenVPN closing:


OK, I posted a support query on shutting down OpenVPN. As it turned out OpenVPN is set to automatically restart if the connection is dropped. Shutting down via Ctrl C is (as a Linux user at least) apparently the way to do it if you have started OpenVPN in a Terminal.

 

My shutting down using Ctrl C was causing the /usr/share/openvpn/update-resolv-conf script to become confused as it was out of sync with itself & threw an error whenever I tried to start OpenVPN after it had been closed via Ctrl C. (Which is why this thread & the support ticket started.)

 

The start.VPN.sh script was born:

 

It requires that you make the following two files;

 

/etc/resolv.conf_VPN
/etc/resolv.conf_VPN.bak

These two identical files carry the following:

# For use when OpenVPN is running:
domain home
nameserver 10.4.0.1 # AirVPN DNS
nameserver 8.8.8.8  # Backup DNS (Google DNS)

 

 

Following is what the script does, in order:

 

* The script calls IPTables at its beginning, & shows the user that it is running via output to the Terminal. (See link to how-to at the bottom of the page.)

 

* It then checks that /etc/resolv.conf & /etc/resolv.conf_VPN exist.

 

* Then it checks to see if they are the same size (which is to protect from the resolv.conf_VPN not having been swapped back to having the AirVPN DNS on the last OpenVPN shutdown).

 

* If the files are the same size, then the script copies the /etc/resolv.conf_VPN.bak file to /etc/resolv.conf_VPN .

 

* Now the contents of the /etc/resolv.conf & the /etc/resolv.conf_VPN files are swapped. Meaning /etc/resolv.conf now has the AirVPN DNS followed by the Google DNS in it.

 

* Now is the time to call OpenVPN & your chosen server, my current call follows:

 

openvpn --config /etc/openvpn/AirVPN_NL-Dorsum_UDP-443.ovpn

AirVPN using its own DNS should now be running.

 

* When OpenVPN is closed via Ctrl C or via the Disconnect Now button, or however else you can close it, the first thing that happens (providing that you have IPTables set up correctly) is that all internet connections are terminated. This is all in the hands of the IPTables that was started at the beginning of the script (IPTables must be set up by you beforehand).

 

* Then /etc/resolv.conf & the /etc/resolv.conf_VPN files swap their contents again, meaning that /etc/resolv.conf now has the DNS or your router's IP address that it had in it before this script was started.

 

That is it for what the script does.

 

 

The start.VPN.sh script:

 

#!/bin/bash
## Starts IPTables & shows that it is running.
## Then:
## Function to swap 2 files holding DNS addresses, /etc/resolv.conf
## & /etc/resolv.conf_VPN.
## To protect from the possibility of the resolv.conf with non-VPN
## DNS address overwriting your resolv.conf_VPN & causing you to use
## the wrong DNS, this script now checks whether resolv.conf &
## resolv.conf_VPN are the same, & if they are, then resolv.conf_VPN
## is replaced by its backup, ie, /etc/resolv.conf_VPN.bak.
##
## After the above is done, then OpenVPN with AirVPN server is
## called. When OpenVPN closes, the resolv.conf files are swapped
## back again, so the original, non VPN file (DNS) is restored to
## /etc/resolv.conf .
## You need to create the /etc/resolv.conf_VPN & the
## /etc/resolv.conf_VPN.bak files with the AirVPN DNS & a backup
## DNS that is NOT your ISP's DNS.
##
## I use the following 4 lines of text for those two previously
## mentioned files:
##
## # AirVPN DNS followed by Google's DNS:
##   domain home
##   nameserver 10.4.0.1
##   nameserver 8.8.8.8
##
###########################################

# Turn on iptables - which protects my IP by allowing only VPN DNS
# if I lose VPN all internet connections are immediately stopped.
systemctl start iptables.service
systemctl status iptables.service
iptables -nvL --line-numbers

#Check entered arguments (use the inbuilt defaults unless both paths were given)
if [ -z "$1" ] || [ -z "$2" ]
then
    echo "Using inbuilt defaults"
    file1="/etc/resolv.conf"
    file2="/etc/resolv.conf_VPN"
else
    file1="$1"
    file2="$2"
fi

#Check if the files exist
if [ ! -f "$file1" ] || [ ! -f "$file2" ]
then
    echo "File(s) doesn't exist"
    exit 1
fi

#Check whether the files are the same. cmp -s exits 0 when the contents
#match, which means the last run never swapped the VPN DNS back.
if cmp -s "$file1" "$file2"
then
    echo "Files $file1 $file2 same"
    echo "Replacing $file2 with $file2.bak"
    if [ ! -f "$file2.bak" ]
    then
        echo "File $file2.bak doesn't exist"
        echo "Exiting.."
        exit 1
    else
        cp "$file2.bak" "$file2"
    fi
fi

#The swap function: exchanges the contents of the two files given as
#arguments. A temporary file from mktemp is used rather than a file in
#whatever the current directory happens to be; cp -p keeps the mode of
#the resolv file so it stays readable after the move.
swap()
{
    local tmp
    tmp=$(mktemp) || exit 1
    cp -p "$2" "$tmp"
    mv "$1" "$2"
    mv "$tmp" "$1"
}

#Swap the files
swap "$file1" "$file2"
echo "Files $file1 and $file2 swapped"

#Do openVPN stuff
openvpn --config /etc/openvpn/AirVPN_NL-Dorsum_UDP-443.ovpn

#Again swap the files, ie, go back to the original state
swap "$file2" "$file1"
echo "Files $file2 and $file1 swapped"

# Turn off iptables - this allows usage of NON-VPN internet & DNS
# this is here for certain circumstances when it may be useful.
# Just uncomment the following two lines if needed. Doing so
# renders the identity protection that may be offered by your
# IPTables setup useless.
#systemctl stop iptables.service
#echo "Turned off iptables - normal internet is now accessible BEWARE!"

#Done
exit 0

 

Calling the script via a ~/.bashrc alias:

 

By adding the following alias (see below) to your ~/.bashrc you can call the start.VPN.sh script by just entering vpn at the Terminal prompt. (You need to change the path to the start.VPN.sh script to suit where you have it stored on your system.)

 

alias vpn="sudo su -c ~/.config/openvpn/start.VPN.sh"

 

 

After having entered any alias (or making any other edits) in your ~/.bashrc you need to reinitialize the Terminal to activate any changes to your ~/.bashrc. You can do this by closing & restarting your Terminal, or you can enter the following in the Terminal:

 

source .bashrc

 

I actually have an alias for the above command in my ~/.bashrc too, as follows:

 

alias src="source .bashrc"

 

Using the above alias src in the Terminal, runs the source .bashrc command.

 

I've not yet tried running the start.VPN.sh script from inside of the /etc/openvpn/AirVPN .ovpn file. I'll post my results when I have some.

 

Associated Links:

 

I haven't yet tried calling the script from inside of the /etc/openvpn/AirVPN .ovpn file. I'll post & hopefully edit the page when I've tried that.

 

This is the how-to that I used to get IPTables setup:

 

https://airvpn.org/topic/9139-prevent-leaks-with-linux-iptables/?hl=%2Biptables+%2Bleaks+%2Blinux

 

Here is the solution to my silly error when setting up IPTables:

 

https://airvpn.org/topic/10598-linux-set-up-firewall-as-per-how-to-from-staff-member/

 

This is the link to the update-resolv-conf page:

 

https://airvpn.org/topic/9608-how-to-accept-dns-push-on-linux-systems-with-resolvconf/
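Added example, not the script from the post above: the post restores the original DNS file by swapping again after openvpn returns, which only happens if the script itself survives the shutdown. The snippet below does the same resolv.conf swap but registers an EXIT trap so the pre-VPN file is put back however the script ends, and it refuses to overwrite a leftover backup from a run that was interrupted before restoring (the same failure the post's same-size check guards against). The DNS lines, the .orig backup name and the run_with_vpn_dns function are assumptions made for this example; run it against a temporary file before pointing it at the real /etc/resolv.conf.

```shell
#!/bin/sh
# Constructed example (not the original post's script): install VPN DNS
# settings into a resolv.conf file, run a command, and restore the
# original file when the command exits, including after Ctrl-C.

# Assumed DNS content; 10.4.0.1 is the AirVPN resolver the post names,
# 8.8.8.8 the backup it uses.
VPN_RESOLV_CONTENT='# VPN DNS (assumed example content)
domain home
nameserver 10.4.0.1
nameserver 8.8.8.8'

# Preserve the pre-VPN resolver file as <path>.orig. A leftover .orig from
# a run that was killed before restoring is kept rather than overwritten,
# so the real pre-VPN config is never replaced by VPN DNS lines.
backup_resolv() {
    if [ -e "$1.orig" ]; then
        echo "keeping existing $1.orig from an earlier unfinished run" >&2
        return 0
    fi
    cp -p "$1" "$1.orig"
}

# Write the VPN resolver lines into the live file.
write_vpn_resolv() {
    printf '%s\n' "$VPN_RESOLV_CONTENT" > "$1"
}

# Put the pre-VPN file back; returns 1 if there is nothing to restore.
restore_resolv() {
    [ -e "$1.orig" ] || return 1
    mv -f "$1.orig" "$1"
}

# run_with_vpn_dns <resolv path> <command...>
# Swaps in VPN DNS, runs the command, and restores on any exit path.
# Returns 2 if the resolv file is missing, otherwise the command's status.
run_with_vpn_dns() {
    resolv="$1"; shift
    [ -f "$resolv" ] || { echo "$resolv does not exist" >&2; return 2; }
    backup_resolv "$resolv" || return 2
    # The EXIT trap fires if the shell itself is terminated while the
    # command is running, so the swap-back does not depend on reaching
    # the lines below.
    trap 'restore_resolv "$resolv"' EXIT
    write_vpn_resolv "$resolv"
    "$@"
    status=$?
    restore_resolv "$resolv"
    trap - EXIT
    return "$status"
}

# Stand-alone use (as root), wrapping an OpenVPN session as the post does:
# run_with_vpn_dns /etc/resolv.conf openvpn --config /etc/openvpn/AirVPN_NL-Dorsum_UDP-443.ovpn
```

The firewall part of the post is unchanged by this: iptables still has to be up before the VPN starts so that a dropped tunnel cuts traffic rather than leaking it while the trap restores the old resolver.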

I noticed that a small though important part of the script was missing. It is up near the top titled The start.VPN.sh script was born:

 

I was interrupted when editing the new OP yesterday (for some hours) & had to log in again or something & it looks like it caused me to loose a bit of the post for some reason?
