
Add ByPass via server VPN support

This commit is contained in:
Ycarus (Yannick Chabanois) 2023-12-30 08:50:57 +01:00
parent 2160d47f4f
commit 5427b7a40c
3 changed files with 84 additions and 16 deletions


@ -48,10 +48,13 @@ return L.view.extend({
o = s.option(form.Value, 'name', _('Domain'));
o.rmempty = false;
o = s.option(form.Flag, 'vpn', _('VPN on server'),_('Bypass using VPN configured on server.'));
o = s.option(widgets.DeviceSelect, 'interface', _('Interface'),_('When none selected, MPTCP master interface is used.'));
o.noaliases = true;
o.noinactive = true;
o.nocreate = true;
o.depends('vpn', '0');
o = s.option(form.Value, 'note', _('Note'));
o.rmempty = true;
@ -78,10 +81,13 @@ return L.view.extend({
o = s.option(form.Value, 'ip', _('IP'));
o.rmempty = false;
o = s.option(form.Flag, 'vpn', _('VPN on server'),_('Bypass using VPN configured on server.'));
o = s.option(widgets.DeviceSelect, 'interface', _('Interface'),_('When none selected, MPTCP master interface is used.'));
o.noaliases = true;
o.noinactive = true;
o.nocreate = true;
o.depends('vpn', '0');
o = s.option(form.Value, 'note', _('Note'));
o.rmempty = true;
@ -199,10 +205,14 @@ return L.view.extend({
o = s.option(form.Value, 'asn', _('ASN'));
o.rmempty = false;
o = s.option(form.Flag, 'vpn', _('VPN on server'),_('Bypass using VPN configured on server.'));
o = s.option(widgets.DeviceSelect, 'interface', _('Interface'),_('When none selected, MPTCP master interface is used.'));
o.noaliases = true;
o.noinactive = true;
o.nocreate = true;
o.depends('vpn', '0');
o = s.option(form.Value, 'note', _('Note'));
o.rmempty = true;
@ -255,10 +265,13 @@ return L.view.extend({
},this));
};
o = s.option(form.Flag, 'vpn', _('VPN on server'),_('Bypass using VPN configured on server.'));
o = s.option(widgets.DeviceSelect, 'interface', _('Interface'),_('When none selected, MPTCP master interface is used (or an other interface if master is down).'));
o.noaliases = true;
o.noinactive = true;
o.nocreate = true;
o.depends('vpn', '0');
o = s.option(form.Value, 'note', _('Note'));
o.rmempty = true;
@ -278,6 +291,7 @@ return L.view.extend({
o = s.option(form.Flag, 'ndpi', _('Enable ndpi'));
o.default = o.enabled;
o.modalonly = true
o.depends('vpn', '0');
}
return m.render();
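Review bot: The same `vpn` Flag plus `interface` DeviceSelect block is pasted into four sections (hunks at 48, 78, 199 and 255, with only the description string differing in the last one), so any later change to the dependency wiring — for example another option that should also get `o.depends('vpn', '0');` like the `ndpi` Flag at 278 — has to be repeated four times. A small helper taking the section object and the description string and adding both options would keep that in one place. The new `vpn` Flag carries neither `rmempty` nor `default`; as far as I recall an unchecked Flag still yields its disabled value for `depends`, but an explicit `o.default = o.disabled;` would make the intent clear. The enclosing `L.view.extend` render body starts and ends outside these hunks.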


@ -73,8 +73,8 @@ _bypass_domains() {
config_get enabled $1 enabled
config_get noipv6 $1 noipv6
config_get family $1 family
config_get vpn $1 vpn
[ -z "$intf" ] && intf="all"
config_get vpn $1 vpn
[ "$vpn" = "1" ] && intf="srv_vpn1"
[ "$enabled" = "0" ] && return
[ -z "$domain" ] && return
@ -391,6 +391,9 @@ _bypass_proto() {
config_get ndpi $1 ndpi
config_get noipv6 $1 noipv6
config_get family $1 family
config_get vpn $1 vpn
[ "$vpn" = "1" ] && intf="srv_vpn1"
[ "$enabled" = "0" ] && return
[ -z "$noipv6" ] && noipv6="0"
[ -z "$family" ] && family="ipv4ipv6"
@ -400,7 +403,7 @@ _bypass_proto() {
[ -z "$intf" ] && intf="all"
[ -z "$proto" ] && return
if [ "$(uci -q get openmptcprouter.settings.ndpi)" != "0" ] && [ "$ndpi" != "0" ]; then
if [ "$(uci -q get openmptcprouter.settings.ndpi)" != "0" ] && [ "$ndpi" != "0" ] && [ "$vpn" != "1" ]; then
if [ "$intf" = "all" ]; then
if [ "$family" = "ipv4" ] || [ "$family" = "ipv4ipv6" ]; then
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
@ -487,6 +490,9 @@ _bypass_proto_without_ndpi() {
config_get ndpi $1 ndpi "0"
config_get noipv6 $1 noipv6
config_get family $1 family
config_get vpn $1 vpn
[ "$vpn" = "1" ] && intf="srv_vpn1"
[ "$enabled" = "0" ] && return
[ -z "$noipv6" ] && noipv6="0"
[ -z "$family" ] && family="ipv4ipv6"
@ -496,22 +502,32 @@ _bypass_proto_without_ndpi() {
[ -z "$intf" ] && intf="all"
[ -z "$proto" ] && return
if [ "$(uci -q get openmptcprouter.settings.ndpi)" == "0" ] || [ "$ndpi" == "0" ]; then
if [ "$(uci -q get openmptcprouter.settings.ndpi)" == "0" ] || [ "$ndpi" == "0" ] || [ "$vpn" = "1" ]; then
ALLIPS=$(sqlite3 /usr/share/omr-bypass/omr-bypass.db "select ip from ipproto where proto=\"$proto\";" ".exit")
if [ -n "$ALLIPS" ]; then
ipset -q flush bypass_$proto > /dev/null 2>&1
ipset -q flush bypass6_$proto > /dev/null 2>&1
ipset -q --exist restore <<-EOF
create bypass_$proto hash:net hashsize 64
create bypass6_$proto hash:net family inet6 hashsize 64
EOF
if [ "$vpn" != "1" ]; then
ipset -q flush bypass_$proto > /dev/null 2>&1
ipset -q flush bypass6_$proto > /dev/null 2>&1
ipset -q --exist restore <<-EOF
create bypass_$proto hash:net hashsize 64
create bypass6_$proto hash:net family inet6 hashsize 64
EOF
fi
for ip in $ALLIPS; do
valid_ip4=$( valid_subnet4 $ip)
valid_ip6=$( valid_subnet6 $ip)
if [ "$valid_ip4" = "ok" ]; then
ipset -q add bypass_$proto $ip
if [ "$vpn" != "1" ]; then
ipset -q add bypass_$proto $ip
else
ipset -q add omr_dst_bypass_$intf $ip
fi
elif [ "$valid_ip6" = "ok" ]; then
ipset -q add bypass6_$proto $ip
if [ "$vpn" != "1" ]; then
ipset -q add bypass6_$proto $ip
else
ipset -q add omr6_dst_bypass_$intf $ip
fi
fi
done
if [ "$intf" = "all" ]; then
@ -531,7 +547,7 @@ _bypass_proto_without_ndpi() {
COMMIT
EOF
fi
else
elif [ "$vpn" != "1" ]; then
if [ "$family" = "ipv4" ] || [ "$family" = "ipv4ipv6" ]; then
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
@ -1025,6 +1041,12 @@ start_service() {
-A PREROUTING -j omr-bypass6
COMMIT
EOF
$IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
:omr-bypass6-local -
-A OUTPUT -m addrtype ! --dst-type LOCAL -j omr-bypass6-local
COMMIT
EOF
fi
config_load network
@ -1080,7 +1102,22 @@ start_service() {
COMMIT
EOF
fi
if [ "$disableipv6" = "0" ]; then
if [ "$($IP6TABLES --wait=40 -t mangle -L -n | grep 'match-set omr6_dst_bypass_all dst MARK set')" = "" ]; then
$IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass6 -m set --match-set omr6_dst_bypass_all dst -j MARK --set-mark 0x539
-A omr-bypass6 -m mark --mark 0x539 -j RETURN
COMMIT
EOF
$IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass6-local -m set --match-set omr6_dst_bypass_all dst -j MARK --set-mark 0x539
-A omr-bypass6-local -m mark --mark 0x539 -j RETURN
COMMIT
EOF
fi
fi
config_load shadowsocks-libev
config_foreach _ss_rules_config
config_load shadowsocks-rust
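Review bot: When `vpn` is `1`, `_bypass_proto_without_ndpi` now adds entries to `omr_dst_bypass_$intf` / `omr6_dst_bypass_$intf`, i.e. `omr_dst_bypass_srv_vpn1`, but nothing in this diff creates those sets, and `ipset -q add` on a missing set fails silently, so the bypass would become a no-op rather than an error. If the sets are created elsewhere (start_service is only partly visible here), a comment on the `else` branch naming where would help; otherwise a `create omr_dst_bypass_srv_vpn1 hash:net hashsize 64` line belongs in an `ipset -q --exist restore` heredoc before the loop. In `_bypass_domains` the hunk shows `config_get vpn $1 vpn` both before and after the `intf="all"` default; if both are on the new side the first one is redundant. The enclosing functions all begin outside their hunks.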


@ -1,12 +1,12 @@
#!/bin/sh /etc/rc.common
# Copyright (C) 2018-2019 Ycarus (Yannick Chabanois) <ycarus@zugaina.org>
# Copyright (C) 2018-2023 Ycarus (Yannick Chabanois) <ycarus@zugaina.org>
# Released under GPL 3. See LICENSE for the full terms.
START=99
USE_PROCD=1
EXTRA_COMMANDS="set_pihole backup_send backup_get backup_list set_vps_firewall get_openvpn_key set_gre_tunnel token"
EXTRA_COMMANDS="set_pihole backup_send backup_get backup_list set_vps_firewall get_openvpn_key set_gre_tunnel token set_bypass_ips"
. /usr/lib/unbound/iptools.sh
@ -944,6 +944,22 @@ _set_lan_ip() {
fi
}
_set_bypass_ips() {
local settings
[ -z "$servername" ] && servername=$1
bypassipv4s=$(ipset -q -o save list omr_dst_bypass_srv_vpn1 | awk '/add/ NF {print "\""$3"\""}' | tr '\n' ',' | sed 's/,$//')
bypassipv6s=$(ipset -q -o save list omr6_dst_bypass_srv_vpn1 | awk '/add/ NF {print "\""$3"\""}' | tr '\n' ',' | sed 's/,$//')
if [ "$bypassipv4s" != "" ] || [ "$bypassipv6s" != "" ]; then
settings='{"ipv4s" : ['$bypassipv4s'],"ipv6s" : ['$bypassipv6s'],"intf" : "vpn1"}'
result=$(_set_json "bypass" "$settings")
fi
}
set_bypass_ips() {
config_load openmptcprouter
config_foreach _set_bypass_ips server
}
_set_vpn_ip() {
local settings
[ -z "$vps_config" ] && vps_config=$(_get_json "config")
@ -997,7 +1013,7 @@ _set_client2client() {
c2cid=$((c2cid+1))
targetip=$(echo $lanip | awk -F '/' '{print $1}' | tr -d "\n")
netmask=$(echo $lanip | awk -F '/' '{print $2}' | tr -d "\n")
target=$(ipcalc.sh $targetip $netmask | grep NETWORK | awk -F '=' '{print $2}' | tr -d "\n")
target=$(ipcalc.sh $targetip/$netmask | grep NETWORK | awk -F '=' '{print $2}' | tr -d "\n")
uci -q batch <<-EOF >/dev/null
set network.omr_client2client_${c2cid}=route
set network.omr_client2client_${c2cid}.interface=omrvpn
@ -2264,6 +2280,7 @@ _config_service() {
config_foreach _get_lan_ip interface
_set_lan_ip
_set_sipalg
_set_bypass_ips
config_foreach _delete_client2client route
if [ "$(uci -q get openmptcprouter.settings.vpn)" != "openvpn" ] && [ "$(echo "$vps_config" | jsonfilter -q -e '@.client2client.enabled')" == "true" ]; then
_set_client2client
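Review bot: In `_set_bypass_ips` the awk pattern `/add/ NF` is, as far as I can tell, the string concatenation of the regex result and `NF`, which is never the empty string and so is true for every line; the `create …` header line of `ipset -o save list` would then contribute its third field to the JSON list pushed to the server. `awk '/^add/ {print "\""$3"\""}'` keeps only the member lines. `bypassipv4s`, `bypassipv6s` and `result` are assigned without `local` and leak into the caller's scope (`_config_service` invokes `_set_bypass_ips` with no argument), so `local settings bypassipv4s bypassipv6s result` is safer, and the `_set_json` return value is currently discarded, so a failed push is invisible. The set name `srv_vpn1` and `"intf" : "vpn1"` are hard-coded while the function runs once per server via `config_foreach`; that looks intended but deserves a comment.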