
Merge pull request #125 from YunoHost-Apps/remove-dns-resolution-ipv6-route

Remove DNS resolution for IPv6 route
HgO 5 months ago
parent
commit
6487918c41

+ 31 - 28
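--- a/conf/hook_post-iptable-rules
+++ b/conf/hook_post-iptable-rules
@@ -1,27 +1,32 @@
 #!/bin/bash
 
-server_names=$(grep -o -P '^\s*remote\s+\K([^\s]+)' /etc/openvpn/client.conf | sort | uniq)
-
-# In case an ip has been provided in ovpn conf
-host4=""
-host6=""
-for i in ${server_names}; do
-  if [[ "${i}" =~ : ]]; then
+if [[ -z "${trusted_ip}" && -z "${trusted_ip6}" ]]; then
+  server_names=$(grep -o -P '^\s*remote\s+\K([^\s]+)' /etc/openvpn/client.conf | sort | uniq)
+
+  # In case an ip has been provided in ovpn conf
+  host4=""
+  host6=""
+  for i in ${server_names}; do
+    if [[ "${i}" =~ : ]]; then
       host6+=" ${i}"
-  elif [[ "${i}" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
+    elif [[ "${i}" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
       host4+=" ${i}"
+    else
+      host6+=" $(dig AAAA +short "${i}" @127.0.0.1 | grep -v '\.$' | grep -v "timed out")"
+      host4+=" $(dig A +short "${i}" @127.0.0.1 | grep -v '\.$' | grep -v "timed out")"
+    fi
+  done
+else
+  if [[ -n "${trusted_ip6}" ]]; then
+    host6=${trusted_ip6}
   fi
-done
 
-if [[ -z "${host6}" ]]; then
-  host6=$(dig AAAA +short $server_names @127.0.0.1 | grep -v '\.$' | grep -v "timed out")
-fi
-
-if [[ -z "${host4}" ]]; then
-  host4=$(dig A +short $server_names @127.0.0.1 | grep -v '\.$' | grep -v "timed out")
+  if [[ -n "${trusted_ip}" ]]; then
+    host4=${trusted_ip}
+  fi
 fi
 
-interface=$(ip route | awk '/default via/ { print $5; }')
+wired_device=$(ip route | awk '/default via/ { print $5; }')
 dns=$(grep -o -P '^\s*nameserver\s+\K[a-fA-F\d.:]+$' /etc/resolv.dnsmasq.conf | sort | uniq)
 
 # IPv6
@@ -37,14 +42,13 @@ ip6tables -w -A vpnclient_in -p tcp --dport 443 -j ACCEPT
 ip6tables -w -A vpnclient_in -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 ip6tables -w -A vpnclient_in -j DROP
 
-if [ ! -z "${host6}" ]; then
+if [[ ! -z "${host6}" ]]; then
   for i in ${host6}; do
     ip6tables -w -A vpnclient_out -d "${i}" -j ACCEPT
   done
 fi
 
-for i in ${dns};
-do
+for i in ${dns}; do
   if [[ "${i}" =~ : ]]; then
     ip6tables -w -A vpnclient_out -p udp -d "${i}" --dport 53 -j ACCEPT
   fi
@@ -58,9 +62,9 @@ ip6tables -w -A vpnclient_out -j DROP
 
 ip6tables -w -A vpnclient_fwd -j DROP
 
-ip6tables -w -I INPUT 1 -i $interface -j vpnclient_in
-ip6tables -w -I OUTPUT 1 -o $interface -j vpnclient_out
-ip6tables -w -I FORWARD 1 -o $interface -j vpnclient_fwd
+ip6tables -w -I INPUT 1 -i $wired_device -j vpnclient_in
+ip6tables -w -I OUTPUT 1 -o $wired_device -j vpnclient_out
+ip6tables -w -I FORWARD 1 -o $wired_device -j vpnclient_fwd
 
 # IPv4
 
@@ -75,14 +79,13 @@ iptables -w -A vpnclient_in -p tcp --dport 443 -j ACCEPT
 iptables -w -A vpnclient_in -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 iptables -w -A vpnclient_in -j DROP
 
-if [ ! -z "${host4}" ]; then
+if [[ ! -z "${host4}" ]]; then
   for i in ${host4}; do
     iptables -w -A vpnclient_out -d "${i}" -j ACCEPT
   done
 fi
 
-for i in ${dns};
-do
+for i in ${dns}; do
   if [[ "${i}" =~ \. ]]; then
     iptables -w -A vpnclient_out -p udp -d "${i}" --dport 53 -j ACCEPT
   fi
@@ -95,8 +98,8 @@ iptables -w -A vpnclient_out -j DROP
 
 iptables -w -A vpnclient_fwd -j DROP
 
-iptables -w -I INPUT 1 -i $interface -j vpnclient_in
-iptables -w -I OUTPUT 1 -o $interface -j vpnclient_out
-iptables -w -I FORWARD 1 -o  $interface -j vpnclient_fwd
+iptables -w -I INPUT 1 -i $wired_device -j vpnclient_in
+iptables -w -I OUTPUT 1 -o $wired_device -j vpnclient_out
+iptables -w -I FORWARD 1 -o  $wired_device -j vpnclient_fwd
 
 exit 0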
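Review bot: `wired_device=$(ip route | awk '/default via/ { print $5; }')` prints one name per default route (or nothing), and the renamed `-i $wired_device` / `-o $wired_device` in the INPUT/OUTPUT/FORWARD insertions are still unquoted, so a multi-line value splits into extra iptables arguments and an empty one leaves `-i` with no argument; the same detection line is introduced in route-down.d/30-vpnclient-unset-server-ipv6-route and route-up.d/30-vpnclient-set-server-ipv6-route. Take the first match and quote the expansion: `wired_device=$(ip route | awk '/default via/ { print $5; exit }')` and `ip6tables -w -I INPUT 1 -i "${wired_device}" -j vpnclient_in` (likewise for the other five rules). The `trusted_ip`/`trusted_ip6` branch deserves a one-line comment that these come from OpenVPN's environment for the peer actually connected, which is why the ACCEPT rules are scoped to that single address. In the fallback branch the `dig` results are appended without the `sort | uniq` the old code applied, so a name with repeated records now adds duplicate rules; harmless, but worth either restoring the de-duplication or noting it.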

+ 16 - 17
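--- a/conf/scripts/route-down.d/30-vpnclient-unset-server-ipv6-route
+++ b/conf/scripts/route-down.d/30-vpnclient-unset-server-ipv6-route
@@ -1,36 +1,35 @@
 #!/bin/bash
 
 is_serverip6route_set() {
-  local server_ip6s=${1}
+  local server_ip6=${1}
 
-  if [[ -z "${server_ip6s}" ]]; then
+  if [[ -z "${server_ip6}" ]]; then
     return 0
   fi
 
-  for server_ip6 in ${server_ip6s}; do
-    if ! ip -6 route | grep -q "^${server_ip6}"; then
-      return 1
-    fi
-  done
+  if ! ip -6 route | grep -q "^${server_ip6}"; then
+    return 1
+  fi
 }
 
 unset_serverip6route() {
-  local server_ip6s=${1}
+  local server_ip6=${1}
   local ip6_gw=${2}
   local wired_device=${3}
 
-  for server_ip6 in ${server_ip6s}; do
-    ip route delete "${server_ip6}/128" via "${ip6_gw}" dev "${wired_device}"
-  done
+  ip route delete "${server_ip6}/128" via "${ip6_gw}" dev "${wired_device}"
 }
 
-old_ip6_gw=$(yunohost app setting vpnclient ip6_gw)
-old_wired_device=$(yunohost app setting vpnclient wired_device)
-old_server_ip6=$(yunohost app setting vpnclient server_ip6)
+wired_device=$(ip route | awk '/default via/ { print $5; }')
+
+# See https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/#environmental-variables
+# to have a list of variables provided by OpenVPN, i.e:
+# - ifconfig_ipv6_remote
+# - net_gateway_ipv6
 
 # Check old state of the server ipv6 route
-if [[ -n "${old_server_ip6}" && -n "${old_ip6_gw}" && -n "${old_wired_device}" ]]; then
-  if is_serverip6route_set "${old_server_ip6}"; then
-    unset_serverip6route "${old_server_ip6}" "${old_ip6_gw}" "${old_wired_device}"
+if [[ -n "${ifconfig_ipv6_remote}" && -n "${net_gateway_ipv6}" && -n "${wired_device}" ]]; then
+  if is_serverip6route_set "${ifconfig_ipv6_remote}"; then
+    unset_serverip6route "${ifconfig_ipv6_remote}" "${net_gateway_ipv6}" "${wired_device}"
   fi
 fi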
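Review bot: The host route is now keyed on `ifconfig_ipv6_remote`, which, as I read the OpenVPN manual linked in the new comment, is the remote endpoint of the tunnel's `--ifconfig-ipv6` pair rather than the address the client connected to; if so, the /128 route via `net_gateway_ipv6` on the wired device targets the tunnel-internal peer, not the VPN server. The iptables hook in this same commit uses `trusted_ip6` for the server's address, and route-up.d/30-vpnclient-set-server-ipv6-route makes the same `ifconfig_ipv6_remote` choice, so please confirm which variable is intended and use it consistently in both scripts. Separately, `grep -q "^${server_ip6}"` in is_serverip6route_set is a prefix match, so (constructed example) `2001:db8::1` also matches an existing route for `2001:db8::10`; anchoring on the trailing space, `grep -q "^${server_ip6} "`, avoids a false "already set". The function is duplicated verbatim in the route-up script, so the fix belongs in both.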

+ 5 - 2
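--- a/conf/scripts/route-down.d/40-vpnclient-unset-ipv6
+++ b/conf/scripts/route-down.d/40-vpnclient-unset-ipv6
@@ -2,10 +2,13 @@
 
 is_ip6addr_set() {
   local ip6_addr=${1}
-  ip address show dev tun0 2> /dev/null | grep -q "${ip6_addr}/"
+  ip address show dev "${gateway_interface}" 2> /dev/null | grep -q "${ip6_addr}/"
 }
 
 ip6_addr=$(yunohost app setting "vpnclient" "ip6_addr")
+# cf https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/#environmental-variables for where 'dev' comes from
+gateway_interface=${dev}
+
 if [[ -n "${ip6_addr}" ]] && [[ "${ip6_addr}" != none ]] && is_ip6addr_set "${ip6_addr}"; then
-  ip address delete "${ip6_addr}/64" dev tun0
+  ip address delete "${ip6_addr}/64" dev "${gateway_interface}"
 fi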
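Review bot: `gateway_interface=${dev}` relies on OpenVPN exporting `dev`; when the script is run outside an OpenVPN hook the variable is empty, `is_ip6addr_set` then fails silently because of `2> /dev/null`, and `ip address delete ... dev ""` errors with nothing explaining why. Make the precondition explicit, either `: "${dev:?must be run from an OpenVPN route hook}"` or a fallback to the previous hard-coded name, `gateway_interface=${dev:-tun0}`. The same applies to the identical change in route-up.d/40-vpnclient-set-ipv6.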

+ 24 - 65
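--- a/conf/scripts/route-up.d/30-vpnclient-set-server-ipv6-route
+++ b/conf/scripts/route-up.d/30-vpnclient-set-server-ipv6-route
@@ -1,88 +1,51 @@
 #!/bin/bash
 
-has_nativeip6() {
-  ip -6 route | grep -q "default via"
-}
-
 is_serverip6route_set() {
-  local server_ip6s=${1}
+  local server_ip6=${1}
 
-  if [[ -z "${server_ip6s}" ]]; then
+  if [[ -z "${server_ip6}" ]]; then
     return 0
   fi
 
-  for server_ip6 in ${server_ip6s}; do
-    if ! ip -6 route | grep -q "^${server_ip6}"; then
-      return 1
-    fi
-  done
+  if ! ip -6 route | grep -q "^${server_ip6}"; then
+    return 1
+  fi
 }
 
 set_serverip6route() {
-  local server_ip6s=${1}
-  local ip6_gw=${2}
-  local wired_device=${3}
-
-  for server_ip6 in ${server_ip6s}; do
-    ip route add "${server_ip6}/128" via "${ip6_gw}" dev "${wired_device}"
-  done
-}
-
-unset_serverip6route() {
-  local server_ip6s=${1}
+  local server_ip6=${1}
   local ip6_gw=${2}
   local wired_device=${3}
 
-  for server_ip6 in ${server_ip6s}; do
-    ip route delete "${server_ip6}/128" via "${ip6_gw}" dev "${wired_device}"
-  done
+  ip route add "${server_ip6}/128" via "${ip6_gw}" dev "${wired_device}"
 }
 
-old_ip6_gw=$(yunohost app setting vpnclient ip6_gw)
-old_wired_device=$(yunohost app setting vpnclient wired_device)
-old_server_ip6=$(yunohost app setting vpnclient server_ip6)
+wired_device=$(ip route | awk '/default via/ { print $5; }')
 
-new_ip6_gw=$(ip -6 route | awk '/default via/ { print $3 }')
-new_wired_device=$(ip route | awk '/default via/ { print $5; }')
-ynh_server_names=$(grep -o -P '^\s*remote\s+\K([^\s]+)' /etc/openvpn/client.conf | sort | uniq)
+# See https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/#environmental-variables
+# to have a list of variables provided by OpenVPN, i.e:
+# - ifconfig_ipv6_remote
+# - net_gateway_ipv6
 
-# In case an ip has been provided in ovpn conf
-new_server_ip6=""
-new_server_ip4=""
-for i in $ynh_server_names; do
-  if [[ "${i}" =~ : ]]; then
-    new_server_ip6+=" ${i}"
-  elif [[ "${i}" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
-    new_server_ip4+=" ${i}"
-  fi
-done
-
-if [[ -z "${new_server_ip6}" && -z "${new_server_ip4}" ]]; then
-  new_server_ip6=$(dig AAAA +short $ynh_server_names @127.0.0.1 | grep -v '\.$' | grep -v "timed out" | sort | uniq)
-fi
-
-echo "[INFO] Autodetected internet interface: ${new_wired_device} (last start: ${old_wired_device})"
-echo "[INFO] Autodetected IPv6 address for the VPN server: ${new_server_ip6} (last start: ${old_server_ip6})"
-
-# Check old state of the server ipv6 route
-if [[ -n "${old_server_ip6}" && -n "${old_ip6_gw}" && -n "${old_wired_device}" ]]; then
-  if [[ "${new_server_ip6}" != "${old_server_ip6}" || "${new_ip6_gw}" != "${old_ip6_gw}" || "${new_wired_device}" != "${old_wired_device}" ]]; then
-    if is_serverip6route_set "${old_server_ip6}"; then
-      unset_serverip6route "${old_server_ip6}" "${old_ip6_gw}" "${old_wired_device}"
-    fi
-  fi
+echo "[INFO] Autodetected internet interface: ${wired_device}"
+if [[ -n "${ifconfig_ipv6_remote}" ]]; then
+  echo "[INFO] Autodetected IPv6 address for the VPN server: ${ifconfig_ipv6_remote}"
+else
+  echo "[INFO] No IPv6 address for the VPN server detected"
+  echo "[INFO] No IPv6 route set"
+  exit 0
 fi
 
 # Set the new server ipv6 route
-if has_nativeip6; then
-  if ! is_serverip6route_set "${new_server_ip6}"; then
-    set_serverip6route "${new_server_ip6}" "${new_ip6_gw}" "${new_wired_device}"
+if [[ -n "${net_gateway_ipv6}" ]]; then
+  if ! is_serverip6route_set "${ifconfig_ipv6_remote}"; then
+    set_serverip6route "${ifconfig_ipv6_remote}" "${net_gateway_ipv6}" "${wired_device}"
   fi
 
   echo "[INFO] Native IPv6 detected"
-  echo "[INFO] Autodetected native IPv6 gateway: ${new_ip6_gw} (last start: ${old_ip6_gw})"
+  echo "[INFO] Autodetected native IPv6 gateway: ${net_gateway_ipv6}"
 
-  if is_serverip6route_set "${new_server_ip6}"; then
+  if is_serverip6route_set "${ifconfig_ipv6_remote}"; then
     echo "[ OK ] IPv6 server route correctly set"
   else
     echo "[FAIL] No IPv6 server route set" >&2
@@ -92,7 +55,3 @@ else
   echo "[INFO] No native IPv6 detected"
   echo "[INFO] No IPv6 server route to set"
 fi
-
-yunohost app setting vpnclient server_ip6 --value "${new_server_ip6}"
-yunohost app setting vpnclient ip6_gw --value "${new_ip6_gw}"
-yunohost app setting vpnclient wired_device --value "${new_wired_device}"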
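Review bot: The new flow no longer removes a stale /128 route left by a previous start (the old-vs-new comparison and `unset_serverip6route` are gone), so it depends entirely on the route-down hook having run; if the OpenVPN process was killed or crashed, a route for a previous server address stays in the table and nothing here cleans it, only the route for the current address is checked. A comment above `# Set the new server ipv6 route` saying that cleanup is delegated to route-down.d/30-vpnclient-unset-server-ipv6-route, and a check that `ip route add` in set_serverip6route actually succeeded (its status is currently ignored, the `[FAIL]` line is the only signal), would make that contract explicit. In the new comment block `i.e:` should read `e.g.`, since the two variables are examples, and it would help to state what each holds per the linked manual (the tunnel's remote IPv6 endpoint and the pre-existing IPv6 default gateway, as I read it) so the next reader can judge whether they are the right inputs for a host route to the server.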

+ 5 - 2
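--- a/conf/scripts/route-up.d/40-vpnclient-set-ipv6
+++ b/conf/scripts/route-up.d/40-vpnclient-set-ipv6
@@ -2,13 +2,16 @@
 
 is_ip6addr_set() {
   local ip6_addr=${1}
-  ip address show dev tun0 2> /dev/null | grep -q "${ip6_addr}/"
+  ip address show dev "${gateway_interface}" 2> /dev/null | grep -q "${ip6_addr}/"
 }
 
 ip6_addr=$(yunohost app setting "vpnclient" "ip6_addr")
+# cf https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/#environmental-variables for where 'dev' comes from
+gateway_interface=${dev}
+
 if [[ -n "${ip6_addr}" ]] && [[ "${ip6_addr}" != none ]]; then
   if ! is_ip6addr_set "${ip6_addr}"; then
-    ip address add "${ip6_addr}/64" dev tun0
+    ip address add "${ip6_addr}/64" dev "${gateway_interface}"
   fi
 
   echo "[INFO] IPv6 delegated prefix found"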

+ 0 - 1
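--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@@ -17,7 +17,6 @@ function vpnclient_deploy_files_and_services()
   mkdir -pm 0755 /etc/yunohost/hooks.d/post_iptable_rules/
   mkdir -pm 0755 /etc/systemd/system/openvpn@.service.d/
 
-  install -b -o root -g root -m 0755 ../conf/hook_post-iptable-rules /etc/yunohost/hooks.d/90-vpnclient.tpl
   install -b -o root -g root -m 0644 ../conf/openvpn@.service /etc/systemd/system/openvpn@.service.d/override.conf
 
   # Create certificates directory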

+ 0 - 2
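--- a/scripts/backup
+++ b/scripts/backup
@@ -10,8 +10,6 @@ ynh_print_info "Backing up the main app directory..."
 
 ynh_backup --src_path="/usr/local/bin/$service_name-loadcubefile.sh"
 
-ynh_backup --src_path="/etc/yunohost/hooks.d/90-vpnclient.tpl"
-
 ynh_backup --src_path="/etc/openvpn/client.conf" --not_mandatory
 ynh_backup --src_path="/etc/openvpn/client.cube" --not_mandatory
 ynh_backup --src_path="/etc/openvpn/client.ovpn" --not_mandatory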

+ 0 - 3
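--- a/scripts/remove
+++ b/scripts/remove
@@ -40,9 +40,6 @@ for FILE in $(ls /etc/openvpn/scripts/route-up.d/*-vpnclient-* /etc/openvpn/scri
     ynh_secure_remove "$FILE"
 done
 
-# Remove YunoHost hook
-ynh_secure_remove /etc/yunohost/hooks.d/90-vpnclient.tpl
-
 # Remove openvpn service
 ynh_secure_remove /etc/systemd/system/openvpn@.service.d/override.conf
 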

+ 4 - 0
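--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -36,6 +36,10 @@ if [ -e "/etc/sudoers.d/${app}_ynh" ]; then
   ynh_secure_remove "/etc/sudoers.d/${app}_ynh"
 fi
 
+if [ -e "/etc/yunohost/hooks.d/90-vpnclient.tpl" ]; then
+  ynh_secure_remove "/etc/yunohost/hooks.d/90-vpnclient.tpl"
+fi
+
 if [ -e "/etc/openvpn/client.conf.tpl" ]; then
   ynh_secure_remove "/etc/openvpn/client.conf.tpl"
 fi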
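Review bot: This block deletes the deployed hook at /etc/yunohost/hooks.d/90-vpnclient.tpl on upgrade, and scripts/_common.sh in the same commit drops the only visible line that installed it, yet conf/hook_post-iptable-rules is still maintained and extended by this very commit; unless it is now deployed under another path outside this diff (the `post_iptable_rules/` directory that _common.sh creates suggests that), the firewall rules it sets up would stop being applied after upgrade. Please add a comment on the new block naming where the hook now lives, for example `# old hook location; the post-iptable-rules script is now installed elsewhere (see _common.sh)`, so a later reader does not mistake this for a removal of the feature. The block's single-bracket `[ -e ... ]` matches the surrounding file, so no style change there.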