
set/unset firewall outside openvpn connection

HgO il y a 11 mois
Parent
commit
fd379723ca

+ 0 - 39
conf/scripts/route-down.d/10-vpnclient-unset-firewall

@@ -1,39 +0,0 @@
-#!/bin/bash
-
-is_firewall_set() {
-  ip6tables -w -nvL OUTPUT | grep vpnclient_out | grep -q "${wired_device}" \
-  && iptables -w -nvL OUTPUT | grep vpnclient_out | grep -q "${wired_device}"
-}
-
-wired_device=$(ip route | awk '/default via/ { print $5; }')
-
-rm -f /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
-if is_firewall_set; then  
-  # IPv4
-
-  iptables -w -D INPUT -i "${wired_device}" -j vpnclient_in
-  iptables -w -D OUTPUT -o "${wired_device}" -j vpnclient_out
-  iptables -w -D FORWARD -o "${wired_device}" -j vpnclient_fwd
-
-  iptables -w -F vpnclient_in
-  iptables -w -F vpnclient_out
-  iptables -w -F vpnclient_fwd
-
-  iptables -w -X vpnclient_in
-  iptables -w -X vpnclient_out
-  iptables -w -X vpnclient_fwd
-
-  # IPv6
-  
-  ip6tables -w -D INPUT -i "${wired_device}" -j vpnclient_in
-  ip6tables -w -D OUTPUT -o "${wired_device}" -j vpnclient_out
-  ip6tables -w -D FORWARD -o "${wired_device}" -j vpnclient_fwd
-
-  ip6tables -w -F vpnclient_in
-  ip6tables -w -F vpnclient_out
-  ip6tables -w -F vpnclient_fwd
-
-  ip6tables -w -X vpnclient_in
-  ip6tables -w -X vpnclient_out
-  ip6tables -w -X vpnclient_fwd
-fi

+ 0 - 20
conf/scripts/route-up.d/10-vpnclient-set-firewall

@@ -1,20 +0,0 @@
-#!/bin/bash
-
-is_firewall_set() {
-  local wired_device=$(ip route | awk '/default via/ { print $5; }')
-
-  ip6tables -w -nvL OUTPUT | grep vpnclient_out | grep -q "${wired_device}" \
-  && iptables -w -nvL OUTPUT | grep vpnclient_out | grep -q "${wired_device}"
-}
-
-if ! is_firewall_set; then
-  bash /etc/yunohost/apps/vpnclient/conf/hook_post-iptable-rules
-fi
-cp /etc/yunohost/apps/vpnclient/conf/hook_post-iptable-rules /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
-
-if is_firewall_set; then
-  echo "[ OK ] IPv6/IPv4 firewall set"
-else
-  echo "[FAIL] No IPv6/IPv4 firewall set" >&2
-  exit 1
-fi

+ 60 - 0
conf/ynh-vpnclient

@@ -126,6 +126,62 @@ check_config() {
   fi
 }
 
+is_firewall_set() {
+  local wired_device="$1"
+  ip6tables -w -nvL OUTPUT | grep vpnclient_out | grep -q "${wired_device}" \
+  && iptables -w -nvL OUTPUT | grep vpnclient_out | grep -q "${wired_device}"
+}
+
+set_firewall() {
+  local wired_device=$(ip route | awk '/default via/ { print $5; }')
+
+  if ! is_firewall_set "${wired_device}"; then
+    bash /etc/yunohost/apps/vpnclient/conf/hook_post-iptable-rules
+  fi
+  cp /etc/yunohost/apps/vpnclient/conf/hook_post-iptable-rules /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
+
+  if is_firewall_set "${wired_device}"; then
+    success "IPv6/IPv4 firewall set"
+  else
+    error "[FAIL] No IPv6/IPv4 firewall set" >&2
+  fi
+}
+
+unset_firewall() {
+  local wired_device=$(ip route | awk '/default via/ { print $5; }')
+
+  rm -f /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
+  if is_firewall_set "${wired_device}"; then  
+    # IPv4
+
+    iptables -w -D INPUT -i "${wired_device}" -j vpnclient_in
+    iptables -w -D OUTPUT -o "${wired_device}" -j vpnclient_out
+    iptables -w -D FORWARD -o "${wired_device}" -j vpnclient_fwd
+
+    iptables -w -F vpnclient_in
+    iptables -w -F vpnclient_out
+    iptables -w -F vpnclient_fwd
+
+    iptables -w -X vpnclient_in
+    iptables -w -X vpnclient_out
+    iptables -w -X vpnclient_fwd
+
+    # IPv6
+    
+    ip6tables -w -D INPUT -i "${wired_device}" -j vpnclient_in
+    ip6tables -w -D OUTPUT -o "${wired_device}" -j vpnclient_out
+    ip6tables -w -D FORWARD -o "${wired_device}" -j vpnclient_fwd
+
+    ip6tables -w -F vpnclient_in
+    ip6tables -w -F vpnclient_out
+    ip6tables -w -F vpnclient_fwd
+
+    ip6tables -w -X vpnclient_in
+    ip6tables -w -X vpnclient_out
+    ip6tables -w -X vpnclient_fwd
+  fi
+}
+
 action=${1}
 if [[ "$action" != restart ]]; then
   # Variables
@@ -163,6 +219,8 @@ case "$action" in
     sync_time
     check_config
 
+    set_firewall
+
     info "Now actually starting OpenVPN client..."
 
     if systemctl start openvpn@client.service; then
@@ -234,6 +292,8 @@ case "$action" in
         fi
       done
     fi
+
+    unset_firewall
   ;;
 
   # ########## #
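Review bot: `is_firewall_set` treats an empty interface name as a match — `grep -q "${wired_device}"` with an empty value succeeds on any line that mentions `vpnclient_out` — so when the `ip route | awk` lookup in `set_firewall` or `unset_firewall` finds no default route, `set_firewall` skips the hook and still reports `success`, and `unset_firewall` issues `iptables -D … -i ""`. Guard the value right after the assignment in both functions: `[[ -n "${wired_device}" ]] || { error "no default-route device found, cannot manage the vpnclient firewall"; return 1; }`. The removed route-up script ended its failure branch with `exit 1`, whereas the new `set_firewall` only calls `error` and falls through; unless `error` itself terminates the script, the start branch in the second hunk goes on to launch OpenVPN with no firewall in place, so add `return 1` after the `error` call and invoke it as `set_firewall || exit 1` at the call site. Separately, `local wired_device=$(…)` in both functions masks the pipeline's exit status (ShellCheck SC2155); declare and assign on separate lines.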

+ 0 - 1
scripts/_common.sh

@@ -18,7 +18,6 @@ function vpnclient_deploy_files_and_services()
   mkdir -pm 0755 /etc/systemd/system/openvpn@.service.d/
 
   install -b -o root -g ${app} -m 0644 ../conf/openvpn_client.conf.tpl /etc/openvpn/client.conf.tpl
-  install -b -o root -g root -m 0755 ../conf/hook_post-iptable-rules /etc/yunohost/hooks.d/90-vpnclient.tpl
   install -b -o root -g root -m 0644 ../conf/openvpn@.service /etc/systemd/system/openvpn@.service.d/override.conf
 
   # Create certificates directory

+ 0 - 2
scripts/backup

@@ -10,8 +10,6 @@ ynh_print_info "Backing up the main app directory..."
 
 ynh_backup --src_path="/usr/local/bin/$service_name-loadcubefile.sh"
 
-ynh_backup --src_path="/etc/yunohost/hooks.d/90-vpnclient.tpl"
-
 ynh_backup --src_path="/etc/openvpn/client.conf.tpl"
 ynh_backup --src_path="/etc/openvpn/client.conf" --not_mandatory
 ynh_backup --src_path="/etc/openvpn/client.cube" --not_mandatory

+ 0 - 3
scripts/remove

@@ -41,9 +41,6 @@ for FILE in $(ls /etc/openvpn/scripts/route-up.d/*-vpnclient-* /etc/openvpn/scri
     ynh_secure_remove "$FILE"
 done
 
-# Remove YunoHost hook
-ynh_secure_remove /etc/yunohost/hooks.d/90-vpnclient.tpl
-
 # Remove openvpn service
 ynh_secure_remove /etc/systemd/system/openvpn@.service.d/override.conf
 

+ 8 - 0
scripts/upgrade

@@ -36,6 +36,14 @@ if [ -e "/etc/sudoers.d/${app}_ynh" ]; then
   ynh_secure_remove "/etc/sudoers.d/${app}_ynh"
 fi
 
+for script_path in $(ls /etc/openvpn/scripts/route-*.d/10-vpnclient-{set-firewall,unset-firewall} 2> /dev/null); then
+  ynh_secure_remove "$script_path"
+fi
+
+if [ -e "/etc/yunohost/hooks.d/90-vpnclient.tpl" ]; then
+  ynh_secure_remove "/etc/yunohost/hooks.d/90-vpnclient.tpl"
+fi
+
 # New stuff
 
 if [ -z "${dns_method:-}" ]; then
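Review bot: The new cleanup loop in scripts/upgrade is written as `for … ; then … fi`, which bash rejects with a syntax error when it reaches that line, aborting the upgrade partway through; the loop also iterates over `ls` output, which word-splits on whitespace. Replace the three lines with a glob loop: `for script_path in /etc/openvpn/scripts/route-*.d/10-vpnclient-{set-firewall,unset-firewall}; do`, `  [ -e "$script_path" ] && ynh_secure_remove "$script_path"`, `done`. The `-e` test skips the literal pattern that an unmatched glob leaves behind, which is what the `2> /dev/null` on `ls` was papering over.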