#!/bin/bash

server_names=$(grep -o -P '^\s*remote\s+\K([^\s]+)' /etc/openvpn/client.conf | sort | uniq)

# In case an ip has been provided in ovpn conf
host4=""
host6=""
for i in ${server_names}; do
  if [[ "${i}" =~ : ]]; then
      host6+=" ${i}"
  elif [[ "${i}" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
      host4+=" ${i}"
  fi
done

if [[ -z "${host6}" ]]; then
  host6=$(dig AAAA +short $server_names @127.0.0.1 | grep -v '\.$' | grep -v "timed out")
fi

if [[ -z "${host4}" ]]; then
  host4=$(dig A +short $server_names @127.0.0.1 | grep -v '\.$' | grep -v "timed out")
fi

interface=$(ip route | awk '/default via/ { print $5; }')
dns=$(grep -o -P '^\s*nameserver\s+\K[a-fA-F\d.:]+$' /etc/resolv.dnsmasq.conf | sort | uniq)

# IPv6

ip6tables -w -N vpnclient_in
ip6tables -w -N vpnclient_out
ip6tables -w -N vpnclient_fwd

ip6tables -w -A vpnclient_in -p icmpv6 -j ACCEPT
ip6tables -w -A vpnclient_in -s fd00::/8,fe80::/10 -j ACCEPT
ip6tables -w -A vpnclient_in -p tcp --dport 22 -j ACCEPT
ip6tables -w -A vpnclient_in -p tcp --dport 443 -j ACCEPT
ip6tables -w -A vpnclient_in -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -w -A vpnclient_in -j DROP

if [ ! -z "${host6}" ]; then
  for i in ${host6}; do
    ip6tables -w -A vpnclient_out -d "${i}" -j ACCEPT
  done
fi

for i in ${dns};
do
  if [[ "${i}" =~ : ]]; then
    ip6tables -w -A vpnclient_out -p udp -d "${i}" --dport 53 -j ACCEPT
  fi
done

ip6tables -w -A vpnclient_out -d fd00::/8,fe80::/10 -j ACCEPT
ip6tables -w -A vpnclient_out -p icmpv6 -j ACCEPT
ip6tables -w -A vpnclient_out -p udp --dport 5353 -d ff02::fb -j ACCEPT
ip6tables -w -A vpnclient_out -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -w -A vpnclient_out -j DROP

ip6tables -w -A vpnclient_fwd -j DROP

ip6tables -w -I INPUT 1 -i $interface -j vpnclient_in
ip6tables -w -I OUTPUT 1 -o $interface -j vpnclient_out
ip6tables -w -I FORWARD 1 -o $interface -j vpnclient_fwd

# IPv4

iptables -w -N vpnclient_in
iptables -w -N vpnclient_out
iptables -w -N vpnclient_fwd

iptables -w -A vpnclient_in -p icmp -j ACCEPT
iptables -w -A vpnclient_in -s 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16 -j ACCEPT
iptables -w -A vpnclient_in -p tcp --dport 22 -j ACCEPT
iptables -w -A vpnclient_in -p tcp --dport 443 -j ACCEPT
iptables -w -A vpnclient_in -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -w -A vpnclient_in -j DROP

if [ ! -z "${host4}" ]; then
  for i in ${host4}; do
    iptables -w -A vpnclient_out -d "${i}" -j ACCEPT
  done
fi

for i in ${dns};
do
  if [[ "${i}" =~ \. ]]; then
    iptables -w -A vpnclient_out -p udp -d "${i}" --dport 53 -j ACCEPT
  fi
done

iptables -w -A vpnclient_out -d 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16 -j ACCEPT
iptables -w -A vpnclient_out -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
iptables -w -A vpnclient_out -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -w -A vpnclient_out -j DROP

iptables -w -A vpnclient_fwd -j DROP

iptables -w -I INPUT 1 -i $interface -j vpnclient_in
iptables -w -I OUTPUT 1 -o $interface -j vpnclient_out
iptables -w -I FORWARD 1 -o  $interface -j vpnclient_fwd

exit 0