  1. #!/bin/sh
  2. #DEBUG= # uncomment/comment to enable/disable debug mode
  3.  
  4. #          name: merlin-ovpn-port-forward.sh
  5. #       version: 2.0.0, 22-jul-2022, by eibgrad
  6. #       purpose: openvpn client firewall-based killswitch
  7. #       type(s): nat-start
  8. #          href: https://tinyurl.com/3ebyzyyu
  9. #  installation:
  10. #    1. enable jffs custom scripts and configs (administration->system)
  11. #    2. ssh to router and copy/paste the following command:
#         curl -kLs bit.ly/merlin-installer|tr -d '\r'|sh -s SqReWZnB
#         (note: -k turns off TLS certificate verification and the shortened
#         URL resolves to a remote script that is piped straight into sh; if
#         that trust model is not acceptable, download the installer to a
#         file, read it, and run it from there instead)
  13. #    3. modify script w/ your preferred options using nano editor:
  14. #         nano /jffs/scripts/merlin-ovpn-port-forward.sh
  15. #    4. reboot
  16.  
  17. SCRIPTS_DIR="/jffs/scripts"
  18. SCRIPT1="$SCRIPTS_DIR/merlin-ovpn-port-forward.sh"
  19. SCRIPT2="$SCRIPTS_DIR/nat-start"
  20.  
  21. mkdir -p $SCRIPTS_DIR
  22.  
  23. # ---------------------- begin merlin-ovpn-port-forward ---------------------- #
  24. cat << 'EOF' > $SCRIPT1
  25. #!/bin/sh
  26. #set -x # comment/uncomment to disable/enable debug mode
  27. {
  28. # ------------------------------ BEGIN OPTIONS ------------------------------- #
  29.  
  30. # interface source-ip/net proto extern-port intern-ip intern-port [comments...]
  31. PORT_FORWARDS="
  32. tun11 0.0.0.0/0 tcp 10022 $(nvram get lan_ipaddr) 22 router ssh server
  33. tun12 0.0.0.0/0 tcp 10080 192.168.1.200 80
  34. tun12 0.0.0.0/0 tcp 10443 192.168.1.200 443
  35. #tun12 188.188.188.188 tcp 10088 192.168.1.210 8088
  36. tun+ 199.199.199.0/24 udp 10999 192.168.1.210 999 all vpn network interfaces
  37. "
  38. # ------------------------------- END OPTIONS -------------------------------- #
  39.  
  40. # ---------------------- DO NOT CHANGE BELOW THIS LINE ----------------------- #
  41.  
  42. ipt() { iptables ${@/-[IA]/-D} 2>/dev/null; iptables $@; }
  43.  
  44. OIFS="$IFS"; IFS=$'\n'
  45.  
  46. for pf in $PORT_FORWARDS; do
  47.     # skip comments and blank lines
  48.     echo $pf | grep -Eq '^[[:space:]]*(#|$)' && continue
  49.  
  50.     # parse port forward into separate fields
  51.     for i in 1 2 3 4 5 6; do eval f$i="$(echo $pf | cut -d' ' -f$i)"; done
  52.  
  53.     # redirect external port on vpn to internal ip+port
  54.     ipt -t nat -I PREROUTING -i $f1 -s $f2 -p $f3 --dport $f4 \
  55.         -j DNAT --to $f5:$f6
  56. done
  57.  
  58. IFS="$OIFS"
  59.  
  60. # allow routing from vpn to router internal port
  61. ipt -I INPUT -i tun+ -m conntrack --ctstate DNAT -j ACCEPT
  62.  
  63. # allow routing from vpn to lan internal ip+port
  64. ipt -I FORWARD -i tun+ -m conntrack --ctstate DNAT -j ACCEPT
  65.  
  66. exit 0
  67. } 2>&1 | logger -t $(basename $0 .sh)[$$]
  68. EOF
  69. [ ${DEBUG+x} ] && sed -ri '2 s/^#(set -x)/\1/' $SCRIPT1
  70. chmod +x $SCRIPT1
  71. echo "installed: $SCRIPT1"
  72. # ----------------------- end merlin-ovpn-port-forward ----------------------- #
  73.  
  74. # ----------------------------- begin nat-start ------------------------------ #
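# write the nat-start hook that invokes the port-forward script.
# reads SCRIPT1 (path the hook runs), SCRIPT2 (path of the hook) and DEBUG
# (when set, tracing is enabled in the generated hook).
create_script() {
# the delimiter is unquoted so $SCRIPT1 is expanded in place (no sed pass
# needed); the expressions that must survive into the hook are escaped, and
# the logger tag is quoted so [$$] cannot be expanded as a glob
cat << EOF > "$SCRIPT2"
#!/bin/sh
#set -x # comment/uncomment to disable/enable debug mode
{
$SCRIPT1
} 2>&1 | logger -t "\$(basename "\$0")[\$\$]"
EOF
# line 2 of the hook is the commented 'set -x'; enable it in debug mode
[ "${DEBUG+x}" ] && sed -ri '2 s/^#(set -x)/\1/' "$SCRIPT2"
chmod +x "$SCRIPT2"
}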
  87.  
# never clobber an existing nat-start: the user may already have hooks in it
if [ ! -f "$SCRIPT2" ]; then
    create_script
    echo "installed: $SCRIPT2"
else
    echo "error: $SCRIPT2 already exists; requires manual installation"
fi
  94. # ------------------------------ end nat-start ------------------------------- #