ddwrt-ovpn-client-killswitch.sh

1. #!/bin/sh
2. DEBUG=; set -x # uncomment/comment to enable/disable debug mode
3.  
4. #          name: ddwrt-ovpn-client-killswitch.sh
5. #       version: 1.0.2, 24-jul-2022, by eibgrad
6. #       purpose: block access LAN->WAN for gui openvpn client (pbr and non-pbr)
7. #   script type: wanup (autostart)
8. #  installation:
9. #    1. enable jffs2 (administration->jffs2)
10. #    2. enable syslogd (services->services->system log)
11. #    3. use shell (telnet/ssh) to execute one of the following commands:
12. #         curl -kLs bit.ly/ddwrt-installer|tr -d '\r'|sh -s -- TKdKUmY1 wanup
13. #       or
14. #         wget -qO - bit.ly/ddwrt-installer|tr -d '\r'|sh -s -- TKdKUmY1 wanup
15. #    4. (optional): use vi editor to modify options:
16. #         vi /jffs/etc/config/ddwrt-ovpn-client-killswitch.wanup
17. #    5. reboot
18. #   limitations:
19. #    - this script is NOT compatible w/ the ddwrt-ovpn-split-basic.sh or
20. #      ddwrt-ovpn-split-advanced.sh scripts
21. #    - changes to the openvpn client or this script will only be recognized
22. #      upon reboot or reinitialization of the WAN
23.  
24. # ------------------------------ BEGIN OPTIONS ------------------------------- #
25.  
26. VPN_ENABLED_ONLY='1' # 0: apply rules 24/7, 1: apply rules only if VPN enabled
27.  
28. # state checking: "state NEW" vs. no state
29. #   state NEW (default):
30. #     * any pre-existing LAN->WAN connections persist until/unless they
31. #       timeout/close
32. #     * remote access (WAN->LAN) is allowed (provided port forwarding is enabled)
33. #     * more efficient (only LAN->WAN packets used to establish NEW connections
34. #       are inspected)
35. #   no state:
36. #     * any pre-existing LAN->WAN connections are stopped/blocked
37. #     * remote access (WAN->LAN) is denied (even if port forwarding is enabled)
38. #     * less efficient (every LAN->WAN packet is inspected)
39. {
40. FW_STATE='-m state --state NEW'
41. #FW_STATE='' # uncomment/comment to disable/enable state checking
42.  
43. # ------------------------------- END OPTIONS -------------------------------- #
44.  
45. # ---------------------- DO NOT CHANGE BELOW THIS LINE ----------------------- #
46.  
47. WAN_IF="$(ip route | awk '/^default/{print $NF}')"
48. FW_CHAIN='ovpn-block-lan2wan'
49.  
50. # cleanup from possible prior execution
51. {
52. iptables -D FORWARD -o $WAN_IF $FW_STATE -j REJECT
53. iptables -D FORWARD -o $WAN_IF $FW_STATE -j $FW_CHAIN
54. iptables -F $FW_CHAIN
55. iptables -X $FW_CHAIN
56. } >/dev/null 2>&1
57.  
58. # quit if vpn disabled (unless firewall rules still need to be enforced)
59. [[ "$(nvram get openvpncl_enable)" == '0' && "$VPN_ENABLED_ONLY" != '0' ]] && exit 0
60.  
61. # block *all* if nothing in policy based routing
62. if [ ! "$(nvram get openvpncl_route)" ]; then
63.     iptables -I FORWARD -o $WAN_IF $FW_STATE -j REJECT
64.     exit 0
65. fi
66.  
67. # create firewall chain for blocked ip(s)/network(s)
68. iptables -N $FW_CHAIN
69.  
70. # read ip/network addresses from openvpn client policy based routing
71. echo -e "$(nvram get openvpncl_route)" | \
72.     while read ip; do
73.         ip="${ip//$'\r'}" # remove carriage returns
74.  
75.         # block access LAN->WAN for this ip/network address
76.         [ "$ip" ] && iptables -A $FW_CHAIN -s "$ip" -j REJECT
77.     done
78.  
79. # begin blocking: force LAN->WAN traffic thru firewall chain for inspection
80. iptables -I FORWARD -o $WAN_IF $FW_STATE -j $FW_CHAIN
81.  
82. exit 0
83.  
84. } 2>&1 | logger -p user.$([ ${DEBUG+x} ] && echo 'debug' || echo 'notice') \
85.     -t $(echo $(basename $0) | grep -Eo '^.{0,23}')[$$]