View Single Post
  #4   (View Single Post)  
Old 11th February 2011
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128
Default

In the following scripts the original "/etc/resolv.conf' is saved, and a new one is generated, using the nameservers passed by the VPN server.
After the VPN connection has been terminated, the original resolv.conf is restored.

The relevant code of the new startup script
Code:
# ============== active code 

/usr/local/sbin/openvpn \
        --config ${CONFIG} \
        --verb 4 \
        --script-security 2 execve \
        --ifconfig-noexec \
        --up /etc/openvpn/up \
        --down /etc/openvpn/up          # yes, 'up', we handle everything in one script

# EXPLANTION OF OPTIONS (see 'man openvpn' for the details)
# -----------------------------------------------------------------------------------------------
# --config                      : specifies the configuration file supplied by the VPN service
# --verb                        : the verbosity level
# --script-security 2 execve    : allow scripts to be executed
# --ifconfig-noexec             : do not execute/run/do an 'ifconfig' on the device we are using
# --up                          : specify the name of the script where we do our own 'ifconfig'
# --down                        : script after tun0 has been torn down
# -----------------------------------------------------------------------------------------------
The new 'up' script :
Code:
#!/bin/sh
# $Id: up,v 1.5 2011/02/11 04:00:21 root Exp $

_log_environment() {
    LOG="/var/log/OpenVPN-up-$(date '+%m%d_%H%M').log"
    cat <<-END >> ${LOG}
        DATE: $(date '+%Y%m%d_%H%M')
        -------- Available environment variables -------- 
        $(env | sort)
        ----------------------------------------
END
}


_do_ifconfig() {
    /sbin/ifconfig ${dev} ${ifconfig_local} netmask ${ifconfig_netmask} mtu ${tun_mtu}
   cat <<-END 
        Configuration of ${dev} :
        # ifconfig ${dev} 
        $(ifconfig $dev)
        ---------------------------------------------
END
}


_show_resolv.conf() {
    cat <<-END
        Contents of /etc/resolv.conf
        -------------------------------------------
        $(cat /etc/resolv.conf)
        -------------------------------------------
        $(ls -l /etc/resolv.conf*)
        -------------------------------------------
END
}


_create_new_resolv.conf() {
    TEMP=resolv.conf.TEMP
    install -o root -g wheel -m u=rw,g=r,o=r /dev/null ${TEMP} 

    cat <<-END >>${TEMP}
        # $(date) : resolv.conf generated for OpenVPN connection 
        lookup file bind
END

    # --- environment variables wich hold nameserver addresses
    #foreign_option_1='dhcp-option DNS 80.254.79.157'
    #foreign_option_2='dhcp-option DNS 80.254.77.39'

    if [ ! X"${foreign_option_1}" = X ] ; then
        if (echo ${foreign_option_1} | grep 'dhcp-option DNS' >/dev/null ) ; then
            echo ${foreign_option_1} | sed -e 's/^..*DNS/nameserver/' >> ${TEMP}
        fi
    fi

    if [ ! X"${foreign_option_2}" = X ] ; then
        if (echo ${foreign_option_2} | grep 'dhcp-option DNS' >/dev/null ) ; then
            echo ${foreign_option_2} | sed -e 's/^..*DNS/nameserver/' >> ${TEMP}
        fi
    fi

    # get nr of 'nameserver ww.xx.yy.zz' lines
    count=$(egrep -c '^nameserver +[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' ${TEMP})

    if [ ${count} -gt 0 ] ; then 
        if [ -f /etc/resolv.conf ]; then
           cat /etc/resolv.conf > /etc/resolv.conf.beforeVPN
        fi
        install -S -m u=rw,g=r,o=r ${TEMP} /etc/resolv.conf && echo 'resolv.conf for VPN installed'
    fi
}


_restore_resolv.conf() {

    if [ -f /etc/resolv.conf -a -f /etc/resolv.conf.beforeVPN ] ; then
        printf "\nSaving 'resolv.conf used during VPN ... "
        install -S -m u=rw,g=r,o=r /etc/resolv.conf /etc/resolv.conf.duringVPN  && echo OK 
        printf "\nRestoring original pre-VPN 'resolv.conf' ... "
        install -S -m u=rw,g=r,o=r  /etc/resolv.conf.beforeVPN /etc/resolv.conf && echo OK
    else
        echo Sorry: Cannot restore original resolv.conf
        echo ------------------------------------------
        ls -l /etc/resolv.conf*
        echo -----------------------
    fi
}


# ==================== active code 

_log_environment

if [ ${script_context} = "init" -a ${script_type} = 'up' ] ; then
    _do_ifconfig 
    echo 'Setting up resolv.conf ....'
    _show_resolv.conf
    _create_new_resolv.conf
    _show_resolv.conf
fi

if [ ${script_context} = "init" -a ${script_type} = 'down' ] ; then
    echo 'Restoring previous resolv.conf ....'
    _show_resolv.conf
    _restore_resolv.conf
    _show_resolv.conf
fi


# --- EOF --
EDIT: specified the exact file permissions for 'install(1)' so we don't get the default 'x' (eXecute) permissions.

Code:
RCS file: RCS/up,v
retrieving revision 1.4
diff -u -r1.4 up
--- up  2011/02/11 02:19:03     1.4
+++ up  2011/02/11 03:46:44
@@ -67,7 +67,7 @@
        if [ -f /etc/resolv.conf ]; then
           cat /etc/resolv.conf > /etc/resolv.conf.beforeVPN
        fi
-       install -S ${TEMP} /etc/resolv.conf && echo 'resolv.conf for VPN installed'
+       install -S -m u=rw,g=r,o=r ${TEMP} /etc/resolv.conf && echo 'resolv.conf for VPN installed'
     fi
 
 }
@@ -77,9 +77,9 @@
 
     if [ -f /etc/resolv.conf -a -f /etc/resolv.conf.beforeVPN ] ; then
        printf "\nSaving 'resolv.conf used during VPN ... "
-       install -S /etc/resolv.conf /etc/resolv.conf.duringVPN  && echo OK 
+       install -S -m u=rw,g=r,o=r /etc/resolv.conf /etc/resolv.conf.duringVPN  && echo OK 
        printf "\nRestoring original pre-VPN 'resolv.conf' ... "
-       install -S /etc/resolv.conf.beforeVPN /etc/resolv.conf && echo OK
+       install -S -m u=rw,g=r,o=r  /etc/resolv.conf.beforeVPN /etc/resolv.conf && echo OK
     else
        echo Sorry: Cannot restore original resolv.conf
        echo ------------------------------------------
Another reason for not pasting the files but to download the now corrected versions.
Attached Files
File Type: sh up.sh (2.9 KB, 130 views)
File Type: sh startup.sh (2.2 KB, 124 views)
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 11th February 2011 at 04:34 AM. Reason: Replaced the 'up' script with a correct one, which does not set the eXecute bit on /etc/resolv.conf
Reply With Quote