Add support for restricted VPN networks.

2023-09-27 17:41:09 +02:00
parent c427d4fefd
commit 4c98319ddf
5 changed files with 397 additions and 0 deletions
--- a/conf/main_ipv4.conf.sample
+++ b/conf/main_ipv4.conf.sample
@ -563,6 +563,47 @@ vpn_local_net_ports="1194"
 vpn_out_ports="$standard_vpn_port"


+# -----
+# - Restrict VPN Network to local Service
+# -----#
+
+# - restrict_vpn_net_to_local_service
+# -
+# -    allow_ext_net_to_local_service="vpn-net:local-address:port:protocol [vpn-net:local-address:port:protocol] [..]"
+# -
+# - Note:
+# - =====
+# -    - Only 'tcp' and 'udp' are allowed valuse for protocol.
+# -
+# - Example:
+# -   restrict_vpn_net_to_local_service="
+# -      10.100.112.0/24:192.168.112.192/27:80:tcp
+# -      10.100.112.0/24:192.168.112.192/27:443:tcp
+# -    "
+# -
+# - Blank separated list
+# -
+restrict_vpn_net_to_local_service=""
+
+
+# -----
+# - Restrict VPN Network to local (Sub) network
+# -----
+
+# - restrict_vpn_net_to_local_subnet
+# -
+# -    restrict_vpn_net_to_local_subnet="<src-vpn-net>:<dst-local-net> [<src-vpn-net>:<dst-local-net>} [..]
+# -
+# - Example:
+# -   restrict_vpn_net_to_local_subnet="
+# -      10.100.112.0/24:192.168.112.192/27
+# -    "
+# -
+# - Blank separated list
+# -
+restrict_vpn_net_to_local_subnet=""
+
+
 # ======
 # - WireGuard Service
 # ======
--- a/conf/main_ipv6.conf.sample
+++ b/conf/main_ipv6.conf.sample
@ -548,6 +548,47 @@ vpn_local_net_ports="1194"
 vpn_out_ports="$standard_vpn_port"


+# -----
+# - Restrict VPN Network to local Service
+# -----#
+
+# - restrict_vpn_net_to_local_service
+# -
+# -    allow_ext_net_to_local_service="vpn-net,local-address,port,protocol [vpn-net,local-address,port,protocol] [..]"
+# -
+# - Note:
+# - =====
+# -    - Only 'tcp' and 'udp' are allowed valuse for protocol.
+# -
+# - Example:
+# -   restrict_vpn_net_to_local_service="
+# -      2001:sc03:dd:bd2f:a63e:eb5f:86a5:d338/64,2003:ec:df3d:ffd:a63e:eb5f:86a5:d338/64,80,tcp
+# -      2001:sc03:dd:bd2f:a63e:eb5f:86a5:d338/64,2003:ec:df3d:ffd:a63e:eb5f:86a5:d338/64,443,tcp
+# -    "
+# -
+# - Blank separated list
+# -
+restrict_vpn_net_to_local_service=""
+
+
+# -----
+# - Restrict VPN Network to local (Sub) network
+# -----
+
+# - restrict_vpn_net_to_local_subnet
+# -
+# -    restrict_vpn_net_to_local_subnet="<src-vpn-net>,<dst-local-net> [<src-vpn-net>,<dst-local-net>} [..]
+# -
+# - Example:
+# -   restrict_vpn_net_to_local_subnet="
+# -      2001:sc03:dd:bd2f:a63e:eb5f:86a5:d338/64,2003:ec:df3d:ffd:a63e:eb5f:86a5:d338/64
+# -    "
+# -
+# - Blank separated list
+# -
+restrict_vpn_net_to_local_subnet=""
+
+
 # ======
 # - WireGuard Service
 # ======
--- a/conf/post_decalrations.conf
+++ b/conf/post_decalrations.conf
@ -130,6 +130,22 @@ for _dev in $unprotected_ifs ; do
   unprotected_if_arr+=("$_dev")
 done

+# ---
+# -  Restrict VPN Network to local Service
+# ---
+declare -a restrict_vpn_net_to_local_service_arr=()
+for _val in $restrict_vpn_net_to_local_service ; do
+   restrict_vpn_net_to_local_service_arr+=("$_val")
+done
+
+# ---
+# -  Restrict VPN Network to local (Sub) network
+# ---
+declare -a restrict_vpn_net_to_local_subnet_arr=()
+for _val in $restrict_vpn_net_to_local_subnet ; do
+   restrict_vpn_net_to_local_subnet_arr+=("$_val")
+done
+
 # ---
 # - Allow these local networks any access to the internet
 # ---