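#!/usr/bin/sh
# qtunnel-setup: helper driven by the qubes-tunnel service (and run by hand
# with --config / --config-nm) to stage credentials and config for the tunnel
# client, link the restrictive firewall script and toggle IP forwarding.
#
# NOTE(review): PATH is appended to, not prepended, so any entry already in the
# caller's PATH shadows /usr/sbin:/sbin:/bin; the unit that normally invokes
# this script (not visible here) is presumed to supply a sane PATH.
export PATH="$PATH:/usr/sbin:/sbin:/bin"
# Everything below writes root-owned state under /rw/config and /tmp, so bail
# out up front instead of failing half-way through.
[ "$(id -u)" -eq 0 ] || exit 1
# Persistent location of the tunnel config, the credentials file and the
# "no password" marker (no-$upfile).
qtunpath=/rw/config/qtunnel
upfile=tunneluserpwd.txt
# Runtime copy of the credentials handed to the client.  The name is fixed and
# lives in the shared, world-writable /tmp, so code that writes it must create
# it fresh rather than write into whatever already sits at that path.
tmppath=/tmp/$upfile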
# Re-enter this same script under bash so the interactive prompt can use
# bash-only features (read -p/-s, [[ ]]).  The installed path is fixed on
# purpose; the bash copy handles --userpass-bash and its status is returned.
do_userpass () {
    command bash -- /usr/lib/qubes/qtunnel-setup --userpass-bash
    return $?
}
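# Need bash for password prompt
# Interactively collect the tunnel login (runs under bash, see do_userpass).
# Reads username and password from stdin.  If BOTH are empty, password login is
# disabled by creating $qtunpath/no-$upfile and removing any saved credentials.
# Otherwise the pair is written, one per line, to $tmppath (runtime copy) and
# $qtunpath/$upfile (persistent copy), both mode 0600.  The persistent copy is
# plaintext by design (the client reads it as-is), so /rw/config must stay
# root-only.  Uses the globals qtunpath, upfile and tmppath.
# Returns non-zero if the runtime copy could not be created.
do_userpass_bash () {
    echo
    echo "Enter VPN/tunnel login credentials."
    echo "Leave blank if not required..."
    echo
    # -r keeps backslashes literal; without it "pa\ss" would be saved as "pass".
    read -r -p "Username: " username
    read -r -s -p "Password: " upassword
    echo
    if [[ -z $username && -z $upassword ]]; then
        touch "$qtunpath/no-$upfile"
        rm -f -- "$qtunpath/$upfile"
        echo "Password login deactivated."
    else
        rm -f -- "$qtunpath/no-$upfile"
        # Create the staging file fresh: clear the name, then open it with
        # noclobber (O_EXCL) under umask 077 so the secret is never written
        # through a pre-planted file or symlink in /tmp and is 0600 from the
        # first byte (no chmod-after-write window).  Both lines go out in one
        # redirection; printf rather than echo so a value like "-n" is kept.
        rm -f -- "$tmppath.tmp"
        if ! ( umask 077; set -C; printf '%s\n' "$username" "$upassword" >"$tmppath.tmp" ); then
            echo "Error: could not create $tmppath.tmp" >&2
            return 1
        fi
        mv -- "$tmppath.tmp" "$tmppath"
        # -a carries the 0600 mode over to the persistent copy.
        cp -a -- "$tmppath" "$qtunpath/$upfile"
        echo -e "\nLogin info saved to $qtunpath/$upfile"
    fi
    # Brief pause; presumably so the message is readable before the prompt
    # window (see --xterm) closes.
    sleep 1s
    echo
}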
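# needs source dir passed as first arg
# Link the restrictive firewall script found in directory "$1" into the place
# the Qubes firewall machinery reads on this release.  Presence of the
# QBS-FORWARD chain is used to tell Qubes 4 (drop-in directory) from Qubes 3
# (single user script; an existing one is kept as a backup via ln -b).  Only
# the probe's exit status matters, so its output is discarded.
# Returns 1 if no source directory was given.
firewall_link () {
    if [ -z "$1" ]; then
        echo "Error: firewall_link needs the source directory as its argument" >&2
        return 1
    fi
    if iptables -L QBS-FORWARD >/dev/null 2>&1; then
        # firewall for Qubes 4
        mkdir -p /rw/config/qubes-firewall.d
        ln -s -f -- "$1/tunnel-restrict-firewall" \
            /rw/config/qubes-firewall.d/90_tunnel-restrict
    else
        ln -s -f -b -- "$1/tunnel-restrict-firewall" \
            /rw/config/qubes-firewall-user-script
    fi
}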
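# Dispatch on the single action argument.  --pre-start, --start-exec,
# --post-start, --post-stop and --check-firewall are meant to be driven by the
# tunnel service; --config and --config-nm are run by the admin inside the
# ProxyVM; --xterm and --userpass-bash are internal re-entry points used by the
# credential prompt.  client_cmd, client_opt1..5, userpassword_opt and
# filter_opts are read from the environment (presumably set by the service
# and its config, not here).
case "$1" in
    --pre-start)
        # Check for login file and prompt if necessary.
        if [ ! -f "$qtunpath/$upfile" ] && [ ! -f "$qtunpath/no-$upfile" ]; then
            # /tmp/qtunnel-askpass is set by --xterm so repeated pre-starts do
            # not stack prompt windows.  NOTE(review): the prompt runs as root
            # on the VM display.
            if [ ! -f /tmp/qtunnel-askpass ]; then
                systemd-run --unit=qtunnel-askpass -E DISPLAY=:0 sh -c \
                  'sleep 2s; /usr/bin/xterm \
                  -T "Tunnel Login" -e /usr/lib/qubes/qtunnel-setup --xterm'
            fi
        elif [ ! -f "$tmppath" ] && [ ! -f "$qtunpath/no-$upfile" ]; then
            # Stage a fresh runtime copy of the credentials: clear the staging
            # name first so we never write into a file or symlink someone else
            # planted in the shared /tmp, and force 0600 regardless of the mode
            # the persistent copy happens to carry.
            rm -f -- "$tmppath.tmp"
            cp -aL -- "$qtunpath/$upfile" "$tmppath.tmp"
            chmod 600 -- "$tmppath.tmp"
            mv -- "$tmppath.tmp" "$tmppath"
        fi
        # Same rule for the runtime config: recreate /tmp/qtunnel.conf instead
        # of truncating whatever is there.  Its mode follows the umask (grep
        # path) or the source file (cp path); anything sensitive embedded in
        # qtunnel.conf ends up here too.  TODO(review): a root-only staging
        # directory would be preferable, but the client reads this fixed path.
        rm -f -- /tmp/qtunnel.conf
        if [ -n "$filter_opts" ]; then
            # workaround for option parser bugs and overrides:
            # process config to remove options.
            # filter_opts is interpolated into an ERE; it is trusted config,
            # but a value with unbalanced parentheses breaks the pattern.
            ( set -C; grep -Ev '^[[:space:]]*('"$filter_opts"')[[:space:]]*' \
                "$qtunpath/qtunnel.conf" >/tmp/qtunnel.conf )
        else
            cp -aL -- "$qtunpath/qtunnel.conf" /tmp/qtunnel.conf
        fi
        sync
        # Desktop notification as the unprivileged user; $(hostname) expands in
        # that user's shell, not here.
        su - -c 'notify-send "$(hostname): Ready to start link."' user
        ;;
    --start-exec)
        if [ -f "$qtunpath/no-$upfile" ]; then
            userpassword_opt=""
        fi
        # The client command line is assembled from config-supplied strings and
        # run through eval so quoting inside those variables is honoured.  They
        # therefore execute as root verbatim: wherever they are set must be
        # writable by root only.  The EXEC line is logged in full, so keep
        # secrets out of the client_opt* values (use the credentials file).
        echo EXEC $client_cmd $client_opt1 $client_opt2 $client_opt3 $client_opt4 \
          $client_opt5 $userpassword_opt
        eval $client_cmd $client_opt1 $client_opt2 $client_opt3 $client_opt4 \
          $client_opt5 $userpassword_opt
        ;;
    --post-start)
        echo "START-ing network forwarding!"
        echo '1' > /proc/sys/net/ipv4/ip_forward
        # '0' appears to be default setting for ipv6
        # echo '1' > /proc/sys/net/ipv6/conf/all/forwarding
        ;;
    --check-firewall)
        # Poll a few times for the blanket FORWARD drops on eth0 (expected from
        # the linked tunnel-restrict-firewall script) before declaring the
        # tunnel unprotected.  The interface name is hard-coded; a VM whose
        # uplink is not eth0 fails this check.
        for i in 1 2 3; do
            if iptables -C FORWARD -o eth0 -j DROP \
               && iptables -C FORWARD -i eth0 -j DROP ; then
                exit 0
            elif [ "$i" = 3 ]; then
                echo "Error: Firewall rule(s) not enabled!"
                exit 1
            fi
            sleep 2s
        done
        ;;
    --post-stop)
        echo "STOP-ing network forwarding!"
        echo '0' > /proc/sys/net/ipv4/ip_forward
        echo '0' > /proc/sys/net/ipv6/conf/all/forwarding
        ;;
    --config)
        . /usr/lib/qubes/init/functions
        if is_proxyvm ; then
            mkdir -p "$qtunpath"
            firewall_link /usr/lib/qubes
            do_userpass
            echo "Done!"
            if [ ! -e "$qtunpath/qtunnel.conf" ]; then
                echo "Next, copy or link your config file to $qtunpath/qtunnel.conf"
            fi
        else
            echo "Error: Not a proxyVM. Please check instructions."
            exit 1
        fi
        ;;
    --config-nm)
        . /usr/lib/qubes/init/functions
        if is_proxyvm ; then
            firewall_link /usr/lib/qubes
            echo "Done!"
        else
            echo "Error: Not a proxyVM. Please check instructions."
            exit 1
        fi
        ;;
    --xterm)
        # Marker checked by --pre-start; this script never removes it
        # (presumably it goes away with /tmp).
        touch /tmp/qtunnel-askpass
        do_userpass
        ;;
    --userpass-bash)
        do_userpass_bash
        ;;
    --version)
        echo "1.4.0"
        ;;
    *)
        # Unknown or missing action: say so instead of silently succeeding.
        echo "Usage: $0 {--pre-start|--start-exec|--post-start|--post-stop|--check-firewall|--config|--config-nm|--version}" >&2
        exit 1
        ;;
esac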