From 5f057c50ed1993d9ce0b444879679b9cc03abe19 Mon Sep 17 00:00:00 2001
From: alexz
Date: Sat, 17 Jan 2026 17:56:45 +0000
Subject: [PATCH] Add TARGET_SUBNET to openconnect-vpn script

Derive TARGET_SUBNET from TARGET_IP (first 3 octets + .0/24) for iptables FORWARD rules to allow full subnet routing.
---
 apps/cistech-tunnel/shared/openconnect-vpn | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/apps/cistech-tunnel/shared/openconnect-vpn b/apps/cistech-tunnel/shared/openconnect-vpn
index 7d5bd60..6d74304 100755
--- a/apps/cistech-tunnel/shared/openconnect-vpn
+++ b/apps/cistech-tunnel/shared/openconnect-vpn
@@ -17,6 +17,7 @@ VPN_PASSWORD="${VPN_PASSWORD:-}"
 VPN_TOTP_SECRET="${VPN_TOTP_SECRET:-}"
 VPN_HOST="${VPN_HOST:-}"
 TARGET_IP="${TARGET_IP:-10.3.1.0}"
+TARGET_SUBNET="$(echo "$TARGET_IP" | cut -d. -f1-3).0/24"
 VPN_INTERFACE="${VPN_INTERFACE:-tun0}"
 CONTAINER_NETWORK="172.30.0.0/24"
 
@@ -336,7 +337,7 @@ disconnect_vpn() {
 }
 
 setup_forwarding() {
- log INFO "Setting up IP forwarding rules for $TARGET_IP..."
+ log INFO "Setting up IP forwarding rules for $TARGET_SUBNET..."
 
 local vpn_iface=$(get_vpn_interface)
 if [ -z "$vpn_iface" ]; then
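Review bot: `TARGET_SUBNET` is derived unconditionally and without validation, while every neighbouring setting in this hunk is an overridable `${VAR:-default}`; a `TARGET_IP` supplied with its own prefix (say `10.3.0.0/16`) is silently rewritten to `10.3.0.0/24`, and a hostname or IPv6 address yields a string that only fails later, inside `iptables`, once the VPN is already up. Since this value ends up in FORWARD ACCEPT rules that now cover a whole /24 rather than one host, I would let the operator set it explicitly and reject anything that is not dotted-quad/prefix at startup: `TARGET_SUBNET="${TARGET_SUBNET:-${TARGET_IP%.*}.0/24}"` followed by `case "$TARGET_SUBNET" in *.*.*.*/[0-9]|*.*.*.*/[0-9][0-9]) ;; *) echo "invalid TARGET_SUBNET: $TARGET_SUBNET" >&2; exit 1 ;; esac`. The parameter expansion also removes the `echo | cut` subshell pipeline for the same result on a four-octet address. A comment above the line, `# Assumes the target sits in a /24; set TARGET_SUBNET to override`, would save the next reader from guessing where the mask comes from.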
@@ -362,15 +363,15 @@ setup_forwarding() {
 fi
 
 # Forward rules at position 1
- iptables -D FORWARD -d "$TARGET_IP" -j ACCEPT 2>/dev/null || true
- iptables -D FORWARD -s "$TARGET_IP" -j ACCEPT 2>/dev/null || true
+ iptables -D FORWARD -d "$TARGET_SUBNET" -j ACCEPT 2>/dev/null || true
+ iptables -D FORWARD -s "$TARGET_SUBNET" -j ACCEPT 2>/dev/null || true
 iptables -D FORWARD -s "$CONTAINER_NETWORK" -j ACCEPT 2>/dev/null || true
 iptables -D FORWARD -d "$CONTAINER_NETWORK" -j ACCEPT 2>/dev/null || true
 
 run_cmd "Inserting forward rule (to container network)" iptables -I FORWARD 1 -d "$CONTAINER_NETWORK" -j ACCEPT
 run_cmd "Inserting forward rule (from container network)" iptables -I FORWARD 1 -s "$CONTAINER_NETWORK" -j ACCEPT
- run_cmd "Inserting forward rule (from target)" iptables -I FORWARD 1 -s "$TARGET_IP" -j ACCEPT
- run_cmd "Inserting forward rule (to target)" iptables -I FORWARD 1 -d "$TARGET_IP" -j ACCEPT
+ run_cmd "Inserting forward rule (from target)" iptables -I FORWARD 1 -s "$TARGET_SUBNET" -j ACCEPT
+ run_cmd "Inserting forward rule (to target)" iptables -I FORWARD 1 -d "$TARGET_SUBNET" -j ACCEPT
 
 log INFO "Forwarding rules configured"
 echo ""
@@ -385,7 +386,7 @@ setup_forwarding() {
 log WARN "Host watcher may not be running (trigger file still exists)"
 fi
 
- log INFO "Routing configured for $TARGET_IP through VPN tunnel"
+ log INFO "Routing configured for $TARGET_SUBNET through VPN tunnel"
 echo ""
 }
 
@@ -613,6 +614,7 @@ echo ""
 log DEBUG "VPN_EMAIL=$VPN_EMAIL"
 log DEBUG "VPN_HOST=$VPN_HOST"
 log DEBUG "TARGET_IP=$TARGET_IP"
+log DEBUG "TARGET_SUBNET=$TARGET_SUBNET"
 log DEBUG "VPN_TOTP_SECRET is $([ -n "$VPN_TOTP_SECRET" ] && echo 'set' || echo 'NOT SET')"
 
 print_banner
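Review bot: The widened `-s "$TARGET_SUBNET"` / `-d "$TARGET_SUBNET"` ACCEPT rules inserted at position 1 still carry no interface match, so after this change any packet to or from that /24 is forwarded across every interface pair on the host, not only between the container network and the tunnel; `vpn_iface` is already resolved at the top of `setup_forwarding` (visible in the earlier hunk) and can pin the rules to it. The `-D` lines must carry the identical match, otherwise they stop finding the rules and duplicates accumulate at the top of FORWARD on every run. Note also that on a host which ran the pre-patch script, the old host-scoped `-d "$TARGET_IP"` rules are not matched by the new `-D ... "$TARGET_SUBNET"` deletes and would presumably remain in FORWARD until removed by hand, which the `2>/dev/null || true` on those lines hides. `setup_forwarding` starts and ends outside this hunk.

```shell
    iptables -D FORWARD -o "$vpn_iface" -d "$TARGET_SUBNET" -j ACCEPT 2>/dev/null || true
    iptables -D FORWARD -i "$vpn_iface" -s "$TARGET_SUBNET" -j ACCEPT 2>/dev/null || true
    # … unchanged: container-network delete and insert rules …
    run_cmd "Inserting forward rule (from target)" iptables -I FORWARD 1 -i "$vpn_iface" -s "$TARGET_SUBNET" -j ACCEPT
    run_cmd "Inserting forward rule (to target)" iptables -I FORWARD 1 -o "$vpn_iface" -d "$TARGET_SUBNET" -j ACCEPT
```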