alexz/runtipi
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add TARGET_SUBNET to openconnect-vpn script

Browse Source 
Derive TARGET_SUBNET from TARGET_IP (first 3 octets + .0/24)
for iptables FORWARD rules to allow full subnet routing.
This commit is contained in:
Alex Zaw
2026-01-17 17:56:45 +00:00
parent b2e38b3cb4
commit 5f057c50ed
1 changed files with 8 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
apps/cistech-tunnel/shared/openconnect-vpn
View File

@@ -17,6 +17,7 @@ VPN_PASSWORD="${VPN_PASSWORD:-}"
VPN_TOTP_SECRET="${VPN_TOTP_SECRET:-}" VPN_TOTP_SECRET="${VPN_TOTP_SECRET:-}"
VPN_HOST="${VPN_HOST:-}" VPN_HOST="${VPN_HOST:-}"
TARGET_IP="${TARGET_IP:-10.3.1.0}" TARGET_IP="${TARGET_IP:-10.3.1.0}"
TARGET_SUBNET="$(echo "$TARGET_IP" | cut -d. -f1-3).0/24"
VPN_INTERFACE="${VPN_INTERFACE:-tun0}" VPN_INTERFACE="${VPN_INTERFACE:-tun0}"
CONTAINER_NETWORK="172.30.0.0/24" CONTAINER_NETWORK="172.30.0.0/24"
@@ -336,7 +337,7 @@ disconnect_vpn() {
} }
setup_forwarding() { setup_forwarding() {
log INFO "Setting up IP forwarding rules for $TARGET_IP..." log INFO "Setting up IP forwarding rules for $TARGET_SUBNET..."
local vpn_iface=$(get_vpn_interface) local vpn_iface=$(get_vpn_interface)
if [ -z "$vpn_iface" ]; then if [ -z "$vpn_iface" ]; then
@@ -362,15 +363,15 @@ setup_forwarding() {
fi fi
# Forward rules at position 1 # Forward rules at position 1
iptables -D FORWARD -d "$TARGET_IP" -j ACCEPT 2>/dev/null || true iptables -D FORWARD -d "$TARGET_SUBNET" -j ACCEPT 2>/dev/null || true
iptables -D FORWARD -s "$TARGET_IP" -j ACCEPT 2>/dev/null || true iptables -D FORWARD -s "$TARGET_SUBNET" -j ACCEPT 2>/dev/null || true
iptables -D FORWARD -s "$CONTAINER_NETWORK" -j ACCEPT 2>/dev/null || true iptables -D FORWARD -s "$CONTAINER_NETWORK" -j ACCEPT 2>/dev/null || true
iptables -D FORWARD -d "$CONTAINER_NETWORK" -j ACCEPT 2>/dev/null || true iptables -D FORWARD -d "$CONTAINER_NETWORK" -j ACCEPT 2>/dev/null || true
run_cmd "Inserting forward rule (to container network)" iptables -I FORWARD 1 -d "$CONTAINER_NETWORK" -j ACCEPT run_cmd "Inserting forward rule (to container network)" iptables -I FORWARD 1 -d "$CONTAINER_NETWORK" -j ACCEPT
run_cmd "Inserting forward rule (from container network)" iptables -I FORWARD 1 -s "$CONTAINER_NETWORK" -j ACCEPT run_cmd "Inserting forward rule (from container network)" iptables -I FORWARD 1 -s "$CONTAINER_NETWORK" -j ACCEPT
run_cmd "Inserting forward rule (from target)" iptables -I FORWARD 1 -s "$TARGET_IP" -j ACCEPT run_cmd "Inserting forward rule (from target)" iptables -I FORWARD 1 -s "$TARGET_SUBNET" -j ACCEPT
run_cmd "Inserting forward rule (to target)" iptables -I FORWARD 1 -d "$TARGET_IP" -j ACCEPT run_cmd "Inserting forward rule (to target)" iptables -I FORWARD 1 -d "$TARGET_SUBNET" -j ACCEPT
log INFO "Forwarding rules configured" log INFO "Forwarding rules configured"
echo "" echo ""
@@ -385,7 +386,7 @@ setup_forwarding() {
log WARN "Host watcher may not be running (trigger file still exists)" log WARN "Host watcher may not be running (trigger file still exists)"
fi fi
log INFO "Routing configured for $TARGET_IP through VPN tunnel" log INFO "Routing configured for $TARGET_SUBNET through VPN tunnel"
echo "" echo ""
} }
@@ -613,6 +614,7 @@ echo ""
log DEBUG "VPN_EMAIL=$VPN_EMAIL" log DEBUG "VPN_EMAIL=$VPN_EMAIL"
log DEBUG "VPN_HOST=$VPN_HOST" log DEBUG "VPN_HOST=$VPN_HOST"
log DEBUG "TARGET_IP=$TARGET_IP" log DEBUG "TARGET_IP=$TARGET_IP"
log DEBUG "TARGET_SUBNET=$TARGET_SUBNET"
log DEBUG "VPN_TOTP_SECRET is $([ -n "$VPN_TOTP_SECRET" ] && echo 'set' || echo 'NOT SET')" log DEBUG "VPN_TOTP_SECRET is $([ -n "$VPN_TOTP_SECRET" ] && echo 'set' || echo 'NOT SET')"
print_banner print_banner