Stephan Zalewski wrote:
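Hi,

Here's another one. This uses supplementalmatchdomains, which appears to be the recommended way of doing things. It also edits resolv.conf, which is needed by a few older programs.

Lawrence

#!/bin/sh
#
# openvpn-up-down.sh
#
#
# A script to be used as an OpenVPN up/down script on Mac OSX 10.4
# to set nameservers and search domains pushed from an OpenVPN server
#
# Use in your OpenVPN config file as follows:
#
#   up "openvpn-up-down.sh up"
#   down "openvpn-up-down.sh down"
#
# Note: If OpenVPN drops privileges once started, the down script will
# be executed with reduced privileges, and will not be able to restore
# /etc/resolv.conf to its original state. Accordingly you must run the
# down-root plugin. See
# http://svn.openvpn.net/projects/openvpn/trunk/openvpn/plugin/down-root/README
# eg plugin /path/to/openvpn-down-root.so "openvpn-up-down.sh down"
# This needs some changes to the Makefile to compile cleanly on OSX
# http://sourceforge.net/mailarchive/forum.php?thread_id=9625252&forum_id=8453

# Based heavily on the python script by Nicholas Riley at
# http://web.sabi.net/nriley/software/openvpn/acm-client.py
# and the bash script by Arjan van der Velde at
# http://njr.sabi.net/2005/11/07/alternate-openvpn-os-x-dns-updating-script/
#
# Modifications by Lawrence Akka, 1/2/2005

## Set up the necessary commands, with absolute paths for security
## (the script normally runs as root, so it must not depend on $PATH).
ENV="/usr/bin/env"
SED="/usr/bin/sed"
TR="/usr/bin/tr"
SCUTIL="/usr/sbin/scutil"

# Print a diagnostic on stderr and abort.
die() {
	printf '%s\n' "$1" >&2
	exit 1
}

## Check how we are called. The action is the first argument given in the
## up/down directive (OpenVPN also sets $script_type, which is not used here).
case "$1" in
	up)
		action="up"
		;;
	down)
		action="down"
		;;
	*)
		die "Invalid script action."
		;;
esac

## Gather the required information
# OpenVPN will pass the following parameters after our own "up"/"down":
# tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [ init | restart ]
tun_dev="$2"

# The DNS and DOMAIN values are pushed by the VPN server and reach us through
# the foreign_option_N environment variables. One value per line is joined
# into a single space-separated string.
ns=$("$ENV" | "$SED" '/^foreign_option_[0-9].*DNS /!d; s/^.*DNS //' | "$TR" '\n' ' ')
domain=$("$ENV" | "$SED" '/^foreign_option_[0-9].*DOMAIN /!d; s/^.*DOMAIN //' | "$TR" '\n' ' ')

## Sanity check
[ -n "$tun_dev" ] || die "No tunnel device specified."
[ -n "$ns" ] || die "No name server specified."
[ -n "$domain" ] || die "No domain name specified."

## Validate before use
# Everything below is written into /etc/resolv.conf and fed to scutil as
# commands, with root privileges. The server-pushed strings are therefore
# treated as untrusted input: anything that is not plainly an address or a
# host name is refused rather than written out. The rejected value is
# deliberately not echoed into the log.
set -f	# no pathname expansion while word-splitting these strings
case "$tun_dev" in
	*[!A-Za-z0-9_-]*) die "Invalid tunnel device name." ;;
esac
for i in $ns; do
	case "$i" in
		*[!0-9A-Fa-f.:]*) die "Invalid name server address." ;;
	esac
done
for i in $domain; do
	case "$i" in
		*[!A-Za-z0-9._-]*) die "Invalid domain name." ;;
	esac
done

## Save current value of resolv file
# Any block previously added by this script for the same device is dropped,
# so cur_resolv holds the file as it was before the tunnel came up.
resolv_path="/etc/resolv.conf"
if [ -f /var/run/resolv.conf ]; then
	resolv_path="/var/run/resolv.conf"
fi
cur_resolv=$("$SED" '/^## OPENVPN START - '"$tun_dev"' ##$/,/^## OPENVPN END - '"$tun_dev"' ##$/d' "$resolv_path")

## Do stuff for action "up".
if [ "$action" = "up" ]; then

	## Update dynamic store
	# Use the supplementalmatchdomains - see
	# <http://lists.apple.com/archives/Macnetworkprog/2005/Jun/msg00011.html>
	# $tun_dev, $ns and $domain were validated above, so they cannot carry a
	# line break that would start an extra scutil command.
	"$SCUTIL" <<EOF
open
d.init
get State:/Network/Interface/$tun_dev/IPv4
d.add InterfaceName $tun_dev
set State:/Network/Service/openvpn-$tun_dev/IPv4
d.init
d.add ServerAddresses * $ns
d.add SupplementalMatchDomains * $domain
set State:/Network/Service/openvpn-$tun_dev/DNS
EOF

	## Update resolv.conf
	# NB search and domain entries in resolv.conf are mutually exclusive.
	# search can take more than one argument however, so is better for our
	# purposes. If both are specified, the last one wins.
	# Each nameserver entry should be on its own line.
	# The new content is assembled completely before the file is opened for
	# writing. printf is used instead of "echo -e", whose handling of -e and
	# of backslash escapes differs between shells and would also reinterpret
	# backslashes already present in the existing file.
	new_resolv=$(
		{
			printf '%s\n' "$cur_resolv"
			printf '## OPENVPN START - %s ##\n' "$tun_dev"
			for i in $ns; do
				printf 'nameserver %s\n' "$i"
			done
			printf 'search %s\n' "$domain"
			printf '## OPENVPN END - %s ##\n' "$tun_dev"
		} | "$SED" '/^ *$/d'
	)
	printf '%s\n' "$new_resolv" > "$resolv_path"
fi

## Do stuff for action "down".
if [ "$action" = "down" ]; then

	## Remove lines from resolv.conf
	# cur_resolv already has our block stripped; write it back without
	# blank lines.
	new_resolv=$(printf '%s\n' "$cur_resolv" | "$SED" '/^ *$/d')
	printf '%s\n' "$new_resolv" > "$resolv_path"

	## Remove information from dynamic store
	"$SCUTIL" <<EOF
open
d.init
remove State:/Network/Service/openvpn-$tun_dev/IPv4
remove State:/Network/Service/openvpn-$tun_dev/DNS
EOF
fi

# End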