
[Openvpn-users] DNS update script, revisited


  • Subject: [Openvpn-users] DNS update script, revisited
  • From: Charles Duffy <cduffy@xxxxxxxxxxx>
  • Date: Thu, 11 Aug 2005 19:07:45 -0500

In answering a question asked on the #openvpn channel on
irc.freenode.org, I noticed that the original mailing list post with my
DNS update script isn't readily available via either Google, GMANE or
the openvpn.net archive.

There was at one point in time when I had a message sent to this mailing
list removed at the request of my employer -- I suspect that this was
the message in question, and will this time avoid making the extraneous
comment which resulted in said request being sent.

In any event, this permits me to post a version with any bug fixes (and,
IIRC, there have indeed been some). Note that the script expects (and, as
posted, does not itself check -- the CA that signs the client certificates
is what enforces this) that:

      * all certificates' common names will be valid DNS names
        (foo.vpn.mycompany.com)
      * FWDZONE is set to the forward-lookup zone where such names will
        be added (vpn.mycompany.com)
      * REVZONE is set to the reverse-lookup zone appropriate given the
        address range in use (99.168.192.in-addr.arpa)

Have fun!

------------------------------------------------------------------------------

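#!/bin/bash
#
# OpenVPN learn-address hook: keeps a forward (A) record in FWDZONE and a
# reverse (PTR) record in REVZONE in step with the address each client is
# given, using nsupdate (RFC 2136 dynamic update) against DNSSERVER.
# The client's certificate common name is used as its host name, so the
# CA signing policy must only issue CNs that are host names inside FWDZONE.
#
# Every setting below may be overridden from the environment; the value
# given here is the default.

DNSSERVER="${DNSSERVER:-10.0.0.254}"            ## your DNS server
FWDZONE="${FWDZONE:-vpn.isgenesis.com}"         ## forward resolution zone (ie. vpn.company.com)
REVZONE="${REVZONE:-99.168.192.in-addr.arpa}"   ## reverse resolution zone (ie. "1.0.0.in-addr.arpa")
## Extra arguments for nsupdate (ie. "-k /path/to/key").  Signing the
## updates with a TSIG key means the server does not have to accept
## unsigned updates from this host's address; keep the key file readable
## only by the user OpenVPN runs its scripts as.
NSUOPTS="${NSUOPTS:-}"

# DEBUG=1 in the environment traces the script and makes nsupdate verbose.
if [ -n "$DEBUG" ] ; then
	NSUOPTS="$NSUOPTS -d"
	set -x
fi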

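# reverseRecord ADDRESS
# Prints the in-addr.arpa name, trailing dot included, for a dotted-quad
# IPv4 address: "192.168.99.5" -> "5.99.168.192.in-addr.arpa.".
# Anything else (a subnet written as a.b.c.d/nn, an IPv6 address, an octet
# above 255, an empty string) is printed back unchanged, as the old sed
# version did, but the function now returns 1 so that callers can refuse
# to build a DNS update out of it.
reverseRecord() {
	local addr=$1
	local oct

	if [[ "$addr" =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
		# 10# forces decimal so a leading zero is not read as octal.
		for oct in "${BASH_REMATCH[@]:1}"; do
			if (( 10#$oct > 255 )); then
				printf '%s\n' "$addr"
				return 1
			fi
		done
		printf '%s.%s.%s.%s.in-addr.arpa.\n' \
			"${BASH_REMATCH[4]}" "${BASH_REMATCH[3]}" \
			"${BASH_REMATCH[2]}" "${BASH_REMATCH[1]}"
		return 0
	fi

	printf '%s\n' "$addr"
	return 1
}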

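# addRecord ADDRESS CN
# Points CN (in FWDZONE) at ADDRESS and ADDRESS (in REVZONE) back at CN,
# replacing whatever A and PTR records were there.  The two zones are
# updated in separate nsupdate transactions, as before.  Returns 1 if
# ADDRESS is not an IPv4 host address or either transaction failed.
# CN and ADDRESS are copied verbatim into the nsupdate batch, so the
# caller must already have checked them -- a CN is whatever the CA signed.
# The record TTL can be overridden with DNSTTL in the environment
# (default 3600 seconds).
addRecord() {
	local address=$1
	local cn=$2
	local ttl=${DNSTTL:-3600}
	local reverse batch rc=0

	# Nothing sensible can be done with a non-IPv4-host "address"; refuse
	# rather than send a malformed update.
	reverse=$(reverseRecord "$address") || return 1

	# Forward zone: A record.
	batch="server $DNSSERVER
zone $FWDZONE
update delete ${cn}. A
update add ${cn}. $ttl A $address
send"
	if [ -n "$DEBUG" ] ; then printf '%s\n' "$batch"; fi
	# The batch is fed to nsupdate on stdin: no file in /tmp to clean up,
	# or to leave behind on an early exit.  NSUOPTS is a string of extra
	# options and is word-split on purpose.
	printf '%s\n' "$batch" | nsupdate $NSUOPTS || rc=1

	# Reverse zone: PTR record.
	batch="server $DNSSERVER
zone $REVZONE
update delete $reverse PTR
update add $reverse $ttl PTR ${cn}.
send"
	if [ -n "$DEBUG" ] ; then printf '%s\n' "$batch"; fi
	printf '%s\n' "$batch" | nsupdate $NSUOPTS || rc=1

	return $rc
}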

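# removeRecord ADDRESS CN
# Deletes the A record for CN from FWDZONE and the PTR record for ADDRESS
# from REVZONE, each in its own nsupdate transaction.  Returns 1 if
# ADDRESS is not an IPv4 host address or either transaction failed.
# CN may be empty (the caller could not find out which name ADDRESS was
# registered under): the forward zone is then left alone instead of
# sending "update delete . A" for the zone apex, and only the PTR record
# is removed.  A non-empty CN is copied verbatim into the batch and must
# have been checked by the caller.
removeRecord() {
	local address=$1
	local cn=$2
	local reverse batch rc=0

	reverse=$(reverseRecord "$address") || return 1

	# Forward zone: A record, only when we know the name.
	if [ -n "$cn" ]; then
		batch="server $DNSSERVER
zone $FWDZONE
update delete ${cn}. A
send"
		if [ -n "$DEBUG" ] ; then printf '%s\n' "$batch"; fi
		# Batch on stdin, no temp file; NSUOPTS is word-split on purpose.
		printf '%s\n' "$batch" | nsupdate $NSUOPTS || rc=1
	else
		printf 'removeRecord: no name known for %s, leaving %s untouched\n' \
			"$address" "$FWDZONE" >&2
	fi

	# Reverse zone: PTR record.
	batch="server $DNSSERVER
zone $REVZONE
update delete $reverse PTR
send"
	if [ -n "$DEBUG" ] ; then printf '%s\n' "$batch"; fi
	printf '%s\n' "$batch" | nsupdate $NSUOPTS || rc=1

	return $rc
}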

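# getCN ADDRESS
# Recovers the name ADDRESS was registered under by reading its PTR record
# and prints it without the trailing dot.  The query goes straight to
# DNSSERVER, the server the updates were sent to, so a stale cache in the
# local resolver cannot answer instead.  Only the first answer is used
# (the old awk version printed every answer line, which then got joined
# with spaces).  The result is about to be written into an nsupdate batch,
# so anything that is not made of host-name characters -- including dig's
# own ";; connection timed out" text -- is rejected.  Returns 1 and prints
# nothing when no usable name is found.
getCN() {
	local ipaddr=$1
	local name

	name=$(dig @"$DNSSERVER" +short -x "$ipaddr" 2>/dev/null | head -n 1)
	name=${name%.}

	[ -n "$name" ] || return 1
	[[ "$name" =~ ^[A-Za-z0-9.-]+$ ]] || return 1

	printf '%s\n' "$name"
	return 0
}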

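# nameInZone NAME
# True when NAME is a plain host name (labels of letters, digits and '-',
# joined by single dots) that lies strictly inside FWDZONE; the zone apex
# itself does not qualify.  The comparison is case-insensitive, as DNS is.
# The CN comes from the client's certificate and is written verbatim into
# an nsupdate batch by addRecord, so whatever is not a host name is turned
# away here rather than handed to nsupdate.
nameInZone() {
	local name=$1
	local re='^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
	local lname lzone

	[[ "$name" =~ $re ]] || return 1
	lname=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
	lzone=$(printf '%s' "$FWDZONE" | tr '[:upper:]' '[:lower:]')
	[[ "$lname" == *".$lzone" ]] || return 1
	return 0
}

# OpenVPN calls this script with script_type=learn-address and the
# positional arguments "operation address common_name".
case "$script_type" in
	learn-address)
		operation=$1
		address=$2
		cn=$3

		# The address is not always a single host (a subnet in a.b.c.d/nn
		# form, for instance): then there is no A/PTR pair to maintain.
		if ! reverseRecord "$address" >/dev/null; then
			printf 'learn-address: "%s" is not an IPv4 host address, nothing to do\n' "$address" >&2
			exit 0
		fi

		case "$operation" in
			add|update)
				if ! nameInZone "$cn"; then
					printf 'ERROR: refusing to register "%s": not a host name inside %s.\n' "$cn" "$FWDZONE" >&2
					# NOTE(review): a non-zero exit here may make OpenVPN
					# refuse the client's address -- confirm that is the
					# policy wanted for a certificate with an off-policy CN.
					exit 1
				fi
				# A failed DNS update is reported but does not fail the
				# hook: the VPN should keep working when DNS does not.
				addRecord "$address" "$cn" \
					|| printf 'learn-address: DNS update for %s (%s) failed\n' "$cn" "$address" >&2
				;;
			delete)
				# The name is recovered from the PTR record registered at
				# add time; with none, removeRecord only clears the PTR.
				cn=$(getCN "$address") || cn=""
				removeRecord "$address" "$cn" \
					|| printf 'learn-address: DNS removal for %s failed\n' "$address" >&2
				;;
			*)
				printf 'ERROR: don'\''t know operation "%s".\n' "$operation" >&2
				exit 1
				;;
		esac
		;;
	*)
		printf '"%s" not handled\n' "$script_type" >&2
		;;
esac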

