vpn-killswitch

#!/bin/bash

# SPDX-FileCopyrightText: 2020 - 2024 sudorook <daemon@nullcodon.com>
#
# SPDX-License-Identifier: GPL-3.0-or-later
#
# This program is free software: you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the Free
# Software Foundation, either version 3 of the License, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program. If not, see <https://www.gnu.org/licenses/>.

set -euo pipefail

ROOT="$(dirname "${0}")"

source "${ROOT}"/globals

! check_command drill ufw nmcli && exit 3

#
# Functions
#

function get_device() {
  nmcli device status |
    grep -v bridge |
    sed -n "s/\(\S\+\)\s\+\S\+\s\+connected\s\+\(\S\+\)\s*$/\1/p"
}

function get_vpn_data() {
  local device
  local vpnid
  local cmd
  device="${1}"
  vpnid="$(nmcli connection show |
           sed -n "s/^\(.*\)\+\s\+\([0-9a-z\-]\+\)\s\+vpn\s\+${device}/\2/p")"
  if [ -z "${vpnid}" ]; then
    return
  else
    cmd="nmcli conn show ${vpnid}"
    eval "${cmd}"
  fi
}

function get_vpn_dns() {
  local vpndata
  vpndata="${1}"
  echo "${vpndata}" | sed -n "s/^IP4.GATEWAY:\s\+\([0-9\.]\+\)/\1/p"
}

function get_vpn_ip() {
  local vpnip=
  local iplist=
  local vpndata
  vpndata="${1}"
  for addr in $(echo "${vpndata}" | sed -n "s/^VPN.GATEWAY:\s\+\(.*\)/\1/p" | sed -e "s/,//g"); do
    vpnip=$(drill "${addr%:*}" | grep "^${addr%:*}" | cut -d"	" -f5)
    if [[ -z "${iplist}" ]]; then
      iplist="${vpnip}/32"
    elif ! [[ "${iplist}" =~ ${vpnip} ]]; then
      iplist="${iplist} ${vpnip}/32"
    fi
  done
  echo "${iplist}"
}

function get_vpn_port() {
  local vpnport=
  local portlist=
  local vpndata
  vpndata="${1}"
  for addr in $(echo "${vpndata}" | sed -n "s/^VPN.GATEWAY:\s\+\(.*\)/\1/p" | sed -e "s/,//g"); do
    vpnport="${addr##*:}"
    if [[ -z "${portlist}" ]]; then
      portlist="${vpnport}"
    elif ! [[ "${portlist}" =~ ${vpnport} ]]; then
      portlist="${portlist},${vpnport}"
    fi
  done
  echo "${portlist}"
}

function enable_killswitch() {
  local device
  local vpndata
  local dns
  local iplist
  local portlist

  device="$(get_device)"
  vpndata="$(get_vpn_data "${device}")"
  if [ -z "${vpndata}" ]; then
    show_error "VPN info not found. Exiting."
    exit 2
  fi
  dns="$(get_vpn_dns "${vpndata}")"
  iplist="$(get_vpn_ip "${vpndata}")"
  portlist="$(get_vpn_port "${vpndata}")"

  sudo ufw --force reset
  sudo ufw default deny incoming
  sudo ufw default deny outgoing
  sudo ufw allow out on tun0 to 0.0.0.0/0
  for ip in ${iplist}; do
    sudo ufw allow in on "${device}" from "${ip}" port "${portlist}"
    sudo ufw allow out on "${device}" to "${ip}" port "${portlist}"
  done
  sudo ufw allow out on "${device}" to "${dns}" port 53
  sudo ufw enable
}

function print_usage() {
  show_header "Usage: vpn-killswitch"
  show_listitem "  -e|--enable   enable firewall 'killswitch'"
  show_listitem "  -d|--disable  disable 'killswitch' and reset firewall rules"
}

#
# Main
#

function disable_killswitch() {
  sudo ufw --force reset
  sudo ufw default deny incoming
  sudo ufw default allow outgoing
  sudo ufw enable
}

OPTIONS=deh
LONGOPTIONS=disable,enable,help
PARSED=$(getopt -o "${OPTIONS}" --long "${LONGOPTIONS}" -n "${0}" -- "${@}")
eval set -- "${PARSED}"

while [ ${#} -ge 1 ]; do
  case "${1}" in
    -d | --disable)
      disable_killswitch
      shift
      ;;
    -e | --enable)
      enable_killswitch
      shift
      ;;
    -h | --help)
      print_usage
      exit
      ;;
    --)
      shift
      break
      ;;
    *)
      show_error "What was that?"
      exit 3
      ;;
  esac
done