sane-vpn: cleanup the CLI ergonomics

2024-07-16 10:52:42 +00:00
parent ef1be364e7
commit fcd13d4f6f


@@ -13,14 +13,22 @@ usageDescription() {
echo "" echo ""
echo "flags:" echo "flags:"
echo " --debug" echo " --debug"
echo " --no-proxy-dns"
echo "" echo ""
echo "operations:" echo "operations:"
echo "sane-vpn up [REGION]" echo "sane-vpn up [REGION]"
echo "sane-vpn down [REGION]" echo "sane-vpn down [REGION]"
echo "sane-vpn do [REGION [COMMAND ...] ]" echo "sane-vpn do [REGION [COMMAND ...] ]"
echo "sane-vpn do -- [COMMAND ...]" echo "sane-vpn do -- [COMMAND ...]"
echo "sane-vpn dns-fix"
echo "sane-vpn help" echo "sane-vpn help"
echo ""
echo "idioms:"
echo "- sane-vpn do none [COMMAND ...]"
echo " - run the command with a stub resolver instead of my recursive resolver, but no VPN."
echo "- sane-vpn up none"
echo " - patch the entire system to use a stub resolver, but no VPN."
echo "- sane-vpn --no-proxy-dns up -- [COMMAND ...]"
echo " - patch the system to route all traffic over the VPN, but use our stub resolver (still through the VPN) instead of delegating to the VPN owner's resolver"
} }
@@ -95,57 +103,53 @@ vpnToggle() {
debug " priorityFwMark='$priorityFwMark'" debug " priorityFwMark='$priorityFwMark'"
set +e set +e
echo before: $(sane-ip-check --no-upnp) echo before: $(sane-ip-check --no-upnp)
set -e
# first, allow all non-default routes (prefix-length != 0) a chance to route the packet. if [ "$region" != none ]; then
# - this allows the wireguard tunnel itself to pass traffic via our LAN gateway. # first, allow all non-default routes (prefix-length != 0) a chance to route the packet.
# - incidentally, it allows traffic to LAN devices and other machine-local or virtual networks. # - this allows the wireguard tunnel itself to pass traffic via our LAN gateway.
ip rule "$verb" from all lookup main suppress_prefixlength 0 priority "$priorityMain" # - incidentally, it allows traffic to LAN devices and other machine-local or virtual networks.
ip rule "$verb" from all lookup main suppress_prefixlength 0 priority "$priorityMain"
# then, forward DNS to the VPN's resolver. # if packet hasn't gone through the wg device yet (fwmark), then move it to the table which will cause it to.
# this isn't *strictly* necessary; i'm effectively doing a system-wide `dns-fix`. ip rule "$verb" not from all fwmark "$fwmark" lookup "$id" priority "$priorityFwMark"
case "$verb" in fi
add)
cat > /var/lib/trust-dns/dhcp-configs/sane-vpn.toml <<EOF
[[zones]]
zone = "."
zone_type = "Forward"
stores = { type = "forward", name_servers = [
{ socket_addr = "$dns:53", protocol = "udp", trust_nx_responses = false }
]}
EOF
;;
del)
rm -f /var/lib/trust-dns/dhcp-configs/sane-vpn.toml
;;
esac
systemctl restart trust-dns-localhost
# if packet hasn't gone through the wg device yet (fwmark), then move it to the table which will cause it to. dnsToggle "$verb"
ip rule "$verb" not from all fwmark "$fwmark" lookup "$id" priority "$priorityFwMark"
echo after: $(sane-ip-check --no-upnp) echo after: $(sane-ip-check --no-upnp)
} }
dnsToggle() {
# forward DNS to the VPN's resolver.
# we don't generally need to do this. only makes sense if our local recursive resolver isn't up to the job.
local verb="$1"
local zone=
if [ -n "$dns" ] && [ "$verb" = add ]; then
zone="
[[zones]]
zone = \".\"
zone_type = \"Forward\"
stores = { type = \"forward\", name_servers = [
{ socket_addr = \"$dns:53\", protocol = \"udp\", trust_nx_responses = false }
]}
"
fi
echo "$zone" > /var/lib/trust-dns/dhcp-configs/sane-vpn.toml
systemctl restart trust-dns-localhost
}
vpnDo() { vpnDo() {
debug "vpnDo with:" debug "vpnDo with:"
debug " name='$name'" debug " name='$name'"
debug " addrV4='$addrV4'" debug " addrV4='$addrV4'"
debug " dns='$dns'" debug " dns='$dns'"
debug "command: ${command[*]}" debug "command: ${command[*]}"
local dnsFlags=${dns:+--sanebox-dns $dns}
# sanebox --sanebox-method pastaonly --sanebox-net-dev "$name" --sanebox-net-gateway "$addrV4" --sanebox-dns "$dns" "${command[@]}" # sanebox --sanebox-method pastaonly --sanebox-net-dev "$name" --sanebox-net-gateway "$addrV4" --sanebox-dns "$dns" "${command[@]}"
sanebox --sanebox-method bwrap --sanebox-keep-namespace all --sanebox-path / --sanebox-no-portal \ sanebox --sanebox-method bwrap --sanebox-keep-namespace all --sanebox-path / --sanebox-no-portal \
--sanebox-net-dev "$name" --sanebox-net-gateway "$addrV4" --sanebox-dns "$dns" \ --sanebox-net-dev "$name" --sanebox-net-gateway "$addrV4" $dnsFlags \
"${command[@]}"
}
dnsFix() {
local dev=$(ip -j route get 255 | jq --raw-output '.[0]["dev"]')
debug "dev: $dev"
debug "command: ${command[*]}"
sanebox --sanebox-method bwrap --sanebox-keep-namespace all --sanebox-path / --sanebox-no-portal \
--sanebox-net-dev "$dev" --sanebox-dns "1.1.1.1" \
"${command[@]}" "${command[@]}"
} }
@@ -166,6 +170,7 @@ usage() {
} }
parseCli() { parseCli() {
local noProxyDns=
while [ $# -ne 0 ]; do while [ $# -ne 0 ]; do
local arg="$1" local arg="$1"
case "$arg" in case "$arg" in
@@ -173,6 +178,13 @@ parseCli() {
SANE_VPN_DEBUG=1 SANE_VPN_DEBUG=1
shift shift
;; ;;
(--no-proxy-dns)
noProxyDns=1
shift
;;
(-*)
usage 1 "unexpected flag: $arg"
;;
(*) (*)
break break
;; ;;
@@ -187,7 +199,16 @@ parseCli() {
getVpns getVpns
canonicalizeRegion canonicalizeRegion
fixupCommand "$@" fixupCommand "$@"
sourceVpn "$region" if [ "$region" == none ]; then
name=$(ip -j route get 255 | jq --raw-output '.[0]["dev"]')
dns=(1.1.1.1 8.8.8.8)
else
sourceVpn "$region"
fi
if [ -n "$noProxyDns" ]; then
dns=()
fi
case $oper in case $oper in
(up) (up)
@@ -199,9 +220,6 @@ parseCli() {
(do) (do)
vpnDo "$@" vpnDo "$@"
;; ;;
(dns-fix)
dnsFix "$@"
;;
(--help|help|"") (--help|help|"")
usage 0 usage 0
;; ;;
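Review bot: In parseCli the new `dns=(1.1.1.1 8.8.8.8)` for region `none` turns `dns` into an array, but every consumer on the new side still reads it as a scalar — `${dns:+--sanebox-dns $dns}` in vpnDo and `[ -n "$dns" ]` / `\"$dns:53\"` in dnsToggle all expand only `${dns[0]}` — so 8.8.8.8 is dead and `sourceVpn` (defined outside these hunks) presumably still assigns a plain string, leaving `dns` with two different shapes depending on the branch. Pick one representation: either `dns=1.1.1.1` here and `dns=` for `--no-proxy-dns`, or keep the array and emit one `{ socket_addr = ... }` entry per element in dnsToggle's `name_servers` list. Separately, `local dnsFlags=${dns:+--sanebox-dns $dns}` followed by an unquoted `$dnsFlags` depends on word-splitting; `local -a dnsFlags=()` plus `if [ -n "$dns" ]; then dnsFlags=(--sanebox-dns "$dns"); fi` and `"${dnsFlags[@]}"` passes the same arguments without it. Minor: `[ "$region" == none ]` uses `==` inside `[`, while the rest of the file (e.g. dnsToggle's `[ "$verb" = add ]`) uses `=`; `=` is the portable spelling and keeps the style consistent.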