/**
 * OpenVPN server directives that enable client-to-client traffic in a pool.
 *
 * Returns an empty list when the pool's "clientToClient" option is off.
 * Otherwise returns the "client-to-client" directive followed by a pushed
 * route for the pool's IPv4 range and its IPv6 prefix, so peers inside the
 * pool reach each other through the tunnel.
 *
 * @return list<string> OpenVPN configuration lines
 */
private static function getClientToClient(PoolConfig $poolConfig)
{
    $enabled = (bool) $poolConfig->v('clientToClient');
    if (false === $enabled) {
        return [];
    }

    // parse order matters only if IP's constructor throws: v4 range first
    $v4 = new IP($poolConfig->v('range'));
    $v6 = new IP($poolConfig->v('range6'));

    $directives = ['client-to-client'];
    $directives[] = sprintf('push "route %s %s"', $v4->getAddress(), $v4->getNetmask());
    $directives[] = sprintf('push "route-ipv6 %s"', $v6->getAddressPrefix());

    return $directives;
}
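/**
 * Build the iptables FORWARD chain rules for every VPN pool of an instance.
 *
 * For each pool a dedicated "vpn-<instance>-<pool>" chain is created and
 * traffic entering from the pool's tun interface is jumped into it only
 * when its source address lies in the pool's own range. The per-pool chain
 * then receives, in order: the pool's outgoing firewall rules from
 * self::getForwardFirewall(), an ACCEPT for client-to-client traffic when
 * enabled, and either an unrestricted ACCEPT towards the external
 * interface ("defaultGateway") or one ACCEPT per configured route whose
 * address family matches $inetFamily.
 *
 * IPv6 pools with "forward6" disabled are skipped entirely.
 *
 * Fix: the "defaultGateway" rule passed a stray fourth sprintf() argument
 * ($srcNet) with no matching placeholder; it is dropped, output unchanged.
 *
 * @param int $inetFamily address family, 4 or 6
 *
 * @return list<string> iptables/ip6tables rule fragments
 *
 * @throws \InvalidArgumentException when $inetFamily is neither 4 nor 6
 */
private static function getForwardChain(InstanceConfig $instanceConfig, $inetFamily)
{
    // an unknown family would silently fall into the IPv6 branch below and
    // produce rules for the wrong range; fail loudly instead
    if (4 !== $inetFamily && 6 !== $inetFamily) {
        throw new \InvalidArgumentException(sprintf('unsupported address family: %s', var_export($inetFamily, true)));
    }

    $instanceNumber = $instanceConfig->v('instanceNumber');
    $forwardChain = [];
    foreach (array_keys($instanceConfig->v('vpnPools')) as $poolNumber => $poolId) {
        $poolConfig = new PoolConfig($instanceConfig->v('vpnPools', $poolId));
        if (6 === $inetFamily && !$poolConfig->v('forward6')) {
            // IPv6 forwarding was disabled for this pool
            continue;
        }

        // source network of the pool for the requested address family
        $srcNet = 4 === $inetFamily ? $poolConfig->v('range') : $poolConfig->v('range6');
        $chainName = sprintf('vpn-%s-%s', $instanceNumber, $poolNumber);
        $tunIf = sprintf('tun-%s-%s+', $instanceNumber, $poolNumber);

        $forwardChain[] = sprintf('-N %s', $chainName);
        // only packets whose source is inside the pool's range enter the
        // chain; anything else from the tun interface is left to later
        // FORWARD rules
        $forwardChain[] = sprintf('-A FORWARD -i %s -s %s -j %s', $tunIf, $srcNet, $chainName);

        // pool-specific rules that block certain outgoing traffic must come
        // before any ACCEPT appended below
        $forwardChain = array_merge($forwardChain, self::getForwardFirewall($instanceNumber, $poolNumber, $poolConfig, $inetFamily));

        if ($poolConfig->v('clientToClient')) {
            // allow traffic back into the same pool
            $forwardChain[] = sprintf('-A %s -o %s -d %s -j ACCEPT', $chainName, $tunIf, $srcNet);
        }

        if ($poolConfig->v('defaultGateway')) {
            // allow traffic to all destinations via the external interface
            $forwardChain[] = sprintf('-A %s -o %s -j ACCEPT', $chainName, $poolConfig->v('extIf'));
        } else {
            // only allow traffic to the configured routes of this family;
            // the raw route string is emitted, new IP() parses it first
            // (presumably rejecting malformed values — verify in IP)
            foreach ($poolConfig->v('routes') as $route) {
                $routeIp = new IP($route);
                if ($inetFamily === $routeIp->getFamily()) {
                    $forwardChain[] = sprintf('-A %s -o %s -d %s -j ACCEPT', $chainName, $poolConfig->v('extIf'), $route);
                }
            }
        }
    }

    return $forwardChain;
}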