Merge 15fb5075ec into f642f4c6da

2021-03-17 14:52:54 +08:00 · 2021-03-17 14:52:54 +08:00 · 75392a938a
commit 75392a938a
parent f642f4c6da 15fb5075ec
1 changed files with 29 additions and 75 deletions
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@ -102,34 +102,12 @@ function installUnbound() {
 		if [[ $OS =~ (debian|ubuntu) ]]; then
 			apt-get install -y unbound
 			# Configuration
 			echo 'interface: 10.8.0.1
 access-control: 10.8.0.1/24 allow
 hide-identity: yes
 hide-version: yes
 use-caps-for-id: yes
 prefetch: yes' >>/etc/unbound/unbound.conf
 		elif [[ $OS =~ (centos|amzn) ]]; then
 			yum install -y unbound
 			# Configuration
 			sed -i 's|# interface: 0.0.0.0$|interface: 10.8.0.1|' /etc/unbound/unbound.conf
 			sed -i 's|# access-control: 127.0.0.0/8 allow|access-control: 10.8.0.1/24 allow|' /etc/unbound/unbound.conf
 			sed -i 's|# hide-identity: no|hide-identity: yes|' /etc/unbound/unbound.conf
 			sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
 			sed -i 's|use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf
 		elif [[ $OS == "fedora" ]]; then
 			dnf install -y unbound
 			# Configuration
 			sed -i 's|# interface: 0.0.0.0$|interface: 10.8.0.1|' /etc/unbound/unbound.conf
 			sed -i 's|# access-control: 127.0.0.0/8 allow|access-control: 10.8.0.1/24 allow|' /etc/unbound/unbound.conf
 			sed -i 's|# hide-identity: no|hide-identity: yes|' /etc/unbound/unbound.conf
 			sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
 			sed -i 's|# use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf
 		elif [[ $OS == "arch" ]]; then
 			pacman -Syu --noconfirm unbound
@ -141,66 +119,42 @@ prefetch: yes' >>/etc/unbound/unbound.conf
 			fi
 			echo 'server:
 	use-syslog: yes
 	do-daemonize: no
 	username: "unbound"
 	directory: "/etc/unbound"
 	trust-anchor-file: trusted-key.key
 	root-hints: root.hints
 	num-threads: 2' >/etc/unbound/unbound.conf
 		fi
 	fi
 	# Add Unbound 'server' for the OpenVPN subnet
 	mkdir -p /etc/unbound/unbound.conf.d
 	echo 'server:
 	interface: 10.8.0.1
 	access-control: 10.8.0.1/24 allow
 	port: 53
 	num-threads: 2
 	use-caps-for-id: yes
 	harden-glue: yes
 	hide-identity: yes
 	hide-version: yes
 	qname-minimisation: yes
-	prefetch: yes' >/etc/unbound/unbound.conf
+	prefetch: yes
-		fi
+	# DNS Rebinding fix
 	private-address: 10.0.0.0/8
 	private-address: 172.16.0.0/12
 	private-address: 192.168.0.0/16
 	private-address: 169.254.0.0/16
 	private-address: fd00::/8
 	private-address: fe80::/10
 	private-address: 127.0.0.0/8
 	private-address: ::ffff:0:0/96' >/etc/unbound/unbound.conf.d/openvpn.conf
 	# IPv6 DNS for all OS
 	if [[ $IPV6_SUPPORT == 'y' ]]; then
 		echo '	interface: fd42:42:42:42::1
-access-control: fd42:42:42:42::/112 allow' >>/etc/unbound/unbound.conf
+	access-control: fd42:42:42:42::/112 allow' >>/etc/unbound/unbound.conf.d/openvpn.conf
 	fi
-		if [[ ! $OS =~ (fedora|centos|amzn) ]]; then
+	# Add as include, if no wildcard include exist
-			# DNS Rebinding fix
+	if ! grep -q '/etc/unbound/unbound.conf.d/' /etc/unbound/unbound.conf; then
-			echo "private-address: 10.0.0.0/8
+		echo 'include: /etc/unbound/unbound.conf.d/openvpn.conf' >>/etc/unbound/unbound.conf
 private-address: fd42:42:42:42::/112
 private-address: 172.16.0.0/12
 private-address: 192.168.0.0/16
 private-address: 169.254.0.0/16
 private-address: fd00::/8
 private-address: fe80::/10
 private-address: 127.0.0.0/8
 private-address: ::ffff:0:0/96" >>/etc/unbound/unbound.conf
 		fi
 	else # Unbound is already installed
 		echo 'include: /etc/unbound/openvpn.conf' >>/etc/unbound/unbound.conf
 		# Add Unbound 'server' for the OpenVPN subnet
 		echo 'server:
 interface: 10.8.0.1
 access-control: 10.8.0.1/24 allow
 hide-identity: yes
 hide-version: yes
 use-caps-for-id: yes
 prefetch: yes
 private-address: 10.0.0.0/8
 private-address: fd42:42:42:42::/112
 private-address: 172.16.0.0/12
 private-address: 192.168.0.0/16
 private-address: 169.254.0.0/16
 private-address: fd00::/8
 private-address: fe80::/10
 private-address: 127.0.0.0/8
 private-address: ::ffff:0:0/96' >/etc/unbound/openvpn.conf
 		if [[ $IPV6_SUPPORT == 'y' ]]; then
 			echo 'interface: fd42:42:42:42::1
 access-control: fd42:42:42:42::/112 allow' >>/etc/unbound/openvpn.conf
 		fi
 	fi
 	systemctl enable unbound
@ -322,7 +276,7 @@ function installQuestions() {
 			echo ""
 			echo "Unbound is already installed."
 			echo "You can allow the script to configure it in order to use it from your OpenVPN clients"
-			echo "We will simply add a second server to /etc/unbound/unbound.conf for the OpenVPN subnet."
+			echo "We will simply add a second server to /etc/unbound/unbound.conf.d/openvpn.conf for the OpenVPN subnet."
 			echo "No changes are made to the current configuration."
 			echo ""
@ -1180,8 +1134,8 @@ function revokeClient() {
 function removeUnbound() {
 	# Remove OpenVPN-related config
-	sed -i '/include: \/etc\/unbound\/openvpn.conf/d' /etc/unbound/unbound.conf
+	sed -i '/include: \/etc\/unbound\/unbound\.conf\.d\/openvpn\.conf/d' /etc/unbound/unbound.conf
-	rm /etc/unbound/openvpn.conf
+	rm /etc/unbound/unbound.conf.d/openvpn.conf
 	until [[ $REMOVE_UNBOUND =~ (y|n) ]]; do
 		echo ""
@ -1279,7 +1233,7 @@ function removeOpenVPN() {
 		rm -rf /var/log/openvpn
 		# Unbound
-		if [[ -e /etc/unbound/openvpn.conf ]]; then
+		if [[ -e /etc/unbound/unbound.conf.d/openvpn.conf ]]; then
 			removeUnbound
 		fi
 		echo ""