Prevent VPN from locking out SSH
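#!/usr/bin/env bash
# Install and start a systemd oneshot unit that fwmarks SSH (tcp/22) and
# mosh-style UDP (60000-61000) traffic so it bypasses the VPN routing table
# and the host stays reachable over its physical interface while the VPN is up.
#
# Mark 0xca6c (51820) is the fwmark wg-quick uses by default; it installs an
# "ip rule ... not fwmark 51820 lookup 51820" rule, so packets carrying the
# mark skip the VPN table and are routed via the main table instead.
# NOTE(review): if your VPN uses a different mark, or no fwmark-based rule at
# all, adjust the mark or enable the commented-out policy-routing lines inside
# the unit — confirm with `ip rule show` on the target host.
#
# NOTE(review): this deliberately keeps sshd / the UDP range reachable on the
# non-VPN address whenever the unit is active; the VPN no longer shields them,
# so make sure sshd is hardened (key-only auth, etc.).
#
# Must be run as root. Requires systemd and iptables.
set -euo pipefail

unit=/etc/systemd/system/vpn-bypass.service

if [[ $EUID -ne 0 ]]; then
  printf 'error: %s must be run as root\n' "${0##*/}" >&2
  exit 1
fi

# Write the unit with `cat` and a quoted heredoc delimiter. The original used
# `echo <<EOF`, which ignores stdin and produced an empty unit file, and the
# unquoted delimiter would have expanded the $(...) in the commented lines at
# install time.
cat <<'EOF' > "$unit"
[Unit]
Description=VPN Bypass for SSH and UDP ports 60000-61000
After=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
# Alternative: explicit policy routing through a dedicated table (200) keyed on
# the same fwmark, for VPNs that do not install their own "not fwmark" rule.
# Left disabled; enable and test on your host before relying on it.
# ExecStart=/bin/sh -c 'grep -q "200 vpnbypass" /etc/iproute2/rt_tables || echo "200 vpnbypass" >> /etc/iproute2/rt_tables'
# ExecStart=/bin/sh -c 'ip rule del fwmark 0xca6c lookup 200 priority 100 2>/dev/null || true'
# ExecStart=/bin/sh -c 'ip route add unreachable default metric 4278198272 table 200 2>/dev/null || true'
# ExecStart=/bin/sh -c 'ip route flush table 200'
# ExecStart=/bin/sh -c 'ip rule add fwmark 0xca6c lookup 200 priority 100'
# ExecStart=/bin/sh -c 'ip route add default via $(ip route show default | head -n1 | cut -d" " -f3) dev $(ip route show default | head -n1 | cut -d" " -f5) table 200'
#
# All mark rules live in a dedicated chain so that (re)starting this unit only
# flushes our own rules. The original ran "iptables -t mangle -F", which wipes
# every rule in the mangle table, including ones owned by other services.
# "ExecStart=-": ignore failure when the chain already exists.
# "-w": wait for the xtables lock instead of failing if another tool holds it.
ExecStart=-/sbin/iptables -w -t mangle -N VPN_BYPASS
ExecStart=/sbin/iptables -w -t mangle -F VPN_BYPASS
# Inbound connections to sshd / the UDP range.
ExecStart=/sbin/iptables -w -t mangle -A VPN_BYPASS -p tcp --dport 22 -j MARK --set-mark 0xca6c
ExecStart=/sbin/iptables -w -t mangle -A VPN_BYPASS -p udp --dport 60000:61000 -j MARK --set-mark 0xca6c
# Locally generated replies from sshd / the UDP range.
ExecStart=/sbin/iptables -w -t mangle -A VPN_BYPASS -p tcp --sport 22 -j MARK --set-mark 0xca6c
ExecStart=/sbin/iptables -w -t mangle -A VPN_BYPASS -p udp --sport 60000:61000 -j MARK --set-mark 0xca6c
# Hook the chain into PREROUTING/OUTPUT; idempotent, so restarts do not
# accumulate duplicate jump rules.
ExecStart=/bin/sh -c '/sbin/iptables -w -t mangle -C PREROUTING -j VPN_BYPASS 2>/dev/null || /sbin/iptables -w -t mangle -I PREROUTING -j VPN_BYPASS'
ExecStart=/bin/sh -c '/sbin/iptables -w -t mangle -C OUTPUT -j VPN_BYPASS 2>/dev/null || /sbin/iptables -w -t mangle -I OUTPUT -j VPN_BYPASS'
# Undo everything on stop so "systemctl stop vpn-bypass" restores the VPN-only
# path; each step tolerates "already gone".
ExecStop=-/sbin/iptables -w -t mangle -D PREROUTING -j VPN_BYPASS
ExecStop=-/sbin/iptables -w -t mangle -D OUTPUT -j VPN_BYPASS
ExecStop=-/sbin/iptables -w -t mangle -F VPN_BYPASS
ExecStop=-/sbin/iptables -w -t mangle -X VPN_BYPASS

[Install]
WantedBy=multi-user.target
EOF

# Unit files must not be writable by others; make the mode explicit rather than
# depending on the caller's umask.
chmod 0644 "$unit"
# Pick up the new unit file before enabling it.
systemctl daemon-reload
systemctl enable --now vpn-bypass.service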