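#--------------------------------------------------------------------
# /etc/rc.d/rc990.openvpn - create openvpn configuration
#
# Creation:    04.10.2003 Claas Hilbrecht
# Last Update: $Id$
#--------------------------------------------------------------------
#
# Sourced by the fli4l rc framework, never executed on its own; it
# relies on helpers the framework already provides (begin_script,
# end_script, log_info, log_error, do_modprobe, add_rule/add_rule6,
# ins_rule/ins_rule6, add_chain/add_chain6, get_count/get_count6,
# netcalc) and on the OPENVPN_* / OPENVPN_DEFAULT_* variables read
# from the fli4l configuration.
#
# For every active peer it writes /etc/openvpn/<name>.conf, the
# packet-filter rule file under /var/run/openvpn/<name>/, optional
# bridge up/down scripts and the ip-up hook, then (unless the peer is
# on-demand or only gets its secret created) starts the daemon.
#
# Review notes (security):
#   * /etc/openvpn holds static keys: the script chmods everything in
#     it to 0600 and the daemon runs with "mlock" so key material is
#     not swapped out (hence "ulimit -l unlimited" below).
#   * The management interface is bound to 127.0.0.1 without a
#     password; any local user can talk to it. Keep it local-only.
#   * "script-security 2" is required for the up/down helper scripts
#     and the down-root plugin; it lets OpenVPN execute them.
#   * The built-in cipher/digest defaults (BF-CBC / DESX-CBC, SHA1)
#     are legacy values kept for compatibility with existing peers;
#     administrators should set OPENVPN_DEFAULT_CIPHER / _DIGEST to a
#     modern algorithm explicitly.

case $OPT_OPENVPN in
yes)
    begin_script OPENVPN "configuring OpenVPN..."

    # remove limits for locked memory and core dumps
    # (mlock in the generated config needs unlimited locked memory)
    ulimit -l unlimited
    ulimit -c unlimited

    # create links
    ln -s openvpn_fwrules-helper.sh /usr/bin/openvpn_fwrules-helper-up
    ln -s openvpn_fwrules-helper.sh /usr/bin/openvpn_fwrules-helper-down

    # load the tun/tap device driver
    do_modprobe tun

    #######################################
    # Write packet-filter rules for one rule list of the current peer.
    # Globals:   ovpn_idx (read; index of the peer being configured),
    #            ovpn_local_vpn_ip, ovpn_remote_vpn_ip,
    #            ovpn_local_vpn_ipv6, ovpn_remote_vpn_ipv6 (read)
    # Arguments: $1 - table (filter/nat)
    #            $2 - rule list name, e.g. PF_INPUT or PF6_FORWARD;
    #                 a PF6* list selects IPv6 substitution
    #            $3 - chain the rules are written for
    #            $4 - file the rules are appended to
    # Outputs:   appends "<table> <chain> <rule>" lines to $4 with the
    #            placeholders REMOTE-VPN-IP, LOCAL-VPN-IP and
    #            REMOTE-NET replaced; a rule containing REMOTE-NET is
    #            written once for the peer address and once for every
    #            configured OPENVPN_x_ROUTE_y of matching address family
    #######################################
    ovpn_wpr()
    {
        ovpn_table=$1
        ovpn_list=$2
        ovpn_chain=$3
        ovpn_outfile=$4
        ovpn_rule=
        ovpn_orig_rule=
        ovpn_rlnum=
        ovpn_rnet=
        ovpn_ipv6rules='no'

        case $ovpn_list in
        PF6*)
            ovpn_ipv6rules='yes'
            ovpn_remote_vpn_ipv6_brackets="[$ovpn_remote_vpn_ipv6]"
            # a local address without prefix length is treated as /64
            if echo "$ovpn_local_vpn_ipv6" | grep -q '/'
            then
                ovpn_local_vpn_ipv6_brackets="[$ovpn_local_vpn_ipv6]"
            else
                ovpn_local_vpn_ipv6_brackets="[$ovpn_local_vpn_ipv6/64]"
            fi
            ;;
        esac

        {
            eval ovpn_rlnum='$OPENVPN_'$ovpn_idx'_'$ovpn_list'_N'
            # case $ovpn_list in
            # *INPUT|*FORWARD)
            #     [ 0$ovpn_rlnum -gt 0 ] && echo "$ovpn_table $ovpn_chain state:ESTABLISHED,RELATED ACCEPT"
            #     ;;
            # esac
            [ 0$ovpn_rlnum -eq 0 ] || for ovpn_tdx in `seq 1 $ovpn_rlnum`
            do
                eval ovpn_rule='$OPENVPN_'$ovpn_idx'_'$ovpn_list'_'$ovpn_tdx
                # substitute the peer addresses (case-insensitive placeholders)
                case $ovpn_ipv6rules in
                yes)
                    ovpn_rule=`echo $ovpn_rule | sed -e "s#\(^\|[[:space:]]\)REMOTE-VPN-IP\($\|[:[:space:]]\)#\1$ovpn_remote_vpn_ipv6_brackets\2#I" \
                        -e "s#\(^\|[[:space:]]\)LOCAL-VPN-IP\($\|[:[:space:]]\)#\1$ovpn_local_vpn_ipv6_brackets\2#I"`
                    ;;
                no)
                    ovpn_rule=`echo $ovpn_rule | sed -e "s#\(^\|[SD]NAT:\|[[:space:]]\)REMOTE-VPN-IP\($\|[:[:space:]]\)#\1$ovpn_remote_vpn_ip\2#I" \
                        -e "s#\(^\|[SD]NAT:\|[[:space:]]\)LOCAL-VPN-IP\($\|[:[:space:]]\)#\1$ovpn_local_vpn_ip\2#I"`
                    ;;
                esac

                if echo $ovpn_rule | grep -iq REMOTE-NET
                then
                    ovpn_orig_rule=$ovpn_rule
                    # first instance: REMOTE-NET is the peer's VPN address itself
                    case $ovpn_ipv6rules in
                    yes) ovpn_rule=`echo $ovpn_orig_rule | sed "s#\(^\|[[:space:]]\)REMOTE-NET\([:[:space:]]\)#\1$ovpn_remote_vpn_ipv6_brackets\2#I"`;;
                    no)  ovpn_rule=`echo $ovpn_orig_rule | sed "s#\(^\|[[:space:]]\)REMOTE-NET\([:[:space:]]\)#\1$ovpn_remote_vpn_ip\2#I"`;;
                    esac
                    echo "$ovpn_table $ovpn_chain $ovpn_rule"

                    # further instances: one per configured route of the
                    # matching address family
                    eval ovpn_rnum='$OPENVPN_'$ovpn_idx'_ROUTE_N'
                    [ 0$ovpn_rnum -eq 0 ] || for ovpn_rdx in `seq 1 $ovpn_rnum`
                    do
                        eval ovpn_rnet='$OPENVPN_'$ovpn_idx'_ROUTE_'$ovpn_rdx
                        case $ovpn_ipv6rules in
                        yes)
                            case "$ovpn_rnet" in
                            *:*) ovpn_rnet="[$ovpn_rnet]" ;;
                            *)   continue ;;
                            esac
                            ;;
                        no)
                            case "$ovpn_rnet" in
                            *:*) continue ;;
                            # strip redirect-gateway flags from a default route
                            "0.0.0.0/0 "*) ovpn_rnet=`echo $ovpn_rnet|sed -e 's#\(0\.0\.0\.0/0\) .*#\1#'` ;;
                            esac
                            ;;
                        esac
                        ovpn_rule=`echo $ovpn_orig_rule | sed -e "s#\(^\|[[:space:]]\)REMOTE-NET\([:[:space:]]\)#\1$ovpn_rnet\2#I"`
                        echo "$ovpn_table $ovpn_chain $ovpn_rule"
                    done
                else
                    echo "$ovpn_table $ovpn_chain $ovpn_rule"
                fi
            done
        } >>$ovpn_outfile
    }

    #######################################
    # Build the policy rule for a peer chain.
    # Globals:   reject_name, drop_name (read; provided by the sourced
    #            /var/run/fwrules-helper.state.* files)
    # Arguments: $1 - policy: ACCEPT, REJECT or DROP
    #            $2 - "yes" to use the logging variant of the target
    #            $3 - chain name
    # Outputs:   "filter <chain> <target>" on stdout; for an unknown
    #            policy the target is empty
    #######################################
    ovpn_setup_logging()
    {
        ovpn_policy=$1
        ovpn_logging=$2
        ovpn_chain=$3

        case $ovpn_logging in
        yes) log=-log ;;
        *)   log= ;;
        esac

        case $ovpn_policy in
        ACCEPT) action=ACCEPT ;;
        REJECT) action=${reject_name}$log ;;
        DROP)   action=${drop_name}$log ;;
        esac

        echo "filter $ovpn_chain $action"
    }

    OVPN_VAR=/var/run/openvpn
    mkdir -p $OVPN_VAR

    # ip-up hook: collects the management commands for peers with
    # RESTART=ip-up, executed from $OVPN_VAR
    OVPN_IPUP=/etc/ppp/ip-up800.openvpn
    echo "cd $OVPN_VAR" > $OVPN_IPUP
    chmod 755 $OVPN_IPUP

    # config directory also holds the static keys -> owner-only access
    OVPN_CFG=/etc/openvpn
    mkdir -p $OVPN_CFG
    cd $OVPN_CFG
    chmod 600 * 2>/dev/null

    case $OPENVPN_EXPERT in
    yes)
        # expert mode: start every hand-written *.conf as is
        for config in /etc/openvpn/*.conf
        do
            # an unmatched glob leaves the literal pattern behind
            [ -f "$config" ] || continue
            mkdir -p $OVPN_VAR/`basename ${config%.conf}`
            openvpn --config $config --daemon openvpn-`basename ${config%.conf}`
        done
        ;;
    *)
        # legacy defaults, see the review notes in the file header
        if [ -z "$OPENVPN_DEFAULT_CIPHER" -a "$OPENVPN_FEATURES" = min ]
        then
            OPENVPN_DEFAULT_CIPHER=DESX-CBC
        else
            : ${OPENVPN_DEFAULT_CIPHER:=BF-CBC}
        fi
        : ${OPENVPN_DEFAULT_COMPRESS:=yes}
        : ${OPENVPN_DEFAULT_CREATE_SECRET:=no}
        : ${OPENVPN_DEFAULT_DIGEST:=SHA1}
        : ${OPENVPN_DEFAULT_FLOAT:=yes}
        : ${OPENVPN_DEFAULT_OPEN_OVPNPORT:=yes}
        : ${OPENVPN_DEFAULT_PING:=60}
        : ${OPENVPN_DEFAULT_PING_RESTART:=180}
        : ${OPENVPN_DEFAULT_PROTOCOL:=udp}
        : ${OPENVPN_DEFAULT_RENEG_SEC:=3600}
        : ${OPENVPN_DEFAULT_RESOLV_RETRY:=infinite}
        : ${OPENVPN_DEFAULT_RESTART:=ip-up}
        : ${OPENVPN_DEFAULT_START:=always}
        : ${OPENVPN_DEFAULT_VERBOSE:=2}
        : ${OPENVPN_DEFAULT_PF_INPUT_POLICY:=REJECT}
        : ${OPENVPN_DEFAULT_PF_FORWARD_POLICY:=REJECT}
        : ${OPENVPN_DEFAULT_MANAGEMENT_LOG_CACHE:=100}
        # tun-mtu and link-mtu are mutually exclusive in OpenVPN
        [ -z "$OPENVPN_DEFAULT_LINK_MTU" ] && : ${OPENVPN_DEFAULT_TUN_MTU:=1500}
        : ${OPENVPN_DEFAULT_FRAGMENT:=1300}
        : ${OPENVPN_DEFAULT_MUTE_REPLAY_WARNINGS:=no}

        # setup packetfilter defaults, allow icmp
        : ${OPENVPN_DEFAULT_ALLOW_ICMPPING:=yes}

        case $OPT_DYNDNS in
        yes) : ${OPENVPN_DEFAULT_PERSIST_REMOTE_IP:=yes} ;;
        *)   : ${OPENVPN_DEFAULT_PERSIST_REMOTE_IP:=no} ;;
        esac

        case $OPENVPN_DEFAULT_ALLOW_ICMPPING in
        yes)
            add_rule filter in-ovpn "if:tun+:any prot:icmp:8 ACCEPT"
            add_rule filter fw-ovpn "if:any:tun+ prot:icmp:8 ACCEPT"
            add_rule filter fw-ovpn "if:tun+:any prot:icmp:8 ACCEPT"
            ;;
        esac

        # chain policies for the shared in-ovpn / fw-ovpn chains;
        # BASE means "inherit the logging setting of the main chain"
        : ${OPENVPN_DEFAULT_PF_INPUT_LOG:=BASE}
        [ $OPENVPN_DEFAULT_PF_INPUT_LOG = BASE ] && OPENVPN_DEFAULT_PF_INPUT_LOG=$PF_INPUT_LOG
        . /var/run/fwrules-helper.state.INPUT
        add_rule `ovpn_setup_logging $OPENVPN_DEFAULT_PF_INPUT_POLICY $OPENVPN_DEFAULT_PF_INPUT_LOG in-ovpn`

        : ${OPENVPN_DEFAULT_PF_FORWARD_LOG:=BASE}
        [ $OPENVPN_DEFAULT_PF_FORWARD_LOG = BASE ] && OPENVPN_DEFAULT_PF_FORWARD_LOG=$PF_FORWARD_LOG
        . /var/run/fwrules-helper.state.FORWARD
        add_rule `ovpn_setup_logging $OPENVPN_DEFAULT_PF_FORWARD_POLICY $OPENVPN_DEFAULT_PF_FORWARD_LOG fw-ovpn`

        # don't masq traffic that's routed via a tun device
        ins_rule nat po-ovpn "if:any:tun+ ACCEPT"

        # add chain in-ovpn-ports to add rules where openvpn will listen to
        get_count INPUT
        add_chain in-ovpn-ports
        ins_rule filter INPUT 'in-ovpn-ports' $res "ovpn access"

        case $PF_INPUT_ACCEPT_DEF in
        yes)
            get_count INPUT
            ins_rule filter INPUT 'if:tun+:any in-ovpn' $res "ovpn VPN traffic"
            ;;
        esac
        case $PF_FORWARD_ACCEPT_DEF in
        yes)
            get_count FORWARD
            ins_rule filter FORWARD 'if:tun+:any fw-ovpn BIDIRECTIONAL' $res "ovpn VPN traffic"
            ;;
        esac

        case $OPT_IPV6 in
        yes)
            get_count6 INPUT
            add_chain6 in-ovpn-ports
            ins_rule6 filter INPUT 'in-ovpn-ports' $res "ovpn access"
            case $PF6_INPUT_ACCEPT_DEF in
            yes)
                get_count6 INPUT
                ins_rule6 filter INPUT 'if:tun+:any in-ovpn' $res "ovpn VPN traffic"
                ;;
            esac
            case $PF6_FORWARD_ACCEPT_DEF in
            yes)
                get_count6 FORWARD
                ins_rule6 filter FORWARD 'if:tun+:any fw-ovpn BIDIRECTIONAL' $res "ovpn VPN traffic"
                ;;
            esac
            ;;
        esac

        [ "$OPENVPN_N" -eq 0 ] || for ovpn_idx in `seq 1 $OPENVPN_N`
        do
            eval ovpn_activ='$OPENVPN_'$ovpn_idx'_ACTIV'
            [ "$ovpn_activ" = no ] && continue

            eval ovpn_name='$OPENVPN_'$ovpn_idx'_NAME'
            echo ${ovpn_name} >> $OVPN_CFG/openvpn.names
            log_info "configuring OpenVPN peer $ovpn_name"

            # read the per-peer settings
            eval ovpn_ipv6='$OPENVPN_'$ovpn_idx'_IPV6'
            eval ovpn_bridge='$OPENVPN_'$ovpn_idx'_BRIDGE'
            eval ovpn_cipher='$OPENVPN_'$ovpn_idx'_CIPHER'
            eval ovpn_compress='$OPENVPN_'$ovpn_idx'_COMPRESS'
            eval ovpn_create_secret='$OPENVPN_'$ovpn_idx'_CREATE_SECRET'
            eval ovpn_digest='$OPENVPN_'$ovpn_idx'_DIGEST'
            eval ovpn_float='$OPENVPN_'$ovpn_idx'_FLOAT'
            eval ovpn_isdn_circ_name='$OPENVPN_'$ovpn_idx'_ISDN_CIRC_NAME'
            eval ovpn_keysize='$OPENVPN_'$ovpn_idx'_KEYSIZE'
            eval ovpn_local_host='$OPENVPN_'$ovpn_idx'_LOCAL_HOST'
            eval ovpn_local_vpn_ip='$OPENVPN_'$ovpn_idx'_LOCAL_VPN_IP'
            eval ovpn_local_vpn_ipv6='$OPENVPN_'$ovpn_idx'_LOCAL_VPN_IPV6'
            eval ovpn_lport='$OPENVPN_'$ovpn_idx'_LOCAL_PORT'
            eval ovpn_openport='$OPENVPN_'$ovpn_idx'_OPEN_OVPNPORT'
            eval ovpn_ping='$OPENVPN_'$ovpn_idx'_PING'
            eval ovpn_ping_restart='$OPENVPN_'$ovpn_idx'_PING_RESTART'
            eval ovpn_pf_input_log='$OPENVPN_'$ovpn_idx'_PF_INPUT_LOG'
            eval ovpn_pf_input_policy='$OPENVPN_'$ovpn_idx'_PF_INPUT_POLICY'
            eval ovpn_pf_forward_log='$OPENVPN_'$ovpn_idx'_PF_FORWARD_LOG'
            eval ovpn_pf_forward_policy='$OPENVPN_'$ovpn_idx'_PF_FORWARD_POLICY'
            eval ovpn_protocol='$OPENVPN_'$ovpn_idx'_PROTOCOL'
            eval ovpn_remote_host='$OPENVPN_'$ovpn_idx'_REMOTE_HOST'
            eval ovpn_remote_vpn_ip='$OPENVPN_'$ovpn_idx'_REMOTE_VPN_IP'
            eval ovpn_remote_vpn_ipv6='$OPENVPN_'$ovpn_idx'_REMOTE_VPN_IPV6'
            eval ovpn_reneg_sec='$OPENVPN_'$ovpn_idx'_RENEG_SEC'
            eval ovpn_resolv_retry='$OPENVPN_'$ovpn_idx'_RESOLV_RETRY'
            eval ovpn_restart='$OPENVPN_'$ovpn_idx'_RESTART'
            eval ovpn_rport='$OPENVPN_'$ovpn_idx'_REMOTE_PORT'
            eval ovpn_secret='$OPENVPN_'$ovpn_idx'_SECRET'
            eval ovpn_shaper='$OPENVPN_'$ovpn_idx'_SHAPER'
            eval ovpn_link_mtu='$OPENVPN_'$ovpn_idx'_LINK_MTU'
            eval ovpn_tun_mtu='$OPENVPN_'$ovpn_idx'_TUN_MTU'
            eval ovpn_tun_mtu_extra='$OPENVPN_'$ovpn_idx'_TUN_MTU_EXTRA'
            eval ovpn_mlogcache='$OPENVPN_'$ovpn_idx'_MANAGEMENT_LOG_CACHE'
            eval ovpn_mport='$OPENVPN_'$ovpn_idx'_MANAGEMENT_PORT'
            eval ovpn_mssfix='$OPENVPN_'$ovpn_idx'_MSSFIX'
            eval ovpn_fragment='$OPENVPN_'$ovpn_idx'_FRAGMENT'
            eval ovpn_start='$OPENVPN_'$ovpn_idx'_START'
            eval ovpn_type='$OPENVPN_'$ovpn_idx'_TYPE'
            eval ovpn_verbose='$OPENVPN_'$ovpn_idx'_VERBOSE'
            eval ovpn_mute_replay_warnings='$OPENVPN_'$ovpn_idx'_MUTE_REPLAY_WARNINGS'
            eval ovpn_devnum='$OPENVPN_'$ovpn_idx'_DEVNUM'

            # fall back to the global defaults for everything unset
            : ${ovpn_ipv6:=no}
            : ${ovpn_compress:=$OPENVPN_DEFAULT_COMPRESS}
            : ${ovpn_create_secret:=$OPENVPN_DEFAULT_CREATE_SECRET}
            : ${ovpn_digest:=$OPENVPN_DEFAULT_DIGEST}
            : ${ovpn_float:=$OPENVPN_DEFAULT_FLOAT}
            : ${ovpn_openport:=$OPENVPN_DEFAULT_OPEN_OVPNPORT}
            : ${ovpn_ping:=$OPENVPN_DEFAULT_PING}
            : ${ovpn_protocol:=$OPENVPN_DEFAULT_PROTOCOL}
            : ${ovpn_restart:=$OPENVPN_DEFAULT_RESTART}
            : ${ovpn_start:=$OPENVPN_DEFAULT_START}
            : ${ovpn_verbose:=$OPENVPN_DEFAULT_VERBOSE}
            : ${ovpn_keysize:=$OPENVPN_DEFAULT_KEYSIZE}
            : ${ovpn_cipher:=$OPENVPN_DEFAULT_CIPHER}
            : ${ovpn_shaper:=$OPENVPN_DEFAULT_SHAPER}
            : ${ovpn_mssfix:=$OPENVPN_DEFAULT_MSSFIX}
            : ${ovpn_fragment:=$OPENVPN_DEFAULT_FRAGMENT}
            : ${ovpn_tun_mtu_extra:=$OPENVPN_DEFAULT_TUN_MTU_EXTRA}
            # management port 0: OpenVPN picks a free port and writes it
            # to the mport file (see management-writeport below)
            : ${ovpn_mport:=0}
            : ${ovpn_mlogcache:=$OPENVPN_DEFAULT_MANAGEMENT_LOG_CACHE}
            : ${ovpn_pf_input_log:=$OPENVPN_DEFAULT_PF_INPUT_LOG}
            : ${ovpn_pf_input_policy:=$OPENVPN_DEFAULT_PF_INPUT_POLICY}
            : ${ovpn_pf_forward_log:=$OPENVPN_DEFAULT_PF_FORWARD_LOG}
            : ${ovpn_pf_forward_policy:=$OPENVPN_DEFAULT_PF_FORWARD_POLICY}
            : ${ovpn_mute_replay_warnings:=$OPENVPN_DEFAULT_MUTE_REPLAY_WARNINGS}
            : ${ovpn_reneg_sec:=$OPENVPN_DEFAULT_RENEG_SEC}

            # without IPv6 support an udp6/tcp6 protocol degrades to its
            # IPv4 variant
            if [ "$OPT_IPV6" != "yes" ]
            then
                ovpn_protocol=`echo $ovpn_protocol | sed 's/6$//'`
                ovpn_ipv6='no'
            fi

            # with several remote hosts a short resolv-retry lets the
            # daemon move on to the next one
            eval ovpn_rhosts='$OPENVPN_'$ovpn_idx'_REMOTE_HOST_N'
            if [ 0$ovpn_rhosts -gt 0 ]
            then
                : ${ovpn_resolv_retry:=30}
            else
                : ${ovpn_resolv_retry:=$OPENVPN_DEFAULT_RESOLV_RETRY}
            fi
            : ${ovpn_ping_restart:=$OPENVPN_DEFAULT_PING_RESTART}

            if [ -z "$ovpn_link_mtu" -a -z "$ovpn_tun_mtu" ]
            then
                : ${ovpn_link_mtu:=$OPENVPN_DEFAULT_LINK_MTU}
                : ${ovpn_tun_mtu:=$OPENVPN_DEFAULT_TUN_MTU}
            fi

            mkdir -p $OVPN_VAR/$ovpn_name
            # raw-up restart: the ISDN circuit's raw-up script needs the pid file
            [ "$ovpn_restart" = raw-up -a "$ovpn_isdn_circ_name" ] && echo "$OVPN_VAR/$ovpn_name/pid" >$OVPN_CFG/isdnraw.$ovpn_isdn_circ_name

            # static part of the peer configuration
            cat <<EOF >$ovpn_name.conf
cipher $ovpn_cipher
auth $ovpn_digest
ping-timer-rem
lport $ovpn_lport
proto $ovpn_protocol
verb $ovpn_verbose
resolv-retry $ovpn_resolv_retry
writepid $OVPN_VAR/$ovpn_name/pid
persist-key
persist-tun
persist-local-ip
mlock
remote-random
reneg-sec $ovpn_reneg_sec
status $OVPN_VAR/$ovpn_name/status 15
status-version 1
mtu-disc yes
management 127.0.0.1 $ovpn_mport
management-log-cache $ovpn_mlogcache
management-writeport $OVPN_VAR/$ovpn_name/mport
EOF
            # needed so OpenVPN may run the up/down helper scripts
            cat <<EOF >>$ovpn_name.conf
script-security 2
EOF

            # dynamic part of the peer configuration; everything echoed
            # in this group that is not redirected elsewhere ends up in
            # the .conf file
            {
                if [ "$OPT_IPV6" = "yes" -a "$ovpn_ipv6" = "yes" -a -n "$ovpn_local_vpn_ipv6" -a -n "$ovpn_remote_vpn_ipv6" -a "$ovpn_type" = "tunnel" ]
                then
                    echo tun-ipv6
                    echo setenv ovpn_ipv6 yes
                    echo ifconfig-ipv6 $ovpn_local_vpn_ipv6 $ovpn_remote_vpn_ipv6
                else
                    ovpn_ipv6='no'
                    echo setenv ovpn_ipv6 no
                fi

                # static (pre-shared) key mode
                [ "$ovpn_secret" ] && echo "secret $OVPN_CFG/$ovpn_secret"

                if [ "$ovpn_float" = "no" -a "$OPENVPN_DEFAULT_PERSIST_REMOTE_IP" = "yes" -a -n "$ovpn_remote_host" ]
                then
                    echo "persist-remote-ip"
                fi
                [ $ovpn_mute_replay_warnings = yes ] && echo "mute-replay-warnings"
                [ "$ovpn_rport" ] && echo "rport $ovpn_rport"

                # IPv4 literals on an IPv6 transport become v4-mapped addresses
                case $ovpn_protocol in
                *6)
                    if netcalc isipv4 "$ovpn_remote_host"
                    then
                        ovpn_remote_host="::ffff:$ovpn_remote_host"
                    fi
                    ;;
                esac
                [ "$ovpn_remote_host" ] && echo "remote $ovpn_remote_host"

                eval ovpn_rhosts='$OPENVPN_'$ovpn_idx'_REMOTE_HOST_N'
                [ 0$ovpn_rhosts -eq 0 ] || for ovpn_rdx in `seq 1 $ovpn_rhosts`
                do
                    eval ovpn_tmp='$OPENVPN_'$ovpn_idx'_REMOTE_HOST_'$ovpn_rdx
                    case $ovpn_protocol in
                    *6)
                        if netcalc isipv4 $ovpn_tmp
                        then
                            ovpn_tmp="::ffff:$ovpn_tmp"
                        fi
                        ;;
                    esac
                    echo "remote $ovpn_tmp"
                done

                case $ovpn_protocol in
                *6)
                    if netcalc isipv4 "$ovpn_local_host"
                    then
                        ovpn_local_host="::ffff:$ovpn_local_host"
                    fi
                    ;;
                esac
                [ "$ovpn_local_host" ] && echo "local $ovpn_local_host"

                [ "$ovpn_keysize" ] && echo "keysize $ovpn_keysize"
                [ $ovpn_float = yes ] && echo "float"
                [ $ovpn_compress = yes ] && echo "comp-lzo"

                if [ "$ovpn_shaper" ]
                then
                    echo "shaper $ovpn_shaper"
                elif [ $ovpn_protocol = udp ]
                then
                    echo "fast-io"
                fi

                [ 0"$ovpn_mssfix" -gt 0 ] && echo "mssfix $ovpn_mssfix"
                case $ovpn_protocol in
                udp*)
                    if [ 0"$ovpn_fragment" -gt 0 ]
                    then
                        echo "fragment $ovpn_fragment"
                        [ -z "$ovpn_mssfix" ] && echo "mssfix"
                    fi
                    ;;
                esac

                [ "$ovpn_tun_mtu" ] && echo "tun-mtu $ovpn_tun_mtu"
                [ $ovpn_type = bridge ] && : ${ovpn_tun_mtu_extra:=32}
                [ "$ovpn_tun_mtu_extra" ] && echo "tun-mtu-extra $ovpn_tun_mtu_extra"
                [ "$ovpn_link_mtu" ] && echo "link-mtu $ovpn_link_mtu"
                [ $ovpn_ping != off ] && echo "ping $ovpn_ping"
                [ $ovpn_ping_restart != off ] && echo "ping-restart $ovpn_ping_restart"

                ovpn_signal_type=SIGUSR1
                case $ovpn_type in
                tunnel)
                    if [ "x$ovpn_devnum" != "x" ]
                    then
                        echo "dev tun$ovpn_devnum"
                    else
                        echo "dev tun"
                    fi
                    echo "ifconfig $ovpn_local_vpn_ip $ovpn_remote_vpn_ip"

                    ovpn_default_route=no
                    eval ovpn_rnum='$OPENVPN_'$ovpn_idx'_ROUTE_N'
                    [ 0$ovpn_rnum -eq 0 ] || for ovpn_rdx in `seq 1 $ovpn_rnum`
                    do
                        eval ovpn_tmp='$OPENVPN_'$ovpn_idx'_ROUTE_'$ovpn_rdx
                        case "$ovpn_tmp" in
                        "0.0.0.0/0 "*)
                            # default route: anything after the prefix is
                            # passed to redirect-gateway as flags
                            ovpn_default_route=yes
                            ovpn_signal_type=SIGHUP
                            #ovpn_network=0.0.0.0
                            #ovpn_netmask=0.0.0.0
                            ovpn_redirect_flags=`echo $ovpn_tmp|sed -e 's#0\.0\.0\.0/0 \(.*\)#\1#'`
                            ;;
                        # IPv6 routes are configured differently and only
                        # when the peer carries IPv6
                        *:*)
                            if [ "$ovpn_ipv6" = "yes" ]
                            then
                                echo route-ipv6 $ovpn_tmp
                            fi
                            ;;
                        *)
                            ovpn_network=`netcalc network $ovpn_tmp`
                            ovpn_netmask=`netcalc netmask $ovpn_tmp`
                            echo "route $ovpn_network $ovpn_netmask"
                            ;;
                        esac
                    done

                    case "$ovpn_default_route" in
                    yes)
                        echo "redirect-gateway $ovpn_redirect_flags"
                        ;;
                    *)
                        echo "down-pre"
                        echo "plugin /usr/lib/openvpn-plugin-down-root.so \"/usr/bin/openvpn_fwrules-helper-down\""
                        #echo "user nobody"
                        #echo "group nogroup"
                        # create chroot jail
                        #mkdir -p $OVPN_VAR/$ovpn_name/chroot
                        #chmod 777 $OVPN_VAR/$ovpn_name/chroot
                        #chown nobody.nogroup $OVPN_VAR/$ovpn_name/chroot
                        #echo "chroot $OVPN_VAR/$ovpn_name/chroot"
                        ;;
                    esac

                    # per-peer packet-filter rules, applied by the up helper
                    ovpn_rulefile=$OVPN_VAR/$ovpn_name/fwrules
                    echo "up /usr/bin/openvpn_fwrules-helper-up"
                    ovpn_wpr filter PF_INPUT in-ovpn-$ovpn_name $ovpn_rulefile
                    ovpn_wpr filter PF_FORWARD fw-ovpn-$ovpn_name $ovpn_rulefile
                    ovpn_wpr nat PF_PREROUTING pi-ovpn-$ovpn_name $ovpn_rulefile
                    ovpn_wpr nat PF_POSTROUTING po-ovpn-$ovpn_name $ovpn_rulefile
                    if [ $ovpn_ipv6 = "yes" ]
                    then
                        ovpn_wpr filter PF6_INPUT in-ovpn-$ovpn_name ${ovpn_rulefile}.ipv6
                        ovpn_wpr filter PF6_FORWARD fw-ovpn-$ovpn_name ${ovpn_rulefile}.ipv6
                    fi
                    # peer-specific chain policy only when it differs from
                    # the shared default
                    if [ $ovpn_pf_input_policy != $OPENVPN_DEFAULT_PF_INPUT_POLICY ]
                    then
                        echo `ovpn_setup_logging $ovpn_pf_input_policy $ovpn_pf_input_log in-ovpn-$ovpn_name` >> $ovpn_rulefile
                    fi
                    if [ $ovpn_pf_forward_policy != $OPENVPN_DEFAULT_PF_FORWARD_POLICY ]
                    then
                        echo `ovpn_setup_logging $ovpn_pf_forward_policy $ovpn_pf_forward_log fw-ovpn-$ovpn_name` >> $ovpn_rulefile
                    fi
                    case "$ovpn_default_route" in
                    yes)
                        # MSS clamping for traffic leaving through the tunnel
                        echo "\$IPTABLES -I fw-ovpn-$ovpn_name -o \$dev -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu">>$ovpn_rulefile.up.post
                        ;;
                    esac
                    ;;
                bridge)
                    if [ "x$ovpn_devnum" != "x" ]
                    then
                        echo "dev tap$ovpn_devnum"
                    else
                        echo "dev tap"
                    fi
                    ovpn_bridge=`cat /var/run/bridge/$ovpn_bridge`
                    ovpn_bridge_up=$OVPN_VAR/$ovpn_name/bridge-up
                    ovpn_bridge_down=$OVPN_VAR/$ovpn_name/bridge-down
                    eval ovpn_cost='$OPENVPN_'$ovpn_idx'_BRIDGE_COST'
                    eval ovpn_priority='$OPENVPN_'$ovpn_idx'_BRIDGE_PRIORITY'

                    echo "up $ovpn_bridge_up"
                    {
                        echo "#!/bin/sh"
                        echo ". /etc/boot.d/network_aliases"
                        echo "ip addr flush dev \$dev"
                        echo "ip link set dev \$dev mtu \$tun_mtu up"
                        echo "net_alias_add $ovpn_name \$dev"
                        echo "brctl addif $ovpn_bridge \$dev"
                        # fixed: the tests used to read $cost / $priority,
                        # which are never set, so these lines were never
                        # written
                        [ 0$ovpn_cost -gt 0 ] && echo "brctl setpathcost $ovpn_bridge \$dev $ovpn_cost"
                        [ 0$ovpn_priority -gt 0 ] && echo "brctl setportprio $ovpn_bridge \$dev $ovpn_priority"
                    }>$ovpn_bridge_up
                    chmod 700 $ovpn_bridge_up

                    echo "plugin openvpn-plugin-down-root.so \"$ovpn_bridge_down\""
                    {
                        echo "#!/bin/sh"
                        echo ". /etc/boot.d/network_aliases"
                        echo "net_alias_del $ovpn_name"
                    }>$ovpn_bridge_down
                    chmod 700 $ovpn_bridge_down

                    # create chroot jail
                    #mkdir -p $OVPN_VAR/$ovpn_name/chroot
                    #chmod 777 $OVPN_VAR/$ovpn_name/chroot
                    #chown nobody.nogroup $OVPN_VAR/$ovpn_name/chroot
                    #echo "chroot $OVPN_VAR/$ovpn_name/chroot"
                    ;;
                esac

                # ip-up restart: release the management hold and restart
                # the daemon whenever the uplink comes up
                if [ $ovpn_restart = ip-up ]
                then
                    (
                        echo "if [ -f $ovpn_name/pid ]"
                        echo "then"
                        echo "ovpnctrl \"hold off\" \"^SUCCESS:\" 127.0.0.1 \`cat $ovpn_name/mport\`"
                        echo "ovpnctrl \"hold release\" \"^SUCCESS:\" 127.0.0.1 \`cat $ovpn_name/mport\`"
                        echo "ovpnctrl \"signal SIGUSR1\" \"^SUCCESS:\" 127.0.0.1 \`cat $ovpn_name/mport\`"
                        echo "fi"
                    )>>$OVPN_IPUP
                fi
            }>>$ovpn_name.conf

            ovpn_pktflt_src=
            ovpn_pktflt_dst=
            ovpn_pktflt_dev=

            # create packetfilter rules
            case $ovpn_openport in
            yes)
                ovpn_pktflt_proto6=''
                case $ovpn_protocol in
                udp6)  ovpn_pktflt_proto=udp; ovpn_pktflt_proto6=udp;;
                udp)   ovpn_pktflt_proto=udp;;
                tcp*6) ovpn_pktflt_proto=tcp; ovpn_pktflt_proto6=tcp;;
                tcp*)  ovpn_pktflt_proto=tcp;;
                esac

                # restrict the source to the remote host when it is an
                # address literal (a hostname cannot be used in a rule)
                ovpn_pktflt_src="any"
                ovpn_pktflt_src6="any"
                if [ "$ovpn_remote_host" ]
                then
                    if netcalc isipv4 $ovpn_remote_host
                    then
                        ovpn_pktflt_src="$ovpn_remote_host"
                    elif netcalc isipv6 $ovpn_remote_host
                    then
                        ovpn_pktflt_src6="$ovpn_remote_host"
                    fi
                fi

                ovpn_pktflt_dst="any"
                ovpn_pktflt_dst6="any"
                ovpn_pktflt_dev="any"
                if [ "$ovpn_local_host" ]
                then
                    if netcalc isipv4 $ovpn_local_host
                    then
                        ovpn_pktflt_dst="$ovpn_local_host"
                        # find out device according to the local ip address
                        ovpn_pktflt_dev=$(ip addr show | grep "inet $ovpn_local_host[ /].*$ovpn_remote_host[ /].*tun" | sed "s/.* \(tun.*\)$/\1/")
                        # find non tun devices, too
                        [ -n "$ovpn_pktflt_dev" ] || ovpn_pktflt_dev=$(ip addr show | grep "inet $ovpn_local_host[ /]" | sed "s/.* \([a-z]\+[0-9]\+\([.][0-9]\+\)\?\)$/\1/")
                    elif netcalc isipv6 $ovpn_local_host
                    then
                        # NOTE(review): only ovpn_pktflt_dst is set here, so
                        # the ovpn_pktflt_dst6 branch below never fires for
                        # an IPv6 local host — confirm which one is intended
                        ovpn_pktflt_dst="$ovpn_local_host"
                        # find out device according to the local ip address
                        # (fixed: used to grep for an unset $ip, which made
                        # grep fail and left the device at "any")
                        for dev in `ip a s | sed -n 's/^[0-9]\+: \([^ ]\+\):.*/\1/p'`
                        do
                            if [ -n "`ip a s $dev | grep -F -- "$ovpn_local_host"`" ]
                            then
                                ovpn_pktflt_dev=$dev
                            fi
                        done
                    fi
                fi

                if [ -z "$ovpn_pktflt_dev" ]
                then
                    log_error "Can't determinate device for $ovpn_name, this OpenVPN connection won't work!"
                else
                    if [ -n "$ovpn_pktflt_proto6" ]
                    then
                        if [ "$ovpn_pktflt_dst6" = "any" ]
                        then
                            add_rule6 filter in-ovpn-ports "prot:$ovpn_pktflt_proto6 if:$ovpn_pktflt_dev:any $ovpn_pktflt_src6 $ovpn_lport ACCEPT"
                        else
                            add_rule6 filter in-ovpn-ports "prot:$ovpn_pktflt_proto6 if:$ovpn_pktflt_dev:any $ovpn_pktflt_src6 $ovpn_pktflt_dst6 $ovpn_lport ACCEPT"
                        fi
                    else
                        add_rule filter in-ovpn-ports "prot:$ovpn_pktflt_proto if:$ovpn_pktflt_dev:any $ovpn_pktflt_src $ovpn_pktflt_dst:$ovpn_lport ACCEPT"
                    fi
                fi
                ;;
            esac

            case $ovpn_create_secret in
            yes)
                log_info "creating OpenVPN secret $ovpn_secret for $ovpn_name"
                openvpn --genkey --secret $ovpn_secret
                # keep the new key owner-only like the rest of $OVPN_CFG,
                # independent of the current umask
                chmod 600 $ovpn_secret 2>/dev/null
                ;;
            webgui)
                log_info "OpenVPN secret $ovpn_secret should be created with webgui for $ovpn_name"
                ;;
            no)
                # reset per peer: these used to leak from an "always"
                # peer with ip-up restart into a following "isdn" peer,
                # which then got --management-hold without anyone
                # releasing the hold
                ovpn_extra_opt=
                ovpn_extra_text=
                case $ovpn_start in
                always)
                    if [ $ovpn_restart = ip-up ]
                    then
                        ovpn_extra_opt="--management-hold"
                        ovpn_extra_text=" in HOLD mode"
                    fi
                    ;;
                isdn)
                    ovpn_extra_text=" (via ISDN link)"
                    ;;
                esac
                case $ovpn_start in
                on-demand)
                    log_info "OpenVPN peer $ovpn_name will be started on-demand"
                    ;;
                *)
                    log_info "starting OpenVPN peer $ovpn_name$ovpn_extra_text"
                    openvpn --config $OVPN_CFG/$ovpn_name.conf --daemon openvpn-$ovpn_name $ovpn_extra_opt
                    ;;
                esac
                ;;
            esac
        done
        ;;
    esac

    # Make entry to menu of httpd
    case $OPT_HTTPD$OPENVPN_WEBGUI in
    yesyes) httpd-menu.sh add -p 365 status_OpenVPN.cgi "OpenVPN" '$_MT_firewall' openvpn;;
    esac

    end_script
    ;;
esac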