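#--------------------------------------------------------------------
# /etc/rc.d/rc990.openvpn - create openvpn configuration
#
# Creation: 04.10.2003 Claas Hilbrecht
# Last Update: $Id$
#--------------------------------------------------------------------
#
# Boot-time rc script.  When OPT_OPENVPN=yes it
#   - installs the shared firewall chains (in-ovpn, fw-ovpn, in-ovpn-ports),
#   - generates /etc/openvpn/<name>.conf for every active peer OPENVPN_x_*,
#   - writes the per-peer packet-filter rule files and bridge/ip-up hooks
#     below /var/run/openvpn/<name>/,
#   - starts the daemons (unless OPENVPN_x_START=on-demand).
#
# This file is sourced by the boot framework; begin_script/end_script,
# add_rule/ins_rule/add_chain/get_count, do_modprobe, netcalc and
# log_info/log_error are provided by it (not defined here), so there is no
# shebang and no `set -e`.  All OPENVPN_* values are admin-supplied
# configuration, not untrusted input; note nevertheless that they are
# interpolated unquoted into sed/grep patterns and into generated shell
# snippets, so values containing sed/regex metacharacters would break them.
#
# Changes against the previous revision (see the marked lines):
#   - heredoc redirections `cat <<EOF >file` restored (were garbled),
#   - bridge path cost / port priority tests used the never-set $cost and
#     $priority instead of $ovpn_cost / $ovpn_priority,
#   - ovpn_extra_opt/ovpn_extra_text are reset per peer; previously a peer
#     with START=isdn inherited "--management-hold" from an earlier peer.
#
case $OPT_OPENVPN in
yes)
    begin_script OPENVPN "configuring OpenVPN..."

    # remove limits for locked memory and core dumps
    # (the generated configs use `mlock`, which needs an unlimited RLIMIT_MEMLOCK)
    ulimit -l unlimited
    ulimit -c unlimited

    # create links: one helper script serves as both the up and the down hook
    ln -s openvpn_fwrules-helper.sh /usr/bin/openvpn_fwrules-helper-up
    ln -s openvpn_fwrules-helper.sh /usr/bin/openvpn_fwrules-helper-down

    # load the tun/tap device driver
    do_modprobe tun

    #######################################
    # Write the packet-filter rules of one rule list (PF_INPUT, PF_FORWARD,
    # PF_PREROUTING, PF_POSTROUTING) of the current peer to a rule file,
    # expanding the REMOTE-VPN-IP, LOCAL-VPN-IP and REMOTE-NET placeholders.
    # A rule containing REMOTE-NET is emitted once with the remote VPN ip and
    # once per configured OPENVPN_x_ROUTE_y network.
    # Globals:   ovpn_idx, ovpn_local_vpn_ip, ovpn_remote_vpn_ip (read);
    #            ovpn_rule, ovpn_orig_rule, ovpn_rlnum, ovpn_rnet, ovpn_rnum,
    #            ovpn_tdx, ovpn_rdx (written - not local, sh has no `local`)
    # Arguments: $1 - table (filter|nat)
    #            $2 - rule list name, e.g. PF_INPUT
    #            $3 - chain name, e.g. in-ovpn-<name>
    #            $4 - output file (appended to)
    # Outputs:   appends "<table> <chain> <rule>" lines to $4
    # Note:      sed's `\|` alternation and the `I` flag are GNU extensions.
    #######################################
    ovpn_wpr()
    {
        ovpn_table=$1
        ovpn_list=$2
        ovpn_chain=$3
        ovpn_outfile=$4
        ovpn_rule=
        ovpn_orig_rule=
        ovpn_rlnum=
        ovpn_rnet=
        {
            eval ovpn_rlnum='$OPENVPN_'$ovpn_idx'_'$ovpn_list'_N'
            case $ovpn_list in
            INPUT|FORWARD)
                # stateful shortcut only for the filter lists, and only if
                # the admin configured at least one rule for them
                [ 0$ovpn_rlnum -gt 0 ] && echo "$ovpn_table $ovpn_chain state:ESTABLISHED,RELATED ACCEPT"
                ;;
            esac
            [ 0$ovpn_rlnum -eq 0 ] || for ovpn_tdx in `seq 1 $ovpn_rlnum`
            do
                eval ovpn_rule='$OPENVPN_'$ovpn_idx'_'$ovpn_list'_'$ovpn_tdx
                # replace the placeholders at the start of the rule, after a
                # [SD]NAT: prefix or after whitespace (case-insensitive)
                ovpn_rule=`echo $ovpn_rule | \
                    sed -e "s#\(^\|[SD]NAT:\|[[:space:]]\)REMOTE-VPN-IP\($\|[:[:space:]]\)#\1$ovpn_remote_vpn_ip\2#I" \
                        -e "s#\(^\|[SD]NAT:\|[[:space:]]\)LOCAL-VPN-IP\($\|[:[:space:]]\)#\1$ovpn_local_vpn_ip\2#I"`
                if echo $ovpn_rule | grep -iq REMOTE-NET
                then
                    ovpn_orig_rule=$ovpn_rule
                    # first instance: REMOTE-NET = the peer's VPN address
                    ovpn_rule=`echo $ovpn_orig_rule | \
                        sed -e "s#\(^\|[[:space:]]\)REMOTE-NET\([:[:space:]]\)#\1$ovpn_remote_vpn_ip\2#I"`
                    echo "$ovpn_table $ovpn_chain $ovpn_rule"
                    # further instances: one per routed network
                    eval ovpn_rnum='$OPENVPN_'$ovpn_idx'_ROUTE_N'
                    [ 0$ovpn_rnum -eq 0 ] || for ovpn_rdx in `seq 1 $ovpn_rnum`
                    do
                        eval ovpn_rnet='$OPENVPN_'$ovpn_idx'_ROUTE_'$ovpn_rdx
                        case "$ovpn_rnet" in
                        "0.0.0.0/0 "*)
                            # a default route may carry redirect-gateway
                            # flags after the network; strip them here
                            ovpn_rnet=`echo $ovpn_rnet|sed -e 's#\(0\.0\.0\.0/0\) .*#\1#'`
                            ;;
                        esac
                        ovpn_rule=`echo $ovpn_orig_rule | sed -e "s#\(^\|[[:space:]]\)REMOTE-NET\([:[:space:]]\)#\1$ovpn_rnet\2#I"`
                        echo "$ovpn_table $ovpn_chain $ovpn_rule"
                    done
                else
                    echo "$ovpn_table $ovpn_chain $ovpn_rule"
                fi
            done
        } >>$ovpn_outfile
    }

    #######################################
    # Build the default-policy rule for a chain.
    # Globals:   reject_name, drop_name (read; expected from the sourced
    #            /var/run/fwrules-helper.state.* files - TODO confirm)
    #            log, action (written)
    # Arguments: $1 - policy: ACCEPT|REJECT|DROP
    #            $2 - logging: yes|no (appends "-log" to the target name)
    #            $3 - chain name
    # Outputs:   one line "filter <chain> <target>" on stdout; callers word-split
    #            it into add_rule arguments.
    # Note:      for ACCEPT the logging flag is ignored; for any other policy
    #            value `action` keeps the value of the previous call.
    #######################################
    ovpn_setup_logging()
    {
        ovpn_policy=$1
        ovpn_logging=$2
        ovpn_chain=$3
        case $ovpn_logging in
        yes) log=-log ;;
        *)   log= ;;
        esac
        case $ovpn_policy in
        ACCEPT) action=ACCEPT ;;
        REJECT) action=${reject_name}$log ;;
        DROP)   action=${drop_name}$log ;;
        esac
        echo "filter $ovpn_chain $action"
    }

    OVPN_VAR=/var/run/openvpn
    mkdir -p $OVPN_VAR

    # the ip-up hook is extended per peer below (restart=ip-up peers); it is
    # executed from within $OVPN_VAR, hence the leading cd
    if [ $ip_up_events = yes ]
    then
        OVPN_IPUP=/etc/ppp/ip-up800.openvpn
        echo "cd $OVPN_VAR" > $OVPN_IPUP
        chmod 755 $OVPN_IPUP
    fi

    OVPN_CFG=/etc/openvpn
    mkdir -p $OVPN_CFG
    cd $OVPN_CFG
    # keys and configs are readable by root only; the redirection hides the
    # error for an empty directory.  Files created later in this script
    # (e.g. by `openvpn --genkey`) are not covered by this chmod.
    chmod 600 * 2>/dev/null

    case $OPENVPN_EXPERT in
    yes)
        # expert mode: the admin ships ready-made *.conf files, just start them
        for config in /etc/openvpn/*.conf
        do
            mkdir -p $OVPN_VAR/`basename ${config%.conf}`
            openvpn --config $config --daemon openvpn-`basename ${config%.conf}`
        done
        ;;
    *)
        # --- global defaults -------------------------------------------
        # DESX-CBC / BF-CBC and SHA1 are the historical (2003) defaults kept
        # for compatibility with existing peers; both ciphers have a 64-bit
        # block size and are weak by current standards - prefer setting
        # OPENVPN_DEFAULT_CIPHER / OPENVPN_x_CIPHER explicitly.
        if [ ! "$OPENVPN_DEFAULT_CIPHER" -a "$OPENVPN_FEATURES" = min ]
        then
            : ${OPENVPN_DEFAULT_CIPHER:=DESX-CBC}
        else
            : ${OPENVPN_DEFAULT_CIPHER:=BF-CBC}
        fi
        : ${OPENVPN_DEFAULT_COMPRESS:=yes}
        : ${OPENVPN_DEFAULT_CREATE_SECRET:=no}
        : ${OPENVPN_DEFAULT_DIGEST:=SHA1}
        : ${OPENVPN_DEFAULT_FLOAT:=yes}
        : ${OPENVPN_DEFAULT_OPEN_OVPNPORT:=yes}
        : ${OPENVPN_DEFAULT_PING:=60}
        : ${OPENVPN_DEFAULT_PING_RESTART:=180}
        : ${OPENVPN_DEFAULT_PROTOCOL:=udp}
        : ${OPENVPN_DEFAULT_RESOLV_RETRY:=infinite}
        : ${OPENVPN_DEFAULT_RESTART:=ip-up}
        : ${OPENVPN_DEFAULT_START:=always}
        : ${OPENVPN_DEFAULT_VERBOSE:=2}
        : ${OPENVPN_DEFAULT_PF_DMZ_TYPE:=none}
        : ${OPENVPN_DEFAULT_PF_INPUT_POLICY:=REJECT}
        : ${OPENVPN_DEFAULT_PF_FORWARD_POLICY:=REJECT}
        : ${OPENVPN_DEFAULT_MANAGEMENT_LOG_CACHE:=100}
        # link-mtu and tun-mtu are alternatives: only default tun-mtu when no
        # link-mtu was given
        [ -z "$OPENVPN_DEFAULT_LINK_MTU" ] && : ${OPENVPN_DEFAULT_TUN_MTU:=1500}
        : ${OPENVPN_DEFAULT_FRAGMENT:=1300}
        : ${OPENVPN_DEFAULT_MUTE_REPLAY_WARNINGS:=no}

        # setup packetfilter defaults, allow icmp
        : ${OPENVPN_DEFAULT_ALLOW_ICMPPING:=yes}
        # with dynamic DNS the peer's address may change: keep the resolved
        # remote ip across restarts only if dyndns is not in use
        case $OPT_DYNDNS in
        yes) : ${OPENVPN_DEFAULT_PERSIST_REMOTE_IP:=yes} ;;
        *)   : ${OPENVPN_DEFAULT_PERSIST_REMOTE_IP:=no} ;;
        esac
        case $OPENVPN_DEFAULT_ALLOW_ICMPPING in
        yes)
            # echo-request only (icmp type 8); replies pass via state matching
            add_rule filter in-ovpn "if:tun+:any prot:icmp:8 ACCEPT"
            add_rule filter fw-ovpn "if:any:tun+ prot:icmp:8 ACCEPT"
            add_rule filter fw-ovpn "if:tun+:any prot:icmp:8 ACCEPT"
            ;;
        esac

        # --- shared chains and their default policy ---------------------
        # "BASE" means: inherit the logging setting of the base packet filter.
        # The fwrules-helper state files are sourced for the reject/drop
        # target names used by ovpn_setup_logging (presumably - confirm).
        : ${OPENVPN_DEFAULT_PF_INPUT_LOG:=BASE}
        [ $OPENVPN_DEFAULT_PF_INPUT_LOG = BASE ] && OPENVPN_DEFAULT_PF_INPUT_LOG=$PF_INPUT_LOG
        . /var/run/fwrules-helper.state.INPUT
        add_rule `ovpn_setup_logging $OPENVPN_DEFAULT_PF_INPUT_POLICY $OPENVPN_DEFAULT_PF_INPUT_LOG in-ovpn`

        : ${OPENVPN_DEFAULT_PF_FORWARD_LOG:=BASE}
        [ $OPENVPN_DEFAULT_PF_FORWARD_LOG = BASE ] && OPENVPN_DEFAULT_PF_FORWARD_LOG=$PF_FORWARD_LOG
        . /var/run/fwrules-helper.state.FORWARD
        add_rule `ovpn_setup_logging $OPENVPN_DEFAULT_PF_FORWARD_POLICY $OPENVPN_DEFAULT_PF_FORWARD_LOG fw-ovpn`

        # don't masq traffic that's routed via a tun device
        ins_rule nat post-out-ovpn "if:any:tun+ ACCEPT"

        # add chain in-ovpn-ports to add rules where openvpn will listen to
        get_count INPUT
        add_chain in-ovpn-ports
        ins_rule filter INPUT 'in-ovpn-ports' $res "ovpn access"

        # only hook the VPN chains into INPUT/FORWARD when the base policy
        # is not already ACCEPT-by-default
        case $PF_INPUT_ACCEPT_DEF in
        yes)
            get_count INPUT
            ins_rule filter INPUT 'if:tun+:any in-ovpn' $res "ovpn VPN traffic"
            ;;
        esac
        case $PF_FORWARD_ACCEPT_DEF in
        yes)
            get_count FORWARD
            ins_rule filter FORWARD 'if:tun+:any fw-ovpn BIDIRECTIONAL' $res "ovpn VPN traffic"
            ;;
        esac

        # --- per peer ------------------------------------------------------
        [ "$OPENVPN_N" -eq 0 ] || for ovpn_idx in `seq 1 $OPENVPN_N`
        do
            eval ovpn_activ='$OPENVPN_'$ovpn_idx'_ACTIV'
            [ "$ovpn_activ" = no ] && continue
            eval ovpn_name='$OPENVPN_'$ovpn_idx'_NAME'
            echo "configuring OpenVPN peer $ovpn_name"

            # every OPENVPN_x_* value is re-read for each peer, so unset
            # variables become empty here rather than carrying over
            eval ovpn_bridge='$OPENVPN_'$ovpn_idx'_BRIDGE'
            eval ovpn_cipher='$OPENVPN_'$ovpn_idx'_CIPHER'
            eval ovpn_compress='$OPENVPN_'$ovpn_idx'_COMPRESS'
            eval ovpn_create_secret='$OPENVPN_'$ovpn_idx'_CREATE_SECRET'
            eval ovpn_digest='$OPENVPN_'$ovpn_idx'_DIGEST'
            eval ovpn_float='$OPENVPN_'$ovpn_idx'_FLOAT'
            eval ovpn_isdn_circ_name='$OPENVPN_'$ovpn_idx'_ISDN_CIRC_NAME'
            eval ovpn_keysize='$OPENVPN_'$ovpn_idx'_KEYSIZE'
            eval ovpn_local_host='$OPENVPN_'$ovpn_idx'_LOCAL_HOST'
            eval ovpn_local_vpn_ip='$OPENVPN_'$ovpn_idx'_LOCAL_VPN_IP'
            eval ovpn_lport='$OPENVPN_'$ovpn_idx'_LOCAL_PORT'
            eval ovpn_openport='$OPENVPN_'$ovpn_idx'_OPEN_OVPNPORT'
            eval ovpn_ping='$OPENVPN_'$ovpn_idx'_PING'
            eval ovpn_ping_restart='$OPENVPN_'$ovpn_idx'_PING_RESTART'
            eval ovpn_pf_dmz_type='$OPENVPN_'$ovpn_idx'_PF_DMZ_TYPE'
            eval ovpn_pf_input_log='$OPENVPN_'$ovpn_idx'_PF_INPUT_LOG'
            eval ovpn_pf_input_policy='$OPENVPN_'$ovpn_idx'_PF_INPUT_POLICY'
            eval ovpn_pf_forward_log='$OPENVPN_'$ovpn_idx'_PF_FORWARD_LOG'
            eval ovpn_pf_forward_policy='$OPENVPN_'$ovpn_idx'_PF_FORWARD_POLICY'
            eval ovpn_protocol='$OPENVPN_'$ovpn_idx'_PROTOCOL'
            eval ovpn_remote_host='$OPENVPN_'$ovpn_idx'_REMOTE_HOST'
            eval ovpn_remote_vpn_ip='$OPENVPN_'$ovpn_idx'_REMOTE_VPN_IP'
            eval ovpn_resolv_retry='$OPENVPN_'$ovpn_idx'_RESOLV_RETRY'
            eval ovpn_restart='$OPENVPN_'$ovpn_idx'_RESTART'
            eval ovpn_rport='$OPENVPN_'$ovpn_idx'_REMOTE_PORT'
            eval ovpn_secret='$OPENVPN_'$ovpn_idx'_SECRET'
            eval ovpn_shaper='$OPENVPN_'$ovpn_idx'_SHAPER'
            eval ovpn_link_mtu='$OPENVPN_'$ovpn_idx'_LINK_MTU'
            eval ovpn_tun_mtu='$OPENVPN_'$ovpn_idx'_TUN_MTU'
            eval ovpn_tun_mtu_extra='$OPENVPN_'$ovpn_idx'_TUN_MTU_EXTRA'
            eval ovpn_mlogcache='$OPENVPN_'$ovpn_idx'_MANAGEMENT_LOG_CACHE'
            eval ovpn_mport='$OPENVPN_'$ovpn_idx'_MANAGEMENT_PORT'
            eval ovpn_mssfix='$OPENVPN_'$ovpn_idx'_MSSFIX'
            eval ovpn_fragment='$OPENVPN_'$ovpn_idx'_FRAGMENT'
            eval ovpn_start='$OPENVPN_'$ovpn_idx'_START'
            eval ovpn_type='$OPENVPN_'$ovpn_idx'_TYPE'
            eval ovpn_verbose='$OPENVPN_'$ovpn_idx'_VERBOSE'
            eval ovpn_mute_replay_warnings='$OPENVPN_'$ovpn_idx'_MUTE_REPLAY_WARNINGS'

            # fall back to the global defaults for everything the peer left empty
            : ${ovpn_compress:=$OPENVPN_DEFAULT_COMPRESS}
            : ${ovpn_create_secret:=$OPENVPN_DEFAULT_CREATE_SECRET}
            : ${ovpn_digest:=$OPENVPN_DEFAULT_DIGEST}
            : ${ovpn_float:=$OPENVPN_DEFAULT_FLOAT}
            : ${ovpn_openport:=$OPENVPN_DEFAULT_OPEN_OVPNPORT}
            : ${ovpn_ping:=$OPENVPN_DEFAULT_PING}
            : ${ovpn_protocol:=$OPENVPN_DEFAULT_PROTOCOL}
            : ${ovpn_restart:=$OPENVPN_DEFAULT_RESTART}
            : ${ovpn_start:=$OPENVPN_DEFAULT_START}
            : ${ovpn_verbose:=$OPENVPN_DEFAULT_VERBOSE}
            : ${ovpn_keysize:=$OPENVPN_DEFAULT_KEYSIZE}
            : ${ovpn_cipher:=$OPENVPN_DEFAULT_CIPHER}
            : ${ovpn_shaper:=$OPENVPN_DEFAULT_SHAPER}
            : ${ovpn_mssfix:=$OPENVPN_DEFAULT_MSSFIX}
            : ${ovpn_fragment:=$OPENVPN_DEFAULT_FRAGMENT}
            : ${ovpn_tun_mtu_extra:=$OPENVPN_DEFAULT_TUN_MTU_EXTRA}
            # management port 0: the port actually used is published via
            # management-writeport (see the conf below) and read by ovpnctrl
            : ${ovpn_mport:=0}
            : ${ovpn_mlogcache:=$OPENVPN_DEFAULT_MANAGEMENT_LOG_CACHE}
            : ${ovpn_pf_dmz_type:=$OPENVPN_DEFAULT_PF_DMZ_TYPE}
            : ${ovpn_pf_input_log:=$OPENVPN_DEFAULT_PF_INPUT_LOG}
            : ${ovpn_pf_input_policy:=$OPENVPN_DEFAULT_PF_INPUT_POLICY}
            : ${ovpn_pf_forward_log:=$OPENVPN_DEFAULT_PF_FORWARD_LOG}
            : ${ovpn_pf_forward_policy:=$OPENVPN_DEFAULT_PF_FORWARD_POLICY}
            : ${ovpn_mute_replay_warnings:=$OPENVPN_DEFAULT_MUTE_REPLAY_WARNINGS}

            # with a list of alternative remote hosts don't wait forever on
            # one unresolvable name
            eval ovpn_rhosts='$OPENVPN_'$ovpn_idx'_REMOTE_HOSTS_N'
            if [ 0$ovpn_rhosts -gt 0 ]
            then
                : ${ovpn_resolv_retry:=30}
            else
                : ${ovpn_resolv_retry:=$OPENVPN_DEFAULT_RESOLV_RETRY}
            fi
            : ${ovpn_ping_restart:=$OPENVPN_DEFAULT_PING_RESTART}
            # apply the MTU defaults only if the peer set neither of the two
            if [ -z "$ovpn_link_mtu" -a -z "$ovpn_tun_mtu" ]
            then
                : ${ovpn_link_mtu:=$OPENVPN_DEFAULT_LINK_MTU}
                : ${ovpn_tun_mtu:=$OPENVPN_DEFAULT_TUN_MTU}
            fi

            mkdir -p $OVPN_VAR/$ovpn_name
            # raw-up restart over ISDN: publish the pid file for the circuit hook
            [ "$ovpn_restart" = raw-up -a "$ovpn_isdn_circ_name" ] && echo "$OVPN_VAR/$ovpn_name/pid" >$OVPN_CFG/isdnraw.$ovpn_isdn_circ_name

            # static part of the peer configuration (static-key mode: `secret`).
            # mlock keeps key material out of swap (needs the ulimit -l above).
            # The management interface listens on loopback only; no management
            # password is configured here, so every local user may talk to it.
            cat <<EOF >$ovpn_name.conf
cipher $ovpn_cipher
auth $ovpn_digest
ping-timer-rem
lport $ovpn_lport
secret $OVPN_CFG/$ovpn_secret
proto $ovpn_protocol
verb $ovpn_verbose
resolv-retry $ovpn_resolv_retry
writepid $OVPN_VAR/$ovpn_name/pid
persist-key
persist-tun
persist-local-ip
mlock
remote-random
status $OVPN_VAR/$ovpn_name/status 15
status-version 1
mtu-disc yes
management 127.0.0.1 $ovpn_mport
management-log-cache $ovpn_mlogcache
management-writeport $OVPN_VAR/$ovpn_name/mport
EOF
            # 2.1 refuses to run the up/down scripts and plugins without this
            case $OPENVPN_VERSION in
            2.0) ;;
            2.1)
                cat <<EOF >>$ovpn_name.conf
script-security 2
EOF
                ;;
            esac

            # variable part of the configuration; everything echoed inside
            # this group lands in $ovpn_name.conf (the ip-up snippet near the
            # end is redirected separately into $OVPN_IPUP)
            {
                if [ "$OPENVPN_DEFAULT_PERSIST_REMOTE_IP" = "yes" -a "$ovpn_remote_host" ]
                then
                    echo "persist-remote-ip"
                fi
                [ $ovpn_mute_replay_warnings = yes ] && echo "mute-replay-warnings"
                [ "$ovpn_rport" ] && echo "rport $ovpn_rport"
                [ "$ovpn_remote_host" ] && echo "remote $ovpn_remote_host"
                eval ovpn_rhosts='$OPENVPN_'$ovpn_idx'_REMOTE_HOSTS_N'
                [ 0$ovpn_rhosts -eq 0 ] || for ovpn_rdx in `seq 1 $ovpn_rhosts`
                do
                    eval ovpn_tmp='$OPENVPN_'$ovpn_idx'_REMOTE_HOST_'$ovpn_rdx
                    echo "remote $ovpn_tmp"
                done
                [ "$ovpn_local_host" ] && echo "local $ovpn_local_host"
                [ "$ovpn_keysize" ] && echo "keysize $ovpn_keysize"
                # float: accept authenticated packets from a changed peer address
                [ $ovpn_float = yes ] && echo "float"
                [ $ovpn_compress = yes ] && echo "comp-lzo"
                # traffic shaping and fast-io are mutually exclusive
                if [ "$ovpn_shaper" ]
                then
                    echo "shaper $ovpn_shaper"
                elif [ $ovpn_protocol = udp ]
                then
                    echo "fast-io"
                fi
                [ 0"$ovpn_mssfix" -gt 0 ] && echo "mssfix $ovpn_mssfix"
                case $ovpn_protocol in
                udp)
                    # fragment implies a default mssfix unless one was set
                    if [ 0"$ovpn_fragment" -gt 0 ]
                    then
                        echo "fragment $ovpn_fragment"
                        [ -z "$ovpn_mssfix" ] && echo "mssfix"
                    fi
                    ;;
                esac
                [ "$ovpn_tun_mtu" ] && echo "tun-mtu $ovpn_tun_mtu"
                # tap devices carry an ethernet header: reserve room for it
                [ $ovpn_type = bridge ] && : ${ovpn_tun_mtu_extra:=32}
                [ "$ovpn_tun_mtu_extra" ] && echo "tun-mtu-extra $ovpn_tun_mtu_extra"
                [ "$ovpn_link_mtu" ] && echo "link-mtu $ovpn_link_mtu"
                [ $ovpn_ping != off ] && echo "ping $ovpn_ping"
                [ $ovpn_ping_restart != off ] && echo "ping-restart $ovpn_ping_restart"

                # NOTE(review): ovpn_signal_type is computed (SIGHUP for a
                # redirected default route) but the ip-up snippet below still
                # hard-codes "signal SIGUSR1" - confirm which is intended.
                ovpn_signal_type=SIGUSR1
                case $ovpn_type in
                tunnel)
                    echo "dev tun"
                    echo "ifconfig $ovpn_local_vpn_ip $ovpn_remote_vpn_ip"
                    ovpn_default_route=no
                    eval ovpn_rnum='$OPENVPN_'$ovpn_idx'_ROUTE_N'
                    [ 0$ovpn_rnum -eq 0 ] || for ovpn_rdx in `seq 1 $ovpn_rnum`
                    do
                        eval ovpn_tmp='$OPENVPN_'$ovpn_idx'_ROUTE_'$ovpn_rdx
                        case "$ovpn_tmp" in
                        "0.0.0.0/0 "*)
                            # "0.0.0.0/0 <flags>" means redirect-gateway <flags>
                            ovpn_default_route=yes
                            ovpn_signal_type=SIGHUP
                            #ovpn_network=0.0.0.0
                            #ovpn_netmask=0.0.0.0
                            ovpn_redirect_flags=`echo $ovpn_tmp|sed -e 's#0\.0\.0\.0/0 \(.*\)#\1#'`
                            ;;
                        *)
                            ovpn_network=`netcalc network $ovpn_tmp`
                            ovpn_netmask=`netcalc netmask $ovpn_tmp`
                            echo "route $ovpn_network $ovpn_netmask"
                            ;;
                        esac
                    done
                    case "$ovpn_default_route" in
                    yes)
                        echo "redirect-gateway $ovpn_redirect_flags"
                        ;;
                    *)
                        # run the firewall down hook with root privileges via
                        # the down-root plugin, before the device is closed
                        echo "down-pre"
                        echo "plugin /usr/lib/openvpn-down-root.so \"/usr/bin/openvpn_fwrules-helper-down\""
                        #echo "user nobody"
                        #echo "group nogroup"
                        # create chroot jail
                        #mkdir -p $OVPN_VAR/$ovpn_name/chroot
                        #chmod 777 $OVPN_VAR/$ovpn_name/chroot
                        #chown nobody.nogroup $OVPN_VAR/$ovpn_name/chroot
                        #echo "chroot $OVPN_VAR/$ovpn_name/chroot"
                        ;;
                    esac

                    # per-peer packet filter rules, applied by the up hook
                    ovpn_rulefile=$OVPN_VAR/$ovpn_name/fwrules
                    echo "up /usr/bin/openvpn_fwrules-helper-up"
                    ovpn_wpr filter PF_INPUT in-ovpn-$ovpn_name $ovpn_rulefile
                    ovpn_wpr filter PF_FORWARD fw-ovpn-$ovpn_name $ovpn_rulefile
                    ovpn_wpr nat PF_PREROUTING pre-in-ovpn-$ovpn_name $ovpn_rulefile
                    ovpn_wpr nat PF_POSTROUTING post-out-ovpn-$ovpn_name $ovpn_rulefile
                    # a peer-specific policy only needs its own rule when it
                    # differs from the chain default installed above
                    if [ $ovpn_pf_input_policy != $OPENVPN_DEFAULT_PF_INPUT_POLICY ]
                    then
                        echo `ovpn_setup_logging $ovpn_pf_input_policy $ovpn_pf_input_log in-ovpn-$ovpn_name` >> $ovpn_rulefile
                    fi
                    if [ $ovpn_pf_forward_policy != $OPENVPN_DEFAULT_PF_FORWARD_POLICY ]
                    then
                        echo `ovpn_setup_logging $ovpn_pf_forward_policy $ovpn_pf_forward_log fw-ovpn-$ovpn_name` >> $ovpn_rulefile
                    fi
                    # marker file: the up hook treats this peer as DMZ "green"
                    case $ovpn_pf_dmz_type in
                    green) > $OVPN_VAR/$ovpn_name/dmz.green ;;
                    esac
                    # with a redirected default route clamp TCP MSS to the
                    # path MTU so that big segments survive the tunnel
                    case "$ovpn_default_route" in
                    yes)
                        echo "\$IPTABLES -I fw-ovpn-$ovpn_name -o \$dev -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu">>$ovpn_rulefile.up.post
                        ;;
                    esac
                    ;;
                bridge)
                    echo "dev tap"
                    # map the configured bridge name to the real bridge device
                    ovpn_bridge=`cat /var/run/bridge/$ovpn_bridge`
                    ovpn_bridge_up=$OVPN_VAR/$ovpn_name/bridge-up
                    ovpn_bridge_down=$OVPN_VAR/$ovpn_name/bridge-down
                    eval ovpn_cost='$OPENVPN_'$ovpn_idx'_BRIDGE_COST'
                    eval ovpn_priority='$OPENVPN_'$ovpn_idx'_BRIDGE_PRIORITY'
                    echo "up $ovpn_bridge_up"
                    # generated up script: $dev and $tun_mtu are set by openvpn
                    {
                        echo "#!/bin/sh"
                        echo ". /etc/boot.d/network_aliases"
                        echo "ip addr flush dev \$dev"
                        echo "ip link set \$dev mtu \$tun_mtu up"
                        echo "net_alias_add $ovpn_name \$dev"
                        echo "brctl addif $ovpn_bridge \$dev"
                        # FIX: tested $cost / $priority (never set) before
                        [ 0$ovpn_cost -gt 0 ] && echo "brctl setpathcost $ovpn_bridge \$dev $ovpn_cost"
                        [ 0$ovpn_priority -gt 0 ] && echo "brctl setportprio $ovpn_bridge \$dev $ovpn_priority"
                    }>$ovpn_bridge_up
                    chmod 700 $ovpn_bridge_up
                    echo "plugin openvpn-down-root.so \"$ovpn_bridge_down\""
                    {
                        echo "#!/bin/sh"
                        echo ". /etc/boot.d/network_aliases"
                        echo "net_alias_del $ovpn_name"
                    }>$ovpn_bridge_down
                    chmod 700 $ovpn_bridge_down
                    # create chroot jail
                    #mkdir -p $OVPN_VAR/$ovpn_name/chroot
                    #chmod 777 $OVPN_VAR/$ovpn_name/chroot
                    #chown nobody.nogroup $OVPN_VAR/$ovpn_name/chroot
                    #echo "chroot $OVPN_VAR/$ovpn_name/chroot"
                    ;;
                esac

                # restart=ip-up: the daemon is started in management HOLD
                # (see --management-hold below) and released from the ip-up
                # hook, which reads the dynamic management port from mport
                if [ $ip_up_events = yes -a $ovpn_restart = ip-up ]
                then
                    (
                        echo "if [ -f $ovpn_name/pid ]"
                        echo "then"
                        echo "ovpnctrl \"hold off\" \"^SUCCESS:\" 127.0.0.1 \`cat $ovpn_name/mport\`"
                        echo "ovpnctrl \"hold release\" \"^SUCCESS:\" 127.0.0.1 \`cat $ovpn_name/mport\`"
                        echo "ovpnctrl \"signal SIGUSR1\" \"^SUCCESS:\" 127.0.0.1 \`cat $ovpn_name/mport\`"
                        echo "fi"
                    )>>$OVPN_IPUP
                fi
            }>>$ovpn_name.conf

            ovpn_pktflt_src=
            ovpn_pktflt_dst=
            ovpn_pktflt_dev=
            # create packetfilter rules: open the listening port, restricted
            # to the peer address and local device where they are known
            case $ovpn_openport in
            yes)
                case $ovpn_protocol in
                udp) ovpn_pktflt_proto=udp ;;
                *)   ovpn_pktflt_proto=tcp ;;
                esac
                ovpn_pktflt_src="any"
                # netcalc isip returns 1 for a literal ip address (hostnames
                # can't be used in the filter, they stay "any")
                if [ "$ovpn_remote_host" ]
                then
                    netcalc isip $ovpn_remote_host
                    [ $? = 1 ] && ovpn_pktflt_src="$ovpn_remote_host"
                fi
                ovpn_pktflt_dst="any"
                ovpn_pktflt_dev="any"
                if [ "$ovpn_local_host" ]
                then
                    netcalc isip $ovpn_local_host
                    if [ $? = 1 ]
                    then
                        ovpn_pktflt_dst="$ovpn_local_host"
                        # find out device according to the local ip address
                        # (prefer a tun device carrying local and remote ip)
                        ovpn_pktflt_dev=$(ip addr show | grep "inet $ovpn_local_host[ /].*$ovpn_remote_host[ /].*tun" | sed "s/.* \(tun.*\)$/\1/")
                        # find non tun devices, too
                        [ $ovpn_pktflt_dev ] || ovpn_pktflt_dev=$(ip addr show | grep "inet $ovpn_local_host[ /]" | sed "s/.* \([a-z]*[0-9]*\)$/\1/")
                    fi
                fi
                if [ -z "$ovpn_pktflt_dev" ]
                then
                    log_error "Can't determinate device for $ovpn_name, this OpenVPN connection won't work!"
                else
                    add_rule filter in-ovpn-ports "prot:$ovpn_pktflt_proto if:$ovpn_pktflt_dev:any $ovpn_pktflt_src $ovpn_pktflt_dst:$ovpn_lport ACCEPT"
                fi
                ;;
            esac

            # key handling and daemon start; the daemon is only started when
            # the secret is expected to exist already (create_secret=no)
            case $ovpn_create_secret in
            yes)
                # written into $OVPN_CFG (cwd); not covered by the chmod 600
                # above - openvpn is expected to create it with a restrictive
                # mode (TODO confirm for the shipped openvpn version)
                log_info "creating OpenVPN secret $ovpn_secret for $ovpn_name"
                openvpn --genkey --secret $ovpn_secret
                ;;
            webgui)
                log_info "OpenVPN secret $ovpn_secret should be created with webgui for $ovpn_name"
                ;;
            no)
                # FIX: reset per peer; previously a START=isdn peer inherited
                # "--management-hold" from an earlier START=always peer and
                # nothing would ever release that hold
                ovpn_extra_opt=
                ovpn_extra_text=
                case $ovpn_start in
                always)
                    if [ $ip_up_events = yes -a $ovpn_restart = ip-up ]
                    then
                        ovpn_extra_opt="--management-hold"
                        ovpn_extra_text=" in HOLD mode"
                    fi
                    ;;
                isdn)
                    ovpn_extra_text=" (via ISDN link)"
                    ;;
                esac
                case $ovpn_start in
                on-demand)
                    log_info "OpenVPN peer $ovpn_name will be started on-demand"
                    ;;
                *)
                    log_info "starting OpenVPN peer $ovpn_name$ovpn_extra_text"
                    openvpn --config $OVPN_CFG/$ovpn_name.conf --daemon openvpn-$ovpn_name $ovpn_extra_opt
                    ;;
                esac
                ;;
            esac
        done
        ;;
    esac

    # Make entry to menu of httpd
    case $OPT_HTTPD$OPENVPN_WEBGUI in
    yesyes)
        httpd-menu.sh add -p 210 status_OpenVPN.cgi "OpenVPN" '$_MT_stat' openvpn;;
    esac

    end_script
    ;;
esac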