Context Navigation

source: src/router/services/services/openvpn.c @ 18562

Last change on this file since 18562 was 18562, checked in by sash, 15 months ago
ovpn: typos
File size: 13.6 KB

Line
1	/*
2	* openvpn.c
3	*
4	* Copyright (C) 2005 - 2006 Sebastian Gottschall <gottschall@dd-wrt.com
5	*
6	* This program is free software; you can redistribute it and/or
7	* modify it under the terms of the GNU General Public License
8	* as published by the Free Software Foundation; either version 2
9	* of the License.
10	*
11	* This program is distributed in the hope that it will be useful,
12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14	* GNU General Public License for more details.
15	*
16	* You should have received a copy of the GNU General Public License
17	* along with this program; if not, write to the Free Software
18	* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
19	*
20	* $Id:
21	*/
22
23	#include <ctype.h>
24	#include <string.h>
25	#include <stdio.h>
26	#include <stdlib.h>
27	#include <signal.h>
28	#include <bcmnvram.h>
29	#include <bcmutils.h>
30	#include <shutils.h>
31	#include <services.h>
32
33	#ifdef HAVE_OPENVPN
34
35	void start_openvpnserver(void)
36	{
37
38	if (nvram_invmatch("openvpn_enable", "1"))
39	return;
40	mkdir("/tmp/openvpn", 0700);
41	mkdir("/tmp/openvpn/ccd", 0700);
42	write_nvram("/tmp/openvpn/ccd/DEFAULT", "openvpn_ccddef");
43	write_nvram("/tmp/openvpn/dh.pem", "openvpn_dh");
44	write_nvram("/tmp/openvpn/ca.crt", "openvpn_ca");
45	write_nvram("/tmp/openvpn/cert.pem", "openvpn_crt");
46	write_nvram("/tmp/openvpn/ca.crl", "openvpn_crl");
47	write_nvram("/tmp/openvpn/key.pem", "openvpn_key");
48	write_nvram("/tmp/openvpn/ta.key", "openvpn_tlsauth");
49
50	FILE *fp = fopen("/tmp/openvpn/openvpn.conf", "wb");
51	if (fp == NULL)
52	return;
53	if (nvram_invmatch("openvpn_dh", ""))
54	fprintf(fp, "dh /tmp/openvpn/dh.pem\n");
55	if (nvram_invmatch("openvpn_ca", ""))
56	fprintf(fp, "ca /tmp/openvpn/ca.crt\n");
57	if (nvram_invmatch("openvpn_crt", ""))
58	fprintf(fp, "cert /tmp/openvpn/cert.pem\n");
59	if (nvram_invmatch("openvpn_key", ""))
60	fprintf(fp, "key /tmp/openvpn/key.pem\n");
61	//be sure Chris old style config is still working
62	if (nvram_match("openvpn_switch", "1")) {
63	write_nvram("/tmp/openvpn/cert.pem", "openvpn_crt");
64	fprintf(fp, "keepalive 10 120\n"
65	"verb 4\n" "mute 5\n"
66	"log-append /var/log/openvpn\n"
67	"writepid /var/log/openvpnd.pid\n"
68	"management 127.0.0.1 5002\n"
69	"management-log-cache 50\n"
70	"mtu-disc yes\n"
71	"topology subnet\n"
72	"client-config-dir /tmp/openvpn/ccd\n"
73	"script-security 2\n"
74	"port %s\n"
75	"proto %s\n"
76	"cipher %s\n"
77	"auth %s\n", nvram_safe_get("openvpn_port"),
78	nvram_safe_get("openvpn_proto"),
79	nvram_safe_get("openvpn_cipher"),
80	nvram_safe_get("openvpn_auth"));
81	if (nvram_invmatch("openvpn_auth", "none")) //not needed if we have no auth anyway
82	fprintf(fp, "tls-server\n");
83	if (nvram_match("openvpn_dupcn", "1"))
84	fprintf(fp, "duplicate-cn\n");
85	//keep peer ip persistant for x sec. works only when dupcn=off & no proxy mode
86	if (nvram_match("openvpn_dupcn", "0")
87	&& nvram_match("openvpn_proxy", "0"))
88	fprintf(fp,
89	"ifconfig-pool-persist /tmp/openvpn/ip-pool 86400\n");
90	// if (nvram_match("openvpn_certtype", "1")) //server doenst need this
91	// fprintf(fp, "ns-cert-type server\n");
92	if (nvram_match("openvpn_lzo", "1"))
93	fprintf(fp, "comp-lzo yes\n"); //yes/no/adaptive
94	else
95	fprintf(fp, "comp-lzo no\n");
96	if (nvram_match("openvpn_cl2cl", "1"))
97	fprintf(fp, "client-to-client\n");
98	if (nvram_match("openvpn_redirgate", "1"))
99	fprintf(fp, "push \"redirect-gateway def1\"\n");
100	if (nvram_invmatch("openvpn_tlscip", "0"))
101	fprintf(fp, "tls-cipher %s\n",
102	nvram_safe_get("openvpn_tlscip"));
103	if (nvram_match("openvpn_proto", "udp"))
104	fprintf(fp, "fast-io\n"); //experimental!improving CPU efficiency by 5%-10%
105	else //TCP_NODELAY is generally a good latency optimization
106	fprintf(fp, "tcp-nodelay\n");
107	if (nvram_invmatch("openvpn_mtu", ""))
108	fprintf(fp, "tun-mtu %s\n",
109	nvram_safe_get("openvpn_mtu"));
110	if (nvram_invmatch("openvpn_mssfix", "")
111	&& nvram_match("openvpn_proto", "udp")) {
112	fprintf(fp, "mssfix\n"); //fragment==mssfix
113	fprintf(fp, "fragment %s\n",
114	nvram_safe_get("openvpn_mssfix"));
115	}
116	if (nvram_match("openvpn_tuntap", "tun")) {
117	fprintf(fp, "server %s %s\n",
118	nvram_safe_get("openvpn_net"),
119	nvram_safe_get("openvpn_mask"));
120	fprintf(fp, "dev tun0\n");
121	// fprintf(fp, "tun-ipv6\n"); //enable ipv6 support. not supported on server in version 2.1.3
122	} else if (nvram_match("openvpn_tuntap", "tap") &&
123	nvram_match("openvpn_proxy", "0")) {
124	fprintf(fp, "server-bridge %s %s %s %s\n",
125	nvram_safe_get("openvpn_gateway"),
126	nvram_safe_get("openvpn_mask"),
127	nvram_safe_get("openvpn_startip"),
128	nvram_safe_get("openvpn_endip"));
129	fprintf(fp, "dev tap0\n");
130	} else if (nvram_match("openvpn_tuntap", "tap") &&
131	nvram_match("openvpn_proxy", "1") &&
132	nvram_match("openvpn_redirgate", "1"))
133	fprintf(fp, "server-bridge\n" "dev tap0\n");
134	else
135	fprintf(fp, "server-bridge nogw\n" "dev tap0\n");
136	if (strlen(nvram_safe_get("openvpn_tlsauth")) > 0)
137	fprintf(fp, "tls-auth /tmp/openvpn/ta.key 0\n");
138	if (strlen(nvram_safe_get("openvpn_crl")) > 0)
139	fprintf(fp, "crl-verify /tmp/openvpn/ca.crl\n");
140	/* for QOS */
141	if (nvram_invmatch("wshaper_enable", "0"))
142	fprintf(fp, "passtos\n");
143	} else
144	write_nvram("/tmp/openvpn/cert.pem", "openvpn_client");
145
146	fprintf(fp, "%s\n", nvram_safe_get("openvpn_config"));
147	fclose(fp);
148
149	fp = fopen("/tmp/openvpn/route-up.sh", "wb");
150	if (fp == NULL)
151	return;
152	fprintf(fp, "#!/bin/sh\n");
153	#if defined(HAVE_TMK) \|\| defined(HAVE_BKM)
154	char *gpiovpn = nvram_get("gpiovpn");
155	if (gpiovpn != NULL) {
156	fprintf(fp, "gpio enable %s\n", gpiovpn);
157	}
158	#endif
159	//bring up tap interface when choosen
160	if (nvram_match("openvpn_tuntap", "tap")) {
161	fprintf(fp, "brctl addif br0 tap0\n"
162	"ifconfig tap0 0.0.0.0 promisc up\n"
163	"stopservice wshaper\n"
164	"startservice wshaper\n");
165	}
166	fprintf(fp, "startservice set_routes\n");
167	fclose(fp);
168
169	fp = fopen("/tmp/openvpn/route-down.sh", "wb");
170	if (fp == NULL)
171	return;
172	fprintf(fp, "#!/bin/sh\n");
173	#if defined(HAVE_TMK) \|\| defined(HAVE_BKM)
174	if (gpiovpn != NULL)
175	fprintf(fp, "gpio disable %s\n", gpiovpn);
176	#endif
177	if (nvram_match("openvpn_tuntap", "tap")) {
178	fprintf(fp, "brctl delif br0 tap0\n" "ifconfig tap0 down\n");
179	}
180	fclose(fp);
181
182	chmod("/tmp/openvpn/route-up.sh", 0700);
183	chmod("/tmp/openvpn/route-down.sh", 0700);
184	eval("ln", "-s", "/usr/sbin/openvpn", "/tmp/openvpnserver");
185
186	if (nvram_match("use_crypto", "1"))
187	eval("/tmp/openvpnserver", "--config",
188	"/tmp/openvpn/openvpn.conf", "--route-up",
189	"/tmp/openvpn/route-up.sh", "--down-pre",
190	"/tmp/openvpn/route-down.sh", "--daemon", "--engine",
191	"cryptodev");
192	else
193	eval("/tmp/openvpnserver", "--config",
194	"/tmp/openvpn/openvpn.conf", "--route-up",
195	"/tmp/openvpn/route-up.sh", "--down-pre",
196	"/tmp/openvpn/route-down.sh", "--daemon");
197
198	eval("stopservice", "wshaper");
199	eval("startservice", "wshaper");
200	}
201
202	void stop_openvpnserver(void)
203	{
204	#if defined(HAVE_TMK) \|\| defined(HAVE_BKM)
205	char *gpiovpn = nvram_get("gpiovpn");
206	if (gpiovpn != NULL) {
207	set_gpio(atoi(gpiovpn), 0);
208	}
209	#endif
210	stop_process("openvpnserver", "OpenVPN daemon (Server)");
211
212	eval("stopservice", "wshaper");
213	eval("startservice", "wshaper");
214
215	return;
216	}
217
218	void start_openvpnserverwan(void)
219	{
220	if (nvram_match("openvpn_onwan", "1"))
221	start_openvpnserver();
222	return;
223	}
224
225	void stop_openvpnserverwan(void)
226	{
227	if (nvram_match("openvpn_onwan", "1"))
228	stop_openvpnserver();
229	return;
230	}
231
232	void start_openvpnserversys(void)
233	{
234	if (nvram_match("openvpn_onwan", "0"))
235	start_openvpnserver();
236	return;
237	}
238
239	void stop_openvpnserversys(void)
240	{
241	if (nvram_match("openvpn_onwan", "0"))
242	stop_openvpnserver();
243	return;
244	}
245
246	void start_openvpn(void)
247	{
248	if (nvram_invmatch("openvpncl_enable", "1"))
249	return;
250	mkdir("/tmp/openvpncl", 0700);
251	write_nvram("/tmp/openvpncl/ca.crt", "openvpncl_ca");
252	write_nvram("/tmp/openvpncl/client.crt", "openvpncl_client");
253	write_nvram("/tmp/openvpncl/client.key", "openvpncl_key");
254	write_nvram("/tmp/openvpncl/ta.key", "openvpncl_tlsauth");
255	chmod("/tmp/openvpn/client.key", 0600);
256
257	FILE *fp = fopen("/tmp/openvpncl/openvpn.conf", "wb");
258	if (fp == NULL)
259	return;
260	if (nvram_invmatch("openvpncl_ca", ""))
261	fprintf(fp, "ca /tmp/openvpncl/ca.crt\n");
262	if (nvram_invmatch("openvpncl_client", ""))
263	fprintf(fp, "cert /tmp/openvpncl/client.crt\n");
264	if (nvram_invmatch("openvpncl_key", ""))
265	fprintf(fp, "key /tmp/openvpncl/client.key\n");
266	fprintf(fp,
267	"management 127.0.0.1 5001\n"
268	"management-log-cache 50\n"
269	"verb 4\n" "mute 5\n"
270	"log-append /var/log/openvpncl\n"
271	"writepid /var/log/openvpncl.pid\n"
272	"client\n"
273	"resolv-retry infinite\n"
274	"nobind\n" "persist-key\n" "persist-tun\n"
275	"script-security 2\n" "mtu-disc yes\n");
276	fprintf(fp, "dev %s1\n", nvram_safe_get("openvpncl_tuntap"));
277	fprintf(fp, "proto %s\n", nvram_safe_get("openvpncl_proto"));
278	fprintf(fp, "cipher %s\n", nvram_safe_get("openvpncl_cipher"));
279	fprintf(fp, "auth %s\n", nvram_safe_get("openvpncl_auth"));
280	fprintf(fp, "remote %s %s\n",
281	nvram_safe_get("openvpncl_remoteip"),
282	nvram_safe_get("openvpncl_remoteport"));
283	if (nvram_invmatch("openvpncl_auth", "none")) //not needed if we have no auth anyway
284	fprintf(fp, "tls-client\n");
285	if (nvram_invmatch("openvpncl_mtu", ""))
286	fprintf(fp, "tun-mtu %s\n", nvram_safe_get("openvpncl_mtu"));
287	if (nvram_invmatch("openvpncl_mssfix", "")
288	&& nvram_match("openvpn_proto", "udp")) {
289	fprintf(fp, "mssfix\n"); //fragment=mssfix
290	fprintf(fp, "fragment %s\n",
291	nvram_safe_get("openvpncl_mssfix"));
292	}
293	if (nvram_match("openvpncl_lzo", "1"))
294	fprintf(fp, "comp-lzo adaptive\n");
295	else
296	fprintf(fp, "comp-lzo no\n");
297	if (nvram_match("openvpncl_certtype", "1"))
298	fprintf(fp, "ns-cert-type server\n");
299	if (nvram_match("openvpncl_proto", "udp"))
300	fprintf(fp, "fast-io\n"); //experimental!improving CPU efficiency by 5%-10%
301	// if (nvram_match("openvpncl_tuntap", "tun"))
302	// fprintf(fp, "tun-ipv6\n"); //enable ipv6 support. not supported on server in version 2.1.3
303	if (strlen(nvram_safe_get("openvpncl_tlsauth")) > 0)
304	fprintf(fp, "tls-auth /tmp/openvpncl/ta.key 1\n");
305	if (nvram_invmatch("openvpncl_tlscip", "0"))
306	fprintf(fp, "tls-cipher %s\n",
307	nvram_safe_get("openvpncl_tlscip"));
308	/* for QOS */
309	if (nvram_invmatch("wshaper_enable", "0"))
310	fprintf(fp, "passtos\n");
311
312	fprintf(fp, "%s\n", nvram_safe_get("openvpncl_config"));
313	fclose(fp);
314	fp = fopen("/tmp/openvpncl/route-up.sh", "wb");
315	if (fp == NULL) {
316	return;
317	}
318	fprintf(fp, "#!/bin/sh\n");
319	//bridge tap interface to br0 when choosen
320	if (nvram_match("openvpncl_tuntap", "tap")
321	&& nvram_match("openvpncl_bridge", "1")
322	&& nvram_match("openvpncl_nat", "0")) {
323	fprintf(fp, "brctl addif br0 tap1\n"
324	"ifconfig tap1 0.0.0.0 promisc up\n"
325	"stopservice wshaper\n"
326	"startservice wshaper\n");
327	} else {
328	if (nvram_match("openvpncl_tuntap", "tap")
329	&& strlen(nvram_safe_get("openvpncl_ip")) > 0)
330	fprintf(fp, "ifconfig tap1 %s netmask %s up\n",
331	nvram_safe_get("openvpncl_ip"),
332	nvram_safe_get("openvpncl_mask"));
333	}
334	if (nvram_match("openvpncl_nat", "1"))
335	fprintf(fp,
336	"iptables -I POSTROUTING -t nat -o %s1 -j MASQUERADE\n",
337	nvram_safe_get("openvpncl_tuntap"));
338	else {
339	fprintf(fp,
340	"iptables -I FORWARD -i %s1 -j logaccept\n",
341	"iptables -I FORWARD -o %s1 -j logaccept\n",
342	nvram_safe_get("openvpncl_tuntap"),
343	nvram_safe_get("openvpncl_tuntap"));
344	}
345	if (strlen(nvram_safe_get("openvpncl_route")) > 0) { //policy based routing
346	write_nvram("/tmp/openvpncl/policy_ips", "openvpncl_route");
347	fprintf(fp, "ip route add default via %s table 10\n",
348	nvram_safe_get("wan_gateway"));
349	//sort -r /var/log/openvpncl \|grep gateway
350	fprintf(fp,
351	"for IP in `cat /tmp/openvpncl/policy_ips` ; do\n"
352	" ip rule add from $IP table 10\n" "done\n");
353	}
354	fclose(fp);
355	fp = fopen("/tmp/openvpncl/route-down.sh", "wb");
356	if (fp == NULL)
357	return;
358	fprintf(fp, "#!/bin/sh\n");
359	if (nvram_match("openvpncl_tuntap", "tap")
360	&& nvram_match("openvpncl_bridge", "1")
361	&& nvram_match("openvpncl_nat", "0"))
362	fprintf(fp, "brctl delif br0 tap1\n" "ifconfig tap1 down\n");
363	else if (nvram_match("openvpncl_tuntap", "tap")
364	&& strlen(nvram_safe_get("openvpn_ip")) > 0)
365	fprintf(fp, "ifconfig tap1 down\n");
366	if (nvram_match("openvpncl_nat", "1"))
367	fprintf(fp,
368	"iptables -D POSTROUTING -t nat -o %s1 -j MASQUERADE\n",
369	nvram_safe_get("openvpncl_tuntap"));
370	else {
371	fprintf(fp,
372	"iptables -D FORWARD -i %s1 -j logaccept\n",
373	"iptables -D FORWARD -o %s1 -j logaccept\n",
374	nvram_safe_get("openvpncl_tuntap"),
375	nvram_safe_get("openvpncl_tuntap"));
376	}
377	if (strlen(nvram_safe_get("openvpncl_route")) > 0) { //policy based routing
378	write_nvram("/tmp/openvpncl/policy_ips", "openvpncl_route");
379	fprintf(fp, "ip route del default via %s table 10\n",
380	nvram_safe_get("wan_gateway"));
381	fprintf(fp,
382	"for IP in `cat /tmp/openvpn/policy_ips` ; do\n"
383	" ip rule del from $IP table 10\n" "done\n");
384	}
385	fclose(fp);
386
387	chmod("/tmp/openvpncl/route-up.sh", 0700);
388	chmod("/tmp/openvpncl/route-down.sh", 0700);
389
390	if (nvram_match("use_crypto", "1"))
391	eval("openvpn", "--config",
392	"/tmp/openvpncl/openvpn.conf", "--route-up",
393	"/tmp/openvpn/route-up.sh", "--down-pre",
394	"/tmp/openvpn/route-down.sh", "--daemon",
395	"--engine", "cryptodev");
396	else
397	eval("openvpn", "--config",
398	"/tmp/openvpncl/openvpn.conf", "--route-up",
399	"/tmp/openvpncl/route-up.sh", "--down-pre",
400	"/tmp/openvpncl/route-down.sh", "--daemon");
401
402	eval("stopservice", "wshaper");
403	eval("startservice", "wshaper");
404
405	return;
406	}
407
408	void stop_openvpn(void)
409	{
410	stop_process("openvpn", "OpenVPN daemon (Client)");
411
412	eval("stopservice", "wshaper");
413	eval("startservice", "wshaper");
414	}
415
416	void stop_openvpn_wandone(void)
417	{
418	if (nvram_invmatch("openvpncl_enable", "1"))
419	return;
420	stop_process("openvpn", "OpenVPN daemon (Client)");
421	}
422
423	#endif

Note: See TracBrowser for help on using the repository browser.

Download in other formats: