commit e201d0a9b0c059f23eb9750f383fc2a5f331663e Author: Daniel Berteaud Date: Fri May 24 15:38:55 2013 +0200 FIrst commit
diff --git a/createlinks b/createlinks
new file mode 100644
index 0000000..52d71a0
--- /dev/null
+++ b/createlinks
@@ -0,0 +1,31 @@
+#!/usr/bin/perl -w
+
+use esmith::Build::CreateLinks qw(:all);
+
+safe_symlink("restart", "root/etc/e-smith/events/openvpn-routed-update/services2adjust/openvpn-routed");
+safe_symlink("restart", "root/etc/e-smith/events/network-create/services2adjust/openvpn-routed");
+safe_symlink("restart", "root/etc/e-smith/events/network-delete/services2adjust/openvpn-routed");
+
+service_link_enhanced("openvpn-routed", "S80", "7");
+service_link_enhanced("openvpn-routed", "K25", "6");
+service_link_enhanced("openvpn-routed", "K25", "0");
+
+safe_symlink("../daemontools" , 'root/etc/rc.d/init.d/supervise/openvpn-routed');
+safe_symlink("/var/service/openvpn-routed" , 'root/service/openvpn-routed');
+
+safe_touch("root/var/service/openvpn-routed/down");
+
+#panel_link("openvpnrouted", 'manager');
+
+templates2events("/etc/openvpn/routed/openvpn.conf", "openvpn-routed-update");
+
+templates2events("/etc/openvpn/routed/management-pass.txt", qw(openvpn-routed-update bootstrap-console-save));
+templates2events("/etc/openvpn/routed/openvpn.conf", qw(openvpn-routed-update bootstrap-console-save network-create network-delete));
+templates2events("/etc/crontab", qw(openvpn-routed-update));
+
+#event_link("openvpn-routed-reload-ccd", "openvpn-routed-update", "20");
+event_link("openvpn-routed-update-crl", "openvpn-routed-update", "30");
+event_link("openvpn-routed-delete-net", "openvpn-routed-update", "40");
+#event_link("openvpn-routed-reload-ccd", "openvpn-routed-reload-ccd", "20");
+event_link("openvpn-routed-update-crl", "openvpn-routed-reload-ccd", "30");
+
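Review bot: The first `templates2events("/etc/openvpn/routed/openvpn.conf", "openvpn-routed-update");` is redundant with the later call that already lists `openvpn-routed-update` among the events for the same template; drop the first so the event list for openvpn.conf is kept in one place. The last `event_link` attaches `openvpn-routed-update-crl` to an `openvpn-routed-reload-ccd` event while both links for the reload-ccd action itself are commented out, so nothing in this commit appears to create or signal that event; if it is reserved for a later commit, a comment saying so would avoid confusion. The openvpn.conf template also interpolates `$DomainName` and `$LocalIP` (60options) but no `templates2events` here ties it to a domain or IP change, which is worth checking against the events e-smith-base signals for those changes.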
diff --git a/root/etc/e-smith/db/configuration/defaults/openvpn-routed/UDPPort b/root/etc/e-smith/db/configuration/defaults/openvpn-routed/UDPPort
new file mode 100644
index 0000000..9f6bb62
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/openvpn-routed/UDPPort
@@ -0,0 +1 @@
+1194
diff --git a/root/etc/e-smith/db/configuration/defaults/openvpn-routed/access b/root/etc/e-smith/db/configuration/defaults/openvpn-routed/access
new file mode 100644
index 0000000..a48cf0d
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/openvpn-routed/access
@@ -0,0 +1 @@
+public
diff --git a/root/etc/e-smith/db/configuration/defaults/openvpn-routed/status b/root/etc/e-smith/db/configuration/defaults/openvpn-routed/status
new file mode 100644
index 0000000..86981e6
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/openvpn-routed/status
@@ -0,0 +1 @@
+enabled
diff --git a/root/etc/e-smith/db/configuration/defaults/openvpn-routed/type b/root/etc/e-smith/db/configuration/defaults/openvpn-routed/type
new file mode 100644
index 0000000..24e1098
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/openvpn-routed/type
@@ -0,0 +1 @@
+service
diff --git a/root/etc/e-smith/db/configuration/migrate/50openvpn-routed-management-pass b/root/etc/e-smith/db/configuration/migrate/50openvpn-routed-management-pass
new file mode 100644
index 0000000..9956c65
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/migrate/50openvpn-routed-management-pass
@@ -0,0 +1,9 @@
+{
+ my $openvpn = $DB->get('openvpn-routed') || $DB->new_record('openvpn-routed', {type => 'service'});
+ my $management = $openvpn->prop('ManagementPassword') || '';
+ return "" if ($management ne '');
+
+ # Generate a random password
+ $pass=`/usr/bin/openssl rand -base64 20 | tr -c -d '[:alnum:]'`;
+ $openvpn->set_prop('ManagementPassword',"$pass");
+}
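Review bot: In the migrate fragment `50openvpn-routed-management-pass`, `$pass` is assigned without `my` and the backtick pipeline's result is stored unchecked, so if `/usr/bin/openssl` or `tr` fails the record ends up with an empty `ManagementPassword` — which the `ne ''` guard treats as unset on the next run, and which the `management-pass.txt/10All` template meanwhile replaces with its fixed fallback. Declare the variable with `my` on the backtick line and bail out before storing a bad value: `return "" if ($? != 0 || $pass eq '');` followed by `$openvpn->set_prop('ManagementPassword', $pass);`. The four one-line DB defaults on this line need no change.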
diff --git a/root/etc/e-smith/events/actions/openvpn-routed-delete-net b/root/etc/e-smith/events/actions/openvpn-routed-delete-net
new file mode 100644
index 0000000..778b7f3
--- /dev/null
+++ b/root/etc/e-smith/events/actions/openvpn-routed-delete-net
@@ -0,0 +1,45 @@
+#!/usr/bin/perl -w
+
+#----------------------------------------------------------------------
+# copyright (C) 2013 Firewall Services
+# Daniel Berteaud
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#----------------------------------------------------------------------
+
+use strict;
+use esmith::ConfigDB;
+use esmith::NetworksDB;
+use esmith::event;
+
+my $c = esmith::ConfigDB->open_ro || die "Couldn't open config db\n";
+my $n = esmith::NetworksDB->open || die "Couldn't open netwoks db\n";
+my @nets = $n->networks;
+my $net = ${'openvpn-routed'}{Network} || '192.168.29.0/255.255.255.0';
+my ($vpnnet,$mask) = split /\//, $net;
+
+foreach my $net (@nets){
+ my $key = $net->key;
+ my $vpn = $n->get_prop($key,"VPNRouted") || '';
+
+ if ($vpn eq 'yes'){
+ unless ($key eq $vpnnet){
+ $n->set_prop($key, type=>'network-deleted');
+ event_signal("network-delete","$key");
+ $n->get($key)->delete;
+ }
+ }
+}
+
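Review bot: `${'openvpn-routed'}{Network}` on the `my $net = …` line is the hash the template engine provides; this is a stand-alone action under `use strict`, where no such hash is populated from the configuration DB, so the lookup either dies as a symbolic reference under strict refs or at best always yields the `192.168.29.0` fallback, and `$c`, opened on the line above, is never used. Read it through the handle that is already open: `my $net = $c->get_prop('openvpn-routed', 'Network') || '192.168.29.0/255.255.255.0';`. Getting the exclusion right matters because the loop below marks every other `VPNRouted=yes` network as `network-deleted`, signals `network-delete` for it and removes it. Minor: the die message reads `netwoks`, and `foreach my $net (@nets)` reuses the outer `$net` name for a different kind of value, which reads confusingly even though the scopes are distinct.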
diff --git a/root/etc/e-smith/events/actions/openvpn-routed-update-crl b/root/etc/e-smith/events/actions/openvpn-routed-update-crl
new file mode 100644
index 0000000..6327aa6
--- /dev/null
+++ b/root/etc/e-smith/events/actions/openvpn-routed-update-crl
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+URL=$(/sbin/e-smith/db configuration getprop openvpn-routed CrlUrl)
+DOMAIN=$(/sbin/e-smith/db configuration get DomainName)
+
+/usr/bin/wget $URL -O /tmp/cacrl.pem > /dev/null 2>&1
+
+/usr/bin/openssl crl -inform PEM -in /tmp/cacrl.pem -text > /dev/null 2>&1
+
+if [ "$?" -eq "0" ]; then
+ /bin/mv -f /tmp/cacrl.pem /etc/openvpn/routed/pub/cacrl.pem > /dev/null 2>&1
+else
+ cat > /tmp/crlmail <> /tmp/crlmail
+ mail -s 'CRL update failed' admin@$DOMAIN < /tmp/crlmail
+fi
+
+rm -f /tmp/cacrl.pem
+rm -f /tmp/crlmail
diff --git a/root/etc/e-smith/templates/etc/crontab/openvpn-routed-crl b/root/etc/e-smith/templates/etc/crontab/openvpn-routed-crl
new file mode 100644
index 0000000..bb45375
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/crontab/openvpn-routed-crl
@@ -0,0 +1,7 @@
+{
+my $url = ${'openvpn-routed'}{'CrlUrl'} || '';
+if ($url =~ /^http(s)?:\/\/.*$/){
+ $OUT .= "# Update OpenVPN routed CRL\n";
+ $OUT .= "5 * * * * root /etc/e-smith/events/actions/openvpn-routed-update-crl 2>&1 /dev/null\n";
+}
+}
diff --git a/root/etc/e-smith/templates/etc/openvpn/routed/management-pass.txt/10All b/root/etc/e-smith/templates/etc/openvpn/routed/management-pass.txt/10All
new file mode 100644
index 0000000..ba32597
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/management-pass.txt/10All
@@ -0,0 +1,4 @@
+{
+ my $pass = ${'openvpn-routed'}{'ManagementPassword'} || 'secret';
+ $OUT = "$pass";
+}
diff --git a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/10dev b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/10dev
new file mode 100644
index 0000000..f938443
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/10dev
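Review bot: The downloaded CRL is only checked for being parseable PEM (`openssl crl … -text`), not for being signed by the CA it will be enforced against, so anything served at `CrlUrl` — or substituted on the way when the URL is plain `http` — that parses as a CRL replaces `pub/cacrl.pem`; verify the signature with `-CAfile /etc/openvpn/routed/pub/cacert.pem`, the CA the 30cert template configures. The script also writes the fixed paths `/tmp/cacrl.pem` and `/tmp/crlmail` as root, a predictable-tempfile pattern; use `mktemp`, clean up through `trap`, and chmod the verified file to 0644 before moving it since the chrooted `openvpn` user must still be able to read it. `$URL` is unquoted on the wget line, and the `cat > /tmp/crlmail <> /tmp/crlmail` line looks garbled in this rendering (the hunk header declares 28 lines, fewer are visible), so the heredoc that builds the mail body should be re-checked in the original file.
```shell
URL=$(/sbin/e-smith/db configuration getprop openvpn-routed CrlUrl)
DOMAIN=$(/sbin/e-smith/db configuration get DomainName)
CA=/etc/openvpn/routed/pub/cacert.pem

TMPCRL=$(mktemp /tmp/cacrl.XXXXXX) || exit 1
TMPMAIL=$(mktemp /tmp/crlmail.XXXXXX) || exit 1
trap 'rm -f "$TMPCRL" "$TMPMAIL"' EXIT

# Accept the new CRL only if it parses AND verifies against our own CA
/usr/bin/wget -q "$URL" -O "$TMPCRL" && \
/usr/bin/openssl crl -inform PEM -in "$TMPCRL" -noout -CAfile "$CA" > /dev/null 2>&1

if [ "$?" -eq "0" ]; then
    /bin/chmod 0644 "$TMPCRL" && \
    /bin/mv -f "$TMPCRL" /etc/openvpn/routed/pub/cacrl.pem > /dev/null 2>&1
else
    # … unchanged: build the failure mail in "$TMPMAIL" and send it to admin@$DOMAIN …
fi
```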
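Review bot: The cron line in the crontab template redirects wrongly: `2>&1 /dev/null` duplicates stderr onto stdout and then passes `/dev/null` to the action as a positional argument, so nothing is discarded and every run's output still reaches cron mail. Change it to `$OUT .= "5 * * * * root /etc/e-smith/events/actions/openvpn-routed-update-crl > /dev/null 2>&1\n";`. The `http(s)?` test only gates the job on a URL being set; a comment stating whether plain `http` is deliberately allowed for CRL fetches would help the next reader, since the fetched file ends up enforcing certificate revocation.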
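Review bot: In `management-pass.txt/10All` the fallback `'secret'` installs a well-known management password whenever `ManagementPassword` is unset; the same fallback appears in `openvpn.conf/80management` on a later line, where `$pass` is then never used. Since the migrate fragment `50openvpn-routed-management-pass` is responsible for generating the value, an empty property is an error condition rather than something to paper over, and the fallback in both templates should go. The expanded file holds that password in clear, and neither the spec's genfilelist nor a template `PERMS` entry for it is visible in this commit, so its resulting mode also needs confirming — it should not be world-readable.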
@@ -0,0 +1,21 @@
+{
+ my $OUT='';
+ my $protocol = ${'openvpn-routed'}{Protocol} || 'udp';
+ my $port='';
+ if ($protocol eq 'udp'){
+ $port = ${'openvpn-routed'}{UDPPort} || '1194';
+ }
+ if ($protocol eq 'tcp'){
+ $port = ${'openvpn-routed'}{TCPPort} || '1194';
+ $protocol = 'tcp-server';
+ }
+
+$OUT .=<<"HERE";
+
+port $port
+proto $protocol
+dev tunvpn0
+
+HERE
+
+}
diff --git a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/20daemon b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/20daemon
new file mode 100644
index 0000000..915f1ac
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/20daemon
@@ -0,0 +1,5 @@
+user openvpn
+group openvpn
+chroot /etc/openvpn/routed
+persist-key
+persist-tun
diff --git a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/30cert b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/30cert
new file mode 100644
index 0000000..f570af1
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/30cert
@@ -0,0 +1,17 @@
+# Certificates config
+dh pub/dh.pem
+ca pub/cacert.pem
+cert pub/cert.pem
+key priv/key.pem
+tls-server
+
+{
+
+$OUT .= "tls-auth priv/takey.pem 0\n" if
+ (-e "/etc/openvpn/routed/priv/takey.pem" &&
+ !-z "/etc/openvpn/routed/priv/takey.pem");
+
+}
+
+# CRL file for certificates verification
+crl-verify pub/cacrl.pem
diff --git a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/40auth b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/40auth
new file mode 100644
index 0000000..03f38e1
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/40auth
@@ -0,0 +1,9 @@
+{
+ my $userAuth = ${'openvpn-routed'}{Authentication} || 'CrtWithPass';
+ if ($userAuth eq 'CrtWithPass'){
+ my $plugin_dir = (-d "/usr/share/openvpn/plugin/lib") ?
+ '/usr/share/openvpn/plugin/lib':'/usr/lib/openvpn/plugin/lib';
+ $OUT .= "plugin ".$plugin_dir."/openvpn-auth-pam.so login\n";
+ }
+ $OUT .= '';
+}
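Review bot: `my $OUT='';` in the 10dev fragment declares a lexical that shadows the template engine's `$OUT`, so the heredoc is appended to a private variable; the text presumably still reaches the output only because that append is the block's final statement and its value is used as the block's result. Remove the `my $OUT='';` line and append to the engine's `$OUT` like the other fragments do; the same shadowing appears in `90clients` and `95logs` on later lines, and in 90clients the last statement is an `if`, so the result there is not reliable. When `Protocol` is neither `udp` nor `tcp`, `$port` stays empty and the fragment emits a bare `port` directive; a final `else` that falls back to the UDP defaults (or a comment stating the accepted values) would make that explicit.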
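Review bot: `crl-verify pub/cacrl.pem` in 30cert is emitted unconditionally, but nothing in this commit ships a CRL into `pub/` — the file only appears once `openvpn-routed-update-crl` has fetched one, and that job is only scheduled when `CrlUrl` is set (crontab template). If OpenVPN refuses to start without the referenced file, a fresh install with no `CrlUrl` would fail; consider guarding the directive the same way `tls-auth` is guarded with `-e`, or documenting that an initial CRL must be placed in `pub/` by hand. A short comment next to the `tls-auth` test explaining why an empty `takey.pem` is treated as absent (`!-z`) would also help.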
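Review bot: The trailing `$OUT .= '';` in 40auth does nothing and can be dropped. The plugin path probe tests only `/usr/share/openvpn/plugin/lib` and silently falls back to `/usr/lib/openvpn/plugin/lib`, so a missing plugin at both locations produces a config that fails at startup rather than at template time; a comment such as `# PAM plugin location differs between openvpn builds; fall back to /usr/lib` would record the intent.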
diff --git a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/50server b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/50server
new file mode 100644
index 0000000..b286d6a
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/50server
@@ -0,0 +1,6 @@
+{
+ my $net = ${'openvpn-routed'}{'Network'} || '192.168.29.0/255.255.255.0';
+ my ($addr,$mask) = split /\//, $net;
+ $OUT = "server $addr $mask\n";
+}
+topology subnet
diff --git a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options
new file mode 100644
index 0000000..792d1af
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options
@@ -0,0 +1,60 @@
+# Options
+{
+
+my $tunMtu = ${'openvpn-routed'}{Mtu} || '';
+my $fragment = ${'openvpn-routed'}{Fragment};
+my $cipher = ${'openvpn-routed'}{Cipher} || '';
+my $redirectGW = ${'openvpn-routed'}{RedirectGateway} || '';
+my $proto = ${'openvpn-routed'}{Protocol} || 'udp';
+my $duplicate = ${'openvpn-routed'}{DuplicateCN} || 'disabled';
+my $passtos = ${'openvpn-routed'}{PassTOS} || 'enabled';
+my $compress = ${'openvpn-routed'}{Compression} || 'enabled';
+
+if ($proto eq 'tcp'){
+ $mtuTest = 'disabled';
+ $fragment = '';
+}
+
+$OUT .=<<"HERE";
+keepalive 40 180
+push "dhcp-option DOMAIN $DomainName"
+push "dhcp-option DNS $LocalIP"
+push "dhcp-option WINS $LocalIP"
+
+HERE
+
+if ($tunMtu !~ /^\d+$/){
+ $OUT .= "mtu-test\n";
+}
+else{
+ if ($tunMtu ne ''){
+ $OUT .= "tun-mtu $tunMtu\n";
+ }
+}
+
+if (($proto eq 'udp') && ($fragment ne '')){
+ $OUT .= "fragment $fragment\n";
+}
+$OUT .= "mssfix\n";
+
+if ($cipher ne ''){
+ $OUT .= "cipher $cipher\n";
+}
+
+if ($duplicate eq 'enabled'){
+ $OUT .= "duplicate-cn\n";
+}
+
+if ($passtos eq 'enabled'){
+ $OUT .= "passtos\n";
+}
+
+if ($compress eq 'enabled'){
+ $OUT .= "comp-lzo adaptive\n";
+ $OUT .= "push \"comp-lzo adaptive\"\n";
+}
+
+}
+
+nice 5
+
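Review bot: In 60options `$mtuTest = 'disabled';` assigns an undeclared variable that is never read, and `$fragment` is the only property read without a `|| ''` default, so the later `$fragment ne ''` compares against undef when the property is absent; drop the `$mtuTest` line and use `my $fragment = ${'openvpn-routed'}{Fragment} || '';`. `$redirectGW` reads `RedirectGateway` here and is unused, while 70routes (next line) reads `RedirectGW` for the same setting — pick one key name, presumably `RedirectGW` since that is the one actually acted on. `$cipher` and `$tunMtu` come from the DB straight into the config; `$tunMtu` is at least checked with `^\d+$`, but `cipher $cipher` is not, so restrict it to a single token, e.g. `if ($cipher =~ /^[\w-]+$/){`, so that a value containing whitespace cannot turn into additional directives. The `else { if ($tunMtu ne '') … }` branch is unreachable-as-written since `^\d+$` already excludes the empty string.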
diff --git a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/70routes b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/70routes
new file mode 100644
index 0000000..146929c
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/70routes
@@ -0,0 +1,30 @@
+{
+
+my $pushRoutes = ${'openvpn-routed'}{PushLocalNetworks} || 'enabled';
+my $redirectGW = ${'openvpn-routed'}{RedirectGW} || 'disabled';
+
+use esmith::NetworksDB;
+my $ndb = esmith::NetworksDB->open_ro() ||
+ die('Can not open Networks DB');
+
+my @networks = $ndb->networks();
+
+if ($redirectGW eq 'enabled'){
+ $OUT .= "push \"redirect-gateway def1\"\n";
+}
+elsif ($pushRoutes eq 'enabled'){
+ foreach my $network (@networks) {
+ my $route = '';
+ my $addr = $network->key;
+ my $mask = $network->prop('Mask');
+ my $gw = $network->prop('Router') || '';
+ my $vpn = $network->prop('VPN') || '';
+ if ($gw ne '') {
+ $route .= "push \"route $addr $mask";
+ $route .= " $gw" if ($vpn eq '');
+ $OUT .= "$route\"\n";
+ }
+ }
+}
+
+}
diff --git a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/80management b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/80management
new file mode 100644
index 0000000..8e74018
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/80management
@@ -0,0 +1,5 @@
+{
+ my $pass = ${'openvpn-routed'}{'ManagementPassword'} || 'secret';
+ $OUT ="management 127.0.0.1 11195 management-pass.txt\n";
+
+}
diff --git a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/90clients b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/90clients
new file mode 100644
index 0000000..502b409
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/90clients
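Review bot: In 70routes the decision to append the gateway rests on `$network->prop('VPN')`, while every other script in this commit tags VPN networks with `VPNRouted` (`bin/up`, `openvpn-routed-delete-net`); if `VPN` is a flag written by a different package this deserves a comment such as `# networks reached through another VPN have no local gateway to push`, otherwise it should read `VPNRouted`. Networks with no `Router` property are skipped silently, which is presumably the filter for non-routable entries but is not obvious; a one-line comment on the `if ($gw ne '')` test would make the intent clear. `$route` is built up in three steps only to be appended once; a single `$OUT .= "push \"route $addr $mask" . ($vpn eq '' ? " $gw" : '') . "\"\n";` reads more directly.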
@@ -0,0 +1,13 @@
+{
+ my $OUT = '';
+ my $maxClient = ${'openvpn-routed'}{MaxClients} || '';
+ my $configRequired = ${'openvpn-routed'}{ConfigRequired} || 'disabled';
+
+ if ($configRequired eq 'enabled'){
+ $OUT .= 'ccd-exclusive\n';
+ }
+ if ($maxClient =~ /^\d+$/){
+ $OUT .= "max-clients $maxClient\n";
+ }
+}
+client-config-dir ccd
diff --git a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/95logs b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/95logs
new file mode 100644
index 0000000..f942e7d
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/95logs
@@ -0,0 +1,8 @@
+status-version 2
+status bridge-status.txt
+suppress-timestamps
+{
+ my $OUT = '';
+ my $verb = ${'openvpn-routed'}{Verbose} || '3';
+ $OUT .= "verb $verb\n";
+}
diff --git a/root/etc/openvpn/routed/bin/up b/root/etc/openvpn/routed/bin/up
new file mode 100644
index 0000000..267346e
--- /dev/null
+++ b/root/etc/openvpn/routed/bin/up
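Review bot: `$OUT .= 'ccd-exclusive\n';` in 90clients is single-quoted, so the two characters `\n` land in openvpn.conf instead of a newline, producing a directive OpenVPN will most likely reject; it must be `$OUT .= "ccd-exclusive\n";`. Combined with `my $OUT = '';` shadowing the engine's variable and the block ending in an `if`, whether anything from this fragment is emitted at all depends on the value of the last `if`, so drop the `my $OUT = '';` line as well. `ccd-exclusive` is the setting that makes a per-client file mandatory, i.e. it is what turns `ConfigRequired` into an access control, so it is worth a test on a real expansion.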
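Review bot: `status bridge-status.txt` in 95logs names the status file after the bridged variant although this package configures routed mode; `status routed-status.txt` (or any name that does not collide with a bridged instance sharing the chroot) would avoid confusion. `$verb` is interpolated from the DB without a numeric check like the one 90clients applies to `MaxClients`; `$OUT .= "verb $verb\n" if ($verb =~ /^\d+$/);` keeps the two fragments consistent.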
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+#----------------------------------------------------------------------
+# copyright (C) 2010 Firewall Services
+# Daniel Berteaud
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#----------------------------------------------------------------------
+
+net=$(/sbin/e-smith/db configuration getprop openvpn-routed Network)
+addr=${net%%/*}
+mask=${net#*/}
+
+db=$(/sbin/e-smith/db networks getprop $addr RoutedVPN)
+if [ -z $db ]; then
+ /sbin/e-smith/db networks set $addr network Mask $mask VPNRouted yes Removable no
+ /sbin/e-smith/signal-event network-create $addr
+fi
+
diff --git a/root/var/service/openvpn-routed/log/run b/root/var/service/openvpn-routed/log/run
new file mode 100644
index 0000000..0479041
--- /dev/null
+++ b/root/var/service/openvpn-routed/log/run
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+exec \
+ /usr/local/bin/setuidgid smelog \
+ /usr/local/bin/multilog t s5000000 \
+ /var/log/openvpn-routed
diff --git a/root/var/service/openvpn-routed/run b/root/var/service/openvpn-routed/run
new file mode 100644
index 0000000..e78ed1e
--- /dev/null
+++ b/root/var/service/openvpn-routed/run
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+exec 2>&1
+
+exec /usr/sbin/openvpn --config /etc/openvpn/routed/openvpn.conf --cd /etc/openvpn/routed
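Review bot: `bin/up` checks `getprop $addr RoutedVPN` but sets `VPNRouted yes` two lines later, so the guard never sees the value it wrote and the network is re-created and `network-create` re-signalled on every run; change the check to `db=$(/sbin/e-smith/db networks getprop "$addr" VPNRouted)` and quote the test, `if [ -z "$db" ]; then`. Because createlinks attaches a `restart` of `openvpn-routed` to `network-create`, signalling that event from OpenVPN's own `up` hook restarts the daemon that is executing the hook — please confirm this is intended, or move the network creation into the `openvpn-routed-update` action chain. No template in this commit emits an `up` directive pointing at this script (nor a `script-security` level), so it is unclear how it is invoked; a header comment stating who runs it and with which privileges would help.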
diff --git a/smeserver-openvpn-routed.spec b/smeserver-openvpn-routed.spec
new file mode 100644
index 0000000..550bb35
--- /dev/null
+++ b/smeserver-openvpn-routed.spec
@@ -0,0 +1,69 @@
+# Authority: vip-ire
+# Name: Daniel Berteaud
+
+Summary: OpenVPN, a strong VPN solution build over SSL, pre-configured for routed mode
+Name: smeserver-openvpn-routed
+%define version 0.0.1
+%define release 1.beta0
+Version: %{version}
+Release: %{release}%{?dist}
+License: GPL
+Group: Networking/Remote access
+Source: %{name}-%{version}.tar.gz
+
+BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
+BuildArchitectures: noarch
+
+BuildRequires: e-smith-devtools
+
+Requires: e-smith-base
+Requires: openvpn
+#Requires: perl(Net::OpenVPN::Manage)
+
+%description
+This package contains all the needed scripts and templates
+to have a full working openvpn server running in routed mode.
+
+
+%changelog
+* Fri May 24 2013 Daniel Berteaud 0.1.0-1
+- initial release
+
+%prep
+%setup -q -n %{name}-%{version}
+
+%build
+perl createlinks
+
+%{__mkdir_p} root/etc/openvpn/routed/ccd
+%{__mkdir_p} root/etc/openvpn/routed/priv
+%{__mkdir_p} root/etc/openvpn/routed/pub
+%{__mkdir_p} root/etc/openvpn/routed/tmp
+%{__mkdir_p} root/var/log/openvpn-routed
+
+%install
+/bin/rm -rf $RPM_BUILD_ROOT
+(cd root ; /usr/bin/find . -depth -print | /bin/cpio -dump $RPM_BUILD_ROOT)
+/bin/rm -f %{name}-%{version}-filelist
+/sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
+ --file /var/service/openvpn-routed/run 'attr(0755,root,root)' \
+ --file /var/service/openvpn-routed/log/run 'attr(0755,root,root)' \
+ --dir /var/log/openvpn-routed 'attr(0750,smelog,smelog)' \
+ --dir /etc/openvpn/routed/pub 'attr(0755,root,root)' \
+ --dir /etc/openvpn/routed/priv 'attr(0750,root,root)' \
+ --dir /etc/openvpn/routed/ccd 'attr(0755,root,root)' \
+ --dir /etc/openvpn/routed/tmp 'attr(0770,root,openvpn)' \
+ --file /usr/bin/ovpn-routed-update-crl 'attr(0750,root,root)' \
+ > %{name}-%{version}-filelist
+
+%files -f %{name}-%{version}-filelist
+%defattr(-,root,root)
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+
+%post
+
+%preun
+
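Review bot: The genfilelist entry `--file /usr/bin/ovpn-routed-update-crl 'attr(0750,root,root)'` names a path that this commit does not ship — the CRL script lives at `/etc/openvpn/routed/bin/up`'s sibling tree as `/etc/e-smith/events/actions/openvpn-routed-update-crl` — so the attribute is applied to nothing; either drop the line or point it at the real path, and likewise add an entry for `/etc/openvpn/routed/bin/up` if it is meant to be executable. The `%changelog` entry says `0.1.0-1` while `%define version 0.0.1` and `%define release 1.beta0` give `0.0.1-1.beta0`; keep the two in step. `%post` and `%preun` are empty stubs, so a comment stating that the service is handled through the e-smith event links rather than here would prevent someone from adding rc scripting later.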