FIrst commit

tags/0.0.1
Daniel Berteaud 12 years ago
commit e201d0a9b0
  1. 31
      createlinks
  2. 1
      root/etc/e-smith/db/configuration/defaults/openvpn-routed/UDPPort
  3. 1
      root/etc/e-smith/db/configuration/defaults/openvpn-routed/access
  4. 1
      root/etc/e-smith/db/configuration/defaults/openvpn-routed/status
  5. 1
      root/etc/e-smith/db/configuration/defaults/openvpn-routed/type
  6. 9
      root/etc/e-smith/db/configuration/migrate/50openvpn-routed-management-pass
  7. 45
      root/etc/e-smith/events/actions/openvpn-routed-delete-net
  8. 28
      root/etc/e-smith/events/actions/openvpn-routed-update-crl
  9. 7
      root/etc/e-smith/templates/etc/crontab/openvpn-routed-crl
  10. 4
      root/etc/e-smith/templates/etc/openvpn/routed/management-pass.txt/10All
  11. 21
      root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/10dev
  12. 5
      root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/20daemon
  13. 17
      root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/30cert
  14. 9
      root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/40auth
  15. 6
      root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/50server
  16. 60
      root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options
  17. 30
      root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/70routes
  18. 5
      root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/80management
  19. 13
      root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/90clients
  20. 8
      root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/95logs
  21. 31
      root/etc/openvpn/routed/bin/up
  22. 6
      root/var/service/openvpn-routed/log/run
  23. 5
      root/var/service/openvpn-routed/run
  24. 69
      smeserver-openvpn-routed.spec

@ -0,0 +1,31 @@
#!/usr/bin/perl -w
use esmith::Build::CreateLinks qw(:all);
safe_symlink("restart", "root/etc/e-smith/events/openvpn-routed-update/services2adjust/openvpn-routed");
safe_symlink("restart", "root/etc/e-smith/events/network-create/services2adjust/openvpn-routed");
safe_symlink("restart", "root/etc/e-smith/events/network-delete/services2adjust/openvpn-routed");
service_link_enhanced("openvpn-routed", "S80", "7");
service_link_enhanced("openvpn-routed", "K25", "6");
service_link_enhanced("openvpn-routed", "K25", "0");
safe_symlink("../daemontools" , 'root/etc/rc.d/init.d/supervise/openvpn-routed');
safe_symlink("/var/service/openvpn-routed" , 'root/service/openvpn-routed');
safe_touch("root/var/service/openvpn-routed/down");
#panel_link("openvpnrouted", 'manager');
templates2events("/etc/openvpn/routed/openvpn.conf", "openvpn-routed-update");
templates2events("/etc/openvpn/routed/management-pass.txt", qw(openvpn-routed-update bootstrap-console-save));
templates2events("/etc/openvpn/routed/openvpn.conf", qw(openvpn-routed-update bootstrap-console-save network-create network-delete));
templates2events("/etc/crontab", qw(openvpn-routed-update));
#event_link("openvpn-routed-reload-ccd", "openvpn-routed-update", "20");
event_link("openvpn-routed-update-crl", "openvpn-routed-update", "30");
event_link("openvpn-routed-delete-net", "openvpn-routed-update", "40");
#event_link("openvpn-routed-reload-ccd", "openvpn-routed-reload-ccd", "20");
event_link("openvpn-routed-update-crl", "openvpn-routed-reload-ccd", "30");
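Review bot: The first `templates2events("/etc/openvpn/routed/openvpn.conf", "openvpn-routed-update")` is made redundant by the later call that registers the same template for `openvpn-routed-update` together with `bootstrap-console-save`, `network-create` and `network-delete`; drop the first call so the event list for openvpn.conf is defined in one place. The last `event_link` attaches `openvpn-routed-update-crl` to an `openvpn-routed-reload-ccd` event whose only other action is commented out, so either that event is provisioned elsewhere (not visible in this commit) or the link is dead; a one-line comment stating which would help. The script runs with `-w` but no `use strict`, which `perlcritic` flags at severity 5; adding `use strict;` after the shebang costs nothing here.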

@ -0,0 +1,9 @@
{
my $openvpn = $DB->get('openvpn-routed') || $DB->new_record('openvpn-routed', {type => 'service'});
my $management = $openvpn->prop('ManagementPassword') || '';
return "" if ($management ne '');
# Generate a random password
$pass=`/usr/bin/openssl rand -base64 20 | tr -c -d '[:alnum:]'`;
$openvpn->set_prop('ManagementPassword',"$pass");
}
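Review bot: The generated password is stored without checking that the `openssl` pipeline produced anything, so a missing or failing `/usr/bin/openssl` stores an empty `ManagementPassword`, and the management-pass.txt template then falls back to the constant `secret`. Guard the result before writing it: `return "" if $pass !~ /^[[:alnum:]]{16,}$/;` (or at least `return "" if $pass eq '';`) so the fragment retries on the next migration instead of persisting a known value. `$pass` is also never declared; `my $pass = ...` keeps it lexical to the fragment. `-base64 20` with non-alphanumerics stripped yields roughly 27 characters, which is adequate; the check above only confirms the command actually ran.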

@ -0,0 +1,45 @@
#!/usr/bin/perl -w
#----------------------------------------------------------------------
# copyright (C) 2013 Firewall Services
# Daniel Berteaud <daniel@firewall-services.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#----------------------------------------------------------------------
use strict;
use esmith::ConfigDB;
use esmith::NetworksDB;
use esmith::event;
my $c = esmith::ConfigDB->open_ro || die "Couldn't open config db\n";
my $n = esmith::NetworksDB->open || die "Couldn't open netwoks db\n";
my @nets = $n->networks;
my $net = ${'openvpn-routed'}{Network} || '192.168.29.0/255.255.255.0';
my ($vpnnet,$mask) = split /\//, $net;
foreach my $net (@nets){
my $key = $net->key;
my $vpn = $n->get_prop($key,"VPNRouted") || '';
if ($vpn eq 'yes'){
unless ($key eq $vpnnet){
$n->set_prop($key, type=>'network-deleted');
event_signal("network-delete","$key");
$n->get($key)->delete;
}
}
}
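Review bot: `${'openvpn-routed'}{Network}` on the line that sets `$net` is e-smith template syntax, not valid in a standalone script: under `use strict` it is a symbolic reference to a package hash and dies with `Can't use string ("openvpn-routed") as a HASH ref`, so the action aborts before the loop runs. The config DB is already opened as `$c` but never used; read the property through it instead: `my $net = $c->get_prop('openvpn-routed', 'Network') || '192.168.29.0/255.255.255.0';`. That outer `my $net` is then shadowed by the `foreach my $net (@nets)` loop variable, which `-w` warns about; renaming the outer one to `$vpn_net` avoids the confusion. The loop deletes every network flagged `VPNRouted=yes` except the current VPN subnet, so a changed `Network` value removes the old record — presumably the intent, but a comment saying so would help the next reader.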

@ -0,0 +1,28 @@
#!/bin/bash
URL=$(/sbin/e-smith/db configuration getprop openvpn-routed CrlUrl)
DOMAIN=$(/sbin/e-smith/db configuration get DomainName)
/usr/bin/wget $URL -O /tmp/cacrl.pem > /dev/null 2>&1
/usr/bin/openssl crl -inform PEM -in /tmp/cacrl.pem -text > /dev/null 2>&1
if [ "$?" -eq "0" ]; then
/bin/mv -f /tmp/cacrl.pem /etc/openvpn/routed/pub/cacrl.pem > /dev/null 2>&1
else
cat > /tmp/crlmail <<END
An error occured while updating the CRL for OpenVPN-Bridge
because openssl didn't recognize the file as a valid CRL.
Below is the copy of the latest CRL downloaded from
$URL
END
cat /tmp/cacrl.pem >> /tmp/crlmail
mail -s 'CRL update failed' admin@$DOMAIN < /tmp/crlmail
fi
rm -f /tmp/cacrl.pem
rm -f /tmp/crlmail
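Review bot: The downloaded CRL is only parsed (`openssl crl ... -text`) before it replaces `/etc/openvpn/routed/pub/cacrl.pem`; nothing checks that it was signed by the CA, so any well-formed CRL served at `$URL` (which may be plain `http://`) is accepted. Verify the signature against the configured CA before installing it: `/usr/bin/openssl crl -inform PEM -in "$TMP" -CAfile /etc/openvpn/routed/pub/cacert.pem -noout` returns non-zero on a bad signature. The fixed `/tmp/cacrl.pem` and `/tmp/crlmail` paths are written by root in a world-writable directory; `TMP=$(mktemp /tmp/cacrl.XXXXXX)` avoids pre-created or symlinked files, and `$URL` should be quoted when passed to `wget`. The mail body says "OpenVPN-Bridge" although this package configures routed mode, and a failed `wget` is never reported separately from an invalid file.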

@ -0,0 +1,7 @@
{
my $url = ${'openvpn-routed'}{'CrlUrl'} || '';
if ($url =~ /^http(s)?:\/\/.*$/){
$OUT .= "# Update OpenVPN routed CRL\n";
$OUT .= "5 * * * * root /etc/e-smith/events/actions/openvpn-routed-update-crl 2>&1 /dev/null\n";
}
}
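Review bot: The redirection on the crontab line is wrong: `2>&1 /dev/null` sends stderr to stdout and passes `/dev/null` as an argument to the action script, so cron still mails its stdout to root. Use `> /dev/null 2>&1` (or drop the redirection so failures show up in cron mail): `$OUT .= "5 * * * * root /etc/e-smith/events/actions/openvpn-routed-update-crl > /dev/null 2>&1\n";`. The `^http(s)?:\/\/.*$` match is the only thing that enables the job, which is fine, but `.*` accepts embedded whitespace; since the URL is later interpolated unquoted into a `wget` command line, matching `\S+` instead of `.*` is a cheap hardening.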

@ -0,0 +1,4 @@
{
my $pass = ${'openvpn-routed'}{'ManagementPassword'} || 'secret';
$OUT = "$pass";
}
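Review bot: Falling back to `'secret'` when `ManagementPassword` is unset writes a publicly known password into the file that protects the OpenVPN management interface. If the migrate fragment that generates the password did not run or stored an empty value, the interface on 127.0.0.1:11195 is then protected by a guessable credential; prefer refusing to emit a constant (e.g. `die "ManagementPassword is not set\n"`, which e-smith reports as a template error) so the problem is visible rather than masked. This commit carries no template metadata for the file, so its mode cannot be confirmed here; it should be installed 0600 root-owned since it sits in the OpenVPN chroot directory. The same fallback appears in the 80management fragment, where the value is read but unused.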

@ -0,0 +1,21 @@
{
my $OUT='';
my $protocol = ${'openvpn-routed'}{Protocol} || 'udp';
my $port='';
if ($protocol eq 'udp'){
$port = ${'openvpn-routed'}{UDPPort} || '1194';
}
if ($protocol eq 'tcp'){
$port = ${'openvpn-routed'}{TCPPort} || '1194';
$protocol = 'tcp-server';
}
$OUT .=<<"HERE";
port $port
proto $protocol
dev tunvpn0
HERE
}
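Review bot: `my $OUT = '';` on the second line declares a lexical that shadows the template engine's `$OUT`, so the fragment's text only reaches the output because its last statement happens to be the `.=` whose value Text::Template uses as the fragment result. That is fragile: the same pattern in the 90clients and 95logs fragments relies on the last expression too, and in 90clients a false final `if` discards everything appended earlier. Remove the `my` declaration (the other fragments in this commit append to the shared `$OUT` directly) so the output is carried by `$OUT` itself. The `udp`/`tcp` branches are mutually exclusive and any other `Protocol` value leaves `$port` empty, producing `port ` with no value; a `die` or a fallback to `udp` for unknown values would fail loudly instead.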

@ -0,0 +1,5 @@
user openvpn
group openvpn
chroot /etc/openvpn/routed
persist-key
persist-tun

@ -0,0 +1,17 @@
# Certificates config
dh pub/dh.pem
ca pub/cacert.pem
cert pub/cert.pem
key priv/key.pem
tls-server
{
$OUT .= "tls-auth priv/takey.pem 0\n" if
(-e "/etc/openvpn/routed/priv/takey.pem" &&
!-z "/etc/openvpn/routed/priv/takey.pem");
}
# CRL file for certificates verification
crl-verify pub/cacrl.pem
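Review bot: `crl-verify pub/cacrl.pem` is unconditional, but nothing in this commit creates that file: it is only written by the update-crl action, which the crontab fragment schedules only when `CrlUrl` matches `http(s)://`, and `%post` in the spec is empty. On a fresh install OpenVPN therefore references a missing CRL; whether that fails at startup or at the first handshake depends on the OpenVPN version, but either way the cause is not visible in this config. Either emit the `crl-verify` line only when the file exists, mirroring the `-e`/`-z` test already used for `tls-auth`, or have `%post` install an empty-but-valid CRL. The `tls-auth` block could also carry a one-line comment that `0` is the server key-direction, since the matching client side must use `1`.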

@ -0,0 +1,9 @@
{
my $userAuth = ${'openvpn-routed'}{Authentication} || 'CrtWithPass';
if ($userAuth eq 'CrtWithPass'){
my $plugin_dir = (-d "/usr/share/openvpn/plugin/lib") ?
'/usr/share/openvpn/plugin/lib':'/usr/lib/openvpn/plugin/lib';
$OUT .= "plugin ".$plugin_dir."/openvpn-auth-pam.so login\n";
}
$OUT .= '';
}
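Review bot: The trailing `$OUT .= '';` looks like a no-op and will be deleted by the next maintainer; if it is there to make `$OUT` defined so Text::Template emits `$OUT` instead of the `if` statement's return value, say so: `# touch $OUT so the fragment output is $OUT, not the value of the if`. The plugin path probe only distinguishes two directories and silently falls back to `/usr/lib/openvpn/plugin/lib` when neither exists, which yields a `plugin` line pointing at a missing `.so` and a start failure; checking `-e` on the final path and emitting a comment instead would make the cause visible in openvpn.conf. Authenticating against the PAM `login` service means any account PAM accepts for login can complete the password check, which is worth a comment next to the `plugin` line.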

@ -0,0 +1,6 @@
{
my $net = ${'openvpn-routed'}{'Network'} || '192.168.29.0/255.255.255.0';
my ($addr,$mask) = split /\//, $net;
$OUT = "server $addr $mask\n";
}
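Review bot: `split /\//, $net` assumes `Network` contains a `/`; a value without one leaves `$mask` undefined and emits `server 192.168.29.0 ` followed by an uninitialized-value warning, and the same split is repeated in the delete-net action and the `up` script. Validate once and fall back to the default on malformed input, e.g. `$net = '192.168.29.0/255.255.255.0' unless $net =~ m{^\d+(\.\d+){3}/\d+(\.\d+){3}$};` before the split. `topology subnet` after the block is the right default for routed mode; a comment that `server` derives both address and mask from the `Network` property would save a lookup.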
topology subnet

@ -0,0 +1,60 @@
# Options
{
my $tunMtu = ${'openvpn-routed'}{Mtu} || '';
my $fragment = ${'openvpn-routed'}{Fragment};
my $cipher = ${'openvpn-routed'}{Cipher} || '';
my $redirectGW = ${'openvpn-routed'}{RedirectGateway} || '';
my $proto = ${'openvpn-routed'}{Protocol} || 'udp';
my $duplicate = ${'openvpn-routed'}{DuplicateCN} || 'disabled';
my $passtos = ${'openvpn-routed'}{PassTOS} || 'enabled';
my $compress = ${'openvpn-routed'}{Compression} || 'enabled';
if ($proto eq 'tcp'){
$mtuTest = 'disabled';
$fragment = '';
}
$OUT .=<<"HERE";
keepalive 40 180
push "dhcp-option DOMAIN $DomainName"
push "dhcp-option DNS $LocalIP"
push "dhcp-option WINS $LocalIP"
HERE
if ($tunMtu !~ /^\d+$/){
$OUT .= "mtu-test\n";
}
else{
if ($tunMtu ne ''){
$OUT .= "tun-mtu $tunMtu\n";
}
}
if (($proto eq 'udp') && ($fragment ne '')){
$OUT .= "fragment $fragment\n";
}
$OUT .= "mssfix\n";
if ($cipher ne ''){
$OUT .= "cipher $cipher\n";
}
if ($duplicate eq 'enabled'){
$OUT .= "duplicate-cn\n";
}
if ($passtos eq 'enabled'){
$OUT .= "passtos\n";
}
if ($compress eq 'enabled'){
$OUT .= "comp-lzo adaptive\n";
$OUT .= "push \"comp-lzo adaptive\"\n";
}
}
nice 5
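Review bot: `$mtuTest = 'disabled';` in the `tcp` branch assigns an undeclared variable that is never read, so `mtu-test` is still emitted for TCP whenever `Mtu` is not numeric; declare it (`my $mtuTest = 'enabled';`) next to the other properties and guard the emit with `$OUT .= "mtu-test\n" if $mtuTest eq 'enabled';`. `$fragment` is read without the `|| ''` the other properties use, so `$fragment ne ''` warns on an unset property; `$redirectGW` is read from `RedirectGateway` here but never used, while the 70routes fragment reads `RedirectGW` for the same purpose — pick one property name and drop the unused read. The nested `if ($tunMtu ne '')` inside the `else` is always true after the `^\d+$` match and can go. `comp-lzo adaptive` plus the pushed option turns compression on by default; that is a policy choice for VPN traffic and deserves a comment stating it is deliberate.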

@ -0,0 +1,30 @@
{
my $pushRoutes = ${'openvpn-routed'}{PushLocalNetworks} || 'enabled';
my $redirectGW = ${'openvpn-routed'}{RedirectGW} || 'disabled';
use esmith::NetworksDB;
my $ndb = esmith::NetworksDB->open_ro() ||
die('Can not open Networks DB');
my @networks = $ndb->networks();
if ($redirectGW eq 'enabled'){
$OUT .= "push \"redirect-gateway def1\"\n";
}
elsif ($pushRoutes eq 'enabled'){
foreach my $network (@networks) {
my $route = '';
my $addr = $network->key;
my $mask = $network->prop('Mask');
my $gw = $network->prop('Router') || '';
my $vpn = $network->prop('VPN') || '';
if ($gw ne '') {
$route .= "push \"route $addr $mask";
$route .= " $gw" if ($vpn eq '');
$OUT .= "$route\"\n";
}
}
}
}
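Review bot: `die('Can not open Networks DB')` inside a template fragment aborts the whole openvpn.conf expansion on a transient DB error; the other fragments here never die, so either accept that and document it, or fall back to emitting no routes with a warning comment in the output. The `VPN` property consulted for the gateway suffix is not the `VPNRouted` flag that the `up` script and the delete-net action set; if `VPN` is defined by another package that should be noted in a comment, otherwise this test never matches and a gateway is appended to every pushed route. `Mask` is taken verbatim from the DB without a `|| ''`, so a record lacking it emits `push "route 10.0.0.0  10.0.0.1"` with a warning; reading it with the same default idiom as `Router` keeps the line well-formed.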

@ -0,0 +1,5 @@
{
my $pass = ${'openvpn-routed'}{'ManagementPassword'} || 'secret';
$OUT ="management 127.0.0.1 11195 management-pass.txt\n";
}
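Review bot: `$pass` is read from `ManagementPassword` and then never used, since the next line assigns a fixed `management` directive; the dead read (with its `'secret'` default) should go, leaving only the directive. The password file is referenced as a relative path, which depends on OpenVPN's `--cd /etc/openvpn/routed` in the run script; a comment `# relative to --cd, see /var/service/openvpn-routed/run` ties the two together. Binding to `127.0.0.1` keeps the interface local, which is the right default.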

@ -0,0 +1,13 @@
{
my $OUT = '';
my $maxClient = ${'openvpn-routed'}{MaxClients} || '';
my $configRequired = ${'openvpn-routed'}{ConfigRequired} || 'disabled';
if ($configRequired eq 'enabled'){
$OUT .= 'ccd-exclusive\n';
}
if ($maxClient =~ /^\d+$/){
$OUT .= "max-clients $maxClient\n";
}
}
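Review bot: `$OUT .= 'ccd-exclusive\n';` uses single quotes, so a literal backslash-n is written instead of a newline and the next directive is glued onto the same line; use `"ccd-exclusive\n"`. Because this fragment also declares a local `my $OUT`, the output is the value of the final `if` statement: when `ConfigRequired` is enabled but `MaxClients` is unset, the failed `^\d+$` match is returned and `ccd-exclusive` is lost. Dropping the `my $OUT = '';` line makes both appends go to the template's own `$OUT` and fixes the second problem without further change.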
client-config-dir ccd

@ -0,0 +1,8 @@
status-version 2
status bridge-status.txt
suppress-timestamps
{
my $OUT = '';
my $verb = ${'openvpn-routed'}{Verbose} || '3';
$OUT .= "verb $verb\n";
}
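Review bot: `status bridge-status.txt` names the status file after the bridge variant although this package is the routed one; `status routed-status.txt` (or a path under the `tmp` directory the spec creates with group `openvpn` write access) would be clearer, and the relative name resolves against the `--cd`/chroot directory `/etc/openvpn/routed`. `my $OUT = '';` here shadows the template's `$OUT` in the same way as 10dev and works only because the `.=` is the last statement. `suppress-timestamps` is consistent with multilog's `t` option already stamping each line; a comment saying so avoids someone re-enabling them.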

@ -0,0 +1,31 @@
#!/bin/bash
#----------------------------------------------------------------------
# copyright (C) 2010 Firewall Services
# Daniel Berteaud <daniel@firewall-services.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#----------------------------------------------------------------------
net=$(/sbin/e-smith/db configuration getprop openvpn-routed Network)
addr=${net%%/*}
mask=${net#*/}
db=$(/sbin/e-smith/db networks getprop $addr RoutedVPN)
if [ -z $db ]; then
/sbin/e-smith/db networks set $addr network Mask $mask VPNRouted yes Removable no
/sbin/e-smith/signal-event network-create $addr
fi
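Review bot: The guard reads `RoutedVPN` but the `set` two lines later writes `VPNRouted` (the name the delete-net action also reads), so `$db` is always empty, the record is rewritten and `network-create` is signalled on every `up`. Change the lookup to the property actually set, and quote the test so an empty value cannot turn into a bare `[ -z ]`: `db=$(/sbin/e-smith/db networks getprop "$addr" VPNRouted)` and `if [ -z "$db" ]; then`. None of this commit's openvpn.conf fragments carries an `up bin/up` (and `script-security`) directive, so unless one is added elsewhere this script is never executed; if it is meant to be wired later, a comment at the top stating how it is invoked would help. A `Network` value without `/` also leaves `mask` equal to the whole string because of the `#*/` expansion; the same assumption is made in the 50server template.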

@ -0,0 +1,6 @@
#!/bin/sh
exec \
/usr/local/bin/setuidgid smelog \
/usr/local/bin/multilog t s5000000 \
/var/log/openvpn-routed

@ -0,0 +1,5 @@
#!/bin/sh
exec 2>&1
exec /usr/sbin/openvpn --config /etc/openvpn/routed/openvpn.conf --cd /etc/openvpn/routed

@ -0,0 +1,69 @@
# Authority: vip-ire
# Name: Daniel Berteaud
Summary: OpenVPN, a strong VPN solution build over SSL, pre-configured for routed mode
Name: smeserver-openvpn-routed
%define version 0.0.1
%define release 1.beta0
Version: %{version}
Release: %{release}%{?dist}
License: GPL
Group: Networking/Remote access
Source: %{name}-%{version}.tar.gz
BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
BuildArchitectures: noarch
BuildRequires: e-smith-devtools
Requires: e-smith-base
Requires: openvpn
#Requires: perl(Net::OpenVPN::Manage)
%description
This package contains all the needed scripts and templates
to have a full working openvpn server running in routed mode.
%changelog
* Fri May 24 2013 Daniel Berteaud <daniel@firewall-services.com> 0.1.0-1
- initial release
%prep
%setup -q -n %{name}-%{version}
%build
perl createlinks
%{__mkdir_p} root/etc/openvpn/routed/ccd
%{__mkdir_p} root/etc/openvpn/routed/priv
%{__mkdir_p} root/etc/openvpn/routed/pub
%{__mkdir_p} root/etc/openvpn/routed/tmp
%{__mkdir_p} root/var/log/openvpn-routed
%install
/bin/rm -rf $RPM_BUILD_ROOT
(cd root ; /usr/bin/find . -depth -print | /bin/cpio -dump $RPM_BUILD_ROOT)
/bin/rm -f %{name}-%{version}-filelist
/sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
--file /var/service/openvpn-routed/run 'attr(0755,root,root)' \
--file /var/service/openvpn-routed/log/run 'attr(0755,root,root)' \
--dir /var/log/openvpn-routed 'attr(0750,smelog,smelog)' \
--dir /etc/openvpn/routed/pub 'attr(0755,root,root)' \
--dir /etc/openvpn/routed/priv 'attr(0750,root,root)' \
--dir /etc/openvpn/routed/ccd 'attr(0755,root,root)' \
--dir /etc/openvpn/routed/tmp 'attr(0770,root,openvpn)' \
--file /usr/bin/ovpn-routed-update-crl 'attr(0750,root,root)' \
> %{name}-%{version}-filelist
%files -f %{name}-%{version}-filelist
%defattr(-,root,root)
%clean
rm -rf $RPM_BUILD_ROOT
%post
%preun
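Review bot: `--file /usr/bin/ovpn-routed-update-crl 'attr(0750,root,root)'` in the genfilelist call names a path that does not exist in this tree; the script is installed as `/etc/e-smith/events/actions/openvpn-routed-update-crl`, which is also the path the crontab fragment calls, so depending on how genfilelist handles a missing entry either rpmbuild fails or the attribute is silently applied to nothing. Point the `--file` entry at the actual path or drop it. The `%changelog` entry is dated for `0.1.0-1` while the spec defines version `0.0.1` release `1.beta0`, and `%post`/`%preun` are declared but empty; either populate them (for example, installing an initial empty CRL so `crl-verify` has a file) or remove the headers.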