commit
e201d0a9b0
24 changed files with 413 additions and 0 deletions
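--- /dev/null
+++ b/UNKNOWN_PATH_01
@@ -0,0 +1,31 @@
+#!/usr/bin/perl -w
+
+use esmith::Build::CreateLinks qw(:all);
+
+safe_symlink("restart", "root/etc/e-smith/events/openvpn-routed-update/services2adjust/openvpn-routed");
+safe_symlink("restart", "root/etc/e-smith/events/network-create/services2adjust/openvpn-routed");
+safe_symlink("restart", "root/etc/e-smith/events/network-delete/services2adjust/openvpn-routed");
+
+service_link_enhanced("openvpn-routed", "S80", "7");
+service_link_enhanced("openvpn-routed", "K25", "6");
+service_link_enhanced("openvpn-routed", "K25", "0");
+
+safe_symlink("../daemontools" , 'root/etc/rc.d/init.d/supervise/openvpn-routed');
+safe_symlink("/var/service/openvpn-routed" , 'root/service/openvpn-routed');
+
+safe_touch("root/var/service/openvpn-routed/down");
+
+#panel_link("openvpnrouted", 'manager');
+
+templates2events("/etc/openvpn/routed/openvpn.conf", "openvpn-routed-update");
+
+templates2events("/etc/openvpn/routed/management-pass.txt", qw(openvpn-routed-update bootstrap-console-save));
+templates2events("/etc/openvpn/routed/openvpn.conf", qw(openvpn-routed-update bootstrap-console-save network-create network-delete));
+templates2events("/etc/crontab", qw(openvpn-routed-update));
+
+#event_link("openvpn-routed-reload-ccd", "openvpn-routed-update", "20");
+event_link("openvpn-routed-update-crl", "openvpn-routed-update", "30");
+event_link("openvpn-routed-delete-net", "openvpn-routed-update", "40");
+#event_link("openvpn-routed-reload-ccd", "openvpn-routed-reload-ccd", "20");
+event_link("openvpn-routed-update-crl", "openvpn-routed-reload-ccd", "30");
+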
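Review bot: The script runs under `-w` but never enables `use strict;`, and `templates2events("/etc/openvpn/routed/openvpn.conf", ...)` is registered twice, first with the single `openvpn-routed-update` event and again with the four-event list that already contains it; the first call is redundant and should be dropped. Adding `use strict;` right after the `use esmith::Build::CreateLinks qw(:all);` line costs nothing here, since every statement is a plain function call with literal arguments.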
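--- /dev/null
+++ b/UNKNOWN_PATH_02
@@ -0,0 +1 @@
+1194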
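--- /dev/null
+++ b/UNKNOWN_PATH_03
@@ -0,0 +1 @@
+public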
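--- /dev/null
+++ b/UNKNOWN_PATH_04
@@ -0,0 +1 @@
+enabled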
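--- /dev/null
+++ b/UNKNOWN_PATH_05
@@ -0,0 +1 @@
+service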
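--- /dev/null
+++ b/UNKNOWN_PATH_06
@@ -0,0 +1,9 @@
+{
+my $openvpn = $DB->get('openvpn-routed') || $DB->new_record('openvpn-routed', {type => 'service'});
+my $management = $openvpn->prop('ManagementPassword') || '';
+return "" if ($management ne '');
+
+# Generate a random password
+$pass=`/usr/bin/openssl rand -base64 20 | tr -c -d '[:alnum:]'`;
+$openvpn->set_prop('ManagementPassword',"$pass");
+}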
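Review bot: The `$pass=...` line stores whatever the backtick pipeline returned without checking that `openssl` actually ran, so on any failure an empty string is written to `ManagementPassword` and the management-pass.txt template in this same commit silently falls back to its literal `'secret'` default; the generated value must be validated before `set_prop`. `$pass` is also the only variable in this block not declared with `my`. Declare it (`my $pass = ...;`) and follow the command with `die "could not generate a management password\n" unless $? == 0 && length $pass;` so a missing or failing `/usr/bin/openssl` aborts the event instead of producing a known password.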
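--- /dev/null
+++ b/UNKNOWN_PATH_07
@@ -0,0 +1,45 @@
+#!/usr/bin/perl -w
+
+#----------------------------------------------------------------------
+# copyright (C) 2013 Firewall Services
+# Daniel Berteaud <daniel@firewall-services.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#----------------------------------------------------------------------
+
+use strict;
+use esmith::ConfigDB;
+use esmith::NetworksDB;
+use esmith::event;
+
+my $c = esmith::ConfigDB->open_ro || die "Couldn't open config db\n";
+my $n = esmith::NetworksDB->open || die "Couldn't open netwoks db\n";
+my @nets = $n->networks;
+my $net = ${'openvpn-routed'}{Network} || '192.168.29.0/255.255.255.0';
+my ($vpnnet,$mask) = split /\//, $net;
+
+foreach my $net (@nets){
+my $key = $net->key;
+my $vpn = $n->get_prop($key,"VPNRouted") || '';
+
+if ($vpn eq 'yes'){
+unless ($key eq $vpnnet){
+$n->set_prop($key, type=>'network-deleted');
+event_signal("network-delete","$key");
+$n->get($key)->delete;
+}
+}
+}
+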
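Review bot: `${'openvpn-routed'}{Network}` on the `my $net =` line is the template-fragment idiom, not something that works in this standalone script: under `use strict` a symbolic hash reference is refused at run time, and nothing here loads the configuration record into a hash of that name, while the `$c` config handle opened three lines earlier is never used. Read the property through the handle instead, `my $net = $c->get_prop('openvpn-routed', 'Network') || '192.168.29.0/255.255.255.0';` (the same `get_prop` accessor this script already uses on `$n`). The inner `foreach my $net (@nets)` then shadows that outer `$net`, which makes the `$key eq $vpnnet` comparison harder to follow; renaming the loop variable to `$record` is enough. `netwoks` in the second `die` message is a typo.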
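--- /dev/null
+++ b/UNKNOWN_PATH_08
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+URL=$(/sbin/e-smith/db configuration getprop openvpn-routed CrlUrl)
+DOMAIN=$(/sbin/e-smith/db configuration get DomainName)
+
+/usr/bin/wget $URL -O /tmp/cacrl.pem > /dev/null 2>&1
+
+/usr/bin/openssl crl -inform PEM -in /tmp/cacrl.pem -text > /dev/null 2>&1
+
+if [ "$?" -eq "0" ]; then
+/bin/mv -f /tmp/cacrl.pem /etc/openvpn/routed/pub/cacrl.pem > /dev/null 2>&1
+else
+cat > /tmp/crlmail <<END
+
+An error occured while updating the CRL for OpenVPN-Bridge
+because openssl didn't recognize the file as a valid CRL.
+Below is the copy of the latest CRL downloaded from
+$URL
+
+
+END
+
+cat /tmp/cacrl.pem >> /tmp/crlmail
+mail -s 'CRL update failed' admin@$DOMAIN < /tmp/crlmail
+fi
+
+rm -f /tmp/cacrl.pem
+rm -f /tmp/crlmail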
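Review bot: The script runs as root from cron yet writes to the fixed names `/tmp/cacrl.pem` and `/tmp/crlmail` in a world-writable directory, so any local user can pre-create those paths before the hourly run; use `mktemp` for both and clean them up from an `EXIT` trap. The check on the `openssl crl ... -text` line only proves that the download parses as a CRL, not that it was issued by this server's CA, so a CRL signed by anyone would be installed as `pub/cacrl.pem` (and the crontab template accepts plain http URLs); pass `-CAfile /etc/openvpn/routed/pub/cacert.pem`, the CA the openvpn.conf template already references, so the signature is verified before the move. The `wget` exit status is ignored, `$URL` is unquoted, and the mail body still says `OpenVPN-Bridge`. Note that `mktemp` creates files 0600, so the mode has to be relaxed before the CRL is moved into the chroot for the unprivileged openvpn user.
```shell
URL=$(/sbin/e-smith/db configuration getprop openvpn-routed CrlUrl)
DOMAIN=$(/sbin/e-smith/db configuration get DomainName)
CAFILE=/etc/openvpn/routed/pub/cacert.pem

# private temp files instead of fixed names in /tmp; removed on any exit
CRL=$(mktemp) || exit 1
CRLMAIL=$(mktemp) || exit 1
trap 'rm -f "$CRL" "$CRLMAIL"' EXIT

# download must succeed AND the CRL must verify against our CA
/usr/bin/wget "$URL" -O "$CRL" > /dev/null 2>&1 &&
    /usr/bin/openssl crl -inform PEM -in "$CRL" -CAfile "$CAFILE" -noout > /dev/null 2>&1

if [ "$?" -eq "0" ]; then
    chmod 0644 "$CRL"   # mktemp gives 0600; keep the CRL readable by the openvpn user
    /bin/mv -f "$CRL" /etc/openvpn/routed/pub/cacrl.pem > /dev/null 2>&1
else
    # … unchanged: failure mail, written to "$CRLMAIL" and appending "$CRL" instead of the /tmp names …
fi
```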
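--- /dev/null
+++ b/UNKNOWN_PATH_09
@@ -0,0 +1,7 @@
+{
+my $url = ${'openvpn-routed'}{'CrlUrl'} || '';
+if ($url =~ /^http(s)?:\/\/.*$/){
+$OUT .= "# Update OpenVPN routed CRL\n";
+$OUT .= "5 * * * * root /etc/e-smith/events/actions/openvpn-routed-update-crl 2>&1 /dev/null\n";
+}
+}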
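Review bot: The cron entry on the second `$OUT .=` line has its redirections reversed: `2>&1 /dev/null` duplicates stderr onto stdout and hands `/dev/null` to the action as a positional argument, so every hourly run's output still goes to cron mail and nothing is discarded. It should end with `> /dev/null 2>&1\n`. The `/^http(s)?:\/\/.*$/` test deliberately accepts plain http, which is only acceptable because a CRL is signed; that assumption holds only if the update action verifies the signature, and a comment saying so would stop a later reader from "fixing" the check one way or the other.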
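--- /dev/null
+++ b/UNKNOWN_PATH_10
@@ -0,0 +1,4 @@
+{
+my $pass = ${'openvpn-routed'}{'ManagementPassword'} || 'secret';
+$OUT = "$pass";
+}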
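Review bot: The `|| 'secret'` default on the `my $pass =` line writes a well-known password into management-pass.txt whenever `ManagementPassword` is unset, hiding the configuration error instead of surfacing it; the management socket is bound to 127.0.0.1 in the sibling fragment so the exposure is local, but failing loudly is still the better behaviour: `my $pass = ${'openvpn-routed'}{'ManagementPassword'} or die "openvpn-routed ManagementPassword is not set\n";`. The mode of the generated file is not visible in this commit; it should not be readable by other local users.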
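--- /dev/null
+++ b/UNKNOWN_PATH_11
@@ -0,0 +1,21 @@
+{
+my $OUT='';
+my $protocol = ${'openvpn-routed'}{Protocol} || 'udp';
+my $port='';
+if ($protocol eq 'udp'){
+$port = ${'openvpn-routed'}{UDPPort} || '1194';
+}
+if ($protocol eq 'tcp'){
+$port = ${'openvpn-routed'}{TCPPort} || '1194';
+$protocol = 'tcp-server';
+}
+
+$OUT .=<<"HERE";
+
+port $port
+proto $protocol
+dev tunvpn0
+
+HERE
+
+}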
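Review bot: `my $OUT='';` at the top of the block declares a lexical that shadows the template engine's own `$OUT`, so the text appended afterwards is never handed back through that variable; if the expansion is the Text::Template style the other fragments in this commit rely on, this one only works because the heredoc append happens to be the block's last expression and its value becomes the block's output. The same `my $OUT = '';` appears in the fragments at L871 and L920; the one at L871 ends in an `if` statement whose value is not the accumulated text, so its output can be lost depending on the last condition. Delete the `my $OUT='';` line in all three and append to the engine's `$OUT` as the remaining fragments do.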
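--- /dev/null
+++ b/UNKNOWN_PATH_12
@@ -0,0 +1,5 @@
+user openvpn
+group openvpn
+chroot /etc/openvpn/routed
+persist-key
+persist-tun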
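--- /dev/null
+++ b/UNKNOWN_PATH_13
@@ -0,0 +1,17 @@
+# Certificates config
+dh pub/dh.pem
+ca pub/cacert.pem
+cert pub/cert.pem
+key priv/key.pem
+tls-server
+
+{
+
+$OUT .= "tls-auth priv/takey.pem 0\n" if
+(-e "/etc/openvpn/routed/priv/takey.pem" &&
+!-z "/etc/openvpn/routed/priv/takey.pem");
+
+}
+
+# CRL file for certificates verification
+crl-verify pub/cacrl.pem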
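Review bot: `crl-verify pub/cacrl.pem` is emitted unconditionally while the CRL file only exists once the update action has fetched it from a configured `CrlUrl`, so on a fresh install OpenVPN presumably refuses to start until the first successful download; the `tls-auth` block just above shows how the template conditions on a file's presence. Keeping the directive mandatory is the right choice for revocation, so rather than making it optional, document the dependency, e.g. replace the `# CRL file for certificates verification` comment with `# CRL file for certificate verification; required, so the service will not start until openvpn-routed-update-crl has installed pub/cacrl.pem`, and make sure the CRL is fetched in the same event that writes this file.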
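--- /dev/null
+++ b/UNKNOWN_PATH_14
@@ -0,0 +1,9 @@
+{
+my $userAuth = ${'openvpn-routed'}{Authentication} || 'CrtWithPass';
+if ($userAuth eq 'CrtWithPass'){
+my $plugin_dir = (-d "/usr/share/openvpn/plugin/lib") ?
+'/usr/share/openvpn/plugin/lib':'/usr/lib/openvpn/plugin/lib';
+$OUT .= "plugin ".$plugin_dir."/openvpn-auth-pam.so login\n";
+}
+$OUT .= '';
+}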
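Review bot: `$OUT .= '';` on the last line of the block is a no-op and should be removed. The `login` argument on the `plugin` line is worth a comment, since it selects which PAM stack authenticates VPN users and is the one security-relevant choice in this fragment: `# 'login' is the PAM service name used to check VPN user passwords`. Values of `Authentication` other than `CrtWithPass` silently emit nothing, which is presumably the certificate-only mode; a one-line comment saying so would make that intent explicit.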
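--- /dev/null
+++ b/UNKNOWN_PATH_15
@@ -0,0 +1,6 @@
+{
+my $net = ${'openvpn-routed'}{'Network'} || '192.168.29.0/255.255.255.0';
+my ($addr,$mask) = split /\//, $net;
+$OUT = "server $addr $mask\n";
+}
+topology subnet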
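Review bot: The result of `split /\//, $net` is not checked, so a `Network` value without a `/` leaves `$mask` undefined and emits an invalid `server $addr ` line; add `die "openvpn-routed Network must be addr/mask\n" unless defined $mask;` before the `$OUT =` line. The delete-net action in this commit (L235) performs the same unchecked split on the same property and would benefit from the same guard.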
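--- /dev/null
+++ b/UNKNOWN_PATH_16
@@ -0,0 +1,60 @@
+# Options
+{
+
+my $tunMtu = ${'openvpn-routed'}{Mtu} || '';
+my $fragment = ${'openvpn-routed'}{Fragment};
+my $cipher = ${'openvpn-routed'}{Cipher} || '';
+my $redirectGW = ${'openvpn-routed'}{RedirectGateway} || '';
+my $proto = ${'openvpn-routed'}{Protocol} || 'udp';
+my $duplicate = ${'openvpn-routed'}{DuplicateCN} || 'disabled';
+my $passtos = ${'openvpn-routed'}{PassTOS} || 'enabled';
+my $compress = ${'openvpn-routed'}{Compression} || 'enabled';
+
+if ($proto eq 'tcp'){
+$mtuTest = 'disabled';
+$fragment = '';
+}
+
+$OUT .=<<"HERE";
+keepalive 40 180
+push "dhcp-option DOMAIN $DomainName"
+push "dhcp-option DNS $LocalIP"
+push "dhcp-option WINS $LocalIP"
+
+HERE
+
+if ($tunMtu !~ /^\d+$/){
+$OUT .= "mtu-test\n";
+}
+else{
+if ($tunMtu ne ''){
+$OUT .= "tun-mtu $tunMtu\n";
+}
+}
+
+if (($proto eq 'udp') && ($fragment ne '')){
+$OUT .= "fragment $fragment\n";
+}
+$OUT .= "mssfix\n";
+
+if ($cipher ne ''){
+$OUT .= "cipher $cipher\n";
+}
+
+if ($duplicate eq 'enabled'){
+$OUT .= "duplicate-cn\n";
+}
+
+if ($passtos eq 'enabled'){
+$OUT .= "passtos\n";
+}
+
+if ($compress eq 'enabled'){
+$OUT .= "comp-lzo adaptive\n";
+$OUT .= "push \"comp-lzo adaptive\"\n";
+}
+
+}
+
+nice 5
+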
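Review bot: `$mtuTest = 'disabled';` inside the `if ($proto eq 'tcp')` branch assigns a variable that is neither declared nor read anywhere in the fragment, and `my $fragment = ${'openvpn-routed'}{Fragment};` has no default, so the later `$fragment ne ''` compares an undefined value for the common case; drop the `$mtuTest` line and write `my $fragment = ${'openvpn-routed'}{Fragment} || '';`. `$redirectGW` is read from `RedirectGateway` here and never used, while the route fragment at L770 reads `RedirectGW` for what looks like the same setting; one property name should be chosen and the dead read removed. The inner `if ($tunMtu ne '')` is redundant, since an empty value already fails the `^\d+$` test and takes the `mtu-test` branch. Finally, `Compression` defaulting to `enabled` turns on `comp-lzo` for every client; compressing an encrypted tunnel is generally discouraged, so `disabled` is the safer default.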
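--- /dev/null
+++ b/UNKNOWN_PATH_17
@@ -0,0 +1,30 @@
+{
+
+my $pushRoutes = ${'openvpn-routed'}{PushLocalNetworks} || 'enabled';
+my $redirectGW = ${'openvpn-routed'}{RedirectGW} || 'disabled';
+
+use esmith::NetworksDB;
+my $ndb = esmith::NetworksDB->open_ro() ||
+die('Can not open Networks DB');
+
+my @networks = $ndb->networks();
+
+if ($redirectGW eq 'enabled'){
+$OUT .= "push \"redirect-gateway def1\"\n";
+}
+elsif ($pushRoutes eq 'enabled'){
+foreach my $network (@networks) {
+my $route = '';
+my $addr = $network->key;
+my $mask = $network->prop('Mask');
+my $gw = $network->prop('Router') || '';
+my $vpn = $network->prop('VPN') || '';
+if ($gw ne '') {
+$route .= "push \"route $addr $mask";
+$route .= " $gw" if ($vpn eq '');
+$OUT .= "$route\"\n";
+}
+}
+}
+
+}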
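Review bot: `my $vpn = $network->prop('VPN') || '';` reads a property that nothing in this commit sets: the action that creates the VPN network record (L1014) stores `VPNRouted yes`, the delete-net action (L247) reads `VPNRouted`, and the create action's own existence check (L1008) reads `RoutedVPN`. With three spellings the `$vpn eq ''` test here is always true, so the gateway is appended for every network, and the `-z $db` check in the create action is always true as well, so that record is re-created and `network-create` re-signalled on every run. Standardise on `VPNRouted` here (`my $vpn = $network->prop('VPNRouted') || '';`) and on L1008. `$network->prop('Mask')` is also the only property read in this loop without a default, so a record lacking it produces `push "route $addr  $gw"`.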
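--- /dev/null
+++ b/UNKNOWN_PATH_18
@@ -0,0 +1,5 @@
+{
+my $pass = ${'openvpn-routed'}{'ManagementPassword'} || 'secret';
+$OUT ="management 127.0.0.1 11195 management-pass.txt\n";
+
+}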
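Review bot: `my $pass = ...` is read and never used in this fragment, since the password is consumed through `management-pass.txt`; delete the line, as a dead read of a secret in a template invites someone to interpolate it into openvpn.conf later. A short comment on the `management` line would make the design visible: `# password lives in management-pass.txt so it is not written into openvpn.conf; socket is loopback-only`.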
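--- /dev/null
+++ b/UNKNOWN_PATH_19
@@ -0,0 +1,13 @@
+{
+my $OUT = '';
+my $maxClient = ${'openvpn-routed'}{MaxClients} || '';
+my $configRequired = ${'openvpn-routed'}{ConfigRequired} || 'disabled';
+
+if ($configRequired eq 'enabled'){
+$OUT .= 'ccd-exclusive\n';
+}
+if ($maxClient =~ /^\d+$/){
+$OUT .= "max-clients $maxClient\n";
+}
+}
+client-config-dir ccd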
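Review bot: `$OUT .= 'ccd-exclusive\n';` uses single quotes, so the two literal characters `\n` are appended instead of a newline and any following `max-clients` directive lands on the same line; the option that is supposed to reject clients without a ccd entry therefore never applies, and the config may not even parse. It should be `$OUT .= "ccd-exclusive\n";`. Because `ConfigRequired` is a restrictive setting, its failure mode is silent acceptance of clients, which makes this worth a test of the rendered file rather than just a fix.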
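--- /dev/null
+++ b/UNKNOWN_PATH_20
@@ -0,0 +1,8 @@
+status-version 2
+status bridge-status.txt
+suppress-timestamps
+{
+my $OUT = '';
+my $verb = ${'openvpn-routed'}{Verbose} || '3';
+$OUT .= "verb $verb\n";
+}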
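--- /dev/null
+++ b/UNKNOWN_PATH_21
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+#----------------------------------------------------------------------
+# copyright (C) 2010 Firewall Services
+# Daniel Berteaud <daniel@firewall-services.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#----------------------------------------------------------------------
+
+net=$(/sbin/e-smith/db configuration getprop openvpn-routed Network)
+addr=${net%%/*}
+mask=${net#*/}
+
+db=$(/sbin/e-smith/db networks getprop $addr RoutedVPN)
+if [ -z $db ]; then
+/sbin/e-smith/db networks set $addr network Mask $mask VPNRouted yes Removable no
+/sbin/e-smith/signal-event network-create $addr
+fi
+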
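Review bot: Nothing handles an empty `Network` property: with `net` empty, `addr` and `mask` are both empty, `[ -z $db ]` is true, and the `db networks set` line would create a record with an empty key and signal `network-create` for it. Add `[ -n "$net" ] || exit 0` after the `net=` line and quote the expansions, `db=$(/sbin/e-smith/db networks getprop "$addr" RoutedVPN)` and `if [ -z "$db" ]; then`, with `"$addr"` and `"$mask"` on the two lines inside the `if`. Note also that `${net#*/}` returns the whole string when there is no `/`, so `mask` should be validated before being stored.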
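--- /dev/null
+++ b/UNKNOWN_PATH_22
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+exec \
+/usr/local/bin/setuidgid smelog \
+/usr/local/bin/multilog t s5000000 \
+/var/log/openvpn-routed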
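--- /dev/null
+++ b/UNKNOWN_PATH_23
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+exec 2>&1
+
+exec /usr/sbin/openvpn --config /etc/openvpn/routed/openvpn.conf --cd /etc/openvpn/routed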
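--- /dev/null
+++ b/UNKNOWN_PATH_24
@@ -0,0 +1,69 @@
+# Authority: vip-ire
+# Name: Daniel Berteaud
+
+Summary: OpenVPN, a strong VPN solution build over SSL, pre-configured for routed mode
+Name: smeserver-openvpn-routed
+%define version 0.0.1
+%define release 1.beta0
+Version: %{version}
+Release: %{release}%{?dist}
+License: GPL
+Group: Networking/Remote access
+Source: %{name}-%{version}.tar.gz
+
+BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
+BuildArchitectures: noarch
+
+BuildRequires: e-smith-devtools
+
+Requires: e-smith-base
+Requires: openvpn
+#Requires: perl(Net::OpenVPN::Manage)
+
+%description
+This package contains all the needed scripts and templates
+to have a full working openvpn server running in routed mode.
+
+
+%changelog
+* Fri May 24 2013 Daniel Berteaud <daniel@firewall-services.com> 0.1.0-1
+- initial release
+
+%prep
+%setup -q -n %{name}-%{version}
+
+%build
+perl createlinks
+
+%{__mkdir_p} root/etc/openvpn/routed/ccd
+%{__mkdir_p} root/etc/openvpn/routed/priv
+%{__mkdir_p} root/etc/openvpn/routed/pub
+%{__mkdir_p} root/etc/openvpn/routed/tmp
+%{__mkdir_p} root/var/log/openvpn-routed
+
+%install
+/bin/rm -rf $RPM_BUILD_ROOT
+(cd root ; /usr/bin/find . -depth -print | /bin/cpio -dump $RPM_BUILD_ROOT)
+/bin/rm -f %{name}-%{version}-filelist
+/sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
+--file /var/service/openvpn-routed/run 'attr(0755,root,root)' \
+--file /var/service/openvpn-routed/log/run 'attr(0755,root,root)' \
+--dir /var/log/openvpn-routed 'attr(0750,smelog,smelog)' \
+--dir /etc/openvpn/routed/pub 'attr(0755,root,root)' \
+--dir /etc/openvpn/routed/priv 'attr(0750,root,root)' \
+--dir /etc/openvpn/routed/ccd 'attr(0755,root,root)' \
+--dir /etc/openvpn/routed/tmp 'attr(0770,root,openvpn)' \
+--file /usr/bin/ovpn-routed-update-crl 'attr(0750,root,root)' \
+> %{name}-%{version}-filelist
+
+%files -f %{name}-%{version}-filelist
+%defattr(-,root,root)
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+
+%post
+
+%preun
+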
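Review bot: `--file /usr/bin/ovpn-routed-update-crl 'attr(0750,root,root)'` in the genfilelist call names a path that no other file in this commit installs; the CRL updater is wired as the event action `openvpn-routed-update-crl` (createlinks and the crontab template), so this entry is presumably a leftover and should be removed or pointed at the real path. The changelog entry says `0.1.0-1` while `%define version 0.0.1` and `%define release 1.beta0` are declared above it. No attribute is given for `/etc/openvpn/routed/management-pass.txt`, which holds the management password inside a directory installed 0755; unless the template sets a mode itself (not visible here), add a `--file /etc/openvpn/routed/management-pass.txt 'attr(0600,root,root)'` entry, confirming first that OpenVPN reads the file before it drops privileges.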