Force kill OpenVPN process on stopping service
1 /*
3 Copyright (C) 2008-2010 Keith Moyer, tomatovpn@keithmoyer.com
5 No part of this file may be used without permission.
7 */
9 #include "rc.h"
10 #include <sys/types.h>
11 #include <dirent.h>
12 #include <string.h>
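// Line number as text string. Two expansion steps so __LINE__ is substituted
// before it is stringized. (Renamed from the old __LINE_T* spelling: identifiers
// beginning with a double underscore are reserved for the implementation.)
#define VPN_LINE_STR VPN_LINE_T_(__LINE__)
#define VPN_LINE_T_(x) VPN_LINE_T(x)
#define VPN_LINE_T(x) # x

// Log levels, compared against the nvram integer "vpn_debug" by vpnlog().
#define VPN_LOG_ERROR -1
#define VPN_LOG_NOTE 0
#define VPN_LOG_INFO 1
#define VPN_LOG_EXTRA 2
// Emit to syslog when vpn_debug >= level. The format string is assembled from
// literals only (level name, line number, the caller's literal), so callers must
// keep passing a literal format and hand variable text in as %s arguments.
// do { } while (0) makes the macro a single statement, so an `else` following
// a braceless `if (...) vpnlog(...);` binds to the caller's `if`, not this one.
#define vpnlog(level,x...) do { if(nvram_get_int("vpn_debug")>=level) syslog(LOG_INFO, #level ": " VPN_LINE_STR ": " x); } while (0)

// Interface numbering: client N uses tun/tap(N+10), server N uses tun/tap(N+20)
#define CLIENT_IF_START 10
#define SERVER_IF_START 20

#define BUF_SIZE 128
#define IF_SIZE 8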
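/**
 * Bring up OpenVPN client <clientNum>.
 *
 * Reads the vpn_client<N>_* nvram variables, creates the tun/tap device,
 * writes /etc/openvpn/client<N>/config.ovpn and any cert/key material,
 * launches the daemon through the per-client symlink /etc/openvpn/vpnclient<N>
 * (so pidof()/killall() can target this instance), installs firewall rules
 * and a poll cron job. Every failure path logs, calls stop_vpnclient() to
 * undo partial work, and returns. Nothing is returned to the caller.
 */
void start_vpnclient(int clientNum)
{
	enum { ARGV_LEN = 8 };   // largest command below has 5 tokens + NULL
	FILE *fp;
	char iface[IF_SIZE];
	char buffer[BUF_SIZE];
	char *argv[ARGV_LEN], *tok;
	int argc = 0;
	enum { TLS, SECRET, CUSTOM } cryptMode = CUSTOM;
	enum { TAP, TUN } ifType = TUN;
	enum { BRIDGE, NAT, NONE } routeMode = NONE;
	int nvi, ip[4] = {0}, nm[4] = {0};
	long int nvl;
	size_t off;

	vpnlog(VPN_LOG_INFO,"VPN GUI client backend starting...");

	snprintf(buffer, BUF_SIZE, "vpnclient%d", clientNum);
	if ( pidof(buffer) >= 0 )
	{
		vpnlog(VPN_LOG_NOTE, "VPN Client %d already running...", clientNum);
		vpnlog(VPN_LOG_INFO,"PID: %d", pidof(buffer));
		return;
	}

	// Determine interface
	snprintf(buffer, BUF_SIZE, "vpn_client%d_if", clientNum);
	if ( nvram_contains_word(buffer, "tap") )
	{
		ifType = TAP;
	}
	else if ( nvram_contains_word(buffer, "tun") )
	{
		ifType = TUN;
	}
	else
	{
		vpnlog(VPN_LOG_ERROR, "Invalid interface type, %.3s", nvram_safe_get(buffer));
		return;
	}

	// Build interface name, e.g. "tun11" for client 1
	snprintf(iface, IF_SIZE, "%s%d", nvram_safe_get(buffer), clientNum+CLIENT_IF_START);

	// Determine encryption mode
	snprintf(buffer, BUF_SIZE, "vpn_client%d_crypt", clientNum);
	if ( nvram_contains_word(buffer, "tls") )
	{
		cryptMode = TLS;
	}
	else if ( nvram_contains_word(buffer, "secret") )
	{
		cryptMode = SECRET;
	}
	else if ( nvram_contains_word(buffer, "custom") )
	{
		cryptMode = CUSTOM;
	}
	else
	{
		vpnlog(VPN_LOG_ERROR,"Invalid encryption mode, %.6s", nvram_safe_get(buffer));
		return;
	}

	// Determine if we should bridge the tunnel (TAP only)
	snprintf(buffer, BUF_SIZE, "vpn_client%d_bridge", clientNum);
	if ( ifType == TAP && nvram_get_int(buffer) == 1 )
		routeMode = BRIDGE;

	// Determine if we should NAT the tunnel (never when bridged)
	snprintf(buffer, BUF_SIZE, "vpn_client%d_nat", clientNum);
	if ( (ifType == TUN || routeMode != BRIDGE) && nvram_get_int(buffer) == 1 )
		routeMode = NAT;

	// Make sure openvpn directory exists (an EEXIST failure is expected)
	mkdir("/etc/openvpn", 0700);
	snprintf(buffer, BUF_SIZE, "/etc/openvpn/client%d", clientNum);
	mkdir(buffer, 0700);

	// Make sure symbolic link exists
	snprintf(buffer, BUF_SIZE, "/etc/openvpn/vpnclient%d", clientNum);
	unlink(buffer);
	if ( symlink("/usr/sbin/openvpn", buffer) )
	{
		vpnlog(VPN_LOG_ERROR,"Creating symlink failed...");
		stop_vpnclient(clientNum);
		return;
	}

	// Make sure module is loaded
	modprobe("tun");

	// Create tap/tun interface. Tokenizing stops one short of the array so
	// argv is always NULL-terminated and never written past its end.
	snprintf(buffer, BUF_SIZE, "openvpn --mktun --dev %s", iface);
	for (argc = 0, tok = strtok(buffer, " "); tok != NULL && argc < ARGV_LEN - 1; tok = strtok(NULL, " "))
		argv[argc++] = tok;
	argv[argc] = NULL;
	if ( _eval(argv, NULL, 0, NULL) )
	{
		vpnlog(VPN_LOG_ERROR,"Creating tunnel interface failed...");
		stop_vpnclient(clientNum);
		return;
	}

	// Bring interface up (TAP only)
	if ( ifType == TAP )
	{
		if ( routeMode == BRIDGE )
		{
			snprintf(buffer, BUF_SIZE, "brctl addif %s %s", nvram_safe_get("lan_ifname"), iface);
			for (argc = 0, tok = strtok(buffer, " "); tok != NULL && argc < ARGV_LEN - 1; tok = strtok(NULL, " "))
				argv[argc++] = tok;
			argv[argc] = NULL;
			if ( _eval(argv, NULL, 0, NULL) )
			{
				vpnlog(VPN_LOG_ERROR,"Adding tunnel interface to bridge failed...");
				stop_vpnclient(clientNum);
				return;
			}
		}

		snprintf(buffer, BUF_SIZE, "ifconfig %s promisc up", iface);
		for (argc = 0, tok = strtok(buffer, " "); tok != NULL && argc < ARGV_LEN - 1; tok = strtok(NULL, " "))
			argv[argc++] = tok;
		argv[argc] = NULL;
		if ( _eval(argv, NULL, 0, NULL) )
		{
			vpnlog(VPN_LOG_ERROR,"Bringing interface up failed...");
			stop_vpnclient(clientNum);
			return;
		}
	}

	// Build and write config file
	vpnlog(VPN_LOG_EXTRA,"Writing config file");
	snprintf(buffer, BUF_SIZE, "/etc/openvpn/client%d/config.ovpn", clientNum);
	if ( (fp = fopen(buffer, "w")) == NULL )
	{
		vpnlog(VPN_LOG_ERROR,"Creating config file failed...");
		stop_vpnclient(clientNum);
		return;
	}
	// The file is created with the process umask and tightened afterwards;
	// the enclosing directory is already 0700, which limits that window.
	chmod(buffer, S_IRUSR|S_IWUSR);
	fprintf(fp, "# Automatically generated configuration\n");
	fprintf(fp, "daemon\n");
	if ( cryptMode == TLS )
		fprintf(fp, "client\n");
	fprintf(fp, "dev %s\n", iface);
	snprintf(buffer, BUF_SIZE, "vpn_client%d_proto", clientNum);
	fprintf(fp, "proto %s\n", nvram_safe_get(buffer));
	snprintf(buffer, BUF_SIZE, "vpn_client%d_addr", clientNum);
	fprintf(fp, "remote %s ", nvram_safe_get(buffer));
	snprintf(buffer, BUF_SIZE, "vpn_client%d_port", clientNum);
	fprintf(fp, "%d\n", nvram_get_int(buffer));
	if ( cryptMode == SECRET )
	{
		// Static-key mode has no server to push addresses; configure them here
		if ( ifType == TUN )
		{
			snprintf(buffer, BUF_SIZE, "vpn_client%d_local", clientNum);
			fprintf(fp, "ifconfig %s ", nvram_safe_get(buffer));
			snprintf(buffer, BUF_SIZE, "vpn_client%d_remote", clientNum);
			fprintf(fp, "%s\n", nvram_safe_get(buffer));
		}
		else if ( ifType == TAP )
		{
			snprintf(buffer, BUF_SIZE, "vpn_client%d_local", clientNum);
			fprintf(fp, "ifconfig %s ", nvram_safe_get(buffer));
			snprintf(buffer, BUF_SIZE, "vpn_client%d_nm", clientNum);
			fprintf(fp, "%s\n", nvram_safe_get(buffer));
		}
	}
	snprintf(buffer, BUF_SIZE, "vpn_client%d_retry", clientNum);
	if ( (nvi = nvram_get_int(buffer)) >= 0 )
		fprintf(fp, "resolv-retry %d\n", nvi);
	else
		fprintf(fp, "resolv-retry infinite\n");
	snprintf(buffer, BUF_SIZE, "vpn_client%d_reneg", clientNum);
	if ( (nvl = atol(nvram_safe_get(buffer))) >= 0 )
		fprintf(fp, "reneg-sec %ld\n", nvl);
	fprintf(fp, "nobind\n");
	fprintf(fp, "persist-key\n");
	fprintf(fp, "persist-tun\n");
	snprintf(buffer, BUF_SIZE, "vpn_client%d_comp", clientNum);
	if ( nvram_get_int(buffer) >= 0 )
		fprintf(fp, "comp-lzo %s\n", nvram_safe_get(buffer));
	snprintf(buffer, BUF_SIZE, "vpn_client%d_cipher", clientNum);
	if ( !nvram_contains_word(buffer, "default") )
		fprintf(fp, "cipher %s\n", nvram_safe_get(buffer));
	snprintf(buffer, BUF_SIZE, "vpn_client%d_rgw", clientNum);
	if ( (nvi = nvram_get_int(buffer)) )
	{
		snprintf(buffer, BUF_SIZE, "vpn_client%d_gw", clientNum);
		if ( ifType == TAP && nvram_safe_get(buffer)[0] != '\0' )
			fprintf(fp, "route-gateway %s\n", nvram_safe_get(buffer));
		// rgw == 1 uses the def1 form, anything larger the plain form
		fprintf(fp, "redirect-gateway%s\n", nvi>1? "": " def1");
	}
	fprintf(fp, "verb 3\n");
	if ( cryptMode == TLS )
	{
		snprintf(buffer, BUF_SIZE, "vpn_client%d_adns", clientNum);
		if ( nvram_get_int(buffer) > 0 )
		{
			// up/down script applies DNS settings; an already-existing link is fine
			snprintf(buffer, BUF_SIZE, "/etc/openvpn/client%d/updown.sh", clientNum);
			symlink("/rom/openvpn/updown.sh", buffer);
			fprintf(fp, "script-security 2\n");
			fprintf(fp, "up updown.sh\n");
			fprintf(fp, "down updown.sh\n");
		}

		snprintf(buffer, BUF_SIZE, "vpn_client%d_hmac", clientNum);
		nvi = nvram_get_int(buffer);
		snprintf(buffer, BUF_SIZE, "vpn_client%d_static", clientNum);
		if ( !nvram_is_empty(buffer) && nvi >= 0 )
		{
			// A key direction is written only for hmac values 0 and 1
			fprintf(fp, "tls-auth static.key");
			if ( nvi < 2 )
				fprintf(fp, " %d", nvi);
			fprintf(fp, "\n");
		}

		snprintf(buffer, BUF_SIZE, "vpn_client%d_ca", clientNum);
		if ( !nvram_is_empty(buffer) )
			fprintf(fp, "ca ca.crt\n");
		snprintf(buffer, BUF_SIZE, "vpn_client%d_crt", clientNum);
		if ( !nvram_is_empty(buffer) )
			fprintf(fp, "cert client.crt\n");
		snprintf(buffer, BUF_SIZE, "vpn_client%d_key", clientNum);
		if ( !nvram_is_empty(buffer) )
			fprintf(fp, "key client.key\n");
	}
	else if ( cryptMode == SECRET )
	{
		snprintf(buffer, BUF_SIZE, "vpn_client%d_static", clientNum);
		if ( !nvram_is_empty(buffer) )
			fprintf(fp, "secret static.key\n");
	}
	fprintf(fp, "status-version 2\n");
	fprintf(fp, "status status\n");
	fprintf(fp, "\n# Custom Configuration\n");
	snprintf(buffer, BUF_SIZE, "vpn_client%d_custom", clientNum);
	// nvram content is data, never a format string: write it verbatim with fputs
	fputs(nvram_safe_get(buffer), fp);
	fclose(fp);
	vpnlog(VPN_LOG_EXTRA,"Done writing config file");

	// Write certification and key files
	vpnlog(VPN_LOG_EXTRA,"Writing certs/keys");
	if ( cryptMode == TLS )
	{
		snprintf(buffer, BUF_SIZE, "vpn_client%d_ca", clientNum);
		if ( !nvram_is_empty(buffer) )
		{
			snprintf(buffer, BUF_SIZE, "/etc/openvpn/client%d/ca.crt", clientNum);
			if ( (fp = fopen(buffer, "w")) == NULL )
			{
				vpnlog(VPN_LOG_ERROR,"Creating %s failed...", buffer);
				stop_vpnclient(clientNum);
				return;
			}
			chmod(buffer, S_IRUSR|S_IWUSR);
			snprintf(buffer, BUF_SIZE, "vpn_client%d_ca", clientNum);
			fputs(nvram_safe_get(buffer), fp);
			fclose(fp);
		}

		snprintf(buffer, BUF_SIZE, "vpn_client%d_key", clientNum);
		if ( !nvram_is_empty(buffer) )
		{
			snprintf(buffer, BUF_SIZE, "/etc/openvpn/client%d/client.key", clientNum);
			if ( (fp = fopen(buffer, "w")) == NULL )
			{
				vpnlog(VPN_LOG_ERROR,"Creating %s failed...", buffer);
				stop_vpnclient(clientNum);
				return;
			}
			chmod(buffer, S_IRUSR|S_IWUSR);
			snprintf(buffer, BUF_SIZE, "vpn_client%d_key", clientNum);
			fputs(nvram_safe_get(buffer), fp);
			fclose(fp);
		}

		snprintf(buffer, BUF_SIZE, "vpn_client%d_crt", clientNum);
		if ( !nvram_is_empty(buffer) )
		{
			snprintf(buffer, BUF_SIZE, "/etc/openvpn/client%d/client.crt", clientNum);
			if ( (fp = fopen(buffer, "w")) == NULL )
			{
				vpnlog(VPN_LOG_ERROR,"Creating %s failed...", buffer);
				stop_vpnclient(clientNum);
				return;
			}
			chmod(buffer, S_IRUSR|S_IWUSR);
			snprintf(buffer, BUF_SIZE, "vpn_client%d_crt", clientNum);
			fputs(nvram_safe_get(buffer), fp);
			fclose(fp);
		}
	}
	snprintf(buffer, BUF_SIZE, "vpn_client%d_hmac", clientNum);
	if ( cryptMode == SECRET || (cryptMode == TLS && nvram_get_int(buffer) >= 0) )
	{
		snprintf(buffer, BUF_SIZE, "vpn_client%d_static", clientNum);
		if ( !nvram_is_empty(buffer) )
		{
			snprintf(buffer, BUF_SIZE, "/etc/openvpn/client%d/static.key", clientNum);
			if ( (fp = fopen(buffer, "w")) == NULL )
			{
				vpnlog(VPN_LOG_ERROR,"Creating %s failed...", buffer);
				stop_vpnclient(clientNum);
				return;
			}
			chmod(buffer, S_IRUSR|S_IWUSR);
			snprintf(buffer, BUF_SIZE, "vpn_client%d_static", clientNum);
			fputs(nvram_safe_get(buffer), fp);
			fclose(fp);
		}
	}
	vpnlog(VPN_LOG_EXTRA,"Done writing certs/keys");

	// Start the VPN client (5 tokens + NULL; the old argv[5] overflowed here)
	snprintf(buffer, BUF_SIZE, "/etc/openvpn/vpnclient%d --cd /etc/openvpn/client%d --config config.ovpn", clientNum, clientNum);
	vpnlog(VPN_LOG_INFO,"Starting OpenVPN: %s", buffer);
	for (argc = 0, tok = strtok(buffer, " "); tok != NULL && argc < ARGV_LEN - 1; tok = strtok(NULL, " "))
		argv[argc++] = tok;
	argv[argc] = NULL;
	if ( _eval(argv, NULL, 0, NULL) )
	{
		vpnlog(VPN_LOG_ERROR,"Starting OpenVPN failed...");
		stop_vpnclient(clientNum);
		return;
	}
	vpnlog(VPN_LOG_EXTRA,"Done starting openvpn");

	// Handle firewall rules if appropriate
	snprintf(buffer, BUF_SIZE, "vpn_client%d_firewall", clientNum);
	if ( !nvram_contains_word(buffer, "custom") )
	{
		// Create firewall rules
		vpnlog(VPN_LOG_EXTRA,"Creating firewall rules");
		mkdir("/etc/openvpn/fw", 0700);
		snprintf(buffer, BUF_SIZE, "/etc/openvpn/fw/client%d-fw.sh", clientNum);
		if ( (fp = fopen(buffer, "w")) == NULL )
		{
			vpnlog(VPN_LOG_ERROR,"Creating firewall script failed...");
			stop_vpnclient(clientNum);
			return;
		}
		chmod(buffer, S_IRUSR|S_IWUSR|S_IXUSR);
		fprintf(fp, "#!/bin/sh\n");
		fprintf(fp, "iptables -I INPUT -i %s -j ACCEPT\n", iface);
		fprintf(fp, "iptables -I FORWARD -i %s -j ACCEPT\n", iface);
		if ( routeMode == NAT )
		{
			// Masquerade the LAN network (address AND mask) leaving through the tunnel
			if ( sscanf(nvram_safe_get("lan_ipaddr"), "%d.%d.%d.%d", &ip[0], &ip[1], &ip[2], &ip[3]) == 4 &&
			     sscanf(nvram_safe_get("lan_netmask"), "%d.%d.%d.%d", &nm[0], &nm[1], &nm[2], &nm[3]) == 4 )
			{
				fprintf(fp, "iptables -t nat -I POSTROUTING -s %d.%d.%d.%d/%s -o %s -j MASQUERADE\n",
					ip[0]&nm[0], ip[1]&nm[1], ip[2]&nm[2], ip[3]&nm[3], nvram_safe_get("lan_netmask"), iface);
			}
			else
			{
				vpnlog(VPN_LOG_ERROR,"Could not parse lan_ipaddr/lan_netmask, NAT rule skipped");
			}
		}
		fclose(fp);
		vpnlog(VPN_LOG_EXTRA,"Done creating firewall rules");

		// Run the firewall rules
		vpnlog(VPN_LOG_EXTRA,"Running firewall rules");
		snprintf(buffer, BUF_SIZE, "/etc/openvpn/fw/client%d-fw.sh", clientNum);
		argv[0] = buffer;
		argv[1] = NULL;
		_eval(argv, NULL, 0, NULL);
		vpnlog(VPN_LOG_EXTRA,"Done running firewall rules");
	}

	// Set up cron job that re-runs "service vpnclientN start" every <poll> minutes
	snprintf(buffer, BUF_SIZE, "vpn_client%d_poll", clientNum);
	if ( (nvi = nvram_get_int(buffer)) > 0 )
	{
		vpnlog(VPN_LOG_EXTRA,"Adding cron job");
		argv[0] = "cru";
		argv[1] = "a";
		snprintf(buffer, BUF_SIZE, "CheckVPNClient%d", clientNum);
		argv[2] = buffer;
		// Second argument is stored in the same buffer, right after the first one's terminator
		off = strlen(buffer) + 1;
		snprintf(buffer + off, BUF_SIZE - off, "*/%d * * * * service vpnclient%d start", nvi, clientNum);
		argv[3] = buffer + off;
		argv[4] = NULL;
		_eval(argv, NULL, 0, NULL);
		vpnlog(VPN_LOG_EXTRA,"Done adding cron job");
	}

	vpnlog(VPN_LOG_INFO,"VPN GUI client backend complete.");
}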
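/**
 * Tear down OpenVPN client <clientNum>.
 *
 * Removes the poll cron job, turns the generated firewall script's insert
 * rules into delete rules and runs it, terminates the daemon, removes the
 * tun/tap device and (unless vpn_debug is above VPN_LOG_EXTRA) deletes the
 * generated files. Finishes with a SIGKILL so the process is really gone
 * before any queued "start" service action runs. Safe to call on a
 * partially started client; every step is best-effort.
 */
void stop_vpnclient(int clientNum)
{
	enum { ARGV_LEN = 8 };   // "rm -rf" command below has 5 tokens + NULL
	int argc;
	char *argv[ARGV_LEN], *tok;
	char buffer[BUF_SIZE];

	vpnlog(VPN_LOG_INFO,"Stopping VPN GUI client backend.");

	// Remove cron job
	vpnlog(VPN_LOG_EXTRA,"Removing cron job");
	argv[0] = "cru";
	argv[1] = "d";
	snprintf(buffer, BUF_SIZE, "CheckVPNClient%d", clientNum);
	argv[2] = buffer;
	argv[3] = NULL;
	_eval(argv, NULL, 0, NULL);
	vpnlog(VPN_LOG_EXTRA,"Done removing cron job");

	// Remove firewall rules: rewrite -A/-I into -D in the generated script, then run it
	vpnlog(VPN_LOG_EXTRA,"Removing firewall rules.");
	snprintf(buffer, BUF_SIZE, "/etc/openvpn/fw/client%d-fw.sh", clientNum);
	argv[0] = "sed";
	argv[1] = "-i";
	argv[2] = "s/-A/-D/g;s/-I/-D/g";
	argv[3] = buffer;
	argv[4] = NULL;
	if (!_eval(argv, NULL, 0, NULL))
	{
		argv[0] = buffer;
		argv[1] = NULL;
		_eval(argv, NULL, 0, NULL);
	}
	vpnlog(VPN_LOG_EXTRA,"Done removing firewall rules.");

	// Stop the VPN client gracefully; a SIGKILL follows at the very end
	vpnlog(VPN_LOG_EXTRA,"Stopping OpenVPN client.");
	snprintf(buffer, BUF_SIZE, "vpnclient%d", clientNum);
	killall(buffer, SIGTERM);
	vpnlog(VPN_LOG_EXTRA,"OpenVPN client stopped.");

	// NVRAM setting for device type could have changed, just try to remove both.
	// Tokenizing stops one short of the array so argv stays NULL-terminated.
	vpnlog(VPN_LOG_EXTRA,"Removing VPN device.");
	snprintf(buffer, BUF_SIZE, "openvpn --rmtun --dev tap%d", clientNum+CLIENT_IF_START);
	for (argc = 0, tok = strtok(buffer, " "); tok != NULL && argc < ARGV_LEN - 1; tok = strtok(NULL, " "))
		argv[argc++] = tok;
	argv[argc] = NULL;
	_eval(argv, NULL, 0, NULL);

	snprintf(buffer, BUF_SIZE, "openvpn --rmtun --dev tun%d", clientNum+CLIENT_IF_START);
	for (argc = 0, tok = strtok(buffer, " "); tok != NULL && argc < ARGV_LEN - 1; tok = strtok(NULL, " "))
		argv[argc++] = tok;
	argv[argc] = NULL;
	_eval(argv, NULL, 0, NULL);
	vpnlog(VPN_LOG_EXTRA,"VPN device removed.");

	modprobe_r("tun");

	// Generated files are kept for inspection only when debugging above EXTRA
	if ( nvram_get_int("vpn_debug") <= VPN_LOG_EXTRA )
	{
		vpnlog(VPN_LOG_EXTRA,"Removing generated files.");
		// Delete all files for this client
		snprintf(buffer, BUF_SIZE, "rm -rf /etc/openvpn/client%d /etc/openvpn/fw/client%d-fw.sh /etc/openvpn/vpnclient%d",clientNum,clientNum,clientNum);
		for (argc = 0, tok = strtok(buffer, " "); tok != NULL && argc < ARGV_LEN - 1; tok = strtok(NULL, " "))
			argv[argc++] = tok;
		argv[argc] = NULL;
		_eval(argv, NULL, 0, NULL);

		// Attempt to remove directories. Will fail if not empty (other instances still present)
		rmdir("/etc/openvpn/fw");
		rmdir("/etc/openvpn");
		vpnlog(VPN_LOG_EXTRA,"Done removing generated files.");
	}

	// Force OpenVPN process to end. If we don't do this then it doesn't actually exit until
	// all current queued service actions are run, including starting vpn back up (which
	// will bail since the process is still running).
	vpnlog(VPN_LOG_EXTRA,"Killing OpenVPN client.");
	snprintf(buffer, BUF_SIZE, "vpnclient%d", clientNum);
	killall(buffer, SIGKILL);
	vpnlog(VPN_LOG_EXTRA,"OpenVPN client killed.");

	vpnlog(VPN_LOG_INFO,"VPN GUI client backend stopped.");
}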
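/**
 * Bring up OpenVPN server <serverNum>.
 *
 * Reads the vpn_server<N>_* nvram variables, creates the tun/tap device,
 * writes /etc/openvpn/server<N>/config.ovpn, per-client ccd files and any
 * cert/key/DH material, launches the daemon through the per-server symlink
 * /etc/openvpn/vpnserver<N>, installs firewall rules and a poll cron job.
 * Every failure path logs, calls stop_vpnserver() to undo partial work, and
 * returns. Note: processing the ccd list chdir()s into the ccd directory and
 * does not change back; all other paths used here are absolute.
 */
void start_vpnserver(int serverNum)
{
	enum { ARGV_LEN = 8 };   // largest command below has 5 tokens + NULL
	FILE *fp, *ccd;
	char iface[IF_SIZE];
	char buffer[BUF_SIZE];
	char *argv[ARGV_LEN], *tok, *chp, *route;
	int argc = 0;
	int c2c = 0;
	enum { TAP, TUN } ifType = TUN;
	enum { TLS, SECRET, CUSTOM } cryptMode = CUSTOM;
	int nvi, ip[4] = {0}, nm[4] = {0};
	long int nvl;
	size_t off;

	vpnlog(VPN_LOG_INFO,"VPN GUI server backend starting...");

	snprintf(buffer, BUF_SIZE, "vpnserver%d", serverNum);
	if ( pidof(buffer) >= 0 )
	{
		vpnlog(VPN_LOG_NOTE, "VPN Server %d already running...", serverNum);
		vpnlog(VPN_LOG_INFO,"PID: %d", pidof(buffer));
		return;
	}

	// Determine interface type
	snprintf(buffer, BUF_SIZE, "vpn_server%d_if", serverNum);
	if ( nvram_contains_word(buffer, "tap") )
	{
		ifType = TAP;
	}
	else if ( nvram_contains_word(buffer, "tun") )
	{
		ifType = TUN;
	}
	else
	{
		vpnlog(VPN_LOG_ERROR,"Invalid interface type, %.3s", nvram_safe_get(buffer));
		return;
	}

	// Build interface name, e.g. "tun21" for server 1
	snprintf(iface, IF_SIZE, "%s%d", nvram_safe_get(buffer), serverNum+SERVER_IF_START);

	// Determine encryption mode
	snprintf(buffer, BUF_SIZE, "vpn_server%d_crypt", serverNum);
	if ( nvram_contains_word(buffer, "tls") )
	{
		cryptMode = TLS;
	}
	else if ( nvram_contains_word(buffer, "secret") )
	{
		cryptMode = SECRET;
	}
	else if ( nvram_contains_word(buffer, "custom") )
	{
		cryptMode = CUSTOM;
	}
	else
	{
		vpnlog(VPN_LOG_ERROR,"Invalid encryption mode, %.6s", nvram_safe_get(buffer));
		return;
	}

	// Make sure openvpn directory exists (an EEXIST failure is expected)
	mkdir("/etc/openvpn", 0700);
	snprintf(buffer, BUF_SIZE, "/etc/openvpn/server%d", serverNum);
	mkdir(buffer, 0700);

	// Make sure symbolic link exists
	snprintf(buffer, BUF_SIZE, "/etc/openvpn/vpnserver%d", serverNum);
	unlink(buffer);
	if ( symlink("/usr/sbin/openvpn", buffer) )
	{
		vpnlog(VPN_LOG_ERROR,"Creating symlink failed...");
		stop_vpnserver(serverNum);
		return;
	}

	// Make sure module is loaded
	modprobe("tun");

	// Create tap/tun interface. Tokenizing stops one short of the array so
	// argv is always NULL-terminated and never written past its end.
	snprintf(buffer, BUF_SIZE, "openvpn --mktun --dev %s", iface);
	for (argc = 0, tok = strtok(buffer, " "); tok != NULL && argc < ARGV_LEN - 1; tok = strtok(NULL, " "))
		argv[argc++] = tok;
	argv[argc] = NULL;
	if ( _eval(argv, NULL, 0, NULL) )
	{
		vpnlog(VPN_LOG_ERROR,"Creating tunnel interface failed...");
		stop_vpnserver(serverNum);
		return;
	}

	// Add interface to LAN bridge (TAP only)
	if ( ifType == TAP )
	{
		snprintf(buffer, BUF_SIZE, "brctl addif %s %s", nvram_safe_get("lan_ifname"), iface);
		for (argc = 0, tok = strtok(buffer, " "); tok != NULL && argc < ARGV_LEN - 1; tok = strtok(NULL, " "))
			argv[argc++] = tok;
		argv[argc] = NULL;
		if ( _eval(argv, NULL, 0, NULL) )
		{
			vpnlog(VPN_LOG_ERROR,"Adding tunnel interface to bridge failed...");
			stop_vpnserver(serverNum);
			return;
		}
	}

	// Bring interface up
	snprintf(buffer, BUF_SIZE, "ifconfig %s 0.0.0.0 promisc up", iface);
	for (argc = 0, tok = strtok(buffer, " "); tok != NULL && argc < ARGV_LEN - 1; tok = strtok(NULL, " "))
		argv[argc++] = tok;
	argv[argc] = NULL;
	if ( _eval(argv, NULL, 0, NULL) )
	{
		vpnlog(VPN_LOG_ERROR,"Bringing up tunnel interface failed...");
		stop_vpnserver(serverNum);
		return;
	}

	// Build and write config files
	vpnlog(VPN_LOG_EXTRA,"Writing config file");
	snprintf(buffer, BUF_SIZE, "/etc/openvpn/server%d/config.ovpn", serverNum);
	if ( (fp = fopen(buffer, "w")) == NULL )
	{
		vpnlog(VPN_LOG_ERROR,"Creating config file failed...");
		stop_vpnserver(serverNum);
		return;
	}
	// The file is created with the process umask and tightened afterwards;
	// the enclosing directory is already 0700, which limits that window.
	chmod(buffer, S_IRUSR|S_IWUSR);
	fprintf(fp, "# Automatically generated configuration\n");
	fprintf(fp, "daemon\n");
	if ( cryptMode == TLS )
	{
		if ( ifType == TUN )
		{
			snprintf(buffer, BUF_SIZE, "vpn_server%d_sn", serverNum);
			fprintf(fp, "server %s ", nvram_safe_get(buffer));
			snprintf(buffer, BUF_SIZE, "vpn_server%d_nm", serverNum);
			fprintf(fp, "%s\n", nvram_safe_get(buffer));
		}
		else if ( ifType == TAP )
		{
			fprintf(fp, "server-bridge");
			snprintf(buffer, BUF_SIZE, "vpn_server%d_dhcp", serverNum);
			if ( nvram_get_int(buffer) == 0 )
			{
				// dhcp == 0: hand out addresses from the r1..r2 pool ourselves
				fprintf(fp, " %s ", nvram_safe_get("lan_ipaddr"));
				fprintf(fp, "%s ", nvram_safe_get("lan_netmask"));
				snprintf(buffer, BUF_SIZE, "vpn_server%d_r1", serverNum);
				fprintf(fp, "%s ", nvram_safe_get(buffer));
				snprintf(buffer, BUF_SIZE, "vpn_server%d_r2", serverNum);
				fprintf(fp, "%s", nvram_safe_get(buffer));
			}
			fprintf(fp, "\n");
		}
	}
	else if ( cryptMode == SECRET )
	{
		// Static-key point-to-point: endpoints are configured statically
		if ( ifType == TUN )
		{
			snprintf(buffer, BUF_SIZE, "vpn_server%d_local", serverNum);
			fprintf(fp, "ifconfig %s ", nvram_safe_get(buffer));
			snprintf(buffer, BUF_SIZE, "vpn_server%d_remote", serverNum);
			fprintf(fp, "%s\n", nvram_safe_get(buffer));
		}
	}
	snprintf(buffer, BUF_SIZE, "vpn_server%d_proto", serverNum);
	fprintf(fp, "proto %s\n", nvram_safe_get(buffer));
	snprintf(buffer, BUF_SIZE, "vpn_server%d_port", serverNum);
	fprintf(fp, "port %d\n", nvram_get_int(buffer));
	fprintf(fp, "dev %s\n", iface);
	snprintf(buffer, BUF_SIZE, "vpn_server%d_cipher", serverNum);
	if ( !nvram_contains_word(buffer, "default") )
		fprintf(fp, "cipher %s\n", nvram_safe_get(buffer));
	snprintf(buffer, BUF_SIZE, "vpn_server%d_comp", serverNum);
	if ( nvram_get_int(buffer) >= 0 )
		fprintf(fp, "comp-lzo %s\n", nvram_safe_get(buffer));
	snprintf(buffer, BUF_SIZE, "vpn_server%d_reneg", serverNum);
	if ( (nvl = atol(nvram_safe_get(buffer))) >= 0 )
		fprintf(fp, "reneg-sec %ld\n", nvl);
	fprintf(fp, "keepalive 15 60\n");
	fprintf(fp, "verb 3\n");
	if ( cryptMode == TLS )
	{
		snprintf(buffer, BUF_SIZE, "vpn_server%d_plan", serverNum);
		if ( ifType == TUN && nvram_get_int(buffer) )
		{
			// Push a route for the LAN network (address AND mask) to clients
			if ( sscanf(nvram_safe_get("lan_ipaddr"), "%d.%d.%d.%d", &ip[0], &ip[1], &ip[2], &ip[3]) == 4 &&
			     sscanf(nvram_safe_get("lan_netmask"), "%d.%d.%d.%d", &nm[0], &nm[1], &nm[2], &nm[3]) == 4 )
			{
				fprintf(fp, "push \"route %d.%d.%d.%d %s\"\n", ip[0]&nm[0], ip[1]&nm[1], ip[2]&nm[2], ip[3]&nm[3],
					nvram_safe_get("lan_netmask"));
			}
			else
			{
				vpnlog(VPN_LOG_ERROR,"Could not parse lan_ipaddr/lan_netmask, LAN route not pushed");
			}
		}

		snprintf(buffer, BUF_SIZE, "vpn_server%d_ccd", serverNum);
		if ( nvram_get_int(buffer) )
		{
			fprintf(fp, "client-config-dir ccd\n");

			snprintf(buffer, BUF_SIZE, "vpn_server%d_c2c", serverNum);
			if ( (c2c = nvram_get_int(buffer)) )
				fprintf(fp, "client-to-client\n");

			snprintf(buffer, BUF_SIZE, "vpn_server%d_ccd_excl", serverNum);
			if ( nvram_get_int(buffer) )
				fprintf(fp, "ccd-exclusive\n");

			// Per-client files are written relative to the ccd directory
			snprintf(buffer, BUF_SIZE, "/etc/openvpn/server%d/ccd", serverNum);
			mkdir(buffer, 0700);
			if ( chdir(buffer) != 0 )
			{
				vpnlog(VPN_LOG_ERROR,"Cannot enter %s, CCD entries skipped", buffer);
			}
			else
			{
				// ccd_val holds entries separated by '>', fields within an entry by '<':
				// enabled<common name<route address<route mask<push
				snprintf(buffer, BUF_SIZE, "vpn_server%d_ccd_val", serverNum);
				if ( snprintf(buffer, BUF_SIZE, "%s", nvram_safe_get(buffer)) >= BUF_SIZE )
					vpnlog(VPN_LOG_ERROR,"CCD list truncated to %d bytes", BUF_SIZE - 1);
				chp = strtok(buffer, ">");
				while ( chp != NULL )
				{
					nvi = strlen(chp);   // bytes left in this entry, reduced as fields are consumed

					chp[strcspn(chp,"<")] = '\0';
					vpnlog(VPN_LOG_EXTRA,"CCD: enabled: %d", atoi(chp));
					if ( atoi(chp) == 1 )
					{
						nvi -= strlen(chp)+1;
						chp += strlen(chp)+1;

						ccd = NULL;
						route = NULL;
						if ( nvi > 0 )
						{
							chp[strcspn(chp,"<")] = '\0';
							vpnlog(VPN_LOG_EXTRA,"CCD: Common name: %s", chp);
							// The common name becomes a file name inside the ccd
							// directory; refuse anything that could leave it.
							if ( chp[0] == '\0' || strchr(chp, '/') != NULL || strcmp(chp, ".") == 0 || strcmp(chp, "..") == 0 )
							{
								vpnlog(VPN_LOG_ERROR,"CCD: Invalid common name, entry skipped");
							}
							else
							{
								ccd = fopen(chp, "w");
								if ( ccd != NULL )
									chmod(chp, S_IRUSR|S_IWUSR);
							}

							nvi -= strlen(chp)+1;
							chp += strlen(chp)+1;
						}
						if ( nvi > 0 && ccd != NULL && strcspn(chp,"<") != strlen(chp) )
						{
							// Route is "address<mask": first separator becomes a space
							chp[strcspn(chp,"<")] = ' ';
							chp[strcspn(chp,"<")] = '\0';
							route = chp;
							vpnlog(VPN_LOG_EXTRA,"CCD: Route: %s", chp);
							if ( strlen(route) > 1 )
							{
								fprintf(ccd, "iroute %s\n", route);
								fprintf(fp, "route %s\n", route);
							}

							nvi -= strlen(chp)+1;
							chp += strlen(chp)+1;
						}
						if ( ccd != NULL )
							fclose(ccd);
						if ( nvi > 0 && route != NULL )
						{
							chp[strcspn(chp,"<")] = '\0';
							vpnlog(VPN_LOG_EXTRA,"CCD: Push: %d", atoi(chp));
							if ( c2c && atoi(chp) == 1 && strlen(route) > 1 )
								fprintf(fp, "push \"route %s\"\n", route);

							nvi -= strlen(chp)+1;
							chp += strlen(chp)+1;
						}
					}
					vpnlog(VPN_LOG_EXTRA,"CCD leftover: %d", nvi+1);

					// Advance to next entry
					chp = strtok(NULL, ">");
				}
				vpnlog(VPN_LOG_EXTRA,"CCD processing complete");
			}
		}

		snprintf(buffer, BUF_SIZE, "vpn_server%d_pdns", serverNum);
		if ( nvram_get_int(buffer) )
		{
			if ( nvram_safe_get("wan_domain")[0] != '\0' )
				fprintf(fp, "push \"dhcp-option DOMAIN %s\"\n", nvram_safe_get("wan_domain"));
			if ( (nvram_safe_get("wan_wins")[0] != '\0' && strcmp(nvram_safe_get("wan_wins"), "0.0.0.0") != 0) )
				fprintf(fp, "push \"dhcp-option WINS %s\"\n", nvram_safe_get("wan_wins"));
			fprintf(fp, "push \"dhcp-option DNS %s\"\n", nvram_safe_get("lan_ipaddr"));
		}

		snprintf(buffer, BUF_SIZE, "vpn_server%d_rgw", serverNum);
		if ( (nvi = nvram_get_int(buffer)) )
		{
			if ( ifType == TAP )
				fprintf(fp, "push \"route-gateway %s\"\n", nvram_safe_get("lan_ipaddr"));
			// rgw == 1 uses the def1 form, anything larger the plain form.
			// The leading space matters: "redirect-gatewaydef1" is not a valid option.
			fprintf(fp, "push \"redirect-gateway%s\"\n", nvi>1? "": " def1");
		}

		snprintf(buffer, BUF_SIZE, "vpn_server%d_hmac", serverNum);
		nvi = nvram_get_int(buffer);
		snprintf(buffer, BUF_SIZE, "vpn_server%d_static", serverNum);
		if ( !nvram_is_empty(buffer) && nvi >= 0 )
		{
			// A key direction is written only for hmac values 0 and 1
			fprintf(fp, "tls-auth static.key");
			if ( nvi < 2 )
				fprintf(fp, " %d", nvi);
			fprintf(fp, "\n");
		}

		snprintf(buffer, BUF_SIZE, "vpn_server%d_ca", serverNum);
		if ( !nvram_is_empty(buffer) )
			fprintf(fp, "ca ca.crt\n");
		snprintf(buffer, BUF_SIZE, "vpn_server%d_dh", serverNum);
		if ( !nvram_is_empty(buffer) )
			fprintf(fp, "dh dh.pem\n");
		snprintf(buffer, BUF_SIZE, "vpn_server%d_crt", serverNum);
		if ( !nvram_is_empty(buffer) )
			fprintf(fp, "cert server.crt\n");
		snprintf(buffer, BUF_SIZE, "vpn_server%d_key", serverNum);
		if ( !nvram_is_empty(buffer) )
			fprintf(fp, "key server.key\n");
	}
	else if ( cryptMode == SECRET )
	{
		snprintf(buffer, BUF_SIZE, "vpn_server%d_static", serverNum);
		if ( !nvram_is_empty(buffer) )
			fprintf(fp, "secret static.key\n");
	}
	fprintf(fp, "status-version 2\n");
	fprintf(fp, "status status\n");
	fprintf(fp, "\n# Custom Configuration\n");
	snprintf(buffer, BUF_SIZE, "vpn_server%d_custom", serverNum);
	// nvram content is data, never a format string: write it verbatim with fputs
	fputs(nvram_safe_get(buffer), fp);
	fclose(fp);
	vpnlog(VPN_LOG_EXTRA,"Done writing config file");

	// Write certification and key files
	vpnlog(VPN_LOG_EXTRA,"Writing certs/keys");
	if ( cryptMode == TLS )
	{
		snprintf(buffer, BUF_SIZE, "vpn_server%d_ca", serverNum);
		if ( !nvram_is_empty(buffer) )
		{
			snprintf(buffer, BUF_SIZE, "/etc/openvpn/server%d/ca.crt", serverNum);
			if ( (fp = fopen(buffer, "w")) == NULL )
			{
				vpnlog(VPN_LOG_ERROR,"Creating %s failed...", buffer);
				stop_vpnserver(serverNum);
				return;
			}
			chmod(buffer, S_IRUSR|S_IWUSR);
			snprintf(buffer, BUF_SIZE, "vpn_server%d_ca", serverNum);
			fputs(nvram_safe_get(buffer), fp);
			fclose(fp);
		}

		snprintf(buffer, BUF_SIZE, "vpn_server%d_key", serverNum);
		if ( !nvram_is_empty(buffer) )
		{
			snprintf(buffer, BUF_SIZE, "/etc/openvpn/server%d/server.key", serverNum);
			if ( (fp = fopen(buffer, "w")) == NULL )
			{
				vpnlog(VPN_LOG_ERROR,"Creating %s failed...", buffer);
				stop_vpnserver(serverNum);
				return;
			}
			chmod(buffer, S_IRUSR|S_IWUSR);
			snprintf(buffer, BUF_SIZE, "vpn_server%d_key", serverNum);
			fputs(nvram_safe_get(buffer), fp);
			fclose(fp);
		}

		snprintf(buffer, BUF_SIZE, "vpn_server%d_crt", serverNum);
		if ( !nvram_is_empty(buffer) )
		{
			snprintf(buffer, BUF_SIZE, "/etc/openvpn/server%d/server.crt", serverNum);
			if ( (fp = fopen(buffer, "w")) == NULL )
			{
				vpnlog(VPN_LOG_ERROR,"Creating %s failed...", buffer);
				stop_vpnserver(serverNum);
				return;
			}
			chmod(buffer, S_IRUSR|S_IWUSR);
			snprintf(buffer, BUF_SIZE, "vpn_server%d_crt", serverNum);
			fputs(nvram_safe_get(buffer), fp);
			fclose(fp);
		}

		snprintf(buffer, BUF_SIZE, "vpn_server%d_dh", serverNum);
		if ( !nvram_is_empty(buffer) )
		{
			snprintf(buffer, BUF_SIZE, "/etc/openvpn/server%d/dh.pem", serverNum);
			if ( (fp = fopen(buffer, "w")) == NULL )
			{
				vpnlog(VPN_LOG_ERROR,"Creating %s failed...", buffer);
				stop_vpnserver(serverNum);
				return;
			}
			chmod(buffer, S_IRUSR|S_IWUSR);
			snprintf(buffer, BUF_SIZE, "vpn_server%d_dh", serverNum);
			fputs(nvram_safe_get(buffer), fp);
			fclose(fp);
		}
	}
	snprintf(buffer, BUF_SIZE, "vpn_server%d_hmac", serverNum);
	if ( cryptMode == SECRET || (cryptMode == TLS && nvram_get_int(buffer) >= 0) )
	{
		snprintf(buffer, BUF_SIZE, "vpn_server%d_static", serverNum);
		if ( !nvram_is_empty(buffer) )
		{
			snprintf(buffer, BUF_SIZE, "/etc/openvpn/server%d/static.key", serverNum);
			if ( (fp = fopen(buffer, "w")) == NULL )
			{
				vpnlog(VPN_LOG_ERROR,"Creating %s failed...", buffer);
				stop_vpnserver(serverNum);
				return;
			}
			chmod(buffer, S_IRUSR|S_IWUSR);
			snprintf(buffer, BUF_SIZE, "vpn_server%d_static", serverNum);
			fputs(nvram_safe_get(buffer), fp);
			fclose(fp);
		}
	}
	vpnlog(VPN_LOG_EXTRA,"Done writing certs/keys");

	// Start the VPN server (5 tokens + NULL)
	snprintf(buffer, BUF_SIZE, "/etc/openvpn/vpnserver%d --cd /etc/openvpn/server%d --config config.ovpn", serverNum, serverNum);
	vpnlog(VPN_LOG_INFO,"Starting OpenVPN: %s", buffer);
	for (argc = 0, tok = strtok(buffer, " "); tok != NULL && argc < ARGV_LEN - 1; tok = strtok(NULL, " "))
		argv[argc++] = tok;
	argv[argc] = NULL;
	if ( _eval(argv, NULL, 0, NULL) )
	{
		vpnlog(VPN_LOG_ERROR,"Starting VPN instance failed...");
		stop_vpnserver(serverNum);
		return;
	}
	vpnlog(VPN_LOG_EXTRA,"Done starting openvpn");

	// Handle firewall rules if appropriate
	snprintf(buffer, BUF_SIZE, "vpn_server%d_firewall", serverNum);
	if ( !nvram_contains_word(buffer, "custom") )
	{
		// Create firewall rules
		vpnlog(VPN_LOG_EXTRA,"Creating firewall rules");
		mkdir("/etc/openvpn/fw", 0700);
		snprintf(buffer, BUF_SIZE, "/etc/openvpn/fw/server%d-fw.sh", serverNum);
		if ( (fp = fopen(buffer, "w")) == NULL )
		{
			vpnlog(VPN_LOG_ERROR,"Creating firewall script failed...");
			stop_vpnserver(serverNum);
			return;
		}
		chmod(buffer, S_IRUSR|S_IWUSR|S_IXUSR);
		fprintf(fp, "#!/bin/sh\n");
		// The proto value is cut at its first '-' before being handed to iptables.
		// snprintf (not strncpy) so the copy is always NUL-terminated.
		snprintf(buffer, BUF_SIZE, "vpn_server%d_proto", serverNum);
		snprintf(buffer, BUF_SIZE, "%s", nvram_safe_get(buffer));
		tok = strtok(buffer, "-");
		if ( tok == NULL )
			tok = "";
		fprintf(fp, "iptables -t nat -I PREROUTING -p %s ", tok);
		snprintf(buffer, BUF_SIZE, "vpn_server%d_port", serverNum);
		fprintf(fp, "--dport %d -j ACCEPT\n", nvram_get_int(buffer));
		snprintf(buffer, BUF_SIZE, "vpn_server%d_proto", serverNum);
		snprintf(buffer, BUF_SIZE, "%s", nvram_safe_get(buffer));
		tok = strtok(buffer, "-");
		if ( tok == NULL )
			tok = "";
		fprintf(fp, "iptables -I INPUT -p %s ", tok);
		snprintf(buffer, BUF_SIZE, "vpn_server%d_port", serverNum);
		fprintf(fp, "--dport %d -j ACCEPT\n", nvram_get_int(buffer));
		snprintf(buffer, BUF_SIZE, "vpn_server%d_firewall", serverNum);
		if ( !nvram_contains_word(buffer, "external") )
		{
			fprintf(fp, "iptables -I INPUT -i %s -j ACCEPT\n", iface);
			fprintf(fp, "iptables -I FORWARD -i %s -j ACCEPT\n", iface);
		}
		fclose(fp);
		vpnlog(VPN_LOG_EXTRA,"Done creating firewall rules");

		// Run the firewall rules
		vpnlog(VPN_LOG_EXTRA,"Running firewall rules");
		snprintf(buffer, BUF_SIZE, "/etc/openvpn/fw/server%d-fw.sh", serverNum);
		argv[0] = buffer;
		argv[1] = NULL;
		_eval(argv, NULL, 0, NULL);
		vpnlog(VPN_LOG_EXTRA,"Done running firewall rules");
	}

	// Set up cron job that re-runs "service vpnserverN start" every <poll> minutes
	snprintf(buffer, BUF_SIZE, "vpn_server%d_poll", serverNum);
	if ( (nvi = nvram_get_int(buffer)) > 0 )
	{
		vpnlog(VPN_LOG_EXTRA,"Adding cron job");
		argv[0] = "cru";
		argv[1] = "a";
		snprintf(buffer, BUF_SIZE, "CheckVPNServer%d", serverNum);
		argv[2] = buffer;
		// Second argument is stored in the same buffer, right after the first one's terminator
		off = strlen(buffer) + 1;
		snprintf(buffer + off, BUF_SIZE - off, "*/%d * * * * service vpnserver%d start", nvi, serverNum);
		argv[3] = buffer + off;
		argv[4] = NULL;
		_eval(argv, NULL, 0, NULL);
		vpnlog(VPN_LOG_EXTRA,"Done adding cron job");
	}

	vpnlog(VPN_LOG_INFO,"VPN GUI server backend complete.");
}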
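/**
 * Tear down OpenVPN server <serverNum>.
 *
 * Removes the poll cron job, turns the generated firewall script's insert
 * rules into delete rules and runs it, terminates the daemon, removes the
 * tun/tap device and (unless vpn_debug is above VPN_LOG_EXTRA) deletes the
 * generated files. Finishes with a SIGKILL so the process is really gone
 * before any queued "start" service action runs. Safe to call on a
 * partially started server; every step is best-effort.
 */
void stop_vpnserver(int serverNum)
{
	enum { ARGV_LEN = 8 };   // "rm -rf" command below has 5 tokens + NULL
	int argc;
	char *argv[ARGV_LEN], *tok;
	char buffer[BUF_SIZE];

	vpnlog(VPN_LOG_INFO,"Stopping VPN GUI server backend.");

	// Remove cron job
	vpnlog(VPN_LOG_EXTRA,"Removing cron job");
	argv[0] = "cru";
	argv[1] = "d";
	snprintf(buffer, BUF_SIZE, "CheckVPNServer%d", serverNum);
	argv[2] = buffer;
	argv[3] = NULL;
	_eval(argv, NULL, 0, NULL);
	vpnlog(VPN_LOG_EXTRA,"Done removing cron job");

	// Remove firewall rules: rewrite -A/-I into -D in the generated script, then run it
	vpnlog(VPN_LOG_EXTRA,"Removing firewall rules.");
	snprintf(buffer, BUF_SIZE, "/etc/openvpn/fw/server%d-fw.sh", serverNum);
	argv[0] = "sed";
	argv[1] = "-i";
	argv[2] = "s/-A/-D/g;s/-I/-D/g";
	argv[3] = buffer;
	argv[4] = NULL;
	if (!_eval(argv, NULL, 0, NULL))
	{
		argv[0] = buffer;
		argv[1] = NULL;
		_eval(argv, NULL, 0, NULL);
	}
	vpnlog(VPN_LOG_EXTRA,"Done removing firewall rules.");

	// Stop the VPN server gracefully; a SIGKILL follows at the very end
	vpnlog(VPN_LOG_EXTRA,"Stopping OpenVPN server.");
	snprintf(buffer, BUF_SIZE, "vpnserver%d", serverNum);
	killall(buffer, SIGTERM);
	vpnlog(VPN_LOG_EXTRA,"OpenVPN server stopped.");

	// NVRAM setting for device type could have changed, just try to remove both.
	// Tokenizing stops one short of the array so argv stays NULL-terminated.
	vpnlog(VPN_LOG_EXTRA,"Removing VPN device.");
	snprintf(buffer, BUF_SIZE, "openvpn --rmtun --dev tap%d", serverNum+SERVER_IF_START);
	for (argc = 0, tok = strtok(buffer, " "); tok != NULL && argc < ARGV_LEN - 1; tok = strtok(NULL, " "))
		argv[argc++] = tok;
	argv[argc] = NULL;
	_eval(argv, NULL, 0, NULL);

	snprintf(buffer, BUF_SIZE, "openvpn --rmtun --dev tun%d", serverNum+SERVER_IF_START);
	for (argc = 0, tok = strtok(buffer, " "); tok != NULL && argc < ARGV_LEN - 1; tok = strtok(NULL, " "))
		argv[argc++] = tok;
	argv[argc] = NULL;
	_eval(argv, NULL, 0, NULL);
	vpnlog(VPN_LOG_EXTRA,"VPN device removed.");

	modprobe_r("tun");

	// Generated files are kept for inspection only when debugging above EXTRA
	if ( nvram_get_int("vpn_debug") <= VPN_LOG_EXTRA )
	{
		vpnlog(VPN_LOG_EXTRA,"Removing generated files.");
		// Delete all files for this server
		snprintf(buffer, BUF_SIZE, "rm -rf /etc/openvpn/server%d /etc/openvpn/fw/server%d-fw.sh /etc/openvpn/vpnserver%d",serverNum,serverNum,serverNum);
		for (argc = 0, tok = strtok(buffer, " "); tok != NULL && argc < ARGV_LEN - 1; tok = strtok(NULL, " "))
			argv[argc++] = tok;
		argv[argc] = NULL;
		_eval(argv, NULL, 0, NULL);

		// Attempt to remove directories. Will fail if not empty (other instances still present)
		rmdir("/etc/openvpn/fw");
		rmdir("/etc/openvpn");
		vpnlog(VPN_LOG_EXTRA,"Done removing generated files.");
	}

	// Force OpenVPN process to end. If we don't do this then it doesn't actually exit until
	// all current queued service actions are run, including starting vpn back up (which
	// will bail since the process is still running).
	vpnlog(VPN_LOG_EXTRA,"Killing OpenVPN server.");
	snprintf(buffer, BUF_SIZE, "vpnserver%d", serverNum);
	killall(buffer, SIGKILL);
	vpnlog(VPN_LOG_EXTRA,"OpenVPN server killed.");

	vpnlog(VPN_LOG_INFO,"VPN GUI server backend stopped.");
}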
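/* Most instance numbers honoured from a vpn_*_eas list. */
enum { VPN_EAS_MAX = 4 };

/*
 * Parse a comma-separated list of instance numbers from `list` (modified in
 * place by strtok) into nums[], at most `max` of them, and return how many
 * were stored. Parsing stops at the first entry that is not a positive
 * number, exactly as the old zero-terminated nums[] loop did.
 */
static int vpn_parse_eas(char *list, int *nums, int max)
{
	char *cur;
	int count = 0;

	for (cur = strtok(list, ","); cur != NULL && count < max; cur = strtok(NULL, ",")) {
		int num = atoi(cur);
		if (num <= 0)
			break;
		nums[count++] = num;
	}
	return count;
}

/*
 * Start every OpenVPN server listed in nvram vpn_server_eas, then every
 * client listed in vpn_client_eas.
 *
 * NOTE(review): if an instance in either list is already running it is
 * stopped and this function returns immediately, without touching the rest
 * of that list or the client list. That is the pre-existing behaviour;
 * confirm with the callers that it is intended.
 *
 * Fix: the old code terminated nums[] with nums[i] = 0 after parsing up to
 * four entries, which wrote nums[4] (one past the end) whenever the list held
 * four or more numbers; the count is now carried explicitly.
 */
void start_vpn_eas()
{
	char buffer[16];
	int nums[VPN_EAS_MAX], count, i;

	// Parse and start servers
	strlcpy(&buffer[0], nvram_safe_get("vpn_server_eas"), sizeof(buffer));
	if ( buffer[0] != '\0' ) vpnlog(VPN_LOG_INFO, "Starting servers (eas): %s", &buffer[0]);
	count = vpn_parse_eas(&buffer[0], nums, VPN_EAS_MAX);
	for ( i = 0; i < count; i++ ) {
		// buffer is only 16 bytes; an absurd instance number truncates rather than overflows
		snprintf(&buffer[0], sizeof(buffer), "vpnserver%d", nums[i]);
		if ( pidof(&buffer[0]) >= 0 ) {
			vpnlog(VPN_LOG_INFO, "Stopping server %d (eas)", nums[i]);
			stop_vpnserver(nums[i]);
			return;
		}
		vpnlog(VPN_LOG_INFO, "Starting server %d (eas)", nums[i]);
		start_vpnserver(nums[i]);
	}

	// Parse and start clients
	strlcpy(&buffer[0], nvram_safe_get("vpn_client_eas"), sizeof(buffer));
	if ( buffer[0] != '\0' ) vpnlog(VPN_LOG_INFO, "Starting clients (eas): %s", &buffer[0]);
	count = vpn_parse_eas(&buffer[0], nums, VPN_EAS_MAX);
	for ( i = 0; i < count; i++ ) {
		snprintf(&buffer[0], sizeof(buffer), "vpnclient%d", nums[i]);
		if ( pidof(&buffer[0]) >= 0 ) {
			vpnlog(VPN_LOG_INFO, "Stopping client %d (eas)", nums[i]);
			stop_vpnclient(nums[i]);
			return;
		}
		vpnlog(VPN_LOG_INFO, "Starting client %d (eas)", nums[i]);
		start_vpnclient(nums[i]);
	}
}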
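/*
 * Run every non-hidden file in /etc/openvpn/fw through /bin/sh. These are the
 * firewall scripts generated for the GUI-managed OpenVPN instances; they run
 * with this process's privileges (root on the router).
 *
 * NOTE(review): the directory is entered with chdir() and the working
 * directory is never restored, so the caller's cwd changes as a side effect.
 * Kept as-is because the generated scripts may depend on being run from
 * inside that directory.
 *
 * Fix: the opendir() result was previously passed to readdir() unchecked and
 * would crash this process if the directory became unreadable between the
 * chdir() and the opendir().
 */
void run_vpn_firewall_scripts()
{
	DIR *dir;
	struct dirent *file;
	char *fn;
	char *argv[3];

	if ( chdir("/etc/openvpn/fw") )
		return;

	if ( (dir = opendir("/etc/openvpn/fw")) == NULL ) {
		vpnlog(VPN_LOG_ERROR, "Unable to open /etc/openvpn/fw");
		return;
	}

	vpnlog(VPN_LOG_EXTRA,"Beginning all firewall scripts...");
	while ( (file = readdir(dir)) != NULL ) {
		fn = file->d_name;
		// skip ".", ".." and anything hidden
		if ( fn[0] == '.' )
			continue;
		vpnlog(VPN_LOG_INFO,"Running firewall script: %s", fn);
		argv[0] = "/bin/sh";
		argv[1] = fn;
		argv[2] = NULL;
		_eval(argv, NULL, 0, NULL);
	}
	vpnlog(VPN_LOG_EXTRA,"Done with all firewall scripts...");

	closedir(dir);
}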
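/*
 * Append the OpenVPN-related parts of the dnsmasq configuration to `f`:
 *  - an "interface=<dev>" line for every server number in nvram vpn_server_dns,
 *  - "strict-order" once, if any client with a clientN.resolv file in
 *    /etc/openvpn/dns has vpn_clientN_adns == 2,
 *  - the verbatim contents of every clientN.conf in /etc/openvpn/dns.
 *
 * Fixes relative to the previous version:
 *  - clientN.conf was opened by bare name, i.e. relative to whatever the
 *    process's cwd happened to be; it is now opened by absolute path.
 *  - fgetc() results were stored in a char, so EOF could not be told apart
 *    from a 0xFF byte (and on unsigned-char targets not detected at all).
 *  - the directory scan stopped at the first strict-order client, skipping
 *    any clientN.conf files that sorted after it; it now keeps scanning and
 *    just emits strict-order once.
 *  - the DIR handle was never closed (one descriptor leaked per call).
 */
void write_vpn_dnsmasq_config(FILE* f)
{
	char nv[16];
	char buf[24];
	char path[300];	/* "/etc/openvpn/dns/" + d_name (at most 255 chars) */
	char *pos, ch;
	int cur, c;
	int strict_done = 0;
	DIR *dir;
	struct dirent *file;
	FILE *dnsf;

	// Servers listed in vpn_server_dns get their tun/tap interface added
	strlcpy(&buf[0], nvram_safe_get("vpn_server_dns"), sizeof(buf));
	for ( pos = strtok(&buf[0],","); pos != NULL; pos=strtok(NULL, ",") ) {
		cur = atoi(pos);
		if ( cur ) {
			vpnlog(VPN_LOG_EXTRA, "Adding server %d interface to dns config", cur);
			snprintf(&nv[0], sizeof(nv), "vpn_server%d_if", cur);
			fprintf(f, "interface=%s%d\n", nvram_safe_get(&nv[0]), SERVER_IF_START+cur);
		}
	}

	if ( (dir = opendir("/etc/openvpn/dns")) == NULL )
		return;

	while ( (file = readdir(dir)) != NULL ) {
		if ( file->d_name[0] == '.' )
			continue;

		// clientN.resolv present and adns == 2: dnsmasq should honour the
		// server order. Emitting the option once is enough.
		if ( !strict_done && sscanf(file->d_name, "client%d.resol%c", &cur, &ch) == 2 ) {
			vpnlog(VPN_LOG_EXTRA, "Checking ADNS settings for client %d", cur);
			snprintf(&buf[0], sizeof(buf), "vpn_client%d_adns", cur);
			if ( nvram_get_int(&buf[0]) == 2 ) {
				vpnlog(VPN_LOG_INFO, "Adding strict-order to dnsmasq config for client %d", cur);
				fprintf(f, "strict-order\n");
				strict_done = 1;
			}
		}

		// clientN.conf: dnsmasq options for that client, copied verbatim and
		// terminated with a newline so it cannot fuse with the next line written.
		if ( sscanf(file->d_name, "client%d.con%c", &cur, &ch) == 2 ) {
			snprintf(path, sizeof(path), "/etc/openvpn/dns/%s", file->d_name);
			if ( (dnsf = fopen(path, "r")) != NULL ) {
				vpnlog(VPN_LOG_INFO, "Adding Dnsmasq config from %s", file->d_name);
				while ( (c = fgetc(dnsf)) != EOF )
					fputc(c, f);
				fputc('\n', f);
				fclose(dnsf);
			}
		}
	}

	closedir(dir);
}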
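/*
 * Append the contents of every clientN.resolv file in /etc/openvpn/dns to
 * `f` (the resolv.conf being generated), each followed by a newline.
 * Returns 1 if any such client has vpn_clientN_adns == 3 ("exclusive" DNS),
 * 0 otherwise or if the directory does not exist.
 *
 * Only single-digit client numbers match: "client%c.resol%c" captures one
 * character, and that character is substituted back into the nvram name.
 *
 * NOTE(review): the chdir() below changes this process's working directory
 * and never restores it; it is kept because other code may have come to rely
 * on it, but file access here uses absolute paths and does not need it.
 *
 * Fixes relative to the previous version: opendir() was used without a NULL
 * check, and fgetc() results were stored in a char, so EOF could not be told
 * apart from a 0xFF byte (and on unsigned-char targets not detected at all).
 */
int write_vpn_resolv(FILE* f)
{
	DIR *dir;
	struct dirent *file;
	char *fn, ch, num, buf[24];
	char path[300];	/* "/etc/openvpn/dns/" + d_name (at most 255 chars) */
	FILE *dnsf;
	int c, exclusive = 0;

	if ( chdir("/etc/openvpn/dns") )
		return 0;

	if ( (dir = opendir("/etc/openvpn/dns")) == NULL )
		return 0;

	vpnlog(VPN_LOG_EXTRA, "Adding DNS entries...");
	while ( (file = readdir(dir)) != NULL ) {
		fn = file->d_name;

		if ( fn[0] == '.' )
			continue;

		if ( sscanf(fn, "client%c.resol%c", &num, &ch) != 2 )
			continue;

		snprintf(path, sizeof(path), "/etc/openvpn/dns/%s", fn);
		if ( (dnsf = fopen(path, "r")) == NULL )
			continue;

		vpnlog(VPN_LOG_INFO,"Adding DNS entries from %s", fn);

		// copy verbatim, then a newline so the next entry starts on its own line
		while ( (c = fgetc(dnsf)) != EOF )
			fputc(c, f);
		fputc('\n', f);
		fclose(dnsf);

		// adns mode 3 means this client's servers are to be used exclusively
		snprintf(&buf[0], sizeof(buf), "vpn_client%c_adns", num);
		if ( nvram_get_int(&buf[0]) == 3 )
			exclusive = 1;
	}
	vpnlog(VPN_LOG_EXTRA, "Done with DNS entries...");

	closedir(dir);

	return exclusive;
}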