1 /*
3 Copyright (C) 2008-2010 Keith Moyer, tomatovpn@keithmoyer.com
5 No part of this file may be used without permission.
7 */
#include "rc.h"

#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
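// Line number as a string literal: two expansion steps are needed so that
// __LINE__ is expanded before it is stringified.  (VPN_ prefix instead of
// the former __LINE_T__ names, which are reserved for the implementation.)
#define VPN_LINE_STR VPN_STR_(__LINE__)
#define VPN_STR_(x) VPN_STR(x)
#define VPN_STR(x) # x

// Log levels, compared against the "vpn_debug" nvram value: a message is
// emitted only when vpn_debug >= its level, so ERROR (-1) is always logged
// and EXTRA needs vpn_debug >= 2.
#define VPN_LOG_ERROR -1
#define VPN_LOG_NOTE 0
#define VPN_LOG_INFO 1
#define VPN_LOG_EXTRA 2
// Wrapped in do { } while (0) so the macro is a single statement: the bare
// "if (...) syslog(...)" form bound to any following "else" and misbehaved
// as the body of a braceless if.  #level stringifies the level's macro NAME,
// which is what prefixes the syslog line.
#define vpnlog(level,x...) \
	do { \
		if (nvram_get_int("vpn_debug") >= level) \
			syslog(LOG_INFO, #level ": " VPN_LINE_STR ": " x); \
	} while (0)

// Tunnel device numbering: clients use tun/tap 1x, servers 2x
#define CLIENT_IF_START 10
#define SERVER_IF_START 20

#define BUF_SIZE 256
#define IF_SIZE 8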
// Ask killall_tk() to terminate every process called NAME, then poll pidof()
// for up to five seconds while it goes away.
// Returns non-zero if a process of that name is still alive afterwards.
static int waitfor(const char *name)
{
	int tries = 5;
	int pid;

	killall_tk(name);
	for (;;) {
		pid = pidof(name);
		if (pid < 0 || tries <= 0)
			break;
		tries--;
		// Reap the zombie if it has terminated
		waitpid(pid, NULL, WNOHANG);
		sleep(1);
	}
	return pid >= 0;
}
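enum { VPN_MAX_ARGS = 8 };	// upper bound on words in any command line built below

// Open PATH for writing, creating it with MODE (never wider, even under a
// permissive umask) and truncating any existing content.  Every generated
// file goes through here because several of them hold key material or
// credentials; the former fopen()+chmod() sequence left a window in which
// the file existed with the umask-derived mode.
// Returns NULL (errno set) on failure; the caller owns the FILE.
static FILE *open_private_file(const char *path, mode_t mode)
{
	int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
	FILE *fp;

	if (fd < 0)
		return NULL;
	// A pre-existing file keeps its old mode through open(); tighten it too.
	fchmod(fd, mode);
	fp = fdopen(fd, "w");
	if (fp == NULL)
		close(fd);
	return fp;
}

// Write the value of nvram variable VAR verbatim into PATH (mode 0600).
// Returns 0 on success, non-zero if the file could not be created or closed.
static int write_nvram_file(const char *path, const char *var)
{
	FILE *fp = open_private_file(path, S_IRUSR | S_IWUSR);

	if (fp == NULL) {
		vpnlog(VPN_LOG_ERROR, "Unable to create %s", path);
		return -1;
	}
	fprintf(fp, "%s", nvram_safe_get(var));
	return fclose(fp);
}

// Split CMD in place on single spaces and run it through _eval().
// PID is handed straight to _eval() (may be NULL).
// Returns _eval()'s status, or -1 (nothing run) if CMD is empty or has more
// words than VPN_MAX_ARGS; the former unbounded strtok() loops overran the
// callers' argv whenever an nvram value such as lan_ifname contained a space.
static int run_cmd(char *cmd, int *pid)
{
	char *argv[VPN_MAX_ARGS + 1];
	int argc = 0;
	char *tok;

	for (tok = strtok(cmd, " "); tok != NULL; tok = strtok(NULL, " ")) {
		if (argc >= VPN_MAX_ARGS) {
			vpnlog(VPN_LOG_ERROR, "Command has too many arguments, not run");
			return -1;
		}
		argv[argc++] = tok;
	}
	if (argc == 0)
		return -1;
	argv[argc] = NULL;
	return _eval(argv, NULL, 0, pid);
}

// Start OpenVPN client instance clientNum from its vpn_client<N>_* nvram
// settings: create the tun/tap device, generate /etc/openvpn/client<N>/
// (config.ovpn, ca.crt, client.crt, client.key, static.key, up), start the
// daemon through the /etc/openvpn/vpnclient<N> symlink, install the
// firewall script and the optional cron watchdog.
// Must run inside init (pid 1); any other caller is redirected through
// start_service().  On any failure after the directory exists the instance
// is torn down again with stop_vpnclient().
void start_vpnclient(int clientNum)
{
	FILE *fp;
	char iface[IF_SIZE];
	char buffer[BUF_SIZE];	// nvram variable names and command lines
	char path[BUF_SIZE];	// paths of generated files
	char *argv[6];
	enum { TLS, SECRET, CUSTOM } cryptMode = CUSTOM;
	enum { TAP, TUN } ifType = TUN;
	enum { BRIDGE, NAT, NONE } routeMode = NONE;
	int nvi, ip[4] = {0}, nm[4] = {0};
	long int nvl;
	int pid;
	int userauth, useronly;

	snprintf(buffer, sizeof buffer, "vpnclient%d", clientNum);
	if (getpid() != 1) {
		start_service(buffer);
		return;
	}

	vpnlog(VPN_LOG_INFO, "VPN GUI client backend starting...");

	// pidof() matches the per-instance symlink name created further down
	if ((pid = pidof(buffer)) >= 0) {
		vpnlog(VPN_LOG_INFO, "VPN Client %d already running...", clientNum);
		vpnlog(VPN_LOG_INFO, "PID: %d", pid);
		return;
	}

	// Determine interface type
	snprintf(buffer, sizeof buffer, "vpn_client%d_if", clientNum);
	if (nvram_contains_word(buffer, "tap")) {
		ifType = TAP;
	} else if (nvram_contains_word(buffer, "tun")) {
		ifType = TUN;
	} else {
		vpnlog(VPN_LOG_ERROR, "Invalid interface type, %.3s", nvram_safe_get(buffer));
		return;
	}

	// Build interface name, e.g. tun11 for client 1
	snprintf(iface, sizeof iface, "%s%d", nvram_safe_get(buffer), clientNum + CLIENT_IF_START);

	// Determine encryption mode
	snprintf(buffer, sizeof buffer, "vpn_client%d_crypt", clientNum);
	if (nvram_contains_word(buffer, "tls")) {
		cryptMode = TLS;
	} else if (nvram_contains_word(buffer, "secret")) {
		cryptMode = SECRET;
	} else if (nvram_contains_word(buffer, "custom")) {
		cryptMode = CUSTOM;
	} else {
		vpnlog(VPN_LOG_ERROR, "Invalid encryption mode, %.6s", nvram_safe_get(buffer));
		return;
	}

	// Determine if we should bridge the tunnel (TAP only)
	snprintf(buffer, sizeof buffer, "vpn_client%d_bridge", clientNum);
	if (ifType == TAP && nvram_get_int(buffer) == 1)
		routeMode = BRIDGE;

	// Determine if we should NAT the tunnel (anything that is not bridged)
	snprintf(buffer, sizeof buffer, "vpn_client%d_nat", clientNum);
	if ((ifType == TUN || routeMode != BRIDGE) && nvram_get_int(buffer) == 1)
		routeMode = NAT;

	// Make sure openvpn directories exist; 0700 because they hold key material
	mkdir("/etc/openvpn", 0700);
	snprintf(buffer, sizeof buffer, "/etc/openvpn/client%d", clientNum);
	mkdir(buffer, 0700);

	// Per-instance symlink to the binary; this is the name pidof() looks for
	snprintf(buffer, sizeof buffer, "/etc/openvpn/vpnclient%d", clientNum);
	unlink(buffer);
	if (symlink("/usr/sbin/openvpn", buffer)) {
		vpnlog(VPN_LOG_ERROR, "Creating symlink failed...");
		goto fail;
	}

	// Make sure module is loaded
	modprobe("tun");
	f_wait_exists("/dev/net/tun", 5);

	// Create tap/tun interface
	snprintf(buffer, sizeof buffer, "openvpn --mktun --dev %s", iface);
	if (run_cmd(buffer, NULL)) {
		vpnlog(VPN_LOG_ERROR, "Creating tunnel interface failed...");
		goto fail;
	}

	// Bring interface up (TAP only)
	if (ifType == TAP) {
		if (routeMode == BRIDGE) {
			snprintf(buffer, sizeof buffer, "brctl addif %s %s", nvram_safe_get("lan_ifname"), iface);
			if (run_cmd(buffer, NULL)) {
				vpnlog(VPN_LOG_ERROR, "Adding tunnel interface to bridge failed...");
				goto fail;
			}
		}

		snprintf(buffer, sizeof buffer, "ifconfig %s promisc up", iface);
		if (run_cmd(buffer, NULL)) {
			vpnlog(VPN_LOG_ERROR, "Bringing interface up failed...");
			goto fail;
		}
	}

	snprintf(buffer, sizeof buffer, "vpn_client%d_userauth", clientNum);
	userauth = nvram_get_int(buffer);
	// useronly: username/password only, no client certificate or key
	snprintf(buffer, sizeof buffer, "vpn_client%d_useronly", clientNum);
	useronly = userauth && nvram_get_int(buffer);

	// Build and write config file
	vpnlog(VPN_LOG_EXTRA, "Writing config file");
	snprintf(path, sizeof path, "/etc/openvpn/client%d/config.ovpn", clientNum);
	fp = open_private_file(path, S_IRUSR | S_IWUSR);
	if (fp == NULL) {
		vpnlog(VPN_LOG_ERROR, "Unable to create %s", path);
		goto fail;
	}
	fprintf(fp, "# Automatically generated configuration\n");
	fprintf(fp, "daemon\n");
	if (cryptMode == TLS)
		fprintf(fp, "client\n");
	fprintf(fp, "dev %s\n", iface);
	snprintf(buffer, sizeof buffer, "vpn_client%d_proto", clientNum);
	fprintf(fp, "proto %s\n", nvram_safe_get(buffer));
	snprintf(buffer, sizeof buffer, "vpn_client%d_addr", clientNum);
	fprintf(fp, "remote %s ", nvram_safe_get(buffer));
	snprintf(buffer, sizeof buffer, "vpn_client%d_port", clientNum);
	fprintf(fp, "%d\n", nvram_get_int(buffer));
	if (cryptMode == SECRET) {
		// Static-key tunnels carry their own endpoint addressing
		if (ifType == TUN) {
			snprintf(buffer, sizeof buffer, "vpn_client%d_local", clientNum);
			fprintf(fp, "ifconfig %s ", nvram_safe_get(buffer));
			snprintf(buffer, sizeof buffer, "vpn_client%d_remote", clientNum);
			fprintf(fp, "%s\n", nvram_safe_get(buffer));
		} else if (ifType == TAP) {
			snprintf(buffer, sizeof buffer, "vpn_client%d_local", clientNum);
			fprintf(fp, "ifconfig %s ", nvram_safe_get(buffer));
			snprintf(buffer, sizeof buffer, "vpn_client%d_nm", clientNum);
			fprintf(fp, "%s\n", nvram_safe_get(buffer));
		}
	}
	snprintf(buffer, sizeof buffer, "vpn_client%d_retry", clientNum);
	if ((nvi = nvram_get_int(buffer)) >= 0)
		fprintf(fp, "resolv-retry %d\n", nvi);
	else
		fprintf(fp, "resolv-retry infinite\n");
	// atol() yields 0 for an empty setting, which still emits "reneg-sec 0"
	snprintf(buffer, sizeof buffer, "vpn_client%d_reneg", clientNum);
	if ((nvl = atol(nvram_safe_get(buffer))) >= 0)
		fprintf(fp, "reneg-sec %ld\n", nvl);
	fprintf(fp, "nobind\n");
	fprintf(fp, "persist-key\n");
	fprintf(fp, "persist-tun\n");
	snprintf(buffer, sizeof buffer, "vpn_client%d_comp", clientNum);
	if (nvram_get_int(buffer) >= 0)
		fprintf(fp, "comp-lzo %s\n", nvram_safe_get(buffer));
	snprintf(buffer, sizeof buffer, "vpn_client%d_cipher", clientNum);
	if (!nvram_contains_word(buffer, "default"))
		fprintf(fp, "cipher %s\n", nvram_safe_get(buffer));
	snprintf(buffer, sizeof buffer, "vpn_client%d_rgw", clientNum);
	if (nvram_get_int(buffer)) {
		snprintf(buffer, sizeof buffer, "vpn_client%d_gw", clientNum);
		if (ifType == TAP && nvram_safe_get(buffer)[0] != '\0')
			fprintf(fp, "route-gateway %s\n", nvram_safe_get(buffer));
		fprintf(fp, "redirect-gateway def1\n");
	}
	fprintf(fp, "verb 3\n");
	if (cryptMode == TLS) {
		snprintf(buffer, sizeof buffer, "vpn_client%d_adns", clientNum);
		if (nvram_get_int(buffer) > 0) {
			// up/down hooks need script-security 2 to be allowed to run
			snprintf(path, sizeof path, "/etc/openvpn/client%d/updown.sh", clientNum);
			symlink("/rom/openvpn/updown.sh", path);
			fprintf(fp, "script-security 2\n");
			fprintf(fp, "up updown.sh\n");
			fprintf(fp, "down updown.sh\n");
		}

		// hmac: -1 disables tls-auth, 0/1 selects the key direction, 2 = no direction
		snprintf(buffer, sizeof buffer, "vpn_client%d_hmac", clientNum);
		nvi = nvram_get_int(buffer);
		snprintf(buffer, sizeof buffer, "vpn_client%d_static", clientNum);
		if (!nvram_is_empty(buffer) && nvi >= 0) {
			fprintf(fp, "tls-auth static.key");
			if (nvi < 2)
				fprintf(fp, " %d", nvi);
			fprintf(fp, "\n");
		}

		snprintf(buffer, sizeof buffer, "vpn_client%d_ca", clientNum);
		if (!nvram_is_empty(buffer))
			fprintf(fp, "ca ca.crt\n");
		if (!useronly) {
			snprintf(buffer, sizeof buffer, "vpn_client%d_crt", clientNum);
			if (!nvram_is_empty(buffer))
				fprintf(fp, "cert client.crt\n");
			snprintf(buffer, sizeof buffer, "vpn_client%d_key", clientNum);
			if (!nvram_is_empty(buffer))
				fprintf(fp, "key client.key\n");
		}
		snprintf(buffer, sizeof buffer, "vpn_client%d_tlsremote", clientNum);
		if (nvram_get_int(buffer)) {
			snprintf(buffer, sizeof buffer, "vpn_client%d_cn", clientNum);
			fprintf(fp, "tls-remote %s\n", nvram_safe_get(buffer));
		}
		if (userauth)
			fprintf(fp, "auth-user-pass up\n");
	} else if (cryptMode == SECRET) {
		snprintf(buffer, sizeof buffer, "vpn_client%d_static", clientNum);
		if (!nvram_is_empty(buffer))
			fprintf(fp, "secret static.key\n");
	}
	fprintf(fp, "status-version 2\n");
	fprintf(fp, "status status\n");
	// The custom block is appended verbatim: admin-controlled, not validated here
	fprintf(fp, "\n# Custom Configuration\n");
	snprintf(buffer, sizeof buffer, "vpn_client%d_custom", clientNum);
	fprintf(fp, "%s", nvram_safe_get(buffer));
	if (fclose(fp) != 0) {
		vpnlog(VPN_LOG_ERROR, "Writing config file failed...");
		goto fail;
	}
	vpnlog(VPN_LOG_EXTRA, "Done writing config file");

	// Write certification and key files (all 0600)
	vpnlog(VPN_LOG_EXTRA, "Writing certs/keys");
	if (cryptMode == TLS) {
		snprintf(buffer, sizeof buffer, "vpn_client%d_ca", clientNum);
		if (!nvram_is_empty(buffer)) {
			snprintf(path, sizeof path, "/etc/openvpn/client%d/ca.crt", clientNum);
			if (write_nvram_file(path, buffer))
				goto fail;
		}

		if (!useronly) {
			snprintf(buffer, sizeof buffer, "vpn_client%d_key", clientNum);
			if (!nvram_is_empty(buffer)) {
				snprintf(path, sizeof path, "/etc/openvpn/client%d/client.key", clientNum);
				if (write_nvram_file(path, buffer))
					goto fail;
			}

			snprintf(buffer, sizeof buffer, "vpn_client%d_crt", clientNum);
			if (!nvram_is_empty(buffer)) {
				snprintf(path, sizeof path, "/etc/openvpn/client%d/client.crt", clientNum);
				if (write_nvram_file(path, buffer))
					goto fail;
			}
		}
		if (userauth) {
			// Plain-text credentials for auth-user-pass: username line, password line
			snprintf(path, sizeof path, "/etc/openvpn/client%d/up", clientNum);
			fp = open_private_file(path, S_IRUSR | S_IWUSR);
			if (fp == NULL) {
				vpnlog(VPN_LOG_ERROR, "Unable to create %s", path);
				goto fail;
			}
			snprintf(buffer, sizeof buffer, "vpn_client%d_username", clientNum);
			fprintf(fp, "%s\n", nvram_safe_get(buffer));
			snprintf(buffer, sizeof buffer, "vpn_client%d_password", clientNum);
			fprintf(fp, "%s\n", nvram_safe_get(buffer));
			if (fclose(fp) != 0) {
				vpnlog(VPN_LOG_ERROR, "Writing credentials file failed...");
				goto fail;
			}
		}
	}
	snprintf(buffer, sizeof buffer, "vpn_client%d_hmac", clientNum);
	if (cryptMode == SECRET || (cryptMode == TLS && nvram_get_int(buffer) >= 0)) {
		snprintf(buffer, sizeof buffer, "vpn_client%d_static", clientNum);
		if (!nvram_is_empty(buffer)) {
			snprintf(path, sizeof path, "/etc/openvpn/client%d/static.key", clientNum);
			if (write_nvram_file(path, buffer))
				goto fail;
		}
	}
	vpnlog(VPN_LOG_EXTRA, "Done writing certs/keys");

	// Start the VPN client (log the line before run_cmd() tokenises it in place)
	snprintf(buffer, sizeof buffer, "/etc/openvpn/vpnclient%d --cd /etc/openvpn/client%d --config config.ovpn", clientNum, clientNum);
	vpnlog(VPN_LOG_INFO, "Starting OpenVPN: %s", buffer);
	if (run_cmd(buffer, &pid)) {
		vpnlog(VPN_LOG_ERROR, "Starting OpenVPN failed...");
		goto fail;
	}
	vpnlog(VPN_LOG_EXTRA, "Done starting openvpn");

	// Handle firewall rules if appropriate
	snprintf(buffer, sizeof buffer, "vpn_client%d_firewall", clientNum);
	if (!nvram_contains_word(buffer, "custom")) {
		// Create firewall rules
		vpnlog(VPN_LOG_EXTRA, "Creating firewall rules");
		mkdir("/etc/openvpn/fw", 0700);
		snprintf(path, sizeof path, "/etc/openvpn/fw/client%d-fw.sh", clientNum);
		fp = open_private_file(path, S_IRUSR | S_IWUSR | S_IXUSR);
		if (fp == NULL) {
			vpnlog(VPN_LOG_ERROR, "Unable to create %s", path);
			goto fail;
		}
		fprintf(fp, "#!/bin/sh\n");
		fprintf(fp, "iptables -I INPUT -i %s -j ACCEPT\n", iface);
		fprintf(fp, "iptables -I FORWARD -i %s -j ACCEPT\n", iface);
		if (routeMode == NAT) {
			// Masquerade the LAN network (address & mask) leaving through the tunnel;
			// an unparsable address previously fed uninitialised ints into the rule
			if (sscanf(nvram_safe_get("lan_ipaddr"), "%d.%d.%d.%d", &ip[0], &ip[1], &ip[2], &ip[3]) == 4 &&
			    sscanf(nvram_safe_get("lan_netmask"), "%d.%d.%d.%d", &nm[0], &nm[1], &nm[2], &nm[3]) == 4) {
				fprintf(fp, "iptables -t nat -I POSTROUTING -s %d.%d.%d.%d/%s -o %s -j MASQUERADE\n",
					ip[0] & nm[0], ip[1] & nm[1], ip[2] & nm[2], ip[3] & nm[3], nvram_safe_get("lan_netmask"), iface);
			} else {
				vpnlog(VPN_LOG_ERROR, "Unparsable lan_ipaddr/lan_netmask, NAT rule skipped");
			}
		}
		if (fclose(fp) != 0) {
			vpnlog(VPN_LOG_ERROR, "Writing firewall rules failed...");
			goto fail;
		}
		vpnlog(VPN_LOG_EXTRA, "Done creating firewall rules");

		// Run the firewall rules
		vpnlog(VPN_LOG_EXTRA, "Running firewall rules");
		argv[0] = path;
		argv[1] = NULL;
		_eval(argv, NULL, 0, NULL);
		vpnlog(VPN_LOG_EXTRA, "Done running firewall rules");
	}

	// Set up cron job: "service vpnclientN start" every <poll> minutes
	// (a no-op while the instance is running, thanks to the pidof() check above)
	snprintf(buffer, sizeof buffer, "vpn_client%d_poll", clientNum);
	if ((nvi = nvram_get_int(buffer)) > 0) {
		size_t off;

		vpnlog(VPN_LOG_EXTRA, "Adding cron job");
		// buffer holds two C strings back to back: the cru job id, then the job line
		snprintf(buffer, sizeof buffer, "CheckVPNClient%d", clientNum);
		off = strlen(buffer) + 1;
		snprintf(buffer + off, sizeof buffer - off, "*/%d * * * * service vpnclient%d start", nvi, clientNum);
		argv[0] = "cru";
		argv[1] = "a";
		argv[2] = buffer;
		argv[3] = buffer + off;
		argv[4] = NULL;
		_eval(argv, NULL, 0, NULL);
		vpnlog(VPN_LOG_EXTRA, "Done adding cron job");
	}

#ifdef LINUX26
	snprintf(buffer, sizeof buffer, "vpn_client%d", clientNum);
	allow_fastnat(buffer, 0);
	try_enabling_fastnat();
#endif
	vpnlog(VPN_LOG_INFO, "VPN GUI client backend complete.");
	return;

fail:
	// Undo whatever was set up so far (device, files, cron job)
	stop_vpnclient(clientNum);
}

// Stop OpenVPN client instance clientNum and remove what start_vpnclient()
// created: cron job, firewall rules, tunnel device and (unless vpn_debug is
// above VPN_LOG_EXTRA) the generated files.  Must run inside init (pid 1);
// other callers are redirected through stop_service().
void stop_vpnclient(int clientNum)
{
	char *argv[7];
	char buffer[BUF_SIZE];

	snprintf(buffer, sizeof buffer, "vpnclient%d", clientNum);
	if (getpid() != 1) {
		stop_service(buffer);
		return;
	}

	vpnlog(VPN_LOG_INFO, "Stopping VPN GUI client backend.");

	// Remove cron job
	vpnlog(VPN_LOG_EXTRA, "Removing cron job");
	snprintf(buffer, sizeof buffer, "CheckVPNClient%d", clientNum);
	argv[0] = "cru";
	argv[1] = "d";
	argv[2] = buffer;
	argv[3] = NULL;
	_eval(argv, NULL, 0, NULL);
	vpnlog(VPN_LOG_EXTRA, "Done removing cron job");

	// Remove firewall rules: rewrite the generated script in place so every
	// -A/-I becomes -D, then run it.  The script is only run when sed reported
	// success, so a failed rewrite cannot re-add the original rules.
	vpnlog(VPN_LOG_EXTRA, "Removing firewall rules.");
	snprintf(buffer, sizeof buffer, "/etc/openvpn/fw/client%d-fw.sh", clientNum);
	argv[0] = "sed";
	argv[1] = "-i";
	argv[2] = "s/-A/-D/g;s/-I/-D/g";
	argv[3] = buffer;
	argv[4] = NULL;
	if (!_eval(argv, NULL, 0, NULL)) {
		argv[0] = buffer;
		argv[1] = NULL;
		_eval(argv, NULL, 0, NULL);
	}
	vpnlog(VPN_LOG_EXTRA, "Done removing firewall rules.");

	// Stop the VPN client
	vpnlog(VPN_LOG_EXTRA, "Stopping OpenVPN client.");
	snprintf(buffer, sizeof buffer, "vpnclient%d", clientNum);
	if (!waitfor(buffer))
		vpnlog(VPN_LOG_EXTRA, "OpenVPN client stopped.");

	// NVRAM setting for device type could have changed, just try to remove both
	vpnlog(VPN_LOG_EXTRA, "Removing VPN device.");
	snprintf(buffer, sizeof buffer, "openvpn --rmtun --dev tap%d", clientNum + CLIENT_IF_START);
	run_cmd(buffer, NULL);
	snprintf(buffer, sizeof buffer, "openvpn --rmtun --dev tun%d", clientNum + CLIENT_IF_START);
	run_cmd(buffer, NULL);
	vpnlog(VPN_LOG_EXTRA, "VPN device removed.");

	modprobe_r("tun");

	// Generated files (config, keys, credentials) are kept for inspection
	// only when vpn_debug is raised beyond VPN_LOG_EXTRA
	if (nvram_get_int("vpn_debug") <= VPN_LOG_EXTRA) {
		vpnlog(VPN_LOG_EXTRA, "Removing generated files.");
		// Delete all files for this client
		snprintf(buffer, sizeof buffer, "rm -rf /etc/openvpn/client%d /etc/openvpn/fw/client%d-fw.sh /etc/openvpn/vpnclient%d", clientNum, clientNum, clientNum);
		run_cmd(buffer, NULL);

		// Attempt to remove directories. Will fail if not empty
		rmdir("/etc/openvpn/fw");
		rmdir("/etc/openvpn");
		vpnlog(VPN_LOG_EXTRA, "Done removing generated files.");
	}

#ifdef LINUX26
	snprintf(buffer, sizeof buffer, "vpn_client%d", clientNum);
	allow_fastnat(buffer, 1);
	try_enabling_fastnat();
#endif
	vpnlog(VPN_LOG_INFO, "VPN GUI client backend stopped.");
}

// Start OpenVPN server instance serverNum from its vpn_server<N>_* nvram
// settings: create the tun/tap device (TAP is always bridged into the LAN),
// generate /etc/openvpn/server<N>/ (config.ovpn, ca.crt, server.crt,
// server.key, dh.pem, static.key and the per-client ccd/ files), start the
// daemon through the /etc/openvpn/vpnserver<N> symlink, install the firewall
// script and the optional cron watchdog.
// Must run inside init (pid 1); other callers are redirected through
// start_service().  On any failure after the directory exists the instance
// is torn down again with stop_vpnserver().
void start_vpnserver(int serverNum)
{
	FILE *fp, *ccd;
	char iface[IF_SIZE];
	char buffer[BUF_SIZE];	// nvram variable names and command lines
	char path[BUF_SIZE];	// paths of generated files
	char proto[16];		// bare protocol name for the iptables rules
	char *argv[6], *chp, *route, *ccdval;
	int c2c = 0;
	enum { TAP, TUN } ifType = TUN;
	enum { TLS, SECRET, CUSTOM } cryptMode = CUSTOM;
	int nvi, port, ip[4] = {0}, nm[4] = {0};
	long int nvl;
	int pid;

	snprintf(buffer, sizeof buffer, "vpnserver%d", serverNum);
	if (getpid() != 1) {
		start_service(buffer);
		return;
	}

	vpnlog(VPN_LOG_INFO, "VPN GUI server backend starting...");

	// pidof() matches the per-instance symlink name created further down
	if ((pid = pidof(buffer)) >= 0) {
		vpnlog(VPN_LOG_INFO, "VPN Server %d already running...", serverNum);
		vpnlog(VPN_LOG_INFO, "PID: %d", pid);
		return;
	}

	// Determine interface type
	snprintf(buffer, sizeof buffer, "vpn_server%d_if", serverNum);
	if (nvram_contains_word(buffer, "tap")) {
		ifType = TAP;
	} else if (nvram_contains_word(buffer, "tun")) {
		ifType = TUN;
	} else {
		vpnlog(VPN_LOG_ERROR, "Invalid interface type, %.3s", nvram_safe_get(buffer));
		return;
	}

	// Build interface name, e.g. tun21 for server 1
	snprintf(iface, sizeof iface, "%s%d", nvram_safe_get(buffer), serverNum + SERVER_IF_START);

	// Determine encryption mode
	snprintf(buffer, sizeof buffer, "vpn_server%d_crypt", serverNum);
	if (nvram_contains_word(buffer, "tls")) {
		cryptMode = TLS;
	} else if (nvram_contains_word(buffer, "secret")) {
		cryptMode = SECRET;
	} else if (nvram_contains_word(buffer, "custom")) {
		cryptMode = CUSTOM;
	} else {
		vpnlog(VPN_LOG_ERROR, "Invalid encryption mode, %.6s", nvram_safe_get(buffer));
		return;
	}

	// Make sure openvpn directories exist; 0700 because they hold key material
	mkdir("/etc/openvpn", 0700);
	snprintf(buffer, sizeof buffer, "/etc/openvpn/server%d", serverNum);
	mkdir(buffer, 0700);

	// Per-instance symlink to the binary; this is the name pidof() looks for
	snprintf(buffer, sizeof buffer, "/etc/openvpn/vpnserver%d", serverNum);
	unlink(buffer);
	if (symlink("/usr/sbin/openvpn", buffer)) {
		vpnlog(VPN_LOG_ERROR, "Creating symlink failed...");
		goto fail;
	}

	// Make sure module is loaded
	modprobe("tun");
	f_wait_exists("/dev/net/tun", 5);

	// Create tap/tun interface
	snprintf(buffer, sizeof buffer, "openvpn --mktun --dev %s", iface);
	if (run_cmd(buffer, NULL)) {
		vpnlog(VPN_LOG_ERROR, "Creating tunnel interface failed...");
		goto fail;
	}

	// Add interface to LAN bridge (TAP only)
	if (ifType == TAP) {
		snprintf(buffer, sizeof buffer, "brctl addif %s %s", nvram_safe_get("lan_ifname"), iface);
		if (run_cmd(buffer, NULL)) {
			vpnlog(VPN_LOG_ERROR, "Adding tunnel interface to bridge failed...");
			goto fail;
		}
	}

	// Bring interface up
	snprintf(buffer, sizeof buffer, "ifconfig %s 0.0.0.0 promisc up", iface);
	if (run_cmd(buffer, NULL)) {
		vpnlog(VPN_LOG_ERROR, "Bringing up tunnel interface failed...");
		goto fail;
	}

	// Build and write config files
	vpnlog(VPN_LOG_EXTRA, "Writing config file");
	snprintf(path, sizeof path, "/etc/openvpn/server%d/config.ovpn", serverNum);
	fp = open_private_file(path, S_IRUSR | S_IWUSR);
	if (fp == NULL) {
		vpnlog(VPN_LOG_ERROR, "Unable to create %s", path);
		goto fail;
	}
	fprintf(fp, "# Automatically generated configuration\n");
	fprintf(fp, "daemon\n");
	if (cryptMode == TLS) {
		if (ifType == TUN) {
			snprintf(buffer, sizeof buffer, "vpn_server%d_sn", serverNum);
			fprintf(fp, "server %s ", nvram_safe_get(buffer));
			snprintf(buffer, sizeof buffer, "vpn_server%d_nm", serverNum);
			fprintf(fp, "%s\n", nvram_safe_get(buffer));
		} else if (ifType == TAP) {
			fprintf(fp, "server-bridge");
			snprintf(buffer, sizeof buffer, "vpn_server%d_dhcp", serverNum);
			if (nvram_get_int(buffer) == 0) {
				// Not using LAN DHCP: OpenVPN hands out r1..r2 behind the LAN address
				fprintf(fp, " %s ", nvram_safe_get("lan_ipaddr"));
				fprintf(fp, "%s ", nvram_safe_get("lan_netmask"));
				snprintf(buffer, sizeof buffer, "vpn_server%d_r1", serverNum);
				fprintf(fp, "%s ", nvram_safe_get(buffer));
				snprintf(buffer, sizeof buffer, "vpn_server%d_r2", serverNum);
				fprintf(fp, "%s", nvram_safe_get(buffer));
			}
			fprintf(fp, "\n");
		}
	} else if (cryptMode == SECRET) {
		if (ifType == TUN) {
			snprintf(buffer, sizeof buffer, "vpn_server%d_local", serverNum);
			fprintf(fp, "ifconfig %s ", nvram_safe_get(buffer));
			snprintf(buffer, sizeof buffer, "vpn_server%d_remote", serverNum);
			fprintf(fp, "%s\n", nvram_safe_get(buffer));
		}
	}
	snprintf(buffer, sizeof buffer, "vpn_server%d_proto", serverNum);
	fprintf(fp, "proto %s\n", nvram_safe_get(buffer));
	snprintf(buffer, sizeof buffer, "vpn_server%d_port", serverNum);
	fprintf(fp, "port %d\n", nvram_get_int(buffer));
	fprintf(fp, "dev %s\n", iface);
	snprintf(buffer, sizeof buffer, "vpn_server%d_cipher", serverNum);
	if (!nvram_contains_word(buffer, "default"))
		fprintf(fp, "cipher %s\n", nvram_safe_get(buffer));
	snprintf(buffer, sizeof buffer, "vpn_server%d_comp", serverNum);
	if (nvram_get_int(buffer) >= 0)
		fprintf(fp, "comp-lzo %s\n", nvram_safe_get(buffer));
	// atol() yields 0 for an empty setting, which still emits "reneg-sec 0"
	snprintf(buffer, sizeof buffer, "vpn_server%d_reneg", serverNum);
	if ((nvl = atol(nvram_safe_get(buffer))) >= 0)
		fprintf(fp, "reneg-sec %ld\n", nvl);
	fprintf(fp, "keepalive 15 60\n");
	fprintf(fp, "verb 3\n");
	if (cryptMode == TLS) {
		snprintf(buffer, sizeof buffer, "vpn_server%d_plan", serverNum);
		if (ifType == TUN && nvram_get_int(buffer)) {
			// Push the LAN network (address & mask) to clients;
			// an unparsable address previously fed uninitialised ints into the route
			if (sscanf(nvram_safe_get("lan_ipaddr"), "%d.%d.%d.%d", &ip[0], &ip[1], &ip[2], &ip[3]) == 4 &&
			    sscanf(nvram_safe_get("lan_netmask"), "%d.%d.%d.%d", &nm[0], &nm[1], &nm[2], &nm[3]) == 4) {
				fprintf(fp, "push \"route %d.%d.%d.%d %s\"\n", ip[0] & nm[0], ip[1] & nm[1], ip[2] & nm[2], ip[3] & nm[3],
					nvram_safe_get("lan_netmask"));
			} else {
				vpnlog(VPN_LOG_ERROR, "Unparsable lan_ipaddr/lan_netmask, LAN route not pushed");
			}
		}

		snprintf(buffer, sizeof buffer, "vpn_server%d_ccd", serverNum);
		if (nvram_get_int(buffer)) {
			fprintf(fp, "client-config-dir ccd\n");

			snprintf(buffer, sizeof buffer, "vpn_server%d_c2c", serverNum);
			if ((c2c = nvram_get_int(buffer)))
				fprintf(fp, "client-to-client\n");

			snprintf(buffer, sizeof buffer, "vpn_server%d_ccd_excl", serverNum);
			if (nvram_get_int(buffer))
				fprintf(fp, "ccd-exclusive\n");

			snprintf(buffer, sizeof buffer, "/etc/openvpn/server%d/ccd", serverNum);
			mkdir(buffer, 0700);

			// ccd_val holds one entry per '>' with '<'-separated fields, read below
			// as: enabled, common name, subnet, netmask, push.  It can be longer
			// than BUF_SIZE, so it is duplicated rather than copied into buffer.
			snprintf(buffer, sizeof buffer, "vpn_server%d_ccd_val", serverNum);
			ccdval = strdup(nvram_safe_get(buffer));
			if (ccdval == NULL)
				vpnlog(VPN_LOG_ERROR, "CCD: out of memory, entries skipped");
			chp = ccdval != NULL ? strtok(ccdval, ">") : NULL;
			while (chp != NULL) {
				// nvi tracks the bytes left in this entry as fields are consumed
				nvi = strlen(chp);

				chp[strcspn(chp, "<")] = '\0';
				vpnlog(VPN_LOG_EXTRA, "CCD: enabled: %d", atoi(chp));
				if (atoi(chp) == 1) {
					nvi -= strlen(chp) + 1;
					chp += strlen(chp) + 1;

					ccd = NULL;
					route = NULL;
					if (nvi > 0) {
						chp[strcspn(chp, "<")] = '\0';
						vpnlog(VPN_LOG_EXTRA, "CCD: Common name: %s", chp);
						// The common name becomes a file name inside ccd/: refuse anything
						// that could leave that directory (the file is addressed by full
						// path now instead of chdir()ing init into ccd/ and never returning)
						if (chp[0] == '\0' || strchr(chp, '/') != NULL ||
						    strcmp(chp, ".") == 0 || strcmp(chp, "..") == 0) {
							vpnlog(VPN_LOG_ERROR, "CCD: invalid common name, entry skipped");
						} else {
							snprintf(path, sizeof path, "/etc/openvpn/server%d/ccd/%s", serverNum, chp);
							ccd = open_private_file(path, S_IRUSR | S_IWUSR);
							if (ccd == NULL)
								vpnlog(VPN_LOG_ERROR, "CCD: unable to create %s", path);
						}

						nvi -= strlen(chp) + 1;
						chp += strlen(chp) + 1;
					}
					if (nvi > 0 && ccd != NULL && strcspn(chp, "<") != strlen(chp)) {
						// "subnet<netmask" -> "subnet netmask"
						chp[strcspn(chp, "<")] = ' ';
						chp[strcspn(chp, "<")] = '\0';
						route = chp;
						vpnlog(VPN_LOG_EXTRA, "CCD: Route: %s", chp);
						if (strlen(route) > 1) {
							fprintf(ccd, "iroute %s\n", route);
							fprintf(fp, "route %s\n", route);
						}

						nvi -= strlen(chp) + 1;
						chp += strlen(chp) + 1;
					}
					if (ccd != NULL)
						fclose(ccd);
					if (nvi > 0 && route != NULL) {
						chp[strcspn(chp, "<")] = '\0';
						vpnlog(VPN_LOG_EXTRA, "CCD: Push: %d", atoi(chp));
						// Only meaningful with client-to-client: other clients get the route
						if (c2c && atoi(chp) == 1 && strlen(route) > 1)
							fprintf(fp, "push \"route %s\"\n", route);

						nvi -= strlen(chp) + 1;
						chp += strlen(chp) + 1;
					}
				}
				vpnlog(VPN_LOG_EXTRA, "CCD leftover: %d", nvi + 1);

				// Advance to next entry
				chp = strtok(NULL, ">");
			}
			free(ccdval);
			vpnlog(VPN_LOG_EXTRA, "CCD processing complete");
		}

		snprintf(buffer, sizeof buffer, "vpn_server%d_pdns", serverNum);
		if (nvram_get_int(buffer)) {
			if (nvram_safe_get("wan_domain")[0] != '\0')
				fprintf(fp, "push \"dhcp-option DOMAIN %s\"\n", nvram_safe_get("wan_domain"));
			if (nvram_safe_get("wan_wins")[0] != '\0' && strcmp(nvram_safe_get("wan_wins"), "0.0.0.0") != 0)
				fprintf(fp, "push \"dhcp-option WINS %s\"\n", nvram_safe_get("wan_wins"));
			fprintf(fp, "push \"dhcp-option DNS %s\"\n", nvram_safe_get("lan_ipaddr"));
		}

		snprintf(buffer, sizeof buffer, "vpn_server%d_rgw", serverNum);
		if (nvram_get_int(buffer)) {
			if (ifType == TAP)
				fprintf(fp, "push \"route-gateway %s\"\n", nvram_safe_get("lan_ipaddr"));
			fprintf(fp, "push \"redirect-gateway def1\"\n");
		}

		// hmac: -1 disables tls-auth, 0/1 selects the key direction, 2 = no direction
		snprintf(buffer, sizeof buffer, "vpn_server%d_hmac", serverNum);
		nvi = nvram_get_int(buffer);
		snprintf(buffer, sizeof buffer, "vpn_server%d_static", serverNum);
		if (!nvram_is_empty(buffer) && nvi >= 0) {
			fprintf(fp, "tls-auth static.key");
			if (nvi < 2)
				fprintf(fp, " %d", nvi);
			fprintf(fp, "\n");
		}

		snprintf(buffer, sizeof buffer, "vpn_server%d_ca", serverNum);
		if (!nvram_is_empty(buffer))
			fprintf(fp, "ca ca.crt\n");
		snprintf(buffer, sizeof buffer, "vpn_server%d_dh", serverNum);
		if (!nvram_is_empty(buffer))
			fprintf(fp, "dh dh.pem\n");
		snprintf(buffer, sizeof buffer, "vpn_server%d_crt", serverNum);
		if (!nvram_is_empty(buffer))
			fprintf(fp, "cert server.crt\n");
		snprintf(buffer, sizeof buffer, "vpn_server%d_key", serverNum);
		if (!nvram_is_empty(buffer))
			fprintf(fp, "key server.key\n");
	} else if (cryptMode == SECRET) {
		snprintf(buffer, sizeof buffer, "vpn_server%d_static", serverNum);
		if (!nvram_is_empty(buffer))
			fprintf(fp, "secret static.key\n");
	}
	fprintf(fp, "status-version 2\n");
	fprintf(fp, "status status\n");
	// The custom block is appended verbatim: admin-controlled, not validated here
	fprintf(fp, "\n# Custom Configuration\n");
	snprintf(buffer, sizeof buffer, "vpn_server%d_custom", serverNum);
	fprintf(fp, "%s", nvram_safe_get(buffer));
	if (fclose(fp) != 0) {
		vpnlog(VPN_LOG_ERROR, "Writing config file failed...");
		goto fail;
	}
	vpnlog(VPN_LOG_EXTRA, "Done writing config file");

	// Write certification and key files (all 0600)
	vpnlog(VPN_LOG_EXTRA, "Writing certs/keys");
	if (cryptMode == TLS) {
		snprintf(buffer, sizeof buffer, "vpn_server%d_ca", serverNum);
		if (!nvram_is_empty(buffer)) {
			snprintf(path, sizeof path, "/etc/openvpn/server%d/ca.crt", serverNum);
			if (write_nvram_file(path, buffer))
				goto fail;
		}

		snprintf(buffer, sizeof buffer, "vpn_server%d_key", serverNum);
		if (!nvram_is_empty(buffer)) {
			snprintf(path, sizeof path, "/etc/openvpn/server%d/server.key", serverNum);
			if (write_nvram_file(path, buffer))
				goto fail;
		}

		snprintf(buffer, sizeof buffer, "vpn_server%d_crt", serverNum);
		if (!nvram_is_empty(buffer)) {
			snprintf(path, sizeof path, "/etc/openvpn/server%d/server.crt", serverNum);
			if (write_nvram_file(path, buffer))
				goto fail;
		}

		snprintf(buffer, sizeof buffer, "vpn_server%d_dh", serverNum);
		if (!nvram_is_empty(buffer)) {
			snprintf(path, sizeof path, "/etc/openvpn/server%d/dh.pem", serverNum);
			if (write_nvram_file(path, buffer))
				goto fail;
		}
	}
	snprintf(buffer, sizeof buffer, "vpn_server%d_hmac", serverNum);
	if (cryptMode == SECRET || (cryptMode == TLS && nvram_get_int(buffer) >= 0)) {
		snprintf(buffer, sizeof buffer, "vpn_server%d_static", serverNum);
		if (!nvram_is_empty(buffer)) {
			snprintf(path, sizeof path, "/etc/openvpn/server%d/static.key", serverNum);
			if (write_nvram_file(path, buffer))
				goto fail;
		}
	}
	vpnlog(VPN_LOG_EXTRA, "Done writing certs/keys");

	// Start the VPN server (log the line before run_cmd() tokenises it in place)
	snprintf(buffer, sizeof buffer, "/etc/openvpn/vpnserver%d --cd /etc/openvpn/server%d --config config.ovpn", serverNum, serverNum);
	vpnlog(VPN_LOG_INFO, "Starting OpenVPN: %s", buffer);
	if (run_cmd(buffer, &pid)) {
		vpnlog(VPN_LOG_ERROR, "Starting VPN instance failed...");
		goto fail;
	}
	vpnlog(VPN_LOG_EXTRA, "Done starting openvpn");

	// Handle firewall rules if appropriate
	snprintf(buffer, sizeof buffer, "vpn_server%d_firewall", serverNum);
	if (!nvram_contains_word(buffer, "custom")) {
		// Create firewall rules
		vpnlog(VPN_LOG_EXTRA, "Creating firewall rules");
		mkdir("/etc/openvpn/fw", 0700);
		snprintf(path, sizeof path, "/etc/openvpn/fw/server%d-fw.sh", serverNum);
		fp = open_private_file(path, S_IRUSR | S_IWUSR | S_IXUSR);
		if (fp == NULL) {
			vpnlog(VPN_LOG_ERROR, "Unable to create %s", path);
			goto fail;
		}
		fprintf(fp, "#!/bin/sh\n");
		// "tcp-server"/"udp" -> the bare protocol name iptables understands
		// (bounded copy; the former strncpy() left no terminator on overflow)
		snprintf(buffer, sizeof buffer, "vpn_server%d_proto", serverNum);
		snprintf(proto, sizeof proto, "%s", nvram_safe_get(buffer));
		proto[strcspn(proto, "-")] = '\0';
		snprintf(buffer, sizeof buffer, "vpn_server%d_port", serverNum);
		port = nvram_get_int(buffer);
		// ACCEPT in nat/PREROUTING keeps the listening port out of any DNAT rules
		fprintf(fp, "iptables -t nat -I PREROUTING -p %s --dport %d -j ACCEPT\n", proto, port);
		fprintf(fp, "iptables -I INPUT -p %s --dport %d -j ACCEPT\n", proto, port);
		snprintf(buffer, sizeof buffer, "vpn_server%d_firewall", serverNum);
		if (!nvram_contains_word(buffer, "external")) {
			fprintf(fp, "iptables -I INPUT -i %s -j ACCEPT\n", iface);
			fprintf(fp, "iptables -I FORWARD -i %s -j ACCEPT\n", iface);
		}
		if (fclose(fp) != 0) {
			vpnlog(VPN_LOG_ERROR, "Writing firewall rules failed...");
			goto fail;
		}
		vpnlog(VPN_LOG_EXTRA, "Done creating firewall rules");

		// Run the firewall rules
		vpnlog(VPN_LOG_EXTRA, "Running firewall rules");
		argv[0] = path;
		argv[1] = NULL;
		_eval(argv, NULL, 0, NULL);
		vpnlog(VPN_LOG_EXTRA, "Done running firewall rules");
	}

	// Set up cron job: "service vpnserverN start" every <poll> minutes
	// (a no-op while the instance is running, thanks to the pidof() check above)
	snprintf(buffer, sizeof buffer, "vpn_server%d_poll", serverNum);
	if ((nvi = nvram_get_int(buffer)) > 0) {
		size_t off;

		vpnlog(VPN_LOG_EXTRA, "Adding cron job");
		// buffer holds two C strings back to back: the cru job id, then the job line
		snprintf(buffer, sizeof buffer, "CheckVPNServer%d", serverNum);
		off = strlen(buffer) + 1;
		snprintf(buffer + off, sizeof buffer - off, "*/%d * * * * service vpnserver%d start", nvi, serverNum);
		argv[0] = "cru";
		argv[1] = "a";
		argv[2] = buffer;
		argv[3] = buffer + off;
		argv[4] = NULL;
		_eval(argv, NULL, 0, NULL);
		vpnlog(VPN_LOG_EXTRA, "Done adding cron job");
	}

#ifdef LINUX26
	snprintf(buffer, sizeof buffer, "vpn_server%d", serverNum);
	allow_fastnat(buffer, 0);
	try_enabling_fastnat();
#endif
	vpnlog(VPN_LOG_INFO, "VPN GUI server backend complete.");
	return;

fail:
	// Undo whatever was set up so far (device, files, cron job)
	stop_vpnserver(serverNum);
}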
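/*
 * Stop OpenVPN server instance `serverNum` and undo what start_vpnserver()
 * set up: the poll cron job, the firewall rules, the tap/tun device and,
 * unless vpn_debug is above VPN_LOG_EXTRA, the generated files under
 * /etc/openvpn.  When not running as init (pid 1) the request is handed to
 * the service framework via stop_service() instead.
 *
 * All command lines are built as explicit argv arrays into bounded buffers
 * (snprintf) instead of sprintf + strtok into an unchecked argv[].
 */
void stop_vpnserver(int serverNum)
{
	char *argv[6];
	char buffer[BUF_SIZE];

	snprintf(buffer, sizeof(buffer), "vpnserver%d", serverNum);
	if (getpid() != 1) {
		stop_service(buffer);
		return;
	}

	vpnlog(VPN_LOG_INFO, "Stopping VPN GUI server backend.");

	/* Remove cron job */
	vpnlog(VPN_LOG_EXTRA, "Removing cron job");
	snprintf(buffer, sizeof(buffer), "CheckVPNServer%d", serverNum);
	argv[0] = "cru";
	argv[1] = "d";
	argv[2] = buffer;
	argv[3] = NULL;
	_eval(argv, NULL, 0, NULL);
	vpnlog(VPN_LOG_EXTRA, "Done removing cron job");

	/*
	 * Remove firewall rules.  The script generated by start_vpnserver()
	 * inserts rules with -A/-I; rewriting those to -D in place and running
	 * it again deletes the rules it added.  The script is only run when
	 * sed succeeded, otherwise we would re-insert the rules.
	 */
	vpnlog(VPN_LOG_EXTRA, "Removing firewall rules.");
	snprintf(buffer, sizeof(buffer), "/etc/openvpn/fw/server%d-fw.sh", serverNum);
	argv[0] = "sed";
	argv[1] = "-i";
	argv[2] = "s/-A/-D/g;s/-I/-D/g";
	argv[3] = buffer;
	argv[4] = NULL;
	if (!_eval(argv, NULL, 0, NULL)) {
		argv[0] = buffer;
		argv[1] = NULL;
		_eval(argv, NULL, 0, NULL);
	}
	vpnlog(VPN_LOG_EXTRA, "Done removing firewall rules.");

	/* Stop the VPN server; waitfor() is true while the process is still alive */
	vpnlog(VPN_LOG_EXTRA, "Stopping OpenVPN server.");
	snprintf(buffer, sizeof(buffer), "vpnserver%d", serverNum);
	if (!waitfor(buffer)) {
		vpnlog(VPN_LOG_EXTRA, "OpenVPN server stopped.");
	}

	/* NVRAM setting for device type could have changed, just try to remove both */
	vpnlog(VPN_LOG_EXTRA, "Removing VPN device.");
	argv[0] = "openvpn";
	argv[1] = "--rmtun";
	argv[2] = "--dev";
	argv[3] = buffer;
	argv[4] = NULL;
	snprintf(buffer, sizeof(buffer), "tap%d", serverNum + SERVER_IF_START);
	_eval(argv, NULL, 0, NULL);
	snprintf(buffer, sizeof(buffer), "tun%d", serverNum + SERVER_IF_START);
	_eval(argv, NULL, 0, NULL);
	vpnlog(VPN_LOG_EXTRA, "VPN device removed.");

	modprobe_r("tun");

	/* Generated files are kept for inspection when debugging above EXTRA */
	if (nvram_get_int("vpn_debug") <= VPN_LOG_EXTRA) {
		char cfgdir[64], fwscript[64], instpath[64];

		vpnlog(VPN_LOG_EXTRA, "Removing generated files.");
		/* Delete all files for this server: config directory, firewall
		 * script and the per-instance path whose name matches the process
		 * name checked with pidof() above. */
		snprintf(cfgdir, sizeof(cfgdir), "/etc/openvpn/server%d", serverNum);
		snprintf(fwscript, sizeof(fwscript), "/etc/openvpn/fw/server%d-fw.sh", serverNum);
		snprintf(instpath, sizeof(instpath), "/etc/openvpn/vpnserver%d", serverNum);
		argv[0] = "rm";
		argv[1] = "-rf";
		argv[2] = cfgdir;
		argv[3] = fwscript;
		argv[4] = instpath;
		argv[5] = NULL;
		_eval(argv, NULL, 0, NULL);

		/* Attempt to remove directories. Will fail if not empty */
		rmdir("/etc/openvpn/fw");
		rmdir("/etc/openvpn");
		vpnlog(VPN_LOG_EXTRA, "Done removing generated files.");
	}

#ifdef LINUX26
	snprintf(buffer, sizeof(buffer), "vpn_server%d", serverNum);
	allow_fastnat(buffer, 1);
	try_enabling_fastnat();
#endif
	vpnlog(VPN_LOG_INFO, "VPN GUI server backend stopped.");
}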
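/* Upper bound on instance numbers accepted from vpn_server_eas / vpn_client_eas */
enum { VPN_EAS_MAX = 4 };

/*
 * Split a comma-separated list of instance numbers (already copied into the
 * writable buffer `list`, which strtok() modifies) into `nums`.  At most
 * VPN_EAS_MAX entries are stored and the list is terminated with a 0 entry,
 * so `nums` must have room for VPN_EAS_MAX + 1 elements.  The original code
 * used a 4-element array and wrote the terminator to nums[4] when four
 * entries were present, one past the end.
 */
static void vpn_eas_parse(char *list, int nums[VPN_EAS_MAX + 1])
{
	char *cur;
	int count = 0;

	for (cur = strtok(list, ","); cur != NULL && count < VPN_EAS_MAX; cur = strtok(NULL, ","))
		nums[count++] = atoi(cur);
	nums[count] = 0;	/* terminator: callers iterate while nums[i] > 0 */
}

/*
 * "Enable at startup" handling: (re)start every OpenVPN server and client
 * instance listed in the vpn_server_eas / vpn_client_eas nvram variables.
 * Instances that are already running are stopped first.  Waits up to ten
 * seconds for the clock to pass Y2K before starting anything (presumably so
 * certificate validity checks see a sane time).
 */
void start_vpn_eas(void)
{
	char buffer[16];	/* list is truncated to 15 chars; enough for VPN_EAS_MAX small numbers */
	int nums[VPN_EAS_MAX + 1];
	int i;

	if (strlen(nvram_safe_get("vpn_server_eas")) == 0 && strlen(nvram_safe_get("vpn_client_eas")) == 0)
		return;

	/* wait for time sync for a while */
	i = 10;
	while (time(0) < Y2K && i--) {
		sleep(1);
	}

	/* Parse and start servers */
	strlcpy(buffer, nvram_safe_get("vpn_server_eas"), sizeof(buffer));
	if (buffer[0] != '\0') {
		vpnlog(VPN_LOG_INFO, "Starting OpenVPN servers (eas): %s", buffer);
	}
	vpn_eas_parse(buffer, nums);
	for (i = 0; nums[i] > 0; i++) {
		snprintf(buffer, sizeof(buffer), "vpnserver%d", nums[i]);
		if (pidof(buffer) >= 0) {
			vpnlog(VPN_LOG_INFO, "Stopping OpenVPN server %d (eas)", nums[i]);
			stop_vpnserver(nums[i]);
		}
		vpnlog(VPN_LOG_INFO, "Starting OpenVPN server %d (eas)", nums[i]);
		start_vpnserver(nums[i]);
	}

	/* Parse and start clients */
	strlcpy(buffer, nvram_safe_get("vpn_client_eas"), sizeof(buffer));
	if (buffer[0] != '\0') {
		vpnlog(VPN_LOG_INFO, "Starting clients (eas): %s", buffer);
	}
	vpn_eas_parse(buffer, nums);
	for (i = 0; nums[i] > 0; i++) {
		snprintf(buffer, sizeof(buffer), "vpnclient%d", nums[i]);
		if (pidof(buffer) >= 0) {
			vpnlog(VPN_LOG_INFO, "Stopping OpenVPN client %d (eas)", nums[i]);
			stop_vpnclient(nums[i]);
		}
		vpnlog(VPN_LOG_INFO, "Starting OpenVPN client %d (eas)", nums[i]);
		start_vpnclient(nums[i]);
	}
}

/*
 * Counterpart of start_vpn_eas(): stop every OpenVPN server and client
 * instance listed in vpn_server_eas / vpn_client_eas that is currently
 * running.  Instances that are not running are left alone.
 */
void stop_vpn_eas(void)
{
	char buffer[16];	/* see start_vpn_eas() */
	int nums[VPN_EAS_MAX + 1];
	int i;

	/* Parse and stop servers */
	strlcpy(buffer, nvram_safe_get("vpn_server_eas"), sizeof(buffer));
	if (buffer[0] != '\0') {
		vpnlog(VPN_LOG_INFO, "Stopping OpenVPN servers (eas): %s", buffer);
	}
	vpn_eas_parse(buffer, nums);
	for (i = 0; nums[i] > 0; i++) {
		snprintf(buffer, sizeof(buffer), "vpnserver%d", nums[i]);
		if (pidof(buffer) >= 0) {
			vpnlog(VPN_LOG_INFO, "Stopping OpenVPN server %d (eas)", nums[i]);
			stop_vpnserver(nums[i]);
		}
	}

	/* Parse and stop clients */
	strlcpy(buffer, nvram_safe_get("vpn_client_eas"), sizeof(buffer));
	if (buffer[0] != '\0') {
		vpnlog(VPN_LOG_INFO, "Stopping OpenVPN clients (eas): %s", buffer);
	}
	vpn_eas_parse(buffer, nums);
	for (i = 0; nums[i] > 0; i++) {
		snprintf(buffer, sizeof(buffer), "vpnclient%d", nums[i]);
		if (pidof(buffer) >= 0) {
			vpnlog(VPN_LOG_INFO, "Stopping OpenVPN client %d (eas)", nums[i]);
			stop_vpnclient(nums[i]);
		}
	}
}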
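/*
 * Run every script in /etc/openvpn/fw through /bin/sh.  These are the
 * per-instance firewall scripts written by start_vpnserver() (and
 * presumably its client counterpart).  Every non-hidden entry in the
 * directory is executed, so nothing but those generated scripts should be
 * placed there.  Returns silently when the directory does not exist or
 * cannot be opened.  Note: the working directory is left at
 * /etc/openvpn/fw on return, as in the original.
 */
void run_vpn_firewall_scripts(void)
{
	DIR *dir;
	struct dirent *file;
	char *fn;
	char *argv[3];

	if (chdir("/etc/openvpn/fw"))
		return;

	/* chdir() succeeding does not guarantee opendir() does (e.g. out of fds);
	 * the original passed a NULL DIR* to readdir() in that case. */
	if ((dir = opendir("/etc/openvpn/fw")) == NULL) {
		vpnlog(VPN_LOG_ERROR, "Unable to open /etc/openvpn/fw");
		return;
	}

	vpnlog(VPN_LOG_EXTRA, "Beginning all firewall scripts...");
	while ((file = readdir(dir)) != NULL) {
		fn = file->d_name;
		if (fn[0] == '.')
			continue;

		vpnlog(VPN_LOG_INFO, "Running firewall script: %s", fn);
		argv[0] = "/bin/sh";
		argv[1] = fn;	/* relative to the cwd set above */
		argv[2] = NULL;
		_eval(argv, NULL, 0, NULL);
	}
	vpnlog(VPN_LOG_EXTRA, "Done with all firewall scripts...");

	closedir(dir);
}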
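/*
 * Append the OpenVPN related dnsmasq configuration to `f`:
 *  - an "interface=" line naming the tap/tun device of each server listed
 *    in vpn_server_dns;
 *  - "strict-order" (once) if any client<N>.resolv file in
 *    /etc/openvpn/dns belongs to a client whose vpn_client<N>_adns is 2;
 *  - the contents of every client<N>.conf file in /etc/openvpn/dns
 *    (matched as client%d.con%c), each followed by a newline.
 *
 * Fixes relative to the original: the directory handle is closed; files
 * are opened by absolute path instead of relying on the caller's working
 * directory; fgetc() results are kept in an int so EOF is not confused
 * with a 0xFF byte; and finding a strict-order client no longer aborts the
 * directory scan, so later client<N>.conf files are still appended.
 */
void write_vpn_dnsmasq_config(FILE* f)
{
	char nv[16];
	char buf[24];
	char path[2 * BUF_SIZE];	/* "/etc/openvpn/dns/" + d_name */
	char *pos, ch;
	int cur, c, len;
	int strict = 0;
	DIR *dir;
	struct dirent *file;
	FILE *dnsf;

	strlcpy(buf, nvram_safe_get("vpn_server_dns"), sizeof(buf));
	for (pos = strtok(buf, ","); pos != NULL; pos = strtok(NULL, ",")) {
		cur = atoi(pos);
		if (!cur)
			continue;

		vpnlog(VPN_LOG_EXTRA, "Adding server %d interface to dns config", cur);
		snprintf(nv, sizeof(nv), "vpn_server%d_if", cur);
		fprintf(f, "interface=%s%d\n", nvram_safe_get(nv), SERVER_IF_START + cur);
	}

	if ((dir = opendir("/etc/openvpn/dns")) == NULL)
		return;

	while ((file = readdir(dir)) != NULL) {
		if (file->d_name[0] == '.')
			continue;

		/* A name cannot match both patterns, so each branch is exclusive */
		if (sscanf(file->d_name, "client%d.resol%c", &cur, &ch) == 2) {
			if (strict)
				continue;	/* already emitted; nothing more to check */
			vpnlog(VPN_LOG_EXTRA, "Checking ADNS settings for client %d", cur);
			snprintf(buf, sizeof(buf), "vpn_client%d_adns", cur);
			if (nvram_get_int(buf) == 2) {
				vpnlog(VPN_LOG_INFO, "Adding strict-order to dnsmasq config for client %d", cur);
				fprintf(f, "strict-order\n");
				strict = 1;
			}
			continue;
		}

		if (sscanf(file->d_name, "client%d.con%c", &cur, &ch) == 2) {
			len = snprintf(path, sizeof(path), "/etc/openvpn/dns/%s", file->d_name);
			if (len < 0 || (size_t)len >= sizeof(path))
				continue;	/* name too long to address safely; skip it */
			if ((dnsf = fopen(path, "r")) == NULL)
				continue;

			vpnlog(VPN_LOG_INFO, "Adding Dnsmasq config from %s", file->d_name);
			while ((c = fgetc(dnsf)) != EOF)
				fputc(c, f);
			fputc('\n', f);	/* terminate the copied file the way the original did at EOF */
			fclose(dnsf);
		}
	}

	closedir(dir);
}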
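/*
 * Append the resolver entries of every client<N>.resolv file in
 * /etc/openvpn/dns to `f`, each file copied verbatim and followed by a
 * newline.  Returns 1 if any such client has vpn_client<N>_adns set to 3
 * (kept in `exclusive`), else 0.  Returns 0 without output when the
 * directory does not exist or cannot be opened.  Note: on success the
 * working directory is left at /etc/openvpn/dns, as in the original.
 *
 * Fixes relative to the original: opendir() failure is checked instead of
 * passing NULL to readdir(); fgetc() results are kept in an int so EOF is
 * not confused with a 0xFF byte; the client number is parsed with %d (as
 * write_vpn_dnsmasq_config() does) so instances above 9 are recognised.
 */
int write_vpn_resolv(FILE* f)
{
	DIR *dir;
	struct dirent *file;
	char *fn, ch, buf[24];
	char path[2 * BUF_SIZE];	/* "/etc/openvpn/dns/" + d_name */
	int num, c, len;
	FILE *dnsf;
	int exclusive = 0;

	if (chdir("/etc/openvpn/dns"))
		return 0;

	if ((dir = opendir("/etc/openvpn/dns")) == NULL)
		return 0;

	vpnlog(VPN_LOG_EXTRA, "Adding DNS entries...");
	while ((file = readdir(dir)) != NULL) {
		fn = file->d_name;

		if (fn[0] == '.')
			continue;

		if (sscanf(fn, "client%d.resol%c", &num, &ch) != 2)
			continue;

		len = snprintf(path, sizeof(path), "/etc/openvpn/dns/%s", fn);
		if (len < 0 || (size_t)len >= sizeof(path))
			continue;	/* name too long to address safely; skip it */
		if ((dnsf = fopen(path, "r")) == NULL)
			continue;

		vpnlog(VPN_LOG_INFO, "Adding DNS entries from %s", fn);
		while ((c = fgetc(dnsf)) != EOF)
			fputc(c, f);
		fputc('\n', f);	/* terminate the copied file the way the original did at EOF */
		fclose(dnsf);

		snprintf(buf, sizeof(buf), "vpn_client%d_adns", num);
		if (nvram_get_int(buf) == 3)
			exclusive = 1;
	}
	vpnlog(VPN_LOG_EXTRA, "Done with DNS entries...");

	closedir(dir);

	return exclusive;
}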