search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge branch 'tomato-RT' into Toastman-RT
[tomato.git] / release / src / router / rc / vpn.c
blob44bdaaa26bf35c852e00402b702b276a52f7daa2
1 /*
2
3 Copyright (C) 2008-2010 Keith Moyer, tomatovpn@keithmoyer.com
4
5 No part of this file may be used without permission.
6
7 */
8
9 #include "rc.h"
10
11 #include <sys/types.h>
12 #include <sys/wait.h>
13 #include <dirent.h>
14 #include <string.h>
15 #include <time.h>
16
17 // Line number as text string
18 #define __LINE_T__ __LINE_T_(__LINE__)
19 #define __LINE_T_(x) __LINE_T(x)
20 #define __LINE_T(x) # x
21
22 #define VPN_LOG_ERROR -1
23 #define VPN_LOG_NOTE 0
24 #define VPN_LOG_INFO 1
25 #define VPN_LOG_EXTRA 2
26 #define vpnlog(level,x...) if(nvram_get_int("vpn_debug")>=level) syslog(LOG_INFO, #level ": " __LINE_T__ ": " x)
27
28 #define CLIENT_IF_START 10
29 #define SERVER_IF_START 20
30
31 #define BUF_SIZE 256
32 #define IF_SIZE 8
33
34 static int waitfor(const char *name)
35 {
36 int pid, n = 5;
37
38 killall_tk(name);
39 while ( (pid = pidof(name)) >= 0 && (n-- > 0) )
40 {
41 // Reap the zombie if it has terminated
42 waitpid(pid, NULL, WNOHANG);
43 sleep(1);
44 }
45 return (pid >= 0);
46 }
47
48 void start_vpnclient(int clientNum)
49 {
50 FILE *fp;
51 char iface[IF_SIZE];
52 char buffer[BUF_SIZE];
53 char *argv[6];
54 int argc = 0;
55 enum { TLS, SECRET, CUSTOM } cryptMode = CUSTOM;
56 enum { TAP, TUN } ifType = TUN;
57 enum { BRIDGE, NAT, NONE } routeMode = NONE;
58 int nvi, ip[4], nm[4];
59 long int nvl;
60 int pid;
61
62 sprintf(&buffer[0], "vpnclient%d", clientNum);
63 if (getpid() != 1) {
64 start_service(&buffer[0]);
65 return;
66 }
67
68 vpnlog(VPN_LOG_INFO,"VPN GUI client backend starting...");
69
70 if ( (pid = pidof(&buffer[0])) >= 0 )
71 {
72 vpnlog(VPN_LOG_NOTE, "VPN Client %d already running...", clientNum);
73 vpnlog(VPN_LOG_INFO,"PID: %d", pid);
74 return;
75 }
76
77 // Determine interface
78 sprintf(&buffer[0], "vpn_client%d_if", clientNum);
79 if ( nvram_contains_word(&buffer[0], "tap") )
80 ifType = TAP;
81 else if ( nvram_contains_word(&buffer[0], "tun") )
82 ifType = TUN;
83 else
84 {
85 vpnlog(VPN_LOG_ERROR, "Invalid interface type, %.3s", nvram_safe_get(&buffer[0]));
86 return;
87 }
88
89 // Build interface name
90 snprintf(&iface[0], IF_SIZE, "%s%d", nvram_safe_get(&buffer[0]), clientNum+CLIENT_IF_START);
91
92 // Determine encryption mode
93 sprintf(&buffer[0], "vpn_client%d_crypt", clientNum);
94 if ( nvram_contains_word(&buffer[0], "tls") )
95 cryptMode = TLS;
96 else if ( nvram_contains_word(&buffer[0], "secret") )
97 cryptMode = SECRET;
98 else if ( nvram_contains_word(&buffer[0], "custom") )
99 cryptMode = CUSTOM;
100 else
101 {
102 vpnlog(VPN_LOG_ERROR,"Invalid encryption mode, %.6s", nvram_safe_get(&buffer[0]));
103 return;
104 }
105
106 // Determine if we should bridge the tunnel
107 sprintf(&buffer[0], "vpn_client%d_bridge", clientNum);
108 if ( ifType == TAP && nvram_get_int(&buffer[0]) == 1 )
109 routeMode = BRIDGE;
110
111 // Determine if we should NAT the tunnel
112 sprintf(&buffer[0], "vpn_client%d_nat", clientNum);
113 if ( (ifType == TUN || routeMode != BRIDGE) && nvram_get_int(&buffer[0]) == 1 )
114 routeMode = NAT;
115
116 // Make sure openvpn directory exists
117 mkdir("/etc/openvpn", 0700);
118 sprintf(&buffer[0], "/etc/openvpn/client%d", clientNum);
119 mkdir(&buffer[0], 0700);
120
121 // Make sure symbolic link exists
122 sprintf(&buffer[0], "/etc/openvpn/vpnclient%d", clientNum);
123 unlink(&buffer[0]);
124 if ( symlink("/usr/sbin/openvpn", &buffer[0]) )
125 {
126 vpnlog(VPN_LOG_ERROR,"Creating symlink failed...");
127 stop_vpnclient(clientNum);
128 return;
129 }
130
131 // Make sure module is loaded
132 modprobe("tun");
133 f_wait_exists("/dev/net/tun", 5);
134
135 // Create tap/tun interface
136 sprintf(&buffer[0], "openvpn --mktun --dev %s", &iface[0]);
137 for (argv[argc=0] = strtok(&buffer[0], " "); argv[argc] != NULL; argv[++argc] = strtok(NULL, " "));
138 if ( _eval(argv, NULL, 0, NULL) )
139 {
140 vpnlog(VPN_LOG_ERROR,"Creating tunnel interface failed...");
141 stop_vpnclient(clientNum);
142 return;
143 }
144
145 // Bring interface up (TAP only)
146 if( ifType == TAP )
147 {
148 if ( routeMode == BRIDGE )
149 {
150 snprintf(&buffer[0], BUF_SIZE, "brctl addif %s %s", nvram_safe_get("lan_ifname"), &iface[0]);
151 for (argv[argc=0] = strtok(&buffer[0], " "); argv[argc] != NULL; argv[++argc] = strtok(NULL, " "));
152 if ( _eval(argv, NULL, 0, NULL) )
153 {
154 vpnlog(VPN_LOG_ERROR,"Adding tunnel interface to bridge failed...");
155 stop_vpnclient(clientNum);
156 return;
157 }
158 }
159
160 snprintf(&buffer[0], BUF_SIZE, "ifconfig %s promisc up", &iface[0]);
161 for (argv[argc=0] = strtok(&buffer[0], " "); argv[argc] != NULL; argv[++argc] = strtok(NULL, " "));
162 if ( _eval(argv, NULL, 0, NULL) )
163 {
164 vpnlog(VPN_LOG_ERROR,"Bringing interface up failed...");
165 stop_vpnclient(clientNum);
166 return;
167 }
168 }
169
170 // Build and write config file
171 vpnlog(VPN_LOG_EXTRA,"Writing config file");
172 sprintf(&buffer[0], "/etc/openvpn/client%d/config.ovpn", clientNum);
173 fp = fopen(&buffer[0], "w");
174 chmod(&buffer[0], S_IRUSR|S_IWUSR);
175 fprintf(fp, "# Automatically generated configuration\n");
176 fprintf(fp, "daemon\n");
177 if ( cryptMode == TLS )
178 fprintf(fp, "client\n");
179 fprintf(fp, "dev %s\n", &iface[0]);
180 sprintf(&buffer[0], "vpn_client%d_proto", clientNum);
181 fprintf(fp, "proto %s\n", nvram_safe_get(&buffer[0]));
182 sprintf(&buffer[0], "vpn_client%d_addr", clientNum);
183 fprintf(fp, "remote %s ", nvram_safe_get(&buffer[0]));
184 sprintf(&buffer[0], "vpn_client%d_port", clientNum);
185 fprintf(fp, "%d\n", nvram_get_int(&buffer[0]));
186 if ( cryptMode == SECRET )
187 {
188 if ( ifType == TUN )
189 {
190 sprintf(&buffer[0], "vpn_client%d_local", clientNum);
191 fprintf(fp, "ifconfig %s ", nvram_safe_get(&buffer[0]));
192 sprintf(&buffer[0], "vpn_client%d_remote", clientNum);
193 fprintf(fp, "%s\n", nvram_safe_get(&buffer[0]));
194 }
195 else if ( ifType == TAP )
196 {
197 sprintf(&buffer[0], "vpn_client%d_local", clientNum);
198 fprintf(fp, "ifconfig %s ", nvram_safe_get(&buffer[0]));
199 sprintf(&buffer[0], "vpn_client%d_nm", clientNum);
200 fprintf(fp, "%s\n", nvram_safe_get(&buffer[0]));
201 }
202 }
203 sprintf(&buffer[0], "vpn_client%d_retry", clientNum);
204 if ( (nvi = nvram_get_int(&buffer[0])) >= 0 )
205 fprintf(fp, "resolv-retry %d\n", nvi);
206 else
207 fprintf(fp, "resolv-retry infinite\n");
208 sprintf(&buffer[0], "vpn_client%d_reneg", clientNum);
209 if ( (nvl = atol(nvram_safe_get(&buffer[0]))) >= 0 )
210 fprintf(fp, "reneg-sec %ld\n", nvl);
211 fprintf(fp, "nobind\n");
212 fprintf(fp, "persist-key\n");
213 fprintf(fp, "persist-tun\n");
214 sprintf(&buffer[0], "vpn_client%d_comp", clientNum);
215 if ( nvram_get_int(&buffer[0]) >= 0 )
216 fprintf(fp, "comp-lzo %s\n", nvram_safe_get(&buffer[0]));
217 sprintf(&buffer[0], "vpn_client%d_cipher", clientNum);
218 if ( !nvram_contains_word(&buffer[0], "default") )
219 fprintf(fp, "cipher %s\n", nvram_safe_get(&buffer[0]));
220 sprintf(&buffer[0], "vpn_client%d_rgw", clientNum);
221 if ( nvram_get_int(&buffer[0]) )
222 {
223 sprintf(&buffer[0], "vpn_client%d_gw", clientNum);
224 if ( ifType == TAP && nvram_safe_get(&buffer[0])[0] != '\0' )
225 fprintf(fp, "route-gateway %s\n", nvram_safe_get(&buffer[0]));
226 fprintf(fp, "redirect-gateway def1\n");
227 }
228 fprintf(fp, "verb 3\n");
229 if ( cryptMode == TLS )
230 {
231 sprintf(&buffer[0], "vpn_client%d_adns", clientNum);
232 if ( nvram_get_int(&buffer[0]) > 0 )
233 {
234 sprintf(&buffer[0], "/etc/openvpn/client%d/updown.sh", clientNum);
235 symlink("/rom/openvpn/updown.sh", &buffer[0]);
236 fprintf(fp, "script-security 2\n");
237 fprintf(fp, "up updown.sh\n");
238 fprintf(fp, "down updown.sh\n");
239 }
240
241 sprintf(&buffer[0], "vpn_client%d_hmac", clientNum);
242 nvi = nvram_get_int(&buffer[0]);
243 sprintf(&buffer[0], "vpn_client%d_static", clientNum);
244 if ( !nvram_is_empty(&buffer[0]) && nvi >= 0 )
245 {
246 fprintf(fp, "tls-auth static.key");
247 if ( nvi < 2 )
248 fprintf(fp, " %d", nvi);
249 fprintf(fp, "\n");
250 }
251
252 sprintf(&buffer[0], "vpn_client%d_ca", clientNum);
253 if ( !nvram_is_empty(&buffer[0]) )
254 fprintf(fp, "ca ca.crt\n");
255 sprintf(&buffer[0], "vpn_client%d_crt", clientNum);
256 if ( !nvram_is_empty(&buffer[0]) )
257 fprintf(fp, "cert client.crt\n");
258 sprintf(&buffer[0], "vpn_client%d_key", clientNum);
259 if ( !nvram_is_empty(&buffer[0]) )
260 fprintf(fp, "key client.key\n");
261 }
262 else if ( cryptMode == SECRET )
263 {
264 sprintf(&buffer[0], "vpn_client%d_static", clientNum);
265 if ( !nvram_is_empty(&buffer[0]) )
266 fprintf(fp, "secret static.key\n");
267 }
268 fprintf(fp, "status-version 2\n");
269 fprintf(fp, "status status\n");
270 fprintf(fp, "\n# Custom Configuration\n");
271 sprintf(&buffer[0], "vpn_client%d_custom", clientNum);
272 fprintf(fp, "%s", nvram_safe_get(&buffer[0]));
273 fclose(fp);
274 vpnlog(VPN_LOG_EXTRA,"Done writing config file");
275
276 // Write certification and key files
277 vpnlog(VPN_LOG_EXTRA,"Writing certs/keys");
278 if ( cryptMode == TLS )
279 {
280 sprintf(&buffer[0], "vpn_client%d_ca", clientNum);
281 if ( !nvram_is_empty(&buffer[0]) )
282 {
283 sprintf(&buffer[0], "/etc/openvpn/client%d/ca.crt", clientNum);
284 fp = fopen(&buffer[0], "w");
285 chmod(&buffer[0], S_IRUSR|S_IWUSR);
286 sprintf(&buffer[0], "vpn_client%d_ca", clientNum);
287 fprintf(fp, "%s", nvram_safe_get(&buffer[0]));
288 fclose(fp);
289 }
290
291 sprintf(&buffer[0], "vpn_client%d_key", clientNum);
292 if ( !nvram_is_empty(&buffer[0]) )
293 {
294 sprintf(&buffer[0], "/etc/openvpn/client%d/client.key", clientNum);
295 fp = fopen(&buffer[0], "w");
296 chmod(&buffer[0], S_IRUSR|S_IWUSR);
297 sprintf(&buffer[0], "vpn_client%d_key", clientNum);
298 fprintf(fp, "%s", nvram_safe_get(&buffer[0]));
299 fclose(fp);
300 }
301
302 sprintf(&buffer[0], "vpn_client%d_crt", clientNum);
303 if ( !nvram_is_empty(&buffer[0]) )
304 {
305 sprintf(&buffer[0], "/etc/openvpn/client%d/client.crt", clientNum);
306 fp = fopen(&buffer[0], "w");
307 chmod(&buffer[0], S_IRUSR|S_IWUSR);
308 sprintf(&buffer[0], "vpn_client%d_crt", clientNum);
309 fprintf(fp, "%s", nvram_safe_get(&buffer[0]));
310 fclose(fp);
311 }
312 }
313 sprintf(&buffer[0], "vpn_client%d_hmac", clientNum);
314 if ( cryptMode == SECRET || (cryptMode == TLS && nvram_get_int(&buffer[0]) >= 0) )
315 {
316 sprintf(&buffer[0], "vpn_client%d_static", clientNum);
317 if ( !nvram_is_empty(&buffer[0]) )
318 {
319 sprintf(&buffer[0], "/etc/openvpn/client%d/static.key", clientNum);
320 fp = fopen(&buffer[0], "w");
321 chmod(&buffer[0], S_IRUSR|S_IWUSR);
322 sprintf(&buffer[0], "vpn_client%d_static", clientNum);
323 fprintf(fp, "%s", nvram_safe_get(&buffer[0]));
324 fclose(fp);
325 }
326 }
327 vpnlog(VPN_LOG_EXTRA,"Done writing certs/keys");
328
329 // Start the VPN client
330 sprintf(&buffer[0], "/etc/openvpn/vpnclient%d --cd /etc/openvpn/client%d --config config.ovpn", clientNum, clientNum);
331 vpnlog(VPN_LOG_INFO,"Starting OpenVPN: %s",&buffer[0]);
332 for (argv[argc=0] = strtok(&buffer[0], " "); argv[argc] != NULL; argv[++argc] = strtok(NULL, " "));
333 if ( _eval(argv, NULL, 0, &pid) )
334 {
335 vpnlog(VPN_LOG_ERROR,"Starting OpenVPN failed...");
336 stop_vpnclient(clientNum);
337 return;
338 }
339 vpnlog(VPN_LOG_EXTRA,"Done starting openvpn");
340
341 // Handle firewall rules if appropriate
342 sprintf(&buffer[0], "vpn_client%d_firewall", clientNum);
343 if ( !nvram_contains_word(&buffer[0], "custom") )
344 {
345 // Create firewall rules
346 vpnlog(VPN_LOG_EXTRA,"Creating firewall rules");
347 mkdir("/etc/openvpn/fw", 0700);
348 sprintf(&buffer[0], "/etc/openvpn/fw/client%d-fw.sh", clientNum);
349 fp = fopen(&buffer[0], "w");
350 chmod(&buffer[0], S_IRUSR|S_IWUSR|S_IXUSR);
351 fprintf(fp, "#!/bin/sh\n");
352 fprintf(fp, "iptables -I INPUT -i %s -j ACCEPT\n", &iface[0]);
353 fprintf(fp, "iptables -I FORWARD -i %s -j ACCEPT\n", &iface[0]);
354 if ( routeMode == NAT )
355 {
356 sscanf(nvram_safe_get("lan_ipaddr"), "%d.%d.%d.%d", &ip[0], &ip[1], &ip[2], &ip[3]);
357 sscanf(nvram_safe_get("lan_netmask"), "%d.%d.%d.%d", &nm[0], &nm[1], &nm[2], &nm[3]);
358 fprintf(fp, "iptables -t nat -I POSTROUTING -s %d.%d.%d.%d/%s -o %s -j MASQUERADE\n",
359 ip[0]&nm[0], ip[1]&nm[1], ip[2]&nm[2], ip[3]&nm[3], nvram_safe_get("lan_netmask"), &iface[0]);
360 }
361 fclose(fp);
362 vpnlog(VPN_LOG_EXTRA,"Done creating firewall rules");
363
364 // Run the firewall rules
365 vpnlog(VPN_LOG_EXTRA,"Running firewall rules");
366 sprintf(&buffer[0], "/etc/openvpn/fw/client%d-fw.sh", clientNum);
367 argv[0] = &buffer[0];
368 argv[1] = NULL;
369 _eval(argv, NULL, 0, NULL);
370 vpnlog(VPN_LOG_EXTRA,"Done running firewall rules");
371 }
372
373 // Set up cron job
374 sprintf(&buffer[0], "vpn_client%d_poll", clientNum);
375 if ( (nvi = nvram_get_int(&buffer[0])) > 0 )
376 {
377 vpnlog(VPN_LOG_EXTRA,"Adding cron job");
378 argv[0] = "cru";
379 argv[1] = "a";
380 sprintf(&buffer[0], "CheckVPNClient%d", clientNum);
381 argv[2] = &buffer[0];
382 sprintf(&buffer[strlen(&buffer[0])+1], "*/%d * * * * service vpnclient%d start", nvi, clientNum);
383 argv[3] = &buffer[strlen(&buffer[0])+1];
384 argv[4] = NULL;
385 _eval(argv, NULL, 0, NULL);
386 vpnlog(VPN_LOG_EXTRA,"Done adding cron job");
387 }
388
389 #ifdef LINUX26
390 sprintf(&buffer[0], "vpn_client%d", clientNum);
391 allow_fastnat(buffer, 0);
392 try_enabling_fastnat();
393 #endif
394 vpnlog(VPN_LOG_INFO,"VPN GUI client backend complete.");
395 }
396
397 void stop_vpnclient(int clientNum)
398 {
399 int argc;
400 char *argv[7];
401 char buffer[BUF_SIZE];
402
403 sprintf(&buffer[0], "vpnclient%d", clientNum);
404 if (getpid() != 1) {
405 stop_service(&buffer[0]);
406 return;
407 }
408
409 vpnlog(VPN_LOG_INFO,"Stopping VPN GUI client backend.");
410
411 // Remove cron job
412 vpnlog(VPN_LOG_EXTRA,"Removing cron job");
413 argv[0] = "cru";
414 argv[1] = "d";
415 sprintf(&buffer[0], "CheckVPNClient%d", clientNum);
416 argv[2] = &buffer[0];
417 argv[3] = NULL;
418 _eval(argv, NULL, 0, NULL);
419 vpnlog(VPN_LOG_EXTRA,"Done removing cron job");
420
421 // Remove firewall rules
422 vpnlog(VPN_LOG_EXTRA,"Removing firewall rules.");
423 sprintf(&buffer[0], "/etc/openvpn/fw/client%d-fw.sh", clientNum);
424 argv[0] = "sed";
425 argv[1] = "-i";
426 argv[2] = "s/-A/-D/g;s/-I/-D/g";
427 argv[3] = &buffer[0];
428 argv[4] = NULL;
429 if (!_eval(argv, NULL, 0, NULL))
430 {
431 argv[0] = &buffer[0];
432 argv[1] = NULL;
433 _eval(argv, NULL, 0, NULL);
434 }
435 vpnlog(VPN_LOG_EXTRA,"Done removing firewall rules.");
436
437 // Stop the VPN client
438 vpnlog(VPN_LOG_EXTRA,"Stopping OpenVPN client.");
439 sprintf(&buffer[0], "vpnclient%d", clientNum);
440 if ( !waitfor(&buffer[0]) )
441 vpnlog(VPN_LOG_EXTRA,"OpenVPN client stopped.");
442
443 // NVRAM setting for device type could have changed, just try to remove both
444 vpnlog(VPN_LOG_EXTRA,"Removing VPN device.");
445 sprintf(&buffer[0], "openvpn --rmtun --dev tap%d", clientNum+CLIENT_IF_START);
446 for (argv[argc=0] = strtok(&buffer[0], " "); argv[argc] != NULL; argv[++argc] = strtok(NULL, " "));
447 _eval(argv, NULL, 0, NULL);
448
449 sprintf(&buffer[0], "openvpn --rmtun --dev tun%d", clientNum+CLIENT_IF_START);
450 for (argv[argc=0] = strtok(&buffer[0], " "); argv[argc] != NULL; argv[++argc] = strtok(NULL, " "));
451 _eval(argv, NULL, 0, NULL);
452 vpnlog(VPN_LOG_EXTRA,"VPN device removed.");
453
454 modprobe_r("tun");
455
456 if ( nvram_get_int("vpn_debug") <= VPN_LOG_EXTRA )
457 {
458 vpnlog(VPN_LOG_EXTRA,"Removing generated files.");
459 // Delete all files for this client
460 sprintf(&buffer[0], "rm -rf /etc/openvpn/client%d /etc/openvpn/fw/client%d-fw.sh /etc/openvpn/vpnclient%d",clientNum,clientNum,clientNum);
461 for (argv[argc=0] = strtok(&buffer[0], " "); argv[argc] != NULL; argv[++argc] = strtok(NULL, " "));
462 _eval(argv, NULL, 0, NULL);
463
464 // Attempt to remove directories. Will fail if not empty
465 rmdir("/etc/openvpn/fw");
466 rmdir("/etc/openvpn");
467 vpnlog(VPN_LOG_EXTRA,"Done removing generated files.");
468 }
469
470 #ifdef LINUX26
471 sprintf(&buffer[0], "vpn_client%d", clientNum);
472 allow_fastnat(buffer, 1);
473 try_enabling_fastnat();
474 #endif
475 vpnlog(VPN_LOG_INFO,"VPN GUI client backend stopped.");
476 }
477
478 void start_vpnserver(int serverNum)
479 {
480 FILE *fp, *ccd;
481 char iface[IF_SIZE];
482 char buffer[BUF_SIZE];
483 char *argv[6], *chp, *route;
484 int argc = 0;
485 int c2c = 0;
486 enum { TAP, TUN } ifType = TUN;
487 enum { TLS, SECRET, CUSTOM } cryptMode = CUSTOM;
488 int nvi, ip[4], nm[4];
489 long int nvl;
490 int pid;
491
492 sprintf(&buffer[0], "vpnserver%d", serverNum);
493 if (getpid() != 1) {
494 start_service(&buffer[0]);
495 return;
496 }
497
498 vpnlog(VPN_LOG_INFO,"VPN GUI server backend starting...");
499
500 if ( (pid = pidof(&buffer[0])) >= 0 )
501 {
502 vpnlog(VPN_LOG_NOTE, "VPN Server %d already running...", serverNum);
503 vpnlog(VPN_LOG_INFO,"PID: %d", pid);
504 return;
505 }
506
507 // Determine interface type
508 sprintf(&buffer[0], "vpn_server%d_if", serverNum);
509 if ( nvram_contains_word(&buffer[0], "tap") )
510 ifType = TAP;
511 else if ( nvram_contains_word(&buffer[0], "tun") )
512 ifType = TUN;
513 else
514 {
515 vpnlog(VPN_LOG_ERROR,"Invalid interface type, %.3s", nvram_safe_get(&buffer[0]));
516 return;
517 }
518
519 // Build interface name
520 snprintf(&iface[0], IF_SIZE, "%s%d", nvram_safe_get(&buffer[0]), serverNum+SERVER_IF_START);
521
522 // Determine encryption mode
523 sprintf(&buffer[0], "vpn_server%d_crypt", serverNum);
524 if ( nvram_contains_word(&buffer[0], "tls") )
525 cryptMode = TLS;
526 else if ( nvram_contains_word(&buffer[0], "secret") )
527 cryptMode = SECRET;
528 else if ( nvram_contains_word(&buffer[0], "custom") )
529 cryptMode = CUSTOM;
530 else
531 {
532 vpnlog(VPN_LOG_ERROR,"Invalid encryption mode, %.6s", nvram_safe_get(&buffer[0]));
533 return;
534 }
535
536 // Make sure openvpn directory exists
537 mkdir("/etc/openvpn", 0700);
538 sprintf(&buffer[0], "/etc/openvpn/server%d", serverNum);
539 mkdir(&buffer[0], 0700);
540
541 // Make sure symbolic link exists
542 sprintf(&buffer[0], "/etc/openvpn/vpnserver%d", serverNum);
543 unlink(&buffer[0]);
544 if ( symlink("/usr/sbin/openvpn", &buffer[0]) )
545 {
546 vpnlog(VPN_LOG_ERROR,"Creating symlink failed...");
547 stop_vpnserver(serverNum);
548 return;
549 }
550
551 // Make sure module is loaded
552 modprobe("tun");
553 f_wait_exists("/dev/net/tun", 5);
554
555 // Create tap/tun interface
556 sprintf(&buffer[0], "openvpn --mktun --dev %s", &iface[0]);
557 for (argv[argc=0] = strtok(&buffer[0], " "); argv[argc] != NULL; argv[++argc] = strtok(NULL, " "));
558 if ( _eval(argv, NULL, 0, NULL) )
559 {
560 vpnlog(VPN_LOG_ERROR,"Creating tunnel interface failed...");
561 stop_vpnserver(serverNum);
562 return;
563 }
564
565 // Add interface to LAN bridge (TAP only)
566 if( ifType == TAP )
567 {
568 snprintf(&buffer[0], BUF_SIZE, "brctl addif %s %s", nvram_safe_get("lan_ifname"), &iface[0]);
569 for (argv[argc=0] = strtok(&buffer[0], " "); argv[argc] != NULL; argv[++argc] = strtok(NULL, " "));
570 if ( _eval(argv, NULL, 0, NULL) )
571 {
572 vpnlog(VPN_LOG_ERROR,"Adding tunnel interface to bridge failed...");
573 stop_vpnserver(serverNum);
574 return;
575 }
576 }
577
578 // Bring interface up
579 sprintf(&buffer[0], "ifconfig %s 0.0.0.0 promisc up", &iface[0]);
580 for (argv[argc=0] = strtok(&buffer[0], " "); argv[argc] != NULL; argv[++argc] = strtok(NULL, " "));
581 if ( _eval(argv, NULL, 0, NULL) )
582 {
583 vpnlog(VPN_LOG_ERROR,"Bringing up tunnel interface failed...");
584 stop_vpnserver(serverNum);
585 return;
586 }
587
588 // Build and write config files
589 vpnlog(VPN_LOG_EXTRA,"Writing config file");
590 sprintf(&buffer[0], "/etc/openvpn/server%d/config.ovpn", serverNum);
591 fp = fopen(&buffer[0], "w");
592 chmod(&buffer[0], S_IRUSR|S_IWUSR);
593 fprintf(fp, "# Automatically generated configuration\n");
594 fprintf(fp, "daemon\n");
595 if ( cryptMode == TLS )
596 {
597 if ( ifType == TUN )
598 {
599 sprintf(&buffer[0], "vpn_server%d_sn", serverNum);
600 fprintf(fp, "server %s ", nvram_safe_get(&buffer[0]));
601 sprintf(&buffer[0], "vpn_server%d_nm", serverNum);
602 fprintf(fp, "%s\n", nvram_safe_get(&buffer[0]));
603 }
604 else if ( ifType == TAP )
605 {
606 fprintf(fp, "server-bridge");
607 sprintf(&buffer[0], "vpn_server%d_dhcp", serverNum);
608 if ( nvram_get_int(&buffer[0]) == 0 )
609 {
610 fprintf(fp, " %s ", nvram_safe_get("lan_ipaddr"));
611 fprintf(fp, "%s ", nvram_safe_get("lan_netmask"));
612 sprintf(&buffer[0], "vpn_server%d_r1", serverNum);
613 fprintf(fp, "%s ", nvram_safe_get(&buffer[0]));
614 sprintf(&buffer[0], "vpn_server%d_r2", serverNum);
615 fprintf(fp, "%s", nvram_safe_get(&buffer[0]));
616 }
617 fprintf(fp, "\n");
618 }
619 }
620 else if ( cryptMode == SECRET )
621 {
622 if ( ifType == TUN )
623 {
624 sprintf(&buffer[0], "vpn_server%d_local", serverNum);
625 fprintf(fp, "ifconfig %s ", nvram_safe_get(&buffer[0]));
626 sprintf(&buffer[0], "vpn_server%d_remote", serverNum);
627 fprintf(fp, "%s\n", nvram_safe_get(&buffer[0]));
628 }
629 }
630 sprintf(&buffer[0], "vpn_server%d_proto", serverNum);
631 fprintf(fp, "proto %s\n", nvram_safe_get(&buffer[0]));
632 sprintf(&buffer[0], "vpn_server%d_port", serverNum);
633 fprintf(fp, "port %d\n", nvram_get_int(&buffer[0]));
634 fprintf(fp, "dev %s\n", &iface[0]);
635 sprintf(&buffer[0], "vpn_server%d_cipher", serverNum);
636 if ( !nvram_contains_word(&buffer[0], "default") )
637 fprintf(fp, "cipher %s\n", nvram_safe_get(&buffer[0]));
638 sprintf(&buffer[0], "vpn_server%d_comp", serverNum);
639 if ( nvram_get_int(&buffer[0]) >= 0 )
640 fprintf(fp, "comp-lzo %s\n", nvram_safe_get(&buffer[0]));
641 sprintf(&buffer[0], "vpn_server%d_reneg", serverNum);
642 if ( (nvl = atol(nvram_safe_get(&buffer[0]))) >= 0 )
643 fprintf(fp, "reneg-sec %ld\n", nvl);
644 fprintf(fp, "keepalive 15 60\n");
645 fprintf(fp, "verb 3\n");
646 if ( cryptMode == TLS )
647 {
648 sprintf(&buffer[0], "vpn_server%d_plan", serverNum);
649 if ( ifType == TUN && nvram_get_int(&buffer[0]) )
650 {
651 sscanf(nvram_safe_get("lan_ipaddr"), "%d.%d.%d.%d", &ip[0], &ip[1], &ip[2], &ip[3]);
652 sscanf(nvram_safe_get("lan_netmask"), "%d.%d.%d.%d", &nm[0], &nm[1], &nm[2], &nm[3]);
653 fprintf(fp, "push \"route %d.%d.%d.%d %s\"\n", ip[0]&nm[0], ip[1]&nm[1], ip[2]&nm[2], ip[3]&nm[3],
654 nvram_safe_get("lan_netmask"));
655 }
656
657 sprintf(&buffer[0], "vpn_server%d_ccd", serverNum);
658 if ( nvram_get_int(&buffer[0]) )
659 {
660 fprintf(fp, "client-config-dir ccd\n");
661
662 sprintf(&buffer[0], "vpn_server%d_c2c", serverNum);
663 if ( (c2c = nvram_get_int(&buffer[0])) )
664 fprintf(fp, "client-to-client\n");
665
666 sprintf(&buffer[0], "vpn_server%d_ccd_excl", serverNum);
667 if ( nvram_get_int(&buffer[0]) )
668 fprintf(fp, "ccd-exclusive\n");
669
670 sprintf(&buffer[0], "/etc/openvpn/server%d/ccd", serverNum);
671 mkdir(&buffer[0], 0700);
672 chdir(&buffer[0]);
673
674 sprintf(&buffer[0], "vpn_server%d_ccd_val", serverNum);
675 strcpy(&buffer[0], nvram_safe_get(&buffer[0]));
676 chp = strtok(&buffer[0],">");
677 while ( chp != NULL )
678 {
679 nvi = strlen(chp);
680
681 chp[strcspn(chp,"<")] = '\0';
682 vpnlog(VPN_LOG_EXTRA,"CCD: enabled: %d", atoi(chp));
683 if ( atoi(chp) == 1 )
684 {
685 nvi -= strlen(chp)+1;
686 chp += strlen(chp)+1;
687
688 ccd = NULL;
689 route = NULL;
690 if ( nvi > 0 )
691 {
692 chp[strcspn(chp,"<")] = '\0';
693 vpnlog(VPN_LOG_EXTRA,"CCD: Common name: %s", chp);
694 ccd = fopen(chp, "w");
695 chmod(chp, S_IRUSR|S_IWUSR);
696
697 nvi -= strlen(chp)+1;
698 chp += strlen(chp)+1;
699 }
700 if ( nvi > 0 && ccd != NULL && strcspn(chp,"<") != strlen(chp) )
701 {
702 chp[strcspn(chp,"<")] = ' ';
703 chp[strcspn(chp,"<")] = '\0';
704 route = chp;
705 vpnlog(VPN_LOG_EXTRA,"CCD: Route: %s", chp);
706 if ( strlen(route) > 1 )
707 {
708 fprintf(ccd, "iroute %s\n", route);
709 fprintf(fp, "route %s\n", route);
710 }
711
712 nvi -= strlen(chp)+1;
713 chp += strlen(chp)+1;
714 }
715 if ( ccd != NULL )
716 fclose(ccd);
717 if ( nvi > 0 && route != NULL )
718 {
719 chp[strcspn(chp,"<")] = '\0';
720 vpnlog(VPN_LOG_EXTRA,"CCD: Push: %d", atoi(chp));
721 if ( c2c && atoi(chp) == 1 && strlen(route) > 1 )
722 fprintf(fp, "push \"route %s\"\n", route);
723
724 nvi -= strlen(chp)+1;
725 chp += strlen(chp)+1;
726 }
727
728 vpnlog(VPN_LOG_EXTRA,"CCD leftover: %d", nvi+1);
729 }
730 // Advance to next entry
731 chp = strtok(NULL, ">");
732 }
733 vpnlog(VPN_LOG_EXTRA,"CCD processing complete");
734 }
735
736 sprintf(&buffer[0], "vpn_server%d_pdns", serverNum);
737 if ( nvram_get_int(&buffer[0]) )
738 {
739 if ( nvram_safe_get("wan_domain")[0] != '\0' )
740 fprintf(fp, "push \"dhcp-option DOMAIN %s\"\n", nvram_safe_get("wan_domain"));
741 if ( (nvram_safe_get("wan_wins")[0] != '\0' && strcmp(nvram_safe_get("wan_wins"), "0.0.0.0") != 0) )
742 fprintf(fp, "push \"dhcp-option WINS %s\"\n", nvram_safe_get("wan_wins"));
743 fprintf(fp, "push \"dhcp-option DNS %s\"\n", nvram_safe_get("lan_ipaddr"));
744 }
745
746 sprintf(&buffer[0], "vpn_server%d_rgw", serverNum);
747 if ( nvram_get_int(&buffer[0]) )
748 {
749 if ( ifType == TAP )
750 fprintf(fp, "push \"route-gateway %s\"\n", nvram_safe_get("lan_ipaddr"));
751 fprintf(fp, "push \"redirect-gateway def1\"\n");
752 }
753
754 sprintf(&buffer[0], "vpn_server%d_hmac", serverNum);
755 nvi = nvram_get_int(&buffer[0]);
756 sprintf(&buffer[0], "vpn_server%d_static", serverNum);
757 if ( !nvram_is_empty(&buffer[0]) && nvi >= 0 )
758 {
759 fprintf(fp, "tls-auth static.key");
760 if ( nvi < 2 )
761 fprintf(fp, " %d", nvi);
762 fprintf(fp, "\n");
763 }
764
765 sprintf(&buffer[0], "vpn_server%d_ca", serverNum);
766 if ( !nvram_is_empty(&buffer[0]) )
767 fprintf(fp, "ca ca.crt\n");
768 sprintf(&buffer[0], "vpn_server%d_dh", serverNum);
769 if ( !nvram_is_empty(&buffer[0]) )
770 fprintf(fp, "dh dh.pem\n");
771 sprintf(&buffer[0], "vpn_server%d_crt", serverNum);
772 if ( !nvram_is_empty(&buffer[0]) )
773 fprintf(fp, "cert server.crt\n");
774 sprintf(&buffer[0], "vpn_server%d_key", serverNum);
775 if ( !nvram_is_empty(&buffer[0]) )
776 fprintf(fp, "key server.key\n");
777 }
778 else if ( cryptMode == SECRET )
779 {
780 sprintf(&buffer[0], "vpn_server%d_static", serverNum);
781 if ( !nvram_is_empty(&buffer[0]) )
782 fprintf(fp, "secret static.key\n");
783 }
784 fprintf(fp, "status-version 2\n");
785 fprintf(fp, "status status\n");
786 fprintf(fp, "\n# Custom Configuration\n");
787 sprintf(&buffer[0], "vpn_server%d_custom", serverNum);
788 fprintf(fp, "%s", nvram_safe_get(&buffer[0]));
789 fclose(fp);
790 vpnlog(VPN_LOG_EXTRA,"Done writing config file");
791
792 // Write certification and key files
793 vpnlog(VPN_LOG_EXTRA,"Writing certs/keys");
794 if ( cryptMode == TLS )
795 {
796 sprintf(&buffer[0], "vpn_server%d_ca", serverNum);
797 if ( !nvram_is_empty(&buffer[0]) )
798 {
799 sprintf(&buffer[0], "/etc/openvpn/server%d/ca.crt", serverNum);
800 fp = fopen(&buffer[0], "w");
801 chmod(&buffer[0], S_IRUSR|S_IWUSR);
802 sprintf(&buffer[0], "vpn_server%d_ca", serverNum);
803 fprintf(fp, "%s", nvram_safe_get(&buffer[0]));
804 fclose(fp);
805 }
806
807 sprintf(&buffer[0], "vpn_server%d_key", serverNum);
808 if ( !nvram_is_empty(&buffer[0]) )
809 {
810 sprintf(&buffer[0], "/etc/openvpn/server%d/server.key", serverNum);
811 fp = fopen(&buffer[0], "w");
812 chmod(&buffer[0], S_IRUSR|S_IWUSR);
813 sprintf(&buffer[0], "vpn_server%d_key", serverNum);
814 fprintf(fp, "%s", nvram_safe_get(&buffer[0]));
815 fclose(fp);
816 }
817
818 sprintf(&buffer[0], "vpn_server%d_crt", serverNum);
819 if ( !nvram_is_empty(&buffer[0]) )
820 {
821 sprintf(&buffer[0], "/etc/openvpn/server%d/server.crt", serverNum);
822 fp = fopen(&buffer[0], "w");
823 chmod(&buffer[0], S_IRUSR|S_IWUSR);
824 sprintf(&buffer[0], "vpn_server%d_crt", serverNum);
825 fprintf(fp, "%s", nvram_safe_get(&buffer[0]));
826 fclose(fp);
827 }
828
829 sprintf(&buffer[0], "vpn_server%d_dh", serverNum);
830 if ( !nvram_is_empty(&buffer[0]) )
831 {
832 sprintf(&buffer[0], "/etc/openvpn/server%d/dh.pem", serverNum);
833 fp = fopen(&buffer[0], "w");
834 chmod(&buffer[0], S_IRUSR|S_IWUSR);
835 sprintf(&buffer[0], "vpn_server%d_dh", serverNum);
836 fprintf(fp, "%s", nvram_safe_get(&buffer[0]));
837 fclose(fp);
838 }
839 }
840 sprintf(&buffer[0], "vpn_server%d_hmac", serverNum);
841 if ( cryptMode == SECRET || (cryptMode == TLS && nvram_get_int(&buffer[0]) >= 0) )
842 {
843 sprintf(&buffer[0], "vpn_server%d_static", serverNum);
844 if ( !nvram_is_empty(&buffer[0]) )
845 {
846 sprintf(&buffer[0], "/etc/openvpn/server%d/static.key", serverNum);
847 fp = fopen(&buffer[0], "w");
848 chmod(&buffer[0], S_IRUSR|S_IWUSR);
849 sprintf(&buffer[0], "vpn_server%d_static", serverNum);
850 fprintf(fp, "%s", nvram_safe_get(&buffer[0]));
851 fclose(fp);
852 }
853 }
854 vpnlog(VPN_LOG_EXTRA,"Done writing certs/keys");
855
856 sprintf(&buffer[0], "/etc/openvpn/vpnserver%d --cd /etc/openvpn/server%d --config config.ovpn", serverNum, serverNum);
857 vpnlog(VPN_LOG_INFO,"Starting OpenVPN: %s",&buffer[0]);
858 for (argv[argc=0] = strtok(&buffer[0], " "); argv[argc] != NULL; argv[++argc] = strtok(NULL, " "));
859 if ( _eval(argv, NULL, 0, &pid) )
860 {
861 vpnlog(VPN_LOG_ERROR,"Starting VPN instance failed...");
862 stop_vpnserver(serverNum);
863 return;
864 }
865 vpnlog(VPN_LOG_EXTRA,"Done starting openvpn");
866
867 // Handle firewall rules if appropriate
868 sprintf(&buffer[0], "vpn_server%d_firewall", serverNum);
869 if ( !nvram_contains_word(&buffer[0], "custom") )
870 {
871 // Create firewall rules
872 vpnlog(VPN_LOG_EXTRA,"Creating firewall rules");
873 mkdir("/etc/openvpn/fw", 0700);
874 sprintf(&buffer[0], "/etc/openvpn/fw/server%d-fw.sh", serverNum);
875 fp = fopen(&buffer[0], "w");
876 chmod(&buffer[0], S_IRUSR|S_IWUSR|S_IXUSR);
877 fprintf(fp, "#!/bin/sh\n");
878 sprintf(&buffer[0], "vpn_server%d_proto", serverNum);
879 strncpy(&buffer[0], nvram_safe_get(&buffer[0]), BUF_SIZE);
880 fprintf(fp, "iptables -t nat -I PREROUTING -p %s ", strtok(&buffer[0], "-"));
881 sprintf(&buffer[0], "vpn_server%d_port", serverNum);
882 fprintf(fp, "--dport %d -j ACCEPT\n", nvram_get_int(&buffer[0]));
883 sprintf(&buffer[0], "vpn_server%d_proto", serverNum);
884 strncpy(&buffer[0], nvram_safe_get(&buffer[0]), BUF_SIZE);
885 fprintf(fp, "iptables -I INPUT -p %s ", strtok(&buffer[0], "-"));
886 sprintf(&buffer[0], "vpn_server%d_port", serverNum);
887 fprintf(fp, "--dport %d -j ACCEPT\n", nvram_get_int(&buffer[0]));
888 sprintf(&buffer[0], "vpn_server%d_firewall", serverNum);
889 if ( !nvram_contains_word(&buffer[0], "external") )
890 {
891 fprintf(fp, "iptables -I INPUT -i %s -j ACCEPT\n", &iface[0]);
892 fprintf(fp, "iptables -I FORWARD -i %s -j ACCEPT\n", &iface[0]);
893 }
894 fclose(fp);
895 vpnlog(VPN_LOG_EXTRA,"Done creating firewall rules");
896
897 // Run the firewall rules
898 vpnlog(VPN_LOG_EXTRA,"Running firewall rules");
899 sprintf(&buffer[0], "/etc/openvpn/fw/server%d-fw.sh", serverNum);
900 argv[0] = &buffer[0];
901 argv[1] = NULL;
902 _eval(argv, NULL, 0, NULL);
903 vpnlog(VPN_LOG_EXTRA,"Done running firewall rules");
904 }
905
906 // Set up cron job
907 sprintf(&buffer[0], "vpn_server%d_poll", serverNum);
908 if ( (nvi = nvram_get_int(&buffer[0])) > 0 )
909 {
910 vpnlog(VPN_LOG_EXTRA,"Adding cron job");
911 argv[0] = "cru";
912 argv[1] = "a";
913 sprintf(&buffer[0], "CheckVPNServer%d", serverNum);
914 argv[2] = &buffer[0];
915 sprintf(&buffer[strlen(&buffer[0])+1], "*/%d * * * * service vpnserver%d start", nvi, serverNum);
916 argv[3] = &buffer[strlen(&buffer[0])+1];
917 argv[4] = NULL;
918 _eval(argv, NULL, 0, NULL);
919 vpnlog(VPN_LOG_EXTRA,"Done adding cron job");
920 }
921
922 #ifdef LINUX26
923 sprintf(&buffer[0], "vpn_server%d", serverNum);
924 allow_fastnat(buffer, 0);
925 try_enabling_fastnat();
926 #endif
927 vpnlog(VPN_LOG_INFO,"VPN GUI server backend complete.");
928 }
929
930 void stop_vpnserver(int serverNum)
931 {
932 int argc;
933 char *argv[9];
934 char buffer[BUF_SIZE];
935
936 sprintf(&buffer[0], "vpnserver%d", serverNum);
937 if (getpid() != 1) {
938 stop_service(&buffer[0]);
939 return;
940 }
941
942 vpnlog(VPN_LOG_INFO,"Stopping VPN GUI server backend.");
943
944 // Remove cron job
945 vpnlog(VPN_LOG_EXTRA,"Removing cron job");
946 argv[0] = "cru";
947 argv[1] = "d";
948 sprintf(&buffer[0], "CheckVPNServer%d", serverNum);
949 argv[2] = &buffer[0];
950 argv[3] = NULL;
951 _eval(argv, NULL, 0, NULL);
952 vpnlog(VPN_LOG_EXTRA,"Done removing cron job");
953
954 // Remove firewall rules
955 vpnlog(VPN_LOG_EXTRA,"Removing firewall rules.");
956 sprintf(&buffer[0], "/etc/openvpn/fw/server%d-fw.sh", serverNum);
957 argv[0] = "sed";
958 argv[1] = "-i";
959 argv[2] = "s/-A/-D/g;s/-I/-D/g";
960 argv[3] = &buffer[0];
961 argv[4] = NULL;
962 if (!_eval(argv, NULL, 0, NULL))
963 {
964 argv[0] = &buffer[0];
965 argv[1] = NULL;
966 _eval(argv, NULL, 0, NULL);
967 }
968 vpnlog(VPN_LOG_EXTRA,"Done removing firewall rules.");
969
970 // Stop the VPN server
971 vpnlog(VPN_LOG_EXTRA,"Stopping OpenVPN server.");
972 sprintf(&buffer[0], "vpnserver%d", serverNum);
973 if ( !waitfor(&buffer[0]) )
974 vpnlog(VPN_LOG_EXTRA,"OpenVPN server stopped.");
975
976 // NVRAM setting for device type could have changed, just try to remove both
977 vpnlog(VPN_LOG_EXTRA,"Removing VPN device.");
978 sprintf(&buffer[0], "openvpn --rmtun --dev tap%d", serverNum+SERVER_IF_START);
979 for (argv[argc=0] = strtok(&buffer[0], " "); argv[argc] != NULL; argv[++argc] = strtok(NULL, " "));
980 _eval(argv, NULL, 0, NULL);
981
982 sprintf(&buffer[0], "openvpn --rmtun --dev tun%d", serverNum+SERVER_IF_START);
983 for (argv[argc=0] = strtok(&buffer[0], " "); argv[argc] != NULL; argv[++argc] = strtok(NULL, " "));
984 _eval(argv, NULL, 0, NULL);
985 vpnlog(VPN_LOG_EXTRA,"VPN device removed.");
986
987 modprobe_r("tun");
988
989 if ( nvram_get_int("vpn_debug") <= VPN_LOG_EXTRA )
990 {
991 vpnlog(VPN_LOG_EXTRA,"Removing generated files.");
992 // Delete all files for this server
993 sprintf(&buffer[0], "rm -rf /etc/openvpn/server%d /etc/openvpn/fw/server%d-fw.sh /etc/openvpn/vpnserver%d",serverNum,serverNum,serverNum);
994 for (argv[argc=0] = strtok(&buffer[0], " "); argv[argc] != NULL; argv[++argc] = strtok(NULL, " "));
995 _eval(argv, NULL, 0, NULL);
996
997 // Attempt to remove directories. Will fail if not empty
998 rmdir("/etc/openvpn/fw");
999 rmdir("/etc/openvpn");
1000 vpnlog(VPN_LOG_EXTRA,"Done removing generated files.");
1001 }
1002
1003 #ifdef LINUX26
1004 sprintf(&buffer[0], "vpn_server%d", serverNum);
1005 allow_fastnat(buffer, 1);
1006 try_enabling_fastnat();
1007 #endif
1008 vpnlog(VPN_LOG_INFO,"VPN GUI server backend stopped.");
1009 }
1010
1011 void start_vpn_eas()
1012 {
1013 char buffer[16], *cur;
1014 int nums[4], i;
1015
1016 if (strlen(nvram_safe_get("vpn_server_eas")) == 0 && strlen(nvram_safe_get("vpn_client_eas")) == 0) return;
1017 // wait for time sync for a while
1018 i = 10;
1019 while (time(0) < Y2K && i--) {
1020 sleep(1);
1021 }
1022
1023 // Parse and start servers
1024 strlcpy(&buffer[0], nvram_safe_get("vpn_server_eas"), sizeof(buffer));
1025 if ( strlen(&buffer[0]) != 0 ) vpnlog(VPN_LOG_INFO, "Starting servers (eas): %s", &buffer[0]);
1026 i = 0;
1027 for( cur = strtok(&buffer[0],","); cur != NULL && i < 4; cur = strtok(NULL, ",")) { nums[i++] = atoi(cur); }
1028 nums[i] = 0;
1029 for( i = 0; nums[i] > 0; i++ )
1030 {
1031 sprintf(&buffer[0], "vpnserver%d", nums[i]);
1032 if ( pidof(&buffer[0]) >= 0 )
1033 {
1034 vpnlog(VPN_LOG_INFO, "Stopping server %d (eas)", nums[i]);
1035 stop_vpnserver(nums[i]);
1036 }
1037
1038 vpnlog(VPN_LOG_INFO, "Starting server %d (eas)", nums[i]);
1039 start_vpnserver(nums[i]);
1040 }
1041
1042 // Parse and start clients
1043 strlcpy(&buffer[0], nvram_safe_get("vpn_client_eas"), sizeof(buffer));
1044 if ( strlen(&buffer[0]) != 0 ) vpnlog(VPN_LOG_INFO, "Starting clients (eas): %s", &buffer[0]);
1045 i = 0;
1046 for( cur = strtok(&buffer[0],","); cur != NULL && i < 4; cur = strtok(NULL, ",")) { nums[i++] = atoi(cur); }
1047 nums[i] = 0;
1048 for( i = 0; nums[i] > 0; i++ )
1049 {
1050 sprintf(&buffer[0], "vpnclient%d", nums[i]);
1051 if ( pidof(&buffer[0]) >= 0 )
1052 {
1053 vpnlog(VPN_LOG_INFO, "Stopping client %d (eas)", nums[i]);
1054 stop_vpnclient(nums[i]);
1055 }
1056
1057 vpnlog(VPN_LOG_INFO, "Starting client %d (eas)", nums[i]);
1058 start_vpnclient(nums[i]);
1059 }
1060 }
1061
1062 void run_vpn_firewall_scripts()
1063 {
1064 DIR *dir;
1065 struct dirent *file;
1066 char *fn;
1067 char *argv[3];
1068
1069 if ( chdir("/etc/openvpn/fw") )
1070 return;
1071
1072 dir = opendir("/etc/openvpn/fw");
1073
1074 vpnlog(VPN_LOG_EXTRA,"Beginning all firewall scripts...");
1075 while ( (file = readdir(dir)) != NULL )
1076 {
1077 fn = file->d_name;
1078 if ( fn[0] == '.' )
1079 continue;
1080 vpnlog(VPN_LOG_INFO,"Running firewall script: %s", fn);
1081 argv[0] = "/bin/sh";
1082 argv[1] = fn;
1083 argv[2] = NULL;
1084 _eval(argv, NULL, 0, NULL);
1085 }
1086 vpnlog(VPN_LOG_EXTRA,"Done with all firewall scripts...");
1087
1088 closedir(dir);
1089 }
1090
1091 void write_vpn_dnsmasq_config(FILE* f)
1092 {
1093 char nv[16];
1094 char buf[24];
1095 char *pos, ch;
1096 int cur;
1097 DIR *dir;
1098 struct dirent *file;
1099 FILE *dnsf;
1100
1101 strlcpy(&buf[0], nvram_safe_get("vpn_server_dns"), sizeof(buf));
1102 for ( pos = strtok(&buf[0],","); pos != NULL; pos=strtok(NULL, ",") )
1103 {
1104 cur = atoi(pos);
1105 if ( cur )
1106 {
1107 vpnlog(VPN_LOG_EXTRA, "Adding server %d interface to dns config", cur);
1108 snprintf(&nv[0], sizeof(nv), "vpn_server%d_if", cur);
1109 fprintf(f, "interface=%s%d\n", nvram_safe_get(&nv[0]), SERVER_IF_START+cur);
1110 }
1111 }
1112
1113 if ( (dir = opendir("/etc/openvpn/dns")) != NULL )
1114 {
1115 while ( (file = readdir(dir)) != NULL )
1116 {
1117 if ( file->d_name[0] == '.' )
1118 continue;
1119
1120 if ( sscanf(file->d_name, "client%d.resol%c", &cur, &ch) == 2 )
1121 {
1122 vpnlog(VPN_LOG_EXTRA, "Checking ADNS settings for client %d", cur);
1123 snprintf(&buf[0], sizeof(buf), "vpn_client%d_adns", cur);
1124 if ( nvram_get_int(&buf[0]) == 2 )
1125 {
1126 vpnlog(VPN_LOG_INFO, "Adding strict-order to dnsmasq config for client %d", cur);
1127 fprintf(f, "strict-order\n");
1128 break;
1129 }
1130 }
1131
1132 if ( sscanf(file->d_name, "client%d.con%c", &cur, &ch) == 2 )
1133 {
1134 if ( (dnsf = fopen(file->d_name, "r")) != NULL )
1135 {
1136 vpnlog(VPN_LOG_INFO, "Adding Dnsmasq config from %s", file->d_name);
1137
1138 while( !feof(dnsf) )
1139 {
1140 ch = fgetc(dnsf);
1141 fputc(ch==EOF?'\n':ch, f);
1142 }
1143
1144 fclose(dnsf);
1145 }
1146 }
1147 }
1148 }
1149 }
1150
1151 int write_vpn_resolv(FILE* f)
1152 {
1153 DIR *dir;
1154 struct dirent *file;
1155 char *fn, ch, num, buf[24];
1156 FILE *dnsf;
1157 int exclusive = 0;
1158
1159 if ( chdir("/etc/openvpn/dns") )
1160 return 0;
1161
1162 dir = opendir("/etc/openvpn/dns");
1163
1164 vpnlog(VPN_LOG_EXTRA, "Adding DNS entries...");
1165 while ( (file = readdir(dir)) != NULL )
1166 {
1167 fn = file->d_name;
1168
1169 if ( fn[0] == '.' )
1170 continue;
1171
1172 if ( sscanf(fn, "client%c.resol%c", &num, &ch) == 2 )
1173 {
1174 if ( (dnsf = fopen(fn, "r")) == NULL )
1175 continue;
1176
1177 vpnlog(VPN_LOG_INFO,"Adding DNS entries from %s", fn);
1178
1179 while( !feof(dnsf) )
1180 {
1181 ch = fgetc(dnsf);
1182 fputc(ch==EOF?'\n':ch, f);
1183 }
1184
1185 fclose(dnsf);
1186
1187 snprintf(&buf[0], sizeof(buf), "vpn_client%c_adns", num);
1188 if ( nvram_get_int(&buf[0]) == 3 )
1189 exclusive = 1;
1190 }
1191 }
1192 vpnlog(VPN_LOG_EXTRA, "Done with DNS entries...");
1193
1194 closedir(dir);
1195
1196 return exclusive;
1197 }
1198
Tomato firmware and modifications.