1 /*
3 Copyright (C) 2008-2010 Keith Moyer, tomatovpn@keithmoyer.com
5 No part of this file may be used without permission.
7 */
#include "rc.h"

#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
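// Line number as text string (two-step expansion so that __LINE__ is
// expanded before it is stringized).
// NOTE(review): identifiers starting with a double underscore are reserved
// for the implementation; the names are kept because other translation
// units may already use them.
#define __LINE_T__ __LINE_T_(__LINE__)
#define __LINE_T_(x) __LINE_T(x)
#define __LINE_T(x) # x

// Log levels, compared against the nvram integer "vpn_debug": a message is
// emitted only when vpn_debug >= its level.
#define VPN_LOG_ERROR -1
#define VPN_LOG_NOTE 0
#define VPN_LOG_INFO 1
#define VPN_LOG_EXTRA 2
// Log to syslog with the level name and the source line prepended.
// `level` is stringized, so pass one of the VPN_LOG_* names.
// Wrapped in do { } while (0): the bare `if` this used to expand to would
// capture a following `else` (`if (c) vpnlog(...); else ...`).
#define vpnlog(level, ...) \
	do { \
		if (nvram_get_int("vpn_debug") >= (level)) \
			syslog(LOG_INFO, #level ": " __LINE_T__ ": " __VA_ARGS__); \
	} while (0)

// First interface index used by client/server instances ("tun11", "tap21", ...)
#define CLIENT_IF_START 10
#define SERVER_IF_START 20

#define BUF_SIZE 256	// scratch buffer for nvram names, paths and commands
#define IF_SIZE 8	// interface name buffer ("tap" / "tun" + number)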
/*
 * Call killall_tk() on every process named NAME, then poll pidof() for up
 * to five seconds, reaping the process with waitpid() in case it is a
 * child of ours.  Returns non-zero when a process of that name is still
 * present afterwards, zero when none is left.
 */
static int waitfor(const char *name)
{
	int attempts_left = 5;
	int pid;

	killall_tk(name);
	for (;;) {
		pid = pidof(name);
		if (pid < 0 || attempts_left-- <= 0)
			break;
		// Reap the zombie if it has terminated, then give it another second
		waitpid(pid, NULL, WNOHANG);
		sleep(1);
	}
	return pid >= 0;
}
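/*
 * Open PATH for writing (create or truncate) with permission bits MODE
 * applied to the descriptor before any data is written.  The previous
 * fopen()-then-chmod() sequence created key and credential files with the
 * process umask first and tightened them afterwards.  O_CREAT's mode is
 * ignored for an existing file, hence the explicit fchmod().
 * Returns NULL (errno set) when the file cannot be opened.
 */
static FILE *client_fopen_private(const char *path, mode_t mode)
{
	int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
	FILE *fp;

	if (fd < 0)
		return NULL;
	if (fchmod(fd, mode) != 0 || (fp = fdopen(fd, "w")) == NULL) {
		close(fd);
		return NULL;
	}
	return fp;
}

/*
 * Write the value of nvram variable NVNAME verbatim to PATH (mode 0600).
 * Returns 0 on success, -1 after logging the failure.
 */
static int client_write_nvram_file(const char *path, const char *nvname)
{
	FILE *fp = client_fopen_private(path, S_IRUSR | S_IWUSR);

	if (fp == NULL) {
		vpnlog(VPN_LOG_ERROR, "Cannot open %s for writing", path);
		return -1;
	}
	fprintf(fp, "%s", nvram_safe_get(nvname));
	// fclose() flushes; a failure here means the file is incomplete
	if (fclose(fp) != 0) {
		vpnlog(VPN_LOG_ERROR, "Error writing %s", path);
		return -1;
	}
	return 0;
}

/* Format "vpn_client<num>_<suffix>" into BUF (SIZE bytes) and return BUF. */
static char *client_nv(char *buf, size_t size, int num, const char *suffix)
{
	snprintf(buf, size, "vpn_client%d_%s", num, suffix);
	return buf;
}

/*
 * Start OpenVPN client instance CLIENTNUM from its vpn_client<N>_* nvram
 * settings: create the tun/tap device, generate
 * /etc/openvpn/client<N>/config.ovpn plus the certificate, key and
 * credential files, launch the daemon, install the firewall rules and the
 * optional watchdog cron job.  When not running as PID 1 the request is
 * handed to start_service() instead.
 *
 * Every generated file is created owner-only (see client_fopen_private())
 * because it may hold a private key or the plaintext "up" credentials.
 * Any failure after the per-instance symlink exists tears the instance
 * down again through stop_vpnclient(), so a half-configured client is
 * never left behind; the original code dereferenced a NULL FILE* when a
 * file could not be opened.
 */
void start_vpnclient(int clientNum)
{
	FILE *fp;
	char iface[IF_SIZE];
	char buffer[BUF_SIZE];
	char nv[40];		// nvram variable name scratch
	char cddir[64];		// per-instance directory, also OpenVPN's --cd
	char *argv[8];
	enum { TLS, SECRET, CUSTOM } cryptMode = CUSTOM;
	enum { TAP, TUN } ifType = TUN;
	enum { BRIDGE, NAT, NONE } routeMode = NONE;
	int nvi, ip[4] = {0}, nm[4] = {0};
	long int nvl;
	int pid;
	int userauth, useronly;

	snprintf(buffer, BUF_SIZE, "vpnclient%d", clientNum);
	if (getpid() != 1) {
		// Not init: let the service dispatcher run this in PID 1
		start_service(buffer);
		return;
	}

	vpnlog(VPN_LOG_INFO, "VPN GUI client backend starting...");

	if ((pid = pidof(buffer)) >= 0) {
		vpnlog(VPN_LOG_INFO, "VPN Client %d already running...", clientNum);
		vpnlog(VPN_LOG_INFO, "PID: %d", pid);
		return;
	}

	// Determine interface type
	client_nv(nv, sizeof nv, clientNum, "if");
	if (nvram_contains_word(nv, "tap")) {
		ifType = TAP;
	} else if (nvram_contains_word(nv, "tun")) {
		ifType = TUN;
	} else {
		vpnlog(VPN_LOG_ERROR, "Invalid interface type, %.3s", nvram_safe_get(nv));
		return;
	}

	// Build interface name, e.g. "tun11" for client 1
	snprintf(iface, IF_SIZE, "%s%d", nvram_safe_get(nv), clientNum + CLIENT_IF_START);

	// Determine encryption mode
	client_nv(nv, sizeof nv, clientNum, "crypt");
	if (nvram_contains_word(nv, "tls")) {
		cryptMode = TLS;
	} else if (nvram_contains_word(nv, "secret")) {
		cryptMode = SECRET;
	} else if (nvram_contains_word(nv, "custom")) {
		cryptMode = CUSTOM;
	} else {
		vpnlog(VPN_LOG_ERROR, "Invalid encryption mode, %.6s", nvram_safe_get(nv));
		return;
	}

	// Determine if we should bridge the tunnel (TAP only)
	if (ifType == TAP && nvram_get_int(client_nv(nv, sizeof nv, clientNum, "bridge")) == 1)
		routeMode = BRIDGE;

	// Determine if we should NAT the tunnel (TUN, or an unbridged TAP)
	if ((ifType == TUN || routeMode != BRIDGE) &&
	    nvram_get_int(client_nv(nv, sizeof nv, clientNum, "nat")) == 1)
		routeMode = NAT;

	// Make sure openvpn directories exist (EEXIST is the normal case)
	mkdir("/etc/openvpn", 0700);
	snprintf(cddir, sizeof cddir, "/etc/openvpn/client%d", clientNum);
	mkdir(cddir, 0700);

	// Recreate the per-instance symlink to the openvpn binary; the daemon
	// is started through it, presumably so pidof() can tell instances apart
	snprintf(buffer, BUF_SIZE, "/etc/openvpn/vpnclient%d", clientNum);
	unlink(buffer);
	if (symlink("/usr/sbin/openvpn", buffer)) {
		vpnlog(VPN_LOG_ERROR, "Creating symlink failed...");
		goto fail;
	}

	// Make sure module is loaded
	modprobe("tun");
	f_wait_exists("/dev/net/tun", 5);

	// Create tap/tun interface.  argv is filled explicitly rather than by
	// re-tokenizing a command string, so the interface name is always one
	// argument and the array bound cannot be exceeded.
	argv[0] = "openvpn";
	argv[1] = "--mktun";
	argv[2] = "--dev";
	argv[3] = iface;
	argv[4] = NULL;
	if (_eval(argv, NULL, 0, NULL)) {
		vpnlog(VPN_LOG_ERROR, "Creating tunnel interface failed...");
		goto fail;
	}

	// Bring interface up (TAP only; OpenVPN configures TUN itself)
	if (ifType == TAP) {
		if (routeMode == BRIDGE) {
			argv[0] = "brctl";
			argv[1] = "addif";
			argv[2] = nvram_safe_get("lan_ifname");
			argv[3] = iface;
			argv[4] = NULL;
			if (_eval(argv, NULL, 0, NULL)) {
				vpnlog(VPN_LOG_ERROR, "Adding tunnel interface to bridge failed...");
				goto fail;
			}
		}

		argv[0] = "ifconfig";
		argv[1] = iface;
		argv[2] = "promisc";
		argv[3] = "up";
		argv[4] = NULL;
		if (_eval(argv, NULL, 0, NULL)) {
			vpnlog(VPN_LOG_ERROR, "Bringing interface up failed...");
			goto fail;
		}
	}

	userauth = nvram_get_int(client_nv(nv, sizeof nv, clientNum, "userauth"));
	useronly = userauth && nvram_get_int(client_nv(nv, sizeof nv, clientNum, "useronly"));

	// Build and write config file
	vpnlog(VPN_LOG_EXTRA, "Writing config file");
	snprintf(buffer, BUF_SIZE, "%s/config.ovpn", cddir);
	fp = client_fopen_private(buffer, S_IRUSR | S_IWUSR);
	if (fp == NULL) {
		vpnlog(VPN_LOG_ERROR, "Cannot open %s for writing", buffer);
		goto fail;
	}
	fprintf(fp, "# Automatically generated configuration\n");
	fprintf(fp, "daemon\n");
	if (cryptMode == TLS)
		fprintf(fp, "client\n");
	fprintf(fp, "dev %s\n", iface);
	fprintf(fp, "proto %s\n", nvram_safe_get(client_nv(nv, sizeof nv, clientNum, "proto")));
	fprintf(fp, "remote %s ", nvram_safe_get(client_nv(nv, sizeof nv, clientNum, "addr")));
	fprintf(fp, "%d\n", nvram_get_int(client_nv(nv, sizeof nv, clientNum, "port")));
	if (cryptMode == SECRET) {
		// Static-key mode: addresses come from the GUI, not from the peer
		if (ifType == TUN) {
			fprintf(fp, "ifconfig %s ", nvram_safe_get(client_nv(nv, sizeof nv, clientNum, "local")));
			fprintf(fp, "%s\n", nvram_safe_get(client_nv(nv, sizeof nv, clientNum, "remote")));
		} else if (ifType == TAP) {
			fprintf(fp, "ifconfig %s ", nvram_safe_get(client_nv(nv, sizeof nv, clientNum, "local")));
			fprintf(fp, "%s\n", nvram_safe_get(client_nv(nv, sizeof nv, clientNum, "nm")));
		}
	}
	if ((nvi = nvram_get_int(client_nv(nv, sizeof nv, clientNum, "retry"))) >= 0)
		fprintf(fp, "resolv-retry %d\n", nvi);
	else
		fprintf(fp, "resolv-retry infinite\n");
	// NOTE(review): atol() returns 0 for an empty or non-numeric value, so
	// "reneg-sec 0" is emitted unless the setting is negative; kept as-is,
	// confirm against the GUI default.
	if ((nvl = atol(nvram_safe_get(client_nv(nv, sizeof nv, clientNum, "reneg")))) >= 0)
		fprintf(fp, "reneg-sec %ld\n", nvl);
	fprintf(fp, "nobind\n");
	fprintf(fp, "persist-key\n");
	fprintf(fp, "persist-tun\n");
	client_nv(nv, sizeof nv, clientNum, "comp");
	if (nvram_get_int(nv) >= 0)
		fprintf(fp, "comp-lzo %s\n", nvram_safe_get(nv));
	client_nv(nv, sizeof nv, clientNum, "cipher");
	if (!nvram_contains_word(nv, "default"))
		fprintf(fp, "cipher %s\n", nvram_safe_get(nv));
	if (nvram_get_int(client_nv(nv, sizeof nv, clientNum, "rgw"))) {
		client_nv(nv, sizeof nv, clientNum, "gw");
		if (ifType == TAP && nvram_safe_get(nv)[0] != '\0')
			fprintf(fp, "route-gateway %s\n", nvram_safe_get(nv));
		fprintf(fp, "redirect-gateway def1\n");
	}
	fprintf(fp, "verb 3\n");
	if (cryptMode == TLS) {
		if (nvram_get_int(client_nv(nv, sizeof nv, clientNum, "adns")) > 0) {
			snprintf(buffer, BUF_SIZE, "%s/updown.sh", cddir);
			symlink("/rom/openvpn/updown.sh", buffer);	// EEXIST: link already present
			fprintf(fp, "script-security 2\n");
			fprintf(fp, "up updown.sh\n");
			fprintf(fp, "down updown.sh\n");
		}

		nvi = nvram_get_int(client_nv(nv, sizeof nv, clientNum, "hmac"));
		if (!nvram_is_empty(client_nv(nv, sizeof nv, clientNum, "static")) && nvi >= 0) {
			fprintf(fp, "tls-auth static.key");
			// The key direction is appended only when it is below 2
			if (nvi < 2)
				fprintf(fp, " %d", nvi);
			fprintf(fp, "\n");
		}

		if (!nvram_is_empty(client_nv(nv, sizeof nv, clientNum, "ca")))
			fprintf(fp, "ca ca.crt\n");
		if (!useronly) {
			if (!nvram_is_empty(client_nv(nv, sizeof nv, clientNum, "crt")))
				fprintf(fp, "cert client.crt\n");
			if (!nvram_is_empty(client_nv(nv, sizeof nv, clientNum, "key")))
				fprintf(fp, "key client.key\n");
		}
		if (nvram_get_int(client_nv(nv, sizeof nv, clientNum, "tlsremote")))
			fprintf(fp, "tls-remote %s\n", nvram_safe_get(client_nv(nv, sizeof nv, clientNum, "cn")));
		if (userauth)
			fprintf(fp, "auth-user-pass up\n");
	} else if (cryptMode == SECRET) {
		if (!nvram_is_empty(client_nv(nv, sizeof nv, clientNum, "static")))
			fprintf(fp, "secret static.key\n");
	}
	fprintf(fp, "status-version 2\n");
	fprintf(fp, "status status\n");
	fprintf(fp, "\n# Custom Configuration\n");
	fprintf(fp, "%s", nvram_safe_get(client_nv(nv, sizeof nv, clientNum, "custom")));
	if (fclose(fp) != 0) {
		vpnlog(VPN_LOG_ERROR, "Error writing config file");
		goto fail;
	}
	vpnlog(VPN_LOG_EXTRA, "Done writing config file");

	// Write certificate and key files
	vpnlog(VPN_LOG_EXTRA, "Writing certs/keys");
	if (cryptMode == TLS) {
		if (!nvram_is_empty(client_nv(nv, sizeof nv, clientNum, "ca"))) {
			snprintf(buffer, BUF_SIZE, "%s/ca.crt", cddir);
			if (client_write_nvram_file(buffer, nv) != 0)
				goto fail;
		}

		if (!useronly) {
			if (!nvram_is_empty(client_nv(nv, sizeof nv, clientNum, "key"))) {
				snprintf(buffer, BUF_SIZE, "%s/client.key", cddir);
				if (client_write_nvram_file(buffer, nv) != 0)
					goto fail;
			}

			if (!nvram_is_empty(client_nv(nv, sizeof nv, clientNum, "crt"))) {
				snprintf(buffer, BUF_SIZE, "%s/client.crt", cddir);
				if (client_write_nvram_file(buffer, nv) != 0)
					goto fail;
			}
		}
		if (userauth) {
			// Plaintext credentials for auth-user-pass: owner-only from creation
			snprintf(buffer, BUF_SIZE, "%s/up", cddir);
			fp = client_fopen_private(buffer, S_IRUSR | S_IWUSR);
			if (fp == NULL) {
				vpnlog(VPN_LOG_ERROR, "Cannot open %s for writing", buffer);
				goto fail;
			}
			fprintf(fp, "%s\n", nvram_safe_get(client_nv(nv, sizeof nv, clientNum, "username")));
			fprintf(fp, "%s\n", nvram_safe_get(client_nv(nv, sizeof nv, clientNum, "password")));
			if (fclose(fp) != 0) {
				vpnlog(VPN_LOG_ERROR, "Error writing %s", buffer);
				goto fail;
			}
		}
	}
	if (cryptMode == SECRET ||
	    (cryptMode == TLS && nvram_get_int(client_nv(nv, sizeof nv, clientNum, "hmac")) >= 0)) {
		if (!nvram_is_empty(client_nv(nv, sizeof nv, clientNum, "static"))) {
			snprintf(buffer, BUF_SIZE, "%s/static.key", cddir);
			if (client_write_nvram_file(buffer, nv) != 0)
				goto fail;
		}
	}
	vpnlog(VPN_LOG_EXTRA, "Done writing certs/keys");

	// Start the VPN client
	snprintf(buffer, BUF_SIZE, "/etc/openvpn/vpnclient%d", clientNum);
	vpnlog(VPN_LOG_INFO, "Starting OpenVPN: %s --cd %s --config config.ovpn", buffer, cddir);
	argv[0] = buffer;
	argv[1] = "--cd";
	argv[2] = cddir;
	argv[3] = "--config";
	argv[4] = "config.ovpn";
	argv[5] = NULL;
	if (_eval(argv, NULL, 0, &pid)) {
		vpnlog(VPN_LOG_ERROR, "Starting OpenVPN failed...");
		goto fail;
	}
	vpnlog(VPN_LOG_EXTRA, "Done starting openvpn");

	// Handle firewall rules unless the user maintains custom ones
	if (!nvram_contains_word(client_nv(nv, sizeof nv, clientNum, "firewall"), "custom")) {
		// Create firewall rules
		vpnlog(VPN_LOG_EXTRA, "Creating firewall rules");
		mkdir("/etc/openvpn/fw", 0700);
		snprintf(buffer, BUF_SIZE, "/etc/openvpn/fw/client%d-fw.sh", clientNum);
		fp = client_fopen_private(buffer, S_IRUSR | S_IWUSR | S_IXUSR);
		if (fp == NULL) {
			vpnlog(VPN_LOG_ERROR, "Cannot open %s for writing", buffer);
			goto fail;
		}
		fprintf(fp, "#!/bin/sh\n");
		fprintf(fp, "iptables -I INPUT -i %s -j ACCEPT\n", iface);
		fprintf(fp, "iptables -I FORWARD -i %s -j ACCEPT\n", iface);
		if (routeMode == NAT) {
			// Masquerade the LAN network behind the tunnel.  Both nvram
			// values must parse; the rule used to be built from whatever
			// sscanf() left in the uninitialized arrays.
			if (sscanf(nvram_safe_get("lan_ipaddr"), "%d.%d.%d.%d", &ip[0], &ip[1], &ip[2], &ip[3]) == 4 &&
			    sscanf(nvram_safe_get("lan_netmask"), "%d.%d.%d.%d", &nm[0], &nm[1], &nm[2], &nm[3]) == 4) {
				fprintf(fp, "iptables -t nat -I POSTROUTING -s %d.%d.%d.%d/%s -o %s -j MASQUERADE\n",
					ip[0] & nm[0], ip[1] & nm[1], ip[2] & nm[2], ip[3] & nm[3],
					nvram_safe_get("lan_netmask"), iface);
			} else {
				vpnlog(VPN_LOG_ERROR, "Cannot parse lan_ipaddr/lan_netmask, NAT rule skipped");
			}
		}
		if (fclose(fp) != 0) {
			vpnlog(VPN_LOG_ERROR, "Error writing %s", buffer);
			goto fail;
		}
		vpnlog(VPN_LOG_EXTRA, "Done creating firewall rules");

		// Run the firewall rules
		vpnlog(VPN_LOG_EXTRA, "Running firewall rules");
		argv[0] = buffer;
		argv[1] = NULL;
		_eval(argv, NULL, 0, NULL);
		vpnlog(VPN_LOG_EXTRA, "Done running firewall rules");
	}

	// Set up cron job that re-issues "service vpnclientN start" every N minutes
	if ((nvi = nvram_get_int(client_nv(nv, sizeof nv, clientNum, "poll"))) > 0) {
		char cronspec[64];

		vpnlog(VPN_LOG_EXTRA, "Adding cron job");
		snprintf(buffer, BUF_SIZE, "CheckVPNClient%d", clientNum);
		snprintf(cronspec, sizeof cronspec, "*/%d * * * * service vpnclient%d start", nvi, clientNum);
		argv[0] = "cru";
		argv[1] = "a";
		argv[2] = buffer;
		argv[3] = cronspec;
		argv[4] = NULL;
		_eval(argv, NULL, 0, NULL);
		vpnlog(VPN_LOG_EXTRA, "Done adding cron job");
	}

#ifdef LINUX26
	snprintf(buffer, BUF_SIZE, "vpn_client%d", clientNum);
	allow_fastnat(buffer, 0);
	try_enabling_fastnat();
#endif
	vpnlog(VPN_LOG_INFO, "VPN GUI client backend complete.");
	return;

fail:
	// Undo whatever was set up so far (device, files, daemon)
	stop_vpnclient(clientNum);
}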
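/*
 * Stop OpenVPN client instance CLIENTNUM and undo what start_vpnclient()
 * set up: the watchdog cron job, the firewall rules (the generated script
 * is rewritten from -A/-I to -D and re-run), the daemon, the tun/tap
 * device, and — unless vpn_debug is above VPN_LOG_EXTRA, which keeps the
 * generated files for inspection — the per-instance directory, firewall
 * script and symlink.  When not running as PID 1 the request is handed
 * to stop_service() instead.
 *
 * Unlike the original, a daemon that is still alive after waitfor() gave
 * up is reported instead of being silently ignored; cleanup continues
 * either way.
 */
void stop_vpnclient(int clientNum)
{
	char *argv[8];
	char buffer[BUF_SIZE];
	char path[3][64];	// absolute paths of the generated files

	snprintf(buffer, BUF_SIZE, "vpnclient%d", clientNum);
	if (getpid() != 1) {
		stop_service(buffer);
		return;
	}

	vpnlog(VPN_LOG_INFO, "Stopping VPN GUI client backend.");

	// Remove cron job
	vpnlog(VPN_LOG_EXTRA, "Removing cron job");
	snprintf(buffer, BUF_SIZE, "CheckVPNClient%d", clientNum);
	argv[0] = "cru";
	argv[1] = "d";
	argv[2] = buffer;
	argv[3] = NULL;
	_eval(argv, NULL, 0, NULL);
	vpnlog(VPN_LOG_EXTRA, "Done removing cron job");

	// Remove firewall rules: rewrite every insert in the generated script
	// into a delete and run it again.  sed fails when the script does not
	// exist (start_vpnclient() writes none in custom firewall mode), and
	// then there is nothing to undo.
	vpnlog(VPN_LOG_EXTRA, "Removing firewall rules.");
	snprintf(path[1], sizeof path[1], "/etc/openvpn/fw/client%d-fw.sh", clientNum);
	argv[0] = "sed";
	argv[1] = "-i";
	argv[2] = "s/-A/-D/g;s/-I/-D/g";
	argv[3] = path[1];
	argv[4] = NULL;
	if (!_eval(argv, NULL, 0, NULL)) {
		argv[0] = path[1];
		argv[1] = NULL;
		_eval(argv, NULL, 0, NULL);
	}
	vpnlog(VPN_LOG_EXTRA, "Done removing firewall rules.");

	// Stop the VPN client
	vpnlog(VPN_LOG_EXTRA, "Stopping OpenVPN client.");
	snprintf(buffer, BUF_SIZE, "vpnclient%d", clientNum);
	if (!waitfor(buffer)) {
		vpnlog(VPN_LOG_EXTRA, "OpenVPN client stopped.");
	} else {
		vpnlog(VPN_LOG_ERROR, "OpenVPN client still running, continuing cleanup...");
	}

	// NVRAM setting for device type could have changed, just try to remove both
	vpnlog(VPN_LOG_EXTRA, "Removing VPN device.");
	argv[0] = "openvpn";
	argv[1] = "--rmtun";
	argv[2] = "--dev";
	argv[3] = buffer;
	argv[4] = NULL;
	snprintf(buffer, BUF_SIZE, "tap%d", clientNum + CLIENT_IF_START);
	_eval(argv, NULL, 0, NULL);
	snprintf(buffer, BUF_SIZE, "tun%d", clientNum + CLIENT_IF_START);
	_eval(argv, NULL, 0, NULL);
	vpnlog(VPN_LOG_EXTRA, "VPN device removed.");

	modprobe_r("tun");

	if (nvram_get_int("vpn_debug") <= VPN_LOG_EXTRA) {
		vpnlog(VPN_LOG_EXTRA, "Removing generated files.");
		// Delete all files for this client
		snprintf(path[0], sizeof path[0], "/etc/openvpn/client%d", clientNum);
		snprintf(path[2], sizeof path[2], "/etc/openvpn/vpnclient%d", clientNum);
		argv[0] = "rm";
		argv[1] = "-rf";
		argv[2] = path[0];
		argv[3] = path[1];
		argv[4] = path[2];
		argv[5] = NULL;
		_eval(argv, NULL, 0, NULL);

		// Attempt to remove directories. Will fail if not empty
		rmdir("/etc/openvpn/fw");
		rmdir("/etc/openvpn");
		vpnlog(VPN_LOG_EXTRA, "Done removing generated files.");
	}

#ifdef LINUX26
	snprintf(buffer, BUF_SIZE, "vpn_client%d", clientNum);
	allow_fastnat(buffer, 1);
	try_enabling_fastnat();
#endif
	vpnlog(VPN_LOG_INFO, "VPN GUI client backend stopped.");
}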
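/*
 * Open PATH for writing (create or truncate) with permission bits MODE
 * applied to the descriptor before any data is written.  The previous
 * fopen()-then-chmod() sequence created key files with the process umask
 * first and tightened them afterwards.  O_CREAT's mode is ignored for an
 * existing file, hence the explicit fchmod().
 * Returns NULL (errno set) when the file cannot be opened.
 */
static FILE *server_fopen_private(const char *path, mode_t mode)
{
	int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
	FILE *fp;

	if (fd < 0)
		return NULL;
	if (fchmod(fd, mode) != 0 || (fp = fdopen(fd, "w")) == NULL) {
		close(fd);
		return NULL;
	}
	return fp;
}

/*
 * Write the value of nvram variable NVNAME verbatim to PATH (mode 0600).
 * Returns 0 on success, -1 after logging the failure.
 */
static int server_write_nvram_file(const char *path, const char *nvname)
{
	FILE *fp = server_fopen_private(path, S_IRUSR | S_IWUSR);

	if (fp == NULL) {
		vpnlog(VPN_LOG_ERROR, "Cannot open %s for writing", path);
		return -1;
	}
	fprintf(fp, "%s", nvram_safe_get(nvname));
	// fclose() flushes; a failure here means the file is incomplete
	if (fclose(fp) != 0) {
		vpnlog(VPN_LOG_ERROR, "Error writing %s", path);
		return -1;
	}
	return 0;
}

/* Format "vpn_server<num>_<suffix>" into BUF (SIZE bytes) and return BUF. */
static char *server_nv(char *buf, size_t size, int num, const char *suffix)
{
	snprintf(buf, size, "vpn_server%d_%s", num, suffix);
	return buf;
}

/*
 * Start OpenVPN server instance SERVERNUM from its vpn_server<N>_* nvram
 * settings: create the tun/tap device, generate
 * /etc/openvpn/server<N>/config.ovpn, the per-client ccd files and the
 * certificate/key/DH files, launch the daemon, install the firewall rules
 * and the optional watchdog cron job.  When not running as PID 1 the
 * request is handed to start_service() instead.
 *
 * Every generated file is created owner-only (see server_fopen_private())
 * and addressed by absolute path, so this function no longer chdir()s
 * init into the ccd directory.  The ccd list is parsed from a private
 * heap copy rather than strcpy()'d into the 256-byte stack buffer, and a
 * common name containing '/' is refused because it is used as a file
 * name inside the ccd directory.  Any failure after the per-instance
 * symlink exists tears the instance down again through stop_vpnserver().
 */
void start_vpnserver(int serverNum)
{
	FILE *fp, *ccd;
	char iface[IF_SIZE];
	char buffer[BUF_SIZE];
	char nv[40];		// nvram variable name scratch
	char cddir[64];		// per-instance directory, also OpenVPN's --cd
	char *argv[8], *chp, *route;
	int c2c = 0;
	enum { TAP, TUN } ifType = TUN;
	enum { TLS, SECRET, CUSTOM } cryptMode = CUSTOM;
	int nvi, ip[4] = {0}, nm[4] = {0};
	long int nvl;
	int pid;
	// "script-security 2" is emitted at most once
	int current_security_level = 1;

	snprintf(buffer, BUF_SIZE, "vpnserver%d", serverNum);
	if (getpid() != 1) {
		// Not init: let the service dispatcher run this in PID 1
		start_service(buffer);
		return;
	}

	vpnlog(VPN_LOG_INFO, "VPN GUI server backend starting...");

	if ((pid = pidof(buffer)) >= 0) {
		vpnlog(VPN_LOG_INFO, "VPN Server %d already running...", serverNum);
		vpnlog(VPN_LOG_INFO, "PID: %d", pid);
		return;
	}

	// Determine interface type
	server_nv(nv, sizeof nv, serverNum, "if");
	if (nvram_contains_word(nv, "tap")) {
		ifType = TAP;
	} else if (nvram_contains_word(nv, "tun")) {
		ifType = TUN;
	} else {
		vpnlog(VPN_LOG_ERROR, "Invalid interface type, %.3s", nvram_safe_get(nv));
		return;
	}

	// Build interface name, e.g. "tun21" for server 1
	snprintf(iface, IF_SIZE, "%s%d", nvram_safe_get(nv), serverNum + SERVER_IF_START);

	// Determine encryption mode
	server_nv(nv, sizeof nv, serverNum, "crypt");
	if (nvram_contains_word(nv, "tls")) {
		cryptMode = TLS;
	} else if (nvram_contains_word(nv, "secret")) {
		cryptMode = SECRET;
	} else if (nvram_contains_word(nv, "custom")) {
		cryptMode = CUSTOM;
	} else {
		vpnlog(VPN_LOG_ERROR, "Invalid encryption mode, %.6s", nvram_safe_get(nv));
		return;
	}

	// Make sure openvpn directories exist (EEXIST is the normal case)
	mkdir("/etc/openvpn", 0700);
	snprintf(cddir, sizeof cddir, "/etc/openvpn/server%d", serverNum);
	mkdir(cddir, 0700);

	// Recreate the per-instance symlink to the openvpn binary; the daemon
	// is started through it, presumably so pidof() can tell instances apart
	snprintf(buffer, BUF_SIZE, "/etc/openvpn/vpnserver%d", serverNum);
	unlink(buffer);
	if (symlink("/usr/sbin/openvpn", buffer)) {
		vpnlog(VPN_LOG_ERROR, "Creating symlink failed...");
		goto fail;
	}

	// Make sure module is loaded
	modprobe("tun");
	f_wait_exists("/dev/net/tun", 5);

	// Create tap/tun interface.  argv is filled explicitly rather than by
	// re-tokenizing a command string, so the interface name is always one
	// argument and the array bound cannot be exceeded.
	argv[0] = "openvpn";
	argv[1] = "--mktun";
	argv[2] = "--dev";
	argv[3] = iface;
	argv[4] = NULL;
	if (_eval(argv, NULL, 0, NULL)) {
		vpnlog(VPN_LOG_ERROR, "Creating tunnel interface failed...");
		goto fail;
	}

	// Add interface to LAN bridge (TAP only)
	if (ifType == TAP) {
		argv[0] = "brctl";
		argv[1] = "addif";
		argv[2] = nvram_safe_get("lan_ifname");
		argv[3] = iface;
		argv[4] = NULL;
		if (_eval(argv, NULL, 0, NULL)) {
			vpnlog(VPN_LOG_ERROR, "Adding tunnel interface to bridge failed...");
			goto fail;
		}
	}

	// Bring interface up
	argv[0] = "ifconfig";
	argv[1] = iface;
	argv[2] = "0.0.0.0";
	argv[3] = "promisc";
	argv[4] = "up";
	argv[5] = NULL;
	if (_eval(argv, NULL, 0, NULL)) {
		vpnlog(VPN_LOG_ERROR, "Bringing up tunnel interface failed...");
		goto fail;
	}

	// Build and write config files
	vpnlog(VPN_LOG_EXTRA, "Writing config file");
	snprintf(buffer, BUF_SIZE, "%s/config.ovpn", cddir);
	fp = server_fopen_private(buffer, S_IRUSR | S_IWUSR);
	if (fp == NULL) {
		vpnlog(VPN_LOG_ERROR, "Cannot open %s for writing", buffer);
		goto fail;
	}
	fprintf(fp, "# Automatically generated configuration\n");
	fprintf(fp, "daemon\n");
	if (cryptMode == TLS) {
		if (ifType == TUN) {
			fprintf(fp, "server %s ", nvram_safe_get(server_nv(nv, sizeof nv, serverNum, "sn")));
			fprintf(fp, "%s\n", nvram_safe_get(server_nv(nv, sizeof nv, serverNum, "nm")));
		} else if (ifType == TAP) {
			fprintf(fp, "server-bridge");
			// Without DHCP pass-through, hand out a LAN address pool r1..r2
			if (nvram_get_int(server_nv(nv, sizeof nv, serverNum, "dhcp")) == 0) {
				fprintf(fp, " %s ", nvram_safe_get("lan_ipaddr"));
				fprintf(fp, "%s ", nvram_safe_get("lan_netmask"));
				fprintf(fp, "%s ", nvram_safe_get(server_nv(nv, sizeof nv, serverNum, "r1")));
				fprintf(fp, "%s", nvram_safe_get(server_nv(nv, sizeof nv, serverNum, "r2")));
			}
			fprintf(fp, "\n");
		}
	} else if (cryptMode == SECRET) {
		if (ifType == TUN) {
			fprintf(fp, "ifconfig %s ", nvram_safe_get(server_nv(nv, sizeof nv, serverNum, "local")));
			fprintf(fp, "%s\n", nvram_safe_get(server_nv(nv, sizeof nv, serverNum, "remote")));
		}
	}
	fprintf(fp, "proto %s\n", nvram_safe_get(server_nv(nv, sizeof nv, serverNum, "proto")));
	fprintf(fp, "port %d\n", nvram_get_int(server_nv(nv, sizeof nv, serverNum, "port")));
	fprintf(fp, "dev %s\n", iface);
	server_nv(nv, sizeof nv, serverNum, "cipher");
	if (!nvram_contains_word(nv, "default"))
		fprintf(fp, "cipher %s\n", nvram_safe_get(nv));
	server_nv(nv, sizeof nv, serverNum, "comp");
	if (nvram_get_int(nv) >= 0)
		fprintf(fp, "comp-lzo %s\n", nvram_safe_get(nv));
	// NOTE(review): atol() returns 0 for an empty or non-numeric value, so
	// "reneg-sec 0" is emitted unless the setting is negative; kept as-is,
	// confirm against the GUI default.
	if ((nvl = atol(nvram_safe_get(server_nv(nv, sizeof nv, serverNum, "reneg")))) >= 0)
		fprintf(fp, "reneg-sec %ld\n", nvl);
	fprintf(fp, "keepalive 15 60\n");
	fprintf(fp, "verb 3\n");
	if (cryptMode == TLS) {
		// Push the LAN route to clients (TUN only)
		if (ifType == TUN && nvram_get_int(server_nv(nv, sizeof nv, serverNum, "plan"))) {
			if (sscanf(nvram_safe_get("lan_ipaddr"), "%d.%d.%d.%d", &ip[0], &ip[1], &ip[2], &ip[3]) == 4 &&
			    sscanf(nvram_safe_get("lan_netmask"), "%d.%d.%d.%d", &nm[0], &nm[1], &nm[2], &nm[3]) == 4) {
				fprintf(fp, "push \"route %d.%d.%d.%d %s\"\n",
					ip[0] & nm[0], ip[1] & nm[1], ip[2] & nm[2], ip[3] & nm[3],
					nvram_safe_get("lan_netmask"));
			} else {
				vpnlog(VPN_LOG_ERROR, "Cannot parse lan_ipaddr/lan_netmask, LAN route not pushed");
			}
		}

		if (nvram_get_int(server_nv(nv, sizeof nv, serverNum, "ccd"))) {
			char ccddir[64];
			char *ccdval;
			const char *val;
			size_t vallen;

			fprintf(fp, "client-config-dir ccd\n");

			if ((c2c = nvram_get_int(server_nv(nv, sizeof nv, serverNum, "c2c"))))
				fprintf(fp, "client-to-client\n");

			if (nvram_get_int(server_nv(nv, sizeof nv, serverNum, "ccd_excl")))
				fprintf(fp, "ccd-exclusive\n");

			snprintf(ccddir, sizeof ccddir, "%s/ccd", cddir);
			mkdir(ccddir, 0700);

			// Entries are "enabled<cn<route<push" separated by '>'; strtok()
			// needs a writable copy, taken on the heap so its length does
			// not matter.
			val = nvram_safe_get(server_nv(nv, sizeof nv, serverNum, "ccd_val"));
			vallen = strlen(val);
			ccdval = malloc(vallen + 1);
			if (ccdval == NULL) {
				vpnlog(VPN_LOG_ERROR, "Out of memory, CCD entries skipped");
			} else {
				memcpy(ccdval, val, vallen + 1);
				chp = strtok(ccdval, ">");
				while (chp != NULL) {
					// nvi tracks how many bytes of the entry are still unread
					nvi = strlen(chp);

					chp[strcspn(chp, "<")] = '\0';
					vpnlog(VPN_LOG_EXTRA, "CCD: enabled: %d", atoi(chp));
					if (atoi(chp) == 1) {
						nvi -= strlen(chp) + 1;
						chp += strlen(chp) + 1;

						ccd = NULL;
						route = NULL;
						if (nvi > 0) {
							chp[strcspn(chp, "<")] = '\0';
							vpnlog(VPN_LOG_EXTRA, "CCD: Common name: %s", chp);
							// The common name is the ccd file name; refuse
							// anything that could leave the ccd directory.
							if (chp[0] == '\0' || strchr(chp, '/') != NULL ||
							    snprintf(buffer, BUF_SIZE, "%s/%s", ccddir, chp) >= BUF_SIZE) {
								vpnlog(VPN_LOG_ERROR, "CCD: invalid common name, entry skipped");
							} else {
								ccd = server_fopen_private(buffer, S_IRUSR | S_IWUSR);
								if (ccd == NULL)
									vpnlog(VPN_LOG_ERROR, "CCD: cannot write %s", buffer);
							}

							nvi -= strlen(chp) + 1;
							chp += strlen(chp) + 1;

							if (nvi > 0 && ccd != NULL && strcspn(chp, "<") != strlen(chp)) {
								// "net<mask" becomes "net mask"
								chp[strcspn(chp, "<")] = ' ';
								chp[strcspn(chp, "<")] = '\0';
								route = chp;
								vpnlog(VPN_LOG_EXTRA, "CCD: Route: %s", chp);
								if (strlen(route) > 1) {
									fprintf(ccd, "iroute %s\n", route);
									fprintf(fp, "route %s\n", route);
								}

								nvi -= strlen(chp) + 1;
								chp += strlen(chp) + 1;
							}
							if (ccd != NULL)
								fclose(ccd);
							if (nvi > 0 && route != NULL) {
								chp[strcspn(chp, "<")] = '\0';
								vpnlog(VPN_LOG_EXTRA, "CCD: Push: %d", atoi(chp));
								if (c2c && atoi(chp) == 1 && strlen(route) > 1)
									fprintf(fp, "push \"route %s\"\n", route);

								nvi -= strlen(chp) + 1;
								chp += strlen(chp) + 1;
							}
						}
						vpnlog(VPN_LOG_EXTRA, "CCD leftover: %d", nvi + 1);
					}
					// Advance to next entry
					chp = strtok(NULL, ">");
				}
				free(ccdval);
			}
			vpnlog(VPN_LOG_EXTRA, "CCD processing complete");
		}

		if (nvram_get_int(server_nv(nv, sizeof nv, serverNum, "userpass"))) {
			fprintf(fp, "plugin /lib/openvpn_plugin_auth_nvram.so vpn_server%d_users_val\n", serverNum);
			if (current_security_level < 2) {
				fprintf(fp, "script-security 2\n");
				current_security_level = 2;
			}
			fprintf(fp, "username-as-common-name\n");
			if (nvram_get_int(server_nv(nv, sizeof nv, serverNum, "nocert")))
				fprintf(fp, "client-cert-not-required\n");
		}

		if (nvram_get_int(server_nv(nv, sizeof nv, serverNum, "pdns"))) {
			if (nvram_safe_get("wan_domain")[0] != '\0')
				fprintf(fp, "push \"dhcp-option DOMAIN %s\"\n", nvram_safe_get("wan_domain"));
			if (nvram_safe_get("wan_wins")[0] != '\0' && strcmp(nvram_safe_get("wan_wins"), "0.0.0.0") != 0)
				fprintf(fp, "push \"dhcp-option WINS %s\"\n", nvram_safe_get("wan_wins"));
			fprintf(fp, "push \"dhcp-option DNS %s\"\n", nvram_safe_get("lan_ipaddr"));
		}

		if (nvram_get_int(server_nv(nv, sizeof nv, serverNum, "rgw"))) {
			if (ifType == TAP)
				fprintf(fp, "push \"route-gateway %s\"\n", nvram_safe_get("lan_ipaddr"));
			fprintf(fp, "push \"redirect-gateway def1\"\n");
		}

		nvi = nvram_get_int(server_nv(nv, sizeof nv, serverNum, "hmac"));
		if (!nvram_is_empty(server_nv(nv, sizeof nv, serverNum, "static")) && nvi >= 0) {
			fprintf(fp, "tls-auth static.key");
			// The key direction is appended only when it is below 2
			if (nvi < 2)
				fprintf(fp, " %d", nvi);
			fprintf(fp, "\n");
		}

		if (!nvram_is_empty(server_nv(nv, sizeof nv, serverNum, "ca")))
			fprintf(fp, "ca ca.crt\n");
		if (!nvram_is_empty(server_nv(nv, sizeof nv, serverNum, "dh")))
			fprintf(fp, "dh dh.pem\n");
		if (!nvram_is_empty(server_nv(nv, sizeof nv, serverNum, "crt")))
			fprintf(fp, "cert server.crt\n");
		if (!nvram_is_empty(server_nv(nv, sizeof nv, serverNum, "key")))
			fprintf(fp, "key server.key\n");
	} else if (cryptMode == SECRET) {
		if (!nvram_is_empty(server_nv(nv, sizeof nv, serverNum, "static")))
			fprintf(fp, "secret static.key\n");
	}
	fprintf(fp, "status-version 2\n");
	fprintf(fp, "status status\n");
	fprintf(fp, "\n# Custom Configuration\n");
	fprintf(fp, "%s", nvram_safe_get(server_nv(nv, sizeof nv, serverNum, "custom")));
	if (fclose(fp) != 0) {
		vpnlog(VPN_LOG_ERROR, "Error writing config file");
		goto fail;
	}
	vpnlog(VPN_LOG_EXTRA, "Done writing config file");

	// Write certificate and key files
	vpnlog(VPN_LOG_EXTRA, "Writing certs/keys");
	if (cryptMode == TLS) {
		if (!nvram_is_empty(server_nv(nv, sizeof nv, serverNum, "ca"))) {
			snprintf(buffer, BUF_SIZE, "%s/ca.crt", cddir);
			if (server_write_nvram_file(buffer, nv) != 0)
				goto fail;
		}

		if (!nvram_is_empty(server_nv(nv, sizeof nv, serverNum, "key"))) {
			snprintf(buffer, BUF_SIZE, "%s/server.key", cddir);
			if (server_write_nvram_file(buffer, nv) != 0)
				goto fail;
		}

		if (!nvram_is_empty(server_nv(nv, sizeof nv, serverNum, "crt"))) {
			snprintf(buffer, BUF_SIZE, "%s/server.crt", cddir);
			if (server_write_nvram_file(buffer, nv) != 0)
				goto fail;
		}

		if (!nvram_is_empty(server_nv(nv, sizeof nv, serverNum, "dh"))) {
			snprintf(buffer, BUF_SIZE, "%s/dh.pem", cddir);
			if (server_write_nvram_file(buffer, nv) != 0)
				goto fail;
		}
	}
	if (cryptMode == SECRET ||
	    (cryptMode == TLS && nvram_get_int(server_nv(nv, sizeof nv, serverNum, "hmac")) >= 0)) {
		if (!nvram_is_empty(server_nv(nv, sizeof nv, serverNum, "static"))) {
			snprintf(buffer, BUF_SIZE, "%s/static.key", cddir);
			if (server_write_nvram_file(buffer, nv) != 0)
				goto fail;
		}
	}
	vpnlog(VPN_LOG_EXTRA, "Done writing certs/keys");

	// Start the VPN server
	snprintf(buffer, BUF_SIZE, "/etc/openvpn/vpnserver%d", serverNum);
	vpnlog(VPN_LOG_INFO, "Starting OpenVPN: %s --cd %s --config config.ovpn", buffer, cddir);
	argv[0] = buffer;
	argv[1] = "--cd";
	argv[2] = cddir;
	argv[3] = "--config";
	argv[4] = "config.ovpn";
	argv[5] = NULL;
	if (_eval(argv, NULL, 0, &pid)) {
		vpnlog(VPN_LOG_ERROR, "Starting VPN instance failed...");
		goto fail;
	}
	vpnlog(VPN_LOG_EXTRA, "Done starting openvpn");

	// Handle firewall rules unless the user maintains custom ones
	if (!nvram_contains_word(server_nv(nv, sizeof nv, serverNum, "firewall"), "custom")) {
		char proto[16];
		int port;

		// Create firewall rules
		vpnlog(VPN_LOG_EXTRA, "Creating firewall rules");
		mkdir("/etc/openvpn/fw", 0700);
		snprintf(buffer, BUF_SIZE, "/etc/openvpn/fw/server%d-fw.sh", serverNum);
		fp = server_fopen_private(buffer, S_IRUSR | S_IWUSR | S_IXUSR);
		if (fp == NULL) {
			vpnlog(VPN_LOG_ERROR, "Cannot open %s for writing", buffer);
			goto fail;
		}
		fprintf(fp, "#!/bin/sh\n");
		// iptables wants the bare protocol, i.e. "tcp-server" -> "tcp".
		// snprintf() always NUL-terminates, unlike the strncpy() it replaces.
		snprintf(proto, sizeof proto, "%s", nvram_safe_get(server_nv(nv, sizeof nv, serverNum, "proto")));
		proto[strcspn(proto, "-")] = '\0';
		port = nvram_get_int(server_nv(nv, sizeof nv, serverNum, "port"));
		fprintf(fp, "iptables -t nat -I PREROUTING -p %s --dport %d -j ACCEPT\n", proto, port);
		fprintf(fp, "iptables -I INPUT -p %s --dport %d -j ACCEPT\n", proto, port);
		if (!nvram_contains_word(server_nv(nv, sizeof nv, serverNum, "firewall"), "external")) {
			fprintf(fp, "iptables -I INPUT -i %s -j ACCEPT\n", iface);
			fprintf(fp, "iptables -I FORWARD -i %s -j ACCEPT\n", iface);
		}
		if (fclose(fp) != 0) {
			vpnlog(VPN_LOG_ERROR, "Error writing %s", buffer);
			goto fail;
		}
		vpnlog(VPN_LOG_EXTRA, "Done creating firewall rules");

		// Run the firewall rules
		vpnlog(VPN_LOG_EXTRA, "Running firewall rules");
		argv[0] = buffer;
		argv[1] = NULL;
		_eval(argv, NULL, 0, NULL);
		vpnlog(VPN_LOG_EXTRA, "Done running firewall rules");
	}

	// Set up cron job that re-issues "service vpnserverN start" every N minutes
	if ((nvi = nvram_get_int(server_nv(nv, sizeof nv, serverNum, "poll"))) > 0) {
		char cronspec[64];

		vpnlog(VPN_LOG_EXTRA, "Adding cron job");
		snprintf(buffer, BUF_SIZE, "CheckVPNServer%d", serverNum);
		snprintf(cronspec, sizeof cronspec, "*/%d * * * * service vpnserver%d start", nvi, serverNum);
		argv[0] = "cru";
		argv[1] = "a";
		argv[2] = buffer;
		argv[3] = cronspec;
		argv[4] = NULL;
		_eval(argv, NULL, 0, NULL);
		vpnlog(VPN_LOG_EXTRA, "Done adding cron job");
	}

#ifdef LINUX26
	snprintf(buffer, BUF_SIZE, "vpn_server%d", serverNum);
	allow_fastnat(buffer, 0);
	try_enabling_fastnat();
#endif
	vpnlog(VPN_LOG_INFO, "VPN GUI server backend complete.");
	return;

fail:
	// Undo whatever was set up so far (device, files, daemon)
	stop_vpnserver(serverNum);
}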
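// Split `cmdline` in place on spaces into `argv` (at most `max` entries,
// including the terminating NULL) and run it through _eval().
// Returns _eval()'s result, or -1 if the line has too many words to fit,
// in which case nothing is executed.
static int vpn_eval_cmdline(char *cmdline, char **argv, int max)
{
	int argc = 0;
	char *word = strtok(cmdline, " ");

	while (word != NULL) {
		if (argc >= max - 1) {
			return -1;
		}
		argv[argc++] = word;
		word = strtok(NULL, " ");
	}
	argv[argc] = NULL;
	return _eval(argv, NULL, 0, NULL);
}

/*
 * Tear down the OpenVPN server instance `serverNum`: its cron poll job, the
 * firewall rules inserted by its generated fw script, the openvpn process,
 * its tun/tap device and -- unless vpn_debug is above VPN_LOG_EXTRA -- the
 * generated files under /etc/openvpn.
 *
 * From any process other than init (pid 1) the request is handed to the
 * service framework via stop_service(); the real teardown runs in init.
 *
 * serverNum: GUI server slot. It selects the vpn_server<N>_* NVRAM
 *            settings, the "vpnserver<N>" process name and the device
 *            tap/tun<N+SERVER_IF_START>.
 */
void stop_vpnserver(int serverNum)
{
	char *argv[9];
	char buffer[BUF_SIZE];

	snprintf(buffer, sizeof(buffer), "vpnserver%d", serverNum);
	if (getpid() != 1) {
		stop_service(buffer);
		return;
	}

	vpnlog(VPN_LOG_INFO,"Stopping VPN GUI server backend.");

	// Remove cron job
	vpnlog(VPN_LOG_EXTRA,"Removing cron job");
	snprintf(buffer, sizeof(buffer), "CheckVPNServer%d", serverNum);
	argv[0] = "cru";
	argv[1] = "d";
	argv[2] = buffer;
	argv[3] = NULL;
	_eval(argv, NULL, 0, NULL);
	vpnlog(VPN_LOG_EXTRA,"Done removing cron job");

	// Remove firewall rules: rewrite the -A/-I rules in the script the
	// start-up code wrote into -D rules, then run the script once.
	vpnlog(VPN_LOG_EXTRA,"Removing firewall rules.");
	snprintf(buffer, sizeof(buffer), "/etc/openvpn/fw/server%d-fw.sh", serverNum);
	argv[0] = "sed";
	argv[1] = "-i";
	argv[2] = "s/-A/-D/g;s/-I/-D/g";
	argv[3] = buffer;
	argv[4] = NULL;
	if (!_eval(argv, NULL, 0, NULL)) {
		argv[0] = buffer;
		argv[1] = NULL;
		_eval(argv, NULL, 0, NULL);
	} else {
		// sed failed (presumably the script is missing), so the -D run is
		// skipped and any rules the script inserted are still in place.
		vpnlog(VPN_LOG_ERROR, "Could not rewrite %s; firewall rules not removed", buffer);
	}
	vpnlog(VPN_LOG_EXTRA,"Done removing firewall rules.");

	// Stop the VPN server. waitfor() returns non-zero if the process is
	// still alive after its kill/wait attempts.
	vpnlog(VPN_LOG_EXTRA,"Stopping OpenVPN server.");
	snprintf(buffer, sizeof(buffer), "vpnserver%d", serverNum);
	if (!waitfor(buffer)) {
		vpnlog(VPN_LOG_EXTRA,"OpenVPN server stopped.");
	} else {
		// Cleanup below proceeds anyway (as it always has); say so instead
		// of silently removing the device and files under a live process.
		vpnlog(VPN_LOG_ERROR, "OpenVPN server %d did not exit, continuing cleanup", serverNum);
	}

	// NVRAM setting for device type could have changed, just try to remove both
	vpnlog(VPN_LOG_EXTRA,"Removing VPN device.");
	snprintf(buffer, sizeof(buffer), "openvpn --rmtun --dev tap%d", serverNum+SERVER_IF_START);
	vpn_eval_cmdline(buffer, argv, sizeof(argv) / sizeof(argv[0]));

	snprintf(buffer, sizeof(buffer), "openvpn --rmtun --dev tun%d", serverNum+SERVER_IF_START);
	vpn_eval_cmdline(buffer, argv, sizeof(argv) / sizeof(argv[0]));
	vpnlog(VPN_LOG_EXTRA,"VPN device removed.");

	modprobe_r("tun");

	// Generated files are kept only when debugging above the EXTRA level.
	if (nvram_get_int("vpn_debug") <= VPN_LOG_EXTRA) {
		vpnlog(VPN_LOG_EXTRA,"Removing generated files.");
		// Delete all files for this server. The paths are fixed by serverNum
		// only; no NVRAM text is interpolated into the rm command line.
		snprintf(buffer, sizeof(buffer), "rm -rf /etc/openvpn/server%d /etc/openvpn/fw/server%d-fw.sh /etc/openvpn/vpnserver%d", serverNum, serverNum, serverNum);
		vpn_eval_cmdline(buffer, argv, sizeof(argv) / sizeof(argv[0]));

		// Attempt to remove directories. Will fail if not empty
		rmdir("/etc/openvpn/fw");
		rmdir("/etc/openvpn");
		vpnlog(VPN_LOG_EXTRA,"Done removing generated files.");
	}

#ifdef LINUX26
	snprintf(buffer, sizeof(buffer), "vpn_server%d", serverNum);
	allow_fastnat(buffer, 1);
	try_enabling_fastnat();
#endif
	vpnlog(VPN_LOG_INFO,"VPN GUI server backend stopped.");
}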
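/*
 * Start every OpenVPN server and client marked "enable at startup" (EAS).
 * vpn_server_eas and vpn_client_eas hold comma-separated slot numbers; at
 * most four entries per list are honoured and a 0 or negative entry ends
 * the list. An instance that is already running is stopped first so it
 * comes back up with the current configuration. Before starting anything
 * the function waits up to ten seconds for the clock to pass Y2K (time
 * sync), then returns early if both lists are empty.
 */
void start_vpn_eas()
{
	enum { EAS_MAX = 4 };
	char buffer[32], *cur;
	// One spare slot so the 0 terminator fits even when EAS_MAX entries
	// were parsed (the original nums[4] was written one past its end).
	int nums[EAS_MAX + 1], i;

	if (strlen(nvram_safe_get("vpn_server_eas")) == 0 && strlen(nvram_safe_get("vpn_client_eas")) == 0) {
		return;
	}

	// wait for time sync for a while
	i = 10;
	while (time(0) < Y2K && i--) {
		sleep(1);
	}

	// Parse and start servers
	strlcpy(buffer, nvram_safe_get("vpn_server_eas"), sizeof(buffer));
	if (strlen(buffer) != 0) {
		vpnlog(VPN_LOG_INFO, "Starting OpenVPN servers (eas): %s", buffer);
	}
	i = 0;
	for (cur = strtok(buffer, ","); cur != NULL && i < EAS_MAX; cur = strtok(NULL, ",")) {
		nums[i++] = atoi(cur);
	}
	nums[i] = 0;
	for (i = 0; nums[i] > 0; i++) {
		// snprintf: "vpnserver" plus a full int no longer fits a 16-byte buffer
		snprintf(buffer, sizeof(buffer), "vpnserver%d", nums[i]);
		if (pidof(buffer) >= 0) {
			vpnlog(VPN_LOG_INFO, "Stopping OpenVPN server %d (eas)", nums[i]);
			stop_vpnserver(nums[i]);
		}
		vpnlog(VPN_LOG_INFO, "Starting OpenVPN server %d (eas)", nums[i]);
		start_vpnserver(nums[i]);
	}

	// Parse and start clients
	strlcpy(buffer, nvram_safe_get("vpn_client_eas"), sizeof(buffer));
	if (strlen(buffer) != 0) {
		vpnlog(VPN_LOG_INFO, "Starting clients (eas): %s", buffer);
	}
	i = 0;
	for (cur = strtok(buffer, ","); cur != NULL && i < EAS_MAX; cur = strtok(NULL, ",")) {
		nums[i++] = atoi(cur);
	}
	nums[i] = 0;
	for (i = 0; nums[i] > 0; i++) {
		snprintf(buffer, sizeof(buffer), "vpnclient%d", nums[i]);
		if (pidof(buffer) >= 0) {
			vpnlog(VPN_LOG_INFO, "Stopping OpenVPN client %d (eas)", nums[i]);
			stop_vpnclient(nums[i]);
		}
		vpnlog(VPN_LOG_INFO, "Starting OpenVPN client %d (eas)", nums[i]);
		start_vpnclient(nums[i]);
	}
}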
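/*
 * Stop every OpenVPN server and client listed in vpn_server_eas /
 * vpn_client_eas (comma-separated slot numbers, at most four per list,
 * a 0 or negative entry ends the list) that is currently running.
 * Instances that are not running are left alone.
 */
void stop_vpn_eas()
{
	enum { EAS_MAX = 4 };
	char buffer[32], *cur;
	// One spare slot so the 0 terminator fits even when EAS_MAX entries
	// were parsed (the original nums[4] was written one past its end).
	int nums[EAS_MAX + 1], i;

	// Parse and stop servers
	strlcpy(buffer, nvram_safe_get("vpn_server_eas"), sizeof(buffer));
	if (strlen(buffer) != 0) {
		vpnlog(VPN_LOG_INFO, "Stopping OpenVPN servers (eas): %s", buffer);
	}
	i = 0;
	for (cur = strtok(buffer, ","); cur != NULL && i < EAS_MAX; cur = strtok(NULL, ",")) {
		nums[i++] = atoi(cur);
	}
	nums[i] = 0;
	for (i = 0; nums[i] > 0; i++) {
		// snprintf: "vpnserver" plus a full int no longer fits a 16-byte buffer
		snprintf(buffer, sizeof(buffer), "vpnserver%d", nums[i]);
		if (pidof(buffer) >= 0) {
			vpnlog(VPN_LOG_INFO, "Stopping OpenVPN server %d (eas)", nums[i]);
			stop_vpnserver(nums[i]);
		}
	}

	// Parse and stop clients
	strlcpy(buffer, nvram_safe_get("vpn_client_eas"), sizeof(buffer));
	if (strlen(buffer) != 0) {
		vpnlog(VPN_LOG_INFO, "Stopping OpenVPN clients (eas): %s", buffer);
	}
	i = 0;
	for (cur = strtok(buffer, ","); cur != NULL && i < EAS_MAX; cur = strtok(NULL, ",")) {
		nums[i++] = atoi(cur);
	}
	nums[i] = 0;
	for (i = 0; nums[i] > 0; i++) {
		snprintf(buffer, sizeof(buffer), "vpnclient%d", nums[i]);
		if (pidof(buffer) >= 0) {
			vpnlog(VPN_LOG_INFO, "Stopping OpenVPN client %d (eas)", nums[i]);
			stop_vpnclient(nums[i]);
		}
	}
}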
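/*
 * Run every script in /etc/openvpn/fw through /bin/sh, so the iptables
 * rules written there when an instance was started get applied again
 * (e.g. after the firewall has been rebuilt). Entries whose name starts
 * with '.' are skipped. Does nothing if the directory cannot be entered
 * or read. Note that the function chdir()s into the directory and does
 * not restore the previous working directory.
 */
void run_vpn_firewall_scripts()
{
	DIR *dir;
	struct dirent *file;
	char *fn;
	char *argv[3];

	if (chdir("/etc/openvpn/fw")) {
		return;
	}

	// The original dereferenced the opendir() result unchecked.
	if ((dir = opendir("/etc/openvpn/fw")) == NULL) {
		return;
	}

	vpnlog(VPN_LOG_EXTRA,"Beginning all firewall scripts...");
	while ((file = readdir(dir)) != NULL) {
		fn = file->d_name;
		if (fn[0] == '.') {
			continue;
		}
		vpnlog(VPN_LOG_INFO,"Running firewall script: %s", fn);
		// fn is relative; it resolves because of the chdir() above
		argv[0] = "/bin/sh";
		argv[1] = fn;
		argv[2] = NULL;
		_eval(argv, NULL, 0, NULL);
	}
	vpnlog(VPN_LOG_EXTRA,"Done with all firewall scripts...");

	closedir(dir);
}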
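/*
 * Append the OpenVPN-related dnsmasq settings to the config being written
 * to `f`:
 *  - one "interface=<vpn_server<N>_if><N+SERVER_IF_START>" line for every
 *    non-zero server slot N in the comma-separated vpn_server_dns list;
 *  - "strict-order" once, if any client<N>.resolv file under
 *    /etc/openvpn/dns belongs to a client whose vpn_client<N>_adns is 2;
 *  - the verbatim contents of every client<N>.conf file found there, each
 *    followed by a newline.
 * Entries starting with '.' are skipped; a missing directory is not an error.
 */
void write_vpn_dnsmasq_config(FILE* f)
{
	char nv[16];
	char buf[24];
	// "/etc/openvpn/dns/" plus a d_name (at most 255 bytes on Linux)
	char path[288];
	char *pos, ch;
	int cur, c;
	int strict_done = 0;
	DIR *dir;
	struct dirent *file;
	FILE *dnsf;

	strlcpy(buf, nvram_safe_get("vpn_server_dns"), sizeof(buf));
	for (pos = strtok(buf, ","); pos != NULL; pos = strtok(NULL, ",")) {
		cur = atoi(pos);
		if (cur) {
			vpnlog(VPN_LOG_EXTRA, "Adding server %d interface to dns config", cur);
			snprintf(nv, sizeof(nv), "vpn_server%d_if", cur);
			fprintf(f, "interface=%s%d\n", nvram_safe_get(nv), SERVER_IF_START+cur);
		}
	}

	if ((dir = opendir("/etc/openvpn/dns")) == NULL) {
		return;
	}

	while ((file = readdir(dir)) != NULL) {
		if (file->d_name[0] == '.') {
			continue;
		}

		if (!strict_done && sscanf(file->d_name, "client%d.resol%c", &cur, &ch) == 2) {
			vpnlog(VPN_LOG_EXTRA, "Checking ADNS settings for client %d", cur);
			snprintf(buf, sizeof(buf), "vpn_client%d_adns", cur);
			if (nvram_get_int(buf) == 2) {
				vpnlog(VPN_LOG_INFO, "Adding strict-order to dnsmasq config for client %d", cur);
				fprintf(f, "strict-order\n");
				// Emit once but keep scanning: the original broke out of the
				// loop here, so any client<N>.conf listed afterwards was lost.
				strict_done = 1;
			}
		}

		if (sscanf(file->d_name, "client%d.con%c", &cur, &ch) == 2) {
			// Open by full path; the original used the bare d_name, which
			// only works if the cwd already happens to be /etc/openvpn/dns.
			if (snprintf(path, sizeof(path), "/etc/openvpn/dns/%s", file->d_name) >= (int)sizeof(path)) {
				continue;
			}
			if ((dnsf = fopen(path, "r")) != NULL) {
				vpnlog(VPN_LOG_INFO, "Adding Dnsmasq config from %s", file->d_name);
				// int, not char, so a 0xFF byte is not mistaken for EOF;
				// the trailing newline matches what the original appended.
				while ((c = fgetc(dnsf)) != EOF) {
					fputc(c, f);
				}
				fputc('\n', f);
				fclose(dnsf);
			}
		}
	}
	// The listing shows no closedir() here in the original; release the handle.
	closedir(dir);
}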
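/*
 * Append the DNS entries of every OpenVPN client to the resolver config
 * being written to `f`: each /etc/openvpn/dns/client<N>.resolv file is
 * copied verbatim followed by a newline. Returns 1 if any copied client has
 * vpn_client<N>_adns set to 3, else 0; returns 0 without writing anything
 * if the directory cannot be entered or read. Note that the function
 * chdir()s into /etc/openvpn/dns and leaves the working directory there.
 */
int write_vpn_resolv(FILE* f)
{
	DIR *dir;
	struct dirent *file;
	char *fn, ch, buf[24];
	int num, c;
	FILE *dnsf;
	int exclusive = 0;

	if (chdir("/etc/openvpn/dns")) {
		return 0;
	}

	// The original dereferenced the opendir() result unchecked.
	if ((dir = opendir("/etc/openvpn/dns")) == NULL) {
		return 0;
	}

	vpnlog(VPN_LOG_EXTRA, "Adding DNS entries...");
	while ((file = readdir(dir)) != NULL) {
		fn = file->d_name;
		if (fn[0] == '.') {
			continue;
		}

		// %d rather than the original %c so client slots above 9 match too
		if (sscanf(fn, "client%d.resol%c", &num, &ch) != 2) {
			continue;
		}
		// fn is relative; it resolves because of the chdir() above
		if ((dnsf = fopen(fn, "r")) == NULL) {
			continue;
		}

		vpnlog(VPN_LOG_INFO,"Adding DNS entries from %s", fn);
		// int, not char, so a 0xFF byte is not mistaken for EOF;
		// the trailing newline matches what the original appended.
		while ((c = fgetc(dnsf)) != EOF) {
			fputc(c, f);
		}
		fputc('\n', f);
		fclose(dnsf);

		snprintf(buf, sizeof(buf), "vpn_client%d_adns", num);
		if (nvram_get_int(buf) == 3) {
			exclusive = 1;
		}
	}
	vpnlog(VPN_LOG_EXTRA, "Done with DNS entries...");

	closedir(dir);

	return exclusive;
}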