#!/bin/sh /etc/rc.common
# (c) 2013 by sven-ola
# Runs last at boot. Besides start/stop, /etc/rc.common exposes the three
# extra actions listed here (see EXTRA_HELP for their one-line summaries).
START=99
EXTRA_COMMANDS="inetvia prerm debug"
EXTRA_HELP="
inetvia (eth0.2|br-lan|default|disable) Set Inet-to-VPN03-only-via Firewall rule
debug Start this script with debug output
prerm Remove system changes before uninstalling
"
# WDIR: RAM disk that receives the downloaded packages (gone after reboot).
# HOME: reassigned for this script; it holds the scp key and the pinned
#       .md5 files. NOTE(review): it presumably also steers where dropbear
#       looks for its known_hosts - confirm before relying on host-key checks.
# HOST: the VPN server; packages are fetched from it and the OUTPUT rules
#       in start()/stop() are keyed on it.
WDIR=/tmp/vpn03
HOME=/usr/lib/vpn03
HOST=vpn03.berlin.freifunk.net
# config_load and the CONFIG_* variables come from functions.sh;
# DISTRIB_CODENAME / DISTRIB_TARGET from openwrt_release.
. /lib/functions.sh
. /etc/openwrt_release
# Package set: the iproute2-based openvpn-polarssl build needs an "ip"
# binary and IPv6 in the kernel; otherwise fall back to the ifconfig build.
if [ -n "$(which ip)" ] && [ -f /proc/net/if_inet6 ]; then
  DOWNLOAD=12.09
  LIST="liblzo_2.06-1 libpolarssl_1.2.5-1 openvpn-polarssl_2.3.0-1 libpcap_1.1.1-2 tcpdump-mini_4.2.1-3"
else
  DOWNLOAD=12.09
  LIST="liblzo_2.06-1 libopenssl_1.0.1e-1 openvpn_2.2.2-2 libpcap_1.1.1-2 tcpdump-mini_4.2.1-3"
fi
# Backfire (10.03.x) gets its own, older binaries regardless of the above.
case "${DISTRIB_CODENAME}" in
  backfire)
    DOWNLOAD=10.03.2
    LIST="liblzo_2.05-1 libopenssl_0.9.8x-1 openvpn_2.2.1-5 libpcap_1.0.0-2 tcpdump-mini_4.1.1-2"
    ;;
esac
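#######################################
# Record which interface traffic to ${HOST} may leave through.
# The choice is stored in UCI (network.settings.vpn03via) and only read by
# start()/stop() via config_load when building the OUTPUT rules, so nothing
# changes on the running firewall until the next start.
# Arguments:
#   $1 - an interface name (e.g. eth0.2, br-lan); "default" stores an empty
#        value, which start() maps to CONFIG_wan_ifname; "disable" means no
#        extra rule. Empty, -h or --help prints usage plus the current
#        setting to stderr. The name is not validated against existing
#        interfaces (it may legitimately not exist yet at this point).
# Globals: HOST (read); CONFIG_wan_ifname, CONFIG_settings_vpn03via (read
#          after config_load); initscript (set by /etc/rc.common)
# Returns: exits 0 after committing, 1 after printing usage.
#######################################
inetvia() {
  iface=$1
  case "$1" in
    default)
      iface= # empty value: start() falls back to ${CONFIG_wan_ifname}
      ;;
    ""|-h|--help)
      config_load network
      echo "Usage: $initscript inetvia (eth0.2|br-lan|default|disable)
\$ifname: Send to ${HOST} only via this interface
default: Use default wan ifname (currently: ${CONFIG_wan_ifname})
disable: Do not set any extra firewall rule
" >&2
      case "${CONFIG_settings_vpn03via}" in
        disable)
          echo "Current setting: disable" >&2
          ;;
        ""|"${CONFIG_wan_ifname}")
          echo "Current setting: default" >&2
          ;;
        *)
          echo "Current setting: ${CONFIG_settings_vpn03via}" >&2
          ;;
      esac
      exit 1
      ;;
  esac
  # The value comes straight from the command line; quote it so it is not
  # word-split or glob-expanded before uci sees it.
  uci set network.settings=private
  uci set network.settings.vpn03via="${iface}"
  uci commit
  exit 0
}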
#######################################
# Undo the persistent changes start() leaves outside the RAM disk so the
# package can be removed: the pinned .md5 files under ${HOME} and the
# LD_LIBRARY_PATH/PATH block appended to /etc/profile.
# Not handled here: the uci network.settings section written by inetvia(),
# the /usr/sbin/ip symlink start() may create, and ${WDIR} itself.
# Globals: HOME, WDIR (read); PAT (written)
#######################################
prerm() {
  rm -f "${HOME}"/*.md5
  # Escape the slashes in WDIR so it can sit inside a /.../ sed address.
  PAT=$(printf '%s\n' "${WDIR}" | sed 's,/,\\/,g')
  # Drop the "for i in ${WDIR}/bin ..." ... "done" block and the export line,
  # i.e. exactly the lines start() appends when they are missing.
  sed -i "/^for i in ${PAT}/,/^done/d;/export LD_LIBRARY_PATH=${PAT}/d" /etc/profile
}
#######################################
# Fetch the OpenVPN packages for this target into the RAM disk ${WDIR},
# check them against the .md5 files pinned under ${HOME}, unpack them,
# install two helper scripts and an /etc/profile hook, restrict traffic to
# ${HOST} to one interface, fix the clock and launch openvpn.
# Globals: WDIR, HOME, HOST, LIST, DOWNLOAD, DEBUG_VPN03 (read);
#          DISTRIB_TARGET (from /etc/openwrt_release); CONFIG_wan_proto,
#          CONFIG_wan_ifname, CONFIG_settings_vpn03via (after config_load);
#          LD_LIBRARY_PATH (exported)
# Returns: exits 1 on an md5 mismatch; otherwise the status of the last
#          openvpn invocation.
#######################################
start() {
config_load network
# DEBUG_VPN03 is exported by debug(); trace everything from here on.
case ${DEBUG_VPN03} in "");;*)
set -x
;;esac
# Download required binaries and unpack to RAM disk
test -d ${WDIR} || mkdir ${WDIR}
# Retry every 10 s until each .ipk exists in ${WDIR}. There is no retry cap
# and no timeout: while ${HOST} is unreachable this loop never finishes,
# and at START=99 that holds up the remainder of boot. The scp key lives in
# ${HOME} (reassigned to /usr/lib/vpn03 above). NOTE(review): how the
# server's host key is verified for this scp is not visible here - confirm.
for file in $LIST;do
while [ ! -f ${WDIR}/${file}_${DISTRIB_TARGET%%/*}.ipk ];do
scp -i $HOME/dropbearkey.vpn03 download@$HOST:~/${DOWNLOAD}/${file}_${DISTRIB_TARGET%%/*}.ipk ${WDIR}/
test -f ${WDIR}/${file}_${DISTRIB_TARGET%%/*}.ipk || sleep 10
done
done
# Integrity check is trust-on-first-download: an existing .md5 under ${HOME}
# is verified, but when none exists the file just downloaded defines it.
# Later downloads are therefore pinned to whatever the first run fetched.
# "test -s" skips packages already unpacked: the .ipk is truncated to zero
# bytes below, which also keeps the loop above from refetching it.
for file in $LIST;do
test -s ${WDIR}/${file}_${DISTRIB_TARGET%%/*}.ipk && {
if [ -f ${HOME}/${file}_${DISTRIB_TARGET%%/*}.ipk.md5 ];then
md5sum -c ${HOME}/${file}_${DISTRIB_TARGET%%/*}.ipk.md5 || {
echo "md5sum for ${WDIR}/${file}_${DISTRIB_TARGET%%/*}.ipk does not match" >&2
exit 1
}
else
md5sum ${WDIR}/${file}_${DISTRIB_TARGET%%/*}.ipk > ${HOME}/${file}_${DISTRIB_TARGET%%/*}.ipk.md5
fi
# The .ipk is a gzipped tar containing ./data.tar.gz; stream that member
# to stdout and unpack it into ${WDIR}.
tar xOzf ${WDIR}/${file}_${DISTRIB_TARGET%%/*}.ipk ./data.tar.gz|tar zxC ${WDIR}
# Truncate instead of delete: the empty file is the "already done" marker.
:>${WDIR}/${file}_${DISTRIB_TARGET%%/*}.ipk
}
done
# Flatten ${WDIR}/usr/<dir>/* into ${WDIR}/<dir>/ and drop the usr/ level.
if [ -d ${WDIR}/usr ]; then
for file in ${WDIR}/usr/*;do
if [ -d ${file} ];then
test -d ${WDIR}/${file##*/} || mkdir ${WDIR}/${file##*/}
mv ${file}/* ${WDIR}/${file##*/}/
rmdir ${file}/
else
mv ${file} ${WDIR}/
fi
done
rmdir ${WDIR}/usr
fi
# Add test scripts for old freifunk-fw and luci-base-fw
test -d ${WDIR}/bin || mkdir -p ${WDIR}/bin
# Unquoted heredoc: \$1 is written literally, nothing else is expanded. The
# generated script pulls data from the given IP for 10 s as a throughput
# probe and then runs "killall wget", which also hits any other wget
# running on the box.
if [ ! -x ${WDIR}/bin/test.sh ];then
cat > ${WDIR}/bin/test.sh << EOF
#!/bin/sh
test -n "\$1" || {
echo "IP address missing." >&2
exit 1
}
trap "killall wget;echo;exit" SIGINT
wget -O /dev/null http://\$1/cgi-bin-dev-zero.bin&
sleep 10
killall wget
echo
EOF
chmod +x ${WDIR}/bin/test.sh
fi
# Same probe against the luci status page of newer firmware.
if [ ! -x ${WDIR}/bin/tst.sh ];then
cat > ${WDIR}/bin/tst.sh << EOF
#!/bin/sh
test -n "\$1" || {
echo "IP address missing." >&2
exit 1
}
trap "killall wget;echo;exit" SIGINT
wget -O /dev/null http://\$1/cgi-bin/luci/freifunk/status/zeroes&
sleep 10
killall wget
echo
EOF
chmod +x ${WDIR}/bin/tst.sh
fi
# Append once (grep -q guard) so interactive shells find the unpacked libs
# and binaries. ${WDIR} expands now, \${i} stays literal. prerm() deletes
# exactly these lines again, matched on the WDIR path.
if ! grep -q LD_LIBRARY_PATH=${WDIR}/lib /etc/profile;then
cat >> /etc/profile << EOF
export LD_LIBRARY_PATH=${WDIR}/lib
for i in ${WDIR}/bin ${WDIR}/sbin;do
test -d \${i} && export PATH=\${PATH}:\${i}
done
EOF
fi
# The Pberg FW has busybox "/bin/ip", while the OpenVPN-polarssl needs /usr/sbin/ip
if [ ! -e /usr/sbin/ip ] && [ -e /bin/ip ];then
ln -sf /bin/ip /usr/sbin/ip
fi
# Prevent OpenVPN via mesh, WAN allowed only
# vpn03via (written by inetvia): "disable" = no rule at all; "" = use the
# wan ifname, but only when wan has a real proto; anything else = that
# ifname, unconditionally.
case ${CONFIG_settings_vpn03via} in disable);;*)
case ${CONFIG_settings_vpn03via} in "")
proto=${CONFIG_wan_proto}
ifname=${CONFIG_wan_ifname}
;;*)
proto=manual
ifname=${CONFIG_settings_vpn03via}
;;esac
# Both rules are inserted at the head of OUTPUT, so the ACCEPT (added
# second) lands above the REJECT: packets to ${HOST} leave only via
# ${ifname}. iptables resolves ${HOST} when the rule is added; stop() has
# to compute the same ifname and get the same address to delete them.
case ${ifname} in "");;*) case ${proto} in ""|none);;*)
iptables -I OUTPUT -d ${HOST} -j REJECT
iptables -I OUTPUT -d ${HOST} -o ${ifname} -j ACCEPT
;;esac;;esac
;;esac
# VPN03 server ca generated end-of-nov 2012. We set the date at least to that.
# (Presumably so certificate validity checks pass on boxes without an RTC.)
if [ $(date +%s) -lt $(date -d 2012.12.01-00:00:0000000000 +%s) ];then
date -s 2012.12.01-00:00:0000000000
fi
# One daemonised openvpn per config file, using the binary and libs from
# the RAM disk - after a reboot the download/verify steps above run again.
export LD_LIBRARY_PATH=${WDIR}/lib
for file in /etc/openvpn/*.conf; do
${WDIR}/sbin/openvpn --cd /etc/openvpn --config ${file} --daemon
done
}
#######################################
# Restart with shell tracing and then follow the system log.
# DEBUG_VPN03 is exported so that stop() and start() switch on "set -x"
# themselves; the "set +x" in between only quiets the trace stop() left
# enabled in this shell. "logread -f" blocks until interrupted.
# Globals: DEBUG_VPN03 (exported)
#######################################
debug() {
  DEBUG_VPN03=true
  export DEBUG_VPN03
  stop
  set +x
  start
  logread -f
}
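#######################################
# Kill openvpn and remove the OUTPUT rules start() inserted.
# Globals: DEBUG_VPN03, HOST (read); CONFIG_wan_proto, CONFIG_wan_ifname,
#          CONFIG_settings_vpn03via (read after config_load network)
# Returns: the status of the last command run (iptables or killall).
#######################################
stop() {
  config_load network
  # DEBUG_VPN03 is exported by debug(); trace the rest of this function.
  case "${DEBUG_VPN03}" in
    "") ;;
    *) set -x ;;
  esac
  # This kills every openvpn on the box, not only the instances start()
  # launched from ${WDIR}/sbin. "No such process" noise is discarded via
  # /dev/null; the previous "2>&-" closed fd 2 instead, which makes any
  # later write to stderr fail with EBADF (or land in whatever file is
  # opened next on that descriptor).
  killall openvpn 2>/dev/null
  # Mirror of the rule selection in start(): the same ifname has to come
  # out here, otherwise "-D" does not match and the rules stay behind.
  # If inetvia() changed the setting between start and stop, the rules
  # inserted for the old value are not found either.
  case "${CONFIG_settings_vpn03via}" in
    disable) ;;
    *)
      case "${CONFIG_settings_vpn03via}" in
        "")
          proto=${CONFIG_wan_proto}
          ifname=${CONFIG_wan_ifname}
          ;;
        *)
          proto=manual
          ifname=${CONFIG_settings_vpn03via}
          ;;
      esac
      # iptables resolves ${HOST} again for the delete; if the name now
      # resolves to a different address than at start, -D will not match.
      case "${ifname}" in
        "") ;;
        *)
          case "${proto}" in
            ""|none) ;;
            *)
              iptables -D OUTPUT -d "${HOST}" -j REJECT
              iptables -D OUTPUT -d "${HOST}" -o "${ifname}" -j ACCEPT
              ;;
          esac
          ;;
      esac
      ;;
  esac
}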