Diskussion:Vpn03
#!/bin/sh /etc/rc.common
# (c) 2013 by sven-ola
#
# OpenWrt init script (dispatched through /etc/rc.common) for the Freifunk
# "vpn03" OpenVPN uplink. What the code below does:
#   * start:   fetch the OpenVPN binary and its libraries as .ipk files from
#              ${HOST} via scp into the RAM-disk directory ${WDIR}, check them
#              against md5 sums recorded under ${HOME}, unpack them, add
#              LD_LIBRARY_PATH/PATH lines to /etc/profile, insert iptables
#              OUTPUT rules so ${HOST} is only reachable via one interface,
#              raise the clock to at least 2012-12-01 and start one openvpn
#              daemon per /etc/openvpn/*.conf.
#   * stop:    kill openvpn and delete the iptables rules again.
#   * inetvia: store in uci which interface may carry traffic to ${HOST}.
#   * prerm:   remove the recorded md5 sums and the /etc/profile lines.
#   * debug:   stop, then start with "set -x" tracing, then follow the log.
#
# NOTE(review): this runs as root at boot and modifies the firewall, the
# system clock and /etc/profile; the per-step comments mark the points worth
# confirming before relying on it.

START=99
EXTRA_COMMANDS="inetvia prerm debug"
EXTRA_HELP="	inetvia (eth0.2|br-lan|default|disable)	Set Inet-to-VPN03-only-via Firewall rule
	debug	Start this script with debug output
	prerm	Remove system changes before uninstalling
"
# Unpack directory on the RAM disk; re-populated on every start().
WDIR=/tmp/vpn03
# Persistent state: the scp key and the recorded .md5 files.
# NOTE(review): this re-assigns the HOME environment variable for the whole
# script, so the scp client presumably also looks for its per-user ssh files
# (e.g. known_hosts) below this directory — confirm with the dropbear client
# in use, since that decides how the server's host key is verified.
HOME=/usr/lib/vpn03
# Download server and OpenVPN endpoint; also the destination matched by the
# iptables rules in start()/stop().
HOST=vpn03.berlin.freifunk.net

# OpenWrt helpers (config_load, ...) and the DISTRIB_* variables.
. /lib/functions.sh
. /etc/openwrt_release

# Pick the package set matching the router's capabilities; the version
# directory on ${HOST} and the package file names are selected here.
if [ -z "$(which ip)" ] || [ ! -f /proc/net/if_inet6 ];then
	# No iproute2 or no ipv6, use old OpenVPN compiled with ifconfig
	DOWNLOAD=12.09
	LIST="liblzo_2.06-1 libopenssl_1.0.1e-1 openvpn_2.2.2-2 libpcap_1.1.1-2 tcpdump-mini_4.2.1-3"
else
	# Have iproute2 / busybox-ip, use new openvpn-polarssl compiled with iproute2
	DOWNLOAD=12.09
	LIST="liblzo_2.06-1 libpolarssl_1.2.5-1 openvpn-polarssl_2.3.0-1 libpcap_1.1.1-2 tcpdump-mini_4.2.1-3"
fi
case ${DISTRIB_CODENAME} in
	backfire)
		# We also host binaries for older OpenWrt-Backfire
		DOWNLOAD=10.03.2
		LIST="liblzo_2.05-1 libopenssl_0.9.8x-1 openvpn_2.2.1-5 libpcap_1.0.0-2 tcpdump-mini_4.1.1-2"
		;;
esac

#######################################
# Store the interface through which ${HOST} may be reached.
# Arguments: $1 - an interface name, "default" (use the wan ifname),
#            "disable" (no extra firewall rule), or ""/-h/--help (usage)
# Globals:   reads HOST, CONFIG_wan_ifname, CONFIG_settings_vpn03via
#            (after config_load); writes network.settings.vpn03via via uci
# Returns:   exits 0 after committing, exits 1 after printing the usage
# NOTE(review): the interface name is stored exactly as given, without
# validation, and start()/stop() later interpolate it unquoted into
# "iptables -o"; only trusted (root) callers should reach this command.
#######################################
inetvia() {
	iface=${1}
	case ${1} in
		default)
			iface= # Use ${CONFIG_wan_ifname}
			;;
		""|-h|--help)
			config_load network
			echo "Usage: $initscript inetvia (eth0.2|br-lan|default|disable)
	\$ifname: Send to ${HOST} only via this interface
	default: Use default wan ifname (currently: ${CONFIG_wan_ifname})
	disable: Do not set any extra firewall rule
" >&2
			case ${CONFIG_settings_vpn03via} in
				disable)
					echo "Current setting: disable" >&2
					;;
				""|${CONFIG_wan_ifname})
					echo "Current setting: default" >&2
					;;
				*)
					echo "Current setting: ${CONFIG_settings_vpn03via}" >&2
					;;
			esac
			exit 1
			;;
	esac
	# "disable" and real interface names are stored verbatim; "default" is
	# stored as an empty value, which start()/stop() treat as "use wan".
	uci set network.settings=private
	uci set network.settings.vpn03via=${iface}
	uci commit
	exit 0
}

#######################################
# Undo the persistent changes made by start(): drop the recorded md5 sums
# under ${HOME} and strip the LD_LIBRARY_PATH / PATH lines that start()
# appended to /etc/profile.
# Globals:   HOME, WDIR
#######################################
prerm() {
	rm -f ${HOME}/*.md5
	# Escape the slashes in WDIR so it can be used inside a sed address.
	PAT=$(echo ${WDIR}|sed 's,/,\\/,g')
	# Delete the "for i in ${WDIR}/bin ..." ... "done" loop and the export line.
	sed -i "/^for i in ${PAT}/,/^done/d;/export LD_LIBRARY_PATH=${PAT}/d" /etc/profile
}

#######################################
# Fetch, verify and unpack the packages, wire up the environment and the
# firewall, then launch openvpn for every config under /etc/openvpn.
# Globals:   DEBUG_VPN03 (non-empty enables "set -x"), WDIR, HOME, HOST,
#            DOWNLOAD, LIST, DISTRIB_TARGET, CONFIG_* (after config_load)
# Returns:   exits 1 when a recorded md5 sum does not match
#######################################
start() {
	config_load network
	case ${DEBUG_VPN03} in
		"") ;;
		*) set -x ;;
	esac
	# Download required binaries and unpack to RAM disk
	test -d ${WDIR} || mkdir ${WDIR}
	# Fetch every package of LIST for this target (the part of DISTRIB_TARGET
	# before the first "/") over scp with the dedicated key.
	# NOTE(review): the inner loop retries forever with a 10 s pause while
	# the file is missing, so a boot-time start() blocks indefinitely when
	# ${HOST} is unreachable or the transfer keeps failing.
	for file in $LIST;do
		while [ ! -f ${WDIR}/${file}_${DISTRIB_TARGET%%/*}.ipk ];do
			scp -i $HOME/dropbearkey.vpn03 download@$HOST:~/${DOWNLOAD}/${file}_${DISTRIB_TARGET%%/*}.ipk ${WDIR}/
			test -f ${WDIR}/${file}_${DISTRIB_TARGET%%/*}.ipk || sleep 10
		done
	done
	# Verify and unpack. Only non-empty .ipk files are processed: after
	# unpacking, the .ipk is truncated to zero bytes (":>" below) so that a
	# later start() skips both the re-download (-f) and the re-extraction (-s).
	for file in $LIST;do
		test -s ${WDIR}/${file}_${DISTRIB_TARGET%%/*}.ipk && {
			# The integrity check is trust-on-first-use: when no .md5 is
			# recorded yet, the freshly downloaded file is accepted as-is and
			# its sum is recorded for future runs.
			# NOTE(review): a tampered first download from ${HOST} is therefore
			# not detected (and MD5 is not collision-resistant); shipping the
			# expected sums with this package, or a signature check, would
			# close that gap.
			if [ -f ${HOME}/${file}_${DISTRIB_TARGET%%/*}.ipk.md5 ];then
				md5sum -c ${HOME}/${file}_${DISTRIB_TARGET%%/*}.ipk.md5 || {
					echo "md5sum for ${WDIR}/${file}_${DISTRIB_TARGET%%/*}.ipk does not match" >&2
					exit 1
				}
			else
				md5sum ${WDIR}/${file}_${DISTRIB_TARGET%%/*}.ipk > ${HOME}/${file}_${DISTRIB_TARGET%%/*}.ipk.md5
			fi
			# The .ipk is a gzipped tar holding ./data.tar.gz; stream that
			# inner tarball to stdout and unpack it into ${WDIR}.
			tar xOzf ${WDIR}/${file}_${DISTRIB_TARGET%%/*}.ipk ./data.tar.gz|tar zxC ${WDIR}
			:>${WDIR}/${file}_${DISTRIB_TARGET%%/*}.ipk
		}
	done
	# The packages unpack below ${WDIR}/usr/...; flatten that tree so the
	# binaries and libraries end up directly in ${WDIR}/{bin,sbin,lib,...}.
	if [ -d ${WDIR}/usr ]; then
		for file in ${WDIR}/usr/*;do
			if [ -d ${file} ];then
				test -d ${WDIR}/${file##*/} || mkdir ${WDIR}/${file##*/}
				mv ${file}/* ${WDIR}/${file##*/}/
				rmdir ${file}/
			else
				mv ${file} ${WDIR}/
			fi
		done
		rmdir ${WDIR}/usr
	fi
	# Add test scripts for old freifunk-fw and luci-base-fw
	# Each helper downloads from the given IP for 10 seconds as a crude
	# throughput test; note that its "killall wget" also stops any unrelated
	# wget process on the router.
	test -d ${WDIR}/bin || mkdir -p ${WDIR}/bin
	if [ ! -x ${WDIR}/bin/test.sh ];then
		cat > ${WDIR}/bin/test.sh << EOF
#!/bin/sh
test -n "\$1" || {
	echo "IP address missing." >&2
	exit 1
}
trap "killall wget;echo;exit" SIGINT
wget -O /dev/null http://\$1/cgi-bin-dev-zero.bin&
sleep 10
killall wget
echo
EOF
		chmod +x ${WDIR}/bin/test.sh
	fi
	if [ ! -x ${WDIR}/bin/tst.sh ];then
		cat > ${WDIR}/bin/tst.sh << EOF
#!/bin/sh
test -n "\$1" || {
	echo "IP address missing." >&2
	exit 1
}
trap "killall wget;echo;exit" SIGINT
wget -O /dev/null http://\$1/cgi-bin/luci/freifunk/status/zeroes&
sleep 10
killall wget
echo
EOF
		chmod +x ${WDIR}/bin/tst.sh
	fi
	# Make the RAM-disk binaries and libraries visible to login shells; the
	# lines are added once (grep -q) and removed again by prerm().
	# NOTE(review): this sets a system-wide LD_LIBRARY_PATH pointing into
	# /tmp. Anything that can write to ${WDIR}/lib could then get its
	# libraries loaded by programs started from those shells, so the
	# ownership/permissions of ${WDIR} are what keeps this safe — confirm.
	if ! grep -q LD_LIBRARY_PATH=${WDIR}/lib /etc/profile;then
		cat >> /etc/profile << EOF
export LD_LIBRARY_PATH=${WDIR}/lib
for i in ${WDIR}/bin ${WDIR}/sbin;do
	test -d \${i} && export PATH=\${PATH}:\${i}
done
EOF
	fi
	# The Pberg FW has busybox "/bin/ip", while the OpenVPN-polarssl needs /usr/sbin/ip
	if [ ! -e /usr/sbin/ip ] && [ -e /bin/ip ];then
		ln -sf /bin/ip /usr/sbin/ip
	fi
	# Prevent OpenVPN via mesh, WAN allowed only
	# Interface selection: an empty uci value means the wan ifname (skipped
	# when wan has no proto); any other value is taken verbatim with
	# proto=manual; "disable" adds no rule at all.
	# Rule order: REJECT is inserted first, then ACCEPT is inserted in front
	# of it, so traffic to ${HOST} leaving via ${ifname} is accepted and all
	# other traffic to ${HOST} is rejected.
	# NOTE(review): "-I" is unconditional, so every start() without a
	# matching stop() adds another pair of rules while stop() deletes only
	# one pair. "-d ${HOST}" is resolved via DNS at insertion time, so a
	# later address change is not reflected and a failed lookup makes the
	# iptables call fail rather than restrict anything.
	case ${CONFIG_settings_vpn03via} in
		disable) ;;
		*)
			case ${CONFIG_settings_vpn03via} in
				"")
					proto=${CONFIG_wan_proto}
					ifname=${CONFIG_wan_ifname}
					;;
				*)
					proto=manual
					ifname=${CONFIG_settings_vpn03via}
					;;
			esac
			case ${ifname} in
				"") ;;
				*)
					case ${proto} in
						""|none) ;;
						*)
							iptables -I OUTPUT -d ${HOST} -j REJECT
							iptables -I OUTPUT -d ${HOST} -o ${ifname} -j ACCEPT
							;;
					esac
					;;
			esac
			;;
	esac
	# VPN03 server ca generated end-of-nov 2012. We set the date at least to that.
	# (Presumably so certificate validity checks do not fail on a router
	# whose clock still starts near the epoch after boot.)
	if [ $(date +%s) -lt $(date -d 2012.12.01-00:00:0000000000 +%s) ];then
		date -s 2012.12.01-00:00:0000000000
	fi
	# The unpacked libraries live in ${WDIR}/lib; start one daemon per
	# config file, with /etc/openvpn as its working directory.
	export LD_LIBRARY_PATH=${WDIR}/lib
	for file in /etc/openvpn/*.conf; do
		${WDIR}/sbin/openvpn --cd /etc/openvpn --config ${file} --daemon
	done
}

#######################################
# Restart with shell tracing enabled (start()/stop() switch on "set -x"
# when DEBUG_VPN03 is non-empty), then follow the system log.
# The "set +x" between stop and start only silences the tracing that stop()
# turned on in this shell; start() enables it again.
#######################################
debug() {
	export DEBUG_VPN03=true
	stop
	set +x
	start
	logread -f
}

#######################################
# Stop openvpn and delete the iptables rules that start() inserted, using
# the same interface selection as start().
# Globals:   DEBUG_VPN03, HOST, CONFIG_* (after config_load)
# Note: "killall openvpn" is not limited to the instances started by this
# script; its stderr is closed (2>&-) so a missing process is silent.
#######################################
stop() {
	config_load network
	case ${DEBUG_VPN03} in
		"") ;;
		*) set -x ;;
	esac
	killall openvpn 2>&-
	case ${CONFIG_settings_vpn03via} in
		disable) ;;
		*)
			case ${CONFIG_settings_vpn03via} in
				"")
					proto=${CONFIG_wan_proto}
					ifname=${CONFIG_wan_ifname}
					;;
				*)
					proto=manual
					ifname=${CONFIG_settings_vpn03via}
					;;
			esac
			case ${ifname} in
				"") ;;
				*)
					case ${proto} in
						""|none) ;;
						*)
							# Removes one matching rule each; see the note in start()
							# about rules accumulating across repeated start() calls.
							iptables -D OUTPUT -d ${HOST} -j REJECT
							iptables -D OUTPUT -d ${HOST} -o ${ifname} -j ACCEPT
							;;
					esac
					;;
			esac
			;;
	esac
}