blob: 0924d4250f570ffe934b18fd5ff741c1fe023db2 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
|
#!/bin/sh
. /lib/functions.sh
. /lib/functions/network.sh
. ../netifd-proto.sh
init_proto "$@"
IPv4_REGEX="((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
append_args() {
while [ $# -gt 0 ]; do
append cmdline "'${1//\'/\'\\\'\'}'"
shift
done
}
proto_openfortivpn_init_config() {
proto_config_add_string "peeraddr"
proto_config_add_int "port"
proto_config_add_string "tunlink"
proto_config_add_string "local_ip"
proto_config_add_string "username"
proto_config_add_string "password"
proto_config_add_int "persist_int"
proto_config_add_string "trusted_cert"
proto_config_add_string "remote_status_check"
no_device=1
available=1
}
proto_openfortivpn_setup() {
local config="$1"
local msg ifname ip server_ips pwfile callfile
local peeraddr port tunlink local_ip username password persist_int \
trusted_cert remote_status_check
json_get_vars host peeraddr port tunlink local_ip username password persist_int \
trusted_cert remote_status_check
ifname="vpn-$config"
[ -n "$tunlink" ] && {
network_get_device iface_device_name "$tunlink"
network_is_up "$tunlink" || {
msg="$tunlink is not up $iface_device_name"
logger -t "openfortivpn" "$config: $msg"
proto_notify_error "$config" "$msg"
proto_block_restart "$config"
exit 1
}
}
if echo "$peeraddr" | grep -q -E "$IPv4_REGEX"; then
server_ips="$peeraddr"
elif command -v resolveip >/dev/null ; then
server_ips="$(resolveip -4 -t 10 "$peeraddr")" || {
msg="$config: failed to resolve server ip for $peeraddr"
logger -t "openfortivpn" "$msg"
sleep 10
proto_notify_error "$config" "$msg"
proto_setup_failed "$config"
exit 1
}
else
logger -t "openfortivpn" "resolveip not present, could not resolve $peeraddr"
fi
[ "$remote_status_check" = "curl" ] && {
curl -k --head -s --connect-timeout 10 ${tunlink:+--interface} "$iface_device_name" "https://$peeraddr" > /dev/null || {
msg="failed to reach https://$peeraddr${tunlink:+ on $iface_device_name}"
logger -t "openfortivpn" "$config: $msg"
sleep 10
proto_notify_error "$config" "$msg"
proto_setup_failed "$config"
exit 1
}
}
[ "$remote_status_check" = "ping" ] && {
ping ${tunlink:+-I} "$iface_device_name" -c 1 -w 10 "$peeraddr" > /dev/null 2>&1 || {
msg="$config: failed to ping $peeraddr on $iface_device_name"
logger -t "openfortvpn" "$config: $msg"
sleep 10
proto_notify_error "$config" "$msg"
proto_setup_failed "$config"
exit 1
}
}
if [ -n "$server_ips" ]; then
for ip in $server_ips; do
logger -p 6 -t "openfortivpn" "$config: adding host dependency for $ip on $tunlink at $config"
proto_add_host_dependency "$config" "$ip" "$tunlink"
done
fi
# uclient-fetch cannot bind to interface, so perform check after adding host dependency
[ "$remote_status_check" = "fetch" ] && {
uclient-fetch --no-check-certificate -q -s --timeout=10 "https://$peeraddr" > /dev/null 2>&1 || {
msg="$config: failed to reach ${server_ip:-$peeraddr} on $iface_device_name"
logger -t "openfortvpn" "$config: $msg"
sleep 10
proto_notify_error "$config" "$msg"
proto_setup_failed "$config"
exit 1
}
}
[ -n "$port" ] && port=":$port"
append_args "$peeraddr$port" --pppd-ifname="$ifname" --use-syslog -c /dev/null
append_args "--set-dns=0"
append_args "--no-routes"
append_args "--pppd-use-peerdns=1"
[ -n "$tunlink" ] && {
append_args "--ifname=$iface_device_name"
}
[ -n "$persist_int" ] && append_args "--persistent=$persist_int"
[ -n "$trusted_cert" ] && append_args "--trusted-cert=$trusted_cert"
[ -n "$username" ] && append_args -u "$username"
[ -n "$password" ] && {
umask 077
mkdir -p '/var/etc/openfortivpn'
pwfile="/var/etc/openfortivpn/$config.passwd"
echo "$password" > "$pwfile"
}
[ -n "$local_ip" ] || local_ip=192.0.2.1
[ -e '/etc/ppp/peers' ] || mkdir -p '/etc/ppp/peers'
[ -e '/etc/ppp/peers/openfortivpn' ] || {
ln -s -T '/var/etc/openfortivpn/peers' '/etc/ppp/peers/openfortivpn' 2> /dev/null
mkdir -p '/var/etc/openfortivpn/peers'
}
[ -f /etc/openfortivpn/user-cert-$config.pem ] && append_args "--user-cert=/etc/openfortivpn/user-cert-$config.pem"
[ -f /etc/openfortivpn/user-key-$config.pem ] && append_args "--user-key=/etc/openfortivpn/user-key-$config.pem"
[ -f /etc/openfortivpn/ca-$config.pem ] && append_args "--ca-file=/etc/openfortivpn/ca-$config.pem"
callfile="/var/etc/openfortivpn/peers/$config"
echo "115200
:$local_ip
noipdefault
noaccomp
noauth
default-asyncmap
nopcomp
receive-all
nodetach
ipparam $config
lcp-max-configure 40
ip-up-script /lib/netifd/openfortivpn-ppp-up
ip-down-script /lib/netifd/ppp-down
mru 1354" > "$callfile"
append_args "--pppd-call=openfortivpn/$config"
logger -p 6 -t openfortivpn "$config: executing 'openfortivpn $cmdline'"
eval "proto_run_command '$config' /usr/sbin/openfortivpn-wrapper '$pwfile' '$config' $cmdline"
}
proto_openfortivpn_teardown() {
local config="$1"
pwfile="/var/etc/openfortivpn/$config.passwd"
callfile="/var/etc/openfortivpn/peers/$config"
rm -f "$pwfile"
rm -f "$callfile"
proto_kill_command "$config" 2
}
add_protocol openfortivpn
|