From 2de9bf3b2c605ad71a4d73a65c6b7932ffd98a29 Mon Sep 17 00:00:00 2001 From: Julien VAUBOURG Date: Wed, 5 Nov 2014 23:42:24 +0100 Subject: [PATCH] Fixing a lot of stuff --- conf/client.conf.tpl | 2 -- conf/ynh-vpnclient | 34 ++++++++++++++++++---------------- manifest.json | 23 +++++++++-------------- scripts/install | 44 +++++++++++++++++++++----------------------- scripts/remove | 8 ++++++++ 5 files changed, 56 insertions(+), 55 deletions(-) diff --git a/conf/client.conf.tpl b/conf/client.conf.tpl index 74053fc..6d80e50 100644 --- a/conf/client.conf.tpl +++ b/conf/client.conf.tpl @@ -11,8 +11,6 @@ keepalive 10 30 comp-lzo adaptive # UDP only -mssfix -fragment 1300 explicit-exit-notify # TLS diff --git a/conf/ynh-vpnclient b/conf/ynh-vpnclient index 55c8326..0975822 100644 --- a/conf/ynh-vpnclient +++ b/conf/ynh-vpnclient @@ -15,19 +15,20 @@ has_nativeip6() { is_ip6addr_set() { yunohost app list -f hotspot --json | grep -q '"installed": true'\ - || ip a s dev tun0 | grep -q /128 + || ip a s dev tun0 2> /dev/null | grep -q /128 } -is_ip6interco_set() { - ip -6 r | grep -q / +is_serverip6route_set() { + ip -6 r | grep -q / } is_openvpn_running() { - service openvpn status &> /dev/null + # service openvpn status seems to be a joke + ip l sh dev tun0 &> /dev/null } is_running() { - ((has_nativeip6 && is_ip6interco_set) || ! has_nativeip6) && is_openvpn_running + ((has_nativeip6 && is_serverip6route_set) || ! has_nativeip6) && is_openvpn_running } gw6=$(ip -6 r | grep default\ via | awk '{ print $3 }') @@ -45,7 +46,7 @@ case "$1" in sed "s||${proto}|" /etc/openvpn/client.conf.tpl > /etc/openvpn/client.conf sed 's|^||' -i /etc/openvpn/client.conf - service openvpn start + service openvpn start client false || while [ $? -ne 0 ]; do sleep 1 
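Review bot: The new `is_openvpn_running` in conf/ynh-vpnclient treats the mere existence of a tun0 link as proof that the OpenVPN client is up, which can be stale if the interface outlives the daemon (for example with a persist-tun option in the client config, which this diff does not show) or if another tunnel happens to own tun0; since `is_running` and the stop/status branches all depend on it, a false positive here silently skips the restart path. The replacement comment `# service openvpn status seems to be a joke` should state what the status command actually gets wrong so the next maintainer does not revert the change — if the reason is that it reports on all configs rather than the `client` instance, say so. Consider pairing the link check with a process check, e.g. `ip l sh dev tun0 &> /dev/null && pgrep -x openvpn > /dev/null`, and documenting the helper as `# Reports whether the client tunnel is up: tun0 link present and an openvpn process alive`.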
@@ -55,9 +56,9 @@ case "$1" in sleep 2 fi - if has_nativeip6 && ! is_ip6interco_set; then - echo "Set IPv6 interco route" - ip r a /128 via ${gw6} dev + if has_nativeip6 && ! is_serverip6route_set; then + echo "Set IPv6 server route" + ip r a /128 via ${gw6} dev fi if ! is_ip6addr_set; then @@ -69,12 +70,13 @@ case "$1" in stop) if is_ip6addr_set; then echo "Unset IPv6 address" - ip a d /128 dev tun0 + # Not useful if hotspot is installed + ip a d /128 dev tun0 2> /dev/null fi - if is_ip6interco_set; then - echo "Unset IPv6 interco route" - ip r d /128 via ${gw6} dev + if is_serverip6route_set; then + echo "Unset IPv6 server route" + ip r d /128 via ${gw6} dev fi if is_openvpn_running; then @@ -97,10 +99,10 @@ case "$1" in fi if has_nativeip6; then - if is_ip6interco_set; then - echo "IPv6 interco route is correctly set" + if is_serverip6route_set; then + echo "IPv6 server route is correctly set" else - echo "IPv6 interco route is NOT set" + echo "IPv6 server route is NOT set" exitcode=1 fi else diff --git a/manifest.json b/manifest.json index eefa26a..46009fc 100644 --- a/manifest.json +++ b/manifest.json @@ -25,23 +25,26 @@ { "name": "Client certificate", "ask": { - "en": "Select your client certificate" + "en": "Select the path of your client certificate (will be moved)" }, - "example": "-----BEGIN CERTIFICATE-----" + "example": "/tmp/user.crt", + "default": "/tmp/user.crt" }, { "name": "Client certificate key", "ask": { - "en": "Select your client certificate key" + "en": "Select the path of your client certificate key (will be moved)" }, - "example": "-----BEGIN PRIVATE KEY-----" + "example": "/tmp/user.key", + "default": "/tmp/user.key" }, { "name": "Server CA", "ask": { - "en": "Select your server certificate authority" + "en": "Select the path of your server certificate authority (will be moved)" }, - "example": "-----BEGIN CERTIFICATE-----" + "example": "/tmp/ca-server.crt", + "default": "/tmp/ca-server.crt" }, { "name": "IPv6 network", 
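Review bot: In the `stop)` hunk of conf/ynh-vpnclient, `ip a d /128 dev tun0 2> /dev/null` now mutes every error of the address deletion, not just the expected one, so a genuine failure (wrong address, wrong device, missing capability) leaves the system in an inconsistent state with no diagnostic. The added comment `# Not useful if hotspot is installed` names the symptom but not the cause: judging from the first hunk, `is_ip6addr_set` short-circuits to true whenever the hotspot app is installed, so this branch runs even when the address was never added. Either mirror that condition here instead of hiding stderr, or make the comment explain it, e.g. `# is_ip6addr_set is always true when the hotspot app is installed, so the address may already be gone; ignore that one failure`.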
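Review bot: The new defaults `/tmp/user.crt`, `/tmp/user.key` and `/tmp/ca-server.crt` steer the administrator into staging a private key in a world-writable shared directory, where the file can be read by any local account before the install script copies it as root and removes it. The prompts should direct the admin to a location only they can read and the install script should verify ownership and mode before copying; the `ask` text could read `"en": "Path of your client certificate key (the file will be moved; put it in a directory only you can read)"`, with the matching wording for the certificate and CA prompts. Keeping the defaults at all is questionable, since an admin who accepts them without checking gets the weakest placement.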
@@ -49,14 +52,6 @@ "en": "Select your IPv6 delegated network (netmask number must be <= 64)" }, "example": "2001:db8:42::/48" - }, - { - "name": "IPv6 interco", - "ask": { - "en": "Select your IPv6 interco (server side)" - }, - "example": "2001:db8:1337::42", - "default": "2001:db8:1337::42" } ] } diff --git a/scripts/install b/scripts/install index cfde256..e95f360 100644 --- a/scripts/install +++ b/scripts/install @@ -2,11 +2,10 @@ # Retrieve arguments server_name=$1 -crt_client=$2 -crt_client_key=$3 -crt_server_ca=$4 +crt_client_path=$2 +crt_client_key_path=$3 +crt_server_ca_path=$4 ip6_net=$5 -ip6_interco=$6 # Check arguments # TODO 
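Review bot: The `crt_client_path`, `crt_client_key_path` and `crt_server_ca_path` arguments introduced in scripts/install are never validated — the `# Check arguments` / `# TODO` block right below them stays empty — yet the next hunk hands them unquoted to `sudo install` and `sudo rm -f`, so a missing or mistyped path aborts the install half-way with the yunohost settings already written, and a path containing spaces splits into several arguments. Since root copies these files from a user-chosen location, the check should also refuse symlinks so that `install` cannot be pointed at an unrelated file; I have hedged the exact policy, but the existence check is the minimum. The rest of the install script is outside this hunk.
```shell
# Check arguments
for f in "${crt_client_path}" "${crt_client_key_path}" "${crt_server_ca_path}"; do
  [ -f "${f}" ] && [ ! -L "${f}" ] || { echo "Certificate file not found or not a regular file: ${f}" >&2; exit 1; }
done
```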
@@ -19,39 +18,31 @@ sudo apt-get --assume-yes --force-yes install sipcalc # Compute extra arguments wired_device=$(ip r | awk '/default via/ { print $NF; }') -ip6_interco=$(sipcalc ${ip6_interco} | grep Compressed | awk '{ print $NF; }') ip6_expanded_net=$(sipcalc ${ip6_net} | grep Expanded | awk '{ print $NF; }') ip6_net=$(sipcalc ${ip6_net} | grep Compressed | awk '{ print $NF; }') -ip6_addr=$(echo "$(echo ${ip6_expanded_net} | cut -d: -f1-7):42") +ip6_addr=$(echo "$(echo ${ip6_expanded_net} | cut -d: -f1-7):1") ip6_addr=$(sipcalc ${ip6_addr} | grep Compressed | awk '{ print $NF; }') +server_ip6=$(host ${server_name} | awk '/IPv6/ { print $NF; }') # Save arguments for future upgrades sudo yunohost app setting vpnclient wired_device -v ${wired_device} sudo yunohost app setting vpnclient ip6_addr -v ${ip6_addr} sudo yunohost app setting vpnclient ip6_net -v ${ip6_net} -sudo yunohost app setting vpnclient ip6_interco -v ${ip6_interco} -sudo yunohost app setting vpnclient crt_client -v ${crt_client} -sudo yunohost app setting vpnclient crt_client_key -v ${crt_client_key} -sudo yunohost app setting vpnclient crt_server_ca -v ${crt_server_ca} +sudo yunohost app setting vpnclient server_name -v ${server_name} +sudo yunohost app setting vpnclient server_ip6 -v ${server_ip6} # Copy confs sudo install -b -o root -g root -m 0644 ../conf/client.conf.tpl /etc/openvpn/ -# Create certificates +# Copy certificates sudo mkdir -pm 0700 /etc/openvpn/keys/ +sudo chown root: /etc/openvpn/keys/ -sudo cat << EOF > /etc/openvpn/keys/user.crt -${crt_client} -EOF -sudo cat << EOF > /etc/openvpn/keys/user.key -${crt_client_key} -EOF -sudo cat << EOF > /etc/openvpn/keys/ca-server.crt -${crt_server_ca} -EOF +sudo install -b -o root -g root -m 0600 ${crt_client_path} /etc/openvpn/keys/user.crt +sudo install -b -o root -g root -m 0600 ${crt_client_key_path} /etc/openvpn/keys/user.key +sudo install -b -o root -g root -m 0600 ${crt_server_ca_path} /etc/openvpn/keys/ca-server.crt -sudo chown -R 
root: /etc/openvpn/keys/ -sudo chmod 0600 /etc/openvpn/keys/* +sudo rm -f ${crt_client_path} ${crt_client_key_path} ${crt_server_ca_path} # Fix confs ## openvpn @@ -63,7 +54,7 @@ sudo install -b -o root -g root -m 0755 ../conf/ynh-vpnclient /etc/init.d/ # Fix init script ## ynh-vpnclient sudo sed "s||${ip6_addr}|g" -i /etc/init.d/ynh-vpnclient -sudo sed "s||${ip6_interco}|g" -i /etc/init.d/ynh-vpnclient +sudo sed "s||${server_ip6}|g" -i /etc/init.d/ynh-vpnclient sudo sed "s||${wired_device}|g" -i /etc/init.d/ynh-vpnclient # Set default inits @@ -79,4 +70,11 @@ sudo yunohost service add ynh-vpnclient sudo yunohost service enable ynh-vpnclient sudo yunohost service start ynh-vpnclient +# Restart hotspot service if installed to change NAT configuration (now on tun0) +sudo yunohost app list -f hotspot --json | grep -q '"installed": true' +if [ "$?" -eq 0 ]; then + sudo yunohost service stop ynh-hotspot + sudo yunohost service start ynh-hotspot +fi + exit 0 diff --git a/scripts/remove b/scripts/remove index 3c520db..8590ab8 100644 --- a/scripts/remove +++ b/scripts/remove @@ -11,6 +11,14 @@ sudo rm -f /etc/openvpn/client.conf* # Remove certificates sudo rm -rf /etc/openvpn/keys/ +# Restart hotspot service if installed to change NAT configuration +sudo yunohost app list -f hotspot --json | grep -q '"installed": true' +if [ "$?" -eq 0 ]; then + sleep 2 + sudo yunohost service stop ynh-hotspot + sudo yunohost service start ynh-hotspot +fi + # Remove packets # The yunohost policy is currently to not uninstall packets (dependency problems) ## sudo apt-get --assume-yes --force-yes remove openvpn
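Review bot: `server_ip6=$(host ${server_name} | awk '/IPv6/ { print $NF; }')` in scripts/install is never checked: when the name has no AAAA record (or `host` fails to resolve) the variable is empty and the `sed "s||${server_ip6}|g"` in the following hunk replaces the placeholder with nothing, so the init script later runs `ip r a /128 via ... dev` with a truncated route and no error at install time; with several AAAA records the value spans multiple lines and the same `sed` expression breaks. Take the first match and fail early: `server_ip6=$(host "${server_name}" | awk '/IPv6/ { print $NF; exit }')` followed by `[ -n "${server_ip6}" ] || { echo "No IPv6 address found for ${server_name}" >&2; exit 1; }`. The three `sudo install -b ... ${crt_client_path}` lines and the `sudo rm -f` line should also quote their path expansions. Whether `host` is installed on the target is not established by this diff (only sipcalc is installed above); worth confirming.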
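Review bot: The hotspot detection added at the end of scripts/install runs the pipeline and then tests `if [ "$?" -eq 0 ]; then` on the next line, which is fragile — any statement inserted between the two silently changes what `$?` refers to — and the same shape is repeated in the scripts/remove hunk. Test the pipeline directly: `if sudo yunohost app list -f hotspot --json | grep -q '"installed": true'; then`. Matching a JSON document with `grep` is also brittle (the `-f hotspot` filter and the `"installed": true` substring may match other entries), so a comment noting that assumption, or a proper JSON query if one is available in this environment, would help; I cannot tell from the diff which tools the target has.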