90 Commits

Author SHA1 Message Date
Samuel VERMEULEN
330cf13589 Fix cipher connexion pour vpn svnet 2020-04-20 16:47:59 +02:00
pitchum
06c83007d0 Bump to version 1.4.1 2020-04-04 12:06:18 +02:00
Antoine Jacques de Dixmude
22c793defc change for a best way of verifying if authentication is successful (check if a http header is set instead of looking into web page content) 2020-04-04 11:57:45 +02:00
Alexandre Aubin
e7a7d9bb9b Typo in variable name ... 2019-12-04 23:22:18 +01:00
Alexandre Aubin
6e0b782d0e Merge pull request #56 from labriqueinternet/brutal-refactor-for-moar-logging
Brutal refactoring for more logging and readability of the script because debugging is hell
2019-09-22 21:06:40 +02:00
Alexandre Aubin
b5ff4e2498 Misc tweaks and improvements following actual tests 2019-07-27 02:25:50 +02:00
Alexandre Aubin
c18d2f3419 Brutal refactoring for more logging and readability of the script because debugging is hell 2019-07-27 01:08:16 +02:00
Alexandre Aubin
51e3a6a100 Merge pull request #55 from labriqueinternet/alias-traversal
Fix the issue alias_traversal
2019-05-18 17:01:09 +02:00
Kayou
16a8fcd4e8 Fix the issue alias_traversal 2019-03-26 18:59:21 +01:00
Keoma Brun
9b61a849a9 Merge pull request #52 from keomabrun/new-standard
updating to new standards
2019-03-18 23:43:39 +01:00
keoma
b64b8cb18c bump version to 1.4 2019-03-18 23:43:12 +01:00
Kayou
efee70b606 Fix upgrade 2019-03-12 00:57:58 +01:00
Kayou
92634574e7 No Upgrade options for now 2019-03-11 20:37:14 +01:00
Kayou
0d668765e5 No more service_name 2019-03-11 20:30:16 +01:00
keoma
5916e7c8dd adding systemctl daemon-reload before enabling services 2019-03-07 22:41:44 +01:00
keoma
f63958ec08 removing useless lines in check_process 2019-03-07 22:40:26 +01:00
Keoma Brun
96d14e76e0 Merge pull request #1 from kay0u/new-standard
New standard
2019-02-28 21:34:53 +01:00
Kayou
d015446ff7 Fix backup/restore, again 2019-02-27 23:26:38 +01:00
Kayou
a05204c26c description in upgrade 2019-02-27 22:48:57 +01:00
Kayou
7aaca1167b Trying to fix the restore 2019-02-27 22:48:35 +01:00
Kayou
a58a3742b5 service_name not service_checker 2019-02-27 22:33:21 +01:00
Kayou
2b60906505 fix use of ynh_add_systemd_config 2019-02-27 22:19:33 +01:00
Kayou
7e3813808b Fix missing arg 2019-02-27 22:05:06 +01:00
Kayou
009efe81e8 first iteration of restore script 2019-02-27 21:45:58 +01:00
Kayou
06dc1f46ab First iteration of backup script 2019-02-27 21:45:46 +01:00
Kayou
8d1dbc3684 Retrieve service_name 2019-02-27 21:45:28 +01:00
Kayou
d26f296dd5 Store service_name 2019-02-27 21:44:39 +01:00
Kayou
d5c632e7db use ynh helper in vpnclient_deploy_files_and_services 2019-02-27 21:44:22 +01:00
Kayou
aff39ce947 upgrade: using ynh_replace_string and php 7 2019-02-27 21:09:16 +01:00
Kayou
646f2ee61f We are now using php7.0 2019-02-27 21:03:12 +01:00
Kayou
f5d3e45e9f Use ynh variable for install script 2019-02-27 21:00:17 +01:00
keoma
3dd730607b adding root domain test 2019-02-27 11:54:53 +01:00
keoma
4ac8f287e1 replacing tabs by spaces 2019-02-27 10:53:53 +01:00
keoma
6f71831614 updating script to new standards 2019-02-26 21:13:27 +01:00
keoma
7f1fea7836 update manifest 2019-02-26 21:13:27 +01:00
Keoma Brun
73aa672346 Merge pull request #54 from keomabrun/dev_53
fix #53
2019-02-26 21:12:33 +01:00
keoma
5c90da1a79 fix #53 2019-02-26 21:00:45 +01:00
Alexandre Aubin
b1c667817b Merge pull request #51 from keomabrun/dev_50
fix #50
2019-02-25 23:08:35 +01:00
keoma
7646ffbb28 fix #50 2019-02-25 22:24:19 +01:00
Alexandre Aubin
c3970ac8d9 Improve app description 2019-02-18 00:43:31 +01:00
pitchum
623d8a3045 [mod] Bump to version 1.3.1 2018-12-21 09:09:13 +01:00
Alexandre Aubin
cf2dcfa953 Fix ynh_secure_remove usage 2018-12-18 20:44:24 +01:00
Alexandre Aubin
6ed5edab9d Misc improvements in README ? 2018-12-18 20:44:24 +01:00
Alexandre Aubin
ed60b7782a No need to sudo all over the place 2018-12-18 20:44:24 +01:00
Alexandre Aubin
fe159638f5 rm -rf -> ynh_secure_remove 2018-12-18 20:44:24 +01:00
Alexandre Aubin
fc1d305b2b Clean / simplify / reorganize a few things in install script 2018-12-18 20:44:24 +01:00
Alexandre Aubin
34d8b55b44 This file aint used / needed anymore 2018-12-18 20:44:24 +01:00
Alexandre Aubin
bbc821a632 ynh_die does not exists before helpers sourcing 2018-12-02 23:49:24 +01:00
Alexandre Aubin
2f04d16d4f At the end of the upgrade, restart vpnclient only if it's already active 2018-12-02 23:27:35 +01:00
pitchum
1c06d02d49 [mod] Make package_linter happier than ever. 2018-12-02 19:15:27 +01:00
pitchum
9edd5f3b96 [mod] Reenable abort_if_erros in upgrade script (to make package_linter happy). 2018-12-02 18:52:17 +01:00
Alexandre Aubin
0133fa19cc Update manifest.json ? (#46) 2018-12-02 18:39:34 +01:00
pitchum
0b3ee4e6b6 [mod] Tell package_check that LDAP integration is irrelevent here. 2018-12-02 16:45:32 +01:00
pitchum
f9ab657dbb [mod] Make our package_linter happy again. 2018-12-02 16:29:54 +01:00
pitchum
0e1504556b [mod] Release v1.3.0 2018-12-02 13:30:27 +01:00
pitchum
62ed195729 [fix] Remove sudoers file on app remove. 2018-12-02 13:30:27 +01:00
pitchum
4929faf2be [fix] Backport fixes from my old dev branch. 2018-12-02 13:03:23 +01:00
pitchum
e86d83049e [fix] upgrade script needs sourcing _common.sh and helpers. 2018-12-02 12:23:30 +01:00
pitchum
97c32df3cc [enh] Purge apt dependencies on remove. 2018-12-02 11:22:22 +01:00
pitchum
94bbcdb2db [fix] Create a dedicated system user with proper sudo permissions.
Ref. #41.
2018-12-02 11:22:19 +01:00
pitchum
9d2bc631e5 [wip] Disabling backup and restore scripts (temporarily). 2018-12-02 11:21:48 +01:00
pitchum
639ee4992d [mod] Release v1.2.1 2018-12-02 11:21:07 +01:00
pitchum
53ccf1d4e1 [fix] user/group = www-data in php-fpm config. 2018-12-02 11:20:39 +01:00
pitchum
06089130b2 [mod] Release v1.2.0 2018-12-02 11:20:37 +01:00
pitchum
9bc126ebd3 [fix] upgrade script sets 'final_path' setting. 2018-12-02 11:19:55 +01:00
pitchum
c004113529 Removed hard-coded "vpnadmin" string. 2018-12-02 11:19:55 +01:00
pitchum
993441d89f Rewriting packages scripts. backup (WIP). 2018-12-02 11:19:50 +01:00
pitchum
c47d8e2195 Moar experimental helpers needed. 2018-12-02 11:18:38 +01:00
pitchum
ed17abfd32 Bugfix: revert changes not compatible with stable yunohost. 2018-12-02 11:18:38 +01:00
pitchum
8294528c67 Add missing helpers.
- read_json
- read_manifest
- abort_if_up_to_date
2018-12-02 11:18:38 +01:00
pitchum
432569620c [mod] upgrade, disable auto-backup/restore 2018-12-02 11:18:38 +01:00
pitchum
abd0145d4e [fix] Do not start vpnclient service on first install. 2018-12-02 11:18:38 +01:00
pitchum
abce6aef00 [mod] install and upgrade scripts share some common code. 2018-12-02 11:18:36 +01:00
pitchum
8cbe81be03 [mod] backup script rewritten (inspired and adpated from example_ynh).
Currently neither backup nor restore are useful but are safe enough to
not break the upgrade script. That's what matters for now.
2018-12-02 11:15:06 +01:00
pitchum
f6165c5dc6 [fix] upgrade script renames paths to comply with the new ones. 2018-12-02 11:04:43 +01:00
pitchum
5ff35acd1c [mod] upgrade script simplified: does nothing except a backup. 2018-12-02 11:00:10 +01:00
pitchum
124d11cebe [mod] Hard-coded occurrences of "vpnadmin" replaced with ${app} (where appropriate). 2018-12-02 10:57:10 +01:00
pitchum
0c53667839 [mod] Created file check_process for driving CI builds. 2018-12-02 10:51:58 +01:00
realitygaps
be0f2f54a6 Change password field to type 'password' 2018-12-01 18:56:24 +01:00
Alexandre Aubin
8356355da6 Fix upgrade maybe :< 2018-12-01 18:52:59 +01:00
pitchum
56fa7d6268 Force reloading VPN Settings page after validating form. 2018-11-25 21:39:19 +01:00
Gabriel Corona
d8a5cc54f6 CSRF protection (#44) 2018-11-25 21:25:27 +01:00
ljf (zamentur)
d452b139d7 Merge pull request #42 from labriqueinternet/testing
Testing
2018-10-02 23:44:17 +02:00
agentcobra
4c00ff92ef Update README.md
add integration from jenkins
2018-10-02 23:41:31 +02:00
Sebastien Badia
8f2ba6cdcd doc: s/NextCloud/LaBriqueInterNet VPNclient/ thx agentcorba 2018-10-02 23:41:14 +02:00
Sebastien Badia
2e0fbfddff doc: Update syntax (badges) 2018-10-02 23:40:52 +02:00
Sebastien Badia
4aa7062213 doc: Added install badge 2018-10-02 23:40:18 +02:00
ljf (zamentur)
033abdcb69 [enh] Update version number 2018-10-02 23:35:39 +02:00
ljf (zamentur)
84a4e1a319 [fix] Sync the date with http if ntp can't (#37)
* [fix] Sync the date with http if ntp can't
2018-10-02 23:31:46 +02:00
agentcobra
8b3a04fb90 emergency fix
with 
- 5654b6d0b2
- 081447008c
- a642a01029
2018-09-10 21:50:47 +02:00
22 changed files with 1135 additions and 528 deletions

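--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +0,0 @@
-# Created from https://github.com/YunoHost/example_ynh/blob/master/.gitignore
-*~
-*.sw[op]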


@@ -1,13 +0,0 @@
language: php
before_script:
- git clone --depth 1 git://github.com/YunoHost/package_linter ../package_linter && cd ../package_linter
- mv ../vpnclient_ynh vpnclient_ynh
script:
- ./package_linter.py vpnclient_ynh
notifications:
email: false
irc:
on_success: always
on_failure: always
channels:
- "irc.geeknode.org#labriqueinter.net-dev"

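--- a/CHANGES.md
+++ b/CHANGES.md
+# Changelog
+All notable changes to this project will be documented in this file.
+The format is (partially) based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
+and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+## Unreleasead
+## 1.4.1 - 2020-04-04
+- [fix] ynh-vpnclient-loadcubefile.sh broken with ssowat 3.7.x (#60)
+## 1.4.0 - 2019-03-18
+- refactoring scripts
+## 1.3.1 - 2018-12-19
+- [mod] Bug fixes and code cleaning
+## 1.3.0 - 2018-12-02
+- [fix] Create a dedicated system user with proper sudo permissions. (#41)
+- [fix] CSRF vulnerability (#43)
+## 1.2.1 - 2018-09-10
+- [fix] user/group = www-data in php-fpm config.
+## 1.2.0 - 2018-09-06
+- [fix] upgrade script is now functional
+- [mod] lots of refactoring to apply app packaging best-practices
+## 1.1.1 - 2018-04-06
+- [fix] Sync the date with http if ntp can't (#37)
+## 0.0.0 - 2016-05-14
+First release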


@@ -1,5 +1,8 @@
# VPN Client
[![Build Status](https://travis-ci.org/labriqueinternet/vpnclient_ynh.svg?branch=master)](https://travis-ci.org/labriqueinternet/vpnclient_ynh)
# VPN Client [![Build Status](https://travis-ci.org/labriqueinternet/vpnclient_ynh.svg?branch=master)](https://travis-ci.org/labriqueinternet/vpnclient_ynh) [![Integration level](https://dash.yunohost.org/integration/vpnclient.svg)](https://dash.yunohost.org/appci/app/vpnclient)
[![Install LaBriqueInterNet VPNclient with YunoHost](https://install-app.yunohost.org/install-with-yunohost.png)](https://install-app.yunohost.org/?app=vpnclient)
This YunoHost app is a part of the "[La Brique Internet](http://labriqueinter.net)" project but can be used independently.
## Overview
VPN Client app for [YunoHost](http://yunohost.org/).
@@ -10,8 +13,6 @@ VPN Client app for [YunoHost](http://yunohost.org/).
* Useful to easily move your server anywhere.
* With the [Hotspot app for YunoHost](https://github.com/labriqueinternet/hotspot_ynh), you can broadcast your VPN access by wifi to use a clean internet connection (depending on your VPN provider) on your laptop (or those of your friends) without having to configure it.
This YunoHost app is a part of the "[La Brique Internet](http://labriqueinter.net)" project but can be used independently.
## Features
* Authentication based on certificates or login (or both), with or without shared-secret (*ta.key*)
@@ -23,12 +24,9 @@ This YunoHost app is a part of the "[La Brique Internet](http://labriqueinter.ne
* Strong firewalling (internet access and self-hosted services only available through the VPN)
* Advanced mode for editing the default OpenVPN configuration
* Auto-configuration mode, with [dot cube files](http://internetcu.be/dotcubefiles.html)
* Web interface ([screenshot](https://raw.githubusercontent.com/labriqueinternet/vpnclient_ynh/master/screenshot.png))
* Web interface
## Prerequisites
## Screenshot
* Debian Jessie
* YunoHost >= 2.2.0
* Yunohost-Moulinette >= 2.4.0 (firewalling)
![Screenshot of the web interface](https://raw.githubusercontent.com/labriqueinternet/vpnclient_ynh/master/screenshot.png)
**[BUG REPORTS SHOULD BE OPEN HERE](https://dev.yunohost.org)**

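--- a/check_process
+++ b/check_process
@@ -0,0 +1,33 @@
+;; Test complet
+; Manifest
+domain="domain.tld" (DOMAIN)
+path="/vpnconfig" (PATH)
+; Checks
+pkg_linter=1
+setup_sub_dir=1
+setup_root=1
+setup_nourl=0
+setup_private=1
+setup_public=0
+upgrade=1
+upgrade=1 from_commit=623d8a30453a26ee21aa2ce1142674a2ffdb85b9
+upgrade=1 from_commit=73aa672346e40fc1857aef7441c449f0bd322082
+backup_restore=1
+multi_instance=0
+incorrect_path=1
+port_already_use=0
+change_url=0
+;;; Levels
+Level 1=auto
+Level 2=auto
+Level 3=auto
+Level 4=na
+Level 5=auto
+Level 6=auto
+Level 7=auto
+Level 8=0
+Level 9=0
+Level 10=0
+;;; Options
+Email=pitchum@gramaton.org
+Notification=down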


@@ -1,34 +1,41 @@
# VPN Client app for YunoHost
# VPN Client app for YunoHost
# Copyright (C) 2015 Julien Vaubourg <julien@vaubourg.com>
# Contribute at https://github.com/labriqueinternet/vpnclient_ynh
#
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
location <TPL:NGINX_LOCATION> {
alias <TPL:NGINX_REALPATH>;
#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent;
location __PATH__/ {
# Path to source
alias __FINALPATH__/ ;
# Force usage of https
if ($scheme = http) {
rewrite ^ https://$server_name$request_uri? permanent;
}
# Common parameter to increase upload size limit in conjunction with dedicated php-fpm file
client_max_body_size 10G;
index index.php;
try_files $uri $uri/ index.php;
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_pass unix:/var/run/php5-fpm-<TPL:PHP_NAME>.sock;
fastcgi_pass unix:/var/run/php/php7.0-fpm-__NAME__.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_read_timeout 600;
@@ -37,5 +44,6 @@ location <TPL:NGINX_LOCATION> {
fastcgi_param SCRIPT_FILENAME $request_filename;
}
# Include SSOWAT user panel.
include conf.d/yunohost_panel.conf.inc;
}
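Review bot: `client_max_body_size 10G;` on the new side is far larger than this interface plausibly needs: the README describes the web UI as handling certificates, keys and .cube files, so a multi-gigabyte request limit mainly widens the window for resource exhaustion on the small boxes this app runs on. Unless some upload path genuinely needs it, `client_max_body_size 10M;` would be plenty, and a comment stating the largest expected upload would justify whichever value is kept — confirm against the PHP upload handling, which is not in this diff. As a style point, the `if ($scheme = http) { rewrite ... }` block could be the plainer `return 301 https://$server_name$request_uri;`, since `if` inside `location` is discouraged in nginx. The `location __PATH__/` block opens in the first hunk and closes at the end of the second.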


@@ -40,3 +40,6 @@ log-append /var/log/openvpn-client.log
# Routing
route-ipv6 2000::/3
redirect-gateway def1 bypass-dhcp
# Cipher
cipher AES-256-CBC
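Review bot: `cipher AES-256-CBC` pins the data channel to a CBC cipher for every server this client template is used with, not only the one the commit message mentions. On OpenVPN 2.4, which the php7.0-era Debian this package targets ships (verify against the actual target release), the client can still negotiate with NCP-capable servers, so adding `ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC` beside it keeps the fix for servers that require CBC while letting capable servers use an AEAD cipher. The line also deserves a why-comment for the next maintainer, e.g. `# Pinned for servers that do not negotiate the cipher (see commit 330cf13589)`, since the bare `# Cipher` heading does not explain why a fixed cipher was added. The rest of the template is outside this hunk.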


@@ -1,24 +1,24 @@
; VPN Client app for YunoHost
; VPN Client app for YunoHost
; Copyright (C) 2015 Julien Vaubourg <julien@vaubourg.com>
; Contribute at https://github.com/labriqueinternet/vpnclient_ynh
;
;
; This program is free software: you can redistribute it and/or modify
; it under the terms of the GNU Affero General Public License as published by
; the Free Software Foundation, either version 3 of the License, or
; (at your option) any later version.
;
;
; This program is distributed in the hope that it will be useful,
; but WITHOUT ANY WARRANTY; without even the implied warranty of
; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
; GNU Affero General Public License for more details.
;
;
; You should have received a copy of the GNU Affero General Public License
; along with this program. If not, see <http://www.gnu.org/licenses/>.
; Start a new pool named '<TPL:PHP_NAME>'.
; Start a new pool named 'www'.
; the variable $pool can we used in any directive and will be replaced by the
; pool name ('www' here)
[<TPL:PHP_NAME>]
[__NAMETOCHANGE__]
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
@@ -28,7 +28,7 @@
; specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /var/run/php5-fpm-<TPL:PHP_NAME>.sock
listen = /var/run/php/php7.0-fpm-__NAMETOCHANGE__.sock
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
@@ -42,8 +42,8 @@ listen.mode = 0600
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
user = <TPL:PHP_USER>
group = <TPL:PHP_GROUP>
user = __USER__
group = __USER__
; Choose how the process manager will control the number of child processes.
; Possible Values:
@@ -157,7 +157,7 @@ request_slowlog_timeout = 0
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
slowlog = /var/log/nginx/<TPL:PHP_NAME>.slow.log
slowlog = /var/log/nginx/[__NAMETOCHANGE__].slow.log
; Set open file descriptor rlimit.
; Default Value: system defined value
@@ -171,7 +171,7 @@ rlimit_core = 0
; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
chdir = <TPL:NGINX_REALPATH>
chdir = __FINALPATH__
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
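Review bot: The new `slowlog = /var/log/nginx/[__NAMETOCHANGE__].slow.log` keeps square brackets around the placeholder, unlike the `[__NAMETOCHANGE__]` pool header and the `listen` line, so after substitution the log path would literally contain `[...]`; if that is not intended, `slowlog = /var/log/nginx/__NAMETOCHANGE__.slow.log` matches the `listen` line above. If the brackets are deliberate, a comment on that line saying so would stop the next reader from "fixing" it. The pool now runs as `user = __USER__` / `group = __USER__`; given `listen.mode = 0600` in the context, a comment above `user` stating which account `__USER__` is expected to resolve to, and how nginx reaches the socket, would help — the commit list mentions www-data, but the substitution is not visible here.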

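--- a/conf/sudoers.conf
+++ b/conf/sudoers.conf
+Cmnd_Alias VPNCLIENTTASKS = /bin/systemctl stop ynh-vpnclient, \
+/bin/systemctl start ynh-vpnclient, \
+/usr/local/bin/ynh-vpnclient *
+Cmnd_Alias YUNOHOST = /usr/bin/yunohost app setting vpnclient *,\
+/usr/bin/yunohost app info hotspot *
+Cmnd_Alias HOTSPOT = /bin/systemctl stop ynh-hotspot,\
+/bin/systemctl start ynh-hotspot,\
+/usr/bin/yunohost app setting hotspot *
+__VPNCLIENT_SYSUSER__ ALL = NOPASSWD: /bin/grep, VPNCLIENTTASKS, YUNOHOST, HOTSPOT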
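Review bot: The last line grants `__VPNCLIENT_SYSUSER__` passwordless root for `/bin/grep` with no argument restriction, which amounts to read access as root to every file on the system rather than to whatever the web UI needs to inspect; the other aliases in this file are scoped to specific commands, and this single entry undoes much of that. Because sudoers wildcards match across argument boundaries, narrowing it with `*` patterns is unreliable; a small root-owned wrapper under `/usr/local/bin/` that performs the one lookup the PHP code needs, listed in `VPNCLIENTTASKS` instead of `/bin/grep`, would keep the functionality with a fixed surface. The `/usr/bin/yunohost app setting vpnclient *` wildcard also permits changing any vpnclient setting; that is presumably intended for the admin UI, but a comment above the `YUNOHOST` alias saying so would make the intent explicit. The grep requirement itself is not visible in this diff — confirm against the PHP side before changing it.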


@@ -17,8 +17,44 @@
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Functions
## State functions
###################################################################################
# Logging helpers #
###################################################################################
LOGFILE="/var/log/ynh-vpnclient.log"
touch $LOGFILE
chown root:root $LOGFILE
chmod 600 $LOGFILE
function success()
{
echo "[ OK ] $1" | tee -a $LOGFILE
}
function info()
{
echo "[INFO] $1" | tee -a $LOGFILE
}
function warn()
{
echo "[WARN] $1" | tee -a $LOGFILE >&2
}
function error()
{
echo "[FAIL] $1" | tee -a $LOGFILE >&2
}
function critical()
{
echo "[CRIT] $1" | tee -a $LOGFILE >&2
exit 1
}
###################################################################################
# IPv6 and route config stuff #
###################################################################################
has_nativeip6() {
ip -6 route | grep -q default\ via
@@ -28,27 +64,24 @@ has_ip6delegatedprefix() {
[ "${ynh_ip6_addr}" != none ]
}
has_hotspot_app() {
[ -e /tmp/.ynh-hotspot-started ]
}
is_hotspot_knowme() {
hotspot_vpnclient=$(ynh_setting_get hotspot vpnclient)
[ "${hotspot_vpnclient}" == yes ]
}
is_firewall_set() {
wired_device=${1}
ip6tables -w -nvL OUTPUT | grep vpnclient_out | grep -q "${wired_device}"\
&& iptables -w -nvL OUTPUT | grep vpnclient_out | grep -q "${wired_device}"
}
is_ip6addr_set() {
ip address show dev tun0 2> /dev/null | grep -q "${ynh_ip6_addr}/128"
}
set_ip6addr() {
info "Adding IPv6 from VPN configuration"
ip address add "${ynh_ip6_addr}/128" dev tun0
}
unset_ip6addr() {
info "Removing IPv6 from VPN configuration"
ip address delete "${ynh_ip6_addr}/128" dev tun0
}
#
# Server IPv6 route
#
is_serverip6route_set() {
server_ip6=${1}
@@ -59,51 +92,55 @@ is_serverip6route_set() {
fi
}
is_dns_set() {
[ -e /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient ]\
&& ( grep -q ${ynh_dns0} /etc/resolv.conf || grep -q ${ynh_dns0} /etc/resolv.dnsmasq.conf )
}
is_openvpn_running() {
systemctl is-active openvpn@client.service &> /dev/null
}
is_running() {
((has_nativeip6 && is_serverip6route_set "${new_server_ip6}") || ! has_nativeip6)\
&& ((! has_hotspot_app && has_ip6delegatedprefix && is_ip6addr_set) || has_hotspot_app || ! has_ip6delegatedprefix)\
&& is_dns_set && is_firewall_set && is_openvpn_running
}
## Setters
set_ip6addr() {
ip address add "${ynh_ip6_addr}/128" dev tun0
}
set_firewall() {
wired_device=${1}
cp /etc/yunohost/hooks.d/{90-vpnclient.tpl,post_iptable_rules/90-vpnclient}
sed "s|<TPL:SERVER_NAME>|${ynh_server_name}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
sed "s|<TPL:SERVER_PORT>|${ynh_server_port}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
sed "s|<TPL:PROTO>|${ynh_server_proto}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
sed "s|<TPL:WIRED_DEVICE>|${wired_device}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
sed "s|<TPL:DNS0>|${ynh_dns0}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
sed "s|<TPL:DNS1>|${ynh_dns1}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
yunohost firewall reload
}
set_serverip6route() {
server_ip6=${1}
ip6_gw=${2}
wired_device=${3}
info "Adding IPv6 server route"
ip route add "${server_ip6}/128" via "${ip6_gw}" dev "${wired_device}"
}
unset_serverip6route() {
server_ip6=${1}
ip6_gw=${2}
wired_device=${3}
info "Removing IPv6 server route"
ip route delete "${server_ip6}/128" via "${ip6_gw}" dev "${wired_device}"
}
###################################################################################
# Hotspot app #
###################################################################################
has_hotspot_app() {
[ -e /tmp/.ynh-hotspot-started ]
}
is_hotspot_knowme() {
hotspot_vpnclient=$(ynh_setting_get hotspot vpnclient)
[ "${hotspot_vpnclient}" == yes ]
}
###################################################################################
# DNS rules #
###################################################################################
is_dns_set() {
# FIXME : having the ynh_dns0 in the resolv.dnsmasq.conf is not necessarily good enough
# We want it to be the only one (with ynh_dns1) but nowadays for example ARN's resolver is
# in the default list from yunohost...
[ -e /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient ]\
&& ( grep -q ${ynh_dns0} /etc/resolv.conf || grep -q ${ynh_dns0} /etc/resolv.dnsmasq.conf )
}
set_dns() {
info "Enforcing custom DNS resolvers from vpnclient"
resolvconf=/etc/resolv.conf
[ -e /etc/resolv.dnsmasq.conf ] && resolvconf=/etc/resolv.dnsmasq.conf
@@ -117,7 +154,92 @@ EOF
bash /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient
}
unset_dns() {
resolvconf=/etc/resolv.conf
[ -e /etc/resolv.dnsmasq.conf ] && resolvconf=/etc/resolv.dnsmasq.conf
info "Removing custom DNS resolvers from vpnclient"
rm -f /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient
mv "${resolvconf}.ynh" "${resolvconf}"
# FIXME : this situation happened to a user ...
# We could try to force regen the dns conf
# (though for now it's tightly coupled to dnsmasq)
grep -q "^nameserver" "${resolvconf}" || error "${resolvconf} does not have any nameserver line !?"
}
###################################################################################
# Firewall rules management #
###################################################################################
is_firewall_set() {
wired_device=${1}
ip6tables -w -nvL OUTPUT | grep vpnclient_out | grep -q "${wired_device}"\
&& iptables -w -nvL OUTPUT | grep vpnclient_out | grep -q "${wired_device}"
}
set_firewall() {
info "Adding vpnclient custom rules to the firewall"
wired_device=${1}
cp /etc/yunohost/hooks.d/{90-vpnclient.tpl,post_iptable_rules/90-vpnclient}
sed "s|<TPL:SERVER_NAME>|${ynh_server_name}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
sed "s|<TPL:SERVER_PORT>|${ynh_server_port}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
sed "s|<TPL:PROTO>|${ynh_server_proto}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
sed "s|<TPL:WIRED_DEVICE>|${wired_device}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
sed "s|<TPL:DNS0>|${ynh_dns0}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
sed "s|<TPL:DNS1>|${ynh_dns1}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
info "Restarting yunohost firewall..."
yunohost firewall reload && success "Firewall restarted!"
}
unset_firewall() {
info "Cleaning vpnclient custom rules from the firewall"
rm -f /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
info "Restarting yunohost firewall..."
yunohost firewall reload && success "Firewall restarted!"
}
###################################################################################
# Time sync #
###################################################################################
sync_time() {
info "Now synchronizing time using ntp..."
systemctl stop ntp
timeout 20 ntpd -qg &> /dev/null
# Some networks drop ntp port (udp 123).
# Try to get the date with an http request on the internetcube web site
if [ $? -ne 0 ]; then
info "ntp synchronization failed, falling back to curl method"
http_date=`curl -sD - labriqueinter.net | grep '^Date:' | cut -d' ' -f3-6`
http_date_seconds=`date -d "${http_date}" +%s`
curr_date_seconds=`date +%s`
# Set the new date if it's greater than the current date
# So it does if 1970 year or if old fake-hwclock date is used
if [ $http_date_seconds -ge $curr_date_seconds ]; then
date -s "${http_date}"
fi
fi
systemctl start ntp
}
###################################################################################
# OpenVPN client start/stop procedures #
###################################################################################
is_openvpn_running() {
systemctl is-active openvpn@client.service &> /dev/null
}
start_openvpn() {
ip6_gw=${1}
server_ip6=${2}
@@ -129,8 +251,13 @@ start_openvpn() {
[ "${ynh_server_proto}" == tcp ] && proto=tcp-client
fi
# Unset firewall to let DNS and NTP resolution works
# Firewall is reset after vpn is mounted (more details on #1016)
unset_firewall
sync_time
info "Preparing openvpn configuration..."
cp /etc/openvpn/client.conf{.tpl,}
sed "s|<TPL:SERVER_NAME>|${ynh_server_name}|g" -i /etc/openvpn/client.conf
@@ -161,62 +288,52 @@ start_openvpn() {
sed 's|^<TPL:LOGIN_COMMENT>||' -i /etc/openvpn/client.conf
fi
info "Now actually starting OpenVPN client..."
systemctl start openvpn@client.service
}
## Unsetters
if [ ! $? -eq 0 ]
then
tail -n 20 /var/log/openvpn-client.log | tee -a $LOGFILE
critical "Failed to start OpenVPN :/"
else
info "OpenVPN client started ... waiting for tun0 interface to show up"
fi
unset_ip6addr() {
ip address delete "${ynh_ip6_addr}/128" dev tun0
}
unset_firewall() {
rm -f /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
yunohost firewall reload
}
unset_serverip6route() {
server_ip6=${1}
ip6_gw=${2}
wired_device=${3}
ip route delete "${server_ip6}/128" via "${ip6_gw}" dev "${wired_device}"
}
unset_dns() {
resolvconf=/etc/resolv.conf
[ -e /etc/resolv.dnsmasq.conf ] && resolvconf=/etc/resolv.dnsmasq.conf
rm -f /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient
mv "${resolvconf}.ynh" "${resolvconf}"
for attempt in $(seq 0 20)
do
sleep 1
if ip link show dev tun0 &> /dev/null
then
success "tun0 interface is up!"
return 0
fi
done
error "Tun0 interface did not show up ... most likely an issue happening in OpenVPN client ... below is an extract of the log that might be relevant to pinpoint the issue"
tail -n 20 /var/log/openvpn-client.log | tee -a $LOGFILE
stop_openvpn
critical "Failed to start OpenVPN client : tun0 interface did not show up"
}
stop_openvpn() {
# FIXME : isn't openvpn@client ? (idk)
info "Stopping OpenVPN service"
systemctl stop openvpn.service
}
## Tools
sync_time() {
systemctl stop ntp
timeout 20 ntpd -qg &> /dev/null
# Some networks drop ntp port (udp 123).
# Try to get the date with an http request on the internetcube web site
if [ $? -ne 0 ]; then
http_date=`curl -sD - labriqueinter.net | grep '^Date:' | cut -d' ' -f3-6`
http_date_seconds=`date -d "${http_date}" +%s`
curr_date_seconds=`date +%s`
# Set the new date if it's greater than the current date
# So it does if 1970 year or if old fake-hwclock date is used
if [ $http_date_seconds -ge $curr_date_seconds ]; then
date -s "${http_date}"
for attempt in $(seq 0 20)
do
if ip link show dev tun0 &> /dev/null
then
info "(Waiting for tun0 to disappear if it was up)"
sleep 1
fi
fi
systemctl start ntp
done
}
###################################################################################
# Yunohost settings interface #
###################################################################################
ynh_setting_get() {
app=${1}
setting=${2}
@@ -232,36 +349,41 @@ ynh_setting_set() {
yunohost app setting "${app}" "${setting}" -v "${value}"
}
###################################################################################
# The actual ynh vpnclient management thing #
###################################################################################
is_running() {
((has_nativeip6 && is_serverip6route_set "${new_server_ip6}") || ! has_nativeip6)\
&& ((! has_hotspot_app && has_ip6delegatedprefix && is_ip6addr_set) || has_hotspot_app || ! has_ip6delegatedprefix)\
&& is_dns_set && is_firewall_set && is_openvpn_running
}
if [ "$1" != restart ]; then
# Restart php5-fpm at the first start (it needs to be restarted after the slapd start)
# Restart php-fpm at the first start (it needs to be restarted after the slapd start)
if [ ! -e /tmp/.ynh-vpnclient-boot ]; then
touch /tmp/.ynh-vpnclient-boot
systemctl restart php5-fpm
systemctl restart php7.0-fpm
fi
# Check configuration consistency
if [[ ! "${1}" =~ stop ]]; then
exitcode=0
if [ ! -e /etc/openvpn/keys/ca-server.crt ]; then
echo "[WARN] You need a CA server (you can add it through the web admin)"
exitcode=1
critical "You need a CA server (you can add it through the web admin)"
fi
empty=$(find /etc/openvpn/keys/ -empty -name credentials &> /dev/null | wc -l)
if [ "${empty}" -gt 0 -a ! -e /etc/openvpn/keys/user.key ]; then
echo "[WARN] You need either a client certificate, either a username, or both (you can add one through the web admin)"
exitcode=1
critical "You need either a client certificate, either a username, or both (you can add one through the web admin)"
fi
[ "${exitcode}" -ne 0 ] && exit ${exitcode}
fi
# Variables
echo -n "Retrieving Yunohost settings... "
info "Retrieving Yunohost settings... "
ynh_service_enabled=$(ynh_setting_get vpnclient service_enabled)
ynh_server_name=$(ynh_setting_get vpnclient server_name)
@@ -281,201 +403,210 @@ if [ "$1" != restart ]; then
new_server_ip6=$(host "${ynh_server_name}" 2> /dev/null | awk '/IPv6/ { print $NF; }')
if [ -z "${new_server_ip6}" ]; then
# FIXME wtf is this hardcoded IP ...
new_server_ip6=$(host "${ynh_server_name}" 80.67.188.188 2> /dev/null | awk '/IPv6/ { print $NF; }')
fi
echo "OK"
success "Settings retrieved"
fi
# Script
###################################################################################
# Start / stop / restart / status handling #
###################################################################################
case "${1}" in
# ########## #
# Starting #
# ########## #
start)
if is_running; then
echo "Already started"
info "Service is already running"
exit 0
elif [ "${ynh_service_enabled}" -eq 0 ]; then
echo "Disabled service"
else
echo "[vpnclient] Starting..."
touch /tmp/.ynh-vpnclient-started
# Run openvpn
if ! is_openvpn_running; then
echo "Run openvpn"
start_openvpn "${new_ip6_gw}" "${new_server_ip6}"
if [ ! $? -eq 0 ]; then
exit 1
fi
i=0; false || while [ $? -ne 0 ]; do
sleep 1 && (( i++ ))
[ ${i} -gt 20 ] && stop_openvpn
[ ${i} -gt 20 ] && exit 1
ip link show dev tun0 &> /dev/null
done
fi
# Check old state of the server ipv6 route
if [ ! -z "${old_server_ip6}" -a ! -z "${old_ip6_gw}" -a ! -z "${old_wired_device}"\
-a \( "${new_server_ip6}" != "${old_server_ip6}" -o "${new_ip6_gw}" != "${old_ip6_gw}"\
-o "${new_wired_device}" != "${old_wired_device}" \) ]\
&& is_serverip6route_set "${old_server_ip6}"; then
unset_serverip6route "${old_server_ip6}" "${old_ip6_gw}" "${old_wired_device}"
fi
# Set the new server ipv6 route
if has_nativeip6 && ! is_serverip6route_set "${new_server_ip6}"; then
echo "Set IPv6 server route"
set_serverip6route "${new_server_ip6}" "${new_ip6_gw}" "${new_wired_device}"
fi
# Set the ipv6 address
if ! has_hotspot_app && has_ip6delegatedprefix && ! is_ip6addr_set; then
echo "Set IPv6 address"
set_ip6addr
fi
# Set host DNS resolvers
if ! is_dns_set; then
echo "Set host DNS resolvers"
set_dns
fi
# Set ipv6/ipv4 firewall
if ! is_firewall_set "${new_wired_device}"; then
echo "Set IPv6/IPv4 firewall"
set_firewall "${new_wired_device}"
fi
# Update dynamic settings
ynh_setting_set vpnclient server_ip6 "${new_server_ip6}"
ynh_setting_set vpnclient ip6_gw "${new_ip6_gw}"
ynh_setting_set vpnclient wired_device "${new_wired_device}"
# Fix configuration
if has_hotspot_app && ! is_hotspot_knowme; then
ynh-hotspot start
fi
warn "Service is disabled, not starting it"
exit 0
fi
info "[vpnclient] Starting..."
touch /tmp/.ynh-vpnclient-started
# Run openvpn
if is_openvpn_running;
then
info "(openvpn is already running)"
else
start_openvpn "${new_ip6_gw}" "${new_server_ip6}"
fi
# Check old state of the server ipv6 route
if [ ! -z "${old_server_ip6}" -a ! -z "${old_ip6_gw}" -a ! -z "${old_wired_device}"\
-a \( "${new_server_ip6}" != "${old_server_ip6}" -o "${new_ip6_gw}" != "${old_ip6_gw}"\
-o "${new_wired_device}" != "${old_wired_device}" \) ]\
&& is_serverip6route_set "${old_server_ip6}"
then
unset_serverip6route "${old_server_ip6}" "${old_ip6_gw}" "${old_wired_device}"
fi
# Set the new server ipv6 route
if has_nativeip6 && ! is_serverip6route_set "${new_server_ip6}"
then
set_serverip6route "${new_server_ip6}" "${new_ip6_gw}" "${new_wired_device}"
fi
# Set the ipv6 address
if ! has_hotspot_app && has_ip6delegatedprefix && ! is_ip6addr_set
then
set_ip6addr
fi
# Set host DNS resolvers
if ! is_dns_set
then
set_dns
fi
# Set ipv6/ipv4 firewall
if ! is_firewall_set "${new_wired_device}"
then
set_firewall "${new_wired_device}"
fi
# Update dynamic settings
info "Saving settings..."
ynh_setting_set vpnclient server_ip6 "${new_server_ip6}"
ynh_setting_set vpnclient ip6_gw "${new_ip6_gw}"
ynh_setting_set vpnclient wired_device "${new_wired_device}"
# Fix configuration
if has_hotspot_app && ! is_hotspot_knowme; then
info "Now starting the hotspot"
ynh-hotspot start
fi
success "YunoHost VPN client started!"
;;
# ########## #
# Stopping #
# ########## #
stop)
echo "[vpnclient] Stopping..."
info "[vpnclient] Stopping..."
rm -f /tmp/.ynh-vpnclient-started
if ! has_hotspot_app && has_ip6delegatedprefix && is_ip6addr_set; then
echo "Unset IPv6 address"
unset_ip6addr
fi
if is_serverip6route_set "${old_server_ip6}"; then
echo "Unset IPv6 server route"
unset_serverip6route "${old_server_ip6}" "${old_ip6_gw}" "${old_wired_device}"
fi
if is_firewall_set "${old_wired_device}"; then
echo "Unset IPv6/IPv4 firewall"
unset_firewall
fi
is_firewall_set "${old_wired_device}" && unset_firewall
if is_dns_set; then
echo "Unset forced host DNS resolvers"
unset_dns
fi
is_dns_set && unset_dns
if is_openvpn_running; then
echo "Stop openvpn"
stop_openvpn
i=0; true && while [ $? -eq 0 ]; do
sleep 1 && (( i++ ))
[ ${i} -gt 20 ] && exit 1
ip link show dev tun0 &> /dev/null
done
fi
is_openvpn_running && stop_openvpn
# Fix configuration
if has_hotspot_app && is_hotspot_knowme; then
info "Now starting the hotspot"
ynh-hotspot start
fi
;;
# ########## #
# Restart #
# ########## #
restart)
$0 stop
$0 start
;;
# ########## #
# Status #
# ########## #
status)
exitcode=0
if [ "${ynh_service_enabled}" -eq 0 ]; then
echo "[ERR] VPN Client Service disabled"
error "VPN Client Service disabled"
exitcode=1
fi
echo "[INFO] Autodetected internet interface: ${new_wired_device} (last start: ${old_wired_device})"
echo "[INFO] Autodetected IPv6 address for the VPN server: ${new_server_ip6} (last start: ${old_server_ip6})"
info "Autodetected internet interface: ${new_wired_device} (last start: ${old_wired_device})"
info "Autodetected IPv6 address for the VPN server: ${new_server_ip6} (last start: ${old_server_ip6})"
if has_ip6delegatedprefix; then
echo "[INFO] IPv6 delegated prefix found"
echo "[INFO] IPv6 address computed from the delegated prefix: ${ynh_ip6_addr}"
info "IPv6 delegated prefix found"
info "IPv6 address computed from the delegated prefix: ${ynh_ip6_addr}"
if ! has_hotspot_app; then
echo "[INFO] No Hotspot app detected"
info "No Hotspot app detected"
if is_ip6addr_set; then
echo "[OK] IPv6 address correctly set"
success "IPv6 address correctly set"
else
echo "[ERR] No IPv6 address set"
error "No IPv6 address set"
exitcode=1
fi
else
echo "[INFO] Hotspot app detected"
echo "[INFO] No IPv6 address to set"
info "Hotspot app detected"
info "No IPv6 address to set"
fi
else
echo "[INFO] No IPv6 delegated prefix found"
info "No IPv6 delegated prefix found"
fi
if has_nativeip6; then
echo "[INFO] Native IPv6 detected"
echo "[INFO] Autodetected native IPv6 gateway: ${new_ip6_gw} (last start: ${old_ip6_gw})"
info "Native IPv6 detected"
info "Autodetected native IPv6 gateway: ${new_ip6_gw} (last start: ${old_ip6_gw})"
if is_serverip6route_set "${new_server_ip6}"; then
echo "[OK] IPv6 server route correctly set"
success "IPv6 server route correctly set"
else
echo "[ERR] No IPv6 server route set"
error "No IPv6 server route set"
exitcode=1
fi
else
echo "[INFO] No native IPv6 detected"
echo "[INFO] No IPv6 server route to set"
info "No native IPv6 detected"
info "No IPv6 server route to set"
fi
if is_firewall_set "${new_wired_device}"; then
echo "[OK] IPv6/IPv4 firewall set"
success "IPv6/IPv4 firewall set"
else
echo "[ERR] No IPv6/IPv4 firewall set"
info "No IPv6/IPv4 firewall set"
exitcode=1
fi
if is_dns_set; then
echo "[OK] Host DNS correctly set"
success "Host DNS correctly set"
else
echo "[ERR] No host DNS set"
error "No host DNS set"
exitcode=1
fi
if is_openvpn_running; then
echo "[OK] Openvpn is running"
success "Openvpn is running"
else
echo "[ERR] Openvpn is not running"
error "Openvpn is not running"
exitcode=1
fi
exit ${exitcode}
;;
# ########## #
# Halp #
# ########## #
*)
echo "Usage: $0 {start|stop|restart|status}"
exit 1


@@ -86,7 +86,7 @@ ynh_service_enabled=$(ynh_setting vpnclient service_enabled)
# SSO login
curl -kLe "https://${ynh_domain}/yunohost/sso/" --data-urlencode "user=${ynh_user}" --data-urlencode "password=${ynh_password}" "https://${ynh_domain}/yunohost/sso/" --resolve "${ynh_domain}:443:127.0.0.1" -c "${tmpdir}/cookies" 2> /dev/null | grep -q Logout
curl -D - -skLe "https://${ynh_domain}/yunohost/sso/" --data-urlencode "user=${ynh_user}" --data-urlencode "password=${ynh_password}" "https://${ynh_domain}/yunohost/sso/" --resolve "${ynh_domain}:443:127.0.0.1" -o /dev/null -c "${tmpdir}/cookies" 2> /dev/null | grep -q "set-cookie: SSOwAuthUser=${ynh_user}"
if [ $? -ne 0 ]; then
echo "[ERROR] SSO login failed" >&2
@@ -96,7 +96,7 @@ fi
# Upload cube file
output=$(curl -kL -F "service_enabled=${ynh_service_enabled}" -F _method=put -F "cubefile=@${cubefile_path}" "https://${ynh_domain}/${ynh_path}/?/settings" --resolve "${ynh_domain}:443:127.0.0.1" -b "${tmpdir}/cookies" 2> /dev/null | grep RETURN_MSG | sed 's/<!-- RETURN_MSG -->//' | sed 's/<\/?[^>]\+>//g' | sed 's/^ \+//g')
output=$(curl -kL -H "X-Requested-With: yunohost-config" -F "service_enabled=${ynh_service_enabled}" -F _method=put -F "cubefile=@${cubefile_path}" "https://${ynh_domain}/${ynh_path}/?/settings" --resolve "${ynh_domain}:443:127.0.0.1" -b "${tmpdir}/cookies" 2> /dev/null | grep RETURN_MSG | sed 's/<!-- RETURN_MSG -->//' | sed 's/<\/?[^>]\+>//g' | sed 's/^ \+//g')
# Configure IPv6 Delegated Prefix on Hotspot
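Review bot: The new login check in the first hunk greps for `set-cookie:` in lowercase only, but HTTP header names are case-insensitive and an HTTP/1.1 response from nginx will typically carry `Set-Cookie:`, so a successful login can be reported as a failure depending on how the request is served; `grep -qiF "set-cookie: SSOwAuthUser=${ynh_user}"` makes the match case-insensitive and also stops `${ynh_user}` from being interpreted as a regex. Both curl calls keep `-k`, which disables certificate verification; since `--resolve` pins the name to 127.0.0.1 this is a loopback-only trust decision, but it deserves a comment such as `# -k: loopback via --resolve, the domain certificate may be self-signed`. Note also that the SSO password is passed on the curl command line and is briefly visible to other local users through the process list, which a future change could avoid by feeding it through `--data-urlencode "password@-"` on stdin.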


@@ -2,27 +2,24 @@
"name": "VPN Client",
"id": "vpnclient",
"packaging_format": 1,
"version": "1.4.1",
"description": {
"en": "VPN Client",
"fr": "Client VPN"
"en": "Tunnel the internet traffic through a VPN",
"fr": "Fais passer le traffic internet à travers un VPN"
},
"url": "https://github.com/labriqueinternet/vpnclient_ynh",
"version": "1.1.0",
"url": "https://labriqueinter.net",
"license": "AGPL-3.0",
"maintainer": {
"name": "Julien Vaubourg",
"email": "julien@vaubourg.com",
"url": "http://julien.vaubourg.com"
},
"requirements": {
"yunohost": ">= 2.2.0",
"moulinette": ">= 2.4.0"
"name": "pitchum",
"email": "pitchum@users.noreply.github.com"
},
"multi_instance": false,
"requirements": {
"yunohost": ">= 3.2.0"
},
"services": [
"nginx",
"php5-fpm",
"ynh-vpnclient"
"php7.0-fpm"
],
"arguments": {
"install": [


@@ -1,43 +1,205 @@
#!/bin/bash
#
# Common variables
# Common variables and helpers
#
pkg_dependencies="php5-fpm sipcalc dnsutils openvpn curl fake-hwclock"
pkg_dependencies="php7.0-fpm sipcalc dnsutils openvpn curl fake-hwclock"
service_name="ynh-vpnclient"
service_checker_name=$service_name"-checker"
# Helper to start/stop/.. a systemd service from a yunohost context,
# *and* the systemd service itself needs to be able to run yunohost
# commands.
#
# Hence the need to release the lock during the operation
#
# usage : ynh_systemctl yolo restart
#
function ynh_systemctl()
{
local ACTION="$1"
local SERVICE="$2"
local LOCKFILE="/var/run/moulinette_yunohost.lock"
to_logs() {
# Launch the action
sudo systemctl "$ACTION" "$SERVICE" &
local SYSCTLACTION=$!
# Save and release the lock...
cp $LOCKFILE $LOCKFILE.bkp.$$
rm $LOCKFILE
# Wait for the end of the action
wait $SYSCTLACTION
# Make sure the lock is released...
while [ -f $LOCKFILE ]
do
sleep 0.1
done
# Restore the old lock
mv $LOCKFILE.bkp.$$ $LOCKFILE
# When yunohost --verbose or bash -x
if $_ISVERBOSE; then
cat
else
cat > /dev/null
fi
}
# Experimental helpers
# Cf. https://github.com/YunoHost-Apps/Experimental_helpers/blob/72b0bc77c68d4a4a2bf4e95663dbc05e4a762a0a/ynh_read_manifest/ynh_read_manifest
read_json () {
python3 -c "import sys, json;print(json.load(open('$1'))['$2'])"
}
# Experimental helper
# Cf. https://github.com/YunoHost-Apps/Experimental_helpers/blob/72b0bc77c68d4a4a2bf4e95663dbc05e4a762a0a/ynh_read_manifest/ynh_read_manifest
read_manifest () {
if [ -f '../manifest.json' ] ; then
read_json '../manifest.json' "$1"
else
read_json '../settings/manifest.json' "$1"
fi
}
# Experimental helper
# cf. https://github.com/YunoHost-Apps/Experimental_helpers/blob/master/ynh_abort_if_up_to_date/ynh_abort_if_up_to_date
ynh_abort_if_up_to_date () {
version=$(read_json "/etc/yunohost/apps/$YNH_APP_INSTANCE_NAME/manifest.json" 'version' 2> /dev/null || echo '20160501-7')
last_version=$(read_manifest 'version')
if [ "${version}" = "${last_version}" ]; then
ynh_print_info "Up-to-date, nothing to do"
ynh_die "" 0
fi
}
# Read the value of a key in a ynh manifest file
#
# usage: ynh_read_manifest manifest key
# | arg: manifest - Path of the manifest to read
# | arg: key - Name of the key to find
ynh_read_manifest () {
manifest="$1"
key="$2"
python3 -c "import sys, json;print(json.load(open('$manifest', encoding='utf-8'))['$key'])"
}
# Read the upstream version from the manifest
# The version number in the manifest is defined by <upstreamversion>~ynh<packageversion>
# For example : 4.3-2~ynh3
# This include the number before ~ynh
# In the last example it return 4.3-2
#
# usage: ynh_app_upstream_version
ynh_app_upstream_version () {
manifest_path="../manifest.json"
if [ ! -e "$manifest_path" ]; then
manifest_path="../settings/manifest.json" # Into the restore script, the manifest is not at the same place
fi
version_key=$(ynh_read_manifest "$manifest_path" "version")
echo "${version_key/~ynh*/}"
}
# Read package version from the manifest
# The version number in the manifest is defined by <upstreamversion>~ynh<packageversion>
# For example : 4.3-2~ynh3
# This include the number after ~ynh
# In the last example it return 3
#
# usage: ynh_app_package_version
ynh_app_package_version () {
manifest_path="../manifest.json"
if [ ! -e "$manifest_path" ]; then
manifest_path="../settings/manifest.json" # Into the restore script, the manifest is not at the same place
fi
version_key=$(ynh_read_manifest "$manifest_path" "version")
echo "${version_key/*~ynh/}"
}
# Exit without error if the package is up to date
#
# This helper should be used to avoid an upgrade of a package
# when it's not needed.
#
# To force an upgrade, even if the package is up to date,
# you have to set the variable YNH_FORCE_UPGRADE before.
# example: YNH_FORCE_UPGRADE=1 yunohost app upgrade MyApp
#
# usage: ynh_abort_if_up_to_date
ynh_abort_if_up_to_date () {
local force_upgrade=${YNH_FORCE_UPGRADE:-0}
local package_check=${PACKAGE_CHECK_EXEC:-0}
local version=$(ynh_read_manifest "/etc/yunohost/apps/$YNH_APP_INSTANCE_NAME/manifest.json" "version" || echo 1.0)
local last_version=$(ynh_read_manifest "../manifest.json" "version" || echo 1.0)
if [ "$version" = "$last_version" ]
then
if [ "$force_upgrade" != "0" ]
then
echo "Upgrade forced by YNH_FORCE_UPGRADE." >&2
unset YNH_FORCE_UPGRADE
elif [ "$package_check" != "0" ]
then
echo "Upgrade forced for package check." >&2
else
ynh_die "Up-to-date, nothing to do" 0
fi
fi
}
# Operations needed by both 'install' and 'upgrade' scripts
function vpnclient_deploy_files_and_services()
{
local domain=$1
local app=$2
local service_name=$3
local sysuser="${app}"
local service_checker_name="$service_name-checker"
# Ensure vpnclient_ynh has its own system user
if ! ynh_system_user_exists ${sysuser}
then
ynh_system_user_create ${sysuser}
fi
# Ensure the system user has enough permissions
install -b -o root -g root -m 0440 ../conf/sudoers.conf /etc/sudoers.d/${app}_ynh
ynh_replace_string "__VPNCLIENT_SYSUSER__" "${sysuser}" /etc/sudoers.d/${app}_ynh
# Install IPv6 scripts
install -o root -g root -m 0755 ../conf/ipv6_expanded /usr/local/bin/
install -o root -g root -m 0755 ../conf/ipv6_compressed /usr/local/bin/
# Install command-line cube file loader
install -o root -g root -m 0755 ../conf/$service_name-loadcubefile.sh /usr/local/bin/
# Copy confs
mkdir -pm 0755 /var/log/nginx/
chown root:${sysuser} /etc/openvpn/
chmod 775 /etc/openvpn/
mkdir -pm 0755 /etc/yunohost/hooks.d/post_iptable_rules/
install -b -o root -g ${sysuser} -m 0664 ../conf/openvpn_client.conf.tpl /etc/openvpn/client.conf.tpl
install -o root -g root -m 0644 ../conf/openvpn_client.conf.tpl /etc/openvpn/client.conf.tpl.restore
install -b -o root -g root -m 0755 ../conf/hook_post-iptable-rules /etc/yunohost/hooks.d/90-vpnclient.tpl
install -b -o root -g root -m 0644 ../conf/openvpn@.service /etc/systemd/system/
# Copy web sources
mkdir -pm 0755 /var/www/${app}/
cp -a ../sources/* /var/www/${app}/
chown -R root: /var/www/${app}/
chmod -R 0644 /var/www/${app}/*
find /var/www/${app}/ -type d -exec chmod +x {} \;
# Create certificates directory
mkdir -pm 0770 /etc/openvpn/keys/
chown root:${sysuser} /etc/openvpn/keys/
#=================================================
# NGINX CONFIGURATION
#=================================================
ynh_print_info "Configuring nginx web server..."
ynh_add_nginx_config
#=================================================
# PHP-FPM CONFIGURATION
#=================================================
ynh_print_info "Configuring php-fpm..."
ynh_add_fpm_config
#=================================================
# Fix sources
ynh_replace_string "__PATH__" "${path_url}" "/var/www/${app}/config.php"
# Copy init script
install -o root -g root -m 0755 ../conf/$service_name /usr/local/bin/
# Copy checker timer
install -o root -g root -m 0755 ../conf/$service_checker_name.sh /usr/local/bin/
install -o root -g root -m 0644 ../conf/$service_checker_name.timer /etc/systemd/system/
#=================================================
# SETUP SYSTEMD
#=================================================
ynh_print_info "Configuring a systemd service..."
ynh_add_systemd_config $service_name "$service_name.service"
ynh_add_systemd_config $service_checker_name "$service_checker_name.service"
}
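Review bot: `vpnclient_deploy_files_and_services` makes `/etc/openvpn/` group-writable (`chmod 775` with group `${sysuser}`) and installs `client.conf.tpl` as 0664 with the same group, so whatever runs as the app user (presumably the php-fpm pool behind the web admin) can create or replace files under `/etc/openvpn/` that openvpn later consumes as root; if that is the intended privilege boundary it should be stated, e.g. `# ${sysuser} (web admin) must write /etc/openvpn and keys/ to deploy .cube files; openvpn runs as root, so this user is effectively trusted`. The sudoers fragment is installed and then edited in place with `ynh_replace_string` without a syntax check, and a malformed result disables sudo system-wide; add `visudo -cf /etc/sudoers.d/${app}_ynh || ynh_die "Invalid sudoers file for ${app}"` right after the replacement. `ynh_read_manifest` splices `$manifest` and `$key` straight into Python source; callers pass fixed values here, but passing them through `sys.argv` would avoid a quoting break should a path ever contain a quote.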


@@ -1,16 +1,83 @@
#!/bin/bash
#=================================================
# GENERIC START
#=================================================
# IMPORT GENERIC HELPERS
#=================================================
source ../settings/scripts/_common.sh
source /usr/share/yunohost/helpers
#=================================================
# MANAGE SCRIPT FAILURE
#=================================================
ynh_abort_if_errors # Stop script if an error is detected
# Exit if an error occurs during the execution of the script
ynh_abort_if_errors
#=================================================
# LOAD SETTINGS
#=================================================
ynh_print_info "Loading installation settings..."
backup_dir="${1}/apps/vpnclient"
mkdir -p "${backup_dir}/"
app=$YNH_APP_INSTANCE_NAME
sudo cp -a /etc/openvpn/keys/ "${backup_dir}/"
sudo cp -a /etc/openvpn/client.conf.tpl "${backup_dir}/"
final_path=$(ynh_app_setting_get $app final_path)
domain=$(ynh_app_setting_get $app domain)
#=================================================
# STANDARD BACKUP STEPS
#=================================================
# BACKUP THE APP MAIN DIR
#=================================================
ynh_print_info "Backing up the main app directory..."
ynh_backup "$final_path"
ynh_backup "/etc/sudoers.d/${app}_ynh"
ynh_backup "/usr/local/bin/ipv6_expanded"
ynh_backup "/usr/local/bin/ipv6_compressed"
ynh_backup "/usr/local/bin/$service_name-loadcubefile.sh"
ynh_backup "/etc/yunohost/hooks.d/90-vpnclient.tpl"
ynh_backup "/etc/openvpn/client.conf.tpl"
ynh_backup "/etc/openvpn/client.conf.tpl.restore"
ynh_backup "/etc/openvpn/keys/"
ynh_backup "/usr/local/bin/$service_name"
ynh_backup "/usr/local/bin/$service_checker_name.sh"
#=================================================
# BACKUP THE NGINX CONFIGURATION
#=================================================
ynh_print_info "Backing up nginx web server configuration..."
ynh_backup "/etc/nginx/conf.d/$domain.d/$app.conf"
#=================================================
# BACKUP THE PHP-FPM CONFIGURATION
#=================================================
ynh_print_info "Backing up php-fpm configuration..."
ynh_backup "/etc/php/7.0/fpm/pool.d/$app.conf"
#=================================================
# SPECIFIC BACKUP
#=================================================
# BACKUP SYSTEMD
#=================================================
ynh_print_info "Backing up systemd configuration..."
ynh_backup "/etc/systemd/system/$service_name.service"
ynh_backup "/etc/systemd/system/$service_checker_name.service"
ynh_backup "/etc/systemd/system/$service_checker_name.timer"
ynh_backup "/etc/systemd/system/openvpn@.service"
#=================================================
# END OF SCRIPT
#=================================================
ynh_print_info "Backup script completed for $app. (YunoHost will then actually copy those files to the archive)."
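Review bot: `ynh_backup "/etc/openvpn/keys/"` puts the client private key (`user.key`) and the `credentials` file that the service script checks for — presumably the VPN username/password in clear, as openvpn's auth-user-pass expects — into the archive, and nothing in the script says so; a comment such as `# keys/ holds the client private key and plaintext VPN credentials: the archive must be protected like /etc/openvpn/keys itself` would make that explicit for whoever handles the backup. The sudoers fragment is archived too and restored verbatim, so a tampered archive can re-grant sudo rights to the app user; worth a one-line note next to `ynh_backup "/etc/sudoers.d/${app}_ynh"`.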


@@ -23,8 +23,8 @@
# IMPORT GENERIC HELPERS
#=================================================
source _common.sh
source /usr/share/yunohost/helpers
source _common.sh
#=================================================
# MANAGE SCRIPT FAILURE
@@ -39,29 +39,25 @@ ynh_abort_if_errors
# Retrieve arguments
domain=$YNH_APP_ARG_DOMAIN
path_url=$YNH_APP_ARG_PATH
path_url=$(ynh_normalize_url_path "$YNH_APP_ARG_PATH")
app=$YNH_APP_INSTANCE_NAME
final_path="/var/www/$app"
#=================================================
# CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
#=================================================
ynh_print_info "Validating installation parameters..."
# Check destination directory
final_path="/var/www/$app"
test ! -e "$final_path" || ynh_die "This path already contains a folder"
test ! -e "$final_path" || ynh_die "Path is already in use: ${final_path}."
# Normalize the url path syntax
path_url=$(ynh_normalize_url_path "$path_url")
# Check web path availability
ynh_webpath_available "$domain" "$path_url"
# Register (book) web path
ynh_webpath_register "$app" "$domain" "$path_url"
#=================================================
# STORE SETTINGS FROM MANIFEST
#=================================================
ynh_print_info "Storing installation settings..."
ynh_app_setting_set "$app" domain "$domain"
ynh_app_setting_set "$app" final_path "$final_path"
@@ -71,125 +67,46 @@ ynh_app_setting_set "$app" final_path "$final_path"
#=================================================
# INSTALL DEPENDENCIES
#=================================================
ynh_print_info "Installing dependencies..."
ynh_install_app_dependencies "$pkg_dependencies"
#=================================================
# SPECIFIC SETUP
# DEPLOY FILES FROM PACKAGE
#=================================================
ynh_print_info "Deploy files from package..."
# This is an upgrade?
upgrade=$([ -z ${VPNCLIENT_UPGRADE+x} ] && echo true || echo false)
if ! $upgrade; then
# Save arguments
ynh_app_setting_set $app service_enabled 0
ynh_app_setting_set $app server_name none
ynh_app_setting_set $app server_port 1194
ynh_app_setting_set $app server_proto udp
ynh_app_setting_set $app ip6_addr none
ynh_app_setting_set $app ip6_net none
ynh_app_setting_set $app login_user "${login_user}"
ynh_app_setting_set $app login_passphrase "${login_passphrase}"
ynh_app_setting_set $app dns0 89.234.141.66
ynh_app_setting_set $app dns1 2001:913::8
fi
# Install IPv6 scripts
sudo install -o root -g root -m 0755 ../conf/ipv6_expanded /usr/local/bin/
sudo install -o root -g root -m 0755 ../conf/ipv6_compressed /usr/local/bin/
# Install command-line cube file loader
sudo install -o root -g root -m 0755 ../conf/ynh-vpnclient-loadcubefile.sh /usr/local/bin/
# Copy confs
sudo mkdir -pm 0755 /var/log/nginx/
sudo chown root:admins /etc/openvpn/
sudo chmod 775 /etc/openvpn/
sudo mkdir -pm 0755 /etc/yunohost/hooks.d/post_iptable_rules/
sudo install -b -o root -g admins -m 0664 ../conf/openvpn_client.conf.tpl /etc/openvpn/client.conf.tpl
sudo install -o root -g root -m 0644 ../conf/openvpn_client.conf.tpl /etc/openvpn/client.conf.tpl.restore
sudo install -b -o root -g root -m 0644 ../conf/nginx_vpnadmin.conf "/etc/nginx/conf.d/${domain}.d/vpnadmin.conf"
sudo install -b -o root -g root -m 0644 ../conf/phpfpm_vpnadmin.conf /etc/php5/fpm/pool.d/vpnadmin.conf
sudo install -b -o root -g root -m 0755 ../conf/hook_post-iptable-rules /etc/yunohost/hooks.d/90-vpnclient.tpl
sudo install -b -o root -g root -m 0644 ../conf/openvpn@.service /etc/systemd/system/
# Copy web sources
sudo mkdir -pm 0755 /var/www/vpnadmin/
sudo cp -a ../sources/* /var/www/vpnadmin/
sudo chown -R root: /var/www/vpnadmin/
sudo chmod -R 0644 /var/www/vpnadmin/*
sudo find /var/www/vpnadmin/ -type d -exec chmod +x {} \;
# Create certificates directory
sudo mkdir -pm 0770 /etc/openvpn/keys/
sudo chown root:admins /etc/openvpn/keys/
vpnclient_deploy_files_and_services "${domain}" "${app}" "${service_name}"
#=================================================
# NGINX CONFIGURATION
# RELOAD SERVICES
#=================================================
sudo sed "s|<TPL:NGINX_LOCATION>|${path_url}|g" -i "/etc/nginx/conf.d/${domain}.d/vpnadmin.conf"
sudo sed 's|<TPL:NGINX_REALPATH>|/var/www/vpnadmin/|g' -i "/etc/nginx/conf.d/${domain}.d/vpnadmin.conf"
sudo sed 's|<TPL:PHP_NAME>|vpnadmin|g' -i "/etc/nginx/conf.d/${domain}.d/vpnadmin.conf"
#=================================================
# PHP-FPM CONFIGURATION
#=================================================
sudo sed 's|<TPL:PHP_NAME>|vpnadmin|g' -i /etc/php5/fpm/pool.d/vpnadmin.conf
sudo sed 's|<TPL:PHP_USER>|admin|g' -i /etc/php5/fpm/pool.d/vpnadmin.conf
sudo sed 's|<TPL:PHP_GROUP>|admins|g' -i /etc/php5/fpm/pool.d/vpnadmin.conf
sudo sed 's|<TPL:NGINX_REALPATH>|/var/www/vpnadmin/|g' -i /etc/php5/fpm/pool.d/vpnadmin.conf
# Fix sources
sudo sed "s|<TPL:NGINX_LOCATION>|${path_url}|g" -i /var/www/vpnadmin/config.php
# Copy init script
sudo install -o root -g root -m 0755 ../conf/ynh-vpnclient /usr/local/bin/
sudo install -o root -g root -m 0644 ../conf/ynh-vpnclient.service /etc/systemd/system/
# Copy checker timer
sudo install -o root -g root -m 0755 ../conf/ynh-vpnclient-checker.sh /usr/local/bin/
sudo install -o root -g root -m 0644 ../conf/ynh-vpnclient-checker.service /etc/systemd/system/
sudo install -o root -g root -m 0644 ../conf/ynh-vpnclient-checker.timer /etc/systemd/system/
ynh_print_info "Reloading services..."
# Set default inits
# The boot order of these services are important, so they are disabled by default
# and the ynh-vpnclient service handles them.
sudo systemctl disable openvpn
sudo systemctl stop openvpn
# and the vpnclient service handles them.
systemctl disable openvpn
systemctl stop openvpn
sudo systemctl enable php5-fpm
sudo systemctl restart php5-fpm
systemctl restart php7.0-fpm
systemctl reload nginx
sudo systemctl reload nginx
# main service
sudo systemctl enable ynh-vpnclient
sudo yunohost service add ynh-vpnclient
yunohost service add $service_name --description "Tunnels the internet traffic through a VPN" --need_lock
yunohost service enable $service_name
ynh_systemctl start ynh-vpnclient-checker.service
sudo systemctl enable ynh-vpnclient-checker.service
ynh_systemctl start ynh-vpnclient-checker.timer
sudo systemctl enable ynh-vpnclient-checker.timer
# checker service
if ! $upgrade; then
ynh_systemctl start ynh-vpnclient
yunohost service add $service_checker_name --description "Makes sure that the VPN service is running" --need_lock
yunohost service start $service_checker_name
yunohost service enable $service_checker_name
systemctl start $service_checker_name.timer
systemctl enable $service_checker_name.timer
# Check configuration consistency
if [ -z "${crt_server_ca_path}" ]; then
echo "WARNING: VPN Client is not started because you need to define a server CA through the web admin" >&2
fi
if [ -z "${crt_client_key_path}" -a -z "${login_user}" ]; then
echo "WARNING: VPN Client is not started because you need either a client certificate, either a username (or both)" >&2
fi
fi
sudo yunohost app ssowatconf
#=================================================
# END OF SCRIPT
#=================================================
ynh_print_info "Installation of $app completed"
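Review bot: In the last hunk the new side registers and enables `$service_name` but, in the lines visible here, no longer writes the initial settings (`service_enabled 0`, `server_name none`, `dns0`/`dns1`, ...) that the rendered view also shows under the old `if ! $upgrade` block; I cannot tell from this rendering which side those lines belong to, but the `ynh-vpnclient` script does `[ "${ynh_service_enabled}" -eq 0 ]` on that setting, which fails with an integer-expression error when the setting is empty, so a fresh install must write the defaults before the checker timer first fires. The old consistency warnings about a missing CA or credentials were dropped as well; since the service script now calls `critical` in that case, a `ynh_print_warn "The VPN client will not start until a .cube file or a CA certificate is uploaded through the web admin"` after `yunohost service enable $service_name` would keep the install output informative.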


@@ -29,37 +29,96 @@ source /usr/share/yunohost/helpers
#=================================================
# LOAD SETTINGS
#=================================================
ynh_print_info "Loading installation settings..."
app=$YNH_APP_INSTANCE_NAME
domain=$(ynh_app_setting_get $app domain)
#=================================================
# The End
ynh_systemctl stop ynh-vpnclient-checker.service
sudo systemctl disable ynh-vpnclient-checker.service
ynh_systemctl stop ynh-vpnclient-checker.timer && sleep 1
sudo systemctl disable ynh-vpnclient-checker.timer
ynh_systemctl stop ynh-vpnclient
sudo systemctl disable ynh-vpnclient
sudo yunohost service remove ynh-vpnclient
sudo rm -f /etc/systemd/system/ynh-vpnclient* /usr/local/bin/ynh-vpnclient*
sudo rm -f /tmp/.ynh-vpnclient-*
# STOP AND REMOVE SERVICES
#=================================================
ynh_print_info "Stopping and removing services"
# Remove confs
sudo rm -f /etc/openvpn/client.conf{.tpl,.tpl.restore,}
sudo rm -f /etc/nginx/conf.d/${domain}.d/vpnadmin.conf
sudo rm -f /etc/php5/fpm/pool.d/vpnadmin.conf
sudo rm -f /etc/yunohost/hooks.d/90-vpnclient.tpl
sudo rm -f /etc/systemd/system/openvpn@.service
yunohost service stop $service_checker_name
yunohost service disable $service_checker_name
yunohost service remove $service_checker_name
systemctl stop $service_checker_name.timer && sleep 1
systemctl disable $service_checker_name.timer
# Remove certificates
sudo rm -rf /etc/openvpn/keys/
yunohost service stop $service_name
yunohost service disable $service_name
yunohost service remove $service_name
# Restart services
sudo systemctl restart php5-fpm
sudo systemctl reload nginx
for FILE in $(ls /etc/systemd/system/$service_name* /usr/local/bin/ynh-vpnclient* /tmp/.ynh-vpnclient-*)
do
ynh_secure_remove "$FILE"
done
#=================================================
# REMOVE NGINX CONFIGURATION
#=================================================
ynh_print_info "Removing nginx web server configuration"
# Remove the dedicated nginx config
ynh_remove_nginx_config
#=================================================
# REMOVE PHP-FPM CONFIGURATION
#=================================================
ynh_print_info "Removing php-fpm configuration"
# Remove the dedicated php-fpm config
ynh_remove_fpm_config
#=================================================
# SPECIFIC REMOVE
#================================================
ynh_print_info "Removing openvpn configuration"
# Remove openvpn configurations
ynh_secure_remove /etc/openvpn/client.conf
ynh_secure_remove /etc/openvpn/client.conf.tpl
ynh_secure_remove /etc/openvpn/client.conf.tpl.restore
# Remove YunoHost hook
ynh_secure_remove /etc/yunohost/hooks.d/90-vpnclient.tpl
# Remove openvpn service
ynh_secure_remove /etc/systemd/system/openvpn@.service
# Remove openvpn certificates
ynh_secure_remove /etc/openvpn/keys
#=================================================
# REMOVE DEPENDENCIES
#=================================================
ynh_print_info "Removing dependencies"
ynh_remove_app_dependencies
# Remove sources
sudo rm -rf /var/www/vpnadmin/
ynh_secure_remove "/var/www/${app}"
# Reload systemd configuration
systemctl daemon-reload
# Restart services
# (this must happen before deleting the user, otherwise the user is
# being used by one of the php pool process)
systemctl restart php7.0-fpm
systemctl reload nginx
#=================================================
# REMOVE DEDICATED USER
#=================================================
ynh_print_info "Removing the dedicated system user"
# Delete a system user
ynh_system_user_delete ${app}
ynh_secure_remove "/etc/sudoers.d/${app}_ynh"
#=================================================
# END OF SCRIPT
#=================================================
ynh_print_info "Removal of $app completed"
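Review bot: The cleanup loop `for FILE in $(ls /etc/systemd/system/$service_name* /usr/local/bin/ynh-vpnclient* /tmp/.ynh-vpnclient-*)` word-splits the output of `ls`, and when one of the three globs matches nothing (e.g. no `/tmp/.ynh-vpnclient-*` after a reboot) `ls` prints an error while the loop silently carries on; use the shell globs directly, `shopt -s nullglob` followed by `for FILE in /etc/systemd/system/$service_name* /usr/local/bin/ynh-vpnclient* /tmp/.ynh-vpnclient-*`. The `/tmp/.ynh-vpnclient-*` entries live in a world-writable directory, so any local user can plant names matching that glob that this script then hands to `ynh_secure_remove` as root; that is only harmless if the helper never follows symlinks — confirm. The sudoers fragment is removed as the very last step, after the dedicated user is already deleted; moving `ynh_secure_remove "/etc/sudoers.d/${app}_ynh"` before `ynh_system_user_delete ${app}` avoids leaving a grant behind for a reused user name if the script aborts in between.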


@@ -1,15 +1,12 @@
#!/bin/bash
#=================================================
# GENERIC START
#=================================================
# IMPORT GENERIC HELPERS
#=================================================
if [ ! -e _common.sh ]; then
# Fetch helpers file if not in current directory
cp ../settings/scripts/_common.sh ./_common.sh
chmod a+rx _common.sh
fi
source _common.sh
source ../settings/scripts/_common.sh
source /usr/share/yunohost/helpers
#=================================================
@@ -19,21 +16,121 @@ source /usr/share/yunohost/helpers
# Exit if an error occurs during the execution of the script
ynh_abort_if_errors
backup_dir="${1}/apps/vpnclient"
#=================================================
# LOAD SETTINGS
#=================================================
ynh_print_info "Loading settings..."
sudo mkdir -p /etc/openvpn/
sudo cp -a "${backup_dir}/keys/" /etc/openvpn/
sudo cp -a "${backup_dir}/client.conf.tpl" /etc/openvpn/
sudo chown -R root:admins /etc/openvpn/keys/
app=$YNH_APP_INSTANCE_NAME
gitcommit=$(sudo grep revision /etc/yunohost/apps/vpnclient/status.json | sed 's/.*"revision": "\([^"]\+\)".*/\1/')
tmpdir=$(mktemp -dp /tmp/ vpnclient-restore-XXXXX)
domain=$(ynh_app_setting_get $app domain)
path_url=$(ynh_app_setting_get $app path)
final_path=$(ynh_app_setting_get $app final_path)
git clone https://github.com/labriqueinternet/vpnclient_ynh.git "${tmpdir}/"
git --work-tree "${tmpdir}/" --git-dir "${tmpdir}/.git/" reset --hard "${gitcommit}"
#=================================================
# CHECK IF THE APP CAN BE RESTORED
#=================================================
ynh_print_info "Validating restoration parameters..."
cd "${tmpdir}/scripts/"
bash ./upgrade
ynh_webpath_available $domain $path_url \
|| ynh_die "Path not available: ${domain}${path_url}"
test ! -d $final_path \
|| ynh_die "There is already a directory: $final_path "
sudo rm -r "${tmpdir}/"
#=================================================
# STANDARD RESTORATION STEPS
#=================================================
# RESTORE THE NGINX CONFIGURATION
#=================================================
ynh_restore_file "/etc/nginx/conf.d/$domain.d/$app.conf"
#=================================================
# RESTORE THE APP MAIN DIR
#=================================================
ynh_print_info "Restoring the app main directory..."
ynh_restore_file "$final_path"
ynh_restore_file "/etc/sudoers.d/${app}_ynh"
ynh_restore_file "/usr/local/bin/ipv6_expanded"
ynh_restore_file "/usr/local/bin/ipv6_compressed"
ynh_restore_file "/usr/local/bin/$service_name-loadcubefile.sh"
ynh_restore_file "/etc/yunohost/hooks.d/90-vpnclient.tpl"
ynh_restore_file "/etc/openvpn/client.conf.tpl"
ynh_restore_file "/etc/openvpn/client.conf.tpl.restore"
ynh_restore_file "/etc/openvpn/keys/"
ynh_restore_file "/usr/local/bin/$service_name"
ynh_restore_file "/usr/local/bin/$service_checker_name.sh"
#=================================================
# RECREATE THE DEDICATED USER
#=================================================
ynh_print_info "Recreating the dedicated system user..."
# Create the dedicated user (if not existing)
ynh_system_user_create $app
#=================================================
# RESTORE USER RIGHTS
#=================================================
# Restore permissions on app files
chown -R $app: $final_path
#=================================================
# RESTORE THE PHP-FPM CONFIGURATION
#=================================================
ynh_restore_file "/etc/php/7.0/fpm/pool.d/$app.conf"
#=================================================
# SPECIFIC RESTORATION
#=================================================
# REINSTALL DEPENDENCIES
#=================================================
ynh_print_info "Reinstalling dependencies..."
# Define and install dependencies
ynh_install_app_dependencies "$pkg_dependencies"
#=================================================
# RESTORE SYSTEMD
#=================================================
ynh_print_info "Restoring the systemd configuration..."
ynh_restore_file "/etc/systemd/system/$service_name.service"
ynh_restore_file "/etc/systemd/system/$service_checker_name.service"
ynh_restore_file "/etc/systemd/system/$service_checker_name.timer"
ynh_restore_file "/etc/systemd/system/openvpn@.service"
systemctl daemon-reload
systemctl enable "$service_name.service"
systemctl enable "$service_checker_name.service"
systemctl enable "openvpn@.service"
#=================================================
# ADVERTISE SERVICE IN ADMIN PANEL
#=================================================
yunohost service add $service_name --description "Tunnels the internet traffic through a VPN" --need_lock
yunohost service add $service_checker_name --description "Makes sure that the VPN service is running" --need_lock
#=================================================
# GENERIC FINALIZATION
#=================================================
# RELOAD NGINX AND PHP-FPM
#=================================================
ynh_print_info "Reloading nginx web server and php-fpm..."
systemctl restart php7.0-fpm
systemctl reload nginx
#=================================================
# END OF SCRIPT
#=================================================
ynh_print_info "Restoration completed for $app"
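Review bot: The sudoers fragment put back by `ynh_restore_file "/etc/sudoers.d/${app}_ynh"` is restored with no validation: sudo ignores sudoers.d files that are world-writable or not owned by root, and a syntax error in any fragment makes sudo refuse to run at all, so a damaged or tampered backup would either silently strip the app's privileges or break sudo for the whole host. Add `chmod 0440 "/etc/sudoers.d/${app}_ynh"` and `visudo -cf "/etc/sudoers.d/${app}_ynh" || ynh_die "Restored sudoers file is invalid"` right after that line. The old script explicitly re-applied ownership on the restored keys (`chown -R root:admins /etc/openvpn/keys/`); the new `ynh_restore_file "/etc/openvpn/keys/"` presumably carries ownership from the archive, but if it does not, the private keys deserve the same explicit tightening. `test ! -d $final_path` should also quote `$final_path`, as every other use of it in this script does.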


@@ -9,16 +9,10 @@
source _common.sh
source /usr/share/yunohost/helpers
#=================================================
# MANAGE SCRIPT FAILURE
#=================================================
# Exit if an error occurs during the execution of the script
ynh_abort_if_errors
#=================================================
# LOAD SETTINGS
#=================================================
ynh_print_info "Loading installation settings..."
app=$YNH_APP_INSTANCE_NAME
@@ -26,44 +20,115 @@ domain=$(ynh_app_setting_get $app domain)
path_url=$(ynh_app_setting_get $app path)
is_public=$(ynh_app_setting_get $app is_public)
final_path=$(ynh_app_setting_get $app final_path)
server_name=$(ynh_app_setting_get $app server_name)
#=================================================
# CHECK VERSION
# SPECIAL UPGRADE FOR VERSIONS < 1.2.0
#=================================================
ynh_abort_if_up_to_date
#=================================================
sudo mkdir -m 0700 -p /var/cache/labriqueinternet/vpnclient/
sudo tar czf "/var/cache/labriqueinternet/vpnclient/rollback_$(date +%Y-%m-%d-%H%M%S).tgz" /etc/openvpn/ /etc/yunohost/apps/vpnclient/ &> /dev/null
tmpdir=$(mktemp -dp /tmp/ vpnclient-upgrade-XXXXX)
sudo cp -a /etc/yunohost/apps/vpnclient/settings.yml "${tmpdir}/"
sudo cp -a /etc/openvpn/keys/ "${tmpdir}/"
if [ ! -e /etc/openvpn/client.conf.tpl.restore ] || ! cmp -s /etc/openvpn/client.conf.tpl{,.restore}; then
sudo cp -a /etc/openvpn/client.conf.tpl "${tmpdir}/"
# Apply renaming that occured in v1.2.0 ("vpnadmin" -> "${app}")
if [ -f /etc/nginx/conf.d/${domain}.d/vpnadmin.conf ]; then
ynh_replace_string "/var/www/vpnadmin/" "/var/www/${app}/" "/etc/nginx/conf.d/${domain}.d/vpnadmin.conf"
ynh_replace_string "vpnadmin.sock" "${app}.sock" "/etc/nginx/conf.d/${domain}.d/vpnadmin.conf"
mv /etc/nginx/conf.d/${domain}.d/vpnadmin.conf /etc/nginx/conf.d/${domain}.d/${app}.conf
fi
export VPNCLIENT_UPGRADE=1
sudo bash /etc/yunohost/apps/vpnclient/scripts/remove &> /dev/null
bash ./install "${domain}" "${path}" "${server_name}"
sudo rmdir /etc/openvpn/keys/
sudo cp -a "${tmpdir}/keys/" /etc/openvpn/keys/
sudo cp -a "${tmpdir}/settings.yml" /etc/yunohost/apps/vpnclient/
sudo cp -a "${tmpdir}/client.conf.tpl" /etc/openvpn/ 2> /dev/null
sudo rm -r "${tmpdir}/"
# Changes
if [ -z "$(ynh_setting vpnclient dns0)" ]; then
sudo yunohost app setting vpnclient dns0 -v 89.234.141.66
sudo yunohost app setting vpnclient dns1 -v 2001:913::8
if [ -f /etc/php5/fpm/pool.d/vpnadmin.conf ]; then
ynh_replace_string "/var/www/vpnadmin/" "/var/www/${app}/" /etc/php5/fpm/pool.d/vpnadmin.conf
ynh_replace_string "vpnadmin.sock" "${app}.sock" /etc/php5/fpm/pool.d/vpnadmin.conf
mv /etc/php5/fpm/pool.d/vpnadmin.conf /etc/php/7.0/fpm/pool.d/${app}.conf
fi
ynh_systemctl start ynh-vpnclient
if [ -d /var/www/vpnadmin ]; then
mv /var/www/vpnadmin /var/www/${app}
fi
## Versions known to have a buggy backup script
#buggy_versions="1.0.0 1.0.1 1.1.0"
#curr_version=$(read_manifest version)
#if echo $buggy_versions | grep -w $curr_version > /dev/null; then
# echo "Your current version of ${app} is very old: ${curr_version}. Please ignore the next warning." >&2
#fi
#
##=================================================
## BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
##=================================================
#
#ynh_backup_before_upgrade
#ynh_clean_setup () {
# ynh_restore_upgradebackup
#}
## Exit if an error occurs during the execution of the script
ynh_abort_if_errors
#=================================================
# DO UPGRADE
#=================================================
# INSTALL DEPENDENCIES
#=================================================
ynh_print_info "Installing dependencies..."
ynh_install_app_dependencies "$pkg_dependencies"
#=================================================
# DEPLOY FILES FROM PACKAGE
#=================================================
# Keep a copy of existing config files before overwriting them
tmpdir=$(mktemp -d /tmp/vpnclient-upgrade-XXX)
cp -r /etc/openvpn/client* ${tmpdir}
# Deploy files from package
vpnclient_deploy_files_and_services "${domain}" "${app}" "${service_name}"
# Restore previously existing config files
cp -r ${tmpdir}/client* /etc/openvpn/
ynh_secure_remove ${tmpdir}
#=================================================
# RELOAD RELEVANT SERVICES
#=================================================
ynh_print_info "Reload services..."
systemctl reload php7.0-fpm
systemctl reload nginx
### Make sure that the yunohost services have a description and need-lock enabled
# main service
yunohost service add $service_name --description "Tunnels the internet traffic through a VPN" --need_lock
# checker service
yunohost service add $service_checker_name --description "Makes sure that the VPN service is running" --need_lock
# Reload systemd configuration
systemctl daemon-reload
### Restart services
# restart main service if needed
if systemctl is-active $service_name >/dev/null;
then
yunohost service restart $service_name
fi
# restart checker service if needed
if systemctl is-active $service_checker_name >/dev/null;
then
yunohost service restart $service_checker_name
fi
# restart checker service timer
if systemctl is-active $service_name.timer >/dev/null;
then
yunohost service restart $service_checker_name.timer
fi
#=================================================
# END OF SCRIPT
#=================================================
ynh_print_info "Upgrade of $app completed"
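Review bot: The last restart block tests the wrong unit: `if systemctl is-active $service_name.timer >/dev/null;` guards `yunohost service restart $service_checker_name.timer`, so the checker timer is only restarted when a `$service_name.timer` unit happens to exist, while the restore script in this same commit installs only `$service_checker_name.timer`. Change the condition to `if systemctl is-active $service_checker_name.timer >/dev/null;`. In the "DEPLOY FILES FROM PACKAGE" step, `cp -r /etc/openvpn/client* ${tmpdir}` and `ynh_secure_remove ${tmpdir}` leave `${tmpdir}` unquoted, unlike the rest of the script; since the copied client config can hold VPN credentials, quote it and give that step a comment such as `# client.conf may contain credentials: keep the copy inside the 0700 mktemp dir only`. The large commented-out "BACKUP BEFORE UPGRADE" block reads as dead code; either drop it or replace it with a one-line comment stating why the upgrade backup is disabled.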


@@ -1,19 +1,19 @@
<?php
/* VPN Client app for YunoHost
/* VPN Client app for YunoHost
* Copyright (C) 2015 Julien Vaubourg <julien@vaubourg.com>
* Contribute at https://github.com/labriqueinternet/vpnclient_ynh
*
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
@@ -22,11 +22,11 @@
function configure() {
option('env', ENV_PRODUCTION);
option('debug', false);
option('base_uri', '<TPL:NGINX_LOCATION>/');
option('base_uri', '__PATH__/');
layout('layout.html.php');
define('PUBLIC_DIR', '<TPL:NGINX_LOCATION>/public');
define('PUBLIC_DIR', '__PATH__/public');
}
// Before routing


@@ -117,6 +117,11 @@ dispatch('/', function() {
});
dispatch_put('/settings', function() {
if(!isset($_SERVER['HTTP_X_REQUESTED_WITH'])) {
throw new Exception('CSRF protection');
}
$service_enabled = isset($_POST['service_enabled']) ? 1 : 0;
if($service_enabled == 1) {
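Review bot: The new check `if(!isset($_SERVER['HTTP_X_REQUESTED_WITH']))` accepts any value for the header and works only because browsers refuse to send a custom header cross-origin without a CORS preflight; that holds as long as the app never answers with permissive `Access-Control-Allow-Origin`/`Access-Control-Allow-Headers`, which this hunk cannot show. Record that dependency next to the check, e.g. `// CSRF defence: a custom header cannot be set by a cross-origin form post unless CORS allows it, so keep CORS closed on this app.` Applying the same check once for every state-changing route, rather than inside this one handler, would avoid forgetting it on the next PUT/POST handler; the framework's before-routing hook seen in index.php looks like the place, but I cannot confirm from here. The handler body continues past the end of this hunk.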


@@ -28,7 +28,7 @@ function tabsClick() {
return false;
}
$(document).ready(function() {
function ready() {
$('.btn-group').button();
$('[data-toggle="tooltip"]').tooltip();
@@ -73,11 +73,29 @@ $(document).ready(function() {
$(choosertxtid).val($(this).val().replace(/^.*[\/\\]/, ''));
});
$('#save').click(function() {
$(this).prop('disabled', true);
$('#form').on("submit", function(event) {
event.preventDefault()
$('#save').prop('disabled', true);
$('#save-loading').show();
$('#form').submit();
});
$.ajax({
url: this.action,
type: this.method,
contentType: false,
processData: false,
cache: false,
data: new FormData(this),
headers: {
'X-Requested-With': 'jQuery',
},
timeout: 5000,
dataType: "html",
// success: function() {}, // XXX will never happen because the VPN connection will be restarted after the form is posted.
complete: function() {
console.log("Forcing page reload after a few seconds...");
setTimeout(function() {document.location.reload();}, 45000)
},
});
})
$('#status .close').click(function() {
$(this).parent().hide();
@@ -110,4 +128,6 @@ $(document).ready(function() {
$('.enabled').show('slow');
}
});
});
}
$(document).ready(ready)
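Review bot: The `complete:` callback schedules a page reload 45 s after every outcome, including the 5 s `timeout` and an HTTP error such as the server's new CSRF rejection, so a form the server refused looks exactly like an accepted one and the user gets no feedback. Since the XXX comment explains that a dropped connection (status 0) is the expected result of a successful save, distinguish it from a real rejection: in `complete: function(jqXHR)` reload only when `jqXHR.status === 0`, and otherwise show `jqXHR.status` and the response text in the `#status` box this file already uses. Style: `event.preventDefault()`, the `setTimeout(...)` line and `$(document).ready(ready)` lack the trailing semicolons used elsewhere in the file. The `ready` function starts and ends outside this hunk.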


@@ -200,7 +200,7 @@
<div class="form-group">
<label for="login_passphrase" class="col-sm-3 control-label"><?= _('Password') ?></label>
<div class="col-sm-9">
<input type="text" data-toggle="tooltip" data-title="<?= _('Leave empty if not necessary') ?>" class="form-control" name="login_passphrase" id="login_passphrase" placeholder="XVCwSbDkxnqQ" value="<?= $login_passphrase ?>" />
<input type="password" data-toggle="tooltip" data-title="<?= _('Leave empty if not necessary') ?>" class="form-control" name="login_passphrase" id="login_passphrase" placeholder="XVCwSbDkxnqQ" value="<?= $login_passphrase ?>" />
</div>
</div>
</div>
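Review bot: The changed input still writes `value="<?= $login_passphrase ?>"` into the attribute unescaped, so a stored passphrase containing `"` or `<` breaks out of the attribute and corrupts the markup; use `value="<?= htmlspecialchars($login_passphrase, ENT_QUOTES) ?>"`. Now that the field is `type="password"` and pre-filled with the stored secret, adding `autocomplete="off"` stops browser password managers from capturing the VPN passphrase as a credential for the admin site. Switching the type does not change that the secret is still delivered to the browser on every page load; if that is acceptable, a short template comment saying so would spare the next reviewer the same question.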