18 Commits

Author SHA1 Message Date
agentcobra
9e82f4776c Merge branch 'master' into develop 2018-09-10 20:27:16 +02:00
pitchum
aa7bbd6a4c [mod] Created file check_process for driving CI builds. 2018-08-29 10:40:12 +02:00
pitchum
7800953960 [fix] upgrade script requires some helpers.
```
Warning: Upgrading app vpnclient...
Warning: ./upgrade: line 35: ynh_abort_if_up_to_date: command not found
Warning: !!
Warning:   vpnclient's script has encountered an error. Its execution was cancelled.
Warning: !!
Warning:
Error: Unable to upgrade vpnclient
```
2018-08-25 19:24:31 +02:00
ljf (zamentur)
1fc4581106 [fix] Sync the date with http if ntp can't (#37)
* [fix] Sync the date with http if ntp can't
2018-06-13 11:30:43 +02:00
ljf (zamentur)
081447008c [fix] Let VPN mount (#38) 2018-05-22 09:43:35 +02:00
Bastien
24ff5a8687 travis improvement
with manifest check JSON
2018-05-13 12:33:59 +02:00
agentcobra
a55574ac9b Update README.md
add integration from jenkins
2018-05-13 11:48:07 +02:00
Sebastien Badia
9c736b4804 doc: s/NextCloud/LaBriqueInterNet VPNclient/ thx agentcorba 2018-05-13 11:38:27 +02:00
Sebastien Badia
3efa16e19e doc: Update syntax (badges) 2018-05-13 11:25:37 +02:00
Sebastien Badia
c4d2bab59c doc: Added install badge 2018-05-13 11:22:56 +02:00
agentcobra
05878ea230 Merge pull request #34 from keomabrun/master
using new helpers and script formatting
2018-04-25 20:18:55 +02:00
Keoma Brun
809dc19c80 using new helpers and script formatting 2018-04-09 16:11:08 +02:00
ljf (zamentur)
35f38ec86c [enh] Update version number 2018-04-08 13:55:09 +02:00
ljf (zamentur)
a642a01029 [fix] Add fake-hwclock to avoid RTC 1970 date
A20 Allwinner seems to have a RTC but I think this one can't work when the board is shut down (during several minutes/hours/days?). This package registers the last date and sets it early in the boot process.
2018-04-08 13:55:09 +02:00
ljf (zamentur)
5654b6d0b2 [fix] ntpd blocked because firewall too strict 2018-04-08 13:54:28 +02:00
agentcobra
b34644c729 Update upgrade
quick fix for ci building failing
2018-04-06 13:09:02 +02:00
Sebastien Badia
c9d7537387 cr: Update notifications settings 2018-03-23 10:29:24 +01:00
agentcobra
8aab3c7dd2 Package improvement (#31)
* fix manifest

* fix tabs

* add Services section in manifest

* Fix invalid JSON
open an issue https://dev.yunohost.org/issues/1097

* fix "Impossible de satisfaire les pré-requis pour vpnclient : Paquet «
yunohost-moulinette » inconnu"

* finalise manifest.json and harmonise it with
https://yunohost.org/#/packaging_apps_manifest_fr

* add CI with .travis.yml

* Update README.md

* lifting manifest.json

* remove exit 0 from scripts and add .gitignore

* fix lint error with exit

* fix #31

* refix #31
2018-03-23 09:23:57 +01:00
22 changed files with 591 additions and 1079 deletions

3
.gitignore vendored Normal file

@@ -0,0 +1,3 @@
# Created from https://github.com/YunoHost/example_ynh/blob/master/.gitignore
*~
*.sw[op]

14
.travis.yml Normal file

@@ -0,0 +1,14 @@
language: python
before_script:
- git clone --depth 1 git://github.com/YunoHost/package_linter ../package_linter && cd ../package_linter
- mv ../vpnclient_ynh vpnclient_ynh
script:
- python -m json.tool vpnclient_ynh/manifest.json
- ./package_linter.py vpnclient_ynh
notifications:
email: false
irc:
on_success: always
on_failure: always
channels:
- "irc.geeknode.org#labriqueinter.net-dev"
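Review bot: the `git clone --depth 1 git://github.com/YunoHost/package_linter ...` line fetches the CI tooling over the unauthenticated git:// protocol, so the linter that will run against the package can be altered in transit; clone over `https://github.com/YunoHost/package_linter` instead (GitHub no longer serves git:// at all) and consider pinning a known commit rather than the tip of the default branch.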


@@ -1,48 +0,0 @@
# Changelog
All notable changes to this project will be documented in this file.
The format is (partially) based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
## Unreleasead
## 1.4.1 - 2020-04-04
- [fix] ynh-vpnclient-loadcubefile.sh broken with ssowat 3.7.x (#60)
## 1.4.0 - 2019-03-18
- refactoring scripts
## 1.3.1 - 2018-12-19
- [mod] Bug fixes and code cleaning
## 1.3.0 - 2018-12-02
- [fix] Create a dedicated system user with proper sudo permissions. (#41)
- [fix] CSRF vulnerability (#43)
## 1.2.1 - 2018-09-10
- [fix] user/group = www-data in php-fpm config.
## 1.2.0 - 2018-09-06
- [fix] upgrade script is now functional
- [mod] lots of refactoring to apply app packaging best-practices
## 1.1.1 - 2018-04-06
- [fix] Sync the date with http if ntp can't (#37)
## 0.0.0 - 2016-05-14
First release
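Review bot: dropping the changelog loses the only record on this page of the security-relevant fixes (1.3.0: dedicated system user with proper sudo permissions, #41, and the CSRF fix, #43); keep the file and, while at it, correct the `## Unreleasead` heading to `## Unreleased`.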


@@ -1,8 +1,6 @@
# VPN Client [![Build Status](https://travis-ci.org/labriqueinternet/vpnclient_ynh.svg?branch=master)](https://travis-ci.org/labriqueinternet/vpnclient_ynh) [![Integration level](https://dash.yunohost.org/integration/vpnclient.svg)](https://dash.yunohost.org/appci/app/vpnclient) # VPN Client [![Build Status](https://travis-ci.org/labriqueinternet/vpnclient_ynh.svg?branch=master)](https://travis-ci.org/labriqueinternet/vpnclient_ynh) [![Integration level](https://dash.yunohost.org/integration/vpnclient.svg)](https://ci-apps.yunohost.org/jenkins/job/vpnclient%20%28Community%29/lastBuild/consoleFull)
[![Install LaBriqueInterNet VPNclient with YunoHost](https://install-app.yunohost.org/install-with-yunohost.png)](https://install-app.yunohost.org/?app=vpnclient) [![Install LaBriqueInterNet VPNclient with YunoHost](https://install-app.yunohost.org/install-with-yunohost.png)](https://install-app.yunohost.org/?app=vpnclient)
This YunoHost app is a part of the "[La Brique Internet](http://labriqueinter.net)" project but can be used independently.
## Overview ## Overview
VPN Client app for [YunoHost](http://yunohost.org/). VPN Client app for [YunoHost](http://yunohost.org/).
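Review bot: the `Integration level` badge links to `https://dash.yunohost.org/appci/app/vpnclient` on one side and to a Jenkins `lastBuild/consoleFull` URL on the other; point it at the dashboard page, since a console-log URL goes stale with every build.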
@@ -13,6 +11,8 @@ VPN Client app for [YunoHost](http://yunohost.org/).
* Useful to easily move your server anywhere. * Useful to easily move your server anywhere.
* With the [Hotspot app for YunoHost](https://github.com/labriqueinternet/hotspot_ynh), you can broadcast your VPN access by wifi to use a clean internet connection (depending on your VPN provider) on your laptop (or those of your friends) without having to configure it. * With the [Hotspot app for YunoHost](https://github.com/labriqueinternet/hotspot_ynh), you can broadcast your VPN access by wifi to use a clean internet connection (depending on your VPN provider) on your laptop (or those of your friends) without having to configure it.
This YunoHost app is a part of the "[La Brique Internet](http://labriqueinter.net)" project but can be used independently.
## Features ## Features
* Authentication based on certificates or login (or both), with or without shared-secret (*ta.key*) * Authentication based on certificates or login (or both), with or without shared-secret (*ta.key*)
@@ -24,9 +24,12 @@ VPN Client app for [YunoHost](http://yunohost.org/).
* Strong firewalling (internet access and self-hosted services only available through the VPN) * Strong firewalling (internet access and self-hosted services only available through the VPN)
* Advanced mode for editing the default OpenVPN configuration * Advanced mode for editing the default OpenVPN configuration
* Auto-configuration mode, with [dot cube files](http://internetcu.be/dotcubefiles.html) * Auto-configuration mode, with [dot cube files](http://internetcu.be/dotcubefiles.html)
* Web interface * Web interface ([screenshot](https://raw.githubusercontent.com/labriqueinternet/vpnclient_ynh/master/screenshot.png))
## Screenshot ## Prerequisites
![Screenshot of the web interface](https://raw.githubusercontent.com/labriqueinternet/vpnclient_ynh/master/screenshot.png) * Debian Jessie
* YunoHost >= 2.2.0
* Yunohost-Moulinette >= 2.4.0 (firewalling)
**[BUG REPORTS SHOULD BE OPEN HERE](https://dev.yunohost.org)**
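Review bot: `BUG REPORTS SHOULD BE OPEN HERE` should read `SHOULD BE OPENED HERE`; also, the Prerequisites block that replaces the Screenshot section lists Debian Jessie and YunoHost >= 2.2.0, both long out of support, so state the versions the package is actually tested against.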


@@ -1,33 +1,40 @@
;; Test complet ;; Test complet
; Manifest ; pre-install
domain="domain.tld" (DOMAIN) echo -n "Si j'avais des commandes à exécuter ce serait ici "
path="/vpnconfig" (PATH) ; Manifest
; Checks domain="domain.tld" (DOMAIN)
pkg_linter=1 path="/vpnconfig" (PATH)
setup_sub_dir=1 ; Checks
setup_root=1 pkg_linter=1
setup_nourl=0 setup_sub_dir=1
setup_private=1 setup_root=0
setup_public=0 setup_nourl=0
upgrade=1 setup_private=1
upgrade=1 from_commit=623d8a30453a26ee21aa2ce1142674a2ffdb85b9 setup_public=0
upgrade=1 from_commit=73aa672346e40fc1857aef7441c449f0bd322082 upgrade=1
backup_restore=1 upgrade=1 from_commit=355b24ea0cd3467d7ba1390ab7d34dd4b2500229
multi_instance=0 upgrade=1 from_commit=1fc458110660ce775f7613091cde3c5fdcfbe4e6
incorrect_path=1 backup_restore=1
port_already_use=0 multi_instance=0
change_url=0 incorrect_path=1
port_already_use=0
change_url=0
;;; Levels ;;; Levels
Level 1=auto Level 1=auto
Level 2=auto Level 2=auto
Level 3=auto Level 3=auto
Level 4=na Level 4=0
Level 5=auto Level 5=auto
Level 6=auto Level 6=auto
Level 7=auto Level 7=auto
Level 8=0 Level 8=0
Level 9=0 Level 9=0
Level 10=0 Level 10=0
;;; Options ;;; Options
Email=pitchum@gramaton.org Email=pitchum@gramaton.org
Notification=down Notification=down
#;;; Upgrade options
# ; commit=65c382d138596fcb32b4c97c39398815a1dcd4e8
# name=Name of this previous version
# manifest_arg=domain=DOMAIN&path=PATH&admin=USER&password=pass&is_public=1&
#
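Review bot: the `; pre-install` line `echo -n "Si j'avais des commandes à exécuter ce serait ici "` is a placeholder (literally "if I had commands to run, they would be here") and should be removed or replaced with the real pre-install steps; `Level 4=na` on one side versus `Level 4=0` on the other should be reconciled, and the commented-out `;;; Upgrade options` block at the bottom can go now that `upgrade=1 from_commit=...` entries cover it.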


@@ -1,41 +1,34 @@
# VPN Client app for YunoHost # VPN Client app for YunoHost
# Copyright (C) 2015 Julien Vaubourg <julien@vaubourg.com> # Copyright (C) 2015 Julien Vaubourg <julien@vaubourg.com>
# Contribute at https://github.com/labriqueinternet/vpnclient_ynh # Contribute at https://github.com/labriqueinternet/vpnclient_ynh
# #
# This program is free software: you can redistribute it and/or modify # This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by # it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or # the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version. # (at your option) any later version.
# #
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of # but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details. # GNU Affero General Public License for more details.
# #
# You should have received a copy of the GNU Affero General Public License # You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent; location <TPL:NGINX_LOCATION> {
location __PATH__/ { alias <TPL:NGINX_REALPATH>;
# Path to source
alias __FINALPATH__/ ;
# Force usage of https
if ($scheme = http) { if ($scheme = http) {
rewrite ^ https://$server_name$request_uri? permanent; rewrite ^ https://$server_name$request_uri? permanent;
} }
# Common parameter to increase upload size limit in conjunction with dedicated php-fpm file
client_max_body_size 10G; client_max_body_size 10G;
index index.php; index index.php;
try_files $uri $uri/ index.php; try_files $uri $uri/ index.php;
location ~ [^/]\.php(/|$) { location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$; fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_pass unix:/var/run/php/php7.0-fpm-__NAME__.sock; fastcgi_pass unix:/var/run/php5-fpm-<TPL:PHP_NAME>.sock;
fastcgi_index index.php; fastcgi_index index.php;
include fastcgi_params; include fastcgi_params;
fastcgi_read_timeout 600; fastcgi_read_timeout 600;
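Review bot: the `fastcgi_pass unix:/var/run/php5-fpm-<TPL:PHP_NAME>.sock;` side ties the app to PHP 5, which is out of security support, so the `php7.0-fpm-__NAME__.sock` path is the one to keep. `client_max_body_size 10G;` is also far larger than a configuration UI that only receives .cube files, certificates and a ta.key needs, and it lets any authenticated client tie up disk and PHP workers with a huge upload; a limit of a few megabytes is enough.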
@@ -44,6 +37,5 @@ location __PATH__/ {
fastcgi_param SCRIPT_FILENAME $request_filename; fastcgi_param SCRIPT_FILENAME $request_filename;
} }
# Include SSOWAT user panel.
include conf.d/yunohost_panel.conf.inc; include conf.d/yunohost_panel.conf.inc;
} }
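Review bot: the `location ~ [^/]\.php(/|$)` block hands `SCRIPT_FILENAME $request_filename` to PHP-FPM without first checking that the script exists; add `try_files $fastcgi_script_name =404;` next to `fastcgi_split_path_info` so that a request whose PATH_INFO tail points at a non-PHP file is rejected with 404 instead of being executed as PHP when `cgi.fix_pathinfo` is enabled.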


@@ -40,6 +40,3 @@ log-append /var/log/openvpn-client.log
# Routing # Routing
route-ipv6 2000::/3 route-ipv6 2000::/3
redirect-gateway def1 bypass-dhcp redirect-gateway def1 bypass-dhcp
# Cipher
cipher AES-256-CBC
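Review bot: the side without the `# Cipher` / `cipher AES-256-CBC` lines falls back to OpenVPN's historical default of BF-CBC, a 64-bit-block cipher that is considered weak, so the explicit cipher line must stay; on OpenVPN 2.4+ `ncp-ciphers` can additionally restrict negotiation to AES-GCM suites.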


@@ -1,24 +1,24 @@
; VPN Client app for YunoHost ; VPN Client app for YunoHost
; Copyright (C) 2015 Julien Vaubourg <julien@vaubourg.com> ; Copyright (C) 2015 Julien Vaubourg <julien@vaubourg.com>
; Contribute at https://github.com/labriqueinternet/vpnclient_ynh ; Contribute at https://github.com/labriqueinternet/vpnclient_ynh
; ;
; This program is free software: you can redistribute it and/or modify ; This program is free software: you can redistribute it and/or modify
; it under the terms of the GNU Affero General Public License as published by ; it under the terms of the GNU Affero General Public License as published by
; the Free Software Foundation, either version 3 of the License, or ; the Free Software Foundation, either version 3 of the License, or
; (at your option) any later version. ; (at your option) any later version.
; ;
; This program is distributed in the hope that it will be useful, ; This program is distributed in the hope that it will be useful,
; but WITHOUT ANY WARRANTY; without even the implied warranty of ; but WITHOUT ANY WARRANTY; without even the implied warranty of
; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
; GNU Affero General Public License for more details. ; GNU Affero General Public License for more details.
; ;
; You should have received a copy of the GNU Affero General Public License ; You should have received a copy of the GNU Affero General Public License
; along with this program. If not, see <http://www.gnu.org/licenses/>. ; along with this program. If not, see <http://www.gnu.org/licenses/>.
; Start a new pool named 'www'. ; Start a new pool named '<TPL:PHP_NAME>'.
; the variable $pool can we used in any directive and will be replaced by the ; the variable $pool can we used in any directive and will be replaced by the
; pool name ('www' here) ; pool name ('www' here)
[__NAMETOCHANGE__] [<TPL:PHP_NAME>]
; The address on which to accept FastCGI requests. ; The address on which to accept FastCGI requests.
; Valid syntaxes are: ; Valid syntaxes are:
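Review bot: the comment `; Start a new pool named 'www'` / `; pool name ('www' here)` is stale on both sides; the pool is actually `[__NAMETOCHANGE__]` / `[<TPL:PHP_NAME>]`, so the comment should reference the placeholder that gets substituted.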
@@ -28,7 +28,7 @@
; specific port; ; specific port;
; '/path/to/unix/socket' - to listen on a unix socket. ; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory. ; Note: This value is mandatory.
listen = /var/run/php/php7.0-fpm-__NAMETOCHANGE__.sock listen = /var/run/php5-fpm-<TPL:PHP_NAME>.sock
; Set permissions for unix socket, if one is used. In Linux, read/write ; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many ; permissions must be set in order to allow connections from a web server. Many
@@ -42,8 +42,8 @@ listen.mode = 0600
; Unix user/group of processes ; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group ; Note: The user is mandatory. If the group is not set, the default user's group
; will be used. ; will be used.
user = __USER__ user = <TPL:PHP_USER>
group = __USER__ group = <TPL:PHP_GROUP>
; Choose how the process manager will control the number of child processes. ; Choose how the process manager will control the number of child processes.
; Possible Values: ; Possible Values:
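Review bot: with `listen.mode = 0600` in the hunk's context, only the socket owner can connect, so `listen.owner`/`listen.group` must be the nginx worker user, while `user = __USER__` / `group = __USER__` (or `<TPL:PHP_USER>` / `<TPL:PHP_GROUP>`) should be a dedicated unprivileged account for this app rather than the shared web user; reusing one variable for both user and group only works if a group of that name exists for the dedicated user.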
@@ -157,7 +157,7 @@ request_slowlog_timeout = 0
; The log file for slow requests ; The log file for slow requests
; Default Value: not set ; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set ; Note: slowlog is mandatory if request_slowlog_timeout is set
slowlog = /var/log/nginx/[__NAMETOCHANGE__].slow.log slowlog = /var/log/nginx/<TPL:PHP_NAME>.slow.log
; Set open file descriptor rlimit. ; Set open file descriptor rlimit.
; Default Value: system defined value ; Default Value: system defined value
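Review bot: `slowlog = /var/log/nginx/[__NAMETOCHANGE__].slow.log` keeps the literal square brackets in the file name once the placeholder is substituted; drop them, as the `<TPL:PHP_NAME>.slow.log` side does.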
@@ -171,7 +171,7 @@ rlimit_core = 0
; Chdir to this directory at the start. ; Chdir to this directory at the start.
; Note: relative path can be used. ; Note: relative path can be used.
; Default Value: current directory or / when chroot ; Default Value: current directory or / when chroot
chdir = __FINALPATH__ chdir = <TPL:NGINX_REALPATH>
; Redirect worker stdout and stderr into main error log. If not set, stdout and ; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs. ; stderr will be redirected to /dev/null according to FastCGI specs.


@@ -1,13 +0,0 @@
Cmnd_Alias VPNCLIENTTASKS = /bin/systemctl stop ynh-vpnclient, \
/bin/systemctl start ynh-vpnclient, \
/usr/local/bin/ynh-vpnclient *
Cmnd_Alias YUNOHOST = /usr/bin/yunohost app setting vpnclient *,\
/usr/bin/yunohost app info hotspot *
Cmnd_Alias HOTSPOT = /bin/systemctl stop ynh-hotspot,\
/bin/systemctl start ynh-hotspot,\
/usr/bin/yunohost app setting hotspot *
__VPNCLIENT_SYSUSER__ ALL = NOPASSWD: /bin/grep, VPNCLIENTTASKS, YUNOHOST, HOTSPOT
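Review bot: `__VPNCLIENT_SYSUSER__ ALL = NOPASSWD: /bin/grep, VPNCLIENTTASKS, YUNOHOST, HOTSPOT` grants unrestricted root `grep`, which amounts to read access to every file on the system for the web-facing user; restrict it to the exact invocation the app needs (fixed arguments, or a small wrapper script), and likewise tighten the trailing `*` in `/usr/local/bin/ynh-vpnclient *` and `/usr/bin/yunohost app setting vpnclient *`, since a sudoers wildcard matches any argument string, including extra options. The dedicated system user itself (changelog #41) is the right direction; the fix is a narrower policy, not dropping the file.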


@@ -17,44 +17,8 @@
# You should have received a copy of the GNU Affero General Public License # You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
################################################################################### # Functions
# Logging helpers # ## State functions
###################################################################################
LOGFILE="/var/log/ynh-vpnclient.log"
touch $LOGFILE
chown root:root $LOGFILE
chmod 600 $LOGFILE
function success()
{
echo "[ OK ] $1" | tee -a $LOGFILE
}
function info()
{
echo "[INFO] $1" | tee -a $LOGFILE
}
function warn()
{
echo "[WARN] $1" | tee -a $LOGFILE >&2
}
function error()
{
echo "[FAIL] $1" | tee -a $LOGFILE >&2
}
function critical()
{
echo "[CRIT] $1" | tee -a $LOGFILE >&2
exit 1
}
###################################################################################
# IPv6 and route config stuff #
###################################################################################
has_nativeip6() { has_nativeip6() {
ip -6 route | grep -q default\ via ip -6 route | grep -q default\ via
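Review bot: the side that drops the `LOGFILE` helpers loses the root-owned, `chmod 600` log and the stderr routing of `warn`/`error`/`critical`; if logging is to be simplified, keep at least the `>&2` on failure messages so the journal records them separately from normal output.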
@@ -64,58 +28,6 @@ has_ip6delegatedprefix() {
[ "${ynh_ip6_addr}" != none ] [ "${ynh_ip6_addr}" != none ]
} }
is_ip6addr_set() {
ip address show dev tun0 2> /dev/null | grep -q "${ynh_ip6_addr}/128"
}
set_ip6addr() {
info "Adding IPv6 from VPN configuration"
ip address add "${ynh_ip6_addr}/128" dev tun0
}
unset_ip6addr() {
info "Removing IPv6 from VPN configuration"
ip address delete "${ynh_ip6_addr}/128" dev tun0
}
#
# Server IPv6 route
#
is_serverip6route_set() {
server_ip6=${1}
if [ -z "${server_ip6}" ]; then
false
else
ip -6 route | grep -q "${server_ip6}/"
fi
}
set_serverip6route() {
server_ip6=${1}
ip6_gw=${2}
wired_device=${3}
info "Adding IPv6 server route"
ip route add "${server_ip6}/128" via "${ip6_gw}" dev "${wired_device}"
}
unset_serverip6route() {
server_ip6=${1}
ip6_gw=${2}
wired_device=${3}
info "Removing IPv6 server route"
ip route delete "${server_ip6}/128" via "${ip6_gw}" dev "${wired_device}"
}
###################################################################################
# Hotspot app #
###################################################################################
has_hotspot_app() { has_hotspot_app() {
[ -e /tmp/.ynh-hotspot-started ] [ -e /tmp/.ynh-hotspot-started ]
} }
@@ -126,21 +38,72 @@ is_hotspot_knowme() {
[ "${hotspot_vpnclient}" == yes ] [ "${hotspot_vpnclient}" == yes ]
} }
################################################################################### is_firewall_set() {
# DNS rules # wired_device=${1}
###################################################################################
ip6tables -w -nvL OUTPUT | grep vpnclient_out | grep -q "${wired_device}"\
&& iptables -w -nvL OUTPUT | grep vpnclient_out | grep -q "${wired_device}"
}
is_ip6addr_set() {
ip address show dev tun0 2> /dev/null | grep -q "${ynh_ip6_addr}/128"
}
is_serverip6route_set() {
server_ip6=${1}
if [ -z "${server_ip6}" ]; then
false
else
ip -6 route | grep -q "${server_ip6}/"
fi
}
is_dns_set() { is_dns_set() {
# FIXME : having the ynh_dns0 in the resolv.dnsmasq.conf is not necessarily good enough
# We want it to be the only one (with ynh_dns1) but nowadays for example ARN's resolver is
# in the default list from yunohost...
[ -e /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient ]\ [ -e /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient ]\
&& ( grep -q ${ynh_dns0} /etc/resolv.conf || grep -q ${ynh_dns0} /etc/resolv.dnsmasq.conf ) && ( grep -q ${ynh_dns0} /etc/resolv.conf || grep -q ${ynh_dns0} /etc/resolv.dnsmasq.conf )
} }
set_dns() { is_openvpn_running() {
info "Enforcing custom DNS resolvers from vpnclient" systemctl is-active openvpn@client.service &> /dev/null
}
is_running() {
((has_nativeip6 && is_serverip6route_set "${new_server_ip6}") || ! has_nativeip6)\
&& ((! has_hotspot_app && has_ip6delegatedprefix && is_ip6addr_set) || has_hotspot_app || ! has_ip6delegatedprefix)\
&& is_dns_set && is_firewall_set && is_openvpn_running
}
## Setters
set_ip6addr() {
ip address add "${ynh_ip6_addr}/128" dev tun0
}
set_firewall() {
wired_device=${1}
cp /etc/yunohost/hooks.d/{90-vpnclient.tpl,post_iptable_rules/90-vpnclient}
sed "s|<TPL:SERVER_NAME>|${ynh_server_name}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
sed "s|<TPL:SERVER_PORT>|${ynh_server_port}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
sed "s|<TPL:PROTO>|${ynh_server_proto}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
sed "s|<TPL:WIRED_DEVICE>|${wired_device}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
sed "s|<TPL:DNS0>|${ynh_dns0}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
sed "s|<TPL:DNS1>|${ynh_dns1}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
yunohost firewall reload
}
set_serverip6route() {
server_ip6=${1}
ip6_gw=${2}
wired_device=${3}
ip route add "${server_ip6}/128" via "${ip6_gw}" dev "${wired_device}"
}
set_dns() {
resolvconf=/etc/resolv.conf resolvconf=/etc/resolv.conf
[ -e /etc/resolv.dnsmasq.conf ] && resolvconf=/etc/resolv.dnsmasq.conf [ -e /etc/resolv.dnsmasq.conf ] && resolvconf=/etc/resolv.dnsmasq.conf
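Review bot: in `set_firewall`, `sed "s|<TPL:SERVER_NAME>|${ynh_server_name}|g"` (and the port, proto and DNS substitutions) splices app settings into the `post_iptable_rules/90-vpnclient` hook unescaped, so a value containing `|`, `&` or a newline would corrupt or alter the generated firewall rules; validate `ynh_server_name`, `ynh_server_port`, `ynh_server_proto`, `ynh_dns0` and `ynh_dns1` against strict hostname/port/IP patterns before substitution. `is_dns_set` also greps `${ynh_dns0}` unquoted and unanchored, so each `.` matches any character; use `grep -qF -- "${ynh_dns0}"`.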
@@ -154,92 +117,7 @@ EOF
bash /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient bash /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient
} }
unset_dns() {
resolvconf=/etc/resolv.conf
[ -e /etc/resolv.dnsmasq.conf ] && resolvconf=/etc/resolv.dnsmasq.conf
info "Removing custom DNS resolvers from vpnclient"
rm -f /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient
mv "${resolvconf}.ynh" "${resolvconf}"
# FIXME : this situation happened to a user ...
# We could try to force regen the dns conf
# (though for now it's tightly coupled to dnsmasq)
grep -q "^nameserver" "${resolvconf}" || error "${resolvconf} does not have any nameserver line !?"
}
###################################################################################
# Firewall rules management #
###################################################################################
is_firewall_set() {
wired_device=${1}
ip6tables -w -nvL OUTPUT | grep vpnclient_out | grep -q "${wired_device}"\
&& iptables -w -nvL OUTPUT | grep vpnclient_out | grep -q "${wired_device}"
}
set_firewall() {
info "Adding vpnclient custom rules to the firewall"
wired_device=${1}
cp /etc/yunohost/hooks.d/{90-vpnclient.tpl,post_iptable_rules/90-vpnclient}
sed "s|<TPL:SERVER_NAME>|${ynh_server_name}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
sed "s|<TPL:SERVER_PORT>|${ynh_server_port}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
sed "s|<TPL:PROTO>|${ynh_server_proto}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
sed "s|<TPL:WIRED_DEVICE>|${wired_device}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
sed "s|<TPL:DNS0>|${ynh_dns0}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
sed "s|<TPL:DNS1>|${ynh_dns1}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
info "Restarting yunohost firewall..."
yunohost firewall reload && success "Firewall restarted!"
}
unset_firewall() {
info "Cleaning vpnclient custom rules from the firewall"
rm -f /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
info "Restarting yunohost firewall..."
yunohost firewall reload && success "Firewall restarted!"
}
###################################################################################
# Time sync #
###################################################################################
sync_time() {
info "Now synchronizing time using ntp..."
systemctl stop ntp
timeout 20 ntpd -qg &> /dev/null
# Some networks drop ntp port (udp 123).
# Try to get the date with an http request on the internetcube web site
if [ $? -ne 0 ]; then
info "ntp synchronization failed, falling back to curl method"
http_date=`curl -sD - labriqueinter.net | grep '^Date:' | cut -d' ' -f3-6`
http_date_seconds=`date -d "${http_date}" +%s`
curr_date_seconds=`date +%s`
# Set the new date if it's greater than the current date
# So it does if 1970 year or if old fake-hwclock date is used
if [ $http_date_seconds -ge $curr_date_seconds ]; then
date -s "${http_date}"
fi
fi
systemctl start ntp
}
###################################################################################
# OpenVPN client start/stop procedures #
###################################################################################
is_openvpn_running() {
systemctl is-active openvpn@client.service &> /dev/null
}
start_openvpn() { start_openvpn() {
ip6_gw=${1} ip6_gw=${1}
server_ip6=${2} server_ip6=${2}
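Review bot: `sync_time` sets the clock from an unauthenticated `Date:` header fetched over plain HTTP (`curl -sD - labriqueinter.net`); the `-ge` guard only stops the clock moving backwards, so an on-path party can still push it forward, which breaks certificate validity checks for the VPN itself. At minimum bound the accepted jump and guard the empty case: when curl fails, `http_date` is empty and `date -d ""` yields today's midnight, and garbage makes `http_date_seconds` empty so the `[ ... -ge ... ]` test errors out. `unset_dns` should also check that `${resolvconf}.ynh` exists before the `mv`, otherwise the dhclient hook is removed while the resolver configuration is left untouched.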
@@ -254,10 +132,9 @@ start_openvpn() {
# Unset firewall to let DNS and NTP resolution works # Unset firewall to let DNS and NTP resolution works
# Firewall is reset after vpn is mounted (more details on #1016) # Firewall is reset after vpn is mounted (more details on #1016)
unset_firewall unset_firewall
sync_time sync_time
info "Preparing openvpn configuration..."
cp /etc/openvpn/client.conf{.tpl,} cp /etc/openvpn/client.conf{.tpl,}
sed "s|<TPL:SERVER_NAME>|${ynh_server_name}|g" -i /etc/openvpn/client.conf sed "s|<TPL:SERVER_NAME>|${ynh_server_name}|g" -i /etc/openvpn/client.conf
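Review bot: `unset_firewall` runs before `sync_time` and before OpenVPN is started, so from this point until the rules are re-applied the host is on the bare uplink with no VPN-only policy (the comment points to #1016 for the reason); rather than removing all rules, allow only the DNS, NTP and HTTP flows that `sync_time` and the OpenVPN handshake need during that window, and make sure every early-exit path restores the rules.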
@@ -288,51 +165,61 @@ start_openvpn() {
sed 's|^<TPL:LOGIN_COMMENT>||' -i /etc/openvpn/client.conf sed 's|^<TPL:LOGIN_COMMENT>||' -i /etc/openvpn/client.conf
fi fi
info "Now actually starting OpenVPN client..."
systemctl start openvpn@client.service systemctl start openvpn@client.service
}
if [ ! $? -eq 0 ] ## Unsetters
then
tail -n 20 /var/log/openvpn-client.log | tee -a $LOGFILE
critical "Failed to start OpenVPN :/"
else
info "OpenVPN client started ... waiting for tun0 interface to show up"
fi
for attempt in $(seq 0 20) unset_ip6addr() {
do ip address delete "${ynh_ip6_addr}/128" dev tun0
sleep 1 }
if ip link show dev tun0 &> /dev/null
then unset_firewall() {
success "tun0 interface is up!" rm -f /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
return 0 yunohost firewall reload
fi }
done
unset_serverip6route() {
error "Tun0 interface did not show up ... most likely an issue happening in OpenVPN client ... below is an extract of the log that might be relevant to pinpoint the issue" server_ip6=${1}
tail -n 20 /var/log/openvpn-client.log | tee -a $LOGFILE ip6_gw=${2}
stop_openvpn wired_device=${3}
critical "Failed to start OpenVPN client : tun0 interface did not show up"
ip route delete "${server_ip6}/128" via "${ip6_gw}" dev "${wired_device}"
}
unset_dns() {
resolvconf=/etc/resolv.conf
[ -e /etc/resolv.dnsmasq.conf ] && resolvconf=/etc/resolv.dnsmasq.conf
rm -f /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient
mv "${resolvconf}.ynh" "${resolvconf}"
} }
stop_openvpn() { stop_openvpn() {
# FIXME : isn't openvpn@client ? (idk)
info "Stopping OpenVPN service"
systemctl stop openvpn.service systemctl stop openvpn.service
for attempt in $(seq 0 20)
do
if ip link show dev tun0 &> /dev/null
then
info "(Waiting for tun0 to disappear if it was up)"
sleep 1
fi
done
} }
################################################################################### ## Tools
# Yunohost settings interface #
################################################################################### sync_time() {
systemctl stop ntp
timeout 20 ntpd -qg &> /dev/null
# Some networks drop ntp port (udp 123).
# Try to get the date with an http request on the internetcube web site
if [ $? -ne 0 ]; then
http_date=`curl -sD - labriqueinter.net | grep '^Date:' | cut -d' ' -f3-6`
http_date_seconds=`date -d "${http_date}" +%s`
curr_date_seconds=`date +%s`
# Set the new date if it's greater than the current date
# So it does if 1970 year or if old fake-hwclock date is used
if [ $http_date_seconds -ge $curr_date_seconds ]; then
date -s "${http_date}"
fi
fi
systemctl start ntp
}
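Review bot: both failure paths in `start_openvpn` (`critical "Failed to start OpenVPN :/"` and the tun0 timeout that calls `stop_openvpn` then `critical`) exit after `unset_firewall` has already run, so a failed start leaves the system fail-open without the VPN-only firewall; call `set_firewall` (or install an `exit` trap) on those paths. `stop_openvpn` also stops `openvpn.service` while start uses `openvpn@client.service` (the FIXME in the hunk says as much), and its wait loop never `break`s once tun0 is gone, so it spins through all 21 iterations regardless.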
ynh_setting_get() { ynh_setting_get() {
app=${1} app=${1}
@@ -349,41 +236,36 @@ ynh_setting_set() {
yunohost app setting "${app}" "${setting}" -v "${value}" yunohost app setting "${app}" "${setting}" -v "${value}"
} }
###################################################################################
# The actual ynh vpnclient management thing #
###################################################################################
is_running() {
((has_nativeip6 && is_serverip6route_set "${new_server_ip6}") || ! has_nativeip6)\
&& ((! has_hotspot_app && has_ip6delegatedprefix && is_ip6addr_set) || has_hotspot_app || ! has_ip6delegatedprefix)\
&& is_dns_set && is_firewall_set && is_openvpn_running
}
if [ "$1" != restart ]; then if [ "$1" != restart ]; then
# Restart php-fpm at the first start (it needs to be restarted after the slapd start) # Restart php5-fpm at the first start (it needs to be restarted after the slapd start)
if [ ! -e /tmp/.ynh-vpnclient-boot ]; then if [ ! -e /tmp/.ynh-vpnclient-boot ]; then
touch /tmp/.ynh-vpnclient-boot touch /tmp/.ynh-vpnclient-boot
systemctl restart php7.0-fpm systemctl restart php5-fpm
fi fi
# Check configuration consistency # Check configuration consistency
if [[ ! "${1}" =~ stop ]]; then if [[ ! "${1}" =~ stop ]]; then
exitcode=0
if [ ! -e /etc/openvpn/keys/ca-server.crt ]; then if [ ! -e /etc/openvpn/keys/ca-server.crt ]; then
critical "You need a CA server (you can add it through the web admin)" echo "[WARN] You need a CA server (you can add it through the web admin)"
exitcode=1
fi fi
empty=$(find /etc/openvpn/keys/ -empty -name credentials &> /dev/null | wc -l) empty=$(find /etc/openvpn/keys/ -empty -name credentials &> /dev/null | wc -l)
if [ "${empty}" -gt 0 -a ! -e /etc/openvpn/keys/user.key ]; then if [ "${empty}" -gt 0 -a ! -e /etc/openvpn/keys/user.key ]; then
critical "You need either a client certificate, either a username, or both (you can add one through the web admin)" echo "[WARN] You need either a client certificate, either a username, or both (you can add one through the web admin)"
exitcode=1
fi fi
[ "${exitcode}" -ne 0 ] && exit ${exitcode}
fi fi
# Variables # Variables
info "Retrieving Yunohost settings... " echo -n "Retrieving Yunohost settings... "
ynh_service_enabled=$(ynh_setting_get vpnclient service_enabled) ynh_service_enabled=$(ynh_setting_get vpnclient service_enabled)
ynh_server_name=$(ynh_setting_get vpnclient server_name) ynh_server_name=$(ynh_setting_get vpnclient server_name)
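Review bot: `empty=$(find /etc/openvpn/keys/ -empty -name credentials &> /dev/null | wc -l)` redirects find's stdout to /dev/null before the pipe, so `wc -l` always reads nothing and `empty` is always 0; the `[ "${empty}" -gt 0 -a ! -e /etc/openvpn/keys/user.key ]` check can therefore never fire. Drop the `&> /dev/null` (use `2>/dev/null` if stderr noise is the concern). On the `echo "[WARN] ..."` side the message is labelled a warning yet sets `exitcode=1`, and it goes to stdout rather than stderr.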
@@ -403,210 +285,201 @@ if [ "$1" != restart ]; then
new_server_ip6=$(host "${ynh_server_name}" 2> /dev/null | awk '/IPv6/ { print $NF; }') new_server_ip6=$(host "${ynh_server_name}" 2> /dev/null | awk '/IPv6/ { print $NF; }')
if [ -z "${new_server_ip6}" ]; then if [ -z "${new_server_ip6}" ]; then
# FIXME wtf is this hardcoded IP ...
new_server_ip6=$(host "${ynh_server_name}" 80.67.188.188 2> /dev/null | awk '/IPv6/ { print $NF; }') new_server_ip6=$(host "${ynh_server_name}" 80.67.188.188 2> /dev/null | awk '/IPv6/ { print $NF; }')
fi fi
success "Settings retrieved" echo "OK"
fi fi
################################################################################### # Script
# Start / stop / restart / status handling #
###################################################################################
case "${1}" in case "${1}" in
# ########## #
# Starting #
# ########## #
start) start)
if is_running; then if is_running; then
info "Service is already running" echo "Already started"
exit 0
elif [ "${ynh_service_enabled}" -eq 0 ]; then elif [ "${ynh_service_enabled}" -eq 0 ]; then
warn "Service is disabled, not starting it" echo "Disabled service"
exit 0
fi
info "[vpnclient] Starting..."
touch /tmp/.ynh-vpnclient-started
# Run openvpn
if is_openvpn_running;
then
info "(openvpn is already running)"
else else
start_openvpn "${new_ip6_gw}" "${new_server_ip6}" echo "[vpnclient] Starting..."
touch /tmp/.ynh-vpnclient-started
# Run openvpn
if ! is_openvpn_running; then
echo "Run openvpn"
start_openvpn "${new_ip6_gw}" "${new_server_ip6}"
if [ ! $? -eq 0 ]; then
exit 1
fi
i=0; false || while [ $? -ne 0 ]; do
sleep 1 && (( i++ ))
[ ${i} -gt 20 ] && stop_openvpn
[ ${i} -gt 20 ] && exit 1
ip link show dev tun0 &> /dev/null
done
fi
# Check old state of the server ipv6 route
if [ ! -z "${old_server_ip6}" -a ! -z "${old_ip6_gw}" -a ! -z "${old_wired_device}"\
-a \( "${new_server_ip6}" != "${old_server_ip6}" -o "${new_ip6_gw}" != "${old_ip6_gw}"\
-o "${new_wired_device}" != "${old_wired_device}" \) ]\
&& is_serverip6route_set "${old_server_ip6}"; then
unset_serverip6route "${old_server_ip6}" "${old_ip6_gw}" "${old_wired_device}"
fi
# Set the new server ipv6 route
if has_nativeip6 && ! is_serverip6route_set "${new_server_ip6}"; then
echo "Set IPv6 server route"
set_serverip6route "${new_server_ip6}" "${new_ip6_gw}" "${new_wired_device}"
fi
# Set the ipv6 address
if ! has_hotspot_app && has_ip6delegatedprefix && ! is_ip6addr_set; then
echo "Set IPv6 address"
set_ip6addr
fi
# Set host DNS resolvers
if ! is_dns_set; then
echo "Set host DNS resolvers"
set_dns
fi
# Set ipv6/ipv4 firewall
if ! is_firewall_set "${new_wired_device}"; then
echo "Set IPv6/IPv4 firewall"
set_firewall "${new_wired_device}"
fi
# Update dynamic settings
ynh_setting_set vpnclient server_ip6 "${new_server_ip6}"
ynh_setting_set vpnclient ip6_gw "${new_ip6_gw}"
ynh_setting_set vpnclient wired_device "${new_wired_device}"
# Fix configuration
if has_hotspot_app && ! is_hotspot_knowme; then
ynh-hotspot start
fi
fi fi
# Check old state of the server ipv6 route
if [ ! -z "${old_server_ip6}" -a ! -z "${old_ip6_gw}" -a ! -z "${old_wired_device}"\
-a \( "${new_server_ip6}" != "${old_server_ip6}" -o "${new_ip6_gw}" != "${old_ip6_gw}"\
-o "${new_wired_device}" != "${old_wired_device}" \) ]\
&& is_serverip6route_set "${old_server_ip6}"
then
unset_serverip6route "${old_server_ip6}" "${old_ip6_gw}" "${old_wired_device}"
fi
# Set the new server ipv6 route
if has_nativeip6 && ! is_serverip6route_set "${new_server_ip6}"
then
set_serverip6route "${new_server_ip6}" "${new_ip6_gw}" "${new_wired_device}"
fi
# Set the ipv6 address
if ! has_hotspot_app && has_ip6delegatedprefix && ! is_ip6addr_set
then
set_ip6addr
fi
# Set host DNS resolvers
if ! is_dns_set
then
set_dns
fi
# Set ipv6/ipv4 firewall
if ! is_firewall_set "${new_wired_device}"
then
set_firewall "${new_wired_device}"
fi
# Update dynamic settings
info "Saving settings..."
ynh_setting_set vpnclient server_ip6 "${new_server_ip6}"
ynh_setting_set vpnclient ip6_gw "${new_ip6_gw}"
ynh_setting_set vpnclient wired_device "${new_wired_device}"
# Fix configuration
if has_hotspot_app && ! is_hotspot_knowme; then
info "Now starting the hotspot"
ynh-hotspot start
fi
success "YunoHost VPN client started!"
;; ;;
# ########## #
# Stopping #
# ########## #
stop) stop)
info "[vpnclient] Stopping..." echo "[vpnclient] Stopping..."
rm -f /tmp/.ynh-vpnclient-started rm -f /tmp/.ynh-vpnclient-started
if ! has_hotspot_app && has_ip6delegatedprefix && is_ip6addr_set; then if ! has_hotspot_app && has_ip6delegatedprefix && is_ip6addr_set; then
echo "Unset IPv6 address"
unset_ip6addr unset_ip6addr
fi fi
if is_serverip6route_set "${old_server_ip6}"; then if is_serverip6route_set "${old_server_ip6}"; then
echo "Unset IPv6 server route"
unset_serverip6route "${old_server_ip6}" "${old_ip6_gw}" "${old_wired_device}" unset_serverip6route "${old_server_ip6}" "${old_ip6_gw}" "${old_wired_device}"
fi fi
is_firewall_set "${old_wired_device}" && unset_firewall if is_firewall_set "${old_wired_device}"; then
echo "Unset IPv6/IPv4 firewall"
unset_firewall
fi
is_dns_set && unset_dns if is_dns_set; then
echo "Unset forced host DNS resolvers"
unset_dns
fi
is_openvpn_running && stop_openvpn if is_openvpn_running; then
echo "Stop openvpn"
stop_openvpn
i=0; true && while [ $? -eq 0 ]; do
sleep 1 && (( i++ ))
[ ${i} -gt 20 ] && exit 1
ip link show dev tun0 &> /dev/null
done
fi
# Fix configuration # Fix configuration
if has_hotspot_app && is_hotspot_knowme; then if has_hotspot_app && is_hotspot_knowme; then
info "Now starting the hotspot"
ynh-hotspot start ynh-hotspot start
fi fi
;; ;;
# ########## #
# Restart #
# ########## #
restart) restart)
$0 stop $0 stop
$0 start $0 start
;; ;;
# ########## #
# Status #
# ########## #
status) status)
exitcode=0 exitcode=0
if [ "${ynh_service_enabled}" -eq 0 ]; then if [ "${ynh_service_enabled}" -eq 0 ]; then
error "VPN Client Service disabled" echo "[ERR] VPN Client Service disabled"
exitcode=1 exitcode=1
fi fi
info "Autodetected internet interface: ${new_wired_device} (last start: ${old_wired_device})" echo "[INFO] Autodetected internet interface: ${new_wired_device} (last start: ${old_wired_device})"
info "Autodetected IPv6 address for the VPN server: ${new_server_ip6} (last start: ${old_server_ip6})" echo "[INFO] Autodetected IPv6 address for the VPN server: ${new_server_ip6} (last start: ${old_server_ip6})"
if has_ip6delegatedprefix; then if has_ip6delegatedprefix; then
info "IPv6 delegated prefix found" echo "[INFO] IPv6 delegated prefix found"
info "IPv6 address computed from the delegated prefix: ${ynh_ip6_addr}" echo "[INFO] IPv6 address computed from the delegated prefix: ${ynh_ip6_addr}"
if ! has_hotspot_app; then if ! has_hotspot_app; then
info "No Hotspot app detected" echo "[INFO] No Hotspot app detected"
if is_ip6addr_set; then if is_ip6addr_set; then
success "IPv6 address correctly set" echo "[OK] IPv6 address correctly set"
else else
error "No IPv6 address set" echo "[ERR] No IPv6 address set"
exitcode=1 exitcode=1
fi fi
else else
info "Hotspot app detected" echo "[INFO] Hotspot app detected"
info "No IPv6 address to set" echo "[INFO] No IPv6 address to set"
fi fi
else else
info "No IPv6 delegated prefix found" echo "[INFO] No IPv6 delegated prefix found"
fi fi
if has_nativeip6; then if has_nativeip6; then
info "Native IPv6 detected" echo "[INFO] Native IPv6 detected"
info "Autodetected native IPv6 gateway: ${new_ip6_gw} (last start: ${old_ip6_gw})" echo "[INFO] Autodetected native IPv6 gateway: ${new_ip6_gw} (last start: ${old_ip6_gw})"
if is_serverip6route_set "${new_server_ip6}"; then if is_serverip6route_set "${new_server_ip6}"; then
success "IPv6 server route correctly set" echo "[OK] IPv6 server route correctly set"
else else
error "No IPv6 server route set" echo "[ERR] No IPv6 server route set"
exitcode=1 exitcode=1
fi fi
else else
info "No native IPv6 detected" echo "[INFO] No native IPv6 detected"
info "No IPv6 server route to set" echo "[INFO] No IPv6 server route to set"
fi fi
if is_firewall_set "${new_wired_device}"; then if is_firewall_set "${new_wired_device}"; then
success "IPv6/IPv4 firewall set" echo "[OK] IPv6/IPv4 firewall set"
else else
info "No IPv6/IPv4 firewall set" echo "[ERR] No IPv6/IPv4 firewall set"
exitcode=1 exitcode=1
fi fi
if is_dns_set; then if is_dns_set; then
success "Host DNS correctly set" echo "[OK] Host DNS correctly set"
else else
error "No host DNS set" echo "[ERR] No host DNS set"
exitcode=1 exitcode=1
fi fi
if is_openvpn_running; then if is_openvpn_running; then
success "Openvpn is running" echo "[OK] Openvpn is running"
else else
error "Openvpn is not running" echo "[ERR] Openvpn is not running"
exitcode=1 exitcode=1
fi fi
exit ${exitcode} exit ${exitcode}
;; ;;
# ########## #
# Halp #
# ########## #
*) *)
echo "Usage: $0 {start|stop|restart|status}" echo "Usage: $0 {start|stop|restart|status}"
exit 1 exit 1
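Review bot: in the `start)` branch the new side drops both the return-code check on `start_openvpn` and the loop that waited for `tun0` to appear (old lines `if [ ! $? -eq 0 ]; then exit 1` and `ip link show dev tun0 &> /dev/null`), so `set_serverip6route`, `set_dns` and `set_firewall` now run right after openvpn is launched, possibly before the tunnel exists, and a failed launch still ends with `success "YunoHost VPN client started!"`; the matching wait in `stop)` is gone as well. Keep a bounded wait (poll `ip link show dev tun0` with the old 20-second cap) and bail out on a non-zero `start_openvpn`. Two smaller points: the `status)` branch reports "No IPv6/IPv4 firewall set" with `info` while setting `exitcode=1` (the old side used `[ERR]`; use `error` like the neighbouring checks), and the `# FIXME wtf is this hardcoded IP` fallback resolver `80.67.188.188` needs a real comment naming whose resolver it is, since the VPN server name is sent in cleartext to that third party whenever the local resolver returns no AAAA record.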

View File

@@ -86,7 +86,7 @@ ynh_service_enabled=$(ynh_setting vpnclient service_enabled)
# SSO login # SSO login
curl -D - -skLe "https://${ynh_domain}/yunohost/sso/" --data-urlencode "user=${ynh_user}" --data-urlencode "password=${ynh_password}" "https://${ynh_domain}/yunohost/sso/" --resolve "${ynh_domain}:443:127.0.0.1" -o /dev/null -c "${tmpdir}/cookies" 2> /dev/null | grep -q "set-cookie: SSOwAuthUser=${ynh_user}" curl -kLe "https://${ynh_domain}/yunohost/sso/" --data-urlencode "user=${ynh_user}" --data-urlencode "password=${ynh_password}" "https://${ynh_domain}/yunohost/sso/" --resolve "${ynh_domain}:443:127.0.0.1" -c "${tmpdir}/cookies" 2> /dev/null | grep -q Logout
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "[ERROR] SSO login failed" >&2 echo "[ERROR] SSO login failed" >&2
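Review bot: the login check `grep -q "set-cookie: SSOwAuthUser=${ynh_user}"` is case-sensitive on a header name that is case-insensitive on the wire (HTTP/1.1 servers commonly send `Set-Cookie:`, HTTP/2 lowercases it), so the SSO step can report failure depending on which protocol curl negotiates; use `grep -qi`. Separately, `--data-urlencode "password=${ynh_password}"` puts the admin password in curl's argv, visible in `ps` to every local user for the duration of the request; read it from a 0600 file instead (`--data-urlencode "password@${tmpdir}/pw"`).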
@@ -96,7 +96,7 @@ fi
# Upload cube file # Upload cube file
output=$(curl -kL -H "X-Requested-With: yunohost-config" -F "service_enabled=${ynh_service_enabled}" -F _method=put -F "cubefile=@${cubefile_path}" "https://${ynh_domain}/${ynh_path}/?/settings" --resolve "${ynh_domain}:443:127.0.0.1" -b "${tmpdir}/cookies" 2> /dev/null | grep RETURN_MSG | sed 's/<!-- RETURN_MSG -->//' | sed 's/<\/?[^>]\+>//g' | sed 's/^ \+//g') output=$(curl -kL -F "service_enabled=${ynh_service_enabled}" -F _method=put -F "cubefile=@${cubefile_path}" "https://${ynh_domain}/${ynh_path}/?/settings" --resolve "${ynh_domain}:443:127.0.0.1" -b "${tmpdir}/cookies" 2> /dev/null | grep RETURN_MSG | sed 's/<!-- RETURN_MSG -->//' | sed 's/<\/?[^>]\+>//g' | sed 's/^ \+//g')
# Configure IPv6 Delegated Prefix on Hotspot # Configure IPv6 Delegated Prefix on Hotspot
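Review bot: the upload still uses `-k`; that is tolerable only because `--resolve "${ynh_domain}:443:127.0.0.1"` pins the connection to localhost, and the reasoning belongs in a comment next to it. The result is scraped from the HTML around `RETURN_MSG` with no check of curl's exit status or the HTTP code, so a rejected request just yields an empty `output`; add `-f` or inspect `$?` before parsing.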

View File

@@ -2,24 +2,27 @@
"name": "VPN Client", "name": "VPN Client",
"id": "vpnclient", "id": "vpnclient",
"packaging_format": 1, "packaging_format": 1,
"version": "1.4.1",
"description": { "description": {
"en": "Tunnel the internet traffic through a VPN", "en": "VPN Client",
"fr": "Fais passer le traffic internet à travers un VPN" "fr": "Client VPN"
}, },
"url": "https://labriqueinter.net", "url": "https://github.com/labriqueinternet/vpnclient_ynh",
"version": "1.1.0",
"license": "AGPL-3.0", "license": "AGPL-3.0",
"maintainer": { "maintainer": {
"name": "pitchum", "name": "Julien Vaubourg",
"email": "pitchum@users.noreply.github.com" "email": "julien@vaubourg.com",
"url": "http://julien.vaubourg.com"
},
"requirements": {
"yunohost": ">= 2.2.0",
"moulinette": ">= 2.4.0"
}, },
"multi_instance": false, "multi_instance": false,
"requirements": {
"yunohost": ">= 3.2.0"
},
"services": [ "services": [
"nginx", "nginx",
"php7.0-fpm" "php5-fpm",
"ynh-vpnclient"
], ],
"arguments": { "arguments": {
"install": [ "install": [
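Review bot: `"version": "1.4.1"` carries no `~ynhN` suffix, but the helpers in `_common.sh` split the version on `~ynh` (`ynh_app_upstream_version` / `ynh_app_package_version`), so the package-version helper returns the whole string `1.4.1`; either adopt the `1.4.1~ynh1` form or document that the suffix is optional. Also, `ynh-vpnclient` was dropped from `services` while the install script still registers it with `yunohost service add`; if that is intentional (the app registers its own service), say so in the commit message or README.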

View File

@@ -1,48 +1,44 @@
#!/bin/bash #!/bin/bash
# #
# Common variables and helpers # Common variables
# #
pkg_dependencies="php7.0-fpm sipcalc dnsutils openvpn curl fake-hwclock" pkg_dependencies="php5-fpm sipcalc dnsutils openvpn curl fake-hwclock"
service_name="ynh-vpnclient"
service_checker_name=$service_name"-checker"
to_logs() { # Helper to start/stop/.. a systemd service from a yunohost context,
# *and* the systemd service itself needs to be able to run yunohost
# commands.
#
# Hence the need to release the lock during the operation
#
# usage : ynh_systemctl yolo restart
#
function ynh_systemctl()
{
local ACTION="$1"
local SERVICE="$2"
local LOCKFILE="/var/run/moulinette_yunohost.lock"
# When yunohost --verbose or bash -x # Launch the action
if $_ISVERBOSE; then sudo systemctl "$ACTION" "$SERVICE" &
cat local SYSCTLACTION=$!
else
cat > /dev/null
fi
}
# Experimental helpers # Save and release the lock...
# Cf. https://github.com/YunoHost-Apps/Experimental_helpers/blob/72b0bc77c68d4a4a2bf4e95663dbc05e4a762a0a/ynh_read_manifest/ynh_read_manifest cp $LOCKFILE $LOCKFILE.bkp.$$
read_json () { rm $LOCKFILE
python3 -c "import sys, json;print(json.load(open('$1'))['$2'])"
}
# Experimental helper # Wait for the end of the action
# Cf. https://github.com/YunoHost-Apps/Experimental_helpers/blob/72b0bc77c68d4a4a2bf4e95663dbc05e4a762a0a/ynh_read_manifest/ynh_read_manifest wait $SYSCTLACTION
read_manifest () {
if [ -f '../manifest.json' ] ; then
read_json '../manifest.json' "$1"
else
read_json '../settings/manifest.json' "$1"
fi
}
# Experimental helper # Make sure the lock is released...
# cf. https://github.com/YunoHost-Apps/Experimental_helpers/blob/master/ynh_abort_if_up_to_date/ynh_abort_if_up_to_date while [ -f $LOCKFILE ]
ynh_abort_if_up_to_date () { do
version=$(read_json "/etc/yunohost/apps/$YNH_APP_INSTANCE_NAME/manifest.json" 'version' 2> /dev/null || echo '20160501-7') sleep 0.1
last_version=$(read_manifest 'version') done
if [ "${version}" = "${last_version}" ]; then
ynh_print_info "Up-to-date, nothing to do" # Restore the old lock
ynh_die "" 0 mv $LOCKFILE.bkp.$$ $LOCKFILE
fi
} }
# Read the value of a key in a ynh manifest file # Read the value of a key in a ynh manifest file
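Review bot: `ynh_abort_if_up_to_date` is defined twice in this file: the experimental version here (built on `read_json`/`read_manifest`, with the `20160501-7` fallback) and the full version further down (built on `ynh_read_manifest`, with `YNH_FORCE_UPGRADE` support). In bash the later definition wins, so this copy and `read_manifest` are dead code; drop them and keep one helper. Two more things: `to_logs` tests `$_ISVERBOSE` unguarded, and with the variable unset `if $_ISVERBOSE; then` expands to an empty command that succeeds, so output is always passed through; use `${_ISVERBOSE:-false}`. And `read_json` interpolates its arguments into a `python3 -c` string (`open('$1')`, `['$2']`), so a path or key containing a quote breaks or alters the Python; pass them via `sys.argv` instead.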
@@ -51,9 +47,9 @@ ynh_abort_if_up_to_date () {
# | arg: manifest - Path of the manifest to read # | arg: manifest - Path of the manifest to read
# | arg: key - Name of the key to find # | arg: key - Name of the key to find
ynh_read_manifest () { ynh_read_manifest () {
manifest="$1" manifest="$1"
key="$2" key="$2"
python3 -c "import sys, json;print(json.load(open('$manifest', encoding='utf-8'))['$key'])" python3 -c "import sys, json;print(json.load(open('$manifest', encoding='utf-8'))['$key'])"
} }
# Read the upstream version from the manifest # Read the upstream version from the manifest
@@ -66,7 +62,7 @@ ynh_read_manifest () {
ynh_app_upstream_version () { ynh_app_upstream_version () {
manifest_path="../manifest.json" manifest_path="../manifest.json"
if [ ! -e "$manifest_path" ]; then if [ ! -e "$manifest_path" ]; then
manifest_path="../settings/manifest.json" # Into the restore script, the manifest is not at the same place manifest_path="../settings/manifest.json" # Into the restore script, the manifest is not at the same place
fi fi
version_key=$(ynh_read_manifest "$manifest_path" "version") version_key=$(ynh_read_manifest "$manifest_path" "version")
echo "${version_key/~ynh*/}" echo "${version_key/~ynh*/}"
@@ -82,7 +78,7 @@ ynh_app_upstream_version () {
ynh_app_package_version () { ynh_app_package_version () {
manifest_path="../manifest.json" manifest_path="../manifest.json"
if [ ! -e "$manifest_path" ]; then if [ ! -e "$manifest_path" ]; then
manifest_path="../settings/manifest.json" # Into the restore script, the manifest is not at the same place manifest_path="../settings/manifest.json" # Into the restore script, the manifest is not at the same place
fi fi
version_key=$(ynh_read_manifest "$manifest_path" "version") version_key=$(ynh_read_manifest "$manifest_path" "version")
echo "${version_key/*~ynh/}" echo "${version_key/*~ynh/}"
@@ -95,111 +91,26 @@ ynh_app_package_version () {
# #
# To force an upgrade, even if the package is up to date, # To force an upgrade, even if the package is up to date,
# you have to set the variable YNH_FORCE_UPGRADE before. # you have to set the variable YNH_FORCE_UPGRADE before.
# example: YNH_FORCE_UPGRADE=1 yunohost app upgrade MyApp # example: sudo YNH_FORCE_UPGRADE=1 yunohost app upgrade MyApp
# #
# usage: ynh_abort_if_up_to_date # usage: ynh_abort_if_up_to_date
ynh_abort_if_up_to_date () { ynh_abort_if_up_to_date () {
local force_upgrade=${YNH_FORCE_UPGRADE:-0} local force_upgrade=${YNH_FORCE_UPGRADE:-0}
local package_check=${PACKAGE_CHECK_EXEC:-0} local package_check=${PACKAGE_CHECK_EXEC:-0}
local version=$(ynh_read_manifest "/etc/yunohost/apps/$YNH_APP_INSTANCE_NAME/manifest.json" "version" || echo 1.0) local version=$(ynh_read_manifest "/etc/yunohost/apps/$YNH_APP_INSTANCE_NAME/manifest.json" "version" || echo 1.0)
local last_version=$(ynh_read_manifest "../manifest.json" "version" || echo 1.0) local last_version=$(ynh_read_manifest "../manifest.json" "version" || echo 1.0)
if [ "$version" = "$last_version" ] if [ "$version" = "$last_version" ]
then then
if [ "$force_upgrade" != "0" ] if [ "$force_upgrade" != "0" ]
then then
echo "Upgrade forced by YNH_FORCE_UPGRADE." >&2 echo "Upgrade forced by YNH_FORCE_UPGRADE." >&2
unset YNH_FORCE_UPGRADE unset YNH_FORCE_UPGRADE
elif [ "$package_check" != "0" ] elif [ "$package_check" != "0" ]
then then
echo "Upgrade forced for package check." >&2 echo "Upgrade forced for package check." >&2
else else
ynh_die "Up-to-date, nothing to do" 0 ynh_die "Up-to-date, nothing to do" 0
fi fi
fi fi
}
# Operations needed by both 'install' and 'upgrade' scripts
function vpnclient_deploy_files_and_services()
{
local domain=$1
local app=$2
local service_name=$3
local sysuser="${app}"
local service_checker_name="$service_name-checker"
# Ensure vpnclient_ynh has its own system user
if ! ynh_system_user_exists ${sysuser}
then
ynh_system_user_create ${sysuser}
fi
# Ensure the system user has enough permissions
install -b -o root -g root -m 0440 ../conf/sudoers.conf /etc/sudoers.d/${app}_ynh
ynh_replace_string "__VPNCLIENT_SYSUSER__" "${sysuser}" /etc/sudoers.d/${app}_ynh
# Install IPv6 scripts
install -o root -g root -m 0755 ../conf/ipv6_expanded /usr/local/bin/
install -o root -g root -m 0755 ../conf/ipv6_compressed /usr/local/bin/
# Install command-line cube file loader
install -o root -g root -m 0755 ../conf/$service_name-loadcubefile.sh /usr/local/bin/
# Copy confs
mkdir -pm 0755 /var/log/nginx/
chown root:${sysuser} /etc/openvpn/
chmod 775 /etc/openvpn/
mkdir -pm 0755 /etc/yunohost/hooks.d/post_iptable_rules/
install -b -o root -g ${sysuser} -m 0664 ../conf/openvpn_client.conf.tpl /etc/openvpn/client.conf.tpl
install -o root -g root -m 0644 ../conf/openvpn_client.conf.tpl /etc/openvpn/client.conf.tpl.restore
install -b -o root -g root -m 0755 ../conf/hook_post-iptable-rules /etc/yunohost/hooks.d/90-vpnclient.tpl
install -b -o root -g root -m 0644 ../conf/openvpn@.service /etc/systemd/system/
# Copy web sources
mkdir -pm 0755 /var/www/${app}/
cp -a ../sources/* /var/www/${app}/
chown -R root: /var/www/${app}/
chmod -R 0644 /var/www/${app}/*
find /var/www/${app}/ -type d -exec chmod +x {} \;
# Create certificates directory
mkdir -pm 0770 /etc/openvpn/keys/
chown root:${sysuser} /etc/openvpn/keys/
#=================================================
# NGINX CONFIGURATION
#=================================================
ynh_print_info "Configuring nginx web server..."
ynh_add_nginx_config
#=================================================
# PHP-FPM CONFIGURATION
#=================================================
ynh_print_info "Configuring php-fpm..."
ynh_add_fpm_config
#=================================================
# Fix sources
ynh_replace_string "__PATH__" "${path_url}" "/var/www/${app}/config.php"
# Copy init script
install -o root -g root -m 0755 ../conf/$service_name /usr/local/bin/
# Copy checker timer
install -o root -g root -m 0755 ../conf/$service_checker_name.sh /usr/local/bin/
install -o root -g root -m 0644 ../conf/$service_checker_name.timer /etc/systemd/system/
#=================================================
# SETUP SYSTEMD
#=================================================
ynh_print_info "Configuring a systemd service..."
ynh_add_systemd_config $service_name "$service_name.service"
ynh_add_systemd_config $service_checker_name "$service_checker_name.service"
} }
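Review bot: `ynh_replace_string "__VPNCLIENT_SYSUSER__" "${sysuser}" /etc/sudoers.d/${app}_ynh` rewrites a live sudoers drop-in with no syntax check; a bad substitution breaks `sudo` for the whole host. Template into a temporary file, run `visudo -cf` on it, and only then `install -m 0440` it into `/etc/sudoers.d/`. On the permissions: `chmod 775 /etc/openvpn/`, `install ... -g ${sysuser} -m 0664 ... client.conf.tpl` and the 0770 `keys/` directory give the `${sysuser}` account (the user the php-fpm pool presumably runs as after `ynh_add_fpm_config`) write access to a configuration that OpenVPN consumes as root, so together with the sudoers entry the web admin's user is root-equivalent by design; state that trust boundary in a comment so a later change does not widen it by accident. Minor: the function reads `${path_url}` as a global (`ynh_replace_string "__PATH__" "${path_url}" ...`) although it takes `domain`/`app`/`service_name` as parameters; pass it explicitly, or the upgrade caller must remember to set it.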

View File

@@ -1,83 +1,16 @@
#!/bin/bash #!/bin/bash
#=================================================
# GENERIC START
#=================================================
# IMPORT GENERIC HELPERS
#=================================================
source ../settings/scripts/_common.sh
source /usr/share/yunohost/helpers
#================================================= #=================================================
# MANAGE SCRIPT FAILURE # MANAGE SCRIPT FAILURE
#================================================= #=================================================
# Exit if an error occurs during the execution of the script ynh_abort_if_errors # Stop script if an error is detected
ynh_abort_if_errors
#================================================= #=================================================
# LOAD SETTINGS
#=================================================
ynh_print_info "Loading installation settings..."
app=$YNH_APP_INSTANCE_NAME backup_dir="${1}/apps/vpnclient"
mkdir -p "${backup_dir}/"
final_path=$(ynh_app_setting_get $app final_path) sudo cp -a /etc/openvpn/keys/ "${backup_dir}/"
domain=$(ynh_app_setting_get $app domain) sudo cp -a /etc/openvpn/client.conf.tpl "${backup_dir}/"
#=================================================
# STANDARD BACKUP STEPS
#=================================================
# BACKUP THE APP MAIN DIR
#=================================================
ynh_print_info "Backing up the main app directory..."
ynh_backup "$final_path"
ynh_backup "/etc/sudoers.d/${app}_ynh"
ynh_backup "/usr/local/bin/ipv6_expanded"
ynh_backup "/usr/local/bin/ipv6_compressed"
ynh_backup "/usr/local/bin/$service_name-loadcubefile.sh"
ynh_backup "/etc/yunohost/hooks.d/90-vpnclient.tpl"
ynh_backup "/etc/openvpn/client.conf.tpl"
ynh_backup "/etc/openvpn/client.conf.tpl.restore"
ynh_backup "/etc/openvpn/keys/"
ynh_backup "/usr/local/bin/$service_name"
ynh_backup "/usr/local/bin/$service_checker_name.sh"
#=================================================
# BACKUP THE NGINX CONFIGURATION
#=================================================
ynh_print_info "Backing up nginx web server configuration..."
ynh_backup "/etc/nginx/conf.d/$domain.d/$app.conf"
#=================================================
# BACKUP THE PHP-FPM CONFIGURATION
#=================================================
ynh_print_info "Backing up php-fpm configuration..."
ynh_backup "/etc/php/7.0/fpm/pool.d/$app.conf"
#=================================================
# SPECIFIC BACKUP
#=================================================
# BACKUP SYSTEMD
#=================================================
ynh_print_info "Backing up systemd configuration..."
ynh_backup "/etc/systemd/system/$service_name.service"
ynh_backup "/etc/systemd/system/$service_checker_name.service"
ynh_backup "/etc/systemd/system/$service_checker_name.timer"
ynh_backup "/etc/systemd/system/openvpn@.service"
#=================================================
# END OF SCRIPT
#=================================================
ynh_print_info "Backup script completed for $app. (YunoHost will then actually copy those files to the archive)."
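Review bot: `ynh_backup "/etc/openvpn/keys/"` pulls the client private key and the `credentials` file into the archive, and `ynh_backup "/etc/sudoers.d/${app}_ynh"` brings along a sudoers rule; that is the right set of files, but the restore side has to reinstall the sudoers file with mode 0440 (ideally after `visudo -cf`) and keep `keys/` at 0770 root:${sysuser}, otherwise a restored box ends up with a readable key directory or a drop-in that sudo refuses to load. A comment here stating those expectations would help whoever edits `restore`.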

View File

@@ -23,8 +23,8 @@
# IMPORT GENERIC HELPERS # IMPORT GENERIC HELPERS
#================================================= #=================================================
source /usr/share/yunohost/helpers
source _common.sh source _common.sh
source /usr/share/yunohost/helpers
#================================================= #=================================================
# MANAGE SCRIPT FAILURE # MANAGE SCRIPT FAILURE
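Review bot: sourcing `_common.sh` after `/usr/share/yunohost/helpers` means its definitions (`ynh_read_manifest`, `ynh_app_upstream_version`, `ynh_abort_if_up_to_date`) shadow any same-named helper that a newer YunoHost core ships; fine if intended, but add a comment saying so, or guard each with `if ! type ynh_abort_if_up_to_date &> /dev/null`.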
@@ -39,25 +39,29 @@ ynh_abort_if_errors
# Retrieve arguments # Retrieve arguments
domain=$YNH_APP_ARG_DOMAIN domain=$YNH_APP_ARG_DOMAIN
path_url=$(ynh_normalize_url_path "$YNH_APP_ARG_PATH") path_url=$YNH_APP_ARG_PATH
app=$YNH_APP_INSTANCE_NAME app=$YNH_APP_INSTANCE_NAME
final_path="/var/www/$app"
#================================================= #=================================================
# CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS # CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
#================================================= #=================================================
ynh_print_info "Validating installation parameters..."
# Check destination directory # Check destination directory
test ! -e "$final_path" || ynh_die "Path is already in use: ${final_path}." final_path="/var/www/$app"
test ! -e "$final_path" || ynh_die "This path already contains a folder"
# Normalize the url path syntax
path_url=$(ynh_normalize_url_path "$path_url")
# Check web path availability
ynh_webpath_available "$domain" "$path_url"
# Register (book) web path # Register (book) web path
ynh_webpath_register "$app" "$domain" "$path_url" ynh_webpath_register "$app" "$domain" "$path_url"
#================================================= #=================================================
# STORE SETTINGS FROM MANIFEST # STORE SETTINGS FROM MANIFEST
#================================================= #=================================================
ynh_print_info "Storing installation settings..."
ynh_app_setting_set "$app" domain "$domain" ynh_app_setting_set "$app" domain "$domain"
ynh_app_setting_set "$app" final_path "$final_path" ynh_app_setting_set "$app" final_path "$final_path"
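Review bot: the explicit `ynh_webpath_available "$domain" "$path_url"` check is dropped and only `ynh_webpath_register` remains; confirm that the register helper itself refuses an already-taken path on the YunoHost versions the manifest allows (`>= 3.2.0`), otherwise two apps can end up bound to the same URL. Moving `ynh_normalize_url_path` onto the argument line is fine.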
@@ -67,46 +71,125 @@ ynh_app_setting_set "$app" final_path "$final_path"
#================================================= #=================================================
# INSTALL DEPENDENCIES # INSTALL DEPENDENCIES
#================================================= #=================================================
ynh_print_info "Installing dependencies..."
ynh_install_app_dependencies "$pkg_dependencies" ynh_install_app_dependencies "$pkg_dependencies"
#================================================= #=================================================
# DEPLOY FILES FROM PACKAGE # SPECIFIC SETUP
#================================================= #=================================================
ynh_print_info "Deploy files from package..."
vpnclient_deploy_files_and_services "${domain}" "${app}" "${service_name}" # This is an upgrade?
upgrade=$([ -z ${VPNCLIENT_UPGRADE+x} ] && echo true || echo false)
if ! $upgrade; then
# Save arguments
ynh_app_setting_set $app service_enabled 0
ynh_app_setting_set $app server_name none
ynh_app_setting_set $app server_port 1194
ynh_app_setting_set $app server_proto udp
ynh_app_setting_set $app ip6_addr none
ynh_app_setting_set $app ip6_net none
ynh_app_setting_set $app login_user "${login_user}"
ynh_app_setting_set $app login_passphrase "${login_passphrase}"
ynh_app_setting_set $app dns0 89.234.141.66
ynh_app_setting_set $app dns1 2001:913::8
fi
# Install IPv6 scripts
sudo install -o root -g root -m 0755 ../conf/ipv6_expanded /usr/local/bin/
sudo install -o root -g root -m 0755 ../conf/ipv6_compressed /usr/local/bin/
# Install command-line cube file loader
sudo install -o root -g root -m 0755 ../conf/ynh-vpnclient-loadcubefile.sh /usr/local/bin/
# Copy confs
sudo mkdir -pm 0755 /var/log/nginx/
sudo chown root:admins /etc/openvpn/
sudo chmod 775 /etc/openvpn/
sudo mkdir -pm 0755 /etc/yunohost/hooks.d/post_iptable_rules/
sudo install -b -o root -g admins -m 0664 ../conf/openvpn_client.conf.tpl /etc/openvpn/client.conf.tpl
sudo install -o root -g root -m 0644 ../conf/openvpn_client.conf.tpl /etc/openvpn/client.conf.tpl.restore
sudo install -b -o root -g root -m 0644 ../conf/nginx_vpnadmin.conf "/etc/nginx/conf.d/${domain}.d/vpnadmin.conf"
sudo install -b -o root -g root -m 0644 ../conf/phpfpm_vpnadmin.conf /etc/php5/fpm/pool.d/vpnadmin.conf
sudo install -b -o root -g root -m 0755 ../conf/hook_post-iptable-rules /etc/yunohost/hooks.d/90-vpnclient.tpl
sudo install -b -o root -g root -m 0644 ../conf/openvpn@.service /etc/systemd/system/
# Copy web sources
sudo mkdir -pm 0755 /var/www/vpnadmin/
sudo cp -a ../sources/* /var/www/vpnadmin/
sudo chown -R root: /var/www/vpnadmin/
sudo chmod -R 0644 /var/www/vpnadmin/*
sudo find /var/www/vpnadmin/ -type d -exec chmod +x {} \;
# Create certificates directory
sudo mkdir -pm 0770 /etc/openvpn/keys/
sudo chown root:admins /etc/openvpn/keys/
#================================================= #=================================================
# RELOAD SERVICES # NGINX CONFIGURATION
#================================================= #=================================================
ynh_print_info "Reloading services..."
sudo sed "s|<TPL:NGINX_LOCATION>|${path_url}|g" -i "/etc/nginx/conf.d/${domain}.d/vpnadmin.conf"
sudo sed 's|<TPL:NGINX_REALPATH>|/var/www/vpnadmin/|g' -i "/etc/nginx/conf.d/${domain}.d/vpnadmin.conf"
sudo sed 's|<TPL:PHP_NAME>|vpnadmin|g' -i "/etc/nginx/conf.d/${domain}.d/vpnadmin.conf"
#=================================================
# PHP-FPM CONFIGURATION
#=================================================
sudo sed 's|<TPL:PHP_NAME>|vpnadmin|g' -i /etc/php5/fpm/pool.d/vpnadmin.conf
sudo sed 's|<TPL:PHP_USER>|admin|g' -i /etc/php5/fpm/pool.d/vpnadmin.conf
sudo sed 's|<TPL:PHP_GROUP>|admins|g' -i /etc/php5/fpm/pool.d/vpnadmin.conf
sudo sed 's|<TPL:NGINX_REALPATH>|/var/www/vpnadmin/|g' -i /etc/php5/fpm/pool.d/vpnadmin.conf
# Fix sources
sudo sed "s|<TPL:NGINX_LOCATION>|${path_url}|g" -i /var/www/vpnadmin/config.php
# Copy init script
sudo install -o root -g root -m 0755 ../conf/ynh-vpnclient /usr/local/bin/
sudo install -o root -g root -m 0644 ../conf/ynh-vpnclient.service /etc/systemd/system/
# Copy checker timer
sudo install -o root -g root -m 0755 ../conf/ynh-vpnclient-checker.sh /usr/local/bin/
sudo install -o root -g root -m 0644 ../conf/ynh-vpnclient-checker.service /etc/systemd/system/
sudo install -o root -g root -m 0644 ../conf/ynh-vpnclient-checker.timer /etc/systemd/system/
# Set default inits # Set default inits
# The boot order of these services are important, so they are disabled by default # The boot order of these services are important, so they are disabled by default
# and the vpnclient service handles them. # and the ynh-vpnclient service handles them.
systemctl disable openvpn sudo systemctl disable openvpn
systemctl stop openvpn sudo systemctl stop openvpn
systemctl restart php7.0-fpm sudo systemctl enable php5-fpm
systemctl reload nginx sudo systemctl restart php5-fpm
# main service sudo systemctl reload nginx
yunohost service add $service_name --description "Tunnels the internet traffic through a VPN" --need_lock sudo systemctl enable ynh-vpnclient
yunohost service enable $service_name sudo yunohost service add ynh-vpnclient
# checker service ynh_systemctl start ynh-vpnclient-checker.service
sudo systemctl enable ynh-vpnclient-checker.service
ynh_systemctl start ynh-vpnclient-checker.timer
sudo systemctl enable ynh-vpnclient-checker.timer
yunohost service add $service_checker_name --description "Makes sure that the VPN service is running" --need_lock if ! $upgrade; then
yunohost service start $service_checker_name ynh_systemctl start ynh-vpnclient
yunohost service enable $service_checker_name
systemctl start $service_checker_name.timer
systemctl enable $service_checker_name.timer
#================================================= # Check configuration consistency
# END OF SCRIPT
#================================================= if [ -z "${crt_server_ca_path}" ]; then
echo "WARNING: VPN Client is not started because you need to define a server CA through the web admin" >&2
fi
if [ -z "${crt_client_key_path}" -a -z "${login_user}" ]; then
echo "WARNING: VPN Client is not started because you need either a client certificate, either a username (or both)" >&2
fi
fi
sudo yunohost app ssowatconf
ynh_print_info "Installation of $app completed"
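Review bot: the `if ! $upgrade; then ... fi` block that seeded the app settings (`service_enabled 0`, `server_name none`, `server_port 1194`, `server_proto udp`, `ip6_addr`/`ip6_net`, `dns0`/`dns1`, `login_user`/`login_passphrase`) is removed and nothing in this hunk replaces it; `ynh-vpnclient` then reads `ynh_setting_get vpnclient service_enabled` and runs `[ "${ynh_service_enabled}" -eq 0 ]` on an empty string, which is a test error, not a disabled service. Either seed the defaults here or make the service script default empty settings. The post-install warnings about a missing server CA / client credentials were dropped too; the service script has an equivalent check, so at least point the user at it in the final `ynh_print_info`. Replacing the old `ynh_systemctl` lock dance with `yunohost service add ... --need_lock` is the right direction.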

View File

@@ -29,96 +29,37 @@ source /usr/share/yunohost/helpers
#================================================= #=================================================
# LOAD SETTINGS # LOAD SETTINGS
#================================================= #=================================================
ynh_print_info "Loading installation settings..."
app=$YNH_APP_INSTANCE_NAME app=$YNH_APP_INSTANCE_NAME
domain=$(ynh_app_setting_get $app domain) domain=$(ynh_app_setting_get $app domain)
#================================================= #=================================================
# STOP AND REMOVE SERVICES # The End
#================================================= ynh_systemctl stop ynh-vpnclient-checker.service
ynh_print_info "Stopping and removing services" sudo systemctl disable ynh-vpnclient-checker.service
ynh_systemctl stop ynh-vpnclient-checker.timer && sleep 1
sudo systemctl disable ynh-vpnclient-checker.timer
ynh_systemctl stop ynh-vpnclient
sudo systemctl disable ynh-vpnclient
sudo yunohost service remove ynh-vpnclient
sudo rm -f /etc/systemd/system/ynh-vpnclient* /usr/local/bin/ynh-vpnclient*
sudo rm -f /tmp/.ynh-vpnclient-*
yunohost service stop $service_checker_name # Remove confs
yunohost service disable $service_checker_name sudo rm -f /etc/openvpn/client.conf{.tpl,.tpl.restore,}
yunohost service remove $service_checker_name sudo rm -f /etc/nginx/conf.d/${domain}.d/vpnadmin.conf
systemctl stop $service_checker_name.timer && sleep 1 sudo rm -f /etc/php5/fpm/pool.d/vpnadmin.conf
systemctl disable $service_checker_name.timer sudo rm -f /etc/yunohost/hooks.d/90-vpnclient.tpl
sudo rm -f /etc/systemd/system/openvpn@.service
yunohost service stop $service_name # Remove certificates
yunohost service disable $service_name sudo rm -rf /etc/openvpn/keys/
yunohost service remove $service_name
for FILE in $(ls /etc/systemd/system/$service_name* /usr/local/bin/ynh-vpnclient* /tmp/.ynh-vpnclient-*)
do
ynh_secure_remove "$FILE"
done
#=================================================
# REMOVE NGINX CONFIGURATION
#=================================================
ynh_print_info "Removing nginx web server configuration"
# Remove the dedicated nginx config
ynh_remove_nginx_config
#=================================================
# REMOVE PHP-FPM CONFIGURATION
#=================================================
ynh_print_info "Removing php-fpm configuration"
# Remove the dedicated php-fpm config
ynh_remove_fpm_config
#=================================================
# SPECIFIC REMOVE
#================================================
ynh_print_info "Removing openvpn configuration"
# Remove openvpn configurations
ynh_secure_remove /etc/openvpn/client.conf
ynh_secure_remove /etc/openvpn/client.conf.tpl
ynh_secure_remove /etc/openvpn/client.conf.tpl.restore
# Remove YunoHost hook
ynh_secure_remove /etc/yunohost/hooks.d/90-vpnclient.tpl
# Remove openvpn service
ynh_secure_remove /etc/systemd/system/openvpn@.service
# Remove openvpn certificates
ynh_secure_remove /etc/openvpn/keys
#=================================================
# REMOVE DEPENDENCIES
#=================================================
ynh_print_info "Removing dependencies"
ynh_remove_app_dependencies
# Remove sources
ynh_secure_remove "/var/www/${app}"
# Reload systemd configuration
systemctl daemon-reload
# Restart services # Restart services
# (this must happen before deleting the user, otherwise the user is sudo systemctl restart php5-fpm
# being used by one of the php pool process) sudo systemctl reload nginx
systemctl restart php7.0-fpm
systemctl reload nginx
#================================================= # Remove sources
# REMOVE DEDICATED USER sudo rm -rf /var/www/vpnadmin/
#=================================================
ynh_print_info "Removing the dedicated system user"
# Delete a system user
ynh_system_user_delete ${app}
ynh_secure_remove "/etc/sudoers.d/${app}_ynh"
#=================================================
# END OF SCRIPT
#=================================================
ynh_print_info "Removal of $app completed"
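Review bot: `for FILE in $(ls /etc/systemd/system/$service_name* /usr/local/bin/ynh-vpnclient* /tmp/.ynh-vpnclient-*)` word-splits the output of `ls`, and when one pattern matches nothing `ls` prints an error and the literal pattern is handed to `ynh_secure_remove`; iterate the globs directly instead, with `shopt -s nullglob` set: `for FILE in /etc/systemd/system/$service_name* /usr/local/bin/ynh-vpnclient* /tmp/.ynh-vpnclient-*; do`. Separately, only the left-hand column removes `/etc/sudoers.d/${app}_ynh` and restarts php-fpm before `ynh_system_user_delete ${app}` (the comment gives the reason); the right-hand `sudo rm -f` list has no sudoers cleanup, so make sure the merged script keeps that removal, since a sudoers fragment left behind for a deleted user name becomes live again if a user of that name is ever recreated.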


@@ -1,12 +1,15 @@
#!/bin/bash #!/bin/bash
#=================================================
# GENERIC START
#================================================= #=================================================
# IMPORT GENERIC HELPERS # IMPORT GENERIC HELPERS
#================================================= #=================================================
source ../settings/scripts/_common.sh if [ ! -e _common.sh ]; then
# Fetch helpers file if not in current directory
cp ../settings/scripts/_common.sh ./_common.sh
chmod a+rx _common.sh
fi
source _common.sh
source /usr/share/yunohost/helpers source /usr/share/yunohost/helpers
#================================================= #=================================================
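Review bot: `chmod a+rx _common.sh` in the right-hand column is unnecessary and widens permissions: `source` only needs the file to be readable by the invoking user, not executable or world-accessible, so drop the `chmod` (or use `chmod u+r`). The left-hand `source ../settings/scripts/_common.sh` avoids the copy into the working directory altogether and is the simpler option if that relative path is reliable when restore runs.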
@@ -16,121 +19,21 @@ source /usr/share/yunohost/helpers
# Exit if an error occurs during the execution of the script # Exit if an error occurs during the execution of the script
ynh_abort_if_errors ynh_abort_if_errors
#================================================= backup_dir="${1}/apps/vpnclient"
# LOAD SETTINGS
#=================================================
ynh_print_info "Loading settings..."
app=$YNH_APP_INSTANCE_NAME sudo mkdir -p /etc/openvpn/
sudo cp -a "${backup_dir}/keys/" /etc/openvpn/
sudo cp -a "${backup_dir}/client.conf.tpl" /etc/openvpn/
sudo chown -R root:admins /etc/openvpn/keys/
domain=$(ynh_app_setting_get $app domain) gitcommit=$(sudo grep revision /etc/yunohost/apps/vpnclient/status.json | sed 's/.*"revision": "\([^"]\+\)".*/\1/')
path_url=$(ynh_app_setting_get $app path) tmpdir=$(mktemp -dp /tmp/ vpnclient-restore-XXXXX)
final_path=$(ynh_app_setting_get $app final_path)
#================================================= git clone https://github.com/labriqueinternet/vpnclient_ynh.git "${tmpdir}/"
# CHECK IF THE APP CAN BE RESTORED git --work-tree "${tmpdir}/" --git-dir "${tmpdir}/.git/" reset --hard "${gitcommit}"
#=================================================
ynh_print_info "Validating restoration parameters..."
ynh_webpath_available $domain $path_url \ cd "${tmpdir}/scripts/"
|| ynh_die "Path not available: ${domain}${path_url}" bash ./upgrade
test ! -d $final_path \
|| ynh_die "There is already a directory: $final_path "
#================================================= sudo rm -r "${tmpdir}/"
# STANDARD RESTORATION STEPS
#=================================================
# RESTORE THE NGINX CONFIGURATION
#=================================================
ynh_restore_file "/etc/nginx/conf.d/$domain.d/$app.conf"
#=================================================
# RESTORE THE APP MAIN DIR
#=================================================
ynh_print_info "Restoring the app main directory..."
ynh_restore_file "$final_path"
ynh_restore_file "/etc/sudoers.d/${app}_ynh"
ynh_restore_file "/usr/local/bin/ipv6_expanded"
ynh_restore_file "/usr/local/bin/ipv6_compressed"
ynh_restore_file "/usr/local/bin/$service_name-loadcubefile.sh"
ynh_restore_file "/etc/yunohost/hooks.d/90-vpnclient.tpl"
ynh_restore_file "/etc/openvpn/client.conf.tpl"
ynh_restore_file "/etc/openvpn/client.conf.tpl.restore"
ynh_restore_file "/etc/openvpn/keys/"
ynh_restore_file "/usr/local/bin/$service_name"
ynh_restore_file "/usr/local/bin/$service_checker_name.sh"
#=================================================
# RECREATE THE DEDICATED USER
#=================================================
ynh_print_info "Recreating the dedicated system user..."
# Create the dedicated user (if not existing)
ynh_system_user_create $app
#=================================================
# RESTORE USER RIGHTS
#=================================================
# Restore permissions on app files
chown -R $app: $final_path
#=================================================
# RESTORE THE PHP-FPM CONFIGURATION
#=================================================
ynh_restore_file "/etc/php/7.0/fpm/pool.d/$app.conf"
#=================================================
# SPECIFIC RESTORATION
#=================================================
# REINSTALL DEPENDENCIES
#=================================================
ynh_print_info "Reinstalling dependencies..."
# Define and install dependencies
ynh_install_app_dependencies "$pkg_dependencies"
#=================================================
# RESTORE SYSTEMD
#=================================================
ynh_print_info "Restoring the systemd configuration..."
ynh_restore_file "/etc/systemd/system/$service_name.service"
ynh_restore_file "/etc/systemd/system/$service_checker_name.service"
ynh_restore_file "/etc/systemd/system/$service_checker_name.timer"
ynh_restore_file "/etc/systemd/system/openvpn@.service"
systemctl daemon-reload
systemctl enable "$service_name.service"
systemctl enable "$service_checker_name.service"
systemctl enable "openvpn@.service"
#=================================================
# ADVERTISE SERVICE IN ADMIN PANEL
#=================================================
yunohost service add $service_name --description "Tunnels the internet traffic through a VPN" --need_lock
yunohost service add $service_checker_name --description "Makes sure that the VPN service is running" --need_lock
#=================================================
# GENERIC FINALIZATION
#=================================================
# RELOAD NGINX AND PHP-FPM
#=================================================
ynh_print_info "Reloading nginx web server and php-fpm..."
systemctl restart php7.0-fpm
systemctl reload nginx
#=================================================
# END OF SCRIPT
#=================================================
ynh_print_info "Restoration completed for $app"
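Review bot: the right-hand restore does not restore the application from the backup at all: it extracts a commit id from `/etc/yunohost/apps/vpnclient/status.json` with `grep`/`sed`, runs `git clone https://github.com/labriqueinternet/vpnclient_ynh.git` and `git reset --hard "${gitcommit}"`, then executes `bash ./upgrade` from the clone. A restore therefore depends on network access and on the remote repository still serving that commit, and if the `sed` pattern does not match, `gitcommit` is empty and `reset --hard ""` runs. If this path is kept, check `[ -n "${gitcommit}" ]` before the reset and parse the JSON with a real parser (`python3 -c` or `jq`) rather than `sed`; the left-hand column's `ynh_restore_file` calls for `$final_path`, the systemd units and `/etc/openvpn/keys/` are the offline approach and should be preferred. Also, `sudo chown -R root:admins /etc/openvpn/keys/` makes `admins` the group owner of the client private key directory; check the mode bits so the key is not group-readable unless that is intended.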


@@ -9,10 +9,16 @@
source _common.sh source _common.sh
source /usr/share/yunohost/helpers source /usr/share/yunohost/helpers
#=================================================
# MANAGE SCRIPT FAILURE
#=================================================
# Exit if an error occurs during the execution of the script
ynh_abort_if_errors
#================================================= #=================================================
# LOAD SETTINGS # LOAD SETTINGS
#================================================= #=================================================
ynh_print_info "Loading installation settings..."
app=$YNH_APP_INSTANCE_NAME app=$YNH_APP_INSTANCE_NAME
@@ -20,115 +26,44 @@ domain=$(ynh_app_setting_get $app domain)
path_url=$(ynh_app_setting_get $app path) path_url=$(ynh_app_setting_get $app path)
is_public=$(ynh_app_setting_get $app is_public) is_public=$(ynh_app_setting_get $app is_public)
final_path=$(ynh_app_setting_get $app final_path) final_path=$(ynh_app_setting_get $app final_path)
server_name=$(ynh_app_setting_get $app server_name)
#================================================= #=================================================
# SPECIAL UPGRADE FOR VERSIONS < 1.2.0 # CHECK VERSION
#================================================= #=================================================
# Apply renaming that occured in v1.2.0 ("vpnadmin" -> "${app}") ynh_abort_if_up_to_date
if [ -f /etc/nginx/conf.d/${domain}.d/vpnadmin.conf ]; then
ynh_replace_string "/var/www/vpnadmin/" "/var/www/${app}/" "/etc/nginx/conf.d/${domain}.d/vpnadmin.conf" #=================================================
ynh_replace_string "vpnadmin.sock" "${app}.sock" "/etc/nginx/conf.d/${domain}.d/vpnadmin.conf"
mv /etc/nginx/conf.d/${domain}.d/vpnadmin.conf /etc/nginx/conf.d/${domain}.d/${app}.conf
sudo mkdir -m 0700 -p /var/cache/labriqueinternet/vpnclient/
sudo tar czf "/var/cache/labriqueinternet/vpnclient/rollback_$(date +%Y-%m-%d-%H%M%S).tgz" /etc/openvpn/ /etc/yunohost/apps/vpnclient/ &> /dev/null
tmpdir=$(mktemp -dp /tmp/ vpnclient-upgrade-XXXXX)
sudo cp -a /etc/yunohost/apps/vpnclient/settings.yml "${tmpdir}/"
sudo cp -a /etc/openvpn/keys/ "${tmpdir}/"
if [ ! -e /etc/openvpn/client.conf.tpl.restore ] || ! cmp -s /etc/openvpn/client.conf.tpl{,.restore}; then
sudo cp -a /etc/openvpn/client.conf.tpl "${tmpdir}/"
fi fi
if [ -f /etc/php5/fpm/pool.d/vpnadmin.conf ]; then export VPNCLIENT_UPGRADE=1
ynh_replace_string "/var/www/vpnadmin/" "/var/www/${app}/" /etc/php5/fpm/pool.d/vpnadmin.conf sudo bash /etc/yunohost/apps/vpnclient/scripts/remove &> /dev/null
ynh_replace_string "vpnadmin.sock" "${app}.sock" /etc/php5/fpm/pool.d/vpnadmin.conf bash ./install "${domain}" "${path}" "${server_name}"
mv /etc/php5/fpm/pool.d/vpnadmin.conf /etc/php/7.0/fpm/pool.d/${app}.conf
sudo rmdir /etc/openvpn/keys/
sudo cp -a "${tmpdir}/keys/" /etc/openvpn/keys/
sudo cp -a "${tmpdir}/settings.yml" /etc/yunohost/apps/vpnclient/
sudo cp -a "${tmpdir}/client.conf.tpl" /etc/openvpn/ 2> /dev/null
sudo rm -r "${tmpdir}/"
# Changes
if [ -z "$(ynh_setting vpnclient dns0)" ]; then
sudo yunohost app setting vpnclient dns0 -v 89.234.141.66
sudo yunohost app setting vpnclient dns1 -v 2001:913::8
fi fi
if [ -d /var/www/vpnadmin ]; then ynh_systemctl start ynh-vpnclient
mv /var/www/vpnadmin /var/www/${app}
fi
## Versions known to have a buggy backup script
#buggy_versions="1.0.0 1.0.1 1.1.0"
#curr_version=$(read_manifest version)
#if echo $buggy_versions | grep -w $curr_version > /dev/null; then
# echo "Your current version of ${app} is very old: ${curr_version}. Please ignore the next warning." >&2
#fi
#
##=================================================
## BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
##=================================================
#
#ynh_backup_before_upgrade
#ynh_clean_setup () {
# ynh_restore_upgradebackup
#}
## Exit if an error occurs during the execution of the script
ynh_abort_if_errors
#=================================================
# DO UPGRADE
#=================================================
# INSTALL DEPENDENCIES
#=================================================
ynh_print_info "Installing dependencies..."
ynh_install_app_dependencies "$pkg_dependencies"
#=================================================
# DEPLOY FILES FROM PACKAGE
#=================================================
# Keep a copy of existing config files before overwriting them
tmpdir=$(mktemp -d /tmp/vpnclient-upgrade-XXX)
cp -r /etc/openvpn/client* ${tmpdir}
# Deploy files from package
vpnclient_deploy_files_and_services "${domain}" "${app}" "${service_name}"
# Restore previously existing config files
cp -r ${tmpdir}/client* /etc/openvpn/
ynh_secure_remove ${tmpdir}
#=================================================
# RELOAD RELEVANT SERVICES
#=================================================
ynh_print_info "Reload services..."
systemctl reload php7.0-fpm
systemctl reload nginx
### Make sure that the yunohost services have a description and need-lock enabled
# main service
yunohost service add $service_name --description "Tunnels the internet traffic through a VPN" --need_lock
# checker service
yunohost service add $service_checker_name --description "Makes sure that the VPN service is running" --need_lock
# Reload systemd configuration
systemctl daemon-reload
### Restart services
# restart main service if needed
if systemctl is-active $service_name >/dev/null;
then
yunohost service restart $service_name
fi
# restart checker service if needed
if systemctl is-active $service_checker_name >/dev/null;
then
yunohost service restart $service_checker_name
fi
# restart checker service timer
if systemctl is-active $service_name.timer >/dev/null;
then
yunohost service restart $service_checker_name.timer
fi
#=================================================
# END OF SCRIPT
#=================================================
ynh_print_info "Upgrade of $app completed"
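Review bot: in the right-hand column `bash ./install "${domain}" "${path}" "${server_name}"` passes `${path}`, but the setting loaded above is `path_url=$(ynh_app_setting_get $app path)`; unless `path` is set somewhere not shown, install receives an empty path argument, so use `"${path_url}"`. In the left-hand column the last restart block tests one unit and restarts another: `if systemctl is-active $service_name.timer` should test `$service_checker_name.timer`, the unit that `yunohost service restart $service_checker_name.timer` acts on. Finally, the right-hand column runs the old remove script and the rollback `tar czf ... /etc/openvpn/ /etc/yunohost/apps/vpnclient/` with `&> /dev/null`, so a failure to write the rollback archive (which holds the OpenVPN private keys and relies on the `mkdir -m 0700` cache directory for protection) goes unnoticed; keep stderr at least.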


@@ -1,19 +1,19 @@
<?php <?php
/* VPN Client app for YunoHost /* VPN Client app for YunoHost
* Copyright (C) 2015 Julien Vaubourg <julien@vaubourg.com> * Copyright (C) 2015 Julien Vaubourg <julien@vaubourg.com>
* Contribute at https://github.com/labriqueinternet/vpnclient_ynh * Contribute at https://github.com/labriqueinternet/vpnclient_ynh
* *
* This program is free software: you can redistribute it and/or modify * This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by * it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or * the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version. * (at your option) any later version.
* *
* This program is distributed in the hope that it will be useful, * This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of * but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details. * GNU Affero General Public License for more details.
* *
* You should have received a copy of the GNU Affero General Public License * You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>. * along with this program. If not, see <http://www.gnu.org/licenses/>.
*/ */
@@ -22,11 +22,11 @@
function configure() { function configure() {
option('env', ENV_PRODUCTION); option('env', ENV_PRODUCTION);
option('debug', false); option('debug', false);
option('base_uri', '__PATH__/'); option('base_uri', '<TPL:NGINX_LOCATION>/');
layout('layout.html.php'); layout('layout.html.php');
define('PUBLIC_DIR', '__PATH__/public'); define('PUBLIC_DIR', '<TPL:NGINX_LOCATION>/public');
} }
// Before routing // Before routing
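Review bot: the two columns use different placeholders for the same two values in `option('base_uri', ...)` and `define('PUBLIC_DIR', ...)`: `__PATH__` on the left and `<TPL:NGINX_LOCATION>` on the right. The token must match whatever substitution the install/upgrade script performs; otherwise the literal placeholder lands in `base_uri` and every route and asset path breaks. Settle on one convention and add a post-deploy check that neither token remains in the installed file.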


@@ -117,11 +117,6 @@ dispatch('/', function() {
}); });
dispatch_put('/settings', function() { dispatch_put('/settings', function() {
if(!isset($_SERVER['HTTP_X_REQUESTED_WITH'])) {
throw new Exception('CSRF protection');
}
$service_enabled = isset($_POST['service_enabled']) ? 1 : 0; $service_enabled = isset($_POST['service_enabled']) ? 1 : 0;
if($service_enabled == 1) { if($service_enabled == 1) {
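Review bot: the `HTTP_X_REQUESTED_WITH` check guarding `dispatch_put('/settings', ...)` exists only in the left-hand column and is the only CSRF defence visible for the settings endpoint, so the merge must keep it, together with the matching `$.ajax` call in the JavaScript that sets `'X-Requested-With': 'jQuery'` (a plain `$('#form').submit()` would be rejected with `Exception('CSRF protection')`). Requiring a custom header is a reasonable baseline because browsers will not send it cross-origin without a CORS preflight; a per-session token carried in the form is the stronger option to move to.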


@@ -28,7 +28,7 @@ function tabsClick() {
return false; return false;
} }
function ready() { $(document).ready(function() {
$('.btn-group').button(); $('.btn-group').button();
$('[data-toggle="tooltip"]').tooltip(); $('[data-toggle="tooltip"]').tooltip();
@@ -73,29 +73,11 @@ function ready() {
$(choosertxtid).val($(this).val().replace(/^.*[\/\\]/, '')); $(choosertxtid).val($(this).val().replace(/^.*[\/\\]/, ''));
}); });
$('#form').on("submit", function(event) { $('#save').click(function() {
event.preventDefault() $(this).prop('disabled', true);
$('#save').prop('disabled', true);
$('#save-loading').show(); $('#save-loading').show();
$.ajax({ $('#form').submit();
url: this.action, });
type: this.method,
contentType: false,
processData: false,
cache: false,
data: new FormData(this),
headers: {
'X-Requested-With': 'jQuery',
},
timeout: 5000,
dataType: "html",
// success: function() {}, // XXX will never happen because the VPN connection will be restarted after the form is posted.
complete: function() {
console.log("Forcing page reload after a few seconds...");
setTimeout(function() {document.location.reload();}, 45000)
},
});
})
$('#status .close').click(function() { $('#status .close').click(function() {
$(this).parent().hide(); $(this).parent().hide();
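Review bot: in the left-hand `$.ajax` call the `complete:` handler unconditionally schedules `document.location.reload()` after 45 s and there is no `error:` handler, so a 4xx/5xx response (the server's `CSRF protection` exception, or any validation error) is silently discarded and the user only sees the page reload with the previous settings. Add an `error:` callback that shows the response in `#status` and skips the reload in that case. Minor: `event.preventDefault()` and the `setTimeout(...)` call lack their trailing semicolons, and `timeout: 5000` followed by a forced reload 45 s later deserves a comment explaining the expected connection drop that the `XXX` comment alludes to.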
@@ -128,6 +110,4 @@ function ready() {
$('.enabled').show('slow'); $('.enabled').show('slow');
} }
}); });
} });
$(document).ready(ready)


@@ -200,7 +200,7 @@
<div class="form-group"> <div class="form-group">
<label for="login_passphrase" class="col-sm-3 control-label"><?= _('Password') ?></label> <label for="login_passphrase" class="col-sm-3 control-label"><?= _('Password') ?></label>
<div class="col-sm-9"> <div class="col-sm-9">
<input type="password" data-toggle="tooltip" data-title="<?= _('Leave empty if not necessary') ?>" class="form-control" name="login_passphrase" id="login_passphrase" placeholder="XVCwSbDkxnqQ" value="<?= $login_passphrase ?>" /> <input type="text" data-toggle="tooltip" data-title="<?= _('Leave empty if not necessary') ?>" class="form-control" name="login_passphrase" id="login_passphrase" placeholder="XVCwSbDkxnqQ" value="<?= $login_passphrase ?>" />
</div> </div>
</div> </div>
</div> </div>
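Review bot: the right-hand column changes the `login_passphrase` input from `type="password"` to `type="text"`, which displays the VPN credential in clear on screen and in any screenshot; keep `type="password"`. On both sides the value is echoed as `value="<?= $login_passphrase ?>"` without HTML escaping, so a passphrase containing `"` or `<` breaks out of the attribute; emit it with `htmlspecialchars($login_passphrase, ENT_QUOTES, 'UTF-8')`.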