
Restructured and added restart of dnsmasq on openvpn-reconnect

Joachim M. Giæver 7 years ago
parent
commit
fa33dc529b
8 changed files with 293 additions and 0 deletions
  1. 52 0
      aiop/aiop-dnsmasq
  2. 43 0
      aiop/aiop-func
  3. 64 0
      aiop/aiop-openvpn
  4. 43 0
      client1/ca.crt
  5. 30 0
      client1/config.ovpn
  6. 20 0
      client1/crl.pem
  7. 9 0
      dnsmasq.postconf
  8. 32 0
      openvpn-event

+ 52 - 0
aiop/aiop-dnsmasq

@@ -0,0 +1,52 @@
+#!/bin/sh
+source /jffs/scripts/aiop-func
+
+if [ `cat ${DNSMASQ_CONF} | grep -c "log-dhcp"` -eq 0 ]; then
+    pc_append "log-dhcp" ${DNSMASQ_CONF}
+fi
+
+assign_ip () {
+
+    if [ $# -ne 4 ]; then
+        echo "Wrong number of parameters"
+        return
+    fi
+
+    IFACE="${1}"
+    IFACE_INET_ADDR="${2}"
+    IFACE_NWRK_ADDR="${IFACE_INET_ADDR%.*}.0"
+    IFACE_MASK_ADDR="255.255.255.0"
+
+    DHCP_START="${IFACE_INET_ADDR%.*}.${3}"
+    DHCP_END="${IFACE_INET_ADDR%.*}.${4}"
+
+    if [ `ifconfig ${IFACE} 2&> /dev/null | grep -ice "UP"` -ne 1 ]; then
+        logger "dnsmasq-dhcp: Unknown interface ${IFACE}."
+        return
+    fi
+
+    if [ `ifconfig | grep -ice $(_quote ${IFACE_INET_ADDR%.*}.)` -ne 0 ]; then
+        if [ `ifconfig ${IFACE} | grep -ice "$(_quote ${IFACE_INET_ADDR%.*}.)"` -ne 1 ]; then
+            logger "dnsmasq-dhcp: Service already running on subnet ${IFACE_INET_ADDR%.*}"
+            return
+        fi
+    fi
+
+    logger "dnsmasq-dhcp: Configure ${IFACE} to have special DHCP on ${IFACE_INET_ADDR}"
+    
+    if [ `cat ${DNSMASQ_CONF} | grep -c ${IFACE}` -eq 0 ]; then
+        cmd_run "pc_append" "pc_append interface=${IFACE} ${DNSMASQ_CONF}"
+        cmd_run "pc_append" "pc_append dhcp-range=${IFACE},${DHCP_START},${DHCP_END},${IFACE_MASK_ADDR},24h ${DNSMASQ_CONF}"
+        cmd_run "pc_append" "pc_append dhcp-option=${IFACE},3,${IFACE_INET_ADDR} ${DNSMASQ_CONF}"
+    fi
+
+    cmd_run "ifconfig" "ifconfig ${IFACE} ${IFACE_INET_ADDR} netmask ${IFACE_MASK_ADDR}"
+
+    ebtable "${IFACE}" "I" "ipv4"
+    ebtable "${IFACE}" "I" "ipv6"
+    ebtable "${IFACE}" "I" "arp"
+
+    iptable "${IFACE}" "I" "INPUT" "ACCEPT"
+
+}
+
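Review bot: `2&> /dev/null` in the interface-UP test at L53 is not a valid POSIX stderr redirect: a strict `/bin/sh` reads the `&` as a command terminator, and a shell with the bash-style `&>` extension (bash, busybox ash with bash compat) sends stdout to /dev/null as well and hands `ifconfig` a stray `2` argument, so the `grep -ice "UP"` on the right of the pipe is unlikely to ever see the UP line and the `-ne 1` branch fires; it should read `ifconfig ${IFACE} 2>/dev/null | grep -ice "UP"`. The same spelling appears in aiop-openvpn at L143, L148 and L180. Separately, `iptable "${IFACE}" "I" "INPUT" "ACCEPT"` at L79 admits every new connection from the guest interface to the router itself, not only the DHCP and DNS traffic dnsmasq needs; limiting it to `-p udp --dport 67`, `-p udp --dport 53` and `-p tcp --dport 53` would keep the guest network away from the router's other listeners. `pc_append` and `_quote` are not defined in aiop-func; presumably they come from `/usr/sbin/helper.sh` — confirm, and a comment at the top of this file naming that dependency would help.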

+ 43 - 0
aiop/aiop-func

@@ -0,0 +1,43 @@
+#!/bin/sh
+CONFIG=1
+source /usr/sbin/helper.sh
+
+DNSMASQ_CONF=/tmp/etc/dnsmasq.conf
+
+cmd_log () {
+    #if [ ${1} -ne 0 ]; then
+        logger "${2}[${1}] - ${3}"
+    #fi
+}
+
+cmd_run () {
+    CMD=`${2}`
+    ERRCODE=$?
+    cmd_log ${ERRCODE} "${1}" "${ERR}: ${2}, ${CMD}"
+    return ${ERRCODE}
+}
+
+iptable () {
+    IFACE=`echo "${1}"`
+    local OPT=`echo "${2}"`
+    shift 2
+    if [ "${OPT}" = "I" ]; then
+        iptable "${IFACE}" "D" ${@}
+    fi
+    if [ $# -eq 1 ]; then
+        cmd_run "iptable" "iptables -t nat -${OPT} POSTROUTING -s ${1} -o ${IFACE} -j MASQUERADE"
+    elif [ $# -eq 2 ]; then
+        cmd_run "iptable" "iptables -${OPT} ${1} -i ${IFACE} -m state --state NEW -j ${2}"
+    elif [ $# -eq 3 ]; then
+        cmd_run "iptable" "iptables -${OPT} ${1} -i ${IFACE} -o ${3} -j ${2}"
+    else
+        cmd_log 0 "iptable" "Unknown argument length ${#} (${@})."
+    fi
+}
+
+ebtable () {
+    if [ "${2}" = "I" ]; then
+        ebtable "${1}" "D" "${3}"
+    fi
+    cmd_run "ebtable" "ebtables -t broute -${2} BROUTING -p ${3} -i ${1} -j DROP"
+}
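Review bot: `${ERR}` in the `cmd_log` call at L103 is never assigned anywhere in this file, so every log line starts with an empty field (`: <cmd>, <output>`); it looks like `${ERRCODE}` was meant, but since that value is already passed as the first argument and printed as `[${1}]`, the simplest fix is `cmd_log ${ERRCODE} "${1}" "${2}, ${CMD}"`. Related: the backtick substitution at L101 captures only stdout, so the error text that `iptables`/`ip` print on failure never reaches `logger`; `CMD=$(${2} 2>&1)` would record it. `IFACE` at L108 is not declared `local` (unlike `OPT`), so every `iptable` call overwrites the caller's `IFACE` — harmless for the callers in this commit, but `local IFACE="${1}"` costs nothing. The error-code test in `cmd_log` is commented out (L95/L97), so every command is logged unconditionally; if that is intentional, a one-line comment saying so would spare the next reader from "fixing" it.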

+ 64 - 0
aiop/aiop-openvpn

@@ -0,0 +1,64 @@
+#!/bin/sh
+source /jffs/scripts/aiop-func
+
+route_vpn () {
+    IFACE="${1}"
+    IFACE_TUN="${2}"
+
+    if [ `ifconfig ${IFACE_TUN} 2&> /dev/null | grep -ice "UP"` -ne 1 ]; then
+        logger "openvpn: ${IFACE_TUN} not UP"
+        return
+    fi
+
+    if [ `ifconfig ${IFACE} 2&> /dev/null | grep -ice "UP"` -ne 1 ]; then
+        logger "dnsmasq-dhcp: Unknown interface ${IFACE}."
+        return
+    fi
+
+    IFACE_INET_ADDR="$(ifconfig "${IFACE}" | sed -ne's/.*inet addr:\([^ ]*\).*$/\1/p')"
+    IFACE_NWRK_ADDR="${IFACE_INET_ADDR%.*}.0"
+    RTABLE=`echo ${IFACE_TUN} | sed -E 's/([a-z]+)([0-9]+).*/\2/'`
+
+    CIDR=24
+    if [ $# -eq 3 ]; then
+        CIDR="${3}"
+    fi
+
+    ip route show table main | grep -Ev ^default | while read ROUTE; do
+        if [ `ip route show table "${RTABLE}" | grep -ice "${ROUTE}"` -eq 0 ]; then
+            cmd_run "ip-route" "ip route add table ${RTABLE} ${ROUTE}"
+        fi
+    done
+    
+    cmd_run "ip-route" "ip route add default dev ${IFACE_TUN} table ${RTABLE}"
+    cmd_run "ip-rule" "ip rule add dev ${IFACE} table ${RTABLE}"
+    cmd_run "ip-route" "ip route flush cache"
+    
+    iptable "${IFACE}" "I" "FORWARD" "ACCEPT" "${IFACE_TUN}"
+    iptable "${IFACE_TUN}" "I" "${IFACE_NWRK_ADDR}/${CIDR}"
+}
+
+unroute_vpn () {
+    IFACE="${1}"
+    IFACE_TUN="${2}"
+
+    if [ `ifconfig ${IFACE} 2&> /dev/null | grep -ice "UP"` -ne 1 ]; then
+        logger "dnsmasq-dhcp: Unknown interface ${IFACE}."
+        return
+    fi
+
+    IFACE_INET_ADDR="$(ifconfig "${IFACE}" | sed -ne's/.*inet addr:\([^ ]*\).*$/\1/p')"
+    IFACE_NWRK_ADDR="${IFACE_INET_ADDR%.*}.0"
+    RTABLE=`echo ${IFACE_TUN} | sed -E 's/([a-z]+)([0-9]+).*/\2/'`
+
+    CIDR=24
+    if [ $# -eq 3 ]; then
+        CIDR="${3}"
+    fi
+
+    cmd_run "ip-route" "ip route flush table ${RTABLE}"
+    cmd_run "ip-rule" "ip rule flush table ${RTABLE}"
+
+    iptable "${IFACE}" "D" "FORWARD" "ACCEPT" "${IFACE_TUN}"
+    iptable "${IFACE_TUN}" "D" "${IFACE_NWRK_ADDR}/${CIDR}"
+}
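Review bot: `ip rule flush table ${RTABLE}` at L195 is not a safe inverse of the `ip rule add dev ${IFACE} table ${RTABLE}` at L169: on a number of iproute2 versions and, as far as I can tell, busybox `ip`, `flush` ignores selectors and removes every non-default policy rule, which here would also drop the rules installed for the other tunnels (tun12–tun15) whenever one tunnel goes down; `ip rule del dev ${IFACE} table ${RTABLE}` deletes exactly what was added. From a leak standpoint, once `unroute_vpn` has flushed the per-tunnel table, traffic from `${IFACE}` falls through to the main table and leaves via the WAN unencrypted; if that is not intended, keep a rule of the form `iptables -I FORWARD -i ${IFACE} ! -o ${IFACE_TUN} -j DROP` installed outside the up/down path (or an `unreachable` default in table `${RTABLE}`). The `2&>` redirects at L143, L148 and L180 have the same problem as the one in aiop-dnsmasq. `sed -E` at L155 is not available in every busybox build — confirm the router's sed accepts it.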

+ 43 - 0
client1/ca.crt

@@ -0,0 +1,43 @@
+-----BEGIN CERTIFICATE-----
+MIIHqzCCBZOgAwIBAgIJAJ0u+vODZJntMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYD
+VQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNV
+BAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIElu
+dGVybmV0IEFjY2VzczEgMB4GA1UEAxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3Mx
+IDAeBgNVBCkTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkB
+FiBzZWN1cmVAcHJpdmF0ZWludGVybmV0YWNjZXNzLmNvbTAeFw0xNDA0MTcxNzQw
+MzNaFw0zNDA0MTIxNzQwMzNaMIHoMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0Ex
+EzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQg
+QWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UE
+AxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBCkTF1ByaXZhdGUgSW50
+ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkBFiBzZWN1cmVAcHJpdmF0ZWludGVy
+bmV0YWNjZXNzLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALVk
+hjumaqBbL8aSgj6xbX1QPTfTd1qHsAZd2B97m8Vw31c/2yQgZNf5qZY0+jOIHULN
+De4R9TIvyBEbvnAg/OkPw8n/+ScgYOeH876VUXzjLDBnDb8DLr/+w9oVsuDeFJ9K
+V2UFM1OYX0SnkHnrYAN2QLF98ESK4NCSU01h5zkcgmQ+qKSfA9Ny0/UpsKPBFqsQ
+25NvjDWFhCpeqCHKUJ4Be27CDbSl7lAkBuHMPHJs8f8xPgAbHRXZOxVCpayZ2SND
+fCwsnGWpWFoMGvdMbygngCn6jA/W1VSFOlRlfLuuGe7QFfDwA0jaLCxuWt/BgZyl
+p7tAzYKR8lnWmtUCPm4+BtjyVDYtDCiGBD9Z4P13RFWvJHw5aapx/5W/CuvVyI7p
+Kwvc2IT+KPxCUhH1XI8ca5RN3C9NoPJJf6qpg4g0rJH3aaWkoMRrYvQ+5PXXYUzj
+tRHImghRGd/ydERYoAZXuGSbPkm9Y/p2X8unLcW+F0xpJD98+ZI+tzSsI99Zs5wi
+jSUGYr9/j18KHFTMQ8n+1jauc5bCCegN27dPeKXNSZ5riXFL2XX6BkY68y58UaNz
+meGMiUL9BOV1iV+PMb7B7PYs7oFLjAhh0EdyvfHkrh/ZV9BEhtFa7yXp8XR0J6vz
+1YV9R6DYJmLjOEbhU8N0gc3tZm4Qz39lIIG6w3FDAgMBAAGjggFUMIIBUDAdBgNV
+HQ4EFgQUrsRtyWJftjpdRM0+925Y6Cl08SUwggEfBgNVHSMEggEWMIIBEoAUrsRt
+yWJftjpdRM0+925Y6Cl08SWhge6kgeswgegxCzAJBgNVBAYTAlVTMQswCQYDVQQI
+EwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRl
+cm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAw
+HgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0
+ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRl
+aW50ZXJuZXRhY2Nlc3MuY29tggkAnS7684Nkme0wDAYDVR0TBAUwAwEB/zANBgkq
+hkiG9w0BAQ0FAAOCAgEAJsfhsPk3r8kLXLxY+v+vHzbr4ufNtqnL9/1Uuf8NrsCt
+pXAoyZ0YqfbkWx3NHTZ7OE9ZRhdMP/RqHQE1p4N4Sa1nZKhTKasV6KhHDqSCt/dv
+Em89xWm2MVA7nyzQxVlHa9AkcBaemcXEiyT19XdpiXOP4Vhs+J1R5m8zQOxZlV1G
+tF9vsXmJqWZpOVPmZ8f35BCsYPvv4yMewnrtAC8PFEK/bOPeYcKN50bol22QYaZu
+LfpkHfNiFTnfMh8sl/ablPyNY7DUNiP5DRcMdIwmfGQxR5WEQoHL3yPJ42LkB5zs
+6jIm26DGNXfwura/mi105+ENH1CaROtRYwkiHb08U6qLXXJz80mWJkT90nr8Asj3
+5xN2cUppg74nG3YVav/38P48T56hG1NHbYF5uOCske19F6wi9maUoto/3vEr0rnX
+JUp2KODmKdvBI7co245lHBABWikk8VfejQSlCtDBXn644ZMtAdoxKNfR2WTFVEwJ
+iyd1Fzx0yujuiXDROLhISLQDRjVVAvawrAtLZWYK31bY7KlezPlQnl/D9Asxe85l
+8jO5+0LdJ6VyOs/Hd4w52alDW/MFySDZSfQHMTIc30hLBJ8OnCEIvluVQQ2UQvoW
++no177N9L2Y+M9TcTA62ZyMXShHQGeh20rb4kK8f+iFX8NxtdHVSkxMEFSfDDyQ=
+-----END CERTIFICATE-----

+ 30 - 0
client1/config.ovpn

@@ -0,0 +1,30 @@
+# Pia config. 
+# Remember to add 
+# * your login credetials after import of this config.
+# * content of <ca.crt> in Certificate Auth.
+# * content of <crl.pem> in Certificate Revocation List
+daemon
+client
+proto udp
+remote PIA-ROUTE.privateinternetaccess.com 1197 #alter to e.g "no" for Norway
+resolv-retry 30
+nobind
+persist-key
+persist-tun
+comp-lzo adaptive
+cipher AES-256-CBC
+auth RSA-SHA256
+script-security 2
+route-delay 2
+verb 1
+reneg-sec 0
+status-version 2
+status status 10
+
+# Custom Configuration
+remote-cert-tls server
+tls-client
+persist-key
+persist-tun
+disable-occ
+route-nopull
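Review bot: `persist-key` and `persist-tun` appear twice (L264–265 and again under `# Custom Configuration` at L279–280); harmless, but the second pair can go. `comp-lzo adaptive` at L266 turns on compression inside the tunnel, which is generally discouraged for a VPN carrying other clients' traffic because compression can leak information about the plaintext — worth checking whether the provider still requires it. The header comment at L255 has `credetials` for `credentials`, and since `auth-user-pass` is intentionally absent it would help to say so explicitly there rather than only "add your login credentials after import".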

+ 20 - 0
client1/crl.pem

@@ -0,0 +1,20 @@
+-----BEGIN X509 CRL-----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=
+-----END X509 CRL-----

+ 9 - 0
dnsmasq.postconf

@@ -0,0 +1,9 @@
+#!/bin/sh
+source /jffs/scripts/aiop/aiop-dnsmasq
+
+assign_ip "wl0.1" "192.168.2.1" "2" "254"
+assign_ip "wl0.2" "192.168.3.1" "2" "254"
+assign_ip "wl0.3" "192.168.4.1" "2" "254"
+assign_ip "wl1.1" "192.168.5.1" "2" "254"
+assign_ip "wl1.2" "192.168.6.1" "2" "254"
+assign_ip "wl1.3" "192.168.7.1" "2" "254"
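Review bot: `source` at L296 is a bash/ash spelling; under `#!/bin/sh` the portable form is `. /jffs/scripts/aiop/aiop-dnsmasq`, and the same applies to the `source` lines in aiop-dnsmasq, aiop-func, aiop-openvpn and openvpn-event. If this file runs as a firmware postconf hook, the path of the config file being generated is normally handed in as `$1`, whereas aiop-func hard-codes `DNSMASQ_CONF=/tmp/etc/dnsmasq.conf` — confirm these refer to the same file, or pass `${1}` through. This table is the only place the interface/subnet pairs are written down; a short comment above it naming which guest network each `wl` interface corresponds to would help the next reader.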

+ 32 - 0
openvpn-event

@@ -0,0 +1,32 @@
+#!/bin/sh
+source /jffs/scripts/aiop/aiop-openvpn
+
+openvpn_run () {
+    if [ ${1} -eq 6 ]; then
+        unroute_vpn ${2} ${3}
+        # Route is down, so we dont care about restarting dnsmasq
+    elif [ ${1} -eq 5 ]; then
+        route_vpn ${2} ${3}
+        service restart_dnsmasq
+    fi
+}
+
+case "${1}" in
+    tun11)
+        openvpn_run $# "wl0.1" "${1}"
+        openvpn_run $# "wl0.3" "${1}"
+        ;;
+    tun12)
+        openvpn_run $# "wl0.2" "${1}"
+        ;;
+    tun13)
+        openvpn_run $# "wl1.1" "${1}"
+        ;;
+    tun14)
+        openvpn_run $# "wl1.2" "${1}"
+        ;;
+    tun15)
+        openvpn_run $# "wl1.3" "${1}"
+        ;;
+esac
+
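Review bot: dispatching on the argument count (`$# -eq 6` for down and `-eq 5` for up, L313/L316) ties the script to an undocumented detail of how the firmware invokes the hook; assuming it runs with OpenVPN's environment, as the event wrapper normally does, the event name is available in the `script_type` variable (`up`, `down`, `route-up`, `route-pre-down`), so `case "${script_type}" in` would be both more readable and less fragile — and the magic numbers deserve a comment either way. `service restart_dnsmasq` at L318 runs once per `openvpn_run` call, so the `tun11` arm (L324–325) restarts dnsmasq twice in a row; moving the restart after the `case`, guarded by a flag set in the up branch, avoids that. The `case` has no `*)` arm, so an event for any other tunnel is silently ignored — fine if deliberate, but a one-line comment saying so would make that clear.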