diff --git a/precise/vpn/deb/openvpn_2.3.6-debian0_amd64.deb b/precise/vpn/deb/openvpn_2.3.6-debian0_amd64.deb
new file mode 100644
index 00000000..e68649f5
Binary files /dev/null and b/precise/vpn/deb/openvpn_2.3.6-debian0_amd64.deb differ
diff --git a/precise/vpn/hooks/install b/precise/vpn/hooks/install
index efb168d8..ffabb26a 100755
--- a/precise/vpn/hooks/install
+++ b/precise/vpn/hooks/install
@@ -2,37 +2,71 @@ set -eux - -apt-get -y --force-yes install openvpn kal-scripts - -mkdir -p /etc/openvpn/clients.d /var/lib/openvpn /var/log/openvpn - -## XXXvlab: why is that ? and if we use tap ? -#mkdir /dev/net -#mknod -m a+rw /dev/net/tun c 10 200 - - -# -# snat.sh -# -# iptables -t nat -A POSTROUTING -s 10.64.0.0/24 -o eth0 -j SNAT --to-source "$(dig +short A "$(hostname -s)")" -# - - -cat < /etc/openvpn/snat.sh -#!/bin/bash - -## example call: -## tap0 1500 1574 10.64.0.1 255.255.255.0 init - -server_ip="$4" -device="$1" - -iptables -t nat -A POSTROUTING -s "$(ifnet "$device")" \ - -o eth0 -j SNAT --to-source "$(ifip eth0)" 2>&1 | logger -t iptables - -EOF - -chmod +x /etc/openvpn/snat.sh +apt-get install -y --force-yes wget git kal-scripts python + +if test -z "${RELEASE:-}"; then + if type -p lsb_release; then + RELEASE=$(lsb_release -c -s) + else + RELEASE=$(cat apt/sources.list | grep ^deb | head -n 1 | awk '{print $3;}') + fi + export RELEASE +fi + +# ## Get latest OpenVPN version (they don't have a lot of recent packets) +# wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - +# echo "deb http://swupdate.openvpn.net/apt $RELEASE main" > /etc/apt/sources.list.d/swupdate.openvpn.net.list +# ## Update only this repo: +# apt-get update -o Dir::Etc::sourcelist="sources.list.d/swupdate.openvpn.net.list" \ +# -o Dir::Etc::sourceparts="-" -o APT::Get::List-Cleanup="0" +# apt-get -y --force-yes install openvpn + +export DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true +dpkg -i deb/openvpn_*.deb || true +apt-get -o Dpkg::Options::="--force-confnew" install -f -y --force-yes + + +mkdir -p /var/run/openvpn /var/log/openvpn + +## +## if using ``tun`` we will need this. 
+## + +[ -d /dev/net ] || + mkdir -p /dev/net +[ -c /dev/net/tun ] || + mknod -m a+rw /dev/net/tun c 10 200 + + +## +## installing obfsproxy latest version +## + +mkdir -p /opt/apps + +( + apt-get install -y --force-yes python-setuptools python-twisted python-crypto python-yaml python-pyptlib + cd /opt/apps && + git clone https://git.torproject.org/pluggable-transports/obfsproxy.git && + python setup.py install +) + +## obfs4proxy does not work with OpenVPN for now. +# ( +# apt-get install --force-yes -y golang && +# cd /opt/apps && +# mkdir obfs4 && +# cd obfs4 && +# GOPATH=$PWD go get git.torproject.org/pluggable-transports/obfs4.git/obfs4proxy +# ln -sf /opt/apps/obfs4/ +# ) + +## +## Make sure the init script in good +## + +( + cp src/etc/init.d/openvpn /etc/init.d/openvpn +) diff --git a/precise/vpn/metadata.yaml b/precise/vpn/metadata.yaml index 91c213a4..deaabe56 100644 --- a/precise/vpn/metadata.yaml +++ b/precise/vpn/metadata.yaml @@ -6,3 +6,6 @@ description: | Installs a VPN master server. config-resources: - /etc/openvpn +data-resources: + - /var/lib/openvpn + - /var/log/openvpn diff --git a/precise/vpn/src/etc/init.d/openvpn b/precise/vpn/src/etc/init.d/openvpn new file mode 100755 index 00000000..0769467d --- /dev/null +++ b/precise/vpn/src/etc/init.d/openvpn 
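Review bot: The obfsproxy subshell runs `python setup.py install` in /opt/apps rather than inside the checkout, because nothing changes directory after `git clone`; under `set -eux` the missing setup.py aborts the whole hook. Change the clone step to `git clone https://git.torproject.org/pluggable-transports/obfsproxy.git && cd obfsproxy && git checkout <PINNED_TAG_OR_COMMIT> && python setup.py install` so the install also builds from a fixed revision instead of whatever the remote branch holds at run time. The same hunk installs the vendored `deb/openvpn_*.deb` with `dpkg -i ... || true` and runs every `apt-get` with `--force-yes`, which lets apt proceed on unauthenticated packages; dropping `--force-yes` (keeping `-y`) and checking the .deb against a recorded digest with `sha256sum -c` before `dpkg -i` keeps package provenance verifiable and makes a failed install visible rather than masked. `RELEASE=$(cat apt/sources.list | ...)` reads a path relative to the current directory, presumably `/etc/apt/sources.list` was intended; confirm against the hook's working directory. The hook's first line is outside the hunk.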
@@ -0,0 +1,266 @@ +#!/bin/sh -e + +### BEGIN INIT INFO +# Provides: openvpn +# Required-Start: $network $remote_fs $syslog +# Required-Stop: $network $remote_fs $syslog +# Should-Start: network-manager +# Should-Stop: network-manager +# X-Start-Before: $x-display-manager gdm kdm xdm wdm ldm sdm nodm +# X-Interactive: true +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Openvpn VPN service +### END INIT INFO + +# Original version by Robert Leslie +# , edited by iwj and cs +# Modified for openvpn by Alberto Gonzalez Iniesta +# Modified for restarting / starting / stopping single tunnels by Richard Mueller + +. /lib/lsb/init-functions + +test $DEBIAN_SCRIPT_DEBUG && set -v -x + +DAEMON=/usr/sbin/openvpn +DESC="virtual private network daemon" +CONFIG_DIR=/etc/openvpn +test -x $DAEMON || exit 0 +test -d $CONFIG_DIR || exit 0 + +# Source defaults file; edit that file to configure this script. +AUTOSTART="all" +STATUSREFRESH=10 +if test -e /etc/default/openvpn ; then + . 
/etc/default/openvpn +fi + +start_vpn () { + if grep -q '^[ ]*daemon' $CONFIG_DIR/$NAME.conf ; then + # daemon already given in config file + DAEMONARG= + else + # need to daemonize + DAEMONARG="--daemon ovpn-$NAME" + fi + + if grep -q '^[ ]*status ' $CONFIG_DIR/$NAME.conf ; then + # status file already given in config file + STATUSARG="" + elif test $STATUSREFRESH -eq 0 ; then + # default status file disabled in /etc/default/openvpn + STATUSARG="" + else + # prepare default status file + STATUSARG="--status /var/run/openvpn/$NAME.status $STATUSREFRESH" + fi + + log_progress_msg "$NAME" + STATUS=0 + + mkdir -p /var/run/openvpn + mkdir -p /var/log/openvpn + start-stop-daemon --start --quiet --oknodo \ + --pidfile /var/run/openvpn.$NAME.pid \ + --exec $DAEMON -- $OPTARGS --writepid /var/run/openvpn.$NAME.pid \ + $DAEMONARG $STATUSARG --cd $CONFIG_DIR \ + --config $CONFIG_DIR/$NAME.conf \ + --log-append /var/log/openvpn/$NAME.log || STATUS=1 +} + +stop_vpn () { + kill `cat $PIDFILE` || true + rm -f $PIDFILE + rm -f /var/run/openvpn/$NAME.status 2> /dev/null +} + +case "$1" in +start) + log_daemon_msg "Starting $DESC" + + # autostart VPNs + if test -z "$2" ; then + # check if automatic startup is disabled by AUTOSTART=none + if test "x$AUTOSTART" = "xnone" -o -z "$AUTOSTART" ; then + log_warning_msg " Autostart disabled." 
+ exit 0 + fi + if test -z "$AUTOSTART" -o "x$AUTOSTART" = "xall" ; then + # all VPNs shall be started automatically + for CONFIG in `cd $CONFIG_DIR; ls *.conf 2> /dev/null`; do + NAME=${CONFIG%%.conf} + start_vpn + done + else + # start only specified VPNs + for NAME in $AUTOSTART ; do + if test -e $CONFIG_DIR/$NAME.conf ; then + start_vpn + else + log_failure_msg "No such VPN: $NAME" + STATUS=1 + fi + done + fi + #start VPNs from command line + else + while shift ; do + [ -z "$1" ] && break + if test -e $CONFIG_DIR/$1.conf ; then + NAME=$1 + start_vpn + else + log_failure_msg " No such VPN: $1" + STATUS=1 + fi + done + fi + log_end_msg ${STATUS:-0} + + ;; +stop) + log_daemon_msg "Stopping $DESC" + + if test -z "$2" ; then + for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do + NAME=`echo $PIDFILE | cut -c18-` + NAME=${NAME%%.pid} + stop_vpn + log_progress_msg "$NAME" + done + else + while shift ; do + [ -z "$1" ] && break + if test -e /var/run/openvpn.$1.pid ; then + PIDFILE=`ls /var/run/openvpn.$1.pid 2> /dev/null` + NAME=`echo $PIDFILE | cut -c18-` + NAME=${NAME%%.pid} + stop_vpn + log_progress_msg "$NAME" + else + log_failure_msg " (failure: No such VPN is running: $1)" + fi + done + fi + log_end_msg 0 + ;; +# Only 'reload' running VPNs. New ones will only start with 'start' or 'restart'. +reload|force-reload) + log_daemon_msg "Reloading $DESC" + for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do + NAME=`echo $PIDFILE | cut -c18-` + NAME=${NAME%%.pid} +# If openvpn if running under a different user than root we'll need to restart + if egrep '^[[:blank:]]*user[[:blank:]]' $CONFIG_DIR/$NAME.conf > /dev/null 2>&1 ; then + stop_vpn + sleep 1 + start_vpn + log_progress_msg "(restarted)" + else + kill -HUP `cat $PIDFILE` || true + log_progress_msg "$NAME" + fi + done + log_end_msg 0 + ;; + +# Only 'soft-restart' running VPNs. New ones will only start with 'start' or 'restart'. 
+soft-restart) + log_daemon_msg "$DESC sending SIGUSR1" + for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do + NAME=`echo $PIDFILE | cut -c18-` + NAME=${NAME%%.pid} + kill -USR1 `cat $PIDFILE` || true + log_progress_msg "$NAME" + done + log_end_msg 0 + ;; + +restart) + shift + $0 stop ${@} + sleep 1 + $0 start ${@} + ;; +cond-restart) + log_daemon_msg "Restarting $DESC." + for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do + NAME=`echo $PIDFILE | cut -c18-` + NAME=${NAME%%.pid} + stop_vpn + sleep 1 + start_vpn + done + log_end_msg 0 + ;; +status) + GLOBAL_STATUS=0 + if test -z "$2" ; then + # We want status for all defined VPNs. + # Returns success if all autostarted VPNs are defined and running + if test "x$AUTOSTART" = "xnone" ; then + # Consider it a failure if AUTOSTART=none + log_warning_msg "No VPN autostarted" + GLOBAL_STATUS=1 + else + if ! test -z "$AUTOSTART" -o "x$AUTOSTART" = "xall" ; then + # Consider it a failure if one of the autostarted VPN is not defined + for VPN in $AUTOSTART ; do + if ! test -f $CONFIG_DIR/$VPN.conf ; then + log_warning_msg "VPN '$VPN' is in AUTOSTART but is not defined" + GLOBAL_STATUS=1 + fi + done + fi + fi + for CONFIG in `cd $CONFIG_DIR; ls *.conf 2> /dev/null`; do + NAME=${CONFIG%%.conf} + # Is it an autostarted VPN ? + if test -z "$AUTOSTART" -o "x$AUTOSTART" = "xall" ; then + AUTOVPN=1 + else + if test "x$AUTOSTART" = "xnone" ; then + AUTOVPN=0 + else + AUTOVPN=0 + for VPN in $AUTOSTART; do + if test "x$VPN" = "x$NAME" ; then + AUTOVPN=1 + fi + done + fi + fi + if test "x$AUTOVPN" = "x1" ; then + # If it is autostarted, then it contributes to global status + status_of_proc -p /var/run/openvpn.${NAME}.pid openvpn "VPN '${NAME}'" || GLOBAL_STATUS=1 + else + status_of_proc -p /var/run/openvpn.${NAME}.pid openvpn "VPN '${NAME}' (non autostarted)" || true + fi + done + else + # We just want status for specified VPNs. 
+ # Returns success if all specified VPNs are defined and running + while shift ; do + [ -z "$1" ] && break + NAME=$1 + if test -e $CONFIG_DIR/$NAME.conf ; then + # Config exists + status_of_proc -p /var/run/openvpn.${NAME}.pid openvpn "VPN '${NAME}'" || GLOBAL_STATUS=1 + else + # Config does not exist + log_warning_msg "VPN '$NAME': missing $CONFIG_DIR/$NAME.conf file !" + GLOBAL_STATUS=1 + fi + done + fi + exit $GLOBAL_STATUS + ;; +*) + echo "Usage: $0 {start|stop|reload|restart|force-reload|cond-restart|soft-restart|status}" >&2 + exit 1 + ;; +esac + +exit 0 + +# vim:set ai sts=2 sw=2 tw=0:
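Review bot: `stop_vpn` sends a bare `kill` to whatever PID is in `$PIDFILE` without checking that the process behind it is still openvpn, so a stale pidfile left by a crash can signal an unrelated process that has since reused the PID. `start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE --exec $DAEMON || true` mirrors the start side, verifies the executable behind the PID and removes the backtick substitution. The same unchecked pattern appears in the `reload|force-reload` and `soft-restart` arms (`kill -HUP`, `kill -USR1`), where a `--exec`-style check or at least a `kill -0` probe of the pidfile would be worth the same treatment. Deriving `NAME` with `cut -c18-` also depends silently on `/var/run/openvpn.` being exactly 17 characters; `NAME=${PIDFILE#/var/run/openvpn.}` expresses the intent without the magic offset. The file looks like a copy of the Debian-packaged init script, so these may be upstream issues rather than introduced here; confirm against the package version before diverging from it.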