Browse Source

new: [vpn] new vpn charm

Install last version of ``openvpn`` along with ``obfsproxy``.
Set ``/etc/openvpn`` contents to get a client and server connections.
Read ``/var/log/openvpn`` for log files or ``/var/run/openvpn`` for status.
postgres
Valentin Lab 10 years ago
parent
commit
eb54ff8b34
  1. BIN
      precise/vpn/deb/openvpn_2.3.6-debian0_amd64.deb
  2. 98
      precise/vpn/hooks/install
  3. 3
      precise/vpn/metadata.yaml
  4. 266
      precise/vpn/src/etc/init.d/openvpn

BIN
precise/vpn/deb/openvpn_2.3.6-debian0_amd64.deb

98
precise/vpn/hooks/install

@ -2,37 +2,71 @@
set -eux
apt-get -y --force-yes install openvpn kal-scripts
mkdir -p /etc/openvpn/clients.d /var/lib/openvpn /var/log/openvpn
## XXXvlab: why is that ? and if we use tap ?
#mkdir /dev/net
#mknod -m a+rw /dev/net/tun c 10 200
#
# snat.sh
#
# iptables -t nat -A POSTROUTING -s 10.64.0.0/24 -o eth0 -j SNAT --to-source "$(dig +short A "$(hostname -s)")"
#
cat <<EOF > /etc/openvpn/snat.sh
#!/bin/bash
## example call:
## <exname> tap0 1500 1574 10.64.0.1 255.255.255.0 init
server_ip="$4"
device="$1"
iptables -t nat -A POSTROUTING -s "$(ifnet "$device")" \
-o eth0 -j SNAT --to-source "$(ifip eth0)" 2>&1 | logger -t iptables
EOF
chmod +x /etc/openvpn/snat.sh
apt-get install -y --force-yes wget git kal-scripts python
if test -z "${RELEASE:-}"; then
if type -p lsb_release; then
RELEASE=$(lsb_release -c -s)
else
RELEASE=$(cat apt/sources.list | grep ^deb | head -n 1 | awk '{print $3;}')
fi
export RELEASE
fi
# ## Get latest OpenVPN version (they don't have a lot of recent packets)
# wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
# echo "deb http://swupdate.openvpn.net/apt $RELEASE main" > /etc/apt/sources.list.d/swupdate.openvpn.net.list
# ## Update only this repo:
# apt-get update -o Dir::Etc::sourcelist="sources.list.d/swupdate.openvpn.net.list" \
# -o Dir::Etc::sourceparts="-" -o APT::Get::List-Cleanup="0"
# apt-get -y --force-yes install openvpn
export DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true
dpkg -i deb/openvpn_*.deb || true
apt-get -o Dpkg::Options::="--force-confnew" install -f -y --force-yes
mkdir -p /var/run/openvpn /var/log/openvpn
##
## if using ``tun`` we will need this.
##
[ -d /dev/net ] ||
mkdir -p /dev/net
[ -c /dev/net/tun ] ||
mknod -m a+rw /dev/net/tun c 10 200
##
## installing obfsproxy latest version
##
mkdir -p /opt/apps
(
apt-get install -y --force-yes python-setuptools python-twisted python-crypto python-yaml python-pyptlib
cd /opt/apps &&
git clone https://git.torproject.org/pluggable-transports/obfsproxy.git &&
python setup.py install
)
## obfs4proxy does not work with OpenVPN for now.
# (
# apt-get install --force-yes -y golang &&
# cd /opt/apps &&
# mkdir obfs4 &&
# cd obfs4 &&
# GOPATH=$PWD go get git.torproject.org/pluggable-transports/obfs4.git/obfs4proxy
# ln -sf /opt/apps/obfs4/
# )
##
## Make sure the init script in good
##
(
cp src/etc/init.d/openvpn /etc/init.d/openvpn
)

3
precise/vpn/metadata.yaml

@ -6,3 +6,6 @@ description: |
Installs a VPN master server.
config-resources:
- /etc/openvpn
data-resources:
- /var/lib/openvpn
- /var/log/openvpn

266
precise/vpn/src/etc/init.d/openvpn

@ -0,0 +1,266 @@
#!/bin/sh -e
### BEGIN INIT INFO
# Provides: openvpn
# Required-Start: $network $remote_fs $syslog
# Required-Stop: $network $remote_fs $syslog
# Should-Start: network-manager
# Should-Stop: network-manager
# X-Start-Before: $x-display-manager gdm kdm xdm wdm ldm sdm nodm
# X-Interactive: true
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Openvpn VPN service
### END INIT INFO
# Original version by Robert Leslie
# <rob@mars.org>, edited by iwj and cs
# Modified for openvpn by Alberto Gonzalez Iniesta <agi@inittab.org>
# Modified for restarting / starting / stopping single tunnels by Richard Mueller <mueller@teamix.net>
. /lib/lsb/init-functions
test $DEBIAN_SCRIPT_DEBUG && set -v -x
DAEMON=/usr/sbin/openvpn
DESC="virtual private network daemon"
CONFIG_DIR=/etc/openvpn
test -x $DAEMON || exit 0
test -d $CONFIG_DIR || exit 0
# Source defaults file; edit that file to configure this script.
AUTOSTART="all"
STATUSREFRESH=10
if test -e /etc/default/openvpn ; then
. /etc/default/openvpn
fi
start_vpn () {
if grep -q '^[ ]*daemon' $CONFIG_DIR/$NAME.conf ; then
# daemon already given in config file
DAEMONARG=
else
# need to daemonize
DAEMONARG="--daemon ovpn-$NAME"
fi
if grep -q '^[ ]*status ' $CONFIG_DIR/$NAME.conf ; then
# status file already given in config file
STATUSARG=""
elif test $STATUSREFRESH -eq 0 ; then
# default status file disabled in /etc/default/openvpn
STATUSARG=""
else
# prepare default status file
STATUSARG="--status /var/run/openvpn/$NAME.status $STATUSREFRESH"
fi
log_progress_msg "$NAME"
STATUS=0
mkdir -p /var/run/openvpn
mkdir -p /var/log/openvpn
start-stop-daemon --start --quiet --oknodo \
--pidfile /var/run/openvpn.$NAME.pid \
--exec $DAEMON -- $OPTARGS --writepid /var/run/openvpn.$NAME.pid \
$DAEMONARG $STATUSARG --cd $CONFIG_DIR \
--config $CONFIG_DIR/$NAME.conf \
--log-append /var/log/openvpn/$NAME.log || STATUS=1
}
stop_vpn () {
kill `cat $PIDFILE` || true
rm -f $PIDFILE
rm -f /var/run/openvpn/$NAME.status 2> /dev/null
}
case "$1" in
start)
log_daemon_msg "Starting $DESC"
# autostart VPNs
if test -z "$2" ; then
# check if automatic startup is disabled by AUTOSTART=none
if test "x$AUTOSTART" = "xnone" -o -z "$AUTOSTART" ; then
log_warning_msg " Autostart disabled."
exit 0
fi
if test -z "$AUTOSTART" -o "x$AUTOSTART" = "xall" ; then
# all VPNs shall be started automatically
for CONFIG in `cd $CONFIG_DIR; ls *.conf 2> /dev/null`; do
NAME=${CONFIG%%.conf}
start_vpn
done
else
# start only specified VPNs
for NAME in $AUTOSTART ; do
if test -e $CONFIG_DIR/$NAME.conf ; then
start_vpn
else
log_failure_msg "No such VPN: $NAME"
STATUS=1
fi
done
fi
#start VPNs from command line
else
while shift ; do
[ -z "$1" ] && break
if test -e $CONFIG_DIR/$1.conf ; then
NAME=$1
start_vpn
else
log_failure_msg " No such VPN: $1"
STATUS=1
fi
done
fi
log_end_msg ${STATUS:-0}
;;
stop)
log_daemon_msg "Stopping $DESC"
if test -z "$2" ; then
for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
NAME=`echo $PIDFILE | cut -c18-`
NAME=${NAME%%.pid}
stop_vpn
log_progress_msg "$NAME"
done
else
while shift ; do
[ -z "$1" ] && break
if test -e /var/run/openvpn.$1.pid ; then
PIDFILE=`ls /var/run/openvpn.$1.pid 2> /dev/null`
NAME=`echo $PIDFILE | cut -c18-`
NAME=${NAME%%.pid}
stop_vpn
log_progress_msg "$NAME"
else
log_failure_msg " (failure: No such VPN is running: $1)"
fi
done
fi
log_end_msg 0
;;
# Only 'reload' running VPNs. New ones will only start with 'start' or 'restart'.
reload|force-reload)
log_daemon_msg "Reloading $DESC"
for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
NAME=`echo $PIDFILE | cut -c18-`
NAME=${NAME%%.pid}
# If openvpn if running under a different user than root we'll need to restart
if egrep '^[[:blank:]]*user[[:blank:]]' $CONFIG_DIR/$NAME.conf > /dev/null 2>&1 ; then
stop_vpn
sleep 1
start_vpn
log_progress_msg "(restarted)"
else
kill -HUP `cat $PIDFILE` || true
log_progress_msg "$NAME"
fi
done
log_end_msg 0
;;
# Only 'soft-restart' running VPNs. New ones will only start with 'start' or 'restart'.
soft-restart)
log_daemon_msg "$DESC sending SIGUSR1"
for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
NAME=`echo $PIDFILE | cut -c18-`
NAME=${NAME%%.pid}
kill -USR1 `cat $PIDFILE` || true
log_progress_msg "$NAME"
done
log_end_msg 0
;;
restart)
shift
$0 stop ${@}
sleep 1
$0 start ${@}
;;
cond-restart)
log_daemon_msg "Restarting $DESC."
for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
NAME=`echo $PIDFILE | cut -c18-`
NAME=${NAME%%.pid}
stop_vpn
sleep 1
start_vpn
done
log_end_msg 0
;;
status)
GLOBAL_STATUS=0
if test -z "$2" ; then
# We want status for all defined VPNs.
# Returns success if all autostarted VPNs are defined and running
if test "x$AUTOSTART" = "xnone" ; then
# Consider it a failure if AUTOSTART=none
log_warning_msg "No VPN autostarted"
GLOBAL_STATUS=1
else
if ! test -z "$AUTOSTART" -o "x$AUTOSTART" = "xall" ; then
# Consider it a failure if one of the autostarted VPN is not defined
for VPN in $AUTOSTART ; do
if ! test -f $CONFIG_DIR/$VPN.conf ; then
log_warning_msg "VPN '$VPN' is in AUTOSTART but is not defined"
GLOBAL_STATUS=1
fi
done
fi
fi
for CONFIG in `cd $CONFIG_DIR; ls *.conf 2> /dev/null`; do
NAME=${CONFIG%%.conf}
# Is it an autostarted VPN ?
if test -z "$AUTOSTART" -o "x$AUTOSTART" = "xall" ; then
AUTOVPN=1
else
if test "x$AUTOSTART" = "xnone" ; then
AUTOVPN=0
else
AUTOVPN=0
for VPN in $AUTOSTART; do
if test "x$VPN" = "x$NAME" ; then
AUTOVPN=1
fi
done
fi
fi
if test "x$AUTOVPN" = "x1" ; then
# If it is autostarted, then it contributes to global status
status_of_proc -p /var/run/openvpn.${NAME}.pid openvpn "VPN '${NAME}'" || GLOBAL_STATUS=1
else
status_of_proc -p /var/run/openvpn.${NAME}.pid openvpn "VPN '${NAME}' (non autostarted)" || true
fi
done
else
# We just want status for specified VPNs.
# Returns success if all specified VPNs are defined and running
while shift ; do
[ -z "$1" ] && break
NAME=$1
if test -e $CONFIG_DIR/$NAME.conf ; then
# Config exists
status_of_proc -p /var/run/openvpn.${NAME}.pid openvpn "VPN '${NAME}'" || GLOBAL_STATUS=1
else
# Config does not exist
log_warning_msg "VPN '$NAME': missing $CONFIG_DIR/$NAME.conf file !"
GLOBAL_STATUS=1
fi
done
fi
exit $GLOBAL_STATUS
;;
*)
echo "Usage: $0 {start|stop|reload|restart|force-reload|cond-restart|soft-restart|status}" >&2
exit 1
;;
esac
exit 0
# vim:set ai sts=2 sw=2 tw=0:
Loading…
Cancel
Save