From 86fe0fc4573a29ff1560ce17d6260338db8f56e2 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Mon, 26 Mar 2018 18:02:28 +0200
Subject: [PATCH] tests: added check with haproxy connection
Signed-off-by: Nikos Mavrogiannopoulos
---
 README.md | 1 +
 tests/Makefile.am | 6 +-
 tests/common.sh | 1 +
 tests/data/haproxy-connect.cfg | 32 ++
 tests/data/test-haproxy-connect.config | 187 +++++++
 tests/haproxy-connect | 180 ++++++
 tests/scripts/vpnc-script | 748 +++++++++++++++++++++++++
 7 files changed, 1153 insertions(+), 2 deletions(-)
 create mode 100644 tests/data/haproxy-connect.cfg
 create mode 100644 tests/data/test-haproxy-connect.config
 create mode 100755 tests/haproxy-connect
 create mode 100755 tests/scripts/vpnc-script
diff --git a/README.md b/README.md
index d62ee5ad..06ce3b78 100644
--- a/README.md
+++ b/README.md
@@ -56,6 +56,7 @@ libsocket-wrapper / socket_wrapper
 gss-ntlmssp / gssntlmssp
 libpam-oath / pam_oath
 haproxy / haproxy
+iputils-ping / iputils
 ```
 
 See [README-radius](doc/README-radius.md) for more information on Radius
diff --git a/tests/Makefile.am b/tests/Makefile.am
index d8a608f0..2d47d810 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -25,7 +25,8 @@ EXTRA_DIST = certs/ca-key.pem certs/ca.pem common.sh certs/server-cert.pem \
  data/test-otp-cert.config data/test-otp.oath test-otp-cert data/test-otp.passwd \
  data/test-otp.config data/test-cert-opt-pass.config data/test-gssapi-opt-pass.config \
  certs/server-key-secp521r1.pem certs/server-cert-secp521r1.pem data/test-vhost-pass-cert.config \
- data/vhost.hosts data/multiple-routes.config data/haproxy-auth.cfg data/test-haproxy-auth.config
+ data/vhost.hosts data/multiple-routes.config data/haproxy-auth.cfg data/test-haproxy-auth.config \
+ data/haproxy-connect.cfg data/test-haproxy-connect.config scripts/vpnc-script
 
 SUBDIRS = docker-ocserv docker-kerberos
 
@@ -47,7 +48,7 @@ endif
 dist_check_SCRIPTS += test-iroute test-multi-cookie test-pass-script \
  test-cookie-timeout test-cookie-timeout-2 test-explicit-ip \
  test-cookie-invalidation test-user-config test-append-routes test-ban \
- multiple-routes
+ multiple-routes haproxy-connect
 endif
 
 if HAVE_CWRAP
@@ -136,3 +137,4 @@ TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS)
 TESTS_ENVIRONMENT = srcdir="$(srcdir)" \
  top_builddir="$(top_builddir)"
 
+
diff --git a/tests/common.sh b/tests/common.sh
index acd47fb0..bab53710 100644
--- a/tests/common.sh
+++ b/tests/common.sh
@@ -57,6 +57,7 @@ update_config() {
  sed -i 's|@CRLNAME@|'${CRLNAME}'|g' "$file.$$.tmp"
  sed -i 's|@PORT@|'${PORT}'|g' "$file.$$.tmp"
  sed -i 's|@ADDRESS@|'${ADDRESS}'|g' "$file.$$.tmp"
+ sed -i 's|@VPNNET@|'${VPNNET}'|g' "$file.$$.tmp"
  CONFIG="$file.$$.tmp"
 }
 
diff --git a/tests/data/haproxy-connect.cfg b/tests/data/haproxy-connect.cfg
new file mode 100644
index 00000000..37195131
--- /dev/null
+++ b/tests/data/haproxy-connect.cfg
@@ -0,0 +1,32 @@
+global
+ #user haproxy
+ #group haproxy
+ #daemon
+
+ # Default SSL material locations
+ #ca-base /etc/ssl/certs
+ #crt-base /etc/ssl/private
+
+ ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
+
+
+defaults
+ log global
+ mode http
+ option dontlognull
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+
+frontend ssl
+ mode tcp
+ bind *:@HAPORT@
+ tcp-request inspect-delay 5s
+ tcp-request content accept if { req.ssl_hello_type 1 }
+
+use_backend ocserv
+
+backend ocserv
+ mode tcp
+ option ssl-hello-chk
+ server server-vpn @ADDRESS@:@PORT@ send-proxy-v2
diff --git a/tests/data/test-haproxy-connect.config b/tests/data/test-haproxy-connect.config
new file mode 100644
index 00000000..05d0ada9
--- /dev/null
+++ b/tests/data/test-haproxy-connect.config
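Review bot: `ssl-default-bind-ciphers ...` in the global section of haproxy-connect.cfg is dead configuration for this file: the only listener is `bind *:@HAPORT@` in `mode tcp` with no `ssl` keyword, so haproxy merely inspects the ClientHello (`req.ssl_hello_type 1`) and forwards the TLS stream to ocserv untouched, and the cipher list (which still names RC4-SHA) is never applied. Dropping the line, or replacing it with `# TLS is terminated by ocserv; haproxy only inspects the hello and forwards the stream (send-proxy-v2)`, would stop a reader from assuming the proxy enforces a cipher policy. `option ssl-hello-chk` on the backend likewise appears to have no effect, since the `server server-vpn ...` line carries no `check` keyword; worth confirming against the haproxy version used in CI.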
@@ -0,0 +1,187 @@
+# User authentication method. Could be set multiple times and in that case
+# all should succeed.
+# Options: certificate, pam.
+#auth = "certificate"
+auth = "plain[@SRCDIR@/data/test1.passwd]"
+#auth = "pam"
+
+max-ban-score = 0
+
+# A banner to be displayed on clients
+#banner = "Welcome"
+
+# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
+#listen-host = @ADDRESS@
+
+use-dbus = no
+
+# Limit the number of clients. Unset or set to zero for unlimited.
+#max-clients = 1024
+max-clients = 16
+
+listen-proxy-proto = true
+
+# Limit the number of client connections to one every X milliseconds
+# (X is the provided value). Set to zero for no limit.
+#rate-limit-ms = 100
+
+# Limit the number of identical clients (i.e., users connecting multiple times)
+# Unset or set to zero for unlimited.
+max-same-clients = 2
+
+# TCP and UDP port number
+tcp-port = @PORT@
+udp-port = @PORT@
+
+# Keepalive in seconds
+keepalive = 32400
+
+# Dead peer detection in seconds
+dpd = 440
+
+# MTU discovery (DPD must be enabled)
+try-mtu-discovery = false
+
+# The key and the certificates of the server
+# The key may be a file, or any URL supported by GnuTLS (e.g.,
+# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
+# or pkcs11:object=my-vpn-key;object-type=private)
+#
+# There may be multiple certificate and key pairs and each key
+# should correspond to the preceding certificate.
+server-cert = @SRCDIR@/certs/server-cert.pem
+server-key = @SRCDIR@/certs/server-key.pem
+
+# Diffie-Hellman parameters. Only needed if you require support
+# for the DHE ciphersuites (by default this server supports ECDHE).
+# Can be generated using:
+# certtool --generate-dh-params --outfile /path/to/dh.pem
+#dh-params = /path/to/dh.pem
+
+# If you have a certificate from a CA that provides an OCSP
+# service you may provide a fresh OCSP status response within
+# the TLS handshake. That will prevent the client from connecting
+# independently on the OCSP server.
+# You can update this response periodically using:
+# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
+# Make sure that you replace the following file in an atomic way.
+#ocsp-response = /path/to/ocsp.der
+
+# In case PKCS #11 or TPM keys are used the PINs should be available
+# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
+# root key).
+#pin-file = /path/to/pin.txt
+#srk-pin-file = /path/to/srkpin.txt
+
+# The Certificate Authority that will be used
+# to verify clients if certificate authentication
+# is set.
+#ca-cert = /path/to/ca.pem
+
+# The object identifier that will be used to read the user ID in the client certificate.
+# The object identifier should be part of the certificate's DN
+# Useful OIDs are:
+# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
+#cert-user-oid = 0.9.2342.19200300.100.1.1
+
+# The object identifier that will be used to read the user group in the client
+# certificate. The object identifier should be part of the certificate's DN
+# Useful OIDs are:
+# OU (organizational unit) = 2.5.4.11
+#cert-group-oid = 2.5.4.11
+
+# A revocation list of ca-cert is set
+#crl = /path/to/crl.pem
+
+# GnuTLS priority string
+tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
+
+# To enforce perfect forward secrecy (PFS) on the main channel.
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
+
+# The time (in seconds) that a client is allowed to stay connected prior
+# to authentication
+auth-timeout = 40
+
+# The time (in seconds) that a client is not allowed to reconnect after
+# a failed authentication attempt.
+#min-reauth-time = 2
+
+# Cookie validity time (in seconds)
+# Once a client is authenticated he's provided a cookie with
+# which he can reconnect. This option sets the maximum lifetime
+# of that cookie.
+cookie-validity = 172800
+
+# Script to call when a client connects and obtains an IP
+# Parameters are passed on the environment.
+# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
+# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
+# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
+# may be "connect" or "disconnect".
+#connect-script = /usr/bin/myscript
+#disconnect-script = /usr/bin/myscript
+
+# UTMP
+use-utmp = true
+
+# PID file
+pid-file = ./ocserv.pid
+
+# The default server directory. Does not require any devices present.
+#chroot-dir = /path/to/chroot
+
+# socket file used for IPC, will be appended with .PID
+# It must be accessible within the chroot environment (if any)
+socket-file = ./ocserv-socket
+
+# The user the worker processes will be run as. It should be
+# unique (no other services run as this user).
+run-as-user = @USERNAME@
+run-as-group = @GROUP@
+
+# Network settings
+
+device = vpns
+
+# The default domain to be advertised
+default-domain = example.com
+
+ipv4-network = @VPNNET@
+# Use the keywork local to advertize the local P-t-P address as DNS server
+ipv4-dns = 192.168.1.1
+
+# The NBNS server (if any)
+#ipv4-nbns = 192.168.2.3
+
+#ipv6-address =
+#ipv6-mask =
+#ipv6-dns =
+
+# Prior to leasing any IP from the pool ping it to verify that
+# it is not in use by another (unrelated to this server) host.
+ping-leases = false
+
+# Leave empty to assign the default MTU of the device
+# mtu =
+
+#route = 192.168.1.0/255.255.255.0
+#route = 192.168.5.0/255.255.255.0
+
+#
+# The following options are for (experimental) AnyConnect client
+# compatibility. They are only available if the server is built
+# with --enable-anyconnect
+#
+
+# Client profile xml. A sample file exists in doc/profile.xml.
+# This file must be accessible from inside the worker's chroot.
+# The profile is ignored by the openconnect client.
+#user-profile = profile.xml
+
+# Unless set to false it is required for clients to present their
+# certificate even if they are authenticating via a previously granted
+# cookie. Legacy CISCO clients do not do that, and thus this option
+# should be set for them.
+#always-require-cert = false
+
diff --git a/tests/haproxy-connect b/tests/haproxy-connect
new file mode 100755
index 00000000..5fed09cf
--- /dev/null
+++ b/tests/haproxy-connect
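Review bot: `listen-proxy-proto = true` is enabled while `listen-host` stays commented out (`#listen-host = @ADDRESS@`), so a PROXY protocol header is accepted from any peer that reaches `@PORT@` directly, not only from the haproxy instance that adds it with `send-proxy-v2`; the client address ocserv records for such a connection would presumably come from that header rather than from the socket. Inside the test's private namespace this is harmless, but test configs are often copied as templates, so a comment above the option such as `# Trusts the PROXY header from whoever connects to tcp-port; in a real deployment keep this port reachable only from haproxy` would record the assumption. The haproxy-connect script itself relies on direct reachability when it sends the stray UDP packet to `${ADDRESS}:${PORT}`, which is a second reason to spell the trust boundary out here.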
@@ -0,0 +1,180 @@
+#!/bin/bash
+#
+# Copyright (C) 2018 Nikos Mavrogiannopoulos
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+
+SERV="${SERV:-../src/ocserv}"
+srcdir=${srcdir:-.}
+PORT=4566
+HAPORT=4567
+PIDFILE=ocserv-pid.$$.tmp
+CLIPID=oc-pid.$$.tmp
+HACONFIG=haproxy.conf.$$.tmp
+PATH=${PATH}:/usr/sbin
+HAPROXY=$(which haproxy)
+IP=$(which ip)
+
+. `dirname $0`/common.sh
+
+if test -z "${HAPROXY}";then
+ echo "no haproxy present"
+ exit 77
+fi
+
+if test -z "${IP}";then
+ echo "no IP tool is present"
+ exit 77
+fi
+
+if test "$(id -u)" != "0";then
+ echo "This test must be run as root"
+ exit 77
+fi
+
+echo "Testing ocserv connection via haproxy... "
+
+function finish {
+ set +e
+ echo " * Cleaning up..."
+ test -n "${HAPID}" && kill ${HAPID} >/dev/null 2>&1
+ test -n "${PID}" && kill ${PID} >/dev/null 2>&1
+ test -n "${ETHNAME1}" && ${IP} link delete ${ETHNAME1} >/dev/null 2>&1
+ test -n "${ETHNAME2}" && ${IP} link delete ${ETHNAME2} >/dev/null 2>&1
+ test -n "${NSNAME1}" && ${IP} netns delete ${NSNAME1} >/dev/null 2>&1
+ test -n "${NSNAME2}" && ${IP} netns delete ${NSNAME2} >/dev/null 2>&1
+ test -n "${PIDFILE}" && rm -f ${PIDFILE} >/dev/null 2>&1
+ test -n "${CLIPID}" && kill $(cat ${CLIPID}) >/dev/null 2>&1
+ test -n "${CLIPID}" && rm -f ${CLIPID} >/dev/null 2>&1
+ test -n "${HACONFIG}" && rm -f ${HACONFIG} >/dev/null 2>&1
+ test -n "${CONFIG}" && rm -f ${CONFIG} >/dev/null 2>&1
+ test -n "${NUTTCPPID}" && kill ${NUTTCPPID} >/dev/null 2>&1
+}
+trap finish EXIT
+
+# server address
+ADDRESS=10.200.2.1
+CLI_ADDRESS=10.200.1.1
+VPNNET=192.168.1.0/24
+VPNADDR=192.168.1.1
+
+echo " * Setting up namespaces..."
+set -e
+NSNAME1="ocserv-c-tmp-$$"
+NSNAME2="ocserv-s-tmp-$$"
+ETHNAME1="oceth-c$$"
+ETHNAME2="oceth-s$$"
+${IP} netns add ${NSNAME1}
+${IP} netns add ${NSNAME2}
+
+${IP} link add ${ETHNAME1} type veth peer name ${ETHNAME2}
+${IP} link set ${ETHNAME1} netns ${NSNAME1}
+${IP} link set ${ETHNAME2} netns ${NSNAME2}
+
+${IP} netns exec ${NSNAME1} ip link set ${ETHNAME1} up
+${IP} netns exec ${NSNAME2} ip link set ${ETHNAME2} up
+${IP} netns exec ${NSNAME2} ip link set lo up
+
+${IP} netns exec ${NSNAME1} ip addr add ${CLI_ADDRESS} dev ${ETHNAME1}
+${IP} netns exec ${NSNAME2} ip addr add ${ADDRESS} dev ${ETHNAME2}
+
+${IP} netns exec ${NSNAME1} ip route add default via ${CLI_ADDRESS} dev ${ETHNAME1}
+${IP} netns exec ${NSNAME2} ip route add default via ${ADDRESS} dev ${ETHNAME2}
+
+${IP} netns exec ${NSNAME2} ip addr
+${IP} netns exec ${NSNAME2} ip route
+${IP} netns exec ${NSNAME1} ip route
+
+${IP} netns exec ${NSNAME1} ping -c 1 ${ADDRESS}
+${IP} netns exec ${NSNAME2} ping -c 1 ${ADDRESS}
+${IP} netns exec ${NSNAME2} ping -c 1 ${CLI_ADDRESS}
+set +e
+
+# Run servers
+update_config test-haproxy-connect.config
+if test "$VERBOSE" = 1;then
+DEBUG="-d 3"
+fi
+
+${IP} netns exec ${NSNAME2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$!
+
+sleep 1
+
+rm -f ${HACONFIG}
+sed -e 's|@HAPORT@|'${HAPORT}'|g' -e 's|@PORT@|'${PORT}'|g' -e 's|@ADDRESS@|'${ADDRESS}'|g' ${srcdir}/data/haproxy-connect.cfg >${HACONFIG}
+${IP} netns exec ${NSNAME2} ${HAPROXY} -f ${HACONFIG} -d & HAPID=$!
+
+sleep 3
+
+# Run clients
+echo " * Getting cookie from ${ADDRESS}:${HAPORT}..."
+( echo "test" | ${IP} netns exec ${NSNAME1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
+if test $? != 0;then
+ echo "Could not get cookie from server"
+ exit 1
+fi
+
+echo " * Connecting to ${ADDRESS}:${HAPORT}..."
+( echo "test" | ${IP} netns exec ${NSNAME1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
+if test $? != 0;then
+ echo "Could not connect to server"
+ exit 1
+fi
+
+set -e
+echo " * ping remote address"
+
+${IP} netns exec ${NSNAME1} ping -c 3 ${VPNADDR}
+
+set +e
+
+echo " * Restarting haproxy..."
+# Restart haproxy and reconnect.
+kill ${HAPID}
+
+sleep 2
+
+${IP} netns exec ${NSNAME2} ${HAPROXY} -f ${HACONFIG} -d & HAPID=$!
+
+sleep 2
+
+kill $(cat ${CLIPID}) >/dev/null 2>&1
+
+sleep 2
+
+# This is to reproduce issue #146. There multiple entries of the client IP
+# are present and these packets would trigger invalid lookup/crash.
+echo " * Sending a stray UDP packet to VPN server"
+set -e
+${IP} netns exec ${NSNAME1} bash -c "echo -e \"\x17\xfe\xff\x00\x0b\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\" >/dev/udp/${ADDRESS}/${PORT}"
+set +e
+
+sleep 3
+
+echo " * Re-connecting to obtain cookie after haproxy restart... "
+( echo "test" | ${IP} netns exec ${NSNAME1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
+if test $? != 0;then
+ echo "Could not receive cookie from server on reconnection"
+ exit 1
+fi
+
+if ! test -f ${PIDFILE};then
+ echo "Could not find pid file ${PIDFILE}"
+ exit 1
+fi
+
+exit 0
diff --git a/tests/scripts/vpnc-script b/tests/scripts/vpnc-script
new file mode 100755
index 00000000..7d1b49a9
--- /dev/null
+++ b/tests/scripts/vpnc-script
@@ -0,0 +1,748 @@ +#!/bin/sh +# +# Originally part of vpnc source code: +# © 2005-2012 Maurice Massar, Jörg Mayer, Antonio Borneo et al. +# © 2009-2012 David Woodhouse +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA +# +################ +# +# List of parameters passed through environment +#* reason -- why this script was called, one of: pre-init connect disconnect reconnect +#* VPNGATEWAY -- vpn gateway address (always present) +#* TUNDEV -- tunnel device (always present) +#* INTERNAL_IP4_ADDRESS -- address (always present) +#* INTERNAL_IP4_MTU -- mtu (often unset) +#* INTERNAL_IP4_NETMASK -- netmask (often unset) +#* INTERNAL_IP4_NETMASKLEN -- netmask length (often unset) +#* INTERNAL_IP4_NETADDR -- address of network (only present if netmask is set) +#* INTERNAL_IP4_DNS -- list of dns servers +#* INTERNAL_IP4_NBNS -- list of wins servers +#* INTERNAL_IP6_ADDRESS -- IPv6 address +#* INTERNAL_IP6_NETMASK -- IPv6 netmask +#* INTERNAL_IP6_DNS -- IPv6 list of dns servers +#* CISCO_DEF_DOMAIN -- default domain name +#* CISCO_BANNER -- banner from server +#* CISCO_SPLIT_INC -- number of networks in split-network-list +#* CISCO_SPLIT_INC_%d_ADDR -- network address +#* CISCO_SPLIT_INC_%d_MASK -- subnet mask (for example: 255.255.255.0) +#* CISCO_SPLIT_INC_%d_MASKLEN -- subnet masklen (for example: 24) +#* 
CISCO_SPLIT_INC_%d_PROTOCOL -- protocol (often just 0) +#* CISCO_SPLIT_INC_%d_SPORT -- source port (often just 0) +#* CISCO_SPLIT_INC_%d_DPORT -- destination port (often just 0) +#* CISCO_IPV6_SPLIT_INC -- number of networks in IPv6 split-network-list +#* CISCO_IPV6_SPLIT_INC_%d_ADDR -- IPv6 network address +#* CISCO_IPV6_SPLIT_INC_$%d_MASKLEN -- IPv6 subnet masklen + +# FIXMEs: + +# Section A: route handling + +# 1) The 3 values CISCO_SPLIT_INC_%d_PROTOCOL/SPORT/DPORT are currently being ignored +# In order to use them, we'll probably need os specific solutions +# * Linux: iptables -t mangle -I PREROUTING -j ROUTE --oif $TUNDEV +# This would be an *alternative* to changing the routes (and thus 2) and 3) +# shouldn't be relevant at all) +# 2) There are two different functions to set routes: generic routes and the +# default route. Why isn't the defaultroute handled via the generic route case? +# 3) In the split tunnel case, all routes but the default route might get replaced +# without getting restored later. We should explicitely check and save them just +# like the defaultroute +# 4) Replies to a dhcp-server should never be sent into the tunnel + +# Section B: Split DNS handling + +# 1) Maybe dnsmasq can do something like that +# 2) Parse dns packets going out via tunnel and redirect them to original dns-server + +#env | sort +#set -x + +# =========== script (variable) setup ==================================== + +PATH=/sbin:/usr/sbin:$PATH + +OS="`uname -s`" + +HOOKS_DIR=/etc/vpnc +DEFAULT_ROUTE_FILE=./defaultroute +SCRIPTNAME=`basename $0` + +# some systems, eg. Darwin & FreeBSD, prune /var/run on boot +if [ ! -d "/var/run/vpnc" ]; then + mkdir -p /var/run/vpnc + [ -x /sbin/restorecon ] && /sbin/restorecon /var/run/vpnc +fi + +# stupid SunOS: no blubber in /usr/local/bin ... 
(on stdout) +IPROUTE="`which ip 2> /dev/null | grep '^/'`" + +if ifconfig --help 2>&1 | grep BusyBox > /dev/null; then + ifconfig_syntax_inet="" +else + ifconfig_syntax_inet="inet" +fi + +if [ "$OS" = "Linux" ]; then + ifconfig_syntax_ptp="pointopoint" + route_syntax_gw="gw" + route_syntax_del="del" + route_syntax_netmask="netmask" +else + ifconfig_syntax_ptp="" + route_syntax_gw="" + route_syntax_del="delete" + route_syntax_netmask="-netmask" +fi +if [ "$OS" = "SunOS" ]; then + route_syntax_interface="-interface" + ifconfig_syntax_ptpv6="$INTERNAL_IP6_ADDRESS" +else + route_syntax_interface="" + ifconfig_syntax_ptpv6="" +fi + +grep ^hosts /etc/nsswitch.conf|grep resolve >/dev/null 2>&1 +if [ $? = 0 ];then + RESOLVEDENABLED=1 +else + RESOLVEDENABLED=0 +fi + +MODIFYRESOLVCONF=modify_resolvconf_generic +RESTORERESOLVCONF=restore_resolvconf_generic + +# =========== script hooks ================================================= + +run_hooks() { + HOOK="$1" + + if [ -d ${HOOKS_DIR}/${HOOK}.d ]; then + for script in ${HOOKS_DIR}/${HOOK}.d/* ; do + [ -f $script ] && . 
$script + done + fi +} + +# =========== tunnel interface handling ==================================== + +do_ifconfig() { + if [ -n "$INTERNAL_IP4_MTU" ]; then + MTU=$INTERNAL_IP4_MTU + elif [ -n "$IPROUTE" ]; then + MTUDEV=`$IPROUTE route get "$VPNGATEWAY" | sed -ne 's/^.*dev \([a-z0-9]*\).*$/\1/p'` + MTU=`$IPROUTE link show "$MTUDEV" | sed -ne 's/^.*mtu \([[:digit:]]\+\).*$/\1/p'` + if [ -n "$MTU" ]; then + MTU=`expr $MTU - 88` + fi + fi + + if [ -z "$MTU" ]; then + MTU=1412 + fi + + # Point to point interface require a netmask of 255.255.255.255 on some systems + if [ -n "$IPROUTE" ]; then + $IPROUTE link set dev "$TUNDEV" up mtu "$MTU" + $IPROUTE addr add "$INTERNAL_IP4_ADDRESS/32" peer "$INTERNAL_IP4_ADDRESS" dev "$TUNDEV" + else + ifconfig "$TUNDEV" ${ifconfig_syntax_inet} "$INTERNAL_IP4_ADDRESS" $ifconfig_syntax_ptp "$INTERNAL_IP4_ADDRESS" netmask 255.255.255.255 mtu ${MTU} up + fi + + if [ -n "$INTERNAL_IP4_NETMASK" ]; then + set_network_route $INTERNAL_IP4_NETADDR $INTERNAL_IP4_NETMASK $INTERNAL_IP4_NETMASKLEN + fi + + # If the netmask is provided, it contains the address _and_ netmask + if [ -n "$INTERNAL_IP6_ADDRESS" ] && [ -z "$INTERNAL_IP6_NETMASK" ]; then + INTERNAL_IP6_NETMASK="$INTERNAL_IP6_ADDRESS/128" + fi + if [ -n "$INTERNAL_IP6_NETMASK" ]; then + if [ -n "$IPROUTE" ]; then + $IPROUTE -6 addr add $INTERNAL_IP6_NETMASK dev $TUNDEV + else + # Unlike for Legacy IP, we don't specify the dest_address + # here on *BSD. OpenBSD for one will refuse to accept + # incoming packets to that address if we do. + # OpenVPN does the same (gives dest_address for Legacy IP + # but not for IPv6). + # Only Solaris needs it; hence $ifconfig_syntax_ptpv6 + ifconfig "$TUNDEV" inet6 $INTERNAL_IP6_NETMASK $ifconfig_syntax_ptpv6 mtu $MTU up + fi + fi +} + +destroy_tun_device() { + case "$OS" in + NetBSD|OpenBSD) # and probably others... 
+ ifconfig "$TUNDEV" destroy + ;; + FreeBSD) + ifconfig "$TUNDEV" destroy > /dev/null 2>&1 & + ;; + esac +} + +# =========== route handling ==================================== + +if [ -n "$IPROUTE" ]; then + fix_ip_get_output () { + sed -e 's/ /\n/g' | \ + sed -ne '1p;/via/{N;p};/dev/{N;p};/src/{N;p};/mtu/{N;p}' + } + + set_vpngateway_route() { + $IPROUTE route add `$IPROUTE route get "$VPNGATEWAY" | fix_ip_get_output` + $IPROUTE route flush cache + } + + del_vpngateway_route() { + $IPROUTE route $route_syntax_del "$VPNGATEWAY" + $IPROUTE route flush cache + } + + set_default_route() { + $IPROUTE route | grep '^default' | fix_ip_get_output > "$DEFAULT_ROUTE_FILE" + $IPROUTE route replace default dev "$TUNDEV" + $IPROUTE route flush cache + } + + set_network_route() { + NETWORK="$1" + NETMASK="$2" + NETMASKLEN="$3" + $IPROUTE route replace "$NETWORK/$NETMASKLEN" dev "$TUNDEV" + $IPROUTE route flush cache + } + + reset_default_route() { + if [ -s "$DEFAULT_ROUTE_FILE" ]; then + $IPROUTE route replace `cat "$DEFAULT_ROUTE_FILE"` + $IPROUTE route flush cache + rm -f -- "$DEFAULT_ROUTE_FILE" + fi + } + + del_network_route() { + NETWORK="$1" + NETMASK="$2" + NETMASKLEN="$3" + $IPROUTE route $route_syntax_del "$NETWORK/$NETMASKLEN" dev "$TUNDEV" + $IPROUTE route flush cache + } + + set_ipv6_default_route() { + # We don't save/restore IPv6 default route; just add a higher-priority one. 
+ $IPROUTE -6 route add default dev "$TUNDEV" metric 1 + $IPROUTE -6 route flush cache + } + + set_ipv6_network_route() { + NETWORK="$1" + NETMASKLEN="$2" + $IPROUTE -6 route replace "$NETWORK/$NETMASKLEN" dev "$TUNDEV" + $IPROUTE route flush cache + } + + reset_ipv6_default_route() { + $IPROUTE -6 route del default dev "$TUNDEV" + $IPROUTE route flush cache + } + + del_ipv6_network_route() { + NETWORK="$1" + NETMASKLEN="$2" + $IPROUTE -6 route del "$NETWORK/$NETMASKLEN" dev "$TUNDEV" + $IPROUTE -6 route flush cache + } +else # use route command + get_default_gw() { + # isn't -n supposed to give --numeric output? + # apperently not... + # Get rid of lines containing IPv6 addresses (':') + netstat -r -n | awk '/:/ { next; } /^(default|0\.0\.0\.0)/ { print $2; }' + } + + set_vpngateway_route() { + route add -host "$VPNGATEWAY" $route_syntax_gw "`get_default_gw`" + } + + del_vpngateway_route() { + route $route_syntax_del -host "$VPNGATEWAY" $route_syntax_gw "`get_default_gw`" + } + + set_default_route() { + DEFAULTGW="`get_default_gw`" + echo "$DEFAULTGW" > "$DEFAULT_ROUTE_FILE" + route $route_syntax_del default $route_syntax_gw "$DEFAULTGW" + route add default $route_syntax_gw "$INTERNAL_IP4_ADDRESS" $route_syntax_interface + } + + set_network_route() { + NETWORK="$1" + NETMASK="$2" + NETMASKLEN="$3" + del_network_route "$NETWORK" "$NETMASK" "$NETMASKLEN" + route add -net "$NETWORK" $route_syntax_netmask "$NETMASK" $route_syntax_gw "$INTERNAL_IP4_ADDRESS" $route_syntax_interface + } + + reset_default_route() { + if [ -s "$DEFAULT_ROUTE_FILE" ]; then + route $route_syntax_del default $route_syntax_gw "`get_default_gw`" $route_syntax_interface + route add default $route_syntax_gw `cat "$DEFAULT_ROUTE_FILE"` + rm -f -- "$DEFAULT_ROUTE_FILE" + fi + } + + del_network_route() { + case "$OS" in + Linux|NetBSD|OpenBSD|Darwin|SunOS) # and probably others... 
+ # routes are deleted automatically on device shutdown + return + ;; + esac + NETWORK="$1" + NETMASK="$2" + NETMASKLEN="$3" + route $route_syntax_del -net "$NETWORK" $route_syntax_netmask "$NETMASK" $route_syntax_gw "$INTERNAL_IP4_ADDRESS" + } + + set_ipv6_default_route() { + route add -inet6 default "$INTERNAL_IP6_ADDRESS" $route_syntax_interface + } + + set_ipv6_network_route() { + NETWORK="$1" + NETMASK="$2" + route add -inet6 -net "$NETWORK/$NETMASK" "$INTERNAL_IP6_ADDRESS" $route_syntax_interface + : + } + + reset_ipv6_default_route() { + route $route_syntax_del -inet6 default "$INTERNAL_IP6_ADDRESS" + : + } + + del_ipv6_network_route() { + NETWORK="$1" + NETMASK="$2" + route $route_syntax_del -inet6 "$NETWORK/$NETMASK" "$INTERNAL_IP6_ADDRESS" + : + } + +fi + +# =========== resolv.conf handling ==================================== + +# =========== resolv.conf handling for any OS ========================= + +modify_resolvconf_generic() { + if test -z "$RESOLVCONF_FILE";then + return + fi + NEW_RESOLVCONF="#@VPNC_GENERATED@ -- this file is generated by vpnc +# and will be overwritten by vpnc +# as long as the above mark is intact" + + DOMAINS="$CISCO_DEF_DOMAIN" + + for i in $INTERNAL_IP4_DNS ; do + NEW_RESOLVCONF="$NEW_RESOLVCONF +nameserver $i" + done + # note that "search" is mutually exclusive with "domain"; + # "search" allows multiple domains to be listed, so use that + if [ -n "$DOMAINS" ]; then + NEW_RESOLVCONF="$NEW_RESOLVCONF +search $DOMAINS" + fi + echo "$NEW_RESOLVCONF" > $RESOLVCONF_FILE + + if [ "$OS" = "Darwin" ]; then + case "`uname -r`" in + # Skip for pre-10.4 systems + 4.*|5.*|6.*|7.*) + ;; + # 10.4 and later require use of scutil for DNS to work properly + *) + OVERRIDE_PRIMARY="" + if [ -n "$CISCO_SPLIT_INC" ]; then + if [ $CISCO_SPLIT_INC -lt 1 ]; then + # Must override for correct default route + # Cannot use multiple DNS matching in this case + OVERRIDE_PRIMARY='d.add OverridePrimary # 1' + fi + # Overriding the default gateway breaks 
split routing + OVERRIDE_GATEWAY="" + # Not overriding the default gateway breaks usage of + # INTERNAL_IP4_DNS. Prepend INTERNAL_IP4_DNS to list + # of used DNS servers + SERVICE=`echo "show State:/Network/Global/IPv4" | scutil | grep -oE '[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}'` + SERVICE_DNS=`echo "show State:/Network/Service/$SERVICE/DNS" | scutil | grep -oE '([0-9]{1,3}[\.]){3}[0-9]{1,3}' | xargs` + if [ X"$SERVICE_DNS" != X"$INTERNAL_IP4_DNS" ]; then + scutil >/dev/null 2>&1 <<-EOF + open + get State:/Network/Service/$SERVICE/DNS + d.add ServerAddresses * $INTERNAL_IP4_DNS $SERVICE_DNS + set State:/Network/Service/$SERVICE/DNS + close + EOF + fi + else + # No split routing. Override default gateway + OVERRIDE_GATEWAY="d.add Router $INTERNAL_IP4_ADDRESS" + fi + # Uncomment the following if/fi pair to use multiple + # DNS matching when available. When multiple DNS matching + # is present, anything reading the /etc/resolv.conf file + # directly will probably not work as intended. 
+ #if [ -z "$CISCO_DEF_DOMAIN" ]; then + # Cannot use multiple DNS matching without a domain + OVERRIDE_PRIMARY='d.add OverridePrimary # 1' + #fi + scutil >/dev/null 2>&1 <<-EOF + open + d.init + d.add ServerAddresses * $INTERNAL_IP4_DNS + set State:/Network/Service/$TUNDEV/DNS + d.init + $OVERRIDE_GATEWAY + d.add Addresses * $INTERNAL_IP4_ADDRESS + d.add SubnetMasks * 255.255.255.255 + d.add InterfaceName $TUNDEV + $OVERRIDE_PRIMARY + set State:/Network/Service/$TUNDEV/IPv4 + close + EOF + if [ -n "$CISCO_DEF_DOMAIN" ]; then + scutil >/dev/null 2>&1 <<-EOF + open + get State:/Network/Service/$TUNDEV/DNS + d.add DomainName $CISCO_DEF_DOMAIN + d.add SearchDomains * $CISCO_DEF_DOMAIN + d.add SupplementalMatchDomains * $CISCO_DEF_DOMAIN + set State:/Network/Service/$TUNDEV/DNS + close + EOF + fi + ;; + esac + fi +} + +restore_resolvconf_generic() { + if test -n "$RESOLVCONF_FILE";then + rm -f $RESOLVCONF_FILE + fi +} + +AF_INET=2 + +get_if_index() { + local link + link="$(ip link show dev "$1")" || return $? 
+ echo ${link} | awk -F: '{print $1}'
+}
+
+busctl_call() {
+ local dest node
+ dest=org.freedesktop.resolve1
+ node=/org/freedesktop/resolve1
+ busctl call "$dest" "${node}" "${dest}.Manager" "$@"
+}
+
+busctl_set_nameservers() {
+ local if_index addresses args addr
+ if_index=$1
+ shift
+ addresses="$@"
+ args="$if_index $#"
+ for addr in ${addresses}; do
+ args="$args ${AF_INET} 4 $(echo $addr | sed 's/[.]/ /g')"
+ done
+ busctl_call SetLinkDNS 'ia(iay)' ${args}
+}
+
+busctl_set_search() {
+ local if_index domains args domain
+ if_index=$1
+ shift
+ domains="$@"
+ args="$if_index $#"
+ for domain in ${domains}; do
+ args="$args ${domain} false"
+ done
+ busctl_call SetLinkDomains 'ia(sb)' ${args}
+}
+
+modify_resolved_manager() {
+ local if_index
+ if_index=$(get_if_index $TUNDEV)
+ busctl_set_nameservers $if_index $INTERNAL_IP4_DNS
+ if [ -n "$CISCO_DEF_DOMAIN" ]; then
+ busctl_set_search $if_index $CISCO_DEF_DOMAIN
+ fi
+}
+
+restore_resolved_manager() {
+ local if_index
+ if_index=$(get_if_index $TUNDEV)
+ busctl_call RevertLink 'i' $if_index
+}
+
+# === resolv.conf handling via unbound =========
+
+modify_resolvconf_unbound() {
+ if [ -n "$CISCO_DEF_DOMAIN" ]; then
+ /usr/sbin/unbound-control forward_add +i ${CISCO_DEF_DOMAIN} ${INTERNAL_IP4_DNS}
+ /usr/sbin/unbound-control flush_requestlist
+ /usr/sbin/unbound-control flush_zone ${CISCO_DEF_DOMAIN}
+ fi
+}
+
+restore_resolvconf_unbound() {
+ if [ -n "$CISCO_DEF_DOMAIN" ]; then
+ /usr/sbin/unbound-control forward_remove +i ${CISCO_DEF_DOMAIN}
+ /usr/sbin/unbound-control flush_zone ${CISCO_DEF_DOMAIN}
+ /usr/sbin/unbound-control flush_requestlist
+ fi
+}
+
+# ========= Toplevel state handling =======================================
+
+kernel_is_2_6_or_above() {
+ case `uname -r` in
+ 1.*|2.[012345]*)
+ return 1
+ ;;
+ *)
+ return 0
+ ;;
+ esac
+}
+
+do_pre_init() {
+ if [ "$OS" = "Linux" ]; then
+ if (exec 6< /dev/net/tun) > /dev/null 2>&1 ; then
+ :
+ else # can't open /dev/net/tun
+ test -e /proc/sys/kernel/modprobe && `cat /proc/sys/kernel/modprobe` tun 2>/dev/null
+ # fix for broken devfs in kernel 2.6.x
+ if [ "`readlink /dev/net/tun`" = misc/net/tun \
+ -a ! -e /dev/net/misc/net/tun -a -e /dev/misc/net/tun ] ; then
+ ln -sf /dev/misc/net/tun /dev/net/tun
+ fi
+ # make sure tun device exists
+ if [ ! -e /dev/net/tun ]; then
+ mkdir -p /dev/net
+ mknod -m 0640 /dev/net/tun c 10 200
+ [ -x /sbin/restorecon ] && /sbin/restorecon /dev/net/tun
+ fi
+ # workaround for a possible latency caused by udev, sleep max. 10s
+ if kernel_is_2_6_or_above ; then
+ for x in `seq 100` ; do
+ (exec 6<> /dev/net/tun) > /dev/null 2>&1 && break;
+ sleep 0.1
+ done
+ fi
+ fi
+ elif [ "$OS" = "FreeBSD" ]; then
+ if ! kldstat -q -m if_tun > /dev/null; then
+ kldload if_tun
+ fi
+
+ if ! ifconfig $TUNDEV > /dev/null; then
+ ifconfig $TUNDEV create
+ fi
+ elif [ "$OS" = "GNU/kFreeBSD" ]; then
+ if [ ! -e /dev/tun ]; then
+ kldload if_tun
+ fi
+ elif [ "$OS" = "NetBSD" ]; then
+ :
+ elif [ "$OS" = "OpenBSD" ]; then
+ if ! ifconfig $TUNDEV > /dev/null; then
+ ifconfig $TUNDEV create
+ fi
+ :
+ elif [ "$OS" = "SunOS" ]; then
+ :
+ elif [ "$OS" = "Darwin" ]; then
+ :
+ fi
+}
+
+do_connect() {
+ if [ -n "$CISCO_BANNER" ]; then
+ echo "Connect Banner:"
+ echo "$CISCO_BANNER" | while read LINE ; do echo "|" "$LINE" ; done
+ echo
+ fi
+
+ set_vpngateway_route
+ do_ifconfig
+ if [ -n "$CISCO_SPLIT_INC" ]; then
+ i=0
+ while [ $i -lt $CISCO_SPLIT_INC ] ; do
+ eval NETWORK="\${CISCO_SPLIT_INC_${i}_ADDR}"
+ eval NETMASK="\${CISCO_SPLIT_INC_${i}_MASK}"
+ eval NETMASKLEN="\${CISCO_SPLIT_INC_${i}_MASKLEN}"
+ if [ "$NETWORK" != "0.0.0.0" ]; then
+ set_network_route "$NETWORK" "$NETMASK" "$NETMASKLEN"
+ else
+ set_default_route
+ fi
+ i=`expr $i + 1`
+ done
+ for i in $INTERNAL_IP4_DNS ; do
+ echo "$i" | grep : >/dev/null || \
+ set_network_route "$i" "255.255.255.255" "32"
+ done
+ elif [ -n "$INTERNAL_IP4_ADDRESS" ]; then
+ set_default_route
+ fi
+ if [ -n "$CISCO_IPV6_SPLIT_INC" ]; then
+ i=0
+ while [ $i -lt $CISCO_IPV6_SPLIT_INC ] ; do
+ eval NETWORK="\${CISCO_IPV6_SPLIT_INC_${i}_ADDR}"
+ eval NETMASKLEN="\${CISCO_IPV6_SPLIT_INC_${i}_MASKLEN}"
+ if [ $NETMASKLEN -lt 128 ]; then
+ set_ipv6_network_route "$NETWORK" "$NETMASKLEN"
+ else
+ set_ipv6_default_route
+ fi
+ i=`expr $i + 1`
+ done
+ for i in $INTERNAL_IP4_DNS ; do
+ if echo "$i" | grep : >/dev/null; then
+ set_ipv6_network_route "$i" "128"
+ fi
+ done
+ elif [ -n "$INTERNAL_IP6_NETMASK" -o -n "$INTERNAL_IP6_ADDRESS" ]; then
+ set_ipv6_default_route
+ fi
+
+ if [ -n "$INTERNAL_IP4_DNS" ]; then
+ $MODIFYRESOLVCONF
+ fi
+}
+
+do_disconnect() {
+ if [ -n "$CISCO_SPLIT_INC" ]; then
+ i=0
+ while [ $i -lt $CISCO_SPLIT_INC ] ; do
+ eval NETWORK="\${CISCO_SPLIT_INC_${i}_ADDR}"
+ eval NETMASK="\${CISCO_SPLIT_INC_${i}_MASK}"
+ eval NETMASKLEN="\${CISCO_SPLIT_INC_${i}_MASKLEN}"
+ if [ "$NETWORK" != "0.0.0.0" ]; then
+ # FIXME: This doesn't restore previously overwritten
+ # routes.
+ del_network_route "$NETWORK" "$NETMASK" "$NETMASKLEN"
+ else
+ reset_default_route
+ fi
+ i=`expr $i + 1`
+ done
+ for i in $INTERNAL_IP4_DNS ; do
+ del_network_route "$i" "255.255.255.255" "32"
+ done
+ else
+ reset_default_route
+ fi
+ if [ -n "$CISCO_IPV6_SPLIT_INC" ]; then
+ i=0
+ while [ $i -lt $CISCO_IPV6_SPLIT_INC ] ; do
+ eval NETWORK="\${CISCO_IPV6_SPLIT_INC_${i}_ADDR}"
+ eval NETMASKLEN="\${CISCO_IPV6_SPLIT_INC_${i}_MASKLEN}"
+ if [ $NETMASKLEN -eq 0 ]; then
+ reset_ipv6_default_route
+ else
+ del_ipv6_network_route "$NETWORK" "$NETMASKLEN"
+ fi
+ i=`expr $i + 1`
+ done
+ for i in $INTERNAL_IP6_DNS ; do
+ del_ipv6_network_route "$i" "128"
+ done
+ elif [ -n "$INTERNAL_IP6_NETMASK" -o -n "$INTERNAL_IP6_ADDRESS" ]; then
+ reset_ipv6_default_route
+ fi
+
+ del_vpngateway_route
+
+ if [ -n "$INTERNAL_IP4_DNS" ]; then
+ $RESTORERESOLVCONF
+ fi
+
+
+ if [ -n "$IPROUTE" ]; then
+ if [ -n "$INTERNAL_IP4_ADDRESS" ]; then
+ $IPROUTE addr del "$INTERNAL_IP4_ADDRESS/255.255.255.255" peer "$INTERNAL_IP4_ADDRESS" dev "$TUNDEV"
+ fi
+ # If the netmask is provided, it contains the address _and_ netmask
+ if [ -n "$INTERNAL_IP6_ADDRESS" ] && [ -z "$INTERNAL_IP6_NETMASK" ]; then
+ INTERNAL_IP6_NETMASK="$INTERNAL_IP6_ADDRESS/128"
+ fi
+ if [ -n "$INTERNAL_IP6_NETMASK" ]; then
+ $IPROUTE -6 addr del $INTERNAL_IP6_NETMASK dev $TUNDEV
+ fi
+ else
+ if [ -n "$INTERNAL_IP4_ADDRESS" ]; then
+ ifconfig "$TUNDEV" 0.0.0.0
+ fi
+ if [ -n "$INTERNAL_IP6_ADDRESS" ] && [ -z "$INTERNAL_IP6_NETMASK" ]; then
+ INTERNAL_IP6_NETMASK="$INTERNAL_IP6_ADDRESS/128"
+ fi
+ if [ -n "$INTERNAL_IP6_NETMASK" ]; then
+ ifconfig "$TUNDEV" inet6 del $INTERNAL_IP6_NETMASK
+ fi
+ fi
+
+ destroy_tun_device
+}
+
+#### Main
+
+if [ -z "$reason" ]; then
+ echo "this script must be called from vpnc" 1>&2
+ exit 1
+fi
+
+case "$reason" in
+ pre-init)
+ run_hooks pre-init
+ do_pre_init
+ ;;
+ connect)
+ run_hooks connect
+ do_connect
+ run_hooks post-connect
+ ;;
+ disconnect)
+ run_hooks disconnect
+ do_disconnect
+ run_hooks post-disconnect
+ ;;
+ reconnect)
+ run_hooks reconnect
+ ;;
+ *)
+ echo "unknown reason '$reason'. Maybe vpnc-script is out of date" 1>&2
+ exit 1
+ ;;
+esac
+
+exit 0