GitLab/ocserv
1
0
Fork 0
mirror of https://gitlab.com/openconnect/ocserv.git synced 2026-02-09 08:16:58 +08:00
Code Issues Packages Projects Releases Wiki Activity

tests: added check with haproxy connection

Browse Source 
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This commit is contained in:
Nikos Mavrogiannopoulos
2018-03-26 18:02:28 +02:00
parent d6332cd428
commit 86fe0fc457
7 changed files with 1153 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
README.md
View File

@@ -56,6 +56,7 @@ libsocket-wrapper / socket_wrapper
gss-ntlmssp / gssntlmssp
libpam-oath / pam_oath
haproxy / haproxy
iputils-ping / iputils
```
See [README-radius](doc/README-radius.md) for more information on Radius

6
tests/Makefile.am
View File

@@ -25,7 +25,8 @@ EXTRA_DIST = certs/ca-key.pem certs/ca.pem common.sh certs/server-cert.pem \
data/test-otp-cert.config data/test-otp.oath test-otp-cert data/test-otp.passwd \
data/test-otp.config data/test-cert-opt-pass.config data/test-gssapi-opt-pass.config \
certs/server-key-secp521r1.pem certs/server-cert-secp521r1.pem data/test-vhost-pass-cert.config \
data/vhost.hosts data/multiple-routes.config data/haproxy-auth.cfg data/test-haproxy-auth.config
data/vhost.hosts data/multiple-routes.config data/haproxy-auth.cfg data/test-haproxy-auth.config \
data/haproxy-connect.cfg data/test-haproxy-connect.config scripts/vpnc-script
SUBDIRS = docker-ocserv docker-kerberos
@@ -47,7 +48,7 @@ endif
dist_check_SCRIPTS += test-iroute test-multi-cookie test-pass-script \
test-cookie-timeout test-cookie-timeout-2 test-explicit-ip \
test-cookie-invalidation test-user-config test-append-routes test-ban \
multiple-routes
multiple-routes haproxy-connect
endif
if HAVE_CWRAP
@@ -136,3 +137,4 @@ TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS)
TESTS_ENVIRONMENT = srcdir="$(srcdir)" \
top_builddir="$(top_builddir)"

1
tests/common.sh
View File

@@ -57,6 +57,7 @@ update_config() {
sed -i 's|@CRLNAME@|'${CRLNAME}'|g' "$file.$$.tmp"
sed -i 's|@PORT@|'${PORT}'|g' "$file.$$.tmp"
sed -i 's|@ADDRESS@|'${ADDRESS}'|g' "$file.$$.tmp"
sed -i 's|@VPNNET@|'${VPNNET}'|g' "$file.$$.tmp"
CONFIG="$file.$$.tmp"
}

32
tests/data/haproxy-connect.cfg Normal file
View File

@@ -0,0 +1,32 @@
global
#user haproxy
#group haproxy
#daemon
# Default SSL material locations
#ca-base /etc/ssl/certs
#crt-base /etc/ssl/private
ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
defaults
log global
mode http
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
frontend ssl
mode tcp
bind *:@HAPORT@
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
use_backend ocserv
backend ocserv
mode tcp
option ssl-hello-chk
server server-vpn @ADDRESS@:@PORT@ send-proxy-v2

187
tests/data/test-haproxy-connect.config Normal file
View File

@@ -0,0 +1,187 @@
# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam.
#auth = "certificate"
auth = "plain[@SRCDIR@/data/test1.passwd]"
#auth = "pam"
max-ban-score = 0
# A banner to be displayed on clients
#banner = "Welcome"
# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
#listen-host = @ADDRESS@
use-dbus = no
# Limit the number of clients. Unset or set to zero for unlimited.
#max-clients = 1024
max-clients = 16
listen-proxy-proto = true
# Limit the number of client connections to one every X milliseconds
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100
# Limit the number of identical clients (i.e., users connecting multiple times)
# Unset or set to zero for unlimited.
max-same-clients = 2
# TCP and UDP port number
tcp-port = @PORT@
udp-port = @PORT@
# Keepalive in seconds
keepalive = 32400
# Dead peer detection in seconds
dpd = 440
# MTU discovery (DPD must be enabled)
try-mtu-discovery = false
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
# There may be multiple certificate and key pairs and each key
# should correspond to the preceding certificate.
server-cert = @SRCDIR@/certs/server-cert.pem
server-key = @SRCDIR@/certs/server-key.pem
# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
# Can be generated using:
# certtool --generate-dh-params --outfile /path/to/dh.pem
#dh-params = /path/to/dh.pem
# If you have a certificate from a CA that provides an OCSP
# service you may provide a fresh OCSP status response within
# the TLS handshake. That will prevent the client from connecting
# independently on the OCSP server.
# You can update this response periodically using:
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
# Make sure that you replace the following file in an atomic way.
#ocsp-response = /path/to/ocsp.der
# In case PKCS #11 or TPM keys are used the PINs should be available
# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
# root key).
#pin-file = /path/to/pin.txt
#srk-pin-file = /path/to/srkpin.txt
# The Certificate Authority that will be used
# to verify clients if certificate authentication
# is set.
#ca-cert = /path/to/ca.pem
# The object identifier that will be used to read the user ID in the client certificate.
# The object identifier should be part of the certificate's DN
# Useful OIDs are:
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
#cert-user-oid = 0.9.2342.19200300.100.1.1
# The object identifier that will be used to read the user group in the client
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
#cert-group-oid = 2.5.4.11
# A revocation list of ca-cert is set
#crl = /path/to/crl.pem
# GnuTLS priority string
tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
# To enforce perfect forward secrecy (PFS) on the main channel.
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
# The time (in seconds) that a client is allowed to stay connected prior
# to authentication
auth-timeout = 40
# The time (in seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
#min-reauth-time = 2
# Cookie validity time (in seconds)
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. This option sets the maximum lifetime
# of that cookie.
cookie-validity = 172800
# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
# may be "connect" or "disconnect".
#connect-script = /usr/bin/myscript
#disconnect-script = /usr/bin/myscript
# UTMP
use-utmp = true
# PID file
pid-file = ./ocserv.pid
# The default server directory. Does not require any devices present.
#chroot-dir = /path/to/chroot
# socket file used for IPC, will be appended with .PID
# It must be accessible within the chroot environment (if any)
socket-file = ./ocserv-socket
# The user the worker processes will be run as. It should be
# unique (no other services run as this user).
run-as-user = @USERNAME@
run-as-group = @GROUP@
# Network settings
device = vpns
# The default domain to be advertised
default-domain = example.com
ipv4-network = @VPNNET@
# Use the keywork local to advertize the local P-t-P address as DNS server
ipv4-dns = 192.168.1.1
# The NBNS server (if any)
#ipv4-nbns = 192.168.2.3
#ipv6-address =
#ipv6-mask =
#ipv6-dns =
# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
ping-leases = false
# Leave empty to assign the default MTU of the device
# mtu =
#route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0
#
# The following options are for (experimental) AnyConnect client
# compatibility. They are only available if the server is built
# with --enable-anyconnect
#
# Client profile xml. A sample file exists in doc/profile.xml.
# This file must be accessible from inside the worker's chroot.
# The profile is ignored by the openconnect client.
#user-profile = profile.xml
# Unless set to false it is required for clients to present their
# certificate even if they are authenticating via a previously granted
# cookie. Legacy CISCO clients do not do that, and thus this option
# should be set for them.
#always-require-cert = false

180
tests/haproxy-connect Executable file
View File

@@ -0,0 +1,180 @@
#!/bin/bash
#
# Copyright (C) 2018 Nikos Mavrogiannopoulos
#
# This file is part of ocserv.
#
# ocserv is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# ocserv is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
SERV="${SERV:-../src/ocserv}"
srcdir=${srcdir:-.}
PORT=4566
HAPORT=4567
PIDFILE=ocserv-pid.$$.tmp
CLIPID=oc-pid.$$.tmp
HACONFIG=haproxy.conf.$$.tmp
PATH=${PATH}:/usr/sbin
HAPROXY=$(which haproxy)
IP=$(which ip)
. `dirname $0`/common.sh
if test -z "${HAPROXY}";then
echo "no haproxy present"
exit 77
fi
if test -z "${IP}";then
echo "no IP tool is present"
exit 77
fi
if test "$(id -u)" != "0";then
echo "This test must be run as root"
exit 77
fi
echo "Testing ocserv connection via haproxy... "
function finish {
set +e
echo " * Cleaning up..."
test -n "${HAPID}" && kill ${HAPID} >/dev/null 2>&1
test -n "${PID}" && kill ${PID} >/dev/null 2>&1
test -n "${ETHNAME1}" && ${IP} link delete ${ETHNAME1} >/dev/null 2>&1
test -n "${ETHNAME2}" && ${IP} link delete ${ETHNAME2} >/dev/null 2>&1
test -n "${NSNAME1}" && ${IP} netns delete ${NSNAME1} >/dev/null 2>&1
test -n "${NSNAME2}" && ${IP} netns delete ${NSNAME2} >/dev/null 2>&1
test -n "${PIDFILE}" && rm -f ${PIDFILE} >/dev/null 2>&1
test -n "${CLIPID}" && kill $(cat ${CLIPID}) >/dev/null 2>&1
test -n "${CLIPID}" && rm -f ${CLIPID} >/dev/null 2>&1
test -n "${HACONFIG}" && rm -f ${HACONFIG} >/dev/null 2>&1
test -n "${CONFIG}" && rm -f ${CONFIG} >/dev/null 2>&1
test -n "${NUTTCPPID}" && kill ${NUTTCPPID} >/dev/null 2>&1
}
trap finish EXIT
# server address
ADDRESS=10.200.2.1
CLI_ADDRESS=10.200.1.1
VPNNET=192.168.1.0/24
VPNADDR=192.168.1.1
echo " * Setting up namespaces..."
set -e
NSNAME1="ocserv-c-tmp-$$"
NSNAME2="ocserv-s-tmp-$$"
ETHNAME1="oceth-c$$"
ETHNAME2="oceth-s$$"
${IP} netns add ${NSNAME1}
${IP} netns add ${NSNAME2}
${IP} link add ${ETHNAME1} type veth peer name ${ETHNAME2}
${IP} link set ${ETHNAME1} netns ${NSNAME1}
${IP} link set ${ETHNAME2} netns ${NSNAME2}
${IP} netns exec ${NSNAME1} ip link set ${ETHNAME1} up
${IP} netns exec ${NSNAME2} ip link set ${ETHNAME2} up
${IP} netns exec ${NSNAME2} ip link set lo up
${IP} netns exec ${NSNAME1} ip addr add ${CLI_ADDRESS} dev ${ETHNAME1}
${IP} netns exec ${NSNAME2} ip addr add ${ADDRESS} dev ${ETHNAME2}
${IP} netns exec ${NSNAME1} ip route add default via ${CLI_ADDRESS} dev ${ETHNAME1}
${IP} netns exec ${NSNAME2} ip route add default via ${ADDRESS} dev ${ETHNAME2}
${IP} netns exec ${NSNAME2} ip addr
${IP} netns exec ${NSNAME2} ip route
${IP} netns exec ${NSNAME1} ip route
${IP} netns exec ${NSNAME1} ping -c 1 ${ADDRESS}
${IP} netns exec ${NSNAME2} ping -c 1 ${ADDRESS}
${IP} netns exec ${NSNAME2} ping -c 1 ${CLI_ADDRESS}
set +e
# Run servers
update_config test-haproxy-connect.config
if test "$VERBOSE" = 1;then
DEBUG="-d 3"
fi
${IP} netns exec ${NSNAME2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$!
sleep 1
rm -f ${HACONFIG}
sed -e 's|@HAPORT@|'${HAPORT}'|g' -e 's|@PORT@|'${PORT}'|g' -e 's|@ADDRESS@|'${ADDRESS}'|g' ${srcdir}/data/haproxy-connect.cfg >${HACONFIG}
${IP} netns exec ${NSNAME2} ${HAPROXY} -f ${HACONFIG} -d & HAPID=$!
sleep 3
# Run clients
echo " * Getting cookie from ${ADDRESS}:${HAPORT}..."
( echo "test" | ${IP} netns exec ${NSNAME1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
if test $? != 0;then
echo "Could not get cookie from server"
exit 1
fi
echo " * Connecting to ${ADDRESS}:${HAPORT}..."
( echo "test" | ${IP} netns exec ${NSNAME1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
if test $? != 0;then
echo "Could not connect to server"
exit 1
fi
set -e
echo " * ping remote address"
${IP} netns exec ${NSNAME1} ping -c 3 ${VPNADDR}
set +e
echo " * Restarting haproxy..."
# Restart haproxy and reconnect.
kill ${HAPID}
sleep 2
${IP} netns exec ${NSNAME2} ${HAPROXY} -f ${HACONFIG} -d & HAPID=$!
sleep 2
kill $(cat ${CLIPID}) >/dev/null 2>&1
sleep 2
# This is to reproduce issue #146. There multiple entries of the client IP
# are present and these packets would trigger invalid lookup/crash.
echo " * Sending a stray UDP packet to VPN server"
set -e
${IP} netns exec ${NSNAME1} bash -c "echo -e \"\x17\xfe\xff\x00\x0b\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\" >/dev/udp/${ADDRESS}/${PORT}"
set +e
sleep 3
echo " * Re-connecting to obtain cookie after haproxy restart... "
( echo "test" | ${IP} netns exec ${NSNAME1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
if test $? != 0;then
echo "Could not receive cookie from server on reconnection"
exit 1
fi
if ! test -f ${PIDFILE};then
echo "Could not find pid file ${PIDFILE}"
exit 1
fi
exit 0

748
tests/scripts/vpnc-script Executable file
View File

@@ -0,0 +1,748 @@
#!/bin/sh
#
# Originally part of vpnc source code:
# © 2005-2012 Maurice Massar, Jörg Mayer, Antonio Borneo et al.
# © 2009-2012 David Woodhouse <dwmw2@infradead.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
################
#
# List of parameters passed through environment
#* reason -- why this script was called, one of: pre-init connect disconnect reconnect
#* VPNGATEWAY -- vpn gateway address (always present)
#* TUNDEV -- tunnel device (always present)
#* INTERNAL_IP4_ADDRESS -- address (always present)
#* INTERNAL_IP4_MTU -- mtu (often unset)
#* INTERNAL_IP4_NETMASK -- netmask (often unset)
#* INTERNAL_IP4_NETMASKLEN -- netmask length (often unset)
#* INTERNAL_IP4_NETADDR -- address of network (only present if netmask is set)
#* INTERNAL_IP4_DNS -- list of dns servers
#* INTERNAL_IP4_NBNS -- list of wins servers
#* INTERNAL_IP6_ADDRESS -- IPv6 address
#* INTERNAL_IP6_NETMASK -- IPv6 netmask
#* INTERNAL_IP6_DNS -- IPv6 list of dns servers
#* CISCO_DEF_DOMAIN -- default domain name
#* CISCO_BANNER -- banner from server
#* CISCO_SPLIT_INC -- number of networks in split-network-list
#* CISCO_SPLIT_INC_%d_ADDR -- network address
#* CISCO_SPLIT_INC_%d_MASK -- subnet mask (for example: 255.255.255.0)
#* CISCO_SPLIT_INC_%d_MASKLEN -- subnet masklen (for example: 24)
#* CISCO_SPLIT_INC_%d_PROTOCOL -- protocol (often just 0)
#* CISCO_SPLIT_INC_%d_SPORT -- source port (often just 0)
#* CISCO_SPLIT_INC_%d_DPORT -- destination port (often just 0)
#* CISCO_IPV6_SPLIT_INC -- number of networks in IPv6 split-network-list
#* CISCO_IPV6_SPLIT_INC_%d_ADDR -- IPv6 network address
#* CISCO_IPV6_SPLIT_INC_$%d_MASKLEN -- IPv6 subnet masklen
# FIXMEs:
# Section A: route handling
# 1) The 3 values CISCO_SPLIT_INC_%d_PROTOCOL/SPORT/DPORT are currently being ignored
# In order to use them, we'll probably need os specific solutions
# * Linux: iptables -t mangle -I PREROUTING <conditions> -j ROUTE --oif $TUNDEV
# This would be an *alternative* to changing the routes (and thus 2) and 3)
# shouldn't be relevant at all)
# 2) There are two different functions to set routes: generic routes and the
# default route. Why isn't the defaultroute handled via the generic route case?
# 3) In the split tunnel case, all routes but the default route might get replaced
# without getting restored later. We should explicitely check and save them just
# like the defaultroute
# 4) Replies to a dhcp-server should never be sent into the tunnel
# Section B: Split DNS handling
# 1) Maybe dnsmasq can do something like that
# 2) Parse dns packets going out via tunnel and redirect them to original dns-server
#env | sort
#set -x
# =========== script (variable) setup ====================================
PATH=/sbin:/usr/sbin:$PATH
OS="`uname -s`"
HOOKS_DIR=/etc/vpnc
DEFAULT_ROUTE_FILE=./defaultroute
SCRIPTNAME=`basename $0`
# some systems, eg. Darwin & FreeBSD, prune /var/run on boot
if [ ! -d "/var/run/vpnc" ]; then
mkdir -p /var/run/vpnc
[ -x /sbin/restorecon ] && /sbin/restorecon /var/run/vpnc
fi
# stupid SunOS: no blubber in /usr/local/bin ... (on stdout)
IPROUTE="`which ip 2> /dev/null | grep '^/'`"
if ifconfig --help 2>&1 | grep BusyBox > /dev/null; then
ifconfig_syntax_inet=""
else
ifconfig_syntax_inet="inet"
fi
if [ "$OS" = "Linux" ]; then
ifconfig_syntax_ptp="pointopoint"
route_syntax_gw="gw"
route_syntax_del="del"
route_syntax_netmask="netmask"
else
ifconfig_syntax_ptp=""
route_syntax_gw=""
route_syntax_del="delete"
route_syntax_netmask="-netmask"
fi
if [ "$OS" = "SunOS" ]; then
route_syntax_interface="-interface"
ifconfig_syntax_ptpv6="$INTERNAL_IP6_ADDRESS"
else
route_syntax_interface=""
ifconfig_syntax_ptpv6=""
fi
grep ^hosts /etc/nsswitch.conf|grep resolve >/dev/null 2>&1
if [ $? = 0 ];then
RESOLVEDENABLED=1
else
RESOLVEDENABLED=0
fi
MODIFYRESOLVCONF=modify_resolvconf_generic
RESTORERESOLVCONF=restore_resolvconf_generic
# =========== script hooks =================================================
run_hooks() {
HOOK="$1"
if [ -d ${HOOKS_DIR}/${HOOK}.d ]; then
for script in ${HOOKS_DIR}/${HOOK}.d/* ; do
[ -f $script ] && . $script
done
fi
}
# =========== tunnel interface handling ====================================
do_ifconfig() {
if [ -n "$INTERNAL_IP4_MTU" ]; then
MTU=$INTERNAL_IP4_MTU
elif [ -n "$IPROUTE" ]; then
MTUDEV=`$IPROUTE route get "$VPNGATEWAY" | sed -ne 's/^.*dev \([a-z0-9]*\).*$/\1/p'`
MTU=`$IPROUTE link show "$MTUDEV" | sed -ne 's/^.*mtu \([[:digit:]]\+\).*$/\1/p'`
if [ -n "$MTU" ]; then
MTU=`expr $MTU - 88`
fi
fi
if [ -z "$MTU" ]; then
MTU=1412
fi
# Point to point interface require a netmask of 255.255.255.255 on some systems
if [ -n "$IPROUTE" ]; then
$IPROUTE link set dev "$TUNDEV" up mtu "$MTU"
$IPROUTE addr add "$INTERNAL_IP4_ADDRESS/32" peer "$INTERNAL_IP4_ADDRESS" dev "$TUNDEV"
else
ifconfig "$TUNDEV" ${ifconfig_syntax_inet} "$INTERNAL_IP4_ADDRESS" $ifconfig_syntax_ptp "$INTERNAL_IP4_ADDRESS" netmask 255.255.255.255 mtu ${MTU} up
fi
if [ -n "$INTERNAL_IP4_NETMASK" ]; then
set_network_route $INTERNAL_IP4_NETADDR $INTERNAL_IP4_NETMASK $INTERNAL_IP4_NETMASKLEN
fi
# If the netmask is provided, it contains the address _and_ netmask
if [ -n "$INTERNAL_IP6_ADDRESS" ] && [ -z "$INTERNAL_IP6_NETMASK" ]; then
INTERNAL_IP6_NETMASK="$INTERNAL_IP6_ADDRESS/128"
fi
if [ -n "$INTERNAL_IP6_NETMASK" ]; then
if [ -n "$IPROUTE" ]; then
$IPROUTE -6 addr add $INTERNAL_IP6_NETMASK dev $TUNDEV
else
# Unlike for Legacy IP, we don't specify the dest_address
# here on *BSD. OpenBSD for one will refuse to accept
# incoming packets to that address if we do.
# OpenVPN does the same (gives dest_address for Legacy IP
# but not for IPv6).
# Only Solaris needs it; hence $ifconfig_syntax_ptpv6
ifconfig "$TUNDEV" inet6 $INTERNAL_IP6_NETMASK $ifconfig_syntax_ptpv6 mtu $MTU up
fi
fi
}
destroy_tun_device() {
case "$OS" in
NetBSD|OpenBSD) # and probably others...
ifconfig "$TUNDEV" destroy
;;
FreeBSD)
ifconfig "$TUNDEV" destroy > /dev/null 2>&1 &
;;
esac
}
# =========== route handling ====================================
if [ -n "$IPROUTE" ]; then
fix_ip_get_output () {
sed -e 's/ /\n/g' | \
sed -ne '1p;/via/{N;p};/dev/{N;p};/src/{N;p};/mtu/{N;p}'
}
set_vpngateway_route() {
$IPROUTE route add `$IPROUTE route get "$VPNGATEWAY" | fix_ip_get_output`
$IPROUTE route flush cache
}
del_vpngateway_route() {
$IPROUTE route $route_syntax_del "$VPNGATEWAY"
$IPROUTE route flush cache
}
set_default_route() {
$IPROUTE route | grep '^default' | fix_ip_get_output > "$DEFAULT_ROUTE_FILE"
$IPROUTE route replace default dev "$TUNDEV"
$IPROUTE route flush cache
}
set_network_route() {
NETWORK="$1"
NETMASK="$2"
NETMASKLEN="$3"
$IPROUTE route replace "$NETWORK/$NETMASKLEN" dev "$TUNDEV"
$IPROUTE route flush cache
}
reset_default_route() {
if [ -s "$DEFAULT_ROUTE_FILE" ]; then
$IPROUTE route replace `cat "$DEFAULT_ROUTE_FILE"`
$IPROUTE route flush cache
rm -f -- "$DEFAULT_ROUTE_FILE"
fi
}
del_network_route() {
NETWORK="$1"
NETMASK="$2"
NETMASKLEN="$3"
$IPROUTE route $route_syntax_del "$NETWORK/$NETMASKLEN" dev "$TUNDEV"
$IPROUTE route flush cache
}
set_ipv6_default_route() {
# We don't save/restore IPv6 default route; just add a higher-priority one.
$IPROUTE -6 route add default dev "$TUNDEV" metric 1
$IPROUTE -6 route flush cache
}
set_ipv6_network_route() {
NETWORK="$1"
NETMASKLEN="$2"
$IPROUTE -6 route replace "$NETWORK/$NETMASKLEN" dev "$TUNDEV"
$IPROUTE route flush cache
}
reset_ipv6_default_route() {
$IPROUTE -6 route del default dev "$TUNDEV"
$IPROUTE route flush cache
}
del_ipv6_network_route() {
NETWORK="$1"
NETMASKLEN="$2"
$IPROUTE -6 route del "$NETWORK/$NETMASKLEN" dev "$TUNDEV"
$IPROUTE -6 route flush cache
}
else # use route command
get_default_gw() {
# isn't -n supposed to give --numeric output?
# apperently not...
# Get rid of lines containing IPv6 addresses (':')
netstat -r -n | awk '/:/ { next; } /^(default|0\.0\.0\.0)/ { print $2; }'
}
set_vpngateway_route() {
route add -host "$VPNGATEWAY" $route_syntax_gw "`get_default_gw`"
}
del_vpngateway_route() {
route $route_syntax_del -host "$VPNGATEWAY" $route_syntax_gw "`get_default_gw`"
}
set_default_route() {
DEFAULTGW="`get_default_gw`"
echo "$DEFAULTGW" > "$DEFAULT_ROUTE_FILE"
route $route_syntax_del default $route_syntax_gw "$DEFAULTGW"
route add default $route_syntax_gw "$INTERNAL_IP4_ADDRESS" $route_syntax_interface
}
set_network_route() {
NETWORK="$1"
NETMASK="$2"
NETMASKLEN="$3"
del_network_route "$NETWORK" "$NETMASK" "$NETMASKLEN"
route add -net "$NETWORK" $route_syntax_netmask "$NETMASK" $route_syntax_gw "$INTERNAL_IP4_ADDRESS" $route_syntax_interface
}
reset_default_route() {
if [ -s "$DEFAULT_ROUTE_FILE" ]; then
route $route_syntax_del default $route_syntax_gw "`get_default_gw`" $route_syntax_interface
route add default $route_syntax_gw `cat "$DEFAULT_ROUTE_FILE"`
rm -f -- "$DEFAULT_ROUTE_FILE"
fi
}
del_network_route() {
case "$OS" in
Linux|NetBSD|OpenBSD|Darwin|SunOS) # and probably others...
# routes are deleted automatically on device shutdown
return
;;
esac
NETWORK="$1"
NETMASK="$2"
NETMASKLEN="$3"
route $route_syntax_del -net "$NETWORK" $route_syntax_netmask "$NETMASK" $route_syntax_gw "$INTERNAL_IP4_ADDRESS"
}
set_ipv6_default_route() {
route add -inet6 default "$INTERNAL_IP6_ADDRESS" $route_syntax_interface
}
set_ipv6_network_route() {
NETWORK="$1"
NETMASK="$2"
route add -inet6 -net "$NETWORK/$NETMASK" "$INTERNAL_IP6_ADDRESS" $route_syntax_interface
:
}
reset_ipv6_default_route() {
route $route_syntax_del -inet6 default "$INTERNAL_IP6_ADDRESS"
:
}
del_ipv6_network_route() {
NETWORK="$1"
NETMASK="$2"
route $route_syntax_del -inet6 "$NETWORK/$NETMASK" "$INTERNAL_IP6_ADDRESS"
:
}
fi
# =========== resolv.conf handling ====================================
# =========== resolv.conf handling for any OS =========================
modify_resolvconf_generic() {
if test -z "$RESOLVCONF_FILE";then
return
fi
NEW_RESOLVCONF="#@VPNC_GENERATED@ -- this file is generated by vpnc
# and will be overwritten by vpnc
# as long as the above mark is intact"
DOMAINS="$CISCO_DEF_DOMAIN"
for i in $INTERNAL_IP4_DNS ; do
NEW_RESOLVCONF="$NEW_RESOLVCONF
nameserver $i"
done
# note that "search" is mutually exclusive with "domain";
# "search" allows multiple domains to be listed, so use that
if [ -n "$DOMAINS" ]; then
NEW_RESOLVCONF="$NEW_RESOLVCONF
search $DOMAINS"
fi
echo "$NEW_RESOLVCONF" > $RESOLVCONF_FILE
if [ "$OS" = "Darwin" ]; then
case "`uname -r`" in
# Skip for pre-10.4 systems
4.*|5.*|6.*|7.*)
;;
# 10.4 and later require use of scutil for DNS to work properly
*)
OVERRIDE_PRIMARY=""
if [ -n "$CISCO_SPLIT_INC" ]; then
if [ $CISCO_SPLIT_INC -lt 1 ]; then
# Must override for correct default route
# Cannot use multiple DNS matching in this case
OVERRIDE_PRIMARY='d.add OverridePrimary # 1'
fi
# Overriding the default gateway breaks split routing
OVERRIDE_GATEWAY=""
# Not overriding the default gateway breaks usage of
# INTERNAL_IP4_DNS. Prepend INTERNAL_IP4_DNS to list
# of used DNS servers
SERVICE=`echo "show State:/Network/Global/IPv4" | scutil | grep -oE '[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}'`
SERVICE_DNS=`echo "show State:/Network/Service/$SERVICE/DNS" | scutil | grep -oE '([0-9]{1,3}[\.]){3}[0-9]{1,3}' | xargs`
if [ X"$SERVICE_DNS" != X"$INTERNAL_IP4_DNS" ]; then
scutil >/dev/null 2>&1 <<-EOF
open
get State:/Network/Service/$SERVICE/DNS
d.add ServerAddresses * $INTERNAL_IP4_DNS $SERVICE_DNS
set State:/Network/Service/$SERVICE/DNS
close
EOF
fi
else
# No split routing. Override default gateway
OVERRIDE_GATEWAY="d.add Router $INTERNAL_IP4_ADDRESS"
fi
# Uncomment the following if/fi pair to use multiple
# DNS matching when available. When multiple DNS matching
# is present, anything reading the /etc/resolv.conf file
# directly will probably not work as intended.
#if [ -z "$CISCO_DEF_DOMAIN" ]; then
# Cannot use multiple DNS matching without a domain
OVERRIDE_PRIMARY='d.add OverridePrimary # 1'
#fi
scutil >/dev/null 2>&1 <<-EOF
open
d.init
d.add ServerAddresses * $INTERNAL_IP4_DNS
set State:/Network/Service/$TUNDEV/DNS
d.init
$OVERRIDE_GATEWAY
d.add Addresses * $INTERNAL_IP4_ADDRESS
d.add SubnetMasks * 255.255.255.255
d.add InterfaceName $TUNDEV
$OVERRIDE_PRIMARY
set State:/Network/Service/$TUNDEV/IPv4
close
EOF
if [ -n "$CISCO_DEF_DOMAIN" ]; then
scutil >/dev/null 2>&1 <<-EOF
open
get State:/Network/Service/$TUNDEV/DNS
d.add DomainName $CISCO_DEF_DOMAIN
d.add SearchDomains * $CISCO_DEF_DOMAIN
d.add SupplementalMatchDomains * $CISCO_DEF_DOMAIN
set State:/Network/Service/$TUNDEV/DNS
close
EOF
fi
;;
esac
fi
}
restore_resolvconf_generic() {
if test -n "$RESOLVCONF_FILE";then
rm -f $RESOLVCONF_FILE
fi
}
AF_INET=2
get_if_index() {
local link
link="$(ip link show dev "$1")" || return $?
echo ${link} | awk -F: '{print $1}'
}
busctl_call() {
local dest node
dest=org.freedesktop.resolve1
node=/org/freedesktop/resolve1
busctl call "$dest" "${node}" "${dest}.Manager" "$@"
}
busctl_set_nameservers() {
local if_index addresses args addr
if_index=$1
shift
addresses="$@"
args="$if_index $#"
for addr in ${addresses}; do
args="$args ${AF_INET} 4 $(echo $addr | sed 's/[.]/ /g')"
done
busctl_call SetLinkDNS 'ia(iay)' ${args}
}
busctl_set_search() {
local if_index domains args domain
if_index=$1
shift
domains="$@"
args="$if_index $#"
for domain in ${domains}; do
args="$args ${domain} false"
done
busctl_call SetLinkDomains 'ia(sb)' ${args}
}
modify_resolved_manager() {
local if_index
if_index=$(get_if_index $TUNDEV)
busctl_set_nameservers $if_index $INTERNAL_IP4_DNS
if [ -n "$CISCO_DEF_DOMAIN" ]; then
busctl_set_search $if_index $CISCO_DEF_DOMAIN
fi
}
restore_resolved_manager() {
local if_index
if_index=$(get_if_index $TUNDEV)
busctl_call RevertLink 'i' $if_index
}
# === resolv.conf handling via unbound =========
modify_resolvconf_unbound() {
if [ -n "$CISCO_DEF_DOMAIN" ]; then
/usr/sbin/unbound-control forward_add +i ${CISCO_DEF_DOMAIN} ${INTERNAL_IP4_DNS}
/usr/sbin/unbound-control flush_requestlist
/usr/sbin/unbound-control flush_zone ${CISCO_DEF_DOMAIN}
fi
}
restore_resolvconf_unbound() {
if [ -n "$CISCO_DEF_DOMAIN" ]; then
/usr/sbin/unbound-control forward_remove +i ${CISCO_DEF_DOMAIN}
/usr/sbin/unbound-control flush_zone ${CISCO_DEF_DOMAIN}
/usr/sbin/unbound-control flush_requestlist
fi
}
# ========= Toplevel state handling =======================================
kernel_is_2_6_or_above() {
case `uname -r` in
1.*|2.[012345]*)
return 1
;;
*)
return 0
;;
esac
}
do_pre_init() {
if [ "$OS" = "Linux" ]; then
if (exec 6< /dev/net/tun) > /dev/null 2>&1 ; then
:
else # can't open /dev/net/tun
test -e /proc/sys/kernel/modprobe && `cat /proc/sys/kernel/modprobe` tun 2>/dev/null
# fix for broken devfs in kernel 2.6.x
if [ "`readlink /dev/net/tun`" = misc/net/tun \
-a ! -e /dev/net/misc/net/tun -a -e /dev/misc/net/tun ] ; then
ln -sf /dev/misc/net/tun /dev/net/tun
fi
# make sure tun device exists
if [ ! -e /dev/net/tun ]; then
mkdir -p /dev/net
mknod -m 0640 /dev/net/tun c 10 200
[ -x /sbin/restorecon ] && /sbin/restorecon /dev/net/tun
fi
# workaround for a possible latency caused by udev, sleep max. 10s
if kernel_is_2_6_or_above ; then
for x in `seq 100` ; do
(exec 6<> /dev/net/tun) > /dev/null 2>&1 && break;
sleep 0.1
done
fi
fi
elif [ "$OS" = "FreeBSD" ]; then
if ! kldstat -q -m if_tun > /dev/null; then
kldload if_tun
fi
if ! ifconfig $TUNDEV > /dev/null; then
ifconfig $TUNDEV create
fi
elif [ "$OS" = "GNU/kFreeBSD" ]; then
if [ ! -e /dev/tun ]; then
kldload if_tun
fi
elif [ "$OS" = "NetBSD" ]; then
:
elif [ "$OS" = "OpenBSD" ]; then
if ! ifconfig $TUNDEV > /dev/null; then
ifconfig $TUNDEV create
fi
:
elif [ "$OS" = "SunOS" ]; then
:
elif [ "$OS" = "Darwin" ]; then
:
fi
}
do_connect() {
if [ -n "$CISCO_BANNER" ]; then
echo "Connect Banner:"
echo "$CISCO_BANNER" | while read LINE ; do echo "|" "$LINE" ; done
echo
fi
set_vpngateway_route
do_ifconfig
if [ -n "$CISCO_SPLIT_INC" ]; then
i=0
while [ $i -lt $CISCO_SPLIT_INC ] ; do
eval NETWORK="\${CISCO_SPLIT_INC_${i}_ADDR}"
eval NETMASK="\${CISCO_SPLIT_INC_${i}_MASK}"
eval NETMASKLEN="\${CISCO_SPLIT_INC_${i}_MASKLEN}"
if [ "$NETWORK" != "0.0.0.0" ]; then
set_network_route "$NETWORK" "$NETMASK" "$NETMASKLEN"
else
set_default_route
fi
i=`expr $i + 1`
done
for i in $INTERNAL_IP4_DNS ; do
echo "$i" | grep : >/dev/null || \
set_network_route "$i" "255.255.255.255" "32"
done
elif [ -n "$INTERNAL_IP4_ADDRESS" ]; then
set_default_route
fi
if [ -n "$CISCO_IPV6_SPLIT_INC" ]; then
i=0
while [ $i -lt $CISCO_IPV6_SPLIT_INC ] ; do
eval NETWORK="\${CISCO_IPV6_SPLIT_INC_${i}_ADDR}"
eval NETMASKLEN="\${CISCO_IPV6_SPLIT_INC_${i}_MASKLEN}"
if [ $NETMASKLEN -lt 128 ]; then
set_ipv6_network_route "$NETWORK" "$NETMASKLEN"
else
set_ipv6_default_route
fi
i=`expr $i + 1`
done
for i in $INTERNAL_IP4_DNS ; do
if echo "$i" | grep : >/dev/null; then
set_ipv6_network_route "$i" "128"
fi
done
elif [ -n "$INTERNAL_IP6_NETMASK" -o -n "$INTERNAL_IP6_ADDRESS" ]; then
set_ipv6_default_route
fi
if [ -n "$INTERNAL_IP4_DNS" ]; then
$MODIFYRESOLVCONF
fi
}
do_disconnect() {
if [ -n "$CISCO_SPLIT_INC" ]; then
i=0
while [ $i -lt $CISCO_SPLIT_INC ] ; do
eval NETWORK="\${CISCO_SPLIT_INC_${i}_ADDR}"
eval NETMASK="\${CISCO_SPLIT_INC_${i}_MASK}"
eval NETMASKLEN="\${CISCO_SPLIT_INC_${i}_MASKLEN}"
if [ "$NETWORK" != "0.0.0.0" ]; then
# FIXME: This doesn't restore previously overwritten
# routes.
del_network_route "$NETWORK" "$NETMASK" "$NETMASKLEN"
else
reset_default_route
fi
i=`expr $i + 1`
done
for i in $INTERNAL_IP4_DNS ; do
del_network_route "$i" "255.255.255.255" "32"
done
else
reset_default_route
fi
if [ -n "$CISCO_IPV6_SPLIT_INC" ]; then
i=0
while [ $i -lt $CISCO_IPV6_SPLIT_INC ] ; do
eval NETWORK="\${CISCO_IPV6_SPLIT_INC_${i}_ADDR}"
eval NETMASKLEN="\${CISCO_IPV6_SPLIT_INC_${i}_MASKLEN}"
if [ $NETMASKLEN -eq 0 ]; then
reset_ipv6_default_route
else
del_ipv6_network_route "$NETWORK" "$NETMASKLEN"
fi
i=`expr $i + 1`
done
for i in $INTERNAL_IP6_DNS ; do
del_ipv6_network_route "$i" "128"
done
elif [ -n "$INTERNAL_IP6_NETMASK" -o -n "$INTERNAL_IP6_ADDRESS" ]; then
reset_ipv6_default_route
fi
del_vpngateway_route
if [ -n "$INTERNAL_IP4_DNS" ]; then
$RESTORERESOLVCONF
fi
if [ -n "$IPROUTE" ]; then
if [ -n "$INTERNAL_IP4_ADDRESS" ]; then
$IPROUTE addr del "$INTERNAL_IP4_ADDRESS/255.255.255.255" peer "$INTERNAL_IP4_ADDRESS" dev "$TUNDEV"
fi
# If the netmask is provided, it contains the address _and_ netmask
if [ -n "$INTERNAL_IP6_ADDRESS" ] && [ -z "$INTERNAL_IP6_NETMASK" ]; then
INTERNAL_IP6_NETMASK="$INTERNAL_IP6_ADDRESS/128"
fi
if [ -n "$INTERNAL_IP6_NETMASK" ]; then
$IPROUTE -6 addr del $INTERNAL_IP6_NETMASK dev $TUNDEV
fi
else
if [ -n "$INTERNAL_IP4_ADDRESS" ]; then
ifconfig "$TUNDEV" 0.0.0.0
fi
if [ -n "$INTERNAL_IP6_ADDRESS" ] && [ -z "$INTERNAL_IP6_NETMASK" ]; then
INTERNAL_IP6_NETMASK="$INTERNAL_IP6_ADDRESS/128"
fi
if [ -n "$INTERNAL_IP6_NETMASK" ]; then
ifconfig "$TUNDEV" inet6 del $INTERNAL_IP6_NETMASK
fi
fi
destroy_tun_device
}
#### Main
if [ -z "$reason" ]; then
echo "this script must be called from vpnc" 1>&2
exit 1
fi
case "$reason" in
pre-init)
run_hooks pre-init
do_pre_init
;;
connect)
run_hooks connect
do_connect
run_hooks post-connect
;;
disconnect)
run_hooks disconnect
do_disconnect
run_hooks post-disconnect
;;
reconnect)
run_hooks reconnect
;;
*)
echo "unknown reason '$reason'. Maybe vpnc-script is out of date" 1>&2
exit 1
;;
esac
exit 0