summaryrefslogtreecommitdiff
path: root/openvpn/contrib
diff options
context:
space:
mode:
Diffstat (limited to 'openvpn/contrib')
-rw-r--r--openvpn/contrib/README2
-rw-r--r--openvpn/contrib/multilevel-init.patch79
-rw-r--r--openvpn/contrib/openvpn-fwmarkroute-1.00/README44
-rwxr-xr-xopenvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down22
-rwxr-xr-xopenvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up49
-rw-r--r--openvpn/contrib/pull-resolv-conf/client.down76
-rw-r--r--openvpn/contrib/pull-resolv-conf/client.up75
7 files changed, 347 insertions, 0 deletions
diff --git a/openvpn/contrib/README b/openvpn/contrib/README
new file mode 100644
index 0000000..e1a57d0
--- /dev/null
+++ b/openvpn/contrib/README
@@ -0,0 +1,2 @@
+This directory contains scripts and patches contributed
+by users.
diff --git a/openvpn/contrib/multilevel-init.patch b/openvpn/contrib/multilevel-init.patch
new file mode 100644
index 0000000..8d48fbc
--- /dev/null
+++ b/openvpn/contrib/multilevel-init.patch
@@ -0,0 +1,79 @@
+--- /etc/init.d/openvpn 2004-05-12 20:30:06.000000000 +0200
++++ openvpn 2004-05-12 20:34:33.000000000 +0200
+@@ -58,13 +58,13 @@
+ # returning success or failure status to caller (James Yonan).
+
+ # Location of openvpn binary
+-openvpn="/usr/sbin/openvpn"
++openvpn=/usr/sbin/openvpn
+
+ # Lockfile
+-lock="/var/lock/subsys/openvpn"
++lock=/var/lock/subsys/openvpn
+
+ # PID directory
+-piddir="/var/run/openvpn"
++piddir=/var/run/openvpn
+
+ # Our working directory
+ work=/etc/openvpn
+@@ -106,7 +106,7 @@
+
+ if [ -f $lock ]; then
+ # we were not shut down correctly
+- for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do
++ for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do
+ if [ -s $pidf ]; then
+ kill `cat $pidf` >/dev/null 2>&1
+ fi
+@@ -116,12 +116,12 @@
+ sleep 2
+ fi
+
+- rm -f $piddir/*.pid $piddir/*/*.pid
++ find $piddir -name "*.pid"|xargs rm -f
+
+ # Start every .conf in $work and run .sh if exists
+ errors=0
+ successes=0
+- for c in `/bin/ls *.conf */*.conf 2>/dev/null`; do
++ for c in `find * -name "*.conf" 2>/dev/null`; do
+ bn=${c%%.conf}
+ if [ -f "$bn.sh" ]; then
+ . $bn.sh
+@@ -147,7 +147,7 @@
+ ;;
+ stop)
+ echo -n $"Shutting down openvpn: "
+- for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do
++ for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do
+ if [ -s $pidf ]; then
+ kill `cat $pidf` >/dev/null 2>&1
+ fi
+@@ -163,7 +163,7 @@
+ ;;
+ reload)
+ if [ -f $lock ]; then
+- for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do
++ for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do
+ if [ -s $pidf ]; then
+ kill -HUP `cat $pidf` >/dev/null 2>&1
+ fi
+@@ -175,7 +175,7 @@
+ ;;
+ reopen)
+ if [ -f $lock ]; then
+- for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do
++ for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do
+ if [ -s $pidf ]; then
+ kill -USR1 `cat $pidf` >/dev/null 2>&1
+ fi
+@@ -195,7 +195,7 @@
+ ;;
+ status)
+ if [ -f $lock ]; then
+- for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do
++ for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do
+ if [ -s $pidf ]; then
+ kill -USR2 `cat $pidf` >/dev/null 2>&1
+ fi
diff --git a/openvpn/contrib/openvpn-fwmarkroute-1.00/README b/openvpn/contrib/openvpn-fwmarkroute-1.00/README
new file mode 100644
index 0000000..66fe61a
--- /dev/null
+++ b/openvpn/contrib/openvpn-fwmarkroute-1.00/README
@@ -0,0 +1,44 @@
+OpenVPN fwmark Routing
+Sean Reifschneider, <jafo@tummy.com>
+Thursday November 27, 2003
+==========================
+
+These scripts can be used with OpenVPN up and down scripts to set up
+routing on a Linux system such that the VPN traffic is sent via normal
+network connectivity, but other traffic to that network runs over the VPN.
+The idea is to allow encryption of data to the network the remote host is
+on, without interfering with the VPN traffic. You can't simply add a route
+to the remote network, becaues that will cause the VPN traffic to also try
+to run over the VPN, and breaks the VPN.
+
+These scripts use the Linux "fwmark" iptables rules to specify routing
+based not only on IP address, but also by port and protocol. This allows
+you to effectively say "if the packet is to this IP address on this port
+using this protocol, then use the normal default gateway, otherwise use the
+VPN gateway.
+
+This is set up on the client VPN system, not the VPN server. These scripts
+also set up all ICMP echo-responses to run across the VPN. You can
+comment the lines in the scripts to disable this, but I find this useful
+at coffee shops which have networks that block ICMP.
+
+To configure this, you need to set up these scripts as your up and down
+scripts in the config file. You will need to set these values in the
+config file:
+
+ up /etc/openvpn/fwmarkroute.up
+ down /etc/openvpn/fwmarkroute.down
+ up-restart
+ up-delay
+
+ setenv remote_netmask_bits 24
+
+Note: For this to work, you can't set the "user" or "group" config options,
+because then the scripts will not run as root.
+
+The last setting allows you to control the size of the network the remote
+system is on. The remote end has to be set up to route, probably with
+masquerading or NAT. The network this netmask relates to is calculated
+using the value of "remote" in the conf file.
+
+Sean
diff --git a/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down b/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down
new file mode 100755
index 0000000..87d67d4
--- /dev/null
+++ b/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Bring down vpn routing.
+
+# calculate the network address
+remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"`
+remote_network="${remote_network#*=}"
+
+# clear routing via VPN
+ip route del "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out
+ip route del table vpnonly.out via "$5"
+iptables -D OUTPUT -t mangle -p "$proto" \
+ -d "$remote_network"/"$remote_netmask_bits" \
+ --dport "$remote_port" -j ACCEPT
+iptables -D OUTPUT -t mangle -d "$remote" -j MARK --set-mark 2
+
+# undo the ICMP ping tunneling
+iptables -D OUTPUT -t mangle --protocol icmp --icmp-type echo-request \
+ -j MARK --set-mark 3
+
+# flush route cache
+ip route flush cache
diff --git a/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up b/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up
new file mode 100755
index 0000000..661ec31
--- /dev/null
+++ b/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up
@@ -0,0 +1,49 @@
+#!/bin/sh
+#
+# Bring up vpn routing.
+
+# calculate the network address
+remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"`
+remote_network="${remote_network#*=}"
+
+# add the stuff that doesn't change if it's not already there
+grep -q '^202 ' /etc/iproute2/rt_tables
+if [ "$?" -ne 0 ]
+then
+ echo 202 vpn.out >> /etc/iproute2/rt_tables
+fi
+grep -q '^203 ' /etc/iproute2/rt_tables
+if [ "$?" -ne 0 ]
+then
+ echo 203 vpnonly.out >> /etc/iproute2/rt_tables
+fi
+ip rule ls | grep -q 'lookup vpn.out *$'
+if [ "$?" -ne 0 ]
+then
+ ip rule add fwmark 2 table vpn.out
+fi
+ip rule ls | grep -q 'lookup vpnonly.out *$'
+if [ "$?" -ne 0 ]
+then
+ ip rule add fwmark 3 table vpnonly.out
+fi
+
+# route VPN traffic using the normal table
+iptables -A OUTPUT -t mangle -p "$proto" -d "$remote" --dport "$remote_port" \
+ -j ACCEPT
+
+# route all other traffic to that host via VPN
+iptables -A OUTPUT -t mangle -d "$remote_network"/"$remote_netmask_bits" \
+ -j MARK --set-mark 2
+
+# route all ICMP pings over the VPN
+iptables -A OUTPUT -t mangle --protocol icmp --icmp-type echo-request \
+ -j MARK --set-mark 3
+
+# NAT traffic going over the VPN, so it doesn't have an unknown address
+iptables -t nat -A POSTROUTING -o "$1" -j SNAT --to-source "$4"
+
+# add routing commands
+ip route add "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out
+ip route add table vpnonly.out via "$5"
+ip route flush cache
diff --git a/openvpn/contrib/pull-resolv-conf/client.down b/openvpn/contrib/pull-resolv-conf/client.down
new file mode 100644
index 0000000..d51472f
--- /dev/null
+++ b/openvpn/contrib/pull-resolv-conf/client.down
@@ -0,0 +1,76 @@
+#!/bin/bash
+
+# Copyright (c) 2005 by OpenVPN Solutions LLC
+# Licensed under the GPL version 2
+
+# First version by Jesse Adelman
+# someone at boldandbusted dink com
+# http://www.boldandbusted.com/
+
+# PURPOSE: This script automatically removes the /etc/resolv.conf entries previously
+# set by the companion script "client.up".
+
+# INSTALL NOTES:
+# Place this in /etc/openvpn/client.down
+# Then, add the following to your /etc/openvpn/<clientconfig>.conf:
+# client
+# pull dhcp-options
+# up /etc/openvpn/client.up
+# down /etc/openvpn/client.down
+# Next, "chmod a+x /etc/openvpn/client.down"
+
+# USAGE NOTES:
+# Note that this script is best served with the companion "client.up"
+# script.
+
+# Only tested on Gentoo Linux 2005.0 with OpenVPN 2.0
+# It should work with any GNU/Linux with /etc/resolv.conf
+
+# This runs with the context of the OpenVPN UID/GID
+# at the time of execution. This generally means that
+# the client "up" script will run fine, but the "down" script
+# will require the use of the OpenVPN "down-root" plugin
+# which is in the plugins/ directory of the OpenVPN source tree
+
+# A horrid work around, from a security perspective,
+# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have
+# been WARNED.
+
+# init variables
+
+i=1
+j=1
+unset fopt
+unset dns
+unset opt
+
+# Convert ENVs to an array
+
+while fopt=foreign_option_$i; [ -n "${!fopt}" ]; do
+{
+ opt[i-1]=${!fopt}
+ case ${opt[i-1]} in
+ *DOMAIN* ) domain=`echo ${opt[i-1]} | \
+ sed -e 's/dhcp-option DOMAIN //g'` ;;
+ *DNS* ) dns[j-1]=`echo ${opt[i-1]} | \
+ sed -e 's/dhcp-option DNS //g'`
+ let j++ ;;
+ esac
+ let i++
+}
+done
+
+# Now, do the work
+
+if [ -n "${dns[*]}" ]; then
+ for i in "${dns[@]}"; do
+ sed -i -e "/nameserver ${i}/D" /etc/resolv.conf || die
+ done
+fi
+
+if [ -n "${domain}" ]; then
+ sed -i -e "/search ${domain}/D" /etc/resolv.conf || die
+fi
+
+# all done...
+exit 0
diff --git a/openvpn/contrib/pull-resolv-conf/client.up b/openvpn/contrib/pull-resolv-conf/client.up
new file mode 100644
index 0000000..48b1a39
--- /dev/null
+++ b/openvpn/contrib/pull-resolv-conf/client.up
@@ -0,0 +1,75 @@
+#!/bin/bash
+
+# Copyright (c) 2005 by OpenVPN Solutions LLC
+# Licensed under the GPL version 2
+
+# First version by Jesse Adelman
+# someone at boldandbusted dink com
+# http://www.boldandbusted.com/
+
+# PURPOSE: This script automatically sets the proper /etc/resolv.conf entries
+# as pulled down from an OpenVPN server.
+
+# INSTALL NOTES:
+# Place this in /etc/openvpn/client.up
+# Then, add the following to your /etc/openvpn/<clientconfig>.conf:
+# client
+# pull dhcp-options
+# up /etc/openvpn/client.up
+# Next, "chmod a+x /etc/openvpn/client.up"
+
+# USAGE NOTES:
+# Note that this script is best served with the companion "client.down"
+# script.
+
+# Only tested on Gentoo Linux 2005.0 with OpenVPN 2.0
+# It should work with any GNU/Linux with /etc/resolv.conf
+
+# This runs with the context of the OpenVPN UID/GID
+# at the time of execution. This generally means that
+# the client "up" script will run fine, but the "down" script
+# will require the use of the OpenVPN "down-root" plugin
+# which is in the plugins/ directory of the OpenVPN source tree
+
+# A horrid work around, from a security perspective,
+# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have
+# been WARNED.
+
+# init variables
+
+i=1
+j=1
+unset fopt
+unset dns
+unset opt
+
+# Convert ENVs to an array
+
+while fopt=foreign_option_$i; [ -n "${!fopt}" ]; do
+{
+ opt[i-1]=${!fopt}
+ case ${opt[i-1]} in
+ *DOMAIN* ) domain=`echo ${opt[i-1]} | \
+ sed -e 's/dhcp-option DOMAIN //g'` ;;
+ *DNS* ) dns[j-1]=`echo ${opt[i-1]} | \
+ sed -e 's/dhcp-option DNS //g'`
+ let j++ ;;
+ esac
+ let i++
+}
+done
+
+# Now, do the work
+
+if [ -n "${dns[*]}" ]; then
+ for i in "${dns[@]}"; do
+ sed -i -e "1,1 i nameserver ${i}" /etc/resolv.conf || die
+ done
+fi
+
+if [ -n "${domain}" ]; then
+ sed -i -e "$j,1 i search ${domain}" /etc/resolv.conf || die
+fi
+
+# all done...
+exit 0