diff options
Diffstat (limited to 'openvpn/contrib')
-rw-r--r-- | openvpn/contrib/README | 2 | ||||
-rw-r--r-- | openvpn/contrib/multilevel-init.patch | 79 | ||||
-rw-r--r-- | openvpn/contrib/openvpn-fwmarkroute-1.00/README | 44 | ||||
-rwxr-xr-x | openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down | 22 | ||||
-rwxr-xr-x | openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up | 49 | ||||
-rw-r--r-- | openvpn/contrib/pull-resolv-conf/client.down | 76 | ||||
-rw-r--r-- | openvpn/contrib/pull-resolv-conf/client.up | 75 |
7 files changed, 347 insertions, 0 deletions
diff --git a/openvpn/contrib/README b/openvpn/contrib/README new file mode 100644 index 0000000..e1a57d0 --- /dev/null +++ b/openvpn/contrib/README @@ -0,0 +1,2 @@ +This directory contains scripts and patches contributed +by users. diff --git a/openvpn/contrib/multilevel-init.patch b/openvpn/contrib/multilevel-init.patch new file mode 100644 index 0000000..8d48fbc --- /dev/null +++ b/openvpn/contrib/multilevel-init.patch @@ -0,0 +1,79 @@ +--- /etc/init.d/openvpn 2004-05-12 20:30:06.000000000 +0200 ++++ openvpn 2004-05-12 20:34:33.000000000 +0200 +@@ -58,13 +58,13 @@ + # returning success or failure status to caller (James Yonan). + + # Location of openvpn binary +-openvpn="/usr/sbin/openvpn" ++openvpn=/usr/sbin/openvpn + + # Lockfile +-lock="/var/lock/subsys/openvpn" ++lock=/var/lock/subsys/openvpn + + # PID directory +-piddir="/var/run/openvpn" ++piddir=/var/run/openvpn + + # Our working directory + work=/etc/openvpn +@@ -106,7 +106,7 @@ + + if [ -f $lock ]; then + # we were not shut down correctly +- for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do ++ for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do + if [ -s $pidf ]; then + kill `cat $pidf` >/dev/null 2>&1 + fi +@@ -116,12 +116,12 @@ + sleep 2 + fi + +- rm -f $piddir/*.pid $piddir/*/*.pid ++ find $piddir -name "*.pid"|xargs rm -f + + # Start every .conf in $work and run .sh if exists + errors=0 + successes=0 +- for c in `/bin/ls *.conf */*.conf 2>/dev/null`; do ++ for c in `find * -name "*.conf" 2>/dev/null`; do + bn=${c%%.conf} + if [ -f "$bn.sh" ]; then + . $bn.sh +@@ -147,7 +147,7 @@ + ;; + stop) + echo -n $"Shutting down openvpn: " +- for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do ++ for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do + if [ -s $pidf ]; then + kill `cat $pidf` >/dev/null 2>&1 + fi +@@ -163,7 +163,7 @@ + ;; + reload) + if [ -f $lock ]; then +- for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do ++ for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do + if [ -s $pidf ]; then + kill -HUP `cat $pidf` >/dev/null 2>&1 + fi +@@ -175,7 +175,7 @@ + ;; + reopen) + if [ -f $lock ]; then +- for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do ++ for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do + if [ -s $pidf ]; then + kill -USR1 `cat $pidf` >/dev/null 2>&1 + fi +@@ -195,7 +195,7 @@ + ;; + status) + if [ -f $lock ]; then +- for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do ++ for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do + if [ -s $pidf ]; then + kill -USR2 `cat $pidf` >/dev/null 2>&1 + fi diff --git a/openvpn/contrib/openvpn-fwmarkroute-1.00/README b/openvpn/contrib/openvpn-fwmarkroute-1.00/README new file mode 100644 index 0000000..66fe61a --- /dev/null +++ b/openvpn/contrib/openvpn-fwmarkroute-1.00/README @@ -0,0 +1,44 @@ +OpenVPN fwmark Routing +Sean Reifschneider, <jafo@tummy.com> +Thursday November 27, 2003 +========================== + +These scripts can be used with OpenVPN up and down scripts to set up +routing on a Linux system such that the VPN traffic is sent via normal +network connectivity, but other traffic to that network runs over the VPN. +The idea is to allow encryption of data to the network the remote host is +on, without interfering with the VPN traffic. You can't simply add a route +to the remote network, becaues that will cause the VPN traffic to also try +to run over the VPN, and breaks the VPN. + +These scripts use the Linux "fwmark" iptables rules to specify routing +based not only on IP address, but also by port and protocol. This allows +you to effectively say "if the packet is to this IP address on this port +using this protocol, then use the normal default gateway, otherwise use the +VPN gateway. + +This is set up on the client VPN system, not the VPN server. These scripts +also set up all ICMP echo-responses to run across the VPN. You can +comment the lines in the scripts to disable this, but I find this useful +at coffee shops which have networks that block ICMP. + +To configure this, you need to set up these scripts as your up and down +scripts in the config file. You will need to set these values in the +config file: + + up /etc/openvpn/fwmarkroute.up + down /etc/openvpn/fwmarkroute.down + up-restart + up-delay + + setenv remote_netmask_bits 24 + +Note: For this to work, you can't set the "user" or "group" config options, +because then the scripts will not run as root. + +The last setting allows you to control the size of the network the remote +system is on. The remote end has to be set up to route, probably with +masquerading or NAT. The network this netmask relates to is calculated +using the value of "remote" in the conf file. + +Sean diff --git a/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down b/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down new file mode 100755 index 0000000..87d67d4 --- /dev/null +++ b/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down @@ -0,0 +1,22 @@ +#!/bin/sh +# +# Bring down vpn routing. + +# calculate the network address +remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"` +remote_network="${remote_network#*=}" + +# clear routing via VPN +ip route del "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out +ip route del table vpnonly.out via "$5" +iptables -D OUTPUT -t mangle -p "$proto" \ + -d "$remote_network"/"$remote_netmask_bits" \ + --dport "$remote_port" -j ACCEPT +iptables -D OUTPUT -t mangle -d "$remote" -j MARK --set-mark 2 + +# undo the ICMP ping tunneling +iptables -D OUTPUT -t mangle --protocol icmp --icmp-type echo-request \ + -j MARK --set-mark 3 + +# flush route cache +ip route flush cache diff --git a/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up b/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up new file mode 100755 index 0000000..661ec31 --- /dev/null +++ b/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up @@ -0,0 +1,49 @@ +#!/bin/sh +# +# Bring up vpn routing. + +# calculate the network address +remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"` +remote_network="${remote_network#*=}" + +# add the stuff that doesn't change if it's not already there +grep -q '^202 ' /etc/iproute2/rt_tables +if [ "$?" -ne 0 ] +then + echo 202 vpn.out >> /etc/iproute2/rt_tables +fi +grep -q '^203 ' /etc/iproute2/rt_tables +if [ "$?" -ne 0 ] +then + echo 203 vpnonly.out >> /etc/iproute2/rt_tables +fi +ip rule ls | grep -q 'lookup vpn.out *$' +if [ "$?" -ne 0 ] +then + ip rule add fwmark 2 table vpn.out +fi +ip rule ls | grep -q 'lookup vpnonly.out *$' +if [ "$?" -ne 0 ] +then + ip rule add fwmark 3 table vpnonly.out +fi + +# route VPN traffic using the normal table +iptables -A OUTPUT -t mangle -p "$proto" -d "$remote" --dport "$remote_port" \ + -j ACCEPT + +# route all other traffic to that host via VPN +iptables -A OUTPUT -t mangle -d "$remote_network"/"$remote_netmask_bits" \ + -j MARK --set-mark 2 + +# route all ICMP pings over the VPN +iptables -A OUTPUT -t mangle --protocol icmp --icmp-type echo-request \ + -j MARK --set-mark 3 + +# NAT traffic going over the VPN, so it doesn't have an unknown address +iptables -t nat -A POSTROUTING -o "$1" -j SNAT --to-source "$4" + +# add routing commands +ip route add "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out +ip route add table vpnonly.out via "$5" +ip route flush cache diff --git a/openvpn/contrib/pull-resolv-conf/client.down b/openvpn/contrib/pull-resolv-conf/client.down new file mode 100644 index 0000000..d51472f --- /dev/null +++ b/openvpn/contrib/pull-resolv-conf/client.down @@ -0,0 +1,76 @@ +#!/bin/bash + +# Copyright (c) 2005 by OpenVPN Solutions LLC +# Licensed under the GPL version 2 + +# First version by Jesse Adelman +# someone at boldandbusted dink com +# http://www.boldandbusted.com/ + +# PURPOSE: This script automatically removes the /etc/resolv.conf entries previously +# set by the companion script "client.up". + +# INSTALL NOTES: +# Place this in /etc/openvpn/client.down +# Then, add the following to your /etc/openvpn/<clientconfig>.conf: +# client +# pull dhcp-options +# up /etc/openvpn/client.up +# down /etc/openvpn/client.down +# Next, "chmod a+x /etc/openvpn/client.down" + +# USAGE NOTES: +# Note that this script is best served with the companion "client.up" +# script. + +# Only tested on Gentoo Linux 2005.0 with OpenVPN 2.0 +# It should work with any GNU/Linux with /etc/resolv.conf + +# This runs with the context of the OpenVPN UID/GID +# at the time of execution. This generally means that +# the client "up" script will run fine, but the "down" script +# will require the use of the OpenVPN "down-root" plugin +# which is in the plugins/ directory of the OpenVPN source tree + +# A horrid work around, from a security perspective, +# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have +# been WARNED. + +# init variables + +i=1 +j=1 +unset fopt +unset dns +unset opt + +# Convert ENVs to an array + +while fopt=foreign_option_$i; [ -n "${!fopt}" ]; do +{ + opt[i-1]=${!fopt} + case ${opt[i-1]} in + *DOMAIN* ) domain=`echo ${opt[i-1]} | \ + sed -e 's/dhcp-option DOMAIN //g'` ;; + *DNS* ) dns[j-1]=`echo ${opt[i-1]} | \ + sed -e 's/dhcp-option DNS //g'` + let j++ ;; + esac + let i++ +} +done + +# Now, do the work + +if [ -n "${dns[*]}" ]; then + for i in "${dns[@]}"; do + sed -i -e "/nameserver ${i}/D" /etc/resolv.conf || die + done +fi + +if [ -n "${domain}" ]; then + sed -i -e "/search ${domain}/D" /etc/resolv.conf || die +fi + +# all done... +exit 0 diff --git a/openvpn/contrib/pull-resolv-conf/client.up b/openvpn/contrib/pull-resolv-conf/client.up new file mode 100644 index 0000000..48b1a39 --- /dev/null +++ b/openvpn/contrib/pull-resolv-conf/client.up @@ -0,0 +1,75 @@ +#!/bin/bash + +# Copyright (c) 2005 by OpenVPN Solutions LLC +# Licensed under the GPL version 2 + +# First version by Jesse Adelman +# someone at boldandbusted dink com +# http://www.boldandbusted.com/ + +# PURPOSE: This script automatically sets the proper /etc/resolv.conf entries +# as pulled down from an OpenVPN server. + +# INSTALL NOTES: +# Place this in /etc/openvpn/client.up +# Then, add the following to your /etc/openvpn/<clientconfig>.conf: +# client +# pull dhcp-options +# up /etc/openvpn/client.up +# Next, "chmod a+x /etc/openvpn/client.up" + +# USAGE NOTES: +# Note that this script is best served with the companion "client.down" +# script. + +# Only tested on Gentoo Linux 2005.0 with OpenVPN 2.0 +# It should work with any GNU/Linux with /etc/resolv.conf + +# This runs with the context of the OpenVPN UID/GID +# at the time of execution. This generally means that +# the client "up" script will run fine, but the "down" script +# will require the use of the OpenVPN "down-root" plugin +# which is in the plugins/ directory of the OpenVPN source tree + +# A horrid work around, from a security perspective, +# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have +# been WARNED. + +# init variables + +i=1 +j=1 +unset fopt +unset dns +unset opt + +# Convert ENVs to an array + +while fopt=foreign_option_$i; [ -n "${!fopt}" ]; do +{ + opt[i-1]=${!fopt} + case ${opt[i-1]} in + *DOMAIN* ) domain=`echo ${opt[i-1]} | \ + sed -e 's/dhcp-option DOMAIN //g'` ;; + *DNS* ) dns[j-1]=`echo ${opt[i-1]} | \ + sed -e 's/dhcp-option DNS //g'` + let j++ ;; + esac + let i++ +} +done + +# Now, do the work + +if [ -n "${dns[*]}" ]; then + for i in "${dns[@]}"; do + sed -i -e "1,1 i nameserver ${i}" /etc/resolv.conf || die + done +fi + +if [ -n "${domain}" ]; then + sed -i -e "$j,1 i search ${domain}" /etc/resolv.conf || die +fi + +# all done... +exit 0 |