struct keyvalue *kv = NULL;   /* settings list; allocated with initkeyvalues() before readkeyvalues()/findkey() use it */
FILE *ifacefile = NULL;       /* handle for CONFIG_ROOT "/red/iface", opened read-only when RED is probed */

/* Interface name per zone. RED comes from the red/iface file, BLUE and ORANGE
 * from BLUE_DEV / ORANGE_DEV in the ethernet settings. Globals, so they start
 * out zero-filled; an empty string means "no interface found". */
char redif[STRING_SIZE];
char blueif[STRING_SIZE];
char orangeif[STRING_SIZE];
/* "on"/"off" per zone, from ENABLED / ENABLED_BLUE / ENABLED_ORANGE in
 * ovpn/settings; the rest of the file tests them with strcmp(..., "on"). */
char enablered[STRING_SIZE] = "off";
char enableblue[STRING_SIZE] = "off";
char enableorange[STRING_SIZE] = "off";

/* iptables chain name prefixes. The chain helpers append "INPUT" / "FORWARD",
 * so RED yields OVPNINPUT / OVPNFORWARD and the others OVPN_BLUE_INPUT etc. */
char OVPNRED[STRING_SIZE] = "OVPN";
char OVPNBLUE[STRING_SIZE] = "OVPN_BLUE_";
char OVPNORANGE[STRING_SIZE] = "OVPN_ORANGE_";
/* Version string printed by the usage text ("Wrapper for OpenVPN v%s"). */
char WRAPPERVERSION[STRING_SIZE] = "2.0.1.6";
29 void exithandler(void)
40 printf("Wrapper for OpenVPN v%s-debug\n", WRAPPERVERSION
);
42 printf("Wrapper for OpenVPN v%s\n", WRAPPERVERSION
);
44 printf("openvpnctrl <option>\n");
45 printf(" Valid options are:\n");
46 printf(" -s --start\n");
47 printf(" starts OpenVPN (implicitly creates chains and firewall rules)\n");
48 printf(" -k --kill\n");
49 printf(" kills/stops OpenVPN\n");
50 printf(" -r --restart\n");
51 printf(" restarts OpenVPN (implicitly creates chains and firewall rules)\n");
52 printf(" -d --display\n");
53 printf(" displays OpenVPN status to syslog\n");
54 printf(" -fwr --firewall-rules\n");
55 printf(" removes current OpenVPN chains and rules and resets them according to the config\n");
56 printf(" -sdo --start-daemon-only\n");
57 printf(" starts OpenVPN daemon only\n");
58 printf(" -ccr --create-chains-and-rules\n");
59 printf(" creates chains and rules for OpenVPN\n");
60 printf(" -dcr --delete-chains-and-rules\n");
61 printf(" removes all chains for OpenVPN\n");
/* NOTE(review): the header of the enclosing function (original line 66) and
 * its closing lines are not rendered on this page, nor are the lines that
 * follow each fprintf() below (71-73, 76-78, 81-83, 86-89, 120-122, 126-130).
 * What happens after a failed read (exit, return, or carry on) cannot be
 * confirmed from this view. */
	// Read OpenVPN configuration
	if (!readkeyvalues(kv, CONFIG_ROOT "/ovpn/settings")) {
		fprintf(stderr, "Cannot read ovpn settings\n");
	/* Zone enable flags; the globals default to "off" if a key is absent. */
	if (!findkey(kv, "ENABLED", enablered)) {
		fprintf(stderr, "Cannot read ENABLED\n");
	if (!findkey(kv, "ENABLED_BLUE", enableblue)){
		fprintf(stderr, "Cannot read ENABLED_BLUE\n");
	if (!findkey(kv, "ENABLED_ORANGE", enableorange)){
		fprintf(stderr, "Cannot read ENABLED_ORANGE\n");

	// read interface settings

	// details for the red int
	memset(redif, 0, STRING_SIZE);
	if ((ifacefile = fopen(CONFIG_ROOT "/red/iface", "r")))
		if (fgets(redif, STRING_SIZE, ifacefile))
			/* Strip the trailing newline. NOTE(review): if fgets() stored an
			 * empty string (a NUL as the first byte of the file), strlen() is 0
			 * and this indexes redif[-1], out of bounds. Guarding with
			 * `strlen(redif) > 0`, or using strcspn(redif, "\n"), avoids that. */
			if (redif[strlen(redif) - 1] == '\n')
				redif[strlen(redif) - 1] = '\0';
	/* Original lines 100-103 are not rendered; no fclose(ifacefile) is
	 * visible in this view — confirm the handle is released there. */
	/* VALID_DEVICE() is defined elsewhere; a name that fails it is blanked so
	 * it never reaches the iptables command lines built later. */
	if (!VALID_DEVICE(redif))
		memset(redif, 0, STRING_SIZE);

	if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))
		fprintf(stderr, "Cannot read ethernet settings\n");

	/* NOTE(review): unlike redif above, blueif and orangeif are not passed
	 * through VALID_DEVICE() in the lines shown; they are formatted into
	 * iptables command strings by setChainRules() just the same. */
	if (strcmp(enableblue, "on")==0){
		if (!findkey(kv, "BLUE_DEV", blueif)){
			fprintf(stderr, "Cannot read BLUE_DEV\n");
	if (strcmp(enableorange, "on")==0){
		if (!findkey(kv, "ORANGE_DEV", orangeif)){
			/* The "ORNAGE" typo is in the program's output string, not a
			 * comment, so it is left untouched here. */
			fprintf(stderr, "Cannot read ORNAGE_DEV\n");
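/*
 * Echo a shell command line to stdout and run it with its output discarded.
 *
 * @param command  NUL-terminated command in a writable buffer. The redirect
 *                 suffix is appended in place, so the caller must leave at
 *                 least sizeof(suffix) bytes of spare room (the callers shown
 *                 in this file build the string with snprintf(...,
 *                 STRING_SIZE - 1, ...) into a STRING_SIZE buffer). command
 *                 is modified.
 *
 * Two changes from the earlier version:
 *  - the echo goes through "%s", so command is printed as data and can never
 *    act as a printf() format string;
 *  - the printed newline is no longer appended to the buffer. The old code
 *    handed "cmd\n >/dev/null 2>&1" to safe_system(); if that string reaches
 *    a shell, the newline ends the command before the redirect, so the
 *    redirect applied to an empty command and output was not silenced.
 */
void executeCommand(char *command) {
	static const char suffix[] = " >/dev/null 2>&1";

	printf("%s\n", command);
	strncat(command, suffix, sizeof suffix);
	safe_system(command);
}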
/*
 * Build the accept rules for one zone's OpenVPN chains: the daemon port on
 * the zone interface, plus tun+ traffic in INPUT and FORWARD.
 * All four parameters are STRING_SIZE buffers owned by the caller
 * (chain prefix, interface name, protocol, destination port).
 */
void setChainRules(char *chain, char *interface, char *protocol, char *port)
/* Original line 140 (opening brace) is not rendered on this page. */
	char str[STRING_SIZE];
	/* NOTE(review): sprintf() is unbounded. Each argument can be up to
	 * STRING_SIZE long, so the first format below can overrun str;
	 * snprintf(str, sizeof str, ...) with a truncation check would bound it.
	 * Nothing shown here validates protocol/port — they come straight from
	 * the settings file via setFirewallRules(). */
	sprintf(str, "/sbin/iptables -A %sINPUT -i %s -p %s --dport %s -j ACCEPT", chain, interface, protocol, port);
	/* Original line 144 is not rendered; str is overwritten below, so the
	 * consumer of this command is presumably on that line — confirm. */
	sprintf(str, "/sbin/iptables -A %sINPUT -i tun+ -j ACCEPT", chain);
	/* Original line 146 is not rendered (see above). */
	sprintf(str, "/sbin/iptables -A %sFORWARD -i tun+ -j ACCEPT", chain);
	/* Original lines 148-149 (rest of the function) are not rendered. */
/* Empty (-F) the INPUT and FORWARD chains for one chain prefix. */
void flushChain(char *chain) {
	char str[STRING_SIZE];
	/* NOTE(review): unbounded sprintf(); chain is a STRING_SIZE buffer, so a
	 * near-full prefix would overrun str. Prefer snprintf(str, sizeof str, ...). */
	sprintf(str, "/sbin/iptables -F %sINPUT", chain);
	/* Original line 155 is not rendered; str is overwritten below, so the
	 * line that consumes this command is presumably there — confirm. */
	sprintf(str, "/sbin/iptables -F %sFORWARD", chain);
	/* Original lines 157-158 (rest of the function) are not rendered. */
/* Remove the jump rules that hook a chain prefix into the built-in
 * INPUT and FORWARD chains (the inverse of createChainReference). */
void deleteChainReference(char *chain) {
	char str[STRING_SIZE];
	/* NOTE(review): unbounded sprintf() into a STRING_SIZE buffer from a
	 * STRING_SIZE argument; snprintf(str, sizeof str, ...) would bound it. */
	sprintf(str, "/sbin/iptables -D INPUT -j %sINPUT", chain);
	/* Original lines 165-166 are not rendered; str is overwritten below. */
	sprintf(str, "/sbin/iptables -D FORWARD -j %sFORWARD", chain);
	/* Original lines 168-170 (rest of the function) are not rendered. */
/* Delete (-X) the INPUT and FORWARD chains for one chain prefix. iptables
 * only removes a chain that is empty and unreferenced, which is why
 * deleteAllChains() unhooks and flushes first. */
void deleteChain(char *chain) {
	char str[STRING_SIZE];
	/* NOTE(review): unbounded sprintf() from a STRING_SIZE argument;
	 * snprintf(str, sizeof str, ...) would bound it. */
	sprintf(str, "/sbin/iptables -X %sINPUT", chain);
	/* Original lines 174 and 176 are not rendered; str is overwritten below. */
	sprintf(str, "/sbin/iptables -X %sFORWARD", chain);
	/* Original lines 178-179 (rest of the function) are not rendered. */
/* Tear down every OpenVPN chain: unhook all three prefixes from INPUT/FORWARD,
 * then flush and delete them. The order matters because iptables refuses to
 * delete a chain that is still referenced or non-empty. */
void deleteAllChains(void) {
	// not an elegant solution, but to avoid timing problems with undeleted chain references
	deleteChainReference(OVPNRED);
	deleteChainReference(OVPNBLUE);
	deleteChainReference(OVPNORANGE);
	/* NOTE(review): original line 186 is not rendered. No flushChain(OVPNRED)
	 * is visible here, yet deleteChain(OVPNRED) follows — confirm the RED
	 * chains are flushed on that line. */
	flushChain(OVPNBLUE);
	flushChain(OVPNORANGE);
	deleteChain(OVPNRED);
	deleteChain(OVPNBLUE);
	deleteChain(OVPNORANGE);
	/* Original line 192 (closing brace) is not rendered. */
/* Hook a chain prefix into the built-in chains: jump to <chain>INPUT at
 * INPUT position 14 and to <chain>FORWARD at FORWARD position 12. */
void createChainReference(char *chain) {
	char str[STRING_SIZE];
	/* NOTE(review): the rule positions "14" and "12" are hard-coded; they
	 * presumably match the base firewall layout — iptables rejects an index
	 * past the end of the chain, so verify against the current rule set.
	 * Also unbounded sprintf(); snprintf(str, sizeof str, ...) would bound it. */
	sprintf(str, "/sbin/iptables -I INPUT %s -j %sINPUT", "14", chain);
	/* Original line 197 is not rendered; str is overwritten below. */
	sprintf(str, "/sbin/iptables -I FORWARD %s -j %sFORWARD", "12", chain);
	/* Original lines 199-200 (rest of the function) are not rendered. */
/* Create (-N) the INPUT and FORWARD chains for one chain prefix. */
void createChain(char *chain) {
	char str[STRING_SIZE];
	/* NOTE(review): unbounded sprintf() from a STRING_SIZE argument;
	 * snprintf(str, sizeof str, ...) would bound it. */
	sprintf(str, "/sbin/iptables -N %sINPUT", chain);
	/* Original line 205 is not rendered; str is overwritten below. */
	sprintf(str, "/sbin/iptables -N %sFORWARD", chain);
	/* Original lines 207-208 (rest of the function) are not rendered. */
/* Create chains and hook them in for every zone that has OpenVPN enabled and
 * an interface name. Relies on the enable*/iface globals filled during init. */
void createAllChains(void) {
	/* Nothing to do unless at least one zone is enabled. NOTE(review):
	 * original lines 213-214 are not rendered, so whether this branch exits
	 * or returns cannot be confirmed from this view. */
	if (!((strcmp(enablered, "on")==0) || (strcmp(enableblue, "on")==0) || (strcmp(enableorange, "on")==0))){
		fprintf(stderr, "OpenVPN is not enabled on any interface\n");

	// create chain and chain references
	/* Per zone: create only when an interface name was found; the fprintf()
	 * lines appear to be the else branches (lines 220, 222-225, 230, 232-235,
	 * 240, 242-246 are not rendered, so the branch structure is inferred). */
	if (!strcmp(enableorange, "on")) {
		if (strlen(orangeif)) {
			createChain(OVPNORANGE);
			createChainReference(OVPNORANGE);
			fprintf(stderr, "OpenVPN enabled on orange but no orange interface found\n");
	if (!strcmp(enableblue, "on")) {
		if (strlen(blueif)) {
			createChain(OVPNBLUE);
			createChainReference(OVPNBLUE);
			fprintf(stderr, "OpenVPN enabled on blue but no blue interface found\n");
	if (!strcmp(enablered, "on")) {
		/* Original line 237 is not rendered; no strlen(redif) test is visible
		 * for RED, unlike the two zones above — confirm it is there. */
		createChain(OVPNRED);
		createChainReference(OVPNRED);
			fprintf(stderr, "OpenVPN enabled on red but no red interface found\n");
/* Re-read the OpenVPN settings and install the accept rules for each enabled
 * zone that has an interface name. Expects the enable*/iface globals to have
 * been filled during init. */
void setFirewallRules(void) {
	char protocol[STRING_SIZE] = "";
	char dport[STRING_SIZE] = "";
	char dovpnip[STRING_SIZE] = "";

	/* check if it makes sence to proceed further */
	/* NOTE(review): original lines 256-258 are not rendered, so whether this
	 * branch exits cannot be confirmed from this view. */
	if (!((strcmp(enablered, "on")==0) || (strcmp(enableblue, "on")==0) || (strcmp(enableorange, "on")==0))){
		fprintf(stderr, "Config error, at least one device must be enabled\n");

	/* NOTE(review): kv is reassigned here; if it already pointed at a list
	 * from init that was not freed on a line not shown, that list leaks. */
	kv = initkeyvalues();
	if (!readkeyvalues(kv, CONFIG_ROOT "/ovpn/settings"))
		fprintf(stderr, "Cannot read ovpn settings\n");

	/* we got one device, so lets proceed further */
	/* NOTE(review): DDEST_PORT and DPROTOCOL are formatted verbatim into
	 * iptables command strings by setChainRules(); nothing shown here checks
	 * that the port is numeric or the protocol is tcp/udp. Validating them
	 * here, where they are read, would keep malformed settings out of the
	 * command line. Lines 269-271 and 274-276 are not rendered. */
	if (!findkey(kv, "DDEST_PORT", dport)){
		fprintf(stderr, "Cannot read DDEST_PORT\n");
	if (!findkey(kv, "DPROTOCOL", protocol)){
		fprintf(stderr, "Cannot read DPROTOCOL\n");
	/* VPN_IP is read but not used by any line shown in this function. */
	if (!findkey(kv, "VPN_IP", dovpnip)){
		fprintf(stderr, "Cannot read VPN_IP\n");
		// exit(1); step further as we don't need an ip

	// set firewall rules
	/* Only zones that are both enabled and have a non-empty interface name
	 * get rules (redif is blanked by init when it fails VALID_DEVICE). */
	if (!strcmp(enablered, "on") && strlen(redif))
		setChainRules(OVPNRED, redif, protocol, dport);
	if (!strcmp(enableblue, "on") && strlen(blueif))
		setChainRules(OVPNBLUE, blueif, protocol, dport);
	if (!strcmp(enableorange, "on") && strlen(orangeif))
		setChainRules(OVPNORANGE, orangeif, protocol, dport);
	/* Original lines 290-291 (end of the function) are not rendered. */
/*
 * Stop OpenVPN: kill the daemon, drop its pid file, unload the tun module.
 * Each step is echoed and run through executeCommand(). The buffer is sized
 * STRING_SIZE but formatted with one byte less, presumably as headroom for
 * the suffix executeCommand() appends in place.
 */
void stopDaemon(void) {
	static const char *const steps[] = {
		"/bin/killall openvpn",
		"/bin/rm -f /var/run/openvpn.pid",
		"/sbin/modprobe -r tun",
	};
	char command[STRING_SIZE];

	for (size_t i = 0; i < sizeof steps / sizeof steps[0]; i++) {
		snprintf(command, STRING_SIZE - 1, "%s", steps[i]);
		executeCommand(command);
	}
}
/* Load the tun module and start the OpenVPN server from its config file.
 * Refuses to start when no zone is enabled. */
void startDaemon(void) {
	char command[STRING_SIZE];

	/* NOTE(review): original lines 308-309 are not rendered, so whether this
	 * branch exits before the commands below cannot be confirmed here. */
	if (!((strcmp(enablered, "on")==0) || (strcmp(enableblue, "on")==0) || (strcmp(enableorange, "on")==0))){
		fprintf(stderr, "OpenVPN is not enabled on any interface\n");

	/* STRING_SIZE - 1 leaves a byte of headroom, presumably for the suffix
	 * executeCommand() appends in place. */
	snprintf(command, STRING_SIZE -1, "/sbin/modprobe tun");
	executeCommand(command);
	/* NOTE(review): the config path is hard-coded as /var/ipfire/ovpn/...
	 * while the rest of the file builds paths from CONFIG_ROOT; using
	 * CONFIG_ROOT "/ovpn/server.conf" would keep them in step. */
	snprintf(command, STRING_SIZE -1, "/usr/sbin/openvpn --config /var/ipfire/ovpn/server.conf");
	executeCommand(command);
	/* Original lines 314-315 (end of the function) are not rendered. */
/*
 * Ask the running OpenVPN daemon to report its status; per the usage text
 * this lands in syslog. Sends SIGUSR2 via killall, echoed and run through
 * executeCommand(). One byte of headroom is left in the buffer, presumably
 * for the suffix executeCommand() appends in place.
 */
void displayopenvpn(void) {
	const char *const status_request = "/bin/killall -sSIGUSR2 openvpn";
	char command[STRING_SIZE];

	snprintf(command, STRING_SIZE - 1, "%s", status_request);
	executeCommand(command);
}
324 int main(int argc
, char *argv
[]) {
331 if( (strcmp(argv
[1], "-k") == 0) || (strcmp(argv
[1], "--kill") == 0) ) {
335 else if( (strcmp(argv
[1], "-d") == 0) || (strcmp(argv
[1], "--display") == 0) ) {
339 else if( (strcmp(argv
[1], "-dcr") == 0) || (strcmp(argv
[1], "--delete-chains-and-rules") == 0) ) {
346 if( (strcmp(argv
[1], "-s") == 0) || (strcmp(argv
[1], "--start") == 0) ) {
353 else if( (strcmp(argv
[1], "-sdo") == 0) || (strcmp(argv
[1], "--start-daemon-only") == 0) ) {
357 else if( (strcmp(argv
[1], "-r") == 0) || (strcmp(argv
[1], "--restart") == 0) ) {
365 else if( (strcmp(argv
[1], "-fwr") == 0) || (strcmp(argv
[1], "--firewall-rules") == 0) ) {
371 else if( (strcmp(argv
[1], "-ccr") == 0) || (strcmp(argv
[1], "--create-chains-and-rules") == 0) ) {