]>
Commit | Line | Data |
---|---|---|
39877197 | 1 | #include <signal.h> |
6e13d0a5 MT |
2 | #include <stdio.h> |
3 | #include <string.h> | |
4 | #include <unistd.h> | |
5 | #include <stdlib.h> | |
6 | #include <sys/types.h> | |
3d1fbbb0 MT |
7 | #include <arpa/inet.h> |
8 | #include <netinet/in.h> | |
6e13d0a5 MT |
9 | #include <fcntl.h> |
10 | #include "setuid.h" | |
11 | #include "libsmooth.h" | |
12 | ||
c894a342 | 13 | #define noovpndebug |
6e13d0a5 MT |
14 | |
15 | // global vars | |
16 | struct keyvalue *kv = NULL; | |
17 | FILE *ifacefile = NULL; | |
18 | ||
19 | char redif[STRING_SIZE]; | |
20 | char blueif[STRING_SIZE]; | |
21 | char orangeif[STRING_SIZE]; | |
22 | char enablered[STRING_SIZE] = "off"; | |
23 | char enableblue[STRING_SIZE] = "off"; | |
24 | char enableorange[STRING_SIZE] = "off"; | |
25 | ||
26 | // consts | |
27 | char OVPNRED[STRING_SIZE] = "OVPN"; | |
28 | char OVPNBLUE[STRING_SIZE] = "OVPN_BLUE_"; | |
29 | char OVPNORANGE[STRING_SIZE] = "OVPN_ORANGE_"; | |
c31f18b6 | 30 | char OVPNBLOCK[STRING_SIZE] = "OVPNBLOCK"; |
3d1fbbb0 MT |
31 | char OVPNNAT[STRING_SIZE] = "OVPNNAT"; |
32 | char WRAPPERVERSION[STRING_SIZE] = "ipfire-2.2.3"; | |
6925b8ef AF |
33 | |
34 | struct connection_struct { | |
35 | char name[STRING_SIZE]; | |
91a0a221 | 36 | char type[STRING_SIZE]; |
6925b8ef | 37 | char proto[STRING_SIZE]; |
99b01b84 | 38 | char status[STRING_SIZE]; |
3d1fbbb0 MT |
39 | char local_subnet[STRING_SIZE]; |
40 | char transfer_subnet[STRING_SIZE]; | |
41 | char role[STRING_SIZE]; | |
6925b8ef AF |
42 | int port; |
43 | struct connection_struct *next; | |
44 | }; | |
45 | ||
46 | typedef struct connection_struct connection; | |
6e13d0a5 MT |
47 | |
48 | void exithandler(void) | |
49 | { | |
50 | if(kv) | |
51 | freekeyvalues(kv); | |
52 | if (ifacefile) | |
53 | fclose(ifacefile); | |
54 | } | |
55 | ||
56 | void usage(void) | |
57 | { | |
58 | #ifdef ovpndebug | |
07081137 | 59 | printf("Wrapper for OpenVPN %s-debug\n", WRAPPERVERSION); |
6e13d0a5 | 60 | #else |
07081137 | 61 | printf("Wrapper for OpenVPN %s\n", WRAPPERVERSION); |
6e13d0a5 MT |
62 | #endif |
63 | printf("openvpnctrl <option>\n"); | |
64 | printf(" Valid options are:\n"); | |
65 | printf(" -s --start\n"); | |
66 | printf(" starts OpenVPN (implicitly creates chains and firewall rules)\n"); | |
67 | printf(" -k --kill\n"); | |
68 | printf(" kills/stops OpenVPN\n"); | |
69 | printf(" -r --restart\n"); | |
70 | printf(" restarts OpenVPN (implicitly creates chains and firewall rules)\n"); | |
64f0c354 MT |
71 | printf(" -sn2n --start-net-2-net\n"); |
72 | printf(" starts all net2net connections\n"); | |
73 | printf(" you may pass a connection name to the switch to only start a specific one\n"); | |
74 | printf(" -kn2n --kill-net-2-net\n"); | |
75 | printf(" kills all net2net connections\n"); | |
76 | printf(" you may pass a connection name to the switch to only start a specific one\n"); | |
6e13d0a5 MT |
77 | printf(" -d --display\n"); |
78 | printf(" displays OpenVPN status to syslog\n"); | |
79 | printf(" -fwr --firewall-rules\n"); | |
80 | printf(" removes current OpenVPN chains and rules and resets them according to the config\n"); | |
81 | printf(" -sdo --start-daemon-only\n"); | |
afabe9f7 | 82 | printf(" starts OpenVPN daemon only\n"); |
6e13d0a5 MT |
83 | printf(" -ccr --create-chains-and-rules\n"); |
84 | printf(" creates chains and rules for OpenVPN\n"); | |
85 | printf(" -dcr --delete-chains-and-rules\n"); | |
86 | printf(" removes all chains for OpenVPN\n"); | |
87 | exit(1); | |
88 | } | |
89 | ||
6925b8ef AF |
90 | connection *getConnections() { |
91 | FILE *fp = NULL; | |
92 | ||
93 | if (!(fp = fopen(CONFIG_ROOT "/ovpn/ovpnconfig", "r"))) { | |
94 | fprintf(stderr, "Could not open openvpn n2n configuration file.\n"); | |
95 | exit(1); | |
96 | } | |
97 | ||
98 | char line[STRING_SIZE] = ""; | |
d4f2fb97 MT |
99 | char result[STRING_SIZE] = ""; |
100 | char *resultptr; | |
6925b8ef AF |
101 | int count; |
102 | connection *conn_first = NULL; | |
103 | connection *conn_last = NULL; | |
104 | connection *conn_curr; | |
105 | ||
106 | while ((fgets(line, STRING_SIZE, fp) != NULL)) { | |
107 | if (line[strlen(line) - 1] == '\n') | |
108 | line[strlen(line) - 1] = '\0'; | |
109 | ||
110 | conn_curr = (connection *)malloc(sizeof(connection)); | |
111 | memset(conn_curr, 0, sizeof(connection)); | |
112 | ||
113 | if (conn_first == NULL) { | |
114 | conn_first = conn_curr; | |
115 | } else { | |
116 | conn_last->next = conn_curr; | |
117 | } | |
118 | conn_last = conn_curr; | |
119 | ||
120 | count = 0; | |
d4f2fb97 MT |
121 | char *lineptr = &line; |
122 | while (1) { | |
123 | if (*lineptr == NULL) | |
124 | break; | |
125 | ||
126 | resultptr = result; | |
127 | while (*lineptr != NULL) { | |
128 | if (*lineptr == ',') { | |
129 | lineptr++; | |
130 | break; | |
131 | } | |
132 | *resultptr++ = *lineptr++; | |
133 | } | |
134 | *resultptr = '\0'; | |
135 | ||
99b01b84 MT |
136 | if (count == 1) { |
137 | strcpy(conn_curr->status, result); | |
138 | } else if (count == 2) { | |
6925b8ef | 139 | strcpy(conn_curr->name, result); |
91a0a221 MT |
140 | } else if (count == 4) { |
141 | strcpy(conn_curr->type, result); | |
3d1fbbb0 MT |
142 | } else if (count == 7) { |
143 | strcpy(conn_curr->role, result); | |
144 | } else if (count == 9) { | |
145 | strcpy(conn_curr->local_subnet, result); | |
146 | } else if (count == 28) { | |
147 | strcpy(conn_curr->transfer_subnet, result); | |
d4f2fb97 | 148 | } else if (count == 29) { |
6925b8ef | 149 | strcpy(conn_curr->proto, result); |
d4f2fb97 | 150 | } else if (count == 30) { |
6925b8ef AF |
151 | conn_curr->port = atoi(result); |
152 | } | |
153 | ||
6925b8ef AF |
154 | count++; |
155 | } | |
156 | } | |
157 | ||
158 | fclose(fp); | |
159 | ||
160 | return conn_first; | |
161 | } | |
162 | ||
80ca8bd0 MT |
163 | int readPidFile(const char *pidfile) { |
164 | FILE *fp = fopen(pidfile, "r"); | |
165 | if (fp == NULL) { | |
166 | fprintf(stderr, "PID file not found: '%s'\n", pidfile); | |
167 | exit(1); | |
168 | } | |
169 | ||
170 | int pid = 0; | |
171 | fscanf(fp, "%d", &pid); | |
172 | fclose(fp); | |
173 | ||
174 | return pid; | |
175 | } | |
176 | ||
6e13d0a5 MT |
177 | void ovpnInit(void) { |
178 | ||
179 | // Read OpenVPN configuration | |
180 | kv = initkeyvalues(); | |
181 | if (!readkeyvalues(kv, CONFIG_ROOT "/ovpn/settings")) { | |
182 | fprintf(stderr, "Cannot read ovpn settings\n"); | |
183 | exit(1); | |
184 | } | |
185 | ||
186 | if (!findkey(kv, "ENABLED", enablered)) { | |
187 | fprintf(stderr, "Cannot read ENABLED\n"); | |
188 | exit(1); | |
189 | } | |
190 | ||
191 | if (!findkey(kv, "ENABLED_BLUE", enableblue)){ | |
192 | fprintf(stderr, "Cannot read ENABLED_BLUE\n"); | |
193 | exit(1); | |
194 | } | |
195 | ||
196 | if (!findkey(kv, "ENABLED_ORANGE", enableorange)){ | |
197 | fprintf(stderr, "Cannot read ENABLED_ORANGE\n"); | |
198 | exit(1); | |
199 | } | |
200 | freekeyvalues(kv); | |
201 | ||
202 | // read interface settings | |
203 | ||
204 | // details for the red int | |
205 | memset(redif, 0, STRING_SIZE); | |
206 | if ((ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) | |
207 | { | |
208 | if (fgets(redif, STRING_SIZE, ifacefile)) | |
209 | { | |
210 | if (redif[strlen(redif) - 1] == '\n') | |
211 | redif[strlen(redif) - 1] = '\0'; | |
212 | } | |
213 | fclose (ifacefile); | |
214 | ifacefile = NULL; | |
215 | ||
216 | if (!VALID_DEVICE(redif)) | |
217 | { | |
218 | memset(redif, 0, STRING_SIZE); | |
219 | } | |
220 | } | |
221 | ||
222 | kv=initkeyvalues(); | |
223 | if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")) | |
224 | { | |
225 | fprintf(stderr, "Cannot read ethernet settings\n"); | |
226 | exit(1); | |
227 | } | |
228 | ||
229 | if (strcmp(enableblue, "on")==0){ | |
230 | if (!findkey(kv, "BLUE_DEV", blueif)){ | |
231 | fprintf(stderr, "Cannot read BLUE_DEV\n"); | |
232 | exit(1); | |
233 | } | |
234 | } | |
235 | if (strcmp(enableorange, "on")==0){ | |
236 | if (!findkey(kv, "ORANGE_DEV", orangeif)){ | |
237 | fprintf(stderr, "Cannot read ORNAGE_DEV\n"); | |
238 | exit(1); | |
239 | } | |
240 | } | |
241 | freekeyvalues(kv); | |
242 | } | |
243 | ||
244 | void executeCommand(char *command) { | |
245 | #ifdef ovpndebug | |
246 | printf(strncat(command, "\n", 2)); | |
247 | #endif | |
248 | safe_system(strncat(command, " >/dev/null 2>&1", 17)); | |
249 | } | |
250 | ||
251 | void setChainRules(char *chain, char *interface, char *protocol, char *port) | |
252 | { | |
253 | char str[STRING_SIZE]; | |
07081137 | 254 | |
6e13d0a5 MT |
255 | sprintf(str, "/sbin/iptables -A %sINPUT -i %s -p %s --dport %s -j ACCEPT", chain, interface, protocol, port); |
256 | executeCommand(str); | |
6e13d0a5 MT |
257 | } |
258 | ||
259 | void flushChain(char *chain) { | |
260 | char str[STRING_SIZE]; | |
261 | ||
d2c4a3ca | 262 | sprintf(str, "/sbin/iptables -F %s", chain); |
6e13d0a5 | 263 | executeCommand(str); |
6e13d0a5 MT |
264 | } |
265 | ||
3d1fbbb0 MT |
266 | void flushChainNAT(char *chain) { |
267 | char str[STRING_SIZE]; | |
268 | ||
269 | sprintf(str, "/sbin/iptables -t nat -F %s", chain); | |
270 | executeCommand(str); | |
271 | } | |
272 | ||
d2c4a3ca MT |
273 | void flushChainINPUT(char *chain) { |
274 | char str[STRING_SIZE]; | |
275 | ||
276 | snprintf(str, STRING_SIZE, "%sINPUT", chain); | |
277 | flushChain(str); | |
278 | } | |
279 | ||
6e13d0a5 MT |
280 | void deleteChainReference(char *chain) { |
281 | char str[STRING_SIZE]; | |
282 | ||
283 | sprintf(str, "/sbin/iptables -D INPUT -j %sINPUT", chain); | |
284 | executeCommand(str); | |
6e13d0a5 MT |
285 | } |
286 | ||
287 | void deleteChain(char *chain) { | |
288 | char str[STRING_SIZE]; | |
289 | ||
290 | sprintf(str, "/sbin/iptables -X %sINPUT", chain); | |
291 | executeCommand(str); | |
6e13d0a5 MT |
292 | } |
293 | ||
294 | void deleteAllChains(void) { | |
295 | // not an elegant solution, but to avoid timing problems with undeleted chain references | |
296 | deleteChainReference(OVPNRED); | |
297 | deleteChainReference(OVPNBLUE); | |
298 | deleteChainReference(OVPNORANGE); | |
d2c4a3ca MT |
299 | flushChainINPUT(OVPNRED); |
300 | flushChainINPUT(OVPNBLUE); | |
301 | flushChainINPUT(OVPNORANGE); | |
6e13d0a5 MT |
302 | deleteChain(OVPNRED); |
303 | deleteChain(OVPNBLUE); | |
304 | deleteChain(OVPNORANGE); | |
2181b555 MT |
305 | |
306 | // Only flush chains that are created by the firewall | |
307 | flushChain(OVPNBLOCK); | |
308 | flushChainNAT(OVPNNAT); | |
6e13d0a5 MT |
309 | } |
310 | ||
311 | void createChainReference(char *chain) { | |
312 | char str[STRING_SIZE]; | |
313 | sprintf(str, "/sbin/iptables -I INPUT %s -j %sINPUT", "14", chain); | |
314 | executeCommand(str); | |
6e13d0a5 MT |
315 | } |
316 | ||
317 | void createChain(char *chain) { | |
318 | char str[STRING_SIZE]; | |
319 | sprintf(str, "/sbin/iptables -N %sINPUT", chain); | |
320 | executeCommand(str); | |
6e13d0a5 MT |
321 | } |
322 | ||
323 | void createAllChains(void) { | |
858d8d90 MT |
324 | // create chain and chain references |
325 | if (!strcmp(enableorange, "on")) { | |
326 | if (strlen(orangeif)) { | |
327 | createChain(OVPNORANGE); | |
328 | createChainReference(OVPNORANGE); | |
329 | } else { | |
330 | fprintf(stderr, "OpenVPN enabled on orange but no orange interface found\n"); | |
331 | //exit(1); | |
6e13d0a5 | 332 | } |
858d8d90 MT |
333 | } |
334 | ||
335 | if (!strcmp(enableblue, "on")) { | |
336 | if (strlen(blueif)) { | |
337 | createChain(OVPNBLUE); | |
338 | createChainReference(OVPNBLUE); | |
339 | } else { | |
340 | fprintf(stderr, "OpenVPN enabled on blue but no blue interface found\n"); | |
341 | //exit(1); | |
6e13d0a5 | 342 | } |
858d8d90 MT |
343 | } |
344 | ||
345 | if (!strcmp(enablered, "on")) { | |
346 | if (strlen(redif)) { | |
347 | createChain(OVPNRED); | |
348 | createChainReference(OVPNRED); | |
349 | } else { | |
350 | fprintf(stderr, "OpenVPN enabled on red but no red interface found\n"); | |
351 | //exit(1); | |
6e13d0a5 MT |
352 | } |
353 | } | |
354 | } | |
355 | ||
3d1fbbb0 | 356 | char* calcTransferNetAddress(const connection* conn) { |
a19ff965 MT |
357 | char *subnetmask = strdup(conn->transfer_subnet); |
358 | char *address = strsep(&subnetmask, "/"); | |
3d1fbbb0 | 359 | |
cdbe3504 MT |
360 | if ((address == NULL) || (subnetmask == NULL)) { |
361 | goto ERROR; | |
362 | } | |
363 | ||
a19ff965 MT |
364 | in_addr_t _address = inet_addr(address); |
365 | in_addr_t _subnetmask = inet_addr(subnetmask); | |
366 | _address &= _subnetmask; | |
3d1fbbb0 | 367 | |
a19ff965 MT |
368 | if (strcmp(conn->role, "server") == 0) { |
369 | _address += 1 << 24; | |
370 | } else if (strcmp(conn->role, "client") == 0) { | |
371 | _address += 2 << 24; | |
3d1fbbb0 MT |
372 | } else { |
373 | goto ERROR; | |
374 | } | |
375 | ||
a19ff965 MT |
376 | struct in_addr address_info; |
377 | address_info.s_addr = _address; | |
378 | ||
379 | return inet_ntoa(address_info); | |
3d1fbbb0 MT |
380 | |
381 | ERROR: | |
a19ff965 MT |
382 | fprintf(stderr, "Could not determine transfer net address: %s\n", conn->name); |
383 | ||
3d1fbbb0 MT |
384 | free(address); |
385 | return NULL; | |
386 | } | |
387 | ||
388 | char* getLocalSubnetAddress(const connection* conn) { | |
389 | kv = initkeyvalues(); | |
390 | if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")) { | |
391 | fprintf(stderr, "Cannot read ethernet settings\n"); | |
392 | exit(1); | |
393 | } | |
394 | ||
395 | const char *zones[] = {"GREEN", "BLUE", "ORANGE", NULL}; | |
396 | char *zone = NULL; | |
397 | ||
398 | // Get net address of the local openvpn subnet. | |
399 | char *subnetmask = strdup(conn->local_subnet); | |
400 | char *address = strsep(&subnetmask, "/"); | |
401 | ||
402 | if ((address == NULL) || (subnetmask == NULL)) { | |
403 | goto ERROR; | |
404 | } | |
405 | ||
406 | in_addr_t _address = inet_addr(address); | |
407 | in_addr_t _subnetmask = inet_addr(subnetmask); | |
408 | ||
409 | in_addr_t _netaddr = (_address & _subnetmask); | |
410 | in_addr_t _broadcast = (_address | ~_subnetmask); | |
411 | ||
412 | char zone_address_key[STRING_SIZE]; | |
413 | char zone_address[STRING_SIZE]; | |
414 | in_addr_t zone_addr; | |
415 | ||
416 | int i = 0; | |
417 | while (zones[i]) { | |
418 | zone = zones[i++]; | |
419 | snprintf(zone_address_key, STRING_SIZE, "%s_ADDRESS", zone); | |
420 | ||
421 | if (!findkey(kv, zone_address_key, zone_address)) | |
422 | continue; | |
423 | ||
424 | zone_addr = inet_addr(zone_address); | |
425 | if ((zone_addr > _netaddr) && (zone_addr < _broadcast)) { | |
426 | freekeyvalues(kv); | |
427 | ||
428 | return strdup(zone_address); | |
429 | } | |
430 | } | |
431 | ||
432 | ERROR: | |
a19ff965 MT |
433 | fprintf(stderr, "Could not determine local subnet address: %s\n", conn->name); |
434 | ||
3d1fbbb0 MT |
435 | freekeyvalues(kv); |
436 | return NULL; | |
437 | } | |
438 | ||
6e13d0a5 MT |
439 | void setFirewallRules(void) { |
440 | char protocol[STRING_SIZE] = ""; | |
441 | char dport[STRING_SIZE] = ""; | |
442 | char dovpnip[STRING_SIZE] = ""; | |
443 | ||
6e13d0a5 MT |
444 | kv = initkeyvalues(); |
445 | if (!readkeyvalues(kv, CONFIG_ROOT "/ovpn/settings")) | |
446 | { | |
447 | fprintf(stderr, "Cannot read ovpn settings\n"); | |
448 | exit(1); | |
449 | } | |
450 | ||
451 | /* we got one device, so lets proceed further */ | |
452 | if (!findkey(kv, "DDEST_PORT", dport)){ | |
453 | fprintf(stderr, "Cannot read DDEST_PORT\n"); | |
454 | exit(1); | |
455 | } | |
456 | ||
457 | if (!findkey(kv, "DPROTOCOL", protocol)){ | |
458 | fprintf(stderr, "Cannot read DPROTOCOL\n"); | |
459 | exit(1); | |
460 | } | |
461 | ||
462 | if (!findkey(kv, "VPN_IP", dovpnip)){ | |
463 | fprintf(stderr, "Cannot read VPN_IP\n"); | |
464 | // exit(1); step further as we don't need an ip | |
465 | } | |
466 | freekeyvalues(kv); | |
467 | ||
07081137 | 468 | // Flush all chains. |
d2c4a3ca MT |
469 | flushChainINPUT(OVPNRED); |
470 | flushChainINPUT(OVPNBLUE); | |
471 | flushChainINPUT(OVPNORANGE); | |
2181b555 | 472 | flushChain(OVPNBLOCK); |
3d1fbbb0 | 473 | flushChainNAT(OVPNNAT); |
07081137 | 474 | |
6e13d0a5 MT |
475 | // set firewall rules |
476 | if (!strcmp(enablered, "on") && strlen(redif)) | |
477 | setChainRules(OVPNRED, redif, protocol, dport); | |
478 | if (!strcmp(enableblue, "on") && strlen(blueif)) | |
479 | setChainRules(OVPNBLUE, blueif, protocol, dport); | |
480 | if (!strcmp(enableorange, "on") && strlen(orangeif)) | |
481 | setChainRules(OVPNORANGE, orangeif, protocol, dport); | |
6925b8ef | 482 | |
91a0a221 MT |
483 | // read connection configuration |
484 | connection *conn = getConnections(); | |
485 | ||
6925b8ef | 486 | // set firewall rules for n2n connections |
91a0a221 | 487 | char command[STRING_SIZE]; |
3d1fbbb0 MT |
488 | char *local_subnet_address = NULL; |
489 | char *transfer_subnet_address = NULL; | |
7d653d51 | 490 | while (conn != NULL) { |
91a0a221 MT |
491 | if (strcmp(conn->type, "net") == 0) { |
492 | sprintf(command, "/sbin/iptables -A %sINPUT -i %s -p %s --dport %d -j ACCEPT", | |
493 | OVPNRED, redif, conn->proto, conn->port); | |
494 | executeCommand(command); | |
3d1fbbb0 | 495 | |
c31f18b6 MT |
496 | /* Block all communication from the transfer nets. */ |
497 | snprintf(command, STRING_SIZE, "/sbin/iptables -A %s -s %s -j DROP", | |
498 | OVPNBLOCK, conn->transfer_subnet); | |
499 | executeCommand(command); | |
500 | ||
3d1fbbb0 MT |
501 | local_subnet_address = getLocalSubnetAddress(conn); |
502 | transfer_subnet_address = calcTransferNetAddress(conn); | |
503 | ||
cdbe3504 MT |
504 | if ((local_subnet_address) && (transfer_subnet_address)) { |
505 | snprintf(command, STRING_SIZE, "/sbin/iptables -t nat -A %s -s %s -j SNAT --to-source %s", | |
506 | OVPNNAT, transfer_subnet_address, local_subnet_address); | |
507 | executeCommand(command); | |
508 | } | |
91a0a221 MT |
509 | } |
510 | ||
6925b8ef AF |
511 | conn = conn->next; |
512 | } | |
6e13d0a5 MT |
513 | } |
514 | ||
515 | void stopDaemon(void) { | |
516 | char command[STRING_SIZE]; | |
517 | ||
2bcff894 | 518 | int pid = readPidFile("/var/run/openvpn.pid"); |
80ca8bd0 | 519 | if (!pid > 0) { |
2bcff894 MT |
520 | exit(1); |
521 | } | |
522 | ||
523 | fprintf(stderr, "Killing PID %d.\n", pid); | |
524 | kill(pid, SIGTERM); | |
525 | ||
6e13d0a5 MT |
526 | snprintf(command, STRING_SIZE - 1, "/bin/rm -f /var/run/openvpn.pid"); |
527 | executeCommand(command); | |
528 | } | |
529 | ||
530 | void startDaemon(void) { | |
531 | char command[STRING_SIZE]; | |
532 | ||
533 | if (!((strcmp(enablered, "on")==0) || (strcmp(enableblue, "on")==0) || (strcmp(enableorange, "on")==0))){ | |
534 | fprintf(stderr, "OpenVPN is not enabled on any interface\n"); | |
535 | exit(1); | |
536 | } else { | |
7d3af7f7 MT |
537 | snprintf(command, STRING_SIZE-1, "/sbin/modprobe tun"); |
538 | executeCommand(command); | |
072cd997 | 539 | snprintf(command, STRING_SIZE-1, "/usr/sbin/openvpn --config /var/ipfire/ovpn/server.conf"); |
6e13d0a5 MT |
540 | executeCommand(command); |
541 | } | |
542 | } | |
543 | ||
99b01b84 | 544 | int startNet2Net(char *name) { |
6925b8ef AF |
545 | connection *conn = NULL; |
546 | connection *conn_iter; | |
547 | ||
548 | conn_iter = getConnections(); | |
549 | ||
550 | while (conn_iter) { | |
91a0a221 | 551 | if ((strcmp(conn_iter->type, "net") == 0) && (strcmp(conn_iter->name, name) == 0)) { |
6925b8ef AF |
552 | conn = conn_iter; |
553 | break; | |
554 | } | |
555 | conn_iter = conn_iter->next; | |
556 | } | |
557 | ||
558 | if (conn == NULL) { | |
559 | fprintf(stderr, "Connection not found.\n"); | |
99b01b84 MT |
560 | return 1; |
561 | } | |
562 | ||
563 | if (strcmp(conn->status, "on") != 0) { | |
564 | fprintf(stderr, "Connection '%s' is not enabled.\n", conn->name); | |
565 | return 1; | |
6925b8ef AF |
566 | } |
567 | ||
99b01b84 MT |
568 | fprintf(stderr, "Starting connection %s...\n", conn->name); |
569 | ||
39877197 MT |
570 | char configfile[STRING_SIZE]; |
571 | snprintf(configfile, STRING_SIZE - 1, CONFIG_ROOT "/ovpn/n2nconf/%s/%s.conf", | |
572 | conn->name, conn->name); | |
573 | ||
574 | FILE *fp = fopen(configfile, "r"); | |
575 | if (fp == NULL) { | |
576 | fprintf(stderr, "Could not find configuration file for connection '%s' at '%s'.\n", | |
577 | conn->name, configfile); | |
99b01b84 | 578 | return 2; |
39877197 MT |
579 | } |
580 | fclose(fp); | |
581 | ||
07081137 MT |
582 | // Make sure all firewall rules are up to date. |
583 | setFirewallRules(); | |
584 | ||
6925b8ef | 585 | char command[STRING_SIZE]; |
81a789d9 MT |
586 | snprintf(command, STRING_SIZE-1, "/sbin/modprobe tun"); |
587 | executeCommand(command); | |
588 | snprintf(command, STRING_SIZE-1, "/usr/sbin/openvpn --config %s", configfile); | |
6925b8ef | 589 | executeCommand(command); |
99b01b84 MT |
590 | |
591 | return 0; | |
6925b8ef AF |
592 | } |
593 | ||
99b01b84 | 594 | int killNet2Net(char *name) { |
39877197 MT |
595 | connection *conn = NULL; |
596 | connection *conn_iter; | |
597 | ||
598 | conn_iter = getConnections(); | |
599 | ||
600 | while (conn_iter) { | |
601 | if (strcmp(conn_iter->name, name) == 0) { | |
602 | conn = conn_iter; | |
603 | break; | |
604 | } | |
605 | conn_iter = conn_iter->next; | |
606 | } | |
607 | ||
608 | if (conn == NULL) { | |
609 | fprintf(stderr, "Connection not found.\n"); | |
99b01b84 | 610 | return 1; |
39877197 MT |
611 | } |
612 | ||
613 | char pidfile[STRING_SIZE]; | |
80ca8bd0 | 614 | snprintf(pidfile, STRING_SIZE - 1, "/var/run/%sn2n.pid", conn->name); |
39877197 | 615 | |
2bcff894 | 616 | int pid = readPidFile(pidfile); |
80ca8bd0 | 617 | if (!pid > 0) { |
99b01b84 MT |
618 | fprintf(stderr, "Could not read pid file of connection %s.", conn->name); |
619 | return 1; | |
39877197 MT |
620 | } |
621 | ||
99b01b84 | 622 | fprintf(stderr, "Killing connection %s (PID %d)...\n", conn->name, pid); |
39877197 MT |
623 | kill(pid, SIGTERM); |
624 | ||
d4c8b6be MT |
625 | char command[STRING_SIZE]; |
626 | snprintf(command, STRING_SIZE - 1, "/bin/rm -f %s", pidfile); | |
627 | executeCommand(command); | |
628 | ||
99b01b84 | 629 | return 0; |
6925b8ef AF |
630 | } |
631 | ||
64f0c354 | 632 | void startAllNet2Net() { |
99b01b84 MT |
633 | int exitcode = 0, _exitcode = 0; |
634 | ||
64f0c354 MT |
635 | connection *conn = getConnections(); |
636 | ||
637 | while(conn) { | |
99b01b84 MT |
638 | /* Skip all connections that are not of type "net" or disabled. */ |
639 | if ((strcmp(conn->type, "net") != 0) || (strcmp(conn->status, "on") != 0)) { | |
640 | conn = conn->next; | |
641 | continue; | |
642 | } | |
643 | ||
644 | _exitcode = startNet2Net(conn->name); | |
64f0c354 | 645 | conn = conn->next; |
99b01b84 MT |
646 | |
647 | if (_exitcode > exitcode) { | |
648 | exitcode = _exitcode; | |
649 | } | |
64f0c354 MT |
650 | } |
651 | ||
99b01b84 | 652 | exit(exitcode); |
64f0c354 MT |
653 | } |
654 | ||
655 | void killAllNet2Net() { | |
99b01b84 MT |
656 | int exitcode = 0, _exitcode = 0; |
657 | ||
64f0c354 MT |
658 | connection *conn = getConnections(); |
659 | ||
660 | while(conn) { | |
99b01b84 MT |
661 | /* Skip all connections that are not of type "net". */ |
662 | if (strcmp(conn->type, "net") != 0) { | |
663 | conn = conn->next; | |
664 | continue; | |
665 | } | |
666 | ||
667 | _exitcode = killNet2Net(conn->name); | |
64f0c354 | 668 | conn = conn->next; |
99b01b84 MT |
669 | |
670 | if (_exitcode > exitcode) { | |
671 | exitcode = _exitcode; | |
672 | } | |
64f0c354 MT |
673 | } |
674 | ||
99b01b84 | 675 | exit(exitcode); |
64f0c354 MT |
676 | } |
677 | ||
6e13d0a5 MT |
678 | void displayopenvpn(void) { |
679 | char command[STRING_SIZE]; | |
680 | ||
681 | snprintf(command, STRING_SIZE - 1, "/bin/killall -sSIGUSR2 openvpn"); | |
682 | executeCommand(command); | |
683 | } | |
684 | ||
685 | int main(int argc, char *argv[]) { | |
686 | if (!(initsetuid())) | |
687 | exit(1); | |
688 | if(argc < 2) | |
689 | usage(); | |
6925b8ef AF |
690 | |
691 | if(argc == 3) { | |
91a0a221 MT |
692 | ovpnInit(); |
693 | ||
6925b8ef AF |
694 | if( (strcmp(argv[1], "-sn2n") == 0) || (strcmp(argv[1], "--start-net-2-net") == 0) ) { |
695 | startNet2Net(argv[2]); | |
696 | return 0; | |
697 | } | |
698 | else if( (strcmp(argv[1], "-kn2n") == 0) || (strcmp(argv[1], "--kill-net-2-net") == 0) ) { | |
699 | killNet2Net(argv[2]); | |
700 | return 0; | |
701 | } else { | |
702 | usage(); | |
703 | return 1; | |
704 | } | |
705 | } | |
706 | else if(argc == 2) { | |
6e13d0a5 MT |
707 | if( (strcmp(argv[1], "-k") == 0) || (strcmp(argv[1], "--kill") == 0) ) { |
708 | stopDaemon(); | |
709 | return 0; | |
710 | } | |
711 | else if( (strcmp(argv[1], "-d") == 0) || (strcmp(argv[1], "--display") == 0) ) { | |
712 | displayopenvpn(); | |
713 | return 0; | |
714 | } | |
715 | else if( (strcmp(argv[1], "-dcr") == 0) || (strcmp(argv[1], "--delete-chains-and-rules") == 0) ) { | |
716 | deleteAllChains(); | |
717 | return 0; | |
718 | } | |
719 | else { | |
720 | ovpnInit(); | |
721 | ||
722 | if( (strcmp(argv[1], "-s") == 0) || (strcmp(argv[1], "--start") == 0) ) { | |
723 | deleteAllChains(); | |
724 | createAllChains(); | |
725 | setFirewallRules(); | |
726 | startDaemon(); | |
727 | return 0; | |
728 | } | |
64f0c354 MT |
729 | else if( (strcmp(argv[1], "-sn2n") == 0) || (strcmp(argv[1], "--start-net-2-net") == 0) ) { |
730 | startAllNet2Net(); | |
731 | return 0; | |
732 | } | |
733 | else if( (strcmp(argv[1], "-kn2n") == 0) || (strcmp(argv[1], "--kill-net-2-net") == 0) ) { | |
734 | killAllNet2Net(); | |
735 | return 0; | |
736 | } | |
6e13d0a5 MT |
737 | else if( (strcmp(argv[1], "-sdo") == 0) || (strcmp(argv[1], "--start-daemon-only") == 0) ) { |
738 | startDaemon(); | |
739 | return 0; | |
740 | } | |
741 | else if( (strcmp(argv[1], "-r") == 0) || (strcmp(argv[1], "--restart") == 0) ) { | |
742 | stopDaemon(); | |
743 | deleteAllChains(); | |
744 | createAllChains(); | |
745 | setFirewallRules(); | |
746 | startDaemon(); | |
747 | return 0; | |
748 | } | |
749 | else if( (strcmp(argv[1], "-fwr") == 0) || (strcmp(argv[1], "--firewall-rules") == 0) ) { | |
750 | deleteAllChains(); | |
751 | createAllChains(); | |
752 | setFirewallRules(); | |
753 | return 0; | |
754 | } | |
755 | else if( (strcmp(argv[1], "-ccr") == 0) || (strcmp(argv[1], "--create-chains-and-rules") == 0) ) { | |
756 | createAllChains(); | |
757 | setFirewallRules(); | |
758 | return 0; | |
759 | } | |
760 | else { | |
761 | usage(); | |
762 | return 0; | |
763 | } | |
764 | } | |
765 | } | |
766 | else { | |
767 | usage(); | |
768 | return 0; | |
769 | } | |
770 | return 0; | |
771 | } | |
772 |