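/*
 * start_openvpnserver - generate the OpenVPN server setup and start the daemon.
 *
 * Writes the config, the key material and the route-up/route-down helper
 * scripts under /tmp/openvpn from the openvpn_* nvram variables, then starts
 * /tmp/openvpnserver (a symlink to /usr/sbin/openvpn so the server process is
 * recognisable by name).  Nothing is done unless openvpn_enable == "1"; the
 * function returns early, leaving whatever was already written, when one of
 * the generated files cannot be opened.
 *
 * The client-config-dir (ccd) is placed on persistent storage
 * (/jffs/etc/openvpn/ccd) when a usb-as-jffs or jffs2 mount is configured,
 * otherwise it lives in /tmp/openvpn/ccd.
 */
void start_openvpnserver(void)
{
	int jffs = 0;

	if (nvram_invmatch("openvpn_enable", "1"))
		return;

	/* writable persistent storage: usb mounted at /jffs, or jffs2 enabled and mounted */
	if ((nvram_match("usb_enable", "1")
	     && nvram_match("usb_storage", "1")
	     && nvram_match("usb_automnt", "1")
	     && nvram_match("usb_mntpoint", "jffs"))
	    || (nvram_match("enable_jffs2", "1")
		&& nvram_match("jffs_mounted", "1")
		&& nvram_match("sys_enable_jffs2", "1")))
		jffs = 1;

	dd_syslog(LOG_INFO, "openvpn : OpenVPN daemon (Server) starting/restarting...\n");
	mkdir("/tmp/openvpn", 0700);
	mkdir("/tmp/openvpn/ccd", 0700);
	write_nvram("/tmp/openvpn/dh.pem", "openvpn_dh");
	write_nvram("/tmp/openvpn/ca.crt", "openvpn_ca");
	write_nvram("/tmp/openvpn/cert.pem", "openvpn_crt");
	write_nvram("/tmp/openvpn/ca.crl", "openvpn_crl");
	write_nvram("/tmp/openvpn/key.pem", "openvpn_key");
	write_nvram("/tmp/openvpn/ta.key", "openvpn_tlsauth");
	write_nvram("/tmp/openvpn/cert.p12", "openvpn_pkcs12");
	write_nvram("/tmp/openvpn/static.key", "openvpn_static");
	/* every file holding a private or shared secret is owner-only, not
	 * just key.pem: the tls-auth HMAC key, the PKCS#12 bundle and the
	 * static key are equally sensitive (chmod on a file that was not
	 * written simply fails, which is harmless) */
	chmod("/tmp/openvpn/key.pem", 0600);
	chmod("/tmp/openvpn/ta.key", 0600);
	chmod("/tmp/openvpn/cert.p12", 0600);
	chmod("/tmp/openvpn/static.key", 0600);

	/* use jffs for ccd if available */
	if (jffs == 1) {
		mkdir("/jffs/etc", 0700);
		mkdir("/jffs/etc/openvpn", 0700);
		mkdir("/jffs/etc/openvpn/ccd", 0700);
		if (strlen(nvram_safe_get("openvpn_ccddef")) > 0) {
			write_nvram("/jffs/etc/openvpn/ccd/DEFAULT", "openvpn_ccddef");
			chmod("/jffs/etc/openvpn/ccd/DEFAULT", 0700);
		}
	} else {
		write_nvram("/tmp/openvpn/ccd/DEFAULT", "openvpn_ccddef");
		chmod("/tmp/openvpn/ccd/DEFAULT", 0700);
	}

	FILE *fp = fopen("/tmp/openvpn/openvpn.conf", "wb");
	if (fp == NULL)
		return;
	/* key material: a static key wins, then a PKCS#12 bundle, else the separate PEM files */
	if (nvram_invmatch("openvpn_static", ""))
		fprintf(fp, "secret /tmp/openvpn/static.key\n");
	else if (nvram_invmatch("openvpn_pkcs12", "")) {
		fprintf(fp, "dh /tmp/openvpn/dh.pem\n");
		fprintf(fp, "pkcs12 /tmp/openvpn/cert.p12\n");
	} else {
		if (nvram_invmatch("openvpn_dh", ""))
			fprintf(fp, "dh /tmp/openvpn/dh.pem\n");
		if (nvram_invmatch("openvpn_ca", ""))
			fprintf(fp, "ca /tmp/openvpn/ca.crt\n");
		if (nvram_invmatch("openvpn_crt", ""))
			fprintf(fp, "cert /tmp/openvpn/cert.pem\n");
		if (nvram_invmatch("openvpn_key", ""))
			fprintf(fp, "key /tmp/openvpn/key.pem\n");
	}
	/* be sure Chris old style config is still working: openvpn_switch == "1"
	 * selects the GUI-driven server config below, otherwise only the raw
	 * openvpn_config text appended at the end is used */
	if (nvram_match("openvpn_switch", "1")) {
		write_nvram("/tmp/openvpn/cert.pem", "openvpn_crt");
		fprintf(fp, "keepalive 10 120\n"
			"verb 3\n" "mute 3\n" "syslog\n"
			"writepid /var/run/openvpnd.pid\n"
			"management 127.0.0.1 14\n"
			"management-log-cache 100\n"
			"topology subnet\n"
			"script-security 2\n"
			"port %s\n" "proto %s\n" "cipher %s\n" "auth %s\n", nvram_safe_get("openvpn_port"), nvram_safe_get("openvpn_proto"), nvram_safe_get("openvpn_cipher"), nvram_safe_get("openvpn_auth"));
		if (jffs == 1) {	/* use usb/jffs for ccd if available */
			fprintf(fp, "client-config-dir /jffs/etc/openvpn/ccd\n");
		} else {
			fprintf(fp, "client-config-dir /tmp/openvpn/ccd\n");
		}
		if (nvram_invmatch("openvpn_lzo", "off"))
			fprintf(fp, "comp-lzo %s\n",	/* yes/no/adaptive/disable */
				nvram_safe_get("openvpn_lzo"));
		if (nvram_invmatch("openvpn_auth", "none"))	/* not needed if we have no auth anyway */
			fprintf(fp, "tls-server\n");
		if (nvram_match("openvpn_dupcn", "1"))
			fprintf(fp, "duplicate-cn\n");
		/* keep peer ip persistent for 86400 s; only works when dupcn=off and not in proxy mode */
		if (nvram_match("openvpn_dupcn", "0")
		    && nvram_match("openvpn_proxy", "0"))
			fprintf(fp, "ifconfig-pool-persist /tmp/openvpn/ip-pool 86400\n");
		if (nvram_match("openvpn_cl2cl", "1"))
			fprintf(fp, "client-to-client\n");
		if (nvram_match("openvpn_redirgate", "1"))
			fprintf(fp, "push \"redirect-gateway def1\"\n");
		if (nvram_invmatch("openvpn_tlscip", "0"))
			fprintf(fp, "tls-cipher %s\n", nvram_safe_get("openvpn_tlscip"));
		if (nvram_match("openvpn_proto", "udp"))
			fprintf(fp, "fast-io\n");	/* experimental! improving CPU efficiency by 5%-10% */
		else	/* TCP_NODELAY is generally a good latency optimization */
			fprintf(fp, "tcp-nodelay\n");
		if (nvram_invmatch("openvpn_mtu", ""))
			fprintf(fp, "tun-mtu %s\n", nvram_safe_get("openvpn_mtu"));
		if (nvram_invmatch("openvpn_fragment", "")
		    && nvram_match("openvpn_proto", "udp")) {
			fprintf(fp, "fragment %s\n", nvram_safe_get("openvpn_fragment"));
			if (nvram_match("openvpn_mssfix", "1"))
				fprintf(fp, "mssfix\n");	/* mssfix=1450 (default), should be set on one side only, when fragment >= mss */
		} else
			fprintf(fp, "mtu-disc yes\n");
		/* interface / addressing mode: routed tun2, or bridged tap2 with or
		 * without a DHCP proxy */
		if (nvram_match("openvpn_tuntap", "tun")) {
			fprintf(fp, "server %s %s\n", nvram_safe_get("openvpn_net"), nvram_safe_get("openvpn_tunmask"));
			fprintf(fp, "dev tun2\n");
			fprintf(fp, "tun-ipv6\n");	/* enable ipv6 support */
		} else if (nvram_match("openvpn_tuntap", "tap") && nvram_match("openvpn_proxy", "0")) {
			fprintf(fp, "server-bridge %s %s %s %s\n", nvram_safe_get("openvpn_gateway"), nvram_safe_get("openvpn_mask"), nvram_safe_get("openvpn_startip"), nvram_safe_get("openvpn_endip"));
			fprintf(fp, "dev tap2\n");
		} else if (nvram_match("openvpn_tuntap", "tap") && nvram_match("openvpn_proxy", "1") && nvram_match("openvpn_redirgate", "1"))
			fprintf(fp, "server-bridge\n" "dev tap2\n");
		else
			fprintf(fp, "server-bridge nogw\n" "dev tap2\n");
		if (strlen(nvram_safe_get("openvpn_tlsauth")) > 0)
			fprintf(fp, "tls-auth /tmp/openvpn/ta.key 0\n");
		if (strlen(nvram_safe_get("openvpn_crl")) > 0)
			fprintf(fp, "crl-verify /tmp/openvpn/ca.crl\n");
		/* for QOS */
		if (nvram_invmatch("wshaper_enable", "0"))
			fprintf(fp, "passtos\n");
	} else
		write_nvram("/tmp/openvpn/cert.pem", "openvpn_client");

	/* the user's additional config text is appended verbatim */
	fprintf(fp, "%s\n", nvram_safe_get("openvpn_config"));
	fclose(fp);

	/* route-up.sh: run by openvpn once the tunnel is up (--route-up) */
	fp = fopen("/tmp/openvpn/route-up.sh", "wb");
	if (fp == NULL)
		return;
	fprintf(fp, "#!/bin/sh\n");
#if defined(HAVE_TMK) || defined(HAVE_BKM)
	/* function scope on purpose: route-down.sh below reuses gpiovpn */
	char *gpiovpn = nvram_get("gpiovpn");
	if (gpiovpn != NULL) {
		fprintf(fp, "gpio enable %s\n", gpiovpn);
	}
#endif
	/* bring up tap interface when chosen */
	if (nvram_match("openvpn_tuntap", "tap")) {
		fprintf(fp, "brctl addif br0 tap2\n"
			"ifconfig tap2 0.0.0.0 up\n");	/* non promisc for performance reasons */
	}
	/* block multicast on bridged vpns; the rule is deleted before it is
	 * inserted so a restart does not stack duplicates */
	if (nvram_match("block_multicast", "0")
	    && nvram_match("openvpn_tuntap", "tap"))
		fprintf(fp, "insmod ebtables\n" "insmod ebtable_filter\n" "insmod ebtable_nat\n" "insmod ebt_pkttype\n"
			"ebtables -t nat -D POSTROUTING -o tap2 --pkttype-type multicast -j DROP\n"
			"ebtables -t nat -I POSTROUTING -o tap2 --pkttype-type multicast -j DROP\n");

	/* block dhcp on bridged vpns (same delete-then-insert pattern) */
	if (nvram_match("openvpn_dhcpbl", "1")
	    && nvram_match("openvpn_tuntap", "tap")
	    && nvram_match("openvpn_proxy", "0"))
		fprintf(fp, "insmod ebtables\n" "insmod ebt_ip\n" "insmod ebtable_filter\n" "insmod ebtable_nat\n"
			"ebtables -t nat -D PREROUTING -i tap2 -p ipv4 --ip-proto udp --ip-sport 67:68 --ip-dport 67:68 -j DROP\n"
			"ebtables -t nat -D POSTROUTING -o tap2 -p ipv4 --ip-proto udp --ip-sport 67:68 --ip-dport 67:68 -j DROP\n"
			"ebtables -t nat -I PREROUTING -i tap2 -p ipv4 --ip-proto udp --ip-sport 67:68 --ip-dport 67:68 -j DROP\n"
			"ebtables -t nat -I POSTROUTING -o tap2 -p ipv4 --ip-proto udp --ip-sport 67:68 --ip-dport 67:68 -j DROP\n");
	fprintf(fp, "startservice set_routes\n"
			"stopservice wshaper\n"
			"startservice wshaper\n");
	fclose(fp);

	/* route-down.sh: undoes route-up.sh, run before the tunnel goes down (--down-pre) */
	fp = fopen("/tmp/openvpn/route-down.sh", "wb");
	if (fp == NULL)
		return;
	fprintf(fp, "#!/bin/sh\n");
#if defined(HAVE_TMK) || defined(HAVE_BKM)
	if (gpiovpn != NULL)
		fprintf(fp, "gpio disable %s\n", gpiovpn);
#endif
	/* remove ebtables rules */
	if (nvram_match("block_multicast", "0")
	    && nvram_match("openvpn_tuntap", "tap"))
		fprintf(fp, "ebtables -t nat -D POSTROUTING -o tap2 --pkttype-type multicast -j DROP\n");
	if (nvram_match("openvpn_dhcpbl", "1")
	    && nvram_match("openvpn_tuntap", "tap")
	    && nvram_match("openvpn_proxy", "0"))
		fprintf(fp,
			"ebtables -t nat -D PREROUTING -i tap2 -p ipv4 --ip-proto udp --ip-sport 67:68 --ip-dport 67:68 -j DROP\n"
			"ebtables -t nat -D POSTROUTING -o tap2 -p ipv4 --ip-proto udp --ip-sport 67:68 --ip-dport 67:68 -j DROP\n");

	if (nvram_match("openvpn_tuntap", "tap"))
		fprintf(fp, "brctl delif br0 tap2\n" "ifconfig tap2 down\n");
	fclose(fp);

	chmod("/tmp/openvpn/route-up.sh", 0700);
	chmod("/tmp/openvpn/route-down.sh", 0700);
	eval("ln", "-s", "/usr/sbin/openvpn", "/tmp/openvpnserver");

	/* --engine cryptodev hands the crypto to the kernel engine when use_crypto is set */
	if (nvram_match("use_crypto", "1"))
		eval("/tmp/openvpnserver", "--config", "/tmp/openvpn/openvpn.conf", "--route-up", "/tmp/openvpn/route-up.sh", "--down-pre", "/tmp/openvpn/route-down.sh", "--daemon", "--engine", "cryptodev");
	else
		eval("/tmp/openvpnserver", "--config", "/tmp/openvpn/openvpn.conf", "--route-up", "/tmp/openvpn/route-up.sh", "--down-pre", "/tmp/openvpn/route-down.sh", "--daemon");

	eval("stopservice", "wshaper");
	eval("startservice", "wshaper");
}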
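/*
 * start_openvpn - generate the OpenVPN client setup and start the daemon.
 *
 * Writes the config, the key material and the route-up/route-down helper
 * scripts under /tmp/openvpncl from the openvpncl_* nvram variables and then
 * starts openvpn.  Nothing is done unless openvpncl_enable == "1"; the
 * function returns early, leaving whatever was already written, when one of
 * the generated files cannot be opened.
 *
 * The helper scripts insert firewall and policy-routing rules for the tunnel
 * interface (<openvpncl_tuntap>1, i.e. tun1 or tap1); route-down.sh deletes
 * exactly the rules route-up.sh inserted, under the same conditions.
 */
void start_openvpn(void)
{
	if (nvram_invmatch("openvpncl_enable", "1"))
		return;
	dd_syslog(LOG_INFO, "openvpn : OpenVPN daemon (Client) starting/restarting...\n");
	mkdir("/tmp/openvpncl", 0700);
	write_nvram("/tmp/openvpncl/ca.crt", "openvpncl_ca");
	write_nvram("/tmp/openvpncl/client.crt", "openvpncl_client");
	write_nvram("/tmp/openvpncl/client.key", "openvpncl_key");
	write_nvram("/tmp/openvpncl/ta.key", "openvpncl_tlsauth");
	write_nvram("/tmp/openvpncl/cert.p12", "openvpncl_pkcs12");
	write_nvram("/tmp/openvpncl/static.key", "openvpncl_static");
	/* every file holding a private or shared secret is owner-only; the
	 * paths must be under /tmp/openvpncl, where the files were written
	 * (chmod on a file that was not written simply fails, harmlessly) */
	chmod("/tmp/openvpncl/client.key", 0600);
	chmod("/tmp/openvpncl/ta.key", 0600);
	chmod("/tmp/openvpncl/cert.p12", 0600);
	chmod("/tmp/openvpncl/static.key", 0600);

	FILE *fp = fopen("/tmp/openvpncl/openvpn.conf", "wb");
	if (fp == NULL)
		return;
	/* key material: a static key wins, then a PKCS#12 bundle, else the separate PEM files */
	if (nvram_invmatch("openvpncl_static", ""))
		fprintf(fp, "secret /tmp/openvpncl/static.key\n");
	else if (nvram_invmatch("openvpncl_pkcs12", "")) {
		fprintf(fp, "pkcs12 /tmp/openvpncl/cert.p12\n");
	} else {
		if (nvram_invmatch("openvpncl_ca", ""))
			fprintf(fp, "ca /tmp/openvpncl/ca.crt\n");
		if (nvram_invmatch("openvpncl_client", ""))
			fprintf(fp, "cert /tmp/openvpncl/client.crt\n");
		if (nvram_invmatch("openvpncl_key", ""))
			fprintf(fp, "key /tmp/openvpncl/client.key\n");
	}
	fprintf(fp,
		"management 127.0.0.1 16\n"
		"management-log-cache 100\n" "verb 3\n" "mute 3\n" "syslog\n"
		"writepid /var/run/openvpncl.pid\n" "client\n"
		"resolv-retry infinite\n" "nobind\n" "persist-key\n"
		"persist-tun\n" "script-security 2\n");
	fprintf(fp, "dev %s1\n", nvram_safe_get("openvpncl_tuntap"));
	fprintf(fp, "proto %s\n", nvram_safe_get("openvpncl_proto"));
	fprintf(fp, "cipher %s\n", nvram_safe_get("openvpncl_cipher"));
	fprintf(fp, "auth %s\n", nvram_safe_get("openvpncl_auth"));
	fprintf(fp, "remote %s %s\n", nvram_safe_get("openvpncl_remoteip"), nvram_safe_get("openvpncl_remoteport"));
	if (nvram_invmatch("openvpncl_lzo", "off"))
		fprintf(fp, "comp-lzo %s\n",	/* yes/no/adaptive/disable */
			nvram_safe_get("openvpncl_lzo"));
	/* policy routing: we need redirect-gw so we get gw info, while the
	 * interface/route setup itself is left to route-up.sh */
	if (strlen(nvram_safe_get("openvpncl_route")) > 0) {
		fprintf(fp, "redirect-private def1\n");
		if (nvram_invmatch("openvpncl_tuntap", "tun"))
			fprintf(fp, "ifconfig-noexec\n");
		else
			fprintf(fp, "route-noexec\n");
	}
	if (nvram_invmatch("openvpncl_auth", "none"))	/* not needed if we have no auth anyway */
		fprintf(fp, "tls-client\n");
	if (nvram_invmatch("openvpncl_mtu", ""))
		fprintf(fp, "tun-mtu %s\n", nvram_safe_get("openvpncl_mtu"));
	if (nvram_invmatch("openvpncl_fragment", "")
	    && nvram_match("openvpncl_proto", "udp")) {
		fprintf(fp, "fragment %s\n", nvram_safe_get("openvpncl_fragment"));
		if (nvram_match("openvpncl_mssfix", "1"))
			fprintf(fp, "mssfix\n");	/* mssfix=1450 (default), should be set on one side only, when fragment >= mss */
	} else
		fprintf(fp, "mtu-disc yes\n");
	if (nvram_match("openvpncl_certtype", "1"))
		fprintf(fp, "ns-cert-type server\n");
	if (nvram_match("openvpncl_proto", "udp"))
		fprintf(fp, "fast-io\n");	/* experimental! improving CPU efficiency by 5%-10% */
	if (nvram_match("openvpncl_tuntap", "tun"))
		fprintf(fp, "tun-ipv6\n");	/* enable ipv6 support */
	if (strlen(nvram_safe_get("openvpncl_tlsauth")) > 0)
		fprintf(fp, "tls-auth /tmp/openvpncl/ta.key 1\n");
	if (nvram_invmatch("openvpncl_tlscip", "0"))
		fprintf(fp, "tls-cipher %s\n", nvram_safe_get("openvpncl_tlscip"));
	/* for QOS */
	if (nvram_invmatch("wshaper_enable", "0"))
		fprintf(fp, "passtos\n");

	/* the user's additional config text is appended verbatim */
	fprintf(fp, "%s\n", nvram_safe_get("openvpncl_config"));
	fclose(fp);

	/* route-up.sh: run by openvpn once the tunnel is up (--route-up) */
	fp = fopen("/tmp/openvpncl/route-up.sh", "wb");
	if (fp == NULL) {
		return;
	}
	fprintf(fp, "#!/bin/sh\n");
	/* bridge tap interface to br0 when chosen, otherwise give tap1 its own address */
	if (nvram_match("openvpncl_tuntap", "tap")
	    && nvram_match("openvpncl_bridge", "1")
	    && nvram_match("openvpncl_nat", "0")) {
		fprintf(fp, "brctl addif br0 tap1\n"
			"ifconfig tap1 0.0.0.0 up\n");	/* non promisc for performance reasons */
	} else if (nvram_match("openvpncl_tuntap", "tap")
		   && strlen(nvram_safe_get("openvpncl_ip")) > 0) {
		fprintf(fp, "ifconfig tap1 %s netmask %s up\n", nvram_safe_get("openvpncl_ip"), nvram_safe_get("openvpncl_mask"));
	}
	if (nvram_match("openvpncl_nat", "1"))
		fprintf(fp, "iptables -I POSTROUTING -t nat -o %s1 -j MASQUERADE\n", nvram_safe_get("openvpncl_tuntap"));
	if (nvram_match("openvpncl_sec", "0"))
		fprintf(fp, "iptables -I INPUT -i %s1 -j ACCEPT\n", nvram_safe_get("openvpncl_tuntap"));
	else if (nvram_match("openvpncl_tuntap", "tun"))	/* only needed with tun */
		fprintf(fp,
			"iptables -I INPUT -i %s1 -j ACCEPT\n"
			"iptables -I FORWARD -i %s1 -j ACCEPT\n"
			"iptables -I FORWARD -o %s1 -j ACCEPT\n", nvram_safe_get("openvpncl_tuntap"), nvram_safe_get("openvpncl_tuntap"), nvram_safe_get("openvpncl_tuntap"));
	/* policy based routing: traffic from the listed source IPs is sent
	 * through the tunnel via routing table 10 */
	if (strlen(nvram_safe_get("openvpncl_route")) > 0) {
		write_nvram("/tmp/openvpncl/policy_ips", "openvpncl_route");
		fprintf(fp, "for IP in `cat /tmp/openvpncl/policy_ips` ; do\n" "\t ip rule add from $IP table 10\n" "done\n");
		if (nvram_match("openvpncl_tuntap", "tap"))
			fprintf(fp, "ip route add default via $route_vpn_gateway table 10\n");
		else
			fprintf(fp, "ip route add default via $ifconfig_remote table 10\n");
		fprintf(fp, "ip route flush cache\n" "echo $ifconfig_remote >>/tmp/gateway.txt\n" "echo $route_vpn_gateway >>/tmp/gateway.txt\n" "echo $ifconfig_local >>/tmp/gateway.txt\n");
	}
	/* block multicast on bridged vpns; the rule is deleted before it is
	 * inserted so a restart does not stack duplicates */
	if (nvram_match("block_multicast", "0")
	    && nvram_match("openvpncl_tuntap", "tap")
	    && nvram_match("openvpncl_bridge", "1")) {
		fprintf(fp, "insmod ebtables\n" "insmod ebtable_filter\n" "insmod ebtable_nat\n" "insmod ebt_pkttype\n"
			"ebtables -t nat -D POSTROUTING -o tap1 --pkttype-type multicast -j DROP\n" "ebtables -t nat -I POSTROUTING -o tap1 --pkttype-type multicast -j DROP\n");
	}
	if (nvram_match("wshaper_enable", "1"))
		fprintf(fp, "stopservice wshaper\n"
			"startservice wshaper\n");
	fclose(fp);

	/* route-down.sh: undoes route-up.sh, run before the tunnel goes down (--down-pre) */
	fp = fopen("/tmp/openvpncl/route-down.sh", "wb");
	if (fp == NULL)
		return;
	fprintf(fp, "#!/bin/sh\n");
	if (nvram_match("openvpncl_tuntap", "tap")
	    && nvram_match("openvpncl_bridge", "1")
	    && nvram_match("openvpncl_nat", "0"))
		fprintf(fp, "brctl delif br0 tap1\n" "ifconfig tap1 down\n");
	else if (nvram_match("openvpncl_tuntap", "tap")
		 && strlen(nvram_safe_get("openvpncl_ip")) > 0)
		fprintf(fp, "ifconfig tap1 down\n");
	/* delete exactly the iptables rules route-up.sh inserted, under the
	 * same conditions, so no ACCEPT rule for the tunnel interface
	 * survives a disconnect and nothing accumulates across reconnects */
	if (nvram_match("openvpncl_nat", "1"))
		fprintf(fp, "iptables -D POSTROUTING -t nat -o %s1 -j MASQUERADE\n", nvram_safe_get("openvpncl_tuntap"));
	if (nvram_match("openvpncl_sec", "0"))
		fprintf(fp, "iptables -D INPUT -i %s1 -j ACCEPT\n", nvram_safe_get("openvpncl_tuntap"));
	else if (nvram_match("openvpncl_tuntap", "tun"))
		fprintf(fp,
			"iptables -D INPUT -i %s1 -j ACCEPT\n"
			"iptables -D FORWARD -i %s1 -j ACCEPT\n"
			"iptables -D FORWARD -o %s1 -j ACCEPT\n", nvram_safe_get("openvpncl_tuntap"), nvram_safe_get("openvpncl_tuntap"), nvram_safe_get("openvpncl_tuntap"));
	if (strlen(nvram_safe_get("openvpncl_route")) > 0) {	/* policy based routing */
		write_nvram("/tmp/openvpncl/policy_ips", "openvpncl_route");
		fprintf(fp, "ip route flush table 10\n");
		/* NOTE(review): the per-IP "ip rule add ... table 10" entries
		 * from route-up.sh are not removed here; confirm whether they
		 * are meant to persist across reconnects */
	}
	fclose(fp);

	chmod("/tmp/openvpncl/route-up.sh", 0700);
	chmod("/tmp/openvpncl/route-down.sh", 0700);

	/* --engine cryptodev hands the crypto to the kernel engine when use_crypto is set */
	if (nvram_match("use_crypto", "1"))
		eval("openvpn", "--config", "/tmp/openvpncl/openvpn.conf", "--route-up", "/tmp/openvpncl/route-up.sh", "--down-pre", "/tmp/openvpncl/route-down.sh", "--daemon", "--engine", "cryptodev");
	else
		eval("openvpn", "--config", "/tmp/openvpncl/openvpn.conf", "--route-up", "/tmp/openvpncl/route-up.sh", "--down-pre", "/tmp/openvpncl/route-down.sh", "--daemon");

	if (nvram_match("wshaper_enable", "1")) {
		eval("stopservice", "wshaper");
		eval("startservice", "wshaper");
	}
}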
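/*
 * setupSupplicant - start wpa_supplicant for interface `prefix` in 802.1X mode.
 *
 * Only acts when <prefix>_akm == "8021X"; every other authentication mode is
 * left alone by this variant.  The supplicant config is generated into
 * /tmp/<prefix>_wpa_supplicant.conf according to the 8021xtype setting for
 * the prefix (tls, peap, ttls, leap) and, since it carries identities,
 * passwords and the private key passphrase in clear text, is made owner-only.
 * CA / client certificates and the private key for EAP-TLS (and the CA for
 * PEAP/TTLS) are written below /tmp/<prefix>/.
 *
 * prefix: nvram prefix / interface name (e.g. "ath0"); the supplicant is
 *         started with the ralink driver on the interface getRADev() returns.
 *         All names derived from it are length-bounded; an over-long prefix
 *         yields a truncated nvram key, not a buffer overrun.
 */
void setupSupplicant(char *prefix)
{
	char akm[16];
	char wmode[16];

	snprintf(akm, sizeof akm, "%s_akm", prefix);
	snprintf(wmode, sizeof wmode, "%s_mode", prefix);
	if (!nvram_match(akm, "8021X"))
		return;

	char fstr[64];
	char psk[64];
	char ath[64];

	snprintf(fstr, sizeof fstr, "/tmp/%s_wpa_supplicant.conf", prefix);
	FILE *fp = fopen(fstr, "wb");
	if (fp == NULL)
		return;	/* no config, nothing to start */
	chmod(fstr, 0600);	/* credentials are written in clear text */

	fprintf(fp, "ap_scan=1\n");
	fprintf(fp, "fast_reauth=1\n");
	fprintf(fp, "eapol_version=1\n");
	fprintf(fp, "network={\n");
	snprintf(psk, sizeof psk, "%s_ssid", prefix);
	fprintf(fp, "\tssid=\"%s\"\n", nvram_safe_get(psk));
	fprintf(fp, "\tscan_ssid=1\n");
	if (nvram_prefix_match("8021xtype", prefix, "tls")) {
		/* <prefix>_tls8021xkeyxchng selects the WPA cipher suite; an unset
		 * value is initialised to "wep", which matches none of the suites
		 * below and therefore yields plain IEEE8021X without pairwise/group
		 * lines instead of WPA-EAP */
		char wpaOpts[40];
		char *keyExchng = nvram_nget("%s_tls8021xkeyxchng", prefix);

		if (strlen(keyExchng) == 0)
			nvram_nset("wep", "%s_tls8021xkeyxchng", prefix);
		wpaOpts[0] = '\0';
		keyExchng = nvram_nget("%s_tls8021xkeyxchng", prefix);
		if (strcmp("wpa2", keyExchng) == 0)
			snprintf(wpaOpts, sizeof wpaOpts, "\tpairwise=CCMP\n\tgroup=CCMP\n");
		else if (strcmp("wpa2mixed", keyExchng) == 0)
			snprintf(wpaOpts, sizeof wpaOpts, "\tpairwise=CCMP TKIP\n\tgroup=CCMP TKIP\n");
		else if (strcmp("wpa", keyExchng) == 0)
			snprintf(wpaOpts, sizeof wpaOpts, "\tpairwise=TKIP\n\tgroup=TKIP\n");
		fprintf(fp, "\tkey_mgmt=%s\n%s", (strlen(wpaOpts) == 0 ? "IEEE8021X" : "WPA-EAP"), wpaOpts);
		fprintf(fp, "\teap=TLS\n");
		fprintf(fp, "\tidentity=\"%s\"\n",
			nvram_prefix_get("tls8021xuser", prefix));
		/* CA, client certificate and private key go to an owner-only directory */
		snprintf(psk, sizeof psk, "/tmp/%s", prefix);
		mkdir(psk, 0700);
		snprintf(psk, sizeof psk, "/tmp/%s/ca.pem", prefix);
		snprintf(ath, sizeof ath, "%s_tls8021xca", prefix);
		write_nvram(psk, ath);
		snprintf(psk, sizeof psk, "/tmp/%s/user.pem", prefix);
		snprintf(ath, sizeof ath, "%s_tls8021xpem", prefix);
		write_nvram(psk, ath);

		snprintf(psk, sizeof psk, "/tmp/%s/user.prv", prefix);
		snprintf(ath, sizeof ath, "%s_tls8021xprv", prefix);
		write_nvram(psk, ath);
		chmod(psk, 0600);	/* the private key itself */
		fprintf(fp, "\tca_cert=/tmp/%s/ca.pem\n", prefix);
		fprintf(fp, "\tclient_cert=/tmp/%s/user.pem\n", prefix);
		fprintf(fp, "\tprivate_key=/tmp/%s/user.prv\n", prefix);
		fprintf(fp, "\tprivate_key_passwd=\"%s\"\n",
			nvram_prefix_get("tls8021xpasswd", prefix));
		fprintf(fp, "\teapol_flags=3\n");
		if (strlen(nvram_nget("%s_tls8021xphase2", prefix)) > 0) {
			fprintf(fp, "\tphase2=\"%s\"\n",
				nvram_nget("%s_tls8021xphase2", prefix));
		}
		if (strlen(nvram_nget("%s_tls8021xanon", prefix)) > 0) {
			fprintf(fp, "\tanonymous_identity=\"%s\"\n",
				nvram_nget("%s_tls8021xanon", prefix));
		}
		/* free-form additional options are copied in verbatim */
		if (strlen(nvram_nget("%s_tls8021xaddopt", prefix)) > 0) {
			snprintf(ath, sizeof ath, "%s_tls8021xaddopt", prefix);
			fprintf(fp, "\t");	/* tab */
			fwritenvram(ath, fp);
			fprintf(fp, "\n");	/* extra new line at the end */
		}
	}
	if (nvram_prefix_match("8021xtype", prefix, "peap")) {
		fprintf(fp, "\tkey_mgmt=WPA-EAP\n");
		fprintf(fp, "\teap=PEAP\n");
		fprintf(fp, "\tpairwise=CCMP TKIP\n");
		fprintf(fp, "\tgroup=CCMP TKIP\n");
		fprintf(fp, "\tphase1=\"peapver=0\"\n");
		fprintf(fp, "\tidentity=\"%s\"\n",
			nvram_prefix_get("peap8021xuser", prefix));
		fprintf(fp, "\tpassword=\"%s\"\n",
			nvram_prefix_get("peap8021xpasswd", prefix));
		snprintf(psk, sizeof psk, "/tmp/%s", prefix);
		mkdir(psk, 0700);
		snprintf(psk, sizeof psk, "/tmp/%s/ca.pem", prefix);
		snprintf(ath, sizeof ath, "%s_peap8021xca", prefix);
		/* the CA is optional: without it the server certificate is not verified */
		if (!nvram_match(ath, "")) {
			write_nvram(psk, ath);
			fprintf(fp, "\tca_cert=\"/tmp/%s/ca.pem\"\n",
				prefix);
		}
		if (strlen(nvram_nget("%s_peap8021xphase2", prefix)) > 0) {
			fprintf(fp, "\tphase2=\"%s\"\n",
				nvram_nget("%s_peap8021xphase2", prefix));
		}
		if (strlen(nvram_nget("%s_peap8021xanon", prefix)) > 0) {
			fprintf(fp, "\tanonymous_identity=\"%s\"\n",
				nvram_nget("%s_peap8021xanon", prefix));
		}
		if (strlen(nvram_nget("%s_peap8021xaddopt", prefix)) > 0) {
			snprintf(ath, sizeof ath, "%s_peap8021xaddopt", prefix);
			fprintf(fp, "\t");	/* tab */
			fwritenvram(ath, fp);
			fprintf(fp, "\n");	/* extra new line at the end */
		}
	}
	if (nvram_prefix_match("8021xtype", prefix, "ttls")) {
		fprintf(fp, "\tkey_mgmt=WPA-EAP\n");
		fprintf(fp, "\teap=TTLS\n");
		fprintf(fp, "\tpairwise=CCMP TKIP\n");
		fprintf(fp, "\tgroup=CCMP TKIP\n");
		fprintf(fp, "\tidentity=\"%s\"\n",
			nvram_prefix_get("ttls8021xuser", prefix));
		fprintf(fp, "\tpassword=\"%s\"\n",
			nvram_prefix_get("ttls8021xpasswd", prefix));
		/* the CA is optional: without it the server certificate is not verified */
		if (strlen(nvram_nget("%s_ttls8021xca", prefix)) > 0) {
			snprintf(psk, sizeof psk, "/tmp/%s", prefix);
			mkdir(psk, 0700);
			snprintf(psk, sizeof psk, "/tmp/%s/ca.pem", prefix);
			snprintf(ath, sizeof ath, "%s_ttls8021xca", prefix);
			write_nvram(psk, ath);
			fprintf(fp, "\tca_cert=\"/tmp/%s/ca.pem\"\n",
				prefix);
		}
		if (strlen(nvram_nget("%s_ttls8021xphase2", prefix)) > 0) {
			fprintf(fp, "\tphase2=\"%s\"\n",
				nvram_nget("%s_ttls8021xphase2", prefix));
		}
		if (strlen(nvram_nget("%s_ttls8021xanon", prefix)) > 0) {
			fprintf(fp, "\tanonymous_identity=\"%s\"\n",
				nvram_nget("%s_ttls8021xanon", prefix));
		}
		if (strlen(nvram_nget("%s_ttls8021xaddopt", prefix)) > 0) {
			snprintf(ath, sizeof ath, "%s_ttls8021xaddopt", prefix);
			fprintf(fp, "\t");	/* tab */
			fwritenvram(ath, fp);
			fprintf(fp, "\n");	/* extra new line at the end */
		}
	}
	if (nvram_prefix_match("8021xtype", prefix, "leap")) {
		fprintf(fp, "\tkey_mgmt=WPA-EAP\n");
		fprintf(fp, "\teap=LEAP\n");
		fprintf(fp, "\tauth_alg=LEAP\n");
		fprintf(fp, "\tproto=WPA RSN\n");
		fprintf(fp, "\tpairwise=CCMP TKIP\n");
		fprintf(fp, "\tgroup=CCMP TKIP\n");
		fprintf(fp, "\tidentity=\"%s\"\n",
			nvram_prefix_get("leap8021xuser", prefix));
		fprintf(fp, "\tpassword=\"%s\"\n",
			nvram_prefix_get("leap8021xpasswd", prefix));
		if (strlen(nvram_nget("%s_leap8021xphase2", prefix)) > 0) {
			fprintf(fp, "\tphase2=\"%s\"\n",
				nvram_nget("%s_leap8021xphase2", prefix));
		}
		if (strlen(nvram_nget("%s_leap8021xanon", prefix)) > 0) {
			fprintf(fp, "\tanonymous_identity=\"%s\"\n",
				nvram_nget("%s_leap8021xanon", prefix));
		}
		if (strlen(nvram_nget("%s_leap8021xaddopt", prefix)) > 0) {
			snprintf(ath, sizeof ath, "%s_leap8021xaddopt", prefix);
			fprintf(fp, "\t");	/* tab */
			fwritenvram(ath, fp);
			fprintf(fp, "\n");	/* extra new line at the end */
		}
	}
	fprintf(fp, "}\n");
	fclose(fp);
	/* "-i<ifname>" argument for wpa_supplicant */
	snprintf(psk, sizeof psk, "-i%s", getRADev(prefix));

	char bvar[32];

	snprintf(bvar, sizeof bvar, "%s_bridged", prefix);
	/* a bridged station/wet interface also binds the supplicant to the LAN bridge */
	if (nvram_match(bvar, "1")
	    && (nvram_match(wmode, "wdssta")
		|| nvram_match(wmode, "wet")))
		eval("wpa_supplicant", "-b",
		     nvram_safe_get("lan_ifname"), "-B", "-Dralink",
		     psk, "-c", fstr);
	else
		eval("wpa_supplicant", "-B", "-Dralink", psk, "-c",
		     fstr);
}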
/*
 * Pthread-style entry point for write_nvram: the call arguments come from
 * the whoop_* globals, not from the thread argument, which is ignored.
 * Always returns NULL.
 */
void *whoop_wrapper_write_nvram(void* args)
{
    (void)args;
    write_nvram(whoop_file_0, whoop_buf, whoop_int, whoop_loff_t);
    return NULL;
}
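/*
 * setupSupplicant - configure link-layer authentication for interface `prefix`.
 *
 * Dispatches on <prefix>_akm:
 *   "wep"                       - program up to four WEP keys with iwconfig
 *   "psk", "psk2", "psk psk2"   - WPA/WPA2 personal via wpa_supplicant
 *   "8021X"                     - WPA-EAP / IEEE 802.1X (tls, peap, ttls, leap)
 *   anything else               - encryption switched off with iwconfig
 *
 * For the supplicant modes the config is generated into
 * /tmp/<prefix>_wpa_supplicant.conf and, since it carries the passphrase or
 * the EAP credentials in clear text, made owner-only.  Certificates and the
 * private key for EAP-TLS (the CA for PEAP/TTLS) are written below
 * /tmp/<prefix>/.  For "wl0"/"wl1" the supplicant is bound to the interface
 * named in <prefix>_ifname, otherwise to `prefix` itself.
 *
 * prefix: nvram prefix / interface name (e.g. "wl0", "ath0").  All names
 *         derived from it are length-bounded; an over-long prefix yields a
 *         truncated nvram key, not a buffer overrun.
 */
void setupSupplicant(char *prefix)
{
	char akm[16];
	char wmode[16];

	snprintf(akm, sizeof akm, "%s_akm", prefix);
	snprintf(wmode, sizeof wmode, "%s_mode", prefix);
	if (nvram_match(akm, "wep")) {
		char key[16];
		int cnt = 1;
		int i;
		char bul[8];

		/* load the configured keys into consecutive slots [1]..[4]; empty
		 * <prefix>_keyN entries are skipped, so slots are compacted */
		for (i = 1; i < 5; i++) {
			snprintf(key, sizeof key, "%s_key%d", prefix, i);
			char *athkey = nvram_safe_get(key);

			if (athkey != NULL && strlen(athkey) > 0) {
				snprintf(bul, sizeof bul, "[%d]", cnt++);
				eval("iwconfig", prefix, "key", bul, athkey);	/* setup wep encryption key */
			}
		}
		/* <prefix>_key: presumably the index of the key to transmit with */
		snprintf(key, sizeof key, "%s_key", prefix);
		snprintf(bul, sizeof bul, "[%s]", nvram_safe_get(key));
		eval("iwconfig", prefix, "key", bul);
	} else if (nvram_match(akm, "psk") || nvram_match(akm, "psk2") || nvram_match(akm, "psk psk2")) {
		char fstr[64];
		char psk[32];

		snprintf(fstr, sizeof fstr, "/tmp/%s_wpa_supplicant.conf", prefix);
		FILE *fp = fopen(fstr, "wb");
		if (fp == NULL)
			return;	/* no config, nothing to start */
		chmod(fstr, 0600);	/* the passphrase is written in clear text */

#if defined(HAVE_MAKSAT) || defined(HAVE_NEWMEDIA)
		fprintf(fp, "ap_scan=1\n");
#else
		fprintf(fp, "ap_scan=2\n");
#endif
		fprintf(fp, "fast_reauth=1\n");
		fprintf(fp, "eapol_version=1\n");

		fprintf(fp, "network={\n");
		snprintf(psk, sizeof psk, "%s_ssid", prefix);
		fprintf(fp, "\tssid=\"%s\"\n", nvram_safe_get(psk));
		fprintf(fp, "\tscan_ssid=1\n");
		fprintf(fp, "\tkey_mgmt=WPA-PSK\n");

		/* <prefix>_crypto (aes / tkip / tkip+aes) -> pairwise and group ciphers */
		snprintf(psk, sizeof psk, "%s_crypto", prefix);
		if (nvram_match(psk, "aes")) {
			fprintf(fp, "\tpairwise=CCMP\n");
			fprintf(fp, "\tgroup=CCMP TKIP\n");
		}
		if (nvram_match(psk, "tkip")) {
			fprintf(fp, "\tpairwise=TKIP\n");
			fprintf(fp, "\tgroup=TKIP\n");
		}
		if (nvram_match(psk, "tkip+aes")) {
			fprintf(fp, "\tpairwise=CCMP TKIP\n");
			fprintf(fp, "\tgroup=CCMP TKIP\n");
		}
		/* akm -> WPA (proto=WPA), WPA2 (proto=RSN) or both */
		if (nvram_match(akm, "psk"))
			fprintf(fp, "\tproto=WPA\n");
		if (nvram_match(akm, "psk2"))
			fprintf(fp, "\tproto=RSN\n");
		if (nvram_match(akm, "psk psk2"))
			fprintf(fp, "\tproto=WPA RSN\n");

		snprintf(psk, sizeof psk, "%s_wpa_psk", prefix);
		fprintf(fp, "\tpsk=\"%s\"\n", nvram_safe_get(psk));
		fprintf(fp, "}\n");
		fclose(fp);
		/* "-i<ifname>" argument for wpa_supplicant */
		if (!strcmp(prefix, "wl0"))
			snprintf(psk, sizeof psk, "-i%s", nvram_safe_get("wl0_ifname"));
		else if (!strcmp(prefix, "wl1"))
			snprintf(psk, sizeof psk, "-i%s", nvram_safe_get("wl1_ifname"));
		else
			snprintf(psk, sizeof psk, "-i%s", prefix);

		/* a station/wet interface also binds the supplicant to its bridge */
		if (nvram_match(wmode, "wdssta") || nvram_match(wmode, "wet"))
			eval("wpa_supplicant", "-b", getBridge(prefix), "-B", "-Dwext", psk, "-c", fstr);
		else
			eval("wpa_supplicant", "-B", "-Dwext", psk, "-c", fstr);
	} else if (nvram_match(akm, "8021X")) {
		char fstr[64];
		char psk[64];
		char ath[64];

		snprintf(fstr, sizeof fstr, "/tmp/%s_wpa_supplicant.conf", prefix);
		FILE *fp = fopen(fstr, "wb");
		if (fp == NULL)
			return;	/* no config, nothing to start */
		chmod(fstr, 0600);	/* credentials are written in clear text */

		fprintf(fp, "ap_scan=1\n");
		fprintf(fp, "fast_reauth=1\n");
		fprintf(fp, "eapol_version=1\n");
		fprintf(fp, "network={\n");
		snprintf(psk, sizeof psk, "%s_ssid", prefix);
		fprintf(fp, "\tssid=\"%s\"\n", nvram_safe_get(psk));
		fprintf(fp, "\tscan_ssid=1\n");
		if (nvram_prefix_match("8021xtype", prefix, "tls")) {
			/* <prefix>_tls8021xkeyxchng selects the WPA cipher suite; an
			 * unset value is initialised to "wep", which matches none of
			 * the suites below and therefore yields plain IEEE8021X
			 * without pairwise/group lines instead of WPA-EAP */
			char wpaOpts[40];
			char *keyExchng = nvram_nget("%s_tls8021xkeyxchng", prefix);

			if (strlen(keyExchng) == 0)
				nvram_nset("wep", "%s_tls8021xkeyxchng", prefix);
			wpaOpts[0] = '\0';
			keyExchng = nvram_nget("%s_tls8021xkeyxchng", prefix);
			if (strcmp("wpa2", keyExchng) == 0)
				snprintf(wpaOpts, sizeof wpaOpts, "\tpairwise=CCMP\n\tgroup=CCMP\n");
			else if (strcmp("wpa2mixed", keyExchng) == 0)
				snprintf(wpaOpts, sizeof wpaOpts, "\tpairwise=CCMP TKIP\n\tgroup=CCMP TKIP\n");
			else if (strcmp("wpa", keyExchng) == 0)
				snprintf(wpaOpts, sizeof wpaOpts, "\tpairwise=TKIP\n\tgroup=TKIP\n");
			fprintf(fp, "\tkey_mgmt=%s\n%s", (strlen(wpaOpts) == 0 ? "IEEE8021X" : "WPA-EAP"), wpaOpts);
			fprintf(fp, "\teap=TLS\n");
			fprintf(fp, "\tidentity=\"%s\"\n", nvram_prefix_get("tls8021xuser", prefix));
			/* CA, client certificate and private key go to an owner-only directory */
			snprintf(psk, sizeof psk, "/tmp/%s", prefix);
			mkdir(psk, 0700);
			snprintf(psk, sizeof psk, "/tmp/%s/ca.pem", prefix);
			snprintf(ath, sizeof ath, "%s_tls8021xca", prefix);
			write_nvram(psk, ath);
			snprintf(psk, sizeof psk, "/tmp/%s/user.pem", prefix);
			snprintf(ath, sizeof ath, "%s_tls8021xpem", prefix);
			write_nvram(psk, ath);

			snprintf(psk, sizeof psk, "/tmp/%s/user.prv", prefix);
			snprintf(ath, sizeof ath, "%s_tls8021xprv", prefix);
			write_nvram(psk, ath);
			chmod(psk, 0600);	/* the private key itself */
			fprintf(fp, "\tca_cert=/tmp/%s/ca.pem\n", prefix);
			fprintf(fp, "\tclient_cert=/tmp/%s/user.pem\n", prefix);
			fprintf(fp, "\tprivate_key=/tmp/%s/user.prv\n", prefix);
			fprintf(fp, "\tprivate_key_passwd=\"%s\"\n", nvram_prefix_get("tls8021xpasswd", prefix));
			fprintf(fp, "\teapol_flags=3\n");
			if (strlen(nvram_nget("%s_tls8021xphase2", prefix)) > 0) {
				fprintf(fp, "\tphase2=\"%s\"\n", nvram_nget("%s_tls8021xphase2", prefix));
			}
			if (strlen(nvram_nget("%s_tls8021xanon", prefix)) > 0) {
				fprintf(fp, "\tanonymous_identity=\"%s\"\n", nvram_nget("%s_tls8021xanon", prefix));
			}
			/* free-form additional options are copied in verbatim */
			if (strlen(nvram_nget("%s_tls8021xaddopt", prefix)) > 0) {
				snprintf(ath, sizeof ath, "%s_tls8021xaddopt", prefix);
				fprintf(fp, "\t");	/* tab */
				fwritenvram(ath, fp);
				fprintf(fp, "\n");	/* extra new line at the end */
			}
		}
		if (nvram_prefix_match("8021xtype", prefix, "peap")) {
			fprintf(fp, "\tkey_mgmt=WPA-EAP\n");
			fprintf(fp, "\teap=PEAP\n");
			fprintf(fp, "\tpairwise=CCMP TKIP\n");
			fprintf(fp, "\tgroup=CCMP TKIP\n");
			fprintf(fp, "\tphase1=\"peapver=0\"\n");
			fprintf(fp, "\tidentity=\"%s\"\n", nvram_prefix_get("peap8021xuser", prefix));
			fprintf(fp, "\tpassword=\"%s\"\n", nvram_prefix_get("peap8021xpasswd", prefix));
			snprintf(psk, sizeof psk, "/tmp/%s", prefix);
			mkdir(psk, 0700);
			snprintf(psk, sizeof psk, "/tmp/%s/ca.pem", prefix);
			snprintf(ath, sizeof ath, "%s_peap8021xca", prefix);
			/* the CA is optional: without it the server certificate is not verified */
			if (!nvram_match(ath, "")) {
				write_nvram(psk, ath);
				fprintf(fp, "\tca_cert=\"/tmp/%s/ca.pem\"\n", prefix);
			}
			if (strlen(nvram_nget("%s_peap8021xphase2", prefix)) > 0) {
				fprintf(fp, "\tphase2=\"%s\"\n", nvram_nget("%s_peap8021xphase2", prefix));
			}
			if (strlen(nvram_nget("%s_peap8021xanon", prefix)) > 0) {
				fprintf(fp, "\tanonymous_identity=\"%s\"\n", nvram_nget("%s_peap8021xanon", prefix));
			}
			if (strlen(nvram_nget("%s_peap8021xaddopt", prefix)) > 0) {
				snprintf(ath, sizeof ath, "%s_peap8021xaddopt", prefix);
				fprintf(fp, "\t");	/* tab */
				fwritenvram(ath, fp);
				fprintf(fp, "\n");	/* extra new line at the end */
			}
		}
		if (nvram_prefix_match("8021xtype", prefix, "ttls")) {
			fprintf(fp, "\tkey_mgmt=WPA-EAP\n");
			fprintf(fp, "\teap=TTLS\n");
			fprintf(fp, "\tpairwise=CCMP TKIP\n");
			fprintf(fp, "\tgroup=CCMP TKIP\n");
			fprintf(fp, "\tidentity=\"%s\"\n", nvram_prefix_get("ttls8021xuser", prefix));
			fprintf(fp, "\tpassword=\"%s\"\n", nvram_prefix_get("ttls8021xpasswd", prefix));
			/* the CA is optional: without it the server certificate is not verified */
			if (strlen(nvram_nget("%s_ttls8021xca", prefix)) > 0) {
				snprintf(psk, sizeof psk, "/tmp/%s", prefix);
				mkdir(psk, 0700);
				snprintf(psk, sizeof psk, "/tmp/%s/ca.pem", prefix);
				snprintf(ath, sizeof ath, "%s_ttls8021xca", prefix);
				write_nvram(psk, ath);
				fprintf(fp, "\tca_cert=\"/tmp/%s/ca.pem\"\n", prefix);
			}
			if (strlen(nvram_nget("%s_ttls8021xphase2", prefix)) > 0) {
				fprintf(fp, "\tphase2=\"%s\"\n", nvram_nget("%s_ttls8021xphase2", prefix));
			}
			if (strlen(nvram_nget("%s_ttls8021xanon", prefix)) > 0) {
				fprintf(fp, "\tanonymous_identity=\"%s\"\n", nvram_nget("%s_ttls8021xanon", prefix));
			}
			if (strlen(nvram_nget("%s_ttls8021xaddopt", prefix)) > 0) {
				snprintf(ath, sizeof ath, "%s_ttls8021xaddopt", prefix);
				fprintf(fp, "\t");	/* tab */
				fwritenvram(ath, fp);
				fprintf(fp, "\n");	/* extra new line at the end */
			}
		}
		if (nvram_prefix_match("8021xtype", prefix, "leap")) {
			fprintf(fp, "\tkey_mgmt=WPA-EAP\n");
			fprintf(fp, "\teap=LEAP\n");
			fprintf(fp, "\tauth_alg=LEAP\n");
			fprintf(fp, "\tproto=WPA RSN\n");
			fprintf(fp, "\tpairwise=CCMP TKIP\n");
			fprintf(fp, "\tgroup=CCMP TKIP\n");
			fprintf(fp, "\tidentity=\"%s\"\n", nvram_prefix_get("leap8021xuser", prefix));
			fprintf(fp, "\tpassword=\"%s\"\n", nvram_prefix_get("leap8021xpasswd", prefix));
			if (strlen(nvram_nget("%s_leap8021xphase2", prefix)) > 0) {
				fprintf(fp, "\tphase2=\"%s\"\n", nvram_nget("%s_leap8021xphase2", prefix));
			}
			if (strlen(nvram_nget("%s_leap8021xanon", prefix)) > 0) {
				fprintf(fp, "\tanonymous_identity=\"%s\"\n", nvram_nget("%s_leap8021xanon", prefix));
			}
			if (strlen(nvram_nget("%s_leap8021xaddopt", prefix)) > 0) {
				snprintf(ath, sizeof ath, "%s_leap8021xaddopt", prefix);
				fprintf(fp, "\t");	/* tab */
				fwritenvram(ath, fp);
				fprintf(fp, "\n");	/* extra new line at the end */
			}
		}

		fprintf(fp, "}\n");
		fclose(fp);
		/* "-i<ifname>" argument for wpa_supplicant */
		if (!strcmp(prefix, "wl0"))
			snprintf(psk, sizeof psk, "-i%s", nvram_safe_get("wl0_ifname"));
		else if (!strcmp(prefix, "wl1"))
			snprintf(psk, sizeof psk, "-i%s", nvram_safe_get("wl1_ifname"));
		else
			snprintf(psk, sizeof psk, "-i%s", prefix);

		char bvar[32];

		snprintf(bvar, sizeof bvar, "%s_bridged", prefix);
		/* a bridged station/wet interface also binds the supplicant to the LAN bridge */
		if (nvram_match(bvar, "1")
		    && (nvram_match(wmode, "wdssta")
			|| nvram_match(wmode, "wet")))
			eval("wpa_supplicant", "-b", nvram_safe_get("lan_ifname"), "-B", "-Dwext", psk, "-c", fstr);
		else
			eval("wpa_supplicant", "-B", "-Dwext", psk, "-c", fstr);
	} else {
		/* no recognised authentication mode: run the interface open */
		eval("iwconfig", prefix, "key", "off");
	}
}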