static void
openvpn_create_server_acl(FILE *fp, const char *ccd)
{
int i, i_max;
char *acl_user, *acl_rnet, *acl_rmsk;
char acl_user_var[16], acl_rnet_var[16], acl_rmsk_var[16], vpns_ccd[64];
snprintf(vpns_ccd, sizeof(vpns_ccd), "%s/%s", SERVER_ROOT_DIR, ccd);
mkdir(vpns_ccd, 0755);
i_max = nvram_get_int("vpns_num_x");
if (i_max > MAX_CLIENTS_NUM) i_max = MAX_CLIENTS_NUM;
for (i = 0; i < i_max; i++) {
sprintf(acl_user_var, "vpns_user_x%d", i);
sprintf(acl_rnet_var, "vpns_rnet_x%d", i);
sprintf(acl_rmsk_var, "vpns_rmsk_x%d", i);
acl_user = nvram_safe_get(acl_user_var);
acl_rnet = nvram_safe_get(acl_rnet_var);
acl_rmsk = nvram_safe_get(acl_rmsk_var);
if (*acl_user && inet_addr_(acl_rnet) != INADDR_ANY && inet_addr_(acl_rmsk) != INADDR_ANY)
{
FILE *fp_ccf;
char ccf[80];
snprintf(ccf, sizeof(ccf), "%s/%s", vpns_ccd, acl_user);
fp_ccf = fopen(ccf, "w+");
if (fp_ccf) {
int i_cli2;
char acl_addr_var[16];
struct in_addr pool_in;
unsigned int vaddr, vmask;
vaddr = ntohl(inet_addr(nvram_safe_get("vpns_vnet")));
vmask = ntohl(inet_addr(VPN_SERVER_SUBNET_MASK));
vaddr = (vaddr & vmask) | 1;
sprintf(acl_addr_var, "vpns_addr_x%d", i);
i_cli2 = nvram_get_int(acl_addr_var);
if (i_cli2 > 1 && i_cli2 < 255 ) {
pool_in.s_addr = htonl((vaddr & vmask) | (unsigned int)i_cli2);
fprintf(fp_ccf, "ifconfig-push %s %s\n", inet_ntoa(pool_in), VPN_SERVER_SUBNET_MASK);
fprintf(fp, "route %s %s %s\n", acl_rnet, acl_rmsk, inet_ntoa(pool_in));
}
fprintf(fp_ccf, "iroute %s %s\n", acl_rnet, acl_rmsk);
fclose(fp_ccf);
chmod(ccf, 0644);
}
}
}
}
int start_auth_kabinet(void)
{
int ret;
char *gateip = nvram_safe_get("wan_heartbeat_x");
char *passwd = nvram_safe_get("wan_auth_pass");
stop_auth_kabinet();
if ( !passwd[0] )
{
logmessage("lanauth", "password is empty, unable to start!");
return -1;
}
if (inet_addr_(gateip) != INADDR_ANY)
{
ret = eval("/usr/sbin/lanauth", "-s", gateip, "-p", passwd);
}
else
{
ret = eval("/usr/sbin/lanauth", "-p", passwd);
}
if (ret == 0)
{
logmessage("lanauth", "start authentication...");
}
return ret;
}
void start_sit_tunnel(int ipv6_type, char *wan_addr4, char *wan_addr6)
{
int sit_ttl, sit_mtu, size4, size6;
char *sit_remote, *sit_relay, *wan_gate6;
char addr6s[INET6_ADDRSTRLEN];
struct in_addr addr4;
struct in6_addr addr6;
size4 = 0;
addr4.s_addr = inet_addr_(wan_addr4);
if (addr4.s_addr == INADDR_ANY)
return; // cannot start SIT tunnel w/o IPv4 WAN addr
sit_mtu = nvram_get_int("ip6_sit_mtu");
sit_ttl = nvram_get_int("ip6_sit_ttl");
if (sit_mtu < 1280) sit_mtu = 1280;
if (sit_ttl < 1) sit_ttl = 1;
if (sit_ttl > 255) sit_ttl = 255;
memset(&addr6, 0, sizeof(addr6));
size6 = ipv6_from_string(wan_addr6, &addr6);
if (size6 < 0) size6 = 0;
sit_relay = "";
sit_remote = "any";
if (ipv6_type == IPV6_6IN4)
sit_remote = nvram_safe_get("ip6_6in4_remote");
if (is_interface_exist(IFNAME_SIT))
doSystem("ip tunnel del %s", IFNAME_SIT);
doSystem("ip tunnel %s %s mode sit remote %s local %s ttl %d", "add", IFNAME_SIT, sit_remote, wan_addr4, sit_ttl);
if (ipv6_type == IPV6_6TO4) {
size6 = 16;
memset(&addr6, 0, sizeof(addr6));
addr6.s6_addr16[0] = htons(0x2002);
ipv6_to_ipv4_map(&addr6, size6, &addr4, 0);
addr6.s6_addr16[7] = htons(0x0001);
sit_relay = nvram_safe_get("ip6_6to4_relay");
}
else if (ipv6_type == IPV6_6RD) {
struct in_addr net4;
struct in6_addr net6;
char sit_6rd_prefix[INET6_ADDRSTRLEN], sit_6rd_relay_prefix[32];
memcpy(&net6, &addr6, sizeof(addr6));
ipv6_to_net(&net6, size6);
inet_ntop(AF_INET6, &net6, sit_6rd_prefix, INET6_ADDRSTRLEN);
sprintf(sit_6rd_prefix, "%s/%d", sit_6rd_prefix, size6);
strcpy(sit_6rd_relay_prefix, "0.0.0.0/0");
size4 = nvram_get_int("wan0_6rd_size");
if (size4 > 0 && size4 <= 32)
{
net4.s_addr = addr4.s_addr & htonl(0xffffffffUL << (32 - size4));
sprintf(sit_6rd_relay_prefix, "%s/%d", inet_ntoa(net4), size4);
}
doSystem("ip tunnel 6rd dev %s 6rd-prefix %s 6rd-relay_prefix %s", IFNAME_SIT, sit_6rd_prefix, sit_6rd_relay_prefix);
ipv6_to_ipv4_map(&addr6, size6, &addr4, size4);
addr6.s6_addr16[7] = htons(0x0001);
sit_relay = nvram_safe_get("wan0_6rd_relay");
}
// WAN IPv6 address
inet_ntop(AF_INET6, &addr6, addr6s, INET6_ADDRSTRLEN);
if (size6 > 0)
sprintf(addr6s, "%s/%d", addr6s, size6);
control_if_ipv6_radv(IFNAME_SIT, 0);
doSystem("ip link set mtu %d dev %s up", sit_mtu, IFNAME_SIT);
control_if_ipv6(IFNAME_SIT, 1);
clear_if_addr6(IFNAME_SIT);
doSystem("ip -6 addr add %s dev %s", addr6s, IFNAME_SIT);
/* WAN IPv6 gateway (auto-generate for 6to4/6rd) */
if (ipv6_type == IPV6_6TO4 || ipv6_type == IPV6_6RD) {
sprintf(addr6s, "::%s", sit_relay);
wan_gate6 = addr6s;
/* add direct default gateway for workaround "No route to host" on new kernel */
doSystem("ip -6 route add default dev %s metric %d", IFNAME_SIT, 2048);
}
else {
wan_gate6 = nvram_safe_get("wan0_gate6");
}
if (*wan_gate6)
doSystem("ip -6 route add default via %s dev %s metric %d", wan_gate6, IFNAME_SIT, 1);
/* LAN IPv6 address (auto-generate for 6to4/6rd) */
if (ipv6_type == IPV6_6TO4 || ipv6_type == IPV6_6RD) {
memset(&addr6, 0, sizeof(addr6));
if (ipv6_type == IPV6_6TO4) {
addr6.s6_addr16[0] = htons(0x2002);
ipv6_to_ipv4_map(&addr6, 16, &addr4, 0);
addr6.s6_addr16[3] = htons(0x0001);
addr6.s6_addr16[7] = htons(0x0001);
}
else {
ipv6_from_string(wan_addr6, &addr6);
ipv6_to_ipv4_map(&addr6, size6, &addr4, size4);
addr6.s6_addr16[7] = htons(0x0001);
}
inet_ntop(AF_INET6, &addr6, addr6s, INET6_ADDRSTRLEN);
sprintf(addr6s, "%s/%d", addr6s, 64);
clear_if_addr6(IFNAME_BR);
doSystem("ip -6 addr add %s dev %s", addr6s, IFNAME_BR);
store_lan_addr6(addr6s);
}
}
static int
openvpn_create_server_conf(const char *conf_file, int is_tun)
{
FILE *fp;
int i, i_prot, i_atls, i_rdgw, i_dhcp, i_dns, i_cli0, i_cli1;
unsigned int laddr, lmask;
struct in_addr pool_in;
char pooll[32], pool1[32], pool2[32];
char *lanip, *lannm, *wins, *dns1, *dns2;
i_atls = nvram_get_int("vpns_ov_atls");
for (i=0; i<5; i++) {
if (!i_atls && (i == 4))
continue;
if (!openvpn_check_key(openvpn_server_keys[i], 1))
return 1;
}
i_prot = nvram_get_int("vpns_ov_prot");
i_rdgw = nvram_get_int("vpns_ov_rdgw");
i_cli0 = nvram_get_int("vpns_cli0");
i_cli1 = nvram_get_int("vpns_cli1");
i_dns = 0;
i_dhcp = nvram_get_int("dhcp_enable_x");
lanip = nvram_safe_get("lan_ipaddr");
lannm = nvram_safe_get("lan_netmask");
if (i_cli0 < 2) i_cli0 = 2;
if (i_cli0 > 254) i_cli0 = 254;
if (i_cli1 < 2) i_cli1 = 2;
if (i_cli1 > 254) i_cli1 = 254;
if (i_cli1 < i_cli0) i_cli1 = i_cli0;
laddr = ntohl(inet_addr(lanip));
lmask = ntohl(inet_addr(lannm));
pool_in.s_addr = htonl(laddr & lmask);
strcpy(pooll, inet_ntoa(pool_in));
pool_in.s_addr = htonl((laddr & lmask) | (unsigned int)i_cli0);
strcpy(pool1, inet_ntoa(pool_in));
pool_in.s_addr = htonl((laddr & lmask) | (unsigned int)i_cli1);
strcpy(pool2, inet_ntoa(pool_in));
fp = fopen(conf_file, "w+");
if (fp) {
if (i_prot > 0)
fprintf(fp, "proto %s\n", "tcp-server");
else
fprintf(fp, "proto %s\n", "udp");
fprintf(fp, "port %d\n", nvram_safe_get_int("vpns_ov_port", 1194, 1, 65535));
if (is_tun) {
char *vnet, *vmsk;
vnet = nvram_safe_get("vpns_vnet");
vmsk = VPN_SERVER_SUBNET_MASK;
laddr = ntohl(inet_addr(vnet));
lmask = ntohl(inet_addr(vmsk));
pool_in.s_addr = htonl(laddr & lmask);
fprintf(fp, "dev %s\n", IFNAME_SERVER_TUN);
fprintf(fp, "topology %s\n", "subnet");
fprintf(fp, "server %s %s\n", inet_ntoa(pool_in), vmsk);
fprintf(fp, "client-config-dir %s\n", "ccd");
openvpn_create_server_acl(fp, "ccd");
fprintf(fp, "push \"route %s %s\"\n", pooll, lannm);
} else {
fprintf(fp, "dev %s\n", IFNAME_SERVER_TAP);
fprintf(fp, "server-bridge %s %s %s %s\n", lanip, lannm, pool1, pool2);
}
if (i_rdgw) {
fprintf(fp, "push \"redirect-gateway def1 %s\"\n", "bypass-dhcp");
if (i_dhcp == 1) {
dns1 = nvram_safe_get("dhcp_dns1_x");
dns2 = nvram_safe_get("dhcp_dns2_x");
if ((inet_addr_(dns1) != INADDR_ANY) && (strcmp(dns1, lanip))) {
i_dns++;
fprintf(fp, "push \"dhcp-option %s %s\"\n", "DNS", dns1);
}
if ((inet_addr_(dns2) != INADDR_ANY) && (strcmp(dns2, lanip)) && (strcmp(dns2, dns1))) {
i_dns++;
fprintf(fp, "push \"dhcp-option %s %s\"\n", "DNS", dns2);
}
}
if (i_dns < 2)
fprintf(fp, "push \"dhcp-option %s %s\"\n", "DNS", lanip);
}
if (i_dhcp == 1)
{
wins = nvram_safe_get("dhcp_wins_x");
if (inet_addr_(wins) != INADDR_ANY)
fprintf(fp, "push \"dhcp-option %s %s\"\n", "WINS", wins);
}
fprintf(fp, "ca %s/%s\n", SERVER_CERT_DIR, openvpn_server_keys[0]);
fprintf(fp, "dh %s/%s\n", SERVER_CERT_DIR, openvpn_server_keys[1]);
fprintf(fp, "cert %s/%s\n", SERVER_CERT_DIR, openvpn_server_keys[2]);
fprintf(fp, "key %s/%s\n", SERVER_CERT_DIR, openvpn_server_keys[3]);
if (i_atls)
fprintf(fp, "tls-auth %s/%s %d\n", SERVER_CERT_DIR, openvpn_server_keys[4], 0);
fprintf(fp, "persist-key\n");
fprintf(fp, "persist-tun\n");
fprintf(fp, "user %s\n", "nobody");
fprintf(fp, "group %s\n", "nogroup");
fprintf(fp, "script-security %d\n", 2);
fprintf(fp, "tmp-dir %s\n", COMMON_TEMP_DIR);
fprintf(fp, "writepid %s\n", SERVER_PID_FILE);
fprintf(fp, "client-connect %s\n", SCRIPT_OVPN_SERVER);
fprintf(fp, "client-disconnect %s\n", SCRIPT_OVPN_SERVER);
fprintf(fp, "\n### User params:\n");
openvpn_load_user_config(fp, SERVER_CERT_DIR, "server.conf");
fclose(fp);
chmod(conf_file, 0644);
return 0;
}
return 1;
}
