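/*
 * Add (add != 0) or delete the route to the remote LAN declared for VPN
 * server client `cname` in the nvram ACL table (vpns_user_x%d / vpns_rnet_x%d /
 * vpns_rmsk_x%d).  Only the first entry whose user name equals `cname` and
 * whose network/mask are valid IPv4 strings is used; a remote network that
 * lies in the same subnet as the LAN is skipped so the LAN route is never
 * shadowed.  ifname and gw are handed to route_add()/route_del() unchanged.
 */
void vpns_route_to_remote_lan(const char *cname, char *ifname, char *gw, int add)
{
	int i, i_max;
	char *lnet, *lmsk;
	char acl_user_var[16], acl_rnet_var[16], acl_rmsk_var[16];

	lnet = nvram_safe_get("lan_ipaddr");
	lmsk = nvram_safe_get("lan_netmask");

	/* the ACL table is bounded by MAX_CLIENTS_NUM whatever the nvram count says */
	i_max = nvram_get_int("vpns_num_x");
	if (i_max > MAX_CLIENTS_NUM)
		i_max = MAX_CLIENTS_NUM;

	for (i = 0; i < i_max; i++) {
		char *acl_user, *acl_rnet, *acl_rmsk;

		/* the nvram variable names are built into 16-byte buffers: bound the writes */
		snprintf(acl_user_var, sizeof(acl_user_var), "vpns_user_x%d", i);
		snprintf(acl_rnet_var, sizeof(acl_rnet_var), "vpns_rnet_x%d", i);
		snprintf(acl_rmsk_var, sizeof(acl_rmsk_var), "vpns_rmsk_x%d", i);

		acl_user = nvram_safe_get(acl_user_var);
		acl_rnet = nvram_safe_get(acl_rnet_var);
		acl_rmsk = nvram_safe_get(acl_rmsk_var);

		/* not this client, or an entry without a usable network: keep scanning */
		if (!(*acl_user) || strcmp(acl_user, cname) != 0)
			continue;
		if (!is_valid_ipv4(acl_rnet) || !is_valid_ipv4(acl_rmsk))
			continue;

		if (!is_same_subnet2(acl_rnet, lnet, acl_rmsk, lmsk)) {
			if (add)
				route_add(ifname, 0, acl_rnet, gw, acl_rmsk);
			else
				route_del(ifname, 0, acl_rnet, gw, acl_rmsk);
		}

		/* first matching entry wins, as before */
		break;
	}
}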
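/*
 * Create the OpenVPN client-config-dir "<SERVER_ROOT_DIR>/<ccd>" and, for each
 * nvram ACL entry (vpns_user_x%d / vpns_rnet_x%d / vpns_rmsk_x%d) with a
 * non-empty user name and a valid remote network, write "<ccd>/<user>" holding
 * "iroute <rnet> <rmsk>" and, when vpns_addr_x%d pins a host number in 2..254,
 * "ifconfig-push <pool addr> <VPN_SERVER_SUBNET_MASK>" plus the matching
 * "route" line appended to the server config `fp`.
 */
static void openvpn_create_server_acl(FILE *fp, const char *ccd)
{
	int i, i_max;
	unsigned int vnet;
	char acl_user_var[16], acl_rnet_var[16], acl_rmsk_var[16], acl_addr_var[16];
	char vpns_ccd[64];

	snprintf(vpns_ccd, sizeof(vpns_ccd), "%s/%s", SERVER_ROOT_DIR, ccd);
	/* EEXIST is the normal case on restart; a real failure shows up at fopen() below */
	mkdir(vpns_ccd, 0755);

	/* network part of the server's virtual pool; it does not depend on the
	 * entry, so compute it once instead of per iteration */
	vnet = ntohl(inet_addr(nvram_safe_get("vpns_vnet"))) & ntohl(inet_addr(VPN_SERVER_SUBNET_MASK));

	i_max = nvram_get_int("vpns_num_x");
	if (i_max > MAX_CLIENTS_NUM)
		i_max = MAX_CLIENTS_NUM;

	for (i = 0; i < i_max; i++) {
		FILE *fp_ccf;
		int i_cli2;
		char *acl_user, *acl_rnet, *acl_rmsk;
		char ccf[80];

		/* 16-byte name buffers: keep the writes bounded */
		snprintf(acl_user_var, sizeof(acl_user_var), "vpns_user_x%d", i);
		snprintf(acl_rnet_var, sizeof(acl_rnet_var), "vpns_rnet_x%d", i);
		snprintf(acl_rmsk_var, sizeof(acl_rmsk_var), "vpns_rmsk_x%d", i);

		acl_user = nvram_safe_get(acl_user_var);
		acl_rnet = nvram_safe_get(acl_rnet_var);
		acl_rmsk = nvram_safe_get(acl_rmsk_var);

		if (!(*acl_user) || !is_valid_ipv4(acl_rnet) || !is_valid_ipv4(acl_rmsk))
			continue;

		/* the user name becomes a file name inside ccd; a '/' would place the
		 * file outside it, and a path that does not fit is not written either */
		if (strchr(acl_user, '/'))
			continue;
		if (snprintf(ccf, sizeof(ccf), "%s/%s", vpns_ccd, acl_user) >= (int)sizeof(ccf))
			continue;

		fp_ccf = fopen(ccf, "w+");
		if (!fp_ccf)
			continue;

		snprintf(acl_addr_var, sizeof(acl_addr_var), "vpns_addr_x%d", i);
		i_cli2 = nvram_get_int(acl_addr_var);
		if (i_cli2 > 1 && i_cli2 < 255) {
			struct in_addr pool_in;

			pool_in.s_addr = htonl(vnet | (unsigned int)i_cli2);
			/* inet_ntoa() returns a static buffer; each fprintf() calls it afresh */
			fprintf(fp_ccf, "ifconfig-push %s %s\n", inet_ntoa(pool_in), VPN_SERVER_SUBNET_MASK);
			fprintf(fp, "route %s %s %s\n", acl_rnet, acl_rmsk, inet_ntoa(pool_in));
		}
		fprintf(fp_ccf, "iroute %s %s\n", acl_rnet, acl_rmsk);
		fclose(fp_ccf);
		chmod(ccf, 0644);
	}
}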
/*
 * Launch /sbin/syslogd writing to /tmp/syslog.log with size-based rotation.
 * When nvram "log_ipaddr" is a valid IPv4 address the daemon is also pointed
 * at "log_ipaddr:log_port" (default 514) with -L so local logging continues.
 * Returns whatever _eval() returns for the spawned process.
 */
int start_syslogd(void)
{
	enum { ARG_LOCAL = 7, ARG_REMOTE_OPT = 8, ARG_REMOTE_HOST = 9 };
	char log_rot[8], host_dst[32];
	char *log_ipaddr;
	char *syslogd_argv[] = {
		"/sbin/syslogd",
		log_rot,                 /* -s<size>: max size before rotation */
		"-b0",                   /* purge on rotate */
		"-S",                    /* smaller output */
		"-D",                    /* drop duplicates */
		"-O", "/tmp/syslog.log", /* syslog file */
		NULL,                    /* ARG_LOCAL: "-L" when a remote host is set */
		NULL, NULL,              /* ARG_REMOTE_OPT/HOST: "-R host:port" */
		NULL
	};

	snprintf(log_rot, sizeof(log_rot), "-s%d", LOG_ROTATE_SIZE_MAX);

	log_ipaddr = nvram_safe_get("log_ipaddr");
	if (is_valid_ipv4(log_ipaddr)) {
		int log_port = nvram_safe_get_int("log_port", 514, 1, 65535);

		/* "a.b.c.d:port" is at most 21 characters, well inside host_dst */
		snprintf(host_dst, sizeof(host_dst), "%s:%d", log_ipaddr, log_port);
		syslogd_argv[ARG_LOCAL] = "-L";        /* local & remote */
		syslogd_argv[ARG_REMOTE_OPT] = "-R";
		syslogd_argv[ARG_REMOTE_HOST] = host_dst;
	}

	setenv_tz();

	return _eval(syslogd_argv, NULL, 0, NULL);
}
/*
 * OpenVPN "client-connect" hook of the server instance.  Everything about the
 * peer is read from the environment OpenVPN exports (common_name, trusted_ip,
 * ifconfig_pool_remote_ip, dev).  The connection is logged, a lease line is
 * appended to VPN_SERVER_LEASE_FILE, and the user "up" script is run if it
 * exists.  is_tun picks the fallback interface name when "dev" is empty.
 */
static void on_server_client_connect(int is_tun)
{
	FILE *leases;
	const char *script_name = VPN_SERVER_UPDOWN_SCRIPT;
	char *common_name = safe_getenv("common_name");
	char *peer_addr_r = safe_getenv("trusted_ip");
	char *peer_addr_l = safe_getenv("ifconfig_pool_remote_ip");
	char *dev_ifname  = safe_getenv("dev");

#if defined (USE_IPV6)
	/* a peer that connected over IPv6 has no IPv4 trusted_ip */
	if (!is_valid_ipv4(peer_addr_r))
		peer_addr_r = safe_getenv("trusted_ip6");
#endif

	if (*dev_ifname == '\0')
		dev_ifname = is_tun ? IFNAME_SERVER_TUN : IFNAME_SERVER_TAP;

	logmessage(SERVER_LOG_NAME, "peer %s (%s) connected - local IP: %s",
	           peer_addr_r, common_name, peer_addr_l);

	/* lease format: "<ifname> <local> <remote> <common name>"; "-" here since
	 * the interface is not tracked per client */
	leases = fopen(VPN_SERVER_LEASE_FILE, "a+");
	if (leases != NULL) {
		fprintf(leases, "%s %s %s %s\n", "-", peer_addr_l, peer_addr_r, common_name);
		fclose(leases);
	}

	/* NOTE(review): these values end up on a shell command line via doSystem();
	 * common_name is the CN the server CA signed, so issued CNs should stay
	 * within plain characters. */
	if (check_if_file_exist(script_name))
		doSystem("%s %s %s %s %s %s", script_name, "up",
		         dev_ifname, peer_addr_l, peer_addr_r, common_name);
}
/*
 * Add (add != 0) or delete the static route to the VPN client's remote LAN
 * (nvram vpnc_rnet / vpnc_rmsk) over `ifname` via `gw`.  Nothing happens when
 * the network or mask is not a valid IPv4 string, when ifname is empty, or
 * when the remote network is the same subnet as the local LAN.
 */
static void vpnc_route_to_remote_lan(char *ifname, char *gw, int add)
{
	char *rnet = nvram_safe_get("vpnc_rnet");
	char *rmsk = nvram_safe_get("vpnc_rmsk");
	char *lnet, *lmsk;

	if (!is_valid_ipv4(rnet) || !is_valid_ipv4(rmsk))
		return;

	lnet = nvram_safe_get("lan_ipaddr");
	lmsk = nvram_safe_get("lan_netmask");

	/* an overlapping route would shadow the LAN itself */
	if (*ifname == '\0' || is_same_subnet2(rnet, lnet, rmsk, lmsk))
		return;

	if (add)
		route_add(ifname, 0, rnet, gw, rmsk);
	else
		route_del(ifname, 0, rnet, gw, rmsk);
}
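/*
 * OpenVPN "client-disconnect" hook of the server instance.  Logs the peer and
 * its byte counters, rewrites VPN_SERVER_LEASE_FILE without the lease whose
 * local/remote addresses match this peer (via a temporary file that replaces
 * the original), and runs the user "down" script if it exists.  All peer data
 * comes from the environment OpenVPN exports; is_tun picks the fallback
 * interface name when "dev" is empty.
 */
static void on_server_client_disconnect(int is_tun)
{
	FILE *fp1, *fp2;
	char ifname[16], addr_l[64], addr_r[64], peer_name[64];
	char *clients_l1 = VPN_SERVER_LEASE_FILE;
	char *clients_l2 = "/tmp/.vpns.leases";
	char *common_name = safe_getenv("common_name");
	char *peer_addr_r = safe_getenv("trusted_ip");
	char *peer_addr_l = safe_getenv("ifconfig_pool_remote_ip");
	char *dev_ifname = safe_getenv("dev");
	const char *script_name = VPN_SERVER_UPDOWN_SCRIPT;
	/* the counters are unsigned 64-bit: parse them as such instead of through a
	 * signed strtoll() that wraps above INT64_MAX */
	uint64_t llsent = strtoull(safe_getenv("bytes_sent"), NULL, 10);
	uint64_t llrecv = strtoull(safe_getenv("bytes_received"), NULL, 10);

#if defined (USE_IPV6)
	/* a peer that connected over IPv6 has no IPv4 trusted_ip */
	if (!is_valid_ipv4(peer_addr_r))
		peer_addr_r = safe_getenv("trusted_ip6");
#endif

	if (strlen(dev_ifname) == 0)
		dev_ifname = (is_tun) ? IFNAME_SERVER_TUN : IFNAME_SERVER_TAP;

	/* the casts make the %llu conversion exact whatever uint64_t is on this ABI */
	logmessage(SERVER_LOG_NAME, "peer %s (%s) disconnected, sent: %llu KB, received: %llu KB",
	           peer_addr_r, common_name,
	           (unsigned long long)(llsent / 1024), (unsigned long long)(llrecv / 1024));

	fp1 = fopen(clients_l1, "r");
	fp2 = fopen(clients_l2, "w");
	if (fp1) {
		/* lease format: "<ifname> <local> <remote> <common name>" (see connect hook) */
		while (fscanf(fp1, "%15s %63s %63s %63[^\n]\n", ifname, addr_l, addr_r, peer_name) == 4) {
			/* drop the lease of this peer, copy every other one */
			if (strcmp(peer_addr_r, addr_r) == 0 && strcmp(peer_addr_l, addr_l) == 0)
				continue;
			if (fp2)
				fprintf(fp2, "%s %s %s %s\n", ifname, addr_l, addr_r, peer_name);
		}
		fclose(fp1);
	}
	if (fp2) {
		/* only replace the lease file when the rewritten copy was flushed cleanly;
		 * unlink() is a no-op after a successful rename() and cleans up otherwise */
		if (fclose(fp2) == 0)
			rename(clients_l2, clients_l1);
		unlink(clients_l2);
	}

	if (check_if_file_exist(script_name))
		doSystem("%s %s %s %s %s %s", script_name, "down",
		         dev_ifname, peer_addr_l, peer_addr_r, common_name);
}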
/*
 * (Re)start the "lanauth" WAN authentication client with the password from
 * nvram "wan_auth_pass"; "wan_auth_host" is passed with -s only when it is a
 * valid IPv4 address.  Returns -1 when the password is empty, otherwise the
 * eval() result (0 on success).
 */
int start_auth_kabinet(void)
{
	int ret;
	char *auth_host = nvram_safe_get("wan_auth_host");
	char *auth_pass = nvram_safe_get("wan_auth_pass");

	stop_auth_kabinet();

	if (*auth_pass == '\0') {
		logmessage("lanauth", "password is empty, unable to start!");
		return -1;
	}

	/* NOTE(review): the password travels as a command-line argument, so it is
	 * visible in the process list for the lifetime of lanauth */
	if (is_valid_ipv4(auth_host))
		ret = eval("/usr/sbin/lanauth", "-s", auth_host, "-p", auth_pass);
	else
		ret = eval("/usr/sbin/lanauth", "-p", auth_pass);

	if (ret == 0)
		logmessage("lanauth", "start authentication...");

	return ret;
}
int control_static_routes(char *ift, char *ifname, int is_add) { char word[128], *next; char *route_buf; char *ipaddr, *netmask, *gateway, *metric; if (is_add && nvram_invmatch("sr_enable_x", "1")) return 0; route_buf = (char *)malloc(SR_BUF_LEN*sizeof(char)); if (!route_buf) return -1; fill_static_routes(route_buf, SR_BUF_LEN, ift); foreach(word, route_buf, next) { netmask = word; ipaddr = strsep(&netmask, ":"); if (!ipaddr || !netmask) continue; gateway = netmask; netmask = strsep(&gateway, ":"); if (!netmask || !gateway) continue; metric = gateway; gateway = strsep(&metric, ":"); if (!gateway || !metric) continue; if (!is_valid_ipv4(gateway)) gateway = nvram_safe_get("wanx_gateway"); // oleg patch if (is_add) route_add(ifname, atoi(metric), ipaddr, gateway, netmask); else route_del(ifname, atoi(metric), ipaddr, gateway, netmask); }
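/*
 * True when `name` is usable as an exported client common name: non-empty,
 * made of letters, digits, '_', '-' and '.', and not starting with '.'.  The
 * name is interpolated into a shell command line and into certificate file
 * names, so anything else is refused.
 */
static int ovpn_expcli_name_is_safe(const char *name)
{
	const char *p;

	if (!name || *name == '\0' || *name == '.')
		return 0;
	for (p = name; *p; p++) {
		if ((*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z') ||
		    (*p >= '0' && *p <= '9') || *p == '_' || *p == '-' || *p == '.')
			continue;
		return 0;
	}
	return 1;
}

/*
 * "ovpn_server_expcli <common_name> [rsa_bits] [days_valid]": issue a client
 * certificate/key under /tmp/export_ovpn with the server CA (via
 * /usr/bin/openvpn-cert.sh) and write a ready-to-import /tmp/client.ovpn that
 * embeds ca/cert/key (and the tls-auth key when vpns_ov_atls is set).
 * rsa_bits defaults to 1024 and days_valid to 365 when absent or out of range.
 * Returns 0 on success, 1 on usage error or when a server key file is missing
 * or the profile cannot be created.
 */
int ovpn_server_expcli_main(int argc, char **argv)
{
	FILE *fp;
	int i, i_atls, rsa_bits, days_valid;
	char *wan_addr;
	const char *tmp_ovpn_path = "/tmp/export_ovpn";
	const char *tmp_ovpn_conf = "/tmp/client.ovpn";

	if (argc < 2 || strlen(argv[1]) < 1) {
		printf("Usage: %s common_name [rsa_bits] [days_valid]\n", argv[0]);
		return 1;
	}

	/* argv[1] is quoted into the openvpn-cert.sh command line below */
	if (!ovpn_expcli_name_is_safe(argv[1])) {
		printf("Error: common_name may only contain letters, digits, '_', '-' and '.'\n");
		return 1;
	}

	/* NOTE(review): 1024-bit RSA is the historical default kept for
	 * compatibility; callers wanting stronger client keys pass rsa_bits */
	rsa_bits = 1024;
	if (argc > 2 && atoi(argv[2]) >= 1024)
		rsa_bits = atoi(argv[2]);

	days_valid = 365;
	if (argc > 3 && atoi(argv[3]) > 0)
		days_valid = atoi(argv[3]);

	/* all server files must exist; index 4 (tls-auth key) only when enabled */
	i_atls = nvram_get_int("vpns_ov_atls");
	for (i = 0; i < 5; i++) {
		if (!i_atls && (i == 4))
			continue;
		if (!openvpn_check_key(openvpn_server_keys[i], 1)) {
			printf("Error: server file %s is not found\n", openvpn_server_keys[i]);
			return 1;
		}
	}

	/* Generate client cert and key */
	doSystem("rm -rf %s", tmp_ovpn_path);
	setenv("CRT_PATH_CLI", tmp_ovpn_path, 1);
	doSystem("/usr/bin/openvpn-cert.sh %s -n '%s' -b %d -d %d", "client", argv[1], rsa_bits, days_valid);
	unsetenv("CRT_PATH_CLI");

	fp = fopen(tmp_ovpn_conf, "w+");
	if (!fp) {
		doSystem("rm -rf %s", tmp_ovpn_path);
		printf("Error: unable to create file %s\n", tmp_ovpn_conf);
		return 1;
	}
	/* the profile embeds the private key: restrict it before writing, not after */
	chmod(tmp_ovpn_conf, 0600);

	/* remote address: DDNS name, else the WAN IPv4, else a placeholder to edit */
	wan_addr = get_ddns_fqdn();
	if (!wan_addr) {
		wan_addr = get_wan_unit_value(0, "ipaddr");
		if (!is_valid_ipv4(wan_addr))
			wan_addr = NULL;
	}
	if (!wan_addr)
		wan_addr = "{wan_address}";

	fprintf(fp, "client\n");
	fprintf(fp, "dev %s\n", (nvram_get_int("vpns_ov_mode") == 1) ? "tun" : "tap");
	fprintf(fp, "proto %s\n", (nvram_get_int("vpns_ov_prot") > 0) ? "tcp-client" : "udp");
	fprintf(fp, "remote %s %d\n", wan_addr, nvram_safe_get_int("vpns_ov_port", 1194, 1, 65535));
	fprintf(fp, "resolv-retry %s\n", "infinite");
	fprintf(fp, "nobind\n");
	fprintf(fp, "persist-key\n");
	fprintf(fp, "persist-tun\n");
	openvpn_add_auth(fp, nvram_get_int("vpns_ov_mdig"));
	openvpn_add_cipher(fp, nvram_get_int("vpns_ov_ciph"));
	openvpn_add_lzo(fp, nvram_get_int("vpns_ov_clzo"), 0);
	fprintf(fp, "nice %d\n", 0);
	fprintf(fp, "verb %d\n", 3);
	fprintf(fp, "mute %d\n", 10);
	/* emitted commented out: server-certificate type checking is left to the user */
	fprintf(fp, ";ns-cert-type %s\n", "server");
	openvpn_add_key(fp, SERVER_CERT_DIR, openvpn_server_keys[0], "ca");
	openvpn_add_key(fp, tmp_ovpn_path, openvpn_client_keys[1], "cert");
	openvpn_add_key(fp, tmp_ovpn_path, openvpn_client_keys[2], "key");
	if (i_atls) {
		/* key-direction 1 on the client pairs with 0 on the server */
		openvpn_add_key(fp, SERVER_CERT_DIR, openvpn_server_keys[4], "tls-auth");
		fprintf(fp, "key-direction %d\n", 1);
	}
	fclose(fp);

	doSystem("rm -rf %s", tmp_ovpn_path);
	doSystem("unix2dos %s", tmp_ovpn_conf);
	/* unix2dos may recreate the file; re-apply the mode after it ran */
	chmod(tmp_ovpn_conf, 0600);

	return 0;
}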
/*
 * Write the OpenVPN server configuration to `conf_file`.
 *
 * is_tun != 0 selects a routed "tun" server on the vpns_vnet pool (with a
 * client-config-dir filled by openvpn_create_server_acl()); otherwise a
 * bridged "tap" server handing out LAN addresses between vpns_cli0 and
 * vpns_cli1.  DNS/WINS options are pushed from the DHCP settings (falling
 * back to the LAN address), key material is referenced from SERVER_CERT_DIR,
 * the daemon is told to drop to SYS_USER_NOBODY/SYS_GROUP_NOGROUP and user
 * parameters from "server.conf" are appended last.
 *
 * Returns 0 on success, 1 when a required key file is missing or the config
 * cannot be opened.
 */
static int openvpn_create_server_conf(const char *conf_file, int is_tun)
{
	FILE *fp;
	int i, i_prot, i_atls, i_rdgw, i_dhcp, i_items, i_cli0, i_cli1;
	unsigned int laddr, lmask, lsnet;
	struct in_addr pool_in;
	char pooll[32], pool1[32], pool2[32];
	char *lanip, *lannm, *wins, *dns1, *dns2;

	/* all server files must exist; index 4 (tls-auth key) only when enabled */
	i_atls = nvram_get_int("vpns_ov_atls");
	for (i=0; i<5; i++) {
		if (!i_atls && (i == 4))
			continue;
		if (!openvpn_check_key(openvpn_server_keys[i], 1))
			return 1;
	}

	i_prot = nvram_get_int("vpns_ov_prot");
	i_rdgw = nvram_get_int("vpns_ov_rdgw");
	i_cli0 = nvram_safe_get_int("vpns_cli0", 245, 1, 254);
	i_cli1 = nvram_safe_get_int("vpns_cli1", 254, 2, 254);
	i_dhcp = is_dhcpd_enabled(0);

	lanip = nvram_safe_get("lan_ipaddr");
	lannm = nvram_safe_get("lan_netmask");

	laddr = ntohl(inet_addr(lanip));
	lmask = ntohl(inet_addr(lannm));
	/* highest usable host number in the LAN (broadcast excluded) */
	lsnet = (~lmask) - 1;

	/* clamp the bridge pool into the LAN and keep it ordered */
	if (i_cli0 > (int)lsnet) i_cli0 = (int)lsnet;
	if (i_cli1 > (int)lsnet) i_cli1 = (int)lsnet;
	if (i_cli1 < i_cli0) i_cli1 = i_cli0;

	/* inet_ntoa() returns a static buffer, hence the copies */
	pool_in.s_addr = htonl(laddr & lmask);
	strcpy(pooll, inet_ntoa(pool_in));
	pool_in.s_addr = htonl((laddr & lmask) | (unsigned int)i_cli0);
	strcpy(pool1, inet_ntoa(pool_in));
	pool_in.s_addr = htonl((laddr & lmask) | (unsigned int)i_cli1);
	strcpy(pool2, inet_ntoa(pool_in));

	fp = fopen(conf_file, "w+");
	if (fp) {
		if (i_prot > 0)
			fprintf(fp, "proto %s\n", "tcp-server");
		else
			fprintf(fp, "proto %s\n", "udp");
		fprintf(fp, "port %d\n", nvram_safe_get_int("vpns_ov_port", 1194, 1, 65535));
		if (is_tun) {
			char *vnet, *vmsk;
			vnet = nvram_safe_get("vpns_vnet");
			vmsk = VPN_SERVER_SUBNET_MASK;
			/* laddr/lmask are reused for the virtual pool; the LAN strings
			 * were already rendered above */
			laddr = ntohl(inet_addr(vnet));
			lmask = ntohl(inet_addr(vmsk));
			pool_in.s_addr = htonl(laddr & lmask);
			fprintf(fp, "dev %s\n", IFNAME_SERVER_TUN);
			fprintf(fp, "topology %s\n", "subnet");
			fprintf(fp, "server %s %s\n", inet_ntoa(pool_in), vmsk);
			fprintf(fp, "client-config-dir %s\n", "ccd");
			openvpn_create_server_acl(fp, "ccd");
			fprintf(fp, "push \"route %s %s\"\n", pooll, lannm);
		} else {
			fprintf(fp, "dev %s\n", IFNAME_SERVER_TAP);
			fprintf(fp, "server-bridge %s %s %s %s\n", lanip, lannm, pool1, pool2);
		}
		openvpn_add_auth(fp, nvram_get_int("vpns_ov_mdig"));
		openvpn_add_cipher(fp, nvram_get_int("vpns_ov_ciph"));
		openvpn_add_lzo(fp, nvram_get_int("vpns_ov_clzo"), 1);
		/* DNS: only pushed together with redirect-gateway; the LAN address is
		 * pushed unless two distinct non-LAN DHCP servers were found */
		i_items = 0;
		if (i_rdgw) {
			fprintf(fp, "push \"redirect-gateway def1 %s\"\n", "bypass-dhcp");
			if (i_dhcp) {
				dns1 = nvram_safe_get("dhcp_dns1_x");
				dns2 = nvram_safe_get("dhcp_dns2_x");
				if (is_valid_ipv4(dns1) && (strcmp(dns1, lanip))) {
					i_items++;
					fprintf(fp, "push \"dhcp-option %s %s\"\n", "DNS", dns1);
				}
				if (is_valid_ipv4(dns2) && (strcmp(dns2, lanip)) && (strcmp(dns2, dns1))) {
					i_items++;
					fprintf(fp, "push \"dhcp-option %s %s\"\n", "DNS", dns2);
				}
			}
			if (i_items < 2)
				fprintf(fp, "push \"dhcp-option %s %s\"\n", "DNS", lanip);
		}
		/* WINS: DHCP setting first, the router itself only when it runs a WINS service */
		i_items = 0;
		if (i_dhcp) {
			wins = nvram_safe_get("dhcp_wins_x");
			if (is_valid_ipv4(wins)) {
				i_items++;
				fprintf(fp, "push \"dhcp-option %s %s\"\n", "WINS", wins);
			}
		}
#if defined(APP_SMBD) || defined(APP_NMBD)
		if ((i_items < 1) && nvram_get_int("wins_enable"))
			fprintf(fp, "push \"dhcp-option %s %s\"\n", "WINS", lanip);
#endif
		fprintf(fp, "ca %s/%s\n", SERVER_CERT_DIR, openvpn_server_keys[0]);
		fprintf(fp, "dh %s/%s\n", SERVER_CERT_DIR, openvpn_server_keys[1]);
		fprintf(fp, "cert %s/%s\n", SERVER_CERT_DIR, openvpn_server_keys[2]);
		fprintf(fp, "key %s/%s\n", SERVER_CERT_DIR, openvpn_server_keys[3]);
		/* key-direction 0 on the server pairs with 1 on clients */
		if (i_atls)
			fprintf(fp, "tls-auth %s/%s %d\n", SERVER_CERT_DIR, openvpn_server_keys[4], 0);
		fprintf(fp, "persist-key\n");
		fprintf(fp, "persist-tun\n");
		/* privilege drop after startup; script-security 2 is what lets the
		 * client-connect/disconnect hooks below run */
		fprintf(fp, "user %s\n", SYS_USER_NOBODY);
		fprintf(fp, "group %s\n", SYS_GROUP_NOGROUP);
		fprintf(fp, "script-security %d\n", 2);
		fprintf(fp, "tmp-dir %s\n", COMMON_TEMP_DIR);
		fprintf(fp, "writepid %s\n", SERVER_PID_FILE);
		fprintf(fp, "client-connect %s\n", SCRIPT_OVPN_SERVER);
		fprintf(fp, "client-disconnect %s\n", SCRIPT_OVPN_SERVER);
		/* user-supplied lines go last so they cannot be overridden, except for
		 * directives on forbidden_list which load_user_config() filters */
		fprintf(fp, "\n### User params:\n");
		load_user_config(fp, SERVER_CERT_DIR, "server.conf", forbidden_list);
		fclose(fp);
		chmod(conf_file, 0644);
		return 0;
	}
	return 1;
}
/// True when `str` is a textual IPv4 or IPv6 address (IPv4 is tested first).
bool CUtil::is_valid_ip(const char* str)
{
	if (is_valid_ipv4(str))
		return true;
	return is_valid_ipv6(str);
}
/*
 * Regenerate /etc/exports for the NFS server.
 *
 * If /etc/storage/exports exists it is symlinked as-is (user-managed file).
 * Otherwise every /dev/sd* volume mounted under /media/ (fuseblk excluded)
 * is exported to the LAN network class and, when the VPN server uses its
 * own pool, to the VPN network class as well, with the mount's ro/rw mode
 * and the fixed option set in exports_rule.
 *
 * NOTE(review): exports_rule carries no_root_squash (a remote root keeps
 * root rights on the share) and insecure (client source ports above 1024
 * accepted); the only access control on these exports is the LAN/VPN
 * network class written next to each path.
 */
static void write_nfsd_exports(void)
{
	FILE *procpt, *fp;
	char line[256], devname[32], mpname[128], system_type[16], mount_mode[164], acl_lan[32], acl_vpn[32];
	const char *exports_link = "/etc/storage/exports";
	const char *exports_file = "/etc/exports";
	const char *exports_rule = "async,insecure,no_root_squash,no_subtree_check";
	char *nfsmm, *acl_addr, *acl_mask;

	unlink(exports_file);

	if (check_if_file_exist(exports_link)) {
		symlink(exports_link, exports_file);
		return;
	}

	fp = fopen(exports_file, "w");
	if (!fp)
		return;

	/* prefer the running ("_t") LAN address, fall back to the configured one */
	acl_addr = nvram_safe_get("lan_ipaddr_t");
	acl_mask = nvram_safe_get("lan_netmask_t");
	if (!is_valid_ipv4(acl_addr) || !is_valid_ipv4(acl_mask)) {
		acl_addr = nvram_safe_get("lan_ipaddr");
		acl_mask = nvram_safe_get("lan_netmask");
	}

	acl_lan[0] = 0;
	ip2class(acl_addr, acl_mask, acl_lan, sizeof(acl_lan));

	/* VPN pool class, only for a routed (non-bridged) VPN server in router mode */
	acl_vpn[0] = 0;
	if (!get_ap_mode() && nvram_get_int("vpns_enable") && nvram_get_int("vpns_vuse")) {
		acl_addr = nvram_safe_get("vpns_vnet");
		acl_mask = VPN_SERVER_SUBNET_MASK;
#if defined (APP_OPENVPN)
		/* OpenVPN (type 2) only has a separate pool in tun mode (1) */
		if (nvram_get_int("vpns_type") == 2) {
			if (nvram_get_int("vpns_ov_mode") == 1)
				ip2class(acl_addr, acl_mask, acl_vpn, sizeof(acl_vpn));
		} else
#endif
		ip2class(acl_addr, acl_mask, acl_vpn, sizeof(acl_vpn));
		/* same class as the LAN: do not export it twice */
		if (strcmp(acl_lan, acl_vpn) == 0)
			acl_vpn[0] = 0;
	}

	fprintf(fp, "# %s\n\n", "auto-created file");

	procpt = fopen("/proc/mounts", "r");
	if (procpt) {
		while (fgets(line, sizeof(line), procpt)) {
			/* field widths match the buffers above; the last two fields are skipped */
			if (sscanf(line, "%31s %127s %15s %163s %*s %*s", devname, mpname, system_type, mount_mode) != 4)
				continue;
			if (!strcmp(system_type, "fuseblk"))
				continue;
			if (!strncmp(devname, "/dev/sd", 7) && !strncmp(mpname, "/media/", 7)) {
				/* mount options start with "ro"/"rw": mirror that in the export */
				nfsmm = (strncmp(mount_mode, "ro", 2) == 0) ? "ro" : "rw";
				fprintf(fp, "%s\t", mpname);
				fprintf(fp, " %s(%s,%s)", acl_lan, nfsmm, exports_rule);
				if (acl_vpn[0])
					fprintf(fp, " %s(%s,%s)", acl_vpn, nfsmm, exports_rule);
				fprintf(fp, "\n");
			}
		}
		fclose(procpt);
	}

	fclose(fp);
}
/*
 * Write the pppd options file (VPN_SERVER_PPPD_OPTIONS) for the PPTP/L2TP
 * VPN server.
 *
 * vpns_type 1 is L2TP (adds lcp-max-terminate 0).  Authentication is limited
 * to MS-CHAPv2 when vpns_auth is 0, otherwise CHAP is also accepted.  vpns_mppe
 * selects the MPPE policy: 1 = 128-bit only, 2 = 40-bit only, 3 = no
 * encryption at all, anything else = 40 or 128.  DNS/WINS servers come from
 * the DHCP settings with the LAN address as fallback.
 *
 * Returns 0 on success, -1 when the options file cannot be opened.
 */
static int create_vpns_pppd_options(int vpns_type)
{
	FILE *fp;
	int i_mppe, i_auth, i_vuse, i_dhcp, i_items;
	char *vpns_opt, *lanip, *wins, *dns1, *dns2;

	i_auth = nvram_get_int("vpns_auth");
	i_mppe = nvram_get_int("vpns_mppe");
	i_vuse = nvram_get_int("vpns_vuse");
	i_dhcp = is_dhcpd_enabled(0);
	lanip = nvram_safe_get("lan_ipaddr");
	vpns_opt = VPN_SERVER_PPPD_OPTIONS;

	if (!(fp = fopen(vpns_opt, "w")))
		return -1;

	fprintf(fp, "lock\n");
	fprintf(fp, "name %s\n", get_our_hostname());
	/* EAP, PAP and plain MS-CHAP are never offered; CHAP only when vpns_auth != 0 */
	fprintf(fp, "auth\n");
	fprintf(fp, "refuse-eap\n");
	fprintf(fp, "refuse-pap\n");
	fprintf(fp, "refuse-mschap\n");
	if (i_auth == 0) {
		fprintf(fp, "refuse-chap\n");
		fprintf(fp, "require-mschap-v2\n");
	}
	fprintf(fp, "default-asyncmap\n");
	/* looks like pptp also likes them */
	fprintf(fp, "nopcomp noaccomp\n");
	/* ccp should still be enabled - mppe/mppc requires this */
	fprintf(fp, "novj nobsdcomp nodeflate\n");
	/* NOTE(review): vpns_mppe == 3 turns MPPE off entirely and == 2 forces
	 * 40-bit keys; both leave the tunnel payload weakly or not protected */
	if (i_mppe == 3) {
		fprintf(fp, "nomppe nomppc\n");
	} else {
		if (i_mppe == 1) {
			fprintf(fp, "+mppe\n");
			fprintf(fp, "-mppe-40\n");
			fprintf(fp, "+mppe-128\n");
		} else if (i_mppe == 2) {
			fprintf(fp, "+mppe\n");
			fprintf(fp, "+mppe-40\n");
			fprintf(fp, "-mppe-128\n");
		} else {
			fprintf(fp, "+mppe-40\n");
			fprintf(fp, "+mppe-128\n");
		}
		fprintf(fp, "nomppe-stateful\n");
	}

	// DNS Server: the LAN address is added unless two distinct non-LAN
	// DHCP DNS servers were emitted
	i_items = 0;
	if (i_dhcp) {
		dns1 = nvram_safe_get("dhcp_dns1_x");
		dns2 = nvram_safe_get("dhcp_dns2_x");
		if (is_valid_ipv4(dns1) && (strcmp(dns1, lanip))) {
			i_items++;
			fprintf(fp, "ms-dns %s\n", dns1);
		}
		if (is_valid_ipv4(dns2) && (strcmp(dns2, lanip)) && (strcmp(dns2, dns1))) {
			i_items++;
			fprintf(fp, "ms-dns %s\n", dns2);
		}
	}
	if (i_items < 2)
		fprintf(fp, "ms-dns %s\n", lanip);

	// WINS Server: DHCP setting first, the router itself only when it runs WINS
	i_items = 0;
	if (i_dhcp) {
		wins = nvram_safe_get("dhcp_wins_x");
		if (is_valid_ipv4(wins)) {
			i_items++;
			fprintf(fp, "ms-wins %s\n", wins);
		}
	}
#if defined(APP_SMBD) || defined(APP_NMBD)
	if ((i_items < 1) && nvram_get_int("wins_enable"))
		fprintf(fp, "ms-wins %s\n", lanip);
#endif

	fprintf(fp, "mtu %d\n", nvram_safe_get_int("vpns_mtu", 1450, 1000, 1460));
	fprintf(fp, "mru %d\n", nvram_safe_get_int("vpns_mru", 1450, 1000, 1460));
	fprintf(fp, "ipcp-accept-remote ipcp-accept-local\n");
	fprintf(fp, "nodefaultroute\n");
	/* clients get LAN addresses when no separate pool is used: answer ARP for them */
	if (i_vuse == 0)
		fprintf(fp, "proxyarp\n");
	if (vpns_type == 1) {
		// L2TP: Don't wait for LCP term responses; exit immediately when killed
		fprintf(fp, "lcp-max-terminate %d\n", 0);
	}
	/* echo failures (6*20s) */
	fprintf(fp, "lcp-echo-interval %d\n", 20);
	fprintf(fp, "lcp-echo-failure %d\n", 6);
	fprintf(fp, "lcp-echo-adaptive\n");
	fprintf(fp, "ip-up-script %s\n", VPNS_PPP_UP_SCRIPT);
	fprintf(fp, "ip-down-script %s\n", VPNS_PPP_DW_SCRIPT);
	fprintf(fp, "minunit %d\n", VPN_SERVER_PPP_UNIT);

	fclose(fp);
	chmod(vpns_opt, 0644);

	return 0;
}
/*
 * Write the OpenVPN client configuration to `conf_file`.
 *
 * vpnc_ov_auth 0 uses client certificate + key (openvpn_client_keys[1..2]),
 * 1 uses username/password from the "secret" file written by
 * openvpn_create_client_secret().  vpnc_ov_prot bit 0 selects TCP, bit 1
 * IPv6; the IPv6 bit is cleared when IPv6 is disabled and, under USE_IPV6,
 * corrected to match a literal IPv4/IPv6 peer address, with the fixed value
 * stored back to nvram.  is_tun selects the interface name.  User parameters
 * from "client.conf" are appended last.
 *
 * NOTE(review): no "remote-cert-tls server" is emitted here; unless the user
 * parameters add it, any certificate issued by the configured CA is accepted
 * as the server.
 *
 * Returns 0 on success, 1 when a required key file is missing or the config
 * cannot be opened.
 */
static int openvpn_create_client_conf(const char *conf_file, int is_tun)
{
	FILE *fp;
	int i, i_prot, i_prot_ori, i_auth, i_atls;
	const char *p_peer, *p_prot;

	/* cert/key (1,2) are not needed for password auth, tls-auth key (3) only when enabled */
	i_auth = nvram_get_int("vpnc_ov_auth");
	i_atls = nvram_get_int("vpnc_ov_atls");
	for (i=0; i<4; i++) {
		if (i_auth == 1 && (i == 1 || i == 2))
			continue;
		if (!i_atls && (i == 3))
			continue;
		if (!openvpn_check_key(openvpn_client_keys[i], 0))
			return 1;
	}

	i_prot = nvram_get_int("vpnc_ov_prot");
	i_prot_ori = i_prot;
	if (i_prot > 1 && get_ipv6_type() == IPV6_DISABLED)
		i_prot &= 1;

	p_peer = nvram_safe_get("vpnc_peer");

	/* note: upcoming openvpn 2.4 will need direct set udp4/tcp4-client for ipv4 only */
#if defined (USE_IPV6)
	/* check peer address is direct ipv4/ipv6 */
	if (i_prot > 1 && is_valid_ipv4(p_peer))
		i_prot &= 1;
	else if (i_prot < 2 && is_valid_ipv6(p_peer))
		i_prot += 2;

	if (i_prot == 3)
		p_prot = "tcp6-client";
	else if (i_prot == 2)
		p_prot = "udp6";
	else
#endif
	/* without USE_IPV6 this is the whole chain; with it, the trailing "else" above binds here */
	if (i_prot == 1)
		p_prot = "tcp-client";
	else
		p_prot = "udp";

	/* fixup ipv4/ipv6 mismatch */
	if (i_prot != i_prot_ori)
		nvram_set_int("vpnc_ov_prot", i_prot);

	fp = fopen(conf_file, "w+");
	if (!fp)
		return 1;

	fprintf(fp, "client\n");
	fprintf(fp, "proto %s\n", p_prot);
	fprintf(fp, "remote %s %d\n", p_peer, nvram_safe_get_int("vpnc_ov_port", 1194, 1, 65535));
	fprintf(fp, "resolv-retry %s\n", "infinite");
	fprintf(fp, "nobind\n");
	fprintf(fp, "dev %s\n", (is_tun) ? IFNAME_CLIENT_TUN : IFNAME_CLIENT_TAP);
	fprintf(fp, "ca %s/%s\n", CLIENT_CERT_DIR, openvpn_client_keys[0]);
	if (i_auth == 0) {
		fprintf(fp, "cert %s/%s\n", CLIENT_CERT_DIR, openvpn_client_keys[1]);
		fprintf(fp, "key %s/%s\n", CLIENT_CERT_DIR, openvpn_client_keys[2]);
	}
	/* key-direction 1 on the client pairs with 0 on the server */
	if (i_atls)
		fprintf(fp, "tls-auth %s/%s %d\n", CLIENT_CERT_DIR, openvpn_client_keys[3], 1);
	openvpn_add_auth(fp, nvram_get_int("vpnc_ov_mdig"));
	openvpn_add_cipher(fp, nvram_get_int("vpnc_ov_ciph"));
	openvpn_add_lzo(fp, nvram_get_int("vpnc_ov_clzo"), 0);
	if (i_auth == 1) {
		fprintf(fp, "auth-user-pass %s\n", "secret");
		openvpn_create_client_secret("secret");
	}
	if (nvram_match("vpnc_dgw", "1"))
		fprintf(fp, "redirect-gateway def1 bypass-dhcp\n");
	fprintf(fp, "persist-key\n");
	/* script-security 2 is what lets the up/down hooks below run */
	fprintf(fp, "script-security %d\n", 2);
	fprintf(fp, "writepid %s\n", CLIENT_PID_FILE);
	fprintf(fp, "up %s\n", SCRIPT_OVPN_CLIENT);
	fprintf(fp, "down %s\n", SCRIPT_OVPN_CLIENT);
	/* user-supplied lines go last; directives on forbidden_list are filtered */
	fprintf(fp, "\n### User params:\n");
	load_user_config(fp, CLIENT_CERT_DIR, "client.conf", forbidden_list);
	fclose(fp);

	chmod(conf_file, 0644);

	return 0;
}
/*
 * Write the OpenVPN server configuration to `conf_file`.
 *
 * vpns_ov_prot bit 0 selects TCP, bit 1 IPv6; the IPv6 bit is cleared when
 * IPv6 is disabled and the corrected value is stored back to nvram.
 * is_tun != 0 builds a routed "tun" server on the vpns_vnet pool (with a
 * client-config-dir filled by openvpn_create_server_acl()), otherwise a
 * bridged "tap" server handing out LAN addresses between vpns_cli0 and
 * vpns_cli1.  DNS/WINS options are pushed from the DHCP settings (LAN address
 * as fallback), key material is referenced from SERVER_CERT_DIR, the daemon
 * drops to SYS_USER_NOBODY/SYS_GROUP_NOGROUP and user parameters from
 * "server.conf" are appended last.
 *
 * Returns 0 on success, 1 when a required key file is missing or the config
 * cannot be opened.
 */
static int openvpn_create_server_conf(const char *conf_file, int is_tun)
{
	FILE *fp;
	int i, i_prot, i_prot_ori, i_atls, i_rdgw, i_dhcp, i_items;
	unsigned int laddr, lmask;
	char *lanip, *lannm, *wins, *dns1, *dns2;
	const char *p_prot;
	struct in_addr pool_in;

	/* all server files must exist; index 4 (tls-auth key) only when enabled */
	i_atls = nvram_get_int("vpns_ov_atls");
	for (i=0; i<5; i++) {
		if (!i_atls && (i == 4))
			continue;
		if (!openvpn_check_key(openvpn_server_keys[i], 1))
			return 1;
	}

	i_prot = nvram_get_int("vpns_ov_prot");
	i_rdgw = nvram_get_int("vpns_ov_rdgw");
	i_dhcp = is_dhcpd_enabled(0);

	lanip = nvram_safe_get("lan_ipaddr");
	lannm = nvram_safe_get("lan_netmask");

	laddr = ntohl(inet_addr(lanip));
	lmask = ntohl(inet_addr(lannm));

	i_prot_ori = i_prot;
	if (i_prot > 1 && get_ipv6_type() == IPV6_DISABLED)
		i_prot &= 1;

	/* note: upcoming openvpn 2.4 will need direct set udp4/tcp4-server for ipv4 only */
#if defined (USE_IPV6)
	if (i_prot == 3)
		p_prot = "tcp6-server";
	else if (i_prot == 2)
		p_prot = "udp6";
	else
#endif
	/* without USE_IPV6 this is the whole chain; with it, the trailing "else" above binds here */
	if (i_prot == 1)
		p_prot = "tcp-server";
	else
		p_prot = "udp";

	/* fixup ipv4/ipv6 mismatch */
	if (i_prot != i_prot_ori)
		nvram_set_int("vpns_ov_prot", i_prot);

	fp = fopen(conf_file, "w+");
	if (!fp)
		return 1;

	fprintf(fp, "proto %s\n", p_prot);
	fprintf(fp, "port %d\n", nvram_safe_get_int("vpns_ov_port", 1194, 1, 65535));
	if (is_tun) {
		unsigned int vnet, vmsk;
		vnet = ntohl(inet_addr(nvram_safe_get("vpns_vnet")));
		vmsk = ntohl(inet_addr(VPN_SERVER_SUBNET_MASK));
		pool_in.s_addr = htonl(vnet & vmsk);
		fprintf(fp, "dev %s\n", IFNAME_SERVER_TUN);
		fprintf(fp, "topology %s\n", "subnet");
		fprintf(fp, "server %s %s\n", inet_ntoa(pool_in), VPN_SERVER_SUBNET_MASK);
		fprintf(fp, "client-config-dir %s\n", "ccd");
		openvpn_create_server_acl(fp, "ccd", vnet, vmsk);
		/* route to the LAN network pushed to every client */
		pool_in.s_addr = htonl(laddr & lmask);
		fprintf(fp, "push \"route %s %s\"\n", inet_ntoa(pool_in), lannm);
	} else {
		char sp_b[INET_ADDRSTRLEN], sp_e[INET_ADDRSTRLEN];
		unsigned int vp_b, vp_e, lnet;
		/* highest usable host number in the LAN (broadcast excluded) */
		lnet = ~(lmask) - 1;
		vp_b = (unsigned int)nvram_safe_get_int("vpns_cli0", 245, 1, 254);
		vp_e = (unsigned int)nvram_safe_get_int("vpns_cli1", 254, 2, 254);
		/* clamp the bridge pool into the LAN and keep it ordered */
		if (vp_b > lnet) vp_b = lnet;
		if (vp_e > lnet) vp_e = lnet;
		if (vp_e < vp_b) vp_e = vp_b;
		/* inet_ntoa() returns a static buffer, hence the copies */
		pool_in.s_addr = htonl((laddr & lmask) | vp_b);
		strcpy(sp_b, inet_ntoa(pool_in));
		pool_in.s_addr = htonl((laddr & lmask) | vp_e);
		strcpy(sp_e, inet_ntoa(pool_in));
		fprintf(fp, "dev %s\n", IFNAME_SERVER_TAP);
		fprintf(fp, "server-bridge %s %s %s %s\n", lanip, lannm, sp_b, sp_e);
	}
	openvpn_add_auth(fp, nvram_get_int("vpns_ov_mdig"));
	openvpn_add_cipher(fp, nvram_get_int("vpns_ov_ciph"));
	openvpn_add_lzo(fp, nvram_get_int("vpns_ov_clzo"), 1);
	/* DNS: only pushed together with redirect-gateway; the LAN address is the
	 * fallback when no DHCP DNS server was found */
	i_items = 0;
	if (i_rdgw) {
		fprintf(fp, "push \"redirect-gateway def1 %s\"\n", "bypass-dhcp");
		if (i_dhcp) {
			dns1 = nvram_safe_get("dhcp_dns1_x");
			dns2 = nvram_safe_get("dhcp_dns2_x");
			if (is_valid_ipv4(dns1)) {
				i_items++;
				fprintf(fp, "push \"dhcp-option %s %s\"\n", "DNS", dns1);
			}
			if (is_valid_ipv4(dns2) && strcmp(dns2, dns1)) {
				i_items++;
				fprintf(fp, "push \"dhcp-option %s %s\"\n", "DNS", dns2);
			}
		}
		if (i_items < 1)
			fprintf(fp, "push \"dhcp-option %s %s\"\n", "DNS", lanip);
	}
	/* WINS: DHCP setting first, the router itself only when it runs a WINS service */
	i_items = 0;
	if (i_dhcp) {
		wins = nvram_safe_get("dhcp_wins_x");
		if (is_valid_ipv4(wins)) {
			i_items++;
			fprintf(fp, "push \"dhcp-option %s %s\"\n", "WINS", wins);
		}
	}
#if defined(APP_SMBD) || defined(APP_NMBD)
	if ((i_items < 1) && nvram_get_int("wins_enable"))
		fprintf(fp, "push \"dhcp-option %s %s\"\n", "WINS", lanip);
#endif
	fprintf(fp, "ca %s/%s\n", SERVER_CERT_DIR, openvpn_server_keys[0]);
	fprintf(fp, "dh %s/%s\n", SERVER_CERT_DIR, openvpn_server_keys[1]);
	fprintf(fp, "cert %s/%s\n", SERVER_CERT_DIR, openvpn_server_keys[2]);
	fprintf(fp, "key %s/%s\n", SERVER_CERT_DIR, openvpn_server_keys[3]);
	/* key-direction 0 on the server pairs with 1 on clients */
	if (i_atls)
		fprintf(fp, "tls-auth %s/%s %d\n", SERVER_CERT_DIR, openvpn_server_keys[4], 0);
	fprintf(fp, "persist-key\n");
	fprintf(fp, "persist-tun\n");
	/* privilege drop after startup; script-security 2 is what lets the
	 * client-connect/disconnect hooks below run */
	fprintf(fp, "user %s\n", SYS_USER_NOBODY);
	fprintf(fp, "group %s\n", SYS_GROUP_NOGROUP);
	fprintf(fp, "script-security %d\n", 2);
	fprintf(fp, "tmp-dir %s\n", COMMON_TEMP_DIR);
	fprintf(fp, "writepid %s\n", SERVER_PID_FILE);
	fprintf(fp, "client-connect %s\n", SCRIPT_OVPN_SERVER);
	fprintf(fp, "client-disconnect %s\n", SCRIPT_OVPN_SERVER);
	/* user-supplied lines go last; directives on forbidden_list are filtered */
	fprintf(fp, "\n### User params:\n");
	load_user_config(fp, SERVER_CERT_DIR, "server.conf", forbidden_list);
	fclose(fp);

	chmod(conf_file, 0644);

	return 0;
}