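/*
 * Start (or restart) the OpenVPN server daemon from NVRAM settings.
 *
 * Materialises the key material held in NVRAM under /tmp/openvpn, writes
 * openvpn.conf plus the route-up / route-down helper scripts, and launches
 * the daemon.  Returns early (silently) when the server is disabled or any
 * of the generated files cannot be opened.
 *
 * Security notes:
 *  - every file that holds secret material is forced to 0600 (not just key.pem);
 *  - NVRAM values are interpolated verbatim into the config and into root-run
 *    shell scripts; they come from the admin UI and are neither quoted nor
 *    validated here;
 *  - the management socket is bound to loopback without a password, so any
 *    local process can drive the daemon.
 */
void start_openvpnserver(void)
{
	int jffs = 0;
	FILE *fp;

	if (nvram_invmatch("openvpn_enable", "1"))
		return;

	/* A persistent client-config-dir is only possible with a writable jffs
	 * partition or a USB stick mounted at /jffs. */
	if ((nvram_match("usb_enable", "1") && nvram_match("usb_storage", "1")
	     && nvram_match("usb_automnt", "1") && nvram_match("usb_mntpoint", "jffs"))
	    || (nvram_match("enable_jffs2", "1") && nvram_match("jffs_mounted", "1")
		&& nvram_match("sys_enable_jffs2", "1")))
		jffs = 1;

	dd_syslog(LOG_INFO, "openvpn : OpenVPN daemon (Server) starting/restarting...\n");

	mkdir("/tmp/openvpn", 0700);
	mkdir("/tmp/openvpn/ccd", 0700);
	write_nvram("/tmp/openvpn/dh.pem", "openvpn_dh");
	write_nvram("/tmp/openvpn/ca.crt", "openvpn_ca");
	write_nvram("/tmp/openvpn/cert.pem", "openvpn_crt");
	write_nvram("/tmp/openvpn/ca.crl", "openvpn_crl");
	write_nvram("/tmp/openvpn/key.pem", "openvpn_key");
	write_nvram("/tmp/openvpn/ta.key", "openvpn_tlsauth");
	write_nvram("/tmp/openvpn/cert.p12", "openvpn_pkcs12");
	write_nvram("/tmp/openvpn/static.key", "openvpn_static");
	/* The tls-auth key, the PKCS#12 bundle and the static key are secrets
	 * too; a missing file simply makes chmod() fail harmlessly. */
	chmod("/tmp/openvpn/key.pem", 0600);
	chmod("/tmp/openvpn/ta.key", 0600);
	chmod("/tmp/openvpn/cert.p12", 0600);
	chmod("/tmp/openvpn/static.key", 0600);

	/* Client-config-dir: prefer jffs so per-client settings survive a reboot. */
	if (jffs == 1) {
		mkdir("/jffs/etc", 0700);
		mkdir("/jffs/etc/openvpn", 0700);
		mkdir("/jffs/etc/openvpn/ccd", 0700);
		if (strlen(nvram_safe_get("openvpn_ccddef")) > 0) {
			write_nvram("/jffs/etc/openvpn/ccd/DEFAULT", "openvpn_ccddef");
			chmod("/jffs/etc/openvpn/ccd/DEFAULT", 0700);
		}
	} else {
		write_nvram("/tmp/openvpn/ccd/DEFAULT", "openvpn_ccddef");
		chmod("/tmp/openvpn/ccd/DEFAULT", 0700);
	}

	fp = fopen("/tmp/openvpn/openvpn.conf", "wb");
	if (fp == NULL)
		return;

	/* Credential precedence: static key, then PKCS#12 bundle, then loose PEM files. */
	if (nvram_invmatch("openvpn_static", ""))
		fprintf(fp, "secret /tmp/openvpn/static.key\n");
	else if (nvram_invmatch("openvpn_pkcs12", "")) {
		fprintf(fp, "dh /tmp/openvpn/dh.pem\n");
		fprintf(fp, "pkcs12 /tmp/openvpn/cert.p12\n");
	} else {
		if (nvram_invmatch("openvpn_dh", ""))
			fprintf(fp, "dh /tmp/openvpn/dh.pem\n");
		if (nvram_invmatch("openvpn_ca", ""))
			fprintf(fp, "ca /tmp/openvpn/ca.crt\n");
		if (nvram_invmatch("openvpn_crt", ""))
			fprintf(fp, "cert /tmp/openvpn/cert.pem\n");
		if (nvram_invmatch("openvpn_key", ""))
			fprintf(fp, "key /tmp/openvpn/key.pem\n");
	}

	/* openvpn_switch=1 selects the GUI-driven config; otherwise only the
	 * free-form openvpn_config text (old style) is used. */
	if (nvram_match("openvpn_switch", "1")) {
		write_nvram("/tmp/openvpn/cert.pem", "openvpn_crt");
		/* NOTE(review): "management 127.0.0.1 14" has no password option;
		 * any local process can attach to the management channel. */
		fprintf(fp,
			"keepalive 10 120\n"
			"verb 3\n"
			"mute 3\n"
			"syslog\n"
			"writepid /var/run/openvpnd.pid\n"
			"management 127.0.0.1 14\n"
			"management-log-cache 100\n"
			"topology subnet\n"
			"script-security 2\n"
			"port %s\n"
			"proto %s\n"
			"cipher %s\n"
			"auth %s\n",
			nvram_safe_get("openvpn_port"), nvram_safe_get("openvpn_proto"),
			nvram_safe_get("openvpn_cipher"), nvram_safe_get("openvpn_auth"));
		if (jffs == 1)
			fprintf(fp, "client-config-dir /jffs/etc/openvpn/ccd\n");
		else
			fprintf(fp, "client-config-dir /tmp/openvpn/ccd\n");
		if (nvram_invmatch("openvpn_lzo", "off"))
			fprintf(fp, "comp-lzo %s\n", nvram_safe_get("openvpn_lzo")); /* yes/no/adaptive */
		if (nvram_invmatch("openvpn_auth", "none"))
			fprintf(fp, "tls-server\n");
		if (nvram_match("openvpn_dupcn", "1"))
			fprintf(fp, "duplicate-cn\n");
		/* Persistent client IPs only make sense without duplicate-cn and outside proxy mode. */
		if (nvram_match("openvpn_dupcn", "0") && nvram_match("openvpn_proxy", "0"))
			fprintf(fp, "ifconfig-pool-persist /tmp/openvpn/ip-pool 86400\n");
		if (nvram_match("openvpn_cl2cl", "1"))
			fprintf(fp, "client-to-client\n");
		if (nvram_match("openvpn_redirgate", "1"))
			fprintf(fp, "push \"redirect-gateway def1\"\n");
		if (nvram_invmatch("openvpn_tlscip", "0"))
			fprintf(fp, "tls-cipher %s\n", nvram_safe_get("openvpn_tlscip"));
		if (nvram_match("openvpn_proto", "udp"))
			fprintf(fp, "fast-io\n");	/* experimental CPU saving on UDP */
		else
			fprintf(fp, "tcp-nodelay\n");	/* latency optimisation on TCP */
		if (nvram_invmatch("openvpn_mtu", ""))
			fprintf(fp, "tun-mtu %s\n", nvram_safe_get("openvpn_mtu"));
		if (nvram_invmatch("openvpn_fragment", "") && nvram_match("openvpn_proto", "udp")) {
			fprintf(fp, "fragment %s\n", nvram_safe_get("openvpn_fragment"));
			if (nvram_match("openvpn_mssfix", "1"))
				fprintf(fp, "mssfix\n");	/* should be set on one side only */
		} else
			fprintf(fp, "mtu-disc yes\n");

		if (nvram_match("openvpn_tuntap", "tun")) {
			fprintf(fp, "server %s %s\n", nvram_safe_get("openvpn_net"), nvram_safe_get("openvpn_tunmask"));
			fprintf(fp, "dev tun2\n");
			fprintf(fp, "tun-ipv6\n");
		} else if (nvram_match("openvpn_tuntap", "tap") && nvram_match("openvpn_proxy", "0")) {
			fprintf(fp, "server-bridge %s %s %s %s\n",
				nvram_safe_get("openvpn_gateway"), nvram_safe_get("openvpn_mask"),
				nvram_safe_get("openvpn_startip"), nvram_safe_get("openvpn_endip"));
			fprintf(fp, "dev tap2\n");
		} else if (nvram_match("openvpn_tuntap", "tap") && nvram_match("openvpn_proxy", "1")
			   && nvram_match("openvpn_redirgate", "1"))
			fprintf(fp, "server-bridge\n" "dev tap2\n");
		else
			fprintf(fp, "server-bridge nogw\n" "dev tap2\n");

		if (strlen(nvram_safe_get("openvpn_tlsauth")) > 0)
			fprintf(fp, "tls-auth /tmp/openvpn/ta.key 0\n");
		if (strlen(nvram_safe_get("openvpn_crl")) > 0)
			fprintf(fp, "crl-verify /tmp/openvpn/ca.crl\n");
		if (nvram_invmatch("wshaper_enable", "0"))
			fprintf(fp, "passtos\n");	/* keep ToS bits for QoS */
	} else
		write_nvram("/tmp/openvpn/cert.pem", "openvpn_client");
	/* Free-form admin config is appended verbatim and can override anything above. */
	fprintf(fp, "%s\n", nvram_safe_get("openvpn_config"));
	fclose(fp);

	/* route-up.sh: runs as root after the tunnel is up. */
	fp = fopen("/tmp/openvpn/route-up.sh", "wb");
	if (fp == NULL)
		return;
	fprintf(fp, "#!/bin/sh\n");
#if defined(HAVE_TMK) || defined(HAVE_BKM)
	/* NVRAM value goes into a root shell script unquoted. */
	char *gpiovpn = nvram_get("gpiovpn");
	if (gpiovpn != NULL) {
		fprintf(fp, "gpio enable %s\n", gpiovpn);
	}
#endif
	if (nvram_match("openvpn_tuntap", "tap")) {
		/* non-promiscuous for performance reasons */
		fprintf(fp, "brctl addif br0 tap2\n" "ifconfig tap2 0.0.0.0 up\n");
	}
	/* Optionally keep LAN multicast off the bridged VPN. */
	if (nvram_match("block_multicast", "0") && nvram_match("openvpn_tuntap", "tap"))
		fprintf(fp,
			"insmod ebtables\n"
			"insmod ebtable_filter\n"
			"insmod ebtable_nat\n"
			"insmod ebt_pkttype\n"
			"ebtables -t nat -D POSTROUTING -o tap2 --pkttype-type multicast -j DROP\n"
			"ebtables -t nat -I POSTROUTING -o tap2 --pkttype-type multicast -j DROP\n");
	/* Optionally keep DHCP off the bridged VPN (both directions). */
	if (nvram_match("openvpn_dhcpbl", "1") && nvram_match("openvpn_tuntap", "tap")
	    && nvram_match("openvpn_proxy", "0"))
		fprintf(fp,
			"insmod ebtables\n"
			"insmod ebt_ip\n"
			"insmod ebtable_filter\n"
			"insmod ebtable_nat\n"
			"ebtables -t nat -D PREROUTING -i tap2 -p ipv4 --ip-proto udp --ip-sport 67:68 --ip-dport 67:68 -j DROP\n"
			"ebtables -t nat -D POSTROUTING -o tap2 -p ipv4 --ip-proto udp --ip-sport 67:68 --ip-dport 67:68 -j DROP\n"
			"ebtables -t nat -I PREROUTING -i tap2 -p ipv4 --ip-proto udp --ip-sport 67:68 --ip-dport 67:68 -j DROP\n"
			"ebtables -t nat -I POSTROUTING -o tap2 -p ipv4 --ip-proto udp --ip-sport 67:68 --ip-dport 67:68 -j DROP\n");
	fprintf(fp, "startservice set_routes\n" "stopservice wshaper\n" "startservice wshaper\n");
	fclose(fp);

	/* route-down.sh: undo the ebtables rules and the bridge membership. */
	fp = fopen("/tmp/openvpn/route-down.sh", "wb");
	if (fp == NULL)
		return;
	fprintf(fp, "#!/bin/sh\n");
#if defined(HAVE_TMK) || defined(HAVE_BKM)
	if (gpiovpn != NULL)
		fprintf(fp, "gpio disable %s\n", gpiovpn);
#endif
	if (nvram_match("block_multicast", "0") && nvram_match("openvpn_tuntap", "tap"))
		fprintf(fp, "ebtables -t nat -D POSTROUTING -o tap2 --pkttype-type multicast -j DROP\n");
	if (nvram_match("openvpn_dhcpbl", "1") && nvram_match("openvpn_tuntap", "tap")
	    && nvram_match("openvpn_proxy", "0"))
		fprintf(fp,
			"ebtables -t nat -D PREROUTING -i tap2 -p ipv4 --ip-proto udp --ip-sport 67:68 --ip-dport 67:68 -j DROP\n"
			"ebtables -t nat -D POSTROUTING -o tap2 -p ipv4 --ip-proto udp --ip-sport 67:68 --ip-dport 67:68 -j DROP\n");
	if (nvram_match("openvpn_tuntap", "tap"))
		fprintf(fp, "brctl delif br0 tap2\n" "ifconfig tap2 down\n");
	fclose(fp);

	chmod("/tmp/openvpn/route-up.sh", 0700);
	chmod("/tmp/openvpn/route-down.sh", 0700);

	/* NOTE(review): the daemon is launched through a symlink created in /tmp.
	 * "ln -s" does not replace an existing entry, so whatever
	 * /tmp/openvpnserver already points to is what gets executed; this is
	 * only safe while /tmp is writable by root alone. */
	eval("ln", "-s", "/usr/sbin/openvpn", "/tmp/openvpnserver");
	if (nvram_match("use_crypto", "1"))
		eval("/tmp/openvpnserver", "--config", "/tmp/openvpn/openvpn.conf",
		     "--route-up", "/tmp/openvpn/route-up.sh",
		     "--down-pre", "/tmp/openvpn/route-down.sh", "--daemon", "--engine", "cryptodev");
	else
		eval("/tmp/openvpnserver", "--config", "/tmp/openvpn/openvpn.conf",
		     "--route-up", "/tmp/openvpn/route-up.sh",
		     "--down-pre", "/tmp/openvpn/route-down.sh", "--daemon");
	eval("stopservice", "wshaper");
	eval("startservice", "wshaper");
}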
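/*
 * Start (or restart) the OpenVPN client daemon from NVRAM settings.
 *
 * Writes the client key material to /tmp/openvpncl, generates openvpn.conf
 * and the route-up / route-down scripts (bridging, NAT, firewall holes and
 * optional policy routing via table 10), then launches the daemon.
 * Returns early when the client is disabled or a generated file cannot be opened.
 *
 * Fixes over the previous version: the private key was chmod'ed under the
 * server path (/tmp/openvpn/client.key) and therefore stayed world-readable;
 * the other secret files were never restricted; and route-down.sh flushed
 * table 10 but left the per-IP "ip rule" entries behind, so they piled up on
 * every reconnect.
 */
void start_openvpn(void)
{
	FILE *fp;

	if (nvram_invmatch("openvpncl_enable", "1"))
		return;
	dd_syslog(LOG_INFO, "openvpn : OpenVPN daemon (Client) starting/restarting...\n");

	mkdir("/tmp/openvpncl", 0700);
	write_nvram("/tmp/openvpncl/ca.crt", "openvpncl_ca");
	write_nvram("/tmp/openvpncl/client.crt", "openvpncl_client");
	write_nvram("/tmp/openvpncl/client.key", "openvpncl_key");
	write_nvram("/tmp/openvpncl/ta.key", "openvpncl_tlsauth");
	write_nvram("/tmp/openvpncl/cert.p12", "openvpncl_pkcs12");
	write_nvram("/tmp/openvpncl/static.key", "openvpncl_static");
	/* Restrict every file that carries secret material (path matches the writes above). */
	chmod("/tmp/openvpncl/client.key", 0600);
	chmod("/tmp/openvpncl/ta.key", 0600);
	chmod("/tmp/openvpncl/cert.p12", 0600);
	chmod("/tmp/openvpncl/static.key", 0600);

	fp = fopen("/tmp/openvpncl/openvpn.conf", "wb");
	if (fp == NULL)
		return;

	/* Credential precedence: static key, then PKCS#12 bundle, then loose PEM files. */
	if (nvram_invmatch("openvpncl_static", ""))
		fprintf(fp, "secret /tmp/openvpncl/static.key\n");
	else if (nvram_invmatch("openvpncl_pkcs12", ""))
		fprintf(fp, "pkcs12 /tmp/openvpncl/cert.p12\n");
	else {
		if (nvram_invmatch("openvpncl_ca", ""))
			fprintf(fp, "ca /tmp/openvpncl/ca.crt\n");
		if (nvram_invmatch("openvpncl_client", ""))
			fprintf(fp, "cert /tmp/openvpncl/client.crt\n");
		if (nvram_invmatch("openvpncl_key", ""))
			fprintf(fp, "key /tmp/openvpncl/client.key\n");
	}

	/* NOTE(review): management channel on loopback without a password. */
	fprintf(fp,
		"management 127.0.0.1 16\n"
		"management-log-cache 100\n"
		"verb 3\n"
		"mute 3\n"
		"syslog\n"
		"writepid /var/run/openvpncl.pid\n"
		"client\n"
		"resolv-retry infinite\n"
		"nobind\n"
		"persist-key\n"
		"persist-tun\n"
		"script-security 2\n");
	fprintf(fp, "dev %s1\n", nvram_safe_get("openvpncl_tuntap"));
	fprintf(fp, "proto %s\n", nvram_safe_get("openvpncl_proto"));
	fprintf(fp, "cipher %s\n", nvram_safe_get("openvpncl_cipher"));
	fprintf(fp, "auth %s\n", nvram_safe_get("openvpncl_auth"));
	fprintf(fp, "remote %s %s\n", nvram_safe_get("openvpncl_remoteip"), nvram_safe_get("openvpncl_remoteport"));
	if (nvram_invmatch("openvpncl_lzo", "off"))
		fprintf(fp, "comp-lzo %s\n", nvram_safe_get("openvpncl_lzo")); /* yes/no/adaptive */
	if (strlen(nvram_safe_get("openvpncl_route")) > 0) {
		/* Policy routing: we still need the gateway info from the server,
		 * but the routes/addresses are applied by route-up.sh, not by openvpn. */
		fprintf(fp, "redirect-private def1\n");
		if (nvram_invmatch("openvpncl_tuntap", "tun"))
			fprintf(fp, "ifconfig-noexec\n");
		else
			fprintf(fp, "route-noexec\n");
	}
	if (nvram_invmatch("openvpncl_auth", "none"))
		fprintf(fp, "tls-client\n");
	if (nvram_invmatch("openvpncl_mtu", ""))
		fprintf(fp, "tun-mtu %s\n", nvram_safe_get("openvpncl_mtu"));
	if (nvram_invmatch("openvpncl_fragment", "") && nvram_match("openvpncl_proto", "udp")) {
		fprintf(fp, "fragment %s\n", nvram_safe_get("openvpncl_fragment"));
		if (nvram_match("openvpncl_mssfix", "1"))
			fprintf(fp, "mssfix\n");	/* should be set on one side only */
	} else
		fprintf(fp, "mtu-disc yes\n");
	/* NOTE(review): ns-cert-type is the legacy nsCertType check; newer
	 * OpenVPN releases prefer "remote-cert-tls server" (EKU based).  Whether
	 * the bundled binary accepts it is not visible here, so it is left as-is. */
	if (nvram_match("openvpncl_certtype", "1"))
		fprintf(fp, "ns-cert-type server\n");
	if (nvram_match("openvpncl_proto", "udp"))
		fprintf(fp, "fast-io\n");	/* experimental CPU saving on UDP */
	if (nvram_match("openvpncl_tuntap", "tun"))
		fprintf(fp, "tun-ipv6\n");
	if (strlen(nvram_safe_get("openvpncl_tlsauth")) > 0)
		fprintf(fp, "tls-auth /tmp/openvpncl/ta.key 1\n");
	if (nvram_invmatch("openvpncl_tlscip", "0"))
		fprintf(fp, "tls-cipher %s\n", nvram_safe_get("openvpncl_tlscip"));
	if (nvram_invmatch("wshaper_enable", "0"))
		fprintf(fp, "passtos\n");	/* keep ToS bits for QoS */
	/* Free-form admin config is appended verbatim and can override anything above. */
	fprintf(fp, "%s\n", nvram_safe_get("openvpncl_config"));
	fclose(fp);

	/* route-up.sh: runs as root once the tunnel is established.  NVRAM values
	 * are interpolated unquoted. */
	fp = fopen("/tmp/openvpncl/route-up.sh", "wb");
	if (fp == NULL)
		return;
	fprintf(fp, "#!/bin/sh\n");
	if (nvram_match("openvpncl_tuntap", "tap") && nvram_match("openvpncl_bridge", "1")
	    && nvram_match("openvpncl_nat", "0")) {
		/* bridge the tap into the LAN, non-promiscuous for performance */
		fprintf(fp, "brctl addif br0 tap1\n" "ifconfig tap1 0.0.0.0 up\n");
	} else {
		if (nvram_match("openvpncl_tuntap", "tap") && strlen(nvram_safe_get("openvpncl_ip")) > 0)
			fprintf(fp, "ifconfig tap1 %s netmask %s up\n",
				nvram_safe_get("openvpncl_ip"), nvram_safe_get("openvpncl_mask"));
	}
	if (nvram_match("openvpncl_nat", "1"))
		fprintf(fp, "iptables -I POSTROUTING -t nat -o %s1 -j MASQUERADE\n", nvram_safe_get("openvpncl_tuntap"));
	if (nvram_match("openvpncl_sec", "0"))
		fprintf(fp, "iptables -I INPUT -i %s1 -j ACCEPT\n", nvram_safe_get("openvpncl_tuntap"));
	else {
		if (nvram_match("openvpncl_tuntap", "tun"))	/* only needed with tun */
			fprintf(fp,
				"iptables -I INPUT -i %s1 -j ACCEPT\n"
				"iptables -I FORWARD -i %s1 -j ACCEPT\n"
				"iptables -I FORWARD -o %s1 -j ACCEPT\n",
				nvram_safe_get("openvpncl_tuntap"), nvram_safe_get("openvpncl_tuntap"),
				nvram_safe_get("openvpncl_tuntap"));
	}
	if (strlen(nvram_safe_get("openvpncl_route")) > 0) {
		/* Policy based routing: listed source IPs go through table 10. */
		write_nvram("/tmp/openvpncl/policy_ips", "openvpncl_route");
		fprintf(fp,
			"for IP in `cat /tmp/openvpncl/policy_ips` ; do\n"
			"\t ip rule add from $IP table 10\n"
			"done\n");
		if (nvram_match("openvpncl_tuntap", "tap"))
			fprintf(fp, "ip route add default via $route_vpn_gateway table 10\n");
		else
			fprintf(fp, "ip route add default via $ifconfig_remote table 10\n");
		fprintf(fp,
			"ip route flush cache\n"
			"echo $ifconfig_remote >>/tmp/gateway.txt\n"
			"echo $route_vpn_gateway >>/tmp/gateway.txt\n"
			"echo $ifconfig_local >>/tmp/gateway.txt\n");
	}
	if (nvram_match("block_multicast", "0") && nvram_match("openvpncl_tuntap", "tap")
	    && nvram_match("openvpncl_bridge", "1")) {
		/* keep LAN multicast off the bridged VPN */
		fprintf(fp,
			"insmod ebtables\n"
			"insmod ebtable_filter\n"
			"insmod ebtable_nat\n"
			"insmod ebt_pkttype\n"
			"ebtables -t nat -D POSTROUTING -o tap1 --pkttype-type multicast -j DROP\n"
			"ebtables -t nat -I POSTROUTING -o tap1 --pkttype-type multicast -j DROP\n");
	}
	if (nvram_match("wshaper_enable", "1"))
		fprintf(fp, "stopservice wshaper\n" "startservice wshaper\n");
	fclose(fp);

	/* route-down.sh: tear down what route-up.sh set up. */
	fp = fopen("/tmp/openvpncl/route-down.sh", "wb");
	if (fp == NULL)
		return;
	fprintf(fp, "#!/bin/sh\n");
	if (nvram_match("openvpncl_tuntap", "tap") && nvram_match("openvpncl_bridge", "1")
	    && nvram_match("openvpncl_nat", "0"))
		fprintf(fp, "brctl delif br0 tap1\n" "ifconfig tap1 down\n");
	else if (nvram_match("openvpncl_tuntap", "tap") && strlen(nvram_safe_get("openvpncl_ip")) > 0)
		fprintf(fp, "ifconfig tap1 down\n");
	if (nvram_match("openvpncl_nat", "1"))
		fprintf(fp,
			"iptables -D INPUT -i %s1 -j ACCEPT\n"
			"iptables -D POSTROUTING -t nat -o %s1 -j MASQUERADE\n",
			nvram_safe_get("openvpncl_tuntap"), nvram_safe_get("openvpncl_tuntap"));
	else {
		fprintf(fp,
			"iptables -D INPUT -i %s1 -j ACCEPT\n"
			"iptables -D FORWARD -i %s1 -j ACCEPT\n"
			"iptables -D FORWARD -o %s1 -j ACCEPT\n",
			nvram_safe_get("openvpncl_tuntap"), nvram_safe_get("openvpncl_tuntap"),
			nvram_safe_get("openvpncl_tuntap"));
	}
	if (strlen(nvram_safe_get("openvpncl_route")) > 0) {
		/* Remove the per-IP rules added by route-up.sh before flushing the
		 * table, otherwise they accumulate across reconnects. */
		write_nvram("/tmp/openvpncl/policy_ips", "openvpncl_route");
		fprintf(fp,
			"for IP in `cat /tmp/openvpncl/policy_ips` ; do\n"
			"\t ip rule del from $IP table 10\n"
			"done\n"
			"ip route flush table 10\n");
	}
	fclose(fp);

	chmod("/tmp/openvpncl/route-up.sh", 0700);
	chmod("/tmp/openvpncl/route-down.sh", 0700);

	if (nvram_match("use_crypto", "1"))
		eval("openvpn", "--config", "/tmp/openvpncl/openvpn.conf",
		     "--route-up", "/tmp/openvpncl/route-up.sh",
		     "--down-pre", "/tmp/openvpncl/route-down.sh", "--daemon", "--engine", "cryptodev");
	else
		eval("openvpn", "--config", "/tmp/openvpncl/openvpn.conf",
		     "--route-up", "/tmp/openvpncl/route-up.sh",
		     "--down-pre", "/tmp/openvpncl/route-down.sh", "--daemon");
	if (nvram_match("wshaper_enable", "1")) {
		eval("stopservice", "wshaper");
		eval("startservice", "wshaper");
	}
}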
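/*
 * Emit the optional lines shared by every EAP flavour: phase2,
 * anonymous_identity and the free-form "additional options" blob.
 * eaptype is the NVRAM infix ("tls", "peap", "ttls", "leap"), so the keys
 * consulted are <prefix>_<eaptype>8021xphase2 / ...8021xanon / ...8021xaddopt.
 */
static void supplicant_write_eap_extras(FILE *fp, const char *prefix, const char *eaptype)
{
	char key[64];

	snprintf(key, sizeof(key), "%s_%s8021xphase2", prefix, eaptype);
	if (strlen(nvram_nget("%s", key)) > 0)
		fprintf(fp, "\tphase2=\"%s\"\n", nvram_nget("%s", key));

	snprintf(key, sizeof(key), "%s_%s8021xanon", prefix, eaptype);
	if (strlen(nvram_nget("%s", key)) > 0)
		fprintf(fp, "\tanonymous_identity=\"%s\"\n", nvram_nget("%s", key));

	snprintf(key, sizeof(key), "%s_%s8021xaddopt", prefix, eaptype);
	if (strlen(nvram_nget("%s", key)) > 0) {
		fprintf(fp, "\t");	/* the blob is copied verbatim; indent its first line */
		fwritenvram(key, fp);
		fprintf(fp, "\n");	/* make sure the closing brace ends up on its own line */
	}
}

/*
 * Build the wpa_supplicant configuration for one radio and launch the
 * supplicant (Ralink driver variant).  Only 802.1X key management is handled
 * here; for any other <prefix>_akm value the function does nothing.
 *
 * prefix: NVRAM prefix of the radio (e.g. "wl0").  It names the config file
 *         /tmp/<prefix>_wpa_supplicant.conf and the certificate directory
 *         /tmp/<prefix>/.
 *
 * Fixes over the previous version: wpaOpts was declared as an array of 40
 * pointers and sprintf'ed into as if it were a char buffer; mkdir() was
 * called without a mode argument; fopen() was never checked for NULL; all
 * name buffers were filled with unbounded sprintf(); and neither the config
 * file (which carries the key passphrase) nor the private key were chmod'ed.
 */
void setupSupplicant(char *prefix)
{
	char akm[32];
	char wmode[32];
	char fstr[64];
	char psk[64];
	char ath[64];
	char bvar[32];
	FILE *fp;

	snprintf(akm, sizeof(akm), "%s_akm", prefix);
	snprintf(wmode, sizeof(wmode), "%s_mode", prefix);
	if (!nvram_match(akm, "8021X"))
		return;

	snprintf(fstr, sizeof(fstr), "/tmp/%s_wpa_supplicant.conf", prefix);
	fp = fopen(fstr, "wb");
	if (fp == NULL)
		return;
	fprintf(fp, "ap_scan=1\n");
	fprintf(fp, "fast_reauth=1\n");
	fprintf(fp, "eapol_version=1\n");
	fprintf(fp, "network={\n");
	snprintf(psk, sizeof(psk), "%s_ssid", prefix);
	fprintf(fp, "\tssid=\"%s\"\n", nvram_safe_get(psk));
	fprintf(fp, "\tscan_ssid=1\n");

	if (nvram_prefix_match("8021xtype", prefix, "tls")) {
		/* Key exchange defaults to "wep" (plain IEEE8021X without WPA
		 * pairwise/group suites) when nothing is configured. */
		char *keyExchng = nvram_nget("%s_tls8021xkeyxchng", prefix);
		const char *wpaOpts = "";

		if (strlen(keyExchng) == 0)
			nvram_nset("wep", "%s_tls8021xkeyxchng", prefix);
		keyExchng = nvram_nget("%s_tls8021xkeyxchng", prefix);
		if (strcmp("wpa2", keyExchng) == 0)
			wpaOpts = "\tpairwise=CCMP\n\tgroup=CCMP\n";
		if (strcmp("wpa2mixed", keyExchng) == 0)
			wpaOpts = "\tpairwise=CCMP TKIP\n\tgroup=CCMP TKIP\n";
		if (strcmp("wpa", keyExchng) == 0)
			wpaOpts = "\tpairwise=TKIP\n\tgroup=TKIP\n";
		fprintf(fp, "\tkey_mgmt=%s\n%s", (wpaOpts[0] == '\0' ? "IEEE8021X" : "WPA-EAP"), wpaOpts);
		fprintf(fp, "\teap=TLS\n");
		fprintf(fp, "\tidentity=\"%s\"\n", nvram_prefix_get("tls8021xuser", prefix));

		snprintf(psk, sizeof(psk), "/tmp/%s", prefix);
		mkdir(psk, 0700);
		snprintf(psk, sizeof(psk), "/tmp/%s/ca.pem", prefix);
		snprintf(ath, sizeof(ath), "%s_tls8021xca", prefix);
		write_nvram(psk, ath);
		snprintf(psk, sizeof(psk), "/tmp/%s/user.pem", prefix);
		snprintf(ath, sizeof(ath), "%s_tls8021xpem", prefix);
		write_nvram(psk, ath);
		snprintf(psk, sizeof(psk), "/tmp/%s/user.prv", prefix);
		snprintf(ath, sizeof(ath), "%s_tls8021xprv", prefix);
		write_nvram(psk, ath);
		chmod(psk, 0600);	/* client private key */
		fprintf(fp, "\tca_cert=/tmp/%s/ca.pem\n", prefix);
		fprintf(fp, "\tclient_cert=/tmp/%s/user.pem\n", prefix);
		fprintf(fp, "\tprivate_key=/tmp/%s/user.prv\n", prefix);
		fprintf(fp, "\tprivate_key_passwd=\"%s\"\n", nvram_prefix_get("tls8021xpasswd", prefix));
		fprintf(fp, "\teapol_flags=3\n");
		supplicant_write_eap_extras(fp, prefix, "tls");
	}

	if (nvram_prefix_match("8021xtype", prefix, "peap")) {
		fprintf(fp, "\tkey_mgmt=WPA-EAP\n");
		fprintf(fp, "\teap=PEAP\n");
		fprintf(fp, "\tpairwise=CCMP TKIP\n");
		fprintf(fp, "\tgroup=CCMP TKIP\n");
		fprintf(fp, "\tphase1=\"peapver=0\"\n");
		fprintf(fp, "\tidentity=\"%s\"\n", nvram_prefix_get("peap8021xuser", prefix));
		fprintf(fp, "\tpassword=\"%s\"\n", nvram_prefix_get("peap8021xpasswd", prefix));
		snprintf(psk, sizeof(psk), "/tmp/%s", prefix);
		mkdir(psk, 0700);
		snprintf(psk, sizeof(psk), "/tmp/%s/ca.pem", prefix);
		snprintf(ath, sizeof(ath), "%s_peap8021xca", prefix);
		/* Without a CA the server certificate goes unverified. */
		if (!nvram_match(ath, "")) {
			write_nvram(psk, ath);
			fprintf(fp, "\tca_cert=\"/tmp/%s/ca.pem\"\n", prefix);
		}
		supplicant_write_eap_extras(fp, prefix, "peap");
	}

	if (nvram_prefix_match("8021xtype", prefix, "ttls")) {
		fprintf(fp, "\tkey_mgmt=WPA-EAP\n");
		fprintf(fp, "\teap=TTLS\n");
		fprintf(fp, "\tpairwise=CCMP TKIP\n");
		fprintf(fp, "\tgroup=CCMP TKIP\n");
		fprintf(fp, "\tidentity=\"%s\"\n", nvram_prefix_get("ttls8021xuser", prefix));
		fprintf(fp, "\tpassword=\"%s\"\n", nvram_prefix_get("ttls8021xpasswd", prefix));
		if (strlen(nvram_nget("%s_ttls8021xca", prefix)) > 0) {
			snprintf(psk, sizeof(psk), "/tmp/%s", prefix);
			mkdir(psk, 0700);
			snprintf(psk, sizeof(psk), "/tmp/%s/ca.pem", prefix);
			snprintf(ath, sizeof(ath), "%s_ttls8021xca", prefix);
			write_nvram(psk, ath);
			fprintf(fp, "\tca_cert=\"/tmp/%s/ca.pem\"\n", prefix);
		}
		supplicant_write_eap_extras(fp, prefix, "ttls");
	}

	if (nvram_prefix_match("8021xtype", prefix, "leap")) {
		fprintf(fp, "\tkey_mgmt=WPA-EAP\n");
		fprintf(fp, "\teap=LEAP\n");
		fprintf(fp, "\tauth_alg=LEAP\n");
		fprintf(fp, "\tproto=WPA RSN\n");
		fprintf(fp, "\tpairwise=CCMP TKIP\n");
		fprintf(fp, "\tgroup=CCMP TKIP\n");
		fprintf(fp, "\tidentity=\"%s\"\n", nvram_prefix_get("leap8021xuser", prefix));
		fprintf(fp, "\tpassword=\"%s\"\n", nvram_prefix_get("leap8021xpasswd", prefix));
		supplicant_write_eap_extras(fp, prefix, "leap");
	}

	fprintf(fp, "}\n");
	fclose(fp);
	/* The config carries passwords / the key passphrase in clear text. */
	chmod(fstr, 0600);

	snprintf(psk, sizeof(psk), "-i%s", getRADev(prefix));
	snprintf(bvar, sizeof(bvar), "%s_bridged", prefix);
	/* In bridged station modes the supplicant must see the bridge, not the radio. */
	if (nvram_match(bvar, "1") && (nvram_match(wmode, "wdssta") || nvram_match(wmode, "wet")))
		eval("wpa_supplicant", "-b", nvram_safe_get("lan_ifname"), "-B", "-Dralink", psk, "-c", fstr);
	else
		eval("wpa_supplicant", "-B", "-Dralink", psk, "-c", fstr);
}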
// Pthread wrappers for entry points void *whoop_wrapper_write_nvram(void* args) { write_nvram(whoop_file_0, whoop_buf, whoop_int, whoop_loff_t); return NULL; }
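/*
 * Emit the optional lines shared by every EAP flavour: phase2,
 * anonymous_identity and the free-form "additional options" blob.
 * eaptype is the NVRAM infix ("tls", "peap", "ttls", "leap"), so the keys
 * consulted are <prefix>_<eaptype>8021xphase2 / ...8021xanon / ...8021xaddopt.
 */
static void supplicant_write_eap_extras(FILE *fp, const char *prefix, const char *eaptype)
{
	char key[64];

	snprintf(key, sizeof(key), "%s_%s8021xphase2", prefix, eaptype);
	if (strlen(nvram_nget("%s", key)) > 0)
		fprintf(fp, "\tphase2=\"%s\"\n", nvram_nget("%s", key));

	snprintf(key, sizeof(key), "%s_%s8021xanon", prefix, eaptype);
	if (strlen(nvram_nget("%s", key)) > 0)
		fprintf(fp, "\tanonymous_identity=\"%s\"\n", nvram_nget("%s", key));

	snprintf(key, sizeof(key), "%s_%s8021xaddopt", prefix, eaptype);
	if (strlen(nvram_nget("%s", key)) > 0) {
		fprintf(fp, "\t");	/* the blob is copied verbatim; indent its first line */
		fwritenvram(key, fp);
		fprintf(fp, "\n");	/* make sure the closing brace ends up on its own line */
	}
}

/*
 * Fill buf with the "-i<ifname>" argument for wpa_supplicant.  wl0 and wl1
 * are mapped through their *_ifname NVRAM entries; any other prefix is the
 * interface name itself.
 */
static void supplicant_ifarg(char *buf, size_t len, const char *prefix)
{
	if (!strcmp(prefix, "wl0"))
		snprintf(buf, len, "-i%s", nvram_safe_get("wl0_ifname"));
	else if (!strcmp(prefix, "wl1"))
		snprintf(buf, len, "-i%s", nvram_safe_get("wl1_ifname"));
	else
		snprintf(buf, len, "-i%s", prefix);
}

/*
 * Configure station-side security for one radio (wext driver variant):
 *  - "wep":        program up to four WEP keys with iwconfig;
 *  - "psk"/"psk2"/"psk psk2": write a WPA-PSK wpa_supplicant config and start it;
 *  - "8021X":      write an EAP (TLS/PEAP/TTLS/LEAP) config and start it;
 *  - anything else: switch encryption off.
 *
 * prefix: NVRAM prefix of the radio (e.g. "wl0").  It names the config file
 *         /tmp/<prefix>_wpa_supplicant.conf and the certificate directory
 *         /tmp/<prefix>/.
 *
 * Fixes over the previous version: wpaOpts was declared as an array of 40
 * pointers and sprintf'ed into as if it were a char buffer; fopen() was never
 * checked for NULL; name buffers (16/8 bytes) were filled with unbounded
 * sprintf(); and neither the config files (which carry the PSK, passwords
 * or the key passphrase in clear text) nor the private key were chmod'ed.
 */
void setupSupplicant(char *prefix)
{
	char akm[32];
	char wmode[32];

	snprintf(akm, sizeof(akm), "%s_akm", prefix);
	snprintf(wmode, sizeof(wmode), "%s_mode", prefix);

	if (nvram_match(akm, "wep")) {
		char key[32];
		char bul[16];
		int cnt = 1;
		int i;

		/* Keys are renumbered consecutively: empty slots are skipped. */
		for (i = 1; i < 5; i++) {
			snprintf(key, sizeof(key), "%s_key%d", prefix, i);
			char *athkey = nvram_safe_get(key);
			if (athkey != NULL && strlen(athkey) > 0) {
				snprintf(bul, sizeof(bul), "[%d]", cnt++);
				eval("iwconfig", prefix, "key", bul, athkey);
			}
		}
		/* Select the active (default TX) key. */
		snprintf(key, sizeof(key), "%s_key", prefix);
		snprintf(bul, sizeof(bul), "[%s]", nvram_safe_get(key));
		eval("iwconfig", prefix, "key", bul);
	} else if (nvram_match(akm, "psk") || nvram_match(akm, "psk2") || nvram_match(akm, "psk psk2")) {
		char fstr[64];
		char psk[64];
		FILE *fp;

		snprintf(fstr, sizeof(fstr), "/tmp/%s_wpa_supplicant.conf", prefix);
		fp = fopen(fstr, "wb");
		if (fp == NULL)
			return;
#ifdef HAVE_MAKSAT
		fprintf(fp, "ap_scan=1\n");
#elif HAVE_NEWMEDIA
		fprintf(fp, "ap_scan=1\n");
#else
		fprintf(fp, "ap_scan=2\n");
#endif
		fprintf(fp, "fast_reauth=1\n");
		fprintf(fp, "eapol_version=1\n");
		fprintf(fp, "network={\n");
		snprintf(psk, sizeof(psk), "%s_ssid", prefix);
		fprintf(fp, "\tssid=\"%s\"\n", nvram_safe_get(psk));
		fprintf(fp, "\tscan_ssid=1\n");
		fprintf(fp, "\tkey_mgmt=WPA-PSK\n");
		snprintf(psk, sizeof(psk), "%s_crypto", prefix);
		if (nvram_match(psk, "aes")) {
			/* group TKIP is still allowed with AES pairwise for mixed-mode APs */
			fprintf(fp, "\tpairwise=CCMP\n");
			fprintf(fp, "\tgroup=CCMP TKIP\n");
		}
		if (nvram_match(psk, "tkip")) {
			fprintf(fp, "\tpairwise=TKIP\n");
			fprintf(fp, "\tgroup=TKIP\n");
		}
		if (nvram_match(psk, "tkip+aes")) {
			fprintf(fp, "\tpairwise=CCMP TKIP\n");
			fprintf(fp, "\tgroup=CCMP TKIP\n");
		}
		if (nvram_match(akm, "psk"))
			fprintf(fp, "\tproto=WPA\n");
		if (nvram_match(akm, "psk2"))
			fprintf(fp, "\tproto=RSN\n");
		if (nvram_match(akm, "psk psk2"))
			fprintf(fp, "\tproto=WPA RSN\n");
		snprintf(psk, sizeof(psk), "%s_wpa_psk", prefix);
		fprintf(fp, "\tpsk=\"%s\"\n", nvram_safe_get(psk));
		fprintf(fp, "}\n");
		fclose(fp);
		chmod(fstr, 0600);	/* holds the pre-shared key in clear text */

		supplicant_ifarg(psk, sizeof(psk), prefix);
		if (nvram_match(wmode, "wdssta") || nvram_match(wmode, "wet"))
			eval("wpa_supplicant", "-b", getBridge(prefix), "-B", "-Dwext", psk, "-c", fstr);
		else
			eval("wpa_supplicant", "-B", "-Dwext", psk, "-c", fstr);
	} else if (nvram_match(akm, "8021X")) {
		char fstr[64];
		char psk[64];
		char ath[64];
		char bvar[32];
		FILE *fp;

		snprintf(fstr, sizeof(fstr), "/tmp/%s_wpa_supplicant.conf", prefix);
		fp = fopen(fstr, "wb");
		if (fp == NULL)
			return;
		fprintf(fp, "ap_scan=1\n");
		fprintf(fp, "fast_reauth=1\n");
		fprintf(fp, "eapol_version=1\n");
		fprintf(fp, "network={\n");
		snprintf(psk, sizeof(psk), "%s_ssid", prefix);
		fprintf(fp, "\tssid=\"%s\"\n", nvram_safe_get(psk));
		fprintf(fp, "\tscan_ssid=1\n");

		if (nvram_prefix_match("8021xtype", prefix, "tls")) {
			/* Key exchange defaults to "wep" (plain IEEE8021X without WPA
			 * pairwise/group suites) when nothing is configured. */
			char *keyExchng = nvram_nget("%s_tls8021xkeyxchng", prefix);
			const char *wpaOpts = "";

			if (strlen(keyExchng) == 0)
				nvram_nset("wep", "%s_tls8021xkeyxchng", prefix);
			keyExchng = nvram_nget("%s_tls8021xkeyxchng", prefix);
			if (strcmp("wpa2", keyExchng) == 0)
				wpaOpts = "\tpairwise=CCMP\n\tgroup=CCMP\n";
			if (strcmp("wpa2mixed", keyExchng) == 0)
				wpaOpts = "\tpairwise=CCMP TKIP\n\tgroup=CCMP TKIP\n";
			if (strcmp("wpa", keyExchng) == 0)
				wpaOpts = "\tpairwise=TKIP\n\tgroup=TKIP\n";
			fprintf(fp, "\tkey_mgmt=%s\n%s", (wpaOpts[0] == '\0' ? "IEEE8021X" : "WPA-EAP"), wpaOpts);
			fprintf(fp, "\teap=TLS\n");
			fprintf(fp, "\tidentity=\"%s\"\n", nvram_prefix_get("tls8021xuser", prefix));

			snprintf(psk, sizeof(psk), "/tmp/%s", prefix);
			mkdir(psk, 0700);
			snprintf(psk, sizeof(psk), "/tmp/%s/ca.pem", prefix);
			snprintf(ath, sizeof(ath), "%s_tls8021xca", prefix);
			write_nvram(psk, ath);
			snprintf(psk, sizeof(psk), "/tmp/%s/user.pem", prefix);
			snprintf(ath, sizeof(ath), "%s_tls8021xpem", prefix);
			write_nvram(psk, ath);
			snprintf(psk, sizeof(psk), "/tmp/%s/user.prv", prefix);
			snprintf(ath, sizeof(ath), "%s_tls8021xprv", prefix);
			write_nvram(psk, ath);
			chmod(psk, 0600);	/* client private key */
			fprintf(fp, "\tca_cert=/tmp/%s/ca.pem\n", prefix);
			fprintf(fp, "\tclient_cert=/tmp/%s/user.pem\n", prefix);
			fprintf(fp, "\tprivate_key=/tmp/%s/user.prv\n", prefix);
			fprintf(fp, "\tprivate_key_passwd=\"%s\"\n", nvram_prefix_get("tls8021xpasswd", prefix));
			fprintf(fp, "\teapol_flags=3\n");
			supplicant_write_eap_extras(fp, prefix, "tls");
		}

		if (nvram_prefix_match("8021xtype", prefix, "peap")) {
			fprintf(fp, "\tkey_mgmt=WPA-EAP\n");
			fprintf(fp, "\teap=PEAP\n");
			fprintf(fp, "\tpairwise=CCMP TKIP\n");
			fprintf(fp, "\tgroup=CCMP TKIP\n");
			fprintf(fp, "\tphase1=\"peapver=0\"\n");
			fprintf(fp, "\tidentity=\"%s\"\n", nvram_prefix_get("peap8021xuser", prefix));
			fprintf(fp, "\tpassword=\"%s\"\n", nvram_prefix_get("peap8021xpasswd", prefix));
			snprintf(psk, sizeof(psk), "/tmp/%s", prefix);
			mkdir(psk, 0700);
			snprintf(psk, sizeof(psk), "/tmp/%s/ca.pem", prefix);
			snprintf(ath, sizeof(ath), "%s_peap8021xca", prefix);
			/* Without a CA the server certificate goes unverified. */
			if (!nvram_match(ath, "")) {
				write_nvram(psk, ath);
				fprintf(fp, "\tca_cert=\"/tmp/%s/ca.pem\"\n", prefix);
			}
			supplicant_write_eap_extras(fp, prefix, "peap");
		}

		if (nvram_prefix_match("8021xtype", prefix, "ttls")) {
			fprintf(fp, "\tkey_mgmt=WPA-EAP\n");
			fprintf(fp, "\teap=TTLS\n");
			fprintf(fp, "\tpairwise=CCMP TKIP\n");
			fprintf(fp, "\tgroup=CCMP TKIP\n");
			fprintf(fp, "\tidentity=\"%s\"\n", nvram_prefix_get("ttls8021xuser", prefix));
			fprintf(fp, "\tpassword=\"%s\"\n", nvram_prefix_get("ttls8021xpasswd", prefix));
			if (strlen(nvram_nget("%s_ttls8021xca", prefix)) > 0) {
				snprintf(psk, sizeof(psk), "/tmp/%s", prefix);
				mkdir(psk, 0700);
				snprintf(psk, sizeof(psk), "/tmp/%s/ca.pem", prefix);
				snprintf(ath, sizeof(ath), "%s_ttls8021xca", prefix);
				write_nvram(psk, ath);
				fprintf(fp, "\tca_cert=\"/tmp/%s/ca.pem\"\n", prefix);
			}
			supplicant_write_eap_extras(fp, prefix, "ttls");
		}

		if (nvram_prefix_match("8021xtype", prefix, "leap")) {
			fprintf(fp, "\tkey_mgmt=WPA-EAP\n");
			fprintf(fp, "\teap=LEAP\n");
			fprintf(fp, "\tauth_alg=LEAP\n");
			fprintf(fp, "\tproto=WPA RSN\n");
			fprintf(fp, "\tpairwise=CCMP TKIP\n");
			fprintf(fp, "\tgroup=CCMP TKIP\n");
			fprintf(fp, "\tidentity=\"%s\"\n", nvram_prefix_get("leap8021xuser", prefix));
			fprintf(fp, "\tpassword=\"%s\"\n", nvram_prefix_get("leap8021xpasswd", prefix));
			supplicant_write_eap_extras(fp, prefix, "leap");
		}

		fprintf(fp, "}\n");
		fclose(fp);
		chmod(fstr, 0600);	/* holds passwords / the key passphrase in clear text */

		supplicant_ifarg(psk, sizeof(psk), prefix);
		snprintf(bvar, sizeof(bvar), "%s_bridged", prefix);
		/* In bridged station modes the supplicant must see the bridge, not the radio. */
		if (nvram_match(bvar, "1") && (nvram_match(wmode, "wdssta") || nvram_match(wmode, "wet")))
			eval("wpa_supplicant", "-b", nvram_safe_get("lan_ifname"), "-B", "-Dwext", psk, "-c", fstr);
		else
			eval("wpa_supplicant", "-B", "-Dwext", psk, "-c", fstr);
	} else {
		eval("iwconfig", prefix, "key", "off");
	}
}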