/*
 * Configure native (non-tunnelled) IPv6 on wan_ifname for WAN unit `unit`.
 *
 * Returns 1 when radvd should be reloaded right away and 0 when the reload
 * is deferred (ip6_lan_auto=1 with a dynamic WAN — presumably because the
 * LAN prefix only becomes known once dhcp6c has run; confirm against the
 * dhcp6c script).
 */
static int wan6_up_native(char *wan_ifname, int unit, int ipv6_type)
{
	int allow_ra;

	control_if_ipv6_dad(wan_ifname, 1);

	if (ipv6_type == IPV6_NATIVE_STATIC) {
		char *addr6 = get_wan_unit_value(unit, "addr6");
		char *gate6 = get_wan_unit_value(unit, "gate6");

		control_if_ipv6_privacy(wan_ifname, 0);
		control_if_ipv6_radv(wan_ifname, 0);
		clear_if_addr6(wan_ifname);

		/* NOTE(review): addr6/gate6 are stored WAN settings that end up on a
		 * doSystem() command line unmodified; confirm they are validated as
		 * IPv6 literals where they are saved. */
		if (*addr6)
			doSystem("ip -6 addr add %s dev %s", addr6, wan_ifname);
		if (*gate6) {
			/* on-link route to the gateway first, then the default via it */
			doSystem("ip -6 route add %s dev %s", gate6, wan_ifname);
			doSystem("ip -6 route add default via %s metric %d", gate6, 1);
		}
		return 1;
	}

	/* dynamic WAN: SLAAC (RA) and/or DHCPv6 */
	doSystem("ip -6 route add default dev %s metric %d", wan_ifname, 2048);
	allow_ra = nvram_invmatch("ip6_wan_dhcp", "1");
	control_if_ipv6_privacy(wan_ifname, allow_ra && nvram_match("ip6_wan_priv", "1"));
	control_if_ipv6_autoconf(wan_ifname, allow_ra);
	control_if_ipv6_radv(wan_ifname, 1);
	/* wait for interface ready */
	sleep(2);
	start_dhcp6c(wan_ifname);

	return nvram_match("ip6_lan_auto", "1") ? 0 : 1;
}

/*
 * Bring up IPv6 on the WAN side for WAN unit `unit` on interface wan_ifname.
 *
 * Does nothing when IPv6 is disabled. Otherwise stops any running dhcp6c,
 * rebuilds the DNSv6 variables, then either starts the SIT tunnel (6in4,
 * 6to4, 6rd) or configures native static/dynamic IPv6 on the interface, and
 * finally reloads radvd unless that is deferred until dhcp6c has finished.
 */
void wan6_up(char *wan_ifname, int unit)
{
	int ipv6_type = get_ipv6_type();
	int radvd_now = 1;
	char *wan_addr4, *wan_addr6;

	if (ipv6_type == IPV6_DISABLED)
		return;

	stop_dhcp6c();
	build_dns6_var();
	control_if_ipv6_dad(IFNAME_BR, 1);

	switch (ipv6_type) {
	case IPV6_6IN4:
	case IPV6_6TO4:
	case IPV6_6RD:
		/* tunnelled: the SIT interface carries IPv6, not wan_ifname */
		wan_addr4 = get_wan_unit_value(unit, "ipaddr");
		wan_addr6 = get_wan_unit_value(unit, "addr6");
		start_sit_tunnel(ipv6_type, wan_addr4, wan_addr6);
		break;
	default:
		radvd_now = wan6_up_native(wan_ifname, unit, ipv6_type);
		break;
	}

	if (radvd_now)
		reload_radvd();
}
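/*
 * Store a new WAN DNSv6 resolver string for WAN unit 0 if it differs from
 * the currently stored "dns6" value.
 *
 * dns6_new: resolver string as received (may be NULL). The buffer size
 *           suggests up to three textual IPv6 addresses; anything longer is
 *           truncated by the bounded copy — confirm the expected format
 *           against the caller.
 * Returns 1 when the stored value was replaced, 0 when the input is NULL or
 * empty after trimming, or when the value is unchanged.
 */
int store_wan_dns6(char *dns6_new)
{
	char dns6s[INET6_ADDRSTRLEN*3+8] = {0};
	char *dns6_old;

	if (!dns6_new)
		return 0;

	/* bounded copy, always NUL-terminated */
	snprintf(dns6s, sizeof(dns6s), "%s", dns6_new);
	trim_r(dns6s);

	if (!(*dns6s))
		return 0;

	dns6_old = get_wan_unit_value(0, "dns6");
	/* guard strcmp() against a NULL lookup result (UB otherwise); with
	 * nothing stored yet the new value is simply written */
	if (!dns6_old || strcmp(dns6s, dns6_old) != 0) {
		set_wan_unit_value(0, "dns6", dns6s);
		return 1;
	}

	return 0;
}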
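/*
 * Return 1 when cn can be embedded in the single-quoted shell argument built
 * in ovpn_server_expcli_main(). A quote character would end the quoting and
 * control bytes have no business in a certificate name, so both are rejected.
 */
static int ovpn_common_name_is_safe(const char *cn)
{
	for (; *cn; cn++) {
		unsigned char c = (unsigned char)*cn;
		if (c < 0x20 || c == 0x7f || c == '\'')
			return 0;
	}
	return 1;
}

/*
 * Export an OpenVPN client profile for the built-in server.
 *
 * argv[1]: common name of the client certificate (required).
 * argv[2]: RSA key size in bits, optional; values below 1024 are ignored.
 *          1024 is the historical default here and is weak by current
 *          guidance, so callers should pass a larger size.
 * argv[3]: certificate validity in days, optional (default 365).
 *
 * Generates the client cert/key with /usr/bin/openvpn-cert.sh into a
 * temporary directory, writes /tmp/client.ovpn (mode 0600) embedding the CA
 * cert, the client cert/key and, when vpns_ov_atls is set, the tls-auth key,
 * then removes the temporary directory.
 * Returns 0 on success, 1 on any error (message printed to stdout).
 */
int
ovpn_server_expcli_main(int argc, char **argv)
{
	FILE *fp;
	int i, i_atls, rsa_bits, days_valid, v;
	char *wan_addr;
	mode_t old_mask;
	const char *tmp_ovpn_path = "/tmp/export_ovpn";
	const char *tmp_ovpn_conf = "/tmp/client.ovpn";

	if (argc < 2 || strlen(argv[1]) < 1) {
		printf("Usage: %s common_name [rsa_bits] [days_valid]\n", argv[0]);
		return 1;
	}

	/* common_name is interpolated into a shell command line below:
	 * refuse anything that could escape the single quotes */
	if (!ovpn_common_name_is_safe(argv[1])) {
		printf("Error: common_name contains invalid characters\n");
		return 1;
	}

	rsa_bits = 1024;
	if (argc > 2) {
		v = atoi(argv[2]);
		if (v >= 1024)
			rsa_bits = v;
	}

	days_valid = 365;
	if (argc > 3) {
		v = atoi(argv[3]);
		if (v > 0)
			days_valid = v;
	}

	i_atls = nvram_get_int("vpns_ov_atls");

	/* every server file must exist; index 4 (tls-auth key) only when enabled */
	for (i = 0; i < 5; i++) {
		if (!i_atls && (i == 4))
			continue;
		if (!openvpn_check_key(openvpn_server_keys[i], 1)) {
			printf("Error: server file %s is not found\n", openvpn_server_keys[i]);
			return 1;
		}
	}

	/* Generate client cert and key */
	doSystem("rm -rf %s", tmp_ovpn_path);
	setenv("CRT_PATH_CLI", tmp_ovpn_path, 1);
	doSystem("/usr/bin/openvpn-cert.sh %s -n '%s' -b %d -d %d", "client", argv[1], rsa_bits, days_valid);
	unsetenv("CRT_PATH_CLI");

	/* the profile embeds the client private key: create it 0600 from the
	 * start rather than only after the chmod() that follows unix2dos */
	old_mask = umask(077);
	fp = fopen(tmp_ovpn_conf, "w+");
	umask(old_mask);
	if (!fp) {
		doSystem("rm -rf %s", tmp_ovpn_path);
		printf("Error: unable to create file %s\n", tmp_ovpn_conf);
		return 1;
	}

	/* "remote": DDNS name, else the WAN IPv4 address, else a placeholder
	 * for the user to fill in */
	wan_addr = get_ddns_fqdn();
	if (!wan_addr) {
		wan_addr = get_wan_unit_value(0, "ipaddr");
		if (!is_valid_ipv4(wan_addr))
			wan_addr = NULL;
	}

	if (!wan_addr)
		wan_addr = "{wan_address}";

	fprintf(fp, "client\n");
	fprintf(fp, "dev %s\n", (nvram_get_int("vpns_ov_mode") == 1) ? "tun" : "tap");
	fprintf(fp, "proto %s\n", (nvram_get_int("vpns_ov_prot") > 0) ? "tcp-client" : "udp");
	fprintf(fp, "remote %s %d\n", wan_addr, nvram_safe_get_int("vpns_ov_port", 1194, 1, 65535));
	fprintf(fp, "resolv-retry %s\n", "infinite");
	fprintf(fp, "nobind\n");
	fprintf(fp, "persist-key\n");
	fprintf(fp, "persist-tun\n");
	openvpn_add_auth(fp, nvram_get_int("vpns_ov_mdig"));
	openvpn_add_cipher(fp, nvram_get_int("vpns_ov_ciph"));
	openvpn_add_lzo(fp, nvram_get_int("vpns_ov_clzo"), 0);
	fprintf(fp, "nice %d\n", 0);
	fprintf(fp, "verb %d\n", 3);
	fprintf(fp, "mute %d\n", 10);
	fprintf(fp, ";ns-cert-type %s\n", "server");
	openvpn_add_key(fp, SERVER_CERT_DIR, openvpn_server_keys[0], "ca");
	openvpn_add_key(fp, tmp_ovpn_path, openvpn_client_keys[1], "cert");
	openvpn_add_key(fp, tmp_ovpn_path, openvpn_client_keys[2], "key");
	if (i_atls) {
		openvpn_add_key(fp, SERVER_CERT_DIR, openvpn_server_keys[4], "tls-auth");
		fprintf(fp, "key-direction %d\n", 1);
	}

	/* fclose() flushes: a failure here means a truncated profile, so do not
	 * hand a half-written key file to the user */
	if (fclose(fp) != 0) {
		remove(tmp_ovpn_conf);
		doSystem("rm -rf %s", tmp_ovpn_path);
		printf("Error: unable to write file %s\n", tmp_ovpn_conf);
		return 1;
	}

	doSystem("rm -rf %s", tmp_ovpn_path);

	/* unix2dos may recreate the file, so re-apply the restrictive mode */
	doSystem("unix2dos %s", tmp_ovpn_conf);
	chmod(tmp_ovpn_conf, 0600);

	return 0;
}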
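/*
 * Start IEEE 802.1X (EAPoL) authentication on the WAN interface.
 *
 * ifname:   WAN interface to authenticate on.
 * unit:     WAN unit whose "auth_user"/"auth_pass" values are used.
 * eap_algo: EAP method selector. With SUPPORT_PEAP_SSL built in, 5 = PEAP
 *           (MSCHAPv2 inner), 1..4 = TTLS with PAP/CHAP/MSCHAP/MSCHAPv2
 *           inner auth respectively; anything else (and every value
 *           without SUPPORT_PEAP_SSL) = EAP-MD5.
 *
 * Writes /etc/wpa_supplicant.conf, then launches wpa_supplicant and a
 * wpa_cli instance that runs SCRIPT_WPACLI_WAN as its action script.
 * Returns the _eval() result for wpa_supplicant (0 on success), or -1 when
 * the config file could not be written.
 */
int start_auth_eapol(char *ifname, int unit, int eap_algo)
{
	FILE *fp;
	int ret;
	const char *wpa_conf = "/etc/wpa_supplicant.conf";
	char *eap_type = "MD5";
	char *log_prefix = "EAPoL-MD5";
	char *wpa_argv[] = {"/usr/sbin/wpa_supplicant",
		"-B", "-W",
		"-D", "wired",
		"-i", ifname,
		"-c", (char *)wpa_conf,
		NULL
	};

	char *cli_argv[] = {"/usr/sbin/wpa_cli",
		"-B",
		"-i", ifname,
		"-a", SCRIPT_WPACLI_WAN,
		NULL
	};

	stop_auth_eapol();

	/* Generate options file.
	 * NOTE(review): it carries the plaintext auth_pass and is created with
	 * the process umask; confirm the resulting mode is restrictive enough. */
	if ((fp = fopen(wpa_conf, "w")) == NULL) {
		perror(wpa_conf);
		return -1;
	}

#if defined(SUPPORT_PEAP_SSL)
	if (eap_algo == 5) {
		eap_type = "PEAP";
		log_prefix = "EAPoL-PEAP";
	} else if (eap_algo >= 1 && eap_algo <= 4) {
		eap_type = "TTLS";
		log_prefix = "EAPoL-TTLS";
	}
#endif

	/* auth_user/auth_pass are written verbatim inside double quotes; a '"'
	 * in either would break the config syntax — TODO escape or reject */
	fprintf(fp,
		"ctrl_interface=/var/run/wpa_supplicant\n"
		"ap_scan=0\n"
		"fast_reauth=1\n"
		"network={\n"
		"	key_mgmt=IEEE8021X\n"
		"	eap=%s\n"
		"	identity=\"%s\"\n"
		"	password=\"%s\"\n"
		,
		eap_type,
		get_wan_unit_value(unit, "auth_user"),
		get_wan_unit_value(unit, "auth_pass"));

#if defined(SUPPORT_PEAP_SSL)
	if (eap_algo == 5) {
		fprintf(fp,
			"	phase1=\"peaplabel=0\"\n"
			"	phase2=\"auth=%s\"\n", "MSCHAPV2");
	} else if (eap_algo >= 1 && eap_algo <= 4) {
		/* inner (phase 2) method for TTLS; 4 keeps the MSCHAPV2 default */
		char *phase2_auth = "MSCHAPV2";
		if (eap_algo == 1)
			phase2_auth = "PAP";
		else if (eap_algo == 2)
			phase2_auth = "CHAP";
		else if (eap_algo == 3)
			phase2_auth = "MSCHAP";
		fprintf(fp,
			"	anonymous_identity=\"anonymous\"\n"
			"	phase2=\"auth=%s\"\n", phase2_auth);
	}
#endif
	fprintf(fp,
		"	eapol_flags=0\n"
		"}\n");

	/* fclose() flushes; a write error would leave a truncated config, so
	 * report it instead of starting the supplicant on garbage */
	if (fclose(fp) != 0) {
		perror(wpa_conf);
		return -1;
	}

	/* Start wpa_supplicant */
	ret = _eval(wpa_argv, NULL, 0, NULL);
	if (ret == 0) {
		logmessage(log_prefix, "Start authentication...");

		_eval(cli_argv, NULL, 0, NULL);
	}

	return ret;
}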
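/*
 * Append "/<plen>" to the textual address already in buf (capacity cap).
 * Replaces the sprintf(buf, "%s/%d", buf, ...) pattern, whose overlapping
 * source and destination is undefined behaviour.
 */
static void sit_append_plen(char *buf, size_t cap, int plen)
{
	size_t len = strlen(buf);

	if (len < cap)
		snprintf(buf + len, cap - len, "/%d", plen);
}

/*
 * Bring up the SIT (IPv6-in-IPv4) tunnel interface IFNAME_SIT for a 6in4,
 * 6to4 or 6rd WAN.
 *
 * ipv6_type: IPV6_6IN4, IPV6_6TO4 or IPV6_6RD.
 * wan_addr4: WAN IPv4 address used as the tunnel's local endpoint; the
 *            function returns without doing anything if it does not parse.
 * wan_addr6: configured WAN IPv6 address, optionally with a prefix length
 *            (used directly for 6in4, as the 6rd prefix source for 6rd).
 *
 * Side effects: (re)creates the tunnel with "ip tunnel", assigns the WAN
 * IPv6 address and default route on IFNAME_SIT and, for 6to4/6rd, derives
 * the LAN /64, assigns it to IFNAME_BR and stores it via store_lan_addr6().
 */
void start_sit_tunnel(int ipv6_type, char *wan_addr4, char *wan_addr6)
{
	int sit_ttl, sit_mtu, size4, size6;
	char *sit_remote, *sit_relay, *wan_gate6;
	/* textual IPv6 address plus room for a "/128" suffix */
	char addr6s[INET6_ADDRSTRLEN + 8] = "";
	struct in_addr addr4;
	struct in6_addr addr6;

	size4 = 0;
	addr4.s_addr = inet_addr_safe(wan_addr4);
	if (addr4.s_addr == INADDR_ANY)
		return; // cannot start SIT tunnel w/o IPv4 WAN addr

	/* clamp the nvram-supplied tunnel MTU/TTL to sane ranges */
	sit_mtu = nvram_get_int("ip6_sit_mtu");
	sit_ttl = nvram_get_int("ip6_sit_ttl");
	if (sit_mtu < 1280) sit_mtu = 1280;	/* IPv6 minimum link MTU */
	if (sit_ttl < 1) sit_ttl = 1;
	if (sit_ttl > 255) sit_ttl = 255;

	memset(&addr6, 0, sizeof(addr6));
	size6 = ipv6_from_string(wan_addr6, &addr6);
	if (size6 < 0) size6 = 0;

	sit_relay = "";
	sit_remote = "any";
	if (ipv6_type == IPV6_6IN4)
		sit_remote = nvram_safe_get("ip6_6in4_remote");

	if (is_interface_exist(IFNAME_SIT))
		doSystem("ip tunnel del %s", IFNAME_SIT);

	/* NOTE(review): sit_remote (and sit_relay below) are nvram/WAN settings
	 * placed on a doSystem() command line unmodified; confirm they are
	 * validated as IPv4 literals where they are stored. */
	doSystem("ip tunnel %s %s mode sit remote %s local %s ttl %d", "add", IFNAME_SIT, sit_remote, wan_addr4, sit_ttl);

	if (ipv6_type == IPV6_6TO4) {
		/* 6to4 WAN address: 2002:<wan4>::1 with a /16 prefix */
		size6 = 16;
		memset(&addr6, 0, sizeof(addr6));
		addr6.s6_addr16[0] = htons(0x2002);
		ipv6_to_ipv4_map(&addr6, size6, &addr4, 0);
		addr6.s6_addr16[7] = htons(0x0001);
		sit_relay = nvram_safe_get("ip6_6to4_relay");
	}
	else if (ipv6_type == IPV6_6RD) {
		struct in_addr net4;
		struct in6_addr net6;
		char sit_6rd_prefix[INET6_ADDRSTRLEN + 8] = "";
		char sit_6rd_relay_prefix[32];

		/* 6rd prefix = network part of the configured WAN IPv6 address */
		memcpy(&net6, &addr6, sizeof(addr6));
		ipv6_to_net(&net6, size6);
		inet_ntop(AF_INET6, &net6, sit_6rd_prefix, INET6_ADDRSTRLEN);
		sit_append_plen(sit_6rd_prefix, sizeof(sit_6rd_prefix), size6);

		strcpy(sit_6rd_relay_prefix, "0.0.0.0/0");
		size4 = get_wan_unit_value_int(0, "6rd_size");
		if (size4 > 0 && size4 <= 32) {
			/* keep the top size4 bits of the WAN IPv4 address; shift is 0..31 */
			net4.s_addr = addr4.s_addr & htonl(0xffffffffUL << (32 - size4));
			snprintf(sit_6rd_relay_prefix, sizeof(sit_6rd_relay_prefix), "%s/%d", inet_ntoa(net4), size4);
		}

		doSystem("ip tunnel 6rd dev %s 6rd-prefix %s 6rd-relay_prefix %s", IFNAME_SIT, sit_6rd_prefix, sit_6rd_relay_prefix);

		ipv6_to_ipv4_map(&addr6, size6, &addr4, size4);
		addr6.s6_addr16[7] = htons(0x0001);
		sit_relay = get_wan_unit_value(0, "6rd_relay");
	}

	// WAN IPv6 address
	inet_ntop(AF_INET6, &addr6, addr6s, INET6_ADDRSTRLEN);
	if (size6 > 0)
		sit_append_plen(addr6s, sizeof(addr6s), size6);

	control_if_ipv6_radv(IFNAME_SIT, 0);
	doSystem("ip link set mtu %d dev %s up", sit_mtu, IFNAME_SIT);
	control_if_ipv6(IFNAME_SIT, 1);
	clear_if_addr6(IFNAME_SIT);
	doSystem("ip -6 addr add %s dev %s", addr6s, IFNAME_SIT);

	/* WAN IPv6 gateway (auto-generate for 6to4/6rd) */
	if (ipv6_type == IPV6_6TO4 || ipv6_type == IPV6_6RD) {
		/* bounded: the relay value is a stored setting of unknown length */
		snprintf(addr6s, sizeof(addr6s), "::%s", sit_relay);
		wan_gate6 = addr6s;
		/* add direct default gateway for workaround "No route to host" on new kernel */
		doSystem("ip -6 route add default dev %s metric %d", IFNAME_SIT, 2048);
	}
	else {
		wan_gate6 = get_wan_unit_value(0, "gate6");
	}
	if (*wan_gate6)
		doSystem("ip -6 route add default via %s dev %s metric %d", wan_gate6, IFNAME_SIT, 1);

	/* LAN IPv6 address (auto-generate for 6to4/6rd) */
	if (ipv6_type == IPV6_6TO4 || ipv6_type == IPV6_6RD) {
		memset(&addr6, 0, sizeof(addr6));
		if (ipv6_type == IPV6_6TO4) {
			/* 2002:<wan4>:1::1 — subnet 1 of the 6to4 /48 */
			addr6.s6_addr16[0] = htons(0x2002);
			ipv6_to_ipv4_map(&addr6, 16, &addr4, 0);
			addr6.s6_addr16[3] = htons(0x0001);
			addr6.s6_addr16[7] = htons(0x0001);
		}
		else {
			ipv6_from_string(wan_addr6, &addr6);
			ipv6_to_ipv4_map(&addr6, size6, &addr4, size4);
			addr6.s6_addr16[7] = htons(0x0001);
		}

		inet_ntop(AF_INET6, &addr6, addr6s, INET6_ADDRSTRLEN);
		sit_append_plen(addr6s, sizeof(addr6s), 64);

		clear_if_addr6(IFNAME_BR);
		doSystem("ip -6 addr add %s dev %s", addr6s, IFNAME_BR);

		store_lan_addr6(addr6s);
	}
}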