summaryrefslogtreecommitdiff
path: root/app/openvpn/contrib
diff options
context:
space:
mode:
authorParménides GV <parmegv@sdf.org>2015-06-16 11:28:05 +0200
committerParménides GV <parmegv@sdf.org>2015-06-16 11:28:05 +0200
commit66c79953db6876ec17a7ebf50dc4fd07d24fae37 (patch)
tree67075abe6ea28f7fc7213f654b86464b13507058 /app/openvpn/contrib
parent1f41fec6765e49838141ad29151713c7ac3dd17c (diff)
parente533cf6939e3ea4233aa8a82812f8ce5fcb565ca (diff)
Merge branch 'develop'0.9.4
Diffstat (limited to 'app/openvpn/contrib')
-rw-r--r--app/openvpn/contrib/OCSP_check/OCSP_check.sh118
-rw-r--r--app/openvpn/contrib/README2
-rw-r--r--app/openvpn/contrib/openvpn-fwmarkroute-1.00/README44
-rwxr-xr-xapp/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down22
-rwxr-xr-xapp/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up49
-rw-r--r--app/openvpn/contrib/pull-resolv-conf/client.down47
-rw-r--r--app/openvpn/contrib/pull-resolv-conf/client.up101
7 files changed, 0 insertions, 383 deletions
diff --git a/app/openvpn/contrib/OCSP_check/OCSP_check.sh b/app/openvpn/contrib/OCSP_check/OCSP_check.sh
deleted file mode 100644
index 6876c6d8..00000000
--- a/app/openvpn/contrib/OCSP_check/OCSP_check.sh
+++ /dev/null
@@ -1,118 +0,0 @@
-#!/bin/sh
-
-# Sample script to perform OCSP queries with OpenSSL
-# given a certificate serial number.
-
-# If you run your own CA, you can set up a very simple
-# OCSP server using the -port option to "openssl ocsp".
-
-# Full documentation and examples:
-# http://www.openssl.org/docs/apps/ocsp.html
-
-
-# Edit the following values to suit your needs
-
-# OCSP responder URL (mandatory)
-# YOU MUST UNCOMMENT ONE OF THESE AND SET IT TO A VALID SERVER
-#ocsp_url="http://ocsp.example.com/"
-#ocsp_url="https://ocsp.secure.example.com/"
-
-# Path to issuer certificate (mandatory)
-# YOU MUST SET THIS TO THE PATH TO THE CA CERTIFICATE
-issuer="/path/to/CAcert.crt"
-
-# use a nonce in the query, set to "-no_nonce" to not use it
-nonce="-nonce"
-
-# Verify the response
-# YOU MUST SET THIS TO THE PATH TO THE RESPONSE VERIFICATION CERT
-verify="/path/to/CAcert.crt"
-
-# Depth in the certificate chain where the cert to verify is.
-# Set to -1 to run the verification at every level (NOTE that
-# in that case you need a more complex script as the various
-# parameters for the query will likely be different at each level)
-# "0" is the usual value here, where the client certificate is
-check_depth=0
-
-cur_depth=$1 # this is the *CURRENT* depth
-common_name=$2 # CN in case you need it
-
-# minimal sanity checks
-
-err=0
-if [ -z "$issuer" ] || [ ! -e "$issuer" ]; then
- echo "Error: issuer certificate undefined or not found!" >&2
- err=1
-fi
-
-if [ -z "$verify" ] || [ ! -e "$verify" ]; then
- echo "Error: verification certificate undefined or not found!" >&2
- err=1
-fi
-
-if [ -z "$ocsp_url" ]; then
- echo "Error: OCSP server URL not defined!" >&2
- err=1
-fi
-
-if [ $err -eq 1 ]; then
- echo "Did you forget to customize the variables in the script?" >&2
- exit 1
-fi
-
-# begin
-if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then
-
- eval serial="\$tls_serial_${cur_depth}"
-
- # To successfully complete, the following must happen:
- #
- # - The serial number must not be empty
- # - The exit status of "openssl ocsp" must be zero
- # - The output of the above command must contain the line
- # "${serial}: good"
- #
- # Everything else fails with exit status 1.
-
- if [ -n "$serial" ]; then
-
- # This is only an example; you are encouraged to run this command (without
- # redirections) manually against your or your CA's OCSP server to see how
- # it responds, and adapt accordingly.
- # Sample output that is assumed here:
- #
- # Response verify OK
- # 4287405: good
- # This Update: Apr 24 19:38:49 2010 GMT
- # Next Update: May 2 14:23:42 2010 GMT
- #
- # NOTE: It is needed to check the exit code of OpenSSL explicitly. OpenSSL
- # can in some circumstances give a "good" result if it could not
- # reach the the OSCP server. In this case, the exit code will indicate
- # if OpenSSL itself failed or not. If OpenSSL's exit code is not 0,
- # don't trust the OpenSSL status.
-
- status=$(openssl ocsp -issuer "$issuer" \
- "$nonce" \
- -CAfile "$verify" \
- -url "$ocsp_url" \
- -serial "${serial}" 2>&1)
-
- if [ $? -eq 0 ]; then
- # check if ocsp didn't report any errors
- if echo "$status" | grep -Eq "(error|fail)"; then
- exit 1
- fi
- # check that the reported status of certificate is ok
- if echo "$status" | grep -Fq "^${serial}: good"; then
- # check if signature on the OCSP response verified correctly
- if echo "$status" | grep -Fq "^Response verify OK"; then
- exit 0
- fi
- fi
- fi
- fi
- # if we get here, something was wrong
- exit 1
-fi
diff --git a/app/openvpn/contrib/README b/app/openvpn/contrib/README
deleted file mode 100644
index e1a57d0e..00000000
--- a/app/openvpn/contrib/README
+++ /dev/null
@@ -1,2 +0,0 @@
-This directory contains scripts and patches contributed
-by users.
diff --git a/app/openvpn/contrib/openvpn-fwmarkroute-1.00/README b/app/openvpn/contrib/openvpn-fwmarkroute-1.00/README
deleted file mode 100644
index 66fe61ad..00000000
--- a/app/openvpn/contrib/openvpn-fwmarkroute-1.00/README
+++ /dev/null
@@ -1,44 +0,0 @@
-OpenVPN fwmark Routing
-Sean Reifschneider, <jafo@tummy.com>
-Thursday November 27, 2003
-==========================
-
-These scripts can be used with OpenVPN up and down scripts to set up
-routing on a Linux system such that the VPN traffic is sent via normal
-network connectivity, but other traffic to that network runs over the VPN.
-The idea is to allow encryption of data to the network the remote host is
-on, without interfering with the VPN traffic. You can't simply add a route
-to the remote network, becaues that will cause the VPN traffic to also try
-to run over the VPN, and breaks the VPN.
-
-These scripts use the Linux "fwmark" iptables rules to specify routing
-based not only on IP address, but also by port and protocol. This allows
-you to effectively say "if the packet is to this IP address on this port
-using this protocol, then use the normal default gateway, otherwise use the
-VPN gateway.
-
-This is set up on the client VPN system, not the VPN server. These scripts
-also set up all ICMP echo-responses to run across the VPN. You can
-comment the lines in the scripts to disable this, but I find this useful
-at coffee shops which have networks that block ICMP.
-
-To configure this, you need to set up these scripts as your up and down
-scripts in the config file. You will need to set these values in the
-config file:
-
- up /etc/openvpn/fwmarkroute.up
- down /etc/openvpn/fwmarkroute.down
- up-restart
- up-delay
-
- setenv remote_netmask_bits 24
-
-Note: For this to work, you can't set the "user" or "group" config options,
-because then the scripts will not run as root.
-
-The last setting allows you to control the size of the network the remote
-system is on. The remote end has to be set up to route, probably with
-masquerading or NAT. The network this netmask relates to is calculated
-using the value of "remote" in the conf file.
-
-Sean
diff --git a/app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down b/app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down
deleted file mode 100755
index 87d67d4d..00000000
--- a/app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/sh
-#
-# Bring down vpn routing.
-
-# calculate the network address
-remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"`
-remote_network="${remote_network#*=}"
-
-# clear routing via VPN
-ip route del "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out
-ip route del table vpnonly.out via "$5"
-iptables -D OUTPUT -t mangle -p "$proto" \
- -d "$remote_network"/"$remote_netmask_bits" \
- --dport "$remote_port" -j ACCEPT
-iptables -D OUTPUT -t mangle -d "$remote" -j MARK --set-mark 2
-
-# undo the ICMP ping tunneling
-iptables -D OUTPUT -t mangle --protocol icmp --icmp-type echo-request \
- -j MARK --set-mark 3
-
-# flush route cache
-ip route flush cache
diff --git a/app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up b/app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up
deleted file mode 100755
index 661ec313..00000000
--- a/app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/bin/sh
-#
-# Bring up vpn routing.
-
-# calculate the network address
-remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"`
-remote_network="${remote_network#*=}"
-
-# add the stuff that doesn't change if it's not already there
-grep -q '^202 ' /etc/iproute2/rt_tables
-if [ "$?" -ne 0 ]
-then
- echo 202 vpn.out >> /etc/iproute2/rt_tables
-fi
-grep -q '^203 ' /etc/iproute2/rt_tables
-if [ "$?" -ne 0 ]
-then
- echo 203 vpnonly.out >> /etc/iproute2/rt_tables
-fi
-ip rule ls | grep -q 'lookup vpn.out *$'
-if [ "$?" -ne 0 ]
-then
- ip rule add fwmark 2 table vpn.out
-fi
-ip rule ls | grep -q 'lookup vpnonly.out *$'
-if [ "$?" -ne 0 ]
-then
- ip rule add fwmark 3 table vpnonly.out
-fi
-
-# route VPN traffic using the normal table
-iptables -A OUTPUT -t mangle -p "$proto" -d "$remote" --dport "$remote_port" \
- -j ACCEPT
-
-# route all other traffic to that host via VPN
-iptables -A OUTPUT -t mangle -d "$remote_network"/"$remote_netmask_bits" \
- -j MARK --set-mark 2
-
-# route all ICMP pings over the VPN
-iptables -A OUTPUT -t mangle --protocol icmp --icmp-type echo-request \
- -j MARK --set-mark 3
-
-# NAT traffic going over the VPN, so it doesn't have an unknown address
-iptables -t nat -A POSTROUTING -o "$1" -j SNAT --to-source "$4"
-
-# add routing commands
-ip route add "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out
-ip route add table vpnonly.out via "$5"
-ip route flush cache
diff --git a/app/openvpn/contrib/pull-resolv-conf/client.down b/app/openvpn/contrib/pull-resolv-conf/client.down
deleted file mode 100644
index 05f2d4d5..00000000
--- a/app/openvpn/contrib/pull-resolv-conf/client.down
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/bin/sh
-
-# Copyright (c) 2005-2010 OpenVPN Technologies, Inc.
-# Licensed under the GPL version 2
-
-# First version by Jesse Adelman
-# someone at boldandbusted dink com
-# http://www.boldandbusted.com/
-
-# PURPOSE: This script automatically removes the /etc/resolv.conf entries previously
-# set by the companion script "client.up".
-
-# INSTALL NOTES:
-# Place this in /etc/openvpn/client.down
-# Then, add the following to your /etc/openvpn/<clientconfig>.conf:
-# client
-# up /etc/openvpn/client.up
-# down /etc/openvpn/client.down
-# Next, "chmod a+x /etc/openvpn/client.down"
-
-# USAGE NOTES:
-# Note that this script is best served with the companion "client.up"
-# script.
-
-# Tested under Debian lenny with OpenVPN 2.1_rc11
-# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf
-
-# This runs with the context of the OpenVPN UID/GID
-# at the time of execution. This generally means that
-# the client "up" script will run fine, but the "down" script
-# will require the use of the OpenVPN "down-root" plugin
-# which is in the plugins/ directory of the OpenVPN source tree
-
-# A horrid work around, from a security perspective,
-# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have
-# been WARNED.
-PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
-
-if type resolvconf >/dev/null 2>&1; then
- resolvconf -d "${1}" -f
-elif [ -e /etc/resolv.conf.ovpnsave ] ; then
- # cp + rm rather than mv in case it's a symlink
- cp /etc/resolv.conf.ovpnsave /etc/resolv.conf
- rm -f /etc/resolv.conf.ovpnsave
-fi
-
-exit 0
diff --git a/app/openvpn/contrib/pull-resolv-conf/client.up b/app/openvpn/contrib/pull-resolv-conf/client.up
deleted file mode 100644
index b28d4d19..00000000
--- a/app/openvpn/contrib/pull-resolv-conf/client.up
+++ /dev/null
@@ -1,101 +0,0 @@
-#!/bin/sh
-
-# Copyright (c) 2005-2010 OpenVPN Technologies, Inc.
-# Licensed under the GPL version 2
-
-# First version by Jesse Adelman
-# someone at boldandbusted dink com
-# http://www.boldandbusted.com/
-
-# PURPOSE: This script automatically sets the proper /etc/resolv.conf entries
-# as pulled down from an OpenVPN server.
-
-# INSTALL NOTES:
-# Place this in /etc/openvpn/client.up
-# Then, add the following to your /etc/openvpn/<clientconfig>.conf:
-# client
-# up /etc/openvpn/client.up
-# Next, "chmod a+x /etc/openvpn/client.up"
-
-# USAGE NOTES:
-# Note that this script is best served with the companion "client.down"
-# script.
-
-# Tested under Debian lenny with OpenVPN 2.1_rc11
-# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf
-
-# This runs with the context of the OpenVPN UID/GID
-# at the time of execution. This generally means that
-# the client "up" script will run fine, but the "down" script
-# will require the use of the OpenVPN "down-root" plugin
-# which is in the plugins/ directory of the OpenVPN source tree
-
-# A horrid work around, from a security perspective,
-# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have
-# been WARNED.
-PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
-
-# init variables
-
-i=1
-domains=
-fopt=
-ndoms=0
-nns=0
-nl='
-'
-
-# $foreign_option_<n> is something like
-# "dhcp-option DOMAIN example.com" (multiple allowed)
-# or
-# "dhcp-option DNS 10.10.10.10" (multiple allowed)
-
-# each DNS option becomes a "nameserver" option in resolv.con
-# if we get one DOMAIN, that becomes "domain" in resolv.conf
-# if we get multiple DOMAINS, those become "search" lines in resolv.conf
-
-while true; do
- eval fopt=\$foreign_option_${i}
- [ -z "${fopt}" ] && break
-
- case ${fopt} in
- dhcp-option\ DOMAIN\ *)
- ndoms=$((ndoms + 1))
- domains="${domains} ${fopt#dhcp-option DOMAIN }"
- ;;
- dhcp-option\ DNS\ *)
- nns=$((nns + 1))
- if [ $nns -le 3 ]; then
- dns="${dns}${dns:+$nl}nameserver ${fopt#dhcp-option DNS }"
- else
- printf "%s\n" "Too many nameservers - ignoring after third" >&2
- fi
- ;;
- *)
- printf "%s\n" "Unknown option \"${fopt}\" - ignored" >&2
- ;;
- esac
- i=$((i + 1))
-done
-
-ds=domain
-if [ $ndoms -gt 1 ]; then
- ds=search
-fi
-
-# This is the complete file - "$domains" has a leading space already
-out="# resolv.conf autogenerated by ${0} (${1})${nl}${dns}${nl}${ds}${domains}"
-
-# use resolvconf if it's available
-if type resolvconf >/dev/null 2>&1; then
- printf "%s\n" "${out}" | resolvconf -p -a "${1}"
-else
- # Preserve the existing resolv.conf
- if [ -e /etc/resolv.conf ] ; then
- cp /etc/resolv.conf /etc/resolv.conf.ovpnsave
- fi
- printf "%s\n" "${out}" > /etc/resolv.conf
- chmod 644 /etc/resolv.conf
-fi
-
-exit 0