authorParménides GV <parmegv@sdf.org>2015-06-16 11:28:05 +0200
committerParménides GV <parmegv@sdf.org>2015-06-16 11:28:05 +0200
commit66c79953db6876ec17a7ebf50dc4fd07d24fae37 (patch)
tree67075abe6ea28f7fc7213f654b86464b13507058 /app/openvpn/contrib
parent1f41fec6765e49838141ad29151713c7ac3dd17c (diff)
parente533cf6939e3ea4233aa8a82812f8ce5fcb565ca (diff)
Merge branch 'develop'0.9.4
Diffstat (limited to 'app/openvpn/contrib')
-rw-r--r--app/openvpn/contrib/OCSP_check/OCSP_check.sh118
-rw-r--r--app/openvpn/contrib/README2
-rw-r--r--app/openvpn/contrib/openvpn-fwmarkroute-1.00/README44
-rwxr-xr-xapp/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down22
-rwxr-xr-xapp/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up49
-rw-r--r--app/openvpn/contrib/pull-resolv-conf/client.down47
-rw-r--r--app/openvpn/contrib/pull-resolv-conf/client.up101
7 files changed, 0 insertions, 383 deletions
diff --git a/app/openvpn/contrib/OCSP_check/OCSP_check.sh b/app/openvpn/contrib/OCSP_check/OCSP_check.sh
deleted file mode 100644
index 6876c6d8..00000000
--- a/app/openvpn/contrib/OCSP_check/OCSP_check.sh
+++ /dev/null
@@ -1,118 +0,0 @@
-#!/bin/sh
-
-# Sample script to perform OCSP queries with OpenSSL
-# given a certificate serial number.
-
-# If you run your own CA, you can set up a very simple
-# OCSP server using the -port option to "openssl ocsp".
-
-# Full documentation and examples:
-# http://www.openssl.org/docs/apps/ocsp.html
-
-
-# Edit the following values to suit your needs
-
-# OCSP responder URL (mandatory)
-# YOU MUST UNCOMMENT ONE OF THESE AND SET IT TO A VALID SERVER
-#ocsp_url="http://ocsp.example.com/"
-#ocsp_url="https://ocsp.secure.example.com/"
-
-# Path to issuer certificate (mandatory)
-# YOU MUST SET THIS TO THE PATH TO THE CA CERTIFICATE
-issuer="/path/to/CAcert.crt"
-
-# use a nonce in the query, set to "-no_nonce" to not use it
-nonce="-nonce"
-
-# Verify the response
-# YOU MUST SET THIS TO THE PATH TO THE RESPONSE VERIFICATION CERT
-verify="/path/to/CAcert.crt"
-
-# Depth in the certificate chain where the cert to verify is.
-# Set to -1 to run the verification at every level (NOTE that
-# in that case you need a more complex script as the various
-# parameters for the query will likely be different at each level)
-# "0" is the usual value here, where the client certificate is
-check_depth=0
-
-cur_depth=$1 # this is the *CURRENT* depth
-common_name=$2 # CN in case you need it
-
-# minimal sanity checks
-
-err=0
-if [ -z "$issuer" ] || [ ! -e "$issuer" ]; then
- echo "Error: issuer certificate undefined or not found!" >&2
- err=1
-fi
-
-if [ -z "$verify" ] || [ ! -e "$verify" ]; then
- echo "Error: verification certificate undefined or not found!" >&2
- err=1
-fi
-
-if [ -z "$ocsp_url" ]; then
- echo "Error: OCSP server URL not defined!" >&2
- err=1
-fi
-
-if [ $err -eq 1 ]; then
- echo "Did you forget to customize the variables in the script?" >&2
- exit 1
-fi
-
-# begin
-if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then
-
- eval serial="\$tls_serial_${cur_depth}"
-
- # To successfully complete, the following must happen:
- #
- # - The serial number must not be empty
- # - The exit status of "openssl ocsp" must be zero
- # - The output of the above command must contain the line
- # "${serial}: good"
- #
- # Everything else fails with exit status 1.
-
- if [ -n "$serial" ]; then
-
- # This is only an example; you are encouraged to run this command (without
- # redirections) manually against your or your CA's OCSP server to see how
- # it responds, and adapt accordingly.
- # Sample output that is assumed here:
- #
- # Response verify OK
- # 4287405: good
- # This Update: Apr 24 19:38:49 2010 GMT
- # Next Update: May 2 14:23:42 2010 GMT
- #
- # NOTE: It is needed to check the exit code of OpenSSL explicitly. OpenSSL
- # can in some circumstances give a "good" result if it could not
- # reach the the OSCP server. In this case, the exit code will indicate
- # if OpenSSL itself failed or not. If OpenSSL's exit code is not 0,
- # don't trust the OpenSSL status.
-
- status=$(openssl ocsp -issuer "$issuer" \
- "$nonce" \
- -CAfile "$verify" \
- -url "$ocsp_url" \
- -serial "${serial}" 2>&1)
-
- if [ $? -eq 0 ]; then
- # check if ocsp didn't report any errors
- if echo "$status" | grep -Eq "(error|fail)"; then
- exit 1
- fi
- # check that the reported status of certificate is ok
- if echo "$status" | grep -Fq "^${serial}: good"; then
- # check if signature on the OCSP response verified correctly
- if echo "$status" | grep -Fq "^Response verify OK"; then
- exit 0
- fi
- fi
- fi
- fi
- # if we get here, something was wrong
- exit 1
-fi
diff --git a/app/openvpn/contrib/README b/app/openvpn/contrib/README
deleted file mode 100644
index e1a57d0e..00000000
--- a/app/openvpn/contrib/README
+++ /dev/null
@@ -1,2 +0,0 @@
-This directory contains scripts and patches contributed
-by users.
diff --git a/app/openvpn/contrib/openvpn-fwmarkroute-1.00/README b/app/openvpn/contrib/openvpn-fwmarkroute-1.00/README
deleted file mode 100644
index 66fe61ad..00000000
--- a/app/openvpn/contrib/openvpn-fwmarkroute-1.00/README
+++ /dev/null
@@ -1,44 +0,0 @@
-OpenVPN fwmark Routing
-Sean Reifschneider, <jafo@tummy.com>
-Thursday November 27, 2003
-==========================
-
-These scripts can be used with OpenVPN up and down scripts to set up
-routing on a Linux system such that the VPN traffic is sent via normal
-network connectivity, but other traffic to that network runs over the VPN.
-The idea is to allow encryption of data to the network the remote host is
-on, without interfering with the VPN traffic. You can't simply add a route
-to the remote network, becaues that will cause the VPN traffic to also try
-to run over the VPN, and breaks the VPN.
-
-These scripts use the Linux "fwmark" iptables rules to specify routing
-based not only on IP address, but also by port and protocol. This allows
-you to effectively say "if the packet is to this IP address on this port
-using this protocol, then use the normal default gateway, otherwise use the
-VPN gateway.
-
-This is set up on the client VPN system, not the VPN server. These scripts
-also set up all ICMP echo-responses to run across the VPN. You can
-comment the lines in the scripts to disable this, but I find this useful
-at coffee shops which have networks that block ICMP.
-
-To configure this, you need to set up these scripts as your up and down
-scripts in the config file. You will need to set these values in the
-config file:
-
- up /etc/openvpn/fwmarkroute.up
- down /etc/openvpn/fwmarkroute.down
- up-restart
- up-delay
-
- setenv remote_netmask_bits 24
-
-Note: For this to work, you can't set the "user" or "group" config options,
-because then the scripts will not run as root.
-
-The last setting allows you to control the size of the network the remote
-system is on. The remote end has to be set up to route, probably with
-masquerading or NAT. The network this netmask relates to is calculated
-using the value of "remote" in the conf file.
-
-Sean
diff --git a/app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down b/app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down
deleted file mode 100755
index 87d67d4d..00000000
--- a/app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/sh
-#
-# Bring down vpn routing.
-
-# calculate the network address
-remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"`
-remote_network="${remote_network#*=}"
-
-# clear routing via VPN
-ip route del "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out
-ip route del table vpnonly.out via "$5"
-iptables -D OUTPUT -t mangle -p "$proto" \
- -d "$remote_network"/"$remote_netmask_bits" \
- --dport "$remote_port" -j ACCEPT
-iptables -D OUTPUT -t mangle -d "$remote" -j MARK --set-mark 2
-
-# undo the ICMP ping tunneling
-iptables -D OUTPUT -t mangle --protocol icmp --icmp-type echo-request \
- -j MARK --set-mark 3
-
-# flush route cache
-ip route flush cache
diff --git a/app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up b/app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up
deleted file mode 100755
index 661ec313..00000000
--- a/app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/bin/sh
-#
-# Bring up vpn routing.
-
-# calculate the network address
-remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"`
-remote_network="${remote_network#*=}"
-
-# add the stuff that doesn't change if it's not already there
-grep -q '^202 ' /etc/iproute2/rt_tables
-if [ "$?" -ne 0 ]
-then
- echo 202 vpn.out >> /etc/iproute2/rt_tables
-fi
-grep -q '^203 ' /etc/iproute2/rt_tables
-if [ "$?" -ne 0 ]
-then
- echo 203 vpnonly.out >> /etc/iproute2/rt_tables
-fi
-ip rule ls | grep -q 'lookup vpn.out *$'
-if [ "$?" -ne 0 ]
-then
- ip rule add fwmark 2 table vpn.out
-fi
-ip rule ls | grep -q 'lookup vpnonly.out *$'
-if [ "$?" -ne 0 ]
-then
- ip rule add fwmark 3 table vpnonly.out
-fi
-
-# route VPN traffic using the normal table
-iptables -A OUTPUT -t mangle -p "$proto" -d "$remote" --dport "$remote_port" \
- -j ACCEPT
-
-# route all other traffic to that host via VPN
-iptables -A OUTPUT -t mangle -d "$remote_network"/"$remote_netmask_bits" \
- -j MARK --set-mark 2
-
-# route all ICMP pings over the VPN
-iptables -A OUTPUT -t mangle --protocol icmp --icmp-type echo-request \
- -j MARK --set-mark 3
-
-# NAT traffic going over the VPN, so it doesn't have an unknown address
-iptables -t nat -A POSTROUTING -o "$1" -j SNAT --to-source "$4"
-
-# add routing commands
-ip route add "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out
-ip route add table vpnonly.out via "$5"
-ip route flush cache
diff --git a/app/openvpn/contrib/pull-resolv-conf/client.down b/app/openvpn/contrib/pull-resolv-conf/client.down
deleted file mode 100644
index 05f2d4d5..00000000
--- a/app/openvpn/contrib/pull-resolv-conf/client.down
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/bin/sh
-
-# Copyright (c) 2005-2010 OpenVPN Technologies, Inc.
-# Licensed under the GPL version 2
-
-# First version by Jesse Adelman
-# someone at boldandbusted dink com
-# http://www.boldandbusted.com/
-
-# PURPOSE: This script automatically removes the /etc/resolv.conf entries previously
-# set by the companion script "client.up".
-
-# INSTALL NOTES:
-# Place this in /etc/openvpn/client.down
-# Then, add the following to your /etc/openvpn/<clientconfig>.conf:
-# client
-# up /etc/openvpn/client.up
-# down /etc/openvpn/client.down
-# Next, "chmod a+x /etc/openvpn/client.down"
-
-# USAGE NOTES:
-# Note that this script is best served with the companion "client.up"
-# script.
-
-# Tested under Debian lenny with OpenVPN 2.1_rc11
-# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf
-
-# This runs with the context of the OpenVPN UID/GID
-# at the time of execution. This generally means that
-# the client "up" script will run fine, but the "down" script
-# will require the use of the OpenVPN "down-root" plugin
-# which is in the plugins/ directory of the OpenVPN source tree
-
-# A horrid work around, from a security perspective,
-# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have
-# been WARNED.
-PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
-
-if type resolvconf >/dev/null 2>&1; then
- resolvconf -d "${1}" -f
-elif [ -e /etc/resolv.conf.ovpnsave ] ; then
- # cp + rm rather than mv in case it's a symlink
- cp /etc/resolv.conf.ovpnsave /etc/resolv.conf
- rm -f /etc/resolv.conf.ovpnsave
-fi
-
-exit 0
diff --git a/app/openvpn/contrib/pull-resolv-conf/client.up b/app/openvpn/contrib/pull-resolv-conf/client.up
deleted file mode 100644
index b28d4d19..00000000
--- a/app/openvpn/contrib/pull-resolv-conf/client.up
+++ /dev/null
@@ -1,101 +0,0 @@
-#!/bin/sh
-
-# Copyright (c) 2005-2010 OpenVPN Technologies, Inc.
-# Licensed under the GPL version 2
-
-# First version by Jesse Adelman
-# someone at boldandbusted dink com
-# http://www.boldandbusted.com/
-
-# PURPOSE: This script automatically sets the proper /etc/resolv.conf entries
-# as pulled down from an OpenVPN server.
-
-# INSTALL NOTES:
-# Place this in /etc/openvpn/client.up
-# Then, add the following to your /etc/openvpn/<clientconfig>.conf:
-# client
-# up /etc/openvpn/client.up
-# Next, "chmod a+x /etc/openvpn/client.up"
-
-# USAGE NOTES:
-# Note that this script is best served with the companion "client.down"
-# script.
-
-# Tested under Debian lenny with OpenVPN 2.1_rc11
-# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf
-
-# This runs with the context of the OpenVPN UID/GID
-# at the time of execution. This generally means that
-# the client "up" script will run fine, but the "down" script
-# will require the use of the OpenVPN "down-root" plugin
-# which is in the plugins/ directory of the OpenVPN source tree
-
-# A horrid work around, from a security perspective,
-# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have
-# been WARNED.
-PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
-
-# init variables
-
-i=1
-domains=
-fopt=
-ndoms=0
-nns=0
-nl='
-'
-
-# $foreign_option_<n> is something like
-# "dhcp-option DOMAIN example.com" (multiple allowed)
-# or
-# "dhcp-option DNS 10.10.10.10" (multiple allowed)
-
-# each DNS option becomes a "nameserver" option in resolv.con
-# if we get one DOMAIN, that becomes "domain" in resolv.conf
-# if we get multiple DOMAINS, those become "search" lines in resolv.conf
-
-while true; do
- eval fopt=\$foreign_option_${i}
- [ -z "${fopt}" ] && break
-
- case ${fopt} in
- dhcp-option\ DOMAIN\ *)
- ndoms=$((ndoms + 1))
- domains="${domains} ${fopt#dhcp-option DOMAIN }"
- ;;
- dhcp-option\ DNS\ *)
- nns=$((nns + 1))
- if [ $nns -le 3 ]; then
- dns="${dns}${dns:+$nl}nameserver ${fopt#dhcp-option DNS }"
- else
- printf "%s\n" "Too many nameservers - ignoring after third" >&2
- fi
- ;;
- *)
- printf "%s\n" "Unknown option \"${fopt}\" - ignored" >&2
- ;;
- esac
- i=$((i + 1))
-done
-
-ds=domain
-if [ $ndoms -gt 1 ]; then
- ds=search
-fi
-
-# This is the complete file - "$domains" has a leading space already
-out="# resolv.conf autogenerated by ${0} (${1})${nl}${dns}${nl}${ds}${domains}"
-
-# use resolvconf if it's available
-if type resolvconf >/dev/null 2>&1; then
- printf "%s\n" "${out}" | resolvconf -p -a "${1}"
-else
- # Preserve the existing resolv.conf
- if [ -e /etc/resolv.conf ] ; then
- cp /etc/resolv.conf /etc/resolv.conf.ovpnsave
- fi
- printf "%s\n" "${out}" > /etc/resolv.conf
- chmod 644 /etc/resolv.conf
-fi
-
-exit 0