summaryrefslogtreecommitdiff
path: root/openvpn/contrib
diff options
context:
space:
mode:
Diffstat (limited to 'openvpn/contrib')
-rw-r--r--openvpn/contrib/OCSP_check/OCSP_check.sh111
-rw-r--r--openvpn/contrib/README2
-rw-r--r--openvpn/contrib/multilevel-init.patch79
-rw-r--r--openvpn/contrib/openvpn-fwmarkroute-1.00/README44
-rwxr-xr-xopenvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down22
-rwxr-xr-xopenvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up49
-rw-r--r--openvpn/contrib/pull-resolv-conf/client.down47
-rw-r--r--openvpn/contrib/pull-resolv-conf/client.up101
8 files changed, 455 insertions, 0 deletions
diff --git a/openvpn/contrib/OCSP_check/OCSP_check.sh b/openvpn/contrib/OCSP_check/OCSP_check.sh
new file mode 100644
index 00000000..847be450
--- /dev/null
+++ b/openvpn/contrib/OCSP_check/OCSP_check.sh
@@ -0,0 +1,111 @@
+#!/bin/sh
+
+# Sample script to perform OCSP queries with OpenSSL
+# given a certificate serial number.
+
+# If you run your own CA, you can set up a very simple
+# OCSP server using the -port option to "openssl ocsp".
+
+# Full documentation and examples:
+# http://www.openssl.org/docs/apps/ocsp.html
+
+
+# Edit the following values to suit your needs
+
+# OCSP responder URL (mandatory)
+# YOU MUST UNCOMMENT ONE OF THESE AND SET IT TO A VALID SERVER
+#ocsp_url="http://ocsp.example.com/"
+#ocsp_url="https://ocsp.secure.example.com/"
+
+# Path to issuer certificate (mandatory)
+# YOU MUST SET THIS TO THE PATH TO THE CA CERTIFICATE
+issuer="/path/to/CAcert.crt"
+
+# use a nonce in the query, set to "-no_nonce" to not use it
+nonce="-nonce"
+
+# Verify the response
+# YOU MUST SET THIS TO THE PATH TO THE RESPONSE VERIFICATION CERT
+verify="/path/to/CAcert.crt"
+
+# Depth in the certificate chain where the cert to verify is.
+# Set to -1 to run the verification at every level (NOTE that
+# in that case you need a more complex script as the various
+# parameters for the query will likely be different at each level)
+# "0" is the usual value here, where the client certificate is
+check_depth=0
+
+cur_depth=$1 # this is the *CURRENT* depth
+common_name=$2 # CN in case you need it
+
+# minimal sanity checks
+
+err=0
+if [ -z "$issuer" ] || [ ! -e "$issuer" ]; then
+ echo "Error: issuer certificate undefined or not found!" >&2
+ err=1
+fi
+
+if [ -z "$verify" ] || [ ! -e "$verify" ]; then
+ echo "Error: verification certificate undefined or not found!" >&2
+ err=1
+fi
+
+if [ -z "$ocsp_url" ]; then
+ echo "Error: OCSP server URL not defined!" >&2
+ err=1
+fi
+
+if [ $err -eq 1 ]; then
+ echo "Did you forget to customize the variables in the script?" >&2
+ exit 1
+fi
+
+# begin
+if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then
+
+ eval serial="\$tls_serial_${cur_depth}"
+
+ # To successfully complete, the following must happen:
+ #
+ # - The serial number must not be empty
+ # - The exit status of "openssl ocsp" must be zero
+ # - The output of the above command must contain the line
+ # "0x${serial}: good"
+ #
+ # Everything else fails with exit status 1.
+
+ if [ -n "$serial" ]; then
+
+ # This is only an example; you are encouraged to run this command (without
+ # redirections) manually against your or your CA's OCSP server to see how
+ # it responds, and adapt accordingly.
+ # Sample output that is assumed here:
+ #
+ # Response verify OK
+ # 0x428740A5: good
+ # This Update: Apr 24 19:38:49 2010 GMT
+ # Next Update: May 2 14:23:42 2010 GMT
+ #
+ # NOTE: It is needed to check the exit code of OpenSSL explicitly. OpenSSL
+ # can in some circumstances give a "good" result if it could not
+ # reach the the OSCP server. In this case, the exit code will indicate
+ # if OpenSSL itself failed or not. If OpenSSL's exit code is not 0,
+ # don't trust the OpenSSL status.
+
+ status=$(openssl ocsp -issuer "$issuer" \
+ "$nonce" \
+ -CAfile "$verify" \
+ -url "$ocsp_url" \
+ -serial "0x${serial}" 2>/dev/null)
+
+ if [ $? -eq 0 ]; then
+ # check that it's good
+ if echo "$status" | grep -Fq "0x${serial}: good"; then
+ exit 0
+ fi
+ fi
+ fi
+ # if we get here, something was wrong
+ exit 1
+fi
diff --git a/openvpn/contrib/README b/openvpn/contrib/README
new file mode 100644
index 00000000..e1a57d0e
--- /dev/null
+++ b/openvpn/contrib/README
@@ -0,0 +1,2 @@
+This directory contains scripts and patches contributed
+by users.
diff --git a/openvpn/contrib/multilevel-init.patch b/openvpn/contrib/multilevel-init.patch
new file mode 100644
index 00000000..8d48fbcd
--- /dev/null
+++ b/openvpn/contrib/multilevel-init.patch
@@ -0,0 +1,79 @@
+--- /etc/init.d/openvpn 2004-05-12 20:30:06.000000000 +0200
++++ openvpn 2004-05-12 20:34:33.000000000 +0200
+@@ -58,13 +58,13 @@
+ # returning success or failure status to caller (James Yonan).
+
+ # Location of openvpn binary
+-openvpn="/usr/sbin/openvpn"
++openvpn=/usr/sbin/openvpn
+
+ # Lockfile
+-lock="/var/lock/subsys/openvpn"
++lock=/var/lock/subsys/openvpn
+
+ # PID directory
+-piddir="/var/run/openvpn"
++piddir=/var/run/openvpn
+
+ # Our working directory
+ work=/etc/openvpn
+@@ -106,7 +106,7 @@
+
+ if [ -f $lock ]; then
+ # we were not shut down correctly
+- for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do
++ for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do
+ if [ -s $pidf ]; then
+ kill `cat $pidf` >/dev/null 2>&1
+ fi
+@@ -116,12 +116,12 @@
+ sleep 2
+ fi
+
+- rm -f $piddir/*.pid $piddir/*/*.pid
++ find $piddir -name "*.pid"|xargs rm -f
+
+ # Start every .conf in $work and run .sh if exists
+ errors=0
+ successes=0
+- for c in `/bin/ls *.conf */*.conf 2>/dev/null`; do
++ for c in `find * -name "*.conf" 2>/dev/null`; do
+ bn=${c%%.conf}
+ if [ -f "$bn.sh" ]; then
+ . $bn.sh
+@@ -147,7 +147,7 @@
+ ;;
+ stop)
+ echo -n $"Shutting down openvpn: "
+- for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do
++ for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do
+ if [ -s $pidf ]; then
+ kill `cat $pidf` >/dev/null 2>&1
+ fi
+@@ -163,7 +163,7 @@
+ ;;
+ reload)
+ if [ -f $lock ]; then
+- for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do
++ for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do
+ if [ -s $pidf ]; then
+ kill -HUP `cat $pidf` >/dev/null 2>&1
+ fi
+@@ -175,7 +175,7 @@
+ ;;
+ reopen)
+ if [ -f $lock ]; then
+- for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do
++ for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do
+ if [ -s $pidf ]; then
+ kill -USR1 `cat $pidf` >/dev/null 2>&1
+ fi
+@@ -195,7 +195,7 @@
+ ;;
+ status)
+ if [ -f $lock ]; then
+- for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do
++ for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do
+ if [ -s $pidf ]; then
+ kill -USR2 `cat $pidf` >/dev/null 2>&1
+ fi
diff --git a/openvpn/contrib/openvpn-fwmarkroute-1.00/README b/openvpn/contrib/openvpn-fwmarkroute-1.00/README
new file mode 100644
index 00000000..66fe61ad
--- /dev/null
+++ b/openvpn/contrib/openvpn-fwmarkroute-1.00/README
@@ -0,0 +1,44 @@
+OpenVPN fwmark Routing
+Sean Reifschneider, <jafo@tummy.com>
+Thursday November 27, 2003
+==========================
+
+These scripts can be used with OpenVPN up and down scripts to set up
+routing on a Linux system such that the VPN traffic is sent via normal
+network connectivity, but other traffic to that network runs over the VPN.
+The idea is to allow encryption of data to the network the remote host is
+on, without interfering with the VPN traffic. You can't simply add a route
+to the remote network, becaues that will cause the VPN traffic to also try
+to run over the VPN, and breaks the VPN.
+
+These scripts use the Linux "fwmark" iptables rules to specify routing
+based not only on IP address, but also by port and protocol. This allows
+you to effectively say "if the packet is to this IP address on this port
+using this protocol, then use the normal default gateway, otherwise use the
+VPN gateway.
+
+This is set up on the client VPN system, not the VPN server. These scripts
+also set up all ICMP echo-responses to run across the VPN. You can
+comment the lines in the scripts to disable this, but I find this useful
+at coffee shops which have networks that block ICMP.
+
+To configure this, you need to set up these scripts as your up and down
+scripts in the config file. You will need to set these values in the
+config file:
+
+ up /etc/openvpn/fwmarkroute.up
+ down /etc/openvpn/fwmarkroute.down
+ up-restart
+ up-delay
+
+ setenv remote_netmask_bits 24
+
+Note: For this to work, you can't set the "user" or "group" config options,
+because then the scripts will not run as root.
+
+The last setting allows you to control the size of the network the remote
+system is on. The remote end has to be set up to route, probably with
+masquerading or NAT. The network this netmask relates to is calculated
+using the value of "remote" in the conf file.
+
+Sean
diff --git a/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down b/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down
new file mode 100755
index 00000000..87d67d4d
--- /dev/null
+++ b/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Bring down vpn routing.
+
+# calculate the network address
+remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"`
+remote_network="${remote_network#*=}"
+
+# clear routing via VPN
+ip route del "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out
+ip route del table vpnonly.out via "$5"
+iptables -D OUTPUT -t mangle -p "$proto" \
+ -d "$remote_network"/"$remote_netmask_bits" \
+ --dport "$remote_port" -j ACCEPT
+iptables -D OUTPUT -t mangle -d "$remote" -j MARK --set-mark 2
+
+# undo the ICMP ping tunneling
+iptables -D OUTPUT -t mangle --protocol icmp --icmp-type echo-request \
+ -j MARK --set-mark 3
+
+# flush route cache
+ip route flush cache
diff --git a/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up b/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up
new file mode 100755
index 00000000..661ec313
--- /dev/null
+++ b/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up
@@ -0,0 +1,49 @@
+#!/bin/sh
+#
+# Bring up vpn routing.
+
+# calculate the network address
+remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"`
+remote_network="${remote_network#*=}"
+
+# add the stuff that doesn't change if it's not already there
+grep -q '^202 ' /etc/iproute2/rt_tables
+if [ "$?" -ne 0 ]
+then
+ echo 202 vpn.out >> /etc/iproute2/rt_tables
+fi
+grep -q '^203 ' /etc/iproute2/rt_tables
+if [ "$?" -ne 0 ]
+then
+ echo 203 vpnonly.out >> /etc/iproute2/rt_tables
+fi
+ip rule ls | grep -q 'lookup vpn.out *$'
+if [ "$?" -ne 0 ]
+then
+ ip rule add fwmark 2 table vpn.out
+fi
+ip rule ls | grep -q 'lookup vpnonly.out *$'
+if [ "$?" -ne 0 ]
+then
+ ip rule add fwmark 3 table vpnonly.out
+fi
+
+# route VPN traffic using the normal table
+iptables -A OUTPUT -t mangle -p "$proto" -d "$remote" --dport "$remote_port" \
+ -j ACCEPT
+
+# route all other traffic to that host via VPN
+iptables -A OUTPUT -t mangle -d "$remote_network"/"$remote_netmask_bits" \
+ -j MARK --set-mark 2
+
+# route all ICMP pings over the VPN
+iptables -A OUTPUT -t mangle --protocol icmp --icmp-type echo-request \
+ -j MARK --set-mark 3
+
+# NAT traffic going over the VPN, so it doesn't have an unknown address
+iptables -t nat -A POSTROUTING -o "$1" -j SNAT --to-source "$4"
+
+# add routing commands
+ip route add "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out
+ip route add table vpnonly.out via "$5"
+ip route flush cache
diff --git a/openvpn/contrib/pull-resolv-conf/client.down b/openvpn/contrib/pull-resolv-conf/client.down
new file mode 100644
index 00000000..05f2d4d5
--- /dev/null
+++ b/openvpn/contrib/pull-resolv-conf/client.down
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+# Copyright (c) 2005-2010 OpenVPN Technologies, Inc.
+# Licensed under the GPL version 2
+
+# First version by Jesse Adelman
+# someone at boldandbusted dink com
+# http://www.boldandbusted.com/
+
+# PURPOSE: This script automatically removes the /etc/resolv.conf entries previously
+# set by the companion script "client.up".
+
+# INSTALL NOTES:
+# Place this in /etc/openvpn/client.down
+# Then, add the following to your /etc/openvpn/<clientconfig>.conf:
+# client
+# up /etc/openvpn/client.up
+# down /etc/openvpn/client.down
+# Next, "chmod a+x /etc/openvpn/client.down"
+
+# USAGE NOTES:
+# Note that this script is best served with the companion "client.up"
+# script.
+
+# Tested under Debian lenny with OpenVPN 2.1_rc11
+# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf
+
+# This runs with the context of the OpenVPN UID/GID
+# at the time of execution. This generally means that
+# the client "up" script will run fine, but the "down" script
+# will require the use of the OpenVPN "down-root" plugin
+# which is in the plugins/ directory of the OpenVPN source tree
+
+# A horrid work around, from a security perspective,
+# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have
+# been WARNED.
+PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
+
+if type resolvconf >/dev/null 2>&1; then
+ resolvconf -d "${1}" -f
+elif [ -e /etc/resolv.conf.ovpnsave ] ; then
+ # cp + rm rather than mv in case it's a symlink
+ cp /etc/resolv.conf.ovpnsave /etc/resolv.conf
+ rm -f /etc/resolv.conf.ovpnsave
+fi
+
+exit 0
diff --git a/openvpn/contrib/pull-resolv-conf/client.up b/openvpn/contrib/pull-resolv-conf/client.up
new file mode 100644
index 00000000..b28d4d19
--- /dev/null
+++ b/openvpn/contrib/pull-resolv-conf/client.up
@@ -0,0 +1,101 @@
+#!/bin/sh
+
+# Copyright (c) 2005-2010 OpenVPN Technologies, Inc.
+# Licensed under the GPL version 2
+
+# First version by Jesse Adelman
+# someone at boldandbusted dink com
+# http://www.boldandbusted.com/
+
+# PURPOSE: This script automatically sets the proper /etc/resolv.conf entries
+# as pulled down from an OpenVPN server.
+
+# INSTALL NOTES:
+# Place this in /etc/openvpn/client.up
+# Then, add the following to your /etc/openvpn/<clientconfig>.conf:
+# client
+# up /etc/openvpn/client.up
+# Next, "chmod a+x /etc/openvpn/client.up"
+
+# USAGE NOTES:
+# Note that this script is best served with the companion "client.down"
+# script.
+
+# Tested under Debian lenny with OpenVPN 2.1_rc11
+# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf
+
+# This runs with the context of the OpenVPN UID/GID
+# at the time of execution. This generally means that
+# the client "up" script will run fine, but the "down" script
+# will require the use of the OpenVPN "down-root" plugin
+# which is in the plugins/ directory of the OpenVPN source tree
+
+# A horrid work around, from a security perspective,
+# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have
+# been WARNED.
+PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
+
+# init variables
+
+i=1
+domains=
+fopt=
+ndoms=0
+nns=0
+nl='
+'
+
+# $foreign_option_<n> is something like
+# "dhcp-option DOMAIN example.com" (multiple allowed)
+# or
+# "dhcp-option DNS 10.10.10.10" (multiple allowed)
+
+# each DNS option becomes a "nameserver" option in resolv.con
+# if we get one DOMAIN, that becomes "domain" in resolv.conf
+# if we get multiple DOMAINS, those become "search" lines in resolv.conf
+
+while true; do
+ eval fopt=\$foreign_option_${i}
+ [ -z "${fopt}" ] && break
+
+ case ${fopt} in
+ dhcp-option\ DOMAIN\ *)
+ ndoms=$((ndoms + 1))
+ domains="${domains} ${fopt#dhcp-option DOMAIN }"
+ ;;
+ dhcp-option\ DNS\ *)
+ nns=$((nns + 1))
+ if [ $nns -le 3 ]; then
+ dns="${dns}${dns:+$nl}nameserver ${fopt#dhcp-option DNS }"
+ else
+ printf "%s\n" "Too many nameservers - ignoring after third" >&2
+ fi
+ ;;
+ *)
+ printf "%s\n" "Unknown option \"${fopt}\" - ignored" >&2
+ ;;
+ esac
+ i=$((i + 1))
+done
+
+ds=domain
+if [ $ndoms -gt 1 ]; then
+ ds=search
+fi
+
+# This is the complete file - "$domains" has a leading space already
+out="# resolv.conf autogenerated by ${0} (${1})${nl}${dns}${nl}${ds}${domains}"
+
+# use resolvconf if it's available
+if type resolvconf >/dev/null 2>&1; then
+ printf "%s\n" "${out}" | resolvconf -p -a "${1}"
+else
+ # Preserve the existing resolv.conf
+ if [ -e /etc/resolv.conf ] ; then
+ cp /etc/resolv.conf /etc/resolv.conf.ovpnsave
+ fi
+ printf "%s\n" "${out}" > /etc/resolv.conf
+ chmod 644 /etc/resolv.conf
+fi
+
+exit 0