From 5fc5d37330d3535a0f421632694d1e7918fc22d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Parm=C3=A9nides=20GV?= Date: Tue, 8 Apr 2014 11:38:09 +0200 Subject: Compiles correctly: app/build-native + gradle. --- app/openvpn/contrib/OCSP_check/OCSP_check.sh | 111 +++++++++++++++++++++ app/openvpn/contrib/README | 2 + .../contrib/openvpn-fwmarkroute-1.00/README | 44 ++++++++ .../openvpn-fwmarkroute-1.00/fwmarkroute.down | 22 ++++ .../openvpn-fwmarkroute-1.00/fwmarkroute.up | 49 +++++++++ app/openvpn/contrib/pull-resolv-conf/client.down | 47 +++++++++ app/openvpn/contrib/pull-resolv-conf/client.up | 101 +++++++++++++++++++ 7 files changed, 376 insertions(+) create mode 100644 app/openvpn/contrib/OCSP_check/OCSP_check.sh create mode 100644 app/openvpn/contrib/README create mode 100644 app/openvpn/contrib/openvpn-fwmarkroute-1.00/README create mode 100755 app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down create mode 100755 app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up create mode 100644 app/openvpn/contrib/pull-resolv-conf/client.down create mode 100644 app/openvpn/contrib/pull-resolv-conf/client.up (limited to 'app/openvpn/contrib') diff --git a/app/openvpn/contrib/OCSP_check/OCSP_check.sh b/app/openvpn/contrib/OCSP_check/OCSP_check.sh new file mode 100644 index 00000000..847be450 --- /dev/null +++ b/app/openvpn/contrib/OCSP_check/OCSP_check.sh @@ -0,0 +1,111 @@ +#!/bin/sh + +# Sample script to perform OCSP queries with OpenSSL +# given a certificate serial number. + +# If you run your own CA, you can set up a very simple +# OCSP server using the -port option to "openssl ocsp". + +# Full documentation and examples: +# http://www.openssl.org/docs/apps/ocsp.html + + +# Edit the following values to suit your needs + +# OCSP responder URL (mandatory) +# YOU MUST UNCOMMENT ONE OF THESE AND SET IT TO A VALID SERVER +#ocsp_url="http://ocsp.example.com/" +#ocsp_url="https://ocsp.secure.example.com/" + +# Path to issuer certificate (mandatory) +# YOU MUST SET THIS TO THE PATH TO THE CA CERTIFICATE +issuer="/path/to/CAcert.crt" + +# use a nonce in the query, set to "-no_nonce" to not use it +nonce="-nonce" + +# Verify the response +# YOU MUST SET THIS TO THE PATH TO THE RESPONSE VERIFICATION CERT +verify="/path/to/CAcert.crt" + +# Depth in the certificate chain where the cert to verify is. +# Set to -1 to run the verification at every level (NOTE that +# in that case you need a more complex script as the various +# parameters for the query will likely be different at each level) +# "0" is the usual value here, where the client certificate is +check_depth=0 + +cur_depth=$1 # this is the *CURRENT* depth +common_name=$2 # CN in case you need it + +# minimal sanity checks + +err=0 +if [ -z "$issuer" ] || [ ! -e "$issuer" ]; then + echo "Error: issuer certificate undefined or not found!" >&2 + err=1 +fi + +if [ -z "$verify" ] || [ ! -e "$verify" ]; then + echo "Error: verification certificate undefined or not found!" >&2 + err=1 +fi + +if [ -z "$ocsp_url" ]; then + echo "Error: OCSP server URL not defined!" >&2 + err=1 +fi + +if [ $err -eq 1 ]; then + echo "Did you forget to customize the variables in the script?" >&2 + exit 1 +fi + +# begin +if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then + + eval serial="\$tls_serial_${cur_depth}" + + # To successfully complete, the following must happen: + # + # - The serial number must not be empty + # - The exit status of "openssl ocsp" must be zero + # - The output of the above command must contain the line + # "0x${serial}: good" + # + # Everything else fails with exit status 1. + + if [ -n "$serial" ]; then + + # This is only an example; you are encouraged to run this command (without + # redirections) manually against your or your CA's OCSP server to see how + # it responds, and adapt accordingly. + # Sample output that is assumed here: + # + # Response verify OK + # 0x428740A5: good + # This Update: Apr 24 19:38:49 2010 GMT + # Next Update: May 2 14:23:42 2010 GMT + # + # NOTE: It is needed to check the exit code of OpenSSL explicitly. OpenSSL + # can in some circumstances give a "good" result if it could not + # reach the the OSCP server. In this case, the exit code will indicate + # if OpenSSL itself failed or not. If OpenSSL's exit code is not 0, + # don't trust the OpenSSL status. + + status=$(openssl ocsp -issuer "$issuer" \ + "$nonce" \ + -CAfile "$verify" \ + -url "$ocsp_url" \ + -serial "0x${serial}" 2>/dev/null) + + if [ $? -eq 0 ]; then + # check that it's good + if echo "$status" | grep -Fq "0x${serial}: good"; then + exit 0 + fi + fi + fi + # if we get here, something was wrong + exit 1 +fi diff --git a/app/openvpn/contrib/README b/app/openvpn/contrib/README new file mode 100644 index 00000000..e1a57d0e --- /dev/null +++ b/app/openvpn/contrib/README @@ -0,0 +1,2 @@ +This directory contains scripts and patches contributed +by users. diff --git a/app/openvpn/contrib/openvpn-fwmarkroute-1.00/README b/app/openvpn/contrib/openvpn-fwmarkroute-1.00/README new file mode 100644 index 00000000..66fe61ad --- /dev/null +++ b/app/openvpn/contrib/openvpn-fwmarkroute-1.00/README @@ -0,0 +1,44 @@ +OpenVPN fwmark Routing +Sean Reifschneider, +Thursday November 27, 2003 +========================== + +These scripts can be used with OpenVPN up and down scripts to set up +routing on a Linux system such that the VPN traffic is sent via normal +network connectivity, but other traffic to that network runs over the VPN. +The idea is to allow encryption of data to the network the remote host is +on, without interfering with the VPN traffic. You can't simply add a route +to the remote network, becaues that will cause the VPN traffic to also try +to run over the VPN, and breaks the VPN. + +These scripts use the Linux "fwmark" iptables rules to specify routing +based not only on IP address, but also by port and protocol. This allows +you to effectively say "if the packet is to this IP address on this port +using this protocol, then use the normal default gateway, otherwise use the +VPN gateway. + +This is set up on the client VPN system, not the VPN server. These scripts +also set up all ICMP echo-responses to run across the VPN. You can +comment the lines in the scripts to disable this, but I find this useful +at coffee shops which have networks that block ICMP. + +To configure this, you need to set up these scripts as your up and down +scripts in the config file. You will need to set these values in the +config file: + + up /etc/openvpn/fwmarkroute.up + down /etc/openvpn/fwmarkroute.down + up-restart + up-delay + + setenv remote_netmask_bits 24 + +Note: For this to work, you can't set the "user" or "group" config options, +because then the scripts will not run as root. + +The last setting allows you to control the size of the network the remote +system is on. The remote end has to be set up to route, probably with +masquerading or NAT. The network this netmask relates to is calculated +using the value of "remote" in the conf file. + +Sean diff --git a/app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down b/app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down new file mode 100755 index 00000000..87d67d4d --- /dev/null +++ b/app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down @@ -0,0 +1,22 @@ +#!/bin/sh +# +# Bring down vpn routing. + +# calculate the network address +remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"` +remote_network="${remote_network#*=}" + +# clear routing via VPN +ip route del "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out +ip route del table vpnonly.out via "$5" +iptables -D OUTPUT -t mangle -p "$proto" \ + -d "$remote_network"/"$remote_netmask_bits" \ + --dport "$remote_port" -j ACCEPT +iptables -D OUTPUT -t mangle -d "$remote" -j MARK --set-mark 2 + +# undo the ICMP ping tunneling +iptables -D OUTPUT -t mangle --protocol icmp --icmp-type echo-request \ + -j MARK --set-mark 3 + +# flush route cache +ip route flush cache diff --git a/app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up b/app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up new file mode 100755 index 00000000..661ec313 --- /dev/null +++ b/app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up @@ -0,0 +1,49 @@ +#!/bin/sh +# +# Bring up vpn routing. + +# calculate the network address +remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"` +remote_network="${remote_network#*=}" + +# add the stuff that doesn't change if it's not already there +grep -q '^202 ' /etc/iproute2/rt_tables +if [ "$?" -ne 0 ] +then + echo 202 vpn.out >> /etc/iproute2/rt_tables +fi +grep -q '^203 ' /etc/iproute2/rt_tables +if [ "$?" -ne 0 ] +then + echo 203 vpnonly.out >> /etc/iproute2/rt_tables +fi +ip rule ls | grep -q 'lookup vpn.out *$' +if [ "$?" -ne 0 ] +then + ip rule add fwmark 2 table vpn.out +fi +ip rule ls | grep -q 'lookup vpnonly.out *$' +if [ "$?" -ne 0 ] +then + ip rule add fwmark 3 table vpnonly.out +fi + +# route VPN traffic using the normal table +iptables -A OUTPUT -t mangle -p "$proto" -d "$remote" --dport "$remote_port" \ + -j ACCEPT + +# route all other traffic to that host via VPN +iptables -A OUTPUT -t mangle -d "$remote_network"/"$remote_netmask_bits" \ + -j MARK --set-mark 2 + +# route all ICMP pings over the VPN +iptables -A OUTPUT -t mangle --protocol icmp --icmp-type echo-request \ + -j MARK --set-mark 3 + +# NAT traffic going over the VPN, so it doesn't have an unknown address +iptables -t nat -A POSTROUTING -o "$1" -j SNAT --to-source "$4" + +# add routing commands +ip route add "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out +ip route add table vpnonly.out via "$5" +ip route flush cache diff --git a/app/openvpn/contrib/pull-resolv-conf/client.down b/app/openvpn/contrib/pull-resolv-conf/client.down new file mode 100644 index 00000000..05f2d4d5 --- /dev/null +++ b/app/openvpn/contrib/pull-resolv-conf/client.down @@ -0,0 +1,47 @@ +#!/bin/sh + +# Copyright (c) 2005-2010 OpenVPN Technologies, Inc. +# Licensed under the GPL version 2 + +# First version by Jesse Adelman +# someone at boldandbusted dink com +# http://www.boldandbusted.com/ + +# PURPOSE: This script automatically removes the /etc/resolv.conf entries previously +# set by the companion script "client.up". + +# INSTALL NOTES: +# Place this in /etc/openvpn/client.down +# Then, add the following to your /etc/openvpn/.conf: +# client +# up /etc/openvpn/client.up +# down /etc/openvpn/client.down +# Next, "chmod a+x /etc/openvpn/client.down" + +# USAGE NOTES: +# Note that this script is best served with the companion "client.up" +# script. + +# Tested under Debian lenny with OpenVPN 2.1_rc11 +# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf + +# This runs with the context of the OpenVPN UID/GID +# at the time of execution. This generally means that +# the client "up" script will run fine, but the "down" script +# will require the use of the OpenVPN "down-root" plugin +# which is in the plugins/ directory of the OpenVPN source tree + +# A horrid work around, from a security perspective, +# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have +# been WARNED. +PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin + +if type resolvconf >/dev/null 2>&1; then + resolvconf -d "${1}" -f +elif [ -e /etc/resolv.conf.ovpnsave ] ; then + # cp + rm rather than mv in case it's a symlink + cp /etc/resolv.conf.ovpnsave /etc/resolv.conf + rm -f /etc/resolv.conf.ovpnsave +fi + +exit 0 diff --git a/app/openvpn/contrib/pull-resolv-conf/client.up b/app/openvpn/contrib/pull-resolv-conf/client.up new file mode 100644 index 00000000..b28d4d19 --- /dev/null +++ b/app/openvpn/contrib/pull-resolv-conf/client.up @@ -0,0 +1,101 @@ +#!/bin/sh + +# Copyright (c) 2005-2010 OpenVPN Technologies, Inc. +# Licensed under the GPL version 2 + +# First version by Jesse Adelman +# someone at boldandbusted dink com +# http://www.boldandbusted.com/ + +# PURPOSE: This script automatically sets the proper /etc/resolv.conf entries +# as pulled down from an OpenVPN server. + +# INSTALL NOTES: +# Place this in /etc/openvpn/client.up +# Then, add the following to your /etc/openvpn/.conf: +# client +# up /etc/openvpn/client.up +# Next, "chmod a+x /etc/openvpn/client.up" + +# USAGE NOTES: +# Note that this script is best served with the companion "client.down" +# script. + +# Tested under Debian lenny with OpenVPN 2.1_rc11 +# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf + +# This runs with the context of the OpenVPN UID/GID +# at the time of execution. This generally means that +# the client "up" script will run fine, but the "down" script +# will require the use of the OpenVPN "down-root" plugin +# which is in the plugins/ directory of the OpenVPN source tree + +# A horrid work around, from a security perspective, +# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have +# been WARNED. +PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin + +# init variables + +i=1 +domains= +fopt= +ndoms=0 +nns=0 +nl=' +' + +# $foreign_option_ is something like +# "dhcp-option DOMAIN example.com" (multiple allowed) +# or +# "dhcp-option DNS 10.10.10.10" (multiple allowed) + +# each DNS option becomes a "nameserver" option in resolv.con +# if we get one DOMAIN, that becomes "domain" in resolv.conf +# if we get multiple DOMAINS, those become "search" lines in resolv.conf + +while true; do + eval fopt=\$foreign_option_${i} + [ -z "${fopt}" ] && break + + case ${fopt} in + dhcp-option\ DOMAIN\ *) + ndoms=$((ndoms + 1)) + domains="${domains} ${fopt#dhcp-option DOMAIN }" + ;; + dhcp-option\ DNS\ *) + nns=$((nns + 1)) + if [ $nns -le 3 ]; then + dns="${dns}${dns:+$nl}nameserver ${fopt#dhcp-option DNS }" + else + printf "%s\n" "Too many nameservers - ignoring after third" >&2 + fi + ;; + *) + printf "%s\n" "Unknown option \"${fopt}\" - ignored" >&2 + ;; + esac + i=$((i + 1)) +done + +ds=domain +if [ $ndoms -gt 1 ]; then + ds=search +fi + +# This is the complete file - "$domains" has a leading space already +out="# resolv.conf autogenerated by ${0} (${1})${nl}${dns}${nl}${ds}${domains}" + +# use resolvconf if it's available +if type resolvconf >/dev/null 2>&1; then + printf "%s\n" "${out}" | resolvconf -p -a "${1}" +else + # Preserve the existing resolv.conf + if [ -e /etc/resolv.conf ] ; then + cp /etc/resolv.conf /etc/resolv.conf.ovpnsave + fi + printf "%s\n" "${out}" > /etc/resolv.conf + chmod 644 /etc/resolv.conf +fi + +exit 0 -- cgit v1.2.3 From 3c3421afd8f74a3aa8d1011de07a8c18f9549210 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Parm=C3=A9nides=20GV?= Date: Tue, 8 Apr 2014 12:04:17 +0200 Subject: Rename app->bitmask_android This way, gradle commands generate apks correctly named. --- app/openvpn/contrib/OCSP_check/OCSP_check.sh | 111 --------------------- app/openvpn/contrib/README | 2 - .../contrib/openvpn-fwmarkroute-1.00/README | 44 -------- .../openvpn-fwmarkroute-1.00/fwmarkroute.down | 22 ---- .../openvpn-fwmarkroute-1.00/fwmarkroute.up | 49 --------- app/openvpn/contrib/pull-resolv-conf/client.down | 47 --------- app/openvpn/contrib/pull-resolv-conf/client.up | 101 ------------------- 7 files changed, 376 deletions(-) delete mode 100644 app/openvpn/contrib/OCSP_check/OCSP_check.sh delete mode 100644 app/openvpn/contrib/README delete mode 100644 app/openvpn/contrib/openvpn-fwmarkroute-1.00/README delete mode 100755 app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down delete mode 100755 app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up delete mode 100644 app/openvpn/contrib/pull-resolv-conf/client.down delete mode 100644 app/openvpn/contrib/pull-resolv-conf/client.up (limited to 'app/openvpn/contrib') diff --git a/app/openvpn/contrib/OCSP_check/OCSP_check.sh b/app/openvpn/contrib/OCSP_check/OCSP_check.sh deleted file mode 100644 index 847be450..00000000 --- a/app/openvpn/contrib/OCSP_check/OCSP_check.sh +++ /dev/null @@ -1,111 +0,0 @@ -#!/bin/sh - -# Sample script to perform OCSP queries with OpenSSL -# given a certificate serial number. - -# If you run your own CA, you can set up a very simple -# OCSP server using the -port option to "openssl ocsp". - -# Full documentation and examples: -# http://www.openssl.org/docs/apps/ocsp.html - - -# Edit the following values to suit your needs - -# OCSP responder URL (mandatory) -# YOU MUST UNCOMMENT ONE OF THESE AND SET IT TO A VALID SERVER -#ocsp_url="http://ocsp.example.com/" -#ocsp_url="https://ocsp.secure.example.com/" - -# Path to issuer certificate (mandatory) -# YOU MUST SET THIS TO THE PATH TO THE CA CERTIFICATE -issuer="/path/to/CAcert.crt" - -# use a nonce in the query, set to "-no_nonce" to not use it -nonce="-nonce" - -# Verify the response -# YOU MUST SET THIS TO THE PATH TO THE RESPONSE VERIFICATION CERT -verify="/path/to/CAcert.crt" - -# Depth in the certificate chain where the cert to verify is. -# Set to -1 to run the verification at every level (NOTE that -# in that case you need a more complex script as the various -# parameters for the query will likely be different at each level) -# "0" is the usual value here, where the client certificate is -check_depth=0 - -cur_depth=$1 # this is the *CURRENT* depth -common_name=$2 # CN in case you need it - -# minimal sanity checks - -err=0 -if [ -z "$issuer" ] || [ ! -e "$issuer" ]; then - echo "Error: issuer certificate undefined or not found!" >&2 - err=1 -fi - -if [ -z "$verify" ] || [ ! -e "$verify" ]; then - echo "Error: verification certificate undefined or not found!" >&2 - err=1 -fi - -if [ -z "$ocsp_url" ]; then - echo "Error: OCSP server URL not defined!" >&2 - err=1 -fi - -if [ $err -eq 1 ]; then - echo "Did you forget to customize the variables in the script?" >&2 - exit 1 -fi - -# begin -if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then - - eval serial="\$tls_serial_${cur_depth}" - - # To successfully complete, the following must happen: - # - # - The serial number must not be empty - # - The exit status of "openssl ocsp" must be zero - # - The output of the above command must contain the line - # "0x${serial}: good" - # - # Everything else fails with exit status 1. - - if [ -n "$serial" ]; then - - # This is only an example; you are encouraged to run this command (without - # redirections) manually against your or your CA's OCSP server to see how - # it responds, and adapt accordingly. - # Sample output that is assumed here: - # - # Response verify OK - # 0x428740A5: good - # This Update: Apr 24 19:38:49 2010 GMT - # Next Update: May 2 14:23:42 2010 GMT - # - # NOTE: It is needed to check the exit code of OpenSSL explicitly. OpenSSL - # can in some circumstances give a "good" result if it could not - # reach the the OSCP server. In this case, the exit code will indicate - # if OpenSSL itself failed or not. If OpenSSL's exit code is not 0, - # don't trust the OpenSSL status. - - status=$(openssl ocsp -issuer "$issuer" \ - "$nonce" \ - -CAfile "$verify" \ - -url "$ocsp_url" \ - -serial "0x${serial}" 2>/dev/null) - - if [ $? -eq 0 ]; then - # check that it's good - if echo "$status" | grep -Fq "0x${serial}: good"; then - exit 0 - fi - fi - fi - # if we get here, something was wrong - exit 1 -fi diff --git a/app/openvpn/contrib/README b/app/openvpn/contrib/README deleted file mode 100644 index e1a57d0e..00000000 --- a/app/openvpn/contrib/README +++ /dev/null @@ -1,2 +0,0 @@ -This directory contains scripts and patches contributed -by users. diff --git a/app/openvpn/contrib/openvpn-fwmarkroute-1.00/README b/app/openvpn/contrib/openvpn-fwmarkroute-1.00/README deleted file mode 100644 index 66fe61ad..00000000 --- a/app/openvpn/contrib/openvpn-fwmarkroute-1.00/README +++ /dev/null @@ -1,44 +0,0 @@ -OpenVPN fwmark Routing -Sean Reifschneider, -Thursday November 27, 2003 -========================== - -These scripts can be used with OpenVPN up and down scripts to set up -routing on a Linux system such that the VPN traffic is sent via normal -network connectivity, but other traffic to that network runs over the VPN. -The idea is to allow encryption of data to the network the remote host is -on, without interfering with the VPN traffic. You can't simply add a route -to the remote network, becaues that will cause the VPN traffic to also try -to run over the VPN, and breaks the VPN. - -These scripts use the Linux "fwmark" iptables rules to specify routing -based not only on IP address, but also by port and protocol. This allows -you to effectively say "if the packet is to this IP address on this port -using this protocol, then use the normal default gateway, otherwise use the -VPN gateway. - -This is set up on the client VPN system, not the VPN server. These scripts -also set up all ICMP echo-responses to run across the VPN. You can -comment the lines in the scripts to disable this, but I find this useful -at coffee shops which have networks that block ICMP. - -To configure this, you need to set up these scripts as your up and down -scripts in the config file. You will need to set these values in the -config file: - - up /etc/openvpn/fwmarkroute.up - down /etc/openvpn/fwmarkroute.down - up-restart - up-delay - - setenv remote_netmask_bits 24 - -Note: For this to work, you can't set the "user" or "group" config options, -because then the scripts will not run as root. - -The last setting allows you to control the size of the network the remote -system is on. The remote end has to be set up to route, probably with -masquerading or NAT. The network this netmask relates to is calculated -using the value of "remote" in the conf file. - -Sean diff --git a/app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down b/app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down deleted file mode 100755 index 87d67d4d..00000000 --- a/app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/sh -# -# Bring down vpn routing. - -# calculate the network address -remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"` -remote_network="${remote_network#*=}" - -# clear routing via VPN -ip route del "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out -ip route del table vpnonly.out via "$5" -iptables -D OUTPUT -t mangle -p "$proto" \ - -d "$remote_network"/"$remote_netmask_bits" \ - --dport "$remote_port" -j ACCEPT -iptables -D OUTPUT -t mangle -d "$remote" -j MARK --set-mark 2 - -# undo the ICMP ping tunneling -iptables -D OUTPUT -t mangle --protocol icmp --icmp-type echo-request \ - -j MARK --set-mark 3 - -# flush route cache -ip route flush cache diff --git a/app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up b/app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up deleted file mode 100755 index 661ec313..00000000 --- a/app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up +++ /dev/null @@ -1,49 +0,0 @@ -#!/bin/sh -# -# Bring up vpn routing. - -# calculate the network address -remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"` -remote_network="${remote_network#*=}" - -# add the stuff that doesn't change if it's not already there -grep -q '^202 ' /etc/iproute2/rt_tables -if [ "$?" -ne 0 ] -then - echo 202 vpn.out >> /etc/iproute2/rt_tables -fi -grep -q '^203 ' /etc/iproute2/rt_tables -if [ "$?" -ne 0 ] -then - echo 203 vpnonly.out >> /etc/iproute2/rt_tables -fi -ip rule ls | grep -q 'lookup vpn.out *$' -if [ "$?" -ne 0 ] -then - ip rule add fwmark 2 table vpn.out -fi -ip rule ls | grep -q 'lookup vpnonly.out *$' -if [ "$?" -ne 0 ] -then - ip rule add fwmark 3 table vpnonly.out -fi - -# route VPN traffic using the normal table -iptables -A OUTPUT -t mangle -p "$proto" -d "$remote" --dport "$remote_port" \ - -j ACCEPT - -# route all other traffic to that host via VPN -iptables -A OUTPUT -t mangle -d "$remote_network"/"$remote_netmask_bits" \ - -j MARK --set-mark 2 - -# route all ICMP pings over the VPN -iptables -A OUTPUT -t mangle --protocol icmp --icmp-type echo-request \ - -j MARK --set-mark 3 - -# NAT traffic going over the VPN, so it doesn't have an unknown address -iptables -t nat -A POSTROUTING -o "$1" -j SNAT --to-source "$4" - -# add routing commands -ip route add "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out -ip route add table vpnonly.out via "$5" -ip route flush cache diff --git a/app/openvpn/contrib/pull-resolv-conf/client.down b/app/openvpn/contrib/pull-resolv-conf/client.down deleted file mode 100644 index 05f2d4d5..00000000 --- a/app/openvpn/contrib/pull-resolv-conf/client.down +++ /dev/null @@ -1,47 +0,0 @@ -#!/bin/sh - -# Copyright (c) 2005-2010 OpenVPN Technologies, Inc. -# Licensed under the GPL version 2 - -# First version by Jesse Adelman -# someone at boldandbusted dink com -# http://www.boldandbusted.com/ - -# PURPOSE: This script automatically removes the /etc/resolv.conf entries previously -# set by the companion script "client.up". - -# INSTALL NOTES: -# Place this in /etc/openvpn/client.down -# Then, add the following to your /etc/openvpn/.conf: -# client -# up /etc/openvpn/client.up -# down /etc/openvpn/client.down -# Next, "chmod a+x /etc/openvpn/client.down" - -# USAGE NOTES: -# Note that this script is best served with the companion "client.up" -# script. - -# Tested under Debian lenny with OpenVPN 2.1_rc11 -# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf - -# This runs with the context of the OpenVPN UID/GID -# at the time of execution. This generally means that -# the client "up" script will run fine, but the "down" script -# will require the use of the OpenVPN "down-root" plugin -# which is in the plugins/ directory of the OpenVPN source tree - -# A horrid work around, from a security perspective, -# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have -# been WARNED. -PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin - -if type resolvconf >/dev/null 2>&1; then - resolvconf -d "${1}" -f -elif [ -e /etc/resolv.conf.ovpnsave ] ; then - # cp + rm rather than mv in case it's a symlink - cp /etc/resolv.conf.ovpnsave /etc/resolv.conf - rm -f /etc/resolv.conf.ovpnsave -fi - -exit 0 diff --git a/app/openvpn/contrib/pull-resolv-conf/client.up b/app/openvpn/contrib/pull-resolv-conf/client.up deleted file mode 100644 index b28d4d19..00000000 --- a/app/openvpn/contrib/pull-resolv-conf/client.up +++ /dev/null @@ -1,101 +0,0 @@ -#!/bin/sh - -# Copyright (c) 2005-2010 OpenVPN Technologies, Inc. -# Licensed under the GPL version 2 - -# First version by Jesse Adelman -# someone at boldandbusted dink com -# http://www.boldandbusted.com/ - -# PURPOSE: This script automatically sets the proper /etc/resolv.conf entries -# as pulled down from an OpenVPN server. - -# INSTALL NOTES: -# Place this in /etc/openvpn/client.up -# Then, add the following to your /etc/openvpn/.conf: -# client -# up /etc/openvpn/client.up -# Next, "chmod a+x /etc/openvpn/client.up" - -# USAGE NOTES: -# Note that this script is best served with the companion "client.down" -# script. - -# Tested under Debian lenny with OpenVPN 2.1_rc11 -# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf - -# This runs with the context of the OpenVPN UID/GID -# at the time of execution. This generally means that -# the client "up" script will run fine, but the "down" script -# will require the use of the OpenVPN "down-root" plugin -# which is in the plugins/ directory of the OpenVPN source tree - -# A horrid work around, from a security perspective, -# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have -# been WARNED. -PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin - -# init variables - -i=1 -domains= -fopt= -ndoms=0 -nns=0 -nl=' -' - -# $foreign_option_ is something like -# "dhcp-option DOMAIN example.com" (multiple allowed) -# or -# "dhcp-option DNS 10.10.10.10" (multiple allowed) - -# each DNS option becomes a "nameserver" option in resolv.con -# if we get one DOMAIN, that becomes "domain" in resolv.conf -# if we get multiple DOMAINS, those become "search" lines in resolv.conf - -while true; do - eval fopt=\$foreign_option_${i} - [ -z "${fopt}" ] && break - - case ${fopt} in - dhcp-option\ DOMAIN\ *) - ndoms=$((ndoms + 1)) - domains="${domains} ${fopt#dhcp-option DOMAIN }" - ;; - dhcp-option\ DNS\ *) - nns=$((nns + 1)) - if [ $nns -le 3 ]; then - dns="${dns}${dns:+$nl}nameserver ${fopt#dhcp-option DNS }" - else - printf "%s\n" "Too many nameservers - ignoring after third" >&2 - fi - ;; - *) - printf "%s\n" "Unknown option \"${fopt}\" - ignored" >&2 - ;; - esac - i=$((i + 1)) -done - -ds=domain -if [ $ndoms -gt 1 ]; then - ds=search -fi - -# This is the complete file - "$domains" has a leading space already -out="# resolv.conf autogenerated by ${0} (${1})${nl}${dns}${nl}${ds}${domains}" - -# use resolvconf if it's available -if type resolvconf >/dev/null 2>&1; then - printf "%s\n" "${out}" | resolvconf -p -a "${1}" -else - # Preserve the existing resolv.conf - if [ -e /etc/resolv.conf ] ; then - cp /etc/resolv.conf /etc/resolv.conf.ovpnsave - fi - printf "%s\n" "${out}" > /etc/resolv.conf - chmod 644 /etc/resolv.conf -fi - -exit 0 -- cgit v1.2.3 From 1684c8f398922065a97e7da4dac4ac6a33cc5218 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Parm=C3=A9nides=20GV?= Date: Wed, 9 Apr 2014 16:03:55 +0200 Subject: Back to the standard "app" module. This return to "app" instead of "bitmask_android" is due to this reading: https://developer.android.com/sdk/installing/studio-build.html#projectStructure I'll have to tweak the final apk name in build.gradle. --- app/openvpn/contrib/OCSP_check/OCSP_check.sh | 111 +++++++++++++++++++++ app/openvpn/contrib/README | 2 + .../contrib/openvpn-fwmarkroute-1.00/README | 44 ++++++++ .../openvpn-fwmarkroute-1.00/fwmarkroute.down | 22 ++++ .../openvpn-fwmarkroute-1.00/fwmarkroute.up | 49 +++++++++ app/openvpn/contrib/pull-resolv-conf/client.down | 47 +++++++++ app/openvpn/contrib/pull-resolv-conf/client.up | 101 +++++++++++++++++++ 7 files changed, 376 insertions(+) create mode 100644 app/openvpn/contrib/OCSP_check/OCSP_check.sh create mode 100644 app/openvpn/contrib/README create mode 100644 app/openvpn/contrib/openvpn-fwmarkroute-1.00/README create mode 100755 app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down create mode 100755 app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up create mode 100644 app/openvpn/contrib/pull-resolv-conf/client.down create mode 100644 app/openvpn/contrib/pull-resolv-conf/client.up (limited to 'app/openvpn/contrib') diff --git a/app/openvpn/contrib/OCSP_check/OCSP_check.sh b/app/openvpn/contrib/OCSP_check/OCSP_check.sh new file mode 100644 index 00000000..847be450 --- /dev/null +++ b/app/openvpn/contrib/OCSP_check/OCSP_check.sh @@ -0,0 +1,111 @@ +#!/bin/sh + +# Sample script to perform OCSP queries with OpenSSL +# given a certificate serial number. + +# If you run your own CA, you can set up a very simple +# OCSP server using the -port option to "openssl ocsp". + +# Full documentation and examples: +# http://www.openssl.org/docs/apps/ocsp.html + + +# Edit the following values to suit your needs + +# OCSP responder URL (mandatory) +# YOU MUST UNCOMMENT ONE OF THESE AND SET IT TO A VALID SERVER +#ocsp_url="http://ocsp.example.com/" +#ocsp_url="https://ocsp.secure.example.com/" + +# Path to issuer certificate (mandatory) +# YOU MUST SET THIS TO THE PATH TO THE CA CERTIFICATE +issuer="/path/to/CAcert.crt" + +# use a nonce in the query, set to "-no_nonce" to not use it +nonce="-nonce" + +# Verify the response +# YOU MUST SET THIS TO THE PATH TO THE RESPONSE VERIFICATION CERT +verify="/path/to/CAcert.crt" + +# Depth in the certificate chain where the cert to verify is. +# Set to -1 to run the verification at every level (NOTE that +# in that case you need a more complex script as the various +# parameters for the query will likely be different at each level) +# "0" is the usual value here, where the client certificate is +check_depth=0 + +cur_depth=$1 # this is the *CURRENT* depth +common_name=$2 # CN in case you need it + +# minimal sanity checks + +err=0 +if [ -z "$issuer" ] || [ ! -e "$issuer" ]; then + echo "Error: issuer certificate undefined or not found!" >&2 + err=1 +fi + +if [ -z "$verify" ] || [ ! -e "$verify" ]; then + echo "Error: verification certificate undefined or not found!" >&2 + err=1 +fi + +if [ -z "$ocsp_url" ]; then + echo "Error: OCSP server URL not defined!" >&2 + err=1 +fi + +if [ $err -eq 1 ]; then + echo "Did you forget to customize the variables in the script?" >&2 + exit 1 +fi + +# begin +if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then + + eval serial="\$tls_serial_${cur_depth}" + + # To successfully complete, the following must happen: + # + # - The serial number must not be empty + # - The exit status of "openssl ocsp" must be zero + # - The output of the above command must contain the line + # "0x${serial}: good" + # + # Everything else fails with exit status 1. + + if [ -n "$serial" ]; then + + # This is only an example; you are encouraged to run this command (without + # redirections) manually against your or your CA's OCSP server to see how + # it responds, and adapt accordingly. + # Sample output that is assumed here: + # + # Response verify OK + # 0x428740A5: good + # This Update: Apr 24 19:38:49 2010 GMT + # Next Update: May 2 14:23:42 2010 GMT + # + # NOTE: It is needed to check the exit code of OpenSSL explicitly. OpenSSL + # can in some circumstances give a "good" result if it could not + # reach the the OSCP server. In this case, the exit code will indicate + # if OpenSSL itself failed or not. If OpenSSL's exit code is not 0, + # don't trust the OpenSSL status. + + status=$(openssl ocsp -issuer "$issuer" \ + "$nonce" \ + -CAfile "$verify" \ + -url "$ocsp_url" \ + -serial "0x${serial}" 2>/dev/null) + + if [ $? -eq 0 ]; then + # check that it's good + if echo "$status" | grep -Fq "0x${serial}: good"; then + exit 0 + fi + fi + fi + # if we get here, something was wrong + exit 1 +fi diff --git a/app/openvpn/contrib/README b/app/openvpn/contrib/README new file mode 100644 index 00000000..e1a57d0e --- /dev/null +++ b/app/openvpn/contrib/README @@ -0,0 +1,2 @@ +This directory contains scripts and patches contributed +by users. diff --git a/app/openvpn/contrib/openvpn-fwmarkroute-1.00/README b/app/openvpn/contrib/openvpn-fwmarkroute-1.00/README new file mode 100644 index 00000000..66fe61ad --- /dev/null +++ b/app/openvpn/contrib/openvpn-fwmarkroute-1.00/README @@ -0,0 +1,44 @@ +OpenVPN fwmark Routing +Sean Reifschneider, +Thursday November 27, 2003 +========================== + +These scripts can be used with OpenVPN up and down scripts to set up +routing on a Linux system such that the VPN traffic is sent via normal +network connectivity, but other traffic to that network runs over the VPN. +The idea is to allow encryption of data to the network the remote host is +on, without interfering with the VPN traffic. You can't simply add a route +to the remote network, becaues that will cause the VPN traffic to also try +to run over the VPN, and breaks the VPN. + +These scripts use the Linux "fwmark" iptables rules to specify routing +based not only on IP address, but also by port and protocol. This allows +you to effectively say "if the packet is to this IP address on this port +using this protocol, then use the normal default gateway, otherwise use the +VPN gateway. + +This is set up on the client VPN system, not the VPN server. These scripts +also set up all ICMP echo-responses to run across the VPN. You can +comment the lines in the scripts to disable this, but I find this useful +at coffee shops which have networks that block ICMP. + +To configure this, you need to set up these scripts as your up and down +scripts in the config file. You will need to set these values in the +config file: + + up /etc/openvpn/fwmarkroute.up + down /etc/openvpn/fwmarkroute.down + up-restart + up-delay + + setenv remote_netmask_bits 24 + +Note: For this to work, you can't set the "user" or "group" config options, +because then the scripts will not run as root. + +The last setting allows you to control the size of the network the remote +system is on. The remote end has to be set up to route, probably with +masquerading or NAT. The network this netmask relates to is calculated +using the value of "remote" in the conf file. + +Sean diff --git a/app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down b/app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down new file mode 100755 index 00000000..87d67d4d --- /dev/null +++ b/app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down @@ -0,0 +1,22 @@ +#!/bin/sh +# +# Bring down vpn routing. + +# calculate the network address +remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"` +remote_network="${remote_network#*=}" + +# clear routing via VPN +ip route del "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out +ip route del table vpnonly.out via "$5" +iptables -D OUTPUT -t mangle -p "$proto" \ + -d "$remote_network"/"$remote_netmask_bits" \ + --dport "$remote_port" -j ACCEPT +iptables -D OUTPUT -t mangle -d "$remote" -j MARK --set-mark 2 + +# undo the ICMP ping tunneling +iptables -D OUTPUT -t mangle --protocol icmp --icmp-type echo-request \ + -j MARK --set-mark 3 + +# flush route cache +ip route flush cache diff --git a/app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up b/app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up new file mode 100755 index 00000000..661ec313 --- /dev/null +++ b/app/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up @@ -0,0 +1,49 @@ +#!/bin/sh +# +# Bring up vpn routing. + +# calculate the network address +remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"` +remote_network="${remote_network#*=}" + +# add the stuff that doesn't change if it's not already there +grep -q '^202 ' /etc/iproute2/rt_tables +if [ "$?" -ne 0 ] +then + echo 202 vpn.out >> /etc/iproute2/rt_tables +fi +grep -q '^203 ' /etc/iproute2/rt_tables +if [ "$?" -ne 0 ] +then + echo 203 vpnonly.out >> /etc/iproute2/rt_tables +fi +ip rule ls | grep -q 'lookup vpn.out *$' +if [ "$?" -ne 0 ] +then + ip rule add fwmark 2 table vpn.out +fi +ip rule ls | grep -q 'lookup vpnonly.out *$' +if [ "$?" -ne 0 ] +then + ip rule add fwmark 3 table vpnonly.out +fi + +# route VPN traffic using the normal table +iptables -A OUTPUT -t mangle -p "$proto" -d "$remote" --dport "$remote_port" \ + -j ACCEPT + +# route all other traffic to that host via VPN +iptables -A OUTPUT -t mangle -d "$remote_network"/"$remote_netmask_bits" \ + -j MARK --set-mark 2 + +# route all ICMP pings over the VPN +iptables -A OUTPUT -t mangle --protocol icmp --icmp-type echo-request \ + -j MARK --set-mark 3 + +# NAT traffic going over the VPN, so it doesn't have an unknown address +iptables -t nat -A POSTROUTING -o "$1" -j SNAT --to-source "$4" + +# add routing commands +ip route add "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out +ip route add table vpnonly.out via "$5" +ip route flush cache diff --git a/app/openvpn/contrib/pull-resolv-conf/client.down b/app/openvpn/contrib/pull-resolv-conf/client.down new file mode 100644 index 00000000..05f2d4d5 --- /dev/null +++ b/app/openvpn/contrib/pull-resolv-conf/client.down @@ -0,0 +1,47 @@ +#!/bin/sh + +# Copyright (c) 2005-2010 OpenVPN Technologies, Inc. +# Licensed under the GPL version 2 + +# First version by Jesse Adelman +# someone at boldandbusted dink com +# http://www.boldandbusted.com/ + +# PURPOSE: This script automatically removes the /etc/resolv.conf entries previously +# set by the companion script "client.up". + +# INSTALL NOTES: +# Place this in /etc/openvpn/client.down +# Then, add the following to your /etc/openvpn/.conf: +# client +# up /etc/openvpn/client.up +# down /etc/openvpn/client.down +# Next, "chmod a+x /etc/openvpn/client.down" + +# USAGE NOTES: +# Note that this script is best served with the companion "client.up" +# script. + +# Tested under Debian lenny with OpenVPN 2.1_rc11 +# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf + +# This runs with the context of the OpenVPN UID/GID +# at the time of execution. This generally means that +# the client "up" script will run fine, but the "down" script +# will require the use of the OpenVPN "down-root" plugin +# which is in the plugins/ directory of the OpenVPN source tree + +# A horrid work around, from a security perspective, +# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have +# been WARNED. +PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin + +if type resolvconf >/dev/null 2>&1; then + resolvconf -d "${1}" -f +elif [ -e /etc/resolv.conf.ovpnsave ] ; then + # cp + rm rather than mv in case it's a symlink + cp /etc/resolv.conf.ovpnsave /etc/resolv.conf + rm -f /etc/resolv.conf.ovpnsave +fi + +exit 0 diff --git a/app/openvpn/contrib/pull-resolv-conf/client.up b/app/openvpn/contrib/pull-resolv-conf/client.up new file mode 100644 index 00000000..b28d4d19 --- /dev/null +++ b/app/openvpn/contrib/pull-resolv-conf/client.up @@ -0,0 +1,101 @@ +#!/bin/sh + +# Copyright (c) 2005-2010 OpenVPN Technologies, Inc. +# Licensed under the GPL version 2 + +# First version by Jesse Adelman +# someone at boldandbusted dink com +# http://www.boldandbusted.com/ + +# PURPOSE: This script automatically sets the proper /etc/resolv.conf entries +# as pulled down from an OpenVPN server. + +# INSTALL NOTES: +# Place this in /etc/openvpn/client.up +# Then, add the following to your /etc/openvpn/.conf: +# client +# up /etc/openvpn/client.up +# Next, "chmod a+x /etc/openvpn/client.up" + +# USAGE NOTES: +# Note that this script is best served with the companion "client.down" +# script. + +# Tested under Debian lenny with OpenVPN 2.1_rc11 +# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf + +# This runs with the context of the OpenVPN UID/GID +# at the time of execution. This generally means that +# the client "up" script will run fine, but the "down" script +# will require the use of the OpenVPN "down-root" plugin +# which is in the plugins/ directory of the OpenVPN source tree + +# A horrid work around, from a security perspective, +# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have +# been WARNED. +PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin + +# init variables + +i=1 +domains= +fopt= +ndoms=0 +nns=0 +nl=' +' + +# $foreign_option_ is something like +# "dhcp-option DOMAIN example.com" (multiple allowed) +# or +# "dhcp-option DNS 10.10.10.10" (multiple allowed) + +# each DNS option becomes a "nameserver" option in resolv.con +# if we get one DOMAIN, that becomes "domain" in resolv.conf +# if we get multiple DOMAINS, those become "search" lines in resolv.conf + +while true; do + eval fopt=\$foreign_option_${i} + [ -z "${fopt}" ] && break + + case ${fopt} in + dhcp-option\ DOMAIN\ *) + ndoms=$((ndoms + 1)) + domains="${domains} ${fopt#dhcp-option DOMAIN }" + ;; + dhcp-option\ DNS\ *) + nns=$((nns + 1)) + if [ $nns -le 3 ]; then + dns="${dns}${dns:+$nl}nameserver ${fopt#dhcp-option DNS }" + else + printf "%s\n" "Too many nameservers - ignoring after third" >&2 + fi + ;; + *) + printf "%s\n" "Unknown option \"${fopt}\" - ignored" >&2 + ;; + esac + i=$((i + 1)) +done + +ds=domain +if [ $ndoms -gt 1 ]; then + ds=search +fi + +# This is the complete file - "$domains" has a leading space already +out="# resolv.conf autogenerated by ${0} (${1})${nl}${dns}${nl}${ds}${domains}" + +# use resolvconf if it's available +if type resolvconf >/dev/null 2>&1; then + printf "%s\n" "${out}" | resolvconf -p -a "${1}" +else + # Preserve the existing resolv.conf + if [ -e /etc/resolv.conf ] ; then + cp /etc/resolv.conf /etc/resolv.conf.ovpnsave + fi + printf "%s\n" "${out}" > /etc/resolv.conf + chmod 644 /etc/resolv.conf +fi + +exit 0 -- cgit v1.2.3