From 3e4d8f433239c40311037616b1b8833a06651ae0 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Mon, 16 Apr 2012 19:21:14 +0200 Subject: Initial import --- openvpn/contrib/OCSP_check/OCSP_check.sh | 111 +++++++++++++++++++++ openvpn/contrib/README | 2 + openvpn/contrib/multilevel-init.patch | 79 +++++++++++++++ openvpn/contrib/openvpn-fwmarkroute-1.00/README | 44 ++++++++ .../openvpn-fwmarkroute-1.00/fwmarkroute.down | 22 ++++ .../openvpn-fwmarkroute-1.00/fwmarkroute.up | 49 +++++++++ openvpn/contrib/pull-resolv-conf/client.down | 47 +++++++++ openvpn/contrib/pull-resolv-conf/client.up | 101 +++++++++++++++++++ 8 files changed, 455 insertions(+) create mode 100644 openvpn/contrib/OCSP_check/OCSP_check.sh create mode 100644 openvpn/contrib/README create mode 100644 openvpn/contrib/multilevel-init.patch create mode 100644 openvpn/contrib/openvpn-fwmarkroute-1.00/README create mode 100755 openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down create mode 100755 openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up create mode 100644 openvpn/contrib/pull-resolv-conf/client.down create mode 100644 openvpn/contrib/pull-resolv-conf/client.up (limited to 'openvpn/contrib') diff --git a/openvpn/contrib/OCSP_check/OCSP_check.sh b/openvpn/contrib/OCSP_check/OCSP_check.sh new file mode 100644 index 00000000..847be450 --- /dev/null +++ b/openvpn/contrib/OCSP_check/OCSP_check.sh @@ -0,0 +1,111 @@ +#!/bin/sh + +# Sample script to perform OCSP queries with OpenSSL +# given a certificate serial number. + +# If you run your own CA, you can set up a very simple +# OCSP server using the -port option to "openssl ocsp". + +# Full documentation and examples: +# http://www.openssl.org/docs/apps/ocsp.html + + +# Edit the following values to suit your needs + +# OCSP responder URL (mandatory) +# YOU MUST UNCOMMENT ONE OF THESE AND SET IT TO A VALID SERVER +#ocsp_url="http://ocsp.example.com/" +#ocsp_url="https://ocsp.secure.example.com/" + +# Path to issuer certificate (mandatory) +# YOU MUST SET THIS TO THE PATH TO THE CA CERTIFICATE +issuer="/path/to/CAcert.crt" + +# use a nonce in the query, set to "-no_nonce" to not use it +nonce="-nonce" + +# Verify the response +# YOU MUST SET THIS TO THE PATH TO THE RESPONSE VERIFICATION CERT +verify="/path/to/CAcert.crt" + +# Depth in the certificate chain where the cert to verify is. +# Set to -1 to run the verification at every level (NOTE that +# in that case you need a more complex script as the various +# parameters for the query will likely be different at each level) +# "0" is the usual value here, where the client certificate is +check_depth=0 + +cur_depth=$1 # this is the *CURRENT* depth +common_name=$2 # CN in case you need it + +# minimal sanity checks + +err=0 +if [ -z "$issuer" ] || [ ! -e "$issuer" ]; then + echo "Error: issuer certificate undefined or not found!" >&2 + err=1 +fi + +if [ -z "$verify" ] || [ ! -e "$verify" ]; then + echo "Error: verification certificate undefined or not found!" >&2 + err=1 +fi + +if [ -z "$ocsp_url" ]; then + echo "Error: OCSP server URL not defined!" >&2 + err=1 +fi + +if [ $err -eq 1 ]; then + echo "Did you forget to customize the variables in the script?" >&2 + exit 1 +fi + +# begin +if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then + + eval serial="\$tls_serial_${cur_depth}" + + # To successfully complete, the following must happen: + # + # - The serial number must not be empty + # - The exit status of "openssl ocsp" must be zero + # - The output of the above command must contain the line + # "0x${serial}: good" + # + # Everything else fails with exit status 1. + + if [ -n "$serial" ]; then + + # This is only an example; you are encouraged to run this command (without + # redirections) manually against your or your CA's OCSP server to see how + # it responds, and adapt accordingly. + # Sample output that is assumed here: + # + # Response verify OK + # 0x428740A5: good + # This Update: Apr 24 19:38:49 2010 GMT + # Next Update: May 2 14:23:42 2010 GMT + # + # NOTE: It is needed to check the exit code of OpenSSL explicitly. OpenSSL + # can in some circumstances give a "good" result if it could not + # reach the the OSCP server. In this case, the exit code will indicate + # if OpenSSL itself failed or not. If OpenSSL's exit code is not 0, + # don't trust the OpenSSL status. + + status=$(openssl ocsp -issuer "$issuer" \ + "$nonce" \ + -CAfile "$verify" \ + -url "$ocsp_url" \ + -serial "0x${serial}" 2>/dev/null) + + if [ $? -eq 0 ]; then + # check that it's good + if echo "$status" | grep -Fq "0x${serial}: good"; then + exit 0 + fi + fi + fi + # if we get here, something was wrong + exit 1 +fi diff --git a/openvpn/contrib/README b/openvpn/contrib/README new file mode 100644 index 00000000..e1a57d0e --- /dev/null +++ b/openvpn/contrib/README @@ -0,0 +1,2 @@ +This directory contains scripts and patches contributed +by users. diff --git a/openvpn/contrib/multilevel-init.patch b/openvpn/contrib/multilevel-init.patch new file mode 100644 index 00000000..8d48fbcd --- /dev/null +++ b/openvpn/contrib/multilevel-init.patch @@ -0,0 +1,79 @@ +--- /etc/init.d/openvpn 2004-05-12 20:30:06.000000000 +0200 ++++ openvpn 2004-05-12 20:34:33.000000000 +0200 +@@ -58,13 +58,13 @@ + # returning success or failure status to caller (James Yonan). + + # Location of openvpn binary +-openvpn="/usr/sbin/openvpn" ++openvpn=/usr/sbin/openvpn + + # Lockfile +-lock="/var/lock/subsys/openvpn" ++lock=/var/lock/subsys/openvpn + + # PID directory +-piddir="/var/run/openvpn" ++piddir=/var/run/openvpn + + # Our working directory + work=/etc/openvpn +@@ -106,7 +106,7 @@ + + if [ -f $lock ]; then + # we were not shut down correctly +- for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do ++ for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do + if [ -s $pidf ]; then + kill `cat $pidf` >/dev/null 2>&1 + fi +@@ -116,12 +116,12 @@ + sleep 2 + fi + +- rm -f $piddir/*.pid $piddir/*/*.pid ++ find $piddir -name "*.pid"|xargs rm -f + + # Start every .conf in $work and run .sh if exists + errors=0 + successes=0 +- for c in `/bin/ls *.conf */*.conf 2>/dev/null`; do ++ for c in `find * -name "*.conf" 2>/dev/null`; do + bn=${c%%.conf} + if [ -f "$bn.sh" ]; then + . $bn.sh +@@ -147,7 +147,7 @@ + ;; + stop) + echo -n $"Shutting down openvpn: " +- for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do ++ for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do + if [ -s $pidf ]; then + kill `cat $pidf` >/dev/null 2>&1 + fi +@@ -163,7 +163,7 @@ + ;; + reload) + if [ -f $lock ]; then +- for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do ++ for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do + if [ -s $pidf ]; then + kill -HUP `cat $pidf` >/dev/null 2>&1 + fi +@@ -175,7 +175,7 @@ + ;; + reopen) + if [ -f $lock ]; then +- for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do ++ for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do + if [ -s $pidf ]; then + kill -USR1 `cat $pidf` >/dev/null 2>&1 + fi +@@ -195,7 +195,7 @@ + ;; + status) + if [ -f $lock ]; then +- for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do ++ for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do + if [ -s $pidf ]; then + kill -USR2 `cat $pidf` >/dev/null 2>&1 + fi diff --git a/openvpn/contrib/openvpn-fwmarkroute-1.00/README b/openvpn/contrib/openvpn-fwmarkroute-1.00/README new file mode 100644 index 00000000..66fe61ad --- /dev/null +++ b/openvpn/contrib/openvpn-fwmarkroute-1.00/README @@ -0,0 +1,44 @@ +OpenVPN fwmark Routing +Sean Reifschneider, +Thursday November 27, 2003 +========================== + +These scripts can be used with OpenVPN up and down scripts to set up +routing on a Linux system such that the VPN traffic is sent via normal +network connectivity, but other traffic to that network runs over the VPN. +The idea is to allow encryption of data to the network the remote host is +on, without interfering with the VPN traffic. You can't simply add a route +to the remote network, becaues that will cause the VPN traffic to also try +to run over the VPN, and breaks the VPN. + +These scripts use the Linux "fwmark" iptables rules to specify routing +based not only on IP address, but also by port and protocol. This allows +you to effectively say "if the packet is to this IP address on this port +using this protocol, then use the normal default gateway, otherwise use the +VPN gateway. + +This is set up on the client VPN system, not the VPN server. These scripts +also set up all ICMP echo-responses to run across the VPN. You can +comment the lines in the scripts to disable this, but I find this useful +at coffee shops which have networks that block ICMP. + +To configure this, you need to set up these scripts as your up and down +scripts in the config file. You will need to set these values in the +config file: + + up /etc/openvpn/fwmarkroute.up + down /etc/openvpn/fwmarkroute.down + up-restart + up-delay + + setenv remote_netmask_bits 24 + +Note: For this to work, you can't set the "user" or "group" config options, +because then the scripts will not run as root. + +The last setting allows you to control the size of the network the remote +system is on. The remote end has to be set up to route, probably with +masquerading or NAT. The network this netmask relates to is calculated +using the value of "remote" in the conf file. + +Sean diff --git a/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down b/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down new file mode 100755 index 00000000..87d67d4d --- /dev/null +++ b/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down @@ -0,0 +1,22 @@ +#!/bin/sh +# +# Bring down vpn routing. + +# calculate the network address +remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"` +remote_network="${remote_network#*=}" + +# clear routing via VPN +ip route del "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out +ip route del table vpnonly.out via "$5" +iptables -D OUTPUT -t mangle -p "$proto" \ + -d "$remote_network"/"$remote_netmask_bits" \ + --dport "$remote_port" -j ACCEPT +iptables -D OUTPUT -t mangle -d "$remote" -j MARK --set-mark 2 + +# undo the ICMP ping tunneling +iptables -D OUTPUT -t mangle --protocol icmp --icmp-type echo-request \ + -j MARK --set-mark 3 + +# flush route cache +ip route flush cache diff --git a/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up b/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up new file mode 100755 index 00000000..661ec313 --- /dev/null +++ b/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up @@ -0,0 +1,49 @@ +#!/bin/sh +# +# Bring up vpn routing. + +# calculate the network address +remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"` +remote_network="${remote_network#*=}" + +# add the stuff that doesn't change if it's not already there +grep -q '^202 ' /etc/iproute2/rt_tables +if [ "$?" -ne 0 ] +then + echo 202 vpn.out >> /etc/iproute2/rt_tables +fi +grep -q '^203 ' /etc/iproute2/rt_tables +if [ "$?" -ne 0 ] +then + echo 203 vpnonly.out >> /etc/iproute2/rt_tables +fi +ip rule ls | grep -q 'lookup vpn.out *$' +if [ "$?" -ne 0 ] +then + ip rule add fwmark 2 table vpn.out +fi +ip rule ls | grep -q 'lookup vpnonly.out *$' +if [ "$?" -ne 0 ] +then + ip rule add fwmark 3 table vpnonly.out +fi + +# route VPN traffic using the normal table +iptables -A OUTPUT -t mangle -p "$proto" -d "$remote" --dport "$remote_port" \ + -j ACCEPT + +# route all other traffic to that host via VPN +iptables -A OUTPUT -t mangle -d "$remote_network"/"$remote_netmask_bits" \ + -j MARK --set-mark 2 + +# route all ICMP pings over the VPN +iptables -A OUTPUT -t mangle --protocol icmp --icmp-type echo-request \ + -j MARK --set-mark 3 + +# NAT traffic going over the VPN, so it doesn't have an unknown address +iptables -t nat -A POSTROUTING -o "$1" -j SNAT --to-source "$4" + +# add routing commands +ip route add "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out +ip route add table vpnonly.out via "$5" +ip route flush cache diff --git a/openvpn/contrib/pull-resolv-conf/client.down b/openvpn/contrib/pull-resolv-conf/client.down new file mode 100644 index 00000000..05f2d4d5 --- /dev/null +++ b/openvpn/contrib/pull-resolv-conf/client.down @@ -0,0 +1,47 @@ +#!/bin/sh + +# Copyright (c) 2005-2010 OpenVPN Technologies, Inc. +# Licensed under the GPL version 2 + +# First version by Jesse Adelman +# someone at boldandbusted dink com +# http://www.boldandbusted.com/ + +# PURPOSE: This script automatically removes the /etc/resolv.conf entries previously +# set by the companion script "client.up". + +# INSTALL NOTES: +# Place this in /etc/openvpn/client.down +# Then, add the following to your /etc/openvpn/.conf: +# client +# up /etc/openvpn/client.up +# down /etc/openvpn/client.down +# Next, "chmod a+x /etc/openvpn/client.down" + +# USAGE NOTES: +# Note that this script is best served with the companion "client.up" +# script. + +# Tested under Debian lenny with OpenVPN 2.1_rc11 +# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf + +# This runs with the context of the OpenVPN UID/GID +# at the time of execution. This generally means that +# the client "up" script will run fine, but the "down" script +# will require the use of the OpenVPN "down-root" plugin +# which is in the plugins/ directory of the OpenVPN source tree + +# A horrid work around, from a security perspective, +# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have +# been WARNED. +PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin + +if type resolvconf >/dev/null 2>&1; then + resolvconf -d "${1}" -f +elif [ -e /etc/resolv.conf.ovpnsave ] ; then + # cp + rm rather than mv in case it's a symlink + cp /etc/resolv.conf.ovpnsave /etc/resolv.conf + rm -f /etc/resolv.conf.ovpnsave +fi + +exit 0 diff --git a/openvpn/contrib/pull-resolv-conf/client.up b/openvpn/contrib/pull-resolv-conf/client.up new file mode 100644 index 00000000..b28d4d19 --- /dev/null +++ b/openvpn/contrib/pull-resolv-conf/client.up @@ -0,0 +1,101 @@ +#!/bin/sh + +# Copyright (c) 2005-2010 OpenVPN Technologies, Inc. +# Licensed under the GPL version 2 + +# First version by Jesse Adelman +# someone at boldandbusted dink com +# http://www.boldandbusted.com/ + +# PURPOSE: This script automatically sets the proper /etc/resolv.conf entries +# as pulled down from an OpenVPN server. + +# INSTALL NOTES: +# Place this in /etc/openvpn/client.up +# Then, add the following to your /etc/openvpn/.conf: +# client +# up /etc/openvpn/client.up +# Next, "chmod a+x /etc/openvpn/client.up" + +# USAGE NOTES: +# Note that this script is best served with the companion "client.down" +# script. + +# Tested under Debian lenny with OpenVPN 2.1_rc11 +# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf + +# This runs with the context of the OpenVPN UID/GID +# at the time of execution. This generally means that +# the client "up" script will run fine, but the "down" script +# will require the use of the OpenVPN "down-root" plugin +# which is in the plugins/ directory of the OpenVPN source tree + +# A horrid work around, from a security perspective, +# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have +# been WARNED. +PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin + +# init variables + +i=1 +domains= +fopt= +ndoms=0 +nns=0 +nl=' +' + +# $foreign_option_ is something like +# "dhcp-option DOMAIN example.com" (multiple allowed) +# or +# "dhcp-option DNS 10.10.10.10" (multiple allowed) + +# each DNS option becomes a "nameserver" option in resolv.con +# if we get one DOMAIN, that becomes "domain" in resolv.conf +# if we get multiple DOMAINS, those become "search" lines in resolv.conf + +while true; do + eval fopt=\$foreign_option_${i} + [ -z "${fopt}" ] && break + + case ${fopt} in + dhcp-option\ DOMAIN\ *) + ndoms=$((ndoms + 1)) + domains="${domains} ${fopt#dhcp-option DOMAIN }" + ;; + dhcp-option\ DNS\ *) + nns=$((nns + 1)) + if [ $nns -le 3 ]; then + dns="${dns}${dns:+$nl}nameserver ${fopt#dhcp-option DNS }" + else + printf "%s\n" "Too many nameservers - ignoring after third" >&2 + fi + ;; + *) + printf "%s\n" "Unknown option \"${fopt}\" - ignored" >&2 + ;; + esac + i=$((i + 1)) +done + +ds=domain +if [ $ndoms -gt 1 ]; then + ds=search +fi + +# This is the complete file - "$domains" has a leading space already +out="# resolv.conf autogenerated by ${0} (${1})${nl}${dns}${nl}${ds}${domains}" + +# use resolvconf if it's available +if type resolvconf >/dev/null 2>&1; then + printf "%s\n" "${out}" | resolvconf -p -a "${1}" +else + # Preserve the existing resolv.conf + if [ -e /etc/resolv.conf ] ; then + cp /etc/resolv.conf /etc/resolv.conf.ovpnsave + fi + printf "%s\n" "${out}" > /etc/resolv.conf + chmod 644 /etc/resolv.conf +fi + +exit 0 -- cgit v1.2.3