OVPN server running on Qnap NAS

  1. ## ====BRAMANTE====
  2. ## ==Para bandaancha.eu===
  3.  
  4. #!/bin/sh
  5.  
  6. ## include common function
  7. . /etc/init.d/vpn_common.sh
  8.  
  9. VPN_CONF="/etc/config/vpn.conf"
  10. VPN_NAME="OPENVPN"
  11. VPN_PROCESS="/usr/sbin/openvpn"
  12. VPN_ONLINE_LOG="/var/log/openvpn_online_user.log"
  13. VPN_SERVER_CONF="/etc/openvpn/server.conf"
  14. VPN_PROCESS_NAME=$(/usr/bin/basename "${VPN_PROCESS}")
  15. VPN_EASY_RSA="/etc/openvpn/easy-rsa"
  16. VPN_KEY_PATH="/etc/openvpn/keys"
  17. VPN_CRT_FILE="${VPN_KEY_PATH}/myserver.crt"
  18. VPN_CA_FILE="${VPN_KEY_PATH}/ca.crt"
  19. HOST_TAG_NAME="tun0"
  20.    
  21.     ## check tls-cipher upgraded or not
  22.     if [ "${OPENSSL_VERSION}" -ge 10001000 ] && [ -f "${VPN_SERVER_CONF}" ]; then
  23.         execute /bin/grep TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 "${VPN_SERVER_CONF}"
  24.         [ $? == 0 ] || execute /sbin/setcfg ${VPN_NAME} "Download Status" 2 -f "${VPN_CONF}"
  25.     fi
  26.    
  27.     VPN_PROTO=$(/bin/echo "${VPN_PROTO}" | /bin/awk '{print tolower($0)}')
  28.     VPN_IP_POOL=$(/bin/echo -n ${VPN_IP_POOL} | /bin/awk -F. '{printf("%d.%d.%d.0",$1,$2,$3)}')
  29.     VPN_LOCAL_IP=$(/bin/echo -n ${VPN_IP_POOL} | /bin/awk -F. '{printf("%d.%d.%d.1",$1,$2,$3)}')
  30.    
  31.     if [ x${VPN_COMPRESS} = xTRUE ]; then
  32.         VPN_COMPRESS="comp-lzo"
  33.     else
  34.         VPN_COMPRESS=
  35.     fi
  36.    
  37.     if [ $(/sbin/getcfg ${VPN_NAME} "Enable Manual DNS" -u -d FALSE -f "${VPN_CONF}") == TRUE ];then
  38.         ip_dns_to_client=$(/sbin/getcfg ${VPN_NAME} "Use Manual DNS" -d "0.0.0.0" -f "${VPN_CONF}")
  39.     else
  40.         ip_dns_to_client=${VPN_LOCAL_IP}
  41.     fi
  42.     ip_dns_to_client="push \"dhcp-option DNS ${ip_dns_to_client}\""
  43.    
  44.     if [ x${VPN_PUSH_GATEWAY} = xTRUE ]; then
  45.         VPN_PUSH_GATEWAY="push \"redirect-gateway def1\""
  46.     else
  47.         VPN_PUSH_GATEWAY=
  48.     fi
  49.    
  50.     local VPN_CIPHER
  51.     local VPN_TLS_CIPHER="TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"
  52.     if [ "${OPENSSL_VERSION}" -ge 10001000 ]; then
  53.         VPN_TLS_CIPHER="TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:${VPN_TLS_CIPHER}"
  54.     fi
  55.     VPN_TLS_CIPHER="tls-cipher ${VPN_TLS_CIPHER}"
  56.     if [ x${VPN_ENCRYPTION} = x1 ]; then
  57.         VPN_CIPHER="cipher AES-128-GCM"
  58.     elif [ x${VPN_ENCRYPTION} = x2 ]; then
  59.         VPN_CIPHER="cipher AES-128-GCM"
  60.     else
  61.         VPN_CIPHER=
  62.         VPN_TLS_CIPHER=
  63.     fi
  64.  
  65.     $(/bin/cat > "${VPN_SERVER_CONF}" <<-__EOF__
  66.         cd /etc/openvpn
  67.         dev tun
  68.         keepalive 10 60
  69.         reneg-sec 0
  70.         persist-key
  71.         persist-tun
  72.         duplicate-cn
  73.         script-security 3
  74.         client-to-client
  75.         #username-as-common-name
  76.         client-cert-not-required
  77.         auth-user-pass-verify /usr/sbin/qvpn.sauth via-env
  78.         fast-io
  79.        
  80.         ca /etc/openvpn/keys/ca.crt
  81.         dh /etc/openvpn/keys/dh1024.pem
  82.         key /etc/openvpn/keys/myserver.key
  83.         cert /etc/openvpn/keys/myserver.crt
  84.         tls-crypt /etc/openvpn/keys/ta.key
  85.        
  86.         client-connect /etc/openvpn/connect.sh
  87.         client-disconnect /etc/openvpn/disconnect.sh
  88.        
  89.         status /var/log/openvpn-status.log
  90.         writepid /var/run/openvpn.server.pid
  91.        
  92.         port ${VPN_PORT}
  93.         proto ${VPN_PROTO}4
  94.         max-clients ${VPN_MAXIMUM}
  95.         server ${VPN_IP_POOL} 255.255.255.0
  96.        
  97.         ${ip_dns_to_client}
  98.         ${VPN_PUSH_GATEWAY}
  99.         ${VPN_COMPRESS}
  100.         ${VPN_CIPHER}
  101.         ${VPN_TLS_CIPHER}
  102.         __EOF__
  103.     )
  104.    
  105.     local ROUTER_CONF=$(/sbin/csvc_cli -g --name="QVPN (OpenVPN Server)" --type=1)
  106.     if [ $? != 0 ]; then
  107.         execute /sbin/csvc_cli -a --name="QVPN (OpenVPN Server)" --enable=0 --type=1 --int-port=${VPN_PORT} --ext-port=${VPN_PORT} --protocol=1 --auto-port=0 -S
  108.         return 0
  109.     fi
  110.    
  111.     local ROUTER_RULE=$(/bin/echo "${ROUTER_CONF}" | /bin/sed -nr "s/.*port=([0-9]+):.*\[(TCP|UDP)\].*/\1 \2/p")
  112.     ROUTER_RULE=$(/bin/echo "${ROUTER_RULE}" | /bin/awk '{print tolower($0)}')
  113.     if [ x"${ROUTER_RULE/ */}" != x"${VPN_PORT}" -o x"${ROUTER_RULE/* /}" != x"${VPN_PROTO}" ]; then
  114.         if [ x"${VPN_PROTO}" = xtcp ]; then
  115.             VPN_PROTO=0
  116.         else
  117.             VPN_PROTO=1
  118.         fi
  119.         local ENABLE_RULE=$(/bin/echo "${ROUTER_CONF}" | /bin/sed -nr "s/^.*\((0|1)\):$/\1/p")
  120.         execute /sbin/csvc_cli -s --name="QVPN (OpenVPN Server)" --enable=${ENABLE_RULE} --type=1 --int-port=${VPN_PORT} --ext-port=${VPN_PORT} --protocol=${VPN_PROTO} --auto-port=0 &
  121.     fi
  122. }
  123.  
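#######################################
# Clear the previously recorded OpenVPN NAT rule and, when called with SET,
# install a fresh one for the interface configured in VPN_CONF.
# Globals:   VPN_CONF (read)
# Arguments: $1 - "SET" to (re)install the rule; any other value only clears it
# Outputs:   whatever execute / the NAT helpers print
# Returns:   status of the last command executed
#######################################
setup_nat(){
    local vpn_nat vpn_ip_pool
    vpn_nat=$(/sbin/getcfg OPENVPN "interface" -d "all" -f "${VPN_CONF}")
    vpn_ip_pool=$(/sbin/getcfg OPENVPN "Client IP 1" -d "10.8.0.2" -f "${VPN_CONF}")
    # Reduce the first client address to its /24 network address (a.b.c.0).
    # printf instead of 'echo -n': echo -n is not portable across /bin/sh.
    vpn_ip_pool=$(printf '%s' "${vpn_ip_pool}" | awk -F. '{printf("%d.%d.%d.0",$1,$2,$3)}')

    # Always remove the rule for the interface recorded last time, so an
    # interface change does not leave a stale rule behind.
    # shellcheck disable=SC2046 — intentionally unquoted: when get_vpn_last_nat
    # prints nothing the argument must be dropped, as in the original call.
    execute unset_nat_routing_rule "${vpn_ip_pool}" 24 $(get_vpn_last_nat "OVPN" "${vpn_nat}") "tun0"

    if [ "$1" = "SET" ]; then
        execute set_nat_routing_rule "${vpn_ip_pool}" 24 "${vpn_nat}" "tun0"
        set_vpn_last_nat "OVPN" "${vpn_nat}"
    fi
}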
  135.  
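#######################################
# Check that the server certificate chains to the local CA and that "now"
# lies inside its validity window. If not, flag "Download Status" 3 in
# VPN_CONF and rebuild the whole easy-rsa PKI (CA, DH params, server cert).
# Globals:   VPN_CRT_FILE, VPN_CA_FILE, VPN_CONF, VPN_NAME, VPN_EASY_RSA,
#            VPN_KEY_PATH (read); easy-rsa KEY_*/PKCS11_* variables (exported)
# Arguments: none
# Outputs:   openssl / easy-rsa output on stdout and stderr
# Returns:   0 when the certificate is valid, otherwise the status of the
#            last easy-rsa step
#######################################
verify_ca(){
    local date_now crt_start crt_end
    date_now=$(/bin/date +%s)
    # openssl prints "notBefore=<date>" / "notAfter=<date>"; keep the date part.
    crt_start=$(/bin/date --date="$(/usr/bin/openssl x509 -in "${VPN_CRT_FILE}" -noout -startdate 2>/dev/null | /bin/cut -d= -f 2)" +%s)
    crt_end=$(/bin/date --date="$(/usr/bin/openssl x509 -in "${VPN_CRT_FILE}" -noout -enddate 2>/dev/null | /bin/cut -d= -f 2)" +%s)

    # An unparsable certificate leaves the dates empty; treat that as invalid
    # instead of handing an empty operand to '-ge' / '-le'.
    if execute /usr/bin/openssl verify -CAfile "${VPN_CA_FILE}" "${VPN_CRT_FILE}" \
        && [ -n "${crt_start}" ] && [ -n "${crt_end}" ] \
        && [ "${date_now}" -ge "${crt_start}" ] && [ "${date_now}" -le "${crt_end}" ]; then
        return 0
    fi

    execute /sbin/setcfg -f "${VPN_CONF}" "${VPN_NAME}" "Download Status" 3

    ## notify ca is expired: rebuild the PKI with the easy-rsa 2.x environment.
    export EASY_RSA="${VPN_EASY_RSA}"
    export OPENSSL="/usr/bin/openssl"
    export PKCS11TOOL="pkcs11-tool"
    export GREP="/bin/grep"
    KEY_CONFIG=$("${VPN_EASY_RSA}/whichopensslcnf" "${VPN_EASY_RSA}")
    export KEY_CONFIG
    export KEY_DIR="${VPN_KEY_PATH}"
    # NOTE(review): 1024-bit keys/DH parameters are below current guidance.
    # The generated server.conf points at keys/dh1024.pem, so raising KEY_SIZE
    # presumably also requires updating that path — verify before changing.
    export KEY_SIZE=1024
    export CA_EXPIRE=3650
    export KEY_EXPIRE=3650
    export KEY_COUNTRY="TW"
    export KEY_PROVINCE="Taiwan"
    export KEY_CITY="Taipei"
    export KEY_ORG="QNAP Systems Inc."
    export KEY_EMAIL="admin@qnap.com"
    export KEY_CN="TS Series NAS"
    export KEY_NAME="NAS"
    export KEY_OU="NAS"
    # These were assigned twice ("dummy" first); only the last values ever took
    # effect, so the dead assignments are dropped. Placeholder values, since no
    # PKCS#11 token appears to be used here — confirm.
    export PKCS11_MODULE_PATH=changeme
    export PKCS11_PIN=1234

    # clean-all presumably empties KEY_DIR, so any previously issued
    # certificates stop working once the new CA is built.
    execute "${VPN_EASY_RSA}/clean-all"
    execute "${VPN_EASY_RSA}/build-dh"
    execute "${VPN_EASY_RSA}/pkitool" --initca
    execute "${VPN_EASY_RSA}/pkitool" --server myserver
}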
  177.  
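#######################################
# Start the OpenVPN server: verify the PKI, (re)generate server.conf, load
# kernel modules, launch openvpn via daemon_mgr, apply NAT and register the
# tunnel address as DNS service / firewall host.
# Globals:   QPKG_CONF, QPKG_NAME, VPN_CONF, VPN_NAME, VPN_PROCESS,
#            VPN_PROCESS_NAME, VPN_SERVER_CONF, HOST_TAG_NAME (read);
#            VPN_LOCAL_IP (read; set by the config generator)
# Arguments: none
# Outputs:   progress message on stdout
# Returns:   status of the last execute call; presumably does not return when
#            the package or the VPN is disabled (assert)
#######################################
start_daemon(){
    local qpkg_enable vpn_enable ip_server i
    qpkg_enable=$(/sbin/getcfg -f "${QPKG_CONF}" "${QPKG_NAME}" Enable -u -d FALSE)
    [ "${qpkg_enable}" = "TRUE" ] || assert "${QPKG_NAME} is disabled."

    vpn_enable=$(/sbin/getcfg -f "${VPN_CONF}" "${VPN_NAME}" "Enable" -u -d FALSE)
    [ "${vpn_enable}" = "TRUE" ] || assert "${VPN_NAME} is disabled."

    echo "Starting ${VPN_NAME} services:"

    # verify_ca's stdout (openssl / easy-rsa chatter) is sent to stderr so it
    # does not mix with the init output.
    >&2 verify_ca
    generate_config
    load_kernel_modules

    execute /sbin/daemon_mgr "${VPN_PROCESS_NAME}" start "${VPN_PROCESS} --config ${VPN_SERVER_CONF} --daemon ovpn-server"

    setup_nat SET
    notify_cloud OPENVPN start

    # Wait up to ~6 s for openvpn to create tun0, then register the server-side
    # tunnel address (a.b.c.1 derived from the "server a.b.c.0 mask" line).
    for ((i = 0; i < 6; i++)); do
        if [ -d /sys/class/net/tun0 ]; then
            ip_server=$(grep "server " "${VPN_SERVER_CONF}")
            ip_server=${ip_server% *}        # drop the netmask
            ip_server=${ip_server%.*}.1      # a.b.c.0 -> a.b.c.1
            ip_server=${ip_server#* }        # drop the "server " keyword
            # TODO: a failing add_dns_service is not handled here
            execute /usr/local/sbin/qsh NetworkService.external_dev.add_dns_service "ip=${ip_server}"
            break
        fi
        sleep 1
    done
    execute /usr/local/sbin/qsh NetworkService.firewall.nat.AddHosts "ip=${VPN_LOCAL_IP}" "ifname=${HOST_TAG_NAME}"
}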
  214.  
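#######################################
# Stop the OpenVPN server: kick connected clients, stop openvpn via
# daemon_mgr (hard-killing leftovers), clear the NAT rule and the online-user
# log, and unregister the tunnel DNS service / firewall host.
# Globals:   VPN_NAME, VPN_OVPN_TYPE, VPN_PROCESS, VPN_PROCESS_NAME,
#            VPN_ONLINE_LOG, VPN_SERVER_CONF, HOST_TAG_NAME (read)
# Arguments: none
# Outputs:   progress message on stdout
# Returns:   status of the last execute call
#######################################
stop_daemon(){
    local ip_server
    echo "Shutting down ${VPN_NAME} services:"

    # VPN_OVPN_TYPE is not defined in this file (expected from vpn_common.sh);
    # left unquoted so an unset value drops the argument, as before.
    # shellcheck disable=SC2086
    kick_all_connection ${VPN_OVPN_TYPE}
    execute /sbin/daemon_mgr "${VPN_PROCESS_NAME}" stop "${VPN_PROCESS}"

    # Hard-kill anything daemon_mgr left behind (same name as basename of VPN_PROCESS).
    execute /usr/bin/killall -KILL "${VPN_PROCESS_NAME}"

    setup_nat UNSET

    if [ -f "${VPN_ONLINE_LOG}" ]; then
        rm -f -- "${VPN_ONLINE_LOG}"
    fi
    notify_cloud OPENVPN stop

    # Derive the server tunnel address (a.b.c.1) from the "server" line the
    # same way start_daemon does, then remove the matching registrations.
    ip_server=$(grep "server " "${VPN_SERVER_CONF}")
    ip_server=${ip_server% *}        # drop the netmask
    ip_server=${ip_server%.*}.1      # a.b.c.0 -> a.b.c.1
    ip_server=${ip_server#* }        # drop the "server " keyword
    execute /usr/local/sbin/qsh NetworkService.external_dev.del_dns_service "ip=${ip_server}"
    execute /usr/local/sbin/qsh NetworkService.firewall.nat.DelHosts "ifname=${HOST_TAG_NAME}"
}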
  237.  
#######################################
# Re-apply the NAT routing rule only; openvpn is not restarted and
# server.conf is not regenerated.
# Arguments: none
#######################################
reload_daemon() { setup_nat SET; }
  241.  
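## Entry point: dispatch on the init action. "init" is accepted as a no-op
## and is deliberately not advertised in the usage text.
case "$1" in
    start)
        start_daemon
        ;;
    stop)
        stop_daemon
        ;;
    restart)
        stop_daemon
        start_daemon
        ;;
    init)
        ;;
    reload)
        reload_daemon
        ;;
    *)
        # Usage belongs on stderr so it is not mistaken for normal output.
        echo "Usage: $0 {start|stop|restart|reload}" >&2
        exit 1
        ;;
esac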