- ## ====BRAMANTE====
- ## ==Para bandaancha.eu===
- #!/bin/sh
- ## include common function
- . /etc/init.d/vpn_common.sh
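## Paths and identifiers of the OpenVPN server instance managed by this script.
## VPN_CONF is the QNAP settings file read/written with getcfg/setcfg;
## VPN_SERVER_CONF is the OpenVPN server configuration this script regenerates;
## VPN_CRT_FILE/VPN_CA_FILE are the server certificate and CA checked by verify_ca.
VPN_CONF="/etc/config/vpn.conf"
VPN_NAME="OPENVPN"
VPN_PROCESS="/usr/sbin/openvpn"
VPN_ONLINE_LOG="/var/log/openvpn_online_user.log"
VPN_SERVER_CONF="/etc/openvpn/server.conf"
VPN_PROCESS_NAME=$(/usr/bin/basename "${VPN_PROCESS}")
VPN_EASY_RSA="/etc/openvpn/easy-rsa"
VPN_KEY_PATH="/etc/openvpn/keys"
VPN_CRT_FILE="${VPN_KEY_PATH}/myserver.crt"
VPN_CA_FILE="${VPN_KEY_PATH}/ca.crt"
## interface name the server-side address is registered under (see start_daemon)
HOST_TAG_NAME="tun0"
## check tls-cipher upgraded or not: when an existing server.conf lacks the ECDHE
## suite, set "Download Status" to 2 (the meaning of that value is not visible here).
## OPENSSL_VERSION and execute are expected from the sourced vpn_common.sh; the
## version defaults to 0 so an unset value compares as "too old" instead of
## making [ ] print an "integer expression expected" error.
if [ "${OPENSSL_VERSION:-0}" -ge 10001000 ] && [ -f "${VPN_SERVER_CONF}" ]; then
  execute /bin/grep TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 "${VPN_SERVER_CONF}"
  ## -eq rather than ==: this file runs under /bin/sh, where == inside [ ] is not portable
  [ $? -eq 0 ] || execute /sbin/setcfg "${VPN_NAME}" "Download Status" 2 -f "${VPN_CONF}"
fi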
## NOTE(review): this span is the tail of a function whose opening line is not
## in this paste -- the `local` declarations, the `return 0` and the closing `}`
## below show it. start_daemon calls generate_config between verify_ca and
## load_kernel_modules, so presumably this is generate_config. Its inputs
## VPN_PROTO, VPN_IP_POOL, VPN_PORT, VPN_MAXIMUM, VPN_COMPRESS, VPN_ENCRYPTION and
## VPN_PUSH_GATEWAY are not assigned anywhere visible here (presumably read from
## VPN_CONF with getcfg in the missing part -- confirm against the original file).
## normalise the protocol to lower case ("udp"/"tcp") for server.conf
VPN_PROTO=$(/bin/echo "${VPN_PROTO}" | /bin/awk '{print tolower($0)}')
## keep the first three octets: x.y.z.0 is the /24 pool, x.y.z.1 the server side
VPN_IP_POOL=$(/bin/echo -n ${VPN_IP_POOL} | /bin/awk -F. '{printf("%d.%d.%d.0",$1,$2,$3)}')
VPN_LOCAL_IP=$(/bin/echo -n ${VPN_IP_POOL} | /bin/awk -F. '{printf("%d.%d.%d.1",$1,$2,$3)}')
## turn the TRUE/FALSE flag into the server.conf directive (or an empty line)
if [ x${VPN_COMPRESS} = xTRUE ]; then
VPN_COMPRESS="comp-lzo"
else
VPN_COMPRESS=
fi
## DNS pushed to clients: the manually configured server, else the tun0
## address (VPN_LOCAL_IP). Note `==` inside [ ] is not portable /bin/sh.
if [ $(/sbin/getcfg ${VPN_NAME} "Enable Manual DNS" -u -d FALSE -f "${VPN_CONF}") == TRUE ];then
ip_dns_to_client=$(/sbin/getcfg ${VPN_NAME} "Use Manual DNS" -d "0.0.0.0" -f "${VPN_CONF}")
else
ip_dns_to_client=${VPN_LOCAL_IP}
fi
ip_dns_to_client="push \"dhcp-option DNS ${ip_dns_to_client}\""
## route all client traffic through the tunnel when the push-gateway flag is set
if [ x${VPN_PUSH_GATEWAY} = xTRUE ]; then
VPN_PUSH_GATEWAY="push \"redirect-gateway def1\""
else
VPN_PUSH_GATEWAY=
fi
local VPN_CIPHER
local VPN_TLS_CIPHER="TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"
## NOTE(review): the suite prepended here is the one already in the list, so on
## OpenSSL >= 1.0.1 the result is the same suite twice; harmless to OpenVPN but
## probably a second suite was intended -- confirm against the original script.
if [ "${OPENSSL_VERSION}" -ge 10001000 ]; then
VPN_TLS_CIPHER="TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:${VPN_TLS_CIPHER}"
fi
VPN_TLS_CIPHER="tls-cipher ${VPN_TLS_CIPHER}"
## NOTE(review): encryption levels 1 and 2 both select AES-128-GCM; any other
## value emits neither a cipher nor a tls-cipher directive, leaving OpenVPN's own
## defaults to decide -- confirm whether level 2 was meant to differ.
if [ x${VPN_ENCRYPTION} = x1 ]; then
VPN_CIPHER="cipher AES-128-GCM"
elif [ x${VPN_ENCRYPTION} = x2 ]; then
VPN_CIPHER="cipher AES-128-GCM"
else
VPN_CIPHER=
VPN_TLS_CIPHER=
fi
## Write server.conf. Points worth knowing when reviewing the result:
##  - client-cert-not-required + auth-user-pass-verify ... via-env: clients are
##    authenticated by username/password handed to qvpn.sauth through the
##    environment (script-security 3 permits that); no client certificate is
##    checked, so the tls-crypt key ta.key is the only pre-shared element.
##  - duplicate-cn lets several sessions share one common name.
##  - dh1024.pem has to match KEY_SIZE=1024 in verify_ca (build-dh presumably
##    names its output after KEY_SIZE); change the two together.
##  - the trailing ${...} lines may expand to empty lines in the file.
##  - the $( ) around cat is redundant: cat's output goes to the file, so the
##    substitution expands to an empty command and runs as a no-op.
##  - <<- strips leading tabs only; the original indentation is lost in this paste.
$(/bin/cat > "${VPN_SERVER_CONF}" <<-__EOF__
cd /etc/openvpn
dev tun
keepalive 10 60
reneg-sec 0
persist-key
persist-tun
duplicate-cn
script-security 3
client-to-client
#username-as-common-name
client-cert-not-required
auth-user-pass-verify /usr/sbin/qvpn.sauth via-env
fast-io
ca /etc/openvpn/keys/ca.crt
dh /etc/openvpn/keys/dh1024.pem
key /etc/openvpn/keys/myserver.key
cert /etc/openvpn/keys/myserver.crt
tls-crypt /etc/openvpn/keys/ta.key
client-connect /etc/openvpn/connect.sh
client-disconnect /etc/openvpn/disconnect.sh
status /var/log/openvpn-status.log
writepid /var/run/openvpn.server.pid
port ${VPN_PORT}
proto ${VPN_PROTO}4
max-clients ${VPN_MAXIMUM}
server ${VPN_IP_POOL} 255.255.255.0
${ip_dns_to_client}
${VPN_PUSH_GATEWAY}
${VPN_COMPRESS}
${VPN_CIPHER}
${VPN_TLS_CIPHER}
__EOF__
)
## Keep the QNAP service/port-forward entry in sync with port and protocol.
## NOTE(review): with `local X=$(cmd)` $? is the status of `local`, not of
## csvc_cli (bash behaves so; ash presumably the same), so the "not found"
## branch below is likely never taken -- split into `local X; X=$(cmd)`.
local ROUTER_CONF=$(/sbin/csvc_cli -g --name="QVPN (OpenVPN Server)" --type=1)
if [ $? != 0 ]; then
## no entry yet: create a disabled one for the current port and stop here
execute /sbin/csvc_cli -a --name="QVPN (OpenVPN Server)" --enable=0 --type=1 --int-port=${VPN_PORT} --ext-port=${VPN_PORT} --protocol=1 --auto-port=0 -S
return 0
fi
## extract "port proto" (lower-cased) from the csvc_cli listing
local ROUTER_RULE=$(/bin/echo "${ROUTER_CONF}" | /bin/sed -nr "s/.*port=([0-9]+):.*\[(TCP|UDP)\].*/\1 \2/p")
ROUTER_RULE=$(/bin/echo "${ROUTER_RULE}" | /bin/awk '{print tolower($0)}')
## ${ROUTER_RULE/ */} is the port, ${ROUTER_RULE/* /} the protocol (pattern
## substitution is a bash/ash extension, not POSIX sh); update only on mismatch
if [ x"${ROUTER_RULE/ */}" != x"${VPN_PORT}" -o x"${ROUTER_RULE/* /}" != x"${VPN_PROTO}" ]; then
## csvc_cli takes the protocol as a number; this overwrites the global
## VPN_PROTO, which nothing visible reads afterwards
if [ x"${VPN_PROTO}" = xtcp ]; then
VPN_PROTO=0
else
VPN_PROTO=1
fi
## preserve the entry's current enabled/disabled state
local ENABLE_RULE=$(/bin/echo "${ROUTER_CONF}" | /bin/sed -nr "s/^.*\((0|1)\):$/\1/p")
## backgrounded: the function returns without waiting for csvc_cli to finish
execute /sbin/csvc_cli -s --name="QVPN (OpenVPN Server)" --enable=${ENABLE_RULE} --type=1 --int-port=${VPN_PORT} --ext-port=${VPN_PORT} --protocol=${VPN_PROTO} --auto-port=0 &
fi
}
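## Install or remove the NAT routing rule for the OpenVPN client pool.
## Globals:   VPN_CONF (read)
## Arguments: $1 - "SET" installs the rule for the configured interface;
##                 any other value only removes the previously recorded rule
## Note: execute, get_vpn_last_nat, set_vpn_last_nat and the *_nat_routing_rule
##       helpers come from the sourced vpn_common.sh (not visible here).
setup_nat(){
  local VPN_NAT VPN_IP_POOL LAST_NAT
  ## declaration and assignment are split so a failing getcfg is not masked by local
  VPN_NAT=$(/sbin/getcfg OPENVPN "interface" -d "all" -f "${VPN_CONF}")
  VPN_IP_POOL=$(/sbin/getcfg OPENVPN "Client IP 1" -d "10.8.0.2" -f "${VPN_CONF}")
  ## first three octets of "Client IP 1" give the /24 network (x.y.z.0)
  VPN_IP_POOL=$(printf '%s' "${VPN_IP_POOL}" | awk -F. '{printf("%d.%d.%d.0",$1,$2,$3)}')
  ## always drop the rule recorded by the previous run first (the interface may
  ## have changed); quoted so an empty value keeps "tun0" in its argument slot
  LAST_NAT=$(get_vpn_last_nat "OVPN" "${VPN_NAT}")
  execute unset_nat_routing_rule "${VPN_IP_POOL}" 24 "${LAST_NAT}" "tun0"
  if [ "x$1" = xSET ]; then
    execute set_nat_routing_rule "${VPN_IP_POOL}" 24 "${VPN_NAT}" "tun0"
    set_vpn_last_nat "OVPN" "${VPN_NAT}"
  fi
}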
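## Check the server certificate against the CA and its validity window; when
## the check fails, set "Download Status" to 3 and rebuild the whole PKI with
## easy-rsa (clean-all, DH parameters, CA, server certificate).
## Globals: VPN_CRT_FILE, VPN_CA_FILE, VPN_EASY_RSA, VPN_KEY_PATH, VPN_CONF,
##          VPN_NAME (read); exports the easy-rsa KEY_* / PKCS11_* variables.
## Returns: 0 when the existing certificate verifies and is within its dates,
##          otherwise the status of the last pkitool call.
verify_ca(){
  local DATE_NOW CRT_DATE_START CRT_DATE_END
  DATE_NOW=$(/bin/date +%s)
  ## validity bounds as epoch seconds; empty when openssl cannot read the file
  CRT_DATE_START=$(/bin/date --date="$(/usr/bin/openssl x509 -in "${VPN_CRT_FILE}" -noout -startdate 2>/dev/null | /bin/cut -d= -f 2)" +%s)
  CRT_DATE_END=$(/bin/date --date="$(/usr/bin/openssl x509 -in "${VPN_CRT_FILE}" -noout -enddate 2>/dev/null | /bin/cut -d= -f 2)" +%s)
  execute /usr/bin/openssl verify -CAfile "${VPN_CA_FILE}" "${VPN_CRT_FILE}"
  ## an unreadable date (empty string) counts as invalid and triggers a rebuild,
  ## instead of making [ ] print an "integer expression expected" error
  if [ $? -eq 0 ] && [ -n "${CRT_DATE_START}" ] && [ -n "${CRT_DATE_END}" ] \
     && [ "${DATE_NOW}" -ge "${CRT_DATE_START}" ] && [ "${DATE_NOW}" -le "${CRT_DATE_END}" ]; then
    return 0
  fi
  execute /sbin/setcfg -f "${VPN_CONF}" "${VPN_NAME}" "Download Status" 3
  ## notify ca is expired, then regenerate everything with easy-rsa
  export EASY_RSA="${VPN_EASY_RSA}"
  export OPENSSL="/usr/bin/openssl"
  export PKCS11TOOL="pkcs11-tool"
  export GREP="/bin/grep"
  KEY_CONFIG=$("${VPN_EASY_RSA}/whichopensslcnf" "${VPN_EASY_RSA}")
  export KEY_CONFIG
  export KEY_DIR="${VPN_KEY_PATH}"
  ## KEY_SIZE=1024 is weak by current standards, but the generated server.conf
  ## references dh1024.pem (build-dh presumably names its output after
  ## KEY_SIZE), so this must be changed together with that line.
  export KEY_SIZE=1024
  export CA_EXPIRE=3650
  export KEY_EXPIRE=3650
  export KEY_COUNTRY="TW"
  export KEY_PROVINCE="Taiwan"
  export KEY_CITY="Taipei"
  export KEY_ORG="QNAP Systems Inc."
  export KEY_EMAIL="[email protected]"
  export KEY_CN="TS Series NAS"
  export KEY_NAME="NAS"
  export KEY_OU="NAS"
  ## placeholder PKCS#11 settings easy-rsa expects to be set; the earlier
  ## "dummy" exports of the same two names were overridden here and are dropped
  export PKCS11_MODULE_PATH=changeme
  export PKCS11_PIN=1234
  execute "${VPN_EASY_RSA}/clean-all"
  execute "${VPN_EASY_RSA}/build-dh"
  execute "${VPN_EASY_RSA}/pkitool" --initca
  execute "${VPN_EASY_RSA}/pkitool" --server myserver
}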
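## Start the OpenVPN server: refuse when the QPKG or the service is disabled,
## (re)validate the PKI, write server.conf, load kernel modules, launch the
## daemon via daemon_mgr, install NAT and register the tun0 address for DNS/NAT.
## Globals: QPKG_CONF, QPKG_NAME, VPN_CONF, VPN_NAME, VPN_PROCESS,
##          VPN_PROCESS_NAME, VPN_SERVER_CONF, VPN_LOCAL_IP, HOST_TAG_NAME (read)
## Note: assert, execute, load_kernel_modules and notify_cloud come from the
##       sourced vpn_common.sh; generate_config's opening line is not in this paste.
start_daemon(){
  local QPKG_ENABLE VPN_ENABLE i ip_server
  QPKG_ENABLE=$(/sbin/getcfg -f "${QPKG_CONF}" "${QPKG_NAME}" Enable -u -d FALSE)
  ## '=' rather than '==': this file runs under /bin/sh
  [ "x${QPKG_ENABLE}" = xTRUE ] || assert "${QPKG_NAME} is disabled."
  VPN_ENABLE=$(/sbin/getcfg -f "${VPN_CONF}" "${VPN_NAME}" "Enable" -u -d FALSE)
  [ "x${VPN_ENABLE}" = xTRUE ] || assert "${VPN_NAME} is disabled."
  echo "Starting ${VPN_NAME} services:"
  ## verify_ca's stdout (openssl / easy-rsa output) is sent to stderr
  verify_ca >&2
  generate_config
  load_kernel_modules
  execute /sbin/daemon_mgr "${VPN_PROCESS_NAME}" start "${VPN_PROCESS} --config ${VPN_SERVER_CONF} --daemon ovpn-server"
  setup_nat SET
  notify_cloud OPENVPN start
  # wait creating tun device: poll up to 6 times, one second apart, for tun0
  # (a POSIX while loop replaces the bash-only for (( )) form)
  i=0
  while [ "$i" -lt 6 ]; do
    if [ -d /sys/class/net/tun0 ]; then
      ## derive the server-side address x.y.z.1 from the
      ## "server x.y.z.0 255.255.255.0" line written into server.conf
      ip_server=$(grep "server " "${VPN_SERVER_CONF}")
      ip_server=${ip_server% *}
      ip_server=${ip_server%.*}.1
      ip_server=${ip_server#* }
      ## TODO (original note: "todo failed"): a failing add_dns_service is not handled
      execute /usr/local/sbin/qsh NetworkService.external_dev.add_dns_service "ip=${ip_server}"
      break
    fi
    sleep 1
    i=$((i + 1))
  done
  execute /usr/local/sbin/qsh NetworkService.firewall.nat.AddHosts "ip=${VPN_LOCAL_IP}" "ifname=${HOST_TAG_NAME}"
}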
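## Stop the OpenVPN server: kick every connected client, stop the daemon via
## daemon_mgr and SIGKILL anything left, remove the NAT rule and the online-user
## log, and unregister the tun0 address from DNS/NAT.
## Globals: VPN_NAME, VPN_OVPN_TYPE, VPN_PROCESS, VPN_PROCESS_NAME,
##          VPN_ONLINE_LOG, VPN_SERVER_CONF, HOST_TAG_NAME (read)
## Note: kick_all_connection, execute and notify_cloud come from the sourced
##       vpn_common.sh (not visible here).
stop_daemon(){
  local ip_server
  echo "Shutting down ${VPN_NAME} services:"
  ## VPN_OVPN_TYPE is not assigned anywhere visible; left unquoted on purpose
  ## so an unset value passes no argument, as the original did
  kick_all_connection ${VPN_OVPN_TYPE}
  execute /sbin/daemon_mgr "${VPN_PROCESS_NAME}" stop "${VPN_PROCESS}"
  ## VPN_PROCESS_NAME already is basename of VPN_PROCESS; no second basename call
  execute /usr/bin/killall -KILL "${VPN_PROCESS_NAME}"
  setup_nat UNSET
  if [ -f "${VPN_ONLINE_LOG}" ]; then
    rm -f "${VPN_ONLINE_LOG}"
  fi
  notify_cloud OPENVPN stop
  ## same derivation of the server-side address x.y.z.1 as in start_daemon
  ip_server=$(grep "server " "${VPN_SERVER_CONF}")
  ip_server=${ip_server% *}
  ip_server=${ip_server%.*}.1
  ip_server=${ip_server#* }
  execute /usr/local/sbin/qsh NetworkService.external_dev.del_dns_service "ip=${ip_server}"
  execute /usr/local/sbin/qsh NetworkService.firewall.nat.DelHosts "ifname=${HOST_TAG_NAME}"
}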
## Reload: only re-applies the NAT rule (re-reads the interface setting from
## VPN_CONF through setup_nat); the daemon itself is left running.
reload_daemon(){
  setup_nat "SET"
}
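## Entry point: dispatch on the init action given as $1.
case "$1" in
  start)
    start_daemon
    ;;
  stop)
    stop_daemon
    ;;
  restart)
    stop_daemon
    start_daemon
    ;;
  init)
    ## accepted but intentionally a no-op
    ;;
  reload)
    reload_daemon
    ;;
  *)
    ## usage is a diagnostic, so it goes to stderr; "init" is listed because
    ## it is an accepted action above
    printf 'Usage: %s {start|stop|restart|init|reload}\n' "$0" >&2
    exit 1
    ;;
esac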