mirror of
https://github.com/Ysurac/openmptcprouter-feeds.git
synced 2025-03-09 15:40:03 +00:00
Add OpenVPN with MPTCP upstream support
This commit is contained in:
parent
04e1c1cd1b
commit
363f07142f
19 changed files with 2026 additions and 0 deletions
54
openvpn/Config-mbedtls.in
Normal file
54
openvpn/Config-mbedtls.in
Normal file
|
@ -0,0 +1,54 @@
|
||||||
|
if PACKAGE_openvpn-mbedtls
|
||||||
|
|
||||||
|
config OPENVPN_mbedtls_ENABLE_LZO
|
||||||
|
bool "Enable LZO compression support"
|
||||||
|
default n
|
||||||
|
|
||||||
|
config OPENVPN_mbedtls_ENABLE_LZ4
|
||||||
|
bool "Enable LZ4 compression support"
|
||||||
|
default y
|
||||||
|
|
||||||
|
#config OPENVPN_mbedtls_ENABLE_EUREPHIA
|
||||||
|
# bool "Enable support for the eurephia plug-in"
|
||||||
|
# default n
|
||||||
|
|
||||||
|
config OPENVPN_mbedtls_ENABLE_MANAGEMENT
|
||||||
|
bool "Enable management server support"
|
||||||
|
default n
|
||||||
|
|
||||||
|
#config OPENVPN_mbedtls_ENABLE_PKCS11
|
||||||
|
# bool "Enable pkcs11 support"
|
||||||
|
# default n
|
||||||
|
|
||||||
|
config OPENVPN_mbedtls_ENABLE_FRAGMENT
|
||||||
|
bool "Enable internal fragmentation support (--fragment)"
|
||||||
|
default y
|
||||||
|
|
||||||
|
config OPENVPN_mbedtls_ENABLE_MULTIHOME
|
||||||
|
bool "Enable multi-homed UDP server support (--multihome)"
|
||||||
|
default y
|
||||||
|
|
||||||
|
config OPENVPN_mbedtls_ENABLE_PORT_SHARE
|
||||||
|
bool "Enable TCP server port-share support (--port-share)"
|
||||||
|
default y
|
||||||
|
|
||||||
|
config OPENVPN_mbedtls_ENABLE_DEF_AUTH
|
||||||
|
bool "Enable deferred authentication"
|
||||||
|
default y
|
||||||
|
|
||||||
|
config OPENVPN_mbedtls_ENABLE_PF
|
||||||
|
bool "Enable internal packet filter"
|
||||||
|
default y
|
||||||
|
|
||||||
|
config OPENVPN_mbedtls_ENABLE_IPROUTE2
|
||||||
|
bool "Enable support for iproute2"
|
||||||
|
default n
|
||||||
|
|
||||||
|
config OPENVPN_mbedtls_ENABLE_SMALL
|
||||||
|
bool "Enable size optimization"
|
||||||
|
default y
|
||||||
|
help
|
||||||
|
enable smaller executable size (disable OCC, usage
|
||||||
|
message, and verb 4 parm list)
|
||||||
|
|
||||||
|
endif
|
58
openvpn/Config-openssl.in
Normal file
58
openvpn/Config-openssl.in
Normal file
|
@ -0,0 +1,58 @@
|
||||||
|
if PACKAGE_openvpn-openssl
|
||||||
|
|
||||||
|
config OPENVPN_openssl_ENABLE_LZO
|
||||||
|
bool "Enable LZO compression support"
|
||||||
|
default y
|
||||||
|
|
||||||
|
config OPENVPN_openssl_ENABLE_LZ4
|
||||||
|
bool "Enable LZ4 compression support"
|
||||||
|
default y
|
||||||
|
|
||||||
|
config OPENVPN_openssl_ENABLE_X509_ALT_USERNAME
|
||||||
|
bool "Enable the --x509-username-field feature"
|
||||||
|
default n
|
||||||
|
|
||||||
|
#config OPENVPN_openssl_ENABLE_EUREPHIA
|
||||||
|
# bool "Enable support for the eurephia plug-in"
|
||||||
|
# default n
|
||||||
|
|
||||||
|
config OPENVPN_openssl_ENABLE_MANAGEMENT
|
||||||
|
bool "Enable management server support"
|
||||||
|
default n
|
||||||
|
|
||||||
|
#config OPENVPN_openssl_ENABLE_PKCS11
|
||||||
|
# bool "Enable pkcs11 support"
|
||||||
|
# default n
|
||||||
|
|
||||||
|
config OPENVPN_openssl_ENABLE_FRAGMENT
|
||||||
|
bool "Enable internal fragmentation support (--fragment)"
|
||||||
|
default y
|
||||||
|
|
||||||
|
config OPENVPN_openssl_ENABLE_MULTIHOME
|
||||||
|
bool "Enable multi-homed UDP server support (--multihome)"
|
||||||
|
default y
|
||||||
|
|
||||||
|
config OPENVPN_openssl_ENABLE_PORT_SHARE
|
||||||
|
bool "Enable TCP server port-share support (--port-share)"
|
||||||
|
default y
|
||||||
|
|
||||||
|
config OPENVPN_openssl_ENABLE_DEF_AUTH
|
||||||
|
bool "Enable deferred authentication"
|
||||||
|
default y
|
||||||
|
|
||||||
|
config OPENVPN_openssl_ENABLE_PF
|
||||||
|
bool "Enable internal packet filter"
|
||||||
|
default y
|
||||||
|
|
||||||
|
config OPENVPN_openssl_ENABLE_IPROUTE2
|
||||||
|
bool "Enable support for iproute2"
|
||||||
|
default n
|
||||||
|
|
||||||
|
config OPENVPN_openssl_ENABLE_SMALL
|
||||||
|
bool "Enable size optimization"
|
||||||
|
default y
|
||||||
|
help
|
||||||
|
enable smaller executable size (disable OCC, usage
|
||||||
|
message, and verb 4 parm list)
|
||||||
|
|
||||||
|
endif
|
63
openvpn/Config-wolfssl.in
Normal file
63
openvpn/Config-wolfssl.in
Normal file
|
@ -0,0 +1,63 @@
|
||||||
|
if PACKAGE_openvpn-wolfssl
|
||||||
|
|
||||||
|
config OPENVPN_wolfssl
|
||||||
|
bool
|
||||||
|
default y
|
||||||
|
select WOLFSSL_HAS_OPENVPN
|
||||||
|
|
||||||
|
config OPENVPN_wolfssl_ENABLE_LZO
|
||||||
|
bool "Enable LZO compression support"
|
||||||
|
default n
|
||||||
|
|
||||||
|
config OPENVPN_wolfssl_ENABLE_LZ4
|
||||||
|
bool "Enable LZ4 compression support"
|
||||||
|
default y
|
||||||
|
|
||||||
|
config OPENVPN_wolfssl_ENABLE_X509_ALT_USERNAME
|
||||||
|
bool "Enable the --x509-username-field feature"
|
||||||
|
default n
|
||||||
|
|
||||||
|
#config OPENVPN_wolfssl_ENABLE_EUREPHIA
|
||||||
|
# bool "Enable support for the eurephia plug-in"
|
||||||
|
# default n
|
||||||
|
|
||||||
|
config OPENVPN_wolfssl_ENABLE_MANAGEMENT
|
||||||
|
bool "Enable management server support"
|
||||||
|
default n
|
||||||
|
|
||||||
|
#config OPENVPN_wolfssl_ENABLE_PKCS11
|
||||||
|
# bool "Enable pkcs11 support"
|
||||||
|
# default n
|
||||||
|
|
||||||
|
config OPENVPN_wolfssl_ENABLE_FRAGMENT
|
||||||
|
bool "Enable internal fragmentation support (--fragment)"
|
||||||
|
default y
|
||||||
|
|
||||||
|
config OPENVPN_wolfssl_ENABLE_MULTIHOME
|
||||||
|
bool "Enable multi-homed UDP server support (--multihome)"
|
||||||
|
default y
|
||||||
|
|
||||||
|
config OPENVPN_wolfssl_ENABLE_PORT_SHARE
|
||||||
|
bool "Enable TCP server port-share support (--port-share)"
|
||||||
|
default y
|
||||||
|
|
||||||
|
config OPENVPN_wolfssl_ENABLE_DEF_AUTH
|
||||||
|
bool "Enable deferred authentication"
|
||||||
|
default y
|
||||||
|
|
||||||
|
config OPENVPN_wolfssl_ENABLE_PF
|
||||||
|
bool "Enable internal packet filter"
|
||||||
|
default y
|
||||||
|
|
||||||
|
config OPENVPN_wolfssl_ENABLE_IPROUTE2
|
||||||
|
bool "Enable support for iproute2"
|
||||||
|
default n
|
||||||
|
|
||||||
|
config OPENVPN_wolfssl_ENABLE_SMALL
|
||||||
|
bool "Enable size optimization"
|
||||||
|
default y
|
||||||
|
help
|
||||||
|
enable smaller executable size (disable OCC, usage
|
||||||
|
message, and verb 4 parm list)
|
||||||
|
|
||||||
|
endif
|
149
openvpn/Makefile
Normal file
149
openvpn/Makefile
Normal file
|
@ -0,0 +1,149 @@
|
||||||
|
#
|
||||||
|
# Copyright (C) 2010-2015 OpenWrt.org
|
||||||
|
#
|
||||||
|
# This is free software, licensed under the GNU General Public License v2.
|
||||||
|
# See /LICENSE for more information.
|
||||||
|
#
|
||||||
|
|
||||||
|
include $(TOPDIR)/rules.mk
|
||||||
|
|
||||||
|
PKG_NAME:=openvpn
|
||||||
|
|
||||||
|
PKG_VERSION:=2.5.8
|
||||||
|
PKG_RELEASE:=3
|
||||||
|
|
||||||
|
PKG_SOURCE_URL:=\
|
||||||
|
https://build.openvpn.net/downloads/releases/ \
|
||||||
|
https://swupdate.openvpn.net/community/releases/
|
||||||
|
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
|
||||||
|
PKG_HASH:=2bbd0026469902037ee6499b68283d5ab36c74e36cae3112082cfdf6c77a0c57
|
||||||
|
|
||||||
|
PKG_MAINTAINER:=Magnus Kroken <mkroken@gmail.com>
|
||||||
|
|
||||||
|
PKG_INSTALL:=1
|
||||||
|
PKG_FIXUP:=autoreconf
|
||||||
|
PKG_BUILD_PARALLEL:=1
|
||||||
|
PKG_BUILD_FLAGS:=gc-sections
|
||||||
|
PKG_LICENSE:=GPL-2.0
|
||||||
|
PKG_CPE_ID:=cpe:/a:openvpn:openvpn
|
||||||
|
|
||||||
|
include $(INCLUDE_DIR)/package.mk
|
||||||
|
|
||||||
|
define Package/openvpn/Default
|
||||||
|
TITLE:=Open source VPN solution using $(2)
|
||||||
|
SECTION:=net
|
||||||
|
CATEGORY:=Network
|
||||||
|
URL:=http://openvpn.net
|
||||||
|
SUBMENU:=VPN
|
||||||
|
MENU:=1
|
||||||
|
DEPENDS:=+kmod-tun +OPENVPN_$(1)_ENABLE_LZO:liblzo +OPENVPN_$(1)_ENABLE_IPROUTE2:ip $(3)
|
||||||
|
VARIANT:=$(1)
|
||||||
|
PROVIDES:=openvpn openvpn-crypto
|
||||||
|
endef
|
||||||
|
|
||||||
|
Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl)
|
||||||
|
Package/openvpn-mbedtls=$(call Package/openvpn/Default,mbedtls,mbedTLS,+PACKAGE_openvpn-mbedtls:libmbedtls)
|
||||||
|
Package/openvpn-wolfssl=$(call Package/openvpn/Default,wolfssl,WolfSSL \(experimental\),+PACKAGE_openvpn-wolfssl:libwolfssl)
|
||||||
|
|
||||||
|
define Package/openvpn/config/Default
|
||||||
|
source "$(SOURCE)/Config-$(1).in"
|
||||||
|
endef
|
||||||
|
|
||||||
|
Package/openvpn-openssl/config=$(call Package/openvpn/config/Default,openssl)
|
||||||
|
Package/openvpn-mbedtls/config=$(call Package/openvpn/config/Default,mbedtls)
|
||||||
|
Package/openvpn-wolfssl/config=$(call Package/openvpn/config/Default,wolfssl)
|
||||||
|
|
||||||
|
ifeq ($(BUILD_VARIANT),mbedtls)
|
||||||
|
CONFIG_OPENVPN_MBEDTLS:=y
|
||||||
|
endif
|
||||||
|
ifeq ($(BUILD_VARIANT),openssl)
|
||||||
|
CONFIG_OPENVPN_OPENSSL:=y
|
||||||
|
endif
|
||||||
|
ifeq ($(BUILD_VARIANT),wolfssl)
|
||||||
|
CONFIG_OPENVPN_WOLFSSL:=y
|
||||||
|
endif
|
||||||
|
|
||||||
|
CONFIGURE_VARS += \
|
||||||
|
IPROUTE=/sbin/ip \
|
||||||
|
NETSTAT=/sbin/netstat
|
||||||
|
|
||||||
|
define Build/Configure
|
||||||
|
$(call Build/Configure/Default, \
|
||||||
|
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SMALL),--enable-small) \
|
||||||
|
--disable-selinux \
|
||||||
|
--disable-systemd \
|
||||||
|
--disable-plugins \
|
||||||
|
--disable-debug \
|
||||||
|
--disable-pkcs11 \
|
||||||
|
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZO),--enable,--disable)-lzo \
|
||||||
|
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZ4),--enable,--disable)-lz4 \
|
||||||
|
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),--enable,--disable)-x509-alt-username \
|
||||||
|
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MANAGEMENT),--enable,--disable)-management \
|
||||||
|
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_FRAGMENT),--enable,--disable)-fragment \
|
||||||
|
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MULTIHOME),--enable,--disable)-multihome \
|
||||||
|
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_IPROUTE2),--enable,--disable)-iproute2 \
|
||||||
|
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_DEF_AUTH),--enable,--disable)-def-auth \
|
||||||
|
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PF),--enable,--disable)-pf \
|
||||||
|
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PORT_SHARE),--enable,--disable)-port-share \
|
||||||
|
$(if $(CONFIG_OPENVPN_OPENSSL),--with-crypto-library=openssl --with-openssl-engine=no) \
|
||||||
|
$(if $(CONFIG_OPENVPN_MBEDTLS),--with-crypto-library=mbedtls) \
|
||||||
|
$(if $(CONFIG_OPENVPN_WOLFSSL),--with-crypto-library=wolfssl) \
|
||||||
|
)
|
||||||
|
endef
|
||||||
|
|
||||||
|
define Package/openvpn-$(BUILD_VARIANT)/conffiles
|
||||||
|
/etc/config/openvpn
|
||||||
|
/etc/openvpn.user
|
||||||
|
endef
|
||||||
|
|
||||||
|
define Package/openvpn-$(BUILD_VARIANT)/install
|
||||||
|
$(INSTALL_DIR) \
|
||||||
|
$(1)/usr/sbin \
|
||||||
|
$(1)/usr/share/openvpn \
|
||||||
|
$(1)/etc/init.d \
|
||||||
|
$(1)/etc/config \
|
||||||
|
$(1)/etc/openvpn \
|
||||||
|
$(1)/lib/functions \
|
||||||
|
$(1)/lib/upgrade/keep.d \
|
||||||
|
$(1)/usr/libexec \
|
||||||
|
$(1)/etc/hotplug.d/openvpn
|
||||||
|
|
||||||
|
$(INSTALL_BIN) \
|
||||||
|
$(PKG_INSTALL_DIR)/usr/sbin/openvpn \
|
||||||
|
$(1)/usr/sbin/
|
||||||
|
|
||||||
|
$(INSTALL_BIN) \
|
||||||
|
files/openvpn.init \
|
||||||
|
$(1)/etc/init.d/openvpn
|
||||||
|
|
||||||
|
$(INSTALL_BIN) \
|
||||||
|
files/usr/libexec/openvpn-hotplug \
|
||||||
|
$(1)/usr/libexec/openvpn-hotplug
|
||||||
|
|
||||||
|
$(INSTALL_DATA) \
|
||||||
|
files/lib/functions/openvpn.sh \
|
||||||
|
$(1)/lib/functions/openvpn.sh
|
||||||
|
|
||||||
|
$(INSTALL_DATA) \
|
||||||
|
files/etc/hotplug.d/openvpn/01-user \
|
||||||
|
$(1)/etc/hotplug.d/openvpn/01-user
|
||||||
|
|
||||||
|
$(INSTALL_DATA) \
|
||||||
|
files/etc/openvpn.user \
|
||||||
|
$(1)/etc/openvpn.user
|
||||||
|
|
||||||
|
$(INSTALL_DATA) \
|
||||||
|
files/openvpn.options \
|
||||||
|
$(1)/usr/share/openvpn/openvpn.options
|
||||||
|
|
||||||
|
$(INSTALL_CONF) files/openvpn.config \
|
||||||
|
$(1)/etc/config/openvpn
|
||||||
|
|
||||||
|
$(INSTALL_DATA) \
|
||||||
|
files/openvpn.upgrade \
|
||||||
|
$(1)/lib/upgrade/keep.d/openvpn
|
||||||
|
endef
|
||||||
|
|
||||||
|
$(eval $(call BuildPackage,openvpn-openssl))
|
||||||
|
$(eval $(call BuildPackage,openvpn-mbedtls))
|
||||||
|
$(eval $(call BuildPackage,openvpn-wolfssl))
|
22
openvpn/files/etc/hotplug.d/openvpn/01-user
Normal file
22
openvpn/files/etc/hotplug.d/openvpn/01-user
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
[ -e "/etc/openvpn.user" ] && {
|
||||||
|
env -i ACTION="$ACTION" INSTANCE="$INSTANCE" \
|
||||||
|
/bin/sh \
|
||||||
|
/etc/openvpn.user \
|
||||||
|
$*
|
||||||
|
}
|
||||||
|
|
||||||
|
# Wrap user defined scripts on up/down events
|
||||||
|
case "$ACTION" in
|
||||||
|
up) command=$user_up ;;
|
||||||
|
down) command=$user_down ;;
|
||||||
|
*) command= ;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
if [ -n "$command" ]; then
|
||||||
|
shift
|
||||||
|
exec /bin/sh -c "$command $*"
|
||||||
|
fi
|
||||||
|
|
||||||
|
exit 0
|
11
openvpn/files/etc/openvpn.user
Normal file
11
openvpn/files/etc/openvpn.user
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
#!/bin/sh
|
||||||
|
#
|
||||||
|
# This file is interpreted as shell script.
|
||||||
|
# Put your custom openvpn action here, they will
|
||||||
|
# be executed with each opevnp event.
|
||||||
|
#
|
||||||
|
# $ACTION
|
||||||
|
# <down> down action is generated after the TUN/TAP device is closed
|
||||||
|
# <up> up action is generated after the TUN/TAP device is opened
|
||||||
|
# $INSTANCE Name of the openvpn instance which went up or down
|
||||||
|
|
16
openvpn/files/lib/functions/openvpn.sh
Normal file
16
openvpn/files/lib/functions/openvpn.sh
Normal file
|
@ -0,0 +1,16 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
get_openvpn_option() {
|
||||||
|
local config="$1"
|
||||||
|
local variable="$2"
|
||||||
|
local option="$3"
|
||||||
|
|
||||||
|
local value="$(sed -rne 's/^[ \t]*'"$option"'[ \t]+'"'([^']+)'"'[ \t]*$/\1/p' "$config" | tail -n1)"
|
||||||
|
[ -n "$value" ] || value="$(sed -rne 's/^[ \t]*'"$option"'[ \t]+"(([^"\\]|\\.)+)"[ \t]*$/\1/p' "$config" | tail -n1 | sed -re 's/\\(.)/\1/g')"
|
||||||
|
[ -n "$value" ] || value="$(sed -rne 's/^[ \t]*'"$option"'[ \t]+(([^ \t\\]|\\.)+)[ \t]*$/\1/p' "$config" | tail -n1 | sed -re 's/\\(.)/\1/g')"
|
||||||
|
[ -n "$value" ] || return 1
|
||||||
|
|
||||||
|
export -n "$variable=$value"
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
506
openvpn/files/openvpn.config
Normal file
506
openvpn/files/openvpn.config
Normal file
|
@ -0,0 +1,506 @@
|
||||||
|
package openvpn
|
||||||
|
|
||||||
|
#################################################
|
||||||
|
# Sample to include a custom config file. #
|
||||||
|
#################################################
|
||||||
|
|
||||||
|
config openvpn custom_config
|
||||||
|
|
||||||
|
# Set to 1 to enable this instance:
|
||||||
|
option enabled 0
|
||||||
|
|
||||||
|
# Credentials to login
|
||||||
|
#option username 'login'
|
||||||
|
#option password 'password'
|
||||||
|
|
||||||
|
# Password for client certificate
|
||||||
|
#option cert_password 'cert_password'
|
||||||
|
|
||||||
|
# Include OpenVPN configuration
|
||||||
|
option config /etc/openvpn/my-vpn.conf
|
||||||
|
|
||||||
|
|
||||||
|
#################################################
|
||||||
|
# Sample OpenVPN 2.0 uci config for #
|
||||||
|
# multi-client server. #
|
||||||
|
#################################################
|
||||||
|
|
||||||
|
config openvpn sample_server
|
||||||
|
|
||||||
|
# Set to 1 to enable this instance:
|
||||||
|
option enabled 0
|
||||||
|
|
||||||
|
# Which local IP address should OpenVPN
|
||||||
|
# listen on? (optional)
|
||||||
|
# option local 0.0.0.0
|
||||||
|
|
||||||
|
# Which TCP/UDP port should OpenVPN listen on?
|
||||||
|
# If you want to run multiple OpenVPN instances
|
||||||
|
# on the same machine, use a different port
|
||||||
|
# number for each one. You will need to
|
||||||
|
# open up this port on your firewall.
|
||||||
|
option port 1194
|
||||||
|
|
||||||
|
# TCP or UDP server?
|
||||||
|
# option proto tcp
|
||||||
|
option proto udp
|
||||||
|
|
||||||
|
# "dev tun" will create a routed IP tunnel,
|
||||||
|
# "dev tap" will create an ethernet tunnel.
|
||||||
|
# Use "dev tap0" if you are ethernet bridging
|
||||||
|
# and have precreated a tap0 virtual interface
|
||||||
|
# and bridged it with your ethernet interface.
|
||||||
|
# If you want to control access policies
|
||||||
|
# over the VPN, you must create firewall
|
||||||
|
# rules for the the TUN/TAP interface.
|
||||||
|
# On non-Windows systems, you can give
|
||||||
|
# an explicit unit number, such as tun0.
|
||||||
|
# On Windows, use "dev-node" for this.
|
||||||
|
# On most systems, the VPN will not function
|
||||||
|
# unless you partially or fully disable
|
||||||
|
# the firewall for the TUN/TAP interface.
|
||||||
|
# option dev tap
|
||||||
|
option dev tun
|
||||||
|
|
||||||
|
# SSL/TLS root certificate (ca), certificate
|
||||||
|
# (cert), and private key (key). Each client
|
||||||
|
# and the server must have their own cert and
|
||||||
|
# key file. The server and all clients will
|
||||||
|
# use the same ca file.
|
||||||
|
#
|
||||||
|
# See the "easy-rsa" directory for a series
|
||||||
|
# of scripts for generating RSA certificates
|
||||||
|
# and private keys. Remember to use
|
||||||
|
# a unique Common Name for the server
|
||||||
|
# and each of the client certificates.
|
||||||
|
#
|
||||||
|
# Any X509 key management system can be used.
|
||||||
|
# OpenVPN can also use a PKCS #12 formatted key file
|
||||||
|
# (see "pkcs12" directive in man page).
|
||||||
|
option ca /etc/openvpn/ca.crt
|
||||||
|
option cert /etc/openvpn/server.crt
|
||||||
|
# This file should be kept secret:
|
||||||
|
option key /etc/openvpn/server.key
|
||||||
|
|
||||||
|
# Diffie hellman parameters.
|
||||||
|
# Generate your own with:
|
||||||
|
# openssl dhparam -out dh2048.pem 2048
|
||||||
|
# Substitute 2048 for 1024 if you are using
|
||||||
|
# 1024 bit keys.
|
||||||
|
option dh /etc/openvpn/dh2048.pem
|
||||||
|
|
||||||
|
# Configure server mode and supply a VPN subnet
|
||||||
|
# for OpenVPN to draw client addresses from.
|
||||||
|
# The server will take 10.8.0.1 for itself,
|
||||||
|
# the rest will be made available to clients.
|
||||||
|
# Each client will be able to reach the server
|
||||||
|
# on 10.8.0.1. Comment this line out if you are
|
||||||
|
# ethernet bridging. See the man page for more info.
|
||||||
|
option server "10.8.0.0 255.255.255.0"
|
||||||
|
|
||||||
|
# Maintain a record of client <-> virtual IP address
|
||||||
|
# associations in this file. If OpenVPN goes down or
|
||||||
|
# is restarted, reconnecting clients can be assigned
|
||||||
|
# the same virtual IP address from the pool that was
|
||||||
|
# previously assigned.
|
||||||
|
option ifconfig_pool_persist /tmp/ipp.txt
|
||||||
|
|
||||||
|
# Configure server mode for ethernet bridging.
|
||||||
|
# You must first use your OS's bridging capability
|
||||||
|
# to bridge the TAP interface with the ethernet
|
||||||
|
# NIC interface. Then you must manually set the
|
||||||
|
# IP/netmask on the bridge interface, here we
|
||||||
|
# assume 10.8.0.4/255.255.255.0. Finally we
|
||||||
|
# must set aside an IP range in this subnet
|
||||||
|
# (start=10.8.0.50 end=10.8.0.100) to allocate
|
||||||
|
# to connecting clients. Leave this line commented
|
||||||
|
# out unless you are ethernet bridging.
|
||||||
|
# option server_bridge "10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100"
|
||||||
|
|
||||||
|
# Push routes to the client to allow it
|
||||||
|
# to reach other private subnets behind
|
||||||
|
# the server. Remember that these
|
||||||
|
# private subnets will also need
|
||||||
|
# to know to route the OpenVPN client
|
||||||
|
# address pool (10.8.0.0/255.255.255.0)
|
||||||
|
# back to the OpenVPN server.
|
||||||
|
# list push "route 192.168.10.0 255.255.255.0"
|
||||||
|
# list push "route 192.168.20.0 255.255.255.0"
|
||||||
|
|
||||||
|
# To assign specific IP addresses to specific
|
||||||
|
# clients or if a connecting client has a private
|
||||||
|
# subnet behind it that should also have VPN access,
|
||||||
|
# use the subdirectory "ccd" for client-specific
|
||||||
|
# configuration files (see man page for more info).
|
||||||
|
|
||||||
|
# EXAMPLE: Suppose the client
|
||||||
|
# having the certificate common name "Thelonious"
|
||||||
|
# also has a small subnet behind his connecting
|
||||||
|
# machine, such as 192.168.40.128/255.255.255.248.
|
||||||
|
# First, uncomment out these lines:
|
||||||
|
# option client_config_dir /etc/openvpn/ccd
|
||||||
|
# list route "192.168.40.128 255.255.255.248"
|
||||||
|
# Then create a file ccd/Thelonious with this line:
|
||||||
|
# iroute 192.168.40.128 255.255.255.248
|
||||||
|
# This will allow Thelonious' private subnet to
|
||||||
|
# access the VPN. This example will only work
|
||||||
|
# if you are routing, not bridging, i.e. you are
|
||||||
|
# using "dev tun" and "server" directives.
|
||||||
|
|
||||||
|
# EXAMPLE: Suppose you want to give
|
||||||
|
# Thelonious a fixed VPN IP address of 10.9.0.1.
|
||||||
|
# First uncomment out these lines:
|
||||||
|
# option client_config_dir /etc/openvpn/ccd
|
||||||
|
# list route "10.9.0.0 255.255.255.252"
|
||||||
|
# list route "192.168.100.0 255.255.255.0"
|
||||||
|
# Then add this line to ccd/Thelonious:
|
||||||
|
# ifconfig-push "10.9.0.1 10.9.0.2"
|
||||||
|
|
||||||
|
# Suppose that you want to enable different
|
||||||
|
# firewall access policies for different groups
|
||||||
|
# of clients. There are two methods:
|
||||||
|
# (1) Run multiple OpenVPN daemons, one for each
|
||||||
|
# group, and firewall the TUN/TAP interface
|
||||||
|
# for each group/daemon appropriately.
|
||||||
|
# (2) (Advanced) Create a script to dynamically
|
||||||
|
# modify the firewall in response to access
|
||||||
|
# from different clients. See man
|
||||||
|
# page for more info on learn-address script.
|
||||||
|
# option learn_address /etc/openvpn/script
|
||||||
|
|
||||||
|
# If enabled, this directive will configure
|
||||||
|
# all clients to redirect their default
|
||||||
|
# network gateway through the VPN, causing
|
||||||
|
# all IP traffic such as web browsing and
|
||||||
|
# and DNS lookups to go through the VPN
|
||||||
|
# (The OpenVPN server machine may need to NAT
|
||||||
|
# the TUN/TAP interface to the internet in
|
||||||
|
# order for this to work properly).
|
||||||
|
# CAVEAT: May break client's network config if
|
||||||
|
# client's local DHCP server packets get routed
|
||||||
|
# through the tunnel. Solution: make sure
|
||||||
|
# client's local DHCP server is reachable via
|
||||||
|
# a more specific route than the default route
|
||||||
|
# of 0.0.0.0/0.0.0.0.
|
||||||
|
# list push "redirect-gateway"
|
||||||
|
|
||||||
|
# Certain Windows-specific network settings
|
||||||
|
# can be pushed to clients, such as DNS
|
||||||
|
# or WINS server addresses. CAVEAT:
|
||||||
|
# http://openvpn.net/faq.html#dhcpcaveats
|
||||||
|
# list push "dhcp-option DNS 10.8.0.1"
|
||||||
|
# list push "dhcp-option WINS 10.8.0.1"
|
||||||
|
|
||||||
|
# Uncomment this directive to allow different
|
||||||
|
# clients to be able to "see" each other.
|
||||||
|
# By default, clients will only see the server.
|
||||||
|
# To force clients to only see the server, you
|
||||||
|
# will also need to appropriately firewall the
|
||||||
|
# server's TUN/TAP interface.
|
||||||
|
# option client_to_client 1
|
||||||
|
|
||||||
|
# Uncomment this directive if multiple clients
|
||||||
|
# might connect with the same certificate/key
|
||||||
|
# files or common names. This is recommended
|
||||||
|
# only for testing purposes. For production use,
|
||||||
|
# each client should have its own certificate/key
|
||||||
|
# pair.
|
||||||
|
#
|
||||||
|
# IF YOU HAVE NOT GENERATED INDIVIDUAL
|
||||||
|
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
|
||||||
|
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
|
||||||
|
# UNCOMMENT THIS LINE OUT.
|
||||||
|
# option duplicate_cn 1
|
||||||
|
|
||||||
|
# The keepalive directive causes ping-like
|
||||||
|
# messages to be sent back and forth over
|
||||||
|
# the link so that each side knows when
|
||||||
|
# the other side has gone down.
|
||||||
|
# Ping every 10 seconds, assume that remote
|
||||||
|
# peer is down if no ping received during
|
||||||
|
# a 120 second time period.
|
||||||
|
option keepalive "10 120"
|
||||||
|
|
||||||
|
# For extra security beyond that provided
|
||||||
|
# by SSL/TLS, create an "HMAC firewall"
|
||||||
|
# to help block DoS attacks and UDP port flooding.
|
||||||
|
#
|
||||||
|
# Generate with:
|
||||||
|
# openvpn --genkey --secret ta.key
|
||||||
|
#
|
||||||
|
# The server and each client must have
|
||||||
|
# a copy of this key.
|
||||||
|
# The second parameter should be '0'
|
||||||
|
# on the server and '1' on the clients.
|
||||||
|
# This file is secret:
|
||||||
|
# option tls_auth "/etc/openvpn/ta.key 0"
|
||||||
|
|
||||||
|
# For additional privacy, a shared secret key
|
||||||
|
# can be used for both authentication (as in tls_auth)
|
||||||
|
# and encryption of the TLS control channel.
|
||||||
|
#
|
||||||
|
# Generate a shared secret with:
|
||||||
|
# openvpn --genkey --secret ta.key
|
||||||
|
#
|
||||||
|
# The server and each client must have
|
||||||
|
# a copy of this key.
|
||||||
|
#
|
||||||
|
# tls_auth and tls_crypt should NOT
|
||||||
|
# be combined, as tls_crypt implies tls_auth.
|
||||||
|
# Use EITHER tls_crypt, tls_auth, or neither option.
|
||||||
|
# option tls_crypt "/etc/openvpn/ta.key"
|
||||||
|
|
||||||
|
# Set the minimum required TLS protocol version
|
||||||
|
# for all connections.
|
||||||
|
#
|
||||||
|
# Require at least TLS 1.1
|
||||||
|
# option tls_version_min "1.1"
|
||||||
|
# Require at least TLS 1.2
|
||||||
|
# option tls_version_min "1.2"
|
||||||
|
# Require TLS 1.2, or the highest version supported
|
||||||
|
# on the system
|
||||||
|
# option tls_version_min "1.2 'or-highest'"
|
||||||
|
|
||||||
|
# List the preferred ciphers to use for the data channel.
|
||||||
|
# Run openvpn --show-ciphers to see all supported ciphers.
|
||||||
|
# list data_ciphers 'AES-256-GCM'
|
||||||
|
# list data_ciphers 'AES-128-GCM'
|
||||||
|
# list data_ciphers 'CHACHA20-POLY1305'
|
||||||
|
|
||||||
|
# Set a fallback cipher in order to be compatible with
|
||||||
|
# peers that do not support cipher negotiation.
|
||||||
|
#
|
||||||
|
# Use AES-256-CBC as fallback
|
||||||
|
# option data_ciphers_fallback 'AES-128-CBC'
|
||||||
|
# Use AES-128-CBC as fallback
|
||||||
|
# option data_ciphers_fallback 'AES-256-CBC'
|
||||||
|
# Use Triple-DES as fallback
|
||||||
|
# option data_ciphers_fallback 'DES-EDE3-CBC'
|
||||||
|
# Use BF-CBC as fallback
|
||||||
|
# option data_ciphers_fallback 'BF-CBC'
|
||||||
|
|
||||||
|
# OpenVPN versions 2.4 and later will attempt to
|
||||||
|
# automatically negotiate the most secure cipher
|
||||||
|
# between the client and server, regardless of a
|
||||||
|
# configured "option cipher" (see below).
|
||||||
|
# Automatic negotiation is recommended.
|
||||||
|
#
|
||||||
|
# Uncomment this option to disable this behavior,
|
||||||
|
# and force all OpenVPN peers to use the configured
|
||||||
|
# cipher option instead (not recommended).
|
||||||
|
# option ncp_disable
|
||||||
|
|
||||||
|
# Enable compression on the VPN link.
|
||||||
|
# If you enable it here, you must also
|
||||||
|
# enable it in the client config file.
|
||||||
|
#
|
||||||
|
# Compression is not recommended, as compression and
|
||||||
|
# encryption in combination can weaken the security
|
||||||
|
# of the connection.
|
||||||
|
#
|
||||||
|
# LZ4 requires OpenVPN 2.4+ client and server
|
||||||
|
# option compress lz4
|
||||||
|
# LZO is available by default only in openvpn-openssl variant
|
||||||
|
# LZO is compatible with most OpenVPN versions
|
||||||
|
# option compress lzo
|
||||||
|
|
||||||
|
# Control how OpenVPN handles peers using compression
|
||||||
|
#
|
||||||
|
# Do not allow any connections using compression
|
||||||
|
# option allow_compression 'no'
|
||||||
|
# Allow incoming compressed packets, but do not send compressed packets to other peers
|
||||||
|
# This can be useful when migrating old configurations with compression activated
|
||||||
|
# option allow_compression 'asym'
|
||||||
|
# Both incoming and outgoing packets may be compressed
|
||||||
|
# option allow_compression 'yes'
|
||||||
|
|
||||||
|
# The maximum number of concurrently connected
|
||||||
|
# clients we want to allow.
|
||||||
|
# option max_clients 100
|
||||||
|
|
||||||
|
# The persist options will try to avoid
|
||||||
|
# accessing certain resources on restart
|
||||||
|
# that may no longer be accessible because
|
||||||
|
# of the privilege downgrade.
|
||||||
|
option persist_key 1
|
||||||
|
option persist_tun 1
|
||||||
|
option user nobody
|
||||||
|
|
||||||
|
# Output a short status file showing
|
||||||
|
# current connections, truncated
|
||||||
|
# and rewritten every minute.
|
||||||
|
option status /tmp/openvpn-status.log
|
||||||
|
|
||||||
|
# By default, log messages will go to the syslog (or
|
||||||
|
# on Windows, if running as a service, they will go to
|
||||||
|
# the "\Program Files\OpenVPN\log" directory).
|
||||||
|
# Use log or log-append to override this default.
|
||||||
|
# "log" will truncate the log file on OpenVPN startup,
|
||||||
|
# while "log-append" will append to it. Use one
|
||||||
|
# or the other (but not both).
|
||||||
|
# option log /tmp/openvpn.log
|
||||||
|
# option log_append /tmp/openvpn.log
|
||||||
|
|
||||||
|
# Set the appropriate level of log
|
||||||
|
# file verbosity.
|
||||||
|
#
|
||||||
|
# 0 is silent, except for fatal errors
|
||||||
|
# 4 is reasonable for general usage
|
||||||
|
# 5 and 6 can help to debug connection problems
|
||||||
|
# 9 is extremely verbose
|
||||||
|
option verb 3
|
||||||
|
|
||||||
|
# Silence repeating messages. At most 20
|
||||||
|
# sequential messages of the same message
|
||||||
|
# category will be output to the log.
|
||||||
|
# option mute 20
|
||||||
|
|
||||||
|
|
||||||
|
##############################################
|
||||||
|
# Sample client-side OpenVPN 2.0 uci config #
|
||||||
|
# for connecting to multi-client server. #
|
||||||
|
##############################################
|
||||||
|
|
||||||
|
config openvpn sample_client
|
||||||
|
|
||||||
|
# Set to 1 to enable this instance:
|
||||||
|
option enabled 0
|
||||||
|
|
||||||
|
# Specify that we are a client and that we
|
||||||
|
# will be pulling certain config file directives
|
||||||
|
# from the server.
|
||||||
|
option client 1
|
||||||
|
|
||||||
|
# Use the same setting as you are using on
|
||||||
|
# the server.
|
||||||
|
# On most systems, the VPN will not function
|
||||||
|
# unless you partially or fully disable
|
||||||
|
# the firewall for the TUN/TAP interface.
|
||||||
|
# option dev tap
|
||||||
|
option dev tun
|
||||||
|
|
||||||
|
# Are we connecting to a TCP or
|
||||||
|
# UDP server? Use the same setting as
|
||||||
|
# on the server.
|
||||||
|
# option proto tcp
|
||||||
|
option proto udp
|
||||||
|
|
||||||
|
# The hostname/IP and port of the server.
|
||||||
|
# You can have multiple remote entries
|
||||||
|
# to load balance between the servers.
|
||||||
|
list remote "my_server_1 1194"
|
||||||
|
# list remote "my_server_2 1194"
|
||||||
|
|
||||||
|
# Choose a random host from the remote
|
||||||
|
# list for load_balancing. Otherwise
|
||||||
|
# try hosts in the order specified.
|
||||||
|
# option remote_random 1
|
||||||
|
|
||||||
|
# Keep trying indefinitely to resolve the
|
||||||
|
# host name of the OpenVPN server. Very useful
|
||||||
|
# on machines which are not permanently connected
|
||||||
|
# to the internet such as laptops.
|
||||||
|
option resolv_retry infinite
|
||||||
|
|
||||||
|
# Most clients don't need to bind to
|
||||||
|
# a specific local port number.
|
||||||
|
option nobind 1
|
||||||
|
|
||||||
|
# Try to preserve some state across restarts.
|
||||||
|
option persist_key 1
|
||||||
|
option persist_tun 1
|
||||||
|
option user nobody
|
||||||
|
|
||||||
|
# If you are connecting through an
|
||||||
|
# HTTP proxy to reach the actual OpenVPN
|
||||||
|
# server, put the proxy server/IP and
|
||||||
|
# port number here. See the man page
|
||||||
|
# if your proxy server requires
|
||||||
|
# authentication.
|
||||||
|
# retry on connection failures:
|
||||||
|
# option http_proxy_retry 1
|
||||||
|
# specify http proxy address and port:
|
||||||
|
# option http_proxy "192.168.1.100 8080"
|
||||||
|
|
||||||
|
# Wireless networks often produce a lot
|
||||||
|
# of duplicate packets. Set this flag
|
||||||
|
# to silence duplicate packet warnings.
|
||||||
|
# option mute_replay_warnings 1
|
||||||
|
|
||||||
|
# SSL/TLS parms.
|
||||||
|
# See the server config file for more
|
||||||
|
# description. It's best to use
|
||||||
|
# a separate .crt/.key file pair
|
||||||
|
# for each client. A single ca
|
||||||
|
# file can be used for all clients.
|
||||||
|
option ca /etc/openvpn/ca.crt
|
||||||
|
option cert /etc/openvpn/client.crt
|
||||||
|
option key /etc/openvpn/client.key
|
||||||
|
|
||||||
|
# Verify server certificate by checking
|
||||||
|
# that the certicate has the key usage
|
||||||
|
# field set to "server". This is an
|
||||||
|
# important precaution to protect against
|
||||||
|
# a potential attack discussed here:
|
||||||
|
# http://openvpn.net/howto.html#mitm
|
||||||
|
#
|
||||||
|
# To use this feature, you will need to generate
|
||||||
|
# your server certificates with the nsCertType
|
||||||
|
# field set to "server". The build_key_server
|
||||||
|
# script in the easy_rsa folder will do this.
|
||||||
|
# option remote_cert_tls server
|
||||||
|
|
||||||
|
# If a tls_auth key is used on the server
|
||||||
|
# then every client must also have the key.
|
||||||
|
# option tls_auth "/etc/openvpn/ta.key 1"
|
||||||
|
|
||||||
|
# If a tls_crypt key is used on the server
|
||||||
|
# every client must also have the key.
|
||||||
|
# option tls_crypt "/etc/openvpn/ta.key"
|
||||||
|
|
||||||
|
# Set the minimum required TLS protocol version
|
||||||
|
# for all connections.
|
||||||
|
#
|
||||||
|
# Require at least TLS 1.1
|
||||||
|
# option tls_version_min "1.1"
|
||||||
|
# Require at least TLS 1.2
|
||||||
|
# option tls_version_min "1.2"
|
||||||
|
# Require TLS 1.2, or the highest version supported
|
||||||
|
# on the system
|
||||||
|
# option tls_version_min "1.2 'or-highest'"
|
||||||
|
|
||||||
|
# List the preferred ciphers for the data channel.
|
||||||
|
# list data_ciphers 'AES-256-GCM'
|
||||||
|
# list data_ciphers 'AES-128-GCM'
|
||||||
|
# list data_ciphers 'CHACHA20-POLY1305'
|
||||||
|
|
||||||
|
# Set a fallback cipher if you connect to a peer that does
|
||||||
|
# not support cipher negotiation.
|
||||||
|
# Use AES-256-CBC as fallback
|
||||||
|
# option data_ciphers_fallback 'AES-128-CBC'
|
||||||
|
# Use AES-128-CBC as fallback
|
||||||
|
# option data_ciphers_fallback 'AES-256-CBC'
|
||||||
|
# Use Triple-DES as fallback
|
||||||
|
# option data_ciphers_fallback 'DES-EDE3-CBC'
|
||||||
|
# Use BF-CBC as fallback
|
||||||
|
# option data_ciphers_fallback 'BF-CBC'
|
||||||
|
|
||||||
|
# Enable compression on the VPN link.
|
||||||
|
# Don't enable this unless it is also
|
||||||
|
# enabled in the server config file.
|
||||||
|
#
|
||||||
|
# Compression is not recommended, as compression and
|
||||||
|
# encryption in combination can weaken the security
|
||||||
|
# of the connection.
|
||||||
|
#
|
||||||
|
# LZ4 requires OpenVPN 2.4+ on server and client
|
||||||
|
# option compress lz4
|
||||||
|
# LZO is available by default only in openvpn-openssl variant
|
||||||
|
# LZO is compatible with most OpenVPN versions
|
||||||
|
# option compress lzo
|
||||||
|
|
||||||
|
# Set log file verbosity.
|
||||||
|
option verb 3
|
||||||
|
|
||||||
|
# Silence repeating messages
|
||||||
|
# option mute 20
|
271
openvpn/files/openvpn.init
Normal file
271
openvpn/files/openvpn.init
Normal file
|
@ -0,0 +1,271 @@
|
||||||
|
#!/bin/sh /etc/rc.common
|
||||||
|
# Copyright (C) 2008-2013 OpenWrt.org
|
||||||
|
# Copyright (C) 2008 Jo-Philipp Wich
|
||||||
|
# This is free software, licensed under the GNU General Public License v2.
|
||||||
|
# See /LICENSE for more information.
|
||||||
|
|
||||||
|
START=90
|
||||||
|
STOP=10
|
||||||
|
|
||||||
|
USE_PROCD=1
|
||||||
|
PROG=/usr/sbin/openvpn
|
||||||
|
|
||||||
|
LIST_SEP="
|
||||||
|
"
|
||||||
|
|
||||||
|
UCI_STARTED=
|
||||||
|
UCI_DISABLED=
|
||||||
|
|
||||||
|
version_over_5_4() {
|
||||||
|
MAJOR_VERSION=$(uname -r | awk -F '.' '{print $1}')
|
||||||
|
MINOR_VERSION=$(uname -r | awk -F '.' '{print $2}')
|
||||||
|
if [ $MAJOR_VERSION -ge 5 ] && [ $MINOR_VERSION -gt 13 ] || [ $MAJOR_VERSION -gt 5 ] ; then
|
||||||
|
return 0
|
||||||
|
else
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
append_param() {
|
||||||
|
local s="$1"
|
||||||
|
local v="$2"
|
||||||
|
case "$v" in
|
||||||
|
*_*_*_*) v=${v%%_*}-${v#*_}; v=${v%%_*}-${v#*_}; v=${v%%_*}-${v#*_} ;;
|
||||||
|
*_*_*) v=${v%%_*}-${v#*_}; v=${v%%_*}-${v#*_} ;;
|
||||||
|
*_*) v=${v%%_*}-${v#*_} ;;
|
||||||
|
esac
|
||||||
|
echo -n "$v" >> "/var/etc/openvpn-$s.conf"
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
append_bools() {
|
||||||
|
local p; local v; local s="$1"; shift
|
||||||
|
for p in $*; do
|
||||||
|
config_get_bool v "$s" "$p"
|
||||||
|
[ "$v" = 1 ] && append_param "$s" "$p" && echo >> "/var/etc/openvpn-$s.conf"
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
append_params() {
|
||||||
|
local p; local v; local s="$1"; shift
|
||||||
|
for p in $*; do
|
||||||
|
config_get v "$s" "$p"
|
||||||
|
IFS="$LIST_SEP"
|
||||||
|
for v in $v; do
|
||||||
|
[ "$v" = "frames_only" ] && [ "$p" = "compress" ] && unset v && append_param "$s" "$p" && echo >> "/var/etc/openvpn-$s.conf"
|
||||||
|
[ -n "$v" ] && [ "$p" != "push" ] && append_param "$s" "$p" && echo " $v" >> "/var/etc/openvpn-$s.conf"
|
||||||
|
[ -n "$v" ] && [ "$p" = "push" ] && append_param "$s" "$p" && echo " \"$v\"" >> "/var/etc/openvpn-$s.conf"
|
||||||
|
done
|
||||||
|
unset IFS
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
append_list() {
|
||||||
|
local p; local v; local s="$1"; shift
|
||||||
|
|
||||||
|
list_cb_append() {
|
||||||
|
v="${v}:$1"
|
||||||
|
}
|
||||||
|
|
||||||
|
for p in $*; do
|
||||||
|
unset v
|
||||||
|
config_list_foreach "$s" "$p" list_cb_append
|
||||||
|
[ -n "$v" ] && append_param "$s" "$p" && echo " ${v:1}" >> "/var/etc/openvpn-$s.conf"
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
section_enabled() {
|
||||||
|
config_get_bool enable "$1" 'enable' 0
|
||||||
|
config_get_bool enabled "$1" 'enabled' 0
|
||||||
|
[ $enable -gt 0 ] || [ $enabled -gt 0 ]
|
||||||
|
}
|
||||||
|
|
||||||
|
create_temp_file() {
|
||||||
|
mkdir -p "$(dirname "$1")"
|
||||||
|
rm -f "$1"
|
||||||
|
touch "$1"
|
||||||
|
chown root "$1"
|
||||||
|
chmod 0600 "$1"
|
||||||
|
}
|
||||||
|
|
||||||
|
openvpn_get_dev() {
|
||||||
|
local dev dev_type
|
||||||
|
local name="$1"
|
||||||
|
local conf="$2"
|
||||||
|
|
||||||
|
# Do override only for configurations with config_file
|
||||||
|
config_get config_file "$name" config
|
||||||
|
[ -n "$config_file" ] || return
|
||||||
|
|
||||||
|
# Check there is someething to override
|
||||||
|
config_get dev "$name" dev
|
||||||
|
config_get dev_type "$name" dev_type
|
||||||
|
[ -n "$dev" ] || return
|
||||||
|
|
||||||
|
# If there is a no dev_type, try to guess it
|
||||||
|
if [ -z "$dev_type" ]; then
|
||||||
|
. /lib/functions/openvpn.sh
|
||||||
|
|
||||||
|
local odev odev_type
|
||||||
|
get_openvpn_option "$conf" odev dev
|
||||||
|
get_openvpn_option "$conf" odev_type dev-type
|
||||||
|
[ -n "$odev_type" ] || odev_type="$odev"
|
||||||
|
|
||||||
|
case "$odev_type" in
|
||||||
|
tun*) dev_type="tun" ;;
|
||||||
|
tap*) dev_type="tap" ;;
|
||||||
|
*) return;;
|
||||||
|
esac
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Return overrides
|
||||||
|
echo "--dev-type $dev_type --dev $dev"
|
||||||
|
}
|
||||||
|
|
||||||
|
openvpn_get_credentials() {
|
||||||
|
local name="$1"
|
||||||
|
local ret=""
|
||||||
|
|
||||||
|
config_get cert_password "$name" cert_password
|
||||||
|
config_get password "$name" password
|
||||||
|
config_get username "$name" username
|
||||||
|
|
||||||
|
if [ -n "$cert_password" ]; then
|
||||||
|
create_temp_file /var/run/openvpn.$name.pass
|
||||||
|
echo "$cert_password" > /var/run/openvpn.$name.pass
|
||||||
|
ret=" --askpass /var/run/openvpn.$name.pass "
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -n "$username" ]; then
|
||||||
|
create_temp_file /var/run/openvpn.$name.userpass
|
||||||
|
echo "$username" > /var/run/openvpn.$name.userpass
|
||||||
|
echo "$password" >> /var/run/openvpn.$name.userpass
|
||||||
|
ret=" --auth-user-pass /var/run/openvpn.$name.userpass "
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Return overrides
|
||||||
|
echo "$ret"
|
||||||
|
}
|
||||||
|
|
||||||
|
openvpn_add_instance() {
|
||||||
|
local name="$1"
|
||||||
|
local dir="$2"
|
||||||
|
local conf=$(basename "$3")
|
||||||
|
local security="$4"
|
||||||
|
local up="$5"
|
||||||
|
local down="$6"
|
||||||
|
local client=$(grep -qEx "client|tls-client" "$dir/$conf" && echo 1)
|
||||||
|
|
||||||
|
procd_open_instance "$name"
|
||||||
|
procd_set_param command "$PROG" \
|
||||||
|
--syslog "openvpn($name)" \
|
||||||
|
--status "/var/run/openvpn.$name.status" \
|
||||||
|
--cd "$dir" \
|
||||||
|
--config "$conf" \
|
||||||
|
--up "/usr/libexec/openvpn-hotplug up $name" \
|
||||||
|
--down "/usr/libexec/openvpn-hotplug down $name" \
|
||||||
|
--route-up "/usr/libexec/openvpn-hotplug route-up $name" \
|
||||||
|
--route-pre-down "/usr/libexec/openvpn-hotplug route-pre-down $name" \
|
||||||
|
${client:+--ipchange "/usr/libexec/openvpn-hotplug ipchange $name"} \
|
||||||
|
${up:+--setenv user_up "$up"} \
|
||||||
|
${down:+--setenv user_down "$down"} \
|
||||||
|
--script-security "${security:-2}" \
|
||||||
|
$(openvpn_get_dev "$name" "$conf") \
|
||||||
|
$(openvpn_get_credentials "$name" "$conf")
|
||||||
|
if version_over_5_4; then
|
||||||
|
procd_append_param command "--mptcp"
|
||||||
|
fi
|
||||||
|
procd_set_param file "$dir/$conf"
|
||||||
|
procd_set_param term_timeout 15
|
||||||
|
procd_set_param respawn
|
||||||
|
procd_append_param respawn 3600
|
||||||
|
procd_append_param respawn 5
|
||||||
|
procd_append_param respawn -1
|
||||||
|
procd_close_instance
|
||||||
|
}
|
||||||
|
|
||||||
|
start_instance() {
|
||||||
|
local s="$1"
|
||||||
|
|
||||||
|
config_get config "$s" config
|
||||||
|
config="${config:+$(readlink -f "$config")}"
|
||||||
|
|
||||||
|
section_enabled "$s" || {
|
||||||
|
append UCI_DISABLED "$config" "$LIST_SEP"
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
|
||||||
|
local up down script_security
|
||||||
|
config_get up "$s" up
|
||||||
|
config_get down "$s" down
|
||||||
|
config_get script_security "$s" script_security
|
||||||
|
|
||||||
|
[ ! -d "/var/run" ] && mkdir -p "/var/run"
|
||||||
|
|
||||||
|
if [ ! -z "$config" ]; then
|
||||||
|
append UCI_STARTED "$config" "$LIST_SEP"
|
||||||
|
[ -n "$up" ] || get_openvpn_option "$config" up up
|
||||||
|
[ -n "$down" ] || get_openvpn_option "$config" down down
|
||||||
|
openvpn_add_instance "$s" "${config%/*}" "$config" "$script_security" "$up" "$down"
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
|
||||||
|
create_temp_file "/var/etc/openvpn-$s.conf"
|
||||||
|
|
||||||
|
append_bools "$s" $OPENVPN_BOOLS
|
||||||
|
append_params "$s" $OPENVPN_PARAMS
|
||||||
|
append_list "$s" $OPENVPN_LIST
|
||||||
|
|
||||||
|
openvpn_add_instance "$s" "/var/etc" "openvpn-$s.conf" "$script_security" "$up" "$down"
|
||||||
|
}
|
||||||
|
|
||||||
|
start_service() {
|
||||||
|
local instance="$1"
|
||||||
|
local instance_found=0
|
||||||
|
|
||||||
|
config_cb() {
|
||||||
|
local type="$1"
|
||||||
|
local name="$2"
|
||||||
|
if [ "$type" = "openvpn" ]; then
|
||||||
|
if [ -n "$instance" -a "$instance" = "$name" ]; then
|
||||||
|
instance_found=1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
. /lib/functions/openvpn.sh
|
||||||
|
. /usr/share/openvpn/openvpn.options
|
||||||
|
config_load 'openvpn'
|
||||||
|
|
||||||
|
if [ -n "$instance" ]; then
|
||||||
|
[ "$instance_found" -gt 0 ] || return
|
||||||
|
start_instance "$instance"
|
||||||
|
else
|
||||||
|
config_foreach start_instance 'openvpn'
|
||||||
|
|
||||||
|
local path name up down
|
||||||
|
for path in /etc/openvpn/*.conf; do
|
||||||
|
if [ -f "$path" ]; then
|
||||||
|
name="${path##*/}"; name="${name%.conf}"
|
||||||
|
|
||||||
|
# don't start configs again that are already started by uci
|
||||||
|
if echo "$UCI_STARTED" | grep -qxF "$path"; then
|
||||||
|
continue
|
||||||
|
|
||||||
|
# don't start configs which are set to disabled in uci
|
||||||
|
elif echo "$UCI_DISABLED" | grep -qxF "$path"; then
|
||||||
|
logger -t openvpn "$name.conf is disabled in /etc/config/openvpn"
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
|
||||||
|
get_openvpn_option "$path" up up || up=""
|
||||||
|
get_openvpn_option "$path" down down || down=""
|
||||||
|
openvpn_add_instance "$name" "${path%/*}" "$path" "" "$up" "$down"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
service_triggers() {
|
||||||
|
procd_add_reload_trigger openvpn
|
||||||
|
}
|
206
openvpn/files/openvpn.options
Normal file
206
openvpn/files/openvpn.options
Normal file
|
@ -0,0 +1,206 @@
|
||||||
|
OPENVPN_PARAMS='
|
||||||
|
allow_compression
|
||||||
|
askpass
|
||||||
|
auth
|
||||||
|
auth_retry
|
||||||
|
auth_user_pass
|
||||||
|
auth_user_pass_verify
|
||||||
|
bcast_buffers
|
||||||
|
bind_dev
|
||||||
|
ca
|
||||||
|
capath
|
||||||
|
cd
|
||||||
|
cert
|
||||||
|
chroot
|
||||||
|
cipher
|
||||||
|
client_config_dir
|
||||||
|
client_connect
|
||||||
|
client_disconnect
|
||||||
|
comp_lzo
|
||||||
|
compress
|
||||||
|
connect_freq
|
||||||
|
connect_retry
|
||||||
|
connect_retry_max
|
||||||
|
connect_timeout
|
||||||
|
crl_verify
|
||||||
|
data_ciphers_fallback
|
||||||
|
dev
|
||||||
|
dev_node
|
||||||
|
dev_type
|
||||||
|
dh
|
||||||
|
ecdh_curve
|
||||||
|
echo
|
||||||
|
engine
|
||||||
|
explicit_exit_notify
|
||||||
|
extra_certs
|
||||||
|
fragment
|
||||||
|
group
|
||||||
|
hand_window
|
||||||
|
hash_size
|
||||||
|
http_proxy
|
||||||
|
http_proxy_option
|
||||||
|
http_proxy_timeout
|
||||||
|
ifconfig
|
||||||
|
ifconfig_ipv6
|
||||||
|
ifconfig_ipv6_pool
|
||||||
|
ifconfig_ipv6_push
|
||||||
|
ifconfig_pool
|
||||||
|
ifconfig_pool_persist
|
||||||
|
ifconfig_push
|
||||||
|
inactive
|
||||||
|
ipchange
|
||||||
|
iroute
|
||||||
|
iroute_ipv6
|
||||||
|
keepalive
|
||||||
|
key
|
||||||
|
key_direction
|
||||||
|
keysize
|
||||||
|
learn_address
|
||||||
|
link_mtu
|
||||||
|
lladdr
|
||||||
|
local
|
||||||
|
log
|
||||||
|
log_append
|
||||||
|
lport
|
||||||
|
management
|
||||||
|
management_log_cache
|
||||||
|
max_clients
|
||||||
|
max_routes_per_client
|
||||||
|
mode
|
||||||
|
mssfix
|
||||||
|
mtu_disc
|
||||||
|
mute
|
||||||
|
nice
|
||||||
|
ping
|
||||||
|
ping_exit
|
||||||
|
ping_restart
|
||||||
|
pkcs12
|
||||||
|
plugin
|
||||||
|
port
|
||||||
|
port_share
|
||||||
|
prng
|
||||||
|
proto
|
||||||
|
pull_filter
|
||||||
|
push
|
||||||
|
rcvbuf
|
||||||
|
redirect_gateway
|
||||||
|
remap_usr1
|
||||||
|
remote
|
||||||
|
remote_cert_eku
|
||||||
|
remote_cert_ku
|
||||||
|
remote_cert_tls
|
||||||
|
reneg_bytes
|
||||||
|
reneg_pkts
|
||||||
|
reneg_sec
|
||||||
|
replay_persist
|
||||||
|
replay_window
|
||||||
|
resolv_retry
|
||||||
|
route
|
||||||
|
route_delay
|
||||||
|
route_gateway
|
||||||
|
route_ipv6
|
||||||
|
route_metric
|
||||||
|
route_pre_down
|
||||||
|
route_up
|
||||||
|
rport
|
||||||
|
secret
|
||||||
|
server
|
||||||
|
server_bridge
|
||||||
|
server_ipv6
|
||||||
|
server_poll_timeout
|
||||||
|
setenv
|
||||||
|
shaper
|
||||||
|
sndbuf
|
||||||
|
socks_proxy
|
||||||
|
status
|
||||||
|
status_version
|
||||||
|
syslog
|
||||||
|
tcp_queue_limit
|
||||||
|
tls_auth
|
||||||
|
tls_crypt
|
||||||
|
tls_crypt_v2
|
||||||
|
tls_crypt_v2_verify
|
||||||
|
tls_export_cert
|
||||||
|
tls_timeout
|
||||||
|
tls_verify
|
||||||
|
tls_version_min
|
||||||
|
tmp_dir
|
||||||
|
topology
|
||||||
|
tran_window
|
||||||
|
tun_mtu
|
||||||
|
tun_mtu_extra
|
||||||
|
txqueuelen
|
||||||
|
user
|
||||||
|
verb
|
||||||
|
verify_client_cert
|
||||||
|
verify_x509_name
|
||||||
|
vlan_accept
|
||||||
|
vlan_pvid
|
||||||
|
x509_username_field
|
||||||
|
'
|
||||||
|
|
||||||
|
OPENVPN_BOOLS='
|
||||||
|
allow_recursive_routing
|
||||||
|
auth_nocache
|
||||||
|
auth_user_pass_optional
|
||||||
|
bind
|
||||||
|
block_ipv6
|
||||||
|
ccd_exclusive
|
||||||
|
client
|
||||||
|
client_to_client
|
||||||
|
comp_noadapt
|
||||||
|
disable
|
||||||
|
disable_occ
|
||||||
|
down_pre
|
||||||
|
duplicate_cn
|
||||||
|
fast_io
|
||||||
|
float
|
||||||
|
http_proxy_retry
|
||||||
|
ifconfig_noexec
|
||||||
|
ifconfig_nowarn
|
||||||
|
management_forget_disconnect
|
||||||
|
management_hold
|
||||||
|
management_query_passwords
|
||||||
|
management_signal
|
||||||
|
mktun
|
||||||
|
mlock
|
||||||
|
mtu_test
|
||||||
|
multihome
|
||||||
|
mute_replay_warnings
|
||||||
|
ncp_disable
|
||||||
|
nobind
|
||||||
|
opt_verify
|
||||||
|
passtos
|
||||||
|
persist_key
|
||||||
|
persist_local_ip
|
||||||
|
persist_remote_ip
|
||||||
|
persist_tun
|
||||||
|
ping_timer_rem
|
||||||
|
pull
|
||||||
|
push_peer_info
|
||||||
|
push_reset
|
||||||
|
remote_random
|
||||||
|
rmtun
|
||||||
|
route_noexec
|
||||||
|
route_nopull
|
||||||
|
single_session
|
||||||
|
socks_proxy_retry
|
||||||
|
suppress_timestamps
|
||||||
|
tcp_nodelay
|
||||||
|
test_crypto
|
||||||
|
tls_client
|
||||||
|
tls_exit
|
||||||
|
tls_server
|
||||||
|
up_delay
|
||||||
|
up_restart
|
||||||
|
username_as_common_name
|
||||||
|
vlan_tagging
|
||||||
|
'
|
||||||
|
|
||||||
|
OPENVPN_LIST='
|
||||||
|
data_ciphers
|
||||||
|
ncp_ciphers
|
||||||
|
tls_cipher
|
||||||
|
tls_ciphersuites
|
||||||
|
tls_groups
|
||||||
|
'
|
1
openvpn/files/openvpn.upgrade
Normal file
1
openvpn/files/openvpn.upgrade
Normal file
|
@ -0,0 +1 @@
|
||||||
|
/etc/openvpn/
|
10
openvpn/files/usr/libexec/openvpn-hotplug
Normal file
10
openvpn/files/usr/libexec/openvpn-hotplug
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
ACTION=$1
|
||||||
|
shift
|
||||||
|
INSTANCE=$1
|
||||||
|
shift
|
||||||
|
|
||||||
|
export ACTION=$ACTION
|
||||||
|
export INSTANCE=$INSTANCE
|
||||||
|
exec /sbin/hotplug-call openvpn "$@"
|
10
openvpn/patches/001-reproducible-remove_DATE.patch
Normal file
10
openvpn/patches/001-reproducible-remove_DATE.patch
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
--- a/src/openvpn/options.c
|
||||||
|
+++ b/src/openvpn/options.c
|
||||||
|
@@ -105,7 +105,6 @@ const char title_string[] =
|
||||||
|
#endif
|
||||||
|
#endif
|
||||||
|
" [AEAD]"
|
||||||
|
- " built on " __DATE__
|
||||||
|
;
|
||||||
|
|
||||||
|
#ifndef ENABLE_SMALL
|
190
openvpn/patches/002-add-wolfssl-support.patch
Normal file
190
openvpn/patches/002-add-wolfssl-support.patch
Normal file
|
@ -0,0 +1,190 @@
|
||||||
|
From: Gert Doering <gert@greenie.muc.de>
|
||||||
|
|
||||||
|
Support for wolfSSL in OpenVPN
|
||||||
|
|
||||||
|
This patch adds support for wolfSSL in OpenVPN. Support is added by using
|
||||||
|
wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged
|
||||||
|
and instead the OpenSSL includes point to wolfSSL headers and OpenVPN is
|
||||||
|
linked against the wolfSSL library. The wolfSSL installation directory is
|
||||||
|
detected using pkg-config.
|
||||||
|
|
||||||
|
As requested by OpenVPN maintainers, this patch does not include
|
||||||
|
wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN
|
||||||
|
in the configure script wolfSSL will include wolfssl/options.h on its own
|
||||||
|
(change added in wolfSSL/wolfssl#2825). The patch
|
||||||
|
adds an option '--disable-wolfssl-options-h' in case the user would like
|
||||||
|
to supply their own settings file for wolfSSL.
|
||||||
|
|
||||||
|
wolfSSL:
|
||||||
|
Support added in: wolfSSL/wolfssl#2503
|
||||||
|
|
||||||
|
git clone https://github.com/wolfSSL/wolfssl.git
|
||||||
|
cd wolfssl
|
||||||
|
./autogen.sh
|
||||||
|
./configure --enable-openvpn
|
||||||
|
make
|
||||||
|
sudo make install
|
||||||
|
|
||||||
|
OpenVPN:
|
||||||
|
|
||||||
|
autoreconf -i -v -f
|
||||||
|
./configure --with-crypto-library=wolfssl
|
||||||
|
make
|
||||||
|
make check
|
||||||
|
sudo make install
|
||||||
|
|
||||||
|
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
|
||||||
|
Acked-by: Arne Schwabe <arne@rfc2549.org>
|
||||||
|
Message-Id: <20210317181153.83716-1-juliusz@wolfssl.com>
|
||||||
|
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21686.html
|
||||||
|
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
||||||
|
---
|
||||||
|
configure.ac | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
|
||||||
|
src/openvpn/syshead.h | 3 ++-
|
||||||
|
2 files changed, 110 insertions(+), 3 deletions(-)
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -271,16 +271,23 @@ AC_ARG_WITH(
|
||||||
|
|
||||||
|
AC_ARG_WITH(
|
||||||
|
[crypto-library],
|
||||||
|
- [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])],
|
||||||
|
+ [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])],
|
||||||
|
[
|
||||||
|
case "${withval}" in
|
||||||
|
- openssl|mbedtls) ;;
|
||||||
|
+ openssl|mbedtls|wolfssl) ;;
|
||||||
|
*) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;;
|
||||||
|
esac
|
||||||
|
],
|
||||||
|
[with_crypto_library="openssl"]
|
||||||
|
)
|
||||||
|
|
||||||
|
+AC_ARG_ENABLE(
|
||||||
|
+ [wolfssl-options-h],
|
||||||
|
+ [AS_HELP_STRING([--disable-wolfssl-options-h], [Disable including options.h in wolfSSL @<:@default=yes@:>@])],
|
||||||
|
+ ,
|
||||||
|
+ [enable_wolfssl_options_h="yes"]
|
||||||
|
+)
|
||||||
|
+
|
||||||
|
AC_ARG_WITH(
|
||||||
|
[openssl-engine],
|
||||||
|
[AS_HELP_STRING([--with-openssl-engine], [enable engine support with OpenSSL. Default enabled for OpenSSL < 3.0, auto,yes,no @<:@default=auto@:>@])],
|
||||||
|
@@ -1054,6 +1061,105 @@ elif test "${with_crypto_library}" = "mb
|
||||||
|
AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library])
|
||||||
|
CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}"
|
||||||
|
CRYPTO_LIBS="${MBEDTLS_LIBS}"
|
||||||
|
+
|
||||||
|
+elif test "${with_crypto_library}" = "wolfssl"; then
|
||||||
|
+ AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl. The include directory should
|
||||||
|
+ contain the regular wolfSSL header files but also the
|
||||||
|
+ wolfSSL OpenSSL header files. Ex: -I/usr/local/include
|
||||||
|
+ -I/usr/local/include/wolfssl])
|
||||||
|
+ AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl])
|
||||||
|
+
|
||||||
|
+ saved_CFLAGS="${CFLAGS}"
|
||||||
|
+ saved_LIBS="${LIBS}"
|
||||||
|
+
|
||||||
|
+ if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then
|
||||||
|
+ # if the user did not explicitly specify flags, try to autodetect
|
||||||
|
+ PKG_CHECK_MODULES(
|
||||||
|
+ [WOLFSSL],
|
||||||
|
+ [wolfssl],
|
||||||
|
+ [],
|
||||||
|
+ [AC_MSG_ERROR([Could not find wolfSSL.])]
|
||||||
|
+ )
|
||||||
|
+ PKG_CHECK_VAR(
|
||||||
|
+ [WOLFSSL_INCLUDEDIR],
|
||||||
|
+ [wolfssl],
|
||||||
|
+ [includedir],
|
||||||
|
+ [],
|
||||||
|
+ [AC_MSG_ERROR([Could not find wolfSSL includedir variable.])]
|
||||||
|
+ )
|
||||||
|
+ WOLFSSL_CFLAGS="${WOLFSSL_CFLAGS} -I${WOLFSSL_INCLUDEDIR}/wolfssl"
|
||||||
|
+ fi
|
||||||
|
+ saved_CFLAGS="${CFLAGS}"
|
||||||
|
+ saved_LIBS="${LIBS}"
|
||||||
|
+ CFLAGS="${CFLAGS} ${WOLFSSL_CFLAGS}"
|
||||||
|
+ LIBS="${LIBS} ${WOLFSSL_LIBS}"
|
||||||
|
+
|
||||||
|
+ AC_CHECK_LIB(
|
||||||
|
+ [wolfssl],
|
||||||
|
+ [wolfSSL_Init],
|
||||||
|
+ [],
|
||||||
|
+ [AC_MSG_ERROR([Could not link wolfSSL library.])]
|
||||||
|
+ )
|
||||||
|
+ AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header wolfssl/options.h not found!])])
|
||||||
|
+
|
||||||
|
+ # wolfSSL signal EKM support
|
||||||
|
+ have_export_keying_material="yes"
|
||||||
|
+
|
||||||
|
+ AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_EVP_MD_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_EVP_CIPHER_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_OPENSSL_VERSION], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_SSL_CTX_SET_SECURITY_LEVEL], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_X509_GET0_NOTBEFORE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_X509_GET0_NOTAFTER], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_X509_GET0_PUBKEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_X509_STORE_GET0_OBJECTS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_X509_OBJECT_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_X509_OBJECT_GET_TYPE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_EVP_PKEY_ID], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_EVP_PKEY_GET0_RSA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_EVP_PKEY_GET0_DSA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_EVP_PKEY_GET0_EC_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_RSA_SET_FLAGS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_RSA_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_RSA_GET0_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_RSA_SET0_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_DSA_GET0_PQG], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_DSA_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_RSA_METH_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_RSA_METH_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_RSA_METH_SET_PUB_ENC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_RSA_METH_SET_PUB_DEC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_RSA_METH_SET_PRIV_ENC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_RSA_METH_SET_PRIV_DEC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_RSA_METH_SET_INIT], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_RSA_METH_SET_SIGN], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_RSA_METH_SET_FINISH], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_RSA_METH_SET0_APP_DATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_RSA_METH_GET0_APP_DATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+ AC_DEFINE([HAVE_EC_GROUP_ORDER_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
|
||||||
|
+
|
||||||
|
+ if test "${enable_wolfssl_options_h}" = "yes"; then
|
||||||
|
+ AC_DEFINE([EXTERNAL_OPTS_OPENVPN], [1], [Include options.h from wolfSSL library])
|
||||||
|
+ else
|
||||||
|
+ AC_DEFINE([WOLFSSL_USER_SETTINGS], [1], [Use custom user_settings.h file for wolfSSL library])
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
|
+ have_export_keying_material="yes"
|
||||||
|
+
|
||||||
|
+ CFLAGS="${saved_CFLAGS}"
|
||||||
|
+ LIBS="${saved_LIBS}"
|
||||||
|
+
|
||||||
|
+ AC_DEFINE([ENABLE_CRYPTO_WOLFSSL], [1], [Use wolfSSL crypto library])
|
||||||
|
+ AC_DEFINE([ENABLE_CRYPTO_OPENSSL], [1], [Use wolfSSL openssl compatibility layer])
|
||||||
|
+ CRYPTO_CFLAGS="${WOLFSSL_CFLAGS}"
|
||||||
|
+ CRYPTO_LIBS="${WOLFSSL_LIBS}"
|
||||||
|
else
|
||||||
|
AC_MSG_ERROR([Invalid crypto library: ${with_crypto_library}])
|
||||||
|
fi
|
||||||
|
--- a/src/openvpn/syshead.h
|
||||||
|
+++ b/src/openvpn/syshead.h
|
||||||
|
@@ -582,7 +582,8 @@ socket_defined(const socket_descriptor_t
|
||||||
|
/*
|
||||||
|
* Do we have CryptoAPI capability?
|
||||||
|
*/
|
||||||
|
-#if defined(_WIN32) && defined(ENABLE_CRYPTO_OPENSSL)
|
||||||
|
+#if defined(_WIN32) && defined(ENABLE_CRYPTO_OPENSSL) && \
|
||||||
|
+ !defined(ENABLE_CRYPTO_WOLFSSL)
|
||||||
|
#define ENABLE_CRYPTOAPI
|
||||||
|
#endif
|
||||||
|
|
|
@ -0,0 +1,11 @@
|
||||||
|
--- a/src/openvpn/ssl_mbedtls.c
|
||||||
|
+++ b/src/openvpn/ssl_mbedtls.c
|
||||||
|
@@ -1539,7 +1539,7 @@ const char *
|
||||||
|
get_ssl_library_version(void)
|
||||||
|
{
|
||||||
|
static char mbedtls_version[30];
|
||||||
|
- unsigned int pv = mbedtls_version_get_number();
|
||||||
|
+ unsigned int pv = MBEDTLS_VERSION_NUMBER;
|
||||||
|
sprintf( mbedtls_version, "mbed TLS %d.%d.%d",
|
||||||
|
(pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff );
|
||||||
|
return mbedtls_version;
|
74
openvpn/patches/210-build_always_use_internal_lz4.patch
Normal file
74
openvpn/patches/210-build_always_use_internal_lz4.patch
Normal file
|
@ -0,0 +1,74 @@
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -1211,68 +1211,15 @@ dnl
|
||||||
|
AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4])
|
||||||
|
AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4])
|
||||||
|
if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then
|
||||||
|
- if test -z "${LZ4_CFLAGS}" -a -z "${LZ4_LIBS}"; then
|
||||||
|
- # if the user did not explicitly specify flags, try to autodetect
|
||||||
|
- PKG_CHECK_MODULES([LZ4],
|
||||||
|
- [liblz4 >= 1.7.1 liblz4 < 100],
|
||||||
|
- [have_lz4="yes"],
|
||||||
|
- [LZ4_LIBS="-llz4"] # If this fails, we will do another test next.
|
||||||
|
- # We also add set LZ4_LIBS otherwise the
|
||||||
|
- # linker will not know about the lz4 library
|
||||||
|
- )
|
||||||
|
- fi
|
||||||
|
|
||||||
|
saved_CFLAGS="${CFLAGS}"
|
||||||
|
saved_LIBS="${LIBS}"
|
||||||
|
CFLAGS="${CFLAGS} ${LZ4_CFLAGS}"
|
||||||
|
LIBS="${LIBS} ${LZ4_LIBS}"
|
||||||
|
|
||||||
|
- # If pkgconfig check failed or LZ4_CFLAGS/LZ4_LIBS env vars
|
||||||
|
- # are used, check the version directly in the LZ4 include file
|
||||||
|
- if test "${have_lz4}" != "yes"; then
|
||||||
|
- AC_CHECK_HEADERS([lz4.h],
|
||||||
|
- [have_lz4h="yes"],
|
||||||
|
- [])
|
||||||
|
-
|
||||||
|
- if test "${have_lz4h}" = "yes" ; then
|
||||||
|
- AC_MSG_CHECKING([additionally if system LZ4 version >= 1.7.1])
|
||||||
|
- AC_COMPILE_IFELSE(
|
||||||
|
- [AC_LANG_PROGRAM([[
|
||||||
|
-#include <lz4.h>
|
||||||
|
- ]],
|
||||||
|
- [[
|
||||||
|
-/* Version encoding: MMNNPP (Major miNor Patch) - see lz4.h for details */
|
||||||
|
-#if LZ4_VERSION_NUMBER < 10701L
|
||||||
|
-#error LZ4 is too old
|
||||||
|
-#endif
|
||||||
|
- ]]
|
||||||
|
- )],
|
||||||
|
- [
|
||||||
|
- AC_MSG_RESULT([ok])
|
||||||
|
- have_lz4="yes"
|
||||||
|
- ],
|
||||||
|
- [AC_MSG_RESULT([system LZ4 library is too old])]
|
||||||
|
- )
|
||||||
|
- fi
|
||||||
|
- fi
|
||||||
|
-
|
||||||
|
- # Double check we have a few needed functions
|
||||||
|
- if test "${have_lz4}" = "yes" ; then
|
||||||
|
- AC_CHECK_LIB([lz4],
|
||||||
|
- [LZ4_compress_default],
|
||||||
|
- [],
|
||||||
|
- [have_lz4="no"])
|
||||||
|
- AC_CHECK_LIB([lz4],
|
||||||
|
- [LZ4_decompress_safe],
|
||||||
|
- [],
|
||||||
|
- [have_lz4="no"])
|
||||||
|
- fi
|
||||||
|
-
|
||||||
|
- if test "${have_lz4}" != "yes" ; then
|
||||||
|
- AC_MSG_RESULT([ usable LZ4 library or header not found, using version in src/compat/compat-lz4.*])
|
||||||
|
- AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/])
|
||||||
|
- LZ4_LIBS=""
|
||||||
|
- fi
|
||||||
|
+ AC_MSG_RESULT([ usable LZ4 library or header not found, using version in src/compat/compat-lz4.*])
|
||||||
|
+ AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/])
|
||||||
|
+ LZ4_LIBS=""
|
||||||
|
OPTIONAL_LZ4_CFLAGS="${LZ4_CFLAGS}"
|
||||||
|
OPTIONAL_LZ4_LIBS="${LZ4_LIBS}"
|
||||||
|
AC_DEFINE(ENABLE_LZ4, [1], [Enable LZ4 compression library])
|
74
openvpn/patches/220-disable_des.patch
Normal file
74
openvpn/patches/220-disable_des.patch
Normal file
|
@ -0,0 +1,74 @@
|
||||||
|
--- a/src/openvpn/syshead.h
|
||||||
|
+++ b/src/openvpn/syshead.h
|
||||||
|
@@ -572,7 +572,7 @@ socket_defined(const socket_descriptor_t
|
||||||
|
/*
|
||||||
|
* Should we include NTLM proxy functionality
|
||||||
|
*/
|
||||||
|
-#define NTLM 1
|
||||||
|
+//#define NTLM 1
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Should we include proxy digest auth functionality
|
||||||
|
--- a/src/openvpn/crypto_mbedtls.c
|
||||||
|
+++ b/src/openvpn/crypto_mbedtls.c
|
||||||
|
@@ -396,6 +396,7 @@ int
|
||||||
|
key_des_num_cblocks(const mbedtls_cipher_info_t *kt)
|
||||||
|
{
|
||||||
|
int ret = 0;
|
||||||
|
+#ifdef MBEDTLS_DES_C
|
||||||
|
if (kt->type == MBEDTLS_CIPHER_DES_CBC)
|
||||||
|
{
|
||||||
|
ret = 1;
|
||||||
|
@@ -408,6 +409,7 @@ key_des_num_cblocks(const mbedtls_cipher
|
||||||
|
{
|
||||||
|
ret = 3;
|
||||||
|
}
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
dmsg(D_CRYPTO_DEBUG, "CRYPTO INFO: n_DES_cblocks=%d", ret);
|
||||||
|
return ret;
|
||||||
|
@@ -416,6 +418,7 @@ key_des_num_cblocks(const mbedtls_cipher
|
||||||
|
bool
|
||||||
|
key_des_check(uint8_t *key, int key_len, int ndc)
|
||||||
|
{
|
||||||
|
+#ifdef MBEDTLS_DES_C
|
||||||
|
int i;
|
||||||
|
struct buffer b;
|
||||||
|
|
||||||
|
@@ -444,11 +447,15 @@ key_des_check(uint8_t *key, int key_len,
|
||||||
|
|
||||||
|
err:
|
||||||
|
return false;
|
||||||
|
+#else
|
||||||
|
+ return true;
|
||||||
|
+#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
key_des_fixup(uint8_t *key, int key_len, int ndc)
|
||||||
|
{
|
||||||
|
+#ifdef MBEDTLS_DES_C
|
||||||
|
int i;
|
||||||
|
struct buffer b;
|
||||||
|
|
||||||
|
@@ -463,6 +470,7 @@ key_des_fixup(uint8_t *key, int key_len,
|
||||||
|
}
|
||||||
|
mbedtls_des_key_set_parity(key);
|
||||||
|
}
|
||||||
|
+#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -783,10 +791,12 @@ cipher_des_encrypt_ecb(const unsigned ch
|
||||||
|
unsigned char *src,
|
||||||
|
unsigned char *dst)
|
||||||
|
{
|
||||||
|
+#ifdef MBEDTLS_DES_C
|
||||||
|
mbedtls_des_context ctx;
|
||||||
|
|
||||||
|
ASSERT(mbed_ok(mbedtls_des_setkey_enc(&ctx, key)));
|
||||||
|
ASSERT(mbed_ok(mbedtls_des_crypt_ecb(&ctx, src, dst)));
|
||||||
|
+#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
|
290
openvpn/patches/900-add_mptcp_support.patch
Normal file
290
openvpn/patches/900-add_mptcp_support.patch
Normal file
|
@ -0,0 +1,290 @@
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
|
index 2f5f6bc7..d15c0910 100644
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -293,6 +293,12 @@ AC_ARG_WITH(
|
||||||
|
[with_openssl_engine="auto"]
|
||||||
|
)
|
||||||
|
|
||||||
|
+AC_ARG_WITH(mptcp,
|
||||||
|
+ [AS_HELP_STRING([--without-mptcp],[Disable Multipath TCP support])],
|
||||||
|
+ [enable_mptcp=no],
|
||||||
|
+ [enable_mptcp=yes]
|
||||||
|
+)
|
||||||
|
+
|
||||||
|
AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@])
|
||||||
|
if test -n "${PLUGINDIR}"; then
|
||||||
|
plugindir="${PLUGINDIR}"
|
||||||
|
@@ -846,6 +852,22 @@ PKG_CHECK_MODULES(
|
||||||
|
[]
|
||||||
|
)
|
||||||
|
|
||||||
|
+dnl
|
||||||
|
+dnl Checking Multipath TCP support on Linux
|
||||||
|
+dnl
|
||||||
|
+case "$host" in
|
||||||
|
+ *-*-linux*)
|
||||||
|
+ AC_MSG_CHECKING([Multipath TCP support ])
|
||||||
|
+ AS_IF([test "x$enable_mptcp" != xno],
|
||||||
|
+ [AC_DEFINE([ENABLE_MPTCP], [1],
|
||||||
|
+ [AC_MSG_RESULT([Multipath TCP is enabled on this system])] )],
|
||||||
|
+ [ AC_MSG_RESULT([Multipath TCP is not enabled. On Linux, you need a kernel >= 5.15 and ensure that sysctl.net.mptcp_enabled is set to 1]) ],
|
||||||
|
+ )
|
||||||
|
+ ;;
|
||||||
|
+esac
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+
|
||||||
|
if test "${with_crypto_library}" = "openssl"; then
|
||||||
|
AC_ARG_VAR([OPENSSL_CFLAGS], [C compiler flags for OpenSSL])
|
||||||
|
AC_ARG_VAR([OPENSSL_LIBS], [linker flags for OpenSSL])
|
||||||
|
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
|
||||||
|
index be8ff80f..b4fe11e2 100644
|
||||||
|
--- a/src/openvpn/init.c
|
||||||
|
+++ b/src/openvpn/init.c
|
||||||
|
@@ -3449,6 +3449,9 @@ do_init_socket_1(struct context *c, const int mode)
|
||||||
|
c->c1.socks_proxy,
|
||||||
|
#ifdef ENABLE_DEBUG
|
||||||
|
c->options.gremlin,
|
||||||
|
+#endif
|
||||||
|
+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP)
|
||||||
|
+ c->options.enable_mptcp,
|
||||||
|
#endif
|
||||||
|
c->options.ce.bind_local,
|
||||||
|
c->options.ce.remote_float,
|
||||||
|
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
|
||||||
|
index 20d1273f..3222fda6 100644
|
||||||
|
--- a/src/openvpn/options.c
|
||||||
|
+++ b/src/openvpn/options.c
|
||||||
|
@@ -130,6 +130,9 @@ static const char usage_message[] =
|
||||||
|
" udp6, tcp6-server, tcp6-client\n"
|
||||||
|
"--proto-force p : only consider protocol p in list of connection profiles.\n"
|
||||||
|
" p = udp or tcp\n"
|
||||||
|
+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP)
|
||||||
|
+ "--mptcp : Enable Multipath TCP on the TCP connections.\n"
|
||||||
|
+#endif
|
||||||
|
"--connect-retry n [m] : For client, number of seconds to wait between\n"
|
||||||
|
" connection retries (default=%d). On repeated retries\n"
|
||||||
|
" the wait time is exponentially increased to a maximum of m\n"
|
||||||
|
@@ -903,6 +906,11 @@ init_options(struct options *o, const bool init_gc)
|
||||||
|
}
|
||||||
|
#endif /* _WIN32 */
|
||||||
|
o->allow_recursive_routing = false;
|
||||||
|
+
|
||||||
|
+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP)
|
||||||
|
+ o->enable_mptcp = false;
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
@@ -8834,6 +8842,18 @@ add_option(struct options *options,
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP)
|
||||||
|
+ else if (streq(p[0], "mptcp"))
|
||||||
|
+ {
|
||||||
|
+ VERIFY_PERMISSION(OPT_P_GENERAL);
|
||||||
|
+ if (p[1])
|
||||||
|
+ {
|
||||||
|
+ msg(msglevel, "--mptcp does not accept any parameters");
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+ options->enable_mptcp = true;
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
else
|
||||||
|
{
|
||||||
|
int i;
|
||||||
|
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
|
||||||
|
index 37220904..465eff52 100644
|
||||||
|
--- a/src/openvpn/options.h
|
||||||
|
+++ b/src/openvpn/options.h
|
||||||
|
@@ -430,6 +430,9 @@ struct options
|
||||||
|
#define SF_NO_PUSH_ROUTE_GATEWAY (1<<2)
|
||||||
|
unsigned int server_flags;
|
||||||
|
|
||||||
|
+#ifdef ENABLE_MPTCP
|
||||||
|
+ bool enable_mptcp;
|
||||||
|
+#endif
|
||||||
|
bool server_bridge_proxy_dhcp;
|
||||||
|
|
||||||
|
bool server_bridge_defined;
|
||||||
|
diff --git a/src/openvpn/ps.c b/src/openvpn/ps.c
|
||||||
|
index e79cb0d3..754cdfc5 100644
|
||||||
|
--- a/src/openvpn/ps.c
|
||||||
|
+++ b/src/openvpn/ps.c
|
||||||
|
@@ -39,6 +39,14 @@
|
||||||
|
|
||||||
|
#include "memdbg.h"
|
||||||
|
|
||||||
|
+
|
||||||
|
+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP)
|
||||||
|
+#ifndef IPPROTO_MPTCP
|
||||||
|
+#define IPPROTO_MPTCP 262
|
||||||
|
+#endif
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+
|
||||||
|
struct port_share *port_share = NULL; /* GLOBAL */
|
||||||
|
|
||||||
|
/* size of i/o buffers */
|
||||||
|
@@ -427,7 +435,11 @@ proxy_entry_new(struct proxy_connection **list,
|
||||||
|
struct proxy_connection *cp;
|
||||||
|
|
||||||
|
/* connect to port share server */
|
||||||
|
+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP)
|
||||||
|
+ if ((sd_server = socket(PF_INET, SOCK_STREAM, IPPROTO_MPTCP)) < 0)
|
||||||
|
+#else
|
||||||
|
if ((sd_server = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
|
||||||
|
+#endif
|
||||||
|
{
|
||||||
|
msg(M_WARN|M_ERRNO, "PORT SHARE PROXY: cannot create socket");
|
||||||
|
return false;
|
||||||
|
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
|
||||||
|
index 28fabe76..e7242020 100644
|
||||||
|
--- a/src/openvpn/socket.c
|
||||||
|
+++ b/src/openvpn/socket.c
|
||||||
|
@@ -55,6 +55,12 @@ const int proto_overhead[] = { /* indexed by PROTO_x */
|
||||||
|
IPv6_TCP_HEADER_SIZE,
|
||||||
|
};
|
||||||
|
|
||||||
|
+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP)
|
||||||
|
+#ifndef IPPROTO_MPTCP
|
||||||
|
+#define IPPROTO_MPTCP 262
|
||||||
|
+#endif
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* Convert sockflags/getaddr_flags into getaddr_flags
|
||||||
|
*/
|
||||||
|
@@ -1093,6 +1099,39 @@ create_socket_udp(struct addrinfo *addrinfo, const unsigned int flags)
|
||||||
|
return sd;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP)
|
||||||
|
+socket_descriptor_t
|
||||||
|
+create_socket_mptcp(struct addrinfo *addrinfo)
|
||||||
|
+{
|
||||||
|
+ socket_descriptor_t sd;
|
||||||
|
+
|
||||||
|
+ ASSERT(addrinfo);
|
||||||
|
+ ASSERT(addrinfo->ai_socktype == SOCK_STREAM);
|
||||||
|
+ addrinfo->ai_protocol = IPPROTO_MPTCP;
|
||||||
|
+ if ((sd = socket(addrinfo->ai_family, addrinfo->ai_socktype, addrinfo->ai_protocol)) < 0)
|
||||||
|
+ {
|
||||||
|
+ msg(M_ERR, "Cannot create MPTCP socket");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ {
|
||||||
|
+ int on = 1;
|
||||||
|
+ if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR,
|
||||||
|
+ (void *) &on, sizeof(on)) < 0)
|
||||||
|
+ {
|
||||||
|
+ msg(M_ERR, "TCP: Cannot setsockopt SO_REUSEADDR on TCP socket");
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* set socket file descriptor to not pass across execs, so that
|
||||||
|
+ * scripts don't have access to it */
|
||||||
|
+ set_cloexec(sd);
|
||||||
|
+
|
||||||
|
+ return sd;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+
|
||||||
|
static void
|
||||||
|
bind_local(struct link_socket *sock, const sa_family_t ai_family)
|
||||||
|
{
|
||||||
|
@@ -1136,6 +1175,21 @@ create_socket(struct link_socket *sock, struct addrinfo *addr)
|
||||||
|
}
|
||||||
|
else if (addr->ai_protocol == IPPROTO_TCP || addr->ai_socktype == SOCK_STREAM)
|
||||||
|
{
|
||||||
|
+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP)
|
||||||
|
+ if(sock->info.multipath)
|
||||||
|
+ {
|
||||||
|
+ sock->sd = create_socket_mptcp(addr);
|
||||||
|
+ // Multipath TCP could fail because it is not enabled on this host
|
||||||
|
+ // Try regular TCP
|
||||||
|
+ if(sock->sd == -1)
|
||||||
|
+ {
|
||||||
|
+
|
||||||
|
+ msg(M_NONFATAL, "Can't resolve MPTCP socket, fallback to TCP !");
|
||||||
|
+ sock->sd = create_socket_tcp(addr);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ else
|
||||||
|
+#endif
|
||||||
|
sock->sd = create_socket_tcp(addr);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
@@ -1891,6 +1945,9 @@ link_socket_init_phase1(struct link_socket *sock,
|
||||||
|
struct socks_proxy_info *socks_proxy,
|
||||||
|
#ifdef ENABLE_DEBUG
|
||||||
|
int gremlin,
|
||||||
|
+#endif
|
||||||
|
+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP)
|
||||||
|
+ bool enable_mptcp,
|
||||||
|
#endif
|
||||||
|
bool bind_local,
|
||||||
|
bool remote_float,
|
||||||
|
@@ -1920,7 +1977,11 @@ link_socket_init_phase1(struct link_socket *sock,
|
||||||
|
sock->inetd = inetd;
|
||||||
|
sock->resolve_retry_seconds = resolve_retry_seconds;
|
||||||
|
sock->mtu_discover_type = mtu_discover_type;
|
||||||
|
-
|
||||||
|
+
|
||||||
|
+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP)
|
||||||
|
+ sock->info.multipath = enable_mptcp;
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
#ifdef ENABLE_DEBUG
|
||||||
|
sock->gremlin = gremlin;
|
||||||
|
#endif
|
||||||
|
@@ -2305,7 +2366,7 @@ link_socket_init_phase2(struct link_socket *sock,
|
||||||
|
/* If a valid remote has been found, create the socket with its addrinfo */
|
||||||
|
if (sock->info.lsa->current_remote)
|
||||||
|
{
|
||||||
|
- create_socket(sock, sock->info.lsa->current_remote);
|
||||||
|
+ create_socket(sock, sock->info.lsa->current_remote);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* If socket has not already been created create it now */
|
||||||
|
diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h
|
||||||
|
index 2ad6155f..0dcb0655 100644
|
||||||
|
--- a/src/openvpn/socket.h
|
||||||
|
+++ b/src/openvpn/socket.h
|
||||||
|
@@ -120,6 +120,9 @@ struct link_socket_info
|
||||||
|
sa_family_t af; /* Address family like AF_INET, AF_INET6 or AF_UNSPEC*/
|
||||||
|
bool bind_ipv6_only;
|
||||||
|
int mtu_changed; /* Set to true when mtu value is changed */
|
||||||
|
+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP)
|
||||||
|
+ bool multipath;
|
||||||
|
+#endif
|
||||||
|
};
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -315,6 +318,9 @@ link_socket_init_phase1(struct link_socket *sock,
|
||||||
|
struct socks_proxy_info *socks_proxy,
|
||||||
|
#ifdef ENABLE_DEBUG
|
||||||
|
int gremlin,
|
||||||
|
+#endif
|
||||||
|
+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP)
|
||||||
|
+ bool enable_mptcp,
|
||||||
|
#endif
|
||||||
|
bool bind_local,
|
||||||
|
bool remote_float,
|
||||||
|
@@ -476,6 +482,10 @@ bool ipv6_addr_safe(const char *ipv6_text_addr);
|
||||||
|
|
||||||
|
socket_descriptor_t create_socket_tcp(struct addrinfo *);
|
||||||
|
|
||||||
|
+#ifdef ENABLE_MPTCP
|
||||||
|
+socket_descriptor_t create_socket_mptcp(struct addrinfo *);
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
socket_descriptor_t socket_do_accept(socket_descriptor_t sd,
|
||||||
|
struct link_socket_actual *act,
|
||||||
|
const bool nowait);
|
10
openvpn/test.sh
Executable file
10
openvpn/test.sh
Executable file
|
@ -0,0 +1,10 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
case "$1" in
|
||||||
|
"openvpn-mbedtls")
|
||||||
|
openvpn --version | grep "$2.*SSL (mbed TLS)"
|
||||||
|
;;
|
||||||
|
"openvpn-openssl"|"openvpn-wolfssl")
|
||||||
|
openvpn --version | grep "$2.*SSL (OpenSSL)"
|
||||||
|
;;
|
||||||
|
esac
|
Loading…
Add table
Add a link
Reference in a new issue