  1. #!/bin/sh /etc/rc.common
  2. SERVICE_USE_PID=1
  3. START=50
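#######################################
# Render /var/etc/ocserv.conf from /etc/ocserv/ocserv.conf.template by
# replacing every |TOKEN| placeholder with a value from the UCI section
# named in $1 (start() calls this as `setup_config config`).
# Globals:   none written; every variable is local so nothing leaks into
#            the caller or survives into a second call.
# Arguments: $1 - UCI section name
# Outputs:   overwrites /var/etc/ocserv.conf
# Returns:   status of the final sed
#######################################
setup_config() {
  local section="$1"
  local port max_clients max_same dpd predictable_ips udp auth cisco_compat
  local ipaddr netmask ip6addr ipv6_addr ipv6_prefix enable_ipv6 authsuffix
  local dyndns

  config_get port "$section" port "4443"
  config_get max_clients "$section" max_clients "8"
  config_get max_same "$section" max_same "2"
  config_get dpd "$section" dpd "120"
  config_get predictable_ips "$section" predictable_ips "1"
  config_get udp "$section" udp "1"
  config_get auth "$section" auth "plain"
  config_get cisco_compat "$section" cisco_compat "1"
  config_get ipaddr "$section" ipaddr "192.168.100.0"
  config_get netmask "$section" netmask "255.255.255.0"
  config_get ip6addr "$section" ip6addr ""

  # UCI booleans (0/1) become the true/false words the template expects;
  # any other value is passed through unchanged. Quoted case patterns
  # avoid the "unary operator expected" failure an empty value would
  # cause in an unquoted test.
  case "$predictable_ips" in
    0) predictable_ips="false" ;;
    1) predictable_ips="true" ;;
  esac
  case "$cisco_compat" in
    0) cisco_compat="false" ;;
    1) cisco_compat="true" ;;
  esac
  # |UDP| is replaced by "#" (commenting the template line out) or by
  # nothing (leaving it active).
  case "$udp" in
    0) udp="#" ;;
    1) udp="" ;;
  esac

  # Same trick for IPv6: no ip6addr configured -> |ENABLE_IPV6| becomes "#".
  enable_ipv6=""
  [ -z "$ip6addr" ] && enable_ipv6="#"
  # Split "addr/prefix". With no "/" both halves are the whole string,
  # exactly as the previous `cut -d / -f 1` / `-f 2` produced.
  ipv6_addr=${ip6addr%%/*}
  ipv6_prefix=${ip6addr#*/}

  # For plain auth, point ocserv at the password file written by
  # setup_users. Kept byte-for-byte: this string is a sed replacement,
  # where \[ and \] come out as plain brackets.
  authsuffix=""
  [ "$auth" = "plain" ] && authsuffix="\[/var/etc/ocpasswd\]"

  # A configured ddns domain switches the dyndns option on. uci prints an
  # error when no ddns config exists; that case simply means "false", so
  # the noise is suppressed.
  dyndns="false"
  if uci show ddns 2>/dev/null | grep -q domain; then
    dyndns="true"
  fi

  mkdir -p /var/etc
  # The values are spliced into the sed expressions unescaped: a "/" (or
  # "#" in the two #-delimited rules), "&" or "\" inside one would corrupt
  # the substitution. ip6addr is safe because its "/" is split off above;
  # the remaining options are numbers, booleans or dotted addresses.
  sed -e "s/|PORT|/$port/g" \
    -e "s/|MAX_CLIENTS|/$max_clients/g" \
    -e "s/|MAX_SAME|/$max_same/g" \
    -e "s/|DPD|/$dpd/g" \
    -e "s#|AUTH|#$auth$authsuffix#g" \
    -e "s#|DYNDNS|#$dyndns#g" \
    -e "s/|PREDICTABLE_IPS|/$predictable_ips/g" \
    -e "s/|CISCO_COMPAT|/$cisco_compat/g" \
    -e "s/|UDP|/$udp/g" \
    -e "s/|IPV4ADDR|/$ipaddr/g" \
    -e "s/|NETMASK|/$netmask/g" \
    -e "s/|IPV6ADDR|/$ipv6_addr/g" \
    -e "s/|IPV6PREFIX|/$ipv6_prefix/g" \
    -e "s/|ENABLE_IPV6|/$enable_ipv6/g" \
    /etc/ocserv/ocserv.conf.template > /var/etc/ocserv.conf
}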
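#######################################
# Append one "name:group:password" line to /var/etc/ocpasswd for the
# ocservusers section named in $1 (invoked through config_foreach).
# Sections without a name or a password are skipped; an empty group is
# written as "*".
# Arguments: $1 - UCI section name
# Outputs:   appends to /var/etc/ocpasswd
# Returns:   0 (also when the section is skipped)
#######################################
setup_users() {
  local name group password
  config_get name "$1" name
  config_get group "$1" group
  config_get password "$1" password
  [ -z "$group" ] && group='*'
  # Skip incomplete entries instead of writing a malformed line.
  if [ -z "$name" ] || [ -z "$password" ]; then
    return 0
  fi
  # printf rather than echo: the fields are written verbatim even if a
  # value starts with "-" or contains backslashes. NOTE(review): the
  # password option is copied as-is; confirm whether the UCI option is
  # meant to hold a hash or cleartext, since the file is fed to ocserv's
  # plain auth backend.
  printf '%s:%s:%s\n' "$name" "$group" "$password" >> /var/etc/ocpasswd
}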
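#######################################
# Append a "route = ip/netmask" line to /var/etc/ocserv.conf for the
# routes section named in $1 (invoked through config_foreach).
# Arguments: $1 - UCI section name
# Outputs:   appends to /var/etc/ocserv.conf
# Returns:   0 (also when the section is incomplete and skipped)
#######################################
setup_routes() {
  # Both variables are local: the old code left "ip" and "netmask" as
  # globals, clobbering the netmask setup_config had read.
  local ip netmask
  config_get ip "$1" ip
  config_get netmask "$1" netmask
  if [ -z "$ip" ] || [ -z "$netmask" ]; then
    return 0
  fi
  printf 'route = %s/%s\n' "$ip" "$netmask" >> /var/etc/ocserv.conf
}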
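#######################################
# Append a "dns = ip" line to /var/etc/ocserv.conf for the dns section
# named in $1 (invoked through config_foreach).
# Arguments: $1 - UCI section name
# Outputs:   appends to /var/etc/ocserv.conf
# Returns:   0 (also when the section has no ip and is skipped)
#######################################
setup_dns() {
  # "ip" is local here; the old code leaked it as a global and declared an
  # unused "routes" instead.
  local ip
  config_get ip "$1" ip
  [ -n "$ip" ] || return 0
  printf 'dns = %s\n' "$ip" >> /var/etc/ocserv.conf
}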
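#######################################
# Print the host name used as certificate CN: the first ddns domain if one
# is configured, otherwise the system hostname.
# Outputs:   the host name on stdout
#######################################
ocserv_cert_hostname() {
  local hostname
  # Field 2 is the option's value; the old `-f 1` picked the uci key path
  # ("ddns.<section>.domain") instead of the domain.
  hostname=$(uci show ddns 2>/dev/null | grep domain | head -1 | cut -d '=' -f 2-)
  # Newer uci quotes values ('example.org'); strip such quotes if present.
  hostname=${hostname#\'}
  hostname=${hostname%\'}
  [ -n "$hostname" ] || hostname=$(uci get system.@system[0].hostname)
  printf '%s\n' "$hostname"
}

#######################################
# Create a self-signed CA (key + certificate) under /etc/ocserv when no CA
# key exists yet and certtool is installed; otherwise do nothing.
# Arguments: $1 - CN of the CA certificate
# Outputs:   /etc/ocserv/ca-key.pem, /etc/ocserv/ca.pem, pki/ca.tmpl
#######################################
ocserv_gen_ca() {
  [ ! -f /etc/ocserv/ca-key.pem ] && [ -x /usr/bin/certtool ] || return 0
  logger -t ocserv "Generating CA certificate..."
  mkdir -p /etc/ocserv/pki/
  # Nothing in this script other than the signing step below reads the CA
  # key, so it is created unreadable to other users. Failures are logged
  # instead of silently discarded so a broken PKI is visible in syslog.
  (umask 077; certtool --bits 2048 --generate-privkey \
    --outfile /etc/ocserv/ca-key.pem >/dev/null 2>&1) \
    || logger -t ocserv "CA key generation failed"
  {
    printf 'cn=%s CA\n' "$1"
    # expiration_days=-1 means the CA never expires; rotation is done by
    # deleting the files so this block regenerates them.
    printf 'expiration_days=-1\n'
    printf 'serial=1\n'
    printf 'ca\n'
    printf 'cert_signing_key\n'
  } > /etc/ocserv/pki/ca.tmpl
  certtool --template /etc/ocserv/pki/ca.tmpl \
    --generate-self-signed --load-privkey /etc/ocserv/ca-key.pem \
    --outfile /etc/ocserv/ca.pem >/dev/null 2>&1 \
    || logger -t ocserv "CA certificate generation failed"
}

#######################################
# Create the server key and a CA-signed server certificate when no server
# key exists yet and certtool is installed; otherwise do nothing.
# Arguments: $1 - CN of the server certificate (the name clients connect to)
# Outputs:   /etc/ocserv/server-key.pem, /etc/ocserv/server-cert.pem,
#            pki/server.tmpl
#######################################
ocserv_gen_server_cert() {
  [ ! -f /etc/ocserv/server-key.pem ] && [ -x /usr/bin/certtool ] || return 0
  logger -t ocserv "Generating server certificate..."
  mkdir -p /etc/ocserv/pki/
  # NOTE(review): the server key is written with the current umask; confirm
  # the mode ocserv needs to read it and tighten it if it ends up
  # world-readable.
  certtool --bits 2048 --generate-privkey \
    --outfile /etc/ocserv/server-key.pem >/dev/null 2>&1 \
    || logger -t ocserv "server key generation failed"
  {
    printf 'cn=%s\n' "$1"
    printf 'serial=2\n'
    printf 'expiration_days=-1\n'
    printf 'signing_key\n'
    printf 'encryption_key\n'
  } > /etc/ocserv/pki/server.tmpl
  certtool --template /etc/ocserv/pki/server.tmpl \
    --generate-certificate --load-privkey /etc/ocserv/server-key.pem \
    --load-ca-certificate /etc/ocserv/ca.pem \
    --load-ca-privkey /etc/ocserv/ca-key.pem \
    --outfile /etc/ocserv/server-cert.pem >/dev/null 2>&1 \
    || logger -t ocserv "server certificate generation failed"
}

#######################################
# rc.common "start" action: generate missing PKI material, rebuild the
# runtime config and password file from UCI, then launch ocserv.
# Globals:   reads the "ocserv" UCI config via config_load
# Outputs:   /var/etc/ocserv.conf, /var/etc/ocpasswd, /var/run/ocserv.pid,
#            /var/lib/ocserv
#######################################
start() {
  local hostname
  hostname=$(ocserv_cert_hostname)
  ocserv_gen_ca "$hostname"
  ocserv_gen_server_cert "$hostname"

  # The pid file is handed to the ocserv user. SERVICE_USE_PID is set at
  # the top of this file, so rc.common's service_stop is expected to act
  # on a pid file; NOTE(review): if it is this one, an unprivileged ocserv
  # process controls which pid gets signalled — confirm ocserv really has
  # to own it.
  [ -f /var/run/ocserv.pid ] || {
    touch /var/run/ocserv.pid
    chown ocserv:ocserv /var/run/ocserv.pid
  }
  [ -d /var/lib/ocserv ] || {
    mkdir -m 0755 -p /var/lib/ocserv
    chmod 0700 /var/lib/ocserv
    chown ocserv:ocserv /var/lib/ocserv
  }

  config_load "ocserv"
  # Rebuild the runtime config from scratch: setup_config renders the
  # template, then every routes/dns section appends one line.
  rm -f /var/etc/ocserv.conf
  touch /var/etc/ocserv.conf
  setup_config config
  config_foreach setup_routes routes
  config_foreach setup_dns dns
  # Password file: mode 600 is applied while the file is still empty, so no
  # entry is ever exposed under a looser mode.
  rm -f /var/etc/ocpasswd
  touch /var/etc/ocpasswd
  chmod 600 /var/etc/ocpasswd
  config_foreach setup_users ocservusers
  service_start /usr/sbin/ocserv -c /var/etc/ocserv.conf
}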
#######################################
# rc.common "stop" action: terminate the running ocserv instance through
# rc.common's service_stop helper.
#######################################
stop() { service_stop /usr/sbin/ocserv; }
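#######################################
# rc.common "reload" action: regenerate the password file from UCI, then
# ask a running ocserv to re-read its configuration; when none is running,
# fall back to start().
# Globals:   reads the "ocserv" UCI config via config_load
# Outputs:   /var/etc/ocpasswd
#######################################
reload() {
  # start() loads the config before iterating sections; do the same here,
  # since config_foreach only walks sections that config_load has read.
  # Without it the password file was truncated and no user re-added.
  config_load "ocserv"
  # Mode 600 is applied while the file is still empty, before any entry is
  # appended.
  rm -f /var/etc/ocpasswd
  touch /var/etc/ocpasswd
  chmod 600 /var/etc/ocpasswd
  config_foreach setup_users ocservusers
  if /usr/bin/occtl show status >/dev/null 2>&1; then
    /usr/bin/occtl reload
  else
    start
  fi
}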