|
|
- #!/bin/sh /etc/rc.common
-
- SERVICE_USE_PID=1
-
- START=50
-
- setup_config() {
- config_get port $1 port "4443"
- config_get max_clients $1 max_clients "8"
- config_get max_same $1 max_same "2"
- config_get dpd $1 dpd "120"
- config_get predictable_ips $1 predictable_ips "1"
- config_get compression $1 compression "0"
- config_get udp $1 udp "1"
- config_get auth $1 auth "plain"
- config_get cisco_compat $1 cisco_compat "1"
- config_get ipaddr $1 ipaddr "192.168.100.0"
- config_get netmask $1 netmask "255.255.255.0"
- config_get ip6addr $1 ip6addr ""
- config_get default_domain $1 default_domain ""
-
- enable_default_domain="#"
- enable_udp="#"
- enable_compression="#"
- test $predictable_ips = "0" && predictable_ips="false"
- test $predictable_ips = "1" && predictable_ips="true"
- test $cisco_compat = "0" && cisco_compat="false"
- test $cisco_compat = "1" && cisco_compat="true"
- test $udp = "1" && enable_udp=""
- test $compression = "1" && enable_compression=""
- test -z $default_domain && enable_default_domain=""
- test -z $ip6addr && enable_ipv6="#"
-
- ipv6_addr=`echo $ip6addr|cut -d '/' -f 1`
- ipv6_prefix=`echo $ip6addr|cut -d '/' -f 2`
-
- test $auth = "plain" && authsuffix="\[passwd=/var/etc/ocpasswd\]"
-
- dyndns="false"
- hostname=`uci show ddns 2>/dev/null|grep domain|head -1|cut -d '=' -f 2`
- [ -n "$hostname" ] && dyndns="true"
-
- mkdir -p /var/etc
- sed -e "s/|PORT|/$port/g" \
- -e "s/|MAX_CLIENTS|/$max_clients/g" \
- -e "s/|MAX_SAME|/$max_same/g" \
- -e "s/|DPD|/$dpd/g" \
- -e "s#|AUTH|#$auth$authsuffix#g" \
- -e "s#|DYNDNS|#$dyndns#g" \
- -e "s/|PREDICTABLE_IPS|/$predictable_ips/g" \
- -e "s/|DEFAULT_DOMAIN|/$default_domain/g" \
- -e "s/|ENABLE_DEFAULT_DOMAIN|/$enable_default_domain/g" \
- -e "s/|CISCO_COMPAT|/$cisco_compat/g" \
- -e "s/|UDP|/$enable_udp/g" \
- -e "s/|COMPRESSION|/$enable_compression/g" \
- -e "s/|IPV4ADDR|/$ipaddr/g" \
- -e "s/|NETMASK|/$netmask/g" \
- -e "s/|IPV6ADDR|/$ipv6_addr/g" \
- -e "s/|IPV6PREFIX|/$ipv6_prefix/g" \
- -e "s/|ENABLE_IPV6|/$enable_ipv6/g" \
- /etc/ocserv/ocserv.conf.template > /var/etc/ocserv.conf
- }
-
- setup_users() {
- local name
- local group
- local password
-
- config_get name $1 name
- config_get group $1 group '*'
- config_get password $1 password
-
- [ -z "$name" -o -z "$password" ] && return
-
- echo "$name:$group:$password" >> /var/etc/ocpasswd
- }
-
- setup_routes() {
- local routes
-
- config_get ip $1 ip
- config_get netmask $1 netmask
-
- [ -z "$ip" -o -z "$netmask" ] && return
-
- echo "route = $ip/$netmask" >> /var/etc/ocserv.conf
- }
-
- setup_dns() {
- local routes
-
- config_get ip $1 ip
-
- [ -z "$ip" ] && return
-
- echo "dns = $ip" >> /var/etc/ocserv.conf
- }
-
- start() {
- local hostname iface
-
- hostname=`uci show ddns 2>/dev/null|grep domain|head -1|cut -d '=' -f 2`
- [ -z "$hostname" ] && hostname=`uci get system.@system[0].hostname 2>/dev/null`
-
- [ -f /etc/config/ocserv-dir/ca-key.pem ] && mv /etc/config/ocserv-dir/ca-key.pem /etc/ocserv/ca-key.pem
- [ -f /etc/config/ocserv-dir/ca.pem ] && mv /etc/config/ocserv-dir/ca.pem /etc/ocserv/ca.pem
- [ -f /etc/config/ocserv-dir/server-key.pem ] && mv /etc/config/ocserv-dir/server-key.pem /etc/ocserv/server-key.pem
- [ -f /etc/config/ocserv-dir/server-cert.pem ] && mv /etc/config/ocserv-dir/server-cert.pem /etc/ocserv/server-cert.pem
- [ -d /etc/config/ocserv-dir ] && rmdir /etc/config/ocserv-dir
-
- [ ! -f /etc/ocserv/ca-key.pem ] && [ -x /usr/bin/certtool ] && {
- logger -t ocserv "Generating CA certificate..."
- mkdir -p /etc/ocserv/pki/
- certtool --bits 2048 --generate-privkey --outfile /etc/ocserv/ca-key.pem >/dev/null 2>&1
- echo "cn=$hostname CA" >/etc/ocserv/pki/ca.tmpl
- echo "expiration_days=-1" >>/etc/ocserv/pki/ca.tmpl
- echo "serial=1" >>/etc/ocserv/pki/ca.tmpl
- echo "ca" >>/etc/ocserv/pki/ca.tmpl
- echo "cert_signing_key" >>/etc/ocserv/pki/ca.tmpl
-
- certtool --template /etc/ocserv/pki/ca.tmpl \
- --generate-self-signed --load-privkey /etc/ocserv/ca-key.pem \
- --outfile /etc/ocserv/ca.pem >/dev/null 2>&1
- }
-
- #generate server certificate/key
- [ ! -f /etc/ocserv/server-key.pem ] && [ -x /usr/bin/certtool ] && {
- logger -t ocserv "Generating server certificate..."
- mkdir -p /etc/ocserv/pki/
- certtool --bits 2048 --generate-privkey --outfile /etc/ocserv/server-key.pem >/dev/null 2>&1
- echo "cn=$hostname" >/etc/ocserv/pki/server.tmpl
- echo "serial=2" >>/etc/ocserv/pki/server.tmpl
- echo "expiration_days=-1" >>/etc/ocserv/pki/server.tmpl
- echo "signing_key" >>/etc/ocserv/pki/server.tmpl
- echo "encryption_key" >>/etc/ocserv/pki/server.tmpl
- certtool --template /etc/ocserv/pki/server.tmpl \
- --generate-certificate --load-privkey /etc/ocserv/server-key.pem \
- --load-ca-certificate /etc/ocserv/ca.pem --load-ca-privkey \
- /etc/ocserv/ca-key.pem --outfile /etc/ocserv/server-cert.pem >/dev/null 2>&1
- }
-
- [ -f /var/run/ocserv.pid ] || {
- touch /var/run/ocserv.pid
- chown ocserv:ocserv /var/run/ocserv.pid
- }
- [ -d /var/lib/ocserv ] || {
- mkdir -m 0755 -p /var/lib/ocserv
- chmod 0700 /var/lib/ocserv
- chown ocserv:ocserv /var/lib/ocserv
- }
-
- config_load "ocserv"
-
- rm -f /var/etc/ocserv.conf
- touch /var/etc/ocserv.conf
- setup_config config
- config_foreach setup_routes routes
- config_foreach setup_dns dns
-
- rm -f /var/etc/ocpasswd
- touch /var/etc/ocpasswd
- chmod 600 /var/etc/ocpasswd
- config_foreach setup_users ocservusers
-
- service_start /usr/sbin/ocserv -c /var/etc/ocserv.conf
- }
-
- stop() {
- service_stop /usr/sbin/ocserv
- }
-
- reload() {
- rm -f /var/etc/ocpasswd
- touch /var/etc/ocpasswd
- chmod 600 /var/etc/ocpasswd
- config_foreach setup_users ocservusers
-
- /usr/bin/occtl show status >/dev/null 2>&1
- if test $? != 0;then
- start
- else
- /usr/bin/occtl reload
- fi
- }
|