From d16359b96e8e574925af1af42e08777624aceb3a Mon Sep 17 00:00:00 2001
From: Daniel Gimpelevich
Date: Fri, 6 Feb 2015 14:07:29 -0800
Subject: [PATCH] vpnc: initial import

Signed-off-by: Daniel Gimpelevich
---
 net/vpnc/Config.in | 18 ++++++
 net/vpnc/Makefile | 94 ++++++++++++++++++++++++++++++
 net/vpnc/README | 39 +++++++++++++
 net/vpnc/files/vpnc.sh | 98 ++++++++++++++++++++++++++++++++
 net/vpnc/files/vpnc.upgrade | 2 +
 net/vpnc/patches/001-cross.patch | 42 ++++++++++++++
 6 files changed, 293 insertions(+)
 create mode 100644 net/vpnc/Config.in
 create mode 100644 net/vpnc/Makefile
 create mode 100644 net/vpnc/README
 create mode 100755 net/vpnc/files/vpnc.sh
 create mode 100644 net/vpnc/files/vpnc.upgrade
 create mode 100644 net/vpnc/patches/001-cross.patch

diff --git a/net/vpnc/Config.in b/net/vpnc/Config.in
new file mode 100644
index 000000000..5eacd9782
--- /dev/null
+++ b/net/vpnc/Config.in
@@ -0,0 +1,18 @@
+# vpnc avanced configuration
+
+menu "Configuration"
+ depends on PACKAGE_vpnc
+
+choice
+ prompt "SSL library"
+ default VPNC_GNUTLS
+
+config VPNC_GNUTLS
+ bool "GnuTLS support"
+
+config VPNC_OPENSSL
+ bool "OpenSSL"
+
+endchoice
+
+endmenu
diff --git a/net/vpnc/Makefile b/net/vpnc/Makefile
new file mode 100644
index 000000000..16a45a4b4
--- /dev/null
+++ b/net/vpnc/Makefile
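Review bot: `config VPNC_OPENSSL` has no help text, although selecting it makes the package Makefile in this same commit build with `OPENSSL_GPL_VIOLATION=yes`; someone choosing it from menuconfig sees only the word "OpenSSL". Add a help block under `bool "OpenSSL"` saying that upstream treats linking vpnc against OpenSSL as a GPL licence conflict and that the build passes OPENSSL_GPL_VIOLATION=yes to acknowledge it, so the choice is an informed one. Two smaller points: the header comment misspells `avanced` (`# vpnc advanced configuration`), and the two prompts are inconsistent (`bool "GnuTLS support"` next to `bool "OpenSSL"`).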
@@ -0,0 +1,94 @@
+#
+# Copyright (C) 2006-2015 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=vpnc
+PKG_REV:=550
+PKG_VERSION:=0.5.3.r$(PKG_REV)
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=http://svn.unix-ag.uni-kl.de/vpnc/trunk/
+PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
+PKG_SOURCE_VERSION:=$(PKG_REV)
+PKG_SOURCE_PROTO:=svn
+
+PKG_MAINTAINER:=Daniel Gimpelevich
+PKG_LICENSE:=VARIOUS
+PKG_LICENSE_FILES:=COPYING
+
+PKG_CONFIG_DEPENDS:= \
+ CONFIG_VPNC_GNUTLS \
+ CONFIG_VPNC_OPENSSL \
+
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/vpnc/config
+ source "$(SOURCE)/Config.in"
+endef
+
+define Package/vpnc
+ SECTION:=net
+ CATEGORY:=Network
+ DEPENDS:=+libgpg-error +libgcrypt +kmod-tun +VPNC_OPENSSL:libopenssl +VPNC_GNUTLS:libgnutls +vpnc-scripts +resolveip
+ TITLE:=VPN client for Cisco EasyVPN
+ URL:=http://www.unix-ag.uni-kl.de/~massar/vpnc/
+ SUBMENU:=VPN
+endef
+
+define Package/vpnc/description
+ A VPN client compatible with Cisco's EasyVPN equipment.
+
+ Supports IPSec (ESP) with Mode Configuration and Xauth. Supports only
+ shared-secret IPSec authentication with Xauth, AES (256, 192, 128),
+ 3DES, 1DES, MD5, SHA1, DH1/2/5 and IP tunneling.
+endef
+
+define Package/vpnc/conffiles
+/etc/vpnc/default.conf
+endef
+
+ifeq ($(CONFIG_VPNC_OPENSSL),y)
+define Build/Compile
+ $(call Build/Compile/Default, \
+ OFLAGS="$(TARGET_CFLAGS)" \
+ OS="Linux" VERSION="$(PKG_VERSION)" \
+ STAGING_DIR="$(STAGING_DIR)" \
+ DESTDIR="$(PKG_INSTALL_DIR)" \
+ OPENSSL_GPL_VIOLATION=yes PREFIX=/usr \
+ all install \
+ )
+endef
+else
+define Build/Compile
+ $(call Build/Compile/Default, \
+ OFLAGS="$(TARGET_CFLAGS)" \
+ OS="Linux" VERSION="$(PKG_VERSION)" \
+ STAGING_DIR="$(STAGING_DIR)" \
+ DESTDIR="$(PKG_INSTALL_DIR)" \
+ PREFIX=/usr \
+ all install \
+ )
+endef
+endif
+
+define Package/vpnc/install
+ $(INSTALL_DIR) $(1)/lib/netifd/proto
+ $(INSTALL_BIN) ./files/vpnc.sh $(1)/lib/netifd/proto/
+ $(INSTALL_DIR) $(1)/usr/sbin
+ $(CP) $(PKG_INSTALL_DIR)/usr/sbin/vpnc \
+ $(PKG_INSTALL_DIR)/usr/sbin/vpnc-disconnect \
+ $(1)/usr/sbin/
+ $(INSTALL_DIR) $(1)/etc/vpnc
+ $(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/vpnc/default.conf $(1)/etc/vpnc/
+ $(INSTALL_DIR) $(1)/lib/upgrade/keep.d
+ $(INSTALL_DATA) ./files/vpnc.upgrade $(1)/lib/upgrade/keep.d/vpnc
+endef
+
+$(eval $(call BuildPackage,vpnc))
diff --git a/net/vpnc/README b/net/vpnc/README
new file mode 100644
index 000000000..b18777ef4
--- /dev/null
+++ b/net/vpnc/README
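Review bot: The source is an svn checkout over plain `http://svn.unix-ag.uni-kl.de/vpnc/trunk/` pinned only by `PKG_SOURCE_VERSION:=$(PKG_REV)`, and nothing in the Makefile records a checksum of the resulting tree, so the build trusts an unauthenticated transport; if this buildroot supports a mirror hash for VCS sources (`PKG_MIRROR_HASH` in later trees — I can't tell from the page whether it exists here), add one, otherwise say in a comment that the revision number is the only pin. The two `Build/Compile` definitions are identical except for `OPENSSL_GPL_VIOLATION=yes`; a single definition with that flag in a conditionally set variable removes the duplicated recipe (below). `PKG_LICENSE:=VARIOUS` is not a licence identifier — naming the licence in `COPYING`, with a comment on why the OpenSSL build needs the violation flag, would make the metadata usable. The last `PKG_CONFIG_DEPENDS` continuation line ends in `\` followed by an empty line; drop the trailing backslash.
```make
ifeq ($(CONFIG_VPNC_OPENSSL),y)
  VPNC_SSL_FLAGS:=OPENSSL_GPL_VIOLATION=yes
endif

define Build/Compile
	$(call Build/Compile/Default, \
		OFLAGS="$(TARGET_CFLAGS)" \
		OS="Linux" VERSION="$(PKG_VERSION)" \
		STAGING_DIR="$(STAGING_DIR)" \
		DESTDIR="$(PKG_INSTALL_DIR)" \
		$(VPNC_SSL_FLAGS) PREFIX=/usr \
		all install \
	)
endef
# … unchanged: Package/vpnc/install …
```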
@@ -0,0 +1,39 @@
+The vpnc client expects to be configured using the uci interface.
+
+To setup a VPN connection, add the following to /etc/config/network:
+
+config interface 'MYVPN'
+ option proto 'vpnc'
+ option interface 'wan'
+ option server 'vpn.example.com'
+ option username 'test'
+ option password 'secret' # or:
+ option hexpasswd 'AE7FF6A0426F0A0CD0A02EB9EC3C5066FAEB0B25'
+ option authgroup 'DEFAULT'
+ option passgroup 'groupsecret' # or:
+ option hexpassgroup '52B0BEAF6605C3CE9BE20A0DC0A0F6240A6FF7EA'
+ option domain 'WORKGROUP'
+ option vendor 'cisco' # or 'netscreen'
+ option natt_mode 'natt' # or 'none' or 'force-natt' or 'cisco-udp'
+ option dh_group 'dh2' # or 'dh1' or 'dh5'
+ option pfs 'server' # or 'nopfs' or 'dh1' or 'dh2' or 'dh5'
+ option enable_single_des '0'
+ option enable_no_enc '0' # '1' to enable unencrypted VPN
+ option mtu '0'
+ option local_addr '0.0.0.0'
+ option local_port '500' # '0' to use a random port
+ option udp_port '10000' # '0' to use a random port
+ option dpd_idle '300'
+ option auth_mode 'psk' # or 'hybrid'
+ option target_network '0.0.0.0/0.0.0.0' # network/netmask or CIDR
+
+The additional file(s) are also used:
+/etc/vpnc/ca-vpn-MYVPN.pem: The server's CA certificate (for auth_mode 'hybrid')
+
+After these are setup you can initiate the VPN using "ifup MYVPN", and
+deinitialize it using ifdown. You may also use the luci web interface
+(Network -> Interfaces -> MYVPN Connect).
+
+Note that you need to configure the firewall to allow communication between
+the MYVPN interface and lan.
+
diff --git a/net/vpnc/files/vpnc.sh b/net/vpnc/files/vpnc.sh
new file mode 100755
index 000000000..31d0070dc
--- /dev/null
+++ b/net/vpnc/files/vpnc.sh
@@ -0,0 +1,98 @@
+#!/bin/sh
+. /lib/functions.sh
+. ../netifd-proto.sh
+init_proto "$@"
+
+proto_vpnc_init_config() {
+ proto_config_add_string "server"
+ proto_config_add_string "username"
+ proto_config_add_string "hexpasswd"
+ proto_config_add_string "authgroup"
+ proto_config_add_string "password"
+ proto_config_add_string "token_mode"
+ proto_config_add_string "token_secret"
+ proto_config_add_string "interface"
+ proto_config_add_string "passgroup"
+ proto_config_add_string "hexpassgroup"
+ proto_config_add_string "domain"
+ proto_config_add_string "vendor"
+ proto_config_add_string "natt_mode"
+ proto_config_add_string "dh_group"
+ proto_config_add_string "pfs"
+ proto_config_add_boolean "enable_single_des"
+ proto_config_add_boolean "enable_no_enc"
+ proto_config_add_int "mtu"
+ proto_config_add_string "local_addr"
+ proto_config_add_int "local_port"
+ proto_config_add_int "udp_port"
+ proto_config_add_int "dpd_idle"
+ proto_config_add_string "auth_mode"
+ proto_config_add_string "target_network"
+ no_device=1
+ available=1
+}
+
+proto_vpnc_setup() {
+ local config="$1"
+
+ json_get_vars server username hexpasswd authgroup password token_mode token_secret interface passgroup hexpassgroup domain vendor natt_mode dh_group pfs enable_single_des enable_no_enc mtu local_addr local_port udp_port dpd_idle auth_mode target_network
+
+ grep -q tun /proc/modules || insmod tun
+
+ logger -t vpnc "initializing..."
+ serv_addr=
+ for ip in $(resolveip -t 10 "$server"); do
+ ( proto_add_host_dependency "$config" "$ip" $interface )
+ serv_addr=1
+ done
+ [ -n "$serv_addr" ] || {
+ logger -t vpnc "Could not resolve server address: '$server'"
+ sleep 60
+ proto_setup_failed "$config"
+ exit 1
+ }
+
+ mkdir -p /var/etc
+ umask 077
+ pwfile="/var/etc/vpnc-$config.conf"
+ echo "IPSec gateway $server" > "$pwfile"
+ cmdline="--no-detach --pid-file /var/run/vpnc-$config.pid --ifname vpn-$config --non-inter --script /lib/netifd/vpnc-script $pwfile"
+
+ [ -f /etc/vpnc/ca-vpn-$config.pem ] && echo "CA-File /etc/vpnc/ca-vpn-$config.pem" >> "$pwfile"
+ [ -n "$hexpasswd" ] && echo "Xauth obfuscated password $hexpasswd" >> "$pwfile"
+ [ -n "$authgroup" ] && echo "IPSec ID $authgroup" >> "$pwfile"
+ [ -n "$username" ] && echo "Xauth username $username" >> "$pwfile"
+ [ -n "$password" ] && echo "Xauth password $password" >> "$pwfile"
+ [ -n "$passgroup" ] && echo "IPSec secret $passgroup" >> "$pwfile"
+ [ -n "$hexpassgroup" ] && echo "IPSec obfuscated secret $hexpassgroup" >> "$pwfile"
+ [ -n "$domain" ] && echo "Domain $domain" >> "$pwfile"
+ [ -n "$vendor" ] && echo "Vendor $vendor" >> "$pwfile"
+ [ -n "$natt_mode" ] && echo "NAT Traversal Mode $natt_mode" >> "$pwfile"
+ [ -n "$dh_group" ] && echo "IKE DH Group $dh_group" >> "$pwfile"
+ [ -n "$pfs" ] && echo "Perfect Forward Secrecy $pfs" >> "$pwfile"
+ [ "${enable_single_des:-0}" -gt 0 ] && echo "Enable Single DES" >> "$pwfile"
+ [ "${enable_no_enc:-0}" -gt 0 ] && echo "Enable no encryption" >> "$pwfile"
+ [ -n "$mtu" ] && echo "Interface MTU $mtu" >> "$pwfile"
+ [ -n "$local_addr" ] && echo "Local Addr $local_addr" >> "$pwfile"
+ [ -n "$local_port" ] && echo "Local Port $local_port" >> "$pwfile"
+ [ -n "$udp_port" ] && echo "Cisco UDP Encapsulation Port $udp_port" >> "$pwfile"
+ [ -n "$dpd_idle" ] && echo "DPD idle timeout (our side) $dpd_idle" >> "$pwfile"
+ [ -n "$auth_mode" ] && echo "IKE Authmode $auth_mode" >> "$pwfile"
+ [ -n "$target_network" ] && echo "IPSEC target network $target_network" >> "$pwfile"
+
+ proto_export INTERFACE="$config"
+ logger -t vpnc "executing 'vpnc $cmdline'"
+ proto_run_command "$config" /usr/sbin/vpnc $cmdline
+}
+
+proto_vpnc_teardown() {
+ local config="$1"
+
+ pwfile="/var/etc/vpnc-$config.conf"
+
+ rm -f $pwfile
+ logger -t vpnc "bringing down vpnc"
+ proto_kill_command "$config" 2
+}
+
+add_protocol vpnc
diff --git a/net/vpnc/files/vpnc.upgrade b/net/vpnc/files/vpnc.upgrade
new file mode 100644
index 000000000..585513dcb
--- /dev/null
+++ b/net/vpnc/files/vpnc.upgrade
@@ -0,0 +1,2 @@
+/etc/vpnc/ca-vpn-*.pem
+
diff --git a/net/vpnc/patches/001-cross.patch b/net/vpnc/patches/001-cross.patch
new file mode 100644
index 000000000..94b382c3d
--- /dev/null
+++ b/net/vpnc/patches/001-cross.patch
@@ -0,0 +1,42 @@
+--- a/Makefile
++++ b/Makefile
+@@ -20,7 +20,7 @@
+ # $Id$
+ 
+ DESTDIR=
+-PREFIX=/usr/local
++PREFIX=/usr
+ ETCDIR=/etc/vpnc
+ BINDIR=$(PREFIX)/bin
+ SBINDIR=$(PREFIX)/sbin
+@@ -57,18 +57,15 @@
+ CRYPTO_OBJS = $(addsuffix .o,$(basename $(CRYPTO_SRCS)))
+ BINOBJS = $(addsuffix .o,$(BINS))
+ BINSRCS = $(addsuffix .c,$(BINS))
+-VERSION := $(shell sh mk-version)
+ RELEASE_VERSION := $(shell cat VERSION)
+ 
+ CC ?= gcc
+-CFLAGS ?= -O3 -g
+ CFLAGS += -W -Wall -Wmissing-declarations -Wwrite-strings
+-CFLAGS += $(shell libgcrypt-config --cflags) $(CRYPTO_CFLAGS)
++CFLAGS += -O3 -I$(STAGING_DIR)/usr/include -I$(STAGING_DIR)/include $(OFLAGS) $(CRYPTO_CFLAGS)
+ CPPFLAGS += -DVERSION=\"$(VERSION)\"
+-LDFLAGS ?= -g
+-LIBS += $(shell libgcrypt-config --libs) $(CRYPTO_LDADD)
++LIBS += -L$(STAGING_DIR)/usr/lib -L$(STAGING_DIR)/lib -lgcrypt -lgpg-error $(CRYPTO_LDADD)
+ 
+-ifeq ($(shell uname -s), SunOS)
++ifeq ($(OS), SunOS)
+ LIBS += -lnsl -lresolv -lsocket
+ endif
+ ifneq (,$(findstring Apple,$(shell $(CC) --version)))
+@@ -82,7 +79,7 @@
+ $(CC) $(LDFLAGS) -o $@ $^ $(LIBS)
+ 
+ vpnc.8 : vpnc.8.template makeman.pl vpnc
+- ./makeman.pl
++ touch vpnc.8
+ 
+ cisco-decrypt : cisco-decrypt.o decrypt-utils.o
+ $(CC) $(LDFLAGS) -o $@ $^ $(LIBS)
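Review bot: The replacement `CFLAGS +=` line hard-codes `-O3` ahead of `$(OFLAGS)`, so the optimisation level the package Makefile passes in through `OFLAGS="$(TARGET_CFLAGS)"` only takes effect because a later flag wins on the compiler command line; drop it: `+CFLAGS += -I$(STAGING_DIR)/usr/include -I$(STAGING_DIR)/include $(OFLAGS) $(CRYPTO_CFLAGS)`. The `vpnc.8` rule is changed to `touch vpnc.8`, which yields an empty man page; if the upstream install target copies it (not visible in this hunk), the package ships an empty file rather than omitting it. Removing `VERSION := $(shell sh mk-version)` and `LDFLAGS ?= -g` leaves both to the caller — the package Makefile does pass `VERSION`, but nothing there passes `LDFLAGS`, so whether the target link flags reach the link step depends on the buildroot exporting them, which I can't confirm from the page. A comment at the top of the patch naming the variables it expects from the caller (`OFLAGS`, `OS`, `VERSION`, `STAGING_DIR`) would document that contract.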