From a904a173edbec28773de2bd9ebb0320d1035902d Mon Sep 17 00:00:00 2001
From: Daniel Gimpelevich
Date: Fri, 6 Feb 2015 11:03:56 -0800
Subject: [PATCH 1/3] openconnect: separate out vpnc-scripts
Signed-off-by: Daniel Gimpelevich
---
 net/openconnect/Makefile | 5 +--
 net/vpnc-scripts/Makefile | 37 +++++++++++++++++++
 .../files/vpnc-script | 0
 3 files changed, 39 insertions(+), 3 deletions(-)
 create mode 100644 net/vpnc-scripts/Makefile
 rename net/{openconnect => vpnc-scripts}/files/vpnc-script (100%)
diff --git a/net/openconnect/Makefile b/net/openconnect/Makefile
index 46234cbf6..87ec8a53b 100644
--- a/net/openconnect/Makefile
+++ b/net/openconnect/Makefile
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2006 OpenWrt.org
+# Copyright (C) 2006-2015 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -29,7 +29,7 @@ endef
 define Package/openconnect
 SECTION:=net
 CATEGORY:=Network
- DEPENDS:=+libxml2 +kmod-tun +resolveip +OPENCONNECT_OPENSSL:libopenssl +OPENCONNECT_GNUTLS:libgnutls +OPENCONNECT_STOKEN:libstoken
+ DEPENDS:=+libxml2 +kmod-tun +resolveip +vpnc-scripts +OPENCONNECT_OPENSSL:libopenssl +OPENCONNECT_GNUTLS:libgnutls +OPENCONNECT_STOKEN:libstoken
 TITLE:=OpenConnect VPN client (Cisco AnyConnect compatible)
 MAINTAINER:=Nikos Mavrogiannopoulos
 URL:=http://www.infradead.org/openconnect/
@@ -65,7 +65,6 @@ define Package/openconnect/install
 $(INSTALL_DIR) $(1)/etc/openconnect/
 $(INSTALL_DIR) $(1)/lib/netifd/proto
 $(INSTALL_BIN) ./files/openconnect.sh $(1)/lib/netifd/proto/
- $(INSTALL_BIN) ./files/vpnc-script $(1)/lib/netifd/
 $(INSTALL_DIR) $(1)/usr/sbin
 $(INSTALL_BIN) $(PKG_BUILD_DIR)/openconnect $(1)/usr/sbin/
 $(INSTALL_BIN) ./files/openconnect-wrapper $(1)/usr/sbin/
diff --git a/net/vpnc-scripts/Makefile b/net/vpnc-scripts/Makefile
new file mode 100644
index 000000000..95948cfdd
--- /dev/null
+++ b/net/vpnc-scripts/Makefile
@@ -0,0 +1,37 @@
+#
+# Copyright (C) 2006-2015 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=vpnc-scripts
+PKG_VERSION:=20150116
+PKG_RELEASE:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/vpnc-scripts
+ SECTION:=net
+ CATEGORY:=Network
+ TITLE:=VPN configuration script for vpnc and OpenConnect
+ MAINTAINER:=Nikos Mavrogiannopoulos
+ SUBMENU:=VPN
+endef
+
+define Package/vpnc-scripts/description
+ This package contains the vpnc-script which is used by vpnc
+ and OpenConnect to configure the tunnel interface.
+endef
+
+define Build/Compile
+endef
+
+define Package/vpnc-scripts/install
+ $(INSTALL_DIR) $(1)/lib/netifd
+ $(INSTALL_BIN) ./files/vpnc-script $(1)/lib/netifd/
+endef
+
+$(eval $(call BuildPackage,vpnc-scripts))
diff --git a/net/openconnect/files/vpnc-script b/net/vpnc-scripts/files/vpnc-script
similarity index 100%
rename from net/openconnect/files/vpnc-script
rename to net/vpnc-scripts/files/vpnc-script
From 41f8d5465097ee45b051c2c37d44cdccd8e9739b Mon Sep 17 00:00:00 2001
From: Daniel Gimpelevich
Date: Fri, 6 Feb 2015 11:54:39 -0800
Subject: [PATCH 2/3] openconnect: fix a couple of minor things and add an interface option
Signed-off-by: Daniel Gimpelevich
---
 net/openconnect/Makefile | 2 +-
 net/openconnect/README | 1 +
 net/openconnect/files/openconnect.sh | 12 ++++++++----
 3 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/net/openconnect/Makefile b/net/openconnect/Makefile
index 87ec8a53b..2fed00253 100644
--- a/net/openconnect/Makefile
+++ b/net/openconnect/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=openconnect
 PKG_VERSION:=7.04
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=ftp://ftp.infradead.org/pub/openconnect/
diff --git a/net/openconnect/README b/net/openconnect/README
index 3cd562194..f6d2f051c 100644
--- a/net/openconnect/README
+++ b/net/openconnect/README
@@ -4,6 +4,7 @@ To setup a VPN connection, add the following to /etc/config/network:
 config interface 'MYVPN'
 option proto 'openconnect'
+ option interface 'wan'
 option server 'vpn.example.com'
 option port '4443'
 option username 'test'
diff --git a/net/openconnect/files/openconnect.sh b/net/openconnect/files/openconnect.sh
index cd97c2cb2..bdac9bc86 100755
--- a/net/openconnect/files/openconnect.sh
+++ b/net/openconnect/files/openconnect.sh
@@ -10,6 +10,9 @@ proto_openconnect_init_config() {
 proto_config_add_string "serverhash"
 proto_config_add_string "authgroup"
 proto_config_add_string "password"
+ proto_config_add_string "token_mode"
+ proto_config_add_string "token_secret"
+ proto_config_add_string "interface"
 no_device=1
 available=1
 }
@@ -17,14 +20,14 @@ proto_openconnect_init_config() {
 proto_openconnect_setup() {
 local config="$1"
- json_get_vars server port username serverhash authgroup password vgroup token_mode token_secret
+ json_get_vars server port username serverhash authgroup password interface token_mode token_secret
 grep -q tun /proc/modules || insmod tun
 logger -t openconnect "initializing..."
 serv_addr=
 for ip in $(resolveip -t 10 "$server"); do
- ( proto_add_host_dependency "$config" "$ip" )
+ ( proto_add_host_dependency "$config" "$ip" $interface )
 serv_addr=1
 done
 [ -n "$serv_addr" ] || {
@@ -57,7 +60,8 @@ proto_openconnect_setup() {
 [ -n "$username" ] && append cmdline "-u $username"
 [ -n "$password" ] && {
 umask 077
- pwfile="/var/run/openconnect-$config.passwd"
+ mkdir -p /var/etc
+ pwfile="/var/etc/openconnect-$config.passwd"
 echo "$password" > "$pwfile"
 append cmdline "--passwd-on-stdin"
 }
@@ -78,7 +82,7 @@ proto_openconnect_setup() {
 proto_openconnect_teardown() {
 local config="$1"
- pwfile="/var/run/openconnect-$config.passwd"
+ pwfile="/var/etc/openconnect-$config.passwd"
 rm -f $pwfile
 logger -t openconnect "bringing down openconnect"
From d16359b96e8e574925af1af42e08777624aceb3a Mon Sep 17 00:00:00 2001
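Review bot: In the third openconnect.sh hunk the new `mkdir -p /var/etc` runs after `umask 077`, so on a system where nothing has created /var/etc yet the directory itself is created root-only (0700), and any other service that later drops privileges and reads its own file under /var/etc would be unable to traverse it. Creating the directory before tightening the umask keeps the 0600 protection for the password file while leaving the shared directory at its usual mode: move `mkdir -p /var/etc` above `umask 077`. Whether any other package on the target actually depends on a traversable /var/etc is not visible from this diff, so this is a defensive ordering rather than a confirmed breakage; vpnc.sh in patch 3 of this series already creates the directory before setting the umask. The teardown hunk's `rm -f` of the same path is consistent with the rename. proto_openconnect_setup continues outside the hunk.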
From: Daniel Gimpelevich
Date: Fri, 6 Feb 2015 14:07:29 -0800
Subject: [PATCH 3/3] vpnc: initial import
Signed-off-by: Daniel Gimpelevich
---
 net/vpnc/Config.in | 18 ++++
 net/vpnc/Makefile | 94 ++++++++++++++++++++++++++++++
 net/vpnc/README | 39 +++++++++++++
 net/vpnc/files/vpnc.sh | 98 ++++++++++++++++++++++++++++++++
 net/vpnc/files/vpnc.upgrade | 2 +
 net/vpnc/patches/001-cross.patch | 42 ++++++++++++++
 6 files changed, 293 insertions(+)
 create mode 100644 net/vpnc/Config.in
 create mode 100644 net/vpnc/Makefile
 create mode 100644 net/vpnc/README
 create mode 100755 net/vpnc/files/vpnc.sh
 create mode 100644 net/vpnc/files/vpnc.upgrade
 create mode 100644 net/vpnc/patches/001-cross.patch
diff --git a/net/vpnc/Config.in b/net/vpnc/Config.in
new file mode 100644
index 000000000..5eacd9782
--- /dev/null
+++ b/net/vpnc/Config.in
@@ -0,0 +1,18 @@
+# vpnc avanced configuration
+
+menu "Configuration"
+ depends on PACKAGE_vpnc
+
+choice
+ prompt "SSL library"
+ default VPNC_GNUTLS
+
+config VPNC_GNUTLS
+ bool "GnuTLS support"
+
+config VPNC_OPENSSL
+ bool "OpenSSL"
+
+endchoice
+
+endmenu
diff --git a/net/vpnc/Makefile b/net/vpnc/Makefile
new file mode 100644
index 000000000..16a45a4b4
--- /dev/null
+++ b/net/vpnc/Makefile
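Review bot: The header comment of the new Config.in misspells "advanced"; it should read `# vpnc advanced configuration`. The two choice entries are also labelled inconsistently (`bool "GnuTLS support"` versus `bool "OpenSSL"`); either `"OpenSSL support"` or dropping "support" from both keeps the menu uniform.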
@@ -0,0 +1,94 @@
+#
+# Copyright (C) 2006-2015 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=vpnc
+PKG_REV:=550
+PKG_VERSION:=0.5.3.r$(PKG_REV)
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=http://svn.unix-ag.uni-kl.de/vpnc/trunk/
+PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
+PKG_SOURCE_VERSION:=$(PKG_REV)
+PKG_SOURCE_PROTO:=svn
+
+PKG_MAINTAINER:=Daniel Gimpelevich
+PKG_LICENSE:=VARIOUS
+PKG_LICENSE_FILES:=COPYING
+
+PKG_CONFIG_DEPENDS:= \
+ CONFIG_VPNC_GNUTLS \
+ CONFIG_VPNC_OPENSSL \
+
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/vpnc/config
+ source "$(SOURCE)/Config.in"
+endef
+
+define Package/vpnc
+ SECTION:=net
+ CATEGORY:=Network
+ DEPENDS:=+libgpg-error +libgcrypt +kmod-tun +VPNC_OPENSSL:libopenssl +VPNC_GNUTLS:libgnutls +vpnc-scripts +resolveip
+ TITLE:=VPN client for Cisco EasyVPN
+ URL:=http://www.unix-ag.uni-kl.de/~massar/vpnc/
+ SUBMENU:=VPN
+endef
+
+define Package/vpnc/description
+ A VPN client compatible with Cisco's EasyVPN equipment.
+
+ Supports IPSec (ESP) with Mode Configuration and Xauth. Supports only
+ shared-secret IPSec authentication with Xauth, AES (256, 192, 128),
+ 3DES, 1DES, MD5, SHA1, DH1/2/5 and IP tunneling.
+endef
+
+define Package/vpnc/conffiles
+/etc/vpnc/default.conf
+endef
+
+ifeq ($(CONFIG_VPNC_OPENSSL),y)
+define Build/Compile
+ $(call Build/Compile/Default, \
+ OFLAGS="$(TARGET_CFLAGS)" \
+ OS="Linux" VERSION="$(PKG_VERSION)" \
+ STAGING_DIR="$(STAGING_DIR)" \
+ DESTDIR="$(PKG_INSTALL_DIR)" \
+ OPENSSL_GPL_VIOLATION=yes PREFIX=/usr \
+ all install \
+ )
+endef
+else
+define Build/Compile
+ $(call Build/Compile/Default, \
+ OFLAGS="$(TARGET_CFLAGS)" \
+ OS="Linux" VERSION="$(PKG_VERSION)" \
+ STAGING_DIR="$(STAGING_DIR)" \
+ DESTDIR="$(PKG_INSTALL_DIR)" \
+ PREFIX=/usr \
+ all install \
+ )
+endef
+endif
+
+define Package/vpnc/install
+ $(INSTALL_DIR) $(1)/lib/netifd/proto
+ $(INSTALL_BIN) ./files/vpnc.sh $(1)/lib/netifd/proto/
+ $(INSTALL_DIR) $(1)/usr/sbin
+ $(CP) $(PKG_INSTALL_DIR)/usr/sbin/vpnc \
+ $(PKG_INSTALL_DIR)/usr/sbin/vpnc-disconnect \
+ $(1)/usr/sbin/
+ $(INSTALL_DIR) $(1)/etc/vpnc
+ $(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/vpnc/default.conf $(1)/etc/vpnc/
+ $(INSTALL_DIR) $(1)/lib/upgrade/keep.d
+ $(INSTALL_DATA) ./files/vpnc.upgrade $(1)/lib/upgrade/keep.d/vpnc
+endef
+
+$(eval $(call BuildPackage,vpnc))
diff --git a/net/vpnc/README b/net/vpnc/README
new file mode 100644
index 000000000..b18777ef4
--- /dev/null
+++ b/net/vpnc/README
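Review bot: The two Build/Compile definitions in the ifeq/else branches are identical except for `OPENSSL_GPL_VIOLATION=yes`, so any future change to the compile flags has to be made twice and the two copies will drift. A single define with the one variable made conditional reads the same and removes the duplication: `$(if $(CONFIG_VPNC_OPENSSL),OPENSSL_GPL_VIOLATION=yes) PREFIX=/usr \`. Two smaller points in the same file: the `CONFIG_VPNC_OPENSSL \` entry of PKG_CONFIG_DEPENDS ends with a line continuation that runs onto the blank line after it, which is harmless but looks unintended, and `PKG_LICENSE:=VARIOUS` tells a reader nothing, so naming the licences that COPYING actually lists would be more useful. The install recipe copies the two binaries with `$(CP)` while the script on the line above uses `$(INSTALL_BIN)`; using `$(INSTALL_BIN)` for all three keeps the permission handling uniform.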
@@ -0,0 +1,39 @@
+The vpnc client expects to be configured using the uci interface.
+
+To setup a VPN connection, add the following to /etc/config/network:
+
+config interface 'MYVPN'
+ option proto 'vpnc'
+ option interface 'wan'
+ option server 'vpn.example.com'
+ option username 'test'
+ option password 'secret' # or:
+ option hexpasswd 'AE7FF6A0426F0A0CD0A02EB9EC3C5066FAEB0B25'
+ option authgroup 'DEFAULT'
+ option passgroup 'groupsecret' # or:
+ option hexpassgroup '52B0BEAF6605C3CE9BE20A0DC0A0F6240A6FF7EA'
+ option domain 'WORKGROUP'
+ option vendor 'cisco' # or 'netscreen'
+ option natt_mode 'natt' # or 'none' or 'force-natt' or 'cisco-udp'
+ option dh_group 'dh2' # or 'dh1' or 'dh5'
+ option pfs 'server' # or 'nopfs' or 'dh1' or 'dh2' or 'dh5'
+ option enable_single_des '0'
+ option enable_no_enc '0' # '1' to enable unencrypted VPN
+ option mtu '0'
+ option local_addr '0.0.0.0'
+ option local_port '500' # '0' to use a random port
+ option udp_port '10000' # '0' to use a random port
+ option dpd_idle '300'
+ option auth_mode 'psk' # or 'hybrid'
+ option target_network '0.0.0.0/0.0.0.0' # network/netmask or CIDR
+
+The additional file(s) are also used:
+/etc/vpnc/ca-vpn-MYVPN.pem: The server's CA certificate (for auth_mode 'hybrid')
+
+After these are setup you can initiate the VPN using "ifup MYVPN", and
+deinitialize it using ifdown. You may also use the luci web interface
+(Network -> Interfaces -> MYVPN Connect).
+
+Note that you need to configure the firewall to allow communication between
+the MYVPN interface and lan.
+
diff --git a/net/vpnc/files/vpnc.sh b/net/vpnc/files/vpnc.sh
new file mode 100755
index 000000000..31d0070dc
--- /dev/null
+++ b/net/vpnc/files/vpnc.sh
@@ -0,0 +1,98 @@
+#!/bin/sh
+. /lib/functions.sh
+. ../netifd-proto.sh
+init_proto "$@"
+
+proto_vpnc_init_config() {
+ proto_config_add_string "server"
+ proto_config_add_string "username"
+ proto_config_add_string "hexpasswd"
+ proto_config_add_string "authgroup"
+ proto_config_add_string "password"
+ proto_config_add_string "token_mode"
+ proto_config_add_string "token_secret"
+ proto_config_add_string "interface"
+ proto_config_add_string "passgroup"
+ proto_config_add_string "hexpassgroup"
+ proto_config_add_string "domain"
+ proto_config_add_string "vendor"
+ proto_config_add_string "natt_mode"
+ proto_config_add_string "dh_group"
+ proto_config_add_string "pfs"
+ proto_config_add_boolean "enable_single_des"
+ proto_config_add_boolean "enable_no_enc"
+ proto_config_add_int "mtu"
+ proto_config_add_string "local_addr"
+ proto_config_add_int "local_port"
+ proto_config_add_int "udp_port"
+ proto_config_add_int "dpd_idle"
+ proto_config_add_string "auth_mode"
+ proto_config_add_string "target_network"
+ no_device=1
+ available=1
+}
+
+proto_vpnc_setup() {
+ local config="$1"
+
+ json_get_vars server username hexpasswd authgroup password token_mode token_secret interface passgroup hexpassgroup domain vendor natt_mode dh_group pfs enable_single_des enable_no_enc mtu local_addr local_port udp_port dpd_idle auth_mode target_network
+
+ grep -q tun /proc/modules || insmod tun
+
+ logger -t vpnc "initializing..."
+ serv_addr=
+ for ip in $(resolveip -t 10 "$server"); do
+ ( proto_add_host_dependency "$config" "$ip" $interface )
+ serv_addr=1
+ done
+ [ -n "$serv_addr" ] || {
+ logger -t vpnc "Could not resolve server address: '$server'"
+ sleep 60
+ proto_setup_failed "$config"
+ exit 1
+ }
+
+ mkdir -p /var/etc
+ umask 077
+ pwfile="/var/etc/vpnc-$config.conf"
+ echo "IPSec gateway $server" > "$pwfile"
+ cmdline="--no-detach --pid-file /var/run/vpnc-$config.pid --ifname vpn-$config --non-inter --script /lib/netifd/vpnc-script $pwfile"
+
+ [ -f /etc/vpnc/ca-vpn-$config.pem ] && echo "CA-File /etc/vpnc/ca-vpn-$config.pem" >> "$pwfile"
+ [ -n "$hexpasswd" ] && echo "Xauth obfuscated password $hexpasswd" >> "$pwfile"
+ [ -n "$authgroup" ] && echo "IPSec ID $authgroup" >> "$pwfile"
+ [ -n "$username" ] && echo "Xauth username $username" >> "$pwfile"
+ [ -n "$password" ] && echo "Xauth password $password" >> "$pwfile"
+ [ -n "$passgroup" ] && echo "IPSec secret $passgroup" >> "$pwfile"
+ [ -n "$hexpassgroup" ] && echo "IPSec obfuscated secret $hexpassgroup" >> "$pwfile"
+ [ -n "$domain" ] && echo "Domain $domain" >> "$pwfile"
+ [ -n "$vendor" ] && echo "Vendor $vendor" >> "$pwfile"
+ [ -n "$natt_mode" ] && echo "NAT Traversal Mode $natt_mode" >> "$pwfile"
+ [ -n "$dh_group" ] && echo "IKE DH Group $dh_group" >> "$pwfile"
+ [ -n "$pfs" ] && echo "Perfect Forward Secrecy $pfs" >> "$pwfile"
+ [ "${enable_single_des:-0}" -gt 0 ] && echo "Enable Single DES" >> "$pwfile"
+ [ "${enable_no_enc:-0}" -gt 0 ] && echo "Enable no encryption" >> "$pwfile"
+ [ -n "$mtu" ] && echo "Interface MTU $mtu" >> "$pwfile"
+ [ -n "$local_addr" ] && echo "Local Addr $local_addr" >> "$pwfile"
+ [ -n "$local_port" ] && echo "Local Port $local_port" >> "$pwfile"
+ [ -n "$udp_port" ] && echo "Cisco UDP Encapsulation Port $udp_port" >> "$pwfile"
+ [ -n "$dpd_idle" ] && echo "DPD idle timeout (our side) $dpd_idle" >> "$pwfile"
+ [ -n "$auth_mode" ] && echo "IKE Authmode $auth_mode" >> "$pwfile"
+ [ -n "$target_network" ] && echo "IPSEC target network $target_network" >> "$pwfile"
+
+ proto_export INTERFACE="$config"
+ logger -t vpnc "executing 'vpnc $cmdline'"
+ proto_run_command "$config" /usr/sbin/vpnc $cmdline
+}
+
+proto_vpnc_teardown() {
+ local config="$1"
+
+ pwfile="/var/etc/vpnc-$config.conf"
+
+ rm -f $pwfile
+ logger -t vpnc "bringing down vpnc"
+ proto_kill_command "$config" 2
+}
+
+add_protocol vpnc
diff --git a/net/vpnc/files/vpnc.upgrade b/net/vpnc/files/vpnc.upgrade
new file mode 100644
index 000000000..585513dcb
--- /dev/null
+++ b/net/vpnc/files/vpnc.upgrade
@@ -0,0 +1,2 @@
+/etc/vpnc/ca-vpn-*.pem
+
diff --git a/net/vpnc/patches/001-cross.patch b/net/vpnc/patches/001-cross.patch
new file mode 100644
index 000000000..94b382c3d
--- /dev/null
+++ b/net/vpnc/patches/001-cross.patch
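Review bot: `token_mode` and `token_secret` are declared in proto_vpnc_init_config and fetched by json_get_vars in proto_vpnc_setup, but nothing in the file ever writes them to the generated config or the command line, so a user who sets them gets silently ignored options that look supported. They appear to have been carried over from openconnect.sh; either remove the two `proto_config_add_string` lines and the two names from `json_get_vars`, or wire them into the config file. The generated file holds the full vpnc configuration, including `Xauth password` and `IPSec secret` when set, and is created only after `mkdir -p /var/etc` and `umask 077`, which is the right order; a name such as `conffile` instead of `pwfile` would make clear that it is the whole configuration rather than just a password, and a one-line comment above `umask 077` saying the file carries credentials would explain why the umask is there.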
@@ -0,0 +1,42 @@
+--- a/Makefile
++++ b/Makefile
+@@ -20,7 +20,7 @@
+ # $Id$
+ 
+ DESTDIR=
+-PREFIX=/usr/local
++PREFIX=/usr
+ ETCDIR=/etc/vpnc
+ BINDIR=$(PREFIX)/bin
+ SBINDIR=$(PREFIX)/sbin
+@@ -57,18 +57,15 @@
+ CRYPTO_OBJS = $(addsuffix .o,$(basename $(CRYPTO_SRCS)))
+ BINOBJS = $(addsuffix .o,$(BINS))
+ BINSRCS = $(addsuffix .c,$(BINS))
+-VERSION := $(shell sh mk-version)
+ RELEASE_VERSION := $(shell cat VERSION)
+ 
+ CC ?= gcc
+-CFLAGS ?= -O3 -g
+ CFLAGS += -W -Wall -Wmissing-declarations -Wwrite-strings
+-CFLAGS += $(shell libgcrypt-config --cflags) $(CRYPTO_CFLAGS)
++CFLAGS += -O3 -I$(STAGING_DIR)/usr/include -I$(STAGING_DIR)/include $(OFLAGS) $(CRYPTO_CFLAGS)
+ CPPFLAGS += -DVERSION=\"$(VERSION)\"
+-LDFLAGS ?= -g
+-LIBS += $(shell libgcrypt-config --libs) $(CRYPTO_LDADD)
++LIBS += -L$(STAGING_DIR)/usr/lib -L$(STAGING_DIR)/lib -lgcrypt -lgpg-error $(CRYPTO_LDADD)
+ 
+-ifeq ($(shell uname -s), SunOS)
++ifeq ($(OS), SunOS)
+ LIBS += -lnsl -lresolv -lsocket
+ endif
+ ifneq (,$(findstring Apple,$(shell $(CC) --version)))
+@@ -82,7 +79,7 @@
+ $(CC) $(LDFLAGS) -o $@ $^ $(LIBS)
+ 
+ vpnc.8 : vpnc.8.template makeman.pl vpnc
+- ./makeman.pl
++ touch vpnc.8
+ 
+ cisco-decrypt : cisco-decrypt.o decrypt-utils.o
+ $(CC) $(LDFLAGS) -o $@ $^ $(LIBS)
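Review bot: The replacement CFLAGS line hard-codes `-O3` ahead of `$(OFLAGS)`; OFLAGS is passed as TARGET_CFLAGS from the package Makefile and GCC honours the last -O option it sees, so the `-O3` is either overridden by the target's optimisation level or, if TARGET_CFLAGS carries none, silently forces -O3 on a cross build. Dropping it makes the intent explicit: `CFLAGS += -I$(STAGING_DIR)/usr/include -I$(STAGING_DIR)/include $(OFLAGS) $(CRYPTO_CFLAGS)`. Replacing `./makeman.pl` with `touch vpnc.8` ships an empty manpage, presumably to avoid running the Perl generator at build time; a one-line comment at the top of the patch stating that would save the next reader from treating it as a mistake.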