Diffstat (limited to 'user/openvpn')
-rw-r--r--user/openvpn/APKBUILD69
-rw-r--r--user/openvpn/openvpn.confd24
-rw-r--r--user/openvpn/openvpn.down33
-rw-r--r--user/openvpn/openvpn.initd130
-rw-r--r--user/openvpn/openvpn.pre-install6
-rw-r--r--user/openvpn/openvpn.up82
6 files changed, 344 insertions, 0 deletions
diff --git a/user/openvpn/APKBUILD b/user/openvpn/APKBUILD
new file mode 100644
index 000000000..06317735b
--- /dev/null
+++ b/user/openvpn/APKBUILD
@@ -0,0 +1,69 @@
+# Contributor: Valery Kartel <valery.kartel@gmail.com>
+# Contributor: Natanael Copa <ncopa@alpinelinux.org>
+# Maintainer: Lee Starnes <lee@canned-death.us>
+pkgname=openvpn
+pkgver=2.4.6
+pkgrel=1
+pkgdesc="A robust, and highly configurable VPN (Virtual Private Network)"
+url="https://openvpn.net/"
+arch="all"
+license="GPL-2.0-only WITH openvpn-openssl-exception"
+subpackages="$pkgname-doc $pkgname-dev $pkgname-auth-pam:pam $pkgname-openrc"
+depends="iproute2"
+makedepends="openssl-dev lzo-dev linux-pam-dev linux-headers"
+install="$pkgname.pre-install"
+source="https://swupdate.openvpn.net/community/releases/$pkgname-$pkgver.tar.gz
+ openvpn.initd
+ openvpn.confd
+ openvpn.up
+ openvpn.down
+ "
+
+build() {
+ cd "$builddir"
+ ./configure \
+ --build=$CBUILD \
+ --host=$CHOST \
+ --prefix=/usr \
+ --mandir=/usr/share/man \
+ --sysconfdir=/etc/openvpn \
+ --enable-crypto \
+ --enable-iproute2
+ make
+}
+
+check() {
+ cd "$builddir"
+ make check
+}
+
+package() {
+ cd "$builddir"
+ make DESTDIR="$pkgdir" install
+
+ # install samples
+ mkdir -p "$pkgdir"/usr/share/doc/$pkgname/samples
+ cp -a sample/sample-* "$pkgdir"/usr/share/doc/$pkgname/samples
+ install -D -m644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING
+
+ # install init.d and conf.d
+ install -Dm755 "$srcdir"/openvpn.initd "$pkgdir"/etc/init.d/openvpn
+ install -Dm644 "$srcdir"/openvpn.confd "$pkgdir"/etc/conf.d/openvpn
+
+ # install up and down scripts
+ install -Dm755 "$srcdir"/openvpn.up "$pkgdir"/etc/openvpn/up.sh
+ install -Dm755 "$srcdir"/openvpn.down "$pkgdir"/etc/openvpn/down.sh
+}
+
+pam() {
+ pkgdesc="OpenVPN plugin for PAM authentication"
+ mkdir -p "$subpkgdir"/usr/lib/openvpn/plugins
+ mv "$pkgdir"/usr/lib/openvpn/plugins/*-auth-pam* \
+ "$subpkgdir"/usr/lib/openvpn/plugins/
+}
+
+sha512sums="cdd70bfd03177bc6cb70d0d614e40389df00816b7097740b4cda9d7bee094d1463fdb5afeaf604c52c7b3167d1edb098a2e095e131a8b9fed0ed8b29da90cbe8 openvpn-2.4.6.tar.gz
+3594937d4cc9d7b87ac6a3af433f651ed9695f41586994f9d9789554fbe3f87f054b997b89486eda4ae0b852d816aac9007222168d585910aa9f255073324bd9 openvpn.initd
+6b2353aca9df7f43044e4e37990491b4ba077e259ebe13b8f2eb43e35ca7a617c1a65c5bfb8ab05e87cf12c4444184ae064f01f9abbb3c023dbbc07ff3f9c84e openvpn.confd
+cdb73c9a5b1eb56e9cbd29955d94297ce5a87079419cd626d6a0b6680d88cbf310735a53f794886df02030b687eaea553c7c569a8ea1282a149441add1c65760 openvpn.up
+4456880d5c2db061219ba94e4052786700efa5e685f03b0d12d75a6023e3c0fc7b5242cc3d2bd3988e42fcd99701ab13a6257b1a0943b812318d30c64843ad27 openvpn.down"
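Review bot: The `cp -a sample/sample-*` at line 66 copies every sample directory of the upstream tarball into the -doc subpackage, and as far as I recall the 2.4 tree includes `sample/sample-keys`, i.e. the upstream test CA and its private keys, which would then be installed world-readable under /usr/share/doc/openvpn/samples. Nothing on this page shows the directory listing, so please confirm against the extracted source; if it is there, either drop that directory before packaging (`rm -rf "$pkgdir"/usr/share/doc/$pkgname/samples/sample-keys`) or add a comment above line 66 such as `# sample-keys are publicly known test material; never deploy them` so the decision to ship them is recorded. A related documentation gap: `$builddir` is used at lines 43, 56 and 61 but never set here, which relies on abuild's default of `$srcdir/$pkgname-$pkgver`; a one-line comment above `build()` saying so would help readers not steeped in abuild.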
diff --git a/user/openvpn/openvpn.confd b/user/openvpn/openvpn.confd
new file mode 100644
index 000000000..7274a079d
--- /dev/null
+++ b/user/openvpn/openvpn.confd
@@ -0,0 +1,24 @@
+# Configuration for /etc/init.d/openvpn{,.*}
+
+# OpenVPN can run in many modes. Most people want the init script to
+# automatically detect the mode and try and apply a good default configuration
+# and setup scripts. However, there are cases where the OpenVPN configuration
+# looks like a client, but it's really a peer or something else.
+# detect_client controls this behaviour.
+#detect_client="yes"
+
+# Path of the OpenVPN configuration file to load.
+# Default is /etc/openvpn/openvpn.conf, or /etc/openvpn/<vpn>.conf if
+# the runscript is symlinked to openvpn.<vpn> or <vpn>.
+#cfgfile=
+
+# The script to run in client mode after successful TUN/TAP device open.
+#up_script="/etc/openvpn/up.sh"
+
+# The script to run in client mode after TUN/TAP device close.
+#down_script="/etc/openvpn/down.sh"
+
+# OpenVPN automatically creates an /etc/resolv.conf (or sends it to
+# resolvconf) if given DNS information by the OpenVPN server.
+# Set to "no" to stop this.
+#peer_dns="yes"
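Review bot: The init script reads one variable this file does not document: `cfgdir` (with `VPNDIR` kept as the pre-3.8 alias), which defaults to /etc/openvpn and is the directory in which `cfgfile`, `up_script` and `down_script` are resolved, so add a commented entry before line 105, e.g. `# Directory holding the OpenVPN configuration and helper scripts.` followed by `#cfgdir="/etc/openvpn"`. The `detect_client` comment at lines 98-103 says the mode is auto-detected but not on what; the init script treats the configuration as a client when it contains a `remote` option, and naming that criterion here tells an administrator exactly when to set `detect_client="no"`.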
diff --git a/user/openvpn/openvpn.down b/user/openvpn/openvpn.down
new file mode 100644
index 000000000..50d463f16
--- /dev/null
+++ b/user/openvpn/openvpn.down
@@ -0,0 +1,33 @@
+#!/bin/sh
+# Copyright (c) 2006-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# Contributed by Roy Marples (uberlord@gentoo.org)
+
+# If we have a service specific script, run this now
+if [ -x /etc/openvpn/"${RC_SVCNAME}"-down.sh ] ; then
+ /etc/openvpn/"${RC_SVCNAME}"-down.sh "$@"
+fi
+
+# Restore resolv.conf to how it was
+if [ "${PEER_DNS}" != "no" ]; then
+ if [ -x /sbin/resolvconf ] ; then
+ /sbin/resolvconf -d "${dev}"
+ elif [ -e /etc/resolv.conf-"${dev}".sv ] ; then
+ # Important that we cat instead of move incase resolv.conf is
+ # a symlink and not an actual file
+ cat /etc/resolv.conf-"${dev}".sv > /etc/resolv.conf
+ rm -f /etc/resolv.conf-"${dev}".sv
+ fi
+fi
+
+if [ -n "${RC_SVCNAME}" ]; then
+ # Re-enter the init script to start any dependant services
+ if /etc/init.d/"${RC_SVCNAME}" --quiet status ; then
+ export IN_BACKGROUND=true
+ /etc/init.d/"${RC_SVCNAME}" --quiet stop
+ fi
+fi
+
+exit 0
+
+# vim: ts=4 :
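Review bot: When no resolvconf is installed and no `/etc/resolv.conf-${dev}.sv` exists — up.sh only saves a copy when /etc/resolv.conf existed beforehand — the branch at lines 138-145 does nothing, so the openvpn-generated /etc/resolv.conf stays in place after the tunnel is gone and the host keeps pointing at nameservers it can no longer reach. up.sh marks its file with a fixed first line, so a further branch can recognise and remove it without touching an administrator's file: `elif [ "$(head -n 1 /etc/resolv.conf 2>/dev/null)" = "# Generated by openvpn for interface ${dev}" ]; then` / `rm -f /etc/resolv.conf`. The hook at lines 132-133 runs with whatever privileges openvpn itself has (the init script adds no `--user` in client mode), so it is worth a comment there that /etc/openvpn and the `*-down.sh` hooks must remain root-owned and not group/world-writable. Finally, the unconditional `exit 0` at line 156 hides a failed restore (for example a read-only /etc) from openvpn's log; writing a diagnostic to stderr before exiting would at least make it visible.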
diff --git a/user/openvpn/openvpn.initd b/user/openvpn/openvpn.initd
new file mode 100644
index 000000000..dae0e3833
--- /dev/null
+++ b/user/openvpn/openvpn.initd
@@ -0,0 +1,130 @@
+#!/sbin/openrc-run
+
+extra_commands="checkconfig"
+
+instance_name=${RC_SVCNAME#*.}
+[ "$instance_name" != "openvpn" ] \
+ && name="OpenVPN ($instance_name)" \
+ || name="OpenVPN"
+
+# Upper case variables are for backward compatibility with Alpine < v3.8.
+: ${cfgdir:=${VPNDIR:-"/etc/openvpn"}}
+: ${cfgfile:="$cfgdir/$instance_name.conf"}
+: ${detect_client:="${DETECT_CLIENT:-yes}"}
+: ${up_script:="$cfgdir/up.sh"}
+: ${down_script:="$cfgdir/down.sh"}
+: ${peer_dns:=${PEER_DNS:-"yes"}}
+
+pidfile="/run/$RC_SVCNAME.pid"
+command="/usr/sbin/openvpn"
+command_args="
+ --daemon
+ --config $cfgfile
+ --writepid $pidfile
+ --setenv RC_SVCNAME $RC_SVCNAME
+ --setenv PEER_DNS $peer_dns"
+
+required_dirs="$cfgdir"
+required_files="$cfgfile"
+
+
+depend() {
+ need localmount net
+ use dns
+ after bootmisc
+}
+
+checkconfig() {
+ # Note: This is not just a check; we need to detect the mode both for
+ # "start" and "checkconfig" commands, that's why it's here.
+ if [ -z "$client_mode" ] && yesno "$detect_client"; then
+ cfgfile_has_option 'remote' \
+ && client_mode=yes \
+ || client_mode=no
+ fi
+
+ if [ ! -e /dev/net/tun ]; then
+ if ! modprobe tun; then
+ eerror "TUN/TAP support is not available in this kernel"
+ return 1
+ fi
+ fi
+ if [ -h /dev/net/tun ] && [ -c /dev/misc/net/tun ]; then
+ ebegin "Detected broken /dev/net/tun symlink, fixing..."
+ rm -f /dev/net/tun
+ ln -s /dev/misc/net/tun /dev/net/tun
+ eend $?
+ fi
+
+ if yesno "$client_mode"; then
+ local f; for f in "$up_script" "$down_script"; do
+ [ -r "$f" ] || { eerror "'$f' is not readable"; return 1; }
+ done
+
+ # Warn about setting scripts as we override them
+ if cfgfile_has_option "(up|down)"; then
+ ewarn "WARNING: You have defined your own up/down scripts"
+ ewarn "As you're running as a client, we now force Alpine specific"
+ ewarn "scripts to be run for up and down events."
+ ewarn "These scripts will call /etc/openvpn/$RC_SVCNAME-{up,down}.sh"
+ ewarn "where you can put your own code."
+ fi
+ # Warn about the inability to change ip/route/dns information when
+ # dropping privs
+ if cfgfile_has_option "user"; then
+ ewarn "WARNING: You are dropping root privileges!"
+ ewarn "As such openvpn may not be able to change ip, routing"
+ ewarn "or DNS configuration."
+ fi
+ fi
+}
+
+start_pre() {
+ checkconfig || return 1
+
+ if yesno "$client_mode"; then
+ command_args="$command_args
+ --up-delay
+ --up-restart
+ --down-pre
+ --script-security 2
+ --up $up_script
+ --down $down_script"
+ start_inactive="yes"
+ else
+ # Run as openvpn unless otherwise specified.
+ cfgfile_has_option "user" || command_args="$command_args --user openvpn"
+ cfgfile_has_option "group" || command_args="$command_args --group openvpn"
+ fi
+
+ # If the config file does not specify the cd option, we do.
+ # But if we specify it, we override the config option which we do not want.
+ if cfgfile_has_option "cd"; then
+ command_args="$command_args --cd $cfgdir"
+ fi
+}
+
+start() {
+ # If we are re-called by the up.sh script, then we don't actually want
+ # to start OpenVPN. We do this so we can "start" ourselves from
+ # inactive (from the up.sh script) which then triggers other
+ # services to start which depend on us.
+ yesno "$IN_BACKGROUND" && return 0
+
+ default_start
+}
+
+stop() {
+ # If we are re-called by the down.sh script, then we don't actually
+ # want to stop OpenVPN.
+ if yesno "$IN_BACKGROUND"; then
+ mark_service_inactive "$RC_SVCNAME"
+ return 0
+ fi
+
+ default_stop
+}
+
+cfgfile_has_option() {
+ grep -Eq "^\s*$1\s" "$cfgfile"
+}
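Review bot: The condition at line 266 contradicts the comment directly above it: the comment says `--cd` should be added only when the config file does not specify `cd`, yet `if cfgfile_has_option "cd"` appends `--cd $cfgdir` exactly when it does — which, as I read OpenVPN's option ordering with the command line following `--config`, overrides the administrator's own `cd` (the case the comment says to avoid) and omits the default in the common case. The fix is `if ! cfgfile_has_option "cd"; then`. Separately, the client-mode branch at lines 249-257 sets `--script-security 2` and adds no `--user`/`--group`, so a client instance keeps the privileges it was started with for the life of the tunnel so that up.sh/down.sh can rewrite /etc/resolv.conf and re-enter this script; that trade-off is only implied by the `ewarn` at lines 238-242 and deserves a comment at line 249, e.g. `# Client mode: no privilege drop, up.sh/down.sh must rewrite /etc/resolv.conf and re-enter this script.` Lastly, `cfgfile_has_option` at line 293 relies on `\s` in an ERE, which is a GNU extension rather than POSIX; `[[:space:]]` is the portable spelling and avoids surprises on a busybox/musl grep.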
diff --git a/user/openvpn/openvpn.pre-install b/user/openvpn/openvpn.pre-install
new file mode 100644
index 000000000..c07253531
--- /dev/null
+++ b/user/openvpn/openvpn.pre-install
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+addgroup -S openvpn 2>/dev/null
+adduser -S -D -H -h /dev/null -s /sbin/nologin -G openvpn -g openvpn openvpn 2>/dev/null
+
+exit 0
diff --git a/user/openvpn/openvpn.up b/user/openvpn/openvpn.up
new file mode 100644
index 000000000..2923bef7a
--- /dev/null
+++ b/user/openvpn/openvpn.up
@@ -0,0 +1,82 @@
+#!/bin/sh
+# Copyright (c) 2006-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# Contributed by Roy Marples (uberlord@gentoo.org)
+
+# Setup our resolv.conf
+# Vitally important that we use the domain entry in resolv.conf so we
+# can setup the nameservers are for the domain ONLY in resolvconf if
+# we're using a decent dns cache/forwarder like dnsmasq and NOT nscd/libc.
+# nscd/libc users will get the VPN nameservers before their other ones
+# and will use the first one that responds - maybe the LAN ones?
+# non resolvconf users just the the VPN resolv.conf
+
+# FIXME:- if we have >1 domain, then we have to use search :/
+# We need to add a flag to resolvconf to say
+# "these nameservers should only be used for the listed search domains
+# if other global nameservers are present on other interfaces"
+# This however, will break compatibility with Debians resolvconf
+# A possible workaround would be to just list multiple domain lines
+# and try and let resolvconf handle it
+
+if [ "${PEER_DNS}" != "no" ]; then
+ NS=
+ DOMAIN=
+ SEARCH=
+ i=1
+ while true ; do
+ eval opt=\$foreign_option_${i}
+ [ -z "${opt}" ] && break
+ if [ "${opt}" != "${opt#dhcp-option DOMAIN *}" ] ; then
+ if [ -z "${DOMAIN}" ] ; then
+ DOMAIN="${opt#dhcp-option DOMAIN *}"
+ else
+ SEARCH="${SEARCH}${SEARCH:+ }${opt#dhcp-option DOMAIN *}"
+ fi
+ elif [ "${opt}" != "${opt#dhcp-option DNS *}" ] ; then
+ NS="${NS}nameserver ${opt#dhcp-option DNS *}\n"
+ fi
+ i=$((${i} + 1))
+ done
+
+ if [ -n "${NS}" ] ; then
+ DNS="# Generated by openvpn for interface ${dev}\n"
+ if [ -n "${SEARCH}" ] ; then
+ DNS="${DNS}search ${DOMAIN} ${SEARCH}\n"
+ elif [ -n "${DOMAIN}" ]; then
+ DNS="${DNS}domain ${DOMAIN}\n"
+ fi
+ DNS="${DNS}${NS}"
+ if [ -x /sbin/resolvconf ] ; then
+ printf "${DNS}" | /sbin/resolvconf -a "${dev}"
+ else
+ # Preserve the existing resolv.conf
+ if [ -e /etc/resolv.conf ] ; then
+ cp /etc/resolv.conf /etc/resolv.conf-"${dev}".sv
+ fi
+ printf "${DNS}" > /etc/resolv.conf
+ chmod 644 /etc/resolv.conf
+ fi
+ fi
+fi
+
+# Below section is Gentoo specific
+# Quick summary - our init scripts are re-entrant and set the RC_SVCNAME env var
+# as we could have >1 openvpn service
+
+if [ -n "${RC_SVCNAME}" ]; then
+ # If we have a service specific script, run this now
+ if [ -x /etc/openvpn/"${RC_SVCNAME}"-up.sh ] ; then
+ /etc/openvpn/"${RC_SVCNAME}"-up.sh "$@"
+ fi
+
+ # Re-enter the init script to start any dependant services
+ if ! /etc/init.d/"${RC_SVCNAME}" --quiet status ; then
+ export IN_BACKGROUND=true
+ /etc/init.d/${RC_SVCNAME} --quiet start
+ fi
+fi
+
+exit 0
+
+# vim: ts=4 :
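Review bot: `printf "${DNS}"` at lines 363 and 369 passes server-supplied data as the printf format string: `DNS` is assembled from the `foreign_option_N` values the server pushes (`dhcp-option DOMAIN`/`DNS`), so a `%` in any pushed value is interpreted as a conversion directive instead of being written to resolv.conf. Pass the data as an argument and keep the `\n` escapes working via `%b`: `printf '%b' "${DNS}" | /sbin/resolvconf -a "${dev}"` and `printf '%b' "${DNS}" > /etc/resolv.conf`. Second, the backup at line 367 is unconditional, and the init script starts the client with `--up-restart` (which, as I understand it, re-runs this script on a reconnect), so a later run overwrites `/etc/resolv.conf-${dev}.sv` with the openvpn-generated file and down.sh then "restores" the VPN nameservers; guard it with `[ -e /etc/resolv.conf-"${dev}".sv ] || cp /etc/resolv.conf /etc/resolv.conf-"${dev}".sv`. Also line 388 leaves `${RC_SVCNAME}` unquoted while line 386 quotes it.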