From 3a6b23a5d7d750bf28a1f968700fa809d5ad7aaa Mon Sep 17 00:00:00 2001
From: Lee Starnes
Date: Sat, 8 Sep 2018 01:30:48 +0000
Subject: user/openvpn: pull in
---
 user/openvpn/APKBUILD | 70 +++++++++++++++++++++
 user/openvpn/openvpn.confd | 24 ++++++++
 user/openvpn/openvpn.down | 33 ++++++++++
 user/openvpn/openvpn.initd | 130 +++++++++++++++++++++++++++++++++++++++
 user/openvpn/openvpn.pre-install | 6 ++
 user/openvpn/openvpn.up | 82 ++++++++++++++++++++++++
 6 files changed, 345 insertions(+)
 create mode 100644 user/openvpn/APKBUILD
 create mode 100644 user/openvpn/openvpn.confd
 create mode 100644 user/openvpn/openvpn.down
 create mode 100644 user/openvpn/openvpn.initd
 create mode 100644 user/openvpn/openvpn.pre-install
 create mode 100644 user/openvpn/openvpn.up
(limited to 'user/openvpn')
diff --git a/user/openvpn/APKBUILD b/user/openvpn/APKBUILD
new file mode 100644
index 000000000..73f4d9647
--- /dev/null
+++ b/user/openvpn/APKBUILD
@@ -0,0 +1,70 @@
+# Contributor: Valery Kartel
+# Contributor: Natanael Copa
+# Maintainer: Lee Starnes
+pkgname=openvpn
+pkgver=2.4.6
+pkgrel=1
+pkgdesc="A robust, and highly configurable VPN (Virtual Private Network)"
+url="http://openvpn.sourceforge.net/"
+arch="all"
+license="custom"
+subpackages="$pkgname-doc $pkgname-dev $pkgname-auth-pam:pam"
+depends="iproute2"
+makedepends="openssl-dev lzo-dev linux-pam-dev linux-headers"
+install="$pkgname.pre-install"
+source="http://swupdate.openvpn.net/community/releases/$pkgname-$pkgver.tar.gz
+ openvpn.initd
+ openvpn.confd
+ openvpn.up
+ openvpn.down
+ "
+builddir="$srcdir/$pkgname-$pkgver"
+
+build() {
+ cd "$builddir"
+ ./configure \
+ --build=$CBUILD \
+ --host=$CHOST \
+ --prefix=/usr \
+ --mandir=/usr/share/man \
+ --sysconfdir=/etc/openvpn \
+ --enable-crypto \
+ --enable-iproute2
+ make
+}
+
+check() {
+ cd "$builddir"
+ make check
+}
+
+package() {
+ cd "$builddir"
+ make DESTDIR="$pkgdir" install
+
+ # install samples
+ mkdir -p "$pkgdir"/usr/share/doc/$pkgname/samples
+ cp -a sample/sample-* "$pkgdir"/usr/share/doc/$pkgname/samples
+ install -D -m644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING
+
+ # install init.d and conf.d
+ install -Dm755 "$srcdir"/openvpn.initd "$pkgdir"/etc/init.d/openvpn
+ install -Dm644 "$srcdir"/openvpn.confd "$pkgdir"/etc/conf.d/openvpn
+
+ # install up and down scripts
+ install -Dm755 "$srcdir"/openvpn.up "$pkgdir"/etc/openvpn/up.sh
+ install -Dm755 "$srcdir"/openvpn.down "$pkgdir"/etc/openvpn/down.sh
+}
+
+pam() {
+ pkgdesc="OpenVPN plugin for PAM authentication"
+ mkdir -p "$subpkgdir"/usr/lib/openvpn/plugins
+ mv "$pkgdir"/usr/lib/openvpn/plugins/*-auth-pam* \
+ "$subpkgdir"/usr/lib/openvpn/plugins/
+}
+
+sha512sums="cdd70bfd03177bc6cb70d0d614e40389df00816b7097740b4cda9d7bee094d1463fdb5afeaf604c52c7b3167d1edb098a2e095e131a8b9fed0ed8b29da90cbe8 openvpn-2.4.6.tar.gz
+3594937d4cc9d7b87ac6a3af433f651ed9695f41586994f9d9789554fbe3f87f054b997b89486eda4ae0b852d816aac9007222168d585910aa9f255073324bd9 openvpn.initd
+6b2353aca9df7f43044e4e37990491b4ba077e259ebe13b8f2eb43e35ca7a617c1a65c5bfb8ab05e87cf12c4444184ae064f01f9abbb3c023dbbc07ff3f9c84e openvpn.confd
+cdb73c9a5b1eb56e9cbd29955d94297ce5a87079419cd626d6a0b6680d88cbf310735a53f794886df02030b687eaea553c7c569a8ea1282a149441add1c65760 openvpn.up
+4456880d5c2db061219ba94e4052786700efa5e685f03b0d12d75a6023e3c0fc7b5242cc3d2bd3988e42fcd99701ab13a6257b1a0943b812318d30c64843ad27 openvpn.down"
diff --git a/user/openvpn/openvpn.confd b/user/openvpn/openvpn.confd
new file mode 100644
index 000000000..7274a079d
--- /dev/null
+++ b/user/openvpn/openvpn.confd
@@ -0,0 +1,24 @@
+# Configuration for /etc/init.d/openvpn{,.*}
+
+# OpenVPN can run in many modes. Most people want the init script to
+# automatically detect the mode and try and apply a good default configuration
+# and setup scripts. However, there are cases where the OpenVPN configuration
+# looks like a client, but it's really a peer or something else.
+# detect_client controls this behaviour.
+#detect_client="yes"
+
+# Path of the OpenVPN configuration file to load.
+# Default is /etc/openvpn/openvpn.conf, or /etc/openvpn/.conf if
+# the runscript is symlinked to openvpn. or .
+#cfgfile=
+
+# The script to run in client mode after successful TUN/TAP device open.
+#up_script="/etc/openvpn/up.sh"
+
+# The script to run in client mode after TUN/TAP device close.
+#down_script="/etc/openvpn/down.sh"
+
+# OpenVPN automatically creates an /etc/resolv.conf (or sends it to
+# resolvconf) if given DNS information by the OpenVPN server.
+# Set to "no" to stop this.
+#peer_dns="yes"
diff --git a/user/openvpn/openvpn.down b/user/openvpn/openvpn.down
new file mode 100644
index 000000000..50d463f16
--- /dev/null
+++ b/user/openvpn/openvpn.down
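Review bot: `source=` fetches the release tarball over plain `http://`; the sha512sums entry pins its content so integrity is still verified, but `https://swupdate.openvpn.net/community/releases/$pkgname-$pkgver.tar.gz` removes the cleartext download and the chance of a tampered tarball being retried silently by the fetcher, and `url=` could likewise point at `https://openvpn.net/` rather than the old sourceforge address. `license="custom"` gives downstream license tooling nothing to match against even though COPYING is installed; OpenVPN is distributed under GPL-2.0 with an OpenSSL linking exception, so if this repository uses SPDX identifiers the real license would be more useful here — confirm against the bundled COPYING. The `--enable-crypto` configure flag appears to be the default for this version and could carry a short comment saying why it is spelled out.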
@@ -0,0 +1,33 @@
+#!/bin/sh
+# Copyright (c) 2006-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# Contributed by Roy Marples (uberlord@gentoo.org)
+
+# If we have a service specific script, run this now
+if [ -x /etc/openvpn/"${RC_SVCNAME}"-down.sh ] ; then
+ /etc/openvpn/"${RC_SVCNAME}"-down.sh "$@"
+fi
+
+# Restore resolv.conf to how it was
+if [ "${PEER_DNS}" != "no" ]; then
+ if [ -x /sbin/resolvconf ] ; then
+ /sbin/resolvconf -d "${dev}"
+ elif [ -e /etc/resolv.conf-"${dev}".sv ] ; then
+ # Important that we cat instead of move incase resolv.conf is
+ # a symlink and not an actual file
+ cat /etc/resolv.conf-"${dev}".sv > /etc/resolv.conf
+ rm -f /etc/resolv.conf-"${dev}".sv
+ fi
+fi
+
+if [ -n "${RC_SVCNAME}" ]; then
+ # Re-enter the init script to start any dependant services
+ if /etc/init.d/"${RC_SVCNAME}" --quiet status ; then
+ export IN_BACKGROUND=true
+ /etc/init.d/"${RC_SVCNAME}" --quiet stop
+ fi
+fi
+
+exit 0
+
+# vim: ts=4 :
diff --git a/user/openvpn/openvpn.initd b/user/openvpn/openvpn.initd
new file mode 100644
index 000000000..dae0e3833
--- /dev/null
+++ b/user/openvpn/openvpn.initd
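Review bot: The service-specific hook at the top of the file is looked up as `/etc/openvpn/"${RC_SVCNAME}"-down.sh` without first checking that `RC_SVCNAME` is set, whereas the matching block in openvpn.up runs only under `[ -n "${RC_SVCNAME}" ]`; when OpenVPN is run outside the init script the path collapses to `/etc/openvpn/-down.sh`. Guarding it the same way keeps the two scripts consistent: `if [ -n "${RC_SVCNAME}" ] && [ -x /etc/openvpn/"${RC_SVCNAME}"-down.sh ] ; then`. The restore branch also ignores the status of `cat` and `rm` and the script always exits 0, so a failed restore of resolv.conf leaves no trace in the OpenVPN log; a `|| printf '%s\n' "failed to restore /etc/resolv.conf" >&2` on the `cat` line would make that visible without changing the exit status.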
@@ -0,0 +1,130 @@
+#!/sbin/openrc-run
+
+extra_commands="checkconfig"
+
+instance_name=${RC_SVCNAME#*.}
+[ "$instance_name" != "openvpn" ] \
+ && name="OpenVPN ($instance_name)" \
+ || name="OpenVPN"
+
+# Upper case variables are for backward compatibility with Alpine < v3.8.
+: ${cfgdir:=${VPNDIR:-"/etc/openvpn"}}
+: ${cfgfile:="$cfgdir/$instance_name.conf"}
+: ${detect_client:="${DETECT_CLIENT:-yes}"}
+: ${up_script:="$cfgdir/up.sh"}
+: ${down_script:="$cfgdir/down.sh"}
+: ${peer_dns:=${PEER_DNS:-"yes"}}
+
+pidfile="/run/$RC_SVCNAME.pid"
+command="/usr/sbin/openvpn"
+command_args="
+ --daemon
+ --config $cfgfile
+ --writepid $pidfile
+ --setenv RC_SVCNAME $RC_SVCNAME
+ --setenv PEER_DNS $peer_dns"
+
+required_dirs="$cfgdir"
+required_files="$cfgfile"
+
+
+depend() {
+ need localmount net
+ use dns
+ after bootmisc
+}
+
+checkconfig() {
+ # Note: This is not just a check; we need to detect the mode both for
+ # "start" and "checkconfig" commands, that's why it's here.
+ if [ -z "$client_mode" ] && yesno "$detect_client"; then
+ cfgfile_has_option 'remote' \
+ && client_mode=yes \
+ || client_mode=no
+ fi
+
+ if [ ! -e /dev/net/tun ]; then
+ if ! modprobe tun; then
+ eerror "TUN/TAP support is not available in this kernel"
+ return 1
+ fi
+ fi
+ if [ -h /dev/net/tun ] && [ -c /dev/misc/net/tun ]; then
+ ebegin "Detected broken /dev/net/tun symlink, fixing..."
+ rm -f /dev/net/tun
+ ln -s /dev/misc/net/tun /dev/net/tun
+ eend $?
+ fi
+
+ if yesno "$client_mode"; then
+ local f; for f in "$up_script" "$down_script"; do
+ [ -r "$f" ] || { eerror "'$f' is not readable"; return 1; }
+ done
+
+ # Warn about setting scripts as we override them
+ if cfgfile_has_option "(up|down)"; then
+ ewarn "WARNING: You have defined your own up/down scripts"
+ ewarn "As you're running as a client, we now force Alpine specific"
+ ewarn "scripts to be run for up and down events."
+ ewarn "These scripts will call /etc/openvpn/$RC_SVCNAME-{up,down}.sh"
+ ewarn "where you can put your own code."
+ fi
+ # Warn about the inability to change ip/route/dns information when
+ # dropping privs
+ if cfgfile_has_option "user"; then
+ ewarn "WARNING: You are dropping root privileges!"
+ ewarn "As such openvpn may not be able to change ip, routing"
+ ewarn "or DNS configuration."
+ fi
+ fi
+}
+
+start_pre() {
+ checkconfig || return 1
+
+ if yesno "$client_mode"; then
+ command_args="$command_args
+ --up-delay
+ --up-restart
+ --down-pre
+ --script-security 2
+ --up $up_script
+ --down $down_script"
+ start_inactive="yes"
+ else
+ # Run as openvpn unless otherwise specified.
+ cfgfile_has_option "user" || command_args="$command_args --user openvpn"
+ cfgfile_has_option "group" || command_args="$command_args --group openvpn"
+ fi
+
+ # If the config file does not specify the cd option, we do.
+ # But if we specify it, we override the config option which we do not want.
+ if cfgfile_has_option "cd"; then
+ command_args="$command_args --cd $cfgdir"
+ fi
+}
+
+start() {
+ # If we are re-called by the up.sh script, then we don't actually want
+ # to start OpenVPN. We do this so we can "start" ourselves from
+ # inactive (from the up.sh script) which then triggers other
+ # services to start which depend on us.
+ yesno "$IN_BACKGROUND" && return 0
+
+ default_start
+}
+
+stop() {
+ # If we are re-called by the down.sh script, then we don't actually
+ # want to stop OpenVPN.
+ if yesno "$IN_BACKGROUND"; then
+ mark_service_inactive "$RC_SVCNAME"
+ return 0
+ fi
+
+ default_stop
+}
+
+cfgfile_has_option() {
+ grep -Eq "^\s*$1\s" "$cfgfile"
+}
diff --git a/user/openvpn/openvpn.pre-install b/user/openvpn/openvpn.pre-install
new file mode 100644
index 000000000..c07253531
--- /dev/null
+++ b/user/openvpn/openvpn.pre-install
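Review bot: The `cd` handling in start_pre is inverted relative to its own comment: `if cfgfile_has_option "cd"; then` appends `--cd $cfgdir` exactly when the config file already sets `cd`, so a user-chosen directory is overridden by the later command-line option (the case the comment says is unwanted) while a config without `cd` gets no `--cd` at all; it should read `if ! cfgfile_has_option "cd"; then`. Separately, `command_args` interpolates `$cfgfile`, `$pidfile`, `$up_script` and `$down_script` unquoted into a string that OpenRC word-splits, so any of these paths containing whitespace would be broken into several arguments — fine for the default /etc/openvpn layout, but worth a comment next to the `cfgdir`/`cfgfile` defaults since conf.d lets an administrator override them. In non-client mode the script drops to `--user openvpn`/`--group openvpn`, while in client mode it keeps root so the up/down hooks can rewrite resolv.conf and re-enter the init script; the `ewarn` text covers the opposite case only, and a one-line comment above `start_inactive="yes"` stating that client mode intentionally runs as root would spare the next reader a guess.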
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+addgroup -S openvpn 2>/dev/null
+adduser -S -D -H -h /dev/null -s /sbin/nologin -G openvpn -g openvpn openvpn 2>/dev/null
+
+exit 0
diff --git a/user/openvpn/openvpn.up b/user/openvpn/openvpn.up
new file mode 100644
index 000000000..2923bef7a
--- /dev/null
+++ b/user/openvpn/openvpn.up
@@ -0,0 +1,82 @@
+#!/bin/sh
+# Copyright (c) 2006-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# Contributed by Roy Marples (uberlord@gentoo.org)
+
+# Setup our resolv.conf
+# Vitally important that we use the domain entry in resolv.conf so we
+# can setup the nameservers are for the domain ONLY in resolvconf if
+# we're using a decent dns cache/forwarder like dnsmasq and NOT nscd/libc.
+# nscd/libc users will get the VPN nameservers before their other ones
+# and will use the first one that responds - maybe the LAN ones?
+# non resolvconf users just the the VPN resolv.conf
+
+# FIXME:- if we have >1 domain, then we have to use search :/
+# We need to add a flag to resolvconf to say
+# "these nameservers should only be used for the listed search domains
+# if other global nameservers are present on other interfaces"
+# This however, will break compatibility with Debians resolvconf
+# A possible workaround would be to just list multiple domain lines
+# and try and let resolvconf handle it
+
+if [ "${PEER_DNS}" != "no" ]; then
+ NS=
+ DOMAIN=
+ SEARCH=
+ i=1
+ while true ; do
+ eval opt=\$foreign_option_${i}
+ [ -z "${opt}" ] && break
+ if [ "${opt}" != "${opt#dhcp-option DOMAIN *}" ] ; then
+ if [ -z "${DOMAIN}" ] ; then
+ DOMAIN="${opt#dhcp-option DOMAIN *}"
+ else
+ SEARCH="${SEARCH}${SEARCH:+ }${opt#dhcp-option DOMAIN *}"
+ fi
+ elif [ "${opt}" != "${opt#dhcp-option DNS *}" ] ; then
+ NS="${NS}nameserver ${opt#dhcp-option DNS *}\n"
+ fi
+ i=$((${i} + 1))
+ done
+
+ if [ -n "${NS}" ] ; then
+ DNS="# Generated by openvpn for interface ${dev}\n"
+ if [ -n "${SEARCH}" ] ; then
+ DNS="${DNS}search ${DOMAIN} ${SEARCH}\n"
+ elif [ -n "${DOMAIN}" ]; then
+ DNS="${DNS}domain ${DOMAIN}\n"
+ fi
+ DNS="${DNS}${NS}"
+ if [ -x /sbin/resolvconf ] ; then
+ printf "${DNS}" | /sbin/resolvconf -a "${dev}"
+ else
+ # Preserve the existing resolv.conf
+ if [ -e /etc/resolv.conf ] ; then
+ cp /etc/resolv.conf /etc/resolv.conf-"${dev}".sv
+ fi
+ printf "${DNS}" > /etc/resolv.conf
+ chmod 644 /etc/resolv.conf
+ fi
+ fi
+fi
+
+# Below section is Gentoo specific
+# Quick summary - our init scripts are re-entrant and set the RC_SVCNAME env var
+# as we could have >1 openvpn service
+
+if [ -n "${RC_SVCNAME}" ]; then
+ # If we have a service specific script, run this now
+ if [ -x /etc/openvpn/"${RC_SVCNAME}"-up.sh ] ; then
+ /etc/openvpn/"${RC_SVCNAME}"-up.sh "$@"
+ fi
+
+ # Re-enter the init script to start any dependant services
+ if ! /etc/init.d/"${RC_SVCNAME}" --quiet status ; then
+ export IN_BACKGROUND=true
+ /etc/init.d/${RC_SVCNAME} --quiet start
+ fi
+fi
+
+exit 0
+
+# vim: ts=4 :
-- cgit v1.2.3-70-g09d2
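Review bot: Both `printf "${DNS}"` calls (the pipe into `/sbin/resolvconf -a` and the direct `> /etc/resolv.conf` write) pass peer-supplied text as the printf format string: `DNS` is assembled from the `foreign_option_N` values pushed by the remote side, so a `%` in a pushed DNS or DOMAIN option is interpreted as a conversion instead of being written literally, and the script runs as root at this point. The format-string trick is only there to turn the literal `\n` sequences into newlines; building the lines with a real newline and printing with `printf '%s' "${DNS}"` keeps the data out of the format, as below. The pushed values are also written verbatim without any check that they resemble an address or a domain name, so a minimal sanity check before appending to `NS`/`DOMAIN` (for example, rejecting a value that contains whitespace or does not match the expected character set) would bound what a peer can place in resolv.conf. Minor: `/etc/init.d/${RC_SVCNAME} --quiet start` is unquoted while the `status` call two lines above quotes the same expansion.
```sh
nl='
'    # one literal newline, so the data never becomes a printf format
# … unchanged: DOMAIN/SEARCH handling …
NS="${NS}nameserver ${opt#dhcp-option DNS *}${nl}"
# … unchanged: end of option loop …
DNS="# Generated by openvpn for interface ${dev}${nl}"
DNS="${DNS}search ${DOMAIN} ${SEARCH}${nl}"
DNS="${DNS}domain ${DOMAIN}${nl}"
# … unchanged: DNS="${DNS}${NS}" and the resolvconf test …
printf '%s' "${DNS}" | /sbin/resolvconf -a "${dev}"
# … unchanged: backup of the existing resolv.conf …
printf '%s' "${DNS}" > /etc/resolv.conf
```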