From 7f231418374d69e8355d237571345bb853c48080 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Sun, 5 Feb 2012 15:52:03 +0000
Subject: [PATCH] [packages_10.03.2] openvpn: merge r28098, r28120, r29167, r29184, r29355

SVN-Revision: 30235
---
 net/openvpn/Config.in | 84 ++++++++++++++++++
 net/openvpn/Makefile | 114 ++++++++++++++++++++-----
 net/openvpn/files/openvpn.config | 6 +-
 net/openvpn/files/openvpn.init | 86 +++++++++---------
 net/openvpn/patches/001-easy_rsa.patch | 106 +++++++---------------
 5 files changed, 257 insertions(+), 139 deletions(-)
 create mode 100644 net/openvpn/Config.in

diff --git a/net/openvpn/Config.in b/net/openvpn/Config.in
new file mode 100644
index 0000000000..aea6f3eff6
--- /dev/null
+++ b/net/openvpn/Config.in
@@ -0,0 +1,84 @@
+menu "Configuration"
+ depends on PACKAGE_openvpn
+
+config OPENVPN_DISABLE_LZO
+ bool "Disable LZO compression support"
+ depends on PACKAGE_openvpn
+ default n
+
+config OPENVPN_DISABLE_CRYPTO
+ bool "Disable OpenSSL crypto support"
+ depends on PACKAGE_openvpn
+ default n
+
+config OPENVPN_DISABLE_SSL
+ bool "Disable OpenSSL SSL support for TLS-based key exchange"
+ depends on PACKAGE_openvpn
+ default n
+
+config OPENVPN_X509_ALT_USERNAME
+ bool "Enable the --x509-username-field feature"
+ depends on PACKAGE_openvpn
+ default n
+
+config OPENVPN_DISABLE_MULTI
+ bool "Disable client/server support (--mode server + client mode)"
+ depends on PACKAGE_openvpn
+ default n
+
+config OPENVPN_DISABLE_SERVER
+ bool "Disable server support only (but retain client support)"
+ depends on PACKAGE_openvpn
+ default n
+
+config OPENVPN_DISABLE_EUREPHIA
+ bool "Disable support for the eurephia plug-in"
+ depends on PACKAGE_openvpn
+ default y
+
+config OPENVPN_DISABLE_MANAGEMENT
+ bool "Disable management server support"
+ depends on PACKAGE_openvpn
+ default y
+
+config OPENVPN_DISABLE_PKCS11
+ bool "Disable pkcs11 support"
+ depends on PACKAGE_openvpn
+ default n
+
+config OPENVPN_DISABLE_HTTP
+ bool "Disable HTTP proxy support"
+ depends on PACKAGE_openvpn
+ default n
+
+config OPENVPN_DISABLE_FRAGMENT
+ bool "Disable internal fragmentation support (--fragment)"
+ depends on PACKAGE_openvpn
+ default n
+
+config OPENVPN_DISABLE_MULTIHOME
+ bool "Disable multi-homed UDP server support (--multihome)"
+ depends on PACKAGE_openvpn
+ default n
+
+config OPENVPN_DISABLE_PORT_SHARE
+ bool "Disable TCP server port-share support (--port-share)"
+ depends on PACKAGE_openvpn
+ default n
+
+config OPENVPN_ENABLE_PASSWORD_SAVE
+ bool "Allow --askpass and --auth-user-pass passwords to be read from a file"
+ depends on PACKAGE_openvpn
+ default n
+
+config OPENVPN_DISABLE_DEF_AUTH
+ bool "Disable deferred authentication"
+ depends on PACKAGE_openvpn
+ default n
+
+config 
OPENVPN_DISABLE_PF + bool "Disable internal packet filter" + depends on PACKAGE_openvpn + default n + +endmenu diff --git a/net/openvpn/Makefile b/net/openvpn/Makefile index c618988ec7..c80c587e22 100644 --- a/net/openvpn/Makefile +++ b/net/openvpn/Makefile @@ -8,40 +8,36 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openvpn -PKG_VERSION:=2.1.4 -PKG_RELEASE:=3 +PKG_VERSION:=2.2.1 +PKG_RELEASE:=4 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=http://swupdate.openvpn.net/community/releases @SF/openvpn -PKG_MD5SUM:=96a11868082685802489254f03ff3bde +PKG_MD5SUM:=500bee5449b29906150569aaf2eb2730 PKG_INSTALL:=1 +PKG_BUILD_PARALLEL:=1 include $(INCLUDE_DIR)/package.mk define Package/openvpn SECTION:=net CATEGORY:=Network - DEPENDS:=+kmod-tun +libopenssl +PACKAGE_openvpn_complzo:liblzo + SUBMENU:=VPN + DEPENDS:=+kmod-tun +libopenssl +!OPENVPN_DISABLE_LZO:liblzo TITLE:=Open source VPN solution using SSL URL:=http://openvpn.net - SUBMENU:=VPN + MENU:=1 endef -define Package/openvpn/config -config PACKAGE_openvpn_complzo - bool "Enable --comp-lzo compression option" - depends on PACKAGE_openvpn - default y +define Package/openvpn/description + Open source VPN solution using SSL endef -define Package/openvpn/conffiles -/etc/config/openvpn +define Package/openvpn/config + source "$(SOURCE)/Config.in" endef -define Package/openvpn/description - Open source VPN solution using SSL -endef define Package/openvpn-easy-rsa $(call Package/openvpn) 
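Review bot: The new defaults are stricter than what the old Makefile passed unconditionally (`--enable-management` and `--enable-password-save` in the removed 2.1.4 configure lines), so OPENVPN_DISABLE_MANAGEMENT defaulting to `y` and OPENVPN_ENABLE_PASSWORD_SAVE to `n` will, I believe, make an existing config that uses `management` or `auth-user-pass <file>` refuse to start after the upgrade, and neither the prompts nor the commit message say so. Tightening these is the right default — the management interface is a local control channel and a saved password is clear text on the flash — but each symbol should carry a `help` block stating what flipping it breaks, e.g. for OPENVPN_ENABLE_PASSWORD_SAVE: `help` / `Let --auth-user-pass and --askpass read the credential from a file. Off by default: the file stores the secret in clear text.` Every symbol also repeats `depends on PACKAGE_openvpn` although the enclosing `menu` already declares it on its second line, so the per-symbol copies can go.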
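Review bot: `DEPENDS` keeps `+libopenssl` unconditional on the same line that makes liblzo conditional on `!OPENVPN_DISABLE_LZO`; with OPENVPN_DISABLE_CRYPTO set (which for this release should take the SSL layer with it) the binary presumably no longer links OpenSSL, so the image carries a library nothing uses. If that holds for 2.2.1, `+!OPENVPN_DISABLE_CRYPTO:libopenssl` would keep the two dependencies consistent; if OpenSSL is in fact always needed, a comment on the `DEPENDS` line saying why would save the next reader the same question.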
@@ -59,19 +55,97 @@ CONFIGURE_ARGS+= \ --with-ifconfig-path=/sbin/ifconfig \ --with-iproute-path=/usr/sbin/ip \ --with-route-path=/sbin/route \ - --disable-pthread \ --disable-debug \ --disable-plugins \ - --enable-management \ + --disable-pthread \ + --disable-selinux \ --disable-socks \ - --enable-password-save \ --enable-small -ifndef CONFIG_PACKAGE_openvpn_complzo +ifeq ($(CONFIG_OPENVPN_DISABLE_LZO),y) CONFIGURE_ARGS += \ --disable-lzo endif +ifeq ($(CONFIG_OPENVPN_DISABLE_CRYPTO),y) +CONFIGURE_ARGS += \ + --disable-crypto +endif + +ifeq ($(CONFIG_OPENVPN_DISABLE_SSL),y) +CONFIGURE_ARGS += \ + --disable-ssl +endif + +ifeq ($(CONFIG_OPENVPN_X509_ALT_USERNAME),y) +CONFIGURE_ARGS += \ + --enable-x509-alt-username +endif + +ifeq ($(CONFIG_OPENVPN_DISABLE_MULTI),y) +CONFIGURE_ARGS += \ + --disable-multi +endif + +ifeq ($(CONFIG_OPENVPN_DISABLE_SERVER),y) +CONFIGURE_ARGS += \ + --disable-server +endif + +ifeq ($(CONFIG_OPENVPN_DISABLE_EUREPHIA),y) +CONFIGURE_ARGS += \ + --disable-eurephia +endif + +ifeq ($(CONFIG_OPENVPN_DISABLE_MANAGEMENT),y) +CONFIGURE_ARGS += \ + --disable-management +endif + +ifeq ($(CONFIG_OPENVPN_DISABLE_PKCS11),y) +CONFIGURE_ARGS += \ + --disable-pkcs11 +endif + +ifeq ($(CONFIG_OPENVPN_DISABLE_HTTP),y) +CONFIGURE_ARGS += \ + --disable-http +endif + +ifeq ($(CONFIG_OPENVPN_DISABLE_FRAGMENT),y) +CONFIGURE_ARGS += \ + --disable-fragment +endif + +ifeq ($(CONFIG_OPENVPN_DISABLE_MULTIHOME),y) +CONFIGURE_ARGS += \ + --disable-multihome +endif + +ifeq ($(CONFIG_OPENVPN_DISABLE_PORT_SHARE),y) +CONFIGURE_ARGS += \ + --disable-port-share +endif + +ifeq ($(CONFIG_OPENVPN_ENABLE_PASSWORD_SAVE),y) +CONFIGURE_ARGS += \ + --enable-password-save +endif + +ifeq ($(CONFIG_OPENVPN_DISABLE_DEF_AUTH),y) +CONFIGURE_ARGS += \ + --disable-def-auth +endif + +ifeq ($(CONFIG_OPENVPN_DISABLE_PF),y) +CONFIGURE_ARGS += \ + --disable-pf +endif + +define Package/openvpn/conffiles +/etc/config/openvpn +endef + define Package/openvpn/install $(INSTALL_DIR) $(1)/usr/sbin 
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/openvpn $(1)/usr/sbin/ @@ -88,7 +162,7 @@ define Package/openvpn-easy-rsa/install $(INSTALL_DIR) $(1)/usr/sbin $(CP) $(PKG_BUILD_DIR)/easy-rsa/2.0/{build-*,clean-all,inherit-inter,list-crl,pkitool,revoke-full,sign-req,whichopensslcnf} $(1)/usr/sbin/ $(INSTALL_DIR) $(1)/etc/easy-rsa - $(INSTALL_DATA) $(PKG_BUILD_DIR)/easy-rsa/2.0/openssl.cnf $(1)/etc/easy-rsa/openssl.cnf + $(INSTALL_DATA) $(PKG_BUILD_DIR)/easy-rsa/2.0/openssl-1.0.0.cnf $(1)/etc/easy-rsa/openssl-1.0.0.cnf $(INSTALL_DATA) $(PKG_BUILD_DIR)/easy-rsa/2.0/vars $(1)/etc/easy-rsa/vars $(INSTALL_DIR) $(1)/etc/easy-rsa/keys $(INSTALL_DATA) files/easy-rsa.index $(1)/etc/easy-rsa/keys/index.txt diff --git a/net/openvpn/files/openvpn.config b/net/openvpn/files/openvpn.config index a0539dfd2e..4a1f66733a 100644 --- a/net/openvpn/files/openvpn.config +++ b/net/openvpn/files/openvpn.config @@ -7,7 +7,7 @@ package openvpn config openvpn custom_config # Set to 1 to enable this instance: - option enable 0 + option enabled 0 # Include OpenVPN configuration option config /etc/openvpn/my-vpn.conf @@ -21,7 +21,7 @@ config openvpn custom_config config openvpn sample_server # Set to 1 to enable this instance: - option enable 0 + option enabled 0 # Which local IP address should OpenVPN # listen on? (optional) @@ -292,7 +292,7 @@ config openvpn sample_server config openvpn sample_client # Set to 1 to enable this instance: - option enable 0 + option enabled 0 # Specify that we are a client and that we # will be pulling certain config file directives diff --git a/net/openvpn/files/openvpn.init b/net/openvpn/files/openvpn.init index 0fee06d8d4..c5f3f95ca8 100644 --- a/net/openvpn/files/openvpn.init +++ b/net/openvpn/files/openvpn.init 
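Review bot: The sixteen `ifeq ($(CONFIG_OPENVPN_…),y)` blocks from the LZO check down to `--disable-pf` are the same four lines with two words changed, which makes a mistyped symbol name in any one of them invisible; a single symbol-to-switch table evaluated once keeps the list in one place and makes the cross-check against Config.in a matter of reading two columns. The sketch below appends to `CONFIGURE_ARGS` exactly what the chain does for the `y`/unset values these CONFIG_ symbols take, and keeps the LZO entry that the hunk turns from `ifndef` into `ifeq`. `Package/openvpn/install` continues past the end of the hunk.
```make
# One entry per CONFIG_OPENVPN_* knob: <symbol suffix>:<configure switch>.
OPENVPN_CONFIGURE_FLAGS := \
	DISABLE_LZO:--disable-lzo \
	DISABLE_CRYPTO:--disable-crypto \
	DISABLE_SSL:--disable-ssl \
	X509_ALT_USERNAME:--enable-x509-alt-username \
	DISABLE_MULTI:--disable-multi \
	DISABLE_SERVER:--disable-server \
	DISABLE_EUREPHIA:--disable-eurephia \
	DISABLE_MANAGEMENT:--disable-management \
	DISABLE_PKCS11:--disable-pkcs11 \
	DISABLE_HTTP:--disable-http \
	DISABLE_FRAGMENT:--disable-fragment \
	DISABLE_MULTIHOME:--disable-multihome \
	DISABLE_PORT_SHARE:--disable-port-share \
	ENABLE_PASSWORD_SAVE:--enable-password-save \
	DISABLE_DEF_AUTH:--disable-def-auth \
	DISABLE_PF:--disable-pf

# Emit the switch for every knob whose CONFIG_ symbol is set to y.
CONFIGURE_ARGS += $(foreach f,$(OPENVPN_CONFIGURE_FLAGS), \
	$(if $(filter y,$(CONFIG_OPENVPN_$(firstword $(subst :, ,$(f))))),$(lastword $(subst :, ,$(f)))))

# … unchanged: Package/openvpn/conffiles and Package/openvpn/install …
```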
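Review bot: Only the 1.0.0 flavour of the easy-rsa OpenSSL config is installed, under the version-bound name `/etc/easy-rsa/openssl-1.0.0.cnf`; the `whichopensslcnf` helper copied two lines above selects the config by the output of `openssl version` on the target (inferred from the upstream helper, its body is not in this diff), so the file is found only while the target OpenSSL reports 1.0.0 and the lookup presumably falls through to a name that is not installed otherwise. A comment on the install line, `# easy-rsa's whichopensslcnf picks the file by target OpenSSL version; rename with the libopenssl bump`, would record that coupling, and installing the same file under the generic `openssl.cnf` name as well would give the helper a fallback.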
@@ -1,12 +1,14 @@ #!/bin/sh /etc/rc.common -# OpenVPN init script +# Copyright (C) 2008-2011 OpenWrt.org # Copyright (C) 2008 Jo-Philipp Wich # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. START=95 -BIN=/usr/sbin/openvpn -SSD=start-stop-daemon + +SERVICE_DAEMONIZE=1 +SERVICE_WRITE_PID=1 + EXTRA_COMMANDS="up down" LIST_SEP=" @@ -55,15 +57,17 @@ append_params_quoted() { done } -start_service() { +section_enabled() { + config_get_bool enable "$1" 'enable' 0 + config_get_bool enabled "$1" 'enabled' 0 + [ $enable -gt 0 ] || [ $enabled -gt 0 ] +} + +start_instance() { local s="$1" - local enable=0 - # disabled? - config_get_bool enable "$s" enable 0 - [ "$enable" == 0 ] && return 0 + section_enabled "$s" || return 1 - PID="/var/run/openvpn-$s.pid" ARGS="" # append flags 
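Review bot: `section_enabled` assigns `enable` and `enabled` without `local`, so both leak into the caller's scope and survive across the `config_foreach` iterations, whereas the removed `start_service` declared `local enable=0`; add `local enable enabled` as the first line of the function. Accepting both spellings is what keeps configs still written with `option enable` working after the rename to `enabled` in openvpn.config, and that deserves a one-line comment above the first `config_get_bool`, e.g. `# 'enable' is the pre-2.2 spelling of the option; keep honouring it`.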
@@ -104,67 +108,63 @@ start_service() { down push up - [ -n "$ARGS" ] && \ - eval "$SSD -q -b -p '$PID' -x $BIN -S -- --syslog 'openvpn($s)' --writepid '$PID' $ARGS" + SERVICE_PID_FILE="/var/run/openvpn-$s.pid" + service_start /usr/sbin/openvpn --syslog "openvpn($s)" --writepid "$SERVICE_PID_FILE" $ARGS } -kill_service() { +stop_instance() { local s="$1" - local S="${2:-TERM}" - local enable=0 - - # disabled? - config_get_bool enable "$s" enable 0 - [ "$enable" == 1 ] || [ "$S" == "TERM" ] || return 0 - PID="/var/run/openvpn-$s.pid" + section_enabled "$s" || return 1 - $SSD -q -p $PID -x $BIN -K -s $S - [ "$S" == "TERM" ] && rm -f "$PID" + SERVICE_PID_FILE="/var/run/openvpn-$s.pid" + service_stop /usr/sbin/openvpn } -hup_service() { kill_service "$1" HUP; } -stop_service() { kill_service "$1" TERM; } +reload_instance() { + local s="$1" + + section_enabled "$s" || return 1 + + SERVICE_PID_FILE="/var/run/openvpn-$s.pid" + service_reload /usr/sbin/openvpn +} start() { - config_load openvpn - config_foreach start_service openvpn + config_load 'openvpn' + config_foreach start_instance 'openvpn' } stop() { - config_load openvpn - config_foreach stop_service openvpn + config_load 'openvpn' + config_foreach stop_instance 'openvpn' } reload() { - config_load openvpn - config_foreach hup_service openvpn -} - -restart() { - stop; sleep 5; start + config_load 'openvpn' + config_foreach reload_instance 'openvpn' } up() { local exists - local INSTANCE - config_load openvpn - for INSTANCE in "$@"; do - config_get exists "$INSTANCE" TYPE + local instance + config_load 'openvpn' + for instance in "$@"; do + config_get exists "$instance" 'TYPE' if [ "$exists" == "openvpn" ]; then - start_service "$INSTANCE" + start_instance "$instance" fi done } down() { local exists - local INSTANCE - config_load openvpn - for INSTANCE in "$@"; do - config_get exists "$INSTANCE" TYPE + local instance + config_load 'openvpn' + for instance in "$@"; do + config_get exists "$instance" 'TYPE' if [ 
"$exists" == "openvpn" ]; then - stop_service "$INSTANCE" + stop_instance "$instance" fi done } diff --git a/net/openvpn/patches/001-easy_rsa.patch b/net/openvpn/patches/001-easy_rsa.patch index fa987a247c..6b1d0b7575 100644 --- a/net/openvpn/patches/001-easy_rsa.patch +++ b/net/openvpn/patches/001-easy_rsa.patch @@ -1,11 +1,6 @@ --- a/easy-rsa/2.0/build-ca +++ b/easy-rsa/2.0/build-ca -@@ -1,8 +1,8 @@ --#!/bin/bash -+#!/bin/sh - - # - # Build a root certificate +@@ -5,4 +5,4 @@ # export EASY_RSA="${EASY_RSA:-.}" @@ -13,21 +8,17 @@ +"/usr/sbin/pkitool" --interact --initca $* --- a/easy-rsa/2.0/build-dh +++ b/easy-rsa/2.0/build-dh -@@ -1,4 +1,6 @@ --#!/bin/bash -+#!/bin/sh -+ -+. /etc/easy-rsa/vars +@@ -1,5 +1,7 @@ + #!/bin/sh ++. /etc/easy-rsa/vars ++ # Build Diffie-Hellman parameters for the server side # of an SSL/TLS connection. + --- a/easy-rsa/2.0/build-inter +++ b/easy-rsa/2.0/build-inter -@@ -1,7 +1,7 @@ --#!/bin/bash -+#!/bin/sh - - # Make an intermediate CA certificate/private key pair using a locally generated +@@ -4,4 +4,4 @@ # root certificate. export EASY_RSA="${EASY_RSA:-.}" @@ -35,11 +26,7 @@ +"/usr/sbin/pkitool" --interact --inter $* --- a/easy-rsa/2.0/build-key +++ b/easy-rsa/2.0/build-key -@@ -1,7 +1,7 @@ --#!/bin/bash -+#!/bin/sh - - # Make a certificate/private key pair using a locally generated +@@ -4,4 +4,4 @@ # root certificate. export EASY_RSA="${EASY_RSA:-.}" @@ -47,11 +34,7 @@ +"/usr/sbin/pkitool" --interact $* --- a/easy-rsa/2.0/build-key-pass +++ b/easy-rsa/2.0/build-key-pass -@@ -1,7 +1,7 @@ --#!/bin/bash -+#!/bin/sh - - # Similar to build-key, but protect the private key +@@ -4,4 +4,4 @@ # with a password. export EASY_RSA="${EASY_RSA:-.}" @@ -59,12 +42,7 @@ +"/usr/sbin/pkitool" --interact --pass $* --- a/easy-rsa/2.0/build-key-pkcs12 
+++ b/easy-rsa/2.0/build-key-pkcs12 -@@ -1,8 +1,8 @@ --#!/bin/bash -+#!/bin/sh - - # Make a certificate/private key pair using a locally generated - # root certificate and convert it to a PKCS #12 file including the +@@ -5,4 +5,4 @@ # the CA certificate as well. export EASY_RSA="${EASY_RSA:-.}" @@ -72,12 +50,6 @@ +"/usr/sbin/pkitool" --interact --pkcs12 $* --- a/easy-rsa/2.0/build-key-server +++ b/easy-rsa/2.0/build-key-server -@@ -1,4 +1,4 @@ --#!/bin/bash -+#!/bin/sh - - # Make a certificate/private key pair using a locally generated - # root certificate. @@ -7,4 +7,4 @@ # extension in the openssl.cnf file. @@ -86,11 +58,7 @@ +"/usr/sbin/pkitool" --interact --server $* --- a/easy-rsa/2.0/build-req +++ b/easy-rsa/2.0/build-req -@@ -1,7 +1,7 @@ --#!/bin/bash -+#!/bin/sh - - # Build a certificate signing request and private key. Use this +@@ -4,4 +4,4 @@ # when your root certificate and key is not available locally. export EASY_RSA="${EASY_RSA:-.}" @@ -98,11 +66,7 @@ +"/usr/sbin/pkitool" --interact --csr $* --- a/easy-rsa/2.0/build-req-pass +++ b/easy-rsa/2.0/build-req-pass -@@ -1,7 +1,7 @@ --#!/bin/bash -+#!/bin/sh - - # Like build-req, but protect your private key +@@ -4,4 +4,4 @@ # with a password. export EASY_RSA="${EASY_RSA:-.}" @@ -110,34 +74,34 @@ +"/usr/sbin/pkitool" --interact --csr --pass $* --- a/easy-rsa/2.0/clean-all +++ b/easy-rsa/2.0/clean-all -@@ -1,4 +1,6 @@ --#!/bin/bash -+#!/bin/sh -+ -+. /etc/easy-rsa/vars +@@ -1,5 +1,7 @@ + #!/bin/sh ++. /etc/easy-rsa/vars ++ # Initialize the $KEY_DIR directory. # Note that this script does a + # rm -rf on $KEY_DIR so be careful! --- a/easy-rsa/2.0/inherit-inter 
+++ b/easy-rsa/2.0/inherit-inter -@@ -1,4 +1,6 @@ --#!/bin/bash -+#!/bin/sh -+ -+. /etc/easy-rsa/vars +@@ -1,5 +1,7 @@ + #!/bin/sh ++. /etc/easy-rsa/vars ++ # Build a new PKI which is rooted on an intermediate certificate generated # by ./build-inter or ./pkitool --inter from a parent PKI. The new PKI should + # have independent vars settings, and must use a different KEY_DIR directory --- a/easy-rsa/2.0/list-crl +++ b/easy-rsa/2.0/list-crl -@@ -1,4 +1,6 @@ --#!/bin/bash -+#!/bin/sh -+ -+. /etc/easy-rsa/vars +@@ -1,5 +1,7 @@ + #!/bin/sh ++. /etc/easy-rsa/vars ++ # list revoked certificates + CRL="${1:-crl.pem}" --- a/easy-rsa/2.0/pkitool +++ b/easy-rsa/2.0/pkitool @@ -1,5 +1,7 @@ @@ -150,21 +114,17 @@ # session authentication and key exchange, --- a/easy-rsa/2.0/revoke-full +++ b/easy-rsa/2.0/revoke-full -@@ -1,4 +1,6 @@ --#!/bin/bash -+#!/bin/sh -+ -+. /etc/easy-rsa/vars +@@ -1,5 +1,7 @@ + #!/bin/sh ++. /etc/easy-rsa/vars ++ # revoke a certificate, regenerate CRL, # and verify revocation + --- a/easy-rsa/2.0/sign-req +++ b/easy-rsa/2.0/sign-req -@@ -1,7 +1,7 @@ --#!/bin/bash -+#!/bin/sh - - # Sign a certificate signing request (a .csr file) +@@ -4,4 +4,4 @@ # with a local root certificate and key. export EASY_RSA="${EASY_RSA:-.}" -- 2.30.2