
Merge pull request #108 from YunoHost-Apps/testing

Testing
Alexandre Aubin 1 year ago
parent
commit
15092964f2
10 changed files with 63 additions and 131 deletions
  1. 0 54
      CHANGES.md
  2. 1 1
      README.md
  3. 1 1
      README_fr.md
  4. 4 0
      conf/openvpn_client.conf.tpl
  5. 44 70
      conf/ynh-vpnclient
  6. 0 2
      conf/ynh-vpnclient.service
  7. 1 1
      manifest.json
  8. BIN
      screenshot.png
  9. 5 0
      scripts/_common.sh
  10. 7 2
      scripts/config

+ 0 - 54
CHANGES.md

@@ -1,54 +0,0 @@
-# Changelog
-All notable changes to this project will be documented in this file.
-
-The format is (partially) based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
-and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
-
-## Unreleasead
-
-## 1.4.1~ynh1 - 2020-05-11
-
-- [fix] app cannot be deployed as main app
-
-
-## 1.4.1 - 2020-04-04
-
-- [fix] ynh-vpnclient-loadcubefile.sh broken with ssowat 3.7.x (#60)
-
-
-## 1.4.0 - 2019-03-18
-
-- refactoring scripts
-
-
-## 1.3.1 - 2018-12-19
-
-- [mod] Bug fixes and code cleaning
-
-
-## 1.3.0 - 2018-12-02
-
-- [fix] Create a dedicated system user with proper sudo permissions. (#41)
-- [fix] CSRF vulnerability (#43)
-
-
-## 1.2.1 - 2018-09-10
-
-- [fix] user/group = www-data in php-fpm config.
-
-
-## 1.2.0 - 2018-09-06
-
-- [fix] upgrade script is now functional
-- [mod] lots of refactoring to apply app packaging best-practices
-
-
-## 1.1.1 - 2018-04-06
-
-- [fix] Sync the date with http if ntp can't (#37)
-
-
-## 0.0.0 - 2016-05-14
-
-First release
-

+ 1 - 1
README.md

@@ -25,7 +25,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in
 
 
 
-**Shipped version:** 2.0.2~ynh9
+**Shipped version:** 2.1~ynh1
 
 ## Screenshots
 

+ 1 - 1
README_fr.md

@@ -25,7 +25,7 @@ Si vous n’avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) po
 
 
 
-**Version incluse :** 2.0.2~ynh9
+**Version incluse :** 2.1~ynh1
 
 ## Captures d’écran
 

+ 4 - 0
conf/openvpn_client.conf.tpl

@@ -40,3 +40,7 @@ log-append /var/log/openvpn-client.log
 # Routing
 route-ipv6 2000::/3
 redirect-gateway def1 bypass-dhcp
+
+script-security 2
+route-up "/usr/bin/run-parts /etc/openvpn/scripts/route-up.d"
+route-down "/usr/bin/run-parts /etc/openvpn/scripts/route-down.d"

+ 44 - 70
conf/ynh-vpnclient

@@ -85,14 +85,15 @@ unset_ip6addr() {
 is_serverip6route_set() {
   server_ip6s=${1}
 
-  if [ -z "${server_ip6}" ]; then
-    false
-  else
-    for server_ip6 in ${server_ip6s};
-    do
-        ip -6 route | grep -q "${server_ip6}/" || return 1
-    done
+  if [[ -z "${server_ip6s}" ]]; then
+    return 0
   fi
+
+  for server_ip6 in ${server_ip6s}; do
+    if ! ip -6 route | grep -q "^${server_ip6}"; then
+      return 1
+    fi
+  done
 }
 
 set_serverip6route() {
@@ -120,21 +121,6 @@ unset_serverip6route() {
     done
 }
 
-
-###################################################################################
-# Hotspot app                                                                     #
-###################################################################################
-
-has_hotspot_app() {
-  [ -e /tmp/.ynh-hotspot-started ]
-}
-
-is_hotspot_knowme() {
-  hotspot_vpnclient=$(ynh_setting_get hotspot vpnclient)
-
-  [ "${hotspot_vpnclient}" == yes ]
-}
-
 ###################################################################################
 # DNS rules                                                                       #
 ###################################################################################
@@ -277,9 +263,8 @@ start_openvpn() {
 }
 
 stop_openvpn() {
-  # FIXME : isn't openvpn@client ? (idk)
   info "Stopping OpenVPN service"
-  systemctl stop openvpn.service
+  systemctl stop openvpn@client.service
 
   for attempt in $(seq 0 20)
   do
@@ -317,25 +302,39 @@ ynh_setting_set() {
 
 is_running() {
   ((has_nativeip6 && is_serverip6route_set "${new_server_ip6}") || ! has_nativeip6)\
-  && ((! has_hotspot_app && has_ip6delegatedprefix && is_ip6addr_set) || has_hotspot_app || ! has_ip6delegatedprefix)\
+  && ((has_ip6delegatedprefix && is_ip6addr_set) || ! has_ip6delegatedprefix)\
   && is_dns_set && is_firewall_set && is_openvpn_running
 }
 
+check_config() {
+  if [[ ! -e /etc/openvpn/keys/ca-server.crt ]]; then
+    critical "You need a CA server (you can add it through the web admin)"
+  fi
 
-if [ "$1" != restart ]; then
-
-  # Check configuration consistency
+  if ! openssl x509 -in /etc/openvpn/keys/ca-server.crt -noout -checkend 0 >/dev/null; then
+    ca_server_cert_expired_date=$(openssl x509 -in /etc/openvpn/keys/ca-server.crt -noout -enddate | cut -d '=' -f 2)
+    critical "The CA server expired on $ca_server_cert_expired_date"
+  fi
 
-  if [[ ! "${1}" =~ stop ]]; then
-    if [ ! -e /etc/openvpn/keys/ca-server.crt ]; then
-      critical "You need a CA server (you can add it through the web admin)"
+  if [[ ! -e /etc/openvpn/keys/user.crt || ! -e /etc/openvpn/keys/user.key ]]; then
+    if [[ -s /etc/openvpn/keys/credentials ]]; then
+      login_user=$(sed -n 1p /etc/openvpn/keys/credentials)
+      login_passphrase=$(sed -n 2p /etc/openvpn/keys/credentials)
+    else
+      login_user=""
+      login_passphrase=""
     fi
 
-    empty=$(find /etc/openvpn/keys/ -empty -name credentials &> /dev/null | wc -l)
-    if [ "${empty}" -gt 0 -a ! -e /etc/openvpn/keys/user.key ]; then
+    if [[ $login_user == "" || $login_passphrase == "" ]]; then
       critical "You need either a client certificate, either a username, or both (you can add one through the web admin)"
     fi
+  elif [[ -e /etc/openvpn/keys/user.crt ]] && ! openssl x509 -in /etc/openvpn/keys/user.crt -noout -checkend 0 >/dev/null; then
+    user_cert_expired_date=$(openssl x509 -in /etc/openvpn/keys/user.crt -noout -enddate | cut -d '=' -f 2)
+    critical "The client certificate expired on $user_cert_expired_date"
   fi
+}
+
+if [ "$1" != restart ]; then
 
   # Variables
 
@@ -385,17 +384,13 @@ case "${1}" in
       exit 0
     fi
 
-    if [ -e /etc/openvpn/keys/user.crt ] && ! cat /etc/openvpn/keys/user.crt | openssl x509 -noout -checkend 0 >/dev/null
-    then
-        critical "Failed to start OpenVPN client : user certificate expired"
-    fi
+    check_config
 
     info "[vpnclient] Starting..."
     touch /tmp/.ynh-vpnclient-started
 
     # Run openvpn
-    if is_openvpn_running;
-    then
+    if is_openvpn_running; then
       info "(openvpn is already running)"
     else
       start_openvpn
@@ -417,20 +412,18 @@ case "${1}" in
     fi
 
     # Set the ipv6 address
-    if ! has_hotspot_app && has_ip6delegatedprefix && ! is_ip6addr_set
+    if has_ip6delegatedprefix && ! is_ip6addr_set
     then
       set_ip6addr
     fi
 
     # Set host DNS resolvers
-    if ! is_dns_set
-    then
+    if ! is_dns_set; then
        set_dns
     fi
 
     # Set ipv6/ipv4 firewall
-    if ! is_firewall_set
-    then
+    if ! is_firewall_set; then
       set_firewall
     fi
 
@@ -440,14 +433,6 @@ case "${1}" in
     ynh_setting_set vpnclient ip6_gw "${new_ip6_gw}"
     ynh_setting_set vpnclient wired_device "${new_wired_device}"
 
-    # Fix configuration
-    if has_hotspot_app && ! is_hotspot_knowme; then
-      info "Now starting the hotspot"
-      ynh-hotspot start
-    fi
-
-    ping -c1 -w5 debian.org >/dev/null
-
     ipv4=$(ping -w3 -c1 ip.yunohost.org  >/dev/null 2>&1 && curl --max-time 5 https://ip.yunohost.org --silent)
     ipv6=$(ping -w3 -c1 ip6.yunohost.org >/dev/null 2>&1 && curl --max-time 5 https://ip6.yunohost.org --silent)
 
@@ -455,6 +440,8 @@ case "${1}" in
     if ip route get 1.2.3.4 | grep -q tun0; then
         if ping -c1 -w5 debian.org >/dev/null; then
             success "YunoHost VPN client started!"
+            info "IPv4 address is $ipv4"
+            info "IPv6 address is $ipv6"
         else
             critical "The VPN is up but debian.org cannot be reached, indicating that something is probably misconfigured/blocked."
         fi
@@ -471,7 +458,7 @@ case "${1}" in
     info "[vpnclient] Stopping..."
     rm -f /tmp/.ynh-vpnclient-started
 
-    if ! has_hotspot_app && has_ip6delegatedprefix && is_ip6addr_set; then
+    if has_ip6delegatedprefix && is_ip6addr_set; then
       unset_ip6addr
     fi
 
@@ -484,12 +471,6 @@ case "${1}" in
     is_dns_set && unset_dns
 
     is_openvpn_running && stop_openvpn
-
-    # Fix configuration
-    if has_hotspot_app && is_hotspot_knowme; then
-      info "Now starting the hotspot"
-      ynh-hotspot start
-    fi
   ;;
 
   # ########## #
@@ -520,18 +501,11 @@ case "${1}" in
       info "IPv6 delegated prefix found"
       info "IPv6 address computed from the delegated prefix: ${ynh_ip6_addr}"
 
-      if ! has_hotspot_app; then
-        info "No Hotspot app detected"
-
-        if is_ip6addr_set; then
-          success "IPv6 address correctly set"
-        else
-          error "No IPv6 address set"
-          exitcode=1
-        fi
+      if is_ip6addr_set; then
+        success "IPv6 address correctly set"
       else
-        info "Hotspot app detected"
-        info "No IPv6 address to set"
+        error "No IPv6 address set"
+        exitcode=1
       fi
     else
       info "No IPv6 delegated prefix found"
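Review bot: In is_serverip6route_set the new test `grep -q "^${server_ip6}"` is anchored only on the left, so a route for a longer address that begins with the same characters (constructed example: checking 2001:db8::1 while only 2001:db8::10 is routed) is reported as present; the removed pattern's trailing `/` prevented that. Anchoring both ends with `grep -q "^${server_ip6}[ /]"` restricts the match to the exact address whether `ip -6 route` prints it with a prefix length or directly followed by `dev`, which is presumably why the trailing `/` was dropped. Note also that an empty server_ip6s now returns 0 where the old code returned false, which is only correct if callers treat "nothing to check" as already set. The function is complete within its hunk.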

+ 0 - 2
conf/ynh-vpnclient.service

@@ -2,8 +2,6 @@
 Description=YunoHost VPN Client.
 Requires=network.target
 After=network.target
-Wants=ynh-hotspot.service
-Before=ynh-hotspot.service
 
 [Service]
 Type=oneshot

+ 1 - 1
manifest.json

@@ -6,7 +6,7 @@
     "en": "Tunnel the internet traffic through a VPN",
     "fr": "Fait passer le trafic internet à travers un VPN"
   },
-  "version": "2.0.2~ynh9",
+  "version": "2.1~ynh1",
   "url": "https://labriqueinter.net",
   "license": "AGPL-3.0",
   "maintainer": {

BIN
screenshot.png


+ 5 - 0
scripts/_common.sh

@@ -35,6 +35,11 @@ function vpnclient_deploy_files_and_services()
   mkdir -pm 0770 /etc/openvpn/keys/
   chown root:${app} /etc/openvpn/keys/
 
+  # Create scripts directory
+  mkdir -pm 0775 /etc/openvpn/scripts
+  mkdir -pm 0775 /etc/openvpn/scripts/route-up.d
+  mkdir -pm 0775 /etc/openvpn/scripts/route-down.d
+
   #=================================================
 
   # Copy init script
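Review bot: The three new directories are created with mode 0775, but everything executable placed in route-up.d or route-down.d is executed by run-parts from the route-up/route-down hooks added to conf/openvpn_client.conf.tpl, i.e. with OpenVPN's privileges (presumably root, since the visible part of the template sets no user/group). A group-writable hook directory becomes a privilege-escalation path the moment its group is widened the way /etc/openvpn/keys/ is handed to ${app} two lines above, so `mkdir -pm 0755` for all three is the safer default, with a comment such as `# Hooks in route-up.d/route-down.d run via run-parts with OpenVPN's privileges: keep root-owned and not group-writable`. The enclosing function vpnclient_deploy_files_and_services starts before the hunk.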

+ 7 - 2
scripts/config

@@ -238,9 +238,14 @@ ynh_app_config_validate() {
         crt_client="$(read_cube $config_file crt_client)"
         crt_client_key="$(read_cube $config_file crt_client_key)"
         crt_client_ta="$(read_cube $config_file crt_client_ta)"
-        dns_method="custom"
-        nameservers="$dns0,$dns1"
 
+        if [[ -z "$dns0" && -z "$dns1" ]]; then
+          dns_method="yunohost"
+        else
+          dns_method="custom"
+          nameservers="$dns0,$dns1"
+        fi
+        
         # Build specific OVPN template
         tmp_dir=$(dirname "${config_file}")
         cp -f /etc/yunohost/apps/vpnclient/conf/openvpn_client.conf.tpl $tmp_dir/client.conf.tpl
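Review bot: When only one of dns0/dns1 is filled in, the new else branch still sets `nameservers="$dns0,$dns1"`, which produces a leading or trailing comma (constructed example: dns0 empty and dns1 set gives `,<dns1>`); the both-empty case is now handled, the half-empty one is not, and whatever consumes nameservers presumably splits on commas and would see an empty entry. Trimming the stray separator right after the assignment, `nameservers="${nameservers#,}"` and `nameservers="${nameservers%,}"`, keeps the custom branch clean. The added line containing only `+        ` introduces trailing whitespace and should be an empty line. ynh_app_config_validate starts before the hunk.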