
[wip] VPN Client revolution

ljf 3 years ago
parent
commit
50c1afce92

+ 3 - 2
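--- a/README.md
+++ b/README.md
@@ -26,11 +26,12 @@ VPN Client app for [YunoHost](http://yunohost.org/).
 * Strong firewalling (internet access and self-hosted services only available through the VPN)
 * Advanced mode for editing the default OpenVPN configuration
 * Auto-configuration mode, with [dot cube files](http://internetcu.be/dotcubefiles.html)
-* Web interface
+and OVPN file with embeded certificates.
+* Web interface available from the web admin of YunoHost
 
 ## Screenshot
 
-![Screenshot of the web interface](https://raw.githubusercontent.com/labriqueinternet/vpnclient_ynh/master/screenshot.png)
+![Screenshot of the web interface](https://raw.githubusercontent.com/labriqueinternet/vpnclient_ynh/master/doc/screenshorts/vpnclient.png)
 
 
 ## Running vpnclient inside lxc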

+ 3 - 5
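--- a/check_process
+++ b/check_process
@@ -1,20 +1,18 @@
 ;; Test complet
     ; Manifest
-        domain="domain.tld" (DOMAIN)
-        path="/vpnconfig"   (PATH)
     ; Checks
         pkg_linter=1
-        setup_sub_dir=1
+        setup_sub_dir=0
         setup_root=1
         setup_nourl=0
-        setup_private=1
+        setup_private=0
         setup_public=0
         upgrade=1
         upgrade=1   from_commit=623d8a30453a26ee21aa2ce1142674a2ffdb85b9
         upgrade=1   from_commit=73aa672346e40fc1857aef7441c449f0bd322082
         backup_restore=1
         multi_instance=0
-        incorrect_path=1
+        incorrect_path=0
         port_already_use=0
         change_url=0
 ;;; Options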

+ 0 - 20
conf/ipv6_compressed

@@ -1,20 +0,0 @@
-#!/bin/bash
-
-# VPN Client app for YunoHost 
-# Copyright (C) 2015 Julien Vaubourg <julien@vaubourg.com>
-# Contribute at https://github.com/labriqueinternet/vpnclient_ynh
-# 
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-# 
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Affero General Public License for more details.
-# 
-# You should have received a copy of the GNU Affero General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-sipcalc "${1}" | grep Compressed | awk '{ print $NF; }'

+ 0 - 20
conf/ipv6_expanded

@@ -1,20 +0,0 @@
-#!/bin/bash
-
-# VPN Client app for YunoHost 
-# Copyright (C) 2015 Julien Vaubourg <julien@vaubourg.com>
-# Contribute at https://github.com/labriqueinternet/vpnclient_ynh
-# 
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-# 
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Affero General Public License for more details.
-# 
-# You should have received a copy of the GNU Affero General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-sipcalc "${1}" | grep Expanded | awk '{ print $NF; }'

+ 0 - 49
conf/nginx.conf

@@ -1,49 +0,0 @@
-# VPN Client app for YunoHost
-# Copyright (C) 2015 Julien Vaubourg <julien@vaubourg.com>
-# Contribute at https://github.com/labriqueinternet/vpnclient_ynh
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent;
-location __PATH__/ {
-
-  # Path to source
-  alias __FINALPATH__/ ;
-
-  # Force usage of https
-  if ($scheme = http) {
-    rewrite ^ https://$server_name$request_uri? permanent;
-  }
-
-  # Common parameter to increase upload size limit in conjunction with dedicated php-fpm file
-  client_max_body_size 10G;
-
-  index index.php;
-
-  try_files $uri $uri/ index.php;
-
-  location ~ [^/]\.php(/|$) {
-    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
-    fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock;
-    fastcgi_index index.php;
-    include fastcgi_params;
-    fastcgi_read_timeout 600;
-    fastcgi_param REMOTE_USER $remote_user;
-    fastcgi_param PATH_INFO $fastcgi_path_info;
-    fastcgi_param SCRIPT_FILENAME $request_filename;
-  }
-
-  # Include SSOWAT user panel.
-  include conf.d/yunohost_panel.conf.inc;
-}

+ 0 - 202
conf/php-fpm.conf

@@ -1,202 +0,0 @@
-; VPN Client app for YunoHost
-; Copyright (C) 2015 Julien Vaubourg <julien@vaubourg.com>
-; Contribute at https://github.com/labriqueinternet/vpnclient_ynh
-;
-; This program is free software: you can redistribute it and/or modify
-; it under the terms of the GNU Affero General Public License as published by
-; the Free Software Foundation, either version 3 of the License, or
-; (at your option) any later version.
-;
-; This program is distributed in the hope that it will be useful,
-; but WITHOUT ANY WARRANTY; without even the implied warranty of
-; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-; GNU Affero General Public License for more details.
-;
-; You should have received a copy of the GNU Affero General Public License
-; along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-; Start a new pool named 'www'.
-; the variable $pool can we used in any directive and will be replaced by the
-; pool name ('www' here)
-[__NAMETOCHANGE__]
-
-; The address on which to accept FastCGI requests.
-; Valid syntaxes are:
-;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific address on
-;                            a specific port;
-;   'port'                 - to listen on a TCP socket to all addresses on a
-;                            specific port;
-;   '/path/to/unix/socket' - to listen on a unix socket.
-; Note: This value is mandatory.
-listen = /var/run/php/php__PHPVERSION__-fpm-__NAMETOCHANGE__.sock
-
-; Set permissions for unix socket, if one is used. In Linux, read/write
-; permissions must be set in order to allow connections from a web server. Many
-; BSD-derived systems allow connections regardless of permissions.
-; Default Values: user and group are set as the running user
-;                 mode is set to 0666
-listen.owner = www-data
-listen.group = www-data
-listen.mode = 0600
-
-; Unix user/group of processes
-; Note: The user is mandatory. If the group is not set, the default user's group
-;       will be used.
-user = __USER__
-group = __USER__
-
-; Choose how the process manager will control the number of child processes.
-; Possible Values:
-;   static  - a fixed number (pm.max_children) of child processes;
-;   dynamic - the number of child processes are set dynamically based on the
-;             following directives:
-;             pm.max_children      - the maximum number of children that can
-;                                    be alive at the same time.
-;             pm.start_servers     - the number of children created on startup.
-;             pm.min_spare_servers - the minimum number of children in 'idle'
-;                                    state (waiting to process). If the number
-;                                    of 'idle' processes is less than this
-;                                    number then some children will be created.
-;             pm.max_spare_servers - the maximum number of children in 'idle'
-;                                    state (waiting to process). If the number
-;                                    of 'idle' processes is greater than this
-;                                    number then some children will be killed.
-; Note: This value is mandatory.
-pm = dynamic
-
-; The number of child processes to be created when pm is set to 'static' and the
-; maximum number of child processes to be created when pm is set to 'dynamic'.
-; This value sets the limit on the number of simultaneous requests that will be
-; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
-; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
-; CGI.
-; Note: Used when pm is set to either 'static' or 'dynamic'
-; Note: This value is mandatory.
-pm.max_children = 6
-
-; The number of child processes created on startup.
-; Note: Used only when pm is set to 'dynamic'
-; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
-pm.start_servers = 3
-
-; The desired minimum number of idle server processes.
-; Note: Used only when pm is set to 'dynamic'
-; Note: Mandatory when pm is set to 'dynamic'
-pm.min_spare_servers = 3
-
-; The desired maximum number of idle server processes.
-; Note: Used only when pm is set to 'dynamic'
-; Note: Mandatory when pm is set to 'dynamic'
-pm.max_spare_servers = 5
-
-; The number of requests each child process should execute before respawning.
-; This can be useful to work around memory leaks in 3rd party libraries. For
-; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
-; Default Value: 0
-pm.max_requests = 500
-
-; The URI to view the FPM status page. If this value is not set, no URI will be
-; recognized as a status page. By default, the status page shows the following
-; information:
-;   accepted conn        - the number of request accepted by the pool;
-;   pool                 - the name of the pool;
-;   process manager      - static or dynamic;
-;   idle processes       - the number of idle processes;
-;   active processes     - the number of active processes;
-;   total processes      - the number of idle + active processes.
-;   max children reached - number of times, the process limit has been reached,
-;                          when pm tries to start more children (works only for
-;                          pm 'dynamic')
-; The values of 'idle processes', 'active processes' and 'total processes' are
-; updated each second. The value of 'accepted conn' is updated in real time.
-; Example output:
-;   accepted conn:        12073
-;   pool:                 www
-;   process manager:      static
-;   idle processes:       35
-;   active processes:     65
-;   total processes:      100
-;   max children reached: 1
-; By default the status page output is formatted as text/plain. Passing either
-; 'html' or 'json' as a query string will return the corresponding output
-; syntax. Example:
-;   http://www.foo.bar/status
-;   http://www.foo.bar/status?json
-;   http://www.foo.bar/status?html
-; Note: The value must start with a leading slash (/). The value can be
-;       anything, but it may not be a good idea to use the .php extension or it
-;       may conflict with a real PHP file.
-; Default Value: not set
-pm.status_path = /fpm-status
-
-; The ping URI to call the monitoring page of FPM. If this value is not set, no
-; URI will be recognized as a ping page. This could be used to test from outside
-; that FPM is alive and responding, or to
-; - create a graph of FPM availability (rrd or such);
-; - remove a server from a group if it is not responding (load balancing);
-; - trigger alerts for the operating team (24/7).
-; Note: The value must start with a leading slash (/). The value can be
-;       anything, but it may not be a good idea to use the .php extension or it
-;       may conflict with a real PHP file.
-; Default Value: not set
-ping.path = /ping
-
-; The timeout for serving a single request after which the worker process will
-; be killed. This option should be used when the 'max_execution_time' ini option
-; does not stop script execution for some reason. A value of '0' means 'off'.
-; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
-; Default Value: 0
-request_terminate_timeout = 600s
-
-; The timeout for serving a single request after which a PHP backtrace will be
-; dumped to the 'slowlog' file. A value of '0s' means 'off'.
-; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
-; Default Value: 0
-request_slowlog_timeout = 0
-
-; The log file for slow requests
-; Default Value: not set
-; Note: slowlog is mandatory if request_slowlog_timeout is set
-slowlog = /var/log/nginx/[__NAMETOCHANGE__].slow.log
-
-; Set open file descriptor rlimit.
-; Default Value: system defined value
-rlimit_files = 4096
-
-; Set max core size rlimit.
-; Possible Values: 'unlimited' or an integer greater or equal to 0
-; Default Value: system defined value
-rlimit_core = 0
-
-; Chdir to this directory at the start.
-; Note: relative path can be used.
-; Default Value: current directory or / when chroot
-chdir = __FINALPATH__
-
-; Redirect worker stdout and stderr into main error log. If not set, stdout and
-; stderr will be redirected to /dev/null according to FastCGI specs.
-; Note: on highloaded environement, this can cause some delay in the page
-; process time (several ms).
-; Default Value: no
-catch_workers_output = no
-
-; Additional php.ini defines, specific to this pool of workers. These settings
-; overwrite the values previously defined in the php.ini. The directives are the
-; same as the PHP SAPI:
-;   php_value/php_flag             - you can set classic ini defines which can
-;                                    be overwritten from PHP call 'ini_set'.
-;   php_admin_value/php_admin_flag - these directives won't be overwritten by
-;                                     PHP call 'ini_set'
-; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
-;
-; Defining 'extension' will load the corresponding shared extension from
-; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
-; overwrite previously defined php.ini values, but will append the new value
-; instead.
-;
-; Note: path INI options can be relative and will be expanded with the prefix
-; (pool, global or /usr)
-
-php_value[max_execution_time] = 600
-php_value[upload_max_filesize] = 10G
-php_value[post_max_size] = 10G

+ 16 - 8
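--- a/conf/ynh-vpnclient
+++ b/conf/ynh-vpnclient
@@ -140,11 +140,16 @@ is_hotspot_knowme() {
 ###################################################################################
 
 is_dns_set() {
+  if [[ "$ynh_dns_method" == "custom" ]]
+  then
   
-  current_dns=$(grep -o -P '\s*nameserver\s+\K[ABCDEFabcdef\d.:]+' /etc/resolv.dnsmasq.conf | sort | uniq)
-  wanted_dns=$(echo "${ynh_dns}" | sort | uniq)
-  [ -e /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient ]\
-  && [[ "$current_dns" == "$wanted_dns" ]]
+    current_dns=$(grep -o -P '\s*nameserver\s+\K[ABCDEFabcdef\d.:]+' /etc/resolv.dnsmasq.conf | sort | uniq)
+    wanted_dns=$(echo "${ynh_dns}" | sort | uniq)
+    [ -e /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient ]\
+    && [[ "$current_dns" == "$wanted_dns" ]]
+  else
+    true
+  fi
 }
 
 set_dns() {
@@ -154,12 +159,14 @@ set_dns() {
   [ -e /etc/resolv.dnsmasq.conf ] && resolvconf=/etc/resolv.dnsmasq.conf
 
   cp -fa "${resolvconf}" "${resolvconf}.ynh"
-
-  cat << EOF > /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient
+  if [[ "$ynh_dns_method" == "custom" ]]
+  then
+    cat << EOF > /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient
 echo "${ynh_dns}" | sed 's/,/\n/g' | sort | uniq | sed 's/^/nameserver /g' > ${resolvconf}
 EOF
+    bash /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient
+  fi
 
-  bash /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient
 }
 
 unset_dns() {
@@ -173,7 +180,7 @@ unset_dns() {
   # FIXME : this situation happened to a user ...
   # We could try to force regen the dns conf 
   # (though for now it's tightly coupled to dnsmasq)
-  grep -q "^nameserver" "${resolvconf}" || error "${resolvconf} does not have any nameserver line !?"
+  grep -q "^nameserver\s" "${resolvconf}" || error "${resolvconf} does not have any nameserver line !?"
 }
 
 ###################################################################################
@@ -339,6 +346,7 @@ if [ "$1" != restart ]; then
 
   ynh_service_enabled=$(ynh_setting_get vpnclient service_enabled)
   ynh_ip6_addr=$(ynh_setting_get vpnclient ip6_addr)
+  ynh_dns_method=$(ynh_setting_get vpnclient dns_method)
   ynh_dns=$(ynh_setting_get vpnclient nameservers)
 
   old_ip6_gw=$(ynh_setting_get vpnclient ip6_gw)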
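Review bot: set_dns now only writes /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient when $ynh_dns_method is "custom", but nothing in the new else path removes a hook left behind by an earlier custom run, so after switching the method away from custom a stale hook would keep rewriting ${resolvconf} with the old nameservers on every dhclient event unless unset_dns (body outside the hunk) is guaranteed to run first; adding `rm -f /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient` on the non-custom branch makes set_dns self-contained. The `cp -fa "${resolvconf}" "${resolvconf}.ynh"` backup is still taken unconditionally while is_dns_set's else branch reports success, so a non-custom run still leaves a .ynh copy that a later restore could apply; worth confirming that unset_dns tolerates that. $ynh_dns_method is read only inside the `if [ "$1" != restart ]` block of the last hunk, so if the restart path does not load it elsewhere the variable is empty there and is_dns_set silently returns true; that block continues outside the hunk.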

+ 1 - 70
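--- a/conf/ynh-vpnclient-loadcubefile.sh
+++ b/conf/ynh-vpnclient-loadcubefile.sh
@@ -50,79 +50,10 @@ while getopts "u:p:c:h" opt; do
   esac
 done
 
-if [ -z "${ynh_user}" ]; then
-  echo "[ERR] Option -u is mandatory (-h for help)" >&2
-  exit 1
-fi
-
-if [ -z "${ynh_password}" ]; then
-  echo "[ERR] Option -p is mandatory (-h for help)" >&2
-  exit 1
-fi
-
 if [ -z "${cubefile_path}" ]; then
   echo "[ERR] Option -c is mandatory (-h for help)" >&2
   exit 1
 fi
 
 
-# Other variables
-
-ynh_setting() {
-  app=${1}
-  setting=${2}
-
-  sudo grep "^${setting}:" "/etc/yunohost/apps/${app}/settings.yml" | sed s/^[^:]\\+:\\s*[\"\']\\?// | sed s/\\s*[\"\']\$//
-}
-
-tmpdir=$(mktemp -dp /tmp/ vpnclient-loadcubefile-XXXXX)
-
-cubefile_ip6=$(sed -n '/ip6_net/ { s/.*"\([0-9a-zA-Z:]\+\)".*/\1/p }' "${cubefile_path}")
-
-ynh_domain=$(ynh_setting vpnclient domain)
-ynh_path=$(ynh_setting vpnclient path)
-ynh_service_enabled=$(ynh_setting vpnclient service_enabled)
-
-
-# SSO login
-
-curl -D - -skLe "https://${ynh_domain}/yunohost/sso/" --data-urlencode "user=${ynh_user}" --data-urlencode "password=${ynh_password}" "https://${ynh_domain}/yunohost/sso/" --resolve "${ynh_domain}:443:127.0.0.1" -o /dev/null -c "${tmpdir}/cookies" 2> /dev/null | grep -q "set-cookie: SSOwAuthUser=${ynh_user}"
-
-if [ $? -ne 0 ]; then
-  echo "[ERROR] SSO login failed" >&2
-  exit 1
-fi
-
-
-# Upload cube file
-
-output=$(curl -kL -H "X-Requested-With: yunohost-config" -F "service_enabled=${ynh_service_enabled}" -F _method=put -F "cubefile=@${cubefile_path}" "https://${ynh_domain}/${ynh_path}/?/settings" --resolve "${ynh_domain}:443:127.0.0.1" -b "${tmpdir}/cookies" 2> /dev/null | grep RETURN_MSG | sed 's/<!-- RETURN_MSG -->//' | sed 's/<\/?[^>]\+>//g' | sed 's/^ \+//g')
-
-
-# Configure IPv6 Delegated Prefix on Hotspot
-
-if [ ! -z "${cubefile_ip6}" ] && (sudo yunohost app info hotspot | grep -q Hotspot); then
-  ynh_multissid=$(ynh_setting hotspot multissid)
-
-  if [ "${ynh_multissid}" -eq 1 ]; then
-    ynh_ip6_net=$(ynh_setting vpnclient ip6_net)
-    ynh_ip6_addr=$(ynh_setting vpnclient ip6_addr)
-
-    sudo systemctl stop ynh-hotspot &> /dev/null
-    sudo yunohost app setting hotspot ip6_net -v "${ynh_ip6_net}"
-    sudo yunohost app setting hotspot ip6_addr -v "${ynh_ip6_addr}"
-    sudo systemctl start ynh-hotspot &> /dev/null
-
-    echo "[INFO] Wifi Hotspot found with only one SSID: IPv6 Delegated Prefix automatically configured" >&2
-  fi
-fi
-
-
-# Done!
-
-echo [VPN] $output
-(echo $output | grep -q Error) && exit 1
-
-rm -r "${tmpdir}/"
-
-exit 0
+sudo yunohost app config set vpnclient --args "config_file=${cubefile_path}"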
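Review bot: `getopts "u:p:c:h"` in the hunk header still accepts -u and -p, but after this change ynh_user and ynh_password are never read, so callers passing credentials have them silently ignored and a password given on the command line is still exposed in the process list for nothing; drop the two options from the getopts string and the usage text, or fail with an explicit error when they are supplied. The cube file path is spliced into the new `--args "config_file=${cubefile_path}"` string without any encoding, so if that argument parser splits on `&` or `=`, a path containing those characters would be misparsed; worth checking how `yunohost app config set` tokenises --args and quoting or URL-encoding the value if needed. The hotspot IPv6 delegated-prefix hand-off (the removed ynh_multissid block) has no visible replacement in this commit; if it now lives in scripts/config, a one-line comment such as `# IPv6 prefix propagation to hotspot is handled by the config panel` would save the next reader the search. The getopts loop starts outside the hunk.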

+ 23 - 22
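--- a/config_panel.toml
+++ b/config_panel.toml
@@ -5,75 +5,75 @@ name = "Auto-configuration"
 
     [main.vpn]
     name = ""
+    optional = false
         
         [main.vpn.status]
         ask = "The status of your VPN is unknown."
         type = "alert"
         style = "info"
         
-        [main.vpn.doc]
-        ask = "Only VPN with a dedicated public ip that accept inbound traffic are compatible. See the compatible providers list."
-        type = "warning"
-
         [main.vpn.service_enabled]
         ask = "Enable VPN"
         type = "boolean"
         help = "If disabled, the VPN service will not automatically be started at boot."
         
+        [main.vpn.doc]
+        ask = "Only VPN with a dedicated public ip that accept inbound traffic are compatible. See the compatible providers list."
+        type = "alert"
+        style = "warning"
+
         [main.vpn.config_file]
         ask = "Configuration file"
         type = "file"
-        accept = [".cube", ".ovpn", ".conf"]
+        accept = ".cube, .ovpn, .conf"
         help = ".cube file recommended, .ovpn file accepted"
         bind = "/etc/openvpn/client.conf"
         
     [main.auth]
     name = "Authentication"
+    optional = true
+    visible = 'config_file && ((match(config_file,"^\s*ca\s") && ! match(config_file,"^\s*<ca>")) || (match(config_file,"^\s*cert\s") && ! match(config_file,"^\s*<cert>")) || (match(config_file,"^\s*key\s") && ! match(config_file,"^\s*<key>")) || (match(config_file,"^\s*tls-auth\s") && ! match(config_file,"^\s*<tls-auth>")) || match(config_file,"^\s*auth-user-pass(\s.*)?$"))'
 
         [main.auth.crt_server_ca]
         ask = "Update Server CA"
         type = "file"
         help = "You should upload a CA certificate to start"
-        bind="/etc/openvpn/keys/ca-server.crt"
-        visible = "! match(config_file,'^\s*<ca>')"
+        bind = "/etc/openvpn/keys/ca-server.crt"
+        visible = 'config_file && match(config_file,"^\s*ca\s") && ! match(config_file,"^\s*<ca>")'
         
         [main.auth.crt_client]
         ask = "Update Client Certificate"
         type = "file"
-        optional = true
-        bind="/etc/openvpn/keys/user.crt"
-        visible = "match(config_file,'^\s*crt\s') && ! match(config_file,'^\s*<crt>')"
+        bind = "/etc/openvpn/keys/user.crt"
+        visible = 'config_file && match(config_file,"^\s*cert\s") && ! match(config_file,"^\s*<cert>")'
         
         [main.auth.crt_client_key]
         ask = "Update Client Key"
         type = "file"
         help = "This file begins with -----BEGIN PRIVATE KEY-----"
-        optional = true
-        bind="/etc/openvpn/keys/user.key"
-        visible = "match(config_file,'^\s*key\s') && ! match(config_file,'^\s*<key>')"
+        bind = "/etc/openvpn/keys/user.key"
+        visible = 'config_file && match(config_file,"^\s*key\s") && ! match(config_file,"^\s*<key>")'
         
         [main.auth.login_user]
         ask = "Username"
         type = "string"
         example = "camille"
-        optional = true
-        pattern = "^[a-zA-Z_-\.@]+$"
-        visible = "match(config_file,'^\s*auth-user-pass\s')"
+        pattern.regexp = '^[a-zA-Z_\-\\\.@]+$'
+        pattern.error = "OpenVPN accept only alphabetic chars and -_\\.@"
+        visible = 'config_file && match(config_file,"^\s*auth-user-pass\s")'
         
         [main.auth.login_passphrase]
         ask = "Password"
         type = "password"
-        optional = true
-        visible = "match(config_file,'^\s*auth-user-pass\s')"
+        visible = 'config_file && match(config_file,"^\s*auth-user-pass(\s.*)?$")'
         
         [main.auth.crt_client_ta]
         ask = "TLS Auth shared secret"
         type = "file"
-        optional = true
         example = "ta.key"
         help = "Some servers have an additional protection agains Deny of Service attack. If you have no tls-auth key in your ovpn, skip this question."
-        bind="/etc/openvpn/keys/user_ta.key"
-        visible = "match(config_file,'^\s*tls-auth\s') && ! match(config_file,'^\s*<tls-auth>')"
+        bind = "/etc/openvpn/keys/user_ta.key"
+        visible = 'config_file && match(config_file,"^\s*tls-auth\s") && ! match(config_file,"^\s*<tls-auth>")'
         
 [advanced]
 name = "DNS & IPv6"
@@ -92,7 +92,8 @@ name = "DNS & IPv6"
         type = "tags"
         optional = true
         visible = "dns_method == 'custom'"
-        pattern = "^([0-9.]{8,16}|[0-9a-fA-F:]+)$"
+        pattern.regexp = "^([0-9.]{8,16}|[0-9a-fA-F:]+)$"
+        pattern.error = "Not an ip"
         
     [advanced.ipv6]
     name = "IPv6"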
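Review bot: The auth-user-pass visibility regexes disagree: `[main.auth]` and `[main.auth.login_passphrase]` use `"^\s*auth-user-pass(\s.*)?$"`, which matches a bare `auth-user-pass` line, while `[main.auth.login_user]` keeps `"^\s*auth-user-pass\s"`, so an OVPN that carries the bare directive shows the password field but never the username field; use `visible = 'config_file && match(config_file,"^\s*auth-user-pass(\s.*)?$")'` on login_user as well. `pattern.regexp = '^[a-zA-Z_\-\\\.@]+$'` rejects every digit in the username while permitting a literal backslash, which looks inverted for most provider logins; if the intent is only to keep shell- and OpenVPN-unsafe characters out, add `0-9` to the class and adjust pattern.error to match. The client key and TLS-auth secret are written through `bind = "/etc/openvpn/keys/user.key"` and `bind = "/etc/openvpn/keys/user_ta.key"` with whatever mode the config helper applies; the directory is created 0770 root:${app} in scripts/_common.sh, so it is worth confirming the bound files themselves are not left group- or world-readable after upload.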

+ 0 - 0
doc/DISCLAIMER.md


BIN
doc/screenshots/vpnclient.png


+ 2 - 26
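--- a/manifest.json
+++ b/manifest.json
@@ -6,7 +6,7 @@
     "en": "Tunnel the internet traffic through a VPN",
     "fr": "Fait passer le trafic internet à travers un VPN"
   },
-  "version": "1.4.1~ynh4",
+  "version": "2.0~ynh1",
   "url": "https://labriqueinter.net",
   "license": "AGPL-3.0",
   "maintainer": {
@@ -17,31 +17,7 @@
   "requirements": {
     "yunohost": ">= 4.2"
   },
-  "services": [
-    "nginx",
-    "php7.0-fpm"
-  ],
+  "services": [],
   "arguments": {
-    "install": [
-      {
-        "name": "domain",
-        "type": "domain",
-        "ask": {
-          "en": "Choose a domain for the web administration",
-          "fr": "Choisissez un domaine pour l'administration web"
-        },
-        "example": "domain.org"
-      },
-      {
-        "name": "path",
-        "type": "path",
-        "ask": {
-          "en": "Choose a path for the web administration",
-          "fr": "Choisissez un chemin pour l'administration web"
-        },
-        "example": "/vpnadmin",
-        "default": "/vpnadmin"
-      }
-    ]
   }
 }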

+ 0 - 34
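--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@@ -3,8 +3,6 @@
 # Common variables and helpers
 #
 
-YNH_PHP_VERSION="7.3"
-
 pkg_dependencies="sipcalc dnsutils openvpn curl fake-hwclock"
 
 service_name="ynh-vpnclient"
@@ -24,15 +22,10 @@ function vpnclient_deploy_files_and_services()
   install -b -o root -g root -m 0440 ../conf/sudoers.conf /etc/sudoers.d/${app}_ynh
   ynh_replace_string "__VPNCLIENT_SYSUSER__" "${app}" /etc/sudoers.d/${app}_ynh
 
-  # Install IPv6 scripts
-  install -o root -g root -m 0755 ../conf/ipv6_expanded /usr/local/bin/
-  install -o root -g root -m 0755 ../conf/ipv6_compressed /usr/local/bin/
-
   # Install command-line cube file loader
   install -o root -g root -m 0755 ../conf/$service_name-loadcubefile.sh /usr/local/bin/
 
   # Copy confs
-  mkdir -pm 0755 /var/log/nginx/
   chown root:${app} /etc/openvpn/
   chmod 775 /etc/openvpn/
   mkdir -pm 0755 /etc/yunohost/hooks.d/post_iptable_rules/
@@ -42,38 +35,11 @@ function vpnclient_deploy_files_and_services()
   install -b -o root -g root -m 0755 ../conf/hook_post-iptable-rules /etc/yunohost/hooks.d/90-vpnclient.tpl
   install -b -o root -g root -m 0644 ../conf/openvpn@.service /etc/systemd/system/
 
-  # Copy web sources
-  mkdir -pm 0755 /var/www/${app}/
-  cp -a ../sources/* /var/www/${app}/
-
-  chown -R root: /var/www/${app}/
-  chmod -R 0644 /var/www/${app}/*
-  find /var/www/${app}/ -type d -exec chmod +x {} \;
-
   # Create certificates directory
   mkdir -pm 0770 /etc/openvpn/keys/
   chown root:${app} /etc/openvpn/keys/
 
   #=================================================
-  # NGINX CONFIGURATION
-  #=================================================
-  ynh_print_info "Configuring nginx web server..."
-
-  ynh_add_nginx_config
-
-  #=================================================
-  # PHP-FPM CONFIGURATION
-  #=================================================
-  ynh_print_info "Configuring PHP-FPM..."
-
-  # Create a dedicated PHP-FPM config
-  ynh_add_fpm_config --phpversion=$YNH_PHP_VERSION
-  phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
-
-  #=================================================
-
-  # Fix sources
-  ynh_replace_string "__PATH__" "${path_url%%/}" "/var/www/${app}/config.php"
 
   # Copy init script
   install -o root -g root -m 0755 ../conf/$service_name /usr/local/bin/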

+ 0 - 18
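--- a/scripts/backup
+++ b/scripts/backup
@@ -24,8 +24,6 @@ ynh_print_info "Loading installation settings..."
 app=$YNH_APP_INSTANCE_NAME
 
 final_path=$(ynh_app_setting_get $app final_path)
-domain=$(ynh_app_setting_get $app domain)
-phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
 
 #=================================================
 # STANDARD BACKUP STEPS
@@ -38,8 +36,6 @@ ynh_backup "$final_path"
 
 ynh_backup "/etc/sudoers.d/${app}_ynh"
 
-ynh_backup "/usr/local/bin/ipv6_expanded"
-ynh_backup "/usr/local/bin/ipv6_compressed"
 ynh_backup "/usr/local/bin/$service_name-loadcubefile.sh"
 
 ynh_backup "/etc/yunohost/hooks.d/90-vpnclient.tpl"
@@ -52,20 +48,6 @@ ynh_backup "/usr/local/bin/$service_name"
 ynh_backup "/usr/local/bin/$service_checker_name.sh"
 
 #=================================================
-# BACKUP THE NGINX CONFIGURATION
-#=================================================
-ynh_print_info "Backing up NGINX web server configuration..."
-
-ynh_backup "/etc/nginx/conf.d/$domain.d/$app.conf"
-
-#=================================================
-# BACKUP THE PHP-FPM CONFIGURATION
-#=================================================
-ynh_print_info "Backing up PHP-FPM configuration..."
-
-ynh_backup "/etc/php/$phpversion/fpm/pool.d/$app.conf"
-
-#=================================================
 # SPECIFIC BACKUP
 #=================================================
 # BACKUP SYSTEMD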

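--- a/scripts/config
+++ b/scripts/config
@@ -20,18 +20,25 @@ ynh_abort_if_errors
 # RETRIEVE ARGUMENTS
 #=================================================
 
-app=$YNH_APP_INSTANCE_NAME
-
 final_path=$(ynh_app_setting_get $app final_path)
 
+set_right() {
+    if [ -f $1 ]
+    then
+        chown $app:$app $1
+        chmod go=--- $1
+    fi
+}
+
 #=================================================
 # SPECIFIC GETTERS FOR TOML SHORT KEY
 #=================================================
 
 get__status() {
+    local service_enabled=$(ynh_app_setting_get $app service_enabled)
     if [ -f "/sys/class/net/tun0/operstate" ] && [ "$(cat /sys/class/net/tun0/operstate)" == "up" ]
     then
-        if [ $old[service_enabled] -eq 1 ]
+        if [ $service_enabled -eq 1 ]
         then
             cat << EOF
 style: success
@@ -45,7 +52,7 @@ ask:
   en: Your VPN is running, but it shouldn't !
 EOF
         fi
-    elif [ $old[service_enabled] -eq 1 ]
+    elif [ $service_enabled -eq 1 ]
     then
         cat << EOF
 style: danger
@@ -65,14 +72,18 @@ EOF
 get__login_user() {
     if [ -s /etc/openvpn/keys/credentials ]
     then
-        sed -n 1p /etc/openvpn/keys/credentials 
+        echo "value: $(sed -n 1p /etc/openvpn/keys/credentials)" 
+    else
+        echo ""
     fi
 }
 
 get__login_passphrase() {
     if [ -s /etc/openvpn/keys/credentials ]
     then
-        sed -n 2p /etc/openvpn/keys/credentials 
+        echo "value: $(sed -n 2p /etc/openvpn/keys/credentials)"
+    else
+        echo ""
     fi
 }
 
@@ -84,54 +95,68 @@ validate__login_user() {
 
     if grep -q '^\s*auth-user-pass' ${config_file}
     then
-        [[ -z "${login_user}" ]] &&
+        if [[ -z "${login_user}" ]]
+        then
             echo 'A Username is needed with this configuration file'
+        fi
     fi
 }
 
 validate__login_passphrase() {
     if grep -q '^\s*auth-user-pass' ${config_file}
     then
-        [[ -z "${login_passphrase}" ]] &&
+        if [[ -z "${login_passphrase}" ]]
+        then
             echo 'A Password is needed with this configuration file'
+        fi
     fi
 }
 
 validate__crt_server_ca() {
     if grep -q '^\s*ca\s' ${config_file}
     then
-        [[ ! -e "${crt_server_ca}" ]] &&
+        if [[ ! -e "${crt_server_ca}" ]]
+        then
             echo "A server CA certificate is needed"
+        fi
     fi
 }
 
 validate__crt_client() {
     if grep -q '^\s*cert\s' ${config_file}
     then
-        [[ ! -e "${crt_client}" ]] &&
+        if [[ ! -e "${crt_client}" ]]
+        then
             echo "A Client certificate is needed with this configuration file"
+        fi
     fi
 }
 
 validate__crt_client_key() {
     if grep -q '^\s*key\s' ${config_file}
     then
-        [[ ! -e "${crt_client_key}" ]] &&
+        if [[ ! -e "${crt_client_key}" ]]
+        then
             echo "A client private key is needed with this configuration file"
+        fi
     fi
 }
 
 validate__crt_client_ta() {
     if grep -q '^\s*tls-auth\s' ${config_file}
     then
-        [[ ! -e "${crt_client_ta}" ]] &&
+        if [[ ! -e "${crt_client_ta}" ]]
+        then
             echo "A TLS auth shared secret is needed with this configuration file"
+        fi
     fi
 }
 
 validate__nameservers() {
-    [[ "$dns_method" == "custom" ]] && [[ -z "$nameservers" ]]
+    if [[ "$dns_method" == "custom" ]] && [[ -z "$nameservers" ]]
+    then
         echo "You need to choose DNS resolvers or select an other method to provide DNS resolvers"
+    fi
 }
 #=================================================
 # SPECIFIC SETTERS FOR TOML SHORT KEYS
@@ -139,7 +164,8 @@ validate__nameservers() {
 set__login_user() {
     if [ -n "${login_user}" ]
     then
-        echo "${login_user}\n${login_passphrase}" > /etc/openvpn/keys/credentials 
+        echo "${login_user}\n${login_passphrase}" > /etc/openvpn/keys/credentials
+        set_right /etc/openvpn/keys/credentials
     else
         echo "" > /etc/openvpn/keys/credentials
     fi
@@ -152,11 +178,12 @@ set__login_passphrase() {
 #=================================================
 # OVERWRITING VALIDATE STEP 
 #=================================================
-ynh_panel_validate() {
+ynh_app_config_validate() {
     tmp_dir=$(dirname "${config_file}")
     # Overwrite form response with cube files data before validation process
     if [ -f "${config_file}" ] && [[ $config_file == *.cube ]]
     then
+        ynh_print_info --message="Transforming .cube into OVPN file"
         declare -A settings
         settings[server_name]=""
         settings[server_port]=""
@@ -207,6 +234,7 @@ ynh_panel_validate() {
 
         # Build directly the OVPN file
         cp /etc/openvpn/client.conf.tpl "${config_file}"
+        [ "${settings[server_proto]}" == tcp ] && settings[server_proto]=tcp-client
         sed "s|<TPL:SERVER_NAME>|${settings[server_name]}|g" -i "${config_file}"
         sed "s|<TPL:SERVER_PORT>|${settings[server_port]}|g" -i "${config_file}"
         sed "s|<TPL:PROTO>|${settings[server_proto]}|g" -i "${config_file}"
@@ -234,6 +262,7 @@ ynh_panel_validate() {
 
     elif [ -f "${config_file}" ] && [[ "${config_file}" =~ ^.*\.(ovpn|conf)$ ]]
     then
+        ynh_print_info --message="Extracting TLS keys from .ovpn file"
         if grep -q '^\s*<ca>' ${config_file}
         then
             grep -Poz '(?<=<ca>)(.*\n)*.*(?=</ca>)' ${config_file} > $tmp_dir/crt_server_ca
@@ -241,6 +270,8 @@ ynh_panel_validate() {
             sed -i '/^\s*<ca>/,/\s*<\/ca>/d' ${config_file}
             sed -i '/^\s*ca\s/d' ${config_file}
             echo "ca /etc/openvpn/keys/ca-server.crt" >> ${config_file}
+        else
+            crt_server_ca=""
         fi
         if grep -q '^\s*<cert>' ${config_file}
         then
@@ -249,6 +280,8 @@ ynh_panel_validate() {
             sed -i '/^\s*<cert>/,/\s*<\/cert>/d' ${config_file}
             sed -i '/^\s*cert\s/d' ${config_file}
             echo "cert /etc/openvpn/keys/user.crt" >> ${config_file}
+        else
+            crt_client=""
         fi
         if grep -q '^\s*<key>' ${config_file}
         then
@@ -257,6 +290,8 @@ ynh_panel_validate() {
             sed -i '/^\s*<key>/,/\s*<\/key>/d' ${config_file}
             sed -i '/^\s*key\s/d' ${config_file}
             echo "key /etc/openvpn/keys/user.key" >> ${config_file}
+        else
+            crt_client_key=""
         fi
         if grep -q '^\s*<tls-auth>' ${config_file}
         then
@@ -265,6 +300,8 @@ ynh_panel_validate() {
             sed -i '/^\s*<tls-auth>/,/\s*<\/tls-auth>/d' ${config_file}
             sed -i '/^\s*tls-auth\s/d' ${config_file}
             echo "tls-auth /etc/openvpn/keys/user_ta.key 1" >> ${config_file}
+        else
+            crt_client_ta=""
         fi
         sed -i 's@^\s*ca\s.*$@ca /etc/openvpn/keys/ca-server.crt@g' ${config_file}
         sed -i 's@^\s*cert\s.*$@cert /etc/openvpn/keys/user.crt@g' ${config_file}
@@ -272,24 +309,44 @@ ynh_panel_validate() {
         sed -i 's@^\s*tls-auth\s.*$@tls-auth /etc/openvpn/keys/user-ta.key@g' ${config_file}
     fi
 
-    _ynh_panel_validate
+    # Restrict permission
+    if [ -f "${config_file}" ]
+    then
+        sed -i '/^\s*user\s/d' ${config_file}
+        sed -i '/^\s*group\s/d' ${config_file}
+        echo "user vpnclient" >> ${config_file}
+        echo "group vpnclient" >> ${config_file}
+    fi
+
+    _ynh_app_config_validate
 }
 
 #=================================================
 # OVERWRITING APPLY STEP 
 #=================================================
-ynh_panel_apply() {
+ynh_app_config_apply() {
     
     # Stop vpn client
+    ynh_print_info --message="Stopping vpnclient in order to edit files"
     touch /tmp/.ynh-vpnclient-stopped
-    systemctl stop ynh-vpnclient
-
-    _ynh_panel_apply
+    /usr/local/bin/ynh-vpnclient stop
 
+    chown $app:$app /etc/openvpn/keys
+    chmod go=--- /etc/openvpn/keys
+    
+    _ynh_app_config_apply
+    
+    set_right /etc/openvpn/client.conf
+    set_right /etc/openvpn/keys/ca-server.crt
+    set_right /etc/openvpn/keys/user.crt
+    set_right /etc/openvpn/keys/user.key
+    set_right /etc/openvpn/keys/user_ta.key
+    
     # Start vpn client
-    systemctl start ynh-vpnclient
+    ynh_print_info --message="Starting vpnclient service if needed"
+    /usr/local/bin/ynh-vpnclient start
     rm -f /tmp/.ynh-vpnclient-stopped
 
 }
 
-ynh_panel_run $1
+ynh_app_config_run $1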
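Review bot: The new `set_right /etc/openvpn/keys/user_ta.key` in ynh_app_config_apply names a file the generated config does not reference: in ynh_app_config_validate the extracted `<tls-auth>` block is pointed at by `echo "tls-auth /etc/openvpn/keys/user_ta.key 1"`, but the unchanged `sed -i 's@^\s*tls-auth\s.*$@tls-auth /etc/openvpn/keys/user-ta.key@g'` that runs right after rewrites the directive to `user-ta.key` (hyphen, and without the key-direction `1`), so the permission fix and the OpenVPN directive disagree on the path; which name the apply step actually writes is not visible here, but one spelling should be used throughout, e.g. `sed -i 's@^\s*tls-auth\s.*$@tls-auth /etc/openvpn/keys/user_ta.key 1@g' ${config_file}`. In set__login_user the credentials are still written with `echo "${login_user}\n${login_passphrase}"`, which with bash's builtin echo emits a literal `\n` rather than a newline (unless xpg_echo is enabled), so `sed -n 2p` in get__login_passphrase reads nothing and OpenVPN receives a one-line auth-user-pass file; `printf '%s\n%s\n' "${login_user}" "${login_passphrase}" > /etc/openvpn/keys/credentials` is the portable form. That redirection also creates the file under the default umask before set_right runs, and the `else` branch never calls set_right at all, so a `umask 077` at the top of the setter (or `install -m 0600 /dev/null /etc/openvpn/keys/credentials` before writing) would keep the secret private from creation. Finally, the apply step sets /etc/openvpn/keys to `$app:$app` with `go=---` while the _common.sh hunk above creates it as `root:${app}` 0770, and the validate step hard-codes `user vpnclient`/`group vpnclient` where set_right uses `$app`; the two conventions should be reconciled so install, config and restore leave the same ownership.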

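--- a/scripts/install
+++ b/scripts/install
@@ -38,8 +38,6 @@ ynh_abort_if_errors
 #=================================================
 
 # Retrieve arguments
-domain=$YNH_APP_ARG_DOMAIN
-path_url=$YNH_APP_ARG_PATH
 app=$YNH_APP_INSTANCE_NAME
 final_path="/var/www/$app"
 
@@ -51,15 +49,12 @@ ynh_script_progression "Validating installation parameters..."
 # Check destination directory
 test ! -e "$final_path" || ynh_die "Path is already in use: ${final_path}."
 
-# Register (book) web path
-ynh_webpath_register "$app" "$domain" "$path_url"
 
 #=================================================
 # STORE SETTINGS FROM MANIFEST
 #=================================================
 ynh_script_progression "Storing installation settings..."
 
-ynh_app_setting_set "$app" domain "$domain"
 ynh_app_setting_set "$app" final_path "$final_path"
 
 # Default values for config panel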

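--- a/scripts/remove
+++ b/scripts/remove
@@ -32,7 +32,6 @@ source /usr/share/yunohost/helpers
 ynh_print_info "Loading installation settings..."
 
 app=$YNH_APP_INSTANCE_NAME
-domain=$(ynh_app_setting_get $app domain)
 
 #=================================================
 # STOP AND REMOVE SERVICES
@@ -57,22 +56,6 @@ do
 done
 
 #=================================================
-# REMOVE NGINX CONFIGURATION
-#=================================================
-ynh_print_info "Removing NGINX web server configuration"
-
-# Remove the dedicated NGINX config
-ynh_remove_nginx_config
-
-#=================================================
-# REMOVE PHP-FPM CONFIGURATION
-#=================================================
-ynh_print_info "Removing PHP-FPM configuration"
-
-# Remove the dedicated PHP-FPM config
-ynh_remove_fpm_config
-
-#=================================================
 # SPECIFIC REMOVE
 #================================================
 ynh_print_info "Removing openvpn configuration"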

+ 0 - 23
scripts/restore

@@ -23,28 +23,19 @@ ynh_print_info "Loading settings..."
 
 
 app=$YNH_APP_INSTANCE_NAME
 app=$YNH_APP_INSTANCE_NAME
 
 
-domain=$(ynh_app_setting_get $app domain)
-path_url=$(ynh_app_setting_get $app path)
 final_path=$(ynh_app_setting_get $app final_path)
 final_path=$(ynh_app_setting_get $app final_path)
-phpversion=$(ynh_app_setting_get $app phpversion)
 
 
 #=================================================
 #=================================================
 # CHECK IF THE APP CAN BE RESTORED
 # CHECK IF THE APP CAN BE RESTORED
 #=================================================
 #=================================================
 ynh_print_info "Validating restoration parameters..."
 ynh_print_info "Validating restoration parameters..."
 
 
-ynh_webpath_available $domain $path_url \
-	|| ynh_die "Path not available: ${domain}${path_url}"
 test ! -d $final_path \
 test ! -d $final_path \
 	|| ynh_die "There is already a directory: $final_path "
 	|| ynh_die "There is already a directory: $final_path "
 
 
 #=================================================
 #=================================================
 # STANDARD RESTORATION STEPS
 # STANDARD RESTORATION STEPS
 #=================================================
 #=================================================
-# RESTORE THE NGINX CONFIGURATION
-#=================================================
-
-ynh_restore_file "/etc/nginx/conf.d/$domain.d/$app.conf"
 
 
 #=================================================
 #=================================================
 # RESTORE THE APP MAIN DIR
 # RESTORE THE APP MAIN DIR
@@ -55,8 +46,6 @@ ynh_restore_file "$final_path"
 
 
 ynh_restore_file "/etc/sudoers.d/${app}_ynh"
 ynh_restore_file "/etc/sudoers.d/${app}_ynh"
 
 
-ynh_restore_file "/usr/local/bin/ipv6_expanded"
-ynh_restore_file "/usr/local/bin/ipv6_compressed"
 ynh_restore_file "/usr/local/bin/$service_name-loadcubefile.sh"
 ynh_restore_file "/usr/local/bin/$service_name-loadcubefile.sh"
 
 
 ynh_restore_file "/etc/yunohost/hooks.d/90-vpnclient.tpl"
 ynh_restore_file "/etc/yunohost/hooks.d/90-vpnclient.tpl"
@@ -84,12 +73,6 @@ ynh_system_user_create $app
 chown -R $app: $final_path
 chown -R $app: $final_path
 
 
 #=================================================
 #=================================================
-# RESTORE THE PHP-FPM CONFIGURATION
-#=================================================
-
-ynh_restore_file "/etc/php/$phpversion/fpm/pool.d/$app.conf"
-
-#=================================================
 # SPECIFIC RESTORATION
 # SPECIFIC RESTORATION
 #=================================================
 #=================================================
 # REINSTALL DEPENDENCIES
 # REINSTALL DEPENDENCIES
@@ -122,12 +105,6 @@ yunohost service add $service_name --description "Tunnels the internet traffic t
 #=================================================
 #=================================================
 # GENERIC FINALIZATION
 # GENERIC FINALIZATION
 #=================================================
 #=================================================
-# RELOAD NGINX AND PHP-FPM
-#=================================================
-ynh_print_info "Reloading NGINX web server and PHP-FPM..."
-
-systemctl reload php$phpversion-fpm
-systemctl reload nginx
 
 
 #=================================================
 #=================================================
 # END OF SCRIPT
 # END OF SCRIPT