
Init (wip)

Julien VAUBOURG 10 years ago
parent
commit
de71fd2c81
5 changed files with 319 additions and 0 deletions
  1. 33 0
      conf/client.conf.tpl
  2. 125 0
      conf/ynh-vpnclient
  3. 63 0
      manifest.json
  4. 82 0
      scripts/install
  5. 16 0
      scripts/remove

+ 33 - 0
conf/client.conf.tpl

@@ -0,0 +1,33 @@
+remote <TPL:SERVER_NAME>
+
+# proto [ udp6 | udp | tcp6-client | tcp-client ]
+proto <TPL:PROTO>
+
+pull
+nobind
+dev tun
+tun-ipv6
+keepalive 10 30
+comp-lzo adaptive
+
+# UDP only
+<TPL:UDP_COMMENT>mssfix
+<TPL:UDP_COMMENT>fragment 1300
+<TPL:UDP_COMMENT>explicit-exit-notify
+
+# TLS
+tls-client
+remote-cert-tls server
+cert /etc/openvpn/keys/user.crt
+key /etc/openvpn/keys/user.key
+ca /etc/openvpn/keys/ca-server.crt
+
+# Logs
+verb 3
+mute 5
+status /var/log/openvpn-client.status
+log-append /var/log/openvpn-client.log
+
+# Routing
+route-ipv6 2000::/3
+redirect-gateway def1 bypass-dhcp
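Review bot: `remote-cert-tls server` only checks that the peer certificate carries the server EKU, so any server-type certificate issued by the CA in `ca-server.crt` is accepted regardless of which host it names; if that CA issues more than one server certificate, pinning the expected peer with `verify-x509-name <TPL:SERVER_NAME> name` (assuming the server certificate's CN is the hostname and the deployed OpenVPN supports the option — confirm both) closes that gap. `comp-lzo adaptive` turns on link compression, which lets attacker-influenced plaintext leak information about secret data carried in the same tunnel; it is worth a comment stating why compression is wanted, or dropping it. The `# proto` comment lists tcp variants, but the init script only ever substitutes `udp` or `udp6` and unconditionally uncomments the UDP-only lines, so the tcp options are not actually usable with this template as written.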

+ 125 - 0
conf/ynh-vpnclient

@@ -0,0 +1,125 @@
+#!/bin/bash
+### BEGIN INIT INFO
+# Provides: ynh-vpnclient
+# Required-Start:    $network $remote_fs $syslog
+# Required-Stop:     $network $remote_fs $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Start VPN client.
+# Description:       Start VPN client.
+### END INIT INFO
+
+has_nativeip6() {
+  ip -6 r | grep -q default\ via
+}
+
+is_ip6addr_set() {
+  yunohost app list -f hotspot --json | grep -q '"installed": true'\
+  || ip a s dev tun0 | grep -q <TPL:IP6_ADDR>/128
+}
+
+is_ip6interco_set() {
+  ip -6 r | grep -q <TPL:IP6_INTERCO>/
+}
+
+is_openvpn_running() {
+  service openvpn status &> /dev/null
+}
+
+is_running() {
+  ((has_nativeip6 && is_ip6interco_set) || ! has_nativeip6) && is_openvpn_running
+}
+
+gw6=$(ip -6 r | grep default\ via | awk '{ print $3 }')
+
+case "$1" in
+  start)
+    if is_running; then
+      echo "Already correctly set"
+    else
+      if ! is_openvpn_running; then
+        echo "Run openvpn"
+
+        proto=udp
+        [ ! -z "${gw6}" ] && proto=udp6
+        sed "s|<TPL:PROTO>|${proto}|" /etc/openvpn/client.conf.tpl > /etc/openvpn/client.conf
+        sed 's|^<TPL:UDP_COMMENT>||' -i /etc/openvpn/client.conf
+
+        service openvpn start
+
+        false || while [ $? -ne 0 ]; do
+          sleep 1
+          ip l sh dev tun0 &> /dev/null
+        done
+
+        sleep 2
+      fi
+
+      if has_nativeip6 && ! is_ip6interco_set; then
+        echo "Set IPv6 interco route"
+        ip r a <TPL:IP6_INTERCO>/128 via ${gw6} dev <TPL:WIRED_DEVICE>
+      fi
+
+      if ! is_ip6addr_set; then
+        echo "Set IPv6 address"
+        ip a a <TPL:IP6_ADDR>/128 dev tun0
+      fi
+    fi
+  ;;
+  stop)
+    if is_ip6addr_set; then
+      echo "Unset IPv6 address"
+      ip a d <TPL:IP6_ADDR>/128 dev tun0
+    fi
+
+    if is_ip6interco_set; then
+      echo "Unset IPv6 interco route"
+      ip r d <TPL:IP6_INTERCO>/128 via ${gw6} dev <TPL:WIRED_DEVICE>
+    fi
+  
+    if is_openvpn_running; then
+      echo "Stop openvpn"
+      service openvpn stop
+    fi
+  ;;
+  restart)
+    $0 stop
+    $0 start
+  ;;
+  status)
+    exitcode=0
+
+    if is_ip6addr_set; then
+      echo "IPv6 address is correctly set"
+    else
+      echo "IPv6 address is NOT set"
+      exitcode=1
+    fi
+
+    if has_nativeip6; then
+      if is_ip6interco_set; then
+        echo "IPv6 interco route is correctly set"
+      else
+        echo "IPv6 interco route is NOT set"
+        exitcode=1
+      fi
+    else
+      echo "No native IPv6 detected"
+    fi
+
+    if is_openvpn_running; then
+      echo "Openvpn is running"
+    else
+      echo "Openvpn is NOT running"
+      exitcode=1
+    fi
+
+    exit ${exitcode}
+  ;;
+  *)
+    echo "Usage: $0 {start|stop|restart|status}"
+    exit 1
+  ;;
+esac
+
+exit 0
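Review bot: The polling loop at `false || while [ $? -ne 0 ]; do … ip l sh dev tun0 …; done` has no upper bound, so when openvpn starts but tun0 never appears (unreachable server, rejected certificate) the `start` action spins forever — and since this is an init script, that blocks the rest of the boot sequence; the `false ||` priming of `$?` also obscures what is being polled. A bounded `until` loop that fails explicitly is clearer and cannot hang (sketch below). Separately, `${gw6}` is unquoted in both `ip r a … via ${gw6}` and `ip r d … via ${gw6}`; `via "${gw6}"` avoids word-splitting, and `grep -q default\ via` reads better as `grep -q 'default via'`.

```bash
        service openvpn start

        # Bounded wait so a tunnel that never comes up fails loudly instead of blocking boot
        tries=0
        until ip l sh dev tun0 &> /dev/null; do
          tries=$((tries + 1))
          if [ "${tries}" -ge 30 ]; then
            echo "tun0 did not come up after ${tries}s" >&2
            exit 1
          fi
          sleep 1
        done

        sleep 2
# … unchanged: IPv6 interco route and address setup …
```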

+ 63 - 0
manifest.json

@@ -0,0 +1,63 @@
+{
+  "name": "VPN Client",
+  "id": "vpnclient",
+  "description": {
+    "en": "VPN Client",
+    "fr": "Client VPN"
+  },
+  "license": "AGPL-3",
+  "developer": {
+    "name": "Julien Vaubourg",
+    "email": "julien@vaubourg.com",
+    "url": "http://julien.vaubourg.com"
+  },
+  "multi_instance": "false",
+  "arguments": {
+    "install" : [
+      {
+        "name": "Server name",
+        "ask": {
+            "en": "Select a VPN server"
+        },
+        "example": "access.ldn-fai.net",
+        "default": "access.ldn-fai.net"
+      },
+      {
+        "name": "Client certificate",
+        "ask": {
+            "en": "Select your client certificate"
+        },
+        "example": "-----BEGIN CERTIFICATE-----"
+      },
+      {
+        "name": "Client certificate key",
+        "ask": {
+            "en": "Select your client certificate key"
+        },
+        "example": "-----BEGIN PRIVATE KEY-----"
+      },
+      {
+        "name": "Server CA",
+        "ask": {
+            "en": "Select your server certificate authority"
+        },
+        "example": "-----BEGIN CERTIFICATE-----"
+      },
+      {
+        "name": "IPv6 network",
+        "ask": {
+            "en": "Select your IPv6 delegated network (netmask number must be <= 64)"
+        },
+        "example": "2001:db8:42::/48"
+      },
+      {
+        "name": "IPv6 interco",
+        "ask": {
+            "en": "Select your IPv6 interco (server side)"
+        },
+        "example": "2001:db8:1337::42",
+	"default": "2001:db8:1337::42"
+      }
+    ]
+  }
+}
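Review bot: The `"default": "2001:db8:1337::42"` line of the "IPv6 interco" argument is indented with a tab while the rest of the file uses spaces; it should be eight spaces to match the sibling `"example"` key. `"multi_instance": "false"` is a JSON string rather than the boolean `false`; if the manifest format in use expects a boolean this would be `"multi_instance": false` — confirm against the YunoHost manifest schema targeted here. The "IPv6 network" prompt states that the prefix length must be <= 64, but nothing in this manifest or in scripts/install (whose argument check is still a TODO) enforces it.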

+ 82 - 0
scripts/install

@@ -0,0 +1,82 @@
+#!/bin/bash
+
+# Retrieve arguments
+server_name=$1
+crt_client=$2
+crt_client_key=$3
+crt_server_ca=$4
+ip6_net=$5
+ip6_interco=$6
+
+# Check arguments
+# TODO
+
+# Install packages
+sudo apt-get --assume-yes --force-yes install openvpn
+
+# Install extra packages
+sudo apt-get --assume-yes --force-yes install sipcalc
+
+# Compute extra arguments
+wired_device=$(ip r | awk '/default via/ { print $NF; }')
+ip6_interco=$(sipcalc ${ip6_interco} | grep Compressed | awk '{ print $NF; }')
+ip6_expanded_net=$(sipcalc ${ip6_net} | grep Expanded | awk '{ print $NF; }')
+ip6_net=$(sipcalc ${ip6_net} | grep Compressed | awk '{ print $NF; }')
+ip6_addr=$(echo "$(echo ${ip6_expanded_net} | cut -d: -f1-7):42")
+ip6_addr=$(sipcalc ${ip6_addr} | grep Compressed | awk '{ print $NF; }')
+
+# Save arguments for future upgrades
+sudo yunohost app setting vpnclient wired_device -v ${wired_device}
+sudo yunohost app setting vpnclient ip6_addr -v ${ip6_addr}
+sudo yunohost app setting vpnclient ip6_net -v ${ip6_net}
+sudo yunohost app setting vpnclient ip6_interco -v ${ip6_interco}
+sudo yunohost app setting vpnclient crt_client -v ${crt_client}
+sudo yunohost app setting vpnclient crt_client_key -v ${crt_client_key}
+sudo yunohost app setting vpnclient crt_server_ca -v ${crt_server_ca}
+
+# Copy confs
+sudo install -b -o root -g root -m 0644 ../conf/client.conf.tpl /etc/openvpn/
+
+# Create certificates
+mkdir -pm 0700 /etc/openvpn/keys/
+
+sudo cat << EOF > /etc/openvpn/keys/user.crt
+${crt_client}
+EOF
+sudo cat << EOF > /etc/openvpn/keys/user.key
+${crt_client_key}
+EOF
+sudo cat << EOF > /etc/openvpn/keys/ca-server.crt
+${crt_server_ca}
+EOF
+
+sudo chown root: /etc/openvpn/keys/*
+sudo chmod 0600 /etc/openvpn/keys/*
+
+# Fix confs
+## openvpn
+sudo sed "s|<TPL:SERVER_NAME>|${server_name}|g" -i /etc/openvpn/client.conf.tpl
+
+# Copy init script
+sudo install -b -o root -g root -m 0755 ../conf/ynh-vpnclient /etc/init.d/
+
+# Fix init script
+## ynh-vpnclient
+sudo sed "s|<TPL:IP6_ADDR>|${ip6_addr}|g" -i /etc/init.d/ynh-vpnclient
+sudo sed "s|<TPL:IP6_INTERCO>|${ip6_interco}|g" -i /etc/init.d/ynh-vpnclient
+sudo sed "s|<TPL:WIRED_DEVICE>|${wired_device}|g" -i /etc/init.d/ynh-vpnclient
+
+# Set default inits
+# The boot order of these services are important, so they are disabled by default
+# and the ynh-vpnclient service handles them.
+# All services are registred by yunohost in order to prevent conflicts after the uninstall.
+sudo yunohost service add openvpn
+sudo yunohost service stop openvpn
+sudo yunohost service disable openvpn
+
+# Gooo
+sudo yunohost service add ynh-vpnclient
+sudo yunohost service enable ynh-vpnclient
+sudo yunohost service start ynh-vpnclient
+
+exit 0
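Review bot: The here-doc writes `sudo cat << EOF > /etc/openvpn/keys/user.crt` (and the two that follow) redirect in the calling shell, so `sudo` applies only to `cat` and the write itself runs unprivileged; combined with the missing `sudo` on `mkdir -pm 0700 /etc/openvpn/keys/`, this only works when the script already runs as root, and even then the files are created under the default umask and remain readable by other users until the `chmod 0600` several lines later. Let the privileged process perform the write under a restrictive umask (sketch below). The `sed "s|<TPL:SERVER_NAME>|${server_name}|g"` call, and the three `sed … -i /etc/init.d/ynh-vpnclient` calls, interpolate user-supplied arguments into the sed program, so a `server_name` containing `|` or a newline alters the sed script rather than the replacement text; the `# Check arguments` TODO should at least reject characters outside the hostname alphabet before they reach sed, e.g. `[[ "${server_name}" =~ ^[A-Za-z0-9.-]+$ ]] || exit 1`. The arguments received as `$1`–`$6`, including the private key, arrive on argv and are visible in process listings while the script runs — a property of the install-argument mechanism rather than of this script, but worth a comment so a later maintainer does not add `set -x` here.

```bash
sudo mkdir -pm 0700 /etc/openvpn/keys/

# Redirections are done by the calling shell, not by sudo, so the privileged
# process must perform the write itself; umask 077 keeps the file from being
# readable by others before the chmod further down.
write_keyfile() {
  ( umask 077; printf '%s\n' "$2" | sudo tee -- "$1" > /dev/null )
}
write_keyfile /etc/openvpn/keys/user.crt "${crt_client}"
write_keyfile /etc/openvpn/keys/user.key "${crt_client_key}"
write_keyfile /etc/openvpn/keys/ca-server.crt "${crt_server_ca}"

# … unchanged: chown/chmod of /etc/openvpn/keys/*, template fixes, service setup …
```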

+ 16 - 0
scripts/remove

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# The End
+sudo yunohost service stop ynh-hotspot
+sudo yunohost service remove ynh-hotspot
+sudo rm -f /etc/init.d/ynh-hotspot
+
+# Remove confs
+sudo rm -rf /etc/hostapd/ /etc/radvd.conf /etc/dhcp/dhcpd.conf
+
+# Remove packets
+# The yunohost policy is currently to not uninstall packets (dependency problems)
+## sudo apt-get --assume-yes --force-yes remove hostapd radvd isc-dhcp-server iptables
+## sudo apt-get --assume-yes --force-yes remove sipcalc
+
+exit 0
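Review bot: This script tears down the hotspot app rather than this one: it stops and removes `ynh-hotspot` and deletes `/etc/hostapd/`, `/etc/radvd.conf` and `/etc/dhcp/dhcpd.conf`, none of which scripts/install creates, while `/etc/init.d/ynh-vpnclient`, `/etc/openvpn/client.conf*` and `/etc/openvpn/keys/` — which holds the client private key — stay on disk after uninstall, and a co-installed hotspot app would have its configuration destroyed. The service name and paths should be the ones scripts/install registers (sketch below). scripts/install also registers `openvpn` with `yunohost service add`; whether to `yunohost service remove openvpn` here depends on the policy described in the install comment, so it is left out of the sketch. The commented-out apt lines likewise list hotspot packages rather than openvpn and sipcalc.

```bash
# The End
sudo yunohost service stop ynh-vpnclient
sudo yunohost service remove ynh-vpnclient
sudo rm -f /etc/init.d/ynh-vpnclient

# Remove confs (the keys directory holds the client private key)
sudo rm -rf /etc/openvpn/keys/ /etc/openvpn/client.conf /etc/openvpn/client.conf.tpl

# … unchanged: package-removal comments, exit 0 …
```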