#!/bin/bash # VPN Client app for YunoHost # Copyright (C) 2015 Julien Vaubourg # Contribute at https://github.com/labriqueinternet/vpnclient_ynh # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU Affero General Public License for more details. # # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . ################################################################################### # Logging helpers # ################################################################################### LOGFILE="/var/log/ynh-vpnclient.log" touch $LOGFILE chown root:root $LOGFILE chmod 600 $LOGFILE function success() { echo "[ OK ] $1" | tee -a $LOGFILE } function info() { echo "[INFO] $1" | tee -a $LOGFILE } function warn() { echo "[WARN] $1" | tee -a $LOGFILE >&2 } function error() { echo "[FAIL] $1" | tee -a $LOGFILE >&2 } function critical() { echo "[CRIT] $1" | tee -a $LOGFILE >&2 exit 1 } ################################################################################### # Cleanup # ################################################################################### cleanup() { local last_exit_code="$?" if [[ "${action}" != "stop" && "${last_exit_code}" -ne 0 ]]; then rm -f /tmp/.ynh-vpnclient-started fi } # Cleanup before exit trap cleanup 0 ################################################################################### # Time sync # ################################################################################### sync_time() { info "Now synchronizing time using ntp..." systemctl stop ntp timeout 20 ntpd -qg &> /dev/null # Some networks drop ntp port (udp 123). # Try to get the date with an http request on the internetcube web site if [ $? -ne 0 ]; then info "ntp synchronization failed, falling back to curl method" http_date=$(curl --max-time 5 -sD - yunohost.org | grep -i '^Date:' | cut -d' ' -f2-) http_date_seconds=$(date -d "${http_date}" +%s) curr_date_seconds=$(date +%s) # Set the new date if it's greater than the current date # So it does if 1970 year or if old fake-hwclock date is used if [ $http_date_seconds -ge $curr_date_seconds ]; then date -s "${http_date}" fi fi systemctl start ntp } ################################################################################### # The actual ynh vpnclient management thing # ################################################################################### check_config() { info "Checking if configuration is valid..." if [[ ! -e /etc/openvpn/keys/ca-server.crt ]]; then critical "You need a CA server (you can add it through the web admin)" fi if ! openssl x509 -in /etc/openvpn/keys/ca-server.crt -noout -checkend 0 >/dev/null; then ca_server_cert_expired_date=$(openssl x509 -in /etc/openvpn/keys/ca-server.crt -noout -enddate | cut -d '=' -f 2) critical "The CA server expired on $ca_server_cert_expired_date" fi if [[ ! -e /etc/openvpn/keys/user.crt || ! -e /etc/openvpn/keys/user.key ]]; then if [[ -s /etc/openvpn/keys/credentials ]]; then login_user=$(sed -n 1p /etc/openvpn/keys/credentials) login_passphrase=$(sed -n 2p /etc/openvpn/keys/credentials) else login_user="" login_passphrase="" fi if [[ $login_user == "" || $login_passphrase == "" ]]; then critical "You need either a client certificate, either a username, or both (you can add one through the web admin)" fi elif [[ -e /etc/openvpn/keys/user.crt ]] && ! openssl x509 -in /etc/openvpn/keys/user.crt -noout -checkend 0 >/dev/null; then user_cert_expired_date=$(openssl x509 -in /etc/openvpn/keys/user.crt -noout -enddate | cut -d '=' -f 2) critical "The client certificate expired on $user_cert_expired_date" fi } action=${1} if [[ "$action" != restart ]]; then # Variables info "Retrieving Yunohost settings... " ynh_service_enabled=$(yunohost app setting "vpnclient" "service_enabled") success "Settings retrieved" fi ################################################################################### # Start / stop / restart / status handling # ################################################################################### case "$action" in # ########## # # Starting # # ########## # start) info "[vpnclient] Starting..." if [[ -e /tmp/.ynh-vpnclient.started ]] || systemctl -q is-active openvpn@client.service; then info "Service is already running" exit 0 elif [[ "${ynh_service_enabled}" -eq 0 ]]; then warn "Service is disabled, not starting it" exit 0 fi touch /tmp/.ynh-vpnclient-started sync_time check_config info "Now actually starting OpenVPN client..." if systemctl start openvpn@client.service; then info "OpenVPN client started ... waiting for tun0 interface to show up" else tail -n 20 /var/log/openvpn-client.log | tee -a $LOGFILE critical "Failed to start OpenVPN :/" fi has_errors=true for attempt in $(seq 0 20); do sleep 1 if ip link show dev tun0 &> /dev/null; then success "tun0 interface is up!" has_errors=false break fi done if $has_errors; then error "Tun0 interface did not show up ... most likely an issue happening in OpenVPN client ... below is an extract of the log that might be relevant to pinpoint the issue" tail -n 20 /var/log/openvpn-client.log | tee -a $LOGFILE systemctl stop openvpn@client.service critical "Failed to start OpenVPN client : tun0 interface did not show up" fi info "Waiting for VPN client to be ready..." if ! timeout 180 tail -n 0 -f /var/log/openvpn-client.log | grep -q "Initialization Sequence Completed"; then error "The VPN client didn't complete initiliasation" tail -n 20 /var/log/openvpn-client.log | tee -a $LOGFILE systemctl stop openvpn@client.service critical "Failed to start OpenVPN client" fi info "Validating that VPN is up and the server is connected to internet..." ipv4=$(timeout 5 ping -w3 -c1 ip.yunohost.org >/dev/null 2>&1 && curl --max-time 5 https://ip.yunohost.org --silent) ipv6=$(timeout 5 ping -w3 -c1 ip6.yunohost.org >/dev/null 2>&1 && curl --max-time 5 https://ip6.yunohost.org --silent) if ip route get 1.2.3.4 | grep -q tun0; then if timeout 5 ping -c1 -w3 debian.org >/dev/null; then success "YunoHost VPN client started!" info "IPv4 address is $ipv4" info "IPv6 address is $ipv6" else critical "The VPN is up but debian.org cannot be reached, indicating that something is probably misconfigured/blocked." fi else critical "[CRIT] IPv4 routes are misconfigured !?" fi ;; # ########## # # Stopping # # ########## # stop) info "[vpnclient] Stopping..." rm -f /tmp/.ynh-vpnclient-started if systemctl is-active -q openvpn@client.service; then info "Stopping OpenVPN service" systemctl stop openvpn@client.service for attempt in $(seq 0 20); do if ip link show dev tun0 &> /dev/null; then info "(Waiting for tun0 to disappear if it was up)" sleep 1 fi done fi ;; # ########## # # Restart # # ########## # restart) $0 stop $0 start ;; # ########## # # Halp # # ########## # *) echo "Usage: $0 {start|stop|restart}" ;; esac exit 0