labriqueinternet
/
vpnclient_ynh
miroir de https://github.com/labriqueinternet/vpnclient_ynh


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543
							#!/bin/bash

# VPN Client app for YunoHost
# Copyright (C) 2015 Julien Vaubourg <julien@vaubourg.com>
# Contribute at https://github.com/labriqueinternet/vpnclient_ynh
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

###################################################################################
# Logging helpers                                                                 #
###################################################################################

LOGFILE="/var/log/ynh-vpnclient.log"
touch $LOGFILE
chown root:root $LOGFILE
chmod 600 $LOGFILE

function success()
{
  echo "[ OK ] $1" | tee -a $LOGFILE
}

function info()
{
  echo "[INFO] $1" | tee -a $LOGFILE
}

function warn()
{
  echo "[WARN] $1" | tee -a $LOGFILE >&2
}

function error()
{
  echo "[FAIL] $1" | tee -a $LOGFILE >&2
}

function critical()
{
  echo "[CRIT] $1" | tee -a $LOGFILE >&2
  exit 1
}

###################################################################################
# IPv6 and route config stuff                                                     #
###################################################################################

has_nativeip6() {
  ip -6 route | grep -q "default via"
}

has_ip6delegatedprefix() {
  [[ -n "${ynh_ip6_addr}" ]] && [[ "${ynh_ip6_addr}" != none ]]
}

is_ip6addr_set() {
  ip address show dev tun0 2> /dev/null | grep -q "${ynh_ip6_addr}/"
}

#
# Server IPv6 route
#

is_serverip6route_set() {
  server_ip6s=${1}

  if [[ -z "${server_ip6s}" ]]; then
    return 0
  fi

  for server_ip6 in ${server_ip6s}; do
    if ! ip -6 route | grep -q "^${server_ip6}"; then
      return 1
    fi
  done
}

set_serverip6route() {
  server_ip6s=${1}
  ip6_gw=${2}
  wired_device=${3}

  info "Adding IPv6 server route"
    for server_ip6 in ${server_ip6s};
    do
        ip route add "${server_ip6}/128" via "${ip6_gw}" dev "${wired_device}"
    done
}


unset_serverip6route() {
  server_ip6s=${1}
  ip6_gw=${2}
  wired_device=${3}

  info "Removing IPv6 server route"
    for server_ip6 in ${server_ip6s};
    do
        ip route delete "${server_ip6}/128" via "${ip6_gw}" dev "${wired_device}"
    done
}

###################################################################################
# DNS rules                                                                       #
###################################################################################

is_dns_set() {
  if [[ "$ynh_dns_method" == "custom" ]]
  then
  
    current_dns=$(grep -o -P '\s*nameserver\s+\K[abcdefabcdef\d.:]+' /etc/resolv.dnsmasq.conf | sort | uniq)
    wanted_dns=$(echo "${ynh_dns}" | sed 's/,/\n/g'  | sort | uniq)
    [ -e /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient ]\
    && [[ "$current_dns" == "$wanted_dns" ]]
  else
    true
  fi
}

set_dns() {
  info "Enforcing custom DNS resolvers from vpnclient"

  resolvconf=/etc/resolv.dnsmasq.conf

  cp -fa "${resolvconf}" "${resolvconf}.ynh"
  if [[ "$ynh_dns_method" == "custom" ]]
  then
    cat << EOF > /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient
echo "${ynh_dns}" | sed 's/,/\n/g' | sort | uniq | sed 's/^/nameserver /g' > ${resolvconf}
EOF
    bash /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient
  fi

}

unset_dns() {
  resolvconf=/etc/resolv.dnsmasq.conf

  info "Removing custom DNS resolvers from vpnclient"
  rm -f /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient
  [ -e "${resolvconf}.ynh" ] && mv "${resolvconf}.ynh" "${resolvconf}"

  # FIXME : this situation happened to a user ...
  # We could try to force regen the dns conf 
  # (though for now it's tightly coupled to dnsmasq)
  grep -q "^nameserver\s" "${resolvconf}" || error "${resolvconf} does not have any nameserver line !?"
}

###################################################################################
# Firewall rules management                                                       #
###################################################################################

is_firewall_set() {
  wired_device=$(ip route | awk '/default via/ { print $5; }')

  ip6tables -w -nvL OUTPUT | grep vpnclient_out | grep -q "${wired_device}"\
  && iptables -w -nvL OUTPUT | grep vpnclient_out | grep -q "${wired_device}"
}

set_firewall() {
  info "Adding vpnclient custom rules to the firewall"

  cp /etc/yunohost/hooks.d/{90-vpnclient.tpl,post_iptable_rules/90-vpnclient}

  info "Restarting yunohost firewall..."
  yunohost firewall reload >/dev/null && success "Firewall restarted!"
}

unset_firewall() {
  info "Cleaning vpnclient custom rules from the firewall"
  rm -f /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
  info "Restarting yunohost firewall..."
  yunohost firewall reload >/dev/null && success "Firewall restarted!"
}

###################################################################################
# Time sync                                                                       #
###################################################################################

sync_time() {
  info "Now synchronizing time using ntp..."
  systemctl stop ntp
  timeout 20 ntpd -qg &> /dev/null
  
  # Some networks drop ntp port (udp 123). 
  # Try to get the date with an http request on the internetcube web site
  if [ $? -ne 0 ]; then
    info "ntp synchronization failed, falling back to curl method"
    http_date=$(curl --max-time 5 -sD - labriqueinter.net | grep '^Date:' | cut -d' ' -f3-6)
    http_date_seconds=$(date -d "${http_date}" +%s)
    curr_date_seconds=$(date +%s)

    # Set the new date if it's greater than the current date
    # So it does if 1970 year or if old fake-hwclock date is used
    if [ $http_date_seconds -ge $curr_date_seconds ]; then
      date -s "${http_date}"
    fi
  fi 
  systemctl start ntp
}

###################################################################################
# OpenVPN client start/stop procedures                                            #
###################################################################################

is_openvpn_running() {
  systemctl is-active openvpn@client.service &> /dev/null
}

start_openvpn() {

  # Unset firewall to let DNS and NTP resolution works
  # Firewall is reset after vpn is mounted (more details on #1016)
  unset_firewall

  sync_time

  info "Now actually starting OpenVPN client..."

  if systemctl start openvpn@client.service
  then
    info "OpenVPN client started ... waiting for tun0 interface to show up"
  else
    tail -n 20 /var/log/openvpn-client.log | tee -a $LOGFILE
	critical "Failed to start OpenVPN :/"
  fi

  for attempt in $(seq 0 20)
  do
    sleep 1
    if ip link show dev tun0 &> /dev/null
    then
       success "tun0 interface is up!"
       return 0
    fi
  done
  
  error "Tun0 interface did not show up ... most likely an issue happening in OpenVPN client ... below is an extract of the log that might be relevant to pinpoint the issue"
  tail -n 20 /var/log/openvpn-client.log | tee -a $LOGFILE
  stop_openvpn
  critical "Failed to start OpenVPN client : tun0 interface did not show up"
}

stop_openvpn() {
  info "Stopping OpenVPN service"
  systemctl stop openvpn@client.service

  for attempt in $(seq 0 20)
  do
    if ip link show dev tun0 &> /dev/null
    then
       info "(Waiting for tun0 to disappear if it was up)"
       sleep 1
    fi
  done
}

###################################################################################
# Yunohost settings interface                                                     #
###################################################################################

ynh_setting_get() {
  app=${1}
  setting=${2}

  grep "^${setting}:" "/etc/yunohost/apps/${app}/settings.yml" | sed s/^[^:]\\+:\\s*[\"\']\\?// | sed s/\\s*[\"\']\$//
  # '"
}

ynh_setting_set() {
  app=${1}
  setting=${2}
  value=${3}

  yunohost app setting "${app}" "${setting}" -v "${value}"
}

###################################################################################
# The actual ynh vpnclient management thing                                       #
###################################################################################

is_running() {
  ((has_nativeip6 && is_serverip6route_set "${new_server_ip6}") || ! has_nativeip6)\
  && ((has_ip6delegatedprefix && is_ip6addr_set) || ! has_ip6delegatedprefix)\
  && is_dns_set && is_firewall_set && is_openvpn_running
}

check_config() {
  if [[ ! -e /etc/openvpn/keys/ca-server.crt ]]; then
    critical "You need a CA server (you can add it through the web admin)"
  fi

  if ! openssl x509 -in /etc/openvpn/keys/ca-server.crt -noout -checkend 0 >/dev/null; then
    ca_server_cert_expired_date=$(openssl x509 -in /etc/openvpn/keys/ca-server.crt -noout -enddate | cut -d '=' -f 2)
    critical "The CA server expired on $ca_server_cert_expired_date"
  fi

  if [[ ! -e /etc/openvpn/keys/user.crt || ! -e /etc/openvpn/keys/user.key ]]; then
    if [[ -s /etc/openvpn/keys/credentials ]]; then
      login_user=$(sed -n 1p /etc/openvpn/keys/credentials)
      login_passphrase=$(sed -n 2p /etc/openvpn/keys/credentials)
    else
      login_user=""
      login_passphrase=""
    fi

    if [[ $login_user == "" || $login_passphrase == "" ]]; then
      critical "You need either a client certificate, either a username, or both (you can add one through the web admin)"
    fi
  elif [[ -e /etc/openvpn/keys/user.crt ]] && ! openssl x509 -in /etc/openvpn/keys/user.crt -noout -checkend 0 >/dev/null; then
    user_cert_expired_date=$(openssl x509 -in /etc/openvpn/keys/user.crt -noout -enddate | cut -d '=' -f 2)
    critical "The client certificate expired on $user_cert_expired_date"
  fi
}

if [ "$1" != restart ]; then

  # Variables

  info "Retrieving Yunohost settings... "

  ynh_service_enabled=$(ynh_setting_get vpnclient service_enabled)
  ynh_ip6_addr=$(ynh_setting_get vpnclient ip6_addr)
  ynh_dns_method=$(ynh_setting_get vpnclient dns_method)
  ynh_dns=$(ynh_setting_get vpnclient nameservers)

  old_ip6_gw=$(ynh_setting_get vpnclient ip6_gw)
  old_wired_device=$(ynh_setting_get vpnclient wired_device)
  old_server_ip6=$(ynh_setting_get vpnclient server_ip6)

  new_ip6_gw=$(ip -6 route | awk '/default via/ { print $3 }')
  new_wired_device=$(ip route | awk '/default via/ { print $5; }')
  ynh_server_names=$(grep -o -P '^\s*remote\s+\K([^\s]+)' /etc/openvpn/client.conf | sort | uniq)
  new_server_ip6=$(dig AAAA +short $ynh_server_names @127.0.0.1 | grep -v '\.$' | grep -v "timed out" | sort | uniq)

  for i in $ynh_server_names; do
    if [[ "${i}" =~ : ]] && [[ ! "$new_server_ip6" == *"${i}"* ]] ; then
        new_server_ip6+=" ${i}"
    fi
  done

  success "Settings retrieved"

fi

###################################################################################
# Start / stop / restart / status handling                                        #
###################################################################################

case "${1}" in

  # ########## #
  #  Starting  #
  # ########## #

  start)

    if is_running; then
      info "Service is already running"
      exit 0
    elif [ "${ynh_service_enabled}" -eq 0 ]; then
      warn "Service is disabled, not starting it"
      exit 0
    fi

    check_config

    info "[vpnclient] Starting..."
    touch /tmp/.ynh-vpnclient-started

    # Run openvpn
    if is_openvpn_running; then
      info "(openvpn is already running)"
    else
      start_openvpn
    fi

    # Check old state of the server ipv6 route
    if [ ! -z "${old_server_ip6}" -a ! -z "${old_ip6_gw}" -a ! -z "${old_wired_device}"\
         -a \( "${new_server_ip6}" != "${old_server_ip6}" -o "${new_ip6_gw}" != "${old_ip6_gw}"\
         -o "${new_wired_device}" != "${old_wired_device}" \) ]\
       && is_serverip6route_set "${old_server_ip6}"
    then
       unset_serverip6route "${old_server_ip6}" "${old_ip6_gw}" "${old_wired_device}"
    fi

    # Set the new server ipv6 route
    if has_nativeip6 && ! is_serverip6route_set "${new_server_ip6}"
    then
      set_serverip6route "${new_server_ip6}" "${new_ip6_gw}" "${new_wired_device}"
    fi

    # Set host DNS resolvers
    if ! is_dns_set; then
       set_dns
    fi

    # Set ipv6/ipv4 firewall
    if ! is_firewall_set; then
      set_firewall
    fi

    # Update dynamic settings
    info "Saving settings..."
    ynh_setting_set vpnclient server_ip6 "${new_server_ip6}"
    ynh_setting_set vpnclient ip6_gw "${new_ip6_gw}"
    ynh_setting_set vpnclient wired_device "${new_wired_device}"

    ipv4=$(ping -w3 -c1 ip.yunohost.org  >/dev/null 2>&1 && curl --max-time 5 https://ip.yunohost.org --silent)
    ipv6=$(ping -w3 -c1 ip6.yunohost.org >/dev/null 2>&1 && curl --max-time 5 https://ip6.yunohost.org --silent)

    info "Validating that VPN is up and the server is connected to internet..."
    if ip route get 1.2.3.4 | grep -q tun0; then
        if ping -c1 -w5 debian.org >/dev/null; then
            success "YunoHost VPN client started!"
            info "IPv4 address is $ipv4"
            info "IPv6 address is $ipv6"
        else
            critical "The VPN is up but debian.org cannot be reached, indicating that something is probably misconfigured/blocked."
        fi
    else
        critical "IPv4 routes are misconfigured !?"
    fi
  ;;

  # ########## #
  #  Stopping  #
  # ########## #

  stop)
    info "[vpnclient] Stopping..."
    rm -f /tmp/.ynh-vpnclient-started

    if is_serverip6route_set "${old_server_ip6}"; then
      unset_serverip6route "${old_server_ip6}" "${old_ip6_gw}" "${old_wired_device}"
    fi

    is_firewall_set && unset_firewall

    is_dns_set && unset_dns

    is_openvpn_running && stop_openvpn
  ;;

  # ########## #
  #  Restart   #
  # ########## #

  restart)
    $0 stop
    $0 start
  ;;

  # ########## #
  #   Status   #
  # ########## #

  status)
    exitcode=0

    if [ "${ynh_service_enabled}" -eq 0 ]; then
      error "VPN Client Service disabled"
      exitcode=1
    fi

    info "Autodetected internet interface: ${new_wired_device} (last start: ${old_wired_device})"
    info "Autodetected IPv6 address for the VPN server: ${new_server_ip6} (last start: ${old_server_ip6})"

    if has_ip6delegatedprefix; then
      info "IPv6 delegated prefix found"
      info "IPv6 address computed from the delegated prefix: ${ynh_ip6_addr}"

      if is_ip6addr_set; then
        success "IPv6 address correctly set"
      else
        error "No IPv6 address set"
        exitcode=1
      fi
    else
      info "No IPv6 delegated prefix found"
    fi

    if has_nativeip6; then
      info "Native IPv6 detected"
      info "Autodetected native IPv6 gateway: ${new_ip6_gw} (last start: ${old_ip6_gw})"

      if is_serverip6route_set "${new_server_ip6}"; then
        success "IPv6 server route correctly set"
      else
        error "No IPv6 server route set"
        exitcode=1
      fi
    else
      info "No native IPv6 detected"
      info "No IPv6 server route to set"
    fi

    if is_firewall_set; then
      success "IPv6/IPv4 firewall set"
    else
      info "No IPv6/IPv4 firewall set"
      exitcode=1
    fi

    if is_dns_set; then
      success "Host DNS correctly set"
    else
      error "No host DNS set"
      exitcode=1
    fi

    if is_openvpn_running; then
      success "Openvpn is running"
    else
      error "Openvpn is not running"
      exitcode=1
    fi

    exit ${exitcode}
  ;;

  # ########## #
  #    Halp    #
  # ########## #

  *)
    echo "Usage: $0 {start|stop|restart|status}"
    exit 1
  ;;
esac

exit 0