vpnclient_ynh/conf/ynh-vpnclient

#!/bin/bash

# VPN Client app for YunoHost
# Copyright (C) 2015 Julien Vaubourg <julien@vaubourg.com>
# Contribute at https://github.com/labriqueinternet/vpnclient_ynh
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

###################################################################################
# Logging helpers                                                                 #
###################################################################################

LOGFILE="/var/log/ynh-vpnclient.log"
touch $LOGFILE
chown root:root $LOGFILE
chmod 600 $LOGFILE

function success()
{
  echo "[ OK ] $1" | tee -a $LOGFILE
}

function info()
{
  echo "[INFO] $1" | tee -a $LOGFILE
}

function warn()
{
  echo "[WARN] $1" | tee -a $LOGFILE >&2
}

function error()
{
  echo "[FAIL] $1" | tee -a $LOGFILE >&2
}

function critical()
{
  echo "[CRIT] $1" | tee -a $LOGFILE >&2
  exit 1
}

###################################################################################
# Cleanup                                                                         #
###################################################################################

cleanup() {
  local last_exit_code="$?"
  if [[ "${action}" != "stop" && "${last_exit_code}" -ne 0 ]]; then
    rm -f /tmp/.ynh-vpnclient-started
  fi
}

# Cleanup before exit
trap cleanup 0

###################################################################################
# Time sync                                                                       #
###################################################################################

sync_time() {
  info "Now synchronizing time using ntp..."
  systemctl stop ntp
  timeout 20 ntpd -qg &> /dev/null
  
  # Some networks drop ntp port (udp 123). 
  # Try to get the date with an http request on the internetcube web site
  if [ $? -ne 0 ]; then
    info "ntp synchronization failed, falling back to curl method"
    http_date=$(curl --max-time 5 -sD - yunohost.org | grep -i '^Date:' | cut -d' ' -f2-)
    http_date_seconds=$(date -d "${http_date}" +%s)
    curr_date_seconds=$(date +%s)

    # Set the new date if it's greater than the current date
    # So it does if 1970 year or if old fake-hwclock date is used
    if [ $http_date_seconds -ge $curr_date_seconds ]; then
      date -s "${http_date}"
    fi
  fi 
  systemctl start ntp
}

###################################################################################
# The actual ynh vpnclient management thing                                       #
###################################################################################

check_config() {
  info "Checking if configuration is valid..."

  if [[ ! -e /etc/openvpn/keys/ca-server.crt ]]; then
    critical "You need a CA server (you can add it through the web admin)"
  fi

  if ! openssl x509 -in /etc/openvpn/keys/ca-server.crt -noout -checkend 0 >/dev/null; then
    ca_server_cert_expired_date=$(openssl x509 -in /etc/openvpn/keys/ca-server.crt -noout -enddate | cut -d '=' -f 2)
    critical "The CA server expired on $ca_server_cert_expired_date"
  fi

  if [[ ! -e /etc/openvpn/keys/user.crt || ! -e /etc/openvpn/keys/user.key ]]; then
    if [[ -s /etc/openvpn/keys/credentials ]]; then
      login_user=$(sed -n 1p /etc/openvpn/keys/credentials)
      login_passphrase=$(sed -n 2p /etc/openvpn/keys/credentials)
    else
      login_user=""
      login_passphrase=""
    fi

    if [[ $login_user == "" || $login_passphrase == "" ]]; then
      critical "You need either a client certificate, either a username, or both (you can add one through the web admin)"
    fi
  elif [[ -e /etc/openvpn/keys/user.crt ]] && ! openssl x509 -in /etc/openvpn/keys/user.crt -noout -checkend 0 >/dev/null; then
    user_cert_expired_date=$(openssl x509 -in /etc/openvpn/keys/user.crt -noout -enddate | cut -d '=' -f 2)
    critical "The client certificate expired on $user_cert_expired_date"
  fi
}

is_firewall_set() {
  local wired_device="$1"
  ip6tables -w -nvL OUTPUT | grep vpnclient_out | grep -q "${wired_device}" \
  && iptables -w -nvL OUTPUT | grep vpnclient_out | grep -q "${wired_device}"
}

set_firewall() {
  info "Applying firewall rules..."

  local wired_device=$(ip route | awk '/default via/ { print $5; }')

  if ! is_firewall_set "${wired_device}"; then
    bash /etc/yunohost/apps/vpnclient/conf/hook_post-iptable-rules
  fi
  cp /etc/yunohost/apps/vpnclient/conf/hook_post-iptable-rules /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient

  if is_firewall_set "${wired_device}"; then
    success "IPv6/IPv4 firewall set"
  else
    error "No IPv6/IPv4 firewall set" >&2
  fi
}

unset_firewall() {
  info "Removing firewall rules..."

  local wired_device=$(ip route | awk '/default via/ { print $5; }')

  rm -f /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
  if is_firewall_set "${wired_device}"; then  
    # IPv4

    iptables -w -D INPUT -i "${wired_device}" -j vpnclient_in
    iptables -w -D OUTPUT -o "${wired_device}" -j vpnclient_out
    iptables -w -D FORWARD -o "${wired_device}" -j vpnclient_fwd

    iptables -w -F vpnclient_in
    iptables -w -F vpnclient_out
    iptables -w -F vpnclient_fwd

    iptables -w -X vpnclient_in
    iptables -w -X vpnclient_out
    iptables -w -X vpnclient_fwd

    # IPv6
    
    ip6tables -w -D INPUT -i "${wired_device}" -j vpnclient_in
    ip6tables -w -D OUTPUT -o "${wired_device}" -j vpnclient_out
    ip6tables -w -D FORWARD -o "${wired_device}" -j vpnclient_fwd

    ip6tables -w -F vpnclient_in
    ip6tables -w -F vpnclient_out
    ip6tables -w -F vpnclient_fwd

    ip6tables -w -X vpnclient_in
    ip6tables -w -X vpnclient_out
    ip6tables -w -X vpnclient_fwd
  fi
}

action=${1}
if [[ "$action" != restart ]]; then
  # Variables

  info "Retrieving Yunohost settings... "

  ynh_service_enabled=$(yunohost app setting "vpnclient" "service_enabled")

  success "Settings retrieved"
fi

###################################################################################
# Start / stop / restart / status handling                                        #
###################################################################################

case "$action" in

  # ########## #
  #  Starting  #
  # ########## #

  start)
    info "[vpnclient] Starting..."
    
    if [[ -e /tmp/.ynh-vpnclient.started ]] || systemctl -q is-active openvpn@client.service; then
      info "Service is already running"
      exit 0
    elif [[ "${ynh_service_enabled}" -eq 0 ]]; then
      warn "Service is disabled, not starting it"
      exit 0
    fi

    touch /tmp/.ynh-vpnclient-started

    # We need to remove firewall rules in order to sync time
    unset_firewall

    sync_time
    check_config

    set_firewall

    info "Now actually starting OpenVPN client..."

    if systemctl start openvpn@client.service; then
      info "OpenVPN client started ... waiting for tun0 interface to show up"
    else
      tail -n 20 /var/log/openvpn-client.log | tee -a $LOGFILE
	    critical "Failed to start OpenVPN :/"
    fi

    has_errors=true
    for attempt in $(seq 0 20); do
      sleep 1
      if ip link show dev tun0 &> /dev/null; then
        success "tun0 interface is up!"
        has_errors=false
        break
      fi
    done
  
    if $has_errors; then
      error "Tun0 interface did not show up ... most likely an issue happening in OpenVPN client ... below is an extract of the log that might be relevant to pinpoint the issue"
      tail -n 20 /var/log/openvpn-client.log | tee -a $LOGFILE
      systemctl stop openvpn@client.service
      critical "Failed to start OpenVPN client : tun0 interface did not show up"
    fi

    info "Waiting for VPN client to be ready..."
    if ! timeout 180 tail -n 0 -f /var/log/openvpn-client.log | grep -q "Initialization Sequence Completed"; then
      error "The VPN client didn't complete initiliasation"
      tail -n 20 /var/log/openvpn-client.log | tee -a $LOGFILE
      systemctl stop openvpn@client.service
      critical "Failed to start OpenVPN client"
    fi

    info "Validating that VPN is up and the server is connected to internet..."

    ipv4=$(timeout 5 ping -w3 -c1 ip.yunohost.org  >/dev/null 2>&1 && curl --max-time 5 https://ip.yunohost.org --silent)
    ipv6=$(timeout 5 ping -w3 -c1 ip6.yunohost.org >/dev/null 2>&1 && curl --max-time 5 https://ip6.yunohost.org --silent)

    if ip route get 1.2.3.4 | grep -q tun0; then
      if timeout 5 ping -c1 -w3 debian.org >/dev/null; then
        success "YunoHost VPN client started!"
        info "IPv4 address is $ipv4"
        info "IPv6 address is $ipv6"
      else
        critical "The VPN is up but debian.org cannot be reached, indicating that something is probably misconfigured/blocked."
      fi
    else
      critical "IPv4 routes are misconfigured !?"
    fi
  ;;

  # ########## #
  #  Stopping  #
  # ########## #

  stop)
    info "[vpnclient] Stopping..."
    rm -f /tmp/.ynh-vpnclient-started

    if systemctl is-active -q openvpn@client.service; then
      info "Stopping OpenVPN service"
      systemctl stop openvpn@client.service

      for attempt in $(seq 0 20); do
        if ip link show dev tun0 &> /dev/null; then
          info "(Waiting for tun0 to disappear if it was up)"
          sleep 1
        fi
      done
    fi

    unset_firewall
  ;;

  # ########## #
  #  Restart   #
  # ########## #

  restart)
    $0 stop
    $0 start
  ;;

  # ########## #
  #    Halp    #
  # ########## #

  *)
    echo "Usage: $0 {start|stop|restart}"
  ;;
esac

exit 0