openvpn: remove gw switching logic; closes #3449
This removes the last part of the gateway switching capabilities from OpenVPN in a backwards-incompatible way. Clients can already reconnect if they use "any" or an internal LAN. Servers should not bind to WAN in Multi-WAN or gateway group setups; use localhost + NAT rules for both WANs instead. Discussed with: @adschellevis
This commit is contained in:
parent
18422180ad
commit
1bc478fbaa
2
LICENSE
2
LICENSE
|
@ -32,7 +32,7 @@ Copyright (c) 2004-2005 Jonathan Watt <jwatt@jwatt.org>
|
|||
Copyright (c) 2014-2015 Jos Schellevis <jos@opnsense.org>
|
||||
Copyright (c) 2003-2004 Justin Ellison <justin@techadvise.com>
|
||||
Copyright (c) 2015 Manuel Faux <mfaux@conf.at>
|
||||
Copyright (c) 2003-2007 Manuel Kasper <mk@neon1.net>
|
||||
Copyright (c) 2003-2006 Manuel Kasper <mk@neon1.net>
|
||||
Copyright (c) 2012 Marcello Coutinho
|
||||
Copyright (c) 2018 Martin Wasley <martin@team-rebellion.net>
|
||||
Copyright (c) 2010-2015 Michael Bostock
|
||||
2
plist
2
plist
|
@ -98,7 +98,6 @@
|
|||
/usr/local/etc/rc.monitor
|
||||
/usr/local/etc/rc.newwanip
|
||||
/usr/local/etc/rc.newwanipv6
|
||||
/usr/local/etc/rc.openvpn
|
||||
/usr/local/etc/rc.reboot
|
||||
/usr/local/etc/rc.reload_all
|
||||
/usr/local/etc/rc.resolv_conf_generate
|
||||
|
@ -777,7 +776,6 @@
|
|||
/usr/local/opnsense/service/conf/actions.d/actions_monit.conf
|
||||
/usr/local/opnsense/service/conf/actions.d/actions_netflow.conf
|
||||
/usr/local/opnsense/service/conf/actions.d/actions_openssh.conf
|
||||
/usr/local/opnsense/service/conf/actions.d/actions_openvpn.conf
|
||||
/usr/local/opnsense/service/conf/actions.d/actions_plugins.conf
|
||||
/usr/local/opnsense/service/conf/actions.d/actions_proxy.conf
|
||||
/usr/local/opnsense/service/conf/actions.d/actions_system.conf
|
||||
@ -567,9 +567,6 @@ function openvpn_reconfigure($mode, $settings, $device_only = false)
|
|||
/* defaults to SHA1, so use it when unset to maintain compatibility */
|
||||
$digest = !empty($settings['digest']) ? $settings['digest'] : 'SHA1';
|
||||
|
||||
/* the function is used incorrectly, but works as it only checks the link connectivity */
|
||||
$interface = get_real_interface($settings['interface']);
|
||||
|
||||
/*
|
||||
* If a specific IP address (VIP) is requested, use it.
|
||||
* Otherwise, if a specific interface is requested, use
|
||||
|
@ -963,14 +960,9 @@ function openvpn_reconfigure($mode, $settings, $device_only = false)
|
|||
|
||||
openvpn_add_custom($settings, $conf);
|
||||
|
||||
openvpn_create_dirs();
|
||||
$fpath = "/var/etc/openvpn/{$mode_id}.conf";
|
||||
file_put_contents($fpath, $conf);
|
||||
unset($conf);
|
||||
$fpath = "/var/etc/openvpn/{$mode_id}.interface";
|
||||
file_put_contents($fpath, $interface);
|
||||
file_put_contents("/var/etc/openvpn/{$mode_id}.conf", $conf);
|
||||
|
||||
@chmod("/var/etc/openvpn/{$mode_id}.conf", 0600);
|
||||
@chmod("/var/etc/openvpn/{$mode_id}.interface", 0600);
|
||||
@chmod("/var/etc/openvpn/{$mode_id}.key", 0600);
|
||||
@chmod("/var/etc/openvpn/{$mode_id}.tls-auth", 0600);
|
||||
@chmod("/var/etc/openvpn/{$mode_id}.conf", 0600);
|
||||
|
@ -1608,36 +1600,3 @@ function openvpn_refresh_crls()
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
function openvpn_resync_if_needed($mode, $ovpn_settings, $interface)
|
||||
{
|
||||
global $config;
|
||||
|
||||
$resync_needed = true;
|
||||
if (isset($ovpn_settings['disable'])) {
|
||||
$resync_needed = false;
|
||||
} else {
|
||||
if (!empty($interface)) {
|
||||
$mode_id = $mode . $ovpn_settings['vpnid'];
|
||||
$fpath = "/var/etc/openvpn/{$mode_id}.interface";
|
||||
if (file_exists($fpath)) {
|
||||
$current_device = file_get_contents($fpath);
|
||||
$current_device = trim($current_device, " \t\n");
|
||||
/* the function is used incorrectly, but works as it only checks the link connectivity */
|
||||
$new_device = get_real_interface($ovpn_settings['interface']);
|
||||
if (isset($config['interfaces'][$interface])) {
|
||||
/* this is tied to IPv4, but as stated above it only checks the link connectivity */
|
||||
$this_device = $config['interfaces'][$interface]['if'];
|
||||
if (($current_device == $new_device) && ($current_device != $this_device)) {
|
||||
$resync_needed = false;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
if ($resync_needed == true) {
|
||||
log_error("OpenVPN: Resync " . $mode_id . " " . $ovpn_settings['description']);
|
||||
openvpn_reconfigure($mode, $ovpn_settings);
|
||||
openvpn_restart($mode, $ovpn_settings);
|
||||
}
|
||||
}
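Review bot: In the second hunk the rewritten `file_put_contents("/var/etc/openvpn/{$mode_id}.conf", $conf);` still creates the file before the `@chmod(..., 0600)` further down, so on first creation the configuration is briefly readable under the default umask; the ordering predates this commit, but since these lines are being rewritten it is worth creating the file restrictively first, e.g. `touch("/var/etc/openvpn/{$mode_id}.conf"); chmod("/var/etc/openvpn/{$mode_id}.conf", 0600);` ahead of the write, and dropping the `@` so a failed chmod is not silently ignored. The `.interface` file is no longer written, so `{$mode_id}.interface` files left by earlier versions stay on disk unless openvpn_create_dirs() or a cleanup path outside this hunk removes them — worth confirming. The first hunk drops the `$interface = get_real_interface(...)` assignment; if `$interface` is still read later in openvpn_reconfigure() outside the hunk, that read is now an undefined variable. openvpn_reconfigure() starts and ends outside these hunks.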
|
||||
@ -37,7 +37,6 @@ fi
|
|||
# XXX we should use configctl plugins configure here
|
||||
/usr/local/opnsense/service/configd_ctl.py -m \
|
||||
"filter reload" \
|
||||
"openvpn reload ${GATEWAY}" \
|
||||
"dyndns reload ${GATEWAY}" \
|
||||
"rfc2136 reload ${GATEWAY}"
|
||||
|
||||
@ -1,99 +0,0 @@
|
|||
#!/usr/local/bin/php
|
||||
<?php
|
||||
|
||||
/*
|
||||
* Copyright (C) 2007 Manuel Kasper <mk@neon1.net>
|
||||
* Copyright (C) 2009 Seth Mos <seth.mos@dds.nl>
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are met:
|
||||
*
|
||||
* 1. Redistributions of source code must retain the above copyright notice,
|
||||
* this list of conditions and the following disclaimer.
|
||||
*
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
||||
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
||||
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
|
||||
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
* POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
require_once("util.inc");
|
||||
require_once("config.inc");
|
||||
require_once("interfaces.inc");
|
||||
require_once("filter.inc");
|
||||
require_once("plugins.inc.d/openvpn.inc");
|
||||
|
||||
function try_lock($lock, $timeout = 5)
|
||||
{
|
||||
if (!$lock) {
|
||||
die(gettext("WARNING: You must give a name as parameter to try_lock() function."));
|
||||
}
|
||||
|
||||
if (!file_exists("/tmp/{$lock}.lock")) {
|
||||
@touch("/tmp/{$lock}.lock");
|
||||
@chmod("/tmp/{$lock}.lock", 0666);
|
||||
}
|
||||
|
||||
if ($fp = fopen("/tmp/{$lock}.lock", "w")) {
|
||||
$trycounter = 0;
|
||||
while(!flock($fp, LOCK_EX | LOCK_NB)) {
|
||||
if ($trycounter >= $timeout) {
|
||||
fclose($fp);
|
||||
return NULL;
|
||||
}
|
||||
sleep(1);
|
||||
$trycounter++;
|
||||
}
|
||||
|
||||
return $fp;
|
||||
}
|
||||
|
||||
return NULL;
|
||||
}
|
||||
|
||||
|
||||
/* make sure to wait until the boot scripts have finished */
|
||||
if (file_exists('/var/run/booting')) {
|
||||
return;
|
||||
}
|
||||
|
||||
/* Input argument is a gateway name, blank or "all". */
|
||||
$argument = trim($argv[1], " \n");
|
||||
|
||||
if (isset($config['openvpn']['openvpn-server']) || isset($config['openvpn']['openvpn-client'])) {
|
||||
$log_text = "endpoints that may use " . $argument;
|
||||
log_error("OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading " . $log_text . ".");
|
||||
} else {
|
||||
return;
|
||||
}
|
||||
|
||||
$openvpnlck = try_lock('openvpn', 10);
|
||||
if (!$openvpnlck) {
|
||||
log_error('Could not obtain openvpn lock for executing rc.openvpn for more than 10 seconds continuing...');
|
||||
@unlink("/tmp/openvpn.lock");
|
||||
$openvpnlck = lock('openvpn', LOCK_EX);
|
||||
}
|
||||
|
||||
$interface = (new \OPNsense\Routing\Gateways(legacy_interfaces_details()))->getInterfaceName($argument);
|
||||
foreach (['server', 'client'] as $ovpntype) {
|
||||
if(is_array($config['openvpn']['openvpn-'.$ovpntype])) {
|
||||
foreach($config['openvpn']['openvpn-'.$ovpntype] as &$confitem) {
|
||||
if ($confitem['interface'] == $interface || empty($interface)) {
|
||||
openvpn_resync_if_needed($ovpntype, $confitem, $interface);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
unlock($openvpnlck);
@ -1,5 +0,0 @@
|
|||
[reload]
|
||||
command:/usr/local/etc/rc.openvpn
|
||||
parameters:%s
|
||||
type:script
|
||||
message:Restarting OpenVPN tunnels/interfaces %s
|