openvpn: remove gw switching logic; closes #3449

This removes the last part of gw switching capabilities from OpenVPN
in a backwards-incompatible way.  For clients they can already reconnect
if you use "any" or an internal LAN. For servers you don't bind to WAN
in Multi-WAN or gateway groups.  Use localhost + NAT rules for both
WANs instead.

Discussed with: @adschellevis
Franco Fichtner 2019-04-29 13:35:28 +02:00
parent 18422180ad
commit 1bc478fbaa
6 changed files with 3 additions and 151 deletions


@ -32,7 +32,7 @@ Copyright (c) 2004-2005 Jonathan Watt <jwatt@jwatt.org>
Copyright (c) 2014-2015 Jos Schellevis <jos@opnsense.org>
Copyright (c) 2003-2004 Justin Ellison <justin@techadvise.com>
Copyright (c) 2015 Manuel Faux <mfaux@conf.at>
Copyright (c) 2003-2007 Manuel Kasper <mk@neon1.net>
Copyright (c) 2003-2006 Manuel Kasper <mk@neon1.net>
Copyright (c) 2012 Marcello Coutinho
Copyright (c) 2018 Martin Wasley <martin@team-rebellion.net>
Copyright (c) 2010-2015 Michael Bostock

plist

@ -98,7 +98,6 @@
/usr/local/etc/rc.monitor
/usr/local/etc/rc.newwanip
/usr/local/etc/rc.newwanipv6
/usr/local/etc/rc.openvpn
/usr/local/etc/rc.reboot
/usr/local/etc/rc.reload_all
/usr/local/etc/rc.resolv_conf_generate
@ -777,7 +776,6 @@
/usr/local/opnsense/service/conf/actions.d/actions_monit.conf
/usr/local/opnsense/service/conf/actions.d/actions_netflow.conf
/usr/local/opnsense/service/conf/actions.d/actions_openssh.conf
/usr/local/opnsense/service/conf/actions.d/actions_openvpn.conf
/usr/local/opnsense/service/conf/actions.d/actions_plugins.conf
/usr/local/opnsense/service/conf/actions.d/actions_proxy.conf
/usr/local/opnsense/service/conf/actions.d/actions_system.conf


@ -567,9 +567,6 @@ function openvpn_reconfigure($mode, $settings, $device_only = false)
/* defaults to SHA1, so use it when unset to maintain compatibility */
$digest = !empty($settings['digest']) ? $settings['digest'] : 'SHA1';
/* the function is used incorrectly, but works as it only checks the link connectivity */
$interface = get_real_interface($settings['interface']);
/*
* If a specific IP address (VIP) is requested, use it.
* Otherwise, if a specific interface is requested, use
@ -963,14 +960,9 @@ function openvpn_reconfigure($mode, $settings, $device_only = false)
openvpn_add_custom($settings, $conf);
openvpn_create_dirs();
$fpath = "/var/etc/openvpn/{$mode_id}.conf";
file_put_contents($fpath, $conf);
unset($conf);
$fpath = "/var/etc/openvpn/{$mode_id}.interface";
file_put_contents($fpath, $interface);
file_put_contents("/var/etc/openvpn/{$mode_id}.conf", $conf);
@chmod("/var/etc/openvpn/{$mode_id}.conf", 0600);
@chmod("/var/etc/openvpn/{$mode_id}.interface", 0600);
@chmod("/var/etc/openvpn/{$mode_id}.key", 0600);
@chmod("/var/etc/openvpn/{$mode_id}.tls-auth", 0600);
@chmod("/var/etc/openvpn/{$mode_id}.conf", 0600);
@ -1608,36 +1600,3 @@ function openvpn_refresh_crls()
}
}
}
function openvpn_resync_if_needed($mode, $ovpn_settings, $interface)
{
global $config;
$resync_needed = true;
if (isset($ovpn_settings['disable'])) {
$resync_needed = false;
} else {
if (!empty($interface)) {
$mode_id = $mode . $ovpn_settings['vpnid'];
$fpath = "/var/etc/openvpn/{$mode_id}.interface";
if (file_exists($fpath)) {
$current_device = file_get_contents($fpath);
$current_device = trim($current_device, " \t\n");
/* the function is used incorrectly, but works as it only checks the link connectivity */
$new_device = get_real_interface($ovpn_settings['interface']);
if (isset($config['interfaces'][$interface])) {
/* this is tied to IPv4, but as stated above it only checks the link connectivity */
$this_device = $config['interfaces'][$interface]['if'];
if (($current_device == $new_device) && ($current_device != $this_device)) {
$resync_needed = false;
}
}
}
}
}
if ($resync_needed == true) {
log_error("OpenVPN: Resync " . $mode_id . " " . $ovpn_settings['description']);
openvpn_reconfigure($mode, $ovpn_settings);
openvpn_restart($mode, $ovpn_settings);
}
}
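Review bot: In the hunk at -963,14 the line that appears to be newly added, `file_put_contents("/var/etc/openvpn/{$mode_id}.conf", $conf);`, creates the config file under the process umask and only afterwards tightens it with `@chmod(..., 0600)`, so if the umask is permissive there is a short window in which a file that may carry credential material is readable by other local users. Wrapping the write in a restrictive umask closes that window, e.g. `$oldmask = umask(077);` before the write and `umask($oldmask);` after it, and dropping the `@` on the `chmod()` calls (or logging their return value) would stop a failed permission change from going unnoticed. The `.conf` chmod also shows up twice in this hunk, once directly after the write and again after the `.tls-auth` one, so one of the two is presumably redundant. Since the `.interface` file is no longer written, any `{$mode_id}.interface` left behind by earlier builds is not removed here; confirm whether another path cleans /var/etc/openvpn or whether an `@unlink()` belongs next to the write. openvpn_reconfigure() begins and ends outside the hunk.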


@ -37,7 +37,6 @@ fi
# XXX we should use configctl plugins configure here
/usr/local/opnsense/service/configd_ctl.py -m \
"filter reload" \
"openvpn reload ${GATEWAY}" \
"dyndns reload ${GATEWAY}" \
"rfc2136 reload ${GATEWAY}"


@ -1,99 +0,0 @@
#!/usr/local/bin/php
<?php
/*
* Copyright (C) 2007 Manuel Kasper <mk@neon1.net>
* Copyright (C) 2009 Seth Mos <seth.mos@dds.nl>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
require_once("util.inc");
require_once("config.inc");
require_once("interfaces.inc");
require_once("filter.inc");
require_once("plugins.inc.d/openvpn.inc");
function try_lock($lock, $timeout = 5)
{
if (!$lock) {
die(gettext("WARNING: You must give a name as parameter to try_lock() function."));
}
if (!file_exists("/tmp/{$lock}.lock")) {
@touch("/tmp/{$lock}.lock");
@chmod("/tmp/{$lock}.lock", 0666);
}
if ($fp = fopen("/tmp/{$lock}.lock", "w")) {
$trycounter = 0;
while(!flock($fp, LOCK_EX | LOCK_NB)) {
if ($trycounter >= $timeout) {
fclose($fp);
return NULL;
}
sleep(1);
$trycounter++;
}
return $fp;
}
return NULL;
}
/* make sure to wait until the boot scripts have finished */
if (file_exists('/var/run/booting')) {
return;
}
/* Input argument is a gateway name, blank or "all". */
$argument = trim($argv[1], " \n");
if (isset($config['openvpn']['openvpn-server']) || isset($config['openvpn']['openvpn-client'])) {
$log_text = "endpoints that may use " . $argument;
log_error("OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading " . $log_text . ".");
} else {
return;
}
$openvpnlck = try_lock('openvpn', 10);
if (!$openvpnlck) {
log_error('Could not obtain openvpn lock for executing rc.openvpn for more than 10 seconds continuing...');
@unlink("/tmp/openvpn.lock");
$openvpnlck = lock('openvpn', LOCK_EX);
}
$interface = (new \OPNsense\Routing\Gateways(legacy_interfaces_details()))->getInterfaceName($argument);
foreach (['server', 'client'] as $ovpntype) {
if(is_array($config['openvpn']['openvpn-'.$ovpntype])) {
foreach($config['openvpn']['openvpn-'.$ovpntype] as &$confitem) {
if ($confitem['interface'] == $interface || empty($interface)) {
openvpn_resync_if_needed($ovpntype, $confitem, $interface);
}
}
}
}
unlock($openvpnlck);


@ -1,5 +0,0 @@
[reload]
command:/usr/local/etc/rc.openvpn
parameters:%s
type:script
message:Restarting OpenVPN tunnels/interfaces %s