Gitiles
Code Review Sign In
192.168.1.100 / T108 / e958203796650e3959a43708d67534bf36f4c83b / . / external / subpack / net / ocserv / files / ocserv.init
blob: 489ec897f4fcdf5a6e17caaee96924c3fde44f60 [file] [log] [blame]
b.liue9582032025-04-17 19:18:16 +0800[diff] [blame^]1#!/bin/sh /etc/rc.common
2
3START=50
4USE_PROCD=1
5
6. $IPKG_INSTROOT/lib/functions/network.sh
7
8setup_config() {
9 config_get port $1 port "4443"
10 config_get max_clients $1 max_clients "8"
11 config_get max_same $1 max_same "2"
12 config_get dpd $1 dpd "120"
13 config_get predictable_ips $1 predictable_ips "1"
14 config_get compression $1 compression "0"
15 config_get udp $1 udp "1"
16 config_get udp_port $1 udp_port ""
17 config_get auth $1 auth "plain"
18 config_get cisco_compat $1 cisco_compat "1"
19 config_get ipaddr $1 ipaddr ""
20 config_get netmask $1 netmask ""
21 config_get ip6addr $1 ip6addr ""
22 config_get proxy_arp $1 proxy_arp "0"
23 config_get ping_leases $1 ping_leases "0"
24 config_get split_dns $1 split_dns "0"
25 config_get default_domain $1 default_domain ""
26
27 # Enable proxy arp, and make sure that ping leases is set to true in that case,
28 # to prevent conflicts.
29 if test "$proxy_arp" = 1;then
30 local ip
31 # IP address is empty. Auto-configure LAN + VPN.
32 if test -z "$ipaddr";then
33 local mask
34 mask=$(uci get network.lan.netmask)
35 if test "$mask" = "255.255.255.0";then
36 uci set dhcp.lan.start=100
37 uci set dhcp.lan.limit=91
38 fi
39 network_get_ipaddr ip lan
40 ipaddr="$(echo $ip|cut -d . -f1,2,3).192"
41 netmask="255.255.255.192"
42 fi
43
44 if test -z "$ip6addr";then
45 network_get_ipaddr6 ip6addr lan
46 # Append ipv6 prefix
47 test -n "$ip6addr" && ip6addr="$ip6addr/96"
48 fi
49
50 ping_leases=1
51 local ifname
52 if network_get_device ifname lan; then
53 test -n "$ipaddr" && sysctl -w "net.ipv4.conf.$ifname.proxy_arp"=1 >/dev/null
54 test -n "$ip6addr" && sysctl -w "net.ipv6.conf.$ifname.proxy_ndp"=1 >/dev/null
55 fi
56 else
57 test -z "$ipaddr" && ipaddr="192.168.100.0"
58 test -z "$netmask" && netmask="255.255.255.0"
59 fi
60
61 enable_default_domain="#"
62 enable_udp="#"
63 enable_compression="#"
64 enable_split_dns="#"
65 test $predictable_ips = "0" && predictable_ips="false"
66 test $predictable_ips = "1" && predictable_ips="true"
67 test $cisco_compat = "0" && cisco_compat="false"
68 test $cisco_compat = "1" && cisco_compat="true"
69 test $ping_leases = "0" && ping_leases="false"
70 test $ping_leases = "1" && ping_leases="true"
71 test $udp = "1" && enable_udp=""
72 test $split_dns = "1" && enable_split_dns=""
73 test $compression = "1" && enable_compression=""
74
75 test -z $udp_port && udp_port="$port"
76 test -z $default_domain && default_domain=$(uci get dhcp.@dnsmasq[0].domain)
77 test -n $default_domain && enable_default_domain=""
78 test -z $ip6addr && enable_ipv6="#"
79
80 test $auth = "plain" && authsuffix="\[passwd=/var/etc/ocpasswd\]"
81
82 dyndns="false"
83 hostname=`uci show ddns 2>/dev/null|grep domain|head -1|cut -d '=' -f 2`
84 [ -n "$hostname" ] && dyndns="true"
85
86 mkdir -p /var/etc
87 sed -e "s/|PORT|/$port/g" \
88 -e "s/|UDP_PORT|/$udp_port/g" \
89 -e "s/|MAX_CLIENTS|/$max_clients/g" \
90 -e "s/|MAX_SAME|/$max_same/g" \
91 -e "s/|DPD|/$dpd/g" \
92 -e "s#|AUTH|#$auth$authsuffix#g" \
93 -e "s#|DYNDNS|#$dyndns#g" \
94 -e "s/|PREDICTABLE_IPS|/$predictable_ips/g" \
95 -e "s/|DEFAULT_DOMAIN|/$default_domain/g" \
96 -e "s/|ENABLE_DEFAULT_DOMAIN|/$enable_default_domain/g" \
97 -e "s/|ENABLE_SPLIT_DNS|/$enable_split_dns/g" \
98 -e "s/|CISCO_COMPAT|/$cisco_compat/g" \
99 -e "s/|PING_LEASES|/$ping_leases/g" \
100 -e "s/|UDP|/$enable_udp/g" \
101 -e "s/|COMPRESSION|/$enable_compression/g" \
102 -e "s/|IPV4ADDR|/$ipaddr/g" \
103 -e "s/|NETMASK|/$netmask/g" \
104 -e "s#|IPV6ADDR|#$ip6addr#g" \
105 -e "s/|ENABLE_IPV6|/$enable_ipv6/g" \
106 /etc/ocserv/ocserv.conf.template > /var/etc/ocserv.conf
107
108 test -f /etc/ocserv/ocserv.conf.local && cat /etc/ocserv/ocserv.conf.local >> /var/etc/ocserv.conf
109}
110
111setup_users() {
112 local name
113 local group
114 local password
115
116 config_get name $1 name
117 config_get group $1 group '*'
118 config_get password $1 password
119
120 [ -z "$name" -o -z "$password" ] && return
121
122 echo "$name:$group:$password" >> /var/etc/ocpasswd
123}
124
125setup_routes() {
126 local routes
127
128 config_get ip $1 ip
129 config_get netmask $1 netmask
130
131 [ -z "$ip" -o -z "$netmask" ] && return
132
133 echo "route = $ip/$netmask" >> /var/etc/ocserv.conf
134}
135
136setup_dns() {
137 local routes
138
139 config_get ip $1 ip
140
141 [ -z "$ip" ] && return
142
143 echo "dns = $ip" >> /var/etc/ocserv.conf
144}
145
146start_service() {
147 local hostname iface
148
149 hostname=`uci show ddns 2>/dev/null|grep domain|head -1|cut -d '=' -f 2`
150 [ -z "$hostname" ] && hostname=`uci get system.@system[0].hostname 2>/dev/null`
151
152 [ -f /etc/config/ocserv-dir/ca-key.pem ] && mv /etc/config/ocserv-dir/ca-key.pem /etc/ocserv/ca-key.pem
153 [ -f /etc/config/ocserv-dir/ca.pem ] && mv /etc/config/ocserv-dir/ca.pem /etc/ocserv/ca.pem
154 [ -f /etc/config/ocserv-dir/server-key.pem ] && mv /etc/config/ocserv-dir/server-key.pem /etc/ocserv/server-key.pem
155 [ -f /etc/config/ocserv-dir/server-cert.pem ] && mv /etc/config/ocserv-dir/server-cert.pem /etc/ocserv/server-cert.pem
156 [ -d /etc/config/ocserv-dir ] && rmdir /etc/config/ocserv-dir
157
158 [ ! -f /etc/ocserv/ca-key.pem ] && [ -x /usr/bin/certtool ] && {
159 logger -t ocserv "Generating CA certificate..."
160 mkdir -p /etc/ocserv/pki/
161 certtool --bits 2048 --generate-privkey --outfile /etc/ocserv/ca-key.pem >/dev/null 2>&1
162 echo "cn=$hostname CA" >/etc/ocserv/pki/ca.tmpl
163 echo "expiration_days=-1" >>/etc/ocserv/pki/ca.tmpl
164 echo "serial=1" >>/etc/ocserv/pki/ca.tmpl
165 echo "ca" >>/etc/ocserv/pki/ca.tmpl
166 echo "cert_signing_key" >>/etc/ocserv/pki/ca.tmpl
167
168 certtool --template /etc/ocserv/pki/ca.tmpl \
169 --generate-self-signed --load-privkey /etc/ocserv/ca-key.pem \
170 --outfile /etc/ocserv/ca.pem >/dev/null 2>&1
171 }
172
173 #generate server certificate/key
174 [ ! -f /etc/ocserv/server-key.pem ] && [ -x /usr/bin/certtool ] && {
175 logger -t ocserv "Generating server certificate..."
176 mkdir -p /etc/ocserv/pki/
177 certtool --bits 2048 --generate-privkey --outfile /etc/ocserv/server-key.pem >/dev/null 2>&1
178 echo "cn=$hostname" >/etc/ocserv/pki/server.tmpl
179 echo "serial=2" >>/etc/ocserv/pki/server.tmpl
180 echo "expiration_days=-1" >>/etc/ocserv/pki/server.tmpl
181 echo "signing_key" >>/etc/ocserv/pki/server.tmpl
182 echo "encryption_key" >>/etc/ocserv/pki/server.tmpl
183 certtool --template /etc/ocserv/pki/server.tmpl \
184 --generate-certificate --load-privkey /etc/ocserv/server-key.pem \
185 --load-ca-certificate /etc/ocserv/ca.pem --load-ca-privkey \
186 /etc/ocserv/ca-key.pem --outfile /etc/ocserv/server-cert.pem >/dev/null 2>&1
187 }
188
189 [ -f /var/run/ocserv.pid ] || {
190 touch /var/run/ocserv.pid
191 chown ocserv:ocserv /var/run/ocserv.pid
192 }
193 [ -d /var/lib/ocserv ] || {
194 mkdir -m 0755 -p /var/lib/ocserv
195 chmod 0700 /var/lib/ocserv
196 chown ocserv:ocserv /var/lib/ocserv
197 }
198
199 config_load "ocserv"
200
201 rm -f /var/etc/ocserv.conf
202 touch /var/etc/ocserv.conf
203 setup_config config
204 config_foreach setup_routes routes
205 config_foreach setup_dns dns
206
207 rm -f /var/etc/ocpasswd
208 touch /var/etc/ocpasswd
209 chmod 600 /var/etc/ocpasswd
210 config_foreach setup_users ocservusers
211
212 procd_open_instance
213 procd_set_param command /usr/sbin/ocserv -f -c /var/etc/ocserv.conf
214 procd_set_param respawn
215 procd_close_instance
216}
217