summaryrefslogtreecommitdiff
blob: 1786f4d50235b79540451ceb6d9b4181f4606bad (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
#!/sbin/runscript
# Copyright 1999-2007 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2

VPNDIR=${VPNDIR:-/etc/openvpn}
VPN=${SVCNAME#*.}
if [ -n "${VPN}" ] && [ ${SVCNAME} != "openvpn" ]; then
	VPNPID="/var/run/openvpn.${VPN}.pid"
else
	VPNPID="/var/run/openvpn.pid"
fi
VPNCONF="${VPNDIR}/${VPN}.conf"

depend() {
	need localmount net
	use dns
	after bootmisc
}

checkconfig() {
	# Linux has good dynamic tun/tap creation
	if [ $(uname -s) = "Linux" ] ; then
		if [ ! -e /dev/net/tun ]; then
			if ! modprobe tun ; then
				eerror "TUN/TAP support is not available" \
					"in this kernel"
				return 1
			fi
		fi
		if [ -h /dev/net/tun ] && [ -c /dev/misc/net/tun ]; then
			ebegin "Detected broken /dev/net/tun symlink, fixing..."
			rm -f /dev/net/tun
			ln -s /dev/misc/net/tun /dev/net/tun
			eend $?
		fi
		return 0
	fi

	# Other OS's don't, so we rely on a pre-configured interface
	# per vpn instance
	local ifname=$(sed -n -e 's/[[:space:]]*dev[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "${VPNCONF}")
	if [ -z ${ifname} ] ; then
		eerror "You need to specify the interface that this openvpn" \
			"instance should use" \
			"by using the dev option in ${VPNCONF}"
		return 1
	fi

	if ! ifconfig "${ifname}" >/dev/null 2>/dev/null ; then
		# Try and create it
		echo > /dev/"${ifname}" >/dev/null
	fi
	if ! ifconfig "${ifname}" >/dev/null 2>/dev/null ; then
		eerror "${VPNCONF} requires interface ${ifname}" \
			"but that does not exist"
		return 1
	fi
}

start() {
	# If we are re-called by the openvpn gentoo-up.sh script
	# then we don't actually want to start openvpn
	[ "${IN_BACKGROUND}" = "true" ] && return 0
	
	ebegin "Starting ${SVCNAME}"

	checkconfig || return 1

	local args="" reenter=${RE_ENTER:-no}
	# If the config file does not specify the cd option, we do
	# But if we specify it, we override the config option which we do not want
	if ! grep -q "^[ \t]*cd[ \t].*" "${VPNCONF}" ; then
		args="${args} --cd ${VPNDIR}"
	fi
	
	# We mark the service as inactive and then start it.
	# When we get an authenticated packet from the peer then we run our script
	# which configures our DNS if any and marks us as up.
	if [ "${DETECT_CLIENT:-yes}" = "yes" ] && \
	grep -q "^[ \t]*remote[ \t].*" "${VPNCONF}" ; then
		reenter="yes"
		args="${args} --up-delay --up-restart"
		args="${args} --script-security 2"
		args="${args} --up /etc/openvpn/up.sh"
		args="${args} --down-pre --down /etc/openvpn/down.sh"

		# Warn about setting scripts as we override them
		if grep -Eq "^[ \t]*(up|down)[ \t].*" "${VPNCONF}" ; then
			ewarn "WARNING: You have defined your own up/down scripts"
			ewarn "As you're running as a client, we now force Gentoo specific"
			ewarn "scripts to be run for up and down events."
			ewarn "These scripts will call /etc/openvpn/${SVCNAME}-{up,down}.sh"
			ewarn "where you can put your own code."
		fi

		# Warn about the inability to change ip/route/dns information when
		# dropping privs
		if grep -q "^[ \t]*user[ \t].*" "${VPNCONF}" ; then
			ewarn "WARNING: You are dropping root privileges!"
			ewarn "As such openvpn may not be able to change ip, routing"
			ewarn "or DNS configuration."
		fi
	else
		# So we're a server. Run as openvpn unless otherwise specified
		grep -q "^[ \t]*user[ \t].*" "${VPNCONF}" || args="${args} --user openvpn"
		grep -q "^[ \t]*group[ \t].*" "${VPNCONF}" || args="${args} --group openvpn"
	fi

	# Ensure that our scripts get the PEER_DNS variable
	[ -n "${PEER_DNS}" ] && args="${args} --setenv PEER_DNS ${PEER_DNS}"

	[ "${reenter}" = "yes" ] && mark_service_inactive "${SVCNAME}"
	start-stop-daemon --start --exec /usr/sbin/openvpn --pidfile "${VPNPID}" \
		-- --config "${VPNCONF}" --writepid "${VPNPID}" --daemon \
		--setenv SVCNAME "${SVCNAME}" ${args}
	eend $? "Check your logs to see why startup failed"
}

stop() {
	# If we are re-called by the openvpn gentoo-down.sh script
	# then we don't actually want to stop openvpn
	if [ "${IN_BACKGROUND}" = "true" ] ; then
		mark_service_inactive "${SVCNAME}"
		return 0
	fi

	ebegin "Stopping ${SVCNAME}"
	start-stop-daemon --stop --quiet \
		--exec /usr/sbin/openvpn --pidfile "${VPNPID}"
	eend $?
}

# vim: set ts=4 :