916fa87c33
According to David Woodhouse, OpenConnect has no issues reconnecting on any interface. Make the host dependency optional, as it can cause issues in multiple WAN scenarios. Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
159 lines
4.5 KiB
Bash
Executable file
159 lines
4.5 KiB
Bash
Executable file
#!/bin/sh
|
|
|
|
[ -n "$INCLUDE_ONLY" ] || {
|
|
. /lib/functions.sh
|
|
. ../netifd-proto.sh
|
|
init_proto "$@"
|
|
}
|
|
|
|
append_args() {
|
|
while [ $# -gt 0 ]; do
|
|
append cmdline "'${1//\'/\'\\\'\'}'"
|
|
shift
|
|
done
|
|
}
|
|
|
|
proto_openconnect_init_config() {
|
|
proto_config_add_string "server"
|
|
proto_config_add_int "port"
|
|
proto_config_add_int "mtu"
|
|
proto_config_add_int "juniper"
|
|
proto_config_add_string "vpn_protocol"
|
|
proto_config_add_boolean "no_dtls"
|
|
proto_config_add_string "interface"
|
|
proto_config_add_string "username"
|
|
proto_config_add_string "serverhash"
|
|
proto_config_add_string "authgroup"
|
|
proto_config_add_string "usergroup"
|
|
proto_config_add_string "password"
|
|
proto_config_add_string "password2"
|
|
proto_config_add_string "token_mode"
|
|
proto_config_add_string "token_secret"
|
|
proto_config_add_string "token_script"
|
|
proto_config_add_string "os"
|
|
proto_config_add_string "csd_wrapper"
|
|
proto_config_add_array 'form_entry:regex("[^:]+:[^=]+=.*")'
|
|
no_device=1
|
|
available=1
|
|
}
|
|
|
|
proto_openconnect_add_form_entry() {
|
|
[ -n "$1" ] && append_args --form-entry "$1"
|
|
}
|
|
|
|
proto_openconnect_setup() {
|
|
local config="$1"
|
|
|
|
json_get_vars \
|
|
authgroup \
|
|
csd_wrapper \
|
|
form_entry \
|
|
interface \
|
|
juniper \
|
|
vpn_protocol \
|
|
mtu \
|
|
no_dtls \
|
|
os \
|
|
password \
|
|
password2 \
|
|
port \
|
|
server \
|
|
serverhash \
|
|
token_mode \
|
|
token_script \
|
|
token_secret \
|
|
usergroup \
|
|
username \
|
|
|
|
ifname="vpn-$config"
|
|
|
|
logger -t openconnect "initializing..."
|
|
|
|
[ -n "$interface" ] && {
|
|
logger -t "openconnect" "adding host dependency for $server at $config"
|
|
for ip in $(resolveip -t 10 "$server"); do
|
|
logger -t "openconnect" "adding host dependency for $ip at $config"
|
|
proto_add_host_dependency "$config" "$ip" "$interface"
|
|
done
|
|
}
|
|
|
|
[ -n "$port" ] && port=":$port"
|
|
|
|
append_args "$server$port" -i "$ifname" --non-inter --syslog --script /lib/netifd/vpnc-script
|
|
[ "$no_dtls" = 1 ] && append_args --no-dtls
|
|
[ -n "$mtu" ] && append_args --mtu "$mtu"
|
|
|
|
# migrate to standard config files
|
|
[ -f "/etc/config/openconnect-user-cert-vpn-$config.pem" ] && mv "/etc/config/openconnect-user-cert-vpn-$config.pem" "/etc/openconnect/user-cert-vpn-$config.pem"
|
|
[ -f "/etc/config/openconnect-user-key-vpn-$config.pem" ] && mv "/etc/config/openconnect-user-key-vpn-$config.pem" "/etc/openconnect/user-key-vpn-$config.pem"
|
|
[ -f "/etc/config/openconnect-ca-vpn-$config.pem" ] && mv "/etc/config/openconnect-ca-vpn-$config.pem" "/etc/openconnect/ca-vpn-$config.pem"
|
|
|
|
[ -f /etc/openconnect/user-cert-vpn-$config.pem ] && append_args -c "/etc/openconnect/user-cert-vpn-$config.pem"
|
|
[ -f /etc/openconnect/user-key-vpn-$config.pem ] && append_args --sslkey "/etc/openconnect/user-key-vpn-$config.pem"
|
|
[ -f /etc/openconnect/ca-vpn-$config.pem ] && {
|
|
append_args --cafile "/etc/openconnect/ca-vpn-$config.pem"
|
|
append_args --no-system-trust
|
|
}
|
|
|
|
[ "${juniper:-0}" -gt 0 ] && [ -z "$vpn_protocol" ] && {
|
|
vpn_protocol="nc"
|
|
}
|
|
|
|
[ -n "$vpn_protocol" ] && {
|
|
append_args --protocol "$vpn_protocol"
|
|
}
|
|
|
|
[ -n "$serverhash" ] && {
|
|
append_args "--servercert=$serverhash"
|
|
append_args --no-system-trust
|
|
}
|
|
[ -n "$authgroup" ] && append_args --authgroup "$authgroup"
|
|
[ -n "$usergroup" ] && append_args --usergroup "$usergroup"
|
|
[ -n "$username" ] && append_args -u "$username"
|
|
[ -n "$password" ] || [ "$token_mode" = "script" ] && {
|
|
umask 077
|
|
mkdir -p /var/etc
|
|
pwfile="/var/etc/openconnect-$config.passwd"
|
|
[ -n "$password" ] && {
|
|
echo "$password" > "$pwfile"
|
|
[ -n "$password2" ] && echo "$password2" >> "$pwfile"
|
|
}
|
|
[ "$token_mode" = "script" ] && {
|
|
$token_script >> "$pwfile" 2> /dev/null || {
|
|
logger -t openconenct "Cannot get password from script '$token_script'"
|
|
proto_setup_failed "$config"
|
|
}
|
|
}
|
|
append_args --passwd-on-stdin
|
|
}
|
|
|
|
[ -n "$token_mode" -a "$token_mode" != "script" ] && append_args "--token-mode=$token_mode"
|
|
[ -n "$token_secret" ] && append_args "--token-secret=$token_secret"
|
|
[ -n "$os" ] && append_args "--os=$os"
|
|
[ -n "$csd_wrapper" ] && [ -x "$csd_wrapper" ] && append_args "--csd-wrapper=$csd_wrapper"
|
|
|
|
json_for_each_item proto_openconnect_add_form_entry form_entry
|
|
|
|
proto_export INTERFACE="$config"
|
|
logger -t openconnect "executing 'openconnect $cmdline'"
|
|
|
|
if [ -f "$pwfile" ]; then
|
|
eval "proto_run_command '$config' /usr/sbin/openconnect-wrapper '$pwfile' $cmdline"
|
|
else
|
|
eval "proto_run_command '$config' /usr/sbin/openconnect $cmdline"
|
|
fi
|
|
}
|
|
|
|
proto_openconnect_teardown() {
|
|
local config="$1"
|
|
|
|
pwfile="/var/etc/openconnect-$config.passwd"
|
|
|
|
rm -f $pwfile
|
|
logger -t openconnect "bringing down openconnect"
|
|
proto_kill_command "$config" 2
|
|
}
|
|
|
|
[ -n "$INCLUDE_ONLY" ] || {
|
|
add_protocol openconnect
|
|
}
|