From 0cc907daf433bd1d2c9ac7dae3f38c84863e1e24 Mon Sep 17 00:00:00 2001 
From: lean Date: Mon, 7 Mar 2022 20:29:29 +0800 Subject: [PATCH] pacakge: add luci-app-ipsec-server --- package/lean/luci-app-ipsec-server/Makefile | 14 + .../luasrc/controller/ipsec-server.lua | 22 ++ .../model/cbi/ipsec-server/l2tp_user.lua | 35 +++ .../luasrc/model/cbi/ipsec-server/online.lua | 83 ++++++ .../model/cbi/ipsec-server/settings.lua | 60 ++++ .../luasrc/model/cbi/ipsec-server/users.lua | 54 ++++ .../luasrc/view/ipsec-server/index.htm | 21 ++ .../luci-app-ipsec-server/po/zh-cn/ipsec.po | 77 +++++ package/lean/luci-app-ipsec-server/po/zh_Hans | 1 + .../root/etc/config/luci-app-ipsec-server | 7 + .../root/etc/init.d/luci-app-ipsec-server | 274 ++++++++++++++++++ .../etc/uci-defaults/luci-app-ipsec-server | 23 ++ .../rpcd/acl.d/luci-app-ipsec-server.json | 11 + .../root/usr/share/xl2tpd/ip-down | 27 ++ .../root/usr/share/xl2tpd/ip-up | 58 ++++ tools/Makefile | 1 - tools/expat/Makefile | 22 +- 17 files changed, 776 insertions(+), 14 deletions(-) create mode 100644 package/lean/luci-app-ipsec-server/Makefile create mode 100644 package/lean/luci-app-ipsec-server/luasrc/controller/ipsec-server.lua create mode 100644 package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/l2tp_user.lua create mode 100644 package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/online.lua create mode 100644 package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/settings.lua create mode 100644 package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/users.lua create mode 100644 package/lean/luci-app-ipsec-server/luasrc/view/ipsec-server/index.htm create mode 100644 package/lean/luci-app-ipsec-server/po/zh-cn/ipsec.po create mode 120000 package/lean/luci-app-ipsec-server/po/zh_Hans create mode 100644 package/lean/luci-app-ipsec-server/root/etc/config/luci-app-ipsec-server create mode 100755 package/lean/luci-app-ipsec-server/root/etc/init.d/luci-app-ipsec-server create mode 100755 
package/lean/luci-app-ipsec-server/root/etc/uci-defaults/luci-app-ipsec-server create mode 100644 package/lean/luci-app-ipsec-server/root/usr/share/rpcd/acl.d/luci-app-ipsec-server.json create mode 100755 package/lean/luci-app-ipsec-server/root/usr/share/xl2tpd/ip-down create mode 100755 package/lean/luci-app-ipsec-server/root/usr/share/xl2tpd/ip-up diff --git a/package/lean/luci-app-ipsec-server/Makefile b/package/lean/luci-app-ipsec-server/Makefile new file mode 100644 index 000000000..8934d4946 --- /dev/null +++ b/package/lean/luci-app-ipsec-server/Makefile @@ -0,0 +1,14 @@ +# Copyright (C) 2018-2021 Lienol +# +# This is free software, licensed under the Apache License, Version 2.0 . +# + +include $(TOPDIR)/rules.mk + +LUCI_TITLE:=LuCI support for IPSec VPN Server +LUCI_DEPENDS:=+kmod-tun +luci-lib-jsonc +strongswan +strongswan-minimal +strongswan-mod-kernel-libipsec +strongswan-mod-openssl +strongswan-mod-xauth-generic +xl2tpd +LUCI_PKGARCH:=all + +include $(TOPDIR)/feeds/luci/luci.mk + +# call BuildPackage - OpenWrt buildroot signature diff --git a/package/lean/luci-app-ipsec-server/luasrc/controller/ipsec-server.lua b/package/lean/luci-app-ipsec-server/luasrc/controller/ipsec-server.lua new file mode 100644 index 000000000..921c2599c --- /dev/null +++ b/package/lean/luci-app-ipsec-server/luasrc/controller/ipsec-server.lua 
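Review bot: LUCI_DEPENDS pulls in `+strongswan-mod-kernel-libipsec` even though the settings page warns that L2TP/IPSec is incompatible with kernel-libipsec and the init script works around it by deleting `/usr/lib/ipsec/libipsec.so.0` at start and re-linking it at stop. Depending on a module only to disable its library at runtime is a packaging conflict; either drop the dependency or document why it is required, e.g. `# kernel-libipsec is wanted for the Xauth-only mode; the init script disables it while L2TP is enabled`. Listing both `+strongswan` and `+strongswan-minimal` also looks redundant, but I can't tell from this hunk whether both are intentional.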
@@ -0,0 +1,22 @@
+-- Copyright 2018-2020 Lienol
+module("luci.controller.ipsec-server", package.seeall)
+
+function index()
+ if not nixio.fs.access("/etc/config/luci-app-ipsec-server") then return end
+
+ entry({"admin", "vpn"}, firstchild(), "VPN", 45).dependent = false
+ entry({"admin", "vpn", "ipsec-server"}, alias("admin", "vpn", "ipsec-server", "settings"), _("IPSec VPN Server"), 49).dependent = false
+ entry({"admin", "vpn", "ipsec-server", "settings"}, cbi("ipsec-server/settings"), _("General Settings"), 10).leaf = true
+ entry({"admin", "vpn", "ipsec-server", "users"}, cbi("ipsec-server/users"), _("Users Manager"), 20).leaf = true
+ entry({"admin", "vpn", "ipsec-server", "l2tp_user"}, cbi("ipsec-server/l2tp_user")).leaf = true
+ entry({"admin", "vpn", "ipsec-server", "online"}, cbi("ipsec-server/online"), _("L2TP Online Users"), 30).leaf = true
+ entry({"admin", "vpn", "ipsec-server", "status"}, call("status")).leaf = true
+end
+
+function status()
+ local e = {}
+ e["ipsec_status"] = luci.sys.call("/usr/bin/pgrep ipsec >/dev/null") == 0
+ e["l2tp_status"] = luci.sys.call("top -bn1 | grep -v grep | grep '/var/etc/xl2tpd' >/dev/null") == 0
+ luci.http.prepare_content("application/json")
+ luci.http.write_json(e)
+end
diff --git a/package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/l2tp_user.lua b/package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/l2tp_user.lua
new file mode 100644
index 000000000..7781a4b6e
--- /dev/null
+++ b/package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/l2tp_user.lua
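Review bot: `status()` decides that xl2tpd is running by grepping `top -bn1` output for `/var/etc/xl2tpd`, so any unrelated process whose command line mentions that path (an admin's editor or `tail` on the log) makes the page report the service as up, and `pgrep ipsec` likewise matches any process whose name starts with `ipsec`. Matching on the daemon's own argument is tighter: `e["l2tp_status"] = luci.sys.call("pgrep -f '/var/etc/xl2tpd/xl2tpd.conf' >/dev/null") == 0`; a pidfile check would be exact if the init script started xl2tpd with `-p`. The controller also relies on `nixio.fs`, `luci.sys` and `luci.http` being present as globals via `package.seeall` rather than requiring them; explicit `require` lines at the top would make the dependencies visible.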
@@ -0,0 +1,35 @@
+local d = require "luci.dispatcher"
+local sys = require "luci.sys"
+
+m = Map("luci-app-ipsec-server", "L2TP/IPSec PSK " .. translate("Users Manager"))
+m.redirect = d.build_url("admin", "vpn", "ipsec-server", "users")
+
+if sys.call("command -v xl2tpd > /dev/null") == 0 then
+ s = m:section(NamedSection, arg[1], "l2tp_users", "")
+ s.addremove = false
+ s.anonymous = true
+
+ o = s:option(Flag, "enabled", translate("Enabled"))
+ o.default = 1
+ o.rmempty = false
+
+ o = s:option(Value, "username", translate("Username"))
+ o.placeholder = translate("Username")
+ o.rmempty = false
+
+ o = s:option(Value, "password", translate("Password"))
+ o.placeholder = translate("Password")
+ o.rmempty = false
+
+ o = s:option(Value, "ipaddress", translate("IP address"))
+ o.placeholder = translate("Automatically")
+ o.datatype = "ip4addr"
+ o.rmempty = true
+
+ o = s:option(DynamicList, "routes", translate("Static Routes"))
+ o.placeholder = "192.168.10.0/24"
+ o.datatype = "ipmask4"
+ o.rmempty = true
+end
+
+return m
diff --git a/package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/online.lua b/package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/online.lua
new file mode 100644
index 000000000..8b3498cc5
--- /dev/null
+++ b/package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/online.lua
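Review bot: The `password` option is rendered as a plain `Value`, while settings.lua sets `secret.password = true` for the PSK; add `o.password = true` here and for both password fields in users.lua so credentials are masked in the form. Neither `username` nor `password` carries any validation, and the init script later echoes them unquoted into `/etc/ppp/chap-secrets` (`echo "${u_username} l2tp-server ${u_password} ${u_ipaddress}"`) and single-quoted into `/etc/ipsec.secrets` (`XAUTH '${u_password}'`), so a value containing whitespace, `#`, `'` or `"` silently corrupts those files or truncates the entry. A `validate` callback on both fields that rejects those characters with a translated message would catch this at input time; the same applies to the two user sections in users.lua.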
@@ -0,0 +1,83 @@ +local o = require "luci.dispatcher" +local fs = require "nixio.fs" +local jsonc = require "luci.jsonc" + +local sessions = {} +local session_path = "/var/etc/xl2tpd/session" +if fs.access(session_path) then + for filename in fs.dir(session_path) do + local session_file = session_path .. "/" .. filename + local file = io.open(session_file, "r") + local t = jsonc.parse(file:read("*a")) + if t then + t.session_file = session_file + sessions[#sessions + 1] = t + end + file:close() + end +end + +local blacklist = {} +local firewall_user_path = "/etc/firewall.user" +if fs.access(firewall_user_path) then + for line in io.lines(firewall_user_path) do + local m = line:match('xl2tpd%-blacklist%-([^\n]+)') + if m then + local t = {} + t.ip = m + blacklist[#blacklist + 1] = t + end + end +end + +f = SimpleForm("processes") +f.reset = false +f.submit = false + +t = f:section(Table, sessions, translate("L2TP Online Users")) +t:option(DummyValue, "username", translate("Username")) +t:option(DummyValue, "interface", translate("Interface")) +t:option(DummyValue, "ip", translate("Client IP")) +t:option(DummyValue, "remote_ip", translate("IP address")) +t:option(DummyValue, "login_time", translate("Login Time")) + +_blacklist = t:option(Button, "_blacklist", translate("Blacklist")) +function _blacklist.render(e, t, a) + e.title = translate("Add to Blacklist") + e.inputstyle = "remove" + Button.render(e, t, a) +end +function _blacklist.write(t, s) + local e = t.map:get(s, "remote_ip") + luci.util.execi("echo 'iptables -I INPUT -s %s -p udp -m multiport --dports 500,4500,1701 -j DROP ## xl2tpd-blacklist-%s' >> /etc/firewall.user" % {e, e}) + luci.util.execi("iptables -I INPUT -s %s -p udp -m multiport --dports 500,4500,1701 -j DROP" % {e}) + luci.util.execi("rm -f " .. 
t.map:get(s, "session_file")) + null, t.tag_error[s] = luci.sys.process.signal(t.map:get(s, "pid"), 9) + luci.http.redirect(o.build_url("admin/vpn/ipsec-server/online")) +end + +_kill = t:option(Button, "_kill", translate("Forced offline")) +_kill.inputstyle = "remove" +function _kill.write(t, s) + luci.util.execi("rm -f " .. t.map:get(s, "session_file")) + null, t.tag_error[t] = luci.sys.process.signal(t.map:get(s, "pid"), 9) + luci.http.redirect(o.build_url("admin/vpn/ipsec-server/online")) +end + +t = f:section(Table, blacklist, translate("Blacklist")) +t:option(DummyValue, "ip", translate("IP address")) + +_blacklist2 = t:option(Button, "_blacklist2", translate("Blacklist")) +function _blacklist2.render(e, t, a) + e.title = translate("Remove from Blacklist") + e.inputstyle = "apply" + Button.render(e, t, a) +end +function _blacklist2.write(t, s) + local e = t.map:get(s, "ip") + luci.util.execi("sed -i -e '/## xl2tpd-blacklist-%s/d' /etc/firewall.user" % {e}) + luci.util.execi("iptables -D INPUT -s %s -p udp -m multiport --dports 500,4500,1701 -j DROP" % {e}) + luci.http.redirect(o.build_url("admin/vpn/ipsec-server/online")) +end + +return f diff --git a/package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/settings.lua b/package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/settings.lua new file mode 100644 index 000000000..73c7f24e7 --- /dev/null +++ b/package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/settings.lua 
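Review bot: `_blacklist.write` and `_blacklist2.write` splice `remote_ip` / `ip` straight into shell commands via `luci.util.execi("... %s ..." % {e})`; those values come from session files written by ip-up (which extracts them from the xl2tpd log with a loose grep) and from `/etc/firewall.user`, not from a validated form field, so each handler should refuse anything that is not a dotted quad before running iptables, e.g. `if not (e and e:match("^%d+%.%d+%.%d+%.%d+$")) then return end`. `io.open(session_file, "r")` is not checked for nil, so an unreadable session file raises on `file:read` and takes the whole page down. `_kill.write` stores the signal result under `t.tag_error[t]` whereas `_blacklist.write` uses `t.tag_error[s]`; the former looks like a typo for `[s]`. Both handlers also assign to an undeclared global `null`; `local _` avoids leaking it into the environment.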
@@ -0,0 +1,60 @@ +local sys = require "luci.sys" + +m = Map("luci-app-ipsec-server", translate("IPSec VPN Server")) +m.template = "ipsec-server/index" + +s = m:section(TypedSection, "service") +s.anonymous = true + +o = s:option(DummyValue, "ipsec-server_status", translate("Current Condition")) +o.rawhtml = true +o.cfgvalue = function(t, n) + return '' +end + +enabled = s:option(Flag, "enabled", translate("Enable"), translate("Use a client that supports IPSec Xauth PSK (iOS or Android) to connect to this server.")) +enabled.default = 0 +enabled.rmempty = false + +clientip = s:option(Value, "clientip", translate("VPN Client IP")) +clientip.datatype = "ip4addr" +clientip.description = translate("VPN Client reserved started IP addresses with the same subnet mask, such as: 192.168.100.10/24") +clientip.optional = false +clientip.rmempty = false + +secret = s:option(Value, "secret", translate("Secret Pre-Shared Key")) +secret.password = true + +if sys.call("command -v xl2tpd > /dev/null") == 0 then + o = s:option(DummyValue, "l2tp_status", "L2TP " .. translate("Current Condition")) + o.rawhtml = true + o.cfgvalue = function(t, n) + return '' + end + + o = s:option(Flag, "l2tp_enable", "L2TP " .. translate("Enable"), translate("Use a client that supports L2TP over IPSec PSK to connect to this server.")) + o.default = 0 + o.rmempty = false + + o = s:option(Value, "l2tp_localip", "L2TP " .. translate("Server IP"), translate("VPN Server IP address, such as: 192.168.101.1")) + o.datatype = "ip4addr" + o.rmempty = true + o.default = "192.168.101.1" + o.placeholder = o.default + + o = s:option(Value, "l2tp_remoteip", "L2TP " .. 
translate("Client IP"), translate("VPN Client IP address range, such as: 192.168.101.10-20")) + o.rmempty = true + o.default = "192.168.101.10-20" + o.placeholder = o.default + + if sys.call("ls -L /usr/lib/ipsec/libipsec* 2>/dev/null >/dev/null") == 0 then + o = s:option(DummyValue, "_o", " ") + o.rawhtml = true + o.cfgvalue = function(t, n) + return string.format('%s', translate("L2TP/IPSec is not compatible with kernel-libipsec, which will disable this module.")) + end + o:depends("l2tp_enable", true) + end +end + +return m diff --git a/package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/users.lua b/package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/users.lua new file mode 100644 index 000000000..d5c883d86 --- /dev/null +++ b/package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/users.lua 
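Review bot: `secret` has no validation: `rmempty` defaults to true so the PSK can be saved empty, and the init script writes it verbatim inside double quotes into `/etc/ipsec.secrets` (`: PSK "$vt_secret"`), so a `"` in the value breaks the file. Set `secret.rmempty = false` and `secret.datatype = "minlength(8)"`, or a `validate` callback that also rejects `"` and whitespace. `l2tp_remoteip` is likewise interpolated unvalidated into xl2tpd.conf as `ip range = ${vt_remoteip}`; a validator checking the `a.b.c.d-e` shape the description promises would be appropriate. The `cfgvalue` callbacks return `''` here, which looks like their markup was stripped from this listing, so the status display is not reviewable from the hunk.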
@@ -0,0 +1,54 @@ +local d = require "luci.dispatcher" +local sys = require "luci.sys" + +m = Map("luci-app-ipsec-server") + +s = m:section(TypedSection, "ipsec_users", "IPSec Xauth PSK " .. translate("Users Manager")) +s.description = translate("Use a client that supports IPSec Xauth PSK (iOS or Android) to connect to this server.") +s.addremove = true +s.anonymous = true +s.template = "cbi/tblsection" + +o = s:option(Flag, "enabled", translate("Enabled")) +o.default = 1 +o.rmempty = false + +o = s:option(Value, "username", translate("Username")) +o.placeholder = translate("Username") +o.rmempty = false + +o = s:option(Value, "password", translate("Password")) +o.placeholder = translate("Password") +o.rmempty = false + +if sys.call("command -v xl2tpd > /dev/null") == 0 then + s = m:section(TypedSection, "l2tp_users", "L2TP/IPSec PSK " .. translate("Users Manager")) + s.description = translate("Use a client that supports L2TP over IPSec PSK to connect to this server.") + s.addremove = true + s.anonymous = true + s.template = "cbi/tblsection" + s.extedit = d.build_url("admin", "vpn", "ipsec-server", "l2tp_user", "%s") + function s.create(e, t) + t = TypedSection.create(e, t) + luci.http.redirect(e.extedit:format(t)) + end + + o = s:option(Flag, "enabled", translate("Enabled")) + o.default = 1 + o.rmempty = false + + o = s:option(Value, "username", translate("Username")) + o.placeholder = translate("Username") + o.rmempty = false + + o = s:option(Value, "password", translate("Password")) + o.placeholder = translate("Password") + o.rmempty = false + + o = s:option(Value, "ipaddress", translate("IP address")) + o.placeholder = translate("Automatically") + o.datatype = "ip4addr" + o.rmempty = true +end + +return m diff --git a/package/lean/luci-app-ipsec-server/luasrc/view/ipsec-server/index.htm b/package/lean/luci-app-ipsec-server/luasrc/view/ipsec-server/index.htm new file mode 100644 index 000000000..93e36a405 --- /dev/null 
+++ b/package/lean/luci-app-ipsec-server/luasrc/view/ipsec-server/index.htm @@ -0,0 +1,21 @@ +<% include("cbi/map") %> + diff --git a/package/lean/luci-app-ipsec-server/po/zh-cn/ipsec.po b/package/lean/luci-app-ipsec-server/po/zh-cn/ipsec.po new file mode 100644 index 000000000..b822a2f03 --- /dev/null +++ b/package/lean/luci-app-ipsec-server/po/zh-cn/ipsec.po 
@@ -0,0 +1,77 @@ +msgid "IPSec VPN Server" +msgstr "IPSec VPN 服务器" + +msgid "Use a client that supports IPSec Xauth PSK (iOS or Android) to connect to this server." +msgstr "使用支持 IPSec Xauth PSK(iOS 或 Android)的客户端连接到此服务端。" + +msgid "Use a client that supports L2TP over IPSec PSK to connect to this server." +msgstr "使用支持 L2TP over IPSec PSK 的客户端连接到此服务端。" + +msgid "Current Condition" +msgstr "当前状态" + +msgid "General settings" +msgstr "基本设置" + +msgid "Enabled" +msgstr "启用" + +msgid "VPN Client IP" +msgstr "VPN客户端地址段" + +msgid "VPN Client reserved started IP addresses with the same subnet mask, such as: 192.168.100.10/24" +msgstr "VPN客户端获取IP的起始地址,例如:192.168.100.10/24" + +msgid "Secret Pre-Shared Key" +msgstr "PSK密钥" + +msgid "VPN Server IP address, such as: 192.168.101.1" +msgstr "VPN服务端IP地址,例如:192.168.101.1" + +msgid "VPN Client IP address range, such as: 192.168.101.10-20" +msgstr "VPN客户端获取IP范围,例如:192.168.101.10-20" + +msgid "L2TP/IPSec is not compatible with kernel-libipsec, which will disable this module." +msgstr "L2TP/IPSec不兼容kernel-libipsec,开启将会禁用此模块。" + +msgid "Users Manager" +msgstr "用户管理" + +msgid "Username" +msgstr "用户名" + +msgid "Password" +msgstr "密码" + +msgid "IP address" +msgstr "IP 地址" + +msgid "Automatically" +msgstr "自动分配" + +msgid "Online Users" +msgstr "在线用户" + +msgid "L2TP Online Users" +msgstr "L2TP 在线用户" + +msgid "Login Time" +msgstr "登录时间" + +msgid "Blacklist" +msgstr "黑名单" + +msgid "Add to Blacklist" +msgstr "加入黑名单" + +msgid "Remove from Blacklist" +msgstr "移出黑名单" + +msgid "Forced offline" +msgstr "强制下线" + +msgid "NOT RUNNING" +msgstr "未运行" + +msgid "RUNNING" +msgstr "运行中" \ No newline at end of file diff --git a/package/lean/luci-app-ipsec-server/po/zh_Hans b/package/lean/luci-app-ipsec-server/po/zh_Hans new file mode 120000 index 000000000..41451e4a1 --- /dev/null +++ b/package/lean/luci-app-ipsec-server/po/zh_Hans @@ -0,0 +1 @@ +zh-cn \ No newline at end of file 
diff --git a/package/lean/luci-app-ipsec-server/root/etc/config/luci-app-ipsec-server b/package/lean/luci-app-ipsec-server/root/etc/config/luci-app-ipsec-server new file mode 100644 index 000000000..6d90a5d69 --- /dev/null +++ b/package/lean/luci-app-ipsec-server/root/etc/config/luci-app-ipsec-server @@ -0,0 +1,7 @@ + +config service 'ipsec' + option enabled '0' + option secret 'ipsec' + option clientip '192.168.100.10/24' + + diff --git a/package/lean/luci-app-ipsec-server/root/etc/init.d/luci-app-ipsec-server b/package/lean/luci-app-ipsec-server/root/etc/init.d/luci-app-ipsec-server new file mode 100755 index 000000000..9371763e2 --- /dev/null +++ b/package/lean/luci-app-ipsec-server/root/etc/init.d/luci-app-ipsec-server 
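Review bot: The shipped default `option secret 'ipsec'` is a well-known pre-shared key; the service is disabled by default, but a user who toggles `enabled` without visiting the Secret field runs the server with it. Ship the secret empty and have `start()` in the init script refuse to run without one, e.g. `[ -z "$vt_secret" ] && return 1` right after `vt_secret` is read. The two trailing blank lines in the config file are harmless but unusual for a UCI file.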
@@ -0,0 +1,274 @@ +#!/bin/sh /etc/rc.common + +START=99 + +CONFIG="luci-app-ipsec-server" +IPSEC_SECRETS_FILE=/etc/ipsec.secrets +IPSEC_CONN_FILE=/etc/ipsec.conf +CHAP_SECRETS=/etc/ppp/chap-secrets +L2TP_PATH=/var/etc/xl2tpd +L2TP_CONTROL_FILE=${L2TP_PATH}/control +L2TP_CONFIG_FILE=${L2TP_PATH}/xl2tpd.conf +L2TP_OPTIONS_FILE=${L2TP_PATH}/options.xl2tpd +L2TP_LOG_FILE=${L2TP_PATH}/xl2tpd.log + +vt_clientip=$(uci -q get ${CONFIG}.@service[0].clientip) +l2tp_enabled=$(uci -q get ${CONFIG}.@service[0].l2tp_enable) +l2tp_localip=$(uci -q get ${CONFIG}.@service[0].l2tp_localip) + +ipt_flag="IPSec VPN Server" + +get_enabled_anonymous_secs() { + uci -q show "${CONFIG}" | grep "${1}\[.*\.enabled='1'" | cut -d '.' -sf2 +} + +ipt_rule() { + if [ "$1" = "add" ]; then + iptables -t nat -I POSTROUTING -s ${vt_clientip} -m comment --comment "${ipt_flag}" -j MASQUERADE 2>/dev/null + iptables -I forwarding_rule -s ${vt_clientip} -m comment --comment "${ipt_flag}" -j ACCEPT 2>/dev/null + iptables -I forwarding_rule -m policy --dir in --pol ipsec --proto esp -m comment --comment "${ipt_flag}" -j ACCEPT 2>/dev/null + iptables -I forwarding_rule -m policy --dir out --pol ipsec --proto esp -m comment --comment "${ipt_flag}" -j ACCEPT 2>/dev/null + iptables -I INPUT -p udp -m multiport --dports 500,4500 -m comment --comment "${ipt_flag}" -j ACCEPT 2>/dev/null + iptables -t mangle -I OUTPUT -p udp -m multiport --sports 500,4500 -m comment --comment "${ipt_flag}" -j RETURN 2>/dev/null + [ "${l2tp_enabled}" = 1 ] && { + iptables -t nat -I POSTROUTING -s ${l2tp_localip%.*}.0/24 -m comment --comment "${ipt_flag}" -j MASQUERADE 2>/dev/null + iptables -I forwarding_rule -s ${l2tp_localip%.*}.0/24 -m comment --comment "${ipt_flag}" -j ACCEPT 2>/dev/null + iptables -I INPUT -p udp --dport 1701 -m comment --comment "${ipt_flag}" -j ACCEPT 2>/dev/null + iptables -t mangle -I OUTPUT -p udp --sport 1701 -m comment --comment "${ipt_flag}" -j RETURN 2>/dev/null + } + else + ipt_del() { + for i in $(seq 
1 $($1 -nL $2 | grep -c "${ipt_flag}")); do + local index=$($1 --line-number -nL $2 | grep "${ipt_flag}" | head -1 | awk '{print $1}') + $1 -w -D $2 $index 2>/dev/null + done + } + ipt_del "iptables" "forwarding_rule" + ipt_del "iptables" "INPUT" + ipt_del "iptables -t nat" "POSTROUTING" + ipt_del "iptables -t mangle" "OUTPUT" + fi +} + +gen_include() { + echo '#!/bin/sh' > /var/etc/ipsecvpn.include + extract_rules() { + echo "*$1" + iptables-save -t $1 | grep "${ipt_flag}" | \ + sed -e "s/^-A \(INPUT\)/-I \1 1/" + echo 'COMMIT' + } + cat <<-EOF >> /var/etc/ipsecvpn.include + iptables-save -c | grep -v "${ipt_flag}" | iptables-restore -c + iptables-restore -n <<-EOT + $(extract_rules filter) + $(extract_rules nat) + EOT + EOF + return 0 +} + +start() { + local vt_enabled=$(uci -q get ${CONFIG}.@service[0].enabled) + [ "$vt_enabled" = 0 ] && return 1 + + local vt_gateway="${vt_clientip%.*}.1" + local vt_secret=$(uci -q get ${CONFIG}.@service[0].secret) + + local l2tp_enabled=$(uci -q get ${CONFIG}.@service[0].l2tp_enable) + [ "${l2tp_enabled}" = 1 ] && { + touch ${CHAP_SECRETS} + local vt_remoteip=$(uci -q get ${CONFIG}.@service[0].l2tp_remoteip) + local ipsec_l2tp_config=$(cat <<-EOF + ####################################### + # L2TP Connections + ####################################### + + conn L2TP-IKEv1-PSK + type=transport + keyexchange=ikev1 + authby=secret + leftprotoport=udp/l2tp + left=%any + right=%any + rekey=no + forceencaps=yes + ike=aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,3des-sha1-modp1536 + esp=aes128-sha1,3des-sha1 + EOF + ) + + mkdir -p ${L2TP_PATH} + cat > ${L2TP_OPTIONS_FILE} <<-EOF + name "l2tp-server" + ipcp-accept-local + ipcp-accept-remote + ms-dns ${l2tp_localip} + noccp + auth + idle 1800 + mtu 1400 + mru 1400 + lcp-echo-failure 10 + lcp-echo-interval 60 + connect-delay 5000 + EOF + cat > ${L2TP_CONFIG_FILE} <<-EOF + [global] + port = 1701 + ;debug avp = yes + ;debug network = yes + ;debug state = yes + ;debug tunnel = 
yes + [lns default] + ip range = ${vt_remoteip} + local ip = ${l2tp_localip} + require chap = yes + refuse pap = yes + require authentication = no + name = l2tp-server + ;ppp debug = yes + pppoptfile = ${L2TP_OPTIONS_FILE} + length bit = yes + EOF + + local l2tp_users=$(get_enabled_anonymous_secs "@l2tp_users") + [ -n "${l2tp_users}" ] && { + for _user in ${l2tp_users}; do + local u_enabled=$(uci -q get ${CONFIG}.${_user}.enabled) + [ "${u_enabled}" -eq 1 ] || continue + + local u_username=$(uci -q get ${CONFIG}.${_user}.username) + [ -n "${u_username}" ] || continue + + local u_password=$(uci -q get ${CONFIG}.${_user}.password) + [ -n "${u_password}" ] || continue + + local u_ipaddress=$(uci -q get ${CONFIG}.${_user}.ipaddress) + [ -n "${u_ipaddress}" ] || u_ipaddress="*" + + echo "${u_username} l2tp-server ${u_password} ${u_ipaddress}" >> ${CHAP_SECRETS} + done + } + unset user + + echo "ip-up-script /usr/share/xl2tpd/ip-up" >> ${L2TP_OPTIONS_FILE} + echo "ip-down-script /usr/share/xl2tpd/ip-down" >> ${L2TP_OPTIONS_FILE} + + xl2tpd -c ${L2TP_CONFIG_FILE} -C ${L2TP_CONTROL_FILE} -D >${L2TP_LOG_FILE} 2>&1 & + rm -f "/usr/lib/ipsec/libipsec.so.0" + } + + cat > ${IPSEC_CONN_FILE} <<-EOF + # ipsec.conf - strongSwan IPsec configuration file + + config setup + uniqueids=no + charondebug="cfg 2, dmn 2, ike 2, net 0" + + conn %default + dpdaction=clear + dpddelay=300s + rekey=no + left=%defaultroute + leftfirewall=yes + right=%any + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + auto=add + + ####################################### + # Default non L2TP Connections + ####################################### + + conn Non-L2TP + leftsubnet=0.0.0.0/0 + rightsubnet=${vt_clientip} + rightsourceip=${vt_clientip} + rightdns=${vt_gateway} + ike=aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,3des-sha1-modp1536 + esp=aes128-sha1,3des-sha1 + + # Cisco IPSec + conn IKEv1-PSK-XAuth + also=Non-L2TP + keyexchange=ikev1 + leftauth=psk + rightauth=psk + 
rightauth2=xauth + + $ipsec_l2tp_config + EOF + + cat > /etc/ipsec.secrets <<-EOF + # /etc/ipsec.secrets - strongSwan IPsec secrets file + : PSK "$vt_secret" + EOF + + local ipsec_users=$(get_enabled_anonymous_secs "@ipsec_users") + [ -n "${ipsec_users}" ] && { + for _user in ${ipsec_users}; do + local u_enabled=$(uci -q get ${CONFIG}.${_user}.enabled) + [ "${u_enabled}" -eq 1 ] || continue + + local u_username=$(uci -q get ${CONFIG}.${_user}.username) + [ -n "${u_username}" ] || continue + + local u_password=$(uci -q get ${CONFIG}.${_user}.password) + [ -n "${u_password}" ] || continue + + echo "${u_username} : XAUTH '${u_password}'" >> ${IPSEC_SECRETS_FILE} + done + } + unset user + + ipt_rule add + + /usr/lib/ipsec/starter --daemon charon --nofork > /dev/null 2>&1 & + gen_include + + uci -q batch <<-EOF >/dev/null + set network.ipsec_server.ipaddr="${vt_clientip%.*}.1" + commit network + EOF + ifup ipsec_server > /dev/null 2>&1 +} + +stop() { + ifdown ipsec_server > /dev/null 2>&1 + sed -i '/l2tp-server/d' ${CHAP_SECRETS} 2>/dev/null + top -bn1 | grep "${L2TP_PATH}" | grep -v "grep" | awk '{print $1}' | xargs kill -9 >/dev/null 2>&1 + rm -rf ${L2TP_PATH} + ps -w | grep "/usr/lib/ipsec" | grep -v "grep" | awk '{print $1}' | xargs kill -9 >/dev/null 2>&1 + ipt_rule del + rm -rf /var/etc/ipsecvpn.include + ln -s "libipsec.so.0.0.0" "/usr/lib/ipsec/libipsec.so.0" >/dev/null 2>&1 +} + +gen_iface_and_firewall() { + uci -q batch <<-EOF >/dev/null + delete network.ipsec_server + set network.ipsec_server=interface + set network.ipsec_server.ifname="ipsec0" + set network.ipsec_server.device="ipsec0" + set network.ipsec_server.proto="static" + set network.ipsec_server.ipaddr="${vt_clientip%.*}.1" + set network.ipsec_server.netmask="255.255.255.0" + commit network + + delete firewall.ipsecserver + set firewall.ipsecserver=zone + set firewall.ipsecserver.name="ipsecserver" + set firewall.ipsecserver.input="ACCEPT" + set firewall.ipsecserver.forward="ACCEPT" + set 
firewall.ipsecserver.output="ACCEPT" + set firewall.ipsecserver.network="ipsec_server" + commit firewall + EOF +} + +if [ -z "$(uci -q get network.ipsec_server)" ] || [ -z "$(uci -q get firewall.ipsecserver)" ]; then + gen_iface_and_firewall +fi diff --git a/package/lean/luci-app-ipsec-server/root/etc/uci-defaults/luci-app-ipsec-server b/package/lean/luci-app-ipsec-server/root/etc/uci-defaults/luci-app-ipsec-server new file mode 100755 index 000000000..3a791a03a --- /dev/null +++ b/package/lean/luci-app-ipsec-server/root/etc/uci-defaults/luci-app-ipsec-server @@ -0,0 +1,23 @@ +#!/bin/sh + +uci -q batch <<-EOF >/dev/null + delete firewall.luci_app_ipsec_server + set firewall.luci_app_ipsec_server=include + set firewall.luci_app_ipsec_server.type=script + set firewall.luci_app_ipsec_server.path=/var/etc/ipsecvpn.include + set firewall.luci_app_ipsec_server.reload=1 +EOF + +uci -q batch <<-EOF >/dev/null + delete ucitrack.@luci-app-ipsec-server[-1] + add ucitrack luci-app-ipsec-server + set ucitrack.@luci-app-ipsec-server[-1].init=luci-app-ipsec-server + commit ucitrack +EOF + +/etc/init.d/ipsec disable 2>/dev/null +/etc/init.d/ipsec stop 2>/dev/null +/etc/init.d/xl2tpd disable 2>/dev/null +/etc/init.d/xl2tpd stop 2>/dev/null +rm -rf /tmp/luci-*cache +exit 0 diff --git a/package/lean/luci-app-ipsec-server/root/usr/share/rpcd/acl.d/luci-app-ipsec-server.json b/package/lean/luci-app-ipsec-server/root/usr/share/rpcd/acl.d/luci-app-ipsec-server.json new file mode 100644 index 000000000..d12ed9841 --- /dev/null +++ b/package/lean/luci-app-ipsec-server/root/usr/share/rpcd/acl.d/luci-app-ipsec-server.json @@ -0,0 +1,11 @@ +{ + "luci-app-ipsec-server": { + "description": "Grant UCI access for luci-app-ipsec-server", + "read": { + "uci": [ "luci-app-ipsec-server" ] + }, + "write": { + "uci": [ "luci-app-ipsec-server" ] + } + } +} 
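Review bot: `start()` writes the PSK and every XAUTH password into `/etc/ipsec.secrets` and the L2TP passwords into `/etc/ppp/chap-secrets` with `cat >` / `echo >>` and no `chmod`, so both files take whatever the default umask gives; add `chmod 600 ${IPSEC_SECRETS_FILE} ${CHAP_SECRETS}` once they are written. `stop()` picks processes to `kill -9` by grepping `top -bn1` and `ps -w` output for `/var/etc/xl2tpd` and `/usr/lib/ipsec`, which also kills any unrelated process whose command line mentions those paths (an admin's editor or `tail` on the log); start xl2tpd with `-p /var/run/xl2tpd.pid` and kill by pidfile, and stop charon through the pidfile `starter` writes under `/var/run` rather than by pattern. The `ike=` / `esp=` proposal lists still offer `3des-sha1` and `modp1024`, which are deprecated; unless legacy clients are a hard requirement, keep only the `aes128-sha1-modp2048` entries and document the choice. Deleting `/usr/lib/ipsec/libipsec.so.0` at start and re-symlinking it at stop mutates package-owned files at runtime and is undone by any strongswan upgrade; it deserves at least a comment naming the kernel-libipsec conflict it works around.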
diff --git a/package/lean/luci-app-ipsec-server/root/usr/share/xl2tpd/ip-down b/package/lean/luci-app-ipsec-server/root/usr/share/xl2tpd/ip-down new file mode 100755 index 000000000..9434e7615 --- /dev/null +++ b/package/lean/luci-app-ipsec-server/root/usr/share/xl2tpd/ip-down @@ -0,0 +1,27 @@ +#!/bin/sh + +_LOGOUT_TIME="$(date "+%Y-%m-%d %H:%M:%S")" +CONFIG="luci-app-ipsec-server" +L2TP_PATH=/var/etc/xl2tpd +L2TP_SESSION_PATH=${L2TP_PATH}/session + +_USERNAME=${PEERNAME} +_IFACE=${1} +_TTY=${2} +_SPEED=${3} +_LOCALIP=${4} +_PEERIP=${5} +_REMOTEIP=${6} +_BYTES_SENT=${BYTES_SENT} +_BYTES_RCVD=${BYTES_RCVD} +_CONNECT_TIME=${CONNECT_TIME} + +rm -f ${L2TP_SESSION_PATH}/${_USERNAME}.${_IFACE} +rm -f /var/run/${_IFACE}.pid + +#可根据退出的账号自定义脚本,如静态路由表,组网等。 +SCRIPT="/usr/share/xl2tpd/ip-down.d/${_USERNAME}" +[ -s "$SCRIPT" ] && { + [ ! -x "$SCRIPT" ] && chmod 0755 "$SCRIPT" + "$SCRIPT" "$@" +} diff --git a/package/lean/luci-app-ipsec-server/root/usr/share/xl2tpd/ip-up b/package/lean/luci-app-ipsec-server/root/usr/share/xl2tpd/ip-up new file mode 100755 index 000000000..6109d037e --- /dev/null +++ b/package/lean/luci-app-ipsec-server/root/usr/share/xl2tpd/ip-up 
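Review bot: `rm -f ${L2TP_SESSION_PATH}/${_USERNAME}.${_IFACE}` and `rm -f /var/run/${_IFACE}.pid` expand `PEERNAME` and the interface unquoted, so a username containing whitespace or glob characters removes the wrong files; quote them as `rm -f "${L2TP_SESSION_PATH}/${_USERNAME}.${_IFACE}"`. The same unquoted expansions appear in ip-up in the next hunk. `PEERNAME` is admin-configured through the users page, so this is a robustness issue rather than an exposure, but that form currently accepts any string.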
@@ -0,0 +1,58 @@ +#!/bin/sh + +_LOGIN_TIME="$(date "+%Y-%m-%d %H:%M:%S")" +CONFIG="luci-app-ipsec-server" +L2TP_PATH=/var/etc/xl2tpd +L2TP_SESSION_PATH=${L2TP_PATH}/session + +_USERNAME=${PEERNAME} +_IFACE=${1} +_TTY=${2} +_SPEED=${3} +_LOCALIP=${4} +_PEERIP=${5} + +_PID=$(cat /var/run/${_IFACE}.pid 2>/dev/null) +_REMOTEIP=$(cat /var/etc/xl2tpd/xl2tpd.log 2>/dev/null | grep "PID: ${_PID}" | grep -o -E '([0-9]{1,3}[\.]){3}[0-9]{1,3}') + +mkdir -p ${L2TP_SESSION_PATH} + +cat <<-EOF > ${L2TP_SESSION_PATH}/${_USERNAME}.${_IFACE} + { + "username": "${_USERNAME}", + "interface": "${_IFACE}", + "tty": "${_TTY}", + "speed": "${_SPEED}", + "ip": "${_PEERIP}", + "remote_ip": "${_REMOTEIP}", + "pid": "${_PID}", + "login_time": "${_LOGIN_TIME}" + } +EOF + +#只能单用户使用 +cfgid=$(uci show ${CONFIG} | grep "@l2tp_users" | grep "\.username='${_USERNAME}'" | cut -d '.' -sf 2) +[ -n "$cfgid" ] && { + HAS_LOGIN=$(ls ${L2TP_SESSION_PATH} | grep "^${_USERNAME}\.ppp" | grep -v "${_IFACE}") + [ -n "$HAS_LOGIN" ] && { + #踢出之前的用户 + KO_IFACE=$(echo $HAS_LOGIN | awk -F '.' '{print $2}') + KO_PID=$(cat /var/run/${KO_IFACE}.pid 2>/dev/null) + [ -n "$KO_PID" ] && kill -9 ${KO_PID} >/dev/null 2>&1 + rm -f ${L2TP_SESSION_PATH}/${HAS_LOGIN} + rm -f /var/run/${KO_IFACE}.pid + } + routes=$(uci -q get ${CONFIG}.${cfgid}.routes) + [ -n "$routes" ] && { + for router in ${routes}; do + route add -net ${router} dev ${_IFACE} >/dev/null 2>&1 + done + } +} + +#可根据登录的账号自定义脚本,如组网、日志、限速、权限等特殊待遇。 +SCRIPT="/usr/share/xl2tpd/ip-up.d/${_USERNAME}" +[ -s "$SCRIPT" ] && { + [ ! -x "$SCRIPT" ] && chmod 0755 "$SCRIPT" + "$SCRIPT" "$@" +} diff --git a/tools/Makefile b/tools/Makefile index 25a8c1f84..eb1ad84b9 100644 --- a/tools/Makefile +++ b/tools/Makefile 
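Review bot: `_REMOTEIP` is taken from every xl2tpd log line containing `PID: ${_PID}` as a substring, so PID 12 also matches `PID: 123` and a busy log can yield several addresses joined by newlines; that multi-line value is then written unescaped into the session JSON (which makes `jsonc.parse` in online.lua return nil and drop the session) and, when it does parse, reaches the iptables commands there. Tighten the match and take a single result: `grep -E "PID: ${_PID}([^0-9]|$)" | grep -o -E '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n1`. `HAS_LOGIN` has the same multi-result problem: with two stale sessions for one user, `rm -f ${L2TP_SESSION_PATH}/${HAS_LOGIN}` receives a newline-separated list and `KO_IFACE` is computed from only the first. The heredoc also writes `${_USERNAME}` into JSON without escaping, so a `"` in a username produces an unparseable session file.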
@@ -46,7 +46,6 @@ $(curdir)/bison/compile := $(curdir)/flex/compile $(curdir)/cbootimage/compile += $(curdir)/automake/compile $(curdir)/cmake/compile += $(curdir)/libressl/compile $(curdir)/ninja/compile $(curdir)/dosfstools/compile := $(curdir)/autoconf/compile $(curdir)/automake/compile -$(curdir)/expat/compile := $(curdir)/cmake/compile $(curdir)/e2fsprogs/compile := $(curdir)/libtool/compile $(curdir)/fakeroot/compile := $(curdir)/libtool/compile $(curdir)/findutils/compile := $(curdir)/bison/compile diff --git a/tools/expat/Makefile b/tools/expat/Makefile index 0bc54a3d4..c79667af3 100644 --- a/tools/expat/Makefile +++ b/tools/expat/Makefile @@ -15,19 +15,15 @@ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_HASH:=ce317706b07cae150f90cddd4253f5b4fba929607488af5ac47bf2bc08e31f09 PKG_SOURCE_URL:=https://github.com/libexpat/libexpat/releases/download/R_$(subst .,_,$(PKG_VERSION)) +HOST_BUILD_PARALLEL:=1 + include $(INCLUDE_DIR)/host-build.mk -include $(INCLUDE_DIR)/cmake.mk -CMAKE_HOST_OPTIONS += \ - -DDOCBOOK_TO_MAN=OFF \ - -DEXPAT_BUILD_TOOLS=OFF \ - -DEXPAT_BUILD_EXAMPLES=OFF \ - -DEXPAT_BUILD_TESTS=OFF \ - -DEXPAT_BUILD_DOCS=OFF \ - -DEXPAT_WITH_LIBBSD=OFF \ - -DEXPAT_ENABLE_INSTALL=ON \ - -DEXPAT_DTD=OFF \ - -DEXPAT_NS=OFF \ - -DEXPAT_DEV_URANDOM=OFF +HOST_CONFIGURE_ARGS += \ + --without-docbook -$(eval $(call HostBuild)) +define Host/Install + $(MAKE) -C $(HOST_BUILD_DIR) install +endef + +$(eval $(call HostBuild)) \ No newline at end of file
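Review bot: The switch of tools/expat from the cmake host build to autotools (and the matching removal of the `expat/compile := cmake/compile` dependency in tools/Makefile) has nothing to do with the subject `add luci-app-ipsec-server` and should be a separate commit so it can be bisected and reverted independently. The new `define Host/Install` block appears to duplicate host-build.mk's default install step; if it exists only to change the make invocation, a one-line comment saying so would help, otherwise it can be dropped. The file also loses its trailing newline (`\ No newline at end of file`).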