pacakge: add luci-app-ipsec-server

package/lean/luci-app-ipsec-server/Makefile

@@ -0,0 +1,14 @@
+# Copyright (C) 2018-2021 Lienol <lawlienol@gmail.com>
+#
+# This is free software, licensed under the Apache License, Version 2.0 .
+#
+
+include $(TOPDIR)/rules.mk
+
+LUCI_TITLE:=LuCI support for IPSec VPN Server
+LUCI_DEPENDS:=+kmod-tun +luci-lib-jsonc +strongswan +strongswan-minimal +strongswan-mod-kernel-libipsec +strongswan-mod-openssl +strongswan-mod-xauth-generic +xl2tpd
+LUCI_PKGARCH:=all
+
+include $(TOPDIR)/feeds/luci/luci.mk
+
+# call BuildPackage - OpenWrt buildroot signature

package/lean/luci-app-ipsec-server/luasrc/controller/ipsec-server.lua

@@ -0,0 +1,22 @@
+-- Copyright 2018-2020 Lienol <lawlienol@gmail.com>
+module("luci.controller.ipsec-server", package.seeall)
+
+function index()
+    if not nixio.fs.access("/etc/config/luci-app-ipsec-server") then return end
+
+    entry({"admin", "vpn"}, firstchild(), "VPN", 45).dependent = false
+    entry({"admin", "vpn", "ipsec-server"}, alias("admin", "vpn", "ipsec-server", "settings"), _("IPSec VPN Server"), 49).dependent = false
+    entry({"admin", "vpn", "ipsec-server", "settings"}, cbi("ipsec-server/settings"), _("General Settings"), 10).leaf = true
+    entry({"admin", "vpn", "ipsec-server", "users"}, cbi("ipsec-server/users"), _("Users Manager"), 20).leaf = true
+    entry({"admin", "vpn", "ipsec-server", "l2tp_user"}, cbi("ipsec-server/l2tp_user")).leaf = true
+    entry({"admin", "vpn", "ipsec-server", "online"}, cbi("ipsec-server/online"), _("L2TP Online Users"), 30).leaf = true
+    entry({"admin", "vpn", "ipsec-server", "status"}, call("status")).leaf = true
+end
+
+function status()
+    local e = {}
+    e["ipsec_status"] = luci.sys.call("/usr/bin/pgrep ipsec >/dev/null") == 0
+    e["l2tp_status"] = luci.sys.call("top -bn1 | grep -v grep | grep '/var/etc/xl2tpd' >/dev/null") == 0
+    luci.http.prepare_content("application/json")
+    luci.http.write_json(e)
+end

package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/l2tp_user.lua

@@ -0,0 +1,35 @@
+local d = require "luci.dispatcher"
+local sys = require "luci.sys"
+
+m = Map("luci-app-ipsec-server", "L2TP/IPSec PSK " .. translate("Users Manager"))
+m.redirect = d.build_url("admin", "vpn", "ipsec-server", "users")
+
+if sys.call("command -v xl2tpd > /dev/null") == 0 then
+    s = m:section(NamedSection, arg[1], "l2tp_users", "")
+    s.addremove = false
+    s.anonymous = true
+
+    o = s:option(Flag, "enabled", translate("Enabled"))
+    o.default = 1
+    o.rmempty = false
+
+    o = s:option(Value, "username", translate("Username"))
+    o.placeholder = translate("Username")
+    o.rmempty = false
+
+    o = s:option(Value, "password", translate("Password"))
+    o.placeholder = translate("Password")
+    o.rmempty = false
+
+    o = s:option(Value, "ipaddress", translate("IP address"))
+    o.placeholder = translate("Automatically")
+    o.datatype = "ip4addr"
+    o.rmempty = true
+
+    o = s:option(DynamicList, "routes", translate("Static Routes"))
+    o.placeholder = "192.168.10.0/24"
+    o.datatype = "ipmask4"
+    o.rmempty = true
+end
+
+return m

package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/online.lua

@@ -0,0 +1,83 @@
+local o = require "luci.dispatcher"
+local fs = require "nixio.fs"
+local jsonc = require "luci.jsonc"
+
+local sessions = {}
+local session_path = "/var/etc/xl2tpd/session"
+if fs.access(session_path) then
+    for filename in fs.dir(session_path) do
+        local session_file = session_path .. "/" .. filename
+        local file = io.open(session_file, "r")
+        local t = jsonc.parse(file:read("*a"))
+        if t then
+            t.session_file = session_file
+            sessions[#sessions + 1] = t
+        end
+        file:close()
+    end
+end
+
+local blacklist = {}
+local firewall_user_path = "/etc/firewall.user"
+if fs.access(firewall_user_path) then
+    for line in io.lines(firewall_user_path) do
+        local m = line:match('xl2tpd%-blacklist%-([^\n]+)')
+        if m then
+            local t = {}
+            t.ip = m
+            blacklist[#blacklist + 1] = t
+        end
+    end
+end
+
+f = SimpleForm("processes")
+f.reset = false
+f.submit = false
+
+t = f:section(Table, sessions, translate("L2TP Online Users"))
+t:option(DummyValue, "username", translate("Username"))
+t:option(DummyValue, "interface", translate("Interface"))
+t:option(DummyValue, "ip", translate("Client IP"))
+t:option(DummyValue, "remote_ip", translate("IP address"))
+t:option(DummyValue, "login_time", translate("Login Time"))
+
+_blacklist = t:option(Button, "_blacklist", translate("Blacklist"))
+function _blacklist.render(e, t, a)
+    e.title = translate("Add to Blacklist")
+    e.inputstyle = "remove"
+    Button.render(e, t, a)
+end
+function _blacklist.write(t, s)
+    local e = t.map:get(s, "remote_ip")
+    luci.util.execi("echo 'iptables -I INPUT -s %s -p udp -m multiport --dports 500,4500,1701 -j DROP ## xl2tpd-blacklist-%s' >> /etc/firewall.user" % {e, e})
+    luci.util.execi("iptables -I INPUT -s %s -p udp -m multiport --dports 500,4500,1701 -j DROP" % {e})
+    luci.util.execi("rm -f " .. t.map:get(s, "session_file"))
+    null, t.tag_error[s] = luci.sys.process.signal(t.map:get(s, "pid"), 9)
+    luci.http.redirect(o.build_url("admin/vpn/ipsec-server/online"))
+end
+
+_kill = t:option(Button, "_kill", translate("Forced offline"))
+_kill.inputstyle = "remove"
+function _kill.write(t, s)
+    luci.util.execi("rm -f " .. t.map:get(s, "session_file"))
+    null, t.tag_error[t] = luci.sys.process.signal(t.map:get(s, "pid"), 9)
+    luci.http.redirect(o.build_url("admin/vpn/ipsec-server/online"))
+end
+
+t = f:section(Table, blacklist, translate("Blacklist"))
+t:option(DummyValue, "ip", translate("IP address"))
+
+_blacklist2 = t:option(Button, "_blacklist2", translate("Blacklist"))
+function _blacklist2.render(e, t, a)
+    e.title = translate("Remove from Blacklist")
+    e.inputstyle = "apply"
+    Button.render(e, t, a)
+end
+function _blacklist2.write(t, s)
+    local e = t.map:get(s, "ip")
+    luci.util.execi("sed -i -e '/## xl2tpd-blacklist-%s/d' /etc/firewall.user" % {e})
+    luci.util.execi("iptables -D INPUT -s %s -p udp -m multiport --dports 500,4500,1701 -j DROP" % {e})
+    luci.http.redirect(o.build_url("admin/vpn/ipsec-server/online"))
+end
+
+return f

package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/settings.lua

@@ -0,0 +1,60 @@
+local sys = require "luci.sys"
+
+m = Map("luci-app-ipsec-server", translate("IPSec VPN Server"))
+m.template = "ipsec-server/index"
+
+s = m:section(TypedSection, "service")
+s.anonymous = true
+
+o = s:option(DummyValue, "ipsec-server_status", translate("Current Condition"))
+o.rawhtml = true
+o.cfgvalue = function(t, n)
+    return '<font class="ipsec-server_status"></font>'
+end
+
+enabled = s:option(Flag, "enabled", translate("Enable"), translate("Use a client that supports IPSec Xauth PSK (iOS or Android) to connect to this server."))
+enabled.default = 0
+enabled.rmempty = false
+
+clientip = s:option(Value, "clientip", translate("VPN Client IP"))
+clientip.datatype = "ip4addr"
+clientip.description = translate("VPN Client reserved started IP addresses with the same subnet mask, such as: 192.168.100.10/24")
+clientip.optional = false
+clientip.rmempty = false
+
+secret = s:option(Value, "secret", translate("Secret Pre-Shared Key"))
+secret.password = true
+
+if sys.call("command -v xl2tpd > /dev/null") == 0 then
+    o = s:option(DummyValue, "l2tp_status", "L2TP " .. translate("Current Condition"))
+    o.rawhtml = true
+    o.cfgvalue = function(t, n)
+        return '<font class="l2tp_status"></font>'
+    end
+
+    o = s:option(Flag, "l2tp_enable", "L2TP " .. translate("Enable"), translate("Use a client that supports L2TP over IPSec PSK to connect to this server."))
+    o.default = 0
+    o.rmempty = false
+
+    o = s:option(Value, "l2tp_localip", "L2TP " .. translate("Server IP"), translate("VPN Server IP address, such as: 192.168.101.1"))
+    o.datatype = "ip4addr"
+    o.rmempty = true
+    o.default = "192.168.101.1"
+    o.placeholder = o.default
+
+    o = s:option(Value, "l2tp_remoteip", "L2TP " .. translate("Client IP"), translate("VPN Client IP address range, such as: 192.168.101.10-20"))
+    o.rmempty = true
+    o.default = "192.168.101.10-20"
+    o.placeholder = o.default
+
+    if sys.call("ls -L /usr/lib/ipsec/libipsec* 2>/dev/null >/dev/null") == 0 then 
+        o = s:option(DummyValue, "_o", " ")
+        o.rawhtml = true
+        o.cfgvalue = function(t, n)
+            return string.format('<a style="color: red">%s</a>', translate("L2TP/IPSec is not compatible with kernel-libipsec, which will disable this module."))
+        end
+        o:depends("l2tp_enable", true)
+    end
+end
+
+return m

package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/users.lua

@@ -0,0 +1,54 @@
+local d = require "luci.dispatcher"
+local sys = require "luci.sys"
+
+m = Map("luci-app-ipsec-server")
+
+s = m:section(TypedSection, "ipsec_users", "IPSec Xauth PSK " .. translate("Users Manager"))
+s.description = translate("Use a client that supports IPSec Xauth PSK (iOS or Android) to connect to this server.")
+s.addremove = true
+s.anonymous = true
+s.template = "cbi/tblsection"
+
+o = s:option(Flag, "enabled", translate("Enabled"))
+o.default = 1
+o.rmempty = false
+
+o = s:option(Value, "username", translate("Username"))
+o.placeholder = translate("Username")
+o.rmempty = false
+
+o = s:option(Value, "password", translate("Password"))
+o.placeholder = translate("Password")
+o.rmempty = false
+
+if sys.call("command -v xl2tpd > /dev/null") == 0 then
+    s = m:section(TypedSection, "l2tp_users", "L2TP/IPSec PSK " .. translate("Users Manager"))
+    s.description = translate("Use a client that supports L2TP over IPSec PSK to connect to this server.")
+    s.addremove = true
+    s.anonymous = true
+    s.template = "cbi/tblsection"
+    s.extedit = d.build_url("admin", "vpn", "ipsec-server", "l2tp_user", "%s")
+    function s.create(e, t)
+        t = TypedSection.create(e, t)
+        luci.http.redirect(e.extedit:format(t))
+    end
+
+    o = s:option(Flag, "enabled", translate("Enabled"))
+    o.default = 1
+    o.rmempty = false
+
+    o = s:option(Value, "username", translate("Username"))
+    o.placeholder = translate("Username")
+    o.rmempty = false
+
+    o = s:option(Value, "password", translate("Password"))
+    o.placeholder = translate("Password")
+    o.rmempty = false
+
+    o = s:option(Value, "ipaddress", translate("IP address"))
+    o.placeholder = translate("Automatically")
+    o.datatype = "ip4addr"
+    o.rmempty = true
+end
+
+return m

package/lean/luci-app-ipsec-server/luasrc/view/ipsec-server/index.htm

@@ -0,0 +1,21 @@
+<% include("cbi/map") %>
+<script type="text/javascript">//<![CDATA[
+	XHR.poll(2, '<%=luci.dispatcher.build_url("admin", "vpn", "ipsec-server", "status")%>', null,
+		function(x, result)
+		{
+			var ipsec_status = document.getElementsByClassName('ipsec-server_status')[0];
+			if (ipsec_status) {
+				ipsec_status.setAttribute("style","font-weight:bold;");
+				ipsec_status.setAttribute("color",result.ipsec_status ? "green":"red");
+				ipsec_status.innerHTML = result.ipsec_status?'<%=translate("RUNNING")%>':'<%=translate("NOT RUNNING")%>';
+			}
+			var l2tp_status = document.getElementsByClassName('l2tp_status')[0];
+			if (l2tp_status) {
+				l2tp_status.setAttribute("style","font-weight:bold;");
+				l2tp_status.setAttribute("color",result.l2tp_status ? "green":"red");
+				l2tp_status.innerHTML = result.l2tp_status?'<%=translate("RUNNING")%>':'<%=translate("NOT RUNNING")%>';
+			}
+		}
+	)
+//]]>
+</script>

package/lean/luci-app-ipsec-server/po/zh-cn/ipsec.po

@@ -0,0 +1,77 @@
+msgid "IPSec VPN Server"
+msgstr "IPSec VPN 服务器"
+
+msgid "Use a client that supports IPSec Xauth PSK (iOS or Android) to connect to this server."
+msgstr "使用支持 IPSec Xauth PSK（iOS 或 Android）的客户端连接到此服务端。"
+
+msgid "Use a client that supports L2TP over IPSec PSK to connect to this server."
+msgstr "使用支持 L2TP over IPSec PSK 的客户端连接到此服务端。"
+
+msgid "Current Condition"
+msgstr "当前状态"
+
+msgid "General settings"
+msgstr "基本设置"
+
+msgid "Enabled"
+msgstr "启用"
+
+msgid "VPN Client IP"
+msgstr "VPN客户端地址段"
+
+msgid "VPN Client reserved started IP addresses with the same subnet mask, such as: 192.168.100.10/24"
+msgstr "VPN客户端获取IP的起始地址，例如：192.168.100.10/24"
+
+msgid "Secret Pre-Shared Key"
+msgstr "PSK密钥"
+
+msgid "VPN Server IP address, such as: 192.168.101.1"
+msgstr "VPN服务端IP地址，例如：192.168.101.1"
+
+msgid "VPN Client IP address range, such as: 192.168.101.10-20"
+msgstr "VPN客户端获取IP范围，例如：192.168.101.10-20"
+
+msgid "L2TP/IPSec is not compatible with kernel-libipsec, which will disable this module."
+msgstr "L2TP/IPSec不兼容kernel-libipsec，开启将会禁用此模块。"
+
+msgid "Users Manager"
+msgstr "用户管理"
+
+msgid "Username"
+msgstr "用户名"
+
+msgid "Password"
+msgstr "密码"
+
+msgid "IP address"
+msgstr "IP 地址"
+
+msgid "Automatically"
+msgstr "自动分配"
+
+msgid "Online Users"
+msgstr "在线用户"
+
+msgid "L2TP Online Users"
+msgstr "L2TP 在线用户"
+
+msgid "Login Time"
+msgstr "登录时间"
+
+msgid "Blacklist"
+msgstr "黑名单"
+
+msgid "Add to Blacklist"
+msgstr "加入黑名单"
+
+msgid "Remove from Blacklist"
+msgstr "移出黑名单"
+
+msgid "Forced offline"
+msgstr "强制下线"
+
+msgid "NOT RUNNING"
+msgstr "未运行"
+
+msgid "RUNNING"
+msgstr "运行中"

package/lean/luci-app-ipsec-server/po/zh_Hans

@@ -0,0 +1 @@
+zh-cn

package/lean/luci-app-ipsec-server/root/etc/config/luci-app-ipsec-server

@@ -0,0 +1,7 @@
+
+config service 'ipsec'
+	option enabled '0'
+	option secret 'ipsec'
+	option clientip '192.168.100.10/24'
+
+

package/lean/luci-app-ipsec-server/root/etc/init.d/luci-app-ipsec-server

@@ -0,0 +1,274 @@
+#!/bin/sh /etc/rc.common
+
+START=99
+
+CONFIG="luci-app-ipsec-server"
+IPSEC_SECRETS_FILE=/etc/ipsec.secrets
+IPSEC_CONN_FILE=/etc/ipsec.conf
+CHAP_SECRETS=/etc/ppp/chap-secrets
+L2TP_PATH=/var/etc/xl2tpd
+L2TP_CONTROL_FILE=${L2TP_PATH}/control
+L2TP_CONFIG_FILE=${L2TP_PATH}/xl2tpd.conf
+L2TP_OPTIONS_FILE=${L2TP_PATH}/options.xl2tpd
+L2TP_LOG_FILE=${L2TP_PATH}/xl2tpd.log
+
+vt_clientip=$(uci -q get ${CONFIG}.@service[0].clientip)
+l2tp_enabled=$(uci -q get ${CONFIG}.@service[0].l2tp_enable)
+l2tp_localip=$(uci -q get ${CONFIG}.@service[0].l2tp_localip)
+
+ipt_flag="IPSec VPN Server"
+
+get_enabled_anonymous_secs() {
+	uci -q show "${CONFIG}" | grep "${1}\[.*\.enabled='1'" | cut -d '.' -sf2
+}
+
+ipt_rule() {
+	if [ "$1" = "add" ]; then
+		iptables -t nat -I POSTROUTING -s ${vt_clientip} -m comment --comment "${ipt_flag}" -j MASQUERADE 2>/dev/null
+		iptables -I forwarding_rule -s ${vt_clientip} -m comment --comment "${ipt_flag}" -j ACCEPT 2>/dev/null
+		iptables -I forwarding_rule -m policy --dir in --pol ipsec --proto esp -m comment --comment "${ipt_flag}" -j ACCEPT 2>/dev/null
+		iptables -I forwarding_rule -m policy --dir out --pol ipsec --proto esp -m comment --comment "${ipt_flag}" -j ACCEPT 2>/dev/null
+		iptables -I INPUT -p udp -m multiport --dports 500,4500 -m comment --comment "${ipt_flag}" -j ACCEPT 2>/dev/null
+		iptables -t mangle -I OUTPUT -p udp -m multiport --sports 500,4500 -m comment --comment "${ipt_flag}" -j RETURN 2>/dev/null
+		[ "${l2tp_enabled}" = 1 ] && {
+			iptables -t nat -I POSTROUTING -s ${l2tp_localip%.*}.0/24 -m comment --comment "${ipt_flag}" -j MASQUERADE 2>/dev/null
+			iptables -I forwarding_rule -s ${l2tp_localip%.*}.0/24 -m comment --comment "${ipt_flag}" -j ACCEPT 2>/dev/null
+			iptables -I INPUT -p udp --dport 1701 -m comment --comment "${ipt_flag}" -j ACCEPT 2>/dev/null
+			iptables -t mangle -I OUTPUT -p udp --sport 1701 -m comment --comment "${ipt_flag}" -j RETURN 2>/dev/null
+		}
+	else
+		ipt_del() {
+			for i in $(seq 1 $($1 -nL $2 | grep -c "${ipt_flag}")); do
+				local index=$($1 --line-number -nL $2 | grep "${ipt_flag}" | head -1 | awk '{print $1}')
+				$1 -w -D $2 $index 2>/dev/null
+			done
+		}
+		ipt_del "iptables" "forwarding_rule"
+		ipt_del "iptables" "INPUT"
+		ipt_del "iptables -t nat" "POSTROUTING"
+		ipt_del "iptables -t mangle" "OUTPUT"
+	fi
+}
+
+gen_include() {
+	echo '#!/bin/sh' > /var/etc/ipsecvpn.include
+	extract_rules() {
+		echo "*$1"
+		iptables-save -t $1 | grep "${ipt_flag}" | \
+		sed -e "s/^-A \(INPUT\)/-I \1 1/"
+		echo 'COMMIT'
+	}
+	cat <<-EOF >> /var/etc/ipsecvpn.include
+		iptables-save -c | grep -v "${ipt_flag}" | iptables-restore -c
+		iptables-restore -n <<-EOT
+		$(extract_rules filter)
+		$(extract_rules nat)
+		EOT
+	EOF
+	return 0
+}
+
+start() {
+	local vt_enabled=$(uci -q get ${CONFIG}.@service[0].enabled)
+	[ "$vt_enabled" = 0 ] && return 1
+	
+	local vt_gateway="${vt_clientip%.*}.1"
+	local vt_secret=$(uci -q get ${CONFIG}.@service[0].secret)
+	
+	local l2tp_enabled=$(uci -q get ${CONFIG}.@service[0].l2tp_enable)
+	[ "${l2tp_enabled}" = 1 ] && {
+		touch ${CHAP_SECRETS}
+		local vt_remoteip=$(uci -q get ${CONFIG}.@service[0].l2tp_remoteip)
+		local ipsec_l2tp_config=$(cat <<-EOF
+		#######################################
+		# L2TP Connections
+		#######################################
+
+		conn L2TP-IKEv1-PSK
+		  type=transport
+		  keyexchange=ikev1
+		  authby=secret
+		  leftprotoport=udp/l2tp
+		  left=%any
+		  right=%any
+		  rekey=no
+		  forceencaps=yes
+		  ike=aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,3des-sha1-modp1536
+		  esp=aes128-sha1,3des-sha1
+		EOF
+		)
+		
+		mkdir -p ${L2TP_PATH}
+		cat > ${L2TP_OPTIONS_FILE} <<-EOF
+			name "l2tp-server"
+			ipcp-accept-local
+			ipcp-accept-remote
+			ms-dns ${l2tp_localip}
+			noccp
+			auth
+			idle 1800
+			mtu 1400
+			mru 1400
+			lcp-echo-failure 10
+			lcp-echo-interval 60
+			connect-delay 5000
+		EOF
+		cat > ${L2TP_CONFIG_FILE} <<-EOF
+			[global]
+			port = 1701
+			;debug avp = yes
+			;debug network = yes
+			;debug state = yes
+			;debug tunnel = yes
+			[lns default]
+			ip range = ${vt_remoteip}
+			local ip = ${l2tp_localip}
+			require chap = yes
+			refuse pap = yes
+			require authentication = no
+			name = l2tp-server
+			;ppp debug = yes
+			pppoptfile = ${L2TP_OPTIONS_FILE}
+			length bit = yes
+		EOF
+		
+		local l2tp_users=$(get_enabled_anonymous_secs "@l2tp_users")
+		[ -n "${l2tp_users}" ] && {
+			for _user in ${l2tp_users}; do
+				local u_enabled=$(uci -q get ${CONFIG}.${_user}.enabled)
+				[ "${u_enabled}" -eq 1 ] || continue
+				
+				local u_username=$(uci -q get ${CONFIG}.${_user}.username)
+				[ -n "${u_username}" ] || continue
+				
+				local u_password=$(uci -q get ${CONFIG}.${_user}.password)
+				[ -n "${u_password}" ] || continue
+				
+				local u_ipaddress=$(uci -q get ${CONFIG}.${_user}.ipaddress)
+				[ -n "${u_ipaddress}" ] || u_ipaddress="*"
+				
+				echo "${u_username} l2tp-server ${u_password} ${u_ipaddress}" >> ${CHAP_SECRETS}
+			done
+		}
+		unset user
+		
+		echo "ip-up-script /usr/share/xl2tpd/ip-up" >> ${L2TP_OPTIONS_FILE}
+		echo "ip-down-script /usr/share/xl2tpd/ip-down" >> ${L2TP_OPTIONS_FILE}
+
+		xl2tpd -c ${L2TP_CONFIG_FILE} -C ${L2TP_CONTROL_FILE} -D >${L2TP_LOG_FILE} 2>&1 &
+		rm -f "/usr/lib/ipsec/libipsec.so.0"
+	}
+	
+	cat > ${IPSEC_CONN_FILE} <<-EOF
+		# ipsec.conf - strongSwan IPsec configuration file
+
+		config setup
+		  uniqueids=no
+		  charondebug="cfg 2, dmn 2, ike 2, net 0"
+
+		conn %default
+		  dpdaction=clear
+		  dpddelay=300s
+		  rekey=no
+		  left=%defaultroute
+		  leftfirewall=yes
+		  right=%any
+		  ikelifetime=60m
+		  keylife=20m
+		  rekeymargin=3m
+		  keyingtries=1
+		  auto=add
+		  
+		#######################################
+		# Default non L2TP Connections
+		#######################################
+
+		conn Non-L2TP
+		  leftsubnet=0.0.0.0/0
+		  rightsubnet=${vt_clientip}
+		  rightsourceip=${vt_clientip}
+		  rightdns=${vt_gateway}
+		  ike=aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,3des-sha1-modp1536
+		  esp=aes128-sha1,3des-sha1
+
+		# Cisco IPSec
+		conn IKEv1-PSK-XAuth
+		  also=Non-L2TP
+		  keyexchange=ikev1
+		  leftauth=psk
+		  rightauth=psk
+		  rightauth2=xauth
+
+		$ipsec_l2tp_config
+	EOF
+
+	cat > /etc/ipsec.secrets <<-EOF
+	# /etc/ipsec.secrets - strongSwan IPsec secrets file
+	: PSK "$vt_secret"
+	EOF
+	
+	local ipsec_users=$(get_enabled_anonymous_secs "@ipsec_users")
+	[ -n "${ipsec_users}" ] && {
+		for _user in ${ipsec_users}; do
+			local u_enabled=$(uci -q get ${CONFIG}.${_user}.enabled)
+			[ "${u_enabled}" -eq 1 ] || continue
+			
+			local u_username=$(uci -q get ${CONFIG}.${_user}.username)
+			[ -n "${u_username}" ] || continue
+			
+			local u_password=$(uci -q get ${CONFIG}.${_user}.password)
+			[ -n "${u_password}" ] || continue
+			
+			echo "${u_username} : XAUTH '${u_password}'" >> ${IPSEC_SECRETS_FILE}
+		done
+	}
+	unset user
+	
+	ipt_rule add
+	
+	/usr/lib/ipsec/starter --daemon charon --nofork > /dev/null 2>&1 &
+	gen_include
+	
+	uci -q batch <<-EOF >/dev/null
+		set network.ipsec_server.ipaddr="${vt_clientip%.*}.1"
+		commit network
+	EOF
+	ifup ipsec_server > /dev/null 2>&1
+}
+
+stop() {
+	ifdown ipsec_server > /dev/null 2>&1
+	sed -i '/l2tp-server/d' ${CHAP_SECRETS} 2>/dev/null
+	top -bn1 | grep "${L2TP_PATH}" | grep -v "grep" | awk '{print $1}' | xargs kill -9 >/dev/null 2>&1
+	rm -rf ${L2TP_PATH}
+	ps -w | grep "/usr/lib/ipsec" | grep -v "grep" | awk '{print $1}' | xargs kill -9 >/dev/null 2>&1
+	ipt_rule del
+	rm -rf /var/etc/ipsecvpn.include
+	ln -s "libipsec.so.0.0.0" "/usr/lib/ipsec/libipsec.so.0" >/dev/null 2>&1
+}
+
+gen_iface_and_firewall() {
+	uci -q batch <<-EOF >/dev/null
+		delete network.ipsec_server
+		set network.ipsec_server=interface
+		set network.ipsec_server.ifname="ipsec0"
+		set network.ipsec_server.device="ipsec0"
+		set network.ipsec_server.proto="static"
+		set network.ipsec_server.ipaddr="${vt_clientip%.*}.1"
+		set network.ipsec_server.netmask="255.255.255.0"
+		commit network
+		
+		delete firewall.ipsecserver
+		set firewall.ipsecserver=zone
+		set firewall.ipsecserver.name="ipsecserver"
+		set firewall.ipsecserver.input="ACCEPT"
+		set firewall.ipsecserver.forward="ACCEPT"
+		set firewall.ipsecserver.output="ACCEPT"
+		set firewall.ipsecserver.network="ipsec_server"
+		commit firewall
+	EOF
+}
+
+if [ -z "$(uci -q get network.ipsec_server)" ] || [ -z "$(uci -q get firewall.ipsecserver)" ]; then
+	gen_iface_and_firewall
+fi

package/lean/luci-app-ipsec-server/root/etc/uci-defaults/luci-app-ipsec-server

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+uci -q batch <<-EOF >/dev/null
+	delete firewall.luci_app_ipsec_server
+	set firewall.luci_app_ipsec_server=include
+	set firewall.luci_app_ipsec_server.type=script
+	set firewall.luci_app_ipsec_server.path=/var/etc/ipsecvpn.include
+	set firewall.luci_app_ipsec_server.reload=1
+EOF
+
+uci -q batch <<-EOF >/dev/null
+	delete ucitrack.@luci-app-ipsec-server[-1]
+	add ucitrack luci-app-ipsec-server
+	set ucitrack.@luci-app-ipsec-server[-1].init=luci-app-ipsec-server
+	commit ucitrack
+EOF
+
+/etc/init.d/ipsec disable 2>/dev/null
+/etc/init.d/ipsec stop 2>/dev/null
+/etc/init.d/xl2tpd disable 2>/dev/null
+/etc/init.d/xl2tpd stop 2>/dev/null
+rm -rf /tmp/luci-*cache
+exit 0

package/lean/luci-app-ipsec-server/root/usr/share/rpcd/acl.d/luci-app-ipsec-server.json

@@ -0,0 +1,11 @@
+{
+	"luci-app-ipsec-server": {
+		"description": "Grant UCI access for luci-app-ipsec-server",
+		"read": {
+			"uci": [ "luci-app-ipsec-server" ]
+		},
+		"write": {
+			"uci": [ "luci-app-ipsec-server" ]
+		}
+	}
+}

package/lean/luci-app-ipsec-server/root/usr/share/xl2tpd/ip-down

@@ -0,0 +1,27 @@
+#!/bin/sh
+
+_LOGOUT_TIME="$(date "+%Y-%m-%d %H:%M:%S")"
+CONFIG="luci-app-ipsec-server"
+L2TP_PATH=/var/etc/xl2tpd
+L2TP_SESSION_PATH=${L2TP_PATH}/session
+
+_USERNAME=${PEERNAME}
+_IFACE=${1}
+_TTY=${2}
+_SPEED=${3}
+_LOCALIP=${4}
+_PEERIP=${5}
+_REMOTEIP=${6}
+_BYTES_SENT=${BYTES_SENT}
+_BYTES_RCVD=${BYTES_RCVD}
+_CONNECT_TIME=${CONNECT_TIME}
+
+rm -f ${L2TP_SESSION_PATH}/${_USERNAME}.${_IFACE}
+rm -f /var/run/${_IFACE}.pid
+
+#可根据退出的账号自定义脚本，如静态路由表，组网等。
+SCRIPT="/usr/share/xl2tpd/ip-down.d/${_USERNAME}"
+[ -s "$SCRIPT" ] && {
+	[ ! -x "$SCRIPT" ] && chmod 0755 "$SCRIPT"
+	"$SCRIPT" "$@"
+}

package/lean/luci-app-ipsec-server/root/usr/share/xl2tpd/ip-up

@@ -0,0 +1,58 @@
+#!/bin/sh
+
+_LOGIN_TIME="$(date "+%Y-%m-%d %H:%M:%S")"
+CONFIG="luci-app-ipsec-server"
+L2TP_PATH=/var/etc/xl2tpd
+L2TP_SESSION_PATH=${L2TP_PATH}/session
+
+_USERNAME=${PEERNAME}
+_IFACE=${1}
+_TTY=${2}
+_SPEED=${3}
+_LOCALIP=${4}
+_PEERIP=${5}
+
+_PID=$(cat /var/run/${_IFACE}.pid 2>/dev/null)
+_REMOTEIP=$(cat /var/etc/xl2tpd/xl2tpd.log 2>/dev/null | grep "PID: ${_PID}" | grep -o -E '([0-9]{1,3}[\.]){3}[0-9]{1,3}')
+
+mkdir -p ${L2TP_SESSION_PATH}
+
+cat <<-EOF > ${L2TP_SESSION_PATH}/${_USERNAME}.${_IFACE}
+	{
+	    "username": "${_USERNAME}",
+	    "interface": "${_IFACE}",
+	    "tty": "${_TTY}",
+	    "speed": "${_SPEED}",
+	    "ip": "${_PEERIP}",
+	    "remote_ip": "${_REMOTEIP}",
+	    "pid": "${_PID}",
+	    "login_time": "${_LOGIN_TIME}"
+	}
+EOF
+
+#只能单用户使用
+cfgid=$(uci show ${CONFIG} | grep "@l2tp_users" | grep "\.username='${_USERNAME}'" | cut -d '.' -sf 2)
+[ -n "$cfgid" ] && {
+	HAS_LOGIN=$(ls ${L2TP_SESSION_PATH} | grep "^${_USERNAME}\.ppp" | grep -v "${_IFACE}")
+	[ -n "$HAS_LOGIN" ] && {
+		#踢出之前的用户
+		KO_IFACE=$(echo $HAS_LOGIN | awk -F '.' '{print $2}')
+		KO_PID=$(cat /var/run/${KO_IFACE}.pid 2>/dev/null)
+		[ -n "$KO_PID" ] && kill -9 ${KO_PID} >/dev/null 2>&1
+		rm -f ${L2TP_SESSION_PATH}/${HAS_LOGIN}
+		rm -f /var/run/${KO_IFACE}.pid
+	}
+	routes=$(uci -q get ${CONFIG}.${cfgid}.routes)
+	[ -n "$routes" ] && {
+		for router in ${routes}; do
+			route add -net ${router} dev ${_IFACE} >/dev/null 2>&1
+		done
+	}
+}
+
+#可根据登录的账号自定义脚本，如组网、日志、限速、权限等特殊待遇。
+SCRIPT="/usr/share/xl2tpd/ip-up.d/${_USERNAME}"
+[ -s "$SCRIPT" ] && {
+	[ ! -x "$SCRIPT" ] && chmod 0755 "$SCRIPT"
+	"$SCRIPT" "$@"
+}

tools/Makefile

@@ -46,7 +46,6 @@ $(curdir)/bison/compile := $(curdir)/flex/compile
 $(curdir)/cbootimage/compile += $(curdir)/automake/compile
 $(curdir)/cmake/compile += $(curdir)/libressl/compile $(curdir)/ninja/compile
 $(curdir)/dosfstools/compile := $(curdir)/autoconf/compile $(curdir)/automake/compile
-$(curdir)/expat/compile := $(curdir)/cmake/compile
 $(curdir)/e2fsprogs/compile := $(curdir)/libtool/compile
 $(curdir)/fakeroot/compile := $(curdir)/libtool/compile
 $(curdir)/findutils/compile := $(curdir)/bison/compile

tools/expat/Makefile

@@ -15,19 +15,15 @@ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_HASH:=ce317706b07cae150f90cddd4253f5b4fba929607488af5ac47bf2bc08e31f09
 PKG_SOURCE_URL:=https://github.com/libexpat/libexpat/releases/download/R_$(subst .,_,$(PKG_VERSION))
 
+HOST_BUILD_PARALLEL:=1
+
 include $(INCLUDE_DIR)/host-build.mk
-include $(INCLUDE_DIR)/cmake.mk
 
-CMAKE_HOST_OPTIONS += \
+HOST_CONFIGURE_ARGS += \
-	-DDOCBOOK_TO_MAN=OFF \
+	--without-docbook
-	-DEXPAT_BUILD_TOOLS=OFF \
-	-DEXPAT_BUILD_EXAMPLES=OFF \
-	-DEXPAT_BUILD_TESTS=OFF \
-	-DEXPAT_BUILD_DOCS=OFF \
-	-DEXPAT_WITH_LIBBSD=OFF \
-	-DEXPAT_ENABLE_INSTALL=ON \
-	-DEXPAT_DTD=OFF \
-	-DEXPAT_NS=OFF \
-	-DEXPAT_DEV_URANDOM=OFF
 
-$(eval $(call HostBuild))
+define Host/Install
+	$(MAKE) -C $(HOST_BUILD_DIR) install
+endef
+
+$(eval $(call HostBuild))