diff --git a/package/lean/luci-app-ipsec-server/Makefile b/package/lean/luci-app-ipsec-server/Makefile deleted file mode 100644 index 8934d4946..000000000 --- a/package/lean/luci-app-ipsec-server/Makefile +++ /dev/null @@ -1,14 +0,0 @@ -# Copyright (C) 2018-2021 Lienol -# -# This is free software, licensed under the Apache License, Version 2.0 . -# - -include $(TOPDIR)/rules.mk - -LUCI_TITLE:=LuCI support for IPSec VPN Server -LUCI_DEPENDS:=+kmod-tun +luci-lib-jsonc +strongswan +strongswan-minimal +strongswan-mod-kernel-libipsec +strongswan-mod-openssl +strongswan-mod-xauth-generic +xl2tpd -LUCI_PKGARCH:=all - -include $(TOPDIR)/feeds/luci/luci.mk - -# call BuildPackage - OpenWrt buildroot signature diff --git a/package/lean/luci-app-ipsec-server/luasrc/controller/ipsec-server.lua b/package/lean/luci-app-ipsec-server/luasrc/controller/ipsec-server.lua deleted file mode 100644 index 921c2599c..000000000 --- a/package/lean/luci-app-ipsec-server/luasrc/controller/ipsec-server.lua +++ /dev/null @@ -1,22 +0,0 @@ --- Copyright 2018-2020 Lienol -module("luci.controller.ipsec-server", package.seeall) - -function index() - if not nixio.fs.access("/etc/config/luci-app-ipsec-server") then return end - - entry({"admin", "vpn"}, firstchild(), "VPN", 45).dependent = false - entry({"admin", "vpn", "ipsec-server"}, alias("admin", "vpn", "ipsec-server", "settings"), _("IPSec VPN Server"), 49).dependent = false - entry({"admin", "vpn", "ipsec-server", "settings"}, cbi("ipsec-server/settings"), _("General Settings"), 10).leaf = true - entry({"admin", "vpn", "ipsec-server", "users"}, cbi("ipsec-server/users"), _("Users Manager"), 20).leaf = true - entry({"admin", "vpn", "ipsec-server", "l2tp_user"}, cbi("ipsec-server/l2tp_user")).leaf = true - entry({"admin", "vpn", "ipsec-server", "online"}, cbi("ipsec-server/online"), _("L2TP Online Users"), 30).leaf = true - entry({"admin", "vpn", "ipsec-server", "status"}, call("status")).leaf = true -end - -function status() - local e = {} - e["ipsec_status"] = luci.sys.call("/usr/bin/pgrep ipsec >/dev/null") == 0 - e["l2tp_status"] = luci.sys.call("top -bn1 | grep -v grep | grep '/var/etc/xl2tpd' >/dev/null") == 0 - luci.http.prepare_content("application/json") - luci.http.write_json(e) -end diff --git a/package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/l2tp_user.lua b/package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/l2tp_user.lua deleted file mode 100644 index 7781a4b6e..000000000 --- a/package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/l2tp_user.lua +++ /dev/null @@ -1,35 +0,0 @@ -local d = require "luci.dispatcher" -local sys = require "luci.sys" - -m = Map("luci-app-ipsec-server", "L2TP/IPSec PSK " .. translate("Users Manager")) -m.redirect = d.build_url("admin", "vpn", "ipsec-server", "users") - -if sys.call("command -v xl2tpd > /dev/null") == 0 then - s = m:section(NamedSection, arg[1], "l2tp_users", "") - s.addremove = false - s.anonymous = true - - o = s:option(Flag, "enabled", translate("Enabled")) - o.default = 1 - o.rmempty = false - - o = s:option(Value, "username", translate("Username")) - o.placeholder = translate("Username") - o.rmempty = false - - o = s:option(Value, "password", translate("Password")) - o.placeholder = translate("Password") - o.rmempty = false - - o = s:option(Value, "ipaddress", translate("IP address")) - o.placeholder = translate("Automatically") - o.datatype = "ip4addr" - o.rmempty = true - - o = s:option(DynamicList, "routes", translate("Static Routes")) - o.placeholder = "192.168.10.0/24" - o.datatype = "ipmask4" - o.rmempty = true -end - -return m diff --git a/package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/online.lua b/package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/online.lua deleted file mode 100644 index 8b3498cc5..000000000 --- a/package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/online.lua +++ /dev/null @@ -1,83 +0,0 @@ -local o = require "luci.dispatcher" -local fs = require "nixio.fs" -local jsonc = require "luci.jsonc" - -local sessions = {} -local session_path = "/var/etc/xl2tpd/session" -if fs.access(session_path) then - for filename in fs.dir(session_path) do - local session_file = session_path .. "/" .. filename - local file = io.open(session_file, "r") - local t = jsonc.parse(file:read("*a")) - if t then - t.session_file = session_file - sessions[#sessions + 1] = t - end - file:close() - end -end - -local blacklist = {} -local firewall_user_path = "/etc/firewall.user" -if fs.access(firewall_user_path) then - for line in io.lines(firewall_user_path) do - local m = line:match('xl2tpd%-blacklist%-([^\n]+)') - if m then - local t = {} - t.ip = m - blacklist[#blacklist + 1] = t - end - end -end - -f = SimpleForm("processes") -f.reset = false -f.submit = false - -t = f:section(Table, sessions, translate("L2TP Online Users")) -t:option(DummyValue, "username", translate("Username")) -t:option(DummyValue, "interface", translate("Interface")) -t:option(DummyValue, "ip", translate("Client IP")) -t:option(DummyValue, "remote_ip", translate("IP address")) -t:option(DummyValue, "login_time", translate("Login Time")) - -_blacklist = t:option(Button, "_blacklist", translate("Blacklist")) -function _blacklist.render(e, t, a) - e.title = translate("Add to Blacklist") - e.inputstyle = "remove" - Button.render(e, t, a) -end -function _blacklist.write(t, s) - local e = t.map:get(s, "remote_ip") - luci.util.execi("echo 'iptables -I INPUT -s %s -p udp -m multiport --dports 500,4500,1701 -j DROP ## xl2tpd-blacklist-%s' >> /etc/firewall.user" % {e, e}) - luci.util.execi("iptables -I INPUT -s %s -p udp -m multiport --dports 500,4500,1701 -j DROP" % {e}) - luci.util.execi("rm -f " .. t.map:get(s, "session_file")) - null, t.tag_error[s] = luci.sys.process.signal(t.map:get(s, "pid"), 9) - luci.http.redirect(o.build_url("admin/vpn/ipsec-server/online")) -end - -_kill = t:option(Button, "_kill", translate("Forced offline")) -_kill.inputstyle = "remove" -function _kill.write(t, s) - luci.util.execi("rm -f " .. t.map:get(s, "session_file")) - null, t.tag_error[t] = luci.sys.process.signal(t.map:get(s, "pid"), 9) - luci.http.redirect(o.build_url("admin/vpn/ipsec-server/online")) -end - -t = f:section(Table, blacklist, translate("Blacklist")) -t:option(DummyValue, "ip", translate("IP address")) - -_blacklist2 = t:option(Button, "_blacklist2", translate("Blacklist")) -function _blacklist2.render(e, t, a) - e.title = translate("Remove from Blacklist") - e.inputstyle = "apply" - Button.render(e, t, a) -end -function _blacklist2.write(t, s) - local e = t.map:get(s, "ip") - luci.util.execi("sed -i -e '/## xl2tpd-blacklist-%s/d' /etc/firewall.user" % {e}) - luci.util.execi("iptables -D INPUT -s %s -p udp -m multiport --dports 500,4500,1701 -j DROP" % {e}) - luci.http.redirect(o.build_url("admin/vpn/ipsec-server/online")) -end - -return f diff --git a/package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/settings.lua b/package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/settings.lua deleted file mode 100644 index 73c7f24e7..000000000 --- a/package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/settings.lua +++ /dev/null @@ -1,60 +0,0 @@ -local sys = require "luci.sys" - -m = Map("luci-app-ipsec-server", translate("IPSec VPN Server")) -m.template = "ipsec-server/index" - -s = m:section(TypedSection, "service") -s.anonymous = true - -o = s:option(DummyValue, "ipsec-server_status", translate("Current Condition")) -o.rawhtml = true -o.cfgvalue = function(t, n) - return '' -end - -enabled = s:option(Flag, "enabled", translate("Enable"), translate("Use a client that supports IPSec Xauth PSK (iOS or Android) to connect to this server.")) -enabled.default = 0 -enabled.rmempty = false - -clientip = s:option(Value, "clientip", translate("VPN Client IP")) -clientip.datatype = "ip4addr" -clientip.description = translate("VPN Client reserved started IP addresses with the same subnet mask, such as: 192.168.100.10/24") -clientip.optional = false -clientip.rmempty = false - -secret = s:option(Value, "secret", translate("Secret Pre-Shared Key")) -secret.password = true - -if sys.call("command -v xl2tpd > /dev/null") == 0 then - o = s:option(DummyValue, "l2tp_status", "L2TP " .. translate("Current Condition")) - o.rawhtml = true - o.cfgvalue = function(t, n) - return '' - end - - o = s:option(Flag, "l2tp_enable", "L2TP " .. translate("Enable"), translate("Use a client that supports L2TP over IPSec PSK to connect to this server.")) - o.default = 0 - o.rmempty = false - - o = s:option(Value, "l2tp_localip", "L2TP " .. translate("Server IP"), translate("VPN Server IP address, such as: 192.168.101.1")) - o.datatype = "ip4addr" - o.rmempty = true - o.default = "192.168.101.1" - o.placeholder = o.default - - o = s:option(Value, "l2tp_remoteip", "L2TP " .. translate("Client IP"), translate("VPN Client IP address range, such as: 192.168.101.10-20")) - o.rmempty = true - o.default = "192.168.101.10-20" - o.placeholder = o.default - - if sys.call("ls -L /usr/lib/ipsec/libipsec* 2>/dev/null >/dev/null") == 0 then - o = s:option(DummyValue, "_o", " ") - o.rawhtml = true - o.cfgvalue = function(t, n) - return string.format('%s', translate("L2TP/IPSec is not compatible with kernel-libipsec, which will disable this module.")) - end - o:depends("l2tp_enable", true) - end -end - -return m diff --git a/package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/users.lua b/package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/users.lua deleted file mode 100644 index d5c883d86..000000000 --- a/package/lean/luci-app-ipsec-server/luasrc/model/cbi/ipsec-server/users.lua +++ /dev/null @@ -1,54 +0,0 @@ -local d = require "luci.dispatcher" -local sys = require "luci.sys" - -m = Map("luci-app-ipsec-server") - -s = m:section(TypedSection, "ipsec_users", "IPSec Xauth PSK " .. translate("Users Manager")) -s.description = translate("Use a client that supports IPSec Xauth PSK (iOS or Android) to connect to this server.") -s.addremove = true -s.anonymous = true -s.template = "cbi/tblsection" - -o = s:option(Flag, "enabled", translate("Enabled")) -o.default = 1 -o.rmempty = false - -o = s:option(Value, "username", translate("Username")) -o.placeholder = translate("Username") -o.rmempty = false - -o = s:option(Value, "password", translate("Password")) -o.placeholder = translate("Password") -o.rmempty = false - -if sys.call("command -v xl2tpd > /dev/null") == 0 then - s = m:section(TypedSection, "l2tp_users", "L2TP/IPSec PSK " .. translate("Users Manager")) - s.description = translate("Use a client that supports L2TP over IPSec PSK to connect to this server.") - s.addremove = true - s.anonymous = true - s.template = "cbi/tblsection" - s.extedit = d.build_url("admin", "vpn", "ipsec-server", "l2tp_user", "%s") - function s.create(e, t) - t = TypedSection.create(e, t) - luci.http.redirect(e.extedit:format(t)) - end - - o = s:option(Flag, "enabled", translate("Enabled")) - o.default = 1 - o.rmempty = false - - o = s:option(Value, "username", translate("Username")) - o.placeholder = translate("Username") - o.rmempty = false - - o = s:option(Value, "password", translate("Password")) - o.placeholder = translate("Password") - o.rmempty = false - - o = s:option(Value, "ipaddress", translate("IP address")) - o.placeholder = translate("Automatically") - o.datatype = "ip4addr" - o.rmempty = true -end - -return m diff --git a/package/lean/luci-app-ipsec-server/luasrc/view/ipsec-server/index.htm b/package/lean/luci-app-ipsec-server/luasrc/view/ipsec-server/index.htm deleted file mode 100644 index 607e5ff35..000000000 --- a/package/lean/luci-app-ipsec-server/luasrc/view/ipsec-server/index.htm +++ /dev/null @@ -1,21 +0,0 @@ -<% include("cbi/map") %> - diff --git a/package/lean/luci-app-ipsec-server/po/zh-cn/ipsec.po b/package/lean/luci-app-ipsec-server/po/zh-cn/ipsec.po deleted file mode 100644 index b822a2f03..000000000 --- a/package/lean/luci-app-ipsec-server/po/zh-cn/ipsec.po +++ /dev/null @@ -1,77 +0,0 @@ -msgid "IPSec VPN Server" -msgstr "IPSec VPN 服务器" - -msgid "Use a client that supports IPSec Xauth PSK (iOS or Android) to connect to this server." -msgstr "使用支持 IPSec Xauth PSK(iOS 或 Android)的客户端连接到此服务端。" - -msgid "Use a client that supports L2TP over IPSec PSK to connect to this server." -msgstr "使用支持 L2TP over IPSec PSK 的客户端连接到此服务端。" - -msgid "Current Condition" -msgstr "当前状态" - -msgid "General settings" -msgstr "基本设置" - -msgid "Enabled" -msgstr "启用" - -msgid "VPN Client IP" -msgstr "VPN客户端地址段" - -msgid "VPN Client reserved started IP addresses with the same subnet mask, such as: 192.168.100.10/24" -msgstr "VPN客户端获取IP的起始地址,例如:192.168.100.10/24" - -msgid "Secret Pre-Shared Key" -msgstr "PSK密钥" - -msgid "VPN Server IP address, such as: 192.168.101.1" -msgstr "VPN服务端IP地址,例如:192.168.101.1" - -msgid "VPN Client IP address range, such as: 192.168.101.10-20" -msgstr "VPN客户端获取IP范围,例如:192.168.101.10-20" - -msgid "L2TP/IPSec is not compatible with kernel-libipsec, which will disable this module." -msgstr "L2TP/IPSec不兼容kernel-libipsec,开启将会禁用此模块。" - -msgid "Users Manager" -msgstr "用户管理" - -msgid "Username" -msgstr "用户名" - -msgid "Password" -msgstr "密码" - -msgid "IP address" -msgstr "IP 地址" - -msgid "Automatically" -msgstr "自动分配" - -msgid "Online Users" -msgstr "在线用户" - -msgid "L2TP Online Users" -msgstr "L2TP 在线用户" - -msgid "Login Time" -msgstr "登录时间" - -msgid "Blacklist" -msgstr "黑名单" - -msgid "Add to Blacklist" -msgstr "加入黑名单" - -msgid "Remove from Blacklist" -msgstr "移出黑名单" - -msgid "Forced offline" -msgstr "强制下线" - -msgid "NOT RUNNING" -msgstr "未运行" - -msgid "RUNNING" -msgstr "运行中" \ No newline at end of file diff --git a/package/lean/luci-app-ipsec-server/po/zh_Hans b/package/lean/luci-app-ipsec-server/po/zh_Hans deleted file mode 120000 index 41451e4a1..000000000 --- a/package/lean/luci-app-ipsec-server/po/zh_Hans +++ /dev/null @@ -1 +0,0 @@ -zh-cn \ No newline at end of file diff --git a/package/lean/luci-app-ipsec-server/root/etc/config/luci-app-ipsec-server b/package/lean/luci-app-ipsec-server/root/etc/config/luci-app-ipsec-server deleted file mode 100644 index 6d90a5d69..000000000 --- a/package/lean/luci-app-ipsec-server/root/etc/config/luci-app-ipsec-server +++ /dev/null @@ -1,7 +0,0 @@ - -config service 'ipsec' - option enabled '0' - option secret 'ipsec' - option clientip '192.168.100.10/24' - - diff --git a/package/lean/luci-app-ipsec-server/root/etc/init.d/luci-app-ipsec-server b/package/lean/luci-app-ipsec-server/root/etc/init.d/luci-app-ipsec-server deleted file mode 100755 index 9371763e2..000000000 --- a/package/lean/luci-app-ipsec-server/root/etc/init.d/luci-app-ipsec-server +++ /dev/null @@ -1,274 +0,0 @@ -#!/bin/sh /etc/rc.common - -START=99 - -CONFIG="luci-app-ipsec-server" -IPSEC_SECRETS_FILE=/etc/ipsec.secrets -IPSEC_CONN_FILE=/etc/ipsec.conf -CHAP_SECRETS=/etc/ppp/chap-secrets -L2TP_PATH=/var/etc/xl2tpd -L2TP_CONTROL_FILE=${L2TP_PATH}/control -L2TP_CONFIG_FILE=${L2TP_PATH}/xl2tpd.conf -L2TP_OPTIONS_FILE=${L2TP_PATH}/options.xl2tpd -L2TP_LOG_FILE=${L2TP_PATH}/xl2tpd.log - -vt_clientip=$(uci -q get ${CONFIG}.@service[0].clientip) -l2tp_enabled=$(uci -q get ${CONFIG}.@service[0].l2tp_enable) -l2tp_localip=$(uci -q get ${CONFIG}.@service[0].l2tp_localip) - -ipt_flag="IPSec VPN Server" - -get_enabled_anonymous_secs() { - uci -q show "${CONFIG}" | grep "${1}\[.*\.enabled='1'" | cut -d '.' -sf2 -} - -ipt_rule() { - if [ "$1" = "add" ]; then - iptables -t nat -I POSTROUTING -s ${vt_clientip} -m comment --comment "${ipt_flag}" -j MASQUERADE 2>/dev/null - iptables -I forwarding_rule -s ${vt_clientip} -m comment --comment "${ipt_flag}" -j ACCEPT 2>/dev/null - iptables -I forwarding_rule -m policy --dir in --pol ipsec --proto esp -m comment --comment "${ipt_flag}" -j ACCEPT 2>/dev/null - iptables -I forwarding_rule -m policy --dir out --pol ipsec --proto esp -m comment --comment "${ipt_flag}" -j ACCEPT 2>/dev/null - iptables -I INPUT -p udp -m multiport --dports 500,4500 -m comment --comment "${ipt_flag}" -j ACCEPT 2>/dev/null - iptables -t mangle -I OUTPUT -p udp -m multiport --sports 500,4500 -m comment --comment "${ipt_flag}" -j RETURN 2>/dev/null - [ "${l2tp_enabled}" = 1 ] && { - iptables -t nat -I POSTROUTING -s ${l2tp_localip%.*}.0/24 -m comment --comment "${ipt_flag}" -j MASQUERADE 2>/dev/null - iptables -I forwarding_rule -s ${l2tp_localip%.*}.0/24 -m comment --comment "${ipt_flag}" -j ACCEPT 2>/dev/null - iptables -I INPUT -p udp --dport 1701 -m comment --comment "${ipt_flag}" -j ACCEPT 2>/dev/null - iptables -t mangle -I OUTPUT -p udp --sport 1701 -m comment --comment "${ipt_flag}" -j RETURN 2>/dev/null - } - else - ipt_del() { - for i in $(seq 1 $($1 -nL $2 | grep -c "${ipt_flag}")); do - local index=$($1 --line-number -nL $2 | grep "${ipt_flag}" | head -1 | awk '{print $1}') - $1 -w -D $2 $index 2>/dev/null - done - } - ipt_del "iptables" "forwarding_rule" - ipt_del "iptables" "INPUT" - ipt_del "iptables -t nat" "POSTROUTING" - ipt_del "iptables -t mangle" "OUTPUT" - fi -} - -gen_include() { - echo '#!/bin/sh' > /var/etc/ipsecvpn.include - extract_rules() { - echo "*$1" - iptables-save -t $1 | grep "${ipt_flag}" | \ - sed -e "s/^-A \(INPUT\)/-I \1 1/" - echo 'COMMIT' - } - cat <<-EOF >> /var/etc/ipsecvpn.include - iptables-save -c | grep -v "${ipt_flag}" | iptables-restore -c - iptables-restore -n <<-EOT - $(extract_rules filter) - $(extract_rules nat) - EOT - EOF - return 0 -} - -start() { - local vt_enabled=$(uci -q get ${CONFIG}.@service[0].enabled) - [ "$vt_enabled" = 0 ] && return 1 - - local vt_gateway="${vt_clientip%.*}.1" - local vt_secret=$(uci -q get ${CONFIG}.@service[0].secret) - - local l2tp_enabled=$(uci -q get ${CONFIG}.@service[0].l2tp_enable) - [ "${l2tp_enabled}" = 1 ] && { - touch ${CHAP_SECRETS} - local vt_remoteip=$(uci -q get ${CONFIG}.@service[0].l2tp_remoteip) - local ipsec_l2tp_config=$(cat <<-EOF - ####################################### - # L2TP Connections - ####################################### - - conn L2TP-IKEv1-PSK - type=transport - keyexchange=ikev1 - authby=secret - leftprotoport=udp/l2tp - left=%any - right=%any - rekey=no - forceencaps=yes - ike=aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,3des-sha1-modp1536 - esp=aes128-sha1,3des-sha1 - EOF - ) - - mkdir -p ${L2TP_PATH} - cat > ${L2TP_OPTIONS_FILE} <<-EOF - name "l2tp-server" - ipcp-accept-local - ipcp-accept-remote - ms-dns ${l2tp_localip} - noccp - auth - idle 1800 - mtu 1400 - mru 1400 - lcp-echo-failure 10 - lcp-echo-interval 60 - connect-delay 5000 - EOF - cat > ${L2TP_CONFIG_FILE} <<-EOF - [global] - port = 1701 - ;debug avp = yes - ;debug network = yes - ;debug state = yes - ;debug tunnel = yes - [lns default] - ip range = ${vt_remoteip} - local ip = ${l2tp_localip} - require chap = yes - refuse pap = yes - require authentication = no - name = l2tp-server - ;ppp debug = yes - pppoptfile = ${L2TP_OPTIONS_FILE} - length bit = yes - EOF - - local l2tp_users=$(get_enabled_anonymous_secs "@l2tp_users") - [ -n "${l2tp_users}" ] && { - for _user in ${l2tp_users}; do - local u_enabled=$(uci -q get ${CONFIG}.${_user}.enabled) - [ "${u_enabled}" -eq 1 ] || continue - - local u_username=$(uci -q get ${CONFIG}.${_user}.username) - [ -n "${u_username}" ] || continue - - local u_password=$(uci -q get ${CONFIG}.${_user}.password) - [ -n "${u_password}" ] || continue - - local u_ipaddress=$(uci -q get ${CONFIG}.${_user}.ipaddress) - [ -n "${u_ipaddress}" ] || u_ipaddress="*" - - echo "${u_username} l2tp-server ${u_password} ${u_ipaddress}" >> ${CHAP_SECRETS} - done - } - unset user - - echo "ip-up-script /usr/share/xl2tpd/ip-up" >> ${L2TP_OPTIONS_FILE} - echo "ip-down-script /usr/share/xl2tpd/ip-down" >> ${L2TP_OPTIONS_FILE} - - xl2tpd -c ${L2TP_CONFIG_FILE} -C ${L2TP_CONTROL_FILE} -D >${L2TP_LOG_FILE} 2>&1 & - rm -f "/usr/lib/ipsec/libipsec.so.0" - } - - cat > ${IPSEC_CONN_FILE} <<-EOF - # ipsec.conf - strongSwan IPsec configuration file - - config setup - uniqueids=no - charondebug="cfg 2, dmn 2, ike 2, net 0" - - conn %default - dpdaction=clear - dpddelay=300s - rekey=no - left=%defaultroute - leftfirewall=yes - right=%any - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - auto=add - - ####################################### - # Default non L2TP Connections - ####################################### - - conn Non-L2TP - leftsubnet=0.0.0.0/0 - rightsubnet=${vt_clientip} - rightsourceip=${vt_clientip} - rightdns=${vt_gateway} - ike=aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,3des-sha1-modp1536 - esp=aes128-sha1,3des-sha1 - - # Cisco IPSec - conn IKEv1-PSK-XAuth - also=Non-L2TP - keyexchange=ikev1 - leftauth=psk - rightauth=psk - rightauth2=xauth - - $ipsec_l2tp_config - EOF - - cat > /etc/ipsec.secrets <<-EOF - # /etc/ipsec.secrets - strongSwan IPsec secrets file - : PSK "$vt_secret" - EOF - - local ipsec_users=$(get_enabled_anonymous_secs "@ipsec_users") - [ -n "${ipsec_users}" ] && { - for _user in ${ipsec_users}; do - local u_enabled=$(uci -q get ${CONFIG}.${_user}.enabled) - [ "${u_enabled}" -eq 1 ] || continue - - local u_username=$(uci -q get ${CONFIG}.${_user}.username) - [ -n "${u_username}" ] || continue - - local u_password=$(uci -q get ${CONFIG}.${_user}.password) - [ -n "${u_password}" ] || continue - - echo "${u_username} : XAUTH '${u_password}'" >> ${IPSEC_SECRETS_FILE} - done - } - unset user - - ipt_rule add - - /usr/lib/ipsec/starter --daemon charon --nofork > /dev/null 2>&1 & - gen_include - - uci -q batch <<-EOF >/dev/null - set network.ipsec_server.ipaddr="${vt_clientip%.*}.1" - commit network - EOF - ifup ipsec_server > /dev/null 2>&1 -} - -stop() { - ifdown ipsec_server > /dev/null 2>&1 - sed -i '/l2tp-server/d' ${CHAP_SECRETS} 2>/dev/null - top -bn1 | grep "${L2TP_PATH}" | grep -v "grep" | awk '{print $1}' | xargs kill -9 >/dev/null 2>&1 - rm -rf ${L2TP_PATH} - ps -w | grep "/usr/lib/ipsec" | grep -v "grep" | awk '{print $1}' | xargs kill -9 >/dev/null 2>&1 - ipt_rule del - rm -rf /var/etc/ipsecvpn.include - ln -s "libipsec.so.0.0.0" "/usr/lib/ipsec/libipsec.so.0" >/dev/null 2>&1 -} - -gen_iface_and_firewall() { - uci -q batch <<-EOF >/dev/null - delete network.ipsec_server - set network.ipsec_server=interface - set network.ipsec_server.ifname="ipsec0" - set network.ipsec_server.device="ipsec0" - set network.ipsec_server.proto="static" - set network.ipsec_server.ipaddr="${vt_clientip%.*}.1" - set network.ipsec_server.netmask="255.255.255.0" - commit network - - delete firewall.ipsecserver - set firewall.ipsecserver=zone - set firewall.ipsecserver.name="ipsecserver" - set firewall.ipsecserver.input="ACCEPT" - set firewall.ipsecserver.forward="ACCEPT" - set firewall.ipsecserver.output="ACCEPT" - set firewall.ipsecserver.network="ipsec_server" - commit firewall - EOF -} - -if [ -z "$(uci -q get network.ipsec_server)" ] || [ -z "$(uci -q get firewall.ipsecserver)" ]; then - gen_iface_and_firewall -fi diff --git a/package/lean/luci-app-ipsec-server/root/etc/uci-defaults/luci-app-ipsec-server b/package/lean/luci-app-ipsec-server/root/etc/uci-defaults/luci-app-ipsec-server deleted file mode 100755 index 3a791a03a..000000000 --- a/package/lean/luci-app-ipsec-server/root/etc/uci-defaults/luci-app-ipsec-server +++ /dev/null @@ -1,23 +0,0 @@ -#!/bin/sh - -uci -q batch <<-EOF >/dev/null - delete firewall.luci_app_ipsec_server - set firewall.luci_app_ipsec_server=include - set firewall.luci_app_ipsec_server.type=script - set firewall.luci_app_ipsec_server.path=/var/etc/ipsecvpn.include - set firewall.luci_app_ipsec_server.reload=1 -EOF - -uci -q batch <<-EOF >/dev/null - delete ucitrack.@luci-app-ipsec-server[-1] - add ucitrack luci-app-ipsec-server - set ucitrack.@luci-app-ipsec-server[-1].init=luci-app-ipsec-server - commit ucitrack -EOF - -/etc/init.d/ipsec disable 2>/dev/null -/etc/init.d/ipsec stop 2>/dev/null -/etc/init.d/xl2tpd disable 2>/dev/null -/etc/init.d/xl2tpd stop 2>/dev/null -rm -rf /tmp/luci-*cache -exit 0 diff --git a/package/lean/luci-app-ipsec-server/root/usr/share/rpcd/acl.d/luci-app-ipsec-server.json b/package/lean/luci-app-ipsec-server/root/usr/share/rpcd/acl.d/luci-app-ipsec-server.json deleted file mode 100644 index d12ed9841..000000000 --- a/package/lean/luci-app-ipsec-server/root/usr/share/rpcd/acl.d/luci-app-ipsec-server.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "luci-app-ipsec-server": { - "description": "Grant UCI access for luci-app-ipsec-server", - "read": { - "uci": [ "luci-app-ipsec-server" ] - }, - "write": { - "uci": [ "luci-app-ipsec-server" ] - } - } -} diff --git a/package/lean/luci-app-ipsec-server/root/usr/share/xl2tpd/ip-down b/package/lean/luci-app-ipsec-server/root/usr/share/xl2tpd/ip-down deleted file mode 100755 index 9434e7615..000000000 --- a/package/lean/luci-app-ipsec-server/root/usr/share/xl2tpd/ip-down +++ /dev/null @@ -1,27 +0,0 @@ -#!/bin/sh - -_LOGOUT_TIME="$(date "+%Y-%m-%d %H:%M:%S")" -CONFIG="luci-app-ipsec-server" -L2TP_PATH=/var/etc/xl2tpd -L2TP_SESSION_PATH=${L2TP_PATH}/session - -_USERNAME=${PEERNAME} -_IFACE=${1} -_TTY=${2} -_SPEED=${3} -_LOCALIP=${4} -_PEERIP=${5} -_REMOTEIP=${6} -_BYTES_SENT=${BYTES_SENT} -_BYTES_RCVD=${BYTES_RCVD} -_CONNECT_TIME=${CONNECT_TIME} - -rm -f ${L2TP_SESSION_PATH}/${_USERNAME}.${_IFACE} -rm -f /var/run/${_IFACE}.pid - -#可根据退出的账号自定义脚本,如静态路由表,组网等。 -SCRIPT="/usr/share/xl2tpd/ip-down.d/${_USERNAME}" -[ -s "$SCRIPT" ] && { - [ ! -x "$SCRIPT" ] && chmod 0755 "$SCRIPT" - "$SCRIPT" "$@" -} diff --git a/package/lean/luci-app-ipsec-server/root/usr/share/xl2tpd/ip-up b/package/lean/luci-app-ipsec-server/root/usr/share/xl2tpd/ip-up deleted file mode 100755 index 6109d037e..000000000 --- a/package/lean/luci-app-ipsec-server/root/usr/share/xl2tpd/ip-up +++ /dev/null @@ -1,58 +0,0 @@ -#!/bin/sh - -_LOGIN_TIME="$(date "+%Y-%m-%d %H:%M:%S")" -CONFIG="luci-app-ipsec-server" -L2TP_PATH=/var/etc/xl2tpd -L2TP_SESSION_PATH=${L2TP_PATH}/session - -_USERNAME=${PEERNAME} -_IFACE=${1} -_TTY=${2} -_SPEED=${3} -_LOCALIP=${4} -_PEERIP=${5} - -_PID=$(cat /var/run/${_IFACE}.pid 2>/dev/null) -_REMOTEIP=$(cat /var/etc/xl2tpd/xl2tpd.log 2>/dev/null | grep "PID: ${_PID}" | grep -o -E '([0-9]{1,3}[\.]){3}[0-9]{1,3}') - -mkdir -p ${L2TP_SESSION_PATH} - -cat <<-EOF > ${L2TP_SESSION_PATH}/${_USERNAME}.${_IFACE} - { - "username": "${_USERNAME}", - "interface": "${_IFACE}", - "tty": "${_TTY}", - "speed": "${_SPEED}", - "ip": "${_PEERIP}", - "remote_ip": "${_REMOTEIP}", - "pid": "${_PID}", - "login_time": "${_LOGIN_TIME}" - } -EOF - -#只能单用户使用 -cfgid=$(uci show ${CONFIG} | grep "@l2tp_users" | grep "\.username='${_USERNAME}'" | cut -d '.' -sf 2) -[ -n "$cfgid" ] && { - HAS_LOGIN=$(ls ${L2TP_SESSION_PATH} | grep "^${_USERNAME}\.ppp" | grep -v "${_IFACE}") - [ -n "$HAS_LOGIN" ] && { - #踢出之前的用户 - KO_IFACE=$(echo $HAS_LOGIN | awk -F '.' '{print $2}') - KO_PID=$(cat /var/run/${KO_IFACE}.pid 2>/dev/null) - [ -n "$KO_PID" ] && kill -9 ${KO_PID} >/dev/null 2>&1 - rm -f ${L2TP_SESSION_PATH}/${HAS_LOGIN} - rm -f /var/run/${KO_IFACE}.pid - } - routes=$(uci -q get ${CONFIG}.${cfgid}.routes) - [ -n "$routes" ] && { - for router in ${routes}; do - route add -net ${router} dev ${_IFACE} >/dev/null 2>&1 - done - } -} - -#可根据登录的账号自定义脚本,如组网、日志、限速、权限等特殊待遇。 -SCRIPT="/usr/share/xl2tpd/ip-up.d/${_USERNAME}" -[ -s "$SCRIPT" ] && { - [ ! -x "$SCRIPT" ] && chmod 0755 "$SCRIPT" - "$SCRIPT" "$@" -}