mirror of
https://github.com/coolsnowwolf/lede.git
synced 2025-04-16 14:23:38 +00:00
luci-app-ipsec-server: move to luci feeds (#9130)
This commit is contained in:
Beginner
GitHub
parent
5a916c954d
commit
6d687a132e
@ -1,14 +0,0 @@
|
||||
# Copyright (C) 2018-2021 Lienol <lawlienol@gmail.com>
|
||||
#
|
||||
# This is free software, licensed under the Apache License, Version 2.0 .
|
||||
#
|
||||
|
||||
include $(TOPDIR)/rules.mk
|
||||
|
||||
LUCI_TITLE:=LuCI support for IPSec VPN Server
|
||||
LUCI_DEPENDS:=+kmod-tun +luci-lib-jsonc +strongswan +strongswan-minimal +strongswan-mod-kernel-libipsec +strongswan-mod-openssl +strongswan-mod-xauth-generic +xl2tpd
|
||||
LUCI_PKGARCH:=all
|
||||
|
||||
include $(TOPDIR)/feeds/luci/luci.mk
|
||||
|
||||
# call BuildPackage - OpenWrt buildroot signature
|
||||
@ -1,22 +0,0 @@
|
||||
-- Copyright 2018-2020 Lienol <lawlienol@gmail.com>
|
||||
module("luci.controller.ipsec-server", package.seeall)
|
||||
|
||||
function index()
|
||||
if not nixio.fs.access("/etc/config/luci-app-ipsec-server") then return end
|
||||
|
||||
entry({"admin", "vpn"}, firstchild(), "VPN", 45).dependent = false
|
||||
entry({"admin", "vpn", "ipsec-server"}, alias("admin", "vpn", "ipsec-server", "settings"), _("IPSec VPN Server"), 49).dependent = false
|
||||
entry({"admin", "vpn", "ipsec-server", "settings"}, cbi("ipsec-server/settings"), _("General Settings"), 10).leaf = true
|
||||
entry({"admin", "vpn", "ipsec-server", "users"}, cbi("ipsec-server/users"), _("Users Manager"), 20).leaf = true
|
||||
entry({"admin", "vpn", "ipsec-server", "l2tp_user"}, cbi("ipsec-server/l2tp_user")).leaf = true
|
||||
entry({"admin", "vpn", "ipsec-server", "online"}, cbi("ipsec-server/online"), _("L2TP Online Users"), 30).leaf = true
|
||||
entry({"admin", "vpn", "ipsec-server", "status"}, call("status")).leaf = true
|
||||
end
|
||||
|
||||
function status()
|
||||
local e = {}
|
||||
e["ipsec_status"] = luci.sys.call("/usr/bin/pgrep ipsec >/dev/null") == 0
|
||||
e["l2tp_status"] = luci.sys.call("top -bn1 | grep -v grep | grep '/var/etc/xl2tpd' >/dev/null") == 0
|
||||
luci.http.prepare_content("application/json")
|
||||
luci.http.write_json(e)
|
||||
end
|
||||
@ -1,35 +0,0 @@
|
||||
local d = require "luci.dispatcher"
|
||||
local sys = require "luci.sys"
|
||||
|
||||
m = Map("luci-app-ipsec-server", "L2TP/IPSec PSK " .. translate("Users Manager"))
|
||||
m.redirect = d.build_url("admin", "vpn", "ipsec-server", "users")
|
||||
|
||||
if sys.call("command -v xl2tpd > /dev/null") == 0 then
|
||||
s = m:section(NamedSection, arg[1], "l2tp_users", "")
|
||||
s.addremove = false
|
||||
s.anonymous = true
|
||||
|
||||
o = s:option(Flag, "enabled", translate("Enabled"))
|
||||
o.default = 1
|
||||
o.rmempty = false
|
||||
|
||||
o = s:option(Value, "username", translate("Username"))
|
||||
o.placeholder = translate("Username")
|
||||
o.rmempty = false
|
||||
|
||||
o = s:option(Value, "password", translate("Password"))
|
||||
o.placeholder = translate("Password")
|
||||
o.rmempty = false
|
||||
|
||||
o = s:option(Value, "ipaddress", translate("IP address"))
|
||||
o.placeholder = translate("Automatically")
|
||||
o.datatype = "ip4addr"
|
||||
o.rmempty = true
|
||||
|
||||
o = s:option(DynamicList, "routes", translate("Static Routes"))
|
||||
o.placeholder = "192.168.10.0/24"
|
||||
o.datatype = "ipmask4"
|
||||
o.rmempty = true
|
||||
end
|
||||
|
||||
return m
|
||||
@ -1,83 +0,0 @@
|
||||
local o = require "luci.dispatcher"
|
||||
local fs = require "nixio.fs"
|
||||
local jsonc = require "luci.jsonc"
|
||||
|
||||
local sessions = {}
|
||||
local session_path = "/var/etc/xl2tpd/session"
|
||||
if fs.access(session_path) then
|
||||
for filename in fs.dir(session_path) do
|
||||
local session_file = session_path .. "/" .. filename
|
||||
local file = io.open(session_file, "r")
|
||||
local t = jsonc.parse(file:read("*a"))
|
||||
if t then
|
||||
t.session_file = session_file
|
||||
sessions[#sessions + 1] = t
|
||||
end
|
||||
file:close()
|
||||
end
|
||||
end
|
||||
|
||||
local blacklist = {}
|
||||
local firewall_user_path = "/etc/firewall.user"
|
||||
if fs.access(firewall_user_path) then
|
||||
for line in io.lines(firewall_user_path) do
|
||||
local m = line:match('xl2tpd%-blacklist%-([^\n]+)')
|
||||
if m then
|
||||
local t = {}
|
||||
t.ip = m
|
||||
blacklist[#blacklist + 1] = t
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
f = SimpleForm("processes")
|
||||
f.reset = false
|
||||
f.submit = false
|
||||
|
||||
t = f:section(Table, sessions, translate("L2TP Online Users"))
|
||||
t:option(DummyValue, "username", translate("Username"))
|
||||
t:option(DummyValue, "interface", translate("Interface"))
|
||||
t:option(DummyValue, "ip", translate("Client IP"))
|
||||
t:option(DummyValue, "remote_ip", translate("IP address"))
|
||||
t:option(DummyValue, "login_time", translate("Login Time"))
|
||||
|
||||
_blacklist = t:option(Button, "_blacklist", translate("Blacklist"))
|
||||
function _blacklist.render(e, t, a)
|
||||
e.title = translate("Add to Blacklist")
|
||||
e.inputstyle = "remove"
|
||||
Button.render(e, t, a)
|
||||
end
|
||||
function _blacklist.write(t, s)
|
||||
local e = t.map:get(s, "remote_ip")
|
||||
luci.util.execi("echo 'iptables -I INPUT -s %s -p udp -m multiport --dports 500,4500,1701 -j DROP ## xl2tpd-blacklist-%s' >> /etc/firewall.user" % {e, e})
|
||||
luci.util.execi("iptables -I INPUT -s %s -p udp -m multiport --dports 500,4500,1701 -j DROP" % {e})
|
||||
luci.util.execi("rm -f " .. t.map:get(s, "session_file"))
|
||||
null, t.tag_error[s] = luci.sys.process.signal(t.map:get(s, "pid"), 9)
|
||||
luci.http.redirect(o.build_url("admin/vpn/ipsec-server/online"))
|
||||
end
|
||||
|
||||
_kill = t:option(Button, "_kill", translate("Forced offline"))
|
||||
_kill.inputstyle = "remove"
|
||||
function _kill.write(t, s)
|
||||
luci.util.execi("rm -f " .. t.map:get(s, "session_file"))
|
||||
null, t.tag_error[t] = luci.sys.process.signal(t.map:get(s, "pid"), 9)
|
||||
luci.http.redirect(o.build_url("admin/vpn/ipsec-server/online"))
|
||||
end
|
||||
|
||||
t = f:section(Table, blacklist, translate("Blacklist"))
|
||||
t:option(DummyValue, "ip", translate("IP address"))
|
||||
|
||||
_blacklist2 = t:option(Button, "_blacklist2", translate("Blacklist"))
|
||||
function _blacklist2.render(e, t, a)
|
||||
e.title = translate("Remove from Blacklist")
|
||||
e.inputstyle = "apply"
|
||||
Button.render(e, t, a)
|
||||
end
|
||||
function _blacklist2.write(t, s)
|
||||
local e = t.map:get(s, "ip")
|
||||
luci.util.execi("sed -i -e '/## xl2tpd-blacklist-%s/d' /etc/firewall.user" % {e})
|
||||
luci.util.execi("iptables -D INPUT -s %s -p udp -m multiport --dports 500,4500,1701 -j DROP" % {e})
|
||||
luci.http.redirect(o.build_url("admin/vpn/ipsec-server/online"))
|
||||
end
|
||||
|
||||
return f
|
||||
@ -1,60 +0,0 @@
|
||||
local sys = require "luci.sys"
|
||||
|
||||
m = Map("luci-app-ipsec-server", translate("IPSec VPN Server"))
|
||||
m.template = "ipsec-server/index"
|
||||
|
||||
s = m:section(TypedSection, "service")
|
||||
s.anonymous = true
|
||||
|
||||
o = s:option(DummyValue, "ipsec-server_status", translate("Current Condition"))
|
||||
o.rawhtml = true
|
||||
o.cfgvalue = function(t, n)
|
||||
return '<font class="ipsec-server_status"></font>'
|
||||
end
|
||||
|
||||
enabled = s:option(Flag, "enabled", translate("Enable"), translate("Use a client that supports IPSec Xauth PSK (iOS or Android) to connect to this server."))
|
||||
enabled.default = 0
|
||||
enabled.rmempty = false
|
||||
|
||||
clientip = s:option(Value, "clientip", translate("VPN Client IP"))
|
||||
clientip.datatype = "ip4addr"
|
||||
clientip.description = translate("VPN Client reserved started IP addresses with the same subnet mask, such as: 192.168.100.10/24")
|
||||
clientip.optional = false
|
||||
clientip.rmempty = false
|
||||
|
||||
secret = s:option(Value, "secret", translate("Secret Pre-Shared Key"))
|
||||
secret.password = true
|
||||
|
||||
if sys.call("command -v xl2tpd > /dev/null") == 0 then
|
||||
o = s:option(DummyValue, "l2tp_status", "L2TP " .. translate("Current Condition"))
|
||||
o.rawhtml = true
|
||||
o.cfgvalue = function(t, n)
|
||||
return '<font class="l2tp_status"></font>'
|
||||
end
|
||||
|
||||
o = s:option(Flag, "l2tp_enable", "L2TP " .. translate("Enable"), translate("Use a client that supports L2TP over IPSec PSK to connect to this server."))
|
||||
o.default = 0
|
||||
o.rmempty = false
|
||||
|
||||
o = s:option(Value, "l2tp_localip", "L2TP " .. translate("Server IP"), translate("VPN Server IP address, such as: 192.168.101.1"))
|
||||
o.datatype = "ip4addr"
|
||||
o.rmempty = true
|
||||
o.default = "192.168.101.1"
|
||||
o.placeholder = o.default
|
||||
|
||||
o = s:option(Value, "l2tp_remoteip", "L2TP " .. translate("Client IP"), translate("VPN Client IP address range, such as: 192.168.101.10-20"))
|
||||
o.rmempty = true
|
||||
o.default = "192.168.101.10-20"
|
||||
o.placeholder = o.default
|
||||
|
||||
if sys.call("ls -L /usr/lib/ipsec/libipsec* 2>/dev/null >/dev/null") == 0 then
|
||||
o = s:option(DummyValue, "_o", " ")
|
||||
o.rawhtml = true
|
||||
o.cfgvalue = function(t, n)
|
||||
return string.format('<a style="color: red">%s</a>', translate("L2TP/IPSec is not compatible with kernel-libipsec, which will disable this module."))
|
||||
end
|
||||
o:depends("l2tp_enable", true)
|
||||
end
|
||||
end
|
||||
|
||||
return m
|
||||
@ -1,54 +0,0 @@
|
||||
local d = require "luci.dispatcher"
|
||||
local sys = require "luci.sys"
|
||||
|
||||
m = Map("luci-app-ipsec-server")
|
||||
|
||||
s = m:section(TypedSection, "ipsec_users", "IPSec Xauth PSK " .. translate("Users Manager"))
|
||||
s.description = translate("Use a client that supports IPSec Xauth PSK (iOS or Android) to connect to this server.")
|
||||
s.addremove = true
|
||||
s.anonymous = true
|
||||
s.template = "cbi/tblsection"
|
||||
|
||||
o = s:option(Flag, "enabled", translate("Enabled"))
|
||||
o.default = 1
|
||||
o.rmempty = false
|
||||
|
||||
o = s:option(Value, "username", translate("Username"))
|
||||
o.placeholder = translate("Username")
|
||||
o.rmempty = false
|
||||
|
||||
o = s:option(Value, "password", translate("Password"))
|
||||
o.placeholder = translate("Password")
|
||||
o.rmempty = false
|
||||
|
||||
if sys.call("command -v xl2tpd > /dev/null") == 0 then
|
||||
s = m:section(TypedSection, "l2tp_users", "L2TP/IPSec PSK " .. translate("Users Manager"))
|
||||
s.description = translate("Use a client that supports L2TP over IPSec PSK to connect to this server.")
|
||||
s.addremove = true
|
||||
s.anonymous = true
|
||||
s.template = "cbi/tblsection"
|
||||
s.extedit = d.build_url("admin", "vpn", "ipsec-server", "l2tp_user", "%s")
|
||||
function s.create(e, t)
|
||||
t = TypedSection.create(e, t)
|
||||
luci.http.redirect(e.extedit:format(t))
|
||||
end
|
||||
|
||||
o = s:option(Flag, "enabled", translate("Enabled"))
|
||||
o.default = 1
|
||||
o.rmempty = false
|
||||
|
||||
o = s:option(Value, "username", translate("Username"))
|
||||
o.placeholder = translate("Username")
|
||||
o.rmempty = false
|
||||
|
||||
o = s:option(Value, "password", translate("Password"))
|
||||
o.placeholder = translate("Password")
|
||||
o.rmempty = false
|
||||
|
||||
o = s:option(Value, "ipaddress", translate("IP address"))
|
||||
o.placeholder = translate("Automatically")
|
||||
o.datatype = "ip4addr"
|
||||
o.rmempty = true
|
||||
end
|
||||
|
||||
return m
|
||||
@ -1,21 +0,0 @@
|
||||
<% include("cbi/map") %>
|
||||
<script type="text/javascript">//<![CDATA[
|
||||
XHR.poll(2, '<%=luci.dispatcher.build_url("admin", "vpn", "ipsec-server", "status")%>', null,
|
||||
function(x, result)
|
||||
{
|
||||
var ipsec_status = document.getElementsByClassName('ipsec-server_status')[0];
|
||||
if (ipsec_status) {
|
||||
ipsec_status.setAttribute("style","font-weight:bold;");
|
||||
ipsec_status.setAttribute("style",result.ipsec_status ? "color:green":"color:red");
|
||||
ipsec_status.innerHTML = result.ipsec_status?'<b><%=translate("RUNNING")%></b>':'<b><%=translate("NOT RUNNING")%></b>';
|
||||
}
|
||||
var l2tp_status = document.getElementsByClassName('l2tp_status')[0];
|
||||
if (l2tp_status) {
|
||||
l2tp_status.setAttribute("style","font-weight:bold;");
|
||||
l2tp_status.setAttribute("style",result.l2tp_status ? "color:green":"color:red");
|
||||
l2tp_status.innerHTML = result.l2tp_status?'<b><%=translate("RUNNING")%></b>':'<b><%=translate("NOT RUNNING")%></b>';
|
||||
}
|
||||
}
|
||||
)
|
||||
//]]>
|
||||
</script>
|
||||
@ -1,77 +0,0 @@
|
||||
msgid "IPSec VPN Server"
|
||||
msgstr "IPSec VPN 服务器"
|
||||
|
||||
msgid "Use a client that supports IPSec Xauth PSK (iOS or Android) to connect to this server."
|
||||
msgstr "使用支持 IPSec Xauth PSK(iOS 或 Android)的客户端连接到此服务端。"
|
||||
|
||||
msgid "Use a client that supports L2TP over IPSec PSK to connect to this server."
|
||||
msgstr "使用支持 L2TP over IPSec PSK 的客户端连接到此服务端。"
|
||||
|
||||
msgid "Current Condition"
|
||||
msgstr "当前状态"
|
||||
|
||||
msgid "General settings"
|
||||
msgstr "基本设置"
|
||||
|
||||
msgid "Enabled"
|
||||
msgstr "启用"
|
||||
|
||||
msgid "VPN Client IP"
|
||||
msgstr "VPN客户端地址段"
|
||||
|
||||
msgid "VPN Client reserved started IP addresses with the same subnet mask, such as: 192.168.100.10/24"
|
||||
msgstr "VPN客户端获取IP的起始地址,例如:192.168.100.10/24"
|
||||
|
||||
msgid "Secret Pre-Shared Key"
|
||||
msgstr "PSK密钥"
|
||||
|
||||
msgid "VPN Server IP address, such as: 192.168.101.1"
|
||||
msgstr "VPN服务端IP地址,例如:192.168.101.1"
|
||||
|
||||
msgid "VPN Client IP address range, such as: 192.168.101.10-20"
|
||||
msgstr "VPN客户端获取IP范围,例如:192.168.101.10-20"
|
||||
|
||||
msgid "L2TP/IPSec is not compatible with kernel-libipsec, which will disable this module."
|
||||
msgstr "L2TP/IPSec不兼容kernel-libipsec,开启将会禁用此模块。"
|
||||
|
||||
msgid "Users Manager"
|
||||
msgstr "用户管理"
|
||||
|
||||
msgid "Username"
|
||||
msgstr "用户名"
|
||||
|
||||
msgid "Password"
|
||||
msgstr "密码"
|
||||
|
||||
msgid "IP address"
|
||||
msgstr "IP 地址"
|
||||
|
||||
msgid "Automatically"
|
||||
msgstr "自动分配"
|
||||
|
||||
msgid "Online Users"
|
||||
msgstr "在线用户"
|
||||
|
||||
msgid "L2TP Online Users"
|
||||
msgstr "L2TP 在线用户"
|
||||
|
||||
msgid "Login Time"
|
||||
msgstr "登录时间"
|
||||
|
||||
msgid "Blacklist"
|
||||
msgstr "黑名单"
|
||||
|
||||
msgid "Add to Blacklist"
|
||||
msgstr "加入黑名单"
|
||||
|
||||
msgid "Remove from Blacklist"
|
||||
msgstr "移出黑名单"
|
||||
|
||||
msgid "Forced offline"
|
||||
msgstr "强制下线"
|
||||
|
||||
msgid "NOT RUNNING"
|
||||
msgstr "未运行"
|
||||
|
||||
msgid "RUNNING"
|
||||
msgstr "运行中"
|
||||
@ -1 +0,0 @@
|
||||
zh-cn
|
||||
@ -1,7 +0,0 @@
|
||||
|
||||
config service 'ipsec'
|
||||
option enabled '0'
|
||||
option secret 'ipsec'
|
||||
option clientip '192.168.100.10/24'
|
||||
|
||||
|
||||
@ -1,274 +0,0 @@
|
||||
#!/bin/sh /etc/rc.common
|
||||
|
||||
START=99
|
||||
|
||||
CONFIG="luci-app-ipsec-server"
|
||||
IPSEC_SECRETS_FILE=/etc/ipsec.secrets
|
||||
IPSEC_CONN_FILE=/etc/ipsec.conf
|
||||
CHAP_SECRETS=/etc/ppp/chap-secrets
|
||||
L2TP_PATH=/var/etc/xl2tpd
|
||||
L2TP_CONTROL_FILE=${L2TP_PATH}/control
|
||||
L2TP_CONFIG_FILE=${L2TP_PATH}/xl2tpd.conf
|
||||
L2TP_OPTIONS_FILE=${L2TP_PATH}/options.xl2tpd
|
||||
L2TP_LOG_FILE=${L2TP_PATH}/xl2tpd.log
|
||||
|
||||
vt_clientip=$(uci -q get ${CONFIG}.@service[0].clientip)
|
||||
l2tp_enabled=$(uci -q get ${CONFIG}.@service[0].l2tp_enable)
|
||||
l2tp_localip=$(uci -q get ${CONFIG}.@service[0].l2tp_localip)
|
||||
|
||||
ipt_flag="IPSec VPN Server"
|
||||
|
||||
get_enabled_anonymous_secs() {
|
||||
uci -q show "${CONFIG}" | grep "${1}\[.*\.enabled='1'" | cut -d '.' -sf2
|
||||
}
|
||||
|
||||
ipt_rule() {
|
||||
if [ "$1" = "add" ]; then
|
||||
iptables -t nat -I POSTROUTING -s ${vt_clientip} -m comment --comment "${ipt_flag}" -j MASQUERADE 2>/dev/null
|
||||
iptables -I forwarding_rule -s ${vt_clientip} -m comment --comment "${ipt_flag}" -j ACCEPT 2>/dev/null
|
||||
iptables -I forwarding_rule -m policy --dir in --pol ipsec --proto esp -m comment --comment "${ipt_flag}" -j ACCEPT 2>/dev/null
|
||||
iptables -I forwarding_rule -m policy --dir out --pol ipsec --proto esp -m comment --comment "${ipt_flag}" -j ACCEPT 2>/dev/null
|
||||
iptables -I INPUT -p udp -m multiport --dports 500,4500 -m comment --comment "${ipt_flag}" -j ACCEPT 2>/dev/null
|
||||
iptables -t mangle -I OUTPUT -p udp -m multiport --sports 500,4500 -m comment --comment "${ipt_flag}" -j RETURN 2>/dev/null
|
||||
[ "${l2tp_enabled}" = 1 ] && {
|
||||
iptables -t nat -I POSTROUTING -s ${l2tp_localip%.*}.0/24 -m comment --comment "${ipt_flag}" -j MASQUERADE 2>/dev/null
|
||||
iptables -I forwarding_rule -s ${l2tp_localip%.*}.0/24 -m comment --comment "${ipt_flag}" -j ACCEPT 2>/dev/null
|
||||
iptables -I INPUT -p udp --dport 1701 -m comment --comment "${ipt_flag}" -j ACCEPT 2>/dev/null
|
||||
iptables -t mangle -I OUTPUT -p udp --sport 1701 -m comment --comment "${ipt_flag}" -j RETURN 2>/dev/null
|
||||
}
|
||||
else
|
||||
ipt_del() {
|
||||
for i in $(seq 1 $($1 -nL $2 | grep -c "${ipt_flag}")); do
|
||||
local index=$($1 --line-number -nL $2 | grep "${ipt_flag}" | head -1 | awk '{print $1}')
|
||||
$1 -w -D $2 $index 2>/dev/null
|
||||
done
|
||||
}
|
||||
ipt_del "iptables" "forwarding_rule"
|
||||
ipt_del "iptables" "INPUT"
|
||||
ipt_del "iptables -t nat" "POSTROUTING"
|
||||
ipt_del "iptables -t mangle" "OUTPUT"
|
||||
fi
|
||||
}
|
||||
|
||||
gen_include() {
|
||||
echo '#!/bin/sh' > /var/etc/ipsecvpn.include
|
||||
extract_rules() {
|
||||
echo "*$1"
|
||||
iptables-save -t $1 | grep "${ipt_flag}" | \
|
||||
sed -e "s/^-A \(INPUT\)/-I \1 1/"
|
||||
echo 'COMMIT'
|
||||
}
|
||||
cat <<-EOF >> /var/etc/ipsecvpn.include
|
||||
iptables-save -c | grep -v "${ipt_flag}" | iptables-restore -c
|
||||
iptables-restore -n <<-EOT
|
||||
$(extract_rules filter)
|
||||
$(extract_rules nat)
|
||||
EOT
|
||||
EOF
|
||||
return 0
|
||||
}
|
||||
|
||||
start() {
|
||||
local vt_enabled=$(uci -q get ${CONFIG}.@service[0].enabled)
|
||||
[ "$vt_enabled" = 0 ] && return 1
|
||||
|
||||
local vt_gateway="${vt_clientip%.*}.1"
|
||||
local vt_secret=$(uci -q get ${CONFIG}.@service[0].secret)
|
||||
|
||||
local l2tp_enabled=$(uci -q get ${CONFIG}.@service[0].l2tp_enable)
|
||||
[ "${l2tp_enabled}" = 1 ] && {
|
||||
touch ${CHAP_SECRETS}
|
||||
local vt_remoteip=$(uci -q get ${CONFIG}.@service[0].l2tp_remoteip)
|
||||
local ipsec_l2tp_config=$(cat <<-EOF
|
||||
#######################################
|
||||
# L2TP Connections
|
||||
#######################################
|
||||
|
||||
conn L2TP-IKEv1-PSK
|
||||
type=transport
|
||||
keyexchange=ikev1
|
||||
authby=secret
|
||||
leftprotoport=udp/l2tp
|
||||
left=%any
|
||||
right=%any
|
||||
rekey=no
|
||||
forceencaps=yes
|
||||
ike=aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,3des-sha1-modp1536
|
||||
esp=aes128-sha1,3des-sha1
|
||||
EOF
|
||||
)
|
||||
|
||||
mkdir -p ${L2TP_PATH}
|
||||
cat > ${L2TP_OPTIONS_FILE} <<-EOF
|
||||
name "l2tp-server"
|
||||
ipcp-accept-local
|
||||
ipcp-accept-remote
|
||||
ms-dns ${l2tp_localip}
|
||||
noccp
|
||||
auth
|
||||
idle 1800
|
||||
mtu 1400
|
||||
mru 1400
|
||||
lcp-echo-failure 10
|
||||
lcp-echo-interval 60
|
||||
connect-delay 5000
|
||||
EOF
|
||||
cat > ${L2TP_CONFIG_FILE} <<-EOF
|
||||
[global]
|
||||
port = 1701
|
||||
;debug avp = yes
|
||||
;debug network = yes
|
||||
;debug state = yes
|
||||
;debug tunnel = yes
|
||||
[lns default]
|
||||
ip range = ${vt_remoteip}
|
||||
local ip = ${l2tp_localip}
|
||||
require chap = yes
|
||||
refuse pap = yes
|
||||
require authentication = no
|
||||
name = l2tp-server
|
||||
;ppp debug = yes
|
||||
pppoptfile = ${L2TP_OPTIONS_FILE}
|
||||
length bit = yes
|
||||
EOF
|
||||
|
||||
local l2tp_users=$(get_enabled_anonymous_secs "@l2tp_users")
|
||||
[ -n "${l2tp_users}" ] && {
|
||||
for _user in ${l2tp_users}; do
|
||||
local u_enabled=$(uci -q get ${CONFIG}.${_user}.enabled)
|
||||
[ "${u_enabled}" -eq 1 ] || continue
|
||||
|
||||
local u_username=$(uci -q get ${CONFIG}.${_user}.username)
|
||||
[ -n "${u_username}" ] || continue
|
||||
|
||||
local u_password=$(uci -q get ${CONFIG}.${_user}.password)
|
||||
[ -n "${u_password}" ] || continue
|
||||
|
||||
local u_ipaddress=$(uci -q get ${CONFIG}.${_user}.ipaddress)
|
||||
[ -n "${u_ipaddress}" ] || u_ipaddress="*"
|
||||
|
||||
echo "${u_username} l2tp-server ${u_password} ${u_ipaddress}" >> ${CHAP_SECRETS}
|
||||
done
|
||||
}
|
||||
unset user
|
||||
|
||||
echo "ip-up-script /usr/share/xl2tpd/ip-up" >> ${L2TP_OPTIONS_FILE}
|
||||
echo "ip-down-script /usr/share/xl2tpd/ip-down" >> ${L2TP_OPTIONS_FILE}
|
||||
|
||||
xl2tpd -c ${L2TP_CONFIG_FILE} -C ${L2TP_CONTROL_FILE} -D >${L2TP_LOG_FILE} 2>&1 &
|
||||
rm -f "/usr/lib/ipsec/libipsec.so.0"
|
||||
}
|
||||
|
||||
cat > ${IPSEC_CONN_FILE} <<-EOF
|
||||
# ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
uniqueids=no
|
||||
charondebug="cfg 2, dmn 2, ike 2, net 0"
|
||||
|
||||
conn %default
|
||||
dpdaction=clear
|
||||
dpddelay=300s
|
||||
rekey=no
|
||||
left=%defaultroute
|
||||
leftfirewall=yes
|
||||
right=%any
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
auto=add
|
||||
|
||||
#######################################
|
||||
# Default non L2TP Connections
|
||||
#######################################
|
||||
|
||||
conn Non-L2TP
|
||||
leftsubnet=0.0.0.0/0
|
||||
rightsubnet=${vt_clientip}
|
||||
rightsourceip=${vt_clientip}
|
||||
rightdns=${vt_gateway}
|
||||
ike=aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,3des-sha1-modp1536
|
||||
esp=aes128-sha1,3des-sha1
|
||||
|
||||
# Cisco IPSec
|
||||
conn IKEv1-PSK-XAuth
|
||||
also=Non-L2TP
|
||||
keyexchange=ikev1
|
||||
leftauth=psk
|
||||
rightauth=psk
|
||||
rightauth2=xauth
|
||||
|
||||
$ipsec_l2tp_config
|
||||
EOF
|
||||
|
||||
cat > /etc/ipsec.secrets <<-EOF
|
||||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
: PSK "$vt_secret"
|
||||
EOF
|
||||
|
||||
local ipsec_users=$(get_enabled_anonymous_secs "@ipsec_users")
|
||||
[ -n "${ipsec_users}" ] && {
|
||||
for _user in ${ipsec_users}; do
|
||||
local u_enabled=$(uci -q get ${CONFIG}.${_user}.enabled)
|
||||
[ "${u_enabled}" -eq 1 ] || continue
|
||||
|
||||
local u_username=$(uci -q get ${CONFIG}.${_user}.username)
|
||||
[ -n "${u_username}" ] || continue
|
||||
|
||||
local u_password=$(uci -q get ${CONFIG}.${_user}.password)
|
||||
[ -n "${u_password}" ] || continue
|
||||
|
||||
echo "${u_username} : XAUTH '${u_password}'" >> ${IPSEC_SECRETS_FILE}
|
||||
done
|
||||
}
|
||||
unset user
|
||||
|
||||
ipt_rule add
|
||||
|
||||
/usr/lib/ipsec/starter --daemon charon --nofork > /dev/null 2>&1 &
|
||||
gen_include
|
||||
|
||||
uci -q batch <<-EOF >/dev/null
|
||||
set network.ipsec_server.ipaddr="${vt_clientip%.*}.1"
|
||||
commit network
|
||||
EOF
|
||||
ifup ipsec_server > /dev/null 2>&1
|
||||
}
|
||||
|
||||
stop() {
|
||||
ifdown ipsec_server > /dev/null 2>&1
|
||||
sed -i '/l2tp-server/d' ${CHAP_SECRETS} 2>/dev/null
|
||||
top -bn1 | grep "${L2TP_PATH}" | grep -v "grep" | awk '{print $1}' | xargs kill -9 >/dev/null 2>&1
|
||||
rm -rf ${L2TP_PATH}
|
||||
ps -w | grep "/usr/lib/ipsec" | grep -v "grep" | awk '{print $1}' | xargs kill -9 >/dev/null 2>&1
|
||||
ipt_rule del
|
||||
rm -rf /var/etc/ipsecvpn.include
|
||||
ln -s "libipsec.so.0.0.0" "/usr/lib/ipsec/libipsec.so.0" >/dev/null 2>&1
|
||||
}
|
||||
|
||||
gen_iface_and_firewall() {
|
||||
uci -q batch <<-EOF >/dev/null
|
||||
delete network.ipsec_server
|
||||
set network.ipsec_server=interface
|
||||
set network.ipsec_server.ifname="ipsec0"
|
||||
set network.ipsec_server.device="ipsec0"
|
||||
set network.ipsec_server.proto="static"
|
||||
set network.ipsec_server.ipaddr="${vt_clientip%.*}.1"
|
||||
set network.ipsec_server.netmask="255.255.255.0"
|
||||
commit network
|
||||
|
||||
delete firewall.ipsecserver
|
||||
set firewall.ipsecserver=zone
|
||||
set firewall.ipsecserver.name="ipsecserver"
|
||||
set firewall.ipsecserver.input="ACCEPT"
|
||||
set firewall.ipsecserver.forward="ACCEPT"
|
||||
set firewall.ipsecserver.output="ACCEPT"
|
||||
set firewall.ipsecserver.network="ipsec_server"
|
||||
commit firewall
|
||||
EOF
|
||||
}
|
||||
|
||||
if [ -z "$(uci -q get network.ipsec_server)" ] || [ -z "$(uci -q get firewall.ipsecserver)" ]; then
|
||||
gen_iface_and_firewall
|
||||
fi
|
||||
@ -1,23 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
uci -q batch <<-EOF >/dev/null
|
||||
delete firewall.luci_app_ipsec_server
|
||||
set firewall.luci_app_ipsec_server=include
|
||||
set firewall.luci_app_ipsec_server.type=script
|
||||
set firewall.luci_app_ipsec_server.path=/var/etc/ipsecvpn.include
|
||||
set firewall.luci_app_ipsec_server.reload=1
|
||||
EOF
|
||||
|
||||
uci -q batch <<-EOF >/dev/null
|
||||
delete ucitrack.@luci-app-ipsec-server[-1]
|
||||
add ucitrack luci-app-ipsec-server
|
||||
set ucitrack.@luci-app-ipsec-server[-1].init=luci-app-ipsec-server
|
||||
commit ucitrack
|
||||
EOF
|
||||
|
||||
/etc/init.d/ipsec disable 2>/dev/null
|
||||
/etc/init.d/ipsec stop 2>/dev/null
|
||||
/etc/init.d/xl2tpd disable 2>/dev/null
|
||||
/etc/init.d/xl2tpd stop 2>/dev/null
|
||||
rm -rf /tmp/luci-*cache
|
||||
exit 0
|
||||
@ -1,11 +0,0 @@
|
||||
{
|
||||
"luci-app-ipsec-server": {
|
||||
"description": "Grant UCI access for luci-app-ipsec-server",
|
||||
"read": {
|
||||
"uci": [ "luci-app-ipsec-server" ]
|
||||
},
|
||||
"write": {
|
||||
"uci": [ "luci-app-ipsec-server" ]
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -1,27 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
_LOGOUT_TIME="$(date "+%Y-%m-%d %H:%M:%S")"
|
||||
CONFIG="luci-app-ipsec-server"
|
||||
L2TP_PATH=/var/etc/xl2tpd
|
||||
L2TP_SESSION_PATH=${L2TP_PATH}/session
|
||||
|
||||
_USERNAME=${PEERNAME}
|
||||
_IFACE=${1}
|
||||
_TTY=${2}
|
||||
_SPEED=${3}
|
||||
_LOCALIP=${4}
|
||||
_PEERIP=${5}
|
||||
_REMOTEIP=${6}
|
||||
_BYTES_SENT=${BYTES_SENT}
|
||||
_BYTES_RCVD=${BYTES_RCVD}
|
||||
_CONNECT_TIME=${CONNECT_TIME}
|
||||
|
||||
rm -f ${L2TP_SESSION_PATH}/${_USERNAME}.${_IFACE}
|
||||
rm -f /var/run/${_IFACE}.pid
|
||||
|
||||
#可根据退出的账号自定义脚本,如静态路由表,组网等。
|
||||
SCRIPT="/usr/share/xl2tpd/ip-down.d/${_USERNAME}"
|
||||
[ -s "$SCRIPT" ] && {
|
||||
[ ! -x "$SCRIPT" ] && chmod 0755 "$SCRIPT"
|
||||
"$SCRIPT" "$@"
|
||||
}
|
||||
@ -1,58 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
_LOGIN_TIME="$(date "+%Y-%m-%d %H:%M:%S")"
|
||||
CONFIG="luci-app-ipsec-server"
|
||||
L2TP_PATH=/var/etc/xl2tpd
|
||||
L2TP_SESSION_PATH=${L2TP_PATH}/session
|
||||
|
||||
_USERNAME=${PEERNAME}
|
||||
_IFACE=${1}
|
||||
_TTY=${2}
|
||||
_SPEED=${3}
|
||||
_LOCALIP=${4}
|
||||
_PEERIP=${5}
|
||||
|
||||
_PID=$(cat /var/run/${_IFACE}.pid 2>/dev/null)
|
||||
_REMOTEIP=$(cat /var/etc/xl2tpd/xl2tpd.log 2>/dev/null | grep "PID: ${_PID}" | grep -o -E '([0-9]{1,3}[\.]){3}[0-9]{1,3}')
|
||||
|
||||
mkdir -p ${L2TP_SESSION_PATH}
|
||||
|
||||
cat <<-EOF > ${L2TP_SESSION_PATH}/${_USERNAME}.${_IFACE}
|
||||
{
|
||||
"username": "${_USERNAME}",
|
||||
"interface": "${_IFACE}",
|
||||
"tty": "${_TTY}",
|
||||
"speed": "${_SPEED}",
|
||||
"ip": "${_PEERIP}",
|
||||
"remote_ip": "${_REMOTEIP}",
|
||||
"pid": "${_PID}",
|
||||
"login_time": "${_LOGIN_TIME}"
|
||||
}
|
||||
EOF
|
||||
|
||||
#只能单用户使用
|
||||
cfgid=$(uci show ${CONFIG} | grep "@l2tp_users" | grep "\.username='${_USERNAME}'" | cut -d '.' -sf 2)
|
||||
[ -n "$cfgid" ] && {
|
||||
HAS_LOGIN=$(ls ${L2TP_SESSION_PATH} | grep "^${_USERNAME}\.ppp" | grep -v "${_IFACE}")
|
||||
[ -n "$HAS_LOGIN" ] && {
|
||||
#踢出之前的用户
|
||||
KO_IFACE=$(echo $HAS_LOGIN | awk -F '.' '{print $2}')
|
||||
KO_PID=$(cat /var/run/${KO_IFACE}.pid 2>/dev/null)
|
||||
[ -n "$KO_PID" ] && kill -9 ${KO_PID} >/dev/null 2>&1
|
||||
rm -f ${L2TP_SESSION_PATH}/${HAS_LOGIN}
|
||||
rm -f /var/run/${KO_IFACE}.pid
|
||||
}
|
||||
routes=$(uci -q get ${CONFIG}.${cfgid}.routes)
|
||||
[ -n "$routes" ] && {
|
||||
for router in ${routes}; do
|
||||
route add -net ${router} dev ${_IFACE} >/dev/null 2>&1
|
||||
done
|
||||
}
|
||||
}
|
||||
|
||||
#可根据登录的账号自定义脚本,如组网、日志、限速、权限等特殊待遇。
|
||||
SCRIPT="/usr/share/xl2tpd/ip-up.d/${_USERNAME}"
|
||||
[ -s "$SCRIPT" ] && {
|
||||
[ ! -x "$SCRIPT" ] && chmod 0755 "$SCRIPT"
|
||||
"$SCRIPT" "$@"
|
||||
}
|
||||
Loading…
Reference in New Issue
Block a user