From 2e082dfed76851117cafd488388a010cac25df09 Mon Sep 17 00:00:00 2001 From: ian Date: Mon, 11 Dec 2000 02:41:27 +0000 Subject: [PATCH] Merge udptunnelconf branch; cvs up -j branchpoint-2000-12-10-udptunnelconf -j mergepoint-1-2000-12-10-udptunnelconf --- Makefile | 2 +- changelog | 3 + debian/changelog | 3 + ipif/.cvsignore | 1 + ipif/INSTALL | 177 ++++++++++++++++++++++---------- ipif/Makefile | 30 +++++- ipif/Makefile-udptunnelconf | 68 ++++++++++++ ipif/global.example | 22 ++++ ipif/sites.example | 35 +++++++ ipif/tunnels.example | 20 ++++ ipif/udptunnel-reconf.pl | 194 +++++++++++++++++++++++++++++++++++ ipif/udptunnel-vpn-config.m4 | 70 +++++++++++++ ipif/udptunnel-vpn-defaults | 105 +++++++++++++++++++ 13 files changed, 669 insertions(+), 61 deletions(-) create mode 100644 ipif/Makefile-udptunnelconf create mode 100644 ipif/global.example create mode 100644 ipif/sites.example create mode 100644 ipif/tunnels.example create mode 100755 ipif/udptunnel-reconf.pl create mode 100644 ipif/udptunnel-vpn-config.m4 create mode 100644 ipif/udptunnel-vpn-defaults diff --git a/Makefile b/Makefile index 5f795f9..df3a8b0 100644 --- a/Makefile +++ b/Makefile @@ -16,7 +16,7 @@ # # $Id$ -VERSION=0.2.0 +VERSION=0.2.1 all: @echo >&2 'See README. This is not a unified package.' diff --git a/changelog b/changelog index b834e3d..3baf0ef 100644 --- a/changelog +++ b/changelog @@ -2,6 +2,9 @@ userv-utils (0.2.1) unstable; urgency=low * service.c (userv ipif) /32 prefixes work properly now. + * New udptunnel-reconf program for generating invoke scripts, inittab + entries, and the like. + -- userv-utils (0.2.0) unstable; urgency=low diff --git a/debian/changelog b/debian/changelog index b834e3d..3baf0ef 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -2,6 +2,9 @@ userv-utils (0.2.1) unstable; urgency=low * service.c (userv ipif) /32 prefixes work properly now. + * New udptunnel-reconf program for generating invoke scripts, inittab + entries, and the like. + -- userv-utils (0.2.0) unstable; urgency=low diff --git a/ipif/.cvsignore b/ipif/.cvsignore index 8272b90..d9a8d7c 100644 --- a/ipif/.cvsignore +++ b/ipif/.cvsignore @@ -1,4 +1,5 @@ service automech.[ch] udptunnel-forwarder +udptunnel-reconf blowfishtest diff --git a/ipif/INSTALL b/ipif/INSTALL index 841ff22..8837ae6 100644 --- a/ipif/INSTALL +++ b/ipif/INSTALL @@ -1,6 +1,9 @@ -This file, INSTALL, is a tutorial on how to - * install userv ipif and udptunnel, and - * configure them to create a VPN tunnel between two hosts or networks. +This file, INSTALL, is a -*- text -*- file tutorial on how to + * install userv ipif and udptunnel, + * configure them to create a VPN tunnel between two hosts or + networks, or + * use udptunnel-reconf to create a multi-site VPN. + See README for details of other available documentation. @@ -13,7 +16,12 @@ BUILD AND INSTALLATION INSTRUCTIONS 2. Make sure your Linux kernel has SLIP and CSLIP compiled in. You will need to be using Linux 2.2 (with Unix98-style ptys). -3. Obtain a fresh copy of userv-utils, if you haven't already. +3. udptunnel works best if your ssh can do ssh-protocol-level + keepalives. Currently these are only supported by using a special + patch, which can be found (for OpenSSH 1.2.x) at + ftp.chiark.greenend.org.uk:/users/ian/openssh+protocolkeepalives. + +4. Obtain a fresh copy of userv-utils, if you haven't already. cd to ipif, and run `make' and (as root) `make install'. After you have done this the software will still not do anything, and 
@@ -119,10 +127,11 @@ UDPTUNNEL SETUP TUTORIAL host or network number - - - Encrypted Data Flow || -2. SETUP INSTRUCTIONS +2. INFORMATION COLLECTION AND PRELIMINARY SETUP - All of these steps can be done using the appropriate normal user - accounts, unless otherwise indicated. + You will need to collect and/or decide upon various information, and + make sure that your two endpoint systems can talk to each other over + the public network. 2.1. Find out, or choose, private network numbers @@ -164,8 +173,9 @@ UDPTUNNEL SETUP TUTORIAL In some situations you may find yourself using a `public network' which is not actually the public Internet - for example, you may want to run one tunnel `through' another, or your `public network' is - actually a private radio LAN. In this case you'll have to choose the - addresses to use from RFC1918-space, as above. + actually a `private', but not sufficiently secure, radio LAN. In + this case you'll have to choose the addresses to use from + RFC1918-space, as above. 2.3. Decide which user account(s) on alice and bob you will use 
@@ -186,7 +196,55 @@ UDPTUNNEL SETUP TUTORIAL (Obviously, if you need to create accounts, edit groups, or change the sshd configuratioon, you may need to be root.) -2.3. Configure the private network numbers in /etc/userv/ipif-networks +2.4. Decide whether to use `udptunnel-reconf' + + There are two ways to set up a tunnel with udptunnel. Either you can + simply give udptunnel the right command, by putting it in an + appropriate script and arranging it to be called, or you can have a + program `udptunnel-reconf' read some configuration files and do it + for you. + + udptunnel-reconf is not as well documented, but its behaviour is + somewhat more `cooked'. It is especially useful if you need to + maintain many tunnels as part of an organised, multi-site, VPN. + + Using udptunnel directly is somewhat more flexible, and may be easier + if you only want one tunnel. + + +3. SETUP INSTRUCTIONS - USING UDPTUNNEL-RECONF + + Edit or create the following files, as root: + /etc/userv/vpn/sites + /etc/userv/vpn/tunnels + /etc/userv/vpn/global + + Run udptunnel-reconf, as root. This will create: + /var/lib/userv/vpn/passive-sites + /var/lib/userv/vpn/active-sites + /var/lib/userv/vpn/command. + + It will also spit out to stdout two things: firstly, a list of + suggested commands to put in your inittab, and secondly a suggested + line to put in your /etc/userv/ipif-networks. + + Test that your setup is working, by running (one of) the + /var/lib/userv/vpn/command. file(s) by hand - see section 5. + If it works, you can put the relevant things in your inittab and say + `init q'. + + To find out what all the configuration settings do, look at + /usr/local/share/userv/udptunnel-vpn-defaults, which contains the + default settings and shows where all the hooks are. Consult section + 4 of this file to understand what the options to udptunnel do. + + +4. 
SETUP INSTRUCTIONS - INVOKING UDPTUNNEL DIRECTLY + + All of these steps can be done using the appropriate normal user + accounts, unless otherwise indicated. + +4.1. Configure the private network numbers in /etc/userv/ipif-networks (This step needs to be done as root.) @@ -215,7 +273,7 @@ UDPTUNNEL SETUP TUTORIAL interface with that address, but the address may not be assigned to a remote host or route. -2.4. Construct the udptunnel invocation (on alice) +4.2. Construct the udptunnel invocation (on alice) udptunnel has a long and complicated command line, rather than a configuration file. The best way to deal with this is to create a @@ -244,7 +302,7 @@ UDPTUNNEL SETUP TUTORIAL You have to fill in the right values for things in angle brackets. (See also section 6. for a moderately complex example, below.) -2.4.1. Syntax of and +4.4.1. Syntax of and These arguments to udptunnel are the network address ranges at each end which are to be connected via the tunnel. Let us consider just @@ -259,7 +317,7 @@ UDPTUNNEL SETUP TUTORIAL just to connect alice to bob and things at bob's end, then specify `-' for . -2.4.2. IP masquerading (NAT) at alice's end +4.4.2. IP masquerading (NAT) at alice's end If alice is behind a masquerading (NAT) firewall, you can still get it to work. You need to add an option `-m' before the other @@ -269,7 +327,7 @@ UDPTUNNEL SETUP TUTORIAL way alice doesn't need to know what port number the NAT proxy will use. -2.4.3. Using fixed UDP port numbers (eg to make firewally happy) +4.4.3. Using fixed UDP port numbers (eg to make firewally happy) If alice is behind a firewall which will not allow incoming UDP to arbitrary ports, even when sent in reply to packets of alice's, you @@ -290,7 +348,7 @@ UDPTUNNEL SETUP TUTORIAL with , \ -2.4.4. Clock skew and excessive delay +4.4.4. Clock skew and excessive delay The default configuration given above, which includes this -e nonce -e timestamp/10/30 \ 
@@ -318,7 +376,7 @@ UDPTUNNEL SETUP TUTORIAL with -e sequence \ -2.4.5. Other things to tweak (it's usually safe to ignore this part) +4.4.5. Other things to tweak (it's usually safe to ignore this part) Do not mess with the `-e' parameters and arguments except as explained above, unless you are a cryptographer. 
@@ -342,10 +400,46 @@ UDPTUNNEL SETUP TUTORIAL will be increased in size by 24 bytes + the size of a UDP and IP header + the effects of SLIP duplication of certain bytes.) +4.5. Testing your script + + After you've written your script, you should run it to see if it + works. See section 5 for details. + +4.6. Configure the tunnel to run automatically + + Now that the tunnel works if you invoke it by hand, it is time to + arrange to run it automatically. + + If you want the tunnel to run over a dialup link only when the dialup + link is up, then I'm afraid you'll have to arrange to start and kill + it yourself, probably. I haven't set up such a configuration. More + information about this for this document, if you manage to do it, + would be good. + + So, I shall assume that you want the tunnel to be up all of the time + (or at least, as much as possible). The best way to do this is to + run it from `init', by setting it up in inittab. + + For example, you could put something like this in your inittab: + t0:23:respawn:su Tbob -c ./udptunnel-invoke-bob 2>&1 | logger -p local2.info -t tunnel-bob + (Note that if you have more than one tunnel the `id' field, at the + start of the inittab line, must be different for each one.) + + This would use `su' to become bob and run the actual tunnelling + software, and arrange for the diagnostic output to be sent to syslog + with facility `local2' and priority `info', tagged with `tunnel-bob'. + With an appropriate line in /etc/syslog.conf, such as + local2.* /var/log/local2-all.log + (remember that you have to use tabs in syslog.conf) this will + produce, in /var/log/local2-all.log, all the diagnostics, including + reassuring messages like this: + Sep 18 00:27:48 alice tunnel-bob: udptunnel-forwarder: alice: tunnel still open: received 5262 packets, 5262 bytes + Sep 18 00:28:44 alice tunnel-bob: udptunnel-forwarder: bob: tunnel still open: received 5280 packets, 5280 bytes + -3. Test your udptunnel invocation script +5. 
TESTING YOUR UDPTUNNEL INVOCATION SCRIPT -3.1. Invocation +5.1. Invocation Log into alice as Tbob, and run ./udptunnel-invoke-bob. A great deal of diagnostic output will ensue. @@ -353,7 +447,8 @@ UDPTUNNEL SETUP TUTORIAL If all is well you will see two messages looking something like this udptunnel-forwarder: bob: tunnel open with peer 127.0.0.3:76543 udptunnel-forwarder: alice: tunnel open - and the session will just sit there. Go to 3.2. + and the session will just sit there. This means it thinks it's + working; go on to section 5.2. If it didn't say that, here are some debugging tips: @@ -412,7 +507,7 @@ UDPTUNNEL SETUP TUTORIAL because their checksums don't match. In this case they should go away in a minute or two. -3.2. Testing, once the tunnel claims to be working +5.2. Testing, once the tunnel claims to be working In another session on alice, you should be able to ping bob's virtual interface. If this works, test pinging between hosts on the private 
@@ -444,42 +539,10 @@ UDPTUNNEL SETUP TUTORIAL that, they can be a complete pain to debug. -4. Configure the tunnel to run automatically - - Now that the tunnel works if you invoke it by hand, it is time to - arrange to run it automatically. - - If you want the tunnel to run over a dialup link only when the dialup - link is up, then I'm afraid you'll have to arrange to start and kill - it yourself, probably. I haven't set up such a configuration. More - information about this for this document, if you manage to do it, - would be good. - - So, I shall assume that you want the tunnel to be up all of the time - (or at least, as much as possible). The best way to do this is to - run it from `init', by setting it up in inittab. - - For example, you could put something like this in your inittab: - t0:23:respawn:su Tbob -c ./udptunnel-invoke-bob 2>&1 | logger -p local2.info -t tunnel-bob - (Note that if you have more than one tunnel the `id' field, at the - start of the inittab line, must be different for each one.) - - This would use `su' to become bob and run the actual tunnelling - software, and arrange for the diagnostic output to be sent to syslog - with facility `local2' and priority `info', tagged with `tunnel-bob'. - With an appropriate line in /etc/syslog.conf, such as - local2.* /var/log/local2-all.log - (remember that you have to use tabs in syslog.conf) this will - produce, in /var/log/local2-all.log, all the diagnostics, including - reassuring messages like this: - Sep 18 00:27:48 alice tunnel-bob: udptunnel-forwarder: alice: tunnel still open: received 5262 packets, 5262 bytes - Sep 18 00:28:44 alice tunnel-bob: udptunnel-forwarder: bob: tunnel still open: received 5280 packets, 5280 bytes - - -5. DNS, firewall, mail, etc. +6. DNS, firewall, mail, etc. - Now you have IP level connectivity between your two networks. 
You - must now arrange for: + When you have IP level connectivity between your two networks, you + must also arrange for: * An appropriate firewall on each tunnel endpoint (to stop attacks from one network to another) and also at all the borders of each @@ -497,7 +560,7 @@ UDPTUNNEL SETUP TUTORIAL How to do these things is beyond the scope of this document. -6. Example +7. Example This example is the tunnel between chiark and Relativity. I'll quote it and explain the details, below. See also the comment at the top of @@ -599,7 +662,7 @@ UDPTUNNEL SETUP TUTORIAL t0:235:respawn:/usr/local/sbin/really -u ian /usr/local/sbin/udptunnel-invoke 2>&1 | logger -p local2.info -t tunnel-chiark -7. Copyright notice +8. Copyright notice Copyright (C) 1999-2000 Ian Jackson diff --git a/ipif/Makefile b/ipif/Makefile index e3dac05..6c4e7c0 100644 --- a/ipif/Makefile +++ b/ipif/Makefile @@ -26,14 +26,21 @@ CFLAGS= -Wall -Wmissing-prototypes -Wstrict-prototypes -Wpointer-arith \ etcdir= /etc prefix= /usr/local bindir= $(prefix)/bin +vardir= /var libdir= $(prefix)/lib +sharedir= $(prefix)/share libuserv= $(libdir)/userv +shareuserv= $(sharedir)/userv +varlib= $(vardir)/lib +varlibuserv= $(varlib)/userv +varlibvpn= $(varlibuserv)/vpn etcuserv= $(etcdir)/userv +etcvpn= $(etcdir)/userv/vpn services= $(etcuserv)/services.d -PROGRAM_TARGETS= udptunnel-forwarder +PROGRAM_TARGETS= udptunnel-forwarder udptunnel-reconf TARGETS= service blowfishtest $(PROGRAM_TARGETS) PROGRAMS= udptunnel $(PROGRAM_TARGETS) 
@@ -46,11 +53,28 @@ OBJS_BFTEST= blowfishtest.o blowfish.o hex.o all: $(TARGETS) install: all - mkdir -p $(libuserv) $(services) + mkdir -p $(libuserv) $(services) $(etcvpn) \ + $(varlibvpn) $(shareuserv) cp -b service $(libuserv)/ipif - cp ipif $(services)/ipif:new cp -b $(PROGRAMS) $(bindir)/. + cp ipif $(services)/ipif:new set -e; cd $(services); test -f ipif || mv ipif:new ipif + cp *.example $(etcvpn)/. + cp udptunnel-vpn-config.m4 udptunnel-vpn-defaults \ + $(shareuserv)/. + +udptunnel-reconf: udptunnel-reconf.pl Makefile + perl -pe ' \ + print "\ +\$$shareuserv= \"$(shareuserv)\";\n\ +\$$etcvpn= \"$(etcvpn)\";\n\ +\$$varlibvpn= \"$(varlibvpn)\";\n" if m#^\# \@\@\@\-#; \ + $$_="" if m/^\# \@\@\@\-/ .. m/^\# \-\@\@\@/; \ + ' \ + <$< >$@.new + chmod +x $@.new + mv -f $@.new $@ + udptunnel-forwarder: $(OBJS_FORWARD) $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(OBJS_FORWARD) diff --git a/ipif/Makefile-udptunnelconf b/ipif/Makefile-udptunnelconf new file mode 100644 index 0000000..fbaa6a9 --- /dev/null +++ b/ipif/Makefile-udptunnelconf 
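Review bot: The `udptunnel-reconf` rule pastes `$(shareuserv)`, `$(etcvpn)` and `$(varlibvpn)` into Perl double-quoted string literals that are themselves inside a double-quoted `print`, so the install paths are interpolated twice and a `prefix` containing `$`, `@`, `\`, `"` or `'` yields a generated script that no longer parses; that constraint is not written down anywhere. A comment above the rule would do, e.g. `# NB: install paths are spliced into Perl string literals; keep them free of quotes, $, @ and backslashes.`. A similar one-liner above `cp *.example $(etcvpn)/.`, saying that the files keep their `.example` suffix so an existing global/sites/tunnels is never overwritten on reinstall, would save the next reader checking.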
@@ -0,0 +1,68 @@ +# Makefile for udptunnelconf + +# Copyright (C) 2000 Ian Jackson +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with userv-utils; if not, write to the Free Software +# Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# $Id$ + +etcdir= /etc +prefix= /usr/local +bindir= $(prefix)/bin + +sharedir= $(prefix)/share/udptunnelconf + +etcuserv= $(etcdir)/userv +services= $(etcuserv)/services.d + +PROGRAM_TARGETS= udptunnel-forwarder +TARGETS= service blowfishtest $(PROGRAM_TARGETS) +PROGRAMS= udptunnel $(PROGRAM_TARGETS) + +MECHFILES= null pkcs5 timestamp sequence blowfish +MECHOBJS= $(foreach m, $(MECHFILES), mech-$m.o) + +OBJS_FORWARD= forwarder.o $(MECHOBJS) blowfish.o automech.c utils.c +OBJS_BFTEST= blowfishtest.o blowfish.o hex.o + +all: $(TARGETS) + +install: all + mkdir -p $(libuserv) $(services) + cp -b service $(libuserv)/ipif + cp ipif $(services)/ipif:new + cp -b $(PROGRAMS) $(bindir)/. 
+ set -e; cd $(services); test -f ipif || mv ipif:new ipif + +udptunnel-forwarder: $(OBJS_FORWARD) + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(OBJS_FORWARD) + +blowfishtest: $(OBJS_BFTEST) + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(OBJS_BFTEST) + +automech.h: automechgen.sh Makefile + ./$< $(MECHFILES) + +automech.c: automech.h + +clean: + rm -f *.o core automech.[ch] *~ ./#*# + +realclean: clean + rm -f $(TARGETS) + +forwarder.o $(MECHOBJS) automech.o utils.o: forwarder.h automech.h +blowfish.o mech-blowfish.o blowfishtest.o: blowfish.h +blowfishtest.o hex.o: hex.h diff --git a/ipif/global.example b/ipif/global.example new file mode 100644 index 0000000..7e20a60 --- /dev/null +++ b/ipif/global.example @@ -0,0 +1,22 @@ +m4_dnl You can edit this file, which is m4 input. +m4_dnl It defines global settings for your site. Settings here +m4_dnl override both the defaults shipped with udptunnelconf and +m4_dnl those which are mentioned in the `sites' file. + +SET( lend, [172.31.80.6]) +SET( lnets, [172.18.45.0/24]) + +SET( lcommand, [authbind udptunnel -m]) +SET( lpublic, [davenant-external]) +SET( lport, [ERROR]) + +SET( lgroup, tunnel) + +SET( invoke_hook, +[PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin +export PATH]) + +SET( sshverbose, []) + +SET( inittab_runlevels, [235]) +SET( inittab_pfx, [/usr/local/sbin/really -u tunnel]) diff --git a/ipif/sites.example b/ipif/sites.example new file mode 100644 index 0000000..628b09f --- /dev/null +++ b/ipif/sites.example 
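Review bot: `install` in Makefile-udptunnelconf uses `$(libuserv)` in `mkdir -p $(libuserv) $(services)` and `cp -b service $(libuserv)/ipif`, but this file never defines `libuserv` (it sets only `etcdir`, `prefix`, `bindir`, `sharedir`, `etcuserv` and `services`), so the copy would land in `/ipif` at the filesystem root; `CFLAGS` in the link rules is likewise undefined here, dropping the warning flags ipif/Makefile sets, and the `sharedir` it does define is used nowhere. The file reads as a stale copy of ipif/Makefile carried over from the branch; either add `libdir= $(prefix)/lib` and `libuserv= $(libdir)/userv` (and the `CFLAGS` line from ipif/Makefile) or leave it out of the merge.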
@@ -0,0 +1,35 @@ +m4_dnl This file is m4 input. It gives a list of the known sites +m4_dnl participating in the Sinister Greenend Organisation VPN. +m4_dnl +m4_dnl It should not usually be edited locally, BUT it should be +m4_dnl reviewed locally as installing a malicious copy would be +m4_dnl equivalent to giving it control over your computer ! +m4_dnl +m4_dnl It defines settings for each site. Settings here +m4_dnl can be overridden by things in `global', and on a per- +m4_dnl tunnel basis by entries in `tunnels'. + +SITE(relativity) +SET( rend, [172.31.80.6]) +SET( rnets, [172.18.45.0/24]) + +SITE(greenend) +SET( rpublic, [sinister.dynamic.greenend.org.uk]) +SET( rend, [192.168.73.70]) +SET( rnets, [192.168.0.0/23,192.168.73.0/24,172.16.22.0/24]) +SET( rcommandprefix, [PATH=/usr/local/bin:'$PATH']) +SET( proto, [slip]) + +SITE(rapun) +SET( rpublic, [rapun.sel.cam.ac.uk]) +SET( rend, [172.31.80.10]) + +SITE(chiark) +SET( rpublic, [login.chiark.greenend.org.uk]) +SET( rend, [172.31.80.8]) + +SITE(ecstacy) +SET( rpublic, [ecstacy.dynamic.greenend.org.uk]) +SET( rend, [172.31.80.7]) +SET( rnets, [192.168.76.0/24]) +SET( rcommandprefix, [PATH=/usr/local/bin:'$PATH']) diff --git a/ipif/tunnels.example b/ipif/tunnels.example new file mode 100644 index 0000000..5c0cd64 --- /dev/null +++ b/ipif/tunnels.example @@ -0,0 +1,20 @@ +m4_dnl You can edit this file, which is m4 input. +m4_dnl It defines settings for each site. Settings here +m4_dnl can be overridden by things in `global', and they +m4_dnl override things set in `sites'. You can also define +m4_dnl entirely new sites here with ACTIVE or PASSIVE - +m4_dnl there is no need for them to be listed in `sites'. + +ACTIVE(greenend) +SET( lport, [412]) +SET( ruser, [tgroad]) +SET( proto, [slip]) +SET( lnets, V_lnets[,172.18.239.192/28]) + +ACTIVE(ecstacy) +SET( lport, [411]) +SET( ruser, davenant) + +ACTIVE(rapun) +SET( lport, [413]) +SET( ruser, [ian]) 
diff --git a/ipif/udptunnel-reconf.pl b/ipif/udptunnel-reconf.pl
new file mode 100755
index 0000000..e21d123
--- /dev/null
+++ b/ipif/udptunnel-reconf.pl
@@ -0,0 +1,194 @@
+#!/usr/bin/perl
+# udptunnel-reconf
+# Set up the relevant stuff in /etc/userv/vpn, and then run
+# this. It should tell you what to do to inittab and ipif-networks.
+
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with userv-utils; if not, write to the Free Software
+# Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# $Id$
+
+use Socket;
+
+# @@@-
+$shareuserv= "`pwd`";
+$etcvpn= "`pwd`";
+$varlibvpn= "`pwd`";
+# -@@@
+
+sub badusage () { die "usage: udptunnel-reconf []\n"; }
+$debug=0;
+
+sub fault ($) { die "$0: $_[0]\n"; }
+
+while ($ARGV[0] =~ m/^-/) {
+ $_= shift @ARGV;
+ last if m/^--$/;
+ if (m/^-d$/) { $debug++; next; }
+ badusage();
+}
+
+if (@ARGV) { $etcvpn= shift @ARGV; }
+badusage() if @ARGV;
+
+chdir $etcvpn or fault("$etcvpn: $!");
+
+sub run_m4 ($$$) {
+ my ($wanted, $site, $variable) = @_;
+ $x= "m4 -P -DWANTED=$wanted -DWHVARIABLE=V_$variable -DV_global=global ".
+ "-DV_site=$site -DV_varlibvpn=$varlibvpn ".
+ "-DV_defaults=$shareuserv/udptunnel-vpn-defaults ".
+ "$shareuserv/udptunnel-vpn-config.m4";
+ print STDERR $x,"\n" if $debug>=2;
+ open X, "$x |" or die $!;
+ undef $/;
+ $m4out= ;
+ $/= "\n";
+ close X; $?
and exit -1;
+ $m4out =~ s/^\s+//;
+ $m4out =~ s/\n+/\n/g;
+ $m4out =~ s/\s+$//;
+ print STDERR "$wanted/$variable($site) -> \`$m4out'\n" if $debug>=1;
+# $m4out='' if $wanted eq 'VARIABLE' && substr($m4out,0,2) eq 'V_';
+ return $m4out;
+}
+
+sub check_junk ($$) {
+ my ($emsg, $site) = @_;
+ $j= run_m4('JUNK',$site,'');
+ $j =~ s/^\# //g;
+ fault("$emsg: $j") if length $j;
+}
+
+sub var_global ($) { return run_m4('VARIABLE','',$_[0]) }
+sub var_site ($) { return run_m4('VARIABLE',$site,$_[0]) }
+
+check_junk("error in config",'');
+
+@actives= split /\s+/, run_m4('ACTIVES','','');
+@passives= split /\s+/, run_m4('PASSIVES','','');
+
+foreach $site (@actives, @passives) {
+ check_junk("error in config for site $site",$site);
+}
+
+sub parse_addr_mask ($) {
+ my ($r) = @_;
+ my ($mask,$iaddr);
+ if ($r =~ s,/(\d+)$,,) { $mask=$1; } else { $mask=32; }
+ fault("invalid mask length $1") if $mask<0 || $mask>32;
+ $mask= $mask ? ~0 << (32-$mask) : 0;
+ $iaddr= inet_aton($r); fault("invalid address $r") unless defined $iaddr;
+ $iaddr= (unpack "N",$iaddr)[0];
+ return ($iaddr, $mask);
+}
+
+$forbid_remote= var_global('forbid_remote');
+@forbid_remote= ();
+foreach $r (split /[, \t]+/, $forbid_remote) {
+ push @forbid_remote, [ parse_addr_mask($r) ];
+}
+
+sub ipif_permit ($$$$) {
+ my ($group,$local,$net,$why) = @_;
+ my ($pmask,$piaddr,$fmask,$fiaddr,@lgroup,$lgid);
+
+ @lgroup= getgrnam($group);
+ @lgroup or fault("invalid group \`$group' ($why)");
+ $lgid= $lgroup[2];
+
+ if (!$local) {
+ ($piaddr,$pmask) = parse_addr_mask($net);
+ foreach $fref (@forbid_remote) {
+ ($fiaddr,$fmask) = @$fref;
+ $jmask= $fmask & $pmask;
+#printf STDERR "%8lx %8lx %l8x %8lx", $pmask,$pmask
+ fault("local network $net claimed as remote ($why)")
+ if (($fiaddr&$jmask) == ($piaddr&$jmask));
+ }
+ }
+ $ipif_file .= "$lgid,$local$net, $group, $why\n";
+}
+
+$glgroup= var_global('lgroup');
+$glend= var_site('lend')."/32";
+if ($glend !~ m/^V_/ && $glgroup !~ m/^V_/ &&
+ length $glend && length
$glgroup) {
+ ipif_permit($glgroup, '=', "$glend", 'local endpoint');
+} else {
+ $glend='X'; $glgroup='X';
+}
+
+foreach $site (@actives, @passives) {
+ $tlend= var_site('lend')."/32";
+ $tlgroup= var_site('lgroup');
+ if ($tlend ne $glend || $tlgroup ne $glgroup) {
+ ipif_permit($tlgroup, '=', $tlend, "$site - local endpoint");
+ }
+ $trend= var_site('rend').'/32';
+ $ix= 0;
+ $trnets= var_site('rnets');
+ ipif_permit($tlgroup, '', $trend, "$site - remote endpoint");
+ if ($trnets ne '-') {
+ foreach $rnet (split /,/, $trnets) {
+ ipif_permit($tlgroup, '', $rnet, "$site - remote network #$ix");
+ $ix++;
+ }
+ }
+}
+
+sub write_file ($$$$) {
+ my ($fn,$why,$head,$body) = @_;
+ length $fn or fault("location to write $why not specified");
+ open F, ">$fn.new" or fault("create $fn.new: $!");
+ print F $head."\n# AUTOGENERATED BY $0 - DO NOT EDIT\n".$body or die $!;
+ close F or die $!;
+ rename "$fn.new",$fn or die $!;
+}
+
+$ipifnetsfile= var_global(ipifnetsfile);
+write_file($ipifnetsfile,'ipifnetsfile','', $ipif_file);
+
+$active_file= '';
+$inittab= '';
+$ix= 0;
+foreach $site (@actives) {
+ $active_file.= "$site\t".var_site('activesxinfo')."\n";
+ $inittab.= sprintf("t%d", $ix++).':'.var_site('inittab_line')."\n";
+ $invoke_file= var_site('invoke_file');
+ write_file($invoke_file, 'invoke_file',
+ var_site('invoke_head'), var_site('invoke_body'));
+ chmod 0777&~umask, $invoke_file or die $!;
+}
+write_file(var_global('activesfile'),'activesfile', '',$active_file);
+
+print
+"# You can cut and paste all or part of this into your inittab if you like:\n",
+ $inittab;
+
+print
+"# And consider adding this line, or some of this file's contents,\n".
+"# to your /etc/userv/ipif-networks:\n",
+ "$ipifnetsfile\n"
+ if $ipifnetsfile =~ m,^/,;
+
+$passive_file= '';
+foreach $site (@passives) {
+ $passive_file.= "$site\t".var_site('passivesxinfo')."\n";
+}
+write_file(var_global('passivesfile'),'passivesfile', '',$passive_file);
+
+system var_global('postconfigure'); $?
and exit -1;
+
+exit 0;
diff --git a/ipif/udptunnel-vpn-config.m4 b/ipif/udptunnel-vpn-config.m4
new file mode 100644
index 0000000..ddf1de6
--- /dev/null
+++ b/ipif/udptunnel-vpn-config.m4
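Review bot: The closing `system var_global('postconfigure'); $? and exit -1;` makes the script finish with a failure status whenever `postconfigure` is left at its empty default, because as far as I can tell `system` given an empty string cannot exec anything and leaves `$?` non-zero although every output file has already been written. Guard the hook: `$pc= var_global('postconfigure'); if (length $pc) { system $pc; $? and exit -1; }`. Separately, `run_m4` pastes `$site`, `$variable`, `$shareuserv` and `$varlibvpn` into one command string and runs it through `open X, "$x |"`, so a site name or install path containing whitespace or shell metacharacters is reinterpreted by /bin/sh; the list form `open X, '-|', 'm4', '-P', "-DWANTED=$wanted", "-DWHVARIABLE=V_$variable", ...` bypasses the shell at no cost, even though these inputs are root-edited configuration. Finally, `var_global(ipifnetsfile)` is the one call site that passes a bareword instead of a quoted string; it only works because the file does not `use strict`, so quote it like the others.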
@@ -0,0 +1,70 @@
+m4_dnl udptunnel-vpn-config.m4: macros for udptunnel-reconf et al
+
+m4_dnl This is free software; you can redistribute it and/or modify it
+m4_dnl under the terms of the GNU General Public License as published by
+m4_dnl the Free Software Foundation; either version 2 of the License, or
+m4_dnl (at your option) any later version.
+m4_dnl
+m4_dnl This program is distributed in the hope that it will be useful, but
+m4_dnl WITHOUT ANY WARRANTY; without even the implied warranty of
+m4_dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+m4_dnl General Public License for more details.
+m4_dnl
+m4_dnl You should have received a copy of the GNU General Public License
+m4_dnl along with userv-utils; if not, write to the Free Software
+m4_dnl Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+m4_dnl
+m4_dnl $Id$
+
+m4_define(V_JUNK,1)m4_divert(V_JUNK)
+m4_define(V_VARIABLE,2)
+m4_define(V_ACTIVES,3)
+m4_define(V_PASSIVES,4)
+m4_changequote([,])
+
+m4_define(V_WARGS, [
+ m4_define([$1], [m4_ifelse($][#,$2,[$3],
+ [# ]m4___file__:m4___line__[: wrong number of args to $1])])])
+
+V_WARGS([SET], 2, [V_SET([V_$1], [$2])])
+m4_define(V_YES, [m4_define([V_SET],[m4_define($][@)])])
+m4_define(V_NO, [m4_define([V_SET], [])])
+
+m4_define(V_ACTPA, [
+ V_WARGS($1, 1, [m4_divert(V_$1S)$][1 m4_dnl
+ m4_divert(V_JUNK)m4_ifelse($][1,V_site,
+ [V_YES],
+ [V_NO]
+)])])
+
+m4_dnl V_WARGS(, 2, [m4_divert(V_PASSIVES)$1 m4_dnl
+m4_dnl m4_divert(V_JUNK)m4_ifelse([$1],V_site, [$2])])
+
+m4_divert(V_JUNK)
+
+V_YES
+m4_include(V_defaults)
+m4_include(V_global)
+
+V_WARGS(SITE, 1, [m4_ifelse([$1],V_site, [V_YES], [V_NO])])
+V_YES
+m4_include(V_sites)
+m4_undefine([SITE])
+
+V_ACTPA(ACTIVE)
+V_ACTPA(PASSIVE)
+V_YES
+m4_include(V_tunnels)
+
+m4_divert(V_VARIABLE)
+WHVARIABLE
+m4_divert(V_JUNK)
+
+m4_define(V_WANTED, V_[]WANTED)
+m4_divert(0)
+m4_undivert(V_WANTED)
+m4_divert(-1)
+m4_undivert(V_JUNK)
+m4_undivert(V_ACTIVES)
+m4_undivert(V_PASSIVES)
+m4_undivert(V_VARIABLE)
diff --git a/ipif/udptunnel-vpn-defaults b/ipif/udptunnel-vpn-defaults
new file mode 100644
index 0000000..add96da
--- /dev/null
+++ b/ipif/udptunnel-vpn-defaults
@@ -0,0 +1,105 @@
+m4_dnl udptunnel-vpn-defaults: default settings for udptunnel-reconf
+
+m4_dnl This is free software; you can redistribute it and/or modify it
+m4_dnl under the terms of the GNU General Public License as published by
+m4_dnl the Free Software Foundation; either version 2 of the License, or
+m4_dnl (at your option) any later version.
+m4_dnl
+m4_dnl This program is distributed in the hope that it will be useful, but
+m4_dnl WITHOUT ANY WARRANTY; without even the implied warranty of
+m4_dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+m4_dnl General Public License for more details.
+m4_dnl
+m4_dnl You should have received a copy of the GNU General Public License
+m4_dnl along with userv-utils; if not, write to the Free Software
+m4_dnl Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+m4_dnl
+m4_dnl $Id$
+
+SET( lcommand, [udptunnel])
+SET( crypto,
+ [-e nonce -e timestamp/10/30 -e pkcs5/8 \
+ -e blowfish-cbcmac/128 -e blowfish-cbc/128])
+
+SET( lpublic, [`hostname`])
+SET( lport, [Any])
+m4_dnl rpublic -- usually set in sites
+SET( rport, [Command])
+m4_dnl lend -- usually set in global
+m4_dnl rend -- usually set in sites
+SET( mtu, [1000])
+SET( proto, [cslip])
+SET( to_poll, [30])
+SET( to_quit, [130])
+SET( to_report, [1800])
+SET( timeouts, [V_to_poll,V_to_quit,V_to_report])
+SET( lnets, [-])m4_dnl often overridden in global
+SET( rnets, [-])m4_dnl often overridden in sites
+SET( forbid_remote, [V_lnets])
+
+SET( rcommandprefix, [])
+SET( rcommand, [V_rcommandprefix udptunnel])
+
+SET( sshprotoka, [-o 'ProtocolKeepAlives 300'])
+SET( sshstdopts, [-o 'ForwardAgent no' -o 'ForwardX11 no' -o 'BatchMode yes'])
+SET( sshverbose, [-v])
+SET( sshopts, [])
+SET( ssh,
+ [ssh V_sshstdopts \
+ V_sshprotoka V_sshverbose \
+ V_sshopts])
+
+SET( sshdest, [V_rpublic])
+
+SET( sites, [sites])
+SET( tunnels, [tunnels])
+
+m4_dnl varlibvpn -- global can override
+
+SET( ipifnetsfile, [V_varlibvpn/ipif-networks])
+SET(
activesfile, [V_varlibvpn/active-sites])
+SET( activesxinfo, [])
+SET( passivesfile, [V_varlibvpn/passive-sites])
+SET( passivesxinfo, [])
+
+SET( postconfigure, [])
+
+SET( invoke_file, [V_varlibvpn/command.V_site])
+SET( invoke_head, [#!/bin/sh])
+SET( invoke_hook, [])
+
+SET( syslog_facility, local2)
+SET( syslog_priority, info)
+
+SET( inittab_runlevels, 2345)
+SET( inittab_pfx, [])
+SET( inittab_sfx,
+ [2>&1 | logger -p V_syslog_facility.V_syslog_priority -t tunnel-V_site])
+SET( inittab_command,[V_inittab_pfx V_invoke_file V_inittab_sfx])
+SET( inittab_line, [V_inittab_runlevels:respawn:V_inittab_command])
+
+SET( invoke_body,
+[set -e
+V_invoke_hook
+echo "STARTING TUNNEL `date`" >&2
+V_command
+rc=$?
+echo "TUNNEL CLOSED rc=$rc" >&2
+exit $rc
+])
+
+m4_dnl lgroup -- usually set in global
+
+SET( command,
+[V_lcommand \
+ V_crypto \
+ V_lpublic,V_lport \
+ V_rpublic,V_rport \
+ V_lend,V_rend,V_mtu,V_proto \
+ V_timeouts \
+ V_rnets \
+ V_lnets \
+ V_ssh \
+ V_ruser@V_sshdest \
+ V_rcommand
+ ])
-- 2.30.2
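Review bot: In `invoke_body`, `rc=$?` after `V_command` is unreachable on failure: the generated script begins with `set -e`, so a non-zero exit from the tunnel command terminates the shell before `rc` is assigned, and the `TUNNEL CLOSED rc=` diagnostic is never written for exactly the case it exists for. Capturing the status inline keeps `set -e` in force for the rest of the script: `rc=0` followed by `V_command || rc=$?`. It would also help to note beside `sshstdopts` that `BatchMode yes` suppresses ssh's interactive prompts, so an unknown or changed host key for `V_sshdest` makes the connection fail rather than ask, and init will respawn the failing command until the key is in the tunnel user's known_hosts; something like `m4_dnl BatchMode: remote host key must already be in known_hosts, ssh will not prompt`.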