#!/bin/sh /etc/rc.common
SERVICE_USE_PID=1
START=50
setup_config() {
config_get port $1 port "4443"
config_get max_clients $1 max_clients "8"
config_get max_same $1 max_same "2"
config_get dpd $1 dpd "120"
config_get predictable_ips $1 predictable_ips "1"
config_get udp $1 udp "1"
config_get auth $1 auth "plain"
config_get cisco_compat $1 cisco_compat "1"
config_get ipaddr $1 ipaddr "192.168.100.0"
config_get netmask $1 netmask "255.255.255.0"
config_get ip6addr $1 ip6addr ""
config_get default_domain $1 default_domain ""
enable_default_domain="#"
enable_udp="#"
test $predictable_ips = "0" && predictable_ips="false"
test $predictable_ips = "1" && predictable_ips="true"
test $cisco_compat = "0" && cisco_compat="false"
test $cisco_compat = "1" && cisco_compat="true"
test $udp = "1" && enable_udp=""
test -z $default_domain && enable_default_domain=""
test -z $ip6addr && enable_ipv6="#"
ipv6_addr=`echo $ip6addr|cut -d '/' -f 1`
ipv6_prefix=`echo $ip6addr|cut -d '/' -f 2`
test $auth = "plain" && authsuffix="\[/var/etc/ocpasswd\]"
dyndns="false"
hostname=`uci show ddns|grep domain|head -1|cut -d '=' -f 2 2>/dev/null`
[ -n "$hostname" ] && dyndns="true"
mkdir -p /var/etc
sed -e "s/|PORT|/$port/g" \
-e "s/|MAX_CLIENTS|/$max_clients/g" \
-e "s/|MAX_SAME|/$max_same/g" \
-e "s/|DPD|/$dpd/g" \
-e "s#|AUTH|#$auth$authsuffix#g" \
-e "s#|DYNDNS|#$dyndns#g" \
-e "s/|PREDICTABLE_IPS|/$predictable_ips/g" \
-e "s/|DEFAULT_DOMAIN|/$default_domain/g" \
-e "s/|ENABLE_DEFAULT_DOMAIN|/$enable_default_domain/g" \
-e "s/|CISCO_COMPAT|/$cisco_compat/g" \
-e "s/|UDP|/$enable_udp/g" \
-e "s/|IPV4ADDR|/$ipaddr/g" \
-e "s/|NETMASK|/$netmask/g" \
-e "s/|IPV6ADDR|/$ipv6_addr/g" \
-e "s/|IPV6PREFIX|/$ipv6_prefix/g" \
-e "s/|ENABLE_IPV6|/$enable_ipv6/g" \
/etc/ocserv/ocserv.conf.template > /var/etc/ocserv.conf
}
setup_users() {
local name
local group
local password
config_get name $1 name
config_get group $1 group
config_get password $1 password
[ -z "$group" ] && group='*'
[ -z "$name" -o -z "$password" ] && return
echo "$name:$group:$password" >> /var/etc/ocpasswd
}
setup_routes() {
local routes
config_get ip $1 ip
config_get netmask $1 netmask
[ -z "$ip" -o -z "$netmask" ] && return
echo "route = $ip/$netmask" >> /var/etc/ocserv.conf
}
setup_dns() {
local routes
config_get ip $1 ip
[ -z "$ip" ] && return
echo "dns = $ip" >> /var/etc/ocserv.conf
}
start() {
local hostname iface
hostname=`uci show ddns|grep domain|head -1|cut -d '=' -f 2 2>/dev/null`
[ -z "$hostname" ] && hostname=`uci get system.@system[0].hostname 2>/dev/null`
[ -f /etc/config/ocserv-dir/ca-key.pem ] && mv /etc/config/ocserv-dir/ca-key.pem /etc/ocserv/ca-key.pem
[ -f /etc/config/ocserv-dir/ca.pem ] && mv /etc/config/ocserv-dir/ca.pem /etc/ocserv/ca.pem
[ -f /etc/config/ocserv-dir/server-key.pem ] && mv /etc/config/ocserv-dir/server-key.pem /etc/ocserv/server-key.pem
[ -f /etc/config/ocserv-dir/server-cert.pem ] && mv /etc/config/ocserv-dir/server-cert.pem /etc/ocserv/server-cert.pem
[ -d /etc/config/ocserv-dir ] && rmdir /etc/config/ocserv-dir
[ ! -f /etc/ocserv/ca-key.pem ] && [ -x /usr/bin/certtool ] && {
logger -t ocserv "Generating CA certificate..."
mkdir -p /etc/ocserv/pki/
certtool --bits 2048 --generate-privkey --outfile /etc/ocserv/ca-key.pem >/dev/null 2>&1
echo "cn=$hostname CA" >/etc/ocserv/pki/ca.tmpl
echo "expiration_days=-1" >>/etc/ocserv/pki/ca.tmpl
echo "serial=1" >>/etc/ocserv/pki/ca.tmpl
echo "ca" >>/etc/ocserv/pki/ca.tmpl
echo "cert_signing_key" >>/etc/ocserv/pki/ca.tmpl
certtool --template /etc/ocserv/pki/ca.tmpl \
--generate-self-signed --load-privkey /etc/ocserv/ca-key.pem \
--outfile /etc/ocserv/ca.pem >/dev/null 2>&1
}
#generate server certificate/key
[ ! -f /etc/ocserv/server-key.pem ] && [ -x /usr/bin/certtool ] && {
logger -t ocserv "Generating server certificate..."
mkdir -p /etc/ocserv/pki/
certtool --bits 2048 --generate-privkey --outfile /etc/ocserv/server-key.pem >/dev/null 2>&1
echo "cn=$hostname" >/etc/ocserv/pki/server.tmpl
echo "serial=2" >>/etc/ocserv/pki/server.tmpl
echo "expiration_days=-1" >>/etc/ocserv/pki/server.tmpl
echo "signing_key" >>/etc/ocserv/pki/server.tmpl
echo "encryption_key" >>/etc/ocserv/pki/server.tmpl
certtool --template /etc/ocserv/pki/server.tmpl \
--generate-certificate --load-privkey /etc/ocserv/server-key.pem \
--load-ca-certificate /etc/ocserv/ca.pem --load-ca-privkey \
/etc/ocserv/ca-key.pem --outfile /etc/ocserv/server-cert.pem >/dev/null 2>&1
}
[ -f /var/run/ocserv.pid ] || {
touch /var/run/ocserv.pid
chown ocserv:ocserv /var/run/ocserv.pid
}
[ -d /var/lib/ocserv ] || {
mkdir -m 0755 -p /var/lib/ocserv
chmod 0700 /var/lib/ocserv
chown ocserv:ocserv /var/lib/ocserv
}
config_load "ocserv"
rm -f /var/etc/ocserv.conf
touch /var/etc/ocserv.conf
setup_config config
config_foreach setup_routes routes
config_foreach setup_dns dns
rm -f /var/etc/ocpasswd
touch /var/etc/ocpasswd
chmod 600 /var/etc/ocpasswd
config_foreach setup_users ocservusers
service_start /usr/sbin/ocserv -c /var/etc/ocserv.conf
}
stop() {
service_stop /usr/sbin/ocserv
}
reload() {
rm -f /var/etc/ocpasswd
touch /var/etc/ocpasswd
chmod 600 /var/etc/ocpasswd
config_foreach setup_users ocservusers
/usr/bin/occtl show status >/dev/null 2>&1
if test $? != 0;then
start
else
/usr/bin/occtl reload
fi
}