packages/net/openconnect/files/openconnect.sh

#!/bin/sh
. /lib/functions.sh
. ../netifd-proto.sh
init_proto "$@"

proto_openconnect_init_config() {
	proto_config_add_string "server"
	proto_config_add_int "port"
	proto_config_add_int "mtu"
	proto_config_add_int "juniper"
	proto_config_add_string "interface"
	proto_config_add_string "username"
	proto_config_add_string "serverhash"
	proto_config_add_string "authgroup"
	proto_config_add_string "password"
	proto_config_add_string "password2"
	proto_config_add_string "token_mode"
	proto_config_add_string "token_secret"
	proto_config_add_string "token_script"
	proto_config_add_string "os"
	proto_config_add_string "csd_wrapper"
	proto_config_add_array 'form_entry:regex("[^:]+:[^=]+=.*")'
	no_device=1
	available=1
}

proto_openconnect_add_form_entry() {
	[ -n "$1" ] && append cmdline "--form-entry $1"
}

proto_openconnect_setup() {
	local config="$1"

	json_get_vars server port interface username serverhash authgroup password password2 token_mode token_secret token_script os csd_wrapper mtu juniper form_entry

	grep -q tun /proc/modules || insmod tun
	ifname="vpn-$config"

	logger -t openconnect "initializing..."

	logger -t "openconnect" "adding host dependency for $server at $config"
	for ip in $(resolveip -t 10 "$server"); do
		logger -t "openconnect" "adding host dependency for $ip at $config"
		proto_add_host_dependency "$config" "$ip" "$interface"
	done

	[ -n "$port" ] && port=":$port"

	cmdline="$server$port -i "$ifname" --non-inter --syslog --script /lib/netifd/vpnc-script"
	[ -n "$mtu" ] && cmdline="$cmdline --mtu $mtu"

	# migrate to standard config files
	[ -f "/etc/config/openconnect-user-cert-vpn-$config.pem" ] && mv "/etc/config/openconnect-user-cert-vpn-$config.pem" "/etc/openconnect/user-cert-vpn-$config.pem"
	[ -f "/etc/config/openconnect-user-key-vpn-$config.pem" ] && mv "/etc/config/openconnect-user-key-vpn-$config.pem" "/etc/openconnect/user-key-vpn-$config.pem"
	[ -f "/etc/config/openconnect-ca-vpn-$config.pem" ] && mv "/etc/config/openconnect-ca-vpn-$config.pem" "/etc/openconnect/ca-vpn-$config.pem"

	[ -f /etc/openconnect/user-cert-vpn-$config.pem ] && append cmdline "-c /etc/openconnect/user-cert-vpn-$config.pem"
	[ -f /etc/openconnect/user-key-vpn-$config.pem ] && append cmdline "--sslkey /etc/openconnect/user-key-vpn-$config.pem"
	[ -f /etc/openconnect/ca-vpn-$config.pem ] && {
		append cmdline "--cafile /etc/openconnect/ca-vpn-$config.pem"
		append cmdline "--no-system-trust"
	}

	if [ "${juniper:-0}" -gt 0 ]; then
		append cmdline "--juniper"
	fi

	[ -n "$serverhash" ] && {
		append cmdline " --servercert=$serverhash"
		append cmdline "--no-system-trust"
	}
	[ -n "$authgroup" ] && append cmdline "--authgroup $authgroup"
	[ -n "$username" ] && append cmdline "-u $username"
	[ -n "$password" ] || [ "$token_mode" = "script" ] && {
		umask 077
		mkdir -p /var/etc
		pwfile="/var/etc/openconnect-$config.passwd"
		[ -n "$password" ] && {
			echo "$password" > "$pwfile"
			[ -n "$password2" ] && echo "$password2" >> "$pwfile"
		}
		[ "$token_mode" = "script" ] && {
			$token_script > "$pwfile" 2> /dev/null || {
				logger -t openconenct "Cannot get password from script '$token_script'"
				proto_setup_failed "$config"
			}
		}
		append cmdline "--passwd-on-stdin"
	}

	[ -n "$token_mode" -a "$token_mode" != "script" ] && append cmdline "--token-mode=$token_mode"
	[ -n "$token_secret" ] && append cmdline "--token-secret=$token_secret"
	[ -n "$os" ] && append cmdline "--os=$os"
	[ -n "$csd_wrapper" ] && [ -x "$csd_wrapper" ] && append cmdline "--csd-wrapper=$csd_wrapper"

	json_for_each_item proto_openconnect_add_form_entry form_entry

	proto_export INTERFACE="$config"
	logger -t openconnect "executing 'openconnect $cmdline'"

	if [ -f "$pwfile" ]; then
		proto_run_command "$config" /usr/sbin/openconnect-wrapper $pwfile $cmdline
	else
		proto_run_command "$config" /usr/sbin/openconnect $cmdline
	fi
}

proto_openconnect_teardown() {
	local config="$1"

	pwfile="/var/etc/openconnect-$config.passwd"

	rm -f $pwfile
	logger -t openconnect "bringing down openconnect"
	proto_kill_command "$config" 2
}

add_protocol openconnect
Added openconnect 2014-06-04 00:18:17 +08:00			`#!/bin/sh`
			`. /lib/functions.sh`
			`. ../netifd-proto.sh`
			`init_proto "$@"`

			`proto_openconnect_init_config() {`
			`proto_config_add_string "server"`
			`proto_config_add_int "port"`
openconnect: new option mtu According to openconnect --help output: -m, --mtu=MTU Request MTU from server --base-mtu=MTU Indicate path MTU to/from server Fixes #2099 by allowing setting tunnel mtu Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com> 2017-05-08 13:07:23 +08:00			`proto_config_add_int "mtu"`
openconnect: add options to support juniper Signed-off-by: Vladimir Berezhnoy <non7top@gmail.com> 2017-11-07 18:11:34 +08:00			`proto_config_add_int "juniper"`
openconnect: re-introduce config: interface In some cases, it's useful to specify which interface to establish the VPN connection Signed-off-by: Gavin Ni <gisngy@gmail.com> 2017-11-22 10:10:22 +08:00			`proto_config_add_string "interface"`
Added openconnect 2014-06-04 00:18:17 +08:00			`proto_config_add_string "username"`
openconnect: Added configuration options for hash and user cert/key pairs Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2014-06-05 05:17:54 +08:00			`proto_config_add_string "serverhash"`
			`proto_config_add_string "authgroup"`
Added openconnect 2014-06-04 00:18:17 +08:00			`proto_config_add_string "password"`
openconnect: allow processing multiple passwords from stdin Resolves #1419 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2015-06-19 04:40:25 +08:00			`proto_config_add_string "password2"`
openconnect: fix a couple of minor things and add an interface option Signed-off-by: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us> 2015-02-07 03:54:39 +08:00			`proto_config_add_string "token_mode"`
			`proto_config_add_string "token_secret"`
openconnect: support reading password from script "token_mode" add support for "script", which execute "token_script" to get the password. Some token is not supported by OpenConnect natively, e.g. "MobilePass" or "Softoken II" used in Cisco VPN Signed-off-by: Gavin Ni <gisngy@gmail.com> Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com> 2017-11-28 15:04:31 +08:00			`proto_config_add_string "token_script"`
openconnect: allow specifying "os" Some servers might be implementing ACLs based on the value specified by openconnect for "os", allow that to be configured. Signed-off-by: Florian Fainelli <florian@openwrt.org> 2015-04-05 03:31:49 +08:00			`proto_config_add_string "os"`
openconnect: allow specifying a custom CSD wrapper script Some VPN servers might be configured in a way that a CSD wrapper script is mandatory to complete the authentication process, allow that to be specified for openconnect. Signed-off-by: Florian Fainelli <florian@openwrt.org> 2015-04-05 03:32:59 +08:00			`proto_config_add_string "csd_wrapper"`
openconnect: allow specifying form_entry list Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com> 2019-09-20 17:22:54 +08:00			`proto_config_add_array 'form_entry:regex("[^:]+:[^=]+=.*")'`
Added openconnect 2014-06-04 00:18:17 +08:00			`no_device=1`
			`available=1`
			`}`

openconnect: allow specifying form_entry list Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com> 2019-09-20 17:22:54 +08:00			`proto_openconnect_add_form_entry() {`
			`[ -n "$1" ] && append cmdline "--form-entry $1"`
			`}`

Added openconnect 2014-06-04 00:18:17 +08:00			`proto_openconnect_setup() {`
			`local config="$1"`

openconnect: allow specifying form_entry list Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com> 2019-09-20 17:22:54 +08:00			`json_get_vars server port interface username serverhash authgroup password password2 token_mode token_secret token_script os csd_wrapper mtu juniper form_entry`
Added openconnect 2014-06-04 00:18:17 +08:00
			`grep -q tun /proc/modules \|\| insmod tun`
openconnect: corrected call to proto_add_host_dependency Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2015-07-08 04:48:44 +08:00			`ifname="vpn-$config"`
Added openconnect 2014-06-04 00:18:17 +08:00
openconnect: Added configuration options for hash and user cert/key pairs Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2014-06-05 05:17:54 +08:00			`logger -t openconnect "initializing..."`
openconnect: use proto_add_host_dependency This ensures that a direct route to the connected host is added by netifd. Resolves #2548 2016-05-22 23:42:22 +08:00
			`logger -t "openconnect" "adding host dependency for $server at $config"`
			`for ip in $(resolveip -t 10 "$server"); do`
			`logger -t "openconnect" "adding host dependency for $ip at $config"`
openconnect: re-introduce config: interface In some cases, it's useful to specify which interface to establish the VPN connection Signed-off-by: Gavin Ni <gisngy@gmail.com> 2017-11-22 10:10:22 +08:00			`proto_add_host_dependency "$config" "$ip" "$interface"`
openconnect: use proto_add_host_dependency This ensures that a direct route to the connected host is added by netifd. Resolves #2548 2016-05-22 23:42:22 +08:00			`done`
Added openconnect 2014-06-04 00:18:17 +08:00
			`[ -n "$port" ] && port=":$port"`

openconnect: corrected call to proto_add_host_dependency Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2015-07-08 04:48:44 +08:00			`cmdline="$server$port -i "$ifname" --non-inter --syslog --script /lib/netifd/vpnc-script"`
openconnect: new option mtu According to openconnect --help output: -m, --mtu=MTU Request MTU from server --base-mtu=MTU Indicate path MTU to/from server Fixes #2099 by allowing setting tunnel mtu Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com> 2017-05-08 13:07:23 +08:00			`[ -n "$mtu" ] && cmdline="$cmdline --mtu $mtu"`
Added openconnect 2014-06-04 00:18:17 +08:00
openconnect: use openconnect.upgrade to save configured files Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2015-01-20 05:46:12 +08:00			`# migrate to standard config files`
			`[ -f "/etc/config/openconnect-user-cert-vpn-$config.pem" ] && mv "/etc/config/openconnect-user-cert-vpn-$config.pem" "/etc/openconnect/user-cert-vpn-$config.pem"`
			`[ -f "/etc/config/openconnect-user-key-vpn-$config.pem" ] && mv "/etc/config/openconnect-user-key-vpn-$config.pem" "/etc/openconnect/user-key-vpn-$config.pem"`
			`[ -f "/etc/config/openconnect-ca-vpn-$config.pem" ] && mv "/etc/config/openconnect-ca-vpn-$config.pem" "/etc/openconnect/ca-vpn-$config.pem"`

Revert "openconnect: move certificate files to config/ to add graceful upgrade" This reverts commit b53e5bfe875d673fc8a57a4766d7af6fc1b3e074. 2015-01-20 05:37:43 +08:00			`[ -f /etc/openconnect/user-cert-vpn-$config.pem ] && append cmdline "-c /etc/openconnect/user-cert-vpn-$config.pem"`
			`[ -f /etc/openconnect/user-key-vpn-$config.pem ] && append cmdline "--sslkey /etc/openconnect/user-key-vpn-$config.pem"`
			`[ -f /etc/openconnect/ca-vpn-$config.pem ] && {`
Revert "openconnect: cmdline parameter for CA not moved" This reverts commit fa8f5479458ee5163c9907ee3e92d8bd6b62389b. 2015-01-20 05:37:29 +08:00			`append cmdline "--cafile /etc/openconnect/ca-vpn-$config.pem"`
openconnect: simplified cmdline appending Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2014-12-06 03:27:45 +08:00			`append cmdline "--no-system-trust"`
openconnect: Restore support for vpnc-script hooks * Restore hooks support from vpnc-script * Use consistent style for tests and blocks in openconnect.sh * Cleanup code that writes banner to syslog Signed-off-by: Matthew Sykes <matthew.sykes@gmail.com> 2014-12-20 23:56:53 +08:00			`}`
openconnect: add options to support juniper Signed-off-by: Vladimir Berezhnoy <non7top@gmail.com> 2017-11-07 18:11:34 +08:00
			`if [ "${juniper:-0}" -gt 0 ]; then`
			`append cmdline "--juniper"`
			`fi`

openconnect: Restore support for vpnc-script hooks * Restore hooks support from vpnc-script * Use consistent style for tests and blocks in openconnect.sh * Cleanup code that writes banner to syslog Signed-off-by: Matthew Sykes <matthew.sykes@gmail.com> 2014-12-20 23:56:53 +08:00			`[ -n "$serverhash" ] && {`
openconnect: simplified cmdline appending Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2014-12-06 03:27:45 +08:00			`append cmdline " --servercert=$serverhash"`
			`append cmdline "--no-system-trust"`
openconnect: Restore support for vpnc-script hooks * Restore hooks support from vpnc-script * Use consistent style for tests and blocks in openconnect.sh * Cleanup code that writes banner to syslog Signed-off-by: Matthew Sykes <matthew.sykes@gmail.com> 2014-12-20 23:56:53 +08:00			`}`
openconnect: Added configuration options for hash and user cert/key pairs Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2014-06-05 05:17:54 +08:00			`[ -n "$authgroup" ] && append cmdline "--authgroup $authgroup"`
Added openconnect 2014-06-04 00:18:17 +08:00			`[ -n "$username" ] && append cmdline "-u $username"`
openconnect: support reading password from script "token_mode" add support for "script", which execute "token_script" to get the password. Some token is not supported by OpenConnect natively, e.g. "MobilePass" or "Softoken II" used in Cisco VPN Signed-off-by: Gavin Ni <gisngy@gmail.com> Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com> 2017-11-28 15:04:31 +08:00			`[ -n "$password" ] \|\| [ "$token_mode" = "script" ] && {`
Added openconnect 2014-06-04 00:18:17 +08:00			`umask 077`
openconnect: fix a couple of minor things and add an interface option Signed-off-by: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us> 2015-02-07 03:54:39 +08:00			`mkdir -p /var/etc`
			`pwfile="/var/etc/openconnect-$config.passwd"`
openconnect: support reading password from script "token_mode" add support for "script", which execute "token_script" to get the password. Some token is not supported by OpenConnect natively, e.g. "MobilePass" or "Softoken II" used in Cisco VPN Signed-off-by: Gavin Ni <gisngy@gmail.com> Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com> 2017-11-28 15:04:31 +08:00			`[ -n "$password" ] && {`
			`echo "$password" > "$pwfile"`
			`[ -n "$password2" ] && echo "$password2" >> "$pwfile"`
			`}`
			`[ "$token_mode" = "script" ] && {`
			`$token_script > "$pwfile" 2> /dev/null \|\| {`
			`logger -t openconenct "Cannot get password from script '$token_script'"`
			`proto_setup_failed "$config"`
			`}`
			`}`
Added openconnect 2014-06-04 00:18:17 +08:00			`append cmdline "--passwd-on-stdin"`
			`}`

openconnect: support reading password from script "token_mode" add support for "script", which execute "token_script" to get the password. Some token is not supported by OpenConnect natively, e.g. "MobilePass" or "Softoken II" used in Cisco VPN Signed-off-by: Gavin Ni <gisngy@gmail.com> Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com> 2017-11-28 15:04:31 +08:00			`[ -n "$token_mode" -a "$token_mode" != "script" ] && append cmdline "--token-mode=$token_mode"`
openconnect: add an option to support stoken Add a new build configuration option for openconnect and let it link against libstoken if instructed to. Two new uci configuration variables are introduced: "token_mode" and "token_secret" to allow openconnect to use those. Signed-off-by: Florian Fainelli <florian@openwrt.org> 2014-12-05 14:51:45 +08:00			`[ -n "$token_secret" ] && append cmdline "--token-secret=$token_secret"`
openconnect: allow specifying "os" Some servers might be implementing ACLs based on the value specified by openconnect for "os", allow that to be configured. Signed-off-by: Florian Fainelli <florian@openwrt.org> 2015-04-05 03:31:49 +08:00			`[ -n "$os" ] && append cmdline "--os=$os"`
openconnect: allow specifying a custom CSD wrapper script Some VPN servers might be configured in a way that a CSD wrapper script is mandatory to complete the authentication process, allow that to be specified for openconnect. Signed-off-by: Florian Fainelli <florian@openwrt.org> 2015-04-05 03:32:59 +08:00			`[ -n "$csd_wrapper" ] && [ -x "$csd_wrapper" ] && append cmdline "--csd-wrapper=$csd_wrapper"`
openconnect: add an option to support stoken Add a new build configuration option for openconnect and let it link against libstoken if instructed to. Two new uci configuration variables are introduced: "token_mode" and "token_secret" to allow openconnect to use those. Signed-off-by: Florian Fainelli <florian@openwrt.org> 2014-12-05 14:51:45 +08:00
openconnect: allow specifying form_entry list Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com> 2019-09-20 17:22:54 +08:00			`json_for_each_item proto_openconnect_add_form_entry form_entry`

Added openconnect 2014-06-04 00:18:17 +08:00			`proto_export INTERFACE="$config"`
openconnect: Added configuration options for hash and user cert/key pairs Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2014-06-05 05:17:54 +08:00			`logger -t openconnect "executing 'openconnect $cmdline'"`

openconnect: Restore support for vpnc-script hooks * Restore hooks support from vpnc-script * Use consistent style for tests and blocks in openconnect.sh * Cleanup code that writes banner to syslog Signed-off-by: Matthew Sykes <matthew.sykes@gmail.com> 2014-12-20 23:56:53 +08:00			`if [ -f "$pwfile" ]; then`
openconnect: set config variable on teardown and correctly pass the password This addresses https://dev.openwrt.org/ticket/16634 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2014-09-01 05:57:47 +08:00			`proto_run_command "$config" /usr/sbin/openconnect-wrapper $pwfile $cmdline`
openconnect: Added configuration options for hash and user cert/key pairs Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2014-06-05 05:17:54 +08:00			`else`
			`proto_run_command "$config" /usr/sbin/openconnect $cmdline`
			`fi`
Added openconnect 2014-06-04 00:18:17 +08:00			`}`

			`proto_openconnect_teardown() {`
openconnect: set config variable on teardown and correctly pass the password This addresses https://dev.openwrt.org/ticket/16634 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2014-09-01 05:57:47 +08:00			`local config="$1"`

openconnect: fix a couple of minor things and add an interface option Signed-off-by: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us> 2015-02-07 03:54:39 +08:00			`pwfile="/var/etc/openconnect-$config.passwd"`
openconnect: Added configuration options for hash and user cert/key pairs Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2014-06-05 05:17:54 +08:00
			`rm -f $pwfile`
			`logger -t openconnect "bringing down openconnect"`
openconnect: use SIGINT to bring down openconnect Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2014-10-28 19:31:48 +08:00			`proto_kill_command "$config" 2`
Added openconnect 2014-06-04 00:18:17 +08:00			`}`

			`add_protocol openconnect`