From f166386a4335b6283f1f6b60acc0e545b8ee212f Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Fri, 7 Jul 2023 09:50:53 +0800
Subject: [PATCH] update 2023-07-07 09:50:53

---
 luci-app-openvpn-client/Makefile              |  15 +
 .../luasrc/controller/openvpn-client.lua      |  10 +
 .../model/cbi/openvpn-client/client.lua       | 119 ++++++++
 .../model/cbi/openvpn-client/settings.lua     |  71 +++++
 .../po/zh-cn/openvpn-client.po                |  80 ++++++
 luci-app-openvpn-client/po/zh_Hans            |   1 +
 .../root/etc/config/luci-app-openvpn-client   |   0
 .../root/etc/init.d/luci-app-openvpn-client   | 264 ++++++++++++++++++
 .../etc/uci-defaults/luci-app-openvpn-client  |  12 +
 .../rpcd/acl.d/luci-app-openvpn-client.json   |  11 +
 10 files changed, 583 insertions(+)
 create mode 100644 luci-app-openvpn-client/Makefile
 create mode 100644 luci-app-openvpn-client/luasrc/controller/openvpn-client.lua
 create mode 100644 luci-app-openvpn-client/luasrc/model/cbi/openvpn-client/client.lua
 create mode 100644 luci-app-openvpn-client/luasrc/model/cbi/openvpn-client/settings.lua
 create mode 100644 luci-app-openvpn-client/po/zh-cn/openvpn-client.po
 create mode 120000 luci-app-openvpn-client/po/zh_Hans
 create mode 100644 luci-app-openvpn-client/root/etc/config/luci-app-openvpn-client
 create mode 100755 luci-app-openvpn-client/root/etc/init.d/luci-app-openvpn-client
 create mode 100755 luci-app-openvpn-client/root/etc/uci-defaults/luci-app-openvpn-client
 create mode 100644 luci-app-openvpn-client/root/usr/share/rpcd/acl.d/luci-app-openvpn-client.json

diff --git a/luci-app-openvpn-client/Makefile b/luci-app-openvpn-client/Makefile
new file mode 100644
index 000000000..7b19aeff3
--- /dev/null
+++ b/luci-app-openvpn-client/Makefile
@@ -0,0 +1,15 @@
+# Copyright (C) 2021-2022 Lienol <lawlienol@gmail.com>
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=luci-app-openvpn-client
+PKG_VERSION:=20211229
+PKG_RELEASE:=1
+
+LUCI_TITLE:=LuCI support for OpenVPN Client
+LUCI_DEPENDS:=+openvpn-openssl +kmod-tun
+LUCI_PKGARCH:=all
+
+include $(TOPDIR)/feeds/luci/luci.mk
+
+# call BuildPackage - OpenWrt buildroot signature
diff --git a/luci-app-openvpn-client/luasrc/controller/openvpn-client.lua b/luci-app-openvpn-client/luasrc/controller/openvpn-client.lua
new file mode 100644
index 000000000..df8f58f11
--- /dev/null
+++ b/luci-app-openvpn-client/luasrc/controller/openvpn-client.lua
@@ -0,0 +1,10 @@
+-- Copyright 2021-2022 Lienol <lawlienol@gmail.com>
+module("luci.controller.openvpn-client", package.seeall)
+
+function index()
+    if not nixio.fs.access("/etc/config/luci-app-openvpn-client") then return end
+
+    entry({"admin", "vpn"}, firstchild(), "VPN", 45).dependent = false
+    entry({"admin", "vpn", "openvpn-client"}, cbi("openvpn-client/settings"), _("OpenVPN Client"), 50).acl_depends = { "luci-app-openvpn-client" }
+    entry({"admin", "vpn", "openvpn-client", "client"}, cbi("openvpn-client/client")).leaf = true
+end
diff --git a/luci-app-openvpn-client/luasrc/model/cbi/openvpn-client/client.lua b/luci-app-openvpn-client/luasrc/model/cbi/openvpn-client/client.lua
new file mode 100644
index 000000000..aab282077
--- /dev/null
+++ b/luci-app-openvpn-client/luasrc/model/cbi/openvpn-client/client.lua
@@ -0,0 +1,119 @@
+local d = require "luci.dispatcher"
+
+m = Map("luci-app-openvpn-client", translate("Client List"))
+m.apply_on_parse = true
+m.redirect = d.build_url("admin", "vpn", "openvpn-client")
+
+s = m:section(NamedSection, arg[1], "clients", "")
+s.addremove = false
+s.anonymous = true
+
+o = s:option(Flag, "enabled", translate("Enabled"))
+o.default = 1
+o.rmempty = false
+
+o = s:option(Value, "server", translate("Server IP/Host"))
+o.rmempty = false
+
+o = s:option(Value, "port", translate("Port"))
+o.datatype = "port"
+o.placeholder = "1194"
+o.rmempty = false
+
+o = s:option(ListValue, "proto", translate("Protocol"))
+o:value("tcp", "TCP")
+o:value("udp", "UDP")
+o.rmempty = false
+
+o = s:option(ListValue, "dev", translate("Type"))
+o:value("tun", "TUN")
+o:value("tap", "TAP")
+o.rmempty = false
+
+o = s:option(Flag, "lzo", translate("LZO compression"))
+o.default = "1"
+o.rmempty = false
+
+o = s:option(Flag, "route_nopull", translate("No pull route"))
+o.default = "1"
+o.rmempty = false
+
+o = s:option(DynamicList, "routes", translate("Static Routes"))
+o.placeholder = "192.168.10.0/24"
+
+o = s:option(ListValue, "auth", translate("Auth"))
+o:value("", translate("None"))
+o:value("user_pass", translate("User/Pass"))
+o:value("tls_auth", "tls-auth")
+o:value("tls_crypt", "tls-crypt")
+
+o = s:option(Value, "username", translate("Username"))
+o.placeholder = translate("Username")
+o:depends("auth", "user_pass")
+
+o = s:option(Value, "password", translate("Password"))
+o.placeholder = translate("Password")
+o:depends("auth", "user_pass")
+
+o = s:option(TextValue, "tls_auth", "tls-auth")
+o.datatype = "string"
+o.rows = 3
+o.wrap = "off"
+o:depends("auth", "tls_auth")
+
+o = s:option(TextValue, "tls_crypt", "tls-crypt")
+o.datatype = "string"
+o.rows = 3
+o.wrap = "off"
+o:depends("auth", "tls_crypt")
+
+o = s:option(TextValue, "ca", "CA")
+o.datatype = "string"
+o.rows = 3
+o.wrap = "off"
+o.rmempty = false
+
+o = s:option(TextValue, "cert", "Cert")
+o.datatype = "string"
+o.rows = 3
+o.wrap = "off"
+
+o = s:option(TextValue, "key", "Key")
+o.datatype = "string"
+o.rows = 3
+o.wrap = "off"
+
+o = s:option(ListValue, "proxy", translate("Proxy"))
+o:value("", translate("None"))
+o:value("socks", "Socks")
+o:value("http", "HTTP")
+
+o = s:option(Value, "proxy_server", translate("Proxy Server"))
+o.placeholder = "127.0.0.1"
+o.default = o.placeholder
+o:depends("proxy", "socks")
+o:depends("proxy", "http")
+
+o = s:option(Value, "proxy_port", translate("Proxy Port"))
+o.datatype = "port"
+o.placeholder = "1080"
+o.default = o.placeholder
+o:depends("proxy", "socks")
+o:depends("proxy", "http")
+
+o = s:option(Value, "proxy_username", translate("Proxy Username"))
+o.placeholder = translate("Username")
+o:depends("proxy", "socks")
+o:depends("proxy", "http")
+
+o = s:option(Value, "proxy_password", translate("Proxy Password"))
+o.placeholder = translate("Password")
+o:depends("proxy", "socks")
+o:depends("proxy", "http")
+
+o = s:option(TextValue, "extra_config", translate("Extra Config"))
+o.datatype = "string"
+o.rows = 3
+o.wrap = "off"
+
+return m
diff --git a/luci-app-openvpn-client/luasrc/model/cbi/openvpn-client/settings.lua b/luci-app-openvpn-client/luasrc/model/cbi/openvpn-client/settings.lua
new file mode 100644
index 000000000..0a63f891f
--- /dev/null
+++ b/luci-app-openvpn-client/luasrc/model/cbi/openvpn-client/settings.lua
@@ -0,0 +1,71 @@
+local d = require "luci.dispatcher"
+local sys = require "luci.sys"
+
+m = Map("luci-app-openvpn-client", translate("OpenVPN Client"))
+m.apply_on_parse = true
+
+s = m:section(TypedSection, "clients", translate("Client List"))
+s.addremove = true
+s.anonymous = true
+s.template = "cbi/tblsection"
+s.extedit = d.build_url("admin", "vpn", "openvpn-client", "client", "%s")
+function s.create(e, t)
+    t = TypedSection.create(e, t)
+    luci.http.redirect(e.extedit:format(t))
+end
+
+o = s:option(Flag, "enabled", translate("Enabled"))
+o.default = 1
+o.rmempty = false
+
+function s.getPID(section) -- Universal function which returns valid pid # or nil
+	local pid = sys.exec("top -bn1 | grep -v 'grep' | grep '/var/etc/openvpn-client/%s'" % { section })
+	if pid and #pid > 0 then
+		return tonumber(pid:match("^%s*(%d+)"))
+	else
+		return nil
+	end
+end
+
+local active = s:option( DummyValue, "_active", translate("Status") )
+function active.cfgvalue(self, section)
+	local pid = s.getPID(section)
+	if pid ~= nil then
+		return (sys.process.signal(pid, 0))
+			and translate("RUNNING") .. " (" .. pid .. ")"
+			or  translate("NOT RUNNING")
+	end
+	return translate("NOT RUNNING")
+end
+
+local updown = s:option( Button, "_updown", translate("Start/Stop") )
+updown._state = false
+updown.redirect = d.build_url(
+	"admin", "vpn", "openvpn-client"
+)
+function updown.cbid(self, section)
+	local pid = s.getPID(section)
+	self._state = pid ~= nil and sys.process.signal(pid, 0)
+	self.option = self._state and "stop" or "start"
+	return AbstractValue.cbid(self, section)
+end
+function updown.cfgvalue(self, section)
+	self.title = self._state and translate("stop") or translate("start")
+	self.inputstyle = self._state and "reset" or "reload"
+end
+function updown.write(self, section, value)
+	if self.option == "stop" then
+		sys.call("/etc/init.d/luci-app-openvpn-client stop %s" % section)
+	else
+		sys.call("/etc/init.d/luci-app-openvpn-client start %s" % section)
+	end
+	luci.http.redirect( self.redirect )
+end
+
+o = s:option(DummyValue, "server", translate("Server IP/Host"))
+
+o = s:option(DummyValue, "port", translate("Port"))
+
+o = s:option(DummyValue, "proto", translate("Protocol"))
+
+return m
diff --git a/luci-app-openvpn-client/po/zh-cn/openvpn-client.po b/luci-app-openvpn-client/po/zh-cn/openvpn-client.po
new file mode 100644
index 000000000..da6931bd3
--- /dev/null
+++ b/luci-app-openvpn-client/po/zh-cn/openvpn-client.po
@@ -0,0 +1,80 @@
+msgid "OpenVPN Client"
+msgstr "OpenVPN 客户端"
+
+msgid "Client List"
+msgstr "客户端列表"
+
+msgid "Status"
+msgstr "状态"
+
+msgid "NOT RUNNING"
+msgstr "未运行"
+
+msgid "RUNNING"
+msgstr "运行中"
+
+msgid "Start/Stop"
+msgstr "启动/关闭"
+
+msgid "start"
+msgstr "启动"
+
+msgid "stop"
+msgstr "关闭"
+
+msgid "Enabled"
+msgstr "启用"
+
+msgid "Server IP/Host"
+msgstr "服务器IP/域名"
+
+msgid "Port"
+msgstr "端口"
+
+msgid "Protocol"
+msgstr "协议"
+
+msgid "Type"
+msgstr "类型"
+
+msgid "LZO compression"
+msgstr "LZO 压缩"
+
+msgid "No pull route"
+msgstr "不拉取路由"
+
+msgid "Static Routes"
+msgstr "静态路由"
+
+msgid "Auth"
+msgstr "身份认证"
+
+msgid "None"
+msgstr "无"
+
+msgid "User/Pass"
+msgstr "用户/密码"
+
+msgid "Username"
+msgstr "用户名"
+
+msgid "Password"
+msgstr "密码"
+
+msgid "Proxy"
+msgstr "代理"
+
+msgid "Proxy Server"
+msgstr "代理服务器"
+
+msgid "Proxy Port"
+msgstr "代理端口"
+
+msgid "Proxy Username"
+msgstr "代理用户名"
+
+msgid "Proxy Password"
+msgstr "代理密码"
+
+msgid "Extra Config"
+msgstr "额外配置"
diff --git a/luci-app-openvpn-client/po/zh_Hans b/luci-app-openvpn-client/po/zh_Hans
new file mode 120000
index 000000000..41451e4a1
--- /dev/null
+++ b/luci-app-openvpn-client/po/zh_Hans
@@ -0,0 +1 @@
+zh-cn
\ No newline at end of file
diff --git a/luci-app-openvpn-client/root/etc/config/luci-app-openvpn-client b/luci-app-openvpn-client/root/etc/config/luci-app-openvpn-client
new file mode 100644
index 000000000..e69de29bb
diff --git a/luci-app-openvpn-client/root/etc/init.d/luci-app-openvpn-client b/luci-app-openvpn-client/root/etc/init.d/luci-app-openvpn-client
new file mode 100755
index 000000000..6a8b8df2c
--- /dev/null
+++ b/luci-app-openvpn-client/root/etc/init.d/luci-app-openvpn-client
@@ -0,0 +1,264 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2021-2022 Lienol <lawlienol@gmail.com>
+
+START=99
+STOP=10
+
+USE_PROCD=1
+PROG=/usr/sbin/openvpn
+
+CONFIG="luci-app-openvpn-client"
+TMP_OVPN_PATH=/var/etc/openvpn-client
+
+start_instance() {
+	local cfgid=${1}
+	stop_instance ${cfgid}
+	local c_enabled=$(uci -q get ${CONFIG}.${cfgid}.enabled)
+	[ "${c_enabled}" -eq 1 ] || return 1
+	
+	local c_server=$(uci -q get ${CONFIG}.${cfgid}.server)
+	[ -n "${c_server}" ] || return 1
+	
+	local c_port=$(uci -q get ${CONFIG}.${cfgid}.port)
+	[ -n "${c_port}" ] || return 1
+	
+	local c_ca="$(uci -q get ${CONFIG}.${cfgid}.ca)"
+	[ -n "${c_ca}" ] || return 1
+	
+	local cfgid=$(uci show ${CONFIG}.${cfgid} | head -n 1 | cut -d '.' -sf 2 | cut -d '=' -sf 1)
+	
+	local c_dev="ovpn_${cfgid}"
+	
+	mkdir -p ${TMP_OVPN_PATH}
+	mkdir -p ${TMP_OVPN_PATH}/${cfgid}
+	
+	echo "${c_ca}" >> ${TMP_OVPN_PATH}/${cfgid}/ca
+	local _ca="ca ca"
+	
+	local c_cert="$(uci -q get ${CONFIG}.${cfgid}.cert)"
+	[ -n "${c_cert}" ] && {
+		echo "${c_cert}" >> ${TMP_OVPN_PATH}/${cfgid}/cert
+		local _cert="cert cert"
+	}
+	
+	local c_key="$(uci -q get ${CONFIG}.${cfgid}.key)"
+	[ -n "${c_key}" ] && {
+		echo "${c_key}" >> ${TMP_OVPN_PATH}/${cfgid}/key
+		local _key="key key"
+	}
+	
+	local c_lzo=$(uci -q get ${CONFIG}.${cfgid}.lzo)
+	[ "${c_lzo}" = "1" ] && local _lzo="comp-lzo"
+	
+	local c_route_nopull=$(uci -q get ${CONFIG}.${cfgid}.route_nopull)
+	[ "${c_route_nopull}" = "1" ] && local _route_nopull="route-nopull"
+	
+	local c_auth=$(uci -q get ${CONFIG}.${cfgid}.auth)
+	[ -n "${c_auth}" ] && {
+		if [ "${c_auth}" = "user_pass" ]; then
+			local c_username=$(uci -q get ${CONFIG}.${cfgid}.username)
+			local c_password=$(uci -q get ${CONFIG}.${cfgid}.password)
+			echo "${c_username}" >> ${TMP_OVPN_PATH}/${cfgid}/auth-user-pass
+			echo "${c_password}" >> ${TMP_OVPN_PATH}/${cfgid}/auth-user-pass
+			local _auth_user_pass="auth-user-pass auth-user-pass"
+		elif [ "${c_auth}" = "tls_auth" ]; then
+			local c_tls_auth="$(uci -q get ${CONFIG}.${cfgid}.tls_auth)"
+			[ -n "${c_tls_auth}" ] && {
+				echo "${c_tls_auth}" >> ${TMP_OVPN_PATH}/${cfgid}/tls-auth
+				local _tls_auth="tls-auth tls-auth"
+			}
+		elif [ "${c_auth}" = "tls_crypt" ]; then
+			local c_tls_crypt="$(uci -q get ${CONFIG}.${cfgid}.tls_crypt)"
+			[ -n "${c_tls_crypt}" ] && {
+				echo "${c_tls_crypt}" >> ${TMP_OVPN_PATH}/${cfgid}/tls-crypt
+				local _tls_crypt="tls-crypt tls-crypt"
+			}
+		fi
+	}
+	
+	local c_proxy=$(uci -q get ${CONFIG}.${cfgid}.proxy)
+	[ -n "${c_proxy}" ] && {
+		local _proxy=""
+		
+		local c_p_username=$(uci -q get ${CONFIG}.${cfgid}.proxy_username)
+		local c_p_password=$(uci -q get ${CONFIG}.${cfgid}.proxy_password)
+		if [ -n "${c_p_username}" ] && [ -n "${c_p_password}" ]; then
+			echo "${c_p_username}" >> ${TMP_OVPN_PATH}/${cfgid}/proxy-auth
+			echo "${c_p_password}" >> ${TMP_OVPN_PATH}/${cfgid}/proxy-auth
+			local _proxy_auth="proxy-auth"
+		fi
+		
+		local c_p_server=$(uci -q get ${CONFIG}.${cfgid}.proxy_server)
+		local c_p_port=$(uci -q get ${CONFIG}.${cfgid}.proxy_port)
+		
+		if [ "${c_proxy}" = "http" ]; then
+			_proxy="http-proxy ${c_p_server} ${c_p_port} ${_proxy_auth}"
+		elif [ "${c_proxy}" = "socks" ]; then
+			_proxy="socks-proxy ${c_p_server} ${c_p_port} ${_proxy_auth}"
+		fi
+	}
+	
+	echo "#!/bin/sh" > ${TMP_OVPN_PATH}/${cfgid}/up.sh
+	echo "#!/bin/sh" > ${TMP_OVPN_PATH}/${cfgid}/down.sh
+	[ ! -s "/var/etc/${CONFIG}.include" ] && echo '#!/bin/sh' > /var/etc/${CONFIG}.include
+	
+	cat <<-EOF >> ${TMP_OVPN_PATH}/${cfgid}/up.sh
+		eval "\$(ipcalc.sh \${ifconfig_local} \${ifconfig_netmask})"
+		
+		echo "\${IP}" > ${TMP_OVPN_PATH}/${cfgid}/ip
+		echo "\${NETWORK}" > ${TMP_OVPN_PATH}/${cfgid}/network
+		echo "\${PREFIX}" > ${TMP_OVPN_PATH}/${cfgid}/mask
+		
+		${TMP_OVPN_PATH}/${cfgid}/iptables_add.sh
+	EOF
+	
+	cat <<-EOF >> ${TMP_OVPN_PATH}/${cfgid}/down.sh
+		ifup ovpn_${cfgid} >/dev/null 2>&1
+		ifdown ovpn_${cfgid} >/dev/null 2>&1
+		
+		${TMP_OVPN_PATH}/${cfgid}/iptables_del.sh
+	EOF
+	
+	cat <<-EOF >> ${TMP_OVPN_PATH}/${cfgid}/iptables_add.sh
+		${TMP_OVPN_PATH}/${cfgid}/iptables_del.sh
+		#允许服务端配置静态路由表访问内网
+		iptables -t nat -I POSTROUTING -s \$(cat ${TMP_OVPN_PATH}/${cfgid}/network)/\$(cat ${TMP_OVPN_PATH}/${cfgid}/mask) -m comment --comment "${c_dev}" -j MASQUERADE
+		iptables -t nat -I POSTROUTING -o ${c_dev} -m comment --comment "${c_dev}" -j MASQUERADE
+		iptables -I FORWARD -i ${c_dev} -m comment --comment "${c_dev}" -j ACCEPT
+		iptables -I FORWARD -o ${c_dev} -m comment --comment "${c_dev}" -j ACCEPT
+	EOF
+	
+	cat <<-EOF >> ${TMP_OVPN_PATH}/${cfgid}/iptables_del.sh
+		ipt_del() {
+			for i in \$(seq 1 \$(\$1 -nL \$2 | grep -c "${c_dev}")); do
+				local index=\$(\$1 --line-number -nL \$2 | grep "${c_dev}" | head -1 | awk '{print \$1}')
+				\$1 -w -D \$2 \$index 2>/dev/null
+			done
+		}
+		ipt_del "iptables" "FORWARD"
+		ipt_del "iptables -t nat" "POSTROUTING"
+	EOF
+	
+	cat <<-EOF >> /var/etc/${CONFIG}.include
+		${TMP_OVPN_PATH}/${cfgid}/iptables_add.sh
+	EOF
+	
+	local c_routes=$(uci -q get ${CONFIG}.${cfgid}.routes)
+	[ -n "${c_routes}" ] && {
+		for c_route in ${c_routes}; do
+			local c_network=$(echo -n "${c_route}" | awk -F ',' '{print $1}')
+			local c_gateway=$(echo -n "${c_route}" | awk -F ',' '{print $2}')
+			if [ -n "${c_gateway}" ]; then
+				echo "route add -net ${c_network} gw ${c_gateway} dev ${c_dev} >/dev/null 2>&1" >> ${TMP_OVPN_PATH}/${cfgid}/up.sh
+				echo "route del -net ${c_network} gw ${c_gateway} dev ${c_dev} >/dev/null 2>&1" >> ${TMP_OVPN_PATH}/${cfgid}/down.sh
+			else
+				echo "route add -net ${c_network} dev ${c_dev} >/dev/null 2>&1" >> ${TMP_OVPN_PATH}/${cfgid}/up.sh
+				echo "route del -net ${c_network} dev ${c_dev} >/dev/null 2>&1" >> ${TMP_OVPN_PATH}/${cfgid}/down.sh
+			fi
+		done
+	}
+	
+	chmod 0755 ${TMP_OVPN_PATH}/${cfgid}/*.sh
+	
+	cat <<-EOF >> ${TMP_OVPN_PATH}/${cfgid}/client.conf
+		client
+		float
+		dev ${c_dev}
+		dev-type $(uci -q get ${CONFIG}.${cfgid}.dev)
+		remote ${c_server} ${c_port}
+		proto $(uci -q get ${CONFIG}.${cfgid}.proto)
+		${_ca}
+		${_cert}
+		${_key}
+		${_proxy}
+		resolv-retry infinite
+		nobind
+		persist-key
+		persist-tun
+		auth-nocache
+		${_auth_user_pass}
+		${_tls_auth}
+		${_tls_crypt}
+		${_lzo}
+		${_route_nopull}
+		verb 3
+		
+		up up.sh
+		down down.sh
+		script-security 3
+		log         openvpn.log
+		log-append  openvpn.log
+		$(uci -q get ${CONFIG}.${cfgid}.extra_config)
+	EOF
+	
+	sed -i '/^\s*$/d' ${TMP_OVPN_PATH}/${cfgid}/client.conf >/dev/null 2>&1
+	
+	procd_open_instance "${CONFIG}_${cfgid}"
+	procd_set_param command "${PROG}"	\
+		--cd "${TMP_OVPN_PATH}/${cfgid}" \
+		--config "client.conf"
+	procd_set_param file "${TMP_OVPN_PATH}/${cfgid}/client.conf"
+	procd_set_param term_timeout 15
+	procd_set_param respawn
+	procd_append_param respawn 3600
+	procd_append_param respawn 5
+	procd_append_param respawn -1
+	procd_close_instance
+}
+
+stop_instance() {
+	local cfgid=${1}
+	[ -d "${TMP_OVPN_PATH}/${cfgid}" ] && {
+		"${TMP_OVPN_PATH}/${cfgid}/down.sh" >/dev/null 2>&1
+	}
+	top -bn1 | grep "${TMP_OVPN_PATH}/${cfgid}" | grep -v "grep" | awk '{print $1}' | xargs kill -2 >/dev/null 2>&1
+	sed -i "/${cfgid}/d" /var/etc/${CONFIG}.include >/dev/null 2>&1
+	rm -rf ${TMP_OVPN_PATH}/${cfgid}
+}
+
+start_instance_all() {
+	local _clients=$(uci -q show ${CONFIG} | grep "=clients" | cut -d '.' -sf2 | cut -d '=' -sf 1)
+	[ -n "${_clients}" ] && {
+		mkdir -p ${TMP_OVPN_PATH}
+		for _client in ${_clients}; do
+			start_instance ${_client}
+		done
+	}
+}
+
+stop_instance_all() {
+	[ -d "${TMP_OVPN_PATH}" ] && {
+		for cfgid in $(ls ${TMP_OVPN_PATH}); do
+			"${TMP_OVPN_PATH}/${cfgid}/down.sh" >/dev/null 2>&1
+		done
+	}
+	top -bn1 | grep "${TMP_OVPN_PATH}" | grep -v "grep" | awk '{print $1}' | xargs kill -2 >/dev/null 2>&1
+	rm -rf /var/etc/${CONFIG}.include
+	rm -rf ${TMP_OVPN_PATH}
+}
+
+start_service() {
+	local cfgid=${1}
+	if [ -n "${cfgid}" ]; then 
+		start_instance ${cfgid}
+	else
+		start_instance_all 
+	fi
+}
+
+stop_service() {
+	local cfgid=${1}
+	if [ -n "${cfgid}" ]; then 
+		stop_instance ${cfgid}
+	else
+		stop_instance_all 
+	fi
+}
+
+reload_service() {
+	restart
+}
+
+service_triggers() {
+	procd_add_reload_trigger "${CONFIG}"
+}
diff --git a/luci-app-openvpn-client/root/etc/uci-defaults/luci-app-openvpn-client b/luci-app-openvpn-client/root/etc/uci-defaults/luci-app-openvpn-client
new file mode 100755
index 000000000..bd5d626fd
--- /dev/null
+++ b/luci-app-openvpn-client/root/etc/uci-defaults/luci-app-openvpn-client
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+uci -q batch <<-EOF >/dev/null
+	delete firewall.openvpn_client
+	set firewall.openvpn_client=include
+	set firewall.openvpn_client.type=script
+	set firewall.openvpn_client.path=/var/etc/luci-app-openvpn-client.include
+	set firewall.openvpn_client.reload=1
+EOF
+
+rm -rf /tmp/luci-*cache
+exit 0
diff --git a/luci-app-openvpn-client/root/usr/share/rpcd/acl.d/luci-app-openvpn-client.json b/luci-app-openvpn-client/root/usr/share/rpcd/acl.d/luci-app-openvpn-client.json
new file mode 100644
index 000000000..9ea2fe89e
--- /dev/null
+++ b/luci-app-openvpn-client/root/usr/share/rpcd/acl.d/luci-app-openvpn-client.json
@@ -0,0 +1,11 @@
+{
+	"luci-app-openvpn-client": {
+		"description": "Grant UCI access for luci-app-openvpn-client",
+		"read": {
+			"uci": [ "luci-app-openvpn-client" ]
+		},
+		"write": {
+			"uci": [ "luci-app-openvpn-client" ]
+		}
+	}
+}