main/openvpn: multiple changes like ipv6 and new initd

added ipv6 patch from: http://www.greenie.net/ipv6/openvpn.html move easy-rsa into subpkg and depend on openssl update init.d and conf.d from latest gentoo release added up/down scripts from latest gentoo release ref #618

main/openvpn: multiple changes like ipv6 and new initd
added ipv6 patch from: http://www.greenie.net/ipv6/openvpn.html move easy-rsa into subpkg and depend on openssl update init.d and conf.d from latest gentoo release added up/down scripts from latest gentoo release ref #618
f80c232c · Carlo Landmeter · 21bbd56f · f80c232c · f80c232c · f80c232c
Commit f80c232c authored Jun 04, 2011 by Carlo Landmeter
6 changed files
--- a/main/openvpn/APKBUILD
+++ b/main/openvpn/APKBUILD
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=openvpn
 pkgver=2.2.0
-pkgrel=0
+pkgrel=1
 pkgdesc="A robust, and highly configurable VPN (Virtual Private Network)"
 url="http://openvpn.sourceforge.net/"
 arch="all"
 license="custom"
-subpackages="$pkgname-doc"
+subpackages="$pkgname-doc $pkgname-easy-rsa:easy_rsa"
 depends="iproute2"
 makedepends="openssl-dev lzo-dev"
 install=
 source="http://swupdate.openvpn.net/community/releases/$pkgname-$pkgver.tar.gz
 	openvpn.initd
+	openvpn.confd
+	openvpn.up
+	openvpn.down
+	openvpn-2.2.0-ipv6-20110522-1.patch
 	"

 _builddir="$srcdir"/$pkgname-$pkgver
+
+prepare() {
+        local i
+        cd "$_builddir"
+        for i in $source; do
+                case $i in
+                *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+                esac
+        done
+}
+
 build() { 
 	cd "$_builddir"
 	./configure --prefix=/usr \
 		--mandir=/usr/share/man \
+		--sysconfdir=/etc/openvpn \
 		--enable-ssl \
 		--enable-crypto \
 		--disable-threads \
@@ -39,20 +55,42 @@ package() {
 	install -d "$pkgdir"/usr/lib/$pkgname
 	cp plugin/*/*.so "$pkgdir"/usr/lib/$pkgname

-	# install easy-rsa
-	sed -i -e 's/--directory/-d/g; s/--mode=/-m/g' easy-rsa/2.0/Makefile
-	sed -i -e '1s|#!/bin/bash|#!/bin/sh|' easy-rsa/2.0/*
-	make -C easy-rsa/2.0 DESTDIR="$pkgdir" \
-		PREFIX=etc/openvpn/easy-rsa \
-		install
-
 	# install examples
 	mkdir -p "$pkgdir"/usr/share/doc/$pkgname/examples
 	cp -a sample-config-files "$pkgdir"/usr/share/doc/$pkgname/examples
 	install -D -m644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING

-	# install init.d
-	install -Dm755 ../openvpn.initd "$pkgdir"/etc/init.d/openvpn
+	# install init.d and conf.d
+	install -Dm755 "$srcdir"/openvpn.initd "$pkgdir"/etc/init.d/openvpn
+	install -Dm644 "$srcdir"/openvpn.confd "$pkgdir"/etc/conf.d/openvpn
+
+	# install up and down scripts
+	install -Dm755 "$srcdir"/openvpn.up "$pkgdir"/etc/openvpn/up.sh
+	install -Dm755 "$srcdir"/openvpn.down "$pkgdir"/etc/openvpn/down.sh
+
 }
+
+easy_rsa() {
+	pkgdesc="OpenVPN RSA key management"
+	# easy rsa can by usefull on systems
+	# which do not have openvpn installed
+	depends="openssl"
+        # install easy-rsa
+	cd "$_builddir"
+        sed -i -e 's/--directory/-d/g; s/--mode=/-m/g' easy-rsa/2.0/Makefile
+        sed -i -e '1s|#!/bin/bash|#!/bin/sh|' easy-rsa/2.0/*
+        make -C easy-rsa/2.0 DESTDIR="$subpkgdir" \
+                PREFIX=usr/share/doc/openvpn/easy-rsa \
+                install
+}
+
+doc() {
+	default_doc
+}
+
 md5sums="4f440603eac45fec7be218b87d570834  openvpn-2.2.0.tar.gz
-020376f1e7ed6b4adbe20cf5ff774856  openvpn.initd"
+ec99092827faa7226e9f548c2cd1d20c  openvpn.initd
+9eca88cac6294027ec1bb7be74185c3a  openvpn.confd
+dc72fecd1a1bcef937603057cd6574b1  openvpn.up
+dc3ff0bae442b9aedd947b8ffda1687a  openvpn.down
+25172fa251672edc3f7a277b5d7f3f72  openvpn-2.2.0-ipv6-20110522-1.patch"
--- a/main/openvpn/openvpn-2.2.0-ipv6-20110522-1.patch
+++ b/main/openvpn/openvpn-2.2.0-ipv6-20110522-1.patch
--- a/main/openvpn/openvpn.confd
+++ b/main/openvpn/openvpn.confd
+# OpenVPN automatically creates an /etc/resolv.conf (or sends it to
+# resolvconf) if given DNS information by the OpenVPN server.
+# Set PEER_DNS="no" to stop this.
+PEER_DNS="yes"
+
+# OpenVPN can run in many modes. Most people will want the init script
+# to automatically detect the mode and try and apply a good default
+# configuration and setup scripts. However, there are cases where the
+# OpenVPN configuration looks like a client, but it's really a peer or
+# something else. DETECT_CLIENT controls this behaviour.
+DETECT_CLIENT="yes"
+
+# If DETECT_CLIENT is no and you have your own scripts to re-enter the openvpn
+# init script (ie, it first becomes "inactive" and the script then starts the
+# script again to make it "started") then you can state this below.
+# In other words, unless you understand service dependencies and are a
+# competent shell scripter, don't set this.
+RE_ENTER="no"
--- a/main/openvpn/openvpn.down
+++ b/main/openvpn/openvpn.down
+#!/bin/sh
+# Copyright (c) 2006-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# Contributed by Roy Marples (uberlord@gentoo.org)
+
+# If we have a service specific script, run this now
+if [ -x /etc/openvpn/"${SVCNAME}"-down.sh ] ; then
+	/etc/openvpn/"${SVCNAME}"-down.sh "$@"
+fi
+
+# Restore resolv.conf to how it was
+if [ "${PEER_DNS}" != "no" ]; then
+	if [ -x /sbin/resolvconf ] ; then
+		/sbin/resolvconf -d "${dev}"
+	elif [ -e /etc/resolv.conf-"${dev}".sv ] ; then
+		# Important that we copy instead of move incase resolv.conf is
+		# a symlink and not an actual file
+		cp /etc/resolv.conf-"${dev}".sv /etc/resolv.conf
+		rm -f /etc/resolv.conf-"${dev}".sv
+	fi
+fi
+
+if [ -n "${SVCNAME}" ]; then
+	# Re-enter the init script to start any dependant services
+	if /etc/init.d/"${SVCNAME}" --quiet status ; then
+		export IN_BACKGROUND=true
+		/etc/init.d/"${SVCNAME}" --quiet stop
+	fi
+fi
+
+exit 0
+
+# vim: ts=4 :
--- a/main/openvpn/openvpn.initd
+++ b/main/openvpn/openvpn.initd
@@ -2,9 +2,9 @@
 # Copyright 1999-2007 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2

-VPNDIR="/etc/openvpn"
-VPN="${SVCNAME#*.}"
-if [ -n "${VPN}" ] && [ "${SVCNAME}" != "openvpn" ]; then
+VPNDIR=${VPNDIR:-/etc/openvpn}
+VPN=${SVCNAME#*.}
+if [ -n "${VPN}" ] && [ ${SVCNAME} != "openvpn" ]; then
 	VPNPID="/var/run/openvpn.${VPN}.pid"
 else
 	VPNPID="/var/run/openvpn.pid"
@@ -13,51 +13,121 @@ VPNCONF="${VPNDIR}/${VPN}.conf"

 depend() {
 	need localmount net
-	before netmount
-	after bootmisc firewall
+	use dns
+	after bootmisc
 }

-checktundevice() {
-	if [ ! -e /dev/net/tun ]; then
-		if ! modprobe tun ; then
-			eerror "TUN/TAP support is not available in this kernel"
-			return 1
+checkconfig() {
+	# Linux has good dynamic tun/tap creation
+	if [ $(uname -s) = "Linux" ] ; then
+		if [ ! -e /dev/net/tun ]; then
+			if ! modprobe tun ; then
+				eerror "TUN/TAP support is not available" \
+					"in this kernel"
+				return 1
+			fi
 		fi
+		if [ -h /dev/net/tun ] && [ -c /dev/misc/net/tun ]; then
+			ebegin "Detected broken /dev/net/tun symlink, fixing..."
+			rm -f /dev/net/tun
+			ln -s /dev/misc/net/tun /dev/net/tun
+			eend $?
+		fi
+		return 0
 	fi
-	if [ -h /dev/net/tun ] && [ -c /dev/misc/net/tun ]; then
-		ebegin "Detected broken /dev/net/tun symlink, fixing..."
-		rm -f /dev/net/tun
-		ln -s /dev/misc/net/tun /dev/net/tun
-		eend $?
+
+	# Other OS's don't, so we rely on a pre-configured interface
+	# per vpn instance
+	local ifname=$(sed -n -e 's/[[:space:]]*dev[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "${VPNCONF}")
+	if [ -z ${ifname} ] ; then
+		eerror "You need to specify the interface that this openvpn" \
+			"instance should use" \
+			"by using the dev option in ${VPNCONF}"
+		return 1
+	fi
+
+	if ! ifconfig "${ifname}" >/dev/null 2>/dev/null ; then
+		# Try and create it
+		echo > /dev/"${ifname}" >/dev/null
+	fi
+	if ! ifconfig "${ifname}" >/dev/null 2>/dev/null ; then
+		eerror "${VPNCONF} requires interface ${ifname}" \
+			"but that does not exist"
+		return 1
 	fi
 }

 start() {
+	# If we are re-called by the openvpn gentoo-up.sh script
+	# then we don't actually want to start openvpn
+	[ "${IN_BACKGROUND}" = "true" ] && return 0
+	
 	ebegin "Starting ${SVCNAME}"

-	checktundevice || return 1
-
-	if [ ! -e "${VPNCONF}" ]; then
-		eend 1 "${VPNCONF} does not exist"
-		return 1
-	fi
+	checkconfig || return 1

-	local args=""
+	local args="" reenter=${RE_ENTER:-no}
 	# If the config file does not specify the cd option, we do
 	# But if we specify it, we override the config option which we do not want
-	if ! grep -q "^[ \t]*cd[ \t].*" "${VPNCONF}" ; then
+	if ! grep -q "^[ 	]*cd[ 	].*" "${VPNCONF}" ; then
 		args="${args} --cd ${VPNDIR}"
 	fi
+	
+	# We mark the service as inactive and then start it.
+	# When we get an authenticated packet from the peer then we run our script
+	# which configures our DNS if any and marks us as up.
+	if [ "${DETECT_CLIENT:-yes}" = "yes" ] && \
+	grep -q "^[ 	]*remote[ 	].*" "${VPNCONF}" ; then
+		reenter="yes"
+		args="${args} --up-delay --up-restart"
+		args="${args} --script-security 2"
+		args="${args} --up /etc/openvpn/up.sh"
+		args="${args} --down-pre --down /etc/openvpn/down.sh"
+
+		# Warn about setting scripts as we override them
+		if grep -Eq "^[ 	]*(up|down)[ 	].*" "${VPNCONF}" ; then
+			ewarn "WARNING: You have defined your own up/down scripts"
+			ewarn "As you're running as a client, we now force Alpine specific"
+			ewarn "scripts to be run for up and down events."
+			ewarn "These scripts will call /etc/openvpn/${SVCNAME}-{up,down}.sh"
+			ewarn "where you can put your own code."
+		fi

+		# Warn about the inability to change ip/route/dns information when
+		# dropping privs
+		if grep -q "^[ 	]*user[ 	].*" "${VPNCONF}" ; then
+			ewarn "WARNING: You are dropping root privileges!"
+			ewarn "As such openvpn may not be able to change ip, routing"
+			ewarn "or DNS configuration."
+		fi
+	else
+		# So we're a server. Run as openvpn unless otherwise specified
+		grep -q "^[ 	]*user[ 	].*" "${VPNCONF}" || args="${args} --user openvpn"
+		grep -q "^[ 	]*group[ 	].*" "${VPNCONF}" || args="${args} --group openvpn"
+	fi
+
+	# Ensure that our scripts get the PEER_DNS variable
+	[ -n "${PEER_DNS}" ] && args="${args} --setenv PEER_DNS ${PEER_DNS}"
+
+	[ "${reenter}" = "yes" ] && mark_service_inactive "${SVCNAME}"
 	start-stop-daemon --start --exec /usr/sbin/openvpn --pidfile "${VPNPID}" \
-		-- --config "${VPNCONF}" --writepid "${VPNPID}" --daemon ${args}
+		-- --config "${VPNCONF}" --writepid "${VPNPID}" --daemon \
+		--setenv SVCNAME "${SVCNAME}" ${args}
 	eend $? "Check your logs to see why startup failed"
 }

 stop() {
+	# If we are re-called by the openvpn gentoo-down.sh script
+	# then we don't actually want to stop openvpn
+	if [ "${IN_BACKGROUND}" = "true" ] ; then
+		mark_service_inactive "${SVCNAME}"
+		return 0
+	fi
+
 	ebegin "Stopping ${SVCNAME}"
-	start-stop-daemon --stop --exec /usr/sbin/openvpn --pidfile "${VPNPID}"
+	start-stop-daemon --stop --quiet \
+		--exec /usr/sbin/openvpn --pidfile "${VPNPID}"
 	eend $?
 }

-# vim: ts=4
+# vim: set ts=4 :
--- a/main/openvpn/openvpn.up
+++ b/main/openvpn/openvpn.up
+#!/bin/sh
+# Copyright (c) 2006-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# Contributed by Roy Marples (uberlord@gentoo.org)
+
+# Setup our resolv.conf
+# Vitally important that we use the domain entry in resolv.conf so we
+# can setup the nameservers are for the domain ONLY in resolvconf if
+# we're using a decent dns cache/forwarder like dnsmasq and NOT nscd/libc.
+# nscd/libc users will get the VPN nameservers before their other ones
+# and will use the first one that responds - maybe the LAN ones?
+# non resolvconf users just the the VPN resolv.conf
+
+# FIXME:- if we have >1 domain, then we have to use search :/
+# We need to add a flag to resolvconf to say
+# "these nameservers should only be used for the listed search domains
+#  if other global nameservers are present on other interfaces"
+# This however, will break compatibility with Debians resolvconf
+# A possible workaround would be to just list multiple domain lines
+# and try and let resolvconf handle it
+
+if [ "${PEER_DNS}" != "no" ]; then
+	NS=
+	DOMAIN=
+	SEARCH=
+	i=1
+	while true ; do
+		eval opt=\$foreign_option_${i}
+		[ -z "${opt}" ] && break
+		if [ "${opt}" != "${opt#dhcp-option DOMAIN *}" ] ; then
+			if [ -z "${DOMAIN}" ] ; then
+				DOMAIN="${opt#dhcp-option DOMAIN *}"
+			else
+				SEARCH="${SEARCH}${SEARCH:+ }${opt#dhcp-option DOMAIN *}"
+			fi
+		elif [ "${opt}" != "${opt#dhcp-option DNS *}" ] ; then
+			NS="${NS}nameserver ${opt#dhcp-option DNS *}\n"
+		fi
+		i=$((${i} + 1))
+	done
+
+	if [ -n "${NS}" ] ; then
+		DNS="# Generated by openvpn for interface ${dev}\n"
+		if [ -n "${SEARCH}" ] ; then
+			DNS="${DNS}search ${DOMAIN} ${SEARCH}\n"
+		elif [ -n "${DOMAIN}" ]; then
+			DNS="${DNS}domain ${DOMAIN}\n"
+		fi
+		DNS="${DNS}${NS}"
+		if [ -x /sbin/resolvconf ] ; then
+			printf "${DNS}" | /sbin/resolvconf -a "${dev}"
+		else
+			# Preserve the existing resolv.conf
+			if [ -e /etc/resolv.conf ] ; then
+				cp /etc/resolv.conf /etc/resolv.conf-"${dev}".sv
+			fi
+			printf "${DNS}" > /etc/resolv.conf
+			chmod 644 /etc/resolv.conf
+		fi
+	fi
+fi
+
+# Below section is Gentoo specific
+# Quick summary - our init scripts are re-entrant and set the SVCNAME env var
+# as we could have >1 openvpn service
+
+if [ -n "${SVCNAME}" ]; then
+	# If we have a service specific script, run this now
+	if [ -x /etc/openvpn/"${SVCNAME}"-up.sh ] ; then
+		/etc/openvpn/"${SVCNAME}"-up.sh "$@"
+	fi
+
+	# Re-enter the init script to start any dependant services
+	if ! /etc/init.d/"${SVCNAME}" --quiet status ; then
+		export IN_BACKGROUND=true
+		/etc/init.d/${SVCNAME} --quiet start
+	fi
+fi
+
+exit 0
+
+# vim: ts=4 :