include $(TOPDIR)/rules.mk
PKG_NAME:=openconnect
-PKG_VERSION:=6.00
-PKG_RELEASE:=3
+PKG_VERSION:=7.03
+PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=ftp://ftp.infradead.org/pub/openconnect/
-PKG_MD5SUM:=7e28e23c6e281be31446e6c365f5d273
+PKG_MD5SUM:=83f6a359906d49473f591ba613ca3fe5
+
+PKG_CONFIG_DEPENDS:= \
+ CONFIG_OPENCONNECT_GNUTLS \
+ CONFIG_OPENCONNECT_OPENSSL \
+
include $(INCLUDE_DIR)/package.mk
CONFIGURE_ARGS += \
--disable-shared \
- --with-vpnc-script=/lib/netifd/vpnc-script
+ --with-vpnc-script=/lib/netifd/vpnc-script \
+ --without-libpcsclite \
+ --without-stoken
ifeq ($(CONFIG_OPENCONNECT_OPENSSL),y)
CONFIGURE_ARGS += \
To setup a VPN connection, add the following to /etc/config/network:
config interface 'MYVPN'
- option _orig_ifname 'vpnc'
- option _orig_bridge 'false'
option proto 'openconnect'
option server 'vpn.example.com'
option port '4443'
option username 'test'
option password 'secret'
option serverhash 'AE7FF6A0426F0A0CD0A02EB9EC3C5066FAEB0B25'
+ option authgroup 'DEFAULT'
The additional files are also used:
-/etc/openconnect/user-cert-vpn-MYVPN.pem: The user certificate
-/etc/openconnect/user-key-vpn-MYVPN.pem: The user private key
-/etc/openconnect/ca-vpn-MYVPN.pem: The CA certificate (instead of serverhash)
+/etc/config/openconnect-user-cert-vpn-MYVPN.pem: The user certificate
+/etc/config/openconnect-user-key-vpn-MYVPN.pem: The user private key
+/etc/config/openconnect-ca-vpn-MYVPN.pem: The CA certificate (instead of serverhash)
After these are setup you can initiate the VPN using "ifup MYVPN", and
deinitialize it using ifdown. You may also use the luci web interface
-(Network -> Interfaces -> AVPN Connect).
+(Network -> Interfaces -> MYVPN Connect).
Note that you need to configure the firewall to allow communication between
the MYVPN interface and lan.
There is a luci plugin to allow configuring an openconnect interface from
-the web environment; see the luci-protocol-openconnect package.
+the web environment; see the luci-proto-openconnect package.
exit 0
}
-trap cleanup 1 2 3 6 15
+cleanup2()
+{
+ if ! test -z "$pid";then
+ kill -2 $pid
+ wait $pid
+ fi
+ exit 0
+}
+
+trap cleanup2 2
+trap cleanup 1 3 6 15
rm -f "$pidfile"
/usr/sbin/openconnect $* <$pwfile &
proto_openconnect_setup() {
local config="$1"
- json_get_vars server port username serverhash authgroup password vgroup
+ json_get_vars server port username serverhash authgroup password vgroup token_mode token_secret
grep -q tun /proc/modules || insmod tun
cmdline="$server$port -i vpn-$config --non-inter --syslog --script /lib/netifd/vpnc-script"
- [ -f /etc/openconnect/ca-vpn-$config.pem ] && append cmdline "--cafile /etc/openconnect/ca-vpn-$config.pem"
- [ -f /etc/openconnect/user-cert-vpn-$config.pem ] && append cmdline "-c /etc/openconnect/user-cert-vpn-$config.pem"
- [ -f /etc/openconnect/user-key-vpn-$config.pem ] && append cmdline "--sslkey /etc/openconnect/user-key-vpn-$config.pem"
- [ -n "$serverhash" ] && append cmdline "--servercert=$serverhash"
+ # migrate to new config files
+ [ -f /etc/openconnect/user-cert-vpn-$config.pem ] && mv "/etc/openconnect/user-cert-vpn-$config.pem" "/etc/config/openconnect-user-cert-vpn-$config.pem"
+ [ -f /etc/openconnect/user-key-vpn-$config.pem ] && mv "/etc/openconnect/user-key-vpn-$config.pem" "/etc/config/openconnect-user-key-vpn-$config.pem"
+ [ -f /etc/openconnect/ca-vpn-$config.pem ] && mv "/etc/openconnect/ca-vpn-$config.pem" "/etc/config/openconnect-ca-vpn-$config.pem"
+
+ # read new config files
+ [ -f /etc/config/openconnect-user-cert-vpn-$config.pem ] && append cmdline "-c /etc/config/openconnect-user-cert-vpn-$config.pem"
+ [ -f /etc/config/openconnect-user-key-vpn-$config.pem ] && append cmdline "--sslkey /etc/config/openconnect-user-key-vpn-$config.pem"
+ [ -f /etc/config/openconnect-ca-vpn-$config.pem ] && {
+ append cmdline "--cafile /etc/openconnect/ca-vpn-$config.pem"
+ append cmdline "--no-system-trust"
+ }
+
+ [ -n "$serverhash" ] && {
+ append cmdline " --servercert=$serverhash"
+ append cmdline "--no-system-trust"
+ }
[ -n "$authgroup" ] && append cmdline "--authgroup $authgroup"
[ -n "$username" ] && append cmdline "-u $username"
[ -n "$password" ] && {
append cmdline "--passwd-on-stdin"
}
+ [ -n "$token_mode" ] && append cmdline "--token-mode=$token_mode"
+ [ -n "$token_secret" ] && append cmdline "--token-secret=$token_secret"
+
proto_export INTERFACE="$config"
logger -t openconnect "executing 'openconnect $cmdline'"
- if [ -f "$pwfile" ];then
+ if [ -f "$pwfile" ]; then
proto_run_command "$config" /usr/sbin/openconnect-wrapper $pwfile $cmdline
else
proto_run_command "$config" /usr/sbin/openconnect $cmdline
rm -f $pwfile
logger -t openconnect "bringing down openconnect"
- proto_kill_command "$config"
+ proto_kill_command "$config" 2
}
add_protocol openconnect
#* CISCO_IPV6_SPLIT_INC_%d_ADDR -- IPv6 network address
#* CISCO_IPV6_SPLIT_INC_$%d_MASKLEN -- IPv6 subnet masklen
+HOOKS_DIR=/etc/openconnect
+
# FIXMEs:
# Section A: route handling
# Section B: Split DNS handling
-# 1) Maybe dnsmasq can do something like that
-# 2) Parse dns packets going out via tunnel and redirect them to original dns-server
+# 1) We parse CISCO_SPLIT_DNS and use dnsmasq to set it
do_connect() {
if [ -n "$CISCO_BANNER" ]; then
logger -t openconnect "Connect Banner:"
- logger -t openconnect "$CISCO_BANNER" | while read LINE ; do logger -t openconnect "|" "$LINE" ; done
+ echo "$CISCO_BANNER" | while read LINE ; do logger -t openconnect "|" "$LINE" ; done
fi
proto_init_update "$TUNDEV" 1
[[ "$addr" != "$mask" ]] && proto_add_ipv6_address "$addr" "$mask"
fi
- [ -n "$INTERNAL_IP4_DNS" ] && proto_add_dns_server "$INTERNAL_IP4_DNS"
- [ -n "$CISCO_DEF_DOMAIN" ] && proto_add_dns_search "$CISCO_DEF_DOMAIN"
+ if [ -n "$CISCO_SPLIT_DNS" ] && [ -d "/tmp/dnsmasq.d/" ];then
+ SDNS=`echo $CISCO_SPLIT_DNS|sed 's/,/\n/g'`
+ DNSMASQ_FILE="/tmp/dnsmasq.d/openconnect.$TUNDEV"
+ rm -f $DNSMASQ_FILE
+ echo "$SDNS" | while read i; do
+ if [ -n "$INTERNAL_IP4_DNS" ];then
+ echo "server=/$i/$INTERNAL_IP4_DNS" >> $DNSMASQ_FILE
+ fi
+ if [ -n "$INTERNAL_IP6_DNS" ];then
+ echo "server=/$i/$INTERNAL_IP6_DNS" >> $DNSMASQ_FILE
+ fi
+ done
+ /etc/init.d/dnsmasq restart
+ else
+ [ -n "$INTERNAL_IP4_DNS" ] && proto_add_dns_server "$INTERNAL_IP4_DNS"
+ [ -n "$CISCO_DEF_DOMAIN" ] && proto_add_dns_search "$CISCO_DEF_DOMAIN"
+ fi
if [ -n "$CISCO_SPLIT_INC" ]; then
i=0
}
do_disconnect() {
+ rm -f "/tmp/dnsmasq.d/openconnect.$TUNDEV"
proto_init_update "$TUNDEV" 0
proto_send_update "$INTERFACE"
}
+#### Hooks
+run_hooks() {
+ HOOK="$1"
+
+ if [ -d ${HOOKS_DIR}/${HOOK}.d ]; then
+ for script in ${HOOKS_DIR}/${HOOK}.d/* ; do
+ [ -f $script ] && . $script
+ done
+ fi
+}
+
#### Main
if [ -z "$reason" ]; then
case "$reason" in
pre-init)
+ run_hooks pre-init
;;
connect)
+ run_hooks connect
do_connect
+ run_hooks post-connect
;;
disconnect)
+ run_hooks disconnect
do_disconnect
+ run_hooks post-disconnect
;;
reconnect)
+ run_hooks reconnect
;;
*)
logger -t openconnect "unknown reason '$reason'. Maybe vpnc-script is out of date" 1>&2
projects / feed / packages.git / commitdiff