|
1
|
#!/usr/local/bin/php-cgi -f
|
|
2
|
<?php
|
|
3
|
/*
|
|
4
|
* rc.openvpn
|
|
5
|
*
|
|
6
|
* part of pfSense (https://www.pfsense.org)
|
|
7
|
* Copyright (c) 2009 Seth Mos <seth.mos@dds.nl>.
|
|
8
|
* Copyright (c) 2007-2013 BSD Perimeter
|
|
9
|
* Copyright (c) 2013-2016 Electric Sheep Fencing
|
|
10
|
* Copyright (c) 2014-2024 Rubicon Communications, LLC (Netgate)
|
|
11
|
* All rights reserved.
|
|
12
|
*
|
|
13
|
* Originally part of m0n0wall (http://m0n0.ch/wall)
|
|
14
|
* Copyright (c) 2007 Manuel Kasper <mk@neon1.net>.
|
|
15
|
* All rights reserved.
|
|
16
|
*
|
|
17
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
18
|
* you may not use this file except in compliance with the License.
|
|
19
|
* You may obtain a copy of the License at
|
|
20
|
*
|
|
21
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
22
|
*
|
|
23
|
* Unless required by applicable law or agreed to in writing, software
|
|
24
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
25
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
26
|
* See the License for the specific language governing permissions and
|
|
27
|
* limitations under the License.
|
|
28
|
*/
|
|
29
|
|
|
30
|
/* parse the configuration and include all functions used below */
|
|
31
|
require_once("util.inc");
|
|
32
|
require_once("config.inc");
|
|
33
|
require_once("functions.inc");
|
|
34
|
require_once("filter.inc");
|
|
35
|
require_once("gwlb.inc");
|
|
36
|
require_once("openvpn.inc");
|
|
37
|
|
|
38
|
function openvpn_resync_if_needed ($mode, $ovpn_settings, $interface) {
|
|
39
|
global $g, $config;
|
|
40
|
|
|
41
|
if (empty($mode) ||
|
|
42
|
!is_array($ovpn_settings) ||
|
|
43
|
empty($ovpn_settings)) {
|
|
44
|
return;
|
|
45
|
}
|
|
46
|
|
|
47
|
$resync_needed = true;
|
|
48
|
if (isset($ovpn_settings['disable'])) {
|
|
49
|
$resync_needed = false;
|
|
50
|
} else {
|
|
51
|
if (!empty($interface)) {
|
|
52
|
$mode_id = $mode . $ovpn_settings['vpnid'];
|
|
53
|
$fpath = "{$g['openvpn_base']}/{$mode_id}/interface";
|
|
54
|
if (file_exists($fpath)) {
|
|
55
|
/* Compare the interface currently used by the VPN with the interface that should be used.
|
|
56
|
If the VPN should stay on the same interface, do not resync */
|
|
57
|
if (trim(file_get_contents($fpath), " \t\n") == get_failover_interface($ovpn_settings['interface'])) {
|
|
58
|
$resync_needed = false;
|
|
59
|
}
|
|
60
|
}
|
|
61
|
}
|
|
62
|
}
|
|
63
|
if ($resync_needed == true) {
|
|
64
|
log_error("OpenVPN: Resync " . $mode_id . " " . $ovpn_settings['description']);
|
|
65
|
openvpn_resync($mode, $ovpn_settings);
|
|
66
|
}
|
|
67
|
}
|
|
68
|
|
|
69
|
/* make sure to wait until the boot scripts have finished */
|
|
70
|
if (file_exists("{$g['varrun_path']}/booting")) {
|
|
71
|
return;
|
|
72
|
}
|
|
73
|
|
|
74
|
/* Input argument is a comma-separated list of gateway names, blank or "all". */
|
|
75
|
if (isset($_GET['interface'])) {
|
|
76
|
$argument = $_GET['interface'];
|
|
77
|
} else {
|
|
78
|
$argument = trim($argv[1], " \n");
|
|
79
|
}
|
|
80
|
|
|
81
|
// Workaround as rc.openvpn is called by the gatewaymonitor / check_reload event system,..
|
|
82
|
//file_put_contents("/dev/console", "\n[".getmypid()."] OPENVPN CALLED ".$argument);
|
|
83
|
$gateways_arr = get_gateways();
|
|
84
|
if (isset($gateways_arr[$argument])) {
|
|
85
|
//file_put_contents("/dev/console", "\n[".getmypid()."] OPENVPN CALLED WITH GW:".$argument);
|
|
86
|
// called upon rc.gateway_alarm
|
|
87
|
system_routing_configure();
|
|
88
|
}
|
|
89
|
|
|
90
|
if (count(config_get_path("openvpn/openvpn-server", [])) ||
|
|
91
|
count(config_get_path("openvpn/openvpn-client", []))) {
|
|
92
|
if (empty($argument) || $argument == "all") {
|
|
93
|
$argument = "all";
|
|
94
|
$log_text = "all";
|
|
95
|
} else {
|
|
96
|
$log_text = "endpoints that may use " . $argument;
|
|
97
|
}
|
|
98
|
log_error("OpenVPN: One or more OpenVPN tunnel endpoints may have changed IP addresses. Reloading " . $log_text . ".");
|
|
99
|
} else {
|
|
100
|
return;
|
|
101
|
}
|
|
102
|
|
|
103
|
$openvpnlck = try_lock('openvpn', 10);
|
|
104
|
if (!$openvpnlck) {
|
|
105
|
log_error(gettext("Could not obtain openvpn lock for executing rc.openvpn for more than 10 seconds continuing..."));
|
|
106
|
unlock_force('openvpn');
|
|
107
|
$openvpnlck = lock('openvpn', LOCK_EX);
|
|
108
|
}
|
|
109
|
|
|
110
|
$arg_array = explode(",", $argument);
|
|
111
|
foreach ($arg_array as $arg_element) {
|
|
112
|
$gwgroups = array();
|
|
113
|
if ($arg_element == "all") {
|
|
114
|
$interface = "";
|
|
115
|
} else {
|
|
116
|
// e.g. $arg_element = "WANGW", $interface = "wan"
|
|
117
|
$interface = lookup_gateway_interface_by_name($arg_element);
|
|
118
|
if (empty($interface)) {
|
|
119
|
$interface = $arg_element;
|
|
120
|
} else {
|
|
121
|
// e.g. $arg_element = "WANGW", $gwgroups = array of gateway groups that use "wan"
|
|
122
|
$gwgroups = gateway_is_gwgroup_member($arg_element);
|
|
123
|
}
|
|
124
|
}
|
|
125
|
|
|
126
|
foreach (config_get_path("openvpn/openvpn-server", []) as $server) {
|
|
127
|
if (empty($server)) {
|
|
128
|
continue;
|
|
129
|
}
|
|
130
|
if ($server['interface'] == $interface || empty($interface) ||
|
|
131
|
(!empty($gwgroups) && in_array($server['interface'], $gwgroups))) {
|
|
132
|
openvpn_resync_if_needed('server', $server, $interface);
|
|
133
|
}
|
|
134
|
}
|
|
135
|
|
|
136
|
foreach (config_get_path("openvpn/openvpn-client", []) as $client) {
|
|
137
|
if (empty($client)) {
|
|
138
|
continue;
|
|
139
|
}
|
|
140
|
if ($client['interface'] == $interface || empty($interface) ||
|
|
141
|
(!empty($gwgroups) && in_array($client['interface'], $gwgroups))) {
|
|
142
|
openvpn_resync_if_needed('client', $client, $interface);
|
|
143
|
}
|
|
144
|
}
|
|
145
|
}
|
|
146
|
|
|
147
|
unlock($openvpnlck);
|
|
148
|
?>
|