#!/bin/sh

# Space-separated list of the OpenVPN configuration files that the per-file
# loops in this script iterate over (expanded unquoted so it word-splits).
CONFIGS='/etc/openvpn/clients.conf /etc/openvpn/clients-tcp.conf'
# Run timestamp (abbreviated month, day, year, HH:MM:SS joined by dashes),
# used as the suffix of backup copies made later in this script.
TIMESTAMP=$(date '+%b-%d-%Y-%T')

# Create dh1024.pem if one does not exist
#----------------------------------------

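# Generate Diffie-Hellman parameters only when the file is absent; an existing
# file is never regenerated by this script.
# NOTE(review): 1024-bit DH groups are below current recommendations (see the
# Logjam research). Moving to a 2048-bit or larger group needs a separate
# migration step, because installs that already have this file keep it as-is.
if [ ! -e /etc/openvpn/ssl/dh1024.pem ]; then
    if ! openssl dhparam -out /etc/openvpn/ssl/dh1024.pem 1024 >/dev/null 2>&1; then
        # A failed run may leave an empty or truncated file behind, which would
        # satisfy the existence test on every later upgrade. Log the failure
        # and remove the leftover so the next run retries.
        logger -p local6.notice -t installer "app-openvpn-core - failed to generate DH parameters"
        rm -f /etc/openvpn/ssl/dh1024.pem
    fi
fi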

# PAM check
#----------

# Install the packaged PAM stack for OpenVPN unless the current file already
# mentions clearos/openvpn.d. An existing file is first copied to the backup
# directory under a timestamped name.
# NOTE(review): the match is unanchored, so a commented-out reference also
# counts as "already configured"; and the replacement below still runs when
# the backup copy fails, so a local PAM customisation could be lost silently.
if ! grep -q clearos/openvpn.d /etc/pam.d/openvpn 2>/dev/null; then
    logger -p local6.notice -t installer "app-openvpn-core - applying PAM configuration"
    if [ -e /etc/pam.d/openvpn ]; then
        cp /etc/pam.d/openvpn "/var/clearos/openvpn/backup/openvpn.pam.$TIMESTAMP"
    fi
    cp /usr/clearos/apps/openvpn/deploy/openvpn.pam /etc/pam.d/openvpn
fi

# Cleanup
#--------

# Rewrite the server certificate directive in clients.conf from the old
# /etc/openvpn/ssl path to the certificate under /etc/pki/CA. Only
# clients.conf is handled here; clients-tcp.conf is not touched.
if grep -q "^cert /etc/openvpn/ssl/server.crt" /etc/openvpn/clients.conf 2>/dev/null; then
    sed -i -e 's|^cert /etc/openvpn/ssl/server.crt.*|cert /etc/pki/CA/sys-0-cert.pem|' /etc/openvpn/clients.conf
fi

# Rewrite the private-key directive in clients.conf from the old
# /etc/openvpn/ssl path to the key under /etc/pki/CA/private. Unlike the
# certificate rewrite, the pattern has no trailing ".*", so anything after
# the old path on that line is kept.
if grep -q "^key /etc/openvpn/ssl/server.key" /etc/openvpn/clients.conf 2>/dev/null; then
    sed -i -e 's|^key /etc/openvpn/ssl/server.key|key /etc/pki/CA/private/sys-0-key.pem|' /etc/openvpn/clients.conf
fi

# Plugin file name change
#------------------------

# Replace any plugin line that still names openvpn-auth-pam.so with the
# renamed openvpn-plugin-auth-pam.so module, passing "openvpn" as the plugin
# argument. The whole line is rewritten and the lib64 directory is
# hard-coded in the replacement.
for CONFIG in $CONFIGS; do
    if grep -q "^plugin[[:space:]].*openvpn-auth-pam.so" "$CONFIG"; then
        logger -p local6.notice -t installer "app-openvpn-core - upgrading plugin path in $CONFIG"
        sed -i -e 's|^plugin.*openvpn-auth-pam.so.*|plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn|' "$CONFIG"
    fi
done

# Check arch for annoying lib64 path name in config file
#-------------------------------------------------------

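# Align the plugin directory in each config with the running architecture:
# /usr/lib64/openvpn on x86_64, /usr/lib/openvpn on anything else.
#
# The architecture is read once instead of on every iteration. The comparison
# uses a quoted operand and the POSIX "=" operator: the original unquoted
# substitution with "==" is a bashism under #!/bin/sh, and it turns into a
# test syntax error if /bin/arch prints nothing.
SYSTEM_ARCH=$(/bin/arch)

for CONFIG in $CONFIGS; do
    if [ "$SYSTEM_ARCH" = "x86_64" ]; then
        if grep -q "^plugin[[:space:]]/usr/lib/openvpn/" "$CONFIG"; then
            logger -p local6.notice -t installer "app-openvpn-core - updating plugin path to 64-bit"
            sed -i -e 's|^plugin[[:space:]]*/usr/lib/openvpn|plugin /usr/lib64/openvpn|' "$CONFIG"
        fi
    else
        if grep -q "^plugin[[:space:]]/usr/lib64/openvpn/" "$CONFIG"; then
            logger -p local6.notice -t installer "app-openvpn-core - updating plugin path to 32-bit"
            sed -i -e 's|^plugin[[:space:]]*/usr/lib64/openvpn|plugin /usr/lib/openvpn|' "$CONFIG"
        fi
    fi
done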

# Update ifconfig-pool-persist parameter (tracker #822)
#------------------------------------------------------

# Where an ifconfig-pool-persist line ends in "ipp.txt" (no interval given),
# rewrite it to /var/lib/openvpn/ipp.txt with an explicit value of 120.
for CONFIG in $CONFIGS; do
    if grep -q '^ifconfig-pool-persist.*ipp.txt$' "$CONFIG"; then
        logger -p local6.notice -t installer "app-openvpn-core - updating ifconfig-pool-persist time: $CONFIG"
        sed -i -e 's|^ifconfig-pool-persist.*|ifconfig-pool-persist /var/lib/openvpn/ipp.txt 120|' "$CONFIG"
    fi
done

# Give the TCP config its own pool-persistence file (ipp-tcp.txt) instead of
# the ipp.txt path; presumably so the two configs do not write the same file.
# Text after the filename on that line is left in place.
if grep -q "^ifconfig-pool-persist /var/lib/openvpn/ipp.txt" /etc/openvpn/clients-tcp.conf 2>/dev/null; then
    logger -p local6.notice -t installer "app-openvpn-core - updating ifconfig-pool-persist filename for TCP"
    sed -i -e 's|^ifconfig-pool-persist /var/lib/openvpn/ipp.txt|ifconfig-pool-persist /var/lib/openvpn/ipp-tcp.txt|' /etc/openvpn/clients-tcp.conf
    # NOTE(review): the unit name below was replaced by the hosting page's
    # e-mail obfuscation ("[email protected]"); restore it from the original
    # repository before running this listing.
    systemctl condrestart [email protected] >/dev/null 2>&1
fi

# Check for comp-lzo in configs and replace
#------------------------------------------

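# Migrate configs that contain a bare "comp-lzo" line to "compress stub-v2",
# both as a local directive and as an option pushed to clients, then
# conditionally restart the matching service instance.
# (stub-v2 is understood to keep the compression framing without compressing
# data, which removes the compression side channel - confirm against the
# OpenVPN manual for the deployed version.)
for CONFIG in $CONFIGS; do
    if grep -q '^comp-lzo$' "$CONFIG"; then
        logger -p local6.notice -t installer "app-openvpn-core - removing comp-lzo in $CONFIG"
        # Deletes every line mentioning comp-lzo, including pushed and
        # commented-out variants, not only the bare directive matched above.
        sed -i '/comp-lzo/d' "$CONFIG"

        # Anchored to the start of the line: an unanchored search for
        # 'compress stub-v2' also matches the push line (or a comment), which
        # would leave the server-side directive missing.
        if ! grep -q '^[[:space:]]*compress stub-v2' "$CONFIG"; then
            echo 'compress stub-v2' >> "$CONFIG"
        fi

        if ! grep -q '^[[:space:]]*push "compress stub-v2"' "$CONFIG"; then
            echo 'push "compress stub-v2"' >> "$CONFIG"
        fi

        # NOTE(review): the unit-name prefix below was replaced by the hosting
        # page's e-mail obfuscation ("[email protected]"); restore it from the
        # original repository before running this listing.
        systemctl condrestart [email protected]"$(basename "$CONFIG" .conf)" >/dev/null 2>&1
    fi
done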

# Update status parameter (gitlab #13)
#-------------------------------------

# Move the TCP config's status file to openvpn-status-tcp.log when the line
# is exactly the old openvpn-status.log path (the match is anchored at both
# ends, so a line with extra arguments is left alone).
if grep -q '^status /var/lib/openvpn/openvpn-status.log$' /etc/openvpn/clients-tcp.conf; then
    logger -p local6.notice -t installer "app-openvpn-core - updating status file in /etc/openvpn/clients-tcp.conf"
    sed -i -e 's|^status /var/lib/openvpn/openvpn-status.log$|status /var/lib/openvpn/openvpn-status-tcp.log|' /etc/openvpn/clients-tcp.conf
fi

# Add nat_enabled to /etc/clearos/openvpn.conf (gitlab #4)
#---------------------------------------------------------

# Append a default "nat_enabled = no" when no line in the app config starts
# with nat_enabled. A missing file also takes this path, in which case the
# append creates it.
if ! grep -q '^nat_enabled' /etc/clearos/openvpn.conf; then
    logger -p local6.notice -t installer "app-openvpn-core - adding nat_enabled to /etc/clearos/openvpn.conf"
    echo "nat_enabled = no" >> /etc/clearos/openvpn.conf
fi

# Sync action: updates configuration using clearsync hook
#--------------------------------------------------------

# Invoked by absolute path as the last visible command; with no explicit exit
# after it in this listing, its exit status becomes the script's.
/var/clearos/events/network_configuration/openvpn