ports/78838: [New Port] security/openvpn2 Lots of new features
Kevin Leung
hysoka at gmail.com
Mon Mar 14 18:40:03 UTC 2005
>Number: 78838
>Category: ports
>Synopsis: [New Port] security/openvpn2 Lots of new features
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Mon Mar 14 18:40:02 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Kevin Leung
>Release: FreeBSD 5.4-PRERELEASE #0
>Organization:
>Environment:
>Description:
There aren't many OpenVPN 2.0 guides for FreeBSD. We would be better off having a port to simplify things.
>How-To-Repeat:
>Fix:
--- openvpn2_port begins here ---
# This is a shell archive. Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file". Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
# /usr/ports/security/openvpn2/
# /usr/ports/security/openvpn2/files
# /usr/ports/security/openvpn2/files/vpn-up
# /usr/ports/security/openvpn2/files/openvpn2.sh.sample
# /usr/ports/security/openvpn2/files/vpn-down
# /usr/ports/security/openvpn2/pkg-message
# /usr/ports/security/openvpn2/pkg-descr
# /usr/ports/security/openvpn2/pkg-plist
# /usr/ports/security/openvpn2/distinfo
# /usr/ports/security/openvpn2/Makefile
#
# Create the port directory tree; the progress line echoes each path
# (the first one keeps its trailing slash, as in the original archive).
for d in /usr/ports/security/openvpn2/ /usr/ports/security/openvpn2/files; do
	echo c - "$d"
	mkdir -p "$d" > /dev/null 2>&1
done
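echo x - /usr/ports/security/openvpn2/files/vpn-up
sed 's/^X//' >/usr/ports/security/openvpn2/files/vpn-up << 'END-of-/usr/ports/security/openvpn2/files/vpn-up'
X#!/bin/sh
X# $FreeBSD$
X# The compilation of software known as FreeBSD is distributed under the
X# following terms:
X#
X# Copyright (C) 1992-2005 The FreeBSD Project. All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X# notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X# notice, this list of conditions and the following disclaimer in the
X# documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED. IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X
X# OpenVPN --up hook, run as root by the openvpn2 rc script once the tap
X# interface exists: puts a VLAN sub-interface of the physical NIC and the
X# tap device into a bridge, enables IP forwarding and loads the pf ruleset.
X# Everything below is site specific (NIC, VLAN id, address, ruleset path)
X# and has to be edited before use; the script takes no arguments.
X
XBRIDGE_KLD="bridge"
XVLAN_DEV="vlan0"
XVLAN_KLD="if_vlan"
XVLAN_DEV_IP="192.168.1.1"
XVLAN_DEV_NETMASK="255.255.255.0"
XETH_DEV="rl0"
XTAP_DEV="tap0"
XTAP_KLD="if_tap"
X
X# Load each kernel module only when it is not already resident.
Xfor kld in "$BRIDGE_KLD" "$VLAN_KLD" "$TAP_KLD"; do
X	kldstat -n "$kld" > /dev/null 2>&1 || kldload "$kld"
Xdone
X
X# Current address of the VLAN interface (empty when it does not exist yet;
X# stderr is silenced so a missing interface does not log an error here).
X__vlan_ip=`ifconfig "$VLAN_DEV" 2>/dev/null | grep -E '([0-9]{1,3}\.){3}' | awk '{print $2}'`
Xif [ "$__vlan_ip" != "$VLAN_DEV_IP" ]; then
X	# Test ifconfig's exit status directly.  The original wrapped the
X	# command in backticks, which made the shell run ifconfig's (redirected,
X	# hence empty) output as the command, so the exit status tested was not
X	# ifconfig's and the create/vlandev branch was unreliable.
X	if ! ifconfig "$VLAN_DEV" > /dev/null 2>&1; then
X		ifconfig "$VLAN_DEV" create
X		ifconfig "$VLAN_DEV" vlan 1 vlandev "$ETH_DEV"
X	fi
X	ifconfig "$VLAN_DEV" inet "$VLAN_DEV_IP" netmask "$VLAN_DEV_NETMASK"
Xfi
X
X# Bridge VLAN and tap, turn on forwarding, then enable pf with the VPN
X# ruleset.  NOTE(review): /etc/pf/pf.conf is not FreeBSD's default ruleset
X# location (/etc/pf.conf), and "pfctl -f" replaces whatever ruleset is
X# currently loaded -- confirm that file carries the complete host policy.
Xsysctl net.link.ether.bridge.enable=1
Xsysctl net.link.ether.bridge.config="${VLAN_DEV},${TAP_DEV}"
Xsysctl net.inet.ip.forwarding=1
Xpfctl -e -f /etc/pf/pf.conf
X
Xexit 0
END-of-/usr/ports/security/openvpn2/files/vpn-up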
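echo x - /usr/ports/security/openvpn2/files/openvpn2.sh.sample
sed 's/^X//' >/usr/ports/security/openvpn2/files/openvpn2.sh.sample << 'END-of-/usr/ports/security/openvpn2/files/openvpn2.sh.sample'
X#!/bin/sh
X#
X# $FreeBSD$
X#
X
X# PROVIDE: openvpn2
X# REQUIRE: NETWORKING SERVERS DAEMON
X# BEFORE: LOGIN
X# KEYWORD: shutdown
X
X#
X# Add the following lines to /etc/rc.conf to enable openvpn2:
X# openvpn2_enable (bool):	Set to "NO" by default.
X#				Set it to "YES" to enable OpenVPN.
X# openvpn2_conf (str):		Config file name, relative to
X#				/usr/local/etc/openvpn2 ("server.conf" by default).
X
X. /etc/rc.subr
X
Xname="openvpn2"
Xrcvar=`set_rcvar`
X
Xload_rc_config $name
X
X: ${openvpn2_enable:="NO"}
X: ${openvpn2_conf:="server.conf"}
X
Xcommand=/usr/local/sbin/${name}
X# Written by the daemon (--writepid) so that stop can address exactly the
X# process this script started rather than every process named openvpn2.
Xpidfile=/var/run/${name}.pid
Xstart_cmd="${name}_start"
Xstop_cmd="${name}_stop"
Xrestart_cmd="${name}_restart"
X
X# Start the daemon from its config directory; vpn-up runs (as root) once
X# the tunnel interface is up.
Xopenvpn2_start()
X{
X	${command} --cd /usr/local/etc/${name} --config "${openvpn2_conf}" \
X	    --writepid ${pidfile} \
X	    --up /usr/local/libexec/openvpn2/vpn-up --daemon
X}
X
X# Stop the daemon named in the pidfile (check_pidfile from rc.subr only
X# returns the pid when that process really is ${command}, so a stale file
X# cannot kill an unrelated process).  Fall back to killall for a daemon
X# started without a pidfile, then undo the bridge/pf/forwarding changes.
Xopenvpn2_stop()
X{
X	_pid=`check_pidfile ${pidfile} ${command}`
X	if [ -n "${_pid}" ]; then
X		kill ${_pid}
X		rm -f ${pidfile}
X	else
X		killall ${name}
X	fi
X	/usr/local/libexec/openvpn2/vpn-down
X}
X
Xopenvpn2_restart()
X{
X	${stop_cmd}
X	${start_cmd}
X}
X
Xrun_rc_command "$1"
END-of-/usr/ports/security/openvpn2/files/openvpn2.sh.sample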
echo x - /usr/ports/security/openvpn2/files/vpn-down
sed 's/^X//' >/usr/ports/security/openvpn2/files/vpn-down << 'END-of-/usr/ports/security/openvpn2/files/vpn-down'
X#!/bin/sh
X# $FreeBSD$
X# The compilation of software known as FreeBSD is distributed under the
X# following terms:
X#
X# Copyright (C) 1992-2005 The FreeBSD Project. All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X# notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X# notice, this list of conditions and the following disclaimer in the
X# documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED. IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X
X# Tear-down counterpart of vpn-up, run by the openvpn2 rc script after the
X# daemon has been stopped: disables the bridge, clears its member list,
X# switches IP forwarding off and disables pf.
X# NOTE(review): "pfctl -d" disables the packet filter for the whole host,
X# not only the VPN-related rules, and forwarding is switched off regardless
X# of whether anything else relied on it -- confirm that is the intended
X# post-VPN state.  The VLAN interface created by vpn-up is left in place.
X
Xfor setting in \
X	net.link.ether.bridge.enable=0 \
X	net.link.ether.bridge.config= \
X	net.inet.ip.forwarding=0
Xdo
X	sysctl "$setting"
Xdone
Xpfctl -d
X
Xexit 0
END-of-/usr/ports/security/openvpn2/files/vpn-down
echo x - /usr/ports/security/openvpn2/pkg-message
sed 's/^X//' >/usr/ports/security/openvpn2/pkg-message << 'END-of-/usr/ports/security/openvpn2/pkg-message'
X
X### ---------------------------------------------------------------------- ###
X### To use the tap driver, you may need to do: kldload if_tap ###
X### See ${PREFIX}/etc/rc.d/openvpn2.sh.sample for how to do this ###
X### automatically at system boot-up time. ###
X### ---------------------------------------------------------------------- ###
X### In version 2.0, --tun-mtu 1500 --mssfix 1450 is now the default.
X### (In 1.x the default is --link-mtu 1300 for tun interfaces and
X### --tun-mtu 1500 for tap interfaces, with --mssfix disabled).
X###
X### Also in version 2.0, when using TLS, --key-method 2 is now the default.
X### Use --key-method 1 on the 2.0 side to communicate with 1.x.
X###
X### Starting with version 2.0-beta12, OpenVPN has adopted a consistent
X### approach to string remapping to prevent trusted or semi-trusted peers
X### from sending maliciously crafted strings. The details are discussed
X### in the String Types and Remapping section of the man page.
X### ---------------------------------------------------------------------- ###
END-of-/usr/ports/security/openvpn2/pkg-message
echo x - /usr/ports/security/openvpn2/pkg-descr
sed 's/^X//' >/usr/ports/security/openvpn2/pkg-descr << 'END-of-/usr/ports/security/openvpn2/pkg-descr'
XOpenVPN is a robust and highly configurable VPN (Virtual Private
XNetwork) daemon. OpenVPN implements OSI layer 2 or 3 secure network
Xextension using the industry standard SSL/TLS protocol. The beauty
Xis that it tunnels networks through connection-oriented stateful
Xfirewalls without having to use explicit firewall rules.
X
XWWW: http://openvpn.net/
X
X- Kevin Leung
Xhysoka at gmail.com
END-of-/usr/ports/security/openvpn2/pkg-descr
echo x - /usr/ports/security/openvpn2/pkg-plist
sed 's/^X//' >/usr/ports/security/openvpn2/pkg-plist << 'END-of-/usr/ports/security/openvpn2/pkg-plist'
Xetc/openvpn2/client.conf.sample
Xetc/openvpn2/server.conf.sample
Xetc/rc.d/openvpn2.sh.sample
Xlibexec/openvpn2/easy-rsa/README
Xlibexec/openvpn2/easy-rsa/build-ca
Xlibexec/openvpn2/easy-rsa/build-dh
Xlibexec/openvpn2/easy-rsa/build-inter
Xlibexec/openvpn2/easy-rsa/build-key
Xlibexec/openvpn2/easy-rsa/build-key-pass
Xlibexec/openvpn2/easy-rsa/build-key-pkcs12
Xlibexec/openvpn2/easy-rsa/build-key-server
Xlibexec/openvpn2/easy-rsa/build-req
Xlibexec/openvpn2/easy-rsa/build-req-pass
Xlibexec/openvpn2/easy-rsa/clean-all
Xlibexec/openvpn2/easy-rsa/list-crl
Xlibexec/openvpn2/easy-rsa/make-crl
Xlibexec/openvpn2/easy-rsa/openssl.cnf
Xlibexec/openvpn2/easy-rsa/revoke-crt
Xlibexec/openvpn2/easy-rsa/revoke-full
Xlibexec/openvpn2/easy-rsa/sign-req
Xlibexec/openvpn2/easy-rsa/vars
Xlibexec/openvpn2/vpn-down
Xlibexec/openvpn2/vpn-up
Xsbin/openvpn2
Xshare/doc/openvpn2/AUTHORS
Xshare/doc/openvpn2/COPYING
Xshare/doc/openvpn2/COPYRIGHT.GPL
Xshare/doc/openvpn2/ChangeLog
Xshare/doc/openvpn2/INSTALL
Xshare/doc/openvpn2/NEWS
Xshare/doc/openvpn2/PORTS
Xshare/doc/openvpn2/README
Xshare/doc/openvpn2/sample-config-files/README
Xshare/doc/openvpn2/sample-config-files/client.conf
Xshare/doc/openvpn2/sample-config-files/firewall.sh
Xshare/doc/openvpn2/sample-config-files/home.up
Xshare/doc/openvpn2/sample-config-files/loopback-client
Xshare/doc/openvpn2/sample-config-files/loopback-server
Xshare/doc/openvpn2/sample-config-files/office.up
Xshare/doc/openvpn2/sample-config-files/openvpn-shutdown.sh
Xshare/doc/openvpn2/sample-config-files/openvpn-startup.sh
Xshare/doc/openvpn2/sample-config-files/server.conf
Xshare/doc/openvpn2/sample-config-files/static-home.conf
Xshare/doc/openvpn2/sample-config-files/static-office.conf
Xshare/doc/openvpn2/sample-config-files/tls-home.conf
Xshare/doc/openvpn2/sample-config-files/tls-office.conf
Xshare/doc/openvpn2/sample-config-files/xinetd-client-config
Xshare/doc/openvpn2/sample-config-files/xinetd-server-config
Xshare/doc/openvpn2/sample-scripts/auth-pam.pl
Xshare/doc/openvpn2/sample-scripts/bridge-start
Xshare/doc/openvpn2/sample-scripts/bridge-stop
Xshare/doc/openvpn2/sample-scripts/openvpn.init
Xshare/doc/openvpn2/sample-scripts/verify-cn
X@dirrm share/nls/en_US.US-ASCII
X@dirrm share/nls/POSIX
X@dirrm share/doc/openvpn2/sample-scripts
X@dirrm share/doc/openvpn2/sample-config-files
X@dirrm share/doc/openvpn2
X@dirrm libexec/openvpn2/easy-rsa
X@dirrm libexec/openvpn2
X@dirrm etc/openvpn2
END-of-/usr/ports/security/openvpn2/pkg-plist
echo x - /usr/ports/security/openvpn2/distinfo
sed 's/^X//' >/usr/ports/security/openvpn2/distinfo << 'END-of-/usr/ports/security/openvpn2/distinfo'
XMD5 (openvpn-2.0_rc16.tar.gz) = 296a4ca736405525a8de4cd46fef4af5
XSIZE (openvpn-2.0_rc16.tar.gz) = 637441
END-of-/usr/ports/security/openvpn2/distinfo
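echo x - /usr/ports/security/openvpn2/Makefile
sed 's/^X//' >/usr/ports/security/openvpn2/Makefile << 'END-of-/usr/ports/security/openvpn2/Makefile'
X# New ports collection makefile for:	openvpn2
X# Date created:		2005-03-13
X# Whom:			Kevin Leung (hysoka@gmail.com)
X#
X# $FreeBSD$
X#
X
XPORTNAME=	openvpn2
X# "2.0.r16" is the ports spelling of a release candidate: it sorts before
X# the final 2.0, whereas "2.0p16" would read as a patch level above 2.0 and
X# make the eventual 2.0 release look like a downgrade.
XPORTVERSION=	2.0.r16
XCATEGORIES=	security
X# The SourceForge project is "openvpn"; PORTNAME (openvpn2) only names the
X# port locally and must not be used to build the fetch URLs.
XMASTER_SITES=	${MASTER_SITE_SOURCEFORGE} \
X		http://osdn.dl.sourceforge.net/sourceforge/openvpn/
XMASTER_SITE_SUBDIR=	openvpn
XDISTNAME=	openvpn-2.0_rc16
X
XMAINTAINER=	hysoka@gmail.com
XCOMMENT=	SSL/VPN solution
X
XLIB_DEPENDS=	lzo.1:${PORTSDIR}/archivers/lzo
X
XGNU_CONFIGURE=	yes
XUSE_GMAKE=	yes
XUSE_OPENSSL=	yes
XUSE_REINPLACE=	yes
X
XCONFIGURE_TARGET=	--build=${ARCH}-portbld-freebsd${OSREL}
XCONFIGURE_ARGS=	--with-lzo-lib=${LOCALBASE}/lib \
X		--with-lzo-headers=${LOCALBASE}/include \
X		--prefix=${PREFIX}
X
XMAN8=		${PORTNAME}.8
X
X# Binary and man page are installed under the openvpn2 name so this port
X# can coexist with security/openvpn (1.x).
Xdo-install:
X	${INSTALL_PROGRAM} ${WRKSRC}/openvpn ${PREFIX}/sbin/${PORTNAME}
X	${INSTALL_MAN} ${WRKSRC}/openvpn.8 ${MANPREFIX}/man/man8/${MAN8}
X
X# rc script, up/down hooks, sample configs and easy-rsa are all listed
X# unconditionally in pkg-plist, so they are installed regardless of
X# NOPORTDOCS (easy-rsa previously sat inside the docs block, which left the
X# plist inconsistent for NOPORTDOCS builds).  Only ${DOCSDIR} is optional.
Xpost-install:
X	${INSTALL_SCRIPT} ${FILESDIR}/openvpn2.sh.sample \
X		${PREFIX}/etc/rc.d/openvpn2.sh.sample
X	${MKDIR} ${PREFIX}/libexec/${PORTNAME}
X	for f in ${FILESDIR}/vpn-*; do \
X		${INSTALL_SCRIPT} $$f \
X			${PREFIX}/libexec/${PORTNAME}/`basename $$f`; \
X	done
X	${MKDIR} ${PREFIX}/etc/${PORTNAME}
X	${INSTALL_DATA} ${WRKSRC}/sample-config-files/server.conf \
X		${PREFIX}/etc/${PORTNAME}/server.conf.sample
X	${INSTALL_DATA} ${WRKSRC}/sample-config-files/client.conf \
X		${PREFIX}/etc/${PORTNAME}/client.conf.sample
X	@${RM} -rf ${WRKSRC}/easy-rsa/Windows
X	${MKDIR} ${PREFIX}/libexec/${PORTNAME}/easy-rsa
X	${INSTALL_SCRIPT} ${WRKSRC}/easy-rsa/* ${PREFIX}/libexec/${PORTNAME}/easy-rsa
X.if !defined(NOPORTDOCS)
X	@${MKDIR} ${DOCSDIR}
X.for docs in AUTHORS COPYING COPYRIGHT.GPL ChangeLog INSTALL NEWS \
X	PORTS README
X	@${INSTALL_DATA} ${WRKSRC}/${docs} ${DOCSDIR}
X.endfor
X.for dirs in sample-scripts sample-config-files
X	@${MKDIR} ${DOCSDIR}/${dirs}
X	@${INSTALL_DATA} ${WRKSRC}/${dirs}/* ${DOCSDIR}/${dirs}
X.endfor
X.endif
X	@${CAT} ${PKGMESSAGE}
X
X.include <bsd.port.mk>
END-of-/usr/ports/security/openvpn2/Makefile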
# End of shell archive.
exit
--- openvpn2_port ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: