#!/bin/sh -e ### BEGIN INIT INFO # Provides: openvpn # Required-Start: $network $remote_fs $syslog # Required-Stop: $network $remote_fs $syslog # Should-Start: network-manager # Should-Stop: network-manager # X-Start-Before: $x-display-manager gdm kdm xdm wdm ldm sdm nodm # X-Interactive: true # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Openvpn VPN service # Description: This script will start OpenVPN tunnels as specified # in /etc/default/openvpn and /etc/openvpn/*.conf ### END INIT INFO # Original version by Robert Leslie # , edited by iwj and cs # Modified for openvpn by Alberto Gonzalez Iniesta # Modified for restarting / starting / stopping single tunnels by Richard Mueller . /lib/lsb/init-functions test $DEBIAN_SCRIPT_DEBUG && set -v -x DAEMON=/usr/sbin/openvpn DESC="virtual private network daemon(s)" CONFIG_DIR=/config/openvpn test -x $DAEMON || exit 0 test -d $CONFIG_DIR || exit 0 # Source defaults file; edit that file to configure this script. AUTOSTART=$(find /config/openvpn -maxdepth 1 -name "*.ovpn" -printf "%f\n" -quit | cut -d '.' -f 1) STATUSREFRESH=10 OMIT_SENDSIGS=0 if test -e /etc/default/openvpn ; then . /etc/default/openvpn fi start_vpn () { OPENVPNLOG="/config/openvpn/$NAME.log" if grep -q '^[ ]*daemon' $CONFIG_DIR/$NAME.ovpn ; then # daemon already given in config file DAEMONARG= else # need to daemonize DAEMONARG="--daemon ovpn-$NAME" fi if grep -q '^[ ]*status ' $CONFIG_DIR/$NAME.ovpn ; then # status file already given in config file STATUSARG="" elif test $STATUSREFRESH -eq 0 ; then # default status file disabled in /etc/default/openvpn STATUSARG="" else # prepare default status file STATUSARG="--status /run/openvpn/$NAME.status $STATUSREFRESH" fi # tun using the "subnet" topology confuses the routing code that wrongly # emits ICMP redirects for client to client communications SAVED_DEFAULT_SEND_REDIRECTS=0 if grep -q '^[[:space:]]*dev[[:space:]]*tun' $CONFIG_DIR/$NAME.ovpn && \ grep -q '^[[:space:]]*topology[[:space:]]*subnet' $CONFIG_DIR/$NAME.ovpn ; then # When using "client-to-client", OpenVPN routes the traffic itself without # involving the TUN/TAP interface so no ICMP redirects are sent if ! grep -q '^[[:space:]]*client-to-client' $CONFIG_DIR/$NAME.ovpn ; then sysctl -w net.ipv4.conf.all.send_redirects=0 > /dev/null # Save the default value for send_redirects before disabling it # to make sure the tun device is created with send_redirects disabled SAVED_DEFAULT_SEND_REDIRECTS=$(sysctl -n net.ipv4.conf.default.send_redirects) if [ "$SAVED_DEFAULT_SEND_REDIRECTS" -ne 0 ]; then sysctl -w net.ipv4.conf.default.send_redirects=0 > /dev/null fi fi fi # Handle backwards compatibility script_security="" if test -z "$( grep '^[[:space:]]*script-security[[:space:]]' $CONFIG_DIR/$NAME.ovpn )" ; then script_security="--script-security 2" fi STATUS=0 start-stop-daemon --start --quiet --oknodo \ --pidfile /run/openvpn/$NAME.pid \ --exec $DAEMON -- $OPTARGS --writepid /run/openvpn/$NAME.pid \ $DAEMONARG $STATUSARG --cd $CONFIG_DIR \ --config $CONFIG_DIR/$NAME.ovpn $script_security >> $OPENVPNLOG 2>&1 < /dev/null || STATUS=1 [ "$OMIT_SENDSIGS" -ne 1 ] || ln -s /run/openvpn/$NAME.pid /run/sendsigs.omit.d/openvpn.$NAME.pid # Set the back the original default value of send_redirects if it was changed if [ "$SAVED_DEFAULT_SEND_REDIRECTS" -ne 0 ]; then sysctl -w net.ipv4.conf.default.send_redirects=$SAVED_DEFAULT_SEND_REDIRECTS > /dev/null fi } stop_vpn () { start-stop-daemon --stop --quiet --oknodo \ --pidfile $PIDFILE --exec $DAEMON --retry 10 if [ "$?" -eq 0 ]; then rm -f $PIDFILE [ "$OMIT_SENDSIGS" -ne 1 ] || rm -f /run/sendsigs.omit.d/openvpn.$NAME.pid rm -f /run/openvpn/$NAME.status 2> /dev/null log_end_msg 0 else log_failure_msg " Unable to stop VPN '$NAME'" fi } case "$1" in start) log_action_begin_msg "Starting $DESC" # first create /run directory so it's present even # when no VPN are autostarted by this script, but later # by systemd openvpn@.service mkdir -p /run/openvpn # autostart VPNs if test -z "$2" ; then # check if automatic startup is disabled by AUTOSTART=none if test "x$AUTOSTART" = "xnone" -o -z "$AUTOSTART" ; then log_warning_msg " Autostart disabled, no VPN will be started." exit 0 fi if test -z "$AUTOSTART" -o "x$AUTOSTART" = "xall" ; then # all VPNs shall be started automatically for CONFIG in `cd $CONFIG_DIR; ls *.ovpn 2> /dev/null`; do NAME=${CONFIG%%.ovpn} log_daemon_msg " Autostarting VPN '$NAME'" start_vpn done else # start only specified VPNs for NAME in $AUTOSTART ; do if test -e $CONFIG_DIR/$NAME.ovpn ; then log_daemon_msg " Autostarting VPN '$NAME'" start_vpn else log_failure_msg " Autostarting VPN '$NAME': missing $CONFIG_DIR/$NAME.ovpn file !" STATUS=1 fi done fi #start VPNs from command line else while shift ; do [ -z "$1" ] && break NAME=$1 if test -e $CONFIG_DIR/$NAME.ovpn ; then log_daemon_msg " Starting VPN '$NAME'" start_vpn else log_failure_msg " Starting VPN '$NAME': missing $CONFIG_DIR/$NAME.ovpn file !" STATUS=1 fi done fi exit ${STATUS:-0} ;; stop) log_action_begin_msg "Stopping $DESC" if test -z "$2" ; then for PIDFILE in `ls /run/openvpn/*.pid 2> /dev/null`; do NAME=`echo $PIDFILE | cut -c14-` NAME=${NAME%%.pid} log_daemon_msg " Stopping VPN '$NAME'" stop_vpn done if test -z "$PIDFILE" ; then log_warning_msg " No VPN is running." fi else while shift ; do [ -z "$1" ] && break if test -e /run/openvpn/$1.pid ; then log_daemon_msg " Stopping VPN '$1'" PIDFILE=`ls /run/openvpn/$1.pid 2> /dev/null` NAME=`echo $PIDFILE | cut -c14-` NAME=${NAME%%.pid} stop_vpn else log_failure_msg " Stopping VPN '$1': No such VPN is running." fi done fi ;; # Only 'reload' running VPNs. New ones will only start with 'start' or 'restart'. reload|force-reload) log_action_begin_msg "Reloading $DESC" for PIDFILE in `ls /run/openvpn/*.pid 2> /dev/null`; do NAME=`echo $PIDFILE | cut -c14-` NAME=${NAME%%.pid} # If openvpn if running under a different user than root we'll need to restart if egrep '^[[:blank:]]*user[[:blank:]]' $CONFIG_DIR/$NAME.ovpn > /dev/null 2>&1 ; then log_daemon_msg " Stopping VPN '$NAME'" stop_vpn log_daemon_msg " Restarting VPN '$NAME'" start_vpn else log_daemon_msg " Restarting VPN '$NAME'" kill -HUP `cat $PIDFILE` || true log_end_msg 0 fi done if test -z "$PIDFILE" ; then log_warning_msg " No VPN is running." fi ;; # Only 'soft-restart' running VPNs. New ones will only start with 'start' or 'restart'. soft-restart) log_action_begin_msg "Soft-restarting $DESC" for PIDFILE in `ls /run/openvpn/*.pid 2> /dev/null`; do NAME=`echo $PIDFILE | cut -c14-` NAME=${NAME%%.pid} log_daemon_msg " Soft-restarting VPN '$NAME'" kill -USR1 `cat $PIDFILE` || true log_end_msg 0 done if test -z "$PIDFILE" ; then log_warning_msg " No VPN is running." fi ;; restart) shift $0 stop ${@} $0 start ${@} ;; cond-restart) log_action_begin_msg "Restarting $DESC" for PIDFILE in `ls /run/openvpn/*.pid 2> /dev/null`; do NAME=`echo $PIDFILE | cut -c14-` NAME=${NAME%%.pid} log_daemon_msg " Stopping VPN '$NAME'" stop_vpn log_daemon_msg " Restarting VPN '$NAME'" start_vpn done if test -z "$PIDFILE" ; then log_warning_msg " No VPN is running." fi ;; status) GLOBAL_STATUS=0 if test -z "$2" ; then # We want status for all defined VPNs. # Returns success if all autostarted VPNs are defined and running if test "x$AUTOSTART" = "xnone" ; then # Consider it a failure if AUTOSTART=none log_warning_msg "No VPN autostarted" GLOBAL_STATUS=1 else if ! test -z "$AUTOSTART" -o "x$AUTOSTART" = "xall" ; then # Consider it a failure if one of the autostarted VPN is not defined for VPN in $AUTOSTART ; do if ! test -f $CONFIG_DIR/$VPN.conf ; then log_warning_msg "VPN '$VPN' is in AUTOSTART but is not defined" GLOBAL_STATUS=1 fi done fi fi for CONFIG in `cd $CONFIG_DIR; ls *.conf 2> /dev/null`; do NAME=${CONFIG%%.conf} # Is it an autostarted VPN ? if test -z "$AUTOSTART" -o "x$AUTOSTART" = "xall" ; then AUTOVPN=1 else if test "x$AUTOSTART" = "xnone" ; then AUTOVPN=0 else AUTOVPN=0 for VPN in $AUTOSTART; do if test "x$VPN" = "x$NAME" ; then AUTOVPN=1 fi done fi fi if test "x$AUTOVPN" = "x1" ; then # If it is autostarted, then it contributes to global status status_of_proc -p /run/openvpn/${NAME}.pid openvpn "VPN '${NAME}'" || GLOBAL_STATUS=1 else status_of_proc -p /run/openvpn/${NAME}.pid openvpn "VPN '${NAME}' (non autostarted)" || true fi done else # We just want status for specified VPNs. # Returns success if all specified VPNs are defined and running while shift ; do [ -z "$1" ] && break NAME=$1 if test -e $CONFIG_DIR/$NAME.ovpn ; then # Config exists status_of_proc -p /run/openvpn/${NAME}.pid openvpn "VPN '${NAME}'" || GLOBAL_STATUS=1 else # Config does not exist log_warning_msg "VPN '$NAME': missing $CONFIG_DIR/$NAME.ovpn file !" GLOBAL_STATUS=1 fi done fi exit $GLOBAL_STATUS ;; *) echo "Usage: $0 {start|stop|reload|restart|force-reload|cond-restart|soft-restart|status}" >&2 exit 1 ;; esac exit 0 # vim:set ai sts=2 sw=2 tw=0: