OpenVPN: Add start of static routes in client N2N

Message ID 20201111181225.26237-1-erik.kapfer@ipfire.org
State Accepted
Commit 1c612d9e326a477bb1cbad719702c51c35f11d62
Series OpenVPN: Add start of static routes in client N2N

Commit Message

Erik Kapfer Nov. 11, 2020, 6:12 p.m. UTC
  Fixes: #12529

- If a client N2N configuration will be imported into IPFire systems,
a line will be added which calls the --up script to restart the
static route initscript. Since this is IPFire specific, it will only be
added via import on an IPFire system.
- Deleted unneeded line in CLIENTCONF section.
- Added description to SERVERCONF section.

Signed-off-by: ummeegge <erik.kapfer@ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
  

Comments

ummeegge Nov. 26, 2020, 11:13 a.m. UTC | #1
Hi all,
during some testing with N2N ciphers, I recognized a strange behavior
with this patch, the 'up /etc/init.d/static-routes start' command, but
only with client connections. The complete network went down while
starting the connection and nothing was reachable anymore. The last
line in messages was

Nov 25 23:53:21 ipfire-prime testcryptn2n[12261]: /etc/init.d/static-routes start tun1 1500 1573 10.123.123.2 10.123.123.1 init

and from there on the screen freezes. The WUI was not reachable anymore
and SSH delivers a

ssh: connect to host 192.168.123.1 port 222: No route to host

I have had no problems with the N2N TLS-Server which starts without
problems but the N2N TLS-Client crashed, even if no static route has
been defined, the whole network/routing.

I am not sure what causes this but I would strongly recommend reverting
this patch from origin/next!!!

Maybe someone else can check this patch too?

Best regards,

Erik


On Wednesday, 11.11.2020, at 18:12 +0000, ummeegge wrote:
> Fixes: #12529
> 
> - If a client N2N configuration will be imported into IPFire systems,
> a line will be added which calls the --up script to restart the
> static route initscript. Since this is IPFire specific, it will only be
> added via import on an IPFire system.
> - Deleted unneeded line in CLIENTCONF section.
> - Added description to SERVERCONF section.
> 
> Signed-off-by: ummeegge <erik.kapfer@ipfire.org>
> ---
>  html/cgi-bin/ovpnmain.cgi | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> index 8626a94ca..44cb48996 100644
> --- a/html/cgi-bin/ovpnmain.cgi
> +++ b/html/cgi-bin/ovpnmain.cgi
> @@ -953,6 +953,7 @@ unless(-d
> "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir
> "${General
>    print SERVERCONF "ifconfig $ovsubnet.1 $ovsubnet.2\n"; 
>    print SERVERCONF "# Client Gateway Network\n"; 
>    print SERVERCONF "route $remsubnet[0] $remsubnet[1]\n";
> +  print SERVERCONF "# Call up script for static routes\n";
>    print SERVERCONF "up \"/etc/init.d/static-routes start\"\n";
>    print SERVERCONF "# tun Device\n"; 
>    print SERVERCONF "dev tun\n"; 
> @@ -1052,7 +1053,6 @@ unless(-d
> "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir
> "${General
>    print CLIENTCONF "ifconfig $ovsubnet.2 $ovsubnet.1\n"; 
>    print CLIENTCONF "# Server Gateway Network\n"; 
>    print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n"; 
> -  print CLIENTCONF "up \"/etc/init.d/static-routes start\"\n";
>    print CLIENTCONF "# tun Device\n"; 
>    print CLIENTCONF "dev tun\n"; 
>    print CLIENTCONF "#Logfile for statistics\n";
> @@ -3333,6 +3333,12 @@ END
>         print FILE "status /var/run/openvpn/$n2nname[0]-n2n 10\n";
>         close FILE;
>  
> +       # Add static route command to client configuration
> +       open(FILE, ">> $tempdir/$uplconffilename") or die 'Unable to
> open config file.';
> +       print FILE "# Call up script for static routes\n";
> +       print FILE "up \"/etc/init.d/static-routes start\"\n";
> +       close FILE;
> +
>         move("$tempdir/$uplconffilename",
> "${General::swroot}/ovpn/n2nconf/$n2nname[0]/$uplconffilename2");
>  
>         if ($? ne 0) {
  
Michael Tremer Dec. 1, 2020, 4:32 p.m. UTC | #2
Hi,

interesting. We should have seen this before then because this parameter was added to the configuration file ages ago.

Is there a chance that OpenVPN has changed the parameters those scripts are called with?

No matter what, we will need a wrapper script that will accept all those parameters, probably not care much about them and then call /etc/init.d/static-routes.

I will revert the patch for now then, so that we have some time to work on a solution.

Best,
-Michael

> On 26 Nov 2020, at 11:13, ummeegge <ummeegge@ipfire.org> wrote:
> 
> Hi all,
> during some testing with N2N ciphers, I recognized a strange behavior
> with this patch, the 'up /etc/init.d/static-routes start' command, but
> only with client connections. The complete network went down while
> starting the connection and nothing was reachable anymore. The last
> line in messages was
> 
> Nov 25 23:53:21 ipfire-prime testcryptn2n[12261]: /etc/init.d/static-routes start tun1 1500 1573 10.123.123.2 10.123.123.1 init
> 
> and from there on the screen freezes. The WUI was not reachable anymore
> and SSH delivers a
> 
> ssh: connect to host 192.168.123.1 port 222: No route to host
> 
> I have had no problems with the N2N TLS-Server which starts without
> problems but the N2N TLS-Client crashed, even if no static route has
> been defined, the whole network/routing.
> 
> I am not sure what causes this but I would strongly recommend reverting
> this patch from origin/next!!!
> 
> Maybe someone else can check this patch too?
> 
> Best regards,
> 
> Erik
> 
> 
> On Wednesday, 11.11.2020, at 18:12 +0000, ummeegge wrote:
>> Fixes: #12529
>> 
>> - If a client N2N configuration will be imported into IPFire systems,
>> a line will be added which calls the --up script to restart the
>> static route initscript. Since this is IPFire specific, it will only be
>> added via import on an IPFire system.
>> - Deleted unneeded line in CLIENTCONF section.
>> - Added description to SERVERCONF section.
>> 
>> Signed-off-by: ummeegge <erik.kapfer@ipfire.org>
>> ---
>>  html/cgi-bin/ovpnmain.cgi | 8 +++++++-
>>  1 file changed, 7 insertions(+), 1 deletion(-)
>> 
>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
>> index 8626a94ca..44cb48996 100644
>> --- a/html/cgi-bin/ovpnmain.cgi
>> +++ b/html/cgi-bin/ovpnmain.cgi
>> @@ -953,6 +953,7 @@ unless(-d
>> "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir
>> "${General
>>    print SERVERCONF "ifconfig $ovsubnet.1 $ovsubnet.2\n"; 
>>    print SERVERCONF "# Client Gateway Network\n"; 
>>    print SERVERCONF "route $remsubnet[0] $remsubnet[1]\n";
>> +  print SERVERCONF "# Call up script for static routes\n";
>>    print SERVERCONF "up \"/etc/init.d/static-routes start\"\n";
>>    print SERVERCONF "# tun Device\n"; 
>>    print SERVERCONF "dev tun\n"; 
>> @@ -1052,7 +1053,6 @@ unless(-d
>> "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir
>> "${General
>>    print CLIENTCONF "ifconfig $ovsubnet.2 $ovsubnet.1\n"; 
>>    print CLIENTCONF "# Server Gateway Network\n"; 
>>    print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n"; 
>> -  print CLIENTCONF "up \"/etc/init.d/static-routes start\"\n";
>>    print CLIENTCONF "# tun Device\n"; 
>>    print CLIENTCONF "dev tun\n"; 
>>    print CLIENTCONF "#Logfile for statistics\n";
>> @@ -3333,6 +3333,12 @@ END
>>         print FILE "status /var/run/openvpn/$n2nname[0]-n2n 10\n";
>>         close FILE;
>>  
>> +       # Add static route command to client configuration
>> +       open(FILE, ">> $tempdir/$uplconffilename") or die 'Unable to
>> open config file.';
>> +       print FILE "# Call up script for static routes\n";
>> +       print FILE "up \"/etc/init.d/static-routes start\"\n";
>> +       close FILE;
>> +
>>         move("$tempdir/$uplconffilename",
>> "${General::swroot}/ovpn/n2nconf/$n2nname[0]/$uplconffilename2");
>>  
>>         if ($? ne 0) {
> 
>
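
One way to write the wrapper proposed in comment #2, given here as an added example that is not IPFire's or either poster's code. The function names `ovpn_up` and `is_ipv4` and the `STATIC_ROUTES` override are assumptions; the argument order is the one OpenVPN documents for `--up` on a tun device and matches the log line quoted in comment #1.

```sh
#!/bin/sh
# Added example, not IPFire code: a wrapper for OpenVPN's "up" directive.
# OpenVPN appends its own arguments to the configured command; for a tun
# device they are: tun_dev tun_mtu link_mtu local_ip remote_ip init|restart
# (compare the log line quoted in the thread).

# Initscript from the patch; overridable so the wrapper can be tested.
STATIC_ROUTES="${STATIC_ROUTES:-/etc/init.d/static-routes}"

is_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

ovpn_up() {
    [ "$#" -eq 6 ] || { echo "up: expected 6 arguments, got $#" >&2; return 2; }
    case "$1" in
        tun|tun*[!0-9]*) echo "up: bad device '$1'" >&2; return 2 ;;
        tun*) ;;
        *) echo "up: bad device '$1'" >&2; return 2 ;;
    esac
    for mtu in "$2" "$3"; do
        case "$mtu" in ""|*[!0-9]*) echo "up: bad MTU" >&2; return 2 ;; esac
    done
    is_ipv4 "$4" && is_ipv4 "$5" || { echo "up: bad tunnel address" >&2; return 2; }
    case "$6" in init|restart) ;; *) echo "up: bad phase '$6'" >&2; return 2 ;; esac

    # The tunnel parameters stop here; the initscript only sees its action.
    "$STATIC_ROUTES" start
}

# Run only when OpenVPN (or a caller) supplies arguments; with none, the
# file just defines the functions.
[ "$#" -eq 0 ] || ovpn_up "$@"
```

The generated configuration would then name the wrapper in its `up` line instead of the initscript, so that `static-routes` is always invoked with `start` alone.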
  

Patch

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 8626a94ca..44cb48996 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -953,6 +953,7 @@  unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
   print SERVERCONF "ifconfig $ovsubnet.1 $ovsubnet.2\n"; 
   print SERVERCONF "# Client Gateway Network\n"; 
   print SERVERCONF "route $remsubnet[0] $remsubnet[1]\n";
+  print SERVERCONF "# Call up script for static routes\n";
   print SERVERCONF "up \"/etc/init.d/static-routes start\"\n";
   print SERVERCONF "# tun Device\n"; 
   print SERVERCONF "dev tun\n"; 
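Review bot: The comment added above the `up` line only restates the directive. It should say why the static-routes initscript is re-run when the tunnel comes up, and note that OpenVPN appends its own arguments after `start` (the log line in the thread shows `start tun1 1500 1573 10.123.123.2 10.123.123.1 init`), so that a reader of the generated server config knows the initscript receives more than the one argument written here.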
@@ -1052,7 +1053,6 @@  unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
   print CLIENTCONF "ifconfig $ovsubnet.2 $ovsubnet.1\n"; 
   print CLIENTCONF "# Server Gateway Network\n"; 
   print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n"; 
-  print CLIENTCONF "up \"/etc/init.d/static-routes start\"\n";
   print CLIENTCONF "# tun Device\n"; 
   print CLIENTCONF "dev tun\n"; 
   print CLIENTCONF "#Logfile for statistics\n";
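Review bot: Removing the `up` line from CLIENTCONF makes every generated client config depend on the import code at line 3333 to put it back, and nothing in this hunk says so. The commit message calls the line unneeded, but the third hunk re-adds the identical directive, so it has been moved rather than dropped; a short comment at this spot pointing to the import path would keep the two places in sync. Client packages exported before this change still contain the line.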
@@ -3333,6 +3333,12 @@  END
 	print FILE "status /var/run/openvpn/$n2nname[0]-n2n 10\n";
 	close FILE;
 
+	# Add static route command to client configuration
+	open(FILE, ">> $tempdir/$uplconffilename") or die 'Unable to open config file.';
+	print FILE "# Call up script for static routes\n";
+	print FILE "up \"/etc/init.d/static-routes start\"\n";
+	close FILE;
+
 	move("$tempdir/$uplconffilename", "${General::swroot}/ovpn/n2nconf/$n2nname[0]/$uplconffilename2");
 
 	if ($? ne 0) {
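Review bot: The append in the added block is unconditional, so importing a client config that was exported before this change, which still carries the `up` line removed from CLIENTCONF in the previous hunk, leaves the directive in the file twice; check the uploaded file for an existing `up` line before appending. The call `open(FILE, ">> $tempdir/$uplconffilename")` also interpolates the file name into a two-argument open with a bareword handle; the three-argument form with a lexical handle, `open(my $fh, '>>', "$tempdir/$uplconffilename")`, keeps the name from being parsed together with the mode, and the `die` message should include `$!`. The appended directive calls the initscript directly, and per the log in the thread it is then invoked with OpenVPN's tunnel arguments after `start`.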