From patchwork Wed Feb 5 11:24:24 2020
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 2752
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 1/2] ipsec: Add script to ensure VPNs are always on
Date: Wed, 5 Feb 2020 11:24:24 +0000
Message-Id: <20200205112425.20108-1-michael.tremer@ipfire.org>
Cc: Michael Tremer

With an IPFire box behind NAT it is difficult to keep an IPsec VPN up all of the time. On-demand mode does not work when one side cannot initiate the connection.

This patch adds a script which will check every 5 minutes, or when RED comes up, if all VPNs are up and launch those which are not. This should ensure that we are constantly attempting to establish the connection.

Additionally, this patch changes "always-on" VPNs so that they will be "routed" like "on-demand" connections. When we see traffic, we will now automatically try to bring up the tunnel.

Signed-off-by: Michael Tremer
--- config/cron/crontab | 3 ++ config/rootfiles/common/aarch64/stage2 | 1 + config/rootfiles/common/stage2 | 1 + config/rootfiles/common/x86_64/stage2 | 1 + html/cgi-bin/vpnmain.cgi | 10 ++++-- src/misc-progs/ipsecctrl.c | 1 + src/scripts/ipsec-always-on | 65 ++++++++++++++++++++++++++++++++++ 7 files changed, 79 insertions(+), 3 deletions(-) create mode 100644 src/scripts/ipsec-always-on diff --git a/config/cron/crontab b/config/cron/crontab index 56801394e..46cbe6ece 100644 --- a/config/cron/crontab +++ b/config/cron/crontab
@@ -30,6 +30,9 @@ HOME=/ # Update dynamic DNS records every five minutes. */5 * * * * [ -f "/var/ipfire/red/active" ] && /usr/bin/ddns update-all +# Make sure VPNs are up +*/5 * * * * /usr/local/bin/ipsec-always-on + # Logwatch 05 0 * * * /usr/local/bin/logwatch > /var/log/logwatch/`date -I -d yesterday`; \ LOGWATCH_KEEP=$(sed -ne 's/^LOGWATCH_KEEP=\([0-9]\+\)$/\1/p' /var/ipfire/logging/settings); \ diff --git a/config/rootfiles/common/aarch64/stage2 b/config/rootfiles/common/aarch64/stage2 index f4169a44e..eda34f743 100644 --- a/config/rootfiles/common/aarch64/stage2 +++ b/config/rootfiles/common/aarch64/stage2 @@ -95,6 +95,7 @@ usr/local/bin/convert-dns-settings usr/local/bin/convert-ovpn usr/local/bin/filesystem-cleanup usr/local/bin/hddshutdown +usr/local/bin/ipsec-always-on usr/local/bin/ipsec-interfaces usr/local/bin/makegraphs usr/local/bin/qosd diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2 index fca540431..cc0e1dea5 100644 --- a/config/rootfiles/common/stage2 +++ b/config/rootfiles/common/stage2 @@ -94,6 +94,7 @@ usr/local/bin/convert-dns-settings usr/local/bin/convert-ovpn usr/local/bin/filesystem-cleanup usr/local/bin/hddshutdown +usr/local/bin/ipsec-always-on usr/local/bin/ipsec-interfaces usr/local/bin/makegraphs usr/local/bin/qosd diff --git a/config/rootfiles/common/x86_64/stage2 b/config/rootfiles/common/x86_64/stage2 index cc67837e5..28a99ceec 100644 --- a/config/rootfiles/common/x86_64/stage2 +++ b/config/rootfiles/common/x86_64/stage2 @@ -96,6 +96,7 @@ usr/local/bin/convert-dns-settings usr/local/bin/convert-ovpn usr/local/bin/filesystem-cleanup usr/local/bin/hddshutdown +usr/local/bin/ipsec-always-on usr/local/bin/ipsec-interfaces usr/local/bin/makegraphs usr/local/bin/qosd diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 43cdc5aa0..b3cd3e51e 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi 
@@ -453,7 +453,7 @@ sub writeipsecfiles { my $start_action = $lconfighash{$key}[33]; if (!$start_action) { - $start_action = "start"; + $start_action = "route"; } my $inactivity_timeout = $lconfighash{$key}[34]; @@ -466,13 +466,17 @@ sub writeipsecfiles { print CONF "\tauto=add\n"; print CONF "\trightsourceip=$lvpnsettings{'RW_NET'}\n"; } else { - print CONF "\tauto=$start_action\n"; - # If in on-demand mode, we terminate the tunnel # after 15 min of no traffic if ($start_action eq 'route' && $inactivity_timeout > 0) { print CONF "\tinactivity=$inactivity_timeout\n"; } + + # Always route connections so that we have the triggers + if ($start_action eq "start") { + $start_action = "route"; + } + print CONF "\tauto=$start_action\n"; } # Fragmentation diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c index 2a64775f0..54e3b3410 100644 --- a/src/misc-progs/ipsecctrl.c +++ b/src/misc-progs/ipsecctrl.c @@ -216,6 +216,7 @@ int main(int argc, char *argv[]) { safe_system("/usr/lib/firewall/ipsec-policy >/dev/null"); safe_system("/usr/local/bin/ipsec-interfaces >/dev/null"); safe_system("/usr/sbin/ipsec restart >/dev/null"); + safe_system("/usr/local/bin/ipsec-always-on >/dev/null"); exit(0); } diff --git a/src/scripts/ipsec-always-on b/src/scripts/ipsec-always-on new file mode 100644 index 000000000..34cae169d --- /dev/null +++ b/src/scripts/ipsec-always-on 
@@ -0,0 +1,65 @@ +#!/bin/bash +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2020 IPFire Team # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +VPN_CONFIG="/var/ipfire/vpn/config" + +VARS=( + id status name lefthost type ctype psk local local_id leftsubnets + remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 + x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22 + route x23 mode interface_mode interface_address interface_mtu rest +) + +# Load IPsec configuration +eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings) + +log() { + logger -t ipsec "$@" +} + +main() { + # Do nothing if IPsec is disabled + if [ "${ENABLED}" != "on" ]; then + return 0 + fi + + # Do nothing if we are not online + if [ ! -e "/var/ipfire/red/active" ]; then + return 0 + fi + + local "${VARS[@]}" + while IFS="," read -r "${VARS[@]}"; do + # Skip disabled connections + [ "${status}" = "on" ] || continue + + # Skip all connections that are not in always-on mode + [ "${route}" = "start" ] || continue + + # If the connection is not up, try bringing it up + if ! ipsec status "${name}" | grep -q "INSTALLED"; then + log "Trying to start ${name}..." 
+ ipsec stroke up-nb "${name}" &>/dev/null + fi + done < "${VPN_CONFIG}" +} + +main "$@" || exit $?

From patchwork Wed Feb 5 11:24:25 2020
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 2753
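Review bot: for the crontab hunk, nothing serialises the new `*/5 * * * * /usr/local/bin/ipsec-always-on` entry against the call added in ipsecctrl.c or against a previous cron run that has not finished, and the script itself takes no lock, so two instances can each issue `ipsec stroke up-nb` for the same connection within seconds of each other. Running the entry under `flock -n` on a lock file (for example under /run), or taking the lock inside the script, would keep the runs from overlapping. The `[ -f "/var/ipfire/red/active" ] &&` guard used on the ddns line above is not needed here, since the script checks the same file itself.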
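Review bot: the three stage2 rootfile hunks ship usr/local/bin/ipsec-always-on, but the script enters the tree as `create mode 100644`, i.e. without the execute bit, and both new callers (the crontab entry and `safe_system("/usr/local/bin/ipsecalways-on >/dev/null")` in ipsecctrl.c) run it by path rather than through an interpreter. Unless the stage2 install step sets the mode, the file should be committed as 100755 or the install step should chmod it; otherwise every invocation fails with permission denied and the connections are never retried.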
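Review bot: in the first vpnmain.cgi hunk, changing the fallback from `$start_action = "start"` to `$start_action = "route"` is a behaviour change for every existing connection whose field 33 is empty: those connections used to get `auto=start` and are now on-demand only, and because ipsec-always-on skips everything whose `route` field is not exactly "start", they are also outside the new retry loop. If that is intended it deserves a sentence in the commit message; otherwise keep the old default and let only the explicit "start" case be mapped in the second hunk.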
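Review bot: in the second vpnmain.cgi hunk the order of the two blocks is load-bearing and the comment `# Always route connections so that we have the triggers` does not say so: the `inactivity=` line is written only while `$start_action` still holds the user's choice, so always-on connections are rewritten to `auto=route` without an inactivity timeout and are not torn down after 15 minutes of silence, while genuine on-demand ones keep it. State that in the comment, or test the original value explicitly, because a later reorder of these lines would silently give always-on tunnels an idle timeout.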
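Review bot: in the ipsecctrl.c hunk, `safe_system("/usr/local/bin/ipsec-always-on >/dev/null")` runs straight after `ipsec restart`, before charon has necessarily finished starting and loading the connections, so `ipsec status "${name}"` in the script may see no SA at all and `stroke up-nb` may be issued for a connection that is not loaded yet; any failure is discarded by `&>/dev/null`, so the first effective attempt is the cron run up to five minutes later. Either poll `ipsec status` until charon answers before running the script, or accept the delay and say so in the commit message.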
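Review bot: in the ipsec-always-on hunk, `ipsec status "${name}" | grep -q "INSTALLED"` treats a connection that is still negotiating (CONNECTING, an ESTABLISHED IKE_SA whose CHILD_SA is still INSTALLING, or a CHILD_SA briefly in REKEYING) as down, so every run issues another `ipsec stroke up-nb` for it on top of charon's own retries from `keyingtries=%forever` in `conn %default` (visible in the context of patch 2); against an unreachable peer this adds a fresh initiation every five minutes. Check for an existing IKE_SA or a CONNECTING state before initiating again, and consider logging the outcome instead of discarding it with `&>/dev/null`. Two smaller points: `eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)` evaluates the settings file's contents as shell, which is fine while only the web UI writes that file but deserves a comment, and the `x3` to `x23` placeholder names in VARS would read better with the real column names of the vpn config format.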
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 2/2] ipsec: Silence charon
Date: Wed, 5 Feb 2020 11:24:25 +0000
Message-Id: <20200205112425.20108-2-michael.tremer@ipfire.org>
In-Reply-To: <20200205112425.20108-1-michael.tremer@ipfire.org>
References: <20200205112425.20108-1-michael.tremer@ipfire.org>
Cc: Michael Tremer

Charon has some verbose logging enabled by default. This clutters the logs a lot.

This patch disables debug logging but still lets charon log important messages like tunnels that are going up or down.
Signed-off-by: Michael Tremer --- html/cgi-bin/vpnmain.cgi | 3 +++ 1 file changed, 3 insertions(+) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index b3cd3e51e..d2bc70a27 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -266,6 +266,9 @@ sub writeipsecfiles { flock CONF, 2; flock SECRETS, 2; print CONF "version 2\n\n"; + print CONF "config setup\n"; + print CONF "\tcharondebug=\"dmn 0, mgr 0, ike 0, chd 0, job 0, cfg 0, knl 0, net 0, asn 0, enc 0, lib 0, esp 0, tls 0, tnc 0, imc 0, imv 0, pts 0\"\n"; + print CONF "\n"; print CONF "conn %default\n"; print CONF "\tkeyingtries=%forever\n"; print CONF "\n";
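Review bot: `charondebug="dmn 0, mgr 0, ike 0, chd 0, job 0, cfg 0, knl 0, net 0, ..."` pins every subsystem to level 0, which in strongSwan is the audit-only level (SA up/down); the error diagnostics an operator needs when a tunnel will not come up or an unknown peer is trying to connect, such as authentication failures, "no matching peer config", proposal mismatches and kernel policy errors, are logged at level 1 and disappear with this setting. Since the preceding patch relies on the log to show why ipsec-always-on keeps retrying, keep `ike 1, cfg 1, knl 1` (strongSwan's default level) and lower only the noisy subsystems (`net`, `enc`, `job`, `mgr`, `lib`), or make the level configurable from vpnmain.cgi rather than hard-coding it in `config setup`.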