Imported Debian patch 2.2.1-1

parent 349cfa7a
openvpn (2.1~rc15-1) unstable; urgency=low
* The openvpn utility changed its handling of pkcs11 certificates when it
switched from built-in code to the pkcs11-helper library (package
libpkcs11-helper1 on Debian). This means that you will have to update your
openvpn configuration files if you are using such certificates. For
example, a stanza in a configuration file might previously have referred to
a given pkcs11 certificate like this:
pkcs11-providers /usr/lib/opensc-pkcs11.so
pkcs11-slot-type id
pkcs11-slot 0
pkcs11-id-type label
pkcs11-id "YOUR_LABEL"
This stanza has to be rewritten now in the following way:
pkcs11-providers /usr/lib/opensc-pkcs11.so
pkcs11-id 'YOUR_PKCS11_SERIALIZED_ID'
The pkcs11-slot, pkcs11-slot-type and pkcs11-id-type options are obsolete;
a long ID string that is unique for each certificate is now used as the
only identifier. Note that YOUR_PKCS11_SERIALIZED_ID will almost
certainly be different from YOUR_LABEL that you used previously with the
pkcs11-id option. To find out the correct serialized ID(s) for your
certificate(s), you have to query the pkcs11-provider library:
$ openvpn --show-pkcs11-ids /usr/lib/opensc-pkcs11.so
The following objects are available for use.
Each object shown below may be used as parameter to --pkcs11-id option
please remember to use single quote mark.
Certificate
DN: /CN=YOUR_USER
Serial: SERIAL_NUMBER
Serialized id: YOUR_PKCS11_SERIALIZED_ID
You have to paste YOUR_PKCS11_SERIALIZED_ID as seen in this output into
your openvpn configuration file and make sure that the string is enclosed
in single quotation marks.
The example above assumes that your cryptographic token can be accessed
via the opensc-pkcs11.so library from libopensc2. If you have to use
another library, for example a proprietary driver from the vendor of your
token, then you have to adapt both the stanza in the configuration file
and the path given on the command line accordingly.
Florian Kulzer
-- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 30 Apr 2009 12:35:05 +0200
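As an added example (not part of the Debian package or of upstream OpenVPN), the following Python script parses the `openvpn --show-pkcs11-ids` output format shown in the entry above and rewrites an old-style stanza into the new single-quoted `pkcs11-id` form. The sample output, the serialized id and the selection of the certificate by its CN are constructed assumptions of this example.

```python
"""Migrate an OpenVPN pkcs11 stanza from the pre-2.1~rc15 form to the
serialized-id form described in the NEWS entry. Added example, not part of
the Debian package; sample output and ids below are constructed placeholders."""

OBSOLETE = {"pkcs11-slot", "pkcs11-slot-type", "pkcs11-id-type"}

def parse_show_pkcs11_ids(output):
    """Parse the text printed by `openvpn --show-pkcs11-ids <provider>` into
    a list of {'dn', 'serial', 'id'} dicts, one per Certificate block."""
    certs, cur = [], None
    for line in output.splitlines():
        line = line.strip()
        if line == "Certificate":
            cur = {}
            certs.append(cur)
        elif cur is not None and ":" in line:
            key, _, value = line.partition(":")
            key = key.strip().lower()
            if key in ("dn", "serial"):
                cur[key] = value.strip()
            elif key == "serialized id":
                cur["id"] = value.strip()
    return certs

def migrate_config(conf_text, certs, cn):
    """Drop the obsolete slot/id-type options and replace pkcs11-id with the
    single-quoted serialized id of the certificate whose DN has CN=<cn>.
    Selecting by CN is an assumption of this example; exactly one must match."""
    matches = [c for c in certs if f"CN={cn}" in c.get("dn", "").split("/") and "id" in c]
    if len(matches) != 1:
        raise ValueError(f"expected one certificate for CN={cn}, found {len(matches)}")
    new_id = matches[0]["id"]
    if "'" in new_id:  # the config line must be single-quoted (see NEWS)
        raise ValueError("serialized id contains a single quote")
    out = []
    for line in conf_text.splitlines():
        parts = line.split()
        option = parts[0] if parts else ""
        if option in OBSOLETE:
            continue  # no longer understood by openvpn
        out.append(f"pkcs11-id '{new_id}'" if option == "pkcs11-id" else line)
    return "\n".join(out) + "\n"

# Constructed sample of the --show-pkcs11-ids output format shown in the NEWS entry.
SAMPLE_OUTPUT = """The following objects are available for use.
Each object shown below may be used as parameter to --pkcs11-id option
please remember to use single quote mark.

Certificate
       DN:             /CN=alice
       Serial:         01
       Serialized id:  PLACEHOLDER_SERIALIZED_ID_ALICE
"""
# Constructed old-style stanza, as in the NEWS entry.
OLD_CONF = """client
pkcs11-providers /usr/lib/opensc-pkcs11.so
pkcs11-slot-type id
pkcs11-slot 0
pkcs11-id-type label
pkcs11-id "alice-cert"
"""
```

Feed it the real command output and your own .conf text; it refuses to rewrite when the CN is ambiguous, so you never end up with a stanza pointing at the wrong token object.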
openvpn (2.1~rc9-3) unstable; urgency=low
* Calling of external commands/scripts
Starting with version 2.1~rc9, openvpn has a new option to control the
ability to execute external commands (--script-security).
By default (script-security 1) it will only allow the execution of
built-in commands (ip, ifconfig, route,...). If you require the execution
of external commands, such as /etc/openvpn/update-resolv-conf, you'll have
to include the following option in your configuration file:
script-security 2
-- Alberto Gonzalez Iniesta <agi@inittab.org> Sat, 16 Aug 2008 13:34:24 +0200
In this file:
- 'writepid' option warning
- Multiple tunnels
- Starting or stopping multiple tunnels with a single command
- Compatibility notes on 2.x vs 1.x
- Changes in string remapping (affects tls-remote certificate names)
- plugin support
- Using resolvconf
- Out of memory issues
- LDAP+TLS authentication runs into file exhaustion
- Possible consequences of the 'chroot' option
openvpn for Debian
------------------
Documentation to get OpenVPN to work is mostly on the openvpn(8) man page.
You'll find example configuration files and additional docs in the
/usr/share/doc/openvpn/examples directory.
OpenVPN requires TUN/TAP driver support in the kernel. You'll also need a
tun device file. If it's not present on your system, you may create one
with these commands (as root):
# mkdir /dev/net
# mknod /dev/net/tun c 10 200
'writepid' option warning
-------------------------
Don't specify a 'writepid' option in the .conf files, or the init.d
script won't be able to stop/reload the tunnels.
Multiple tunnels
----------------
When OpenVPN is started by /etc/init.d/openvpn the default is to start
a separate openvpn daemon for each .conf configuration file in the
/etc/openvpn directory. The /etc/default/openvpn file may be used to
alter this behavior.
[UPDATE: with OpenVPN 2.0 one openvpn daemon can serve multiple clients. That
way multiple instances of openvpn are no longer required to achieve this, and
one configuration file should be enough for these cases. Take a look at the
'Multi-Client Server options' on the man page]
Be sure that each .conf file defines a different local port
number with the "port" or "lport" options; see the openvpn
man page for more information.
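The NEWS entry on script-security, the 'writepid' warning and the port-uniqueness note above are all checks a packager can run mechanically. The following Python linter is an added example, not part of the Debian package; the option list of script-running commands and the sample configs are constructed for it.

```python
"""Lint OpenVPN .conf files for the pitfalls this README documents: 'writepid'
(breaks init.d stop/reload), external scripts without 'script-security 2', and
two tunnels sharing a local port. Added example, not part of the Debian package."""

# OpenVPN options whose argument is an external command or script.
SCRIPT_OPTIONS = {"up", "down", "route-up", "ipchange", "client-connect",
                  "client-disconnect", "auth-user-pass-verify",
                  "learn-address", "tls-verify"}
DEFAULT_PORT = "1194"  # OpenVPN's default when neither port nor lport is set

def parse_options(text):
    """Return [(option, argument_string)] for every non-comment line."""
    opts = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            parts = line.split(None, 1)
            opts.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return opts

def lint_configs(configs):
    """configs maps tunnel name -> config text; returns a list of findings."""
    findings, ports = [], {}
    for name, text in sorted(configs.items()):
        opts = parse_options(text)
        names = [o for o, _ in opts]
        if "writepid" in names:
            findings.append(f"{name}: 'writepid' set; the init.d script "
                            "cannot stop/reload this tunnel")
        level = 1  # default level, as stated in the NEWS entry
        for o, arg in opts:
            if o == "script-security" and arg.split():
                level = int(arg.split()[0])
        scripts = sorted(o for o in names if o in SCRIPT_OPTIONS)
        if scripts and level < 2:
            findings.append(f"{name}: {', '.join(scripts)} call external "
                            f"commands but script-security is {level}")
        if "nobind" in names:  # client binds no local port at all
            continue
        port = DEFAULT_PORT
        for o, arg in opts:
            if o in ("port", "lport") and arg.split():
                port = arg.split()[0]
        ports.setdefault(port, []).append(name)
    for port, users in sorted(ports.items()):
        if len(users) > 1:
            findings.append(f"port {port} is used by {', '.join(users)}; "
                            "give each tunnel a distinct 'port' or 'lport'")
    return findings

SAMPLE_CONFIGS = {  # constructed for this example
    "office": "dev tun\nport 1194\nup /etc/openvpn/update-resolv-conf\n"
              "down /etc/openvpn/update-resolv-conf\n",
    "home": "dev tun\nscript-security 2\nup /etc/openvpn/update-resolv-conf\n"
            "writepid /var/run/home.pid\n",
    "lab": "dev tap\nnobind\nremote vpn.example.invalid 1194\n",
}
```

To run it against a live system, read each /etc/openvpn/*.conf into the dict keyed by its basename without the .conf suffix, the same naming the init.d script uses.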
Starting or stopping multiple tunnels with a single command
-----------------------------------------------------------
It is now possible to specify multiple tunnel names to the init.d script.
Just put the names after the action (start|stop), like this:
/etc/init.d/openvpn start vpn1 vpn4 vpn5
/etc/network/interfaces
-----------------------
/etc/network/interfaces can be configured to start and stop openvpn when the
underlying network interface is brought up and down. To do so add a line such
as "openvpn vpn1" to the stanza for the underlying network interface, where
"vpn1" is the name of the vpn to start and stop.
It is possible to control vpn interfaces using the standard ifup/ifdown
commands. This is helpful in case you want tunnels to be started right
after physical networks, so any network filesystems listed in fstab can be
mounted during the standard boot sequence. In order to do this several
steps need to be taken:
- Select a specific tun/tap device name using the 'dev' option in your
config file (e.g. dev tun_work). This will ensure that the name you
use in /etc/network/interfaces will always match the one this vpn
will utilize.
- Create a 'manual' type interface entry in /etc/network/interfaces.
There should be only one option - openvpn, which takes a config file
name as the argument (without the .conf suffix). For example:
auto tun_work
iface tun_work inet manual
openvpn work_vpn
- You should prevent openvpn from trying to start this tunnel when its
own init script runs, since the interface is already up. This is done
in /etc/default/openvpn by changing the AUTOSTART option as described
in the same file.
If you'd like to use a bridged setup (utilizing a tap device), Debian provides
some helper tools in the bridge-utils package to help you set up your
bridge via /etc/network/interfaces.
An easy example, creating a bridge interface 'br0' from 'eth0' and 'tap0',
can look like this:
auto lo br0 eth1
allow-hotplug eth0
iface br0 inet static
address 192.168.1.1
network 192.168.1.0
netmask 255.255.255.0
broadcast 192.168.1.255
bridge_ports eth0 tap0
pre-up openvpn --mktun --dev tap0
It's recommended to read the manpage - man 5 bridge-utils-interfaces - as well.
#####################################
# Compatibility notes on 2.x vs 1.x #
#####################################
In version 2.0, --tun-mtu 1500 --mssfix 1450 is now the default (in 1.x the
default is --link-mtu 1300 for tun interfaces and --tun-mtu 1500 for tap
interfaces, with --mssfix disabled).
Also in version 2.0, when using TLS, --key-method 2 is now the default;
it was 1 in versions 1.x.
To sum up, to make 2.0 work with 1.x put the following in the 1.x configuration
files:
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
key-method 2 ## (if you're using TLS)
Or, in case you'd rather not modify the 1.x configuration, set the 2.x side
configuration like this:
If using TLS:
key-method 1
If "dev tun":
link-mtu 1300
If "dev tap":
tun-mtu 1500
tun-mtu-extra 32
OpenVPN 1.x won't be able to act as a client against an OpenVPN 2.x
acting as a multi-client server. OpenVPN 1.x can only work with 2.x
in point-to-point tunnels.
Changes in string remapping
---------------------------
Quoting James Yonan:
"Prior to 2.0-beta12, the string remapping code was a bit ad-hoc. Since then
I've tried to unify all string remapping towards a consistent model which
remaps illegal chars to '_'. The choice of underbar is arbitrary -- any inert
character will do."
So, from now on you must use '_' instead of '.' to represent spaces in
certificate names.
plugin support
--------------
Plugins are now included in the package. They get installed in /usr/lib/openvpn.
Info on what they are and what they do is in README.auth-pam and README.down-root.
Prepend /usr/lib/openvpn/ to the plugin name in the plugin option,
e.g.:
plugin /usr/lib/openvpn/openvpn-auth-pam.so [service-type]
Using resolvconf
----------------
Have a look at the shell script /etc/openvpn/update-resolv-conf.
It parses DHCP options from openvpn to update /etc/resolv.conf.
To use it, set it as the 'up' and 'down' script in your openvpn *.conf:
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
You will need to install the resolvconf package.
Out of Memory issues
--------------------
You might run into issues with openvpn complaining about being out of memory.
The reason for this behavior is that openvpn uses mlockall to pin all of its
pages into memory. To correct this issue you can put a "ulimit -l
<reasonable number>" in the openvpn init script.
LDAP+TLS authentication runs into file exhaustion
-------------------------------------------------
When LDAP is used with TLS support a file handle to /dev/urandom is created but
never released on every authentication. This is due to a bug in libgcrypt.
Lars Ellenberg provided the following workaround:
Prepend LD_PRELOAD=/lib/security/pam_ldap.so to the call to openvpn (in the
init.d script), i.e.:
..... (around line 58 of the init.d script)....
LD_PRELOAD=/lib/security/pam_ldap.so start-stop-daemon --start --quiet --oknodo
Thanks to Andreas Metzler, Lars Ellenberg, Simon Josefsson & chantra for following
this issue.
Possible consequences of the 'chroot' option
--------------------------------------------
When running OpenVPN in a chroot environment you have to take into account that
things such as /dev/log may change (e.g. when syslog is reloaded by logrotate) and
that may result in OpenVPN not logging anymore.
Christian Schneider suggested this solution:
Create an additional "dev/log" socket in the jail using the "-a" option to sysklogd
or the "$AddUnixListenSocket" parameter in /etc/rsyslog.conf, respectively.
Kudos to him for finding out and proposing a solution.
-- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 09 Jul 2010 12:46:30 +0200
Please refer to /usr/share/doc/quilt/README.source before making changes to
the source package.
#!/bin/sh
# Copyright 2003 Alberto Gonzalez Iniesta <agi@agi.as>
# Licensed under the GNU General Public License, version 2. See the file
# /usr/share/common-licenses/GPL or <http://www.gnu.org/copyleft/gpl.txt>.
#
set -e
test $DEBIAN_SCRIPT_DEBUG && set -v -x
# Use debconf
. /usr/share/debconf/confmodule
# Do we want to create /dev/net/tun?
if [ ! -e /dev/.udev ] && [ ! -e /dev/net/tun ]; then
  db_input medium openvpn/create_tun || true
  db_go
fi
db_stop
exit 0
# vim: set ai et sts=2 sw=2 tw=0:
Source: openvpn
Section: net
Priority: optional
Maintainer: Alberto Gonzalez Iniesta <agi@inittab.org>
Build-Depends: debhelper (>= 7), libssl-dev (>> 0.9.8g-9), liblzo2-dev, libpam0g-dev, quilt, libpkcs11-helper1-dev
Standards-Version: 3.9.2
Homepage: http://www.openvpn.net/
Package: openvpn
Architecture: any
Depends: debconf | debconf-2.0, ${shlibs:Depends}, ${misc:Depends}, net-tools
Suggests: openssl, resolvconf
Description: virtual private network daemon
OpenVPN is an application to securely tunnel IP networks over a
single UDP or TCP port. It can be used to access remote sites, make
secure point-to-point connections, enhance wireless security, etc.
.
OpenVPN uses all of the encryption, authentication, and certification
features provided by the OpenSSL library (any cipher, key size, or
HMAC digest).
.
OpenVPN may use static, pre-shared keys or TLS-based dynamic key exchange. It
also supports VPNs with dynamic endpoints (DHCP or dial-up clients), tunnels
over NAT or connection-oriented stateful firewalls (such as Linux's iptables).
This package was debianized by Alberto Gonzalez Iniesta <agi@agi.as> on
Tue, 2 Apr 2002 12:24:50 +0200.
It was downloaded from http://www.openvpn.net
Upstream Author: James Yonan <jim@yonan.net>
Copyright: (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>
This package is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 dated June, 1991.
This package is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this package; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
MA 02110-1301, USA.
On Debian GNU/Linux systems, the complete text of the GNU General
Public License can be found in `/usr/share/common-licenses/GPL-2'.
In addition, as a special exception, James Yonan gives
permission to link the code of this program with the OpenSSL
library (or with modified versions of OpenSSL that use the same
license as OpenSSL), and distribute linked combinations including
the two. You must obey the GNU General Public License in all
respects for all of the code used other than OpenSSL. If you modify
this file, you may extend this exception to your version of the
file, but you are not obligated to do so. If you do not wish to
do so, delete this exception statement from your version.
Markus F.X.J. Oberhumer <markus@oberhumer.com> made the following
exception in LZO's license to make possible the use of LZO with OpenSSL
in OpenVPN:
Hereby I grant a special exception to the OpenVPN project
(http://openvpn.sourceforge.net) to link the LZO library with
the OpenSSL library (http://www.openssl.org).
Markus F.X.J. Oberhumer
# This is the configuration file for /etc/init.d/openvpn
#
# Start only these VPNs automatically via init script.
# Allowed values are "all", "none" or space separated list of
# names of the VPNs. If empty, "all" is assumed.
#
#AUTOSTART="all"
#AUTOSTART="none"
#AUTOSTART="home office"
#
# Refresh interval (in seconds) of default status files
# located in /var/run/openvpn.$NAME.status
# Defaults to 10, 0 disables status file generation
#
#STATUSREFRESH=10
#STATUSREFRESH=0
# Optional arguments to openvpn's command line
OPTARGS=""
#
# If you need openvpn running after sendsigs, i.e.
# to let umountnfs work over the vpn, set OMIT_SENDSIGS
# to 1 and include umountnfs as Required-Stop: in openvpn's
# init.d script (remember to run insserv after that)
#
OMIT_SENDSIGS=0
etc/openvpn
etc/network/if-up.d
etc/network/if-down.d
etc/bash_completion.d
usr/sbin
usr/share/man/man8
usr/share/doc/openvpn
usr/share/openvpn
usr/lib/openvpn
usr/include/openvpn
AUTHORS
PORTS
README
README.IPv6
TODO.IPv6
README.ipv6
TODO.ipv6
ChangeLog.IPv6
sample-config-files/
sample-keys/
easy-rsa/
sample-scripts/
# bash completion for openvpn init.d script
# Written by Alberto Gonzalez Iniesta <agi@inittab.org>
_openvpn()
{
  local cur
  COMPREPLY=()
  cur=${COMP_WORDS[COMP_CWORD]}
  if [ $COMP_CWORD -eq 1 ] ; then
    COMPREPLY=( $( compgen -W '$( /etc/init.d/openvpn 2>&1 \
                  | cut -d"{" -f2 | tr -d "}" | tr "|" " " )' -- $cur ) )
  else
    COMPREPLY=( $( compgen -W '$( command ls /etc/openvpn/*.conf 2>/dev/null \
                  | sed -e 's%/etc/openvpn/%%' -e 's/\.conf//' )' -- $cur ) )
  fi
}
complete -F _openvpn /etc/init.d/openvpn
#!/bin/sh
OPENVPN=/etc/init.d/openvpn
if [ ! -x $OPENVPN ]; then
  exit 0
fi
if [ -n "$IF_OPENVPN" ]; then
  for vpn in $IF_OPENVPN; do
    $OPENVPN stop $vpn
  done
fi
#!/bin/sh
OPENVPN=/etc/init.d/openvpn
if [ ! -x $OPENVPN ]; then
  exit 0
fi
if [ -n "$IF_OPENVPN" ]; then
  for vpn in $IF_OPENVPN; do
    $OPENVPN start $vpn
  done
fi
#!/bin/sh -e
### BEGIN INIT INFO
# Provides: openvpn
# Required-Start: $network $remote_fs $syslog
# Required-Stop: $network $remote_fs $syslog
# Should-Start: network-manager
# Should-Stop: network-manager
# X-Start-Before: $x-display-manager gdm kdm xdm wdm ldm sdm nodm
# X-Interactive: true
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Openvpn VPN service
### END INIT INFO
# Original version by Robert Leslie
# <rob@mars.org>, edited by iwj and cs
# Modified for openvpn by Alberto Gonzalez Iniesta <agi@inittab.org>
# Modified for restarting / starting / stopping single tunnels by Richard Mueller <mueller@teamix.net>
. /lib/lsb/init-functions
test $DEBIAN_SCRIPT_DEBUG && set -v -x
DAEMON=/usr/sbin/openvpn
DESC="virtual private network daemon"
CONFIG_DIR=/etc/openvpn
test -x $DAEMON || exit 0
test -d $CONFIG_DIR || exit 0
# Source defaults file; edit that file to configure this script.
AUTOSTART="all"
STATUSREFRESH=10
OMIT_SENDSIGS=0
if test -e /etc/default/openvpn ; then
  . /etc/default/openvpn
fi
start_vpn () {
  if grep -q '^[ ]*daemon' $CONFIG_DIR/$NAME.conf ; then
    # daemon already given in config file
    DAEMONARG=
  else
    # need to daemonize
    DAEMONARG="--daemon ovpn-$NAME"
  fi
  if grep -q '^[ ]*status ' $CONFIG_DIR/$NAME.conf ; then
    # status file already given in config file
    STATUSARG=""
  elif test $STATUSREFRESH -eq 0 ; then
    # default status file disabled in /etc/default/openvpn
    STATUSARG=""
  else
    # prepare default status file
    STATUSARG="--status /var/run/openvpn.$NAME.status $STATUSREFRESH"
  fi
  log_progress_msg "$NAME"
  STATUS=0
  start-stop-daemon --start --quiet --oknodo \
      --pidfile /var/run/openvpn.$NAME.pid \
      --exec $DAEMON -- $OPTARGS --writepid /var/run/openvpn.$NAME.pid \
      $DAEMONARG $STATUSARG --cd $CONFIG_DIR \
      --config $CONFIG_DIR/$NAME.conf || STATUS=1
  [ "$OMIT_SENDSIGS" -ne 0 ] || ln -s /var/run/openvpn.$NAME.pid /run/sendsigs.omit.d/openvpn.$NAME.pid
}
stop_vpn () {
  kill `cat $PIDFILE` || true
  rm -f $PIDFILE
  [ "$OMIT_SENDSIGS" -ne 0 ] || rm -f /run/sendsigs.omit.d/openvpn.$NAME.pid
  rm -f /var/run/openvpn.$NAME.status 2> /dev/null
}
case "$1" in
start)
  log_daemon_msg "Starting $DESC"
  # autostart VPNs
  if test -z "$2" ; then
    # check if automatic startup is disabled by AUTOSTART=none
    if test "x$AUTOSTART" = "xnone" -o -z "$AUTOSTART" ; then
      log_warning_msg " Autostart disabled."
      exit 0
    fi
    if test -z "$AUTOSTART" -o "x$AUTOSTART" = "xall" ; then
      # all VPNs shall be started automatically
      for CONFIG in `cd $CONFIG_DIR; ls *.conf 2> /dev/null`; do
        NAME=${CONFIG%%.conf}
        start_vpn
      done
    else
      # start only specified VPNs
      for NAME in $AUTOSTART ; do
        if test -e $CONFIG_DIR/$NAME.conf ; then
          start_vpn
        else
          log_failure_msg "No such VPN: $NAME"
          STATUS=1
        fi
      done
    fi
  #start VPNs from command line
  else
    while shift ; do
      [ -z "$1" ] && break
      if test -e $CONFIG_DIR/$1.conf ; then
        NAME=$1
        start_vpn
      else
        log_failure_msg " No such VPN: $1"
        STATUS=1
      fi
    done
  fi
  log_end_msg ${STATUS:-0}
  ;;
stop)
  log_daemon_msg "Stopping $DESC"
  if test -z "$2" ; then
    for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
      NAME=`echo $PIDFILE | cut -c18-`
      NAME=${NAME%%.pid}
      stop_vpn
      log_progress_msg "$NAME"
    done
  else
    while shift ; do
      [ -z "$1" ] && break
      if test -e /var/run/openvpn.$1.pid ; then
        PIDFILE=`ls /var/run/openvpn.$1.pid 2> /dev/null`
        NAME=`echo $PIDFILE | cut -c18-`
        NAME=${NAME%%.pid}
        stop_vpn
        log_progress_msg "$NAME"
      else
        log_failure_msg " (failure: No such VPN is running: $1)"
      fi
    done
  fi
  log_end_msg 0
  ;;
# Only 'reload' running VPNs. New ones will only start with 'start' or 'restart'.
reload|force-reload)
  log_daemon_msg "Reloading $DESC"
  for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
    NAME=`echo $PIDFILE | cut -c18-`
    NAME=${NAME%%.pid}
    # If openvpn is running under a different user than root we'll need to restart
    if egrep '^[[:blank:]]*user[[:blank:]]' $CONFIG_DIR/$NAME.conf > /dev/null 2>&1 ; then
      stop_vpn
      sleep 1
      start_vpn
      log_progress_msg "(restarted)"
    else
      kill -HUP `cat $PIDFILE` || true
      log_progress_msg "$NAME"
    fi
  done
  log_end_msg 0
  ;;
# Only 'soft-restart' running VPNs. New ones will only start with 'start' or 'restart'.
soft-restart)
  log_daemon_msg "$DESC sending SIGUSR1"
  for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
    NAME=`echo $PIDFILE | cut -c18-`
    NAME=${NAME%%.pid}
    kill -USR1 `cat $PIDFILE` || true
    log_progress_msg "$NAME"
  done
  log_end_msg 0
  ;;
restart)
  shift
  $0 stop ${@}
  sleep 1
  $0 start ${@}
  ;;
cond-restart)
  log_daemon_msg "Restarting $DESC."
  for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
    NAME=`echo $PIDFILE | cut -c18-`
    NAME=${NAME%%.pid}
    stop_vpn
    sleep 1
    start_vpn
  done
  log_end_msg 0
  ;;
status)
  GLOBAL_STATUS=0
  if test -z "$2" ; then
    # We want status for all defined VPNs.
    # Returns success if all autostarted VPNs are defined and running
    if test "x$AUTOSTART" = "xnone" ; then
      # Consider it a failure if AUTOSTART=none
      log_warning_msg "No VPN autostarted"
      GLOBAL_STATUS=1
    else
      if ! test -z "$AUTOSTART" -o "x$AUTOSTART" = "xall" ; then
        # Consider it a failure if one of the autostarted VPN is not defined
        for VPN in $AUTOSTART ; do
          if ! test -f $CONFIG_DIR/$VPN.conf ; then
            log_warning_msg "VPN '$VPN' is in AUTOSTART but is not defined"
            GLOBAL_STATUS=1
          fi
        done
      fi
    fi
    for CONFIG in `cd $CONFIG_DIR; ls *.conf 2> /dev/null`; do
      NAME=${CONFIG%%.conf}
      # Is it an autostarted VPN ?
      if test -z "$AUTOSTART" -o "x$AUTOSTART" = "xall" ; then
        AUTOVPN=1
      else
        if test "x$AUTOSTART" = "xnone" ; then
          AUTOVPN=0
        else
          AUTOVPN=0
          for VPN in $AUTOSTART; do
            if test "x$VPN" = "x$NAME" ; then
              AUTOVPN=1
            fi
          done
        fi
      fi
      if test "x$AUTOVPN" = "x1" ; then
        # If it is autostarted, then it contributes to global status
        status_of_proc -p /var/run/openvpn.${NAME}.pid openvpn "VPN '${NAME}'" || GLOBAL_STATUS=1
      else
        status_of_proc -p /var/run/openvpn.${NAME}.pid openvpn "VPN '${NAME}' (non autostarted)" || true
      fi
    done
  else