From mboxrd@z Thu Jan 1 00:00:00 1970
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH 5/5] update.sh: Adds code to update an existing ovpnconfig with pass or no-pass
Date: Wed, 17 May 2023 11:56:52 +0200
Message-ID: <20230517095652.8248-5-adolf.belka@ipfire.org>
In-Reply-To: <20230517095652.8248-1-adolf.belka@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5992951912090378590=="
List-Id:

--===============5992951912090378590==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

- The code checks first if ovpnconfig exists and is not empty.
- Then it makes all net2net connections no-pass since they do not use encryption
- Then it cycles through all .p12 files and checks with openssl if a password exists or not.
  If a password is present then pass is added to index 41 and if not then no-pass is added
  to index 41
- This code should be left in update.sh for future Core Updates in case people don't update
  with Core Update 175 but leave it till later. This code works fine on code that already
  has pass or no-pass entered into index 41 in ovpnconfig

Fixes: Bug#11048
Suggested-by: Erik Kapfer
Suggested-by: Adolf Belka
Tested-by: Erik Kapfer
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
--- config/rootfiles/core/175/update.sh | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/config/rootfiles/core/175/update.sh b/config/rootfiles/core/175/= update.sh index 03ce4a93d..8ed34f39e 100644 --- a/config/rootfiles/core/175/update.sh +++ b/config/rootfiles/core/175/update.sh 
@@ -175,6 +175,30 @@ if [ -e /boot/pakfire-kernel-update ]; then /boot/pakfire-kernel-update ${KVER} fi =20 +## Modify ovpnconfig according to bug 11048 for pass, no-pass modification i= n ovpnconfig index +# Check if ovpnconfig exists and is not empty +if [ -s /var/ipfire/ovpn/ovpnconfig ]; then + # Make all N2N connections 'no-pass' since they do not use encryption + awk '{FS=3DOFS=3D","} {if($5=3D=3D"net") {$43=3D"no-pass"; print $0}}= ' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new + + # Evaluate roadwarrior connection names for *.p12 files + for y in $(awk -F',' '/host/ { print $3 }' /var/ipfire/ovpn/ovpnconfi= g); do + # Sort all unencrypted roadwarriors out and set 'no-pass' in [43]= index + if [[ -n $(openssl pkcs12 -info -in /var/ipfire/ovpn/certs/${= y}.p12 -noout -password pass:'' 2>&1 | grep 'Encrypted') ]]; then + awk -v var=3D"$y" '{FS=3DOFS=3D","} {if($3=3D=3Dvar) = {$43=3D"no-pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn= /ovpnconfig.new + fi + # Sort all encrypted roadwarriors out and set 'pass' in [43] index + if [[ -n $(openssl pkcs12 -info -in /var/ipfire/ovpn/certs/${= y}.p12 -noout -password pass:'' 2>&1 | grep 'error') ]]; then + awk -v var=3D"$y" '{FS=3DOFS=3D","} {if($3=3D=3Dvar) = {$43=3D"pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ov= pnconfig.new + fi + done +fi + +# Replace existing ovpnconfig with updated index +mv /var/ipfire/ovpn/ovpnconfig.new /var/ipfire/ovpn/ovpnconfig +# Set correct ownership +chown nobody:nobody /var/ipfire/ovpn/ovpnconfig + # This update needs a reboot... touch /var/run/need_reboot =20 --=20 2.40.1 --===============5992951912090378590==--
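Review bot: The unconditional `mv /var/ipfire/ovpn/ovpnconfig.new /var/ipfire/ovpn/ovpnconfig` after the closing `fi` replaces the live file with one that holds only the rows an awk condition matched, so any connection written by neither branch is dropped from ovpnconfig. That covers rows where $5 is not "net" and the line does not match /host/, and roadwarriors whose openssl output contains neither 'Encrypted' nor 'error'. Because `{FS=OFS=","}` is assigned in a per-record action rather than in BEGIN (or via -F and -v OFS), awk has already split the first record with the default separator before the assignment takes effect, so the first line of the file will normally fail the $5 and $3 comparisons too. Suggest a single pass that prints every row and only sets $43 where needed, with the separators set up front, for example: BEGIN{FS=OFS=","} $5=="net"{$43="no-pass"} {print}. Please also move the mv and chown inside the `if [ -s ... ]` block, since with a missing or empty ovpnconfig there is no ovpnconfig.new to move, and start from a fresh ovpnconfig.new, because `>>` appends to whatever an earlier run left behind. The grep for 'error' treats any openssl failure message containing that word as "password set", including one for an unreadable or missing ${y}.p12; testing that the file exists and checking the exit status of the empty-password attempt would separate those cases. The unquoted `for y in $(...)` splits connection names on whitespace. Finally, the comments say "[43] index" while the commit message says index 41; a comment stating how the two relate would help the next reader.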