From 647b67e18b6bf857e60e4e2e1874fd04d4138586 Mon Sep 17 00:00:00 2001 From: Florian Eckert Date: Thu, 5 Mar 2026 09:02:44 +0100 Subject: [PATCH] openvpn: add hotplug handling back in This commit adds hotplug handling back in. Fixes: 2607b761 ("openvpn: introduce proto handler") Signed-off-by: Florian Eckert --- net/openvpn/Makefile | 19 +++++++++ .../files/etc/hotplug.d/openvpn/01-user | 40 +++++++++++++++++++ net/openvpn/files/etc/openvpn.user | 11 +++++ net/openvpn/files/lib/netifd/proto/openvpn.sh | 37 +++++++++++++++++ net/openvpn/files/usr/libexec/openvpn-hotplug | 18 +++++++++ 5 files changed, 125 insertions(+) create mode 100644 net/openvpn/files/etc/hotplug.d/openvpn/01-user create mode 100644 net/openvpn/files/etc/openvpn.user create mode 100644 net/openvpn/files/usr/libexec/openvpn-hotplug diff --git a/net/openvpn/Makefile b/net/openvpn/Makefile index cc34f4ff1d..1c1f2b4c71 100644 --- a/net/openvpn/Makefile +++ b/net/openvpn/Makefile @@ -90,6 +90,10 @@ define Build/Configure ) endef +define Package/openvpn-$(BUILD_VARIANT)/conffiles +/etc/openvpn.user +endef + define Package/openvpn-$(BUILD_VARIANT)/install $(INSTALL_DIR) $(1)/usr/sbin $(INSTALL_BIN) \ @@ -127,6 +131,21 @@ define Package/openvpn-$(BUILD_VARIANT)/install $(INSTALL_DATA) \ files/lib/upgrade/keep.d/openvpn \ $(1)/lib/upgrade/keep.d/ + + $(INSTALL_DIR) $(1)/usr/libexec + $(INSTALL_BIN) \ + files/usr/libexec/openvpn-hotplug \ + $(1)/usr/libexec/ + + $(INSTALL_DIR) $(1)/etc + $(INSTALL_DATA) \ + files/etc/openvpn.user \ + $(1)/etc/ + + $(INSTALL_DIR) $(1)/etc/hotplug.d/openvpn + $(INSTALL_DATA) \ + files/etc/hotplug.d/openvpn/01-user \ + $(1)/etc/hotplug.d/openvpn/ endef $(eval $(call BuildPackage,openvpn-openssl)) diff --git a/net/openvpn/files/etc/hotplug.d/openvpn/01-user b/net/openvpn/files/etc/hotplug.d/openvpn/01-user new file mode 100644 index 0000000000..375dba3026 --- /dev/null +++ b/net/openvpn/files/etc/hotplug.d/openvpn/01-user 
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+main() {
+ local command
+
+ [ -e "/etc/openvpn.user" ] && {
+ env -i ACTION="$ACTION" INSTANCE="$INSTANCE" \
+ /bin/sh \
+ /etc/openvpn.user \
+ $*
+ }
+
+ # Wrap user defined scripts on up|down|route-up|route-pre-down|ipchange
+ # events. Scripts set with up|down|route-up|route-pre-down|ipchange
+ # in the openvpn config are also executed with the command=user_xxxx
+ case "$ACTION" in
+ up)
+ command=$user_up
+ ;;
+ down)
+ command=$user_down
+ ;;
+ route-up)
+ command=$user_route_up
+ ;;
+ route-pre-down)
+ command=$user_route_pre_down
+ ;;
+ ipchange)
+ command=$user_ipchange
+ ;;
+ esac
+
+ if [ -n "$command" ]; then
+ shift
+ exec /bin/sh -c "$command $*"
+ fi
+}
+
+main
diff --git a/net/openvpn/files/etc/openvpn.user b/net/openvpn/files/etc/openvpn.user
new file mode 100644
index 0000000000..a77566556a
--- /dev/null
+++ b/net/openvpn/files/etc/openvpn.user
@@ -0,0 +1,11 @@
+#!/bin/sh
+#
+# This file is interpreted as shell script.
+# Put your custom openvpn action here, they will
+# be executed with each opevnp event.
+#
+# $ACTION
+# down action is generated after the TUN/TAP device is closed
+# up action is generated after the TUN/TAP device is opened
+# $INSTANCE Name of the openvpn instance which went up or down
+
diff --git a/net/openvpn/files/lib/netifd/proto/openvpn.sh b/net/openvpn/files/lib/netifd/proto/openvpn.sh
index c065465c69..ffb1ed6e1c 100755
--- a/net/openvpn/files/lib/netifd/proto/openvpn.sh
+++ b/net/openvpn/files/lib/netifd/proto/openvpn.sh
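Review bot: In 01-user, `main` is invoked on the last line without arguments, so `$*` inside the function is always empty: neither /etc/openvpn.user nor the wrapped `user_*` command receives the arguments that openvpn-hotplug forwards with `"$@"`, and the `shift` has nothing to drop. Call it as `main "$@"`. The wrapped command is also built by pasting `$*` into a `sh -c` string, so once arguments do arrive they are parsed a second time as shell syntax; handing them over as positional parameters keeps them as data, e.g. `exec /bin/sh -c "$command \"\$@\"" sh "$@"`. The unquoted `$*` passed to /etc/openvpn.user should likewise be `"$@"`.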
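Review bot: In the new /etc/openvpn.user template, the header documents only the `up` and `down` actions, while 01-user runs this file before its `case` for every event, and the proto handler also registers `route-up`, `route-pre-down` and `ipchange`; a user script that does not filter on `$ACTION` will therefore run on events the comment never mentions. It is also worth stating in the header that the script is started through `env -i` with only `ACTION` and `INSTANCE` set, so none of OpenVPN's own environment variables are available in it. The word `opevnp` in the fifth line should read `openvpn`.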
@@ -159,6 +159,43 @@ proto_openvpn_setup() { # Testing option # ${tls_exit:+--tls-exit} \ + # Check 'script_security' option + json_get_var script_security script_security + [ -z "$script_security" ] && { + script_security=3 + } + + # Add default hotplug handling if 'script_security' option is equal '3' + if [ "$script_security" -eq '3' ]; then + logger -t "openvpn(proto)" \ + -p daemon.info "Enabled default hotplug processing, as the openvpn configuration 'script_security' is '3'" + + append exec_params " --setenv INTERFACE $config" + append exec_params " --script-security 3" + + append exec_params "--up '/usr/libexec/openvpn-hotplug'" + [ -n "$up" ] && append exec_params "--setenv user_up '$up'" + + append exec_params "--down '/usr/libexec/openvpn-hotplug'" + [ -n "$down" ] && append exec_params "--setenv user_down '$down'" + + append exec_params "--route-up '/usr/libexec/openvpn-hotplug'" + [ -n "$route_up" ] && append exec_params "--setenv user_route_up '$route_up'" + + append exec_params "--route-pre-down '/usr/libexec/openvpn-hotplug'" + [ -n "$route_pre_down" ] && append exec_params "--setenv user_route_pre_down '$route_pre_down'" + + json_get_var client client + json_get_var tls_client tls_client + if [ "$client" = 1 ] || [ "$tls_client" = 1 ]; then + append exec_params "--ipchange '/usr/libexec/openvpn-hotplug'" + [ -n "$ip_change" ] && append exec_params "--setenv user_ipchange '$ipchange'" + fi + else + logger -t "openvpn(proto)" \ + -p daemon.warn "Default hotplug processing disabled, as the openvpn configuration 'script_security' is less than '3'" + fi + # shellcheck disable=SC2086 proto_run_command "$config" openvpn $exec_params diff --git a/net/openvpn/files/usr/libexec/openvpn-hotplug b/net/openvpn/files/usr/libexec/openvpn-hotplug new file mode 100644 index 0000000000..dcc5b01df9 --- /dev/null +++ b/net/openvpn/files/usr/libexec/openvpn-hotplug 
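Review bot: An instance that leaves `script_security` unset is raised to level 3 by the `[ -z "$script_security" ]` default, and level 3 is the OpenVPN setting that additionally allows passwords to be passed to scripts through the environment, whereas calling user-defined scripts only needs level 2. Consider defaulting to 2, enabling the hooks with `[ "$script_security" -ge 2 ]`, and passing the configured value through instead of the hard-coded `--script-security 3`. The ipchange branch tests `$ip_change` but expands `$ipchange`, so one of the two names is wrong and the `user_ipchange` setenv is either skipped or set to an empty value. Because `$exec_params` is expanded unquoted in the `proto_run_command` line at the end of the hunk, the single quotes around the hook path and the user values are passed on as literal characters, and a user command containing spaces is split into separate arguments. proto_openvpn_setup starts and ends outside the hunk, so any earlier handling of these options is not visible here.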
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+[ -z "$script_type"] && {
+ logger -t "openvpn(proto)" -p daemon.warn "hotplug: variable 'script_type' not found"
+ exit
+}
+
+[ -z "$INTERFACE"] && {
+ logger -t "openvpn(proto)" -p daemon.warn "hotplug: variable 'INTERFACE' not found"
+ exit
+}
+
+ACTION="$script_type"
+INSTANCE="$INTERFACE"
+
+export ACTION=$ACTION
+export INSTANCE=$INSTANCE
+exec /sbin/hotplug-call openvpn "$@"
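Review bot: Both guards are written as `[ -z "$script_type"]` and `[ -z "$INTERFACE"]`, with no space before the closing bracket, so whenever the variable is set the last word is something like `up]` and `[` fails with a missing-`]` error on every hook invocation. The guard only fires by accident when the variable is empty, because the word then collapses to a bare `]`. Write them as `[ -z "$script_type" ] && {` and `[ -z "$INTERFACE" ] && {`. The bare `exit` after each warning returns the status of `logger`, so OpenVPN sees the hook as successful; use `exit 1` if a missing variable should fail the hook. The two export lines can be reduced to `export ACTION INSTANCE`, which also removes the unquoted expansions.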