Several improvements

* Add EC support * Make token form toggleable * Make client certificates compatible with iOS native IKEv2 * Fix OU for self-enroll * Improved sample scripts in web UI
2025-09-07 22:20:56 +00:00 · 2018-04-09 13:08:12 +00:00
parent 9c6872a949
commit 577962e09b
11 changed files with 253 additions and 184 deletions
--- a/doc/overlay/etc/hotplug.d/iface/50-certidude
+++ b/doc/overlay/etc/hotplug.d/iface/50-certidude
@@ -5,12 +5,13 @@

 # TODO: renewal

+AUTHORITY=certidude.@authority[0]
+
 [ $ACTION == "ifup" ] || exit 0
-[ $INTERFACE == "wan" ] || exit 0
+[ $INTERFACE == "$(uci get $AUTHORITY.trigger)" ] || exit 0

 # TODO: iterate over all authorities

-AUTHORITY=certidude.@authority[0]
 URL=$(uci get $AUTHORITY.url)
 GATEWAY=$(uci get $AUTHORITY.gateway)

@@ -40,8 +41,9 @@ logger -t certidude -s "Time is now: $(date)"
 # If certificate file is there assume everything's set up
 if [ -f $CERTIFICATE_PATH ]; then
    SERIAL=$(openssl x509 -in $CERTIFICATE_PATH -noout -serial | cut -d "=" -f 2 | tr [A-F] [a-f])
-    logger -t certidude -s "Certificate with serial $SERIAL already exists, attempting to bring up IPsec tunnel..."
-    ipsec up client-to-site
+    logger -t certidude -s "Certificate with serial $SERIAL already exists in $CERTIFICATE_PATH, attempting to bring up VPN tunnel..."
+    /etc/init.d/openvpn start
+    /etc/init.d/ipsec start
    exit 0
 fi

@@ -60,7 +62,7 @@ fi
 if [ ! -f $KEY_PATH ]; then
    KEY_TEMP=$(mktemp -u)

-    logger -t certidude -s "Generating RSA key for IPsec..."
+    logger -t certidude -s "Generating RSA key for VPN..."
    if [ -d $GREEN_LED ]; then
        echo 250 | tee $GREEN_LED/delay_*
    fi
@@ -167,31 +169,10 @@ fi

 logger -t certidude -s "Certificate md5sum: $(md5sum -b $CERTIFICATE_TEMP)"

-
-
-
-###################################
-### Generate /etc/ipsec.secrets ###
-###################################
-
-SECRETS_TEMP=$(mktemp -u)
-
-for filename in /etc/ipsec.d/private/*.pem; do
-    echo ": RSA $filename" >> $SECRETS_TEMP
-done
-
 uci commit

-mv $SECRETS_TEMP /etc/ipsec.secrets
-mv $IPSEC_TEMP /etc/ipsec.conf
 mv $CERTIFICATE_TEMP $CERTIFICATE_PATH

-# Enable services
-/etc/init.d/ipsec enable
-
 # Restart services
-/etc/init.d/ipsec restart
-
-sleep 2
-
-ipsec up client-to-site
+/etc/init.d/ipsec start
+/etc/init.d/openvpn start
--- a/doc/overlay/etc/profile
+++ b/doc/overlay/etc/profile
@@ -14,18 +14,11 @@ export PS1='\u@\h:\w\$ '
 [ -x /usr/bin/ldd ] || ldd() { LD_TRACE_LOADED_OBJECTS=1 $*; }

 HOSTNAME=$(uci get system.@system[0].hostname)
-DOMAIN=$(uci -q get dhcp.@dnsmasq[0].domain)

-if [ $? -eq 0 ]; then
-    FQDN=$HOSTNAME.$DOMAIN
-else
-    FQDN=$HOSTNAME
-fi
-
-export PS1='\[\033[01;31m\]$FQDN\[\033[01;34m\] \W #\[\033[00m\] '
+export PS1='\[\033[01;31m\]$HOSTNAME\[\033[01;34m\] \W #\[\033[00m\] '
 case "$TERM" in
    xterm*|rxvt*)
-        echo -ne "\033]0;${USER}@${FQDN}:${PWD}\007"
+        echo -ne "\033]0;${USER}@${HOSTNAME}:${PWD}\007"
    ;;
    *)
    ;;
--- a/doc/overlay/etc/uci-defaults/50-access-point
+++ b/doc/overlay/etc/uci-defaults/50-access-point
@@ -1,66 +0,0 @@
-# Disable DHCP servers
-/etc/init.d/odhcpd disable
-/etc/init.d/dnsmasq disable
-
-# Remove firewall rules since AP bridges ethernet to wireless anyway
-uci delete firewall.@zone[1]
-uci delete firewall.@zone[0]
-uci delete firewall.@forwarding[0]
-for j in $(seq 0 10); do uci delete firewall.@rule[0]; done
-
-# Remove WAN interface
-uci delete network.wan
-uci delete network.wan6
-
-# Reconfigure DHCP client for bridge over LAN and WAN ports
-uci delete network.lan.ipaddr
-uci delete network.lan.netmask
-uci delete network.lan.ip6assign
-uci delete network.globals.ula_prefix
-uci delete network.@switch_vlan[1]
-uci delete dhcp.@dnsmasq[0].domain
-uci set network.lan.proto=dhcp
-uci set network.lan.ipv6=0
-uci set network.lan.ifname='eth0'
-uci set network.lan.stp=1
-
-# Radio ordering differs among models
-case $(uci get wireless.radio0.hwmode) in
-    11a) uci rename wireless.radio0=radio5ghz;;
-    11g) uci rename wireless.radio0=radio2ghz;;
-esac
-case $(uci get wireless.radio1.hwmode) in
-    11a) uci rename wireless.radio1=radio5ghz;;
-    11g) uci rename wireless.radio1=radio2ghz;;
-esac
-
-# Reset virtual SSID-s
-uci delete wireless.@wifi-iface[1]
-uci delete wireless.@wifi-iface[0]
-
-# Pseudorandomize channel selection, should work with 80MHz on 5GHz band
-case $(uci get system.@system[0].hostname | md5sum) in
-   1*|2*|3*|4*) uci set wireless.radio2ghz.channel=1; uci set wireless.radio5ghz.channel=36 ;;
-   5*|6*|7*|8*) uci set wireless.radio2ghz.channel=5; uci set wireless.radio5ghz.channel=52 ;;
-   9*|0*|a*|b*) uci set wireless.radio2ghz.channel=9; uci set wireless.radio5ghz.channel=100 ;;
-   c*|d*|e*|f*) uci set wireless.radio2ghz.channel=13; uci set wireless.radio5ghz.channel=132 ;;
-esac
-
-# Create bridge for guests
-uci set network.guest=interface
-uci set network.guest.proto='static'
-uci set network.guest.address='0.0.0.0'
-uci set network.guest.type='bridge'
-uci set network.guest.ifname='eth0.156' # tag id 156 for guest network
-uci set network.guest.ipaddr='0.0.0.0'
-uci set network.guest.ipv6=0
-uci set network.guest.stp=1
-
-# Disable switch tagging and bridge all ports on TP-Link WDR3600/WDR4300
-case $(cat /etc/board.json | jsonfilter -e '@["model"]["id"]') in
-    tl-wdr*)
-        uci set network.@switch[0].enable_vlan=0
-        uci set network.@switch_vlan[0].ports='0 1 2 3 4 5 6'
-    ;;
-    *) ;;
-esac