security/openconnect: New plugin (#462)

2026-05-22 18:44:07 -07:00 · 2018-01-06 11:56:06 +01:00
parent 789845004b
commit db06a4d140
18 changed files with 502 additions and 0 deletions
@@ -0,0 +1,8 @@
+PLUGIN_NAME=		openconnect
+PLUGIN_VERSION=		0.1
+PLUGIN_COMMENT=		OpenConnect Client
+PLUGIN_DEPENDS=		openconnect
+PLUGIN_MAINTAINER=	m.muenz@gmail.com
+PLUGIN_DEVEL=       yes
+
+.include "../../Mk/plugins.mk"
@@ -0,0 +1,11 @@
+OpenConnect is an SSL VPN client initially created to support
+Cisco's AnyConnect SSL VPN. It has since been ported to support
+the Juniper SSL VPN which is now known as Pulse Connect Secure.
+
+OpenConnect is released under the GNU Lesser Public License, version 2.1.
+
+Like vpnc, OpenConnect is not officially supported by, or associated
+in any way with, Cisco Systems, Juniper Networks or Pulse Secure.
+It just happens to interoperate with their equipment.
+
+WWW: http://www.infradead.org/openconnect/
@@ -0,0 +1,88 @@
+<?php
+
+/*
+    Copyright (C) 2018 Michael Muenz
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+function openconnect_enabled()
+{
+    $model = new \OPNsense\Openconnect\General();
+    if ((string)$model->enabled == '1') {
+        return true;
+    }
+
+    return false;
+}
+
+function openconnect_services()
+{
+    global $config;
+
+    $services = array();
+
+    if (isset($config['OPNsense']['openconnect']['general']['enabled']) && $config['OPNsense']['openconnect']['general']['enabled'] == 1) {
+        $services[] = array(
+            'description' => gettext('Openconnect Client'),
+            'configd' => array(
+                'restart' => array('openconnect restart'),
+                'start' => array('openconnect start'),
+                'stop' => array('openconnect stop'),
+            ),
+            'name' => 'openconnect',
+            'pidfile' => '/var/run/openconnect.pid'
+        );
+    }
+
+    return $services;
+}
+
+
+function openconnect_interfaces()
+{
+    $interfaces = array();
+
+    if (!openconnect_enabled()) {
+        return $interfaces;
+    }
+
+    $oic = array('enable' => true);
+    $oic['if'] = 'ocvpn';
+    $oic['descr'] = 'OpenConnect';
+    $oic['type'] = 'group';
+    $oic['virtual'] = true;
+    $oic['networks'] = array();
+    $interfaces['ocvpn'] = $oic;
+
+    return $interfaces;
+}
+
+function openconnect_xmlrpc_sync()
+{
+    $result = array();
+    $result['id'] = 'openconnectvpn';
+    $result['section'] = 'OPNsense.openconnect';
+    $result['description'] = gettext('OpenConnect Client');
+    return array($result);
+}
@@ -0,0 +1,58 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+# PROVIDE: opnsense-openconnect
+# REQUIRE: SERVERS
+# KEYWORD: shutdown
+#
+
+. /etc/rc.subr
+
+name=openconnect
+
+stop_cmd=openconnect_stop
+start_cmd=openconnect_start
+status_cmd=openconnect_status
+rcvar=openconnect_enable
+
+load_rc_config opnsense-openconnect
+pidfile=/var/run/${name}.pid
+command=/usr/local/sbin/${name}
+
+secret=/usr/local/etc/openconnect.secret
+
+[ -z "$openconnect_enable" ] && openconnect_enable="NO"
+
+# status of openconnect
+openconnect_status()
+{
+	 if [ -n "$rc_pid" ]; then
+	     echo "${name} is running as pid $rc_pid."
+	     return 0
+	 else
+	     echo "${name} is not running."
+	 fi
+}
+
+# stop openconnect
+openconnect_stop()
+{
+	echo "stopping openconnect"
+	killall openconnect
+	ifconfig ocvpn0 destroy
+	return 0
+}
+
+# start openconnect
+openconnect_start()
+{
+        echo "starting openconnect"  
+	/usr/local/sbin/openconnect ${openconnect_flags} < /usr/local/etc/openconnect.secret 2>&1 > /dev/null
+        sleep 5
+	ifconfig tun30000 name ocvpn0
+	ifconfig ocvpn0 group ocvpn
+	return 0
+}
+
+run_rc_command $1
@@ -0,0 +1,39 @@
+<?php
+
+/**
+ *    Copyright (C) 2018 Michael Muenz
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Openconnect\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+class GeneralController extends ApiMutableModelControllerBase
+{
+    static protected $internalModelClass = '\OPNsense\Openconnect\General';
+    static protected $internalModelName = 'general';
+}
@@ -0,0 +1,43 @@
+<?php
+
+/**
+ *    Copyright (C) 2015 - 2017 Deciso B.V.
+ *    Copyright (C) 2017 Michael Muenz
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Openconnect\Api;
+
+use OPNsense\Base\ApiMutableServiceControllerBase;
+use OPNsense\Core\Backend;
+
+class ServiceController extends ApiMutableServiceControllerBase
+{
+    static protected $internalServiceClass = '\OPNsense\Openconnect\General';
+    static protected $internalServiceTemplate = 'OPNsense/Openconnect';
+    static protected $internalServiceEnabled = 'enabled';
+    static protected $internalServiceName = 'openconnect';
+}
@@ -0,0 +1,38 @@
+<?php
+
+/*
+    Copyright (C) 2018 Michael Muenz
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\Openconnect;
+
+class GeneralController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->generalForm = $this->getForm("general");
+        $this->view->pick('OPNsense/Openconnect/general');
+    }
+}
@@ -0,0 +1,26 @@
+<form>
+    <field>
+        <id>general.enabled</id>
+        <label>Enable</label>
+        <type>checkbox</type>
+        <help>This will activate OpenConnect Client.</help>
+    </field>
+    <field>
+        <id>general.server</id>
+        <label>VPN Server</label>
+        <type>text</type>
+        <help>The FQDN or IP address of the VPN server.</help>
+    </field>
+    <field>
+        <id>general.user</id>
+        <label>Username</label>
+        <type>text</type>
+        <help>The user name for this connection.</help>
+    </field>
+    <field>
+        <id>general.password</id>
+        <label>Password</label>
+        <type>password</type>
+        <help>The password name for this connection. Be aware that it will stored in cleartext on this device.</help>
+    </field>
+</form>
@@ -0,0 +1,9 @@
+<acl>
+    <page-openconnect-config>
+        <name>VPN: OpenConnect configuration</name>
+        <patterns>
+            <pattern>ui/openconnect/*</pattern>
+            <pattern>api/openconnect/*</pattern>
+        </patterns>
+    </page-openconnect-config>
+</acl>
@@ -0,0 +1,35 @@
+<?php
+
+/*
+    Copyright (C) 2018 Michael Muenz
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\Openconnect;
+
+use OPNsense\Base\BaseModel;
+
+class General extends BaseModel
+{
+}
@@ -0,0 +1,27 @@
+<model>
+    <mount>//OPNsense/openconnect/general</mount>
+    <description>Openconnect configuration</description>
+    <version>1.0.0</version>
+    <items>
+        <enabled type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </enabled>
+        <server type="TextField">
+            <default>server</default>
+            <Required>Y</Required>
+            <mask>/\S*/</mask>
+            <ValidationMessage>Please provide IP or hostname (no spaces allowed).</ValidationMessage>
+        </server>
+        <user type="TextField">
+            <default>user</default>
+            <Required>Y</Required>
+            <mask>/^[a-z0-9._-]{1,32}$/</mask>
+            <ValidationMessage>Please provide a valid username. Allowed characters are a-z0-9._- and it has to be 1-32 characters long.</ValidationMessage>
+        </user>
+        <password type="TextField">
+            <default>password</default>
+            <Required>Y</Required>
+        </password>
+    </items>
+</model>
@@ -0,0 +1,5 @@
+<menu>
+    <VPN>
+      <OpenConnect cssClass="fa fa-lock fa-fw" url="/ui/openconnect/general/index" order="15" />
+    </VPN>
+</menu>
@@ -0,0 +1,61 @@
+{#
+
+OPNsense® is Copyright © 2014 – 2018 by Deciso B.V.
+This file is Copyright © 2018 by Michael Muenz
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+1.  Redistributions of source code must retain the above copyright notice,
+    this list of conditions and the following disclaimer.
+
+2.  Redistributions in binary form must reproduce the above copyright notice,
+    this list of conditions and the following disclaimer in the documentation
+    and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+#}
+<div class="content-box" style="padding-bottom: 1.5em;">
+    {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
+    <div class="col-md-12">
+        <hr />
+        <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
+    </div>
+</div>
+
+<script type="text/javascript">
+    $( document ).ready(function() {
+        var data_get_map = {'frm_general_settings':"/api/openconnect/general/get"};
+        mapDataToFormUI(data_get_map).done(function(data){
+            formatTokenizersUI();
+            $('.selectpicker').selectpicker('refresh');
+        });
+        ajaxCall(url="/api/openconnect/service/status", sendData={}, callback=function(data,status) {
+            updateServiceStatusUI(data['status']);
+        });
+
+        // link save button to API set action
+        $("#saveAct").click(function(){
+            saveFormToEndpoint(url="/api/openconnect/general/set", formid='frm_general_settings',callback_ok=function(){
+                    $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
+                    ajaxCall(url="/api/openconnect/service/reconfigure", sendData={}, callback=function(data,status) {
+                            ajaxCall(url="/api/openconnect/service/status", sendData={}, callback=function(data,status) {
+                                    updateServiceStatusUI(data['status']);
+                            });
+                            $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
+                    });
+            });
+        });
+    });
+</script>
@@ -0,0 +1,23 @@
+[stop]
+command:sh /usr/local/etc/rc.d/opnsense-openconnect onestop;exit 0
+parameters:
+type:script_output
+message:stop openconnect
+
+[start]
+command:sh /usr/local/etc/rc.d/opnsense-openconnect onestart
+parameters:
+type:script_output
+message:start openconnect
+
+[restart]
+command:sh /usr/local/etc/rc.d/opnsense-openconnect onestop;exit 0;sh /usr/local/etc/rc.d/opnsense-openconnect onestart
+parameters:
+type:script_output
+message:restart openconnect
+
+[status]
+command:sh /usr/local/etc/rc.d/opnsense-openconnect status
+parameters:
+type:script_output
+message:openconnect status
@@ -0,0 +1,3 @@
+openconnect:/etc/rc.conf.d/opnsense-openconnect
+openconnect.conf:/usr/local/etc/openconnect.conf
+openconnect.secret:/usr/local/etc/openconnect.secret
@@ -0,0 +1,12 @@
+{% if helpers.exists('OPNsense.openconnect.general.enabled') and OPNsense.openconnect.general.enabled == '1' %}
+openconnect_enable="YES"
+{%   if helpers.exists('OPNsense.openconnect.general.server') and OPNsense.openconnect.general.server != '' %}
+{%     if helpers.exists('OPNsense.openconnect.general.user') and OPNsense.openconnect.general.user != '' %}
+{%       if helpers.exists('OPNsense.openconnect.general.password') and OPNsense.openconnect.general.password != '' %}
+openconnect_flags="--config=/usr/local/etc/openconnect.conf {{ OPNsense.openconnect.general.server }}"
+{%       endif %}
+{%     endif %}
+{%   endif %}
+{% else %}
+openconnect_enable="NO"
+{% endif %}
@@ -0,0 +1,11 @@
+{% if helpers.exists('OPNsense.openconnect.general.enabled') and OPNsense.openconnect.general.enabled == '1' %}
+{%   if helpers.exists('OPNsense.openconnect.general.user') and OPNsense.openconnect.general.user != '' %}
+user={{ OPNsense.openconnect.general.user }}
+{%   endif %}
+pid-file=/var/run/openconnect.pid
+background
+quiet
+interface=tun30000
+syslog
+passwd-on-stdin
+{% endif %}
@@ -0,0 +1,5 @@
+{% if helpers.exists('OPNsense.openconnect.general.enabled') and OPNsense.openconnect.general.enabled == '1' %}
+{%   if helpers.exists('OPNsense.openconnect.general.password') and OPNsense.openconnect.general.password != '' %}
+{{ OPNsense.openconnect.general.password }}
+{%   endif %}
+{% endif %}