Merge pull request #117 from YunoHost-Apps/testing

Testing | Packaging v2 + generate config during upgrade + Add hook scripts

ALL_README.md

@@ -1,6 +1,6 @@
 # All available README files by language
 
 - [Read the README in English](README.md)
+- [Irakurri README euskaraz](README_eu.md)
 - [Lire le README en français](README_fr.md)
 - [Le o README en galego](README_gl.md)
-- [Leggi il “README” in italiano](README_it.md)

README.md

@@ -9,14 +9,14 @@ It shall NOT be edited by hand.
 
 [![Install VPN Client with YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=vpnclient)
 
-*[Read this README is other languages.](./ALL_README.md)*
+*[Read this README in other languages.](./ALL_README.md)*
 
 > *This package allows you to install VPN Client quickly and simply on a YunoHost server.*  
 > *If you don't have YunoHost, please consult [the guide](https://yunohost.org/install) to learn how to install it.*
 
 ## Overview
 
-* Install a VPN connection on your self-hosted server.
+Install a VPN connection on your self-hosted server.
 * Useful for hosting your server behind a filtered (and/or non-neutral) internet access.
 * Useful to have static IP addresses (IPv6 and IPv4).
 * Useful to easily move your server anywhere.
@@ -25,18 +25,15 @@ It shall NOT be edited by hand.
 
 
 
-**Shipped version:** 2.1.2~ynh1
+**Shipped version:** 2.2~ynh1
 
 ## Screenshots
 
 ![Screenshot of VPN Client](./doc/screenshots/vpnclient.png)
 
-## Disclaimers / important information
-
-Please note that this application is designed to interface with **dedicated, public IP VPNs accepting inbound traffic**, preferably with an associated `.cube` (or `.ovpn/.conf`) configuration file. **Do not** expect that any VPN you randomly bought on the Internet can be used! Checkout the [list of known compatible providers](https://yunohost.org/providers/vpn) for more info.
-
 ## Documentation and resources
 
+- Official app website: <https://labriqueinter.net>
 - YunoHost Store: <https://apps.yunohost.org/app/vpnclient>
 - Report a bug: <https://github.com/YunoHost-Apps/vpnclient_ynh/issues>
 

README_eu.md

@@ -0,0 +1,52 @@
+<!--
+Ohart ongi: README hau automatikoki sortu da <https://github.com/YunoHost/apps/tree/master/tools/readme_generator>ri esker
+EZ editatu eskuz.
+-->
+
+# VPN Client YunoHost-erako
+
+[![Integrazio maila](https://dash.yunohost.org/integration/vpnclient.svg)](https://dash.yunohost.org/appci/app/vpnclient) ![Funtzionamendu egoera](https://ci-apps.yunohost.org/ci/badges/vpnclient.status.svg) ![Mantentze egoera](https://ci-apps.yunohost.org/ci/badges/vpnclient.maintain.svg)
+
+[![Instalatu VPN Client YunoHost-ekin](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=vpnclient)
+
+*[Irakurri README hau beste hizkuntzatan.](./ALL_README.md)*
+
+> *Pakete honek VPN Client YunoHost zerbitzari batean azkar eta zailtasunik gabe instalatzea ahalbidetzen dizu.*  
+> *YunoHost ez baduzu, kontsultatu [gida](https://yunohost.org/install) nola instalatu ikasteko.*
+
+## Aurreikuspena
+
+Install a VPN connection on your self-hosted server.
+* Useful for hosting your server behind a filtered (and/or non-neutral) internet access.
+* Useful to have static IP addresses (IPv6 and IPv4).
+* Useful to easily move your server anywhere.
+* Strong firewalling (internet access and self-hosted services only available through the VPN, not leaking to your commercial ISP)
+* Combine with the [Hotspot app](https://github.com/YunoHost-Apps/hotspot_ynh) to broadcast VPN-protected WiFi to other laptops without any further technical configuration needed.
+
+
+
+**Paketatutako bertsioa:** 2.2~ynh1
+
+## Pantaila-argazkiak
+
+![VPN Client(r)en pantaila-argazkia](./doc/screenshots/vpnclient.png)
+
+## Dokumentazioa eta baliabideak
+
+- Aplikazioaren webgune ofiziala: <https://labriqueinter.net>
+- YunoHost Denda: <https://apps.yunohost.org/app/vpnclient>
+- Eman errore baten berri: <https://github.com/YunoHost-Apps/vpnclient_ynh/issues>
+
+## Garatzaileentzako informazioa
+
+Bidali `pull request`a [`testing` abarrera](https://github.com/YunoHost-Apps/vpnclient_ynh/tree/testing).
+
+`testing` abarra probatzeko, ondorengoa egin:
+
+```bash
+sudo yunohost app install https://github.com/YunoHost-Apps/vpnclient_ynh/tree/testing --debug
+edo
+sudo yunohost app upgrade vpnclient -u https://github.com/YunoHost-Apps/vpnclient_ynh/tree/testing --debug
+```
+
+**Informazio gehiago aplikazioaren paketatzeari buruz:** <https://yunohost.org/packaging_apps>

README_fr.md

@@ -16,7 +16,7 @@ Il NE doit PAS être modifié à la main.
 
 ## Vue d’ensemble
 
-* Installez une connexion VPN sur votre serveur auto-hébergé
+Installez une connexion VPN sur votre serveur auto-hébergé
 * Utile pour héberger votre serveur derrière un accès internet filtré (et/ou non-neutre)
 * Utile pour obtenir une IP statique (v4 et v6)
 * Utile pour pouvoir facilement déplacer votre serveur
@@ -25,18 +25,15 @@ Il NE doit PAS être modifié à la main.
 
 
 
-**Version incluse :** 2.1.2~ynh1
+**Version incluse :** 2.2~ynh1
 
 ## Captures d’écran
 
 ![Capture d’écran de VPN Client](./doc/screenshots/vpnclient.png)
 
-## Avertissements / informations importantes
-
-Notez que cette application est prévue pour fonctionner avec des **VPN dédiés et à IP publique qui acceptent le traffic entrant**, et de préférence avec un fichier de configuration `.cube` (ou `.ovpn/.conf`) associé. Un VPN acheté au hasard sur Internet ne fonctionnera sans doute pas ! Consultez [la liste des fournisseurs connus et compatibles](https://yunohost.org/providers/vpn) pour plus d'infos.
-
 ## Documentations et ressources
 
+- Site officiel de l’app : <https://labriqueinter.net>
 - YunoHost Store : <https://apps.yunohost.org/app/vpnclient>
 - Signaler un bug : <https://github.com/YunoHost-Apps/vpnclient_ynh/issues>
 

README_gl.md

@@ -16,7 +16,7 @@ NON debe editarse manualmente.
 
 ## Vista xeral
 
-* Install a VPN connection on your self-hosted server.
+Install a VPN connection on your self-hosted server.
 * Useful for hosting your server behind a filtered (and/or non-neutral) internet access.
 * Useful to have static IP addresses (IPv6 and IPv4).
 * Useful to easily move your server anywhere.
@@ -25,18 +25,15 @@ NON debe editarse manualmente.
 
 
 
-**Versión proporcionada:** 2.1.2~ynh1
+**Versión proporcionada:** 2.2~ynh1
 
 ## Capturas de pantalla
 
 ![Captura de pantalla de VPN Client](./doc/screenshots/vpnclient.png)
 
-## Avisos / información importante
-
-Please note that this application is designed to interface with **dedicated, public IP VPNs accepting inbound traffic**, preferably with an associated `.cube` (or `.ovpn/.conf`) configuration file. **Do not** expect that any VPN you randomly bought on the Internet can be used! Checkout the [list of known compatible providers](https://yunohost.org/providers/vpn) for more info.
-
 ## Documentación e recursos
 
+- Web oficial da app: <https://labriqueinter.net>
 - Tenda YunoHost: <https://apps.yunohost.org/app/vpnclient>
 - Informar dun problema: <https://github.com/YunoHost-Apps/vpnclient_ynh/issues>
 

conf/scripts/route-down.d/10-vpnclient-unset-firewall

@@ -0,0 +1,40 @@
+#!/bin/bash
+
+is_firewall_set() {
+  ip6tables -w -nvL OUTPUT | grep vpnclient_out | grep -q "${wired_device}" \
+  && iptables -w -nvL OUTPUT | grep vpnclient_out | grep -q "${wired_device}"
+}
+
+wired_device=$(ip route | awk '/default via/ { print $5; }')
+
+if is_firewall_set; then
+  rm -f /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
+
+  # IPv4
+
+  iptables -w -D INPUT -i "${wired_device}" -j vpnclient_in
+  iptables -w -D OUTPUT -o "${wired_device}" -j vpnclient_out
+  iptables -w -D FORWARD -o "${wired_device}" -j vpnclient_fwd
+
+  iptables -w -F vpnclient_in
+  iptables -w -F vpnclient_out
+  iptables -w -F vpnclient_fwd
+
+  iptables -w -X vpnclient_in
+  iptables -w -X vpnclient_out
+  iptables -w -X vpnclient_fwd
+
+  # IPv6
+
+  ip6tables -w -D INPUT -i "${wired_device}" -j vpnclient_in
+  ip6tables -w -D OUTPUT -o "${wired_device}" -j vpnclient_out
+  ip6tables -w -D FORWARD -o "${wired_device}" -j vpnclient_fwd
+
+  ip6tables -w -F vpnclient_in
+  ip6tables -w -F vpnclient_out
+  ip6tables -w -F vpnclient_fwd
+
+  ip6tables -w -X vpnclient_in
+  ip6tables -w -X vpnclient_out
+  ip6tables -w -X vpnclient_fwd
+fi

conf/scripts/route-down.d/20-vpnclient-unset-dns

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+is_dns_set() {
+  if [[ "$ynh_dns_method" != "custom" ]]; then
+    return 0
+  fi
+
+  current_dns=$(grep -o -P '^\s*nameserver\s+\K[abcdefABCDEF\d.:]+$' /etc/resolv.dnsmasq.conf | sort | uniq)
+  wanted_dns=$(echo "${ynh_dns}" | sed 's/,/\n/g'  | sort | uniq)
+  [[ -e /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient ]] \
+  && [[ "$current_dns" == "$wanted_dns" ]]
+}
+
+if is_dns_set; then
+  resolvconf=/etc/resolv.dnsmasq.conf
+
+  rm -f /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient
+  if [[ -e "${resolvconf}.ynh" ]]; then
+    mv "${resolvconf}.ynh" "${resolvconf}"
+  fi
+
+  # FIXME : this situation happened to a user ...
+  # We could try to force regen the dns conf 
+  # (though for now it's tightly coupled to dnsmasq)
+  if ! grep -q "^nameserver\s" "${resolvconf}"; then
+    echo "${resolvconf} does not have any nameserver line !?" >&2
+  fi
+fi

conf/scripts/route-down.d/30-vpnclient-unset-server-ipv6-route

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+is_serverip6route_set() {
+  local server_ip6s=${1}
+
+  if [[ -z "${server_ip6s}" ]]; then
+    return 0
+  fi
+
+  for server_ip6 in ${server_ip6s}; do
+    if ! ip -6 route | grep -q "^${server_ip6}"; then
+      return 1
+    fi
+  done
+}
+
+unset_serverip6route() {
+  local server_ip6s=${1}
+  local ip6_gw=${2}
+  local wired_device=${3}
+
+  for server_ip6 in ${server_ip6s}; do
+    ip route delete "${server_ip6}/128" via "${ip6_gw}" dev "${wired_device}"
+  done
+}
+
+old_ip6_gw=$(yunohost app setting vpnclient ip6_gw)
+old_wired_device=$(yunohost app setting vpnclient wired_device)
+old_server_ip6=$(yunohost app setting vpnclient server_ip6)
+
+# Check old state of the server ipv6 route
+if [[ -n "${old_server_ip6}" && -n "${old_ip6_gw}" && -n "${old_wired_device}" ]]; then
+  if is_serverip6route_set "${old_server_ip6}"; then
+    unset_serverip6route "${old_server_ip6}" "${old_ip6_gw}" "${old_wired_device}"
+  fi
+fi

conf/scripts/route-down.d/40-vpnclient-unset-ipv6

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+is_ip6addr_set() {
+  local ip6_addr=${1}
+  ip address show dev tun0 2> /dev/null | grep -q "${ip6_addr}/"
+}
+
+ip6_addr=$(yunohost app setting "vpnclient" "ip6_addr")
+if [[ -n "${ip6_addr}" ]] && [[ "${ip6_addr}" != none ]] && is_ip6addr_set "${ip6_addr}"; then
+  ip address delete "${ip6_addr}/64" dev tun0
+fi

conf/scripts/route-up.d/10-vpnclient-set-firewall

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+is_firewall_set() {
+  local wired_device=$(ip route | awk '/default via/ { print $5; }')
+
+  ip6tables -w -nvL OUTPUT | grep vpnclient_out | grep -q "${wired_device}" \
+  && iptables -w -nvL OUTPUT | grep vpnclient_out | grep -q "${wired_device}"
+}
+
+if ! is_firewall_set; then
+  bash /etc/yunohost/apps/vpnclient/conf/hook_post-iptable-rules
+  cp /etc/yunohost/apps/vpnclient/conf/hook_post-iptable-rules /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
+fi
+
+if is_firewall_set; then
+  echo "[ OK ] IPv6/IPv4 firewall set"
+else
+  echo "[FAIL] No IPv6/IPv4 firewall set" >&2
+  exit 1
+fi

conf/scripts/route-up.d/20-vpnclient-set-dns

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+is_dns_set() {
+  if [[ "$ynh_dns_method" != "custom" ]]; then
+    return 0
+  fi
+
+  current_dns=$(grep -o -P '^\s*nameserver\s+\K[a-fA-F\d.:]+$' /etc/resolv.dnsmasq.conf | sort | uniq)
+  wanted_dns=$(echo "${ynh_dns}" | sed 's/,/\n/g'  | sort | uniq)
+  [[ -e /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient ]] \
+  && [[ "$current_dns" == "$wanted_dns" ]]
+}
+
+ynh_dns_method=$(yunohost app setting vpnclient dns_method)
+ynh_dns=$(yunohost app setting vpnclient nameservers)
+
+# Set host DNS resolvers
+if ! is_dns_set; then
+  resolvconf=/etc/resolv.dnsmasq.conf
+
+  cp -fa "${resolvconf}" "${resolvconf}.ynh"
+  if [[ "$ynh_dns_method" == "custom" ]]; then
+    cat << EOF > /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient
+echo "${ynh_dns}" | sed 's/,/\n/g' | sort | uniq | sed 's/^/nameserver /g' > ${resolvconf}
+EOF
+    bash /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient
+  fi
+fi
+
+if is_dns_set; then
+  echo "[ OK ] Host DNS correctly set"
+else
+  echo "[FAIL] No host DNS set" >&2
+  exit 1
+fi