From 1bc478fbaa16239d31d484e0955ed5e761ce201a Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Mon, 29 Apr 2019 13:35:28 +0200 Subject: [PATCH] openvpn: remove gw switching logic; closes #3449 This removes the last part of gw switching capabilities from OpenVPN in a backwards-incompatible way. For clients they can already reconnect if you use "any" or an internal LAN. For servers you don't bind to WAN in Multi-WAN or gateway groups. Use localhost + NAT rules for both WANs instead. Discussed with: @adschellevis --- LICENSE | 2 +- plist | 2 - src/etc/inc/plugins.inc.d/openvpn.inc | 45 +-------- src/etc/rc.monitor | 1 - src/etc/rc.openvpn | 99 ------------------- .../conf/actions.d/actions_openvpn.conf | 5 - 6 files changed, 3 insertions(+), 151 deletions(-) delete mode 100755 src/etc/rc.openvpn delete mode 100644 src/opnsense/service/conf/actions.d/actions_openvpn.conf
diff --git a/LICENSE b/LICENSE
index bc3f22718..8eefdccf5 100644
--- a/LICENSE
+++ b/LICENSE
@@ -32,7 +32,7 @@ Copyright (c) 2004-2005 Jonathan Watt
 Copyright (c) 2014-2015 Jos Schellevis
 Copyright (c) 2003-2004 Justin Ellison
 Copyright (c) 2015 Manuel Faux
-Copyright (c) 2003-2007 Manuel Kasper
+Copyright (c) 2003-2006 Manuel Kasper
 Copyright (c) 2012 Marcello Coutinho
 Copyright (c) 2018 Martin Wasley
 Copyright (c) 2010-2015 Michael Bostock
diff --git a/plist b/plist
index 0e10aa20c..1250aacc8 100644
--- a/plist
+++ b/plist
@@ -98,7 +98,6 @@
 /usr/local/etc/rc.monitor
 /usr/local/etc/rc.newwanip
 /usr/local/etc/rc.newwanipv6
-/usr/local/etc/rc.openvpn
 /usr/local/etc/rc.reboot
 /usr/local/etc/rc.reload_all
 /usr/local/etc/rc.resolv_conf_generate
@@ -777,7 +776,6 @@
 /usr/local/opnsense/service/conf/actions.d/actions_monit.conf
 /usr/local/opnsense/service/conf/actions.d/actions_netflow.conf
 /usr/local/opnsense/service/conf/actions.d/actions_openssh.conf
-/usr/local/opnsense/service/conf/actions.d/actions_openvpn.conf
 /usr/local/opnsense/service/conf/actions.d/actions_plugins.conf
 /usr/local/opnsense/service/conf/actions.d/actions_proxy.conf
 /usr/local/opnsense/service/conf/actions.d/actions_system.conf
diff --git a/src/etc/inc/plugins.inc.d/openvpn.inc b/src/etc/inc/plugins.inc.d/openvpn.inc
index fb8bfce3f..e932ee69f 100644
--- a/src/etc/inc/plugins.inc.d/openvpn.inc
+++ b/src/etc/inc/plugins.inc.d/openvpn.inc
@@ -567,9 +567,6 @@ function openvpn_reconfigure($mode, $settings, $device_only = false)
 /* defaults to SHA1, so use it when unset to maintain compatibility */
 $digest = !empty($settings['digest']) ? $settings['digest'] : 'SHA1';
- /* the function is used incorrectly, but works as it only checks the link connectivity */
- $interface = get_real_interface($settings['interface']);
-
 /*
 * If a specific IP address (VIP) is requested, use it.
 * Otherwise, if a specific interface is requested, use
@@ -963,14 +960,9 @@ function openvpn_reconfigure($mode, $settings, $device_only = false)
 openvpn_add_custom($settings, $conf);
- openvpn_create_dirs();
- $fpath = "/var/etc/openvpn/{$mode_id}.conf";
- file_put_contents($fpath, $conf);
- unset($conf);
- $fpath = "/var/etc/openvpn/{$mode_id}.interface";
- file_put_contents($fpath, $interface);
+ file_put_contents("/var/etc/openvpn/{$mode_id}.conf", $conf);
+ @chmod("/var/etc/openvpn/{$mode_id}.conf", 0600);
- @chmod("/var/etc/openvpn/{$mode_id}.interface", 0600);
 @chmod("/var/etc/openvpn/{$mode_id}.key", 0600);
 @chmod("/var/etc/openvpn/{$mode_id}.tls-auth", 0600);
 @chmod("/var/etc/openvpn/{$mode_id}.conf", 0600);
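Review bot: The new `file_put_contents("/var/etc/openvpn/{$mode_id}.conf", $conf);` discards its return value while the `openvpn_create_dirs()` call that used to precede the write is dropped, so a missing `/var/etc/openvpn` directory or a failed write would pass silently and the daemon would be restarted against a stale or absent config; a guard such as `if (file_put_contents("/var/etc/openvpn/{$mode_id}.conf", $conf) === false) { log_error("OpenVPN: failed to write {$mode_id}.conf"); }` would surface it, unless the directory is now guaranteed earlier in `openvpn_reconfigure()`, whose body lies outside this hunk. The added `@chmod("/var/etc/openvpn/{$mode_id}.conf", 0600);` is repeated verbatim three lines further down, so one of the two copies should go. Because the file is created under the process umask before the chmod runs, there is a brief window in which a file the code itself treats as sensitive (it is tightened to 0600) may be readable by other local users; wrapping the write in `umask(077)` or writing to a 0600 temporary file and renaming it into place closes that window.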
@@ -1608,36 +1600,3 @@ function openvpn_refresh_crls()
 }
 }
 }
-
-function openvpn_resync_if_needed($mode, $ovpn_settings, $interface)
-{
- global $config;
-
- $resync_needed = true;
- if (isset($ovpn_settings['disable'])) {
- $resync_needed = false;
- } else {
- if (!empty($interface)) {
- $mode_id = $mode . $ovpn_settings['vpnid'];
- $fpath = "/var/etc/openvpn/{$mode_id}.interface";
- if (file_exists($fpath)) {
- $current_device = file_get_contents($fpath);
- $current_device = trim($current_device, " \t\n");
- /* the function is used incorrectly, but works as it only checks the link connectivity */
- $new_device = get_real_interface($ovpn_settings['interface']);
- if (isset($config['interfaces'][$interface])) {
- /* this is tied to IPv4, but as stated above it only checks the link connectivity */
- $this_device = $config['interfaces'][$interface]['if'];
- if (($current_device == $new_device) && ($current_device != $this_device)) {
- $resync_needed = false;
- }
- }
- }
- }
- }
- if ($resync_needed == true) {
- log_error("OpenVPN: Resync " . $mode_id . " " . $ovpn_settings['description']);
- openvpn_reconfigure($mode, $ovpn_settings);
- openvpn_restart($mode, $ovpn_settings);
- }
-}
diff --git a/src/etc/rc.monitor b/src/etc/rc.monitor
index f12158132..b12c2061f 100755
--- a/src/etc/rc.monitor
+++ b/src/etc/rc.monitor
@@ -37,7 +37,6 @@ fi # XXX we should use configctl plugins configure here /usr/local/opnsense/service/configd_ctl.py -m \ "filter reload" \ - "openvpn reload ${GATEWAY}" \ "dyndns reload ${GATEWAY}" \ "rfc2136 reload ${GATEWAY}"
diff --git a/src/etc/rc.openvpn b/src/etc/rc.openvpn
deleted file mode 100755
index 931fc288d..000000000
--- a/src/etc/rc.openvpn
+++ /dev/null
@@ -1,99 +0,0 @@
-#!/usr/local/bin/php
-
- * Copyright (C) 2009 Seth Mos
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- * this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-require_once("util.inc");
-require_once("config.inc");
-require_once("interfaces.inc");
-require_once("filter.inc");
-require_once("plugins.inc.d/openvpn.inc");
-
-function try_lock($lock, $timeout = 5)
-{
- if (!$lock) {
- die(gettext("WARNING: You must give a name as parameter to try_lock() function."));
- }
-
- if (!file_exists("/tmp/{$lock}.lock")) {
- @touch("/tmp/{$lock}.lock");
- @chmod("/tmp/{$lock}.lock", 0666);
- }
-
- if ($fp = fopen("/tmp/{$lock}.lock", "w")) {
- $trycounter = 0;
- while(!flock($fp, LOCK_EX | LOCK_NB)) {
- if ($trycounter >= $timeout) {
- fclose($fp);
- return NULL;
- }
- sleep(1);
- $trycounter++;
- }
-
- return $fp;
- }
-
- return NULL;
-}
-
-
-/* make sure to wait until the boot scripts have finished */
-if (file_exists('/var/run/booting')) {
- return;
-}
-
-/* Input argument is a gateway name, blank or "all". */
-$argument = trim($argv[1], " \n");
-
-if (isset($config['openvpn']['openvpn-server']) || isset($config['openvpn']['openvpn-client'])) {
- $log_text = "endpoints that may use " . $argument;
- log_error("OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading " . $log_text . ".");
-} else {
- return;
-}
-
-$openvpnlck = try_lock('openvpn', 10);
-if (!$openvpnlck) {
- log_error('Could not obtain openvpn lock for executing rc.openvpn for more than 10 seconds continuing...');
- @unlink("/tmp/openvpn.lock");
- $openvpnlck = lock('openvpn', LOCK_EX);
-}
-
-$interface = (new \OPNsense\Routing\Gateways(legacy_interfaces_details()))->getInterfaceName($argument);
-foreach (['server', 'client'] as $ovpntype) {
- if(is_array($config['openvpn']['openvpn-'.$ovpntype])) {
- foreach($config['openvpn']['openvpn-'.$ovpntype] as &$confitem) {
- if ($confitem['interface'] == $interface || empty($interface)) {
- openvpn_resync_if_needed($ovpntype, $confitem, $interface);
- }
- }
- }
-}
-
-unlock($openvpnlck);
diff --git a/src/opnsense/service/conf/actions.d/actions_openvpn.conf b/src/opnsense/service/conf/actions.d/actions_openvpn.conf
deleted file mode 100644
index 2926bc534..000000000
--- a/src/opnsense/service/conf/actions.d/actions_openvpn.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-[reload]
-command:/usr/local/etc/rc.openvpn
-parameters:%s
-type:script
-message:Restarting OpenVPN tunnels/interfaces %s