openvpn: improve netifd integration and implement hotplug logic

This commit enhances the OpenVPN protocol handler to allow netifd to
manage interface addressing and routing, ensuring correct status
reporting in LuCI and ubus.

These changes fix the "pending" interface status issue by ensuring
the tunnel device ($dev) is properly registered with netifd.

Signed-off-by: Chen Minqiang <ptpt52@gmail.com>

Author: ptpt52

net/openvpn/files/lib/netifd/proto/openvpn.sh

@@ -129,7 +129,6 @@ proto_openvpn_setup() {
 	append exec_params "--status /var/run/openvpn.$config.status"
 	append exec_params "--syslog openvpn_$config"
 	append exec_params "--tmp-dir /tmp"
-	[ -n "$config_file" ] && append exec_params "--config \"$config_file\""
 
 	json_get_var ALLOW_DEPRECATED allow_deprecated
 	[ -z "$ALLOW_DEPRECATED" ] && ALLOW_DEPRECATED=0
@@ -144,7 +143,7 @@ proto_openvpn_setup() {
 
 	proto_add_dynamic_defaults
 
-	json_get_vars username password cert_password
+	json_get_vars auth_user_pass askpass username password cert_password
 
 	mkdir -p /var/run
 	# combine into --askpass:
@@ -174,9 +173,7 @@ proto_openvpn_setup() {
 
 	# Check 'script_security' option
 	json_get_var script_security script_security
-	[ -z "$script_security" ] && {
-		script_security=3
-	}
+	[ -z "$script_security" ] && script_security=3
 
 	# Add default hotplug handling if 'script_security' option is equal '3'
 	if [ "$script_security" -eq '3' ]; then
@@ -194,6 +191,11 @@ proto_openvpn_setup() {
 		json_get_vars up down route_up route_pre_down
 		json_get_vars tls_crypt_v2_verify mode learn_address client_connect
 		json_get_vars client_crresponse client_disconnect auth_user_pass_verify
+
+		json_get_vars ifconfig_noexec route_noexec
+		[ -z "$ifconfig_noexec" ] && append exec_params "--ifconfig-noexec"
+		[ -z "$route_noexec" ] && append exec_params "--route-noexec"
+
 		append exec_params "--up '/usr/libexec/openvpn-hotplug'"
 		[ -n "$up" ] && append exec_params "--setenv user_up '$up'"
 
@@ -218,8 +220,11 @@ proto_openvpn_setup() {
 			[ -n "$client_crresponse" ] && append exec_params "--setenv user_client_crresponse '$client_crresponse'"
 			append exec_params "--client-disconnect '/usr/libexec/openvpn-hotplug'"
 			[ -n "$client_disconnect" ] && append exec_params "--setenv user_client_disconnect '$client_disconnect'"
-			append exec_params "--auth-user-pass-verify '/usr/libexec/openvpn-hotplug' via-file"
-			[ -n "$auth_user_pass_verify" ] && append exec_params "--setenv user_auth_user_pass_verify '$auth_user_pass_verify'"
+
+			[ -n "$auth_user_pass_verify" ] && {
+				append exec_params "--auth-user-pass-verify '/usr/libexec/openvpn-hotplug' via-file"
+				append exec_params "--setenv user_auth_user_pass_verify '$auth_user_pass_verify'"
+			}
 		}
 
 		json_get_vars client tls_client tls_server
@@ -231,6 +236,7 @@ proto_openvpn_setup() {
 
 		if [ "$tls_client" = 1 ] || [ "$tls_server" = 1 ]; then
 			append exec_params "--tls-verify '/usr/libexec/openvpn-hotplug'"
+			json_get_var tls_verify tls_verify
 			[ -n "$tls_verify" ] && append exec_params "--setenv user_tls_verify '$tls_verify'"
 		fi
 	else

net/openvpn/files/usr/libexec/openvpn-hotplug

@@ -10,6 +10,106 @@
 	exit
 }
 
+. /lib/functions.sh
+. /lib/netifd/netifd-proto.sh
+
+mask2prefix() {
+	local mask="$1"
+	local n=0
+	local IFS=.
+	for o in $mask; do
+		case $o in
+			255) n=$((n+8)) ;;
+			254) n=$((n+7)) ;;
+			252) n=$((n+6)) ;;
+			248) n=$((n+5)) ;;
+			240) n=$((n+4)) ;;
+			224) n=$((n+3)) ;;
+			192) n=$((n+2)) ;;
+			128) n=$((n+1)) ;;
+			0)   break     ;;
+			*)   break     ;;
+		esac
+	done
+	echo "$n"
+}
+
+parse_cidr6() {
+	local val="$1"
+	local def_plen="$2"
+	local addr="${val%/*}"
+	local plen="${val#*/}"
+	[ "$addr" = "$plen" ] && plen="$def_plen"
+	echo "$addr $plen"
+}
+
+case "$script_type" in
+	up)
+		proto_init_update "$dev" 1
+
+		[ -n "$ifconfig_local" ] && proto_add_ipv4_address "$ifconfig_local" "${ifconfig_netmask:-255.255.255.255}"
+
+		[ -n "$trusted_ip" ] && [ -n "$route_net_gateway" ] && {
+			proto_add_ipv4_route "$trusted_ip" 32 "$route_net_gateway"
+		}
+
+		[ -n "$route_vpn_gateway" ] && proto_add_ipv4_route "0.0.0.0" 0 "$route_vpn_gateway"
+
+		for i in $(seq 1 32); do
+			eval "net=\$route_network_$i mask=\$route_netmask_$i gw=\$route_gateway_$i"
+			[ -z "$net" ] && break
+
+			plen=$(mask2prefix "$mask")
+			proto_add_ipv4_route "$net" "$plen" "$gw"
+		done
+
+		if [ -n "$ifconfig_ipv6_local" ]; then
+			read -r v6addr v6plen <<-EOF
+				$(parse_cidr6 "$ifconfig_ipv6_local" "${ifconfig_ipv6_netbits:-128}")
+			EOF
+			proto_add_ipv6_address "$v6addr" "$v6plen"
+		fi
+
+		[ -n "$trusted_ip6" ] && [ -n "$route_ipv6_gateway" ] && {
+			proto_add_ipv6_route "$trusted_ip6" 128 "$route_ipv6_gateway"
+		}
+
+		[ -n "$ifconfig_ipv6_remote" ] && proto_add_ipv6_route "::" 0 "$ifconfig_ipv6_remote"
+
+		for i in $(seq 1 32); do
+			eval "net=\$route_ipv6_network_$i gw=\$route_ipv6_gateway_$i"
+			[ -z "$net" ] && break
+
+			read -r v6net v6plen <<-EOF
+				$(parse_cidr6 "$net" 128)
+			EOF
+			proto_add_ipv6_route "$v6net" "$v6plen" "$gw"
+		done
+
+		[ -n "$tun_mtu" ] && json_add_int mtu "$tun_mtu"
+
+		for i in $(seq 1 32); do
+			eval "option=\$foreign_option_$i"
+			[ -z "$option" ] && break
+
+			set -- $option
+			[ "$1" != "dhcp-option" ] && continue
+
+			case "$2" in
+				DNS)           proto_add_dns_server "$3" ;;
+				DOMAIN*)       proto_add_dns_search "$3" ;; # Matches DOMAIN and DOMAIN-SEARCH
+			esac
+		done
+
+		proto_send_update "$INTERFACE"
+	;;
+
+	down)
+		proto_init_update "$dev" 0
+		proto_send_update "$INTERFACE"
+	;;
+esac
+
 ACTION="$script_type"
 INSTANCE="$INTERFACE"