1 |
diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/createlinks smeserver-openvpn-bridge-2.1/createlinks |
2 |
--- smeserver-openvpn-bridge-2.1.old/createlinks 2021-03-23 15:47:30.917000000 -0400 |
3 |
+++ smeserver-openvpn-bridge-2.1/createlinks 2021-03-23 16:04:59.303000000 -0400 |
4 |
@@ -6,15 +6,6 @@ |
5 |
safe_symlink("restart", "root/etc/e-smith/events/network-create/services2adjust/openvpn-bridge"); |
6 |
safe_symlink("restart", "root/etc/e-smith/events/network-delete/services2adjust/openvpn-bridge"); |
7 |
|
8 |
-#service_link_enhanced("openvpn-bridge", "S80", "7"); |
9 |
-#service_link_enhanced("openvpn-bridge", "K25", "6"); |
10 |
-#service_link_enhanced("openvpn-bridge", "K25", "0"); |
11 |
- |
12 |
- |
13 |
-#safe_symlink("../daemontools" , 'root/etc/rc.d/init.d/supervise/openvpn-bridge'); |
14 |
-safe_symlink("/var/service/openvpn-bridge" , 'root/service/openvpn-bridge'); |
15 |
- |
16 |
-safe_touch("root/var/service/openvpn-bridge/down"); |
17 |
|
18 |
panel_link("openvpnbridge", 'manager'); |
19 |
|
20 |
@@ -46,8 +37,8 @@ |
21 |
} |
22 |
|
23 |
#action needed in case we have a systemd unit |
24 |
-event_link("systemd-default", $event, "10"); |
25 |
-event_link("systemd-reload", $event, "50"); |
26 |
+event_link("systemd-default", $event, "88"); |
27 |
+event_link("systemd-reload", $event, "89"); |
28 |
|
29 |
#action specific to this package |
30 |
event_link("openvpn-bridge-update", $event, "60"); |
31 |
diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/cipher smeserver-openvpn-bridge-2.1/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/cipher |
32 |
--- smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/cipher 1969-12-31 19:00:00.000000000 -0500 |
33 |
+++ smeserver-openvpn-bridge-2.1/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/cipher 2021-03-23 16:37:14.278000000 -0400 |
34 |
@@ -0,0 +1 @@ |
35 |
+AES-256-CBC |
36 |
diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/usr/lib/systemd/system/openvpn-bridge.service smeserver-openvpn-bridge-2.1/root/usr/lib/systemd/system/openvpn-bridge.service |
37 |
--- smeserver-openvpn-bridge-2.1.old/root/usr/lib/systemd/system/openvpn-bridge.service 2021-03-23 15:47:30.918000000 -0400 |
38 |
+++ smeserver-openvpn-bridge-2.1/root/usr/lib/systemd/system/openvpn-bridge.service 2021-03-23 16:42:01.732000000 -0400 |
39 |
@@ -1,9 +1,27 @@ |
40 |
[Unit] |
41 |
Description=OpenVPN Server to Server |
42 |
After=network.service |
43 |
+After=bridge.service |
44 |
+Require=bridge.service |
45 |
+ |
46 |
[Service] |
47 |
-Type=forking |
48 |
-ExecStart=/usr/sbin/systemd/openvpn-bridge |
49 |
+Type=notify |
50 |
+PrivateTmp=true |
51 |
+WorkingDirectory=/etc/openvpn/bridge |
52 |
+ |
53 |
+ExecStart=/usr/sbin/openvpn --status /var/log/openvpn-bridge/status.log --status-version 2 --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config /etc/openvpn/bridge/openvpn.conf --cd /etc/openvpn/bridge |
54 |
+ |
55 |
+PrivateTmp=true |
56 |
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE |
57 |
+LimitNPROC=10 |
58 |
+DeviceAllow=/dev/null rw |
59 |
+DeviceAllow=/dev/net/tun rw |
60 |
+ProtectSystem=true |
61 |
+ProtectHome=true |
62 |
+KillMode=process |
63 |
+RestartSec=5s |
64 |
+Restart=on-failure |
65 |
+ |
66 |
[Install] |
67 |
WantedBy=sme-server.target |
68 |
|
69 |
diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/usr/sbin/systemd/openvpn-bridge smeserver-openvpn-bridge-2.1/root/usr/sbin/systemd/openvpn-bridge |
70 |
--- smeserver-openvpn-bridge-2.1.old/root/usr/sbin/systemd/openvpn-bridge 2021-03-23 15:47:30.918000000 -0400 |
71 |
+++ smeserver-openvpn-bridge-2.1/root/usr/sbin/systemd/openvpn-bridge 1969-12-31 19:00:00.000000000 -0500 |
72 |
@@ -1,5 +0,0 @@ |
73 |
-#!/bin/sh |
74 |
- |
75 |
-exec 2>&1 |
76 |
- |
77 |
-exec /usr/sbin/openvpn --config /etc/openvpn/bridge/openvpn.conf --cd /etc/openvpn/bridge |
78 |
diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpnbridge.pm smeserver-openvpn-bridge-2.1/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpnbridge.pm |
79 |
--- smeserver-openvpn-bridge-2.1.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpnbridge.pm 2013-11-11 12:27:02.000000000 -0500 |
80 |
+++ smeserver-openvpn-bridge-2.1/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpnbridge.pm 2021-03-23 16:42:01.498000000 -0400 |
81 |
@@ -650,7 +650,8 @@ |
82 |
} |
83 |
print KEY $key; |
84 |
close KEY; |
85 |
- |
86 |
+ chmod(0600, "$privdir/key.pem" ); |
87 |
+ esmith::util::chownFile("root", "root","$privdir/key.pem" ); |
88 |
if (! open (DH, ">$pubdir/dh.pem")){ |
89 |
$fm->error('ERROR_OPEN_DH','FIRST'); |
90 |
# Tell the user something bad has happened |
91 |
@@ -666,6 +667,8 @@ |
92 |
} |
93 |
print TA $ta; |
94 |
close TA; |
95 |
+ chmod(0600, "$privdir/takey.pem" ); |
96 |
+ esmith::util::chownFile("root", "root","$privdir/takey.pem" ); |
97 |
|
98 |
# Restrict permissions on sensitive data |
99 |
esmith::util::chownFile("root", "root","$privdir"); |
100 |
diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/var/service/openvpn-bridge/log/run smeserver-openvpn-bridge-2.1/root/var/service/openvpn-bridge/log/run |
101 |
--- smeserver-openvpn-bridge-2.1.old/root/var/service/openvpn-bridge/log/run 2013-11-11 12:27:02.000000000 -0500 |
102 |
+++ smeserver-openvpn-bridge-2.1/root/var/service/openvpn-bridge/log/run 1969-12-31 19:00:00.000000000 -0500 |
103 |
@@ -1,23 +0,0 @@ |
104 |
-#!/bin/sh |
105 |
- |
106 |
-#---------------------------------------------------------------------- |
107 |
-# copyright (C) 2003-2006 Mitel Networks Corporation |
108 |
-# |
109 |
-# This program is free software; you can redistribute it and/or modify |
110 |
-# it under the terms of the GNU General Public License as published by |
111 |
-# the Free Software Foundation; either version 2 of the License, or |
112 |
-# (at your option) any later version. |
113 |
-# |
114 |
-# This program is distributed in the hope that it will be useful, |
115 |
-# but WITHOUT ANY WARRANTY; without even the implied warranty of |
116 |
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
117 |
-# GNU General Public License for more details. |
118 |
-# |
119 |
-# You should have received a copy of the GNU General Public License |
120 |
-# along with this program; if not, write to the Free Software |
121 |
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
122 |
-#---------------------------------------------------------------------- |
123 |
-exec \ |
124 |
- /usr/local/bin/setuidgid smelog \ |
125 |
- /usr/local/bin/multilog t s5000000 \ |
126 |
- /var/log/openvpn-bridge |
127 |
diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/var/service/openvpn-bridge/run smeserver-openvpn-bridge-2.1/root/var/service/openvpn-bridge/run |
128 |
--- smeserver-openvpn-bridge-2.1.old/root/var/service/openvpn-bridge/run 2013-11-11 12:27:01.000000000 -0500 |
129 |
+++ smeserver-openvpn-bridge-2.1/root/var/service/openvpn-bridge/run 1969-12-31 19:00:00.000000000 -0500 |
130 |
@@ -1,10 +0,0 @@ |
131 |
-#!/bin/sh |
132 |
- |
133 |
-exec 2>&1 |
134 |
- |
135 |
-BRIDGE=$(/sbin/e-smith/db configuration getprop bridge status) |
136 |
- |
137 |
-[ $BRIDGE == 'enabled' ] || exit 1 |
138 |
- |
139 |
-exec /usr/sbin/openvpn --config /etc/openvpn/bridge/openvpn.conf --cd /etc/openvpn/bridge |
140 |
- |