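diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/db/configuration/defaults/openvpn-routed/Cipher smeserver-openvpn-routed-0.1.6/root/etc/e-smith/db/configuration/defaults/openvpn-routed/Cipher
--- smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/db/configuration/defaults/openvpn-routed/Cipher 1969-12-31 19:00:00.000000000 -0500
+++ smeserver-openvpn-routed-0.1.6/root/etc/e-smith/db/configuration/defaults/openvpn-routed/Cipher 2021-04-01 01:57:09.416000000 -0400
@@ -0,0 +1 @@
+AES-128-CBC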
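Review bot: This new default, together with the `HMAC` default of SHA256 in the next file, conflicts with the comments in the new 35encryption template, which say an empty value is deliberately kept so existing setups stay on OpenVPN's built-in defaults. If the e-smith db layer fills `defaults/` entries in for records that lack the property (I believe it does for missing props, but confirm against the db code in use), an upgraded server will start emitting `cipher AES-128-CBC` and `auth SHA256` while already-deployed clients are still on BF-CBC/SHA1, which is likely to break the data channel for them with nothing in the log pointing at this change. If the upgrade is meant to move everyone to the stronger settings, the template comment should say so; otherwise these defaults should only take effect on fresh installs.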
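diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/db/configuration/defaults/openvpn-routed/HMAC smeserver-openvpn-routed-0.1.6/root/etc/e-smith/db/configuration/defaults/openvpn-routed/HMAC
--- smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/db/configuration/defaults/openvpn-routed/HMAC 1969-12-31 19:00:00.000000000 -0500
+++ smeserver-openvpn-routed-0.1.6/root/etc/e-smith/db/configuration/defaults/openvpn-routed/HMAC 2021-04-01 01:56:54.665000000 -0400
@@ -0,0 +1 @@
+SHA256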
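diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/35encryption smeserver-openvpn-routed-0.1.6/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/35encryption
--- smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/35encryption 1969-12-31 19:00:00.000000000 -0500
+++ smeserver-openvpn-routed-0.1.6/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/35encryption 2021-04-01 01:52:17.729000000 -0400
@@ -0,0 +1,33 @@
+{
+ #HMAC default is SHA1 if empty, we really want higher on new setup, but keep empty for default on existing one...
+ # need to be changed on both side
+ my $HMAC = ( ${'openvpn-routed'}{'HMAC'} ) ? ${'openvpn-routed'}{'HMAC'} : undef;
+ # cipher default to BF if empty, we really want higher on new setup, but keep empty for default on existing one...
+ # # here openvpn uses encrypt-then-mc so no issue using CBC rather than GCM, and GCM not implemented before openvpn 2.4 for data channel
+ my $cipher = ( ${'openvpn-routed'}{'Cipher'} && ${'openvpn-routed'}{'Cipher'} ne 'auto')? ${'openvpn-routed'}{'Cipher'} : undef;
+
+ ## we do not want any tls 1.1 or lower, this does not break anything to force, unless the client is very old and limited to 1.1 or lower
+ my $tlsVmin = ( ${'openvpn-routed'}{'tlsVmin'} && ( ${'openvpn-routed'}{'tlsVmin'} =~ /^1\.[0-9]{1}$/ ) ) ? ${'openvpn-routed'}{'tlsVmin'} : "1.2";
+ # TLS 1.3 encryption settings
+ my $tlsCipherSuites13 = ( ${'openvpn-routed'}{'tlsCipherSuites13'} ) ? ${'openvpn-routed'}{'tlsCipherSuites13'} : "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
+ # # TLS 1.2 encryption settings
+ my $tlsCipher12 = ( ${'openvpn-routed'}{'tlsCipher12'} ) ? ${'openvpn-routed'}{'tlsCipher12'} : "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256";
+
+
+
+ $OUT .= "#securing control channel\n";
+ $OUT .= "tls-version-min $tlsVmin\n";
+ $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;
+ $OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined $tlsCipherSuites13;
+ #$OUT .= "# we might be able to disable dh param with this one, NSA-'s recommended curve\n";
+ #$OUT .= "ecdh-curve secp384r1\n";
+
+ # data channel
+ $OUT .= "#securing data channel\n";
+ $OUT .= (defined $cipher) ? "cipher $cipher\n" : "# no cipher defined default to Blowfish, this is INSECURE, please consider AES-128-CBC or higher on both client and server\n";
+ #auth SHA512
+ $OUT .= (defined $HMAC )? "auth $HMAC\n" : "# no HMAC defined, default to SHA1, please consider SHA256 or higher on both client and server\n";
+
+
+
+}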
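Review bot: The guard on the `my $tlsVmin` line accepts any `1.x`, so a stored `tlsVmin` of `1.0` or `1.1` passes validation and is written out as `tls-version-min`, contradicting the comment directly above it that wants nothing below 1.2; tightening it to `=~ /\A1\.[23]\z/` keeps the stated floor and also stops the `$` anchor from tolerating a trailing newline in the db value. The `if defined $tlsCipher12` and `if defined $tlsCipherSuites13` suffixes on the `tls-cipher`/`tls-ciphersuites` lines are dead, since both variables always fall back to a non-empty default a few lines earlier. Note that `Cipher`, `HMAC`, `tlsCipher12` and `tlsCipherSuites13` are interpolated into openvpn.conf verbatim with no validation; they come from the admin-managed configuration db, so the exposure is low, but a comment such as `# values are trusted admin input; OpenVPN rejects unknown names at start` would make that choice explicit.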
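diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options smeserver-openvpn-routed-0.1.6/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options
--- smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options 2017-04-10 05:18:32.000000000 -0400
+++ smeserver-openvpn-routed-0.1.6/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options 2021-04-01 01:52:17.962000000 -0400
@@ -3,7 +3,6 @@
 
 my $tunMtu = ${'openvpn-routed'}{Mtu} || '';
 my $fragment = ${'openvpn-routed'}{Fragment} || '';
-my $cipher = ${'openvpn-routed'}{Cipher} || '';
 my $redirectGW = ${'openvpn-routed'}{RedirectGateway} || '';
 my $proto = ${'openvpn-routed'}{Protocol} || 'udp';
 my $duplicate = ${'openvpn-routed'}{DuplicateCN} || 'disabled';
@@ -37,10 +36,6 @@
 }
 $OUT .= "mssfix\n";
 
-if ($cipher ne ''){
- $OUT .= "cipher $cipher\n";
-}
-
 if ($duplicate eq 'enabled'){
 $OUT .= "duplicate-cn\n";
 }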
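diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/70routes smeserver-openvpn-routed-0.1.6/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/70routes
--- smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/70routes 2017-04-10 05:18:32.000000000 -0400
+++ smeserver-openvpn-routed-0.1.6/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/70routes 2021-04-01 02:04:36.125000000 -0400
@@ -19,6 +19,7 @@
 my $mask = $network->prop('Mask');
 my $gw = $network->prop('Router') || '';
 my $vpn = $network->prop('VPN') || '';
+next if (($network->prop('PushRoute') || 'enabled') eq 'disabled');
 next if (($network->prop('VPNRouted') || 'no') eq 'yes');
 $route .= "push \"route $addr $mask";
 $route .= " $gw" if ($vpn eq '' && $gw ne '');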
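diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/sbin/e-smith/systemd/openvpn-routed smeserver-openvpn-routed-0.1.6/root/sbin/e-smith/systemd/openvpn-routed
--- smeserver-openvpn-routed-0.1.6.old/root/sbin/e-smith/systemd/openvpn-routed 1969-12-31 19:00:00.000000000 -0500
+++ smeserver-openvpn-routed-0.1.6/root/sbin/e-smith/systemd/openvpn-routed 2021-04-01 01:56:24.102000000 -0400
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+[[ ! -f /etc/openvpn/routed/pub/cert.pem && -f /etc/openvpn/bridge/pub/cert.pem ]] && cp -a /etc/openvpn/bridge/pub/cert.pem /etc/openvpn/routed/pub/cert.pem
+[[ ! -f /etc/openvpn/routed/pub/cacert.pem && -f /etc/openvpn/bridge/pub/cacert.pem ]] && cp -a /etc/openvpn/bridge/pub/cacert.pem /etc/openvpn/routed/pub/cacert.pem
+[[ ! -f /etc/openvpn/routed/pub/dh.pem && -f /etc/openvpn/bridge/pub/dh.pem ]] && cp -a /etc/openvpn/bridge/pub/dh.pem /etc/openvpn/routed/pub/dh.pem
+[[ ! -f /etc/openvpn/routed/priv/key.pem && -f /etc/openvpn/bridge/priv/key.pem ]] && cp -a /etc/openvpn/bridge/priv/key.pem /etc/openvpn/routed/priv/key.pem
+[[ ! -f /etc/openvpn/routed/priv/takey.pem && -f /etc/openvpn/bridge/priv/takey.pem ]] && cp -a /etc/openvpn/bridge/priv/takey.pem /etc/openvpn/routed/priv/takey.pem
+if [[ ! -f /etc/openvpn/routed/pub/cacrl.pem && -f /etc/openvpn/bridge/pub/cacrl.pem ]] ; then
+ cp -a /etc/openvpn/bridge/pub/cacrl.pem /etc/openvpn/routed/pub/cacrl.pem
+ CrlUrl=`/sbin/e-smith/config getprop openvpn-bridge CrlUrl`
+ /sbin/e-smith/config setprop openvpn-routed CrlUrl "$CrlUrl="
+
+ myport=`/sbin/e-smith/config getprop openvpn-routed UDPPort`
+ oriport="$myiport"
+ bridgeport=`/sbin/e-smith/config getprop openvpn-bridge UDPPort`
+ s2sports=`/sbin/e-smith/db openvpn-s2s print |sed -re 's/.*Port\|([0-9]+).*/\1/'|sort|uniq`
+ while [[ $s2sports =~ $myport || $myport == $bridgeport ]]
+ do
+ myport=$[$myport+1]
+ done
+ if [[ $myport != $oriport ]]; then
+ echo "set UDPPort to $myport as $oriport was already taken"
+ /sbin/e-smith/db configuration setprop openvpn-routed UDPPort $myport
+ /sbin/e-smith/expand-template /etc/openvpn/routed/openvpn.conf
+ fi
+fi
+chmod 0600 /etc/openvpn/routed/priv/*
+chmod 0644 /etc/openvpn/routed/pub/*
+chown root:admin /etc/openvpn/routed/priv/*
+chown root:admin /etc/openvpn/routed/pub/*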
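Review bot: `oriport="$myiport"` inside the CRL-migration `if` block reads a variable that is never set (the port was stored in `myport` on the line above), so `oriport` is always empty, the later `[[ $myport != $oriport ]]` always fires, and the echo reports an empty original port; `oriport="$myport"` is what the comparison expects. Two lines earlier, `setprop openvpn-routed CrlUrl "$CrlUrl="` appends a literal `=` to the copied URL, which looks like a typo for `"$CrlUrl"`. The collision test `[[ $s2sports =~ $myport ]]` is an unanchored regex match, so a site-to-site port such as 11940 also counts as a clash with 1194 (harmless, it just bumps the port further than needed), and `$[$myport+1]` is the deprecated arithmetic form; `myport=$(( myport + 1 ))` is the supported one. Backticks throughout would read better as `$(...)`, but that is style only.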
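diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/usr/lib/systemd/system/openvpn-routed.service smeserver-openvpn-routed-0.1.6/root/usr/lib/systemd/system/openvpn-routed.service
--- smeserver-openvpn-routed-0.1.6.old/root/usr/lib/systemd/system/openvpn-routed.service 2021-04-01 01:49:33.475000000 -0400
+++ smeserver-openvpn-routed-0.1.6/root/usr/lib/systemd/system/openvpn-routed.service 2021-04-01 01:53:22.947000000 -0400
@@ -1,9 +1,26 @@
 [Unit]
-Description=OpenVPN Server to Server
+Description=OpenVPN Server routed for Roadwariors
 After=network.service
+
 [Service]
-Type=forking
-ExecStart=/usr/sbin/systemd/openvpn-routed
+Type=notify
+PrivateTmp=true
+WorkingDirectory=/etc/openvpn/routed
+
+ExecStartPre=-/sbin/e-smith/service-status 'openvpn-routed'
+ExecStartPre=-/sbin/e-smith/systemd/openvpn-routed
+ExecStart=/usr/sbin/openvpn --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config /etc/openvpn/routed/openvpn.conf --cd /etc/openvpn/routed
+
+PrivateTmp=true
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+LimitNPROC=10
+DeviceAllow=/dev/null rw
+DeviceAllow=/dev/net/tun rw
+KillMode=process
+RestartSec=5s
+Restart=on-failure
+
+
 [Install]
 WantedBy=sme-server.target
 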
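Review bot: The `--ncp-ciphers` list on the new `ExecStart` line ends with `BF-CBC`, so a peer that only offers Blowfish can still negotiate it for the data channel — the same cipher the new 35encryption template calls INSECURE in its fallback comment, and a 64-bit block cipher in any case. Dropping it, `ExecStart=/usr/sbin/openvpn --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC --config /etc/openvpn/routed/openvpn.conf --cd /etc/openvpn/routed`, keeps negotiation on AES; clients without cipher negotiation presumably still fall back to the `cipher` directive the template emits, which is worth confirming against the OpenVPN version shipped. `PrivateTmp=true` appears twice in `[Service]` and the second copy can go. `Type=notify` only works if this openvpn build was compiled with systemd support, otherwise the unit never reaches active, so that is worth checking too. The new Description misspells Roadwarriors.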
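diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/usr/sbin/systemd/openvpn-routed smeserver-openvpn-routed-0.1.6/root/usr/sbin/systemd/openvpn-routed
--- smeserver-openvpn-routed-0.1.6.old/root/usr/sbin/systemd/openvpn-routed 2021-04-01 01:49:33.476000000 -0400
+++ smeserver-openvpn-routed-0.1.6/root/usr/sbin/systemd/openvpn-routed 1969-12-31 19:00:00.000000000 -0500
@@ -1,6 +0,0 @@
-#!/bin/sh
-
-exec 2>&1
-
-exec /usr/sbin/openvpn --config /etc/openvpn/routed/openvpn.conf --cd /etc/openvpn/routed
-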