

Revision 1.1 - (hide annotations) (download)
Thu Apr 1 06:12:21 2021 UTC (3 years, 8 months ago) by jpp
Branch: MAIN
CVS Tags: smeserver-openvpn-routed-0_1_6-5_el7_sme, smeserver-openvpn-routed-0_1_6-3_el7_sme, smeserver-openvpn-routed-0_1_6-6_el7_sme, smeserver-openvpn-routed-0_1_6-4_el7_sme, smeserver-openvpn-routed-0_1_6-7_el7_sme, HEAD
* Thu Apr 01 2021 Jean-Philippe Pialasse <tests@pialasse.com> 0.1.6-3.sme
- autoconfiguration if openvpn-bridge is installed and configured [SME: 11336]
- reworked systemd unit and scripts
- new property HMAC forced to SHA256, instead of insecure default SHA1 [SME: 9925]
- Cipher now enforced to AES-128-CBC, instead of insecure default Blowfish [SME: 9919]
- possibility to exclude networks to push [SME: 10548]

1 jpp 1.1 diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/db/configuration/defaults/openvpn-routed/Cipher smeserver-openvpn-routed-0.1.6/root/etc/e-smith/db/configuration/defaults/openvpn-routed/Cipher
2     --- smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/db/configuration/defaults/openvpn-routed/Cipher 1969-12-31 19:00:00.000000000 -0500
3     +++ smeserver-openvpn-routed-0.1.6/root/etc/e-smith/db/configuration/defaults/openvpn-routed/Cipher 2021-04-01 01:57:09.416000000 -0400
4     @@ -0,0 +1 @@
5     +AES-128-CBC
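Review bot: This default file sets `Cipher` to `AES-128-CBC` wherever the property is absent, and as far as I know e-smith `defaults/` entries are applied on package upgrade as well as on fresh install; if that is the case, the "keep empty for default on existing one" intent written into the 35encryption template is not achieved, and an existing server whose clients rely on the Blowfish default (and do not negotiate ciphers) will stop accepting them after the update until every client config is changed. If upgrading existing installs is intended, the changelog should say so and name the client-side change; if not, the value belongs in a migrate fragment that only fires when `openvpn-routed` is being configured for the first time. I cannot see the e-smith defaults handling from here, so please confirm which behaviour applies.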
6     diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/db/configuration/defaults/openvpn-routed/HMAC smeserver-openvpn-routed-0.1.6/root/etc/e-smith/db/configuration/defaults/openvpn-routed/HMAC
7     --- smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/db/configuration/defaults/openvpn-routed/HMAC 1969-12-31 19:00:00.000000000 -0500
8     +++ smeserver-openvpn-routed-0.1.6/root/etc/e-smith/db/configuration/defaults/openvpn-routed/HMAC 2021-04-01 01:56:54.665000000 -0400
9     @@ -0,0 +1 @@
10     +SHA256
11     diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/35encryption smeserver-openvpn-routed-0.1.6/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/35encryption
12     --- smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/35encryption 1969-12-31 19:00:00.000000000 -0500
13     +++ smeserver-openvpn-routed-0.1.6/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/35encryption 2021-04-01 01:52:17.729000000 -0400
14     @@ -0,0 +1,33 @@
15     +{
16     + #HMAC default is SHA1 if empty, we really want higher on new setup, but keep empty for default on existing one...
17     + # need to be changed on both side
18     + my $HMAC = ( ${'openvpn-routed'}{'HMAC'} ) ? ${'openvpn-routed'}{'HMAC'} : undef;
19     + # cipher default to BF if empty, we really want higher on new setup, but keep empty for default on existing one...
20     + # # here openvpn uses encrypt-then-mc so no issue using CBC rather than GCM, and GCM not implemented before openvpn 2.4 for data channel
21     + my $cipher = ( ${'openvpn-routed'}{'Cipher'} && ${'openvpn-routed'}{'Cipher'} ne 'auto')? ${'openvpn-routed'}{'Cipher'} : undef;
22     +
23     + ## we do not want any tls 1.1 or lower, this does not break anything to force, unless the client is very old and limited to 1.1 or lower
24     + my $tlsVmin = ( ${'openvpn-routed'}{'tlsVmin'} && ( ${'openvpn-routed'}{'tlsVmin'} =~ /^1\.[0-9]{1}$/ ) ) ? ${'openvpn-routed'}{'tlsVmin'} : "1.2";
25     + # TLS 1.3 encryption settings
26     + my $tlsCipherSuites13 = ( ${'openvpn-routed'}{'tlsCipherSuites13'} ) ? ${'openvpn-routed'}{'tlsCipherSuites13'} : "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
27     + # # TLS 1.2 encryption settings
28     + my $tlsCipher12 = ( ${'openvpn-routed'}{'tlsCipher12'} ) ? ${'openvpn-routed'}{'tlsCipher12'} : "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256";
29     +
30     +
31     +
32     + $OUT .= "#securing control channel\n";
33     + $OUT .= "tls-version-min $tlsVmin\n";
34     + $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;
35     + $OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined $tlsCipherSuites13;
36     + #$OUT .= "# we might be able to disable dh param with this one, NSA-'s recommended curve\n";
37     + #$OUT .= "ecdh-curve secp384r1\n";
38     +
39     + # data channel
40     + $OUT .= "#securing data channel\n";
41     + $OUT .= (defined $cipher) ? "cipher $cipher\n" : "# no cipher defined default to Blowfish, this is INSECURE, please consider AES-128-CBC or higher on both client and server\n";
42     + #auth SHA512
43     + $OUT .= (defined $HMAC )? "auth $HMAC\n" : "# no HMAC defined, default to SHA1, please consider SHA256 or higher on both client and server\n";
44     +
45     +
46     +
47     +}
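Review bot: The `tlsVmin` validation on the `my $tlsVmin` line accepts any `1.x` value, so a db value of `1.0` or `1.1` is emitted as `tls-version-min 1.0` in spite of the comment above saying nothing below 1.2 is wanted, and a value such as `1.4` is passed straight to OpenVPN, which will refuse to start. Restrict the pattern to the versions you actually mean to allow: `my $tlsVmin = ( ${'openvpn-routed'}{'tlsVmin'} && ( ${'openvpn-routed'}{'tlsVmin'} =~ /^1\.[23]$/ ) ) ? ${'openvpn-routed'}{'tlsVmin'} : "1.2";`. The `if defined $tlsCipher12` and `if defined $tlsCipherSuites13` guards are dead, since both variables fall back to a non-empty default two lines earlier; either drop the guards or make an empty db value mean "emit nothing". The cipher comment should also read `encrypt-then-mac`, not `encrypt-then-mc`.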
48     diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options smeserver-openvpn-routed-0.1.6/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options
49     --- smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options 2017-04-10 05:18:32.000000000 -0400
50     +++ smeserver-openvpn-routed-0.1.6/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options 2021-04-01 01:52:17.962000000 -0400
51     @@ -3,7 +3,6 @@
52    
53     my $tunMtu = ${'openvpn-routed'}{Mtu} || '';
54     my $fragment = ${'openvpn-routed'}{Fragment} || '';
55     -my $cipher = ${'openvpn-routed'}{Cipher} || '';
56     my $redirectGW = ${'openvpn-routed'}{RedirectGateway} || '';
57     my $proto = ${'openvpn-routed'}{Protocol} || 'udp';
58     my $duplicate = ${'openvpn-routed'}{DuplicateCN} || 'disabled';
59     @@ -37,10 +36,6 @@
60     }
61     $OUT .= "mssfix\n";
62    
63     -if ($cipher ne ''){
64     - $OUT .= "cipher $cipher\n";
65     -}
66     -
67     if ($duplicate eq 'enabled'){
68     $OUT .= "duplicate-cn\n";
69     }
70     diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/70routes smeserver-openvpn-routed-0.1.6/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/70routes
71     --- smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/70routes 2017-04-10 05:18:32.000000000 -0400
72     +++ smeserver-openvpn-routed-0.1.6/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/70routes 2021-04-01 02:04:36.125000000 -0400
73     @@ -19,6 +19,7 @@
74     my $mask = $network->prop('Mask');
75     my $gw = $network->prop('Router') || '';
76     my $vpn = $network->prop('VPN') || '';
77     + next if (($network->prop('PushRoute') || 'enabled') eq 'disabled');
78     next if (($network->prop('VPNRouted') || 'no') eq 'yes');
79     $route .= "push \"route $addr $mask";
80     $route .= " $gw" if ($vpn eq '' && $gw ne '');
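Review bot: The new `PushRoute` check treats every value other than the exact string `disabled` as enabled, whereas the `VPNRouted` check on the very next line uses a `yes`/`no` convention, so an administrator who sets `PushRoute=no` by analogy will still have the route pushed. Either document the accepted values in a template comment and the changelog, or accept both spellings: `next if (($network->prop('PushRoute') || 'enabled') =~ /^(disabled|no)$/);`. The enclosing loop over networks starts before this hunk.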
81     diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/sbin/e-smith/systemd/openvpn-routed smeserver-openvpn-routed-0.1.6/root/sbin/e-smith/systemd/openvpn-routed
82     --- smeserver-openvpn-routed-0.1.6.old/root/sbin/e-smith/systemd/openvpn-routed 1969-12-31 19:00:00.000000000 -0500
83     +++ smeserver-openvpn-routed-0.1.6/root/sbin/e-smith/systemd/openvpn-routed 2021-04-01 01:56:24.102000000 -0400
84     @@ -0,0 +1,30 @@
85     +#!/bin/bash
86     +
87     +[[ ! -f /etc/openvpn/routed/pub/cert.pem && -f /etc/openvpn/bridge/pub/cert.pem ]] && cp -a /etc/openvpn/bridge/pub/cert.pem /etc/openvpn/routed/pub/cert.pem
88     +[[ ! -f /etc/openvpn/routed/pub/cacert.pem && -f /etc/openvpn/bridge/pub/cacert.pem ]] && cp -a /etc/openvpn/bridge/pub/cacert.pem /etc/openvpn/routed/pub/cacert.pem
89     +[[ ! -f /etc/openvpn/routed/pub/dh.pem && -f /etc/openvpn/bridge/pub/dh.pem ]] && cp -a /etc/openvpn/bridge/pub/dh.pem /etc/openvpn/routed/pub/dh.pem
90     +[[ ! -f /etc/openvpn/routed/priv/key.pem && -f /etc/openvpn/bridge/priv/key.pem ]] && cp -a /etc/openvpn/bridge/priv/key.pem /etc/openvpn/routed/priv/key.pem
91     +[[ ! -f /etc/openvpn/routed/priv/takey.pem && -f /etc/openvpn/bridge/priv/takey.pem ]] && cp -a /etc/openvpn/bridge/priv/takey.pem /etc/openvpn/routed/priv/takey.pem
92     +if [[ ! -f /etc/openvpn/routed/pub/cacrl.pem && -f /etc/openvpn/bridge/pub/cacrl.pem ]] ; then
93     + cp -a /etc/openvpn/bridge/pub/cacrl.pem /etc/openvpn/routed/pub/cacrl.pem
94     + CrlUrl=`/sbin/e-smith/config getprop openvpn-bridge CrlUrl`
95     + /sbin/e-smith/config setprop openvpn-routed CrlUrl "$CrlUrl="
96     +
97     + myport=`/sbin/e-smith/config getprop openvpn-routed UDPPort`
98     + oriport="$myiport"
99     + bridgeport=`/sbin/e-smith/config getprop openvpn-bridge UDPPort`
100     + s2sports=`/sbin/e-smith/db openvpn-s2s print |sed -re 's/.*Port\|([0-9]+).*/\1/'|sort|uniq`
101     + while [[ $s2sports =~ $myport || $myport == $bridgeport ]]
102     + do
103     + myport=$[$myport+1]
104     + done
105     + if [[ $myport != $oriport ]]; then
106     + echo "set UDPPort to $myport as $oriport was already taken"
107     + /sbin/e-smith/db configuration setprop openvpn-routed UDPPort $myport
108     + /sbin/e-smith/expand-template /etc/openvpn/routed/openvpn.conf
109     + fi
110     +fi
111     +chmod 0600 /etc/openvpn/routed/priv/*
112     +chmod 0644 /etc/openvpn/routed/pub/*
113     +chown root:admin /etc/openvpn/routed/priv/*
114     +chown root:admin /etc/openvpn/routed/pub/*
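Review bot: `oriport="$myiport"` reads a variable that is never set (a typo for `$myport`), so `oriport` is always empty, the `if [[ $myport != $oriport ]]` test is always true, and every start that copies the CRL rewrites `UDPPort` and re-expands the config even when the port was free; the fix is `oriport="$myport"`. On the `setprop openvpn-routed CrlUrl "$CrlUrl="` line a literal `=` is appended to the copied URL; it should be `"$CrlUrl"`. The `$s2sports =~ $myport` test is an unanchored regex against the whole `db openvpn-s2s print` output (the sed only rewrites lines containing `Port|`, every other line passes through unchanged), so port 1194 "collides" with any record containing those digits and with a port such as 11940; compare whole lines instead, e.g. `grep -qxF -- "$myport" <<<"$s2sports"`. When `UDPPort` is unset `myport` is empty, `[[ $myport == $bridgeport ]]` compares empty strings and the arithmetic then produces port 1, so the block should bail out early if `myport` is empty.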
115     diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/usr/lib/systemd/system/openvpn-routed.service smeserver-openvpn-routed-0.1.6/root/usr/lib/systemd/system/openvpn-routed.service
116     --- smeserver-openvpn-routed-0.1.6.old/root/usr/lib/systemd/system/openvpn-routed.service 2021-04-01 01:49:33.475000000 -0400
117     +++ smeserver-openvpn-routed-0.1.6/root/usr/lib/systemd/system/openvpn-routed.service 2021-04-01 01:53:22.947000000 -0400
118     @@ -1,9 +1,26 @@
119     [Unit]
120     -Description=OpenVPN Server to Server
121     +Description=OpenVPN Server routed for Roadwariors
122     After=network.service
123     +
124     [Service]
125     -Type=forking
126     -ExecStart=/usr/sbin/systemd/openvpn-routed
127     +Type=notify
128     +PrivateTmp=true
129     +WorkingDirectory=/etc/openvpn/routed
130     +
131     +ExecStartPre=-/sbin/e-smith/service-status 'openvpn-routed'
132     +ExecStartPre=-/sbin/e-smith/systemd/openvpn-routed
133     +ExecStart=/usr/sbin/openvpn --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config /etc/openvpn/routed/openvpn.conf --cd /etc/openvpn/routed
134     +
135     +PrivateTmp=true
136     +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
137     +LimitNPROC=10
138     +DeviceAllow=/dev/null rw
139     +DeviceAllow=/dev/net/tun rw
140     +KillMode=process
141     +RestartSec=5s
142     +Restart=on-failure
143     +
144     +
145     [Install]
146     WantedBy=sme-server.target
147    
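Review bot: `--ncp-ciphers ...:BF-CBC` on the `ExecStart` line keeps Blowfish in the negotiable set, so a client whose own list includes BF-CBC can still end up with a 64-bit-block cipher on the data channel (the exact selection rule depends on the OpenVPN version), which undercuts the changelog's claim that the cipher is now enforced to AES-128-CBC and the INSECURE warning the 35encryption template emits; drop `BF-CBC` from the list, since clients that do not negotiate still fall back to the `cipher` line in openvpn.conf. Hard-coding the list in the unit also means the `Cipher` db property has no influence on negotiation; emitting `ncp-ciphers` from a template fragment alongside `cipher` would keep both derived from the same db values. `PrivateTmp=true` appears twice in the `[Service]` section; the duplicate is harmless but should be removed.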
148     diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/usr/sbin/systemd/openvpn-routed smeserver-openvpn-routed-0.1.6/root/usr/sbin/systemd/openvpn-routed
149     --- smeserver-openvpn-routed-0.1.6.old/root/usr/sbin/systemd/openvpn-routed 2021-04-01 01:49:33.476000000 -0400
150     +++ smeserver-openvpn-routed-0.1.6/root/usr/sbin/systemd/openvpn-routed 1969-12-31 19:00:00.000000000 -0500
151     @@ -1,6 +0,0 @@
152     -#!/bin/sh
153     -
154     -exec 2>&1
155     -
156     -exec /usr/sbin/openvpn --config /etc/openvpn/routed/openvpn.conf --cd /etc/openvpn/routed
157     -
