
Contents of /rpms/smeserver-openvpn-routed/contribs10/smeserver-openvpn-routed-0.1.6-bz11336-sme10compatible.patch



Revision 1.1 - (show annotations) (download)
Thu Apr 1 06:12:21 2021 UTC (3 years, 1 month ago) by jpp
Branch: MAIN
CVS Tags: smeserver-openvpn-routed-0_1_6-5_el7_sme, smeserver-openvpn-routed-0_1_6-3_el7_sme, smeserver-openvpn-routed-0_1_6-6_el7_sme, smeserver-openvpn-routed-0_1_6-4_el7_sme, smeserver-openvpn-routed-0_1_6-7_el7_sme, HEAD
* Thu Apr 01 2021 Jean-Philippe Pialasse <tests@pialasse.com> 0.1.6-3.sme
- autoconfiguration if openvpn-bridge is installed and configured [SME: 11336]
- reworked systemd unit and scripts
- new property HMAC forced to SHA256, instead of insecure default SHA1 [SME: 9925]
- Cipher now enforced to AES-128-CBC, instead of insecure default Blowfish [SME: 9919]
- possibility to exclude networks to push [SME: 10548]

1 diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/db/configuration/defaults/openvpn-routed/Cipher smeserver-openvpn-routed-0.1.6/root/etc/e-smith/db/configuration/defaults/openvpn-routed/Cipher
2 --- smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/db/configuration/defaults/openvpn-routed/Cipher 1969-12-31 19:00:00.000000000 -0500
3 +++ smeserver-openvpn-routed-0.1.6/root/etc/e-smith/db/configuration/defaults/openvpn-routed/Cipher 2021-04-01 01:57:09.416000000 -0400
4 @@ -0,0 +1 @@
5 +AES-128-CBC
6 diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/db/configuration/defaults/openvpn-routed/HMAC smeserver-openvpn-routed-0.1.6/root/etc/e-smith/db/configuration/defaults/openvpn-routed/HMAC
7 --- smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/db/configuration/defaults/openvpn-routed/HMAC 1969-12-31 19:00:00.000000000 -0500
8 +++ smeserver-openvpn-routed-0.1.6/root/etc/e-smith/db/configuration/defaults/openvpn-routed/HMAC 2021-04-01 01:56:54.665000000 -0400
9 @@ -0,0 +1 @@
10 +SHA256
11 diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/35encryption smeserver-openvpn-routed-0.1.6/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/35encryption
12 --- smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/35encryption 1969-12-31 19:00:00.000000000 -0500
13 +++ smeserver-openvpn-routed-0.1.6/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/35encryption 2021-04-01 01:52:17.729000000 -0400
14 @@ -0,0 +1,33 @@
15 +{
16 + #HMAC default is SHA1 if empty, we really want higher on new setup, but keep empty for default on existing one...
17 + # need to be changed on both side
18 + my $HMAC = ( ${'openvpn-routed'}{'HMAC'} ) ? ${'openvpn-routed'}{'HMAC'} : undef;
19 + # cipher default to BF if empty, we really want higher on new setup, but keep empty for default on existing one...
20 + # # here openvpn uses encrypt-then-mc so no issue using CBC rather than GCM, and GCM not implemented before openvpn 2.4 for data channel
21 + my $cipher = ( ${'openvpn-routed'}{'Cipher'} && ${'openvpn-routed'}{'Cipher'} ne 'auto')? ${'openvpn-routed'}{'Cipher'} : undef;
22 +
23 + ## we do not want any tls 1.1 or lower, this does not break anything to force, unless the client is very old and limited to 1.1 or lower
24 + my $tlsVmin = ( ${'openvpn-routed'}{'tlsVmin'} && ( ${'openvpn-routed'}{'tlsVmin'} =~ /^1\.[0-9]{1}$/ ) ) ? ${'openvpn-routed'}{'tlsVmin'} : "1.2";
25 + # TLS 1.3 encryption settings
26 + my $tlsCipherSuites13 = ( ${'openvpn-routed'}{'tlsCipherSuites13'} ) ? ${'openvpn-routed'}{'tlsCipherSuites13'} : "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
27 + # # TLS 1.2 encryption settings
28 + my $tlsCipher12 = ( ${'openvpn-routed'}{'tlsCipher12'} ) ? ${'openvpn-routed'}{'tlsCipher12'} : "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256";
29 +
30 +
31 +
32 + $OUT .= "#securing control channel\n";
33 + $OUT .= "tls-version-min $tlsVmin\n";
34 + $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;
35 + $OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined $tlsCipherSuites13;
36 + #$OUT .= "# we might be able to disable dh param with this one, NSA-'s recommended curve\n";
37 + #$OUT .= "ecdh-curve secp384r1\n";
38 +
39 + # data channel
40 + $OUT .= "#securing data channel\n";
41 + $OUT .= (defined $cipher) ? "cipher $cipher\n" : "# no cipher defined default to Blowfish, this is INSECURE, please consider AES-128-CBC or higher on both client and server\n";
42 + #auth SHA512
43 + $OUT .= (defined $HMAC )? "auth $HMAC\n" : "# no HMAC defined, default to SHA1, please consider SHA256 or higher on both client and server\n";
44 +
45 +
46 +
47 +}
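Review bot: The `tlsVmin` validation `=~ /^1\.[0-9]{1}$/` accepts `1.0` and `1.1`, which the comment two lines above says the template does not want, and also lets through non-existent versions such as `1.7` that openvpn will presumably refuse at startup; `/^1\.[23]$/` matches the stated intent (the `{1}` quantifier is a no-op either way). The `if defined $tlsCipher12` and `if defined $tlsCipherSuites13` guards on the two `$OUT .=` lines are dead code: both ternaries fall back to a literal default string, so the variables are never undef and there is no way to omit either directive. If an empty property is meant to disable the directive, fall back to undef the way the `$HMAC` line does; otherwise drop the guards so the code does not suggest a switch that does not exist.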
48 diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options smeserver-openvpn-routed-0.1.6/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options
49 --- smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options 2017-04-10 05:18:32.000000000 -0400
50 +++ smeserver-openvpn-routed-0.1.6/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options 2021-04-01 01:52:17.962000000 -0400
51 @@ -3,7 +3,6 @@
52
53 my $tunMtu = ${'openvpn-routed'}{Mtu} || '';
54 my $fragment = ${'openvpn-routed'}{Fragment} || '';
55 -my $cipher = ${'openvpn-routed'}{Cipher} || '';
56 my $redirectGW = ${'openvpn-routed'}{RedirectGateway} || '';
57 my $proto = ${'openvpn-routed'}{Protocol} || 'udp';
58 my $duplicate = ${'openvpn-routed'}{DuplicateCN} || 'disabled';
59 @@ -37,10 +36,6 @@
60 }
61 $OUT .= "mssfix\n";
62
63 -if ($cipher ne ''){
64 - $OUT .= "cipher $cipher\n";
65 -}
66 -
67 if ($duplicate eq 'enabled'){
68 $OUT .= "duplicate-cn\n";
69 }
70 diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/70routes smeserver-openvpn-routed-0.1.6/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/70routes
71 --- smeserver-openvpn-routed-0.1.6.old/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/70routes 2017-04-10 05:18:32.000000000 -0400
72 +++ smeserver-openvpn-routed-0.1.6/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/70routes 2021-04-01 02:04:36.125000000 -0400
73 @@ -19,6 +19,7 @@
74 my $mask = $network->prop('Mask');
75 my $gw = $network->prop('Router') || '';
76 my $vpn = $network->prop('VPN') || '';
77 + next if (($network->prop('PushRoute') || 'enabled') eq 'disabled');
78 next if (($network->prop('VPNRouted') || 'no') eq 'yes');
79 $route .= "push \"route $addr $mask";
80 $route .= " $gw" if ($vpn eq '' && $gw ne '');
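Review bot: The added `PushRoute` test treats any value other than the literal `disabled` as enabled, so a mistyped `Disabled` or a `no` silently keeps pushing the route; comparing against the enabling value instead fails closed: `next if (($network->prop('PushRoute') || 'enabled') ne 'enabled');`. The loop this line sits in starts before the hunk, so the other properties it reads are not visible here.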
81 diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/sbin/e-smith/systemd/openvpn-routed smeserver-openvpn-routed-0.1.6/root/sbin/e-smith/systemd/openvpn-routed
82 --- smeserver-openvpn-routed-0.1.6.old/root/sbin/e-smith/systemd/openvpn-routed 1969-12-31 19:00:00.000000000 -0500
83 +++ smeserver-openvpn-routed-0.1.6/root/sbin/e-smith/systemd/openvpn-routed 2021-04-01 01:56:24.102000000 -0400
84 @@ -0,0 +1,30 @@
85 +#!/bin/bash
86 +
87 +[[ ! -f /etc/openvpn/routed/pub/cert.pem && -f /etc/openvpn/bridge/pub/cert.pem ]] && cp -a /etc/openvpn/bridge/pub/cert.pem /etc/openvpn/routed/pub/cert.pem
88 +[[ ! -f /etc/openvpn/routed/pub/cacert.pem && -f /etc/openvpn/bridge/pub/cacert.pem ]] && cp -a /etc/openvpn/bridge/pub/cacert.pem /etc/openvpn/routed/pub/cacert.pem
89 +[[ ! -f /etc/openvpn/routed/pub/dh.pem && -f /etc/openvpn/bridge/pub/dh.pem ]] && cp -a /etc/openvpn/bridge/pub/dh.pem /etc/openvpn/routed/pub/dh.pem
90 +[[ ! -f /etc/openvpn/routed/priv/key.pem && -f /etc/openvpn/bridge/priv/key.pem ]] && cp -a /etc/openvpn/bridge/priv/key.pem /etc/openvpn/routed/priv/key.pem
91 +[[ ! -f /etc/openvpn/routed/priv/takey.pem && -f /etc/openvpn/bridge/priv/takey.pem ]] && cp -a /etc/openvpn/bridge/priv/takey.pem /etc/openvpn/routed/priv/takey.pem
92 +if [[ ! -f /etc/openvpn/routed/pub/cacrl.pem && -f /etc/openvpn/bridge/pub/cacrl.pem ]] ; then
93 + cp -a /etc/openvpn/bridge/pub/cacrl.pem /etc/openvpn/routed/pub/cacrl.pem
94 + CrlUrl=`/sbin/e-smith/config getprop openvpn-bridge CrlUrl`
95 + /sbin/e-smith/config setprop openvpn-routed CrlUrl "$CrlUrl="
96 +
97 + myport=`/sbin/e-smith/config getprop openvpn-routed UDPPort`
98 + oriport="$myiport"
99 + bridgeport=`/sbin/e-smith/config getprop openvpn-bridge UDPPort`
100 + s2sports=`/sbin/e-smith/db openvpn-s2s print |sed -re 's/.*Port\|([0-9]+).*/\1/'|sort|uniq`
101 + while [[ $s2sports =~ $myport || $myport == $bridgeport ]]
102 + do
103 + myport=$[$myport+1]
104 + done
105 + if [[ $myport != $oriport ]]; then
106 + echo "set UDPPort to $myport as $oriport was already taken"
107 + /sbin/e-smith/db configuration setprop openvpn-routed UDPPort $myport
108 + /sbin/e-smith/expand-template /etc/openvpn/routed/openvpn.conf
109 + fi
110 +fi
111 +chmod 0600 /etc/openvpn/routed/priv/*
112 +chmod 0644 /etc/openvpn/routed/pub/*
113 +chown root:admin /etc/openvpn/routed/priv/*
114 +chown root:admin /etc/openvpn/routed/pub/*
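Review bot: `oriport="$myiport"` on the line after the UDPPort lookup reads a variable that is never set, so `$oriport` is always empty, the `$myport != $oriport` test is always true, and the setprop plus template expansion run on every start even when the port did not change (the echo also prints an empty "was already taken" port). The CrlUrl copy a few lines earlier appends a literal `=` to the stored value (`"$CrlUrl="`), which looks like a typo rather than intent. The collision test `$s2sports =~ $myport` is an unanchored regex match, so 1194 is reported taken by a site-to-site port 11940 or by any non-Port line the sed passes through unchanged, and an empty `$myport` (UDPPort unset) matches everything. The rewritten lines below fix all three and replace the deprecated `$[...]` arithmetic; the rest of the script is unchanged.
```shell
# … unchanged: cert/key/dh copy from bridge …
  /sbin/e-smith/config setprop openvpn-routed CrlUrl "$CrlUrl"

  myport=`/sbin/e-smith/config getprop openvpn-routed UDPPort`
  oriport="$myport"
# … unchanged: bridgeport and s2sports lookup …
  while grep -qx -- "$myport" <<<"$s2sports" || [[ $myport == "$bridgeport" ]]
  do
    myport=$((myport + 1))
  done
# … unchanged: setprop, expand-template, chmod/chown …
```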
115 diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/usr/lib/systemd/system/openvpn-routed.service smeserver-openvpn-routed-0.1.6/root/usr/lib/systemd/system/openvpn-routed.service
116 --- smeserver-openvpn-routed-0.1.6.old/root/usr/lib/systemd/system/openvpn-routed.service 2021-04-01 01:49:33.475000000 -0400
117 +++ smeserver-openvpn-routed-0.1.6/root/usr/lib/systemd/system/openvpn-routed.service 2021-04-01 01:53:22.947000000 -0400
118 @@ -1,9 +1,26 @@
119 [Unit]
120 -Description=OpenVPN Server to Server
121 +Description=OpenVPN Server routed for Roadwariors
122 After=network.service
123 +
124 [Service]
125 -Type=forking
126 -ExecStart=/usr/sbin/systemd/openvpn-routed
127 +Type=notify
128 +PrivateTmp=true
129 +WorkingDirectory=/etc/openvpn/routed
130 +
131 +ExecStartPre=-/sbin/e-smith/service-status 'openvpn-routed'
132 +ExecStartPre=-/sbin/e-smith/systemd/openvpn-routed
133 +ExecStart=/usr/sbin/openvpn --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config /etc/openvpn/routed/openvpn.conf --cd /etc/openvpn/routed
134 +
135 +PrivateTmp=true
136 +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
137 +LimitNPROC=10
138 +DeviceAllow=/dev/null rw
139 +DeviceAllow=/dev/net/tun rw
140 +KillMode=process
141 +RestartSec=5s
142 +Restart=on-failure
143 +
144 +
145 [Install]
146 WantedBy=sme-server.target
147
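Review bot: The `--ncp-ciphers` list on the ExecStart line ends with `BF-CBC`, so a client that advertises only Blowfish can still negotiate the data channel down to it, undoing the AES default this same change introduces through the Cipher property; drop it (`--ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC`) unless a known pre-2.4 client requires it, in which case it belongs in a documented opt-in rather than the shipped default. `PrivateTmp=true` appears twice in the [Service] section; keep one. With `Type=notify` openvpn has to be built with systemd support to signal readiness or the start will time out; presumably the EL7 build is, but worth confirming before relying on `Restart=on-failure`.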
148 diff -Nur --no-dereference smeserver-openvpn-routed-0.1.6.old/root/usr/sbin/systemd/openvpn-routed smeserver-openvpn-routed-0.1.6/root/usr/sbin/systemd/openvpn-routed
149 --- smeserver-openvpn-routed-0.1.6.old/root/usr/sbin/systemd/openvpn-routed 2021-04-01 01:49:33.476000000 -0400
150 +++ smeserver-openvpn-routed-0.1.6/root/usr/sbin/systemd/openvpn-routed 1969-12-31 19:00:00.000000000 -0500
151 @@ -1,6 +0,0 @@
152 -#!/bin/sh
153 -
154 -exec 2>&1
155 -
156 -exec /usr/sbin/openvpn --config /etc/openvpn/routed/openvpn.conf --cd /etc/openvpn/routed
157 -
