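--- a/createlinks
+++ b/createlinks
@@ -5,9 +5,7 @@
 safe_symlink("restart", "root/etc/e-smith/events/openvpn-s2s-update/services2adjust/openvpn-s2s");
 safe_symlink("adjust", "root/etc/e-smith/events/openvpn-s2s-update/services2adjust/masq");
 
-#service_link_enhanced("openvpn-s2s", "S80", "7");
-#service_link_enhanced("openvpn-s2s", "K25", "6");
-#service_link_enhanced("openvpn-s2s", "K25", "0");
+event_link("openvpn-s2s-onelink", "openvpn-s2s-update-one", "50");
 
 event_link("openvpn-s2s-delete-networks", "openvpn-s2s-update", "10");
 event_link("openvpn-s2s-genconf", "openvpn-s2s-update", "20");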
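--- a/root/etc/e-smith/events/actions/openvpn-s2s-onelink
+++ b/root/etc/e-smith/events/actions/openvpn-s2s-onelink
@@ -0,0 +1,60 @@
+#!/usr/bin/perl -w
+
+#----------------------------------------------------------------------
+# copyright (C) 2010 Firewall Services
+# Daniel Berteaud <daniel@firewall-services.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#----------------------------------------------------------------------
+
+use strict;
+use esmith::templates;
+use esmith::ConfigDB;
+
+
+my $event = $ARGV [0];
+my $vpn = $ARGV [1];
+my $lock="/var/lock/subsys/openvpn-s2s";
+my $piddir="/var/run/openvpn-s2s";
+
+die "missing vpn name" unless defined $vpn;
+
+my $db = esmith::ConfigDB->open_ro("openvpn-s2s");
+
+my $conf = $db->get($vpn) or die "unknown site to site vpn";
+
+my $key = $conf->key;
+my $status = $conf->prop('status') || 'disabled';
+if ($status eq 'enabled'){
+ processTemplate(
+ {
+ TEMPLATE_PATH => "/etc/openvpn/s2s/openvpn-s2s.conf",
+ MORE_DATA => {DB_KEY=>$key},
+ OUTPUT_FILENAME => "/etc/openvpn/s2s/$key.conf",
+ });
+
+ if ( -f $lock ) {
+ my $pidf = "$piddir/$key.pid";
+ if ( -f $pidf ) {
+ my $pid=`cat $pidf`;
+ kill 'USR1', $pid || exit 1 ;
+ exit 0;
+ }
+ }
+ else {
+ print "openvpn: service not started";
+ exit 1
+ }
+}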
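Review bot: `kill 'USR1', $pid || exit 1 ;` binds `||` to `$pid`, so the script exits 1 only when the pid string is false and never checks whether the signal was delivered, and `$pid` itself comes from a backtick `cat` with its trailing newline and with no check that it is a number — a non-numeric pidfile numifies to 0, and `kill` with pid 0 signals every process in the caller's process group rather than the one openvpn instance. Read the pidfile in Perl, keep only a `\d+` capture, and test the return of `kill(...)`, as below. When `$lock` exists but no pidfile does, the script falls off the end and exits 0 without having signalled anything, so that case deserves a message and `exit 1` like the `else` branch; the `print "openvpn: service not started"` there also lacks a trailing newline. The shebang's `-w` is the only warnings switch, so consider `use warnings;` next to `use strict;`, and `$ARGV [0]` / `$ARGV [1]` would read more conventionally as `$ARGV[0]` / `$ARGV[1]`.
```perl
    if ( -f $lock ) {
        my $pidf = "$piddir/$key.pid";
        if ( -f $pidf ) {
            open my $fh, '<', $pidf or die "open $pidf: $!";
            my $line = <$fh>;
            close $fh;
            # only a bare numeric pid may reach kill(): anything else would numify
            # to 0 and signal the whole process group instead of one openvpn instance
            my ($pid) = defined $line ? $line =~ /^\s*(\d+)\s*$/ : ();
            die "invalid pid in $pidf" unless defined $pid;
            kill('USR1', $pid) or die "cannot signal pid $pid: $!";
            exit 0;
        }
        print "openvpn: no pidfile for $key\n";
        exit 1;
    }
    # … unchanged: else branch for a missing lock file …
```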
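--- a/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/openvpns2s
+++ b/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/openvpns2s
@@ -285,4 +285,71 @@
 <base>IP_IN_LOCAL_NET</base>
 <trans>This IP address is part of one of your local networks</trans>
 </entry>
+
+ <entry>
+ <base>UNSECURE</base>
+ <trans>Unsecure parameter</trans>
+ </entry>
+ <entry>
+ <base>SUGGESTED</base>
+ <trans>Sugested value</trans>
+ </entry>
+ <entry>
+ <base>DEFAULT</base>
+ <trans>Default</trans>
+ </entry>
+ <entry>
+ <base>DOWN</base>
+ <trans>Down</trans>
+ </entry>
+ <entry>
+ <base>UP</base>
+ <trans>Up</trans>
+ </entry>
+ <entry>
+ <base>SUCCESS_RELOAD</base>
+ <trans>VPN connection reloaded with success</trans>
+ </entry>
+ <entry>
+ <base>DESC_RELOAD</base>
+ <trans>Do you really want to reload this vpn connection?</trans>
+ </entry>
+ <entry>
+ <base>RELOAD</base>
+ <trans>reload</trans>
+ </entry>
+ <entry>
+ <base>DESC_HMAC</base>
+ <trans>HMAC is part of the encryption of the data channel for openvpn (where your data travel) after encryption with the cipher. Default is the insecure SHA1, we suggest you to at least use SHA256. This setting should match on both the server and the client</trans>
+ </entry>
+ <entry>
+ <base>LABEL_HMAC</base>
+ <trans>HMAC algorithm</trans>
+ </entry>
+ <entry>
+ <base>DESC_CIPHER</base>
+ <trans>The cipher used for your data channel for openvpn. The default is to use the insecure BlowFish algorithm. We suggest you the AES-128-CBC or higher. This setting should match on both the server and the client.</trans>
+ </entry>
+ <entry>
+ <base>LABEL_CIPHER</base>
+ <trans>Cipher encryption algorithm</trans>
+ </entry>
+ <entry>
+ <base>DESC_SNAT</base>
+ <trans>SNAT Outbound can be enabled or disabled (default is enabled). When enabled, connections initiated by the server itself will be SNATed so they will appear to come from the internal IP. If disabled, connections from the server itself will have the virtual IP as source.</trans>
+ </entry>
+ <entry>
+ <base>LABEL_SNAT</base>
+ <trans>SNAT Outbound</trans>
+ </entry>
+ <entry>
+ <base>CIPHER</base>
+ <trans>Cipher</trans>
+ </entry>
+ <entry>
+ <base>LINK</base>
+ <trans>Link status</trans>
+ </entry>
+
+
 </lexicon>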
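--- a/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/30key
+++ b/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/30key
@@ -5,16 +5,41 @@
 my $checkcrt = $db->get_prop($key,'CheckCertificateUsage') || 'disabled';
 my $tlsremote = $db->get_prop($key,'RemoteCommonName') || '';
 
+#HMAC default is SHA1 if empty, we really want higher on new setup, but keep empty for default on existing one...
+# need to be changed on both side
+my $HMAC = ( $db->get_prop($key,'HMAC') ) ? $db->get_prop($key,'HMAC') : undef;
+# cipher default to BF if empty, we really want higher on new setup, but keep empty for default on existing one...
+# # here openvpn uses encrypt-then-mc so no issue using CBC rather than GCM, and GCM not implemented before openvpn 2.4 for data channel
+my $cipher = ( $db->get_prop($key,'Cipher') && $db->get_prop($key,'Cipher') ne 'auto')? $db->get_prop($key,'Cipher') : undef;
+
+## we do not want any tls 1.1 or lower, this does not break anything to force, unless the client is very old and limited to 1.1 or lower
+my $tlsVmin = ( $db->get_prop($key,'tlsVmin') && ( $db->get_prop($key,'tlsVmin') =~ /^1\.[0-9]{1}$/ ) ) ? $db->get_prop($key,'tlsVmin') : "1.2";
+# TLS 1.3 encryption settings
+my $tlsCipherSuites13 = ( $db->get_prop($key,'tlsCipherSuites13') ) ? $db->get_prop($key,'tlsCipherSuites13') : "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
+# # TLS 1.2 encryption settings
+my $tlsCipher12 = ( $db->get_prop($key,'tlsCipher12') ) ? $db->get_prop($key,'tlsCipher12') : "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256";
+
+
+# cipher default to BF if empty, we really want higher on new setup, but keep empty for default on existing one...
+# here openvpn uses encrypt-then-mc so no issue using CBC rather than GCM, and GCM not implemented before openvpn 2.4 for data channel
+my $cipher = ( $db->get_prop($key,'Cipher') && $db->get_prop($key,'Cipher') ne 'auto')? $db->get_prop($key,'Cipher') : undef;
+
+
 if ($auth eq 'SharedKey'){
 $OUT .= "secret priv/$key"."_sharedkey.pem\n";
 }
 elsif ($auth eq 'TLS'){
 if ($type eq 'server'){
 $OUT .= "tls-server\n";
+ $OUT .= "tls-version-min $tlsVmin\n";
+ $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;
+ $OUT .= "tls-ciphersuites tlsCipherSuites13\n" if defined tlsCipherSuites13;
 $OUT .= "ca pub/$key" . "_cacert.pem\n";
 $OUT .= "cert pub/$key" . "_cert.pem\n";
 $OUT .= "key priv/$key" . "_key.pem\n";
 $OUT .= "dh pub/$key" . "_dh.pem\n";
+ $OUT .= "# we might be able to disable dh param with this one, NSA-'s recommended curve\n";
+ $OUT .= "ecdh-curve secp384r1\n";
 $OUT .= "tls-auth priv/$key" . "_sharedkey.pem 0\n"
 if ( -e "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' ) &&
 ( ! -z "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' );
@@ -26,9 +51,14 @@
 }
 else{
 $OUT .= "tls-client\n";
+ $OUT .= "tls-version-min $tlsVmin\n";
+ $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;
+ $OUT .= "tls-ciphersuites tlsCipherSuites13\n" if defined tlsCipherSuites13;
 $OUT .= "ca pub/$key" . "_cacert.pem\n";
 $OUT .= "cert pub/$key" . "_cert.pem\n";
 $OUT .= "key priv/$key" . "_key.pem\n";
+ $OUT .= "# we might be able to disable dh param with this one, NSA-'s recommended curve\n";
+ $OUT .= "ecdh-curve secp384r1\n";
 $OUT .= "tls-auth priv/$key" . "_sharedkey.pem 1\n"
 if ( -e "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' ) &&
 ( ! -z "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' );
@@ -40,5 +70,12 @@
 }
 }
 
+ # available for both sharedkey and tls
+ # data channel
+ $OUT .= "#securing data channel\n";
+ $OUT .= (defined $cipher) ? "cipher $cipher\n" : "# no cipher defined default to Blowfish, this is INSECURE, please consider AES-128-CBC or higher on both client and server\n";
+ #auth SHA512
+ $OUT .= (defined $HMAC )? "auth $HMAC\n" : "# no HMAC defined, default to SHA1, please consider SHA256 or higher on both client and server\n";
+#
 }
 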
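Review bot: Both `tls-ciphersuites` lines (server branch in the first hunk, client branch in the second) are missing the `$` sigil, `"tls-ciphersuites tlsCipherSuites13\n" if defined tlsCipherSuites13`, so the generated config receives the literal word instead of the suite list and, if the template runs under strict, the bareword inside `defined` is a compile error; it should read `$OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined $tlsCipherSuites13;`. Since `$tlsCipher12` and `$tlsCipherSuites13` both fall back to a non-empty default string, the `if defined` guards on these and on the `tls-cipher` lines can never be false. `my $cipher` is declared twice in the same scope in the first hunk, with the same comment block copied above each; the second copy should go. The `tlsVmin` check `/^1\.[0-9]{1}$/` still accepts `1.0` and `1.1`, which the comment above it says should not be allowed — `/^1\.[23]$/` would enforce the stated floor. In the comments, `encrypt-then-mc` presumably means `encrypt-then-mac`.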
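--- a/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/60options
+++ b/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/60options
@@ -1,13 +1,11 @@
 # Options
 {
 
-my $cipher = $db->get_prop($key,'Cipher') || 'auto';
 my $comp = $db->get_prop($key,'Compression') || 'enabled';
 
 
 $OUT .= "comp-lzo adaptive\n" if ($comp eq 'enabled');
 
-$OUT .= "cipher $cipher\n" if ($cipher ne 'auto');
 
 if ($type eq 'server'){
 $OUT .= "ping-timer-rem\n";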
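--- a/root/etc/e-smith/web/functions/openvpns2s
+++ b/root/etc/e-smith/web/functions/openvpns2s
@@ -4,7 +4,7 @@
 #----------------------------------------------------------------------
 # heading : Configuration
 # description : OpenVPN Site to Site
-# navigation : 1000 1000
+# navigation : 6000 6750
 #----------------------------------------------------------------------
 
 #----------------------------------------------------------------------
@@ -99,6 +99,16 @@
 <label>LABEL_AUTH</label>
 </field>
 
+ <field type="select" id="hmac" options="get_digests_options()" value="get_current_hmac()">
+ <description>DESC_HMAC</description>
+ <label>LABEL_HMAC</label>
+ </field>
+
+ <field type="select" id="cipher" options="get_ciphers_options()" value="get_current_cipher()">
+ <description>DESC_CIPHER</description>
+ <label>LABEL_CIPHER</label>
+ </field>
+
 <field type="text" id="remote_host" validation="is_hostname_or_ip()">
 <description>DESC_REMOTE_HOST</description>
 <label>LABEL_REMOTE_HOST</label>
@@ -119,13 +129,18 @@
 <label>LABEL_REMOTE_IP</label>
 </field>
 
+ <field type="select" id="SnatOutbound" value="" options="'disabled' => 'DISABLED', 'enabled' => 'ENABLED'">
+ <description>DESC_SNAT</description>
+ <label>LABEL_SNAT</label>
+ </field>
+
+
 <field type="text" size="53" id="remote_net" validation="is_valid_net_or_empty()">
 <description>DESC_REMOTE_NET</description>
 <label>LABEL_REMOTE_NET</label>
 </field>
 
 <subroutine src="print_button('NEXT')"/>
-
 </page>
 
 #----------------------------------------------------------------
@@ -156,6 +171,16 @@
 <label>LABEL_AUTH</label>
 </field>
 
+ <field type="select" id="hmac" options="get_digests_options()" value="get_current_hmac()">
+ <description>DESC_HMAC</description>
+ <label>LABEL_HMAC</label>
+ </field>
+
+ <field type="select" id="cipher" options="get_ciphers_options()" value="get_current_cipher()">
+ <description>DESC_CIPHER</description>
+ <label>LABEL_CIPHER</label>
+ </field>
+
 <field type="text" id="port" validation="is_valid_and_available_port()">
 <description>DESC_LOCAL_PORT</description>
 <label>LABEL_LOCAL_PORT</label>
@@ -196,4 +221,11 @@
 <subroutine src="print_conf_to_remove()"/>
 </page>
 
+ <page name="RELOAD_PAGE" pre-event="turn_off_buttons()" post-event="reload()">
+ <field type="literal" id="conf_name">
+ <description>DESC_RELOAD</description>
+ </field>
+ <subroutine src="print_button('NEXT')"/>
+ </page>
+
 </form>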
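Review bot: The new `SnatOutbound` select carries `value=""`, whereas `hmac` and `cipher` are seeded from `get_current_hmac()`/`get_current_cipher()`; with no value, the entry preselected on the create form depends on which option FormMagick happens to list first, while DESC_SNAT tells the user the default is enabled, so `value="enabled"` would make the form match its own description. `id="SnatOutbound"` is also the only CamelCase field id on the page (`remote_host`, `remote_net`, `port` are snake_case); a `snat_outbound` id with the property-name mapping done in the panel module would keep the form consistent. The `RELOAD_PAGE` relies entirely on `reload()` in the panel module to validate `conf_name`, so that validation has to exist there.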
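--- a/root/usr/lib/systemd/system/openvpn-s2s.service
+++ b/root/usr/lib/systemd/system/openvpn-s2s.service
@@ -1,10 +1,16 @@
 [Unit]
 Description=OpenVPN Server to Server
 After=network.service
+
 [Service]
-Type=forking
+Type=oneshot
+RemainAfterExit=yes
+GuessMainPID=no
+
 ExecStart=/usr/sbin/systemd/openvpn-s2s start
 ExecStop=/usr/sbin/systemd/openvpn-s2s stop
+ExecReload=/usr/sbin/systemd/openvpn-s2s reopen
+
 [Install]
 WantedBy=sme-server.target
 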
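Review bot: With `Type=oneshot` and `RemainAfterExit=yes` systemd no longer tracks any openvpn process, so the unit stays `active (exited)` even after every tunnel process has died and `systemctl status` stops reflecting link health; that is workable for a wrapper script, but it should be stated in the unit (`# one unit drives all s2s instances; process liveness is the wrapper's job, not systemd's`) and monitoring should rely on the per-instance pidfiles rather than on unit state. `After=network.service` names a legacy unit; if that unit is absent on the host the ordering is silently ignored, so `After=network-online.target` together with `Wants=network-online.target` is the portable form.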
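--- a/root/usr/sbin/systemd/openvpn-s2s
+++ b/root/usr/sbin/systemd/openvpn-s2s
@@ -90,6 +90,9 @@
 fi
 done
 
+#ncp
+ncp=" --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC "
+
 # Lockfile
 lock="/var/lock/subsys/openvpn-s2s"
 
@@ -218,6 +221,7 @@
 kill -HUP `cat $pidf` >/dev/null 2>&1
 fi
 done
+ exit 0
 else
 echo "openvpn: service not started"
 exit 1
@@ -230,6 +234,7 @@
 kill -USR1 `cat $pidf` >/dev/null 2>&1
 fi
 done
+ exit 0
 else
 echo "openvpn: service not started"
 exit 1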
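Review bot: The new `ncp` list ends in `BF-CBC`, which lets a negotiating peer settle the data channel on a 64-bit-block cipher and can override the cipher the panel now lets the admin pick; unless a known peer cannot do AES, drop it from the list, and if it must stay, say so in the comment — `#ncp` on its own explains nothing, something like `# ciphers offered to 2.4+ peers for negotiation; last entry only for peers that cannot be updated yet` would. The variable is only assigned in this hunk; the line that appends `$ncp` to the openvpn command is outside these hunks, so check there that the leading and trailing spaces in the value are intended and that it is expanded the way the command expects.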
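--- a/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpns2s.pm
+++ b/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpns2s.pm
@@ -26,6 +26,7 @@
 remove_conf
 print_conf_to_remove
 read_file
+ reload
 );
 
 our $pubdir = '/etc/openvpn/s2s/pub';
@@ -91,6 +92,21 @@
 $ovpn_db->set_prop($conf, 'status', $q->param("status"));
 $ovpn_db->set_prop($conf, 'Comment', $q->param("comment"));
 $ovpn_db->set_prop($conf, 'RemoteNetworks', $q->param("remote_net"));
+ $ovpn_db->set_prop($conf, 'SnatOutbound', $q->param("SnatOutbound"));
+ if ($q->param("hmac") eq 'SHA1') {
+ my $tmpk = $ovpn_db->get($conf);
+ $tmpk->delete_prop('HMAC');
+ }
+ else {
+ $ovpn_db->set_prop($conf, 'HMAC' , $q->param("hmac"));
+ }
+ if ($q->param("cipher") eq 'BF-CBC') {
+ my $tmpk = $ovpn_db->get($conf);
+ $tmpk->delete_prop('cipher');
+ }
+ else {
+ $ovpn_db->set_prop($conf, 'cipher', $q->param("cipher"));
+ }
 
 # Now, update the main configuration entry
 update_ports();
@@ -153,6 +169,9 @@
 }
 print KEY $q->param('key_pem');
 close KEY;
+ chmod(0600, "$privdir/${conf}_key.pem" );
+ esmith::util::chownFile("root", "root","$privdir/${conf}_key.pem" );
+
 
 if (! open (DH, ">$pubdir/$conf" . "_dh.pem")){
 $fm->error('ERROR_OPEN_DH','FIRST_PAGE');
@@ -167,11 +186,13 @@
 }
 print TA $q->param('shared_key');
 close TA;
+ chmod(0600, "$privdir/${conf}_sharedkey.pem" );
+ esmith::util::chownFile("root", "root","$privdir/${conf}_sharedkey.pem" );
 
- esmith::util::chownFile("root", "root", "$privdir/$conf*");
- esmith::util::chownFile("root", "root", "$pubdir/$conf*");
- chmod 0600, "$privdir/$conf*";
- chmod 0644, "$pubdir/$conf*";
+ esmith::util::chownFile("root", "root", "$privdir");
+ esmith::util::chownFile("root", "root", "$pubdir");
+ chmod 0600, "$privdir";
+ chmod 0644, "$pubdir";
 
 $ovpn_db->set_prop($conf, 'CrlUrl', $q->param("crl_url"));
 
@@ -294,6 +315,22 @@
 
 
 # Print clients or servers table
+sub reload{
+ my ($fm) = @_;
+ my $q = $fm->{cgi};
+ my $conf = $q->param('conf_name');
+ #$conf = $conf=~ m/^([a-zA-Z\-\_0-9]+)$/;
+ unless (system ("/sbin/e-smith/signal-event", "openvpn-s2s-update-one", $conf) == 0 ){
+ $fm->error('ERROR_OCCURED1','FIRST_PAGE');
+ return undef;
+ }
+ $fm->success( $fm->localise('SUCCESS_RELOAD') . " $conf" ,'FIRST_PAGE');
+ return undef;
+
+
+}
+
+# Print clients or servers table
 sub print_conf_table{
 my $fm = shift;
 my $type = shift;
@@ -310,8 +347,15 @@
 print $q->start_table({-CLASS => "sme-border"}),"\n";
 print $q->Tr (
 esmith::cgi::genSmallCell($q, $fm->localise('CONF_NAME'),"header"),
- esmith::cgi::genSmallCell($q, $fm->localise('MODIFY'),"header"),
- esmith::cgi::genSmallCell($q, $fm->localise('STATUS'),"header")),"\n";
+ esmith::cgi::genSmallCell($q, $fm->localise('STATUS'),"header"),
+ esmith::cgi::genSmallCell($q, $fm->localise('CIPHER'),"header"),
+ esmith::cgi::genSmallCell($q, 'HMAC',"header"),
+ esmith::cgi::genSmallCell($q, $fm->localise('LABEL_AUTH'),"header"),
+ esmith::cgi::genSmallCell($q, $fm->localise('LINK'),"header"),
+ esmith::cgi::genSmallCell($q, $fm->localise('ACTION'),"header", 3),
+ ),
+ "\n";
+
 
 foreach my $config (@conf){
 my $key = $config->key;
@@ -323,11 +367,28 @@
 elsif ($status eq 'disabled'){
 $status = $fm->localise('DISABLED');
 }
+ my $cipher = $config->prop('cipher') || 'BF-CBC';
+ $cipher = "<span style='color:red'>". $fm->localise('UNSECURE'). " $cipher</span> " unless ($cipher =~ /(128|192|256|512|SEED)/ );
+ my $hmac = $config->prop('hmac') || 'SHA1';
+ $hmac= "<span style='color:red'>". $fm->localise('UNSECURE'). " $hmac</span> " unless ($hmac eq "whirlpool" || $hmac =~ /(512|256|384|224)$/);
+ my $authe = $config->prop('Authentication') || '';
+ my $linkup = "<span style='color:red'>". $fm->localise('DOWN')."</span>" ;
+ use Net::Ping;
+ my $p = Net::Ping->new();
+ $linkup = "<span style='color:green'>". $fm->localise('UP') ."</span>" if $p->ping($config->prop('RemoteIP'));
+
 print $q->Tr (esmith::cgi::genSmallCell($q,"$key"),
+ esmith::cgi::genSmallCell($q,"$status"),
+ esmith::cgi::genSmallCell($q,"$cipher"),
+ esmith::cgi::genSmallCell($q,"$hmac"),
+ esmith::cgi::genSmallCell($q,"$authe"),
+ esmith::cgi::genSmallCell($q,"$linkup"),
+ esmith::cgi::genSmallCell ($q, $q->a ({href => $q->url (-absolute => 1).
+ $base_url."RELOAD_PAGE&action=reload&conf_name=".
+ $key}, $fm->localise('RELOAD'))),
 esmith::cgi::genSmallCell ($q, $q->a ({href => $q->url (-absolute => 1).
 $base_url."CREATE_OR_MODIFY_".uc($type)."_CONF_PAGE&action=modify&conf_name=".
 $key}, $fm->localise('MODIFY'))),
- esmith::cgi::genSmallCell($q,"$status"),
 esmith::cgi::genSmallCell ($q, $q->a ({href => $q->url (-absolute => 1).
 $base_url."REMOVE_CONF_PAGE&conf_name=".
 $key}, $fm->localise('REMOVE'))));
@@ -376,6 +437,13 @@
 $rec->prop('status'));
 $q->param(-name=>'remote_net',-value=>
 $rec->prop('RemoteNetworks'));
+ $q->param(-name=>'hmac',-value=>
+ get_current_hmac($fm));
+ $q->param(-name=>'cipher',-value=>
+ get_current_cipher($fm));
+ $q->param(-name=>'SnatOutbound',-value=>
+ $rec->prop('SnatOutbound'));
+
 }
 }
 else {
@@ -487,7 +555,7 @@
 sub is_url_or_empty{
 my ($fm, $url) = @_;
 my $ret = 'OK';
- if (($url !~ /^(http:\/\/)|(https:\/\/)/) && ($url ne '')){
+ if (defined $url && ($url !~ /^(http:\/\/)|(https:\/\/)/) && ($url ne '')){
 $ret = $fm->localise('NOT_A_VALID_URL',{string => $url});
 }
 return $ret;
@@ -604,4 +672,110 @@
 return $ret;
 }
 
+
+
+###### those are copy paste for bridge and s2s
+#
+=head2 get_current_hmac
+
+=cut
+sub get_current_hmac{
+ my ($self) = @_;
+ my $name = $self->cgi->param('conf_name') or return "SHA256";
+ my $cvpn= $ovpn_db->get($name);
+ return "SHA1" unless defined $cvpn->prop('HMAC');
+ return $cvpn->prop('HMAC') ;
+}
+
+
+=head2 get_digests_options
+
+=cut
+sub get_digests_options{
+ my ($self) = @_;
+ my $translate = $self->localise('DEFAULT');
+ my $suggested = $self->localise('SUGGESTED');
+ my %options= (
+ 'whirlpool' => 'whirlpool (512)',
+ 'SHA512' => 'SHA512',
+ 'SHA384' => 'SHA384',
+ 'SHA256' => 'SHA256' . ": $suggested",
+ 'SHA224' => 'SHA224',
+ 'SHA1' => 'SHA1 (160)' . ": $translate",
+ 'SHA' => 'SHA (160)',
+ 'ecdsa-with-SHA1' => 'ecdsa-with-SHA1 (160)',
+ 'RIPEMD160' => 'RIPEMD160',
+ 'MD5' => 'MD5 (128)',
+ 'MD4' => 'MD4 (128)',
+ );
+ return \%options;
+}
+
+
+=head2 get_current_cipher
+list obtained using
+openvpn --show-digests | egrep 'digest size' | awk {'print "'\''" $1 "'\'' => '\''" $1 "'\''," '}
+=cut
+sub get_current_cipher{
+ my ($self) = @_;
+ my $name = $self->cgi->param('conf_name') or return "AES-128-CBC";
+ my $cvpn= $ovpn_db->get($name);
+ return "BF-CBC" unless defined $cvpn->prop('cipher');
+ return $cvpn->prop('cipher') ;
+}
+
+=head2 get_ciphers_options
+list obtained using
+openvpn --show-ciphers | egrep '^[A-Z]{2}' | sed 's/ by//; s/ default//; s/block,/block/; s/)// ' | awk {'print " '\''" $1 "'\'' => '\''" $1 $2 " " $4 " " $5 " " $7")'\''," '}
+then reduced to remove most of unsecure ciphers
+Using a CBC or GCM mode is recommended.
+In static key mode only CBC mode is allowed.
+
+=cut
+sub get_ciphers_options{
+ my ($self) = @_;
+ my $translate = $self->localise('DEFAULT');
+ my $suggested = $self->localise('SUGGESTED');
+ my %options= (
+ 'AES-128-CBC' => 'AES-128-CBC (128 key, 128 block)'.": $suggested",
+ 'AES-128-CFB' => 'AES-128-CFB (128 key, 128 block)',
+ 'AES-128-CFB1' => 'AES-128-CFB1 (128 key, 128 block)',
+ 'AES-128-CFB8' => 'AES-128-CFB8 (128 key, 128 block)',
+ 'AES-128-GCM' => 'AES-128-GCM (128 key, 128 block)',
+ 'AES-128-OFB' => 'AES-128-OFB (128 key, 128 block)',
+ 'AES-192-CBC' => 'AES-192-CBC (192 key, 128 block)',
+ 'AES-192-CFB' => 'AES-192-CFB (192 key, 128 block)',
+ 'AES-192-CFB1' => 'AES-192-CFB1 (192 key, 128 block)',
+ 'AES-192-CFB8' => 'AES-192-CFB8 (192 key, 128 block)',
+ 'AES-192-GCM' => 'AES-192-GCM (192 key, 128 block)',
+ 'AES-192-OFB' => 'AES-192-OFB (192 key, 128 block)',
+ 'AES-256-CBC' => 'AES-256-CBC (256 key, 128 block)',
+ 'AES-256-CFB' => 'AES-256-CFB (256 key, 128 block)',
+ 'AES-256-CFB1' => 'AES-256-CFB1 (256 key, 128 block)',
+ 'AES-256-CFB8' => 'AES-256-CFB8 (256 key, 128 block)',
+ 'AES-256-GCM' => 'AES-256-GCM (256 key, 128 block)',
+ 'AES-256-OFB' => 'AES-256-OFB (256 key, 128 block)',
+ 'CAMELLIA-128-CBC' => 'CAMELLIA-128-CBC (128 key, 128 block)',
+ 'CAMELLIA-128-CFB' => 'CAMELLIA-128-CFB (128 key, 128 block)',
+ 'CAMELLIA-128-CFB1' => 'CAMELLIA-128-CFB1 (128 key, 128 block)',
+ 'CAMELLIA-128-CFB8' => 'CAMELLIA-128-CFB8 (128 key, 128 block)',
+ 'CAMELLIA-128-OFB' => 'CAMELLIA-128-OFB (128 key, 128 block)',
+ 'CAMELLIA-192-CBC' => 'CAMELLIA-192-CBC (192 key, 128 block)',
+ 'CAMELLIA-192-CFB' => 'CAMELLIA-192-CFB (192 key, 128 block)',
+ 'CAMELLIA-192-CFB1' => 'CAMELLIA-192-CFB1 (192 key, 128 block)',
+ 'CAMELLIA-192-CFB8' => 'CAMELLIA-192-CFB8 (192 key, 128 block)',
+ 'CAMELLIA-192-OFB' => 'CAMELLIA-192-OFB (192 key, 128 block)',
+ 'CAMELLIA-256-CBC' => 'CAMELLIA-256-CBC (256 key, 128 block)',
+ 'CAMELLIA-256-CFB' => 'CAMELLIA-256-CFB (256 key, 128 block)',
+ 'CAMELLIA-256-CFB1' => 'CAMELLIA-256-CFB1 (256 key, 128 block)',
+ 'CAMELLIA-256-CFB8' => 'CAMELLIA-256-CFB8 (256 key, 128 block)',
+ 'CAMELLIA-256-OFB' => 'CAMELLIA-256-OFB (256 key, 128 block)',
+ 'SEED-CBC' => 'SEED-CBC (128 key, 128 block)',
+ 'SEED-CFB' => 'SEED-CFB (128 key, 128 block)',
+ 'SEED-OFB' => 'SEED-OFB (128 key, 128 block)',
+ 'BF-CBC' => 'BF-CBC(128 key, 64 block)'. ": $translate ",
+ );
+ return \%options;
+}
+
 1;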
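Review bot: The cipher property is spelled `'cipher'` throughout this module (`set_prop`/`delete_prop` in the @@ -91 hunk, `get_current_cipher`, and `$config->prop('cipher')` in print_conf_table) but the 30key template reads `$db->get_prop($key,'Cipher')`, so a cipher chosen in the panel never reaches the generated config; likewise print_conf_table reads `$config->prop('hmac')` while the save path stores `'HMAC'`, so the table will always report SHA1 as insecure — pick one spelling (`'Cipher'`, `'HMAC'`) everywhere. In the @@ -167 hunk `chmod 0600, "$privdir"` and `chmod 0644, "$pubdir"` now apply to the directories themselves and remove the search (x) bit, which blocks path lookup inside them for any non-root process; directories need `0700`/`0755`, and the per-file chmod/chown already added for the key and shared key is the pattern to follow for the other files. In `reload` the `conf_name` validation is commented out and would not have worked as written (`$conf = $conf =~ m/.../` stores the match result, not the capture); `signal-event` is invoked in list form so no shell is involved, but the value is still passed on unchecked and echoed back in the success message, so reinstate it as a capture with an early return, as below. The `Net::Ping->new()` probe per table row blocks page rendering for up to the default timeout per entry and calls `ping(undef)` for entries without `RemoteIP`, and `use Net::Ping` belongs with the other `use` lines at the top of the module. The POD under `=head2 get_current_cipher` describes the `--show-digests` command that produced the digest list and belongs to `get_digests_options`.
```perl
sub reload{
    my ($fm) = @_;
    my $q = $fm->{cgi};
    my $conf = $q->param('conf_name');
    $conf = '' unless defined $conf;
    # keep only a key made of the characters a connection name may contain;
    # anything else is rejected before it reaches signal-event or the page
    unless (($conf) = $conf =~ m/^([a-zA-Z0-9_-]+)$/) {
        $fm->error('ERROR_OCCURED1','FIRST_PAGE');
        return;
    }
    # … unchanged: signal-event call and success message …
}
```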