smecontribs/smeserver-openvpn-routed
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

initial commit of file from CVS for smeserver-openvpn-routed on Thu 6 Mar 14:40:52 GMT 2025

Browse Source
This commit is contained in:
Brian Read 2025-03-06 14:40:52 +00:00
parent 08020c8369
commit 73d65d729e
38 changed files with 866 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.gitignore vendored Normal file
View File

@ -0,0 +1,4 @@
*.rpm
*.log
*spec-20*
*.tar.gz

21
Makefile Normal file
View File

@ -0,0 +1,21 @@
# Makefile for source rpm: smeserver-openvpn-routed
# $Id: Makefile,v 1.1 2021/02/04 16:20:21 brianr Exp $
NAME := smeserver-openvpn-routed
SPECFILE = $(firstword $(wildcard *.spec))
define find-makefile-common
for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
endef
MAKEFILE_COMMON := $(shell $(find-makefile-common))
ifeq ($(MAKEFILE_COMMON),)
# attept a checkout
define checkout-makefile-common
test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
endef
MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
endif
include $(MAKEFILE_COMMON)

16
README.md
View File

@ -1,3 +1,15 @@
# smeserver-openvpn-routed
# <img src="https://www.koozali.org/images/koozali/Logo/Png/Koozali_logo_2016.png" width="25%" vertical="auto" style="vertical-align:bottom"> smeserver-openvpn-routed
SMEServer Koozali developed git repo for smeserver-openvpn-routed smecontribs
SMEServer Koozali developed git repo for smeserver-openvpn-routed smecontribs
## Wiki
<br />https://wiki.koozali.org/
## Bugzilla
Show list of outstanding bugs: [here](https://bugs.koozali.org/buglist.cgi?component=smeserver-openvpn-routed&product=SME%20Contribs&query_format=advanced&limit=0&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=CONFIRMED)
## Description
<br />*This description has been generated by an LLM AI system and cannot be relied on to be fully correct.*
*Once it has been checked, then this comment will be deleted*
<br />

155
additional/CHANGELOG.git Normal file
View File

@ -0,0 +1,155 @@
commit 66557c7d543573cdd5e3eb332bb54ba2517a3d60
Author: Daniel Berteaud <daniel@firewall-services.com>
Date: Mon Apr 10 11:18:17 2017 +0200
Update pam plugin path
commit 848752010a3a37d1bd75d38b4f0c0e3011109884
Author: Daniel Berteaud <daniel@firewall-services.com>
Date: Mon Feb 8 10:59:41 2016 +0100
Create urandom in chroot
commit 5e590ef5b9bda1aa62264b104fed5a8aa8d8f099
Author: Daniel Berteaud <daniel@firewall-services.com>
Date: Tue Sep 29 12:02:31 2015 +0200
Spec file update
commit c595fbe31a78521383074be878e6afe810b11d0a
Author: Daniel Berteaud <daniel@firewall-services.com>
Date: Tue Sep 29 11:42:30 2015 +0200
Make crl verification optional
commit 36f5d2b782c5cfdf1717dc73dfeff5d7867cdf85
Author: Daniel Berteaud <daniel@firewall-services.com>
Date: Tue Sep 29 11:23:44 2015 +0200
Restrict access to the management-pass.txt file
commit d66b9396e182fda414eaf994884b6244caa00204
Author: Daniel Berteaud <daniel@firewall-services.com>
Date: Tue Sep 29 11:21:01 2015 +0200
Set default network in the up script
commit 019d0e2d50184ca5822b7ce6736c4ba3ad0f0fd5
Author: Daniel Berteaud <daniel@firewall-services.com>
Date: Wed Dec 3 22:25:19 2014 +0100
Spec file update
commit 6a3d60d9a8ab6a33b04aad4bf059eab45eac438b
Author: Daniel Berteaud <daniel@firewall-services.com>
Date: Wed Dec 3 21:54:49 2014 +0100
Correctly push route for local network
commit 496a2b678f383f2980f6a7c9677b2166dd5b7835
Author: Daniel Berteaud <daniel@firewall-services.com>
Date: Mon Jun 23 18:26:42 2014 +0200
Spec file update
commit 5534d9a3cb739d20b202f92b755e66a0c5a3a56b
Author: Daniel Berteaud <daniel@firewall-services.com>
Date: Mon Jun 23 18:25:55 2014 +0200
Fix plugin path on x86_64
commit 890a6c2e09bcaccfe7c9a2b2f9a88e6dadc3ae0d
Author: Daniel Berteaud <daniel@firewall-services.com>
Date: Wed Aug 21 16:06:26 2013 +0200
update spec file
commit b89fdff8d3018f849456d4b408dba274e5e7f955
Author: Daniel Berteaud <daniel@firewall-services.com>
Date: Wed Aug 21 16:05:48 2013 +0200
Use full path the the up script
commit d31a088f194a3d8d1ca9ecf51b2f37aaf64d42e4
Author: Daniel Berteaud <daniel@firewall-services.com>
Date: Tue Jun 11 10:58:01 2013 +0200
update spec file
commit 2d0c9d80dde1ccc7f99deb0720db5ad0d252c568
Author: Daniel Berteaud <daniel@firewall-services.com>
Date: Wed May 29 14:45:14 2013 +0200
Use different name for the crl to prevent race conditions with openvpn-bridge
commit 9d0d164b4d8d589d62343dd9e9a1f8f1b8f912fe
Author: Daniel Berteaud <daniel@firewall-services.com>
Date: Mon May 27 09:44:28 2013 +0200
Fix update CRL script, refers to Routed mode, not bridged one
commit 7b7d1f9e50435deb3608c370dedf75b056fed561
Author: Daniel Berteaud <daniel@firewall-services.com>
Date: Fri May 24 16:59:45 2013 +0200
Do not try to update the CRL if its URL is not set
commit 322061737010908e87e582e54af86219dc84d60d
Author: Daniel Berteaud <daniel@firewall-services.com>
Date: Fri May 24 16:36:12 2013 +0200
Comment unused reload-ccd event
commit 655898a494ffb6323d3876058dc2eb3077540252
Author: Daniel Berteaud <daniel@firewall-services.com>
Date: Fri May 24 16:35:23 2013 +0200
Remove copyright notice in up script
commit 2995895c2005c0a764b67230c67045e6fe7ca6f5
Author: Daniel Berteaud <daniel@firewall-services.com>
Date: Fri May 24 16:35:03 2013 +0200
Fix up script
commit 69aa3d3988a0b08196a19374746c6c7f28ccaa84
Author: Daniel Berteaud <daniel@firewall-services.com>
Date: Fri May 24 16:34:29 2013 +0200
Add script-security 2, as required to execute external scripts
commit 5230402365b0758c764da2acfb1d5677be7cb00d
Author: Daniel Berteaud <daniel@firewall-services.com>
Date: Fri May 24 16:29:49 2013 +0200
Call the up script during service startup
commit 6378427fdf9590f69117997c83ce6023e377c48e
Author: Daniel Berteaud <daniel@firewall-services.com>
Date: Fri May 24 16:29:15 2013 +0200
Fix permission of the up script
commit 42036e42ee291404c96db59f07e667e0d6688a75
Author: Daniel Berteaud <daniel@firewall-services.com>
Date: Fri May 24 16:26:57 2013 +0200
Fix openvpn-routed-delete-net script and remove copyright notice
commit 74bfd5d71beb9a094a1011a621135308f3cea761
Author: Daniel Berteaud <daniel@firewall-services.com>
Date: Fri May 24 16:06:42 2013 +0200
Don't add template header in management-pass file
commit bc7246dd740f47b6c9f5aa619fc59ddf5228753c
Author: Daniel Berteaud <daniel@firewall-services.com>
Date: Fri May 24 16:05:29 2013 +0200
Fixes in templates for openvpn.conf
commit e201d0a9b0c059f23eb9750f383fc2a5f331663e
Author: Daniel Berteaud <daniel@firewall-services.com>
Date: Fri May 24 15:38:55 2013 +0200
FIrst commit

90
additional/smeserver-openvpn-routed.spec Normal file
View File

@ -0,0 +1,90 @@
# Authority: vip-ire
# Name: Daniel Berteaud
Summary: OpenVPN, a strong VPN solution build over SSL, pre-configured for routed mode
Name: smeserver-openvpn-routed
%define version 0.1.5
%define release 1
Version: %{version}
Release: %{release}%{?dist}
License: GPL
Group: Networking/Remote access
Source: %{name}-%{version}.tar.gz
BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
BuildArchitectures: noarch
BuildRequires: e-smith-devtools
Requires: e-smith-base
Requires: openvpn
#Requires: perl(Net::OpenVPN::Manage)
%description
This package contains all the needed scripts and templates
to have a full working openvpn server running in routed mode.
%changelog
* Mon Feb 8 2016 Daniel Berteaud <daniel@firewall-services.com> 0.1.5-1
- Create /etc/openvpn/routed/dev/urandom [SME: 9238]
* Tue Sep 29 2015 Daniel Berteaud <daniel@firewall-services.com> 0.1.4-1
- Make crl verification optional
- Set a default Network if none is set
- restrict permission on the management-pass.txt file
* Wed Dec 3 2014 Daniel Berteaud <daniel@firewall-services.com> 0.1.3-1
- Correctly push route to local network when not redirecting gw
* Mon Jun 23 2014 Daniel Berteaud <daniel@firewall-services.com> 0.1.2-1
- Fix plugin path on x86_64
* Wed Aug 21 2013 Daniel Berteaud <daniel@firewall-services.com> 0.1.1-1
- Use full path to the up script
* Tue Jun 11 2013 Daniel Berteaud <daniel@firewall-services.com> 0.1.0-1
- initial release
%prep
%setup -q -n %{name}-%{version}
%build
perl createlinks
%{__mkdir_p} root/etc/openvpn/routed/ccd
%{__mkdir_p} root/etc/openvpn/routed/priv
%{__mkdir_p} root/etc/openvpn/routed/pub
%{__mkdir_p} root/etc/openvpn/routed/tmp
%{__mkdir_p} root/etc/openvpn/routed/dev
%{__mkdir_p} root/var/log/openvpn-routed
%install
/bin/rm -rf $RPM_BUILD_ROOT
(cd root ; /usr/bin/find . -depth -print | /bin/cpio -dump $RPM_BUILD_ROOT)
/bin/rm -f %{name}-%{version}-filelist
/sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
--file /var/service/openvpn-routed/run 'attr(0755,root,root)' \
--file /var/service/openvpn-routed/log/run 'attr(0755,root,root)' \
--dir /var/log/openvpn-routed 'attr(0750,smelog,smelog)' \
--dir /etc/openvpn/routed/pub 'attr(0755,root,root)' \
--dir /etc/openvpn/routed/priv 'attr(0750,root,root)' \
--dir /etc/openvpn/routed/ccd 'attr(0755,root,root)' \
--dir /etc/openvpn/routed/tmp 'attr(0770,root,openvpn)' \
--file /usr/bin/ovpn-routed-update-crl 'attr(0750,root,root)' \
--file /etc/openvpn/routed/bin/up 'attr(755,root,root)' \
> %{name}-%{version}-filelist
%files -f %{name}-%{version}-filelist
%defattr(-,root,root)
%clean
rm -rf $RPM_BUILD_ROOT
%post
if [ \! -c /etc/openvpn/routed/dev/urandom ]; then
mknod -m 0444 /etc/openvpn/routed/dev/urandom c 1 9
fi
%preun

1
contriborbase Normal file
View File

@ -0,0 +1 @@
contribs10

69
createlinks Normal file
View File

@ -0,0 +1,69 @@
#!/usr/bin/perl -w
use esmith::Build::CreateLinks qw(:all);
safe_symlink("restart", "root/etc/e-smith/events/openvpn-routed-update/services2adjust/openvpn-routed");
safe_symlink("restart", "root/etc/e-smith/events/network-create/services2adjust/openvpn-routed");
safe_symlink("restart", "root/etc/e-smith/events/network-delete/services2adjust/openvpn-routed");
#service_link_enhanced("openvpn-routed", "S80", "7");
#service_link_enhanced("openvpn-routed", "K25", "6");
#service_link_enhanced("openvpn-routed", "K25", "0");
#safe_symlink("../daemontools" , 'root/etc/rc.d/init.d/supervise/openvpn-routed');
safe_symlink("/var/service/openvpn-routed" , 'root/service/openvpn-routed');
safe_touch("root/var/service/openvpn-routed/down");
safe_touch("root/etc/e-smith/templates/etc/openvpn/routed/management-pass.txt/template-begin");
safe_touch("root/etc/e-smith/templates/etc/openvpn/routed/management-pass.txt/template-end");
#panel_link("openvpnrouted", 'manager');
templates2events("/etc/openvpn/routed/openvpn.conf", "openvpn-routed-update");
templates2events("/etc/openvpn/routed/management-pass.txt", qw(openvpn-routed-update bootstrap-console-save));
templates2events("/etc/openvpn/routed/openvpn.conf", qw(openvpn-routed-update bootstrap-console-save network-create network-delete));
templates2events("/etc/crontab", qw(openvpn-routed-update));
#event_link("openvpn-routed-reload-ccd", "openvpn-routed-update", "20");
event_link("openvpn-routed-update-crl", "openvpn-routed-update", "30");
event_link("openvpn-routed-delete-net", "openvpn-routed-update", "40");
event_link("openvpn-bridge-jail", "openvpn-routed-update", "03");
event_link("openvpn-bridge-jail", "bootstrap-console-save", "03");
#event_link("openvpn-routed-reload-ccd", "openvpn-routed-reload-ccd", "20");
#event_link("openvpn-routed-update-crl", "openvpn-routed-reload-ccd", "30");
# our event specific for updating with yum without reboot
$event = "smeserver-openvpn-routed-update";
#add here the path to your templates needed to expand
#see the /etc/systemd/system-preset/49-koozali.preset should be present for systemd integration on all you yum update event
foreach my $file (qw(
/etc/systemd/system-preset/49-koozali.preset
/etc/crontab
/etc/openvpn/routed/management-pass.txt
/etc/openvpn/routed/openvpn.conf
))
{
templates2events( $file, $event );
}
#action needed in case we have a systemd unit
event_link("systemd-default", $event, "10");
event_link("systemd-reload", $event, "50");
#action specific to this package
event_link("openvpn-routed-update", $event, "60");
event_link("openvpn-bridge-jail", $event, "03");
#services we need to restart
safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/openvpn-routed");
use esmith::Build::Backup qw(:all);
backup_includes("smeserver-openvpn-routed", qw(
/etc/openvpn/routed/priv
/etc/openvpn/routed/pub
/var/log/openvpn-routed
));

1
root/etc/e-smith/db/configuration/defaults/openvpn-routed/Cipher Normal file
View File

@ -0,0 +1 @@
AES-128-CBC

1
root/etc/e-smith/db/configuration/defaults/openvpn-routed/HMAC Normal file
View File

@ -0,0 +1 @@
SHA256

1
root/etc/e-smith/db/configuration/defaults/openvpn-routed/UDPPort Normal file
View File

@ -0,0 +1 @@
1194

1
root/etc/e-smith/db/configuration/defaults/openvpn-routed/access Normal file
View File

@ -0,0 +1 @@
public

1
root/etc/e-smith/db/configuration/defaults/openvpn-routed/status Normal file
View File

@ -0,0 +1 @@
enabled

1
root/etc/e-smith/db/configuration/defaults/openvpn-routed/type Normal file
View File

@ -0,0 +1 @@
service

9
root/etc/e-smith/db/configuration/migrate/50openvpn-routed-management-pass Normal file
View File

@ -0,0 +1,9 @@
{
my $openvpn = $DB->get('openvpn-routed') || $DB->new_record('openvpn-routed', {type => 'service'});
my $management = $openvpn->prop('ManagementPassword') || '';
return "" if ($management ne '');
# Generate a random password
$pass=`/usr/bin/openssl rand -base64 20 | tr -c -d '[:alnum:]'`;
$openvpn->set_prop('ManagementPassword',"$pass");
}

25
root/etc/e-smith/events/actions/openvpn-routed-delete-net Normal file
View File

@ -0,0 +1,25 @@
#!/usr/bin/perl -w
use strict;
use esmith::ConfigDB;
use esmith::NetworksDB;
use esmith::event;
my $c = esmith::ConfigDB->open_ro || die "Couldn't open config db\n";
my $n = esmith::NetworksDB->open || die "Couldn't open netwoks db\n";
my @nets = $n->networks;
my $ovpn = $c->get('openvpn-routed');
my $net = $ovpn->prop('Network') || '192.168.29.0/255.255.255.0';
my ($vpnnet,$mask) = split /\//, $net;
foreach my $net (@nets){
my $key = $net->key;
my $vpn = $n->get_prop($key,"VPNRouted") || '';
if ($vpn eq 'yes'){
unless ($key eq $vpnnet){
$n->set_prop($key, type=>'network-deleted');
event_signal("network-delete","$key");
$n->get($key)->delete;
}
}
}

7
root/etc/e-smith/events/actions/openvpn-routed-jail Normal file
View File

@ -0,0 +1,7 @@
#!/bin/bash
#copy any files needed for the jail
#be sure we have the needed timezone
/bin/cp -L /etc/localtime /etc/openvpn/routed/etc

32
root/etc/e-smith/events/actions/openvpn-routed-update-crl Normal file
View File

@ -0,0 +1,32 @@
#!/bin/bash
URL=$(/sbin/e-smith/db configuration getprop openvpn-routed CrlUrl)
DOMAIN=$(/sbin/e-smith/db configuration get DomainName)
if [ -z $URL ]; then
exit 0
fi
/usr/bin/wget $URL -O /tmp/cacrl_routed.pem > /dev/null 2>&1
/usr/bin/openssl crl -inform PEM -in /tmp/cacrl_routed.pem -text > /dev/null 2>&1
if [ "$?" -eq "0" ]; then
/bin/mv -f /tmp/cacrl_routed.pem /etc/openvpn/routed/pub/cacrl.pem > /dev/null 2>&1
else
cat > /tmp/crlmail_routed <<END
An error occured while updating the CRL for OpenVPN-Routed
because openssl didn't recognize the file as a valid CRL.
Below is the copy of the latest CRL downloaded from
$URL
END
cat /tmp/cacrl_routed.pem >> /tmp/crlmail_routed
mail -s 'CRL update failed' admin@$DOMAIN < /tmp/crlmail_routed
fi
rm -f /tmp/cacrl_routed.pem
rm -f /tmp/crlmail_routed

3
root/etc/e-smith/templates.metadata/etc/openvpn/routed/management-pass.txt Normal file
View File

@ -0,0 +1,3 @@
PERMS=0600
UID="root"
GID="root"

7
root/etc/e-smith/templates/etc/crontab/openvpn-routed-crl Normal file
View File

@ -0,0 +1,7 @@
{
my $url = ${'openvpn-routed'}{'CrlUrl'} || '';
if ($url =~ /^http(s)?:\/\/.*$/){
$OUT .= "# Update OpenVPN routed CRL\n";
$OUT .= "5 * * * * root /etc/e-smith/events/actions/openvpn-routed-update-crl 2>&1 /dev/null\n";
}
}

4
root/etc/e-smith/templates/etc/openvpn/routed/management-pass.txt/10All Normal file
View File

@ -0,0 +1,4 @@
{
my $pass = ${'openvpn-routed'}{'ManagementPassword'} || 'secret';
$OUT = "$pass";
}

21
root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/10dev Normal file
View File

@ -0,0 +1,21 @@
{
my $OUT='';
my $protocol = ${'openvpn-routed'}{Protocol} || 'udp';
my $port='';
if ($protocol eq 'udp'){
$port = ${'openvpn-routed'}{UDPPort} || '1194';
}
if ($protocol eq 'tcp'){
$port = ${'openvpn-routed'}{TCPPort} || '1194';
$protocol = 'tcp-server';
}
$OUT .=<<"HERE";
port $port
proto $protocol
dev tunvpn0
HERE
}

5
root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/20daemon Normal file
View File

@ -0,0 +1,5 @@
user openvpn
group openvpn
chroot /etc/openvpn/routed
persist-key
persist-tun

20
root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/30cert Normal file
View File

@ -0,0 +1,20 @@
# Certificates config
dh pub/dh.pem
ca pub/cacert.pem
cert pub/cert.pem
key priv/key.pem
tls-server
{
if (-e "/etc/openvpn/routed/priv/takey.pem" &&
!-z "/etc/openvpn/routed/priv/takey.pem"){
$OUT .= "tls-auth priv/takey.pem 0\n";
}
if (-e '/etc/openvpn/routed/pub/cacrl.pem' &&
!-z '/etc/openvpn/routed/pub/cacrl.pem'){
$OUT .= "crl-verify pub/cacrl.pem\n";
}
}

33
root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/35encryption Normal file
View File

@ -0,0 +1,33 @@
{
#HMAC default is SHA1 if empty, we really want higher on new setup, but keep empty for default on existing one...
# need to be changed on both side
my $HMAC = ( ${'openvpn-routed'}{'HMAC'} ) ? ${'openvpn-routed'}{'HMAC'} : undef;
# cipher default to BF if empty, we really want higher on new setup, but keep empty for default on existing one...
# # here openvpn uses encrypt-then-mc so no issue using CBC rather than GCM, and GCM not implemented before openvpn 2.4 for data channel
my $cipher = ( ${'openvpn-routed'}{'Cipher'} && ${'openvpn-routed'}{'Cipher'} ne 'auto')? ${'openvpn-routed'}{'Cipher'} : undef;
## we do not want any tls 1.1 or lower, this does not break anything to force, unless the client is very old and limited to 1.1 or lower
my $tlsVmin = ( ${'openvpn-routed'}{'tlsVmin'} && ( ${'openvpn-routed'}{'tlsVmin'} =~ /^1\.[0-9]{1}$/ ) ) ? ${'openvpn-routed'}{'tlsVmin'} : "1.2";
# TLS 1.3 encryption settings
my $tlsCipherSuites13 = ( ${'openvpn-routed'}{'tlsCipherSuites13'} ) ? ${'openvpn-routed'}{'tlsCipherSuites13'} : "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
# # TLS 1.2 encryption settings
my $tlsCipher12 = ( ${'openvpn-routed'}{'tlsCipher12'} ) ? ${'openvpn-routed'}{'tlsCipher12'} : "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256";
$OUT .= "#securing control channel\n";
$OUT .= "tls-version-min $tlsVmin\n";
$OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;
$OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined $tlsCipherSuites13;
#$OUT .= "# we might be able to disable dh param with this one, NSA-'s recommended curve\n";
#$OUT .= "ecdh-curve secp384r1\n";
# data channel
$OUT .= "#securing data channel\n";
$OUT .= (defined $cipher) ? "cipher $cipher\n" : "# no cipher defined default to Blowfish, this is INSECURE, please consider AES-128-CBC or higher on both client and server\n";
#auth SHA512
$OUT .= (defined $HMAC )? "auth $HMAC\n" : "# no HMAC defined, default to SHA1, please consider SHA256 or higher on both client and server\n";
}

8
root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/40auth Normal file
View File

@ -0,0 +1,8 @@
{
my $userAuth = ${'openvpn-routed'}{Authentication} || 'CrtWithPass';
if ($userAuth eq 'CrtWithPass'){
my $libdir = (-d "/usr/lib64/") ? '/usr/lib64' : '/usr/lib';
$OUT .= "plugin " . $libdir . "/openvpn/plugins/openvpn-plugin-auth-pam.so login\n";
}
$OUT .= '';
}

9
root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/50server Normal file
View File

@ -0,0 +1,9 @@
{
my $net = ${'openvpn-routed'}{'Network'} || '192.168.29.0/255.255.255.0';
my ($addr,$mask) = split /\//, $net;
$OUT = "server $addr $mask\n";
}
topology subnet
up /etc/openvpn/routed/bin/up
script-security 2

55
root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options Normal file
View File

@ -0,0 +1,55 @@
# Options
{
my $tunMtu = ${'openvpn-routed'}{Mtu} || '';
my $fragment = ${'openvpn-routed'}{Fragment} || '';
my $redirectGW = ${'openvpn-routed'}{RedirectGateway} || '';
my $proto = ${'openvpn-routed'}{Protocol} || 'udp';
my $duplicate = ${'openvpn-routed'}{DuplicateCN} || 'disabled';
my $passtos = ${'openvpn-routed'}{PassTOS} || 'enabled';
my $compress = ${'openvpn-routed'}{Compression} || 'enabled';
if ($proto eq 'tcp'){
$mtuTest = 'disabled';
$fragment = '';
}
$OUT .=<<"HERE";
keepalive 40 180
push "dhcp-option DOMAIN $DomainName"
push "dhcp-option DNS $LocalIP"
push "dhcp-option WINS $LocalIP"
HERE
if ($tunMtu !~ /^\d+$/){
$OUT .= "mtu-test\n";
}
else{
if ($tunMtu ne ''){
$OUT .= "tun-mtu $tunMtu\n";
}
}
if (($proto eq 'udp') && ($fragment =~ /^\d+$/)){
$OUT .= "fragment $fragment\n";
}
$OUT .= "mssfix\n";
if ($duplicate eq 'enabled'){
$OUT .= "duplicate-cn\n";
}
if ($passtos eq 'enabled'){
$OUT .= "passtos\n";
}
if ($compress eq 'enabled'){
$OUT .= "comp-lzo adaptive\n";
$OUT .= "push \"comp-lzo adaptive\"\n";
}
}
nice 5

29
root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/70routes Normal file
View File

@ -0,0 +1,29 @@
{
my $pushRoutes = ${'openvpn-routed'}{PushLocalNetworks} || 'enabled';
my $redirectGW = ${'openvpn-routed'}{RedirectGateway} || 'disabled';
use esmith::NetworksDB;
my $ndb = esmith::NetworksDB->open_ro() ||
die('Can not open Networks DB');
my @networks = $ndb->networks();
if ($redirectGW eq 'enabled'){
$OUT .= "push \"redirect-gateway def1\"\n";
}
elsif ($pushRoutes eq 'enabled'){
foreach my $network (@networks) {
my $route = '';
my $addr = $network->key;
my $mask = $network->prop('Mask');
my $gw = $network->prop('Router') || '';
my $vpn = $network->prop('VPN') || '';
next if (($network->prop('PushRoute') || 'enabled') eq 'disabled');
next if (($network->prop('VPNRouted') || 'no') eq 'yes');
$route .= "push \"route $addr $mask";
$route .= " $gw" if ($vpn eq '' && $gw ne '');
$OUT .= "$route\"\n";
}
}
}

5
root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/80management Normal file
View File

@ -0,0 +1,5 @@
{
my $pass = ${'openvpn-routed'}{'ManagementPassword'} || 'secret';
$OUT ="management 127.0.0.1 11195 management-pass.txt\n";
}

13
root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/90clients Normal file
View File

@ -0,0 +1,13 @@
{
my $OUT = '';
my $maxClient = ${'openvpn-routed'}{MaxClients} || '';
my $configRequired = ${'openvpn-routed'}{ConfigRequired} || 'disabled';
if ($configRequired eq 'enabled'){
$OUT .= 'ccd-exclusive\n';
}
if ($maxClient =~ /^\d+$/){
$OUT .= "max-clients $maxClient\n";
}
}
client-config-dir ccd

10
root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/95logs Normal file
View File

@ -0,0 +1,10 @@
status-version 2
status bridge-status.txt
{
#suppress-timestamps
my $OUT = '';
my $verb = ${'openvpn-routed'}{Verbose} || '3';
$OUT .= "verb $verb\n";
}
log-append /var/log/openvpn-routed/openvpn-routed.log

8
root/etc/logrotate.d/openvpn-routed Normal file
View File

@ -0,0 +1,8 @@
/var/log/openvpn-routed/*.log{
monthly
rotate 6
compress
copytruncate
missingok
}

12
root/etc/openvpn/routed/bin/up Normal file
View File

@ -0,0 +1,12 @@
#!/bin/bash
net=$(/sbin/e-smith/db configuration getprop openvpn-routed Network || echo '192.168.29.0/255.255.255.0')
addr=${net%%/*}
mask=${net#*/}
db=$(/sbin/e-smith/db networks getprop $addr VPNRouted)
if [ -z $db ]; then
/sbin/e-smith/db networks set $addr network Mask $mask VPNRouted yes Removable no
/sbin/e-smith/signal-event network-create $addr
fi
exit 0

30
root/sbin/e-smith/systemd/openvpn-routed Normal file
View File

@ -0,0 +1,30 @@
#!/bin/bash
[[ ! -f /etc/openvpn/routed/pub/cert.pem && -f /etc/openvpn/bridge/pub/cert.pem ]] && cp -a /etc/openvpn/bridge/pub/cert.pem /etc/openvpn/routed/pub/cert.pem
[[ ! -f /etc/openvpn/routed/pub/cacert.pem && -f /etc/openvpn/bridge/pub/cacert.pem ]] && cp -a /etc/openvpn/bridge/pub/cacert.pem /etc/openvpn/routed/pub/cacert.pem
[[ ! -f /etc/openvpn/routed/pub/dh.pem && -f /etc/openvpn/bridge/pub/dh.pem ]] && cp -a /etc/openvpn/bridge/pub/dh.pem /etc/openvpn/routed/pub/dh.pem
[[ ! -f /etc/openvpn/routed/priv/key.pem && -f /etc/openvpn/bridge/priv/key.pem ]] && cp -a /etc/openvpn/bridge/priv/key.pem /etc/openvpn/routed/priv/key.pem
[[ ! -f /etc/openvpn/routed/priv/takey.pem && -f /etc/openvpn/bridge/priv/takey.pem ]] && cp -a /etc/openvpn/bridge/priv/takey.pem /etc/openvpn/routed/priv/takey.pem
if [[ ! -f /etc/openvpn/routed/pub/cacrl.pem && -f /etc/openvpn/bridge/pub/cacrl.pem ]] ; then
cp -a /etc/openvpn/bridge/pub/cacrl.pem /etc/openvpn/routed/pub/cacrl.pem
CrlUrl=`/sbin/e-smith/config getprop openvpn-bridge CrlUrl`
/sbin/e-smith/config setprop openvpn-routed CrlUrl "$CrlUrl="
myport=`/sbin/e-smith/config getprop openvpn-routed UDPPort`
oriport="$myiport"
bridgeport=`/sbin/e-smith/config getprop openvpn-bridge UDPPort`
s2sports=`/sbin/e-smith/db openvpn-s2s print |sed -re 's/.*Port\|([0-9]+).*/\1/'|sort|uniq`
while [[ $s2sports =~ $myport || $myport == $bridgeport ]]
do
myport=$[$myport+1]
done
if [[ $myport != $oriport ]]; then
echo "set UDPPort to $myport as $oriport was already taken"
/sbin/e-smith/db configuration setprop openvpn-routed UDPPort $myport
/sbin/e-smith/expand-template /etc/openvpn/routed/openvpn.conf
fi
fi
chmod 0600 /etc/openvpn/routed/priv/*
chmod 0644 /etc/openvpn/routed/pub/*
chown root:admin /etc/openvpn/routed/priv/*
chown root:admin /etc/openvpn/routed/pub/*

26
root/usr/lib/systemd/system/openvpn-routed.service Normal file
View File

@ -0,0 +1,26 @@
[Unit]
Description=OpenVPN Server routed for Roadwariors
After=network.service
[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/routed
ExecStartPre=-/sbin/e-smith/service-status 'openvpn-routed'
ExecStartPre=-/sbin/e-smith/systemd/openvpn-routed
ExecStart=/usr/sbin/openvpn --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config /etc/openvpn/routed/openvpn.conf --cd /etc/openvpn/routed
PrivateTmp=true
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
KillMode=process
RestartSec=5s
Restart=on-failure
[Install]
WantedBy=sme-server.target

6
root/var/service/openvpn-routed/log/run Normal file
View File

@ -0,0 +1,6 @@
#!/bin/sh
exec \
/usr/local/bin/setuidgid smelog \
/usr/local/bin/multilog t s5000000 \
/var/log/openvpn-routed

5
root/var/service/openvpn-routed/run Normal file
View File

@ -0,0 +1,5 @@
#!/bin/sh
exec 2>&1
exec /usr/sbin/openvpn --config /etc/openvpn/routed/openvpn.conf --cd /etc/openvpn/routed

124
smeserver-openvpn-routed.spec Normal file
View File

@ -0,0 +1,124 @@
# Authority: vip-ire
# Name: Daniel Berteaud
Summary: OpenVPN, a strong VPN solution build over SSL, pre-configured for routed mode
Name: smeserver-openvpn-routed
%define version 0.1.6
%define release 8
Version: %{version}
Release: %{release}%{?dist}
License: GPL
Group: Networking/Remote access
Source: %{name}-%{version}.tar.xz
BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
BuildArchitectures: noarch
BuildRequires: e-smith-devtools
Requires: e-smith-base
Requires: openvpn
#Requires: perl(Net::OpenVPN::Manage)
%description
This package contains all the needed scripts and templates
to have a full working openvpn server running in routed mode.
%changelog
* Thu Mar 06 2025 cvs2git.sh aka Brian Read <brianr@koozali.org> 0.1.6-8.sme
- Roll up patches and move to git repo [SME: 12338]
* Thu Mar 06 2025 BogusDateBot
- Eliminated rpmbuild "bogus date" warnings due to inconsistent weekday,
by assuming the date is correct and changing the weekday.
* Wed Nov 23 2022 Jean-Philippe Pialasse <tests@pialasse.com> 0.1.6-7.sme
- log to a dedicated file [SME: 12243]
use locale timestamp
* Sat Jul 30 2022 Brian Read <brianr@bjsystems.co.uk> 0.1.6-6.sme
- Re-build and link to latest devtools [SME: 11997]
* Sat Jul 23 2022 Jean-Philippe Pialasse <tests@pialasse.com> 0.1.6-5.sme
- add to core backup [SME: 11997]
* Thu Apr 01 2021 Jean-Philippe Pialasse <tests@pialasse.com> 0.1.6-4.sme
- autoconfiguration if openvpn-bridge is isntalled and configured [SME: 11336]
- reworked systemd unit and scripts
- new property HMAC forced to SHA256, instead of insecure default SHA1 [SME: 9925]
- Cipher now enforced to AES-128-CBC, instead of insecure default Blowfish [SME: 9919]
- possibility to exclude networks to push [SME: 10548]
* Thu Feb 04 2021 Brian Read <brianr@bjsystems.co.uk> 0.1.6-2.sme
- Initial import to SME10 [SME: 11336]
- Add-in-systemd-startup
* Mon Apr 10 2017 Daniel Berteaud <daniel@firewall-services.com> 0.1.6-1
- Update pam plugin path [SME: 10220]
* Mon Feb 8 2016 Daniel Berteaud <daniel@firewall-services.com> 0.1.5-1
- Create /etc/openvpn/routed/dev/urandom [SME: 9238]
* Tue Sep 29 2015 Daniel Berteaud <daniel@firewall-services.com> 0.1.4-1
- Make crl verification optional
- Set a default Network if none is set
- restrict permission on the management-pass.txt file
* Wed Dec 3 2014 Daniel Berteaud <daniel@firewall-services.com> 0.1.3-1
- Correctly push route to local network when not redirecting gw
* Mon Jun 23 2014 Daniel Berteaud <daniel@firewall-services.com> 0.1.2-1
- Fix plugin path on x86_64
* Wed Aug 21 2013 Daniel Berteaud <daniel@firewall-services.com> 0.1.1-1
- Use full path to the up script
* Tue Jun 11 2013 Daniel Berteaud <daniel@firewall-services.com> 0.1.0-1
- initial release
%prep
%setup -q -n %{name}-%{version}
%build
perl createlinks
%{__mkdir_p} root/etc/openvpn/routed/ccd
%{__mkdir_p} root/etc/openvpn/routed/priv
%{__mkdir_p} root/etc/openvpn/routed/pub
%{__mkdir_p} root/etc/openvpn/routed/etc
%{__mkdir_p} root/etc/openvpn/routed/tmp
%{__mkdir_p} root/etc/openvpn/routed/dev
%{__mkdir_p} root/var/log/openvpn-routed
%install
/bin/rm -rf $RPM_BUILD_ROOT
(cd root ; /usr/bin/find . -depth -print | /bin/cpio -dump $RPM_BUILD_ROOT)
/bin/rm -f %{name}-%{version}-filelist
/sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
--file /sbin/e-smith/systemd/openvpn-routed 'attr(0755,root,root)' \
--file /var/service/openvpn-routed/run 'attr(0755,root,root)' \
--file /var/service/openvpn-routed/log/run 'attr(0755,root,root)' \
--dir /var/log/openvpn-routed 'attr(0750,smelog,smelog)' \
--dir /etc/openvpn/routed/pub 'attr(0755,root,root)' \
--dir /etc/openvpn/routed/priv 'attr(0750,root,root)' \
--dir /etc/openvpn/routed/ccd 'attr(0755,root,root)' \
--dir /etc/openvpn/routed/etc 'attr(0755,root,root)' \
--dir /etc/openvpn/routed/tmp 'attr(0770,root,openvpn)' \
--file /usr/bin/ovpn-routed-update-crl 'attr(0750,root,root)' \
--file /etc/openvpn/routed/bin/up 'attr(755,root,root)' \
> %{name}-%{version}-filelist
%files -f %{name}-%{version}-filelist
%defattr(-,root,root)
%clean
rm -rf $RPM_BUILD_ROOT
%post
if [ \! -c /etc/openvpn/routed/dev/urandom ]; then
mknod -m 0444 /etc/openvpn/routed/dev/urandom c 1 9
fi
%preun