initial commit of file from CVS for smeserver-openvpn-routed on Thu 6 Mar 14:40:52 GMT 2025
@@ -0,0 +1 @@
|
||||
AES-128-CBC
|
@@ -0,0 +1 @@
|
||||
SHA256
|
@@ -0,0 +1 @@
|
||||
1194
|
@@ -0,0 +1 @@
|
||||
public
|
@@ -0,0 +1 @@
|
||||
enabled
|
@@ -0,0 +1 @@
|
||||
service
|
@@ -0,0 +1,9 @@
|
||||
{
|
||||
my $openvpn = $DB->get('openvpn-routed') || $DB->new_record('openvpn-routed', {type => 'service'});
|
||||
my $management = $openvpn->prop('ManagementPassword') || '';
|
||||
return "" if ($management ne '');
|
||||
|
||||
# Generate a random password
|
||||
$pass=`/usr/bin/openssl rand -base64 20 | tr -c -d '[:alnum:]'`;
|
||||
$openvpn->set_prop('ManagementPassword',"$pass");
|
||||
}
|
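Review bot: `$pass` on the openssl line is never declared, so the generated password lands in a package global rather than a lexical, and nothing checks that the pipeline produced anything before `set_prop` stores it; the file this fragment belongs to is not named in the rendered hunk. If `openssl` or `tr` fails, an empty `ManagementPassword` is persisted and the management-pass.txt fragment (hunk at L295) then falls back to the literal `'secret'`, a well-known value for the management channel. Declare it and refuse to store an empty result: `my $pass = `/usr/bin/openssl rand -base64 20 | tr -c -d '[:alnum:]'`;` followed by `return "" unless length $pass;` before the `set_prop` call.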
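--- a/root/etc/e-smith/events/actions/openvpn-routed-delete-net
+++ b/root/etc/e-smith/events/actions/openvpn-routed-delete-net
@@ -0,0 +1,25 @@
+#!/usr/bin/perl -w
+use strict;
+use esmith::ConfigDB;
+use esmith::NetworksDB;
+use esmith::event;
+
+my $c = esmith::ConfigDB->open_ro || die "Couldn't open config db\n";
+my $n = esmith::NetworksDB->open || die "Couldn't open netwoks db\n";
+my @nets = $n->networks;
+my $ovpn = $c->get('openvpn-routed');
+my $net = $ovpn->prop('Network') || '192.168.29.0/255.255.255.0';
+my ($vpnnet,$mask) = split /\//, $net;
+
+foreach my $net (@nets){
+my $key = $net->key;
+my $vpn = $n->get_prop($key,"VPNRouted") || '';
+
+if ($vpn eq 'yes'){
+unless ($key eq $vpnnet){
+$n->set_prop($key, type=>'network-deleted');
+event_signal("network-delete","$key");
+$n->get($key)->delete;
+}
+}
+}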
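Review bot: `$c->get('openvpn-routed')` is not checked, so when the record is absent the script dies on `$ovpn->prop('Network')` with a "can't call method on undefined value" message instead of saying what is missing; `my $ovpn = $c->get('openvpn-routed') or die "openvpn-routed record not found\n";` keeps the failure mode explicit. The loop variable `my $net (@nets)` also shadows the outer `$net` string that `$vpnnet` was split from, which is confusing to read even though it is harmless here; `for my $rec (@nets)` avoids it. The die message on the NetworksDB line spells "netwoks".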
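--- a/root/etc/e-smith/events/actions/openvpn-routed-jail
+++ b/root/etc/e-smith/events/actions/openvpn-routed-jail
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+#copy any files needed for the jail
+
+#be sure we have the needed timezone
+/bin/cp -L /etc/localtime /etc/openvpn/routed/etc
+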
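--- a/root/etc/e-smith/events/actions/openvpn-routed-update-crl
+++ b/root/etc/e-smith/events/actions/openvpn-routed-update-crl
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+URL=$(/sbin/e-smith/db configuration getprop openvpn-routed CrlUrl)
+DOMAIN=$(/sbin/e-smith/db configuration get DomainName)
+
+if [ -z $URL ]; then
+exit 0
+fi
+
+/usr/bin/wget $URL -O /tmp/cacrl_routed.pem > /dev/null 2>&1
+
+/usr/bin/openssl crl -inform PEM -in /tmp/cacrl_routed.pem -text > /dev/null 2>&1
+
+if [ "$?" -eq "0" ]; then
+/bin/mv -f /tmp/cacrl_routed.pem /etc/openvpn/routed/pub/cacrl.pem > /dev/null 2>&1
+else
+cat > /tmp/crlmail_routed <<END
+
+An error occured while updating the CRL for OpenVPN-Routed
+because openssl didn't recognize the file as a valid CRL.
+Below is the copy of the latest CRL downloaded from
+$URL
+
+
+END
+
+cat /tmp/cacrl_routed.pem >> /tmp/crlmail_routed
+mail -s 'CRL update failed' admin@$DOMAIN < /tmp/crlmail_routed
+fi
+
+rm -f /tmp/cacrl_routed.pem
+rm -f /tmp/crlmail_routed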
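Review bot: The `openssl crl ... -text` call only proves the download parses as a CRL; it does not check that the CRL was signed by this server's CA, so whatever the URL returns (and the cron fragment accepts plain `http://` URLs) is installed as `pub/cacrl.pem` and immediately governs which client certificates are accepted. Passing `-CAfile /etc/openvpn/routed/pub/cacert.pem` makes openssl verify the signature as part of the same check. The fixed `/tmp/cacrl_routed.pem` and `/tmp/crlmail_routed` names are also predictable paths written as root in a shared directory, and `$URL` is unquoted in both the `[ -z ]` test and the `wget` call; the sketch below uses `mktemp`, quotes the expansions and cleans up through a trap. The installed file must stay readable by the openvpn user, hence the explicit `chmod 0644` before the move.
```shell
URL=$(/sbin/e-smith/db configuration getprop openvpn-routed CrlUrl)
DOMAIN=$(/sbin/e-smith/db configuration get DomainName)
[ -z "$URL" ] && exit 0

CRL=$(mktemp /tmp/cacrl_routed.XXXXXX) || exit 1
MAILBODY=$(mktemp /tmp/crlmail_routed.XXXXXX) || exit 1
trap 'rm -f "$CRL" "$MAILBODY"' EXIT

/usr/bin/wget -q "$URL" -O "$CRL"

# a parseable PEM is not enough: the CRL has to be signed by our own CA
if /usr/bin/openssl crl -inform PEM -in "$CRL" -noout -CAfile /etc/openvpn/routed/pub/cacert.pem > /dev/null 2>&1; then
    chmod 0644 "$CRL"
    /bin/mv -f "$CRL" /etc/openvpn/routed/pub/cacrl.pem
else
    # … unchanged: build the failure report in "$MAILBODY" and mail it to admin@$DOMAIN …
fi
```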
@@ -0,0 +1,3 @@
|
||||
PERMS=0600
|
||||
UID="root"
|
||||
GID="root"
|
@@ -0,0 +1,7 @@
|
||||
{
|
||||
my $url = ${'openvpn-routed'}{'CrlUrl'} || '';
|
||||
if ($url =~ /^http(s)?:\/\/.*$/){
|
||||
$OUT .= "# Update OpenVPN routed CRL\n";
|
||||
$OUT .= "5 * * * * root /etc/e-smith/events/actions/openvpn-routed-update-crl 2>&1 /dev/null\n";
|
||||
}
|
||||
}
|
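Review bot: The cron line emitted on the `$OUT .= "5 * * * * root ..."` statement ends in `2>&1 /dev/null`, which redirects stderr into stdout and then passes `/dev/null` as a positional argument to the update script; nothing is silenced, so every run's output is mailed by cron. The intended form is `... openvpn-routed-update-crl > /dev/null 2>&1\n`. The `^http(s)?:\/\/.*$` test also admits plain `http://` CRL sources, which is only acceptable if the fetching script verifies the CRL signature against the CA before installing it.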
@@ -0,0 +1,4 @@
|
||||
{
|
||||
my $pass = ${'openvpn-routed'}{'ManagementPassword'} || 'secret';
|
||||
$OUT = "$pass";
|
||||
}
|
@@ -0,0 +1,21 @@
|
||||
{
|
||||
my $OUT='';
|
||||
my $protocol = ${'openvpn-routed'}{Protocol} || 'udp';
|
||||
my $port='';
|
||||
if ($protocol eq 'udp'){
|
||||
$port = ${'openvpn-routed'}{UDPPort} || '1194';
|
||||
}
|
||||
if ($protocol eq 'tcp'){
|
||||
$port = ${'openvpn-routed'}{TCPPort} || '1194';
|
||||
$protocol = 'tcp-server';
|
||||
}
|
||||
|
||||
$OUT .=<<"HERE";
|
||||
|
||||
port $port
|
||||
proto $protocol
|
||||
dev tunvpn0
|
||||
|
||||
HERE
|
||||
|
||||
}
|
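Review bot: `my $OUT='';` at the top of this fragment declares a lexical that shadows the template's `$OUT` accumulator; the hunk still emits the `port`/`proto`/`dev` text only because the final statement is the `$OUT .=` heredoc append, whose return value the engine presumably uses when the package `$OUT` is untouched — confirm against the expansion engine. The same `my $OUT = '';` appears in the fragments at L848 and L888; in the L848 one the last statement is an `if`, so when `MaxClients` is not numeric the `ccd-exclusive` line accumulated earlier may never reach the output. Drop the `my` declaration in all three fragments and append to the shared `$OUT` as the other fragments in this commit do.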
@@ -0,0 +1,5 @@
|
||||
user openvpn
|
||||
group openvpn
|
||||
chroot /etc/openvpn/routed
|
||||
persist-key
|
||||
persist-tun
|
@@ -0,0 +1,20 @@
|
||||
# Certificates config
|
||||
dh pub/dh.pem
|
||||
ca pub/cacert.pem
|
||||
cert pub/cert.pem
|
||||
key priv/key.pem
|
||||
tls-server
|
||||
|
||||
{
|
||||
|
||||
if (-e "/etc/openvpn/routed/priv/takey.pem" &&
|
||||
!-z "/etc/openvpn/routed/priv/takey.pem"){
|
||||
$OUT .= "tls-auth priv/takey.pem 0\n";
|
||||
}
|
||||
|
||||
if (-e '/etc/openvpn/routed/pub/cacrl.pem' &&
|
||||
!-z '/etc/openvpn/routed/pub/cacrl.pem'){
|
||||
$OUT .= "crl-verify pub/cacrl.pem\n";
|
||||
}
|
||||
|
||||
}
|
@@ -0,0 +1,33 @@
|
||||
{
|
||||
#HMAC default is SHA1 if empty, we really want higher on new setup, but keep empty for default on existing one...
|
||||
# need to be changed on both side
|
||||
my $HMAC = ( ${'openvpn-routed'}{'HMAC'} ) ? ${'openvpn-routed'}{'HMAC'} : undef;
|
||||
# cipher default to BF if empty, we really want higher on new setup, but keep empty for default on existing one...
|
||||
# # here openvpn uses encrypt-then-mc so no issue using CBC rather than GCM, and GCM not implemented before openvpn 2.4 for data channel
|
||||
my $cipher = ( ${'openvpn-routed'}{'Cipher'} && ${'openvpn-routed'}{'Cipher'} ne 'auto')? ${'openvpn-routed'}{'Cipher'} : undef;
|
||||
|
||||
## we do not want any tls 1.1 or lower, this does not break anything to force, unless the client is very old and limited to 1.1 or lower
|
||||
my $tlsVmin = ( ${'openvpn-routed'}{'tlsVmin'} && ( ${'openvpn-routed'}{'tlsVmin'} =~ /^1\.[0-9]{1}$/ ) ) ? ${'openvpn-routed'}{'tlsVmin'} : "1.2";
|
||||
# TLS 1.3 encryption settings
|
||||
my $tlsCipherSuites13 = ( ${'openvpn-routed'}{'tlsCipherSuites13'} ) ? ${'openvpn-routed'}{'tlsCipherSuites13'} : "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
|
||||
# # TLS 1.2 encryption settings
|
||||
my $tlsCipher12 = ( ${'openvpn-routed'}{'tlsCipher12'} ) ? ${'openvpn-routed'}{'tlsCipher12'} : "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256";
|
||||
|
||||
|
||||
|
||||
$OUT .= "#securing control channel\n";
|
||||
$OUT .= "tls-version-min $tlsVmin\n";
|
||||
$OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;
|
||||
$OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined $tlsCipherSuites13;
|
||||
#$OUT .= "# we might be able to disable dh param with this one, NSA-'s recommended curve\n";
|
||||
#$OUT .= "ecdh-curve secp384r1\n";
|
||||
|
||||
# data channel
|
||||
$OUT .= "#securing data channel\n";
|
||||
$OUT .= (defined $cipher) ? "cipher $cipher\n" : "# no cipher defined default to Blowfish, this is INSECURE, please consider AES-128-CBC or higher on both client and server\n";
|
||||
#auth SHA512
|
||||
$OUT .= (defined $HMAC )? "auth $HMAC\n" : "# no HMAC defined, default to SHA1, please consider SHA256 or higher on both client and server\n";
|
||||
|
||||
|
||||
|
||||
}
|
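Review bot: The `$tlsVmin` validation `/^1\.[0-9]{1}$/` accepts `1.0` and `1.1`, which contradicts the comment two lines above it ("we do not want any tls 1.1 or lower"); a db value of `1.0` would silently re-enable those versions. Restrict it to what the comment promises: `( ${'openvpn-routed'}{'tlsVmin'} =~ /^1\.[23]$/ )`. The `if defined $tlsCipher12` and `if defined $tlsCipherSuites13` guards are dead since both variables always fall back to a non-empty default string.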
@@ -0,0 +1,8 @@
|
||||
{
|
||||
my $userAuth = ${'openvpn-routed'}{Authentication} || 'CrtWithPass';
|
||||
if ($userAuth eq 'CrtWithPass'){
|
||||
my $libdir = (-d "/usr/lib64/") ? '/usr/lib64' : '/usr/lib';
|
||||
$OUT .= "plugin " . $libdir . "/openvpn/plugins/openvpn-plugin-auth-pam.so login\n";
|
||||
}
|
||||
$OUT .= '';
|
||||
}
|
@@ -0,0 +1,9 @@
|
||||
{
|
||||
my $net = ${'openvpn-routed'}{'Network'} || '192.168.29.0/255.255.255.0';
|
||||
my ($addr,$mask) = split /\//, $net;
|
||||
$OUT = "server $addr $mask\n";
|
||||
}
|
||||
topology subnet
|
||||
|
||||
up /etc/openvpn/routed/bin/up
|
||||
script-security 2
|
@@ -0,0 +1,55 @@
|
||||
# Options
|
||||
{
|
||||
|
||||
my $tunMtu = ${'openvpn-routed'}{Mtu} || '';
|
||||
my $fragment = ${'openvpn-routed'}{Fragment} || '';
|
||||
my $redirectGW = ${'openvpn-routed'}{RedirectGateway} || '';
|
||||
my $proto = ${'openvpn-routed'}{Protocol} || 'udp';
|
||||
my $duplicate = ${'openvpn-routed'}{DuplicateCN} || 'disabled';
|
||||
my $passtos = ${'openvpn-routed'}{PassTOS} || 'enabled';
|
||||
my $compress = ${'openvpn-routed'}{Compression} || 'enabled';
|
||||
|
||||
if ($proto eq 'tcp'){
|
||||
$mtuTest = 'disabled';
|
||||
$fragment = '';
|
||||
}
|
||||
|
||||
$OUT .=<<"HERE";
|
||||
keepalive 40 180
|
||||
push "dhcp-option DOMAIN $DomainName"
|
||||
push "dhcp-option DNS $LocalIP"
|
||||
push "dhcp-option WINS $LocalIP"
|
||||
|
||||
HERE
|
||||
|
||||
if ($tunMtu !~ /^\d+$/){
|
||||
$OUT .= "mtu-test\n";
|
||||
}
|
||||
else{
|
||||
if ($tunMtu ne ''){
|
||||
$OUT .= "tun-mtu $tunMtu\n";
|
||||
}
|
||||
}
|
||||
|
||||
if (($proto eq 'udp') && ($fragment =~ /^\d+$/)){
|
||||
$OUT .= "fragment $fragment\n";
|
||||
}
|
||||
$OUT .= "mssfix\n";
|
||||
|
||||
if ($duplicate eq 'enabled'){
|
||||
$OUT .= "duplicate-cn\n";
|
||||
}
|
||||
|
||||
if ($passtos eq 'enabled'){
|
||||
$OUT .= "passtos\n";
|
||||
}
|
||||
|
||||
if ($compress eq 'enabled'){
|
||||
$OUT .= "comp-lzo adaptive\n";
|
||||
$OUT .= "push \"comp-lzo adaptive\"\n";
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
nice 5
|
||||
|
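Review bot: `$mtuTest = 'disabled';` in the `if ($proto eq 'tcp')` branch assigns an undeclared variable that is never read again, so TCP setups still get `mtu-test` emitted when `Mtu` is unset; either drop the assignment or use it to skip the `$OUT .= "mtu-test\n"` line. `$redirectGW` is likewise read from the db and never used in this fragment. `Compression` defaults to `enabled` and emits `comp-lzo adaptive` plus the matching push; compression over a VPN exposes client traffic to compression-oracle attacks (VORACLE), so a new install should default this to `disabled` and let admins opt in: `my $compress = ${'openvpn-routed'}{Compression} || 'disabled';`.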
@@ -0,0 +1,29 @@
|
||||
{
|
||||
|
||||
my $pushRoutes = ${'openvpn-routed'}{PushLocalNetworks} || 'enabled';
|
||||
my $redirectGW = ${'openvpn-routed'}{RedirectGateway} || 'disabled';
|
||||
|
||||
use esmith::NetworksDB;
|
||||
my $ndb = esmith::NetworksDB->open_ro() ||
|
||||
die('Can not open Networks DB');
|
||||
|
||||
my @networks = $ndb->networks();
|
||||
|
||||
if ($redirectGW eq 'enabled'){
|
||||
$OUT .= "push \"redirect-gateway def1\"\n";
|
||||
}
|
||||
elsif ($pushRoutes eq 'enabled'){
|
||||
foreach my $network (@networks) {
|
||||
my $route = '';
|
||||
my $addr = $network->key;
|
||||
my $mask = $network->prop('Mask');
|
||||
my $gw = $network->prop('Router') || '';
|
||||
my $vpn = $network->prop('VPN') || '';
|
||||
next if (($network->prop('PushRoute') || 'enabled') eq 'disabled');
|
||||
next if (($network->prop('VPNRouted') || 'no') eq 'yes');
|
||||
$route .= "push \"route $addr $mask";
|
||||
$route .= " $gw" if ($vpn eq '' && $gw ne '');
|
||||
$OUT .= "$route\"\n";
|
||||
}
|
||||
}
|
||||
}
|
@@ -0,0 +1,5 @@
|
||||
{
|
||||
my $pass = ${'openvpn-routed'}{'ManagementPassword'} || 'secret';
|
||||
$OUT ="management 127.0.0.1 11195 management-pass.txt\n";
|
||||
|
||||
}
|
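Review bot: `my $pass = ... || 'secret';` is assigned and never used in this fragment — the `management` line only references `management-pass.txt`, which another fragment fills. Remove the dead read so a reader does not conclude the password is being interpolated into openvpn.conf.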
@@ -0,0 +1,13 @@
|
||||
{
|
||||
my $OUT = '';
|
||||
my $maxClient = ${'openvpn-routed'}{MaxClients} || '';
|
||||
my $configRequired = ${'openvpn-routed'}{ConfigRequired} || 'disabled';
|
||||
|
||||
if ($configRequired eq 'enabled'){
|
||||
$OUT .= 'ccd-exclusive\n';
|
||||
}
|
||||
if ($maxClient =~ /^\d+$/){
|
||||
$OUT .= "max-clients $maxClient\n";
|
||||
}
|
||||
}
|
||||
client-config-dir ccd
|
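Review bot: `$OUT .= 'ccd-exclusive\n';` uses single quotes, so the fragment emits a literal backslash-n instead of a newline and the following `max-clients`/`client-config-dir` text is glued onto the same config line; openvpn will most likely reject that line, and with it the ccd-exclusive enforcement the `ConfigRequired` setting is meant to provide. Use double quotes: `$OUT .= "ccd-exclusive\n";`.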
@@ -0,0 +1,10 @@
|
||||
status-version 2
|
||||
status bridge-status.txt
|
||||
{
|
||||
#suppress-timestamps
|
||||
my $OUT = '';
|
||||
my $verb = ${'openvpn-routed'}{Verbose} || '3';
|
||||
$OUT .= "verb $verb\n";
|
||||
}
|
||||
log-append /var/log/openvpn-routed/openvpn-routed.log
|
||||
|
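--- a/root/etc/logrotate.d/openvpn-routed
+++ b/root/etc/logrotate.d/openvpn-routed
@@ -0,0 +1,8 @@
+/var/log/openvpn-routed/*.log{
+monthly
+rotate 6
+compress
+copytruncate
+missingok
+}
+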
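--- a/root/etc/openvpn/routed/bin/up
+++ b/root/etc/openvpn/routed/bin/up
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+net=$(/sbin/e-smith/db configuration getprop openvpn-routed Network || echo '192.168.29.0/255.255.255.0')
+addr=${net%%/*}
+mask=${net#*/}
+
+db=$(/sbin/e-smith/db networks getprop $addr VPNRouted)
+if [ -z $db ]; then
+/sbin/e-smith/db networks set $addr network Mask $mask VPNRouted yes Removable no
+/sbin/e-smith/signal-event network-create $addr
+fi
+exit 0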
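Review bot: `[ -z $db ]` is unquoted, so when the property is absent the test degenerates to `[ -z ]`, which happens to be true but only by accident of `test`'s one-argument rule; write `[ -z "$db" ]`. `$addr` and `$mask` are expanded unquoted on the `db networks set` and `signal-event` lines as well; they come from the configuration db rather than from a client, but quoting them costs nothing. The `|| echo '192.168.29.0/...'` fallback only triggers if `db getprop` exits non-zero for a missing property — confirm that, otherwise an unset `Network` yields an empty `$net`.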
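--- a/root/sbin/e-smith/systemd/openvpn-routed
+++ b/root/sbin/e-smith/systemd/openvpn-routed
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+[[ ! -f /etc/openvpn/routed/pub/cert.pem && -f /etc/openvpn/bridge/pub/cert.pem ]] && cp -a /etc/openvpn/bridge/pub/cert.pem /etc/openvpn/routed/pub/cert.pem
+[[ ! -f /etc/openvpn/routed/pub/cacert.pem && -f /etc/openvpn/bridge/pub/cacert.pem ]] && cp -a /etc/openvpn/bridge/pub/cacert.pem /etc/openvpn/routed/pub/cacert.pem
+[[ ! -f /etc/openvpn/routed/pub/dh.pem && -f /etc/openvpn/bridge/pub/dh.pem ]] && cp -a /etc/openvpn/bridge/pub/dh.pem /etc/openvpn/routed/pub/dh.pem
+[[ ! -f /etc/openvpn/routed/priv/key.pem && -f /etc/openvpn/bridge/priv/key.pem ]] && cp -a /etc/openvpn/bridge/priv/key.pem /etc/openvpn/routed/priv/key.pem
+[[ ! -f /etc/openvpn/routed/priv/takey.pem && -f /etc/openvpn/bridge/priv/takey.pem ]] && cp -a /etc/openvpn/bridge/priv/takey.pem /etc/openvpn/routed/priv/takey.pem
+if [[ ! -f /etc/openvpn/routed/pub/cacrl.pem && -f /etc/openvpn/bridge/pub/cacrl.pem ]] ; then
+cp -a /etc/openvpn/bridge/pub/cacrl.pem /etc/openvpn/routed/pub/cacrl.pem
+CrlUrl=`/sbin/e-smith/config getprop openvpn-bridge CrlUrl`
+/sbin/e-smith/config setprop openvpn-routed CrlUrl "$CrlUrl="
+
+myport=`/sbin/e-smith/config getprop openvpn-routed UDPPort`
+oriport="$myiport"
+bridgeport=`/sbin/e-smith/config getprop openvpn-bridge UDPPort`
+s2sports=`/sbin/e-smith/db openvpn-s2s print |sed -re 's/.*Port\|([0-9]+).*/\1/'|sort|uniq`
+while [[ $s2sports =~ $myport || $myport == $bridgeport ]]
+do
+myport=$[$myport+1]
+done
+if [[ $myport != $oriport ]]; then
+echo "set UDPPort to $myport as $oriport was already taken"
+/sbin/e-smith/db configuration setprop openvpn-routed UDPPort $myport
+/sbin/e-smith/expand-template /etc/openvpn/routed/openvpn.conf
+fi
+fi
+chmod 0600 /etc/openvpn/routed/priv/*
+chmod 0644 /etc/openvpn/routed/pub/*
+chown root:admin /etc/openvpn/routed/priv/*
+chown root:admin /etc/openvpn/routed/pub/*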
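Review bot: Two typos in the migration branch defeat its logic: `setprop openvpn-routed CrlUrl "$CrlUrl="` stores the bridge URL with a stray `=` appended, and `oriport="$myiport"` reads a variable that does not exist, so `$oriport` is empty, `$myport != $oriport` is always true and the UDPPort is rewritten (with a misleading "already taken" message) on every migration. The fixes are `setprop openvpn-routed CrlUrl "$CrlUrl"` and `oriport="$myport"`. The `[[ $s2sports =~ $myport ]]` test is also an unanchored regex match over the newline-separated port list, so a port of `119` collides with `1194`; an exact-line comparison such as `while printf '%s\n' "$s2sports" | grep -qx "$myport" || [[ $myport == "$bridgeport" ]]` is what the loop needs, and it should start from a defined value (`myport=${myport:-1194}`, presumably matching the db default elsewhere in this commit) so an unset UDPPort does not feed an empty pattern into the loop.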
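--- a/root/usr/lib/systemd/system/openvpn-routed.service
+++ b/root/usr/lib/systemd/system/openvpn-routed.service
@@ -0,0 +1,26 @@
+[Unit]
+Description=OpenVPN Server routed for Roadwariors
+After=network.service
+
+[Service]
+Type=notify
+PrivateTmp=true
+WorkingDirectory=/etc/openvpn/routed
+
+ExecStartPre=-/sbin/e-smith/service-status 'openvpn-routed'
+ExecStartPre=-/sbin/e-smith/systemd/openvpn-routed
+ExecStart=/usr/sbin/openvpn --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config /etc/openvpn/routed/openvpn.conf --cd /etc/openvpn/routed
+
+PrivateTmp=true
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+LimitNPROC=10
+DeviceAllow=/dev/null rw
+DeviceAllow=/dev/net/tun rw
+KillMode=process
+RestartSec=5s
+Restart=on-failure
+
+
+[Install]
+WantedBy=sme-server.target
+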
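Review bot: The `ExecStart` line lists `BF-CBC` in `--ncp-ciphers`, so a client that offers only Blowfish negotiates a 64-bit block cipher for the data channel even though the openvpn.conf fragment in this same commit labels the Blowfish default INSECURE; drop it so the negotiable set is `AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC`, and note that OpenVPN 2.5 renamed this option to `--data-ciphers`. `PrivateTmp=true` appears twice in `[Service]`; the second copy can go. `After=network.service` is unusual for a unit that only needs the network up — `network.target` (or `network-online.target`) is the conventional dependency, but confirm against what this distribution provides.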
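--- a/root/var/service/openvpn-routed/log/run
+++ b/root/var/service/openvpn-routed/log/run
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+exec \
+/usr/local/bin/setuidgid smelog \
+/usr/local/bin/multilog t s5000000 \
+/var/log/openvpn-routed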
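--- a/root/var/service/openvpn-routed/run
+++ b/root/var/service/openvpn-routed/run
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+exec 2>&1
+
+exec /usr/sbin/openvpn --config /etc/openvpn/routed/openvpn.conf --cd /etc/openvpn/routed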