initial commit of file from CVS for smeserver-openvpn-routed on Thu 6 Mar 14:40:52 GMT 2025

2025-03-06 14:40:52 +00:00 · 2025-03-06 14:40:52 +00:00 · 73d65d729e
commit 73d65d729e
parent 08020c8369
38 changed files with 866 additions and 2 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,4 @@
 *.rpm
 *.log
 *spec-20*
 *.tar.gz
--- a/21
+++ b/21
@ -0,0 +1,21 @@
 # Makefile for source rpm: smeserver-openvpn-routed
 # $Id: Makefile,v 1.1 2021/02/04 16:20:21 brianr Exp $
 NAME := smeserver-openvpn-routed
 SPECFILE = $(firstword $(wildcard *.spec))
 define find-makefile-common
 for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
 endef
 MAKEFILE_COMMON := $(shell $(find-makefile-common))
 ifeq ($(MAKEFILE_COMMON),)
 # attept a checkout
 define checkout-makefile-common
 test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
 endef
 MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
 endif
 include $(MAKEFILE_COMMON)
--- a/README.md
+++ b/README.md
@ -1,3 +1,15 @@
-# smeserver-openvpn-routed
+# <img src="https://www.koozali.org/images/koozali/Logo/Png/Koozali_logo_2016.png" width="25%" vertical="auto" style="vertical-align:bottom"> smeserver-openvpn-routed
 SMEServer Koozali developed git repo for smeserver-openvpn-routed smecontribs
 ## Wiki
 <br />https://wiki.koozali.org/
 ## Bugzilla
 Show list of outstanding bugs: [here](https://bugs.koozali.org/buglist.cgi?component=smeserver-openvpn-routed&product=SME%20Contribs&query_format=advanced&limit=0&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=CONFIRMED)
 ## Description
 <br />*This description has been generated by an LLM AI system and cannot be relied on to be fully correct.*
 *Once it has been checked, then this comment will be deleted*
 <br />
--- a/additional/CHANGELOG.git
+++ b/additional/CHANGELOG.git
@ -0,0 +1,155 @@
 commit 66557c7d543573cdd5e3eb332bb54ba2517a3d60
 Author: Daniel Berteaud <daniel@firewall-services.com>
 Date:   Mon Apr 10 11:18:17 2017 +0200
    Update pam plugin path
 commit 848752010a3a37d1bd75d38b4f0c0e3011109884
 Author: Daniel Berteaud <daniel@firewall-services.com>
 Date:   Mon Feb 8 10:59:41 2016 +0100
    Create urandom in chroot
 commit 5e590ef5b9bda1aa62264b104fed5a8aa8d8f099
 Author: Daniel Berteaud <daniel@firewall-services.com>
 Date:   Tue Sep 29 12:02:31 2015 +0200
    Spec file update
 commit c595fbe31a78521383074be878e6afe810b11d0a
 Author: Daniel Berteaud <daniel@firewall-services.com>
 Date:   Tue Sep 29 11:42:30 2015 +0200
    Make crl verification optional
 commit 36f5d2b782c5cfdf1717dc73dfeff5d7867cdf85
 Author: Daniel Berteaud <daniel@firewall-services.com>
 Date:   Tue Sep 29 11:23:44 2015 +0200
    Restrict access to the management-pass.txt file
 commit d66b9396e182fda414eaf994884b6244caa00204
 Author: Daniel Berteaud <daniel@firewall-services.com>
 Date:   Tue Sep 29 11:21:01 2015 +0200
    Set default network in the up script
 commit 019d0e2d50184ca5822b7ce6736c4ba3ad0f0fd5
 Author: Daniel Berteaud <daniel@firewall-services.com>
 Date:   Wed Dec 3 22:25:19 2014 +0100
    Spec file update
 commit 6a3d60d9a8ab6a33b04aad4bf059eab45eac438b
 Author: Daniel Berteaud <daniel@firewall-services.com>
 Date:   Wed Dec 3 21:54:49 2014 +0100
    Correctly push route for local network
 commit 496a2b678f383f2980f6a7c9677b2166dd5b7835
 Author: Daniel Berteaud <daniel@firewall-services.com>
 Date:   Mon Jun 23 18:26:42 2014 +0200
    Spec file update
 commit 5534d9a3cb739d20b202f92b755e66a0c5a3a56b
 Author: Daniel Berteaud <daniel@firewall-services.com>
 Date:   Mon Jun 23 18:25:55 2014 +0200
    Fix plugin path on x86_64
 commit 890a6c2e09bcaccfe7c9a2b2f9a88e6dadc3ae0d
 Author: Daniel Berteaud <daniel@firewall-services.com>
 Date:   Wed Aug 21 16:06:26 2013 +0200
    update spec file
 commit b89fdff8d3018f849456d4b408dba274e5e7f955
 Author: Daniel Berteaud <daniel@firewall-services.com>
 Date:   Wed Aug 21 16:05:48 2013 +0200
    Use full path the the up script
 commit d31a088f194a3d8d1ca9ecf51b2f37aaf64d42e4
 Author: Daniel Berteaud <daniel@firewall-services.com>
 Date:   Tue Jun 11 10:58:01 2013 +0200
    update spec file
 commit 2d0c9d80dde1ccc7f99deb0720db5ad0d252c568
 Author: Daniel Berteaud <daniel@firewall-services.com>
 Date:   Wed May 29 14:45:14 2013 +0200
    Use different name for the crl to prevent race conditions with openvpn-bridge
 commit 9d0d164b4d8d589d62343dd9e9a1f8f1b8f912fe
 Author: Daniel Berteaud <daniel@firewall-services.com>
 Date:   Mon May 27 09:44:28 2013 +0200
    Fix update CRL script, refers to Routed mode, not bridged one
 commit 7b7d1f9e50435deb3608c370dedf75b056fed561
 Author: Daniel Berteaud <daniel@firewall-services.com>
 Date:   Fri May 24 16:59:45 2013 +0200
    Do not try to update the CRL if its URL is not set
 commit 322061737010908e87e582e54af86219dc84d60d
 Author: Daniel Berteaud <daniel@firewall-services.com>
 Date:   Fri May 24 16:36:12 2013 +0200
    Comment unused reload-ccd event
 commit 655898a494ffb6323d3876058dc2eb3077540252
 Author: Daniel Berteaud <daniel@firewall-services.com>
 Date:   Fri May 24 16:35:23 2013 +0200
    Remove copyright notice in up script
 commit 2995895c2005c0a764b67230c67045e6fe7ca6f5
 Author: Daniel Berteaud <daniel@firewall-services.com>
 Date:   Fri May 24 16:35:03 2013 +0200
    Fix up script
 commit 69aa3d3988a0b08196a19374746c6c7f28ccaa84
 Author: Daniel Berteaud <daniel@firewall-services.com>
 Date:   Fri May 24 16:34:29 2013 +0200
    Add script-security 2, as required to execute external scripts
 commit 5230402365b0758c764da2acfb1d5677be7cb00d
 Author: Daniel Berteaud <daniel@firewall-services.com>
 Date:   Fri May 24 16:29:49 2013 +0200
    Call the up script during service startup
 commit 6378427fdf9590f69117997c83ce6023e377c48e
 Author: Daniel Berteaud <daniel@firewall-services.com>
 Date:   Fri May 24 16:29:15 2013 +0200
    Fix permission of the up script
 commit 42036e42ee291404c96db59f07e667e0d6688a75
 Author: Daniel Berteaud <daniel@firewall-services.com>
 Date:   Fri May 24 16:26:57 2013 +0200
    Fix openvpn-routed-delete-net script and remove copyright notice
 commit 74bfd5d71beb9a094a1011a621135308f3cea761
 Author: Daniel Berteaud <daniel@firewall-services.com>
 Date:   Fri May 24 16:06:42 2013 +0200
    Don't add template header in management-pass file
 commit bc7246dd740f47b6c9f5aa619fc59ddf5228753c
 Author: Daniel Berteaud <daniel@firewall-services.com>
 Date:   Fri May 24 16:05:29 2013 +0200
    Fixes in templates for openvpn.conf
 commit e201d0a9b0c059f23eb9750f383fc2a5f331663e
 Author: Daniel Berteaud <daniel@firewall-services.com>
 Date:   Fri May 24 15:38:55 2013 +0200
    FIrst commit
--- a/additional/smeserver-openvpn-routed.spec
+++ b/additional/smeserver-openvpn-routed.spec
@ -0,0 +1,90 @@
 # Authority: vip-ire
 # Name: Daniel Berteaud
 Summary: OpenVPN, a strong VPN solution build over SSL, pre-configured for routed mode
 Name: smeserver-openvpn-routed
 %define version 0.1.5
 %define release 1
 Version: %{version}
 Release: %{release}%{?dist}
 License: GPL
 Group: Networking/Remote access
 Source: %{name}-%{version}.tar.gz
 BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
 BuildArchitectures: noarch
 BuildRequires: e-smith-devtools
 Requires: e-smith-base
 Requires: openvpn
 #Requires: perl(Net::OpenVPN::Manage)
 %description
 This package contains all the needed scripts and templates
 to have a full working openvpn server running in routed mode.
 %changelog
 * Mon Feb 8 2016 Daniel Berteaud <daniel@firewall-services.com> 0.1.5-1
 - Create /etc/openvpn/routed/dev/urandom [SME: 9238]
 * Tue Sep 29 2015 Daniel Berteaud <daniel@firewall-services.com> 0.1.4-1
 - Make crl verification optional
 - Set a default Network if none is set
 - restrict permission on the management-pass.txt file
 * Wed Dec 3 2014 Daniel Berteaud <daniel@firewall-services.com> 0.1.3-1
 - Correctly push route to local network when not redirecting gw
 * Mon Jun 23 2014 Daniel Berteaud <daniel@firewall-services.com> 0.1.2-1
 - Fix plugin path on x86_64
 * Wed Aug 21 2013 Daniel Berteaud <daniel@firewall-services.com> 0.1.1-1
 - Use full path to the up script
 * Tue Jun 11 2013 Daniel Berteaud <daniel@firewall-services.com> 0.1.0-1
 - initial release
 %prep
 %setup -q -n %{name}-%{version}
 %build
 perl createlinks
 %{__mkdir_p} root/etc/openvpn/routed/ccd
 %{__mkdir_p} root/etc/openvpn/routed/priv
 %{__mkdir_p} root/etc/openvpn/routed/pub
 %{__mkdir_p} root/etc/openvpn/routed/tmp
 %{__mkdir_p} root/etc/openvpn/routed/dev
 %{__mkdir_p} root/var/log/openvpn-routed
 %install
 /bin/rm -rf $RPM_BUILD_ROOT
 (cd root   ; /usr/bin/find . -depth -print | /bin/cpio -dump $RPM_BUILD_ROOT)
 /bin/rm -f %{name}-%{version}-filelist
 /sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
  --file /var/service/openvpn-routed/run 'attr(0755,root,root)' \
  --file /var/service/openvpn-routed/log/run 'attr(0755,root,root)' \
  --dir /var/log/openvpn-routed 'attr(0750,smelog,smelog)' \
  --dir /etc/openvpn/routed/pub 'attr(0755,root,root)' \
  --dir /etc/openvpn/routed/priv 'attr(0750,root,root)' \
  --dir /etc/openvpn/routed/ccd 'attr(0755,root,root)' \
  --dir /etc/openvpn/routed/tmp 'attr(0770,root,openvpn)' \
  --file /usr/bin/ovpn-routed-update-crl  'attr(0750,root,root)' \
  --file /etc/openvpn/routed/bin/up 'attr(755,root,root)' \
  > %{name}-%{version}-filelist
 %files -f %{name}-%{version}-filelist
 %defattr(-,root,root)
 %clean
 rm -rf $RPM_BUILD_ROOT
 %post
 if [ \! -c /etc/openvpn/routed/dev/urandom ]; then
    mknod -m 0444 /etc/openvpn/routed/dev/urandom c 1 9
 fi
 %preun
--- a/1
+++ b/1
@ -0,0 +1 @@
 contribs10
--- a/69
+++ b/69
@ -0,0 +1,69 @@
 #!/usr/bin/perl -w
 use esmith::Build::CreateLinks qw(:all);
 safe_symlink("restart", "root/etc/e-smith/events/openvpn-routed-update/services2adjust/openvpn-routed");
 safe_symlink("restart", "root/etc/e-smith/events/network-create/services2adjust/openvpn-routed");
 safe_symlink("restart", "root/etc/e-smith/events/network-delete/services2adjust/openvpn-routed");
 #service_link_enhanced("openvpn-routed", "S80", "7");
 #service_link_enhanced("openvpn-routed", "K25", "6");
 #service_link_enhanced("openvpn-routed", "K25", "0");
 #safe_symlink("../daemontools" , 'root/etc/rc.d/init.d/supervise/openvpn-routed');
 safe_symlink("/var/service/openvpn-routed" , 'root/service/openvpn-routed');
 safe_touch("root/var/service/openvpn-routed/down");
 safe_touch("root/etc/e-smith/templates/etc/openvpn/routed/management-pass.txt/template-begin");
 safe_touch("root/etc/e-smith/templates/etc/openvpn/routed/management-pass.txt/template-end");
 #panel_link("openvpnrouted", 'manager');
 templates2events("/etc/openvpn/routed/openvpn.conf", "openvpn-routed-update");
 templates2events("/etc/openvpn/routed/management-pass.txt", qw(openvpn-routed-update bootstrap-console-save));
 templates2events("/etc/openvpn/routed/openvpn.conf", qw(openvpn-routed-update bootstrap-console-save network-create network-delete));
 templates2events("/etc/crontab", qw(openvpn-routed-update));
 #event_link("openvpn-routed-reload-ccd", "openvpn-routed-update", "20");
 event_link("openvpn-routed-update-crl", "openvpn-routed-update", "30");
 event_link("openvpn-routed-delete-net", "openvpn-routed-update", "40");
 event_link("openvpn-bridge-jail", "openvpn-routed-update", "03");
 event_link("openvpn-bridge-jail", "bootstrap-console-save", "03");
 #event_link("openvpn-routed-reload-ccd", "openvpn-routed-reload-ccd", "20");
 #event_link("openvpn-routed-update-crl", "openvpn-routed-reload-ccd", "30");
 # our event specific for updating with yum without reboot
 $event = "smeserver-openvpn-routed-update";
 #add here the path to your templates needed to expand
 #see the /etc/systemd/system-preset/49-koozali.preset should be present for systemd integration on all you yum update event
 foreach my $file (qw(
                /etc/systemd/system-preset/49-koozali.preset
                /etc/crontab
 		/etc/openvpn/routed/management-pass.txt
 		/etc/openvpn/routed/openvpn.conf
 ))
 {
    templates2events( $file, $event );
 }
 #action needed in case we have a systemd unit
 event_link("systemd-default", $event, "10");
 event_link("systemd-reload", $event, "50");
 #action specific to this package
 event_link("openvpn-routed-update", $event, "60");
 event_link("openvpn-bridge-jail", $event, "03");
 #services we need to restart
 safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/openvpn-routed");
 use esmith::Build::Backup qw(:all);
 backup_includes("smeserver-openvpn-routed", qw(
 /etc/openvpn/routed/priv
 /etc/openvpn/routed/pub
 /var/log/openvpn-routed
 ));
--- a/root/etc/e-smith/db/configuration/defaults/openvpn-routed/Cipher
+++ b/root/etc/e-smith/db/configuration/defaults/openvpn-routed/Cipher
@ -0,0 +1 @@
 AES-128-CBC
--- a/root/etc/e-smith/db/configuration/defaults/openvpn-routed/HMAC
+++ b/root/etc/e-smith/db/configuration/defaults/openvpn-routed/HMAC
@ -0,0 +1 @@
 SHA256
--- a/root/etc/e-smith/db/configuration/defaults/openvpn-routed/UDPPort
+++ b/root/etc/e-smith/db/configuration/defaults/openvpn-routed/UDPPort
@ -0,0 +1 @@
 1194
--- a/root/etc/e-smith/db/configuration/defaults/openvpn-routed/access
+++ b/root/etc/e-smith/db/configuration/defaults/openvpn-routed/access
@ -0,0 +1 @@
 public
--- a/root/etc/e-smith/db/configuration/defaults/openvpn-routed/status
+++ b/root/etc/e-smith/db/configuration/defaults/openvpn-routed/status
@ -0,0 +1 @@
 enabled
--- a/root/etc/e-smith/db/configuration/defaults/openvpn-routed/type
+++ b/root/etc/e-smith/db/configuration/defaults/openvpn-routed/type
@ -0,0 +1 @@
 service
--- a/root/etc/e-smith/db/configuration/migrate/50openvpn-routed-management-pass
+++ b/root/etc/e-smith/db/configuration/migrate/50openvpn-routed-management-pass
@ -0,0 +1,9 @@
 {
    my $openvpn = $DB->get('openvpn-routed') || $DB->new_record('openvpn-routed', {type => 'service'});
    my $management = $openvpn->prop('ManagementPassword') || '';
    return "" if ($management ne '');
    # Generate a random password
    $pass=`/usr/bin/openssl rand -base64 20 | tr -c -d '[:alnum:]'`;
    $openvpn->set_prop('ManagementPassword',"$pass");
 }
--- a/root/etc/e-smith/events/actions/openvpn-routed-delete-net
+++ b/root/etc/e-smith/events/actions/openvpn-routed-delete-net
@ -0,0 +1,25 @@
 #!/usr/bin/perl -w
 use strict;
 use esmith::ConfigDB;
 use esmith::NetworksDB;
 use esmith::event;
 my $c = esmith::ConfigDB->open_ro || die "Couldn't open config db\n";
 my $n = esmith::NetworksDB->open || die "Couldn't open netwoks db\n";
 my @nets = $n->networks;
 my $ovpn = $c->get('openvpn-routed');
 my $net = $ovpn->prop('Network') || '192.168.29.0/255.255.255.0';
 my ($vpnnet,$mask) = split /\//, $net;
 foreach my $net (@nets){
    my $key = $net->key;
    my $vpn = $n->get_prop($key,"VPNRouted") || '';
    if ($vpn eq 'yes'){
        unless ($key eq $vpnnet){
            $n->set_prop($key, type=>'network-deleted');
            event_signal("network-delete","$key");
            $n->get($key)->delete;
        }
    }
 }
--- a/root/etc/e-smith/events/actions/openvpn-routed-jail
+++ b/root/etc/e-smith/events/actions/openvpn-routed-jail
@ -0,0 +1,7 @@
 #!/bin/bash
 #copy any files needed for the jail
 #be sure we have the needed timezone
 /bin/cp -L /etc/localtime  /etc/openvpn/routed/etc
--- a/root/etc/e-smith/events/actions/openvpn-routed-update-crl
+++ b/root/etc/e-smith/events/actions/openvpn-routed-update-crl
@ -0,0 +1,32 @@
 #!/bin/bash
 URL=$(/sbin/e-smith/db configuration getprop openvpn-routed CrlUrl)
 DOMAIN=$(/sbin/e-smith/db configuration get DomainName)
 if [ -z $URL ]; then
    exit 0
 fi
 /usr/bin/wget $URL -O /tmp/cacrl_routed.pem > /dev/null 2>&1
 /usr/bin/openssl crl -inform PEM -in /tmp/cacrl_routed.pem -text > /dev/null 2>&1
 if [ "$?" -eq "0" ]; then
        /bin/mv -f /tmp/cacrl_routed.pem /etc/openvpn/routed/pub/cacrl.pem > /dev/null 2>&1
 else
        cat > /tmp/crlmail_routed <<END
 An error occured while updating the CRL for OpenVPN-Routed
 because openssl didn't recognize the file as a valid CRL.
 Below is the copy of the latest CRL downloaded from
 $URL
 END
        cat /tmp/cacrl_routed.pem >> /tmp/crlmail_routed
        mail -s 'CRL update failed' admin@$DOMAIN < /tmp/crlmail_routed
 fi
 rm -f /tmp/cacrl_routed.pem
 rm -f /tmp/crlmail_routed
--- a/root/etc/e-smith/templates.metadata/etc/openvpn/routed/management-pass.txt
+++ b/root/etc/e-smith/templates.metadata/etc/openvpn/routed/management-pass.txt
@ -0,0 +1,3 @@
 PERMS=0600
 UID="root"
 GID="root"
--- a/root/etc/e-smith/templates/etc/crontab/openvpn-routed-crl
+++ b/root/etc/e-smith/templates/etc/crontab/openvpn-routed-crl
@ -0,0 +1,7 @@
 {
 my $url = ${'openvpn-routed'}{'CrlUrl'} || '';
 if ($url =~ /^http(s)?:\/\/.*$/){
        $OUT .= "# Update OpenVPN routed CRL\n";
        $OUT .= "5 * * * * root /etc/e-smith/events/actions/openvpn-routed-update-crl 2>&1 /dev/null\n";
 }
 }
--- a/root/etc/e-smith/templates/etc/openvpn/routed/management-pass.txt/10All
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/management-pass.txt/10All
@ -0,0 +1,4 @@
 {
    my $pass = ${'openvpn-routed'}{'ManagementPassword'} || 'secret';
    $OUT = "$pass";
 }
--- a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/10dev
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/10dev
@ -0,0 +1,21 @@
 {
    my $OUT='';
    my $protocol = ${'openvpn-routed'}{Protocol} || 'udp';
    my $port='';
    if ($protocol eq 'udp'){
        $port = ${'openvpn-routed'}{UDPPort} || '1194';
    }
    if ($protocol eq 'tcp'){
        $port = ${'openvpn-routed'}{TCPPort} || '1194';
        $protocol = 'tcp-server';
    }
 $OUT .=<<"HERE";
 port $port
 proto $protocol
 dev tunvpn0
 HERE
 }
--- a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/20daemon
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/20daemon
@ -0,0 +1,5 @@
 user openvpn
 group openvpn
 chroot /etc/openvpn/routed
 persist-key
 persist-tun
--- a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/30cert
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/30cert
@ -0,0 +1,20 @@
 # Certificates config
 dh pub/dh.pem
 ca pub/cacert.pem
 cert pub/cert.pem
 key priv/key.pem
 tls-server
 {
 if (-e "/etc/openvpn/routed/priv/takey.pem" &&
    !-z "/etc/openvpn/routed/priv/takey.pem"){
  $OUT .= "tls-auth priv/takey.pem 0\n";
 }
 if (-e '/etc/openvpn/routed/pub/cacrl.pem' &&
   !-z '/etc/openvpn/routed/pub/cacrl.pem'){
  $OUT .= "crl-verify pub/cacrl.pem\n";
 }
 }
--- a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/35encryption
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/35encryption
@ -0,0 +1,33 @@
 {
    #HMAC default is SHA1 if empty, we really want higher on new setup, but keep empty for default on existing one...
    # need to be changed on both side
    my $HMAC = ( ${'openvpn-routed'}{'HMAC'} ) ?  ${'openvpn-routed'}{'HMAC'} : undef;
    # cipher default to BF if empty,  we really want higher on new setup, but keep empty for default on existing one...
    # # here openvpn uses encrypt-then-mc so no issue using CBC rather than GCM, and GCM not implemented before openvpn 2.4 for data channel
    my $cipher = ( ${'openvpn-routed'}{'Cipher'} && ${'openvpn-routed'}{'Cipher'} ne 'auto')? ${'openvpn-routed'}{'Cipher'}  : undef;
    ## we do not want any tls 1.1 or lower, this does not break anything to force, unless the client is very old and limited to 1.1 or lower
    my $tlsVmin = (  ${'openvpn-routed'}{'tlsVmin'} && ( ${'openvpn-routed'}{'tlsVmin'} =~ /^1\.[0-9]{1}$/  ) ) ? ${'openvpn-routed'}{'tlsVmin'}  : "1.2";
    # TLS 1.3 encryption settings
    my $tlsCipherSuites13 = (  ${'openvpn-routed'}{'tlsCipherSuites13'} ) ?  ${'openvpn-routed'}{'tlsCipherSuites13'} : "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
    # # TLS 1.2 encryption settings
    my $tlsCipher12 = (  ${'openvpn-routed'}{'tlsCipher12'} ) ? ${'openvpn-routed'}{'tlsCipher12'} : "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256";
     $OUT .= "#securing control channel\n";
     $OUT .= "tls-version-min $tlsVmin\n";
     $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;
     $OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined $tlsCipherSuites13;
     #$OUT .= "# we might be able to disable dh param with this one, NSA-'s recommended curve\n";
     #$OUT .= "ecdh-curve secp384r1\n";
     # data channel
     $OUT .= "#securing data channel\n";
     $OUT .= (defined $cipher) ? "cipher $cipher\n" : "# no cipher defined default to Blowfish, this is INSECURE, please consider AES-128-CBC or higher on both client and server\n";
     #auth SHA512
     $OUT .= (defined $HMAC )? "auth $HMAC\n" : "# no HMAC defined, default to SHA1, please consider SHA256 or higher on both client and server\n";
 }
--- a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/40auth
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/40auth
@ -0,0 +1,8 @@
 {
    my $userAuth = ${'openvpn-routed'}{Authentication} || 'CrtWithPass';
    if ($userAuth eq 'CrtWithPass'){
        my $libdir = (-d "/usr/lib64/") ? '/usr/lib64' : '/usr/lib';
        $OUT .= "plugin " . $libdir . "/openvpn/plugins/openvpn-plugin-auth-pam.so login\n";
    }
    $OUT .= '';
 }
--- a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/50server
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/50server
@ -0,0 +1,9 @@
 {
    my $net = ${'openvpn-routed'}{'Network'} || '192.168.29.0/255.255.255.0';
    my ($addr,$mask) = split /\//, $net;
    $OUT = "server $addr $mask\n";
 }
 topology subnet
 up /etc/openvpn/routed/bin/up
 script-security 2
--- a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options
@ -0,0 +1,55 @@
 # Options
 {
 my $tunMtu = ${'openvpn-routed'}{Mtu} || '';
 my $fragment = ${'openvpn-routed'}{Fragment} || '';
 my $redirectGW = ${'openvpn-routed'}{RedirectGateway} || '';
 my $proto = ${'openvpn-routed'}{Protocol} || 'udp';
 my $duplicate = ${'openvpn-routed'}{DuplicateCN} || 'disabled';
 my $passtos = ${'openvpn-routed'}{PassTOS} || 'enabled';
 my $compress = ${'openvpn-routed'}{Compression} || 'enabled';
 if ($proto eq 'tcp'){
    $mtuTest = 'disabled';
    $fragment = '';
 }
 $OUT .=<<"HERE";
 keepalive 40 180
 push "dhcp-option DOMAIN $DomainName"
 push "dhcp-option DNS $LocalIP"
 push "dhcp-option WINS $LocalIP"
 HERE
 if ($tunMtu !~ /^\d+$/){
    $OUT .= "mtu-test\n";
 }
 else{
    if ($tunMtu ne ''){
        $OUT .= "tun-mtu $tunMtu\n";
    }
 }
 if (($proto eq 'udp') && ($fragment =~ /^\d+$/)){
    $OUT .= "fragment $fragment\n";
 }
 $OUT .= "mssfix\n";
 if ($duplicate eq 'enabled'){
    $OUT .= "duplicate-cn\n";
 }
 if ($passtos eq 'enabled'){
    $OUT .= "passtos\n";
 }
 if ($compress eq 'enabled'){
    $OUT .= "comp-lzo adaptive\n";
    $OUT .= "push \"comp-lzo adaptive\"\n";
 }
 }
 nice 5
--- a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/70routes
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/70routes
@ -0,0 +1,29 @@
 {
 my $pushRoutes =  ${'openvpn-routed'}{PushLocalNetworks} || 'enabled';
 my $redirectGW = ${'openvpn-routed'}{RedirectGateway} || 'disabled';
 use esmith::NetworksDB;
 my $ndb = esmith::NetworksDB->open_ro() ||
    die('Can not open Networks DB');
 my @networks = $ndb->networks();
 if ($redirectGW eq 'enabled'){
    $OUT .= "push \"redirect-gateway def1\"\n";
 }
 elsif ($pushRoutes eq 'enabled'){
    foreach my $network (@networks) {
        my $route = '';
        my $addr = $network->key;
        my $mask = $network->prop('Mask');
        my $gw = $network->prop('Router') || '';
        my $vpn = $network->prop('VPN') || '';
 	next if (($network->prop('PushRoute') || 'enabled') eq 'disabled'); 
        next if (($network->prop('VPNRouted') || 'no') eq 'yes');
        $route .= "push \"route $addr $mask";
        $route .= " $gw" if ($vpn eq '' && $gw ne '');
        $OUT .= "$route\"\n";
    }
 }
 }
--- a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/80management
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/80management
@ -0,0 +1,5 @@
 {
    my $pass = ${'openvpn-routed'}{'ManagementPassword'} || 'secret';
    $OUT ="management 127.0.0.1 11195 management-pass.txt\n";
 }
--- a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/90clients
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/90clients
@ -0,0 +1,13 @@
 {   
    my $OUT = '';
    my $maxClient = ${'openvpn-routed'}{MaxClients} || '';
    my $configRequired = ${'openvpn-routed'}{ConfigRequired} || 'disabled';
    if ($configRequired eq 'enabled'){
        $OUT .= 'ccd-exclusive\n';
    }
    if ($maxClient =~ /^\d+$/){
        $OUT .= "max-clients $maxClient\n";
    }
 }
 client-config-dir ccd
--- a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/95logs
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/95logs
@ -0,0 +1,10 @@
 status-version 2
 status bridge-status.txt
 {
 	#suppress-timestamps
        my $OUT = '';
        my $verb = ${'openvpn-routed'}{Verbose} || '3';
        $OUT .= "verb $verb\n";
 }
 log-append /var/log/openvpn-routed/openvpn-routed.log
--- a/root/etc/logrotate.d/openvpn-routed
+++ b/root/etc/logrotate.d/openvpn-routed
@ -0,0 +1,8 @@
 /var/log/openvpn-routed/*.log{
    monthly
    rotate 6
    compress
    copytruncate
    missingok
 }
--- a/root/etc/openvpn/routed/bin/up
+++ b/root/etc/openvpn/routed/bin/up
@ -0,0 +1,12 @@
 #!/bin/bash
 net=$(/sbin/e-smith/db configuration getprop openvpn-routed Network || echo '192.168.29.0/255.255.255.0')
 addr=${net%%/*}
 mask=${net#*/}
 db=$(/sbin/e-smith/db networks getprop $addr VPNRouted)
 if [ -z $db ]; then
    /sbin/e-smith/db networks set $addr network Mask $mask VPNRouted yes Removable no
    /sbin/e-smith/signal-event network-create $addr
 fi
 exit 0
--- a/root/sbin/e-smith/systemd/openvpn-routed
+++ b/root/sbin/e-smith/systemd/openvpn-routed
@ -0,0 +1,30 @@
 #!/bin/bash
 [[ ! -f /etc/openvpn/routed/pub/cert.pem  && -f /etc/openvpn/bridge/pub/cert.pem ]] && cp -a /etc/openvpn/bridge/pub/cert.pem /etc/openvpn/routed/pub/cert.pem
 [[ ! -f /etc/openvpn/routed/pub/cacert.pem  && -f /etc/openvpn/bridge/pub/cacert.pem ]] && cp -a /etc/openvpn/bridge/pub/cacert.pem /etc/openvpn/routed/pub/cacert.pem
 [[ ! -f /etc/openvpn/routed/pub/dh.pem  && -f /etc/openvpn/bridge/pub/dh.pem ]] && cp -a /etc/openvpn/bridge/pub/dh.pem /etc/openvpn/routed/pub/dh.pem
 [[ ! -f /etc/openvpn/routed/priv/key.pem  && -f /etc/openvpn/bridge/priv/key.pem ]] && cp -a /etc/openvpn/bridge/priv/key.pem /etc/openvpn/routed/priv/key.pem
 [[ ! -f /etc/openvpn/routed/priv/takey.pem  && -f /etc/openvpn/bridge/priv/takey.pem ]] && cp -a /etc/openvpn/bridge/priv/takey.pem /etc/openvpn/routed/priv/takey.pem
 if [[ ! -f /etc/openvpn/routed/pub/cacrl.pem && -f /etc/openvpn/bridge/pub/cacrl.pem ]] ; then
  cp -a /etc/openvpn/bridge/pub/cacrl.pem /etc/openvpn/routed/pub/cacrl.pem
  CrlUrl=`/sbin/e-smith/config getprop openvpn-bridge CrlUrl`
  /sbin/e-smith/config setprop openvpn-routed CrlUrl "$CrlUrl="
  myport=`/sbin/e-smith/config getprop openvpn-routed UDPPort`
  oriport="$myiport"
  bridgeport=`/sbin/e-smith/config getprop openvpn-bridge UDPPort`
  s2sports=`/sbin/e-smith/db openvpn-s2s print |sed -re  's/.*Port\|([0-9]+).*/\1/'|sort|uniq`
  while [[ $s2sports =~ $myport  || $myport == $bridgeport ]]
  do
    myport=$[$myport+1]
  done
  if [[ $myport != $oriport ]]; then
    echo "set UDPPort to $myport as $oriport was already taken"
    /sbin/e-smith/db configuration setprop openvpn-routed UDPPort $myport
    /sbin/e-smith/expand-template /etc/openvpn/routed/openvpn.conf 
  fi
 fi
 chmod 0600 /etc/openvpn/routed/priv/*
 chmod 0644 /etc/openvpn/routed/pub/*
 chown root:admin /etc/openvpn/routed/priv/*
 chown root:admin /etc/openvpn/routed/pub/*
--- a/root/usr/lib/systemd/system/openvpn-routed.service
+++ b/root/usr/lib/systemd/system/openvpn-routed.service
@ -0,0 +1,26 @@
 [Unit]
 Description=OpenVPN Server routed for Roadwariors
 After=network.service
 [Service]
 Type=notify
 PrivateTmp=true
 WorkingDirectory=/etc/openvpn/routed
 ExecStartPre=-/sbin/e-smith/service-status 'openvpn-routed'
 ExecStartPre=-/sbin/e-smith/systemd/openvpn-routed
 ExecStart=/usr/sbin/openvpn --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC  --config /etc/openvpn/routed/openvpn.conf --cd /etc/openvpn/routed 
 PrivateTmp=true
 CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
 KillMode=process
 RestartSec=5s
 Restart=on-failure
 [Install]
 WantedBy=sme-server.target
--- a/root/var/service/openvpn-routed/log/run
+++ b/root/var/service/openvpn-routed/log/run
@ -0,0 +1,6 @@
 #!/bin/sh
 exec                                    \
    /usr/local/bin/setuidgid smelog     \
    /usr/local/bin/multilog t s5000000  \
    /var/log/openvpn-routed
--- a/root/var/service/openvpn-routed/run
+++ b/root/var/service/openvpn-routed/run
@ -0,0 +1,5 @@
 #!/bin/sh
 exec 2>&1
 exec /usr/sbin/openvpn --config /etc/openvpn/routed/openvpn.conf --cd /etc/openvpn/routed
--- a/smeserver-openvpn-routed.spec
+++ b/smeserver-openvpn-routed.spec
@ -0,0 +1,124 @@
 # Authority: vip-ire
 # Name: Daniel Berteaud
 Summary: OpenVPN, a strong VPN solution build over SSL, pre-configured for routed mode
 Name: smeserver-openvpn-routed
 %define version 0.1.6
 %define release 8
 Version: %{version}
 Release: %{release}%{?dist}
 License: GPL
 Group: Networking/Remote access
 Source: %{name}-%{version}.tar.xz
 BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
 BuildArchitectures: noarch
 BuildRequires: e-smith-devtools
 Requires: e-smith-base
 Requires: openvpn
 #Requires: perl(Net::OpenVPN::Manage)
 %description
 This package contains all the needed scripts and templates
 to have a full working openvpn server running in routed mode.
 %changelog
 * Thu Mar 06 2025 cvs2git.sh aka Brian Read <brianr@koozali.org> 0.1.6-8.sme
 - Roll up patches and move to git repo [SME: 12338]
 * Thu Mar 06 2025 BogusDateBot
 - Eliminated rpmbuild "bogus date" warnings due to inconsistent weekday,
  by assuming the date is correct and changing the weekday.
 * Wed Nov 23 2022 Jean-Philippe Pialasse <tests@pialasse.com> 0.1.6-7.sme
 - log to a dedicated file [SME: 12243]
  use locale timestamp 
 * Sat Jul 30 2022 Brian Read <brianr@bjsystems.co.uk> 0.1.6-6.sme
 - Re-build and link to latest devtools [SME: 11997]
 * Sat Jul 23 2022 Jean-Philippe Pialasse <tests@pialasse.com> 0.1.6-5.sme
 - add to core backup [SME: 11997]
 * Thu Apr 01 2021 Jean-Philippe Pialasse <tests@pialasse.com> 0.1.6-4.sme
 - autoconfiguration if openvpn-bridge is isntalled and configured [SME: 11336]
 - reworked systemd unit and scripts
 - new property HMAC forced to SHA256, instead of insecure default SHA1 [SME: 9925]
 - Cipher now enforced to AES-128-CBC, instead of insecure default Blowfish [SME: 9919]
 - possibility to exclude networks to push [SME: 10548]
 * Thu Feb 04 2021 Brian Read <brianr@bjsystems.co.uk> 0.1.6-2.sme
 - Initial import to SME10 [SME: 11336]
 - Add-in-systemd-startup
 * Mon Apr 10 2017 Daniel Berteaud <daniel@firewall-services.com> 0.1.6-1
 - Update pam plugin path [SME: 10220]
 * Mon Feb 8 2016 Daniel Berteaud <daniel@firewall-services.com> 0.1.5-1
 - Create /etc/openvpn/routed/dev/urandom [SME: 9238]
 * Tue Sep 29 2015 Daniel Berteaud <daniel@firewall-services.com> 0.1.4-1
 - Make crl verification optional
 - Set a default Network if none is set
 - restrict permission on the management-pass.txt file
 * Wed Dec 3 2014 Daniel Berteaud <daniel@firewall-services.com> 0.1.3-1
 - Correctly push route to local network when not redirecting gw
 * Mon Jun 23 2014 Daniel Berteaud <daniel@firewall-services.com> 0.1.2-1
 - Fix plugin path on x86_64
 * Wed Aug 21 2013 Daniel Berteaud <daniel@firewall-services.com> 0.1.1-1
 - Use full path to the up script
 * Tue Jun 11 2013 Daniel Berteaud <daniel@firewall-services.com> 0.1.0-1
 - initial release
 %prep
 %setup -q -n %{name}-%{version}
 %build
 perl createlinks
 %{__mkdir_p} root/etc/openvpn/routed/ccd
 %{__mkdir_p} root/etc/openvpn/routed/priv
 %{__mkdir_p} root/etc/openvpn/routed/pub
 %{__mkdir_p} root/etc/openvpn/routed/etc
 %{__mkdir_p} root/etc/openvpn/routed/tmp
 %{__mkdir_p} root/etc/openvpn/routed/dev
 %{__mkdir_p} root/var/log/openvpn-routed
 %install
 /bin/rm -rf $RPM_BUILD_ROOT
 (cd root   ; /usr/bin/find . -depth -print | /bin/cpio -dump $RPM_BUILD_ROOT)
 /bin/rm -f %{name}-%{version}-filelist
 /sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
  --file /sbin/e-smith/systemd/openvpn-routed 'attr(0755,root,root)' \
  --file /var/service/openvpn-routed/run 'attr(0755,root,root)' \
  --file /var/service/openvpn-routed/log/run 'attr(0755,root,root)' \
  --dir /var/log/openvpn-routed 'attr(0750,smelog,smelog)' \
  --dir /etc/openvpn/routed/pub 'attr(0755,root,root)' \
  --dir /etc/openvpn/routed/priv 'attr(0750,root,root)' \
  --dir /etc/openvpn/routed/ccd 'attr(0755,root,root)' \
  --dir /etc/openvpn/routed/etc 'attr(0755,root,root)' \
  --dir /etc/openvpn/routed/tmp 'attr(0770,root,openvpn)' \
  --file /usr/bin/ovpn-routed-update-crl  'attr(0750,root,root)' \
  --file /etc/openvpn/routed/bin/up 'attr(755,root,root)' \
  > %{name}-%{version}-filelist
 %files -f %{name}-%{version}-filelist
 %defattr(-,root,root)
 %clean
 rm -rf $RPM_BUILD_ROOT
 %post
 if [ \! -c /etc/openvpn/routed/dev/urandom ]; then
    mknod -m 0444 /etc/openvpn/routed/dev/urandom c 1 9
 fi
 %preun