diff --git a/root/etc/e-smith/db/configuration/defaults/openvpn-routed/Cipher b/root/etc/e-smith/db/configuration/defaults/openvpn-routed/Cipher
index f2defb7..a4abe4d 100644
--- a/root/etc/e-smith/db/configuration/defaults/openvpn-routed/Cipher
+++ b/root/etc/e-smith/db/configuration/defaults/openvpn-routed/Cipher
@@ -1 +1 @@
-AES-128-CBC
+AES-256-GCM
diff --git a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/35encryption b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/35encryption
index 0bc25fd..9d4d955 100644
--- a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/35encryption
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/35encryption
@@ -1,10 +1,12 @@
 {
 #HMAC default is SHA1 if empty, we really want higher on new setup, but keep empty for default on existing one...
 # need to be changed on both side
- my $HMAC = ( ${'openvpn-routed'}{'HMAC'} ) ? ${'openvpn-routed'}{'HMAC'} : undef;
+ # SME 11 has openvpn2.4 which still default to sha1, as 2025, we force next default sha256
+ my $HMAC = ( ${'openvpn-routed'}{'HMAC'} ) ? ${'openvpn-routed'}{'HMAC'} : SHA256;
 # cipher default to BF if empty, we really want higher on new setup, but keep empty for default on existing one...
 #
 # here openvpn uses encrypt-then-mc so no issue using CBC rather than GCM, and GCM not implemented before openvpn 2.4 for data channel
- my $cipher = ( ${'openvpn-routed'}{'Cipher'} && ${'openvpn-routed'}{'Cipher'} ne 'auto')? ${'openvpn-routed'}{'Cipher'} : undef;
+ # SME11 we force GCM AES-256-GCM
+ my $cipher = ( ${'openvpn-routed'}{'Cipher'} && ${'openvpn-routed'}{'Cipher'} ne 'auto')? ${'openvpn-routed'}{'Cipher'} : 'AES-256-GCM';
 ## we do not want any tls 1.1 or lower, this does not break anything to force, unless the client is very old and limited to 1.1 or lower
 my $tlsVmin = ( ${'openvpn-routed'}{'tlsVmin'} && ( ${'openvpn-routed'}{'tlsVmin'} =~ /^1\.[0-9]{1}$/ ) ) ? ${'openvpn-routed'}{'tlsVmin'} : "1.2";
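Review bot: The new HMAC fallback on the `+ my $HMAC` line is the bareword `SHA256`, while the sibling `$cipher` line two statements later quotes its fallback `'AES-256-GCM'`; the line should read `my $HMAC = ( ${'openvpn-routed'}{'HMAC'} ) ? ${'openvpn-routed'}{'HMAC'} : 'SHA256';`. Perl only stringifies an unquoted bareword when strict subs is off, so whether this currently yields "SHA256" or a template compile error depends on how the fragment is evaluated, which is not visible here. The context comments kept above each assignment ("keep empty for default on existing one", "cipher default to BF if empty", "no issue using CBC rather than GCM") now contradict the forced defaults and should be rewritten to describe the new behaviour. Because the fallback is no longer `undef`, existing installs with an empty HMAC or Cipher key presumably now emit explicit values further down the template, and clients that relied on the old implicit defaults would need regenerated profiles, which the change does not mention. The template block opened by `{` continues past the hunk.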
diff --git a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options
index 6cb7327..e045d6c 100644
--- a/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options
+++ b/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options
@@ -3,11 +3,10 @@ my $tunMtu = ${'openvpn-routed'}{Mtu} || '';
 my $fragment = ${'openvpn-routed'}{Fragment} || '';
-my $redirectGW = ${'openvpn-routed'}{RedirectGateway} || '';
 my $proto = ${'openvpn-routed'}{Protocol} || 'udp';
 my $duplicate = ${'openvpn-routed'}{DuplicateCN} || 'disabled';
 my $passtos = ${'openvpn-routed'}{PassTOS} || 'enabled';
-my $compress = ${'openvpn-routed'}{Compression} || 'enabled';
+my $compress = ${'openvpn-routed'}{Compression} || 'disabled';
 if ($proto eq 'tcp'){
 $mtuTest = 'disabled';
diff --git a/root/sbin/e-smith/systemd/openvpn-routed b/root/sbin/e-smith/systemd/openvpn-routed
index ea4205d..fc7819b 100644
--- a/root/sbin/e-smith/systemd/openvpn-routed
+++ b/root/sbin/e-smith/systemd/openvpn-routed
@@ -25,6 +25,11 @@ if [[ ! -f /etc/openvpn/routed/pub/cacrl.pem && -f /etc/openvpn/bridge/pub/cacrl
 fi
 fi
+# to use localtime to log
+/usr/bin/cp -f /etc/localtime /etc/openvpn/routed/etc/
+mkdir -p /etc/openvpn/routed/usr/share
+cp -af /usr/share/zoneinfo /etc/openvpn/routed/usr/share
+
 if [ ! -z "$( ls -A '/etc/openvpn/routed/priv/' )" ]; then
 chmod 0600 /etc/openvpn/routed/priv/*
 chown root:admin /etc/openvpn/routed/priv/*
@@ -33,3 +38,4 @@ if [ ! -z "$( ls -A '/etc/openvpn/routed/pub/' )" ]; then
 chmod 0644 /etc/openvpn/routed/pub/*
 chown root:admin /etc/openvpn/routed/pub/*
 fi
+exit 0
diff --git a/root/var/service/openvpn-routed/log/run b/root/var/service/openvpn-routed/log/run
deleted file mode 100644
index 0479041..0000000
--- a/root/var/service/openvpn-routed/log/run
+++ /dev/null
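Review bot: The `-my $redirectGW` line removes the declaration, but the hunk shows no matching removal of a use; if `$redirectGW` is still referenced below the hunk (the template continues past it), that reference is now undeclared and either fails under strict or silently expands to empty, so please confirm the rest of the file was updated. The new `'disabled'` fallback for `$compress` only applies when the `Compression` key is unset; installations that already store `enabled` keep LZO, so the changelog claim "set lzo compression as disabled" holds only for setups without that key unless a migration fragment also resets it. Turning compression off by default is the right direction for a TLS VPN, since a compressed data channel is the precondition for the known plaintext-recovery weaknesses against compressed VPN traffic; clients whose profiles still carry `comp-lzo` will need regenerated profiles, which deserves a line in the changelog.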
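Review bot: `/usr/bin/cp -f /etc/localtime /etc/openvpn/routed/etc/` copies into a directory that nothing in the hunk creates, whereas the zoneinfo copy two lines later is preceded by `mkdir -p /etc/openvpn/routed/usr/share`; unless `/etc/openvpn/routed/etc` is created elsewhere, the trailing-slash target makes `cp` fail with "Not a directory" and the localtime copy is silently skipped. Add `mkdir -p /etc/openvpn/routed/etc` before the `cp`, and note that `cp -af /usr/share/zoneinfo` rewrites the whole zoneinfo tree into `/etc/openvpn/routed` on every run, which is presumably only needed because `/etc/localtime` is normally a symlink into that tree. A short comment stating the reason, `# openvpn runs from /etc/openvpn/routed; it needs localtime and zoneinfo available there to log in local time`, would explain the two copies better than "to use localtime to log". The enclosing script starts before the hunk.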
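Review bot: The added `exit 0` makes the script report success even when the `chmod 0600`/`chown root:admin` hardening of `/etc/openvpn/routed/priv/*` in the previous hunk fails, so a private key left with permissive permissions would not stop the unit if this script is wired as a pre-start step (the unit file is not visible here). If the intent is only to keep the script's exit status from tracking the last `fi` block, make the permission steps fail explicitly, e.g. `chmod 0600 /etc/openvpn/routed/priv/* || exit 1`, and keep `exit 0` only after those checks. The enclosing script starts before the hunk.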
@@ -1,6 +0,0 @@
-#!/bin/sh
-
-exec \
- /usr/local/bin/setuidgid smelog \
- /usr/local/bin/multilog t s5000000 \
- /var/log/openvpn-routed
diff --git a/root/var/service/openvpn-routed/run b/root/var/service/openvpn-routed/run
deleted file mode 100644
index e78ed1e..0000000
--- a/root/var/service/openvpn-routed/run
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/sh
-
-exec 2>&1
-
-exec /usr/sbin/openvpn --config /etc/openvpn/routed/openvpn.conf --cd /etc/openvpn/routed
diff --git a/smeserver-openvpn-routed.spec b/smeserver-openvpn-routed.spec
index afd2be3..d8e0be1 100644
--- a/smeserver-openvpn-routed.spec
+++ b/smeserver-openvpn-routed.spec
@@ -4,7 +4,7 @@
 Summary: OpenVPN, a strong VPN solution build over SSL, pre-configured for routed mode
 Name: smeserver-openvpn-routed
 %define version 0.1.6
-%define release 9
+%define release 10
 Version: %{version}
 Release: %{release}%{?dist}
 License: GPL
@@ -26,6 +26,13 @@ to have a full working openvpn server running in routed mode.
 %changelog
+* Tue Sep 02 2025 Jean-Philippe Pialasse 0.1.6-10.sme
+- set lzo compression as disabled [SME: 13123]
+- set default hmac sha256 and ciphers AES-256-GCM [SME: 13115]
+ remove BF-CBC
+- remove /var/service/openvpn-routed [SME: 12379]
+- use locatime to log connexions [SME: 13128]
+
 * Fri Aug 29 2025 Jean-Philippe Pialasse 0.1.6-9.sme
 - fix service unit permission issues [SME: 12258]