smecontribs/smeserver-openvpn-routed
6
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

* Tue Sep 02 2025 Jean-Philippe Pialasse <jpp@koozali.org> 0.1.6-10.sme

Browse Source 
- set lzo compression as disabled [SME: 13123]
- set default hmac sha256 and ciphers AES-256-GCM [SME: 13115]
  remove BF-CBC
- remove /var/service/openvpn-routed [SME: 12379]
- use locatime to log connexions [SME: 13128]
This commit is contained in:
Jean-Philippe Pialasse
2025-09-02 13:52:05 -04:00
parent 7fa421b070
commit df2484857d
7 changed files with 20 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
root/etc/e-smith/db/configuration/defaults/openvpn-routed/Cipher
View File

@@ -1 +1 @@
AES-128-CBC AES-256-GCM

6
root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/35encryption
View File

@@ -1,10 +1,12 @@
{ {
#HMAC default is SHA1 if empty, we really want higher on new setup, but keep empty for default on existing one... #HMAC default is SHA1 if empty, we really want higher on new setup, but keep empty for default on existing one...
# need to be changed on both side # need to be changed on both side
my $HMAC = ( ${'openvpn-routed'}{'HMAC'} ) ? ${'openvpn-routed'}{'HMAC'} : undef; # SME 11 has openvpn2.4 which still default to sha1, as 2025, we force next default sha256
my $HMAC = ( ${'openvpn-routed'}{'HMAC'} ) ? ${'openvpn-routed'}{'HMAC'} : SHA256;
# cipher default to BF if empty, we really want higher on new setup, but keep empty for default on existing one... # cipher default to BF if empty, we really want higher on new setup, but keep empty for default on existing one...
# # here openvpn uses encrypt-then-mc so no issue using CBC rather than GCM, and GCM not implemented before openvpn 2.4 for data channel # # here openvpn uses encrypt-then-mc so no issue using CBC rather than GCM, and GCM not implemented before openvpn 2.4 for data channel
my $cipher = ( ${'openvpn-routed'}{'Cipher'} && ${'openvpn-routed'}{'Cipher'} ne 'auto')? ${'openvpn-routed'}{'Cipher'} : undef; # SME11 we force GCM AES-256-GCM
my $cipher = ( ${'openvpn-routed'}{'Cipher'} && ${'openvpn-routed'}{'Cipher'} ne 'auto')? ${'openvpn-routed'}{'Cipher'} : 'AES-256-GCM';
## we do not want any tls 1.1 or lower, this does not break anything to force, unless the client is very old and limited to 1.1 or lower ## we do not want any tls 1.1 or lower, this does not break anything to force, unless the client is very old and limited to 1.1 or lower
my $tlsVmin = ( ${'openvpn-routed'}{'tlsVmin'} && ( ${'openvpn-routed'}{'tlsVmin'} =~ /^1\.[0-9]{1}$/ ) ) ? ${'openvpn-routed'}{'tlsVmin'} : "1.2"; my $tlsVmin = ( ${'openvpn-routed'}{'tlsVmin'} && ( ${'openvpn-routed'}{'tlsVmin'} =~ /^1\.[0-9]{1}$/ ) ) ? ${'openvpn-routed'}{'tlsVmin'} : "1.2";

3
root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/60options
View File

@@ -3,11 +3,10 @@
my $tunMtu = ${'openvpn-routed'}{Mtu} || ''; my $tunMtu = ${'openvpn-routed'}{Mtu} || '';
my $fragment = ${'openvpn-routed'}{Fragment} || ''; my $fragment = ${'openvpn-routed'}{Fragment} || '';
my $redirectGW = ${'openvpn-routed'}{RedirectGateway} || '';
my $proto = ${'openvpn-routed'}{Protocol} || 'udp'; my $proto = ${'openvpn-routed'}{Protocol} || 'udp';
my $duplicate = ${'openvpn-routed'}{DuplicateCN} || 'disabled'; my $duplicate = ${'openvpn-routed'}{DuplicateCN} || 'disabled';
my $passtos = ${'openvpn-routed'}{PassTOS} || 'enabled'; my $passtos = ${'openvpn-routed'}{PassTOS} || 'enabled';
my $compress = ${'openvpn-routed'}{Compression} || 'enabled'; my $compress = ${'openvpn-routed'}{Compression} || 'disabled';
if ($proto eq 'tcp'){ if ($proto eq 'tcp'){
$mtuTest = 'disabled'; $mtuTest = 'disabled';

6
root/sbin/e-smith/systemd/openvpn-routed
View File

@@ -25,6 +25,11 @@ if [[ ! -f /etc/openvpn/routed/pub/cacrl.pem && -f /etc/openvpn/bridge/pub/cacrl
fi fi
fi fi
# to use localtime to log
/usr/bin/cp -f /etc/localtime /etc/openvpn/routed/etc/
mkdir -p /etc/openvpn/routed/usr/share
cp -af /usr/share/zoneinfo /etc/openvpn/routed/usr/share
if [ ! -z "$( ls -A '/etc/openvpn/routed/priv/' )" ]; then if [ ! -z "$( ls -A '/etc/openvpn/routed/priv/' )" ]; then
chmod 0600 /etc/openvpn/routed/priv/* chmod 0600 /etc/openvpn/routed/priv/*
chown root:admin /etc/openvpn/routed/priv/* chown root:admin /etc/openvpn/routed/priv/*
@@ -33,3 +38,4 @@ if [ ! -z "$( ls -A '/etc/openvpn/routed/pub/' )" ]; then
chmod 0644 /etc/openvpn/routed/pub/* chmod 0644 /etc/openvpn/routed/pub/*
chown root:admin /etc/openvpn/routed/pub/* chown root:admin /etc/openvpn/routed/pub/*
fi fi
exit 0

6
root/var/service/openvpn-routed/log/run
View File

@@ -1,6 +0,0 @@
#!/bin/sh
exec \
/usr/local/bin/setuidgid smelog \
/usr/local/bin/multilog t s5000000 \
/var/log/openvpn-routed

5
root/var/service/openvpn-routed/run
View File

@@ -1,5 +0,0 @@
#!/bin/sh
exec 2>&1
exec /usr/sbin/openvpn --config /etc/openvpn/routed/openvpn.conf --cd /etc/openvpn/routed

9
smeserver-openvpn-routed.spec
View File

@@ -4,7 +4,7 @@
Summary: OpenVPN, a strong VPN solution build over SSL, pre-configured for routed mode Summary: OpenVPN, a strong VPN solution build over SSL, pre-configured for routed mode
Name: smeserver-openvpn-routed Name: smeserver-openvpn-routed
%define version 0.1.6 %define version 0.1.6
%define release 9 %define release 10
Version: %{version} Version: %{version}
Release: %{release}%{?dist} Release: %{release}%{?dist}
License: GPL License: GPL
@@ -26,6 +26,13 @@ to have a full working openvpn server running in routed mode.
%changelog %changelog
* Tue Sep 02 2025 Jean-Philippe Pialasse <jpp@koozali.org> 0.1.6-10.sme
- set lzo compression as disabled [SME: 13123]
- set default hmac sha256 and ciphers AES-256-GCM [SME: 13115]
remove BF-CBC
- remove /var/service/openvpn-routed [SME: 12379]
- use locatime to log connexions [SME: 13128]
* Fri Aug 29 2025 Jean-Philippe Pialasse <jpp@koozali.org> 0.1.6-9.sme * Fri Aug 29 2025 Jean-Philippe Pialasse <jpp@koozali.org> 0.1.6-9.sme
- fix service unit permission issues [SME: 12258] - fix service unit permission issues [SME: 12258]