Compare commits
3 Commits
0_1_6-8_el
...
0_1_6-11_e
| Author | SHA1 | Date | |
|---|---|---|---|
| 10d358c088 | |||
| df2484857d | |||
| 7fa421b070 |
@@ -1 +1 @@
|
||||
AES-128-CBC
|
||||
AES-256-GCM
|
||||
|
||||
@@ -1,10 +1,12 @@
|
||||
{
|
||||
#HMAC default is SHA1 if empty, we really want higher on new setup, but keep empty for default on existing one...
|
||||
# need to be changed on both side
|
||||
my $HMAC = ( ${'openvpn-routed'}{'HMAC'} ) ? ${'openvpn-routed'}{'HMAC'} : undef;
|
||||
# SME 11 has openvpn2.4 which still default to sha1, as 2025, we force next default sha256
|
||||
my $HMAC = ( ${'openvpn-routed'}{'HMAC'} ) ? ${'openvpn-routed'}{'HMAC'} : SHA256;
|
||||
# cipher default to BF if empty, we really want higher on new setup, but keep empty for default on existing one...
|
||||
# # here openvpn uses encrypt-then-mc so no issue using CBC rather than GCM, and GCM not implemented before openvpn 2.4 for data channel
|
||||
my $cipher = ( ${'openvpn-routed'}{'Cipher'} && ${'openvpn-routed'}{'Cipher'} ne 'auto')? ${'openvpn-routed'}{'Cipher'} : undef;
|
||||
# SME11 we force GCM AES-256-GCM
|
||||
my $cipher = ( ${'openvpn-routed'}{'Cipher'} && ${'openvpn-routed'}{'Cipher'} ne 'auto')? ${'openvpn-routed'}{'Cipher'} : 'AES-256-GCM';
|
||||
|
||||
## we do not want any tls 1.1 or lower, this does not break anything to force, unless the client is very old and limited to 1.1 or lower
|
||||
my $tlsVmin = ( ${'openvpn-routed'}{'tlsVmin'} && ( ${'openvpn-routed'}{'tlsVmin'} =~ /^1\.[0-9]{1}$/ ) ) ? ${'openvpn-routed'}{'tlsVmin'} : "1.2";
|
||||
|
||||
@@ -3,11 +3,10 @@
|
||||
|
||||
my $tunMtu = ${'openvpn-routed'}{Mtu} || '';
|
||||
my $fragment = ${'openvpn-routed'}{Fragment} || '';
|
||||
my $redirectGW = ${'openvpn-routed'}{RedirectGateway} || '';
|
||||
my $proto = ${'openvpn-routed'}{Protocol} || 'udp';
|
||||
my $duplicate = ${'openvpn-routed'}{DuplicateCN} || 'disabled';
|
||||
my $passtos = ${'openvpn-routed'}{PassTOS} || 'enabled';
|
||||
my $compress = ${'openvpn-routed'}{Compression} || 'enabled';
|
||||
my $compress = ${'openvpn-routed'}{Compression} || 'disabled';
|
||||
|
||||
if ($proto eq 'tcp'){
|
||||
$mtuTest = 'disabled';
|
||||
|
||||
@@ -24,7 +24,16 @@ if [[ ! -f /etc/openvpn/routed/pub/cacrl.pem && -f /etc/openvpn/bridge/pub/cacrl
|
||||
/sbin/e-smith/expand-template /etc/openvpn/routed/openvpn.conf
|
||||
fi
|
||||
fi
|
||||
chmod 0600 /etc/openvpn/routed/priv/*
|
||||
chmod 0644 /etc/openvpn/routed/pub/*
|
||||
chown root:admin /etc/openvpn/routed/priv/*
|
||||
chown root:admin /etc/openvpn/routed/pub/*
|
||||
|
||||
# to use localtime to log
|
||||
/usr/bin/cp -L /etc/localtime /etc/openvpn/routed/etc/
|
||||
|
||||
if [ ! -z "$( ls -A '/etc/openvpn/routed/priv/' )" ]; then
|
||||
chmod 0600 /etc/openvpn/routed/priv/*
|
||||
chown root:admin /etc/openvpn/routed/priv/*
|
||||
fi
|
||||
if [ ! -z "$( ls -A '/etc/openvpn/routed/pub/' )" ]; then
|
||||
chmod 0644 /etc/openvpn/routed/pub/*
|
||||
chown root:admin /etc/openvpn/routed/pub/*
|
||||
fi
|
||||
exit 0
|
||||
|
||||
@@ -1,11 +1,17 @@
|
||||
[Unit]
|
||||
Description=OpenVPN Server routed for Roadwariors
|
||||
After=network.service
|
||||
ConditionPathExists=/etc/openvpn/routed/priv/key.pem
|
||||
ConditionPathExists=/etc/openvpn/routed/pub/cert.pem
|
||||
ConditionPathExists=/etc/openvpn/routed/pub/cacert.pem
|
||||
ConditionPathExists=/etc/openvpn/routed/pub/dh.pem
|
||||
# /etc/openvpn/routed/priv/takey.pem is optional
|
||||
|
||||
[Service]
|
||||
Type=notify
|
||||
PrivateTmp=true
|
||||
WorkingDirectory=/etc/openvpn/routed
|
||||
PermissionsStartOnly=true
|
||||
|
||||
ExecStartPre=-/sbin/e-smith/service-status 'openvpn-routed'
|
||||
ExecStartPre=-/sbin/e-smith/systemd/openvpn-routed
|
||||
|
||||
@@ -1,6 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
exec \
|
||||
/usr/local/bin/setuidgid smelog \
|
||||
/usr/local/bin/multilog t s5000000 \
|
||||
/var/log/openvpn-routed
|
||||
@@ -1,5 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
exec 2>&1
|
||||
|
||||
exec /usr/sbin/openvpn --config /etc/openvpn/routed/openvpn.conf --cd /etc/openvpn/routed
|
||||
@@ -4,7 +4,7 @@
|
||||
Summary: OpenVPN, a strong VPN solution build over SSL, pre-configured for routed mode
|
||||
Name: smeserver-openvpn-routed
|
||||
%define version 0.1.6
|
||||
%define release 8
|
||||
%define release 11
|
||||
Version: %{version}
|
||||
Release: %{release}%{?dist}
|
||||
License: GPL
|
||||
@@ -26,6 +26,16 @@ to have a full working openvpn server running in routed mode.
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Sep 02 2025 Jean-Philippe Pialasse <jpp@koozali.org> 0.1.6-11.sme
|
||||
- set lzo compression as disabled [SME: 13123]
|
||||
- set default hmac sha256 and ciphers AES-256-GCM [SME: 13115]
|
||||
remove BF-CBC
|
||||
- remove /var/service/openvpn-routed [SME: 12379]
|
||||
- use locatime to log connexions [SME: 13128]
|
||||
|
||||
* Fri Aug 29 2025 Jean-Philippe Pialasse <jpp@koozali.org> 0.1.6-9.sme
|
||||
- fix service unit permission issues [SME: 12258]
|
||||
|
||||
* Thu Mar 06 2025 cvs2git.sh aka Brian Read <brianr@koozali.org> 0.1.6-8.sme
|
||||
- Roll up patches and move to git repo [SME: 12338]
|
||||
|
||||
|
||||
Reference in New Issue
Block a user