initial commit of file from CVS for smeserver-openvpn-s2s on Sat Sep 7 19:57:57 AEST 2024
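--- a/root/etc/e-smith/templates/etc/crontab/openvpn-s2s-crl
+++ b/root/etc/e-smith/templates/etc/crontab/openvpn-s2s-crl
@@ -0,0 +1,17 @@
+{
+if ((${'openvpn-s2s'}{'status'} || 'disabled') eq 'enabled'){
+$OUT .=<<"HERE";
+# Update OpenVPN Site To Site CRLs
+10 * * * * root /etc/e-smith/events/actions/openvpn-s2s-update-crl 2>&1 /dev/null
+
+HERE
+}
+else{
+$OUT .=<<"HERE";
+# OpenVPN Site to Site service is disabled
+# CRL updates are not running
+
+HERE
+}
+}
+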
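Review bot: The cron line `10 * * * * root /etc/e-smith/events/actions/openvpn-s2s-update-crl 2>&1 /dev/null` does not discard anything: `2>&1` merges stderr into stdout, but there is no `>` before `/dev/null`, so `/dev/null` is passed to the action as its first argument and every hourly run's output is still mailed to root by cron. The intended form is `... openvpn-s2s-update-crl >/dev/null 2>&1`. Because this job refreshes the CRLs that `crl-verify` in the openvpn templates depends on, it is worth keeping stderr visible (`>/dev/null` only) so a failing CRL refresh still reaches root rather than being silenced.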
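@@ -0,0 +1,8 @@
+{
+$db = esmith::ConfigDB->open_ro('openvpn-s2s') || die "Couldn't open Ovpns2sDB\n";
+$key = $DB_KEY;
+$type = $db->get_prop($key,'type') || 'server';
+$log = $db->get_prop($key,'LogLevel') || '3';
+$OUT .= '';
+}
+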
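Review bot: `$log = $db->get_prop($key,'LogLevel') || '3';` takes the value without validation, and it is later interpolated verbatim into the generated configuration (`verb {"$log";}` in the log fragment of this commit), so a non-numeric property yields a malformed `verb` directive; constrain it here, e.g. `my $lvl = $db->get_prop($key,'LogLevel') || '3';` followed by `$log = ($lvl =~ /^\d{1,2}$/) ? $lvl : '3';`. `$type` has the same problem: any value other than `server` drops into the client branches of the other fragments and becomes `proto tcp-<value>`, so a `server`/`client` whitelist with the `server` fallback would be safer. `$db`, `$key`, `$type` and `$log` are deliberately not `my`-scoped because the following fragments read them — a one-line comment saying so would spare the next maintainer from "fixing" it.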
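@@ -0,0 +1,22 @@
+{
+
+my $remote = $db->get_prop($key,'RemoteHost') || '';
+my $port = $db->get_prop($key,'Port') || '1195';
+my $protocol = $db->get_prop($key,'Protocol') || 'udp';
+$protocol = 'tcp-'."$type" if ($protocol eq 'tcp');
+
+$OUT .= "port $port\n";
+$OUT .= "proto $protocol\n";
+$OUT .= "dev tun".$key."\n";
+
+# In server mode, if remote is emtpy, we should add the float directive
+if ($type eq 'server'){
+$OUT .= ($remote eq '') ? "float\n":"remote $remote\n";
+}
+else{
+$OUT .= "nobind\n";
+$OUT .= "remote $remote\n";
+}
+
+
+}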
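Review bot: In the client branch `$OUT .= "remote $remote\n";` is emitted even when `RemoteHost` is unset, so the `''` default produces a bare `remote` line that openvpn rejects at start; fail in the template instead, `die "RemoteHost is required for client tunnel $key\n" if $type ne 'server' && $remote eq '';`. `$port` and `$remote` are also interpolated unvalidated, so a `Port` outside 1..65535 or a `RemoteHost` containing whitespace would change the shape of the generated directives; anchored checks (`$port =~ /^\d{1,5}$/`, `$remote =~ /^[\w.:-]+$/`) are cheap insurance. The `float` fallback on the server side is intentional per the comment, but it lets the peer's source address change between packets, which is acceptable only because the channel is authenticated by the `secret`/`tls-auth` material configured in the authentication fragment of this commit.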
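@@ -0,0 +1,9 @@
+
+# Drop down privileges
+user openvpn
+group openvpn
+chroot /etc/openvpn/s2s
+
+persist-key
+persist-tun
+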
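Review bot: The privilege-drop block should state its invariants, because `chroot /etc/openvpn/s2s` is also the directory that holds `priv/` keys, the `pub/` CRL and the custom-options file used by the other fragments of this commit: keys and certificates are opened once at startup before the drop and retained through `persist-key`, so `priv/` can and should be root-only and unreadable by user `openvpn`, whereas the chroot directory and `pub/` must not be writable by that user because, to my knowledge, openvpn re-reads the `crl-verify` file at each handshake, i.e. after the drop. Suggested comment above `user openvpn`: `# Keys are read before the drop (kept via persist-key): priv/ must be root-only; the chroot dir and pub/ must not be writable by openvpn, since the CRL is re-read after chroot`. Whether the relative `pub/` and `priv/` paths used elsewhere resolve inside this chroot also depends on the daemon's working directory, which nothing in this file sets.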
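@@ -0,0 +1,81 @@
+# Authentication
+{
+
+my $auth = $db->get_prop($key,'Authentication') || 'TLS';
+my $checkcrt = $db->get_prop($key,'CheckCertificateUsage') || 'disabled';
+my $tlsremote = $db->get_prop($key,'RemoteCommonName') || '';
+
+#HMAC default is SHA1 if empty, we really want higher on new setup, but keep empty for default on existing one...
+# need to be changed on both side
+my $HMAC = ( $db->get_prop($key,'HMAC') ) ? $db->get_prop($key,'HMAC') : undef;
+# cipher default to BF if empty, we really want higher on new setup, but keep empty for default on existing one...
+# # here openvpn uses encrypt-then-mc so no issue using CBC rather than GCM, and GCM not implemented before openvpn 2.4 for data channel
+my $cipher = ( $db->get_prop($key,'Cipher') && $db->get_prop($key,'Cipher') ne 'auto')? $db->get_prop($key,'Cipher') : undef;
+
+## we do not want any tls 1.1 or lower, this does not break anything to force, unless the client is very old and limited to 1.1 or lower
+my $tlsVmin = ( $db->get_prop($key,'tlsVmin') && ( $db->get_prop($key,'tlsVmin') =~ /^1\.[0-9]{1}$/ ) ) ? $db->get_prop($key,'tlsVmin') : "1.2";
+# TLS 1.3 encryption settings
+my $tlsCipherSuites13 = ( $db->get_prop($key,'tlsCipherSuites13') ) ? $db->get_prop($key,'tlsCipherSuites13') : "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
+# # TLS 1.2 encryption settings
+my $tlsCipher12 = ( $db->get_prop($key,'tlsCipher12') ) ? $db->get_prop($key,'tlsCipher12') : "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256";
+
+
+
+
+
+
+
+if ($auth eq 'SharedKey'){
+$OUT .= "secret priv/$key"."_sharedkey.pem\n";
+}
+elsif ($auth eq 'TLS'){
+if ($type eq 'server'){
+$OUT .= "tls-server\n";
+$OUT .= "tls-version-min $tlsVmin\n";
+$OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;
+$OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined $tlsCipherSuites13;
+$OUT .= "ca pub/$key" . "_cacert.pem\n";
+$OUT .= "cert pub/$key" . "_cert.pem\n";
+$OUT .= "key priv/$key" . "_key.pem\n";
+$OUT .= "dh pub/$key" . "_dh.pem\n";
+$OUT .= "# we might be able to disable dh param with this one, NSA-'s recommended curve\n";
+$OUT .= "ecdh-curve secp384r1\n";
+$OUT .= "tls-auth priv/$key" . "_sharedkey.pem 0\n"
+if ( -e "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' ) &&
+( ! -z "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' );
+$OUT .= "crl-verify pub/$key" . "_cacrl.pem\n"
+if ( -e "/etc/openvpn/s2s/pub/$key".'_cacrl.pem' ) &&
+( ! -z "/etc/openvpn/s2s/pub/$key".'_cacrl.pem' );
+$OUT .= "ns-cert-type client\n" if ($checkcrt eq 'enabled');
+$OUT .= "verify-x509-name $tlsremote name\n" if ($tlsremote ne '');
+}
+else{
+$OUT .= "tls-client\n";
+$OUT .= "tls-version-min $tlsVmin\n";
+$OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;
+$OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined $tlsCipherSuites13;
+$OUT .= "ca pub/$key" . "_cacert.pem\n";
+$OUT .= "cert pub/$key" . "_cert.pem\n";
+$OUT .= "key priv/$key" . "_key.pem\n";
+$OUT .= "# we might be able to disable dh param with this one, NSA-'s recommended curve\n";
+$OUT .= "ecdh-curve secp384r1\n";
+$OUT .= "tls-auth priv/$key" . "_sharedkey.pem 1\n"
+if ( -e "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' ) &&
+( ! -z "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' );
+$OUT .= "crl-verify pub/$key" . "_cacrl.pem\n"
+if ( -e "/etc/openvpn/s2s/pub/$key".'_cacrl.pem' ) &&
+( ! -z "/etc/openvpn/s2s/pub/$key".'_cacrl.pem' );
+$OUT .= "ns-cert-type server\n" if ($checkcrt eq 'enabled');
+$OUT .= "verify-x509-name $tlsremote name\n" if ($tlsremote ne '');
+}
+}
+
+# available for both sharedkey and tls
+# data channel
+$OUT .= "#securing data channel\n";
+$OUT .= (defined $cipher) ? "cipher $cipher\n" : "# no cipher defined default to Blowfish, this is INSECURE, please consider AES-128-CBC or higher on both client and server\n";
+#auth SHA512
+$OUT .= (defined $HMAC )? "auth $HMAC\n" : "# no HMAC defined, default to SHA1, please consider SHA256 or higher on both client and server\n";
+#
+}
+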
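Review bot: The guard on `my $tlsVmin = ...` accepts any `1.x` value, so a `tlsVmin` property of `1.0` or `1.1` is passed straight to `tls-version-min` although the comment two lines above says nothing below 1.2 is wanted; tighten it to `( $db->get_prop($key,'tlsVmin') =~ /^1\.[23]$/ )`. Separately, `ns-cert-type client` / `ns-cert-type server` checks the legacy Netscape extension and has been removed in OpenVPN 2.5 in favour of `remote-cert-tls client` / `remote-cert-tls server`; and because `CheckCertificateUsage` defaults to `disabled` while `RemoteCommonName` defaults to `''`, a client in the default configuration accepts any certificate signed by the CA — another client's included — as the server, so the usage check should default to enabled. Finally, `crl-verify` is only emitted when the CRL file exists and is non-empty, which means a missing or truncated CRL silently turns revocation checking off rather than failing; a `warn` in that branch, or at least a comment stating the behaviour, would make the condition visible to operators.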
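@@ -0,0 +1,16 @@
+route-noexec
+up bin/up
+
+# Remote Networks
+{
+
+foreach my $net (split(/[;,]/,($db->get_prop($key,'RemoteNetworks') || ''))){
+$net =~ m!(.*)/(.*)!;
+my ($netaddr,$mask) = ($1,$2);
+$OUT .= "route $netaddr $mask\n";
+}
+
+}
+setenv vpnid {"$key";}
+
+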
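Review bot: `$net =~ m!(.*)/(.*)!;` ignores whether the match succeeded, so an entry without a `/` leaves `$1`/`$2` holding the captures of the previous iteration (undef on the first) and a wrong `route` line is emitted silently; the value is also interpolated unvalidated, so an entry containing whitespace or a newline would inject further directives into the generated file. Match and validate in one step: `next unless $net =~ m{^\s*(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,3}(?:\.\d{1,3}){3}|\d{1,2})\s*$};` then `my ($netaddr,$mask) = ($1,$2);`. Whether a prefix length or only a dotted netmask is acceptable here depends on the `bin/up` script that consumes these routes under `route-noexec`, which is not part of this commit.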
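@@ -0,0 +1,8 @@
+{
+
+my $localip = $db->get_prop($key,'LocalIP');
+my $remoteip = $db->get_prop($key,'RemoteIP');
+
+$OUT .= "ifconfig $localip $remoteip\n";
+
+}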
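Review bot: `$OUT .= "ifconfig $localip $remoteip\n";` is emitted with no check that `LocalIP` and `RemoteIP` exist, so a missing property produces an `ifconfig` line with an empty operand (and an uninitialized-value warning during expansion) that openvpn rejects at start; fail explicitly instead, `die "LocalIP and RemoteIP are required for tunnel $key\n" unless defined $localip && defined $remoteip;`. An anchored IPv4 check on both values would additionally keep a malformed property from being passed through unchanged.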
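@@ -0,0 +1,19 @@
+# Options
+{
+
+my $comp = $db->get_prop($key,'Compression') || 'enabled';
+
+
+$OUT .= "comp-lzo adaptive\n" if ($comp eq 'enabled');
+
+
+if ($type eq 'server'){
+$OUT .= "ping-timer-rem\n";
+}
+
+}
+
+keepalive 5 20
+mtu-test
+passtos
+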
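Review bot: `Compression` defaults to `enabled`, so `comp-lzo adaptive` is emitted unless an operator opts out; compressing tunnelled plaintext is exactly what the VORACLE class of compression-oracle attacks exploits, and `comp-lzo` is the deprecated spelling in OpenVPN 2.4+. Both peers must agree, so the default cannot be flipped for existing tunnels unilaterally, but new tunnels should default to `disabled` and the line deserves a comment: `# compression of tunnelled data enables compression-oracle attacks (VORACLE); keep it disabled unless the peer requires it`. `passtos` copies the inner packet's TOS byte onto the outer packet, which reveals traffic-class information to an observer; a one-line comment stating that this leak is accepted would be appropriate.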
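@@ -0,0 +1,10 @@
+# Custom options
+{
+
+my $custom = "/etc/openvpn/s2s/$key" . '.conf.custom';
+
+if ( -e "$custom" ){
+Text::Template::_load_text("$custom");
+}
+}
+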
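Review bot: `Text::Template::_load_text("$custom")` calls a private, undocumented function of Text::Template (leading underscore), and its return value only ends up in the output because this fragment never assigns to `$OUT` — two fragile assumptions for what is simply "append the file verbatim". The block also inserts `/etc/openvpn/s2s/<key>.conf.custom` unfiltered into a configuration that openvpn parses as root before the `user openvpn` drop, so that file must be root-owned and not writable by the `openvpn` user, which should be stated in a comment. A plain read keeps the behaviour, documents the constraint, and surfaces a file that exists but cannot be read:
```perl
my $custom = "/etc/openvpn/s2s/$key" . '.conf.custom';

# Appended verbatim: openvpn parses it as root, so the file must be
# root-owned and not writable by the openvpn user.
if ( -e $custom ){
    open my $fh, '<', $custom or die "Can't read $custom: $!\n";
    my $text = do { local $/; <$fh> };
    close $fh;
    $OUT .= $text if defined $text;
}
```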
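@@ -0,0 +1,6 @@
+# Log
+status-version 2
+status status-{"$key";}.txt
+verb {"$log";}
+log-append /var/log/openvpn-s2s/{"$key";}.log
+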
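Review bot: `status status-{"$key";}.txt` is a relative path while `log-append` is absolute, so the status file is created wherever the daemon's working directory happens to be, and nothing in this commit sets one; if openvpn opens it before the `chroot /etc/openvpn/s2s` drop (as it does the log) an absolute `status /var/log/openvpn-s2s/status-{"$key";}.txt` is the safe choice, otherwise the intended in-chroot location should be documented in a comment. `verb {"$log";}` also relies on `$log` being numeric, which is not checked where it is read.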
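@@ -0,0 +1,8 @@
+
+# Will handle SNAT for Site to Site VPN
+/sbin/iptables --table nat --new-chain SnatVPN
+/sbin/iptables --table nat --new-chain SnatVPN_1
+/sbin/iptables --table nat --append SnatVPN -j SnatVPN_1
+/sbin/iptables --table nat --append POSTROUTING \
+--out-interface tun+ -j SnatVPN
+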
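Review bot: `--out-interface tun+ -j SnatVPN` diverts traffic leaving every `tun` interface on the host, not only the `tun<key>` devices this package creates, so packets on any other tun device (another OpenVPN instance, for instance) also traverse this chain; that is harmless only as long as the per-tunnel rules added by the companion template keep matching their own `--out-interface tun<key>`, and a comment should pin that dependency: `# tun+ matches every tun device; per-tunnel SNAT rules must stay scoped to their own tun<key>`. The `tun<key>` naming comes from `dev tun<key>` in the openvpn template of this commit.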
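@@ -0,0 +1,27 @@
+{
+my $ovpndb = esmith::ConfigDB->open_ro('openvpn-s2s');
+
+# Find the current SnatVPN_$$ chain, and create a new one.
+$OUT .=<<'EOF';
+OLD_SnatVPN=$(get_safe_id SnatVPN nat find)
+NEW_SnatVPN=$(get_safe_id SnatVPN nat new)
+/sbin/iptables --table nat --new-chain $NEW_SnatVPN
+EOF
+
+foreach my $vpn ($ovpndb->get_all_by_prop(type=>('client')),
+$ovpndb->get_all_by_prop(type=>('server'))){
+$OUT .= " /sbin/iptables --table nat --append \$NEW_SnatVPN --out-interface tun" . $vpn->key .
+" -s " . $vpn->prop('LocalIP') . " -j SNAT --to-source $InternalInterface{'IPAddress'}\n"
+if (($vpn->prop('SnatOutbound') || 'yes') =~ m/(yes|enabled)/i);
+}
+
+# Having created a new SnatVPN chain, activate it and destroy the old.
+$OUT .=<<'EOF';
+/sbin/iptables --table nat --replace SnatVPN 1 \
+--jump $NEW_SnatVPN
+/sbin/iptables --table nat --flush $OLD_SnatVPN
+/sbin/iptables --table nat --delete-chain $OLD_SnatVPN
+EOF
+
+}
+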
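Review bot: The `SnatOutbound` test `=~ m/(yes|enabled)/i` is unanchored, so any value that merely contains `yes` or `enabled` (`notyes`, say) turns SNAT on; anchor it, `=~ m/^(yes|enabled)$/i`. `$vpn->prop('LocalIP')` is interpolated into `-s` with no check, so a record without `LocalIP` emits `-s  -j SNAT`, iptables rejects that rule and the rest of the generated script continues with the old chain still wired in; `next unless defined $vpn->prop('LocalIP');` (or an anchored IPv4 match) at the top of the loop avoids a half-applied NAT set. `--replace SnatVPN 1` also hard-codes that the `SnatVPN` chain holds exactly one rule, which the companion template that creates it guarantees today but which deserves a comment next to the `--replace`.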
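@@ -0,0 +1,10 @@
+{
+my $ovpndb = esmith::ConfigDB->open_ro('openvpn-s2s');
+
+foreach my $vpn ($ovpndb->get_all_by_prop(type=>('client')),
+$ovpndb->get_all_by_prop(type=>('server'))){
+$OUT .= "/sbin/iptables -A \$NEW_local_chk --in-interface tun" . $vpn->key .
+" -j denylog\n" if (($vpn->prop('AllowInbound') || 'yes') eq 'no');
+}
+
+}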
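Review bot: `(($vpn->prop('AllowInbound') || 'yes') eq 'no')` only blocks inbound traffic when the property is exactly `no`; `No`, `disabled` or a typo falls through to "allowed", so the check fails open, and it is inconsistent with the companion SNAT template that accepts `yes|enabled` case-insensitively. Treat it the same way, `if (($vpn->prop('AllowInbound') || 'yes') =~ m/^(no|disabled)$/i);`. `$NEW_local_chk` is defined by the surrounding masq script, which lies outside this hunk.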