<?php

/**
 * Copyright 2015 François Kooman <[email protected]>.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

namespace fkooman\VPN\Server;

use RuntimeException;
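class ServerConfig
{
    /**
     * Build the OpenVPN server configuration for one server instance.
     *
     * Every value taken from $serverConfig is written into the generated
     * configuration verbatim, so the values are checked before anything is
     * emitted. OpenVPN reads its configuration line by line: a single-line
     * parameter that contained a line break would end its directive early and
     * the remainder would be read as further directives. The inline PEM blocks
     * (ca, cert, key, dh, ta) are multi-line by nature and are passed through
     * unchanged; the caller is responsible for their content.
     *
     * @param array $serverConfig configuration values; every key listed in
     *                            $requiredParameters must be present
     *
     * @return array list of configuration lines in the order they are written
     *               to the OpenVPN configuration file (some entries, e.g. the
     *               inline <ca> block, span several lines themselves)
     *
     * @throws RuntimeException if a required parameter is missing or has a
     *                          value that cannot be written safely
     */
    public function get(array $serverConfig)
    {
        $requiredParameters = [
            'cn',
            'valid_from',
            'valid_to',
            'dev', // tun-udp, tun-tcp, tun0, tun1, ...
            'proto', // udp6, tcp-server
            'port', // 1194, 443, ...
            'v4_prefix', // 10.42.42.0/24, ...
            'v6_prefix',
            'dns',
            'management_port', // 7505, 7506, ...
            'ca',
            'cert',
            'key',
            'dh',
            'ta',
            'listen',
            'otp',
        ];

        foreach ($requiredParameters as $p) {
            if (!array_key_exists($p, $serverConfig)) {
                throw new RuntimeException(sprintf('missing parameter "%s"', $p));
            }
        }

        // these parameters each end up on exactly one configuration line, so
        // they must not contain line breaks or other control characters
        foreach (['cn', 'dev', 'proto', 'v4_prefix', 'v6_prefix', 'listen'] as $p) {
            self::requireSingleLine($p, $serverConfig[$p]);
        }

        if (!is_array($serverConfig['dns'])) {
            throw new RuntimeException('invalid parameter "dns", expected a list of addresses');
        }
        foreach ($serverConfig['dns'] as $dnsAddress) {
            self::requireSingleLine('dns', $dnsAddress);
        }

        // these are formatted with %d / date() below; a non-numeric value
        // would otherwise silently become 0 (port 0, epoch date)
        foreach (['port', 'management_port', 'valid_from', 'valid_to'] as $p) {
            self::requireInteger($p, $serverConfig[$p]);
        }

        // the inline blocks are concatenated into the configuration as text
        foreach (['ca', 'cert', 'key', 'dh', 'ta'] as $p) {
            if (!is_string($serverConfig[$p])) {
                throw new RuntimeException(sprintf('invalid parameter "%s", expected a string', $p));
            }
        }

        $v4 = new IPv4($serverConfig['v4_prefix']);

        $dnsEntries = [];
        foreach ($serverConfig['dns'] as $dnsAddress) {
            $dnsEntries[] = sprintf('push "dhcp-option DNS %s"', $dnsAddress);
        }

        // OTP is enforced by an external verify script; it needs
        // script-security 3 so the password can be handed over via-env
        $otpEntries = [];
        if ($serverConfig['otp']) {
            $otpEntries[] = 'auth-user-pass-verify /usr/bin/vpn-server-api-verify-otp via-env';
        }

        return [
            sprintf('# OpenVPN Server Configuration for %s', $serverConfig['cn']),

            sprintf('# Valid From: %s', date('c', (int) $serverConfig['valid_from'])),
            sprintf('# Valid To: %s', date('c', (int) $serverConfig['valid_to'])),

            sprintf('dev %s', $serverConfig['dev']),

            sprintf('local %s', $serverConfig['listen']),

            // UDP6 (works also for UDP)
            sprintf('proto %s', $serverConfig['proto']),
            sprintf('port %d', $serverConfig['port']),

            // IPv4
            sprintf('server %s %s', $v4->getNetwork(), $v4->getNetmask()),

            // IPv6
            sprintf('server-ipv6 %s', $serverConfig['v6_prefix']),

            'push "redirect-gateway def1 bypass-dhcp"',

            // for Windows clients we need this extra route to mark the TAP adapter as
            // trusted and as having "Internet" access to allow the user to set it to
            // "Home" or "Work" to allow accessing file shares and printers
            //'push "route 0.0.0.0 0.0.0.0"',

            // for iOS we need this OpenVPN 2.4 "ipv6" flag to redirect-gateway
            // See https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-ios-faq.html
            'push "redirect-gateway ipv6"',

            // we use 2000::/3 instead of ::/0 because it seems to break on native IPv6
            // networks where the ::/0 default route already exists
            'push "route-ipv6 2000::/3"',

            'topology subnet',
            // disable compression
            'comp-lzo no',
            'push "comp-lzo no"',
            'persist-key',
            'persist-tun',
            'verb 3',
            // one address of the pool is taken by the server itself
            sprintf('max-clients %d', $v4->getNumberOfHosts() - 1),
            'keepalive 10 60',
            'user openvpn',
            'group openvpn',
            // only accept peers whose certificate carries the client EKU
            'remote-cert-tls client',

            // CRYPTO (DATA CHANNEL)
            'auth SHA256',
            'cipher AES-256-CBC',

            // CRYPTO (CONTROL CHANNEL)
            // @see RFC 7525
            // @see https://bettercrypto.org
            // @see https://community.openvpn.net/openvpn/wiki/Hardening
            'tls-version-min 1.2',

            // To work with default configuration in iOS OpenVPN with
            // "Force AES-CBC ciphersuites" enabled, we need to accept an
            // additional cipher "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
            'tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA',

            // level 2 allows the connect/disconnect scripts below, level 3
            // additionally passes the OTP password to the verify script via-env
            sprintf('script-security %d', $serverConfig['otp'] ? 3 : 2),
            'client-connect /usr/bin/vpn-server-api-client-connect',
            'client-disconnect /usr/bin/vpn-server-api-client-disconnect',

            // OTP (empty line when OTP is disabled)
            implode(PHP_EOL, $otpEntries),

            // Certificate Revocation List
            'crl-verify /var/lib/vpn-server-api/ca.crl',

            // ask client to tell us on disconnect
            'push "explicit-exit-notify 3"',

            // DNS
            implode(PHP_EOL, $dnsEntries),

            // disable "netbios", i.e. Windows file sharing over TCP/IP
            //push "dhcp-option DISABLE-NBT"

            // also send a NTP server
            //push "dhcp-option NTP time.example.org"

            // allow client-to-client communication, see openvpn(8)
            //client-to-client

            // need to allow 7505 also with SELinux
            sprintf('management localhost %d', $serverConfig['management_port']),

            sprintf('<ca>%s</ca>', PHP_EOL.$serverConfig['ca'].PHP_EOL),
            sprintf('<cert>%s</cert>', PHP_EOL.$serverConfig['cert'].PHP_EOL),
            sprintf('<key>%s</key>', PHP_EOL.$serverConfig['key'].PHP_EOL),
            sprintf('<dh>%s</dh>', PHP_EOL.$serverConfig['dh'].PHP_EOL),

            'key-direction 0',

            sprintf('<tls-auth>%s</tls-auth>', PHP_EOL.$serverConfig['ta'].PHP_EOL),
        ];
    }

    /**
     * Reject a value that cannot be written on a single configuration line.
     *
     * @param string $name  parameter name, used in the error message
     * @param mixed  $value value to check; strings and integers are accepted
     *
     * @throws RuntimeException if $value is neither a string nor an integer,
     *                          or contains a line break or other control
     *                          character
     */
    private static function requireSingleLine($name, $value)
    {
        if (is_int($value)) {
            return;
        }
        // any C0 control character (including CR and LF) or DEL is rejected;
        // a preg_match() failure (false) is treated as a rejection as well
        if (!is_string($value) || 0 !== preg_match('/[\x00-\x1f\x7f]/', $value)) {
            throw new RuntimeException(sprintf('invalid parameter "%s", expected a single line of text', $name));
        }
    }

    /**
     * Reject a value that is not an integer (or a string of decimal digits).
     *
     * @param string $name  parameter name, used in the error message
     * @param mixed  $value value to check
     *
     * @throws RuntimeException if $value is neither an int nor a digit-only
     *                          string
     */
    private static function requireInteger($name, $value)
    {
        if (is_int($value)) {
            return;
        }
        if (!is_string($value) || '' === $value || !ctype_digit($value)) {
            throw new RuntimeException(sprintf('invalid parameter "%s", expected an integer', $name));
        }
    }
}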
Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it.
The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production.
This check looks for comments that seem to be mostly valid code and reports them.