<?php
/**
 * Copyright 2016 François Kooman <[email protected]>.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
namespace fkooman\VPN\Server;
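class ServerConfig
{
    /**
     * Generate the OpenVPN server configuration(s) for one instance.
     *
     * One configuration (a list of OpenVPN directive lines, sorted) is
     * produced per pool instance, keyed "<poolId>-<index>".
     *
     * The instance ID and the pool IDs are embedded verbatim in filesystem
     * paths (/etc/openvpn/tls/<instanceId>) and in "setenv" directives of the
     * generated file, so both are restricted to a single path component
     * without whitespace or quotes (see validateId()); anything else would at
     * best produce a broken configuration and at worst let a crafted ID escape
     * the TLS directory or inject additional directives.
     *
     * @param string $instanceId the instance ID
     * @param Pools  $pools      the VPN pools for this instance
     *
     * @return array<string, array<int, string>> configuration lines per "<poolId>-<index>"
     *
     * @throws \InvalidArgumentException if the instance ID or a pool ID is not a safe identifier
     */
    public static function getConfig($instanceId, Pools $pools)
    {
        self::validateId($instanceId, 'instance ID');

        // the key material of the "default" instance lives directly in the
        // TLS directory, every other instance gets its own subdirectory
        $tlsDir = '/etc/openvpn/tls';
        if ('default' !== $instanceId) {
            $tlsDir = sprintf('/etc/openvpn/tls/%s', $instanceId);
        }

        $allConfig = [];
        foreach ($pools as $pool) {
            $poolId = $pool->getId();
            self::validateId($poolId, 'pool ID');

            $twoFactor = $pool->getTwoFactor();
            foreach ($pool->getInstances() as $i => $instance) {
                $range = $instance->getRange();

                $serverConfig = array_merge(
                    self::getStaticOptions($tlsDir),
                    self::getRoutes($pool),
                    self::getDns($pool),
                    self::getClientToClient($pool),
                    self::getOtp($pool),
                    self::getTcpOptions($instance),
                    self::getListen($pool, $instance),
                    self::getProto($pool, $instance),
                    self::getLog($pool),
                    [
                        // IP configuration; the "- 1" presumably accounts for
                        // the address the server takes from the range itself
                        sprintf('server %s %s', $range->getNetwork(), $range->getNetmask()),
                        sprintf('server-ipv6 %s', $instance->getRange6()),
                        sprintf('max-clients %d', $range->getNumberOfHosts() - 1),

                        // the client-connect/client-disconnect hooks need level 2;
                        // level 3 additionally allows auth-user-pass-verify to hand
                        // the user's password/OTP to the verify script through the
                        // environment ("via-env"), so it is only enabled with 2FA
                        sprintf('script-security %d', $twoFactor ? 3 : 2),

                        // renegotiate every 8h instead of the default 1h when using
                        // 2FA, otherwise the user is asked for the OTP every hour
                        sprintf('reneg-sec %d', $twoFactor ? 28800 : 3600),

                        // NOTE(review): no password file is passed to "management",
                        // so whoever can reach this IP/port controls the daemon
                        // (disconnect clients, read state); confirm the management
                        // IP is not reachable from client or public networks
                        sprintf('management %s %d', $pool->getManagementIp()->getAddress(), $instance->getManagementPort()),

                        sprintf('dev %s', $instance->getDev()),
                        sprintf('port %d', $instance->getPort()),

                        // exported to the connect/disconnect/verify scripts
                        sprintf('setenv INSTANCE_ID %s', $instanceId),
                        sprintf('setenv POOL_ID %s', $poolId),
                    ]
                );

                // the file is emitted in sorted order, so the assembly order
                // above is irrelevant to the result
                sort($serverConfig, SORT_STRING);

                $allConfig[sprintf('%s-%d', $poolId, $i)] = $serverConfig;
            }
        }

        return $allConfig;
    }

    /**
     * Reject identifiers that are not safe to use as a single path component
     * and as an unquoted word in the generated OpenVPN configuration.
     *
     * Allowed: a leading alphanumeric followed by alphanumerics, ".", "_" or
     * "-" (hostname-like IDs such as "vpn.example" pass; "..", "../x", IDs
     * with "/", whitespace, quotes or a trailing newline do not).
     *
     * @param mixed  $id   the identifier to check
     * @param string $what human readable name of the identifier, for the error message
     *
     * @throws \InvalidArgumentException if $id is not an allowed identifier
     */
    private static function validateId($id, $what)
    {
        // "\z" instead of "$": "$" would still accept a trailing newline
        if (!is_scalar($id) || 1 !== preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*\z/', (string) $id)) {
            throw new \InvalidArgumentException(
                sprintf('invalid %s: expected [A-Za-z0-9][A-Za-z0-9._-]*', $what)
            );
        }
    }

    /**
     * Options that are identical for every server instance.
     *
     * @param string $tlsDir directory holding the CA, server certificate/key, DH parameters and tls-auth key
     *
     * @return array<int, string>
     */
    private static function getStaticOptions($tlsDir)
    {
        return [
            '# OpenVPN Server Configuration',
            'verb 3',
            // drop root privileges after start-up; persist-key/persist-tun keep the
            // key material and tun device usable across restarts once they are gone
            'user openvpn',
            'group openvpn',
            'persist-key',
            'persist-tun',
            'topology subnet',
            'keepalive 10 60',
            'comp-lzo no',
            // require the peer certificate to be marked as a client certificate, so
            // a (leaked) server certificate cannot be used to connect as a client
            'remote-cert-tls client',
            'tls-version-min 1.2',
            // NOTE(review): the last suite is CBC with a SHA-1 MAC, presumably kept
            // for older clients; drop it once all supported clients negotiate GCM
            'tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA',
            'auth SHA256',
            'cipher AES-256-CBC',
            sprintf('ca %s/ca.crt', $tlsDir),
            sprintf('cert %s/server.crt', $tlsDir),
            sprintf('key %s/server.key', $tlsDir),
            sprintf('dh %s/dh.pem', $tlsDir),
            // HMAC on the control channel, so unauthenticated packets are dropped
            // before any TLS processing; key direction 0 is the server side
            sprintf('tls-auth %s/ta.key 0', $tlsDir),
            // these hooks require script-security >= 2 (set in getConfig())
            'client-connect /usr/bin/vpn-server-api-client-connect',
            'client-disconnect /usr/bin/vpn-server-api-client-disconnect',
            'push "comp-lzo no"',
            'push "explicit-exit-notify 3"',
        ];
    }

    /**
     * Routes pushed to the client: the full default route when the pool is the
     * default gateway, otherwise only the pool's explicitly configured routes.
     *
     * @return array<int, string>
     */
    private static function getRoutes(Pool $pool)
    {
        if ($pool->getDefaultGateway()) {
            return [
                'push "redirect-gateway def1 bypass-dhcp"',

                // Windows clients would additionally need push "route 0.0.0.0 0.0.0.0"
                // to mark the TAP adapter as trusted/"Internet" so the user can set it
                // to "Home" or "Work" (file shares, printers). It is deliberately NOT
                // pushed: Tunnelblick on OS X removes all default routes on disconnect,
                // including the one that existed before the VPN came up.

                // for iOS we need this OpenVPN 2.4 "ipv6" flag to redirect-gateway
                // See https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-ios-faq.html
                'push "redirect-gateway ipv6"',

                // we use 2000::/3 instead of ::/0 because it seems to break on native
                // IPv6 networks where the ::/0 default route already exists
                'push "route-ipv6 2000::/3"',
            ];
        }

        // not the default gateway: push only the configured routes
        $routeConfig = [];
        foreach ($pool->getRoutes() as $route) {
            if (6 === $route->getFamily()) {
                $routeConfig[] = sprintf('push "route-ipv6 %s"', $route->getAddressPrefix());
            } else {
                $routeConfig[] = sprintf('push "route %s %s"', $route->getAddress(), $route->getNetmask());
            }
        }

        return $routeConfig;
    }

    /**
     * DNS servers pushed to the client; only when the pool is the default
     * gateway, otherwise the client keeps its own resolvers.
     *
     * @return array<int, string>
     */
    private static function getDns(Pool $pool)
    {
        if (!$pool->getDefaultGateway()) {
            return [];
        }

        $dnsEntries = [];
        foreach ($pool->getDns() as $dnsAddress) {
            $dnsEntries[] = sprintf('push "dhcp-option DNS %s"', $dnsAddress->getAddress());
        }

        // prevent DNS leakage on Windows (ignored, with a warning, by other clients)
        $dnsEntries[] = 'push "block-outside-dns"';

        return $dnsEntries;
    }

    /**
     * OTP verification hook, only for pools with two-factor authentication.
     *
     * "via-env" hands username and password/OTP to the script through the
     * environment, which is why getConfig() raises script-security to 3 for
     * these pools.
     *
     * @return array<int, string>
     */
    private static function getOtp(Pool $pool)
    {
        if (!$pool->getTwoFactor()) {
            return [];
        }

        return ['auth-user-pass-verify /usr/bin/vpn-server-api-verify-otp via-env'];
    }

    /**
     * Discard the OpenVPN log unless logging is enabled for the pool.
     *
     * @return array<int, string>
     */
    private static function getLog(Pool $pool)
    {
        if ($pool->getEnableLog()) {
            return [];
        }

        return ['log /dev/null'];
    }

    /**
     * Allow clients of the pool to reach each other, and push the pool's own
     * IPv4/IPv6 range so that traffic is routed into the tunnel.
     *
     * @return array<int, string>
     */
    private static function getClientToClient(Pool $pool)
    {
        if (!$pool->getClientToClient()) {
            return [];
        }

        return [
            'client-to-client',
            sprintf('push "route %s %s"', $pool->getRange()->getAddress(), $pool->getRange()->getNetmask()),
            sprintf('push "route-ipv6 %s"', $pool->getRange6()->getAddressPrefix()),
        ];
    }

    /**
     * Extra options for TCP instances.
     *
     * @return array<int, string>
     */
    private static function getTcpOptions(Instance $instance)
    {
        if ('tcp' !== $instance->getProto()) {
            return [];
        }

        return ['tcp-nodelay'];
    }

    /**
     * Address the instance binds to.
     *
     * A TCP instance always listens on the management IP, because sniproxy
     * redirects the TCP traffic there; UDP instances bind the pool's listen
     * address.
     *
     * @return array<int, string>
     */
    private static function getListen(Pool $pool, Instance $instance)
    {
        if ('tcp' === $instance->getProto()) {
            return [sprintf('local %s', $pool->getManagementIp()->getAddress())];
        }

        return [sprintf('local %s', $pool->getListen()->getAddress())];
    }

    /**
     * The "proto" directive, derived from the transport of the instance and
     * the address family of the pool's listen address.
     *
     * @return array<int, string>
     */
    private static function getProto(Pool $pool, Instance $instance)
    {
        $listen = $pool->getListen();

        if ('tcp' === $instance->getProto()) {
            // NOTE(review): the family is taken from the pool's listen address,
            // but getListen() binds a TCP instance to the management IP. If the
            // two ever differ in family (IPv6 listen address, IPv4 management IP)
            // "proto" and "local" contradict each other -- confirm they are
            // always the same family.
            // "::" is the default, so we listen on IPv4 in that case as well
            if (4 === $listen->getFamily() || '::' === $listen->getAddress()) {
                $proto = 'tcp-server';
            } else {
                $proto = 'tcp6-server';
            }
        } else {
            $proto = 6 === $listen->getFamily() ? 'udp6' : 'udp';
        }

        return [sprintf('proto %s', $proto)];
    }
}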