|
1
|
|
|
<?php |
|
2
|
|
|
/** |
|
3
|
|
|
* Copyright 2015 François Kooman <[email protected]>. |
|
4
|
|
|
* |
|
5
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License"); |
|
6
|
|
|
* you may not use this file except in compliance with the License. |
|
7
|
|
|
* You may obtain a copy of the License at |
|
8
|
|
|
* |
|
9
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0 |
|
10
|
|
|
* |
|
11
|
|
|
* Unless required by applicable law or agreed to in writing, software |
|
12
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS, |
|
13
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|
14
|
|
|
* See the License for the specific language governing permissions and |
|
15
|
|
|
* limitations under the License. |
|
16
|
|
|
*/ |
|
17
|
|
|
|
|
18
|
|
|
namespace fkooman\VPN\Server\Config; |
|
19
|
|
|
|
|
20
|
|
|
use RuntimeException; |
|
21
|
|
|
|
|
22
|
|
|
class ServerConfig |
|
23
|
|
|
{ |
|
24
|
|
|
public function get(array $serverConfig) |
|
25
|
|
|
{ |
|
26
|
|
|
$requiredParameters = [ |
|
27
|
|
|
'cn', |
|
28
|
|
|
'valid_from', |
|
29
|
|
|
'valid_to', |
|
30
|
|
|
'dev', // tun-udp, tun-tcp, tun0, tun1, ... |
|
31
|
|
|
'proto', // udp6, tcp-server |
|
32
|
|
|
'port', // 1194 |
|
33
|
|
|
'v4_network', |
|
34
|
|
|
'v4_netmask', |
|
35
|
|
|
'v6_network', |
|
36
|
|
|
'v6_gateway', |
|
37
|
|
|
'management_port', // 7505, 7506, ... |
|
|
|
|
|
|
38
|
|
|
'ca', |
|
39
|
|
|
'cert', |
|
40
|
|
|
'key', |
|
41
|
|
|
'dh', |
|
42
|
|
|
'ta', |
|
43
|
|
|
]; |
|
44
|
|
|
|
|
45
|
|
|
// XXX verfiy the parameters and types |
|
46
|
|
|
|
|
47
|
|
|
foreach ($requiredParameters as $p) { |
|
48
|
|
|
if (!array_key_exists($p, $serverConfig)) { |
|
49
|
|
|
throw new RuntimeException(sprintf('missing parameter "%s"', $p)); |
|
50
|
|
|
} |
|
51
|
|
|
} |
|
52
|
|
|
|
|
53
|
|
|
return [ |
|
54
|
|
|
sprintf('# OpenVPN Server Configuration for %s', $serverConfig['cn']), |
|
55
|
|
|
|
|
56
|
|
|
sprintf('# Valid From: %s', date('c', $serverConfig['valid_from'])), |
|
57
|
|
|
sprintf('# Valid To: %s', date('c', $serverConfig['valid_to'])), |
|
58
|
|
|
|
|
59
|
|
|
sprintf('dev %s', $serverConfig['dev']), |
|
60
|
|
|
|
|
61
|
|
|
# UDP6 (works also for UDP) |
|
62
|
|
|
sprintf('proto %s', $serverConfig['proto']), |
|
63
|
|
|
sprintf('port %d', $serverConfig['port']), |
|
64
|
|
|
|
|
65
|
|
|
# IPv4 |
|
66
|
|
|
sprintf('server %s %s nopool', $serverConfig['v4_network'], $serverConfig['v4_netmask']), |
|
67
|
|
|
|
|
68
|
|
|
# IPv6 |
|
69
|
|
|
sprintf('ifconfig-ipv6 %s %s', $serverConfig['v6_network'], $serverConfig['v6_gateway']), |
|
70
|
|
|
'tun-ipv6', |
|
71
|
|
|
'push "tun-ipv6"', |
|
72
|
|
|
|
|
73
|
|
|
'topology subnet', |
|
74
|
|
|
# enable comp-lzo |
|
75
|
|
|
'comp-lzo yes', |
|
76
|
|
|
'push "comp-lzo yes"', |
|
77
|
|
|
'persist-key', |
|
78
|
|
|
'persist-tun', |
|
79
|
|
|
'verb 3', |
|
80
|
|
|
'max-clients 100', |
|
81
|
|
|
'keepalive 10 60', |
|
82
|
|
|
'user openvpn', |
|
83
|
|
|
'group openvpn', |
|
84
|
|
|
'remote-cert-tls client', |
|
85
|
|
|
|
|
86
|
|
|
# CRYPTO |
|
87
|
|
|
# |
|
88
|
|
|
# See RFC 7525 for TLS configuration recommendations |
|
89
|
|
|
# See https://bettercrypto.org for more OpenVPN configuration guidelines |
|
90
|
|
|
# OpenVPN does not support ECDHE (https://community.openvpn.net/openvpn/wiki/Hardening) |
|
91
|
|
|
|
|
92
|
|
|
'auth SHA256', |
|
93
|
|
|
'cipher AES-256-CBC', |
|
94
|
|
|
'tls-version-min 1.2', |
|
95
|
|
|
|
|
96
|
|
|
# to support iOS OpenVPN Connect 1.0.5 in the default configuration with |
|
97
|
|
|
# "Force AES-CBC ciphersuites" enabled, we also need to accept an additional |
|
98
|
|
|
# cipher "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", in that case add the previous to |
|
99
|
|
|
# the below tls-cipher directive |
|
100
|
|
|
'tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384', |
|
101
|
|
|
|
|
102
|
|
|
'script-security 2', |
|
103
|
|
|
'client-connect /usr/bin/vpn-server-api-client-connect', |
|
104
|
|
|
'client-disconnect /usr/bin/vpn-server-api-client-disconnect', |
|
105
|
|
|
|
|
106
|
|
|
# Certificate Revocation List |
|
107
|
|
|
'crl-verify /var/lib/vpn-server-api/ca.crl', |
|
108
|
|
|
|
|
109
|
|
|
# ask client to tell us on disconnect |
|
110
|
|
|
'push "explicit-exit-notify 3"', |
|
111
|
|
|
|
|
112
|
|
|
# disable "netbios", i.e. Windows file sharing over TCP/IP |
|
113
|
|
|
#push "dhcp-option DISABLE-NBT" |
|
114
|
|
|
|
|
115
|
|
|
# also send a NTP server |
|
116
|
|
|
#push "dhcp-option NTP time.example.org" |
|
117
|
|
|
|
|
118
|
|
|
# allow client-to-client communication, see openvpn(8) |
|
119
|
|
|
#client-to-client |
|
120
|
|
|
|
|
121
|
|
|
# need to allow 7505 also with SELinux |
|
122
|
|
|
sprintf('management localhost %d', $serverConfig['management_port']), |
|
123
|
|
|
|
|
124
|
|
|
sprintf('<ca>%s</ca>', PHP_EOL.$serverConfig['ca'].PHP_EOL), |
|
125
|
|
|
sprintf('<cert>%s</cert>', PHP_EOL.$serverConfig['cert'].PHP_EOL), |
|
126
|
|
|
sprintf('<key>%s</key>', PHP_EOL.$serverConfig['key'].PHP_EOL), |
|
127
|
|
|
sprintf('<dh>%s</dh>', PHP_EOL.$serverConfig['dh'].PHP_EOL), |
|
128
|
|
|
|
|
129
|
|
|
'key-direction 0', |
|
130
|
|
|
|
|
131
|
|
|
sprintf('<tls-auth>%s</tls-auth>', PHP_EOL.$serverConfig['ta'].PHP_EOL), |
|
132
|
|
|
]; |
|
133
|
|
|
} |
|
134
|
|
|
} |
|
135
|
|
|
|
eduVPN /
vpn-server-api
Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it.
The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production.
This check looks for comments that seem to be mostly valid code and reports them.