Issues in OpenVpn.php (master) - Issues in master - eduvpn/vpn-server-node - Measure and Improve Code Quality continuously with Scrutinizer

Issues (6)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/OpenVpn.php (2 issues)

Labels

Severity

Minor 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 * eduVPN - End-user friendly VPN.
 *
 * Copyright: 2016-2017, The Commons Conservancy eduVPN Programme
 * SPDX-License-Identifier: AGPL-3.0+
 */

namespace SURFnet\VPN\Node;

use RuntimeException;
use SURFnet\VPN\Common\FileIO;
use SURFnet\VPN\Common\HttpClient\ServerClient;
use SURFnet\VPN\Common\ProfileConfig;

class OpenVpn
{
    /** @var string */
    private $vpnConfigDir;

    /** @var string */
    private $vpnTlsDir;

    public function __construct($vpnConfigDir, $vpnTlsDir)
    {
        FileIO::createDir($vpnConfigDir, 0700);
        $this->vpnConfigDir = $vpnConfigDir;
        FileIO::createDir($vpnTlsDir, 0700);
        $this->vpnTlsDir = $vpnTlsDir;
    }

    public function generateKeys(ServerClient $serverClient, $commonName)
    {
        $certData = $serverClient->post('add_server_certificate', ['common_name' => $commonName]);

        $certFileMapping = [
            'ca' => sprintf('%s/ca.crt', $this->vpnTlsDir),
            'certificate' => sprintf('%s/server.crt', $this->vpnTlsDir),
            'private_key' => sprintf('%s/server.key', $this->vpnTlsDir),
            'ta' => sprintf('%s/ta.key', $this->vpnTlsDir),
        ];

        foreach ($certFileMapping as $k => $v) {
            FileIO::writeFile($v, $certData[$k], 0600);
        }
    }

    public function writeProfile($instanceNumber, $instanceId, $profileId, ProfileConfig $profileConfig)
    {
        $range = new IP($profileConfig->getItem('range'));
        $range6 = new IP($profileConfig->getItem('range6'));
        $processCount = count($profileConfig->getItem('vpnProtoPorts'));

        $splitRange = $range->split($processCount);
        $splitRange6 = $range6->split($processCount);

        $managementIp = $profileConfig->getItem('managementIp');
        $profileNumber = $profileConfig->getItem('profileNumber');

        $processConfig = [
            'managementIp' => $managementIp,
        ];

        for ($i = 0; $i < $processCount; ++$i) {
            list($proto, $port) = self::getProtoPort($profileConfig->getItem('vpnProtoPorts'), $profileConfig->getItem('listen'))[$i];
            $processConfig['range'] = $splitRange[$i];
            $processConfig['range6'] = $splitRange6[$i];
            $processConfig['dev'] = sprintf('tun-%d-%d-%d', $instanceNumber, $profileConfig->getItem('profileNumber'), $i);
            $processConfig['proto'] = $proto;
            $processConfig['port'] = $port;
            $processConfig['local'] = $profileConfig->getItem('listen');
            $processConfig['managementPort'] = 11940 + $this->toPort($instanceNumber, $profileNumber, $i);
            $processConfig['configName'] = sprintf(
                '%s-%s-%d.conf',
                $instanceId,
                $profileId,
                $i
            );

            $this->writeProcess($instanceId, $profileId, $profileConfig, $processConfig);
        }
    }

    private static function getFamilyProto($listenAddress, $proto)
    {
        $v6 = false !== strpos($listenAddress, ':');
        if ('udp' === $proto) {
            return $v6 ? 'udp6' : 'udp';
        }
        if ('tcp' === $proto) {
            return $v6 ? 'tcp6-server' : 'tcp-server';
        }

        throw new RuntimeException('only "tcp" and "udp" are supported as protocols');
    }

    private static function getProtoPort(array $vpnProcesses, $listenAddress)
    {
        $convertedPortProto = [];

        foreach ($vpnProcesses as $vpnProcess) {
            list($proto, $port) = explode('/', $vpnProcess);
            $convertedPortProto[] = [self::getFamilyProto($listenAddress, $proto), $port];
        }

        return $convertedPortProto;
    }

    private function writeProcess($instanceId, $profileId, ProfileConfig $profileConfig, array $processConfig)
    {
        $tlsDir = sprintf('tls/%s/%s', $instanceId, $profileId);

        $rangeIp = new IP($processConfig['range']);
        $range6Ip = new IP($processConfig['range6']);

        // static options
        $serverConfig = [
            'verb 3',
            'dev-type tun',
            sprintf('user %s', $profileConfig->getItem('_user')),
            sprintf('group %s', $profileConfig->getItem('_group')),
            'topology subnet',
            'persist-key',
            'persist-tun',
            'keepalive 10 60',
            'comp-lzo no',
            'remote-cert-tls client',
            'tls-version-min 1.2',
            'tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384',
            'auth SHA256',
            'dh none',  // Only ECDHE

            // 2.4 only clients: 'ncp-ciphers AES-256-GCM',
            // 2.4 only clients: 'cipher AES-256-GCM', // also should update the client config to set this, but ncp overrides --cipher
            'cipher AES-256-CBC',
            'client-connect /usr/libexec/vpn-server-node-client-connect',
            'client-disconnect /usr/libexec/vpn-server-node-client-disconnect',
            'push "comp-lzo no"',
            'push "explicit-exit-notify 3"',

            // we probably do NOT want this, it is up to the client to decide
            // about this!
            //'push "persist-key"',
            //'push "persist-tun"',

            sprintf('ca %s/ca.crt', $tlsDir),
            sprintf('cert %s/server.crt', $tlsDir),
            sprintf('key %s/server.key', $tlsDir),
            sprintf('server %s %s', $rangeIp->getNetwork(), $rangeIp->getNetmask()),
            sprintf('server-ipv6 %s', $range6Ip->getAddressPrefix()),
            sprintf('max-clients %d', $rangeIp->getNumberOfHosts() - 1),
            sprintf('script-security %d', $profileConfig->getItem('twoFactor') ? 3 : 2),
            sprintf('dev %s', $processConfig['dev']),
            sprintf('port %d', $processConfig['port']),
            sprintf('management %s %d', $processConfig['managementIp'], $processConfig['managementPort']),
            sprintf('setenv INSTANCE_ID %s', $instanceId),
            sprintf('setenv PROFILE_ID %s', $profileId),
            sprintf('proto %s', $processConfig['proto']),
            sprintf('local %s', $processConfig['local']),
        ];

        if (!$profileConfig->getItem('enableLog')) {
            $serverConfig[] = 'log /dev/null';
        }

        if ('tcp-server' === $processConfig['proto'] || 'tcp6-server' === $processConfig['proto']) {
            $serverConfig[] = 'tcp-nodelay';
        }

        if ('udp' === $processConfig['proto'] || 'udp6' === $processConfig['proto']) {
            // notify the clients to reconnect when restarting OpenVPN on the server
            // OpenVPN server >= 2.4
            $serverConfig[] = 'explicit-exit-notify 1';
        }

        if ($profileConfig->getItem('twoFactor')) {
            $serverConfig[] = 'auth-gen-token';  // Added in OpenVPN 2.4
            $serverConfig[] = 'auth-user-pass-verify /usr/libexec/vpn-server-node-verify-otp via-env';
        }

        if ($profileConfig->getItem('tlsCrypt')) {
            $serverConfig[] = sprintf('tls-crypt %s/ta.key', $tlsDir);
        } else {
            $serverConfig[] = sprintf('tls-auth %s/ta.key 0', $tlsDir);
        }

        // Routes
        $serverConfig = array_merge($serverConfig, self::getRoutes($profileConfig));

        // DNS
        $serverConfig = array_merge($serverConfig, self::getDns($profileConfig));

        // Client-to-client
        $serverConfig = array_merge($serverConfig, self::getClientToClient($profileConfig));

        sort($serverConfig, SORT_STRING);

        $serverConfig = array_merge(
            [
                '#',
                '# OpenVPN Server Configuration',
                '#',
                '# ******************************************',
                '# * THIS FILE IS GENERATED, DO NOT MODIFY! *',
                '# ******************************************',
                '#',
            ],
            $serverConfig
        );

        $configFile = sprintf('%s/%s', $this->vpnConfigDir, $processConfig['configName']);

        FileIO::writeFile($configFile, implode(PHP_EOL, $serverConfig), 0600);
    }

    private static function getRoutes(ProfileConfig $profileConfig)
    {
        $routeConfig = [];
        if ($profileConfig->getItem('defaultGateway')) {
            // For OpenVPN >= 2.4 client only support:
            //$routeConfig[] = 'push "redirect-gateway def1 ipv6"';


            $routeConfig[] = 'push "redirect-gateway def1 bypass-dhcp"';
            // for Windows clients we need this extra route to mark the TAP adapter as
            // trusted and as having "Internet" access to allow the user to set it to
            // "Home" or "Work" to allow accessing file shares and printers
            // NOTE: this will break OS X tunnelblick because on disconnect it will
            // remove all default routes, including the one set before the VPN
            // was brought up
            //$routeConfig[] = 'push "route 0.0.0.0 0.0.0.0"';


            // for iOS we need this OpenVPN 2.4 "ipv6" flag to redirect-gateway
            // See https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-ios-faq.html
            $routeConfig[] = 'push "redirect-gateway ipv6"';

            // we use 2000::/3 instead of ::/0 because it seems to break on native IPv6
            // networks where the ::/0 default route already exists
            // XXX: no longer needed in OpenVPN 2.4! But not all our clients are
            // up to date, e.g. NetAidKit...
            $routeConfig[] = 'push "route-ipv6 2000::/3"';
        } else {
            // there may be some routes specified, push those, and not the default
            foreach ($profileConfig->getSection('routes')->toArray() as $route) {
                $routeIp = new IP($route);
                if (6 === $routeIp->getFamily()) {
                    // IPv6
                    $routeConfig[] = sprintf('push "route-ipv6 %s"', $routeIp->getAddressPrefix());
                } else {
                    // IPv4
                    $routeConfig[] = sprintf('push "route %s %s"', $routeIp->getAddress(), $routeIp->getNetmask());
                }
            }
        }

        return $routeConfig;
    }

    private static function getDns(ProfileConfig $profileConfig)
    {
        // only push DNS if we are the default route
        if (!$profileConfig->getItem('defaultGateway')) {
            return [];
        }

        $dnsEntries = [];
        foreach ($profileConfig->getSection('dns')->toArray() as $dnsAddress) {
            // also add DNS6 for OpenVPN >= 2.4beta2
            if (false !== strpos($dnsAddress, ':')) {
                $dnsEntries[] = sprintf('push "dhcp-option DNS6 %s"', $dnsAddress);
                continue;
            }
            $dnsEntries[] = sprintf('push "dhcp-option DNS %s"', $dnsAddress);
        }

        // prevent DNS leakage on Windows
        $dnsEntries[] = 'push "block-outside-dns"';

        return $dnsEntries;
    }

    private static function getClientToClient(ProfileConfig $profileConfig)
    {
        if (!$profileConfig->getItem('clientToClient')) {
            return [];
        }

        $rangeIp = new IP($profileConfig->getItem('range'));
        $range6Ip = new IP($profileConfig->getItem('range6'));

        return [
            'client-to-client',
            sprintf('push "route %s %s"', $rangeIp->getAddress(), $rangeIp->getNetmask()),
            sprintf('push "route-ipv6 %s"', $range6Ip->getAddressPrefix()),
        ];
    }

    private function toPort($instanceNumber, $profileNumber, $processNumber)
    {
        // convert an instanceNumber, $profileNumber and $processNumber to a management port

        // instanceId = 6 bits (max 64)
        // profileNumber = 4 bits (max 16)
        // processNumber = 4 bits  (max 16)
        return ($instanceNumber - 1 << 8) | ($profileNumber - 1 << 4) | ($processNumber);
    }
}


GitHub Access Token became invalid

Issues (6)

Security Analysis no request data

src/OpenVpn.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

1			<?php
2
3			/**
4			* eduVPN - End-user friendly VPN.
5			*
6			* Copyright: 2016-2017, The Commons Conservancy eduVPN Programme
7			* SPDX-License-Identifier: AGPL-3.0+
8			*/
9
10			namespace SURFnet\VPN\Node;
11
12			use RuntimeException;
13			use SURFnet\VPN\Common\FileIO;
14			use SURFnet\VPN\Common\HttpClient\ServerClient;
15			use SURFnet\VPN\Common\ProfileConfig;
16
17			class OpenVpn
18			{
19			/** @var string */
20			private $vpnConfigDir;
21
22			/** @var string */
23			private $vpnTlsDir;
24
25			public function __construct($vpnConfigDir, $vpnTlsDir)
26			{
27			FileIO::createDir($vpnConfigDir, 0700);
28			$this->vpnConfigDir = $vpnConfigDir;
29			FileIO::createDir($vpnTlsDir, 0700);
30			$this->vpnTlsDir = $vpnTlsDir;
31			}
32
33			public function generateKeys(ServerClient $serverClient, $commonName)
34			{
35			$certData = $serverClient->post('add_server_certificate', ['common_name' => $commonName]);
36
37			$certFileMapping = [
38			'ca' => sprintf('%s/ca.crt', $this->vpnTlsDir),
39			'certificate' => sprintf('%s/server.crt', $this->vpnTlsDir),
40			'private_key' => sprintf('%s/server.key', $this->vpnTlsDir),
41			'ta' => sprintf('%s/ta.key', $this->vpnTlsDir),
42			];
43
44			foreach ($certFileMapping as $k => $v) {
45			FileIO::writeFile($v, $certData[$k], 0600);
46			}
47			}
48
49			public function writeProfile($instanceNumber, $instanceId, $profileId, ProfileConfig $profileConfig)
50			{
51			$range = new IP($profileConfig->getItem('range'));
52			$range6 = new IP($profileConfig->getItem('range6'));
53			$processCount = count($profileConfig->getItem('vpnProtoPorts'));
54
55			$splitRange = $range->split($processCount);
56			$splitRange6 = $range6->split($processCount);
57
58			$managementIp = $profileConfig->getItem('managementIp');
59			$profileNumber = $profileConfig->getItem('profileNumber');
60
61			$processConfig = [
62			'managementIp' => $managementIp,
63			];
64
65			for ($i = 0; $i < $processCount; ++$i) {
66			list($proto, $port) = self::getProtoPort($profileConfig->getItem('vpnProtoPorts'), $profileConfig->getItem('listen'))[$i];
67			$processConfig['range'] = $splitRange[$i];
68			$processConfig['range6'] = $splitRange6[$i];
69			$processConfig['dev'] = sprintf('tun-%d-%d-%d', $instanceNumber, $profileConfig->getItem('profileNumber'), $i);
70			$processConfig['proto'] = $proto;
71			$processConfig['port'] = $port;
72			$processConfig['local'] = $profileConfig->getItem('listen');
73			$processConfig['managementPort'] = 11940 + $this->toPort($instanceNumber, $profileNumber, $i);
74			$processConfig['configName'] = sprintf(
75			'%s-%s-%d.conf',
76			$instanceId,
77			$profileId,
78			$i
79			);
80
81			$this->writeProcess($instanceId, $profileId, $profileConfig, $processConfig);
82			}
83			}
84
85			private static function getFamilyProto($listenAddress, $proto)
86			{
87			$v6 = false !== strpos($listenAddress, ':');
88			if ('udp' === $proto) {
89			return $v6 ? 'udp6' : 'udp';
90			}
91			if ('tcp' === $proto) {
92			return $v6 ? 'tcp6-server' : 'tcp-server';
93			}
94
95			throw new RuntimeException('only "tcp" and "udp" are supported as protocols');
96			}
97
98			private static function getProtoPort(array $vpnProcesses, $listenAddress)
99			{
100			$convertedPortProto = [];
101
102			foreach ($vpnProcesses as $vpnProcess) {
103			list($proto, $port) = explode('/', $vpnProcess);
104			$convertedPortProto[] = [self::getFamilyProto($listenAddress, $proto), $port];
105			}
106
107			return $convertedPortProto;
108			}
109
110			private function writeProcess($instanceId, $profileId, ProfileConfig $profileConfig, array $processConfig)
111			{
112			$tlsDir = sprintf('tls/%s/%s', $instanceId, $profileId);
113
114			$rangeIp = new IP($processConfig['range']);
115			$range6Ip = new IP($processConfig['range6']);
116
117			// static options
118			$serverConfig = [
119			'verb 3',
120			'dev-type tun',
121			sprintf('user %s', $profileConfig->getItem('_user')),
122			sprintf('group %s', $profileConfig->getItem('_group')),
123			'topology subnet',
124			'persist-key',
125			'persist-tun',
126			'keepalive 10 60',
127			'comp-lzo no',
128			'remote-cert-tls client',
129			'tls-version-min 1.2',
130			'tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384',
131			'auth SHA256',
132			'dh none', // Only ECDHE
133
134			// 2.4 only clients: 'ncp-ciphers AES-256-GCM',
135			// 2.4 only clients: 'cipher AES-256-GCM', // also should update the client config to set this, but ncp overrides --cipher
136			'cipher AES-256-CBC',
137			'client-connect /usr/libexec/vpn-server-node-client-connect',
138			'client-disconnect /usr/libexec/vpn-server-node-client-disconnect',
139			'push "comp-lzo no"',
140			'push "explicit-exit-notify 3"',
141
142			// we probably do NOT want this, it is up to the client to decide
143			// about this!
144			//'push "persist-key"',
145			//'push "persist-tun"',
146
147			sprintf('ca %s/ca.crt', $tlsDir),
148			sprintf('cert %s/server.crt', $tlsDir),
149			sprintf('key %s/server.key', $tlsDir),
150			sprintf('server %s %s', $rangeIp->getNetwork(), $rangeIp->getNetmask()),
151			sprintf('server-ipv6 %s', $range6Ip->getAddressPrefix()),
152			sprintf('max-clients %d', $rangeIp->getNumberOfHosts() - 1),
153			sprintf('script-security %d', $profileConfig->getItem('twoFactor') ? 3 : 2),
154			sprintf('dev %s', $processConfig['dev']),
155			sprintf('port %d', $processConfig['port']),
156			sprintf('management %s %d', $processConfig['managementIp'], $processConfig['managementPort']),
157			sprintf('setenv INSTANCE_ID %s', $instanceId),
158			sprintf('setenv PROFILE_ID %s', $profileId),
159			sprintf('proto %s', $processConfig['proto']),
160			sprintf('local %s', $processConfig['local']),
161			];
162
163			if (!$profileConfig->getItem('enableLog')) {
164			$serverConfig[] = 'log /dev/null';
165			}
166
167			if ('tcp-server' === $processConfig['proto'] \|\| 'tcp6-server' === $processConfig['proto']) {
168			$serverConfig[] = 'tcp-nodelay';
169			}
170
171			if ('udp' === $processConfig['proto'] \|\| 'udp6' === $processConfig['proto']) {
172			// notify the clients to reconnect when restarting OpenVPN on the server
173			// OpenVPN server >= 2.4
174			$serverConfig[] = 'explicit-exit-notify 1';
175			}
176
177			if ($profileConfig->getItem('twoFactor')) {
178			$serverConfig[] = 'auth-gen-token'; // Added in OpenVPN 2.4
179			$serverConfig[] = 'auth-user-pass-verify /usr/libexec/vpn-server-node-verify-otp via-env';
180			}
181
182			if ($profileConfig->getItem('tlsCrypt')) {
183			$serverConfig[] = sprintf('tls-crypt %s/ta.key', $tlsDir);
184			} else {
185			$serverConfig[] = sprintf('tls-auth %s/ta.key 0', $tlsDir);
186			}
187
188			// Routes
189			$serverConfig = array_merge($serverConfig, self::getRoutes($profileConfig));
190
191			// DNS
192			$serverConfig = array_merge($serverConfig, self::getDns($profileConfig));
193
194			// Client-to-client
195			$serverConfig = array_merge($serverConfig, self::getClientToClient($profileConfig));
196
197			sort($serverConfig, SORT_STRING);
198
199			$serverConfig = array_merge(
200			[
201			'#',
202			'# OpenVPN Server Configuration',
203			'#',
204			'# ******************************************',
205			'# * THIS FILE IS GENERATED, DO NOT MODIFY! *',
206			'# ******************************************',
207			'#',
208			],
209			$serverConfig
210			);
211
212			$configFile = sprintf('%s/%s', $this->vpnConfigDir, $processConfig['configName']);
213
214			FileIO::writeFile($configFile, implode(PHP_EOL, $serverConfig), 0600);
215			}
216
217			private static function getRoutes(ProfileConfig $profileConfig)
218			{
219			$routeConfig = [];
220			if ($profileConfig->getItem('defaultGateway')) {
221			// For OpenVPN >= 2.4 client only support:
222			//$routeConfig[] = 'push "redirect-gateway def1 ipv6"';
			0 ignored issues – show Unused Code Comprehensibility introduced 2017-05-14 21:00 UTC by Report Bug Copy Issue Report Show Similar Issues like this `63%` of this comment could be valid code. Did you maybe forget this after debugging? Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it. The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production. This check looks for comments that seem to be mostly valid code and reports them. Loading history...
223
224			$routeConfig[] = 'push "redirect-gateway def1 bypass-dhcp"';
225			// for Windows clients we need this extra route to mark the TAP adapter as
226			// trusted and as having "Internet" access to allow the user to set it to
227			// "Home" or "Work" to allow accessing file shares and printers
228			// NOTE: this will break OS X tunnelblick because on disconnect it will
229			// remove all default routes, including the one set before the VPN
230			// was brought up
231			//$routeConfig[] = 'push "route 0.0.0.0 0.0.0.0"';
			0 ignored issues – show Unused Code Comprehensibility introduced 2016-10-18 14:13 UTC by Report Bug Copy Issue Report Show Similar Issues like this `63%` of this comment could be valid code. Did you maybe forget this after debugging? Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it. The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production. This check looks for comments that seem to be mostly valid code and reports them. Loading history...
232
233			// for iOS we need this OpenVPN 2.4 "ipv6" flag to redirect-gateway
234			// See https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-ios-faq.html
235			$routeConfig[] = 'push "redirect-gateway ipv6"';
236
237			// we use 2000::/3 instead of ::/0 because it seems to break on native IPv6
238			// networks where the ::/0 default route already exists
239			// XXX: no longer needed in OpenVPN 2.4! But not all our clients are
240			// up to date, e.g. NetAidKit...
241			$routeConfig[] = 'push "route-ipv6 2000::/3"';
242			} else {
243			// there may be some routes specified, push those, and not the default
244			foreach ($profileConfig->getSection('routes')->toArray() as $route) {
245			$routeIp = new IP($route);
246			if (6 === $routeIp->getFamily()) {
247			// IPv6
248			$routeConfig[] = sprintf('push "route-ipv6 %s"', $routeIp->getAddressPrefix());
249			} else {
250			// IPv4
251			$routeConfig[] = sprintf('push "route %s %s"', $routeIp->getAddress(), $routeIp->getNetmask());
252			}
253			}
254			}
255
256			return $routeConfig;
257			}
258
259			private static function getDns(ProfileConfig $profileConfig)
260			{
261			// only push DNS if we are the default route
262			if (!$profileConfig->getItem('defaultGateway')) {
263			return [];
264			}
265
266			$dnsEntries = [];
267			foreach ($profileConfig->getSection('dns')->toArray() as $dnsAddress) {
268			// also add DNS6 for OpenVPN >= 2.4beta2
269			if (false !== strpos($dnsAddress, ':')) {
270			$dnsEntries[] = sprintf('push "dhcp-option DNS6 %s"', $dnsAddress);
271			continue;
272			}
273			$dnsEntries[] = sprintf('push "dhcp-option DNS %s"', $dnsAddress);
274			}
275
276			// prevent DNS leakage on Windows
277			$dnsEntries[] = 'push "block-outside-dns"';
278
279			return $dnsEntries;
280			}
281
282			private static function getClientToClient(ProfileConfig $profileConfig)
283			{
284			if (!$profileConfig->getItem('clientToClient')) {
285			return [];
286			}
287
288			$rangeIp = new IP($profileConfig->getItem('range'));
289			$range6Ip = new IP($profileConfig->getItem('range6'));
290
291			return [
292			'client-to-client',
293			sprintf('push "route %s %s"', $rangeIp->getAddress(), $rangeIp->getNetmask()),
294			sprintf('push "route-ipv6 %s"', $range6Ip->getAddressPrefix()),
295			];
296			}
297
298			private function toPort($instanceNumber, $profileNumber, $processNumber)
299			{
300			// convert an instanceNumber, $profileNumber and $processNumber to a management port
301
302			// instanceId = 6 bits (max 64)
303			// profileNumber = 4 bits (max 16)
304			// processNumber = 4 bits (max 16)
305			return ($instanceNumber - 1 << 8) \| ($profileNumber - 1 << 4) \| ($processNumber);
306			}
307			}
308

eduvpn / vpn-server-node

GitHub Access Token became invalid

Issues (6)

Security Analysis no request data

src/OpenVpn.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like