diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
new file mode 100644
index 00000000000..a0ef3a5d23c
--- /dev/null
+++ b/.github/workflows/docker.yml
@@ -0,0 +1,63 @@
+name: ubuntu
+on:
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+ - lthn
+ - further-improvements
+ pull_request:
+ branches:
+ - main
+ - lthn
+ - further-improvements
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Cancel Previous Runs
+ uses: styfle/cancel-workflow-action@0.9.1
+ with:
+ access_token: ${{ github.token }}
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ submodules: recursive
+ - name: Set up Docker Buildx
+ id: buildx
+ uses: docker/setup-buildx-action@v2
+ with:
+ install: true
+ - name: Login to GitHub Container registry
+ uses: docker/login-action@v2
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Login to DockerHub
+ uses: docker/login-action@v2
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+ - name: Docker Build
+ if: ${{ github.event_name != 'pull_request' }}
+ uses: docker/build-push-action@v3
+ with:
+ context: .
+ file: Dockerfile
+ cache-to: ghcr.io/dappserver/openvpn
+ cache-from: ghcr.io/dappserver/openvpn
+ push: true
+ tags: lthn/openvpn,ghcr.io/dappserver/openvpn
+ - name: Docker Build
+ if: ${{ github.event_name == 'pull_request' }}
+ uses: docker/build-push-action@v3
+ with:
+ context: .
+ file: Dockerfile
+ cache-to: ghcr.io/dappserver/openvpn
+ cache-from: ghcr.io/dappserver/openvpn
+ push: false
+ tags: lthn/openvpn,ghcr.io/dappserver/openvpn
+
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 00000000000..585015d5b40
--- /dev/null
+++ b/Dockerfile
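Review bot: `cache-to: ghcr.io/dappserver/openvpn` and `cache-from: ghcr.io/dappserver/openvpn` point at the same reference that `tags:` pushes the image to, so the registry cache export and the image push both write `ghcr.io/dappserver/openvpn:latest` and whichever lands last wins; it looks like this will either clobber the published image or make the cache miss on every run. A dedicated cache tag avoids the collision, e.g. `cache-to: type=registry,ref=ghcr.io/dappserver/openvpn:buildcache,mode=max` with the matching `cache-from: type=registry,ref=ghcr.io/dappserver/openvpn:buildcache`. The actions are referenced by mutable tags (`styfle/cancel-workflow-action@0.9.1`, `docker/build-push-action@v3`); pinning each `uses:` to a commit SHA with the tag as a trailing comment makes the workflow reproducible and tamper-evident. The second `Docker Build` step is gated on `pull_request`, but the Docker Hub login before it needs `secrets.DOCKERHUB_*`, which are not exposed to pull requests from forks, so that path presumably fails at the login step unless it is gated on the event too.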
@@ -0,0 +1,55 @@
+# Use Ubuntu as the build image.
+FROM lthn/ubuntu-build:20.04 as build
+
+RUN apt-get update && apt-get install -y python-docutils python3-docutils
+
+WORKDIR /build/lthn
+
+# Copy source files
+COPY . .
+
+# Configure code checkout
+RUN autoreconf -i -v -f
+
+# Configure build for Linux amd64
+RUN ./configure --prefix=/home/lthn
+
+# Compile OpenVPN
+RUN make -j2
+
+RUN make install
+
+# Use Ubuntu as the final image.
+FROM ubuntu:20.04 as final
+
+# Add Image Authors
+LABEL org.opencontainers.image.authors="darbs@lethean.io,snider@lethean.io"
+
+# Install necessary packages to run OpenVPN.
+RUN apt-get update && apt-get install -y sudo openssl iptables libssl-dev libpam0g-dev liblzo2-dev
+
+# Path where all openvpn scripts and configs will live.
+WORKDIR /home/lthn/openvpn
+
+# Copy openvpn binary
+COPY --from=build --chmod=0777 /home/lthn /home/lthn
+# Copy config & profile folders
+COPY ./conf/ /home/lthn/openvpn/conf/
+COPY ./profile/ /home/lthn/openvpn/profile/
+
+# Copy all helper shell script files locally.
+COPY --chmod=0777 ./*.sh /home/lthn/bin/
+COPY ./*.conf ./
+
+# Set Lethean environment PATH
+ENV PATH=/home/lthn/bin:/home/lthn/sbin:${PATH}
+
+# Expose the OpenVPN port
+EXPOSE 1194/udp
+
+# Set environment variables
+ENV SCRIPT=""
+
+# Run a specified script (if provided), or run OpenVPN server if none is provided.
+CMD ["/bin/bash", "-c", "if [ -f \"$SCRIPT\" ]; then \"$SCRIPT\"; else /bin/bash startup.sh; fi"]
+
diff --git a/README b/README
index 5a720cfd857..bd52eefc2fc 100644
--- a/README
+++ b/README
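Review bot: `COPY --from=build --chmod=0777 /home/lthn /home/lthn` and `COPY --chmod=0777 ./*.sh /home/lthn/bin/` install the openvpn binary and the `client-connect`/`client-disconnect` handlers world-writable, and the final stage never sets `USER`, so any process that gets into the container can overwrite code the daemon later executes with its own privileges; `--chmod=0755` is all a binary or script needs. The runtime `apt-get` line installs `-dev` header packages and `sudo` that the daemon does not use and leaves the apt lists in the layer; `RUN apt-get update && apt-get install -y --no-install-recommends iptables libpam0g liblzo2-2 libssl1.1 openssl && rm -rf /var/lib/apt/lists/*` keeps just the shared libraries openvpn links against (package names as on Ubuntu 20.04 — confirm against `ldd` of the built binary). The `CMD` reaches openvpn through two nested `bash` processes, so `docker stop` signals the outer shell rather than the daemon; an entrypoint that ends in `exec`, together with `exec` in `startup.sh`, makes openvpn PID 1. Both `FROM` lines are tag-only; pinning `lthn/ubuntu-build:20.04` and `ubuntu:20.04` by digest would make the image reproducible.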
@@ -1,152 +1,242 @@ -OpenVPN -- A Secure tunneling daemon - -Copyright (C) 2002-2022 OpenVPN Inc. This program is free software; -you can redistribute it and/or modify -it under the terms of the GNU General Public License version 2 -as published by the Free Software Foundation. - -************************************************************************* - -1. Install dependencies: - -Ubuntu/Debian: - - apt-get install liblzo2-dev libpam0g-dev - -RHEL/CentOS - - yum install lzo-devel pam-devel - -2. Download openvpn, Build and Install: - - cd ~ - git clone https://github.com/dAppServer/openvpn.git - cd openvpn - ./configure - make - make install - -or see the file INSTALL for more info. - -3. Below was tested on a factory defaulted Raspberry Pi2. Iptables already permitted all required incoming connections. - -On Linux: - -Forward traffic through desired interfaces. Below is an example. Replace eth0 with your local adapter. - - iptables -A FORWARD -i tun+ -j ACCEPT - iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT - iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT - -Setup iptables to source NAT vpn client address space when egressing the openvpn server. -A destination or egress interface should be specified in the statement where appropriate. Single homed systems shouldn't need an interface specified. -This is optional in environments where visibility and you understand what routing changes are required in your environment. -The below subnet is the openvpn conf file default. Change to your requirements. - - iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE - -NOTE: On a PI used for testing the MASQUERADE syntax may not be possible. You can use the command "sudo update-alternatives --config iptables" to change iptables to "iptables-legacy", which will then allow the above to be executed. - -4. Enable ip forwarding and promiscious mode on in-path interfaces. 
- -Enable IP Forwarding - -On Linux: - - echo 1 > /proc/sys/net/ipv4/ip_forward - -On OS X: - - sudo sysctl -w net.inet.ip.forwarding=1 - -Set NIC to promiscious mode - -On Linux: - -Example, set based on the interface which will be used for routing VPN clients. - - sudo ip link set eth0 promisc on - sudo ip link set wlan0 promisc on - -5. Create required cerificates. - -On Linux: - - Generate TLS Auth Key - - openvpn --genkey tls-auth ta.key - -To simplify the cerificate creation process, generate DH, CA, server and client keys using easy-rsa tool and instructions here: - - https://github.com/OpenVPN/easy-rsa - https://github.com/OpenVPN/easy-rsa/blob/master/README.quickstart.md - - Guide will be added here in future. - - NOTE: Methods other than easy-rsa can be used to generate certificates. The above repository simplies the process. - -7. Run your openvpn server. - Run in daemon mode if desired with the "--daemon" option. - Config file "client-cert-ftm.conf" is a working sample for ease of use and setup. - Ensure all certificates/keys are in the paths stated within "client-cert-ftm.conf" or updated accordingly. Paths can be overriden during command execution. - - Client certificate authentication in full tunnel mode. - - openvpn --config client-cert-ftm.conf - -8. Connect to your openvpn server. Enjoy! - -************************************************************************* - -For detailed information on OpenVPN, including examples, see the man page - http://openvpn.net/man.html - -For a sample VPN configuration, see - http://openvpn.net/howto.html - -To report an issue, see - https://github.com/OpenVPN/openvpn/issues/new - (Note: We recently switched to GitHub for reporting new issues, - old issues can be found at: - https://community.openvpn.net/openvpn/report) - -For a description of OpenVPN's underlying protocol, - see the file ssl.h included in the source distribution. 
- -************************************************************************* - -Other Files & Directories: - -* configure.ac -- script to rebuild our configure - script and makefile. - -* sample/sample-scripts/verify-cn - - A sample perl script which can be used with OpenVPN's - --tls-verify option to provide a customized authentication - test on embedded X509 certificate fields. - -* sample/sample-keys/ - - Sample RSA keys and certificates. DON'T USE THESE FILES - FOR ANYTHING OTHER THAN TESTING BECAUSE THEY ARE TOTALLY INSECURE. - -* sample/sample-config-files/ - - A collection of OpenVPN config files and scripts from - the HOWTO at http://openvpn.net/howto.html - -************************************************************************* - -Note that easy-rsa and tap-windows are now maintained in their own subprojects. -Their source code is available here: - - https://github.com/OpenVPN/easy-rsa - https://github.com/OpenVPN/tap-windows6 - -The old cross-compilation environment (domake-win) and the Python-based -buildsystem have been replaced with openvpn-build: - - https://github.com/OpenVPN/openvpn-build - -See the INSTALL file for usage information. +OpenVPN -- A Secure tunneling daemon + +Copyright (C) 2002-2022 OpenVPN Inc. This program is free software; +you can redistribute it and/or modify +it under the terms of the GNU General Public License version 2 +as published by the Free Software Foundation. + +************************************************************************* + +1. Install dependencies: + +Ubuntu/Debian: + + apt-get install autoconf automake libtool libcap-ng-dev pkg-config liblz4-dev python-docutils python3-docutils liblzo2-dev libpam0g-dev + +RHEL/CentOS + + yum install lzo-devel pam-devel + +2. 
Download openvpn, Build and Install: + + cd ~ + git clone -b lthn https://github.com/dAppServer/openvpn.git + mkdir bin + cd openvpn + autoreconf -i + ./configure --prefix=$PWD/bin + make + make install + mv bin/sbin/openvpn ../bin/openvpn + export PATH=/home/lthn/bin:$PATH + +3. Create required cerificates. + +On Linux: + + You have 2 options: + + a) Generate your CA, server and one client certificate automatically (default key passwords). Including generating a client VPN profile for the default client name which is "Lethean_VPN_Client". + + chmod +x generate_certs.sh + chmod +x generate_client_profile.sh + ./generate_certs.sh --defaults + ./generate_client_profile.sh Lethean_VPN_Client + + NOTE: Generated profile resides in the "profile" folder. + + OR + + b) Generate your own certificates. Recommended for better validation, control and security through entering your own private key passwords. + + chmod +x generate_certs.sh + chmod +x generate_client_profile.sh + ./generate_certs.sh --ca --with-capass --with-cacn + ./generate_certs.sh --server --with-capass --with-serverpass --with-servercn + ./generate_certs.sh --client --with-capass --with-clientpass --with-clientcn + ./generate_client_profile.sh + + NOTE: Generated profile resides in "profile" folder. + + +4. Below was tested on a factory defaulted Raspberry Pi2. Iptables already permitted all required incoming connections. + +On Linux: + +Forward traffic through desired interfaces. Below is an example. Replace eth0 with your local adapter. + + iptables -A FORWARD -i tun+ -j ACCEPT + iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT + iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT + +Setup iptables to source NAT vpn client address space when egressing the openvpn server. +A destination or egress interface should be specified in the statement where appropriate. Single homed systems shouldn't need an interface specified. 
+This is optional in environments where visibility and you understand what routing changes are required in your environment. +The below subnet is the openvpn conf file default. Change to your requirements. + + iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE + +NOTE: On a PI used for testing the MASQUERADE syntax may not be possible. You can use the command "sudo update-alternatives --config iptables" to change iptables to "iptables-legacy", which will then allow the above to be executed. + +5. Enable ip forwarding and promiscious mode on in-path interfaces. + +Enable IP Forwarding + +On Linux: + + echo 1 > /proc/sys/net/ipv4/ip_forward + +On OS X: + + sudo sysctl -w net.inet.ip.forwarding=1 + +Set NIC to promiscious mode + +On Linux: + +Example, set based on the interface which will be used for routing VPN clients. + + sudo ip link set eth0 promisc on + sudo ip link set wlan0 promisc on + +6. Run your openvpn server. + Run in daemon mode if desired with the "--daemon" option. + Config file "client-cert-ftm.conf" is a working sample for ease of use and setup. + Ensure all certificates/keys are in the paths stated within "client-cert-ftm.conf" or updated accordingly. Paths can be overriden during command execution. + + Client certificate authentication in full tunnel mode. + + openvpn --config client-cert-ftm.conf + +7. Share the openvpn client profile with your user. + + Enjoy! 
+ +************************************************************************* + + DOCKER USAGE + + Generate certificates: + + LINUX + + mkdir openvpn && cd openvpn + docker run --rm -v $(pwd)/etc:/home/lthn/openvpn/etc lthn/openvpn generate_certs.sh --defaults + + OR + + docker run -v $(pwd)/etc:/home/lthn/openvpn/etc --rm lthn/openvpn generate_certs.sh --ca --with-capass --with-cacn + docker run -v $(pwd)/etc:/home/lthn/openvpn/etc --rm lthn/openvpn generate_certs.sh --with-capass --server --with-serverpass --with-servercn + docker run -v $(pwd)/etc:/home/lthn/openvpn/etc --rm lthn/openvpn generate_certs.sh --client --with-capass --with-clientpass --with-clientcn + + WINDOWS (powershell) + + mkdir openvpn && cd openvpn + docker run --rm -v ${pwd}/etc:/home/lthn/openvpn/etc lthn/openvpn generate_certs.sh --defaults + + OR + + docker run -v ${pwd}/etc:/home/lthn/openvpn/etc --rm lthn/openvpn generate_certs.sh --ca --with-capass --with-cacn + docker run -v ${pwd}/etc:/home/lthn/openvpn/etc --rm lthn/openvpn generate_certs.sh --with-capass --server --with-serverpass --with-servercn + docker run -v ${pwd}/etc:/home/lthn/openvpn/etc --rm lthn/openvpn generate_certs.sh --client --with-capass --with-clientpass --with-clientcn + + Generate client profile: + + LINUX + + (Defaults profile) + + docker run -v $(pwd)/etc:/home/lthn/openvpn/etc -v $(pwd)/profile:/home/lthn/openvpn/profile --rm lthn/openvpn generate_client_profile.sh Lethean_VPN_Client + + OR + + docker run -v $(pwd)/etc:/home/lthn/openvpn/etc -v $(pwd)/profile:/home/lthn/openvpn/profile --rm lthn/openvpn generate_client_profile.sh + + WINDOWS (powershell) + + (Defaults profile) + + docker run -v ${pwd}/etc:/home/lthn/openvpn/etc -v $(pwd)/profile:/home/lthn/openvpn/profile --rm lthn/openvpn generate_client_profile.sh Lethean_VPN_Client + + OR + + docker run -v ${pwd}/etc:/home/lthn/openvpn/etc -v $(pwd)/profile:/home/lthn/openvpn/profile --rm lthn/openvpn generate_client_profile.sh + + Run openvpn server: + + 
Give your local host user running docker rights to access the TUN interface, then run the container. + Container is assuming you already have a local "etc" folder containing your certificates generated earlier. This ensures openvpn server can bind an already created certificate. + Container is also assuming you already have a local "profile" folder. This ensures client vpn profiles can be generated and served to localhost for easy access. + + LINUX + + docker run -p 1194:1194/udp --name lthn-openvpn --device=/dev/net/tun --cap-add=NET_ADMIN -v $(pwd)/etc:/home/lthn/openvpn/etc -v $(pwd)/profile:/home/lthn/openvpn/profile lthn/openvpn + + WINDOWS (powershell) + + docker run -p 1194:1194/udp --name lthn-openvpn --device=/dev/net/tun --cap-add=NET_ADMIN -v ${pwd}/etc:/home/lthn/openvpn/etc -v ${pwd}/profile:/home/lthn/openvpn/profile lthn/openvpn + + + Generating additional client certficates or profiles from the live running container. + + LINUX / WINDOWS (powershell) + + docker exec lthn-openvpn generate_certs.sh --client --with-capass --with-clientpass --with-clientcn + + docker exec lthn-openvpn generate_client_profile.sh + + +************************************************************************* + +For detailed information on OpenVPN, including examples, see the man page + http://openvpn.net/man.html + +For a sample VPN configuration, see + http://openvpn.net/howto.html + +To report an issue, see + https://github.com/OpenVPN/openvpn/issues/new + (Note: We recently switched to GitHub for reporting new issues, + old issues can be found at: + https://community.openvpn.net/openvpn/report) + +For a description of OpenVPN's underlying protocol, + see the file ssl.h included in the source distribution. + +************************************************************************* + +Other Files & Directories: + +* configure.ac -- script to rebuild our configure + script and makefile. 
+
+* sample/sample-scripts/verify-cn
+
+ A sample perl script which can be used with OpenVPN's
+ --tls-verify option to provide a customized authentication
+ test on embedded X509 certificate fields.
+
+* sample/sample-keys/
+
+ Sample RSA keys and certificates. DON'T USE THESE FILES
+ FOR ANYTHING OTHER THAN TESTING BECAUSE THEY ARE TOTALLY INSECURE.
+
+* sample/sample-config-files/
+
+ A collection of OpenVPN config files and scripts from
+ the HOWTO at http://openvpn.net/howto.html
+
+*************************************************************************
+
+Note that easy-rsa and tap-windows are now maintained in their own subprojects.
+Their source code is available here:
+
+ https://github.com/OpenVPN/easy-rsa
+ https://github.com/OpenVPN/tap-windows6
+
+The old cross-compilation environment (domake-win) and the Python-based
+buildsystem have been replaced with openvpn-build:
+
+ https://github.com/OpenVPN/openvpn-build
+
+See the INSTALL file for usage information.
diff --git a/cert-auth-ftm.conf b/cert-auth-ftm.conf
index 335f175b520..df1c7ed9b47 100644
--- a/cert-auth-ftm.conf
+++ b/cert-auth-ftm.conf
@@ -78,15 +78,15 @@ dev tun
 #ca ca.crt
 #cert server.crt
 #key server.key # This file should be kept secret
-/home/lthn/etc/ca/certs ca.crt.pem
-/home/lthn/etc/ca/certs openvpn.cert.pem
-/home/lthn/etc/ca/private openvpn.key.pem
+ca /home/lthn/openvpn/etc/ca/certs/ca.cert.pem
+cert /home/lthn/openvpn/etc/ca/certs/openvpn.cert.pem
+key /home/lthn/openvpn/etc/ca/private/openvpn.key.pem
 # Diffie hellman parameters.
 # Generate your own with:
 # openssl dhparam -out dh2048.pem 2048
 #dh dh2048.pem
-dh /home/lthn/etc/dhparam.pem
+dh /home/lthn/openvpn/etc/dhparam.pem
 # Network topology
 # Should be subnet (addressing via IP)
@@ -205,9 +205,12 @@ push "redirect-gateway def1 bypass-dhcp autolocal block-local ipv6"
 # DNS servers provided by opendns.com.
 ;push "dhcp-option DNS 208.67.222.222"
 ;push "dhcp-option DNS 208.67.220.220"
-push "dhcp-option DNS 8.8.8.8" # Google DNS. Comment line once having your own preferred DNS setup.
-push "dhcp-option DNS 8.8.4.4" # Google DNS. Comment line once having your own preferred DNS setup.
-;push "dhcp-option DNS" x.x.x.x # Recommend setting your own and removing the above entries.
+
+# Google DNS. Comment line once having your own preferred DNS setup.
+push "dhcp-option DNS 8.8.8.8"
+push "dhcp-option DNS 8.8.4.4"
+# Recommend setting your own DNS below and removing the above entries.
+;push "dhcp-option DNS x.x.x.x"
 # Uncomment this directive to allow different
 # clients to be able to "see" each other.
@@ -251,7 +254,7 @@ keepalive 10 120
 # The second parameter should be '0'
 # on the server and '1' on the clients.
 #tls-auth ta.key 0 # This file is secret
-tls-auth /home/lthn/etc/ta.key 0 # This file is secret
+tls-auth /home/lthn/openvpn/etc/ta.key 0 # This file is secret
 # Select a cryptographic cipher.
 # This config item must be copied to
@@ -259,7 +262,9 @@ tls-auth /home/lthn/etc/ta.key 0 # This file is secret
 # Note that v2.4 client/server will automatically
 # negotiate AES-256-GCM in TLS mode.
 # See also the ncp-cipher option in the manpage
-cipher AES-256-CBC
+cipher AES-256-GCM
+auth SHA512
+tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
 # Enable compression on the VPN link and push the
 # option to the client (v2.4+ only, for earlier
@@ -323,3 +328,8 @@ verb 3
 # Notify the client that when the server restarts so it
 # can automatically reconnect.
 explicit-exit-notify 1
+
+# Apply iptables policy changes on connect/disconnect.
+script-security 2
+client-connect /home/lthn/bin/openvpn-client-connect.sh
+client-disconnect /home/lthn/bin/openvpn-client-disconnect.sh
diff --git a/conf/ca.cfg b/conf/ca.cfg
index a99e7922a89..6fc35266d76 100644
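Review bot: `tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384` in the @@ -259 hunk pins the control channel to a single DHE-RSA suite, which excludes ECDHE key exchange and means any client whose TLS library drops that one suite cannot connect at all; if the goal is forward secrecy with AES-256-GCM, a short list such as `tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384` keeps the restriction while leaving a modern option. The identical string is hard-coded into the generated client profile (`generate_client_profile.sh` in this commit), so the two must be changed together. Adding `tls-version-min 1.2` next to these lines would make the TLS floor explicit alongside the suite choice. A comment above the three new directives saying that client profiles must carry matching `cipher`/`auth`/`tls-cipher` values would help whoever edits this next.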
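Review bot: With `script-security 2` and `client-connect /home/lthn/bin/openvpn-client-connect.sh` in the @@ -323 hunk, the handler's exit status decides whether a client is admitted, so any failure of its `iptables` calls (no `CAP_NET_ADMIN`, an unset environment variable) turns into a refused connection for every client rather than a logged policy gap. A comment here would record that contract, e.g. `# client-connect must exit 0 or the client is rejected; the handlers need CAP_NET_ADMIN (see README docker run flags)`.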
--- a/conf/ca.cfg
+++ b/conf/ca.cfg
@@ -45,8 +45,6 @@ x509_extensions = v3_ca
 [ usr_cert ]
 # Extensions for client certificates (`man x509v3_config`).
 basicConstraints = CA:FALSE
-nsCertType = client, email
-nsComment = "OpenSSL Generated Client Certificate"
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer
 keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
@@ -55,8 +53,6 @@ extendedKeyUsage = clientAuth, emailProtection
 [ server_cert ]
 # Extensions for server certificates (`man x509v3_config`).
 basicConstraints = CA:FALSE
-nsCertType = server
-nsComment = "OpenSSL Generated Server Certificate"
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer:always
 keyUsage = critical, digitalSignature, keyEncipherment
diff --git a/generate_certs.sh b/generate_certs.sh
index 8a4f15615ac..a942a8d5a35 100644
--- a/generate_certs.sh
+++ b/generate_certs.sh
@@ -1,15 +1,15 @@
 #!/usr/bin/env bash
 # set PATH to find all binaries
-PATH=$PATH:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin
+PATH=$PATH:/home/lthn/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin
 export TOPDIR=$(realpath $(dirname $0))
 # Static defaults
-LTHN_PREFIX=/home/lthn
+LTHN_PREFIX=/home/lthn/openvpn
 # General usage help
 usage() {
- echo
+ echo
 echo "To generate root CA"
 echo $0 "--ca [--with-cacn commonname --with-capass pass] [--generate-dh] [--generate-tls-auth]"
 echo
@@ -88,7 +88,7 @@ generate_ca() {
 echo -n 00 >serial
 "${OPENSSL_BIN}" genrsa -aes256 -out private/ca.key.pem -passout pass:$ca_pass 4096
 chmod 400 private/ca.key.pem
- "${OPENSSL_BIN}" req -config $TOPDIR/openvpn/conf/ca.cfg -batch -subj "/CN=$cn" -passin pass:$ca_pass \
+ "${OPENSSL_BIN}" req -config $LTHN_PREFIX/conf/ca.cfg -batch -subj "/CN=$cn" -passin pass:$ca_pass \
 -key private/ca.key.pem \
 -new -x509 -days 7300 -sha256 -extensions v3_ca \
 -out certs/ca.cert.pem
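Review bot: `-config $LTHN_PREFIX/conf/ca.cfg` in the @@ -88 hunk hard-wires the CA policy file to `/home/lthn/openvpn/conf/ca.cfg`; inside the image the Dockerfile's `COPY ./conf/ /home/lthn/openvpn/conf/` provides it, but the host build described in the README (`./configure --prefix=$PWD/bin`) does not appear to place `conf/` there, so the non-container flow presumably breaks unless the prefix can be overridden, e.g. `LTHN_PREFIX=${LTHN_PREFIX:-/home/lthn/openvpn}` in the @@ -1 hunk. Quoting the new argument as `"$LTHN_PREFIX/conf/ca.cfg"` would match the quoting already used for `"${OPENSSL_BIN}"` on the same line. The same substitution recurs in the `generate_server` and `generate_client` hunks of this file and would take the same two changes.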
@@ -107,10 +107,10 @@ generate_server() {
 "${OPENSSL_BIN}" genrsa -aes256 \
 -out private/"$cn".key.pem -passout pass:$server_pass 4096
 chmod 400 private/"$cn".key.pem
- "${OPENSSL_BIN}" req -config $TOPDIR/openvpn/conf/ca.cfg -batch -subj "/CN=$cn" -passin "pass:$server_pass" \
+ "${OPENSSL_BIN}" req -config $LTHN_PREFIX/conf/ca.cfg -batch -subj "/CN=$cn" -passin "pass:$server_pass" \
 -key private/"$cn".key.pem \
 -new -sha256 -out csr/"$cn".csr.pem
- "${OPENSSL_BIN}" ca -batch -config $TOPDIR/openvpn/conf/ca.cfg -subj "/CN=$cn" -passin "pass:$server_pass" \
+ "${OPENSSL_BIN}" ca -batch -config $LTHN_PREFIX/conf/ca.cfg -subj "/CN=$cn" -passin "pass:$server_pass" \
 -extensions server_cert -days 375 -notext -md sha256 \
 -in csr/"$cn".csr.pem \
 -out certs/"$cn".cert.pem
@@ -131,10 +131,10 @@ generate_client() {
 "${OPENSSL_BIN}" genrsa -aes256 \
 -out private/client/"$cn".key.pem -passout pass:$client_pass 2048
 chmod 400 private/client/"$cn".key.pem
- "${OPENSSL_BIN}" req -config $TOPDIR/openvpn/conf/ca.cfg -batch -subj "/CN=$cn" -passin "pass:$client_pass" \
+ "${OPENSSL_BIN}" req -config $LTHN_PREFIX/conf/ca.cfg -batch -subj "/CN=$cn" -passin "pass:$client_pass" \
 -key private/client/"$cn".key.pem \
 -new -sha256 -out csr/client/"$cn".csr.pem
- "${OPENSSL_BIN}" ca -batch -config $TOPDIR/openvpn/conf/ca.cfg -subj "/CN=$cn" -passin "pass:$client_pass" \
+ "${OPENSSL_BIN}" ca -batch -config $LTHN_PREFIX/conf/ca.cfg -subj "/CN=$cn" -passin "pass:$client_pass" \
 -extensions usr_cert -days 375 -notext -md sha256 \
 -in csr/client/"$cn".csr.pem \
 -out certs/client/"$cn".cert.pem
@@ -253,10 +253,10 @@ done
 # Make directories for creation and moving generate keys
 mkdir -p build/etc
-mkdir -p etc/ca/certs
-mkdir -p etc/ca/private
-mkdir -p etc/ca/certs/client
-mkdir -p etc/ca/private/client
+mkdir -p $LTHN_PREFIX/etc/ca/certs
+mkdir -p $LTHN_PREFIX/etc/ca/private
+mkdir -p $LTHN_PREFIX/etc/ca/certs/client
+mkdir -p $LTHN_PREFIX/etc/ca/private/client
 # Where files will eventually live
 sysconf_dir=${LTHN_PREFIX}/etc/
@@ -283,7 +283,7 @@ if [ -n "$generate_ca" ] && ! [ -f build/etc/ca/index.txt ]; then
 mkdir -p build/etc/ca
 generate_ca build/etc/ca/ "$ca_cn"
 )
- cp build/etc/ca/certs/ca.cert.pem etc/ca/certs/
+ cp build/etc/ca/certs/ca.cert.pem $LTHN_PREFIX/etc/ca/certs/
 fi
 # Abort server certificate creation if duplicate CN certificate already exists.
@@ -305,8 +305,10 @@ if [ -n "$generate_server" ] && ! [ -f build/etc/ca/certs/"$server_cn".cert.pem
 (
 generate_server build/etc/ca/ "$server_cn"
 )
- cp build/etc/ca/certs/"$server_cn"* etc/ca/certs/
- cp build/etc/ca/private/"$server_cn"* etc/ca/private/
+ cp build/etc/ca/certs/"$server_cn"* $LTHN_PREFIX/etc/ca/certs/
+ cp build/etc/ca/certs/"$server_cn".cert.pem $LTHN_PREFIX/etc/ca/certs/openvpn.cert.pem
+ cp build/etc/ca/private/"$server_cn"* $LTHN_PREFIX/etc/ca/private/
+ cp build/etc/ca/private/"$server_cn".key.pem $LTHN_PREFIX/etc/ca/private/openvpn.key.pem
 fi
 # Abort client certificate creation if duplicate CN certificate already exists.
@@ -328,8 +330,8 @@ if [ -n "$generate_client" ] && ! [ -f build/etc/ca/certs/client/$client_cn.cert
 (
 generate_client build/etc/ca/ "$client_cn"
 )
- cp build/etc/ca/certs/client/"$client_cn"* etc/ca/certs/client/
- cp build/etc/ca/private/client/"$client_cn"* etc/ca/private/client/
+ cp build/etc/ca/certs/client/"$client_cn"* $LTHN_PREFIX/etc/ca/certs/client/
+ cp build/etc/ca/private/client/"$client_cn"* $LTHN_PREFIX/etc/ca/private/client/
 fi
 # Abort DH key creation if already exists.
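Review bot: The @@ -253 hunk now mixes the relative `build/etc` working tree, where the CA database (`index.txt`, `serial`) and the duplicate-CN checks of the later hunks live, with the absolute `$LTHN_PREFIX/etc` install tree, so the outcome depends on the caller's working directory: invoked from anywhere else the script appears to start a fresh CA in a new `build/` and then overwrite the installed `ca.cert.pem` and `openvpn.*` files, orphaning every certificate issued before, with none of the "already exists" guards firing. Anchoring the build tree as well, e.g. `BUILD_DIR=${BUILD_DIR:-$LTHN_PREFIX/build}` followed by `mkdir -p "$BUILD_DIR/etc"`, or at minimum a header comment stating that the script must run from one fixed directory, would close that gap. In the @@ -305 hunk the server key is copied to both `"$server_cn".key.pem` and `openvpn.key.pem`; a comment such as `# openvpn.cert.pem / openvpn.key.pem are the fixed names referenced by cert-auth-ftm.conf` would explain the duplication. The `if` blocks enclosing the @@ -283, @@ -305 and @@ -328 hunks begin above their hunks.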
@@ -340,9 +342,9 @@ fi
 # Generate and copy DH key to desired folder
 if [ -n "$generate_dh" ] && ! [ -f build/etc/dhparam.pem ]; then
- if ! [ -f build/etc/dhparam.pem ]; then
+ if ! [ -f build/etc/dhparam.pem ]; then
 "$OPENSSL_BIN" dhparam -out build/etc/dhparam.pem 2048
- cp build/etc/dhparam.pem etc/
+ cp build/etc/dhparam.pem $LTHN_PREFIX/etc/
 fi
 fi
@@ -354,11 +356,11 @@ fi
 # Generate and copy tls-auth key to desired folder
 if [ -n "$generate_tls_auth" ] && ! [ -f build/etc/ta.key ]; then
- if ! [ -f build/etc/ca/ta.key ]; then
+ if ! [ -f build/etc/ca/ta.key ]; then
 "$OPENVPN_BIN" --genkey secret build/etc/ta.key
- cp build/etc/ta.key etc/
+ cp build/etc/ta.key $LTHN_PREFIX/etc/
 fi
 fi
 generate_env >env.mk
-summary
\ No newline at end of file
+summary
diff --git a/generate_client_profile.sh b/generate_client_profile.sh
new file mode 100644
index 00000000000..8773d85e868
--- /dev/null
+++ b/generate_client_profile.sh
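Review bot: In the @@ -354 hunk the inner test `if ! [ -f build/etc/ca/ta.key ]; then` checks a path nothing in this file appears to write — the key is generated at `build/etc/ta.key`, which the outer `if` on the line above already tests — so the inner condition is effectively always true and only looks like a guard; either drop it or align it to `if ! [ -f build/etc/ta.key ]; then`. The @@ -340 hunk has the same shape, with an inner test that merely repeats the outer one. `cp build/etc/ta.key $LTHN_PREFIX/etc/` installs the shared static key that every generated client profile embeds; quoting the destination as `"$LTHN_PREFIX/etc/"` and giving the copy the same `chmod 400` the CA keys receive in `generate_ca` would be consistent with the rest of the file.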
@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+
+# Set the Common Name for the client certificate
+CLIENT_NAME=$1
+
+# Set the server public DNS record
+SERVER_DNS=$2
+
+# Static defaults
+LTHN_PREFIX=/home/lthn/openvpn
+
+# Read the server configuration file to get the port and protocol
+SERVER_CONFIG=cert-auth-ftm.conf
+SERVER_PORT=$(grep "^port " ${SERVER_CONFIG} | awk '{print $2}')
+SERVER_PROTO=$(grep "^proto " ${SERVER_CONFIG} | awk '{print $2}')
+
+# Make profile folder if not exists
+if [ ! -d profile ]; then
+ mkdir -p $LTHN_PREFIX/profile
+fi
+
+# Abort client profile creation if already exists.
+if [ -f profile/"$CLIENT_NAME".ovpn ]; then
+ echo "Client profile "$CLIENT_NAME" already exists. Aborting."
+ exit 2
+fi
+
+# Generate client profile if it does not exist.
+if ! [ -f $LTHN_PREFIX/profile/"$CLIENT_NAME".ovpn ]; then
+
+ # Write all required config to file.
+ echo "client" > $LTHN_PREFIX/profile/${CLIENT_NAME}.ovpn
+ echo "dev tun" >> $LTHN_PREFIX/profile/${CLIENT_NAME}.ovpn
+ echo "nobind" >> $LTHN_PREFIX/profile/${CLIENT_NAME}.ovpn
+ echo "remote-cert-tls server" >> $LTHN_PREFIX/profile/${CLIENT_NAME}.ovpn
+ echo "remote ${SERVER_DNS} ${SERVER_PORT} ${SERVER_PROTO}" >> $LTHN_PREFIX/profile/${CLIENT_NAME}.ovpn
+ echo "cipher AES-256-GCM" >> $LTHN_PREFIX/profile/${CLIENT_NAME}.ovpn
+ echo "auth SHA512" >> $LTHN_PREFIX/profile/${CLIENT_NAME}.ovpn
+ echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> $LTHN_PREFIX/profile/${CLIENT_NAME}.ovpn
+ echo "" >> $LTHN_PREFIX/profile/${CLIENT_NAME}.ovpn
+ cat $LTHN_PREFIX/etc/ca/certs/ca.cert.pem >> $LTHN_PREFIX/profile/${CLIENT_NAME}.ovpn
+ echo "" >> $LTHN_PREFIX/profile/${CLIENT_NAME}.ovpn
+ echo "" >> $LTHN_PREFIX/profile/${CLIENT_NAME}.ovpn
+ cat $LTHN_PREFIX/etc/ca/certs/client/${CLIENT_NAME}.cert.pem >> $LTHN_PREFIX/profile/${CLIENT_NAME}.ovpn
+ echo "" >> $LTHN_PREFIX/profile/${CLIENT_NAME}.ovpn
+ echo "" >> $LTHN_PREFIX/profile/${CLIENT_NAME}.ovpn
+ cat $LTHN_PREFIX/etc/ca/private/client/${CLIENT_NAME}.key.pem >> $LTHN_PREFIX/profile/${CLIENT_NAME}.ovpn
+ echo "" >> $LTHN_PREFIX/profile/${CLIENT_NAME}.ovpn
+ echo "key-direction 1" >> $LTHN_PREFIX/profile/${CLIENT_NAME}.ovpn
+ echo "" >> $LTHN_PREFIX/profile/${CLIENT_NAME}.ovpn
+ cat $LTHN_PREFIX/etc/ta.key >> $LTHN_PREFIX/profile/${CLIENT_NAME}.ovpn
+ echo "" >> $LTHN_PREFIX/profile/${CLIENT_NAME}.ovpn
+
+ echo "Client profile file generated in the "profile" folder for ${CLIENT_NAME}."
+fi
+
diff --git a/openvpn-client-connect.sh b/openvpn-client-connect.sh
new file mode 100644
index 00000000000..904dec74a9c
--- /dev/null
+++ b/openvpn-client-connect.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+# Get the IP address of the connected client
+CLIENT_IPv4=$trusted_ip
+
+# Add an iptables rule to block the client from accessing the openvpn server
+# however permit routing of everything else.
+iptables -I INPUT -s $CLIENT_IPv4 -d 127.0.0.1 -j DROP
+iptables -I INPUT -s $CLIENT_IPv4 -d 10.8.0.1 -j DROP
\ No newline at end of file
diff --git a/openvpn-client-disconnect.sh b/openvpn-client-disconnect.sh
new file mode 100644
index 00000000000..590780ec1ca
--- /dev/null
+++ b/openvpn-client-disconnect.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+# Get the IP address of the disconnected client
+CLIENT_IPv4=$trusted_ip
+
+# Remove the iptables rule that blocks the client from accessing the local host
+iptables -D INPUT -s $CLIENT_IPv4 -d 127.0.0.1 -j DROP
+iptables -D INPUT -s $CLIENT_IPv4 -d 10.8.0.1 -j DROP
\ No newline at end of file
diff --git a/profile/README b/profile/README
new file mode 100644
index 00000000000..ad80150060d
--- /dev/null
+++ b/profile/README
@@ -0,0 +1 @@
+All OpenVPN client profiles created by "generate_client_profiles.sh", are placed locally in this directory.
\ No newline at end of file
diff --git a/startup.sh b/startup.sh
new file mode 100644
index 00000000000..509b0f52648
--- /dev/null
+++ b/startup.sh
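Review bot: The profile written by `generate_client_profile.sh` concatenates the CA certificate, client certificate, client key and `ta.key` as bare PEM blocks with no `<ca>`, `<cert>`, `<key>` or `<tls-auth>` inline tags, so OpenVPN will read the `-----BEGIN` lines as unknown directives and reject the `.ovpn`; each blob needs its tag pair, as in the rewrite below. The file carries the client's private key and the shared static key yet is created under the caller's default umask in a directory the README bind-mounts to the host, so the script should `umask 077` before the first `echo ... >` and quote the target as `"$LTHN_PREFIX/profile/${CLIENT_NAME}.ovpn"`. The duplicate-profile abort tests the relative `profile/"$CLIENT_NAME".ovpn` while the file is written to `$LTHN_PREFIX/profile/…`, so `exit 2` only fires when the working directory happens to be `$LTHN_PREFIX` and otherwise an existing profile is skipped silently by the later `if ! [ -f … ]`; `if [ ! -d profile ]` has the same relative/absolute mismatch. `SERVER_DNS=$2` is interpolated into the `remote` line unchecked, which yields a `remote` line with an empty host (constructed example: `remote  1194 udp`) when the argument is omitted as the README invocations do; an `[ -z "$SERVER_DNS" ]` guard printing usage would catch that.
```shell
PROFILE="$LTHN_PREFIX/profile/${CLIENT_NAME}.ovpn"
umask 077
# … unchanged: client/dev/nobind/remote-cert-tls/remote/cipher/auth/tls-cipher lines, redirected to "$PROFILE" …
{
    echo "<ca>"
    cat "$LTHN_PREFIX/etc/ca/certs/ca.cert.pem"
    echo "</ca>"
    echo "<cert>"
    cat "$LTHN_PREFIX/etc/ca/certs/client/${CLIENT_NAME}.cert.pem"
    echo "</cert>"
    echo "<key>"
    cat "$LTHN_PREFIX/etc/ca/private/client/${CLIENT_NAME}.key.pem"
    echo "</key>"
    echo "key-direction 1"
    echo "<tls-auth>"
    cat "$LTHN_PREFIX/etc/ta.key"
    echo "</tls-auth>"
} >> "$PROFILE"
# … unchanged: completion message …
```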
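Review bot: `iptables -I INPUT -s $CLIENT_IPv4 -d 10.8.0.1 -j DROP` in `openvpn-client-connect.sh` matches on `$trusted_ip`, which is the client's transport-side address, but packets a VPN client sends to the server through the tunnel carry its pool address as source, so if the intent in the comment is to keep clients off the server itself the rule never matches; `ifconfig_pool_remote_ip` is the variable OpenVPN exports for the tunnel side, e.g. `iptables -I INPUT -i tun+ -s "$ifconfig_pool_remote_ip" -d 10.8.0.1 -j DROP`. The `-d 127.0.0.1` rule is unlikely to see traffic at all, since the kernel normally discards packets for 127.0.0.1 arriving on a non-loopback interface, while the host's other addresses stay reachable, so matching on `-i tun+` rather than on one destination is the more robust defensive shape. The script has no `set -eu` and leaves the variable unquoted, so an unset value produces a malformed `iptables` call whose non-zero exit, under `client-connect`, rejects the client. `openvpn-client-disconnect.sh` mirrors all three points and must change with this file; both also lack a trailing newline.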
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+
+# Run OpenVPN server
+openvpn --config cert-auth-ftm.conf
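Review bot: `openvpn --config cert-auth-ftm.conf` runs as a child of this script, which is itself started by the `bash -c` in the image's `CMD`, so openvpn is not PID 1 and `docker stop` terminates the shells rather than the daemon; `exec openvpn --config cert-auth-ftm.conf` lets openvpn replace the shell and receive the stop signal directly. The config path is relative, so the script only works from the image's `WORKDIR`; a comment such as `# expects to run from /home/lthn/openvpn, where the Dockerfile copies the *.conf files` would record that.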