From e579a0929a3e952056b2e4876bfce27bc26bc687 Mon Sep 17 00:00:00 2001
From: bugsyb
Date: Sat, 13 Mar 2021 21:43:37 +0100
Subject: [PATCH] ARMv8 compile and integration with latest openvpn core

---
 README.md | 12 ++
 build/assets/generate_ca_and_server_certs.sh | 38 +++--
 build/assets/start.sh | 11 +-
 build/assets/vars.template | 142 +++++++++---------
 controllers/certificates.go | 2 +-
 controllers/ovconfig.go | 2 +-
 lib/certificates.go | 8 +-
 models/models.go | 12 +-
 .../adamwalach/go-openvpn/server/mi/parse.go | 10 +-
 9 files changed, 128 insertions(+), 109 deletions(-)

diff --git a/README.md b/README.md
index 7adcf1c0..5de609c7 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,17 @@
 # OpenVPN-web-ui
+
+## Changes
+
+Modifications allowing to:
+- use on ARMv8
+- bandwidth consumed (didn't work on original code)
+- integration with current OpenVPN version (use docker-openvpn repo)
+- default pass to different - static in "models/model.go "OhLaVache2020"
+
+Credits for software go to original author - mine is just little port to ARMv8.
+
+
 ## Summary
 OpenVPN server web administration interface.
diff --git a/build/assets/generate_ca_and_server_certs.sh b/build/assets/generate_ca_and_server_certs.sh
index 443ee741..45018558 100755
--- a/build/assets/generate_ca_and_server_certs.sh
+++ b/build/assets/generate_ca_and_server_certs.sh
@@ -1,25 +1,35 @@
-#!/bin/bash -e
+#!/bin/bash -ex
 CA_NAME=LocalCA
-SERVER_NAME=server
 EASY_RSA=/usr/share/easy-rsa
+OD=$PWD
+export EASYRSA_BATCH="true"
-mkdir -p /etc/openvpn/keys
-touch /etc/openvpn/keys/index.txt
-echo 01 > /etc/openvpn/keys/serial
-cp -f /opt/scripts/vars.template /etc/openvpn/keys/vars
+dd if=/dev/urandom of=/etc/openvpn/pki/.rnd bs=256 count=1
+
+cd $OVDIR
-$EASY_RSA/clean-all
-source /etc/openvpn/keys/vars
 export KEY_NAME=$CA_NAME
 echo "Generating CA cert"
+$EASY_RSA/easyrsa init-pki
+cp -f /opt/scripts/vars.template $OVDIR/pki/vars
+dd if=/dev/urandom of=/etc/openvpn/pki/.rnd bs=256 count=1 > /dev/null 2>&1
+
+$EASY_RSA/easyrsa build-ca nopass
+
+# only temporarily for tests as it takes ages... use existing one
+
+# $EASY_RSA/easyrsa gen-dh
+
 #$EASY_RSA/build-ca
-export EASY_RSA="${EASY_RSA:-.}"
+#export EASY_RSA="${EASY_RSA:-.}"
-$EASY_RSA/pkitool --initca $*
+# build server key
+echo "Generating server cert $SERVER_FQDN"
+export KEY_NAME=$SERVER_FQDN
+$EASY_RSA/easyrsa build-server-full $SERVER_FQDN nopass
-export KEY_NAME=$SERVER_NAME
+$EASY_RSA/easyrsa gen-crl
-echo "Generating server cert"
-#$EASY_RSA/build-key-server $SERVER_NAME
-$EASY_RSA/pkitool --server $SERVER_NAME
+echo "Missing is still ta.key"
+echo "openvpn --genkey --secret /root/easy-rsa-example/pki/ta.key"
diff --git a/build/assets/start.sh b/build/assets/start.sh
index 11a61403..180de0a6 100755
--- a/build/assets/start.sh
+++ b/build/assets/start.sh
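Review bot: `build-server-full $SERVER_FQDN nopass` and the `echo` before it rely on `$SERVER_FQDN`, but nothing in this hunk or in the caller start.sh (which only exports `OVDIR`) sets it, so unless it arrives from the container environment the script runs `easyrsa build-server-full "" nopass` and aborts under `-e` before `gen-crl` ever runs. The last two lines only print a reminder about `ta.key` instead of creating it, and the path in the echoed command (`/root/easy-rsa-example/pki/ta.key`) does not match this layout anyway; since `OVDIR` is already in scope, replace them with `openvpn --genkey --secret "$OVDIR/pki/ta.key"`. Note also that `build-ca nopass` leaves the CA private key unencrypted under `$OVDIR/pki/private/` on the VPN host itself, and the `-x` added to the shebang traces every command to the container log; both deserve a one-line comment if they are intentional.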
@@ -1,15 +1,20 @@
-#!/bin/bash
+#!/bin/bash -x
 set -e
-OVDIR=/etc/openvpn
+export OVDIR=/etc/openvpn
 cd /opt/
 if [ ! -f $OVDIR/.provisioned ]; then
  echo "Preparing certificates"
- mkdir -p $OVDIR
+ mkdir -p $OVDIR/pki
  ./scripts/generate_ca_and_server_certs.sh
+# openssl dhparam -dsaparam -out $OVDIR/dh2048.pem 2048
  openssl dhparam -dsaparam -out $OVDIR/dh2048.pem 2048
+ openssl dhparam -dsaparam -out $OVDIR/dh4096.pem 4096
+# touch $OVDIR/dh4096.pem
+ cd $OVDIR/pki/
+ ln -s ../dh4096.pem dh.pem
  touch $OVDIR/.provisioned
 fi
 cd /opt/openvpn-gui
diff --git a/build/assets/vars.template b/build/assets/vars.template
index 33e62ff0..491343fc 100644
--- a/build/assets/vars.template
+++ b/build/assets/vars.template
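Review bot: `ln -s ../dh4096.pem dh.pem` is not idempotent: if a run dies after the link is created but before `touch $OVDIR/.provisioned` (the 4096-bit `dhparam` step is the slow one and the likeliest to be interrupted), the next start fails on `ln` under `set -e` and the container never provisions; use `ln -sf ../dh4096.pem dh.pem`. The `dh2048.pem` generation kept above it appears unused once `dh.pem` points at the 4096-bit file, so it only adds startup time — drop it or say why both are produced. `-dsaparam` is a speed trade-off (DSA-style rather than safe-prime parameters) that the openssl documentation says is safe only with a fresh private key per exchange, which OpenVPN's ephemeral DH provides; a comment such as `# -dsaparam: fast to generate; acceptable because OpenVPN uses ephemeral DH keys` would stop the next maintainer from "fixing" it. The `-x` added to the shebang also traces every command to the container log in production.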
@@ -1,80 +1,74 @@
-# easy-rsa parameter settings
-
-# NOTE: If you installed from an RPM,
-# don't edit this file in place in
-# /usr/share/openvpn/easy-rsa --
-# instead, you should copy the whole
-# easy-rsa directory to another location
-# (such as /etc/openvpn) so that your
-# edits will not be wiped out by a future
-# OpenVPN package upgrade.
-
-# This variable should point to
-# the top level of the easy-rsa
-# tree.
-export EASY_RSA="/usr/share/easy-rsa"
+# Easy-RSA 3 parameter settings
+# HOW TO USE THIS FILE
 #
-# This variable should point to
-# the requested executables
+# vars.example contains built-in examples to Easy-RSA settings. You MUST name
+# this file 'vars' if you want it to be used as a configuration file. If you do
+# not, it WILL NOT be automatically read when you call easyrsa commands.
 #
-export OPENSSL="openssl"
-export PKCS11TOOL="pkcs11-tool"
-export GREP="grep"
+# It is not necessary to use this config file unless you wish to change
+# operational defaults. These defaults should be fine for many uses without the
+# need to copy and edit the 'vars' file.
+#
+# All of the editable settings are shown commented and start with the command
+# 'set_var' -- this means any set_var command that is uncommented has been
+# modified by the user. If you're happy with a default, there is no need to
+# define the value to its default.
+# A little housekeeping: DON'T EDIT THIS SECTION
+#
+# Easy-RSA 3.x doesn't source into the environment directly.
+# Complain if a user tries to do this:
+if [ -z "$EASYRSA_CALLER" ]; then
+ echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
+ echo "This is no longer necessary and is disallowed. See the section called" >&2
+ echo "'How to use this file' near the top comments for more details." >&2
+ return 1
+fi
-# This variable should point to
-# the openssl.cnf file included
-# with easy-rsa.
-export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+# DO YOUR EDITS BELOW THIS POINT
-# Edit this variable to point to
-# your soon-to-be-created key
-# directory.
-#
-# WARNING: clean-all will do
-# a rm -rf on this directory
-# so make sure you define
-# it correctly!
-export KEY_DIR="/etc/openvpn/keys"
-
-# Issue rm -rf warning
-echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
-
-# PKCS11 fixes
-export PKCS11_MODULE_PATH="dummy"
-export PKCS11_PIN="dummy"
-
-# Increase this to 2048 if you
-# are paranoid. This will slow
-# down TLS negotiation performance
-# as well as the one-time DH parms
-# generation process.
-export KEY_SIZE=2048
-
-# In how many days should the root CA key expire?
-export CA_EXPIRE=3650
-
-# In how many days should certificates expire?
-export KEY_EXPIRE=3650
-
-# These are the default values for fields
-# which will be placed in the certificate.
-# Don't leave any of these fields blank.
-export KEY_COUNTRY="US"
-export KEY_PROVINCE="NY"
-export KEY_CITY="New York"
-export KEY_ORG="dummy"
-export KEY_EMAIL="demo@example.com"
-export KEY_OU="IT"
-
-# X509 Subject Field
-export KEY_NAME="iXa-CA"
-
-# PKCS11 Smart Card
-# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
-# export PKCS11_PIN=1234
-
-# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
-# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
-# export KEY_CN="CommonName"
\ No newline at end of file
+#set_var EASYRSA "${0%/*}"
+#set_var EASYRSA_OPENSSL "openssl"
+#set_var EASYRSA_PKI "$PWD/pki"
+set_var EASYRSA_PKI "/etc/openvpn/pki"
+
+# Update as required
+set_var EASYRSA_REQ_COUNTRY "FR"
+set_var EASYRSA_REQ_PROVINCE "Soleil"
+set_var EASYRSA_REQ_CITY "Mer"
+set_var EASYRSA_REQ_ORG "Private"
+set_var EASYRSA_REQ_EMAIL "call@me.out"
+set_var EASYRSA_REQ_OU "Yours"
+
+set_var EASYRSA_KEY_SIZE 4096
+
+# The default crypto mode is rsa; ec can enable elliptic curve support.
+# Note that not all software supports ECC, so use care when enabling it.
+# Choices for crypto alg are: (each in lower-case)
+# * rsa
+# * ec
+
+#set_var EASYRSA_ALGO rsa
+
+# Define the named curve, used in ec mode only:
+
+#set_var EASYRSA_CURVE secp384r1
+
+set_var EASYRSA_CA_EXPIRE 7200
+set_var EASYRSA_CERT_EXPIRE 7200
+
+set_var EASYRSA_CERT_RENEW 120
+
+set_var EASYRSA_CRL_DAYS 180
+
+#set_var EASYRSA_NS_SUPPORT "no"
+#set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate"
+
+# Experimental
+#set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp"
+set_var EASYRSA_DIGEST "sha512"
+
+set_var EASYRSA_REQ_CN "yours.domain.and.not.dkadds2.domain"
+
+#set_var EASYRSA_BATCH "true"
diff --git a/controllers/certificates.go b/controllers/certificates.go
index 09deb48a..97fce13b 100644
--- a/controllers/certificates.go
+++ b/controllers/certificates.go
@@ -90,7 +90,7 @@ func (c *CertificatesController) Get() {
 }
 
 func (c *CertificatesController) showCerts() {
-	path := models.GlobalCfg.OVConfigPath + "keys/index.txt"
+	path := models.GlobalCfg.OVConfigPath + "pki/index.txt"
 	certs, err := lib.ReadCerts(path)
 	if err != nil {
 		beego.Error(err)
diff --git a/controllers/ovconfig.go b/controllers/ovconfig.go
index 072b0033..ee5922be 100644
--- a/controllers/ovconfig.go
+++ b/controllers/ovconfig.go
@@ -48,7 +48,7 @@ func (c *OVConfigController) Post() {
 	lib.Dump(cfg)
 	c.Data["Settings"] = &cfg
-	destPath := models.GlobalCfg.OVConfigPath + "/server.conf"
+	destPath := models.GlobalCfg.OVConfigPath + "/openvpn.conf"
 	err := config.SaveToFile("conf/openvpn-server-config.tpl", cfg.Config, destPath)
 	if err != nil {
 		beego.Warning(err)
diff --git a/lib/certificates.go b/lib/certificates.go
index 5b9d6505..840604dc 100644
--- a/lib/certificates.go
+++ b/lib/certificates.go
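Review bot: `set_var EASYRSA_CRL_DAYS 180` gives the CRL produced by the provisioning script's `gen-crl` a 180-day lifetime, but nothing in this patch regenerates it afterwards; if the server config enforces it with `crl-verify`, OpenVPN refuses every client once the CRL expires, so either schedule a periodic `easyrsa gen-crl` on the start path or document the requirement next to this line, e.g. `# CRL must be regenerated before it expires or every client is refused`. `EASYRSA_CA_EXPIRE 7200` and `EASYRSA_CERT_EXPIRE 7200` make the CA and every issued client certificate (created with `nopass` elsewhere in this patch) valid for roughly twenty years, which is a long exposure window for a lost device; a shorter `EASYRSA_CERT_EXPIRE` plus revocation through the CRL above is the usual compromise. `EASYRSA_REQ_CN "yours.domain.and.not.dkadds2.domain"` is a placeholder that, with `EASYRSA_BATCH` exported by the script, appears to become the CA's subject CN; it should be parameterised from the environment or clearly marked as something the operator must change.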
@@ -94,13 +94,11 @@ func trim(s string) string {
 }
 
 func CreateCertificate(name string) error {
-	rsaPath := "/usr/share/easy-rsa/"
-	varsPath := models.GlobalCfg.OVConfigPath + "keys/vars"
+	rsaPath := "/usr/share/easy-rsa/easyrsa"
 	cmd := exec.Command("/bin/bash", "-c", fmt.Sprintf(
-		"source %s &&"+
-		"export KEY_NAME=%s &&"+
-		"%s/build-key --batch %s", varsPath, name, rsaPath, name))
+		"cd /etc/openvpn/ && "+
+		"%s build-client-full %s nopass", rsaPath, name))
 	cmd.Dir = models.GlobalCfg.OVConfigPath
 	output, err := cmd.CombinedOutput()
 	if err != nil {
diff --git a/models/models.go b/models/models.go
index f0fcef0b..980f0989 100644
--- a/models/models.go
+++ b/models/models.go
@@ -48,7 +48,7 @@ func initDB() {
 }
 
 func createDefaultUsers() {
-	hash, err := passlib.Hash("b3secure")
+	hash, err := passlib.Hash("OhLaVache2020")
 	if err != nil {
 		beego.Error("Unable to hash password", err)
 	}
@@ -107,9 +107,9 @@ func createDefaultOVConfig() {
 			Management: "0.0.0.0 2080",
 			MaxClients: 100,
 			Server: "10.8.0.0 255.255.255.0",
-			Ca: "keys/ca.crt",
-			Cert: "keys/server.crt",
-			Key: "keys/server.key",
+			Ca: "pki/ca.crt",
+			Cert: "pki/server.crt",
+			Key: "pki/server.key",
 		},
 	}
 	o := orm.NewOrm()
@@ -119,9 +119,9 @@ func createDefaultOVConfig() {
 	} else {
 		beego.Debug(c)
 	}
-	path := GlobalCfg.OVConfigPath + "/server.conf"
+	path := GlobalCfg.OVConfigPath + "/openvpn.conf"
 	if _, err = os.Stat(path); os.IsNotExist(err) {
-		destPath := GlobalCfg.OVConfigPath + "/server.conf"
+		destPath := GlobalCfg.OVConfigPath + "/openvpn.conf"
 		if err = config.SaveToFile("conf/openvpn-server-config.tpl", c.Config, destPath); err != nil {
 			beego.Error(err)
diff --git a/vendor/github.com/adamwalach/go-openvpn/server/mi/parse.go b/vendor/github.com/adamwalach/go-openvpn/server/mi/parse.go
index 05df01e9..368753ae 100644
--- a/vendor/github.com/adamwalach/go-openvpn/server/mi/parse.go
+++ b/vendor/github.com/adamwalach/go-openvpn/server/mi/parse.go
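Review bot: `name` is still interpolated unquoted into a `bash -c` string (`"%s build-client-full %s nopass"`), so a certificate name containing `;`, `$(...)` or whitespace runs as shell on the server; the new lines change the command but keep the injection the removed lines had. Nothing in the new command needs a shell, so call easyrsa directly and let `cmd.Dir` do the `cd`: `cmd := exec.Command(rsaPath, "build-client-full", name, "nopass")` with the existing `cmd.Dir = models.GlobalCfg.OVConfigPath`, which also removes the hard-coded `/etc/openvpn/` that can disagree with `OVConfigPath` one line later. `name` additionally becomes a file name under `pki/issued/` and `pki/private/`, so it should be rejected unless it matches a conservative pattern such as `^[A-Za-z0-9._-]+$` before the command runs, assuming it originates from the web form (the caller is not in this hunk). `CreateCertificate`'s body continues past the end of the hunk.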
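Review bot: `passlib.Hash("OhLaVache2020")` replaces one hard-coded default admin password with another, and the README in this same patch publishes the new value, so every deployment built from this image starts with a publicly known credential on the management UI. Read the initial password from the environment (`os` is already imported here, so `os.Getenv("OVUI_ADMIN_PASSWORD")` needs no new dependency), fall back to a randomly generated one logged once at first start, and consider forcing a change on first login; at minimum the line needs `// TODO: default credential is published in README; must be rotated on first login`. The rest of `createDefaultUsers` is outside the hunk, so I cannot see whether the default user is recreated on every start.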
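Review bot: `Cert: "pki/server.crt"` and `Key: "pki/server.key"` do not match what the provisioning script in this patch produces: `easyrsa build-server-full $SERVER_FQDN` writes `pki/issued/$SERVER_FQDN.crt` and `pki/private/$SERVER_FQDN.key` in the easy-rsa 3 layout, so unless something outside this diff copies or links those files, the generated `openvpn.conf` references paths that do not exist and the server will not start. Either have the script issue the server certificate under a fixed name and link it to these paths, or set these defaults to the `pki/issued/` and `pki/private/` locations, and if the config template supports it reference the CRL that the script now generates so revocation is actually enforced. A short comment stating that these paths are relative to `OVConfigPath` and must follow the easy-rsa 3 PKI layout would prevent the next mismatch. `createDefaultOVConfig` starts and ends outside the hunk.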
@@ -88,17 +88,17 @@ func ParseStatus(input string) (*Status, error) {
 			}
 			s.RoutingTable = append(s.RoutingTable, item)
 		case c == "CLIENT_LIST":
-			bytesR, _ := strconv.ParseUint(fields[4], 10, 64)
-			bytesS, _ := strconv.ParseUint(fields[5], 10, 64)
+			bytesR, _ := strconv.ParseUint(fields[5], 10, 64)
+			bytesS, _ := strconv.ParseUint(fields[6], 10, 64)
 			item := &OVClient{
 				CommonName: fields[1],
 				RealAddress: fields[2],
 				VirtualAddress: fields[3],
 				BytesReceived: bytesR,
 				BytesSent: bytesS,
-				ConnectedSince: fields[6],
-				ConnectedSinceT: fields[7],
-				Username: fields[8],
+				ConnectedSince: fields[7],
+				ConnectedSinceT: fields[8],
+				Username: fields[9],
 			}
 			s.ClientList = append(s.ClientList, item)
 		}