ARMv8 compile and integration with latest openvpn core

README.md

@@ -1,5 +1,17 @@
 # OpenVPN-web-ui
 
+
+## Changes
+
+Modifications allowing to:
+- use on ARMv8
+- bandwidth consumed (didn't work on original code)
+- integration with current OpenVPN version (use docker-openvpn repo)
+- default pass to different - static in "models/model.go "OhLaVache2020"
+
+Credits for software go to original author - mine is just little port to ARMv8.
+
+
 ## Summary
 OpenVPN server web administration interface.
 

build/assets/generate_ca_and_server_certs.sh

@@ -1,25 +1,35 @@
-#!/bin/bash -e
+#!/bin/bash -ex
 
 CA_NAME=LocalCA
-SERVER_NAME=server
 EASY_RSA=/usr/share/easy-rsa
+OD=$PWD
+export EASYRSA_BATCH="true"
 
-mkdir -p /etc/openvpn/keys
-touch /etc/openvpn/keys/index.txt
-echo 01 > /etc/openvpn/keys/serial
-cp -f /opt/scripts/vars.template /etc/openvpn/keys/vars
+dd if=/dev/urandom of=/etc/openvpn/pki/.rnd bs=256 count=1
+
+cd $OVDIR
 
-$EASY_RSA/clean-all
-source /etc/openvpn/keys/vars
 export KEY_NAME=$CA_NAME
 echo "Generating CA cert"
+$EASY_RSA/easyrsa init-pki
+cp -f /opt/scripts/vars.template $OVDIR/pki/vars 
+dd if=/dev/urandom of=/etc/openvpn/pki/.rnd bs=256 count=1 > /dev/null 2>&1
+
+$EASY_RSA/easyrsa build-ca nopass
+
+# only temporarily for tests as it takes ages... use existing one
+
+# $EASY_RSA/easyrsa gen-dh
+
 #$EASY_RSA/build-ca
-export EASY_RSA="${EASY_RSA:-.}"
+#export EASY_RSA="${EASY_RSA:-.}"
 
-$EASY_RSA/pkitool --initca $*
+# build server key
+echo "Generating server cert $SERVER_FQDN"
+export KEY_NAME=$SERVER_FQDN
+$EASY_RSA/easyrsa build-server-full $SERVER_FQDN nopass
 
-export KEY_NAME=$SERVER_NAME
+$EASY_RSA/easyrsa gen-crl
 
-echo "Generating server cert"
-#$EASY_RSA/build-key-server $SERVER_NAME
-$EASY_RSA/pkitool --server $SERVER_NAME
+echo "Missing is still ta.key"
+echo "openvpn --genkey --secret /root/easy-rsa-example/pki/ta.key"

build/assets/start.sh

@@ -1,15 +1,20 @@
-#!/bin/bash
+#!/bin/bash -x
 
 set -e
-OVDIR=/etc/openvpn
+export OVDIR=/etc/openvpn
 
 cd /opt/
 
 if [ ! -f $OVDIR/.provisioned ]; then
   echo "Preparing certificates"
-  mkdir -p $OVDIR
+  mkdir -p $OVDIR/pki
   ./scripts/generate_ca_and_server_certs.sh
+#  openssl dhparam -dsaparam -out $OVDIR/dh2048.pem 2048
   openssl dhparam -dsaparam -out $OVDIR/dh2048.pem 2048
+  openssl dhparam -dsaparam -out $OVDIR/dh4096.pem 4096
+#  touch $OVDIR/dh4096.pem
+  cd $OVDIR/pki/
+  ln -s ../dh4096.pem dh.pem
   touch $OVDIR/.provisioned
 fi
 cd /opt/openvpn-gui

build/assets/vars.template

@@ -1,80 +1,74 @@
-# easy-rsa parameter settings
-
-# NOTE: If you installed from an RPM,
-# don't edit this file in place in
-# /usr/share/openvpn/easy-rsa --
-# instead, you should copy the whole
-# easy-rsa directory to another location
-# (such as /etc/openvpn) so that your
-# edits will not be wiped out by a future
-# OpenVPN package upgrade.
-
-# This variable should point to
-# the top level of the easy-rsa
-# tree.
-export EASY_RSA="/usr/share/easy-rsa"
+# Easy-RSA 3 parameter settings
 
+# HOW TO USE THIS FILE
 #
-# This variable should point to
-# the requested executables
+# vars.example contains built-in examples to Easy-RSA settings. You MUST name
+# this file 'vars' if you want it to be used as a configuration file. If you do
+# not, it WILL NOT be automatically read when you call easyrsa commands.
 #
-export OPENSSL="openssl"
-export PKCS11TOOL="pkcs11-tool"
-export GREP="grep"
+# It is not necessary to use this config file unless you wish to change
+# operational defaults. These defaults should be fine for many uses without the
+# need to copy and edit the 'vars' file.
+#
+# All of the editable settings are shown commented and start with the command
+# 'set_var' -- this means any set_var command that is uncommented has been
+# modified by the user. If you're happy with a default, there is no need to
+# define the value to its default.
 
+# A little housekeeping: DON'T EDIT THIS SECTION
+# 
+# Easy-RSA 3.x doesn't source into the environment directly.
+# Complain if a user tries to do this:
+if [ -z "$EASYRSA_CALLER" ]; then
+	echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
+	echo "This is no longer necessary and is disallowed. See the section called" >&2
+	echo "'How to use this file' near the top comments for more details." >&2
+	return 1
+fi
 
-# This variable should point to
-# the openssl.cnf file included
-# with easy-rsa.
-export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+# DO YOUR EDITS BELOW THIS POINT
 
-# Edit this variable to point to
-# your soon-to-be-created key
-# directory.
-#
-# WARNING: clean-all will do
-# a rm -rf on this directory
-# so make sure you define
-# it correctly!
-export KEY_DIR="/etc/openvpn/keys"
-
-# Issue rm -rf warning
-echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
-
-# PKCS11 fixes
-export PKCS11_MODULE_PATH="dummy"
-export PKCS11_PIN="dummy"
-
-# Increase this to 2048 if you
-# are paranoid.  This will slow
-# down TLS negotiation performance
-# as well as the one-time DH parms
-# generation process.
-export KEY_SIZE=2048
-
-# In how many days should the root CA key expire?
-export CA_EXPIRE=3650
-
-# In how many days should certificates expire?
-export KEY_EXPIRE=3650
-
-# These are the default values for fields
-# which will be placed in the certificate.
-# Don't leave any of these fields blank.
-export KEY_COUNTRY="US"
-export KEY_PROVINCE="NY"
-export KEY_CITY="New York"
-export KEY_ORG="dummy"
-export KEY_EMAIL="[email protected]"
-export KEY_OU="IT"
-
-# X509 Subject Field
-export KEY_NAME="iXa-CA"
-
-# PKCS11 Smart Card
-# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
-# export PKCS11_PIN=1234
-
-# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
-# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
-# export KEY_CN="CommonName"
+#set_var EASYRSA	"${0%/*}"
+#set_var EASYRSA_OPENSSL	"openssl"
+#set_var EASYRSA_PKI		"$PWD/pki"
+set_var EASYRSA_PKI	"/etc/openvpn/pki"
+
+# Update as required
+set_var EASYRSA_REQ_COUNTRY	"FR"
+set_var EASYRSA_REQ_PROVINCE	"Soleil"
+set_var EASYRSA_REQ_CITY	"Mer"
+set_var EASYRSA_REQ_ORG		"Private"
+set_var EASYRSA_REQ_EMAIL	"[email protected]"
+set_var EASYRSA_REQ_OU		"Yours"
+
+set_var EASYRSA_KEY_SIZE	4096
+
+# The default crypto mode is rsa; ec can enable elliptic curve support.
+# Note that not all software supports ECC, so use care when enabling it.
+# Choices for crypto alg are: (each in lower-case)
+#  * rsa
+#  * ec
+
+#set_var EASYRSA_ALGO		rsa
+
+# Define the named curve, used in ec mode only:
+
+#set_var EASYRSA_CURVE		secp384r1
+
+set_var EASYRSA_CA_EXPIRE	7200
+set_var EASYRSA_CERT_EXPIRE	7200
+
+set_var EASYRSA_CERT_RENEW	120
+
+set_var EASYRSA_CRL_DAYS	180
+
+#set_var EASYRSA_NS_SUPPORT	"no"
+#set_var EASYRSA_NS_COMMENT	"Easy-RSA Generated Certificate"
+
+# Experimental
+#set_var EASYRSA_TEMP_FILE	"$EASYRSA_PKI/extensions.temp"
+set_var EASYRSA_DIGEST		"sha512"
+
+set_var EASYRSA_REQ_CN          "yours.domain.and.not.dkadds2.domain"
+
+#set_var EASYRSA_BATCH		"true"

controllers/certificates.go

@@ -90,7 +90,7 @@ func (c *CertificatesController) Get() {
 }
 
 func (c *CertificatesController) showCerts() {
-	path := models.GlobalCfg.OVConfigPath + "keys/index.txt"
+	path := models.GlobalCfg.OVConfigPath + "pki/index.txt"
 	certs, err := lib.ReadCerts(path)
 	if err != nil {
 		beego.Error(err)

controllers/ovconfig.go

@@ -48,7 +48,7 @@ func (c *OVConfigController) Post() {
 	lib.Dump(cfg)
 	c.Data["Settings"] = &cfg
 
-	destPath := models.GlobalCfg.OVConfigPath + "/server.conf"
+	destPath := models.GlobalCfg.OVConfigPath + "/openvpn.conf"
 	err := config.SaveToFile("conf/openvpn-server-config.tpl", cfg.Config, destPath)
 	if err != nil {
 		beego.Warning(err)

lib/certificates.go

@@ -94,13 +94,11 @@ func trim(s string) string {
 }
 
 func CreateCertificate(name string) error {
-	rsaPath := "/usr/share/easy-rsa/"
-	varsPath := models.GlobalCfg.OVConfigPath + "keys/vars"
+	rsaPath := "/usr/share/easy-rsa/easyrsa"
 	cmd := exec.Command("/bin/bash", "-c",
 		fmt.Sprintf(
-			"source %s &&"+
-				"export KEY_NAME=%s &&"+
-				"%s/build-key --batch %s", varsPath, name, rsaPath, name))
+			"cd /etc/openvpn/ && "+
+				"%s build-client-full %s nopass", rsaPath, name))
 	cmd.Dir = models.GlobalCfg.OVConfigPath
 	output, err := cmd.CombinedOutput()
 	if err != nil {

models/models.go

@@ -48,7 +48,7 @@ func initDB() {
 }
 
 func createDefaultUsers() {
-	hash, err := passlib.Hash("b3secure")
+	hash, err := passlib.Hash("OhLaVache2020")
 	if err != nil {
 		beego.Error("Unable to hash password", err)
 	}
@@ -107,9 +107,9 @@ func createDefaultOVConfig() {
 			Management:          "0.0.0.0 2080",
 			MaxClients:          100,
 			Server:              "10.8.0.0 255.255.255.0",
-			Ca:                  "keys/ca.crt",
-			Cert:                "keys/server.crt",
-			Key:                 "keys/server.key",
+			Ca:                  "pki/ca.crt",
+			Cert:                "pki/server.crt",
+			Key:                 "pki/server.key",
 		},
 	}
 	o := orm.NewOrm()
@@ -119,9 +119,9 @@ func createDefaultOVConfig() {
 		} else {
 			beego.Debug(c)
 		}
-		path := GlobalCfg.OVConfigPath + "/server.conf"
+		path := GlobalCfg.OVConfigPath + "/openvpn.conf"
 		if _, err = os.Stat(path); os.IsNotExist(err) {
-			destPath := GlobalCfg.OVConfigPath + "/server.conf"
+			destPath := GlobalCfg.OVConfigPath + "/openvpn.conf"
 			if err = config.SaveToFile("conf/openvpn-server-config.tpl",
 				c.Config, destPath); err != nil {
 				beego.Error(err)