From mboxrd@z Thu Jan 1 00:00:00 1970 From: Erik Kapfer To: development@lists.ipfire.org Subject: [PATCH] [PATCH] OpenVPN: Update to version 2.4.4 . Date: Fri, 26 Jan 2018 11:22:38 +0100 Message-ID: <1516962158-17324-1-git-send-email-erik.kapfer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3568004381813249964==" List-Id: --===============3568004381813249964== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable ovpnmain.cgi includes new directive '--ncp-disable' to disable for the first = the cipher negotiation. script-security flag 'system' has been dropped cause of security concerns. Directive changes/explanations can be found in here https://community.ope= nvpn.net/openvpn/wiki/Openvpn24ManPage . Update script for OpenVPN CRL has been integrated since OpenVPN refactors the= CRL handling since v.2.4.0 . Script checks the next update field from the CRL and preforms an update t= wo days before it expires. Script is placed under fcron.daily for daily checks. Changes can be found in here https://github.com/OpenVPN/openvpn/commit/16= 0504a2955c4478cd2c0323452929e07016a336 . update.sh for Core 118 includes needed server.conf changes but also an update= of the CRL to prevent connection problems if systems have already an expired CRL. Server stop and start if active will be also executed. Signed-off-by: Erik Kapfer
---
 config/rootfiles/common/openvpn | 5 ++++-
 config/rootfiles/core/118/update.sh | 13 +++++++++++++
 html/cgi-bin/ovpnmain.cgi | 3 ++-
 lfs/openvpn | 11 ++++++++---
 4 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
index b58e30c..cbfd03e 100644
--- a/config/rootfiles/common/openvpn
+++ b/config/rootfiles/common/openvpn
@@ -1,3 +1,5 @@
+etc/fcron.daily/ovpn_crl_updater.sh
+#usr/include/openvpn-msg.h
 #usr/include/openvpn-plugin.h
 #usr/lib/openvpn
 #usr/lib/openvpn/plugins
@@ -10,11 +12,12 @@ usr/sbin/openvpn
 #usr/share/doc/openvpn
 #usr/share/doc/openvpn/COPYING
 #usr/share/doc/openvpn/COPYRIGHT.GPL
+#usr/share/doc/openvpn/Changes.rst
 #usr/share/doc/openvpn/README
 #usr/share/doc/openvpn/README.IPv6
 #usr/share/doc/openvpn/README.auth-pam
 #usr/share/doc/openvpn/README.down-root
-#usr/share/doc/openvpn/README.polarssl
+#usr/share/doc/openvpn/README.mbedtls
 #usr/share/doc/openvpn/management-notes.txt
 #usr/share/man/man8/openvpn.8
 var/ipfire/ovpn/ca
diff --git a/config/rootfiles/core/118/update.sh b/config/rootfiles/core/118/= update.sh
index 545c8ef..ea56832 100644
--- a/config/rootfiles/core/118/update.sh
+++ b/config/rootfiles/core/118/update.sh
@@ -58,6 +58,19 @@ ldconfig
 /etc/init.d/apache restart
 /etc/init.d/snort start
=20
+# Add changed and new OpenVPN-2.4 directives to server.conf and renew CRL
+if [ -e /var/ipfire/ovpn/server.conf ]; then
+ if pgrep openvpn >/dev/null; then
+ openvpnctrl -k
+ sed -i -e 's/script-security 3 system/script-security 3/' -e '/statu= s .*/ a ncp-disable' /var/ipfire/ovpn/server.conf
+ openssl ca -gencrl -keyfile /var/ipfire/ovpn/ca/cakey.pem -cert /var= /ipfire/ovpn/ca/cacert.pem -out /var/ipfire/ovpn/crls/cacrl.pem -config /var/= ipfire/ovpn/openssl/ovpn.cnf
+ openvpnctrl -s
+ else
+ sed -i -e 's/script-security 3 system/script-security 3/' -e '/statu= s .*/ a ncp-disable' /var/ipfire/ovpn/server.conf
+ openssl ca -gencrl -keyfile /var/ipfire/ovpn/ca/cakey.pem -cert /var= /ipfire/ovpn/ca/cacert.pem -out /var/ipfire/ovpn/crls/cacrl.pem -config /var/= ipfire/ovpn/openssl/ovpn.cnf
+ fi
+fi
+
 # This update need a reboot...
 touch /var/run/need_reboot
=20
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 9f5e682..424a5c9 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
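Review bot: The `openssl ca -gencrl` call writes straight to `/var/ipfire/ovpn/crls/cacrl.pem` and its exit status is never checked, so a failed signing (missing CA key, unreadable ovpn.cnf) can leave an empty or stale CRL in place while the server is started again as if the renewal had worked; generate into a temporary file and move it over the live CRL only on success. The sed/openssl pair is duplicated in both branches of the `pgrep` check and only the stop/start differs, so hoist it and remember whether the server was running. The `'/status .*/ a ncp-disable'` expression is also not idempotent — running the updater twice appends a second `ncp-disable` — so a `grep -q '^ncp-disable'` guard is needed, and anchoring the pattern to `^status ` keeps it from matching unrelated lines. Whether `pgrep openvpn` can also match OpenVPN instances other than the roadwarrior server (e.g. net-to-net connections) is not visible here; if it can, the `openvpnctrl -k`/`-s` pair may act on the wrong instance, which is worth confirming.
```shell
# Add changed and new OpenVPN-2.4 directives to server.conf and renew CRL
if [ -e /var/ipfire/ovpn/server.conf ]; then
	# Stop the server only if it is running and remember that for the restart below.
	ovpn_running=0
	if pgrep openvpn >/dev/null; then
		ovpn_running=1
		openvpnctrl -k
	fi

	sed -i -e 's/script-security 3 system/script-security 3/' /var/ipfire/ovpn/server.conf
	# Append ncp-disable only once so a re-run of this script stays idempotent.
	grep -q '^ncp-disable' /var/ipfire/ovpn/server.conf || \
		sed -i -e '/^status .*/ a ncp-disable' /var/ipfire/ovpn/server.conf

	# Sign the new CRL into a temporary file first and only replace the live CRL
	# on success, so a failed signing cannot leave an empty or truncated cacrl.pem.
	crl=/var/ipfire/ovpn/crls/cacrl.pem
	if openssl ca -gencrl -keyfile /var/ipfire/ovpn/ca/cakey.pem \
			-cert /var/ipfire/ovpn/ca/cacert.pem -out "${crl}.tmp" \
			-config /var/ipfire/ovpn/openssl/ovpn.cnf; then
		mv -f "${crl}.tmp" "${crl}"
	else
		rm -f "${crl}.tmp"
	fi

	[ "${ovpn_running}" = "1" ] && openvpnctrl -s
fi
```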
@@ -216,7 +216,7 @@ sub writeserverconf {
 print CONF "dev tun\n";
 print CONF "proto $sovpnsettings{'DPROTOCOL'}\n";
 print CONF "port $sovpnsettings{'DDEST_PORT'}\n";
- print CONF "script-security 3 system\n";
+ print CONF "script-security 3\n";
 print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\n= ";
 print CONF "client-config-dir /var/ipfire/ovpn/ccd\n";
 print CONF "tls-server\n";
@@ -289,6 +289,7 @@ sub writeserverconf {
 }=09
 print CONF "status-version 1\n";
 print CONF "status /var/run/ovpnserver.log 30\n";
+ print CONF "ncp-disable\n";
 print CONF "cipher $sovpnsettings{DCIPHER}\n";
 if ($sovpnsettings{'DAUTH'} eq '') {
 print CONF "";
diff --git a/lfs/openvpn b/lfs/openvpn
index 8307d01..e7f9bc2 100644
--- a/lfs/openvpn
+++ b/lfs/openvpn
@@ -1,7 +1,7 @@
 ############################################################################= ###
 # = #
 # IPFire.org - A linux based firewall = #
-# Copyright (C) 2017 IPFire Team = #
+# Copyright (C) 2018 IPFire Team = #
 # = #
 # This program is free software: you can redistribute it and/or modify = #
 # it under the terms of the GNU General Public License as published by = #
@@ -24,7 +24,7 @@
=20
 include Config
=20
-VER =3D 2.3.18
+VER =3D 2.4.4
=20
 THISAPP =3D openvpn-$(VER)
 DL_FILE =3D $(THISAPP).tar.xz
@@ -40,7 +40,7 @@ objects =3D $(DL_FILE)
=20
 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE)
=20
-$(DL_FILE)_MD5 =3D 844ec9c64aae62051478784b8562f881
+$(DL_FILE)_MD5 =3D 7a2002aad1671b24457bc9432a0c5c52
=20
 install : $(TARGET)
=20
@@ -96,5 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify
 chown root:root /usr/lib/openvpn/verify
 chmod 755 /usr/lib/openvpn/verify
+ mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily
+ chown root:root /etc/fcron.daily/ovpn_crl_updater.sh
+ chmod 750 /etc/fcron.daily/ovpn_crl_updater.sh
+
 @rm -rf $(DIR_APP)
 @$(POSTBUILD)
+
--=20
2.7.4
--===============3568004381813249964==--
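Review bot: The new `print CONF "ncp-disable\n";` line carries no explanation of why cipher negotiation is switched off; the reasoning only lives in the commit message, and a comment such as `# OpenVPN 2.4 negotiates the data-channel cipher (NCP) by default; disable it so the cipher configured in DCIPHER below is the one the server actually uses.` keeps it next to the directive. Its position directly after the `status` line mirrors the `'/status .*/ a ncp-disable'` sed expression in core/118/update.sh, so a second short comment noting that the two must stay in step would help whoever next reorders this block. The enclosing `sub writeserverconf` starts and ends outside the hunk.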
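Review bot: The recipe moves `/var/ipfire/ovpn/ovpn_crl_updater.sh` into `/etc/fcron.daily`, but that script is not among the four files in this patch (see the diffstat) and the step that would place it under `/var/ipfire/ovpn` lies outside the hunk, so as submitted the `mv -v` fails the build unless the script arrives in a separate commit; the rootfile hunk `@@ -1,3 +1,5 @@` in config/rootfiles/common/openvpn already lists it. The description says the script renews the CRL, which presumably needs the CA key, so `chown root:root` with `chmod 750` is the right ownership and mode for a daily cron job; a comment above the three lines, e.g. `# CRL updater runs daily from fcron; root-only since it signs with the CA key`, would document that intent. The added trailing `+` blank line after `@$(POSTBUILD)` is a whitespace nit. The enclosing `$(TARGET)` rule starts outside the hunk.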