From 7fa92079cb981c755f69802a9b10042f40fcc1b2 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Mon, 10 Dec 2018 15:16:32 +0100
Subject: [PATCH] OpenVPN export (https://github.com/opnsense/core/issues/2787)
- change server cn validation to server subject
- move "use random port" to custom option
- tgb format issue with SHA1
---
 .../OPNsense/OpenVPN/Api/ExportController.php | 2 ++
 .../OPNsense/OpenVPN/forms/export_options.xml | 5 +++--
 .../app/library/OPNsense/OpenVPN/ArchiveOpenVPN.php | 2 +-
 .../app/library/OPNsense/OpenVPN/PlainOpenVPN.php | 6 +++---
 .../mvc/app/library/OPNsense/OpenVPN/TheGreenBow.php | 12 ++++++++++--
 .../app/library/OPNsense/OpenVPN/ViscosityVisz.php | 2 +-
 .../mvc/app/views/OPNsense/OpenVPN/export.volt | 1 +
 7 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/Api/ExportController.php b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/Api/ExportController.php
index 11524096b..f04138d93 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/Api/ExportController.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/Api/ExportController.php
@@ -332,6 +332,7 @@ class ExportController extends ApiControllerBase
             // fetch associated certificate data, add to config
             $config['server_ca_chain'] = array();
             $config['server_cn'] = null;
+            $config['server_subject_name'] = null;
             $config['server_cert_is_srv'] = null;
             if (!empty($server->certref)) {
                 if (isset(Config::getInstance()->object()->cert)) {
@@ -346,6 +347,7 @@ class ExportController extends ApiControllerBase
                         $str_crt = base64_decode((string)$cert->crt);
                         $inf_crt = openssl_x509_parse($str_crt);
                         $config['server_cn'] = $inf_crt['subject']['CN'];
+                        $config['server_subject_name'] = $inf_crt['name'];
                         // Is server type cert
                         $config['server_cert_is_srv'] = (
                             isset($inf_crt['extensions']['extendedKeyUsage']) &&
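Review bot: `$inf_crt['name']` as returned by openssl_x509_parse() is the OpenSSL one-line subject (`/C=.../ST=.../CN=...`), while the exporters pass it to `verify-x509-name ... subject`, which OpenVPN 2.3 and later compares against the comma-separated RFC 2253 form (`C=..., ST=..., CN=...`) unless the client runs with `compat-names`; as written the exported profile is likely to be rejected by a current client, so the DN should be assembled from `$inf_crt['subject']` in that form, or at minimum tested against a real client before release. The new assignment also reads `$inf_crt` without checking that openssl_x509_parse() did not return false, so a malformed stored certificate produces PHP warnings and an empty name instead of a clear error; guarding the three reads with `if ($inf_crt !== false) {` (or raising an error) would be safer. The enclosing method starts and ends outside the hunk.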
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/export_options.xml b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/export_options.xml
index d0f9ef7e0..a4b95fb00 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/export_options.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/export_options.xml
@@ -28,6 +28,7 @@
openvpn_export.random_local_port + checkbox Use a random local source port (lport) for traffic from the client. Without this set, two clients may not run concurrently.
@@ -40,9 +41,9 @@
openvpn_export.validate_server_cn - + checkbox - Verify the server certificate Common Name (CN) when the client connects + Verify the server certificate name when the client connects openvpn_export.plain_config
diff --git a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ArchiveOpenVPN.php b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ArchiveOpenVPN.php
index 600b33099..059167b36 100644
--- a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ArchiveOpenVPN.php
+++ b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ArchiveOpenVPN.php
@@ -48,7 +48,7 @@ class ArchiveOpenVPN extends PlainOpenVPN
      */
     public function supportedOptions()
     {
-        return array("plain_config", "p12_password");
+        return array("plain_config", "p12_password", "random_local_port");
     }
 
     /**
diff --git a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php
index 0fd8f40db..ddc85a194 100644
--- a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php
+++ b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php
@@ -48,7 +48,7 @@ class PlainOpenVPN extends BaseExporter implements IExportProvider
      */
     public function supportedOptions()
     {
-        return array("plain_config");
+        return array("plain_config", "random_local_port");
     }
 
     /**
@@ -117,9 +117,9 @@ class PlainOpenVPN extends BaseExporter implements IExportProvider
             $conf[] = "lport 0";
         }
 
-        if ($this->config['mode'] !== 'server_user' && !empty($this->config['server_cn'])
+        if ($this->config['mode'] !== 'server_user' && !empty($this->config['server_subject_name'])
             && !empty($this->config['validate_server_cn'])) {
-            $conf[] = "verify-x509-name \"{$this->config['server_cn']}\" name";
+            $conf[] = "verify-x509-name \"{$this->config['server_subject_name']}\" subject";
             if (!empty($this->config['server_cert_is_srv'])) {
                 $conf[] = "remote-cert-tls server";
             }
diff --git a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/TheGreenBow.php b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/TheGreenBow.php
index 70b49bb18..127e59419 100644
--- a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/TheGreenBow.php
+++ b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/TheGreenBow.php
@@ -124,8 +124,8 @@ class TheGreenBow extends BaseExporter implements IExportProvider
 
         if (!empty($this->config['digest'])) {
             if (strpos($this->config['digest'], "SHA1") !== false) {
-                $output->cfg_ssl->cfg_sslconnection->cfg_tunneloptions->Auth = "MD5";
-                $output->cfg_ssl->cfg_sslconnection->cfg_tunneloptions->AuthSize = "128";
+                $output->cfg_ssl->cfg_sslconnection->cfg_tunneloptions->Auth = "SHA1";
+                $output->cfg_ssl->cfg_sslconnection->cfg_tunneloptions->AuthSize = "160";
             } elseif ($this->config['digest'] == "SHA256") {
                 $output->cfg_ssl->cfg_sslconnection->cfg_tunneloptions->Auth = "SHA2";
                 $output->cfg_ssl->cfg_sslconnection->cfg_tunneloptions->AuthSize = "256";
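Review bot: The new `verify-x509-name` line interpolates the full subject DN verbatim inside double quotes; OpenVPN's config tokenizer treats `"` as the end of the quoted argument and `\` as an escape, so a DN attribute containing either character (an O= or OU= with a quoted name, an escaped comma) yields a profile that fails to parse or pins the wrong name. The CN-only line had the same exposure, but a whole DN has many more attributes, so escaping before emitting is worthwhile, e.g. `$name = addcslashes($this->config['server_subject_name'], "\\\"");` followed by `$conf[] = "verify-x509-name \"{$name}\" subject";`. Independently, whether the string's format (OpenSSL one-line versus RFC 2253) is what the client compares against should be checked with a real OpenVPN client, since `subject` matching is format-sensitive. The enclosing method starts and ends outside the hunk.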
@@ -135,6 +135,9 @@ class TheGreenBow extends BaseExporter implements IExportProvider
             } elseif ($this->config['digest'] == "SHA512") {
                 $output->cfg_ssl->cfg_sslconnection->cfg_tunneloptions->Auth = "SHA2";
                 $output->cfg_ssl->cfg_sslconnection->cfg_tunneloptions->AuthSize = "SHA512";
+            } else {
+                $output->cfg_ssl->cfg_sslconnection->cfg_tunneloptions->Auth = "MD5";
+                $output->cfg_ssl->cfg_sslconnection->cfg_tunneloptions->AuthSize = "128";
             }
         }
         if (!empty($this->config['compression'])) {
@@ -143,6 +146,11 @@ class TheGreenBow extends BaseExporter implements IExportProvider
             $output->cfg_ssl->cfg_sslconnection->cfg_tunneloptions->Compression = 'no';
         }
 
+        if ($this->config['mode'] !== 'server_user' && !empty($this->config['server_subject_name'])
+            && !empty($this->config['validate_server_cn'])) {
+            $output->cfg_ssl->cfg_sslconnection->cfg_tunnelestablish->GatewayName = $this->config['server_subject_name'];
+        }
+
         $output->cfg_ssl->cfg_sslconnection->cfg_tunneloptions->RenegSeconds = $this->config['reneg-sec'];
         if (!empty($this->config['tls'])) {
             $tls = array("\n-----BEGIN Static key-----");
diff --git a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ViscosityVisz.php b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ViscosityVisz.php
index def2d22c7..2a8e88c29 100644
--- a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ViscosityVisz.php
+++ b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ViscosityVisz.php
@@ -48,7 +48,7 @@ class ViscosityVisz extends PlainOpenVPN
      */
     public function supportedOptions()
     {
-        return array("plain_config", "p12_password");
+        return array("plain_config", "p12_password", "random_local_port");
     }
 
     /**
diff --git a/src/opnsense/mvc/app/views/OPNsense/OpenVPN/export.volt b/src/opnsense/mvc/app/views/OPNsense/OpenVPN/export.volt
index dbfd10919..97a251e84 100644
--- a/src/opnsense/mvc/app/views/OPNsense/OpenVPN/export.volt
+++ b/src/opnsense/mvc/app/views/OPNsense/OpenVPN/export.volt
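Review bot: The new `else` branch maps any configured digest that is not one of the SHA variants handled above to `Auth = "MD5"` / `AuthSize = "128"`, silently writing a weaker HMAC into the profile than the administrator selected. Because OpenVPN requires `auth` to agree on both ends, such a profile will most likely just fail to connect rather than downgrade, but a failing export with no indication of why is hard to diagnose and MD5 is not a defensible default in 2018. Prefer refusing the export for unsupported digests, e.g. `throw new \Exception(sprintf("digest %s is not supported by the TheGreenBow exporter", $this->config['digest']));`, or leave the client default untouched and add a comment stating that the digest was not translated. The if/elseif chain this branch closes begins in an earlier hunk.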
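Review bot: `GatewayName` is now assigned the full subject DN string, but whether TheGreenBow compares that field against the complete subject or only against the certificate CN (which is what the previous `server_cn` value carried) is not evident from this hunk; please confirm against the TheGreenBow configuration reference, since a mismatch would either reject the legitimate server or leave the name unchecked depending on how the client treats the field. Unlike PlainOpenVPN, this exporter emits nothing corresponding to `remote-cert-tls server` when `server_cert_is_srv` is set; if TheGreenBow has no such option, a comment such as `// TheGreenBow has no remote-cert-tls equivalent; only the gateway name is pinned here` would stop the next reader from treating it as an omission. The enclosing method starts and ends outside the hunk.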
@@ -65,6 +65,7 @@
                     $("#openvpn_export\\.template").append(this_opt);
                 });
                 $("#openvpn_export\\.servers").change();
+                $("#openvpn_export\\.template").change();
                 $("#openvpn_export\\.template").selectpicker('refresh');
             }
         });