From db9abc927623aef89da9d8810c8f3080053e5ebb Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Tue, 27 Jun 2023 13:55:39 +0200
Subject: [PATCH] VPN: OpenVPN: Instances (MVC) (#6636)
* VPN: OpenVPN: Instances (MVC) bugfixes and additions:
 o fix lookup in tls_verify.php
 o add auth attribute
 o fix connection status reporting non existing clients
* VPN: OpenVPN: Instances (MVC) bugfixes and additions:
 o add missing syshook for startup at boot
 o show instances in connection states when not connected
---
 plist | 1 +
 src/etc/rc.syshook.d/start/90-openvpn | 3 ++
 .../OpenVPN/Api/ServiceController.php | 10 +++--
 .../OPNsense/OpenVPN/forms/dialogInstance.xml | 17 +++++++++
 .../app/models/OPNsense/OpenVPN/OpenVPN.php | 7 +++-
 .../app/models/OPNsense/OpenVPN/OpenVPN.xml | 38 +++++++++++++++++++
 .../app/views/OPNsense/OpenVPN/status.volt | 2 +-
 .../scripts/openvpn/ovpn_service_control.php | 2 +-
 src/opnsense/scripts/openvpn/tls_verify.php | 11 +-----
 9 files changed, 73 insertions(+), 18 deletions(-)
 create mode 100755 src/etc/rc.syshook.d/start/90-openvpn
diff --git a/plist b/plist
index e9254bd53..363dfbb29 100644
--- a/plist
+++ b/plist
@@ -136,6 +136,7 @@
 /usr/local/etc/rc.syshook.d/start/25-syslog
 /usr/local/etc/rc.syshook.d/start/90-carp
 /usr/local/etc/rc.syshook.d/start/90-cron
+/usr/local/etc/rc.syshook.d/start/90-openvpn
 /usr/local/etc/rc.syshook.d/start/90-sysctl
 /usr/local/etc/rc.syshook.d/start/95-beep
 /usr/local/etc/rc.syshook.d/stop/05-beep
diff --git a/src/etc/rc.syshook.d/start/90-openvpn b/src/etc/rc.syshook.d/start/90-openvpn
new file mode 100755
index 000000000..675a7a0ca
--- /dev/null
+++ b/src/etc/rc.syshook.d/start/90-openvpn
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+configctl -dq openvpn configure
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/Api/ServiceController.php b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/Api/ServiceController.php
index 82fd52bc1..444372bd3 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/Api/ServiceController.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/Api/ServiceController.php
@@ -55,10 +55,12 @@ class ServiceController extends ApiControllerBase
 }
 }
 foreach ((new OpenVPN())->Instances->Instance->iterateItems() as $node_uuid => $node) {
- $config_payload[$node_uuid] = [
- 'enabled' => (string)$node->enabled,
- 'description' => (string)$node->description
- ];
+ if ((string)$node->role == $role) {
+ $config_payload[$node_uuid] = [
+ 'enabled' => (string)$node->enabled,
+ 'description' => (string)$node->description
+ ];
+ }
 }
 return $config_payload;
 }
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/dialogInstance.xml b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/dialogInstance.xml
index e5d37b455..93e93bbad 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/dialogInstance.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/dialogInstance.xml
@@ -143,6 +143,7 @@ instance.crl dropdown + Select a certificate revocation list to use for this service.
@@ -151,6 +152,13 @@ dropdown Specify if the client is required to offer a certificate. + + instance.cert_depth + + dropdown + + When a certificate-based client logs in, do not accept certificates below this depth. Useful for denying certificates made with intermediate CAs generated from the same CA as the server. + instance.tls_key
@@ -160,6 +168,15 @@ The prefixed mode determines if this measurement is only used for authentication (--tls-auth) or includes encryption (--tls-crypt). + + instance.auth + + true + dropdown + + Authenticate data channel packets and (if enabled) tls-auth control channel packets with HMAC using message digest algorithm alg. + + instance.data-ciphers
diff --git a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php
index 9be8393c0..d2edf2c97 100644
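Review bot: The role filter on the added line uses a loose comparison, `if ((string)$node->role == $role) {`; with `==` two numeric-looking strings are compared as numbers, so the strict form `if ((string)$node->role === $role) {` is the safer spelling for a string discriminator. `$role` belongs to the enclosing method, whose signature lies outside the hunk, so it is worth confirming it is always a string at this point. The method starts before the hunk's first line.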
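Review bot: The help text added for `instance.auth` in the third hunk ends in `... with HMAC using message digest algorithm alg.`, where `alg` is the placeholder from the OpenVPN manual and refers to nothing in this dialog. Rewording it to `... with HMAC using the selected message digest algorithm.` reads correctly in the form. The element nesting of these XML hunks is not recoverable from the collapsed copy, so this is a wording point only.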
--- a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php
+++ b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php
@@ -276,6 +276,7 @@ class OpenVPN extends BaseModel
 'tlsmode' => $this_mode,
 'certref' => (string)$node->cert,
 'caref' => $this_caref,
+ 'cert_depth' => (string)$node->cert_depth,
 'description' => (string)$node->description
 ];
 }
@@ -311,6 +312,7 @@ class OpenVPN extends BaseModel
 'tlsmode' => (string)$item->tlsmode,
 'certref' => (string)$item->certref,
 'caref' => (string)$item->caref,
+ 'cert_depth' => (string)$item->cert_depth,
 'description' => (string)$item->description,
 // legacy only (backwards compatibility)
 'compression' => (string)$item->compression,
@@ -482,8 +484,9 @@ class OpenVPN extends BaseModel
 $options['verb'] = (string)$node->verb;
 $options['verify-client-cert'] = (string)$node->verify_client_cert;
- foreach (
- ['reneg-sec', 'auth-gen-token', 'port', 'local', 'data-ciphers', 'data-ciphers-fallback'] as $opt
+ foreach ([
+ 'reneg-sec', 'auth-gen-token', 'port', 'local', 'data-ciphers', 'data-ciphers-fallback', 'auth'
+ ] as $opt
 ) {
 if ((string)$node->$opt != '') {
 $options[$opt] = str_replace(',', ':', (string)$node->$opt);
diff --git a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.xml b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.xml
index a11dcec95..9fdc6996e 100644
--- a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.xml
@@ -197,6 +197,17 @@ None Please select a valid certificate from the list + + N + Do Not Check + + One (Client+Server) + Two (Client+Intermediate+Server) + Three (Client+2xIntermediate+Server) + Four (Client+3xIntermediate+Server) + Five (Client+4xIntermediate+Server) + + Y require
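Review bot: Appending `'auth'` to the option list in the third hunk routes a single digest name through `str_replace(',', ':', ...)`, a conversion that appears to exist for the comma-stored cipher lists; it is a no-op for one value, but the loop now mixes list-valued and scalar options without saying so. A short comment above the `foreach`, such as `// stored comma separated, OpenVPN expects ':' (no-op for single-valued options like 'auth')`, would make that explicit, and the hedge is deliberate since the model field definitions are not in this hunk. The value ends up in the generated OpenVPN config, so it is worth confirming the model restricts `auth` to the fixed option list rather than free text. The enclosing method starts and ends outside the hunk.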
@@ -205,6 +216,33 @@ required + + N + SHA1 + + BLAKE2b512 (512-bit) + BLAKE2s256 (256-bit) + MD4 (128-bit) + MD5 (128-bit) + MD5-SHA1 (288-bit) + RIPEMD160 (160-bit) + SHA1 (160-bit) + SHA224 (224-bit) + SHA256 (256-bit) + SHA3-224 (224-bit) + SHA3-256 (256-bit) + SHA3-384 (384-bit) + SHA3-512 (512-bit) + SHA384 (384-bit) + SHA512 (512-bit) + SHA512-224 (224-bit) + SHA512-256 (256-bit) + SHAKE128 (128-bit) + SHAKE256 (256-bit) + whirlpool (512-bit) + None (No Authentication) + + N Y
diff --git a/src/opnsense/mvc/app/views/OPNsense/OpenVPN/status.volt b/src/opnsense/mvc/app/views/OPNsense/OpenVPN/status.volt
index f6dbf62d0..57cca9a33 100644
--- a/src/opnsense/mvc/app/views/OPNsense/OpenVPN/status.volt
+++ b/src/opnsense/mvc/app/views/OPNsense/OpenVPN/status.volt
@@ -34,7 +34,7 @@
 selection: false,
 formatters:{
 bytes: function(column, row) {
- if (row[column.id]) {
+ if (row[column.id] && row[column.id] > 0) {
 return byteFormat(row[column.id], 2);
 }
 return '';
diff --git a/src/opnsense/scripts/openvpn/ovpn_service_control.php b/src/opnsense/scripts/openvpn/ovpn_service_control.php
index ca15bbb6a..f0000d178 100755
--- a/src/opnsense/scripts/openvpn/ovpn_service_control.php
+++ b/src/opnsense/scripts/openvpn/ovpn_service_control.php
@@ -133,7 +133,7 @@ if (isset($opts['h']) || empty($args) || !in_array($args[0], ['start', 'stop', '
 ovpn_start($node, $statHandle);
 break;
 case 'configure':
- if ($instance_stats['has_changed']) {
+ if ($instance_stats['has_changed'] || !isvalidpid($node->pidFilename)) {
 ovpn_stop($node);
 ovpn_start($node, $statHandle);
 }
diff --git a/src/opnsense/scripts/openvpn/tls_verify.php b/src/opnsense/scripts/openvpn/tls_verify.php
index 2e21fa45b..ba02afa49 100755
--- a/src/opnsense/scripts/openvpn/tls_verify.php
+++ b/src/opnsense/scripts/openvpn/tls_verify.php
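Review bot: The new `auth` option list offers `MD4 (128-bit)`, `MD5 (128-bit)`, `MD5-SHA1 (288-bit)` and `None (No Authentication)` on equal footing with the SHA-2/SHA-3 entries, and nothing in the labels tells an administrator that the first three are broken digests or that `None` turns off HMAC wherever `--auth` applies. If they must stay for interoperability with old peers, marking them in the option text, e.g. `MD5 (128-bit, insecure)` and `None (No Authentication, insecure)`, keeps the choice deliberate; otherwise dropping them removes the footgun. The default appears to be SHA1 (the element tags are lost in this copy, so that is inferred from the `SHA1` line preceding the list), which is acceptable for HMAC but worth stating in the form's help text.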
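Review bot: The new condition `if (row[column.id] && row[column.id] > 0) {` in the status.volt hunk is redundant: in JavaScript `undefined > 0`, `null > 0` and `'' > 0` are all false, so `if (row[column.id] > 0) {` alone yields the same result and states the intent (hide missing and zero counters) more directly. The formatter object continues outside the hunk.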
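Review bot: The widened condition `if ($instance_stats['has_changed'] || !isvalidpid($node->pidFilename)) {` in the ovpn_service_control.php hunk restarts every instance that reaches the `configure` branch without a live pid, so it relies on disabled instances having been filtered out before this `switch`; that filtering is outside the hunk and worth confirming, since otherwise an instance that is stopped because it is disabled would be started again on each `configure` call. If no such filter exists, gating the restart on the instance's enabled flag (the model exposes `$node->enabled` elsewhere in this patch, assuming the same node type is in play here) closes that gap. The surrounding `switch` starts and ends outside the hunk.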
@@ -36,16 +36,7 @@ require_once("config.inc");
 */
 function do_verify($serverid)
 {
- global $config;
- $a_server = null;
- if (isset($config['openvpn']['openvpn-server'])) {
- foreach ($config['openvpn']['openvpn-server'] as $server) {
- if ($server['vpnid'] == $serverid) {
- $a_server = $server;
- break;
- }
- }
- }
+ $a_server = (new OPNsense\OpenVPN\OpenVPN())->getInstanceById($serverid, 'server');
 if ($a_server === null) {
 return "OpenVPN '$serverid' was not found. Denying authentication for user {$username}";
 }
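Review bot: The not-found return two lines below the new lookup interpolates `{$username}`, but `do_verify($serverid)` neither takes `$username` as a parameter nor declares it, and the removed `global $config;` line was the function's only `global`; at that point the variable is undefined, so the message goes out with an empty user and PHP emits a warning. This predates the commit, but the rewrite touches exactly these lines, so it is the moment to fix it: either extend the signature to `function do_verify($serverid, $username)` and update the caller (outside the hunk), or drop the user from this early-exit message, e.g. `return "OpenVPN '$serverid' was not found. Denying authentication";`. The remainder of `do_verify` lies outside the hunk.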