* Server.conf generator added (written on php)

* Server.conf file deleted * New version of php-openvpn library * Few new env options in file and in scripts * New questions on evn stage
7 years ago · 14fd5ed48c
8 changed files with 132 additions and 160 deletions
--- a/.env.example
+++ b/.env.example
@ -11,14 +11,15 @@ DB_PASS=openvpn_pass
 # OpenVPN settings
 VPN_CONF=/etc/openvpn
-VPN_LOCAL=192.168.1.2
+VPN_DEV=tun0
 VPN_PROTO=tcp
 VPN_LISTEN=192.168.1.2
 VPN_LISTEN_PORT=1194
 VPN_REMOTE=172.10.12.15
 VPN_REMOTE_PORT=443
 VPN_USER=nobody
 VPN_GROUP=nogroup
-VPN_PORT=1194
+VPN_IF=eth0
 VPN_PROTO=tcp
 VPN_INIF=tun0
 VPN_OUTIF=eth0
 # TODO: Rewrite this part to ipcalc
 VPN_SERVER="10.8.0.0 255.255.255.0"
 VPN_NET=10.8.0.0/24
--- a/app/ovpn.php
+++ b/app/ovpn.php
@ -2,38 +2,39 @@
 $_ovpn = new EvilFreelancer\OpenVPN();
-$_ovpn->dev = getenv('VPN_INIF');
+$_ovpn
-$_ovpn->proto = getenv('VPN_PROTO');
+    ->addParam('client')
-$_ovpn->port = getenv('VPN_PORT');
+    ->addParam('dev', getenv('VPN_INIF'))
-$_ovpn->remote = getenv('VPN_REMOTE');
+    ->addParam('proto', getenv('VPN_PROTO'))
-$_ovpn->resolvRetry = 'infinite';
+    ->addParam('remote', getenv('VPN_REMOTE'))
-$_ovpn->cipher = 'AES-256-CBC';
+    ->addParam('port', getenv('VPN_REMOTE_PORT'))
-$_ovpn->redirectGateway = true;
+    ->addParam('resolv-retry', 'infinite')
-
+    ->addParam('cipher', 'AES-256-CBC')
-$_ovpn->addCert('ca', getenv('VPN_CONF') . '/ca.crt', true)
+    ->addParam('redirect-gateway', true)
->addCert('tls-auth', getenv('VPN_CONF') . '/ta.key', true);
+    ->addParam('key-direction', 1)
-
+    ->addParam('remote-cert-tls', 'server')
-$_ovpn->keyDirection = 1;
+    ->addParam('auth-user-pass', true)
-$_ovpn->remoteCertTls = 'server';
+    ->addParam('auth-nocache', true)
-$_ovpn->authUserPass = true;
+    ->addParam('nobind', true)
-$_ovpn->authNocache = true;
+    ->addParam('persist-key', true)
-
+    ->addParam('persist-tun', true)
-$_ovpn->nobind = true;
+    ->addParam('comp-lzo', true)
-$_ovpn->persistKey = true;
+    ->addParam('verb', 3);
-$_ovpn->persistTun = true;
+
-$_ovpn->compLzo = true;
+$_ovpn
-$_ovpn->verb = 3;
+    ->addCert('ca', getenv('VPN_CONF') . '/ca.crt', true)
-
+    ->addCert('tls-auth', getenv('VPN_CONF') . '/ta.key', true);
-$config = $_ovpn->getClientConfig();
+
 $config = $_ovpn->generateConfig();
 switch ($_POST['configuration_os']) {
-case 'gnu_linux':
+    case 'gnu_linux':
-case 'configuration_os':
+    case 'configuration_os':
-$filename = 'client.conf';
+        $filename = 'client.conf';
-break;
+        break;
-default:
+    default:
-$filename = 'client.ovpn';
+        $filename = 'client.ovpn';
-break;
+        break;
 }
 header('Content-Type:text/plain');
--- a/composer.json
+++ b/composer.json
@ -12,6 +12,6 @@
    ],
    "require": {
        "vlucas/phpdotenv": "^2.4",
-        "evilfreelancer/openvpn-php": "^0.1.1"
+        "evilfreelancer/openvpn-php": "^0.2.0"
    }
 }
--- a/configs/server.conf
+++ b/configs/server.conf
@ -1,91 +0,0 @@
 ## GENERAL ##
 # TCP or UDP, port 443, tunneling
 mode server
 proto VPN_PROTO
 port VPN_PORT
 dev VPN_INIF
 ## KEY, CERTS AND NETWORK CONFIGURATION ##
 # Identity
 ca ca.crt
 # Public key
 cert server.crt
 # Private key
 key server.key
 # Symmetric encryption
 dh dh.pem
 # Improve security (DDOS, port flooding...)
 # 0 for the server, 1 for the client
 tls-auth ta.key 0
 # Encryption protocol
 cipher AES-256-CBC
 # Network
 # Subnetwork, the server will be the 10.8.0.1 and clients will take the other ips
 server VPN_SERVER
 # Redirect all IP network traffic originating on client machines to pass through the OpenVPN server
 push "redirect-gateway def1"
 # Alternatives DNS (FDN)
 push "dhcp-option DNS 80.67.169.12"
 push "dhcp-option DNS 80.67.169.40"
 # (OpenDNS)
 # push "dhcp-option DNS 208.67.222.222"
 # push "dhcp-option DNS 208.67.220.220"
 # (Google)
 # push "dhcp-option DNS 8.8.8.8"
 # push "dhcp-option DNS 8.8.4.4"
 # Ping every 10 seconds and if after 120 seconds the client doesn't respond we disconnect
 keepalive 10 120
 # Regenerate key each 5 hours (disconnect the client)
 reneg-sec 18000
 ## SECURITY ##
 # Downgrade privileges of the daemon
 user VPN_USER
 group VPN_GROUP
 # Persist keys (because we are nobody, so we couldn't read them again)
 persist-key
 # Don't close and re open TUN/TAP device
 persist-tun
 # Enable compression
 comp-lzo
 ## LOG ##
 # Verbosity
 # 3/4 for a normal utilisation
 verb 3
 # Max 20 messages of the same category
 mute 20
 # Log gile where we put the clients status
 status /var/log/openvpn/status.log
 # Log file
 log-append /var/log/openvpn/openvpn.log
 # Configuration directory of the clients
 client-config-dir ccd
 ## PASS ##
 # Allow running external scripts with password in ENV variables
 script-security 3
 # Use the authenticated username as the common name, rather than the common name from the client cert
 username-as-common-name
 # Client certificate is not required 
 verify-client-cert none
 # Maximum of clients
 max-clients 50
 # Use the connection script when a user wants to login
 auth-user-pass-verify SCRIPTS_LOGIN via-env
 # Run this scripts when the client connects/disconnects
 client-connect SCRIPTS_CONNECT
 client-disconnect SCRIPTS_DISCONNECT
--- a/scripts/install/00_env.sh
+++ b/scripts/install/00_env.sh
@ -2,22 +2,26 @@
 printf "\n################## Server informations ##################\n"
-[ ! -z "$VPN_LOCAL" ] && echo "VPN_LOCAL=$VPN_LOCAL"
+[ ! -z "$VPN_LISTEN" ] && echo "VPN_LISTEN=$VPN_LISTEN"
-[ -z "$VPN_LOCAL" ]  && read -p "Server local Hostname/IP: " VPN_LOCAL
+[ -z "$VPN_LISTEN" ]  && read -p "Server local Hostname/IP: " VPN_LISTEN
-[ -z "$VPN_LOCAL" ]  && print_error "Server local address is required!"
+[ -z "$VPN_LISTEN" ]  && print_error "Server local address is required!"
-[ ! -z "$VPN_REMOTE" ] && echo "VPN_LOCAL=$VPN_REMOTE"
+[ ! -z "$VPN_LISTEN_PORT" ] && echo "VPN_LISTEN_PORT=$VPN_LISTEN_PORT"
 [ -z "$VPN_LISTEN_PORT" ]  && read -p "OpenVPN listen port [1194]: " VPN_LISTEN_PORT
 [ -z "$VPN_LISTEN_PORT" ]  && VPN_LISTEN_PORT="1194"
 [ ! -z "$VPN_REMOTE" ] && echo "VPN_REMOTE=$VPN_REMOTE"
 [ -z "$VPN_REMOTE" ]  && read -p "Server remote Hostname/IP: " VPN_REMOTE
 [ -z "$VPN_REMOTE" ]  && print_error "Server remote address is required!"
 [ ! -z "$VPN_REMOTE_PORT" ] && echo "VPN_REMOTE_PORT=$VPN_REMOTE_PORT"
 [ -z "$VPN_REMOTE_PORT" ]  && read -p "OpenVPN remote port [443]: " VPN_REMOTE_PORT
 [ -z "$VPN_REMOTE_PORT" ]  && VPN_REMOTE_PORT="443"
 [ ! -z "$VPN_PROTO" ] && echo "VPN_PROTO=$VPN_PROTO"
 [ -z "$VPN_PROTO" ] && read -p "OpenVPN protocol (tcp or udp) [tcp]: " VPN_PROTO
 [ -z "$VPN_PROTO" ] && VPN_PROTO="tcp"
 [ ! -z "$VPN_PORT" ] && echo "VPN_PORT=$VPN_PORT"
 [ -z "$VPN_PORT" ]  && read -p "OpenVPN port [443]: " VPN_PORT
 [ -z "$VPN_PORT" ]  && VPN_PORT="443"
 [ ! -z "$VPN_USER" ] && echo "VPN_USER=$VPN_USER"
 [ -z "$VPN_USER" ] && read -p "OpenVPN user [nobody]: " VPN_USER
 [ -z "$VPN_USER" ] && VPN_USER="nobody"
@ -26,13 +30,13 @@ printf "\n################## Server informations ##################\n"
 [ -z "$VPN_GROUP" ] && read -p "OpenVPN group [nogroup]: " VPN_GROUP
 [ -z "$VPN_GROUP" ] && VPN_GROUP="nogroup"
-[ ! -z "$VPN_INIF" ] && echo "VPN_INIF=$VPN_INIF"
+[ ! -z "$VPN_DEV" ] && echo "VPN_DEV=$VPN_DEV"
-[ -z "$VPN_INIF" ]  && read -p "OpenVPN tunnel interface [tun0]: " VPN_INIF
+[ -z "$VPN_DEV" ]  && read -p "OpenVPN tunnel interface [tun0]: " VPN_DEV
-[ -z "$VPN_INIF" ]  && VPN_INIF="tun0"
+[ -z "$VPN_DEV" ]  && VPN_DEV="tun0"
-[ ! -z "$VPN_OUTIF" ] && echo "VPN_OUTIF=$VPN_OUTIF"
+[ ! -z "$VPN_IF" ] && echo "VPN_IF=$VPN_IF"
-[ -z "$VPN_OUTIF" ] && read -p "OpenVPN physical interface [eth0]: " VPN_OUTIF
+[ -z "$VPN_IF" ] && read -p "OpenVPN physical interface [eth0]: " VPN_IF
-[ -z "$VPN_OUTIF" ] && VPN_OUTIF="eth0"
+[ -z "$VPN_IF" ] && VPN_IF="eth0"
 [ ! -z "$VPN_NET" ] && echo "VPN_NET=$VPN_NET"
 [ -z "$VPN_NET" ]   && read -p "OpenVPN clients subnet [10.8.0.0/24]: " VPN_NET
--- a/scripts/install/04_openvpn.sh
+++ b/scripts/install/04_openvpn.sh
@ -4,18 +4,12 @@ printf "\n################## Setup OpenVPN ##################\n"
 # Copy certificates and the server configuration in the openvpn directory
 cp "$VPN_CONF/easy-rsa/pki/"{ca.crt,ta.key,issued/server.crt,private/server.key,dh.pem} "$VPN_CONF/"
 # Certs must be readable via web interface
 chmod +r $VPN_CONF/{ca.crt,ta.key}
-cp "$base_path/../configs/server.conf" "$VPN_CONF/"
+
 # Configuration directory of the clients
 mkdir -p "$VPN_CONF/ccd"
-sed "
+# Generate server config
-s/VPN_SERVER/$VPN_SERVER/;
+php -f "$base_path/server-conf.php" > "$VPN_CONF/server.conf"
 s/VPN_PORT/$VPN_PORT/
 s/VPN_INIF/$VPN_INIF/
 s/VPN_PROTO/$VPN_PROTO/
 s/VPN_GROUP/$VPN_GROUP/
 s/VPN_USER/$VPN_USER/
 s|SCRIPTS_LOGIN|$SCRIPTS_LOGIN|
 s|SCRIPTS_CONNECT|$SCRIPTS_CONNECT|
 s|SCRIPTS_DISCONNECT|$SCRIPTS_DISCONNECT|
 " -i "$VPN_CONF/server.conf"
--- a/scripts/install/05_firewall.sh
+++ b/scripts/install/05_firewall.sh
@ -7,10 +7,10 @@ echo 1 > "/proc/sys/net/ipv4/ip_forward"
 echo "net.ipv4.ip_forward = 1" >> "/etc/sysctl.conf"
 # Iptable rules
-iptables -I FORWARD -i $VPN_INIF -j ACCEPT
+iptables -I FORWARD -i $VPN_DEV -j ACCEPT
-iptables -I FORWARD -o $VPN_INIF -j ACCEPT
+iptables -I FORWARD -o $VPN_DEV -j ACCEPT
-iptables -I OUTPUT -o $VPN_INIF -j ACCEPT
+iptables -I OUTPUT -o $VPN_DEV -j ACCEPT
-iptables -A FORWARD -i $VPN_INIF -o $VPN_OUTIF -j ACCEPT
+iptables -A FORWARD -i $VPN_DEV -o $VPN_IF -j ACCEPT
-iptables -t nat -A POSTROUTING -o $VPN_OUTIF -j MASQUERADE
+iptables -t nat -A POSTROUTING -o $VPN_IF -j MASQUERADE
-iptables -t nat -A POSTROUTING -s $VPN_NET -o $VPN_OUTIF -j MASQUERADE
+iptables -t nat -A POSTROUTING -s $VPN_NET -o $VPN_IF -j MASQUERADE
--- a/scripts/server-conf.php
+++ b/scripts/server-conf.php
@ -0,0 +1,63 @@
 <?php
 // Enable dotEnv support
 require_once __DIR__ . '/../vendor/autoload.php';
 $dotenv = new Dotenv\Dotenv(__DIR__ . '/../');
 if (file_exists(__DIR__ . '/../.env')) $dotenv->load();
 $_ovpn = new EvilFreelancer\OpenVPN();
 // TCP or UDP, port 443, tunneling
 $_ovpn
    ->addParam('server')
    ->addParam('dev', getenv('VPN_DEV'))
    ->addParam('proto', getenv('VPN_PROTO'))
    ->addParam('port', getenv('VPN_LISTEN_PORT'));
 // If listening address is set
 if (!empty(getenv('VPN_LISTEN')))
    $_ovpn->addParam('listen', getenv('VPN_LISTEN'));
 // KEY, CERTS AND NETWORK CONFIGURATION
 $_ovpn
    ->addCert('ca', getenv('VPN_CONF') . '/ca.crt')
    ->addCert('cert', getenv('VPN_CONF') . '/server.crt')
    ->addCert('key', getenv('VPN_CONF') . '/server.key')
    ->addCert('dh', getenv('VPN_CONF') . '/dh.pem')
    ->addCert('tls-auth', getenv('VPN_CONF') . '/ta.key', false, '0')
    ->addParam('cipher', 'AES-256-CBC')
    ->addParam('server', getenv('VPN_SERVER'))
    ->addPush('redirect-gateway def1')
    ->addPush('dhcp-option DNS 8.8.8.8')
    ->addPush('dhcp-option DNS 8.8.4.4')
    ->addParam('keepalive', '10 120')
    ->addParam('reneg-sec', '18000');
 // SECURITY
 $_ovpn
    ->addParam('user', getenv('VPN_USER'))
    ->addParam('group', getenv('VPN_GROUP'))
    ->addParam('persist-key')
    ->addParam('persist-tun')
    ->addParam('comp-lzo');
 // LOG
 $_ovpn
    ->addParam('verb', 3)
    ->addParam('mute', 20)
    ->addParam('status', '/var/log/openvpn/status.log')
    ->addParam('log-append', '/var/log/openvpn/openvpn.log')
    ->addParam('client-config-dir', 'ccd');
 // PASS
 $_ovpn
    ->addParam('script-security', 3)
    ->addParam('username-as-common-name')
    ->addParam('verify-client-cert', 'none')
    ->addParam('max-clients', '50')
    ->addParam('auth-user-pass-verify', getenv('SCRIPTS_LOGIN') . ' via-env')
    ->addParam('client-connect', getenv('SCRIPTS_CONNECT'))
    ->addParam('client-disconnect', getenv('SCRIPTS_DISCONNECT'));
 $config = $_ovpn->generateConfig();
 die("$config");