Signed-off-by: Rosen Penev <rosenp@gmail.com>lilik-openwrt-22.03
@ -0,0 +1,58 @@ | |||
if PACKAGE_openvpn-mbedtls | |||
config OPENVPN_mbedtls_ENABLE_LZO | |||
bool "Enable LZO compression support" | |||
default y | |||
config OPENVPN_mbedtls_ENABLE_LZ4 | |||
bool "Enable LZ4 compression support" | |||
default y | |||
config OPENVPN_mbedtls_ENABLE_SERVER | |||
bool "Enable server support (otherwise only client mode is support)" | |||
default y | |||
#config OPENVPN_mbedtls_ENABLE_EUREPHIA | |||
# bool "Enable support for the eurephia plug-in" | |||
# default n | |||
config OPENVPN_mbedtls_ENABLE_MANAGEMENT | |||
bool "Enable management server support" | |||
default n | |||
#config OPENVPN_mbedtls_ENABLE_PKCS11 | |||
# bool "Enable pkcs11 support" | |||
# default n | |||
config OPENVPN_mbedtls_ENABLE_FRAGMENT | |||
bool "Enable internal fragmentation support (--fragment)" | |||
default y | |||
config OPENVPN_mbedtls_ENABLE_MULTIHOME | |||
bool "Enable multi-homed UDP server support (--multihome)" | |||
default y | |||
config OPENVPN_mbedtls_ENABLE_PORT_SHARE | |||
bool "Enable TCP server port-share support (--port-share)" | |||
default y | |||
config OPENVPN_mbedtls_ENABLE_DEF_AUTH | |||
bool "Enable deferred authentication" | |||
default y | |||
config OPENVPN_mbedtls_ENABLE_PF | |||
bool "Enable internal packet filter" | |||
default y | |||
config OPENVPN_mbedtls_ENABLE_IPROUTE2 | |||
bool "Enable support for iproute2" | |||
default n | |||
config OPENVPN_mbedtls_ENABLE_SMALL | |||
bool "Enable size optimization" | |||
default y | |||
help | |||
enable smaller executable size (disable OCC, usage | |||
message, and verb 4 parm list) | |||
endif |
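Review bot: The commented-out `OPENVPN_mbedtls_ENABLE_EUREPHIA` and `OPENVPN_mbedtls_ENABLE_PKCS11` entries are dead Kconfig text; the Makefile on this page passes `--disable-plugins` and `--disable-pkcs11` unconditionally, so either drop them or replace them with one comment saying why those features are unavailable, e.g. `# plugin and PKCS#11 support are hard-disabled by the package Makefile`. The server prompt also has a typo, "otherwise only client mode is support", and should read `bool "Enable server support (otherwise only client mode is supported)"`. The same dead entries and typo recur in the Config-openssl.in section, and the typo alone in the Config-nossl.in section.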
@ -0,0 +1,50 @@ | |||
if PACKAGE_openvpn-nossl | |||
config OPENVPN_nossl_ENABLE_LZO | |||
bool "Enable LZO compression support" | |||
default y | |||
config OPENVPN_nossl_ENABLE_LZ4 | |||
bool "Enable LZ4 compression support" | |||
default y | |||
config OPENVPN_nossl_ENABLE_SERVER | |||
bool "Enable server support (otherwise only client mode is support)" | |||
default y | |||
config OPENVPN_nossl_ENABLE_MANAGEMENT | |||
bool "Enable management server support" | |||
default n | |||
config OPENVPN_nossl_ENABLE_FRAGMENT | |||
bool "Enable internal fragmentation support (--fragment)" | |||
default y | |||
config OPENVPN_nossl_ENABLE_MULTIHOME | |||
bool "Enable multi-homed UDP server support (--multihome)" | |||
default y | |||
config OPENVPN_nossl_ENABLE_PORT_SHARE | |||
bool "Enable TCP server port-share support (--port-share)" | |||
default y | |||
config OPENVPN_nossl_ENABLE_DEF_AUTH | |||
bool "Enable deferred authentication" | |||
default y | |||
config OPENVPN_nossl_ENABLE_PF | |||
bool "Enable internal packet filter" | |||
default y | |||
config OPENVPN_nossl_ENABLE_IPROUTE2 | |||
bool "Enable support for iproute2" | |||
default n | |||
config OPENVPN_nossl_ENABLE_SMALL | |||
bool "Enable size optimization" | |||
default y | |||
help | |||
enable smaller executable size (disable OCC, usage | |||
message, and verb 4 parm list) | |||
endif |
@ -0,0 +1,62 @@ | |||
if PACKAGE_openvpn-openssl | |||
config OPENVPN_openssl_ENABLE_LZO | |||
bool "Enable LZO compression support" | |||
default y | |||
config OPENVPN_openssl_ENABLE_LZ4 | |||
bool "Enable LZ4 compression support" | |||
default y | |||
config OPENVPN_openssl_ENABLE_X509_ALT_USERNAME | |||
bool "Enable the --x509-username-field feature" | |||
default n | |||
config OPENVPN_openssl_ENABLE_SERVER | |||
bool "Enable server support (otherwise only client mode is support)" | |||
default y | |||
#config OPENVPN_openssl_ENABLE_EUREPHIA | |||
# bool "Enable support for the eurephia plug-in" | |||
# default n | |||
config OPENVPN_openssl_ENABLE_MANAGEMENT | |||
bool "Enable management server support" | |||
default n | |||
#config OPENVPN_openssl_ENABLE_PKCS11 | |||
# bool "Enable pkcs11 support" | |||
# default n | |||
config OPENVPN_openssl_ENABLE_FRAGMENT | |||
bool "Enable internal fragmentation support (--fragment)" | |||
default y | |||
config OPENVPN_openssl_ENABLE_MULTIHOME | |||
bool "Enable multi-homed UDP server support (--multihome)" | |||
default y | |||
config OPENVPN_openssl_ENABLE_PORT_SHARE | |||
bool "Enable TCP server port-share support (--port-share)" | |||
default y | |||
config OPENVPN_openssl_ENABLE_DEF_AUTH | |||
bool "Enable deferred authentication" | |||
default y | |||
config OPENVPN_openssl_ENABLE_PF | |||
bool "Enable internal packet filter" | |||
default y | |||
config OPENVPN_openssl_ENABLE_IPROUTE2 | |||
bool "Enable support for iproute2" | |||
default n | |||
config OPENVPN_openssl_ENABLE_SMALL | |||
bool "Enable size optimization" | |||
default y | |||
help | |||
enable smaller executable size (disable OCC, usage | |||
message, and verb 4 parm list) | |||
endif |
@ -0,0 +1,158 @@ | |||
# | |||
# Copyright (C) 2010-2015 OpenWrt.org | |||
# | |||
# This is free software, licensed under the GNU General Public License v2. | |||
# See /LICENSE for more information. | |||
# | |||
include $(TOPDIR)/rules.mk | |||
PKG_NAME:=openvpn | |||
PKG_VERSION:=2.4.9 | |||
PKG_RELEASE:=5 | |||
PKG_SOURCE_URL:=\ | |||
https://build.openvpn.net/downloads/releases/ \ | |||
https://swupdate.openvpn.net/community/releases/ | |||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz | |||
PKG_HASH:=641f3add8694b2ccc39fd4fd92554e4f089ad16a8db6d2b473ec284839a5ebe2 | |||
PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name> | |||
PKG_INSTALL:=1 | |||
PKG_FIXUP:=autoreconf | |||
PKG_BUILD_PARALLEL:=1 | |||
PKG_LICENSE:=GPL-2.0 | |||
PKG_CPE_ID:=cpe:/a:openvpn:openvpn | |||
include $(INCLUDE_DIR)/package.mk | |||
define Package/openvpn/Default | |||
TITLE:=Open source VPN solution using $(2) | |||
SECTION:=net | |||
CATEGORY:=Network | |||
URL:=http://openvpn.net | |||
SUBMENU:=VPN | |||
MENU:=1 | |||
DEPENDS:=+kmod-tun +OPENVPN_$(1)_ENABLE_LZO:liblzo +OPENVPN_$(1)_ENABLE_IPROUTE2:ip $(3) | |||
VARIANT:=$(1) | |||
ifeq ($(1),nossl) | |||
PROVIDES:=openvpn | |||
else | |||
PROVIDES:=openvpn openvpn-crypto | |||
endif | |||
endef | |||
Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl) | |||
Package/openvpn-mbedtls=$(call Package/openvpn/Default,mbedtls,mbedTLS,+PACKAGE_openvpn-mbedtls:libmbedtls) | |||
Package/openvpn-nossl=$(call Package/openvpn/Default,nossl,plaintext (no SSL)) | |||
define Package/openvpn/config/Default | |||
source "$(SOURCE)/Config-$(1).in" | |||
endef | |||
Package/openvpn-openssl/config=$(call Package/openvpn/config/Default,openssl) | |||
Package/openvpn-mbedtls/config=$(call Package/openvpn/config/Default,mbedtls) | |||
Package/openvpn-nossl/config=$(call Package/openvpn/config/Default,nossl) | |||
ifeq ($(BUILD_VARIANT),mbedtls) | |||
CONFIG_OPENVPN_MBEDTLS:=y | |||
endif | |||
ifeq ($(BUILD_VARIANT),openssl) | |||
CONFIG_OPENVPN_OPENSSL:=y | |||
endif | |||
ifeq ($(BUILD_VARIANT),nossl) | |||
CONFIG_OPENVPN_NOSSL:=y | |||
endif | |||
CONFIGURE_VARS += \ | |||
IFCONFIG=/sbin/ifconfig \ | |||
ROUTE=/sbin/route \ | |||
IPROUTE=/sbin/ip \ | |||
NETSTAT=/sbin/netstat | |||
TARGET_CFLAGS += -ffunction-sections -fdata-sections | |||
TARGET_LDFLAGS += -Wl,--gc-sections | |||
define Build/Configure | |||
$(call Build/Configure/Default, \ | |||
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SMALL),--enable-small) \ | |||
--disable-selinux \ | |||
--disable-systemd \ | |||
--disable-plugins \ | |||
--disable-debug \ | |||
--disable-pkcs11 \ | |||
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZO),--enable,--disable)-lzo \ | |||
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZ4),--enable,--disable)-lz4 \ | |||
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),--enable,--disable)-x509-alt-username \ | |||
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SERVER),--enable,--disable)-server \ | |||
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MANAGEMENT),--enable,--disable)-management \ | |||
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_FRAGMENT),--enable,--disable)-fragment \ | |||
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MULTIHOME),--enable,--disable)-multihome \ | |||
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_IPROUTE2),--enable,--disable)-iproute2 \ | |||
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_DEF_AUTH),--enable,--disable)-def-auth \ | |||
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PF),--enable,--disable)-pf \ | |||
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PORT_SHARE),--enable,--disable)-port-share \ | |||
$(if $(CONFIG_OPENVPN_NOSSL),--disable-crypto,--enable-crypto) \ | |||
$(if $(CONFIG_OPENVPN_OPENSSL),--with-crypto-library=openssl) \ | |||
$(if $(CONFIG_OPENVPN_MBEDTLS),--with-crypto-library=mbedtls) \ | |||
) | |||
endef | |||
define Package/openvpn-$(BUILD_VARIANT)/conffiles | |||
/etc/config/openvpn | |||
/etc/openvpn.user | |||
endef | |||
define Package/openvpn-$(BUILD_VARIANT)/install | |||
$(INSTALL_DIR) \ | |||
$(1)/usr/sbin \ | |||
$(1)/usr/share/openvpn \ | |||
$(1)/etc/init.d \ | |||
$(1)/etc/config \ | |||
$(1)/etc/openvpn \ | |||
$(1)/lib/functions \ | |||
$(1)/lib/upgrade/keep.d \ | |||
$(1)/usr/libexec \ | |||
$(1)/etc/hotplug.d/openvpn | |||
$(INSTALL_BIN) \ | |||
$(PKG_INSTALL_DIR)/usr/sbin/openvpn \ | |||
$(1)/usr/sbin/ | |||
$(INSTALL_BIN) \ | |||
files/openvpn.init \ | |||
$(1)/etc/init.d/openvpn | |||
$(INSTALL_BIN) \ | |||
files/usr/libexec/openvpn-hotplug \ | |||
$(1)/usr/libexec/openvpn-hotplug | |||
$(INSTALL_DATA) \ | |||
files/lib/functions/openvpn.sh \ | |||
$(1)/lib/functions/openvpn.sh | |||
$(INSTALL_DATA) \ | |||
files/etc/hotplug.d/openvpn/01-user \ | |||
$(1)/etc/hotplug.d/openvpn/01-user | |||
$(INSTALL_DATA) \ | |||
files/etc/openvpn.user \ | |||
$(1)/etc/openvpn.user | |||
$(INSTALL_DATA) \ | |||
files/openvpn.options \ | |||
$(1)/usr/share/openvpn/openvpn.options | |||
$(INSTALL_CONF) files/openvpn.config \ | |||
$(1)/etc/config/openvpn | |||
$(INSTALL_DATA) \ | |||
files/openvpn.upgrade \ | |||
$(1)/lib/upgrade/keep.d/openvpn | |||
endef | |||
$(eval $(call BuildPackage,openvpn-openssl)) | |||
$(eval $(call BuildPackage,openvpn-mbedtls)) | |||
$(eval $(call BuildPackage,openvpn-nossl)) |
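Review bot: `--enable-lz4` is driven by `OPENVPN_$(BUILD_VARIANT)_ENABLE_LZ4` in `Build/Configure`, but unlike LZO the `DEPENDS` line declares no liblz4 package, so the build presumably relies on OpenVPN's bundled LZ4 compatibility code; if a system liblz4 happens to be in the staging tree, configure may link it instead and the package ends up with an undeclared runtime dependency, so pin one behaviour explicitly (a `+OPENVPN_$(1)_ENABLE_LZ4:liblz4` entry in `DEPENDS`, or a configure switch forcing the bundled copy). `URL:=http://openvpn.net` should be `URL:=https://openvpn.net`, matching the https download URLs in `PKG_SOURCE_URL`. Pinning `PKG_HASH` is good; since this targets a release branch, also confirm against upstream's advisories whether a later 2.4.x point release than the pinned 2.4.9 is needed.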
@ -0,0 +1,22 @@ | |||
#!/bin/sh | |||
. /lib/functions/openvpn.sh | |||
[ -e "/etc/openvpn.user" ] && { | |||
env -i ACTION="$ACTION" INSTANCE="$INSTANCE" \ | |||
/bin/sh \ | |||
/etc/openvpn.user \ | |||
$* | |||
} | |||
# Wrap user defined scripts on up/down events | |||
case "$ACTION" in | |||
up|down) | |||
if get_openvpn_option "$config" command "$ACTION"; then | |||
shift | |||
exec /bin/sh -c "$command $*" | |||
fi | |||
;; | |||
esac | |||
exit 0 |
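Review bot: `exec /bin/sh -c "$command $*"` re-parses OpenVPN's up/down script arguments (device name, MTUs, addresses) as shell source, so an argument containing shell metacharacters changes what is executed; these values come from OpenVPN and in part from options the peer pushes, so they should be passed as data, not code. Keep `$command` as a shell fragment but hand the arguments over positionally: `exec /bin/sh -c "$command \"\$@\"" sh "$@"`; likewise the unquoted `$*` on the `env -i` invocation should be `"$@"` so arguments containing spaces survive. `$config` is never assigned in this file and is presumably inherited from the openvpn-hotplug dispatcher that runs the hook — a one-line comment such as `# $config (path of the instance config file) is exported by /usr/libexec/openvpn-hotplug` would make that dependency visible.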
@ -0,0 +1,11 @@ | |||
#!/bin/sh | |||
# | |||
# This file is interpreted as shell script. | |||
# Put your custom openvpn action here, they will | |||
# be executed with each opevnp event. | |||
# | |||
# $ACTION | |||
# <down> down action is generated after the TUN/TAP device is closed | |||
# <up> up action is generated after the TUN/TAP device is opened | |||
# $INSTANCE Name of the openvpn instance which went up or down | |||
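Review bot: The header has a typo and an agreement error: `# Put your custom openvpn action here, they will` / `# be executed with each opevnp event.` should read `# Put your custom openvpn actions here; they will` / `# be executed on each openvpn event.`. It would also help to state what the script may rely on: judging by the `env -i` call in the hook that runs it, only `ACTION` and `INSTANCE` are present in the environment and OpenVPN's own script arguments arrive as positional parameters — worth confirming and documenting here, since users will otherwise expect OpenVPN's usual exported variables to be available.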
@ -0,0 +1,16 @@ | |||
#!/bin/sh | |||
get_openvpn_option() { | |||
local config="$1" | |||
local variable="$2" | |||
local option="$3" | |||
local value="$(sed -rne 's/^[ \t]*'"$option"'[ \t]+(([^ \t\\]|\\.)+)[ \t]*$/\1/p' "$config" | tail -n1 | sed -re 's/\\(.)/\1/g')" | |||
[ -n "$value" ] || value="$(sed -rne 's/^[ \t]*'"$option"'[ \t]+'"'([^']+)'"'[ \t]*$/\1/p' "$config" | tail -n1)" | |||
[ -n "$value" ] || value="$(sed -rne 's/^[ \t]*'"$option"'[ \t]+"(([^"\\]|\\.)+)"[ \t]*$/\1/p' "$config" | tail -n1 | sed -re 's/\\(.)/\1/g')" | |||
[ -n "$value" ] || return 1 | |||
export -n "$variable=$value" | |||
return 0 | |||
} | |||
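Review bot: `get_openvpn_option` splices `$option` unescaped into three sed extended regexes and `$variable` into an assignment, so it is only correct with literal directive and variable names from trusted callers; that contract should be written down, e.g. `# get_openvpn_option <conf> <var> <directive>: set <var> (unexported) to the last single-line value of <directive> in <conf>` / `# <directive> and <var> are spliced into sed/assignment syntax unescaped - pass literal names only`. The lookup also sees only the last matching single line, so a directive supplied through a `config` include or inside an inline `<tag>` block is not found; noting that limitation helps callers such as the dev/dev-type lookup in the init script. `export -n` is relied on to assign without exporting, which is shell-specific behaviour (presumably busybox ash on this target) and deserves a short comment as well.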
@ -0,0 +1,474 @@ | |||
package openvpn | |||
################################################# | |||
# Sample to include a custom config file. # | |||
################################################# | |||
config openvpn custom_config | |||
# Set to 1 to enable this instance: | |||
option enabled 0 | |||
# Include OpenVPN configuration | |||
option config /etc/openvpn/my-vpn.conf | |||
################################################# | |||
# Sample OpenVPN 2.0 uci config for # | |||
# multi-client server. # | |||
################################################# | |||
config openvpn sample_server | |||
# Set to 1 to enable this instance: | |||
option enabled 0 | |||
# Which local IP address should OpenVPN | |||
# listen on? (optional) | |||
# option local 0.0.0.0 | |||
# Which TCP/UDP port should OpenVPN listen on? | |||
# If you want to run multiple OpenVPN instances | |||
# on the same machine, use a different port | |||
# number for each one. You will need to | |||
# open up this port on your firewall. | |||
option port 1194 | |||
# TCP or UDP server? | |||
# option proto tcp | |||
option proto udp | |||
# "dev tun" will create a routed IP tunnel, | |||
# "dev tap" will create an ethernet tunnel. | |||
# Use "dev tap0" if you are ethernet bridging | |||
# and have precreated a tap0 virtual interface | |||
# and bridged it with your ethernet interface. | |||
# If you want to control access policies | |||
# over the VPN, you must create firewall | |||
# rules for the the TUN/TAP interface. | |||
# On non-Windows systems, you can give | |||
# an explicit unit number, such as tun0. | |||
# On Windows, use "dev-node" for this. | |||
# On most systems, the VPN will not function | |||
# unless you partially or fully disable | |||
# the firewall for the TUN/TAP interface. | |||
# option dev tap | |||
option dev tun | |||
# SSL/TLS root certificate (ca), certificate | |||
# (cert), and private key (key). Each client | |||
# and the server must have their own cert and | |||
# key file. The server and all clients will | |||
# use the same ca file. | |||
# | |||
# See the "easy-rsa" directory for a series | |||
# of scripts for generating RSA certificates | |||
# and private keys. Remember to use | |||
# a unique Common Name for the server | |||
# and each of the client certificates. | |||
# | |||
# Any X509 key management system can be used. | |||
# OpenVPN can also use a PKCS #12 formatted key file | |||
# (see "pkcs12" directive in man page). | |||
option ca /etc/openvpn/ca.crt | |||
option cert /etc/openvpn/server.crt | |||
# This file should be kept secret: | |||
option key /etc/openvpn/server.key | |||
# Diffie hellman parameters. | |||
# Generate your own with: | |||
# openssl dhparam -out dh2048.pem 2048 | |||
# Substitute 2048 for 1024 if you are using | |||
# 1024 bit keys. | |||
option dh /etc/openvpn/dh2048.pem | |||
# Configure server mode and supply a VPN subnet | |||
# for OpenVPN to draw client addresses from. | |||
# The server will take 10.8.0.1 for itself, | |||
# the rest will be made available to clients. | |||
# Each client will be able to reach the server | |||
# on 10.8.0.1. Comment this line out if you are | |||
# ethernet bridging. See the man page for more info. | |||
option server "10.8.0.0 255.255.255.0" | |||
# Maintain a record of client <-> virtual IP address | |||
# associations in this file. If OpenVPN goes down or | |||
# is restarted, reconnecting clients can be assigned | |||
# the same virtual IP address from the pool that was | |||
# previously assigned. | |||
option ifconfig_pool_persist /tmp/ipp.txt | |||
# Configure server mode for ethernet bridging. | |||
# You must first use your OS's bridging capability | |||
# to bridge the TAP interface with the ethernet | |||
# NIC interface. Then you must manually set the | |||
# IP/netmask on the bridge interface, here we | |||
# assume 10.8.0.4/255.255.255.0. Finally we | |||
# must set aside an IP range in this subnet | |||
# (start=10.8.0.50 end=10.8.0.100) to allocate | |||
# to connecting clients. Leave this line commented | |||
# out unless you are ethernet bridging. | |||
# option server_bridge "10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100" | |||
# Push routes to the client to allow it | |||
# to reach other private subnets behind | |||
# the server. Remember that these | |||
# private subnets will also need | |||
# to know to route the OpenVPN client | |||
# address pool (10.8.0.0/255.255.255.0) | |||
# back to the OpenVPN server. | |||
# list push "route 192.168.10.0 255.255.255.0" | |||
# list push "route 192.168.20.0 255.255.255.0" | |||
# To assign specific IP addresses to specific | |||
# clients or if a connecting client has a private | |||
# subnet behind it that should also have VPN access, | |||
# use the subdirectory "ccd" for client-specific | |||
# configuration files (see man page for more info). | |||
# EXAMPLE: Suppose the client | |||
# having the certificate common name "Thelonious" | |||
# also has a small subnet behind his connecting | |||
# machine, such as 192.168.40.128/255.255.255.248. | |||
# First, uncomment out these lines: | |||
# option client_config_dir /etc/openvpn/ccd | |||
# list route "192.168.40.128 255.255.255.248" | |||
# Then create a file ccd/Thelonious with this line: | |||
# iroute 192.168.40.128 255.255.255.248 | |||
# This will allow Thelonious' private subnet to | |||
# access the VPN. This example will only work | |||
# if you are routing, not bridging, i.e. you are | |||
# using "dev tun" and "server" directives. | |||
# EXAMPLE: Suppose you want to give | |||
# Thelonious a fixed VPN IP address of 10.9.0.1. | |||
# First uncomment out these lines: | |||
# option client_config_dir /etc/openvpn/ccd | |||
# list route "10.9.0.0 255.255.255.252" | |||
# list route "192.168.100.0 255.255.255.0" | |||
# Then add this line to ccd/Thelonious: | |||
# ifconfig-push "10.9.0.1 10.9.0.2" | |||
# Suppose that you want to enable different | |||
# firewall access policies for different groups | |||
# of clients. There are two methods: | |||
# (1) Run multiple OpenVPN daemons, one for each | |||
# group, and firewall the TUN/TAP interface | |||
# for each group/daemon appropriately. | |||
# (2) (Advanced) Create a script to dynamically | |||
# modify the firewall in response to access | |||
# from different clients. See man | |||
# page for more info on learn-address script. | |||
# option learn_address /etc/openvpn/script | |||
# If enabled, this directive will configure | |||
# all clients to redirect their default | |||
# network gateway through the VPN, causing | |||
# all IP traffic such as web browsing and | |||
# and DNS lookups to go through the VPN | |||
# (The OpenVPN server machine may need to NAT | |||
# the TUN/TAP interface to the internet in | |||
# order for this to work properly). | |||
# CAVEAT: May break client's network config if | |||
# client's local DHCP server packets get routed | |||
# through the tunnel. Solution: make sure | |||
# client's local DHCP server is reachable via | |||
# a more specific route than the default route | |||
# of 0.0.0.0/0.0.0.0. | |||
# list push "redirect-gateway" | |||
# Certain Windows-specific network settings | |||
# can be pushed to clients, such as DNS | |||
# or WINS server addresses. CAVEAT: | |||
# http://openvpn.net/faq.html#dhcpcaveats | |||
# list push "dhcp-option DNS 10.8.0.1" | |||
# list push "dhcp-option WINS 10.8.0.1" | |||
# Uncomment this directive to allow different | |||
# clients to be able to "see" each other. | |||
# By default, clients will only see the server. | |||
# To force clients to only see the server, you | |||
# will also need to appropriately firewall the | |||
# server's TUN/TAP interface. | |||
# option client_to_client 1 | |||
# Uncomment this directive if multiple clients | |||
# might connect with the same certificate/key | |||
# files or common names. This is recommended | |||
# only for testing purposes. For production use, | |||
# each client should have its own certificate/key | |||
# pair. | |||
# | |||
# IF YOU HAVE NOT GENERATED INDIVIDUAL | |||
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT, | |||
# EACH HAVING ITS OWN UNIQUE "COMMON NAME", | |||
# UNCOMMENT THIS LINE OUT. | |||
# option duplicate_cn 1 | |||
# The keepalive directive causes ping-like | |||
# messages to be sent back and forth over | |||
# the link so that each side knows when | |||
# the other side has gone down. | |||
# Ping every 10 seconds, assume that remote | |||
# peer is down if no ping received during | |||
# a 120 second time period. | |||
option keepalive "10 120" | |||
# For extra security beyond that provided | |||
# by SSL/TLS, create an "HMAC firewall" | |||
# to help block DoS attacks and UDP port flooding. | |||
# | |||
# Generate with: | |||
# openvpn --genkey --secret ta.key | |||
# | |||
# The server and each client must have | |||
# a copy of this key. | |||
# The second parameter should be '0' | |||
# on the server and '1' on the clients. | |||
# This file is secret: | |||
# option tls_auth "/etc/openvpn/ta.key 0" | |||
# For additional privacy, a shared secret key | |||
# can be used for both authentication (as in tls_auth) | |||
# and encryption of the TLS control channel. | |||
# | |||
# Generate a shared secret with: | |||
# openvpn --genkey --secret ta.key | |||
# | |||
# The server and each client must have | |||
# a copy of this key. | |||
# | |||
# tls_auth and tls_crypt should NOT | |||
# be combined, as tls_crypt implies tls_auth. | |||
# Use EITHER tls_crypt, tls_auth, or neither option. | |||
# option tls_crypt "/etc/openvpn/ta.key" | |||
# Set the minimum required TLS protocol version | |||
# for all connections. | |||
# | |||
# Require at least TLS 1.1 | |||
# option tls_version_min "1.1" | |||
# Require at least TLS 1.2 | |||
# option tls_version_min "1.2" | |||
# Require TLS 1.2, or the highest version supported | |||
# on the system | |||
# option tls_version_min "1.2 'or-highest'" | |||
# OpenVPN versions 2.4 and later will attempt to | |||
# automatically negotiate the most secure cipher | |||
# between the client and server, regardless of a | |||
# configured "option cipher" (see below). | |||
# Automatic negotiation is recommended. | |||
# | |||
# Uncomment this option to disable this behavior, | |||
# and force all OpenVPN peers to use the configured | |||
# cipher option instead (not recommended). | |||
# option ncp_disable | |||
# Select a cryptographic cipher. | |||
# This config item must be copied to | |||
# the client config file as well. | |||
# | |||
# To see all supported ciphers, run: | |||
# openvpn --show-ciphers | |||
# | |||
# Blowfish (default for backwards compatibility, | |||
# but not recommended due to weaknesses): | |||
# option cipher BF-CBC | |||
# AES: | |||
# option cipher AES-128-CBC | |||
# Triple-DES: | |||
# option cipher DES-EDE3-CBC | |||
# Enable compression on the VPN link. | |||
# If you enable it here, you must also | |||
# enable it in the client config file. | |||
# | |||
# Compression is not recommended, as compression and | |||
# encryption in combination can weaken the security | |||
# of the connection. | |||
# | |||
# LZ4 requires OpenVPN 2.4+ client and server | |||
# option compress lz4 | |||
# LZO is compatible with most OpenVPN versions | |||
# (set "compress lzo" on 2.4+ clients, and "comp-lzo yes" on older clients) | |||
# option compress lzo | |||
# The maximum number of concurrently connected | |||
# clients we want to allow. | |||
# option max_clients 100 | |||
# The persist options will try to avoid | |||
# accessing certain resources on restart | |||
# that may no longer be accessible because | |||
# of the privilege downgrade. | |||
option persist_key 1 | |||
option persist_tun 1 | |||
option user nobody | |||
# Output a short status file showing | |||
# current connections, truncated | |||
# and rewritten every minute. | |||
option status /tmp/openvpn-status.log | |||
# By default, log messages will go to the syslog (or | |||
# on Windows, if running as a service, they will go to | |||
# the "\Program Files\OpenVPN\log" directory). | |||
# Use log or log-append to override this default. | |||
# "log" will truncate the log file on OpenVPN startup, | |||
# while "log-append" will append to it. Use one | |||
# or the other (but not both). | |||
# option log /tmp/openvpn.log | |||
# option log_append /tmp/openvpn.log | |||
# Set the appropriate level of log | |||
# file verbosity. | |||
# | |||
# 0 is silent, except for fatal errors | |||
# 4 is reasonable for general usage | |||
# 5 and 6 can help to debug connection problems | |||
# 9 is extremely verbose | |||
option verb 3 | |||
# Silence repeating messages. At most 20 | |||
# sequential messages of the same message | |||
# category will be output to the log. | |||
# option mute 20 | |||
############################################## | |||
# Sample client-side OpenVPN 2.0 uci config # | |||
# for connecting to multi-client server. # | |||
############################################## | |||
config openvpn sample_client | |||
# Set to 1 to enable this instance: | |||
option enabled 0 | |||
# Specify that we are a client and that we | |||
# will be pulling certain config file directives | |||
# from the server. | |||
option client 1 | |||
# Use the same setting as you are using on | |||
# the server. | |||
# On most systems, the VPN will not function | |||
# unless you partially or fully disable | |||
# the firewall for the TUN/TAP interface. | |||
# option dev tap | |||
option dev tun | |||
# Are we connecting to a TCP or | |||
# UDP server? Use the same setting as | |||
# on the server. | |||
# option proto tcp | |||
option proto udp | |||
# The hostname/IP and port of the server. | |||
# You can have multiple remote entries | |||
# to load balance between the servers. | |||
list remote "my_server_1 1194" | |||
# list remote "my_server_2 1194" | |||
# Choose a random host from the remote | |||
# list for load_balancing. Otherwise | |||
# try hosts in the order specified. | |||
# option remote_random 1 | |||
# Keep trying indefinitely to resolve the | |||
# host name of the OpenVPN server. Very useful | |||
# on machines which are not permanently connected | |||
# to the internet such as laptops. | |||
option resolv_retry infinite | |||
# Most clients don't need to bind to | |||
# a specific local port number. | |||
option nobind 1 | |||
# Try to preserve some state across restarts. | |||
option persist_key 1 | |||
option persist_tun 1 | |||
option user nobody | |||
# If you are connecting through an | |||
# HTTP proxy to reach the actual OpenVPN | |||
# server, put the proxy server/IP and | |||
# port number here. See the man page | |||
# if your proxy server requires | |||
# authentication. | |||
# retry on connection failures: | |||
# option http_proxy_retry 1 | |||
# specify http proxy address and port: | |||
# option http_proxy "192.168.1.100 8080" | |||
# Wireless networks often produce a lot | |||
# of duplicate packets. Set this flag | |||
# to silence duplicate packet warnings. | |||
# option mute_replay_warnings 1 | |||
# SSL/TLS parms. | |||
# See the server config file for more | |||
# description. It's best to use | |||
# a separate .crt/.key file pair | |||
# for each client. A single ca | |||
# file can be used for all clients. | |||
option ca /etc/openvpn/ca.crt | |||
option cert /etc/openvpn/client.crt | |||
option key /etc/openvpn/client.key | |||
# Verify server certificate by checking | |||
# that the certicate has the key usage | |||
# field set to "server". This is an | |||
# important precaution to protect against | |||
# a potential attack discussed here: | |||
# http://openvpn.net/howto.html#mitm | |||
# | |||
# To use this feature, you will need to generate | |||
# your server certificates with the nsCertType | |||
# field set to "server". The build_key_server | |||
# script in the easy_rsa folder will do this. | |||
# option remote_cert_tls server | |||
# If a tls_auth key is used on the server | |||
# then every client must also have the key. | |||
# option tls_auth "/etc/openvpn/ta.key 1" | |||
# If a tls_crypt key is used on the server | |||
# every client must also have the key. | |||
# option tls_crypt "/etc/openvpn/ta.key" | |||
# Set the minimum required TLS protocol version | |||
# for all connections. | |||
# | |||
# Require at least TLS 1.1 | |||
# option tls_version_min "1.1" | |||
# Require at least TLS 1.2 | |||
# option tls_version_min "1.2" | |||
# Require TLS 1.2, or the highest version supported | |||
# on the system | |||
# option tls_version_min "1.2 'or-highest'" | |||
# Select a cryptographic cipher. | |||
# If the cipher option is used on the server | |||
# then you must also specify it here. | |||
# option cipher x | |||
# Enable compression on the VPN link. | |||
# Don't enable this unless it is also | |||
# enabled in the server config file. | |||
# | |||
# Compression is not recommended, as compression and | |||
# encryption in combination can weaken the security | |||
# of the connection. | |||
# | |||
# LZ4 requires OpenVPN 2.4+ on server and client | |||
# option compress lz4 | |||
# LZO is compatible with most OpenVPN versions | |||
# option compress lzo | |||
# Set log file verbosity. | |||
option verb 3 | |||
# Silence repeating messages | |||
# option mute 20 |
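Review bot: The client sample leaves `# option remote_cert_tls server` commented out even though its own comment names the MITM scenario it prevents; without it any certificate issued by the CA, including another client's, is accepted as the server, so the sample should ship with `option remote_cert_tls server` enabled. The explanation above it also talks about the nsCertType field and `build_key_server`, which is what the deprecated `ns_cert_type` check verifies, whereas `remote_cert_tls` verifies the key usage / extended key usage extensions — reword it to something like `# To use this feature, your server certificate needs the server extended key usage (easy-rsa's server certificate build sets it).`. The server sample's cipher block still presents Blowfish and CBC modes as the choices; with 2.4's cipher negotiation an AEAD cipher such as AES-256-GCM is what peers actually negotiate, and the comment could say so instead of listing `BF-CBC` first.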
@ -0,0 +1,209 @@ | |||
#!/bin/sh /etc/rc.common | |||
# Copyright (C) 2008-2013 OpenWrt.org | |||
# Copyright (C) 2008 Jo-Philipp Wich | |||
# This is free software, licensed under the GNU General Public License v2. | |||
# See /LICENSE for more information. | |||
START=90 | |||
STOP=10 | |||
USE_PROCD=1 | |||
PROG=/usr/sbin/openvpn | |||
LIST_SEP=" | |||
" | |||
UCI_STARTED= | |||
UCI_DISABLED= | |||
append_param() { | |||
local s="$1" | |||
local v="$2" | |||
case "$v" in | |||
*_*_*_*) v=${v%%_*}-${v#*_}; v=${v%%_*}-${v#*_}; v=${v%%_*}-${v#*_} ;; | |||
*_*_*) v=${v%%_*}-${v#*_}; v=${v%%_*}-${v#*_} ;; | |||
*_*) v=${v%%_*}-${v#*_} ;; | |||
esac | |||
echo -n "$v" >> "/var/etc/openvpn-$s.conf" | |||
return 0 | |||
} | |||
append_bools() { | |||
local p; local v; local s="$1"; shift | |||
for p in $*; do | |||
config_get_bool v "$s" "$p" | |||
[ "$v" = 1 ] && append_param "$s" "$p" && echo >> "/var/etc/openvpn-$s.conf" | |||
done | |||
} | |||
append_params() { | |||
local p; local v; local s="$1"; shift | |||
for p in $*; do | |||
config_get v "$s" "$p" | |||
IFS="$LIST_SEP" | |||
for v in $v; do | |||
[ -n "$v" ] && [ "$p" != "push" ] && append_param "$s" "$p" && echo " $v" >> "/var/etc/openvpn-$s.conf" | |||
[ -n "$v" ] && [ "$p" = "push" ] && append_param "$s" "$p" && echo " \"$v\"" >> "/var/etc/openvpn-$s.conf" | |||
done | |||
unset IFS | |||
done | |||
} | |||
append_list() { | |||
local p; local v; local s="$1"; shift | |||
list_cb_append() { | |||
v="${v}:$1" | |||
} | |||
for p in $*; do | |||
unset v | |||
config_list_foreach "$s" "$p" list_cb_append | |||
[ -n "$v" ] && append_param "$s" "$p" && echo " ${v:1}" >> "/var/etc/openvpn-$s.conf" | |||
done | |||
} | |||
section_enabled() { | |||
config_get_bool enable "$1" 'enable' 0 | |||
config_get_bool enabled "$1" 'enabled' 0 | |||
[ $enable -gt 0 ] || [ $enabled -gt 0 ] | |||
} | |||
openvpn_get_dev() { | |||
local dev dev_type | |||
local name="$1" | |||
local conf="$2" | |||
# Do override only for configurations with config_file | |||
config_get config_file "$name" config | |||
[ -n "$config_file" ] || return | |||
# Check there is someething to override | |||
config_get dev "$name" dev | |||
config_get dev_type "$name" dev_type | |||
[ -n "$dev" ] || return | |||
# If there is a no dev_type, try to guess it | |||
if [ -z "$dev_type" ]; then | |||
. /lib/functions/openvpn.sh | |||
local odev odev_type | |||
get_openvpn_option "$conf" odev dev | |||
get_openvpn_option "$conf" odev_type dev-type | |||
[ -n "$odev_type" ] || odev_type="$odev" | |||
case "$odev_type" in | |||
tun*) dev_type="tun" ;; | |||
tap*) dev_type="tap" ;; | |||
*) return;; | |||
esac | |||
fi | |||
# Return overrides | |||
echo "--dev-type $dev_type --dev $dev" | |||
} | |||
openvpn_add_instance() { | |||
local name="$1" | |||
local dir="$2" | |||
local conf="$3" | |||
local security="$4" | |||
procd_open_instance "$name" | |||
procd_set_param command "$PROG" \ | |||
--syslog "openvpn($name)" \ | |||
--status "/var/run/openvpn.$name.status" \ | |||
--cd "$dir" \ | |||
--config "$conf" \ | |||
--up "/usr/libexec/openvpn-hotplug up $name" \ | |||
--down "/usr/libexec/openvpn-hotplug down $name" \ | |||
--script-security "${security:-2}" \ | |||
$(openvpn_get_dev "$name" "$conf") | |||
procd_set_param file "$dir/$conf" | |||
procd_set_param term_timeout 15 | |||
procd_set_param respawn | |||
procd_append_param respawn 3600 | |||
procd_append_param respawn 5 | |||
procd_append_param respawn -1 | |||
procd_close_instance | |||
} | |||
start_instance() { | |||
local s="$1" | |||
config_get config "$s" config | |||
config="${config:+$(readlink -f "$config")}" | |||
section_enabled "$s" || { | |||
append UCI_DISABLED "$config" "$LIST_SEP" | |||
return 1 | |||
} | |||
local script_security | |||
config_get script_security "$s" script_security | |||
[ ! -d "/var/run" ] && mkdir -p "/var/run" | |||
if [ ! -z "$config" ]; then | |||
append UCI_STARTED "$config" "$LIST_SEP" | |||
openvpn_add_instance "$s" "${config%/*}" "$config" "$script_security" | |||
return | |||
fi | |||
[ ! -d "/var/etc" ] && mkdir -p "/var/etc" | |||
[ -f "/var/etc/openvpn-$s.conf" ] && rm "/var/etc/openvpn-$s.conf" | |||
append_bools "$s" $OPENVPN_BOOLS | |||
append_params "$s" $OPENVPN_PARAMS | |||
append_list "$s" $OPENVPN_LIST | |||
openvpn_add_instance "$s" "/var/etc" "openvpn-$s.conf" "$script_security" | |||
} | |||
start_service() { | |||
local instance="$1" | |||
local instance_found=0 | |||
config_cb() { | |||
local type="$1" | |||
local name="$2" | |||
if [ "$type" = "openvpn" ]; then | |||
if [ -n "$instance" -a "$instance" = "$name" ]; then | |||
instance_found=1 | |||
fi | |||
fi | |||
} | |||
. /usr/share/openvpn/openvpn.options | |||
config_load 'openvpn' | |||
if [ -n "$instance" ]; then | |||
[ "$instance_found" -gt 0 ] || return | |||
start_instance "$instance" | |||
else | |||
config_foreach start_instance 'openvpn' | |||
local path name | |||
for path in /etc/openvpn/*.conf; do | |||
if [ -f "$path" ]; then | |||
name="${path##*/}"; name="${name%.conf}" | |||
# don't start configs again that are already started by uci | |||
if echo "$UCI_STARTED" | grep -qxF "$path"; then | |||
continue | |||
# don't start configs which are set to disabled in uci | |||
elif echo "$UCI_DISABLED" | grep -qxF "$path"; then | |||
logger -t openvpn "$name.conf is disabled in /etc/config/openvpn" | |||
continue | |||
fi | |||
openvpn_add_instance "$name" "${path%/*}" "$path" | |||
fi | |||
done | |||
fi | |||
} | |||
service_triggers() { | |||
procd_add_reload_trigger openvpn | |||
} |
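Review bot: `procd_set_param file "$dir/$conf"` in `openvpn_add_instance` is wrong for two of its three callers: `start_instance` passes the absolute `readlink -f` result and the `/etc/openvpn/*.conf` loop passes `$path`, both absolute, so the registered path becomes `/etc/openvpn//etc/openvpn/<name>.conf`, which does not exist and presumably disables procd's config-change tracking for those instances; only the UCI-rendered call (`"/var/etc" "openvpn-$s.conf"`) passes a relative name. Handle both forms: `case "$conf" in /*) procd_set_param file "$conf" ;; *) procd_set_param file "$dir/$conf" ;; esac`. The rendered `/var/etc/openvpn-$s.conf` is also built with `>>` under the service's default umask, so it is world-readable; the values are mostly file paths, but if any UCI option can carry credential material it would be exposed, and a `umask 077` before the `append_*` calls (or creating the file with a restricted mode first) is cheap insurance.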
@ -0,0 +1,194 @@ | |||
OPENVPN_PARAMS=' | |||
askpass | |||
auth | |||
auth_retry | |||
auth_user_pass | |||
auth_user_pass_verify | |||
bcast_buffers | |||
ca | |||
capath | |||
cd | |||
cert | |||
chroot | |||
cipher | |||
client_config_dir | |||
client_connect | |||
client_disconnect | |||
comp_lzo | |||
compress | |||
connect_freq | |||
connect_retry | |||
connect_retry_max | |||
connect_timeout | |||
crl_verify | |||
dev | |||
dev_node | |||
dev_type | |||
dh | |||
ecdh_curve | |||
echo | |||
engine | |||
explicit_exit_notify | |||
extra_certs | |||
fragment | |||
group | |||
hand_window | |||
hash_size | |||
http_proxy | |||
http_proxy_option | |||
http_proxy_timeout | |||
ifconfig | |||
ifconfig_ipv6 | |||
ifconfig_ipv6_pool | |||
ifconfig_ipv6_push | |||
ifconfig_pool | |||
ifconfig_pool_persist | |||
ifconfig_push | |||
inactive | |||
ipchange | |||
iroute | |||
iroute_ipv6 | |||
keepalive | |||
key | |||
key_direction | |||
key_method | |||
keysize | |||
learn_address | |||
link_mtu | |||
lladdr | |||
local | |||
log | |||
log_append | |||
lport | |||
management | |||
management_log_cache | |||
max_clients | |||
max_routes_per_client | |||
mode | |||
mssfix | |||
mtu_disc | |||
mute | |||
nice | |||
ns_cert_type | |||
ping | |||
ping_exit | |||
ping_restart | |||
pkcs12 | |||
plugin | |||
port | |||
port_share | |||
prng | |||
proto | |||
pull_filter | |||
push | |||
rcvbuf | |||
redirect_gateway | |||
remap_usr1 | |||
remote | |||
remote_cert_eku | |||
remote_cert_ku | |||
remote_cert_tls | |||
reneg_bytes | |||
reneg_pkts | |||
reneg_sec | |||
replay_persist | |||
replay_window | |||
resolv_retry | |||
route | |||
route_delay | |||
route_gateway | |||
route_ipv6 | |||
route_metric | |||
route_pre_down | |||
route_up | |||
rport | |||
secret | |||
server | |||
server_bridge | |||
server_ipv6 | |||
setenv | |||
shaper | |||
sndbuf | |||
socks_proxy | |||
status | |||
status_version | |||
syslog | |||
tcp_queue_limit | |||
tls_auth | |||
tls_crypt | |||
tls_timeout | |||
tls_verify | |||
tls_version_min | |||
tmp_dir | |||
topology | |||
tran_window | |||
tun_mtu | |||
tun_mtu_extra | |||
txqueuelen | |||
user | |||
verb | |||
verify_client_cert | |||
verify_x509_name | |||
x509_username_field | |||
' | |||
OPENVPN_BOOLS=' | |||
allow_recursive_routing | |||
auth_nocache | |||
auth_user_pass_optional | |||
bind | |||
ccd_exclusive | |||
client | |||
client_to_client | |||
comp_noadapt | |||
disable | |||
disable_occ | |||
down_pre | |||
duplicate_cn | |||
fast_io | |||
float | |||
http_proxy_retry | |||
ifconfig_noexec | |||
ifconfig_nowarn | |||
management_forget_disconnect | |||
management_hold | |||
management_query_passwords | |||
management_signal | |||
mktun | |||
mlock | |||
mtu_test | |||
multihome | |||
mute_replay_warnings | |||
ncp_disable | |||
nobind | |||
opt_verify | |||
passtos | |||
persist_key | |||
persist_local_ip | |||
persist_remote_ip | |||
persist_tun | |||
ping_timer_rem | |||
pull | |||
push_reset | |||
remote_random | |||
rmtun | |||
route_noexec | |||
route_nopull | |||
single_session | |||
socks_proxy_retry | |||
suppress_timestamps | |||
tcp_nodelay | |||
test_crypto | |||
tls_client | |||
tls_exit | |||
tls_server | |||
up_delay | |||
up_restart | |||
username_as_common_name | |||
' | |||
OPENVPN_LIST=' | |||
ncp_ciphers | |||
tls_cipher | |||
tls_ciphersuites | |||
' |
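Review bot: The file defines three option-name lists without saying how they are consumed, and the distinction matters because the init script in this commit feeds them to `append_bools "$s" $OPENVPN_BOOLS`, `append_params "$s" $OPENVPN_PARAMS` and `append_list "$s" $OPENVPN_LIST` when it generates `/var/etc/openvpn-<instance>.conf`. A header comment such as `# uci option names copied into the generated config (underscore form, presumably mapped to the dashed openvpn option by the append_* helpers): OPENVPN_PARAMS take a value, OPENVPN_BOOLS are flags, OPENVPN_LIST entries are uci lists` would tell a maintainer which list a new option belongs in. That comment should also note that several PARAMS entries (`auth_user_pass_verify`, `client_connect`, `client_disconnect`, `learn_address`, `ipchange`, `route_up`, `route_pre_down`, `tls_verify`, `plugin`) make openvpn execute external programs, so write access to `/etc/config/openvpn` amounts to running code as the openvpn process, and that `script_security`, which gates those, is deliberately not in these lists but handled by the init script on its own.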
@ -0,0 +1 @@ | |||
/etc/openvpn/ |
@ -0,0 +1,10 @@ | |||
#!/bin/sh | |||
ACTION=$1 | |||
shift | |||
INSTANCE=$1 | |||
shift | |||
export ACTION=$ACTION | |||
export INSTANCE=$INSTANCE | |||
exec /sbin/hotplug-call openvpn "$@" |
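Review bot: `ACTION=$1` and `INSTANCE=$1` are assigned unquoted and then exported from a second assignment; the four lines collapse to `export ACTION="$1"; shift` and `export INSTANCE="$1"; shift`, which also quotes the values. Nothing checks that at least two arguments were supplied, so a call with fewer makes `shift` fail, and whether that aborts the script or lets it run on with empty ACTION/INSTANCE depends on the shell. The script also has no header comment; a line such as `# presumably invoked as an openvpn script hook with <action> <instance> followed by openvpn's own hook arguments: exports ACTION/INSTANCE and forwards the rest to hotplug-call openvpn` (with the caller confirmed from the init script, which does not show where this script is wired in) would document the expected argv.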
@ -0,0 +1,10 @@ | |||
--- a/src/openvpn/options.c | |||
+++ b/src/openvpn/options.c | |||
@@ -106,7 +106,6 @@ const char title_string[] = | |||
#ifdef HAVE_AEAD_CIPHER_MODES | |||
" [AEAD]" | |||
#endif | |||
- " built on " __DATE__ | |||
; | |||
#ifndef ENABLE_SMALL |
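Review bot: The patch has no description above its `---` line, so the reason for dropping `" built on " __DATE__` from `title_string` is not recorded; presumably it is to make the binary reproducible, since `__DATE__` changes the build output from day to day. A header such as `Drop __DATE__ from the version banner so that rebuilding from the same sources yields an identical binary (reproducible builds)` would document that. The hunk only covers the tail of the `title_string` initialiser, whose start is outside it.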
@ -0,0 +1,11 @@ | |||
--- a/src/openvpn/ssl_mbedtls.c | |||
+++ b/src/openvpn/ssl_mbedtls.c | |||
@@ -1415,7 +1415,7 @@ const char * | |||
get_ssl_library_version(void) | |||
{ | |||
static char mbedtls_version[30]; | |||
- unsigned int pv = mbedtls_version_get_number(); | |||
+ unsigned int pv = MBEDTLS_VERSION_NUMBER; | |||
sprintf( mbedtls_version, "mbed TLS %d.%d.%d", | |||
(pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff ); | |||
return mbedtls_version; |
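Review bot: Replacing `mbedtls_version_get_number()` with `MBEDTLS_VERSION_NUMBER` changes `get_ssl_library_version()` from reporting the library actually linked to reporting the header version openvpn was compiled against; with a shared libmbedtls the two diverge after a library upgrade, so the version shown in `--version` output and logs can be stale, which matters when checking whether a vulnerable mbed TLS build is in use. The patch carries no description; presumably the runtime call was dropped because the mbed TLS build used here omits it (e.g. when `MBEDTLS_VERSION_C` is disabled), and a header line stating that would let a maintainer revert the change once the symbol is available. The 30-byte buffer and unchecked `sprintf` are pre-existing and safe here, since each `%d` field is masked with `& 0xff`.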
@ -0,0 +1,58 @@ | |||
From 17a476fd5c8cc49f1d103a50199e87ede76b1b67 Mon Sep 17 00:00:00 2001 | |||
From: Steffan Karger <steffan@karger.me> | |||
Date: Sun, 26 Nov 2017 16:04:00 +0100 | |||
Subject: [PATCH] openssl: don't use deprecated SSLEAY/SSLeay symbols | |||
Compiling our current master against OpenSSL 1.1 with | |||
-DOPENSSL_API_COMPAT=0x10100000L screams bloody murder. This patch fixes | |||
the errors about the deprecated SSLEAY/SSLeay symbols and defines. | |||
Signed-off-by: Steffan Karger <steffan@karger.me> | |||
Acked-by: Gert Doering <gert@greenie.muc.de> | |||
Message-Id: <20171126150401.28565-1-steffan@karger.me> | |||
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15934.html | |||
Signed-off-by: Gert Doering <gert@greenie.muc.de> | |||
--- | |||
configure.ac | 1 + | |||
src/openvpn/openssl_compat.h | 8 ++++++++ | |||
src/openvpn/ssl_openssl.c | 2 +- | |||
3 files changed, 10 insertions(+), 1 deletion(-) | |||
--- a/configure.ac | |||
+++ b/configure.ac | |||
@@ -904,6 +904,7 @@ if test "${enable_crypto}" = "yes" -a "$ | |||
EVP_MD_CTX_free \ | |||
EVP_MD_CTX_reset \ | |||
EVP_CIPHER_CTX_reset \ | |||
+ OpenSSL_version \ | |||
SSL_CTX_get_default_passwd_cb \ | |||
SSL_CTX_get_default_passwd_cb_userdata \ | |||
SSL_CTX_set_security_level \ | |||
--- a/src/openvpn/openssl_compat.h | |||
+++ b/src/openvpn/openssl_compat.h | |||
@@ -689,6 +689,14 @@ EC_GROUP_order_bits(const EC_GROUP *grou | |||
#endif | |||
/* SSLeay symbols have been renamed in OpenSSL 1.1 */ | |||
+#ifndef OPENSSL_VERSION | |||
+#define OPENSSL_VERSION SSLEAY_VERSION | |||
+#endif | |||
+ | |||
+#ifndef HAVE_OPENSSL_VERSION | |||
+#define OpenSSL_version SSLeay_version | |||
+#endif | |||
+ | |||
#if !defined(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT) | |||
#define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT | |||
#endif | |||
--- a/src/openvpn/ssl_openssl.c | |||
+++ b/src/openvpn/ssl_openssl.c | |||
@@ -2008,7 +2008,7 @@ get_highest_preference_tls_cipher(char * | |||
const char * | |||
get_ssl_library_version(void) | |||
{ | |||
- return SSLeay_version(SSLEAY_VERSION); | |||
+ return OpenSSL_version(OPENSSL_VERSION); | |||
} | |||
#endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL) */ |
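Review bot: The `#ifndef HAVE_OPENSSL_VERSION` fallback in openssl_compat.h only does the right thing if `configure` is regenerated from the patched `configure.ac`; if the package builds with the shipped `configure`, the macro is never defined and `OpenSSL_version` is always mapped back to `SSLeay_version`, silently reinstating the deprecated symbol this patch removes, and with the `-DOPENSSL_API_COMPAT=0x10100000L` setting named in the description that may fail to compile. The package Makefile, which is not in this chunk, should therefore carry `PKG_FIXUP:=autoreconf` or equivalent; worth confirming. The hunks themselves are an unmodified upstream backport, so no change to the patch body is needed.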
@ -0,0 +1,65 @@ | |||
From 1987498271abadf042d8bb3feee1fe0d877a9d55 Mon Sep 17 00:00:00 2001 | |||
From: Steffan Karger <steffan@karger.me> | |||
Date: Sun, 26 Nov 2017 16:49:12 +0100 | |||
Subject: [PATCH] openssl: add missing #include statements | |||
Compiling our current master against OpenSSL 1.1 with | |||
-DOPENSSL_API_COMPAT=0x10100000L screams bloody murder. This patch fixes | |||
the errors caused by missing includes. Previous openssl versions would | |||
usually include 'the rest of the world', but they're fixing that. So we | |||
should no longer rely on it. | |||
(And sneaking in alphabetic ordering of the includes while touching them.) | |||
Signed-off-by: Steffan Karger <steffan@karger.me> | |||
Acked-by: Gert Doering <gert@greenie.muc.de> | |||
Message-Id: <20171126154912.13283-1-steffan@karger.me> | |||
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15936.html | |||
Signed-off-by: Gert Doering <gert@greenie.muc.de> | |||
--- | |||
src/openvpn/openssl_compat.h | 1 + | |||
src/openvpn/ssl_openssl.c | 6 +++++- | |||
src/openvpn/ssl_verify_openssl.c | 3 ++- | |||
3 files changed, 8 insertions(+), 2 deletions(-) | |||
--- a/src/openvpn/openssl_compat.h | |||
+++ b/src/openvpn/openssl_compat.h | |||
@@ -42,6 +42,7 @@ | |||
#include "buffer.h" | |||
+#include <openssl/rsa.h> | |||
#include <openssl/ssl.h> | |||
#include <openssl/x509.h> | |||
--- a/src/openvpn/ssl_openssl.c | |||
+++ b/src/openvpn/ssl_openssl.c | |||
@@ -52,10 +52,14 @@ | |||
#include "ssl_verify_openssl.h" | |||
+#include <openssl/bn.h> | |||
+#include <openssl/crypto.h> | |||
+#include <openssl/dh.h> | |||
+#include <openssl/dsa.h> | |||
#include <openssl/err.h> | |||
#include <openssl/pkcs12.h> | |||
+#include <openssl/rsa.h> | |||
#include <openssl/x509.h> | |||
-#include <openssl/crypto.h> | |||
#ifndef OPENSSL_NO_EC | |||
#include <openssl/ec.h> | |||
#endif | |||
--- a/src/openvpn/ssl_verify_openssl.c | |||
+++ b/src/openvpn/ssl_verify_openssl.c | |||
@@ -44,8 +44,9 @@ | |||
#include "ssl_verify_backend.h" | |||
#include "openssl_compat.h" | |||
-#include <openssl/x509v3.h> | |||
+#include <openssl/bn.h> | |||
#include <openssl/err.h> | |||
+#include <openssl/x509v3.h> | |||
int | |||
verify_callback(int preverify_ok, X509_STORE_CTX *ctx) |
@ -0,0 +1,74 @@ | |||
--- a/configure.ac | |||
+++ b/configure.ac | |||
@@ -1080,68 +1080,15 @@ dnl | |||
AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4]) | |||
AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4]) | |||
if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then | |||
- if test -z "${LZ4_CFLAGS}" -a -z "${LZ4_LIBS}"; then | |||
- # if the user did not explicitly specify flags, try to autodetect | |||
- PKG_CHECK_MODULES([LZ4], | |||
- [liblz4 >= 1.7.1 liblz4 < 100], | |||
- [have_lz4="yes"], | |||
- [LZ4_LIBS="-llz4"] # If this fails, we will do another test next. | |||
- # We also add set LZ4_LIBS otherwise the | |||
- # linker will not know about the lz4 library | |||
- ) | |||
- fi | |||
saved_CFLAGS="${CFLAGS}" | |||
saved_LIBS="${LIBS}" | |||
CFLAGS="${CFLAGS} ${LZ4_CFLAGS}" | |||
LIBS="${LIBS} ${LZ4_LIBS}" | |||
- # If pkgconfig check failed or LZ4_CFLAGS/LZ4_LIBS env vars | |||
- # are used, check the version directly in the LZ4 include file | |||
- if test "${have_lz4}" != "yes"; then | |||
- AC_CHECK_HEADERS([lz4.h], | |||
- [have_lz4h="yes"], | |||
- []) | |||
- | |||
- if test "${have_lz4h}" = "yes" ; then | |||
- AC_MSG_CHECKING([additionally if system LZ4 version >= 1.7.1]) | |||
- AC_COMPILE_IFELSE( | |||
- [AC_LANG_PROGRAM([[ | |||
-#include <lz4.h> | |||
- ]], | |||
- [[ | |||
-/* Version encoding: MMNNPP (Major miNor Patch) - see lz4.h for details */ | |||
-#if LZ4_VERSION_NUMBER < 10701L | |||
-#error LZ4 is too old | |||
-#endif | |||
- ]] | |||
- )], | |||
- [ | |||
- AC_MSG_RESULT([ok]) | |||
- have_lz4="yes" | |||
- ], | |||
- [AC_MSG_RESULT([system LZ4 library is too old])] | |||
- ) | |||
- fi | |||
- fi | |||
- | |||
- # Double check we have a few needed functions | |||
- if test "${have_lz4}" = "yes" ; then | |||
- AC_CHECK_LIB([lz4], | |||
- [LZ4_compress_default], | |||
- [], | |||
- [have_lz4="no"]) | |||
- AC_CHECK_LIB([lz4], | |||
- [LZ4_decompress_safe], | |||
- [], | |||
- [have_lz4="no"]) | |||
- fi | |||
- | |||
- if test "${have_lz4}" != "yes" ; then | |||
- AC_MSG_RESULT([ usable LZ4 library or header not found, using version in src/compat/compat-lz4.*]) | |||
- AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/]) | |||
- LZ4_LIBS="" | |||
- fi | |||
+ AC_MSG_RESULT([ usable LZ4 library or header not found, using version in src/compat/compat-lz4.*]) | |||
+ AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/]) | |||
+ LZ4_LIBS="" | |||
OPTIONAL_LZ4_CFLAGS="${LZ4_CFLAGS}" | |||
OPTIONAL_LZ4_LIBS="${LZ4_LIBS}" | |||
AC_DEFINE(ENABLE_LZ4, [1], [Enable LZ4 compression library]) |
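Review bot: The rewritten branch unconditionally prints `usable LZ4 library or header not found` and sets `NEED_COMPAT_LZ4` without having looked for anything, so the message is now wrong, and the `AC_ARG_VAR` declarations for `LZ4_CFLAGS`/`LZ4_LIBS` kept above it advertise variables that no longer have any effect (a user-supplied `LZ4_LIBS` is still appended to `LIBS` earlier in the hunk and then cleared). The message should state what actually happens, e.g. `AC_MSG_RESULT([using bundled LZ4 from src/compat/compat-lz4.*])`. From a maintenance standpoint, forcing the vendored copy means fixes to the system liblz4 will not reach openvpn and the bundled copy's version has to be tracked on its own; the patch has no description explaining why the system library is avoided, and one should be added above the first `---` line.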
@ -0,0 +1,81 @@ | |||
--- a/src/openvpn/syshead.h | |||
+++ b/src/openvpn/syshead.h | |||
@@ -597,11 +597,11 @@ socket_defined(const socket_descriptor_t | |||
/* | |||
* Should we include NTLM proxy functionality | |||
*/ | |||
-#if defined(ENABLE_CRYPTO) | |||
-#define NTLM 1 | |||
-#else | |||
+//#if defined(ENABLE_CRYPTO) | |||
+//#define NTLM 1 | |||
+//#else | |||
#define NTLM 0 | |||
-#endif | |||
+//#endif | |||
/* | |||
* Should we include proxy digest auth functionality | |||
--- a/src/openvpn/crypto_mbedtls.c | |||
+++ b/src/openvpn/crypto_mbedtls.c | |||
@@ -319,6 +319,7 @@ int | |||
key_des_num_cblocks(const mbedtls_cipher_info_t *kt) | |||
{ | |||
int ret = 0; | |||
+#ifdef MBEDTLS_DES_C | |||
if (kt->type == MBEDTLS_CIPHER_DES_CBC) | |||
{ | |||
ret = 1; | |||
@@ -331,6 +332,7 @@ key_des_num_cblocks(const mbedtls_cipher | |||
{ | |||
ret = 3; | |||
} | |||
+#endif | |||
dmsg(D_CRYPTO_DEBUG, "CRYPTO INFO: n_DES_cblocks=%d", ret); | |||
return ret; | |||
@@ -339,6 +341,7 @@ key_des_num_cblocks(const mbedtls_cipher | |||
bool | |||
key_des_check(uint8_t *key, int key_len, int ndc) | |||
{ | |||
+#ifdef MBEDTLS_DES_C | |||
int i; | |||
struct buffer b; | |||
@@ -367,11 +370,15 @@ key_des_check(uint8_t *key, int key_len, | |||
err: | |||
return false; | |||
+#else | |||
+ return true; | |||
+#endif | |||
} | |||
void | |||
key_des_fixup(uint8_t *key, int key_len, int ndc) | |||
{ | |||
+#ifdef MBEDTLS_DES_C | |||
int i; | |||
struct buffer b; | |||
@@ -386,6 +393,7 @@ key_des_fixup(uint8_t *key, int key_len, | |||
} | |||
mbedtls_des_key_set_parity(key); | |||
} | |||
+#endif | |||
} | |||
/* | |||
@@ -705,10 +713,12 @@ cipher_des_encrypt_ecb(const unsigned ch | |||
unsigned char *src, | |||
unsigned char *dst) | |||
{ | |||
+#ifdef MBEDTLS_DES_C | |||
mbedtls_des_context ctx; | |||
ASSERT(mbed_ok(mbedtls_des_setkey_enc(&ctx, key))); | |||
ASSERT(mbed_ok(mbedtls_des_crypt_ecb(&ctx, src, dst))); | |||
+#endif | |||
} | |||