Changeset 2179


Timestamp:
Sep 19, 2012, 3:27:11 PM (7 years ago)
Author:
matthijs
Message:

luci-openvpn: Allow enabling tls-auth.

This adds a bit more security to the TLS handshake during the OpenVPN
connection setup. Having it disabled does not pose a security risk in
any way, but having it enabled only adds another layer of security, just
in case.

Thanks to Jon Spriggs for most of this patch.

Closes: #1206

Location:
trunk
Files:
5 edited

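--- a/trunk/fon/openvpn/files/etc/init.d/openvpn
+++ b/trunk/fon/openvpn/files/etc/init.d/openvpn
@@ -152,19 +152,25 @@
         config_get enable openvpn enable
         [ "$enable" = "1" ] || exit 1
-        [ -f $KEY_DIR/dh1024.pem ] || {
+        if [ ! -f $KEY_DIR/dh1024.pem -o ! -f $KEY_DIR/ta.key ]; then
                 uci -P /var/state set openvpn.openvpn.key=1
-                rm -rf "$KEY_DIR"
-                mkdir "$KEY_DIR"
-                chmod go-rwx "$KEY_DIR"
-                touch "$KEY_DIR/index.txt"
-                echo 01 >"$KEY_DIR/serial"
-                /usr/sbin/pkitool --initca Fonera
-                /usr/sbin/pkitool --server Fonera
-                /usr/bin/openssl dhparam -out $KEY_DIR/dh1024.pem 1024
+                if [ ! -f $KEY_DIR/dh1024.pem ]; then
+                        rm -rf "$KEY_DIR"
+                        mkdir "$KEY_DIR"
+                        chmod go-rwx "$KEY_DIR"
+                        touch "$KEY_DIR/index.txt"
+                        echo 01 >"$KEY_DIR/serial"
+                        /usr/sbin/pkitool --initca Fonera
+                        /usr/sbin/pkitool --server Fonera
+                        /usr/bin/openssl dhparam -out $KEY_DIR/dh1024.pem 1024
+                fi
+                # Check ta.key (needed for tls-auth) separately, since
+                # earlier versions of the firmware did not generate this
+                # key
+                if [ ! -f $KEY_DIR/ta.key ]; then
+                       openvpn --genkey --secret $KEY_DIR/ta.key
+                fi
                 uci -P /var/state revert openvpn.openvpn.key
-                config_foreach start_service openvpn
-        }
-        [ -f $KEY_DIR/dh1024.pem ] &&
-                config_foreach start_service openvpn
+        fi
+        config_foreach start_service openvpn
 }
 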
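Review bot: The service is now started on new line 174 without re-checking that the key files were actually produced, so a failed `pkitool`, `openssl dhparam` or `openvpn --genkey` call starts OpenVPN without the material it needs (the removed line 167 kept an existence check before starting, although the removed block also started the service unconditionally). Guarding the start with both files, `[ -f "$KEY_DIR/dh1024.pem" ] && [ -f "$KEY_DIR/ta.key" ] && config_foreach start_service openvpn`, makes a generation failure visible instead of producing a server that cannot complete a handshake. The `-o` operator in the new outer `if [ ... -o ... ]` test is marked obsolescent by POSIX; two `[ ]` tests joined with `||` are portable, and `$KEY_DIR` should be quoted in the new tests and in the `--secret` argument as it already is in the `rm`/`mkdir`/`chmod` lines. The enclosing function begins outside the hunk.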
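--- a/trunk/fon/openvpn/files/usr/bin/openvpn-client.sh
+++ b/trunk/fon/openvpn/files/usr/bin/openvpn-client.sh
@@ -14,4 +14,8 @@
 cp /etc/openvpn/keys/$1.key $1.key
 cat /etc/openvpn/client.ovpn | sed "s/%PROTO%/$PROTO/g" | sed "s/%IP%/$HOST/g" | sed "s/%PORT%/$PORT/g" | sed "s/%CLIENT%/$1/g" > ${NAME}.ovpn
+if [ -n "`uci get openvpn.openvpn.tls_auth`" ]; then
+    echo "tls-auth ta.key 1" >> ${NAME}.ovpn
+    cp /etc/openvpn/keys/ta.key ta.key
+fi
 rm -f /tmp/$1_ovpn.zip
 zip /tmp/$1_ovpn.zip *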
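Review bot: The `tls-auth ta.key 1` line is appended to the client profile as soon as the uci option is non-empty, but nothing checks that `/etc/openvpn/keys/ta.key` exists before the `cp` on new line 18, so a bundle can end up referencing a `ta.key` that is not in the zip; checking `[ -f /etc/openvpn/keys/ta.key ]` first, or testing the `cp` exit status, would fail loudly instead. The hard-coded direction `1` only works because the server side stores direction `0` (`/etc/openvpn/keys/ta.key 0` in firewall.lua on this page); a comment such as `# direction 1 is the peer of the server's "ta.key 0" chosen in luci-openvpn` would record that coupling next to the literal. `uci get` on an unset option also prints an error to stderr; `uci -q get` keeps the script's output clean, and `$(...)` is the preferred form over backticks in the rest of this file's style.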
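--- a/trunk/luci/applications/luci-openvpn/luasrc/model/cbi/openvpn/firewall.lua
+++ b/trunk/luci/applications/luci-openvpn/luasrc/model/cbi/openvpn/firewall.lua
@@ -46,3 +46,8 @@
 x.default = require("luci.model.uci").cursor():get("openvpn", "openvpn", "max_clients") or 2
 
+local x = s:option(ListValue, "tls_auth", translate("openvpn_tls_auth", "TLS handshake hardening (tls-auth)"))
+x:value("", translate("disable", "Disabled"))
+x:value("/etc/openvpn/keys/ta.key 0", translate("enable", "Enabled"))
+x.default = require("luci.model.uci").cursor():get("openvpn", "openvpn", "tls_auth")
+
 return m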
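Review bot: The enabled value on new line 50, `/etc/openvpn/keys/ta.key 0`, is a key path plus key direction that is presumably inserted verbatim into the server's `tls-auth` argument, while openvpn-client.sh on this page hard-codes the complementary direction `1`; neither file documents that the two must stay paired. A comment above the option, e.g. `-- Stored as the server's tls-auth argument (path + direction 0); openvpn-client.sh emits the matching direction 1`, would keep a future edit from breaking one side. The new `local x` shadows the `x` already in use on line 46, which luacheck flags; reusing that variable (as the earlier options do) or picking a distinct name avoids the warning. The uci cursor is also constructed a second time on new line 51; a shared `local uci = require("luci.model.uci").cursor()` would be tidier, though the earlier declaration lies outside the hunk.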
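--- a/trunk/luci/i18n/english/luasrc/i18n/default.en.lua
+++ b/trunk/luci/i18n/english/luasrc/i18n/default.en.lua
@@ -138,4 +138,5 @@
 openvpn_security = "Manage Security settings"
 openvpn_title = "OpenVPN"
+openvpn_tls_auth = "TLS handshake hardening (tls-auth)"
 page_title = "FON Router GUI"
 passwd_desc = "Here you can change your password"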
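--- a/trunk/luci/modules/admin-fon/root/sbin/save-config.sh
+++ b/trunk/luci/modules/admin-fon/root/sbin/save-config.sh
@@ -121,5 +121,5 @@
 echo "uci import -m openvpn <<EOF"
 echo "config 'openvpn' 'openvpn'"
-for o in enable lan wan keepalive max_clients proto port; do
+for o in enable lan wan keepalive max_clients proto port tls_auth; do
         echo "  option '$o' '$(config_get openvpn $o)'"
 done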