diff options
Diffstat (limited to 'app/openvpn/sample')
45 files changed, 2591 insertions, 0 deletions
diff --git a/app/openvpn/sample/Makefile.am b/app/openvpn/sample/Makefile.am new file mode 100644 index 00000000..be30c88a --- /dev/null +++ b/app/openvpn/sample/Makefile.am @@ -0,0 +1,34 @@ +# +# OpenVPN -- An application to securely tunnel IP networks +# over a single UDP port, with support for SSL/TLS-based +# session authentication and key exchange, +# packet encryption, packet authentication, and +# packet compression. +# +# Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> +# Copyright (C) 2006-2012 Alon Bar-Lev <alon.barlev@gmail.com> +# + +MAINTAINERCLEANFILES = \ + $(srcdir)/Makefile.in + +EXTRA_DIST = \ + sample-plugins \ + sample-config-files \ + sample-windows \ + sample-keys \ + sample-scripts + +if WIN32 +sample_DATA = \ + client.ovpn \ + server.ovpn \ + sample-windows/sample.ovpn + +client.ovpn: sample-config-files/client.conf + -rm -f client.ovpn + cp "$(srcdir)/sample-config-files/client.conf" client.ovpn +server.ovpn: sample-config-files/server.conf + -rm -f server.ovpn + cp "$(srcdir)/sample-config-files/server.conf" server.ovpn +endif diff --git a/app/openvpn/sample/sample-config-files/README b/app/openvpn/sample/sample-config-files/README new file mode 100644 index 00000000..d53ac79a --- /dev/null +++ b/app/openvpn/sample/sample-config-files/README @@ -0,0 +1,6 @@ +Sample OpenVPN Configuration Files. + +These files are part of the OpenVPN HOWTO +which is located at: + +http://openvpn.net/howto.html diff --git a/app/openvpn/sample/sample-config-files/client.conf b/app/openvpn/sample/sample-config-files/client.conf new file mode 100644 index 00000000..58b2038b --- /dev/null +++ b/app/openvpn/sample/sample-config-files/client.conf @@ -0,0 +1,123 @@ +############################################## +# Sample client-side OpenVPN 2.0 config file # +# for connecting to multi-client server. # +# # +# This configuration can be used by multiple # +# clients, however each client should have # +# its own cert and key files. # +# # +# On Windows, you might want to rename this # +# file so it has a .ovpn extension # +############################################## + +# Specify that we are a client and that we +# will be pulling certain config file directives +# from the server. +client + +# Use the same setting as you are using on +# the server. +# On most systems, the VPN will not function +# unless you partially or fully disable +# the firewall for the TUN/TAP interface. +;dev tap +dev tun + +# Windows needs the TAP-Win32 adapter name +# from the Network Connections panel +# if you have more than one. On XP SP2, +# you may need to disable the firewall +# for the TAP adapter. +;dev-node MyTap + +# Are we connecting to a TCP or +# UDP server? Use the same setting as +# on the server. +;proto tcp +proto udp + +# The hostname/IP and port of the server. +# You can have multiple remote entries +# to load balance between the servers. +remote my-server-1 1194 +;remote my-server-2 1194 + +# Choose a random host from the remote +# list for load-balancing. Otherwise +# try hosts in the order specified. +;remote-random + +# Keep trying indefinitely to resolve the +# host name of the OpenVPN server. Very useful +# on machines which are not permanently connected +# to the internet such as laptops. +resolv-retry infinite + +# Most clients don't need to bind to +# a specific local port number. +nobind + +# Downgrade privileges after initialization (non-Windows only) +;user nobody +;group nobody + +# Try to preserve some state across restarts. +persist-key +persist-tun + +# If you are connecting through an +# HTTP proxy to reach the actual OpenVPN +# server, put the proxy server/IP and +# port number here. See the man page +# if your proxy server requires +# authentication. +;http-proxy-retry # retry on connection failures +;http-proxy [proxy server] [proxy port #] + +# Wireless networks often produce a lot +# of duplicate packets. Set this flag +# to silence duplicate packet warnings. +;mute-replay-warnings + +# SSL/TLS parms. +# See the server config file for more +# description. It's best to use +# a separate .crt/.key file pair +# for each client. A single ca +# file can be used for all clients. +ca ca.crt +cert client.crt +key client.key + +# Verify server certificate by checking +# that the certicate has the nsCertType +# field set to "server". This is an +# important precaution to protect against +# a potential attack discussed here: +# http://openvpn.net/howto.html#mitm +# +# To use this feature, you will need to generate +# your server certificates with the nsCertType +# field set to "server". The build-key-server +# script in the easy-rsa folder will do this. +ns-cert-type server + +# If a tls-auth key is used on the server +# then every client must also have the key. +;tls-auth ta.key 1 + +# Select a cryptographic cipher. +# If the cipher option is used on the server +# then you must also specify it here. +;cipher x + +# Enable compression on the VPN link. +# Don't enable this unless it is also +# enabled in the server config file. +comp-lzo + +# Set log file verbosity. +verb 3 + +# Silence repeating messages +;mute 20 diff --git a/app/openvpn/sample/sample-config-files/firewall.sh b/app/openvpn/sample/sample-config-files/firewall.sh new file mode 100755 index 00000000..19d75ee9 --- /dev/null +++ b/app/openvpn/sample/sample-config-files/firewall.sh @@ -0,0 +1,108 @@ +#!/bin/sh + +# A Sample OpenVPN-aware firewall. + +# eth0 is connected to the internet. +# eth1 is connected to a private subnet. + +# Change this subnet to correspond to your private +# ethernet subnet. Home will use HOME_NET/24 and +# Office will use OFFICE_NET/24. +PRIVATE=10.0.0.0/24 + +# Loopback address +LOOP=127.0.0.1 + +# Delete old iptables rules +# and temporarily block all traffic. +iptables -P OUTPUT DROP +iptables -P INPUT DROP +iptables -P FORWARD DROP +iptables -F + +# Set default policies +iptables -P OUTPUT ACCEPT +iptables -P INPUT DROP +iptables -P FORWARD DROP + +# Prevent external packets from using loopback addr +iptables -A INPUT -i eth0 -s $LOOP -j DROP +iptables -A FORWARD -i eth0 -s $LOOP -j DROP +iptables -A INPUT -i eth0 -d $LOOP -j DROP +iptables -A FORWARD -i eth0 -d $LOOP -j DROP + +# Anything coming from the Internet should have a real Internet address +iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP +iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP +iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP +iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP +iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP +iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP + +# Block outgoing NetBios (if you have windows machines running +# on the private subnet). This will not affect any NetBios +# traffic that flows over the VPN tunnel, but it will stop +# local windows machines from broadcasting themselves to +# the internet. +iptables -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP +iptables -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP +iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP +iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP + +# Check source address validity on packets going out to internet +iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP + +# Allow local loopback +iptables -A INPUT -s $LOOP -j ACCEPT +iptables -A INPUT -d $LOOP -j ACCEPT + +# Allow incoming pings (can be disabled) +iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT + +# Allow services such as www and ssh (can be disabled) +iptables -A INPUT -p tcp --dport http -j ACCEPT +iptables -A INPUT -p tcp --dport ssh -j ACCEPT + +# Allow incoming OpenVPN packets +# Duplicate the line below for each +# OpenVPN tunnel, changing --dport n +# to match the OpenVPN UDP port. +# +# In OpenVPN, the port number is +# controlled by the --port n option. +# If you put this option in the config +# file, you can remove the leading '--' +# +# If you taking the stateful firewall +# approach (see the OpenVPN HOWTO), +# then comment out the line below. + +iptables -A INPUT -p udp --dport 1194 -j ACCEPT + +# Allow packets from TUN/TAP devices. +# When OpenVPN is run in a secure mode, +# it will authenticate packets prior +# to their arriving on a tun or tap +# interface. Therefore, it is not +# necessary to add any filters here, +# unless you want to restrict the +# type of packets which can flow over +# the tunnel. + +iptables -A INPUT -i tun+ -j ACCEPT +iptables -A FORWARD -i tun+ -j ACCEPT +iptables -A INPUT -i tap+ -j ACCEPT +iptables -A FORWARD -i tap+ -j ACCEPT + +# Allow packets from private subnets +iptables -A INPUT -i eth1 -j ACCEPT +iptables -A FORWARD -i eth1 -j ACCEPT + +# Keep state of connections from local machine and private subnets +iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT +iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT +iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT +iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT + +# Masquerade local subnet +iptables -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE diff --git a/app/openvpn/sample/sample-config-files/home.up b/app/openvpn/sample/sample-config-files/home.up new file mode 100755 index 00000000..9c347cc5 --- /dev/null +++ b/app/openvpn/sample/sample-config-files/home.up @@ -0,0 +1,2 @@ +#!/bin/sh +route add -net 10.0.0.0 netmask 255.255.255.0 gw $5 diff --git a/app/openvpn/sample/sample-config-files/loopback-client b/app/openvpn/sample/sample-config-files/loopback-client new file mode 100644 index 00000000..d7f59e69 --- /dev/null +++ b/app/openvpn/sample/sample-config-files/loopback-client @@ -0,0 +1,25 @@ +# Perform a TLS loopback test -- client side. +# +# This test performs a TLS negotiation once every 10 seconds, +# and will terminate after 2 minutes. +# +# From the root directory of the OpenVPN distribution, +# after openvpn has been built, run: +# +# ./openvpn --config sample-config-files/loopback-client (In one window) +# ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window) + +rport 16000 +lport 16001 +remote localhost +local localhost +dev null +verb 3 +reneg-sec 10 +tls-client +ca sample-keys/ca.crt +key sample-keys/client.key +cert sample-keys/client.crt +cipher DES-EDE3-CBC +ping 1 +inactive 120 10000000 diff --git a/app/openvpn/sample/sample-config-files/loopback-server b/app/openvpn/sample/sample-config-files/loopback-server new file mode 100644 index 00000000..9d21bcec --- /dev/null +++ b/app/openvpn/sample/sample-config-files/loopback-server @@ -0,0 +1,26 @@ +# Perform a TLS loopback test -- server side. +# +# This test performs a TLS negotiation once every 10 seconds, +# and will terminate after 2 minutes. +# +# From the root directory of the OpenVPN distribution, +# after openvpn has been built, run: +# +# ./openvpn --config sample-config-files/loopback-client (In one window) +# ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window) + +rport 16001 +lport 16000 +remote localhost +local localhost +dev null +verb 3 +reneg-sec 10 +tls-server +dh sample-keys/dh1024.pem +ca sample-keys/ca.crt +key sample-keys/server.key +cert sample-keys/server.crt +cipher DES-EDE3-CBC +ping 1 +inactive 120 10000000 diff --git a/app/openvpn/sample/sample-config-files/office.up b/app/openvpn/sample/sample-config-files/office.up new file mode 100755 index 00000000..74a71a33 --- /dev/null +++ b/app/openvpn/sample/sample-config-files/office.up @@ -0,0 +1,2 @@ +#!/bin/sh +route add -net 10.0.1.0 netmask 255.255.255.0 gw $5 diff --git a/app/openvpn/sample/sample-config-files/openvpn-shutdown.sh b/app/openvpn/sample/sample-config-files/openvpn-shutdown.sh new file mode 100755 index 00000000..8ed2d1d5 --- /dev/null +++ b/app/openvpn/sample/sample-config-files/openvpn-shutdown.sh @@ -0,0 +1,5 @@ +#!/bin/sh + +# stop all openvpn processes + +killall -TERM openvpn diff --git a/app/openvpn/sample/sample-config-files/openvpn-startup.sh b/app/openvpn/sample/sample-config-files/openvpn-startup.sh new file mode 100755 index 00000000..0ee006bc --- /dev/null +++ b/app/openvpn/sample/sample-config-files/openvpn-startup.sh @@ -0,0 +1,34 @@ +#!/bin/sh + +# A sample OpenVPN startup script +# for Linux. + +# openvpn config file directory +dir=/etc/openvpn + +# load the firewall +$dir/firewall.sh + +# load TUN/TAP kernel module +modprobe tun + +# enable IP forwarding +echo 1 > /proc/sys/net/ipv4/ip_forward + +# Invoke openvpn for each VPN tunnel +# in daemon mode. Alternatively, +# you could remove "--daemon" from +# the command line and add "daemon" +# to the config file. +# +# Each tunnel should run on a separate +# UDP port. Use the "port" option +# to control this. Like all of +# OpenVPN's options, you can +# specify "--port 8000" on the command +# line or "port 8000" in the config +# file. + +openvpn --cd $dir --daemon --config vpn1.conf +openvpn --cd $dir --daemon --config vpn2.conf +openvpn --cd $dir --daemon --config vpn2.conf diff --git a/app/openvpn/sample/sample-config-files/server.conf b/app/openvpn/sample/sample-config-files/server.conf new file mode 100644 index 00000000..f483b6bb --- /dev/null +++ b/app/openvpn/sample/sample-config-files/server.conf @@ -0,0 +1,299 @@ +################################################# +# Sample OpenVPN 2.0 config file for # +# multi-client server. # +# # +# This file is for the server side # +# of a many-clients <-> one-server # +# OpenVPN configuration. # +# # +# OpenVPN also supports # +# single-machine <-> single-machine # +# configurations (See the Examples page # +# on the web site for more info). # +# # +# This config should work on Windows # +# or Linux/BSD systems. Remember on # +# Windows to quote pathnames and use # +# double backslashes, e.g.: # +# "C:\\Program Files\\OpenVPN\\config\\foo.key" # +# # +# Comments are preceded with '#' or ';' # +################################################# + +# Which local IP address should OpenVPN +# listen on? (optional) +;local a.b.c.d + +# Which TCP/UDP port should OpenVPN listen on? +# If you want to run multiple OpenVPN instances +# on the same machine, use a different port +# number for each one. You will need to +# open up this port on your firewall. +port 1194 + +# TCP or UDP server? +;proto tcp +proto udp + +# "dev tun" will create a routed IP tunnel, +# "dev tap" will create an ethernet tunnel. +# Use "dev tap0" if you are ethernet bridging +# and have precreated a tap0 virtual interface +# and bridged it with your ethernet interface. +# If you want to control access policies +# over the VPN, you must create firewall +# rules for the the TUN/TAP interface. +# On non-Windows systems, you can give +# an explicit unit number, such as tun0. +# On Windows, use "dev-node" for this. +# On most systems, the VPN will not function +# unless you partially or fully disable +# the firewall for the TUN/TAP interface. +;dev tap +dev tun + +# Windows needs the TAP-Win32 adapter name +# from the Network Connections panel if you +# have more than one. On XP SP2 or higher, +# you may need to selectively disable the +# Windows firewall for the TAP adapter. +# Non-Windows systems usually don't need this. +;dev-node MyTap + +# SSL/TLS root certificate (ca), certificate +# (cert), and private key (key). Each client +# and the server must have their own cert and +# key file. The server and all clients will +# use the same ca file. +# +# See the "easy-rsa" directory for a series +# of scripts for generating RSA certificates +# and private keys. Remember to use +# a unique Common Name for the server +# and each of the client certificates. +# +# Any X509 key management system can be used. +# OpenVPN can also use a PKCS #12 formatted key file +# (see "pkcs12" directive in man page). +ca ca.crt +cert server.crt +key server.key # This file should be kept secret + +# Diffie hellman parameters. +# Generate your own with: +# openssl dhparam -out dh1024.pem 1024 +# Substitute 2048 for 1024 if you are using +# 2048 bit keys. +dh dh1024.pem + +# Configure server mode and supply a VPN subnet +# for OpenVPN to draw client addresses from. +# The server will take 10.8.0.1 for itself, +# the rest will be made available to clients. +# Each client will be able to reach the server +# on 10.8.0.1. Comment this line out if you are +# ethernet bridging. See the man page for more info. +server 10.8.0.0 255.255.255.0 + +# Maintain a record of client <-> virtual IP address +# associations in this file. If OpenVPN goes down or +# is restarted, reconnecting clients can be assigned +# the same virtual IP address from the pool that was +# previously assigned. +ifconfig-pool-persist ipp.txt + +# Configure server mode for ethernet bridging. +# You must first use your OS's bridging capability +# to bridge the TAP interface with the ethernet +# NIC interface. Then you must manually set the +# IP/netmask on the bridge interface, here we +# assume 10.8.0.4/255.255.255.0. Finally we +# must set aside an IP range in this subnet +# (start=10.8.0.50 end=10.8.0.100) to allocate +# to connecting clients. Leave this line commented +# out unless you are ethernet bridging. +;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 + +# Configure server mode for ethernet bridging +# using a DHCP-proxy, where clients talk +# to the OpenVPN server-side DHCP server +# to receive their IP address allocation +# and DNS server addresses. You must first use +# your OS's bridging capability to bridge the TAP +# interface with the ethernet NIC interface. +# Note: this mode only works on clients (such as +# Windows), where the client-side TAP adapter is +# bound to a DHCP client. +;server-bridge + +# Push routes to the client to allow it +# to reach other private subnets behind +# the server. Remember that these +# private subnets will also need +# to know to route the OpenVPN client +# address pool (10.8.0.0/255.255.255.0) +# back to the OpenVPN server. +;push "route 192.168.10.0 255.255.255.0" +;push "route 192.168.20.0 255.255.255.0" + +# To assign specific IP addresses to specific +# clients or if a connecting client has a private +# subnet behind it that should also have VPN access, +# use the subdirectory "ccd" for client-specific +# configuration files (see man page for more info). + +# EXAMPLE: Suppose the client +# having the certificate common name "Thelonious" +# also has a small subnet behind his connecting +# machine, such as 192.168.40.128/255.255.255.248. +# First, uncomment out these lines: +;client-config-dir ccd +;route 192.168.40.128 255.255.255.248 +# Then create a file ccd/Thelonious with this line: +# iroute 192.168.40.128 255.255.255.248 +# This will allow Thelonious' private subnet to +# access the VPN. This example will only work +# if you are routing, not bridging, i.e. you are +# using "dev tun" and "server" directives. + +# EXAMPLE: Suppose you want to give +# Thelonious a fixed VPN IP address of 10.9.0.1. +# First uncomment out these lines: +;client-config-dir ccd +;route 10.9.0.0 255.255.255.252 +# Then add this line to ccd/Thelonious: +# ifconfig-push 10.9.0.1 10.9.0.2 + +# Suppose that you want to enable different +# firewall access policies for different groups +# of clients. There are two methods: +# (1) Run multiple OpenVPN daemons, one for each +# group, and firewall the TUN/TAP interface +# for each group/daemon appropriately. +# (2) (Advanced) Create a script to dynamically +# modify the firewall in response to access +# from different clients. See man +# page for more info on learn-address script. +;learn-address ./script + +# If enabled, this directive will configure +# all clients to redirect their default +# network gateway through the VPN, causing +# all IP traffic such as web browsing and +# and DNS lookups to go through the VPN +# (The OpenVPN server machine may need to NAT +# or bridge the TUN/TAP interface to the internet +# in order for this to work properly). +;push "redirect-gateway def1 bypass-dhcp" + +# Certain Windows-specific network settings +# can be pushed to clients, such as DNS +# or WINS server addresses. CAVEAT: +# http://openvpn.net/faq.html#dhcpcaveats +# The addresses below refer to the public +# DNS servers provided by opendns.com. +;push "dhcp-option DNS 208.67.222.222" +;push "dhcp-option DNS 208.67.220.220" + +# Uncomment this directive to allow different +# clients to be able to "see" each other. +# By default, clients will only see the server. +# To force clients to only see the server, you +# will also need to appropriately firewall the +# server's TUN/TAP interface. +;client-to-client + +# Uncomment this directive if multiple clients +# might connect with the same certificate/key +# files or common names. This is recommended +# only for testing purposes. For production use, +# each client should have its own certificate/key +# pair. +# +# IF YOU HAVE NOT GENERATED INDIVIDUAL +# CERTIFICATE/KEY PAIRS FOR EACH CLIENT, +# EACH HAVING ITS OWN UNIQUE "COMMON NAME", +# UNCOMMENT THIS LINE OUT. +;duplicate-cn + +# The keepalive directive causes ping-like +# messages to be sent back and forth over +# the link so that each side knows when +# the other side has gone down. +# Ping every 10 seconds, assume that remote +# peer is down if no ping received during +# a 120 second time period. +keepalive 10 120 + +# For extra security beyond that provided +# by SSL/TLS, create an "HMAC firewall" +# to help block DoS attacks and UDP port flooding. +# +# Generate with: +# openvpn --genkey --secret ta.key +# +# The server and each client must have +# a copy of this key. +# The second parameter should be '0' +# on the server and '1' on the clients. +;tls-auth ta.key 0 # This file is secret + +# Select a cryptographic cipher. +# This config item must be copied to +# the client config file as well. +;cipher BF-CBC # Blowfish (default) +;cipher AES-128-CBC # AES +;cipher DES-EDE3-CBC # Triple-DES + +# Enable compression on the VPN link. +# If you enable it here, you must also +# enable it in the client config file. +comp-lzo + +# The maximum number of concurrently connected +# clients we want to allow. +;max-clients 100 + +# It's a good idea to reduce the OpenVPN +# daemon's privileges after initialization. +# +# You can uncomment this out on +# non-Windows systems. +;user nobody +;group nobody + +# The persist options will try to avoid +# accessing certain resources on restart +# that may no longer be accessible because +# of the privilege downgrade. +persist-key +persist-tun + +# Output a short status file showing +# current connections, truncated +# and rewritten every minute. +status openvpn-status.log + +# By default, log messages will go to the syslog (or +# on Windows, if running as a service, they will go to +# the "\Program Files\OpenVPN\log" directory). +# Use log or log-append to override this default. +# "log" will truncate the log file on OpenVPN startup, +# while "log-append" will append to it. Use one +# or the other (but not both). +;log openvpn.log +;log-append openvpn.log + +# Set the appropriate level of log +# file verbosity. +# +# 0 is silent, except for fatal errors +# 4 is reasonable for general usage +# 5 and 6 can help to debug connection problems +# 9 is extremely verbose +verb 3 + +# Silence repeating messages. At most 20 +# sequential messages of the same message +# category will be output to the log. +;mute 20 diff --git a/app/openvpn/sample/sample-config-files/static-home.conf b/app/openvpn/sample/sample-config-files/static-home.conf new file mode 100644 index 00000000..c9666874 --- /dev/null +++ b/app/openvpn/sample/sample-config-files/static-home.conf @@ -0,0 +1,72 @@ +# +# Sample OpenVPN configuration file for +# home using a pre-shared static key. +# +# '#' or ';' may be used to delimit comments. + +# Use a dynamic tun device. +# For Linux 2.2 or non-Linux OSes, +# you may want to use an explicit +# unit number such as "tun1". +# OpenVPN also supports virtual +# ethernet "tap" devices. +dev tun + +# Our OpenVPN peer is the office gateway. +remote 1.2.3.4 + +# 10.1.0.2 is our local VPN endpoint (home). +# 10.1.0.1 is our remote VPN endpoint (office). +ifconfig 10.1.0.2 10.1.0.1 + +# Our up script will establish routes +# once the VPN is alive. +up ./home.up + +# Our pre-shared static key +secret static.key + +# OpenVPN 2.0 uses UDP port 1194 by default +# (official port assignment by iana.org 11/04). +# OpenVPN 1.x uses UDP port 5000 by default. +# Each OpenVPN tunnel must use +# a different port number. +# lport or rport can be used +# to denote different ports +# for local and remote. +; port 1194 + +# Downgrade UID and GID to +# "nobody" after initialization +# for extra security. +; user nobody +; group nobody + +# If you built OpenVPN with +# LZO compression, uncomment +# out the following line. +; comp-lzo + +# Send a UDP ping to remote once +# every 15 seconds to keep +# stateful firewall connection +# alive. Uncomment this +# out if you are using a stateful +# firewall. +; ping 15 + +# Uncomment this section for a more reliable detection when a system +# loses its connection. For example, dial-ups or laptops that +# travel to other locations. +; ping 15 +; ping-restart 45 +; ping-timer-rem +; persist-tun +; persist-key + +# Verbosity level. +# 0 -- quiet except for fatal errors. +# 1 -- mostly quiet, but display non-fatal network errors. +# 3 -- medium output, good for normal operation. +# 9 -- verbose, good for troubleshooting +verb 3 diff --git a/app/openvpn/sample/sample-config-files/static-office.conf b/app/openvpn/sample/sample-config-files/static-office.conf new file mode 100644 index 00000000..68030cc9 --- /dev/null +++ b/app/openvpn/sample/sample-config-files/static-office.conf @@ -0,0 +1,69 @@ +# +# Sample OpenVPN configuration file for +# office using a pre-shared static key. +# +# '#' or ';' may be used to delimit comments. + +# Use a dynamic tun device. +# For Linux 2.2 or non-Linux OSes, +# you may want to use an explicit +# unit number such as "tun1". +# OpenVPN also supports virtual +# ethernet "tap" devices. +dev tun + +# 10.1.0.1 is our local VPN endpoint (office). +# 10.1.0.2 is our remote VPN endpoint (home). +ifconfig 10.1.0.1 10.1.0.2 + +# Our up script will establish routes +# once the VPN is alive. +up ./office.up + +# Our pre-shared static key +secret static.key + +# OpenVPN 2.0 uses UDP port 1194 by default +# (official port assignment by iana.org 11/04). +# OpenVPN 1.x uses UDP port 5000 by default. +# Each OpenVPN tunnel must use +# a different port number. +# lport or rport can be used +# to denote different ports +# for local and remote. +; port 1194 + +# Downgrade UID and GID to +# "nobody" after initialization +# for extra security. +; user nobody +; group nobody + +# If you built OpenVPN with +# LZO compression, uncomment +# out the following line. +; comp-lzo + +# Send a UDP ping to remote once +# every 15 seconds to keep +# stateful firewall connection +# alive. Uncomment this +# out if you are using a stateful +# firewall. +; ping 15 + +# Uncomment this section for a more reliable detection when a system +# loses its connection. For example, dial-ups or laptops that +# travel to other locations. +; ping 15 +; ping-restart 45 +; ping-timer-rem +; persist-tun +; persist-key + +# Verbosity level. +# 0 -- quiet except for fatal errors. +# 1 -- mostly quiet, but display non-fatal network errors. +# 3 -- medium output, good for normal operation. +# 9 -- verbose, good for troubleshooting +verb 3 diff --git a/app/openvpn/sample/sample-config-files/tls-home.conf b/app/openvpn/sample/sample-config-files/tls-home.conf new file mode 100644 index 00000000..daa4ea1e --- /dev/null +++ b/app/openvpn/sample/sample-config-files/tls-home.conf @@ -0,0 +1,83 @@ +# +# Sample OpenVPN configuration file for +# home using SSL/TLS mode and RSA certificates/keys. +# +# '#' or ';' may be used to delimit comments. + +# Use a dynamic tun device. +# For Linux 2.2 or non-Linux OSes, +# you may want to use an explicit +# unit number such as "tun1". +# OpenVPN also supports virtual +# ethernet "tap" devices. +dev tun + +# Our OpenVPN peer is the office gateway. +remote 1.2.3.4 + +# 10.1.0.2 is our local VPN endpoint (home). +# 10.1.0.1 is our remote VPN endpoint (office). +ifconfig 10.1.0.2 10.1.0.1 + +# Our up script will establish routes +# once the VPN is alive. +up ./home.up + +# In SSL/TLS key exchange, Office will +# assume server role and Home +# will assume client role. +tls-client + +# Certificate Authority file +ca my-ca.crt + +# Our certificate/public key +cert home.crt + +# Our private key +key home.key + +# OpenVPN 2.0 uses UDP port 1194 by default +# (official port assignment by iana.org 11/04). +# OpenVPN 1.x uses UDP port 5000 by default. +# Each OpenVPN tunnel must use +# a different port number. +# lport or rport can be used +# to denote different ports +# for local and remote. +; port 1194 + +# Downgrade UID and GID to +# "nobody" after initialization +# for extra security. +; user nobody +; group nobody + +# If you built OpenVPN with +# LZO compression, uncomment +# out the following line. +; comp-lzo + +# Send a UDP ping to remote once +# every 15 seconds to keep +# stateful firewall connection +# alive. Uncomment this +# out if you are using a stateful +# firewall. +; ping 15 + +# Uncomment this section for a more reliable detection when a system +# loses its connection. For example, dial-ups or laptops that +# travel to other locations. +; ping 15 +; ping-restart 45 +; ping-timer-rem +; persist-tun +; persist-key + +# Verbosity level. +# 0 -- quiet except for fatal errors. +# 1 -- mostly quiet, but display non-fatal network errors. +# 3 -- medium output, good for normal operation. +# 9 -- verbose, good for troubleshooting +verb 3 diff --git a/app/openvpn/sample/sample-config-files/tls-office.conf b/app/openvpn/sample/sample-config-files/tls-office.conf new file mode 100644 index 00000000..f790f469 --- /dev/null +++ b/app/openvpn/sample/sample-config-files/tls-office.conf @@ -0,0 +1,83 @@ +# +# Sample OpenVPN configuration file for +# office using SSL/TLS mode and RSA certificates/keys. +# +# '#' or ';' may be used to delimit comments. + +# Use a dynamic tun device. +# For Linux 2.2 or non-Linux OSes, +# you may want to use an explicit +# unit number such as "tun1". +# OpenVPN also supports virtual +# ethernet "tap" devices. +dev tun + +# 10.1.0.1 is our local VPN endpoint (office). +# 10.1.0.2 is our remote VPN endpoint (home). +ifconfig 10.1.0.1 10.1.0.2 + +# Our up script will establish routes +# once the VPN is alive. +up ./office.up + +# In SSL/TLS key exchange, Office will +# assume server role and Home +# will assume client role. +tls-server + +# Diffie-Hellman Parameters (tls-server only) +dh dh1024.pem + +# Certificate Authority file +ca my-ca.crt + +# Our certificate/public key +cert office.crt + +# Our private key +key office.key + +# OpenVPN 2.0 uses UDP port 1194 by default +# (official port assignment by iana.org 11/04). +# OpenVPN 1.x uses UDP port 5000 by default. +# Each OpenVPN tunnel must use +# a different port number. +# lport or rport can be used +# to denote different ports +# for local and remote. +; port 1194 + +# Downgrade UID and GID to +# "nobody" after initialization +# for extra security. +; user nobody +; group nobody + +# If you built OpenVPN with +# LZO compression, uncomment +# out the following line. +; comp-lzo + +# Send a UDP ping to remote once +# every 15 seconds to keep +# stateful firewall connection +# alive. Uncomment this +# out if you are using a stateful +# firewall. +; ping 15 + +# Uncomment this section for a more reliable detection when a system +# loses its connection. For example, dial-ups or laptops that +# travel to other locations. +; ping 15 +; ping-restart 45 +; ping-timer-rem +; persist-tun +; persist-key + +# Verbosity level. +# 0 -- quiet except for fatal errors. +# 1 -- mostly quiet, but display non-fatal network errors. +# 3 -- medium output, good for normal operation. +# 9 -- verbose, good for troubleshooting +verb 3 diff --git a/app/openvpn/sample/sample-config-files/xinetd-client-config b/app/openvpn/sample/sample-config-files/xinetd-client-config new file mode 100644 index 00000000..03c5c1fa --- /dev/null +++ b/app/openvpn/sample/sample-config-files/xinetd-client-config @@ -0,0 +1,11 @@ +# This OpenVPN config file +# is the client side counterpart +# of xinetd-server-config + +dev tun +ifconfig 10.4.0.1 10.4.0.2 +remote my-server +port 1194 +user nobody +secret /root/openvpn/key +inactive 600 diff --git a/app/openvpn/sample/sample-config-files/xinetd-server-config b/app/openvpn/sample/sample-config-files/xinetd-server-config new file mode 100644 index 00000000..803a6f8f --- /dev/null +++ b/app/openvpn/sample/sample-config-files/xinetd-server-config @@ -0,0 +1,25 @@ +# An xinetd configuration file for OpenVPN. +# +# This file should be renamed to openvpn or something suitably +# descriptive and copied to the /etc/xinetd.d directory. +# xinetd can then be made aware of this file by restarting +# it or sending it a SIGHUP signal. +# +# For each potential incoming client, create a separate version +# of this configuration file on a unique port number. Also note +# that the key file and ifconfig endpoints should be unique for +# each client. This configuration assumes that the OpenVPN +# executable and key live in /root/openvpn. Change this to fit +# your environment. + +service openvpn_1 +{ + type = UNLISTED + port = 1194 + socket_type = dgram + protocol = udp + wait = yes + user = root + server = /root/openvpn/openvpn + server_args = --inetd --dev tun --ifconfig 10.4.0.2 10.4.0.1 --secret /root/openvpn/key --inactive 600 --user nobody +} diff --git a/app/openvpn/sample/sample-keys/README b/app/openvpn/sample/sample-keys/README new file mode 100644 index 00000000..1cd473a1 --- /dev/null +++ b/app/openvpn/sample/sample-keys/README @@ -0,0 +1,14 @@ +Sample RSA keys. + +See the examples section of the man page +for usage examples. + +NOTE: THESE KEYS ARE FOR TESTING PURPOSES ONLY. + DON'T USE THEM FOR ANY REAL WORK BECAUSE + THEY ARE TOTALLY INSECURE! + +ca.{crt,key} -- sample CA key/cert +client.{crt,key} -- sample client key/cert +server.{crt,key} -- sample server key/cert (nsCertType=server) +pass.{crt,key} -- sample client key/cert with password-encrypted key + password = "password" diff --git a/app/openvpn/sample/sample-keys/ca.crt b/app/openvpn/sample/sample-keys/ca.crt new file mode 100644 index 00000000..e063ccce --- /dev/null +++ b/app/openvpn/sample/sample-keys/ca.crt @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDBjCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQQFADBmMQswCQYDVQQGEwJLRzEL +MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t +VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTA0MTEy +NTE0NDA1NVoXDTE0MTEyMzE0NDA1NVowZjELMAkGA1UEBhMCS0cxCzAJBgNVBAgT +Ak5BMRAwDgYDVQQHEwdCSVNIS0VLMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxITAf +BgkqhkiG9w0BCQEWEm1lQG15aG9zdC5teWRvbWFpbjCBnzANBgkqhkiG9w0BAQEF +AAOBjQAwgYkCgYEAqPjWJnesPu6bR/iec4FMz3opVaPdBHxg+ORKNmrnVZPh0t8/ +ZT34KXkYoI9B82scurp8UlZVXG8JdUsz+yai8ti9+g7vcuyKUtcCIjn0HLgmdPu5 +gFX25lB0pXw+XIU031dOfPvtROdG5YZN5yCErgCy7TE7zntLnkEDuRmyU6cCAwEA +AaOBwzCBwDAdBgNVHQ4EFgQUiaZg47rqPq/8ZH9MvYzSSI3gzEYwgZAGA1UdIwSB +iDCBhYAUiaZg47rqPq/8ZH9MvYzSSI3gzEahaqRoMGYxCzAJBgNVBAYTAktHMQsw +CQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UEChMMT3BlblZQTi1U +RVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW6CAQAwDAYDVR0T +BAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQBfJoiWYrYdjM0mKPEzUQk0nLYTovBP +I0es/2rfGrin1zbcFY+4dhVBd1E/StebnG+CP8r7QeEIwu7x8gYDdOLLsZn+2vBL +e4jNU1ClI6Q0L7jrzhhunQ5mAaZztVyYwFB15odYcdN2iO0tP7jtEsvrRqxICNy3 +8itzViPTf5W4sA== +-----END CERTIFICATE----- diff --git a/app/openvpn/sample/sample-keys/ca.key b/app/openvpn/sample/sample-keys/ca.key new file mode 100644 index 00000000..b4bf792a --- /dev/null +++ b/app/openvpn/sample/sample-keys/ca.key @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXQIBAAKBgQCo+NYmd6w+7ptH+J5zgUzPeilVo90EfGD45Eo2audVk+HS3z9l +PfgpeRigj0Hzaxy6unxSVlVcbwl1SzP7JqLy2L36Du9y7IpS1wIiOfQcuCZ0+7mA +VfbmUHSlfD5chTTfV058++1E50blhk3nIISuALLtMTvOe0ueQQO5GbJTpwIDAQAB +AoGAQuVREyWp4bhhbZr2UFBOco2ws6EOLWp4kdD/uI+WSoEjlHKiDJj+GJ1CrL5K +o+4yD5MpCQf4/4FOQ0ukprfjJpDwDinTG6vzuWSLTHNiTgvksW3vy7IsNMJx97hT +4D2QOOl9HhA50Qqg70teMPYXOgLRMVsdCIV7p7zDNy4nM+ECQQDX8m5ZcQmPtUDA +38dPTfpL4U7kMB94FItJYH/Lk5kMW1/J33xymNhL+BHaG064ol9n2ubGW4XEO5t2 +qE1IOsVpAkEAyE/x/OBVSI1s75aYGlEwMd87p3qaDdtXT7WzujjRY7r8Y1ynkMU6 +GtMeneBX/lk4BY/6I+5bhAzce+hqhaXejwJBAL5Wg+c4GApf41xdogqHm7doNyYw +OHyZ9w9NDDc+uGbI30xLPSCxEe0cEXgiG6foDpm2uzRZFTWaqHPU8pFYpAkCQGNX +cpWM0/7VVK9Fqk1y8knpgfY/UWOJ4jU/0dCLGR0ywLSuYNPlXDmtdkOp3TnhGW14 +x/9F2NEWZ8pzq1B4wHUCQQC5ztD4m/rpiIpinoewUJODoeBJXYBKqx1+mdrALCq6 +ESvK1WRiusMaY3xmsdv4J2TB5iUPryELbn3jU12WGcQc +-----END RSA PRIVATE KEY----- diff --git a/app/openvpn/sample/sample-keys/client.crt b/app/openvpn/sample/sample-keys/client.crt new file mode 100644 index 00000000..c0474461 --- /dev/null +++ b/app/openvpn/sample/sample-keys/client.crt @@ -0,0 +1,65 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: md5WithRSAEncryption + Issuer: C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST/emailAddress=me@myhost.mydomain + Validity + Not Before: Nov 25 14:46:49 2004 GMT + Not After : Nov 23 14:46:49 2014 GMT + Subject: C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Client/emailAddress=me@myhost.mydomain + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (1024 bit) + Modulus (1024 bit): + 00:d2:12:5c:c6:4d:13:34:ae:cf:fa:ab:fe:cb:de: + 8c:f1:4b:4a:95:28:60:87:82:2c:b8:c1:e5:8e:c6: + 5d:11:58:61:a4:a5:f1:42:d7:86:74:6c:9d:9c:7a: + f0:3a:5c:29:e6:53:3b:5e:6d:d8:f0:45:06:2c:23: + ee:09:bc:02:8f:0e:b8:d5:33:1f:c3:4a:11:02:48: + 0b:cc:4b:ad:6e:74:e0:a2:53:b1:d6:cc:89:b9:e2: + 6f:db:15:b3:19:1e:57:04:79:48:3a:da:76:31:fc: + bf:d3:34:21:e7:32:d8:9e:06:4e:be:f3:e3:79:b0: + 54:fd:d1:42:32:aa:3e:7a:c1 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + 17:B7:3F:C7:62:A0:A9:FD:A4:31:0E:58:D7:D9:94:7B:4B:3F:CB:56 + X509v3 Authority Key Identifier: + keyid:89:A6:60:E3:BA:EA:3E:AF:FC:64:7F:4C:BD:8C:D2:48:8D:E0:CC:46 + DirName:/C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me@myhost.mydomain + serial:00 + + Signature Algorithm: md5WithRSAEncryption + 61:c6:d1:fa:24:0f:c7:be:09:3b:d8:04:17:63:31:17:07:f9: + 56:99:af:4c:67:fa:db:cb:94:cf:55:a5:7b:16:20:8b:42:64: + 13:23:62:45:28:93:5e:36:f7:db:02:95:a1:e9:fd:e3:0f:8d: + 73:a1:7b:0e:55:78:4d:a5:c4:b7:22:12:a0:ee:55:e0:b8:0e: + c9:9b:12:e3:b0:ef:9b:68:93:57:6e:6c:ad:16:68:8e:8d:30: + 33:fe:2a:1b:c3:03:8f:b6:0a:2d:0c:b1:3c:bb:f9:58:3f:8c: + 81:59:6b:14:dd:62:b5:c2:93:ed:5d:c6:19:0f:9b:4b:52:b3: + 7c:78 +-----BEGIN CERTIFICATE----- +MIIDNTCCAp6gAwIBAgIBAjANBgkqhkiG9w0BAQQFADBmMQswCQYDVQQGEwJLRzEL +MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t +VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTA0MTEy +NTE0NDY0OVoXDTE0MTEyMzE0NDY0OVowajELMAkGA1UEBhMCS0cxCzAJBgNVBAgT +Ak5BMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxFDASBgNVBAMTC1Rlc3QtQ2xpZW50 +MSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wgZ8wDQYJKoZIhvcN +AQEBBQADgY0AMIGJAoGBANISXMZNEzSuz/qr/svejPFLSpUoYIeCLLjB5Y7GXRFY +YaSl8ULXhnRsnZx68DpcKeZTO15t2PBFBiwj7gm8Ao8OuNUzH8NKEQJIC8xLrW50 +4KJTsdbMibnib9sVsxkeVwR5SDradjH8v9M0Iecy2J4GTr7z43mwVP3RQjKqPnrB +AgMBAAGjge4wgeswCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBH +ZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFBe3P8dioKn9pDEOWNfZlHtL +P8tWMIGQBgNVHSMEgYgwgYWAFImmYOO66j6v/GR/TL2M0kiN4MxGoWqkaDBmMQsw +CQYDVQQGEwJLRzELMAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNV +BAoTDE9wZW5WUE4tVEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9t +YWluggEAMA0GCSqGSIb3DQEBBAUAA4GBAGHG0fokD8e+CTvYBBdjMRcH+VaZr0xn ++tvLlM9VpXsWIItCZBMjYkUok14299sClaHp/eMPjXOhew5VeE2lxLciEqDuVeC4 +DsmbEuOw75tok1dubK0WaI6NMDP+KhvDA4+2Ci0MsTy7+Vg/jIFZaxTdYrXCk+1d +xhkPm0tSs3x4 +-----END CERTIFICATE----- diff --git a/app/openvpn/sample/sample-keys/client.key b/app/openvpn/sample/sample-keys/client.key new file mode 100644 index 00000000..17b95091 --- /dev/null +++ b/app/openvpn/sample/sample-keys/client.key @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXAIBAAKBgQDSElzGTRM0rs/6q/7L3ozxS0qVKGCHgiy4weWOxl0RWGGkpfFC +14Z0bJ2cevA6XCnmUztebdjwRQYsI+4JvAKPDrjVMx/DShECSAvMS61udOCiU7HW +zIm54m/bFbMZHlcEeUg62nYx/L/TNCHnMtieBk6+8+N5sFT90UIyqj56wQIDAQAB +AoGBAK8RoIGekCfym99DYYfTg9A/t/tQeAnWYaDj7oSrKbqf1lgZ91OGPEZgkoVr +KzLnxf9uU+bhUs8CJx+4HdO8/L9rAJA+oD9QNuMp0elN4AKuEGE1Eq3a0e3cmgPI ++VIoXM6WVAGgK9I03Zu/UerYQ/DdXWGOIsKhFe8qyQoG9pKxAkEA9ld6O9MHQt3d +JAjJkgCNn4psozxjrfLWy2huXd3H3CRqGMjLITDGzdkVSgXjHokBYroi0+TZTu4M +ulJSJaWwBQJBANpO2DAexH2zRHw5Z6QyeEVxz7B3/FzU4GgJx9BH+FSBh+F0G5Ln +ir5Vst8vZ/LGcgpYjHQLNAvZVgUjiQ4Y6I0CQGvwMJL+CHR4GmmroAblTyjU0n1D +/Lk/anZ+L73Za7U+D28ErFzCrpmLwRRKOBYtGfpUbOZDpCQ9kj4hy/TLALECQCcL +9ysUNbzt9Y/qjJkX1d9F7gn4TBEmmkTBixW76bTjvjQbGlt6Qpyso2O8DPGlgPxM +vkJ7RoHgC7y7kGYPGnkCQBVxSNGIjLx4NQBgN4HD0y4+fars1PTUGnckBcS4npb9 +onLNyerBlWdBwbARyBS7WPIbyyf5VCrn3yIqWxaARO0= +-----END RSA PRIVATE KEY----- diff --git a/app/openvpn/sample/sample-keys/dh1024.pem b/app/openvpn/sample/sample-keys/dh1024.pem new file mode 100644 index 00000000..7ce05f0c --- /dev/null +++ b/app/openvpn/sample/sample-keys/dh1024.pem @@ -0,0 +1,5 @@ +-----BEGIN DH PARAMETERS----- +MIGHAoGBAJ419DBEOgmQTzo5qXl5fQcN9TN455wkOL7052HzxxRVMyhYmwQcgJvh +1sa18fyfR9OiVEMYglOpkqVoGLN7qd5aQNNi5W7/C+VBdHTBJcGZJyyP5B3qcz32 +9mLJKudlVudV0Qxk5qUJaPZ/xupz0NyoVpviuiBOI1gNi8ovSXWzAgEC +-----END DH PARAMETERS----- diff --git a/app/openvpn/sample/sample-keys/pass.crt b/app/openvpn/sample/sample-keys/pass.crt new file mode 100644 index 00000000..8bb7b17a --- /dev/null +++ b/app/openvpn/sample/sample-keys/pass.crt @@ -0,0 +1,65 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: md5WithRSAEncryption + Issuer: C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST/emailAddress=me@myhost.mydomain + Validity + Not Before: Nov 25 14:48:55 2004 GMT + Not After : Nov 23 14:48:55 2014 GMT + Subject: C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Client-Password/emailAddress=me@myhost.mydomain + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (1024 bit) + Modulus (1024 bit): + 00:ca:b4:05:67:7b:51:c1:d2:fe:21:57:b1:a5:57: + 5c:c0:86:38:05:a8:91:cf:e7:a4:bd:7a:76:d8:3b: + cf:fe:f3:78:65:24:d6:72:7d:1b:6d:b6:da:04:f2: + a8:f6:b4:04:78:d2:24:a7:21:2f:ca:29:46:96:0f: + 0b:91:31:66:1e:4d:22:9a:5d:05:17:99:9c:a0:7e: + e0:2a:be:78:0c:a1:b9:d4:04:c4:ec:f8:61:79:62: + b5:52:2d:f5:41:af:db:9f:8c:ab:08:1b:b7:95:b8: + c1:f0:29:d3:da:fb:00:3f:8e:5c:27:e3:8d:fa:ee: + dc:b4:3b:0b:8b:e0:ab:c1:c1 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + 40:57:F1:8C:9C:86:B2:DA:E0:3F:A7:B8:D7:85:43:45:07:8A:40:73 + X509v3 Authority Key Identifier: + keyid:89:A6:60:E3:BA:EA:3E:AF:FC:64:7F:4C:BD:8C:D2:48:8D:E0:CC:46 + DirName:/C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me@myhost.mydomain + serial:00 + + Signature Algorithm: md5WithRSAEncryption + a5:79:72:7f:a2:08:28:8e:66:da:e1:d0:be:bb:97:3d:65:9f: + ab:1e:19:ac:f1:66:44:14:8f:4e:7c:eb:ea:1e:2f:57:ea:44: + 46:4c:b9:56:5b:c0:0c:58:d2:45:87:26:6d:82:de:8c:64:b8: + 8b:22:61:61:c6:68:36:08:9d:5a:fd:2f:e5:21:e1:a2:0c:7f: + 3e:ca:e1:06:ea:9f:81:62:3d:a0:ce:f1:1e:0d:ab:86:89:ed: + 9a:89:34:32:c9:e9:6d:7d:f5:11:c3:5d:7e:a5:f7:f1:a6:83: + 77:1b:94:67:d9:0f:5c:ac:0e:08:4a:88:98:65:49:eb:66:9e: + 2d:28 +-----BEGIN CERTIFICATE----- +MIIDPjCCAqegAwIBAgIBAzANBgkqhkiG9w0BAQQFADBmMQswCQYDVQQGEwJLRzEL +MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t +VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTA0MTEy +NTE0NDg1NVoXDTE0MTEyMzE0NDg1NVowczELMAkGA1UEBhMCS0cxCzAJBgNVBAgT +Ak5BMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxHTAbBgNVBAMTFFRlc3QtQ2xpZW50 +LVBhc3N3b3JkMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wgZ8w +DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMq0BWd7UcHS/iFXsaVXXMCGOAWokc/n +pL16dtg7z/7zeGUk1nJ9G2222gTyqPa0BHjSJKchL8opRpYPC5ExZh5NIppdBReZ +nKB+4Cq+eAyhudQExOz4YXlitVIt9UGv25+Mqwgbt5W4wfAp09r7AD+OXCfjjfru +3LQ7C4vgq8HBAgMBAAGjge4wgeswCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYd +T3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFEBX8YychrLa +4D+nuNeFQ0UHikBzMIGQBgNVHSMEgYgwgYWAFImmYOO66j6v/GR/TL2M0kiN4MxG +oWqkaDBmMQswCQYDVQQGEwJLRzELMAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hL +RUsxFTATBgNVBAoTDE9wZW5WUE4tVEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlo +b3N0Lm15ZG9tYWluggEAMA0GCSqGSIb3DQEBBAUAA4GBAKV5cn+iCCiOZtrh0L67 +lz1ln6seGazxZkQUj0586+oeL1fqREZMuVZbwAxY0kWHJm2C3oxkuIsiYWHGaDYI +nVr9L+Uh4aIMfz7K4Qbqn4FiPaDO8R4Nq4aJ7ZqJNDLJ6W199RHDXX6l9/Gmg3cb +lGfZD1ysDghKiJhlSetmni0o +-----END CERTIFICATE----- diff --git a/app/openvpn/sample/sample-keys/pass.key b/app/openvpn/sample/sample-keys/pass.key new file mode 100644 index 00000000..4916364c --- /dev/null +++ b/app/openvpn/sample/sample-keys/pass.key @@ -0,0 +1,18 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,959F7365DBBFDB77 + +nGm57l+rR/8dAZOHL/1x/6dt11zUca7rphjsgw6XRnSf3M/CWmHvHVjApWcNLEs5 +SWNMp1xfUogtGzsKoMBbnlZLDA7RVHUYD6dVMyCpc64UjzT08LmdZhtQYLAKmlUC +PT1VXS4Ae+SrqCPUqJkw1xP3kr0F1EVCXNu0nhOBAuuTGOS7PPEyW2N+k4nRHtsR +IaPp8GCuIeoR6CdymTFTq6d/GeCiEcyrUM4BNrG4GtRRrURxxOrzQFEOS5sjBPSg +Km1lwa6zBQFRLg9dKjRBL4teKuPY5Z2Nmpcml/aN4CkdkVEso4lW6/UHLE/joOMQ +0MdpdYtu8wnt1WI/Z4immQfl3MF+QcPMkqXXzCEhGG/5SbAo89KC46UXvu1Z5OhS +8XFHhvYBivOYWgZ3XUQqyZ0ulF60mFX7aE1Ph/eEbhWBHmU39hGjxzop1UoPwqLx +ahvtfvCkR3ZeqlWO9SHzCA3MlrKwQ1p1UL6nG6AJhNN9jSevH6by+8wr07NBZOqX +fJx+J/8EdVsUCFG2UJxPwM83ZSwAsvKRqph6CuWEl9ndUb7rw6khmRIoY0Iz3LbU +1MlcDoJNcJas6lYDr1UeFSk86g0SiGCHXZIqsjyUgq6HIy4YrAYiQUthnlF8tp2Q +nNQBPLo1GsHf0dC2MqKfDFASu7ST+Bl+yajHcIiUXvUJPxWbjkWYG9Q2p2ZBLzZD +uqeRr66OKxTzUS4go/QbHDNsAulXl61gQIEOdZw5uy/Jl11kyAI6EQbzmehagKdH +EshTgKp8ks62y0bBHgy3FMKyidJ5Hm58ZDhBxrwN0w+vhRoTGOepTA== +-----END RSA PRIVATE KEY----- diff --git a/app/openvpn/sample/sample-keys/pkcs12.p12 b/app/openvpn/sample/sample-keys/pkcs12.p12 Binary files differnew file mode 100644 index 00000000..253d4081 --- /dev/null +++ b/app/openvpn/sample/sample-keys/pkcs12.p12 diff --git a/app/openvpn/sample/sample-keys/server.crt b/app/openvpn/sample/sample-keys/server.crt new file mode 100644 index 00000000..28bb4d94 --- /dev/null +++ b/app/openvpn/sample/sample-keys/server.crt @@ -0,0 +1,67 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: md5WithRSAEncryption + Issuer: C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST/emailAddress=me@myhost.mydomain + Validity + Not Before: Nov 25 14:42:22 2004 GMT + Not After : Nov 23 14:42:22 2014 GMT + Subject: C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Server/emailAddress=me@myhost.mydomain + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (1024 bit) + Modulus (1024 bit): + 00:cb:4e:ac:f9:83:57:f6:69:d2:32:29:b4:bc:ad: + e6:f7:26:21:89:33:30:43:40:a3:35:d9:de:26:01: + d6:b4:f0:bc:0a:19:55:99:3b:f1:4c:91:60:b6:fd: + 74:34:8d:5a:c7:62:ec:ce:f2:d6:02:ce:57:32:f4: + 35:8c:71:a0:6d:65:2a:e7:80:ae:29:59:cf:36:73: + f8:7c:4a:73:90:fc:30:28:d5:46:7d:35:a4:4e:c9: + 9f:90:7b:e2:09:21:36:c5:a8:ec:85:82:9a:32:b4: + 91:3b:c1:d6:4f:9f:d1:f8:6f:68:f4:1d:d2:06:91: + 32:cc:9a:48:fd:cd:98:7f:2f + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Cert Type: + SSL Server + Netscape Comment: + OpenSSL Generated Server Certificate + X509v3 Subject Key Identifier: + 69:11:FE:E7:9F:89:7B:71:34:69:C0:DC:82:F8:D0:5D:4D:FB:78:DF + X509v3 Authority Key Identifier: + keyid:89:A6:60:E3:BA:EA:3E:AF:FC:64:7F:4C:BD:8C:D2:48:8D:E0:CC:46 + DirName:/C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me@myhost.mydomain + serial:00 + + Signature Algorithm: md5WithRSAEncryption + 35:5c:75:da:57:ef:b5:79:f2:a2:db:36:e4:75:e8:c7:bc:73: + 26:cf:30:36:4b:2e:51:46:37:60:2f:4e:2b:f6:71:a2:23:db: + 8e:d8:5c:d5:af:2e:22:28:dd:30:a8:89:66:3a:cc:5b:3c:0f: + 96:12:20:de:5e:41:52:74:35:ed:4c:26:40:19:ca:73:df:54: + b1:30:96:9c:a5:14:d0:38:28:3f:ab:30:07:d7:de:98:d2:7f: + 7f:90:b2:52:1d:e5:95:88:ed:ba:8a:6a:14:85:66:76:ec:75: + 30:e8:ae:94:f4:e1:76:fa:4b:0e:f1:53:d7:95:be:fb:69:fa: + 3d:32 +-----BEGIN CERTIFICATE----- +MIIDUTCCArqgAwIBAgIBATANBgkqhkiG9w0BAQQFADBmMQswCQYDVQQGEwJLRzEL +MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t +VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTA0MTEy +NTE0NDIyMloXDTE0MTEyMzE0NDIyMlowajELMAkGA1UEBhMCS0cxCzAJBgNVBAgT +Ak5BMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxFDASBgNVBAMTC1Rlc3QtU2VydmVy +MSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wgZ8wDQYJKoZIhvcN +AQEBBQADgY0AMIGJAoGBAMtOrPmDV/Zp0jIptLyt5vcmIYkzMENAozXZ3iYB1rTw +vAoZVZk78UyRYLb9dDSNWsdi7M7y1gLOVzL0NYxxoG1lKueArilZzzZz+HxKc5D8 +MCjVRn01pE7Jn5B74gkhNsWo7IWCmjK0kTvB1k+f0fhvaPQd0gaRMsyaSP3NmH8v +AgMBAAGjggEJMIIBBTAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAzBglg +hkgBhvhCAQ0EJhYkT3BlblNTTCBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRl +MB0GA1UdDgQWBBRpEf7nn4l7cTRpwNyC+NBdTft43zCBkAYDVR0jBIGIMIGFgBSJ +pmDjuuo+r/xkf0y9jNJIjeDMRqFqpGgwZjELMAkGA1UEBhMCS0cxCzAJBgNVBAgT +Ak5BMRAwDgYDVQQHEwdCSVNIS0VLMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxITAf +BgkqhkiG9w0BCQEWEm1lQG15aG9zdC5teWRvbWFpboIBADANBgkqhkiG9w0BAQQF +AAOBgQA1XHXaV++1efKi2zbkdejHvHMmzzA2Sy5RRjdgL04r9nGiI9uO2FzVry4i +KN0wqIlmOsxbPA+WEiDeXkFSdDXtTCZAGcpz31SxMJacpRTQOCg/qzAH196Y0n9/ +kLJSHeWViO26imoUhWZ27HUw6K6U9OF2+ksO8VPXlb77afo9Mg== +-----END CERTIFICATE----- diff --git a/app/openvpn/sample/sample-keys/server.key b/app/openvpn/sample/sample-keys/server.key new file mode 100644 index 00000000..976acabf --- /dev/null +++ b/app/openvpn/sample/sample-keys/server.key @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXgIBAAKBgQDLTqz5g1f2adIyKbS8reb3JiGJMzBDQKM12d4mAda08LwKGVWZ +O/FMkWC2/XQ0jVrHYuzO8tYCzlcy9DWMcaBtZSrngK4pWc82c/h8SnOQ/DAo1UZ9 +NaROyZ+Qe+IJITbFqOyFgpoytJE7wdZPn9H4b2j0HdIGkTLMmkj9zZh/LwIDAQAB +AoGBAKP1ljA/iY/zNY447kZ/5NWKzd7tBk4mcbl7M9no/7O6tZtbZRoIKoi6cYoC +C1ZabUyBbkNTud5XdCFmq0zRUjOWvoFMZ9VZfd2kRPvl4TGczBtJAq65b+EYMGui +q6T9p61xPdtzu0vM+Ecj127pAMk5XcJyxu8XQK7lZWmG5UoJAkEA8CxXNZN+A3qD +bMBPI3VdwKCNSjNVEQEnygMbNgw7VLdxPpspzZziqJEGdzsM4dsnOBwKxIWFLN2h +lbGBOquAswJBANi0atGWM8VUxDjvqqHCTS9RUXWgnvYhee4/xraJBQPBSivjC9P0 +vKT7PjBHU6djtKSLKGaHn1vHqmyY7PCMjZUCQQCNVSqExqSzG1dXmdt4PErNXi2G +6qo2dX2arTVIGu6XLdQgSWLSMm5XT/CEHWW5SyPLKwVTHFeATXQXCPvJML9tAkEA +k0yXax0g1ZoXwufN4SQUmPw6Va03P/BjU/nP1ZVvbiz9gLVU/d7WN4J7tA9XomkY +idv5OzAmtxkSE70jGSNAvQJAWhCf9+iHkzOHRyKKOYlh1DHUwDfSEp+hlZYg9H03 +P2sraQzUxgWDY/DIY63KvW78ny863baFz7onz21MYGgJXg== +-----END RSA PRIVATE KEY----- diff --git a/app/openvpn/sample/sample-plugins/defer/README b/app/openvpn/sample/sample-plugins/defer/README new file mode 100644 index 00000000..d8990f8b --- /dev/null +++ b/app/openvpn/sample/sample-plugins/defer/README @@ -0,0 +1,16 @@ +OpenVPN plugin examples. + +Examples provided: + +simple.c -- using the --auth-user-pass-verify callback, + test deferred authentication. + +To build: + + ./build simple (Linux/BSD/etc.) + ./winbuild simple (MinGW on Windows) + +To use in OpenVPN, add to config file: + + plugin simple.so (Linux/BSD/etc.) + plugin simple.dll (MinGW on Windows) diff --git a/app/openvpn/sample/sample-plugins/defer/simple.c b/app/openvpn/sample/sample-plugins/defer/simple.c new file mode 100644 index 00000000..65398657 --- /dev/null +++ b/app/openvpn/sample/sample-plugins/defer/simple.c @@ -0,0 +1,305 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +/* + * This file implements a simple OpenVPN plugin module which + * will test deferred authentication and packet filtering. + * + * Will run on Windows or *nix. + * + * Sample usage: + * + * setenv test_deferred_auth 20 + * setenv test_packet_filter 10 + * plugin plugin/defer/simple.so + * + * This will enable deferred authentication to occur 20 + * seconds after the normal TLS authentication process, + * and will cause a packet filter file to be generated 10 + * seconds after the initial TLS negotiation, using + * {common-name}.pf as the source. + * + * Sample packet filter configuration: + * + * [CLIENTS DROP] + * +otherclient + * [SUBNETS DROP] + * +10.0.0.0/8 + * -10.10.0.8 + * [END] + * + * See the README file for build instructions. + */ + +#include <stdio.h> +#include <string.h> +#include <stdlib.h> + +#include "openvpn-plugin.h" + +/* bool definitions */ +#define bool int +#define true 1 +#define false 0 + +/* + * Our context, where we keep our state. + */ + +struct plugin_context { + int test_deferred_auth; + int test_packet_filter; +}; + +struct plugin_per_client_context { + int n_calls; + bool generated_pf_file; +}; + +/* + * Given an environmental variable name, search + * the envp array for its value, returning it + * if found or NULL otherwise. + */ +static const char * +get_env (const char *name, const char *envp[]) +{ + if (envp) + { + int i; + const int namelen = strlen (name); + for (i = 0; envp[i]; ++i) + { + if (!strncmp (envp[i], name, namelen)) + { + const char *cp = envp[i] + namelen; + if (*cp == '=') + return cp + 1; + } + } + } + return NULL; +} + +/* used for safe printf of possible NULL strings */ +static const char * +np (const char *str) +{ + if (str) + return str; + else + return "[NULL]"; +} + +static int +atoi_null0 (const char *str) +{ + if (str) + return atoi (str); + else + return 0; +} + +OPENVPN_EXPORT openvpn_plugin_handle_t +openvpn_plugin_open_v1 (unsigned int *type_mask, const char *argv[], const char *envp[]) +{ + struct plugin_context *context; + + printf ("FUNC: openvpn_plugin_open_v1\n"); + + /* + * Allocate our context + */ + context = (struct plugin_context *) calloc (1, sizeof (struct plugin_context)); + + context->test_deferred_auth = atoi_null0 (get_env ("test_deferred_auth", envp)); + printf ("TEST_DEFERRED_AUTH %d\n", context->test_deferred_auth); + + context->test_packet_filter = atoi_null0 (get_env ("test_packet_filter", envp)); + printf ("TEST_PACKET_FILTER %d\n", context->test_packet_filter); + + /* + * Which callbacks to intercept. + */ + *type_mask = + OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_UP) | + OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_DOWN) | + OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_ROUTE_UP) | + OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_IPCHANGE) | + OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_VERIFY) | + OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) | + OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_CONNECT_V2) | + OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_DISCONNECT) | + OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_LEARN_ADDRESS) | + OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_FINAL) | + OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_ENABLE_PF); + + return (openvpn_plugin_handle_t) context; +} + +static int +auth_user_pass_verify (struct plugin_context *context, struct plugin_per_client_context *pcc, const char *argv[], const char *envp[]) +{ + if (context->test_deferred_auth) + { + /* get username/password from envp string array */ + const char *username = get_env ("username", envp); + const char *password = get_env ("password", envp); + + /* get auth_control_file filename from envp string array*/ + const char *auth_control_file = get_env ("auth_control_file", envp); + + printf ("DEFER u='%s' p='%s' acf='%s'\n", + np(username), + np(password), + np(auth_control_file)); + + /* Authenticate asynchronously in n seconds */ + if (auth_control_file) + { + char buf[256]; + int auth = 2; + sscanf (username, "%d", &auth); + snprintf (buf, sizeof(buf), "( sleep %d ; echo AUTH %s %d ; echo %d >%s ) &", + context->test_deferred_auth, + auth_control_file, + auth, + pcc->n_calls < auth, + auth_control_file); + printf ("%s\n", buf); + system (buf); + pcc->n_calls++; + return OPENVPN_PLUGIN_FUNC_DEFERRED; + } + else + return OPENVPN_PLUGIN_FUNC_ERROR; + } + else + return OPENVPN_PLUGIN_FUNC_SUCCESS; +} + +static int +tls_final (struct plugin_context *context, struct plugin_per_client_context *pcc, const char *argv[], const char *envp[]) +{ + if (context->test_packet_filter) + { + if (!pcc->generated_pf_file) + { + const char *pff = get_env ("pf_file", envp); + const char *cn = get_env ("username", envp); + if (pff && cn) + { + char buf[256]; + snprintf (buf, sizeof(buf), "( sleep %d ; echo PF %s/%s ; cp \"%s.pf\" \"%s\" ) &", + context->test_packet_filter, cn, pff, cn, pff); + printf ("%s\n", buf); + system (buf); + pcc->generated_pf_file = true; + return OPENVPN_PLUGIN_FUNC_SUCCESS; + } + else + return OPENVPN_PLUGIN_FUNC_ERROR; + } + else + return OPENVPN_PLUGIN_FUNC_ERROR; + } + else + return OPENVPN_PLUGIN_FUNC_SUCCESS; +} + +OPENVPN_EXPORT int +openvpn_plugin_func_v2 (openvpn_plugin_handle_t handle, + const int type, + const char *argv[], + const char *envp[], + void *per_client_context, + struct openvpn_plugin_string_list **return_list) +{ + struct plugin_context *context = (struct plugin_context *) handle; + struct plugin_per_client_context *pcc = (struct plugin_per_client_context *) per_client_context; + switch (type) + { + case OPENVPN_PLUGIN_UP: + printf ("OPENVPN_PLUGIN_UP\n"); + return OPENVPN_PLUGIN_FUNC_SUCCESS; + case OPENVPN_PLUGIN_DOWN: + printf ("OPENVPN_PLUGIN_DOWN\n"); + return OPENVPN_PLUGIN_FUNC_SUCCESS; + case OPENVPN_PLUGIN_ROUTE_UP: + printf ("OPENVPN_PLUGIN_ROUTE_UP\n"); + return OPENVPN_PLUGIN_FUNC_SUCCESS; + case OPENVPN_PLUGIN_IPCHANGE: + printf ("OPENVPN_PLUGIN_IPCHANGE\n"); + return OPENVPN_PLUGIN_FUNC_SUCCESS; + case OPENVPN_PLUGIN_TLS_VERIFY: + printf ("OPENVPN_PLUGIN_TLS_VERIFY\n"); + return OPENVPN_PLUGIN_FUNC_SUCCESS; + case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY: + printf ("OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY\n"); + return auth_user_pass_verify (context, pcc, argv, envp); + case OPENVPN_PLUGIN_CLIENT_CONNECT_V2: + printf ("OPENVPN_PLUGIN_CLIENT_CONNECT_V2\n"); + return OPENVPN_PLUGIN_FUNC_SUCCESS; + case OPENVPN_PLUGIN_CLIENT_DISCONNECT: + printf ("OPENVPN_PLUGIN_CLIENT_DISCONNECT\n"); + return OPENVPN_PLUGIN_FUNC_SUCCESS; + case OPENVPN_PLUGIN_LEARN_ADDRESS: + printf ("OPENVPN_PLUGIN_LEARN_ADDRESS\n"); + return OPENVPN_PLUGIN_FUNC_SUCCESS; + case OPENVPN_PLUGIN_TLS_FINAL: + printf ("OPENVPN_PLUGIN_TLS_FINAL\n"); + return tls_final (context, pcc, argv, envp); + case OPENVPN_PLUGIN_ENABLE_PF: + printf ("OPENVPN_PLUGIN_ENABLE_PF\n"); + if (context->test_packet_filter) + return OPENVPN_PLUGIN_FUNC_SUCCESS; + else + return OPENVPN_PLUGIN_FUNC_ERROR; + default: + printf ("OPENVPN_PLUGIN_?\n"); + return OPENVPN_PLUGIN_FUNC_ERROR; + } +} + +OPENVPN_EXPORT void * +openvpn_plugin_client_constructor_v1 (openvpn_plugin_handle_t handle) +{ + printf ("FUNC: openvpn_plugin_client_constructor_v1\n"); + return calloc (1, sizeof (struct plugin_per_client_context)); +} + +OPENVPN_EXPORT void +openvpn_plugin_client_destructor_v1 (openvpn_plugin_handle_t handle, void *per_client_context) +{ + printf ("FUNC: openvpn_plugin_client_destructor_v1\n"); + free (per_client_context); +} + +OPENVPN_EXPORT void +openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle) +{ + struct plugin_context *context = (struct plugin_context *) handle; + printf ("FUNC: openvpn_plugin_close_v1\n"); + free (context); +} diff --git a/app/openvpn/sample/sample-plugins/defer/simple.def b/app/openvpn/sample/sample-plugins/defer/simple.def new file mode 100755 index 00000000..a87507d1 --- /dev/null +++ b/app/openvpn/sample/sample-plugins/defer/simple.def @@ -0,0 +1,6 @@ +LIBRARY OpenVPN_PLUGIN_SAMPLE +DESCRIPTION "Sample OpenVPN plug-in module." +EXPORTS + openvpn_plugin_open_v1 @1 + openvpn_plugin_func_v1 @2 + openvpn_plugin_close_v1 @3 diff --git a/app/openvpn/sample/sample-plugins/defer/winbuild b/app/openvpn/sample/sample-plugins/defer/winbuild new file mode 100755 index 00000000..82927d96 --- /dev/null +++ b/app/openvpn/sample/sample-plugins/defer/winbuild @@ -0,0 +1,18 @@ +# +# Build an OpenVPN plugin module on Windows/MinGW. +# The argument should be the base name of the C source file +# (without the .c). +# + +# This directory is where we will look for openvpn-plugin.h +INCLUDE="-I../../../build" + +CC_FLAGS="-O2 -Wall" + +gcc -DBUILD_DLL $CC_FLAGS $INCLUDE -c $1.c +gcc --disable-stdcall-fixup -mdll -DBUILD_DLL -o junk.tmp -Wl,--base-file,base.tmp $1.o +rm junk.tmp +dlltool --dllname $1.dll --base-file base.tmp --output-exp temp.exp --input-def $1.def +rm base.tmp +gcc --enable-stdcall-fixup -mdll -DBUILD_DLL -o $1.dll $1.o -Wl,temp.exp +rm temp.exp diff --git a/app/openvpn/sample/sample-plugins/log/log.c b/app/openvpn/sample/sample-plugins/log/log.c new file mode 100644 index 00000000..1cc4650e --- /dev/null +++ b/app/openvpn/sample/sample-plugins/log/log.c @@ -0,0 +1,184 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +/* + * This plugin is similar to simple.c, except it also logs extra information + * to stdout for every plugin method called by OpenVPN. + * + * See the README file for build instructions. + */ + +#include <stdio.h> +#include <string.h> +#include <stdlib.h> + +#include "openvpn-plugin.h" + +/* + * Our context, where we keep our state. + */ +struct plugin_context { + const char *username; + const char *password; +}; + +/* + * Given an environmental variable name, search + * the envp array for its value, returning it + * if found or NULL otherwise. + */ +static const char * +get_env (const char *name, const char *envp[]) +{ + if (envp) + { + int i; + const int namelen = strlen (name); + for (i = 0; envp[i]; ++i) + { + if (!strncmp (envp[i], name, namelen)) + { + const char *cp = envp[i] + namelen; + if (*cp == '=') + return cp + 1; + } + } + } + return NULL; +} + +OPENVPN_EXPORT openvpn_plugin_handle_t +openvpn_plugin_open_v1 (unsigned int *type_mask, const char *argv[], const char *envp[]) +{ + struct plugin_context *context; + + /* + * Allocate our context + */ + context = (struct plugin_context *) calloc (1, sizeof (struct plugin_context)); + + /* + * Set the username/password we will require. + */ + context->username = "foo"; + context->password = "bar"; + + /* + * Which callbacks to intercept. + */ + *type_mask = + OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_UP) | + OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_DOWN) | + OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_ROUTE_UP) | + OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_IPCHANGE) | + OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_VERIFY) | + OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) | + OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_CONNECT_V2) | + OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_DISCONNECT) | + OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_LEARN_ADDRESS) | + OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_FINAL); + + return (openvpn_plugin_handle_t) context; +} + +void +show (const int type, const char *argv[], const char *envp[]) +{ + size_t i; + switch (type) + { + case OPENVPN_PLUGIN_UP: + printf ("OPENVPN_PLUGIN_UP\n"); + break; + case OPENVPN_PLUGIN_DOWN: + printf ("OPENVPN_PLUGIN_DOWN\n"); + break; + case OPENVPN_PLUGIN_ROUTE_UP: + printf ("OPENVPN_PLUGIN_ROUTE_UP\n"); + break; + case OPENVPN_PLUGIN_IPCHANGE: + printf ("OPENVPN_PLUGIN_IPCHANGE\n"); + break; + case OPENVPN_PLUGIN_TLS_VERIFY: + printf ("OPENVPN_PLUGIN_TLS_VERIFY\n"); + break; + case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY: + printf ("OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY\n"); + break; + case OPENVPN_PLUGIN_CLIENT_CONNECT_V2: + printf ("OPENVPN_PLUGIN_CLIENT_CONNECT_V2\n"); + break; + case OPENVPN_PLUGIN_CLIENT_DISCONNECT: + printf ("OPENVPN_PLUGIN_CLIENT_DISCONNECT\n"); + break; + case OPENVPN_PLUGIN_LEARN_ADDRESS: + printf ("OPENVPN_PLUGIN_LEARN_ADDRESS\n"); + break; + case OPENVPN_PLUGIN_TLS_FINAL: + printf ("OPENVPN_PLUGIN_TLS_FINAL\n"); + break; + default: + printf ("OPENVPN_PLUGIN_?\n"); + break; + } + + printf ("ARGV\n"); + for (i = 0; argv[i] != NULL; ++i) + printf ("%d '%s'\n", (int)i, argv[i]); + + printf ("ENVP\n"); + for (i = 0; envp[i] != NULL; ++i) + printf ("%d '%s'\n", (int)i, envp[i]); +} + +OPENVPN_EXPORT int +openvpn_plugin_func_v1 (openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[]) +{ + struct plugin_context *context = (struct plugin_context *) handle; + + show (type, argv, envp); + + /* check entered username/password against what we require */ + if (type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) + { + /* get username/password from envp string array */ + const char *username = get_env ("username", envp); + const char *password = get_env ("password", envp); + + if (username && !strcmp (username, context->username) + && password && !strcmp (password, context->password)) + return OPENVPN_PLUGIN_FUNC_SUCCESS; + else + return OPENVPN_PLUGIN_FUNC_ERROR; + } + else + return OPENVPN_PLUGIN_FUNC_SUCCESS; +} + +OPENVPN_EXPORT void +openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle) +{ + struct plugin_context *context = (struct plugin_context *) handle; + free (context); +} diff --git a/app/openvpn/sample/sample-plugins/log/log_v3.c b/app/openvpn/sample/sample-plugins/log/log_v3.c new file mode 100644 index 00000000..742c7568 --- /dev/null +++ b/app/openvpn/sample/sample-plugins/log/log_v3.c @@ -0,0 +1,247 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net> + * Copyright (C) 2010 David Sommerseth <dazo@users.sourceforge.net> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +/* + * This plugin is similar to simple.c, except it also logs extra information + * to stdout for every plugin method called by OpenVPN. The only difference + * between this (log_v3.c) and log.c is that this module uses the v3 plug-in + * API. + * + * See the README file for build instructions. + */ + +#include <stdio.h> +#include <string.h> +#include <stdlib.h> + +#define ENABLE_SSL + +#include "openvpn-plugin.h" + +/* + * Our context, where we keep our state. + */ +struct plugin_context { + const char *username; + const char *password; +}; + +/* + * Given an environmental variable name, search + * the envp array for its value, returning it + * if found or NULL otherwise. + */ +static const char * +get_env (const char *name, const char *envp[]) +{ + if (envp) + { + int i; + const int namelen = strlen (name); + for (i = 0; envp[i]; ++i) + { + if (!strncmp (envp[i], name, namelen)) + { + const char *cp = envp[i] + namelen; + if (*cp == '=') + return cp + 1; + } + } + } + return NULL; +} + +OPENVPN_EXPORT int +openvpn_plugin_open_v3 (const int v3structver, + struct openvpn_plugin_args_open_in const *args, + struct openvpn_plugin_args_open_return *ret) +{ + struct plugin_context *context = NULL; + + /* Check that we are API compatible */ + if( v3structver != OPENVPN_PLUGINv3_STRUCTVER ) { + return OPENVPN_PLUGIN_FUNC_ERROR; + } + + /* Which callbacks to intercept. */ + ret->type_mask = + OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_UP) | + OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_DOWN) | + OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_ROUTE_UP) | + OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_IPCHANGE) | + OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_VERIFY) | + OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) | + OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_CONNECT_V2) | + OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_DISCONNECT) | + OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_LEARN_ADDRESS) | + OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_FINAL); + + + /* Allocate our context */ + context = (struct plugin_context *) calloc (1, sizeof (struct plugin_context)); + + /* Set the username/password we will require. */ + context->username = "foo"; + context->password = "bar"; + + /* Point the global context handle to our newly created context */ + ret->handle = (void *) context; + + return OPENVPN_PLUGIN_FUNC_SUCCESS; +} + +void +show (const int type, const char *argv[], const char *envp[]) +{ + size_t i; + switch (type) + { + case OPENVPN_PLUGIN_UP: + printf ("OPENVPN_PLUGIN_UP\n"); + break; + case OPENVPN_PLUGIN_DOWN: + printf ("OPENVPN_PLUGIN_DOWN\n"); + break; + case OPENVPN_PLUGIN_ROUTE_UP: + printf ("OPENVPN_PLUGIN_ROUTE_UP\n"); + break; + case OPENVPN_PLUGIN_IPCHANGE: + printf ("OPENVPN_PLUGIN_IPCHANGE\n"); + break; + case OPENVPN_PLUGIN_TLS_VERIFY: + printf ("OPENVPN_PLUGIN_TLS_VERIFY\n"); + break; + case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY: + printf ("OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY\n"); + break; + case OPENVPN_PLUGIN_CLIENT_CONNECT_V2: + printf ("OPENVPN_PLUGIN_CLIENT_CONNECT_V2\n"); + break; + case OPENVPN_PLUGIN_CLIENT_DISCONNECT: + printf ("OPENVPN_PLUGIN_CLIENT_DISCONNECT\n"); + break; + case OPENVPN_PLUGIN_LEARN_ADDRESS: + printf ("OPENVPN_PLUGIN_LEARN_ADDRESS\n"); + break; + case OPENVPN_PLUGIN_TLS_FINAL: + printf ("OPENVPN_PLUGIN_TLS_FINAL\n"); + break; + default: + printf ("OPENVPN_PLUGIN_?\n"); + break; + } + + printf ("ARGV\n"); + for (i = 0; argv[i] != NULL; ++i) + printf ("%d '%s'\n", (int)i, argv[i]); + + printf ("ENVP\n"); + for (i = 0; envp[i] != NULL; ++i) + printf ("%d '%s'\n", (int)i, envp[i]); +} + +static void +x509_print_info (X509 *x509crt) +{ + int i, n; + int fn_nid; + ASN1_OBJECT *fn; + ASN1_STRING *val; + X509_NAME *x509_name; + X509_NAME_ENTRY *ent; + const char *objbuf; + unsigned char *buf; + + x509_name = X509_get_subject_name (x509crt); + n = X509_NAME_entry_count (x509_name); + for (i = 0; i < n; ++i) + { + ent = X509_NAME_get_entry (x509_name, i); + if (!ent) + continue; + fn = X509_NAME_ENTRY_get_object (ent); + if (!fn) + continue; + val = X509_NAME_ENTRY_get_data (ent); + if (!val) + continue; + fn_nid = OBJ_obj2nid (fn); + if (fn_nid == NID_undef) + continue; + objbuf = OBJ_nid2sn (fn_nid); + if (!objbuf) + continue; + buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */ + if (ASN1_STRING_to_UTF8 (&buf, val) <= 0) + continue; + + printf("X509 %s: %s\n", objbuf, (char *)buf); + OPENSSL_free (buf); + } +} + + + +OPENVPN_EXPORT int +openvpn_plugin_func_v3 (const int version, + struct openvpn_plugin_args_func_in const *args, + struct openvpn_plugin_args_func_return *retptr) +{ + struct plugin_context *context = (struct plugin_context *) args->handle; + + printf("\nopenvpn_plugin_func_v3() :::::>> "); + show (args->type, args->argv, args->envp); + + /* Dump some X509 information if we're in the TLS_VERIFY phase */ + if ((args->type == OPENVPN_PLUGIN_TLS_VERIFY) && args->current_cert ) { + printf("---- X509 Subject information ----\n"); + printf("Certificate depth: %i\n", args->current_cert_depth); + x509_print_info(args->current_cert); + printf("----------------------------------\n"); + } + + /* check entered username/password against what we require */ + if (args->type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) + { + /* get username/password from envp string array */ + const char *username = get_env ("username", args->envp); + const char *password = get_env ("password", args->envp); + + if (username && !strcmp (username, context->username) + && password && !strcmp (password, context->password)) + return OPENVPN_PLUGIN_FUNC_SUCCESS; + else + return OPENVPN_PLUGIN_FUNC_ERROR; + } + else + return OPENVPN_PLUGIN_FUNC_SUCCESS; +} + +OPENVPN_EXPORT void +openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle) +{ + struct plugin_context *context = (struct plugin_context *) handle; + free (context); +} diff --git a/app/openvpn/sample/sample-plugins/log/winbuild b/app/openvpn/sample/sample-plugins/log/winbuild new file mode 100755 index 00000000..decf05f8 --- /dev/null +++ b/app/openvpn/sample/sample-plugins/log/winbuild @@ -0,0 +1,18 @@ +# +# Build an OpenVPN plugin module on Windows/MinGW. +# The argument should be the base name of the C source file +# (without the .c). +# + +# This directory is where we will look for openvpn-plugin.h +INCLUDE="-I../../../include" + +CC_FLAGS="-O2 -Wall" + +gcc -DBUILD_DLL $CC_FLAGS $INCLUDE -c $1.c +gcc --disable-stdcall-fixup -mdll -DBUILD_DLL -o junk.tmp -Wl,--base-file,base.tmp $1.o +rm junk.tmp +dlltool --dllname $1.dll --base-file base.tmp --output-exp temp.exp --input-def $1.def +rm base.tmp +gcc --enable-stdcall-fixup -mdll -DBUILD_DLL -o $1.dll $1.o -Wl,temp.exp +rm temp.exp diff --git a/app/openvpn/sample/sample-plugins/simple/README b/app/openvpn/sample/sample-plugins/simple/README new file mode 100644 index 00000000..4400cd30 --- /dev/null +++ b/app/openvpn/sample/sample-plugins/simple/README @@ -0,0 +1,16 @@ +OpenVPN plugin examples. + +Examples provided: + +simple.c -- using the --auth-user-pass-verify callback, verify + that the username/password is "foo"/"bar". + +To build: + + ./build simple (Linux/BSD/etc.) + ./winbuild simple (MinGW on Windows) + +To use in OpenVPN, add to config file: + + plugin simple.so (Linux/BSD/etc.) + plugin simple.dll (MinGW on Windows) diff --git a/app/openvpn/sample/sample-plugins/simple/simple.c b/app/openvpn/sample/sample-plugins/simple/simple.c new file mode 100644 index 00000000..f26d89f6 --- /dev/null +++ b/app/openvpn/sample/sample-plugins/simple/simple.c @@ -0,0 +1,120 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +/* + * This file implements a simple OpenVPN plugin module which + * will examine the username/password provided by a client, + * and make an accept/deny determination. Will run + * on Windows or *nix. + * + * See the README file for build instructions. + */ + +#include <stdio.h> +#include <string.h> +#include <stdlib.h> + +#include "openvpn-plugin.h" + +/* + * Our context, where we keep our state. + */ +struct plugin_context { + const char *username; + const char *password; +}; + +/* + * Given an environmental variable name, search + * the envp array for its value, returning it + * if found or NULL otherwise. + */ +static const char * +get_env (const char *name, const char *envp[]) +{ + if (envp) + { + int i; + const int namelen = strlen (name); + for (i = 0; envp[i]; ++i) + { + if (!strncmp (envp[i], name, namelen)) + { + const char *cp = envp[i] + namelen; + if (*cp == '=') + return cp + 1; + } + } + } + return NULL; +} + +OPENVPN_EXPORT openvpn_plugin_handle_t +openvpn_plugin_open_v1 (unsigned int *type_mask, const char *argv[], const char *envp[]) +{ + struct plugin_context *context; + + /* + * Allocate our context + */ + context = (struct plugin_context *) calloc (1, sizeof (struct plugin_context)); + + /* + * Set the username/password we will require. + */ + context->username = "foo"; + context->password = "bar"; + + /* + * We are only interested in intercepting the + * --auth-user-pass-verify callback. + */ + *type_mask = OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY); + + return (openvpn_plugin_handle_t) context; +} + +OPENVPN_EXPORT int +openvpn_plugin_func_v1 (openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[]) +{ + struct plugin_context *context = (struct plugin_context *) handle; + + /* get username/password from envp string array */ + const char *username = get_env ("username", envp); + const char *password = get_env ("password", envp); + + /* check entered username/password against what we require */ + if (username && !strcmp (username, context->username) + && password && !strcmp (password, context->password)) + return OPENVPN_PLUGIN_FUNC_SUCCESS; + else + return OPENVPN_PLUGIN_FUNC_ERROR; +} + +OPENVPN_EXPORT void +openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle) +{ + struct plugin_context *context = (struct plugin_context *) handle; + free (context); +} diff --git a/app/openvpn/sample/sample-plugins/simple/simple.def b/app/openvpn/sample/sample-plugins/simple/simple.def new file mode 100755 index 00000000..a87507d1 --- /dev/null +++ b/app/openvpn/sample/sample-plugins/simple/simple.def @@ -0,0 +1,6 @@ +LIBRARY OpenVPN_PLUGIN_SAMPLE +DESCRIPTION "Sample OpenVPN plug-in module." +EXPORTS + openvpn_plugin_open_v1 @1 + openvpn_plugin_func_v1 @2 + openvpn_plugin_close_v1 @3 diff --git a/app/openvpn/sample/sample-plugins/simple/winbuild b/app/openvpn/sample/sample-plugins/simple/winbuild new file mode 100755 index 00000000..decf05f8 --- /dev/null +++ b/app/openvpn/sample/sample-plugins/simple/winbuild @@ -0,0 +1,18 @@ +# +# Build an OpenVPN plugin module on Windows/MinGW. +# The argument should be the base name of the C source file +# (without the .c). +# + +# This directory is where we will look for openvpn-plugin.h +INCLUDE="-I../../../include" + +CC_FLAGS="-O2 -Wall" + +gcc -DBUILD_DLL $CC_FLAGS $INCLUDE -c $1.c +gcc --disable-stdcall-fixup -mdll -DBUILD_DLL -o junk.tmp -Wl,--base-file,base.tmp $1.o +rm junk.tmp +dlltool --dllname $1.dll --base-file base.tmp --output-exp temp.exp --input-def $1.def +rm base.tmp +gcc --enable-stdcall-fixup -mdll -DBUILD_DLL -o $1.dll $1.o -Wl,temp.exp +rm temp.exp diff --git a/app/openvpn/sample/sample-scripts/auth-pam.pl b/app/openvpn/sample/sample-scripts/auth-pam.pl new file mode 100755 index 00000000..5333badc --- /dev/null +++ b/app/openvpn/sample/sample-scripts/auth-pam.pl @@ -0,0 +1,97 @@ +#!/usr/bin/perl -t + +# OpenVPN PAM AUTHENTICATON +# This script can be used to add PAM-based authentication +# to OpenVPN 2.0. The OpenVPN client must provide +# a username/password, using the --auth-user-pass directive. +# The OpenVPN server should specify --auth-user-pass-verify +# with this script as the argument and the 'via-file' method +# specified. The server can also optionally specify +# --client-cert-not-required and/or --username-as-common-name. + +# SCRIPT OPERATION +# Return success or failure status based on whether or not a +# given username/password authenticates using PAM. +# Caller should write username/password as two lines in a file +# which is passed to this script as a command line argument. + +# CAVEATS +# * Requires Authen::PAM module, which may also +# require the pam-devel package. +# * May need to be run as root in order to +# access username/password file. + +# NOTES +# * This script is provided mostly as a demonstration of the +# --auth-user-pass-verify script capability in OpenVPN. +# For real world usage, see the auth-pam module in the plugin +# folder. + +use Authen::PAM; +use POSIX; + +# This "conversation function" will pass +# $password to PAM when it asks for it. + +sub my_conv_func { + my @res; + while ( @_ ) { + my $code = shift; + my $msg = shift; + my $ans = ""; + + $ans = $password if $msg =~ /[Pp]assword/; + + push @res, (PAM_SUCCESS(),$ans); + } + push @res, PAM_SUCCESS(); + return @res; +} + +# Identify service type to PAM +$service = "login"; + +# Get username/password from file + +if ($ARG = shift @ARGV) { + if (!open (UPFILE, "<$ARG")) { + print "Could not open username/password file: $ARG\n"; + exit 1; + } +} else { + print "No username/password file specified on command line\n"; + exit 1; +} + +$username = <UPFILE>; +$password = <UPFILE>; + +if (!$username || !$password) { + print "Username/password not found in file: $ARG\n"; + exit 1; +} + +chomp $username; +chomp $password; + +close (UPFILE); + +# Initialize PAM object + +if (!ref($pamh = new Authen::PAM($service, $username, \&my_conv_func))) { + print "Authen::PAM init failed\n"; + exit 1; +} + +# Authenticate with PAM + +$res = $pamh->pam_authenticate; + +# Return success or failure + +if ($res == PAM_SUCCESS()) { + exit 0; +} else { + print "Auth '$username' failed, PAM said: ", $pamh->pam_strerror($res), "\n"; + exit 1; +} diff --git a/app/openvpn/sample/sample-scripts/bridge-start b/app/openvpn/sample/sample-scripts/bridge-start new file mode 100755 index 00000000..d20a2603 --- /dev/null +++ b/app/openvpn/sample/sample-scripts/bridge-start @@ -0,0 +1,39 @@ +#!/bin/sh + +################################# +# Set up Ethernet bridge on Linux +# Requires: bridge-utils +################################# + +# Define Bridge Interface +br="br0" + +# Define list of TAP interfaces to be bridged, +# for example tap="tap0 tap1 tap2". +tap="tap0" + +# Define physical ethernet interface to be bridged +# with TAP interface(s) above. +eth="eth0" +eth_ip="192.168.8.4" +eth_netmask="255.255.255.0" +eth_broadcast="192.168.8.255" + +for t in $tap; do + openvpn --mktun --dev $t +done + +brctl addbr $br +brctl addif $br $eth + +for t in $tap; do + brctl addif $br $t +done + +for t in $tap; do + ifconfig $t 0.0.0.0 promisc up +done + +ifconfig $eth 0.0.0.0 promisc up + +ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast diff --git a/app/openvpn/sample/sample-scripts/bridge-stop b/app/openvpn/sample/sample-scripts/bridge-stop new file mode 100755 index 00000000..81927794 --- /dev/null +++ b/app/openvpn/sample/sample-scripts/bridge-stop @@ -0,0 +1,18 @@ +#!/bin/sh + +#################################### +# Tear Down Ethernet bridge on Linux +#################################### + +# Define Bridge Interface +br="br0" + +# Define list of TAP interfaces to be bridged together +tap="tap0" + +ifconfig $br down +brctl delbr $br + +for t in $tap; do + openvpn --rmtun --dev $t +done diff --git a/app/openvpn/sample/sample-scripts/ucn.pl b/app/openvpn/sample/sample-scripts/ucn.pl new file mode 100755 index 00000000..6d708f82 --- /dev/null +++ b/app/openvpn/sample/sample-scripts/ucn.pl @@ -0,0 +1,11 @@ +#!/usr/bin/perl -t + +# OpenVPN --auth-user-pass-verify script. +# Only authenticate if username equals common_name. +# In OpenVPN config file: +# auth-user-pass-verify ./ucn.pl via-env + +$username = $ENV{'username'}; +$common_name = $ENV{'common_name'}; + +exit !(length($username) > 0 && length($common_name) > 0 && $username eq $common_name); diff --git a/app/openvpn/sample/sample-scripts/verify-cn b/app/openvpn/sample/sample-scripts/verify-cn new file mode 100755 index 00000000..6e747ef1 --- /dev/null +++ b/app/openvpn/sample/sample-scripts/verify-cn @@ -0,0 +1,64 @@ +#!/usr/bin/perl + +# verify-cn -- a sample OpenVPN tls-verify script +# +# Return 0 if cn matches the common name component of +# subject, 1 otherwise. +# +# For example in OpenVPN, you could use the directive: +# +# tls-verify "./verify-cn /etc/openvpn/allowed_clients" +# +# This would cause the connection to be dropped unless +# the client common name is listed on a line in the +# allowed_clients file. + +die "usage: verify-cn cnfile certificate_depth subject" if (@ARGV != 3); + +# Parse out arguments: +# cnfile -- The file containing the list of common names, one per +# line, which the client is required to have, +# taken from the argument to the tls-verify directive +# in the OpenVPN config file. +# The file can have blank lines and comment lines that begin +# with the # character. +# depth -- The current certificate chain depth. In a typical +# bi-level chain, the root certificate will be at level +# 1 and the client certificate will be at level 0. +# This script will be called separately for each level. +# x509 -- the X509 subject string as extracted by OpenVPN from +# the client's provided certificate. +($cnfile, $depth, $x509) = @ARGV; + +if ($depth == 0) { + # If depth is zero, we know that this is the final + # certificate in the chain (i.e. the client certificate), + # and the one we are interested in examining. + # If so, parse out the common name substring in + # the X509 subject string. + + if ($x509 =~ / CN=([^,]+)/) { + $cn = $1; + # Accept the connection if the X509 common name + # string matches the passed cn argument. + open(FH, '<', $cnfile) or exit 1; # can't open, nobody authenticates! + while (defined($line = <FH>)) { + if ($line !~ /^[[:space:]]*(#|$)/o) { + chop($line); + if ($line eq $cn) { + exit 0; + } + } + } + close(FH); + } + + # Authentication failed -- Either we could not parse + # the X509 subject string, or the common name in the + # subject string didn't match the passed cn argument. + exit 1; +} + +# If depth is nonzero, tell OpenVPN to continue processing +# the certificate chain. +exit 0; diff --git a/app/openvpn/sample/sample-windows/sample.ovpn b/app/openvpn/sample/sample-windows/sample.ovpn new file mode 100755 index 00000000..5accd573 --- /dev/null +++ b/app/openvpn/sample/sample-windows/sample.ovpn @@ -0,0 +1,103 @@ +# Edit this file, and save to a .ovpn extension +# so that OpenVPN will activate it when run +# as a service. + +# Change 'myremote' to be your remote host, +# or comment out to enter a listening +# server mode. +remote myremote + +# Uncomment this line to use a different +# port number than the default of 1194. +; port 1194 + +# Choose one of three protocols supported by +# OpenVPN. If left commented out, defaults +# to udp. +; proto [tcp-server | tcp-client | udp] + +# You must specify one of two possible network +# protocols, 'dev tap' or 'dev tun' to be used +# on both sides of the connection. 'tap' creates +# a VPN using the ethernet protocol while 'tun' +# uses the IP protocol. You must use 'tap' +# if you are ethernet bridging or want to route +# broadcasts. 'tun' is somewhat more efficient +# but requires configuration of client software +# to not depend on broadcasts. Some platforms +# such as Solaris, OpenBSD, and Mac OS X only +# support 'tun' interfaces, so if you are +# connecting to such a platform, you must also +# use a 'tun' interface on the Windows side. + +# Enable 'dev tap' or 'dev tun' but not both! +dev tap + +# This is a 'dev tap' ifconfig that creates +# a virtual ethernet subnet. +# 10.3.0.1 is the local VPN IP address +# and 255.255.255.0 is the VPN subnet. +# Only define this option for 'dev tap'. +ifconfig 10.3.0.1 255.255.255.0 + +# This is a 'dev tun' ifconfig that creates +# a point-to-point IP link. +# 10.3.0.1 is the local VPN IP address and +# 10.3.0.2 is the remote VPN IP address. +# Only define this option for 'dev tun'. +# Make sure to include the "tun-mtu" option +# on the remote machine, but swap the order +# of the ifconfig addresses. +;tun-mtu 1500 +;ifconfig 10.3.0.1 10.3.0.2 + +# If you have fragmentation issues or misconfigured +# routers in the path which block Path MTU discovery, +# lower the TCP MSS and internally fragment non-TCP +# protocols. +;fragment 1300 +;mssfix + +# If you have set up more than one TAP-Win32 adapter +# on your system, you must refer to it by name. +;dev-node my-tap + +# You can generate a static OpenVPN key +# by selecting the Generate Key option +# in the start menu. +# +# You can also generate key.txt manually +# with the following command: +# openvpn --genkey --secret key.txt +# +# key must match on both ends of the connection, +# so you should generate it on one machine and +# copy it to the other over a secure medium. +# Place key.txt in the same directory as this +# config file. +secret key.txt + +# Uncomment this section for a more reliable +# detection when a system loses its connection. +# For example, dial-ups or laptops that travel +# to other locations. +# +# If this section is enabled and "myremote" +# above is a dynamic DNS name (i.e. dyndns.org), +# OpenVPN will dynamically "follow" the IP +# address of "myremote" if it changes. +; ping-restart 60 +; ping-timer-rem +; persist-tun +; persist-key +; resolv-retry 86400 + +# keep-alive ping +ping 10 + +# enable LZO compression +comp-lzo + +# moderate verbosity +verb 4 +mute 10 |