diff --git a/go.mod b/go.mod
index f83777c..f5aab96 100644
--- a/go.mod
+++ b/go.mod
@@ -5,4 +5,5 @@ require (
 	github.com/onsi/gomega v1.5.0 // indirect
 	github.com/pyke369/golang-support v0.0.0-20190703174728-34ca97aa79e9
 	gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect
+	gopkg.in/ldap.v2 v2.5.1
 )
diff --git a/roadwarrior.conf b/roadwarrior.conf
index 8fe3dc2..152346e 100644
--- a/roadwarrior.conf
+++ b/roadwarrior.conf
@@ -1,33 +1,43 @@
-#script-security 3
-auth-user-pass-optional
-ca /usr/local/share/ca-certificates/Dailymotion.crt
-cert /etc/ssl/certs/vpn.dailymotion.com-cert.pem
-user openvpn
-cipher aes-128-cbc
-dev vpnroadwarrior
-dev-type tun
-dh dh2048.pem
-ifconfig 192.168.200.0 192.168.207.255
-ifconfig-nowarn
-keepalive 10 120
-key /etc/ssl/private/vpn.dailymotion.com-key.pem
-management 127.0.0.1 4000
+# external files
+tls-auth /etc/openvpn/tlsauth.key
+dh /etc/openvpn/dh2048.pem
+ca /usr/local/share/ca-certificates/Dailymotion.crt
+cert /etc/ssl/certs/vpn.dailymotion.com-cert.pem
+key /etc/ssl/private/vpn.dailymotion.com-key.pem
+
+# local parameters
+port 41690
+tls-server
+mode server
+ifconfig 192.168.200.1 255.255.248.0
+topology subnet
+dev vpnadmin
+dev-type tun
+#local 188.65.121.190
+
+# security
+user openvpn
+group openvpn
+reneg-sec 43200
+management 127.0.0.1 4000
 management-client
 management-client-auth
-mode server
-group openvpn
+auth-user-pass-optional
+client-cert-not-required
+username-as-common-name
+
+# push
+push "dhcp-option DNS 10.190.32.2"
+push "dhcp-option DNS 10.190.32.20"
+push "route-gateway 192.168.200.1"
+push "topology subnet"
+
+# crypto
+cipher aes-128-cbc
+keepalive 10 120
 persist-key
+
+ifconfig-nowarn
 persist-remote-ip
 persist-tun
-port 41690
-proto tcp-server
-push "dhcp-option DNS 10.190.32.2"
-push "dhcp-option DNS 10.190.32.20"
-push "topology p2p"
-reneg-sec 43200
-tls-auth tlsauth.key
-tls-server
-topology p2p
-username-as-common-name
-verb 4
-client-cert-not-required
+verb 0
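Review bot: `verb 0` at the end of the roadwarrior.conf hunk drops OpenVPN's own log output to fatal errors only, so client connects, TLS handshake failures and the accept/deny outcome of each `management-client-auth` round stop being recorded by the daemon; on a server that combines `client-cert-not-required` with `auth-user-pass-optional`, that log is the only server-side trace of who was let in unless the management client logs every decision itself, which this diff does not show. `verb 3` keeps those events without the per-packet noise of the previous `verb 4`. Separately, removing `proto tcp-server` without adding a replacement silently moves the listener to the default UDP transport, and the commented `#local` line leaves it bound on every interface; if both are intended, an explicit `proto udp` line next to `port 41690` makes the transport change visible to the next reader.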
diff --git a/vpnsession.go b/vpnsession.go
index bd8492b..a48c474 100644
--- a/vpnsession.go
+++ b/vpnsession.go
@@ -35,6 +35,7 @@ type vpnSession struct {
 	kID int `json:"-"`
 	port int `json:"-"`
 	dev string `json:"-"`
+	netmask string `json:"-"`
 	password string `json:"-"`
 	otpCode string `json:"-"`
 	localIP string `json:"-"`
@@ -74,9 +75,9 @@ func (c *vpnSession) baseHash(salt string, i int64) string {
 func (c *vpnSession) AddRoute(ip string) error {
 	var cmd *exec.Cmd
 	if os.Geteuid() == 0 {
-		cmd = exec.Command("/bin/ip", "route", "replace", ip, "dev", c.dev)
+		cmd = exec.Command("/bin/ip", "route", "replace", ip+"/32", "dev", c.dev)
 	} else {
-		cmd = exec.Command("/usr/bin/sudo", "/bin/ip", "route", "replace", ip, "dev", c.dev)
+		cmd = exec.Command("/usr/bin/sudo", "/bin/ip", "route", "replace", ip+"/32", "dev", c.dev)
 	}
 	return cmd.Run()
 }
@@ -180,6 +181,8 @@ func (c *vpnSession) ParseEnv(s *OpenVpnMgt, infos *[]string) error {
 			c.Login = r.ReplaceAllString(p[1], "")
 		case "dev":
 			c.dev = r.ReplaceAllString(p[1], "")
+		case "ifconfig_netmask":
+			c.netmask = r.ReplaceAllString(p[1], "")
 		}
 	}
 	return nil
@@ -208,7 +211,7 @@ func (c *vpnSession) Auth(s *OpenVpnMgt) {
 	case ok == 0:
 		cmd = []string{
 			fmt.Sprintf("client-auth %d %d", c.cID, c.kID),
-			fmt.Sprintf("ifconfig-push %s %s", ip, c.localIP),
+			fmt.Sprintf("ifconfig-push %s %s", ip, c.netmask),
 		}
 		for _, r := range s.ldap[c.Profile].routes {
 			cmd = append(cmd, fmt.Sprintf("push \"route %s vpn_gateway\"", r))
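Review bot: In AddRoute the new `ip+"/32"` is concatenated without checking that `ip` is a bare IPv4 address, so a value that already carries a prefix length, or an IPv6 address, produces a malformed `ip route replace` argument and the caller only learns of it through cmd.Run()'s exit status with stderr discarded. A guard before the `os.Geteuid()` branch, `if a := net.ParseIP(ip); a == nil || a.To4() == nil { return fmt.Errorf("AddRoute: %q is not an IPv4 address", ip) }`, keeps the failure in Go and makes the /32 assumption explicit; `net` needs importing if the file does not already use it, and `fmt` is already in use elsewhere in the file. Replacing `cmd.Run()` with `cmd.CombinedOutput()` and folding the output into the returned error would also make route failures diagnosable from the caller's log. AddRoute lies entirely inside the hunk.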
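Review bot: The `ifconfig-push %s %s` line in Auth now takes its second argument from c.netmask, which ParseEnv sets only when the management environment includes an `ifconfig_netmask` entry; when it is absent the directive is emitted as `ifconfig-push <ip> ` with an empty netmask, whereas the previous c.localIP value had no such dependency. A check before cmd is assembled, `if c.netmask == "" { /* treat as a configuration error rather than push a malformed directive */ }`, would keep a server that does not export that variable from sending an unusable push; what the deny path looks like is outside this hunk, so the exact handling is for the author to pick. Auth's body starts and ends outside the hunk, as does ParseEnv's.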