Chocobozzz
committed
Mar 21, 2014
1 parent
4b163da
commit a74ec3c
Showing
8 changed files
with
231 additions
and
0 deletions.
@@ -0,0 +1,31 @@ | ||
client | ||
dev tun | ||
proto tcp-client | ||
remote xxx.xxx.xxx.xxx 443 | ||
resolv-retry infinite | ||
cipher AES-256-CBC | ||
redirect-gateway | ||
|
||
# Cles | ||
# Prouver l'identité | ||
ca ca.crt | ||
tls-auth ta.key 1 | ||
key-direction 1 | ||
ns-cert-type server | ||
auth-user-pass | ||
auth-nocache | ||
|
||
# Securite | ||
nobind | ||
persist-key | ||
persist-tun | ||
comp-lzo | ||
verb 3 | ||
|
||
# DNS | ||
script-security 2 | ||
up ./update-resolv.sh | ||
down ./update-resolv.sh | ||
|
||
# Proxy ? | ||
# http-proxy cache.univ.fr 3128 |
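Review bot: `ns-cert-type server` (just after `key-direction 1`) relies on the Netscape nsCertType certificate extension, which OpenVPN deprecated in favour of `remote-cert-tls server` (a key-usage / extended-key-usage check on the server certificate); with a CA that does not set nsCertType the check is weaker than intended, and later OpenVPN releases dropped the option altogether. `up ./update-resolv.sh` and `down ./update-resolv.sh` are relative paths executed with root privileges under `script-security 2`, so whichever `update-resolv.sh` sits in OpenVPN's working directory at start-up is what runs — an absolute path (the script's own header comment suggests a location under `/etc/openvpn/`) removes that ambiguity. The second client configuration later in this commit repeats the `ns-cert-type` line and should change with it.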
@@ -0,0 +1,55 @@ | ||
#!/bin/bash | ||
# | ||
# Parses DHCP options from openvpn to update resolv.conf | ||
# To use set as 'up' and 'down' script in your openvpn *.conf: | ||
# up /etc/openvpn/update-resolv-conf | ||
# down /etc/openvpn/update-resolv-conf | ||
# | ||
# Used snippets of resolvconf script by Thomas Hood <[email protected]> | ||
# and Chris Hanson | ||
# Licensed under the GNU GPL. See /usr/share/common-licenses/GPL. | ||
# 07/2013 [email protected] Fixed intet name | ||
# 05/2006 [email protected] | ||
# | ||
# Example envs set from openvpn: | ||
# foreign_option_1='dhcp-option DNS 193.43.27.132' | ||
# foreign_option_2='dhcp-option DNS 193.43.27.133' | ||
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch' | ||
|
||
#[ -x $(which resolvconf) ] || exit 0 | ||
[ -x /usr/bin/resolvconf ] || exit 0 | ||
|
||
case $script_type in | ||
|
||
up) | ||
for optionname in ${!foreign_option_*} ; do | ||
option="${!optionname}" | ||
echo $option | ||
part1=$(echo "$option" | cut -d " " -f 1) | ||
if [ "$part1" == "dhcp-option" ] ; then | ||
part2=$(echo "$option" | cut -d " " -f 2) | ||
part3=$(echo "$option" | cut -d " " -f 3) | ||
if [ "$part2" == "DNS" ] ; then | ||
IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3" | ||
fi | ||
if [ "$part2" == "DOMAIN" ] ; then | ||
IF_DNS_SEARCH="$IF_DNS_SEARCH $part3" | ||
fi | ||
fi | ||
done | ||
R="" | ||
if [ "$IF_DNS_SEARCH" ] ; then | ||
R="${R}search $IF_DNS_SEARCH | ||
" | ||
fi | ||
for NS in $IF_DNS_NAMESERVERS ; do | ||
R="${R}nameserver $NS | ||
" | ||
done | ||
#echo -n "$R" | resolvconf -p -a "${dev}" | ||
echo -n "$R" | /usr/bin/resolvconf -a "${dev}.inet" | ||
;; | ||
down) | ||
resolvconf -d "${dev}.inet" | ||
;; | ||
esac |
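Review bot: The nameserver and search-domain values taken from `foreign_option_*` are written into resolv.conf without any format check (the `DNS` and `DOMAIN` branches), so whatever the server pushes becomes a `nameserver`/`search` line verbatim; the sketch below accepts only IPv4-shaped and hostname-shaped values and reports anything else on stderr. `IF_DNS_NAMESERVERS` and `IF_DNS_SEARCH` are never initialised, so values already present in the calling environment would be prepended — start both at `""`. The `down` arm calls bare `resolvconf` while the guard at the top and the `up` arm use `/usr/bin/resolvconf`; use the absolute path in both so the guard actually covers the command that runs. The bare `echo $option` is an unquoted debug print that presumably lands in OpenVPN's log; drop it or replace it with `printf '%s\n' "$option" >&2`.
```shell
up)
  IF_DNS_NAMESERVERS=""
  IF_DNS_SEARCH=""
  # … unchanged: loop over ${!foreign_option_*}, split each into part1/part2/part3 …
      # Accept only values shaped like an IPv4 address / a DNS name before they
      # reach resolv.conf; anything else is reported and skipped.
      if [ "$part2" == "dhcp-option" ] ; then :; fi
      if [ "$part2" == "DNS" ] && [[ "$part3" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] ; then
        IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
      elif [ "$part2" == "DOMAIN" ] && [[ "$part3" =~ ^[A-Za-z0-9.-]+$ ]] ; then
        IF_DNS_SEARCH="$IF_DNS_SEARCH $part3"
      else
        printf 'update-resolv: ignoring option %s\n' "$option" >&2
      fi
  # … unchanged: build $R and pipe it to /usr/bin/resolvconf -a "${dev}.inet" …
  ;;
down)
  /usr/bin/resolvconf -d "${dev}.inet"
  ;;
```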
@@ -0,0 +1,26 @@ | ||
client | ||
dev tun | ||
proto tcp-client | ||
remote xxx.xxx.xxx.xxx 443 | ||
resolv-retry infinite | ||
cipher AES-256-CBC | ||
redirect-gateway | ||
|
||
# Cles | ||
# Prouver l'identité | ||
ca ca.crt | ||
tls-auth ta.key 1 | ||
key-direction 1 | ||
ns-cert-type server | ||
auth-user-pass | ||
auth-nocache | ||
|
||
# Securite | ||
nobind | ||
persist-key | ||
persist-tun | ||
comp-lzo | ||
verb 3 | ||
|
||
# Proxy ? | ||
# http-proxy cache.univ.fr 3128 |
@@ -0,0 +1,11 @@ | ||
#!/bin/bash | ||
# Serveur | ||
HOST='localhost' | ||
# Port (par défaut : 3306) | ||
PORT='3306' | ||
# Username | ||
USER='vpn_user' | ||
# Password | ||
PASS='mdp' | ||
# Nom de la base de données | ||
DB='vpn' |
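Review bot: `PASS='mdp'` puts a plaintext database password into a file committed to the repository, and every caller in this commit (connect.sh, disconnect.sh, login.sh) passes it on the command line as `-p$PASS`, which exposes it in the process list to any local user for the duration of each query. Commit a template with placeholder values instead, keep the real file out of version control with restrictive permissions, and have the callers read credentials through `--defaults-extra-file=<path to a mode-0600 options file with a [client] section>` rather than `-p`. server.conf in this commit drops privileges to `user nobody`, so the file presumably has to stay readable by that account — confirm which uid actually runs these hooks before tightening the mode. A short header comment stating that this file is sourced by the three hook scripts and must not be world-readable would also help the next maintainer.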
@@ -0,0 +1,8 @@ | ||
#!/bin/bash | ||
. /etc/openvpn/scripts/config.sh | ||
|
||
# On insert les données dans la table de log | ||
mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "INSERT INTO log (log_id, user_id, log_trusted_ip, log_trusted_port, log_remote_ip, log_remote_port, log_start_time, log_end_time, log_received, log_send) VALUES(NULL, '$common_name','$trusted_ip', '$trusted_port','$ifconfig_pool_remote_ip', '$remote_port_1', now(),'0000-00-00 00:00:00', '$bytes_received', '$bytes_sent')" | ||
|
||
# On spécifie que l'utilisateur est en ligne | ||
mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "UPDATE user SET user_online=1 WHERE user_id='$common_name'" |
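Review bot: `$common_name`, `$trusted_ip`, `$trusted_port`, `$ifconfig_pool_remote_ip`, `$remote_port_1`, `$bytes_received` and `$bytes_sent` are spliced into the SQL text of both `mysql -e` statements without escaping; with `username-as-common-name` in server.conf, `common_name` is the name the client logged in with, so part of the query text is chosen by the remote side. The mysql client has no bound parameters, so the practical fix is to refuse any value outside a conservative character set before running either statement (below); a non-zero exit from a `client-connect` hook also denies the connection, which is the right failure mode. The same interpolation appears in disconnect.sh and, for `$username`/`$password`, in login.sh — apply the guard there too. The unquoted `-h$HOST -P$PORT -u$USER -p$PASS $DB` relies on the config.sh values containing no whitespace; quote them. Per OpenVPN's documentation `bytes_received`/`bytes_sent` are only set before the disconnect hook, so this INSERT presumably stores empty strings for `log_received`/`log_send` — worth confirming against the column types.
```shell
. /etc/openvpn/scripts/config.sh

# Every value below is interpolated into SQL text; refuse anything outside a
# conservative character set (names, addresses, ports, byte counts) first.
# Empty values are allowed because some of these are unset at connect time.
for v in "$common_name" "$trusted_ip" "$trusted_port" "$ifconfig_pool_remote_ip" \
         "$remote_port_1" "$bytes_received" "$bytes_sent"; do
  case "$v" in
    *[!A-Za-z0-9._:@-]*) printf 'connect.sh: rejecting unexpected value\n' >&2; exit 1 ;;
  esac
done
# … unchanged: INSERT INTO log … and UPDATE user SET user_online=1 … (with "$HOST" etc. quoted) …
```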
@@ -0,0 +1,8 @@ | ||
#!/bin/bash | ||
. /etc/openvpn/scripts/config.sh | ||
|
||
# On précise que l'utilisateur n'est plus en ligne | ||
mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "UPDATE user SET user_online=0 WHERE user_id='$common_name'" | ||
|
||
# On insert le datetime de déconnexion | ||
mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "UPDATE log SET log_end_time=now(), log_received='$bytes_received', log_send='$bytes_sent' WHERE log_trusted_ip='$trusted_ip' AND log_trusted_port='$trusted_port' AND user_id='$common_name' AND log_end_time='0000-00-00 00:00:00'" |
@@ -0,0 +1,8 @@ | ||
#!/bin/bash | ||
. /etc/openvpn/scripts/config.sh | ||
|
||
# Authentication | ||
user_id=$(mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -sN -e "SELECT user_id FROM user WHERE user_id = '$username' AND user_pass = SHA1('$password') AND user_enable=1 AND (TO_DAYS(now()) >= TO_DAYS(user_start_date) OR user_start_date='0000-00-00') AND (TO_DAYS(now()) <= TO_DAYS(user_end_date) OR user_end_date='0000-00-00')") | ||
|
||
# Vérification de l'utilisateur | ||
[ "$user_id" != '' ] && [ "$user_id" = "$username" ] && echo "user : $username" && echo 'authentication ok.' && exit 0 || echo 'authentication failed.'; exit 1 |
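Review bot: The query compares `user_pass = SHA1('$password')`, i.e. an unsalted SHA-1 of the password (assuming that is how `user_pass` is populated elsewhere — not visible here), which gives little resistance to offline guessing if the table ever leaks; a salted, deliberately slow hash computed in the script or the admin application, with the database holding only the verifier, is the usual replacement. The password also reaches this script through the environment because server.conf uses `auth-user-pass-verify scripts/login.sh via-env`; OpenVPN's manual recommends `via-file`, where the script reads two lines from the temporary file passed as `$1`, e.g. `{ IFS= read -r username; IFS= read -r password; } < "$1"`. The unescaped interpolation of `$username`/`$password` into the SQL is the issue raised on connect.sh and applies here verbatim. The `&& … || …; exit 1` chain works only because `exit 0` terminates the script mid-chain; an explicit `if … then exit 0; else … exit 1; fi` makes the two outcomes obvious to the reader.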
@@ -0,0 +1,84 @@ | ||
# Server en tcp, port 443 en écoute en créant un tunnel | ||
mode server | ||
proto tcp | ||
port 443 | ||
dev tun | ||
|
||
## CLE, CERTIFICATS ET CONFIGURATION RÉSEAU ## | ||
# Prouver l'identité | ||
ca ca.crt | ||
# Clé publique du serveur | ||
cert server.crt | ||
# Clé privée du serveur | ||
key server.key | ||
# Clé partagée (utilisé pour le chiffrement symétrique, hashage...) | ||
dh dh1024.pem | ||
# Augmente la sécurité (DDOS, port flooding...) | ||
# Deuxième paramètre à 0 sur le serveur et 1 sur le client) | ||
tls-auth ta.key 0 | ||
# Choix de la méthode de cryptographie | ||
cipher AES-256-CBC | ||
|
||
# Reseau | ||
# Sous réseau, le serveur prendra l'adresse 10.8.0.1 et le reste sera disponible pour les clients | ||
server 10.8.0.0 255.255.255.0 | ||
|
||
# Redirection du trafic via internet | ||
push "redirect-gateway def1" | ||
|
||
# Utilisation de DNS alternatifs (OpenDNS) | ||
push "dhcp-option DNS 208.67.222.222" | ||
push "dhcp-option DNS 208.67.220.220" | ||
|
||
# (DNS de Google) | ||
# push "dhcp-option DNS 8.8.8.8" | ||
# push "dhcp-option DNS 8.8.4.4" | ||
|
||
# Ping toutes les 10 secondes et si après 120 secondes le client ne répond toujours pas alors on déconnecte | ||
keepalive 10 120 | ||
# Regenerer la clé du canal toutes les 5h (implique la déconnexion du client) | ||
reneg-sec 18000 | ||
|
||
## SECURITE ## | ||
|
||
# On abaisse les privilèges du démon | ||
user nobody | ||
group nogroup | ||
|
||
# Rend les clés persistantes au démarrage | ||
# Donc, plus besoin de relire les clés cryptographiques (dont on aurait pas eu les droits car on a abaissé les privilèges du démon) | ||
persist-key | ||
# Ne pas fermer et rouvrir le périphérique TUN/TAP | ||
persist-tun | ||
# Active la compression | ||
comp-lzo | ||
|
||
## LOG ## | ||
|
||
# Quantité de log (choix entre 0 et 9) | ||
# Choisir entre 3 et 4 pour une utilisation normale | ||
verb 3 | ||
# Imprime au plus 20 messages de la même catégorie | ||
mute 20 | ||
# Fichier où on liste les connexions des clients | ||
status openvpn-status.log | ||
# Fichier de log | ||
log-append /var/log/openvpn.log | ||
# Dossier de configuration des clients | ||
client-config-dir ccd | ||
|
||
## PASS ## | ||
|
||
# Autoriser l'exécution de scripts externes en passant les mots de passe via les variables d'environnement | ||
script-security 3 system | ||
# Utiliser le pseudo d'authentification comme nom (au lieu du nom du certificat du client) | ||
username-as-common-name | ||
# Certificat du client non requis | ||
client-cert-not-required | ||
# Utiliser le script de connexion lorsqu'un client veut s'authentifier | ||
auth-user-pass-verify scripts/login.sh via-env | ||
# Nombre maximum de clients | ||
max-clients 50 | ||
# Appeler ces scripts à la connexion et déconnexion du client | ||
client-connect scripts/connect.sh | ||
client-disconnect scripts/disconnect.sh |
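Review bot: `dh dh1024.pem` selects 1024-bit Diffie-Hellman parameters for the TLS control channel, which is below current minimums; generate a 2048-bit or larger group with `openssl dhparam` and point `dh` at it (file name illustrative: `dh dh2048.pem`). `script-security 3 system` opts into the deprecated `system` execution method, so every hook (login.sh, connect.sh, disconnect.sh) is launched through a shell; dropping the word restores the default `execve`, which passes arguments directly — `script-security 3`. `client-cert-not-required` together with `auth-user-pass-verify` makes the database password the only client credential (the comment says as much), so login.sh's check is the entire authentication story — worth stating explicitly in the comment above `auth-user-pass-verify`. `tls-auth ta.key 0` and `user nobody`/`group nogroup` are good choices; note that the hooks presumably then run as that account, which constrains how tightly config.sh can be permissioned.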