From 57f8b11c0757e33ecc50524b56aa72ecccee4b68 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Tue, 26 Sep 2017 22:47:19 +0100
Subject: [PATCH] Add tls wrapper to vpn
---
 src/freedombone-addcert | 2 +-
 src/freedombone-app-vpn | 230 +++++++++++++++++++++++++++++++++++++++-
 2 files changed, 226 insertions(+), 6 deletions(-)
diff --git a/src/freedombone-addcert b/src/freedombone-addcert
index 701ceb53..5f729922 100755
--- a/src/freedombone-addcert
+++ b/src/freedombone-addcert
@@ -49,7 +49,7 @@ HOSTNAME=
 remove_cert=
 LETSENCRYPT_HOSTNAME=
 COUNTRY_CODE="US"
-AREA="Free Speech Zone"
+AREA="Apparent Free Speech Zone"
 LOCATION="Freedomville"
 ORGANISATION="Freedombone"
 UNIT="Freedombone Unit"
diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn
index 6bdc1ced..afcc601c 100755
--- a/src/freedombone-app-vpn
+++ b/src/freedombone-app-vpn
@@ -39,8 +39,23 @@ SHOW_ON_ABOUT=0
 OPENVPN_SERVER_NAME="server"
 OPENVPN_KEY_FILENAME='client.ovpn'
+VPN_COUNTRY_CODE="US"
+VPN_AREA="Apparent Free Speech Zone"
+VPN_LOCATION="Freedomville"
+VPN_ORGANISATION="Freedombone"
+VPN_UNIT="Freedombone Unit"
+STUNNEL_PORT=3439
+VPN_TLS_PORT=553
+
 vpn_variables=(MY_EMAIL_ADDRESS
- MY_USERNAME)
+ DEFAULT_DOMAIN_NAME
+ MY_USERNAME
+ VPN_COUNTRY_CODE
+ VPN_AREA
+ VPN_LOCATION
+ VPN_ORGANISATION
+ VPN_UNIT
+ VPN_TLS_PORT)
 function logging_on_vpn {
 echo -n ''
@@ -51,10 +66,101 @@ function logging_off_vpn {
 }
 function install_interactive_vpn {
- echo -n ''
+ VPN_DETAILS_COMPLETE=
+ while [ ! $VPN_DETAILS_COMPLETE ]
+ do
+ data=$(tempfile 2>/dev/null)
+ trap "rm -f $data" 0 1 2 5 15
+ dialog --backtitle $"Freedombone Configuration" \
+ --title $"VPN Configuration" \
+ --form $"\nPlease enter your VPN details. Changing the port to 443 will help defend against censorship but will prevent other web apps from running." 12 65 1 \
+ $"TLS port:" 1 1 "$(grep 'VPN_TLS_PORT' temp.cfg | awk -F '=' '{print $2}')" 1 12 4 4 \
+ 2> $data
+ sel=$?
+ case $sel in
+ 1) exit 1;;
+ 255) exit 1;;
+ esac
+ tlsport=$(cat $data | sed -n 1p)
+ if [ ${#tlsport} -gt 1 ]; then
+ if [[ "$tlsport" != *' '* && "$tlsport" != *'.'* ]]; then
+ VPN_TLS_PORT="$tlsport"
+ VPN_DETAILS_COMPLETE="yes"
+ write_config_param "VPN_TLS_PORT" "$VPN_TLS_PORT"
+ fi
+ fi
+ done
 APP_INSTALLED=1
 }
+function vpn_change_tls_port {
+ EXISTING_VPN_TLS_PORT=$VPN_TLS_PORT
+
+ data=$(tempfile 2>/dev/null)
+ trap "rm -f $data" 0 1 2 5 15
+ dialog --title $"VPN Configuration" \
+ --backtitle $"Freedombone Control Panel" \
+ --inputbox $'Change TLS port' 10 50 $VPN_TLS_PORT 2>$data
+ sel=$?
+ case $sel in
+ 0)
+ tlsport=$(<$data)
+ if [ ${#tlsport} -gt 0 ]; then
+ if [[ "$tlsport" != "$EXISTING_VPN_TLS_PORT" ]]; then
+ VPN_TLS_PORT=$tlsport
+ write_config_param "VPN_TLS_PORT" "$VPN_TLS_PORT"
+ sed -i "s|accept =.*|accept = $VPN_TLS_PORT|g" /etc/stunnel/stunnel.conf
+ sed -i "s|accept =.*|accept = $VPN_TLS_PORT|g" /etc/stunnel/stunnel-client.conf
+
+ for d in /home/*/ ; do
+ USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
+ if [ -f /home/$USERNAME/stunnel-client.conf ]; then
+ cp /etc/stunnel/stunnel-client.conf /home/$USERNAME/stunnel-client.conf
+ chown $USERNAME:$USERNAME /home/$USERNAME/stunnel-client.conf
+ fi
+ done
+
+ if [ $VPN_TLS_PORT -eq 443 ]; then
+ systemctl stop nginx
+ systemctl disable nginx
+ else
+ systemctl enable nginx
+ systemctl restart nginx
+ fi
+
+ systemctl restart stunnel
+
+ dialog --title $"VPN Configuration" \
+ --msgbox $"TLS port changed to $VPN_TLS_PORT" 6 60
+ fi
+ fi
+ ;;
+ esac
+}
+
+function configure_interactive_vpn {
+ read_config_param VPN_TLS_PORT
+ while true
+ do
+ data=$(tempfile 2>/dev/null)
+ trap "rm -f $data" 0 1 2 5 15
+ dialog --backtitle $"Freedombone Control Panel" \
+ --title $"VPN Configuration" \
+ --radiolist $"Choose an operation:" 12 70 2 \
+ 1 $"Change TLS port (currently $VPN_TLS_PORT)" off \
+ 2 $"Exit" on 2> $data
+ sel=$?
+ case $sel in
+ 1) return;;
+ 255) return;;
+ esac
+ case $(cat $data) in
+ 1) vpn_change_tls_port;;
+ 2) break;;
+ esac
+ done
+}
+
 function reconfigure_vpn {
 echo -n ''
 }
@@ -123,7 +229,12 @@ function restore_remote_vpn {
 function remove_vpn {
 systemctl stop openvpn
- apt-get -yq remove --purge fastd openvpn easy-rsa stunnel4
+ if [ $VPN_TLS_PORT -ne 443 ]; then
+ firewall_remove VPN-TLS $VPN_TLS_PORT
+ fi
+
+ apt-get -yq remove --purge fastd openvpn easy-rsa
+ apt-get -yq remove stunnel4
 if [ -d /etc/openvpn ]; then
 rm -rf /etc/openvpn
 fi
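Review bot: vpn_change_tls_port rewrites the wrong key in /etc/stunnel/stunnel-client.conf: in that file `accept =` is the client's local listener port ($STUNNEL_PORT, the port the .ovpn `remote` line targets) and the server's TLS port lives in `connect = $DEFAULT_DOMAIN_NAME:$VPN_TLS_PORT`, so after a change every client listens locally on the new TLS port while still connecting to the old one; the second sed should be `sed -i "s|connect =.*|connect = $DEFAULT_DOMAIN_NAME:$VPN_TLS_PORT|g" /etc/stunnel/stunnel-client.conf`. The firewall is not kept in step either: install_vpn adds a VPN-TLS rule for the port and remove_vpn removes it, but a port change neither removes the old rule nor adds the new one. Neither dialog handler checks that the entered value is actually a port number, and a non-integer value is written into the configs and later breaks `[ $VPN_TLS_PORT -eq 443 ]`; a guard such as `[[ "$tlsport" =~ ^[0-9]+$ ]] && (( tlsport >= 1 && tlsport <= 65535 ))` before accepting the value covers both install_interactive_vpn and vpn_change_tls_port. The rewritten middle of vpn_change_tls_port is sketched below.
```shell
                VPN_TLS_PORT=$tlsport
                write_config_param "VPN_TLS_PORT" "$VPN_TLS_PORT"
                # server side: the listening port; client side: the port it connects to
                sed -i "s|accept =.*|accept = $VPN_TLS_PORT|g" /etc/stunnel/stunnel.conf
                sed -i "s|connect =.*|connect = $DEFAULT_DOMAIN_NAME:$VPN_TLS_PORT|g" /etc/stunnel/stunnel-client.conf
                # keep the firewall in step with install_vpn / remove_vpn
                if [ "$EXISTING_VPN_TLS_PORT" -ne 443 ]; then
                    firewall_remove VPN-TLS "$EXISTING_VPN_TLS_PORT"
                fi
                if [ "$VPN_TLS_PORT" -ne 443 ]; then
                    firewall_add VPN-TLS "$VPN_TLS_PORT" tcp
                fi
                # … unchanged: copy of stunnel-client.conf to users, nginx toggle, stunnel restart, msgbox …
```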
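Review bot: remove_vpn tests `[ $VPN_TLS_PORT -ne 443 ]` with whatever the variable holds at that moment, which is the file-level default of 553 unless the caller has already loaded the configured value; configure_interactive_vpn in this commit calls `read_config_param VPN_TLS_PORT` before using it, and remove_vpn should do the same as its first statement, otherwise a user-chosen port keeps its firewall rule while firewall_remove is run for a port that was never opened. Quoting the expansion, `[ "$VPN_TLS_PORT" -ne 443 ]`, keeps the test well-formed if the value is empty.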
@@ -140,9 +251,14 @@ function remove_vpn {
 if [ -f /home/$USERNAME/$OPENVPN_KEY_FILENAME ]; then
 shred -zu /home/$USERNAME/$OPENVPN_KEY_FILENAME
 fi
+ rm /home/$USERNAME/stunnel*
 done
 userdel -f vpn
 groupdel -f vpn
+
+ if [ -d /etc/stunnel ]; then
+ rm -rf /etc/stunnel
+ fi
 }
 function create_user_vpn_key {
@@ -198,7 +314,7 @@ function create_user_vpn_key {
 fi
 cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf $user_vpn_cert_file
- sed -i "s|remote .*|remote $DEFAULT_DOMAIN_NAME 1194|g" $user_vpn_cert_file
+ sed -i "s|remote .*|remote $DEFAULT_DOMAIN_NAME $STUNNEL_PORT|g" $user_vpn_cert_file
 sed -i 's|;user .*|user nobody|g' $user_vpn_cert_file
 sed -i 's|;group .*|group nobody|g' $user_vpn_cert_file
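Review bot: `rm /home/$USERNAME/stunnel*` deletes stunnel.pem and stunnel.p12, which install_stunnel builds from the server's private key (`cat key.pem cert.pem`), with a plain unlink, while the .ovpn key two lines above is shredded; the unquoted glob also prints an error for users who have no such files. Handling them like the key above keeps the two consistent: `for f in /home/$USERNAME/stunnel*; do [ -f "$f" ] && shred -zu "$f"; done`. The loop over /home that encloses this line starts before the hunk.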
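Review bot: the new `remote $DEFAULT_DOMAIN_NAME $STUNNEL_PORT` sends the OpenVPN client to the server's hostname on port 3439, but nothing on the server listens there: 3439 is the port the user's local stunnel opens (`accept = $STUNNEL_PORT` in stunnel-client.conf), and the server side accepts only on $VPN_TLS_PORT and 1194. Unless the client host resolves DEFAULT_DOMAIN_NAME to itself, the line should point at the local tunnel endpoint, `sed -i "s|remote .*|remote 127.0.0.1 $STUNNEL_PORT|g" $user_vpn_cert_file`. stunnel carries TCP, so if the rest of create_user_vpn_key (outside this hunk) leaves the sample client.conf on `proto udp`, a `proto tcp` line is needed as well, mirrored on the server config that stunnel connects to on 1194.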
@@ -236,14 +352,111 @@ function add_user_vpn {
 new_user_password="$2"
 create_user_vpn_key $new_username
+ if [ -f /etc/stunnel/stunnel.pem ]; then
+ cp /etc/stunnel/stunnel.pem /home/$new_username/stunnel.pem
+ chown $new_username:$new_username /home/$new_username/stunnel.pem
+ fi
+ if [ -f /etc/stunnel/stunnel.p12 ]; then
+ cp /etc/stunnel/stunnel.p12 /home/$new_username/stunnel.p12
+ chown $new_username:$new_username /home/$new_username/stunnel.p12
+ fi
+ cp /etc/stunnel/stunnel-client.conf /home/$new_username/stunnel-client.conf
+ chown $new_username:$new_username /home/$new_username/stunnel-client.conf
 }
 function remove_user_vpn {
 new_username="$1"
 }
+function install_stunnel {
+ apt-get -yq install stunnel4
+
+ cd /etc/stunnel
+
+ openssl req -x509 -nodes -days 3650 -sha256 \
+ -subj "/O=$VPN_ORGANISATION/OU=$VPN_UNIT/C=$VPN_COUNTRY_CODE/ST=$VPN_AREA/L=$VPN_LOCATION/CN=$HOSTNAME" \
+ -newkey rsa:2048 -keyout key.pem \
+ -out cert.pem
+ if [ ! -f key.pem ]; then
+ echo $'stunnel key not created'
+ exit 793530
+ fi
+ if [ ! -f cert.pem ]; then
+ echo $'stunnel cert not created'
+ exit 204587
+ fi
+ chmod 400 key.pem
+ chmod 640 cert.pem
+
+ cat key.pem cert.pem >> stunnel.pem
+ chmod 640 stunnel.pem
+
+ openssl pkcs12 -export -out stunnel.p12 -inkey key.pem -in cert.pem -passout pass:
+ if [ ! -f stunnel.p12 ]; then
+ echo $'stunnel pkcs12 not created'
+ exit 639353
+ fi
+ chmod 640 stunnel.p12
+
+ echo 'chroot = /var/lib/stunnel4' > stunnel.conf
+ echo 'pid = /stunnel4.pid' >> stunnel.conf
+ echo 'setuid = stunnel4' >> stunnel.conf
+ echo 'setgid = stunnel4' >> stunnel.conf
+ echo 'socket = l:TCP_NODELAY=1' >> stunnel.conf
+ echo 'socket = r:TCP_NODELAY=1' >> stunnel.conf
+ echo 'cert = /etc/stunnel/stunnel.pem' >> stunnel.conf
+ echo '[openvpn]' >> stunnel.conf
+ echo "accept = $VPN_TLS_PORT" >> stunnel.conf
+ echo 'connect = localhost:1194' >> stunnel.conf
+ echo 'cert = /etc/stunnel/stunnel.pem' >> stunnel.conf
+
+ sed -i 's|ENABLED=.*|ENABLED=1|g' /etc/default/stunnel4
+
+ echo '[openvpn]' > stunnel-client.conf
+ echo 'client = yes' >> stunnel-client.conf
+ echo "accept = $STUNNEL_PORT" >> stunnel-client.conf
+ echo "connect = $DEFAULT_DOMAIN_NAME:$VPN_TLS_PORT" >> stunnel-client.conf
+ echo 'cert = /etc/stunnel/stunnel.pem' >> stunnel-client.conf
+
+ echo '[Unit]' > /etc/systemd/system/stunnel.service
+ echo 'Description=SSL tunnel for network daemons' >> /etc/systemd/system/stunnel.service
+ echo 'Documentation=man:stunnel https://www.stunnel.org/docs.html' >> /etc/systemd/system/stunnel.service
+ echo 'DefaultDependencies=no' >> /etc/systemd/system/stunnel.service
+ echo 'After=network.target' >> /etc/systemd/system/stunnel.service
+ echo 'After=syslog.target' >> /etc/systemd/system/stunnel.service
+ echo '' >> /etc/systemd/system/stunnel.service
+ echo '[Install]' >> /etc/systemd/system/stunnel.service
+ echo 'WantedBy=multi-user.target' >> /etc/systemd/system/stunnel.service
+ echo 'Alias=stunnel.target' >> /etc/systemd/system/stunnel.service
+ echo '' >> /etc/systemd/system/stunnel.service
+ echo '[Service]' >> /etc/systemd/system/stunnel.service
+ echo 'Type=forking' >> /etc/systemd/system/stunnel.service
+ echo 'RuntimeDirectory=stunnel' >> /etc/systemd/system/stunnel.service
+ echo 'EnvironmentFile=-/etc/stunnel/stunnel.conf' >> /etc/systemd/system/stunnel.service
+ echo 'ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf' >> /etc/systemd/system/stunnel.service
+ echo 'ExecStop=/usr/bin/killall -9 stunnel' >> /etc/systemd/system/stunnel.service
+ echo 'RemainAfterExit=yes' >> /etc/systemd/system/stunnel.service
+
+ if [ $VPN_TLS_PORT -eq 443 ]; then
+ systemctl stop nginx
+ systemctl disable nginx
+ else
+ systemctl enable nginx
+ systemctl restart nginx
+ fi
+
+ systemctl enable stunnel
+ systemctl daemon-reload
+ systemctl start stunnel
+
+ cp /etc/stunnel/stunnel.pem /home/$MY_USERNAME/stunnel.pem
+ cp /etc/stunnel/stunnel.p12 /home/$MY_USERNAME/stunnel.p12
+ cp /etc/stunnel/stunnel-client.conf /home/$MY_USERNAME/stunnel-client.conf
+ chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/stunnel*
+}
+
 function install_vpn {
- apt-get -yq install fastd openvpn easy-rsa stunnel4
+ apt-get -yq install fastd openvpn easy-rsa
 if [ ! -f /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz ]; then
 echo $'Example openvpn server config not found'
@@ -337,8 +550,15 @@ function install_vpn {
 create_user_vpn_key $MY_USERNAME
 firewall_enable_vpn
+
+ if [ $VPN_TLS_PORT -ne 443 ]; then
+ firewall_add VPN-TLS $VPN_TLS_PORT tcp
+ fi
+
 systemctl start openvpn
+ install_stunnel
+
 APP_INSTALLED=1
 }
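Review bot: stunnel.pem is `key.pem` followed by `cert.pem`, so it holds the server's private key, and install_stunnel and add_user_vpn in this hunk copy it, together with the passphrase-less stunnel.p12 (`-passout pass:`), into every VPN user's home and reference it as `cert =` in stunnel-client.conf; each VPN user thereby receives what is needed to impersonate the server, while the client config sets no `verify`/`CAfile` and so never authenticates the server at all. Clients need only the public certificate: distribute cert.pem, replace the client `cert =` line with `CAfile = /etc/stunnel/cert.pem` and `verify = 2`, and drop the .pem/.p12 copies (the .p12 bundle, if one is wanted for import on client machines, should hold only the certificate). Separately, `cat key.pem cert.pem >> stunnel.pem` appends, so a re-run leaves the previous key pair in front of the new one; use `>`. Note also that the certificate CN is `$HOSTNAME` while clients connect to `$DEFAULT_DOMAIN_NAME`, which will need aligning if hostname checking is added later. The rewritten lines are sketched below.
```shell
    # stunnel.pem (private key + cert) stays on the server; '>' so a re-run replaces it
    cat key.pem cert.pem > stunnel.pem
    chmod 640 stunnel.pem
    # … removed: openssl pkcs12 export of the private key and its copies …
    # … unchanged: stunnel.conf, /etc/default/stunnel4 …
    echo '[openvpn]' > stunnel-client.conf
    echo 'client = yes' >> stunnel-client.conf
    echo "accept = $STUNNEL_PORT" >> stunnel-client.conf
    echo "connect = $DEFAULT_DOMAIN_NAME:$VPN_TLS_PORT" >> stunnel-client.conf
    # the client only needs the public cert, and uses it to authenticate the server
    echo 'CAfile = /etc/stunnel/cert.pem' >> stunnel-client.conf
    echo 'verify = 2' >> stunnel-client.conf
    # … unchanged: stunnel.service, nginx toggle, enable/start …
    cp /etc/stunnel/cert.pem /home/$MY_USERNAME/cert.pem
    cp /etc/stunnel/stunnel-client.conf /home/$MY_USERNAME/stunnel-client.conf
    chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/cert.pem /home/$MY_USERNAME/stunnel-client.conf
```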
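Review bot: firewall_add for VPN-TLS runs before install_stunnel, and install_stunnel has three `exit` paths plus an unchecked `cd /etc/stunnel`, so a failed stunnel setup leaves the TLS port open with nothing listening behind it; calling install_stunnel first and opening the port only after `systemctl start stunnel` has succeeded avoids that. As in remove_vpn, the guard should quote the value, `[ "$VPN_TLS_PORT" -ne 443 ]`, and whether VPN_TLS_PORT here reflects the port chosen in install_interactive_vpn depends on the caller loading vpn_variables, which is outside this hunk.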