
Add tls wrapper to vpn

Bob Mottram 7 years ago
parent
commit
57f8b11c07
2 changed files with 226 additions and 6 deletions
  1. 1
    1
      src/freedombone-addcert
  2. 225
    5
      src/freedombone-app-vpn

+ 1
- 1
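--- a/src/freedombone-addcert
+++ b/src/freedombone-addcert
@@ -49,7 +49,7 @@
 remove_cert=
 LETSENCRYPT_HOSTNAME=
 COUNTRY_CODE="US"
-AREA="Free Speech Zone"
+AREA="Apparent Free Speech Zone"
 LOCATION="Freedomville"
 ORGANISATION="Freedombone"
 UNIT="Freedombone Unit"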

+ 225
- 5
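--- a/src/freedombone-app-vpn
+++ b/src/freedombone-app-vpn
@@ -39,8 +39,23 @@
 OPENVPN_SERVER_NAME="server"
 OPENVPN_KEY_FILENAME='client.ovpn'
 
+VPN_COUNTRY_CODE="US"
+VPN_AREA="Apparent Free Speech Zone"
+VPN_LOCATION="Freedomville"
+VPN_ORGANISATION="Freedombone"
+VPN_UNIT="Freedombone Unit"
+STUNNEL_PORT=3439
+VPN_TLS_PORT=553
+
 vpn_variables=(MY_EMAIL_ADDRESS
-               MY_USERNAME)
+               DEFAULT_DOMAIN_NAME
+               MY_USERNAME
+               VPN_COUNTRY_CODE
+               VPN_AREA
+               VPN_LOCATION
+               VPN_ORGANISATION
+               VPN_UNIT
+               VPN_TLS_PORT)
 
 function logging_on_vpn {
     echo -n ''
@@ -51,10 +66,101 @@
 }
 
 function install_interactive_vpn {
-    echo -n ''
+    VPN_DETAILS_COMPLETE=
+    while [ ! $VPN_DETAILS_COMPLETE ]
+    do
+        data=$(tempfile 2>/dev/null)
+        trap "rm -f $data" 0 1 2 5 15
+        dialog --backtitle $"Freedombone Configuration" \
+               --title $"VPN Configuration" \
+               --form $"\nPlease enter your VPN details. Changing the port to 443 will help defend against censorship but will prevent other web apps from running." 12 65 1 \
+               $"TLS port:" 1 1 "$(grep 'VPN_TLS_PORT' temp.cfg | awk -F '=' '{print $2}')" 1 12 4 4 \
+               2> $data
+        sel=$?
+        case $sel in
+            1) exit 1;;
+            255) exit 1;;
+        esac
+        tlsport=$(cat $data | sed -n 1p)
+        if [ ${#tlsport} -gt 1 ]; then
+            if [[ "$tlsport" != *' '* && "$tlsport" != *'.'* ]]; then
+                VPN_TLS_PORT="$tlsport"
+                VPN_DETAILS_COMPLETE="yes"
+                write_config_param "VPN_TLS_PORT" "$VPN_TLS_PORT"
+            fi
+        fi
+    done
     APP_INSTALLED=1
 }
 
+function vpn_change_tls_port {
+    EXISTING_VPN_TLS_PORT=$VPN_TLS_PORT
+
+    data=$(tempfile 2>/dev/null)
+    trap "rm -f $data" 0 1 2 5 15
+    dialog --title $"VPN Configuration" \
+           --backtitle $"Freedombone Control Panel" \
+           --inputbox $'Change TLS port' 10 50 $VPN_TLS_PORT 2>$data
+    sel=$?
+    case $sel in
+        0)
+            tlsport=$(<$data)
+            if [ ${#tlsport} -gt 0 ]; then
+                if [[ "$tlsport" != "$EXISTING_VPN_TLS_PORT" ]]; then
+                    VPN_TLS_PORT=$tlsport
+                    write_config_param "VPN_TLS_PORT" "$VPN_TLS_PORT"
+                    sed -i "s|accept =.*|accept = $VPN_TLS_PORT|g" /etc/stunnel/stunnel.conf
+                    sed -i "s|accept =.*|accept = $VPN_TLS_PORT|g" /etc/stunnel/stunnel-client.conf
+
+                    for d in /home/*/ ; do
+                        USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
+                        if [ -f /home/$USERNAME/stunnel-client.conf ]; then
+                            cp /etc/stunnel/stunnel-client.conf /home/$USERNAME/stunnel-client.conf
+                            chown $USERNAME:$USERNAME /home/$USERNAME/stunnel-client.conf
+                        fi
+                    done
+
+                    if [ $VPN_TLS_PORT -eq 443 ]; then
+                        systemctl stop nginx
+                        systemctl disable nginx
+                    else
+                        systemctl enable nginx
+                        systemctl restart nginx
+                    fi
+
+                    systemctl restart stunnel
+
+                    dialog --title $"VPN Configuration" \
+                           --msgbox $"TLS port changed to $VPN_TLS_PORT" 6 60
+                fi
+            fi
+            ;;
+    esac
+}
+
+function configure_interactive_vpn {
+    read_config_param VPN_TLS_PORT
+    while true
+    do
+        data=$(tempfile 2>/dev/null)
+        trap "rm -f $data" 0 1 2 5 15
+        dialog --backtitle $"Freedombone Control Panel" \
+               --title $"VPN Configuration" \
+               --radiolist $"Choose an operation:" 12 70 2 \
+               1 $"Change TLS port (currently $VPN_TLS_PORT)" off \
+               2 $"Exit" on 2> $data
+        sel=$?
+        case $sel in
+            1) return;;
+            255) return;;
+        esac
+        case $(cat $data) in
+            1) vpn_change_tls_port;;
+            2) break;;
+        esac
+    done
+}
+
 function reconfigure_vpn {
     echo -n ''
 }
@@ -123,7 +229,12 @@
 
 function remove_vpn {
     systemctl stop openvpn
-    apt-get -yq remove --purge fastd openvpn easy-rsa stunnel4
+    if [ $VPN_TLS_PORT -ne 443 ]; then
+        firewall_remove VPN-TLS $VPN_TLS_PORT
+    fi
+
+    apt-get -yq remove --purge fastd openvpn easy-rsa
+    apt-get -yq remove stunnel4
     if [ -d /etc/openvpn ]; then
         rm -rf /etc/openvpn
     fi
@@ -140,9 +251,14 @@
         if [ -f /home/$USERNAME/$OPENVPN_KEY_FILENAME ]; then
             shred -zu /home/$USERNAME/$OPENVPN_KEY_FILENAME
         fi
+        rm /home/$USERNAME/stunnel*
     done
     userdel -f vpn
     groupdel -f vpn
+
+    if [ -d /etc/stunnel ]; then
+        rm -rf /etc/stunnel
+    fi
 }
 
 function create_user_vpn_key {
@@ -198,7 +314,7 @@
     fi
 
     cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf $user_vpn_cert_file
-    sed -i "s|remote .*|remote $DEFAULT_DOMAIN_NAME 1194|g" $user_vpn_cert_file
+    sed -i "s|remote .*|remote $DEFAULT_DOMAIN_NAME $STUNNEL_PORT|g" $user_vpn_cert_file
     sed -i 's|;user .*|user nobody|g' $user_vpn_cert_file
     sed -i 's|;group .*|group nobody|g' $user_vpn_cert_file
 
@@ -236,14 +352,111 @@
     new_user_password="$2"
 
     create_user_vpn_key $new_username
+    if [ -f /etc/stunnel/stunnel.pem ]; then
+        cp /etc/stunnel/stunnel.pem /home/$new_username/stunnel.pem
+        chown $new_username:$new_username /home/$new_username/stunnel.pem
+    fi
+    if [ -f /etc/stunnel/stunnel.p12 ]; then
+        cp /etc/stunnel/stunnel.p12 /home/$new_username/stunnel.p12
+        chown $new_username:$new_username /home/$new_username/stunnel.p12
+    fi
+    cp /etc/stunnel/stunnel-client.conf /home/$new_username/stunnel-client.conf
+    chown $new_username:$new_username /home/$new_username/stunnel-client.conf
 }
 
 function remove_user_vpn {
     new_username="$1"
 }
 
+function install_stunnel {
+    apt-get -yq install stunnel4
+
+    cd /etc/stunnel
+
+    openssl req -x509 -nodes -days 3650 -sha256 \
+            -subj "/O=$VPN_ORGANISATION/OU=$VPN_UNIT/C=$VPN_COUNTRY_CODE/ST=$VPN_AREA/L=$VPN_LOCATION/CN=$HOSTNAME" \
+            -newkey rsa:2048 -keyout key.pem \
+            -out cert.pem
+    if [ ! -f key.pem ]; then
+        echo $'stunnel key not created'
+        exit 793530
+    fi
+    if [ ! -f cert.pem ]; then
+        echo $'stunnel cert not created'
+        exit 204587
+    fi
+    chmod 400 key.pem
+    chmod 640 cert.pem
+
+    cat key.pem cert.pem >> stunnel.pem
+    chmod 640 stunnel.pem
+
+    openssl pkcs12 -export -out stunnel.p12 -inkey key.pem -in cert.pem -passout pass:
+    if [ ! -f stunnel.p12 ]; then
+        echo $'stunnel pkcs12 not created'
+        exit 639353
+    fi
+    chmod 640 stunnel.p12
+
+    echo 'chroot = /var/lib/stunnel4' > stunnel.conf
+    echo 'pid = /stunnel4.pid' >> stunnel.conf
+    echo 'setuid = stunnel4' >> stunnel.conf
+    echo 'setgid = stunnel4' >> stunnel.conf
+    echo 'socket = l:TCP_NODELAY=1' >> stunnel.conf
+    echo 'socket = r:TCP_NODELAY=1' >> stunnel.conf
+    echo 'cert = /etc/stunnel/stunnel.pem' >> stunnel.conf
+    echo '[openvpn]' >> stunnel.conf
+    echo "accept = $VPN_TLS_PORT" >> stunnel.conf
+    echo 'connect = localhost:1194' >> stunnel.conf
+    echo 'cert = /etc/stunnel/stunnel.pem' >> stunnel.conf
+
+    sed -i 's|ENABLED=.*|ENABLED=1|g' /etc/default/stunnel4
+
+    echo '[openvpn]' > stunnel-client.conf
+    echo 'client = yes' >> stunnel-client.conf
+    echo "accept = $STUNNEL_PORT" >> stunnel-client.conf
+    echo "connect = $DEFAULT_DOMAIN_NAME:$VPN_TLS_PORT" >> stunnel-client.conf
+    echo 'cert = /etc/stunnel/stunnel.pem' >> stunnel-client.conf
+
+    echo '[Unit]' > /etc/systemd/system/stunnel.service
+    echo 'Description=SSL tunnel for network daemons' >> /etc/systemd/system/stunnel.service
+    echo 'Documentation=man:stunnel https://www.stunnel.org/docs.html' >> /etc/systemd/system/stunnel.service
+    echo 'DefaultDependencies=no' >> /etc/systemd/system/stunnel.service
+    echo 'After=network.target' >> /etc/systemd/system/stunnel.service
+    echo 'After=syslog.target' >> /etc/systemd/system/stunnel.service
+    echo '' >> /etc/systemd/system/stunnel.service
+    echo '[Install]' >> /etc/systemd/system/stunnel.service
+    echo 'WantedBy=multi-user.target' >> /etc/systemd/system/stunnel.service
+    echo 'Alias=stunnel.target' >> /etc/systemd/system/stunnel.service
+    echo '' >> /etc/systemd/system/stunnel.service
+    echo '[Service]' >> /etc/systemd/system/stunnel.service
+    echo 'Type=forking' >> /etc/systemd/system/stunnel.service
+    echo 'RuntimeDirectory=stunnel' >> /etc/systemd/system/stunnel.service
+    echo 'EnvironmentFile=-/etc/stunnel/stunnel.conf' >> /etc/systemd/system/stunnel.service
+    echo 'ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf' >> /etc/systemd/system/stunnel.service
+    echo 'ExecStop=/usr/bin/killall -9 stunnel' >> /etc/systemd/system/stunnel.service
+    echo 'RemainAfterExit=yes' >> /etc/systemd/system/stunnel.service
+
+    if [ $VPN_TLS_PORT -eq 443 ]; then
+        systemctl stop nginx
+        systemctl disable nginx
+    else
+        systemctl enable nginx
+        systemctl restart nginx
+    fi
+
+    systemctl enable stunnel
+    systemctl daemon-reload
+    systemctl start stunnel
+
+    cp /etc/stunnel/stunnel.pem /home/$MY_USERNAME/stunnel.pem
+    cp /etc/stunnel/stunnel.p12 /home/$MY_USERNAME/stunnel.p12
+    cp /etc/stunnel/stunnel-client.conf /home/$MY_USERNAME/stunnel-client.conf
+    chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/stunnel*
+}
+
 function install_vpn {
-    apt-get -yq install fastd openvpn easy-rsa stunnel4
+    apt-get -yq install fastd openvpn easy-rsa
 
     if [ ! -f /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz ]; then
         echo $'Example openvpn server config not found'
@@ -337,7 +550,14 @@
     create_user_vpn_key $MY_USERNAME
 
     firewall_enable_vpn
+
+    if [ $VPN_TLS_PORT -ne 443 ]; then
+        firewall_add VPN-TLS $VPN_TLS_PORT tcp
+    fi
+
     systemctl start openvpn
 
+    install_stunnel
+
     APP_INSTALLED=1
 }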
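Review bot: `install_stunnel` hands the server's TLS private key to every VPN user: `stunnel.pem` is `key.pem` concatenated with `cert.pem`, `stunnel.p12` is exported with an empty password (`-passout pass:`), and both are copied into `/home/$MY_USERNAME/` at the end of the function (and into each new user's home by the `add_user_vpn` hunk at new lines 355-362), so the `chmod 400 key.pem` is moot and any VPN account holder can impersonate the server's TLS endpoint. Clients only need the public certificate to authenticate the server, and the generated `stunnel-client.conf` currently performs no peer verification at all (no `verify`/`CAfile`, only a `cert =` line the server never requests since its section sets no `verify`), so the wrapper adds obfuscation but no server authentication of its own; ship `cert.pem` alone and pin it from the client config as below, changing the `add_user_vpn` copies the same way (`verify = 2` against a self-signed `CAfile` is what I would expect stunnel to accept, `verify = 3` to require an exact match — confirm against the installed stunnel version). Separately, `vpn_change_tls_port` rewrites `accept =` in `stunnel-client.conf`, which is the client's local listener (`$STUNNEL_PORT`, the port `client.ovpn` is pointed at), rather than the `connect = $DEFAULT_DOMAIN_NAME:$VPN_TLS_PORT` line that carries the server port, and it neither checks that the new value is numeric before `[ $VPN_TLS_PORT -eq 443 ]` nor moves the `VPN-TLS` firewall rule added in `install_vpn` to the new port. `ExecStop=/usr/bin/killall -9 stunnel` should be dropped so systemd sends SIGTERM first rather than SIGKILL as the only stop signal.
```shell
    # … unchanged: key/cert generation, stunnel.pem/.p12 creation, server stunnel.conf …

    # Clients only need the public certificate to authenticate the server; never
    # ship key.pem, stunnel.pem or the passwordless stunnel.p12 into user home dirs.
    echo '[openvpn]' > stunnel-client.conf
    echo 'client = yes' >> stunnel-client.conf
    echo "accept = $STUNNEL_PORT" >> stunnel-client.conf
    echo "connect = $DEFAULT_DOMAIN_NAME:$VPN_TLS_PORT" >> stunnel-client.conf
    echo 'verify = 2' >> stunnel-client.conf
    echo 'CAfile = /etc/stunnel/stunnel-ca.pem' >> stunnel-client.conf

    # … unchanged: systemd unit, nginx/443 handling, enable+start stunnel …

    cp /etc/stunnel/cert.pem /home/$MY_USERNAME/stunnel-ca.pem
    cp /etc/stunnel/stunnel-client.conf /home/$MY_USERNAME/stunnel-client.conf
    chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/stunnel*
```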