Provide the correct client configuration based on whether the server is
using RSA or ECC.
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Debian Buster has easyrsa 3. Since we're nearing Bullseye now, it is
safe to asssume that most users are already using easyrsa 3.
The code to do the upgrade is 2 years old already. Removing it.
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
This enables clients to connect to servers on IPv6 networks. After the
connection, the tunnel works just like before.
- Make sure that after upgrading the server configuration, if the server is
running (which means it was enabled), restart the server to reflect the new
configuration.
- Don't increment the app version number as it has already been incremented in
this release cycle.
Tests:
- Check that the listen address before the change is 0.0.0.0:1194 and after
upgrade (temporarily increment app version number again) the listen address
automatically changes to *:1194.
- Download the new client profile and use it connect to the server on IPv4
network and observe that there is error during connection.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Instead of using a wildcard tun+ interface, use a fixed number of tun
interfaces and hope OpenVPN will use one of them.
Fixes: #1438.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Set permissions properly as if they are created newly.
- Ensure that configuration file is rewritten so that new certificate paths are
used.
- Run easyrsa init-pki to ensure that configuration file is present.
- Create necessary empty directories as per new structure.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Change file and directory structure from easy-rsa 2's flat format to easy-rsa
3's format.
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
This takes care of the case where a user has tried the "setup" step and
failed. The new configuration will overwrite the old one.
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Earlier only openvpn@.service file was available. Currently, Debian is using
openvpn-server@.service and openvpn-client@.service. Start using this and
upgrade our current users to this approach. This fixes the problem with
incorrect enabling/disabling of OpenVPN app in Plinth.
Tested primarily three cases:
- Install version 2 of the app directly. Make sure daemon runs,
enabling/disabling the app works.
- Install version 1 of the app. Disable it. Upgrade to version 2 make sure
everything is upgraded but disabled. Enabling make the app work properly.
- Install version 1 of the app. Enable it. Upgrade to version 2 make sure
everything is upgraded, app is enabled and running.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Set unique_subject attribute to no in index.txt.attr file. This
allows regenerating a certificate for a user.
Signed-off-by: Hemanth Kumar Veeranki <hemanthveeranki@gmail.com>
The Service object now offers handling services on a system level,
and gathering information whether it's enabled or running.
New methods: enable, disable, is_enabled, is_running;
For this it needs the correct (system-level) service name.
All of the methods can be overridden/customized.
This changes all modules to the new Service object and deletes
action scripts that are not required anymore.
- Authentication using client certificates. Extra password based
authentication for later.
- Auto setup of CA, server and client certificates.
- Provides a .ovpn profile for each user for easy setup.
- Use 4096 bit Diffie-Hellman parameters for better security. If this
takes to much time, reduce it to 2048 or 1024, at least during
debugging.
