From 686badc86db067131f2d2c9f1c371560788f324f Mon Sep 17 00:00:00 2001
From: Antanas Masevicius
Date: Tue, 20 Feb 2018 13:34:01 +0200
Subject: [PATCH 1/2] limit openvpn client reconnects
---
 bin/server_package/config/ca.crt | 19 -------
 bin/server_package/config/crl.pem | 10 ----
 bin/server_package/config/dh.pem | 8 ---
 bin/server_package/config/server.crt | 83 ----------------------
 bin/server_package/config/server.key | 28 ----------
 bin/server_package/config/ta.key | 21 -------
 location/detector_test.go | 1 +
 openvpn/config.go | 7 +++
 openvpn/factory.go | 1 +
 9 files changed, 9 insertions(+), 169 deletions(-)
 delete mode 100644 bin/server_package/config/ca.crt
 delete mode 100644 bin/server_package/config/crl.pem
 delete mode 100644 bin/server_package/config/dh.pem
 delete mode 100644 bin/server_package/config/server.crt
 delete mode 100644 bin/server_package/config/server.key
 delete mode 100644 bin/server_package/config/ta.key
diff --git a/bin/server_package/config/ca.crt b/bin/server_package/config/ca.crt
deleted file mode 100644
index dd3b4b753..000000000
--- a/bin/server_package/config/ca.crt
+++ /dev/null
@@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDKzCCAhOgAwIBAgIJAPC+VNKRhJ84MA0GCSqGSIb3DQEBCwUAMBMxETAPBgNV -BAMTCENoYW5nZU1lMB4XDTE3MDIwMjEwMjA1M1oXDTI3MDEzMTEwMjA1M1owEzER -MA8GA1UEAxMIQ2hhbmdlTWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB -AQDHI/U0wgV6jktmD3LyswqLghsPexFex1bQGLCYtqRr+eplOF3ABHwJyDu5t8MB -+ufS8KXIVxBkysUXrh+fj2zT6FGoiWf2TTNOj9udJHMVPRxcJp/JcZJ4AbFjTinS -qWOclVoex8k2xjM7OvKGRaGkpU1kKYX/d9BMdLY4avAI5vwSt6Upfdn69J7gG1Gz -1/BG6kP3RGMPLXSVDiwyJb7sQAvgTUA+NaVtY4CcNo/dypA74IIdkGV7I2jRRkxY -6q3hZX9kW5nSIRMWhZz+wX298oGZES0c7l3/48dsU1XoSbAzPcF6bSeMtBazzS2t -kNw78dxMeNmnDlvgzZP2kpXxAgMBAAGjgYEwfzAdBgNVHQ4EFgQUuflKoDm/WQoD -zE6K/fMkNq0H43EwQwYDVR0jBDwwOoAUuflKoDm/WQoDzE6K/fMkNq0H43GhF6QV -MBMxETAPBgNVBAMTCENoYW5nZU1lggkA8L5U0pGEnzgwDAYDVR0TBAUwAwEB/zAL -BgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAMDLpxeq8p/0q9tyToxBWOQs -r1OYa18BsKaRbcGs1v1cvdqIV3i0bnz/Lq+226OJhujlKjWF3oWZudiSGzAQgWMp -MiLSi/iW+rykgCzEJvaFBiJaK5R+sE6ACkVQ8QmcV+SqbgNhm5g5b00YNkHJ1Kbx -j2iy1S1HTPVz1s46qILbO27PaLEPLTErE72GOvaxhRUSyVdRGHvhjEzwZizNBTSi -kx9gXnzq8HMXxetyPGaQnwMNifIQh3UYyFtvpkwI/g9MmX9CeSUml/HlCLQU12qH -UGNg8js5gyxFF62geJHXgRVeQQ5twogBbVHkE3jqTYedsAPCM3ZY9zYQrRNzqDM= ------END CERTIFICATE----- \ No newline at end of file diff --git a/bin/server_package/config/crl.pem b/bin/server_package/config/crl.pem deleted file mode 100644 index b5acb694e..000000000 --- a/bin/server_package/config/crl.pem +++ /dev/null @@ -1,10 +0,0 @@ ------BEGIN X509 CRL----- -MIIBbDBWAgEBMA0GCSqGSIb3DQEBBQUAMBMxETAPBgNVBAMTCENoYW5nZU1lFw0x -NzEyMTkxMTIxMzZaFw0xODAxMTgxMTIxMzZaoA8wDTALBgNVHRQEBAICEAAwDQYJ -KoZIhvcNAQEFBQADggEBAAISTQo4va6l95eZ5zGIpTR79yfpfqJURpJHDdbYMpXZ -e1xga87gA+a9tu3/BXKTytRgUXJTxc6PeAYSbkVVv50WcjRbWAqhqsdAN2oYsD2V -A/TQNvH+kP+RkXfFWd3bwthhHvJfiro/sV4EqjJaFie1I6UY5G/IB7+pVDfTPFs9 -cJn38VucHI33m4KUc+n8powfbvqGYzaX+UCulGZu8B18tUy2bM5ThXmfokuLlexM -GI8JsmsNAI++HM/XTwyWAH2pmxx5J2I4HEoLfeSnJ+r2HLc8QEVGRtBozensjrdf -perC89H6IfHD3h2ZwQqthooA0DEN2sf43zV1hreSyE4= ------END X509 CRL----- 
diff --git a/bin/server_package/config/dh.pem b/bin/server_package/config/dh.pem deleted file mode 100644 index 33903a26c..000000000 --- a/bin/server_package/config/dh.pem +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN DH PARAMETERS----- -MIIBCAKCAQEAyKLHs6DCAA6+h1nIfuyz59Ahd2ti35/DZqhYshLBnrtrmKc9EcgU -JuDWVXSf5wHWg/j/TJkfctPLsP73UyeWsmMQ6m5wZm+NRRkbbA5I3LgN7fm1mtMD -T3US5zGhdROQqN24u9QTAXGdUcjpEYOlhlOEqKj7PH/umZaL4lSJ9PIpGcAYA4nB -dSKQB520UAMHBgv8ZhGmkl2VzvhnzcwuW6lqwl69tglLnoLPzyBg448GHlMsxU7m -+tx0+aJ1cXJ/F5hwyCybRoie3raUkvBWCywn4CxXbNHrT+guRGO2WMi7/YKG9teN -5em49uc6EM5Z6Rpm/PeNWdt/oH5DX9qhOwIBAg== ------END DH PARAMETERS----- \ No newline at end of file diff --git a/bin/server_package/config/server.crt b/bin/server_package/config/server.crt deleted file mode 100644 index b4b69a99f..000000000 --- a/bin/server_package/config/server.crt +++ /dev/null 
@@ -1,83 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 1 (0x1) - Signature Algorithm: sha256WithRSAEncryption - Issuer: CN=ChangeMe - Validity - Not Before: Feb 2 10:21:39 2017 GMT - Not After : Jan 31 10:21:39 2027 GMT - Subject: CN=server - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) - Modulus: - 00:be:f1:a9:f3:18:36:2a:27:4b:9d:ee:56:b1:0a: - 8f:fa:ee:25:12:fd:f2:98:f1:b9:b3:c1:5b:8f:18: - 28:e5:b1:c7:01:22:3e:86:c6:37:6a:ac:1c:82:c5: - bc:61:28:08:b3:53:93:9d:20:97:35:8b:0e:c2:30: - 39:5b:3b:75:03:82:3f:ef:ea:0d:8b:1b:70:fe:fb: - 41:5c:ab:cc:cc:a9:bc:70:ec:87:9b:4f:be:6e:99: - c3:c0:25:4e:cd:e0:48:a4:a3:51:bc:1b:fb:e3:2a: - 28:ac:f2:62:9b:1a:2d:a4:b4:17:16:bb:9d:35:d1: - 3e:a7:0b:03:3b:a0:40:ca:a3:66:84:e5:78:5c:62: - 36:75:f7:1d:1b:ad:24:d0:c3:b9:e6:78:25:d6:99: - 05:57:0c:04:7e:fd:45:88:e2:1d:ee:8b:24:de:ce: - e3:11:14:9c:ea:70:2b:ab:44:d8:15:d1:a7:ac:15: - 8b:d8:85:bf:00:e2:76:58:e3:fc:72:56:7b:ce:76: - bb:85:f9:88:4b:d2:b2:0e:7d:e1:e9:78:c0:3d:f7: - 1f:ca:ae:48:86:ef:95:96:61:04:f2:7d:21:bf:2b: - 62:31:9e:fe:88:c9:68:41:b3:70:78:ad:5e:05:b5: - fd:ec:61:75:6f:57:42:e9:17:54:d3:c0:19:c2:60: - e0:bb - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - X509v3 Subject Key Identifier: - 40:89:FC:FB:64:F7:28:35:47:11:32:15:06:A8:B0:75:F1:EB:CB:FF - X509v3 Authority Key Identifier: - keyid:B9:F9:4A:A0:39:BF:59:0A:03:CC:4E:8A:FD:F3:24:36:AD:07:E3:71 - DirName:/CN=ChangeMe - serial:F0:BE:54:D2:91:84:9F:38 - - X509v3 Extended Key Usage: - TLS Web Server Authentication - X509v3 Key Usage: - Digital Signature, Key Encipherment - Signature Algorithm: sha256WithRSAEncryption - 09:36:54:75:9c:62:d9:c9:77:bb:5a:da:55:45:6b:9d:38:d2: - 0b:86:9a:9f:4d:50:34:79:0c:5c:eb:cb:fc:54:f3:5a:f7:85: - 38:c9:59:d3:40:7d:73:ce:87:61:c6:d9:9a:14:24:5c:55:51: - 55:c6:32:6c:b1:66:d0:a3:6b:11:d7:1a:d8:1c:89:07:23:53: - 20:d1:3e:05:16:91:f2:80:b1:a1:57:14:1d:e8:b8:44:bb:46: - 
23:6d:1c:b6:8d:ae:5a:98:53:c4:08:4c:3c:cc:2d:12:a9:93: - 21:c1:9f:97:dd:cb:8a:69:1a:13:75:a5:f4:8f:40:45:ce:f0: - 05:ff:3d:c6:e7:48:8e:fe:db:28:a9:46:f6:62:ed:d7:37:82: - 3b:8f:48:4b:4e:f0:71:ae:df:05:72:5a:ad:92:d1:71:a4:ab: - f7:c6:ef:bc:81:10:02:62:dd:ec:96:7b:61:13:7c:24:3a:57: - 8d:bd:c0:75:08:b2:1f:ad:14:e9:c0:0e:db:3f:14:d7:be:f5: - 88:cf:04:f0:f6:82:d0:8d:5c:79:21:f6:fe:be:24:ad:06:37: - ed:4c:31:38:6a:96:1c:4c:1d:fa:12:bd:7a:0a:a9:c3:4c:6c: - 53:0e:cc:7a:6c:0c:d3:1b:93:a6:7a:c3:f0:ee:f9:1c:dd:64: - 87:49:83:2e ------BEGIN CERTIFICATE----- -MIIDNDCCAhygAwIBAgIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhDaGFu -Z2VNZTAeFw0xNzAyMDIxMDIxMzlaFw0yNzAxMzExMDIxMzlaMBExDzANBgNVBAMT -BnNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL7xqfMYNion -S53uVrEKj/ruJRL98pjxubPBW48YKOWxxwEiPobGN2qsHILFvGEoCLNTk50glzWL -DsIwOVs7dQOCP+/qDYsbcP77QVyrzMypvHDsh5tPvm6Zw8AlTs3gSKSjUbwb++Mq -KKzyYpsaLaS0Fxa7nTXRPqcLAzugQMqjZoTleFxiNnX3HRutJNDDueZ4JdaZBVcM -BH79RYjiHe6LJN7O4xEUnOpwK6tE2BXRp6wVi9iFvwDidljj/HJWe852u4X5iEvS -sg594el4wD33H8quSIbvlZZhBPJ9Ib8rYjGe/ojJaEGzcHitXgW1/exhdW9XQukX -VNPAGcJg4LsCAwEAAaOBlDCBkTAJBgNVHRMEAjAAMB0GA1UdDgQWBBRAifz7ZPco -NUcRMhUGqLB18evL/zBDBgNVHSMEPDA6gBS5+UqgOb9ZCgPMTor98yQ2rQfjcaEX -pBUwEzERMA8GA1UEAxMIQ2hhbmdlTWWCCQDwvlTSkYSfODATBgNVHSUEDDAKBggr -BgEFBQcDATALBgNVHQ8EBAMCBaAwDQYJKoZIhvcNAQELBQADggEBAAk2VHWcYtnJ -d7ta2lVFa5040guGmp9NUDR5DFzry/xU81r3hTjJWdNAfXPOh2HG2ZoUJFxVUVXG -MmyxZtCjaxHXGtgciQcjUyDRPgUWkfKAsaFXFB3ouES7RiNtHLaNrlqYU8QITDzM -LRKpkyHBn5fdy4ppGhN1pfSPQEXO8AX/PcbnSI7+2yipRvZi7dc3gjuPSEtO8HGu -3wVyWq2S0XGkq/fG77yBEAJi3eyWe2ETfCQ6V429wHUIsh+tFOnADts/FNe+9YjP -BPD2gtCNXHkh9v6+JK0GN+1MMThqlhxMHfoSvXoKqcNMbFMOzHpsDNMbk6Z6w/Du -+RzdZIdJgy4= ------END CERTIFICATE----- \ No newline at end of file diff --git a/bin/server_package/config/server.key b/bin/server_package/config/server.key deleted file mode 100644 index b0ff6d5ad..000000000 --- a/bin/server_package/config/server.key +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC+8anzGDYqJ0ud -7laxCo/67iUS/fKY8bmzwVuPGCjlsccBIj6GxjdqrByCxbxhKAizU5OdIJc1iw7C -MDlbO3UDgj/v6g2LG3D++0Fcq8zMqbxw7IebT75umcPAJU7N4Eiko1G8G/vjKiis -8mKbGi2ktBcWu5010T6nCwM7oEDKo2aE5XhcYjZ19x0brSTQw7nmeCXWmQVXDAR+ -/UWI4h3uiyTezuMRFJzqcCurRNgV0aesFYvYhb8A4nZY4/xyVnvOdruF+YhL0rIO -feHpeMA99x/KrkiG75WWYQTyfSG/K2Ixnv6IyWhBs3B4rV4Ftf3sYXVvV0LpF1TT -wBnCYOC7AgMBAAECggEBALs3tEz4VlNqiAfn4vRfyOBek9dVS4KOsGgBlEZvh9n/ -P4JrEyeOPlPHQYUvYA9a83zw23FavSfwmp3oLrS3TXoNQad4s6LLWzWHIYU9peae -HngSUrwDqlJDTd2eNvBBkrhqsf9g6M7JTWyVk/1D47D0KxdNCU31Rhr+/0J9VEnZ -zpfDkYwXpLiPBj66Ag2BEIgceuiSMiYjyeb6vmFm1bQJ1uB8tKVJGMv3/CkZnqlt -HZEYGGLRm22DSASvZl0YbLZgGAOSlI7QuslhWWTvri3MJWI+/BGq84s2dKis/ceP -4FCLVVyOMHRNxGKqXwUBMbirJzkcTBc9uQ2D07APsaECgYEA6tX5zqEbabAHFirO -PhP6FsAHDACklmbRw43aLOFZa31IOqAos5n72Vbl+7+rKmZQjoywfa6oUfdGUNyl -+gp63sGKKmc88BAHvynAINwebxXln9SYH3nhaFPD/0UiNy6ZNZSBGQHFcW7IfAve -oomhMvIbNZsX7+ZOVsF7hX93jYMCgYEA0CcJI5Ha0uxwfXK67mN4or02xaCEj7ub -oQP8jN2JES9cYnqNp+A3znbUEqRaNxp5VV3vnGDqQNPIuoREqIzJLTPBnlL82N0K -pUco8WJZkEe3Kc2Tjr4Q00Uz80RQ5A+MafsNMDX1xPNzI5fY1j5KGmLVWlZRIro0 -2jwgq8yG8mkCgYA2/9ha2YanERAH1Ayro1gePekomXnys7ALIczoV/ruXtAs0tfV -gInolB6XAIPhEUdqq26mcOKBF+3DAHpq/ktaom9ukPFHtClsTyXtTEBgeftmnI7o -SE5PddbgkVt7GxHM57P4nF6Wu4B+9PS2ko9LdEKFIobPq9vLG9OHJ5xjawKBgQCG -QddcMPSCfWylDX5SyqgB16dfWwSFrM1Z0rdvqGiDRBgDkOaTdESqj+yDxaxGxHWk -QT2OkNgnTjK3Ux7x1DTiSfLFiuN5gUEfj8FxyCzaqdcTSHy3YhJ6IrW6X8MJBppb -tUkxYmyORzRprcR3k5+6Wysf5HLawl3asVOlW/timQKBgD12TvBJhtTLoR237j4L -RF8m4rwSvShqvt033gMpc5LYzXJxTOrffD2HDccxl6x3G5W+1z0KEvaFbFX/fLP3 -UgHCa5wIdTMjuBcmo9FdOI9NKIuGMi67Wa9oDMa2Zq4QMt+HF3Wd5g/O1+kX/hJf -ZRt0G7bts2U67jL0dOkHHA/9 ------END PRIVATE KEY----- \ No newline at end of file diff --git a/bin/server_package/config/ta.key b/bin/server_package/config/ta.key deleted file mode 100644 index e22e91c58..000000000 --- a/bin/server_package/config/ta.key +++ /dev/null 
@@ -1,21 +0,0 @@
-#
-# 2048 bit OpenVPN static key
-#
------BEGIN OpenVPN Static key V1-----
-2aea2e594a11b2ef4066fd4f3ccef881
-4f581a5a8211a942bbea585bd15a45e6
-626e04cd9f11e2e321d9b35b14544b00
-47c59ef4de24dece3b201d7978c4b691
-b623fc067029dbf1a2c4762946973696
-58b69e4a9253ffa3b9764bbc5e529af5
-6366b82ead478dbf3cfd1536a484a19b
-55bb731fabff03ed560c67539828a3b8
-0dc5f6ca76d39eab10fbaa9cb513107d
-e383d56d10a61ced12d4d47318c5c0fc
-0ec7647063995e6e44781ea72f3555ed
-df0633b265985e8cf967d9a9ac04621f
-c2adfc59b6a18ac29a98767c06165411
-eba37a414c9ea7390f9b7a2cdb275659
-8ecb46ae5f5cf986b9c70391b9445356
-476d137320142f451d722fd8f18cdcaa
------END OpenVPN Static key V1-----
\ No newline at end of file
diff --git a/location/detector_test.go b/location/detector_test.go
index 738e2d9ab..aee427091 100644
--- a/location/detector_test.go
+++ b/location/detector_test.go
@@ -16,6 +16,7 @@ func TestDetectorDetectCountry(t *testing.T) {
 {"95.85.39.36", "NL", ""},
 {"127.0.0.1", "", ""},
 {"8.8.8.8.8", "", "failed to parse IP"},
+ {"185.243.112.225", "", ""},
 {"asd", "", "failed to parse IP"},
 }
 
diff --git a/openvpn/config.go b/openvpn/config.go
index 19199154c..e0c8aca93 100644
--- a/openvpn/config.go
+++ b/openvpn/config.go
@@ -60,6 +60,13 @@ func (c *Config) SetTLSCrypt(cryptFile string) {
 c.AddOptions(OptionFile("tls-crypt", cryptFile))
 }
 
+func (c *Config) SetReconnectLimits() {
+ c.setParam("connect-retry-max", "2")
+ c.setParam("remap-usr1", "SIGTERM")
+ c.setFlag("single-session")
+ c.setFlag("tls-exit")
+}
+
 func (c *Config) SetKeepAlive(interval, timeout int) {
 c.setParam("keepalive", strconv.Itoa(interval)+" "+strconv.Itoa(timeout))
 }
diff --git a/openvpn/factory.go b/openvpn/factory.go
index afc24102c..fa9856ebd 100644
--- a/openvpn/factory.go
+++ b/openvpn/factory.go
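Review bot: The added row `{"185.243.112.225", "", ""}` asserts that a routable public address yields no country and no error, which (unlike the two "failed to parse IP" rows) depends on whatever location data the detector consults rather than on input validation, so the expectation can silently flip when that data is refreshed. A short comment on the row saying why it is expected to be unresolved, e.g. `// public address absent from the location data used by the detector — recheck after a data update`, would make the intent verifiable. The row is also unrelated to the reconnect change named in the commit subject and would be easier to bisect in its own commit. TestDetectorDetectCountry starts and ends outside the hunk, so the column meaning (ip, country, error) is inferred from the neighbouring rows.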
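Review bot: SetReconnectLimits emits four OpenVPN directives with no explanation, and the retry count is a bare `"2"` where the sibling SetKeepAlive directly below takes its values as parameters and formats them with strconv.Itoa. A one-line why-comment per directive would let a reader check the bundle: `connect-retry-max` bounds how many times each remote is tried before the client gives up, `remap-usr1 SIGTERM` turns the restart signal into a clean exit, `single-session` refuses a new session once the first one ends, and `tls-exit` makes a failed TLS negotiation fatal instead of a reconnect trigger. Because `tls-exit` also fires on transient handshake failures, two attempts per remote is an availability trade-off worth recording next to the constant; if it is meant to be tunable, a `maxAttempts int` parameter in the style of SetKeepAlive would be the consistent shape. Nothing in this series asserts the options the method adds, so a test comparing the generated config against the four expected lines would pin the behaviour.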
@@ -40,6 +40,7 @@ func NewClientConfig(
 config.SetClientMode(remote, 1194)
 config.SetTLSCACertificate(caCertPath)
 config.SetTLSCrypt(tlsCryptKeyPath)
+ config.SetReconnectLimits()
 config.SetDevice("tun")
 config.setParam("cipher", "AES-256-GCM")
 
From 0039575c7dd69b4c3a8c2bb9420d0ef1402cda0d Mon Sep 17 00:00:00 2001
From: Antanas Masevicius
Date: Wed, 21 Feb 2018 10:41:00 +0200
Subject: [PATCH 2/2] renamed SetReconnectLimits to RestrictReconnects
---
 openvpn/config.go | 3 ++-
 openvpn/factory.go | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/openvpn/config.go b/openvpn/config.go
index e0c8aca93..f8b06884a 100644
--- a/openvpn/config.go
+++ b/openvpn/config.go
@@ -60,7 +60,8 @@ func (c *Config) SetTLSCrypt(cryptFile string) {
 c.AddOptions(OptionFile("tls-crypt", cryptFile))
 }
 
-func (c *Config) SetReconnectLimits() {
+// RestrictReconnects describes conditions which enforces client to close a session in case of failed authentication
+func (c *Config) RestrictReconnects() {
 c.setParam("connect-retry-max", "2")
 c.setParam("remap-usr1", "SIGTERM")
 c.setFlag("single-session")
diff --git a/openvpn/factory.go b/openvpn/factory.go
index fa9856ebd..053b2bae2 100644
--- a/openvpn/factory.go
+++ b/openvpn/factory.go
@@ -40,7 +40,7 @@ func NewClientConfig(
 config.SetClientMode(remote, 1194)
 config.SetTLSCACertificate(caCertPath)
 config.SetTLSCrypt(tlsCryptKeyPath)
- config.SetReconnectLimits()
+ config.RestrictReconnects()
 config.SetDevice("tun")
 config.setParam("cipher", "AES-256-GCM")
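Review bot: The new doc comment on RestrictReconnects is ungrammatical ("describes conditions which enforces client") and narrower than what the method configures: `tls-exit` ends the client on any TLS negotiation failure, not only a failed authentication, and `single-session` together with `remap-usr1 SIGTERM` makes the client exit rather than reconnect once the first session ends for whatever reason, while `connect-retry-max 2` caps the attempts per remote. Suggested wording: `// RestrictReconnects configures the client to exit instead of reconnecting: each remote is tried a bounded number of times, a TLS negotiation failure is fatal, and once the first session ends no new one is started.` The tail of the method body (the `tls-exit` flag and the closing brace) is outside this hunk.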