diff --git a/.github/workflows/misspell.yml b/.github/workflows/misspell.yml index 5c9f5751..140cf622 100644 --- a/.github/workflows/misspell.yml +++ b/.github/workflows/misspell.yml @@ -1,34 +1,16 @@ name: Misspells on: - push: - branches: - - master pull_request: - branches: - - master + branches: [master] + push: + branches: [master] jobs: misspell: runs-on: ubuntu-latest steps: - - name: Checkout on push - if: github.event_name == 'push' - uses: actions/checkout@v2 - - name: Checkout on pull_request - if: github.event_name == 'pull_request' - uses: actions/checkout@v2 - with: - ref: ${{ github.event.pull_request.head.sha }} - - name: reviewdog fixer - uses: reviewdog/action-misspell@v1 + - uses: actions/checkout@v2 + - uses: reviewdog/action-misspell@v1 with: github_token: ${{ secrets.GITHUB_TOKEN }} locale: "US" - - name: sobolevn fixer - uses: sobolevn/misspell-fixer-action@master - - uses: peter-evans/create-pull-request@v2.4.4 - with: - token: ${{ secrets.GITHUB_TOKEN }} - commit-message: 'Typos fixes' - title: "Typos fixes" - branch: typos - branch-suffix: timestamp + level: error diff --git a/Dockerfile b/Dockerfile index 6bab3033..be4a0c15 100644 --- a/Dockerfile +++ b/Dockerfile @@ -40,6 +40,8 @@ ENV VPNSP=pia \ PASSWORD= \ REGION="CA Montreal" \ PIA_ENCRYPTION=strong \ + OPENVPN_CIPHER= \ + OPENVPN_AUTH= \ PORT_FORWARDING=off \ PORT_FORWARDING_STATUS_FILE="/forwarded_port" \ # Mullvad only diff --git a/README.md b/README.md index af50567a..1a1cdb6d 100644 --- a/README.md +++ b/README.md 
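Review bot: Both remaining steps in `.github/workflows/misspell.yml` reference actions by mutable tag (`actions/checkout@v2`, `reviewdog/action-misspell@v1`), and the second one is handed `secrets.GITHUB_TOKEN`. A tag can be moved by the action's owner, so pinning each `uses:` to a full commit SHA, for example `uses: reviewdog/action-misspell@<full-commit-sha> # v1`, fixes the code that receives the token. The workflow also declares no `permissions:` block, so the token keeps the repository's default scope. Confirming which scopes reviewdog needs and declaring only those would narrow it.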
@@ -163,6 +163,7 @@ docker run --rm --network=container:pia alpine:3.11 wget -qO- https://ipinfo.io | `OPENVPN_ROOT` | `no` | Run OpenVPN as root, `yes` or `no` | | `OPENVPN_TARGET_IP` | | Specify a target VPN server IP address to use, valid for Mullvad and Private Internet Access | | `OPENVPN_CIPHER` | | Specify a custom cipher to use, use at your own risk. It will also set `ncp-disable` if using AES GCM for PIA | +| `OPENVPN_AUTH` | | Specify a custom auth algorithm to use (i.e. `sha256`) *for pia only* | ## Connect to it diff --git a/cmd/main.go b/cmd/main.go index e4eeb0f2..d8bcc504 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -132,7 +132,7 @@ func main() { case "pia": connections, err = piaConf.GetOpenVPNConnections(allSettings.PIA.Region, allSettings.OpenVPN.NetworkProtocol, allSettings.PIA.Encryption, allSettings.OpenVPN.TargetIP) e.FatalOnError(err) - err = piaConf.BuildConf(connections, allSettings.PIA.Encryption, allSettings.OpenVPN.Verbosity, uid, gid, allSettings.OpenVPN.Root, allSettings.OpenVPN.Cipher) + err = piaConf.BuildConf(connections, allSettings.PIA.Encryption, allSettings.OpenVPN.Verbosity, uid, gid, allSettings.OpenVPN.Root, allSettings.OpenVPN.Cipher, allSettings.OpenVPN.Auth) e.FatalOnError(err) case "mullvad": connections, err = mullvadConf.GetOpenVPNConnections(allSettings.Mullvad.Country, allSettings.Mullvad.City, allSettings.Mullvad.ISP, allSettings.OpenVPN.NetworkProtocol, allSettings.Mullvad.Port, allSettings.OpenVPN.TargetIP) diff --git a/docker-compose.yml b/docker-compose.yml index 3f5c8fcd..fa89efdd 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -27,6 +27,8 @@ services: - PASSWORD=8fd9s239G - PIA_ENCRYPTION=strong - PORT_FORWARDING=off + - OPENVPN_CIPHER= + - OPENVPN_AUTH= # Mullvad only - COUNTRY=Sweden diff --git a/internal/params/openvpn.go b/internal/params/openvpn.go index 4b26a451..b72b11c1 100644 --- a/internal/params/openvpn.go +++ b/internal/params/openvpn.go 
@@ -71,3 +71,10 @@ func (p *paramsReader) GetOpenVPNCipher() (cipher string, err error) { cipher, err = p.envParams.GetEnv("OPENVPN_CIPHER") return strings.ToLower(cipher), err } + +// GetOpenVPNAuth obtains a custom auth algorithm to use with OpenVPN +// from the environment variable OPENVPN_AUTH +func (p *paramsReader) GetOpenVPNAuth() (auth string, err error) { + auth, err = p.envParams.GetEnv("OPENVPN_AUTH") + return strings.ToLower(auth), err +} diff --git a/internal/params/params.go b/internal/params/params.go index 472833c2..350e3859 100644 --- a/internal/params/params.go +++ b/internal/params/params.go @@ -39,6 +39,7 @@ type ParamsReader interface { GetOpenVPNRoot() (root bool, err error) GetTargetIP() (ip net.IP, err error) GetOpenVPNCipher() (cipher string, err error) + GetOpenVPNAuth() (auth string, err error) // PIA getters GetPortForwarding() (activated bool, err error) diff --git a/internal/pia/conf.go b/internal/pia/conf.go index 099fdec9..9907b3d0 100644 --- a/internal/pia/conf.go +++ b/internal/pia/conf.go 
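Review bot: The doc comment on `GetOpenVPNAuth` in internal/params/openvpn.go omits two things a caller needs to know: the value is lowercased, and it is returned without any check against an allowed set. I would extend the comment with `// The value is lowercased and not validated here; an empty string means no custom algorithm was requested.` The allowlist for this value lives in `GetAllSettings` (internal/settings/settings.go in this same diff), so a reader of this getter alone cannot tell whether the result is safe to write into the OpenVPN config.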
@@ -66,20 +66,24 @@ func (c *configurator) GetOpenVPNConnections(region models.PIARegion, protocol m return connections, nil } -func (c *configurator) BuildConf(connections []models.OpenVPNConnection, encryption models.PIAEncryption, verbosity, uid, gid int, root bool, cipher string) (err error) { - var X509CRL, certificate, authAlgo string +func (c *configurator) BuildConf(connections []models.OpenVPNConnection, encryption models.PIAEncryption, verbosity, uid, gid int, root bool, cipher, auth string) (err error) { + var X509CRL, certificate string if encryption == constants.PIAEncryptionNormal { if len(cipher) == 0 { cipher = "aes-128-cbc" } - authAlgo = "sha1" + if len(auth) == 0 { + auth = "sha1" + } X509CRL = constants.PIAX509CRL_NORMAL certificate = constants.PIACertificate_NORMAL } else { // strong encryption if len(cipher) == 0 { cipher = "aes-256-cbc" } - authAlgo = "sha256" + if len(auth) == 0 { + auth = "sha256" + } X509CRL = constants.PIAX509CRL_STRONG certificate = constants.PIACertificate_STRONG } @@ -109,7 +113,7 @@ func (c *configurator) BuildConf(connections []models.OpenVPNConnection, encrypt fmt.Sprintf("auth-user-pass %s", constants.OpenVPNAuthConf), fmt.Sprintf("proto %s", string(connections[0].Protocol)), fmt.Sprintf("cipher %s", cipher), - fmt.Sprintf("auth %s", authAlgo), + fmt.Sprintf("auth %s", auth), } if strings.HasSuffix(cipher, "-gcm") { lines = append(lines, "ncp-disable") diff --git a/internal/pia/pia.go b/internal/pia/pia.go index db077a3b..23f0e200 100644 --- a/internal/pia/pia.go +++ b/internal/pia/pia.go 
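Review bot: `BuildConf` in internal/pia/conf.go writes `auth` straight into the generated config via `fmt.Sprintf("auth %s", auth)` (second hunk) and only checks it for emptiness (first hunk). The `sha1`/`sha256` allowlist is enforced only in `settings.GetAllSettings`, yet `BuildConf` is exposed on the `Configurator` interface, so any other caller could pass a string containing whitespace or a line break and end up with extra directives in the OpenVPN config. Repeating the check at the top of `BuildConf` keeps the config writer safe on its own; the same reasoning appears to apply to `cipher`, which is handled the same way. The body of `BuildConf` continues beyond both hunks.

```go
func (c *configurator) BuildConf(connections []models.OpenVPNConnection, encryption models.PIAEncryption, verbosity, uid, gid int, root bool, cipher, auth string) (err error) {
	// Reject anything outside the PIA allowlist before it is written into the config file.
	switch auth {
	case "", "sha1", "sha256":
	default:
		return fmt.Errorf("auth algorithm %q is not supported by Private Internet Access", auth)
	}
	var X509CRL, certificate string
	// … unchanged: default selection per encryption preset, config line assembly …
```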
@@ -18,7 +18,7 @@ const logPrefix = "PIA configurator" type Configurator interface { GetOpenVPNConnections(region models.PIARegion, protocol models.NetworkProtocol, encryption models.PIAEncryption, targetIP net.IP) (connections []models.OpenVPNConnection, err error) - BuildConf(connections []models.OpenVPNConnection, encryption models.PIAEncryption, verbosity, uid, gid int, root bool, cipher string) (err error) + BuildConf(connections []models.OpenVPNConnection, encryption models.PIAEncryption, verbosity, uid, gid int, root bool, cipher, auth string) (err error) GetPortForward() (port uint16, err error) WritePortForward(filepath models.Filepath, port uint16) (err error) AllowPortForwardFirewall(device models.VPNDevice, port uint16) (err error) diff --git a/internal/settings/openvpn.go b/internal/settings/openvpn.go index 457f16a5..338d2225 100644 --- a/internal/settings/openvpn.go +++ b/internal/settings/openvpn.go @@ -16,6 +16,7 @@ type OpenVPN struct { Root bool TargetIP net.IP Cipher string + Auth string } // GetOpenVPNSettings obtains the OpenVPN settings using the params functions @@ -40,6 +41,10 @@ func GetOpenVPNSettings(params params.ParamsReader) (settings OpenVPN, err error if err != nil { return settings, err } + settings.Auth, err = params.GetOpenVPNAuth() + if err != nil { + return settings, err + } return settings, nil } @@ -55,6 +60,7 @@ func (o *OpenVPN) String() string { "Run as root: " + runAsRoot, "Target IP address: " + o.TargetIP.String(), "Custom cipher: " + o.Cipher, + "Custom auth algorithm: " + o.Auth, } return strings.Join(settingsList, "\n|--") } diff --git a/internal/settings/settings.go b/internal/settings/settings.go index da5d754b..00b4a079 100644 --- a/internal/settings/settings.go +++ b/internal/settings/settings.go 
@@ -57,6 +57,11 @@ func GetAllSettings(params params.ParamsReader) (settings Settings, err error) { default: return settings, fmt.Errorf("cipher %q is not supported by Private Internet Access", settings.OpenVPN.Cipher) } + switch settings.OpenVPN.Auth { + case "", "sha1", "sha256": + default: + return settings, fmt.Errorf("auth algorithm %q is not supported by Private Internet Access", settings.OpenVPN.Auth) + } settings.PIA, err = GetPIASettings(params) case "mullvad": switch settings.OpenVPN.Cipher { @@ -64,6 +69,11 @@ func GetAllSettings(params params.ParamsReader) (settings Settings, err error) { default: return settings, fmt.Errorf("cipher %q is not supported by Mullvad", settings.OpenVPN.Cipher) } + switch settings.OpenVPN.Auth { + case "": + default: + return settings, fmt.Errorf("auth algorithm %q is not supported by Mullvad (not using auth at all)", settings.OpenVPN.Auth) + } settings.Mullvad, err = GetMullvadSettings(params) default: return settings, fmt.Errorf("VPN service provider %q is not valid", settings.VPNSP)
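Review bot: The PIA allowlist added in the first hunk of internal/settings/settings.go accepts `sha1` regardless of `PIA_ENCRYPTION`, so `OPENVPN_AUTH=sha1` combined with the strong preset replaces the `sha256` default that `BuildConf` would otherwise choose. Nothing visible here warns the operator about that downgrade: the README row for `OPENVPN_CIPHER` says "use at your own risk", but the new `OPENVPN_AUTH` row does not. I would at least record it next to the switch, `// sha1 is accepted even when PIA_ENCRYPTION=strong and then overrides the sha256 default`, and consider rejecting or logging that combination once `settings.PIA` has been read on the following line. `GetAllSettings` starts and ends outside both hunks.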