OPENVPN_AUTH variable, refers to #94

2020-03-29 16:22:21 -04:00
parent 3d6a580102
commit 643745d33e
11 changed files with 46 additions and 31 deletions
--- a/internal/params/openvpn.go
+++ b/internal/params/openvpn.go
@@ -71,3 +71,10 @@ func (p *paramsReader) GetOpenVPNCipher() (cipher string, err error) {
 	cipher, err = p.envParams.GetEnv("OPENVPN_CIPHER")
 	return strings.ToLower(cipher), err
 }
+
+// GetOpenVPNAuth obtains a custom auth algorithm to use with OpenVPN
+// from the environment variable OPENVPN_AUTH
+func (p *paramsReader) GetOpenVPNAuth() (auth string, err error) {
+	auth, err = p.envParams.GetEnv("OPENVPN_AUTH")
+	return strings.ToLower(auth), err
+}
--- a/internal/params/params.go
+++ b/internal/params/params.go
@@ -39,6 +39,7 @@ type ParamsReader interface {
 	GetOpenVPNRoot() (root bool, err error)
 	GetTargetIP() (ip net.IP, err error)
 	GetOpenVPNCipher() (cipher string, err error)
+	GetOpenVPNAuth() (auth string, err error)

 	// PIA getters
 	GetPortForwarding() (activated bool, err error)
--- a/internal/pia/conf.go
+++ b/internal/pia/conf.go
@@ -66,20 +66,24 @@ func (c *configurator) GetOpenVPNConnections(region models.PIARegion, protocol m
 	return connections, nil
 }

-func (c *configurator) BuildConf(connections []models.OpenVPNConnection, encryption models.PIAEncryption, verbosity, uid, gid int, root bool, cipher string) (err error) {
-	var X509CRL, certificate, authAlgo string
+func (c *configurator) BuildConf(connections []models.OpenVPNConnection, encryption models.PIAEncryption, verbosity, uid, gid int, root bool, cipher, auth string) (err error) {
+	var X509CRL, certificate string
 	if encryption == constants.PIAEncryptionNormal {
 		if len(cipher) == 0 {
 			cipher = "aes-128-cbc"
 		}
-		authAlgo = "sha1"
+		if len(auth) == 0 {
+			auth = "sha1"
+		}
 		X509CRL = constants.PIAX509CRL_NORMAL
 		certificate = constants.PIACertificate_NORMAL
 	} else { // strong encryption
 		if len(cipher) == 0 {
 			cipher = "aes-256-cbc"
 		}
-		authAlgo = "sha256"
+		if len(auth) == 0 {
+			auth = "sha256"
+		}
 		X509CRL = constants.PIAX509CRL_STRONG
 		certificate = constants.PIACertificate_STRONG
 	}
@@ -109,7 +113,7 @@ func (c *configurator) BuildConf(connections []models.OpenVPNConnection, encrypt
 		fmt.Sprintf("auth-user-pass %s", constants.OpenVPNAuthConf),
 		fmt.Sprintf("proto %s", string(connections[0].Protocol)),
 		fmt.Sprintf("cipher %s", cipher),
-		fmt.Sprintf("auth %s", authAlgo),
+		fmt.Sprintf("auth %s", auth),
 	}
 	if strings.HasSuffix(cipher, "-gcm") {
 		lines = append(lines, "ncp-disable")
--- a/internal/pia/pia.go
+++ b/internal/pia/pia.go
@@ -18,7 +18,7 @@ const logPrefix = "PIA configurator"
 type Configurator interface {
 	GetOpenVPNConnections(region models.PIARegion, protocol models.NetworkProtocol,
 		encryption models.PIAEncryption, targetIP net.IP) (connections []models.OpenVPNConnection, err error)
-	BuildConf(connections []models.OpenVPNConnection, encryption models.PIAEncryption, verbosity, uid, gid int, root bool, cipher string) (err error)
+	BuildConf(connections []models.OpenVPNConnection, encryption models.PIAEncryption, verbosity, uid, gid int, root bool, cipher, auth string) (err error)
 	GetPortForward() (port uint16, err error)
 	WritePortForward(filepath models.Filepath, port uint16) (err error)
 	AllowPortForwardFirewall(device models.VPNDevice, port uint16) (err error)
--- a/internal/settings/openvpn.go
+++ b/internal/settings/openvpn.go
@@ -16,6 +16,7 @@ type OpenVPN struct {
 	Root            bool
 	TargetIP        net.IP
 	Cipher          string
+	Auth            string
 }

 // GetOpenVPNSettings obtains the OpenVPN settings using the params functions
@@ -40,6 +41,10 @@ func GetOpenVPNSettings(params params.ParamsReader) (settings OpenVPN, err error
 	if err != nil {
 		return settings, err
 	}
+	settings.Auth, err = params.GetOpenVPNAuth()
+	if err != nil {
+		return settings, err
+	}
 	return settings, nil
 }

@@ -55,6 +60,7 @@ func (o *OpenVPN) String() string {
 		"Run as root: " + runAsRoot,
 		"Target IP address: " + o.TargetIP.String(),
 		"Custom cipher: " + o.Cipher,
+		"Custom auth algorithm: " + o.Auth,
 	}
 	return strings.Join(settingsList, "\n|--")
 }
--- a/internal/settings/settings.go
+++ b/internal/settings/settings.go
@@ -57,6 +57,11 @@ func GetAllSettings(params params.ParamsReader) (settings Settings, err error) {
 		default:
 			return settings, fmt.Errorf("cipher %q is not supported by Private Internet Access", settings.OpenVPN.Cipher)
 		}
+		switch settings.OpenVPN.Auth {
+		case "", "sha1", "sha256":
+		default:
+			return settings, fmt.Errorf("auth algorithm %q is not supported by Private Internet Access", settings.OpenVPN.Auth)
+		}
 		settings.PIA, err = GetPIASettings(params)
 	case "mullvad":
 		switch settings.OpenVPN.Cipher {
@@ -64,6 +69,11 @@ func GetAllSettings(params params.ParamsReader) (settings Settings, err error) {
 		default:
 			return settings, fmt.Errorf("cipher %q is not supported by Mullvad", settings.OpenVPN.Cipher)
 		}
+		switch settings.OpenVPN.Auth {
+		case "":
+		default:
+			return settings, fmt.Errorf("auth algorithm %q is not supported by Mullvad (not using auth at all)", settings.OpenVPN.Auth)
+		}
 		settings.Mullvad, err = GetMullvadSettings(params)
 	default:
 		return settings, fmt.Errorf("VPN service provider %q is not valid", settings.VPNSP)