From 26f748e24bc40518d27cc936211f09e5077f51b9 Mon Sep 17 00:00:00 2001
From: Quentin McGaw
Date: Thu, 2 May 2024 07:57:11 +0000
Subject: [PATCH] Use Openvpn 2.4 only

---
 Dockerfile | 11 +++++------
 cmd/gluetun/main.go | 3 +--
 internal/configuration/settings/openvpn.go | 6 +++---
 internal/configuration/settings/settings.go | 14 --------------
 internal/configuration/settings/settings_test.go | 2 +-
 internal/constants/openvpn/versions.go | 3 +--
 internal/openvpn/start.go | 9 +++------
 internal/openvpn/version.go | 8 ++------
 internal/provider/airvpn/openvpnconf.go | 7 ++-----
 internal/provider/custom/openvpnconf_test.go | 4 ++--
 internal/provider/slickvpn/openvpnconf.go | 6 ------
 internal/provider/utils/cipher.go | 4 ++--
 internal/provider/utils/cipher_test.go | 12 ++++++------
 13 files changed, 28 insertions(+), 61 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index de18c8269..bf92dd7de 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -85,7 +85,7 @@ ENV VPN_SERVICE_PROVIDER=pia \
 OPENVPN_PASSWORD= \
 OPENVPN_USER_SECRETFILE=/run/secrets/openvpn_user \
 OPENVPN_PASSWORD_SECRETFILE=/run/secrets/openvpn_password \
- OPENVPN_VERSION=2.5 \
+ OPENVPN_VERSION=2.4 \
 OPENVPN_VERBOSITY=1 \
 OPENVPN_FLAGS= \
 OPENVPN_CIPHERS= \
@@ -215,11 +215,10 @@ EXPOSE 8000/tcp 8888/tcp 8388/tcp 8388/udp
 HEALTHCHECK --interval=5s --timeout=5s --start-period=10s --retries=1 CMD /gluetun-entrypoint healthcheck
 ARG TARGETPLATFORM
 RUN apk add --no-cache --update -l wget && \
- apk add --no-cache --update -X "https://dl-cdn.alpinelinux.org/alpine/v3.17/main" openvpn\~2.5 && \
- mv /usr/sbin/openvpn /usr/sbin/openvpn2.5 && \
- apk del openvpn && \
- apk add --no-cache --update openvpn ca-certificates iptables ip6tables unbound tzdata && \
- mv /usr/sbin/openvpn /usr/sbin/openvpn2.6 && \
+ apk add --no-cache --update -X "https://dl-cdn.alpinelinux.org/alpine/v3.12/main" openvpn\~2.4 && \
+ apk add --no-cache --update -X "https://dl-cdn.alpinelinux.org/alpine/v3.16/main" openssl\~1.1 && \
+ mv /usr/sbin/openvpn /usr/sbin/openvpn2.4 && \
+ apk add --no-cache --update ca-certificates iptables ip6tables unbound tzdata && \
 # Fix vulnerability issue
 apk add --no-cache --update busybox && \
 rm -rf /var/cache/apk/* /etc/unbound/* /usr/sbin/unbound-* /etc/openvpn/*.sh /usr/lib/openvpn/plugins/openvpn-plugin-down-root.so && \
diff --git a/cmd/gluetun/main.go b/cmd/gluetun/main.go
index bdddd6e8c..5c4d6ac08 100644
--- a/cmd/gluetun/main.go
+++ b/cmd/gluetun/main.go
@@ -276,8 +276,7 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
 
 err = printVersions(ctx, logger, []printVersionElement{
 {name: "Alpine", getVersion: alpineConf.Version},
- {name: "OpenVPN 2.5", getVersion: ovpnConf.Version25},
- {name: "OpenVPN 2.6", getVersion: ovpnConf.Version26},
+ {name: "OpenVPN 2.4", getVersion: ovpnConf.Version24},
 {name: "Unbound", getVersion: dnsConf.Version},
 {name: "IPtables", getVersion: func(ctx context.Context) (version string, err error) {
 return firewall.Version(ctx, cmder)
diff --git a/internal/configuration/settings/openvpn.go b/internal/configuration/settings/openvpn.go
index 52ce17e11..4a0823107 100644
--- a/internal/configuration/settings/openvpn.go
+++ b/internal/configuration/settings/openvpn.go
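Review bot: The two new `apk add -X` lines fetch `openvpn~2.4` from the Alpine v3.12 repository and `openssl~1.1` from v3.16, and as far as I know both branches (and OpenSSL 1.1.1 upstream) are past end-of-life, so the VPN client and its TLS library in this image will receive no further security fixes and `~2.4`/`~1.1` will resolve to whatever last build those frozen repositories hold. If the downgrade is deliberate, pin exact package versions with `=` instead of `~` so rebuilds are reproducible, and leave the rationale next to the lines, e.g. `# OpenVPN 2.4 + OpenSSL 1.1 come from EOL Alpine branches and are unmaintained upstream; tracked for removal`. It is also worth confirming that the 2.4 binary ends up linked against the libssl from the v3.16 repo rather than one pulled in as a dependency from v3.12, since the two repositories are enabled in separate invocations; the `# Fix vulnerability issue` busybox upgrade that follows does not cover either package.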
@@ -19,7 +19,7 @@ import (
 // OpenVPN contains settings to configure the OpenVPN client.
 type OpenVPN struct {
 // Version is the OpenVPN version to run.
- // It can only be "2.5" or "2.6".
+ // It can only be "2.4".
 Version string `json:"version"`
 // User is the OpenVPN authentication username.
 // It cannot be nil in the internal state if OpenVPN is used.
@@ -90,7 +90,7 @@ var ivpnAccountID = regexp.MustCompile(`^(i|ivpn)\-[a-zA-Z0-9]{4}\-[a-zA-Z0-9]{4
 
 func (o OpenVPN) validate(vpnProvider string) (err error) {
 // Validate version
- validVersions := []string{openvpn.Openvpn25, openvpn.Openvpn26}
+ validVersions := []string{openvpn.Openvpn24}
 if err = validate.IsOneOf(o.Version, validVersions...); err != nil {
 return fmt.Errorf("%w: %w", ErrOpenVPNVersionIsNotValid, err)
 }
@@ -286,7 +286,7 @@ func (o *OpenVPN) overrideWith(other OpenVPN) {
 }
 
 func (o *OpenVPN) setDefaults(vpnProvider string) {
- o.Version = gosettings.DefaultComparable(o.Version, openvpn.Openvpn25)
+ o.Version = gosettings.DefaultComparable(o.Version, openvpn.Openvpn24)
 o.User = gosettings.DefaultPointer(o.User, "")
 if vpnProvider == providers.Mullvad {
 o.Password = gosettings.DefaultPointer(o.Password, "m")
diff --git a/internal/configuration/settings/settings.go b/internal/configuration/settings/settings.go
index 988d95daa..f0448ead7 100644
--- a/internal/configuration/settings/settings.go
+++ b/internal/configuration/settings/settings.go
@@ -4,9 +4,7 @@ import (
 "fmt"
 "net/netip"
 
- "github.com/qdm12/gluetun/internal/configuration/settings/helpers"
 "github.com/qdm12/gluetun/internal/constants/providers"
- "github.com/qdm12/gluetun/internal/constants/vpn"
 "github.com/qdm12/gluetun/internal/models"
 "github.com/qdm12/gluetun/internal/pprof"
 "github.com/qdm12/gosettings/reader"
@@ -153,18 +151,6 @@ func (s Settings) Warnings() (warnings []string) {
 " so this will likely not work anymore. See https://github.com/qdm12/gluetun/issues/1498.")
 }
 
- if helpers.IsOneOf(s.VPN.Provider.Name, providers.SlickVPN) &&
- s.VPN.Type == vpn.OpenVPN {
- warnings = append(warnings, "OpenVPN 2.5 uses OpenSSL 3 "+
- "which prohibits the usage of weak security in today's standards. "+
- s.VPN.Provider.Name+" uses weak security which is out "+
- "of Gluetun's control so the only workaround is to allow such weaknesses "+
- `using the OpenVPN option tls-cipher "DEFAULT:@SECLEVEL=0". `+
- "You might want to reach to your provider so they upgrade their certificates. "+
- "Once this is done, you will have to let the Gluetun maintainers know "+
- "by creating an issue, attaching the new certificate and we will update Gluetun.")
- }
-
 // TODO remove in v4
 if s.DNS.ServerAddress.Unmap().Compare(netip.AddrFrom4([4]byte{127, 0, 0, 1})) != 0 {
 warnings = append(warnings, "DNS address is set to "+s.DNS.ServerAddress.String()+
diff --git a/internal/configuration/settings/settings_test.go b/internal/configuration/settings/settings_test.go
index c86947b0a..f700fd374 100644
--- a/internal/configuration/settings/settings_test.go
+++ b/internal/configuration/settings/settings_test.go
@@ -30,7 +30,7 @@ func Test_Settings_String(t *testing.T) {
 | | ├── Protocol: UDP
 | | └── Private Internet Access encryption preset: strong
 | └── OpenVPN settings:
-| ├── OpenVPN version: 2.5
+| ├── OpenVPN version: 2.4
 | ├── User: [not set]
 | ├── Password: [not set]
 | ├── Private Internet Access encryption preset: strong
diff --git a/internal/constants/openvpn/versions.go b/internal/constants/openvpn/versions.go
index 0b734c1d8..4e50bb362 100644
--- a/internal/constants/openvpn/versions.go
+++ b/internal/constants/openvpn/versions.go
@@ -1,6 +1,5 @@
 package openvpn
 
 const (
- Openvpn25 = "2.5"
- Openvpn26 = "2.6"
+ Openvpn24 = "2.4"
 )
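Review bot: Removing the SlickVPN block in Warnings() takes away the only signal users get that this provider's certificate relies on a SHA-1 signature (per the comment deleted in slickvpn/openvpnconf.go in this same commit), while the weakness itself is unchanged: with OpenVPN 2.4 on OpenSSL 1.1 the certificate is, as far as I know, accepted at the default security level instead of via the explicit `@SECLEVEL=0` opt-out, so it now passes without a word. I would keep a shorter warning in its place, `if helpers.IsOneOf(s.VPN.Provider.Name, providers.SlickVPN) && s.VPN.Type == vpn.OpenVPN {` / `warnings = append(warnings, s.VPN.Provider.Name+" uses a sha1WithRSAEncryption certificate; it is only accepted because OpenVPN 2.4 links against OpenSSL 1.1, so ask your provider to upgrade it.")` / `}`, which means retaining the `helpers` and `vpn` imports this commit drops from the file. The body of Warnings continues on both sides of this hunk.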
diff --git a/internal/openvpn/start.go b/internal/openvpn/start.go
index 8ff7b99a2..bc1e9de18 100644
--- a/internal/openvpn/start.go
+++ b/internal/openvpn/start.go
@@ -14,18 +14,15 @@ import (
 var ErrVersionUnknown = errors.New("OpenVPN version is unknown")
 
 const (
- binOpenvpn25 = "openvpn2.5"
- binOpenvpn26 = "openvpn2.6"
+ binOpenvpn24 = "openvpn2.4"
 )
 
 func start(ctx context.Context, starter command.Starter, version string, flags []string) (
 stdoutLines, stderrLines chan string, waitError chan error, err error) {
 var bin string
 switch version {
- case openvpn.Openvpn25:
- bin = binOpenvpn25
- case openvpn.Openvpn26:
- bin = binOpenvpn26
+ case openvpn.Openvpn24:
+ bin = binOpenvpn24
 default:
 return nil, nil, nil, fmt.Errorf("%w: %s", ErrVersionUnknown, version)
 }
diff --git a/internal/openvpn/version.go b/internal/openvpn/version.go
index dd9d5493d..338c1d3ae 100644
--- a/internal/openvpn/version.go
+++ b/internal/openvpn/version.go
@@ -8,12 +8,8 @@ import (
 "strings"
 )
 
-func (c *Configurator) Version25(ctx context.Context) (version string, err error) {
- return c.version(ctx, binOpenvpn25)
-}
-
-func (c *Configurator) Version26(ctx context.Context) (version string, err error) {
- return c.version(ctx, binOpenvpn26)
+func (c *Configurator) Version24(ctx context.Context) (version string, err error) {
+ return c.version(ctx, binOpenvpn24)
 }
 
 var ErrVersionTooShort = errors.New("version output is too short")
diff --git a/internal/provider/airvpn/openvpnconf.go b/internal/provider/airvpn/openvpnconf.go
index 6c4658d1c..8eb6fbb28 100644
--- a/internal/provider/airvpn/openvpnconf.go
+++ b/internal/provider/airvpn/openvpnconf.go
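Review bot: The new `binOpenvpn24 = "openvpn2.4"` is a bare program name, so `start` (and `Version24`, which reuses the constant) depends on `PATH` lookup to reach the binary the Dockerfile moves to `/usr/sbin/openvpn2.4`; the replaced 2.5/2.6 constants had the same shape, but now that this is the only OpenVPN binary the container runs it is a cheap hardening to make it absolute, `binOpenvpn24 = "/usr/sbin/openvpn2.4"`, so a missing or shadowed binary fails with an explicit exec error rather than running whatever `PATH` resolves first. Whether `command.Starter` performs `PATH` resolution is not visible here, so confirm that before changing it. A short comment on the constant naming where the Dockerfile installs the binary would also help: `// installed by the Dockerfile as /usr/sbin/openvpn2.4`. The body of `start` continues past the end of this hunk.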
@@ -27,11 +27,8 @@ func (p *Provider) OpenVPNConfig(connection models.Connection,
 }
 
 switch settings.Version {
- case openvpn.Openvpn25, openvpn.Openvpn26:
- providerSettings.Ciphers = []string{
- openvpn.AES256gcm, openvpn.AES256cbc, openvpn.AES192gcm,
- openvpn.AES192cbc, openvpn.AES128gcm, openvpn.AES128cbc,
- openvpn.Chacha20Poly1305}
+ case openvpn.Openvpn24:
+ providerSettings.Ciphers = []string{openvpn.AES256cbc}
 default:
 panic(fmt.Sprintf("openvpn version %q is not implemented", settings.Version))
 }
diff --git a/internal/provider/custom/openvpnconf_test.go b/internal/provider/custom/openvpnconf_test.go
index e3d7178ce..a6bc59678 100644
--- a/internal/provider/custom/openvpnconf_test.go
+++ b/internal/provider/custom/openvpnconf_test.go
@@ -64,8 +64,8 @@ func Test_modifyConfig(t *testing.T) {
 "suppress-timestamps",
 "auth-user-pass /etc/openvpn/auth.conf",
 "verb 0",
- "data-ciphers-fallback cipher",
- "data-ciphers cipher",
+ "cipher cipher", //nolint:dupword
+ "ncp-ciphers cipher",
 "auth sha512",
 "mssfix 1000",
 "pull-filter ignore \"route-ipv6\"",
diff --git a/internal/provider/slickvpn/openvpnconf.go b/internal/provider/slickvpn/openvpnconf.go
index c984b4b48..c51a68808 100644
--- a/internal/provider/slickvpn/openvpnconf.go
+++ b/internal/provider/slickvpn/openvpnconf.go
@@ -28,11 +28,5 @@ func (p *Provider) OpenVPNConfig(connection models.Connection,
 },
 }
 
- // SlickVPN's certificate is sha1WithRSAEncryption and sha1 is now
- // rejected by openssl 3.x.x which is used by OpenVPN >= 2.5.
- // We lower the security level to 3 to allow this algorithm,
- // see https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html
- providerSettings.TLSCipher = "DEFAULT:@SECLEVEL=0"
-
 return utils.OpenVPNConfig(providerSettings, connection, settings, ipv6Supported)
 }
diff --git a/internal/provider/utils/cipher.go b/internal/provider/utils/cipher.go
index f407403c2..9efb2220f 100644
--- a/internal/provider/utils/cipher.go
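Review bot: Narrowing AirVPN to `[]string{openvpn.AES256cbc}` removes every AEAD cipher from the list, yet the `ncp-ciphers` line that `CipherLines` now emits exists precisely because OpenVPN 2.4 negotiates GCM, so the client will decline AES-256-GCM even when the server offers it and settle for CBC+HMAC. Unless there is a known AirVPN-side reason that 2.4 cannot use GCM, keep GCM first so it is preferred and CBC stays the non-NCP fallback: `providerSettings.Ciphers = []string{openvpn.AES256gcm, openvpn.AES256cbc}`. Either way, a one-line comment on the `case` saying why the longer 2.5/2.6 list was dropped would spare the next reader from guessing. The function's opening lines are above this hunk.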
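Review bot: Dropping `providerSettings.TLSCipher = "DEFAULT:@SECLEVEL=0"` removes the explicit opt-out, but per the removed comment SlickVPN's certificate is still sha1WithRSAEncryption; it is now accepted, as far as I know, only because OpenSSL 1.1 (installed for OpenVPN 2.4 by the Dockerfile in this commit) tolerates SHA-1 signatures at its default security level, so the weakness went from visible to implicit. Leave a comment where the assignment was so the next TLS-library change does not surface as an unexplained handshake failure, e.g. `// SlickVPN's certificate is sha1WithRSAEncryption. OpenSSL 1.1 (OpenVPN 2.4) still accepts it at its default security level; if OpenSSL 3 is reinstated, a tls-cipher "@SECLEVEL=0" override or a new provider certificate is needed again.` The removed text said "level 3" while setting 0; the replacement should not carry that mismatch over.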
+++ b/internal/provider/utils/cipher.go
@@ -10,7 +10,7 @@ func CipherLines(ciphers []string) (lines []string) {
 }
 
 return []string{
- "data-ciphers-fallback " + ciphers[0],
- "data-ciphers " + strings.Join(ciphers, ":"),
+ "cipher " + ciphers[0],
+ "ncp-ciphers " + strings.Join(ciphers, ":"),
 }
 }
diff --git a/internal/provider/utils/cipher_test.go b/internal/provider/utils/cipher_test.go
index a48d06ed7..e9b4b683d 100644
--- a/internal/provider/utils/cipher_test.go
+++ b/internal/provider/utils/cipher_test.go
@@ -16,16 +16,16 @@ func Test_CipherLines(t *testing.T) {
 "empty version": {
 ciphers: []string{"AES"},
 lines: []string{
- "data-ciphers-fallback AES",
- "data-ciphers AES",
+ "cipher AES",
+ "ncp-ciphers AES",
 },
 },
- "2.5": {
+ "2.4": {
 ciphers: []string{"AES", "CBC"},
- version: "2.5",
+ version: "2.4",
 lines: []string{
- "data-ciphers-fallback AES",
- "data-ciphers AES:CBC",
+ "cipher AES",
+ "ncp-ciphers AES:CBC",
 },
 },
 }
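Review bot: With the new `cipher`/`ncp-ciphers` pair, `ciphers[0]` does double duty that the code does not say: it is the data cipher used whenever the peer does not negotiate (a non-NCP server), while the joined list is only a preference honoured by NCP-capable servers, so a caller that lists a CBC or weak cipher first silently gets exactly that on a non-NCP server. Document the contract above the return, e.g. `// ciphers[0] is also the non-negotiated fallback (cipher), so callers must put their preferred cipher first; the full list only applies when the server supports NCP (ncp-ciphers).` The guard at the top of CipherLines is outside this hunk, so I cannot see whether an empty slice is rejected before `ciphers[0]` is indexed; if it is not, that index panics.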