client/configurators/openvpn_configurator.cpp

#include "openvpn_configurator.h"

#include <QDebug>
#include <QJsonDocument>
#include <QJsonObject>
#include <QProcess>
#include <QString>
#include <QTemporaryDir>
#include <QTemporaryFile>
#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
    #include <QGuiApplication>
#else
    #include <QApplication>
#endif

#include "containers/containers_defs.h"
#include "core/controllers/serverController.h"
#include "core/scripts_registry.h"
#include "core/server_defs.h"
#include "settings.h"
#include "utilities.h"

#include <openssl/pem.h>
#include <openssl/rsa.h>
#include <openssl/x509.h>

OpenVpnConfigurator::OpenVpnConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController,
                                         QObject *parent)
    : ConfiguratorBase(settings, serverController, parent)
{
}

OpenVpnConfigurator::ConnectionData OpenVpnConfigurator::prepareOpenVpnConfig(const ServerCredentials &credentials,
                                                                              DockerContainer container, ErrorCode &errorCode)
{
    OpenVpnConfigurator::ConnectionData connData = OpenVpnConfigurator::createCertRequest();
    connData.host = credentials.hostName;

    if (connData.privKey.isEmpty() || connData.request.isEmpty()) {
        errorCode = ErrorCode::OpenSslFailed;
        return connData;
    }

    QString reqFileName = QString("%1/%2.req").arg(amnezia::protocols::openvpn::clientsDirPath).arg(connData.clientId);

    errorCode = m_serverController->uploadTextFileToContainer(container, credentials, connData.request, reqFileName);
    if (errorCode != ErrorCode::NoError) {
        return connData;
    }

    errorCode = signCert(container, credentials, connData.clientId);
    if (errorCode != ErrorCode::NoError) {
        return connData;
    }

    connData.caCert =
            m_serverController->getTextFileFromContainer(container, credentials, amnezia::protocols::openvpn::caCertPath, errorCode);
    connData.clientCert = m_serverController->getTextFileFromContainer(
            container, credentials, QString("%1/%2.crt").arg(amnezia::protocols::openvpn::clientCertPath).arg(connData.clientId), errorCode);

    if (errorCode != ErrorCode::NoError) {
        return connData;
    }

    connData.taKey = m_serverController->getTextFileFromContainer(container, credentials, amnezia::protocols::openvpn::taKeyPath, errorCode);

    if (connData.caCert.isEmpty() || connData.clientCert.isEmpty() || connData.taKey.isEmpty()) {
        errorCode = ErrorCode::SshScpFailureError;
    }

    return connData;
}

QString OpenVpnConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container,
                                          const QJsonObject &containerConfig, ErrorCode &errorCode)
{
    QString config = m_serverController->replaceVars(amnezia::scriptData(ProtocolScriptType::openvpn_template, container),
                                                     m_serverController->genVarsForScript(credentials, container, containerConfig));

    ConnectionData connData = prepareOpenVpnConfig(credentials, container, errorCode);
    if (errorCode != ErrorCode::NoError) {
        return "";
    }

    config.replace("$OPENVPN_CA_CERT", connData.caCert);
    config.replace("$OPENVPN_CLIENT_CERT", connData.clientCert);
    config.replace("$OPENVPN_PRIV_KEY", connData.privKey);

    if (config.contains("$OPENVPN_TA_KEY")) {
        config.replace("$OPENVPN_TA_KEY", connData.taKey);
    } else {
        config.replace("<tls-auth>", "");
        config.replace("</tls-auth>", "");
    }

#ifndef MZ_WINDOWS
    config.replace("block-outside-dns", "");
#endif

    QJsonObject jConfig;
    jConfig[config_key::config] = config;

    jConfig[config_key::clientId] = connData.clientId;

    return QJsonDocument(jConfig).toJson();
}

QString OpenVpnConfigurator::processConfigWithLocalSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
                                                            QString &protocolConfigString)
{
    processConfigWithDnsSettings(dns, protocolConfigString);

    QJsonObject json = QJsonDocument::fromJson(protocolConfigString.toUtf8()).object();
    QString config = json[config_key::config].toString();

    if (!isApiConfig) {
        QRegularExpression regex("redirect-gateway.*");
        config.replace(regex, "");
        
        if (!m_settings->isSitesSplitTunnelingEnabled()) {
            config.append("\nredirect-gateway def1 ipv6 bypass-dhcp\n");

#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
            // Prevent ipv6 leak
            config.append("ifconfig-ipv6 fd15:53b6:dead::2/64  fd15:53b6:dead::1\n");
#endif
            config.append("block-ipv6\n");
        } else if (m_settings->routeMode() == Settings::VpnOnlyForwardSites) {

            // no redirect-gateway
        } else if (m_settings->routeMode() == Settings::VpnAllExceptSites) {
#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
            config.append("\nredirect-gateway ipv6 !ipv4 bypass-dhcp\n");
            // Prevent ipv6 leak
            config.append("ifconfig-ipv6 fd15:53b6:dead::2/64  fd15:53b6:dead::1\n");
#endif
            config.append("block-ipv6\n");
        }
    }

#ifndef MZ_WINDOWS
    config.replace("block-outside-dns", "");
#endif

#if (defined(MZ_MACOS) || defined(MZ_LINUX))
    QString dnsConf = QString("\nscript-security 2\n"
                              "up %1/update-resolv-conf.sh\n"
                              "down %1/update-resolv-conf.sh\n")
                              .arg(qApp->applicationDirPath());

    config.append(dnsConf);
#endif

    json[config_key::config] = config;
    return QJsonDocument(json).toJson();
}

QString OpenVpnConfigurator::processConfigWithExportSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
                                                             QString &protocolConfigString)
{
    processConfigWithDnsSettings(dns, protocolConfigString);

    QJsonObject json = QJsonDocument::fromJson(protocolConfigString.toUtf8()).object();
    QString config = json[config_key::config].toString();

    QRegularExpression regex("redirect-gateway.*");
    config.replace(regex, "");

    config.append("\nredirect-gateway def1 ipv6 bypass-dhcp\n");

    // Prevent ipv6 leak
    config.append("ifconfig-ipv6 fd15:53b6:dead::2/64  fd15:53b6:dead::1\n");
    config.append("block-ipv6\n");

    // remove block-outside-dns for all exported configs
    config.replace("block-outside-dns", "");

    json[config_key::config] = config;
    return QJsonDocument(json).toJson();
}

ErrorCode OpenVpnConfigurator::signCert(DockerContainer container, const ServerCredentials &credentials, QString clientId)
{
    QString script_import = QString("sudo docker exec -i %1 bash -c \"cd /opt/amnezia/openvpn && "
                                    "easyrsa import-req %2/%3.req %3\"")
                                    .arg(ContainerProps::containerToString(container))
                                    .arg(amnezia::protocols::openvpn::clientsDirPath)
                                    .arg(clientId);

    QString script_sign = QString("sudo docker exec -i %1 bash -c \"export EASYRSA_BATCH=1; cd /opt/amnezia/openvpn && "
                                  "easyrsa sign-req client %2\"")
                                  .arg(ContainerProps::containerToString(container))
                                  .arg(clientId);

    QStringList scriptList { script_import, script_sign };
    QString script = m_serverController->replaceVars(scriptList.join("\n"), m_serverController->genVarsForScript(credentials, container));

    return m_serverController->runScript(credentials, script);
}

OpenVpnConfigurator::ConnectionData OpenVpnConfigurator::createCertRequest()
{
    ConnectionData connData;
    connData.clientId = Utils::getRandomString(32);

    int ret = 0;
    int nVersion = 1;

    QByteArray clientIdUtf8 = connData.clientId.toUtf8();

    EVP_PKEY *pKey = EVP_PKEY_new();
    q_check_ptr(pKey);
    RSA *rsa = RSA_generate_key(2048, RSA_F4, nullptr, nullptr);
    q_check_ptr(rsa);
    EVP_PKEY_assign_RSA(pKey, rsa);

    // 2. set version of x509 req
    X509_REQ *x509_req = X509_REQ_new();
    ret = X509_REQ_set_version(x509_req, nVersion);
    if (ret != 1) {
        qWarning() << "Could not get X509!";
        X509_REQ_free(x509_req);
        EVP_PKEY_free(pKey);
        return connData;
    }

    // 3. set subject of x509 req
    X509_NAME *x509_name = X509_REQ_get_subject_name(x509_req);

    X509_NAME_add_entry_by_txt(x509_name, "C", MBSTRING_ASC, (unsigned char *)"ORG", -1, -1, 0);
    X509_NAME_add_entry_by_txt(x509_name, "O", MBSTRING_ASC, (unsigned char *)"", -1, -1, 0);
    X509_NAME_add_entry_by_txt(x509_name, "CN", MBSTRING_ASC, reinterpret_cast<unsigned char const *>(clientIdUtf8.data()),
                               clientIdUtf8.size(), -1, 0);

    // 4. set public key of x509 req
    ret = X509_REQ_set_pubkey(x509_req, pKey);
    if (ret != 1) {
        qWarning() << "Could not set pubkey!";
        X509_REQ_free(x509_req);
        EVP_PKEY_free(pKey);
        return connData;
    }

    // 5. set sign key of x509 req
    ret = X509_REQ_sign(x509_req, pKey, EVP_sha256()); // return x509_req->signature->length
    if (ret <= 0) {
        qWarning() << "Could not sign request!";
        X509_REQ_free(x509_req);
        EVP_PKEY_free(pKey);
        return connData;
    }

    // save private key
    BIO *bp_private = BIO_new(BIO_s_mem());
    q_check_ptr(bp_private);
    if (PEM_write_bio_PrivateKey(bp_private, pKey, nullptr, nullptr, 0, nullptr, nullptr) != 1) {
        qFatal("PEM_write_bio_PrivateKey");
        EVP_PKEY_free(pKey);
        BIO_free_all(bp_private);
        X509_REQ_free(x509_req);
        return connData;
    }

    const char *buffer = nullptr;
    size_t size = BIO_get_mem_data(bp_private, &buffer);
    q_check_ptr(buffer);
    connData.privKey = QByteArray(buffer, size);
    if (connData.privKey.isEmpty()) {
        qFatal("Failed to generate a random private key");
        EVP_PKEY_free(pKey);
        BIO_free_all(bp_private);
        X509_REQ_free(x509_req);
        return connData;
    }
    BIO_free_all(bp_private);

    // save req
    BIO *bio_req = BIO_new(BIO_s_mem());
    PEM_write_bio_X509_REQ(bio_req, x509_req);

    BUF_MEM *bio_buf;
    BIO_get_mem_ptr(bio_req, &bio_buf);
    connData.request = QByteArray(bio_buf->data, bio_buf->length);
    BIO_free(bio_req);

    EVP_PKEY_free(pKey); // this will also free the rsa key

    return connData;
}
- no dockerhub 2021-04-04 23:12:36 +03:00			`#include "openvpn_configurator.h"`
removed old ui files 2023-08-31 16:00:41 +05:00
			`#include <QDebug>`
			`#include <QJsonDocument>`
			`#include <QJsonObject>`
openvpnconfigurator 2020-12-18 14:57:22 +03:00			`#include <QProcess>`
			`#include <QString>`
			`#include <QTemporaryDir>`
Ssh key auth support added 2021-03-14 21:19:11 +03:00			`#include <QTemporaryFile>`
added missing include files 2023-08-31 21:49:36 +05:00			`#if defined(Q_OS_ANDROID) \|\| defined(Q_OS_IOS)`
			`#include <QGuiApplication>`
			`#else`
			`#include <QApplication>`
			`#endif`
openvpnconfigurator 2020-12-18 14:57:22 +03:00
NewServerSettings qml rework 2021-09-09 20:15:44 +03:00			`#include "containers/containers_defs.h"`
moved protocol config generation to VpnConfigirationsController (#665 ) 2024-04-01 20:20:02 +07:00			`#include "core/controllers/serverController.h"`
removed old ui files 2023-08-31 16:00:41 +05:00			`#include "core/scripts_registry.h"`
App refactoring finished 2022-08-25 17:35:28 +03:00			`#include "core/server_defs.h"`
			`#include "settings.h"`
removed old ui files 2023-08-31 16:00:41 +05:00			`#include "utilities.h"`
openvpnconfigurator 2020-12-18 14:57:22 +03:00
removed old ui files 2023-08-31 16:00:41 +05:00			`#include <openssl/pem.h>`
Easyrsa removed 2021-10-17 13:03:03 +03:00			`#include <openssl/rsa.h>`
			`#include <openssl/x509.h>`
openvpnconfigurator 2020-12-18 14:57:22 +03:00
ssh client now reuses an existing session instead of opening a new one 2024-04-12 20:00:21 +05:00			`OpenVpnConfigurator::OpenVpnConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController,`
			`QObject *parent)`
			`: ConfiguratorBase(settings, serverController, parent)`
App refactoring finished 2022-08-25 17:35:28 +03:00			`{`
			`}`

shadowsocks impl 2021-01-15 23:36:35 +03:00			`OpenVpnConfigurator::ConnectionData OpenVpnConfigurator::prepareOpenVpnConfig(const ServerCredentials &credentials,`
pass errorCode by reference in configurators 2024-05-09 20:56:52 +03:00			`DockerContainer container, ErrorCode &errorCode)`
openvpnconfigurator 2020-12-18 14:57:22 +03:00			`{`
			`OpenVpnConfigurator::ConnectionData connData = OpenVpnConfigurator::createCertRequest();`
Refactoring 2021-01-06 17:12:24 +03:00			`connData.host = credentials.hostName;`
openvpnconfigurator 2020-12-18 14:57:22 +03:00
Openvpn scripts fixes 2021-01-07 20:53:42 +03:00			`if (connData.privKey.isEmpty() \|\| connData.request.isEmpty()) {`
moved protocol config generation to VpnConfigirationsController (#665 ) 2024-04-01 20:20:02 +07:00			`errorCode = ErrorCode::OpenSslFailed;`
Openvpn scripts fixes 2021-01-07 20:53:42 +03:00			`return connData;`
			`}`

removed old ui files 2023-08-31 16:00:41 +05:00			`QString reqFileName = QString("%1/%2.req").arg(amnezia::protocols::openvpn::clientsDirPath).arg(connData.clientId);`
shadowsocks impl 2021-01-15 23:36:35 +03:00
ssh client now reuses an existing session instead of opening a new one 2024-04-12 20:00:21 +05:00			`errorCode = m_serverController->uploadTextFileToContainer(container, credentials, connData.request, reqFileName);`
moved protocol config generation to VpnConfigirationsController (#665 ) 2024-04-01 20:20:02 +07:00			`if (errorCode != ErrorCode::NoError) {`
Refactoring 2021-01-06 17:12:24 +03:00			`return connData;`
			`}`
openvpnconfigurator 2020-12-18 14:57:22 +03:00
moved protocol config generation to VpnConfigirationsController (#665 ) 2024-04-01 20:20:02 +07:00			`errorCode = signCert(container, credentials, connData.clientId);`
			`if (errorCode != ErrorCode::NoError) {`
shadowsocks impl 2021-01-15 23:36:35 +03:00			`return connData;`
			`}`
openvpnconfigurator 2020-12-18 14:57:22 +03:00
ssh client now reuses an existing session instead of opening a new one 2024-04-12 20:00:21 +05:00			`connData.caCert =`
			`m_serverController->getTextFileFromContainer(container, credentials, amnezia::protocols::openvpn::caCertPath, errorCode);`
			`connData.clientCert = m_serverController->getTextFileFromContainer(`
			`container, credentials, QString("%1/%2.crt").arg(amnezia::protocols::openvpn::clientCertPath).arg(connData.clientId), errorCode);`
- no dockerhub 2021-04-04 23:12:36 +03:00
moved protocol config generation to VpnConfigirationsController (#665 ) 2024-04-01 20:20:02 +07:00			`if (errorCode != ErrorCode::NoError) {`
Refactoring 2021-01-06 17:12:24 +03:00			`return connData;`
			`}`
openvpnconfigurator 2020-12-18 14:57:22 +03:00
ssh client now reuses an existing session instead of opening a new one 2024-04-12 20:00:21 +05:00			`connData.taKey = m_serverController->getTextFileFromContainer(container, credentials, amnezia::protocols::openvpn::taKeyPath, errorCode);`
shadowsocks impl 2021-01-15 23:36:35 +03:00
			`if (connData.caCert.isEmpty() \|\| connData.clientCert.isEmpty() \|\| connData.taKey.isEmpty()) {`
moved protocol config generation to VpnConfigirationsController (#665 ) 2024-04-01 20:20:02 +07:00			`errorCode = ErrorCode::SshScpFailureError;`
shadowsocks impl 2021-01-15 23:36:35 +03:00			`}`
openvpnconfigurator 2020-12-18 14:57:22 +03:00
			`return connData;`
			`}`

moved protocol config generation to VpnConfigirationsController (#665 ) 2024-04-01 20:20:02 +07:00			`QString OpenVpnConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container,`
pass errorCode by reference in configurators 2024-05-09 20:56:52 +03:00			`const QJsonObject &containerConfig, ErrorCode &errorCode)`
openvpnconfigurator 2020-12-18 14:57:22 +03:00			`{`
ssh client now reuses an existing session instead of opening a new one 2024-04-12 20:00:21 +05:00			`QString config = m_serverController->replaceVars(amnezia::scriptData(ProtocolScriptType::openvpn_template, container),`
			`m_serverController->genVarsForScript(credentials, container, containerConfig));`
openvpnconfigurator 2020-12-18 14:57:22 +03:00
refactoring 2021-04-26 23:19:19 +03:00			`ConnectionData connData = prepareOpenVpnConfig(credentials, container, errorCode);`
moved protocol config generation to VpnConfigirationsController (#665 ) 2024-04-01 20:20:02 +07:00			`if (errorCode != ErrorCode::NoError) {`
- no dockerhub 2021-04-04 23:12:36 +03:00			`return "";`
			`}`
shadowsocks impl 2021-01-15 23:36:35 +03:00
Multiprotocol support 2021-05-07 23:28:37 +03:00			`config.replace("$OPENVPN_CA_CERT", connData.caCert);`
			`config.replace("$OPENVPN_CLIENT_CERT", connData.clientCert);`
			`config.replace("$OPENVPN_PRIV_KEY", connData.privKey);`
win7 support fixes 2021-05-18 15:50:52 +03:00
			`if (config.contains("$OPENVPN_TA_KEY")) {`
			`config.replace("$OPENVPN_TA_KEY", connData.taKey);`
removed old ui files 2023-08-31 16:00:41 +05:00			`} else {`
win7 support fixes 2021-05-18 15:50:52 +03:00			`config.replace("<tls-auth>", "");`
			`config.replace("</tls-auth>", "");`
			`}`
openvpnconfigurator 2020-12-18 14:57:22 +03:00
WireGuard for MacOS (#248 ) 2023-07-15 14:19:48 -07:00			`#ifndef MZ_WINDOWS`
ShadowSocks fixes for MacOS 2021-02-21 09:44:53 -08:00			`config.replace("block-outside-dns", "");`
			`#endif`
Config export 2021-05-10 02:33:31 +03:00
Refactoring 2021-10-05 12:22:13 +03:00			`QJsonObject jConfig;`
			`jConfig[config_key::config] = config;`

moved protocol config generation to VpnConfigirationsController (#665 ) 2024-04-01 20:20:02 +07:00			`jConfig[config_key::clientId] = connData.clientId;`
added selection of default server and container on the sharing page 2023-11-26 21:15:58 +07:00
Refactoring 2021-10-05 12:22:13 +03:00			`return QJsonDocument(jConfig).toJson();`
Config export 2021-05-10 02:33:31 +03:00			`}`

moved protocol config generation to VpnConfigirationsController (#665 ) 2024-04-01 20:20:02 +07:00			`QString OpenVpnConfigurator::processConfigWithLocalSettings(const QPair<QString, QString> &dns, const bool isApiConfig,`
			`QString &protocolConfigString)`
Config export 2021-05-10 02:33:31 +03:00			`{`
moved protocol config generation to VpnConfigirationsController (#665 ) 2024-04-01 20:20:02 +07:00			`processConfigWithDnsSettings(dns, protocolConfigString);`

			`QJsonObject json = QJsonDocument::fromJson(protocolConfigString.toUtf8()).object();`
OpenVpnConfigurator fix 2021-10-14 12:01:14 +03:00			`QString config = json[config_key::config].toString();`

moved protocol config generation to VpnConfigirationsController (#665 ) 2024-04-01 20:20:02 +07:00			`if (!isApiConfig) {`
for servers received via api, ignore the split tunneling settings 2024-01-17 00:34:23 +07:00			`QRegularExpression regex("redirect-gateway.*");`
			`config.replace(regex, "");`
added killSwitch switcher (#746 ) 2024-04-25 20:01:00 +07:00
			`if (!m_settings->isSitesSplitTunnelingEnabled()) {`
for servers received via api, ignore the split tunneling settings 2024-01-17 00:34:23 +07:00			`config.append("\nredirect-gateway def1 ipv6 bypass-dhcp\n");`
Update OpenVPN to last version (#837 ) 2024-07-27 10:38:55 -07:00
			`#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)`
for servers received via api, ignore the split tunneling settings 2024-01-17 00:34:23 +07:00			`// Prevent ipv6 leak`
			`config.append("ifconfig-ipv6 fd15:53b6:dead::2/64 fd15:53b6:dead::1\n");`
Update OpenVPN to last version (#837 ) 2024-07-27 10:38:55 -07:00			`#endif`
for servers received via api, ignore the split tunneling settings 2024-01-17 00:34:23 +07:00			`config.append("block-ipv6\n");`
fixed adding/removing routes when split tunneling is disabled 2024-04-08 16:13:26 +05:00			`} else if (m_settings->routeMode() == Settings::VpnOnlyForwardSites) {`
for servers received via api, ignore the split tunneling settings 2024-01-17 00:34:23 +07:00
			`// no redirect-gateway`
fixed adding/removing routes when split tunneling is disabled 2024-04-08 16:13:26 +05:00			`} else if (m_settings->routeMode() == Settings::VpnAllExceptSites) {`
Update OpenVPN to last version (#837 ) 2024-07-27 10:38:55 -07:00			`#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)`
for servers received via api, ignore the split tunneling settings 2024-01-17 00:34:23 +07:00			`config.append("\nredirect-gateway ipv6 !ipv4 bypass-dhcp\n");`
			`// Prevent ipv6 leak`
			`config.append("ifconfig-ipv6 fd15:53b6:dead::2/64 fd15:53b6:dead::1\n");`
Update OpenVPN to last version (#837 ) 2024-07-27 10:38:55 -07:00			`#endif`
for servers received via api, ignore the split tunneling settings 2024-01-17 00:34:23 +07:00			`config.append("block-ipv6\n");`
			`}`
win7 support fixes 2021-05-18 15:50:52 +03:00			`}`
Config export 2021-05-10 02:33:31 +03:00
WireGuard for MacOS (#248 ) 2023-07-15 14:19:48 -07:00			`#ifndef MZ_WINDOWS`
macos fix 2021-05-11 09:36:43 -07:00			`config.replace("block-outside-dns", "");`
WireGuard for MacOS (#248 ) 2023-07-15 14:19:48 -07:00			`#endif`

removed old ui files 2023-08-31 16:00:41 +05:00			`#if (defined(MZ_MACOS) \|\| defined(MZ_LINUX))`
			`QString dnsConf = QString("\nscript-security 2\n"`
			`"up %1/update-resolv-conf.sh\n"`
			`"down %1/update-resolv-conf.sh\n")`
			`.arg(qApp->applicationDirPath());`
macos dns setup fixed 2021-05-13 08:23:56 -07:00
			`config.append(dnsConf);`
macos fix 2021-05-11 09:36:43 -07:00			`#endif`

OpenVpnConfigurator fix 2021-10-14 12:01:14 +03:00			`json[config_key::config] = config;`
			`return QJsonDocument(json).toJson();`
openvpnconfigurator 2020-12-18 14:57:22 +03:00			`}`
Ssh key auth support added 2021-03-14 21:19:11 +03:00
moved protocol config generation to VpnConfigirationsController (#665 ) 2024-04-01 20:20:02 +07:00			`QString OpenVpnConfigurator::processConfigWithExportSettings(const QPair<QString, QString> &dns, const bool isApiConfig,`
			`QString &protocolConfigString)`
- Crash fix if service not connected 2021-05-20 15:59:58 +03:00			`{`
moved protocol config generation to VpnConfigirationsController (#665 ) 2024-04-01 20:20:02 +07:00			`processConfigWithDnsSettings(dns, protocolConfigString);`

			`QJsonObject json = QJsonDocument::fromJson(protocolConfigString.toUtf8()).object();`
OpenVpnConfigurator fix 2021-10-14 12:01:14 +03:00			`QString config = json[config_key::config].toString();`

Fixes for split tunneling (#272 ) 2023-08-08 16:41:00 -07:00			`QRegularExpression regex("redirect-gateway.*");`
			`config.replace(regex, "");`

			`config.append("\nredirect-gateway def1 ipv6 bypass-dhcp\n");`

			`// Prevent ipv6 leak`
			`config.append("ifconfig-ipv6 fd15:53b6:dead::2/64 fd15:53b6:dead::1\n");`
			`config.append("block-ipv6\n");`
- Crash fix if service not connected 2021-05-20 15:59:58 +03:00
WireGuard for MacOS (#248 ) 2023-07-15 14:19:48 -07:00			`// remove block-outside-dns for all exported configs`
- Crash fix if service not connected 2021-05-20 15:59:58 +03:00			`config.replace("block-outside-dns", "");`

OpenVpnConfigurator fix 2021-10-14 12:01:14 +03:00			`json[config_key::config] = config;`
			`return QJsonDocument(json).toJson();`
- Crash fix if service not connected 2021-05-20 15:59:58 +03:00			`}`

removed old ui files 2023-08-31 16:00:41 +05:00			`ErrorCode OpenVpnConfigurator::signCert(DockerContainer container, const ServerCredentials &credentials, QString clientId)`
- no dockerhub 2021-04-04 23:12:36 +03:00			`{`
			`QString script_import = QString("sudo docker exec -i %1 bash -c \"cd /opt/amnezia/openvpn && "`
removed old ui files 2023-08-31 16:00:41 +05:00			`"easyrsa import-req %2/%3.req %3\"")`
			`.arg(ContainerProps::containerToString(container))`
			`.arg(amnezia::protocols::openvpn::clientsDirPath)`
			`.arg(clientId);`
- no dockerhub 2021-04-04 23:12:36 +03:00
			`QString script_sign = QString("sudo docker exec -i %1 bash -c \"export EASYRSA_BATCH=1; cd /opt/amnezia/openvpn && "`
removed old ui files 2023-08-31 16:00:41 +05:00			`"easyrsa sign-req client %2\"")`
			`.arg(ContainerProps::containerToString(container))`
			`.arg(clientId);`
- no dockerhub 2021-04-04 23:12:36 +03:00
removed old ui files 2023-08-31 16:00:41 +05:00			`QStringList scriptList { script_import, script_sign };`
ssh client now reuses an existing session instead of opening a new one 2024-04-12 20:00:21 +05:00			`QString script = m_serverController->replaceVars(scriptList.join("\n"), m_serverController->genVarsForScript(credentials, container));`
- no dockerhub 2021-04-04 23:12:36 +03:00
ssh client now reuses an existing session instead of opening a new one 2024-04-12 20:00:21 +05:00			`return m_serverController->runScript(credentials, script);`
- no dockerhub 2021-04-04 23:12:36 +03:00			`}`
Easyrsa removed 2021-10-17 13:03:03 +03:00
			`OpenVpnConfigurator::ConnectionData OpenVpnConfigurator::createCertRequest()`
			`{`
			`ConnectionData connData;`
			`connData.clientId = Utils::getRandomString(32);`

removed old ui files 2023-08-31 16:00:41 +05:00			`int ret = 0;`
			`int nVersion = 1;`
Easyrsa removed 2021-10-17 13:03:03 +03:00
			`QByteArray clientIdUtf8 = connData.clientId.toUtf8();`

removed old ui files 2023-08-31 16:00:41 +05:00			`EVP_PKEY *pKey = EVP_PKEY_new();`
Easyrsa removed 2021-10-17 13:03:03 +03:00			`q_check_ptr(pKey);`
removed old ui files 2023-08-31 16:00:41 +05:00			`RSA *rsa = RSA_generate_key(2048, RSA_F4, nullptr, nullptr);`
Easyrsa removed 2021-10-17 13:03:03 +03:00			`q_check_ptr(rsa);`
			`EVP_PKEY_assign_RSA(pKey, rsa);`

			`// 2. set version of x509 req`
			`X509_REQ *x509_req = X509_REQ_new();`
			`ret = X509_REQ_set_version(x509_req, nVersion);`
			`if (ret != 1) {`
			`qWarning() << "Could not get X509!";`
OpenSSL libs added for Linux 2021-10-17 07:00:00 -07:00			`X509_REQ_free(x509_req);`
			`EVP_PKEY_free(pKey);`
			`return connData;`
Easyrsa removed 2021-10-17 13:03:03 +03:00			`}`

			`// 3. set subject of x509 req`
			`X509_NAME *x509_name = X509_REQ_get_subject_name(x509_req);`

removed old ui files 2023-08-31 16:00:41 +05:00			`X509_NAME_add_entry_by_txt(x509_name, "C", MBSTRING_ASC, (unsigned char *)"ORG", -1, -1, 0);`
			`X509_NAME_add_entry_by_txt(x509_name, "O", MBSTRING_ASC, (unsigned char *)"", -1, -1, 0);`
ssh client now reuses an existing session instead of opening a new one 2024-04-12 20:00:21 +05:00			`X509_NAME_add_entry_by_txt(x509_name, "CN", MBSTRING_ASC, reinterpret_cast<unsigned char const *>(clientIdUtf8.data()),`
			`clientIdUtf8.size(), -1, 0);`
Easyrsa removed 2021-10-17 13:03:03 +03:00
			`// 4. set public key of x509 req`
			`ret = X509_REQ_set_pubkey(x509_req, pKey);`
removed old ui files 2023-08-31 16:00:41 +05:00			`if (ret != 1) {`
Easyrsa removed 2021-10-17 13:03:03 +03:00			`qWarning() << "Could not set pubkey!";`
OpenSSL libs added for Linux 2021-10-17 07:00:00 -07:00			`X509_REQ_free(x509_req);`
			`EVP_PKEY_free(pKey);`
			`return connData;`
Easyrsa removed 2021-10-17 13:03:03 +03:00			`}`

			`// 5. set sign key of x509 req`
removed old ui files 2023-08-31 16:00:41 +05:00			`ret = X509_REQ_sign(x509_req, pKey, EVP_sha256()); // return x509_req->signature->length`
			`if (ret <= 0) {`
Easyrsa removed 2021-10-17 13:03:03 +03:00			`qWarning() << "Could not sign request!";`
OpenSSL libs added for Linux 2021-10-17 07:00:00 -07:00			`X509_REQ_free(x509_req);`
			`EVP_PKEY_free(pKey);`
			`return connData;`
Easyrsa removed 2021-10-17 13:03:03 +03:00			`}`

			`// save private key`
removed old ui files 2023-08-31 16:00:41 +05:00			`BIO *bp_private = BIO_new(BIO_s_mem());`
Easyrsa removed 2021-10-17 13:03:03 +03:00			`q_check_ptr(bp_private);`
removed old ui files 2023-08-31 16:00:41 +05:00			`if (PEM_write_bio_PrivateKey(bp_private, pKey, nullptr, nullptr, 0, nullptr, nullptr) != 1) {`
OpenSSL libs added for Linux 2021-10-17 07:00:00 -07:00			`qFatal("PEM_write_bio_PrivateKey");`
Easyrsa removed 2021-10-17 13:03:03 +03:00			`EVP_PKEY_free(pKey);`
			`BIO_free_all(bp_private);`
OpenSSL libs added for Linux 2021-10-17 07:00:00 -07:00			`X509_REQ_free(x509_req);`
			`return connData;`
Easyrsa removed 2021-10-17 13:03:03 +03:00			`}`

removed old ui files 2023-08-31 16:00:41 +05:00			`const char *buffer = nullptr;`
Easyrsa removed 2021-10-17 13:03:03 +03:00			`size_t size = BIO_get_mem_data(bp_private, &buffer);`
			`q_check_ptr(buffer);`
			`connData.privKey = QByteArray(buffer, size);`
			`if (connData.privKey.isEmpty()) {`
			`qFatal("Failed to generate a random private key");`
OpenSSL libs added for Linux 2021-10-17 07:00:00 -07:00			`EVP_PKEY_free(pKey);`
			`BIO_free_all(bp_private);`
			`X509_REQ_free(x509_req);`
			`return connData;`
Easyrsa removed 2021-10-17 13:03:03 +03:00			`}`
			`BIO_free_all(bp_private);`

			`// save req`
removed old ui files 2023-08-31 16:00:41 +05:00			`BIO *bio_req = BIO_new(BIO_s_mem());`
Easyrsa removed 2021-10-17 13:03:03 +03:00			`PEM_write_bio_X509_REQ(bio_req, x509_req);`

			`BUF_MEM *bio_buf;`
			`BIO_get_mem_ptr(bio_req, &bio_buf);`
			`connData.request = QByteArray(bio_buf->data, bio_buf->length);`
			`BIO_free(bio_req);`

			`EVP_PKEY_free(pKey); // this will also free the rsa key`

			`return connData;`
			`}`