
     1  /*
     2   * Copyright (C) 2017 The "MysteriumNetwork/node" Authors.
     3   *
     4   * This program is free software: you can redistribute it and/or modify
     5   * it under the terms of the GNU General Public License as published by
     6   * the Free Software Foundation, either version 3 of the License, or
     7   * (at your option) any later version.
     8   *
     9   * This program is distributed in the hope that it will be useful,
    10   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    11   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    12   * GNU General Public License for more details.
    13   *
    14   * You should have received a copy of the GNU General Public License
    15   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    16   */
    17  
    18  package service
    19  
    20  import (
    21  	"github.com/mysteriumnetwork/go-openvpn/openvpn/config"
    22  	"github.com/mysteriumnetwork/go-openvpn/openvpn/tls"
    23  )
    24  
// ServerConfig defines openvpn in server mode configuration structure.
// It embeds the generic option set from go-openvpn and layers the
// server-side helpers in this file on top of it; every method here only
// appends options to that embedded config.
type ServerConfig struct {
	*config.GenericConfig
}
    29  
// SetServerMode sets a set of options for openvpn to act as server: the
// listening port, the "server" directive with the tunnel network and its
// netmask, and the "subnet" topology.
func (c *ServerConfig) SetServerMode(port int, network, netmask string) {
	const topology = "subnet"

	c.SetPort(port)
	c.SetParam("server", network, netmask)
	c.SetParam("topology", topology)
}
    36  
// SetTLSServer add tls-server option to config, also sets dh to none.
// With "dh none" OpenVPN loads no DH parameters, so only ECDHE key
// exchange is available for the control channel; that matches the
// ECDHE-only tls-cipher chosen in NewServerConfig.
func (c *ServerConfig) SetTLSServer() {
	noDH := config.OptionParam("dh", "none")

	c.SetFlag("tls-server")
	c.AddOptions(noDH)
}
    42  
// SetProtocol adds protocol option (tcp or udp).
//
// "tcp" selects the server side of a TCP transport ("proto tcp-server").
// "udp" emits no "proto" option at all — OpenVPN's default transport is UDP —
// and only adds "explicit-exit-notify" so clients are told when the server
// goes away. Any other value is silently ignored and leaves the transport
// options untouched.
func (c *ServerConfig) SetProtocol(protocol string) {
	switch protocol {
	case "tcp":
		c.SetParam("proto", "tcp-server")
	case "udp":
		c.SetFlag("explicit-exit-notify")
	}
}
    51  
// NewServerConfig creates server configuration structure from given basic parameters.
//
// runtimeDir and scriptDir are handed to config.NewConfig; network, netmask and
// port describe the tunnel subnet and listening port; secPrimitives supplies the
// CA, the server certificate with its key and the tls-crypt pre-shared key (it is
// dereferenced unconditionally, so it must be non-nil); bindAddress is emitted as
// the "local" option and protocol is passed to SetProtocol.
//
// Security-relevant choices encoded here, per OpenVPN option semantics:
//   - tls-crypt wraps the control channel with the pre-shared key, so the TLS
//     handshake itself is encrypted and authenticated.
//   - "verify-client-cert none" together with "management-client-auth" means a
//     client is NOT authenticated by its certificate; the decision is delegated
//     to whoever drives the management interface.
//   - "auth none" is acceptable only because the data-channel cipher is the AEAD
//     AES-256-GCM, which carries its own authentication tag.
func NewServerConfig(
	runtimeDir string,
	scriptDir string,
	network, netmask string,
	secPrimitives *tls.Primitives,
	bindAddress string,
	port int,
	protocol string,
) *ServerConfig {
	cfg := &ServerConfig{GenericConfig: config.NewConfig(runtimeDir, scriptDir)}

	// Mode, TLS role and transport.
	cfg.SetServerMode(port, network, netmask)
	cfg.SetTLSServer()
	cfg.SetProtocol(protocol)

	// Key material: CA, server cert + key, then the tls-crypt pre-shared key.
	cfg.SetTLSCACertificate(secPrimitives.CertificateAuthority.ToPEMFormat())
	serverCert := secPrimitives.ServerCertificate.ToPEMFormat()
	serverKey := secPrimitives.ServerCertificate.KeyToPEMFormat()
	cfg.SetTLSPrivatePubKeys(serverCert, serverKey)
	cfg.SetTLSCrypt(secPrimitives.PresharedKey.ToPEMFormat())

	// Data channel: AES-256-GCM is an AEAD cipher, so the "auth none" below
	// does not leave packets unauthenticated.
	// NOTE(review): OpenVPN 2.5+ negotiates the data-channel cipher through
	// --data-ciphers; confirm the bundled openvpn still honours a plain --cipher.
	cfg.SetParam("cipher", "AES-256-GCM")
	cfg.SetParam("verb", "3")
	// Control channel: TLS 1.2 minimum, a single ECDHE/ECDSA AEAD suite, and a
	// renegotiation every hour (reneg-sec is in seconds).
	cfg.SetParam("tls-version-min", "1.2")
	// Packet filtering and client authentication are driven over the management
	// interface rather than by the config file.
	// NOTE(review): management-client-pf depends on OpenVPN's packet-filter
	// support, which newer releases have dropped — confirm against the bundled
	// openvpn version.
	cfg.SetFlag("management-client-pf")
	cfg.SetFlag("management-client-auth")
	// Client certificates are not checked against the CA; identity is decided
	// via management-client-auth instead.
	cfg.SetParam("verify-client-cert", "none")
	cfg.SetParam("tls-cipher", "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384")
	cfg.SetParam("reneg-sec", "3600")
	cfg.SetKeepAlive(10, 60)
	cfg.SetPingTimerRemote()
	cfg.SetPersistKey()

	// No separate data-channel HMAC (see the AEAD note above); bind only to
	// the address the caller asked for.
	cfg.SetParam("auth", "none")
	cfg.SetParam("local", bindAddress)
	return cfg
}