From: David Date: Sun, 9 Mar 2014 19:25:36 +0000 (+0000) Subject: Options are taken from the configuration dialogue and passed through to X-Git-Url: https://www.flypig.org.uk/git/?p=openvpnui.git;a=commitdiff_plain;h=23fb3768d515e0e901298d2b030561b9a98ffb33 Options are taken from the configuration dialogue and passed through to the OpenVPN command line. --- diff --git a/OpenVPN-help.txt b/OpenVPN-help.txt new file mode 100644 index 0000000..48d3fdb --- /dev/null +++ b/OpenVPN-help.txt 
@@ -0,0 +1,458 @@ +--dev tun +--proto udp +--remote www.flypig.org.uk 1194 +--resolv-retry infinite +--nobind +--user nemo +--group nemo +--persist-key +--persist-tun +--ca "/home/flypig/Documents/Configure/OpenVPN/ca.crt" +--cert "/home/flypig/Documents/Configure/OpenVPN/Montefalco.crt" +--key "/home/flypig/Documents/Configure/OpenVPN/Montefalco.key" +--tls-auth "/home/flypig/Documents/Configure/OpenVPN/ta.key" 1 +--comp-lzo +--mute 20 + + +OpenVPN 2.2.2 armv7l-unknown-linux-gnueabi [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Jan 20 2014 + +General Options: +--config file : Read configuration options from file. +--help : Show options. +--version : Show copyright and version information. + +Tunnel Options: +--local host : Local host name or ip address. Implies --bind. +--remote host [port] : Remote host name or ip address. +--remote-random : If multiple --remote options specified, choose one randomly. +--remote-random-hostname : Add a random string to remote DNS name. +--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'. +--proto p : Use protocol p for communicating with peer. + p = udp (default), tcp-server, or tcp-client +--proto-force p : only consider protocol p in list of connection profiles. +--connect-retry n : For --proto tcp-client, number of seconds to wait + between connection retries (default=5). +--connect-timeout n : For --proto tcp-client, connection timeout (in seconds). +--connect-retry-max n : Maximum connection attempt retries, default infinite. +--auto-proxy : Try to sense proxy settings (or lack thereof) automatically. +--show-proxy-settings : Show sensed proxy settings. +--http-proxy s p [up] [auth] : Connect to remote host + through an HTTP proxy at address s and port p. + If proxy authentication is required, + up is a file containing username/password on 2 lines, or + 'stdin' to prompt from console. Add auth='ntlm' if + the proxy requires NTLM authentication. 
+--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically + determine auth method and query for username/password + if needed. auto-nct disables weak proxy auth methods. +--http-proxy-retry : Retry indefinitely on HTTP proxy errors. +--http-proxy-timeout n : Proxy timeout in seconds, default=5. +--http-proxy-option type [parm] : Set extended HTTP proxy options. + Repeat to set multiple options. + VERSION version (default=1.0) + AGENT user-agent +--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at + address s and port p (default port = 1080). + If proxy authentication is required, + up is a file containing username/password on 2 lines, or + 'stdin' to prompt for console. +--socks-proxy-retry : Retry indefinitely on Socks proxy errors. +--resolv-retry n: If hostname resolve fails for --remote, retry + resolve for n seconds before failing (disabled by default). + Set n="infinite" to retry indefinitely. +--float : Allow remote to change its IP address/port, such as through + DHCP (this is the default if --remote is not used). +--ipchange cmd : Execute shell command cmd on remote ip address initial + setting or change -- execute as: cmd ip-address port# +--port port : TCP/UDP port # for both local and remote. +--lport port : TCP/UDP port # for local (default=1194). Implies --bind. +--rport port : TCP/UDP port # for remote (default=1194). +--bind : Bind to local address and port. (This is the default unless + --proto tcp-client or --http-proxy or --socks-proxy is used). +--nobind : Do not bind to local address and port. +--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device. +--dev-type dt : Which device type are we using? (dt = tun or tap) Use + this option only if the tun/tap device used with --dev + does not begin with "tun" or "tap". +--dev-node node : Explicitly set the device node rather than using + /dev/net/tun, /dev/tun, /dev/tap, etc. +--lladdr hw : Set the link layer address of the tap device. 
+--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'. +--tun-ipv6 : Build tun link capable of forwarding IPv6 traffic. +--iproute cmd : Use this command instead of default /sbin/ip. +--ifconfig l rn : TUN: configure device to use IP address l as a local + endpoint and rn as a remote endpoint. l & rn should be + swapped on the other peer. l & rn must be private + addresses outside of the subnets used by either peer. + TAP: configure device to use IP address l as a local + endpoint and rn as a subnet mask. +--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead + pass --ifconfig parms by environment to scripts. +--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the + connection doesn't match the remote side. +--route network [netmask] [gateway] [metric] : + Add route to routing table after connection + is established. Multiple routes can be specified. + netmask default: 255.255.255.255 + gateway default: taken from --route-gateway or --ifconfig + Specify default by leaving blank or setting to "nil". +--max-routes n : Specify the maximum number of routes that may be defined + or pulled from a server. +--route-gateway gw|'dhcp' : Specify a default gateway for use with --route. +--route-metric m : Specify a default metric for use with --route. +--route-delay n [w] : Delay n seconds after connection initiation before + adding routes (may be 0). If not specified, routes will + be added immediately after tun/tap open. On Windows, wait + up to w seconds for TUN/TAP adapter to come up. +--route-up cmd : Execute shell cmd after routes are added. +--route-noexec : Don't add routes automatically. Instead pass routes to + --route-up script using environmental variables. +--route-nopull : When used with --client or --pull, accept options pushed + by server EXCEPT for routes. +--allow-pull-fqdn : Allow client to pull DNS names from server for + --ifconfig, --route, and --route-gateway. 
+--redirect-gateway [flags]: Automatically execute routing + commands to redirect all outgoing IP traffic through the + VPN. Add 'local' flag if both OpenVPN servers are directly + connected via a common subnet, such as with WiFi. + Add 'def1' flag to set default route using using 0.0.0.0/1 + and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp' + flag to add a direct route to DHCP server, bypassing tunnel. + Add 'bypass-dns' flag to similarly bypass tunnel for DNS. +--redirect-private [flags]: Like --redirect-gateway, but omit actually changing + the default gateway. Useful when pushing private subnets. +--push-peer-info : (client only) push client info to server. +--setenv name value : Set a custom environmental variable to pass to script. +--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow + directives for future OpenVPN versions to be ignored. +--script-security level mode : mode='execve' (default) or 'system', level= + 0 -- strictly no calling of external programs + 1 -- (default) only call built-ins such as ifconfig + 2 -- allow calling of built-ins and scripts + 3 -- allow password to be passed to scripts via env +--shaper n : Restrict output to peer to n bytes per second. +--keepalive n m : Helper option for setting timeouts in server mode. Send + ping once every n seconds, restart if ping not received + for m seconds. +--inactive n [bytes] : Exit after n seconds of activity on tun/tap device + produces a combined in/out byte count < bytes. +--ping-exit n : Exit if n seconds pass without reception of remote ping. +--ping-restart n: Restart if n seconds pass without reception of remote ping. +--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a + remote address. +--ping n : Ping remote once every n seconds over TCP/UDP port. +--multihome : Configure a multi-homed UDP server. +--fast-io : (experimental) Optimize TUN/TAP/UDP writes. +--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM'). 
+--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart. +--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart. +--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart. +--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart. +--passtos : TOS passthrough (applies to IPv4 only). +--tun-mtu n : Take the tun/tap device MTU to be n and derive the + TCP/UDP MTU from it (default=1500). +--tun-mtu-extra n : Assume that tun/tap device might return as many + as n bytes more than the tun-mtu size on read + (default TUN=0 TAP=32). +--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU + from it. +--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel? + 'no' -- Never send DF (Don't Fragment) frames + 'maybe' -- Use per-route hints + 'yes' -- Always DF (Don't Fragment) +--mtu-test : Empirically measure and report MTU. +--fragment max : Enable internal datagram fragmentation so that no UDP + datagrams are sent which are larger than max bytes. + Adds 4 bytes of overhead per datagram. +--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size + or --fragment max value, whichever is lower. +--sndbuf size : Set the TCP/UDP send buffer size. +--rcvbuf size : Set the TCP/UDP receive buffer size. +--txqueuelen n : Set the tun/tap TX queue length to n (Linux only). +--mlock : Disable Paging -- ensures key material and tunnel + data will never be written to disk. +--up cmd : Shell cmd to execute after successful tun device open. + Execute as: cmd tun/tap-dev tun-mtu link-mtu \ + ifconfig-local-ip ifconfig-remote-ip + (pre --user or --group UID/GID change) +--up-delay : Delay tun/tap open and possible --up script execution + until after TCP/UDP connection establishment with peer. +--down cmd : Shell cmd to run after tun device close. 
+ (post --user/--group UID/GID change and/or --chroot) + (script parameters are same as --up option) +--down-pre : Call --down cmd/script before TUN/TAP close. +--up-restart : Run up/down scripts for all restarts including those + caused by --ping-restart or SIGUSR1 +--user user : Set UID to user after initialization. +--group group : Set GID to group after initialization. +--chroot dir : Chroot to this directory after initialization. +--cd dir : Change to this directory before initialization. +--daemon [name] : Become a daemon after initialization. + The optional 'name' parameter will be passed + as the program name to the system logger. +--syslog [name] : Output to syslog, but do not become a daemon. + See --daemon above for a description of the 'name' parm. +--inetd [name] ['wait'|'nowait'] : Run as an inetd or xinetd server. + See --daemon above for a description of the 'name' parm. +--log file : Output log to file which is created/truncated on open. +--log-append file : Append log to file, or create file if nonexistent. +--suppress-timestamps : Don't log timestamps to stdout/stderr. +--writepid file : Write main process ID to file. +--nice n : Change process priority (>0 = lower, <0 = higher). +--echo [parms ...] : Echo parameters to log output. +--verb n : Set output verbosity to n (default=1): + (Level 3 is recommended if you want a good summary + of what's happening without being swamped by output). + : 0 -- no output except fatal errors + : 1 -- startup info + connection initiated messages + + non-fatal encryption & net errors + : 2,3 -- show TLS negotiations & route info + : 4 -- show parameters + : 5 -- show 'RrWw' chars on console for each packet sent + and received from TCP/UDP (caps) or tun/tap (lc) + : 6 to 11 -- debug messages of increasing verbosity +--mute n : Log at most n consecutive messages in the same category. +--status file n : Write operational status to file every n seconds. 
+--status-version [n] : Choose the status file format version number. + Currently, n can be 1, 2, or 3 (default=1). +--disable-occ : Disable options consistency check between peers. +--gremlin mask : Special stress testing mode (for debugging only). +--comp-lzo : Use fast LZO compression -- may add up to 1 byte per + packet for uncompressible data. +--comp-noadapt : Don't use adaptive compression when --comp-lzo + is specified. +--management ip port [pass] : Enable a TCP server on ip:port to handle + management functions. pass is a password file + or 'stdin' to prompt from console. + To listen on a unix domain socket, specific the pathname + in place of ip and use 'unix' as the port number. +--management-client : Management interface will connect as a TCP client to + ip/port rather than listen as a TCP server. +--management-query-passwords : Query management channel for private key + and auth-user-pass passwords. +--management-hold : Start OpenVPN in a hibernating state, until a client + of the management interface explicitly starts it. +--management-signal : Issue SIGUSR1 when management disconnect event occurs. +--management-forget-disconnect : Forget passwords when management disconnect + event occurs. +--management-log-cache n : Cache n lines of log file history for usage + by the management channel. +--management-client-user u : When management interface is a unix socket, only + allow connections from user u. +--management-client-group g : When management interface is a unix socket, only + allow connections from group g. +--management-client-auth : gives management interface client the responsibility + to authenticate clients after their client certificate + has been verified. +--management-client-pf : management interface clients must specify a packet + filter file for each connecting client. +--plugin m [str]: Load plug-in module m passing str as an argument + to its initialization function. 
+ +Multi-Client Server options (when --mode server is used): +--server network netmask : Helper option to easily configure server mode. +--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to + easily configure ethernet bridging server mode. +--push "option" : Push a config file option back to the peer for remote + execution. Peer must specify --pull in its config file. +--push-reset : Don't inherit global push list for specific + client instance. +--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets + to be dynamically allocated to connecting clients. +--ifconfig-pool-linear : Use individual addresses rather than /30 subnets + in tun mode. Not compatible with Windows clients. +--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool + data to file, at seconds intervals (default=600). + If seconds=0, file will be treated as read-only. +--ifconfig-push local remote-netmask : Push an ifconfig option to remote, + overrides --ifconfig-pool dynamic allocation. + Only valid in a client-specific config file. +--iroute network [netmask] : Route subnet to client. +Sets up internal routes only. +Only valid in a client-specific config file. +--disable : Client is disabled. +Only valid in a client-specific config file. +--client-cert-not-required : Don't require client certificate, client +will authenticate using username/password. +--username-as-common-name : For auth-user-pass authentication, use +the authenticated username as the common name, +rather than the common name from the client cert. +--auth-user-pass-verify cmd method: Query client for username/password and +run script cmd to verify. If method='via-env', pass +user/pass via environment, if method='via-file', pass +user/pass via temporary file. +--opt-verify : Clients that connect with options that are incompatible +with those of the server will be disconnected. +--auth-user-pass-optional : Allow connections by clients that don't +specify a username/password. 
+--no-name-remapping : Allow Common Name and X509 Subject to include + any printable character. +--client-to-client : Internally route client-to-client traffic. +--duplicate-cn : Allow multiple clients with the same common name to +concurrently connect. +--client-connect cmd : Run script cmd on client connection. +--client-disconnect cmd : Run script cmd on client disconnection. +--client-config-dir dir : Directory for custom client config files. +--ccd-exclusive : Refuse connection unless custom client config is found. +--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication. +--hash-size r v : Set the size of the real address hash table to r and the +virtual address table to v. +--bcast-buffers n : Allocate n broadcast buffers. +--tcp-queue-limit n : Maximum number of queued TCP output packets. +--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server +as well as pushes it to connecting clients. +--learn-address cmd : Run script cmd to validate client virtual addresses. +--connect-freq n s : Allow a maximum of n new connections per s seconds. +--max-clients n : Allow a maximum of n simultaneously connected clients. +--max-routes-per-client n : Allow a maximum of n internal routes per client. +--port-share host port : When run in TCP mode, proxy incoming HTTPS sessions +to a web server at host:port. + +Client options (when connecting to a multi-client server): +--client : Helper option to easily configure client mode. +--auth-user-pass [up] : Authenticate with server using username/password. +up is a file containing username/password on 2 lines, +or omit to prompt from console. +--pull : Accept certain config file options from the peer as if they +were part of the local config file. Must be specified +when connecting to a '--mode server' remote host. +--auth-retry t : How to handle auth failures. Set t to +none (default), interact, or nointeract. 
+--server-poll-timeout n : when polling possible remote servers to connect to +in a round-robin fashion, spend no more than n seconds +waiting for a response before trying the next server. +--explicit-exit-notify [n] : On exit/restart, send exit signal to +server/remote. n = # of retries, default=1. + +Data Channel Encryption Options (must be compatible between peers): +(These options are meaningful for both Static Key & TLS-mode) +--secret f [d] : Enable Static Key encryption mode (non-TLS). +Use shared secret file f, generate with --genkey. +The optional d parameter controls key directionality. +If d is specified, use separate keys for each +direction, set d=0 on one side of the connection, +and d=1 on the other side. +--auth alg : Authenticate packets with HMAC using message +digest algorithm alg (default=SHA1). +(usually adds 16 or 20 bytes per packet) +Set alg=none to disable authentication. +--cipher alg : Encrypt packets with cipher algorithm alg +(default=BF-CBC). +Set alg=none to disable encryption. +--prng alg [nsl] : For PRNG, use digest algorithm alg, and + nonce_secret_len=nsl. Set alg=none to disable PRNG. +--keysize n : Size of cipher key in bits (optional). +If unspecified, defaults to cipher-specific default. +--engine [name] : Enable OpenSSL hardware crypto engine functionality. +--no-replay : Disable replay protection. +--mute-replay-warnings : Silence the output of replay warnings to log file. +--replay-window n [t] : Use a replay protection sliding window of size n + and a time window of t seconds. + Default n=64 t=15 +--no-iv : Disable cipher IV -- only allowed with CBC mode ciphers. +--replay-persist file : Persist replay-protection state across sessions +using file. +--test-crypto : Run a self-test of crypto features enabled. +For debugging only. + +TLS Key Negotiation Options: +(These options are meaningful only for TLS-mode) +--tls-server : Enable TLS and assume server role during TLS handshake. 
+--tls-client : Enable TLS and assume client role during TLS handshake. +--key-method m : Data channel key exchange method. m should be a method +number, such as 1 (default), 2, etc. +--ca file : Certificate authority file in .pem format containing +root certificate. +--capath dir : A directory of trusted certificates (CAs and CRLs). +--dh file : File containing Diffie Hellman parameters +in .pem format (for --tls-server only). +Use "openssl dhparam -out dh1024.pem 1024" to generate. +--cert file : Local certificate in .pem format -- must be signed +by a Certificate Authority in --ca file. +--key file : Local private key in .pem format. +--pkcs12 file : PKCS#12 file containing local private key, local certificate +and optionally the root CA certificate. +--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional). +: Use --show-tls to see a list of supported TLS ciphers. +--tls-timeout n : Packet retransmit timeout on TLS control channel +if no ACK from remote within n seconds (default=2). +--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd. +--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd. +--reneg-sec n : Renegotiate data chan. key after n seconds (default=3600). +--hand-window n : Data channel key exchange must finalize within n seconds +of handshake initiation by any peer (default=60). +--tran-window n : Transition window -- old key can live this many seconds +after new key renegotiation begins (default=3600). +--single-session: Allow only one session (reset state on restart). +--tls-exit : Exit on TLS negotiation failure. +--tls-auth f [d]: Add an additional layer of authentication on top of the TLS +control channel to protect against DoS attacks. +f (required) is a shared-secret passphrase file. +The optional d parameter controls key directionality, +see --secret option for more info. +--askpass [file]: Get PEM password from controlling tty before we daemonize. 
+--auth-nocache : Don't cache --askpass or --auth-user-pass passwords. +--crl-verify crl: Check peer certificate against a CRL. +--tls-verify cmd: Execute shell command cmd to verify the X509 name of a +pending TLS connection that has otherwise passed all other +tests of certification. cmd should return 0 to allow +TLS handshake to proceed, or 1 to fail. (cmd is +executed as 'cmd certificate_depth X509_NAME_oneline') +--tls-export-cert [directory] : Get peer cert in PEM format and store it +in an openvpn temporary file in [directory]. Peer cert is +stored before tls-verify script execution and deleted after. +--tls-remote x509name: Accept connections only from a host with X509 name +x509name. The remote host must also pass all other tests +of verification. +--ns-cert-type t: Require that peer certificate was signed with an explicit +nsCertType designation t = 'client' | 'server'. +--remote-cert-ku v ... : Require that the peer certificate was signed with +explicit key usage, you can specify more than one value. +value should be given in hex format. +--remote-cert-eku oid : Require that the peer certificate was signed with +explicit extended key usage. Extended key usage can be encoded +as an object identifier or OpenSSL string representation. +--remote-cert-tls t: Require that peer certificate was signed with explicit +key usage and extended key usage based on RFC3280 TLS rules. +t = 'client' | 'server'. + +PKCS#11 Options: +--pkcs11-providers provider ... : PKCS#11 provider to load. +--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication + path. Set for each provider. +--pkcs11-private-mode hex ... : PKCS#11 private key mode mask. + 0 : Try to determind automatically (default). + 1 : Use Sign. + 2 : Use SignRecover. + 4 : Use Decrypt. + 8 : Use Unwrap. +--pkcs11-cert-private [0|1] ... : Set if login should be performed before + certificate can be accessed. Set for each provider. 
+--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1 + cache until token is removed. +--pkcs11-id-management : Acquire identity from management interface. +--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids + +SSL Library information: +--show-ciphers : Show cipher algorithms to use with --cipher option. +--show-digests : Show message digest algorithms to use with --auth option. +--show-engines : Show hardware crypto accelerator engines (if available). +--show-tls : Show all TLS ciphers (TLS used only as a control channel). + +Generate a random key (only for non-TLS static key encryption mode): +--genkey : Generate a random key to be used as a shared secret, +for use with the --secret option. +--secret file : Write key to file. + +Tun/tap config mode (available with linux 2.4+): +--mktun : Create a persistent tunnel. +--rmtun : Remove a persistent tunnel. +--dev tunX|tapX : tun/tap device +--dev-type dt : Device type. See tunnel options above for details. +--user user : User to set privilege to. +--group group : Group to set privilege to. + +PKCS#11 standalone options: +--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids. + --verb option can be added *BEFORE* this. diff --git a/OpenVPNUI.pro b/OpenVPNUI.pro index b0f1141..90c7f7f 100644 --- a/OpenVPNUI.pro +++ b/OpenVPNUI.pro @@ -19,7 +19,9 @@ OTHER_FILES += qml/OpenVPNUI.qml \ rpm/OpenVPNUI.yaml \ OpenVPNUI.desktop \ qml/pages/ConnectPage.qml \ - qml/pages/ConfigurePage.qml + qml/pages/ConfigurePage.qml \ + OpenVPN-help.txt \ + client.ovpn HEADERS += \ src/vpncontrol.h diff --git a/OpenVPNUI.pro.user b/OpenVPNUI.pro.user index 4b46986..b84568c 100644 --- a/OpenVPNUI.pro.user +++ b/OpenVPNUI.pro.user @@ -1,6 +1,6 @@ - + ProjectExplorer.Project.ActiveTarget diff --git a/client.ovpn b/client.ovpn new file mode 100644 index 0000000..4151e71 --- /dev/null +++ b/client.ovpn 
@@ -0,0 +1,125 @@ +############################################## +# Sample client-side OpenVPN 2.0 config file # +# for connecting to multi-client server. # +# # +# This configuration can be used by multiple # +# clients, however each client should have # +# its own cert and key files. # +# # +# On Windows, you might want to rename this # +# file so it has a .ovpn extension # +############################################## + +# Specify that we are a client and that we +# will be pulling certain config file directives +# from the server. +client + +# Use the same setting as you are using on +# the server. +# On most systems, the VPN will not function +# unless you partially or fully disable +# the firewall for the TUN/TAP interface. +;dev tap +dev tun + +# Windows needs the TAP-Win32 adapter name +# from the Network Connections panel +# if you have more than one. On XP SP2, +# you may need to disable the firewall +# for the TAP adapter. +;dev-node MyTap + +# Are we connecting to a TCP or +# UDP server? Use the same setting as +# on the server. +;proto tcp +proto udp + +# The hostname/IP and port of the server. +# You can have multiple remote entries +# to load balance between the servers. +;remote 80.175.155.5 1194 +remote www.flypig.org.uk 1194 +;remote my-server-2 1194 + +# Choose a random host from the remote +# list for load-balancing. Otherwise +# try hosts in the order specified. +;remote-random + +# Keep trying indefinitely to resolve the +# host name of the OpenVPN server. Very useful +# on machines which are not permanently connected +# to the internet such as laptops. +resolv-retry infinite + +# Most clients don't need to bind to +# a specific local port number. +nobind + +# Downgrade privileges after initialization (non-Windows only) +;user nobody +;group nobody + +# Try to preserve some state across restarts. 
+persist-key +persist-tun + +# If you are connecting through an +# HTTP proxy to reach the actual OpenVPN +# server, put the proxy server/IP and +# port number here. See the man page +# if your proxy server requires +# authentication. +;http-proxy-retry # retry on connection failures +;http-proxy [proxy server] [proxy port #] + +# Wireless networks often produce a lot +# of duplicate packets. Set this flag +# to silence duplicate packet warnings. +;mute-replay-warnings + +# SSL/TLS parms. +# See the server config file for more +# description. It's best to use +# a separate .crt/.key file pair +# for each client. A single ca +# file can be used for all clients. +ca "/home/flypig/Documents/Configure/OpenVPN/ca.crt" +cert "/home/flypig/Documents/Configure/OpenVPN/Montefalco.crt" +key "/home/flypig/Documents/Configure/OpenVPN/Montefalco.key" + +# Verify server certificate by checking +# that the certicate has the nsCertType +# field set to "server". This is an +# important precaution to protect against +# a potential attack discussed here: +# http://openvpn.net/howto.html#mitm +# +# To use this feature, you will need to generate +# your server certificates with the nsCertType +# field set to "server". The build-key-server +# script in the easy-rsa folder will do this. +ns-cert-type server + +# If a tls-auth key is used on the server +# then every client must also have the key. +;tls-auth ta.key 1 +tls-auth "/home/flypig/Documents/Configure/OpenVPN/ta.key" 1 + +# Select a cryptographic cipher. +# If the cipher option is used on the server +# then you must also specify it here. +;cipher x + +# Enable compression on the VPN link. +# Don't enable this unless it is also +# enabled in the server config file. +comp-lzo + +# Set log file verbosity. +verb 3 + +# Silence repeating messages +;mute 20 diff --git a/qml/pages/ConfigurePage.qml b/qml/pages/ConfigurePage.qml index 0db890a..ecb75da 100644 --- a/qml/pages/ConfigurePage.qml +++ b/qml/pages/ConfigurePage.qml 
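Review bot: The sample profile committed here is `client.ovpn`, while the launcher added in this same commit passes `--config /home/nemo/Documents/Configure/OpenVPN/config.ovpn`, so the file the app actually reads is not the one in the repository; either rename the sample or point the code at it. The `ca`, `cert`, `key` and `tls-auth` lines hard-code paths under `/home/flypig/Documents/Configure/OpenVPN/`, which will not exist on a device, so anyone copying this profile gets a file-not-found failure rather than a working connection; paths relative to the profile directory would be safer to ship. The server-identity check in this profile is `ns-cert-type server`; the help text added in this commit also lists `--remote-cert-tls`, the key-usage based equivalent, which is worth preferring where the server certificates carry the right extensions.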
@@ -34,7 +34,7 @@ import QtQuick 2.0 import Sailfish.Silica 1.0 - +import QtQuick.Dialogs 1.0 Dialog { id: configurePage @@ -116,6 +116,13 @@ Dialog { } } + Button { + id: connect + text: "Select key" + enabled: true + onClicked: VpnControl.vpnConnect() + } + Label { text: "Place key files on SD card:" color: Theme.secondaryColor diff --git a/src/vpncontrol.cpp b/src/vpncontrol.cpp index a519dce..1935194 100644 --- a/src/vpncontrol.cpp +++ b/src/vpncontrol.cpp @@ -86,7 +86,6 @@ void VPNControl::setServer(const QString &value) emit serverChanged(server); } - void VPNControl::vpnConnect() { if (vpnProcess != NULL) { printf ("Process already running.\n"); @@ -95,11 +94,8 @@ void VPNControl::vpnConnect() { printf ("Connect\n"); vpnProcess = new QProcess(); - //QString program = "/home/nemo/Documents/Development/Projects/Stooge/stooge"; QString program = "openvpn"; - QStringList arguments; - arguments << "/home/nemo/Documents/Configure/OpenVPN/client.ovpn"; - + collectArguments (); vpnProcess->setReadChannel(QProcess::StandardOutput); connect(vpnProcess, SIGNAL(error(QProcess::ProcessError)), this, SLOT(readError(QProcess::ProcessError))); connect(vpnProcess, SIGNAL(readyRead()), this, SLOT(readData())); 
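Review bot: The new `Button` in the second hunk is labelled `"Select key"` but its handler is `onClicked: VpnControl.vpnConnect()`, so pressing it starts the VPN rather than opening a picker; if this is a placeholder until a file dialog is wired up, mark it, e.g. `onClicked: VpnControl.vpnConnect() // TODO: open key-file picker`, or give it a label that matches what it does. Its `id: connect` likewise reads as a connect action and will confuse once a real selection button exists. The first hunk adds `import QtQuick.Dialogs 1.0`, which nothing in the visible lines uses; if that module is absent on the target the whole page fails to load, so the import is better left out until a dialog needs it. The enclosing `Dialog` starts and ends outside both hunks.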
@@ -109,9 +105,53 @@ void VPNControl::vpnConnect() {
 vpnProcess->start(program, arguments);
 vpnProcess->closeWriteChannel();
 setStatus(VPNSTATUS_INITIALISING);
+ arguments.clear();
+ }
+}
+
+void VPNControl::collectArguments () {
+ arguments.clear();
+
+ addArgument("config", "/home/nemo/Documents/Configure/OpenVPN/config.ovpn");
+ addArgument("remote", server);
+ addArgument("port", QString::number(port));
+ addOption("comp-lzo", compressed);
+ if (useTLS) {
+ addArgument("tls-auth", "/home/nemo/Documents/Configure/OpenVPN/ta.key");
+ addValue(QString::number(tlsDirection));
+ }
+ addArgument("ca", "/home/nemo/Documents/Configure/OpenVPN/ca.crt");
+ addArgument("cert", "/home/nemo/Documents/Configure/OpenVPN/Jolla.crt");
+ addArgument("key", "/home/nemo/Documents/Configure/OpenVPN/Jolla.key");
+}
+
+void VPNControl::addArgument (QString key, QString value) {
+ QString argument;
+
+ argument = "--" + key;
+ arguments.append(argument);
+ if (value != "") {
+ arguments.append(value);
 }
 }
 
+void VPNControl::addArgument (QString key) {
+ QString argument;
+
+ argument = "--" + key;
+ arguments.append(argument);
+}
+
+void VPNControl::addOption (QString key, bool add) {
+ if (add) {
+ addArgument (key);
+ }
+}
+
+void VPNControl::addValue (QString key) {
+ arguments.append(key);
+}
+
 void VPNControl::vpnDisconnect() {
 if (vpnProcess != NULL) {
 printf ("Disconnect\n");
diff --git a/src/vpncontrol.h b/src/vpncontrol.h
index e994b83..909f3b2 100644
--- a/src/vpncontrol.h
+++ b/src/vpncontrol.h
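Review bot: `addArgument("remote", server)` in `collectArguments` emits a bare `--remote` when `server` is empty, because `addArgument` only appends the value when `value != ""`; OpenVPN then fails on a missing parameter instead of the UI catching it, so check the required fields before the process is launched, e.g. `if (server.isEmpty()) { printf ("No server configured.\n"); return; }` at the top of `vpnConnect` (whose start lies outside the hunk). The `--config` file and the `ta.key`, `ca.crt`, `Jolla.crt` and `Jolla.key` paths are hard-coded under `/home/nemo/Documents/Configure/OpenVPN/`, while the configuration page in this commit tells the user to place key files on the SD card; one member holding the directory, or paths taken from the dialog, would keep the two in step. Since `--remote` may be given more than once (the help text describes `--remote-random` choosing among several), a `remote` line in `config.ovpn` would be added to, not replaced by, the one passed here, so the config file should not carry its own. The `arguments.clear()` added after `vpnProcess->start` is redundant given the clear at the top of `collectArguments`.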
@@ -29,12 +29,18 @@ class VPNControl : public QObject private: QProcess * vpnProcess; VPNSTATUS vpnStatus; - void setStatus (VPNSTATUS newStatus); + QStringList arguments; QString server; unsigned int port; bool compressed; bool useTLS; int tlsDirection; + void collectArguments (); + void setStatus (VPNSTATUS newStatus); + void addArgument (QString key, QString value); + void addArgument (QString key); + void addOption (QString key, bool add); + void addValue (QString key); public: explicit VPNControl(QObject *parent = 0);
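Review bot: The new helper declarations take `QString key` and `QString value` by value; for read-only string parameters Qt code conventionally uses `const QString &`, e.g. `void addArgument (const QString &key, const QString &value);` and `void addArgument (const QString &key);`, with the definitions in src/vpncontrol.cpp changed to match. `addValue`'s parameter is appended verbatim as a value, so naming it `value` rather than `key` would describe it. The `VPNControl` class declaration starts and ends outside the hunk.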