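#!/bin/sh
#
# openvpn wrapper script to execute openvpn binary with the supplied
# command options but potentially apply certain modifications beforehand.
#
# Usage: openvpn [openvpn options ...] --config <file> [openvpn options ...]
#
# The <file> given to --config is copied to CLIENT_CONF, the copy is adjusted
# in place (see below) and the argument list is rewritten to point at that
# copy before the real openvpn binary is exec'd with the rewritten arguments.
#
OPENVPN=/usr/sbin/openvpn
CLIENT_CONF=/var/etc/cloudmatic_openvpn_client.conf
CLIENT_CRT=/etc/config/addons/mh/client.crt
CLIENT_KEY=/etc/config/addons/mh/client.key

# print a diagnostic to stderr and abort; openvpn must never be started with
# a half-prepared client conf.
die() {
  printf 'openvpn wrapper: %s\n' "$*" >&2
  exit 1
}

# Locate the file supplied via "--config <file>" and rewrite the argument
# list so that this argument points to CLIENT_CONF instead. The positional
# parameters are rebuilt one at a time with "set --", which keeps every
# argument intact as a single word (the former "$*" + sed approach re-split
# the arguments on whitespace and interpolated the path into a sed pattern,
# where a '|' or other metacharacter in the path changed its meaning).
# If --config occurs more than once, the last occurrence wins.
CONF=
prev=
i=0
n=$#
while [ "$i" -lt "$n" ]; do
  arg=$1
  shift
  if [ "$prev" = "--config" ]; then
    CONF=$arg
    set -- "$@" "$CLIENT_CONF"
  else
    set -- "$@" "$arg"
  fi
  prev=$arg
  i=$((i + 1))
done
[ -n "$CONF" ] || die "no --config <file> option found in arguments"

# copy the supplied client conf to CLIENT_CONF under /var; all modifications
# below are applied to this copy, the supplied file stays untouched.
cp -- "$CONF" "$CLIENT_CONF" || die "cannot copy $CONF to $CLIENT_CONF"

# To temporary workaround the still existing security flaw in the CloudMatic
# infrastructure that SHA1 hashed certificates are still used we make sure the
# supplied openvpn client conf will contain the 'tls-cipher "DEFAULT:@SECLEVEL=0"'
# option for the time being. (cf. https://github.com/jens-maus/RaspberryMatic/issues/2442)
# NOTE: SECLEVEL=0 lowers the TLS security level of the whole connection. The
# option is only appended when the client certificate really is SHA1-signed,
# and since CLIENT_CONF is recreated from the supplied file on every run it
# disappears on its own once the certificate has been reissued.
if openssl x509 -in "$CLIENT_CRT" -noout -text | grep -qm1 "sha1WithRSAEncryption"; then
  # adding SECLEVEL=0 is only supported since openssl 1.1.0, thus check if the
  # system uses openssl >= 1.1.0 or skip accordingly (awk exits 1, i.e. the
  # condition is false, for 0.x and 1.0.x versions).
  if openssl version | awk '$2 ~ /(^0\.)|(^1\.(0\.|0\.0))/ { exit 1 }'; then
    # -qF: fixed-string match, and no copy of the matched line on stdout
    if ! grep -qF 'tls-cipher "DEFAULT:@SECLEVEL=0"' "$CLIENT_CONF"; then
      printf '%s\n' 'tls-cipher "DEFAULT:@SECLEVEL=0"' >>"$CLIENT_CONF" \
        || die "cannot append tls-cipher option to $CLIENT_CONF"
    fi
  fi
fi

# make sure that the obsolete ns-cert-type option is replaced by remote-cert-tls
sed -i 's/ns-cert-type/remote-cert-tls/g' "$CLIENT_CONF" \
  || die "cannot rewrite ns-cert-type in $CLIENT_CONF"

# disable comp-lzo as compression is discouraged for security reasons
# (cf. https://community.openvpn.net/openvpn/wiki/DeprecatedOptions)
#sed -i 's/comp-lzo/#comp-lzo/g' "$CLIENT_CONF"

# make sure client.key has the right (safe) permissions before using it
chmod 600 "$CLIENT_KEY" || die "cannot restrict permissions of $CLIENT_KEY"

# start openvpn, replacing this wrapper process so that signals sent to the
# wrapper's PID reach openvpn directly and its exit status is passed through.
exec "$OPENVPN" "$@"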