From a6b4b0b8a4ceb1d00e74a5cdbba7f0903082c1bb Mon Sep 17 00:00:00 2001
From: Ycarus <ycarus@zugaina.org>
Date: Thu, 2 Jul 2020 18:12:31 +0200
Subject: [PATCH] OpenVPN cipher can be changed

---
 omr-admin.py | 34 +++++++++++++++++++++++-----------
 1 file changed, 23 insertions(+), 11 deletions(-)

diff --git a/omr-admin.py b/omr-admin.py
index 3121667..fb74eec 100755
--- a/omr-admin.py
+++ b/omr-admin.py
@@ -1020,11 +1020,14 @@ async def config(userid: Optional[int] = Query(None),current_user: User = Depend
     else:
         openvpn_client_ca = ''
     openvpn_port = '65301'
+    openvpn_cipher = 'AES-256-CBC'
     if os.path.isfile('/etc/openvpn/openvpn-tun0.conf'):
         with open('/etc/openvpn/openvpn-tun0.conf', "r") as openvpn_file:
             for line in openvpn_file:
                 if 'port ' in line:
                     openvpn_port = line.replace(line[:5], '').rstrip()
+                if 'cipher ' in line:
+                    openvpn_cipher = line.replace(line[:7], '').rstrip()
     openvpn_host_ip = '10.255.252.1'
     #openvpn_client_ip = '10.255.252.2'
     openvpn_client_ip = 'dhcp'
@@ -1183,7 +1186,7 @@ async def config(userid: Optional[int] = Query(None),current_user: User = Depend
             if '#DNAT		net		vpn:$OMR_ADDR	tcp	1-64999' in line:
                 shorewall_redirect = "disable"
     LOG.debug('Get config: done')
-    return {'vps': {'kernel': vps_kernel, 'machine': vps_machine, 'omr_version': vps_omr_version, 'loadavg': vps_loadavg, 'uptime': vps_uptime, 'aes': vps_aes}, 'shadowsocks': {'traffic': ss_traffic, 'key': shadowsocks_key, 'port': shadowsocks_port, 'method': shadowsocks_method, 'fast_open': shadowsocks_fast_open, 'reuse_port': shadowsocks_reuse_port, 'no_delay': shadowsocks_no_delay, 'mptcp': shadowsocks_mptcp, 'ebpf': shadowsocks_ebpf, 'obfs': shadowsocks_obfs, 'obfs_plugin': shadowsocks_obfs_plugin, 'obfs_type': shadowsocks_obfs_type}, 'glorytun': {'key': glorytun_key, 'udp': {'host_ip': glorytun_udp_host_ip, 'client_ip': glorytun_udp_client_ip}, 'tcp': {'host_ip': glorytun_tcp_host_ip, 'client_ip': glorytun_tcp_client_ip}, 'port': glorytun_port, 'chacha': glorytun_chacha}, 'dsvpn': {'key': dsvpn_key, 'host_ip': dsvpn_host_ip, 'client_ip': dsvpn_client_ip, 'port': dsvpn_port}, 'openvpn': {'key': openvpn_key, 'client_key': openvpn_client_key, 'client_crt': openvpn_client_crt, 'client_ca': openvpn_client_ca, 'host_ip': openvpn_host_ip, 'client_ip': openvpn_client_ip, 'port': openvpn_port}, 'mlvpn': {'key': mlvpn_key, 'host_ip': mlvpn_host_ip, 'client_ip': mlvpn_client_ip}, 'shorewall': {'redirect_ports': shorewall_redirect}, 'mptcp': {'enabled': mptcp_enabled, 'checksum': mptcp_checksum, 'path_manager': mptcp_path_manager, 'scheduler': mptcp_scheduler, 'syn_retries': mptcp_syn_retries}, 'network': {'congestion_control': congestion_control, 'ipv6_network': ipv6_network, 'ipv6': ipv6_addr, 'ipv4': ipv4_addr, 'domain': vps_domain, 'internet': internet}, 'vpn': {'available': available_vpn, 'current': vpn, 'remoteip': vpn_remote_ip, 'localip': vpn_local_ip, 'rx': vpn_traffic_rx, 'tx': vpn_traffic_tx}, 'iperf': {'user': 'openmptcprouter', 'password': 'openmptcprouter', 'key': iperf3_key}, 'pihole': {'state': pihole}, 'user': {'name': username, 'permission': user_permissions}, 'ip6in4': {'localip': localip6, 'remoteip': remoteip6, 'ula': ula}, 'client2client': {'enabled': client2client, 'lanips': alllanips}, 'gre_tunnel': {'enabled': gre_tunnel, 'config': gre_tunnel_conf}}
+    return {'vps': {'kernel': vps_kernel, 'machine': vps_machine, 'omr_version': vps_omr_version, 'loadavg': vps_loadavg, 'uptime': vps_uptime, 'aes': vps_aes}, 'shadowsocks': {'traffic': ss_traffic, 'key': shadowsocks_key, 'port': shadowsocks_port, 'method': shadowsocks_method, 'fast_open': shadowsocks_fast_open, 'reuse_port': shadowsocks_reuse_port, 'no_delay': shadowsocks_no_delay, 'mptcp': shadowsocks_mptcp, 'ebpf': shadowsocks_ebpf, 'obfs': shadowsocks_obfs, 'obfs_plugin': shadowsocks_obfs_plugin, 'obfs_type': shadowsocks_obfs_type}, 'glorytun': {'key': glorytun_key, 'udp': {'host_ip': glorytun_udp_host_ip, 'client_ip': glorytun_udp_client_ip}, 'tcp': {'host_ip': glorytun_tcp_host_ip, 'client_ip': glorytun_tcp_client_ip}, 'port': glorytun_port, 'chacha': glorytun_chacha}, 'dsvpn': {'key': dsvpn_key, 'host_ip': dsvpn_host_ip, 'client_ip': dsvpn_client_ip, 'port': dsvpn_port}, 'openvpn': {'key': openvpn_key, 'client_key': openvpn_client_key, 'client_crt': openvpn_client_crt, 'client_ca': openvpn_client_ca, 'host_ip': openvpn_host_ip, 'client_ip': openvpn_client_ip, 'port': openvpn_port, 'cipher': openvpn_cipher}, 'mlvpn': {'key': mlvpn_key, 'host_ip': mlvpn_host_ip, 'client_ip': mlvpn_client_ip}, 'shorewall': {'redirect_ports': shorewall_redirect}, 'mptcp': {'enabled': mptcp_enabled, 'checksum': mptcp_checksum, 'path_manager': mptcp_path_manager, 'scheduler': mptcp_scheduler, 'syn_retries': mptcp_syn_retries}, 'network': {'congestion_control': congestion_control, 'ipv6_network': ipv6_network, 'ipv6': ipv6_addr, 'ipv4': ipv4_addr, 'domain': vps_domain, 'internet': internet}, 'vpn': {'available': available_vpn, 'current': vpn, 'remoteip': vpn_remote_ip, 'localip': vpn_local_ip, 'rx': vpn_traffic_rx, 'tx': vpn_traffic_tx}, 'iperf': {'user': 'openmptcprouter', 'password': 'openmptcprouter', 'key': iperf3_key}, 'pihole': {'state': pihole}, 'user': {'name': username, 'permission': user_permissions}, 'ip6in4': {'localip': localip6, 'remoteip': remoteip6, 'ula': ula}, 'client2client': {'enabled': client2client, 'lanips': alllanips}, 'gre_tunnel': {'enabled': gre_tunnel, 'config': gre_tunnel_conf}}
 
 # Set shadowsocks config
 class ShadowsocksConfigparams(BaseModel):
@@ -1620,23 +1623,32 @@ def dsvpn(*, params: DSVPN, current_user: User = Depends(get_current_user)):
 
 # Set OpenVPN config
 class OpenVPN(BaseModel):
-    key: str
+    port: int = 65301
+    cipher: str = "AES-256-CBC"
 
 @app.post('/openvpn', summary="Modify OpenVPN TCP configuration")
-def openvpn(*, ovpn: OpenVPN, current_user: User = Depends(get_current_user)):
+def openvpn(*, params: OpenVPN, current_user: User = Depends(get_current_user)):
     if current_user.permissions == "ro":
         set_lastchange(10)
         return {'result': 'permission', 'reason': 'Read only user', 'route': 'openvpn'}
-    key = ovpn.key
-    if not key:
-        return {'result': 'error', 'reason': 'Invalid parameters', 'route': 'openvpn'}
-    initial_md5 = hashlib.md5(file_as_bytes(open('/etc/openvpn/server/static.key', 'rb'))).hexdigest()
-    with open('/etc/openvpn/server/static.key', 'w') as outfile:
-        outfile.write(base64.b64decode(key))
-    final_md5 = hashlib.md5(file_as_bytes(open('/etc/openvpn/server/static.key', 'rb'))).hexdigest()
+    initial_md5 = hashlib.md5(file_as_bytes(open('/etc/openvpn/tun0', 'rb'))).hexdigest()
+    fd, tmpfile = mkstemp()
+    with open('/etc/openvpn/tun0', 'r') as f, open(tmpfile, 'a+') as n:
+        for line in f:
+            if 'cipher ' in line:
+                n.write('cipher ' + params.cipher + '\n')
+            elif 'port ' in line:
+                n.write('port ' + str(params.port) + '\n')
+            else:
+                n.write(line)
+    os.close(fd)
+    move(tmpfile, '/etc/openvpn/tun0')
+    final_md5 = hashlib.md5(file_as_bytes(open('/etc/openvpn/tun0', 'rb'))).hexdigest()
+
     if not initial_md5 == final_md5:
         os.system("systemctl -q restart openvpn@tun0")
-    set_lastchange()
+        shorewall_add_port(current_user, str(port), 'tcp', 'openvpn')
+        set_lastchange()
     return {'result': 'done'}
 
 class Wanips(BaseModel):