openvpn: Initial commit of matcher (#251)

mholt · Oct 12, 2024 · 5764d70 · 5764d70
1 parent 31af7cd
commit 5764d70
Show file tree

Hide file tree

Showing 7 changed files with 2,792 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -34,6 +34,7 @@ Current matchers:
 - **layer4.matchers.http** - matches connections that start with HTTP requests. In addition, any [`http.matchers` modules](https://caddyserver.com/docs/modules/) can be used for matching on HTTP-specific properties of requests, such as header or path. Note that only the first request of each connection can be used for matching.
 - **layer4.matchers.local_ip** - matches connections based on local IP (or CIDR range).
 - **layer4.matchers.not** - matches connections that aren't matched by inner matcher sets.
+- **layer4.matchers.openvpn** - matches connections that look like [OpenVPN](https://openvpn.net/community-resources/openvpn-protocol/) connections.
 - **layer4.matchers.postgres** - matches connections that look like Postgres connections.
 - **layer4.matchers.proxy_protocol** - matches connections that start with [HAPROXY proxy protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt).
 - **layer4.matchers.rdp** - matches connections that look like [RDP](https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-RDPBCGR/%5BMS-RDPBCGR%5D.pdf).

diff --git a/imports.go b/imports.go
@@ -21,6 +21,7 @@ import (
 	_ "github.com/mholt/caddy-l4/modules/l4dns"
 	_ "github.com/mholt/caddy-l4/modules/l4echo"
 	_ "github.com/mholt/caddy-l4/modules/l4http"
+	_ "github.com/mholt/caddy-l4/modules/l4openvpn"
 	_ "github.com/mholt/caddy-l4/modules/l4postgres"
 	_ "github.com/mholt/caddy-l4/modules/l4proxy"
 	_ "github.com/mholt/caddy-l4/modules/l4proxyprotocol"

diff --git a/integration/caddyfile_adapt/gd_matcher_openvpn.caddytest b/integration/caddyfile_adapt/gd_matcher_openvpn.caddytest
@@ -0,0 +1,169 @@
+{
+	layer4 {
+		:8843 {
+			@plain openvpn {
+				modes plain
+			}
+			route @plain {
+				proxy localhost:1194
+			}
+			@auth openvpn {
+				modes auth
+				auth_digest sha256
+				group_key_direction normal
+				group_key_file /etc/openvpn/ta.key
+			}
+			route @auth {
+				proxy localhost:1195
+			}
+			@crypt openvpn {
+				modes crypt
+				group_key 21d94830510107f8753d3b6f3145e01ded37075115afcb0538ecdd8503ee96637218c9ed38d908d594231d7d143c73da5055310f89d336da99c8b3dcb18909c79dd44f540670ebc0f120beb7211e96839cb542572c48bfa7ffaa9a22cb8304b7869b92f4442918e598745bb78ac8877f02b00a7cdef3f2446c130d39a7c451269ef399fd6029cdfc80a7c604041312ab0a969bc906bdee6e6d707afdcbe8c7fb97beb66049c3d328340775025433ceba1e38008a826cf92443d903106199373bdadd9c2c735cf481e580db4e81b99f12e3f46b6159c687cd1b9e689f7712573c0f02735a45573dfb5cd55cf4649423892c7e91f439bdd7337a8ceebd302cfbfa
+			}
+			route @crypt {
+				proxy localhost:1196
+			}
+			@crypt2 openvpn {
+				modes crypt2
+				server_key_file /etc/openvpn/v2-server.key
+			}
+			route @crypt2 {
+				proxy localhost:1197
+			}
+			route {
+				tls
+				proxy localhost:8080
+			}
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"layer4": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":8843"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"openvpn": {
+										"modes": [
+											"plain"
+										]
+									}
+								}
+							],
+							"handle": [
+								{
+									"handler": "proxy",
+									"upstreams": [
+										{
+											"dial": [
+												"localhost:1194"
+											]
+										}
+									]
+								}
+							]
+						},
+						{
+							"match": [
+								{
+									"openvpn": {
+										"modes": [
+											"auth"
+										],
+										"group_key_file": "/etc/openvpn/ta.key",
+										"auth_digest": "sha256",
+										"group_key_direction": "normal"
+									}
+								}
+							],
+							"handle": [
+								{
+									"handler": "proxy",
+									"upstreams": [
+										{
+											"dial": [
+												"localhost:1195"
+											]
+										}
+									]
+								}
+							]
+						},
+						{
+							"match": [
+								{
+									"openvpn": {
+										"modes": [
+											"crypt"
+										],
+										"group_key": "21d94830510107f8753d3b6f3145e01ded37075115afcb0538ecdd8503ee96637218c9ed38d908d594231d7d143c73da5055310f89d336da99c8b3dcb18909c79dd44f540670ebc0f120beb7211e96839cb542572c48bfa7ffaa9a22cb8304b7869b92f4442918e598745bb78ac8877f02b00a7cdef3f2446c130d39a7c451269ef399fd6029cdfc80a7c604041312ab0a969bc906bdee6e6d707afdcbe8c7fb97beb66049c3d328340775025433ceba1e38008a826cf92443d903106199373bdadd9c2c735cf481e580db4e81b99f12e3f46b6159c687cd1b9e689f7712573c0f02735a45573dfb5cd55cf4649423892c7e91f439bdd7337a8ceebd302cfbfa"
+									}
+								}
+							],
+							"handle": [
+								{
+									"handler": "proxy",
+									"upstreams": [
+										{
+											"dial": [
+												"localhost:1196"
+											]
+										}
+									]
+								}
+							]
+						},
+						{
+							"match": [
+								{
+									"openvpn": {
+										"modes": [
+											"crypt2"
+										],
+										"server_key_file": "/etc/openvpn/v2-server.key"
+									}
+								}
+							],
+							"handle": [
+								{
+									"handler": "proxy",
+									"upstreams": [
+										{
+											"dial": [
+												"localhost:1197"
+											]
+										}
+									]
+								}
+							]
+						},
+						{
+							"handle": [
+								{
+									"handler": "tls"
+								},
+								{
+									"handler": "proxy",
+									"upstreams": [
+										{
+											"dial": [
+												"localhost:8080"
+											]
+										}
+									]
+								}
+							]
+						}
+					]
+				}
+			}
+		}
+	}
+}