/**
 * Write the OpenVPN server configuration file for one process of a pool.
 *
 * All directives are collected as plain lines, sorted (SORT_STRING) and
 * written to "<vpnConfigDir>/<configName>" with mode 0600 so only the
 * owner can read the management address/port and hook configuration.
 *
 * @param string     $instanceId    instance identifier; becomes part of the TLS directory path and INSTANCE_ID
 * @param string     $poolId        pool identifier; exported to the connect/disconnect hooks as POOL_ID
 * @param PoolConfig $poolConfig    pool-level settings read via v(): twoFactor, enableLog, listen (plus whatever getRoutes/getDns/getClientToClient read)
 * @param array      $processConfig per-process settings: range, range6, dev, port, proto, managementIp, managementPort, configName
 *
 * NOTE(review): the identifiers and $processConfig values are interpolated
 * into the config verbatim; a newline in any of them would become an extra
 * directive. Assumed to be validated by the caller — confirm.
 */
private function writeProcess($instanceId, $poolId, PoolConfig $poolConfig, array $processConfig)
{
    $tlsDir = sprintf('/etc/openvpn/tls/%s', $instanceId);
    $rangeIp = new IP($processConfig['range']);
    $range6Ip = new IP($processConfig['range6']);
    $isTcp = 'tcp' === $processConfig['proto'];
    $twoFactor = $poolConfig->v('twoFactor');

    // Directives that are identical for every process.
    // NOTE(review): 'cipher' and 'comp-lzo' are legacy directives (newer OpenVPN
    // releases prefer data-ciphers); confirm against the deployed OpenVPN version.
    $fixedLines = [
        '# OpenVPN Server Configuration',
        'verb 3',
        'dev-type tun',
        'user openvpn',
        'group openvpn',
        'topology subnet',
        'persist-key',
        'persist-tun',
        'keepalive 10 60',
        'comp-lzo no',
        'remote-cert-tls client',
        'tls-version-min 1.2',
        'tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA',
        'auth SHA256',
        'cipher AES-256-CBC',
        'client-connect /usr/sbin/vpn-server-api-client-connect',
        'client-disconnect /usr/sbin/vpn-server-api-client-disconnect',
        'push "comp-lzo no"',
        'push "explicit-exit-notify 3"',
    ];

    // Directives derived from the instance, pool and process settings.
    $derivedLines = [
        sprintf('ca %s/ca.crt', $tlsDir),
        sprintf('cert %s/server.crt', $tlsDir),
        sprintf('key %s/server.key', $tlsDir),
        sprintf('dh %s/dh.pem', $tlsDir),
        sprintf('tls-auth %s/ta.key 0', $tlsDir),
        sprintf('server %s %s', $rangeIp->getNetwork(), $rangeIp->getNetmask()),
        sprintf('server-ipv6 %s', $range6Ip->getAddressPrefix()),
        // one host address of the range is taken by the server itself
        sprintf('max-clients %d', $rangeIp->getNumberOfHosts() - 1),
        // level 3 is needed so the OTP verifier can receive the password via-env
        sprintf('script-security %d', $twoFactor ? 3 : 2),
        sprintf('dev %s', $processConfig['dev']),
        sprintf('port %d', $processConfig['port']),
        sprintf('management %s %d', $processConfig['managementIp'], $processConfig['managementPort']),
        sprintf('setenv INSTANCE_ID %s', $instanceId),
        sprintf('setenv POOL_ID %s', $poolId),
        sprintf('proto %s', $isTcp ? 'tcp-server' : 'udp'),
        // TCP processes bind to the management address, UDP to the pool's listen address
        sprintf('local %s', $isTcp ? $processConfig['managementIp'] : $poolConfig->v('listen')),
        // renegotiate less often when a second factor would have to be re-entered
        sprintf('reneg-sec %d', $twoFactor ? 28800 : 3600),
    ];

    $lines = array_merge($fixedLines, $derivedLines);

    // Optional directives.
    if (!$poolConfig->v('enableLog')) {
        $lines[] = 'log /dev/null';
    }
    if ($isTcp) {
        $lines[] = 'tcp-nodelay';
    }
    if ($twoFactor) {
        $lines[] = 'auth-user-pass-verify /usr/sbin/vpn-server-api-verify-otp via-env';
    }

    // Routes, DNS and client-to-client directives come from the pool config.
    $lines = array_merge(
        $lines,
        self::getRoutes($poolConfig),
        self::getDns($poolConfig),
        self::getClientToClient($poolConfig)
    );

    // Deterministic file content regardless of construction order.
    sort($lines, SORT_STRING);

    $configFile = sprintf('%s/%s', $this->vpnConfigDir, $processConfig['configName']);
    FileIO::writeFile($configFile, implode(PHP_EOL, $lines), 0600);
}