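def install_openvpn_server(args):
  '''
  Install and configure the OpenVPN server with LDAP authentication.

  Steps: install the packages, build the easy-rsa PKI (first run only,
  see the guard below), render server.conf from the syco template,
  enable IPv4 forwarding, point the openvpn-auth-ldap plugin at the
  LDAP server, open the firewall, enable the service and build the
  client certificates.

  args -- passed through unchanged to build_client_certs().

  Fix: the BaseDN replacement was missing the leading tab escape (it
  wrote a literal backslash followed by "BaseDN"), unlike every other
  directive written to ldap.conf.
  '''
  app.print_verbose("Install openvpn server version: %d" % SCRIPT_VERSION)
  version_obj = version.Version("InstallOpenvpnServer", SCRIPT_VERSION)
  version_obj.check_executed()

  x("yum -y install openvpn openvpn-auth-ldap")

  easy_rsa_dir = "/etc/openvpn/easy-rsa"
  # The PKI is generated only once: ./clean-all below wipes every
  # existing key, so this block must not run on an installed host.
  if not os.access(easy_rsa_dir, os.F_OK):
    x("cp -R /usr/share/openvpn/easy-rsa/2.0 " + easy_rsa_dir)

    # Render server.conf from the syco template.
    server_conf = "/etc/openvpn/server.conf"
    x("cp " + app.SYCO_PATH + "/var/openvpn/server.conf %s" % server_conf)
    placeholders = (
      ('${EXTERN_IP}',       net.get_public_ip),
      ('${OPENVPN.NETWORK}', config.general.get_openvpn_network),
      ('${FRONT.NETWORK}',   config.general.get_front_network),
      ('${FRONT.NETMASK}',   config.general.get_front_netmask),
      ('${BACK.NETWORK}',    config.general.get_back_network),
      ('${BACK.NETMASK}',    config.general.get_back_netmask),
    )
    for placeholder, getter in placeholders:
      scOpen(server_conf).replace(placeholder, getter())

    # Fill the CA subject fields in easy-rsa's vars file.
    vars_file = easy_rsa_dir + "/vars"
    ca_subject = (
      ('KEY_COUNTRY',  config.general.get_country_name),
      ('KEY_PROVINCE', config.general.get_state),
      ('KEY_CITY',     config.general.get_locality),
      ('KEY_ORG',      config.general.get_organization_name),
      ('KEY_OU',       config.general.get_organizational_unit_name),
      ('KEY_EMAIL',    config.general.get_admin_email),
    )
    for key, getter in ca_subject:
      scOpen(vars_file).replace(r'[\s]*export ' + key + '.*',
                                'export ' + key + '="' + getter() + '"')

    # whichopensslcnf only knows fixed openssl.cnf names; relax its
    # pattern so the installed version is found.
    scOpen(easy_rsa_dir + "/whichopensslcnf").replace(
      r"\[\[\:alnum\:\]\]", "[[:alnum:]]*")

    # Generate CA, server certificate and DH parameters non-interactively.
    # NOTE: os.chdir changes the cwd of the whole process and is never
    # restored.
    x("mkdir -p " + easy_rsa_dir)
    os.chdir(easy_rsa_dir + "/")
    x(". ./vars;./clean-all;./build-ca --batch;./build-key-server --batch server;./build-dh")
    # NOTE(review): ca.key is copied next to the server key, so the CA
    # private key lives on the VPN host and anyone who can read
    # /etc/openvpn can issue client certificates. build_client_certs()
    # below presumably depends on it being here -- confirm before moving
    # the CA offline. dh1024.pem is 1024-bit DH, weak by current
    # standards.
    x("cp " + easy_rsa_dir + "/keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/")

    # Allow several certificates with the same subject; otherwise
    # build-key-pkcs12 fails with "TXT_DB error number 2" on reissue.
    scOpen(easy_rsa_dir + "/keys/index.txt.attr").replace(
      "unique_subject.*", "unique_subject = no")

  # Route VPN traffic to the internal networks: persist in sysctl.conf
  # and apply immediately.
  general.set_config_property("/etc/sysctl.conf",
                              r'[\s]*net.ipv4.ip_forward[\s]*[=].*',
                              "net.ipv4.ip_forward = 1")
  x("echo 1 > /proc/sys/net/ipv4/ip_forward")

  # Configure openvpn-auth-ldap. The replacement strings carry literal
  # backslash-t sequences; scOpen.replace presumably expands them to
  # tabs -- confirm.
  ldap_conf = scOpen("/etc/openvpn/auth/ldap.conf")
  ldap_conf.replace(r"^\s*URL\s*.*",
                    r"\tURL\tldaps://%s" % config.general.get_ldap_hostname())
  # NOTE(review): the LDAP admin bind password is written in clear text
  # to ldap.conf and the file mode is not tightened here; confirm the
  # file is readable by root only.
  ldap_conf.replace(r"^\s*# Password\s*.*",
                    r"\tPassword\t%s" % app.get_ldap_admin_password())
  ldap_conf.replace(r"^\s*# BindDN\s*.*",
                    r"\tBindDN\tcn=Manager,%s" % config.general.get_ldap_dn())
  # TLSEnable is commented out, presumably because the URL above already
  # uses ldaps:// and the connection is encrypted from the start.
  ldap_conf.replace(r"^\s*TLSEnable\s*.*", r"\t# TLSEnable\t YES")

  # Certificates used for the LDAPS connection.
  ldap_conf.replace(r"^\s*TLSCACertFile\s*.*",
                    r"\tTLSCACertFile\t /etc/openldap/cacerts/ca.crt")
  ldap_conf.replace(r"^\s*TLSCACertDir\s*.*",
                    r"\tTLSCACertDir\t /etc/openldap/cacerts/")
  ldap_conf.replace(r"^\s*TLSCertFile\s*.*",
                    r"\tTLSCertFile\t /etc/openldap/cacerts/client.crt")
  ldap_conf.replace(r"^\s*TLSKeyFile\s*.*",
                    r"\tTLSKeyFile\t /etc/openldap/cacerts/client.key")

  # Who may authenticate: only users with employeeType=Sysop.
  # The BaseDN line used to start with a bare backslash instead of the
  # backslash-t prefix every other directive uses.
  ldap_conf.replace(r"^\s*BaseDN\s*.*",
                    r'\tBaseDN\t "%s"' % config.general.get_ldap_dn())
  ldap_conf.replace(r"^\s*SearchFilter\s*.*",
                    r'\tSearchFilter\t "(\&(uid=%u)(employeeType=Sysop))"')

  # Load the LDAP auth plugin. This append runs outside the first-run
  # guard above, so it presumably relies on version_obj.check_executed()
  # to stop a re-run from appending a duplicate line.
  x('echo "plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf" >> /etc/openvpn/server.conf ')

  iptables.add_openvpn_chain()
  iptables.save()

  x("/etc/init.d/openvpn restart")
  x("/sbin/chkconfig openvpn on")

  build_client_certs(args)

  version_obj.mark_executed()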
def install_openvpn_server(args):
  '''
  Install the OpenVPN server and wire it up to LDAP authentication.

  On the first run the easy-rsa PKI (CA, server certificate, DH
  parameters) is generated and server.conf is rendered from the syco
  template. Every run then enables IP forwarding, configures LDAP,
  opens the firewall, restarts and enables the service and builds the
  client certificates.

  args -- forwarded untouched to build_client_certs().
  '''
  app.print_verbose("Install openvpn server version: %d" % SCRIPT_VERSION)
  version_obj = version.Version("InstallOpenvpnServer", SCRIPT_VERSION)
  version_obj.check_executed()

  # Resolve the LDAP password before any long-running step starts.
  app.get_ldap_sssd_password()

  x("yum -y install openvpn openvpn-auth-ldap")

  easy_rsa_dir = "/etc/openvpn/easy-rsa"
  # ./clean-all below wipes the keys, so the PKI is only built when
  # easy-rsa has not been installed yet.
  if not os.access(easy_rsa_dir, os.F_OK):
    x("cp -R /usr/share/openvpn/easy-rsa/2.0 " + easy_rsa_dir)

    # Render server.conf from the syco template.
    server_conf = "/etc/openvpn/server.conf"
    x("cp " + app.SYCO_PATH + "/var/openvpn/server.conf %s" % server_conf)
    template_values = (
      ('${EXTERN_IP}',       net.get_public_ip),
      ('${OPENVPN.NETWORK}', config.general.get_openvpn_network),
      ('${FRONT.NETWORK}',   config.general.get_front_network),
      ('${FRONT.NETMASK}',   config.general.get_front_netmask),
      ('${BACK.NETWORK}',    config.general.get_back_network),
      ('${BACK.NETMASK}',    config.general.get_back_netmask),
    )
    for token, getter in template_values:
      scOpen(server_conf).replace(token, getter())

    # CA subject fields for easy-rsa.
    vars_file = easy_rsa_dir + "/vars"
    subject_fields = (
      ('KEY_COUNTRY',  config.general.get_country_name),
      ('KEY_PROVINCE', config.general.get_state),
      ('KEY_CITY',     config.general.get_locality),
      ('KEY_ORG',      config.general.get_organization_name),
      ('KEY_OU',       config.general.get_organizational_unit_name),
      ('KEY_EMAIL',    config.general.get_admin_email),
    )
    for key, getter in subject_fields:
      scOpen(vars_file).replace(r'[\s]*export ' + key + '.*',
                                'export ' + key + '="' + getter() + '"')

    # Relax whichopensslcnf so the installed openssl.cnf version is found.
    scOpen(easy_rsa_dir + "/whichopensslcnf").replace(
      r"\[\[\:alnum\:\]\]", "[[:alnum:]]*")

    # Build CA, server certificate and DH parameters non-interactively.
    # NOTE: os.chdir changes the cwd of the whole process; it is not
    # restored.
    os.chdir(easy_rsa_dir + "/")
    x(". ./vars;./clean-all;./build-ca --batch;./build-key-server --batch server;./build-dh")
    # NOTE(review): ca.key is copied beside the server key, so the CA
    # private key stays on the VPN host; build_client_certs() below
    # presumably needs it there -- confirm. dh1024.pem is 1024-bit DH,
    # weak by current standards.
    x("cp " + easy_rsa_dir + "/keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/")

    # Allow several certificates with the same subject; otherwise
    # build-key-pkcs12 fails with "TXT_DB error number 2" on reissue.
    scOpen(easy_rsa_dir + "/keys/index.txt.attr").replace(
      "unique_subject.*", "unique_subject = no")

  # Route VPN traffic to the internal networks.
  net.enable_ip_forward()

  _setup_ldap()

  iptables.add_openvpn_chain()
  iptables.save()

  x("/etc/init.d/openvpn restart")
  x("/sbin/chkconfig openvpn on")

  build_client_certs(args)

  version_obj.mark_executed()
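def install_openvpn_server(args):
    '''
    Install and configure the OpenVPN server.

    Usage: syco install-openvpn-server <openvpn-version>

    Builds OpenVPN (build_openvpn), generates the easy-rsa PKI on the
    first run (4096-bit keys, SHA-256, 4096-bit DH, a tls-auth key),
    renders server.conf from the syco template, enables IPv4
    forwarding, optionally sets up LDAP authentication, opens the
    firewall, enables the service and builds the client certificates.

    args -- the full argument list; args[1] is presumably the OpenVPN
            version handed to build_openvpn() -- confirm against that
            function. Forwarded unchanged to build_client_certs().

    Raises Exception carrying the usage line when len(args) != 2.

    Fix: openvpn.ldap.enable and openvpn.ccd.enable are read as text,
    so the default "false" was truthy and both features were always
    switched on. They are now compared as strings.
    '''
    app.print_verbose("Install openvpn server version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallOpenvpnServer", SCRIPT_VERSION)
    version_obj.check_executed()

    if len(args) != 2:
        raise Exception("syco install-openvpn-server 2.3.7")

    def option_enabled(name):
        # get_option() returns text (the original called .lower() on
        # it); testing that string for truthiness would accept "false".
        value = config.general.get_option(name, "false")
        return str(value).strip().lower() in ("true", "yes", "1")

    enable_ldap = option_enabled("openvpn.ldap.enable")
    build_openvpn(args)
    # -p: do not fail when the directory already exists.
    x('mkdir -p /etc/openvpn')

    if enable_ldap:
        # Resolve the LDAP password before the long-running steps.
        app.get_ldap_sssd_password()
        x("yum -y install openvpn-auth-ldap")

    easy_rsa_dir = "/etc/openvpn/easy-rsa"
    # ./clean-all below wipes the keys, so the PKI is only built once.
    if not os.access(easy_rsa_dir, os.F_OK):
        copy_easy_rsa()

        # Render server.conf from the syco template.
        server_conf = "/etc/openvpn/server.conf"
        x("cp " + app.SYCO_PATH + "/var/openvpn/server.conf %s" % server_conf)
        scOpen(server_conf).replace('${EXTERN_IP}', net.get_public_ip())
        scOpen(server_conf).replace('${OPENVPN_NETWORK}',
                                    config.general.get_openvpn_network())
        scOpen(server_conf).replace('${PUSH_ROUTES}', _get_push_routes())

        # Per-client config dir and client-to-client traffic are opt-in.
        ccd_dir = ""
        client_routes = ""
        c2c = ""
        if option_enabled("openvpn.ccd.enable"):
            ccd_dir = "client-config-dir ccd"
            client_routes = _get_client_routes()
            c2c = "client-to-client"
            x('mkdir -p /etc/openvpn/ccd')

        scOpen(server_conf).replace('${CCD_DIR}', ccd_dir)
        scOpen(server_conf).replace('${CLIENT_ROUTES}', str(client_routes))
        scOpen(server_conf).replace('${CLIENT_TO_CLIENT}', c2c)
        scOpen(server_conf).replace('${DHCP_DNS_SERVERS}',
                                    _get_dhcp_dns_servers())
        # The template names dh1024.pem; KEY_SIZE=4096 below makes
        # build-dh emit dh4096.pem, so directive and copy must agree.
        scOpen(server_conf).replace('^dh.*dh1024.pem', 'dh dh4096.pem')
        scOpen(server_conf).add('\n')
        scOpen(server_conf).add('tls-version-min 1.2')

        # CA subject fields for easy-rsa.
        vars_file = easy_rsa_dir + "/vars"
        ca_subject = (
            ('KEY_COUNTRY',  config.general.get_country_name),
            ('KEY_PROVINCE', config.general.get_state),
            ('KEY_CITY',     config.general.get_locality),
            ('KEY_ORG',      config.general.get_organization_name),
            ('KEY_OU',       config.general.get_organizational_unit_name),
            ('KEY_EMAIL',    config.general.get_admin_email),
        )
        for key, getter in ca_subject:
            scOpen(vars_file).replace(
                r'[\s]*export ' + key + '.*',
                'export ' + key + '="' + getter() + '"')
        # SHA-256 and 4096-bit keys instead of easy-rsa's defaults.
        scOpen(vars_file).replace(r'[\s]*export HASH_ALGO.*',
                                  'export HASH_ALGO=sha256')
        scOpen(vars_file).replace(r'[\s]*export KEY_SIZE.*',
                                  'export KEY_SIZE=4096')

        # Relax whichopensslcnf so the installed openssl.cnf is found.
        scOpen(easy_rsa_dir + "/whichopensslcnf").replace(
            r"\[\[\:alnum\:\]\]", "[[:alnum:]]*")

        # Build CA, server certificate and DH parameters non-interactively.
        # NOTE: os.chdir changes the cwd of the whole process; it is not
        # restored.
        os.chdir(easy_rsa_dir + "/")
        x(". ./vars;./clean-all;./build-ca --batch;./build-key-server --batch server;./build-dh")
        # NOTE(review): ca.key is copied beside the server key, so the CA
        # private key stays on the VPN host and anyone who can read
        # /etc/openvpn can issue client certificates; build_client_certs()
        # below presumably needs it there -- confirm before moving the CA
        # offline.
        x("cp " + easy_rsa_dir + "/keys/{ca.crt,ca.key,server.crt,server.key,dh4096.pem} /etc/openvpn/")

        # Static key for tls-auth, generated where the server.conf template
        # presumably expects ta.key -- confirm against the template.
        os.chdir("/etc/openvpn/")
        x("/usr/local/sbin/openvpn --genkey --secret ta.key")

        # Allow several certificates with the same subject; otherwise
        # build-key-pkcs12 fails with "TXT_DB error number 2" on reissue.
        scOpen(easy_rsa_dir + "/keys/index.txt.attr").replace(
            "unique_subject.*", "unique_subject = no")

    # Route VPN traffic to the internal networks.
    net.enable_ip_forward()

    if enable_ldap:
        _setup_ldap()

    iptables.add_openvpn_chain()
    iptables.save()

    x("/etc/init.d/openvpn restart")
    x("/sbin/chkconfig openvpn on")

    build_client_certs(args)

    version_obj.mark_executed()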
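def install_openvpn_server(args):
    '''
    Install and configure the OpenVPN server from the distribution package.

    Generates the easy-rsa PKI and a tls-auth key on the first run,
    renders server.conf from the syco template, enables IPv4
    forwarding, optionally sets up LDAP authentication, opens the
    firewall, enables the service and builds the client certificates.

    args -- forwarded unchanged to build_client_certs().

    Fix: openvpn.ldap.enable and openvpn.ccd.enable are read as text,
    so the default "false" was truthy and both features were always
    switched on. They are now compared as strings.
    '''
    app.print_verbose("Install openvpn server version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallOpenvpnServer", SCRIPT_VERSION)
    version_obj.check_executed()

    def option_enabled(name):
        # get_option() returns text (the original called .lower() on
        # it); testing that string for truthiness would accept "false".
        value = config.general.get_option(name, "false")
        return str(value).strip().lower() in ("true", "yes", "1")

    enable_ldap = option_enabled("openvpn.ldap.enable")
    x("yum -y install openvpn")

    if enable_ldap:
        # Resolve the LDAP password before the long-running steps.
        app.get_ldap_sssd_password()
        x("yum -y install openvpn-auth-ldap")

    easy_rsa_dir = "/etc/openvpn/easy-rsa"
    # ./clean-all below wipes the keys, so the PKI is only built once.
    if not os.access(easy_rsa_dir, os.F_OK):
        copy_easy_rsa()

        # Render server.conf from the syco template.
        server_conf = "/etc/openvpn/server.conf"
        x("cp " + app.SYCO_PATH + "/var/openvpn/server.conf %s" % server_conf)
        scOpen(server_conf).replace('${EXTERN_IP}', net.get_public_ip())
        scOpen(server_conf).replace('${OPENVPN_NETWORK}',
                                    config.general.get_openvpn_network())
        scOpen(server_conf).replace('${PUSH_ROUTES}', _get_push_routes())

        # Per-client config dir and client-to-client traffic are opt-in.
        ccd_dir = ""
        client_routes = ""
        c2c = ""
        if option_enabled("openvpn.ccd.enable"):
            ccd_dir = "client-config-dir ccd"
            client_routes = _get_client_routes()
            c2c = "client-to-client"
            # Create the directory the directive refers to.
            x('mkdir -p /etc/openvpn/ccd')

        scOpen(server_conf).replace('${CCD_DIR}', ccd_dir)
        # str(): _get_client_routes() may not return text -- confirm.
        scOpen(server_conf).replace('${CLIENT_ROUTES}', str(client_routes))
        scOpen(server_conf).replace('${CLIENT_TO_CLIENT}', c2c)
        scOpen(server_conf).replace('${DHCP_DNS_SERVERS}',
                                    _get_dhcp_dns_servers())

        # CA subject fields for easy-rsa.
        vars_file = easy_rsa_dir + "/vars"
        ca_subject = (
            ('KEY_COUNTRY',  config.general.get_country_name),
            ('KEY_PROVINCE', config.general.get_state),
            ('KEY_CITY',     config.general.get_locality),
            ('KEY_ORG',      config.general.get_organization_name),
            ('KEY_OU',       config.general.get_organizational_unit_name),
            ('KEY_EMAIL',    config.general.get_admin_email),
        )
        for key, getter in ca_subject:
            scOpen(vars_file).replace(
                r'[\s]*export ' + key + '.*',
                'export ' + key + '="' + getter() + '"')

        # Relax whichopensslcnf so the installed openssl.cnf is found.
        scOpen(easy_rsa_dir + "/whichopensslcnf").replace(
            r"\[\[\:alnum\:\]\]", "[[:alnum:]]*")

        # Build CA, server certificate and DH parameters non-interactively.
        # NOTE: os.chdir changes the cwd of the whole process; it is not
        # restored.
        os.chdir(easy_rsa_dir + "/")
        x(". ./vars;./clean-all;./build-ca --batch;./build-key-server --batch server;./build-dh")
        # NOTE(review): ca.key is copied beside the server key, so the CA
        # private key stays on the VPN host; build_client_certs() below
        # presumably needs it there -- confirm. dh1024.pem is 1024-bit DH,
        # weak by current standards.
        x("cp " + easy_rsa_dir + "/keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/")

        # Static key for tls-auth, generated where the server.conf template
        # presumably expects ta.key -- confirm against the template.
        os.chdir("/etc/openvpn/")
        x("openvpn --genkey --secret ta.key")

        # Allow several certificates with the same subject; otherwise
        # build-key-pkcs12 fails with "TXT_DB error number 2" on reissue.
        scOpen(easy_rsa_dir + "/keys/index.txt.attr").replace(
            "unique_subject.*", "unique_subject = no")

    # Route VPN traffic to the internal networks.
    net.enable_ip_forward()

    if enable_ldap:
        _setup_ldap()

    iptables.add_openvpn_chain()
    iptables.save()

    x("/etc/init.d/openvpn restart")
    x("/sbin/chkconfig openvpn on")

    build_client_certs(args)

    version_obj.mark_executed()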
def install_openvpn_server(args):
    '''
    Install the OpenVPN server and wire it up to LDAP authentication.

    On the first run the easy-rsa PKI (CA, server certificate, DH
    parameters) and a tls-auth key are generated and server.conf is
    rendered from the syco template. Every run then enables IP
    forwarding, configures LDAP, opens the firewall, restarts and
    enables the service and builds the client certificates.

    args -- forwarded untouched to build_client_certs().
    '''
    app.print_verbose("Install openvpn server version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallOpenvpnServer", SCRIPT_VERSION)
    version_obj.check_executed()

    # Resolve the LDAP password before any long-running step starts.
    app.get_ldap_sssd_password()

    x("yum -y install openvpn openvpn-auth-ldap")

    easy_rsa_dir = "/etc/openvpn/easy-rsa"
    # ./clean-all below wipes the keys, so the PKI is only built when
    # easy-rsa has not been installed yet.
    if not os.access(easy_rsa_dir, os.F_OK):
        copy_easy_rsa()

        # Render server.conf from the syco template.
        server_conf = "/etc/openvpn/server.conf"
        x("cp " + app.SYCO_PATH + "/var/openvpn/server.conf %s" % server_conf)
        template_values = (
            ('${EXTERN_IP}',       net.get_public_ip),
            ('${OPENVPN.NETWORK}', config.general.get_openvpn_network),
            ('${FRONT.NETWORK}',   config.general.get_front_network),
            ('${FRONT.NETMASK}',   config.general.get_front_netmask),
            ('${BACK.NETWORK}',    config.general.get_back_network),
            ('${BACK.NETMASK}',    config.general.get_back_netmask),
        )
        for token, getter in template_values:
            scOpen(server_conf).replace(token, getter())

        # CA subject fields for easy-rsa.
        vars_file = easy_rsa_dir + "/vars"
        subject_fields = (
            ('KEY_COUNTRY',  config.general.get_country_name),
            ('KEY_PROVINCE', config.general.get_state),
            ('KEY_CITY',     config.general.get_locality),
            ('KEY_ORG',      config.general.get_organization_name),
            ('KEY_OU',       config.general.get_organizational_unit_name),
            ('KEY_EMAIL',    config.general.get_admin_email),
        )
        for key, getter in subject_fields:
            scOpen(vars_file).replace(
                r'[\s]*export ' + key + '.*',
                'export ' + key + '="' + getter() + '"')

        # Relax whichopensslcnf so the installed openssl.cnf is found.
        scOpen(easy_rsa_dir + "/whichopensslcnf").replace(
            r"\[\[\:alnum\:\]\]", "[[:alnum:]]*")

        # Build CA, server certificate and DH parameters non-interactively.
        # NOTE: os.chdir changes the cwd of the whole process; it is not
        # restored.
        os.chdir(easy_rsa_dir + "/")
        x(". ./vars;./clean-all;./build-ca --batch;./build-key-server --batch server;./build-dh")
        # NOTE(review): ca.key is copied beside the server key, so the CA
        # private key stays on the VPN host; build_client_certs() below
        # presumably needs it there -- confirm. dh1024.pem is 1024-bit DH,
        # weak by current standards.
        x("cp " + easy_rsa_dir + "/keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/")

        # Static key for tls-auth, generated where the server.conf template
        # presumably expects ta.key -- confirm against the template.
        os.chdir("/etc/openvpn/")
        x("openvpn --genkey --secret ta.key")

        # Allow several certificates with the same subject; otherwise
        # build-key-pkcs12 fails with "TXT_DB error number 2" on reissue.
        scOpen(easy_rsa_dir + "/keys/index.txt.attr").replace(
            "unique_subject.*", "unique_subject = no")

    # Route VPN traffic to the internal networks.
    net.enable_ip_forward()

    _setup_ldap()

    iptables.add_openvpn_chain()
    iptables.save()

    x("/etc/init.d/openvpn restart")
    x("/sbin/chkconfig openvpn on")

    build_client_certs(args)

    version_obj.mark_executed()