def check_network_private(test_network):
test_net = ipaddress.ip_network(test_network)
test_start = test_net.network_address
test_end = test_net.broadcast_address
for network in settings.vpn.safe_priv_subnets:
network = ipaddress.ip_network(network)
net_start = network.network_address
net_end = network.broadcast_address
if test_start >= net_start and test_end <= net_end:
return True
return False
def add_network_link(self, network, force=False):
from pritunl import server
if not force:
for svr in self.iter_servers(('status', 'groups')):
if svr.status == ONLINE:
raise ServerOnlineError('Server online')
network = str(ipaddress.ip_network(network))
self.net_link_collection.update(
{
'user_id': self.id,
'org_id': self.org_id,
'network': network,
}, {
'user_id': self.id,
'org_id': self.org_id,
'network': network,
},
upsert=True)
if force:
for svr in self.iter_servers(server.operation_fields):
if svr.status == ONLINE:
logger.info(
'Restarting running server to add network link',
'user',
)
svr.restart()
def find_interface(network):
network = ipaddress.ip_network(network, strict=False)
for interface, data in list(get_interfaces().items()):
try:
address = ipaddress.ip_address(data['address'])
except ValueError:
continue
if address in network and data['netmask'] == str(network.netmask):
return data
def add_route(self, network):
try:
network = str(ipaddress.ip_network(network))
except ValueError:
raise NetworkInvalid('Network address is invalid')
network_id = hashlib.md5(network.encode()).hexdigest()
self.routes[network_id] = {
'network': network,
}
return network_id
def check_network_range(test_network, start_addr, end_addr):
test_net = ipaddress.ip_network(test_network)
start_addr = ipaddress.ip_address(start_addr)
end_addr = ipaddress.ip_address(end_addr)
return all((
start_addr != test_net.network_address,
end_addr != test_net.broadcast_address,
start_addr < end_addr,
start_addr in test_net,
end_addr in test_net,
))
def _check_whitelist(self):
if settings.app.sso_whitelist:
remote_ip = ipaddress.ip_address(self.remote_ip)
for network_str in settings.app.sso_whitelist:
try:
network = ipaddress.ip_network(network_str)
except (ipaddress.AddressValueError, ValueError):
logger.warning(
'Invalid whitelist network',
'authorize',
network=network_str,
)
continue
if remote_ip in network:
self.whitelisted = True
break
def check_network_overlap(test_network, networks):
test_net = ipaddress.ip_network(test_network)
test_start = test_net.network_address
test_end = test_net.broadcast_address
for network in networks:
net_start = network.network_address
net_end = network.broadcast_address
if test_start >= net_start and test_start <= net_end:
return True
elif test_end >= net_start and test_end <= net_end:
return True
elif net_start >= test_start and net_start <= test_end:
return True
elif net_end >= test_start and net_end <= test_end:
return True
return False
def multi_get_ip_addr(org_id, user_ids):
spec = {
'user_id': {'$in': user_ids},
}
project = {
'_id': False,
'user_id': True,
'server_id': True,
'address': True,
}
for doc in ServerIpPool.collection.find(spec, project):
network = ipaddress.ip_network(doc['address'], strict=False)
network = str(network.network_address) + '/' + str(network.prefixlen)
addr6 = utils.ip4to6x64(settings.vpn.ipv6_prefix,
network, doc['address'])
yield doc['user_id'], doc['server_id'], \
doc['address'].split('/')[0], addr6.split('/')[0]
def get_used_resources(ignore_server_id):
response = Server.collection.aggregate(([
{
'$match': {
'_id': {
'$ne': ignore_server_id
},
}
},
] if ignore_server_id else []) + [
{
'$project': {
'network': True,
'network_wg': True,
'interface': True,
'port_protocol': {
'$concat': [
{
'$substr': ['$port', 0, 5]
},
'$protocol',
]
},
'port_protocol_wg': {
'$concat': [
{
'$substr': ['$port_wg', 0, 5]
},
'udp',
]
},
}
},
{
'$group': {
'_id': None,
'networks': {
'$addToSet': '$network'
},
'networks_wg': {
'$addToSet': '$network_wg'
},
'interfaces': {
'$addToSet': '$interface'
},
'ports': {
'$addToSet': '$port_protocol'
},
'ports_wg': {
'$addToSet': '$port_protocol_wg'
},
}
},
])
used_resources = None
for used_resources in response:
break
if used_resources:
used_resources.pop('_id')
else:
used_resources = {
'networks': set(),
'networks_wg': set(),
'interfaces': set(),
'ports': set(),
'ports_wg': set(),
}
ports = set(used_resources['ports'] or [])
ports_wg = set([_f for _f in used_resources['ports_wg'] if _f])
try:
ports_wg.remove('udp')
except KeyError:
pass
ports = ports.union(ports_wg)
networks = set(used_resources['networks'] or [])
networks_wg = set([_f for _f in used_resources['networks_wg'] if _f])
networks = networks.union(networks_wg)
return {
'networks': {ipaddress.ip_network(x, strict=False)
for x in networks},
'interfaces': set(used_resources['interfaces'] or []),
'ports': ports,
}
def user_put(org_id, user_id):
if settings.app.demo_mode:
return utils.demo_blocked()
org = organization.get_by_id(org_id)
user = org.get_user(user_id)
reset_user = False
reset_user_cache = False
port_forwarding_event = False
remote_addr = utils.get_remote_addr()
if 'name' in flask.request.json:
name = utils.filter_str(flask.request.json['name']) or 'undefined'
if name != user.name:
user.audit_event(
'user_updated',
'User name changed',
remote_addr=remote_addr,
)
journal.entry(
journal.USER_UPDATE,
user.journal_data,
event_long='User name changed',
remote_address=remote_addr,
)
user.name = name
if 'email' in flask.request.json:
email = utils.filter_str(flask.request.json['email']) or None
if email != user.email:
user.audit_event(
'user_updated',
'User email changed',
remote_addr=remote_addr,
)
journal.entry(
journal.USER_UPDATE,
user.journal_data,
event_long='User email changed',
remote_address=remote_addr,
)
user.email = email
if 'auth_type' in flask.request.json:
auth_type = utils.filter_str(flask.request.json['auth_type']) or None
if auth_type in AUTH_TYPES:
if auth_type != user.auth_type:
reset_user = True
reset_user_cache = True
user.auth_type = auth_type
if 'yubico_id' in flask.request.json:
yubico_id = utils.filter_str(flask.request.json['yubico_id']) or None
yubico_id = yubico_id[:12] if yubico_id else None
if yubico_id != user.yubico_id:
reset_user = True
reset_user_cache = True
user.yubico_id = yubico_id
if 'groups' in flask.request.json:
groups = flask.request.json['groups'] or []
for i, group in enumerate(groups):
groups[i] = utils.filter_str(group)
groups = set(groups)
if groups != set(user.groups or []):
user.audit_event(
'user_updated',
'User groups changed',
remote_addr=remote_addr,
)
journal.entry(
journal.USER_UPDATE,
user.journal_data,
event_long='User groups changed',
remote_address=remote_addr,
)
user.groups = list(groups)
if 'pin' in flask.request.json:
pin = flask.request.json['pin'] or None
if pin is not True:
if pin:
if settings.user.pin_mode == PIN_DISABLED:
return utils.jsonify(
{
'error': PIN_IS_DISABLED,
'error_msg': PIN_IS_DISABLED_MSG,
}, 400)
if RADIUS_AUTH in user.auth_type:
return utils.jsonify(
{
'error': PIN_RADIUS,
'error_msg': PIN_RADIUS_MSG,
}, 400)
if settings.user.pin_digits_only and not pin.isdigit():
return utils.jsonify(
{
'error': PIN_NOT_DIGITS,
'error_msg': PIN_NOT_DIGITS_MSG,
}, 400)
if len(pin) < settings.user.pin_min_length:
return utils.jsonify(
{
'error': PIN_TOO_SHORT,
'error_msg': PIN_TOO_SHORT_MSG,
}, 400)
if user.set_pin(pin):
reset_user = True
reset_user_cache = True
user.audit_event(
'user_updated',
'User pin changed',
remote_addr=remote_addr,
)
journal.entry(
journal.USER_UPDATE,
user.journal_data,
event_long='User pin changed',
remote_address=remote_addr,
)
if 'network_links' in flask.request.json:
network_links_cur = set(user.get_network_links())
network_links_new = set()
for network_link in flask.request.json['network_links'] or []:
try:
network_link = str(ipaddress.ip_network(network_link))
except (ipaddress.AddressValueError, ValueError):
return _network_link_invalid()
network_links_new.add(network_link)
network_links_add = network_links_new - network_links_cur
network_links_rem = network_links_cur - network_links_new
if len(network_links_add) or len(network_links_rem):
reset_user = True
user.audit_event(
'user_updated',
'User network links updated',
remote_addr=remote_addr,
)
journal.entry(
journal.USER_UPDATE,
user.journal_data,
event_long='User network links updated',
remote_address=remote_addr,
)
try:
for network_link in network_links_add:
user.add_network_link(network_link)
except ServerOnlineError:
return utils.jsonify(
{
'error': NETWORK_LINK_NOT_OFFLINE,
'error_msg': NETWORK_LINK_NOT_OFFLINE_MSG,
}, 400)
for network_link in network_links_rem:
user.remove_network_link(network_link)
if 'port_forwarding' in flask.request.json:
port_forwarding = []
for data in flask.request.json['port_forwarding'] or []:
port_forwarding.append({
'protocol':
utils.filter_str(data.get('protocol')),
'port':
utils.filter_str(data.get('port')),
'dport':
utils.filter_str(data.get('dport')),
})
if port_forwarding != user.port_forwarding:
port_forwarding_event = True
user.audit_event(
'user_updated',
'User port forwarding changed',
remote_addr=remote_addr,
)
journal.entry(
journal.USER_UPDATE,
user.journal_data,
event_long='User port forwarding changed',
remote_address=remote_addr,
)
user.port_forwarding = port_forwarding
disabled = True if flask.request.json.get('disabled') else False
if disabled != user.disabled:
user.audit_event(
'user_updated',
'User %s' % ('disabled' if disabled else 'enabled'),
remote_addr=remote_addr,
)
journal.entry(
journal.USER_UPDATE,
user.journal_data,
event_long='User %s' % ('disabled' if disabled else 'enabled'),
remote_address=remote_addr,
)
if disabled:
reset_user = True
reset_user_cache = True
user.disabled = disabled
user.bypass_secondary = True if flask.request.json.get(
'bypass_secondary') else False
user.client_to_client = True if flask.request.json.get(
'client_to_client') else False
if user.bypass_secondary:
if user.pin:
return utils.jsonify(
{
'error': PIN_BYPASS_SECONDARY,
'error_msg': PIN_BYPASS_SECONDARY_MSG,
}, 400)
if user.yubico_id:
return utils.jsonify(
{
'error': YUBIKEY_BYPASS_SECONDARY,
'error_msg': YUBIKEY_BYPASS_SECONDARY_MSG,
}, 400)
if 'mac_addresses' in flask.request.json:
mac_addresses = flask.request.json['mac_addresses'] or None
if user.mac_addresses != mac_addresses:
user.audit_event(
'user_updated',
'User mac addresses changed',
remote_addr=remote_addr,
)
journal.entry(
journal.USER_UPDATE,
user.journal_data,
event_long='User mac addresses changed',
remote_address=remote_addr,
)
reset_user = True
user.mac_addresses = mac_addresses
if 'dns_servers' in flask.request.json:
dns_servers = flask.request.json['dns_servers'] or None
if user.dns_servers != dns_servers:
user.audit_event(
'user_updated',
'User dns servers changed',
remote_addr=remote_addr,
)
journal.entry(
journal.USER_UPDATE,
user.journal_data,
event_long='User dns servers changed',
remote_address=remote_addr,
)
reset_user = True
user.dns_servers = dns_servers
if 'dns_suffix' in flask.request.json:
dns_suffix = utils.filter_str(flask.request.json['dns_suffix']) or None
if user.dns_suffix != dns_suffix:
user.audit_event(
'user_updated',
'User dns suffix changed',
remote_addr=remote_addr,
)
journal.entry(
journal.USER_UPDATE,
user.journal_data,
event_long='User dns suffix changed',
remote_address=remote_addr,
)
reset_user = True
user.dns_suffix = dns_suffix
user.commit()
event.Event(type=USERS_UPDATED, resource_id=user.org.id)
if port_forwarding_event:
messenger.publish('port_forwarding', {
'org_id': org.id,
'user_id': user.id,
})
if reset_user_cache:
user.clear_auth_cache()
if reset_user:
user.disconnect()
send_key_email = flask.request.json.get('send_key_email')
if send_key_email and user.email:
user.audit_event(
'user_emailed',
'User key email sent to "%s"' % user.email,
remote_addr=remote_addr,
)
journal.entry(
journal.USER_PROFILE_EMAIL,
user.journal_data,
event_long='User key email sent to "%s"' % user.email,
remote_address=remote_addr,
)
try:
user.send_key_email(utils.get_url_root())
except EmailNotConfiguredError:
return utils.jsonify(
{
'error': EMAIL_NOT_CONFIGURED,
'error_msg': EMAIL_NOT_CONFIGURED_MSG,
}, 400)
except EmailFromInvalid:
return utils.jsonify(
{
'error': EMAIL_FROM_INVALID,
'error_msg': EMAIL_FROM_INVALID_MSG,
}, 400)
except EmailAuthInvalid:
return utils.jsonify(
{
'error': EMAIL_AUTH_INVALID,
'error_msg': EMAIL_AUTH_INVALID_MSG,
}, 400)
return utils.jsonify(user.dict())
def get_network_gateway_cidr(network):
network = ipaddress.ip_network(network, strict=False)
cidr = network.prefixlen
return str(next(network.hosts())) + '/' + str(cidr)
def get_network_gateway(network):
return str(next(ipaddress.ip_network(network).hosts()))
def parse_network(network):
address = ipaddress.ip_network(network, strict=False)
return str(address.network_address), str(address.netmask)
def server_put_post(server_id=None):
if settings.app.demo_mode:
return utils.demo_blocked()
used_resources = server.get_used_resources(server_id)
network_used = used_resources['networks']
port_used = used_resources['ports']
name = None
name_def = False
if 'name' in flask.request.json:
name_def = True
name = utils.filter_str(flask.request.json['name'])
network = None
network_def = False
if 'network' in flask.request.json and \
flask.request.json['network'] != '':
network_def = True
network = flask.request.json['network'].strip()
try:
if not _check_network_private(network):
return _network_invalid()
except (ipaddress.AddressValueError, ValueError):
return _network_invalid()
wg = None
wg_def = False
if 'wg' in flask.request.json:
wg_def = True
wg = True if flask.request.json['wg'] else False
network_wg = None
network_wg_def = False
if wg and 'network_wg' in flask.request.json and \
flask.request.json['network_wg'] != '':
network_wg_def = True
network_wg = flask.request.json['network_wg'].strip()
try:
if not _check_network_private(network_wg):
return _network_wg_invalid()
except (ipaddress.AddressValueError, ValueError):
return _network_wg_invalid()
elif not wg:
network_wg_def = True
network_mode = None
network_mode_def = False
if 'network_mode' in flask.request.json:
network_mode_def = True
network_mode = flask.request.json['network_mode']
network_start = None
network_start_def = False
if 'network_start' in flask.request.json:
network_start_def = True
network_start = flask.request.json['network_start']
network_end = None
network_end_def = False
if 'network_end' in flask.request.json:
network_end_def = True
network_end = flask.request.json['network_end']
restrict_routes = None
restrict_routes_def = False
if 'restrict_routes' in flask.request.json:
restrict_routes_def = True
restrict_routes = True if flask.request.json['restrict_routes'] \
else False
ipv6 = None
ipv6_def = False
if 'ipv6' in flask.request.json:
ipv6_def = True
ipv6 = True if flask.request.json['ipv6'] else False
ipv6_firewall = None
ipv6_firewall_def = False
if 'ipv6_firewall' in flask.request.json:
ipv6_firewall_def = True
ipv6_firewall = True if flask.request.json['ipv6_firewall'] else False
bind_address = None
bind_address_def = False
if 'bind_address' in flask.request.json:
bind_address_def = True
bind_address = utils.filter_str(flask.request.json['bind_address'])
protocol = 'udp'
protocol_def = False
if 'protocol' in flask.request.json:
protocol_def = True
protocol = flask.request.json['protocol'].lower()
if protocol not in ('udp', 'tcp'):
return utils.jsonify(
{
'error': PROTOCOL_INVALID,
'error_msg': PROTOCOL_INVALID_MSG,
}, 400)
port = None
port_def = False
if 'port' in flask.request.json and flask.request.json['port'] != 0:
port_def = True
port = flask.request.json['port']
try:
port = int(port)
except ValueError:
return _port_invalid()
if port < 1 or port > 65535:
return _port_invalid()
port_wg = None
port_wg_def = False
if wg and 'port_wg' in flask.request.json and \
flask.request.json['port_wg'] != 0:
port_wg_def = True
port_wg = flask.request.json['port_wg']
try:
port_wg = int(port_wg)
except ValueError:
return _port_wg_invalid()
if port_wg < 1 or port_wg > 65535:
return _port_wg_invalid()
elif not wg:
port_wg_def = True
dh_param_bits = None
dh_param_bits_def = False
if flask.request.json.get('dh_param_bits'):
dh_param_bits_def = True
dh_param_bits = flask.request.json['dh_param_bits']
try:
dh_param_bits = int(dh_param_bits)
except ValueError:
return _dh_param_bits_invalid()
if dh_param_bits not in VALID_DH_PARAM_BITS:
return _dh_param_bits_invalid()
groups = None
groups_def = False
if 'groups' in flask.request.json:
groups_def = True
groups = flask.request.json['groups'] or []
for i, group in enumerate(groups):
groups[i] = utils.filter_str(group)
groups = list(set(groups))
multi_device = False
multi_device_def = False
if 'multi_device' in flask.request.json:
multi_device_def = True
multi_device = True if flask.request.json['multi_device'] else False
dns_servers = None
dns_servers_def = False
if 'dns_servers' in flask.request.json:
dns_servers_def = True
dns_servers = flask.request.json['dns_servers'] or []
for dns_server in dns_servers:
try:
ipaddress.ip_address(dns_server)
except (ipaddress.AddressValueError, ValueError):
return _dns_server_invalid()
search_domain = None
search_domain_def = False
if 'search_domain' in flask.request.json:
search_domain_def = True
search_domain = flask.request.json['search_domain']
if search_domain:
search_domain = ', '.join([
utils.filter_str(x.strip()) for x in search_domain.split(',')
])
else:
search_domain = None
inter_client = True
inter_client_def = False
if 'inter_client' in flask.request.json:
inter_client_def = True
inter_client = True if flask.request.json['inter_client'] else False
ping_interval = None
ping_interval_def = False
if 'ping_interval' in flask.request.json:
ping_interval_def = True
ping_interval = int(flask.request.json['ping_interval'] or 10)
ping_timeout = None
ping_timeout_def = False
if 'ping_timeout' in flask.request.json:
ping_timeout_def = True
ping_timeout = int(flask.request.json['ping_timeout'] or 60)
link_ping_interval = None
link_ping_interval_def = False
if 'link_ping_interval' in flask.request.json:
link_ping_interval_def = True
link_ping_interval = int(flask.request.json['link_ping_interval'] or 1)
link_ping_timeout = None
link_ping_timeout_def = False
if 'link_ping_timeout' in flask.request.json:
link_ping_timeout_def = True
link_ping_timeout = int(flask.request.json['link_ping_timeout'] or 5)
inactive_timeout = None
inactive_timeout_def = False
if 'inactive_timeout' in flask.request.json:
inactive_timeout_def = True
inactive_timeout = int(flask.request.json['inactive_timeout']
or 0) or None
session_timeout = None
session_timeout_def = False
if 'session_timeout' in flask.request.json:
session_timeout_def = True
session_timeout = int(flask.request.json['session_timeout']
or 0) or None
allowed_devices = None
allowed_devices_def = False
if 'allowed_devices' in flask.request.json:
allowed_devices_def = True
allowed_devices = flask.request.json['allowed_devices'] or None
max_clients = None
max_clients_def = False
if 'max_clients' in flask.request.json:
max_clients_def = True
max_clients = flask.request.json['max_clients']
if max_clients:
max_clients = int(max_clients)
else:
max_clients = 2000
max_devices = None
max_devices_def = False
if 'max_devices' in flask.request.json:
max_devices_def = True
max_devices = flask.request.json['max_devices']
if max_devices:
max_devices = int(max_devices)
else:
max_devices = 0
replica_count = None
replica_count_def = False
if 'replica_count' in flask.request.json:
replica_count_def = True
replica_count = flask.request.json['replica_count']
if replica_count:
replica_count = int(replica_count)
if not replica_count:
replica_count = 1
vxlan = True
vxlan_def = False
if 'vxlan' in flask.request.json:
vxlan_def = True
vxlan = True if flask.request.json['vxlan'] else False
dns_mapping = False
dns_mapping_def = False
if 'dns_mapping' in flask.request.json:
dns_mapping_def = True
dns_mapping = True if flask.request.json['dns_mapping'] else False
debug = False
debug_def = False
if 'debug' in flask.request.json:
debug_def = True
debug = True if flask.request.json['debug'] else False
pre_connect_msg = None
pre_connect_msg_def = False
if 'pre_connect_msg' in flask.request.json:
pre_connect_msg_def = True
if flask.request.json['pre_connect_msg']:
pre_connect_msg = flask.request.json['pre_connect_msg'].strip()
otp_auth = False
otp_auth_def = False
if 'otp_auth' in flask.request.json:
otp_auth_def = True
otp_auth = True if flask.request.json['otp_auth'] else False
mss_fix = None
mss_fix_def = False
if 'mss_fix' in flask.request.json:
mss_fix_def = True
mss_fix = flask.request.json['mss_fix'] or None
if mss_fix:
mss_fix = int(mss_fix) or None
lzo_compression = False
lzo_compression_def = False
if 'lzo_compression' in flask.request.json:
lzo_compression_def = True
lzo_compression = True if flask.request.json[
'lzo_compression'] else False
cipher = None
cipher_def = False
if 'cipher' in flask.request.json:
cipher_def = True
cipher = flask.request.json['cipher']
if cipher not in CIPHERS:
return utils.jsonify(
{
'error': CIPHER_INVALID,
'error_msg': CIPHER_INVALID_MSG,
}, 400)
hash = None
hash_def = False
if 'hash' in flask.request.json:
hash_def = True
hash = flask.request.json['hash']
if hash not in HASHES:
return utils.jsonify(
{
'error': HASH_INVALID,
'error_msg': HASH_INVALID_MSG,
}, 400)
block_outside_dns = False
block_outside_dns_def = False
if 'block_outside_dns' in flask.request.json:
block_outside_dns_def = True
block_outside_dns = True if flask.request.json[
'block_outside_dns'] else False
jumbo_frames = False
jumbo_frames_def = False
if 'jumbo_frames' in flask.request.json:
jumbo_frames_def = True
jumbo_frames = True if flask.request.json['jumbo_frames'] else False
if not server_id:
if not name_def:
return utils.jsonify(
{
'error': MISSING_PARAMS,
'error_msg': MISSING_PARAMS_MSG,
}, 400)
if not network_def:
network_def = True
rand_range = list(range(215, 250))
rand_range_low = list(range(15, 215))
random.shuffle(rand_range)
random.shuffle(rand_range_low)
rand_range += rand_range_low
for i in rand_range:
rand_network = '192.168.%s.0/24' % i
if not _check_network_overlap(rand_network, network_used):
network = rand_network
break
if not network:
return utils.jsonify(
{
'error': NETWORK_IN_USE,
'error_msg': NETWORK_IN_USE_MSG,
}, 400)
if wg and not network_wg_def:
network_used.add(ipaddress.ip_network(network))
network_wg_def = True
rand_range = list(range(215, 250))
rand_range_low = list(range(15, 215))
random.shuffle(rand_range)
random.shuffle(rand_range_low)
rand_range += rand_range_low
for i in rand_range:
rand_network_wg = '192.168.%s.0/24' % i
if not _check_network_overlap(rand_network_wg, network_used):
network_wg = rand_network_wg
break
if not network_wg:
return utils.jsonify(
{
'error': NETWORK_WG_IN_USE,
'error_msg': NETWORK_WG_IN_USE_MSG,
}, 400)
if not port_def:
port_def = True
rand_ports = list(range(10000, 19999))
random.shuffle(rand_ports)
for rand_port in rand_ports:
if '%s%s' % (rand_port, protocol) not in port_used:
port = rand_port
break
if not port:
return utils.jsonify(
{
'error': PORT_PROTOCOL_IN_USE,
'error_msg': PORT_PROTOCOL_IN_USE_MSG,
}, 400)
if wg and not port_wg_def:
port_used.add(port)
port_wg_def = True
rand_port_wgs = list(range(10000, 19999))
random.shuffle(rand_port_wgs)
for rand_port_wg in rand_port_wgs:
if '%s%s' % (rand_port_wg, protocol) not in port_used:
port_wg = rand_port_wg
break
if not port_wg:
return utils.jsonify(
{
'error': PORT_WG_IN_USE,
'error_msg': PORT_WG_IN_USE_MSG,
}, 400)
if not dh_param_bits_def:
dh_param_bits_def = True
dh_param_bits = settings.vpn.default_dh_param_bits
changed = None
if not server_id:
svr = server.new_server(
name=name,
network=network,
network_wg=network_wg,
groups=groups,
network_mode=network_mode,
network_start=network_start,
network_end=network_end,
restrict_routes=restrict_routes,
wg=wg,
ipv6=ipv6,
ipv6_firewall=ipv6_firewall,
bind_address=bind_address,
port=port,
port_wg=port_wg,
protocol=protocol,
dh_param_bits=dh_param_bits,
multi_device=multi_device,
dns_servers=dns_servers,
search_domain=search_domain,
otp_auth=otp_auth,
cipher=cipher,
hash=hash,
block_outside_dns=block_outside_dns,
jumbo_frames=jumbo_frames,
lzo_compression=lzo_compression,
inter_client=inter_client,
ping_interval=ping_interval,
ping_timeout=ping_timeout,
link_ping_interval=link_ping_interval,
link_ping_timeout=link_ping_timeout,
inactive_timeout=inactive_timeout,
session_timeout=session_timeout,
allowed_devices=allowed_devices,
max_clients=max_clients,
max_devices=max_devices,
replica_count=replica_count,
vxlan=vxlan,
dns_mapping=dns_mapping,
debug=debug,
pre_connect_msg=pre_connect_msg,
mss_fix=mss_fix,
)
svr.add_host(settings.local.host_id)
else:
svr = server.get_by_id(server_id)
if name_def:
svr.name = name
if network_def:
svr.network = network
if network_wg_def:
svr.network_wg = network_wg
if groups_def:
svr.groups = groups
if network_start_def:
svr.network_start = network_start
if network_end_def:
svr.network_end = network_end
if restrict_routes_def:
svr.restrict_routes = restrict_routes
if wg_def:
svr.wg = wg
if ipv6_def:
svr.ipv6 = ipv6
if ipv6_firewall_def:
svr.ipv6_firewall = ipv6_firewall
if network_mode_def:
svr.network_mode = network_mode
if bind_address_def:
svr.bind_address = bind_address
if port_def:
svr.port = port
if port_wg_def:
svr.port_wg = port_wg
if protocol_def:
svr.protocol = protocol
if dh_param_bits_def and svr.dh_param_bits != dh_param_bits:
svr.dh_param_bits = dh_param_bits
svr.generate_dh_param()
if multi_device_def:
svr.multi_device = multi_device
if dns_servers_def:
svr.dns_servers = dns_servers
if search_domain_def:
svr.search_domain = search_domain
if otp_auth_def:
svr.otp_auth = otp_auth
if cipher_def:
svr.cipher = cipher
if hash_def:
svr.hash = hash
if block_outside_dns_def:
svr.block_outside_dns = block_outside_dns
if jumbo_frames_def:
svr.jumbo_frames = jumbo_frames
if lzo_compression_def:
svr.lzo_compression = lzo_compression
if inter_client_def:
svr.inter_client = inter_client
if ping_interval_def:
svr.ping_interval = ping_interval
if ping_timeout_def:
svr.ping_timeout = ping_timeout
if link_ping_interval_def:
svr.link_ping_interval = link_ping_interval
if link_ping_timeout_def:
svr.link_ping_timeout = link_ping_timeout
if inactive_timeout_def:
svr.inactive_timeout = inactive_timeout
if session_timeout_def:
svr.session_timeout = session_timeout
if allowed_devices_def:
svr.allowed_devices = allowed_devices
if max_clients_def:
svr.max_clients = max_clients
if max_devices_def:
svr.max_devices = max_devices
if replica_count_def:
svr.replica_count = replica_count
if vxlan_def:
svr.vxlan = vxlan
if dns_mapping_def:
svr.dns_mapping = dns_mapping
if debug_def:
svr.debug = debug
if pre_connect_msg_def:
svr.pre_connect_msg = pre_connect_msg
if mss_fix_def:
svr.mss_fix = mss_fix
changed = svr.changed
svr.generate_auth_key()
err, err_msg = svr.validate_conf()
if err:
return utils.jsonify({
'error': err,
'error_msg': err_msg,
}, 400)
svr.commit(changed)
if not server_id:
logger.LogEntry(message='Created server "%s".' % svr.name)
event.Event(type=SERVERS_UPDATED)
event.Event(type=SERVER_ROUTES_UPDATED, resource_id=svr.id)
for org in svr.iter_orgs():
event.Event(type=USERS_UPDATED, resource_id=org.id)
return utils.jsonify(svr.dict())