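def generate_ovpn_conf(self):
    """Build the OpenVPN server configuration and write it to
    ``self.ovpn_conf_path``.

    Side effects: may (re)create the server's primary user when the
    stored primary organization/user is missing or no longer belongs to
    the server; sets ``self.primary_user``; when ``self.server.debug`` is
    set, pushes each config line to ``self.server.output`` *before* the
    CA/cert/key/dh blocks are appended, so key material is not echoed.

    Raises:
        ValueError: if ``self.server.protocol`` is neither ``'tcp'`` nor
            ``'udp'``.

    The written file embeds the server certificate, private key, tls-auth
    key and DH params, so it is created with owner-only permissions.
    """
    # Ensure a usable primary user/org exists; each branch retries the
    # lookup after (re)creating the primary user.
    if not self.server.primary_organization or \
            not self.server.primary_user:
        self.server.create_primary_user()

    if self.server.primary_organization not in self.server.organizations:
        self.server.remove_primary_user()
        self.server.create_primary_user()

    primary_org = organization.get_by_id(self.server.primary_organization)
    if not primary_org:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)

    self.primary_user = primary_org.get_user(self.server.primary_user)
    if not self.primary_user:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)
        self.primary_user = primary_org.get_user(self.server.primary_user)

    gateway = utils.get_network_gateway(self.server.network)
    gateway6 = utils.get_network_gateway(self.server.network6)

    # Route directives: "push ..." lines go to clients, bare "route ..."
    # lines install kernel routes on the server side.
    push = ''
    routes = []
    for route in self.server.get_routes(include_default=False):
        routes.append(route['network'])
        if route['virtual_network']:
            continue

        metric = route.get('metric')
        if metric:
            metric_def = ' default %s' % metric
            metric = ' %s' % metric
        else:
            metric_def = ''
            metric = ''

        network = route['network']

        if route['net_gateway']:
            if ':' in network:
                push += 'push "route-ipv6 %s net_gateway%s"\n' % (
                    network, metric)
            else:
                push += 'push "route %s %s net_gateway%s"\n' % (
                    utils.parse_network(network) + (metric, ))
        elif not route.get('network_link'):
            if ':' in network:
                push += 'push "route-ipv6 %s%s"\n' % (network, metric_def)
            else:
                push += 'push "route %s %s%s"\n' % (
                    utils.parse_network(network) + (metric_def, ))
        else:
            if ':' in network:
                push += 'route-ipv6 %s %s%s\n' % (network, gateway6, metric)
            else:
                push += 'route %s %s %s%s\n' % (
                    utils.parse_network(network) + (gateway, metric))

    # Routes of linked servers: only the side with the lower id emits
    # them (presumably so each link pair is written once — confirm).
    for link_svr in self.server.iter_links(
            fields=('_id', 'network', 'local_networks', 'network_start',
                'network_end', 'organizations', 'routes', 'links', 'ipv6',
                'replica_count', 'network_mode')):
        if self.server.id < link_svr.id:
            for route in link_svr.get_routes(include_default=False):
                network = route['network']
                metric = route.get('metric')
                if metric:
                    metric = ' %s' % metric
                else:
                    metric = ''

                if route['net_gateway']:
                    continue

                if ':' in network:
                    push += 'route-ipv6 %s %s%s\n' % (
                        network, gateway6, metric)
                else:
                    push += 'route %s %s %s%s\n' % (
                        utils.parse_network(network) + (gateway, metric))

    if self.vxlan:
        push += 'push "route %s %s"\n' % utils.parse_network(
            self.vxlan.vxlan_net)
        if self.server.ipv6:
            push += 'push "route-ipv6 %s"\n' % self.vxlan.vxlan_net6

    if self.server.network_mode == BRIDGE:
        host_int_data = self.host_interface_data
        host_address = host_int_data['address']
        host_netmask = host_int_data['netmask']
        server_line = 'server-bridge %s %s %s %s' % (
            host_address,
            host_netmask,
            self.server.network_start,
            self.server.network_end,
        )
    else:
        server_line = 'server %s %s' % utils.parse_network(
            self.server.network)
        if self.server.ipv6:
            server_line += '\nserver-ipv6 ' + self.server.network6

    # Dual-stack listeners are only used when no explicit bind address
    # pins the server to a single address family.
    if self.server.protocol == 'tcp':
        if (self.server.ipv6 or settings.vpn.ipv6) and \
                not self.server.bind_address:
            protocol = 'tcp6-server'
        else:
            protocol = 'tcp-server'
    elif self.server.protocol == 'udp':
        if (self.server.ipv6 or settings.vpn.ipv6) and \
                not self.server.bind_address:
            protocol = 'udp6'
        else:
            protocol = 'udp'
    else:
        raise ValueError('Unknown protocol')

    if utils.check_openvpn_ver():
        server_ciphers = SERVER_CIPHERS
        server_conf_template = OVPN_INLINE_SERVER_CONF
    else:
        server_ciphers = SERVER_CIPHERS_OLD
        server_conf_template = OVPN_INLINE_SERVER_CONF_OLD

    server_conf = server_conf_template % (
        self.server.port,
        protocol,
        self.interface,
        server_line,
        self.management_socket_path,
        self.server.max_clients,
        self.server.ping_interval,
        self.server.ping_timeout + 20,
        self.server.ping_interval,
        self.server.ping_timeout,
        server_ciphers[self.server.cipher],
        HASHES[self.server.hash],
        4 if self.server.debug else 1,
        8 if self.server.debug else 3,
    )

    if self.server.bind_address:
        server_conf += 'local %s\n' % self.server.bind_address

    if self.server.inter_client:
        server_conf += 'client-to-client\n'

    if self.server.multi_device:
        server_conf += 'duplicate-cn\n'

    if self.server.protocol == 'udp':
        server_conf += 'replay-window 128\n'

    if self.server.mss_fix:
        server_conf += 'mssfix %s\n' % self.server.mss_fix

    # Pritunl v0.10.x did not include comp-lzo in client conf
    # if lzo_compression is adaptive dont include comp-lzo in server conf
    if self.server.lzo_compression == ADAPTIVE:
        pass
    elif self.server.lzo_compression:
        server_conf += 'comp-lzo yes\npush "comp-lzo yes"\n'
    else:
        server_conf += 'comp-lzo no\npush "comp-lzo no"\n'

    server_conf += JUMBO_FRAMES[self.server.jumbo_frames]

    if push:
        server_conf += push

    # Debug echo happens here, before any key material is appended below.
    if self.server.debug:
        self.server.output.push_message('Server conf:')
        for conf_line in server_conf.split('\n'):
            if conf_line:
                self.server.output.push_message(' ' + conf_line)

    # Enterprise plugins may contribute extra config lines.
    if settings.local.sub_plan and \
            'enterprise' in settings.local.sub_plan:
        returns = plugins.caller(
            'server_config',
            host_id=settings.local.host_id,
            host_name=settings.local.host.name,
            server_id=self.server.id,
            server_name=self.server.name,
            port=self.server.port,
            protocol=self.server.protocol,
            ipv6=self.server.ipv6,
            ipv6_firewall=self.server.ipv6_firewall,
            network=self.server.network,
            network6=self.server.network6,
            network_mode=self.server.network_mode,
            network_start=self.server.network_start,
            network_stop=self.server.network_end,
            restrict_routes=self.server.restrict_routes,
            bind_address=self.server.bind_address,
            onc_hostname=None,
            dh_param_bits=self.server.dh_param_bits,
            multi_device=self.server.multi_device,
            dns_servers=self.server.dns_servers,
            search_domain=self.server.search_domain,
            otp_auth=self.server.otp_auth,
            cipher=self.server.cipher,
            hash=self.server.hash,
            inter_client=self.server.inter_client,
            ping_interval=self.server.ping_interval,
            ping_timeout=self.server.ping_timeout,
            link_ping_interval=self.server.link_ping_interval,
            link_ping_timeout=self.server.link_ping_timeout,
            allowed_devices=self.server.allowed_devices,
            max_clients=self.server.max_clients,
            replica_count=self.server.replica_count,
            dns_mapping=self.server.dns_mapping,
            debug=self.server.debug,
            routes=routes,
            interface=self.interface,
            bridge_interface=self.bridge_interface,
            vxlan=self.vxlan,
        )

        if returns:
            for return_val in returns:
                if not return_val:
                    continue
                server_conf += return_val.strip() + '\n'

    # Inline credential blocks; everything from here on is secret material.
    server_conf += '<ca>\n%s\n</ca>\n' % self.server.ca_certificate

    if self.server.tls_auth:
        server_conf += \
            'key-direction 0\n<tls-auth>\n%s\n</tls-auth>\n' % (
                self.server.tls_auth_key)

    server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
        self.primary_user.certificate)
    server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
    server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params

    # Create the file with mode 0600 from the outset instead of opening it
    # with the umask default and chmod'ing afterwards: that ordering left a
    # window in which a freshly created conf (holding the private key and
    # tls-auth key) could be readable by other local users.
    fd = os.open(self.ovpn_conf_path,
        os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as ovpn_conf:
        # The mode passed to os.open applies only when the file is created;
        # tighten a pre-existing file as well before writing into it.
        os.chmod(self.ovpn_conf_path, 0o600)
        ovpn_conf.write(server_conf)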
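def generate_ovpn_conf(self):
    """Build the OpenVPN server configuration and write it to
    ``self.ovpn_conf_path``.

    Side effects: may (re)create the server's primary user when the
    stored primary organization/user is missing or no longer belongs to
    the server; sets ``self.primary_user``; when ``self.server.debug`` is
    set, pushes each config line to ``self.server.output`` *before* the
    CA/cert/key/dh blocks are appended, so key material is not echoed.

    Raises:
        ValueError: if ``self.server.protocol`` is neither ``'tcp'`` nor
            ``'udp'``.

    The written file embeds the server certificate, private key, tls-auth
    key and DH params, so it is created with owner-only permissions.
    """
    # Ensure a usable primary user/org exists; each branch retries the
    # lookup after (re)creating the primary user.
    if not self.server.primary_organization or \
            not self.server.primary_user:
        self.server.create_primary_user()

    if self.server.primary_organization not in self.server.organizations:
        self.server.remove_primary_user()
        self.server.create_primary_user()

    primary_org = organization.get_by_id(
        self.server.primary_organization)
    if not primary_org:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)

    self.primary_user = primary_org.get_user(self.server.primary_user)
    if not self.primary_user:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)
        self.primary_user = primary_org.get_user(
            self.server.primary_user)

    gateway = utils.get_network_gateway(self.server.network)
    gateway6 = utils.get_network_gateway(self.server.network6)

    # Route directives: "push ..." lines go to clients, bare "route ..."
    # lines install kernel routes on the server side.
    push = ''
    routes = []
    for route in self.server.get_routes(include_default=False):
        routes.append(route['network'])
        if route['virtual_network']:
            continue

        metric = route.get('metric')
        if metric:
            metric_def = ' default %s' % metric
            metric = ' %s' % metric
        else:
            metric_def = ''
            metric = ''

        # A route with a NAT netmap is advertised by the mapped network
        # rather than its real network.
        network = route['network']
        netmap = route.get('nat_netmap')
        if netmap:
            network = netmap

        if route['net_gateway']:
            if ':' in network:
                push += 'push "route-ipv6 %s net_gateway%s"\n' % (
                    network, metric)
            else:
                push += 'push "route %s %s net_gateway%s"\n' % (
                    utils.parse_network(network) + (metric,))
        elif not route.get('network_link'):
            if ':' in network:
                push += 'push "route-ipv6 %s%s"\n' % (
                    network, metric_def)
            else:
                push += 'push "route %s %s%s"\n' % (
                    utils.parse_network(network) + (metric_def,))
        else:
            if ':' in network:
                push += 'route-ipv6 %s %s%s\n' % (
                    network, gateway6, metric)
            else:
                push += 'route %s %s %s%s\n' % (
                    utils.parse_network(network) + (gateway, metric))

    # Routes of linked servers: only the side with the lower id emits
    # them (presumably so each link pair is written once — confirm).
    for link_svr in self.server.iter_links(fields=(
            '_id', 'network', 'local_networks', 'network_start',
            'network_end', 'organizations', 'routes', 'links', 'ipv6',
            'replica_count', 'network_mode')):
        if self.server.id < link_svr.id:
            for route in link_svr.get_routes(include_default=False):
                network = route['network']
                metric = route.get('metric')
                if metric:
                    metric = ' %s' % metric
                else:
                    metric = ''

                if route['net_gateway']:
                    continue

                # Same NAT netmap substitution as for local routes.
                netmap = route.get('nat_netmap')
                if netmap:
                    network = netmap

                if ':' in network:
                    push += 'route-ipv6 %s %s%s\n' % (
                        network, gateway6, metric)
                else:
                    push += 'route %s %s %s%s\n' % (
                        utils.parse_network(network) + (gateway, metric)
                    )

    if self.vxlan:
        push += 'push "route %s %s"\n' % utils.parse_network(
            self.vxlan.vxlan_net)
        if self.server.ipv6:
            push += 'push "route-ipv6 %s"\n' % self.vxlan.vxlan_net6

    if self.server.network_mode == BRIDGE:
        host_int_data = self.host_interface_data
        host_address = host_int_data['address']
        host_netmask = host_int_data['netmask']
        server_line = 'server-bridge %s %s %s %s' % (
            host_address,
            host_netmask,
            self.server.network_start,
            self.server.network_end,
        )
    else:
        server_line = 'server %s %s' % utils.parse_network(
            self.server.network)
        if self.server.ipv6:
            server_line += '\nserver-ipv6 ' + self.server.network6

    # Dual-stack listeners are only used when no explicit bind address
    # pins the server to a single address family.
    if self.server.protocol == 'tcp':
        if (self.server.ipv6 or settings.vpn.ipv6) and \
                not self.server.bind_address:
            protocol = 'tcp6-server'
        else:
            protocol = 'tcp-server'
    elif self.server.protocol == 'udp':
        if (self.server.ipv6 or settings.vpn.ipv6) and \
                not self.server.bind_address:
            protocol = 'udp6'
        else:
            protocol = 'udp'
    else:
        raise ValueError('Unknown protocol')

    if utils.check_openvpn_ver():
        server_ciphers = SERVER_CIPHERS
        server_conf_template = OVPN_INLINE_SERVER_CONF
    else:
        server_ciphers = SERVER_CIPHERS_OLD
        server_conf_template = OVPN_INLINE_SERVER_CONF_OLD

    server_conf = server_conf_template % (
        self.server.port,
        protocol,
        self.interface,
        server_line,
        self.management_socket_path,
        self.server.max_clients,
        self.server.ping_interval,
        self.server.ping_timeout + 20,
        self.server.ping_interval,
        self.server.ping_timeout,
        server_ciphers[self.server.cipher],
        HASHES[self.server.hash],
        4 if self.server.debug else 1,
        8 if self.server.debug else 3,
    )

    if self.server.bind_address:
        server_conf += 'local %s\n' % self.server.bind_address

    if self.server.inter_client:
        server_conf += 'client-to-client\n'

    if self.server.multi_device:
        server_conf += 'duplicate-cn\n'

    if self.server.protocol == 'udp':
        server_conf += 'replay-window 128\n'

    if self.server.mss_fix:
        server_conf += 'mssfix %s\n' % self.server.mss_fix

    # Pritunl v0.10.x did not include comp-lzo in client conf
    # if lzo_compression is adaptive dont include comp-lzo in server conf
    if self.server.lzo_compression == ADAPTIVE:
        pass
    elif self.server.lzo_compression:
        server_conf += 'comp-lzo yes\npush "comp-lzo yes"\n'
    else:
        server_conf += 'comp-lzo no\npush "comp-lzo no"\n'

    server_conf += JUMBO_FRAMES[self.server.jumbo_frames]

    if push:
        server_conf += push

    # Debug echo happens here, before any key material is appended below.
    if self.server.debug:
        self.server.output.push_message('Server conf:')
        for conf_line in server_conf.split('\n'):
            if conf_line:
                self.server.output.push_message(' ' + conf_line)

    # Enterprise plugins may contribute extra config lines.
    if settings.local.sub_plan and \
            'enterprise' in settings.local.sub_plan:
        returns = plugins.caller(
            'server_config',
            host_id=settings.local.host_id,
            host_name=settings.local.host.name,
            server_id=self.server.id,
            server_name=self.server.name,
            port=self.server.port,
            protocol=self.server.protocol,
            ipv6=self.server.ipv6,
            ipv6_firewall=self.server.ipv6_firewall,
            network=self.server.network,
            network6=self.server.network6,
            network_mode=self.server.network_mode,
            network_start=self.server.network_start,
            network_stop=self.server.network_end,
            restrict_routes=self.server.restrict_routes,
            bind_address=self.server.bind_address,
            onc_hostname=None,
            dh_param_bits=self.server.dh_param_bits,
            multi_device=self.server.multi_device,
            dns_servers=self.server.dns_servers,
            search_domain=self.server.search_domain,
            otp_auth=self.server.otp_auth,
            cipher=self.server.cipher,
            hash=self.server.hash,
            inter_client=self.server.inter_client,
            ping_interval=self.server.ping_interval,
            ping_timeout=self.server.ping_timeout,
            link_ping_interval=self.server.link_ping_interval,
            link_ping_timeout=self.server.link_ping_timeout,
            allowed_devices=self.server.allowed_devices,
            max_clients=self.server.max_clients,
            replica_count=self.server.replica_count,
            dns_mapping=self.server.dns_mapping,
            debug=self.server.debug,
            routes=routes,
            interface=self.interface,
            bridge_interface=self.bridge_interface,
            vxlan=self.vxlan,
        )

        if returns:
            for return_val in returns:
                if not return_val:
                    continue
                server_conf += return_val.strip() + '\n'

    # Inline credential blocks; everything from here on is secret material.
    server_conf += '<ca>\n%s\n</ca>\n' % self.server.ca_certificate

    if self.server.tls_auth:
        server_conf += \
            'key-direction 0\n<tls-auth>\n%s\n</tls-auth>\n' % (
                self.server.tls_auth_key)

    server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
        self.primary_user.certificate)
    server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
    server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params

    # Create the file with mode 0600 from the outset instead of opening it
    # with the umask default and chmod'ing afterwards: that ordering left a
    # window in which a freshly created conf (holding the private key and
    # tls-auth key) could be readable by other local users.
    fd = os.open(self.ovpn_conf_path,
        os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as ovpn_conf:
        # The mode passed to os.open applies only when the file is created;
        # tighten a pre-existing file as well before writing into it.
        os.chmod(self.ovpn_conf_path, 0o600)
        ovpn_conf.write(server_conf)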