def build_onc_archive(self): temp_path = utils.get_temp_path() key_archive_path = os.path.join(temp_path, '%s.zip' % self.id) try: os.makedirs(temp_path) zip_file = zipfile.ZipFile(key_archive_path, 'w') try: user_cert_path = os.path.join(temp_path, '%s.crt' % self.id) user_key_path = os.path.join(temp_path, '%s.key' % self.id) user_p12_path = os.path.join(temp_path, '%s.p12' % self.id) with open(user_cert_path, 'w') as user_cert: user_cert.write(self.certificate) with open(user_key_path, 'w') as user_key: os.chmod(user_key_path, 0600) user_key.write(self.private_key) utils.check_output_logged([ 'openssl', 'pkcs12', '-export', '-nodes', '-password', 'pass:'******'-inkey', user_key_path, '-in', user_cert_path, '-out', user_p12_path, ]) zip_file.write(user_p12_path, arcname='%s.p12' % self.name) os.remove(user_cert_path) os.remove(user_key_path) os.remove(user_p12_path) for svr in self.iter_servers(): server_conf_path = os.path.join( temp_path, '%s_%s.onc' % (self.id, svr.id)) conf_name, client_conf = self._generate_onc(svr) if not client_conf: continue with open(server_conf_path, 'w') as ovpn_conf: ovpn_conf.write(client_conf) zip_file.write(server_conf_path, arcname=conf_name) os.remove(server_conf_path) finally: zip_file.close() with open(key_archive_path, 'r') as archive_file: key_archive = archive_file.read() finally: utils.rmtree(temp_path) return key_archive
def build_key_zip_archive(self): temp_path = utils.get_temp_path() key_archive_path = os.path.join(temp_path, '%s.zip' % self.id) try: os.makedirs(temp_path) zip_file = zipfile.ZipFile(key_archive_path, 'w') try: for svr in self.org.iter_servers(): server_conf_path = os.path.join(temp_path, '%s_%s.ovpn' % (self.id, svr.id)) conf_name, client_conf, conf_hash = self._generate_conf( svr) with open(server_conf_path, 'w') as ovpn_conf: os.chmod(server_conf_path, 0600) ovpn_conf.write(client_conf) zip_file.write(server_conf_path, arcname=conf_name) os.remove(server_conf_path) finally: zip_file.close() with open(key_archive_path, 'r') as archive_file: key_archive = archive_file.read() finally: utils.rmtree(temp_path) return key_archive
def build_key_tar_archive(self): temp_path = utils.get_temp_path() key_archive_path = os.path.join(temp_path, "%s.tar" % self.id) try: os.makedirs(temp_path) tar_file = tarfile.open(key_archive_path, "w") try: for svr in self.org.iter_servers(): server_conf_path = os.path.join(temp_path, "%s_%s.ovpn" % (self.id, svr.id)) conf_name, client_conf, conf_hash = self._generate_conf(svr) with open(server_conf_path, "w") as ovpn_conf: os.chmod(server_conf_path, 0600) ovpn_conf.write(client_conf) tar_file.add(server_conf_path, arcname=conf_name) os.remove(server_conf_path) finally: tar_file.close() with open(key_archive_path, "r") as archive_file: key_archive = archive_file.read() finally: utils.rmtree(temp_path) return key_archive
def build_key_tar_archive(self): temp_path = utils.get_temp_path() key_archive_path = os.path.join(temp_path, '%s.tar' % self.id) try: os.makedirs(temp_path) tar_file = tarfile.open(key_archive_path, 'w') try: for svr in self.iter_servers(): server_conf_path = os.path.join( temp_path, '%s_%s.ovpn' % (self.id, svr.id)) conf_name, client_conf, conf_hash = self._generate_conf( svr) with open(server_conf_path, 'w') as ovpn_conf: os.chmod(server_conf_path, 0600) ovpn_conf.write(client_conf) tar_file.add(server_conf_path, arcname=conf_name) os.remove(server_conf_path) finally: tar_file.close() with open(key_archive_path, 'r') as archive_file: key_archive = archive_file.read() finally: utils.rmtree(temp_path) return key_archive
def build_key_zip_archive(self): temp_path = utils.get_temp_path() key_archive_path = os.path.join(temp_path, '%s.zip' % self.id) try: os.makedirs(temp_path) zip_file = zipfile.ZipFile(key_archive_path, 'w') try: for svr in self.iter_servers(): if not svr.check_groups(self.groups): continue server_conf_path = os.path.join( temp_path, '%s_%s.ovpn' % (self.id, svr.id)) conf_name, client_conf, conf_hash = self._generate_conf( svr) with open(server_conf_path, 'w') as ovpn_conf: os.chmod(server_conf_path, 0600) ovpn_conf.write(client_conf) zip_file.write(server_conf_path, arcname=conf_name) os.remove(server_conf_path) finally: zip_file.close() with open(key_archive_path, 'r') as archive_file: key_archive = archive_file.read() finally: utils.rmtree(temp_path) return key_archive
def generate_tls_auth_wait(self): try: return_code = self.tls_auth_process.wait() if return_code: raise ValueError("Popen returned " + "error exit code %r" % return_code) self.read_file("tls_auth_key", self.tls_auth_path) finally: utils.rmtree(self.tls_auth_temp_path)
def generate_tls_auth_wait(self): try: return_code = self.tls_auth_process.wait() if return_code: raise ValueError('Popen returned ' + 'error exit code %r' % return_code) self.read_file('tls_auth_key', self.tls_auth_path) finally: utils.rmtree(self.tls_auth_temp_path)
def build_onc_archive(self): temp_path = utils.get_temp_path() key_archive_path = os.path.join(temp_path, '%s.zip' % self.id) try: os.makedirs(temp_path) zip_file = zipfile.ZipFile(key_archive_path, 'w') try: user_cert_path = os.path.join(temp_path, '%s.crt' % self.id) user_key_path = os.path.join(temp_path, '%s.key' % self.id) user_p12_path = os.path.join(temp_path, '%s.p12' % self.id) with open(user_cert_path, 'w') as user_cert: user_cert.write(self.certificate) with open(user_key_path, 'w') as user_key: os.chmod(user_key_path, 0600) user_key.write(self.private_key) utils.check_output_logged([ 'openssl', 'pkcs12', '-export', '-nodes', '-password', 'pass:'******'-inkey', user_key_path, '-in', user_cert_path, '-out', user_p12_path ]) zip_file.write(user_p12_path, arcname='%s.p12' % self.name) os.remove(user_cert_path) os.remove(user_key_path) os.remove(user_p12_path) for svr in self.org.iter_servers(): server_conf_path = os.path.join(temp_path, '%s_%s.onc' % (self.id, svr.id)) conf_name, client_conf = self._generate_onc(svr) if not client_conf: continue with open(server_conf_path, 'w') as ovpn_conf: ovpn_conf.write(client_conf) zip_file.write(server_conf_path, arcname=conf_name) os.remove(server_conf_path) finally: zip_file.close() with open(key_archive_path, 'r') as archive_file: key_archive = archive_file.read() finally: utils.rmtree(temp_path) return key_archive
def task(self): logger.debug('Generating server dh params', 'server', queue_id=self.id, dh_param_bits=self.dh_param_bits, ) self.queue_com.wait_status() temp_path = utils.get_temp_path() dh_param_path = os.path.join(temp_path, DH_PARAM_NAME) try: os.makedirs(temp_path) args = [ 'openssl', 'dhparam', '-out', dh_param_path, str(self.dh_param_bits), ] self.queue_com.popen(args) self.read_file('dh_params', dh_param_path) finally: utils.rmtree(temp_path) self.queue_com.wait_status() if not self.server_id: self.load() if self.reserve_data: self.server_id = self.reserve_data['server_id'] if self.server_id: response = self.server_collection.update({ '_id': self.server_id, 'dh_param_bits': self.dh_param_bits, }, {'$set': { 'dh_params': self.dh_params, }}) if response['updatedExisting']: logger.debug('Set queued server dh params', 'server', queue_id=self.id, dh_param_bits=self.dh_param_bits, ) event.Event(type=SERVERS_UPDATED) return logger.debug('Adding pooled dh params', 'server', queue_id=self.id, dh_param_bits=self.dh_param_bits, ) self.dh_params_collection.insert({ 'dh_param_bits': self.dh_param_bits, 'dh_params': self.dh_params, })
def generate_tls_auth_start(self): self.tls_auth_temp_path = utils.get_temp_path() self.tls_auth_path = os.path.join(self.tls_auth_temp_path, TLS_AUTH_NAME) os.makedirs(self.tls_auth_temp_path) args = ["openvpn", "--genkey", "--secret", self.tls_auth_path] try: self.tls_auth_process = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE) except: utils.rmtree(self.tls_auth_temp_path) raise
def openvpn_watch(self): try: while True: while True: line = self.process.stdout.readline() if not line: if self.process.poll() is not None: break else: time.sleep(0.05) continue yield try: self.server.output_link.push_output( line, label=self.output_label, link_server_id=self.linked_server.id, ) except: logger.exception( 'Failed to push link vpn ' + 'output', 'server', server_id=self.server.id, ) yield if self.stop_event.is_set(): break else: logger.error( 'Server instance link stopped ' + 'unexpectedly, restarting link', 'server', server_id=self.server.id, link_server_id=self.linked_server.id, ) self.openvpn_start() yield interrupter_sleep(1) yield finally: if self.interface: utils.interface_release( 'tap' if self.linked_server.network_mode == BRIDGE \ else 'tun', self.interface) self.interface = None utils.rmtree(self._temp_path)
def openvpn_watch(self): try: while True: while True: line = self.process.stdout.readline() if not line: if self.process.poll() is not None: break else: time.sleep(0.05) continue yield try: self.server.output_link.push_output( line, label=self.output_label, link_server_id=self.linked_server.id, ) except: logger.exception('Failed to push link vpn ' + 'output', 'server', server_id=self.server.id, ) yield if self.stop_event.is_set(): break else: logger.error('Server instance link stopped ' + 'unexpectedly, restarting link', 'server', server_id=self.server.id, link_server_id=self.linked_server.id, ) self.openvpn_start() yield interrupter_sleep(1) yield finally: if self.interface: utils.interface_release( 'tap' if self.linked_server.network_mode == BRIDGE \ else 'tun', self.interface) self.interface = None utils.rmtree(self._temp_path)
def generate_tls_auth_start(self): self.tls_auth_temp_path = utils.get_temp_path() self.tls_auth_path = os.path.join( self.tls_auth_temp_path, TLS_AUTH_NAME) os.makedirs(self.tls_auth_temp_path) args = [ 'openvpn', '--genkey', '--secret', self.tls_auth_path, ] try: self.tls_auth_process = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE) except: utils.rmtree(self.tls_auth_temp_path) raise
def build_key_archive(self): temp_path = utils.get_temp_path() key_archive_path = os.path.join(temp_path, '%s.tar' % self.id) try: os.makedirs(temp_path) tar_file = tarfile.open(key_archive_path, 'w') try: for server in self.org.iter_servers(): server_conf_path = os.path.join( temp_path, '%s_%s.ovpn' % (self.id, server.id)) server_conf_arcname = '%s_%s_%s.ovpn' % ( self.org.name, self.name, server.name) server.generate_ca_cert() client_conf = OVPN_INLINE_CLIENT_CONF % ( self._get_key_info_str(self.name, self.org.name, server.name), server.protocol, server.public_address, server.port, ) if server.otp_auth: client_conf += 'auth-user-pass\n' client_conf += '<ca>\n%s\n</ca>\n' % utils.get_cert_block( server.ca_certificate) client_conf += ('<cert>\n%s\n' + \ '</cert>\n') % utils.get_cert_block(self.certificate) client_conf += '<key>\n%s\n</key>\n' % ( self.private_key.strip()) with open(server_conf_path, 'w') as ovpn_conf: os.chmod(server_conf_path, 0600) ovpn_conf.write(client_conf) tar_file.add(server_conf_path, arcname=server_conf_arcname) os.remove(server_conf_path) finally: tar_file.close() with open(key_archive_path, 'r') as archive_file: key_archive = archive_file.read() finally: utils.rmtree(temp_path) return key_archive
def build_key_archive(self): temp_path = utils.get_temp_path() key_archive_path = os.path.join(temp_path, '%s.tar' % self.id) try: os.makedirs(temp_path) tar_file = tarfile.open(key_archive_path, 'w') try: for server in self.org.iter_servers(): server_conf_path = os.path.join(temp_path, '%s_%s.ovpn' % (self.id, server.id)) server_conf_arcname = '%s_%s_%s.ovpn' % ( self.org.name, self.name, server.name) server.generate_ca_cert() client_conf = OVPN_INLINE_CLIENT_CONF % ( self._get_key_info_str( self.name, self.org.name, server.name), server.protocol, server.public_address, server.port, ) if server.otp_auth: client_conf += 'auth-user-pass\n' client_conf += '<ca>\n%s\n</ca>\n' % utils.get_cert_block( server.ca_certificate) client_conf += ('<cert>\n%s\n' + \ '</cert>\n') % utils.get_cert_block(self.certificate) client_conf += '<key>\n%s\n</key>\n' % ( self.private_key.strip()) with open(server_conf_path, 'w') as ovpn_conf: os.chmod(server_conf_path, 0600) ovpn_conf.write(client_conf) tar_file.add(server_conf_path, arcname=server_conf_arcname) os.remove(server_conf_path) finally: tar_file.close() with open(key_archive_path, 'r') as archive_file: key_archive = archive_file.read() finally: utils.rmtree(temp_path) return key_archive
def archive_log(self, archive_path): temp_path = utils.get_temp_path() if os.path.isdir(archive_path): archive_path = os.path.join( archive_path, LOG_ARCHIVE_NAME + '.tar') output_path = os.path.join(temp_path, LOG_ARCHIVE_NAME) try: os.makedirs(temp_path) tar_file = tarfile.open(archive_path, 'w') try: with open(output_path, 'w') as log_file: log_file.write(self.get_log_lines(False)) tar_file.add(output_path, arcname=LOG_ARCHIVE_NAME) finally: tar_file.close() finally: utils.rmtree(temp_path) return archive_path
def archive_log(self, archive_path, limit): temp_path = utils.get_temp_path() if os.path.isdir(archive_path): archive_path = os.path.join(archive_path, LOG_ARCHIVE_NAME + '.tar') output_path = os.path.join(temp_path, LOG_ARCHIVE_NAME) try: os.makedirs(temp_path) tar_file = tarfile.open(archive_path, 'w') try: with open(output_path, 'w') as log_file: log_file.write(self.get_log_lines(limit, False)) tar_file.add(output_path, arcname=LOG_ARCHIVE_NAME) finally: tar_file.close() finally: utils.rmtree(temp_path) return archive_path
def task(self): logger.debug("Generating server dh params", "server", queue_id=self.id, dh_param_bits=self.dh_param_bits) self.queue_com.wait_status() temp_path = utils.get_temp_path() dh_param_path = os.path.join(temp_path, DH_PARAM_NAME) try: os.makedirs(temp_path) args = ["openssl", "dhparam", "-out", dh_param_path, str(self.dh_param_bits)] self.queue_com.popen(args) self.read_file("dh_params", dh_param_path) finally: utils.rmtree(temp_path) self.queue_com.wait_status() if not self.server_id: self.load() if self.reserve_data: self.server_id = self.reserve_data["server_id"] if self.server_id: response = self.server_collection.update( {"_id": self.server_id, "dh_param_bits": self.dh_param_bits}, {"$set": {"dh_params": self.dh_params}} ) if response["updatedExisting"]: logger.debug( "Set queued server dh params", "server", queue_id=self.id, dh_param_bits=self.dh_param_bits ) event.Event(type=SERVERS_UPDATED) return logger.debug("Adding pooled dh params", "server", queue_id=self.id, dh_param_bits=self.dh_param_bits) self.dh_params_collection.insert({"dh_param_bits": self.dh_param_bits, "dh_params": self.dh_params})
def _run_thread(self, send_events): from pritunl.server.utils import get_by_id logger.info('Starting vpn server', 'server', server_id=self.server.id, instance_id=self.id, network=self.server.network, network6=self.server.network6, host_address=settings.local.host.local_addr, host_address6=settings.local.host.local_addr6, host_networks=settings.local.host.local_networks, cur_timestamp=utils.now(), ) self.resources_acquire() try: cursor_id = self.get_cursor_id() os.makedirs(self._temp_path) self.enable_ip_forwarding() self.bridge_start() if self.server.replicating and self.server.vxlan: try: self.vxlan = vxlan.get_vxlan(self.server.id) self.vxlan.start() except: logger.exception('Failed to setup server vxlan', 'vxlan', server_id=self.server.id, instance_id=self.id, ) self.generate_ovpn_conf() self.generate_iptables_rules() self.iptables.upsert_rules() self.init_route_advertisements() self.process = self.openvpn_start() self.start_threads(cursor_id) self.instance_com = ServerInstanceCom(self.server, self) self.instance_com.start() self.publish('started') if send_events: event.Event(type=SERVERS_UPDATED) event.Event(type=SERVER_HOSTS_UPDATED, resource_id=self.server.id) for org_id in self.server.organizations: event.Event(type=USERS_UPDATED, resource_id=org_id) for link_doc in self.server.links: if self.server.id > link_doc['server_id']: instance_link = ServerInstanceLink( server=self.server, linked_server=get_by_id(link_doc['server_id']), ) self.server_links.append(instance_link) instance_link.start() plugins.caller( 'server_start', host_id=settings.local.host_id, host_name=settings.local.host.name, server_id=self.server.id, server_name=self.server.name, port=self.server.port, protocol=self.server.protocol, ipv6=self.server.ipv6, ipv6_firewall=self.server.ipv6_firewall, network=self.server.network, network6=self.server.network6, network_mode=self.server.network_mode, network_start=self.server.network_start, network_stop=self.server.network_end, restrict_routes=self.server.restrict_routes, bind_address=self.server.bind_address, onc_hostname=self.server.onc_hostname, dh_param_bits=self.server.dh_param_bits, multi_device=self.server.multi_device, dns_servers=self.server.dns_servers, search_domain=self.server.search_domain, otp_auth=self.server.otp_auth, cipher=self.server.cipher, hash=self.server.hash, inter_client=self.server.inter_client, ping_interval=self.server.ping_interval, ping_timeout=self.server.ping_timeout, link_ping_interval=self.server.link_ping_interval, link_ping_timeout=self.server.link_ping_timeout, allowed_devices=self.server.allowed_devices, max_clients=self.server.max_clients, replica_count=self.server.replica_count, dns_mapping=self.server.dns_mapping, debug=self.server.debug, interface=self.interface, bridge_interface=self.bridge_interface, vxlan=self.vxlan, ) try: self.openvpn_watch() finally: plugins.caller( 'server_stop', host_id=settings.local.host_id, host_name=settings.local.host.name, server_id=self.server.id, server_name=self.server.name, port=self.server.port, protocol=self.server.protocol, ipv6=self.server.ipv6, ipv6_firewall=self.server.ipv6_firewall, network=self.server.network, network6=self.server.network6, network_mode=self.server.network_mode, network_start=self.server.network_start, network_stop=self.server.network_end, restrict_routes=self.server.restrict_routes, bind_address=self.server.bind_address, onc_hostname=self.server.onc_hostname, dh_param_bits=self.server.dh_param_bits, multi_device=self.server.multi_device, dns_servers=self.server.dns_servers, search_domain=self.server.search_domain, otp_auth=self.server.otp_auth, cipher=self.server.cipher, hash=self.server.hash, inter_client=self.server.inter_client, ping_interval=self.server.ping_interval, ping_timeout=self.server.ping_timeout, link_ping_interval=self.server.link_ping_interval, link_ping_timeout=self.server.link_ping_timeout, allowed_devices=self.server.allowed_devices, max_clients=self.server.max_clients, replica_count=self.server.replica_count, dns_mapping=self.server.dns_mapping, debug=self.server.debug, interface=self.interface, bridge_interface=self.bridge_interface, vxlan=self.vxlan, ) self.interrupt = True self.bridge_stop() self.iptables.clear_rules() self.resources_release() if not self.clean_exit: event.Event(type=SERVERS_UPDATED) self.server.send_link_events() logger.LogEntry( message='Server stopped unexpectedly "%s".' % ( self.server.name)) except: logger.exception('Server error occurred while running', 'server', server_id=self.server.id, ) try: self.interrupt = True self.stop_process() except: logger.exception('Server stop error', 'server', server_id=self.server.id, ) finally: try: if self.resource_lock: self.bridge_stop() self.iptables.clear_rules() except: logger.exception('Server resource error', 'server', server_id=self.server.id, ) try: self.resources_release() self.stop_threads() self.collection.update({ '_id': self.server.id, 'instances.instance_id': self.id, }, { '$pull': { 'instances': { 'instance_id': self.id, }, }, '$inc': { 'instances_count': -1, }, }) utils.rmtree(self._temp_path) except: logger.exception('Server clean up error', 'server', server_id=self.server.id, )
def build_onc(self): temp_path = utils.get_temp_path() try: os.makedirs(temp_path) user_cert_path = os.path.join(temp_path, '%s.crt' % self.id) user_key_path = os.path.join(temp_path, '%s.key' % self.id) user_p12_path = os.path.join(temp_path, '%s.p12' % self.id) with open(user_cert_path, 'w') as user_cert: user_cert.write(self.certificate) with open(user_key_path, 'w') as user_key: os.chmod(user_key_path, 0600) user_key.write(self.private_key) utils.check_output_logged([ 'openssl', 'pkcs12', '-export', '-nodes', '-password', 'pass:'******'-inkey', user_key_path, '-in', user_cert_path, '-out', user_p12_path, ]) with open(user_p12_path, 'r') as user_key_p12: user_key_base64 = base64.b64encode(user_key_p12.read()) user_cert_id = '{%s}' % hashlib.md5( user_key_base64).hexdigest() os.remove(user_cert_path) os.remove(user_key_path) os.remove(user_p12_path) onc_nets = '' onc_certs_store = {} for svr in self.iter_servers(): onc_net, onc_certs = self._generate_onc(svr, user_cert_id) if not onc_net: continue onc_certs_store.update(onc_certs) onc_nets += onc_net + ',\n' onc_nets = onc_nets[:-2] if onc_nets == '': return None onc_certs = '' for cert_id, cert in onc_certs_store.items(): onc_certs += OVPN_ONC_CA_CERT % (cert_id, cert) + ',\n' onc_certs += OVPN_ONC_CLIENT_CERT % (user_cert_id, user_key_base64) onc_conf = OVPN_ONC_CLIENT_CONF % (onc_nets, onc_certs) finally: utils.rmtree(temp_path) return onc_conf
def build_onc(self): temp_path = utils.get_temp_path() try: os.makedirs(temp_path) user_cert_path = os.path.join(temp_path, '%s.crt' % self.id) user_key_path = os.path.join(temp_path, '%s.key' % self.id) user_p12_path = os.path.join(temp_path, '%s.p12' % self.id) with open(user_cert_path, 'w') as user_cert: user_cert.write(self.certificate) with open(user_key_path, 'w') as user_key: os.chmod(user_key_path, 0600) user_key.write(self.private_key) utils.check_output_logged([ 'openssl', 'pkcs12', '-export', '-nodes', '-password', 'pass:'******'-inkey', user_key_path, '-in', user_cert_path, '-out', user_p12_path, ]) with open(user_p12_path, 'r') as user_key_p12: user_key_base64 = base64.b64encode(user_key_p12.read()) user_cert_id = '{%s}' % hashlib.md5( user_key_base64).hexdigest() os.remove(user_cert_path) os.remove(user_key_path) os.remove(user_p12_path) onc_nets = '' onc_certs_store = {} for svr in self.iter_servers(): onc_net, onc_certs = self._generate_onc( svr, user_cert_id) if not onc_net: continue onc_certs_store.update(onc_certs) onc_nets += onc_net + ',\n' onc_nets = onc_nets[:-2] if onc_nets == '': return None onc_certs = '' for cert_id, cert in onc_certs_store.items(): onc_certs += OVPN_ONC_CA_CERT % (cert_id, cert) + ',\n' onc_certs += OVPN_ONC_CLIENT_CERT % ( user_cert_id, user_key_base64) onc_conf = OVPN_ONC_CLIENT_CONF % (onc_nets, onc_certs) finally: utils.rmtree(temp_path) return onc_conf
def _run_thread(self, send_events): from pritunl.server.utils import get_by_id logger.debug('Starting ovpn process', 'server', server_id=self.server.id, ) self.resources_acquire() try: cursor_id = self.get_cursor_id() os.makedirs(self._temp_path) self.generate_ovpn_conf() self.enable_ip_forwarding() self.set_iptables_rules() self.process = self.openvpn_start() if not self.process: return self.start_threads(cursor_id) self.instance_com = ServerInstanceCom(self.server, self) self.instance_com.start() self.publish('started') if send_events: event.Event(type=SERVERS_UPDATED) event.Event(type=SERVER_HOSTS_UPDATED, resource_id=self.server.id) for org_id in self.server.organizations: event.Event(type=USERS_UPDATED, resource_id=org_id) for link_doc in self.server.links: if self.server.id > link_doc['server_id']: instance_link = ServerInstanceLink( server=self.server, linked_server=get_by_id(link_doc['server_id']), ) self.server_links.append(instance_link) instance_link.start() self.openvpn_watch() self.interrupt = True self.clear_iptables_rules() self.resources_release() if not self.clean_exit: event.Event(type=SERVERS_UPDATED) self.server.send_link_events() logger.LogEntry(message='Server stopped unexpectedly "%s".' % ( self.server.name)) except: self.interrupt = True if self.resource_lock: self.clear_iptables_rules() self.resources_release() logger.exception('Server error occurred while running', 'server', server_id=self.server.id, ) finally: self.stop_threads() self.collection.update({ '_id': self.server.id, 'instances.instance_id': self.id, }, { '$pull': { 'instances': { 'instance_id': self.id, }, }, '$inc': { 'instances_count': -1, }, }) utils.rmtree(self._temp_path)
def initialize(self): temp_path = utils.get_temp_path() index_path = os.path.join(temp_path, INDEX_NAME) index_attr_path = os.path.join(temp_path, INDEX_ATTR_NAME) serial_path = os.path.join(temp_path, SERIAL_NAME) ssl_conf_path = os.path.join(temp_path, OPENSSL_NAME) reqs_path = os.path.join(temp_path, '%s.csr' % self.id) key_path = os.path.join(temp_path, '%s.key' % self.id) cert_path = os.path.join(temp_path, '%s.crt' % self.id) ca_name = self.id if self.type == CERT_CA else 'ca' ca_cert_path = os.path.join(temp_path, '%s.crt' % ca_name) ca_key_path = os.path.join(temp_path, '%s.key' % ca_name) self.org.queue_com.wait_status() try: os.makedirs(temp_path) with open(index_path, 'a'): os.utime(index_path, None) with open(index_attr_path, 'a'): os.utime(index_attr_path, None) with open(serial_path, 'w') as serial_file: serial_hex = ('%x' % utils.fnv64a(str(self.id))).upper() if len(serial_hex) % 2: serial_hex = '0' + serial_hex serial_file.write('%s\n' % serial_hex) with open(ssl_conf_path, 'w') as conf_file: conf_file.write(CERT_CONF % ( settings.user.cert_key_bits, settings.user.cert_message_digest, self.org.id, self.id, index_path, serial_path, temp_path, ca_cert_path, ca_key_path, settings.user.cert_message_digest, )) self.org.queue_com.wait_status() if self.type != CERT_CA: self.org.write_file('ca_certificate', ca_cert_path, chmod=0600) self.org.write_file('ca_private_key', ca_key_path, chmod=0600) self.generate_otp_secret() try: args = [ 'openssl', 'req', '-new', '-batch', '-config', ssl_conf_path, '-out', reqs_path, '-keyout', key_path, '-reqexts', '%s_req_ext' % self.type.replace('_pool', ''), ] self.org.queue_com.popen(args) except (OSError, ValueError): logger.exception( 'Failed to create user cert requests', 'user', org_id=self.org.id, user_id=self.id, ) raise self.read_file('private_key', key_path) try: args = ['openssl', 'ca', '-batch'] if self.type == CERT_CA: args += ['-selfsign'] args += [ '-config', ssl_conf_path, '-in', reqs_path, '-out', cert_path, '-extensions', '%s_ext' % self.type.replace('_pool', ''), ] self.org.queue_com.popen(args) except (OSError, ValueError): logger.exception( 'Failed to create user cert', 'user', org_id=self.org.id, user_id=self.id, ) raise self.read_file('certificate', cert_path) finally: try: utils.rmtree(temp_path) except subprocess.CalledProcessError: pass self.org.queue_com.wait_status() # If assign ip addr fails it will be corrected in ip sync task try: self.assign_ip_addr() except: logger.exception( 'Failed to assign users ip address', 'user', org_id=self.org.id, user_id=self.id, )
def _run_thread(self, send_events): from pritunl.server.utils import get_by_id logger.debug( 'Starting ovpn process', 'server', server_id=self.server.id, ) self.resources_acquire() try: cursor_id = self.get_cursor_id() os.makedirs(self._temp_path) self.generate_ovpn_conf() self.enable_ip_forwarding() self.set_iptables_rules() self.process = self.openvpn_start() if not self.process: return self.start_threads(cursor_id) self.instance_com = ServerInstanceCom(self.server, self) self.instance_com.start() self.publish('started') if send_events: event.Event(type=SERVERS_UPDATED) event.Event(type=SERVER_HOSTS_UPDATED, resource_id=self.server.id) for org_id in self.server.organizations: event.Event(type=USERS_UPDATED, resource_id=org_id) for link_doc in self.server.links: if self.server.id > link_doc['server_id']: instance_link = ServerInstanceLink( server=self.server, linked_server=get_by_id(link_doc['server_id']), ) self.server_links.append(instance_link) instance_link.start() self.openvpn_watch() self.interrupt = True self.clear_iptables_rules() self.resources_release() if not self.clean_exit: event.Event(type=SERVERS_UPDATED) self.server.send_link_events() logger.LogEntry(message='Server stopped unexpectedly "%s".' % (self.server.name)) except: self.interrupt = True if self.resource_lock: self.clear_iptables_rules() self.resources_release() logger.exception( 'Server error occurred while running', 'server', server_id=self.server.id, ) finally: self.stop_threads() self.collection.update( { '_id': self.server.id, 'instances.instance_id': self.id, }, { '$pull': { 'instances': { 'instance_id': self.id, }, }, '$inc': { 'instances_count': -1, }, }) utils.rmtree(self._temp_path)
def initialize(self): temp_path = utils.get_temp_path() index_path = os.path.join(temp_path, INDEX_NAME) index_attr_path = os.path.join(temp_path, INDEX_ATTR_NAME) serial_path = os.path.join(temp_path, SERIAL_NAME) ssl_conf_path = os.path.join(temp_path, OPENSSL_NAME) reqs_path = os.path.join(temp_path, '%s.csr' % self.id) key_path = os.path.join(temp_path, '%s.key' % self.id) cert_path = os.path.join(temp_path, '%s.crt' % self.id) ca_name = self.id if self.type == CERT_CA else 'ca' ca_cert_path = os.path.join(temp_path, '%s.crt' % ca_name) ca_key_path = os.path.join(temp_path, '%s.key' % ca_name) self.org.queue_com.wait_status() try: os.makedirs(temp_path) with open(index_path, 'a'): os.utime(index_path, None) with open(index_attr_path, 'a'): os.utime(index_attr_path, None) with open(serial_path, 'w') as serial_file: serial_hex = ('%x' % utils.fnv64a(str(self.id))).upper() if len(serial_hex) % 2: serial_hex = '0' + serial_hex serial_file.write('%s\n' % serial_hex) with open(ssl_conf_path, 'w') as conf_file: conf_file.write(CERT_CONF % ( settings.user.cert_key_bits, settings.user.cert_message_digest, self.org.id, self.id, index_path, serial_path, temp_path, ca_cert_path, ca_key_path, settings.user.cert_message_digest, )) self.org.queue_com.wait_status() if self.type != CERT_CA: self.org.write_file('ca_certificate', ca_cert_path, chmod=0600) self.org.write_file('ca_private_key', ca_key_path, chmod=0600) self.generate_otp_secret() try: args = [ 'openssl', 'req', '-new', '-batch', '-config', ssl_conf_path, '-out', reqs_path, '-keyout', key_path, '-reqexts', '%s_req_ext' % self.type.replace('_pool', ''), ] self.org.queue_com.popen(args) except (OSError, ValueError): logger.exception('Failed to create user cert requests', 'user', org_id=self.org.id, user_id=self.id, ) raise self.read_file('private_key', key_path) try: args = ['openssl', 'ca', '-batch'] if self.type == CERT_CA: args += ['-selfsign'] args += [ '-config', ssl_conf_path, '-in', reqs_path, '-out', cert_path, '-extensions', '%s_ext' % self.type.replace('_pool', ''), ] self.org.queue_com.popen(args) except (OSError, ValueError): logger.exception('Failed to create user cert', 'user', org_id=self.org.id, user_id=self.id, ) raise self.read_file('certificate', cert_path) finally: try: utils.rmtree(temp_path) except subprocess.CalledProcessError: pass self.org.queue_com.wait_status() # If assign ip addr fails it will be corrected in ip sync task try: self.assign_ip_addr() except: logger.exception('Failed to assign users ip address', 'user', org_id=self.org.id, user_id=self.id, )
def build_onc_archive(self): temp_path = utils.get_temp_path() key_archive_path = os.path.join(temp_path, "%s.zip" % self.id) try: os.makedirs(temp_path) zip_file = zipfile.ZipFile(key_archive_path, "w") try: user_cert_path = os.path.join(temp_path, "%s.crt" % self.id) user_key_path = os.path.join(temp_path, "%s.key" % self.id) user_p12_path = os.path.join(temp_path, "%s.p12" % self.id) with open(user_cert_path, "w") as user_cert: user_cert.write(self.certificate) with open(user_key_path, "w") as user_key: os.chmod(user_key_path, 0600) user_key.write(self.private_key) utils.check_output_logged( [ "openssl", "pkcs12", "-export", "-nodes", "-password", "pass:"******"-inkey", user_key_path, "-in", user_cert_path, "-out", user_p12_path, ] ) zip_file.write(user_p12_path, arcname="%s.p12" % self.name) os.remove(user_cert_path) os.remove(user_key_path) os.remove(user_p12_path) for svr in self.org.iter_servers(): server_conf_path = os.path.join(temp_path, "%s_%s.onc" % (self.id, svr.id)) conf_name, client_conf = self._generate_onc(svr) if not client_conf: continue with open(server_conf_path, "w") as ovpn_conf: ovpn_conf.write(client_conf) zip_file.write(server_conf_path, arcname=conf_name) os.remove(server_conf_path) finally: zip_file.close() with open(key_archive_path, "r") as archive_file: key_archive = archive_file.read() finally: utils.rmtree(temp_path) return key_archive
def _run_thread(self, send_events): from pritunl.server.utils import get_by_id logger.info( 'Starting vpn server', 'server', server_id=self.server.id, instance_id=self.id, network=self.server.network, network6=self.server.network6, host_address=settings.local.host.local_addr, host_address6=settings.local.host.local_addr6, host_networks=settings.local.host.local_networks, cur_timestamp=utils.now(), ) self.resources_acquire() try: cursor_id = self.get_cursor_id() os.makedirs(self._temp_path) self.enable_ip_forwarding() self.bridge_start() if self.server.replicating and self.server.vxlan: try: self.vxlan = vxlan.get_vxlan(self.server.id) self.vxlan.start() except: logger.exception( 'Failed to setup server vxlan', 'vxlan', server_id=self.server.id, instance_id=self.id, ) self.generate_ovpn_conf() self.generate_iptables_rules() self.iptables.upsert_rules() self.init_route_advertisements() self.process = self.openvpn_start() self.start_threads(cursor_id) self.instance_com = ServerInstanceCom(self.server, self) self.instance_com.start() self.publish('started') if send_events: event.Event(type=SERVERS_UPDATED) event.Event(type=SERVER_HOSTS_UPDATED, resource_id=self.server.id) for org_id in self.server.organizations: event.Event(type=USERS_UPDATED, resource_id=org_id) for link_doc in self.server.links: if self.server.id > link_doc['server_id']: instance_link = ServerInstanceLink( server=self.server, linked_server=get_by_id(link_doc['server_id']), ) self.server_links.append(instance_link) instance_link.start() plugins.caller( 'server_start', host_id=settings.local.host_id, host_name=settings.local.host.name, server_id=self.server.id, server_name=self.server.name, port=self.server.port, protocol=self.server.protocol, ipv6=self.server.ipv6, ipv6_firewall=self.server.ipv6_firewall, network=self.server.network, network6=self.server.network6, network_mode=self.server.network_mode, network_start=self.server.network_start, network_stop=self.server.network_end, restrict_routes=self.server.restrict_routes, bind_address=self.server.bind_address, onc_hostname=self.server.onc_hostname, dh_param_bits=self.server.dh_param_bits, multi_device=self.server.multi_device, dns_servers=self.server.dns_servers, search_domain=self.server.search_domain, otp_auth=self.server.otp_auth, cipher=self.server.cipher, hash=self.server.hash, inter_client=self.server.inter_client, ping_interval=self.server.ping_interval, ping_timeout=self.server.ping_timeout, link_ping_interval=self.server.link_ping_interval, link_ping_timeout=self.server.link_ping_timeout, allowed_devices=self.server.allowed_devices, max_clients=self.server.max_clients, replica_count=self.server.replica_count, dns_mapping=self.server.dns_mapping, debug=self.server.debug, interface=self.interface, bridge_interface=self.bridge_interface, vxlan=self.vxlan, ) try: self.openvpn_watch() finally: plugins.caller( 'server_stop', host_id=settings.local.host_id, host_name=settings.local.host.name, server_id=self.server.id, server_name=self.server.name, port=self.server.port, protocol=self.server.protocol, ipv6=self.server.ipv6, ipv6_firewall=self.server.ipv6_firewall, network=self.server.network, network6=self.server.network6, network_mode=self.server.network_mode, network_start=self.server.network_start, network_stop=self.server.network_end, restrict_routes=self.server.restrict_routes, bind_address=self.server.bind_address, onc_hostname=self.server.onc_hostname, dh_param_bits=self.server.dh_param_bits, multi_device=self.server.multi_device, dns_servers=self.server.dns_servers, search_domain=self.server.search_domain, otp_auth=self.server.otp_auth, cipher=self.server.cipher, hash=self.server.hash, inter_client=self.server.inter_client, ping_interval=self.server.ping_interval, ping_timeout=self.server.ping_timeout, link_ping_interval=self.server.link_ping_interval, link_ping_timeout=self.server.link_ping_timeout, allowed_devices=self.server.allowed_devices, max_clients=self.server.max_clients, replica_count=self.server.replica_count, dns_mapping=self.server.dns_mapping, debug=self.server.debug, interface=self.interface, bridge_interface=self.bridge_interface, vxlan=self.vxlan, ) self.interrupt = True self.bridge_stop() self.iptables.clear_rules() if not self.clean_exit: event.Event(type=SERVERS_UPDATED) self.server.send_link_events() logger.LogEntry(message='Server stopped unexpectedly "%s".' % (self.server.name)) except: try: self.interrupt = True self.stop_process() except: logger.exception( 'Server stop error', 'server', server_id=self.server.id, instance_id=self.id, ) logger.exception( 'Server error occurred while running', 'server', server_id=self.server.id, instance_id=self.id, ) finally: try: if self.resource_lock: self.bridge_stop() self.iptables.clear_rules() except: logger.exception( 'Server resource error', 'server', server_id=self.server.id, instance_id=self.id, ) try: self.stop_threads() self.collection.update( { '_id': self.server.id, 'instances.instance_id': self.id, }, { '$pull': { 'instances': { 'instance_id': self.id, }, }, '$inc': { 'instances_count': -1, }, }) utils.rmtree(self._temp_path) except: logger.exception( 'Server clean up error', 'server', server_id=self.server.id, instance_id=self.id, ) try: self.resources_release() except: logger.exception( 'Failed to release resources', 'server', server_id=self.server.id, instance_id=self.id, )
def initialize(self): temp_path = utils.get_temp_path() index_path = os.path.join(temp_path, INDEX_NAME) index_attr_path = os.path.join(temp_path, INDEX_ATTR_NAME) serial_path = os.path.join(temp_path, SERIAL_NAME) ssl_conf_path = os.path.join(temp_path, OPENSSL_NAME) reqs_path = os.path.join(temp_path, "%s.csr" % self.id) key_path = os.path.join(temp_path, "%s.key" % self.id) cert_path = os.path.join(temp_path, "%s.crt" % self.id) ca_name = self.id if self.type == CERT_CA else "ca" ca_cert_path = os.path.join(temp_path, "%s.crt" % ca_name) ca_key_path = os.path.join(temp_path, "%s.key" % ca_name) self.org.queue_com.wait_status() try: os.makedirs(temp_path) with open(index_path, "a"): os.utime(index_path, None) with open(index_attr_path, "a"): os.utime(index_attr_path, None) with open(serial_path, "w") as serial_file: serial_hex = ("%x" % utils.fnv64a(str(self.id))).upper() if len(serial_hex) % 2: serial_hex = "0" + serial_hex serial_file.write("%s\n" % serial_hex) with open(ssl_conf_path, "w") as conf_file: conf_file.write( CERT_CONF % ( settings.user.cert_key_bits, settings.user.cert_message_digest, self.org.id, self.id, index_path, serial_path, temp_path, ca_cert_path, ca_key_path, settings.user.cert_message_digest, ) ) self.org.queue_com.wait_status() if self.type != CERT_CA: self.org.write_file("ca_certificate", ca_cert_path, chmod=0600) self.org.write_file("ca_private_key", ca_key_path, chmod=0600) self.generate_otp_secret() try: args = [ "openssl", "req", "-new", "-batch", "-config", ssl_conf_path, "-out", reqs_path, "-keyout", key_path, "-reqexts", "%s_req_ext" % self.type.replace("_pool", ""), ] self.org.queue_com.popen(args) except (OSError, ValueError): logger.exception("Failed to create user cert requests", "user", org_id=self.org.id, user_id=self.id) raise self.read_file("private_key", key_path) try: args = ["openssl", "ca", "-batch"] if self.type == CERT_CA: args += ["-selfsign"] args += [ "-config", ssl_conf_path, "-in", reqs_path, "-out", cert_path, "-extensions", "%s_ext" % self.type.replace("_pool", ""), ] self.org.queue_com.popen(args) except (OSError, ValueError): logger.exception("Failed to create user cert", "user", org_id=self.org.id, user_id=self.id) raise self.read_file("certificate", cert_path) finally: try: utils.rmtree(temp_path) except subprocess.CalledProcessError: pass self.org.queue_com.wait_status() # If assign ip addr fails it will be corrected in ip sync task try: self.assign_ip_addr() except: logger.exception("Failed to assign users ip address", "user", org_id=self.org.id, user_id=self.id)