def install_openvpn_server(args):
    '''
    The actual installation of openvpn server.

    Installs the openvpn packages, renders /etc/openvpn/server.conf from the
    syco template, builds a local easy-rsa CA and a server certificate,
    enables IP forwarding, wires up LDAP auth and the iptables chain, starts
    the service and finally builds the client certificates for ``args``.

    Everything here mutates the host in place (runs yum, copies files under
    /etc/openvpn, chdir's into easy-rsa); a version marker guards against
    running the whole procedure twice.
    '''
    app.print_verbose("Install openvpn server version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallOpenvpnServer", SCRIPT_VERSION)
    version_obj.check_executed()

    # Initialize all passwords up front so the rest runs unattended.
    app.get_ldap_sssd_password()

    x("yum -y install openvpn openvpn-auth-ldap")

    easy_rsa_dir = "/etc/openvpn/easy-rsa"
    if not os.access(easy_rsa_dir, os.F_OK):
        x("cp -R /usr/share/openvpn/easy-rsa/2.0 " + easy_rsa_dir)

    # Install server.conf and fill in the template placeholders.
    server_conf = "/etc/openvpn/server.conf"
    x("cp " + app.SYCO_PATH + "/var/openvpn/server.conf " + server_conf)

    # Each placeholder is looked up lazily, right before its replace call,
    # so the config accessors run in the same order as before.
    conf_placeholders = (
        ('${EXTERN_IP}', net.get_public_ip),
        ('${OPENVPN.NETWORK}', config.general.get_openvpn_network),
        ('${FRONT.NETWORK}', config.general.get_front_network),
        ('${FRONT.NETMASK}', config.general.get_front_netmask),
        ('${BACK.NETWORK}', config.general.get_back_network),
        ('${BACK.NETMASK}', config.general.get_back_netmask),
    )
    for placeholder, lookup in conf_placeholders:
        scOpen(server_conf).replace(placeholder, lookup())

    # Prepare the ca cert generation: set the DN fields in easy-rsa's vars.
    # NOTE(review): the values are written into a file that is later sourced
    # by the shell (". ./vars"); config is trusted, but a '"' or '$' in e.g.
    # the organization name would break that file.
    vars_file = easy_rsa_dir + "/vars"
    dn_fields = (
        ("KEY_COUNTRY", config.general.get_country_name),
        ("KEY_PROVINCE", config.general.get_state),
        ("KEY_CITY", config.general.get_locality),
        ("KEY_ORG", config.general.get_organization_name),
        ("KEY_OU", config.general.get_organizational_unit_name),
        ("KEY_EMAIL", config.general.get_admin_email),
    )
    for key, lookup in dn_fields:
        scOpen(vars_file).replace(
            '[\s]*export ' + key + '.*',
            'export ' + key + '="' + lookup() + '"')

    # Can't find the current version of openssl.cnf.
    scOpen(easy_rsa_dir + "/whichopensslcnf").replace(
        "\[\[\:alnum\:\]\]", "[[:alnum:]]*")

    # Generate CA cert, server cert and DH parameters (all --batch, non-interactive).
    os.chdir(easy_rsa_dir + "/")
    x(". ./vars;./clean-all;./build-ca --batch;./build-key-server --batch server;./build-dh")
    # NOTE(review): ca.key is copied next to the server key, so the CA private
    # key lives on the VPN host itself; only ca.crt is needed at runtime.
    # dh1024.pem is 1024-bit DH, which is weak by current standards.
    x("cp /etc/openvpn/easy-rsa/keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/")

    # To prevent error "TXT_DB error number 2" when running ./build-key-pkcs12 --batch xxx"
    # (this allows several certs with the same subject in the CA index).
    scOpen(easy_rsa_dir + "/keys/index.txt.attr").replace(
        "unique_subject.*", "unique_subject = no")

    # To be able to route trafic to internal network
    net.enable_ip_forward()

    _setup_ldap()
    iptables.add_openvpn_chain()
    iptables.save()

    x("/etc/init.d/openvpn restart")
    x("/sbin/chkconfig openvpn on")

    build_client_certs(args)
    version_obj.mark_executed()
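def install_openvpn_server(args):
    '''
    The actual installation of openvpn server.

    Builds openvpn from ``args`` (presumably args[1] is the version, see the
    usage string below), renders /etc/openvpn/server.conf from the syco
    template, builds a local easy-rsa CA (sha256, 4096-bit keys) plus the
    server certificate and a tls-auth key, enables IP forwarding, optionally
    wires up LDAP auth, adds the iptables chain, starts the service and
    finally builds the client certificates.

    Everything here mutates the host in place; a version marker guards
    against running the whole procedure twice.

    Raises:
        Exception: if ``args`` does not have exactly two elements.
    '''
    app.print_verbose("Install openvpn server version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallOpenvpnServer", SCRIPT_VERSION)
    version_obj.check_executed()

    if len(args) != 2:
        raise Exception("syco install-openvpn-server 2.3.7")

    def _flag(value):
        # Config options come back as strings, so a plain truthiness test
        # would treat the default "false" as enabled. Compare explicitly.
        return str(value).strip().lower() in ("true", "yes", "1")

    # Initialize all passwords
    enable_ldap = _flag(config.general.get_option("openvpn.ldap.enable", "false"))

    build_openvpn(args)
    x('mkdir /etc/openvpn')

    if enable_ldap:
        app.get_ldap_sssd_password()
        x("yum -y install openvpn-auth-ldap")

    if not os.access("/etc/openvpn/easy-rsa", os.F_OK):
        copy_easy_rsa()

    # Install server.conf and fill in the template placeholders.
    server_conf = "/etc/openvpn/server.conf"
    x("cp " + app.SYCO_PATH + "/var/openvpn/server.conf %s" % server_conf)
    scOpen(server_conf).replace('${EXTERN_IP}', net.get_public_ip())
    scOpen(server_conf).replace('${OPENVPN_NETWORK}', config.general.get_openvpn_network())
    scOpen(server_conf).replace('${PUSH_ROUTES}', _get_push_routes())

    # Client-config-dir: per-client routes and client-to-client traffic are
    # only enabled when explicitly requested in the config.
    ccd_enabled = _flag(config.general.get_option("openvpn.ccd.enable", "false"))
    ccd_dir = ""
    client_routes = ""
    c2c = ""
    if ccd_enabled:
        ccd_dir = "client-config-dir ccd"
        client_routes = _get_client_routes()
        c2c = "client-to-client"
        x('mkdir /etc/openvpn/ccd')
    scOpen(server_conf).replace('${CCD_DIR}', ccd_dir)
    scOpen(server_conf).replace('${CLIENT_ROUTES}', str(client_routes))
    scOpen(server_conf).replace('${CLIENT_TO_CLIENT}', c2c)
    scOpen(server_conf).replace('${DHCP_DNS_SERVERS}', _get_dhcp_dns_servers())

    # The template still names the 1024-bit DH file; we generate 4096-bit
    # parameters below (KEY_SIZE=4096), so point the config at that file.
    scOpen(server_conf).replace('^dh.*dh1024.pem', 'dh dh4096.pem')
    scOpen(server_conf).add('\n')
    scOpen(server_conf).add('tls-version-min 1.2')

    # Prepare the ca cert generation: set the DN fields in easy-rsa's vars.
    # NOTE(review): the values are written into a file that is later sourced
    # by the shell (". ./vars"); config is trusted, but a '"' or '$' in e.g.
    # the organization name would break that file.
    fn = "/etc/openvpn/easy-rsa/vars"
    scOpen(fn).replace(
        '[\s]*export KEY_COUNTRY.*',
        'export KEY_COUNTRY="' + config.general.get_country_name() + '"')
    scOpen(fn).replace(
        '[\s]*export KEY_PROVINCE.*',
        'export KEY_PROVINCE="' + config.general.get_state() + '"')
    scOpen(fn).replace(
        '[\s]*export KEY_CITY.*',
        'export KEY_CITY="' + config.general.get_locality() + '"')
    scOpen(fn).replace(
        '[\s]*export KEY_ORG.*',
        'export KEY_ORG="' + config.general.get_organization_name() + '"')
    scOpen(fn).replace(
        '[\s]*export KEY_OU.*',
        'export KEY_OU="' + config.general.get_organizational_unit_name() + '"')
    scOpen(fn).replace(
        '[\s]*export KEY_EMAIL.*',
        'export KEY_EMAIL="' + config.general.get_admin_email() + '"')
    scOpen(fn).replace('[\s]*export HASH_ALGO.*', 'export HASH_ALGO=sha256')
    scOpen(fn).replace('[\s]*export KEY_SIZE.*', 'export KEY_SIZE=4096')

    # Can't find the current version of openssl.cnf.
    scOpen("/etc/openvpn/easy-rsa/whichopensslcnf").replace(
        "\[\[\:alnum\:\]\]", "[[:alnum:]]*")

    # Generate CA cert, server cert and DH parameters (all --batch, non-interactive).
    os.chdir("/etc/openvpn/easy-rsa/")
    x(". ./vars;./clean-all;./build-ca --batch;./build-key-server --batch server;./build-dh")
    # NOTE(review): ca.key is copied next to the server key, so the CA private
    # key lives on the VPN host itself; only ca.crt is needed at runtime.
    x("cp /etc/openvpn/easy-rsa/keys/{ca.crt,ca.key,server.crt,server.key,dh4096.pem} /etc/openvpn/")

    # Generate the tls-auth (HMAC) key shared by server and clients.
    os.chdir("/etc/openvpn/")
    x("/usr/local/sbin/openvpn --genkey --secret ta.key")

    # To prevent error "TXT_DB error number 2" when running ./build-key-pkcs12 --batch xxx"
    # (this allows several certs with the same subject in the CA index).
    scOpen("/etc/openvpn/easy-rsa/keys/index.txt.attr").replace(
        "unique_subject.*", "unique_subject = no")

    # To be able to route trafic to internal network
    net.enable_ip_forward()

    if enable_ldap:
        _setup_ldap()

    iptables.add_openvpn_chain()
    iptables.save()

    x("/etc/init.d/openvpn restart")
    x("/sbin/chkconfig openvpn on")

    build_client_certs(args)
    version_obj.mark_executed()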
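def install_openvpn_server(args):
    '''
    The actual installation of openvpn server.

    Installs the openvpn package, renders /etc/openvpn/server.conf from the
    syco template, builds a local easy-rsa CA plus the server certificate
    and a tls-auth key, enables IP forwarding, optionally wires up LDAP
    auth, adds the iptables chain, starts the service and finally builds
    the client certificates for ``args``.

    Everything here mutates the host in place; a version marker guards
    against running the whole procedure twice.
    '''
    app.print_verbose("Install openvpn server version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallOpenvpnServer", SCRIPT_VERSION)
    version_obj.check_executed()

    def _flag(value):
        # Config options come back as strings, so a plain truthiness test
        # would treat the default "false" as enabled. Compare explicitly.
        return str(value).strip().lower() in ("true", "yes", "1")

    # Initialize all passwords
    enable_ldap = _flag(config.general.get_option("openvpn.ldap.enable", "false"))

    x("yum -y install openvpn")

    if enable_ldap:
        app.get_ldap_sssd_password()
        x("yum -y install openvpn-auth-ldap")

    if not os.access("/etc/openvpn/easy-rsa", os.F_OK):
        copy_easy_rsa()

    # Install server.conf and fill in the template placeholders.
    server_conf = "/etc/openvpn/server.conf"
    x("cp " + app.SYCO_PATH + "/var/openvpn/server.conf %s" % server_conf)
    scOpen(server_conf).replace('${EXTERN_IP}', net.get_public_ip())
    scOpen(server_conf).replace('${OPENVPN_NETWORK}', config.general.get_openvpn_network())
    scOpen(server_conf).replace('${PUSH_ROUTES}', _get_push_routes())

    # Client-config-dir: per-client routes and client-to-client traffic are
    # only enabled when explicitly requested in the config.
    ccd_enabled = _flag(config.general.get_option("openvpn.ccd.enable", "false"))
    ccd_dir = ""
    client_routes = ""
    c2c = ""
    if ccd_enabled:
        ccd_dir = "client-config-dir ccd"
        client_routes = _get_client_routes()
        c2c = "client-to-client"
    scOpen(server_conf).replace('${CCD_DIR}', ccd_dir)
    scOpen(server_conf).replace('${CLIENT_ROUTES}', client_routes)
    scOpen(server_conf).replace('${CLIENT_TO_CLIENT}', c2c)
    scOpen(server_conf).replace('${DHCP_DNS_SERVERS}', _get_dhcp_dns_servers())

    # Prepare the ca cert generation: set the DN fields in easy-rsa's vars.
    # NOTE(review): the values are written into a file that is later sourced
    # by the shell (". ./vars"); config is trusted, but a '"' or '$' in e.g.
    # the organization name would break that file.
    fn = "/etc/openvpn/easy-rsa/vars"
    scOpen(fn).replace('[\s]*export KEY_COUNTRY.*', 'export KEY_COUNTRY="' + config.general.get_country_name() + '"')
    scOpen(fn).replace('[\s]*export KEY_PROVINCE.*', 'export KEY_PROVINCE="' + config.general.get_state() + '"')
    scOpen(fn).replace('[\s]*export KEY_CITY.*', 'export KEY_CITY="' + config.general.get_locality() + '"')
    scOpen(fn).replace('[\s]*export KEY_ORG.*', 'export KEY_ORG="' + config.general.get_organization_name() + '"')
    scOpen(fn).replace('[\s]*export KEY_OU.*', 'export KEY_OU="' + config.general.get_organizational_unit_name() + '"')
    scOpen(fn).replace('[\s]*export KEY_EMAIL.*', 'export KEY_EMAIL="' + config.general.get_admin_email() + '"')

    # Can't find the current version of openssl.cnf.
    scOpen("/etc/openvpn/easy-rsa/whichopensslcnf").replace("\[\[\:alnum\:\]\]", "[[:alnum:]]*")

    # Generate CA cert, server cert and DH parameters (all --batch, non-interactive).
    os.chdir("/etc/openvpn/easy-rsa/")
    x(". ./vars;./clean-all;./build-ca --batch;./build-key-server --batch server;./build-dh")
    # NOTE(review): ca.key is copied next to the server key, so the CA private
    # key lives on the VPN host itself; only ca.crt is needed at runtime.
    # dh1024.pem is 1024-bit DH, which is weak by current standards.
    x("cp /etc/openvpn/easy-rsa/keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/")

    # Generate the tls-auth (HMAC) key shared by server and clients.
    os.chdir("/etc/openvpn/")
    x("openvpn --genkey --secret ta.key")

    # To prevent error "TXT_DB error number 2" when running ./build-key-pkcs12 --batch xxx"
    # (this allows several certs with the same subject in the CA index).
    scOpen("/etc/openvpn/easy-rsa/keys/index.txt.attr").replace("unique_subject.*", "unique_subject = no")

    # To be able to route trafic to internal network
    net.enable_ip_forward()

    if enable_ldap:
        _setup_ldap()

    iptables.add_openvpn_chain()
    iptables.save()

    x("/etc/init.d/openvpn restart")
    x("/sbin/chkconfig openvpn on")

    build_client_certs(args)
    version_obj.mark_executed()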
def install_openvpn_server(args):
    '''
    The actual installation of openvpn server.

    Installs the openvpn packages, renders /etc/openvpn/server.conf from the
    syco template, builds a local easy-rsa CA plus the server certificate
    and a tls-auth key, enables IP forwarding, wires up LDAP auth and the
    iptables chain, starts the service and finally builds the client
    certificates for ``args``.

    Everything here mutates the host in place (runs yum, copies files under
    /etc/openvpn, chdir's around); a version marker guards against running
    the whole procedure twice.
    '''
    app.print_verbose("Install openvpn server version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallOpenvpnServer", SCRIPT_VERSION)
    version_obj.check_executed()

    # Initialize all passwords up front so the rest runs unattended.
    app.get_ldap_sssd_password()

    x("yum -y install openvpn openvpn-auth-ldap")

    easy_rsa_dir = "/etc/openvpn/easy-rsa"
    if not os.access(easy_rsa_dir, os.F_OK):
        copy_easy_rsa()

    # Install server.conf and fill in the template placeholders.
    server_conf = "/etc/openvpn/server.conf"
    x("cp " + app.SYCO_PATH + "/var/openvpn/server.conf " + server_conf)

    # Each placeholder is looked up lazily, right before its replace call,
    # so the config accessors run in the same order as before.
    conf_placeholders = (
        ('${EXTERN_IP}', net.get_public_ip),
        ('${OPENVPN.NETWORK}', config.general.get_openvpn_network),
        ('${FRONT.NETWORK}', config.general.get_front_network),
        ('${FRONT.NETMASK}', config.general.get_front_netmask),
        ('${BACK.NETWORK}', config.general.get_back_network),
        ('${BACK.NETMASK}', config.general.get_back_netmask),
    )
    for placeholder, lookup in conf_placeholders:
        scOpen(server_conf).replace(placeholder, lookup())

    # Prepare the ca cert generation: set the DN fields in easy-rsa's vars.
    # NOTE(review): the values are written into a file that is later sourced
    # by the shell (". ./vars"); config is trusted, but a '"' or '$' in e.g.
    # the organization name would break that file.
    vars_file = easy_rsa_dir + "/vars"
    dn_fields = (
        ("KEY_COUNTRY", config.general.get_country_name),
        ("KEY_PROVINCE", config.general.get_state),
        ("KEY_CITY", config.general.get_locality),
        ("KEY_ORG", config.general.get_organization_name),
        ("KEY_OU", config.general.get_organizational_unit_name),
        ("KEY_EMAIL", config.general.get_admin_email),
    )
    for key, lookup in dn_fields:
        scOpen(vars_file).replace(
            '[\s]*export ' + key + '.*',
            'export ' + key + '="' + lookup() + '"')

    # Can't find the current version of openssl.cnf.
    scOpen(easy_rsa_dir + "/whichopensslcnf").replace(
        "\[\[\:alnum\:\]\]", "[[:alnum:]]*")

    # Generate CA cert, server cert and DH parameters (all --batch, non-interactive).
    os.chdir(easy_rsa_dir + "/")
    x(". ./vars;./clean-all;./build-ca --batch;./build-key-server --batch server;./build-dh")
    # NOTE(review): ca.key is copied next to the server key, so the CA private
    # key lives on the VPN host itself; only ca.crt is needed at runtime.
    # dh1024.pem is 1024-bit DH, which is weak by current standards.
    x("cp /etc/openvpn/easy-rsa/keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/")

    # Generate the tls-auth (HMAC) key shared by server and clients.
    os.chdir("/etc/openvpn/")
    x("openvpn --genkey --secret ta.key")

    # To prevent error "TXT_DB error number 2" when running ./build-key-pkcs12 --batch xxx"
    # (this allows several certs with the same subject in the CA index).
    scOpen(easy_rsa_dir + "/keys/index.txt.attr").replace(
        "unique_subject.*", "unique_subject = no")

    # To be able to route trafic to internal network
    net.enable_ip_forward()

    _setup_ldap()
    iptables.add_openvpn_chain()
    iptables.save()

    x("/etc/init.d/openvpn restart")
    x("/sbin/chkconfig openvpn on")

    build_client_certs(args)
    version_obj.mark_executed()