def generate_client_conf(self, user):
from pritunl.server.utils import get_by_id
client_conf = ''
if user.link_server_id:
link_usr_svr = get_by_id(user.link_server_id,
fields=('_id', 'network',
'local_networks'))
client_conf += 'iroute %s %s\n' % utils.parse_network(
link_usr_svr.network)
for local_network in link_usr_svr.local_networks:
client_conf += 'iroute %s %s\n' % utils.parse_network(
local_network)
else:
if self.server.mode == ALL_TRAFFIC:
client_conf += 'push "redirect-gateway"\n'
for dns_server in self.server.dns_servers:
client_conf += 'push "dhcp-option DNS %s"\n' % dns_server
if self.server.search_domain:
client_conf += 'push "dhcp-option DOMAIN %s"\n' % (
self.server.search_domain)
for link_svr in self.server.iter_links(fields=('_id', 'network',
'local_networks')):
client_conf += 'push "route %s %s"\n' % utils.parse_network(
link_svr.network)
for local_network in link_svr.local_networks:
client_conf += 'push "route %s %s"\n' % (
utils.parse_network(local_network))
return client_conf
def generate_client_conf(self, user):
from pritunl.server.utils import get_by_id
client_conf = ''
if user.link_server_id:
link_usr_svr = get_by_id(user.link_server_id,
fields=('_id', 'network', 'local_networks'))
client_conf += 'iroute %s %s\n' % utils.parse_network(
link_usr_svr.network)
for local_network in link_usr_svr.local_networks:
client_conf += 'iroute %s %s\n' % utils.parse_network(
local_network)
else:
if self.server.mode == ALL_TRAFFIC:
client_conf += 'push "redirect-gateway"\n'
for dns_server in self.server.dns_servers:
client_conf += 'push "dhcp-option DNS %s"\n' % dns_server
if self.server.search_domain:
client_conf += 'push "dhcp-option DOMAIN %s"\n' % (
self.server.search_domain)
for link_svr in self.server.iter_links(fields=(
'_id', 'network', 'local_networks')):
client_conf += 'push "route %s %s"\n' % utils.parse_network(
link_svr.network)
for local_network in link_svr.local_networks:
client_conf += 'push "route %s %s"\n' % (
utils.parse_network(local_network))
return client_conf
def generate_client_conf(self, user):
from pritunl.server.utils import get_by_id
client_conf = ''
if user.link_server_id:
link_usr_svr = get_by_id(user.link_server_id,
fields=('_id', 'network', 'network_start',
'network_end', 'local_networks'))
client_conf += 'iroute %s %s\n' % utils.parse_network(
link_usr_svr.network)
for local_network in link_usr_svr.local_networks:
client_conf += 'iroute %s %s\n' % utils.parse_network(
local_network)
else:
if self.server.mode == ALL_TRAFFIC:
client_conf += 'push "redirect-gateway def1"\n'
if self.server.ipv6:
client_conf += 'push "redirect-gateway-ipv6 def1"\n'
client_conf += 'push "route-ipv6 2000::/3"\n'
for dns_server in self.server.dns_servers:
client_conf += 'push "dhcp-option DNS %s"\n' % dns_server
if self.server.search_domain:
client_conf += 'push "dhcp-option DOMAIN %s"\n' % (
self.server.search_domain)
client_conf += 'push "ip-win32 dynamic 0 3600"\n'
for network_link in user.get_network_links():
if ':' in network_link:
client_conf += 'iroute-ipv6 %s\n' % network_link
else:
client_conf += 'iroute %s %s\n' % utils.parse_network(
network_link)
for network_link in self.server.network_links:
if ':' in network_link:
client_conf += 'push "route-ipv6 %s"\n' % network_link
else:
client_conf += 'push "route %s %s"\n' % (
utils.parse_network(network_link))
for link_svr in self.server.iter_links(fields=('_id', 'network',
'local_networks',
'network_start',
'network_end')):
client_conf += 'push "route %s %s"\n' % utils.parse_network(
link_svr.network)
for local_network in link_svr.local_networks:
if ':' in local_network:
client_conf += 'push "route-ipv6 %s"\n' % local_network
else:
client_conf += 'push "route %s %s"\n' % (
utils.parse_network(local_network))
return client_conf
def generate_client_conf(self, user):
from pritunl.server.utils import get_by_id
client_conf = ''
if user.link_server_id:
link_usr_svr = get_by_id(user.link_server_id,
fields=('_id', 'network', 'network_start',
'network_end', 'local_networks'))
client_conf += 'iroute %s %s\n' % utils.parse_network(
link_usr_svr.network)
for local_network in link_usr_svr.local_networks:
client_conf += 'iroute %s %s\n' % utils.parse_network(
local_network)
else:
if self.server.mode == ALL_TRAFFIC:
client_conf += 'push "redirect-gateway def1"\n'
if self.server.ipv6:
client_conf += 'push "redirect-gateway-ipv6 def1"\n'
client_conf += 'push "route-ipv6 2000::/3"\n'
for dns_server in self.server.dns_servers:
client_conf += 'push "dhcp-option DNS %s"\n' % dns_server
if self.server.search_domain:
client_conf += 'push "dhcp-option DOMAIN %s"\n' % (
self.server.search_domain)
client_conf += 'push "ip-win32 dynamic 0 3600"\n'
for network_link in user.get_network_links():
if ':' in network_link:
client_conf += 'iroute-ipv6 %s\n' % network_link
else:
client_conf += 'iroute %s %s\n' % utils.parse_network(
network_link)
for network_link in self.server.network_links:
if ':' in network_link:
client_conf += 'push "route-ipv6 %s"\n' % network_link
else:
client_conf += 'push "route %s %s"\n' % (
utils.parse_network(network_link))
for link_svr in self.server.iter_links(fields=(
'_id', 'network', 'local_networks', 'network_start',
'network_end')):
client_conf += 'push "route %s %s"\n' % utils.parse_network(
link_svr.network)
for local_network in link_svr.local_networks:
if ':' in local_network:
client_conf += 'push "route-ipv6 %s"\n' % local_network
else:
client_conf += 'push "route %s %s"\n' % (
utils.parse_network(local_network))
return client_conf
def _run_thread(self, send_events):
from pritunl.server.utils import get_by_id
logger.debug('Starting ovpn process', 'server',
server_id=self.server.id,
)
self.resources_acquire()
try:
cursor_id = self.get_cursor_id()
os.makedirs(self._temp_path)
self.generate_ovpn_conf()
self.enable_ip_forwarding()
self.set_iptables_rules()
self.process = self.openvpn_start()
if not self.process:
return
self.start_threads(cursor_id)
self.instance_com = ServerInstanceCom(self.server, self)
self.instance_com.start()
self.publish('started')
if send_events:
event.Event(type=SERVERS_UPDATED)
event.Event(type=SERVER_HOSTS_UPDATED,
resource_id=self.server.id)
for org_id in self.server.organizations:
event.Event(type=USERS_UPDATED, resource_id=org_id)
for link_doc in self.server.links:
if self.server.id > link_doc['server_id']:
instance_link = ServerInstanceLink(
server=self.server,
linked_server=get_by_id(link_doc['server_id']),
)
self.server_links.append(instance_link)
instance_link.start()
self.openvpn_watch()
self.interrupt = True
self.clear_iptables_rules()
self.resources_release()
if not self.clean_exit:
event.Event(type=SERVERS_UPDATED)
self.server.send_link_events()
logger.LogEntry(message='Server stopped unexpectedly "%s".' % (
self.server.name))
except:
self.interrupt = True
if self.resource_lock:
self.clear_iptables_rules()
self.resources_release()
logger.exception('Server error occurred while running', 'server',
server_id=self.server.id,
)
finally:
self.stop_threads()
self.collection.update({
'_id': self.server.id,
'instances.instance_id': self.id,
}, {
'$pull': {
'instances': {
'instance_id': self.id,
},
},
'$inc': {
'instances_count': -1,
},
})
utils.rmtree(self._temp_path)
def _run_thread(self, send_events):
from pritunl.server.utils import get_by_id
logger.debug(
'Starting ovpn process',
'server',
server_id=self.server.id,
)
self.resources_acquire()
try:
cursor_id = self.get_cursor_id()
os.makedirs(self._temp_path)
self.generate_ovpn_conf()
self.enable_ip_forwarding()
self.set_iptables_rules()
self.process = self.openvpn_start()
if not self.process:
return
self.start_threads(cursor_id)
self.instance_com = ServerInstanceCom(self.server, self)
self.instance_com.start()
self.publish('started')
if send_events:
event.Event(type=SERVERS_UPDATED)
event.Event(type=SERVER_HOSTS_UPDATED,
resource_id=self.server.id)
for org_id in self.server.organizations:
event.Event(type=USERS_UPDATED, resource_id=org_id)
for link_doc in self.server.links:
if self.server.id > link_doc['server_id']:
instance_link = ServerInstanceLink(
server=self.server,
linked_server=get_by_id(link_doc['server_id']),
)
self.server_links.append(instance_link)
instance_link.start()
self.openvpn_watch()
self.interrupt = True
self.clear_iptables_rules()
self.resources_release()
if not self.clean_exit:
event.Event(type=SERVERS_UPDATED)
self.server.send_link_events()
logger.LogEntry(message='Server stopped unexpectedly "%s".' %
(self.server.name))
except:
self.interrupt = True
if self.resource_lock:
self.clear_iptables_rules()
self.resources_release()
logger.exception(
'Server error occurred while running',
'server',
server_id=self.server.id,
)
finally:
self.stop_threads()
self.collection.update(
{
'_id': self.server.id,
'instances.instance_id': self.id,
}, {
'$pull': {
'instances': {
'instance_id': self.id,
},
},
'$inc': {
'instances_count': -1,
},
})
utils.rmtree(self._temp_path)
def _run_thread(self, send_events):
from pritunl.server.utils import get_by_id
logger.info(
'Starting vpn server',
'server',
server_id=self.server.id,
instance_id=self.id,
network=self.server.network,
network6=self.server.network6,
host_address=settings.local.host.local_addr,
host_address6=settings.local.host.local_addr6,
host_networks=settings.local.host.local_networks,
cur_timestamp=utils.now(),
)
self.resources_acquire()
try:
cursor_id = self.get_cursor_id()
os.makedirs(self._temp_path)
self.enable_ip_forwarding()
self.bridge_start()
if self.server.replicating and self.server.vxlan:
try:
self.vxlan = vxlan.get_vxlan(self.server.id)
self.vxlan.start()
except:
logger.exception(
'Failed to setup server vxlan',
'vxlan',
server_id=self.server.id,
instance_id=self.id,
)
self.generate_ovpn_conf()
self.generate_iptables_rules()
self.iptables.upsert_rules()
self.init_route_advertisements()
self.process = self.openvpn_start()
self.start_threads(cursor_id)
self.instance_com = ServerInstanceCom(self.server, self)
self.instance_com.start()
self.publish('started')
if send_events:
event.Event(type=SERVERS_UPDATED)
event.Event(type=SERVER_HOSTS_UPDATED,
resource_id=self.server.id)
for org_id in self.server.organizations:
event.Event(type=USERS_UPDATED, resource_id=org_id)
for link_doc in self.server.links:
if self.server.id > link_doc['server_id']:
instance_link = ServerInstanceLink(
server=self.server,
linked_server=get_by_id(link_doc['server_id']),
)
self.server_links.append(instance_link)
instance_link.start()
plugins.caller(
'server_start',
host_id=settings.local.host_id,
host_name=settings.local.host.name,
server_id=self.server.id,
server_name=self.server.name,
port=self.server.port,
protocol=self.server.protocol,
ipv6=self.server.ipv6,
ipv6_firewall=self.server.ipv6_firewall,
network=self.server.network,
network6=self.server.network6,
network_mode=self.server.network_mode,
network_start=self.server.network_start,
network_stop=self.server.network_end,
restrict_routes=self.server.restrict_routes,
bind_address=self.server.bind_address,
onc_hostname=self.server.onc_hostname,
dh_param_bits=self.server.dh_param_bits,
multi_device=self.server.multi_device,
dns_servers=self.server.dns_servers,
search_domain=self.server.search_domain,
otp_auth=self.server.otp_auth,
cipher=self.server.cipher,
hash=self.server.hash,
inter_client=self.server.inter_client,
ping_interval=self.server.ping_interval,
ping_timeout=self.server.ping_timeout,
link_ping_interval=self.server.link_ping_interval,
link_ping_timeout=self.server.link_ping_timeout,
allowed_devices=self.server.allowed_devices,
max_clients=self.server.max_clients,
replica_count=self.server.replica_count,
dns_mapping=self.server.dns_mapping,
debug=self.server.debug,
interface=self.interface,
bridge_interface=self.bridge_interface,
vxlan=self.vxlan,
)
try:
self.openvpn_watch()
finally:
plugins.caller(
'server_stop',
host_id=settings.local.host_id,
host_name=settings.local.host.name,
server_id=self.server.id,
server_name=self.server.name,
port=self.server.port,
protocol=self.server.protocol,
ipv6=self.server.ipv6,
ipv6_firewall=self.server.ipv6_firewall,
network=self.server.network,
network6=self.server.network6,
network_mode=self.server.network_mode,
network_start=self.server.network_start,
network_stop=self.server.network_end,
restrict_routes=self.server.restrict_routes,
bind_address=self.server.bind_address,
onc_hostname=self.server.onc_hostname,
dh_param_bits=self.server.dh_param_bits,
multi_device=self.server.multi_device,
dns_servers=self.server.dns_servers,
search_domain=self.server.search_domain,
otp_auth=self.server.otp_auth,
cipher=self.server.cipher,
hash=self.server.hash,
inter_client=self.server.inter_client,
ping_interval=self.server.ping_interval,
ping_timeout=self.server.ping_timeout,
link_ping_interval=self.server.link_ping_interval,
link_ping_timeout=self.server.link_ping_timeout,
allowed_devices=self.server.allowed_devices,
max_clients=self.server.max_clients,
replica_count=self.server.replica_count,
dns_mapping=self.server.dns_mapping,
debug=self.server.debug,
interface=self.interface,
bridge_interface=self.bridge_interface,
vxlan=self.vxlan,
)
self.interrupt = True
self.bridge_stop()
self.iptables.clear_rules()
if not self.clean_exit:
event.Event(type=SERVERS_UPDATED)
self.server.send_link_events()
logger.LogEntry(message='Server stopped unexpectedly "%s".' %
(self.server.name))
except:
try:
self.interrupt = True
self.stop_process()
except:
logger.exception(
'Server stop error',
'server',
server_id=self.server.id,
instance_id=self.id,
)
logger.exception(
'Server error occurred while running',
'server',
server_id=self.server.id,
instance_id=self.id,
)
finally:
try:
if self.resource_lock:
self.bridge_stop()
self.iptables.clear_rules()
except:
logger.exception(
'Server resource error',
'server',
server_id=self.server.id,
instance_id=self.id,
)
try:
self.stop_threads()
self.collection.update(
{
'_id': self.server.id,
'instances.instance_id': self.id,
}, {
'$pull': {
'instances': {
'instance_id': self.id,
},
},
'$inc': {
'instances_count': -1,
},
})
utils.rmtree(self._temp_path)
except:
logger.exception(
'Server clean up error',
'server',
server_id=self.server.id,
instance_id=self.id,
)
try:
self.resources_release()
except:
logger.exception(
'Failed to release resources',
'server',
server_id=self.server.id,
instance_id=self.id,
)
def generate_ovpn_conf(self):
from pritunl.server.utils import get_by_id
logger.debug('Generating server ovpn conf. %r' % {
'server_id': self.server.id,
})
if not self.server.primary_organization or \
not self.server.primary_user:
self.server.create_primary_user()
primary_org = organization.get_by_id(self.server.primary_organization)
if not primary_org:
self.server.create_primary_user()
primary_org = organization.get_by_id(
id=self.server.primary_organization)
self.primary_user = primary_org.get_user(self.server.primary_user)
if not self.primary_user:
self.server.create_primary_user()
primary_org = organization.get_by_id(
id=self.server.primary_organization)
self.primary_user = primary_org.get_user(self.server.primary_user)
with open(self.auth_log_path, 'w') as auth_log:
os.chmod(self.auth_log_path, 0600)
auth_host = settings.conf.bind_addr
if auth_host == '0.0.0.0':
auth_host = 'localhost'
for script, script_path in (
(TLS_VERIFY_SCRIPT, self.tls_verify_path),
(USER_PASS_VERIFY_SCRIPT, self.user_pass_verify_path),
(CLIENT_CONNECT_SCRIPT, self.client_connect_path),
(CLIENT_DISCONNECT_SCRIPT, self.client_disconnect_path),
):
with open(script_path, 'w') as script_file:
os.chmod(script_path, 0755) # TODO
script_file.write(script % (
settings.app.server_api_key,
self.auth_log_path,
'https' if settings.conf.ssl else 'http',
auth_host,
settings.conf.port,
self.server.id,
))
push = ''
if self.server.mode == LOCAL_TRAFFIC:
for network in self.server.local_networks:
push += 'push "route %s %s"\n' % utils.parse_network(network)
elif self.server.mode == VPN_TRAFFIC:
pass
else:
push += 'push "redirect-gateway"\n'
for dns_server in self.server.dns_servers:
push += 'push "dhcp-option DNS %s"\n' % dns_server
if self.server.search_domain:
push += 'push "dhcp-option DOMAIN %s"\n' % (
self.server.search_domain)
for link_doc in self.server.links:
link_svr = get_by_id(link_doc['server_id'])
push += 'push "route %s %s"\n' % utils.parse_network(
link_svr.network)
for local_network in link_svr.local_networks:
push += 'push "route %s %s"\n' % utils.parse_network(
local_network)
server_conf = OVPN_INLINE_SERVER_CONF % (
self.server.port,
self.server.protocol,
self.interface,
self.tls_verify_path,
self.client_connect_path,
self.client_disconnect_path,
'%s %s' % utils.parse_network(self.server.network),
CIPHERS[self.server.cipher],
self.ovpn_status_path,
4 if self.server.debug else 1,
8 if self.server.debug else 3,
)
if self.server.bind_address:
server_conf += 'local %s\n' % self.server.bind_address
if self.server.otp_auth:
server_conf += 'auth-user-pass-verify %s via-file\n' % (
self.user_pass_verify_path)
# Pritunl v0.10.x did not include comp-lzo in client conf
# if lzo_compression is adaptive dont include comp-lzo in server conf
if self.server.lzo_compression == ADAPTIVE:
pass
elif self.server.lzo_compression:
server_conf += 'comp-lzo yes\npush "comp-lzo yes"\n'
else:
server_conf += 'comp-lzo no\npush "comp-lzo no"\n'
if self.server.mode in (LOCAL_TRAFFIC, VPN_TRAFFIC):
server_conf += 'client-to-client\n'
server_conf += JUMBO_FRAMES[self.server.jumbo_frames]
if push:
server_conf += push
server_conf += '<ca>\n%s\n</ca>\n' % utils.get_cert_block(
self.server.ca_certificate)
server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
self.primary_user.certificate)
server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params
with open(self.ovpn_conf_path, 'w') as ovpn_conf:
os.chmod(self.ovpn_conf_path, 0600)
ovpn_conf.write(server_conf)
def _run_thread(self, send_events):
from pritunl.server.utils import get_by_id
logger.info('Starting vpn server', 'server',
server_id=self.server.id,
instance_id=self.id,
network=self.server.network,
network6=self.server.network6,
host_address=settings.local.host.local_addr,
host_address6=settings.local.host.local_addr6,
host_networks=settings.local.host.local_networks,
cur_timestamp=utils.now(),
)
self.resources_acquire()
try:
cursor_id = self.get_cursor_id()
os.makedirs(self._temp_path)
self.enable_ip_forwarding()
self.bridge_start()
if self.server.replicating and self.server.vxlan:
try:
self.vxlan = vxlan.get_vxlan(self.server.id)
self.vxlan.start()
except:
logger.exception('Failed to setup server vxlan', 'vxlan',
server_id=self.server.id,
instance_id=self.id,
)
self.generate_ovpn_conf()
self.generate_iptables_rules()
self.iptables.upsert_rules()
self.init_route_advertisements()
self.process = self.openvpn_start()
self.start_threads(cursor_id)
self.instance_com = ServerInstanceCom(self.server, self)
self.instance_com.start()
self.publish('started')
if send_events:
event.Event(type=SERVERS_UPDATED)
event.Event(type=SERVER_HOSTS_UPDATED,
resource_id=self.server.id)
for org_id in self.server.organizations:
event.Event(type=USERS_UPDATED, resource_id=org_id)
for link_doc in self.server.links:
if self.server.id > link_doc['server_id']:
instance_link = ServerInstanceLink(
server=self.server,
linked_server=get_by_id(link_doc['server_id']),
)
self.server_links.append(instance_link)
instance_link.start()
plugins.caller(
'server_start',
host_id=settings.local.host_id,
host_name=settings.local.host.name,
server_id=self.server.id,
server_name=self.server.name,
port=self.server.port,
protocol=self.server.protocol,
ipv6=self.server.ipv6,
ipv6_firewall=self.server.ipv6_firewall,
network=self.server.network,
network6=self.server.network6,
network_mode=self.server.network_mode,
network_start=self.server.network_start,
network_stop=self.server.network_end,
restrict_routes=self.server.restrict_routes,
bind_address=self.server.bind_address,
onc_hostname=self.server.onc_hostname,
dh_param_bits=self.server.dh_param_bits,
multi_device=self.server.multi_device,
dns_servers=self.server.dns_servers,
search_domain=self.server.search_domain,
otp_auth=self.server.otp_auth,
cipher=self.server.cipher,
hash=self.server.hash,
inter_client=self.server.inter_client,
ping_interval=self.server.ping_interval,
ping_timeout=self.server.ping_timeout,
link_ping_interval=self.server.link_ping_interval,
link_ping_timeout=self.server.link_ping_timeout,
allowed_devices=self.server.allowed_devices,
max_clients=self.server.max_clients,
replica_count=self.server.replica_count,
dns_mapping=self.server.dns_mapping,
debug=self.server.debug,
interface=self.interface,
bridge_interface=self.bridge_interface,
vxlan=self.vxlan,
)
try:
self.openvpn_watch()
finally:
plugins.caller(
'server_stop',
host_id=settings.local.host_id,
host_name=settings.local.host.name,
server_id=self.server.id,
server_name=self.server.name,
port=self.server.port,
protocol=self.server.protocol,
ipv6=self.server.ipv6,
ipv6_firewall=self.server.ipv6_firewall,
network=self.server.network,
network6=self.server.network6,
network_mode=self.server.network_mode,
network_start=self.server.network_start,
network_stop=self.server.network_end,
restrict_routes=self.server.restrict_routes,
bind_address=self.server.bind_address,
onc_hostname=self.server.onc_hostname,
dh_param_bits=self.server.dh_param_bits,
multi_device=self.server.multi_device,
dns_servers=self.server.dns_servers,
search_domain=self.server.search_domain,
otp_auth=self.server.otp_auth,
cipher=self.server.cipher,
hash=self.server.hash,
inter_client=self.server.inter_client,
ping_interval=self.server.ping_interval,
ping_timeout=self.server.ping_timeout,
link_ping_interval=self.server.link_ping_interval,
link_ping_timeout=self.server.link_ping_timeout,
allowed_devices=self.server.allowed_devices,
max_clients=self.server.max_clients,
replica_count=self.server.replica_count,
dns_mapping=self.server.dns_mapping,
debug=self.server.debug,
interface=self.interface,
bridge_interface=self.bridge_interface,
vxlan=self.vxlan,
)
self.interrupt = True
self.bridge_stop()
self.iptables.clear_rules()
self.resources_release()
if not self.clean_exit:
event.Event(type=SERVERS_UPDATED)
self.server.send_link_events()
logger.LogEntry(
message='Server stopped unexpectedly "%s".' % (
self.server.name))
except:
logger.exception('Server error occurred while running', 'server',
server_id=self.server.id,
)
try:
self.interrupt = True
self.stop_process()
except:
logger.exception('Server stop error', 'server',
server_id=self.server.id,
)
finally:
try:
if self.resource_lock:
self.bridge_stop()
self.iptables.clear_rules()
except:
logger.exception('Server resource error', 'server',
server_id=self.server.id,
)
try:
self.resources_release()
self.stop_threads()
self.collection.update({
'_id': self.server.id,
'instances.instance_id': self.id,
}, {
'$pull': {
'instances': {
'instance_id': self.id,
},
},
'$inc': {
'instances_count': -1,
},
})
utils.rmtree(self._temp_path)
except:
logger.exception('Server clean up error', 'server',
server_id=self.server.id,
)
def generate_client_conf(self, platform, client_id, virt_address,
user, reauth):
from pritunl.server.utils import get_by_id
client_conf = ''
if user.link_server_id:
link_usr_svr = get_by_id(user.link_server_id,
fields=('_id', 'network', 'network_start',
'network_end', 'local_networks'))
client_conf += 'iroute %s %s\n' % utils.parse_network(
link_usr_svr.network)
for local_network in link_usr_svr.local_networks:
if ':' in local_network:
client_conf += 'iroute-ipv6 %s\n' % local_network
else:
client_conf += 'iroute %s %s\n' % utils.parse_network(
local_network)
else:
if self.server.mode == ALL_TRAFFIC:
if platform == 'ios':
client_conf += 'push "route 0.0.0.0 128.0.0.0"\n'
client_conf += 'push "route 128.0.0.0 128.0.0.0"\n'
else:
client_conf += 'push "redirect-gateway def1"\n'
if self.server.ipv6:
if platform != 'ios':
client_conf += 'push "redirect-gateway-ipv6 def1"\n'
client_conf += 'push "route-ipv6 2000::/3"\n'
if self.server.dns_mapping:
client_conf += 'push "dhcp-option DNS %s"\n' % (
utils.get_network_gateway(self.server.network))
for dns_server in self.server.dns_servers:
client_conf += 'push "dhcp-option DNS %s"\n' % dns_server
if self.server.search_domain:
client_conf += 'push "dhcp-option DOMAIN %s"\n' % (
self.server.search_domain)
client_conf += 'push "ip-win32 dynamic 0 3600"\n'
network_links = user.get_network_links()
for network_link in network_links:
if self.reserve_iroute(client_id, network_link, True):
if ':' in network_link:
client_conf += 'iroute-ipv6 %s\n' % network_link
else:
client_conf += 'iroute %s %s\n' % \
utils.parse_network(network_link)
if network_links and not reauth:
thread = threading.Thread(target=self.iroute_ping_thread,
args=(client_id, virt_address.split('/')[0]))
thread.daemon = True
thread.start()
for network_link in self.server.network_links:
if ':' in network_link:
client_conf += 'push "route-ipv6 %s"\n' % network_link
else:
client_conf += 'push "route %s %s"\n' % (
utils.parse_network(network_link))
for link_svr in self.server.iter_links(fields=(
'_id', 'network', 'local_networks', 'network_start',
'network_end')):
client_conf += 'push "route %s %s"\n' % utils.parse_network(
link_svr.network)
for local_network in link_svr.local_networks:
if ':' in local_network:
client_conf += 'push "route-ipv6 %s"\n' % (
local_network)
else:
client_conf += 'push "route %s %s"\n' % (
utils.parse_network(local_network))
return client_conf
def generate_ovpn_conf(self):
from pritunl.server.utils import get_by_id
logger.debug(
'Generating server ovpn conf',
'server',
server_id=self.server.id,
)
if not self.server.primary_organization or \
not self.server.primary_user:
self.server.create_primary_user()
if self.server.primary_organization not in self.server.organizations:
self.server.remove_primary_user()
self.server.create_primary_user()
primary_org = organization.get_by_id(self.server.primary_organization)
if not primary_org:
self.server.create_primary_user()
primary_org = organization.get_by_id(
id=self.server.primary_organization)
self.primary_user = primary_org.get_user(self.server.primary_user)
if not self.primary_user:
self.server.create_primary_user()
primary_org = organization.get_by_id(
id=self.server.primary_organization)
self.primary_user = primary_org.get_user(self.server.primary_user)
push = ''
if self.server.mode == LOCAL_TRAFFIC:
for network in self.server.local_networks:
push += 'push "route %s %s"\n' % utils.parse_network(network)
elif self.server.mode == VPN_TRAFFIC:
pass
else:
push += 'push "redirect-gateway"\n'
for dns_server in self.server.dns_servers:
push += 'push "dhcp-option DNS %s"\n' % dns_server
if self.server.search_domain:
push += 'push "dhcp-option DOMAIN %s"\n' % (
self.server.search_domain)
for link_doc in self.server.links:
link_svr = get_by_id(link_doc['server_id'])
push += 'push "route %s %s"\n' % utils.parse_network(
link_svr.network)
for local_network in link_svr.local_networks:
push += 'push "route %s %s"\n' % utils.parse_network(
local_network)
server_conf = OVPN_INLINE_SERVER_CONF % (
self.server.port,
self.server.protocol,
self.interface,
'%s %s' % utils.parse_network(self.server.network),
self.management_socket_path,
CIPHERS[self.server.cipher],
4 if self.server.debug else 1,
8 if self.server.debug else 3,
)
if self.server.bind_address:
server_conf += 'local %s\n' % self.server.bind_address
if self.server.multi_device:
server_conf += 'duplicate-cn\n'
if self.server.otp_auth:
server_conf += 'auth-user-pass-verify %s via-file\n' % (
self.user_pass_verify_path)
# Pritunl v0.10.x did not include comp-lzo in client conf
# if lzo_compression is adaptive dont include comp-lzo in server conf
if self.server.lzo_compression == ADAPTIVE:
pass
elif self.server.lzo_compression:
server_conf += 'comp-lzo yes\npush "comp-lzo yes"\n'
else:
server_conf += 'comp-lzo no\npush "comp-lzo no"\n'
server_conf += JUMBO_FRAMES[self.server.jumbo_frames]
if push:
server_conf += push
server_conf += '<ca>\n%s\n</ca>\n' % self.server.ca_certificate
if self.server.tls_auth:
server_conf += '<tls-auth>\n%s\n</tls-auth>\n' % (
self.server.tls_auth_key)
server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
self.primary_user.certificate)
server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params
with open(self.ovpn_conf_path, 'w') as ovpn_conf:
os.chmod(self.ovpn_conf_path, 0600)
ovpn_conf.write(server_conf)
def client_connect(self, client):
from pritunl.server.utils import get_by_id
try:
client_id = client['client_id']
org_id = bson.ObjectId(client['org_id'])
user_id = bson.ObjectId(client['user_id'])
device_id = client.get('device_id')
device_name = client.get('device_name')
platform = client.get('platform')
mac_addr = client.get('mac_addr')
otp_code = client.get('otp_code')
remote_ip = client.get('remote_ip')
devices = self.client_devices[user_id]
if not _limiter.validate(remote_ip):
self.send_client_deny(client, 'Too many connect requests')
return
org = self.server.get_org(org_id, fields=['_id'])
if not org:
self.send_client_deny(client, 'Organization is not valid')
return
user = org.get_user(user_id, fields=[
'_id', 'name', 'type', 'disabled', 'otp_secret'])
if not user:
self.send_client_deny(client, 'User is not valid')
return
if self.server.otp_auth and user.type == CERT_CLIENT and \
not user.verify_otp_code(otp_code, remote_ip):
logger.LogEntry(message='User failed two-step ' +
'authentication "%s".' % user.name)
self.send_client_deny(client, 'Invalid OTP code')
return
client_conf = ''
link_svr_id = None
for link_doc in self.server.links:
if link_doc['user_id'] == user.id:
link_svr_id = link_doc['server_id']
break
if link_svr_id:
link_svr = get_by_id(link_svr_id,
fields=['_id', 'network', 'local_networks'])
client_conf += 'iroute %s %s\n' % utils.parse_network(
link_svr.network)
for local_network in link_svr.local_networks:
client_conf += 'iroute %s %s\n' % utils.parse_network(
local_network)
if not self.server.multi_device:
virt_address = self.server.get_ip_addr(org.id, user_id)
if virt_address and virt_address in self.client_ips:
for i, device in enumerate(devices):
if device['virt_address'] == virt_address:
self.client_kill(device)
if virt_address in self.client_ips:
self.client_ips.remove(virt_address)
del devices[i]
else:
virt_address = None
if devices and device_id:
for i, device in enumerate(devices):
if device['device_id'] == device_id:
virt_address = device['virt_address']
self.client_kill(device)
if virt_address in self.client_ips:
self.client_ips.remove(virt_address)
del devices[i]
if not virt_address:
virt_address = self.server.get_ip_addr(org.id, user_id)
if virt_address and virt_address in self.client_ips:
virt_address = None
if not virt_address:
while True:
try:
ip_addr = self.ip_pool.pop()
except IndexError:
break
ip_addr = '%s/%s' % (
ip_addr, self.ip_network.prefixlen)
if ip_addr not in self.client_ips:
virt_address = ip_addr
self.client_dyn_ips.add(virt_address)
break
if virt_address:
self.client_ips.add(virt_address)
devices.append({
'user_id': user_id,
'org_id': org_id,
'client_id': client_id,
'device_id': device_id,
'device_name': device_name,
'type': user.type,
'platform': platform,
'mac_addr': mac_addr,
'otp_code': otp_code,
'virt_address': virt_address,
'real_address': remote_ip,
})
client_conf += 'ifconfig-push %s %s\n' % utils.parse_network(
virt_address)
self.send_client_auth(client, client_conf)
else:
self.send_client_deny(client, 'Unable to assign ip address')
except:
logger.exception('Error parsing client connect', 'server',
server_id=self.server.id,
instance_id=self.instance.id,
)
self.send_client_deny(client, 'Error parsing client connect')
def generate_ovpn_conf(self):
from pritunl.server.utils import get_by_id
logger.debug('Generating server ovpn conf', 'server',
server_id=self.server.id,
)
if not self.server.primary_organization or \
not self.server.primary_user:
self.server.create_primary_user()
if self.server.primary_organization not in self.server.organizations:
self.server.remove_primary_user()
self.server.create_primary_user()
primary_org = organization.get_by_id(self.server.primary_organization)
if not primary_org:
self.server.create_primary_user()
primary_org = organization.get_by_id(
id=self.server.primary_organization)
self.primary_user = primary_org.get_user(self.server.primary_user)
if not self.primary_user:
self.server.create_primary_user()
primary_org = organization.get_by_id(
id=self.server.primary_organization)
self.primary_user = primary_org.get_user(self.server.primary_user)
push = ''
if self.server.mode == LOCAL_TRAFFIC:
for network in self.server.local_networks:
push += 'push "route %s %s"\n' % utils.parse_network(network)
elif self.server.mode == VPN_TRAFFIC:
pass
else:
push += 'push "redirect-gateway"\n'
for dns_server in self.server.dns_servers:
push += 'push "dhcp-option DNS %s"\n' % dns_server
if self.server.search_domain:
push += 'push "dhcp-option DOMAIN %s"\n' % (
self.server.search_domain)
for link_doc in self.server.links:
link_svr = get_by_id(link_doc['server_id'])
push += 'push "route %s %s"\n' % utils.parse_network(
link_svr.network)
for local_network in link_svr.local_networks:
push += 'push "route %s %s"\n' % utils.parse_network(
local_network)
server_conf = OVPN_INLINE_SERVER_CONF % (
self.server.port,
self.server.protocol,
self.interface,
'%s %s' % utils.parse_network(self.server.network),
self.management_socket_path,
CIPHERS[self.server.cipher],
4 if self.server.debug else 1,
8 if self.server.debug else 3,
)
if self.server.bind_address:
server_conf += 'local %s\n' % self.server.bind_address
if self.server.multi_device:
server_conf += 'duplicate-cn\n'
if self.server.otp_auth:
server_conf += 'auth-user-pass-verify %s via-file\n' % (
self.user_pass_verify_path)
# Pritunl v0.10.x did not include comp-lzo in client conf
# if lzo_compression is adaptive dont include comp-lzo in server conf
if self.server.lzo_compression == ADAPTIVE:
pass
elif self.server.lzo_compression:
server_conf += 'comp-lzo yes\npush "comp-lzo yes"\n'
else:
server_conf += 'comp-lzo no\npush "comp-lzo no"\n'
server_conf += JUMBO_FRAMES[self.server.jumbo_frames]
if push:
server_conf += push
server_conf += '<ca>\n%s\n</ca>\n' % self.server.ca_certificate
if self.server.tls_auth:
server_conf += '<tls-auth>\n%s\n</tls-auth>\n' % (
self.server.tls_auth_key)
server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
self.primary_user.certificate)
server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params
with open(self.ovpn_conf_path, 'w') as ovpn_conf:
os.chmod(self.ovpn_conf_path, 0600)
ovpn_conf.write(server_conf)