def generate_client_conf(self, platform, client_id, virt_address, user,
reauth):
client_conf = ''
if user.link_server_id:
link_usr_svr = self.server.get_link_server(
user.link_server_id,
fields=('_id', 'network', 'network_start', 'network_end',
'local_networks', 'organizations', 'routes', 'links',
'ipv6'))
for route in link_usr_svr.get_routes(include_default=False):
network = route['network']
if ':' in network:
client_conf += 'iroute-ipv6 %s\n' % network
else:
client_conf += 'iroute %s %s\n' % utils.parse_network(
network)
else:
if self.server.is_route_all():
if platform == 'ios':
client_conf += 'push "route 0.0.0.0 128.0.0.0"\n'
client_conf += 'push "route 128.0.0.0 128.0.0.0"\n'
else:
client_conf += 'push "redirect-gateway def1"\n'
if self.server.ipv6:
if platform != 'ios':
client_conf += 'push "redirect-gateway-ipv6 def1"\n'
client_conf += 'push "route-ipv6 2000::/3"\n'
if self.server.dns_mapping:
client_conf += 'push "dhcp-option DNS %s"\n' % (
utils.get_network_gateway(self.server.network))
for dns_server in self.server.dns_servers:
client_conf += 'push "dhcp-option DNS %s"\n' % dns_server
if self.server.search_domain:
client_conf += 'push "dhcp-option DOMAIN %s"\n' % (
self.server.search_domain)
network_links = user.get_network_links()
for network_link in network_links:
if self.reserve_iroute(client_id, network_link, True):
if ':' in network_link:
client_conf += 'iroute-ipv6 %s\n' % network_link
else:
client_conf += 'iroute %s %s\n' % \
utils.parse_network(network_link)
if network_links and not reauth:
thread = threading.Thread(target=self.iroute_ping_thread,
args=(client_id,
virt_address.split('/')[0]))
thread.daemon = True
thread.start()
for network_link in self.server.network_links:
if ':' in network_link:
client_conf += 'push "route-ipv6 %s"\n' % network_link
else:
client_conf += 'push "route %s %s"\n' % (
utils.parse_network(network_link))
for link_svr in self.server.iter_links(
fields=('_id', 'network', 'local_networks',
'network_start', 'network_end', 'organizations',
'routes', 'links', 'ipv6')):
for route in link_svr.get_routes(include_default=False):
network = route['network']
if ':' in network:
client_conf += 'push "route-ipv6 %s"\n' % (network)
else:
client_conf += 'push "route %s %s"\n' % (
utils.parse_network(network))
return client_conf
def generate_ovpn_conf(self):
logger.debug('Generating server ovpn conf', 'server',
server_id=self.server.id,
)
if not self.server.primary_organization or \
not self.server.primary_user:
self.server.create_primary_user()
if self.server.primary_organization not in self.server.organizations:
self.server.remove_primary_user()
self.server.create_primary_user()
primary_org = organization.get_by_id(self.server.primary_organization)
if not primary_org:
self.server.create_primary_user()
primary_org = organization.get_by_id(
id=self.server.primary_organization)
self.primary_user = primary_org.get_user(self.server.primary_user)
if not self.primary_user:
self.server.create_primary_user()
primary_org = organization.get_by_id(
id=self.server.primary_organization)
self.primary_user = primary_org.get_user(self.server.primary_user)
push = ''
if self.server.mode == LOCAL_TRAFFIC:
for network in self.server.local_networks:
push += 'push "route %s %s"\n' % utils.parse_network(network)
elif self.server.mode == VPN_TRAFFIC:
pass
for link_svr in self.server.iter_links(fields=(
'_id', 'network', 'local_networks')):
if self.server.id < link_svr.id:
gateway = utils.get_network_gateway(self.server.network)
push += 'route %s %s %s\n' % (utils.parse_network(
link_svr.network) + (gateway,))
for local_network in link_svr.local_networks:
push += 'route %s %s %s\n' % (utils.parse_network(
local_network) + (gateway,))
server_conf = OVPN_INLINE_SERVER_CONF % (
self.server.port,
self.server.protocol,
self.interface,
'%s %s' % utils.parse_network(self.server.network),
self.management_socket_path,
self.server.max_clients,
self.server.ping_interval,
self.server.ping_timeout + 20,
self.server.ping_interval,
self.server.ping_timeout,
CIPHERS[self.server.cipher],
4 if self.server.debug else 1,
8 if self.server.debug else 3,
)
if self.server.bind_address:
server_conf += 'local %s\n' % self.server.bind_address
if self.server.inter_client:
server_conf += 'client-to-client\n'
if self.server.multi_device:
server_conf += 'duplicate-cn\n'
# Pritunl v0.10.x did not include comp-lzo in client conf
# if lzo_compression is adaptive dont include comp-lzo in server conf
if self.server.lzo_compression == ADAPTIVE:
pass
elif self.server.lzo_compression:
server_conf += 'comp-lzo yes\npush "comp-lzo yes"\n'
else:
server_conf += 'comp-lzo no\npush "comp-lzo no"\n'
server_conf += JUMBO_FRAMES[self.server.jumbo_frames]
if push:
server_conf += push
if self.server.debug:
self.server.output.push_message('Server conf:')
for conf_line in server_conf.split('\n'):
if conf_line:
self.server.output.push_message(' ' + conf_line)
server_conf += '<ca>\n%s\n</ca>\n' % self.server.ca_certificate
if self.server.tls_auth:
server_conf += 'key-direction 0\n<tls-auth>\n%s\n</tls-auth>\n' % (
self.server.tls_auth_key)
server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
self.primary_user.certificate)
server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params
with open(self.ovpn_conf_path, 'w') as ovpn_conf:
os.chmod(self.ovpn_conf_path, 0600)
ovpn_conf.write(server_conf)
def generate_client_conf(self, platform, client_id, virt_address,
user, reauth):
client_conf = ''
if user.link_server_id:
link_usr_svr = self.server.get_link_server(user.link_server_id,
fields=('_id', 'network', 'network_start', 'network_end',
'local_networks', 'organizations', 'routes', 'links',
'ipv6'))
for route in link_usr_svr.get_routes(
include_default=False):
network = route['network']
if ':' in network:
client_conf += 'iroute-ipv6 %s\n' % network
else:
client_conf += 'iroute %s %s\n' % utils.parse_network(
network)
else:
if self.server.is_route_all():
if platform == 'ios':
client_conf += 'push "route 0.0.0.0 128.0.0.0"\n'
client_conf += 'push "route 128.0.0.0 128.0.0.0"\n'
else:
client_conf += 'push "redirect-gateway def1"\n'
if self.server.ipv6:
if platform != 'ios':
client_conf += 'push "redirect-gateway-ipv6 def1"\n'
client_conf += 'push "route-ipv6 2000::/3"\n'
if self.server.dns_mapping:
client_conf += 'push "dhcp-option DNS %s"\n' % (
utils.get_network_gateway(self.server.network))
for dns_server in self.server.dns_servers:
client_conf += 'push "dhcp-option DNS %s"\n' % dns_server
if self.server.search_domain:
client_conf += 'push "dhcp-option DOMAIN %s"\n' % (
self.server.search_domain)
network_links = user.get_network_links()
for network_link in network_links:
if self.reserve_iroute(client_id, network_link, True):
if ':' in network_link:
client_conf += 'iroute-ipv6 %s\n' % network_link
else:
client_conf += 'iroute %s %s\n' % \
utils.parse_network(network_link)
if network_links and not reauth:
thread = threading.Thread(target=self.iroute_ping_thread,
args=(client_id, virt_address.split('/')[0]))
thread.daemon = True
thread.start()
for network_link in self.server.network_links:
if ':' in network_link:
client_conf += 'push "route-ipv6 %s"\n' % network_link
else:
client_conf += 'push "route %s %s"\n' % (
utils.parse_network(network_link))
for link_svr in self.server.iter_links(fields=(
'_id', 'network', 'local_networks', 'network_start',
'network_end', 'organizations', 'routes', 'links',
'ipv6')):
for route in link_svr.get_routes(
include_default=False):
network = route['network']
if ':' in network:
client_conf += 'push "route-ipv6 %s"\n' % (network)
else:
client_conf += 'push "route %s %s"\n' % (
utils.parse_network(network))
return client_conf
def generate_ovpn_conf(self):
logger.debug(
'Generating server ovpn conf',
'server',
server_id=self.server.id,
)
if not self.server.primary_organization or \
not self.server.primary_user:
self.server.create_primary_user()
if self.server.primary_organization not in self.server.organizations:
self.server.remove_primary_user()
self.server.create_primary_user()
primary_org = organization.get_by_id(self.server.primary_organization)
if not primary_org:
self.server.create_primary_user()
primary_org = organization.get_by_id(
id=self.server.primary_organization)
self.primary_user = primary_org.get_user(self.server.primary_user)
if not self.primary_user:
self.server.create_primary_user()
primary_org = organization.get_by_id(
id=self.server.primary_organization)
self.primary_user = primary_org.get_user(self.server.primary_user)
push = ''
if self.server.mode == LOCAL_TRAFFIC:
for network in self.server.local_networks:
push += 'push "route %s %s"\n' % utils.parse_network(network)
elif self.server.mode == VPN_TRAFFIC:
pass
for link_svr in self.server.iter_links(fields=('_id', 'network',
'local_networks')):
if self.server.id < link_svr.id:
gateway = utils.get_network_gateway(self.server.network)
push += 'route %s %s %s\n' % (
utils.parse_network(link_svr.network) + (gateway, ))
for local_network in link_svr.local_networks:
push += 'route %s %s %s\n' % (
utils.parse_network(local_network) + (gateway, ))
server_conf = OVPN_INLINE_SERVER_CONF % (
self.server.port,
self.server.protocol,
self.interface,
'%s %s' % utils.parse_network(self.server.network),
self.management_socket_path,
CIPHERS[self.server.cipher],
4 if self.server.debug else 1,
8 if self.server.debug else 3,
)
if self.server.bind_address:
server_conf += 'local %s\n' % self.server.bind_address
if self.server.multi_device:
server_conf += 'duplicate-cn\n'
# Pritunl v0.10.x did not include comp-lzo in client conf
# if lzo_compression is adaptive dont include comp-lzo in server conf
if self.server.lzo_compression == ADAPTIVE:
pass
elif self.server.lzo_compression:
server_conf += 'comp-lzo yes\npush "comp-lzo yes"\n'
else:
server_conf += 'comp-lzo no\npush "comp-lzo no"\n'
server_conf += JUMBO_FRAMES[self.server.jumbo_frames]
if push:
server_conf += push
if self.server.debug:
self.server.output.push_message('Server conf:')
for conf_line in server_conf.split('\n'):
if conf_line:
self.server.output.push_message(' ' + conf_line)
server_conf += '<ca>\n%s\n</ca>\n' % self.server.ca_certificate
if self.server.tls_auth:
server_conf += 'key-direction 0\n<tls-auth>\n%s\n</tls-auth>\n' % (
self.server.tls_auth_key)
server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
self.primary_user.certificate)
server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params
with open(self.ovpn_conf_path, 'w') as ovpn_conf:
os.chmod(self.ovpn_conf_path, 0600)
ovpn_conf.write(server_conf)
def generate_ovpn_conf(self):
if not self.server.primary_organization or \
not self.server.primary_user:
self.server.create_primary_user()
if self.server.primary_organization not in self.server.organizations:
self.server.remove_primary_user()
self.server.create_primary_user()
primary_org = organization.get_by_id(self.server.primary_organization)
if not primary_org:
self.server.create_primary_user()
primary_org = organization.get_by_id(
id=self.server.primary_organization)
self.primary_user = primary_org.get_user(self.server.primary_user)
if not self.primary_user:
self.server.create_primary_user()
primary_org = organization.get_by_id(
id=self.server.primary_organization)
self.primary_user = primary_org.get_user(self.server.primary_user)
gateway = utils.get_network_gateway(self.server.network)
gateway6 = utils.get_network_gateway(self.server.network6)
push = ''
routes = []
for route in self.server.get_routes(include_default=False):
routes.append(route['network'])
if route['virtual_network']:
continue
network = route['network']
if route['net_gateway']:
if ':' in network:
push += 'push "route-ipv6 %s net_gateway"\n' % network
else:
push += 'push "route %s %s net_gateway"\n' % \
utils.parse_network(network)
elif not route.get('network_link'):
if ':' in network:
push += 'push "route-ipv6 %s"\n' % network
else:
push += 'push "route %s %s"\n' % utils.parse_network(
network)
else:
if ':' in network:
push += 'route-ipv6 %s %s\n' % (network, gateway6)
else:
push += 'route %s %s %s\n' % (
utils.parse_network(network) + (gateway, ))
for link_svr in self.server.iter_links(
fields=('_id', 'network', 'local_networks', 'network_start',
'network_end', 'organizations', 'routes', 'links',
'ipv6', 'replica_count', 'network_mode')):
if self.server.id < link_svr.id:
for route in link_svr.get_routes(include_default=False):
network = route['network']
if route['net_gateway']:
continue
if ':' in network:
push += 'route-ipv6 %s %s\n' % (network, gateway6)
else:
push += 'route %s %s %s\n' % (
utils.parse_network(network) + (gateway, ))
if self.vxlan:
push += 'push "route %s %s"\n' % utils.parse_network(
self.vxlan.vxlan_net)
if self.server.network_mode == BRIDGE:
host_int_data = self.host_interface_data
host_address = host_int_data['address']
host_netmask = host_int_data['netmask']
server_line = 'server-bridge %s %s %s %s' % (
host_address,
host_netmask,
self.server.network_start,
self.server.network_end,
)
else:
server_line = 'server %s %s' % utils.parse_network(
self.server.network)
if self.server.ipv6:
server_line += '\nserver-ipv6 ' + self.server.network6
if self.server.protocol == 'tcp':
if (self.server.ipv6 or settings.vpn.ipv6) and \
not self.server.bind_address:
protocol = 'tcp6-server'
else:
protocol = 'tcp-server'
elif self.server.protocol == 'udp':
if (self.server.ipv6 or settings.vpn.ipv6) and \
not self.server.bind_address:
protocol = 'udp6'
else:
protocol = 'udp'
else:
raise ValueError('Unknown protocol')
server_conf = OVPN_INLINE_SERVER_CONF % (
self.server.port,
protocol,
self.interface,
server_line,
self.management_socket_path,
self.server.max_clients,
self.server.ping_interval,
self.server.ping_timeout + 20,
self.server.ping_interval,
self.server.ping_timeout,
SERVER_CIPHERS[self.server.cipher],
HASHES[self.server.hash],
4 if self.server.debug else 1,
8 if self.server.debug else 3,
)
if self.server.bind_address:
server_conf += 'local %s\n' % self.server.bind_address
if self.server.inter_client:
server_conf += 'client-to-client\n'
if self.server.multi_device:
server_conf += 'duplicate-cn\n'
if self.server.protocol == 'udp':
server_conf += 'replay-window 128\n'
# Pritunl v0.10.x did not include comp-lzo in client conf
# if lzo_compression is adaptive dont include comp-lzo in server conf
if self.server.lzo_compression == ADAPTIVE:
pass
elif self.server.lzo_compression:
server_conf += 'comp-lzo yes\npush "comp-lzo yes"\n'
else:
server_conf += 'comp-lzo no\npush "comp-lzo no"\n'
server_conf += JUMBO_FRAMES[self.server.jumbo_frames]
if push:
server_conf += push
if self.server.debug:
self.server.output.push_message('Server conf:')
for conf_line in server_conf.split('\n'):
if conf_line:
self.server.output.push_message(' ' + conf_line)
if settings.local.sub_plan and \
'enterprise' in settings.local.sub_plan:
returns = plugins.caller(
'server_config',
host_id=settings.local.host_id,
host_name=settings.local.host.name,
server_id=self.server.id,
server_name=self.server.name,
port=self.server.port,
protocol=self.server.protocol,
ipv6=self.server.ipv6,
ipv6_firewall=self.server.ipv6_firewall,
network=self.server.network,
network6=self.server.network6,
network_mode=self.server.network_mode,
network_start=self.server.network_start,
network_stop=self.server.network_end,
restrict_routes=self.server.restrict_routes,
bind_address=self.server.bind_address,
onc_hostname=self.server.onc_hostname,
dh_param_bits=self.server.dh_param_bits,
multi_device=self.server.multi_device,
dns_servers=self.server.dns_servers,
search_domain=self.server.search_domain,
otp_auth=self.server.otp_auth,
cipher=self.server.cipher,
hash=self.server.hash,
inter_client=self.server.inter_client,
ping_interval=self.server.ping_interval,
ping_timeout=self.server.ping_timeout,
link_ping_interval=self.server.link_ping_interval,
link_ping_timeout=self.server.link_ping_timeout,
allowed_devices=self.server.allowed_devices,
max_clients=self.server.max_clients,
replica_count=self.server.replica_count,
dns_mapping=self.server.dns_mapping,
debug=self.server.debug,
routes=routes,
interface=self.interface,
bridge_interface=self.bridge_interface,
vxlan=self.vxlan,
)
if returns:
for return_val in returns:
if not return_val:
continue
server_conf += return_val.strip() + '/n'
server_conf += '<ca>\n%s\n</ca>\n' % self.server.ca_certificate
if self.server.tls_auth:
server_conf += 'key-direction 0\n<tls-auth>\n%s\n</tls-auth>\n' % (
self.server.tls_auth_key)
server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
self.primary_user.certificate)
server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params
with open(self.ovpn_conf_path, 'w') as ovpn_conf:
os.chmod(self.ovpn_conf_path, 0600)
ovpn_conf.write(server_conf)
def generate_iptables_rules(self):
server_addr = utils.get_network_gateway(self.server.network)
server_addr6 = utils.get_network_gateway(self.server.network6)
ipv6_firewall = self.server.ipv6_firewall and \
settings.local.host.routed_subnet6
self.iptables.id = self.server.id
self.iptables.ipv6 = self.server.ipv6
self.iptables.server_addr = server_addr
self.iptables.server_addr6 = server_addr6
self.iptables.virt_interface = self.interface
self.iptables.virt_network = self.server.network
self.iptables.virt_network6 = self.server.network6
self.iptables.ipv6_firewall = ipv6_firewall
self.iptables.inter_client = self.server.inter_client
self.iptables.restrict_routes = self.server.restrict_routes
try:
routes_output = utils.check_output_logged(['route', '-n'])
except subprocess.CalledProcessError:
logger.exception(
'Failed to get IP routes',
'server',
server_id=self.server.id,
)
raise
routes = []
default_interface = None
for line in routes_output.splitlines():
line_split = line.split()
if len(line_split) < 8 or not re.match(IP_REGEX, line_split[0]):
continue
if line_split[0] not in routes:
if line_split[0] == '0.0.0.0':
if default_interface:
continue
default_interface = line_split[7]
routes.append((ipaddress.IPNetwork(
'%s/%s' %
(line_split[0], utils.subnet_to_cidr(line_split[2]))),
line_split[7]))
routes.reverse()
if not default_interface:
raise IptablesError('Failed to find default network interface')
routes6 = []
default_interface6 = None
if self.server.ipv6:
try:
routes_output = utils.check_output_logged(
['route', '-n', '-A', 'inet6'])
except subprocess.CalledProcessError:
logger.exception(
'Failed to get IPv6 routes',
'server',
server_id=self.server.id,
)
raise
for line in routes_output.splitlines():
line_split = line.split()
if len(line_split) < 7:
continue
try:
route_network = ipaddress.IPv6Network(line_split[0])
except (ipaddress.AddressValueError, ValueError):
continue
if line_split[0] == '::/0':
if default_interface6:
continue
default_interface6 = line_split[6]
routes6.append((
route_network,
line_split[6],
))
if not default_interface6:
raise IptablesError(
'Failed to find default IPv6 network interface')
if default_interface6 == 'lo':
logger.error(
'Failed to find default IPv6 interface',
'server',
server_id=self.server.id,
)
routes6.reverse()
interfaces = set()
interfaces6 = set()
for route in self.server.get_routes(
include_hidden=True,
include_server_links=True,
include_default=True,
):
if route['virtual_network'] or route['link_virtual_network']:
self.iptables.add_nat_network(route['network'])
if route['virtual_network'] or route['net_gateway']:
continue
network = route['network']
is6 = ':' in network
network_obj = ipaddress.IPNetwork(network)
interface = route['nat_interface']
if is6:
if not interface:
for route_net, route_intf in routes6:
if network_obj in route_net:
interface = route_intf
break
if not interface:
logger.info(
'Failed to find interface for local ' + \
'IPv6 network route, using default route',
'server',
server_id=self.server.id,
network=network,
)
interface = default_interface6
interfaces6.add(interface)
else:
if not interface:
for route_net, route_intf in routes:
if network_obj in route_net:
interface = route_intf
break
if not interface:
logger.info(
'Failed to find interface for local ' + \
'network route, using default route',
'server',
server_id=self.server.id,
network=network,
)
interface = default_interface
interfaces.add(interface)
self.iptables.add_route(
network,
nat=route['nat'],
nat_interface=interface,
)
if self.vxlan:
self.iptables.add_route(self.vxlan.vxlan_net)
self.iptables.generate()
def generate_ovpn_conf(self):
logger.debug('Generating server ovpn conf', 'server',
server_id=self.server.id,
)
if not self.server.primary_organization or \
not self.server.primary_user:
self.server.create_primary_user()
if self.server.primary_organization not in self.server.organizations:
self.server.remove_primary_user()
self.server.create_primary_user()
primary_org = organization.get_by_id(self.server.primary_organization)
if not primary_org:
self.server.create_primary_user()
primary_org = organization.get_by_id(
id=self.server.primary_organization)
self.primary_user = primary_org.get_user(self.server.primary_user)
if not self.primary_user:
self.server.create_primary_user()
primary_org = organization.get_by_id(
id=self.server.primary_organization)
self.primary_user = primary_org.get_user(self.server.primary_user)
gateway = utils.get_network_gateway(self.server.network)
gateway6 = utils.get_network_gateway(self.server.network6)
push = ''
for route in self.server.get_routes(include_default=False):
if route['virtual_network']:
continue
network = route['network']
if not route.get('network_link'):
if ':' in network:
push += 'push "route-ipv6 %s "\n' % network
else:
push += 'push "route %s %s"\n' % utils.parse_network(
network)
else:
if ':' in network:
push += 'route-ipv6 %s %s\n' % (network, gateway6)
else:
push += 'route %s %s %s\n' % (utils.parse_network(
network) + (gateway,))
for link_svr in self.server.iter_links(fields=(
'_id', 'network', 'local_networks', 'network_start',
'network_end', 'organizations', 'routes', 'links')):
if self.server.id < link_svr.id:
for route in link_svr.get_routes(include_default=False):
network = route['network']
if ':' in network:
push += 'route-ipv6 %s %s\n' % (
network, gateway6)
else:
push += 'route %s %s %s\n' % (utils.parse_network(
network) + (gateway,))
if self.server.network_mode == BRIDGE:
host_int_data = self.host_interface_data
host_address = host_int_data['address']
host_netmask = host_int_data['netmask']
server_line = 'server-bridge %s %s %s %s' % (
host_address,
host_netmask,
self.server.network_start,
self.server.network_end,
)
else:
server_line = 'server %s %s' % utils.parse_network(
self.server.network)
if self.server.ipv6:
server_line += '\nserver-ipv6 ' + self.server.network6
server_conf = OVPN_INLINE_SERVER_CONF % (
self.server.port,
self.server.protocol + ('6' if self.server.ipv6 else ''),
self.interface,
server_line,
self.management_socket_path,
self.server.max_clients,
self.server.ping_interval,
self.server.ping_timeout + 20,
self.server.ping_interval,
self.server.ping_timeout,
CIPHERS[self.server.cipher],
HASHES[self.server.hash],
4 if self.server.debug else 1,
8 if self.server.debug else 3,
)
if self.server.bind_address:
server_conf += 'local %s\n' % self.server.bind_address
if self.server.inter_client:
server_conf += 'client-to-client\n'
if self.server.multi_device:
server_conf += 'duplicate-cn\n'
if self.server.protocol == 'udp':
server_conf += 'replay-window 128\n'
# Pritunl v0.10.x did not include comp-lzo in client conf
# if lzo_compression is adaptive dont include comp-lzo in server conf
if self.server.lzo_compression == ADAPTIVE:
pass
elif self.server.lzo_compression:
server_conf += 'comp-lzo yes\npush "comp-lzo yes"\n'
else:
server_conf += 'comp-lzo no\npush "comp-lzo no"\n'
server_conf += JUMBO_FRAMES[self.server.jumbo_frames]
if push:
server_conf += push
if self.server.debug:
self.server.output.push_message('Server conf:')
for conf_line in server_conf.split('\n'):
if conf_line:
self.server.output.push_message(' ' + conf_line)
server_conf += '<ca>\n%s\n</ca>\n' % self.server.ca_certificate
if self.server.tls_auth:
server_conf += 'key-direction 0\n<tls-auth>\n%s\n</tls-auth>\n' % (
self.server.tls_auth_key)
server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
self.primary_user.certificate)
server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params
with open(self.ovpn_conf_path, 'w') as ovpn_conf:
os.chmod(self.ovpn_conf_path, 0600)
ovpn_conf.write(server_conf)
def generate_iptables_rules(self):
rules = []
rules6 = []
try:
routes_output = utils.check_output_logged(['route', '-n'])
except subprocess.CalledProcessError:
logger.exception('Failed to get IP routes', 'server',
server_id=self.server.id,
)
raise
routes = []
default_interface = None
for line in routes_output.splitlines():
line_split = line.split()
if len(line_split) < 8 or not re.match(IP_REGEX, line_split[0]):
continue
if line_split[0] not in routes:
if line_split[0] == '0.0.0.0':
default_interface = line_split[7]
routes.append((
ipaddress.IPNetwork('%s/%s' % (line_split[0],
utils.subnet_to_cidr(line_split[2]))),
line_split[7]
))
routes.reverse()
if not default_interface:
raise IptablesError('Failed to find default network interface')
routes6 = []
default_interface6 = None
if self.server.ipv6:
try:
routes_output = utils.check_output_logged(
['route', '-n', '-A', 'inet6'])
except subprocess.CalledProcessError:
logger.exception('Failed to get IPv6 routes', 'server',
server_id=self.server.id,
)
raise
for line in routes_output.splitlines():
line_split = line.split()
if len(line_split) < 7:
continue
try:
route_network = ipaddress.IPv6Network(line_split[0])
except (ipaddress.AddressValueError, ValueError):
continue
if not default_interface6 and line_split[0] == '::/0':
default_interface6 = line_split[6]
routes6.append((
route_network,
line_split[6]
))
if not default_interface6:
raise IptablesError(
'Failed to find default IPv6 network interface')
if default_interface6 == 'lo':
logger.error('Failed to find default IPv6 interface',
'server',
server_id=self.server.id,
)
routes6.reverse()
route_all = self.server.is_route_all()
if route_all:
rules.append([
'INPUT',
'-i', self.interface,
'-j', 'ACCEPT',
])
rules.append([
'OUTPUT',
'-o', self.interface,
'-j', 'ACCEPT',
])
rules.append([
'FORWARD',
'-i', self.interface,
'-j', 'ACCEPT',
])
if self.server.ipv6:
if self.server.ipv6_firewall and \
settings.local.host.routed_subnet6:
rules6.append([
'INPUT',
'-d', self.server.network6,
'-m', 'conntrack',
'--ctstate','RELATED,ESTABLISHED',
'-j', 'ACCEPT',
])
rules6.append([
'INPUT',
'-d', self.server.network6,
'-p', 'icmpv6',
'-m', 'conntrack',
'--ctstate', 'NEW',
'-j', 'ACCEPT',
])
rules6.append([
'INPUT',
'-d', self.server.network6,
'-j', 'DROP',
])
rules6.append([
'FORWARD',
'-d', self.server.network6,
'-m', 'conntrack',
'--ctstate', 'RELATED,ESTABLISHED',
'-j', 'ACCEPT',
])
rules6.append([
'FORWARD',
'-d', self.server.network6,
'-p', 'icmpv6',
'-m', 'conntrack',
'--ctstate', 'NEW',
'-j', 'ACCEPT',
])
rules6.append([
'FORWARD',
'-d', self.server.network6,
'-j', 'DROP',
])
else:
rules6.append([
'INPUT',
'-d', self.server.network6,
'-j', 'ACCEPT',
])
rules6.append([
'FORWARD',
'-d', self.server.network6,
'-j', 'ACCEPT',
])
elif self.server.restrict_routes:
if self.server.inter_client:
rules.append([
'INPUT', '-i', self.interface,
'-d', self.server.network,
'-j', 'ACCEPT',
])
rules6.append([
'INPUT', '-i', self.interface,
'-d', self.server.network6,
'-j', 'ACCEPT',
])
rules.append([
'OUTPUT', '-o', self.interface,
'-s', self.server.network,
'-j', 'ACCEPT',
])
rules6.append([
'OUTPUT', '-o', self.interface,
'-s', self.server.network6,
'-j', 'ACCEPT',
])
rules.append([
'FORWARD', '-i', self.interface,
'-d', self.server.network,
'-j', 'ACCEPT',
])
rules.append([
'FORWARD', '-o', self.interface,
'-s', self.server.network,
'-j', 'ACCEPT',
])
rules6.append([
'FORWARD', '-i', self.interface,
'-d', self.server.network6,
'-j', 'ACCEPT',
])
rules6.append([
'FORWARD', '-o', self.interface,
'-s', self.server.network6,
'-j', 'ACCEPT',
])
else:
server_addr = utils.get_network_gateway(self.server.network)
server_addr6 = utils.get_network_gateway(self.server.network6)
rules.append([
'INPUT', '-i', self.interface,
'-d', server_addr,
'-j', 'ACCEPT',
])
rules6.append([
'INPUT', '-i', self.interface,
'-d', server_addr6,
'-j', 'ACCEPT',
])
rules.append([
'OUTPUT', '-o', self.interface,
'-s', server_addr,
'-j', 'ACCEPT',
])
rules6.append([
'OUTPUT', '-o', self.interface,
'-s', server_addr6,
'-j', 'ACCEPT',
])
for route in self.server.get_routes(
include_hidden=True,
include_server_links=True,
include_default=False,
):
network_address = route['network']
is6 = ':' in network_address
is_nat = route['nat']
if route['virtual_network']:
continue
if self.server.restrict_routes:
if is6:
rules6.append([
'INPUT',
'-i', self.interface,
'-d', network_address,
'-j', 'ACCEPT',
])
rules6.append([
'OUTPUT',
'-o', self.interface,
'-s', network_address,
'-j', 'ACCEPT',
])
rules6.append([
'FORWARD',
'-i', self.interface,
'-d', network_address,
'-j', 'ACCEPT',
])
if is_nat:
rules6.append([
'FORWARD',
'-o', self.interface,
'-m', 'conntrack',
'--ctstate', 'RELATED,ESTABLISHED',
'-s', network_address,
'-j', 'ACCEPT',
])
else:
rules6.append([
'FORWARD',
'-o', self.interface,
'-s', network_address,
'-j', 'ACCEPT',
])
else:
rules.append([
'INPUT',
'-i', self.interface,
'-d', network_address,
'-j', 'ACCEPT',
])
rules.append([
'OUTPUT',
'-o', self.interface,
'-s', network_address,
'-j', 'ACCEPT',
])
rules.append([
'FORWARD',
'-i', self.interface,
'-d', network_address,
'-j', 'ACCEPT',
])
if is_nat:
rules.append([
'FORWARD',
'-o', self.interface,
'-m', 'conntrack',
'--ctstate', 'RELATED,ESTABLISHED',
'-s', network_address,
'-j', 'ACCEPT',
])
else:
rules.append([
'FORWARD',
'-o', self.interface,
'-s', network_address,
'-j', 'ACCEPT',
])
interfaces = set()
interfaces6 = set()
link_svr_networks = []
for link_svr in self.server.iter_links(fields=('_id', 'network',
'network_start', 'network_end', 'organizations', 'routes',
'links')):
link_svr_networks.append(link_svr.network)
for route in self.server.get_routes(include_hidden=True):
if route['virtual_network'] or not route['nat']:
continue
network_address = route['network']
args_base = ['POSTROUTING', '-t', 'nat']
is6 = ':' in network_address
if is6:
network = network_address
else:
network = utils.parse_network(network_address)[0]
network_obj = ipaddress.IPNetwork(network_address)
if is6:
interface = None
for route_net, route_intf in routes6:
if network_obj in route_net:
interface = route_intf
break
if not interface:
logger.info(
'Failed to find interface for local ' + \
'IPv6 network route, using default route',
'server',
server_id=self.server.id,
network=network,
)
interface = default_interface6
interfaces6.add(interface)
else:
interface = None
for route_net, route_intf in routes:
if network_obj in route_net:
interface = route_intf
break
if not interface:
logger.info(
'Failed to find interface for local ' + \
'network route, using default route',
'server',
server_id=self.server.id,
network=network,
)
interface = default_interface
interfaces.add(interface)
if network != '0.0.0.0' and network != '::/0':
args_base += ['-d', network_address]
args_base += [
'-o', interface,
'-j', 'MASQUERADE',
]
if is6:
rules6.append(args_base + ['-s', self.server.network6])
else:
rules.append(args_base + ['-s', self.server.network])
for link_svr_net in link_svr_networks:
if ':' in link_svr_net:
rules6.append(args_base + ['-s', link_svr_net])
else:
rules.append(args_base + ['-s', link_svr_net])
if route_all:
for interface in interfaces:
rules.append([
'FORWARD',
'-i', interface,
'-o', self.interface,
'-m', 'state',
'--state', 'ESTABLISHED,RELATED',
'-j', 'ACCEPT',
])
rules.append([
'FORWARD',
'-i', self.interface,
'-o', interface,
'-m', 'state',
'--state', 'ESTABLISHED,RELATED',
'-j', 'ACCEPT',
])
for interface in interfaces6:
if self.server.ipv6 and self.server.ipv6_firewall and \
settings.local.host.routed_subnet6 and \
interface == default_interface6:
continue
rules6.append([
'FORWARD',
'-i', interface,
'-o', self.interface,
'-m', 'state',
'--state', 'ESTABLISHED,RELATED',
'-j', 'ACCEPT',
])
rules6.append([
'FORWARD',
'-i', self.interface,
'-o', interface,
'-m', 'state',
'--state', 'ESTABLISHED,RELATED',
'-j', 'ACCEPT',
])
extra_args = [
'-m', 'comment',
'--comment', 'pritunl_%s' % self.server.id,
]
if settings.local.iptables_wait:
extra_args.append('--wait')
rules = [x + extra_args for x in rules]
rules6 = [x + extra_args for x in rules6]
return rules, rules6
def generate_iptables_rules(self):
server_addr = utils.get_network_gateway(self.server.network)
server_addr6 = utils.get_network_gateway(self.server.network6)
ipv6_firewall = self.server.ipv6_firewall and \
settings.local.host.routed_subnet6
self.iptables.id = self.server.id
self.iptables.ipv6 = self.server.ipv6
self.iptables.server_addr = server_addr
self.iptables.server_addr6 = server_addr6
self.iptables.virt_interface = self.interface
self.iptables.virt_network = self.server.network
self.iptables.virt_network6 = self.server.network6
self.iptables.ipv6_firewall = ipv6_firewall
self.iptables.inter_client = self.server.inter_client
try:
routes_output = utils.check_output_logged(['route', '-n'])
except subprocess.CalledProcessError:
logger.exception('Failed to get IP routes', 'server',
server_id=self.server.id,
)
raise
routes = []
default_interface = None
for line in routes_output.splitlines():
line_split = line.split()
if len(line_split) < 8 or not re.match(IP_REGEX, line_split[0]):
continue
if line_split[0] not in routes:
if line_split[0] == '0.0.0.0':
if default_interface:
continue
default_interface = line_split[7]
routes.append((
ipaddress.IPNetwork('%s/%s' % (line_split[0],
utils.subnet_to_cidr(line_split[2]))),
line_split[7]
))
routes.reverse()
if not default_interface:
raise IptablesError('Failed to find default network interface')
routes6 = []
default_interface6 = None
if self.server.ipv6:
try:
routes_output = utils.check_output_logged(
['route', '-n', '-A', 'inet6'])
except subprocess.CalledProcessError:
logger.exception('Failed to get IPv6 routes', 'server',
server_id=self.server.id,
)
raise
for line in routes_output.splitlines():
line_split = line.split()
if len(line_split) < 7:
continue
try:
route_network = ipaddress.IPv6Network(line_split[0])
except (ipaddress.AddressValueError, ValueError):
continue
if line_split[0] == '::/0':
if default_interface6:
continue
default_interface6 = line_split[6]
routes6.append((
route_network,
line_split[6],
))
if not default_interface6:
raise IptablesError(
'Failed to find default IPv6 network interface')
if default_interface6 == 'lo':
logger.error('Failed to find default IPv6 interface',
'server',
server_id=self.server.id,
)
routes6.reverse()
interfaces = set()
interfaces6 = set()
for route in self.server.get_routes(
include_hidden=True,
include_server_links=True,
include_default=True,
):
if route['virtual_network'] or route['link_virtual_network']:
self.iptables.add_nat_network(route['network'])
if route['virtual_network']:
continue
network = route['network']
is6 = ':' in network
network_obj = ipaddress.IPNetwork(network)
interface = route['nat_interface']
if is6:
if not interface:
for route_net, route_intf in routes6:
if network_obj in route_net:
interface = route_intf
break
if not interface:
logger.info(
'Failed to find interface for local ' + \
'IPv6 network route, using default route',
'server',
server_id=self.server.id,
network=network,
)
interface = default_interface6
interfaces6.add(interface)
else:
if not interface:
for route_net, route_intf in routes:
if network_obj in route_net:
interface = route_intf
break
if not interface:
logger.info(
'Failed to find interface for local ' + \
'network route, using default route',
'server',
server_id=self.server.id,
network=network,
)
interface = default_interface
interfaces.add(interface)
self.iptables.add_route(
network,
nat=route['nat'],
nat_interface=interface,
)
self.iptables.generate()
def generate_ovpn_conf(self):
logger.debug('Generating server ovpn conf', 'server',
server_id=self.server.id,
)
if not self.server.primary_organization or \
not self.server.primary_user:
self.server.create_primary_user()
if self.server.primary_organization not in self.server.organizations:
self.server.remove_primary_user()
self.server.create_primary_user()
primary_org = organization.get_by_id(self.server.primary_organization)
if not primary_org:
self.server.create_primary_user()
primary_org = organization.get_by_id(
id=self.server.primary_organization)
self.primary_user = primary_org.get_user(self.server.primary_user)
if not self.primary_user:
self.server.create_primary_user()
primary_org = organization.get_by_id(
id=self.server.primary_organization)
self.primary_user = primary_org.get_user(self.server.primary_user)
gateway = utils.get_network_gateway(self.server.network)
gateway6 = utils.get_network_gateway(self.server.network6)
push = ''
routes = []
for route in self.server.get_routes(include_default=False):
routes.append(route['network'])
if route['virtual_network']:
continue
network = route['network']
if not route.get('network_link'):
if ':' in network:
push += 'push "route-ipv6 %s "\n' % network
else:
push += 'push "route %s %s"\n' % utils.parse_network(
network)
else:
if ':' in network:
push += 'route-ipv6 %s %s\n' % (network, gateway6)
else:
push += 'route %s %s %s\n' % (utils.parse_network(
network) + (gateway,))
for link_svr in self.server.iter_links(fields=(
'_id', 'network', 'local_networks', 'network_start',
'network_end', 'organizations', 'routes', 'links', 'ipv6')):
if self.server.id < link_svr.id:
for route in link_svr.get_routes(include_default=False):
network = route['network']
if ':' in network:
push += 'route-ipv6 %s %s\n' % (
network, gateway6)
else:
push += 'route %s %s %s\n' % (utils.parse_network(
network) + (gateway,))
if self.server.network_mode == BRIDGE:
host_int_data = self.host_interface_data
host_address = host_int_data['address']
host_netmask = host_int_data['netmask']
server_line = 'server-bridge %s %s %s %s' % (
host_address,
host_netmask,
self.server.network_start,
self.server.network_end,
)
else:
server_line = 'server %s %s' % utils.parse_network(
self.server.network)
if self.server.ipv6:
server_line += '\nserver-ipv6 ' + self.server.network6
if self.server.protocol == 'tcp':
if self.server.ipv6 or settings.vpn.ipv6:
protocol = 'tcp6-server'
else:
protocol = 'tcp-server'
elif self.server.protocol == 'udp':
if self.server.ipv6 or settings.vpn.ipv6:
protocol = 'udp6'
else:
protocol = 'udp'
else:
raise ValueError('Unknown protocol')
server_conf = OVPN_INLINE_SERVER_CONF % (
self.server.port,
protocol,
self.interface,
server_line,
self.management_socket_path,
self.server.max_clients,
self.server.ping_interval,
self.server.ping_timeout + 20,
self.server.ping_interval,
self.server.ping_timeout,
CIPHERS[self.server.cipher],
HASHES[self.server.hash],
4 if self.server.debug else 1,
8 if self.server.debug else 3,
)
if self.server.bind_address:
server_conf += 'local %s\n' % self.server.bind_address
if self.server.inter_client:
server_conf += 'client-to-client\n'
if self.server.multi_device:
server_conf += 'duplicate-cn\n'
if self.server.protocol == 'udp':
server_conf += 'replay-window 128\n'
# Pritunl v0.10.x did not include comp-lzo in client conf
# if lzo_compression is adaptive dont include comp-lzo in server conf
if self.server.lzo_compression == ADAPTIVE:
pass
elif self.server.lzo_compression:
server_conf += 'comp-lzo yes\npush "comp-lzo yes"\n'
else:
server_conf += 'comp-lzo no\npush "comp-lzo no"\n'
server_conf += JUMBO_FRAMES[self.server.jumbo_frames]
if push:
server_conf += push
if self.server.debug:
self.server.output.push_message('Server conf:')
for conf_line in server_conf.split('\n'):
if conf_line:
self.server.output.push_message(' ' + conf_line)
if settings.local.sub_plan == 'enterprise':
returns = plugins.caller(
'server_config',
host_id=settings.local.host_id,
host_name=settings.local.host.name,
server_id=self.server.id,
server_name=self.server.name,
port=self.server.port,
protocol=self.server.protocol,
ipv6=self.server.ipv6,
ipv6_firewall=self.server.ipv6_firewall,
network=self.server.network,
network6=self.server.network6,
network_mode=self.server.network_mode,
network_start=self.server.network_start,
network_stop=self.server.network_end,
restrict_routes=self.server.restrict_routes,
bind_address=self.server.bind_address,
onc_hostname=self.server.onc_hostname,
dh_param_bits=self.server.dh_param_bits,
multi_device=self.server.multi_device,
dns_servers=self.server.dns_servers,
search_domain=self.server.search_domain,
otp_auth=self.server.otp_auth,
cipher=self.server.cipher,
hash=self.server.hash,
inter_client=self.server.inter_client,
ping_interval=self.server.ping_interval,
ping_timeout=self.server.ping_timeout,
link_ping_interval=self.server.link_ping_interval,
link_ping_timeout=self.server.link_ping_timeout,
max_clients=self.server.max_clients,
replica_count=self.server.replica_count,
dns_mapping=self.server.dns_mapping,
debug=self.server.debug,
routes=routes,
)
if returns:
for return_val in returns:
if not return_val:
continue
server_conf += return_val.strip() + '/n'
server_conf += '<ca>\n%s\n</ca>\n' % self.server.ca_certificate
if self.server.tls_auth:
server_conf += 'key-direction 0\n<tls-auth>\n%s\n</tls-auth>\n' % (
self.server.tls_auth_key)
server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
self.primary_user.certificate)
server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params
with open(self.ovpn_conf_path, 'w') as ovpn_conf:
os.chmod(self.ovpn_conf_path, 0600)
ovpn_conf.write(server_conf)
def generate_client_conf(self, platform, client_id, virt_address,
user, reauth):
from pritunl.server.utils import get_by_id
client_conf = ''
if user.link_server_id:
link_usr_svr = get_by_id(user.link_server_id,
fields=('_id', 'network', 'network_start',
'network_end', 'local_networks'))
client_conf += 'iroute %s %s\n' % utils.parse_network(
link_usr_svr.network)
for local_network in link_usr_svr.local_networks:
if ':' in local_network:
client_conf += 'iroute-ipv6 %s\n' % local_network
else:
client_conf += 'iroute %s %s\n' % utils.parse_network(
local_network)
else:
if self.server.mode == ALL_TRAFFIC:
if platform == 'ios':
client_conf += 'push "route 0.0.0.0 128.0.0.0"\n'
client_conf += 'push "route 128.0.0.0 128.0.0.0"\n'
else:
client_conf += 'push "redirect-gateway def1"\n'
if self.server.ipv6:
if platform != 'ios':
client_conf += 'push "redirect-gateway-ipv6 def1"\n'
client_conf += 'push "route-ipv6 2000::/3"\n'
if self.server.dns_mapping:
client_conf += 'push "dhcp-option DNS %s"\n' % (
utils.get_network_gateway(self.server.network))
for dns_server in self.server.dns_servers:
client_conf += 'push "dhcp-option DNS %s"\n' % dns_server
if self.server.search_domain:
client_conf += 'push "dhcp-option DOMAIN %s"\n' % (
self.server.search_domain)
client_conf += 'push "ip-win32 dynamic 0 3600"\n'
network_links = user.get_network_links()
for network_link in network_links:
if self.reserve_iroute(client_id, network_link, True):
if ':' in network_link:
client_conf += 'iroute-ipv6 %s\n' % network_link
else:
client_conf += 'iroute %s %s\n' % \
utils.parse_network(network_link)
if network_links and not reauth:
thread = threading.Thread(target=self.iroute_ping_thread,
args=(client_id, virt_address.split('/')[0]))
thread.daemon = True
thread.start()
for network_link in self.server.network_links:
if ':' in network_link:
client_conf += 'push "route-ipv6 %s"\n' % network_link
else:
client_conf += 'push "route %s %s"\n' % (
utils.parse_network(network_link))
for link_svr in self.server.iter_links(fields=(
'_id', 'network', 'local_networks', 'network_start',
'network_end')):
client_conf += 'push "route %s %s"\n' % utils.parse_network(
link_svr.network)
for local_network in link_svr.local_networks:
if ':' in local_network:
client_conf += 'push "route-ipv6 %s"\n' % (
local_network)
else:
client_conf += 'push "route %s %s"\n' % (
utils.parse_network(local_network))
return client_conf
