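def generate_client_conf(self):
    """Write the inline OpenVPN client conf for this server link.

    Acquires a tun interface (stored on ``self.interface``), renders
    ``OVPN_INLINE_LINK_CONF`` against the linked server and appends the
    linked server's CA, its tls-auth key when enabled, and the link user's
    certificate and private key. The file is created under
    ``self._temp_path`` with mode 0600 from the moment it exists because it
    carries the private key.

    Returns:
        Path of the written ``.ovpn`` file (``self._temp_path`` joined
        with ``OVPN_CONF_NAME``).
    """
    if not os.path.exists(self._temp_path):
        os.makedirs(self._temp_path)
    ovpn_conf_path = os.path.join(self._temp_path, OVPN_CONF_NAME)

    self.interface = utils.tun_interface_acquire()

    if self.linked_host:
        remotes = 'remote %s %s' % (
            self.host.link_addr,
            self.linked_server.port,
        )
    else:
        remotes = self.linked_server.get_key_remotes(True)

    # NOTE(review): cipher and debug level are read from self.server while
    # protocol, remotes and ping settings come from self.linked_server; both
    # ends of a link must agree on the cipher, so confirm the two servers
    # are kept in sync by the caller.
    client_conf = OVPN_INLINE_LINK_CONF % (
        uuid.uuid4().hex,
        utils.random_name(),
        self.interface,
        self.linked_server.protocol,
        remotes,
        CIPHERS[self.server.cipher],
        4 if self.server.debug else 1,
        8 if self.server.debug else 3,
        self.linked_server.ping_interval,
        self.linked_server.ping_timeout,
    )

    if self.linked_server.lzo_compression != ADAPTIVE:
        client_conf += 'comp-lzo no\n'

    # The debug copy of the conf is pushed before any key material is
    # appended, so certificates and the private key never reach the link
    # output.
    if self.server.debug:
        self.server.output_link.push_message(
            'Server conf:',
            label=self.output_label,
            link_server_id=self.linked_server.id,
        )
        for conf_line in client_conf.split('\n'):
            if conf_line:
                self.server.output_link.push_message(
                    '  ' + conf_line,
                    label=self.output_label,
                    link_server_id=self.linked_server.id,
                )

    client_conf += JUMBO_FRAMES[self.linked_server.jumbo_frames]
    client_conf += '<ca>\n%s\n</ca>\n' % self.linked_server.ca_certificate
    if self.linked_server.tls_auth:
        client_conf += 'key-direction 1\n<tls-auth>\n%s\n</tls-auth>\n' % (
            self.linked_server.tls_auth_key)
    client_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
        self.user.certificate)
    client_conf += '<key>\n%s\n</key>\n' % (self.user.private_key.strip())

    # Create the file with mode 0600 at creation time. Opening with a plain
    # open() and chmod'ing afterwards leaves a window in which the still
    # empty file exists with umask permissions; another local user who
    # opens it in that window keeps a readable descriptor and can read the
    # private key written below. The chmod is kept so a pre-existing file
    # is tightened as before.
    fd = os.open(ovpn_conf_path,
        os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as ovpn_conf:
        os.chmod(ovpn_conf_path, 0o600)
        ovpn_conf.write(client_conf)

    return ovpn_conf_path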
def _generate_conf(self, server, include_user_cert=True):
    """Build this user's inline OpenVPN client conf for *server*.

    On first use a ``sync_token``/``sync_secret`` pair is generated and
    committed on the user. The conf is rendered from
    ``OVPN_INLINE_CLIENT_CONF`` plus the server's CA certificate and, when
    ``include_user_cert`` is true, the tls-auth key, user certificate and
    private key.

    Args:
        server: server object the conf is generated for.
        include_user_cert: when false the returned conf stops after the
            ``<ca>`` block and carries no user key material.

    Returns:
        ``(file_name, client_conf, conf_hash)`` where ``file_name`` is
        ``<org>_<user>_<server>.ovpn``, ``client_conf`` is the conf text and
        ``conf_hash`` is the hex digest described below.
    """
    if not self.sync_token or not self.sync_secret:
        self.sync_token = utils.generate_secret()
        self.sync_secret = utils.generate_secret()
        self.commit(('sync_token', 'sync_secret'))

    file_name = '%s_%s_%s.ovpn' % (
        self.org.name, self.name, server.name)

    if not server.ca_certificate:
        server.generate_ca_cert()
    key_remotes = server.get_key_remotes()
    ca_certificate = server.ca_certificate
    certificate = utils.get_cert_block(self.certificate)
    private_key = self.private_key.strip()

    # conf_hash is a fingerprint over the settings that shape the conf so a
    # changed configuration yields a different digest; it is built from
    # non-secret inputs only (no key material) and is not a security
    # primitive, which is why md5 is acceptable here.
    conf_hash = hashlib.md5()
    conf_hash.update(self.name.encode('utf-8'))
    conf_hash.update(self.org.name.encode('utf-8'))
    conf_hash.update(server.name.encode('utf-8'))
    conf_hash.update(server.protocol)
    # Remotes are sorted so their order does not affect the digest.
    for key_remote in sorted(key_remotes):
        conf_hash.update(key_remote)
    conf_hash.update(CIPHERS[server.cipher])
    conf_hash.update(str(server.lzo_compression))
    conf_hash.update(str(server.otp_auth))
    conf_hash.update(JUMBO_FRAMES[server.jumbo_frames])
    conf_hash.update(ca_certificate)
    conf_hash = conf_hash.hexdigest()

    client_conf = OVPN_INLINE_CLIENT_CONF % (
        self._get_key_info_str(server, conf_hash),
        uuid.uuid4().hex,
        utils.random_name(),
        server.protocol,
        server.get_key_remotes(),
        CIPHERS[server.cipher],
        server.ping_interval,
        server.ping_timeout,
    )

    if server.lzo_compression != ADAPTIVE:
        client_conf += 'comp-lzo no\n'
    if server.otp_auth:
        client_conf += 'auth-user-pass\n'
    # NOTE(review): key-direction is emitted whenever tls_auth is on, but
    # the matching <tls-auth> block below is only added when
    # include_user_cert is true; confirm the include_user_cert=False conf
    # is completed with the key elsewhere.
    if server.tls_auth:
        client_conf += 'key-direction 1\n'
    client_conf += JUMBO_FRAMES[server.jumbo_frames]
    client_conf += '<ca>\n%s\n</ca>\n' % ca_certificate
    if include_user_cert:
        if server.tls_auth:
            client_conf += '<tls-auth>\n%s\n</tls-auth>\n' % (
                server.tls_auth_key)
        client_conf += '<cert>\n%s\n</cert>\n' % certificate
        client_conf += '<key>\n%s\n</key>\n' % private_key

    return file_name, client_conf, conf_hash
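def generate_client_conf(self):
    """Write the inline OpenVPN client conf for this server link.

    Acquires a tun interface (stored on ``self.interface``), renders
    ``OVPN_INLINE_LINK_CONF`` and appends the CA certificate, the tls-auth
    key when enabled, and the link user's certificate and private key. The
    file is created under ``self._temp_path`` with mode 0600 from the
    moment it exists because it carries the private key.

    Returns:
        Path of the written ``.ovpn`` file (``self._temp_path`` joined
        with ``OVPN_CONF_NAME``).
    """
    if not os.path.exists(self._temp_path):
        os.makedirs(self._temp_path)
    ovpn_conf_path = os.path.join(self._temp_path, OVPN_CONF_NAME)

    self.interface = utils.tun_interface_acquire()

    if self.linked_host:
        remotes = 'remote %s %s' % (
            self.host.link_address or self.host.public_address,
            self.linked_server.port,
        )
    else:
        remotes = self.linked_server.get_key_remotes(True)

    # NOTE(review): protocol and remotes come from self.linked_server, while
    # cipher, compression, otp_auth, CA and tls-auth key are read from
    # self.server; the remote end validates against its own CA and cipher,
    # so confirm the two servers are kept in sync by the caller.
    client_conf = OVPN_INLINE_LINK_CONF % (
        self.interface,
        self.linked_server.protocol,
        remotes,
        CIPHERS[self.server.cipher],
        4 if self.server.debug else 1,
        8 if self.server.debug else 3,
    )

    if self.server.lzo_compression != ADAPTIVE:
        client_conf += 'comp-lzo no\n'
    if self.server.otp_auth:
        client_conf += 'auth-user-pass\n'
    client_conf += JUMBO_FRAMES[self.server.jumbo_frames]
    client_conf += '<ca>\n%s\n</ca>\n' % utils.get_cert_block(
        self.server.ca_certificate)
    if self.server.tls_auth:
        client_conf += '<tls-auth>\n%s\n</tls-auth>\n' % (
            self.server.tls_auth_key)
    client_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
        self.user.certificate)
    client_conf += '<key>\n%s\n</key>\n' % (
        self.user.private_key.strip())

    # Create the file with mode 0600 at creation time. Opening with a plain
    # open() and chmod'ing afterwards leaves a window in which the still
    # empty file exists with umask permissions; another local user who
    # opens it in that window keeps a readable descriptor and can read the
    # private key written below. The chmod is kept so a pre-existing file
    # is tightened as before.
    fd = os.open(ovpn_conf_path,
        os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as ovpn_conf:
        os.chmod(ovpn_conf_path, 0o600)
        ovpn_conf.write(client_conf)

    return ovpn_conf_path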
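def build_key_archive(self):
    """Build a tar archive holding one inline ``.ovpn`` conf per server.

    A fresh temp directory from ``utils.get_temp_path()`` is created, one
    conf per server in ``self.org.iter_servers()`` is written into it and
    added to ``<user id>.tar`` under the name ``<org>_<user>_<server>.ovpn``,
    the archive is read back and the temp directory is removed. Every conf
    embeds this user's certificate and private key, so the directory is
    created owner-only and each file is created with mode 0600.

    Returns:
        The raw bytes of the tar archive (read back with mode ``'r'``).
    """
    temp_path = utils.get_temp_path()
    key_archive_path = os.path.join(temp_path, '%s.tar' % self.id)

    try:
        # Owner-only directory: nothing else uses it and it is removed in
        # the finally below, so other local users never get to traverse
        # into the confs or the tar (both contain the private key).
        os.makedirs(temp_path, 0o700)

        tar_file = tarfile.open(key_archive_path, 'w')
        try:
            for server in self.org.iter_servers():
                server_conf_path = os.path.join(
                    temp_path, '%s_%s.ovpn' % (self.id, server.id))
                server_conf_arcname = '%s_%s_%s.ovpn' % (
                    self.org.name, self.name, server.name)
                server.generate_ca_cert()

                client_conf = OVPN_INLINE_CLIENT_CONF % (
                    self._get_key_info_str(
                        self.name, self.org.name, server.name),
                    server.protocol,
                    server.public_address,
                    server.port,
                )

                if server.otp_auth:
                    client_conf += 'auth-user-pass\n'

                client_conf += '<ca>\n%s\n</ca>\n' % utils.get_cert_block(
                    server.ca_certificate)
                client_conf += '<cert>\n%s\n</cert>\n' % (
                    utils.get_cert_block(self.certificate))
                client_conf += '<key>\n%s\n</key>\n' % (
                    self.private_key.strip())

                # Create with 0600 at creation time rather than open() then
                # chmod, so the file never exists with umask permissions;
                # the chmod is kept so an existing file is tightened too.
                fd = os.open(server_conf_path,
                    os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
                with os.fdopen(fd, 'w') as ovpn_conf:
                    os.chmod(server_conf_path, 0o600)
                    ovpn_conf.write(client_conf)

                tar_file.add(server_conf_path, arcname=server_conf_arcname)
                os.remove(server_conf_path)
        finally:
            tar_file.close()

        with open(key_archive_path, 'r') as archive_file:
            key_archive = archive_file.read()
    finally:
        utils.rmtree(temp_path)

    return key_archive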
def _generate_conf(self, server, include_user_cert=True):
    """Build this user's inline OpenVPN client conf for *server*.

    Regenerates the server's CA certificate, renders
    ``OVPN_INLINE_CLIENT_CONF`` and appends the CA block and, when
    ``include_user_cert`` is true, the tls-auth key, user certificate and
    private key.

    Args:
        server: server object the conf is generated for.
        include_user_cert: when false the returned conf stops after the
            ``<ca>`` block and carries no user key material.

    Returns:
        ``(file_name, client_conf, conf_hash)`` where ``file_name`` is
        ``<org>_<user>_<server>.ovpn``, ``client_conf`` is the conf text and
        ``conf_hash`` is the hex digest described below.
    """
    file_name = '%s_%s_%s.ovpn' % (
        self.org.name, self.name, server.name)

    server.generate_ca_cert()
    key_remotes = server.get_key_remotes()
    ca_certificate = utils.get_cert_block(server.ca_certificate)
    certificate = utils.get_cert_block(self.certificate)
    private_key = self.private_key.strip()

    # conf_hash is a fingerprint over the settings that shape the conf so a
    # changed configuration yields a different digest; it is built from
    # non-secret inputs only (no key material) and is not a security
    # primitive, which is why md5 is acceptable here.
    conf_hash = hashlib.md5()
    conf_hash.update(self.name)
    conf_hash.update(self.org.name)
    conf_hash.update(server.name)
    conf_hash.update(server.protocol)
    # Remotes are sorted so their order does not affect the digest.
    for key_remote in sorted(key_remotes):
        conf_hash.update(key_remote)
    conf_hash.update(CIPHERS[server.cipher])
    conf_hash.update(str(server.lzo_compression))
    conf_hash.update(str(server.otp_auth))
    conf_hash.update(JUMBO_FRAMES[server.jumbo_frames])
    conf_hash.update(ca_certificate)
    conf_hash = conf_hash.hexdigest()

    client_conf = OVPN_INLINE_CLIENT_CONF % (
        self._get_key_info_str(server.name, conf_hash),
        server.protocol,
        server.get_key_remotes(),
        CIPHERS[server.cipher],
    )

    if server.lzo_compression != ADAPTIVE:
        client_conf += 'comp-lzo no\n'
    if server.otp_auth:
        client_conf += 'auth-user-pass\n'
    client_conf += JUMBO_FRAMES[server.jumbo_frames]
    client_conf += '<ca>\n%s\n</ca>\n' % ca_certificate
    if include_user_cert:
        if server.tls_auth:
            client_conf += '<tls-auth>\n%s\n</tls-auth>\n' % (
                server.tls_auth_key)
        client_conf += '<cert>\n%s\n</cert>\n' % certificate
        client_conf += '<key>\n%s\n</key>\n' % private_key

    return file_name, client_conf, conf_hash
def _generate_conf(self, server, include_user_cert=True):
    """Build this user's inline OpenVPN client conf for *server*.

    On first use a ``sync_token``/``sync_secret`` pair is generated and
    committed on the user. The conf is rendered from
    ``OVPN_INLINE_CLIENT_CONF`` plus the server's CA certificate and, when
    ``include_user_cert`` is true, the tls-auth key, user certificate and
    private key.

    Args:
        server: server object the conf is generated for.
        include_user_cert: when false the returned conf stops after the
            ``<ca>`` block and carries no user key material.

    Returns:
        ``(file_name, client_conf, conf_hash)`` where ``file_name`` is
        ``<org>_<user>_<server>.ovpn``, ``client_conf`` is the conf text and
        ``conf_hash`` is the hex digest described below.
    """
    if not self.sync_token or not self.sync_secret:
        self.sync_token = utils.generate_secret()
        self.sync_secret = utils.generate_secret()
        self.commit(('sync_token', 'sync_secret'))

    file_name = '%s_%s_%s.ovpn' % (self.org.name, self.name, server.name)

    if not server.ca_certificate:
        server.generate_ca_cert()
    key_remotes = server.get_key_remotes()
    ca_certificate = server.ca_certificate
    certificate = utils.get_cert_block(self.certificate)
    private_key = self.private_key.strip()

    # conf_hash is a fingerprint over the settings that shape the conf so a
    # changed configuration yields a different digest; it is built from
    # non-secret inputs only (no key material) and is not a security
    # primitive, which is why md5 is acceptable here.
    conf_hash = hashlib.md5()
    conf_hash.update(self.name)
    conf_hash.update(self.org.name)
    conf_hash.update(server.name)
    conf_hash.update(server.protocol)
    # Remotes are sorted so their order does not affect the digest.
    for key_remote in sorted(key_remotes):
        conf_hash.update(key_remote)
    conf_hash.update(CIPHERS[server.cipher])
    conf_hash.update(str(server.lzo_compression))
    conf_hash.update(str(server.otp_auth))
    conf_hash.update(JUMBO_FRAMES[server.jumbo_frames])
    conf_hash.update(ca_certificate)
    conf_hash = conf_hash.hexdigest()

    client_conf = OVPN_INLINE_CLIENT_CONF % (
        self._get_key_info_str(server, conf_hash),
        uuid.uuid4().hex,
        utils.random_name(),
        server.protocol,
        server.get_key_remotes(),
        CIPHERS[server.cipher],
        server.ping_interval,
        server.ping_timeout,
    )

    if server.lzo_compression != ADAPTIVE:
        client_conf += 'comp-lzo no\n'
    if server.otp_auth:
        client_conf += 'auth-user-pass\n'
    # NOTE(review): key-direction is emitted whenever tls_auth is on, but
    # the matching <tls-auth> block below is only added when
    # include_user_cert is true; confirm the include_user_cert=False conf
    # is completed with the key elsewhere.
    if server.tls_auth:
        client_conf += 'key-direction 1\n'
    client_conf += JUMBO_FRAMES[server.jumbo_frames]
    client_conf += '<ca>\n%s\n</ca>\n' % ca_certificate
    if include_user_cert:
        if server.tls_auth:
            client_conf += '<tls-auth>\n%s\n</tls-auth>\n' % (
                server.tls_auth_key)
        client_conf += '<cert>\n%s\n</cert>\n' % certificate
        client_conf += '<key>\n%s\n</key>\n' % private_key

    return file_name, client_conf, conf_hash
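def generate_client_conf(self):
    """Write the inline OpenVPN client conf for this server link.

    Acquires a tun interface (stored on ``self.interface``), renders
    ``OVPN_INLINE_LINK_CONF`` against the linked server and appends the
    linked server's CA, its tls-auth key when enabled, and the link user's
    certificate and private key. The file is created under
    ``self._temp_path`` with mode 0600 from the moment it exists because it
    carries the private key.

    Returns:
        Path of the written ``.ovpn`` file (``self._temp_path`` joined
        with ``OVPN_CONF_NAME``).
    """
    if not os.path.exists(self._temp_path):
        os.makedirs(self._temp_path)
    ovpn_conf_path = os.path.join(self._temp_path, OVPN_CONF_NAME)

    self.interface = utils.tun_interface_acquire()

    if self.linked_host:
        remotes = 'remote %s %s' % (
            self.host.link_addr,
            self.linked_server.port,
        )
    else:
        remotes = self.linked_server.get_key_remotes(True)

    # NOTE(review): cipher and debug level are read from self.server while
    # protocol and remotes come from self.linked_server; both ends of a
    # link must agree on the cipher, so confirm the two servers are kept in
    # sync by the caller.
    client_conf = OVPN_INLINE_LINK_CONF % (
        uuid.uuid4().hex,
        utils.random_name(),
        self.interface,
        self.linked_server.protocol,
        remotes,
        CIPHERS[self.server.cipher],
        4 if self.server.debug else 1,
        8 if self.server.debug else 3,
    )

    if self.linked_server.lzo_compression != ADAPTIVE:
        client_conf += 'comp-lzo no\n'

    # The debug copy of the conf is pushed before any key material is
    # appended, so certificates and the private key never reach the link
    # output.
    if self.server.debug:
        self.server.output_link.push_message(
            'Server conf:',
            label=self.output_label,
            link_server_id=self.linked_server.id,
        )
        for conf_line in client_conf.split('\n'):
            if conf_line:
                self.server.output_link.push_message(
                    '  ' + conf_line,
                    label=self.output_label,
                    link_server_id=self.linked_server.id,
                )

    client_conf += JUMBO_FRAMES[self.linked_server.jumbo_frames]
    client_conf += '<ca>\n%s\n</ca>\n' % self.linked_server.ca_certificate
    if self.linked_server.tls_auth:
        client_conf += 'key-direction 1\n<tls-auth>\n%s\n</tls-auth>\n' % (
            self.linked_server.tls_auth_key)
    client_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
        self.user.certificate)
    client_conf += '<key>\n%s\n</key>\n' % (
        self.user.private_key.strip())

    # Create the file with mode 0600 at creation time. Opening with a plain
    # open() and chmod'ing afterwards leaves a window in which the still
    # empty file exists with umask permissions; another local user who
    # opens it in that window keeps a readable descriptor and can read the
    # private key written below. The chmod is kept so a pre-existing file
    # is tightened as before.
    fd = os.open(ovpn_conf_path,
        os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as ovpn_conf:
        os.chmod(ovpn_conf_path, 0o600)
        ovpn_conf.write(client_conf)

    return ovpn_conf_path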
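def build_key_archive(self):
    """Build a tar archive holding one inline ``.ovpn`` conf per server.

    A fresh temp directory from ``utils.get_temp_path()`` is created, one
    conf per server in ``self.org.iter_servers()`` is written into it and
    added to ``<user id>.tar`` under the name ``<org>_<user>_<server>.ovpn``,
    the archive is read back and the temp directory is removed. Every conf
    embeds this user's certificate and private key, so the directory is
    created owner-only and each file is created with mode 0600.

    Returns:
        The raw bytes of the tar archive (read back with mode ``'r'``).
    """
    temp_path = utils.get_temp_path()
    key_archive_path = os.path.join(temp_path, '%s.tar' % self.id)

    try:
        # Owner-only directory: nothing else uses it and it is removed in
        # the finally below, so other local users never get to traverse
        # into the confs or the tar (both contain the private key).
        os.makedirs(temp_path, 0o700)

        tar_file = tarfile.open(key_archive_path, 'w')
        try:
            for server in self.org.iter_servers():
                server_conf_path = os.path.join(temp_path,
                    '%s_%s.ovpn' % (self.id, server.id))
                server_conf_arcname = '%s_%s_%s.ovpn' % (
                    self.org.name, self.name, server.name)
                server.generate_ca_cert()

                client_conf = OVPN_INLINE_CLIENT_CONF % (
                    self._get_key_info_str(
                        self.name, self.org.name, server.name),
                    server.protocol,
                    server.public_address,
                    server.port,
                )

                if server.otp_auth:
                    client_conf += 'auth-user-pass\n'

                client_conf += '<ca>\n%s\n</ca>\n' % utils.get_cert_block(
                    server.ca_certificate)
                client_conf += '<cert>\n%s\n</cert>\n' % (
                    utils.get_cert_block(self.certificate))
                client_conf += '<key>\n%s\n</key>\n' % (
                    self.private_key.strip())

                # Create with 0600 at creation time rather than open() then
                # chmod, so the file never exists with umask permissions;
                # the chmod is kept so an existing file is tightened too.
                fd = os.open(server_conf_path,
                    os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
                with os.fdopen(fd, 'w') as ovpn_conf:
                    os.chmod(server_conf_path, 0o600)
                    ovpn_conf.write(client_conf)

                tar_file.add(server_conf_path, arcname=server_conf_arcname)
                os.remove(server_conf_path)
        finally:
            tar_file.close()

        with open(key_archive_path, 'r') as archive_file:
            key_archive = archive_file.read()
    finally:
        utils.rmtree(temp_path)

    return key_archive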
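def generate_client_conf(self):
    """Write the inline OpenVPN client conf for this server link.

    Acquires an interface of the linked server's adapter type (stored on
    ``self.interface``), renders ``OVPN_INLINE_LINK_CONF`` against the
    linked server and appends its CA, its tls-auth key when enabled, and
    the link user's certificate and private key. The file is created under
    ``self._temp_path`` with mode 0600 from the moment it exists because it
    carries the private key.

    Returns:
        Path of the written ``.ovpn`` file (``self._temp_path`` joined
        with ``OVPN_CONF_NAME``).
    """
    if not os.path.exists(self._temp_path):
        os.makedirs(self._temp_path)
    ovpn_conf_path = os.path.join(self._temp_path, OVPN_CONF_NAME)

    self.interface = utils.interface_acquire(
        self.linked_server.adapter_type)

    remotes = self.linked_server.get_key_remotes(True)

    # Only the debug verbosity comes from self.server; cipher, hash,
    # adapter type and remotes are all taken from the linked server.
    client_conf = OVPN_INLINE_LINK_CONF % (
        uuid.uuid4().hex,
        utils.random_name(),
        self.interface,
        self.linked_server.adapter_type,
        remotes,
        CIPHERS[self.linked_server.cipher],
        HASHES[self.linked_server.hash],
        4 if self.server.debug else 1,
        8 if self.server.debug else 3,
        settings.app.host_ping,
        settings.app.host_ping_ttl,
    )

    # The debug copy of the conf is pushed before any key material is
    # appended, so certificates and the private key never reach the link
    # output.
    if self.server.debug:
        self.server.output_link.push_message(
            'Server conf:',
            label=self.output_label,
            link_server_id=self.linked_server.id,
        )
        for conf_line in client_conf.split('\n'):
            if conf_line:
                self.server.output_link.push_message(
                    '  ' + conf_line,
                    label=self.output_label,
                    link_server_id=self.linked_server.id,
                )

    client_conf += JUMBO_FRAMES[self.linked_server.jumbo_frames]
    client_conf += '<ca>\n%s\n</ca>\n' % self.linked_server.ca_certificate
    if self.linked_server.tls_auth:
        client_conf += 'key-direction 1\n<tls-auth>\n%s\n</tls-auth>\n' % (
            self.linked_server.tls_auth_key)
    client_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
        self.user.certificate)
    client_conf += '<key>\n%s\n</key>\n' % (self.user.private_key.strip())

    # Create the file with mode 0600 at creation time. Opening with a plain
    # open() and chmod'ing afterwards leaves a window in which the still
    # empty file exists with umask permissions; another local user who
    # opens it in that window keeps a readable descriptor and can read the
    # private key written below. The chmod is kept so a pre-existing file
    # is tightened as before.
    fd = os.open(ovpn_conf_path,
        os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as ovpn_conf:
        os.chmod(ovpn_conf_path, 0o600)
        ovpn_conf.write(client_conf)

    return ovpn_conf_path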
def build_key_conf(self, server_id):
    """Build the inline ``.ovpn`` client conf for this user on one server.

    Args:
        server_id: id of a server belonging to ``self.org``.

    Returns:
        dict with ``name`` (``<org>_<user>_<server>.ovpn``) and ``conf``,
        the conf text including the server CA certificate, this user's
        certificate and private key.
    """
    server = self.org.get_server(server_id)
    conf_name = '%s_%s_%s.ovpn' % (self.org.name, self.name, server.name)
    server.generate_ca_cert()

    sections = [
        OVPN_INLINE_CLIENT_CONF % (
            self._get_key_info_str(self.name, self.org.name, server.name),
            server.protocol,
            server.public_address,
            server.port,
        ),
    ]
    if server.otp_auth:
        sections.append('auth-user-pass\n')
    sections.append('<ca>\n%s\n</ca>\n' % utils.get_cert_block(
        server.ca_certificate))
    sections.append('<cert>\n%s\n</cert>\n' % utils.get_cert_block(
        self.certificate))
    sections.append('<key>\n%s\n</key>\n' % self.private_key.strip())

    return {
        'name': conf_name,
        'conf': ''.join(sections),
    }
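def generate_client_conf(self):
    """Write the inline OpenVPN client conf for this server link.

    Acquires a tun interface (stored on ``self.interface``), renders
    ``OVPN_INLINE_LINK_CONF`` against the linked server and appends the
    linked server's CA, its tls-auth key when enabled, and the link user's
    certificate and private key. The file is created under
    ``self._temp_path`` with mode 0600 from the moment it exists because it
    carries the private key.

    Returns:
        Path of the written ``.ovpn`` file (``self._temp_path`` joined
        with ``OVPN_CONF_NAME``).
    """
    if not os.path.exists(self._temp_path):
        os.makedirs(self._temp_path)
    ovpn_conf_path = os.path.join(self._temp_path, OVPN_CONF_NAME)

    self.interface = utils.tun_interface_acquire()

    if self.linked_host:
        remotes = 'remote %s %s' % (
            self.host.link_address or self.host.public_address,
            self.linked_server.port,
        )
    else:
        remotes = self.linked_server.get_key_remotes(True)

    # NOTE(review): cipher and debug level are read from self.server while
    # protocol, remotes, compression, CA and tls-auth come from
    # self.linked_server; both ends of a link must agree on the cipher, so
    # confirm the two servers are kept in sync by the caller.
    client_conf = OVPN_INLINE_LINK_CONF % (
        uuid.uuid4().hex,
        utils.random_name(),
        self.interface,
        self.linked_server.protocol,
        remotes,
        CIPHERS[self.server.cipher],
        4 if self.server.debug else 1,
        8 if self.server.debug else 3,
    )

    if self.linked_server.lzo_compression != ADAPTIVE:
        client_conf += 'comp-lzo no\n'
    if self.linked_server.otp_auth:
        client_conf += 'auth-user-pass\n'
    client_conf += JUMBO_FRAMES[self.linked_server.jumbo_frames]
    client_conf += '<ca>\n%s\n</ca>\n' % self.linked_server.ca_certificate
    if self.linked_server.tls_auth:
        client_conf += '<tls-auth>\n%s\n</tls-auth>\n' % (
            self.linked_server.tls_auth_key)
    client_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
        self.user.certificate)
    client_conf += '<key>\n%s\n</key>\n' % (self.user.private_key.strip())

    # Create the file with mode 0600 at creation time. Opening with a plain
    # open() and chmod'ing afterwards leaves a window in which the still
    # empty file exists with umask permissions; another local user who
    # opens it in that window keeps a readable descriptor and can read the
    # private key written below. The chmod is kept so a pre-existing file
    # is tightened as before.
    fd = os.open(ovpn_conf_path,
        os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as ovpn_conf:
        os.chmod(ovpn_conf_path, 0o600)
        ovpn_conf.write(client_conf)

    return ovpn_conf_path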
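def generate_ovpn_conf(self):
    """Write the OpenVPN server conf and its helper scripts for this instance.

    Ensures the server has a primary organization and primary user
    (creating them as needed and storing the user on ``self.primary_user``),
    truncates the auth log, writes the tls-verify, user-pass-verify,
    client-connect and client-disconnect scripts, builds the ``push``
    directives from the server mode, DNS settings and linked servers, then
    renders ``OVPN_INLINE_SERVER_CONF`` with the CA, the primary user's
    certificate and private key and the DH params into
    ``self.ovpn_conf_path`` (mode 0600 from creation).

    Returns:
        None. All output is written to the paths held on ``self``.
    """
    from pritunl.server.utils import get_by_id

    logger.debug('Generating server ovpn conf. %r' % {
        'server_id': self.server.id,
    })

    if not self.server.primary_organization or \
            not self.server.primary_user:
        self.server.create_primary_user()

    primary_org = organization.get_by_id(self.server.primary_organization)
    if not primary_org:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)

    self.primary_user = primary_org.get_user(self.server.primary_user)
    if not self.primary_user:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)
        self.primary_user = primary_org.get_user(self.server.primary_user)

    # Create (or truncate) the auth log with 0600 at creation time instead
    # of open() followed by chmod, so it never exists with umask
    # permissions; the chmod is kept so an existing file is tightened too.
    auth_log_fd = os.open(self.auth_log_path,
        os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.chmod(self.auth_log_path, 0o600)
    finally:
        os.close(auth_log_fd)

    auth_host = settings.conf.bind_addr
    if auth_host == '0.0.0.0':
        auth_host = 'localhost'

    # NOTE(review): each script is rendered with settings.app.server_api_key
    # embedded and is left world-readable (0755), so any local user can read
    # the API key from these files; whether the mode can be tightened
    # depends on the user OpenVPN runs the scripts as — confirm before
    # changing it.
    for script, script_path in (
                (TLS_VERIFY_SCRIPT, self.tls_verify_path),
                (USER_PASS_VERIFY_SCRIPT, self.user_pass_verify_path),
                (CLIENT_CONNECT_SCRIPT, self.client_connect_path),
                (CLIENT_DISCONNECT_SCRIPT, self.client_disconnect_path),
            ):
        with open(script_path, 'w') as script_file:
            os.chmod(script_path, 0o755) # TODO
            script_file.write(script % (
                settings.app.server_api_key,
                self.auth_log_path,
                'https' if settings.conf.ssl else 'http',
                auth_host,
                settings.conf.port,
                self.server.id,
            ))

    push = ''
    if self.server.mode == LOCAL_TRAFFIC:
        for network in self.server.local_networks:
            push += 'push "route %s %s"\n' % utils.parse_network(network)
    elif self.server.mode == VPN_TRAFFIC:
        pass
    else:
        push += 'push "redirect-gateway"\n'
    for dns_server in self.server.dns_servers:
        push += 'push "dhcp-option DNS %s"\n' % dns_server
    if self.server.search_domain:
        push += 'push "dhcp-option DOMAIN %s"\n' % (
            self.server.search_domain)

    for link_doc in self.server.links:
        link_svr = get_by_id(link_doc['server_id'])
        push += 'push "route %s %s"\n' % utils.parse_network(
            link_svr.network)
        for local_network in link_svr.local_networks:
            push += 'push "route %s %s"\n' % utils.parse_network(
                local_network)

    server_conf = OVPN_INLINE_SERVER_CONF % (
        self.server.port,
        self.server.protocol,
        self.interface,
        self.tls_verify_path,
        self.client_connect_path,
        self.client_disconnect_path,
        '%s %s' % utils.parse_network(self.server.network),
        CIPHERS[self.server.cipher],
        self.ovpn_status_path,
        4 if self.server.debug else 1,
        8 if self.server.debug else 3,
    )

    if self.server.bind_address:
        server_conf += 'local %s\n' % self.server.bind_address

    if self.server.otp_auth:
        server_conf += 'auth-user-pass-verify %s via-file\n' % (
            self.user_pass_verify_path)

    # Pritunl v0.10.x did not include comp-lzo in client conf
    # if lzo_compression is adaptive dont include comp-lzo in server conf
    if self.server.lzo_compression == ADAPTIVE:
        pass
    elif self.server.lzo_compression:
        server_conf += 'comp-lzo yes\npush "comp-lzo yes"\n'
    else:
        server_conf += 'comp-lzo no\npush "comp-lzo no"\n'

    if self.server.mode in (LOCAL_TRAFFIC, VPN_TRAFFIC):
        server_conf += 'client-to-client\n'

    server_conf += JUMBO_FRAMES[self.server.jumbo_frames]

    if push:
        server_conf += push

    server_conf += '<ca>\n%s\n</ca>\n' % utils.get_cert_block(
        self.server.ca_certificate)
    server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
        self.primary_user.certificate)
    server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
    server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params

    # Create the conf with mode 0600 at creation time. open() then chmod
    # leaves a window in which the still empty file has umask permissions;
    # a local user who opens it in that window keeps a readable descriptor
    # and can read the private key written below. The chmod is kept so a
    # pre-existing file is tightened as before.
    fd = os.open(self.ovpn_conf_path,
        os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as ovpn_conf:
        os.chmod(self.ovpn_conf_path, 0o600)
        ovpn_conf.write(server_conf)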
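def _generate_ovpn_conf(self):
    """Write the OpenVPN server conf and its helper scripts for this server.

    Ensures a primary organization and primary user exist (creating them as
    needed), writes the tls-verify, user-pass-verify, client-connect and
    client-disconnect scripts under ``self._temp_path``, builds the ``push``
    directives from the server mode and DNS settings, then renders
    ``OVPN_INLINE_SERVER_CONF`` with the CA, the primary user's certificate
    and private key and the DH params into ``OVPN_CONF_NAME`` under
    ``self._temp_path`` (mode 0600 from creation).

    Returns:
        None. All output is written under ``self._temp_path``.
    """
    logger.debug('Generating server ovpn conf. %r' % {
        'server_id': self.id,
    })

    if not self.primary_organization or not self.primary_user:
        self._create_primary_user()

    primary_org = organization.get_org(id=self.primary_organization)
    if not primary_org:
        self._create_primary_user()
        primary_org = organization.get_org(id=self.primary_organization)

    primary_user = primary_org.get_user(self.primary_user)
    if not primary_user:
        self._create_primary_user()
        primary_org = organization.get_org(id=self.primary_organization)
        primary_user = primary_org.get_user(self.primary_user)

    tls_verify_path = os.path.join(self._temp_path, TLS_VERIFY_NAME)
    user_pass_verify_path = os.path.join(self._temp_path,
        USER_PASS_VERIFY_NAME)
    client_connect_path = os.path.join(self._temp_path, CLIENT_CONNECT_NAME)
    client_disconnect_path = os.path.join(self._temp_path,
        CLIENT_DISCONNECT_NAME)
    ovpn_status_path = os.path.join(self._temp_path, OVPN_STATUS_NAME)
    ovpn_conf_path = os.path.join(self._temp_path, OVPN_CONF_NAME)

    auth_host = settings.conf.bind_addr
    if auth_host == '0.0.0.0':
        auth_host = 'localhost'

    # NOTE(review): each script is rendered with settings.app.server_api_key
    # embedded and is left world-readable (0755), so any local user can read
    # the API key from these files; whether the mode can be tightened
    # depends on the user OpenVPN runs the scripts as — confirm before
    # changing it.
    for script, script_path in (
                (TLS_VERIFY_SCRIPT, tls_verify_path),
                (USER_PASS_VERIFY_SCRIPT, user_pass_verify_path),
                (CLIENT_CONNECT_SCRIPT, client_connect_path),
                (CLIENT_DISCONNECT_SCRIPT, client_disconnect_path),
            ):
        with open(script_path, 'w') as script_file:
            os.chmod(script_path, 0o755) # TODO
            script_file.write(script % (
                settings.app.server_api_key,
                '/dev/null', # TODO
                'https' if settings.conf.ssl else 'http',
                auth_host,
                settings.conf.port,
                self.id,
            ))

    push = ''
    if self.mode == LOCAL_TRAFFIC:
        for network in self.local_networks:
            push += 'push "route %s %s"\n' % self._parse_network(network)
    elif self.mode == VPN_TRAFFIC:
        pass
    else:
        push += 'push "redirect-gateway"\n'
    for dns_server in self.dns_servers:
        push += 'push "dhcp-option DNS %s"\n' % dns_server
    if self.search_domain:
        push += 'push "dhcp-option DOMAIN %s"\n' % self.search_domain

    server_conf = OVPN_INLINE_SERVER_CONF % (
        self.port,
        self.protocol,
        self.interface,
        tls_verify_path,
        client_connect_path,
        client_disconnect_path,
        '%s %s' % self._parse_network(self.network),
        ovpn_status_path,
        4 if self.debug else 1,
        8 if self.debug else 3,
    )

    if self.otp_auth:
        server_conf += 'auth-user-pass-verify %s via-file\n' % (
            user_pass_verify_path)
    if self.lzo_compression:
        server_conf += 'comp-lzo\npush "comp-lzo"\n'
    if self.mode in (LOCAL_TRAFFIC, VPN_TRAFFIC):
        server_conf += 'client-to-client\n'
    if push:
        server_conf += push

    server_conf += '<ca>\n%s\n</ca>\n' % utils.get_cert_block(
        self.ca_certificate)
    server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
        primary_user.certificate)
    server_conf += '<key>\n%s\n</key>\n' % primary_user.private_key
    server_conf += '<dh>\n%s\n</dh>\n' % self.dh_params

    # Create the conf with mode 0600 at creation time. open() then chmod
    # leaves a window in which the still empty file has umask permissions;
    # a local user who opens it in that window keeps a readable descriptor
    # and can read the private key written below. The chmod is kept so a
    # pre-existing file is tightened as before.
    fd = os.open(ovpn_conf_path,
        os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as ovpn_conf:
        os.chmod(ovpn_conf_path, 0o600)
        ovpn_conf.write(server_conf)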
def _generate_conf(self, svr, include_user_cert=True):
    """Build this user's inline OpenVPN client conf for *svr*.

    On first use a ``sync_token``/``sync_secret`` pair is generated and
    committed on the user. The conf is rendered from
    ``OVPN_INLINE_CLIENT_CONF``, extended with any ``user_config`` plugin
    output on enterprise plans, followed by the server's CA certificate
    and, when ``include_user_cert`` is true, the tls-auth key, user
    certificate and private key.

    Args:
        svr: server object the conf is generated for.
        include_user_cert: when false the returned conf stops after the
            ``<ca>`` block and carries no user key material.

    Returns:
        ``(file_name, client_conf, conf_hash)`` where ``file_name`` is
        ``<org>_<user>_<server>.ovpn``, ``client_conf`` is the conf text and
        ``conf_hash`` is the hex digest described below.
    """
    if not self.sync_token or not self.sync_secret:
        self.sync_token = utils.generate_secret()
        self.sync_secret = utils.generate_secret()
        self.commit(('sync_token', 'sync_secret'))

    file_name = '%s_%s_%s.ovpn' % (
        self.org.name, self.name, svr.name)

    if not svr.ca_certificate:
        svr.generate_ca_cert()
    key_remotes = svr.get_key_remotes()
    ca_certificate = svr.ca_certificate
    certificate = utils.get_cert_block(self.certificate)
    private_key = self.private_key.strip()

    # conf_hash is a fingerprint over the settings (and plugin output) that
    # shape the conf so a changed configuration yields a different digest;
    # it is built from non-secret inputs only (no key material) and is not
    # a security primitive, which is why md5 is acceptable here.
    conf_hash = hashlib.md5()
    conf_hash.update(self.name.encode('utf-8'))
    conf_hash.update(self.org.name.encode('utf-8'))
    conf_hash.update(svr.name.encode('utf-8'))
    conf_hash.update(svr.protocol)
    # Remotes are sorted so their order does not affect the digest.
    for key_remote in sorted(key_remotes):
        conf_hash.update(key_remote)
    conf_hash.update(CIPHERS[svr.cipher])
    conf_hash.update(str(svr.lzo_compression))
    conf_hash.update(str(svr.block_outside_dns))
    conf_hash.update(str(svr.otp_auth))
    conf_hash.update(JUMBO_FRAMES[svr.jumbo_frames])
    conf_hash.update(ca_certificate)
    conf_hash.update(self._get_key_info_str(svr, None, False))

    # Plugin output is trusted: every non-empty value the user_config
    # plugins return is inserted verbatim into the client conf below and
    # folded into the hash.
    plugin_config = ''
    if settings.local.sub_plan and \
            'enterprise' in settings.local.sub_plan:
        returns = plugins.caller(
            'user_config',
            host_id=settings.local.host_id,
            host_name=settings.local.host.name,
            org_id=self.org_id,
            user_id=self.id,
            user_name=self.name,
            server_id=svr.id,
            server_name=svr.name,
            server_port=svr.port,
            server_protocol=svr.protocol,
            server_ipv6=svr.ipv6,
            server_ipv6_firewall=svr.ipv6_firewall,
            server_network=svr.network,
            server_network6=svr.network6,
            server_network_mode=svr.network_mode,
            server_network_start=svr.network_start,
            server_network_stop=svr.network_end,
            server_restrict_routes=svr.restrict_routes,
            server_bind_address=svr.bind_address,
            server_onc_hostname=None,
            server_dh_param_bits=svr.dh_param_bits,
            server_multi_device=svr.multi_device,
            server_dns_servers=svr.dns_servers,
            server_search_domain=svr.search_domain,
            server_otp_auth=svr.otp_auth,
            server_cipher=svr.cipher,
            server_hash=svr.hash,
            server_inter_client=svr.inter_client,
            server_ping_interval=svr.ping_interval,
            server_ping_timeout=svr.ping_timeout,
            server_link_ping_interval=svr.link_ping_interval,
            server_link_ping_timeout=svr.link_ping_timeout,
            server_allowed_devices=svr.allowed_devices,
            server_max_clients=svr.max_clients,
            server_replica_count=svr.replica_count,
            server_dns_mapping=svr.dns_mapping,
            server_debug=svr.debug,
        )

        if returns:
            for return_val in returns:
                if not return_val:
                    continue
                val = return_val.strip()
                conf_hash.update(val)
                plugin_config += val + '\n'

    conf_hash = conf_hash.hexdigest()

    client_conf = OVPN_INLINE_CLIENT_CONF % (
        self._get_key_info_str(svr, conf_hash, include_user_cert),
        uuid.uuid4().hex,
        utils.random_name(),
        svr.adapter_type,
        svr.adapter_type,
        svr.get_key_remotes(),
        CIPHERS[svr.cipher],
        HASHES[svr.hash],
        svr.ping_interval,
        svr.ping_timeout,
    )

    if svr.lzo_compression != ADAPTIVE:
        client_conf += 'comp-lzo no\n'

    # ignore-unknown-option keeps clients that predate block-outside-dns
    # from rejecting the conf.
    if svr.block_outside_dns:
        client_conf += 'ignore-unknown-option block-outside-dns\n'
        client_conf += 'block-outside-dns\n'

    if self.has_password(svr):
        client_conf += 'auth-user-pass\n'

    # NOTE(review): key-direction is emitted whenever tls_auth is on, but
    # the matching <tls-auth> block below is only added when
    # include_user_cert is true; confirm the include_user_cert=False conf
    # is completed with the key elsewhere.
    if svr.tls_auth:
        client_conf += 'key-direction 1\n'

    client_conf += JUMBO_FRAMES[svr.jumbo_frames]
    client_conf += plugin_config
    client_conf += '<ca>\n%s\n</ca>\n' % ca_certificate

    if include_user_cert:
        if svr.tls_auth:
            client_conf += '<tls-auth>\n%s\n</tls-auth>\n' % (
                svr.tls_auth_key)
        client_conf += '<cert>\n%s\n</cert>\n' % certificate
        client_conf += '<key>\n%s\n</key>\n' % private_key

    return file_name, client_conf, conf_hash
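def generate_ovpn_conf(self):
    """Write the OpenVPN server conf for this server instance.

    Ensures the server has a primary organization (that is still attached
    to the server) and primary user, storing the user on
    ``self.primary_user``; builds ``push``/``route`` directives from the
    server mode and the linked servers; renders ``OVPN_INLINE_SERVER_CONF``
    and appends the CA, the tls-auth key when enabled, the primary user's
    certificate and private key and the DH params into
    ``self.ovpn_conf_path`` (mode 0600 from creation).

    Returns:
        None. The conf is written to ``self.ovpn_conf_path``.
    """
    logger.debug('Generating server ovpn conf', 'server',
        server_id=self.server.id,
    )

    if not self.server.primary_organization or \
            not self.server.primary_user:
        self.server.create_primary_user()

    # A primary org that is no longer part of the server is unusable;
    # drop the primary user and recreate it.
    if self.server.primary_organization not in self.server.organizations:
        self.server.remove_primary_user()
        self.server.create_primary_user()

    primary_org = organization.get_by_id(self.server.primary_organization)
    if not primary_org:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)

    self.primary_user = primary_org.get_user(self.server.primary_user)
    if not self.primary_user:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)
        self.primary_user = primary_org.get_user(self.server.primary_user)

    push = ''
    if self.server.mode == LOCAL_TRAFFIC:
        for network in self.server.local_networks:
            push += 'push "route %s %s"\n' % utils.parse_network(network)
    elif self.server.mode == VPN_TRAFFIC:
        pass

    # Routes for a link are only installed on the side with the lower id,
    # so each pair of linked servers sets them up once.
    for link_svr in self.server.iter_links(fields=(
                '_id', 'network', 'local_networks')):
        if self.server.id < link_svr.id:
            gateway = utils.get_network_gateway(self.server.network)
            push += 'route %s %s %s\n' % (utils.parse_network(
                link_svr.network) + (gateway,))
            for local_network in link_svr.local_networks:
                push += 'route %s %s %s\n' % (utils.parse_network(
                    local_network) + (gateway,))

    server_conf = OVPN_INLINE_SERVER_CONF % (
        self.server.port,
        self.server.protocol,
        self.interface,
        '%s %s' % utils.parse_network(self.server.network),
        self.management_socket_path,
        self.server.max_clients,
        self.server.ping_interval,
        self.server.ping_timeout + 20,
        self.server.ping_interval,
        self.server.ping_timeout,
        CIPHERS[self.server.cipher],
        4 if self.server.debug else 1,
        8 if self.server.debug else 3,
    )

    if self.server.bind_address:
        server_conf += 'local %s\n' % self.server.bind_address

    if self.server.inter_client:
        server_conf += 'client-to-client\n'

    if self.server.multi_device:
        server_conf += 'duplicate-cn\n'

    # Pritunl v0.10.x did not include comp-lzo in client conf
    # if lzo_compression is adaptive dont include comp-lzo in server conf
    if self.server.lzo_compression == ADAPTIVE:
        pass
    elif self.server.lzo_compression:
        server_conf += 'comp-lzo yes\npush "comp-lzo yes"\n'
    else:
        server_conf += 'comp-lzo no\npush "comp-lzo no"\n'

    server_conf += JUMBO_FRAMES[self.server.jumbo_frames]

    if push:
        server_conf += push

    # The debug copy of the conf is pushed before any key material is
    # appended, so the tls-auth key and private key never reach the
    # server output.
    if self.server.debug:
        self.server.output.push_message('Server conf:')
        for conf_line in server_conf.split('\n'):
            if conf_line:
                self.server.output.push_message('  ' + conf_line)

    server_conf += '<ca>\n%s\n</ca>\n' % self.server.ca_certificate
    if self.server.tls_auth:
        server_conf += 'key-direction 0\n<tls-auth>\n%s\n</tls-auth>\n' % (
            self.server.tls_auth_key)
    server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
        self.primary_user.certificate)
    server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
    server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params

    # Create the conf with mode 0600 at creation time. open() then chmod
    # leaves a window in which the still empty file has umask permissions;
    # a local user who opens it in that window keeps a readable descriptor
    # and can read the private key written below. The chmod is kept so a
    # pre-existing file is tightened as before.
    fd = os.open(self.ovpn_conf_path,
        os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as ovpn_conf:
        os.chmod(self.ovpn_conf_path, 0o600)
        ovpn_conf.write(server_conf)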
def generate_ca_cert(self):
    """Rebuild ``self.ca_certificate`` from the CA certs of all orgs.

    Each org's CA certificate is normalised with ``utils.get_cert_block``;
    the blocks are concatenated with one newline after each and the
    trailing newlines are stripped from the result.
    """
    blocks = [utils.get_cert_block(org.ca_certificate)
        for org in self.iter_orgs()]
    self.ca_certificate = '\n'.join(blocks).rstrip('\n')
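def generate_ovpn_conf(self):
    """Write the OpenVPN server conf for this server instance.

    Ensures the server has a primary organization (still attached to the
    server) and primary user, storing the user on ``self.primary_user``;
    builds ``push``/``route`` directives from the server's own routes and
    from linked servers, choosing ``server-bridge`` or ``server`` (plus
    ``server-ipv6``) by network mode; renders ``OVPN_INLINE_SERVER_CONF``
    and appends the CA, the tls-auth key when enabled, the primary user's
    certificate and private key and the DH params into
    ``self.ovpn_conf_path`` (mode 0600 from creation).

    Returns:
        None. The conf is written to ``self.ovpn_conf_path``.
    """
    logger.debug('Generating server ovpn conf', 'server',
        server_id=self.server.id,
    )

    if not self.server.primary_organization or \
            not self.server.primary_user:
        self.server.create_primary_user()

    # A primary org that is no longer part of the server is unusable;
    # drop the primary user and recreate it.
    if self.server.primary_organization not in self.server.organizations:
        self.server.remove_primary_user()
        self.server.create_primary_user()

    primary_org = organization.get_by_id(self.server.primary_organization)
    if not primary_org:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)

    self.primary_user = primary_org.get_user(self.server.primary_user)
    if not self.primary_user:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)
        self.primary_user = primary_org.get_user(self.server.primary_user)

    gateway = utils.get_network_gateway(self.server.network)
    gateway6 = utils.get_network_gateway(self.server.network6)

    push = ''
    for route in self.server.get_routes(include_default=False):
        if route['virtual_network']:
            continue

        network = route['network']

        if not route.get('network_link'):
            # Plain routes are pushed to clients.
            if ':' in network:
                push += 'push "route-ipv6 %s "\n' % network
            else:
                push += 'push "route %s %s"\n' % utils.parse_network(
                    network)
        else:
            # Network-link routes are installed on the server itself via
            # the VPN gateway.
            if ':' in network:
                push += 'route-ipv6 %s %s\n' % (network, gateway6)
            else:
                push += 'route %s %s %s\n' % (utils.parse_network(
                    network) + (gateway,))

    # Routes for a link are only installed on the side with the lower id,
    # so each pair of linked servers sets them up once.
    for link_svr in self.server.iter_links(fields=(
                '_id', 'network', 'local_networks', 'network_start',
                'network_end', 'organizations', 'routes', 'links')):
        if self.server.id < link_svr.id:
            for route in link_svr.get_routes(include_default=False):
                network = route['network']
                if ':' in network:
                    push += 'route-ipv6 %s %s\n' % (
                        network, gateway6)
                else:
                    push += 'route %s %s %s\n' % (utils.parse_network(
                        network) + (gateway,))

    if self.server.network_mode == BRIDGE:
        host_int_data = self.host_interface_data
        host_address = host_int_data['address']
        host_netmask = host_int_data['netmask']

        server_line = 'server-bridge %s %s %s %s' % (
            host_address,
            host_netmask,
            self.server.network_start,
            self.server.network_end,
        )
    else:
        server_line = 'server %s %s' % utils.parse_network(
            self.server.network)

        if self.server.ipv6:
            server_line += '\nserver-ipv6 ' + self.server.network6

    server_conf = OVPN_INLINE_SERVER_CONF % (
        self.server.port,
        self.server.protocol + ('6' if self.server.ipv6 else ''),
        self.interface,
        server_line,
        self.management_socket_path,
        self.server.max_clients,
        self.server.ping_interval,
        self.server.ping_timeout + 20,
        self.server.ping_interval,
        self.server.ping_timeout,
        CIPHERS[self.server.cipher],
        HASHES[self.server.hash],
        4 if self.server.debug else 1,
        8 if self.server.debug else 3,
    )

    if self.server.bind_address:
        server_conf += 'local %s\n' % self.server.bind_address

    if self.server.inter_client:
        server_conf += 'client-to-client\n'

    if self.server.multi_device:
        server_conf += 'duplicate-cn\n'

    if self.server.protocol == 'udp':
        server_conf += 'replay-window 128\n'

    # Pritunl v0.10.x did not include comp-lzo in client conf
    # if lzo_compression is adaptive dont include comp-lzo in server conf
    if self.server.lzo_compression == ADAPTIVE:
        pass
    elif self.server.lzo_compression:
        server_conf += 'comp-lzo yes\npush "comp-lzo yes"\n'
    else:
        server_conf += 'comp-lzo no\npush "comp-lzo no"\n'

    server_conf += JUMBO_FRAMES[self.server.jumbo_frames]

    if push:
        server_conf += push

    # The debug copy of the conf is pushed before any key material is
    # appended, so the tls-auth key and private key never reach the
    # server output.
    if self.server.debug:
        self.server.output.push_message('Server conf:')
        for conf_line in server_conf.split('\n'):
            if conf_line:
                self.server.output.push_message('  ' + conf_line)

    server_conf += '<ca>\n%s\n</ca>\n' % self.server.ca_certificate
    if self.server.tls_auth:
        server_conf += 'key-direction 0\n<tls-auth>\n%s\n</tls-auth>\n' % (
            self.server.tls_auth_key)
    server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
        self.primary_user.certificate)
    server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
    server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params

    # Create the conf with mode 0600 at creation time. open() then chmod
    # leaves a window in which the still empty file has umask permissions;
    # a local user who opens it in that window keeps a readable descriptor
    # and can read the private key written below. The chmod is kept so a
    # pre-existing file is tightened as before.
    fd = os.open(self.ovpn_conf_path,
        os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as ovpn_conf:
        os.chmod(self.ovpn_conf_path, 0o600)
        ovpn_conf.write(server_conf)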
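def generate_ovpn_conf(self):
    """Render the OpenVPN server configuration and write it to disk.

    Steps, in order:

    1. Make sure the server has a primary organization and primary user;
       that user's certificate/key is what the OpenVPN process presents.
    2. Collect ``push``/``route`` directives from the server's own routes,
       from the routes of linked servers (only from the member with the
       lower id, so each link is emitted once) and from the vxlan network.
    3. Fill ``OVPN_INLINE_SERVER_CONF`` (positional slots; the order must
       match the template) and append the option lines: bind address,
       client-to-client, duplicate-cn, replay-window, compression, jumbo
       frames, pushes and any enterprise ``server_config`` plugin output.
    4. Append the inline CA, tls-auth key, server cert, private key and DH
       params and write everything to ``self.ovpn_conf_path`` (mode 0600).

    The debug dump to ``self.server.output`` runs between steps 3 and 4, so
    the CA/cert/key material is never sent to the output log.

    Fixes versus the previous revision:

    * plugin-returned lines were terminated with the literal two characters
      ``/n`` instead of a newline, which glued the plugin line onto the
      following ``<ca>`` block; they now end with ``\\n``;
    * the config file was created with the process umask and only chmod'd
      afterwards; it is now created with 0600 from the start and the mode is
      enforced on the open descriptor.

    Raises:
        ValueError: if ``self.server.protocol`` is neither 'tcp' nor 'udp'.
    """
    # --- primary organization / user -----------------------------------
    if not self.server.primary_organization or \
            not self.server.primary_user:
        self.server.create_primary_user()

    # A primary org that is no longer attached to the server is stale;
    # recreate the primary user inside a currently attached org.
    if self.server.primary_organization not in self.server.organizations:
        self.server.remove_primary_user()
        self.server.create_primary_user()

    primary_org = organization.get_by_id(self.server.primary_organization)
    if not primary_org:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)

    self.primary_user = primary_org.get_user(self.server.primary_user)
    if not self.primary_user:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)
        self.primary_user = primary_org.get_user(self.server.primary_user)

    # --- routes ---------------------------------------------------------
    gateway = utils.get_network_gateway(self.server.network)
    gateway6 = utils.get_network_gateway(self.server.network6)

    push = ''
    routes = []
    for route in self.server.get_routes(include_default=False):
        routes.append(route['network'])
        if route['virtual_network']:
            continue

        network = route['network']
        if route['net_gateway']:
            # Route the network around the VPN via the client's own gateway.
            if ':' in network:
                push += 'push "route-ipv6 %s net_gateway"\n' % network
            else:
                push += 'push "route %s %s net_gateway"\n' % \
                    utils.parse_network(network)
        elif not route.get('network_link'):
            if ':' in network:
                push += 'push "route-ipv6 %s"\n' % network
            else:
                push += 'push "route %s %s"\n' % utils.parse_network(
                    network)
        else:
            # Linked networks are routed on the server side, via the
            # server's own VPN gateway, rather than pushed to clients.
            if ':' in network:
                push += 'route-ipv6 %s %s\n' % (network, gateway6)
            else:
                push += 'route %s %s %s\n' % (
                    utils.parse_network(network) + (gateway, ))

    for link_svr in self.server.iter_links(fields=(
            '_id', 'network', 'local_networks', 'network_start',
            'network_end', 'organizations', 'routes', 'links', 'ipv6',
            'replica_count', 'network_mode')):
        # Only the member with the lower id adds the link routes.
        if self.server.id < link_svr.id:
            for route in link_svr.get_routes(include_default=False):
                network = route['network']
                if route['net_gateway']:
                    continue
                if ':' in network:
                    push += 'route-ipv6 %s %s\n' % (network, gateway6)
                else:
                    push += 'route %s %s %s\n' % (
                        utils.parse_network(network) + (gateway, ))

    if self.vxlan:
        push += 'push "route %s %s"\n' % utils.parse_network(
            self.vxlan.vxlan_net)

    # --- server / protocol lines ---------------------------------------
    if self.server.network_mode == BRIDGE:
        host_int_data = self.host_interface_data
        host_address = host_int_data['address']
        host_netmask = host_int_data['netmask']
        server_line = 'server-bridge %s %s %s %s' % (
            host_address,
            host_netmask,
            self.server.network_start,
            self.server.network_end,
        )
    else:
        server_line = 'server %s %s' % utils.parse_network(
            self.server.network)
        if self.server.ipv6:
            server_line += '\nserver-ipv6 ' + self.server.network6

    # Dual-stack listeners are only used when no explicit bind address
    # pins the server to a single (IPv4 or IPv6) address.
    if self.server.protocol == 'tcp':
        if (self.server.ipv6 or settings.vpn.ipv6) and \
                not self.server.bind_address:
            protocol = 'tcp6-server'
        else:
            protocol = 'tcp-server'
    elif self.server.protocol == 'udp':
        if (self.server.ipv6 or settings.vpn.ipv6) and \
                not self.server.bind_address:
            protocol = 'udp6'
        else:
            protocol = 'udp'
    else:
        raise ValueError('Unknown protocol')

    server_conf = OVPN_INLINE_SERVER_CONF % (
        self.server.port,
        protocol,
        self.interface,
        server_line,
        self.management_socket_path,
        self.server.max_clients,
        self.server.ping_interval,
        self.server.ping_timeout + 20,
        self.server.ping_interval,
        self.server.ping_timeout,
        SERVER_CIPHERS[self.server.cipher],
        HASHES[self.server.hash],
        4 if self.server.debug else 1,
        8 if self.server.debug else 3,
    )

    # --- option lines ---------------------------------------------------
    if self.server.bind_address:
        server_conf += 'local %s\n' % self.server.bind_address

    if self.server.inter_client:
        server_conf += 'client-to-client\n'

    if self.server.multi_device:
        server_conf += 'duplicate-cn\n'

    if self.server.protocol == 'udp':
        server_conf += 'replay-window 128\n'

    # Pritunl v0.10.x did not include comp-lzo in client conf
    # if lzo_compression is adaptive dont include comp-lzo in server conf
    if self.server.lzo_compression == ADAPTIVE:
        pass
    elif self.server.lzo_compression:
        server_conf += 'comp-lzo yes\npush "comp-lzo yes"\n'
    else:
        server_conf += 'comp-lzo no\npush "comp-lzo no"\n'

    server_conf += JUMBO_FRAMES[self.server.jumbo_frames]

    if push:
        server_conf += push

    # Dump before any key material is appended.
    if self.server.debug:
        self.server.output.push_message('Server conf:')
        for conf_line in server_conf.split('\n'):
            if conf_line:
                self.server.output.push_message('  ' + conf_line)

    # Enterprise plugins may contribute raw config lines; they are trusted
    # and inserted verbatim (only whitespace-trimmed) into the config.
    if settings.local.sub_plan and \
            'enterprise' in settings.local.sub_plan:
        returns = plugins.caller(
            'server_config',
            host_id=settings.local.host_id,
            host_name=settings.local.host.name,
            server_id=self.server.id,
            server_name=self.server.name,
            port=self.server.port,
            protocol=self.server.protocol,
            ipv6=self.server.ipv6,
            ipv6_firewall=self.server.ipv6_firewall,
            network=self.server.network,
            network6=self.server.network6,
            network_mode=self.server.network_mode,
            network_start=self.server.network_start,
            network_stop=self.server.network_end,
            restrict_routes=self.server.restrict_routes,
            bind_address=self.server.bind_address,
            onc_hostname=self.server.onc_hostname,
            dh_param_bits=self.server.dh_param_bits,
            multi_device=self.server.multi_device,
            dns_servers=self.server.dns_servers,
            search_domain=self.server.search_domain,
            otp_auth=self.server.otp_auth,
            cipher=self.server.cipher,
            hash=self.server.hash,
            inter_client=self.server.inter_client,
            ping_interval=self.server.ping_interval,
            ping_timeout=self.server.ping_timeout,
            link_ping_interval=self.server.link_ping_interval,
            link_ping_timeout=self.server.link_ping_timeout,
            allowed_devices=self.server.allowed_devices,
            max_clients=self.server.max_clients,
            replica_count=self.server.replica_count,
            dns_mapping=self.server.dns_mapping,
            debug=self.server.debug,
            routes=routes,
            interface=self.interface,
            bridge_interface=self.bridge_interface,
            vxlan=self.vxlan,
        )

        if returns:
            for return_val in returns:
                if not return_val:
                    continue
                # Previously '/n' (two literal characters) was appended here,
                # so the plugin line ran into the '<ca>' line that follows.
                server_conf += return_val.strip() + '\n'

    # --- inline key material -------------------------------------------
    server_conf += '<ca>\n%s\n</ca>\n' % self.server.ca_certificate

    if self.server.tls_auth:
        server_conf += 'key-direction 0\n<tls-auth>\n%s\n</tls-auth>\n' % (
            self.server.tls_auth_key)

    server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
        self.primary_user.certificate)
    server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
    server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params

    # The file holds the server private key and the tls-auth key. Create it
    # owner-only from the start rather than with the process umask and a
    # later chmod: a reader that opened the file inside that window would
    # keep its descriptor. fchmod on our own descriptor also re-tightens a
    # pre-existing file without a path-based TOCTOU.
    fd = os.open(self.ovpn_conf_path,
        os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as ovpn_conf:
        os.fchmod(fd, 0o600)
        ovpn_conf.write(server_conf)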
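def generate_ovpn_conf(self):
    """Render the OpenVPN server configuration and write it to disk.

    Ensures a primary organization/user exists (its cert/key is what the
    OpenVPN process presents), builds the client ``push`` list from the
    server mode (local-network routes, or ``redirect-gateway`` for full
    tunnel), DNS options and linked servers, fills
    ``OVPN_INLINE_SERVER_CONF`` (positional slots, order must match the
    template), appends option lines and the inline CA / tls-auth / cert /
    key / DH blocks, and writes the result to ``self.ovpn_conf_path``.

    Fix versus the previous revision: the file was created with the process
    umask and chmod'd afterwards; it is now created with mode 0600 from the
    start and the mode is enforced on the open descriptor, since the file
    carries the server private key and the tls-auth key.

    NOTE(review): the ``<tls-auth>`` block below carries no
    ``key-direction``, i.e. bidirectional mode. If the client profile
    generated for this revision uses ``key-direction 1``, the HMAC keys
    will not match -- confirm against the client conf generator before
    changing either side.
    """
    from pritunl.server.utils import get_by_id

    logger.debug(
        'Generating server ovpn conf', 'server',
        server_id=self.server.id,
    )

    # --- primary organization / user -----------------------------------
    if not self.server.primary_organization or \
            not self.server.primary_user:
        self.server.create_primary_user()

    # A primary org that is no longer attached to the server is stale.
    if self.server.primary_organization not in self.server.organizations:
        self.server.remove_primary_user()
        self.server.create_primary_user()

    primary_org = organization.get_by_id(self.server.primary_organization)
    if not primary_org:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)

    self.primary_user = primary_org.get_user(self.server.primary_user)
    if not self.primary_user:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)
        self.primary_user = primary_org.get_user(self.server.primary_user)

    # --- pushed options -------------------------------------------------
    push = ''
    if self.server.mode == LOCAL_TRAFFIC:
        for network in self.server.local_networks:
            push += 'push "route %s %s"\n' % utils.parse_network(network)
    elif self.server.mode == VPN_TRAFFIC:
        pass
    else:
        push += 'push "redirect-gateway"\n'

    for dns_server in self.server.dns_servers:
        push += 'push "dhcp-option DNS %s"\n' % dns_server
    if self.server.search_domain:
        push += 'push "dhcp-option DOMAIN %s"\n' % (
            self.server.search_domain)

    # Linked servers: push their VPN network and local networks to clients.
    # A link whose server no longer exists would make get_by_id return a
    # value without .network and fail here -- TODO confirm get_by_id's
    # contract for missing ids.
    for link_doc in self.server.links:
        link_svr = get_by_id(link_doc['server_id'])
        push += 'push "route %s %s"\n' % utils.parse_network(
            link_svr.network)
        for local_network in link_svr.local_networks:
            push += 'push "route %s %s"\n' % utils.parse_network(
                local_network)

    server_conf = OVPN_INLINE_SERVER_CONF % (
        self.server.port,
        self.server.protocol,
        self.interface,
        '%s %s' % utils.parse_network(self.server.network),
        self.management_socket_path,
        CIPHERS[self.server.cipher],
        4 if self.server.debug else 1,
        8 if self.server.debug else 3,
    )

    # --- option lines ---------------------------------------------------
    if self.server.bind_address:
        server_conf += 'local %s\n' % self.server.bind_address

    if self.server.multi_device:
        server_conf += 'duplicate-cn\n'

    # Password/OTP check is delegated to an external verifier script that
    # receives the credentials through a temporary file.
    if self.server.otp_auth:
        server_conf += 'auth-user-pass-verify %s via-file\n' % (
            self.user_pass_verify_path)

    # Pritunl v0.10.x did not include comp-lzo in client conf
    # if lzo_compression is adaptive dont include comp-lzo in server conf
    if self.server.lzo_compression == ADAPTIVE:
        pass
    elif self.server.lzo_compression:
        server_conf += 'comp-lzo yes\npush "comp-lzo yes"\n'
    else:
        server_conf += 'comp-lzo no\npush "comp-lzo no"\n'

    server_conf += JUMBO_FRAMES[self.server.jumbo_frames]

    if push:
        server_conf += push

    # --- inline key material -------------------------------------------
    server_conf += '<ca>\n%s\n</ca>\n' % self.server.ca_certificate

    if self.server.tls_auth:
        server_conf += '<tls-auth>\n%s\n</tls-auth>\n' % (
            self.server.tls_auth_key)

    server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
        self.primary_user.certificate)
    server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
    server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params

    # Create owner-only from the start; a later chmod would leave a window
    # in which another reader could open the file and keep the descriptor.
    fd = os.open(self.ovpn_conf_path,
        os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as ovpn_conf:
        os.fchmod(fd, 0o600)
        ovpn_conf.write(server_conf)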
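def generate_ovpn_conf(self):
    """Render the OpenVPN server configuration and write it to disk.

    Ensures a primary organization/user exists (its cert/key is what the
    OpenVPN process presents), pushes local-network routes in
    ``LOCAL_TRAFFIC`` mode, adds server-side ``route`` lines for linked
    servers (only from the link member with the lower id, so each link is
    routed once), fills ``OVPN_INLINE_SERVER_CONF`` (positional slots, the
    order must match the template), appends option lines, and finally the
    inline CA / tls-auth / cert / key / DH blocks before writing to
    ``self.ovpn_conf_path``.

    The debug dump to ``self.server.output`` happens before any key
    material is appended, so secrets never reach the output log.

    Fix versus the previous revision: the file was created with the process
    umask and chmod'd afterwards; it is now created with mode 0600 from the
    start and the mode is enforced on the open descriptor, since the file
    carries the server private key and the tls-auth key.
    """
    logger.debug(
        'Generating server ovpn conf', 'server',
        server_id=self.server.id,
    )

    # --- primary organization / user -----------------------------------
    if not self.server.primary_organization or \
            not self.server.primary_user:
        self.server.create_primary_user()

    # A primary org that is no longer attached to the server is stale.
    if self.server.primary_organization not in self.server.organizations:
        self.server.remove_primary_user()
        self.server.create_primary_user()

    primary_org = organization.get_by_id(self.server.primary_organization)
    if not primary_org:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)

    self.primary_user = primary_org.get_user(self.server.primary_user)
    if not self.primary_user:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)
        self.primary_user = primary_org.get_user(self.server.primary_user)

    # --- routes ---------------------------------------------------------
    push = ''
    if self.server.mode == LOCAL_TRAFFIC:
        for network in self.server.local_networks:
            push += 'push "route %s %s"\n' % utils.parse_network(network)
    elif self.server.mode == VPN_TRAFFIC:
        # Nothing is pushed in this mode (no redirect-gateway here).
        pass

    for link_svr in self.server.iter_links(fields=(
            '_id', 'network', 'local_networks')):
        if self.server.id < link_svr.id:
            gateway = utils.get_network_gateway(self.server.network)
            push += 'route %s %s %s\n' % (
                utils.parse_network(link_svr.network) + (gateway, ))
            for local_network in link_svr.local_networks:
                push += 'route %s %s %s\n' % (
                    utils.parse_network(local_network) + (gateway, ))

    server_conf = OVPN_INLINE_SERVER_CONF % (
        self.server.port,
        self.server.protocol,
        self.interface,
        '%s %s' % utils.parse_network(self.server.network),
        self.management_socket_path,
        CIPHERS[self.server.cipher],
        4 if self.server.debug else 1,
        8 if self.server.debug else 3,
    )

    # --- option lines ---------------------------------------------------
    if self.server.bind_address:
        server_conf += 'local %s\n' % self.server.bind_address

    if self.server.multi_device:
        server_conf += 'duplicate-cn\n'

    # Pritunl v0.10.x did not include comp-lzo in client conf
    # if lzo_compression is adaptive dont include comp-lzo in server conf
    if self.server.lzo_compression == ADAPTIVE:
        pass
    elif self.server.lzo_compression:
        server_conf += 'comp-lzo yes\npush "comp-lzo yes"\n'
    else:
        server_conf += 'comp-lzo no\npush "comp-lzo no"\n'

    server_conf += JUMBO_FRAMES[self.server.jumbo_frames]

    if push:
        server_conf += push

    # Dump before any key material is appended.
    if self.server.debug:
        self.server.output.push_message('Server conf:')
        for conf_line in server_conf.split('\n'):
            if conf_line:
                self.server.output.push_message('  ' + conf_line)

    # --- inline key material -------------------------------------------
    server_conf += '<ca>\n%s\n</ca>\n' % self.server.ca_certificate

    if self.server.tls_auth:
        server_conf += 'key-direction 0\n<tls-auth>\n%s\n</tls-auth>\n' % (
            self.server.tls_auth_key)

    server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
        self.primary_user.certificate)
    server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
    server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params

    # Create owner-only from the start; a later chmod would leave a window
    # in which another reader could open the file and keep the descriptor.
    fd = os.open(self.ovpn_conf_path,
        os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as ovpn_conf:
        os.fchmod(fd, 0o600)
        ovpn_conf.write(server_conf)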
def _generate_conf(self, svr, include_user_cert=True):
    """Build the .ovpn profile for this user on server ``svr``.

    Returns ``(file_name, client_conf, conf_hash)``:

    * ``file_name`` -- ``<org>_<user>_<server>.ovpn``;
    * ``client_conf`` -- the profile text;
    * ``conf_hash`` -- an MD5 hex digest over the inputs that shape the
      profile (names, protocol, sorted remotes, cipher, compression,
      block-outside-dns, otp, jumbo frames, CA bundle, key info, plugin
      output).  It is a change-detection fingerprint, not an integrity
      check; do not rely on it for anything security relevant.

    Side effects: generates and commits ``sync_token``/``sync_secret`` when
    either is missing, and generates the server CA bundle if absent.

    With ``include_user_cert=False`` the inline ``<tls-auth>``, ``<cert>``
    and ``<key>`` blocks are left out; ``key-direction 1`` is still emitted
    when tls-auth is enabled, so the key is expected to be supplied
    out-of-band.

    NOTE(review): ``file_name`` is assembled from org/user/server names
    without stripping path separators -- confirm callers use it only as a
    download name, never as a filesystem path.
    """
    if not self.sync_token or not self.sync_secret:
        self.sync_token = utils.generate_secret()
        self.sync_secret = utils.generate_secret()
        self.commit(('sync_token', 'sync_secret'))

    file_name = '%s_%s_%s.ovpn' % (self.org.name, self.name, svr.name)

    if not svr.ca_certificate:
        svr.generate_ca_cert()

    key_remotes = svr.get_key_remotes()
    ca_certificate = svr.ca_certificate
    certificate = utils.get_cert_block(self.certificate)
    private_key = self.private_key.strip()

    # Fingerprint inputs, fed to the digest in this exact order.
    digest = hashlib.md5()
    fingerprint_inputs = [
        self.name.encode('utf-8'),
        self.org.name.encode('utf-8'),
        svr.name.encode('utf-8'),
        svr.protocol,
    ]
    fingerprint_inputs.extend(sorted(key_remotes))
    fingerprint_inputs.extend((
        CIPHERS[svr.cipher],
        str(svr.lzo_compression),
        str(svr.block_outside_dns),
        str(svr.otp_auth),
        JUMBO_FRAMES[svr.jumbo_frames],
        ca_certificate,
        self._get_key_info_str(svr, None, False),
    ))
    for chunk in fingerprint_inputs:
        digest.update(chunk)

    # Enterprise plugins may contribute raw profile lines; they are trusted
    # and inserted verbatim (whitespace-trimmed) and folded into the hash.
    plugin_lines = []
    if settings.local.sub_plan and \
            'enterprise' in settings.local.sub_plan:
        returns = plugins.caller(
            'user_config',
            host_id=settings.local.host_id,
            host_name=settings.local.host.name,
            org_id=self.org_id,
            user_id=self.id,
            user_name=self.name,
            server_id=svr.id,
            server_name=svr.name,
            server_port=svr.port,
            server_protocol=svr.protocol,
            server_ipv6=svr.ipv6,
            server_ipv6_firewall=svr.ipv6_firewall,
            server_network=svr.network,
            server_network6=svr.network6,
            server_network_mode=svr.network_mode,
            server_network_start=svr.network_start,
            server_network_stop=svr.network_end,
            server_restrict_routes=svr.restrict_routes,
            server_bind_address=svr.bind_address,
            server_onc_hostname=None,
            server_dh_param_bits=svr.dh_param_bits,
            server_multi_device=svr.multi_device,
            server_dns_servers=svr.dns_servers,
            server_search_domain=svr.search_domain,
            server_otp_auth=svr.otp_auth,
            server_cipher=svr.cipher,
            server_hash=svr.hash,
            server_inter_client=svr.inter_client,
            server_ping_interval=svr.ping_interval,
            server_ping_timeout=svr.ping_timeout,
            server_link_ping_interval=svr.link_ping_interval,
            server_link_ping_timeout=svr.link_ping_timeout,
            server_allowed_devices=svr.allowed_devices,
            server_max_clients=svr.max_clients,
            server_replica_count=svr.replica_count,
            server_dns_mapping=svr.dns_mapping,
            server_debug=svr.debug,
        )

        for return_val in returns or ():
            if not return_val:
                continue
            val = return_val.strip()
            digest.update(val)
            plugin_lines.append(val + '\n')

    conf_hash = digest.hexdigest()

    # Profile text, assembled in order and joined once at the end.
    parts = [OVPN_INLINE_CLIENT_CONF % (
        self._get_key_info_str(svr, conf_hash, include_user_cert),
        uuid.uuid4().hex,
        utils.random_name(),
        svr.adapter_type,
        svr.adapter_type,
        svr.get_key_remotes(),
        CIPHERS[svr.cipher],
        HASHES[svr.hash],
        svr.ping_interval,
        svr.ping_timeout,
    )]

    if svr.lzo_compression != ADAPTIVE:
        parts.append('comp-lzo no\n')

    if svr.block_outside_dns:
        parts.append('ignore-unknown-option block-outside-dns\n')
        parts.append('block-outside-dns\n')

    if self.has_password(svr):
        parts.append('auth-user-pass\n')

    if svr.tls_auth:
        parts.append('key-direction 1\n')

    parts.append(JUMBO_FRAMES[svr.jumbo_frames])
    parts.extend(plugin_lines)
    parts.append('<ca>\n%s\n</ca>\n' % ca_certificate)

    if include_user_cert:
        if svr.tls_auth:
            parts.append('<tls-auth>\n%s\n</tls-auth>\n' % svr.tls_auth_key)
        parts.append('<cert>\n%s\n</cert>\n' % certificate)
        parts.append('<key>\n%s\n</key>\n' % private_key)

    return file_name, ''.join(parts), conf_hash
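def generate_ovpn_conf(self):
    """Render the OpenVPN server configuration and write it to disk.

    Steps, in order:

    1. Make sure the server has a primary organization and primary user;
       that user's certificate/key is what the OpenVPN process presents.
    2. Collect ``push``/``route`` directives from the server's own routes
       and from the routes of linked servers (only from the member with the
       lower id, so each link is emitted once).
    3. Fill ``OVPN_INLINE_SERVER_CONF`` (positional slots; the order must
       match the template) and append the option lines: bind address,
       client-to-client, duplicate-cn, replay-window, compression, jumbo
       frames, pushes and any enterprise ``server_config`` plugin output.
    4. Append the inline CA, tls-auth key, server cert, private key and DH
       params and write everything to ``self.ovpn_conf_path`` (mode 0600).

    The debug dump to ``self.server.output`` runs between steps 3 and 4, so
    the CA/cert/key material is never sent to the output log.

    Fixes versus the previous revision:

    * plugin-returned lines were terminated with the literal two characters
      ``/n`` instead of a newline, which glued the plugin line onto the
      following ``<ca>`` block; they now end with ``\\n``;
    * the config file was created with the process umask and only chmod'd
      afterwards; it is now created with 0600 from the start and the mode is
      enforced on the open descriptor.

    Raises:
        ValueError: if ``self.server.protocol`` is neither 'tcp' nor 'udp'.
    """
    logger.debug('Generating server ovpn conf', 'server',
        server_id=self.server.id,
    )

    # --- primary organization / user -----------------------------------
    if not self.server.primary_organization or \
            not self.server.primary_user:
        self.server.create_primary_user()

    # A primary org that is no longer attached to the server is stale.
    if self.server.primary_organization not in self.server.organizations:
        self.server.remove_primary_user()
        self.server.create_primary_user()

    primary_org = organization.get_by_id(self.server.primary_organization)
    if not primary_org:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)

    self.primary_user = primary_org.get_user(self.server.primary_user)
    if not self.primary_user:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)
        self.primary_user = primary_org.get_user(self.server.primary_user)

    # --- routes ---------------------------------------------------------
    gateway = utils.get_network_gateway(self.server.network)
    gateway6 = utils.get_network_gateway(self.server.network6)

    push = ''
    routes = []
    for route in self.server.get_routes(include_default=False):
        routes.append(route['network'])
        if route['virtual_network']:
            continue

        network = route['network']
        if not route.get('network_link'):
            if ':' in network:
                push += 'push "route-ipv6 %s "\n' % network
            else:
                push += 'push "route %s %s"\n' % utils.parse_network(
                    network)
        else:
            # Linked networks are routed on the server side, via the
            # server's own VPN gateway, rather than pushed to clients.
            if ':' in network:
                push += 'route-ipv6 %s %s\n' % (network, gateway6)
            else:
                push += 'route %s %s %s\n' % (utils.parse_network(
                    network) + (gateway,))

    for link_svr in self.server.iter_links(fields=(
            '_id', 'network', 'local_networks', 'network_start',
            'network_end', 'organizations', 'routes', 'links', 'ipv6')):
        # Only the member with the lower id adds the link routes.
        if self.server.id < link_svr.id:
            for route in link_svr.get_routes(include_default=False):
                network = route['network']
                if ':' in network:
                    push += 'route-ipv6 %s %s\n' % (
                        network, gateway6)
                else:
                    push += 'route %s %s %s\n' % (utils.parse_network(
                        network) + (gateway,))

    # --- server / protocol lines ---------------------------------------
    if self.server.network_mode == BRIDGE:
        host_int_data = self.host_interface_data
        host_address = host_int_data['address']
        host_netmask = host_int_data['netmask']
        server_line = 'server-bridge %s %s %s %s' % (
            host_address,
            host_netmask,
            self.server.network_start,
            self.server.network_end,
        )
    else:
        server_line = 'server %s %s' % utils.parse_network(
            self.server.network)
        if self.server.ipv6:
            server_line += '\nserver-ipv6 ' + self.server.network6

    if self.server.protocol == 'tcp':
        if self.server.ipv6 or settings.vpn.ipv6:
            protocol = 'tcp6-server'
        else:
            protocol = 'tcp-server'
    elif self.server.protocol == 'udp':
        if self.server.ipv6 or settings.vpn.ipv6:
            protocol = 'udp6'
        else:
            protocol = 'udp'
    else:
        raise ValueError('Unknown protocol')

    server_conf = OVPN_INLINE_SERVER_CONF % (
        self.server.port,
        protocol,
        self.interface,
        server_line,
        self.management_socket_path,
        self.server.max_clients,
        self.server.ping_interval,
        self.server.ping_timeout + 20,
        self.server.ping_interval,
        self.server.ping_timeout,
        CIPHERS[self.server.cipher],
        HASHES[self.server.hash],
        4 if self.server.debug else 1,
        8 if self.server.debug else 3,
    )

    # --- option lines ---------------------------------------------------
    if self.server.bind_address:
        server_conf += 'local %s\n' % self.server.bind_address

    if self.server.inter_client:
        server_conf += 'client-to-client\n'

    if self.server.multi_device:
        server_conf += 'duplicate-cn\n'

    if self.server.protocol == 'udp':
        server_conf += 'replay-window 128\n'

    # Pritunl v0.10.x did not include comp-lzo in client conf
    # if lzo_compression is adaptive dont include comp-lzo in server conf
    if self.server.lzo_compression == ADAPTIVE:
        pass
    elif self.server.lzo_compression:
        server_conf += 'comp-lzo yes\npush "comp-lzo yes"\n'
    else:
        server_conf += 'comp-lzo no\npush "comp-lzo no"\n'

    server_conf += JUMBO_FRAMES[self.server.jumbo_frames]

    if push:
        server_conf += push

    # Dump before any key material is appended.
    if self.server.debug:
        self.server.output.push_message('Server conf:')
        for conf_line in server_conf.split('\n'):
            if conf_line:
                self.server.output.push_message('  ' + conf_line)

    # Enterprise plugins may contribute raw config lines; they are trusted
    # and inserted verbatim (only whitespace-trimmed) into the config.
    if settings.local.sub_plan == 'enterprise':
        returns = plugins.caller(
            'server_config',
            host_id=settings.local.host_id,
            host_name=settings.local.host.name,
            server_id=self.server.id,
            server_name=self.server.name,
            port=self.server.port,
            protocol=self.server.protocol,
            ipv6=self.server.ipv6,
            ipv6_firewall=self.server.ipv6_firewall,
            network=self.server.network,
            network6=self.server.network6,
            network_mode=self.server.network_mode,
            network_start=self.server.network_start,
            network_stop=self.server.network_end,
            restrict_routes=self.server.restrict_routes,
            bind_address=self.server.bind_address,
            onc_hostname=self.server.onc_hostname,
            dh_param_bits=self.server.dh_param_bits,
            multi_device=self.server.multi_device,
            dns_servers=self.server.dns_servers,
            search_domain=self.server.search_domain,
            otp_auth=self.server.otp_auth,
            cipher=self.server.cipher,
            hash=self.server.hash,
            inter_client=self.server.inter_client,
            ping_interval=self.server.ping_interval,
            ping_timeout=self.server.ping_timeout,
            link_ping_interval=self.server.link_ping_interval,
            link_ping_timeout=self.server.link_ping_timeout,
            max_clients=self.server.max_clients,
            replica_count=self.server.replica_count,
            dns_mapping=self.server.dns_mapping,
            debug=self.server.debug,
            routes=routes,
        )

        if returns:
            for return_val in returns:
                if not return_val:
                    continue
                # Previously '/n' (two literal characters) was appended here,
                # so the plugin line ran into the '<ca>' line that follows.
                server_conf += return_val.strip() + '\n'

    # --- inline key material -------------------------------------------
    server_conf += '<ca>\n%s\n</ca>\n' % self.server.ca_certificate

    if self.server.tls_auth:
        server_conf += 'key-direction 0\n<tls-auth>\n%s\n</tls-auth>\n' % (
            self.server.tls_auth_key)

    server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
        self.primary_user.certificate)
    server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
    server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params

    # The file holds the server private key and the tls-auth key. Create it
    # owner-only from the start rather than with the process umask and a
    # later chmod: a reader that opened the file inside that window would
    # keep its descriptor. fchmod on our own descriptor also re-tightens a
    # pre-existing file without a path-based TOCTOU.
    fd = os.open(self.ovpn_conf_path,
        os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as ovpn_conf:
        os.fchmod(fd, 0o600)
        ovpn_conf.write(server_conf)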
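def generate_ovpn_conf(self):
    """Render the OpenVPN server configuration and write it to disk.

    Ensures a primary organization/user exists (its cert/key is what the
    OpenVPN process presents), builds the client ``push`` list from the
    server mode (local-network routes, or ``redirect-gateway`` for full
    tunnel), DNS options and linked servers, fills
    ``OVPN_INLINE_SERVER_CONF`` (positional slots, order must match the
    template), appends option lines and the inline CA / tls-auth / cert /
    key / DH blocks, and writes the result to ``self.ovpn_conf_path``.

    Fix versus the previous revision: the file was created with the process
    umask and chmod'd afterwards; it is now created with mode 0600 from the
    start and the mode is enforced on the open descriptor, since the file
    carries the server private key and the tls-auth key.

    NOTE(review): the ``<tls-auth>`` block below carries no
    ``key-direction``, i.e. bidirectional mode. If the client profile
    generated for this revision uses ``key-direction 1``, the HMAC keys
    will not match -- confirm against the client conf generator before
    changing either side.
    """
    from pritunl.server.utils import get_by_id

    logger.debug('Generating server ovpn conf', 'server',
        server_id=self.server.id,
    )

    # --- primary organization / user -----------------------------------
    if not self.server.primary_organization or \
            not self.server.primary_user:
        self.server.create_primary_user()

    # A primary org that is no longer attached to the server is stale.
    if self.server.primary_organization not in self.server.organizations:
        self.server.remove_primary_user()
        self.server.create_primary_user()

    primary_org = organization.get_by_id(self.server.primary_organization)
    if not primary_org:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)

    self.primary_user = primary_org.get_user(self.server.primary_user)
    if not self.primary_user:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)
        self.primary_user = primary_org.get_user(self.server.primary_user)

    # --- pushed options -------------------------------------------------
    push = ''
    if self.server.mode == LOCAL_TRAFFIC:
        for network in self.server.local_networks:
            push += 'push "route %s %s"\n' % utils.parse_network(network)
    elif self.server.mode == VPN_TRAFFIC:
        pass
    else:
        push += 'push "redirect-gateway"\n'

    for dns_server in self.server.dns_servers:
        push += 'push "dhcp-option DNS %s"\n' % dns_server
    if self.server.search_domain:
        push += 'push "dhcp-option DOMAIN %s"\n' % (
            self.server.search_domain)

    # Linked servers: push their VPN network and local networks to clients.
    # A link whose server no longer exists would make get_by_id return a
    # value without .network and fail here -- TODO confirm get_by_id's
    # contract for missing ids.
    for link_doc in self.server.links:
        link_svr = get_by_id(link_doc['server_id'])
        push += 'push "route %s %s"\n' % utils.parse_network(
            link_svr.network)
        for local_network in link_svr.local_networks:
            push += 'push "route %s %s"\n' % utils.parse_network(
                local_network)

    server_conf = OVPN_INLINE_SERVER_CONF % (
        self.server.port,
        self.server.protocol,
        self.interface,
        '%s %s' % utils.parse_network(self.server.network),
        self.management_socket_path,
        CIPHERS[self.server.cipher],
        4 if self.server.debug else 1,
        8 if self.server.debug else 3,
    )

    # --- option lines ---------------------------------------------------
    if self.server.bind_address:
        server_conf += 'local %s\n' % self.server.bind_address

    if self.server.multi_device:
        server_conf += 'duplicate-cn\n'

    # Password/OTP check is delegated to an external verifier script that
    # receives the credentials through a temporary file.
    if self.server.otp_auth:
        server_conf += 'auth-user-pass-verify %s via-file\n' % (
            self.user_pass_verify_path)

    # Pritunl v0.10.x did not include comp-lzo in client conf
    # if lzo_compression is adaptive dont include comp-lzo in server conf
    if self.server.lzo_compression == ADAPTIVE:
        pass
    elif self.server.lzo_compression:
        server_conf += 'comp-lzo yes\npush "comp-lzo yes"\n'
    else:
        server_conf += 'comp-lzo no\npush "comp-lzo no"\n'

    server_conf += JUMBO_FRAMES[self.server.jumbo_frames]

    if push:
        server_conf += push

    # --- inline key material -------------------------------------------
    server_conf += '<ca>\n%s\n</ca>\n' % self.server.ca_certificate

    if self.server.tls_auth:
        server_conf += '<tls-auth>\n%s\n</tls-auth>\n' % (
            self.server.tls_auth_key)

    server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
        self.primary_user.certificate)
    server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
    server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params

    # Create owner-only from the start; a later chmod would leave a window
    # in which another reader could open the file and keep the descriptor.
    fd = os.open(self.ovpn_conf_path,
        os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as ovpn_conf:
        os.fchmod(fd, 0o600)
        ovpn_conf.write(server_conf)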
def generate_ca_cert(self):
    """Assemble the server CA bundle from every attached organization's CA.

    Each org CA is normalised through ``utils.get_cert_block`` and the
    blocks are joined one per line; the result, with trailing newlines
    removed, is stored on ``self.ca_certificate``.

    Because the bundle contains all attached org CAs, OpenVPN's certificate
    check alone accepts a client cert issued by any of those orgs; any
    per-organization restriction presumably happens elsewhere (verify
    against the connection/authorization path before relying on it).
    """
    blocks = [utils.get_cert_block(org.ca_certificate)
        for org in self.iter_orgs()]
    self.ca_certificate = '\n'.join(blocks).rstrip('\n')