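def build_key_conf(self, server_id):
    """Build an inline OpenVPN client profile for this user on one server.

    The profile embeds the server CA certificate, this user's certificate
    and this user's private key, so the returned ``conf`` text is a secret
    and callers must treat it as such.

    Args:
        server_id: id of the server, resolved through ``self.org.get_server``.

    Returns:
        dict with ``name`` (the ``.ovpn`` file name built from org, user and
        server names) and ``conf`` (the profile text).
    """
    server = self.org.get_server(server_id)
    conf_name = '%s_%s_%s.ovpn' % (self.org.name, self.name, server.name)
    server.generate_ca_cert()

    client_conf = OVPN_INLINE_CLIENT_CONF % (
        self._get_key_info_str(self.name, self.org.name, server.name),
        server.protocol,
        server.public_address,
        server.port,
    )
    if server.otp_auth:
        client_conf += 'auth-user-pass\n'

    client_conf += '<ca>\n%s\n</ca>\n' % utils.get_cert_block(
        server.ca_cert_path)
    client_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
        self.cert_path)
    # Read the private key under a context manager so the handle is closed
    # deterministically instead of being left to garbage collection.
    with open(self.key_path) as key_file:
        client_conf += '<key>\n%s\n</key>\n' % key_file.read().strip()

    return {
        'name': conf_name,
        'conf': client_conf,
    }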
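def _build_inline_key_archive(self):
    """Write one inline ``.ovpn`` profile per server into a tar archive.

    Every profile embeds this user's private key. Each per-server temp file
    is therefore created with mode 0600 from the very first open (the
    original opened it at the umask default and chmod'ed afterwards, leaving
    a short window with wider permissions) and is removed even when adding
    it to the archive fails, so no key material is left behind in TEMP_DIR.

    NOTE(review): the archive at ``self.temp_key_archive_path`` is still
    created with umask-default permissions although it holds the same key
    material; whether it should be 0600 depends on how callers hand it out.

    Returns:
        ``self.temp_key_archive_path``, the path of the written archive.
    """
    tar_file = tarfile.open(self.temp_key_archive_path, 'w')
    try:
        for server in self.org.iter_servers():
            server_conf_path = os.path.join(self.org.path, TEMP_DIR,
                '%s_%s.ovpn' % (self.id, server.id))
            server_conf_arcname = '%s_%s_%s.ovpn' % (
                self.org.name, self.name, server.name)
            server.generate_ca_cert()

            client_conf = OVPN_INLINE_CLIENT_CONF % (
                server.protocol,
                server.public_address,
                server.port,
            )
            if server.otp_auth:
                client_conf += 'auth-user-pass\n'
            client_conf += '<ca>\n%s\n</ca>\n' % utils.get_cert_block(
                server.ca_cert_path)
            client_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
                self.cert_path)
            # Context manager closes the key file promptly.
            with open(self.key_path) as key_file:
                client_conf += '<key>\n%s\n</key>\n' % key_file.read().strip()

            # Create the temp profile owner-only from the start; the umask can
            # only remove bits, so the explicit chmod below restores the exact
            # 0600 the original code ended with.
            fd = os.open(server_conf_path,
                os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
            try:
                with os.fdopen(fd, 'w') as ovpn_conf:
                    os.chmod(server_conf_path, 0o600)
                    ovpn_conf.write(client_conf)
                tar_file.add(server_conf_path, arcname=server_conf_arcname)
            finally:
                # Always remove the plaintext key file, even if tar add failed.
                os.remove(server_conf_path)
    finally:
        tar_file.close()
    return self.temp_key_archive_path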
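def _generate_ovpn_conf(self):
    """Render this node server's inline OpenVPN server config and return it.

    The CA certificate, the primary user's certificate and private key and
    the DH parameters are inlined, so the returned string is sensitive.
    Several template slots are filled with a literal ``'%s'`` (and the
    OTP line with ``<%= user_pass_verify_path %>``); these are left in the
    output on purpose, presumably for a later substitution step elsewhere.

    Returns:
        str: the rendered server config.

    Raises:
        ServerMissingOrg: if the server has no organizations attached.
    """
    if not self.org_count:
        raise ServerMissingOrg('Ovpn conf cannot be generated without ' +
            'any organizations', {
                'server_id': self.id,
            })
    logger.debug('Generating node server ovpn conf. %r' % {
        'server_id': self.id,
    })

    if not self.primary_organization or not self.primary_user:
        self._create_primary_user()
    if not os.path.isfile(self.dh_param_path):
        self._generate_dh_param()
    primary_org = Organization.get_org(id=self.primary_organization)
    primary_user = primary_org.get_user(self.primary_user)
    self.generate_ca_cert()

    # Routes pushed to clients: either the configured local networks, or a
    # full redirect-gateway when none are configured; DNS servers follow.
    push_lines = []
    if self.local_networks:
        for network in self.local_networks:
            push_lines.append(
                'push "route %s %s"' % self._parse_network(network))
    else:
        push_lines.append('push "redirect-gateway"')
    for dns_server in self.dns_servers:
        push_lines.append('push "dhcp-option DNS %s"' % dns_server)
    # Joined without a trailing newline, matching the former rstrip().
    push = '\n'.join(push_lines)

    server_conf = OVPN_INLINE_SERVER_CONF % (
        self.port,
        self.protocol,
        self.interface,
        '%s',  # literal placeholder kept in the output
        '%s',
        '%s',
        '%s %s' % self._parse_network(self.network),
        '%s',
        push,
        '%s',
        4 if self.debug else 1,  # higher values in debug mode
        8 if self.debug else 3,
    )
    if self.otp_auth:
        server_conf += 'auth-user-pass-verify ' + \
            '<%= user_pass_verify_path %> via-file\n'
    if self.lzo_compression:
        server_conf += 'comp-lzo\npush "comp-lzo"\n'
    if self.local_networks:
        server_conf += 'client-to-client\n'

    server_conf += '<ca>\n%s\n</ca>\n' % utils.get_cert_block(
        self.ca_cert_path)
    server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
        primary_user.cert_path)
    # Context managers close the key and DH files promptly instead of
    # relying on garbage collection.
    with open(primary_user.key_path) as key_file:
        server_conf += '<key>\n%s\n</key>\n' % key_file.read().strip()
    with open(self.dh_param_path) as dh_file:
        server_conf += '<dh>\n%s\n</dh>\n' % dh_file.read().strip()
    return server_conf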
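def _generate_ovpn_conf(self, temp_path):
    """Write the OpenVPN hook scripts and the inline server config to temp_path.

    The config inlines the CA certificate, the primary user's certificate
    and private key and the DH parameters, so it is created owner-only
    (0600) from the first open rather than chmod'ed after an ``open()`` that
    briefly leaves it at the umask default.

    NOTE(review): the four hook scripts embed ``app_server.local_api_key``
    and are made world-readable (0755, already marked TODO below). Whether
    they can be tightened depends on which user OpenVPN executes them as;
    confirm before changing the mode.

    Args:
        temp_path: directory that receives the scripts, status file and
            ``OVPN_CONF_NAME``.
    """
    logger.debug('Generating server ovpn conf. %r' % {
        'server_id': self.id,
    })

    # Resolve the primary org/user, (re)creating them when either lookup
    # comes back empty; the retries mirror the original control flow.
    if not self.primary_organization or not self.primary_user:
        self._create_primary_user()
    primary_org = Organization.get_org(id=self.primary_organization)
    if not primary_org:
        self._create_primary_user()
        primary_org = Organization.get_org(id=self.primary_organization)
    primary_user = primary_org.get_user(self.primary_user)
    if not primary_user:
        self._create_primary_user()
        primary_org = Organization.get_org(id=self.primary_organization)
        primary_user = primary_org.get_user(self.primary_user)

    tls_verify_path = os.path.join(temp_path, TLS_VERIFY_NAME)
    user_pass_verify_path = os.path.join(temp_path, USER_PASS_VERIFY_NAME)
    client_connect_path = os.path.join(temp_path, CLIENT_CONNECT_NAME)
    client_disconnect_path = os.path.join(temp_path, CLIENT_DISCONNECT_NAME)
    ovpn_status_path = os.path.join(temp_path, OVPN_STATUS_NAME)
    ovpn_conf_path = os.path.join(temp_path, OVPN_CONF_NAME)

    # A wildcard bind address is not a reachable host for the scripts.
    auth_host = app_server.bind_addr
    if auth_host == '0.0.0.0':
        auth_host = 'localhost'

    for script, script_path in (
                (TLS_VERIFY_SCRIPT, tls_verify_path),
                (USER_PASS_VERIFY_SCRIPT, user_pass_verify_path),
                (CLIENT_CONNECT_SCRIPT, client_connect_path),
                (CLIENT_DISCONNECT_SCRIPT, client_disconnect_path),
            ):
        with open(script_path, 'w') as script_file:
            os.chmod(script_path, 0o755)  # TODO
            script_file.write(script % (
                app_server.local_api_key,
                '/dev/null',  # TODO
                app_server.web_protocol,
                auth_host,
                app_server.port,
                self.id,
            ))

    # Client push directives depend on the traffic mode.
    push = ''
    if self.mode == LOCAL_TRAFFIC:
        for network in self.local_networks:
            push += 'push "route %s %s"\n' % self._parse_network(network)
    elif self.mode == VPN_TRAFFIC:
        pass
    else:
        push += 'push "redirect-gateway"\n'
    for dns_server in self.dns_servers:
        push += 'push "dhcp-option DNS %s"\n' % dns_server
    if self.search_domain:
        push += 'push "dhcp-option DOMAIN %s"\n' % self.search_domain

    server_conf = OVPN_INLINE_SERVER_CONF % (
        self.port,
        self.protocol,
        self.interface,
        tls_verify_path,
        client_connect_path,
        client_disconnect_path,
        '%s %s' % self._parse_network(self.network),
        ovpn_status_path,
        4 if self.debug else 1,  # higher values in debug mode
        8 if self.debug else 3,
    )
    if self.otp_auth:
        server_conf += 'auth-user-pass-verify %s via-file\n' % (
            user_pass_verify_path)
    if self.lzo_compression:
        server_conf += 'comp-lzo\npush "comp-lzo"\n'
    if self.mode in (LOCAL_TRAFFIC, VPN_TRAFFIC):
        server_conf += 'client-to-client\n'
    if push:
        server_conf += push

    server_conf += '<ca>\n%s\n</ca>\n' % utils.get_cert_block(
        self.ca_certificate)
    server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
        primary_user.certificate)
    server_conf += '<key>\n%s\n</key>\n' % primary_user.private_key
    server_conf += '<dh>\n%s\n</dh>\n' % self.dh_params

    # Owner-only from creation; the chmod restores exactly 0600 in case the
    # umask stripped further bits.
    fd = os.open(ovpn_conf_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as ovpn_conf:
        os.chmod(ovpn_conf_path, 0o600)
        ovpn_conf.write(server_conf)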
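def _generate_ovpn_conf(self, inline=False):
    """Write this server's OpenVPN config to ``self.ovpn_conf_path``.

    With ``inline=False`` the config references the CA, cert, key and DH
    files by path; with ``inline=True`` their contents are embedded, which
    makes the file itself secret, so it is then created owner-only (0600)
    from the first open rather than chmod'ed after an ``open()`` that would
    briefly leave it at the umask default.

    Args:
        inline: embed certificate, key and DH material instead of paths.

    Raises:
        ServerMissingOrg: if the server has no organizations attached.
    """
    if not self.org_count:
        raise ServerMissingOrg('Ovpn conf cannot be generated without ' +
            'any organizations', {
                'server_id': self.id,
            })
    logger.debug('Generating server ovpn conf. %r' % {
        'server_id': self.id,
    })

    if not self.primary_organization or not self.primary_user:
        self._create_primary_user()
    if not os.path.isfile(self.dh_param_path):
        self._generate_dh_param()
    # Resolve the primary org/user, (re)creating them when a lookup comes
    # back empty; the retries mirror the original control flow.
    primary_org = Organization.get_org(id=self.primary_organization)
    if not primary_org:
        self._create_primary_user()
        primary_org = Organization.get_org(id=self.primary_organization)
    primary_user = primary_org.get_user(self.primary_user)
    if not primary_user:
        self._create_primary_user()
        primary_user = primary_org.get_user(self.primary_user)
    self.generate_ca_cert()
    self._generate_scripts()

    # Client push directives depend on the traffic mode.
    push = ''
    if self.mode == LOCAL_TRAFFIC:
        for network in self.local_networks:
            push += 'push "route %s %s"\n' % self._parse_network(network)
    elif self.mode == VPN_TRAFFIC:
        pass
    else:
        push += 'push "redirect-gateway"\n'
    for dns_server in self.dns_servers:
        push += 'push "dhcp-option DNS %s"\n' % dns_server
    if self.search_domain:
        push += 'push "dhcp-option DOMAIN %s"\n' % self.search_domain

    if not inline:
        server_conf = OVPN_SERVER_CONF % (
            self.port,
            self.protocol,
            self.interface,
            self.ca_cert_path,
            primary_user.cert_path,
            primary_user.key_path,
            self.tls_verify_path,
            self.client_connect_path,
            self.client_disconnect_path,
            self.dh_param_path,
            '%s %s' % self._parse_network(self.network),
            self.ovpn_status_path,
            4 if self.debug else 1,  # higher values in debug mode
            8 if self.debug else 3,
        )
    else:
        server_conf = OVPN_INLINE_SERVER_CONF % (
            self.port,
            self.protocol,
            self.interface,
            self.tls_verify_path,
            self.client_connect_path,
            self.client_disconnect_path,
            '%s %s' % self._parse_network(self.network),
            self.ovpn_status_path,
            4 if self.debug else 1,
            8 if self.debug else 3,
        )
    if self.otp_auth:
        server_conf += 'auth-user-pass-verify %s via-file\n' % (
            self.user_pass_verify_path)
    if self.lzo_compression:
        server_conf += 'comp-lzo\npush "comp-lzo"\n'
    if self.mode in (LOCAL_TRAFFIC, VPN_TRAFFIC):
        server_conf += 'client-to-client\n'
    if push:
        server_conf += push

    if inline:
        server_conf += '<ca>\n%s\n</ca>\n' % utils.get_cert_block(
            self.ca_cert_path)
        server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
            primary_user.cert_path)
        # Context managers close the key and DH files promptly.
        with open(primary_user.key_path) as key_file:
            server_conf += '<key>\n%s\n</key>\n' % key_file.read().strip()
        with open(self.dh_param_path) as dh_file:
            server_conf += '<dh>\n%s\n</dh>\n' % dh_file.read().strip()

    if inline:
        # Owner-only from creation; the chmod restores exactly 0600 in case
        # the umask stripped further bits.
        fd = os.open(self.ovpn_conf_path,
            os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        ovpn_conf = os.fdopen(fd, 'w')
    else:
        ovpn_conf = open(self.ovpn_conf_path, 'w')
    with ovpn_conf:
        if inline:
            os.chmod(self.ovpn_conf_path, 0o600)
        ovpn_conf.write(server_conf)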