def disconnect(self): self.restore_default_dns() for i in self.pid_list: self.kill_pid(i) if self.wg_connect == 1: try: wg_down = Popen( ["wg-quick", "down", "%s/wg_qomui.conf" % ROOTDIR], stdout=PIPE, stderr=STDOUT) for line in wg_down.stdout: logging.info(line) except CalledProcessError: pass wg_rules = [["-D", "INPUT", "-i", "wg_qomui", "-j", "ACCEPT"], ["-D", "OUTPUT", "-o", "wg_qomui", "-j", "ACCEPT"]] for rule in wg_rules: firewall.add_rule_6(rule) firewall.add_rule(rule) self.wg_connect = 0
def wg(self, wg_file): name = self.ovpn_dict["name"] self.logger.info("Establishing connection to %s" % name) wg_rules = [["-I", "INPUT", "1", "-i", "wg_qomui", "-j", "ACCEPT"], ["-I", "OUTPUT", "1", "-o", "wg_qomui", "-j", "ACCEPT"]] for rule in wg_rules: firewall.add_rule_6(rule) firewall.add_rule(rule) time.sleep(1) try: self.tun = "wg_qomui" cmd_wg = Popen(['wg-quick', 'up', '%s' % wg_file], stdout=PIPE, stderr=STDOUT) for line in cmd_wg.stdout: logging.info(line) self.wg_connect = 1 self.reply("success") except (CalledProcessError, FileNotFoundError): self.reply("fail1")
def delete_cgroup(default_interface): cgroup_iptables_del = [[ "-t", "mangle", "-D", "OUTPUT", "-m", "cgroup", "--cgroup", "0x00110011", "-j", "MARK", "--set-mark", "11" ], [ "-t", "nat", "-D", "POSTROUTING", "-m", "cgroup", "--cgroup", "0x00110011", "-o", "%s" % default_interface, "-j", "MASQUERADE" ], [ "-D", "OUTPUT", "-m", "cgroup", "--cgroup", "0x00110011", "-j", "ACCEPT" ], [ "-D", "INPUT", "-m", "cgroup", "--cgroup", "0x00110011", "-j", "ACCEPT" ], [ "-t", "nat", "-D", "OUTPUT", "-m", "cgroup", "--cgroup", "0x00110011", "-p", "tcp", "--dport", "53", "-j", "REDIRECT", "--to-ports", "5354" ], [ "-t", "nat", "-D", "OUTPUT", "-m", "cgroup", "--cgroup", "0x00110011", "-p", "udp", "--dport", "53", "-j", "REDIRECT", "--to-ports", "5354" ]] with open("/proc/sys/net/ipv4/conf/all/rp_filter", 'w') as rp_edit_all: rp_edit_all.write("1") with open("/proc/sys/net/ipv4/conf/%s/rp_filter" % default_interface, 'w') as rp_edit_int: rp_edit_int.write("1") try: check_call( ["ip", "rule", "del", "fwmark", "11", "table", "bypass_qomui"]) check_call(["ip", "route", "flush", "table", "bypass_qomui"]) except CalledProcessError: pass for rule in cgroup_iptables_del: firewall.add_rule(rule) try: os.rmdir(cgroup_path) except (OSError, FileNotFoundError): logging.debug( "Could not delete %s - resource does not exist or is busy" % cgroup_path) logging.info("Deleted cgroup")
def allow_ip(self, ip, rule): try: if len(ip.split(".")) == 4: firewall.add_rule(rule) elif len(ip.split(":")) >= 4: firewall.add_rule_6(rule) except: pass
def delete_cgroup(interface): cgroup_iptables_del = [[ "-t", "mangle", "-D", "OUTPUT", "-m", "cgroup", "--cgroup", "0x00110011", "-j", "MARK", "--set-mark", "11" ], [ "-t", "nat", "-D", "POSTROUTING", "-m", "cgroup", "--cgroup", "0x00110011", "-o", "{}".format(interface), "-j", "MASQUERADE" ], [ "-D", "OUTPUT", "-m", "cgroup", "--cgroup", "0x00110011", "-j", "ACCEPT" ], [ "-D", "INPUT", "-m", "cgroup", "--cgroup", "0x00110011", "-j", "ACCEPT" ], [ "-t", "nat", "-D", "OUTPUT", "-m", "cgroup", "--cgroup", "0x00110011", "-p", "tcp", "--dport", "53", "-j", "REDIRECT", "--to-ports", "5354" ], [ "-t", "nat", "-D", "OUTPUT", "-m", "cgroup", "--cgroup", "0x00110011", "-p", "udp", "--dport", "53", "-j", "REDIRECT", "--to-ports", "5354" ]] try: check_call( ["ip", "rule", "del", "fwmark", "11", "table", "bypass_qomui"]) except CalledProcessError: pass for rule in cgroup_iptables_del: firewall.add_rule(rule) for rule in cgroup_iptables_del: firewall.add_rule_6(rule) try: os.rmdir(cgroup_path) except (OSError, FileNotFoundError): logging.debug( "Bypass: Could not delete {} - resource does not exist or is busy". format(cgroup_path)) logging.info("Deleted cgroup")
def set_bypass_vpn(interface, interface_cmd, tun, tun_cmd): postroutes = [[ "-t", "nat", tun_cmd, "POSTROUTING", "-m", "cgroup", "--cgroup", "0x00110011", "-o", tun, "-j", "MASQUERADE" ], [ "-t", "nat", interface_cmd, "POSTROUTING", "-m", "cgroup", "--cgroup", "0x00110011", "-o", interface, "-j", "MASQUERADE" ]] for rule in postroutes: firewall.add_rule(rule) firewall.add_rule_6(rule)
def allow_provider_ip(self, provider): server = None if provider == "Airvpn": server = "www.airvpn.org" elif provider == "Mullvad": server = "www.mullvad.net" elif provider == "PIA": server = "www.privateinternetaccess.com" self.allow_dns() if server is not None: self.logger.info( "iptables: Temporarily creating rule to allow access to %s" % server) try: dig_cmd = [ "dig", "+time=2", "+tries=1", "%s" % (server), "+short" ] answer = check_output(dig_cmd).decode("utf-8") parse = answer.split("\n") ip = parse[len(parse) - 2] allow = firewall.add_rule( ['-I', 'OUTPUT', '1', '-d', '%s' % (ip), '-j', 'ACCEPT']) except CalledProcessError as e: self.logger.error("%s: Could not resolve %s" % (e, server))
def allow_provider_ip(self, provider): server = [] if provider == "Airvpn": server.append("www.airvpn.org") elif provider == "Mullvad": server.append("www.mullvad.net") server.append("api.mullvad.net") elif provider == "PIA": server.append("www.privateinternetaccess.com") elif provider == "Windscribe": server.append("www.windscribe.com") elif provider == "ProtonVPN": server.append("account.protonvpn.com") self.allow_dns() if len(server) > 0: for s in server: self.logger.info( "iptables: Temporarily creating rule to allow access to %s" % s) try: dig_cmd = [ "dig", "+time=2", "+tries=1", "%s" % s, "+short" ] answer = check_output(dig_cmd).decode("utf-8") parse = answer.split("\n") ip = parse[len(parse) - 2] allow = firewall.add_rule([ '-I', 'OUTPUT', '1', '-d', '%s' % (ip), '-j', 'ACCEPT' ]) except CalledProcessError as e: self.logger.error("%s: Could not resolve %s" % (e, server))
def dns_request_exception(action, dns_1, dns_2, port): rules = [] protocols = ["udp", "tcp"] if action == "-I": logging.info("iptables: adding exception for DNS requests") elif action == "-D": logging.info("iptables: removing exception for DNS requests") for p in protocols: rules.append([action, 'OUTPUT', '-p', p, '--dport', port, '-j', 'ACCEPT']) rules.append([action, 'INPUT', '-p', p, '--sport', port, '-j', 'ACCEPT']) for rule in rules: firewall.add_rule(rule) firewall.add_rule(rule, ipt="ip6")
def block_dns(self): self.logger.debug("iptables: deleting exception for DNS requests") ipt_dns_out_del = firewall.add_rule([ '-D', 'OUTPUT', '-p', 'udp', '-d', self.config["alt_dns1"], '--dport', '53', '-j', 'ACCEPT' ]) ipt_dns_in_del = firewall.add_rule([ '-D', 'INPUT', '-p', 'udp', '-s', self.config["alt_dns1"], '--sport', '53', '-j', 'ACCEPT' ]) ipt_dns_out_del_alt = firewall.add_rule([ '-D', 'OUTPUT', '-p', 'udp', '-d', self.config["alt_dns2"], '--dport', '53', '-j', 'ACCEPT' ]) ipt_dns_in_del_alt = firewall.add_rule([ '-D', 'INPUT', '-p', 'udp', '-s', self.config["alt_dns2"], '--sport', '53', '-j', 'ACCEPT' ])
def allow_dns(self): self.logger.debug("iptables: temporarily allowing DNS requests") ipt_dns_out_add = firewall.add_rule([ '-I', 'OUTPUT', '1', '-p', 'udp', '-d', self.config["alt_dns1"], '--dport', '53', '-j', 'ACCEPT' ]) ipt_dns_in_add = firewall.add_rule([ '-I', 'INPUT', '2', '-p', 'udp', '-s', self.config["alt_dns1"], '--sport', '53', '-j', 'ACCEPT' ]) ipt_dns_out_add_alt = firewall.add_rule([ '-I', 'OUTPUT', '3', '-p', 'udp', '-d', self.config["alt_dns2"], '--dport', '53', '-j', 'ACCEPT' ]) ipt_dns_in_add_alt = firewall.add_rule([ '-I', 'INPUT', '4', '-p', 'udp', '-s', self.config["alt_dns2"], '--sport', '53', '-j', 'ACCEPT' ]) self.update_dns()
def allow_provider_ip(self, provider): server = [] if provider == "Airvpn": server.append("www.airvpn.org") elif provider == "Mullvad": server.append("www.mullvad.net") server.append("api.mullvad.net") elif provider == "PIA": server.append("www.privateinternetaccess.com") elif provider == "Windscribe": server.append("www.windscribe.com") server.append("assets.windscribe.com") elif provider == "ProtonVPN": server.append("api.protonmail.ch") dns_manager.dns_request_exception("-I", self.config["alt_dns1"], self.config["alt_dns2"], "53") if len(server) > 0: for s in server: try: dig_cmd = [ "dig", "+time=2", "+tries=1", "{}".format(s), "+short" ] answer = check_output(dig_cmd).decode("utf-8") parse = answer.split("\n") ip = parse[len(parse) - 2] firewall.add_rule([ '-I', 'OUTPUT', '1', '-d', '{}'.format(ip), '-j', 'ACCEPT' ]) self.logger.info( "iptables: Allowing access to {}".format(s)) except CalledProcessError as e: self.logger.error("{}: Could not resolve {}".format(e, s))
def disconnect(self, env): if env == "main": self.restore_default_dns() self.tun is None for i in self.pid_list: if i[1] != "OpenVPN_bypass": self.kill_pid(i) if self.wg_connect == 1: try: wg_down = Popen([ "wg-quick", "down", "{}/wg_qomui.conf".format(ROOTDIR) ], stdout=PIPE, stderr=STDOUT) for line in wg_down.stdout: self.logger.info( "WireGuard: " + line.decode("utf-8").replace("\n", "")) except CalledProcessError: pass #as WireGuard is down we can remove those rules wg_rules = [["-D", "INPUT", "-i", "wg_qomui", "-j", "ACCEPT"], ["-D", "OUTPUT", "-o", "wg_qomui", "-j", "ACCEPT"]] for rule in wg_rules: firewall.add_rule_6(rule) firewall.add_rule(rule) tunnel.exe_custom_scripts("down", self.wg_provider, self.config) self.wg_connect = 0 elif env == "bypass": for i in self.pid_list: if i[1] == "OpenVPN_bypass": self.kill_pid(i)
def create_cgroup(user, group, interface, gw=None, gw_6=None, default_int=None): logging.info("Creating bypass for {}".format(interface)) delete_cgroup(default_int) cgroup_iptables = [[ "-t", "mangle", "-A", "OUTPUT", "-m", "cgroup", "--cgroup", "0x00110011", "-j", "MARK", "--set-mark", "11" ], [ "-t", "nat", "-A", "POSTROUTING", "-m", "cgroup", "--cgroup", "0x00110011", "-o", "{}".format(interface), "-j", "MASQUERADE" ], [ "-I", "OUTPUT", "1", "-m", "cgroup", "--cgroup", "0x00110011", "-j", "ACCEPT" ], [ "-I", "INPUT", "1", "-m", "cgroup", "--cgroup", "0x00110011", "-j", "ACCEPT" ], [ "-t", "nat", "-A", "OUTPUT", "-m", "cgroup", "--cgroup", "0x00110011", "-p", "tcp", "--dport", "53", "-j", "REDIRECT", "--to-ports", "5354" ], [ "-t", "nat", "-A", "OUTPUT", "-m", "cgroup", "--cgroup", "0x00110011", "-p", "udp", "--dport", "53", "-j", "REDIRECT", "--to-ports", "5354" ]] if not os.path.exists(cgroup_path): os.makedirs(cgroup_path) with open("{}/net_cls.classid".format(cgroup_path), 'w') as setcid: setcid.write(cls_id) setcid.close() logging.debug("Bypass: Created cgroup 'net_cls:bypass_qomui'") try: check_call(["ip", "route", "show", "table", "bypass_qomui"]) logging.debug( "Bypass: No routing table added - table bypass_qomui already exists" ) except CalledProcessError: with open("/etc/iproute2/rt_tables", "a") as rt_tables: rt_tables.write("11 bypass_qomui\n") logging.debug("Bypass: Created new routing table") for rule in cgroup_iptables: firewall.add_rule(rule) if gw_6 != "None" and default_int == interface: for rule in cgroup_iptables: firewall.add_rule_6(rule) else: logging.debug("Blocking ipv6 via bypass_qomui") cgroup_iptables.pop(1) cgroup_iptables.insert(1, [ "-t", "nat", "-A", "POSTROUTING", "-m", "cgroup", "--cgroup", "0x00110011", "-o", "{}".format(interface), "-j", "MASQUERADE" ]) cgroup_iptables.pop(2) cgroup_iptables.insert(2, [ "-I", "OUTPUT", "1", "-m", "cgroup", "--cgroup", "0x00110011", "-j", "DROP" ]) cgroup_iptables.pop(3) cgroup_iptables.insert(3, [ "-I", "INPUT", "1", "-m", "cgroup", "--cgroup", "0x00110011", "-j", "DROP" ]) for rule in cgroup_iptables: firewall.add_rule_6(rule) try: check_call( ["ip", "rule", "add", "fwmark", "11", "table", "bypass_qomui"]) if interface == default_int: check_call(["ip", "route", "flush", "table", "bypass_qomui"]) check_call( ["ip", "rule", "add", "fwmark", "11", "table", "bypass_qomui"]) check_call([ "ip", "route", "add", "default", "via", "{}".format(gw), "dev", "{}".format(interface), "table", "bypass_qomui" ]) logging.debug( "Bypass: Set ipv4 route 'default via {} dev {}'".format( gw, interface)) except CalledProcessError: logging.error( "Bypass: Setting ipv4 route 'default via {} dev {}'".format( gw, interface)) try: check_call([ "ip", "-6", "rule", "add", "fwmark", "11", "table", "bypass_qomui" ]) if interface == default_int: check_call(["ip", "-6", "route", "flush", "table", "bypass_qomui"]) check_call([ "ip", "-6", "route", "add", "default", "via", "{}".format(gw_6), "dev", "{}".format(interface), "table", "bypass_qomui" ]) logging.debug( "Bypass: Set ipv6 route 'default via {} dev {}'".format( gw_6, interface)) except CalledProcessError: logging.error( "Bypass: Setting ipv6 route 'default via {} dev {}' failed".format( gw, interface)) with open("/proc/sys/net/ipv4/conf/all/rp_filter", 'w') as rp_edit_all: rp_edit_all.write("2") with open("/proc/sys/net/ipv4/conf/{}/rp_filter".format(interface), 'w') as rp_edit_int: rp_edit_int.write("2") logging.debug( "Disabled reverse path filtering for {}".format(interface)) try: check_call([ "cgcreate", "-t", "{}:{}".format(user, group), "-a" "{}:{}".format(user, group), "-g", "net_cls:bypass_qomui" ]) logging.debug("Bypass: Configured cgroup access for {}".format(user)) logging.info("Successfully created cgroup for {}".format(interface)) except (CalledProcessError, FileNotFoundError) as e: logging.error("Creating cgroup failed - is libcgroup installed?")
def create_cgroup(user, group, default_interface, default_gateway): cleanup = delete_cgroup(default_interface) cgroup_iptables = [[ "-t", "mangle", "-A", "OUTPUT", "-m", "cgroup", "--cgroup", "0x00110011", "-j", "MARK", "--set-mark", "11" ], [ "-t", "nat", "-A", "POSTROUTING", "-m", "cgroup", "--cgroup", "0x00110011", "-o", "%s" % default_interface, "-j", "MASQUERADE" ], [ "-I", "OUTPUT", "1", "-m", "cgroup", "--cgroup", "0x00110011", "-j", "ACCEPT" ], [ "-I", "INPUT", "1", "-m", "cgroup", "--cgroup", "0x00110011", "-j", "ACCEPT" ], [ "-t", "nat", "-A", "OUTPUT", "-m", "cgroup", "--cgroup", "0x00110011", "-p", "tcp", "--dport", "53", "-j", "REDIRECT", "--to-ports", "5354" ], [ "-t", "nat", "-A", "OUTPUT", "-m", "cgroup", "--cgroup", "0x00110011", "-p", "udp", "--dport", "53", "-j", "REDIRECT", "--to-ports", "5354" ]] if not os.path.exists(cgroup_path): os.makedirs(cgroup_path) with open("%s/net_cls.classid" % cgroup_path, 'w') as setcid: setcid.write(cls_id) setcid.close() try: check_call(["ip", "route", "show", "table", "bypass_qomui"]) logging.debug( "No routing table added - table bypass_qomui already exists") except CalledProcessError: with open("/etc/iproute2/rt_tables", "a") as rt_tables: rt_tables.write("11 bypass_qomui\n") logging.debug("Created new routing table - bypass_qomui") for rule in cgroup_iptables: firewall.add_rule(rule) try: check_call(["ip", "route", "flush", "table", "bypass_qomui"]) check_call( ["ip", "rule", "add", "fwmark", "11", "table", "bypass_qomui"]) check_call([ "ip", "route", "add", "default", "via", "%s" % default_gateway, "table", "bypass_qomui" ]) check_call([ "cgcreate", "-t", "%s:%s" % (user, group), "-a" "%s:%s" % (user, group), "-g", "net_cls:bypass_qomui" ]) except CalledProcessError: self.logger.error("Configuration of cgroup failed") with open("/proc/sys/net/ipv4/conf/all/rp_filter", 'w') as rp_edit_all: rp_edit_all.write("2") with open("/proc/sys/net/ipv4/conf/%s/rp_filter" % default_interface, 'w') as rp_edit_int: rp_edit_int.write("2") logging.info("Succesfully create cgroup to bypass OpenVPN tunnel") try: dnsmasq = Popen( ["dnsmasq", "--port=5354", "--interface=%s" % default_interface]) return dnsmasq.pid + 2 except CalledProcessError: logging.error("Failed to start dnsmasq for cgroup qomui_bypass") return None
def wg(self, wg_file): name = self.server_dict["name"] self.log.emit(("info", "Establishing connection to {}".format(name))) #allow traffic via wg interface wg_rules = [["-I", "INPUT", "2", "-i", "wg_qomui", "-j", "ACCEPT"], ["-I", "OUTPUT", "2", "-o", "wg_qomui", "-j", "ACCEPT"]] for rule in wg_rules: firewall.add_rule_6(rule) firewall.add_rule(rule) time.sleep(1) try: self.dev.emit(("tun", "wg_qomui")) cmd_wg = Popen(['wg-quick', 'up', '{}'.format(wg_file)], stdout=PIPE, stderr=STDOUT) for line in cmd_wg.stdout: self.log.emit( ("info", "WireGuard: " + line.decode("utf-8").replace("\n", ""))) with open("{}/wg_qomui.conf".format(ROOTDIR), "r") as dns_check: lines = dns_check.readlines() for line in lines: if line.startswith("DNS ="): dns_servers = line.split("=")[1].replace(" ", "").split(",") self.dns = dns_servers[0].split("\n")[0] try: self.dns_2 = dns_servers[1].split("\n")[0] except IndexError: self.dns_2 = None dns_manager.set_dns(self.dns, self.dns_2) self.dnsserver.emit(("", self.dns, self.dns_2)) #Necessary, otherwise bypass mode breaks - need to investigate if self.config["bypass"] == 1: try: check_call([ "ip", "rule", "del", "fwmark", "11", "table", "bypass_qomui" ]) check_call([ "ip", "-6", "rule", "del", "fwmark", "11", "table", "bypass_qomui" ]) except CalledProcessError: pass try: check_call([ "ip", "rule", "add", "fwmark", "11", "table", "bypass_qomui" ]) check_call([ "ip", "-6", "rule", "add", "fwmark", "11", "table", "bypass_qomui" ]) self.log.emit( ("debug", "Packet classification for bypass table reset")) except CalledProcessError: self.log.emit(( "warning", "Could not reset packet classification for bypass table" )) self.bypass.emit() #we can't be sure of that self.status.emit("connection_established") except (CalledProcessError, FileNotFoundError): self.status.emit("fail")
def vpn_thread(self): self.connect_status = 0 provider = self.ovpn_dict["provider"] ip = self.ovpn_dict["ip"] firewall.add_rule( ['-I', 'OUTPUT', '1', '-d', '%s' % ip, '-j', 'ACCEPT']) self.logger.info("iptables: created rule for %s" % ip) path = "%s/temp.ovpn" % ROOTDIR cwd_ovpn = None try: port = self.ovpn_dict["port"] protocol = self.ovpn_dict["protocol"] except KeyError: pass if provider == "Airvpn": if protocol == "SSL": with open("%s/ssl_config" % ROOTDIR, "r") as ssl_edit: ssl_config = ssl_edit.readlines() for line, value in enumerate(ssl_config): if value.startswith("connect") is True: ssl_config[line] = "connect = %s:443\n" % (ip) with open("%s/temp.ssl" % ROOTDIR, "w") as ssl_dump: ssl_dump.writelines(ssl_config) ssl_dump.close() ssl_edit.close() self.write_config(provider, ip, port, protocol) self.ssl_thread = threading.Thread(target=self.ssl, args=(ip, )) self.ssl_thread.start() logging.info("Started Stunnel process in new thread") elif protocol == "SSH": self.write_config(provider, ip, port, protocol) self.ssh_thread = threading.Thread(target=self.ssh, args=( ip, port, )) self.ssh_thread.start() logging.info("Started SSH process in new thread") time.sleep(2) else: self.write_config(provider, ip, port, protocol) elif provider == "Mullvad": self.write_config(provider, ip, port, protocol) elif provider == "PIA": self.write_config(provider, ip, port, protocol) else: config_file = "%s/%s" % (ROOTDIR, self.ovpn_dict["path"]) try: edit = "%s/temp" % (provider) self.write_config(provider, ip, port, protocol, edit=edit, path=config_file) path = "%s/%s/temp.ovpn" % (ROOTDIR, provider) except UnboundLocalError: path = config_file cwd_ovpn = os.path.dirname(config_file) if self.hop == "2": firewall_hop_add = firewall.add_rule([ '-I', 'OUTPUT', '1', '-d', '%s' % (self.hop_dict["ip"]), '-j', 'ACCEPT' ]) if self.hop_dict["provider"] in SUPPORTED_PROVIDERS: hop_path = "%s/hop.ovpn" % ROOTDIR self.write_config(self.hop_dict["provider"], self.hop_dict["ip"], self.hop_dict["port"], self.hop_dict["protocol"], edit="hop") else: config_file = "%s/%s" % (ROOTDIR, self.hop_dict["path"]) try: edit = "%s/hop" % self.hop_dict["provider"] self.write_config(self.hop_dict["provider"], self.hop_dict["ip"], self.hop_dict["port"], self.hop_dict["protocol"], edit=edit, path=config_file) hop_path = "%s/%s/temp.ovpn" % (ROOTDIR, self.hop_dict["provider"]) except (UnboundLocalError, KeyError): hop_path = config_file cwd_ovpn = os.path.dirname(config_file) self.hop_thread = threading.Thread(target=self.ovpn, args=( hop_path, "1", cwd_ovpn, )) self.hop_thread.start() while self.connect_status == 0: time.sleep(1) self.ovpn(path, self.hop, cwd_ovpn)
def ovpn(self, ovpn_file, h, cwd_ovpn): self.dns_found = 0 logging.info("Establishing new OpenVPN tunnel") name = self.ovpn_dict["name"] last_ip = self.ovpn_dict["ip"] if h == "1": name = self.hop_dict["name"] self.logger.info("Establishing connection to %s - first hop" % name) last_ip = self.hop_dict["ip"] cmd_ovpn = [ 'openvpn', '--config', '%s' % (ovpn_file), '--route-nopull', '--script-security', '2', '--up', '/usr/share/qomui/hop.sh -f %s %s' % (self.hop_dict["ip"], self.ovpn_dict["ip"]), '--down', '/usr/share/qomui/hop_down.sh %s' % (self.hop_dict["ip"]) ] elif h == "2": self.logger.info("Establishing connection to %s - second hop" % name) cmd_ovpn = [ 'openvpn', '--config', '%s' % (ovpn_file), '--route-nopull', '--script-security', '2', '--up', '%s/hop.sh -s' % (ROOTDIR) ] else: self.logger.info("Establishing connection to %s" % name) cmd_ovpn = ['openvpn', '%s' % ovpn_file] ovpn_exe = Popen(cmd_ovpn, stdout=PIPE, stderr=STDOUT, cwd=cwd_ovpn, bufsize=1, universal_newlines=True) self.add_pid((ovpn_exe.pid, "OpenVPN")) line = ovpn_exe.stdout.readline() while line.find("SIGTERM[hard,] received, process exiting") == -1: line_format = ( "OpenVPN:" + line.replace('%s' % (time.asctime()), '').replace('\n', '')) logging.info(line_format) if line.find("Initialization Sequence Completed") != -1: self.connect_status = 1 self.reply("success") self.logger.info("Successfully connected to %s" % name) if self.dns_found == 0: self.update_dns() elif line.find('TUN/TAP device') != -1: self.tun = line_format.split(" ")[3] elif line.find('PUSH: Received control message:') != -1: dns_option_1 = line_format.find('dhcp-option') if dns_option_1 != -1: option = line_format[dns_option_1:].split(",")[0] self.dns = option.split(" ")[2] self.dns_found = 1 dns_option_2 = line_format.find('dhcp-option', dns_option_1 + 20) if dns_option_2 != -1: option = line_format[dns_option_2:].split(",")[0] self.dns_2 = option.split(" ")[2] self.update_dns(dns1=self.dns, dns2=self.dns_2) else: self.update_dns(dns1=self.dns) elif line.find("Restart pause, 10 second(s)") != -1: self.reply("fail1") self.logger.info("Connection attempt failed") elif line.find('SIGTERM[soft,auth-failure]') != -1: self.reply("fail2") self.logger.info( "Authentication error while trying to connect") elif line == '': break line = ovpn_exe.stdout.readline() logging.info("OpenVPN:" + line.replace('%s' % (time.asctime()), '').replace('\n', '')) ovpn_exe.stdout.close() self.reply("kill") self.logger.info("OpenVPN - process killed") firewall_del = firewall.add_rule( ['-D', 'OUTPUT', '-d', '%s' % (last_ip), '-j', 'ACCEPT'])