Exemplo n.º 1
0
    def disconnect(self):
        self.restore_default_dns()
        for i in self.pid_list:
            self.kill_pid(i)

        if self.wg_connect == 1:
            try:
                wg_down = Popen(
                    ["wg-quick", "down",
                     "%s/wg_qomui.conf" % ROOTDIR],
                    stdout=PIPE,
                    stderr=STDOUT)
                for line in wg_down.stdout:
                    logging.info(line)
            except CalledProcessError:
                pass

            wg_rules = [["-D", "INPUT", "-i", "wg_qomui", "-j", "ACCEPT"],
                        ["-D", "OUTPUT", "-o", "wg_qomui", "-j", "ACCEPT"]]

            for rule in wg_rules:
                firewall.add_rule_6(rule)
                firewall.add_rule(rule)

            self.wg_connect = 0
Exemplo n.º 2
0
    def wg(self, wg_file):
        name = self.ovpn_dict["name"]
        self.logger.info("Establishing connection to %s" % name)

        wg_rules = [["-I", "INPUT", "1", "-i", "wg_qomui", "-j", "ACCEPT"],
                    ["-I", "OUTPUT", "1", "-o", "wg_qomui", "-j", "ACCEPT"]]

        for rule in wg_rules:
            firewall.add_rule_6(rule)
            firewall.add_rule(rule)

        time.sleep(1)

        try:
            self.tun = "wg_qomui"
            cmd_wg = Popen(['wg-quick', 'up', '%s' % wg_file],
                           stdout=PIPE,
                           stderr=STDOUT)
            for line in cmd_wg.stdout:
                logging.info(line)
            self.wg_connect = 1
            self.reply("success")

        except (CalledProcessError, FileNotFoundError):
            self.reply("fail1")
Exemplo n.º 3
0
def delete_cgroup(default_interface):

    cgroup_iptables_del = [[
        "-t", "mangle", "-D", "OUTPUT", "-m", "cgroup", "--cgroup",
        "0x00110011", "-j", "MARK", "--set-mark", "11"
    ],
                           [
                               "-t", "nat", "-D", "POSTROUTING", "-m",
                               "cgroup", "--cgroup", "0x00110011", "-o",
                               "%s" % default_interface, "-j", "MASQUERADE"
                           ],
                           [
                               "-D", "OUTPUT", "-m", "cgroup", "--cgroup",
                               "0x00110011", "-j", "ACCEPT"
                           ],
                           [
                               "-D", "INPUT", "-m", "cgroup", "--cgroup",
                               "0x00110011", "-j", "ACCEPT"
                           ],
                           [
                               "-t", "nat", "-D", "OUTPUT", "-m", "cgroup",
                               "--cgroup", "0x00110011", "-p", "tcp",
                               "--dport", "53", "-j", "REDIRECT", "--to-ports",
                               "5354"
                           ],
                           [
                               "-t", "nat", "-D", "OUTPUT", "-m", "cgroup",
                               "--cgroup", "0x00110011", "-p", "udp",
                               "--dport", "53", "-j", "REDIRECT", "--to-ports",
                               "5354"
                           ]]

    with open("/proc/sys/net/ipv4/conf/all/rp_filter", 'w') as rp_edit_all:
        rp_edit_all.write("1")
    with open("/proc/sys/net/ipv4/conf/%s/rp_filter" % default_interface,
              'w') as rp_edit_int:
        rp_edit_int.write("1")

    try:
        check_call(
            ["ip", "rule", "del", "fwmark", "11", "table", "bypass_qomui"])
        check_call(["ip", "route", "flush", "table", "bypass_qomui"])
    except CalledProcessError:
        pass

    for rule in cgroup_iptables_del:
        firewall.add_rule(rule)

    try:
        os.rmdir(cgroup_path)
    except (OSError, FileNotFoundError):
        logging.debug(
            "Could not delete %s - resource does not exist or is busy" %
            cgroup_path)

    logging.info("Deleted cgroup")
Exemplo n.º 4
0
    def allow_ip(self, ip, rule):

        try:
            if len(ip.split(".")) == 4:
                firewall.add_rule(rule)

            elif len(ip.split(":")) >= 4:
                firewall.add_rule_6(rule)
        except:
            pass
Exemplo n.º 5
0
def delete_cgroup(interface):

    cgroup_iptables_del = [[
        "-t", "mangle", "-D", "OUTPUT", "-m", "cgroup", "--cgroup",
        "0x00110011", "-j", "MARK", "--set-mark", "11"
    ],
                           [
                               "-t", "nat", "-D", "POSTROUTING", "-m",
                               "cgroup", "--cgroup", "0x00110011", "-o",
                               "{}".format(interface), "-j", "MASQUERADE"
                           ],
                           [
                               "-D", "OUTPUT", "-m", "cgroup", "--cgroup",
                               "0x00110011", "-j", "ACCEPT"
                           ],
                           [
                               "-D", "INPUT", "-m", "cgroup", "--cgroup",
                               "0x00110011", "-j", "ACCEPT"
                           ],
                           [
                               "-t", "nat", "-D", "OUTPUT", "-m", "cgroup",
                               "--cgroup", "0x00110011", "-p", "tcp",
                               "--dport", "53", "-j", "REDIRECT", "--to-ports",
                               "5354"
                           ],
                           [
                               "-t", "nat", "-D", "OUTPUT", "-m", "cgroup",
                               "--cgroup", "0x00110011", "-p", "udp",
                               "--dport", "53", "-j", "REDIRECT", "--to-ports",
                               "5354"
                           ]]

    try:
        check_call(
            ["ip", "rule", "del", "fwmark", "11", "table", "bypass_qomui"])
    except CalledProcessError:
        pass

    for rule in cgroup_iptables_del:
        firewall.add_rule(rule)

    for rule in cgroup_iptables_del:
        firewall.add_rule_6(rule)

    try:
        os.rmdir(cgroup_path)

    except (OSError, FileNotFoundError):
        logging.debug(
            "Bypass: Could not delete {} - resource does not exist or is busy".
            format(cgroup_path))

    logging.info("Deleted cgroup")
Exemplo n.º 6
0
def set_bypass_vpn(interface, interface_cmd, tun, tun_cmd):
    postroutes = [[
        "-t", "nat", tun_cmd, "POSTROUTING", "-m", "cgroup", "--cgroup",
        "0x00110011", "-o", tun, "-j", "MASQUERADE"
    ],
                  [
                      "-t", "nat", interface_cmd, "POSTROUTING", "-m",
                      "cgroup", "--cgroup", "0x00110011", "-o", interface,
                      "-j", "MASQUERADE"
                  ]]

    for rule in postroutes:
        firewall.add_rule(rule)
        firewall.add_rule_6(rule)
Exemplo n.º 7
0
 def allow_provider_ip(self, provider):
     server = None
     if provider == "Airvpn":
         server = "www.airvpn.org"
     elif provider == "Mullvad":
         server = "www.mullvad.net"
     elif provider == "PIA":
         server = "www.privateinternetaccess.com"
     self.allow_dns()
     if server is not None:
         self.logger.info(
             "iptables: Temporarily creating rule to allow access to %s" %
             server)
         try:
             dig_cmd = [
                 "dig", "+time=2", "+tries=1",
                 "%s" % (server), "+short"
             ]
             answer = check_output(dig_cmd).decode("utf-8")
             parse = answer.split("\n")
             ip = parse[len(parse) - 2]
             allow = firewall.add_rule(
                 ['-I', 'OUTPUT', '1', '-d',
                  '%s' % (ip), '-j', 'ACCEPT'])
         except CalledProcessError as e:
             self.logger.error("%s: Could not resolve %s" % (e, server))
Exemplo n.º 8
0
 def allow_provider_ip(self, provider):
     server = []
     if provider == "Airvpn":
         server.append("www.airvpn.org")
     elif provider == "Mullvad":
         server.append("www.mullvad.net")
         server.append("api.mullvad.net")
     elif provider == "PIA":
         server.append("www.privateinternetaccess.com")
     elif provider == "Windscribe":
         server.append("www.windscribe.com")
     elif provider == "ProtonVPN":
         server.append("account.protonvpn.com")
     self.allow_dns()
     if len(server) > 0:
         for s in server:
             self.logger.info(
                 "iptables: Temporarily creating rule to allow access to %s"
                 % s)
             try:
                 dig_cmd = [
                     "dig", "+time=2", "+tries=1",
                     "%s" % s, "+short"
                 ]
                 answer = check_output(dig_cmd).decode("utf-8")
                 parse = answer.split("\n")
                 ip = parse[len(parse) - 2]
                 allow = firewall.add_rule([
                     '-I', 'OUTPUT', '1', '-d',
                     '%s' % (ip), '-j', 'ACCEPT'
                 ])
             except CalledProcessError as e:
                 self.logger.error("%s: Could not resolve %s" % (e, server))
Exemplo n.º 9
0
def dns_request_exception(action, dns_1, dns_2, port):
    rules = []
    protocols = ["udp", "tcp"]

    if action == "-I":
        logging.info("iptables: adding exception for DNS requests")

    elif action == "-D":
        logging.info("iptables: removing exception for DNS requests")

    for p in protocols:
        rules.append([action, 'OUTPUT',  '-p', p, '--dport', port, '-j', 'ACCEPT'])
        rules.append([action, 'INPUT', '-p', p, '--sport', port, '-j', 'ACCEPT'])

    for rule in rules:
        firewall.add_rule(rule)
        firewall.add_rule(rule, ipt="ip6")
Exemplo n.º 10
0
 def block_dns(self):
     self.logger.debug("iptables: deleting exception for DNS requests")
     ipt_dns_out_del = firewall.add_rule([
         '-D', 'OUTPUT', '-p', 'udp', '-d', self.config["alt_dns1"],
         '--dport', '53', '-j', 'ACCEPT'
     ])
     ipt_dns_in_del = firewall.add_rule([
         '-D', 'INPUT', '-p', 'udp', '-s', self.config["alt_dns1"],
         '--sport', '53', '-j', 'ACCEPT'
     ])
     ipt_dns_out_del_alt = firewall.add_rule([
         '-D', 'OUTPUT', '-p', 'udp', '-d', self.config["alt_dns2"],
         '--dport', '53', '-j', 'ACCEPT'
     ])
     ipt_dns_in_del_alt = firewall.add_rule([
         '-D', 'INPUT', '-p', 'udp', '-s', self.config["alt_dns2"],
         '--sport', '53', '-j', 'ACCEPT'
     ])
Exemplo n.º 11
0
 def allow_dns(self):
     self.logger.debug("iptables: temporarily allowing DNS requests")
     ipt_dns_out_add = firewall.add_rule([
         '-I', 'OUTPUT', '1', '-p', 'udp', '-d', self.config["alt_dns1"],
         '--dport', '53', '-j', 'ACCEPT'
     ])
     ipt_dns_in_add = firewall.add_rule([
         '-I', 'INPUT', '2', '-p', 'udp', '-s', self.config["alt_dns1"],
         '--sport', '53', '-j', 'ACCEPT'
     ])
     ipt_dns_out_add_alt = firewall.add_rule([
         '-I', 'OUTPUT', '3', '-p', 'udp', '-d', self.config["alt_dns2"],
         '--dport', '53', '-j', 'ACCEPT'
     ])
     ipt_dns_in_add_alt = firewall.add_rule([
         '-I', 'INPUT', '4', '-p', 'udp', '-s', self.config["alt_dns2"],
         '--sport', '53', '-j', 'ACCEPT'
     ])
     self.update_dns()
Exemplo n.º 12
0
    def allow_provider_ip(self, provider):
        server = []

        if provider == "Airvpn":
            server.append("www.airvpn.org")

        elif provider == "Mullvad":
            server.append("www.mullvad.net")
            server.append("api.mullvad.net")

        elif provider == "PIA":
            server.append("www.privateinternetaccess.com")

        elif provider == "Windscribe":
            server.append("www.windscribe.com")
            server.append("assets.windscribe.com")

        elif provider == "ProtonVPN":
            server.append("api.protonmail.ch")

        dns_manager.dns_request_exception("-I", self.config["alt_dns1"],
                                          self.config["alt_dns2"], "53")

        if len(server) > 0:
            for s in server:

                try:
                    dig_cmd = [
                        "dig", "+time=2", "+tries=1", "{}".format(s), "+short"
                    ]
                    answer = check_output(dig_cmd).decode("utf-8")
                    parse = answer.split("\n")
                    ip = parse[len(parse) - 2]
                    firewall.add_rule([
                        '-I', 'OUTPUT', '1', '-d', '{}'.format(ip), '-j',
                        'ACCEPT'
                    ])
                    self.logger.info(
                        "iptables: Allowing access to {}".format(s))

                except CalledProcessError as e:
                    self.logger.error("{}: Could not resolve {}".format(e, s))
Exemplo n.º 13
0
    def disconnect(self, env):

        if env == "main":
            self.restore_default_dns()
            self.tun is None
            for i in self.pid_list:
                if i[1] != "OpenVPN_bypass":
                    self.kill_pid(i)

            if self.wg_connect == 1:
                try:
                    wg_down = Popen([
                        "wg-quick", "down", "{}/wg_qomui.conf".format(ROOTDIR)
                    ],
                                    stdout=PIPE,
                                    stderr=STDOUT)
                    for line in wg_down.stdout:
                        self.logger.info(
                            "WireGuard: " +
                            line.decode("utf-8").replace("\n", ""))

                except CalledProcessError:
                    pass

                #as WireGuard is down we can remove those rules
                wg_rules = [["-D", "INPUT", "-i", "wg_qomui", "-j", "ACCEPT"],
                            ["-D", "OUTPUT", "-o", "wg_qomui", "-j", "ACCEPT"]]

                for rule in wg_rules:
                    firewall.add_rule_6(rule)
                    firewall.add_rule(rule)

                tunnel.exe_custom_scripts("down", self.wg_provider,
                                          self.config)

                self.wg_connect = 0

        elif env == "bypass":
            for i in self.pid_list:
                if i[1] == "OpenVPN_bypass":
                    self.kill_pid(i)
Exemplo n.º 14
0
def create_cgroup(user,
                  group,
                  interface,
                  gw=None,
                  gw_6=None,
                  default_int=None):
    logging.info("Creating bypass for {}".format(interface))
    delete_cgroup(default_int)
    cgroup_iptables = [[
        "-t", "mangle", "-A", "OUTPUT", "-m", "cgroup", "--cgroup",
        "0x00110011", "-j", "MARK", "--set-mark", "11"
    ],
                       [
                           "-t", "nat", "-A", "POSTROUTING", "-m", "cgroup",
                           "--cgroup", "0x00110011", "-o",
                           "{}".format(interface), "-j", "MASQUERADE"
                       ],
                       [
                           "-I", "OUTPUT", "1", "-m", "cgroup", "--cgroup",
                           "0x00110011", "-j", "ACCEPT"
                       ],
                       [
                           "-I", "INPUT", "1", "-m", "cgroup", "--cgroup",
                           "0x00110011", "-j", "ACCEPT"
                       ],
                       [
                           "-t", "nat", "-A", "OUTPUT", "-m", "cgroup",
                           "--cgroup", "0x00110011", "-p", "tcp", "--dport",
                           "53", "-j", "REDIRECT", "--to-ports", "5354"
                       ],
                       [
                           "-t", "nat", "-A", "OUTPUT", "-m", "cgroup",
                           "--cgroup", "0x00110011", "-p", "udp", "--dport",
                           "53", "-j", "REDIRECT", "--to-ports", "5354"
                       ]]

    if not os.path.exists(cgroup_path):
        os.makedirs(cgroup_path)
        with open("{}/net_cls.classid".format(cgroup_path), 'w') as setcid:
            setcid.write(cls_id)
            setcid.close()
            logging.debug("Bypass: Created cgroup 'net_cls:bypass_qomui'")

    try:
        check_call(["ip", "route", "show", "table", "bypass_qomui"])
        logging.debug(
            "Bypass: No routing table added - table bypass_qomui already exists"
        )

    except CalledProcessError:
        with open("/etc/iproute2/rt_tables", "a") as rt_tables:
            rt_tables.write("11 bypass_qomui\n")
        logging.debug("Bypass: Created new routing table")

    for rule in cgroup_iptables:
        firewall.add_rule(rule)

    if gw_6 != "None" and default_int == interface:
        for rule in cgroup_iptables:
            firewall.add_rule_6(rule)

    else:
        logging.debug("Blocking ipv6 via bypass_qomui")
        cgroup_iptables.pop(1)
        cgroup_iptables.insert(1, [
            "-t", "nat", "-A", "POSTROUTING", "-m", "cgroup", "--cgroup",
            "0x00110011", "-o", "{}".format(interface), "-j", "MASQUERADE"
        ])
        cgroup_iptables.pop(2)
        cgroup_iptables.insert(2, [
            "-I", "OUTPUT", "1", "-m", "cgroup", "--cgroup", "0x00110011",
            "-j", "DROP"
        ])
        cgroup_iptables.pop(3)
        cgroup_iptables.insert(3, [
            "-I", "INPUT", "1", "-m", "cgroup", "--cgroup", "0x00110011", "-j",
            "DROP"
        ])

        for rule in cgroup_iptables:
            firewall.add_rule_6(rule)

    try:
        check_call(
            ["ip", "rule", "add", "fwmark", "11", "table", "bypass_qomui"])
        if interface == default_int:
            check_call(["ip", "route", "flush", "table", "bypass_qomui"])
            check_call(
                ["ip", "rule", "add", "fwmark", "11", "table", "bypass_qomui"])
            check_call([
                "ip", "route", "add", "default", "via", "{}".format(gw), "dev",
                "{}".format(interface), "table", "bypass_qomui"
            ])
            logging.debug(
                "Bypass: Set ipv4 route 'default via {} dev {}'".format(
                    gw, interface))
    except CalledProcessError:
        logging.error(
            "Bypass: Setting ipv4 route 'default via {} dev {}'".format(
                gw, interface))

    try:
        check_call([
            "ip", "-6", "rule", "add", "fwmark", "11", "table", "bypass_qomui"
        ])
        if interface == default_int:
            check_call(["ip", "-6", "route", "flush", "table", "bypass_qomui"])
            check_call([
                "ip", "-6", "route", "add", "default", "via",
                "{}".format(gw_6), "dev", "{}".format(interface), "table",
                "bypass_qomui"
            ])
            logging.debug(
                "Bypass: Set ipv6 route 'default via {} dev {}'".format(
                    gw_6, interface))
    except CalledProcessError:
        logging.error(
            "Bypass: Setting ipv6 route 'default via {} dev {}' failed".format(
                gw, interface))

    with open("/proc/sys/net/ipv4/conf/all/rp_filter", 'w') as rp_edit_all:
        rp_edit_all.write("2")

    with open("/proc/sys/net/ipv4/conf/{}/rp_filter".format(interface),
              'w') as rp_edit_int:
        rp_edit_int.write("2")
        logging.debug(
            "Disabled reverse path filtering for {}".format(interface))

    try:
        check_call([
            "cgcreate", "-t", "{}:{}".format(user, group), "-a"
            "{}:{}".format(user, group), "-g", "net_cls:bypass_qomui"
        ])
        logging.debug("Bypass: Configured cgroup access for {}".format(user))
        logging.info("Successfully created cgroup for {}".format(interface))

    except (CalledProcessError, FileNotFoundError) as e:
        logging.error("Creating cgroup failed - is libcgroup installed?")
Exemplo n.º 15
0
def create_cgroup(user, group, default_interface, default_gateway):

    cleanup = delete_cgroup(default_interface)

    cgroup_iptables = [[
        "-t", "mangle", "-A", "OUTPUT", "-m", "cgroup", "--cgroup",
        "0x00110011", "-j", "MARK", "--set-mark", "11"
    ],
                       [
                           "-t", "nat", "-A", "POSTROUTING", "-m", "cgroup",
                           "--cgroup", "0x00110011", "-o",
                           "%s" % default_interface, "-j", "MASQUERADE"
                       ],
                       [
                           "-I", "OUTPUT", "1", "-m", "cgroup", "--cgroup",
                           "0x00110011", "-j", "ACCEPT"
                       ],
                       [
                           "-I", "INPUT", "1", "-m", "cgroup", "--cgroup",
                           "0x00110011", "-j", "ACCEPT"
                       ],
                       [
                           "-t", "nat", "-A", "OUTPUT", "-m", "cgroup",
                           "--cgroup", "0x00110011", "-p", "tcp", "--dport",
                           "53", "-j", "REDIRECT", "--to-ports", "5354"
                       ],
                       [
                           "-t", "nat", "-A", "OUTPUT", "-m", "cgroup",
                           "--cgroup", "0x00110011", "-p", "udp", "--dport",
                           "53", "-j", "REDIRECT", "--to-ports", "5354"
                       ]]

    if not os.path.exists(cgroup_path):
        os.makedirs(cgroup_path)
        with open("%s/net_cls.classid" % cgroup_path, 'w') as setcid:
            setcid.write(cls_id)
            setcid.close()

    try:
        check_call(["ip", "route", "show", "table", "bypass_qomui"])
        logging.debug(
            "No routing table added - table bypass_qomui already exists")
    except CalledProcessError:
        with open("/etc/iproute2/rt_tables", "a") as rt_tables:
            rt_tables.write("11 bypass_qomui\n")
        logging.debug("Created new routing table - bypass_qomui")

    for rule in cgroup_iptables:
        firewall.add_rule(rule)

    try:
        check_call(["ip", "route", "flush", "table", "bypass_qomui"])
        check_call(
            ["ip", "rule", "add", "fwmark", "11", "table", "bypass_qomui"])
        check_call([
            "ip", "route", "add", "default", "via",
            "%s" % default_gateway, "table", "bypass_qomui"
        ])
        check_call([
            "cgcreate", "-t",
            "%s:%s" % (user, group),
            "-a"
            "%s:%s" % (user, group), "-g", "net_cls:bypass_qomui"
        ])
    except CalledProcessError:
        self.logger.error("Configuration of cgroup failed")

    with open("/proc/sys/net/ipv4/conf/all/rp_filter", 'w') as rp_edit_all:
        rp_edit_all.write("2")
    with open("/proc/sys/net/ipv4/conf/%s/rp_filter" % default_interface,
              'w') as rp_edit_int:
        rp_edit_int.write("2")

    logging.info("Succesfully create cgroup to bypass OpenVPN tunnel")

    try:
        dnsmasq = Popen(
            ["dnsmasq", "--port=5354",
             "--interface=%s" % default_interface])

        return dnsmasq.pid + 2
    except CalledProcessError:
        logging.error("Failed to start dnsmasq for cgroup qomui_bypass")
        return None
Exemplo n.º 16
0
    def wg(self, wg_file):
        name = self.server_dict["name"]
        self.log.emit(("info", "Establishing connection to {}".format(name)))

        #allow traffic via wg interface
        wg_rules = [["-I", "INPUT", "2", "-i", "wg_qomui", "-j", "ACCEPT"],
                    ["-I", "OUTPUT", "2", "-o", "wg_qomui", "-j", "ACCEPT"]]

        for rule in wg_rules:
            firewall.add_rule_6(rule)
            firewall.add_rule(rule)

        time.sleep(1)

        try:
            self.dev.emit(("tun", "wg_qomui"))
            cmd_wg = Popen(['wg-quick', 'up', '{}'.format(wg_file)],
                           stdout=PIPE,
                           stderr=STDOUT)

            for line in cmd_wg.stdout:
                self.log.emit(
                    ("info",
                     "WireGuard: " + line.decode("utf-8").replace("\n", "")))

            with open("{}/wg_qomui.conf".format(ROOTDIR), "r") as dns_check:
                lines = dns_check.readlines()

                for line in lines:
                    if line.startswith("DNS ="):
                        dns_servers = line.split("=")[1].replace(" ",
                                                                 "").split(",")
                        self.dns = dns_servers[0].split("\n")[0]

                        try:
                            self.dns_2 = dns_servers[1].split("\n")[0]

                        except IndexError:
                            self.dns_2 = None

                dns_manager.set_dns(self.dns, self.dns_2)
                self.dnsserver.emit(("", self.dns, self.dns_2))

            #Necessary, otherwise bypass mode breaks - need to investigate
            if self.config["bypass"] == 1:

                try:
                    check_call([
                        "ip", "rule", "del", "fwmark", "11", "table",
                        "bypass_qomui"
                    ])
                    check_call([
                        "ip", "-6", "rule", "del", "fwmark", "11", "table",
                        "bypass_qomui"
                    ])

                except CalledProcessError:
                    pass

                try:
                    check_call([
                        "ip", "rule", "add", "fwmark", "11", "table",
                        "bypass_qomui"
                    ])
                    check_call([
                        "ip", "-6", "rule", "add", "fwmark", "11", "table",
                        "bypass_qomui"
                    ])
                    self.log.emit(
                        ("debug",
                         "Packet classification for bypass table reset"))

                except CalledProcessError:
                    self.log.emit((
                        "warning",
                        "Could not reset packet classification for bypass table"
                    ))

            self.bypass.emit()

            #we can't be sure of that
            self.status.emit("connection_established")

        except (CalledProcessError, FileNotFoundError):
            self.status.emit("fail")
Exemplo n.º 17
0
    def vpn_thread(self):
        self.connect_status = 0
        provider = self.ovpn_dict["provider"]
        ip = self.ovpn_dict["ip"]
        firewall.add_rule(
            ['-I', 'OUTPUT', '1', '-d',
             '%s' % ip, '-j', 'ACCEPT'])
        self.logger.info("iptables: created rule for %s" % ip)
        path = "%s/temp.ovpn" % ROOTDIR
        cwd_ovpn = None
        try:
            port = self.ovpn_dict["port"]
            protocol = self.ovpn_dict["protocol"]
        except KeyError:
            pass

        if provider == "Airvpn":
            if protocol == "SSL":
                with open("%s/ssl_config" % ROOTDIR, "r") as ssl_edit:
                    ssl_config = ssl_edit.readlines()
                    for line, value in enumerate(ssl_config):
                        if value.startswith("connect") is True:
                            ssl_config[line] = "connect = %s:443\n" % (ip)
                    with open("%s/temp.ssl" % ROOTDIR, "w") as ssl_dump:
                        ssl_dump.writelines(ssl_config)
                        ssl_dump.close()
                    ssl_edit.close()
                self.write_config(provider, ip, port, protocol)
                self.ssl_thread = threading.Thread(target=self.ssl,
                                                   args=(ip, ))
                self.ssl_thread.start()
                logging.info("Started Stunnel process in new thread")
            elif protocol == "SSH":
                self.write_config(provider, ip, port, protocol)
                self.ssh_thread = threading.Thread(target=self.ssh,
                                                   args=(
                                                       ip,
                                                       port,
                                                   ))
                self.ssh_thread.start()
                logging.info("Started SSH process in new thread")
                time.sleep(2)
            else:
                self.write_config(provider, ip, port, protocol)

        elif provider == "Mullvad":
            self.write_config(provider, ip, port, protocol)

        elif provider == "PIA":
            self.write_config(provider, ip, port, protocol)

        else:
            config_file = "%s/%s" % (ROOTDIR, self.ovpn_dict["path"])
            try:
                edit = "%s/temp" % (provider)
                self.write_config(provider,
                                  ip,
                                  port,
                                  protocol,
                                  edit=edit,
                                  path=config_file)

                path = "%s/%s/temp.ovpn" % (ROOTDIR, provider)
            except UnboundLocalError:
                path = config_file
            cwd_ovpn = os.path.dirname(config_file)

        if self.hop == "2":
            firewall_hop_add = firewall.add_rule([
                '-I', 'OUTPUT', '1', '-d',
                '%s' % (self.hop_dict["ip"]), '-j', 'ACCEPT'
            ])

            if self.hop_dict["provider"] in SUPPORTED_PROVIDERS:
                hop_path = "%s/hop.ovpn" % ROOTDIR
                self.write_config(self.hop_dict["provider"],
                                  self.hop_dict["ip"],
                                  self.hop_dict["port"],
                                  self.hop_dict["protocol"],
                                  edit="hop")
            else:
                config_file = "%s/%s" % (ROOTDIR, self.hop_dict["path"])
                try:
                    edit = "%s/hop" % self.hop_dict["provider"]
                    self.write_config(self.hop_dict["provider"],
                                      self.hop_dict["ip"],
                                      self.hop_dict["port"],
                                      self.hop_dict["protocol"],
                                      edit=edit,
                                      path=config_file)
                    hop_path = "%s/%s/temp.ovpn" % (ROOTDIR,
                                                    self.hop_dict["provider"])

                except (UnboundLocalError, KeyError):
                    hop_path = config_file

                cwd_ovpn = os.path.dirname(config_file)
            self.hop_thread = threading.Thread(target=self.ovpn,
                                               args=(
                                                   hop_path,
                                                   "1",
                                                   cwd_ovpn,
                                               ))
            self.hop_thread.start()
            while self.connect_status == 0:
                time.sleep(1)

        self.ovpn(path, self.hop, cwd_ovpn)
Exemplo n.º 18
0
    def ovpn(self, ovpn_file, h, cwd_ovpn):
        self.dns_found = 0
        logging.info("Establishing new OpenVPN tunnel")
        name = self.ovpn_dict["name"]
        last_ip = self.ovpn_dict["ip"]
        if h == "1":
            name = self.hop_dict["name"]
            self.logger.info("Establishing connection to %s - first hop" %
                             name)
            last_ip = self.hop_dict["ip"]
            cmd_ovpn = [
                'openvpn', '--config',
                '%s' % (ovpn_file), '--route-nopull', '--script-security', '2',
                '--up',
                '/usr/share/qomui/hop.sh -f %s %s' %
                (self.hop_dict["ip"], self.ovpn_dict["ip"]), '--down',
                '/usr/share/qomui/hop_down.sh %s' % (self.hop_dict["ip"])
            ]

        elif h == "2":
            self.logger.info("Establishing connection to %s - second hop" %
                             name)
            cmd_ovpn = [
                'openvpn', '--config',
                '%s' % (ovpn_file), '--route-nopull', '--script-security', '2',
                '--up',
                '%s/hop.sh -s' % (ROOTDIR)
            ]

        else:
            self.logger.info("Establishing connection to %s" % name)
            cmd_ovpn = ['openvpn', '%s' % ovpn_file]

        ovpn_exe = Popen(cmd_ovpn,
                         stdout=PIPE,
                         stderr=STDOUT,
                         cwd=cwd_ovpn,
                         bufsize=1,
                         universal_newlines=True)

        self.add_pid((ovpn_exe.pid, "OpenVPN"))
        line = ovpn_exe.stdout.readline()
        while line.find("SIGTERM[hard,] received, process exiting") == -1:
            line_format = (
                "OpenVPN:" +
                line.replace('%s' % (time.asctime()), '').replace('\n', ''))
            logging.info(line_format)
            if line.find("Initialization Sequence Completed") != -1:
                self.connect_status = 1
                self.reply("success")
                self.logger.info("Successfully connected to %s" % name)
                if self.dns_found == 0:
                    self.update_dns()
            elif line.find('TUN/TAP device') != -1:
                self.tun = line_format.split(" ")[3]
            elif line.find('PUSH: Received control message:') != -1:
                dns_option_1 = line_format.find('dhcp-option')
                if dns_option_1 != -1:
                    option = line_format[dns_option_1:].split(",")[0]
                    self.dns = option.split(" ")[2]
                    self.dns_found = 1
                    dns_option_2 = line_format.find('dhcp-option',
                                                    dns_option_1 + 20)
                    if dns_option_2 != -1:
                        option = line_format[dns_option_2:].split(",")[0]
                        self.dns_2 = option.split(" ")[2]
                        self.update_dns(dns1=self.dns, dns2=self.dns_2)
                    else:
                        self.update_dns(dns1=self.dns)
            elif line.find("Restart pause, 10 second(s)") != -1:
                self.reply("fail1")
                self.logger.info("Connection attempt failed")
            elif line.find('SIGTERM[soft,auth-failure]') != -1:
                self.reply("fail2")
                self.logger.info(
                    "Authentication error while trying to connect")
            elif line == '':
                break
            line = ovpn_exe.stdout.readline()

        logging.info("OpenVPN:" +
                     line.replace('%s' %
                                  (time.asctime()), '').replace('\n', ''))
        ovpn_exe.stdout.close()
        self.reply("kill")
        self.logger.info("OpenVPN - process killed")
        firewall_del = firewall.add_rule(
            ['-D', 'OUTPUT', '-d',
             '%s' % (last_ip), '-j', 'ACCEPT'])