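def plugin_login_authenticate(user_name, password, remote_ip):
    """Authenticate a login through the ``user_authenticate`` plugins.

    Every loaded plugin is called with the credentials and the client
    address. Each plugin result is a sequence ``(allowed, org_name[, groups])``.

    Returns a 3-tuple ``(authenticated, org_id, groups)``:

    * ``(False, None, None)`` when no plugin returned anything, or when any
      plugin rejected the login. A single rejection wins and the remaining
      results are not consulted. Note that "no plugin" and "rejected" are
      indistinguishable to the caller in this form of the function.
    * ``(True, org_id, groups)`` otherwise. ``org_id`` is the id of the
      organization named by the *last* plugin that returned a name (``None``
      if none did or the name does not resolve); ``groups`` is the union of
      all groups reported by the plugins, or ``None`` when that union is empty.
    """
    from pritunl import organization

    returns = plugins.caller(
        'user_authenticate',
        host_id=settings.local.host_id,
        host_name=settings.local.host.name,
        user_name=user_name,
        password=password,
        remote_ip=remote_ip,
    )

    if not returns:
        return False, None, None

    org_name = None
    groups = set()

    for return_val in returns:
        if not return_val[0]:
            # Fix: this branch used to return a 2-tuple, which raises
            # ValueError in any caller unpacking the 3-tuple returned on
            # every other path.
            return False, None, None

        if return_val[1]:
            org_name = return_val[1]

        if len(return_val) > 2:
            groups.update(return_val[2])

    org_id = None
    if org_name:
        # NOTE(review): ('_id') is the plain string '_id', not a one-tuple;
        # the other callers in this file pass the same form, so it is kept.
        org = organization.get_by_name(org_name, fields=('_id'))
        if org:
            org_id = org.id

    return True, org_id, groups or None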
def plugin_login_authenticate(user_name, password, remote_ip):
    """Authenticate a login through the ``user_authenticate`` plugins.

    Each plugin result is a sequence ``(allowed, org_name[, groups])``.
    Returns a 4-tuple ``(plugin_handled, authenticated, org_id, groups)``:

    * ``(False, False, None, None)`` — no plugin returned anything, so the
      caller must fall back to another authentication method;
    * ``(True, False, None, None)`` — at least one plugin rejected the
      login (first rejection wins, later results are not consulted);
    * ``(True, True, org_id, groups)`` — accepted. ``org_id`` comes from the
      last plugin that returned an organization name (``None`` if none did
      or the name does not resolve); ``groups`` is the union of the groups
      reported by all plugins, or ``None`` when empty.
    """
    from pritunl import organization

    plugin_results = plugins.caller(
        'user_authenticate',
        host_id=settings.local.host_id,
        host_name=settings.local.host.name,
        user_name=user_name,
        password=password,
        remote_ip=remote_ip,
    )

    if not plugin_results:
        # Nothing installed handled the request.
        return False, False, None, None

    org_name = None
    groups = set()

    for result in plugin_results:
        allowed = result[0]
        if not allowed:
            return True, False, None, None

        if result[1]:
            org_name = result[1]

        if len(result) > 2:
            groups.update(result[2])

    org_id = None
    if org_name:
        org = organization.get_by_name(org_name, fields=('_id'))
        org_id = org.id if org else None

    return True, True, org_id, groups or None
def _auth_plugins(self):
    """Run the ``user_connect`` plugins for this client connection.

    Nothing is done for link-server users or for users whose type is not
    ``CERT_CLIENT``. Otherwise every plugin receives the connection
    attributes (including the supplied password), and any plugin whose
    result has a falsy first element aborts the connection by raising
    ``AuthError`` with the result's second element as the reason.
    """
    if self.user.link_server_id or self.user.type != CERT_CLIENT:
        return

    plugin_results = plugins.caller(
        'user_connect',
        host_id=settings.local.host_id,
        server_id=self.server.id,
        org_id=self.user.org.id,
        user_id=self.user.id,
        host_name=settings.local.host.name,
        server_name=self.server.name,
        org_name=self.user.org.name,
        user_name=self.user.name,
        remote_ip=self.remote_ip,
        mac_addr=self.mac_addr,
        platform=self.platform,
        device_id=self.device_id,
        device_name=self.device_name,
        password=self.password,
    )

    # A missing or empty result set means no plugin objected.
    for result in plugin_results or ():
        if not result[0]:
            raise AuthError(result[1])
def plugin_sso_authenticate(sso_type, user_name, user_email, remote_ip,
        sso_org_names=None):
    """Let the ``sso_authenticate`` plugins veto or annotate an SSO login.

    Each plugin result is a sequence ``(allowed, org_name)``. Returns a
    2-tuple ``(authenticated, org_id)``:

    * ``(True, None)`` when no plugin returned anything — absence of a
      plugin is treated as acceptance, the plugin hook is a veto only;
    * ``(False, None)`` as soon as any plugin rejects the login;
    * ``(True, org_id)`` otherwise, with ``org_id`` resolved from the last
      organization name a plugin returned (``None`` if none did or the
      name does not resolve).
    """
    from pritunl import organization

    plugin_results = plugins.caller(
        'sso_authenticate',
        sso_type=sso_type,
        host_id=settings.local.host_id,
        host_name=settings.local.host.name,
        user_name=user_name,
        user_email=user_email,
        remote_ip=remote_ip,
        sso_org_names=sso_org_names or [],
    )

    if not plugin_results:
        return True, None

    org_name = None
    for result in plugin_results:
        if not result[0]:
            return False, None
        if result[1]:
            org_name = result[1]

    org_id = None
    if org_name:
        org = organization.get_by_name(org_name, fields=('_id'))
        org_id = org.id if org else None

    return True, org_id
def _auth_plugins(self):
    """Run the ``user_connect`` plugins for this client connection.

    Only users of type ``CERT_CLIENT`` are checked. Every plugin receives
    the connection attributes (including the supplied password); a result
    whose first element is falsy aborts the connection with ``AuthError``
    carrying the result's second element as the reason.
    """
    if self.user.type != CERT_CLIENT:
        return

    plugin_results = plugins.caller(
        'user_connect',
        host_id=settings.local.host_id,
        server_id=self.server.id,
        org_id=self.user.org.id,
        user_id=self.user.id,
        host_name=settings.local.host.name,
        server_name=self.server.name,
        org_name=self.user.org.name,
        user_name=self.user.name,
        remote_ip=self.remote_ip,
        platform=self.platform,
        device_name=self.device_name,
        password=self.password,
    )

    # A missing or empty result set means no plugin objected.
    for result in plugin_results or ():
        if not result[0]:
            raise AuthError(result[1])
def _generate_conf(self, svr, include_user_cert=True):
    """Build the inline OpenVPN client profile for this user on server *svr*.

    Returns ``(file_name, client_conf, conf_hash)``: a suggested profile
    file name, the full ``.ovpn`` text, and a hex digest fingerprinting a
    subset of the inputs (see below) so callers can detect configuration
    changes. MD5 is used only as a change detector here, not for any
    security decision.

    When *include_user_cert* is true the profile embeds the user's
    certificate and private key and, if the server uses tls-auth, the
    shared tls-auth key. The returned text is then a credential and has to
    be handled as one by the caller.
    """
    # Sync token/secret are generated lazily and persisted on first use.
    if not self.sync_token or not self.sync_secret:
        self.sync_token = utils.generate_secret()
        self.sync_secret = utils.generate_secret()
        self.commit(('sync_token', 'sync_secret'))

    file_name = '%s_%s_%s.ovpn' % (self.org.name, self.name, svr.name)

    if not svr.ca_certificate:
        svr.generate_ca_cert()

    key_remotes = svr.get_key_remotes()
    ca_certificate = svr.ca_certificate
    certificate = utils.get_cert_block(self.certificate)
    private_key = self.private_key.strip()

    # Change-detection fingerprint. Note that not every value written into
    # the profile is hashed (e.g. svr.hash, ping settings, adapter type,
    # tls_auth and the per-call uuid/random name are left out); the user
    # key material is deliberately not hashed either.
    conf_hash = hashlib.md5()
    conf_hash.update(self.name.encode('utf-8'))
    conf_hash.update(self.org.name.encode('utf-8'))
    conf_hash.update(svr.name.encode('utf-8'))
    conf_hash.update(svr.protocol)
    # Sorted so the digest does not depend on remote ordering.
    for key_remote in sorted(key_remotes):
        conf_hash.update(key_remote)
    conf_hash.update(CIPHERS[svr.cipher])
    conf_hash.update(str(svr.lzo_compression))
    conf_hash.update(str(svr.block_outside_dns))
    conf_hash.update(str(svr.otp_auth))
    conf_hash.update(JUMBO_FRAMES[svr.jumbo_frames])
    conf_hash.update(ca_certificate)
    conf_hash.update(self._get_key_info_str(svr, None, False))

    plugin_config = ''
    # Substring test: any plan name containing 'enterprise' enables the
    # user_config plugin hook.
    if settings.local.sub_plan and \
            'enterprise' in settings.local.sub_plan:
        returns = plugins.caller(
            'user_config',
            host_id=settings.local.host_id,
            host_name=settings.local.host.name,
            org_id=self.org_id,
            user_id=self.id,
            user_name=self.name,
            server_id=svr.id,
            server_name=svr.name,
            server_port=svr.port,
            server_protocol=svr.protocol,
            server_ipv6=svr.ipv6,
            server_ipv6_firewall=svr.ipv6_firewall,
            server_network=svr.network,
            server_network6=svr.network6,
            server_network_mode=svr.network_mode,
            server_network_start=svr.network_start,
            server_network_stop=svr.network_end,
            server_restrict_routes=svr.restrict_routes,
            server_bind_address=svr.bind_address,
            server_onc_hostname=None,
            server_dh_param_bits=svr.dh_param_bits,
            server_multi_device=svr.multi_device,
            server_dns_servers=svr.dns_servers,
            server_search_domain=svr.search_domain,
            server_otp_auth=svr.otp_auth,
            server_cipher=svr.cipher,
            server_hash=svr.hash,
            server_inter_client=svr.inter_client,
            server_ping_interval=svr.ping_interval,
            server_ping_timeout=svr.ping_timeout,
            server_link_ping_interval=svr.link_ping_interval,
            server_link_ping_timeout=svr.link_ping_timeout,
            server_allowed_devices=svr.allowed_devices,
            server_max_clients=svr.max_clients,
            server_replica_count=svr.replica_count,
            server_dns_mapping=svr.dns_mapping,
            server_debug=svr.debug,
        )

        if returns:
            # Plugin output is spliced into the profile verbatim (no
            # escaping or validation), so only trusted plugins belong here.
            for return_val in returns:
                if not return_val:
                    continue
                val = return_val.strip()
                conf_hash.update(val)
                plugin_config += val + '\n'

    conf_hash = conf_hash.hexdigest()

    client_conf = OVPN_INLINE_CLIENT_CONF % (
        self._get_key_info_str(svr, conf_hash, include_user_cert),
        uuid.uuid4().hex,
        utils.random_name(),
        svr.adapter_type,
        svr.adapter_type,
        svr.get_key_remotes(),
        CIPHERS[svr.cipher],
        HASHES[svr.hash],
        svr.ping_interval,
        svr.ping_timeout,
    )

    if svr.lzo_compression != ADAPTIVE:
        client_conf += 'comp-lzo no\n'

    if svr.block_outside_dns:
        client_conf += 'ignore-unknown-option block-outside-dns\n'
        client_conf += 'block-outside-dns\n'

    if self.has_password(svr):
        client_conf += 'auth-user-pass\n'

    if svr.tls_auth:
        client_conf += 'key-direction 1\n'

    client_conf += JUMBO_FRAMES[svr.jumbo_frames]
    client_conf += plugin_config
    client_conf += '<ca>\n%s\n</ca>\n' % ca_certificate

    # Secret material goes last and only on request.
    if include_user_cert:
        if svr.tls_auth:
            client_conf += '<tls-auth>\n%s\n</tls-auth>\n' % (
                svr.tls_auth_key)
        client_conf += '<cert>\n%s\n</cert>\n' % certificate
        client_conf += '<key>\n%s\n</key>\n' % private_key

    return file_name, client_conf, conf_hash
def _run_thread(self, send_events):
    """Run one VPN server instance to completion.

    Acquires the instance resources, prepares the host (temp dir, IP
    forwarding, bridge, optional vxlan), writes the OpenVPN config and
    iptables rules, starts the OpenVPN process and helper threads, fires
    the ``server_start`` plugins, then blocks in ``openvpn_watch`` until
    the process ends. ``server_stop`` plugins run whenever ``server_start``
    ran. Teardown (bridge, iptables, threads, instance record, temp dir,
    resource release) happens in the ``finally`` regardless of outcome;
    every teardown step is isolated so one failure does not skip the rest.

    *send_events* controls whether SERVERS_UPDATED / SERVER_HOSTS_UPDATED /
    USERS_UPDATED events are published once the instance is up.
    """
    from pritunl.server.utils import get_by_id

    logger.info(
        'Starting vpn server', 'server',
        server_id=self.server.id,
        instance_id=self.id,
        network=self.server.network,
        network6=self.server.network6,
        host_address=settings.local.host.local_addr,
        host_address6=settings.local.host.local_addr6,
        host_networks=settings.local.host.local_networks,
        cur_timestamp=utils.now(),
    )

    self.resources_acquire()
    try:
        cursor_id = self.get_cursor_id()

        # NOTE(review): the ovpn conf written later holds the server key;
        # confirm where self._temp_path lives and what mode it is created
        # with — makedirs uses the process umask.
        os.makedirs(self._temp_path)

        self.enable_ip_forwarding()
        self.bridge_start()

        if self.server.replicating and self.server.vxlan:
            # vxlan failure is logged and the instance continues without it.
            try:
                self.vxlan = vxlan.get_vxlan(self.server.id)
                self.vxlan.start()
            except:
                logger.exception(
                    'Failed to setup server vxlan', 'vxlan',
                    server_id=self.server.id,
                    instance_id=self.id,
                )

        self.generate_ovpn_conf()

        self.generate_iptables_rules()
        self.iptables.upsert_rules()

        self.init_route_advertisements()

        self.process = self.openvpn_start()

        self.start_threads(cursor_id)

        self.instance_com = ServerInstanceCom(self.server, self)
        self.instance_com.start()

        self.publish('started')

        if send_events:
            event.Event(type=SERVERS_UPDATED)
            event.Event(type=SERVER_HOSTS_UPDATED,
                resource_id=self.server.id)
            for org_id in self.server.organizations:
                event.Event(type=USERS_UPDATED, resource_id=org_id)

        # Only the side with the greater id initiates each link, so a
        # link between two servers is started exactly once.
        for link_doc in self.server.links:
            if self.server.id > link_doc['server_id']:
                instance_link = ServerInstanceLink(
                    server=self.server,
                    linked_server=get_by_id(link_doc['server_id']),
                )
                self.server_links.append(instance_link)
                instance_link.start()

        plugins.caller(
            'server_start',
            host_id=settings.local.host_id,
            host_name=settings.local.host.name,
            server_id=self.server.id,
            server_name=self.server.name,
            port=self.server.port,
            protocol=self.server.protocol,
            ipv6=self.server.ipv6,
            ipv6_firewall=self.server.ipv6_firewall,
            network=self.server.network,
            network6=self.server.network6,
            network_mode=self.server.network_mode,
            network_start=self.server.network_start,
            network_stop=self.server.network_end,
            restrict_routes=self.server.restrict_routes,
            bind_address=self.server.bind_address,
            onc_hostname=self.server.onc_hostname,
            dh_param_bits=self.server.dh_param_bits,
            multi_device=self.server.multi_device,
            dns_servers=self.server.dns_servers,
            search_domain=self.server.search_domain,
            otp_auth=self.server.otp_auth,
            cipher=self.server.cipher,
            hash=self.server.hash,
            inter_client=self.server.inter_client,
            ping_interval=self.server.ping_interval,
            ping_timeout=self.server.ping_timeout,
            link_ping_interval=self.server.link_ping_interval,
            link_ping_timeout=self.server.link_ping_timeout,
            allowed_devices=self.server.allowed_devices,
            max_clients=self.server.max_clients,
            replica_count=self.server.replica_count,
            dns_mapping=self.server.dns_mapping,
            debug=self.server.debug,
            interface=self.interface,
            bridge_interface=self.bridge_interface,
            vxlan=self.vxlan,
        )

        # Blocks until OpenVPN exits; server_stop plugins are paired with
        # the server_start call above even if the watch raises.
        try:
            self.openvpn_watch()
        finally:
            plugins.caller(
                'server_stop',
                host_id=settings.local.host_id,
                host_name=settings.local.host.name,
                server_id=self.server.id,
                server_name=self.server.name,
                port=self.server.port,
                protocol=self.server.protocol,
                ipv6=self.server.ipv6,
                ipv6_firewall=self.server.ipv6_firewall,
                network=self.server.network,
                network6=self.server.network6,
                network_mode=self.server.network_mode,
                network_start=self.server.network_start,
                network_stop=self.server.network_end,
                restrict_routes=self.server.restrict_routes,
                bind_address=self.server.bind_address,
                onc_hostname=self.server.onc_hostname,
                dh_param_bits=self.server.dh_param_bits,
                multi_device=self.server.multi_device,
                dns_servers=self.server.dns_servers,
                search_domain=self.server.search_domain,
                otp_auth=self.server.otp_auth,
                cipher=self.server.cipher,
                hash=self.server.hash,
                inter_client=self.server.inter_client,
                ping_interval=self.server.ping_interval,
                ping_timeout=self.server.ping_timeout,
                link_ping_interval=self.server.link_ping_interval,
                link_ping_timeout=self.server.link_ping_timeout,
                allowed_devices=self.server.allowed_devices,
                max_clients=self.server.max_clients,
                replica_count=self.server.replica_count,
                dns_mapping=self.server.dns_mapping,
                debug=self.server.debug,
                interface=self.interface,
                bridge_interface=self.bridge_interface,
                vxlan=self.vxlan,
            )

        self.interrupt = True
        self.bridge_stop()
        self.iptables.clear_rules()

        # clean_exit is set elsewhere; anything else is an unexpected stop
        # and is surfaced to operators via events and a log entry.
        if not self.clean_exit:
            event.Event(type=SERVERS_UPDATED)
            self.server.send_link_events()
            logger.LogEntry(message='Server stopped unexpectedly "%s".' % (self.server.name))
    except:
        # Bare except: also catches SystemExit/KeyboardInterrupt, so the
        # process is stopped and the error logged on any interruption.
        try:
            self.interrupt = True
            self.stop_process()
        except:
            logger.exception(
                'Server stop error', 'server',
                server_id=self.server.id,
                instance_id=self.id,
            )

        logger.exception(
            'Server error occurred while running', 'server',
            server_id=self.server.id,
            instance_id=self.id,
        )
    finally:
        # Each teardown step is wrapped separately so a failing step does
        # not prevent the later ones from running.
        try:
            if self.resource_lock:
                self.bridge_stop()
                self.iptables.clear_rules()
        except:
            logger.exception(
                'Server resource error', 'server',
                server_id=self.server.id,
                instance_id=self.id,
            )

        try:
            self.stop_threads()
            # Remove this instance from the server document and decrement
            # the running-instance counter.
            self.collection.update(
                {
                    '_id': self.server.id,
                    'instances.instance_id': self.id,
                },
                {
                    '$pull': {
                        'instances': {
                            'instance_id': self.id,
                        },
                    },
                    '$inc': {
                        'instances_count': -1,
                    },
                })
            # Temp dir holds the generated conf (with key material).
            utils.rmtree(self._temp_path)
        except:
            logger.exception(
                'Server clean up error', 'server',
                server_id=self.server.id,
                instance_id=self.id,
            )

        try:
            self.resources_release()
        except:
            logger.exception(
                'Failed to release resources', 'server',
                server_id=self.server.id,
                instance_id=self.id,
            )
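def generate_ovpn_conf(self):
    """Write the OpenVPN server configuration for this instance.

    Ensures the server's primary organization/user exist (recreating them
    when missing or inconsistent), derives the route push list from the
    server's own routes, linked servers and vxlan, renders
    ``OVPN_INLINE_SERVER_CONF`` with the protocol/cipher/ping settings,
    appends enterprise ``server_config`` plugin output, then embeds the
    CA, tls-auth key, primary user cert and key and the DH params and
    writes everything to ``self.ovpn_conf_path`` as a 0600 file.

    Side effects: sets ``self.primary_user``; may create or replace the
    primary user; writes the config file (which contains the server
    private key, tls-auth key and DH params). Raises ``ValueError`` for
    a protocol other than ``'tcp'``/``'udp'``.
    """
    if not self.server.primary_organization or \
            not self.server.primary_user:
        self.server.create_primary_user()

    if self.server.primary_organization not in self.server.organizations:
        self.server.remove_primary_user()
        self.server.create_primary_user()

    primary_org = organization.get_by_id(self.server.primary_organization)
    if not primary_org:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)

    self.primary_user = primary_org.get_user(self.server.primary_user)
    if not self.primary_user:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)
        self.primary_user = primary_org.get_user(self.server.primary_user)

    gateway = utils.get_network_gateway(self.server.network)
    gateway6 = utils.get_network_gateway(self.server.network6)
    push = ''
    routes = []

    # Own routes: net_gateway routes are pushed with the net_gateway flag,
    # plain routes are pushed to clients, network_link routes are added as
    # server-side routes via the VPN gateway instead. Virtual networks are
    # listed for plugins but never pushed.
    for route in self.server.get_routes(include_default=False):
        routes.append(route['network'])
        if route['virtual_network']:
            continue

        network = route['network']

        if route['net_gateway']:
            if ':' in network:
                push += 'push "route-ipv6 %s net_gateway"\n' % network
            else:
                push += 'push "route %s %s net_gateway"\n' % \
                    utils.parse_network(network)
        elif not route.get('network_link'):
            if ':' in network:
                push += 'push "route-ipv6 %s"\n' % network
            else:
                push += 'push "route %s %s"\n' % utils.parse_network(
                    network)
        else:
            if ':' in network:
                push += 'route-ipv6 %s %s\n' % (network, gateway6)
            else:
                push += 'route %s %s %s\n' % (
                    utils.parse_network(network) + (gateway, ))

    # Linked servers: only the side with the smaller id adds the routes.
    for link_svr in self.server.iter_links(
            fields=('_id', 'network', 'local_networks', 'network_start',
                'network_end', 'organizations', 'routes', 'links', 'ipv6',
                'replica_count', 'network_mode')):
        if self.server.id < link_svr.id:
            for route in link_svr.get_routes(include_default=False):
                network = route['network']
                if route['net_gateway']:
                    continue

                if ':' in network:
                    push += 'route-ipv6 %s %s\n' % (network, gateway6)
                else:
                    push += 'route %s %s %s\n' % (
                        utils.parse_network(network) + (gateway, ))

    if self.vxlan:
        push += 'push "route %s %s"\n' % utils.parse_network(
            self.vxlan.vxlan_net)

    if self.server.network_mode == BRIDGE:
        host_int_data = self.host_interface_data
        host_address = host_int_data['address']
        host_netmask = host_int_data['netmask']

        server_line = 'server-bridge %s %s %s %s' % (
            host_address,
            host_netmask,
            self.server.network_start,
            self.server.network_end,
        )
    else:
        server_line = 'server %s %s' % utils.parse_network(
            self.server.network)

        if self.server.ipv6:
            server_line += '\nserver-ipv6 ' + self.server.network6

    # Dual-stack listeners are used unless the server is bound to an
    # explicit address.
    if self.server.protocol == 'tcp':
        if (self.server.ipv6 or settings.vpn.ipv6) and \
                not self.server.bind_address:
            protocol = 'tcp6-server'
        else:
            protocol = 'tcp-server'
    elif self.server.protocol == 'udp':
        if (self.server.ipv6 or settings.vpn.ipv6) and \
                not self.server.bind_address:
            protocol = 'udp6'
        else:
            protocol = 'udp'
    else:
        raise ValueError('Unknown protocol')

    server_conf = OVPN_INLINE_SERVER_CONF % (
        self.server.port,
        protocol,
        self.interface,
        server_line,
        self.management_socket_path,
        self.server.max_clients,
        self.server.ping_interval,
        self.server.ping_timeout + 20,
        self.server.ping_interval,
        self.server.ping_timeout,
        SERVER_CIPHERS[self.server.cipher],
        HASHES[self.server.hash],
        4 if self.server.debug else 1,
        8 if self.server.debug else 3,
    )

    if self.server.bind_address:
        server_conf += 'local %s\n' % self.server.bind_address

    if self.server.inter_client:
        server_conf += 'client-to-client\n'

    if self.server.multi_device:
        server_conf += 'duplicate-cn\n'

    if self.server.protocol == 'udp':
        server_conf += 'replay-window 128\n'

    # Pritunl v0.10.x did not include comp-lzo in client conf
    # if lzo_compression is adaptive dont include comp-lzo in server conf
    if self.server.lzo_compression == ADAPTIVE:
        pass
    elif self.server.lzo_compression:
        server_conf += 'comp-lzo yes\npush "comp-lzo yes"\n'
    else:
        server_conf += 'comp-lzo no\npush "comp-lzo no"\n'

    server_conf += JUMBO_FRAMES[self.server.jumbo_frames]

    if push:
        server_conf += push

    # Debug output is emitted before the inline key blocks are appended,
    # so no key material reaches the server output log.
    if self.server.debug:
        self.server.output.push_message('Server conf:')
        for conf_line in server_conf.split('\n'):
            if conf_line:
                self.server.output.push_message(' ' + conf_line)

    # Substring test: any plan name containing 'enterprise' enables the
    # server_config plugin hook.
    if settings.local.sub_plan and \
            'enterprise' in settings.local.sub_plan:
        returns = plugins.caller(
            'server_config',
            host_id=settings.local.host_id,
            host_name=settings.local.host.name,
            server_id=self.server.id,
            server_name=self.server.name,
            port=self.server.port,
            protocol=self.server.protocol,
            ipv6=self.server.ipv6,
            ipv6_firewall=self.server.ipv6_firewall,
            network=self.server.network,
            network6=self.server.network6,
            network_mode=self.server.network_mode,
            network_start=self.server.network_start,
            network_stop=self.server.network_end,
            restrict_routes=self.server.restrict_routes,
            bind_address=self.server.bind_address,
            onc_hostname=self.server.onc_hostname,
            dh_param_bits=self.server.dh_param_bits,
            multi_device=self.server.multi_device,
            dns_servers=self.server.dns_servers,
            search_domain=self.server.search_domain,
            otp_auth=self.server.otp_auth,
            cipher=self.server.cipher,
            hash=self.server.hash,
            inter_client=self.server.inter_client,
            ping_interval=self.server.ping_interval,
            ping_timeout=self.server.ping_timeout,
            link_ping_interval=self.server.link_ping_interval,
            link_ping_timeout=self.server.link_ping_timeout,
            allowed_devices=self.server.allowed_devices,
            max_clients=self.server.max_clients,
            replica_count=self.server.replica_count,
            dns_mapping=self.server.dns_mapping,
            debug=self.server.debug,
            routes=routes,
            interface=self.interface,
            bridge_interface=self.bridge_interface,
            vxlan=self.vxlan,
        )

        if returns:
            # Plugin output is spliced in verbatim (no validation), so
            # only trusted plugins belong here.
            for return_val in returns:
                if not return_val:
                    continue
                # Fix: was '/n' (a literal slash and n), which glued each
                # plugin directive to the following line and corrupted the
                # generated config.
                server_conf += return_val.strip() + '\n'

    server_conf += '<ca>\n%s\n</ca>\n' % self.server.ca_certificate

    if self.server.tls_auth:
        server_conf += 'key-direction 0\n<tls-auth>\n%s\n</tls-auth>\n' % (
            self.server.tls_auth_key)

    server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
        self.primary_user.certificate)
    server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
    server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params

    # The file carries the server private key, tls-auth key and DH params.
    # Create it 0600 from the start instead of open()+chmod, which left a
    # window where the file existed with umask-derived permissions. The
    # fchmod still tightens a pre-existing file, since O_CREAT's mode is
    # not applied when the file already exists.
    fd = os.open(self.ovpn_conf_path,
        os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600)
    with os.fdopen(fd, 'w') as ovpn_conf:
        os.fchmod(fd, 0600)
        ovpn_conf.write(server_conf)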
def _generate_conf(self, svr, include_user_cert=True):
    """Render the inline ``.ovpn`` client profile for this user on *svr*.

    Returns ``(file_name, client_conf, conf_hash)``: a suggested file name,
    the profile text, and an MD5 hex digest over a subset of the inputs
    that callers use purely to notice configuration changes (it is not a
    security control).

    With *include_user_cert* true the profile embeds the user's certificate
    and private key and, when the server uses tls-auth, the shared tls-auth
    key; the returned text is then a credential.
    """
    # Sync token/secret are generated lazily and persisted on first use.
    if not self.sync_token or not self.sync_secret:
        self.sync_token = utils.generate_secret()
        self.sync_secret = utils.generate_secret()
        self.commit(('sync_token', 'sync_secret'))

    file_name = '%s_%s_%s.ovpn' % (
        self.org.name, self.name, svr.name)

    if not svr.ca_certificate:
        svr.generate_ca_cert()

    key_remotes = svr.get_key_remotes()
    ca_certificate = svr.ca_certificate
    certificate = utils.get_cert_block(self.certificate)
    private_key = self.private_key.strip()

    # Change-detection fingerprint. Not everything written into the
    # profile is hashed (svr.hash, ping settings, adapter type, tls_auth
    # and the per-call uuid/random name are omitted), and the user's key
    # material is deliberately excluded.
    conf_hash = hashlib.md5()
    conf_hash.update(self.name.encode('utf-8'))
    conf_hash.update(self.org.name.encode('utf-8'))
    conf_hash.update(svr.name.encode('utf-8'))
    conf_hash.update(svr.protocol)
    # Sorted so the digest is independent of remote ordering.
    for key_remote in sorted(key_remotes):
        conf_hash.update(key_remote)
    conf_hash.update(CIPHERS[svr.cipher])
    conf_hash.update(str(svr.lzo_compression))
    conf_hash.update(str(svr.block_outside_dns))
    conf_hash.update(str(svr.otp_auth))
    conf_hash.update(JUMBO_FRAMES[svr.jumbo_frames])
    conf_hash.update(ca_certificate)
    conf_hash.update(self._get_key_info_str(svr, None, False))

    plugin_config = ''
    # Substring test: any plan name containing 'enterprise' enables the
    # user_config plugin hook.
    if settings.local.sub_plan and \
            'enterprise' in settings.local.sub_plan:
        returns = plugins.caller(
            'user_config',
            host_id=settings.local.host_id,
            host_name=settings.local.host.name,
            org_id=self.org_id,
            user_id=self.id,
            user_name=self.name,
            server_id=svr.id,
            server_name=svr.name,
            server_port=svr.port,
            server_protocol=svr.protocol,
            server_ipv6=svr.ipv6,
            server_ipv6_firewall=svr.ipv6_firewall,
            server_network=svr.network,
            server_network6=svr.network6,
            server_network_mode=svr.network_mode,
            server_network_start=svr.network_start,
            server_network_stop=svr.network_end,
            server_restrict_routes=svr.restrict_routes,
            server_bind_address=svr.bind_address,
            server_onc_hostname=None,
            server_dh_param_bits=svr.dh_param_bits,
            server_multi_device=svr.multi_device,
            server_dns_servers=svr.dns_servers,
            server_search_domain=svr.search_domain,
            server_otp_auth=svr.otp_auth,
            server_cipher=svr.cipher,
            server_hash=svr.hash,
            server_inter_client=svr.inter_client,
            server_ping_interval=svr.ping_interval,
            server_ping_timeout=svr.ping_timeout,
            server_link_ping_interval=svr.link_ping_interval,
            server_link_ping_timeout=svr.link_ping_timeout,
            server_allowed_devices=svr.allowed_devices,
            server_max_clients=svr.max_clients,
            server_replica_count=svr.replica_count,
            server_dns_mapping=svr.dns_mapping,
            server_debug=svr.debug,
        )

        if returns:
            # Plugin output is spliced into the profile verbatim (no
            # escaping or validation), so only trusted plugins belong here.
            for return_val in returns:
                if not return_val:
                    continue
                val = return_val.strip()
                conf_hash.update(val)
                plugin_config += val + '\n'

    conf_hash = conf_hash.hexdigest()

    client_conf = OVPN_INLINE_CLIENT_CONF % (
        self._get_key_info_str(svr, conf_hash, include_user_cert),
        uuid.uuid4().hex,
        utils.random_name(),
        svr.adapter_type,
        svr.adapter_type,
        svr.get_key_remotes(),
        CIPHERS[svr.cipher],
        HASHES[svr.hash],
        svr.ping_interval,
        svr.ping_timeout,
    )

    if svr.lzo_compression != ADAPTIVE:
        client_conf += 'comp-lzo no\n'

    if svr.block_outside_dns:
        client_conf += 'ignore-unknown-option block-outside-dns\n'
        client_conf += 'block-outside-dns\n'

    if self.has_password(svr):
        client_conf += 'auth-user-pass\n'

    if svr.tls_auth:
        client_conf += 'key-direction 1\n'

    client_conf += JUMBO_FRAMES[svr.jumbo_frames]
    client_conf += plugin_config
    client_conf += '<ca>\n%s\n</ca>\n' % ca_certificate

    # Secret material goes last and only on request.
    if include_user_cert:
        if svr.tls_auth:
            client_conf += '<tls-auth>\n%s\n</tls-auth>\n' % (
                svr.tls_auth_key)
        client_conf += '<cert>\n%s\n</cert>\n' % certificate
        client_conf += '<key>\n%s\n</key>\n' % private_key

    return file_name, client_conf, conf_hash
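def generate_ovpn_conf(self):
    """Write the OpenVPN server configuration for this instance.

    Ensures the server's primary organization/user exist (recreating them
    when missing or inconsistent), derives the route push list from the
    server's own routes and its linked servers, renders
    ``OVPN_INLINE_SERVER_CONF`` with the protocol/cipher/ping settings,
    appends enterprise ``server_config`` plugin output, then embeds the
    CA, tls-auth key, primary user cert and key and the DH params and
    writes everything to ``self.ovpn_conf_path`` as a 0600 file.

    Side effects: sets ``self.primary_user``; may create or replace the
    primary user; writes the config file (which contains the server
    private key, tls-auth key and DH params). Raises ``ValueError`` for
    a protocol other than ``'tcp'``/``'udp'``.
    """
    logger.debug('Generating server ovpn conf', 'server',
        server_id=self.server.id,
    )

    if not self.server.primary_organization or \
            not self.server.primary_user:
        self.server.create_primary_user()

    if self.server.primary_organization not in self.server.organizations:
        self.server.remove_primary_user()
        self.server.create_primary_user()

    primary_org = organization.get_by_id(self.server.primary_organization)
    if not primary_org:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)

    self.primary_user = primary_org.get_user(self.server.primary_user)
    if not self.primary_user:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)
        self.primary_user = primary_org.get_user(self.server.primary_user)

    gateway = utils.get_network_gateway(self.server.network)
    gateway6 = utils.get_network_gateway(self.server.network6)
    push = ''
    routes = []

    # Own routes: plain routes are pushed to clients, network_link routes
    # become server-side routes via the VPN gateway. Virtual networks are
    # listed for plugins but never pushed.
    for route in self.server.get_routes(include_default=False):
        routes.append(route['network'])
        if route['virtual_network']:
            continue

        network = route['network']

        if not route.get('network_link'):
            if ':' in network:
                push += 'push "route-ipv6 %s "\n' % network
            else:
                push += 'push "route %s %s"\n' % utils.parse_network(
                    network)
        else:
            if ':' in network:
                push += 'route-ipv6 %s %s\n' % (network, gateway6)
            else:
                push += 'route %s %s %s\n' % (utils.parse_network(
                    network) + (gateway,))

    # Linked servers: only the side with the smaller id adds the routes.
    for link_svr in self.server.iter_links(fields=(
            '_id', 'network', 'local_networks', 'network_start',
            'network_end', 'organizations', 'routes', 'links', 'ipv6')):
        if self.server.id < link_svr.id:
            for route in link_svr.get_routes(include_default=False):
                network = route['network']
                if ':' in network:
                    push += 'route-ipv6 %s %s\n' % (
                        network, gateway6)
                else:
                    push += 'route %s %s %s\n' % (utils.parse_network(
                        network) + (gateway,))

    if self.server.network_mode == BRIDGE:
        host_int_data = self.host_interface_data
        host_address = host_int_data['address']
        host_netmask = host_int_data['netmask']

        server_line = 'server-bridge %s %s %s %s' % (
            host_address,
            host_netmask,
            self.server.network_start,
            self.server.network_end,
        )
    else:
        server_line = 'server %s %s' % utils.parse_network(
            self.server.network)

        if self.server.ipv6:
            server_line += '\nserver-ipv6 ' + self.server.network6

    if self.server.protocol == 'tcp':
        if self.server.ipv6 or settings.vpn.ipv6:
            protocol = 'tcp6-server'
        else:
            protocol = 'tcp-server'
    elif self.server.protocol == 'udp':
        if self.server.ipv6 or settings.vpn.ipv6:
            protocol = 'udp6'
        else:
            protocol = 'udp'
    else:
        raise ValueError('Unknown protocol')

    server_conf = OVPN_INLINE_SERVER_CONF % (
        self.server.port,
        protocol,
        self.interface,
        server_line,
        self.management_socket_path,
        self.server.max_clients,
        self.server.ping_interval,
        self.server.ping_timeout + 20,
        self.server.ping_interval,
        self.server.ping_timeout,
        CIPHERS[self.server.cipher],
        HASHES[self.server.hash],
        4 if self.server.debug else 1,
        8 if self.server.debug else 3,
    )

    if self.server.bind_address:
        server_conf += 'local %s\n' % self.server.bind_address

    if self.server.inter_client:
        server_conf += 'client-to-client\n'

    if self.server.multi_device:
        server_conf += 'duplicate-cn\n'

    if self.server.protocol == 'udp':
        server_conf += 'replay-window 128\n'

    # Pritunl v0.10.x did not include comp-lzo in client conf
    # if lzo_compression is adaptive dont include comp-lzo in server conf
    if self.server.lzo_compression == ADAPTIVE:
        pass
    elif self.server.lzo_compression:
        server_conf += 'comp-lzo yes\npush "comp-lzo yes"\n'
    else:
        server_conf += 'comp-lzo no\npush "comp-lzo no"\n'

    server_conf += JUMBO_FRAMES[self.server.jumbo_frames]

    if push:
        server_conf += push

    # Debug output is emitted before the inline key blocks are appended,
    # so no key material reaches the server output log.
    if self.server.debug:
        self.server.output.push_message('Server conf:')
        for conf_line in server_conf.split('\n'):
            if conf_line:
                self.server.output.push_message(' ' + conf_line)

    if settings.local.sub_plan == 'enterprise':
        returns = plugins.caller(
            'server_config',
            host_id=settings.local.host_id,
            host_name=settings.local.host.name,
            server_id=self.server.id,
            server_name=self.server.name,
            port=self.server.port,
            protocol=self.server.protocol,
            ipv6=self.server.ipv6,
            ipv6_firewall=self.server.ipv6_firewall,
            network=self.server.network,
            network6=self.server.network6,
            network_mode=self.server.network_mode,
            network_start=self.server.network_start,
            network_stop=self.server.network_end,
            restrict_routes=self.server.restrict_routes,
            bind_address=self.server.bind_address,
            onc_hostname=self.server.onc_hostname,
            dh_param_bits=self.server.dh_param_bits,
            multi_device=self.server.multi_device,
            dns_servers=self.server.dns_servers,
            search_domain=self.server.search_domain,
            otp_auth=self.server.otp_auth,
            cipher=self.server.cipher,
            hash=self.server.hash,
            inter_client=self.server.inter_client,
            ping_interval=self.server.ping_interval,
            ping_timeout=self.server.ping_timeout,
            link_ping_interval=self.server.link_ping_interval,
            link_ping_timeout=self.server.link_ping_timeout,
            max_clients=self.server.max_clients,
            replica_count=self.server.replica_count,
            dns_mapping=self.server.dns_mapping,
            debug=self.server.debug,
            routes=routes,
        )

        if returns:
            # Plugin output is spliced in verbatim (no validation), so
            # only trusted plugins belong here.
            for return_val in returns:
                if not return_val:
                    continue
                # Fix: was '/n' (a literal slash and n), which glued each
                # plugin directive to the following line and corrupted the
                # generated config.
                server_conf += return_val.strip() + '\n'

    server_conf += '<ca>\n%s\n</ca>\n' % self.server.ca_certificate

    if self.server.tls_auth:
        server_conf += 'key-direction 0\n<tls-auth>\n%s\n</tls-auth>\n' % (
            self.server.tls_auth_key)

    server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
        self.primary_user.certificate)
    server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
    server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params

    # The file carries the server private key, tls-auth key and DH params.
    # Create it 0600 from the start instead of open()+chmod, which left a
    # window where the file existed with umask-derived permissions. The
    # fchmod still tightens a pre-existing file, since O_CREAT's mode is
    # not applied when the file already exists.
    fd = os.open(self.ovpn_conf_path,
        os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600)
    with os.fdopen(fd, 'w') as ovpn_conf:
        os.fchmod(fd, 0600)
        ovpn_conf.write(server_conf)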
def _run_thread(self, send_events):
    """Run one VPN server instance to completion.

    Acquires the instance resources, prepares the host (temp dir, IP
    forwarding, bridge, optional vxlan), writes the OpenVPN config and
    iptables rules, starts the OpenVPN process and helper threads, fires
    the ``server_start`` plugins, then blocks in ``openvpn_watch`` until
    the process ends. ``server_stop`` plugins run whenever ``server_start``
    ran. Teardown (bridge, iptables, threads, instance record, temp dir,
    resource release) happens in the ``finally`` regardless of outcome.

    *send_events* controls whether SERVERS_UPDATED / SERVER_HOSTS_UPDATED /
    USERS_UPDATED events are published once the instance is up.
    """
    from pritunl.server.utils import get_by_id

    logger.info('Starting vpn server', 'server',
        server_id=self.server.id,
        instance_id=self.id,
        network=self.server.network,
        network6=self.server.network6,
        host_address=settings.local.host.local_addr,
        host_address6=settings.local.host.local_addr6,
        host_networks=settings.local.host.local_networks,
        cur_timestamp=utils.now(),
    )

    self.resources_acquire()
    try:
        cursor_id = self.get_cursor_id()

        # NOTE(review): the ovpn conf written later holds the server key;
        # confirm where self._temp_path lives and what mode it is created
        # with — makedirs uses the process umask.
        os.makedirs(self._temp_path)

        self.enable_ip_forwarding()
        self.bridge_start()

        if self.server.replicating and self.server.vxlan:
            # vxlan failure is logged and the instance continues without it.
            try:
                self.vxlan = vxlan.get_vxlan(self.server.id)
                self.vxlan.start()
            except:
                logger.exception('Failed to setup server vxlan', 'vxlan',
                    server_id=self.server.id,
                    instance_id=self.id,
                )

        self.generate_ovpn_conf()

        self.generate_iptables_rules()
        self.iptables.upsert_rules()

        self.init_route_advertisements()

        self.process = self.openvpn_start()

        self.start_threads(cursor_id)

        self.instance_com = ServerInstanceCom(self.server, self)
        self.instance_com.start()

        self.publish('started')

        if send_events:
            event.Event(type=SERVERS_UPDATED)
            event.Event(type=SERVER_HOSTS_UPDATED,
                resource_id=self.server.id)
            for org_id in self.server.organizations:
                event.Event(type=USERS_UPDATED, resource_id=org_id)

        # Only the side with the greater id initiates each link, so a
        # link between two servers is started exactly once.
        for link_doc in self.server.links:
            if self.server.id > link_doc['server_id']:
                instance_link = ServerInstanceLink(
                    server=self.server,
                    linked_server=get_by_id(link_doc['server_id']),
                )
                self.server_links.append(instance_link)
                instance_link.start()

        plugins.caller(
            'server_start',
            host_id=settings.local.host_id,
            host_name=settings.local.host.name,
            server_id=self.server.id,
            server_name=self.server.name,
            port=self.server.port,
            protocol=self.server.protocol,
            ipv6=self.server.ipv6,
            ipv6_firewall=self.server.ipv6_firewall,
            network=self.server.network,
            network6=self.server.network6,
            network_mode=self.server.network_mode,
            network_start=self.server.network_start,
            network_stop=self.server.network_end,
            restrict_routes=self.server.restrict_routes,
            bind_address=self.server.bind_address,
            onc_hostname=self.server.onc_hostname,
            dh_param_bits=self.server.dh_param_bits,
            multi_device=self.server.multi_device,
            dns_servers=self.server.dns_servers,
            search_domain=self.server.search_domain,
            otp_auth=self.server.otp_auth,
            cipher=self.server.cipher,
            hash=self.server.hash,
            inter_client=self.server.inter_client,
            ping_interval=self.server.ping_interval,
            ping_timeout=self.server.ping_timeout,
            link_ping_interval=self.server.link_ping_interval,
            link_ping_timeout=self.server.link_ping_timeout,
            allowed_devices=self.server.allowed_devices,
            max_clients=self.server.max_clients,
            replica_count=self.server.replica_count,
            dns_mapping=self.server.dns_mapping,
            debug=self.server.debug,
            interface=self.interface,
            bridge_interface=self.bridge_interface,
            vxlan=self.vxlan,
        )

        # Blocks until OpenVPN exits; server_stop plugins are paired with
        # the server_start call above even if the watch raises.
        try:
            self.openvpn_watch()
        finally:
            plugins.caller(
                'server_stop',
                host_id=settings.local.host_id,
                host_name=settings.local.host.name,
                server_id=self.server.id,
                server_name=self.server.name,
                port=self.server.port,
                protocol=self.server.protocol,
                ipv6=self.server.ipv6,
                ipv6_firewall=self.server.ipv6_firewall,
                network=self.server.network,
                network6=self.server.network6,
                network_mode=self.server.network_mode,
                network_start=self.server.network_start,
                network_stop=self.server.network_end,
                restrict_routes=self.server.restrict_routes,
                bind_address=self.server.bind_address,
                onc_hostname=self.server.onc_hostname,
                dh_param_bits=self.server.dh_param_bits,
                multi_device=self.server.multi_device,
                dns_servers=self.server.dns_servers,
                search_domain=self.server.search_domain,
                otp_auth=self.server.otp_auth,
                cipher=self.server.cipher,
                hash=self.server.hash,
                inter_client=self.server.inter_client,
                ping_interval=self.server.ping_interval,
                ping_timeout=self.server.ping_timeout,
                link_ping_interval=self.server.link_ping_interval,
                link_ping_timeout=self.server.link_ping_timeout,
                allowed_devices=self.server.allowed_devices,
                max_clients=self.server.max_clients,
                replica_count=self.server.replica_count,
                dns_mapping=self.server.dns_mapping,
                debug=self.server.debug,
                interface=self.interface,
                bridge_interface=self.bridge_interface,
                vxlan=self.vxlan,
            )

        self.interrupt = True
        self.bridge_stop()
        self.iptables.clear_rules()
        # NOTE(review): resources_release() is called again in the outer
        # finally below, so on the normal exit path it runs twice — confirm
        # it is safe to call on already-released resources.
        self.resources_release()

        # clean_exit is set elsewhere; anything else is an unexpected stop
        # and is surfaced to operators via events and a log entry.
        if not self.clean_exit:
            event.Event(type=SERVERS_UPDATED)
            self.server.send_link_events()
            logger.LogEntry(
                message='Server stopped unexpectedly "%s".' % (
                    self.server.name))
    except:
        # Bare except: also catches SystemExit/KeyboardInterrupt, so the
        # error is logged and the process stopped on any interruption.
        logger.exception('Server error occurred while running', 'server',
            server_id=self.server.id,
        )

        try:
            self.interrupt = True
            self.stop_process()
        except:
            logger.exception('Server stop error', 'server',
                server_id=self.server.id,
            )
    finally:
        # Teardown steps are wrapped separately so a failing bridge/iptables
        # cleanup does not prevent the record and temp-dir cleanup.
        try:
            if self.resource_lock:
                self.bridge_stop()
                self.iptables.clear_rules()
        except:
            logger.exception('Server resource error', 'server',
                server_id=self.server.id,
            )

        try:
            self.resources_release()
            self.stop_threads()
            # Remove this instance from the server document and decrement
            # the running-instance counter.
            self.collection.update({
                '_id': self.server.id,
                'instances.instance_id': self.id,
            }, {
                '$pull': {
                    'instances': {
                        'instance_id': self.id,
                    },
                },
                '$inc': {
                    'instances_count': -1,
                },
            })
            # Temp dir holds the generated conf (with key material).
            utils.rmtree(self._temp_path)
        except:
            logger.exception('Server clean up error', 'server',
                server_id=self.server.id,
            )