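    def generate_client_conf(self):
        """Write the inline OpenVPN client conf for this link and return its path.

        The conf embeds the linked server's CA, optionally its tls-auth key, and
        the link user's certificate and private key, so the file is created with
        mode 0600 at open time instead of being chmod'ed after a default-umask
        open (which leaves a window where the key is readable by other users).

        Returns:
            Path of the conf file written under ``self._temp_path``.

        Side effects:
            Acquires a tun interface into ``self.interface``; in debug mode the
            conf is pushed to the server output link before any certificate or
            key block is appended, so no secret material is logged.
        """
        # makedirs() is attempted directly so a concurrent creator does not
        # turn an exists()/makedirs() race into an EEXIST failure.
        try:
            os.makedirs(self._temp_path)
        except OSError:
            if not os.path.isdir(self._temp_path):
                raise
        ovpn_conf_path = os.path.join(self._temp_path, OVPN_CONF_NAME)
        self.interface = utils.tun_interface_acquire()

        if self.linked_host:
            remotes = 'remote %s %s' % (
                self.host.link_addr,
                self.linked_server.port,
            )
        else:
            remotes = self.linked_server.get_key_remotes(True)

        client_conf = OVPN_INLINE_LINK_CONF % (
            uuid.uuid4().hex,
            utils.random_name(),
            self.interface,
            self.linked_server.protocol,
            remotes,
            CIPHERS[self.server.cipher],
            4 if self.server.debug else 1,  # raised in debug mode
            8 if self.server.debug else 3,  # raised in debug mode
            self.linked_server.ping_interval,
            self.linked_server.ping_timeout,
        )

        if self.linked_server.lzo_compression != ADAPTIVE:
            client_conf += 'comp-lzo no\n'

        # Debug dump happens here, before <ca>/<tls-auth>/<cert>/<key> exist.
        if self.server.debug:
            self.server.output_link.push_message(
                'Server conf:',
                label=self.output_label,
                link_server_id=self.linked_server.id,
            )
            for conf_line in client_conf.split('\n'):
                if conf_line:
                    self.server.output_link.push_message(
                        '  ' + conf_line,
                        label=self.output_label,
                        link_server_id=self.linked_server.id,
                    )

        client_conf += JUMBO_FRAMES[self.linked_server.jumbo_frames]
        client_conf += '<ca>\n%s\n</ca>\n' % self.linked_server.ca_certificate

        if self.linked_server.tls_auth:
            client_conf += 'key-direction 1\n<tls-auth>\n%s\n</tls-auth>\n' % (
                self.linked_server.tls_auth_key)

        client_conf += ('<cert>\n%s\n' + \
            '</cert>\n') % utils.get_cert_block(self.user.certificate)
        client_conf += '<key>\n%s\n</key>\n' % (self.user.private_key.strip())

        # Owner-only from creation; fchmod also tightens a pre-existing file.
        fd = os.open(ovpn_conf_path,
            os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, 'w') as ovpn_conf:
            os.fchmod(fd, 0o600)
            ovpn_conf.write(client_conf)

        return ovpn_conf_path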
    def _generate_conf(self, server, include_user_cert=True):
        """Build the inline .ovpn client conf for this user on *server*.

        Returns a ``(file_name, client_conf, conf_hash)`` tuple. ``conf_hash``
        is an md5 fingerprint of the inputs that shape the conf (names,
        protocol, sorted remotes, cipher, compression, OTP, jumbo frames, CA)
        and is handed to ``_get_key_info_str``; it is a change marker, not an
        integrity check. The tls-auth key and the user's certificate and
        private key are embedded only when ``include_user_cert`` is true.

        Side effects: generates ``sync_token``/``sync_secret`` on first use and
        the server CA certificate when it is missing.
        """
        if not (self.sync_token and self.sync_secret):
            self.sync_token = utils.generate_secret()
            self.sync_secret = utils.generate_secret()
            self.commit(('sync_token', 'sync_secret'))

        file_name = '%s_%s_%s.ovpn' % (
            self.org.name, self.name, server.name)
        if not server.ca_certificate:
            server.generate_ca_cert()
        key_remotes = server.get_key_remotes()
        ca_certificate = server.ca_certificate
        certificate = utils.get_cert_block(self.certificate)
        private_key = self.private_key.strip()

        fingerprint = hashlib.md5()
        fingerprint_parts = [
            self.name.encode('utf-8'),
            self.org.name.encode('utf-8'),
            server.name.encode('utf-8'),
            server.protocol,
        ]
        fingerprint_parts.extend(sorted(key_remotes))
        fingerprint_parts.extend((
            CIPHERS[server.cipher],
            str(server.lzo_compression),
            str(server.otp_auth),
            JUMBO_FRAMES[server.jumbo_frames],
            ca_certificate,
        ))
        for part in fingerprint_parts:
            fingerprint.update(part)
        conf_hash = fingerprint.hexdigest()

        sections = [OVPN_INLINE_CLIENT_CONF % (
            self._get_key_info_str(server, conf_hash),
            uuid.uuid4().hex,
            utils.random_name(),
            server.protocol,
            server.get_key_remotes(),
            CIPHERS[server.cipher],
            server.ping_interval,
            server.ping_timeout,
        )]

        if server.lzo_compression != ADAPTIVE:
            sections.append('comp-lzo no\n')
        if server.otp_auth:
            sections.append('auth-user-pass\n')
        if server.tls_auth:
            sections.append('key-direction 1\n')

        sections.append(JUMBO_FRAMES[server.jumbo_frames])
        sections.append('<ca>\n%s\n</ca>\n' % ca_certificate)
        if include_user_cert:
            if server.tls_auth:
                sections.append('<tls-auth>\n%s\n</tls-auth>\n' % (
                    server.tls_auth_key))
            sections.append('<cert>\n%s\n</cert>\n' % certificate)
            sections.append('<key>\n%s\n</key>\n' % private_key)

        return file_name, ''.join(sections), conf_hash
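    def generate_client_conf(self):
        """Write the inline OpenVPN client conf for this link and return its path.

        The conf embeds the server CA, optionally the tls-auth key, and the
        link user's certificate and private key, so it is created with mode
        0600 at open time rather than chmod'ed after a default-umask open.

        Returns:
            Path of the conf file written under ``self._temp_path``.

        Side effects:
            Acquires a tun interface into ``self.interface``.
        """
        # Try makedirs() directly; a concurrent creator must not turn an
        # exists()/makedirs() race into an EEXIST failure.
        try:
            os.makedirs(self._temp_path)
        except OSError:
            if not os.path.isdir(self._temp_path):
                raise
        ovpn_conf_path = os.path.join(self._temp_path, OVPN_CONF_NAME)
        self.interface = utils.tun_interface_acquire()

        if self.linked_host:
            remotes = 'remote %s %s' % (
                self.host.link_address or self.host.public_address,
                self.linked_server.port,
            )
        else:
            remotes = self.linked_server.get_key_remotes(True)

        client_conf = OVPN_INLINE_LINK_CONF % (
            self.interface,
            self.linked_server.protocol,
            remotes,
            CIPHERS[self.server.cipher],
            4 if self.server.debug else 1,  # raised in debug mode
            8 if self.server.debug else 3,  # raised in debug mode
        )

        if self.server.lzo_compression != ADAPTIVE:
            client_conf += 'comp-lzo no\n'

        if self.server.otp_auth:
            client_conf += 'auth-user-pass\n'

        client_conf += JUMBO_FRAMES[self.server.jumbo_frames]
        client_conf += '<ca>\n%s\n</ca>\n' % utils.get_cert_block(
            self.server.ca_certificate)

        if self.server.tls_auth:
            client_conf += '<tls-auth>\n%s\n</tls-auth>\n' % (
                self.server.tls_auth_key)

        client_conf += ('<cert>\n%s\n' + \
            '</cert>\n') % utils.get_cert_block(self.user.certificate)
        client_conf += '<key>\n%s\n</key>\n' % (
            self.user.private_key.strip())

        # Owner-only from creation; fchmod also tightens a pre-existing file.
        fd = os.open(ovpn_conf_path,
            os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, 'w') as ovpn_conf:
            os.fchmod(fd, 0o600)
            ovpn_conf.write(client_conf)

        return ovpn_conf_path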
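    def build_key_archive(self):
        """Build a tar of one inline .ovpn conf per server and return its bytes.

        Each conf embeds the server CA plus this user's certificate and private
        key. All files live in a fresh temp directory created 0700 and removed
        on exit, and each conf is created 0600 at open time, so the key
        material is never exposed under the process umask or left on disk.

        Returns:
            The raw tar archive contents (a str on Python 2).
        """
        temp_path = utils.get_temp_path()
        key_archive_path = os.path.join(temp_path, '%s.tar' % self.id)

        try:
            # Owner-only directory: the tar created below gets default
            # permissions and relies on the directory to stay private.
            os.makedirs(temp_path, 0o700)
            tar_file = tarfile.open(key_archive_path, 'w')
            try:
                for server in self.org.iter_servers():
                    server_conf_path = os.path.join(
                        temp_path, '%s_%s.ovpn' % (self.id, server.id))
                    server_conf_arcname = '%s_%s_%s.ovpn' % (
                        self.org.name, self.name, server.name)
                    server.generate_ca_cert()

                    client_conf = OVPN_INLINE_CLIENT_CONF % (
                        self._get_key_info_str(self.name, self.org.name,
                                               server.name),
                        server.protocol,
                        server.public_address,
                        server.port,
                    )

                    if server.otp_auth:
                        client_conf += 'auth-user-pass\n'

                    client_conf += '<ca>\n%s\n</ca>\n' % utils.get_cert_block(
                        server.ca_certificate)
                    client_conf += ('<cert>\n%s\n' + \
                        '</cert>\n') % utils.get_cert_block(self.certificate)
                    client_conf += '<key>\n%s\n</key>\n' % (
                        self.private_key.strip())

                    # 0600 applied at creation; the mode is also what tarfile
                    # records for the archive entry.
                    fd = os.open(server_conf_path,
                        os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
                    with os.fdopen(fd, 'w') as ovpn_conf:
                        os.fchmod(fd, 0o600)
                        ovpn_conf.write(client_conf)
                    tar_file.add(server_conf_path, arcname=server_conf_arcname)
                    os.remove(server_conf_path)
            finally:
                tar_file.close()

            # Binary read: a tar is not text, and 'rb' is portable.
            with open(key_archive_path, 'rb') as archive_file:
                key_archive = archive_file.read()
        finally:
            utils.rmtree(temp_path)

        return key_archive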
    def _generate_conf(self, server, include_user_cert=True):
        """Build the inline .ovpn client conf for this user on *server*.

        Returns ``(file_name, client_conf, conf_hash)``. ``conf_hash`` is an
        md5 fingerprint over the conf-shaping inputs (names, protocol, sorted
        remotes, cipher, compression, OTP, jumbo frames, CA block) passed on
        to ``_get_key_info_str``; it is a change marker, not an integrity
        check. The tls-auth key and the user's certificate and private key
        are embedded only when ``include_user_cert`` is true.

        Side effects: calls ``server.generate_ca_cert()`` unconditionally.
        """
        file_name = '%s_%s_%s.ovpn' % (
            self.org.name, self.name, server.name)
        server.generate_ca_cert()
        key_remotes = server.get_key_remotes()
        ca_certificate = utils.get_cert_block(server.ca_certificate)
        certificate = utils.get_cert_block(self.certificate)
        private_key = self.private_key.strip()

        digest = hashlib.md5()
        head = (self.name, self.org.name, server.name, server.protocol)
        tail = (
            CIPHERS[server.cipher],
            str(server.lzo_compression),
            str(server.otp_auth),
            JUMBO_FRAMES[server.jumbo_frames],
            ca_certificate,
        )
        for chunk in head:
            digest.update(chunk)
        for chunk in sorted(key_remotes):
            digest.update(chunk)
        for chunk in tail:
            digest.update(chunk)
        conf_hash = digest.hexdigest()

        pieces = []
        pieces.append(OVPN_INLINE_CLIENT_CONF % (
            self._get_key_info_str(server.name, conf_hash),
            server.protocol,
            server.get_key_remotes(),
            CIPHERS[server.cipher],
        ))

        if server.lzo_compression != ADAPTIVE:
            pieces.append('comp-lzo no\n')

        if server.otp_auth:
            pieces.append('auth-user-pass\n')

        pieces.append(JUMBO_FRAMES[server.jumbo_frames])
        pieces.append('<ca>\n%s\n</ca>\n' % ca_certificate)

        if include_user_cert:
            if server.tls_auth:
                pieces.append('<tls-auth>\n%s\n</tls-auth>\n' % (
                    server.tls_auth_key))
            pieces.append('<cert>\n%s\n</cert>\n' % certificate)
            pieces.append('<key>\n%s\n</key>\n' % private_key)

        return file_name, ''.join(pieces), conf_hash
    def _generate_conf(self, server, include_user_cert=True):
        """Build the inline .ovpn client conf for this user on *server*.

        Returns ``(file_name, client_conf, conf_hash)``. ``conf_hash`` is an
        md5 fingerprint over the conf-shaping inputs (names, protocol, sorted
        remotes, cipher, compression, OTP, jumbo frames, CA) that is handed to
        ``_get_key_info_str``; it is a change marker, not an integrity check.
        The tls-auth key and the user's certificate and private key are
        embedded only when ``include_user_cert`` is true.

        Side effects: generates ``sync_token``/``sync_secret`` on first use
        and the server CA certificate when it is missing.
        """
        if not (self.sync_token and self.sync_secret):
            self.sync_token = utils.generate_secret()
            self.sync_secret = utils.generate_secret()
            self.commit(('sync_token', 'sync_secret'))

        file_name = '%s_%s_%s.ovpn' % (self.org.name, self.name, server.name)
        if not server.ca_certificate:
            server.generate_ca_cert()
        key_remotes = server.get_key_remotes()
        ca_certificate = server.ca_certificate
        certificate = utils.get_cert_block(self.certificate)
        private_key = self.private_key.strip()

        digest = hashlib.md5()
        for chunk in (self.name, self.org.name, server.name, server.protocol):
            digest.update(chunk)
        for chunk in sorted(key_remotes):
            digest.update(chunk)
        for chunk in (
            CIPHERS[server.cipher],
            str(server.lzo_compression),
            str(server.otp_auth),
            JUMBO_FRAMES[server.jumbo_frames],
            ca_certificate,
        ):
            digest.update(chunk)
        conf_hash = digest.hexdigest()

        pieces = [OVPN_INLINE_CLIENT_CONF % (
            self._get_key_info_str(server, conf_hash),
            uuid.uuid4().hex,
            utils.random_name(),
            server.protocol,
            server.get_key_remotes(),
            CIPHERS[server.cipher],
            server.ping_interval,
            server.ping_timeout,
        )]

        if server.lzo_compression != ADAPTIVE:
            pieces.append('comp-lzo no\n')
        if server.otp_auth:
            pieces.append('auth-user-pass\n')
        if server.tls_auth:
            pieces.append('key-direction 1\n')

        pieces.append(JUMBO_FRAMES[server.jumbo_frames])
        pieces.append('<ca>\n%s\n</ca>\n' % ca_certificate)

        if include_user_cert:
            if server.tls_auth:
                pieces.append('<tls-auth>\n%s\n</tls-auth>\n' % (
                    server.tls_auth_key))
            pieces.append('<cert>\n%s\n</cert>\n' % certificate)
            pieces.append('<key>\n%s\n</key>\n' % private_key)

        return file_name, ''.join(pieces), conf_hash
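    def generate_client_conf(self):
        """Write the inline OpenVPN client conf for this link and return its path.

        The conf embeds the linked server's CA, optionally its tls-auth key, and
        the link user's certificate and private key, so the file is created with
        mode 0600 at open time instead of being chmod'ed after a default-umask
        open (which leaves a window where the key is readable by other users).

        Returns:
            Path of the conf file written under ``self._temp_path``.

        Side effects:
            Acquires a tun interface into ``self.interface``; in debug mode the
            conf is pushed to the server output link before any certificate or
            key block is appended, so no secret material is logged.
        """
        # makedirs() is attempted directly so a concurrent creator does not
        # turn an exists()/makedirs() race into an EEXIST failure.
        try:
            os.makedirs(self._temp_path)
        except OSError:
            if not os.path.isdir(self._temp_path):
                raise
        ovpn_conf_path = os.path.join(self._temp_path, OVPN_CONF_NAME)
        self.interface = utils.tun_interface_acquire()

        if self.linked_host:
            remotes = 'remote %s %s' % (
                self.host.link_addr,
                self.linked_server.port,
            )
        else:
            remotes = self.linked_server.get_key_remotes(True)

        client_conf = OVPN_INLINE_LINK_CONF % (
            uuid.uuid4().hex,
            utils.random_name(),
            self.interface,
            self.linked_server.protocol,
            remotes,
            CIPHERS[self.server.cipher],
            4 if self.server.debug else 1,  # raised in debug mode
            8 if self.server.debug else 3,  # raised in debug mode
        )

        if self.linked_server.lzo_compression != ADAPTIVE:
            client_conf += 'comp-lzo no\n'

        # Debug dump happens here, before <ca>/<tls-auth>/<cert>/<key> exist.
        if self.server.debug:
            self.server.output_link.push_message(
                'Server conf:',
                label=self.output_label,
                link_server_id=self.linked_server.id,
            )
            for conf_line in client_conf.split('\n'):
                if conf_line:
                    self.server.output_link.push_message(
                        '  ' + conf_line,
                        label=self.output_label,
                        link_server_id=self.linked_server.id,
                    )

        client_conf += JUMBO_FRAMES[self.linked_server.jumbo_frames]
        client_conf += '<ca>\n%s\n</ca>\n' % self.linked_server.ca_certificate

        if self.linked_server.tls_auth:
            client_conf += 'key-direction 1\n<tls-auth>\n%s\n</tls-auth>\n' % (
                self.linked_server.tls_auth_key)

        client_conf += ('<cert>\n%s\n' + \
            '</cert>\n') % utils.get_cert_block(self.user.certificate)
        client_conf += '<key>\n%s\n</key>\n' % (
            self.user.private_key.strip())

        # Owner-only from creation; fchmod also tightens a pre-existing file.
        fd = os.open(ovpn_conf_path,
            os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, 'w') as ovpn_conf:
            os.fchmod(fd, 0o600)
            ovpn_conf.write(client_conf)

        return ovpn_conf_path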
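    def build_key_archive(self):
        """Build a tar of one inline .ovpn conf per server and return its bytes.

        Each conf embeds the server CA plus this user's certificate and private
        key. All files live in a fresh temp directory created 0700 and removed
        on exit, and each conf is created 0600 at open time, so the key
        material is never exposed under the process umask or left on disk.

        Returns:
            The raw tar archive contents (a str on Python 2).
        """
        temp_path = utils.get_temp_path()
        key_archive_path = os.path.join(temp_path, '%s.tar' % self.id)

        try:
            # Owner-only directory: the tar created below gets default
            # permissions and relies on the directory to stay private.
            os.makedirs(temp_path, 0o700)
            tar_file = tarfile.open(key_archive_path, 'w')
            try:
                for server in self.org.iter_servers():
                    server_conf_path = os.path.join(temp_path,
                        '%s_%s.ovpn' % (self.id, server.id))
                    server_conf_arcname = '%s_%s_%s.ovpn' % (
                        self.org.name, self.name, server.name)
                    server.generate_ca_cert()

                    client_conf = OVPN_INLINE_CLIENT_CONF % (
                        self._get_key_info_str(
                            self.name, self.org.name, server.name),
                        server.protocol,
                        server.public_address, server.port,
                    )

                    if server.otp_auth:
                        client_conf += 'auth-user-pass\n'

                    client_conf += '<ca>\n%s\n</ca>\n' % utils.get_cert_block(
                        server.ca_certificate)
                    client_conf += ('<cert>\n%s\n' + \
                        '</cert>\n') % utils.get_cert_block(self.certificate)
                    client_conf += '<key>\n%s\n</key>\n' % (
                        self.private_key.strip())

                    # 0600 applied at creation; the mode is also what tarfile
                    # records for the archive entry.
                    fd = os.open(server_conf_path,
                        os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
                    with os.fdopen(fd, 'w') as ovpn_conf:
                        os.fchmod(fd, 0o600)
                        ovpn_conf.write(client_conf)
                    tar_file.add(server_conf_path, arcname=server_conf_arcname)
                    os.remove(server_conf_path)
            finally:
                tar_file.close()

            # Binary read: a tar is not text, and 'rb' is portable.
            with open(key_archive_path, 'rb') as archive_file:
                key_archive = archive_file.read()
        finally:
            utils.rmtree(temp_path)

        return key_archive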
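    def generate_client_conf(self):
        """Write the inline OpenVPN client conf for this link and return its path.

        The conf embeds the linked server's CA, optionally its tls-auth key, and
        the link user's certificate and private key, so the file is created with
        mode 0600 at open time instead of being chmod'ed after a default-umask
        open (which leaves a window where the key is readable by other users).

        Returns:
            Path of the conf file written under ``self._temp_path``.

        Side effects:
            Acquires an interface of the linked server's adapter type into
            ``self.interface``; in debug mode the conf is pushed to the server
            output link before any certificate or key block is appended, so no
            secret material is logged.
        """
        # makedirs() is attempted directly so a concurrent creator does not
        # turn an exists()/makedirs() race into an EEXIST failure.
        try:
            os.makedirs(self._temp_path)
        except OSError:
            if not os.path.isdir(self._temp_path):
                raise
        ovpn_conf_path = os.path.join(self._temp_path, OVPN_CONF_NAME)
        self.interface = utils.interface_acquire(
            self.linked_server.adapter_type)

        remotes = self.linked_server.get_key_remotes(True)

        client_conf = OVPN_INLINE_LINK_CONF % (
            uuid.uuid4().hex,
            utils.random_name(),
            self.interface,
            self.linked_server.adapter_type,
            remotes,
            CIPHERS[self.linked_server.cipher],
            HASHES[self.linked_server.hash],
            4 if self.server.debug else 1,  # raised in debug mode
            8 if self.server.debug else 3,  # raised in debug mode
            settings.app.host_ping,
            settings.app.host_ping_ttl,
        )

        # Debug dump happens here, before <ca>/<tls-auth>/<cert>/<key> exist.
        if self.server.debug:
            self.server.output_link.push_message(
                'Server conf:',
                label=self.output_label,
                link_server_id=self.linked_server.id,
            )
            for conf_line in client_conf.split('\n'):
                if conf_line:
                    self.server.output_link.push_message(
                        '  ' + conf_line,
                        label=self.output_label,
                        link_server_id=self.linked_server.id,
                    )

        client_conf += JUMBO_FRAMES[self.linked_server.jumbo_frames]
        client_conf += '<ca>\n%s\n</ca>\n' % self.linked_server.ca_certificate

        if self.linked_server.tls_auth:
            client_conf += 'key-direction 1\n<tls-auth>\n%s\n</tls-auth>\n' % (
                self.linked_server.tls_auth_key)

        client_conf += ('<cert>\n%s\n' + '</cert>\n') % utils.get_cert_block(
            self.user.certificate)
        client_conf += '<key>\n%s\n</key>\n' % (self.user.private_key.strip())

        # Owner-only from creation; fchmod also tightens a pre-existing file.
        fd = os.open(ovpn_conf_path,
            os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, 'w') as ovpn_conf:
            os.fchmod(fd, 0o600)
            ovpn_conf.write(client_conf)

        return ovpn_conf_path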
    def build_key_conf(self, server_id):
        """Return ``{'name': ..., 'conf': ...}`` for this user on *server_id*.

        ``conf`` is an inline .ovpn that embeds the server CA and this user's
        certificate and private key; ``server.generate_ca_cert()`` is called
        before the CA block is read.
        """
        server = self.org.get_server(server_id)
        conf_name = '%s_%s_%s.ovpn' % (self.org.name, self.name, server.name)
        server.generate_ca_cert()

        key_info = self._get_key_info_str(self.name, self.org.name, server.name)
        sections = [
            OVPN_INLINE_CLIENT_CONF % (
                key_info,
                server.protocol,
                server.public_address, server.port,
            ),
        ]

        if server.otp_auth:
            sections.append('auth-user-pass\n')

        ca_block = utils.get_cert_block(server.ca_certificate)
        cert_block = utils.get_cert_block(self.certificate)
        sections.append('<ca>\n%s\n</ca>\n' % ca_block)
        sections.append('<cert>\n%s\n</cert>\n' % cert_block)
        sections.append('<key>\n%s\n</key>\n' % self.private_key.strip())

        return {
            'name': conf_name,
            'conf': ''.join(sections),
        }
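    def generate_client_conf(self):
        """Write the inline OpenVPN client conf for this link and return its path.

        The conf embeds the linked server's CA, optionally its tls-auth key, and
        the link user's certificate and private key, so it is created with mode
        0600 at open time rather than chmod'ed after a default-umask open.

        Returns:
            Path of the conf file written under ``self._temp_path``.

        Side effects:
            Acquires a tun interface into ``self.interface``.
        """
        # Try makedirs() directly; a concurrent creator must not turn an
        # exists()/makedirs() race into an EEXIST failure.
        try:
            os.makedirs(self._temp_path)
        except OSError:
            if not os.path.isdir(self._temp_path):
                raise
        ovpn_conf_path = os.path.join(self._temp_path, OVPN_CONF_NAME)
        self.interface = utils.tun_interface_acquire()

        if self.linked_host:
            remotes = 'remote %s %s' % (
                self.host.link_address or self.host.public_address,
                self.linked_server.port,
            )
        else:
            remotes = self.linked_server.get_key_remotes(True)

        client_conf = OVPN_INLINE_LINK_CONF % (
            uuid.uuid4().hex,
            utils.random_name(),
            self.interface,
            self.linked_server.protocol,
            remotes,
            CIPHERS[self.server.cipher],
            4 if self.server.debug else 1,  # raised in debug mode
            8 if self.server.debug else 3,  # raised in debug mode
        )

        if self.linked_server.lzo_compression != ADAPTIVE:
            client_conf += 'comp-lzo no\n'

        if self.linked_server.otp_auth:
            client_conf += 'auth-user-pass\n'

        client_conf += JUMBO_FRAMES[self.linked_server.jumbo_frames]
        client_conf += '<ca>\n%s\n</ca>\n' % self.linked_server.ca_certificate

        if self.linked_server.tls_auth:
            client_conf += '<tls-auth>\n%s\n</tls-auth>\n' % (
                self.linked_server.tls_auth_key)

        client_conf += ('<cert>\n%s\n' + \
            '</cert>\n') % utils.get_cert_block(self.user.certificate)
        client_conf += '<key>\n%s\n</key>\n' % (self.user.private_key.strip())

        # Owner-only from creation; fchmod also tightens a pre-existing file.
        fd = os.open(ovpn_conf_path,
            os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, 'w') as ovpn_conf:
            os.fchmod(fd, 0o600)
            ovpn_conf.write(client_conf)

        return ovpn_conf_path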
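    def generate_ovpn_conf(self):
        """Write the OpenVPN server conf and its hook scripts for this server.

        Makes sure a primary organization and user exist (creating them when
        the references are missing or do not resolve), truncates the auth log,
        writes the tls-verify / user-pass-verify / client-connect /
        client-disconnect hook scripts, builds the ``push`` directives from the
        server mode, DNS settings and linked servers, and finally writes the
        inline server conf (CA, primary user cert and key, DH params) to
        ``self.ovpn_conf_path``.

        Files holding secrets are created with their final mode at open time;
        an open()/chmod() pair leaves a window in which the default-umask file
        is readable by other local users.
        """
        from pritunl.server.utils import get_by_id

        def open_with_mode(path, mode):
            # Create or truncate path with mode applied at creation; fchmod
            # also tightens a file that already existed with a looser mode.
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
            os.fchmod(fd, mode)
            return os.fdopen(fd, 'w')

        logger.debug('Generating server ovpn conf. %r' % {
            'server_id': self.server.id,
        })

        if not self.server.primary_organization or \
                not self.server.primary_user:
            self.server.create_primary_user()

        primary_org = organization.get_by_id(self.server.primary_organization)
        if not primary_org:
            # Dangling organization reference: recreate and re-resolve.
            self.server.create_primary_user()
            primary_org = organization.get_by_id(
                id=self.server.primary_organization)

        self.primary_user = primary_org.get_user(self.server.primary_user)
        if not self.primary_user:
            # Dangling user reference: recreate and re-resolve both.
            self.server.create_primary_user()
            primary_org = organization.get_by_id(
                id=self.server.primary_organization)
            self.primary_user = primary_org.get_user(self.server.primary_user)

        # Start from an empty, owner-only auth log.
        open_with_mode(self.auth_log_path, 0o600).close()

        auth_host = settings.conf.bind_addr
        if auth_host == '0.0.0.0':
            auth_host = 'localhost'
        for script, script_path in (
                    (TLS_VERIFY_SCRIPT, self.tls_verify_path),
                    (USER_PASS_VERIFY_SCRIPT, self.user_pass_verify_path),
                    (CLIENT_CONNECT_SCRIPT, self.client_connect_path),
                    (CLIENT_DISCONNECT_SCRIPT, self.client_disconnect_path),
                ):
            # NOTE(review): these scripts embed settings.app.server_api_key
            # and are written 0755, so any local user can read the key. 0700
            # would close that if OpenVPN runs the hooks as this same user;
            # whether it drops privileges depends on the server conf template,
            # which is not visible here, so the mode is kept (original TODO).
            with open_with_mode(script_path, 0o755) as script_file:
                script_file.write(script % (
                    settings.app.server_api_key,
                    self.auth_log_path,
                    'https' if settings.conf.ssl else 'http',
                    auth_host,
                    settings.conf.port,
                    self.server.id,
                ))

        push = ''
        if self.server.mode == LOCAL_TRAFFIC:
            for network in self.server.local_networks:
                push += 'push "route %s %s"\n' % utils.parse_network(network)
        elif self.server.mode == VPN_TRAFFIC:
            pass  # no default route or local routes are pushed
        else:
            push += 'push "redirect-gateway"\n'
        for dns_server in self.server.dns_servers:
            push += 'push "dhcp-option DNS %s"\n' % dns_server
        if self.server.search_domain:
            push += 'push "dhcp-option DOMAIN %s"\n' % (
                self.server.search_domain)

        # Routes to every linked server's network and its local networks.
        for link_doc in self.server.links:
            link_svr = get_by_id(link_doc['server_id'])

            push += 'push "route %s %s"\n' % utils.parse_network(
                link_svr.network)
            for local_network in link_svr.local_networks:
                push += 'push "route %s %s"\n' % utils.parse_network(
                    local_network)

        server_conf = OVPN_INLINE_SERVER_CONF % (
            self.server.port,
            self.server.protocol,
            self.interface,
            self.tls_verify_path,
            self.client_connect_path,
            self.client_disconnect_path,
            '%s %s' % utils.parse_network(self.server.network),
            CIPHERS[self.server.cipher],
            self.ovpn_status_path,
            4 if self.server.debug else 1,  # raised in debug mode
            8 if self.server.debug else 3,  # raised in debug mode
        )

        if self.server.bind_address:
            server_conf += 'local %s\n' % self.server.bind_address

        if self.server.otp_auth:
            server_conf += 'auth-user-pass-verify %s via-file\n' % (
                self.user_pass_verify_path)

        # Pritunl v0.10.x did not include comp-lzo in client conf
        # if lzo_compression is adaptive dont include comp-lzo in server conf
        if self.server.lzo_compression == ADAPTIVE:
            pass
        elif self.server.lzo_compression:
            server_conf += 'comp-lzo yes\npush "comp-lzo yes"\n'
        else:
            server_conf += 'comp-lzo no\npush "comp-lzo no"\n'

        if self.server.mode in (LOCAL_TRAFFIC, VPN_TRAFFIC):
            server_conf += 'client-to-client\n'

        server_conf += JUMBO_FRAMES[self.server.jumbo_frames]

        if push:
            server_conf += push

        server_conf += '<ca>\n%s\n</ca>\n' % utils.get_cert_block(
            self.server.ca_certificate)
        server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
            self.primary_user.certificate)
        server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
        server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params

        # Holds the primary user's private key: owner-only from creation.
        with open_with_mode(self.ovpn_conf_path, 0o600) as ovpn_conf:
            ovpn_conf.write(server_conf)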
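    def _generate_ovpn_conf(self):
        """Write the OpenVPN server conf and hook scripts under ``self._temp_path``.

        Makes sure a primary organization and user exist (creating them when
        the references are missing or do not resolve), writes the tls-verify /
        user-pass-verify / client-connect / client-disconnect hook scripts,
        builds the ``push`` directives from the server mode and DNS settings,
        and writes the inline server conf (CA, primary user cert and key, DH
        params) to the conf path inside the temp directory.

        Files holding secrets are created with their final mode at open time;
        an open()/chmod() pair leaves a window in which the default-umask file
        is readable by other local users.
        """
        def open_with_mode(path, mode):
            # Create or truncate path with mode applied at creation; fchmod
            # also tightens a file that already existed with a looser mode.
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
            os.fchmod(fd, mode)
            return os.fdopen(fd, 'w')

        logger.debug('Generating server ovpn conf. %r' % {
            'server_id': self.id,
        })

        if not self.primary_organization or not self.primary_user:
            self._create_primary_user()

        primary_org = organization.get_org(id=self.primary_organization)
        if not primary_org:
            # Dangling organization reference: recreate and re-resolve.
            self._create_primary_user()
            primary_org = organization.get_org(id=self.primary_organization)

        primary_user = primary_org.get_user(self.primary_user)
        if not primary_user:
            # Dangling user reference: recreate and re-resolve both.
            self._create_primary_user()
            primary_org = organization.get_org(id=self.primary_organization)
            primary_user = primary_org.get_user(self.primary_user)

        tls_verify_path = os.path.join(self._temp_path, TLS_VERIFY_NAME)
        user_pass_verify_path = os.path.join(self._temp_path,
                                             USER_PASS_VERIFY_NAME)
        client_connect_path = os.path.join(self._temp_path,
                                           CLIENT_CONNECT_NAME)
        client_disconnect_path = os.path.join(self._temp_path,
                                              CLIENT_DISCONNECT_NAME)
        ovpn_status_path = os.path.join(self._temp_path, OVPN_STATUS_NAME)
        ovpn_conf_path = os.path.join(self._temp_path, OVPN_CONF_NAME)

        auth_host = settings.conf.bind_addr
        if auth_host == '0.0.0.0':
            auth_host = 'localhost'
        for script, script_path in (
            (TLS_VERIFY_SCRIPT, tls_verify_path),
            (USER_PASS_VERIFY_SCRIPT, user_pass_verify_path),
            (CLIENT_CONNECT_SCRIPT, client_connect_path),
            (CLIENT_DISCONNECT_SCRIPT, client_disconnect_path),
        ):
            # NOTE(review): these scripts embed settings.app.server_api_key
            # and are written 0755, so any local user can read the key. 0700
            # would close that if OpenVPN runs the hooks as this same user;
            # whether it drops privileges depends on the server conf template,
            # which is not visible here, so the mode is kept (original TODO).
            with open_with_mode(script_path, 0o755) as script_file:
                script_file.write(script % (
                    settings.app.server_api_key,
                    '/dev/null',  # TODO
                    'https' if settings.conf.ssl else 'http',
                    auth_host,
                    settings.conf.port,
                    self.id,
                ))

        push = ''
        if self.mode == LOCAL_TRAFFIC:
            for network in self.local_networks:
                push += 'push "route %s %s"\n' % self._parse_network(network)
        elif self.mode == VPN_TRAFFIC:
            pass  # no default route or local routes are pushed
        else:
            push += 'push "redirect-gateway"\n'
        for dns_server in self.dns_servers:
            push += 'push "dhcp-option DNS %s"\n' % dns_server
        if self.search_domain:
            push += 'push "dhcp-option DOMAIN %s"\n' % self.search_domain

        server_conf = OVPN_INLINE_SERVER_CONF % (
            self.port,
            self.protocol,
            self.interface,
            tls_verify_path,
            client_connect_path,
            client_disconnect_path,
            '%s %s' % self._parse_network(self.network),
            ovpn_status_path,
            4 if self.debug else 1,  # raised in debug mode
            8 if self.debug else 3,  # raised in debug mode
        )

        if self.otp_auth:
            server_conf += 'auth-user-pass-verify %s via-file\n' % (
                user_pass_verify_path)

        if self.lzo_compression:
            server_conf += 'comp-lzo\npush "comp-lzo"\n'

        if self.mode in (LOCAL_TRAFFIC, VPN_TRAFFIC):
            server_conf += 'client-to-client\n'

        if push:
            server_conf += push

        server_conf += '<ca>\n%s\n</ca>\n' % utils.get_cert_block(
            self.ca_certificate)
        server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
            primary_user.certificate)
        server_conf += '<key>\n%s\n</key>\n' % primary_user.private_key
        server_conf += '<dh>\n%s\n</dh>\n' % self.dh_params

        # Holds the primary user's private key: owner-only from creation.
        with open_with_mode(ovpn_conf_path, 0o600) as ovpn_conf:
            ovpn_conf.write(server_conf)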
    def _generate_conf(self, svr, include_user_cert=True):
        if not self.sync_token or not self.sync_secret:
            self.sync_token = utils.generate_secret()
            self.sync_secret = utils.generate_secret()
            self.commit(('sync_token', 'sync_secret'))

        file_name = '%s_%s_%s.ovpn' % (
            self.org.name, self.name, svr.name)
        if not svr.ca_certificate:
            svr.generate_ca_cert()
        key_remotes = svr.get_key_remotes()
        ca_certificate = svr.ca_certificate
        certificate = utils.get_cert_block(self.certificate)
        private_key = self.private_key.strip()

        conf_hash = hashlib.md5()
        conf_hash.update(self.name.encode('utf-8'))
        conf_hash.update(self.org.name.encode('utf-8'))
        conf_hash.update(svr.name.encode('utf-8'))
        conf_hash.update(svr.protocol)
        for key_remote in sorted(key_remotes):
            conf_hash.update(key_remote)
        conf_hash.update(CIPHERS[svr.cipher])
        conf_hash.update(str(svr.lzo_compression))
        conf_hash.update(str(svr.block_outside_dns))
        conf_hash.update(str(svr.otp_auth))
        conf_hash.update(JUMBO_FRAMES[svr.jumbo_frames])
        conf_hash.update(ca_certificate)
        conf_hash.update(self._get_key_info_str(svr, None, False))

        plugin_config = ''
        if settings.local.sub_plan and \
                'enterprise' in settings.local.sub_plan:
            returns = plugins.caller(
                'user_config',
                host_id=settings.local.host_id,
                host_name=settings.local.host.name,
                org_id=self.org_id,
                user_id=self.id,
                user_name=self.name,
                server_id=svr.id,
                server_name=svr.name,
                server_port=svr.port,
                server_protocol=svr.protocol,
                server_ipv6=svr.ipv6,
                server_ipv6_firewall=svr.ipv6_firewall,
                server_network=svr.network,
                server_network6=svr.network6,
                server_network_mode=svr.network_mode,
                server_network_start=svr.network_start,
                server_network_stop=svr.network_end,
                server_restrict_routes=svr.restrict_routes,
                server_bind_address=svr.bind_address,
                server_onc_hostname=None,
                server_dh_param_bits=svr.dh_param_bits,
                server_multi_device=svr.multi_device,
                server_dns_servers=svr.dns_servers,
                server_search_domain=svr.search_domain,
                server_otp_auth=svr.otp_auth,
                server_cipher=svr.cipher,
                server_hash=svr.hash,
                server_inter_client=svr.inter_client,
                server_ping_interval=svr.ping_interval,
                server_ping_timeout=svr.ping_timeout,
                server_link_ping_interval=svr.link_ping_interval,
                server_link_ping_timeout=svr.link_ping_timeout,
                server_allowed_devices=svr.allowed_devices,
                server_max_clients=svr.max_clients,
                server_replica_count=svr.replica_count,
                server_dns_mapping=svr.dns_mapping,
                server_debug=svr.debug,
            )

            if returns:
                for return_val in returns:
                    if not return_val:
                        continue

                    val = return_val.strip()
                    conf_hash.update(val)
                    plugin_config += val + '\n'

        conf_hash = conf_hash.hexdigest()

        client_conf = OVPN_INLINE_CLIENT_CONF % (
            self._get_key_info_str(svr, conf_hash, include_user_cert),
            uuid.uuid4().hex,
            utils.random_name(),
            svr.adapter_type,
            svr.adapter_type,
            svr.get_key_remotes(),
            CIPHERS[svr.cipher],
            HASHES[svr.hash],
            svr.ping_interval,
            svr.ping_timeout,
        )

        if svr.lzo_compression != ADAPTIVE:
            client_conf += 'comp-lzo no\n'

        if svr.block_outside_dns:
            client_conf += 'ignore-unknown-option block-outside-dns\n'
            client_conf += 'block-outside-dns\n'

        if self.has_password(svr):
            client_conf += 'auth-user-pass\n'

        if svr.tls_auth:
            client_conf += 'key-direction 1\n'

        client_conf += JUMBO_FRAMES[svr.jumbo_frames]
        client_conf += plugin_config
        client_conf += '<ca>\n%s\n</ca>\n' % ca_certificate
        if include_user_cert:
            if svr.tls_auth:
                client_conf += '<tls-auth>\n%s\n</tls-auth>\n' % (
                    svr.tls_auth_key)

            client_conf += '<cert>\n%s\n</cert>\n' % certificate
            client_conf += '<key>\n%s\n</key>\n' % private_key

        return file_name, client_conf, conf_hash
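    def _generate_ovpn_conf(self):
        """Write the OpenVPN server config and its hook scripts into ``self._temp_path``.

        In order:

        1. make sure the server's primary organization and primary user both
           exist and resolve, calling ``_create_primary_user`` again whenever
           a stored reference is empty or no longer found;
        2. render the tls-verify, user-pass-verify, client-connect and
           client-disconnect scripts, each templated with the server API key
           and the scheme/host/port of this host's API;
        3. render ``OVPN_INLINE_SERVER_CONF`` with the pushed routes/DNS
           options and the inlined CA bundle, primary user certificate and
           private key and DH parameters, and write it to ``OVPN_CONF_NAME``
           with mode 0600.

        Returns nothing; I/O errors propagate.
        """
        logger.debug('Generating server ovpn conf. %r' % {
            'server_id': self.id,
        })

        # The server's own identity is a user inside the primary organization;
        # recreate it when either reference is missing or no longer resolves.
        if not self.primary_organization or not self.primary_user:
            self._create_primary_user()

        primary_org = organization.get_org(id=self.primary_organization)
        if not primary_org:
            self._create_primary_user()
            primary_org = organization.get_org(id=self.primary_organization)

        primary_user = primary_org.get_user(self.primary_user)
        if not primary_user:
            self._create_primary_user()
            primary_org = organization.get_org(id=self.primary_organization)
            primary_user = primary_org.get_user(self.primary_user)

        tls_verify_path = os.path.join(self._temp_path,
            TLS_VERIFY_NAME)
        user_pass_verify_path = os.path.join(self._temp_path,
            USER_PASS_VERIFY_NAME)
        client_connect_path = os.path.join(self._temp_path,
            CLIENT_CONNECT_NAME)
        client_disconnect_path = os.path.join(self._temp_path,
            CLIENT_DISCONNECT_NAME)
        ovpn_status_path = os.path.join(self._temp_path,
            OVPN_STATUS_NAME)
        ovpn_conf_path = os.path.join(self._temp_path,
            OVPN_CONF_NAME)

        # A wildcard bind address is not dialable; the hooks call back to
        # this host over loopback instead.
        auth_host = settings.conf.bind_addr
        if auth_host == '0.0.0.0':
            auth_host = 'localhost'
        # NOTE(review): every hook script embeds settings.app.server_api_key
        # and is left at 0755, i.e. readable by any local account unless
        # self._temp_path itself is locked down. Tighten to 0700 once it is
        # confirmed that openvpn executes these hooks as root.
        for script, script_path in (
                    (TLS_VERIFY_SCRIPT, tls_verify_path),
                    (USER_PASS_VERIFY_SCRIPT, user_pass_verify_path),
                    (CLIENT_CONNECT_SCRIPT, client_connect_path),
                    (CLIENT_DISCONNECT_SCRIPT, client_disconnect_path),
                ):
            with open(script_path, 'w') as script_file:
                os.chmod(script_path, 0o755) # TODO
                script_file.write(script % (
                    settings.app.server_api_key,
                    '/dev/null', # TODO
                    'https' if settings.conf.ssl else 'http',
                    auth_host,
                    settings.conf.port,
                    self.id,
                ))

        # Options pushed to clients: local routes, full redirect, or nothing
        # (VPN_TRAFFIC), plus DNS server / search domain if configured.
        push = ''
        if self.mode == LOCAL_TRAFFIC:
            for network in self.local_networks:
                push += 'push "route %s %s"\n' % self._parse_network(network)
        elif self.mode == VPN_TRAFFIC:
            pass
        else:
            push += 'push "redirect-gateway"\n'
        for dns_server in self.dns_servers:
            push += 'push "dhcp-option DNS %s"\n' % dns_server
        if self.search_domain:
            push += 'push "dhcp-option DOMAIN %s"\n' % self.search_domain

        server_conf = OVPN_INLINE_SERVER_CONF % (
            self.port,
            self.protocol,
            self.interface,
            tls_verify_path,
            client_connect_path,
            client_disconnect_path,
            '%s %s' % self._parse_network(self.network),
            ovpn_status_path,
            4 if self.debug else 1,
            8 if self.debug else 3,
        )

        if self.otp_auth:
            server_conf += 'auth-user-pass-verify %s via-file\n' % (
                user_pass_verify_path)

        if self.lzo_compression:
            server_conf += 'comp-lzo\npush "comp-lzo"\n'

        if self.mode in (LOCAL_TRAFFIC, VPN_TRAFFIC):
            server_conf += 'client-to-client\n'

        if push:
            server_conf += push

        server_conf += '<ca>\n%s\n</ca>\n' % utils.get_cert_block(
            self.ca_certificate)
        server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
            primary_user.certificate)
        server_conf += '<key>\n%s\n</key>\n' % primary_user.private_key
        server_conf += '<dh>\n%s\n</dh>\n' % self.dh_params

        # The config embeds the private key: create it owner-only from the
        # start rather than open() followed by chmod(), which leaves a window
        # at umask permissions, and fchmod() so a file left over from an
        # earlier run with a looser mode is tightened as well.
        conf_fd = os.open(ovpn_conf_path,
            os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(conf_fd, 'w') as ovpn_conf:
            os.fchmod(conf_fd, 0o600)
            ovpn_conf.write(server_conf)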
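    def generate_ovpn_conf(self):
        """Render and write the OpenVPN server config for ``self.server``.

        Resolves (or recreates) the server's primary organization and user,
        builds the pushed/static route lines, renders
        ``OVPN_INLINE_SERVER_CONF`` with port, protocol, interface, network,
        management socket, client limit, keepalive values, cipher and
        verbosity, appends the optional directives (bind address,
        client-to-client, duplicate-cn, compression, jumbo frames), then the
        CA bundle, tls-auth key, primary user certificate/private key and DH
        parameters, and writes everything to ``self.ovpn_conf_path`` with
        mode 0600.

        When ``self.server.debug`` is set the config is echoed to
        ``self.server.output`` before any key material is appended.
        """
        logger.debug('Generating server ovpn conf', 'server',
            server_id=self.server.id,
        )

        if not self.server.primary_organization or \
                not self.server.primary_user:
            self.server.create_primary_user()

        # A primary org that is no longer attached to this server is
        # replaced by a fresh primary user in an attached one.
        if self.server.primary_organization not in self.server.organizations:
            self.server.remove_primary_user()
            self.server.create_primary_user()

        primary_org = organization.get_by_id(self.server.primary_organization)
        if not primary_org:
            self.server.create_primary_user()
            primary_org = organization.get_by_id(
                id=self.server.primary_organization)

        self.primary_user = primary_org.get_user(self.server.primary_user)
        if not self.primary_user:
            self.server.create_primary_user()
            primary_org = organization.get_by_id(
                id=self.server.primary_organization)
            self.primary_user = primary_org.get_user(self.server.primary_user)

        push = ''
        if self.server.mode == LOCAL_TRAFFIC:
            for network in self.server.local_networks:
                push += 'push "route %s %s"\n' % utils.parse_network(network)
        elif self.server.mode == VPN_TRAFFIC:
            pass

        # Static routes to linked servers' networks via this server's
        # gateway, added only from the side with the lower id (presumably so
        # each link is configured once).
        for link_svr in self.server.iter_links(fields=(
                '_id', 'network', 'local_networks')):
            if self.server.id < link_svr.id:
                gateway = utils.get_network_gateway(self.server.network)
                push += 'route %s %s %s\n' % (utils.parse_network(
                    link_svr.network) + (gateway,))
                for local_network in link_svr.local_networks:
                    push += 'route %s %s %s\n' % (utils.parse_network(
                        local_network) + (gateway,))

        server_conf = OVPN_INLINE_SERVER_CONF % (
            self.server.port,
            self.server.protocol,
            self.interface,
            '%s %s' % utils.parse_network(self.server.network),
            self.management_socket_path,
            self.server.max_clients,
            self.server.ping_interval,
            self.server.ping_timeout + 20,
            self.server.ping_interval,
            self.server.ping_timeout,
            CIPHERS[self.server.cipher],
            4 if self.server.debug else 1,
            8 if self.server.debug else 3,
        )

        if self.server.bind_address:
            server_conf += 'local %s\n' % self.server.bind_address

        if self.server.inter_client:
            server_conf += 'client-to-client\n'

        if self.server.multi_device:
            server_conf += 'duplicate-cn\n'

        # Pritunl v0.10.x did not include comp-lzo in client conf
        # if lzo_compression is adaptive dont include comp-lzo in server conf
        if self.server.lzo_compression == ADAPTIVE:
            pass
        elif self.server.lzo_compression:
            server_conf += 'comp-lzo yes\npush "comp-lzo yes"\n'
        else:
            server_conf += 'comp-lzo no\npush "comp-lzo no"\n'

        server_conf += JUMBO_FRAMES[self.server.jumbo_frames]

        if push:
            server_conf += push

        # The debug dump happens before the CA/tls-auth/cert/key blocks are
        # appended, so no key material reaches the server output.
        if self.server.debug:
            self.server.output.push_message('Server conf:')
            for conf_line in server_conf.split('\n'):
                if conf_line:
                    self.server.output.push_message('  ' + conf_line)

        server_conf += '<ca>\n%s\n</ca>\n' % self.server.ca_certificate

        if self.server.tls_auth:
            server_conf += 'key-direction 0\n<tls-auth>\n%s\n</tls-auth>\n' % (
                self.server.tls_auth_key)

        server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
            self.primary_user.certificate)
        server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
        server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params

        # The file holds the private key and tls-auth key: create it
        # owner-only from the start rather than open() followed by chmod(),
        # which leaves a window at umask permissions, and fchmod() so a file
        # left over from an earlier run with a looser mode is tightened too.
        conf_fd = os.open(self.ovpn_conf_path,
            os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(conf_fd, 'w') as ovpn_conf:
            os.fchmod(conf_fd, 0o600)
            ovpn_conf.write(server_conf)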
 def generate_ca_cert(self):
     """Rebuild the server CA bundle from every organization's CA certificate.

     Each organization returned by ``iter_orgs()`` contributes one PEM block
     (via ``utils.get_cert_block``); the blocks are newline separated and the
     result, with any trailing newlines removed, is stored on
     ``self.ca_certificate``.
     """
     blocks = [utils.get_cert_block(org.ca_certificate) + '\n'
         for org in self.iter_orgs()]
     self.ca_certificate = ''.join(blocks).rstrip('\n')
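    def generate_ovpn_conf(self):
        """Render and write the OpenVPN server config for ``self.server``.

        Resolves (or recreates) the server's primary organization and user,
        builds the route lines (pushed client routes for this server's own
        routes, static ``route``/``route-ipv6`` lines for network-link routes
        and linked servers), picks ``server`` / ``server-ipv6`` or
        ``server-bridge`` depending on ``network_mode``, renders
        ``OVPN_INLINE_SERVER_CONF``, appends the optional directives, then the
        CA bundle, tls-auth key, primary user certificate/private key and DH
        parameters, and writes everything to ``self.ovpn_conf_path`` with
        mode 0600.

        When ``self.server.debug`` is set the config is echoed to
        ``self.server.output`` before any key material is appended.
        """
        logger.debug('Generating server ovpn conf', 'server',
            server_id=self.server.id,
        )

        if not self.server.primary_organization or \
                not self.server.primary_user:
            self.server.create_primary_user()

        # A primary org that is no longer attached to this server is
        # replaced by a fresh primary user in an attached one.
        if self.server.primary_organization not in self.server.organizations:
            self.server.remove_primary_user()
            self.server.create_primary_user()

        primary_org = organization.get_by_id(self.server.primary_organization)
        if not primary_org:
            self.server.create_primary_user()
            primary_org = organization.get_by_id(
                id=self.server.primary_organization)

        self.primary_user = primary_org.get_user(self.server.primary_user)
        if not self.primary_user:
            self.server.create_primary_user()
            primary_org = organization.get_by_id(
                id=self.server.primary_organization)
            self.primary_user = primary_org.get_user(self.server.primary_user)

        gateway = utils.get_network_gateway(self.server.network)
        gateway6 = utils.get_network_gateway(self.server.network6)

        # Routes without a network link are pushed to clients; routes that
        # belong to a network link become kernel routes on the server through
        # the VPN gateway. IPv6 is detected by the presence of ':'.
        push = ''
        for route in self.server.get_routes(include_default=False):
            if route['virtual_network']:
                continue

            network = route['network']
            if not route.get('network_link'):
                if ':' in network:
                    # No trailing space inside the pushed option (the IPv4
                    # branch and later versions do not carry one either).
                    push += 'push "route-ipv6 %s"\n' % network
                else:
                    push += 'push "route %s %s"\n' % utils.parse_network(
                        network)
            else:
                if ':' in network:
                    push += 'route-ipv6 %s %s\n' % (network, gateway6)
                else:
                    push += 'route %s %s %s\n' % (utils.parse_network(
                        network) + (gateway,))

        # Linked servers' routes, added only from the side with the lower id
        # (presumably so each link is configured once).
        for link_svr in self.server.iter_links(fields=(
                '_id', 'network', 'local_networks', 'network_start',
                'network_end', 'organizations', 'routes', 'links')):
            if self.server.id < link_svr.id:
                for route in link_svr.get_routes(include_default=False):
                    network = route['network']
                    if ':' in network:
                        push += 'route-ipv6 %s %s\n' % (
                            network, gateway6)
                    else:
                        push += 'route %s %s %s\n' % (utils.parse_network(
                            network) + (gateway,))

        if self.server.network_mode == BRIDGE:
            host_int_data = self.host_interface_data
            host_address = host_int_data['address']
            host_netmask = host_int_data['netmask']

            server_line = 'server-bridge %s %s %s %s' % (
                host_address,
                host_netmask,
                self.server.network_start,
                self.server.network_end,
            )
        else:
            server_line = 'server %s %s' % utils.parse_network(
                self.server.network)

            if self.server.ipv6:
                server_line += '\nserver-ipv6 ' + self.server.network6

        server_conf = OVPN_INLINE_SERVER_CONF % (
            self.server.port,
            self.server.protocol + ('6' if self.server.ipv6 else ''),
            self.interface,
            server_line,
            self.management_socket_path,
            self.server.max_clients,
            self.server.ping_interval,
            self.server.ping_timeout + 20,
            self.server.ping_interval,
            self.server.ping_timeout,
            CIPHERS[self.server.cipher],
            HASHES[self.server.hash],
            4 if self.server.debug else 1,
            8 if self.server.debug else 3,
        )

        if self.server.bind_address:
            server_conf += 'local %s\n' % self.server.bind_address

        if self.server.inter_client:
            server_conf += 'client-to-client\n'

        if self.server.multi_device:
            server_conf += 'duplicate-cn\n'

        if self.server.protocol == 'udp':
            server_conf += 'replay-window 128\n'

        # Pritunl v0.10.x did not include comp-lzo in client conf
        # if lzo_compression is adaptive dont include comp-lzo in server conf
        if self.server.lzo_compression == ADAPTIVE:
            pass
        elif self.server.lzo_compression:
            server_conf += 'comp-lzo yes\npush "comp-lzo yes"\n'
        else:
            server_conf += 'comp-lzo no\npush "comp-lzo no"\n'

        server_conf += JUMBO_FRAMES[self.server.jumbo_frames]

        if push:
            server_conf += push

        # The debug dump happens before the CA/tls-auth/cert/key blocks are
        # appended, so no key material reaches the server output.
        if self.server.debug:
            self.server.output.push_message('Server conf:')
            for conf_line in server_conf.split('\n'):
                if conf_line:
                    self.server.output.push_message('  ' + conf_line)

        server_conf += '<ca>\n%s\n</ca>\n' % self.server.ca_certificate

        if self.server.tls_auth:
            server_conf += 'key-direction 0\n<tls-auth>\n%s\n</tls-auth>\n' % (
                self.server.tls_auth_key)

        server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
            self.primary_user.certificate)
        server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
        server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params

        # The file holds the private key and tls-auth key: create it
        # owner-only from the start rather than open() followed by chmod(),
        # which leaves a window at umask permissions, and fchmod() so a file
        # left over from an earlier run with a looser mode is tightened too.
        conf_fd = os.open(self.ovpn_conf_path,
            os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(conf_fd, 'w') as ovpn_conf:
            os.fchmod(conf_fd, 0o600)
            ovpn_conf.write(server_conf)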
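    def generate_ovpn_conf(self):
        """Render and write the OpenVPN server config for ``self.server``.

        Resolves (or recreates) the server's primary organization and user,
        builds the route lines (pushed ``net_gateway`` exclusions and client
        routes for this server's own routes, static ``route``/``route-ipv6``
        lines for network-link routes, linked servers and the vxlan network),
        picks ``server`` / ``server-ipv6`` or ``server-bridge`` by
        ``network_mode`` and the ``tcp``/``udp`` (``6``) protocol keyword,
        renders ``OVPN_INLINE_SERVER_CONF``, appends the optional directives
        and any ``server_config`` plugin output (enterprise plans only), then
        the CA bundle, tls-auth key, primary user certificate/private key and
        DH parameters, and writes everything to ``self.ovpn_conf_path`` with
        mode 0600.

        When ``self.server.debug`` is set the config is echoed to
        ``self.server.output`` before plugin output or key material is
        appended.

        Raises ``ValueError`` when ``self.server.protocol`` is neither
        ``'tcp'`` nor ``'udp'``.
        """
        if not self.server.primary_organization or \
                not self.server.primary_user:
            self.server.create_primary_user()

        # A primary org that is no longer attached to this server is
        # replaced by a fresh primary user in an attached one.
        if self.server.primary_organization not in self.server.organizations:
            self.server.remove_primary_user()
            self.server.create_primary_user()

        primary_org = organization.get_by_id(self.server.primary_organization)
        if not primary_org:
            self.server.create_primary_user()
            primary_org = organization.get_by_id(
                id=self.server.primary_organization)

        self.primary_user = primary_org.get_user(self.server.primary_user)
        if not self.primary_user:
            self.server.create_primary_user()
            primary_org = organization.get_by_id(
                id=self.server.primary_organization)
            self.primary_user = primary_org.get_user(self.server.primary_user)

        gateway = utils.get_network_gateway(self.server.network)
        gateway6 = utils.get_network_gateway(self.server.network6)

        # net_gateway routes are pushed as exclusions (client keeps using its
        # own gateway); other non-link routes are pushed through the VPN;
        # network-link routes become kernel routes on the server. IPv6 is
        # detected by the presence of ':'. ``routes`` collects every network
        # (virtual ones included) for the server_config plugin call below.
        push = ''
        routes = []
        for route in self.server.get_routes(include_default=False):
            routes.append(route['network'])
            if route['virtual_network']:
                continue

            network = route['network']
            if route['net_gateway']:
                if ':' in network:
                    push += 'push "route-ipv6 %s net_gateway"\n' % network
                else:
                    push += 'push "route %s %s net_gateway"\n' % \
                        utils.parse_network(network)
            elif not route.get('network_link'):
                if ':' in network:
                    push += 'push "route-ipv6 %s"\n' % network
                else:
                    push += 'push "route %s %s"\n' % utils.parse_network(
                        network)
            else:
                if ':' in network:
                    push += 'route-ipv6 %s %s\n' % (network, gateway6)
                else:
                    push += 'route %s %s %s\n' % (
                        utils.parse_network(network) + (gateway, ))

        # Linked servers' routes, added only from the side with the lower id
        # (presumably so each link is configured once).
        for link_svr in self.server.iter_links(
                fields=('_id', 'network', 'local_networks', 'network_start',
                        'network_end', 'organizations', 'routes', 'links',
                        'ipv6', 'replica_count', 'network_mode')):
            if self.server.id < link_svr.id:
                for route in link_svr.get_routes(include_default=False):
                    network = route['network']

                    if route['net_gateway']:
                        continue

                    if ':' in network:
                        push += 'route-ipv6 %s %s\n' % (network, gateway6)
                    else:
                        push += 'route %s %s %s\n' % (
                            utils.parse_network(network) + (gateway, ))

        if self.vxlan:
            push += 'push "route %s %s"\n' % utils.parse_network(
                self.vxlan.vxlan_net)

        if self.server.network_mode == BRIDGE:
            host_int_data = self.host_interface_data
            host_address = host_int_data['address']
            host_netmask = host_int_data['netmask']

            server_line = 'server-bridge %s %s %s %s' % (
                host_address,
                host_netmask,
                self.server.network_start,
                self.server.network_end,
            )
        else:
            server_line = 'server %s %s' % utils.parse_network(
                self.server.network)

            if self.server.ipv6:
                server_line += '\nserver-ipv6 ' + self.server.network6

        # Dual-stack listeners are only possible without an explicit bind
        # address; with one, the plain IPv4 keyword is used.
        if self.server.protocol == 'tcp':
            if (self.server.ipv6 or settings.vpn.ipv6) and \
                    not self.server.bind_address:
                protocol = 'tcp6-server'
            else:
                protocol = 'tcp-server'
        elif self.server.protocol == 'udp':
            if (self.server.ipv6 or settings.vpn.ipv6) and \
                    not self.server.bind_address:
                protocol = 'udp6'
            else:
                protocol = 'udp'
        else:
            raise ValueError('Unknown protocol')

        server_conf = OVPN_INLINE_SERVER_CONF % (
            self.server.port,
            protocol,
            self.interface,
            server_line,
            self.management_socket_path,
            self.server.max_clients,
            self.server.ping_interval,
            self.server.ping_timeout + 20,
            self.server.ping_interval,
            self.server.ping_timeout,
            SERVER_CIPHERS[self.server.cipher],
            HASHES[self.server.hash],
            4 if self.server.debug else 1,
            8 if self.server.debug else 3,
        )

        if self.server.bind_address:
            server_conf += 'local %s\n' % self.server.bind_address

        if self.server.inter_client:
            server_conf += 'client-to-client\n'

        if self.server.multi_device:
            server_conf += 'duplicate-cn\n'

        if self.server.protocol == 'udp':
            server_conf += 'replay-window 128\n'

        # Pritunl v0.10.x did not include comp-lzo in client conf
        # if lzo_compression is adaptive dont include comp-lzo in server conf
        if self.server.lzo_compression == ADAPTIVE:
            pass
        elif self.server.lzo_compression:
            server_conf += 'comp-lzo yes\npush "comp-lzo yes"\n'
        else:
            server_conf += 'comp-lzo no\npush "comp-lzo no"\n'

        server_conf += JUMBO_FRAMES[self.server.jumbo_frames]

        if push:
            server_conf += push

        # The debug dump happens before plugin output and before the
        # CA/tls-auth/cert/key blocks are appended, so no key material
        # reaches the server output.
        if self.server.debug:
            self.server.output.push_message('Server conf:')
            for conf_line in server_conf.split('\n'):
                if conf_line:
                    self.server.output.push_message('  ' + conf_line)

        if settings.local.sub_plan and \
                'enterprise' in settings.local.sub_plan:
            returns = plugins.caller(
                'server_config',
                host_id=settings.local.host_id,
                host_name=settings.local.host.name,
                server_id=self.server.id,
                server_name=self.server.name,
                port=self.server.port,
                protocol=self.server.protocol,
                ipv6=self.server.ipv6,
                ipv6_firewall=self.server.ipv6_firewall,
                network=self.server.network,
                network6=self.server.network6,
                network_mode=self.server.network_mode,
                network_start=self.server.network_start,
                network_stop=self.server.network_end,
                restrict_routes=self.server.restrict_routes,
                bind_address=self.server.bind_address,
                onc_hostname=self.server.onc_hostname,
                dh_param_bits=self.server.dh_param_bits,
                multi_device=self.server.multi_device,
                dns_servers=self.server.dns_servers,
                search_domain=self.server.search_domain,
                otp_auth=self.server.otp_auth,
                cipher=self.server.cipher,
                hash=self.server.hash,
                inter_client=self.server.inter_client,
                ping_interval=self.server.ping_interval,
                ping_timeout=self.server.ping_timeout,
                link_ping_interval=self.server.link_ping_interval,
                link_ping_timeout=self.server.link_ping_timeout,
                allowed_devices=self.server.allowed_devices,
                max_clients=self.server.max_clients,
                replica_count=self.server.replica_count,
                dns_mapping=self.server.dns_mapping,
                debug=self.server.debug,
                routes=routes,
                interface=self.interface,
                bridge_interface=self.bridge_interface,
                vxlan=self.vxlan,
            )

            # Plugin output is spliced into the config verbatim; each value
            # must end with a real newline ('\n', not the literal '/n' the
            # previous code appended) or it would run into the <ca> block.
            if returns:
                for return_val in returns:
                    if not return_val:
                        continue
                    server_conf += return_val.strip() + '\n'

        server_conf += '<ca>\n%s\n</ca>\n' % self.server.ca_certificate

        if self.server.tls_auth:
            server_conf += 'key-direction 0\n<tls-auth>\n%s\n</tls-auth>\n' % (
                self.server.tls_auth_key)

        server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
            self.primary_user.certificate)
        server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
        server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params

        # The file holds the private key and tls-auth key: create it
        # owner-only from the start rather than open() followed by chmod(),
        # which leaves a window at umask permissions, and fchmod() so a file
        # left over from an earlier run with a looser mode is tightened too.
        conf_fd = os.open(self.ovpn_conf_path,
            os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(conf_fd, 'w') as ovpn_conf:
            os.fchmod(conf_fd, 0o600)
            ovpn_conf.write(server_conf)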
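    def generate_ovpn_conf(self):
        """Render and write the OpenVPN server config for ``self.server``.

        Resolves (or recreates) the server's primary organization and user,
        builds the pushed options (local routes / redirect-gateway depending
        on ``mode``, DNS server and search domain, routes to every linked
        server's network and local networks), renders
        ``OVPN_INLINE_SERVER_CONF``, appends the optional directives (bind
        address, duplicate-cn, auth-user-pass-verify for OTP, compression,
        jumbo frames), then the CA bundle, tls-auth key, primary user
        certificate/private key and DH parameters, and writes everything to
        ``self.ovpn_conf_path`` with mode 0600.
        """
        from pritunl.server.utils import get_by_id

        logger.debug(
            'Generating server ovpn conf',
            'server',
            server_id=self.server.id,
        )

        if not self.server.primary_organization or \
                not self.server.primary_user:
            self.server.create_primary_user()

        # A primary org that is no longer attached to this server is
        # replaced by a fresh primary user in an attached one.
        if self.server.primary_organization not in self.server.organizations:
            self.server.remove_primary_user()
            self.server.create_primary_user()

        primary_org = organization.get_by_id(self.server.primary_organization)
        if not primary_org:
            self.server.create_primary_user()
            primary_org = organization.get_by_id(
                id=self.server.primary_organization)

        self.primary_user = primary_org.get_user(self.server.primary_user)
        if not self.primary_user:
            self.server.create_primary_user()
            primary_org = organization.get_by_id(
                id=self.server.primary_organization)
            self.primary_user = primary_org.get_user(self.server.primary_user)

        # Options pushed to clients: local routes, full redirect, or nothing
        # (VPN_TRAFFIC), plus DNS server / search domain if configured.
        push = ''
        if self.server.mode == LOCAL_TRAFFIC:
            for network in self.server.local_networks:
                push += 'push "route %s %s"\n' % utils.parse_network(network)
        elif self.server.mode == VPN_TRAFFIC:
            pass
        else:
            push += 'push "redirect-gateway"\n'
        for dns_server in self.server.dns_servers:
            push += 'push "dhcp-option DNS %s"\n' % dns_server
        if self.server.search_domain:
            push += 'push "dhcp-option DOMAIN %s"\n' % (
                self.server.search_domain)

        # Every linked server's network and local networks are pushed to
        # clients as routes.
        for link_doc in self.server.links:
            link_svr = get_by_id(link_doc['server_id'])

            push += 'push "route %s %s"\n' % utils.parse_network(
                link_svr.network)
            for local_network in link_svr.local_networks:
                push += 'push "route %s %s"\n' % utils.parse_network(
                    local_network)

        server_conf = OVPN_INLINE_SERVER_CONF % (
            self.server.port,
            self.server.protocol,
            self.interface,
            '%s %s' % utils.parse_network(self.server.network),
            self.management_socket_path,
            CIPHERS[self.server.cipher],
            4 if self.server.debug else 1,
            8 if self.server.debug else 3,
        )

        if self.server.bind_address:
            server_conf += 'local %s\n' % self.server.bind_address

        if self.server.multi_device:
            server_conf += 'duplicate-cn\n'

        if self.server.otp_auth:
            server_conf += 'auth-user-pass-verify %s via-file\n' % (
                self.user_pass_verify_path)

        # Pritunl v0.10.x did not include comp-lzo in client conf
        # if lzo_compression is adaptive dont include comp-lzo in server conf
        if self.server.lzo_compression == ADAPTIVE:
            pass
        elif self.server.lzo_compression:
            server_conf += 'comp-lzo yes\npush "comp-lzo yes"\n'
        else:
            server_conf += 'comp-lzo no\npush "comp-lzo no"\n'

        server_conf += JUMBO_FRAMES[self.server.jumbo_frames]

        if push:
            server_conf += push

        server_conf += '<ca>\n%s\n</ca>\n' % self.server.ca_certificate

        # NOTE(review): no key-direction accompanies the inline tls-auth key
        # here, so OpenVPN treats it as bidirectional; the client side must
        # match (no key-direction there either) or the HMAC check on the
        # control channel fails. Confirm against the client conf generator
        # of this version.
        if self.server.tls_auth:
            server_conf += '<tls-auth>\n%s\n</tls-auth>\n' % (
                self.server.tls_auth_key)

        server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
            self.primary_user.certificate)
        server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
        server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params

        # The file holds the private key and tls-auth key: create it
        # owner-only from the start rather than open() followed by chmod(),
        # which leaves a window at umask permissions, and fchmod() so a file
        # left over from an earlier run with a looser mode is tightened too.
        conf_fd = os.open(self.ovpn_conf_path,
            os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(conf_fd, 'w') as ovpn_conf:
            os.fchmod(conf_fd, 0o600)
            ovpn_conf.write(server_conf)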
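    def generate_ovpn_conf(self):
        """Render and write the OpenVPN server config for ``self.server``.

        Resolves (or recreates) the server's primary organization and user,
        builds the pushed client routes (``LOCAL_TRAFFIC`` mode) and the
        static routes to linked servers, renders ``OVPN_INLINE_SERVER_CONF``
        with port, protocol, interface, network, management socket, cipher
        and verbosity, appends the optional directives (bind address,
        duplicate-cn, compression, jumbo frames), then the CA bundle,
        tls-auth key, primary user certificate/private key and DH parameters,
        and writes everything to ``self.ovpn_conf_path`` with mode 0600.

        When ``self.server.debug`` is set the config is echoed to
        ``self.server.output`` before any key material is appended.
        """
        logger.debug(
            'Generating server ovpn conf',
            'server',
            server_id=self.server.id,
        )

        if not self.server.primary_organization or \
                not self.server.primary_user:
            self.server.create_primary_user()

        # A primary org that is no longer attached to this server is
        # replaced by a fresh primary user in an attached one.
        if self.server.primary_organization not in self.server.organizations:
            self.server.remove_primary_user()
            self.server.create_primary_user()

        primary_org = organization.get_by_id(self.server.primary_organization)
        if not primary_org:
            self.server.create_primary_user()
            primary_org = organization.get_by_id(
                id=self.server.primary_organization)

        self.primary_user = primary_org.get_user(self.server.primary_user)
        if not self.primary_user:
            self.server.create_primary_user()
            primary_org = organization.get_by_id(
                id=self.server.primary_organization)
            self.primary_user = primary_org.get_user(self.server.primary_user)

        push = ''
        if self.server.mode == LOCAL_TRAFFIC:
            for network in self.server.local_networks:
                push += 'push "route %s %s"\n' % utils.parse_network(network)
        elif self.server.mode == VPN_TRAFFIC:
            pass

        # Static routes to linked servers' networks via this server's
        # gateway, added only from the side with the lower id (presumably so
        # each link is configured once).
        for link_svr in self.server.iter_links(fields=('_id', 'network',
                                                       'local_networks')):
            if self.server.id < link_svr.id:
                gateway = utils.get_network_gateway(self.server.network)
                push += 'route %s %s %s\n' % (
                    utils.parse_network(link_svr.network) + (gateway, ))
                for local_network in link_svr.local_networks:
                    push += 'route %s %s %s\n' % (
                        utils.parse_network(local_network) + (gateway, ))

        server_conf = OVPN_INLINE_SERVER_CONF % (
            self.server.port,
            self.server.protocol,
            self.interface,
            '%s %s' % utils.parse_network(self.server.network),
            self.management_socket_path,
            CIPHERS[self.server.cipher],
            4 if self.server.debug else 1,
            8 if self.server.debug else 3,
        )

        if self.server.bind_address:
            server_conf += 'local %s\n' % self.server.bind_address

        if self.server.multi_device:
            server_conf += 'duplicate-cn\n'

        # Pritunl v0.10.x did not include comp-lzo in client conf
        # if lzo_compression is adaptive dont include comp-lzo in server conf
        if self.server.lzo_compression == ADAPTIVE:
            pass
        elif self.server.lzo_compression:
            server_conf += 'comp-lzo yes\npush "comp-lzo yes"\n'
        else:
            server_conf += 'comp-lzo no\npush "comp-lzo no"\n'

        server_conf += JUMBO_FRAMES[self.server.jumbo_frames]

        if push:
            server_conf += push

        # The debug dump happens before the CA/tls-auth/cert/key blocks are
        # appended, so no key material reaches the server output.
        if self.server.debug:
            self.server.output.push_message('Server conf:')
            for conf_line in server_conf.split('\n'):
                if conf_line:
                    self.server.output.push_message('  ' + conf_line)

        server_conf += '<ca>\n%s\n</ca>\n' % self.server.ca_certificate

        if self.server.tls_auth:
            server_conf += 'key-direction 0\n<tls-auth>\n%s\n</tls-auth>\n' % (
                self.server.tls_auth_key)

        server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
            self.primary_user.certificate)
        server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
        server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params

        # The file holds the private key and tls-auth key: create it
        # owner-only from the start rather than open() followed by chmod(),
        # which leaves a window at umask permissions, and fchmod() so a file
        # left over from an earlier run with a looser mode is tightened too.
        conf_fd = os.open(self.ovpn_conf_path,
            os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(conf_fd, 'w') as ovpn_conf:
            os.fchmod(conf_fd, 0o600)
            ovpn_conf.write(server_conf)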
    def _generate_conf(self, svr, include_user_cert=True):
        """Build this user's inline .ovpn profile for server *svr*.

        Returns ``(file_name, client_conf, conf_hash)``: a suggested file
        name, the rendered profile text and an md5 hex digest over the
        inputs that shape the profile (user/org/server names, protocol,
        sorted remotes, cipher, compression, DNS/OTP flags, jumbo-frame
        setting, CA bundle, key info and any plugin-supplied lines). The
        digest is a change detector for the profile, not an integrity check.

        Side effects: generates and commits ``sync_token``/``sync_secret``
        when either is missing, and asks *svr* to build its CA bundle when
        it has none.

        When ``include_user_cert`` is False the <tls-auth>, <cert> and <key>
        blocks are left out; the <ca> block is always emitted.
        """
        if not (self.sync_token and self.sync_secret):
            self.sync_token = utils.generate_secret()
            self.sync_secret = utils.generate_secret()
            self.commit(('sync_token', 'sync_secret'))

        file_name = '%s_%s_%s.ovpn' % (self.org.name, self.name, svr.name)
        if not svr.ca_certificate:
            svr.generate_ca_cert()
        remotes = svr.get_key_remotes()
        ca_bundle = svr.ca_certificate
        user_cert = utils.get_cert_block(self.certificate)
        user_key = self.private_key.strip()

        # Fingerprint everything that influences the generated profile, in
        # a fixed order so equal inputs always yield the same digest.
        hasher = hashlib.md5()
        for chunk in (
            self.name.encode('utf-8'),
            self.org.name.encode('utf-8'),
            svr.name.encode('utf-8'),
            svr.protocol,
        ):
            hasher.update(chunk)
        for remote in sorted(remotes):
            hasher.update(remote)
        for chunk in (
            CIPHERS[svr.cipher],
            str(svr.lzo_compression),
            str(svr.block_outside_dns),
            str(svr.otp_auth),
            JUMBO_FRAMES[svr.jumbo_frames],
            ca_bundle,
        ):
            hasher.update(chunk)
        hasher.update(self._get_key_info_str(svr, None, False))

        # Enterprise plans may contribute extra directives through the
        # 'user_config' plugin hook; each non-empty value is one line.
        plugin_lines = []
        sub_plan = settings.local.sub_plan
        if sub_plan and 'enterprise' in sub_plan:
            returns = plugins.caller(
                'user_config',
                host_id=settings.local.host_id,
                host_name=settings.local.host.name,
                org_id=self.org_id,
                user_id=self.id,
                user_name=self.name,
                server_id=svr.id,
                server_name=svr.name,
                server_port=svr.port,
                server_protocol=svr.protocol,
                server_ipv6=svr.ipv6,
                server_ipv6_firewall=svr.ipv6_firewall,
                server_network=svr.network,
                server_network6=svr.network6,
                server_network_mode=svr.network_mode,
                server_network_start=svr.network_start,
                server_network_stop=svr.network_end,
                server_restrict_routes=svr.restrict_routes,
                server_bind_address=svr.bind_address,
                server_onc_hostname=None,
                server_dh_param_bits=svr.dh_param_bits,
                server_multi_device=svr.multi_device,
                server_dns_servers=svr.dns_servers,
                server_search_domain=svr.search_domain,
                server_otp_auth=svr.otp_auth,
                server_cipher=svr.cipher,
                server_hash=svr.hash,
                server_inter_client=svr.inter_client,
                server_ping_interval=svr.ping_interval,
                server_ping_timeout=svr.ping_timeout,
                server_link_ping_interval=svr.link_ping_interval,
                server_link_ping_timeout=svr.link_ping_timeout,
                server_allowed_devices=svr.allowed_devices,
                server_max_clients=svr.max_clients,
                server_replica_count=svr.replica_count,
                server_dns_mapping=svr.dns_mapping,
                server_debug=svr.debug,
            )

            for return_val in returns or ():
                if not return_val:
                    continue
                line = return_val.strip()
                hasher.update(line)
                plugin_lines.append(line)
        plugin_config = ''.join(line + '\n' for line in plugin_lines)

        digest = hasher.hexdigest()

        # NOTE(review): get_key_remotes() is called a second time here
        # rather than reusing `remotes`; kept as-is in case it is not pure.
        sections = [OVPN_INLINE_CLIENT_CONF % (
            self._get_key_info_str(svr, digest, include_user_cert),
            uuid.uuid4().hex,
            utils.random_name(),
            svr.adapter_type,
            svr.adapter_type,
            svr.get_key_remotes(),
            CIPHERS[svr.cipher],
            HASHES[svr.hash],
            svr.ping_interval,
            svr.ping_timeout,
        )]

        if svr.lzo_compression != ADAPTIVE:
            sections.append('comp-lzo no\n')

        if svr.block_outside_dns:
            sections.append('ignore-unknown-option block-outside-dns\n')
            sections.append('block-outside-dns\n')

        if self.has_password(svr):
            sections.append('auth-user-pass\n')

        if svr.tls_auth:
            sections.append('key-direction 1\n')

        sections.append(JUMBO_FRAMES[svr.jumbo_frames])
        sections.append(plugin_config)
        sections.append('<ca>\n%s\n</ca>\n' % ca_bundle)

        if include_user_cert:
            if svr.tls_auth:
                sections.append('<tls-auth>\n%s\n</tls-auth>\n' % (
                    svr.tls_auth_key))
            sections.append('<cert>\n%s\n</cert>\n' % user_cert)
            sections.append('<key>\n%s\n</key>\n' % user_key)

        return file_name, ''.join(sections), digest
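    def generate_ovpn_conf(self):
        """Write the OpenVPN server config for ``self.server`` to disk.

        Resolves (creating when needed) the server's primary organization
        and primary user, whose certificate and private key are embedded
        inline; builds the route/push directives for the server's own
        routes and for linked servers; picks the tcp/udp (and v6) protocol
        string; renders OVPN_INLINE_SERVER_CONF plus the optional
        directives; appends enterprise 'server_config' plugin output and
        the inline <ca>/<tls-auth>/<cert>/<key>/<dh> blocks; and writes the
        result to ``self.ovpn_conf_path`` with mode 0600.

        Side effects: may call create_primary_user()/remove_primary_user()
        on the server, sets ``self.primary_user``, pushes the rendered
        config (minus the key material) to the server output when debug is
        on, and writes the config file.

        Raises:
            ValueError: if ``self.server.protocol`` is neither 'tcp' nor
                'udp'.
        """
        logger.debug('Generating server ovpn conf', 'server',
            server_id=self.server.id,
        )

        if not self.server.primary_organization or \
                not self.server.primary_user:
            self.server.create_primary_user()

        # The primary org may have been detached from the server after the
        # primary user was created; recreate the user under a current org.
        if self.server.primary_organization not in self.server.organizations:
            self.server.remove_primary_user()
            self.server.create_primary_user()

        primary_org = organization.get_by_id(self.server.primary_organization)
        if not primary_org:
            self.server.create_primary_user()
            primary_org = organization.get_by_id(
                id=self.server.primary_organization)

        self.primary_user = primary_org.get_user(self.server.primary_user)
        if not self.primary_user:
            self.server.create_primary_user()
            primary_org = organization.get_by_id(
                id=self.server.primary_organization)
            self.primary_user = primary_org.get_user(self.server.primary_user)

        gateway = utils.get_network_gateway(self.server.network)
        gateway6 = utils.get_network_gateway(self.server.network6)

        def route_line(network):
            # Server-side 'route' via this server's own gateway (v4 or v6),
            # used for networks reached through a link rather than pushed.
            if ':' in network:
                return 'route-ipv6 %s %s\n' % (network, gateway6)
            return 'route %s %s %s\n' % (
                utils.parse_network(network) + (gateway,))

        push = ''
        routes = []
        for route in self.server.get_routes(include_default=False):
            # All non-default route networks (virtual ones included) are
            # reported to the plugin hook below.
            routes.append(route['network'])
            if route['virtual_network']:
                continue

            network = route['network']
            if not route.get('network_link'):
                if ':' in network:
                    push += 'push "route-ipv6 %s"\n' % network
                else:
                    push += 'push "route %s %s"\n' % utils.parse_network(
                        network)
            else:
                push += route_line(network)

        # Only the lower-id side of a link adds routes to the peer's
        # networks -- presumably so each link's routes are installed once.
        for link_svr in self.server.iter_links(fields=(
                '_id', 'network', 'local_networks', 'network_start',
                'network_end', 'organizations', 'routes', 'links', 'ipv6')):
            if self.server.id < link_svr.id:
                for route in link_svr.get_routes(include_default=False):
                    push += route_line(route['network'])

        if self.server.network_mode == BRIDGE:
            host_int_data = self.host_interface_data
            host_address = host_int_data['address']
            host_netmask = host_int_data['netmask']

            server_line = 'server-bridge %s %s %s %s' % (
                host_address,
                host_netmask,
                self.server.network_start,
                self.server.network_end,
            )
        else:
            server_line = 'server %s %s' % utils.parse_network(
                self.server.network)

            if self.server.ipv6:
                server_line += '\nserver-ipv6 ' + self.server.network6

        if self.server.protocol not in ('tcp', 'udp'):
            raise ValueError('Unknown protocol')

        # A v6 transport is used when either the server or the global vpn
        # settings enable IPv6.
        use_ipv6 = self.server.ipv6 or settings.vpn.ipv6
        if self.server.protocol == 'tcp':
            protocol = 'tcp6-server' if use_ipv6 else 'tcp-server'
        else:
            protocol = 'udp6' if use_ipv6 else 'udp'

        server_conf = OVPN_INLINE_SERVER_CONF % (
            self.server.port,
            protocol,
            self.interface,
            server_line,
            self.management_socket_path,
            self.server.max_clients,
            self.server.ping_interval,
            # NOTE(review): the +20 margin is applied only to the first
            # timeout slot of the template -- reason not visible here.
            self.server.ping_timeout + 20,
            self.server.ping_interval,
            self.server.ping_timeout,
            CIPHERS[self.server.cipher],
            HASHES[self.server.hash],
            4 if self.server.debug else 1,
            8 if self.server.debug else 3,
        )

        if self.server.bind_address:
            server_conf += 'local %s\n' % self.server.bind_address

        if self.server.inter_client:
            server_conf += 'client-to-client\n'

        if self.server.multi_device:
            server_conf += 'duplicate-cn\n'

        if self.server.protocol == 'udp':
            server_conf += 'replay-window 128\n'

        # Pritunl v0.10.x did not include comp-lzo in client conf
        # if lzo_compression is adaptive dont include comp-lzo in server conf
        if self.server.lzo_compression == ADAPTIVE:
            pass
        elif self.server.lzo_compression:
            server_conf += 'comp-lzo yes\npush "comp-lzo yes"\n'
        else:
            server_conf += 'comp-lzo no\npush "comp-lzo no"\n'

        server_conf += JUMBO_FRAMES[self.server.jumbo_frames]

        if push:
            server_conf += push

        # Logged before the inline key material is appended, so private
        # keys never reach the output log.
        if self.server.debug:
            self.server.output.push_message('Server conf:')
            for conf_line in server_conf.split('\n'):
                if conf_line:
                    self.server.output.push_message('  ' + conf_line)

        # NOTE(review): exact match on 'enterprise' here, whereas the user
        # config path tests `'enterprise' in sub_plan` -- confirm intended.
        if settings.local.sub_plan == 'enterprise':
            returns = plugins.caller(
                'server_config',
                host_id=settings.local.host_id,
                host_name=settings.local.host.name,
                server_id=self.server.id,
                server_name=self.server.name,
                port=self.server.port,
                protocol=self.server.protocol,
                ipv6=self.server.ipv6,
                ipv6_firewall=self.server.ipv6_firewall,
                network=self.server.network,
                network6=self.server.network6,
                network_mode=self.server.network_mode,
                network_start=self.server.network_start,
                network_stop=self.server.network_end,
                restrict_routes=self.server.restrict_routes,
                bind_address=self.server.bind_address,
                onc_hostname=self.server.onc_hostname,
                dh_param_bits=self.server.dh_param_bits,
                multi_device=self.server.multi_device,
                dns_servers=self.server.dns_servers,
                search_domain=self.server.search_domain,
                otp_auth=self.server.otp_auth,
                cipher=self.server.cipher,
                hash=self.server.hash,
                inter_client=self.server.inter_client,
                ping_interval=self.server.ping_interval,
                ping_timeout=self.server.ping_timeout,
                link_ping_interval=self.server.link_ping_interval,
                link_ping_timeout=self.server.link_ping_timeout,
                max_clients=self.server.max_clients,
                replica_count=self.server.replica_count,
                dns_mapping=self.server.dns_mapping,
                debug=self.server.debug,
                routes=routes,
            )

            if returns:
                for return_val in returns:
                    if not return_val:
                        continue
                    # Each plugin value is one directive line; it must end
                    # with a real newline ('/n' here would glue the next
                    # directive onto the same line).
                    server_conf += return_val.strip() + '\n'

        server_conf += '<ca>\n%s\n</ca>\n' % self.server.ca_certificate

        if self.server.tls_auth:
            server_conf += 'key-direction 0\n<tls-auth>\n%s\n</tls-auth>\n' % (
                self.server.tls_auth_key)

        server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
            self.primary_user.certificate)
        server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
        server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params

        # The file embeds the server private key: create it with 0600 from
        # the start (open()+chmod leaves a window at the umask default) and
        # fchmod as well so a pre-existing wider-mode file is tightened.
        fd = os.open(self.ovpn_conf_path,
            os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, 'w') as ovpn_conf:
            os.fchmod(fd, 0o600)
            ovpn_conf.write(server_conf)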
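    def generate_ovpn_conf(self):
        """Write the OpenVPN server config for ``self.server`` to disk.

        Resolves (creating when needed) the server's primary organization
        and primary user, whose certificate and private key are embedded
        inline; assembles the push directives (local-network routes or a
        redirect-gateway depending on the traffic mode, DNS options and
        routes to linked servers); renders OVPN_INLINE_SERVER_CONF plus the
        optional directives; appends the inline <ca>/<tls-auth>/<cert>/
        <key>/<dh> blocks; and writes the result to ``self.ovpn_conf_path``
        with mode 0600.

        Side effects: may call create_primary_user()/remove_primary_user()
        on the server, sets ``self.primary_user``, and writes the file.
        """
        from pritunl.server.utils import get_by_id

        logger.debug('Generating server ovpn conf', 'server',
            server_id=self.server.id,
        )

        if not self.server.primary_organization or \
                not self.server.primary_user:
            self.server.create_primary_user()

        # The primary org may have been detached from the server after the
        # primary user was created; recreate the user under a current org.
        if self.server.primary_organization not in self.server.organizations:
            self.server.remove_primary_user()
            self.server.create_primary_user()

        primary_org = organization.get_by_id(self.server.primary_organization)
        if not primary_org:
            self.server.create_primary_user()
            primary_org = organization.get_by_id(
                id=self.server.primary_organization)

        self.primary_user = primary_org.get_user(self.server.primary_user)
        if not self.primary_user:
            self.server.create_primary_user()
            primary_org = organization.get_by_id(
                id=self.server.primary_organization)
            self.primary_user = primary_org.get_user(self.server.primary_user)

        push = ''
        if self.server.mode == LOCAL_TRAFFIC:
            for network in self.server.local_networks:
                push += 'push "route %s %s"\n' % utils.parse_network(network)
        elif self.server.mode == VPN_TRAFFIC:
            pass
        else:
            # Any other mode sends all client traffic through the VPN.
            push += 'push "redirect-gateway"\n'
        for dns_server in self.server.dns_servers:
            push += 'push "dhcp-option DNS %s"\n' % dns_server
        if self.server.search_domain:
            push += 'push "dhcp-option DOMAIN %s"\n' % (
                self.server.search_domain)

        # Clients get routes to each linked server's network and its
        # local networks (one lookup per link).
        for link_doc in self.server.links:
            link_svr = get_by_id(link_doc['server_id'])

            push += 'push "route %s %s"\n' % utils.parse_network(
                link_svr.network)
            for local_network in link_svr.local_networks:
                push += 'push "route %s %s"\n' % utils.parse_network(
                    local_network)

        server_conf = OVPN_INLINE_SERVER_CONF % (
            self.server.port,
            self.server.protocol,
            self.interface,
            '%s %s' % utils.parse_network(self.server.network),
            self.management_socket_path,
            CIPHERS[self.server.cipher],
            4 if self.server.debug else 1,
            8 if self.server.debug else 3,
        )

        if self.server.bind_address:
            server_conf += 'local %s\n' % self.server.bind_address

        if self.server.multi_device:
            server_conf += 'duplicate-cn\n'

        if self.server.otp_auth:
            server_conf += 'auth-user-pass-verify %s via-file\n' % (
                self.user_pass_verify_path)

        # Pritunl v0.10.x did not include comp-lzo in client conf
        # if lzo_compression is adaptive dont include comp-lzo in server conf
        if self.server.lzo_compression == ADAPTIVE:
            pass
        elif self.server.lzo_compression:
            server_conf += 'comp-lzo yes\npush "comp-lzo yes"\n'
        else:
            server_conf += 'comp-lzo no\npush "comp-lzo no"\n'

        server_conf += JUMBO_FRAMES[self.server.jumbo_frames]

        if push:
            server_conf += push

        server_conf += '<ca>\n%s\n</ca>\n' % self.server.ca_certificate

        if self.server.tls_auth:
            server_conf += '<tls-auth>\n%s\n</tls-auth>\n' % (
                self.server.tls_auth_key)

        server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
            self.primary_user.certificate)
        server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
        server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params

        # The file embeds the server private key: create it with 0600 from
        # the start (open()+chmod leaves a window at the umask default) and
        # fchmod as well so a pre-existing wider-mode file is tightened.
        fd = os.open(self.ovpn_conf_path,
            os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, 'w') as ovpn_conf:
            os.fchmod(fd, 0o600)
            ovpn_conf.write(server_conf)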
 def generate_ca_cert(self):
     """Rebuild ``self.ca_certificate`` from every org's CA certificate.

     Each org certificate is normalised with ``utils.get_cert_block``; the
     blocks are concatenated one per line and trailing newlines dropped.
     """
     blocks = [utils.get_cert_block(org.ca_certificate) + '\n'
               for org in self.iter_orgs()]
     self.ca_certificate = ''.join(blocks).rstrip('\n')
 def generate_ca_cert(self):
     """Rebuild ``self.ca_certificate`` from every org's CA certificate.

     Each org certificate is normalised with ``utils.get_cert_block``; the
     blocks are concatenated one per line and trailing newlines dropped.
     """
     blocks = [utils.get_cert_block(org.ca_certificate) + "\n"
               for org in self.iter_orgs()]
     self.ca_certificate = "".join(blocks).rstrip("\n")