def generate_client_conf(self, platform, client_id, virt_address, user, reauth):
    """Build the per-client OpenVPN directives handed out at connect time.

    A user bound to a linked server (``user.link_server_id`` set) receives
    only ``iroute`` lines for that server's routes and nothing else. Every
    other user receives, in order: the route-all pushes, DNS options, the
    user's own reserved network-link iroutes, the server's network-link
    route pushes and the route pushes of every linked server.

    Args:
        platform: client platform string; ``'ios'`` gets two half-space
            routes instead of ``redirect-gateway``.
        client_id: passed to ``reserve_iroute`` and to the iroute ping
            thread.
        virt_address: the client's virtual address, optionally with a
            ``/cidr`` suffix that is stripped before use.
        user: the connecting user object.
        reauth: True on re-authentication; then no new iroute ping thread
            is started.

    Returns:
        The config text, one directive per line; '' when nothing applies.
    """
    link_fields = ('_id', 'network', 'network_start', 'network_end',
        'local_networks', 'organizations', 'routes', 'links', 'ipv6')
    lines = []

    def iroute_line(network):
        # IPv6 networks contain ':'; IPv4 is rendered as "addr netmask".
        if ':' in network:
            return 'iroute-ipv6 %s\n' % network
        return 'iroute %s %s\n' % utils.parse_network(network)

    def push_route_line(network):
        if ':' in network:
            return 'push "route-ipv6 %s"\n' % network
        return 'push "route %s %s"\n' % utils.parse_network(network)

    if user.link_server_id:
        link_usr_svr = self.server.get_link_server(user.link_server_id,
            fields=link_fields)
        for route in link_usr_svr.get_routes(include_default=False):
            lines.append(iroute_line(route['network']))
        return ''.join(lines)

    if self.server.is_route_all():
        is_ios = platform == 'ios'
        if is_ios:
            # Two /1 routes cover the whole IPv4 space without touching
            # the client's existing default route.
            lines.append('push "route 0.0.0.0 128.0.0.0"\n')
            lines.append('push "route 128.0.0.0 128.0.0.0"\n')
        else:
            lines.append('push "redirect-gateway def1"\n')
        if self.server.ipv6:
            if not is_ios:
                lines.append('push "redirect-gateway-ipv6 def1"\n')
            lines.append('push "route-ipv6 2000::/3"\n')

    if self.server.dns_mapping:
        lines.append('push "dhcp-option DNS %s"\n' %
            utils.get_network_gateway(self.server.network))
    lines.extend('push "dhcp-option DNS %s"\n' % dns_server
        for dns_server in self.server.dns_servers)
    if self.server.search_domain:
        lines.append('push "dhcp-option DOMAIN %s"\n' %
            self.server.search_domain)

    # Each user network link is only announced once reserve_iroute grants
    # it to this client (presumably so two clients cannot claim the same
    # iroute — confirm against reserve_iroute).
    network_links = user.get_network_links()
    for network_link in network_links:
        if self.reserve_iroute(client_id, network_link, True):
            lines.append(iroute_line(network_link))
    if network_links and not reauth:
        ping_thread = threading.Thread(target=self.iroute_ping_thread,
            args=(client_id, virt_address.split('/')[0]))
        ping_thread.daemon = True
        ping_thread.start()

    lines.extend(push_route_line(network_link)
        for network_link in self.server.network_links)
    for link_svr in self.server.iter_links(fields=link_fields):
        for route in link_svr.get_routes(include_default=False):
            lines.append(push_route_line(route['network']))

    return ''.join(lines)
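def generate_ovpn_conf(self):
    """Write this instance's OpenVPN server config to ``self.ovpn_conf_path``.

    Resolves (recreating when stale) the primary organization/user whose
    certificate and private key are inlined into the config, renders
    ``OVPN_INLINE_SERVER_CONF`` from the server settings, appends the
    optional directives, route pushes and inlined PKI material, and writes
    the file with mode 0600.

    Side effects: may create or remove the primary user, sets
    ``self.primary_user``, echoes the non-secret part of the config to
    ``self.server.output`` when debug is on, and (re)writes the conf file.
    """
    logger.debug('Generating server ovpn conf', 'server',
        server_id=self.server.id,
    )

    # Resolve the primary org/user whose cert and key go into the server
    # conf, recreating them whenever the stored references are stale.
    if not self.server.primary_organization or \
            not self.server.primary_user:
        self.server.create_primary_user()
    if self.server.primary_organization not in self.server.organizations:
        self.server.remove_primary_user()
        self.server.create_primary_user()
    primary_org = organization.get_by_id(self.server.primary_organization)
    if not primary_org:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)
    self.primary_user = primary_org.get_user(self.server.primary_user)
    if not self.primary_user:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)
        self.primary_user = primary_org.get_user(self.server.primary_user)

    push = ''
    if self.server.mode == LOCAL_TRAFFIC:
        for network in self.server.local_networks:
            push += 'push "route %s %s"\n' % utils.parse_network(network)
    # VPN_TRAFFIC mode adds no local route pushes.

    # Server-side routes towards linked servers. Only the lower-id side of
    # a link adds them (presumably so each pair is configured once —
    # confirm against iter_links).
    gateway = utils.get_network_gateway(self.server.network)
    for link_svr in self.server.iter_links(
            fields=('_id', 'network', 'local_networks')):
        if self.server.id >= link_svr.id:
            continue
        push += 'route %s %s %s\n' % (
            utils.parse_network(link_svr.network) + (gateway,))
        for local_network in link_svr.local_networks:
            push += 'route %s %s %s\n' % (
                utils.parse_network(local_network) + (gateway,))

    # The two trailing ints are the debug/normal log levels the template
    # expects (presumably OpenVPN verb/mute — confirm against
    # OVPN_INLINE_SERVER_CONF).
    server_conf = OVPN_INLINE_SERVER_CONF % (
        self.server.port,
        self.server.protocol,
        self.interface,
        '%s %s' % utils.parse_network(self.server.network),
        self.management_socket_path,
        self.server.max_clients,
        self.server.ping_interval,
        self.server.ping_timeout + 20,
        self.server.ping_interval,
        self.server.ping_timeout,
        CIPHERS[self.server.cipher],
        4 if self.server.debug else 1,
        8 if self.server.debug else 3,
    )
    if self.server.bind_address:
        server_conf += 'local %s\n' % self.server.bind_address
    if self.server.inter_client:
        server_conf += 'client-to-client\n'
    if self.server.multi_device:
        server_conf += 'duplicate-cn\n'

    # Pritunl v0.10.x did not include comp-lzo in client conf
    # if lzo_compression is adaptive dont include comp-lzo in server conf
    if self.server.lzo_compression != ADAPTIVE:
        lzo = 'yes' if self.server.lzo_compression else 'no'
        server_conf += 'comp-lzo %s\npush "comp-lzo %s"\n' % (lzo, lzo)

    server_conf += JUMBO_FRAMES[self.server.jumbo_frames]
    server_conf += push

    # Echo the config before the CA/cert/key/dh blocks are appended so the
    # private key never reaches the output log.
    if self.server.debug:
        self.server.output.push_message('Server conf:')
        for conf_line in server_conf.split('\n'):
            if conf_line:
                self.server.output.push_message(' ' + conf_line)

    server_conf += '<ca>\n%s\n</ca>\n' % self.server.ca_certificate
    if self.server.tls_auth:
        server_conf += 'key-direction 0\n<tls-auth>\n%s\n</tls-auth>\n' % (
            self.server.tls_auth_key)
    server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
        self.primary_user.certificate)
    server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
    server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params

    # Create the file with 0600 from the start: open()+chmod() briefly
    # leaves a umask-default file that will hold the private key. The
    # chmod still tightens a pre-existing file (O_CREAT's mode only
    # applies on creation).
    fd = os.open(self.ovpn_conf_path,
        os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as ovpn_conf:
        os.chmod(self.ovpn_conf_path, 0o600)
        ovpn_conf.write(server_conf)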
def generate_client_conf(self, platform, client_id, virt_address, user, reauth):
    """Return the OpenVPN directives for one connecting client.

    Users bound to a linked server (``user.link_server_id``) get only the
    ``iroute`` lines of that server's routes. All other users get the
    route-all pushes, DNS options, their reserved network-link iroutes,
    the server's own network-link pushes and every linked server's route
    pushes, in that order.

    Args:
        platform: client platform; ``'ios'`` is given split /1 routes
            instead of ``redirect-gateway``.
        client_id: identifies the client to ``reserve_iroute`` and to the
            iroute ping thread.
        virt_address: the client's virtual address; a ``/cidr`` suffix is
            dropped.
        user: the connecting user object.
        reauth: True on re-authentication, in which case no new iroute
            ping thread is started.

    Returns:
        The config text; '' when no directive applies.
    """
    IROUTE4, IROUTE6 = 'iroute %s %s\n', 'iroute-ipv6 %s\n'
    PUSH4, PUSH6 = 'push "route %s %s"\n', 'push "route-ipv6 %s"\n'
    link_fields = ('_id', 'network', 'network_start', 'network_end',
        'local_networks', 'organizations', 'routes', 'links', 'ipv6')

    def route_line(network, fmt4, fmt6):
        # ':' marks an IPv6 network; IPv4 is split into "addr netmask".
        if ':' in network:
            return fmt6 % network
        return fmt4 % utils.parse_network(network)

    conf = []
    emit = conf.append

    if user.link_server_id:
        link_usr_svr = self.server.get_link_server(user.link_server_id,
            fields=link_fields)
        for route in link_usr_svr.get_routes(include_default=False):
            emit(route_line(route['network'], IROUTE4, IROUTE6))
        return ''.join(conf)

    if self.server.is_route_all():
        if platform == 'ios':
            # Two /1 routes cover all of IPv4 without replacing the
            # client's default route.
            emit('push "route 0.0.0.0 128.0.0.0"\n')
            emit('push "route 128.0.0.0 128.0.0.0"\n')
        else:
            emit('push "redirect-gateway def1"\n')
        if self.server.ipv6:
            if platform != 'ios':
                emit('push "redirect-gateway-ipv6 def1"\n')
            emit('push "route-ipv6 2000::/3"\n')

    if self.server.dns_mapping:
        emit('push "dhcp-option DNS %s"\n' % (
            utils.get_network_gateway(self.server.network)))
    for dns_server in self.server.dns_servers:
        emit('push "dhcp-option DNS %s"\n' % dns_server)
    if self.server.search_domain:
        emit('push "dhcp-option DOMAIN %s"\n' % (
            self.server.search_domain))

    # A user network link is announced only when reserve_iroute grants it
    # to this client (presumably a per-link exclusivity check — confirm).
    network_links = user.get_network_links()
    for network_link in network_links:
        if self.reserve_iroute(client_id, network_link, True):
            emit(route_line(network_link, IROUTE4, IROUTE6))
    if network_links and not reauth:
        ping_addr = virt_address.split('/')[0]
        thread = threading.Thread(target=self.iroute_ping_thread,
            args=(client_id, ping_addr))
        thread.daemon = True
        thread.start()

    for network_link in self.server.network_links:
        emit(route_line(network_link, PUSH4, PUSH6))
    for link_svr in self.server.iter_links(fields=link_fields):
        for route in link_svr.get_routes(include_default=False):
            emit(route_line(route['network'], PUSH4, PUSH6))

    return ''.join(conf)
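def generate_ovpn_conf(self):
    """Write this instance's OpenVPN server config to ``self.ovpn_conf_path``.

    Resolves (recreating when stale) the primary organization/user whose
    certificate and private key are inlined, renders
    ``OVPN_INLINE_SERVER_CONF`` from the server settings, appends the
    optional directives, route pushes and inlined PKI material, and writes
    the file with mode 0600.

    Side effects: may create or remove the primary user, sets
    ``self.primary_user``, echoes the non-secret part of the config to
    ``self.server.output`` when debug is on, and (re)writes the conf file.
    """
    logger.debug(
        'Generating server ovpn conf', 'server',
        server_id=self.server.id,
    )

    # Resolve the primary org/user, recreating them whenever the stored
    # references no longer point at an existing org/user.
    if not self.server.primary_organization or \
            not self.server.primary_user:
        self.server.create_primary_user()
    if self.server.primary_organization not in self.server.organizations:
        self.server.remove_primary_user()
        self.server.create_primary_user()
    primary_org = organization.get_by_id(self.server.primary_organization)
    if not primary_org:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)
    self.primary_user = primary_org.get_user(self.server.primary_user)
    if not self.primary_user:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)
        self.primary_user = primary_org.get_user(self.server.primary_user)

    push = ''
    if self.server.mode == LOCAL_TRAFFIC:
        for network in self.server.local_networks:
            push += 'push "route %s %s"\n' % utils.parse_network(network)
    # VPN_TRAFFIC mode adds no local route pushes.

    # Server-side routes towards linked servers; only the lower-id side
    # of a link adds them (presumably one configuration per pair —
    # confirm against iter_links).
    gateway = utils.get_network_gateway(self.server.network)
    for link_svr in self.server.iter_links(
            fields=('_id', 'network', 'local_networks')):
        if self.server.id >= link_svr.id:
            continue
        push += 'route %s %s %s\n' % (
            utils.parse_network(link_svr.network) + (gateway, ))
        for local_network in link_svr.local_networks:
            push += 'route %s %s %s\n' % (
                utils.parse_network(local_network) + (gateway, ))

    # The two trailing ints are the debug/normal log levels the template
    # expects (presumably OpenVPN verb/mute — confirm against
    # OVPN_INLINE_SERVER_CONF).
    server_conf = OVPN_INLINE_SERVER_CONF % (
        self.server.port,
        self.server.protocol,
        self.interface,
        '%s %s' % utils.parse_network(self.server.network),
        self.management_socket_path,
        CIPHERS[self.server.cipher],
        4 if self.server.debug else 1,
        8 if self.server.debug else 3,
    )
    if self.server.bind_address:
        server_conf += 'local %s\n' % self.server.bind_address
    if self.server.multi_device:
        server_conf += 'duplicate-cn\n'

    # Pritunl v0.10.x did not include comp-lzo in client conf
    # if lzo_compression is adaptive dont include comp-lzo in server conf
    if self.server.lzo_compression != ADAPTIVE:
        lzo = 'yes' if self.server.lzo_compression else 'no'
        server_conf += 'comp-lzo %s\npush "comp-lzo %s"\n' % (lzo, lzo)

    server_conf += JUMBO_FRAMES[self.server.jumbo_frames]
    server_conf += push

    # Echo before the CA/cert/key/dh blocks are appended so the private
    # key never reaches the output log.
    if self.server.debug:
        self.server.output.push_message('Server conf:')
        for conf_line in server_conf.split('\n'):
            if conf_line:
                self.server.output.push_message(' ' + conf_line)

    server_conf += '<ca>\n%s\n</ca>\n' % self.server.ca_certificate
    if self.server.tls_auth:
        server_conf += 'key-direction 0\n<tls-auth>\n%s\n</tls-auth>\n' % (
            self.server.tls_auth_key)
    server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
        self.primary_user.certificate)
    server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
    server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params

    # Create with 0600 from the start: open()+chmod() briefly leaves a
    # umask-default file that will hold the private key. The chmod still
    # tightens a pre-existing file (O_CREAT's mode applies only on
    # creation).
    fd = os.open(self.ovpn_conf_path,
        os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as ovpn_conf:
        os.chmod(self.ovpn_conf_path, 0o600)
        ovpn_conf.write(server_conf)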
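def generate_ovpn_conf(self):
    """Write this instance's OpenVPN server config to ``self.ovpn_conf_path``.

    Resolves (recreating when stale) the primary organization/user whose
    certificate and private key are inlined, builds the route/push block
    from the server's routes, linked servers and vxlan, renders
    ``OVPN_INLINE_SERVER_CONF``, appends the optional directives, any
    extra lines returned by the ``server_config`` plugin hook (enterprise
    plans only), and the inlined PKI material, then writes the file with
    mode 0600.

    Raises:
        ValueError: when ``self.server.protocol`` is neither 'tcp' nor
            'udp'.

    Side effects: may create or remove the primary user, sets
    ``self.primary_user``, echoes the non-secret part of the config to
    ``self.server.output`` when debug is on, calls plugins, and (re)writes
    the conf file.
    """
    # Resolve the primary org/user, recreating them whenever the stored
    # references no longer point at an existing org/user.
    if not self.server.primary_organization or \
            not self.server.primary_user:
        self.server.create_primary_user()
    if self.server.primary_organization not in self.server.organizations:
        self.server.remove_primary_user()
        self.server.create_primary_user()
    primary_org = organization.get_by_id(self.server.primary_organization)
    if not primary_org:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)
    self.primary_user = primary_org.get_user(self.server.primary_user)
    if not self.primary_user:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)
        self.primary_user = primary_org.get_user(self.server.primary_user)

    gateway = utils.get_network_gateway(self.server.network)
    gateway6 = utils.get_network_gateway(self.server.network6)

    push = ''
    routes = []
    for route in self.server.get_routes(include_default=False):
        network = route['network']
        # Every route network (virtual ones included) is reported to the
        # server_config plugin below.
        routes.append(network)
        if route['virtual_network']:
            continue
        is6 = ':' in network
        if route['net_gateway']:
            # OpenVPN's net_gateway keyword: the client keeps sending this
            # network through its pre-VPN gateway.
            if is6:
                push += 'push "route-ipv6 %s net_gateway"\n' % network
            else:
                push += 'push "route %s %s net_gateway"\n' % \
                    utils.parse_network(network)
        elif not route.get('network_link'):
            if is6:
                push += 'push "route-ipv6 %s"\n' % network
            else:
                push += 'push "route %s %s"\n' % utils.parse_network(
                    network)
        else:
            # Network-link routes become server-side `route` directives
            # via the VPN gateway rather than client pushes.
            if is6:
                push += 'route-ipv6 %s %s\n' % (network, gateway6)
            else:
                push += 'route %s %s %s\n' % (
                    utils.parse_network(network) + (gateway, ))

    # Only the lower-id side of a server link adds the peer's routes
    # (presumably one configuration per pair — confirm against iter_links).
    for link_svr in self.server.iter_links(
            fields=('_id', 'network', 'local_networks', 'network_start',
            'network_end', 'organizations', 'routes', 'links', 'ipv6',
            'replica_count', 'network_mode')):
        if self.server.id >= link_svr.id:
            continue
        for route in link_svr.get_routes(include_default=False):
            if route['net_gateway']:
                continue
            network = route['network']
            if ':' in network:
                push += 'route-ipv6 %s %s\n' % (network, gateway6)
            else:
                push += 'route %s %s %s\n' % (
                    utils.parse_network(network) + (gateway, ))

    if self.vxlan:
        push += 'push "route %s %s"\n' % utils.parse_network(
            self.vxlan.vxlan_net)

    if self.server.network_mode == BRIDGE:
        host_int_data = self.host_interface_data
        server_line = 'server-bridge %s %s %s %s' % (
            host_int_data['address'],
            host_int_data['netmask'],
            self.server.network_start,
            self.server.network_end,
        )
    else:
        server_line = 'server %s %s' % utils.parse_network(
            self.server.network)
        if self.server.ipv6:
            server_line += '\nserver-ipv6 ' + self.server.network6

    # Listen dual-stack only when IPv6 is wanted and no explicit bind
    # address pins the socket to one family.
    dual_stack = (self.server.ipv6 or settings.vpn.ipv6) and \
        not self.server.bind_address
    if self.server.protocol == 'tcp':
        protocol = 'tcp6-server' if dual_stack else 'tcp-server'
    elif self.server.protocol == 'udp':
        protocol = 'udp6' if dual_stack else 'udp'
    else:
        raise ValueError('Unknown protocol')

    # The two trailing ints are the debug/normal log levels the template
    # expects (presumably OpenVPN verb/mute — confirm against
    # OVPN_INLINE_SERVER_CONF).
    server_conf = OVPN_INLINE_SERVER_CONF % (
        self.server.port,
        protocol,
        self.interface,
        server_line,
        self.management_socket_path,
        self.server.max_clients,
        self.server.ping_interval,
        self.server.ping_timeout + 20,
        self.server.ping_interval,
        self.server.ping_timeout,
        SERVER_CIPHERS[self.server.cipher],
        HASHES[self.server.hash],
        4 if self.server.debug else 1,
        8 if self.server.debug else 3,
    )
    if self.server.bind_address:
        server_conf += 'local %s\n' % self.server.bind_address
    if self.server.inter_client:
        server_conf += 'client-to-client\n'
    if self.server.multi_device:
        server_conf += 'duplicate-cn\n'
    if self.server.protocol == 'udp':
        server_conf += 'replay-window 128\n'

    # Pritunl v0.10.x did not include comp-lzo in client conf
    # if lzo_compression is adaptive dont include comp-lzo in server conf
    if self.server.lzo_compression != ADAPTIVE:
        lzo = 'yes' if self.server.lzo_compression else 'no'
        server_conf += 'comp-lzo %s\npush "comp-lzo %s"\n' % (lzo, lzo)

    server_conf += JUMBO_FRAMES[self.server.jumbo_frames]
    server_conf += push

    # Echo before the plugin lines and CA/cert/key/dh blocks are appended
    # so the private key never reaches the output log.
    if self.server.debug:
        self.server.output.push_message('Server conf:')
        for conf_line in server_conf.split('\n'):
            if conf_line:
                self.server.output.push_message(' ' + conf_line)

    if settings.local.sub_plan and \
            'enterprise' in settings.local.sub_plan:
        returns = plugins.caller(
            'server_config',
            host_id=settings.local.host_id,
            host_name=settings.local.host.name,
            server_id=self.server.id,
            server_name=self.server.name,
            port=self.server.port,
            protocol=self.server.protocol,
            ipv6=self.server.ipv6,
            ipv6_firewall=self.server.ipv6_firewall,
            network=self.server.network,
            network6=self.server.network6,
            network_mode=self.server.network_mode,
            network_start=self.server.network_start,
            network_stop=self.server.network_end,
            restrict_routes=self.server.restrict_routes,
            bind_address=self.server.bind_address,
            onc_hostname=self.server.onc_hostname,
            dh_param_bits=self.server.dh_param_bits,
            multi_device=self.server.multi_device,
            dns_servers=self.server.dns_servers,
            search_domain=self.server.search_domain,
            otp_auth=self.server.otp_auth,
            cipher=self.server.cipher,
            hash=self.server.hash,
            inter_client=self.server.inter_client,
            ping_interval=self.server.ping_interval,
            ping_timeout=self.server.ping_timeout,
            link_ping_interval=self.server.link_ping_interval,
            link_ping_timeout=self.server.link_ping_timeout,
            allowed_devices=self.server.allowed_devices,
            max_clients=self.server.max_clients,
            replica_count=self.server.replica_count,
            dns_mapping=self.server.dns_mapping,
            debug=self.server.debug,
            routes=routes,
            interface=self.interface,
            bridge_interface=self.bridge_interface,
            vxlan=self.vxlan,
        )
        # Each non-empty plugin return is one extra config line. The
        # terminator must be a real newline; a literal '/n' would glue
        # the plugin text onto the <ca> block that follows.
        for return_val in returns or ():
            if not return_val:
                continue
            server_conf += return_val.strip() + '\n'

    server_conf += '<ca>\n%s\n</ca>\n' % self.server.ca_certificate
    if self.server.tls_auth:
        server_conf += 'key-direction 0\n<tls-auth>\n%s\n</tls-auth>\n' % (
            self.server.tls_auth_key)
    server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
        self.primary_user.certificate)
    server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
    server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params

    # Create with 0600 from the start: open()+chmod() briefly leaves a
    # umask-default file that will hold the private key. The chmod still
    # tightens a pre-existing file (O_CREAT's mode applies only on
    # creation).
    fd = os.open(self.ovpn_conf_path,
        os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as ovpn_conf:
        os.chmod(self.ovpn_conf_path, 0o600)
        ovpn_conf.write(server_conf)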
def generate_iptables_rules(self):
    """Feed the server's routing and NAT settings into ``self.iptables`` and apply them.

    Copies the server attributes the iptables helper needs, reads the
    host's IPv4 (and, when enabled, IPv6) kernel routing table through
    ``route -n`` to learn which interface reaches each network, registers
    every server route with its NAT interface, adds the vxlan route when
    present, and finally calls ``self.iptables.generate()``.

    Raises:
        subprocess.CalledProcessError: re-raised after logging when
            ``route`` fails.
        IptablesError: when the routing table has no default route.
    """
    server = self.server
    ipt = self.iptables
    ipt.id = server.id
    ipt.ipv6 = server.ipv6
    ipt.server_addr = utils.get_network_gateway(server.network)
    ipt.server_addr6 = utils.get_network_gateway(server.network6)
    ipt.virt_interface = self.interface
    ipt.virt_network = server.network
    ipt.virt_network6 = server.network6
    # IPv6 firewalling is only meaningful when the host has a routed
    # IPv6 subnet configured.
    ipt.ipv6_firewall = server.ipv6_firewall and \
        settings.local.host.routed_subnet6
    ipt.inter_client = server.inter_client
    ipt.restrict_routes = server.restrict_routes

    def read_ipv4_routes():
        # Parse `route -n`: column 0 destination, 2 genmask, 7 interface.
        # Destinations are not deduplicated; after the reverse below the
        # last-listed entry for a destination is matched first.
        try:
            output = utils.check_output_logged(['route', '-n'])
        except subprocess.CalledProcessError:
            logger.exception(
                'Failed to get IP routes', 'server',
                server_id=server.id,
            )
            raise
        table = []
        default_intf = None
        for line in output.splitlines():
            cols = line.split()
            if len(cols) < 8 or not re.match(IP_REGEX, cols[0]):
                continue
            if cols[0] == '0.0.0.0':
                # First default route wins.
                if default_intf:
                    continue
                default_intf = cols[7]
            table.append((ipaddress.IPNetwork('%s/%s' % (
                cols[0], utils.subnet_to_cidr(cols[2]))), cols[7]))
        table.reverse()
        if not default_intf:
            raise IptablesError('Failed to find default network interface')
        return table, default_intf

    def read_ipv6_routes():
        # Parse `route -n -A inet6`: column 0 destination, 6 interface.
        try:
            output = utils.check_output_logged(
                ['route', '-n', '-A', 'inet6'])
        except subprocess.CalledProcessError:
            logger.exception(
                'Failed to get IPv6 routes', 'server',
                server_id=server.id,
            )
            raise
        table = []
        default_intf = None
        for line in output.splitlines():
            cols = line.split()
            if len(cols) < 7:
                continue
            try:
                net = ipaddress.IPv6Network(cols[0])
            except (ipaddress.AddressValueError, ValueError):
                continue
            if cols[0] == '::/0':
                if default_intf:
                    continue
                default_intf = cols[6]
            table.append((net, cols[6]))
        if not default_intf:
            raise IptablesError(
                'Failed to find default IPv6 network interface')
        if default_intf == 'lo':
            # A loopback default route means IPv6 egress is misconfigured;
            # logged but not fatal.
            logger.error(
                'Failed to find default IPv6 interface', 'server',
                server_id=server.id,
            )
        table.reverse()
        return table, default_intf

    def find_interface(network, network_obj, table, fallback, message):
        # First routing-table entry containing the network, else the
        # default interface.
        for route_net, route_intf in table:
            if network_obj in route_net:
                return route_intf
        logger.info(
            message, 'server',
            server_id=server.id,
            network=network,
        )
        return fallback

    routes, default_interface = read_ipv4_routes()
    if server.ipv6:
        routes6, default_interface6 = read_ipv6_routes()
    else:
        routes6, default_interface6 = [], None

    for route in server.get_routes(
                include_hidden=True,
                include_server_links=True,
                include_default=True,
            ):
        network = route['network']
        if route['virtual_network'] or route['link_virtual_network']:
            ipt.add_nat_network(network)
        if route['virtual_network'] or route['net_gateway']:
            continue
        network_obj = ipaddress.IPNetwork(network)
        interface = route['nat_interface']
        if not interface:
            if ':' in network:
                interface = find_interface(network, network_obj, routes6,
                    default_interface6, 'Failed to find interface for '
                    'local IPv6 network route, using default route')
            else:
                interface = find_interface(network, network_obj, routes,
                    default_interface, 'Failed to find interface for '
                    'local network route, using default route')
        ipt.add_route(
            network,
            nat=route['nat'],
            nat_interface=interface,
        )

    if self.vxlan:
        ipt.add_route(self.vxlan.vxlan_net)

    ipt.generate()
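def generate_ovpn_conf(self):
    """Write this instance's OpenVPN server config to ``self.ovpn_conf_path``.

    Resolves (recreating when stale) the primary organization/user whose
    certificate and private key are inlined, builds the route/push block
    from the server's routes and linked servers, renders
    ``OVPN_INLINE_SERVER_CONF`` (bridge or tun server line), appends the
    optional directives and the inlined PKI material, and writes the file
    with mode 0600.

    Side effects: may create or remove the primary user, sets
    ``self.primary_user``, echoes the non-secret part of the config to
    ``self.server.output`` when debug is on, and (re)writes the conf file.
    """
    logger.debug('Generating server ovpn conf', 'server',
        server_id=self.server.id,
    )

    # Resolve the primary org/user, recreating them whenever the stored
    # references no longer point at an existing org/user.
    if not self.server.primary_organization or \
            not self.server.primary_user:
        self.server.create_primary_user()
    if self.server.primary_organization not in self.server.organizations:
        self.server.remove_primary_user()
        self.server.create_primary_user()
    primary_org = organization.get_by_id(self.server.primary_organization)
    if not primary_org:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)
    self.primary_user = primary_org.get_user(self.server.primary_user)
    if not self.primary_user:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)
        self.primary_user = primary_org.get_user(self.server.primary_user)

    gateway = utils.get_network_gateway(self.server.network)
    gateway6 = utils.get_network_gateway(self.server.network6)

    push = ''
    for route in self.server.get_routes(include_default=False):
        if route['virtual_network']:
            continue
        network = route['network']
        is6 = ':' in network
        if not route.get('network_link'):
            # Client pushes. No trailing space inside the quoted
            # directive, matching the IPv4 form.
            if is6:
                push += 'push "route-ipv6 %s"\n' % network
            else:
                push += 'push "route %s %s"\n' % utils.parse_network(
                    network)
        else:
            # Network-link routes become server-side `route` directives
            # via the VPN gateway rather than client pushes.
            if is6:
                push += 'route-ipv6 %s %s\n' % (network, gateway6)
            else:
                push += 'route %s %s %s\n' % (utils.parse_network(
                    network) + (gateway,))

    # Only the lower-id side of a server link adds the peer's routes
    # (presumably one configuration per pair — confirm against iter_links).
    for link_svr in self.server.iter_links(fields=(
            '_id', 'network', 'local_networks', 'network_start',
            'network_end', 'organizations', 'routes', 'links')):
        if self.server.id >= link_svr.id:
            continue
        for route in link_svr.get_routes(include_default=False):
            network = route['network']
            if ':' in network:
                push += 'route-ipv6 %s %s\n' % (
                    network, gateway6)
            else:
                push += 'route %s %s %s\n' % (utils.parse_network(
                    network) + (gateway,))

    if self.server.network_mode == BRIDGE:
        host_int_data = self.host_interface_data
        server_line = 'server-bridge %s %s %s %s' % (
            host_int_data['address'],
            host_int_data['netmask'],
            self.server.network_start,
            self.server.network_end,
        )
    else:
        server_line = 'server %s %s' % utils.parse_network(
            self.server.network)
        if self.server.ipv6:
            server_line += '\nserver-ipv6 ' + self.server.network6

    # The two trailing ints are the debug/normal log levels the template
    # expects (presumably OpenVPN verb/mute — confirm against
    # OVPN_INLINE_SERVER_CONF).
    server_conf = OVPN_INLINE_SERVER_CONF % (
        self.server.port,
        self.server.protocol + ('6' if self.server.ipv6 else ''),
        self.interface,
        server_line,
        self.management_socket_path,
        self.server.max_clients,
        self.server.ping_interval,
        self.server.ping_timeout + 20,
        self.server.ping_interval,
        self.server.ping_timeout,
        CIPHERS[self.server.cipher],
        HASHES[self.server.hash],
        4 if self.server.debug else 1,
        8 if self.server.debug else 3,
    )
    if self.server.bind_address:
        server_conf += 'local %s\n' % self.server.bind_address
    if self.server.inter_client:
        server_conf += 'client-to-client\n'
    if self.server.multi_device:
        server_conf += 'duplicate-cn\n'
    if self.server.protocol == 'udp':
        server_conf += 'replay-window 128\n'

    # Pritunl v0.10.x did not include comp-lzo in client conf
    # if lzo_compression is adaptive dont include comp-lzo in server conf
    if self.server.lzo_compression != ADAPTIVE:
        lzo = 'yes' if self.server.lzo_compression else 'no'
        server_conf += 'comp-lzo %s\npush "comp-lzo %s"\n' % (lzo, lzo)

    server_conf += JUMBO_FRAMES[self.server.jumbo_frames]
    server_conf += push

    # Echo before the CA/cert/key/dh blocks are appended so the private
    # key never reaches the output log.
    if self.server.debug:
        self.server.output.push_message('Server conf:')
        for conf_line in server_conf.split('\n'):
            if conf_line:
                self.server.output.push_message(' ' + conf_line)

    server_conf += '<ca>\n%s\n</ca>\n' % self.server.ca_certificate
    if self.server.tls_auth:
        server_conf += 'key-direction 0\n<tls-auth>\n%s\n</tls-auth>\n' % (
            self.server.tls_auth_key)
    server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
        self.primary_user.certificate)
    server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
    server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params

    # Create with 0600 from the start: open()+chmod() briefly leaves a
    # umask-default file that will hold the private key. The chmod still
    # tightens a pre-existing file (O_CREAT's mode applies only on
    # creation).
    fd = os.open(self.ovpn_conf_path,
        os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as ovpn_conf:
        os.chmod(self.ovpn_conf_path, 0o600)
        ovpn_conf.write(server_conf)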
def generate_iptables_rules(self):
    """Build the iptables/ip6tables rule argument lists for this server.

    Reads the host's IPv4 (and, when enabled, IPv6) kernel routing table
    through ``route -n`` to learn which interface reaches each network,
    then assembles, in order: the filter rules for the VPN interface
    (route-all or restrict-routes shape), per-route filter rules when
    routes are restricted, POSTROUTING MASQUERADE rules for every NAT
    route (also on behalf of linked servers' networks), and the
    ESTABLISHED,RELATED forward rules between the VPN interface and each
    NAT egress interface. Every rule gets a ``pritunl_<server id>``
    comment (and ``--wait`` when configured) appended.

    Rule order is significant — the lists are appended in chain order —
    so the sequence below must not be rearranged.

    Returns:
        A ``(rules, rules6)`` pair of argument lists, one list per rule,
        without the leading ``iptables`` / ``ip6tables`` command.

    Raises:
        subprocess.CalledProcessError: re-raised after logging when
            ``route`` fails.
        IptablesError: when the routing table has no default route.
    """
    rules = []
    rules6 = []

    # Parse `route -n`: column 0 destination, 2 genmask, 7 interface.
    try:
        routes_output = utils.check_output_logged(['route', '-n'])
    except subprocess.CalledProcessError:
        logger.exception('Failed to get IP routes', 'server',
            server_id=self.server.id,
        )
        raise

    routes = []
    default_interface = None
    for line in routes_output.splitlines():
        line_split = line.split()
        if len(line_split) < 8 or not re.match(IP_REGEX, line_split[0]):
            continue
        # NOTE(review): `routes` holds (network, interface) tuples, so this
        # string membership test never matches; destinations are not
        # deduplicated. The last default route listed wins here.
        if line_split[0] not in routes:
            if line_split[0] == '0.0.0.0':
                default_interface = line_split[7]
            routes.append((
                ipaddress.IPNetwork('%s/%s' % (line_split[0],
                    utils.subnet_to_cidr(line_split[2]))),
                line_split[7]
            ))
    # Reversed so the later table entries are matched first below.
    routes.reverse()

    if not default_interface:
        raise IptablesError('Failed to find default network interface')

    routes6 = []
    default_interface6 = None
    if self.server.ipv6:
        # Parse `route -n -A inet6`: column 0 destination, 6 interface.
        try:
            routes_output = utils.check_output_logged(
                ['route', '-n', '-A', 'inet6'])
        except subprocess.CalledProcessError:
            logger.exception('Failed to get IPv6 routes', 'server',
                server_id=self.server.id,
            )
            raise

        for line in routes_output.splitlines():
            line_split = line.split()
            if len(line_split) < 7:
                continue
            try:
                route_network = ipaddress.IPv6Network(line_split[0])
            except (ipaddress.AddressValueError, ValueError):
                continue
            # First default route wins for IPv6.
            if not default_interface6 and line_split[0] == '::/0':
                default_interface6 = line_split[6]
            routes6.append((
                route_network,
                line_split[6]
            ))

        if not default_interface6:
            raise IptablesError(
                'Failed to find default IPv6 network interface')

        if default_interface6 == 'lo':
            # Loopback default route means IPv6 egress is misconfigured;
            # logged but not fatal.
            logger.error('Failed to find default IPv6 interface', 'server',
                server_id=self.server.id,
            )

        routes6.reverse()

    route_all = self.server.is_route_all()
    if route_all:
        # NOTE(review): with route-all the INPUT chain accepts everything
        # arriving on the VPN interface, i.e. clients reach every host
        # service; confirm this exposure is intended.
        rules.append([
            'INPUT',
            '-i', self.interface,
            '-j', 'ACCEPT',
        ])
        rules.append([
            'OUTPUT',
            '-o', self.interface,
            '-j', 'ACCEPT',
        ])
        rules.append([
            'FORWARD',
            '-i', self.interface,
            '-j', 'ACCEPT',
        ])

        if self.server.ipv6:
            if self.server.ipv6_firewall and \
                    settings.local.host.routed_subnet6:
                # Stateful IPv6 firewall for the VPN subnet: only
                # reply traffic and new ICMPv6 are let in; everything
                # else towards the subnet is dropped.
                rules6.append([
                    'INPUT',
                    '-d', self.server.network6,
                    '-m', 'conntrack',
                    '--ctstate', 'RELATED,ESTABLISHED',
                    '-j', 'ACCEPT',
                ])
                rules6.append([
                    'INPUT',
                    '-d', self.server.network6,
                    '-p', 'icmpv6',
                    '-m', 'conntrack',
                    '--ctstate', 'NEW',
                    '-j', 'ACCEPT',
                ])
                rules6.append([
                    'INPUT',
                    '-d', self.server.network6,
                    '-j', 'DROP',
                ])
                rules6.append([
                    'FORWARD',
                    '-d', self.server.network6,
                    '-m', 'conntrack',
                    '--ctstate', 'RELATED,ESTABLISHED',
                    '-j', 'ACCEPT',
                ])
                rules6.append([
                    'FORWARD',
                    '-d', self.server.network6,
                    '-p', 'icmpv6',
                    '-m', 'conntrack',
                    '--ctstate', 'NEW',
                    '-j', 'ACCEPT',
                ])
                rules6.append([
                    'FORWARD',
                    '-d', self.server.network6,
                    '-j', 'DROP',
                ])
            else:
                rules6.append([
                    'INPUT',
                    '-d', self.server.network6,
                    '-j', 'ACCEPT',
                ])
                rules6.append([
                    'FORWARD',
                    '-d', self.server.network6,
                    '-j', 'ACCEPT',
                ])
    elif self.server.restrict_routes:
        if self.server.inter_client:
            # Whole VPN subnet is allowed so clients can reach each other.
            rules.append([
                'INPUT',
                '-i', self.interface,
                '-d', self.server.network,
                '-j', 'ACCEPT',
            ])
            rules6.append([
                'INPUT',
                '-i', self.interface,
                '-d', self.server.network6,
                '-j', 'ACCEPT',
            ])
            rules.append([
                'OUTPUT',
                '-o', self.interface,
                '-s', self.server.network,
                '-j', 'ACCEPT',
            ])
            rules6.append([
                'OUTPUT',
                '-o', self.interface,
                '-s', self.server.network6,
                '-j', 'ACCEPT',
            ])
            rules.append([
                'FORWARD',
                '-i', self.interface,
                '-d', self.server.network,
                '-j', 'ACCEPT',
            ])
            rules.append([
                'FORWARD',
                '-o', self.interface,
                '-s', self.server.network,
                '-j', 'ACCEPT',
            ])
            rules6.append([
                'FORWARD',
                '-i', self.interface,
                '-d', self.server.network6,
                '-j', 'ACCEPT',
            ])
            rules6.append([
                'FORWARD',
                '-o', self.interface,
                '-s', self.server.network6,
                '-j', 'ACCEPT',
            ])
        else:
            # Only the server's own gateway address is reachable.
            server_addr = utils.get_network_gateway(self.server.network)
            server_addr6 = utils.get_network_gateway(self.server.network6)

            rules.append([
                'INPUT',
                '-i', self.interface,
                '-d', server_addr,
                '-j', 'ACCEPT',
            ])
            rules6.append([
                'INPUT',
                '-i', self.interface,
                '-d', server_addr6,
                '-j', 'ACCEPT',
            ])
            rules.append([
                'OUTPUT',
                '-o', self.interface,
                '-s', server_addr,
                '-j', 'ACCEPT',
            ])
            rules6.append([
                'OUTPUT',
                '-o', self.interface,
                '-s', server_addr6,
                '-j', 'ACCEPT',
            ])

    # Per-route filter rules; only emitted when routes are restricted.
    for route in self.server.get_routes(
                include_hidden=True,
                include_server_links=True,
                include_default=False,
            ):
        network_address = route['network']
        is6 = ':' in network_address
        is_nat = route['nat']

        if route['virtual_network']:
            continue

        if self.server.restrict_routes:
            if is6:
                rules6.append([
                    'INPUT',
                    '-i', self.interface,
                    '-d', network_address,
                    '-j', 'ACCEPT',
                ])
                rules6.append([
                    'OUTPUT',
                    '-o', self.interface,
                    '-s', network_address,
                    '-j', 'ACCEPT',
                ])
                rules6.append([
                    'FORWARD',
                    '-i', self.interface,
                    '-d', network_address,
                    '-j', 'ACCEPT',
                ])
                # NAT routes only let reply traffic back to the client;
                # non-NAT routes allow the remote network in unconditionally.
                if is_nat:
                    rules6.append([
                        'FORWARD',
                        '-o', self.interface,
                        '-m', 'conntrack',
                        '--ctstate', 'RELATED,ESTABLISHED',
                        '-s', network_address,
                        '-j', 'ACCEPT',
                    ])
                else:
                    rules6.append([
                        'FORWARD',
                        '-o', self.interface,
                        '-s', network_address,
                        '-j', 'ACCEPT',
                    ])
            else:
                rules.append([
                    'INPUT',
                    '-i', self.interface,
                    '-d', network_address,
                    '-j', 'ACCEPT',
                ])
                rules.append([
                    'OUTPUT',
                    '-o', self.interface,
                    '-s', network_address,
                    '-j', 'ACCEPT',
                ])
                rules.append([
                    'FORWARD',
                    '-i', self.interface,
                    '-d', network_address,
                    '-j', 'ACCEPT',
                ])
                if is_nat:
                    rules.append([
                        'FORWARD',
                        '-o', self.interface,
                        '-m', 'conntrack',
                        '--ctstate', 'RELATED,ESTABLISHED',
                        '-s', network_address,
                        '-j', 'ACCEPT',
                    ])
                else:
                    rules.append([
                        'FORWARD',
                        '-o', self.interface,
                        '-s', network_address,
                        '-j', 'ACCEPT',
                    ])

    # Egress interfaces actually used by NAT routes, for the
    # ESTABLISHED,RELATED forward rules at the end.
    interfaces = set()
    interfaces6 = set()

    # Linked servers' VPN networks are masqueraded through this host too.
    link_svr_networks = []
    for link_svr in self.server.iter_links(fields=('_id', 'network',
            'network_start', 'network_end', 'organizations', 'routes',
            'links')):
        link_svr_networks.append(link_svr.network)

    for route in self.server.get_routes(include_hidden=True):
        if route['virtual_network'] or not route['nat']:
            continue

        network_address = route['network']
        args_base = ['POSTROUTING', '-t', 'nat']
        is6 = ':' in network_address

        if is6:
            network = network_address
        else:
            # Bare address (no mask) only used for the default-route test.
            network = utils.parse_network(network_address)[0]

        network_obj = ipaddress.IPNetwork(network_address)

        if is6:
            interface = None
            for route_net, route_intf in routes6:
                if network_obj in route_net:
                    interface = route_intf
                    break
            if not interface:
                logger.info(
                    'Failed to find interface for local ' + \
                        'IPv6 network route, using default route',
                    'server',
                    server_id=self.server.id,
                    network=network,
                )
                interface = default_interface6
            interfaces6.add(interface)
        else:
            interface = None
            for route_net, route_intf in routes:
                if network_obj in route_net:
                    interface = route_intf
                    break
            if not interface:
                logger.info(
                    'Failed to find interface for local ' + \
                        'network route, using default route',
                    'server',
                    server_id=self.server.id,
                    network=network,
                )
                interface = default_interface
            interfaces.add(interface)

        # A default route masquerades everything; other routes only
        # traffic destined to that network.
        if network != '0.0.0.0' and network != '::/0':
            args_base += ['-d', network_address]

        args_base += [
            '-o', interface,
            '-j', 'MASQUERADE',
        ]

        if is6:
            rules6.append(args_base + ['-s', self.server.network6])
        else:
            rules.append(args_base + ['-s', self.server.network])

        for link_svr_net in link_svr_networks:
            if ':' in link_svr_net:
                rules6.append(args_base + ['-s', link_svr_net])
            else:
                rules.append(args_base + ['-s', link_svr_net])

    if route_all:
        for interface in interfaces:
            rules.append([
                'FORWARD',
                '-i', interface,
                '-o', self.interface,
                '-m', 'state',
                '--state', 'ESTABLISHED,RELATED',
                '-j', 'ACCEPT',
            ])
            rules.append([
                'FORWARD',
                '-i', self.interface,
                '-o', interface,
                '-m', 'state',
                '--state', 'ESTABLISHED,RELATED',
                '-j', 'ACCEPT',
            ])

        for interface in interfaces6:
            # With the stateful IPv6 firewall on, the default interface
            # is already covered by the conntrack rules above.
            if self.server.ipv6 and self.server.ipv6_firewall and \
                    settings.local.host.routed_subnet6 and \
                    interface == default_interface6:
                continue
            rules6.append([
                'FORWARD',
                '-i', interface,
                '-o', self.interface,
                '-m', 'state',
                '--state', 'ESTABLISHED,RELATED',
                '-j', 'ACCEPT',
            ])
            rules6.append([
                'FORWARD',
                '-i', self.interface,
                '-o', interface,
                '-m', 'state',
                '--state', 'ESTABLISHED,RELATED',
                '-j', 'ACCEPT',
            ])

    # The comment tags every rule so this server's rules can be found and
    # removed later without touching other servers' rules.
    extra_args = [
        '-m', 'comment',
        '--comment', 'pritunl_%s' % self.server.id,
    ]

    if settings.local.iptables_wait:
        extra_args.append('--wait')

    rules = [x + extra_args for x in rules]
    rules6 = [x + extra_args for x in rules6]

    return rules, rules6
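def generate_iptables_rules(self):
    """Load the server settings and host routing tables into ``self.iptables``
    and generate the rule set.

    The host's IPv4 table (``route -n``) and, when the server has IPv6
    enabled, its IPv6 table (``route -n -A inet6``) are read so that every
    server route can be bound to the host interface it actually leaves
    through.  A route carrying an explicit ``nat_interface`` skips that
    lookup; a route matching nothing falls back to the default interface.

    Raises:
        subprocess.CalledProcessError: ``route`` failed (logged, then
            re-raised).
        IptablesError: no default route was found for a required family.
    """
    server_id = self.server.id

    def read_routes4():
        """Return ``([(IPNetwork, iface), ...], default_iface)`` from ``route -n``.

        Rows are taken in ``route -n`` order and the list is reversed so the
        lookup below tries later rows first; only the first ``0.0.0.0`` row
        is kept as the default.  Rows are not de-duplicated (the original
        compared the destination string against (network, iface) tuples,
        which never matched, so this preserves the effective behaviour).
        """
        try:
            output = utils.check_output_logged(['route', '-n'])
        except subprocess.CalledProcessError:
            logger.exception('Failed to get IP routes', 'server',
                server_id=server_id,
            )
            raise

        table = []
        default_iface = None
        for line in output.splitlines():
            cols = line.split()
            # Skip header/footer rows and anything whose destination column
            # is not an address.  net-tools column layout is assumed.
            if len(cols) < 8 or not re.match(IP_REGEX, cols[0]):
                continue
            if cols[0] == '0.0.0.0':
                if default_iface:
                    continue
                default_iface = cols[7]
            table.append((
                ipaddress.IPNetwork('%s/%s' % (
                    cols[0], utils.subnet_to_cidr(cols[2]))),
                cols[7],
            ))
        table.reverse()

        if not default_iface:
            raise IptablesError('Failed to find default network interface')
        return table, default_iface

    def read_routes6():
        """Return ``([(IPv6Network, iface), ...], default_iface)`` from
        ``route -n -A inet6``; same ordering rules as ``read_routes4``."""
        try:
            output = utils.check_output_logged(
                ['route', '-n', '-A', 'inet6'])
        except subprocess.CalledProcessError:
            logger.exception('Failed to get IPv6 routes', 'server',
                server_id=server_id,
            )
            raise

        table = []
        default_iface = None
        for line in output.splitlines():
            cols = line.split()
            if len(cols) < 7:
                continue
            try:
                destination = ipaddress.IPv6Network(cols[0])
            except (ipaddress.AddressValueError, ValueError):
                continue
            if cols[0] == '::/0':
                if default_iface:
                    continue
                default_iface = cols[6]
            table.append((destination, cols[6]))

        if not default_iface:
            raise IptablesError(
                'Failed to find default IPv6 network interface')
        if default_iface == 'lo':
            # Logged but not fatal: a loopback default route is almost
            # certainly not what the admin wants, but generation continues.
            logger.error('Failed to find default IPv6 interface', 'server',
                server_id=server_id,
            )
        table.reverse()
        return table, default_iface

    def interface_for(network, network_obj, table, default_iface, missing_msg):
        """Interface of the first table row containing ``network_obj``, or
        ``default_iface`` (with an info log) when no row matches."""
        for route_net, route_intf in table:
            if network_obj in route_net:
                return route_intf
        logger.info(missing_msg, 'server',
            server_id=server_id,
            network=network,
        )
        return default_iface

    server_addr = utils.get_network_gateway(self.server.network)
    server_addr6 = utils.get_network_gateway(self.server.network6)

    # The IPv6 firewall is only meaningful when this host owns a routed
    # IPv6 subnet; otherwise the setting is ignored.
    ipv6_firewall = self.server.ipv6_firewall and \
        settings.local.host.routed_subnet6

    self.iptables.id = server_id
    self.iptables.ipv6 = self.server.ipv6
    self.iptables.server_addr = server_addr
    self.iptables.server_addr6 = server_addr6
    self.iptables.virt_interface = self.interface
    self.iptables.virt_network = self.server.network
    self.iptables.virt_network6 = self.server.network6
    self.iptables.ipv6_firewall = ipv6_firewall
    self.iptables.inter_client = self.server.inter_client

    routes, default_interface = read_routes4()
    routes6, default_interface6 = [], None
    if self.server.ipv6:
        routes6, default_interface6 = read_routes6()

    for route in self.server.get_routes(
        include_hidden=True,
        include_server_links=True,
        include_default=True,
    ):
        network = route['network']

        # Virtual networks (this server's or a linked server's) are NAT
        # sources, not destinations that need an outbound interface.
        if route['virtual_network'] or route['link_virtual_network']:
            self.iptables.add_nat_network(network)
        if route['virtual_network']:
            continue

        network_obj = ipaddress.IPNetwork(network)
        # An admin-supplied nat_interface wins over the routing-table lookup.
        interface = route['nat_interface']
        if ':' in network:
            if not interface:
                # With IPv6 disabled the table is empty and the default is
                # None, so an IPv6 route then gets no interface at all.
                interface = interface_for(network, network_obj, routes6,
                    default_interface6,
                    'Failed to find interface for local ' +
                    'IPv6 network route, using default route')
        else:
            if not interface:
                interface = interface_for(network, network_obj, routes,
                    default_interface,
                    'Failed to find interface for local ' +
                    'network route, using default route')

        self.iptables.add_route(
            network,
            nat=route['nat'],
            nat_interface=interface,
        )

    self.iptables.generate()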
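def generate_ovpn_conf(self):
    """Render the OpenVPN server configuration and write it to
    ``self.ovpn_conf_path``.

    The file embeds the CA certificate, the server certificate and private
    key, the optional tls-auth key and the DH parameters, so it is created
    with mode 0600 from the outset instead of being chmod'ed after an
    ordinary ``open(..., 'w')``.

    Side effects: may create or recreate the server's primary user and
    organization, sets ``self.primary_user``, pushes the non-secret part of
    the config to the server output when ``debug`` is on, and calls the
    ``server_config`` plugin hook on enterprise installs.

    Raises:
        ValueError: ``self.server.protocol`` is neither ``tcp`` nor ``udp``.
    """
    logger.debug('Generating server ovpn conf', 'server',
        server_id=self.server.id,
    )

    # The server's own certificate and key live on a "primary user"; make
    # sure that user exists and belongs to an organization still attached
    # to this server, recreating it where any link in the chain is missing.
    if not self.server.primary_organization or \
            not self.server.primary_user:
        self.server.create_primary_user()

    if self.server.primary_organization not in self.server.organizations:
        self.server.remove_primary_user()
        self.server.create_primary_user()

    primary_org = organization.get_by_id(self.server.primary_organization)
    if not primary_org:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)

    self.primary_user = primary_org.get_user(self.server.primary_user)
    if not self.primary_user:
        self.server.create_primary_user()
        primary_org = organization.get_by_id(
            id=self.server.primary_organization)
        self.primary_user = primary_org.get_user(self.server.primary_user)

    gateway = utils.get_network_gateway(self.server.network)
    gateway6 = utils.get_network_gateway(self.server.network6)

    def gateway_route(network):
        """Server-side ``route`` directive sending ``network`` to the VPN
        gateway address (used for networks reached through a linked
        server; these are not pushed to clients)."""
        if ':' in network:
            return 'route-ipv6 %s %s\n' % (network, gateway6)
        return 'route %s %s %s\n' % (
            utils.parse_network(network) + (gateway,))

    push_lines = []
    routes = []
    for route in self.server.get_routes(include_default=False):
        network = route['network']
        # Every route, including virtual ones, is reported to the plugin
        # hook below; only non-virtual routes become config directives.
        routes.append(network)
        if route['virtual_network']:
            continue
        if not route.get('network_link'):
            if ':' in network:
                push_lines.append('push "route-ipv6 %s "\n' % network)
            else:
                push_lines.append('push "route %s %s"\n' %
                    utils.parse_network(network))
        else:
            push_lines.append(gateway_route(network))

    for link_svr in self.server.iter_links(fields=(
            '_id', 'network', 'local_networks', 'network_start',
            'network_end', 'organizations', 'routes', 'links', 'ipv6')):
        # Only the side with the lower id installs the peer's routes;
        # presumably so each linked pair installs them once -- confirm.
        if self.server.id < link_svr.id:
            for route in link_svr.get_routes(include_default=False):
                push_lines.append(gateway_route(route['network']))

    if self.server.network_mode == BRIDGE:
        host_int_data = self.host_interface_data
        host_address = host_int_data['address']
        host_netmask = host_int_data['netmask']
        server_line = 'server-bridge %s %s %s %s' % (
            host_address,
            host_netmask,
            self.server.network_start,
            self.server.network_end,
        )
    else:
        server_line = 'server %s %s' % utils.parse_network(
            self.server.network)
        if self.server.ipv6:
            server_line += '\nserver-ipv6 ' + self.server.network6

    # The *6 transport variants are used when either this server or the
    # host-wide setting enables IPv6.
    if self.server.protocol == 'tcp':
        if self.server.ipv6 or settings.vpn.ipv6:
            protocol = 'tcp6-server'
        else:
            protocol = 'tcp-server'
    elif self.server.protocol == 'udp':
        if self.server.ipv6 or settings.vpn.ipv6:
            protocol = 'udp6'
        else:
            protocol = 'udp'
    else:
        raise ValueError('Unknown protocol')

    server_conf = OVPN_INLINE_SERVER_CONF % (
        self.server.port,
        protocol,
        self.interface,
        server_line,
        self.management_socket_path,
        self.server.max_clients,
        self.server.ping_interval,
        self.server.ping_timeout + 20,
        self.server.ping_interval,
        self.server.ping_timeout,
        CIPHERS[self.server.cipher],
        HASHES[self.server.hash],
        4 if self.server.debug else 1,
        8 if self.server.debug else 3,
    )

    if self.server.bind_address:
        server_conf += 'local %s\n' % self.server.bind_address

    if self.server.inter_client:
        server_conf += 'client-to-client\n'

    if self.server.multi_device:
        server_conf += 'duplicate-cn\n'

    if self.server.protocol == 'udp':
        server_conf += 'replay-window 128\n'

    # Pritunl v0.10.x did not include comp-lzo in client conf
    # if lzo_compression is adaptive dont include comp-lzo in server conf
    if self.server.lzo_compression == ADAPTIVE:
        pass
    elif self.server.lzo_compression:
        server_conf += 'comp-lzo yes\npush "comp-lzo yes"\n'
    else:
        server_conf += 'comp-lzo no\npush "comp-lzo no"\n'

    server_conf += JUMBO_FRAMES[self.server.jumbo_frames]

    if push_lines:
        server_conf += ''.join(push_lines)

    # Keep this dump above the inline <tls-auth>/<key> blocks so key
    # material never reaches the server output log.
    if self.server.debug:
        self.server.output.push_message('Server conf:')
        for conf_line in server_conf.split('\n'):
            if conf_line:
                self.server.output.push_message(' ' + conf_line)

    if settings.local.sub_plan == 'enterprise':
        returns = plugins.caller(
            'server_config',
            host_id=settings.local.host_id,
            host_name=settings.local.host.name,
            server_id=self.server.id,
            server_name=self.server.name,
            port=self.server.port,
            protocol=self.server.protocol,
            ipv6=self.server.ipv6,
            ipv6_firewall=self.server.ipv6_firewall,
            network=self.server.network,
            network6=self.server.network6,
            network_mode=self.server.network_mode,
            network_start=self.server.network_start,
            network_stop=self.server.network_end,
            restrict_routes=self.server.restrict_routes,
            bind_address=self.server.bind_address,
            onc_hostname=self.server.onc_hostname,
            dh_param_bits=self.server.dh_param_bits,
            multi_device=self.server.multi_device,
            dns_servers=self.server.dns_servers,
            search_domain=self.server.search_domain,
            otp_auth=self.server.otp_auth,
            cipher=self.server.cipher,
            hash=self.server.hash,
            inter_client=self.server.inter_client,
            ping_interval=self.server.ping_interval,
            ping_timeout=self.server.ping_timeout,
            link_ping_interval=self.server.link_ping_interval,
            link_ping_timeout=self.server.link_ping_timeout,
            max_clients=self.server.max_clients,
            replica_count=self.server.replica_count,
            dns_mapping=self.server.dns_mapping,
            debug=self.server.debug,
            routes=routes,
        )
        if returns:
            for return_val in returns:
                if not return_val:
                    continue
                # Each plugin fragment must be newline-terminated; the
                # original appended the literal text '/n', which glued the
                # last plugin line onto the <ca> block that follows.
                server_conf += return_val.strip() + '\n'

    server_conf += '<ca>\n%s\n</ca>\n' % self.server.ca_certificate

    if self.server.tls_auth:
        server_conf += 'key-direction 0\n<tls-auth>\n%s\n</tls-auth>\n' % (
            self.server.tls_auth_key)

    server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
        self.primary_user.certificate)
    server_conf += '<key>\n%s\n</key>\n' % self.primary_user.private_key
    server_conf += '<dh>\n%s\n</dh>\n' % self.server.dh_params

    # Create with 0600 from the start: open(path, 'w') followed by chmod
    # would leave the private key readable under the umask until the chmod
    # ran.  fchmod also tightens a pre-existing, more permissive file.
    fd = os.open(self.ovpn_conf_path,
        os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as ovpn_conf:
        os.fchmod(fd, 0o600)
        ovpn_conf.write(server_conf)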
def generate_client_conf(self, platform, client_id, virt_address, user,
        reauth):
    """Build the per-client OpenVPN directives returned at connect time.

    Two shapes are produced:

    * ``user.link_server_id`` set (the user is a server-to-server link
      peer): only ``iroute`` lines for the linked server's network and its
      local networks, so this server hands that traffic to the peer.
    * a regular user: default-route / DNS / domain pushes per the server
      settings, ``iroute`` lines for the user's own network links (each
      only after ``reserve_iroute`` grants it), and route pushes for the
      server's network links and linked servers.

    Args:
        platform: client platform string; ``'ios'`` gets two half-space
            routes instead of ``redirect-gateway``.
        client_id: passed to ``reserve_iroute`` and ``iroute_ping_thread``.
        virt_address: client virtual address, optionally ``addr/prefix``;
            only the address part is handed to the ping thread.
        user: the authenticating user.
        reauth: when True, the iroute ping thread is not started again.

    Returns:
        str: newline-terminated directives, possibly empty.

    NOTE(review): DNS servers and the search domain are interpolated into
    quoted ``push`` directives verbatim; they are admin-configured, but a
    value containing ``"`` or a newline would break the directive.
    """
    from pritunl.server.utils import get_by_id

    def iroute_for(net):
        """``iroute`` line for an IPv4 (network netmask) or IPv6 (cidr) net."""
        if ':' in net:
            return 'iroute-ipv6 %s\n' % net
        return 'iroute %s %s\n' % utils.parse_network(net)

    def push_route_for(net):
        """Pushed ``route`` line for an IPv4 or IPv6 network."""
        if ':' in net:
            return 'push "route-ipv6 %s"\n' % net
        return 'push "route %s %s"\n' % utils.parse_network(net)

    lines = []

    if user.link_server_id:
        peer = get_by_id(user.link_server_id, fields=(
            '_id', 'network', 'network_start', 'network_end',
            'local_networks'))
        # The peer's own VPN network is formatted as IPv4 (no ':' check).
        lines.append('iroute %s %s\n' % utils.parse_network(peer.network))
        lines.extend(iroute_for(net) for net in peer.local_networks)
        return ''.join(lines)

    if self.server.mode == ALL_TRAFFIC:
        if platform == 'ios':
            lines.append('push "route 0.0.0.0 128.0.0.0"\n')
            lines.append('push "route 128.0.0.0 128.0.0.0"\n')
        else:
            lines.append('push "redirect-gateway def1"\n')
        if self.server.ipv6:
            if platform != 'ios':
                lines.append('push "redirect-gateway-ipv6 def1"\n')
            lines.append('push "route-ipv6 2000::/3"\n')

    # With dns_mapping the VPN gateway itself is offered as the first
    # resolver, ahead of any configured servers.
    if self.server.dns_mapping:
        lines.append('push "dhcp-option DNS %s"\n' %
            utils.get_network_gateway(self.server.network))
    lines.extend('push "dhcp-option DNS %s"\n' % dns
        for dns in self.server.dns_servers)
    if self.server.search_domain:
        lines.append('push "dhcp-option DOMAIN %s"\n' %
            self.server.search_domain)
    lines.append('push "ip-win32 dynamic 0 3600"\n')

    # A client only gets an iroute for a network link once reserve_iroute
    # grants it; presumably this keeps two clients from claiming the same
    # subnet at once -- confirm against reserve_iroute.
    network_links = user.get_network_links()
    for net in network_links:
        if self.reserve_iroute(client_id, net, True):
            lines.append(iroute_for(net))

    if network_links and not reauth:
        pinger = threading.Thread(target=self.iroute_ping_thread,
            args=(client_id, virt_address.split('/')[0]))
        pinger.daemon = True
        pinger.start()

    lines.extend(push_route_for(net) for net in self.server.network_links)

    for link_svr in self.server.iter_links(fields=(
            '_id', 'network', 'local_networks', 'network_start',
            'network_end')):
        lines.append('push "route %s %s"\n' %
            utils.parse_network(link_svr.network))
        lines.extend(push_route_for(net) for net in link_svr.local_networks)

    return ''.join(lines)