def build_onc_archive(self):
temp_path = utils.get_temp_path()
key_archive_path = os.path.join(temp_path, '%s.zip' % self.id)
try:
os.makedirs(temp_path)
zip_file = zipfile.ZipFile(key_archive_path, 'w')
try:
user_cert_path = os.path.join(temp_path, '%s.crt' % self.id)
user_key_path = os.path.join(temp_path, '%s.key' % self.id)
user_p12_path = os.path.join(temp_path, '%s.p12' % self.id)
with open(user_cert_path, 'w') as user_cert:
user_cert.write(self.certificate)
with open(user_key_path, 'w') as user_key:
os.chmod(user_key_path, 0600)
user_key.write(self.private_key)
utils.check_output_logged([
'openssl',
'pkcs12',
'-export',
'-nodes',
'-password',
'pass:'******'-inkey',
user_key_path,
'-in',
user_cert_path,
'-out',
user_p12_path,
])
zip_file.write(user_p12_path, arcname='%s.p12' % self.name)
os.remove(user_cert_path)
os.remove(user_key_path)
os.remove(user_p12_path)
for svr in self.iter_servers():
server_conf_path = os.path.join(
temp_path, '%s_%s.onc' % (self.id, svr.id))
conf_name, client_conf = self._generate_onc(svr)
if not client_conf:
continue
with open(server_conf_path, 'w') as ovpn_conf:
ovpn_conf.write(client_conf)
zip_file.write(server_conf_path, arcname=conf_name)
os.remove(server_conf_path)
finally:
zip_file.close()
with open(key_archive_path, 'r') as archive_file:
key_archive = archive_file.read()
finally:
utils.rmtree(temp_path)
return key_archive
def build_key_zip_archive(self):
temp_path = utils.get_temp_path()
key_archive_path = os.path.join(temp_path, '%s.zip' % self.id)
try:
os.makedirs(temp_path)
zip_file = zipfile.ZipFile(key_archive_path, 'w')
try:
for svr in self.org.iter_servers():
server_conf_path = os.path.join(temp_path,
'%s_%s.ovpn' % (self.id, svr.id))
conf_name, client_conf, conf_hash = self._generate_conf(
svr)
with open(server_conf_path, 'w') as ovpn_conf:
os.chmod(server_conf_path, 0600)
ovpn_conf.write(client_conf)
zip_file.write(server_conf_path, arcname=conf_name)
os.remove(server_conf_path)
finally:
zip_file.close()
with open(key_archive_path, 'r') as archive_file:
key_archive = archive_file.read()
finally:
utils.rmtree(temp_path)
return key_archive
def build_key_tar_archive(self):
temp_path = utils.get_temp_path()
key_archive_path = os.path.join(temp_path, "%s.tar" % self.id)
try:
os.makedirs(temp_path)
tar_file = tarfile.open(key_archive_path, "w")
try:
for svr in self.org.iter_servers():
server_conf_path = os.path.join(temp_path, "%s_%s.ovpn" % (self.id, svr.id))
conf_name, client_conf, conf_hash = self._generate_conf(svr)
with open(server_conf_path, "w") as ovpn_conf:
os.chmod(server_conf_path, 0600)
ovpn_conf.write(client_conf)
tar_file.add(server_conf_path, arcname=conf_name)
os.remove(server_conf_path)
finally:
tar_file.close()
with open(key_archive_path, "r") as archive_file:
key_archive = archive_file.read()
finally:
utils.rmtree(temp_path)
return key_archive
def build_key_tar_archive(self):
temp_path = utils.get_temp_path()
key_archive_path = os.path.join(temp_path, '%s.tar' % self.id)
try:
os.makedirs(temp_path)
tar_file = tarfile.open(key_archive_path, 'w')
try:
for svr in self.iter_servers():
server_conf_path = os.path.join(
temp_path, '%s_%s.ovpn' % (self.id, svr.id))
conf_name, client_conf, conf_hash = self._generate_conf(
svr)
with open(server_conf_path, 'w') as ovpn_conf:
os.chmod(server_conf_path, 0600)
ovpn_conf.write(client_conf)
tar_file.add(server_conf_path, arcname=conf_name)
os.remove(server_conf_path)
finally:
tar_file.close()
with open(key_archive_path, 'r') as archive_file:
key_archive = archive_file.read()
finally:
utils.rmtree(temp_path)
return key_archive
def build_key_zip_archive(self):
temp_path = utils.get_temp_path()
key_archive_path = os.path.join(temp_path, '%s.zip' % self.id)
try:
os.makedirs(temp_path)
zip_file = zipfile.ZipFile(key_archive_path, 'w')
try:
for svr in self.iter_servers():
if not svr.check_groups(self.groups):
continue
server_conf_path = os.path.join(
temp_path, '%s_%s.ovpn' % (self.id, svr.id))
conf_name, client_conf, conf_hash = self._generate_conf(
svr)
with open(server_conf_path, 'w') as ovpn_conf:
os.chmod(server_conf_path, 0600)
ovpn_conf.write(client_conf)
zip_file.write(server_conf_path, arcname=conf_name)
os.remove(server_conf_path)
finally:
zip_file.close()
with open(key_archive_path, 'r') as archive_file:
key_archive = archive_file.read()
finally:
utils.rmtree(temp_path)
return key_archive
def generate_tls_auth_wait(self):
try:
return_code = self.tls_auth_process.wait()
if return_code:
raise ValueError("Popen returned " + "error exit code %r" % return_code)
self.read_file("tls_auth_key", self.tls_auth_path)
finally:
utils.rmtree(self.tls_auth_temp_path)
def generate_tls_auth_wait(self):
try:
return_code = self.tls_auth_process.wait()
if return_code:
raise ValueError('Popen returned ' +
'error exit code %r' % return_code)
self.read_file('tls_auth_key', self.tls_auth_path)
finally:
utils.rmtree(self.tls_auth_temp_path)
def build_onc_archive(self):
temp_path = utils.get_temp_path()
key_archive_path = os.path.join(temp_path, '%s.zip' % self.id)
try:
os.makedirs(temp_path)
zip_file = zipfile.ZipFile(key_archive_path, 'w')
try:
user_cert_path = os.path.join(temp_path, '%s.crt' % self.id)
user_key_path = os.path.join(temp_path, '%s.key' % self.id)
user_p12_path = os.path.join(temp_path, '%s.p12' % self.id)
with open(user_cert_path, 'w') as user_cert:
user_cert.write(self.certificate)
with open(user_key_path, 'w') as user_key:
os.chmod(user_key_path, 0600)
user_key.write(self.private_key)
utils.check_output_logged([
'openssl',
'pkcs12',
'-export',
'-nodes',
'-password', 'pass:'******'-inkey', user_key_path,
'-in', user_cert_path,
'-out', user_p12_path
])
zip_file.write(user_p12_path, arcname='%s.p12' % self.name)
os.remove(user_cert_path)
os.remove(user_key_path)
os.remove(user_p12_path)
for svr in self.org.iter_servers():
server_conf_path = os.path.join(temp_path,
'%s_%s.onc' % (self.id, svr.id))
conf_name, client_conf = self._generate_onc(svr)
if not client_conf:
continue
with open(server_conf_path, 'w') as ovpn_conf:
ovpn_conf.write(client_conf)
zip_file.write(server_conf_path, arcname=conf_name)
os.remove(server_conf_path)
finally:
zip_file.close()
with open(key_archive_path, 'r') as archive_file:
key_archive = archive_file.read()
finally:
utils.rmtree(temp_path)
return key_archive
def task(self):
logger.debug('Generating server dh params', 'server',
queue_id=self.id,
dh_param_bits=self.dh_param_bits,
)
self.queue_com.wait_status()
temp_path = utils.get_temp_path()
dh_param_path = os.path.join(temp_path, DH_PARAM_NAME)
try:
os.makedirs(temp_path)
args = [
'openssl', 'dhparam',
'-out', dh_param_path,
str(self.dh_param_bits),
]
self.queue_com.popen(args)
self.read_file('dh_params', dh_param_path)
finally:
utils.rmtree(temp_path)
self.queue_com.wait_status()
if not self.server_id:
self.load()
if self.reserve_data:
self.server_id = self.reserve_data['server_id']
if self.server_id:
response = self.server_collection.update({
'_id': self.server_id,
'dh_param_bits': self.dh_param_bits,
}, {'$set': {
'dh_params': self.dh_params,
}})
if response['updatedExisting']:
logger.debug('Set queued server dh params', 'server',
queue_id=self.id,
dh_param_bits=self.dh_param_bits,
)
event.Event(type=SERVERS_UPDATED)
return
logger.debug('Adding pooled dh params', 'server',
queue_id=self.id,
dh_param_bits=self.dh_param_bits,
)
self.dh_params_collection.insert({
'dh_param_bits': self.dh_param_bits,
'dh_params': self.dh_params,
})
def task(self):
logger.debug('Generating server dh params', 'server',
queue_id=self.id,
dh_param_bits=self.dh_param_bits,
)
self.queue_com.wait_status()
temp_path = utils.get_temp_path()
dh_param_path = os.path.join(temp_path, DH_PARAM_NAME)
try:
os.makedirs(temp_path)
args = [
'openssl', 'dhparam',
'-out', dh_param_path,
str(self.dh_param_bits),
]
self.queue_com.popen(args)
self.read_file('dh_params', dh_param_path)
finally:
utils.rmtree(temp_path)
self.queue_com.wait_status()
if not self.server_id:
self.load()
if self.reserve_data:
self.server_id = self.reserve_data['server_id']
if self.server_id:
response = self.server_collection.update({
'_id': self.server_id,
'dh_param_bits': self.dh_param_bits,
}, {'$set': {
'dh_params': self.dh_params,
}})
if response['updatedExisting']:
logger.debug('Set queued server dh params', 'server',
queue_id=self.id,
dh_param_bits=self.dh_param_bits,
)
event.Event(type=SERVERS_UPDATED)
return
logger.debug('Adding pooled dh params', 'server',
queue_id=self.id,
dh_param_bits=self.dh_param_bits,
)
self.dh_params_collection.insert({
'dh_param_bits': self.dh_param_bits,
'dh_params': self.dh_params,
})
def generate_tls_auth_start(self):
self.tls_auth_temp_path = utils.get_temp_path()
self.tls_auth_path = os.path.join(self.tls_auth_temp_path, TLS_AUTH_NAME)
os.makedirs(self.tls_auth_temp_path)
args = ["openvpn", "--genkey", "--secret", self.tls_auth_path]
try:
self.tls_auth_process = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
except:
utils.rmtree(self.tls_auth_temp_path)
raise
def openvpn_watch(self):
try:
while True:
while True:
line = self.process.stdout.readline()
if not line:
if self.process.poll() is not None:
break
else:
time.sleep(0.05)
continue
yield
try:
self.server.output_link.push_output(
line,
label=self.output_label,
link_server_id=self.linked_server.id,
)
except:
logger.exception(
'Failed to push link vpn ' + 'output',
'server',
server_id=self.server.id,
)
yield
if self.stop_event.is_set():
break
else:
logger.error(
'Server instance link stopped ' +
'unexpectedly, restarting link',
'server',
server_id=self.server.id,
link_server_id=self.linked_server.id,
)
self.openvpn_start()
yield interrupter_sleep(1)
yield
finally:
if self.interface:
utils.interface_release(
'tap' if self.linked_server.network_mode == BRIDGE \
else 'tun',
self.interface)
self.interface = None
utils.rmtree(self._temp_path)
def openvpn_watch(self):
try:
while True:
while True:
line = self.process.stdout.readline()
if not line:
if self.process.poll() is not None:
break
else:
time.sleep(0.05)
continue
yield
try:
self.server.output_link.push_output(
line,
label=self.output_label,
link_server_id=self.linked_server.id,
)
except:
logger.exception('Failed to push link vpn ' +
'output', 'server',
server_id=self.server.id,
)
yield
if self.stop_event.is_set():
break
else:
logger.error('Server instance link stopped ' +
'unexpectedly, restarting link', 'server',
server_id=self.server.id,
link_server_id=self.linked_server.id,
)
self.openvpn_start()
yield interrupter_sleep(1)
yield
finally:
if self.interface:
utils.interface_release(
'tap' if self.linked_server.network_mode == BRIDGE \
else 'tun',
self.interface)
self.interface = None
utils.rmtree(self._temp_path)
def generate_tls_auth_start(self):
self.tls_auth_temp_path = utils.get_temp_path()
self.tls_auth_path = os.path.join(
self.tls_auth_temp_path, TLS_AUTH_NAME)
os.makedirs(self.tls_auth_temp_path)
args = [
'openvpn', '--genkey',
'--secret', self.tls_auth_path,
]
try:
self.tls_auth_process = subprocess.Popen(args,
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
except:
utils.rmtree(self.tls_auth_temp_path)
raise
def build_key_archive(self):
temp_path = utils.get_temp_path()
key_archive_path = os.path.join(temp_path, '%s.tar' % self.id)
try:
os.makedirs(temp_path)
tar_file = tarfile.open(key_archive_path, 'w')
try:
for server in self.org.iter_servers():
server_conf_path = os.path.join(
temp_path, '%s_%s.ovpn' % (self.id, server.id))
server_conf_arcname = '%s_%s_%s.ovpn' % (
self.org.name, self.name, server.name)
server.generate_ca_cert()
client_conf = OVPN_INLINE_CLIENT_CONF % (
self._get_key_info_str(self.name, self.org.name,
server.name),
server.protocol,
server.public_address,
server.port,
)
if server.otp_auth:
client_conf += 'auth-user-pass\n'
client_conf += '<ca>\n%s\n</ca>\n' % utils.get_cert_block(
server.ca_certificate)
client_conf += ('<cert>\n%s\n' + \
'</cert>\n') % utils.get_cert_block(self.certificate)
client_conf += '<key>\n%s\n</key>\n' % (
self.private_key.strip())
with open(server_conf_path, 'w') as ovpn_conf:
os.chmod(server_conf_path, 0600)
ovpn_conf.write(client_conf)
tar_file.add(server_conf_path, arcname=server_conf_arcname)
os.remove(server_conf_path)
finally:
tar_file.close()
with open(key_archive_path, 'r') as archive_file:
key_archive = archive_file.read()
finally:
utils.rmtree(temp_path)
return key_archive
def build_key_archive(self):
temp_path = utils.get_temp_path()
key_archive_path = os.path.join(temp_path, '%s.tar' % self.id)
try:
os.makedirs(temp_path)
tar_file = tarfile.open(key_archive_path, 'w')
try:
for server in self.org.iter_servers():
server_conf_path = os.path.join(temp_path,
'%s_%s.ovpn' % (self.id, server.id))
server_conf_arcname = '%s_%s_%s.ovpn' % (
self.org.name, self.name, server.name)
server.generate_ca_cert()
client_conf = OVPN_INLINE_CLIENT_CONF % (
self._get_key_info_str(
self.name, self.org.name, server.name),
server.protocol,
server.public_address, server.port,
)
if server.otp_auth:
client_conf += 'auth-user-pass\n'
client_conf += '<ca>\n%s\n</ca>\n' % utils.get_cert_block(
server.ca_certificate)
client_conf += ('<cert>\n%s\n' + \
'</cert>\n') % utils.get_cert_block(self.certificate)
client_conf += '<key>\n%s\n</key>\n' % (
self.private_key.strip())
with open(server_conf_path, 'w') as ovpn_conf:
os.chmod(server_conf_path, 0600)
ovpn_conf.write(client_conf)
tar_file.add(server_conf_path, arcname=server_conf_arcname)
os.remove(server_conf_path)
finally:
tar_file.close()
with open(key_archive_path, 'r') as archive_file:
key_archive = archive_file.read()
finally:
utils.rmtree(temp_path)
return key_archive
def archive_log(self, archive_path):
temp_path = utils.get_temp_path()
if os.path.isdir(archive_path):
archive_path = os.path.join(
archive_path, LOG_ARCHIVE_NAME + '.tar')
output_path = os.path.join(temp_path, LOG_ARCHIVE_NAME)
try:
os.makedirs(temp_path)
tar_file = tarfile.open(archive_path, 'w')
try:
with open(output_path, 'w') as log_file:
log_file.write(self.get_log_lines(False))
tar_file.add(output_path, arcname=LOG_ARCHIVE_NAME)
finally:
tar_file.close()
finally:
utils.rmtree(temp_path)
return archive_path
def archive_log(self, archive_path, limit):
temp_path = utils.get_temp_path()
if os.path.isdir(archive_path):
archive_path = os.path.join(archive_path,
LOG_ARCHIVE_NAME + '.tar')
output_path = os.path.join(temp_path, LOG_ARCHIVE_NAME)
try:
os.makedirs(temp_path)
tar_file = tarfile.open(archive_path, 'w')
try:
with open(output_path, 'w') as log_file:
log_file.write(self.get_log_lines(limit, False))
tar_file.add(output_path, arcname=LOG_ARCHIVE_NAME)
finally:
tar_file.close()
finally:
utils.rmtree(temp_path)
return archive_path
def task(self):
logger.debug("Generating server dh params", "server", queue_id=self.id, dh_param_bits=self.dh_param_bits)
self.queue_com.wait_status()
temp_path = utils.get_temp_path()
dh_param_path = os.path.join(temp_path, DH_PARAM_NAME)
try:
os.makedirs(temp_path)
args = ["openssl", "dhparam", "-out", dh_param_path, str(self.dh_param_bits)]
self.queue_com.popen(args)
self.read_file("dh_params", dh_param_path)
finally:
utils.rmtree(temp_path)
self.queue_com.wait_status()
if not self.server_id:
self.load()
if self.reserve_data:
self.server_id = self.reserve_data["server_id"]
if self.server_id:
response = self.server_collection.update(
{"_id": self.server_id, "dh_param_bits": self.dh_param_bits}, {"$set": {"dh_params": self.dh_params}}
)
if response["updatedExisting"]:
logger.debug(
"Set queued server dh params", "server", queue_id=self.id, dh_param_bits=self.dh_param_bits
)
event.Event(type=SERVERS_UPDATED)
return
logger.debug("Adding pooled dh params", "server", queue_id=self.id, dh_param_bits=self.dh_param_bits)
self.dh_params_collection.insert({"dh_param_bits": self.dh_param_bits, "dh_params": self.dh_params})
def _run_thread(self, send_events):
from pritunl.server.utils import get_by_id
logger.info('Starting vpn server', 'server',
server_id=self.server.id,
instance_id=self.id,
network=self.server.network,
network6=self.server.network6,
host_address=settings.local.host.local_addr,
host_address6=settings.local.host.local_addr6,
host_networks=settings.local.host.local_networks,
cur_timestamp=utils.now(),
)
self.resources_acquire()
try:
cursor_id = self.get_cursor_id()
os.makedirs(self._temp_path)
self.enable_ip_forwarding()
self.bridge_start()
if self.server.replicating and self.server.vxlan:
try:
self.vxlan = vxlan.get_vxlan(self.server.id)
self.vxlan.start()
except:
logger.exception('Failed to setup server vxlan', 'vxlan',
server_id=self.server.id,
instance_id=self.id,
)
self.generate_ovpn_conf()
self.generate_iptables_rules()
self.iptables.upsert_rules()
self.init_route_advertisements()
self.process = self.openvpn_start()
self.start_threads(cursor_id)
self.instance_com = ServerInstanceCom(self.server, self)
self.instance_com.start()
self.publish('started')
if send_events:
event.Event(type=SERVERS_UPDATED)
event.Event(type=SERVER_HOSTS_UPDATED,
resource_id=self.server.id)
for org_id in self.server.organizations:
event.Event(type=USERS_UPDATED, resource_id=org_id)
for link_doc in self.server.links:
if self.server.id > link_doc['server_id']:
instance_link = ServerInstanceLink(
server=self.server,
linked_server=get_by_id(link_doc['server_id']),
)
self.server_links.append(instance_link)
instance_link.start()
plugins.caller(
'server_start',
host_id=settings.local.host_id,
host_name=settings.local.host.name,
server_id=self.server.id,
server_name=self.server.name,
port=self.server.port,
protocol=self.server.protocol,
ipv6=self.server.ipv6,
ipv6_firewall=self.server.ipv6_firewall,
network=self.server.network,
network6=self.server.network6,
network_mode=self.server.network_mode,
network_start=self.server.network_start,
network_stop=self.server.network_end,
restrict_routes=self.server.restrict_routes,
bind_address=self.server.bind_address,
onc_hostname=self.server.onc_hostname,
dh_param_bits=self.server.dh_param_bits,
multi_device=self.server.multi_device,
dns_servers=self.server.dns_servers,
search_domain=self.server.search_domain,
otp_auth=self.server.otp_auth,
cipher=self.server.cipher,
hash=self.server.hash,
inter_client=self.server.inter_client,
ping_interval=self.server.ping_interval,
ping_timeout=self.server.ping_timeout,
link_ping_interval=self.server.link_ping_interval,
link_ping_timeout=self.server.link_ping_timeout,
allowed_devices=self.server.allowed_devices,
max_clients=self.server.max_clients,
replica_count=self.server.replica_count,
dns_mapping=self.server.dns_mapping,
debug=self.server.debug,
interface=self.interface,
bridge_interface=self.bridge_interface,
vxlan=self.vxlan,
)
try:
self.openvpn_watch()
finally:
plugins.caller(
'server_stop',
host_id=settings.local.host_id,
host_name=settings.local.host.name,
server_id=self.server.id,
server_name=self.server.name,
port=self.server.port,
protocol=self.server.protocol,
ipv6=self.server.ipv6,
ipv6_firewall=self.server.ipv6_firewall,
network=self.server.network,
network6=self.server.network6,
network_mode=self.server.network_mode,
network_start=self.server.network_start,
network_stop=self.server.network_end,
restrict_routes=self.server.restrict_routes,
bind_address=self.server.bind_address,
onc_hostname=self.server.onc_hostname,
dh_param_bits=self.server.dh_param_bits,
multi_device=self.server.multi_device,
dns_servers=self.server.dns_servers,
search_domain=self.server.search_domain,
otp_auth=self.server.otp_auth,
cipher=self.server.cipher,
hash=self.server.hash,
inter_client=self.server.inter_client,
ping_interval=self.server.ping_interval,
ping_timeout=self.server.ping_timeout,
link_ping_interval=self.server.link_ping_interval,
link_ping_timeout=self.server.link_ping_timeout,
allowed_devices=self.server.allowed_devices,
max_clients=self.server.max_clients,
replica_count=self.server.replica_count,
dns_mapping=self.server.dns_mapping,
debug=self.server.debug,
interface=self.interface,
bridge_interface=self.bridge_interface,
vxlan=self.vxlan,
)
self.interrupt = True
self.bridge_stop()
self.iptables.clear_rules()
self.resources_release()
if not self.clean_exit:
event.Event(type=SERVERS_UPDATED)
self.server.send_link_events()
logger.LogEntry(
message='Server stopped unexpectedly "%s".' % (
self.server.name))
except:
logger.exception('Server error occurred while running', 'server',
server_id=self.server.id,
)
try:
self.interrupt = True
self.stop_process()
except:
logger.exception('Server stop error', 'server',
server_id=self.server.id,
)
finally:
try:
if self.resource_lock:
self.bridge_stop()
self.iptables.clear_rules()
except:
logger.exception('Server resource error', 'server',
server_id=self.server.id,
)
try:
self.resources_release()
self.stop_threads()
self.collection.update({
'_id': self.server.id,
'instances.instance_id': self.id,
}, {
'$pull': {
'instances': {
'instance_id': self.id,
},
},
'$inc': {
'instances_count': -1,
},
})
utils.rmtree(self._temp_path)
except:
logger.exception('Server clean up error', 'server',
server_id=self.server.id,
)
def build_onc(self):
temp_path = utils.get_temp_path()
try:
os.makedirs(temp_path)
user_cert_path = os.path.join(temp_path, '%s.crt' % self.id)
user_key_path = os.path.join(temp_path, '%s.key' % self.id)
user_p12_path = os.path.join(temp_path, '%s.p12' % self.id)
with open(user_cert_path, 'w') as user_cert:
user_cert.write(self.certificate)
with open(user_key_path, 'w') as user_key:
os.chmod(user_key_path, 0600)
user_key.write(self.private_key)
utils.check_output_logged([
'openssl',
'pkcs12',
'-export',
'-nodes',
'-password',
'pass:'******'-inkey',
user_key_path,
'-in',
user_cert_path,
'-out',
user_p12_path,
])
with open(user_p12_path, 'r') as user_key_p12:
user_key_base64 = base64.b64encode(user_key_p12.read())
user_cert_id = '{%s}' % hashlib.md5(
user_key_base64).hexdigest()
os.remove(user_cert_path)
os.remove(user_key_path)
os.remove(user_p12_path)
onc_nets = ''
onc_certs_store = {}
for svr in self.iter_servers():
onc_net, onc_certs = self._generate_onc(svr, user_cert_id)
if not onc_net:
continue
onc_certs_store.update(onc_certs)
onc_nets += onc_net + ',\n'
onc_nets = onc_nets[:-2]
if onc_nets == '':
return None
onc_certs = ''
for cert_id, cert in onc_certs_store.items():
onc_certs += OVPN_ONC_CA_CERT % (cert_id, cert) + ',\n'
onc_certs += OVPN_ONC_CLIENT_CERT % (user_cert_id, user_key_base64)
onc_conf = OVPN_ONC_CLIENT_CONF % (onc_nets, onc_certs)
finally:
utils.rmtree(temp_path)
return onc_conf
def build_onc(self):
temp_path = utils.get_temp_path()
try:
os.makedirs(temp_path)
user_cert_path = os.path.join(temp_path, '%s.crt' % self.id)
user_key_path = os.path.join(temp_path, '%s.key' % self.id)
user_p12_path = os.path.join(temp_path, '%s.p12' % self.id)
with open(user_cert_path, 'w') as user_cert:
user_cert.write(self.certificate)
with open(user_key_path, 'w') as user_key:
os.chmod(user_key_path, 0600)
user_key.write(self.private_key)
utils.check_output_logged([
'openssl',
'pkcs12',
'-export',
'-nodes',
'-password', 'pass:'******'-inkey', user_key_path,
'-in', user_cert_path,
'-out', user_p12_path,
])
with open(user_p12_path, 'r') as user_key_p12:
user_key_base64 = base64.b64encode(user_key_p12.read())
user_cert_id = '{%s}' % hashlib.md5(
user_key_base64).hexdigest()
os.remove(user_cert_path)
os.remove(user_key_path)
os.remove(user_p12_path)
onc_nets = ''
onc_certs_store = {}
for svr in self.iter_servers():
onc_net, onc_certs = self._generate_onc(
svr, user_cert_id)
if not onc_net:
continue
onc_certs_store.update(onc_certs)
onc_nets += onc_net + ',\n'
onc_nets = onc_nets[:-2]
if onc_nets == '':
return None
onc_certs = ''
for cert_id, cert in onc_certs_store.items():
onc_certs += OVPN_ONC_CA_CERT % (cert_id, cert) + ',\n'
onc_certs += OVPN_ONC_CLIENT_CERT % (
user_cert_id, user_key_base64)
onc_conf = OVPN_ONC_CLIENT_CONF % (onc_nets, onc_certs)
finally:
utils.rmtree(temp_path)
return onc_conf
def _run_thread(self, send_events):
from pritunl.server.utils import get_by_id
logger.debug('Starting ovpn process', 'server',
server_id=self.server.id,
)
self.resources_acquire()
try:
cursor_id = self.get_cursor_id()
os.makedirs(self._temp_path)
self.generate_ovpn_conf()
self.enable_ip_forwarding()
self.set_iptables_rules()
self.process = self.openvpn_start()
if not self.process:
return
self.start_threads(cursor_id)
self.instance_com = ServerInstanceCom(self.server, self)
self.instance_com.start()
self.publish('started')
if send_events:
event.Event(type=SERVERS_UPDATED)
event.Event(type=SERVER_HOSTS_UPDATED,
resource_id=self.server.id)
for org_id in self.server.organizations:
event.Event(type=USERS_UPDATED, resource_id=org_id)
for link_doc in self.server.links:
if self.server.id > link_doc['server_id']:
instance_link = ServerInstanceLink(
server=self.server,
linked_server=get_by_id(link_doc['server_id']),
)
self.server_links.append(instance_link)
instance_link.start()
self.openvpn_watch()
self.interrupt = True
self.clear_iptables_rules()
self.resources_release()
if not self.clean_exit:
event.Event(type=SERVERS_UPDATED)
self.server.send_link_events()
logger.LogEntry(message='Server stopped unexpectedly "%s".' % (
self.server.name))
except:
self.interrupt = True
if self.resource_lock:
self.clear_iptables_rules()
self.resources_release()
logger.exception('Server error occurred while running', 'server',
server_id=self.server.id,
)
finally:
self.stop_threads()
self.collection.update({
'_id': self.server.id,
'instances.instance_id': self.id,
}, {
'$pull': {
'instances': {
'instance_id': self.id,
},
},
'$inc': {
'instances_count': -1,
},
})
utils.rmtree(self._temp_path)
def initialize(self):
temp_path = utils.get_temp_path()
index_path = os.path.join(temp_path, INDEX_NAME)
index_attr_path = os.path.join(temp_path, INDEX_ATTR_NAME)
serial_path = os.path.join(temp_path, SERIAL_NAME)
ssl_conf_path = os.path.join(temp_path, OPENSSL_NAME)
reqs_path = os.path.join(temp_path, '%s.csr' % self.id)
key_path = os.path.join(temp_path, '%s.key' % self.id)
cert_path = os.path.join(temp_path, '%s.crt' % self.id)
ca_name = self.id if self.type == CERT_CA else 'ca'
ca_cert_path = os.path.join(temp_path, '%s.crt' % ca_name)
ca_key_path = os.path.join(temp_path, '%s.key' % ca_name)
self.org.queue_com.wait_status()
try:
os.makedirs(temp_path)
with open(index_path, 'a'):
os.utime(index_path, None)
with open(index_attr_path, 'a'):
os.utime(index_attr_path, None)
with open(serial_path, 'w') as serial_file:
serial_hex = ('%x' % utils.fnv64a(str(self.id))).upper()
if len(serial_hex) % 2:
serial_hex = '0' + serial_hex
serial_file.write('%s\n' % serial_hex)
with open(ssl_conf_path, 'w') as conf_file:
conf_file.write(CERT_CONF % (
settings.user.cert_key_bits,
settings.user.cert_message_digest,
self.org.id,
self.id,
index_path,
serial_path,
temp_path,
ca_cert_path,
ca_key_path,
settings.user.cert_message_digest,
))
self.org.queue_com.wait_status()
if self.type != CERT_CA:
self.org.write_file('ca_certificate', ca_cert_path, chmod=0600)
self.org.write_file('ca_private_key', ca_key_path, chmod=0600)
self.generate_otp_secret()
try:
args = [
'openssl',
'req',
'-new',
'-batch',
'-config',
ssl_conf_path,
'-out',
reqs_path,
'-keyout',
key_path,
'-reqexts',
'%s_req_ext' % self.type.replace('_pool', ''),
]
self.org.queue_com.popen(args)
except (OSError, ValueError):
logger.exception(
'Failed to create user cert requests',
'user',
org_id=self.org.id,
user_id=self.id,
)
raise
self.read_file('private_key', key_path)
try:
args = ['openssl', 'ca', '-batch']
if self.type == CERT_CA:
args += ['-selfsign']
args += [
'-config',
ssl_conf_path,
'-in',
reqs_path,
'-out',
cert_path,
'-extensions',
'%s_ext' % self.type.replace('_pool', ''),
]
self.org.queue_com.popen(args)
except (OSError, ValueError):
logger.exception(
'Failed to create user cert',
'user',
org_id=self.org.id,
user_id=self.id,
)
raise
self.read_file('certificate', cert_path)
finally:
try:
utils.rmtree(temp_path)
except subprocess.CalledProcessError:
pass
self.org.queue_com.wait_status()
# If assign ip addr fails it will be corrected in ip sync task
try:
self.assign_ip_addr()
except:
logger.exception(
'Failed to assign users ip address',
'user',
org_id=self.org.id,
user_id=self.id,
)
def _run_thread(self, send_events):
from pritunl.server.utils import get_by_id
logger.debug(
'Starting ovpn process',
'server',
server_id=self.server.id,
)
self.resources_acquire()
try:
cursor_id = self.get_cursor_id()
os.makedirs(self._temp_path)
self.generate_ovpn_conf()
self.enable_ip_forwarding()
self.set_iptables_rules()
self.process = self.openvpn_start()
if not self.process:
return
self.start_threads(cursor_id)
self.instance_com = ServerInstanceCom(self.server, self)
self.instance_com.start()
self.publish('started')
if send_events:
event.Event(type=SERVERS_UPDATED)
event.Event(type=SERVER_HOSTS_UPDATED,
resource_id=self.server.id)
for org_id in self.server.organizations:
event.Event(type=USERS_UPDATED, resource_id=org_id)
for link_doc in self.server.links:
if self.server.id > link_doc['server_id']:
instance_link = ServerInstanceLink(
server=self.server,
linked_server=get_by_id(link_doc['server_id']),
)
self.server_links.append(instance_link)
instance_link.start()
self.openvpn_watch()
self.interrupt = True
self.clear_iptables_rules()
self.resources_release()
if not self.clean_exit:
event.Event(type=SERVERS_UPDATED)
self.server.send_link_events()
logger.LogEntry(message='Server stopped unexpectedly "%s".' %
(self.server.name))
except:
self.interrupt = True
if self.resource_lock:
self.clear_iptables_rules()
self.resources_release()
logger.exception(
'Server error occurred while running',
'server',
server_id=self.server.id,
)
finally:
self.stop_threads()
self.collection.update(
{
'_id': self.server.id,
'instances.instance_id': self.id,
}, {
'$pull': {
'instances': {
'instance_id': self.id,
},
},
'$inc': {
'instances_count': -1,
},
})
utils.rmtree(self._temp_path)
def initialize(self):
temp_path = utils.get_temp_path()
index_path = os.path.join(temp_path, INDEX_NAME)
index_attr_path = os.path.join(temp_path, INDEX_ATTR_NAME)
serial_path = os.path.join(temp_path, SERIAL_NAME)
ssl_conf_path = os.path.join(temp_path, OPENSSL_NAME)
reqs_path = os.path.join(temp_path, '%s.csr' % self.id)
key_path = os.path.join(temp_path, '%s.key' % self.id)
cert_path = os.path.join(temp_path, '%s.crt' % self.id)
ca_name = self.id if self.type == CERT_CA else 'ca'
ca_cert_path = os.path.join(temp_path, '%s.crt' % ca_name)
ca_key_path = os.path.join(temp_path, '%s.key' % ca_name)
self.org.queue_com.wait_status()
try:
os.makedirs(temp_path)
with open(index_path, 'a'):
os.utime(index_path, None)
with open(index_attr_path, 'a'):
os.utime(index_attr_path, None)
with open(serial_path, 'w') as serial_file:
serial_hex = ('%x' % utils.fnv64a(str(self.id))).upper()
if len(serial_hex) % 2:
serial_hex = '0' + serial_hex
serial_file.write('%s\n' % serial_hex)
with open(ssl_conf_path, 'w') as conf_file:
conf_file.write(CERT_CONF % (
settings.user.cert_key_bits,
settings.user.cert_message_digest,
self.org.id,
self.id,
index_path,
serial_path,
temp_path,
ca_cert_path,
ca_key_path,
settings.user.cert_message_digest,
))
self.org.queue_com.wait_status()
if self.type != CERT_CA:
self.org.write_file('ca_certificate', ca_cert_path, chmod=0600)
self.org.write_file('ca_private_key', ca_key_path, chmod=0600)
self.generate_otp_secret()
try:
args = [
'openssl', 'req', '-new', '-batch',
'-config', ssl_conf_path,
'-out', reqs_path,
'-keyout', key_path,
'-reqexts', '%s_req_ext' % self.type.replace('_pool', ''),
]
self.org.queue_com.popen(args)
except (OSError, ValueError):
logger.exception('Failed to create user cert requests', 'user',
org_id=self.org.id,
user_id=self.id,
)
raise
self.read_file('private_key', key_path)
try:
args = ['openssl', 'ca', '-batch']
if self.type == CERT_CA:
args += ['-selfsign']
args += [
'-config', ssl_conf_path,
'-in', reqs_path,
'-out', cert_path,
'-extensions', '%s_ext' % self.type.replace('_pool', ''),
]
self.org.queue_com.popen(args)
except (OSError, ValueError):
logger.exception('Failed to create user cert', 'user',
org_id=self.org.id,
user_id=self.id,
)
raise
self.read_file('certificate', cert_path)
finally:
try:
utils.rmtree(temp_path)
except subprocess.CalledProcessError:
pass
self.org.queue_com.wait_status()
# If assign ip addr fails it will be corrected in ip sync task
try:
self.assign_ip_addr()
except:
logger.exception('Failed to assign users ip address', 'user',
org_id=self.org.id,
user_id=self.id,
)
def build_onc_archive(self):
temp_path = utils.get_temp_path()
key_archive_path = os.path.join(temp_path, "%s.zip" % self.id)
try:
os.makedirs(temp_path)
zip_file = zipfile.ZipFile(key_archive_path, "w")
try:
user_cert_path = os.path.join(temp_path, "%s.crt" % self.id)
user_key_path = os.path.join(temp_path, "%s.key" % self.id)
user_p12_path = os.path.join(temp_path, "%s.p12" % self.id)
with open(user_cert_path, "w") as user_cert:
user_cert.write(self.certificate)
with open(user_key_path, "w") as user_key:
os.chmod(user_key_path, 0600)
user_key.write(self.private_key)
utils.check_output_logged(
[
"openssl",
"pkcs12",
"-export",
"-nodes",
"-password",
"pass:"******"-inkey",
user_key_path,
"-in",
user_cert_path,
"-out",
user_p12_path,
]
)
zip_file.write(user_p12_path, arcname="%s.p12" % self.name)
os.remove(user_cert_path)
os.remove(user_key_path)
os.remove(user_p12_path)
for svr in self.org.iter_servers():
server_conf_path = os.path.join(temp_path, "%s_%s.onc" % (self.id, svr.id))
conf_name, client_conf = self._generate_onc(svr)
if not client_conf:
continue
with open(server_conf_path, "w") as ovpn_conf:
ovpn_conf.write(client_conf)
zip_file.write(server_conf_path, arcname=conf_name)
os.remove(server_conf_path)
finally:
zip_file.close()
with open(key_archive_path, "r") as archive_file:
key_archive = archive_file.read()
finally:
utils.rmtree(temp_path)
return key_archive
def _run_thread(self, send_events):
from pritunl.server.utils import get_by_id
logger.info(
'Starting vpn server',
'server',
server_id=self.server.id,
instance_id=self.id,
network=self.server.network,
network6=self.server.network6,
host_address=settings.local.host.local_addr,
host_address6=settings.local.host.local_addr6,
host_networks=settings.local.host.local_networks,
cur_timestamp=utils.now(),
)
self.resources_acquire()
try:
cursor_id = self.get_cursor_id()
os.makedirs(self._temp_path)
self.enable_ip_forwarding()
self.bridge_start()
if self.server.replicating and self.server.vxlan:
try:
self.vxlan = vxlan.get_vxlan(self.server.id)
self.vxlan.start()
except:
logger.exception(
'Failed to setup server vxlan',
'vxlan',
server_id=self.server.id,
instance_id=self.id,
)
self.generate_ovpn_conf()
self.generate_iptables_rules()
self.iptables.upsert_rules()
self.init_route_advertisements()
self.process = self.openvpn_start()
self.start_threads(cursor_id)
self.instance_com = ServerInstanceCom(self.server, self)
self.instance_com.start()
self.publish('started')
if send_events:
event.Event(type=SERVERS_UPDATED)
event.Event(type=SERVER_HOSTS_UPDATED,
resource_id=self.server.id)
for org_id in self.server.organizations:
event.Event(type=USERS_UPDATED, resource_id=org_id)
for link_doc in self.server.links:
if self.server.id > link_doc['server_id']:
instance_link = ServerInstanceLink(
server=self.server,
linked_server=get_by_id(link_doc['server_id']),
)
self.server_links.append(instance_link)
instance_link.start()
plugins.caller(
'server_start',
host_id=settings.local.host_id,
host_name=settings.local.host.name,
server_id=self.server.id,
server_name=self.server.name,
port=self.server.port,
protocol=self.server.protocol,
ipv6=self.server.ipv6,
ipv6_firewall=self.server.ipv6_firewall,
network=self.server.network,
network6=self.server.network6,
network_mode=self.server.network_mode,
network_start=self.server.network_start,
network_stop=self.server.network_end,
restrict_routes=self.server.restrict_routes,
bind_address=self.server.bind_address,
onc_hostname=self.server.onc_hostname,
dh_param_bits=self.server.dh_param_bits,
multi_device=self.server.multi_device,
dns_servers=self.server.dns_servers,
search_domain=self.server.search_domain,
otp_auth=self.server.otp_auth,
cipher=self.server.cipher,
hash=self.server.hash,
inter_client=self.server.inter_client,
ping_interval=self.server.ping_interval,
ping_timeout=self.server.ping_timeout,
link_ping_interval=self.server.link_ping_interval,
link_ping_timeout=self.server.link_ping_timeout,
allowed_devices=self.server.allowed_devices,
max_clients=self.server.max_clients,
replica_count=self.server.replica_count,
dns_mapping=self.server.dns_mapping,
debug=self.server.debug,
interface=self.interface,
bridge_interface=self.bridge_interface,
vxlan=self.vxlan,
)
try:
self.openvpn_watch()
finally:
plugins.caller(
'server_stop',
host_id=settings.local.host_id,
host_name=settings.local.host.name,
server_id=self.server.id,
server_name=self.server.name,
port=self.server.port,
protocol=self.server.protocol,
ipv6=self.server.ipv6,
ipv6_firewall=self.server.ipv6_firewall,
network=self.server.network,
network6=self.server.network6,
network_mode=self.server.network_mode,
network_start=self.server.network_start,
network_stop=self.server.network_end,
restrict_routes=self.server.restrict_routes,
bind_address=self.server.bind_address,
onc_hostname=self.server.onc_hostname,
dh_param_bits=self.server.dh_param_bits,
multi_device=self.server.multi_device,
dns_servers=self.server.dns_servers,
search_domain=self.server.search_domain,
otp_auth=self.server.otp_auth,
cipher=self.server.cipher,
hash=self.server.hash,
inter_client=self.server.inter_client,
ping_interval=self.server.ping_interval,
ping_timeout=self.server.ping_timeout,
link_ping_interval=self.server.link_ping_interval,
link_ping_timeout=self.server.link_ping_timeout,
allowed_devices=self.server.allowed_devices,
max_clients=self.server.max_clients,
replica_count=self.server.replica_count,
dns_mapping=self.server.dns_mapping,
debug=self.server.debug,
interface=self.interface,
bridge_interface=self.bridge_interface,
vxlan=self.vxlan,
)
self.interrupt = True
self.bridge_stop()
self.iptables.clear_rules()
if not self.clean_exit:
event.Event(type=SERVERS_UPDATED)
self.server.send_link_events()
logger.LogEntry(message='Server stopped unexpectedly "%s".' %
(self.server.name))
except:
try:
self.interrupt = True
self.stop_process()
except:
logger.exception(
'Server stop error',
'server',
server_id=self.server.id,
instance_id=self.id,
)
logger.exception(
'Server error occurred while running',
'server',
server_id=self.server.id,
instance_id=self.id,
)
finally:
try:
if self.resource_lock:
self.bridge_stop()
self.iptables.clear_rules()
except:
logger.exception(
'Server resource error',
'server',
server_id=self.server.id,
instance_id=self.id,
)
try:
self.stop_threads()
self.collection.update(
{
'_id': self.server.id,
'instances.instance_id': self.id,
}, {
'$pull': {
'instances': {
'instance_id': self.id,
},
},
'$inc': {
'instances_count': -1,
},
})
utils.rmtree(self._temp_path)
except:
logger.exception(
'Server clean up error',
'server',
server_id=self.server.id,
instance_id=self.id,
)
try:
self.resources_release()
except:
logger.exception(
'Failed to release resources',
'server',
server_id=self.server.id,
instance_id=self.id,
)
def initialize(self):
temp_path = utils.get_temp_path()
index_path = os.path.join(temp_path, INDEX_NAME)
index_attr_path = os.path.join(temp_path, INDEX_ATTR_NAME)
serial_path = os.path.join(temp_path, SERIAL_NAME)
ssl_conf_path = os.path.join(temp_path, OPENSSL_NAME)
reqs_path = os.path.join(temp_path, "%s.csr" % self.id)
key_path = os.path.join(temp_path, "%s.key" % self.id)
cert_path = os.path.join(temp_path, "%s.crt" % self.id)
ca_name = self.id if self.type == CERT_CA else "ca"
ca_cert_path = os.path.join(temp_path, "%s.crt" % ca_name)
ca_key_path = os.path.join(temp_path, "%s.key" % ca_name)
self.org.queue_com.wait_status()
try:
os.makedirs(temp_path)
with open(index_path, "a"):
os.utime(index_path, None)
with open(index_attr_path, "a"):
os.utime(index_attr_path, None)
with open(serial_path, "w") as serial_file:
serial_hex = ("%x" % utils.fnv64a(str(self.id))).upper()
if len(serial_hex) % 2:
serial_hex = "0" + serial_hex
serial_file.write("%s\n" % serial_hex)
with open(ssl_conf_path, "w") as conf_file:
conf_file.write(
CERT_CONF
% (
settings.user.cert_key_bits,
settings.user.cert_message_digest,
self.org.id,
self.id,
index_path,
serial_path,
temp_path,
ca_cert_path,
ca_key_path,
settings.user.cert_message_digest,
)
)
self.org.queue_com.wait_status()
if self.type != CERT_CA:
self.org.write_file("ca_certificate", ca_cert_path, chmod=0600)
self.org.write_file("ca_private_key", ca_key_path, chmod=0600)
self.generate_otp_secret()
try:
args = [
"openssl",
"req",
"-new",
"-batch",
"-config",
ssl_conf_path,
"-out",
reqs_path,
"-keyout",
key_path,
"-reqexts",
"%s_req_ext" % self.type.replace("_pool", ""),
]
self.org.queue_com.popen(args)
except (OSError, ValueError):
logger.exception("Failed to create user cert requests", "user", org_id=self.org.id, user_id=self.id)
raise
self.read_file("private_key", key_path)
try:
args = ["openssl", "ca", "-batch"]
if self.type == CERT_CA:
args += ["-selfsign"]
args += [
"-config",
ssl_conf_path,
"-in",
reqs_path,
"-out",
cert_path,
"-extensions",
"%s_ext" % self.type.replace("_pool", ""),
]
self.org.queue_com.popen(args)
except (OSError, ValueError):
logger.exception("Failed to create user cert", "user", org_id=self.org.id, user_id=self.id)
raise
self.read_file("certificate", cert_path)
finally:
try:
utils.rmtree(temp_path)
except subprocess.CalledProcessError:
pass
self.org.queue_com.wait_status()
# If assign ip addr fails it will be corrected in ip sync task
try:
self.assign_ip_addr()
except:
logger.exception("Failed to assign users ip address", "user", org_id=self.org.id, user_id=self.id)
