Hopefully make the VPN work with certificates, automatically pick ports, and have user privleges
diff --git a/xos/core/xoslib/methods/vpnview.py b/xos/core/xoslib/methods/vpnview.py
index 21d97e1..ccd2141 100644
--- a/xos/core/xoslib/methods/vpnview.py
+++ b/xos/core/xoslib/methods/vpnview.py
@@ -1,9 +1,5 @@
-from django.core.exceptions import PermissionDenied
from plus import PlusSerializerMixin
from rest_framework import serializers
-from rest_framework.response import Response
-from rest_framework.status import HTTP_200_OK
-from rest_framework.views import APIView
from services.vpn.models import VPNService, VPNTenant
from xos.apibase import XOSListCreateAPIView
@@ -14,12 +10,14 @@
# rest_framework 2.x
ReadOnlyField = serializers.Field
+
def get_default_vpn_service():
vpn_services = VPNService.get_service_objects().all()
if vpn_services:
return vpn_services[0].id
return None
+
class VPNTenantSerializer(serializers.ModelSerializer, PlusSerializerMixin):
id = ReadOnlyField()
service_specific_attribute = ReadOnlyField()
@@ -56,6 +54,7 @@
return None
return instance.node.name
+
class VPNTenantList(XOSListCreateAPIView):
serializer_class = VPNTenantSerializer
method_kind = "list"
@@ -63,7 +62,7 @@
def get_queryset(self):
queryset = VPNTenant.get_tenant_objects().all()
- queryset = [ tenant for tenant in queryset if self.request.user.can_update_tenant(tenant, ['access','Access'])]
+ queryset = [ tenant for tenant in queryset if self.request.user.can_update_tenant(tenant, ['access', 'Access'])]
for tenant in queryset:
- tenant.script_text = tenant.create_client_script()
+ tenant.script_text = tenant.create_client_script(self.request.user.email + "-" + tenant.id)
return queryset
diff --git a/xos/services/vpn/admin.py b/xos/services/vpn/admin.py
index 8adb28f..10a1e9a 100644
--- a/xos/services/vpn/admin.py
+++ b/xos/services/vpn/admin.py
@@ -6,10 +6,60 @@
from django.core import serializers
from services.vpn.models import VPN_KIND, VPNService, VPNTenant
from subprocess import Popen, PIPE
+from xos.exceptions import XOSValidationError
+
+
+class VPNServiceForm(forms.ModelForm):
+
+ def save(self, commit=True):
+ if self.instance.slices.all().count() == 0:
+ raise XOSValidationError("Service must have a slice.")
+ if not self.instance.slices.all()[0].exposed_ports:
+ raise XOSValidationError("Slice assoicated with service must have at least one exposed port.")
+ self.instance.exposed_ports = self.parse_ports(self.instance.slices.all()[0].exposed_ports)
+ return super(VPNServiceForm, self).save(commit=commit)
+
+ def parse_ports(self, exposed_ports):
+ port_mapping = {"udp": [], "tcp": []}
+ parts = exposed_ports.split(",")
+ for part in parts:
+ part = part.strip()
+ if "/" in part:
+ (protocol, ports) = part.split("/", 1)
+ elif " " in part:
+ (protocol, ports) = part.split(None, 1)
+ else:
+ raise XOSValidationError('malformed port specifier %s, format example: "tcp 123, tcp 201:206, udp 333"' % part)
+
+ protocol = protocol.strip()
+ ports = ports.strip()
+
+ if not (protocol in ["udp", "tcp"]):
+ raise XOSValidationError('unknown protocol %s' % protocol)
+
+ if "-" in ports:
+ port_mapping[protocol].extend(self.parse_port_range(ports, "-"))
+ elif ":" in ports:
+ port_mapping[protocol].extend(self.parse_port_range(ports, ":"))
+ else:
+ port_mapping[protocol].append(int(ports))
+
+ return port_mapping
+
+ def parse_port_range(self, port_str, split_str):
+ (first, last) = port_str.split(split_str)
+ first = int(first.strip())
+ last = int(last.strip())
+ return list(range(first, last))
+
+ class Meta:
+ model = VPNService
+
class VPNServiceAdmin(ReadOnlyAwareAdmin):
"""Defines the admin for the VPNService."""
model = VPNService
+ form = VPNServiceForm
verbose_name = "VPN Service"
list_display = ("backend_status_icon", "name", "enabled")
@@ -49,8 +99,6 @@
server_address (forms.GenericIPAddressField): The ip address on the VPN of this Tenant.
client_address (forms.GenericIPAddressField): The ip address on the VPN of the client.
is_persistent (forms.BooleanField): Determines if this Tenant keeps this connection alive through failures.
- can_view_subnet (forms.BooleanField): Determines if this Tenant makes it's subnet available to the client.
- port_number (forms.IntegerField): The port to use for this Tenant.
"""
creator = forms.ModelChoiceField(queryset=User.objects.all())
server_network = forms.GenericIPAddressField(
@@ -59,6 +107,7 @@
is_persistent = forms.BooleanField(required=False)
clients_can_see_each_other = forms.BooleanField(required=False)
failover_servers = forms.ModelMultipleChoiceField(queryset=VPNTenant.get_tenant_objects(), required=False)
+ protocol = forms.ChoiceField(required=True, choices=[("udp", "udp"), ("tcp", "tcp")])
def __init__(self, *args, **kwargs):
super(VPNTenantForm, self).__init__(*args, **kwargs)
@@ -77,8 +126,9 @@
self.fields[
'clients_can_see_each_other'].initial = self.instance.clients_can_see_each_other
self.fields['is_persistent'].initial = self.instance.is_persistent
+ self.fields['protocol'].initial = self.instance.protocol
if (self.instance.failover_servers):
- self.fields['failover_servers'].initial = [model.pk for model in list(serializers.deserialize('json', self.instance.failover_servers))]
+ self.initial['failover_servers'] = [model.pk for model in list(serializers.deserialize('json', self.instance.failover_servers))]
if (not self.instance) or (not self.instance.pk):
self.fields['creator'].initial = get_request().user
@@ -99,13 +149,8 @@
'clients_can_see_each_other')
self.instance.failover_servers = serializers.serialize("json", self.cleaned_data.get('failover_servers'))
- sorted_tenants = sorted(VPNTenant.get_tenant_objects().all(), key=lambda tenant: tenant.port_number)
- prev = 1000
- for tenant in sorted_tenants:
- if (tenant.port_number != prev):
- break
- prev += 1
- self.instance.port_number = prev
+ self.instance.port_number = self.instance.provider_service.get_next_available_port(self.instance.protocol)
+ self.instance.protocol = self.cleaned_data.get("protocol")
if (not self.instance.ca_crt):
self.instance.ca_crt = self.generate_ca_crt()
@@ -130,15 +175,13 @@
fieldsets = [(None, {'fields': ['backend_status_text', 'kind',
'provider_service', 'instance', 'creator',
'server_network', 'vpn_subnet', 'is_persistent',
- 'clients_can_see_each_other', 'failover_servers'],
+ 'clients_can_see_each_other', 'failover_servers', "protocol"],
'classes': ['suit-tab suit-tab-general']})]
readonly_fields = ('backend_status_text', 'instance')
form = VPNTenantForm
inlines = [TenantPrivilegeInline]
- suit_form_tabs = (('general', 'Details'),
- ('tenantprivileges','Privileges')
- )
+ suit_form_tabs = (('general', 'Details'), ('tenantprivileges', 'Privileges'))
def queryset(self, request):
return VPNTenant.get_tenant_objects_by_user(request.user)
diff --git a/xos/services/vpn/models.py b/xos/services/vpn/models.py
index 1c7af1b..6b7872c 100644
--- a/xos/services/vpn/models.py
+++ b/xos/services/vpn/models.py
@@ -1,5 +1,6 @@
from core.models import Service, TenantWithContainer
from django.db import transaction
+from xos.exceptions import XOSConfigurationError, XOSValidationError
VPN_KIND = "vpn"
@@ -14,6 +15,28 @@
app_label = "vpn"
verbose_name = "VPN Service"
+ default_attributes = {'exposed_ports': None}
+
+ @property
+ def exposed_ports(self):
+ return self.get_attribute("exposed_ports",
+ self.default_attributes["exposed_ports"])
+
+ @exposed_ports.setter
+ def exposed_ports(self, value):
+ self.set_attribute("exposed_ports", value)
+
+ def get_next_available_port(self, protocol):
+ if protocol != "udp" and protocol != "tcp":
+ raise XOSConfigurationError("Port protocol must be udp or tcp")
+ if not self.ports[protocol]:
+ raise XOSValidationError("No availble ports for protocol: " + protocol)
+ tenants = [tenant for tenant in VPNTenant.get_tenant_objects.all() if tenant.protocol == protocol]
+ port_numbers = self.exposed_ports[protocol]
+ for port_number in port_numbers:
+ if [tenant for tenant in tenants if tenant.port_number == port_number].count() == 0:
+ return port_number
+
class VPNTenant(TenantWithContainer):
"""Defines the Tenant for creating VPN servers."""
@@ -33,7 +56,8 @@
'ca_crt': None,
'port': None,
'script_text': None,
- 'failover_servers': []}
+ 'failover_servers': [],
+ 'protocol': None}
def __init__(self, *args, **kwargs):
vpn_services = VPNService.get_service_objects().all()
@@ -51,6 +75,14 @@
super(VPNTenant, self).delete(*args, **kwargs)
@property
+ def protocol(self):
+ return self.get_attribute("protocol", self.default_attributes["protocol"])
+
+ @protocol.setter
+ def protocol(self, value):
+ self.set_attribute("protocol", value)
+
+ @property
def addresses(self):
"""Mapping[str, str]: The ip, mac address, and subnet of the NAT network of this Tenant."""
if (not self.id) or (not self.instance):
@@ -155,50 +187,50 @@
def script_text(self, value):
self.set_attribute("script_text", value)
- def create_client_script(self, client_certificate):
+ def create_client_script(self, client_name):
script = ""
# write the configuration portion
script += ("printf \"%b\" \"")
- script += self.generate_client_conf(client_certificate)
+ script += self.generate_client_conf(client_name)
script += ("\" > client.conf\n")
script += ("printf \"%b\" \"")
for line in self.ca_crt:
script += (line.rstrip() + r"\n")
script += ("\" > ca.crt\n")
script += ("printf \"%b\" \"")
- for line in self.generate_client_cert(client_certificate):
+ for line in self.generate_client_cert(client_name):
script += (line.rstrip() + r"\n")
- script += ("\" > " + client_certificate + ".crt\n")
- for line in self.generate_client_key(client_certificate):
+ script += ("\" > " + client_name + ".crt\n")
+ for line in self.generate_client_key(client_name):
script += (line.rstrip() + r"\n")
- script += ("\" > " + client_certificate + ".key\n")
+ script += ("\" > " + client_name + ".key\n")
# make sure openvpn is installed
script += ("apt-get update\n")
script += ("apt-get install openvpn\n")
script += ("openvpn client.conf &\n")
# close the script
- return script;
+ return script
- def generate_client_cert(self, client_certificate):
- return open("/opt/openvpn/easyrsa3/pki/issued/" + client_certificate + ".crt").readlines()
+ def generate_client_cert(self, client_name):
+ return open("/opt/openvpn/easyrsa3/pki/issued/" + client_name + ".crt").readlines()
- def generate_client_key(self, client_certificate):
- return open("/opt/openvpn/easyrsa3/pki/private/" + client_certificate + ".key").readlines()
+ def generate_client_key(self, client_name):
+ return open("/opt/openvpn/easyrsa3/pki/private/" + client_name + ".key").readlines()
- def generate_client_conf(self, client_certificate):
+ def generate_client_conf(self, client_name):
"""str: Generates the client configuration to use to connect to this VPN server.
"""
conf = ("client\n" +
- "dev tun\n" +
- "proto udp\n" +
- "remote " + str(self.nat_ip) + " " + str(self.port_number) + "\n" +
- "resolv-retry infinite\n" +
- "nobind\n" +
- "ca ca.crt\n" +
- "cert " + client_certificate + ".crt\n" +
- "key " + client_certificate + ".key\n" +
- "comp-lzo\n" +
- "verb 3\n")
+ "dev tun\n" +
+ "proto " + self.protocol + "\n" +
+ "remote " + str(self.nat_ip) + " " + str(self.port_number) + "\n" +
+ "resolv-retry infinite\n" +
+ "nobind\n" +
+ "ca ca.crt\n" +
+ "cert " + client_name + ".crt\n" +
+ "key " + client_name + ".key\n" +
+ "comp-lzo\n" +
+ "verb 3\n")
if self.is_persistent:
conf += "persist-tun\n"
@@ -207,7 +239,6 @@
return conf
-
def model_policy_vpn_tenant(pk):
"""Manages the contain for the VPN Tenant."""
# This section of code is atomic to prevent race conditions
diff --git a/xos/synchronizers/vpn/steps/sync_vpntenant.py b/xos/synchronizers/vpn/steps/sync_vpntenant.py
index 2e1fc1a..d90f40f 100644
--- a/xos/synchronizers/vpn/steps/sync_vpntenant.py
+++ b/xos/synchronizers/vpn/steps/sync_vpntenant.py
@@ -36,12 +36,14 @@
"vpn_subnet": tenant.vpn_subnet,
"server_network": tenant.server_network,
"clients_can_see_each_other": tenant.clients_can_see_each_other,
- "tenant_id": tenant.id
+ "tenant_id": tenant.id,
+ "port_number": tenant.port_number,
+ "protocol": tenant.protocol
}
def run_playbook(self, o, fields):
# Generate the server files
- (stdout, stderr) = Popen("/opt/openvpn/easyrsa3/easyrsa --batch build-server-full server-" + o.id + " nopass",shell=True, stdout=PIPE).communicate()
+ (stdout, stderr) = Popen("/opt/openvpn/easyrsa3/easyrsa --batch build-server-full server-" + o.id + " nopass", shell=True, stdout=PIPE).communicate()
print(str(stdout))
print(str(stderr))
super(SyncVPNTenant, self).run_playbook(o, fields)
diff --git a/xos/synchronizers/vpn/steps/sync_vpntenant.yaml b/xos/synchronizers/vpn/steps/sync_vpntenant.yaml
index a886523..2ab32c3 100644
--- a/xos/synchronizers/vpn/steps/sync_vpntenant.yaml
+++ b/xos/synchronizers/vpn/steps/sync_vpntenant.yaml
@@ -10,6 +10,8 @@
vpn_subnet: {{ vpn_subnet }}
clients_can_see_each_other: {{ clients_can_see_each_other }}
tenant_id: {{ tenant_id }}
+ port_number: {{ port_number }}
+ protocol: {{ protocol }}
tasks:
- name: install openvpn
@@ -52,8 +54,8 @@
shell:
|
printf "script-security 3 system
- port 1194
- proto udp
+ port {{ port_number }}
+ proto {{ protocol }}
dev tun
ca /opt/openvpn/ca.crt
cert /opt/openvpn/server-{{ tenant_id }}/server.crt
@@ -64,9 +66,6 @@
comp-lzo
status /opt/openvpn/server-{{ tenant_id }}/openvpn-status.log
verb 3
- auth-user-pass-verify /opt/openvpn/server-{{ tenant_id }}/auth.sh via-file
- client-cert-not-required
- username-as-common-name
" > /opt/openvpn/server-{{ tenant_id }}/server.conf
- name: write persistent config