Maybe correctly use templates for VPNTenant server and client configurations
diff --git a/xos/core/xoslib/methods/vpnview.py b/xos/core/xoslib/methods/vpnview.py
index 8cb745c..be8d7fc 100644
--- a/xos/core/xoslib/methods/vpnview.py
+++ b/xos/core/xoslib/methods/vpnview.py
@@ -1,3 +1,4 @@
+import jinja2
from core.models import TenantPrivilege
from plus import PlusSerializerMixin
from rest_framework import serializers
@@ -48,8 +49,20 @@
Returns:
str: The client script as a str.
"""
- return obj.create_client_script(
- self.context['request'].user.email + "-" + str(obj.id))
+ env = jinja2.Environment(loader=jinja2.FileSystemLoader("/opt/xos/services/vpn/templates"))
+ template = env.get_template("connect.vpn.j2")
+ client_name = self.context['request'].user.email + "-" + str(obj.id)
+ remotes = VPNTenant.get_tenant_objects().filter(pk__in=obj.failover_server_ids)
+ remotes.insert(0, obj)
+ pki_dir = VPNService.get_pki_dir(obj)
+ fields = {"client_name": client_name,
+ "remotes": remotes,
+ "is_persistent": obj.is_persistent,
+ "ca_crt": obj.get_ca_crt(pki_dir),
+ "client_crt": obj.get_client_cert(client_name, pki_dir),
+ "client_key": obj.get_client_key(client_name, pki_dir)
+ }
+ return template.render(fields)
class VPNTenantList(XOSListCreateAPIView):
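Review bot: `remotes.insert(0, obj)` on the line after the filter will raise at runtime, because `filter(pk__in=...)` returns a Django QuerySet, which has no `insert` method; materialise it first, e.g. `remotes = [obj] + list(VPNTenant.get_tenant_objects().filter(pk__in=obj.failover_server_ids))`, replacing the two lines. The `get_client_key` helper in models.py returns `f.readlines()`, so `ca_crt`, `client_crt` and `client_key` are passed to the template as lists of lines still carrying their trailing newlines, whereas the removed `create_client_script` rstripped each line before embedding it — the template (not in this diff) has to account for that, or the values should be joined here. `client_name` is built from the requesting user's email and is both interpolated into the rendered script and, via `get_client_cert`/`get_client_key`, concatenated into filesystem paths under `pki_dir`, so it is worth validating it against a strict character set before use. `VPNTenant` and `VPNService` are not imported in the visible header hunk; presumably they are imported elsewhere in the file, but confirm. The enclosing method's signature lies above this hunk.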
diff --git a/xos/services/vpn/models.py b/xos/services/vpn/models.py
index 8479e44..6123288 100644
--- a/xos/services/vpn/models.py
+++ b/xos/services/vpn/models.py
@@ -259,40 +259,6 @@
def port_number(self, value):
self.set_attribute("port", value)
- def create_client_script(self, client_name):
- """Create a script that a client can use to access this VPNTenant.
-
- Parameters:
- client_name (str): The name of the client to use when creating the cerificate.
-
- Returns:
- str: A str representing the client script.
- """
- pki_dir = VPNService.get_pki_dir(self)
- script = ""
- # write the configuration portion
- script += ("printf \"%b\" \"")
- script += self.generate_client_conf(client_name)
- script += ("\" > client.conf\n")
- script += ("printf \"%b\" \"")
- for line in self.get_ca_crt(pki_dir):
- script += (line.rstrip() + r"\n")
- script += ("\" > ca.crt\n")
- script += ("printf \"%b\" \"")
- for line in self.get_client_cert(client_name, pki_dir):
- script += (line.rstrip() + r"\n")
- script += ("\" > " + client_name + ".crt\n")
- script += ("printf \"%b\" \"")
- for line in self.get_client_key(client_name, pki_dir):
- script += (line.rstrip() + r"\n")
- script += ("\" > " + client_name + ".key\n")
- # make sure openvpn is installed
- script += ("apt-get update\n")
- script += ("apt-get install openvpn -y\n")
- script += ("openvpn client.conf\n")
- # close the script
- return script
-
def get_ca_crt(self, pki_dir):
"""Gets the lines fo the ca.crt file for this VPNTenant.
@@ -331,41 +297,6 @@
with open(pki_dir + "/private/" + client_name + ".key", 'r') as f:
return f.readlines()
- def generate_client_conf(self, client_name):
- """Returns the conf file for the given client.
-
- Parameters:
- client_name (str): The client name to use.
-
- Returns:
- str: Generates the client configuration to use to connect to this VPN server.
- """
- conf = ("client\n" +
- "dev tun\n" +
- "remote-cert-tls server\n" +
- "resolv-retry 60\n" +
- "nobind\n" +
- "ca ca.crt\n" +
- "cert " + client_name + ".crt\n" +
- "key " + client_name + ".key\n" +
- "verb 3\n" +
- self.get_remote_line(
- self.nat_ip, self.port_number, self.protocol))
- for remote in self.failover_server_ids:
- tenant = VPNTenant.get_tenant_objects().filter(pk=remote)[0]
- conf += self.get_remote_line(
- tenant.nat_ip, tenant.port_number, tenant.protocol)
-
- if self.is_persistent:
- conf += "persist-tun\n"
- conf += "persist-key\n"
-
- return conf
-
- def get_remote_line(self, host, port_number, protocol):
- return ("remote " + str(host) + " " + str(port_number) + " " +
- str(protocol) + "\n")
-
def model_policy_vpn_tenant(pk):
"""Manages the container for the VPN Tenant.
diff --git a/xos/synchronizers/vpn/steps/sync_vpntenant.yaml b/xos/synchronizers/vpn/steps/sync_vpntenant.yaml
index 556212c..1b9f338 100644
--- a/xos/synchronizers/vpn/steps/sync_vpntenant.yaml
+++ b/xos/synchronizers/vpn/steps/sync_vpntenant.yaml
@@ -41,40 +41,8 @@
- name: get dh
copy: src={{ pki_dir }}/dh.pem dest={{ pki_dir }}/dh.pem
- - name: erase config
- shell: rm -f {{ pki_dir }}/server.conf
-
- - name: write base config
- shell:
- |
- printf "script-security 3 system
- port {{ port_number }}
- proto {{ protocol }}
- dev tun
- writepid {{ pki_dir }}/pid
- ca {{ pki_dir }}/ca.crt
- cert {{ pki_dir }}/server.crt
- key {{ pki_dir }}/server.key
- dh {{ pki_dir }}/dh.pem
- crl-verify {{ pki_dir }}/crl.pem
- server {{ server_network }} {{ vpn_subnet }}
- ifconfig-pool-persist {{ pki_dir }}/ipp.txt
- status {{ pki_dir }}/openvpn-status.log
- verb 3
- " > {{ pki_dir }}/server.conf
-
- - name: write persistent config
- shell:
- |
- printf "keepalive 10 60
- persist-tun
- persist-key
- " >> {{ pki_dir }}/server.conf
- when: {{ is_persistent }}
-
- - name: write client-to-client config
- shell: printf "client-to-client\n" >> {{ pki_dir }}/server.conf
- when: {{ clients_can_see_each_other }}
+ - name: write config
+ template: src=/opt/xos/synchronizers/vpn/templates/server.conf.j2 dest={{ pki_dir }}/server.conf owner=root group=root
- name: start openvpn
shell: openvpn {{ pki_dir }}/server.conf &
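Review bot: The new `write config` task references `/opt/xos/synchronizers/vpn/templates/server.conf.j2`, and the Python hunk references `connect.vpn.j2`, but neither template file appears in this diff — unless they are added elsewhere, the synchronizer will fail at the template step and the serializer at `get_template`. The task also sets `owner`/`group` without a `mode`, so the resulting permissions of `server.conf` depend on the target umask; consider `template: src=/opt/xos/synchronizers/vpn/templates/server.conf.j2 dest={{ pki_dir }}/server.conf owner=root group=root mode=0644` so the file's permissions are deterministic. Since the `persist-tun`/`persist-key`/`client-to-client` sections were previously gated by `when:` clauses, the template must now reproduce those `is_persistent` and `clients_can_see_each_other` conditions itself.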