Clean up old code and attempt to generate server credentials per tenant
diff --git a/containers/xos/Dockerfile.devel b/containers/xos/Dockerfile.devel
index 049494d..2bc6094 100644
--- a/containers/xos/Dockerfile.devel
+++ b/containers/xos/Dockerfile.devel
@@ -95,6 +95,7 @@
# for OpenVPN
RUN mkdir -p /opt/openvpn
+RUN chmod 777 /opt/openvpn
RUN git clone https://github.com/OpenVPN/easy-rsa.git /opt/openvpn
RUN git -C /opt/openvpn pull origin master
RUN echo "set_var EASYRSA /opt/openvpn/easyrsa3" | tee /opt/openvpn/easyrsa3/vars
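Review bot: `RUN chmod 777 /opt/openvpn` makes the directory that will hold the easy-rsa checkout and its `pki/` tree (the CA certificate is read from `/opt/openvpn/easyrsa3/pki/ca.crt` by admin.py, and the server keys are issued under it) world-writable, so any local user in the container can swap the `easyrsa` script or the CA material. If the synchronizer runs as a non-root user, give that user ownership instead, e.g. `RUN chown <sync-user> /opt/openvpn && chmod 750 /opt/openvpn`; if it runs as root, the line can simply be dropped. Separately, the clone plus `pull origin master` on the following lines fetches whatever easy-rsa master is at build time; pinning a tag or commit (`git -C /opt/openvpn checkout <tag>`) would make the image reproducible and reviewable.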
diff --git a/xos/services/vpn/admin.py b/xos/services/vpn/admin.py
index 63ad0e4..caa9540 100644
--- a/xos/services/vpn/admin.py
+++ b/xos/services/vpn/admin.py
@@ -6,6 +6,7 @@
from django import forms
from django.contrib import admin
from services.vpn.models import VPN_KIND, VPNService, VPNTenant
+from subprocess import Popen, PIPE
class VPNServiceAdmin(ReadOnlyAwareAdmin):
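Review bot: `from subprocess import Popen, PIPE` is added to admin.py, but nothing in this file's hunks uses it; the only visible `Popen` call in the commit is in `sync_vpntenant.py`, and that file's import section is not shown in this diff. Unless the name is used elsewhere in admin.py, drop the import here, and confirm that `sync_vpntenant.py` itself imports `Popen` and `PIPE`, otherwise `run_playbook` will fail with a `NameError` at the first sync.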
@@ -102,9 +103,6 @@
if (not self.instance.ca_crt):
self.instance.ca_crt = self.generate_ca_crt()
- if ((not self.instance.server_crt) or (not self.instance.server_key)):
- self.generate_server_credentials()
-
return super(VPNTenantForm, self).save(commit=commit)
def generate_ca_crt(self):
@@ -112,16 +110,6 @@
with open("/opt/openvpn/easyrsa3/pki/ca.crt") as crt:
return crt.readlines()
- def generate_server_credentials(self):
- with open("/opt/openvpn/easyrsa3/pki/issued/server.crt") as crt:
- self.instance.server_crt = crt.readlines()
-
- with open("/opt/openvpn/easyrsa3/pki/private/server.key") as key:
- self.instance.server_key = key.readlines()
-
- with open("/opt/openvpn/easyrsa3/pki/dh.pem") as dh:
- self.instance.dh = dh.readlines()
-
class Meta:
model = VPNTenant
diff --git a/xos/services/vpn/models.py b/xos/services/vpn/models.py
index ad85b88..65e04e7 100644
--- a/xos/services/vpn/models.py
+++ b/xos/services/vpn/models.py
@@ -26,16 +26,12 @@
sync_attributes = ("nat_ip", "nat_mac",)
- default_attributes = {'server_key': None,
- 'vpn_subnet': None,
+ default_attributes = {'vpn_subnet': None,
'server_network': None,
'clients_can_see_each_other': True,
'is_persistent': True,
'script': None,
- 'ca_crt': None,
- 'server_crt': None,
- 'server_key': None,
- 'dh': None}
+ 'ca_crt': None}
def __init__(self, *args, **kwargs):
vpn_services = VPNService.get_service_objects().all()
@@ -53,17 +49,6 @@
super(VPNTenant, self).delete(*args, **kwargs)
@property
- def server_key(self):
- """str: The server_key used to connect to the VPN server."""
- return self.get_attribute(
- "server_key",
- self.default_attributes['server_key'])
-
- @server_key.setter
- def server_key(self, value):
- self.set_attribute("server_key", value)
-
- @property
def addresses(self):
"""Mapping[str, str]: The ip, mac address, and subnet of the NAT network of this Tenant."""
if (not self.id) or (not self.instance):
@@ -74,7 +59,6 @@
if "nat" in ns.network.name.lower():
addresses["ip"] = ns.ip
addresses["mac"] = ns.mac
- addresses["subnet"] = ns.network.subnet
break
return addresses
@@ -92,11 +76,6 @@
return self.addresses.get("mac", None)
@property
- def subnet(self):
- """str: The subnet of this Tenant on the NAT network."""
- return self.addresses.get("subnet", None)
-
- @property
def server_network(self):
"""str: The IP address of the server on the VPN."""
return self.get_attribute(
@@ -158,33 +137,6 @@
def ca_crt(self, value):
self.set_attribute("ca_crt", value)
- @property
- def server_crt(self):
- """str: the string for the server certificate"""
- return self.get_attribute("server_crt", self.default_attributes['server_crt'])
-
- @server_crt.setter
- def server_crt(self, value):
- self.set_attribute("server_crt", value)
-
- @property
- def server_key(self):
- """str: the string for the server certificate"""
- return self.get_attribute("server_key", self.default_attributes['server_key'])
-
- @server_key.setter
- def server_key(self, value):
- self.set_attribute("server_key", value)
-
- @property
- def dh(self):
- """str: the string for the server certificate"""
- return self.get_attribute("dh", self.default_attributes['dh'])
-
- @dh.setter
- def dh(self, value):
- self.set_attribute("dh", value)
-
def model_policy_vpn_tenant(pk):
"""Manages the contain for the VPN Tenant."""
diff --git a/xos/services/vpn/vars b/xos/services/vpn/vars
deleted file mode 100644
index baec6e5..0000000
--- a/xos/services/vpn/vars
+++ /dev/null
@@ -1,29 +0,0 @@
-export EASY_RSA="/opt/openvpn"
-
-export OPENSSL="openssl"
-export PKCS11TOOL="pkcs11-tool"
-export GREP="grep"
-
-export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
-
-export KEY_DIR="$EASY_RSA/keys"
-
-# PKCS11 fixes
-export PKCS11_MODULE_PATH="dummy"
-export PKCS11_PIN="dummy"
-
-export KEY_SIZE=2048
-
-export CA_EXPIRE=3650
-
-export KEY_EXPIRE=3650
-
-export KEY_COUNTRY="US"
-export KEY_PROVINCE="AZ"
-export KEY_CITY="Tucson"
-export KEY_ORG="XOS"
-export KEY_EMAIL="devel@xosproject.org"
-export KEY_OU="Development"
-
-# X509 Subject Field
-export KEY_NAME="server"
diff --git a/xos/synchronizers/vpn/steps/sync_vpntenant.py b/xos/synchronizers/vpn/steps/sync_vpntenant.py
index a62c07c..7e44f95 100644
--- a/xos/synchronizers/vpn/steps/sync_vpntenant.py
+++ b/xos/synchronizers/vpn/steps/sync_vpntenant.py
@@ -32,22 +32,20 @@
return objs
def get_extra_attributes(self, tenant):
- return {"server_key": tenant.server_key,
- "is_persistent": tenant.is_persistent,
+ return {"is_persistent": tenant.is_persistent,
"vpn_subnet": tenant.vpn_subnet,
"server_network": tenant.server_network,
"clients_can_see_each_other": tenant.clients_can_see_each_other,
- "ca_crt": tenant.ca_crt,
- "server_crt": self.get_escaped_ca_crt(tenant),
- "dh": tenant.dh
+ "instnace_id": tenant.instance.instnace_id
}
- def get_escaped_ca_crt(self, tenant):
- result = list()
- for line in tenant.server_crt:
- result.append("\"" + line + "\"")
-
- return result
+ def run_playbook(self, o, fields):
+ self.create_client_script(o)
+ # Generate the server files
+ (stdout, stderr) = Popen("/opt/openvpn/easyrsa3/easyrsa --batch build-server-full server" + o.instance.instance_id + " nopass",shell=True, stdout=PIPE).communicate()
+ print(str(stdout))
+ print(str(stderr))
+ super(SyncVPNTenant, self).run_playbook(o, fields)
def create_client_script(self, tenant):
script = open("/opt/xos/core/static/vpn/" + str(tenant.script), 'w')
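Review bot: The `Popen` call in `run_playbook` builds a shell command by string concatenation with `o.instance.instance_id` and runs it with `shell=True`, so any metacharacter in that value is executed by the shell; pass an argv list instead and let easy-rsa receive the name as a single argument. The same call never captures stderr (no `stderr=PIPE`), so the printed `stderr` is always `None`, and the return code is never checked, so a failed `build-server-full` (for example on a re-sync when the name already exists in the PKI) still proceeds to the playbook, which will then try to copy a key that does not exist. Also, `get_extra_attributes` emits the key `"instnace_id"` and reads `tenant.instance.instnace_id`, while `run_playbook` and the YAML template use `instance_id`; it should read `"instance_id": tenant.instance.instance_id`. Both functions are fully contained in this hunk.
```python
def run_playbook(self, o, fields):
    self.create_client_script(o)
    # Generate the server files; argv list so instance_id is never parsed by a shell
    proc = Popen(["/opt/openvpn/easyrsa3/easyrsa", "--batch", "build-server-full",
                  "server" + str(o.instance.instance_id), "nopass"],
                 stdout=PIPE, stderr=PIPE)
    (stdout, stderr) = proc.communicate()
    if proc.returncode != 0:
        raise Exception("easyrsa build-server-full failed for %s: %s"
                        % (o.instance.instance_id, stderr))
    super(SyncVPNTenant, self).run_playbook(o, fields)
```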
@@ -71,10 +69,6 @@
# close the script
script.close()
- def run_playbook(self, o, fields):
- self.create_client_script(o)
- super(SyncVPNTenant, self).run_playbook(o, fields)
-
def generate_login(self):
return str(time.time()) + "\npassword\n"
diff --git a/xos/synchronizers/vpn/steps/sync_vpntenant.yaml b/xos/synchronizers/vpn/steps/sync_vpntenant.yaml
index 54bdcf1..d7c7b8d 100644
--- a/xos/synchronizers/vpn/steps/sync_vpntenant.yaml
+++ b/xos/synchronizers/vpn/steps/sync_vpntenant.yaml
@@ -9,6 +9,7 @@
is_persistent: {{ is_persistent }}
vpn_subnet: {{ vpn_subnet }}
clients_can_see_each_other: {{ clients_can_see_each_other }}
+ instance_id: {{ instance_id }}
tasks:
- name: install openvpn
@@ -21,10 +22,10 @@
file: path=/opt/openvpn state=directory
- name: get server key
- copy: src=/opt/openvpn/easyrsa3/pki/private/server.key dest=/opt/openvpn/server.key
+ copy: src=/opt/openvpn/easyrsa3/pki/private/server{{ instance_id }}.key dest=/opt/openvpn/server.key
- name: get server crt
- copy: src=/opt/openvpn/easyrsa3/pki/issued/server.crt dest=/opt/openvpn/server.crt
+ copy: src=/opt/openvpn/easyrsa3/pki/issued/server{{ instance_id }}.crt dest=/opt/openvpn/server.crt
- name: get ca crt
copy: src=/opt/openvpn/easyrsa3/pki/ca.crt dest=/opt/openvpn/ca.crt
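Review bot: The "get server key" task copies an unencrypted private key (generated with `nopass`) to `/opt/openvpn/server.key` on the instance without a `mode=` argument, so it lands with Ansible's default file permissions; add `mode=0600` (and `owner=root`) to that task so only the OpenVPN process owner can read it, e.g. `copy: src=/opt/openvpn/easyrsa3/pki/private/server{{ instance_id }}.key dest=/opt/openvpn/server.key mode=0600`. Note also that the synchronizer in this commit passes the variable under the misspelled key `instnace_id`; if the template engine renders an undefined `{{ instance_id }}` as empty, the source path silently degrades to `server.key` / `server.crt`, which may or may not exist, so the variable name needs to match on both sides.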
@@ -73,5 +74,9 @@
persist-key" >> server.conf
when: {{ is_persistent }}
+ - name: write client-to-client config
+ shell: printf "client-to-client" >> server.conf
+ when: {{ clients_can_see_each_other }}
+
- name: start openvpn
shell: openvpn server.conf &
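Review bot: The new "write client-to-client config" task appends `client-to-client` with `printf` and no surrounding newlines; the preceding task ends its write with `persist-key" >> server.conf`, and from this hunk it is not visible whether that string ends with a newline, so the two directives may end up on one line (`persist-keyclient-to-client`), which OpenVPN would reject. Writing `shell: printf "\nclient-to-client\n" >> server.conf` keeps the directive on its own line regardless of what precedes it.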