851 lines
25 KiB
Text
851 lines
25 KiB
Text
|
comments {
|
||
|
Sample scenario showing VPNClient and VPNServer service configuration.
|
||
|
|
||
|
This topology features an OpenVPN client and server for virtual private
|
||
|
networking. The client can access the private 10.0.6.0/24 network via the VPN
|
||
|
server. First wait until routing converges in the center routers (try using the
|
||
|
Adjacency Widget and wait for blue lines, meaning full adjacencies), then open
|
||
|
a shell on the vpnclient and try pinging the private address of the vpnserver:
|
||
|
|
||
|
vpnclient> ping 10.0.6.1
|
||
|
|
||
|
You can also access the other 10.0.6.* hosts behind the server. Try running
|
||
|
tcpudmp on one of the center routers, e.g. the n2 eth1/10.0.5.2 interface, and
|
||
|
you'll see UDP packets with TLS encrypted data instead of ICMP packets.
|
||
|
|
||
|
Keys are included as extra files in the VPNClient and VPNServer service
|
||
|
configuration.
|
||
|
}
|
||
|
|
||
|
node n1 {
|
||
|
type router
|
||
|
model router
|
||
|
network-config {
|
||
|
hostname n1
|
||
|
!
|
||
|
interface eth2
|
||
|
ip address 10.0.4.2/24
|
||
|
ipv6 address 2001:4::2/64
|
||
|
!
|
||
|
interface eth1
|
||
|
ip address 10.0.2.1/24
|
||
|
ipv6 address 2001:2::1/64
|
||
|
!
|
||
|
interface eth0
|
||
|
ip address 10.0.0.1/24
|
||
|
ipv6 address 2001:0::1/64
|
||
|
!
|
||
|
}
|
||
|
canvas c1
|
||
|
iconcoords {297.0 236.0}
|
||
|
labelcoords {297.0 264.0}
|
||
|
interface-peer {eth0 n6}
|
||
|
interface-peer {eth1 n2}
|
||
|
interface-peer {eth2 n3}
|
||
|
}
|
||
|
|
||
|
node n2 {
|
||
|
type router
|
||
|
model router
|
||
|
network-config {
|
||
|
hostname n2
|
||
|
!
|
||
|
interface eth1
|
||
|
ip address 10.0.5.2/24
|
||
|
ipv6 address 2001:5::2/64
|
||
|
!
|
||
|
interface eth0
|
||
|
ip address 10.0.2.2/24
|
||
|
ipv6 address 2001:2::2/64
|
||
|
!
|
||
|
}
|
||
|
canvas c1
|
||
|
iconcoords {298.0 432.0}
|
||
|
labelcoords {298.0 460.0}
|
||
|
interface-peer {eth0 n1}
|
||
|
interface-peer {eth1 n4}
|
||
|
}
|
||
|
|
||
|
node n3 {
|
||
|
type router
|
||
|
model router
|
||
|
network-config {
|
||
|
hostname n3
|
||
|
!
|
||
|
interface eth1
|
||
|
ip address 10.0.4.1/24
|
||
|
ipv6 address 2001:4::1/64
|
||
|
!
|
||
|
interface eth0
|
||
|
ip address 10.0.3.1/24
|
||
|
ipv6 address 2001:3::1/64
|
||
|
!
|
||
|
}
|
||
|
canvas c1
|
||
|
iconcoords {573.0 233.0}
|
||
|
labelcoords {573.0 261.0}
|
||
|
interface-peer {eth0 n4}
|
||
|
interface-peer {eth1 n1}
|
||
|
}
|
||
|
|
||
|
node n4 {
|
||
|
type router
|
||
|
model router
|
||
|
network-config {
|
||
|
hostname n4
|
||
|
!
|
||
|
interface eth2
|
||
|
ip address 10.0.5.1/24
|
||
|
ipv6 address 2001:5::1/64
|
||
|
!
|
||
|
interface eth1
|
||
|
ip address 10.0.3.2/24
|
||
|
ipv6 address 2001:3::2/64
|
||
|
!
|
||
|
interface eth0
|
||
|
ip address 10.0.1.1/24
|
||
|
ipv6 address 2001:1::1/64
|
||
|
!
|
||
|
}
|
||
|
canvas c1
|
||
|
iconcoords {574.0 429.0}
|
||
|
labelcoords {574.0 457.0}
|
||
|
interface-peer {eth0 n5}
|
||
|
interface-peer {eth1 n3}
|
||
|
interface-peer {eth2 n2}
|
||
|
}
|
||
|
|
||
|
node n5 {
|
||
|
type router
|
||
|
model host
|
||
|
network-config {
|
||
|
hostname vpnserver
|
||
|
!
|
||
|
interface eth1
|
||
|
ipv6 address 2001:6::10/64
|
||
|
ip address 10.0.6.1/24
|
||
|
!
|
||
|
interface eth0
|
||
|
ip address 10.0.1.10/24
|
||
|
ipv6 address 2001:1::10/64
|
||
|
!
|
||
|
}
|
||
|
canvas c1
|
||
|
iconcoords {726.0 511.0}
|
||
|
labelcoords {726.0 543.0}
|
||
|
interface-peer {eth0 n4}
|
||
|
interface-peer {eth1 n7}
|
||
|
custom-config {
|
||
|
custom-config-id service:VPNServer:copycerts.sh
|
||
|
custom-command copycerts.sh
|
||
|
config {
|
||
|
#!/bin/sh
|
||
|
|
||
|
FILES="vpnserver.pem vpnserver.key ca-cert.pem dh1024.pem"
|
||
|
|
||
|
mkdir -p /tmp/certs
|
||
|
|
||
|
for f in $FILES; do
|
||
|
cp $f /tmp/certs
|
||
|
done
|
||
|
}
|
||
|
}
|
||
|
custom-config {
|
||
|
custom-config-id service:VPNServer:dh1024.pem
|
||
|
custom-command dh1024.pem
|
||
|
config {
|
||
|
-----BEGIN DH PARAMETERS-----
|
||
|
MIGHAoGBAIYQUzZ+2aYWFfdRWRL/Tc8bFqK8ve/0ihW1BPhe0z3b5D5+2/r9HAsG
|
||
|
u7oMkyM2oWp5N1DlzKgTizCRPRno5vgTz01kw4h6Y9ux496+huOHJGZXiCZlkZvM
|
||
|
daP8CC8z1naCC9MZLImQTkb1d1sH9BDRZAyfQYiXVYrHdqtNtqQjAgEC
|
||
|
-----END DH PARAMETERS-----
|
||
|
|
||
|
}
|
||
|
}
|
||
|
custom-config {
|
||
|
custom-config-id service:VPNServer:ca-cert.pem
|
||
|
custom-command ca-cert.pem
|
||
|
config {
|
||
|
Certificate:
|
||
|
Data:
|
||
|
Version: 3 (0x2)
|
||
|
Serial Number:
|
||
|
df:69:1f:ef:e5:af:bf:0f
|
||
|
Signature Algorithm: sha1WithRSAEncryption
|
||
|
Issuer: C=US, ST=WA, O=core-dev, CN=CORE CA/emailAddress=root@localhost
|
||
|
Validity
|
||
|
Not Before: Mar 20 16:16:08 2012 GMT
|
||
|
Not After : Mar 20 16:16:08 2015 GMT
|
||
|
Subject: C=US, ST=WA, O=core-dev, CN=CORE CA/emailAddress=root@localhost
|
||
|
Subject Public Key Info:
|
||
|
Public Key Algorithm: rsaEncryption
|
||
|
Public-Key: (1024 bit)
|
||
|
Modulus:
|
||
|
00:c4:d7:fc:c3:bc:a0:ee:76:7b:58:5c:96:6d:1f:
|
||
|
74:26:c2:93:c1:a4:94:95:13:5e:4f:8b:3f:00:27:
|
||
|
e5:1b:b1:3b:70:3e:72:71:4d:c9:67:54:33:29:49:
|
||
|
1e:de:a6:91:d9:00:ec:84:b8:64:f8:06:51:82:f4:
|
||
|
84:9b:a2:fe:16:34:5c:e1:2f:3d:ad:34:b9:8e:ad:
|
||
|
8e:ea:8a:e9:40:56:5b:f5:09:2c:bf:a0:08:db:81:
|
||
|
7f:fb:d8:b9:6c:a6:be:4c:1f:b1:4e:b3:b0:8d:8d:
|
||
|
e4:04:8e:f8:8e:e9:c7:aa:e7:4a:b4:87:89:a7:25:
|
||
|
72:38:74:bb:e5:b6:7f:86:7b
|
||
|
Exponent: 65537 (0x10001)
|
||
|
X509v3 extensions:
|
||
|
X509v3 Subject Key Identifier:
|
||
|
98:0E:C7:0A:74:5D:FB:56:5B:B7:91:80:2A:3A:D4:89:AD:6C:B9:51
|
||
|
X509v3 Authority Key Identifier:
|
||
|
keyid:98:0E:C7:0A:74:5D:FB:56:5B:B7:91:80:2A:3A:D4:89:AD:6C:B9:51
|
||
|
|
||
|
X509v3 Basic Constraints:
|
||
|
CA:TRUE
|
||
|
Signature Algorithm: sha1WithRSAEncryption
|
||
|
39:7e:99:fd:40:44:0a:20:4c:3c:9a:bf:01:aa:94:c8:76:bb:
|
||
|
80:53:4f:cd:28:2f:5b:7f:0b:52:09:14:cb:ac:ee:74:7f:17:
|
||
|
4b:79:21:db:e1:a3:9b:e5:b1:72:83:f7:88:02:20:d6:23:33:
|
||
|
e4:ff:50:58:c6:88:e0:22:d7:2b:96:b3:dd:31:1a:80:52:0d:
|
||
|
61:4f:47:72:63:39:1e:7f:a1:ad:f0:2b:82:53:05:ca:3d:0a:
|
||
|
8f:3c:72:58:74:57:ae:8b:66:16:d9:a4:50:99:bc:d3:a7:c5:
|
||
|
54:63:f0:87:cd:06:1a:d4:61:ed:d3:b8:33:5d:5a:d6:a4:f0:
|
||
|
a4:96
|
||
|
-----BEGIN CERTIFICATE-----
|
||
|
MIICijCCAfOgAwIBAgIJAN9pH+/lr78PMA0GCSqGSIb3DQEBBQUAMF4xCzAJBgNV
|
||
|
BAYTAlVTMQswCQYDVQQIDAJXQTERMA8GA1UECgwIY29yZS1kZXYxEDAOBgNVBAMM
|
||
|
B0NPUkUgQ0ExHTAbBgkqhkiG9w0BCQEWDnJvb3RAbG9jYWxob3N0MB4XDTEyMDMy
|
||
|
MDE2MTYwOFoXDTE1MDMyMDE2MTYwOFowXjELMAkGA1UEBhMCVVMxCzAJBgNVBAgM
|
||
|
AldBMREwDwYDVQQKDAhjb3JlLWRldjEQMA4GA1UEAwwHQ09SRSBDQTEdMBsGCSqG
|
||
|
SIb3DQEJARYOcm9vdEBsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
|
||
|
AoGBAMTX/MO8oO52e1hclm0fdCbCk8GklJUTXk+LPwAn5RuxO3A+cnFNyWdUMylJ
|
||
|
Ht6mkdkA7IS4ZPgGUYL0hJui/hY0XOEvPa00uY6tjuqK6UBWW/UJLL+gCNuBf/vY
|
||
|
uWymvkwfsU6zsI2N5ASO+I7px6rnSrSHiaclcjh0u+W2f4Z7AgMBAAGjUDBOMB0G
|
||
|
A1UdDgQWBBSYDscKdF37Vlu3kYAqOtSJrWy5UTAfBgNVHSMEGDAWgBSYDscKdF37
|
||
|
Vlu3kYAqOtSJrWy5UTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBADl+
|
||
|
mf1ARAogTDyavwGqlMh2u4BTT80oL1t/C1IJFMus7nR/F0t5Idvho5vlsXKD94gC
|
||
|
INYjM+T/UFjGiOAi1yuWs90xGoBSDWFPR3JjOR5/oa3wK4JTBco9Co88clh0V66L
|
||
|
ZhbZpFCZvNOnxVRj8IfNBhrUYe3TuDNdWtak8KSW
|
||
|
-----END CERTIFICATE-----
|
||
|
|
||
|
}
|
||
|
}
|
||
|
custom-config {
|
||
|
custom-config-id service:VPNServer:vpnserver.pem
|
||
|
custom-command vpnserver.pem
|
||
|
config {
|
||
|
Certificate:
|
||
|
Data:
|
||
|
Version: 3 (0x2)
|
||
|
Serial Number:
|
||
|
df:69:1f:ef:e5:af:bf:14
|
||
|
Signature Algorithm: sha1WithRSAEncryption
|
||
|
Issuer: C=US, ST=WA, O=core-dev, CN=CORE CA/emailAddress=root@localhost
|
||
|
Validity
|
||
|
Not Before: Apr 12 15:09:45 2012 GMT
|
||
|
Not After : Apr 10 15:09:45 2022 GMT
|
||
|
Subject: C=US, ST=WA, O=core-dev, CN=vpnserver
|
||
|
Subject Public Key Info:
|
||
|
Public Key Algorithm: rsaEncryption
|
||
|
Public-Key: (1024 bit)
|
||
|
Modulus:
|
||
|
00:af:da:e2:fb:f7:e1:ca:97:bb:94:1b:8f:f7:70:
|
||
|
2f:c5:dc:71:22:b6:d2:f3:8b:fc:3a:d1:ef:65:60:
|
||
|
21:0f:e5:49:ed:71:45:1c:e9:f7:b9:f7:00:74:05:
|
||
|
a3:ab:63:05:5c:be:23:fd:18:c6:b7:17:52:21:3a:
|
||
|
86:5f:68:07:a6:1b:2f:fc:df:ce:ac:45:55:cd:2a:
|
||
|
d4:8a:66:d1:46:99:e4:b2:57:49:53:df:d0:c0:1e:
|
||
|
0f:84:6f:52:8d:2c:6e:4b:cb:f7:7e:c4:27:51:72:
|
||
|
cd:db:68:54:fd:4d:c4:42:1a:27:be:9f:03:03:d8:
|
||
|
ff:11:58:46:2f:58:13:2c:37
|
||
|
Exponent: 65537 (0x10001)
|
||
|
X509v3 extensions:
|
||
|
X509v3 Basic Constraints:
|
||
|
CA:FALSE
|
||
|
Netscape Comment:
|
||
|
OpenSSL Generated Certificate
|
||
|
X509v3 Subject Key Identifier:
|
||
|
56:F2:E8:73:73:76:FD:14:13:1C:1A:AB:F2:8F:30:D4:91:7D:83:62
|
||
|
X509v3 Authority Key Identifier:
|
||
|
keyid:98:0E:C7:0A:74:5D:FB:56:5B:B7:91:80:2A:3A:D4:89:AD:6C:B9:51
|
||
|
|
||
|
Signature Algorithm: sha1WithRSAEncryption
|
||
|
29:62:f5:4a:40:ce:65:e0:73:ff:d1:80:ca:89:a3:29:4e:d8:
|
||
|
63:52:f0:76:21:b7:83:49:a4:fa:54:f7:0d:58:eb:af:fb:59:
|
||
|
61:63:02:57:de:4d:c1:8d:f1:de:d6:00:40:53:12:25:3c:9b:
|
||
|
48:9a:a7:3b:95:5d:67:83:11:b2:b2:ef:c2:71:95:23:e5:42:
|
||
|
88:09:ac:95:c9:cf:e8:5c:d8:14:9e:d8:4f:6f:af:10:4f:f5:
|
||
|
19:a2:71:f3:96:5f:1b:19:53:e9:16:4d:4e:be:e5:8a:83:57:
|
||
|
0a:93:7a:a4:53:05:1a:64:bf:25:69:fc:3c:3b:9b:aa:43:f4:
|
||
|
1d:fc
|
||
|
-----BEGIN CERTIFICATE-----
|
||
|
MIICmDCCAgGgAwIBAgIJAN9pH+/lr78UMA0GCSqGSIb3DQEBBQUAMF4xCzAJBgNV
|
||
|
BAYTAlVTMQswCQYDVQQIDAJXQTERMA8GA1UECgwIY29yZS1kZXYxEDAOBgNVBAMM
|
||
|
B0NPUkUgQ0ExHTAbBgkqhkiG9w0BCQEWDnJvb3RAbG9jYWxob3N0MB4XDTEyMDQx
|
||
|
MjE1MDk0NVoXDTIyMDQxMDE1MDk0NVowQTELMAkGA1UEBhMCVVMxCzAJBgNVBAgM
|
||
|
AldBMREwDwYDVQQKDAhjb3JlLWRldjESMBAGA1UEAwwJdnBuc2VydmVyMIGfMA0G
|
||
|
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv2uL79+HKl7uUG4/3cC/F3HEittLzi/w6
|
||
|
0e9lYCEP5UntcUUc6fe59wB0BaOrYwVcviP9GMa3F1IhOoZfaAemGy/8386sRVXN
|
||
|
KtSKZtFGmeSyV0lT39DAHg+Eb1KNLG5Ly/d+xCdRcs3baFT9TcRCGie+nwMD2P8R
|
||
|
WEYvWBMsNwIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVu
|
||
|
U1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUVvLoc3N2/RQTHBqr
|
||
|
8o8w1JF9g2IwHwYDVR0jBBgwFoAUmA7HCnRd+1Zbt5GAKjrUia1suVEwDQYJKoZI
|
||
|
hvcNAQEFBQADgYEAKWL1SkDOZeBz/9GAyomjKU7YY1LwdiG3g0mk+lT3DVjrr/tZ
|
||
|
YWMCV95NwY3x3tYAQFMSJTybSJqnO5VdZ4MRsrLvwnGVI+VCiAmslcnP6FzYFJ7Y
|
||
|
T2+vEE/1GaJx85ZfGxlT6RZNTr7lioNXCpN6pFMFGmS/JWn8PDubqkP0Hfw=
|
||
|
-----END CERTIFICATE-----
|
||
|
|
||
|
}
|
||
|
}
|
||
|
custom-config {
|
||
|
custom-config-id service:VPNServer:vpnserver.key
|
||
|
custom-command vpnserver.key
|
||
|
config {
|
||
|
-----BEGIN PRIVATE KEY-----
|
||
|
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAK/a4vv34cqXu5Qb
|
||
|
j/dwL8XccSK20vOL/DrR72VgIQ/lSe1xRRzp97n3AHQFo6tjBVy+I/0YxrcXUiE6
|
||
|
hl9oB6YbL/zfzqxFVc0q1Ipm0UaZ5LJXSVPf0MAeD4RvUo0sbkvL937EJ1Fyzdto
|
||
|
VP1NxEIaJ76fAwPY/xFYRi9YEyw3AgMBAAECgYBcUveOP5KsUULqvBm2V5DNOTGw
|
||
|
fvl7Ycf3fZZIy9IvzTolzazyRCeJ25LCVt+ZsC/1g+HTE/nnz/ePeHFpj21LuVWJ
|
||
|
uWsV9qmdO0K5WxfXM4M08df+EVRrOh4rmgnHZp7jBW6srwGSSJxsvRAe0cRlZcCW
|
||
|
JsgJcyLJfZk0ypsSgQJBAOTtkUfJvqdU0CslBSmDY6skxjneS6kLQGvrELHRTZgd
|
||
|
K31E5WDYJgkpVGhWur19kUYIj7Fs3/Z1Q0KC0bRWokECQQDEpp52u4ilaP9nJsMm
|
||
|
5l/JVEO5gIzbqStVTmU64wLgx3mapL6P8Sa1gbJMlc5NMyayjRP0PoN0cvz+V9t4
|
||
|
3cB3AkEAxhLHINXtn9pCQxJE5SZJlkq7OFaeICUcGEPKrg/qkzKp7jkuPhzGzCZ2
|
||
|
YdCowkti5rWBnoIVRakwCNwnlWFgAQJAEhyWc7EKANIO091KFAcbw1szcZ5ZWtHV
|
||
|
3+F8iVPnK/SzSn7p3jADtKvhVBRoD8wqQD+mGtS3Hr6IdpR47kTeOQJBAJhd4vi6
|
||
|
LxbQZlS009DamuSrqgwsmTcfylu58bhFN4YkWCw8CPk3iKJXH6beomDvYEIQl8C5
|
||
|
jWe+PqSX6XcwnTk=
|
||
|
-----END PRIVATE KEY-----
|
||
|
|
||
|
}
|
||
|
}
|
||
|
custom-config {
|
||
|
custom-config-id service:VPNServer:vpnserver.sh
|
||
|
custom-command vpnserver.sh
|
||
|
config {
|
||
|
#!/bin/sh
|
||
|
# custom VPN Server Configuration for service (security.py)
|
||
|
# -------- CUSTOMIZATION REQUIRED --------
|
||
|
#
|
||
|
# The VPNServer service sets up the OpenVPN server for building VPN tunnels
|
||
|
# that allow access via TUN/TAP device to private networks.
|
||
|
#
|
||
|
# note that the IPForward and DefaultRoute services should be enabled
|
||
|
|
||
|
# directory containing the certificate and key described below, in addition to
|
||
|
# a CA certificate and DH key
|
||
|
keydir=/tmp/certs
|
||
|
|
||
|
# the name used for a "$keyname.pem" certificate and "$keyname.key" private key.
|
||
|
keyname=vpnserver
|
||
|
|
||
|
# the VPN subnet address from which the client VPN IP (for the TUN/TAP)
|
||
|
# will be allocated
|
||
|
vpnsubnet=10.0.200.0
|
||
|
|
||
|
# public IP address of this vpn server (same as VPNClient vpnserver= setting)
|
||
|
vpnserver=10.0.1.10
|
||
|
|
||
|
# optional list of private subnets reachable behind this VPN server
|
||
|
# each subnet and next hop is separated by a space
|
||
|
# "<subnet1>,<nexthop1> <subnet2>,<nexthop2> ..."
|
||
|
privatenets="10.0.6.0,10.0.1.10"
|
||
|
|
||
|
# optional list of VPN clients, for statically assigning IP addresses to
|
||
|
# clients; also, an optional client subnet can be specified for adding static
|
||
|
# routes via the client
|
||
|
# Note: VPN addresses x.x.x.0-3 are reserved
|
||
|
# "<keyname>,<vpnIP>,<subnetIP> <keyname>,<vpnIP>,<subnetIP> ..."
|
||
|
#vpnclients="client1KeyFilename,10.0.200.5,10.0.0.0 client2KeyFilename,,"
|
||
|
vpnclients=""
|
||
|
|
||
|
# NOTE: you may need to enable the StaticRoutes service on nodes within the
|
||
|
# private subnet, in order to have routes back to the client.
|
||
|
# /sbin/ip ro add <vpnsubnet>/24 via <vpnServerRemoteInterface>
|
||
|
# /sbin/ip ro add <vpnClientSubnet>/24 via <vpnServerRemoteInterface>
|
||
|
|
||
|
# -------- END CUSTOMIZATION --------
|
||
|
|
||
|
echo > $PWD/vpnserver.log
|
||
|
rm -f -r $PWD/ccd
|
||
|
|
||
|
# validate key and certification files
|
||
|
if [ ! -e $keydir\/$keyname.key ] || [ ! -e $keydir\/$keyname.pem ] \
|
||
|
|| [ ! -e $keydir\/ca-cert.pem ] || [ ! -e $keydir\/dh1024.pem ]; then
|
||
|
echo "ERROR: missing certification or key files under $keydir \
|
||
|
$keyname.key or $keyname.pem or ca-cert.pem or dh1024.pem" >> $PWD/vpnserver.log
|
||
|
fi
|
||
|
|
||
|
# validate configuration IP addresses
|
||
|
checkip=0
|
||
|
if [ "$(dpkg -l | grep " sipcalc ")" = "" ]; then
|
||
|
echo "WARNING: ip validation disabled because package sipcalc not installed\
|
||
|
" >> $PWD/vpnserver.log
|
||
|
checkip=1
|
||
|
else
|
||
|
if [ "$(sipcalc "$vpnsubnet" "$vpnserver" | grep ERR)" != "" ]; then
|
||
|
echo "ERROR: invalid vpn subnet or server address \
|
||
|
$vpnsubnet or $vpnserver " >> $PWD/vpnserver.log
|
||
|
fi
|
||
|
fi
|
||
|
|
||
|
# create client vpn ip pool file
|
||
|
(
|
||
|
cat << EOF
|
||
|
EOF
|
||
|
)> $PWD/ippool.txt
|
||
|
|
||
|
# create server.conf file
|
||
|
(
|
||
|
cat << EOF
|
||
|
# openvpn server config
|
||
|
local $vpnserver
|
||
|
server $vpnsubnet 255.255.255.0
|
||
|
push redirect-gateway def1
|
||
|
EOF
|
||
|
)> $PWD/server.conf
|
||
|
|
||
|
# add routes to VPN server private subnets, and push these routes to clients
|
||
|
for privatenet in $privatenets; do
|
||
|
if [ $privatenet != "" ]; then
|
||
|
net=${privatenet%%,*}
|
||
|
nexthop=${privatenet##*,}
|
||
|
if [ $checkip = "0" ] &&
|
||
|
[ "$(sipcalc "$net" "$nexthop" | grep ERR)" != "" ]; then
|
||
|
echo "ERROR: invalid vpn server private net address \
|
||
|
$net or $nexthop " >> $PWD/vpnserver.log
|
||
|
fi
|
||
|
echo push route $net 255.255.255.0 >> $PWD/server.conf
|
||
|
/sbin/ip ro add $net/24 via $nexthop
|
||
|
/sbin/ip ro add $vpnsubnet/24 via $nexthop
|
||
|
fi
|
||
|
done
|
||
|
|
||
|
# allow subnet through this VPN, one route for each client subnet
|
||
|
for client in $vpnclients; do
|
||
|
if [ $client != "" ]; then
|
||
|
cSubnetIP=${client##*,}
|
||
|
cVpnIP=${client#*,}
|
||
|
cVpnIP=${cVpnIP%%,*}
|
||
|
cKeyFilename=${client%%,*}
|
||
|
if [ "$cSubnetIP" != "" ]; then
|
||
|
if [ $checkip = "0" ] &&
|
||
|
[ "$(sipcalc "$cSubnetIP" "$cVpnIP" | grep ERR)" != "" ]; then
|
||
|
echo "ERROR: invalid vpn client and subnet address \
|
||
|
$cSubnetIP or $cVpnIP " >> $PWD/vpnserver.log
|
||
|
fi
|
||
|
echo route $cSubnetIP 255.255.255.0 >> $PWD/server.conf
|
||
|
if ! test -d $PWD/ccd; then
|
||
|
mkdir -p $PWD/ccd
|
||
|
echo client-config-dir $PWD/ccd >> $PWD/server.conf
|
||
|
fi
|
||
|
if test -e $PWD/ccd/$cKeyFilename; then
|
||
|
echo iroute $cSubnetIP 255.255.255.0 >> $PWD/ccd/$cKeyFilename
|
||
|
else
|
||
|
echo iroute $cSubnetIP 255.255.255.0 > $PWD/ccd/$cKeyFilename
|
||
|
fi
|
||
|
fi
|
||
|
if [ "$cVpnIP" != "" ]; then
|
||
|
echo $cKeyFilename,$cVpnIP >> $PWD/ippool.txt
|
||
|
fi
|
||
|
fi
|
||
|
done
|
||
|
|
||
|
(
|
||
|
cat << EOF
|
||
|
keepalive 10 120
|
||
|
ca $keydir/ca-cert.pem
|
||
|
cert $keydir/$keyname.pem
|
||
|
key $keydir/$keyname.key
|
||
|
dh $keydir/dh1024.pem
|
||
|
cipher AES-256-CBC
|
||
|
status /var/log/openvpn-status.log
|
||
|
log /var/log/openvpn-server.log
|
||
|
ifconfig-pool-linear
|
||
|
ifconfig-pool-persist $PWD/ippool.txt
|
||
|
port 1194
|
||
|
proto udp
|
||
|
dev tun
|
||
|
verb 4
|
||
|
daemon
|
||
|
EOF
|
||
|
)>> $PWD/server.conf
|
||
|
|
||
|
# start vpn server
|
||
|
openvpn --config server.conf
|
||
|
|
||
|
}
|
||
|
}
|
||
|
custom-config {
|
||
|
custom-config-id service:VPNServer
|
||
|
custom-command VPNServer
|
||
|
config {
|
||
|
|
||
|
('vpnserver.sh', 'vpnserver.key', 'vpnserver.pem', 'ca-cert.pem', 'dh1024.pem', 'copycerts.sh', )
|
||
|
50
|
||
|
('sh copycerts.sh', 'sh vpnserver.sh', )
|
||
|
('killall openvpn', )
|
||
|
('pidof openvpn', )
|
||
|
|
||
|
}
|
||
|
}
|
||
|
services {IPForward DefaultRoute SSH VPNServer}
|
||
|
}
|
||
|
|
||
|
node n6 {
|
||
|
type router
|
||
|
model PC
|
||
|
network-config {
|
||
|
hostname vpnclient
|
||
|
!
|
||
|
interface eth0
|
||
|
ip address 10.0.0.20/24
|
||
|
ipv6 address 2001:0::20/64
|
||
|
!
|
||
|
}
|
||
|
canvas c1
|
||
|
iconcoords {120.0 133.0}
|
||
|
labelcoords {120.0 165.0}
|
||
|
interface-peer {eth0 n1}
|
||
|
custom-config {
|
||
|
custom-config-id service:VPNClient:vpnclient.key
|
||
|
custom-command vpnclient.key
|
||
|
config {
|
||
|
-----BEGIN PRIVATE KEY-----
|
||
|
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAM49tCuXw4Wjt8iY
|
||
|
84nU+fdOCw5M9RXXDfwHOxd1ILSP4KDLB7FfqVo9/DZOMlqNHYBeeF0WXLnr+zda
|
||
|
kKQUWpWHJQGQ4qHIJ+xCsBRCVbTPsRngeQMCCQw5ekW7NZKpKj6ANWkIm4dhiuTr
|
||
|
ZshR5Q6idNFG/b/ksNQsARK8vlJlAgMBAAECgYEAoKeKMKcAxJpasGUM2OJRcWaW
|
||
|
0CX8iG3EU/2h90zjFCQ7m6VsMaxN9KDyVa8mJElmoLd2VTT1OFLtlxnyMA423Hro
|
||
|
0tlKGErCH2yWMnrcjO30w7pmWSONn0yU/iAbzYAsmLNwYKCPAX2tJ9FZKsfVhctd
|
||
|
MEDMf/skhYL6CFe4XwECQQD1pV7C9lj0vsno22WoVg8n6/7OZu/ZBtCXoAQKAo14
|
||
|
bUqknK+SDMgqnexDQjarkQFrq4yxrPmp3Mv4a6M9vKglAkEA1u8i+1m4VMAARe9N
|
||
|
3qiFA0hk9v3Nm7f/ZVrkddoZNChV8CQW9y3Caltrlrjj0ugTAaWKdOhOcWeRcDo9
|
||
|
EMrNQQJAbXwpgkf+Wgd3QrwW0TKaSrbauPAUUuzAp/QAGN4OY/CCZmAXuMbNqID+
|
||
|
vvOSHmHg+jZZ3Q81r8njd3OyLGAbqQJAURqn3qT6c7CH6dvlTHHWz2hQAQvAvFPw
|
||
|
IbTspLQJ8q6NzzIvIFK6HBwnOxbFkV5VXbezyW2nvA9SyECRrnZ4gQJAfV2In/xB
|
||
|
qxyrHHInJPtwzsKjfgw9787ulXeDa+gYQrmwfrqYvPo6NtfJ9i2ahl8tr3LIFWIH
|
||
|
NavHWA5NKc4GVw==
|
||
|
-----END PRIVATE KEY-----
|
||
|
|
||
|
}
|
||
|
}
|
||
|
custom-config {
|
||
|
custom-config-id service:VPNClient:vpnclient.pem
|
||
|
custom-command vpnclient.pem
|
||
|
config {
|
||
|
Certificate:
|
||
|
Data:
|
||
|
Version: 3 (0x2)
|
||
|
Serial Number:
|
||
|
df:69:1f:ef:e5:af:bf:13
|
||
|
Signature Algorithm: sha1WithRSAEncryption
|
||
|
Issuer: C=US, ST=WA, O=core-dev, CN=CORE CA/emailAddress=root@localhost
|
||
|
Validity
|
||
|
Not Before: Apr 12 15:09:01 2012 GMT
|
||
|
Not After : Apr 10 15:09:01 2022 GMT
|
||
|
Subject: C=US, ST=WA, O=core-dev, CN=vpnclient
|
||
|
Subject Public Key Info:
|
||
|
Public Key Algorithm: rsaEncryption
|
||
|
Public-Key: (1024 bit)
|
||
|
Modulus:
|
||
|
00:ce:3d:b4:2b:97:c3:85:a3:b7:c8:98:f3:89:d4:
|
||
|
f9:f7:4e:0b:0e:4c:f5:15:d7:0d:fc:07:3b:17:75:
|
||
|
20:b4:8f:e0:a0:cb:07:b1:5f:a9:5a:3d:fc:36:4e:
|
||
|
32:5a:8d:1d:80:5e:78:5d:16:5c:b9:eb:fb:37:5a:
|
||
|
90:a4:14:5a:95:87:25:01:90:e2:a1:c8:27:ec:42:
|
||
|
b0:14:42:55:b4:cf:b1:19:e0:79:03:02:09:0c:39:
|
||
|
7a:45:bb:35:92:a9:2a:3e:80:35:69:08:9b:87:61:
|
||
|
8a:e4:eb:66:c8:51:e5:0e:a2:74:d1:46:fd:bf:e4:
|
||
|
b0:d4:2c:01:12:bc:be:52:65
|
||
|
Exponent: 65537 (0x10001)
|
||
|
X509v3 extensions:
|
||
|
X509v3 Basic Constraints:
|
||
|
CA:FALSE
|
||
|
Netscape Comment:
|
||
|
OpenSSL Generated Certificate
|
||
|
X509v3 Subject Key Identifier:
|
||
|
A0:59:F2:02:46:86:A3:2A:BD:C0:33:DA:31:71:1F:78:88:16:43:CE
|
||
|
X509v3 Authority Key Identifier:
|
||
|
keyid:98:0E:C7:0A:74:5D:FB:56:5B:B7:91:80:2A:3A:D4:89:AD:6C:B9:51
|
||
|
|
||
|
Signature Algorithm: sha1WithRSAEncryption
|
||
|
0a:39:71:f3:9f:50:68:f9:de:3e:47:eb:73:6b:4e:d8:6c:ff:
|
||
|
d5:38:0a:a0:8f:52:8f:cb:7e:6f:95:62:b6:04:2f:1d:3f:42:
|
||
|
32:26:38:c5:89:ea:ef:fc:27:ab:f0:81:39:e2:58:d6:fd:f8:
|
||
|
3e:f8:db:22:ce:39:dd:13:49:6a:7b:eb:90:8a:cc:bc:7d:87:
|
||
|
c5:d4:25:5f:f5:9a:0a:8f:1e:28:86:50:46:e2:fd:4e:ff:5d:
|
||
|
b8:0e:48:2d:bd:0f:38:b4:85:0f:4e:05:c6:60:cf:5a:d9:d0:
|
||
|
5c:32:ed:70:3c:72:28:fd:75:c5:38:d5:52:cb:57:f9:4b:86:
|
||
|
0a:74
|
||
|
-----BEGIN CERTIFICATE-----
|
||
|
MIICmDCCAgGgAwIBAgIJAN9pH+/lr78TMA0GCSqGSIb3DQEBBQUAMF4xCzAJBgNV
|
||
|
BAYTAlVTMQswCQYDVQQIDAJXQTERMA8GA1UECgwIY29yZS1kZXYxEDAOBgNVBAMM
|
||
|
B0NPUkUgQ0ExHTAbBgkqhkiG9w0BCQEWDnJvb3RAbG9jYWxob3N0MB4XDTEyMDQx
|
||
|
MjE1MDkwMVoXDTIyMDQxMDE1MDkwMVowQTELMAkGA1UEBhMCVVMxCzAJBgNVBAgM
|
||
|
AldBMREwDwYDVQQKDAhjb3JlLWRldjESMBAGA1UEAwwJdnBuY2xpZW50MIGfMA0G
|
||
|
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOPbQrl8OFo7fImPOJ1Pn3TgsOTPUV1w38
|
||
|
BzsXdSC0j+CgywexX6laPfw2TjJajR2AXnhdFly56/s3WpCkFFqVhyUBkOKhyCfs
|
||
|
QrAUQlW0z7EZ4HkDAgkMOXpFuzWSqSo+gDVpCJuHYYrk62bIUeUOonTRRv2/5LDU
|
||
|
LAESvL5SZQIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVu
|
||
|
U1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUoFnyAkaGoyq9wDPa
|
||
|
MXEfeIgWQ84wHwYDVR0jBBgwFoAUmA7HCnRd+1Zbt5GAKjrUia1suVEwDQYJKoZI
|
||
|
hvcNAQEFBQADgYEACjlx859QaPnePkfrc2tO2Gz/1TgKoI9Sj8t+b5VitgQvHT9C
|
||
|
MiY4xYnq7/wnq/CBOeJY1v34PvjbIs453RNJanvrkIrMvH2HxdQlX/WaCo8eKIZQ
|
||
|
RuL9Tv9duA5ILb0POLSFD04FxmDPWtnQXDLtcDxyKP11xTjVUstX+UuGCnQ=
|
||
|
-----END CERTIFICATE-----
|
||
|
|
||
|
}
|
||
|
}
|
||
|
custom-config {
|
||
|
custom-config-id service:VPNClient:copycerts.sh
|
||
|
custom-command copycerts.sh
|
||
|
config {
|
||
|
#!/bin/sh
|
||
|
|
||
|
FILES="vpnclient.pem vpnclient.key"
|
||
|
|
||
|
mkdir -p /tmp/certs
|
||
|
|
||
|
for f in $FILES; do
|
||
|
cp $f /tmp/certs
|
||
|
done
|
||
|
}
|
||
|
}
|
||
|
custom-config {
|
||
|
custom-config-id service:VPNClient:vpnclient.sh
|
||
|
custom-command vpnclient.sh
|
||
|
config {
|
||
|
#!/bin/sh
|
||
|
# custom VPN Client configuration for service (security.py)
|
||
|
# -------- CUSTOMIZATION REQUIRED --------
|
||
|
#
|
||
|
# The VPNClient service builds a VPN tunnel to the specified VPN server using
|
||
|
# OpenVPN software and a virtual TUN/TAP device.
|
||
|
|
||
|
# directory containing the certificate and key described below
|
||
|
keydir=/tmp/certs
|
||
|
|
||
|
# the name used for a "$keyname.pem" certificate and "$keyname.key" private key.
|
||
|
keyname=vpnclient
|
||
|
|
||
|
# the public IP address of the VPN server this client should connect with
|
||
|
vpnserver="10.0.1.10"
|
||
|
|
||
|
# optional next hop for adding a static route to reach the VPN server
|
||
|
nexthop=""
|
||
|
|
||
|
# --------- END CUSTOMIZATION --------
|
||
|
|
||
|
# validate addresses
|
||
|
if [ "$(dpkg -l | grep " sipcalc ")" = "" ]; then
|
||
|
echo "WARNING: ip validation disabled because package sipcalc not installed
|
||
|
" > $PWD/vpnclient.log
|
||
|
else
|
||
|
if [ "$(sipcalc "$vpnserver" "$nexthop" | grep ERR)" != "" ]; then
|
||
|
echo "ERROR: invalide address $vpnserver or $nexthop \
|
||
|
" > $PWD/vpnclient.log
|
||
|
fi
|
||
|
fi
|
||
|
|
||
|
# validate key and certification files
|
||
|
if [ ! -e $keydir\/$keyname.key ] || [ ! -e $keydir\/$keyname.pem ] \
|
||
|
|| [ ! -e $keydir\/ca-cert.pem ] || [ ! -e $keydir\/dh1024.pem ]; then
|
||
|
echo "ERROR: missing certification or key files under $keydir \
|
||
|
$keyname.key or $keyname.pem or ca-cert.pem or dh1024.pem" >> $PWD/vpnclient.log
|
||
|
fi
|
||
|
|
||
|
# if necessary, add a static route for reaching the VPN server IP via the IF
|
||
|
vpnservernet=${vpnserver%.*}.0/24
|
||
|
if [ "$nexthop" != "" ]; then
|
||
|
/sbin/ip route add $vpnservernet via $nexthop
|
||
|
fi
|
||
|
|
||
|
# create openvpn client.conf
|
||
|
(
|
||
|
cat << EOF
|
||
|
client
|
||
|
dev tun
|
||
|
proto udp
|
||
|
remote $vpnserver 1194
|
||
|
nobind
|
||
|
ca $keydir/ca-cert.pem
|
||
|
cert $keydir/$keyname.pem
|
||
|
key $keydir/$keyname.key
|
||
|
dh $keydir/dh1024.pem
|
||
|
cipher AES-256-CBC
|
||
|
log /var/log/openvpn-client.log
|
||
|
verb 4
|
||
|
daemon
|
||
|
EOF
|
||
|
) > client.conf
|
||
|
|
||
|
openvpn --config client.conf
|
||
|
|
||
|
}
|
||
|
}
|
||
|
custom-config {
|
||
|
custom-config-id service:VPNClient
|
||
|
custom-command VPNClient
|
||
|
config {
|
||
|
|
||
|
('vpnclient.sh', 'copycerts.sh', 'vpnclient.pem', 'vpnclient.key', )
|
||
|
60
|
||
|
('sh copycerts.sh', 'sh vpnclient.sh', )
|
||
|
('killall openvpn', )
|
||
|
('pidof openvpn', )
|
||
|
|
||
|
}
|
||
|
}
|
||
|
services {DefaultRoute VPNClient}
|
||
|
}
|
||
|
|
||
|
node n7 {
|
||
|
type lanswitch
|
||
|
network-config {
|
||
|
hostname n7
|
||
|
!
|
||
|
}
|
||
|
canvas c1
|
||
|
iconcoords {824.0 458.0}
|
||
|
labelcoords {824.0 482.0}
|
||
|
interface-peer {e0 n5}
|
||
|
interface-peer {e1 n8}
|
||
|
interface-peer {e2 n9}
|
||
|
interface-peer {e3 n10}
|
||
|
}
|
||
|
|
||
|
node n8 {
|
||
|
type router
|
||
|
model PC
|
||
|
network-config {
|
||
|
hostname n8
|
||
|
!
|
||
|
interface eth0
|
||
|
ip address 10.0.6.20/24
|
||
|
ipv6 address 2001:6::20/64
|
||
|
!
|
||
|
}
|
||
|
canvas c1
|
||
|
iconcoords {801.0 264.0}
|
||
|
labelcoords {801.0 296.0}
|
||
|
interface-peer {eth0 n7}
|
||
|
}
|
||
|
|
||
|
node n9 {
|
||
|
type router
|
||
|
model PC
|
||
|
network-config {
|
||
|
hostname n9
|
||
|
!
|
||
|
interface eth0
|
||
|
ip address 10.0.6.21/24
|
||
|
ipv6 address 2001:6::21/64
|
||
|
!
|
||
|
}
|
||
|
canvas c1
|
||
|
iconcoords {885.0 305.0}
|
||
|
labelcoords {885.0 337.0}
|
||
|
interface-peer {eth0 n7}
|
||
|
}
|
||
|
|
||
|
node n10 {
|
||
|
type router
|
||
|
model PC
|
||
|
network-config {
|
||
|
hostname n10
|
||
|
!
|
||
|
interface eth0
|
||
|
ip address 10.0.6.22/24
|
||
|
ipv6 address 2001:6::22/64
|
||
|
!
|
||
|
}
|
||
|
canvas c1
|
||
|
iconcoords {954.0 353.0}
|
||
|
labelcoords {954.0 385.0}
|
||
|
interface-peer {eth0 n7}
|
||
|
}
|
||
|
|
||
|
link l1 {
|
||
|
nodes {n6 n1}
|
||
|
bandwidth 0
|
||
|
}
|
||
|
|
||
|
link l2 {
|
||
|
nodes {n4 n5}
|
||
|
bandwidth 0
|
||
|
}
|
||
|
|
||
|
link l3 {
|
||
|
nodes {n1 n2}
|
||
|
bandwidth 0
|
||
|
}
|
||
|
|
||
|
link l4 {
|
||
|
nodes {n3 n4}
|
||
|
bandwidth 0
|
||
|
}
|
||
|
|
||
|
link l5 {
|
||
|
nodes {n3 n1}
|
||
|
bandwidth 0
|
||
|
}
|
||
|
|
||
|
link l6 {
|
||
|
nodes {n4 n2}
|
||
|
bandwidth 0
|
||
|
}
|
||
|
|
||
|
link l7 {
|
||
|
nodes {n5 n7}
|
||
|
bandwidth 0
|
||
|
}
|
||
|
|
||
|
link l8 {
|
||
|
nodes {n8 n7}
|
||
|
bandwidth 0
|
||
|
}
|
||
|
|
||
|
link l9 {
|
||
|
nodes {n9 n7}
|
||
|
bandwidth 0
|
||
|
}
|
||
|
|
||
|
link l10 {
|
||
|
nodes {n10 n7}
|
||
|
bandwidth 0
|
||
|
}
|
||
|
|
||
|
annotation a1 {
|
||
|
iconcoords {661.0 187.0 997.0 579.0}
|
||
|
type rectangle
|
||
|
label {private network}
|
||
|
labelcolor black
|
||
|
fontfamily {Arial}
|
||
|
fontsize 12
|
||
|
color #e9e9fe
|
||
|
width 0
|
||
|
border black
|
||
|
rad 25
|
||
|
effects {bold}
|
||
|
canvas c1
|
||
|
}
|
||
|
|
||
|
canvas c1 {
|
||
|
name {Canvas1}
|
||
|
}
|
||
|
|
||
|
option global {
|
||
|
interface_names no
|
||
|
ip_addresses yes
|
||
|
ipv6_addresses no
|
||
|
node_labels yes
|
||
|
link_labels yes
|
||
|
ipsec_configs yes
|
||
|
exec_errors yes
|
||
|
show_api no
|
||
|
background_images no
|
||
|
annotations yes
|
||
|
grid yes
|
||
|
traffic_start 0
|
||
|
}
|
||
|
|