comments { Sample scenario showing VPNClient and VPNServer service configuration. This topology features an OpenVPN client and server for virtual private networking. The client can access the private 10.0.6.0/24 network via the VPN server. First wait until routing converges in the center routers (try using the Adjacency Widget and wait for blue lines, meaning full adjacencies), then open a shell on the vpnclient and try pinging the private address of the vpnserver: vpnclient> ping 10.0.6.1 You can also access the other 10.0.6.* hosts behind the server. Try running tcpudmp on one of the center routers, e.g. the n2 eth1/10.0.5.2 interface, and you'll see UDP packets with TLS encrypted data instead of ICMP packets. Keys are included as extra files in the VPNClient and VPNServer service configuration. } node n1 { type router model router network-config { hostname n1 ! interface eth2 ip address 10.0.4.2/24 ipv6 address 2001:4::2/64 ! interface eth1 ip address 10.0.2.1/24 ipv6 address 2001:2::1/64 ! interface eth0 ip address 10.0.0.1/24 ipv6 address 2001:0::1/64 ! } canvas c1 iconcoords {297.0 236.0} labelcoords {297.0 264.0} interface-peer {eth0 n6} interface-peer {eth1 n2} interface-peer {eth2 n3} } node n2 { type router model router network-config { hostname n2 ! interface eth1 ip address 10.0.5.2/24 ipv6 address 2001:5::2/64 ! interface eth0 ip address 10.0.2.2/24 ipv6 address 2001:2::2/64 ! } canvas c1 iconcoords {298.0 432.0} labelcoords {298.0 460.0} interface-peer {eth0 n1} interface-peer {eth1 n4} } node n3 { type router model router network-config { hostname n3 ! interface eth1 ip address 10.0.4.1/24 ipv6 address 2001:4::1/64 ! interface eth0 ip address 10.0.3.1/24 ipv6 address 2001:3::1/64 ! } canvas c1 iconcoords {573.0 233.0} labelcoords {573.0 261.0} interface-peer {eth0 n4} interface-peer {eth1 n1} } node n4 { type router model router network-config { hostname n4 ! interface eth2 ip address 10.0.5.1/24 ipv6 address 2001:5::1/64 ! interface eth1 ip address 10.0.3.2/24 ipv6 address 2001:3::2/64 ! interface eth0 ip address 10.0.1.1/24 ipv6 address 2001:1::1/64 ! } canvas c1 iconcoords {574.0 429.0} labelcoords {574.0 457.0} interface-peer {eth0 n5} interface-peer {eth1 n3} interface-peer {eth2 n2} } node n5 { type router model host network-config { hostname vpnserver ! interface eth1 ipv6 address 2001:6::10/64 ip address 10.0.6.1/24 ! interface eth0 ip address 10.0.1.10/24 ipv6 address 2001:1::10/64 ! } canvas c1 iconcoords {726.0 511.0} labelcoords {726.0 543.0} interface-peer {eth0 n4} interface-peer {eth1 n7} custom-config { custom-config-id service:VPNServer:vpnserver.pem custom-command vpnserver.pem config { Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=WA, O=core-dev/emailAddress=root@localhost Validity Not Before: May 19 02:09:57 2015 GMT Not After : Apr 25 02:09:57 2115 GMT Subject: C=US, ST=WA, O=core-dev, CN=vpnserver/emailAddress=root@localhost Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:d2:88:b2:9b:32:ac:38:ca:45:e0:6b:db:1c:92: 5d:9a:42:23:df:64:a0:3b:c2:c4:f2:3a:75:bb:d6: 54:12:61:6e:aa:ac:0f:a6:2e:d9:3b:63:dc:3d:48: 02:f1:36:c8:97:d3:ef:24:6f:7f:dd:b7:9a:9d:6d: c1:c9:e2:11:49:1c:e0:67:d6:b0:b7:62:84:9a:f8: c3:af:4f:f7:77:29:74:01:81:47:49:84:d6:1c:0c: 36:41:42:a2:3e:92:28:83:50:7a:9c:fd:f3:66:7c: f8:d9:c7:f6:63:d2:59:d2:fd:9a:a4:9b:75:a6:16: ec:37:de:05:dd:05:a2:31:65:79:66:eb:b3:82:41: af:b9:e8:4a:bc:02:d6:a1:68:49:6c:09:e1:c5:9f: 3e:cf:52:76:d9:63:65:7a:a5:34:75:ee:ce:a3:c6: 92:f3:0d:2f:7f:b0:b4:12:fe:44:5f:77:10:25:98: b2:45:af:69:c8:9b:13:fc:f9:de:c6:be:b5:cf:62: 06:01:32:71:d5:84:1d:14:b9:28:46:80:f6:98:35: 12:e4:c8:e4:7a:94:e5:99:a3:6b:34:de:be:33:fe: 63:21:a3:cc:c4:64:15:49:e0:9d:57:84:b9:11:e5: 05:79:ba:22:6e:e4:24:b0:64:f0:54:13:1a:f4:73: 8a:ff Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Server Netscape Comment: OpenSSL Generated Server Certificate X509v3 Subject Key Identifier: A5:A6:80:4D:3C:CD:E2:FE:AD:32:FD:9D:B2:7C:B6:00:76:16:C0:41 X509v3 Authority Key Identifier: keyid:DB:D2:9C:8D:22:D9:D7:E2:38:A0:8D:6C:3B:BE:33:CE:8D:2A:BE:C8 DirName:/C=US/ST=WA/O=core-dev/emailAddress=root@localhost serial:CE:78:96:91:DB:9B:84:FD X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 Key Usage: Digital Signature, Key Encipherment Signature Algorithm: sha256WithRSAEncryption 3b:40:af:3a:c0:95:10:bc:d4:63:4a:1b:0f:9d:af:9c:27:29: 34:c9:80:dc:c2:2d:72:40:0e:50:15:fe:b4:87:bc:59:56:de: 81:96:1f:4f:ec:1a:44:ce:23:ba:69:b1:f5:ed:4b:1a:22:cf: 16:17:29:f9:bb:69:12:3c:42:87:09:48:26:a2:b3:88:40:3e: 3c:06:92:e1:65:6e:c0:62:50:55:08:5d:a0:4b:3a:0f:ff:9d: 65:91:b9:bf:d3:69:b9:ac:27:83:2c:fd:5a:bd:58:d3:75:a0: 70:e6:21:e9:f0:0d:19:a6:5f:2b:2d:1f:c9:fb:72:73:06:40: 32:5a:f8:81:30:59:b7:cb:3a:a7:3e:6f:af:4c:4b:57:eb:4a: d8:24:65:13:c3:86:fd:35:d3:6d:a0:3a:4b:63:40:9e:b4:98: e0:a2:c7:f2:71:42:d5:08:72:95:fd:df:8f:05:e9:68:a8:f8: 13:db:e6:0a:ec:c2:df:29:65:33:52:57:52:e5:7e:1d:09:2c: 56:0b:cc:d3:2d:dd:46:72:f0:cb:8b:2d:53:c4:d3:9d:63:a6: 6e:9f:dd:1a:7c:b2:87:d1:9e:4e:a0:b2:36:85:4a:5e:89:f9: 01:82:94:3d:3a:86:17:84:48:d4:0c:c4:25:25:54:3f:d7:65: 6b:85:c2:44:b3:6a:f5:74:69:f4:be:b2:13:68:a0:99:82:88: 07:23:8e:a3:67:e0:88:07:fe:fd:ba:85:f8:8a:1f:ac:1e:7d: ac:1e:f9:d1:3d:a8:fd:d9:91:9e:b2:3d:4f:f1:b4:80:9e:0b: aa:bb:44:6a:20:08:68:a4:45:0e:21:21:4d:d1:5f:ab:a8:96: 5a:29:e1:0f:9a:ff:a4:58:c6:80:15:51:98:ac:3c:23:4e:9e: 8f:a2:34:c1:f6:4c:26:f0:33:8d:db:15:b9:30:03:a7:b3:17: 31:9f:9a:5a:e7:a1:10:5e:61:57:04:bf:9a:6f:ec:87:15:4e: 33:2a:0c:e4:4a:b0:66:ab:04:7a:32:4d:66:44:af:d9:ad:41: a9:b1:05:c4:7d:2a:ba:2b:bb:c9:1e:5a:ff:cd:e0:e3:54:39: b6:be:e2:70:6c:db:e6:71:dc:27:7e:ef:e9:11:1f:cb:fa:cd: e1:57:a9:b9:ba:d6:69:fc:c0:d7:57:b0:51:4d:c4:2a:2f:1b: 99:fc:b7:65:11:99:fe:0b:58:4e:11:aa:06:c6:e1:53:20:c7: 56:0a:de:a6:65:c1:a6:41:e1:7b:1d:d7:17:45:b0:e4:66:50: 26:d8:85:c3:c3:93:2d:df:b0:35:6d:29:9a:6b:cc:cc:75:de: cf:72:37:8b:2d:24:b2:45 -----BEGIN CERTIFICATE----- MIIFQTCCAymgAwIBAgIBATANBgkqhkiG9w0BAQsFADBMMQswCQYDVQQGEwJVUzEL MAkGA1UECBMCV0ExETAPBgNVBAoTCGNvcmUtZGV2MR0wGwYJKoZIhvcNAQkBFg5y b290QGxvY2FsaG9zdDAgFw0xNTA1MTkwMjA5NTdaGA8yMTE1MDQyNTAyMDk1N1ow YDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMREwDwYDVQQKEwhjb3JlLWRldjES MBAGA1UEAxMJdnBuc2VydmVyMR0wGwYJKoZIhvcNAQkBFg5yb290QGxvY2FsaG9z dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANKIspsyrDjKReBr2xyS XZpCI99koDvCxPI6dbvWVBJhbqqsD6Yu2Ttj3D1IAvE2yJfT7yRvf923mp1twcni EUkc4GfWsLdihJr4w69P93cpdAGBR0mE1hwMNkFCoj6SKINQepz982Z8+NnH9mPS WdL9mqSbdaYW7DfeBd0FojFleWbrs4JBr7noSrwC1qFoSWwJ4cWfPs9SdtljZXql NHXuzqPGkvMNL3+wtBL+RF93ECWYskWvacibE/z53sa+tc9iBgEycdWEHRS5KEaA 9pg1EuTI5HqU5ZmjazTevjP+YyGjzMRkFUngnVeEuRHlBXm6Im7kJLBk8FQTGvRz iv8CAwEAAaOCARYwggESMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDMG CWCGSAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNh dGUwHQYDVR0OBBYEFKWmgE08zeL+rTL9nbJ8tgB2FsBBMHwGA1UdIwR1MHOAFNvS nI0i2dfiOKCNbDu+M86NKr7IoVCkTjBMMQswCQYDVQQGEwJVUzELMAkGA1UECBMC V0ExETAPBgNVBAoTCGNvcmUtZGV2MR0wGwYJKoZIhvcNAQkBFg5yb290QGxvY2Fs aG9zdIIJAM54lpHbm4T9MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIF oDANBgkqhkiG9w0BAQsFAAOCAgEAO0CvOsCVELzUY0obD52vnCcpNMmA3MItckAO UBX+tIe8WVbegZYfT+waRM4jummx9e1LGiLPFhcp+btpEjxChwlIJqKziEA+PAaS 4WVuwGJQVQhdoEs6D/+dZZG5v9Npuawngyz9Wr1Y03WgcOYh6fANGaZfKy0fyfty cwZAMlr4gTBZt8s6pz5vr0xLV+tK2CRlE8OG/TXTbaA6S2NAnrSY4KLH8nFC1Qhy lf3fjwXpaKj4E9vmCuzC3yllM1JXUuV+HQksVgvM0y3dRnLwy4stU8TTnWOmbp/d Gnyyh9GeTqCyNoVKXon5AYKUPTqGF4RI1AzEJSVUP9dla4XCRLNq9XRp9L6yE2ig mYKIByOOo2fgiAf+/bqF+IofrB59rB750T2o/dmRnrI9T/G0gJ4LqrtEaiAIaKRF DiEhTdFfq6iWWinhD5r/pFjGgBVRmKw8I06ej6I0wfZMJvAzjdsVuTADp7MXMZ+a WuehEF5hVwS/mm/shxVOMyoM5EqwZqsEejJNZkSv2a1BqbEFxH0quiu7yR5a/83g 41Q5tr7icGzb5nHcJ37v6REfy/rN4VepubrWafzA11ewUU3EKi8bmfy3ZRGZ/gtY ThGqBsbhUyDHVgrepmXBpkHhex3XF0Ww5GZQJtiFw8OTLd+wNW0pmmvMzHXez3I3 iy0kskU= -----END CERTIFICATE----- } } custom-config { custom-config-id service:VPNServer:vpnserver.key custom-command vpnserver.key config { -----BEGIN PRIVATE KEY----- MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDSiLKbMqw4ykXg a9sckl2aQiPfZKA7wsTyOnW71lQSYW6qrA+mLtk7Y9w9SALxNsiX0+8kb3/dt5qd bcHJ4hFJHOBn1rC3YoSa+MOvT/d3KXQBgUdJhNYcDDZBQqI+kiiDUHqc/fNmfPjZ x/Zj0lnS/Zqkm3WmFuw33gXdBaIxZXlm67OCQa+56Eq8AtahaElsCeHFnz7PUnbZ Y2V6pTR17s6jxpLzDS9/sLQS/kRfdxAlmLJFr2nImxP8+d7GvrXPYgYBMnHVhB0U uShGgPaYNRLkyOR6lOWZo2s03r4z/mMho8zEZBVJ4J1XhLkR5QV5uiJu5CSwZPBU Exr0c4r/AgMBAAECggEATaktMUC09NHwisNedSCstI13TB2DWegT3EKiUWLTamBU gVKtByE68sR4ZoacxzvtLMx555fVtATZXP8yv/TLaYvkX4l7cHo/7iabkJzP7T32 U+PLVxxQGtKKZPJehPRHS4ExaZ3n3kN1TGiNw+7BQapZFCVgdZ75DfaxdQFx/gQD 4htDr7SZL/jG1Sn08Cf7DRQ9U0rISecmm9nG9LV1LXMfnbdWTwvmm/z0a6wjDZ4n Byfd5jOOI4cpgetHhAQCH+ksComY0GBf21MOsfQT/NzfuW/KFGag992Yub8tBUFa AG+SlaNZBiLAPYfMegjCxR1jZeUCthlB2kdzYKcmyQKBgQD4lgbktGO/VKjnKnGD SR8oJT82HvkfB16M/pSlTNOTmAAbbY9yMNj/zKPJDOhxHLhFxmXqVnvs70Ye+pfT 3o3v0NkAfdIhzNzqbFlUA15QqELhrXHaTtpU3/nyw+/lQhoiEof9yj9vuGBy4iDf GdP1R8G7OWqJIDXwZd3s99XujQKBgQDY0CPvCe1j43wfG8MjI/bLeDWmxjGaLWJu IKbMepEbqcaz9x+25Ey3E35DYtfLjeAQ+qRc5T4Cj6L9iG/mS89/ShPGj91xyFzQ qoZf4lGB0/A80aTgmDiF4FxHFzWpXKaJPS1gTfWZ9Qs7r0LP8Uwni9dhO8LGPNAr 9Ky3jaHyuwKBgQDxml74yZpoyw+eHVJWFyuBCTJ2l4Po9HCg+I3gWtsICCOShNl2 UqOVen91WGZSCWfP6RQEvimUDrpIQaZu9U9eVc2S/LbOwx2zebsYPG3eVqsqTDjr xNfOxiFYIbd3Ste7ZedmcrtVCg4zmjP4olGvgx53qUYyIGxMSbV4KyhxwQKBgQCQ ba7SSLGrrdl8O5k1Knr3tb8/tp1KUFtWc0fJxQgu/lzQe5nT0qdL+Z9NsmWAQqV1 ihG9lDRHrnlsHNw19GBoMeeUiTeB2XACzOWwr+mN66oISbtkpeJZREkUTmC/zmld 2LQGiEhIY9U00B5YuSv62AwEyLOKLO6bqWT47U9piwKBgQDm2+ufGU+ZBr0qpyCf TiZFngJ1fGK0tyVrERm1y83vWzbqaW9nX5hJilqYDB3jpHARvbY56+jWVSm4ADwG dlqEpmPHBgDRYBkdLUl50TN5vINcXQCGlA0zOHAueAUESyL5nLnO7NsK/McSRDd5 XonR43XumudHzs3R6BwBTKv1gw== -----END PRIVATE KEY----- } } custom-config { custom-config-id service:VPNServer:vpnserver.sh custom-command vpnserver.sh config { #!/bin/sh # custom VPN Server Configuration for service (security.py) # -------- CUSTOMIZATION REQUIRED -------- # # The VPNServer service sets up the OpenVPN server for building VPN tunnels # that allow access via TUN/TAP device to private networks. # # note that the IPForward and DefaultRoute services should be enabled # directory containing the certificate and key described below, in addition to # a CA certificate and DH key certdir=$SESSION_DIR/certs keydir=$PWD # the name used for a "$keyname.pem" certificate and "$keyname.key" private key. keyname=vpnserver # the VPN subnet address from which the client VPN IP (for the TUN/TAP) # will be allocated vpnsubnet=10.0.200.0 # public IP address of this vpn server (same as VPNClient vpnserver= setting) vpnserver=10.0.1.10 # optional list of private subnets reachable behind this VPN server # each subnet and next hop is separated by a space # ", , ..." privatenets="10.0.6.0,10.0.1.10" # optional list of VPN clients, for statically assigning IP addresses to # clients; also, an optional client subnet can be specified for adding static # routes via the client # Note: VPN addresses x.x.x.0-3 are reserved # ",, ,, ..." #vpnclients="client1KeyFilename,10.0.200.5,10.0.0.0 client2KeyFilename,," vpnclients="" # NOTE: you may need to enable the StaticRoutes service on nodes within the # private subnet, in order to have routes back to the client. # /sbin/ip ro add /24 via # /sbin/ip ro add /24 via # -------- END CUSTOMIZATION -------- echo > $PWD/vpnserver.log rm -f -r $PWD/ccd # validate key and certification files check-key-file() { if [ ! -e $1 ]; then echo "ERROR: missing certification or key file: $1" >> $PWD/vpnserver.log fi } check-key-file $keydir/$keyname.key check-key-file $keydir/$keyname.pem check-key-file $certdir/ca-cert.pem check-key-file $certdir/dh2048.pem # validate configuration IP addresses checkip=0 if [ "$(dpkg -l | grep sipcalc)" = "" ]; then echo "WARNING: ip validation disabled because package sipcalc not installed\ " >> $PWD/vpnserver.log checkip=1 else if [ "$(sipcalc "$vpnsubnet" "$vpnserver" | grep ERR)" != "" ]; then echo "ERROR: invalid vpn subnet or server address \ $vpnsubnet or $vpnserver " >> $PWD/vpnserver.log fi fi # create client vpn ip pool file ( cat << EOF EOF )> $PWD/ippool.txt # create server.conf file ( cat << EOF # openvpn server config local $vpnserver server $vpnsubnet 255.255.255.0 push redirect-gateway def1 EOF )> $PWD/server.conf # add routes to VPN server private subnets, and push these routes to clients for privatenet in $privatenets; do if [ $privatenet != "" ]; then net=${privatenet%%,*} nexthop=${privatenet##*,} if [ $checkip = "0" ] && [ "$(sipcalc "$net" "$nexthop" | grep ERR)" != "" ]; then echo "ERROR: invalid vpn server private net address \ $net or $nexthop " >> $PWD/vpnserver.log fi echo push route $net 255.255.255.0 >> $PWD/server.conf fi done # allow subnet through this VPN, one route for each client subnet for client in $vpnclients; do if [ $client != "" ]; then cSubnetIP=${client##*,} cVpnIP=${client#*,} cVpnIP=${cVpnIP%%,*} cKeyFilename=${client%%,*} if [ "$cSubnetIP" != "" ]; then if [ $checkip = "0" ] && [ "$(sipcalc "$cSubnetIP" "$cVpnIP" | grep ERR)" != "" ]; then echo "ERROR: invalid vpn client and subnet address \ $cSubnetIP or $cVpnIP " >> $PWD/vpnserver.log fi echo route $cSubnetIP 255.255.255.0 >> $PWD/server.conf if ! test -d $PWD/ccd; then mkdir -p $PWD/ccd echo client-config-dir $PWD/ccd >> $PWD/server.conf fi if test -e $PWD/ccd/$cKeyFilename; then echo iroute $cSubnetIP 255.255.255.0 >> $PWD/ccd/$cKeyFilename else echo iroute $cSubnetIP 255.255.255.0 > $PWD/ccd/$cKeyFilename fi fi if [ "$cVpnIP" != "" ]; then echo $cKeyFilename,$cVpnIP >> $PWD/ippool.txt fi fi done ( cat << EOF keepalive 10 120 ca $certdir/ca-cert.pem cert $keydir/$keyname.pem key $keydir/$keyname.key dh $certdir/dh2048.pem cipher AES-256-CBC status /var/log/openvpn-status.log log /var/log/openvpn-server.log ifconfig-pool-linear ifconfig-pool-persist $PWD/ippool.txt port 1194 proto udp dev tun verb 4 daemon EOF )>> $PWD/server.conf # start vpn server openvpn --config server.conf } } custom-config { custom-config-id service:VPNServer custom-command VPNServer config { ('vpnserver.sh', 'vpnserver.key', 'vpnserver.pem', ) 50 ('bash vpnserver.sh', ) ('killall openvpn', ) ('pidof openvpn', ) } } services {IPForward DefaultRoute SSH VPNServer} } node n6 { type router model PC network-config { hostname vpnclient ! interface eth0 ip address 10.0.0.20/24 ipv6 address 2001:0::20/64 ! } canvas c1 iconcoords {120.0 133.0} labelcoords {120.0 165.0} interface-peer {eth0 n1} custom-config { custom-config-id service:VPNClient:vpnclient.key custom-command vpnclient.key config { -----BEGIN PRIVATE KEY----- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC6T+1XG/EQX8pj vGSq5QMS6G8sqozjDPInZz8hSukeJCueE9Ib/nbg9wXLST6fAVA/VsY4eGXZzQNB vl6BxVXjjj/UkY4R+RXchKjg85fq+I37uZnzUL3S2jIalswB4LsLSGusBbTTfe8v 0rMCPVUzojMSXhkOVJs1gzusmdNnqEg7TZ+W4Ov12jzACbRdGMA572sXvnXRPhdR BI4CSfrsPRueWPO317oLDCECMrxzza9y65UFS3oPFvf2s6oR7FlAIEq0Z1YUQayx LDH0kE1ZjhLxBmaqNO7hD0gCjYYX8XSHOpiq045N+OGmKcI3Th8ZsGkXKMMyQ1yN a1c2PuehAgMBAAECggEAVVqYmPesEJxR1C9SzxfruJXTmNrpgHtF1NdwDIiNE8nu UZUzBLAnNhj1BpSfo6iuYtYWKXi+8HEDtPLJyRnmp0Fb7L5iH8nFQilkVOpEBtmn 8lKtPNMYo6him9vJynJyPlEHQt+6X8mp8nbMm5INnoIIc7m4MOCB2poslH5EY4/j /WTohzXVdx3nhYAJ5v5uVi/i6jeNHfY+6sj6pBKDq82OrfxgjrtABRj3/K5UcVd0 UBsaqXXObHxSvJkHFOSxK+qhVivuT3svZZlaYaleRB1oDmMx3uRNvtxdkhVz5zZY zeEddu5/BQzHPpIwKR/HScpFes92fiQ639bJxIzGAQKBgQDtNoE7V2CVpvMVgTsX 3WsqjTZZOnH8jWfWrOMPgRWmDWSA7P7SNSL7dCIftqdMv3pPxCoYVzH7Skp18HGD 8EVRqrBUupfj7NXOWlG624qtlilWQsNwPkpjXWciQQapdAhEX+T+1/d5UrVR/mY9 gP4M6rnT87ShcPPi/Otvr/B6SQKBgQDJEWj0wR5GyCfDA0L8ez3OzAwkiWB3K+8b usc0Cs/+ZFOjQd4Qxahoo6lL8G17TaIcSvdrULaWsQ/oeJ40M2xzsdlwrrtr6ueL 7q/mqsJeGLIN0h0I0i6DTUYWwzTR5CXCox967FZV46FQ8Jof3c7fsXCNUajHzcUh zxqp+AdCmQKBgHeV5bqTxzZKrvtlZfQXBOKzw/VhuHs4kmOwTtvPGKnY0JUKZUB1 10fq+RUB0P+o/DFgVFRnCOSFRFqGt8NrCpcsNK7STqZyDCt2bwODkDsIm5hIGhzo 2jmTqd2j6Ibe3xgRO/GZ0MHSB2TpmoNhFzJN1xbaInLM7ba+CLcKfHI5AoGBAIaS b3O4uSHYnrwnt7KybXi2Gr5tb7HzJrKhfOf5AKKb1VqkIBOLpx55wzp/LVdka0aS aixaNgp/cU0/RWtcq453jzeayvf8nYKLexFgYnyF/M3BPguEWPsqQenENtrv3tH5 SX2FJnePxY0dq5n+Y5JV+SWsbNFliDYLniX6SimpAoGAR9ABECd9DMnhgi+WkhZs 55YBE8P8jFuSUASBIKVmke60nDn4oot0YD74kykb6TxasGXX5lC1vCje/olNBIGM y687YmrudDfXWxEUwlHMoec5wrHDGIGCnBRAlt4whDoCREH1H+fp/9BgAThcjv58 NyNDfW+vGpDlkbwFvyhc4pY= -----END PRIVATE KEY----- } } custom-config { custom-config-id service:VPNClient:vpnclient.pem custom-command vpnclient.pem config { Certificate: Data: Version: 3 (0x2) Serial Number: 2 (0x2) Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=WA, O=core-dev/emailAddress=root@localhost Validity Not Before: May 19 02:09:57 2015 GMT Not After : Apr 25 02:09:57 2115 GMT Subject: C=US, ST=WA, O=core-dev, CN=vpnclient/emailAddress=root@localhost Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:ba:4f:ed:57:1b:f1:10:5f:ca:63:bc:64:aa:e5: 03:12:e8:6f:2c:aa:8c:e3:0c:f2:27:67:3f:21:4a: e9:1e:24:2b:9e:13:d2:1b:fe:76:e0:f7:05:cb:49: 3e:9f:01:50:3f:56:c6:38:78:65:d9:cd:03:41:be: 5e:81:c5:55:e3:8e:3f:d4:91:8e:11:f9:15:dc:84: a8:e0:f3:97:ea:f8:8d:fb:b9:99:f3:50:bd:d2:da: 32:1a:96:cc:01:e0:bb:0b:48:6b:ac:05:b4:d3:7d: ef:2f:d2:b3:02:3d:55:33:a2:33:12:5e:19:0e:54: 9b:35:83:3b:ac:99:d3:67:a8:48:3b:4d:9f:96:e0: eb:f5:da:3c:c0:09:b4:5d:18:c0:39:ef:6b:17:be: 75:d1:3e:17:51:04:8e:02:49:fa:ec:3d:1b:9e:58: f3:b7:d7:ba:0b:0c:21:02:32:bc:73:cd:af:72:eb: 95:05:4b:7a:0f:16:f7:f6:b3:aa:11:ec:59:40:20: 4a:b4:67:56:14:41:ac:b1:2c:31:f4:90:4d:59:8e: 12:f1:06:66:aa:34:ee:e1:0f:48:02:8d:86:17:f1: 74:87:3a:98:aa:d3:8e:4d:f8:e1:a6:29:c2:37:4e: 1f:19:b0:69:17:28:c3:32:43:5c:8d:6b:57:36:3e: e7:a1 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Subject Key Identifier: 55:33:21:40:42:B6:63:7F:EA:A5:20:FA:18:21:C7:27:5B:6F:65:68 X509v3 Authority Key Identifier: keyid:DB:D2:9C:8D:22:D9:D7:E2:38:A0:8D:6C:3B:BE:33:CE:8D:2A:BE:C8 DirName:/C=US/ST=WA/O=core-dev/emailAddress=root@localhost serial:CE:78:96:91:DB:9B:84:FD Signature Algorithm: sha256WithRSAEncryption 33:e5:aa:b3:19:63:ce:24:c7:ee:2f:11:18:5b:7b:1d:6b:4c: 71:2d:0b:ea:6f:9b:5e:43:11:45:50:a6:00:fc:19:11:50:46: 6a:d8:1d:38:eb:9f:3a:81:09:6e:dc:ae:b3:df:71:85:e2:16: 7e:b8:bf:4c:ec:36:97:ae:58:a6:d9:d1:64:47:cf:8b:e8:0e: 8c:41:2e:c3:a7:32:ef:a0:90:c2:5c:e5:6f:aa:03:ca:15:7f: fb:ef:42:b1:22:28:47:fe:0a:df:58:b5:88:5b:a6:15:f8:13: 3f:7e:19:da:ec:3f:63:72:0b:e5:c6:94:9f:53:1c:99:60:48: 25:b5:b4:60:9a:4a:94:ab:68:be:5a:08:67:4c:c8:b5:7e:12: 32:2c:e9:e7:fb:d1:a2:40:a8:e6:68:0e:37:a1:48:99:17:b6: 40:f6:50:0a:f7:16:d1:90:e6:8a:3e:b0:c7:21:aa:9a:b9:79: 6a:69:5c:25:9b:4b:29:b7:0e:13:80:ea:e8:5c:6d:95:cd:5c: 69:de:20:69:d7:df:20:ec:6f:7b:9f:1d:61:c2:d1:59:6f:1e: 0a:45:01:f6:25:02:e5:be:fb:91:a9:82:08:c8:42:2a:3e:2c: 75:bb:4e:9c:0a:b6:07:24:52:e5:4f:f5:81:45:7b:77:ca:19: 38:56:7f:17:63:5e:1f:a4:be:03:7d:d3:48:fc:e9:43:5c:2b: b1:d5:da:44:c0:0c:56:23:4a:7d:bf:c0:ac:c6:9c:93:6d:69: 9a:b9:02:3e:aa:1b:27:3e:b1:c8:6a:39:96:09:1d:c0:08:c8: 1c:a4:82:ea:d2:72:e7:e1:47:66:7f:76:ac:d5:8c:99:59:02: 25:ee:ec:ad:76:65:0f:8a:ba:5f:a7:33:ef:8e:34:71:d2:f5: 3c:63:b0:c4:b2:65:c2:55:2d:35:d7:13:04:9c:87:d2:76:6b: af:37:ba:58:d2:63:e0:fb:9c:a4:3a:97:e4:e6:79:0f:ca:d4: 07:8c:39:80:4d:5e:d4:09:3a:09:1f:16:1a:58:c0:96:58:19: e8:f7:56:bc:bd:fd:23:f4:4b:93:eb:a4:f2:22:7d:7c:d2:f3: 6b:5a:13:24:a6:b8:1a:33:0c:fa:cd:77:36:12:c8:c6:ac:e9: 0f:29:1a:4f:c3:3c:92:53:8c:af:80:04:ac:9b:2a:73:af:a8: 0f:ef:7d:9f:5e:7c:52:d3:03:2e:19:6f:25:b0:f7:17:ef:c9: 37:b9:50:ad:60:b0:c7:d9:ba:8f:9e:93:27:ba:52:27:70:b8: ae:2b:9a:f7:33:2a:fd:a6:51:f5:e2:42:1a:e9:e6:08:5e:62: 75:e9:b2:1b:ca:ce:cd:d1 -----BEGIN CERTIFICATE----- MIIE1TCCAr2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBMMQswCQYDVQQGEwJVUzEL MAkGA1UECBMCV0ExETAPBgNVBAoTCGNvcmUtZGV2MR0wGwYJKoZIhvcNAQkBFg5y b290QGxvY2FsaG9zdDAgFw0xNTA1MTkwMjA5NTdaGA8yMTE1MDQyNTAyMDk1N1ow YDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMREwDwYDVQQKEwhjb3JlLWRldjES MBAGA1UEAxMJdnBuY2xpZW50MR0wGwYJKoZIhvcNAQkBFg5yb290QGxvY2FsaG9z dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALpP7Vcb8RBfymO8ZKrl AxLobyyqjOMM8idnPyFK6R4kK54T0hv+duD3BctJPp8BUD9Wxjh4ZdnNA0G+XoHF VeOOP9SRjhH5FdyEqODzl+r4jfu5mfNQvdLaMhqWzAHguwtIa6wFtNN97y/SswI9 VTOiMxJeGQ5UmzWDO6yZ02eoSDtNn5bg6/XaPMAJtF0YwDnvaxe+ddE+F1EEjgJJ +uw9G55Y87fXugsMIQIyvHPNr3LrlQVLeg8W9/azqhHsWUAgSrRnVhRBrLEsMfSQ TVmOEvEGZqo07uEPSAKNhhfxdIc6mKrTjk344aYpwjdOHxmwaRcowzJDXI1rVzY+ 56ECAwEAAaOBqzCBqDAJBgNVHRMEAjAAMB0GA1UdDgQWBBRVMyFAQrZjf+qlIPoY IccnW29laDB8BgNVHSMEdTBzgBTb0pyNItnX4jigjWw7vjPOjSq+yKFQpE4wTDEL MAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMREwDwYDVQQKEwhjb3JlLWRldjEdMBsG CSqGSIb3DQEJARYOcm9vdEBsb2NhbGhvc3SCCQDOeJaR25uE/TANBgkqhkiG9w0B AQsFAAOCAgEAM+WqsxljziTH7i8RGFt7HWtMcS0L6m+bXkMRRVCmAPwZEVBGatgd OOufOoEJbtyus99xheIWfri/TOw2l65YptnRZEfPi+gOjEEuw6cy76CQwlzlb6oD yhV/++9CsSIoR/4K31i1iFumFfgTP34Z2uw/Y3IL5caUn1McmWBIJbW0YJpKlKto vloIZ0zItX4SMizp5/vRokCo5mgON6FImRe2QPZQCvcW0ZDmij6wxyGqmrl5amlc JZtLKbcOE4Dq6Fxtlc1cad4gadffIOxve58dYcLRWW8eCkUB9iUC5b77kamCCMhC Kj4sdbtOnAq2ByRS5U/1gUV7d8oZOFZ/F2NeH6S+A33TSPzpQ1wrsdXaRMAMViNK fb/ArMack21pmrkCPqobJz6xyGo5lgkdwAjIHKSC6tJy5+FHZn92rNWMmVkCJe7s rXZlD4q6X6cz7440cdL1PGOwxLJlwlUtNdcTBJyH0nZrrze6WNJj4PucpDqX5OZ5 D8rUB4w5gE1e1Ak6CR8WGljAllgZ6PdWvL39I/RLk+uk8iJ9fNLza1oTJKa4GjMM +s13NhLIxqzpDykaT8M8klOMr4AErJsqc6+oD+99n158UtMDLhlvJbD3F+/JN7lQ rWCwx9m6j56TJ7pSJ3C4riua9zMq/aZR9eJCGunmCF5idemyG8rOzdE= -----END CERTIFICATE----- } } custom-config { custom-config-id service:VPNClient:vpnclient.sh custom-command vpnclient.sh config { #!/bin/sh # custom VPN Client configuration for service (security.py) # -------- CUSTOMIZATION REQUIRED -------- # # The VPNClient service builds a VPN tunnel to the specified VPN server using # OpenVPN software and a virtual TUN/TAP device. # directory containing the certificate and key described below certdir=$SESSION_DIR/certs keydir=$PWD # the name used for a "$keyname.pem" certificate and "$keyname.key" private key. keyname=vpnclient # the public IP address of the VPN server this client should connect with vpnserver="10.0.1.10" # optional next hop for adding a static route to reach the VPN server nexthop="" # --------- END CUSTOMIZATION -------- # validate addresses if [ "$(dpkg -l | grep sipcalc)" = "" ]; then echo "WARNING: ip validation disabled because package sipcalc not installed " > $PWD/vpnclient.log else if [ "$(sipcalc "$vpnserver" "$nexthop" | grep ERR)" != "" ]; then echo "ERROR: invalide address $vpnserver or $nexthop \ " > $PWD/vpnclient.log fi fi # validate key and certification files check-key-file() { if [ ! -e $1 ]; then echo "ERROR: missing certification or key file: $1" >> $PWD/vpnserver.log fi } check-key-file $keydir/$keyname.key check-key-file $keydir/$keyname.pem check-key-file $certdir/ca-cert.pem check-key-file $certdir/dh2048.pem # if necessary, add a static route for reaching the VPN server IP via the IF vpnservernet=${vpnserver%.*}.0/24 if [ "$nexthop" != "" ]; then /sbin/ip route add $vpnservernet via $nexthop fi # create openvpn client.conf ( cat << EOF client dev tun proto udp remote $vpnserver 1194 nobind ca $certdir/ca-cert.pem cert $keydir/$keyname.pem key $keydir/$keyname.key dh $certdir/dh2048.pem cipher AES-256-CBC log /var/log/openvpn-client.log verb 4 daemon EOF ) > client.conf openvpn --config client.conf } } custom-config { custom-config-id service:VPNClient custom-command VPNClient config { ('vpnclient.sh', 'vpnclient.pem', 'vpnclient.key', ) 60 ('bash vpnclient.sh', ) ('killall openvpn', ) ('pidof openvpn', ) } } services {DefaultRoute VPNClient} } node n7 { type lanswitch network-config { hostname n7 ! } canvas c1 iconcoords {824.0 458.0} labelcoords {824.0 482.0} interface-peer {e0 n5} interface-peer {e1 n8} interface-peer {e2 n9} interface-peer {e3 n10} } node n8 { type router model PC network-config { hostname n8 ! interface eth0 ip address 10.0.6.20/24 ipv6 address 2001:6::20/64 ! } canvas c1 iconcoords {801.0 264.0} labelcoords {801.0 296.0} interface-peer {eth0 n7} } node n9 { type router model PC network-config { hostname n9 ! interface eth0 ip address 10.0.6.21/24 ipv6 address 2001:6::21/64 ! } canvas c1 iconcoords {885.0 305.0} labelcoords {885.0 337.0} interface-peer {eth0 n7} } node n10 { type router model PC network-config { hostname n10 ! interface eth0 ip address 10.0.6.22/24 ipv6 address 2001:6::22/64 ! } canvas c1 iconcoords {954.0 353.0} labelcoords {954.0 385.0} interface-peer {eth0 n7} } link l1 { nodes {n6 n1} bandwidth 0 } link l2 { nodes {n4 n5} bandwidth 0 } link l3 { nodes {n1 n2} bandwidth 0 } link l4 { nodes {n3 n4} bandwidth 0 } link l5 { nodes {n3 n1} bandwidth 0 } link l6 { nodes {n4 n2} bandwidth 0 } link l7 { nodes {n5 n7} bandwidth 0 } link l8 { nodes {n8 n7} bandwidth 0 } link l9 { nodes {n9 n7} bandwidth 0 } link l10 { nodes {n10 n7} bandwidth 0 } annotation a1 { iconcoords {661.0 187.0 997.0 579.0} type rectangle label {private network} labelcolor black fontfamily {Arial} fontsize 12 color #e9e9fe width 0 border black rad 25 effects {bold} canvas c1 } canvas c1 { name {Canvas1} } hook 3:instantiation_hook.sh { #!/bin/sh # session hook script; write commands here to execute on the host at the # specified state CERT_DIR=$SESSION_DIR/certs mkdir $CERT_DIR cat > $CERT_DIR/dh2048.pem < $CERT_DIR/ca-cert.pem <