comments {
Sample scenario showing VPNClient and VPNServer service configuration.
This topology features an OpenVPN client and server for virtual private
networking. The client can access the private 10.0.6.0/24 network via the VPN
server. First wait until routing converges in the center routers (try using the
Adjacency Widget and wait for blue lines, meaning full adjacencies), then open
a shell on the vpnclient and try pinging the private address of the vpnserver:
vpnclient> ping 10.0.6.1
You can also access the other 10.0.6.* hosts behind the server. Try running
tcpudmp on one of the center routers, e.g. the n2 eth1/10.0.5.2 interface, and
you'll see UDP packets with TLS encrypted data instead of ICMP packets.
Keys are included as extra files in the VPNClient and VPNServer service
configuration.
}
node n1 {
type router
model router
network-config {
hostname n1
!
interface eth2
ip address 10.0.4.2/24
ipv6 address 2001:4::2/64
!
interface eth1
ip address 10.0.2.1/24
ipv6 address 2001:2::1/64
!
interface eth0
ip address 10.0.0.1/24
ipv6 address 2001:0::1/64
!
}
canvas c1
iconcoords {297.0 236.0}
labelcoords {297.0 264.0}
interface-peer {eth0 n6}
interface-peer {eth1 n2}
interface-peer {eth2 n3}
}
node n2 {
type router
model router
network-config {
hostname n2
!
interface eth1
ip address 10.0.5.2/24
ipv6 address 2001:5::2/64
!
interface eth0
ip address 10.0.2.2/24
ipv6 address 2001:2::2/64
!
}
canvas c1
iconcoords {298.0 432.0}
labelcoords {298.0 460.0}
interface-peer {eth0 n1}
interface-peer {eth1 n4}
}
node n3 {
type router
model router
network-config {
hostname n3
!
interface eth1
ip address 10.0.4.1/24
ipv6 address 2001:4::1/64
!
interface eth0
ip address 10.0.3.1/24
ipv6 address 2001:3::1/64
!
}
canvas c1
iconcoords {573.0 233.0}
labelcoords {573.0 261.0}
interface-peer {eth0 n4}
interface-peer {eth1 n1}
}
node n4 {
type router
model router
network-config {
hostname n4
!
interface eth2
ip address 10.0.5.1/24
ipv6 address 2001:5::1/64
!
interface eth1
ip address 10.0.3.2/24
ipv6 address 2001:3::2/64
!
interface eth0
ip address 10.0.1.1/24
ipv6 address 2001:1::1/64
!
}
canvas c1
iconcoords {574.0 429.0}
labelcoords {574.0 457.0}
interface-peer {eth0 n5}
interface-peer {eth1 n3}
interface-peer {eth2 n2}
}
node n5 {
type router
model host
network-config {
hostname vpnserver
!
interface eth1
ipv6 address 2001:6::10/64
ip address 10.0.6.1/24
!
interface eth0
ip address 10.0.1.10/24
ipv6 address 2001:1::10/64
!
}
canvas c1
iconcoords {726.0 511.0}
labelcoords {726.0 543.0}
interface-peer {eth0 n4}
interface-peer {eth1 n7}
custom-config {
custom-config-id service:VPNServer:copycerts.sh
custom-command copycerts.sh
config {
#!/bin/sh
FILES="vpnserver.pem vpnserver.key ca-cert.pem dh1024.pem"
mkdir -p /tmp/certs
for f in $FILES; do
cp $f /tmp/certs
done
}
}
custom-config {
custom-config-id service:VPNServer:dh1024.pem
custom-command dh1024.pem
config {
-----BEGIN DH PARAMETERS-----
MIGHAoGBAIYQUzZ+2aYWFfdRWRL/Tc8bFqK8ve/0ihW1BPhe0z3b5D5+2/r9HAsG
u7oMkyM2oWp5N1DlzKgTizCRPRno5vgTz01kw4h6Y9ux496+huOHJGZXiCZlkZvM
daP8CC8z1naCC9MZLImQTkb1d1sH9BDRZAyfQYiXVYrHdqtNtqQjAgEC
-----END DH PARAMETERS-----
}
}
custom-config {
custom-config-id service:VPNServer:ca-cert.pem
custom-command ca-cert.pem
config {
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
df:69:1f:ef:e5:af:bf:0f
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=WA, O=core-dev, CN=CORE CA/emailAddress=root@localhost
Validity
Not Before: Mar 20 16:16:08 2012 GMT
Not After : Mar 20 16:16:08 2015 GMT
Subject: C=US, ST=WA, O=core-dev, CN=CORE CA/emailAddress=root@localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:c4:d7:fc:c3:bc:a0:ee:76:7b:58:5c:96:6d:1f:
74:26:c2:93:c1:a4:94:95:13:5e:4f:8b:3f:00:27:
e5:1b:b1:3b:70:3e:72:71:4d:c9:67:54:33:29:49:
1e:de:a6:91:d9:00:ec:84:b8:64:f8:06:51:82:f4:
84:9b:a2:fe:16:34:5c:e1:2f:3d:ad:34:b9:8e:ad:
8e:ea:8a:e9:40:56:5b:f5:09:2c:bf:a0:08:db:81:
7f:fb:d8:b9:6c:a6:be:4c:1f:b1:4e:b3:b0:8d:8d:
e4:04:8e:f8:8e:e9:c7:aa:e7:4a:b4:87:89:a7:25:
72:38:74:bb:e5:b6:7f:86:7b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
98:0E:C7:0A:74:5D:FB:56:5B:B7:91:80:2A:3A:D4:89:AD:6C:B9:51
X509v3 Authority Key Identifier:
keyid:98:0E:C7:0A:74:5D:FB:56:5B:B7:91:80:2A:3A:D4:89:AD:6C:B9:51
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
39:7e:99:fd:40:44:0a:20:4c:3c:9a:bf:01:aa:94:c8:76:bb:
80:53:4f:cd:28:2f:5b:7f:0b:52:09:14:cb:ac:ee:74:7f:17:
4b:79:21:db:e1:a3:9b:e5:b1:72:83:f7:88:02:20:d6:23:33:
e4:ff:50:58:c6:88:e0:22:d7:2b:96:b3:dd:31:1a:80:52:0d:
61:4f:47:72:63:39:1e:7f:a1:ad:f0:2b:82:53:05:ca:3d:0a:
8f:3c:72:58:74:57:ae:8b:66:16:d9:a4:50:99:bc:d3:a7:c5:
54:63:f0:87:cd:06:1a:d4:61:ed:d3:b8:33:5d:5a:d6:a4:f0:
a4:96
-----BEGIN CERTIFICATE-----
MIICijCCAfOgAwIBAgIJAN9pH+/lr78PMA0GCSqGSIb3DQEBBQUAMF4xCzAJBgNV
BAYTAlVTMQswCQYDVQQIDAJXQTERMA8GA1UECgwIY29yZS1kZXYxEDAOBgNVBAMM
B0NPUkUgQ0ExHTAbBgkqhkiG9w0BCQEWDnJvb3RAbG9jYWxob3N0MB4XDTEyMDMy
MDE2MTYwOFoXDTE1MDMyMDE2MTYwOFowXjELMAkGA1UEBhMCVVMxCzAJBgNVBAgM
AldBMREwDwYDVQQKDAhjb3JlLWRldjEQMA4GA1UEAwwHQ09SRSBDQTEdMBsGCSqG
SIb3DQEJARYOcm9vdEBsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
AoGBAMTX/MO8oO52e1hclm0fdCbCk8GklJUTXk+LPwAn5RuxO3A+cnFNyWdUMylJ
Ht6mkdkA7IS4ZPgGUYL0hJui/hY0XOEvPa00uY6tjuqK6UBWW/UJLL+gCNuBf/vY
uWymvkwfsU6zsI2N5ASO+I7px6rnSrSHiaclcjh0u+W2f4Z7AgMBAAGjUDBOMB0G
A1UdDgQWBBSYDscKdF37Vlu3kYAqOtSJrWy5UTAfBgNVHSMEGDAWgBSYDscKdF37
Vlu3kYAqOtSJrWy5UTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBADl+
mf1ARAogTDyavwGqlMh2u4BTT80oL1t/C1IJFMus7nR/F0t5Idvho5vlsXKD94gC
INYjM+T/UFjGiOAi1yuWs90xGoBSDWFPR3JjOR5/oa3wK4JTBco9Co88clh0V66L
ZhbZpFCZvNOnxVRj8IfNBhrUYe3TuDNdWtak8KSW
-----END CERTIFICATE-----
}
}
custom-config {
custom-config-id service:VPNServer:vpnserver.pem
custom-command vpnserver.pem
config {
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
df:69:1f:ef:e5:af:bf:14
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=WA, O=core-dev, CN=CORE CA/emailAddress=root@localhost
Validity
Not Before: Apr 12 15:09:45 2012 GMT
Not After : Apr 10 15:09:45 2022 GMT
Subject: C=US, ST=WA, O=core-dev, CN=vpnserver
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:af:da:e2:fb:f7:e1:ca:97:bb:94:1b:8f:f7:70:
2f:c5:dc:71:22:b6:d2:f3:8b:fc:3a:d1:ef:65:60:
21:0f:e5:49:ed:71:45:1c:e9:f7:b9:f7:00:74:05:
a3:ab:63:05:5c:be:23:fd:18:c6:b7:17:52:21:3a:
86:5f:68:07:a6:1b:2f:fc:df:ce:ac:45:55:cd:2a:
d4:8a:66:d1:46:99:e4:b2:57:49:53:df:d0:c0:1e:
0f:84:6f:52:8d:2c:6e:4b:cb:f7:7e:c4:27:51:72:
cd:db:68:54:fd:4d:c4:42:1a:27:be:9f:03:03:d8:
ff:11:58:46:2f:58:13:2c:37
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
56:F2:E8:73:73:76:FD:14:13:1C:1A:AB:F2:8F:30:D4:91:7D:83:62
X509v3 Authority Key Identifier:
keyid:98:0E:C7:0A:74:5D:FB:56:5B:B7:91:80:2A:3A:D4:89:AD:6C:B9:51
Signature Algorithm: sha1WithRSAEncryption
29:62:f5:4a:40:ce:65:e0:73:ff:d1:80:ca:89:a3:29:4e:d8:
63:52:f0:76:21:b7:83:49:a4:fa:54:f7:0d:58:eb:af:fb:59:
61:63:02:57:de:4d:c1:8d:f1:de:d6:00:40:53:12:25:3c:9b:
48:9a:a7:3b:95:5d:67:83:11:b2:b2:ef:c2:71:95:23:e5:42:
88:09:ac:95:c9:cf:e8:5c:d8:14:9e:d8:4f:6f:af:10:4f:f5:
19:a2:71:f3:96:5f:1b:19:53:e9:16:4d:4e:be:e5:8a:83:57:
0a:93:7a:a4:53:05:1a:64:bf:25:69:fc:3c:3b:9b:aa:43:f4:
1d:fc
-----BEGIN CERTIFICATE-----
MIICmDCCAgGgAwIBAgIJAN9pH+/lr78UMA0GCSqGSIb3DQEBBQUAMF4xCzAJBgNV
BAYTAlVTMQswCQYDVQQIDAJXQTERMA8GA1UECgwIY29yZS1kZXYxEDAOBgNVBAMM
B0NPUkUgQ0ExHTAbBgkqhkiG9w0BCQEWDnJvb3RAbG9jYWxob3N0MB4XDTEyMDQx
MjE1MDk0NVoXDTIyMDQxMDE1MDk0NVowQTELMAkGA1UEBhMCVVMxCzAJBgNVBAgM
AldBMREwDwYDVQQKDAhjb3JlLWRldjESMBAGA1UEAwwJdnBuc2VydmVyMIGfMA0G
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv2uL79+HKl7uUG4/3cC/F3HEittLzi/w6
0e9lYCEP5UntcUUc6fe59wB0BaOrYwVcviP9GMa3F1IhOoZfaAemGy/8386sRVXN
KtSKZtFGmeSyV0lT39DAHg+Eb1KNLG5Ly/d+xCdRcs3baFT9TcRCGie+nwMD2P8R
WEYvWBMsNwIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVu
U1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUVvLoc3N2/RQTHBqr
8o8w1JF9g2IwHwYDVR0jBBgwFoAUmA7HCnRd+1Zbt5GAKjrUia1suVEwDQYJKoZI
hvcNAQEFBQADgYEAKWL1SkDOZeBz/9GAyomjKU7YY1LwdiG3g0mk+lT3DVjrr/tZ
YWMCV95NwY3x3tYAQFMSJTybSJqnO5VdZ4MRsrLvwnGVI+VCiAmslcnP6FzYFJ7Y
T2+vEE/1GaJx85ZfGxlT6RZNTr7lioNXCpN6pFMFGmS/JWn8PDubqkP0Hfw=
-----END CERTIFICATE-----
}
}
custom-config {
custom-config-id service:VPNServer:vpnserver.key
custom-command vpnserver.key
config {
-----BEGIN PRIVATE KEY-----
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAK/a4vv34cqXu5Qb
j/dwL8XccSK20vOL/DrR72VgIQ/lSe1xRRzp97n3AHQFo6tjBVy+I/0YxrcXUiE6
hl9oB6YbL/zfzqxFVc0q1Ipm0UaZ5LJXSVPf0MAeD4RvUo0sbkvL937EJ1Fyzdto
VP1NxEIaJ76fAwPY/xFYRi9YEyw3AgMBAAECgYBcUveOP5KsUULqvBm2V5DNOTGw
fvl7Ycf3fZZIy9IvzTolzazyRCeJ25LCVt+ZsC/1g+HTE/nnz/ePeHFpj21LuVWJ
uWsV9qmdO0K5WxfXM4M08df+EVRrOh4rmgnHZp7jBW6srwGSSJxsvRAe0cRlZcCW
JsgJcyLJfZk0ypsSgQJBAOTtkUfJvqdU0CslBSmDY6skxjneS6kLQGvrELHRTZgd
K31E5WDYJgkpVGhWur19kUYIj7Fs3/Z1Q0KC0bRWokECQQDEpp52u4ilaP9nJsMm
5l/JVEO5gIzbqStVTmU64wLgx3mapL6P8Sa1gbJMlc5NMyayjRP0PoN0cvz+V9t4
3cB3AkEAxhLHINXtn9pCQxJE5SZJlkq7OFaeICUcGEPKrg/qkzKp7jkuPhzGzCZ2
YdCowkti5rWBnoIVRakwCNwnlWFgAQJAEhyWc7EKANIO091KFAcbw1szcZ5ZWtHV
3+F8iVPnK/SzSn7p3jADtKvhVBRoD8wqQD+mGtS3Hr6IdpR47kTeOQJBAJhd4vi6
LxbQZlS009DamuSrqgwsmTcfylu58bhFN4YkWCw8CPk3iKJXH6beomDvYEIQl8C5
jWe+PqSX6XcwnTk=
-----END PRIVATE KEY-----
}
}
custom-config {
custom-config-id service:VPNServer:vpnserver.sh
custom-command vpnserver.sh
config {
#!/bin/sh
# custom VPN Server Configuration for service (security.py)
# -------- CUSTOMIZATION REQUIRED --------
#
# The VPNServer service sets up the OpenVPN server for building VPN tunnels
# that allow access via TUN/TAP device to private networks.
#
# note that the IPForward and DefaultRoute services should be enabled
# directory containing the certificate and key described below, in addition to
# a CA certificate and DH key
keydir=/tmp/certs
# the name used for a "$keyname.pem" certificate and "$keyname.key" private key.
keyname=vpnserver
# the VPN subnet address from which the client VPN IP (for the TUN/TAP)
# will be allocated
vpnsubnet=10.0.200.0
# public IP address of this vpn server (same as VPNClient vpnserver= setting)
vpnserver=10.0.1.10
# optional list of private subnets reachable behind this VPN server
# each subnet and next hop is separated by a space
# "<subnet1>,<nexthop1> <subnet2>,<nexthop2> ..."
privatenets="10.0.6.0,10.0.1.10"
# optional list of VPN clients, for statically assigning IP addresses to
# clients; also, an optional client subnet can be specified for adding static
# routes via the client
# Note: VPN addresses x.x.x.0-3 are reserved
# "<keyname>,<vpnIP>,<subnetIP> <keyname>,<vpnIP>,<subnetIP> ..."
#vpnclients="client1KeyFilename,10.0.200.5,10.0.0.0 client2KeyFilename,,"
vpnclients=""
# NOTE: you may need to enable the StaticRoutes service on nodes within the
# private subnet, in order to have routes back to the client.
# /sbin/ip ro add <vpnsubnet>/24 via <vpnServerRemoteInterface>
# /sbin/ip ro add <vpnClientSubnet>/24 via <vpnServerRemoteInterface>
# -------- END CUSTOMIZATION --------
echo > $PWD/vpnserver.log
rm -f -r $PWD/ccd
# validate key and certification files
if [ ! -e $keydir\/$keyname.key ] || [ ! -e $keydir\/$keyname.pem ] \
|| [ ! -e $keydir\/ca-cert.pem ] || [ ! -e $keydir\/dh1024.pem ]; then
echo "ERROR: missing certification or key files under $keydir \
$keyname.key or $keyname.pem or ca-cert.pem or dh1024.pem" >> $PWD/vpnserver.log
fi
# validate configuration IP addresses
checkip=0
if [ "$(dpkg -l | grep " sipcalc ")" = "" ]; then
echo "WARNING: ip validation disabled because package sipcalc not installed\
" >> $PWD/vpnserver.log
checkip=1
else
if [ "$(sipcalc "$vpnsubnet" "$vpnserver" | grep ERR)" != "" ]; then
echo "ERROR: invalid vpn subnet or server address \
$vpnsubnet or $vpnserver " >> $PWD/vpnserver.log
fi
fi
# create client vpn ip pool file
(
cat << EOF
EOF
)> $PWD/ippool.txt
# create server.conf file
(
cat << EOF
# openvpn server config
local $vpnserver
server $vpnsubnet 255.255.255.0
push redirect-gateway def1
EOF
)> $PWD/server.conf
# add routes to VPN server private subnets, and push these routes to clients
for privatenet in $privatenets; do
if [ $privatenet != "" ]; then
net=${privatenet%%,*}
nexthop=${privatenet##*,}
if [ $checkip = "0" ] &&
[ "$(sipcalc "$net" "$nexthop" | grep ERR)" != "" ]; then
echo "ERROR: invalid vpn server private net address \
$net or $nexthop " >> $PWD/vpnserver.log
fi
echo push route $net 255.255.255.0 >> $PWD/server.conf
/sbin/ip ro add $net/24 via $nexthop
/sbin/ip ro add $vpnsubnet/24 via $nexthop
fi
done
# allow subnet through this VPN, one route for each client subnet
for client in $vpnclients; do
if [ $client != "" ]; then
cSubnetIP=${client##*,}
cVpnIP=${client#*,}
cVpnIP=${cVpnIP%%,*}
cKeyFilename=${client%%,*}
if [ "$cSubnetIP" != "" ]; then
if [ $checkip = "0" ] &&
[ "$(sipcalc "$cSubnetIP" "$cVpnIP" | grep ERR)" != "" ]; then
echo "ERROR: invalid vpn client and subnet address \
$cSubnetIP or $cVpnIP " >> $PWD/vpnserver.log
fi
echo route $cSubnetIP 255.255.255.0 >> $PWD/server.conf
if ! test -d $PWD/ccd; then
mkdir -p $PWD/ccd
echo client-config-dir $PWD/ccd >> $PWD/server.conf
fi
if test -e $PWD/ccd/$cKeyFilename; then
echo iroute $cSubnetIP 255.255.255.0 >> $PWD/ccd/$cKeyFilename
else
echo iroute $cSubnetIP 255.255.255.0 > $PWD/ccd/$cKeyFilename
fi
fi
if [ "$cVpnIP" != "" ]; then
echo $cKeyFilename,$cVpnIP >> $PWD/ippool.txt
fi
fi
done
(
cat << EOF
keepalive 10 120
ca $keydir/ca-cert.pem
cert $keydir/$keyname.pem
key $keydir/$keyname.key
dh $keydir/dh1024.pem
cipher AES-256-CBC
status /var/log/openvpn-status.log
log /var/log/openvpn-server.log
ifconfig-pool-linear
ifconfig-pool-persist $PWD/ippool.txt
port 1194
proto udp
dev tun
verb 4
daemon
EOF
)>> $PWD/server.conf
# start vpn server
openvpn --config server.conf
}
}
custom-config {
custom-config-id service:VPNServer
custom-command VPNServer
config {
('vpnserver.sh', 'vpnserver.key', 'vpnserver.pem', 'ca-cert.pem', 'dh1024.pem', 'copycerts.sh', )
50
('sh copycerts.sh', 'sh vpnserver.sh', )
('killall openvpn', )
('pidof openvpn', )
}
}
services {IPForward DefaultRoute SSH VPNServer}
}
node n6 {
type router
model PC
network-config {
hostname vpnclient
!
interface eth0
ip address 10.0.0.20/24
ipv6 address 2001:0::20/64
!
}
canvas c1
iconcoords {120.0 133.0}
labelcoords {120.0 165.0}
interface-peer {eth0 n1}
custom-config {
custom-config-id service:VPNClient:vpnclient.key
custom-command vpnclient.key
config {
-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAM49tCuXw4Wjt8iY
84nU+fdOCw5M9RXXDfwHOxd1ILSP4KDLB7FfqVo9/DZOMlqNHYBeeF0WXLnr+zda
kKQUWpWHJQGQ4qHIJ+xCsBRCVbTPsRngeQMCCQw5ekW7NZKpKj6ANWkIm4dhiuTr
ZshR5Q6idNFG/b/ksNQsARK8vlJlAgMBAAECgYEAoKeKMKcAxJpasGUM2OJRcWaW
0CX8iG3EU/2h90zjFCQ7m6VsMaxN9KDyVa8mJElmoLd2VTT1OFLtlxnyMA423Hro
0tlKGErCH2yWMnrcjO30w7pmWSONn0yU/iAbzYAsmLNwYKCPAX2tJ9FZKsfVhctd
MEDMf/skhYL6CFe4XwECQQD1pV7C9lj0vsno22WoVg8n6/7OZu/ZBtCXoAQKAo14
bUqknK+SDMgqnexDQjarkQFrq4yxrPmp3Mv4a6M9vKglAkEA1u8i+1m4VMAARe9N
3qiFA0hk9v3Nm7f/ZVrkddoZNChV8CQW9y3Caltrlrjj0ugTAaWKdOhOcWeRcDo9
EMrNQQJAbXwpgkf+Wgd3QrwW0TKaSrbauPAUUuzAp/QAGN4OY/CCZmAXuMbNqID+
vvOSHmHg+jZZ3Q81r8njd3OyLGAbqQJAURqn3qT6c7CH6dvlTHHWz2hQAQvAvFPw
IbTspLQJ8q6NzzIvIFK6HBwnOxbFkV5VXbezyW2nvA9SyECRrnZ4gQJAfV2In/xB
qxyrHHInJPtwzsKjfgw9787ulXeDa+gYQrmwfrqYvPo6NtfJ9i2ahl8tr3LIFWIH
NavHWA5NKc4GVw==
-----END PRIVATE KEY-----
}
}
custom-config {
custom-config-id service:VPNClient:vpnclient.pem
custom-command vpnclient.pem
config {
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
df:69:1f:ef:e5:af:bf:13
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=WA, O=core-dev, CN=CORE CA/emailAddress=root@localhost
Validity
Not Before: Apr 12 15:09:01 2012 GMT
Not After : Apr 10 15:09:01 2022 GMT
Subject: C=US, ST=WA, O=core-dev, CN=vpnclient
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:ce:3d:b4:2b:97:c3:85:a3:b7:c8:98:f3:89:d4:
f9:f7:4e:0b:0e:4c:f5:15:d7:0d:fc:07:3b:17:75:
20:b4:8f:e0:a0:cb:07:b1:5f:a9:5a:3d:fc:36:4e:
32:5a:8d:1d:80:5e:78:5d:16:5c:b9:eb:fb:37:5a:
90:a4:14:5a:95:87:25:01:90:e2:a1:c8:27:ec:42:
b0:14:42:55:b4:cf:b1:19:e0:79:03:02:09:0c:39:
7a:45:bb:35:92:a9:2a:3e:80:35:69:08:9b:87:61:
8a:e4:eb:66:c8:51:e5:0e:a2:74:d1:46:fd:bf:e4:
b0:d4:2c:01:12:bc:be:52:65
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A0:59:F2:02:46:86:A3:2A:BD:C0:33:DA:31:71:1F:78:88:16:43:CE
X509v3 Authority Key Identifier:
keyid:98:0E:C7:0A:74:5D:FB:56:5B:B7:91:80:2A:3A:D4:89:AD:6C:B9:51
Signature Algorithm: sha1WithRSAEncryption
0a:39:71:f3:9f:50:68:f9:de:3e:47:eb:73:6b:4e:d8:6c:ff:
d5:38:0a:a0:8f:52:8f:cb:7e:6f:95:62:b6:04:2f:1d:3f:42:
32:26:38:c5:89:ea:ef:fc:27:ab:f0:81:39:e2:58:d6:fd:f8:
3e:f8:db:22:ce:39:dd:13:49:6a:7b:eb:90:8a:cc:bc:7d:87:
c5:d4:25:5f:f5:9a:0a:8f:1e:28:86:50:46:e2:fd:4e:ff:5d:
b8:0e:48:2d:bd:0f:38:b4:85:0f:4e:05:c6:60:cf:5a:d9:d0:
5c:32:ed:70:3c:72:28:fd:75:c5:38:d5:52:cb:57:f9:4b:86:
0a:74
-----BEGIN CERTIFICATE-----
MIICmDCCAgGgAwIBAgIJAN9pH+/lr78TMA0GCSqGSIb3DQEBBQUAMF4xCzAJBgNV
BAYTAlVTMQswCQYDVQQIDAJXQTERMA8GA1UECgwIY29yZS1kZXYxEDAOBgNVBAMM
B0NPUkUgQ0ExHTAbBgkqhkiG9w0BCQEWDnJvb3RAbG9jYWxob3N0MB4XDTEyMDQx
MjE1MDkwMVoXDTIyMDQxMDE1MDkwMVowQTELMAkGA1UEBhMCVVMxCzAJBgNVBAgM
AldBMREwDwYDVQQKDAhjb3JlLWRldjESMBAGA1UEAwwJdnBuY2xpZW50MIGfMA0G
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOPbQrl8OFo7fImPOJ1Pn3TgsOTPUV1w38
BzsXdSC0j+CgywexX6laPfw2TjJajR2AXnhdFly56/s3WpCkFFqVhyUBkOKhyCfs
QrAUQlW0z7EZ4HkDAgkMOXpFuzWSqSo+gDVpCJuHYYrk62bIUeUOonTRRv2/5LDU
LAESvL5SZQIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVu
U1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUoFnyAkaGoyq9wDPa
MXEfeIgWQ84wHwYDVR0jBBgwFoAUmA7HCnRd+1Zbt5GAKjrUia1suVEwDQYJKoZI
hvcNAQEFBQADgYEACjlx859QaPnePkfrc2tO2Gz/1TgKoI9Sj8t+b5VitgQvHT9C
MiY4xYnq7/wnq/CBOeJY1v34PvjbIs453RNJanvrkIrMvH2HxdQlX/WaCo8eKIZQ
RuL9Tv9duA5ILb0POLSFD04FxmDPWtnQXDLtcDxyKP11xTjVUstX+UuGCnQ=
-----END CERTIFICATE-----
}
}
custom-config {
custom-config-id service:VPNClient:copycerts.sh
custom-command copycerts.sh
config {
#!/bin/sh
FILES="vpnclient.pem vpnclient.key"
mkdir -p /tmp/certs
for f in $FILES; do
cp $f /tmp/certs
done
}
}
custom-config {
custom-config-id service:VPNClient:vpnclient.sh
custom-command vpnclient.sh
config {
#!/bin/sh
# custom VPN Client configuration for service (security.py)
# -------- CUSTOMIZATION REQUIRED --------
#
# The VPNClient service builds a VPN tunnel to the specified VPN server using
# OpenVPN software and a virtual TUN/TAP device.
# directory containing the certificate and key described below
keydir=/tmp/certs
# the name used for a "$keyname.pem" certificate and "$keyname.key" private key.
keyname=vpnclient
# the public IP address of the VPN server this client should connect with
vpnserver="10.0.1.10"
# optional next hop for adding a static route to reach the VPN server
nexthop=""
# --------- END CUSTOMIZATION --------
# validate addresses
if [ "$(dpkg -l | grep " sipcalc ")" = "" ]; then
echo "WARNING: ip validation disabled because package sipcalc not installed
" > $PWD/vpnclient.log
else
if [ "$(sipcalc "$vpnserver" "$nexthop" | grep ERR)" != "" ]; then
echo "ERROR: invalide address $vpnserver or $nexthop \
" > $PWD/vpnclient.log
fi
fi
# validate key and certification files
if [ ! -e $keydir\/$keyname.key ] || [ ! -e $keydir\/$keyname.pem ] \
|| [ ! -e $keydir\/ca-cert.pem ] || [ ! -e $keydir\/dh1024.pem ]; then
echo "ERROR: missing certification or key files under $keydir \
$keyname.key or $keyname.pem or ca-cert.pem or dh1024.pem" >> $PWD/vpnclient.log
fi
# if necessary, add a static route for reaching the VPN server IP via the IF
vpnservernet=${vpnserver%.*}.0/24
if [ "$nexthop" != "" ]; then
/sbin/ip route add $vpnservernet via $nexthop
fi
# create openvpn client.conf
(
cat << EOF
client
dev tun
proto udp
remote $vpnserver 1194
nobind
ca $keydir/ca-cert.pem
cert $keydir/$keyname.pem
key $keydir/$keyname.key
dh $keydir/dh1024.pem
cipher AES-256-CBC
log /var/log/openvpn-client.log
verb 4
daemon
EOF
) > client.conf
openvpn --config client.conf
}
}
custom-config {
custom-config-id service:VPNClient
custom-command VPNClient
config {
('vpnclient.sh', 'copycerts.sh', 'vpnclient.pem', 'vpnclient.key', )
60
('sh copycerts.sh', 'sh vpnclient.sh', )
('killall openvpn', )
('pidof openvpn', )
}
}
services {DefaultRoute VPNClient}
}
node n7 {
type lanswitch
network-config {
hostname n7
!
}
canvas c1
iconcoords {824.0 458.0}
labelcoords {824.0 482.0}
interface-peer {e0 n5}
interface-peer {e1 n8}
interface-peer {e2 n9}
interface-peer {e3 n10}
}
node n8 {
type router
model PC
network-config {
hostname n8
!
interface eth0
ip address 10.0.6.20/24
ipv6 address 2001:6::20/64
!
}
canvas c1
iconcoords {801.0 264.0}
labelcoords {801.0 296.0}
interface-peer {eth0 n7}
}
node n9 {
type router
model PC
network-config {
hostname n9
!
interface eth0
ip address 10.0.6.21/24
ipv6 address 2001:6::21/64
!
}
canvas c1
iconcoords {885.0 305.0}
labelcoords {885.0 337.0}
interface-peer {eth0 n7}
}
node n10 {
type router
model PC
network-config {
hostname n10
!
interface eth0
ip address 10.0.6.22/24
ipv6 address 2001:6::22/64
!
}
canvas c1
iconcoords {954.0 353.0}
labelcoords {954.0 385.0}
interface-peer {eth0 n7}
}
link l1 {
nodes {n6 n1}
bandwidth 0
}
link l2 {
nodes {n4 n5}
bandwidth 0
}
link l3 {
nodes {n1 n2}
bandwidth 0
}
link l4 {
nodes {n3 n4}
bandwidth 0
}
link l5 {
nodes {n3 n1}
bandwidth 0
}
link l6 {
nodes {n4 n2}
bandwidth 0
}
link l7 {
nodes {n5 n7}
bandwidth 0
}
link l8 {
nodes {n8 n7}
bandwidth 0
}
link l9 {
nodes {n9 n7}
bandwidth 0
}
link l10 {
nodes {n10 n7}
bandwidth 0
}
annotation a1 {
iconcoords {661.0 187.0 997.0 579.0}
type rectangle
label {private network}
labelcolor black
fontfamily {Arial}
fontsize 12
color #e9e9fe
width 0
border black
rad 25
effects {bold}
canvas c1
}
canvas c1 {
name {Canvas1}
}
option global {
interface_names no
ip_addresses yes
ipv6_addresses no
node_labels yes
link_labels yes
ipsec_configs yes
exec_errors yes
show_api no
background_images no
annotations yes
grid yes
traffic_start 0
}