From abcd7026efd8cbeb1c4db828788eda9a6dd2be41 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sat, 18 Apr 2020 12:01:44 +0200 Subject: vpn: l2tp: pptp: sstp: rename files to common pattern --- interface-definitions/vpn-l2tp.xml.in | 562 ---------------------------------- interface-definitions/vpn-pptp.xml.in | 254 --------------- interface-definitions/vpn-sstp.xml.in | 410 ------------------------- interface-definitions/vpn_l2tp.xml.in | 562 ++++++++++++++++++++++++++++++++++ interface-definitions/vpn_pptp.xml.in | 254 +++++++++++++++ interface-definitions/vpn_sstp.xml.in | 410 +++++++++++++++++++++++++ src/conf_mode/vpn-pptp.py | 257 ---------------- src/conf_mode/vpn_pptp.py | 257 ++++++++++++++++ 8 files changed, 1483 insertions(+), 1483 deletions(-) delete mode 100644 interface-definitions/vpn-l2tp.xml.in delete mode 100644 interface-definitions/vpn-pptp.xml.in delete mode 100644 interface-definitions/vpn-sstp.xml.in create mode 100644 interface-definitions/vpn_l2tp.xml.in create mode 100644 interface-definitions/vpn_pptp.xml.in create mode 100644 interface-definitions/vpn_sstp.xml.in delete mode 100755 src/conf_mode/vpn-pptp.py create mode 100755 src/conf_mode/vpn_pptp.py diff --git a/interface-definitions/vpn-l2tp.xml.in b/interface-definitions/vpn-l2tp.xml.in deleted file mode 100644 index d4286a810..000000000 --- a/interface-definitions/vpn-l2tp.xml.in +++ /dev/null 
@@ -1,562 +0,0 @@ - - - - - - - L2TP Virtual Private Network (VPN) - - - - - Remote access L2TP VPN - - - - - Maximum Transmission Unit (MTU) - - - - - - - - External IP address to which VPN clients will connect - - - - - - - - Gatway address uses as client tunnel termination point - - - - - - - - Domain Name Server (DNS) propagated to client - - ipv4 - Domain Name Server (DNS) IPv4 address - - - ipv6 - Domain Name Server (DNS) IPv6 address - - - - - - - - - - - L2TP Network Server (LNS) - - - - - Tunnel password used to authenticate the client (LAC) - - - - - - - Disable Compression Control Protocol (CCP) - - - - - - Internet Protocol Security (IPsec) for remote access L2TP VPN - - - - - IPsec authentication settings - - - - - Authentication mode for IPsec - - pre-shared-secret - Use pre-shared secret for IPsec authentication - - - x509 - Use X.509 certificate for IPsec authentication - - - (pre-shared-secret|x509) - - - pre-shared-secret x509 - - - - - - Pre-shared secret for IPsec - - - - - X.509 certificate - - - - - File containing the X.509 certificate for the Certificate Authority (CA) - - <text> - File in /config/auth - - - - - - File containing the X.509 Certificate Revocation List (CRL) - - <text> - File in /config/auth - - - - - - File containing the X.509 certificate for the remote access VPN server (this host) - - <text> - File in /config/auth - - - - - - File containing the private key for the X.509 certificate for the remote access VPN server (this host) - - <text> - File in /config/auth - - - - - - Password that protects the private key - - - - - - - - - IKE lifetime - - <30-86400> - IKE lifetime in seconds (default 3600) - - - - - - - - - ESP lifetime - - <30-86400> - IKE lifetime in seconds (default 3600) - - - - - - - - - - - Windows Internet Name Service (WINS) servers propagated to client - - ipv4 - Domain Name Server (DNS) IPv4 address - - - - - - - - - - Pool of client IP addresses (must be within a /24) - - - - - First IP address in the pool 
(will be used as gateway address) - - - - - - - - Last IP address in the pool - - - - - - - - Client IP subnet (CIDR notation) - - - - Not a valid CIDR formatted prefix - - ipv4net - IPv4 subnet address - - - - - - - - - Pool of client IPv6 addresses - - - - - Pool of addresses used to assign to clients - - ipv6net - IPv6 address and prefix length - - - - - - - - - Prefix length used for individual client - - <48-128> - Client prefix length (default: 64) - - - - - - - - - - - Subnet used to delegate prefix through DHCPv6-PD (RFC3633) - - ipv6net - IPv6 address and prefix length - - - - - - - - - Prefix length delegated to client - - <32-64> - Delegated prefix length - - - - - - - - - - - - - Description for L2TP remote-access settings - - - - - DHCP interface to listen on - - - - - PPP idle timeout - - <30-86400> - PPP idle timeout in seconds (default 1800) - - - - - - - - - Authentication for remote access L2TP VPN - - - - - Authentication protocol for remote access peer L2TP VPN - - pap - Require the peer to authenticate itself using PAP [Password Authentication Protocol]. - - - chap - Require the peer to authenticate itself using CHAP [Challenge Handshake Authentication Protocol]. - - - mschap - Require the peer to authenticate itself using CHAP [Challenge Handshake Authentication Protocol]. - - - mschap-v2 - Require the peer to authenticate itself using MS-CHAPv2 [Microsoft Challenge Handshake Authentication Protocol, Version 2]. - - - (pap|chap|mschap|mschap-v2) - - - pap chap mschap mschap-v2 - - - - - - - Specifies mppe negotioation preference. 
(default require mppe 128-bit stateless - - deny - deny mppe - - - prefer - Ask client for mppe, if it rejects do not fail - - - require - ask client for mppe, if it rejects drop connection - - - (deny|prefer|require) - - - deny prefer require - - - - - - Authentication mode for remote access L2TP VPN - - local - Use local username/password configuration - - - radius - Use a RADIUS server to autenticate users - - - (local|radius) - - - local radius - - - - - - Local user authentication for remote access L2TP VPN - - - - - User name for authentication - - - - - Option to disable a L2TP Server user - - - - - - Password for authentication - - - - - Static client IP address - - - - - Upload/Download speed limits - - - - - Upload bandwidth limit in kbits/sec - - - - - - - - Download bandwidth limit in kbits/sec - - - - - - - - - - - - #include - - - - - - - Mark server unavailable for <n> seconds on failure - - 0-600 - Fail time penalty - - - - - Fail time must be between 0 and 600 seconds - - - - - - - Timeout to wait response from server (seconds) - - - - - Timeout to wait reply for Interim-Update packets. (default 3 seconds) - - - - - Maximum number of tries to send Access-Request/Accounting-Request queries - - - - - Value to send to RADIUS server in NAS-Identifier attribute and to be matched in DM/CoA requests. - - - - - IPv4 address and port to bind Dynamic Authorization Extension server (DM/CoA) - - - - - IP address for Dynamic Authorization Extension server (DM/CoA) - - - - - Port for Dynamic Authorization Extension server (DM/CoA) - - - - - Secret for Dynamic Authorization Extension server (DM/CoA) - - - - - - - Upload/Download speed limits - - - - - Specifies which radius attribute contains rate information. (default is Filter-Id) - - - - - Specifies the vendor dictionary. 
(dictionary needs to be in /usr/share/accel-ppp/radius) - - - - - Enables Bandwidth shaping via RADIUS - - - - - - - - - - - - Advanced protocol options - - - - - LCP echo-requests/sec - - - - - - - - Maximum number of Echo-Requests may be sent without valid reply - - - - - - - - - - - - - - diff --git a/interface-definitions/vpn-pptp.xml.in b/interface-definitions/vpn-pptp.xml.in deleted file mode 100644 index 9636c3b39..000000000 --- a/interface-definitions/vpn-pptp.xml.in +++ /dev/null 
@@ -1,254 +0,0 @@ - - - - - - - Point to Point Tunneling Protocol (PPTP) Virtual Private Network (VPN) - - - - - Remote access PPTP VPN - - - - - Maximum Transmission Unit (MTU) - - - - - - - - External IP address to which VPN clients will connect - - - - - - - - IPv4 Domain Name Service (DNS) server - - - - - Primary DNS server - - ipv4 - IPv4 address - - - - - - - - - Secondary DNS server - - ipv4 - IPv4 address - - - - - - - - - - - Windows Internet Name Service (WINS) server settings - - - - - Primary WINS server - - - - - - - - Secondary WINS server - - - - - - - - - - Pool of client IP addresses (must be within a /24) - - - - - First IP address in the pool (will be used as gateway address) - - - - - - - - Last IP address in the pool - - - - - - - - - - Gatway address uses as client tunnel termination point - - - - - - - - Authentication for remote access PPTP VPN - - - - - Authentication protocol for remote access peer PPTP VPN - - pap - Require the peer to authenticate itself using PAP [Password Authentication Protocol]. - - - chap - Require the peer to authenticate itself using CHAP [Challenge Handshake Authentication Protocol]. - - - mschap - Require the peer to authenticate itself using CHAP [Challenge Handshake Authentication Protocol]. - - - mschap-v2 - Require the peer to authenticate itself using MS-CHAPv2 [Microsoft Challenge Handshake Authentication Protocol, Version 2]. - - - - - - Specifies mppe negotioation preference. 
(default require mppe 128-bit stateless - - deny - deny mppe - - - prefer - ask client for mppe, if it rejects do not fail - - - require - ask client for mppe, if it rejects drop connection - - - (deny|prefer|require) - - - deny prefer require - - - - - - Authentication mode for remote access PPTP VPN - - local - Use local username/password configuration - - - radius - Use a RADIUS server to autenticate users - - - (local|radius) - - - local radius - - - - - - Local user authentication for remote access PPTP VPN - - - - - User name for authentication - - - - - Option to disable a PPTP Server user - - - - - Password for authentication - - - - - Static client IP address - - - - - - - - - RADIUS specific configuration - - - - - IP address of radius server - - ipv4 - IP address of RADIUS server - - - - - - Key for accessing the specified server - - - - - Maximum number of simultaneous requests to server (default: unlimited) - - - - - If server does not responds mark it as unavailable for this time (seconds) - - - - - - - - - - - - - - - diff --git a/interface-definitions/vpn-sstp.xml.in b/interface-definitions/vpn-sstp.xml.in deleted file mode 100644 index b026417b3..000000000 --- a/interface-definitions/vpn-sstp.xml.in +++ /dev/null 
@@ -1,410 +0,0 @@ - - - - - - - Secure Socket Tunneling Protocol (SSTP) server - 901 - - - - - Authentication for remote access SSTP Server - - - - - Local user authentication for SSTP server - - - - - User name for authentication - - - - - Option to disable a SSTP Server user - - - - - - Password for authentication - - - - - Static client IP address - - - - - Upload/Download speed limits - - - - - Upload bandwidth limit in kbits/sec - - - - - - - - Download bandwidth limit in kbits/sec - - - - - - - - - - - - - - Authentication mode for SSTP Server - - local - Use local username/password configuration - - - radius - Use a RADIUS server to autenticate users - - - (local|radius) - - - local radius - - - - - - Authentication protocol for remote access peer SSTP VPN - - pap chap mschap mschap-v2 - - - pap - Authentication via PAP (Password Authentication Protocol) - - - chap - Authentication via CHAP (Challenge Handshake Authentication Protocol) - - - mschap - Authentication via MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) - - - mschap-v2 - Authentication via MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol, version 2) - - - (pap|chap|mschap|mschap-v2) - - - - - #include - - - - - - - Mark server unavailable for <n> seconds on failure - - 0-600 - Fail time penalty - - - - - Fail time must be between 0 and 600 seconds - - - - - - - Timeout in seconds to wait response from RADIUS server - - 1-60 - Timeout in seconds - - - - - Timeout must be between 1 and 60 seconds - - - - - Timeout for Interim-Update packets, terminate session afterwards (default 3 seconds) - - 0-60 - Timeout in seconds, 0 to keep active - - - - - Timeout must be between 0 and 60 seconds - - - - - Number of tries to send Access-Request/Accounting-Request queries - - 1-20 - Maximum tries - - - - - Maximum tries must be between 1 and 20 - - - - - NAS-Identifier attribute sent to RADIUS - - - - - NAS-IP-Address attribute sent to RADIUS - - - - - ipv4 - NAS-IP-Address 
attribute - - - - - - Dynamic Authorization Extension/Change of Authorization server - - - - - IP address for Dynamic Authorization Extension server (DM/CoA) - - - - - ipv4 - IPv4 address for aynamic authorization server - - - - - - Port for Dynamic Authorization Extension server (DM/CoA) - - number - TCP port - - - - - - - - - Shared secret for Dynamic Authorization Extension server - - - - - - - Upload/Download speed limits - - - - - Specifies RADIUS attribute containing rate information (default 'Filter-Id') - - - - - Specifies vendor dictionary (needs to be in /usr/share/accel-ppp/radius) - - - - - Enable RADIUS bandwidth shaping - - - - - - - - - - - - SSL Certificate, SSL Key and CA (/config/user-data/sstp) - - - - - Certificate Authority certificate - - file - File in /config/auth directory - - - - - - - - - Server Certificate - - - - - - - - - - - Privat Key of the Server Certificate - - file - File in /config/auth directory - - - - - - - - - - - Network settings - - - - - Client IP pools and gateway setting - - - - - Client IP subnet (CIDR notation) - - ipv4net - IPv4 address and prefix length - - - - - Not a valid CIDR formatted prefix - - - - - - Gateway IP address - - - - invalid IPv4 address - - ipv4 - Default Gateway send to the client - - - - - - - - DNS servers propagated to clients - - ipv4 - IPv4 address - - - - - - - - #include - - - - - PPP (Point-to-Point Protocol) settings - - - - - Specifies mppe negotiation preferences - - require prefer deny - - - (^require|prefer|deny) - - - require - send mppe request, if client rejects, drop the connection - - - prefer - send mppe request, if client rejects continue - - - deny - drop all mppe - - - - - - LCP echo-requests/sec - - - - - - - - Maximum number of Echo-Requests may be sent without valid reply - - - - - - - - Timeout in seconds to wait for any peer activity. If this option specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" is not used. - - - - - - - - - - - - 
diff --git a/interface-definitions/vpn_l2tp.xml.in b/interface-definitions/vpn_l2tp.xml.in new file mode 100644 index 000000000..d4286a810 --- /dev/null +++ b/interface-definitions/vpn_l2tp.xml.in 
@@ -0,0 +1,562 @@ + + + + + + + L2TP Virtual Private Network (VPN) + + + + + Remote access L2TP VPN + + + + + Maximum Transmission Unit (MTU) + + + + + + + + External IP address to which VPN clients will connect + + + + + + + + Gatway address uses as client tunnel termination point + + + + + + + + Domain Name Server (DNS) propagated to client + + ipv4 + Domain Name Server (DNS) IPv4 address + + + ipv6 + Domain Name Server (DNS) IPv6 address + + + + + + + + + + + L2TP Network Server (LNS) + + + + + Tunnel password used to authenticate the client (LAC) + + + + + + + Disable Compression Control Protocol (CCP) + + + + + + Internet Protocol Security (IPsec) for remote access L2TP VPN + + + + + IPsec authentication settings + + + + + Authentication mode for IPsec + + pre-shared-secret + Use pre-shared secret for IPsec authentication + + + x509 + Use X.509 certificate for IPsec authentication + + + (pre-shared-secret|x509) + + + pre-shared-secret x509 + + + + + + Pre-shared secret for IPsec + + + + + X.509 certificate + + + + + File containing the X.509 certificate for the Certificate Authority (CA) + + <text> + File in /config/auth + + + + + + File containing the X.509 Certificate Revocation List (CRL) + + <text> + File in /config/auth + + + + + + File containing the X.509 certificate for the remote access VPN server (this host) + + <text> + File in /config/auth + + + + + + File containing the private key for the X.509 certificate for the remote access VPN server (this host) + + <text> + File in /config/auth + + + + + + Password that protects the private key + + + + + + + + + IKE lifetime + + <30-86400> + IKE lifetime in seconds (default 3600) + + + + + + + + + ESP lifetime + + <30-86400> + IKE lifetime in seconds (default 3600) + + + + + + + + + + + Windows Internet Name Service (WINS) servers propagated to client + + ipv4 + Domain Name Server (DNS) IPv4 address + + + + + + + + + + Pool of client IP addresses (must be within a /24) + + + + + First IP address in the pool 
(will be used as gateway address) + + + + + + + + Last IP address in the pool + + + + + + + + Client IP subnet (CIDR notation) + + + + Not a valid CIDR formatted prefix + + ipv4net + IPv4 subnet address + + + + + + + + + Pool of client IPv6 addresses + + + + + Pool of addresses used to assign to clients + + ipv6net + IPv6 address and prefix length + + + + + + + + + Prefix length used for individual client + + <48-128> + Client prefix length (default: 64) + + + + + + + + + + + Subnet used to delegate prefix through DHCPv6-PD (RFC3633) + + ipv6net + IPv6 address and prefix length + + + + + + + + + Prefix length delegated to client + + <32-64> + Delegated prefix length + + + + + + + + + + + + + Description for L2TP remote-access settings + + + + + DHCP interface to listen on + + + + + PPP idle timeout + + <30-86400> + PPP idle timeout in seconds (default 1800) + + + + + + + + + Authentication for remote access L2TP VPN + + + + + Authentication protocol for remote access peer L2TP VPN + + pap + Require the peer to authenticate itself using PAP [Password Authentication Protocol]. + + + chap + Require the peer to authenticate itself using CHAP [Challenge Handshake Authentication Protocol]. + + + mschap + Require the peer to authenticate itself using CHAP [Challenge Handshake Authentication Protocol]. + + + mschap-v2 + Require the peer to authenticate itself using MS-CHAPv2 [Microsoft Challenge Handshake Authentication Protocol, Version 2]. + + + (pap|chap|mschap|mschap-v2) + + + pap chap mschap mschap-v2 + + + + + + + Specifies mppe negotioation preference. 
(default require mppe 128-bit stateless + + deny + deny mppe + + + prefer + Ask client for mppe, if it rejects do not fail + + + require + ask client for mppe, if it rejects drop connection + + + (deny|prefer|require) + + + deny prefer require + + + + + + Authentication mode for remote access L2TP VPN + + local + Use local username/password configuration + + + radius + Use a RADIUS server to autenticate users + + + (local|radius) + + + local radius + + + + + + Local user authentication for remote access L2TP VPN + + + + + User name for authentication + + + + + Option to disable a L2TP Server user + + + + + + Password for authentication + + + + + Static client IP address + + + + + Upload/Download speed limits + + + + + Upload bandwidth limit in kbits/sec + + + + + + + + Download bandwidth limit in kbits/sec + + + + + + + + + + + + #include + + + + + + + Mark server unavailable for <n> seconds on failure + + 0-600 + Fail time penalty + + + + + Fail time must be between 0 and 600 seconds + + + + + + + Timeout to wait response from server (seconds) + + + + + Timeout to wait reply for Interim-Update packets. (default 3 seconds) + + + + + Maximum number of tries to send Access-Request/Accounting-Request queries + + + + + Value to send to RADIUS server in NAS-Identifier attribute and to be matched in DM/CoA requests. + + + + + IPv4 address and port to bind Dynamic Authorization Extension server (DM/CoA) + + + + + IP address for Dynamic Authorization Extension server (DM/CoA) + + + + + Port for Dynamic Authorization Extension server (DM/CoA) + + + + + Secret for Dynamic Authorization Extension server (DM/CoA) + + + + + + + Upload/Download speed limits + + + + + Specifies which radius attribute contains rate information. (default is Filter-Id) + + + + + Specifies the vendor dictionary. 
(dictionary needs to be in /usr/share/accel-ppp/radius) + + + + + Enables Bandwidth shaping via RADIUS + + + + + + + + + + + + Advanced protocol options + + + + + LCP echo-requests/sec + + + + + + + + Maximum number of Echo-Requests may be sent without valid reply + + + + + + + + + + + + + + diff --git a/interface-definitions/vpn_pptp.xml.in b/interface-definitions/vpn_pptp.xml.in new file mode 100644 index 000000000..5d8ead2aa --- /dev/null +++ b/interface-definitions/vpn_pptp.xml.in 
@@ -0,0 +1,254 @@ + + + + + + + Point to Point Tunneling Protocol (PPTP) Virtual Private Network (VPN) + + + + + Remote access PPTP VPN + + + + + Maximum Transmission Unit (MTU) + + + + + + + + External IP address to which VPN clients will connect + + + + + + + + IPv4 Domain Name Service (DNS) server + + + + + Primary DNS server + + ipv4 + IPv4 address + + + + + + + + + Secondary DNS server + + ipv4 + IPv4 address + + + + + + + + + + + Windows Internet Name Service (WINS) server settings + + + + + Primary WINS server + + + + + + + + Secondary WINS server + + + + + + + + + + Pool of client IP addresses (must be within a /24) + + + + + First IP address in the pool (will be used as gateway address) + + + + + + + + Last IP address in the pool + + + + + + + + + + Gatway address uses as client tunnel termination point + + + + + + + + Authentication for remote access PPTP VPN + + + + + Authentication protocol for remote access peer PPTP VPN + + pap + Require the peer to authenticate itself using PAP [Password Authentication Protocol]. + + + chap + Require the peer to authenticate itself using CHAP [Challenge Handshake Authentication Protocol]. + + + mschap + Require the peer to authenticate itself using CHAP [Challenge Handshake Authentication Protocol]. + + + mschap-v2 + Require the peer to authenticate itself using MS-CHAPv2 [Microsoft Challenge Handshake Authentication Protocol, Version 2]. + + + + + + Specifies mppe negotioation preference. 
(default require mppe 128-bit stateless + + deny + deny mppe + + + prefer + ask client for mppe, if it rejects do not fail + + + require + ask client for mppe, if it rejects drop connection + + + (deny|prefer|require) + + + deny prefer require + + + + + + Authentication mode for remote access PPTP VPN + + local + Use local username/password configuration + + + radius + Use a RADIUS server to autenticate users + + + (local|radius) + + + local radius + + + + + + Local user authentication for remote access PPTP VPN + + + + + User name for authentication + + + + + Option to disable a PPTP Server user + + + + + Password for authentication + + + + + Static client IP address + + + + + + + + + RADIUS specific configuration + + + + + IP address of radius server + + ipv4 + IP address of RADIUS server + + + + + + Key for accessing the specified server + + + + + Maximum number of simultaneous requests to server (default: unlimited) + + + + + If server does not responds mark it as unavailable for this time (seconds) + + + + + + + + + + + + + + + diff --git a/interface-definitions/vpn_sstp.xml.in b/interface-definitions/vpn_sstp.xml.in new file mode 100644 index 000000000..b026417b3 --- /dev/null +++ b/interface-definitions/vpn_sstp.xml.in 
@@ -0,0 +1,410 @@ + + + + + + + Secure Socket Tunneling Protocol (SSTP) server + 901 + + + + + Authentication for remote access SSTP Server + + + + + Local user authentication for SSTP server + + + + + User name for authentication + + + + + Option to disable a SSTP Server user + + + + + + Password for authentication + + + + + Static client IP address + + + + + Upload/Download speed limits + + + + + Upload bandwidth limit in kbits/sec + + + + + + + + Download bandwidth limit in kbits/sec + + + + + + + + + + + + + + Authentication mode for SSTP Server + + local + Use local username/password configuration + + + radius + Use a RADIUS server to autenticate users + + + (local|radius) + + + local radius + + + + + + Authentication protocol for remote access peer SSTP VPN + + pap chap mschap mschap-v2 + + + pap + Authentication via PAP (Password Authentication Protocol) + + + chap + Authentication via CHAP (Challenge Handshake Authentication Protocol) + + + mschap + Authentication via MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) + + + mschap-v2 + Authentication via MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol, version 2) + + + (pap|chap|mschap|mschap-v2) + + + + + #include + + + + + + + Mark server unavailable for <n> seconds on failure + + 0-600 + Fail time penalty + + + + + Fail time must be between 0 and 600 seconds + + + + + + + Timeout in seconds to wait response from RADIUS server + + 1-60 + Timeout in seconds + + + + + Timeout must be between 1 and 60 seconds + + + + + Timeout for Interim-Update packets, terminate session afterwards (default 3 seconds) + + 0-60 + Timeout in seconds, 0 to keep active + + + + + Timeout must be between 0 and 60 seconds + + + + + Number of tries to send Access-Request/Accounting-Request queries + + 1-20 + Maximum tries + + + + + Maximum tries must be between 1 and 20 + + + + + NAS-Identifier attribute sent to RADIUS + + + + + NAS-IP-Address attribute sent to RADIUS + + + + + ipv4 + NAS-IP-Address 
attribute + + + + + + Dynamic Authorization Extension/Change of Authorization server + + + + + IP address for Dynamic Authorization Extension server (DM/CoA) + + + + + ipv4 + IPv4 address for aynamic authorization server + + + + + + Port for Dynamic Authorization Extension server (DM/CoA) + + number + TCP port + + + + + + + + + Shared secret for Dynamic Authorization Extension server + + + + + + + Upload/Download speed limits + + + + + Specifies RADIUS attribute containing rate information (default 'Filter-Id') + + + + + Specifies vendor dictionary (needs to be in /usr/share/accel-ppp/radius) + + + + + Enable RADIUS bandwidth shaping + + + + + + + + + + + + SSL Certificate, SSL Key and CA (/config/user-data/sstp) + + + + + Certificate Authority certificate + + file + File in /config/auth directory + + + + + + + + + Server Certificate + + + + + + + + + + + Privat Key of the Server Certificate + + file + File in /config/auth directory + + + + + + + + + + + Network settings + + + + + Client IP pools and gateway setting + + + + + Client IP subnet (CIDR notation) + + ipv4net + IPv4 address and prefix length + + + + + Not a valid CIDR formatted prefix + + + + + + Gateway IP address + + + + invalid IPv4 address + + ipv4 + Default Gateway send to the client + + + + + + + + DNS servers propagated to clients + + ipv4 + IPv4 address + + + + + + + + #include + + + + + PPP (Point-to-Point Protocol) settings + + + + + Specifies mppe negotiation preferences + + require prefer deny + + + (^require|prefer|deny) + + + require + send mppe request, if client rejects, drop the connection + + + prefer + send mppe request, if client rejects continue + + + deny + drop all mppe + + + + + + LCP echo-requests/sec + + + + + + + + Maximum number of Echo-Requests may be sent without valid reply + + + + + + + + Timeout in seconds to wait for any peer activity. If this option specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" is not used. + + + + + + + + + + + + 
diff --git a/src/conf_mode/vpn-pptp.py b/src/conf_mode/vpn-pptp.py deleted file mode 100755 index 15b80f984..000000000 --- a/src/conf_mode/vpn-pptp.py +++ /dev/null 
@@ -1,257 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2018-2020 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os -import re - -from socket import socket, AF_INET, SOCK_STREAM -from sys import exit -from time import sleep - -from vyos.config import Config -from vyos import ConfigError -from vyos.util import run -from vyos.template import render - - -pidfile = r'/var/run/accel_pptp.pid' -pptp_cnf_dir = r'/etc/accel-ppp/pptp' -chap_secrets = pptp_cnf_dir + '/chap-secrets' -pptp_conf = pptp_cnf_dir + '/pptp.config' - -# config path creation -if not os.path.exists(pptp_cnf_dir): - os.makedirs(pptp_cnf_dir) - -def _chk_con(): - cnt = 0 - s = socket(AF_INET, SOCK_STREAM) - while True: - try: - s.connect(("127.0.0.1", 2003)) - break - except ConnectionRefusedError: - sleep(0.5) - cnt += 1 - if cnt == 100: - raise("failed to start pptp server") - break - - -def _accel_cmd(command): - return run('/usr/bin/accel-cmd -p 2003 {command}') - -### -# inline helper functions end -### - - -def get_config(): - c = Config() - if not c.exists(['vpn', 'pptp', 'remote-access']): - return None - - c.set_level(['vpn', 'pptp', 'remote-access']) - config_data = { - 'authentication': { - 'mode': 'local', - 'local-users': { - }, - 'radiussrv': {}, - 'auth_proto': 'auth_mschap_v2', - 'mppe': 'require' - }, - 'outside_addr': '', - 'dns': [], - 'wins': [], - 'client_ip_pool': '', - 'mtu': '1436', - } - - ### general options ### - - if 
c.exists(['dns-servers', 'server-1']): - config_data['dns'].append(c.return_value(['dns-servers', 'server-1'])) - if c.exists(['dns-servers', 'server-2']): - config_data['dns'].append(c.return_value(['dns-servers', 'server-2'])) - if c.exists(['wins-servers', 'server-1']): - config_data['wins'].append( - c.return_value(['wins-servers', 'server-1'])) - if c.exists(['wins-servers', 'server-2']): - config_data['wins'].append( - c.return_value(['wins-servers', 'server-2'])) - if c.exists(['outside-address']): - config_data['outside_addr'] = c.return_value(['outside-address']) - - # auth local - if c.exists(['authentication', 'mode', 'local']): - if c.exists(['authentication', 'local-users', 'username']): - for usr in c.list_nodes(['authentication', 'local-users', 'username']): - config_data['authentication']['local-users'].update( - { - usr: { - 'passwd': '', - 'state': 'enabled', - 'ip': '' - } - } - ) - - if c.exists(['authentication', 'local-users', 'username', usr, 'password']): - config_data['authentication']['local-users'][usr]['passwd'] = c.return_value( - ['authentication', 'local-users', 'username', usr, 'password']) - if c.exists(['authentication', 'local-users', 'username', usr, 'disable']): - config_data['authentication']['local-users'][usr]['state'] = 'disable' - if c.exists(['authentication', 'local-users', 'username', usr, 'static-ip']): - config_data['authentication']['local-users'][usr]['ip'] = c.return_value( - ['authentication', 'local-users', 'username', usr, 'static-ip']) - - # authentication mode radius servers and settings - - if c.exists(['authentication', 'mode', 'radius']): - config_data['authentication']['mode'] = 'radius' - rsrvs = c.list_nodes(['authentication', 'radius', 'server']) - for rsrv in rsrvs: - if not c.return_value(['authentication', 'radius', 'server', rsrv, 'fail-time']): - ftime = '0' - else: - ftime = c.return_value( - ['authentication', 'radius', 'server', rsrv, 'fail-time']) - if not c.return_value(['authentication', 
'radius-server', rsrv, 'req-limit']):
- reql = '0'
- else:
- reql = c.return_value(
- ['authentication', 'radius', 'server', rsrv, 'req-limit'])
-
- config_data['authentication']['radiussrv'].update(
- {
- rsrv: {
- 'secret': c.return_value(['authentication', 'radius', 'server', rsrv, 'key']),
- 'fail-time': ftime,
- 'req-limit': reql
- }
- }
- )
-
- if c.exists(['client-ip-pool']):
- if c.exists(['client-ip-pool', 'start']):
- config_data['client_ip_pool'] = c.return_value(
- ['client-ip-pool', 'start'])
- if c.exists(['client-ip-pool', 'stop']):
- config_data['client_ip_pool'] += '-' + \
- re.search(
- '[0-9]+$', c.return_value(['client-ip-pool', 'stop'])).group(0)
- if c.exists(['mtu']):
- config_data['mtu'] = c.return_value(['mtu'])
-
- # gateway address
- if c.exists(['gateway-address']):
- config_data['gw_ip'] = c.return_value(['gateway-address'])
- else:
- config_data['gw_ip'] = re.sub(
- '[0-9]+$', '1', config_data['client_ip_pool'])
-
- if c.exists(['authentication', 'require']):
- if c.return_value(['authentication', 'require']) == 'pap':
- config_data['authentication']['auth_proto'] = 'auth_pap'
- if c.return_value(['authentication', 'require']) == 'chap':
- config_data['authentication']['auth_proto'] = 'auth_chap_md5'
- if c.return_value(['authentication', 'require']) == 'mschap':
- config_data['authentication']['auth_proto'] = 'auth_mschap_v1'
- if c.return_value(['authentication', 'require']) == 'mschap-v2':
- config_data['authentication']['auth_proto'] = 'auth_mschap_v2'
-
- if c.exists(['authentication', 'mppe']):
- config_data['authentication']['mppe'] = c.return_value(
- ['authentication', 'mppe'])
-
- return config_data
-
-
-def verify(c):
- if c == None:
- return None
-
- if c['authentication']['mode'] == 'local':
- if not c['authentication']['local-users']:
- raise ConfigError(
- 'pptp-server authentication local-users required')
- for usr in c['authentication']['local-users']:
- if not c['authentication']['local-users'][usr]['passwd']:
- raise ConfigError('user ' + usr + ' requires a password')
-
- if c['authentication']['mode'] == 'radius':
- if len(c['authentication']['radiussrv']) == 0:
- raise ConfigError('radius server required')
- for rsrv in c['authentication']['radiussrv']:
- if c['authentication']['radiussrv'][rsrv]['secret'] == None:
- raise ConfigError('radius server ' + rsrv +
- ' needs a secret configured')
-
-
-def generate(c):
- if c == None:
- return None
-
- # accel-cmd reload doesn't work so any change results in a restart of the daemon
- try:
- if os.cpu_count() == 1:
- c['thread_cnt'] = 1
- else:
- c['thread_cnt'] = int(os.cpu_count()/2)
- except KeyError:
- if os.cpu_count() == 1:
- c['thread_cnt'] = 1
- else:
- c['thread_cnt'] = int(os.cpu_count()/2)
-
- render(pptp_conf, 'pptp/pptp.config.tmpl', c, trim_blocks=True)
-
- if c['authentication']['local-users']:
- old_umask = os.umask(0o077)
- render(chap_secrets, 'pptp/chap-secrets.tmpl', c, trim_blocks=True)
- os.umask(old_umask)
- # return c ??
- return c
-
-
-def apply(c):
- if c == None:
- if os.path.exists(pidfile):
- _accel_cmd('shutdown hard')
- if os.path.exists(pidfile):
- os.remove(pidfile)
- return None
-
- if not os.path.exists(pidfile):
- ret = run(f'/usr/sbin/accel-pppd -c {pptp_conf} -p {pidfile} -d')
- _chk_con()
- if ret != 0 and os.path.exists(pidfile):
- os.remove(pidfile)
- raise ConfigError('accel-pppd failed to start')
- else:
- # if gw ip changes, only restart doesn't work
- _accel_cmd('restart')
-
-if __name__ == '__main__':
- try:
- c = get_config()
- verify(c)
- generate(c)
- apply(c)
- except ConfigError as e:
- print(e)
- exit(1)
diff --git a/src/conf_mode/vpn_pptp.py b/src/conf_mode/vpn_pptp.py
new file mode 100755
index 000000000..15b80f984
--- /dev/null
+++ b/src/conf_mode/vpn_pptp.py
@@ -0,0 +1,257 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2018-2020 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+import os
+import re
+
+from socket import socket, AF_INET, SOCK_STREAM
+from sys import exit
+from time import sleep
+
+from vyos.config import Config
+from vyos import ConfigError
+from vyos.util import run
+from vyos.template import render
+
+
+pidfile = r'/var/run/accel_pptp.pid'
+pptp_cnf_dir = r'/etc/accel-ppp/pptp'
+chap_secrets = pptp_cnf_dir + '/chap-secrets'
+pptp_conf = pptp_cnf_dir + '/pptp.config'
+
+# config path creation
+if not os.path.exists(pptp_cnf_dir):
+ os.makedirs(pptp_cnf_dir)
+
+def _chk_con():
+ cnt = 0
+ s = socket(AF_INET, SOCK_STREAM)
+ while True:
+ try:
+ s.connect(("127.0.0.1", 2003))
+ break
+ except ConnectionRefusedError:
+ sleep(0.5)
+ cnt += 1
+ if cnt == 100:
+ raise("failed to start pptp server")
+ break
+
+
+def _accel_cmd(command):
+ return run('/usr/bin/accel-cmd -p 2003 {command}')
+
+###
+# inline helper functions end
+###
+
+
+def get_config():
+ c = Config()
+ if not c.exists(['vpn', 'pptp', 'remote-access']):
+ return None
+
+ c.set_level(['vpn', 'pptp', 'remote-access'])
+ config_data = {
+ 'authentication': {
+ 'mode': 'local',
+ 'local-users': {
+ },
+ 'radiussrv': {},
+ 'auth_proto': 'auth_mschap_v2',
+ 'mppe': 'require'
+ },
+ 'outside_addr': '',
+ 'dns': [],
+ 'wins': [],
+ 'client_ip_pool': '',
+ 'mtu': '1436',
+ }
+
+ ### general options ###
+
+ if c.exists(['dns-servers', 'server-1']):
+ config_data['dns'].append(c.return_value(['dns-servers', 'server-1']))
+ if c.exists(['dns-servers', 'server-2']):
+ config_data['dns'].append(c.return_value(['dns-servers', 'server-2']))
+ if c.exists(['wins-servers', 'server-1']):
+ config_data['wins'].append(
+ c.return_value(['wins-servers', 'server-1']))
+ if c.exists(['wins-servers', 'server-2']):
+ config_data['wins'].append(
+ c.return_value(['wins-servers', 'server-2']))
+ if c.exists(['outside-address']):
+ config_data['outside_addr'] = c.return_value(['outside-address'])
+
+ # auth local
+ if c.exists(['authentication', 'mode', 'local']):
+ if c.exists(['authentication', 'local-users', 'username']):
+ for usr in c.list_nodes(['authentication', 'local-users', 'username']):
+ config_data['authentication']['local-users'].update(
+ {
+ usr: {
+ 'passwd': '',
+ 'state': 'enabled',
+ 'ip': ''
+ }
+ }
+ )
+
+ if c.exists(['authentication', 'local-users', 'username', usr, 'password']):
+ config_data['authentication']['local-users'][usr]['passwd'] = c.return_value(
+ ['authentication', 'local-users', 'username', usr, 'password'])
+ if c.exists(['authentication', 'local-users', 'username', usr, 'disable']):
+ config_data['authentication']['local-users'][usr]['state'] = 'disable'
+ if c.exists(['authentication', 'local-users', 'username', usr, 'static-ip']):
+ config_data['authentication']['local-users'][usr]['ip'] = c.return_value(
+ ['authentication', 'local-users', 'username', usr, 'static-ip'])
+
+ # authentication mode radius servers and settings
+
+ if c.exists(['authentication', 'mode', 'radius']):
+ config_data['authentication']['mode'] = 'radius'
+ rsrvs = c.list_nodes(['authentication', 'radius', 'server'])
+ for rsrv in rsrvs:
+ if not c.return_value(['authentication', 'radius', 'server', rsrv, 'fail-time']):
+ ftime = '0'
+ else:
+ ftime = c.return_value(
+ ['authentication', 'radius', 'server', rsrv, 'fail-time'])
+ if not c.return_value(['authentication', 'radius-server', rsrv, 'req-limit']):
+ reql = '0'
+ else:
+ reql = c.return_value(
+ ['authentication', 'radius', 'server', rsrv, 'req-limit'])
+
+ config_data['authentication']['radiussrv'].update(
+ {
+ rsrv: {
+ 'secret': c.return_value(['authentication', 'radius', 'server', rsrv, 'key']),
+ 'fail-time': ftime,
+ 'req-limit': reql
+ }
+ }
+ )
+
+ if c.exists(['client-ip-pool']):
+ if c.exists(['client-ip-pool', 'start']):
+ config_data['client_ip_pool'] = c.return_value(
+ ['client-ip-pool', 'start'])
+ if c.exists(['client-ip-pool', 'stop']):
+ config_data['client_ip_pool'] += '-' + \
+ re.search(
+ '[0-9]+$', c.return_value(['client-ip-pool', 'stop'])).group(0)
+ if c.exists(['mtu']):
+ config_data['mtu'] = c.return_value(['mtu'])
+
+ # gateway address
+ if c.exists(['gateway-address']):
+ config_data['gw_ip'] = c.return_value(['gateway-address'])
+ else:
+ config_data['gw_ip'] = re.sub(
+ '[0-9]+$', '1', config_data['client_ip_pool'])
+
+ if c.exists(['authentication', 'require']):
+ if c.return_value(['authentication', 'require']) == 'pap':
+ config_data['authentication']['auth_proto'] = 'auth_pap'
+ if c.return_value(['authentication', 'require']) == 'chap':
+ config_data['authentication']['auth_proto'] = 'auth_chap_md5'
+ if c.return_value(['authentication', 'require']) == 'mschap':
+ config_data['authentication']['auth_proto'] = 'auth_mschap_v1'
+ if c.return_value(['authentication', 'require']) == 'mschap-v2':
+ config_data['authentication']['auth_proto'] = 'auth_mschap_v2'
+
+ if c.exists(['authentication', 'mppe']):
+ config_data['authentication']['mppe'] = c.return_value(
+ ['authentication', 'mppe'])
+
+ return config_data
+
+
+def verify(c):
+ if c == None:
+ return None
+
+ if c['authentication']['mode'] == 'local':
+ if not c['authentication']['local-users']:
+ raise ConfigError(
+ 'pptp-server authentication local-users required')
+ for usr in c['authentication']['local-users']:
+ if not c['authentication']['local-users'][usr]['passwd']:
+ raise ConfigError('user ' + usr + ' requires a password')
+
+ if c['authentication']['mode'] == 'radius':
+ if len(c['authentication']['radiussrv']) == 0:
+ raise ConfigError('radius server required')
+ for rsrv in c['authentication']['radiussrv']:
+ if c['authentication']['radiussrv'][rsrv]['secret'] == None:
+ raise ConfigError('radius server ' + rsrv +
+ ' needs a secret configured')
+
+
+def generate(c):
+ if c == None:
+ return None
+
+ # accel-cmd reload doesn't work so any change results in a restart of the daemon
+ try:
+ if os.cpu_count() == 1:
+ c['thread_cnt'] = 1
+ else:
+ c['thread_cnt'] = int(os.cpu_count()/2)
+ except KeyError:
+ if os.cpu_count() == 1:
+ c['thread_cnt'] = 1
+ else:
+ c['thread_cnt'] = int(os.cpu_count()/2)
+
+ render(pptp_conf, 'pptp/pptp.config.tmpl', c, trim_blocks=True)
+
+ if c['authentication']['local-users']:
+ old_umask = os.umask(0o077)
+ render(chap_secrets, 'pptp/chap-secrets.tmpl', c, trim_blocks=True)
+ os.umask(old_umask)
+ # return c ??
+ return c
+
+
+def apply(c):
+ if c == None:
+ if os.path.exists(pidfile):
+ _accel_cmd('shutdown hard')
+ if os.path.exists(pidfile):
+ os.remove(pidfile)
+ return None
+
+ if not os.path.exists(pidfile):
+ ret = run(f'/usr/sbin/accel-pppd -c {pptp_conf} -p {pidfile} -d')
+ _chk_con()
+ if ret != 0 and os.path.exists(pidfile):
+ os.remove(pidfile)
+ raise ConfigError('accel-pppd failed to start')
+ else:
+ # if gw ip changes, only restart doesn't work
+ _accel_cmd('restart')
+
+if __name__ == '__main__':
+ try:
+ c = get_config()
+ verify(c)
+ generate(c)
+ apply(c)
+ except ConfigError as e:
+ print(e)
+ exit(1)
-- cgit v1.2.3