#!/usr/bin/env python3 # # Copyright (C) 2022-2024 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. import argparse from jinja2 import Template from textwrap import fill from vyos.configquery import ConfigTreeQuery from vyos.ifconfig import Section client_config = """ client nobind remote {{ remote_host }} {{ port }} remote-cert-tls server proto {{ 'tcp-client' if protocol == 'tcp-active' else 'udp' }} dev {{ device }} dev-type {{ device }} persist-key persist-tun verb 3 # Encryption options {% if encryption is defined and encryption is not none %} {% if encryption.cipher is defined and encryption.cipher is not none %} cipher {{ encryption.cipher }} {% if encryption.cipher == 'bf128' %} keysize 128 {% elif encryption.cipher == 'bf256' %} keysize 256 {% endif %} {% endif %} {% if encryption.ncp_ciphers is defined and encryption.ncp_ciphers is not none %} data-ciphers {{ encryption.ncp_ciphers }} {% endif %} {% endif %} {% if hash is defined and hash is not none %} auth {{ hash }} {% endif %} keysize 256 comp-lzo {{ '' if use_lzo_compression is defined else 'no' }} <ca> -----BEGIN CERTIFICATE----- {{ ca }} -----END CERTIFICATE----- </ca> <cert> -----BEGIN CERTIFICATE----- {{ cert }} -----END CERTIFICATE----- </cert> <key> -----BEGIN PRIVATE KEY----- {{ key }} -----END PRIVATE KEY----- </key> """ config = ConfigTreeQuery() base = ['interfaces', 'openvpn'] if not config.exists(base): print('OpenVPN not configured') exit(0) if __name__ == '__main__': parser = argparse.ArgumentParser() parser.add_argument("-i", "--interface", type=str, help='OpenVPN interface the client is connecting to', required=True) parser.add_argument("-a", "--ca", type=str, help='OpenVPN CA cerificate', required=True) parser.add_argument("-c", "--cert", type=str, help='OpenVPN client cerificate', required=True) parser.add_argument("-k", "--key", type=str, help='OpenVPN client cerificate key', action="store") args = parser.parse_args() interface = args.interface ca = args.ca cert = args.cert key = args.key if not key: key = args.cert if interface not in Section.interfaces('openvpn'): exit(f'OpenVPN interface "{interface}" does not exist!') if not config.exists(['pki', 'ca', ca, 'certificate']): exit(f'OpenVPN CA certificate "{ca}" does not exist!') if not config.exists(['pki', 'certificate', cert, 'certificate']): exit(f'OpenVPN certificate "{cert}" does not exist!') if not config.exists(['pki', 'certificate', cert, 'private', 'key']): exit(f'OpenVPN certificate key "{key}" does not exist!') ca = config.value(['pki', 'ca', ca, 'certificate']) ca = fill(ca, width=64) cert = config.value(['pki', 'certificate', cert, 'certificate']) cert = fill(cert, width=64) key = config.value(['pki', 'certificate', key, 'private', 'key']) key = fill(key, width=64) remote_host = config.value(base + [interface, 'local-host']) ovpn_conf = config.get_config_dict(base + [interface], key_mangling=('-', '_'), get_first_key=True) port = '1194' if 'local_port' not in ovpn_conf else ovpn_conf['local_port'] proto = 'udp' if 'protocol' not in ovpn_conf else ovpn_conf['protocol'] device = 'tun' if 'device_type' not in ovpn_conf else ovpn_conf['device_type'] config = { 'interface' : interface, 'ca' : ca, 'cert' : cert, 'key' : key, 'device' : device, 'port' : port, 'proto' : proto, 'remote_host' : remote_host, 'address' : [], } # Clear out terminal first print('\x1b[2J\x1b[H') client = Template(client_config, trim_blocks=True).render(config) print(client)