-rw-r--r-- | Makefile.am | 1 | ||||
-rw-r--r-- | scripts/vyos-openvpn-remoteconfig.pl | 122 | ||||
-rw-r--r-- | templates/show/remote-config/node.def | 1 | ||||
-rw-r--r-- | templates/show/remote-config/openvpn/node.def | 1 | ||||
-rw-r--r-- | templates/show/remote-config/openvpn/node.tag/node.def | 5 | ||||
-rw-r--r-- | templates/show/remote-config/openvpn/node.tag/remote-platform/node.def | 1 | ||||
-rw-r--r-- | templates/show/remote-config/openvpn/node.tag/remote-platform/node.tag/node.def | 9 |
7 files changed, 140 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am
index 8212b02..2554bb3 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -57,6 +57,7 @@ bin_SCRIPTS += scripts/limericks.py
 sbin_SCRIPTS = scripts/dhcpv6-client-show-leases.pl
 sbin_SCRIPTS += scripts/vyatta-image-tools.pl
 sbin_SCRIPTS += scripts/vyatta-regen-unpriv-commands.sh
+sbin_SCRIPTS += scripts/vyos-openvpn-remoteconfig.pl
 bin_sudo_users_SCRIPTS = scripts/vyatta-identify-interface.pl
 bin_sudo_users_SCRIPTS += scripts/vyatta-delete-log-file.sh
diff --git a/scripts/vyos-openvpn-remoteconfig.pl b/scripts/vyos-openvpn-remoteconfig.pl
new file mode 100644
index 0000000..1777d08
--- /dev/null
+++ b/scripts/vyos-openvpn-remoteconfig.pl
@@ -0,0 +1,122 @@
+#!/usr/bin/perl
+#
+# Copyright (C) 2017 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+use lib "/opt/vyatta/share/perl5/";
+use Vyatta::Config;
+
+use warnings;
+use strict;
+
+sub auth_warning
+{
+ print("NOTE: authentication options are deliberately left out,\n");
+ print("since we cannot know file paths on a remote system\n\n");
+}
+
+my $config = new Vyatta::Config;
+
+my $intf = $ARGV[0];
+if(!defined($intf))
+{
+ print("OpenVPN interface is not specified!\n");
+ exit(1);
+}
+
+my $remote = $ARGV[1];
+if(!defined($remote))
+{
+ print("Remote side platform is not specified!\n");
+ exit(1);
+}
+
+if(!$config->exists("interfaces openvpn $intf"))
+{
+ print("OpenVPN interface $intf does not exist!\n");
+ exit(1);
+}
+
+$config->setLevel("interfaces openvpn $intf");
+
+my $mode = $config->returnValue('mode');
+
+my $localhost = $config->returnValue("local-host");
+my $localport = $config->returnValue("local-port");
+my $remotehost = $config->returnValue("remote-host");
+my $remoteaddr = $config->returnValue("remote-address");
+my $remoteport = $config->returnValue("remote-port");
+my $cipher = $config->returnValue("encryption");
+my $hash = $config->returnValue("hash");
+my $protocol = $config->returnValue("protocol");
+my $persist = $config->exists("persistent-tunnel");
+my $tlsrole = $config->returnValue("tls role");
+my $devtype = $config->returnValue("device-type");
+my @options = $config->returnValues("openvpn-option");
+
+# local-addr is a tag node...
+# Let's limit it to only the first address for now,
+# since remote-address is limited to only one address anyway!
+my @localaddrs = $config->listNodes('local-address');
+my $localaddr = undef;
+if(@localaddrs) {
+ $localaddr = $localaddrs[0];
+}
+
+if($mode eq 'client')
+{
+ print("It is impossible to produce a complete server config from a client config!\n");
+ exit(1);
+}
+elsif($mode eq 'site-to-site')
+{
+ if($remote eq 'vyos')
+ {
+ auth_warning;
+
+ print("edit interfaces openvpn $intf\n");
+ print("set mode site-to-site\n");
+ print("set device-type $devtype\n") if defined($devtype);
+ print("set remote-host $localhost\n") if defined($localhost);
+ print("set remote-address $localaddr\n") if defined($localaddr);
+ print("set remote-port $localport\n") if defined($localport);
+ print("set local-host $remotehost\n") if defined($remotehost);
+ print("set local-address $remoteaddr\n") if defined($remoteaddr);
+ print("set local-port $remoteport\n") if defined($remoteport);
+ print("set protocol $protocol\n") if defined($protocol);
+ print("set encryption $cipher\n") if defined($cipher);
+ print("set hash $hash\n") if defined($hash);
+
+ for my $o (@options) { print("set openvpn-option \"$o\"\n"); }
+
+ print "tls role passive\n" if (defined($tlsrole) && ($tlsrole eq 'active'));
+ print "tls role active\n" if (defined($tlsrole) && ($tlsrole eq 'passive'));
+ print("top\n");
+ }
+}
+elsif($mode eq 'server')
+{
+ if($remote eq 'vyos')
+ {
+ auth_warning;
+
+ print("edit interfaces openvpn $intf\n");
+ print("set mode client");
+ print("set device-type $devtype\n") if defined($devtype);
+ print("set remote-host $localhost\n") if defined($localhost);
+ print("set remote-port $localport\n") if defined($localport);
+ print("set protocol $protocol\n") if defined($protocol);
+ print("top\n");
+ }
+}
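Review bot: In the `server` branch, `print("set mode client");` has no trailing newline, so the `set device-type` command that follows is emitted on the same line, and the two `tls role` prints in the `site-to-site` branch lack the `set ` prefix every other emitted command carries; change them to `print("set mode client\n");`, `print("set tls role passive\n") if (defined($tlsrole) && ($tlsrole eq 'active'));` and `print("set tls role active\n") if (defined($tlsrole) && ($tlsrole eq 'passive'));`. Both arguments are only checked for definedness: a remote-platform value other than `vyos` (including `openvpn`, which the CLI template's completion offers) falls through every branch, prints nothing and exits 0, and an unset `mode` reaches `$mode eq 'client'` undefined; reject those with a message and `exit(1)` like the other error paths. `$intf` is interpolated into the config path as typed; since the script runs under sudo, an anchored check such as `/\A vtun\d+ \z/x` before `$config->exists(...)` would be cheap insurance. `my $config = new Vyatta::Config;` is indirect-object syntax, prefer `Vyatta::Config->new`, and `$persist` is read but never used.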
diff --git a/templates/show/remote-config/node.def b/templates/show/remote-config/node.def
new file mode 100644
index 0000000..1675abd
--- /dev/null
+++ b/templates/show/remote-config/node.def
@@ -0,0 +1 @@
+help: Show remote side config
diff --git a/templates/show/remote-config/openvpn/node.def b/templates/show/remote-config/openvpn/node.def
new file mode 100644
index 0000000..d417cb6
--- /dev/null
+++ b/templates/show/remote-config/openvpn/node.def
@@ -0,0 +1 @@
+help: Show remote side config for OpenVPN
diff --git a/templates/show/remote-config/openvpn/node.tag/node.def b/templates/show/remote-config/openvpn/node.tag/node.def
new file mode 100644
index 0000000..afb8cfb
--- /dev/null
+++ b/templates/show/remote-config/openvpn/node.tag/node.def
@@ -0,0 +1,5 @@
+help: Show remote side OpenVPN config
+
+allowed: local -a array ;
+ eval "array=( $(cli-shell-api listEffectiveNodes interfaces openvpn) )" ;
+ echo -n '<vtunN>' ${array[@]##*/}
diff --git a/templates/show/remote-config/openvpn/node.tag/remote-platform/node.def b/templates/show/remote-config/openvpn/node.tag/remote-platform/node.def
new file mode 100644
index 0000000..15502c9
--- /dev/null
+++ b/templates/show/remote-config/openvpn/node.tag/remote-platform/node.def
@@ -0,0 +1 @@
+help: Show remote side OpenVPN config for specified platform
diff --git a/templates/show/remote-config/openvpn/node.tag/remote-platform/node.tag/node.def b/templates/show/remote-config/openvpn/node.tag/remote-platform/node.tag/node.def
new file mode 100644
index 0000000..66f334c
--- /dev/null
+++ b/templates/show/remote-config/openvpn/node.tag/remote-platform/node.tag/node.def
@@ -0,0 +1,9 @@
+help: Show remote side OpenVPN config for specified platform
+allowed: echo -n "vyos openvpn"
+
+run: if [ "$VYATTA_USER_LEVEL_DIR" == "/opt/vyatta/etc/shell/level/admin" ];
+ then
+ sudo ${vyatta_sbindir}/vyos-openvpn-remoteconfig.pl $4 $6
+ else
+ echo Must be an admin user to run this command.
+ fi |
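Review bot: In the `run:` block of `remote-platform/node.tag/node.def`, `$4` and `$6` are handed to the sudo-invoked script unquoted, so a value containing whitespace is split into extra arguments before the script ever sees it; quote them as `sudo ${vyatta_sbindir}/vyos-openvpn-remoteconfig.pl "$4" "$6"`. The `allowed:` lists here and in `node.tag/node.def` (`vyos openvpn`, the `vtunN` names) appear to be completion hints only, so whatever the user types still reaches the script and the script remains the sole place that validates both values. The non-admin branch prints its refusal to stdout via `echo` and the block ends with that echo's zero status; writing it to stderr (`>&2`) with a nonzero exit would make the refusal visible to anything scripting this command.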