summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniil Baturin <daniil@vyos.io>2024-08-01 15:37:47 +0100
committerGitHub <noreply@github.com>2024-08-01 15:37:47 +0100
commit08bf14aaac204003ffc001ff092a781db08df164 (patch)
tree63eef962b299aca6a286f5bb5d673e90dfbd2647
parentc6e611b7a47c0409282e61186501762b12c6edc1 (diff)
parentcf1f11c5336801784cc5f3ce7112318bcf60d4e5 (diff)
downloadvyos-1x-08bf14aaac204003ffc001ff092a781db08df164.tar.gz
vyos-1x-08bf14aaac204003ffc001ff092a781db08df164.zip
Merge pull request #3925 from vyos/mergify/bp/circinus/pr-3747
T6486: T6379: Rewrite generate openvpn client-config (backport #3747)
-rwxr-xr-xsrc/op_mode/generate_ovpn_client_file.py113
1 files changed, 64 insertions, 49 deletions
diff --git a/src/op_mode/generate_ovpn_client_file.py b/src/op_mode/generate_ovpn_client_file.py
index 2d96fe217..974f7d9b6 100755
--- a/src/op_mode/generate_ovpn_client_file.py
+++ b/src/op_mode/generate_ovpn_client_file.py
@@ -19,42 +19,53 @@ import argparse
from jinja2 import Template
from textwrap import fill
-from vyos.configquery import ConfigTreeQuery
+from vyos.config import Config
from vyos.ifconfig import Section
client_config = """
client
nobind
-remote {{ remote_host }} {{ port }}
+remote {{ local_host if local_host else 'x.x.x.x' }} {{ port }}
remote-cert-tls server
-proto {{ 'tcp-client' if protocol == 'tcp-active' else 'udp' }}
-dev {{ device }}
-dev-type {{ device }}
+proto {{ 'tcp-client' if protocol == 'tcp-passive' else 'udp' }}
+dev {{ device_type }}
+dev-type {{ device_type }}
persist-key
persist-tun
verb 3
# Encryption options
+{# Define the encryption map #}
+{% set encryption_map = {
+ 'des': 'DES-CBC',
+ '3des': 'DES-EDE3-CBC',
+ 'bf128': 'BF-CBC',
+ 'bf256': 'BF-CBC',
+ 'aes128gcm': 'AES-128-GCM',
+ 'aes128': 'AES-128-CBC',
+ 'aes192gcm': 'AES-192-GCM',
+ 'aes192': 'AES-192-CBC',
+ 'aes256gcm': 'AES-256-GCM',
+ 'aes256': 'AES-256-CBC'
+} %}
+
{% if encryption is defined and encryption is not none %}
-{% if encryption.cipher is defined and encryption.cipher is not none %}
-cipher {{ encryption.cipher }}
-{% if encryption.cipher == 'bf128' %}
-keysize 128
-{% elif encryption.cipher == 'bf256' %}
-keysize 256
+{% if encryption.ncp_ciphers is defined and encryption.ncp_ciphers is not none %}
+cipher {% for algo in encryption.ncp_ciphers %}
+{{ encryption_map[algo] if algo in encryption_map.keys() else algo }}{% if not loop.last %}:{% endif %}
+{% endfor %}
+
+data-ciphers {% for algo in encryption.ncp_ciphers %}
+{{ encryption_map[algo] if algo in encryption_map.keys() else algo }}{% if not loop.last %}:{% endif %}
+{% endfor %}
{% endif %}
-{% endif %}
-{% if encryption.ncp_ciphers is defined and encryption.ncp_ciphers is not none %}
-data-ciphers {{ encryption.ncp_ciphers }}
-{% endif %}
{% endif %}
{% if hash is defined and hash is not none %}
auth {{ hash }}
{% endif %}
-keysize 256
-comp-lzo {{ '' if use_lzo_compression is defined else 'no' }}
+{{ 'comp-lzo' if use_lzo_compression is defined else '' }}
<ca>
-----BEGIN CERTIFICATE-----
@@ -79,7 +90,7 @@ comp-lzo {{ '' if use_lzo_compression is defined else 'no' }}
"""
-config = ConfigTreeQuery()
+config = Config()
base = ['interfaces', 'openvpn']
if not config.exists(base):
@@ -89,10 +100,22 @@ if not config.exists(base):
if __name__ == '__main__':
parser = argparse.ArgumentParser()
- parser.add_argument("-i", "--interface", type=str, help='OpenVPN interface the client is connecting to', required=True)
- parser.add_argument("-a", "--ca", type=str, help='OpenVPN CA cerificate', required=True)
- parser.add_argument("-c", "--cert", type=str, help='OpenVPN client cerificate', required=True)
- parser.add_argument("-k", "--key", type=str, help='OpenVPN client cerificate key', action="store")
+ parser.add_argument(
+ "-i",
+ "--interface",
+ type=str,
+ help='OpenVPN interface the client is connecting to',
+ required=True,
+ )
+ parser.add_argument(
+ "-a", "--ca", type=str, help='OpenVPN CA cerificate', required=True
+ )
+ parser.add_argument(
+ "-c", "--cert", type=str, help='OpenVPN client cerificate', required=True
+ )
+ parser.add_argument(
+ "-k", "--key", type=str, help='OpenVPN client cerificate key', action="store"
+ )
args = parser.parse_args()
interface = args.interface
@@ -114,33 +137,25 @@ if __name__ == '__main__':
if not config.exists(['pki', 'certificate', cert, 'private', 'key']):
exit(f'OpenVPN certificate key "{key}" does not exist!')
- ca = config.value(['pki', 'ca', ca, 'certificate'])
+ config = config.get_config_dict(
+ base + [interface],
+ key_mangling=('-', '_'),
+ get_first_key=True,
+ with_recursive_defaults=True,
+ with_pki=True,
+ )
+
+ ca = config['pki']['ca'][ca]['certificate']
ca = fill(ca, width=64)
- cert = config.value(['pki', 'certificate', cert, 'certificate'])
+ cert = config['pki']['certificate'][cert]['certificate']
cert = fill(cert, width=64)
- key = config.value(['pki', 'certificate', key, 'private', 'key'])
+ key = config['pki']['certificate'][key]['private']['key']
key = fill(key, width=64)
- remote_host = config.value(base + [interface, 'local-host'])
-
- ovpn_conf = config.get_config_dict(base + [interface], key_mangling=('-', '_'), get_first_key=True)
-
- port = '1194' if 'local_port' not in ovpn_conf else ovpn_conf['local_port']
- proto = 'udp' if 'protocol' not in ovpn_conf else ovpn_conf['protocol']
- device = 'tun' if 'device_type' not in ovpn_conf else ovpn_conf['device_type']
-
- config = {
- 'interface' : interface,
- 'ca' : ca,
- 'cert' : cert,
- 'key' : key,
- 'device' : device,
- 'port' : port,
- 'proto' : proto,
- 'remote_host' : remote_host,
- 'address' : [],
- }
-
-# Clear out terminal first
-print('\x1b[2J\x1b[H')
-client = Template(client_config, trim_blocks=True).render(config)
-print(client)
+
+ config['ca'] = ca
+ config['cert'] = cert
+ config['key'] = key
+ config['port'] = '1194' if 'local_port' not in config else config['local_port']
+
+ client = Template(client_config, trim_blocks=True).render(config)
+ print(client)