diff options
author | Daniil Baturin <daniil@vyos.io> | 2024-08-01 15:37:47 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-08-01 15:37:47 +0100 |
commit | 08bf14aaac204003ffc001ff092a781db08df164 (patch) | |
tree | 63eef962b299aca6a286f5bb5d673e90dfbd2647 | |
parent | c6e611b7a47c0409282e61186501762b12c6edc1 (diff) | |
parent | cf1f11c5336801784cc5f3ce7112318bcf60d4e5 (diff) | |
download | vyos-1x-08bf14aaac204003ffc001ff092a781db08df164.tar.gz vyos-1x-08bf14aaac204003ffc001ff092a781db08df164.zip |
Merge pull request #3925 from vyos/mergify/bp/circinus/pr-3747
T6486: T6379: Rewrite generate openvpn client-config (backport #3747)
-rwxr-xr-x | src/op_mode/generate_ovpn_client_file.py | 113 |
1 files changed, 64 insertions, 49 deletions
diff --git a/src/op_mode/generate_ovpn_client_file.py b/src/op_mode/generate_ovpn_client_file.py index 2d96fe217..974f7d9b6 100755 --- a/src/op_mode/generate_ovpn_client_file.py +++ b/src/op_mode/generate_ovpn_client_file.py @@ -19,42 +19,53 @@ import argparse from jinja2 import Template from textwrap import fill -from vyos.configquery import ConfigTreeQuery +from vyos.config import Config from vyos.ifconfig import Section client_config = """ client nobind -remote {{ remote_host }} {{ port }} +remote {{ local_host if local_host else 'x.x.x.x' }} {{ port }} remote-cert-tls server -proto {{ 'tcp-client' if protocol == 'tcp-active' else 'udp' }} -dev {{ device }} -dev-type {{ device }} +proto {{ 'tcp-client' if protocol == 'tcp-passive' else 'udp' }} +dev {{ device_type }} +dev-type {{ device_type }} persist-key persist-tun verb 3 # Encryption options +{# Define the encryption map #} +{% set encryption_map = { + 'des': 'DES-CBC', + '3des': 'DES-EDE3-CBC', + 'bf128': 'BF-CBC', + 'bf256': 'BF-CBC', + 'aes128gcm': 'AES-128-GCM', + 'aes128': 'AES-128-CBC', + 'aes192gcm': 'AES-192-GCM', + 'aes192': 'AES-192-CBC', + 'aes256gcm': 'AES-256-GCM', + 'aes256': 'AES-256-CBC' +} %} + {% if encryption is defined and encryption is not none %} -{% if encryption.cipher is defined and encryption.cipher is not none %} -cipher {{ encryption.cipher }} -{% if encryption.cipher == 'bf128' %} -keysize 128 -{% elif encryption.cipher == 'bf256' %} -keysize 256 +{% if encryption.ncp_ciphers is defined and encryption.ncp_ciphers is not none %} +cipher {% for algo in encryption.ncp_ciphers %} +{{ encryption_map[algo] if algo in encryption_map.keys() else algo }}{% if not loop.last %}:{% endif %} +{% endfor %} + +data-ciphers {% for algo in encryption.ncp_ciphers %} +{{ encryption_map[algo] if algo in encryption_map.keys() else algo }}{% if not loop.last %}:{% endif %} +{% endfor %} {% endif %} -{% endif %} -{% if encryption.ncp_ciphers is defined and encryption.ncp_ciphers is not none %} -data-ciphers {{ encryption.ncp_ciphers }} -{% endif %} {% endif %} {% if hash is defined and hash is not none %} auth {{ hash }} {% endif %} -keysize 256 -comp-lzo {{ '' if use_lzo_compression is defined else 'no' }} +{{ 'comp-lzo' if use_lzo_compression is defined else '' }} <ca> -----BEGIN CERTIFICATE----- @@ -79,7 +90,7 @@ comp-lzo {{ '' if use_lzo_compression is defined else 'no' }} """ -config = ConfigTreeQuery() +config = Config() base = ['interfaces', 'openvpn'] if not config.exists(base): @@ -89,10 +100,22 @@ if not config.exists(base): if __name__ == '__main__': parser = argparse.ArgumentParser() - parser.add_argument("-i", "--interface", type=str, help='OpenVPN interface the client is connecting to', required=True) - parser.add_argument("-a", "--ca", type=str, help='OpenVPN CA cerificate', required=True) - parser.add_argument("-c", "--cert", type=str, help='OpenVPN client cerificate', required=True) - parser.add_argument("-k", "--key", type=str, help='OpenVPN client cerificate key', action="store") + parser.add_argument( + "-i", + "--interface", + type=str, + help='OpenVPN interface the client is connecting to', + required=True, + ) + parser.add_argument( + "-a", "--ca", type=str, help='OpenVPN CA cerificate', required=True + ) + parser.add_argument( + "-c", "--cert", type=str, help='OpenVPN client cerificate', required=True + ) + parser.add_argument( + "-k", "--key", type=str, help='OpenVPN client cerificate key', action="store" + ) args = parser.parse_args() interface = args.interface @@ -114,33 +137,25 @@ if __name__ == '__main__': if not config.exists(['pki', 'certificate', cert, 'private', 'key']): exit(f'OpenVPN certificate key "{key}" does not exist!') - ca = config.value(['pki', 'ca', ca, 'certificate']) + config = config.get_config_dict( + base + [interface], + key_mangling=('-', '_'), + get_first_key=True, + with_recursive_defaults=True, + with_pki=True, + ) + + ca = config['pki']['ca'][ca]['certificate'] ca = fill(ca, width=64) - cert = config.value(['pki', 'certificate', cert, 'certificate']) + cert = config['pki']['certificate'][cert]['certificate'] cert = fill(cert, width=64) - key = config.value(['pki', 'certificate', key, 'private', 'key']) + key = config['pki']['certificate'][key]['private']['key'] key = fill(key, width=64) - remote_host = config.value(base + [interface, 'local-host']) - - ovpn_conf = config.get_config_dict(base + [interface], key_mangling=('-', '_'), get_first_key=True) - - port = '1194' if 'local_port' not in ovpn_conf else ovpn_conf['local_port'] - proto = 'udp' if 'protocol' not in ovpn_conf else ovpn_conf['protocol'] - device = 'tun' if 'device_type' not in ovpn_conf else ovpn_conf['device_type'] - - config = { - 'interface' : interface, - 'ca' : ca, - 'cert' : cert, - 'key' : key, - 'device' : device, - 'port' : port, - 'proto' : proto, - 'remote_host' : remote_host, - 'address' : [], - } - -# Clear out terminal first -print('\x1b[2J\x1b[H') -client = Template(client_config, trim_blocks=True).render(config) -print(client) + + config['ca'] = ca + config['cert'] = cert + config['key'] = key + config['port'] = '1194' if 'local_port' not in config else config['local_port'] + + client = Template(client_config, trim_blocks=True).render(config) + print(client) |