diff options
| -rw-r--r-- | interface-definitions/sstp.xml | 416 | ||||
| -rwxr-xr-x | src/conf_mode/accel_sstp.py | 469 | 
2 files changed, 885 insertions, 0 deletions
| diff --git a/interface-definitions/sstp.xml b/interface-definitions/sstp.xml new file mode 100644 index 000000000..d944baaad --- /dev/null +++ b/interface-definitions/sstp.xml @@ -0,0 +1,416 @@ +<?xml version="1.0"?> +<interfaceDefinition> +  <node name="service"> +    <children> +      <node name="sstp-server" owner="${vyos_conf_scripts_dir}/accel_sstp.py"> +        <properties> +          <help>Secure Socket Tunneling Protocol (SSTP) Server</help> +          <priority>900</priority> +        </properties> +        <children> +          <node name="authentication"> +            <properties> +              <help>Authentication for remote access SSTP Server</help> +            </properties> +            <children> +              <node name="local-users"> +                <properties> +                  <help>Local user authentication for SSTP server</help> +                </properties> +                <children> +                  <tagNode name="username"> +                    <properties> +                      <help>User name for authentication</help> +                    </properties> +                    <children> +                      <leafNode name="disable"> +                        <properties> +                          <help>Option to disable a SSTP Server user</help> +                          <valueless /> +                        </properties> +                      </leafNode> +                      <leafNode name="password"> +                        <properties> +                          <help>Password for authentication</help> +                        </properties> +                      </leafNode> +                      <leafNode name="static-ip"> +                        <properties> +                          <help>Static client IP address</help> +                        </properties> +                      </leafNode> +                      <node name="rate-limit"> +                        <properties> +                          <help>Upload/Download speed limits</help> +                        </properties> +                        <children> +                          <leafNode name="upload"> +                            <properties> +                              <help>Upload bandwidth limit in kbits/sec</help> +                              <constraint> +                                <validator name="numeric" argument="--range 1-65535"/> +                              </constraint> +                            </properties> +                          </leafNode> +                          <leafNode name="download"> +                            <properties> +                              <help>Download bandwidth limit in kbits/sec</help> +                              <constraint> +                                <validator name="numeric" argument="--range 1-65535"/> +                              </constraint> +                            </properties> +                          </leafNode> +                        </children> +                      </node> +                    </children> +                  </tagNode> +                </children> +              </node> +              <leafNode name="mode"> +                <properties> +                  <help>Authentication mode for SSTP Server</help> +                  <valueHelp> +                    <format>local</format> +                    <description>Use local username/password configuration</description> +                  </valueHelp> +                  <valueHelp> +                    <format>radius</format> +                    <description>Use a RADIUS server to autenticate users</description> +                  </valueHelp> +                  <constraint> +                    <regex>^(local|radius)</regex> +                  </constraint> +                  <completionHelp> +                    <list>local radius</list> +                  </completionHelp> +                </properties> +              </leafNode> +              <leafNode name="protocols"> +                <properties> +                  <help>Authentication protocol for remote access peer SSTP VPN</help> +                  <valueHelp> +                    <format>pap</format> +                    <description>Require the peer to authenticate itself using PAP [Password Authentication Protocol].</description> +                  </valueHelp> +                  <valueHelp> +                    <format>chap</format> +                    <description>Require the peer to authenticate itself using CHAP [Challenge Handshake Authentication Protocol].</description> +                  </valueHelp> +                  <valueHelp> +                    <format>mschap</format> +                    <description>Require the peer to authenticate itself using CHAP [Challenge Handshake Authentication Protocol].</description> +                  </valueHelp> +                  <valueHelp> +                    <format>mschap-v2</format> +                    <description>Require the peer to authenticate itself using MS-CHAPv2 [Microsoft Challenge Handshake Authentication Protocol, Version 2].</description> +                  </valueHelp> +                  <constraint> +                    <regex>^(pap|chap|mschap|mschap-v2)</regex> +                  </constraint> +                  <completionHelp> +                    <list>pap chap mschap mschap-v2</list> +                  </completionHelp> +                    <multi /> +                </properties> +              </leafNode> +              <tagNode name="radius-server"> +                <properties> +                  <help>IP address of RADIUS server</help> +                  <valueHelp> +                    <format>ipv4</format> +                      <description>IP address of RADIUS server</description> +                  </valueHelp> +                </properties> +                <children> +                  <leafNode name="secret"> +                    <properties> +                      <help>Key for accessing the specified server</help> +                    </properties> +                  </leafNode> +                  <leafNode name="req-limit"> +                    <properties> +                      <help>Maximum number of simultaneous requests to server (default: unlimited)</help> +                    </properties> +                  </leafNode> +                  <leafNode name="fail-time"> +                    <properties> +                      <help>If server doesn't responds mark it as unavailable for this amount of time in seconds</help> +                    </properties> +                  </leafNode> +                </children> +              </tagNode> +              <node name="radius-settings"> +                <properties> +                  <help>RADIUS settings</help> +                </properties> +                <children> +                  <leafNode name="timeout"> +                    <properties> +                      <help>Timeout to wait response from server (seconds)</help> +                    </properties> +                  </leafNode> +                  <leafNode name="acct-timeout"> +                    <properties> +                      <help>Timeout to wait reply for Interim-Update packets. (default 3 seconds)</help> +                    </properties> +                  </leafNode> +                  <leafNode name="max-try"> +                    <properties> +                      <help>Maximum number of tries to send Access-Request/Accounting-Request queries</help> +                    </properties> +                  </leafNode> +                  <leafNode name="nas-identifier"> +                    <properties> +                      <help>Value to send to RADIUS server in NAS-Identifier attribute and to be matched in DM/CoA requests.</help> +                    </properties> +                  </leafNode> +                  <leafNode name="nas-ip-address"> +                    <properties> +                      <help>Value to send to RADIUS server in NAS-IP-Address attribute and to be matched in DM/CoA requests. Also DM/CoA server will bind to that address.</help> +                       <constraint> +                        <validator name="ipv4-address"/> +                      </constraint> +                      <constraintErrorMessage>invalid IPv4 address</constraintErrorMessage> +                      <valueHelp> +                        <format>ipv4</format> +                        <description>NAS-IP-Address Attribute Value</description> +                      </valueHelp> +                    </properties> +                  </leafNode> +                  <node name="dae-server"> +                    <properties> +                      <help>IPv4 address and port to bind Dynamic Authorization Extension server (DM/CoA)</help> +                    </properties> +                    <children> +                      <leafNode name="ip-address"> +                        <properties> +                          <help>IP address for Dynamic Authorization Extension server (DM/CoA)</help> +                          <constraint> +                            <validator name="ipv4-address"/> +                          </constraint> +                          <constraintErrorMessage>invalid IPv4 address</constraintErrorMessage> +                          <valueHelp> +                            <format>ipv4</format> +                            <description>Specifies IP address for Dynamic Authorization Extension server (DM/CoA)</description> +                          </valueHelp> +                        </properties> +                      </leafNode> +                      <leafNode name="port"> +                        <properties> +                          <help>Port for Dynamic Authorization Extension server (DM/CoA)</help> +                          <valueHelp> +                            <format>number</format> +                            <description>TCP port</description> +                          </valueHelp> +                          <constraint> +                            <validator name="numeric" argument="--range 1-65535"/> +                          </constraint> +                        </properties> +                      </leafNode> +                      <leafNode name="secret"> +                        <properties> +                          <help>Secret for Dynamic Authorization Extension server (DM/CoA)</help> +                        </properties> +                      </leafNode> +                    </children> +                  </node> +                  <node name="rate-limit"> +                    <properties> +                      <help>Upload/Download speed limits</help> +                    </properties> +                    <children> +                      <leafNode name="attribute"> +                        <properties> +                          <help>Specifies which radius attribute contains rate information. (default is Filter-Id)</help> +                        </properties> +                      </leafNode> +                      <leafNode name="vendor"> +                        <properties> +                          <help>Specifies the vendor dictionary. (dictionary needs to be in /usr/share/accel-ppp/radius)</help> +                        </properties> +                      </leafNode> +                      <leafNode name="enable"> +                        <properties> +                          <help>Enables Bandwidth shaping via RADIUS</help> +                          <valueless /> +                        </properties> +                      </leafNode> +                    </children> +                  </node> +                </children> +              </node> +            </children> +          </node> +          <node name="sstp-settings"> +            <properties> +              <help>SSTP settings</help> +            </properties> +            <children> +              <node name="ssl-certs"> +                <properties> +                  <help>SSL Certificate, SSL Key and CA (/config/user-data/sstp)</help> +                </properties> +                <children> +                  <leafNode name="ca"> +                    <properties> +                      <help>Certificate Authority certificate</help> +                      <completionHelp> +                        <script>if [ -e /config/user-data/sstp ]; then ls /config/user-data/sstp; fi</script> +                      </completionHelp> +                    </properties> +                  </leafNode> +                  <leafNode name="server-cert"> +                    <properties> +                      <help>Server Certificate</help> +                      <completionHelp> +                        <script>if [ -e /config/user-data/sstp ]; then ls /config/user-data/sstp; fi</script> +                      </completionHelp> +                    </properties> +                  </leafNode> +                  <leafNode name="server-key"> +                    <properties> +                      <help>Privat Key of the Server Certificate</help> +                      <completionHelp> +                        <script>if [ -e /config/user-data/sstp ]; then ls /config/user-data/sstp; fi</script> +                      </completionHelp> +                    </properties> +                  </leafNode> +                </children> +              </node> +            </children> +          </node> +          <node name="network-settings"> +            <properties> +              <help>Network settings</help> +            </properties> +            <children> +              <node name="client-ip-settings"> +                <properties> +                  <help>Client IP pools and gateway setting</help> +                </properties> +                <children> +                  <leafNode name="subnet"> +                    <properties> +                      <help>Client IP subnet (CIDR notation)</help> +                      <constraint> +                        <validator name="ipv4-prefix"/> +                      </constraint> +                      <constraintErrorMessage>Not a valid CIDR formatted prefix</constraintErrorMessage> +                      <multi /> +                    </properties> +                  </leafNode> +                  <leafNode name="gateway-address"> +                    <properties> +                      <help>Gateway IP address</help> +                      <constraint> +                        <validator name="ipv4-address"/> +                      </constraint> +                      <constraintErrorMessage>invalid IPv4 address</constraintErrorMessage> +                      <valueHelp> +                        <format>ipv4</format> +                        <description>Default Gateway send to the client</description> +                      </valueHelp> +                    </properties> +                  </leafNode> +                </children> +              </node> +              <node name="dns-server"> +                <properties> +                  <help>DNS servers propagated to clients</help> +                </properties> +                <children> +                  <leafNode name="primary-dns"> +                    <properties> +                      <help>Primary DNS Server</help> +                      <valueHelp> +                        <format>ipv4</format> +                        <description>IPv4 address</description> +                      </valueHelp> +                      <constraint> +                        <validator name="ipv4-address"/> +                      </constraint> +                    </properties> +                  </leafNode> +                  <leafNode name="secondary-dns"> +                    <properties> +                      <help>Secondary DNS Server</help> +                      <valueHelp> +                        <format>ipv4</format> +                        <description>IPv4 address</description> +                      </valueHelp> +                      <constraint> +                        <validator name="ipv4-address"/> +                      </constraint> +                    </properties> +                  </leafNode> +                </children> +              </node> +              <leafNode name="mtu"> +                <properties> +                  <help>Maximum Transmission Unit (MTU)</help> +                  <constraint> +                    <validator name="numeric" argument="--range 128-16384"/> +                  </constraint> +                </properties> +              </leafNode> +            </children> +          </node> +          <node name="ppp-settings"> +            <properties> +              <help>PPP (Point-to-Point Protocol) settings</help> +            </properties> +            <children> +              <leafNode name="mppe"> +                <properties> +                  <help>Specifies mppe negotiation preferences</help> +                  <completionHelp> +                    <list>require prefer deny</list> +                  </completionHelp> +                  <constraint> +                    <regex>(^require|prefer|deny)</regex> +                  </constraint> +                  <valueHelp> +                    <format>require</format> +                    <description>send mppe request, if client rejects, drop the connection</description> +                  </valueHelp> +                  <valueHelp> +                    <format>prefer</format> +                    <description>send mppe request, if client rejects continue</description> +                  </valueHelp> +                  <valueHelp> +                    <format>deny</format> +                    <description>drop all mppe</description> +                  </valueHelp> +                </properties> +              </leafNode> +              <leafNode name="lcp-echo-interval"> +                <properties> +                  <help>LCP echo-requests/sec</help> +                  <constraint> +                    <validator name="numeric" argument="--positive"/> +                  </constraint> +                </properties> +              </leafNode> +              <leafNode name="lcp-echo-failure"> +                <properties> +                  <help>Maximum number of Echo-Requests may be sent without valid reply</help> +                  <constraint> +                    <validator name="numeric" argument="--positive"/> +                  </constraint> +                </properties> +              </leafNode> +              <leafNode name="lcp-echo-timeout"> +                <properties> +                  <help>Timeout in seconds to wait for any peer activity. If this option specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" is not used.</help> +                  <constraint> +                    <validator name="numeric" argument="--positive"/> +                  </constraint> +                </properties> +              </leafNode> +            </children> +          </node> +      </children> +    </node> +  </children> +</node> +</interfaceDefinition> diff --git a/src/conf_mode/accel_sstp.py b/src/conf_mode/accel_sstp.py new file mode 100755 index 000000000..1317a32db --- /dev/null +++ b/src/conf_mode/accel_sstp.py @@ -0,0 +1,469 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program.  If not, see <http://www.gnu.org/licenses/>. +# +# + +import sys +import os +import re +import subprocess +import jinja2 +import socket +import time +import syslog as sl + +from vyos.config import Config +from vyos import ConfigError + +pidfile = r'/var/run/accel_sstp.pid' +sstp_cnf_dir = r'/etc/accel-ppp/sstp' +chap_secrets = sstp_cnf_dir + '/chap-secrets' +sstp_conf = sstp_cnf_dir + '/sstp.config' +ssl_cert_dir = r'/config/user-data/sstp' + +### config path creation +if not os.path.exists(sstp_cnf_dir): +  os.makedirs(sstp_cnf_dir) +  sl.syslog(sl.LOG_NOTICE, sstp_cnf_dir  + " created") + +if not os.path.exists(ssl_cert_dir): +  os.makedirs(ssl_cert_dir) +  sl.syslog(sl.LOG_NOTICE, ssl_cert_dir  + " created") + +sstp_config = ''' +### generated by accel_sstp.py ###  +[modules] +log_syslog +sstp +ippool +shaper +{% if authentication['mode'] == 'local' %} +chap-secrets +{% endif -%} +{% for proto in authentication['auth_proto'] %} +{{proto}} +{% endfor %} +{% if authentication['mode'] == 'radius' %} +radius +{% endif %} + +[core] +thread-count={{thread_cnt}} + +[common] +single-session=replace + +[log] +syslog=accel-sstp,daemon +copy=1 +level=5 + +[client-ip-range] +disable + +[sstp] +verbose=1 +accept=ssl +{% if certs %} +ssl-ca-file=/config/user-data/sstp/{{certs['ca']}} +ssl-pemfile=/config/user-data/sstp/{{certs['server-cert']}} +ssl-keyfile=/config/user-data/sstp/{{certs['server-key']}} +{% endif %} + +{%if ip_pool %} +[ip-pool] +gw-ip-address={{gw}} +{% for sn in ip_pool %} +{{sn}} +{% endfor %} +{% endif %} + +{% if dnsv4 %} +[dns] +{% if dnsv4['primary'] %} +dns1={{dnsv4['primary']}} +{% endif -%} +{% if dnsv4['secondary'] %} +dns2={{dnsv4['secondary']}} +{% endif -%} +{% endif %} + +{% if authentication['mode'] == 'local' %} +[chap-secrets] +chap-secrets=/etc/accel-ppp/sstp/chap-secrets +{% endif %} + +{%- if authentication['mode'] == 'radius' %} +[radius] +verbose=1 +{% for rsrv in authentication['radius-srv']: %} +server={{rsrv}},{{authentication['radius-srv'][rsrv]['secret']}},\ +req-limit={{authentication['radius-srv'][rsrv]['req-limit']}},\ +fail-time={{authentication['radius-srv'][rsrv]['fail-time']}} +{% endfor -%} +{% if authentication['radiusopt']['acct-timeout'] %} +acct-timeout={{authentication['radiusopt']['acct-timeout']}} +{% endif -%} +{% if authentication['radiusopt']['timeout'] %} +timeout={{authentication['radiusopt']['timeout']}} +{% endif -%} +{% if authentication['radiusopt']['max-try'] %} +max-try={{authentication['radiusopt']['max-try']}} +{% endif -%} +{% if authentication['radiusopt']['nas-id'] %} +nas-identifier={{authentication['radiusopt']['nas-id']}} +{% endif -%} +{% if authentication['radiusopt']['nas-ip'] %} +nas-ip-address={{authentication['radiusopt']['nas-ip']}} +{% endif -%} +{% if authentication['radiusopt']['dae-srv'] %} +dae-server={{authentication['radiusopt']['dae-srv']['ip-addr']}}:\ +{{authentication['radiusopt']['dae-srv']['port']}},\ +{{authentication['radiusopt']['dae-srv']['secret']}} +{% endif -%} +{% endif %} + +[ppp] +verbose=1 +check-ip=1 +{% if mtu %} +mtu={{mtu}} +{% endif -%} +{% if ppp['mppe'] %} +mppe={{ppp['mppe']}} +{% endif -%} +{% if ppp['lcp-echo-interval'] %} +lcp-echo-interval={{ppp['lcp-echo-interval']}} +{% endif -%} +{% if ppp['lcp-echo-failure'] %} +lcp-echo-failure={{ppp['lcp-echo-failure']}} +{% endif -%} +{% if ppp['lcp-echo-timeout'] %} +lcp-echo-timeout={{ppp['lcp-echo-timeout']}} +{% endif %} + +{% if authentication['radiusopt']['shaper'] %} +[shaper] +verbose=1 +attr={{authentication['radiusopt']['shaper']['attr']}} +{% if authentication['radiusopt']['shaper']['vendor'] %} +vendor={{authentication['radiusopt']['shaper']['vendor']}} +{% endif -%} +{% endif %} + +[cli] +tcp=127.0.0.1:2005 +''' + +### sstp chap secrets +chap_secrets_conf = ''' +# username  server  password  acceptable local IP addresses   shaper +{% for user in authentication['local-users'] %} +{% if authentication['local-users'][user]['state'] == 'enabled' %} +{% if (authentication['local-users'][user]['upload']) and (authentication['local-users'][user]['download']) %} +{{user}}\t*\t{{authentication['local-users'][user]['passwd']}}\t{{authentication['local-users'][user]['ip']}}\t\ +{{authentication['local-users'][user]['download']}}/{{authentication['local-users'][user]['upload']}} +{% else %} +{{user}}\t*\t{{authentication['local-users'][user]['passwd']}}\t{{authentication['local-users'][user]['ip']}} +{% endif %} +{% endif %} +{% endfor %} +''' +### +# inline helper functions +### +# depending on hw and threads, daemon needs a little to start +# if it takes longer than 100 * 0.5 secs, exception is being raised +# not sure if that's the best way to check it, but it worked so far quite well  +### +def chk_con(): +  cnt = 0 +  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +  while True: +    try: +      s.connect(("127.0.0.1", 2005)) +      s.close() +      break +    except ConnectionRefusedError: +      time.sleep(0.5) +      cnt +=1 +      if cnt == 100: +        raise("failed to start sstp server") +        break + +### chap_secrets file if auth mode local +def write_chap_secrets(c): +  tmpl = jinja2.Template(chap_secrets_conf, trim_blocks=True) +  chap_secrets_txt = tmpl.render(c) +  old_umask = os.umask(0o077) +  open(chap_secrets,'w').write(chap_secrets_txt) +  os.umask(old_umask) +  sl.syslog(sl.LOG_NOTICE, chap_secrets + ' written') + +def accel_cmd(cmd=''): +  if not cmd: +    return None +  try: +    ret = subprocess.check_output(['/usr/bin/accel-cmd','-p','2005',cmd]).decode().strip() +    return ret +  except: +    return 1 + +#### check ig local-ip is in client pool subnet + + +###  +# inline helper functions end +### + +def get_config(): +  c = Config() +  if not c.exists('service sstp-server'): +    return None + +  c.set_level('service sstp-server') + +  config_data = { +    'authentication'    : { +      'local-users'     : { +      }, +      'mode'            : 'local', +      'auth_proto'      : [], +      'radius-srv'      : {}, +      'radiusopt'       : {}, +      'dae-srv'         : {} +    }, +    'certs'           : { +      'ca'            : None, +      'server-key'    : None, +      'server-cert'   : None +    }, +    'ip_pool'         : [], +    'gw'              : None, +    'dnsv4'           : {}, +    'mtu'             : None, +    'ppp'             : {}, +  } + +  ### local auth +  if c.exists('authentication mode local'): +    if c.exists('authentication local-users'): +      for usr in c.list_nodes('authentication local-users username'): +        config_data['authentication']['local-users'].update( +          { +            usr : { +              'passwd'    : None, +              'state'     : 'enabled', +              'ip'        : '*', +              'upload'    : None, +              'download'  : None +            } +          } +        ) +        if c.exists('authentication local-users username ' + usr + ' password'): +          config_data['authentication']['local-users'][usr]['passwd'] = c.return_value('authentication local-users username ' + usr + ' password') +        if c.exists('authentication local-users username ' + usr + ' disable'): +          config_data['authentication']['local-users'][usr]['state'] = 'disable' +        if c.exists('authentication local-users username ' + usr + ' static-ip'): +          config_data['authentication']['local-users'][usr]['ip'] = c.return_value('authentication local-users username ' + usr + ' static-ip') +        if c.exists('authentication local-users username ' + usr + ' rate-limit download'): +          config_data['authentication']['local-users'][usr]['download'] = c.return_value('authentication local-users username ' + usr + ' rate-limit download') +        if c.exists('authentication local-users username ' + usr + ' rate-limit upload'): +          config_data['authentication']['local-users'][usr]['upload'] = c.return_value('authentication local-users username ' + usr + ' rate-limit upload') + +  if c.exists('authentication protocols'): +    auth_mods = {'pap' : 'pap','chap' : 'auth_chap_md5', 'mschap' : 'auth_mschap_v1', 'mschap-v2' : 'auth_mschap_v2'} +    for proto in c.return_values('authentication protocols'): +      config_data['authentication']['auth_proto'].append(auth_mods[proto]) +  else: +    config_data['authentication']['auth_proto'] = ['auth_mschap_v2'] + +  #### RADIUS auth and settings +  if c.exists('authentication mode radius'): +    config_data['authentication']['mode'] = c.return_value('authentication mode') +    if c.exists('authentication radius-server'): +      for rsrv in c.list_nodes('authentication radius-server'): +        config_data['authentication']['radius-srv'][rsrv] = {} +        if c.exists('authentication radius-server ' + rsrv + ' secret'): +          config_data['authentication']['radius-srv'][rsrv]['secret'] = c.return_value('authentication radius-server ' + rsrv + ' secret') +        else: +          config_data['authentication']['radius-srv'][rsrv]['secret'] = None +        if c.exists('authentication radius-server ' + rsrv + ' fail-time'): +          config_data['authentication']['radius-srv'][rsrv]['fail-time'] = c.return_value('authentication radius-server ' + rsrv + ' fail-time') +        else: +          config_data['authentication']['radius-srv'][rsrv]['fail-time'] = 0 +        if c.exists('authentication radius-server ' + rsrv + ' req-limit'): +          config_data['authentication']['radius-srv'][rsrv]['req-limit'] = c.return_value('authentication radius-server ' + rsrv + ' req-limit') +        else: +          config_data['authentication']['radius-srv'][rsrv]['req-limit'] = 0 + +    #### advanced radius-setting +    if c.exists('authentication radius-settings'): +      if c.exists('authentication radius-settings acct-timeout'): +        config_data['authentication']['radiusopt']['acct-timeout'] = c.return_value('authentication radius-settings acct-timeout') +      if c.exists('authentication radius-settings max-try'): +        config_data['authentication']['radiusopt']['max-try'] = c.return_value('authentication radius-settings max-try') +      if c.exists('authentication radius-settings timeout'): +        config_data['authentication']['radiusopt']['timeout'] = c.return_value('authentication radius-settings timeout') +      if c.exists('authentication radius-settings nas-identifier'): +        config_data['authentication']['radiusopt']['nas-id'] = c.return_value('authentication radius-settings nas-identifier') +      if c.exists('authentication radius-settings nas-ip-address'): +        config_data['authentication']['radiusopt']['nas-ip'] = c.return_value('authentication radius-settings nas-ip-address') +      if c.exists('authentication radius-settings dae-server'): +        config_data['authentication']['radiusopt'].update( +          { +            'dae-srv' : { +              'ip-addr' : c.return_value('authentication radius-settings dae-server ip-address'), +              'port'    : c.return_value('authentication radius-settings dae-server port'), +              'secret'  : str(c.return_value('authentication radius-settings dae-server secret')) +            } +          } +        ) +      if c.exists('authentication radius-settings rate-limit enable'):  +        if not c.exists('authentication radius-settings rate-limit attribute'): +          config_data['authentication']['radiusopt']['shaper'] = { 'attr'  : 'Filter-Id' } +        else: +          config_data['authentication']['radiusopt']['shaper'] = { +            'attr'  : c.return_value('authentication radius-settings rate-limit attribute') +          } +        if c.exists('authentication radius-settings rate-limit vendor'): +          config_data['authentication']['radiusopt']['shaper']['vendor'] = c.return_value('authentication radius-settings rate-limit vendor') + +  if c.exists('sstp-settings ssl-certs ca'): +    config_data['certs']['ca'] = c.return_value('sstp-settings ssl-certs ca') +  if c.exists('sstp-settings ssl-certs server-cert'): +    config_data['certs']['server-cert'] = c.return_value('sstp-settings ssl-certs server-cert') +  if c.exists('sstp-settings ssl-certs server-key'): +    config_data['certs']['server-key'] = c.return_value('sstp-settings ssl-certs server-key') + +  if c.exists('network-settings client-ip-settings subnet'): +    config_data['ip_pool'] = c.return_values('network-settings client-ip-settings subnet') +  if c.exists('network-settings client-ip-settings gateway-address'): +    config_data['gw'] = c.return_value('network-settings client-ip-settings gateway-address') +  if c.exists('network-settings dns-server primary-dns'): +    config_data['dnsv4']['primary'] = c.return_value('network-settings dns-server primary-dns') +  if c.exists('network-settings dns-server secondary-dns'): +    config_data['dnsv4']['secondary'] = c.return_value('network-settings dns-server secondary-dns') +  if c.exists('network-settings mtu'): +    config_data['mtu'] = c.return_value('network-settings mtu') + +  #### ppp +  if c.exists('ppp-settings mppe'): +    config_data['ppp']['mppe'] = c.return_value('ppp-settings mppe') +  if c.exists('ppp-settings lcp-echo-failure'): +    config_data['ppp']['lcp-echo-failure'] = c.return_value('ppp-settings lcp-echo-failure') +  if c.exists('ppp-settings lcp-echo-interval'): +    config_data['ppp']['lcp-echo-interval'] = c.return_value('ppp-settings lcp-echo-interval') +  if c.exists('ppp-settings lcp-echo-timeout'): +    config_data['ppp']['lcp-echo-timeout'] = c.return_value('ppp-settings lcp-echo-timeout') + +  return config_data + +def verify(c): +  if c == None: +    return None +  ### vertify auth settings +  if c['authentication']['mode'] == 'local': +    if not c['authentication']['local-users']: +      raise ConfigError('sstp-server authentication local-users required') + +    for usr in c['authentication']['local-users']: +      if not c['authentication']['local-users'][usr]['passwd']: +        raise ConfigError('user ' + usr + ' requires a password') +      ### if up/download is set, check that both have a value +      if c['authentication']['local-users'][usr]['upload']: +        if not c['authentication']['local-users'][usr]['download']: +          raise ConfigError('user ' + usr + ' requires download speed value') +      if c['authentication']['local-users'][usr]['download']: +        if not c['authentication']['local-users'][usr]['upload']: +          raise ConfigError('user ' + usr + ' requires upload speed value') + +  if not c['certs']['ca'] or not c['certs']['server-key'] or not c['certs']['server-cert']: +    raise ConfigError('service sstp-server sstp-settings ssl-certs needs the ssl certificates set up') +  else: +    ssl_path = ssl_cert_dir + '/' +    if not os.path.exists(ssl_path + c['certs']['ca']): +      raise ConfigError('CA {0} doesn\'t exist'.format(ssl_path + c['certs']['ca'])) +    if not os.path.exists(ssl_path + c['certs']['server-cert']): +      raise ConfigError('SSL Cert {0} doesn\'t exist'.format(ssl_path + c['certs']['server-cert'])) +    if not os.path.exists(ssl_path + c['certs']['server-cert']): +      raise ConfigError('SSL Key {0} doesn\'t exist'.format(ssl_path + c['certs']['server-key'])) + +  if c['authentication']['mode'] == 'radius': +    if len(c['authentication']['radius-srv']) == 0: +      raise ConfigError('service sstp-server authentication radius-server needs a value') +    for rsrv in c['authentication']['radius-srv']: +      if c['authentication']['radius-srv'][rsrv]['secret'] == None: +        raise ConfigError('service sstp-server authentication radius-server {0} secret requires a value'.format(rsrv)) + +  if c['authentication']['mode'] == 'local': +    if not c['ip_pool']: +      print ("WARNING: service sstp-server network-settings client-ip-settings subnet requires a value")  +    if not c['gw']: +      print ("WARNING: service sstp-server network-settings client-ip-settings gateway-address requires a value") +   +def generate(c): +  if c == None: +    return None +   +  ### accel-cmd reload doesn't work so any change results in a restart of the daemon +  try: +    if os.cpu_count() == 1: +      c['thread_cnt'] = 1 +    else: +      c['thread_cnt'] = int(os.cpu_count()/2) +  except KeyError: +    if os.cpu_count() == 1: +      c['thread_cnt'] = 1 +    else: +      c['thread_cnt'] = int(os.cpu_count()/2) + +  tmpl = jinja2.Template(sstp_config, trim_blocks=True) +  config_text = tmpl.render(c) +  open(sstp_conf,'w').write(config_text) + +  if c['authentication']['local-users']: +    write_chap_secrets(c) + +  return c + +def apply(c): +  if c == None: +    if os.path.exists(pidfile): +      accel_cmd('shutdown hard') +      if os.path.exists(pidfile): +        os.remove(pidfile) +    return None + +  if not os.path.exists(pidfile): +    ret = subprocess.call(['/usr/sbin/accel-pppd','-c',sstp_conf,'-p',pidfile,'-d']) +    chk_con() +    if ret !=0 and os.path.exists(pidfile): +      os.remove(pidfile) +      raise ConfigError('accel-pppd failed to start') +  else: +    accel_cmd('restart') +    sl.syslog(sl.LOG_NOTICE, "reloading config via daemon restart") + +if __name__ == '__main__': +  try: +    c = get_config() +    verify(c) +    generate(c) +    apply(c) +  except ConfigError as e: +    print(e) +    sys.exit(1) | 
