summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/interfaces-ethernet.py2
-rwxr-xr-xsrc/conf_mode/interfaces-openvpn.py81
-rwxr-xr-xsrc/conf_mode/policy.py1
-rw-r--r--src/etc/systemd/system/openvpn@.service.d/override.conf4
-rwxr-xr-xsrc/op_mode/pki.py142
5 files changed, 105 insertions, 125 deletions
diff --git a/src/conf_mode/interfaces-ethernet.py b/src/conf_mode/interfaces-ethernet.py
index 21a04f954..e7250fb49 100755
--- a/src/conf_mode/interfaces-ethernet.py
+++ b/src/conf_mode/interfaces-ethernet.py
@@ -126,7 +126,7 @@ def verify(ethernet):
if not os.path.exists(f'/sys/class/net/{ifname}/queues/rx-0/rps_cpus'):
raise ConfigError('Interface does not suport RPS!')
- driver = EthernetIf(ifname).get_driver_name()
+ driver = ethtool.get_driver_name()
# T3342 - Xen driver requires special treatment
if driver == 'vif':
if int(ethernet['mtu']) > 1500 and dict_search('offload.sg', ethernet) == None:
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 6be4e918b..02b7f83bf 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -45,9 +45,10 @@ from vyos.template import is_ipv4
from vyos.template import is_ipv6
from vyos.util import call
from vyos.util import chown
-from vyos.util import chmod_600
from vyos.util import dict_search
from vyos.util import dict_search_args
+from vyos.util import makedir
+from vyos.util import write_file
from vyos.validate import is_addr_assigned
from vyos import ConfigError
@@ -80,9 +81,6 @@ def get_config(config=None):
openvpn['pki'] = tmp_pki
openvpn['auth_user_pass_file'] = '/run/openvpn/{ifname}.pw'.format(**openvpn)
- openvpn['daemon_user'] = user
- openvpn['daemon_group'] = group
-
return openvpn
def is_ec_private_key(pki, cert_name):
@@ -128,7 +126,7 @@ def verify_pki(openvpn):
if tls['ca_certificate'] not in pki['ca']:
raise ConfigError(f'Invalid CA certificate on openvpn interface {interface}')
- if not (mode == 'client' and 'auth_key' in tls):
+ if mode != 'client' and 'auth_key' not in tls:
if 'certificate' not in tls:
raise ConfigError(f'Missing "tls certificate" on openvpn interface {interface}')
@@ -449,7 +447,6 @@ def verify(openvpn):
def generate_pki_files(openvpn):
pki = openvpn['pki']
-
if not pki:
return None
@@ -457,16 +454,11 @@ def generate_pki_files(openvpn):
shared_secret_key = dict_search_args(openvpn, 'shared_secret_key')
tls = dict_search_args(openvpn, 'tls')
- files = []
-
if shared_secret_key:
pki_key = pki['openvpn']['shared_secret'][shared_secret_key]
key_path = os.path.join(cfg_dir, f'{interface}_shared.key')
-
- with open(key_path, 'w') as f:
- f.write(wrap_openvpn_key(pki_key['key']))
-
- files.append(key_path)
+ write_file(key_path, wrap_openvpn_key(pki_key['key']),
+ user=user, group=group)
if tls:
if 'ca_certificate' in tls:
@@ -475,20 +467,15 @@ def generate_pki_files(openvpn):
if 'certificate' in pki_ca:
cert_path = os.path.join(cfg_dir, f'{interface}_ca.pem')
-
- with open(cert_path, 'w') as f:
- f.write(wrap_certificate(pki_ca['certificate']))
-
- files.append(cert_path)
+ write_file(cert_path, wrap_certificate(pki_ca['certificate']),
+ user=user, group=group, mode=0o600)
if 'crl' in pki_ca:
for crl in pki_ca['crl']:
crl_path = os.path.join(cfg_dir, f'{interface}_crl.pem')
+ write_file(crl_path, wrap_crl(crl), user=user, group=group,
+ mode=0o600)
- with open(crl_path, 'w') as f:
- f.write(wrap_crl(crl))
-
- files.append(crl_path)
openvpn['tls']['crl'] = True
if 'certificate' in tls:
@@ -497,19 +484,14 @@ def generate_pki_files(openvpn):
if 'certificate' in pki_cert:
cert_path = os.path.join(cfg_dir, f'{interface}_cert.pem')
-
- with open(cert_path, 'w') as f:
- f.write(wrap_certificate(pki_cert['certificate']))
-
- files.append(cert_path)
+ write_file(cert_path, wrap_certificate(pki_cert['certificate']),
+ user=user, group=group, mode=0o600)
if 'private' in pki_cert and 'key' in pki_cert['private']:
key_path = os.path.join(cfg_dir, f'{interface}_cert.key')
+ write_file(key_path, wrap_private_key(pki_cert['private']['key']),
+ user=user, group=group, mode=0o600)
- with open(key_path, 'w') as f:
- f.write(wrap_private_key(pki_cert['private']['key']))
-
- files.append(key_path)
openvpn['tls']['private_key'] = True
if 'dh_params' in tls:
@@ -518,11 +500,8 @@ def generate_pki_files(openvpn):
if 'parameters' in pki_dh:
dh_path = os.path.join(cfg_dir, f'{interface}_dh.pem')
-
- with open(dh_path, 'w') as f:
- f.write(wrap_dh_parameters(pki_dh['parameters']))
-
- files.append(dh_path)
+ write_file(dh_path, wrap_dh_parameters(pki_dh['parameters']),
+ user=user, group=group, mode=0o600)
if 'auth_key' in tls:
key_name = tls['auth_key']
@@ -530,11 +509,8 @@ def generate_pki_files(openvpn):
if 'key' in pki_key:
key_path = os.path.join(cfg_dir, f'{interface}_auth.key')
-
- with open(key_path, 'w') as f:
- f.write(wrap_openvpn_key(pki_key['key']))
-
- files.append(key_path)
+ write_file(key_path, wrap_openvpn_key(pki_key['key']),
+ user=user, group=group, mode=0o600)
if 'crypt_key' in tls:
key_name = tls['crypt_key']
@@ -542,18 +518,17 @@ def generate_pki_files(openvpn):
if 'key' in pki_key:
key_path = os.path.join(cfg_dir, f'{interface}_crypt.key')
-
- with open(key_path, 'w') as f:
- f.write(wrap_openvpn_key(pki_key['key']))
-
- files.append(key_path)
-
- return files
+ write_file(key_path, wrap_openvpn_key(pki_key['key']),
+ user=user, group=group, mode=0o600)
def generate(openvpn):
interface = openvpn['ifname']
directory = os.path.dirname(cfg_file.format(**openvpn))
+ # create base config directory on demand
+ makedir(directory, user, group)
+ # enforce proper permissions on /run/openvpn
+ chown(directory, user, group)
# we can't know in advance which clients have been removed,
# thus all client configs will be removed and re-added on demand
@@ -565,12 +540,10 @@ def generate(openvpn):
return None
# create client config directory on demand
- if not os.path.exists(ccd_dir):
- os.makedirs(ccd_dir, 0o755)
- chown(ccd_dir, user, group)
+ makedir(ccd_dir, user, group)
# Fix file permissons for keys
- fix_permissions = generate_pki_files(openvpn)
+ generate_pki_files(openvpn)
# Generate User/Password authentication file
if 'authentication' in openvpn:
@@ -598,10 +571,6 @@ def generate(openvpn):
render(cfg_file.format(**openvpn), 'openvpn/server.conf.tmpl', openvpn,
formater=lambda _: _.replace(""", '"'), user=user, group=group)
- # Fixup file permissions
- for file in fix_permissions:
- chmod_600(file)
-
return None
def apply(openvpn):
diff --git a/src/conf_mode/policy.py b/src/conf_mode/policy.py
index d56bae9e9..1a03d520b 100755
--- a/src/conf_mode/policy.py
+++ b/src/conf_mode/policy.py
@@ -190,6 +190,7 @@ def apply(policy):
frr_cfg.modify_section(r'^bgp community-list .*')
frr_cfg.modify_section(r'^bgp extcommunity-list .*')
frr_cfg.modify_section(r'^bgp large-community-list .*')
+ frr_cfg.modify_section(r'^route-map .*')
frr_cfg.add_before('^line vty', policy['new_frr_config'])
frr_cfg.commit_configuration(bgp_daemon)
diff --git a/src/etc/systemd/system/openvpn@.service.d/override.conf b/src/etc/systemd/system/openvpn@.service.d/override.conf
index 7946484a3..03fe6b587 100644
--- a/src/etc/systemd/system/openvpn@.service.d/override.conf
+++ b/src/etc/systemd/system/openvpn@.service.d/override.conf
@@ -7,3 +7,7 @@ WorkingDirectory=
WorkingDirectory=/run/openvpn
ExecStart=
ExecStart=/usr/sbin/openvpn --daemon openvpn-%i --config %i.conf --status %i.status 30 --writepid %i.pid
+User=openvpn
+Group=openvpn
+AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
diff --git a/src/op_mode/pki.py b/src/op_mode/pki.py
index 36891d080..d28cee5d0 100755
--- a/src/op_mode/pki.py
+++ b/src/op_mode/pki.py
@@ -17,7 +17,6 @@
import argparse
import ipaddress
import os
-import re
import sys
import tabulate
@@ -44,12 +43,14 @@ auth_dir = '/config/auth'
conf = ConfigTreeQuery()
def get_default_values():
# Fetch default x509 values
-
base = ['pki', 'x509', 'default']
x509_defaults = conf.get_config_dict(base, key_mangling=('-', '_'),
- get_first_key=True, no_tag_node_value_mangle=True)
+ get_first_key=True,
+ no_tag_node_value_mangle=True)
default_values = defaults(base)
- return dict_merge(default_values, x509_defaults)
+ x509_defaults = dict_merge(default_values, x509_defaults)
+
+ return x509_defaults
def get_config_ca_certificate(name=None):
# Fetch ca certificates from config
@@ -63,7 +64,8 @@ def get_config_ca_certificate(name=None):
return False
return conf.get_config_dict(base, key_mangling=('-', '_'),
- get_first_key=True, no_tag_node_value_mangle=True)
+ get_first_key=True,
+ no_tag_node_value_mangle=True)
def get_config_certificate(name=None):
# Get certificates from config
@@ -77,7 +79,8 @@ def get_config_certificate(name=None):
return False
return conf.get_config_dict(base, key_mangling=('-', '_'),
- get_first_key=True, no_tag_node_value_mangle=True)
+ get_first_key=True,
+ no_tag_node_value_mangle=True)
def get_certificate_ca(cert, ca_certs):
# Find CA certificate for given certificate
@@ -103,12 +106,14 @@ def get_config_revoked_certificates():
if conf.exists(ca_base):
ca_certificates = conf.get_config_dict(ca_base, key_mangling=('-', '_'),
- get_first_key=True, no_tag_node_value_mangle=True)
+ get_first_key=True,
+ no_tag_node_value_mangle=True)
certs.extend(ca_certificates.values())
if conf.exists(cert_base):
certificates = conf.get_config_dict(cert_base, key_mangling=('-', '_'),
- get_first_key=True, no_tag_node_value_mangle=True)
+ get_first_key=True,
+ no_tag_node_value_mangle=True)
certs.extend(certificates.values())
return [cert_dict for cert_dict in certs if 'revoke' in cert_dict]
@@ -139,39 +144,41 @@ def get_revoked_by_serial_numbers(serial_numbers=[]):
def install_certificate(name, cert='', private_key=None, key_type=None, key_passphrase=None, is_ca=False):
# Show conf commands for installing certificate
prefix = 'ca' if is_ca else 'certificate'
- print("Configure mode commands to install:")
+ print('Configure mode commands to install:')
+ base = f"set pki {prefix} {name}"
if cert:
cert_pem = "".join(encode_certificate(cert).strip().split("\n")[1:-1])
- print("set pki %s %s certificate '%s'" % (prefix, name, cert_pem))
+ print(f"{base} certificate '{cert_pem}'")
if private_key:
key_pem = "".join(encode_private_key(private_key, passphrase=key_passphrase).strip().split("\n")[1:-1])
- print("set pki %s %s private key '%s'" % (prefix, name, key_pem))
+ print(f"{base} private key '{key_pem}'")
if key_passphrase:
- print("set pki %s %s private password-protected" % (prefix, name))
+ print(f"{base} private password-protected")
def install_crl(ca_name, crl):
# Show conf commands for installing crl
print("Configure mode commands to install CRL:")
crl_pem = "".join(encode_certificate(crl).strip().split("\n")[1:-1])
- print("set pki ca %s crl '%s'" % (ca_name, crl_pem))
+ print(f"set pki ca {ca_name} crl '{crl_pem}'")
def install_dh_parameters(name, params):
# Show conf commands for installing dh params
print("Configure mode commands to install DH parameters:")
dh_pem = "".join(encode_dh_parameters(params).strip().split("\n")[1:-1])
- print("set pki dh %s parameters '%s'" % (name, dh_pem))
+ print(f"set pki dh {name} parameters '{dh_pem}'")
def install_ssh_key(name, public_key, private_key, passphrase=None):
# Show conf commands for installing ssh key
key_openssh = encode_public_key(public_key, encoding='OpenSSH', key_format='OpenSSH')
username = os.getlogin()
type_key_split = key_openssh.split(" ")
+
+ base = f"set system login user {username} authentication public-keys {name}"
print("Configure mode commands to install SSH key:")
- print("set system login user %s authentication public-keys %s key '%s'" % (username, name, type_key_split[1]))
- print("set system login user %s authentication public-keys %s type '%s'" % (username, name, type_key_split[0]))
- print("")
+ print(f"{base} key '{type_key_split[1]}'")
+ print(f"{base} type '{type_key_split[0]}'", end="\n\n")
print(encode_private_key(private_key, encoding='PEM', key_format='OpenSSH', passphrase=passphrase))
def install_keypair(name, key_type, private_key=None, public_key=None, passphrase=None):
@@ -184,7 +191,7 @@ def install_keypair(name, key_type, private_key=None, public_key=None, passphras
if install_public_key:
install_public_pem = "".join(public_key_pem.strip().split("\n")[1:-1])
- print("set pki key-pair %s public key '%s'" % (name, install_public_pem))
+ print(f"set pki key-pair {name} public key '{install_public_pem}'")
else:
print("Public key:")
print(public_key_pem)
@@ -195,30 +202,31 @@ def install_keypair(name, key_type, private_key=None, public_key=None, passphras
if install_private_key:
install_private_pem = "".join(private_key_pem.strip().split("\n")[1:-1])
- print("set pki key-pair %s private key '%s'" % (name, install_private_pem))
+ print(f"set pki key-pair {name} private key '{install_private_pem}'")
if passphrase:
- print("set pki key-pair %s private password-protected" % (name,))
+ print(f"set pki key-pair {name} private password-protected")
else:
print("Private key:")
print(private_key_pem)
-def install_wireguard_key(name, private_key, public_key):
+def install_wireguard_key(interface, private_key, public_key):
# Show conf commands for installing wireguard key pairs
- is_interface = re.match(r'^wg[\d]+$', name)
-
- print("Configure mode commands to install key:")
- if is_interface:
- print("set interfaces wireguard %s private-key '%s'" % (name, private_key))
- print("")
- print("Public key for use on peer configuration: " + public_key)
- else:
- print("set interfaces wireguard [INTERFACE] peer %s public-key '%s'" % (name, public_key))
- print("")
- print("Private key for use on peer configuration: " + private_key)
-
-def install_wireguard_psk(name, psk):
+ from vyos.ifconfig import Section
+ if Section.section(interface) != 'wireguard':
+ print(f'"{interface}" is not a WireGuard interface name!')
+ exit(1)
+
+ print("Configure mode commands to install key:", end="\n\n")
+ print(f"set interfaces wireguard {interface} private-key '{private_key}'", end="\n\n")
+ print(f"Public key to use on peer system: '{public_key}'")
+
+def install_wireguard_psk(interface, peer, psk):
+ from vyos.ifconfig import Section
+ if Section.section(interface) != 'wireguard':
+ print(f'"{interface}" is not a WireGuard interface name!')
+ exit(1)
# Show conf commands for installing wireguard psk
- print("set interfaces wireguard [INTERFACE] peer %s preshared-key '%s'" % (name, psk))
+ print(f"set interfaces wireguard {interface} peer {peer} preshared-key '{psk}'")
def ask_passphrase():
passphrase = None
@@ -625,49 +633,37 @@ def generate_openvpn_key(name, install=False, file=False):
key_data = "".join(key_lines[1:-1]) # Remove wrapper tags and line endings
key_version = '1'
+ import re
version_search = re.search(r'BEGIN OpenVPN Static key V(\d+)', result) # Future-proofing (hopefully)
if version_search:
key_version = version_search[1]
+ base = f"set pki openvpn shared-secret {name}"
print("Configure mode commands to install OpenVPN key:")
- print("set pki openvpn shared-secret %s key '%s'" % (name, key_data))
- print("set pki openvpn shared-secret %s version '%s'" % (name, key_version))
+ print(f"{base} key '{key_data}'")
+ print(f"{base} version '{key_version}'")
if file:
write_file(f'{name}.key', result)
-def generate_wireguard_key(name, install=False, file=False):
+def generate_wireguard_key(interface=None, install=False):
private_key = cmd('wg genkey')
public_key = cmd('wg pubkey', input=private_key)
- if not install:
- print("Private key: " + private_key)
- print("Public key: " + public_key)
- return None
-
- if install:
- install_wireguard_key(name, private_key, public_key)
-
- if file:
- write_file(f'{name}_public.key', public_key)
- write_file(f'{name}_private.key', private_key)
+ if interface and install:
+ install_wireguard_key(interface, private_key, public_key)
+ else:
+ print(f'Private key: {private_key}')
+ print(f'Public key: {public_key}', end='\n\n')
-def generate_wireguard_psk(name, install=False, file=False):
+def generate_wireguard_psk(interface=None, peer=None, install=False):
psk = cmd('wg genpsk')
-
- if not install and not file:
- print("Pre-shared key:")
- print(psk)
- return None
-
- if install:
- install_wireguard_psk(name, psk)
-
- if file:
- write_file(f'{name}.key', psk)
+ if interface and peer and install:
+ install_wireguard_psk(interface, peer, psk)
+ else:
+ print(f'Pre-shared key: {psk}')
# Show functions
-
def show_certificate_authority(name=None):
headers = ['Name', 'Subject', 'Issuer CN', 'Issued', 'Expiry', 'Private Key', 'Parent']
data = []
@@ -784,10 +780,13 @@ if __name__ == '__main__':
# OpenVPN
parser.add_argument('--openvpn', help='OpenVPN TLS key', required=False)
- # Wireguard
+ # WireGuard
parser.add_argument('--wireguard', help='Wireguard', action='store_true')
- parser.add_argument('--key', help='Wireguard key pair', required=False)
- parser.add_argument('--psk', help='Wireguard pre shared key', required=False)
+ group = parser.add_mutually_exclusive_group()
+ group.add_argument('--key', help='Wireguard key pair', action='store_true', required=False)
+ group.add_argument('--psk', help='Wireguard pre shared key', action='store_true', required=False)
+ parser.add_argument('--interface', help='Install generated keys into running-config for named interface', action='store')
+ parser.add_argument('--peer', help='Install generated keys into running-config for peer', action='store')
# Global
parser.add_argument('--file', help='Write generated keys into specified filename', action='store_true')
@@ -809,21 +808,28 @@ if __name__ == '__main__':
generate_certificate_selfsign(args.certificate, install=args.install, file=args.file)
else:
generate_certificate_request(name=args.certificate, install=args.install, file=args.file)
+
elif args.crl:
generate_certificate_revocation_list(args.crl, install=args.install, file=args.file)
+
elif args.ssh:
generate_ssh_keypair(args.ssh, install=args.install, file=args.file)
+
elif args.dh:
generate_dh_parameters(args.dh, install=args.install, file=args.file)
+
elif args.keypair:
generate_keypair(args.keypair, install=args.install, file=args.file)
+
elif args.openvpn:
generate_openvpn_key(args.openvpn, install=args.install, file=args.file)
+
elif args.wireguard:
if args.key:
- generate_wireguard_key(args.key, install=args.install, file=args.file)
- elif args.psk:
- generate_wireguard_psk(args.psk, install=args.install, file=args.file)
+ generate_wireguard_key(args.interface, install=args.install)
+ if args.psk:
+ generate_wireguard_psk(args.interface, peer=args.peer, install=args.install)
+
elif args.action == 'show':
if args.ca:
show_certificate_authority(None if args.ca == 'all' else args.ca)
generated by cgit v1.2.3 (git 2.39.1) at 2024-10-21 08:39:28 +0000