create client

vpngen-cli.py

@@ -3,6 +3,7 @@
 from __future__ import print_function
 import argparse
 import json
+import os
 import sys
 import vpngen
 
@@ -14,7 +15,7 @@ def eprint(*args, **kwargs):
 def create_variables(variables, defaults):
     variables_set = defaults.copy()
     for variable in variables:
-        if variable == 'name':
+        if variable == 'name' or variable == 'client':
             continue
         default = variables_set[variable] if variable in variables_set else ''
         print("Enter a value for '%s' [%s]: " % (variable, default), end='', flush=True)
@@ -52,8 +53,14 @@ def main():
 
     vpng = vpngen.VpnGen(config['defaultConfigPath'], config['ovpnConfigPath'])
 
+    config_path = vpng.get_vpn_variables_path(vpn_name)
+    if os.path.exists(config_path):
+        with open(config_path, "r") as f:
+            data = json.load(f)
+        config['defaults'].update(data['variables'])
+
     if args.create:
-        variables = create_variables(vpng.get_vpn_vars(), config['defaults']['vpn'])
+        variables = create_variables(vpng.get_vpn_vars(), config['defaults'])
         res = vpng.create_vpn(vpn_name, variables)
         if res == vpngen.VpnGenError.Success:
             print("VPN %s created successfully" % vpn_name)
@@ -68,8 +75,11 @@ def main():
             eprint("Failed to remove VPN %s: %s" % (vpn_name, res))
             exit(1)
     elif args.create_client:
-        variables = create_variables(vpng.get_vpn_vars(), config['defaults']['vpn'])
-        res = vpng.create_client(vpn_name, client_name, variables)
+        variables = create_variables(vpng.get_client_vars(vpn_name), config['defaults'])
+        if variables is None:
+            res = vpngen.VpnGenError.VpnDoesNotExists
+        else:
+            res = vpng.create_client(vpn_name, client_name, variables)
         if res == vpngen.VpnGenError.Success:
             print("Client %s created successfully on VPN %s" % (client_name, vpn_name))
         else:

vpngen.py

@@ -1,3 +1,4 @@
+import json
 from enum import Enum
 import os
 import os.path
@@ -17,11 +18,13 @@ class VpnGenError(Enum):
 class VpnGen:
     default_config_base_dir = ""
     default_config_file = ""
+    default_client_config_file = ""
     ovpn_config_path = ""
 
     def __init__(self, default_config_path, ovpn_config_path):
         self.default_config_base_dir = os.path.abspath(default_config_path)
         self.default_config_file = "%s.conf" % self.default_config_base_dir
+        self.default_client_config_file = "%s%sclients%sclient.conf" % (self.default_config_base_dir, os.sep, os.sep)
         self.ovpn_config_path = os.path.abspath(ovpn_config_path)
 
     def f7(self, seq):
@@ -29,42 +32,86 @@ class VpnGen:
         seen_add = seen.add
         return [x for x in seq if not (x in seen or seen_add(x))]
 
-    def _find_vars(self, content):
-        variables = re.findall('\$\{([^}]+)}', content)
-        variables = self.f7(variables)
-        return variables
-
     def get_vpn_vars(self):
         with open(self.default_config_file, "r") as f:
             default_config = f.read()
-        variables = self._find_vars(default_config)
+
+        variables = re.findall('\$\{([^}]+)}', default_config)
         variables += ["KEY_COUNTRY", "KEY_PROVINCE", "KEY_CITY", "KEY_ORG", "KEY_EMAIL"]
+        variables = self.f7(variables)
+
         return variables
 
-    def create_vpn(self, vpn_name, variables):
-        base_dir = "%s%s%s" % (self.ovpn_config_path, os.sep, vpn_name)
-        conf_file = "%s.conf" % base_dir
-        if os.path.exists(base_dir) or os.path.exists(conf_file):
-            return VpnGenError.VpnAlreadyExists
+    def get_client_vars(self, vpn_name):
+        default_client_config_path = self.get_client_default_config_path(vpn_name)
+        if not os.path.exists(default_client_config_path):
+            return None
 
-        with open(self.default_config_file, "r") as f:
+        with open(default_client_config_path, "r") as f:
             default_config = f.read()
+        variables = re.findall('\$\{([^}]+)}', default_config)
+        variables = self.f7(variables)
 
-        variables['name'] = vpn_name
-        for variable in variables:
-            default_config = default_config.replace("${%s}" % variable, variables[variable])
+        return variables
 
-        os.makedirs(base_dir)
-        with open(conf_file, "w") as f:
-            f.write(default_config)
+    def get_base_dir(self, vpn_name):
+        return "%s%s%s%s" % (self.ovpn_config_path, os.sep, vpn_name, os.sep)
 
-        os.rmdir(base_dir)
-        shutil.copytree(self.default_config_base_dir, base_dir)
+    def get_config_path(self, vpn_name):
+        return "%s%s%s.conf" % (self.ovpn_config_path, os.sep, vpn_name)
 
-        curdir = os.curdir
-        easyrsadir = base_dir + os.sep + "easy-rsa" + os.sep
-        pkitool = easyrsadir + "pkitool"
-        os.chdir(easyrsadir)
+    def get_vpn_variables_path(self, vpn_name):
+        base_dir = self.get_base_dir(vpn_name)
+        return "%svpngen.json" % base_dir
+
+    def get_easy_rsa_dir(self, vpn_name):
+        base_dir = self.get_base_dir(vpn_name)
+        return "%seasy-rsa%s" % (base_dir, os.sep)
+
+    def get_easy_rsa_key_dir(self, vpn_name):
+        easyrsadir = self.get_easy_rsa_dir(vpn_name)
+        return "%skeys%s" % (easyrsadir, os.sep)
+
+    def get_pkitool_path(self, vpn_name):
+        easyrsadir = self.get_easy_rsa_dir(vpn_name)
+        return "%spkitool" % easyrsadir
+
+    def get_client_default_config_path(self, vpn_name):
+        base_dir = self.get_base_dir(vpn_name)
+        return "%s%sclients/client.conf" % (base_dir, os.sep)
+
+    def get_client_dir(self, vpn_name, client_name):
+        base_dir = self.get_base_dir(vpn_name)
+        return "%sclients%s%s%s" % (base_dir, os.sep, client_name, os.sep)
+
+    def get_client_config_path(self, vpn_name, client_name):
+        client_dir = self.get_client_dir(vpn_name, client_name)
+        return "%s%s-%s.conf" % (client_dir, client_name, vpn_name)
+
+    def get_client_generated_files_paths(self, vpn_name, client_name):
+        keys_dir = self.get_easy_rsa_key_dir(vpn_name,)
+        return [
+            "%s%s.crt" % (keys_dir, client_name),
+            "%s%s.key" % (keys_dir, client_name)
+        ]
+
+    def get_client_tarball_path(self, vpn_name, client_name):
+        base_dir = self.get_base_dir(vpn_name)
+        return "%sclients%s%s-%s.tar.bz2" % (base_dir, os.sep, client_name, vpn_name)
+
+    def get_server_needed_files_paths(self, vpn_name):
+        keys_dir = self.get_easy_rsa_key_dir(vpn_name)
+        return [
+            "%sca.crt" % keys_dir,
+            "%sta.key" % keys_dir
+        ]
+
+    def get_all_needed_files_paths(self, vpn_name, client_name):
+        return self.get_client_generated_files_paths(vpn_name, client_name) +\
+               self.get_server_needed_files_paths(vpn_name)
+
+    def setup_vars(self, vpn_name, variables):
+        easyrsadir = self.get_easy_rsa_dir(vpn_name)
 
         os.environ["KEY_COUNTRY"] = variables['KEY_COUNTRY']
         os.environ["KEY_PROVINCE"] = variables['KEY_PROVINCE']
@@ -82,23 +129,60 @@ class VpnGen:
         os.environ["OPENSSL"] = "openssl"
         os.environ["PKCS11TOOL"] = "pkcs11-tool"
         os.environ["GREP"] = "grep"
-        os.environ["KEY_CONFIG"] = easyrsadir + "openssl.cnf"
-        os.environ["KEY_DIR"] = easyrsadir + "keys"
+        os.environ["KEY_CONFIG"] = "%s%s" % (easyrsadir, "openssl.cnf")
+        os.environ["KEY_DIR"] = "%s%s" % (easyrsadir, "keys")
         os.environ["PKCS11_MODULE_PATH"] = "dummy"
         os.environ["PKCS11_PIN"] = "dummy"
 
-        call(["./clean-all"])
+    def create_vpn(self, vpn_name, variables):
+        base_dir = self.get_base_dir(vpn_name)
+        conf_file = self.get_config_path(vpn_name)
+        conf_vpngen_file = self.get_vpn_variables_path(vpn_name)
+        if os.path.exists(base_dir) or os.path.exists(conf_file):
+            return VpnGenError.VpnAlreadyExists
+
+        with open(self.default_config_file, "r") as f:
+            default_config = f.read()
+
+        variables['name'] = vpn_name
+        for variable in variables:
+            default_config = default_config.replace("${%s}" % variable, variables[variable])
+
+        os.makedirs(base_dir)
+        with open(conf_file, "w") as f:
+            f.write(default_config)
+
+        os.rmdir(base_dir)
+        shutil.copytree(self.default_config_base_dir, base_dir)
+
+        curdir = os.curdir
+        easyrsadir = self.get_easy_rsa_dir(vpn_name)
+        pkitool = self.get_pkitool_path(vpn_name)
+        os.chdir(easyrsadir)
+
+        self.setup_vars(vpn_name, variables)
+
+        call([".%sclean-all" % os.sep])
         call([pkitool, "--initca"])
         call([pkitool, "server"])
-        call(["./build-dh"])
+        call([".%sbuild-dh" % os.sep])
+        call(["openssl", "ca", "-gencrl",
+              "-keyfile", "keys%sca.key" % os.sep,
+              "-cert", "keys%sca.crt" % os.sep,
+              "-out", "keys%crl.pem" % os.sep,
+              "-config", "openssl.cnf"])
+        call(["openvpn", "--genkey", "--secret", "keys%sta.key" % os.sep])
+
+        with open(conf_vpngen_file, "w") as f:
+            json.dump({'variables': variables}, f, indent=4, separators=(',', ': '))
 
         os.chdir(curdir)
 
         return VpnGenError.Success
 
     def remove_vpn(self, vpn_name):
-        base_dir = "%s%s%s" % (self.ovpn_config_path, os.sep, vpn_name)
-        conf_file = "%s.conf" % base_dir
+        base_dir = self.get_base_dir(vpn_name)
+        conf_file = self.get_config_path(vpn_name)
         if not os.path.exists(base_dir) and not os.path.exists(conf_file):
             return VpnGenError.VpnDoesNotExists
         os.remove(conf_file)
@@ -106,10 +190,62 @@ class VpnGen:
         return VpnGenError.Success
 
     def create_client(self, vpn_name, client_name, variables):
-        return VpnGenError.ClientDoesNotExists
+        base_dir = self.get_base_dir(vpn_name)
+        client_conf_file = self.get_client_config_path(vpn_name, client_name)
+        if not os.path.exists(base_dir):
+            return VpnGenError.VpnDoesNotExists
+        client_dir = self.get_client_dir(vpn_name, client_name)
+        if os.path.exists(client_dir):
+            return VpnGenError.ClientAlreadyExists
+
+        client_default_config_path = self.get_client_default_config_path(vpn_name)
+        with open(client_default_config_path, "r") as f:
+            client_default_config = f.read()
+
+        variables['name'] = vpn_name
+        variables['client'] = client_name
+        for variable in variables:
+            client_default_config = client_default_config.replace("${%s}" % variable, variables[variable])
+
+        os.makedirs(client_dir)
+        with open(client_conf_file, "w") as f:
+            f.write(client_default_config)
+
+        curdir = os.curdir
+        easyrsadir = self.get_easy_rsa_dir(vpn_name)
+        pkitool = self.get_pkitool_path(vpn_name)
+        os.chdir(easyrsadir)
+
+        self.setup_vars(vpn_name, variables)
+        os.environ["KEY_CN"] = client_name
+        os.environ["KEY_NAME"] = client_name
+
+        call([pkitool, client_name])
+
+        os.chdir(curdir)
+
+        files_paths = self.get_all_needed_files_paths(vpn_name, client_name)
+        for file_path in files_paths:
+            split = os.path.splitext(file_path)
+            dest = "%s%s-%s%s" % (client_dir, os.path.basename(split[0]), vpn_name, split[1])
+            shutil.copy(file_path, dest)
+
+        files_names = list(map(lambda file_path: os.path.basename(file_path), files_paths))
+
+        call(["tar", "cfj", self.get_client_tarball_path(vpn_name, client_name),
+              "-C", self.get_easy_rsa_key_dir(vpn_name)] + files_names)
+
+        return VpnGenError.Success
 
     def remove_client(self, vpn_name, client_name):
-        return VpnGenError.ClientDoesNotExists
+        base_dir = self.get_base_dir(vpn_name)
+        if not os.path.exists(base_dir):
+            return VpnGenError.VpnDoesNotExists
+        client_dir = self.get_client_dir(vpn_name, client_name)
+        if not os.path.exists(client_dir):
+            return VpnGenError.ClientDoesNotExists
+        return VpnGenError.Success
 
     def rebuild_clients(self, vpn_name):
-        return VpnGenError.ClientDoesNotExists
+        base_dir = self.get_base_dir(vpn_name)
+        return VpnGenError.Success

vpngen/default.conf

@@ -1,4 +1,4 @@
-# Server TCP/443
+# Server TCP on ${hostname}
 mode server
 proto tcp-server
 port ${port}
@@ -6,16 +6,16 @@ dev ${dev}
 client-to-client
 
 # Keys and certificates
-ca /etc/openvpn/${name}/ca.crt
-cert /etc/openvpn/${name}/server.crt
-key /etc/openvpn/${name}/server.key
-dh /etc/openvpn/${name}/dh1024.pem
-tls-auth /etc/openvpn/${name}/ta.key 1
+ca /etc/openvpn/${name}/keys/ca.crt
+cert /etc/openvpn/${name}/keys/server.crt
+key /etc/openvpn/${name}/keys/server.key
+dh /etc/openvpn/${name}/keys/dh1024.pem
+tls-auth /etc/openvpn/${name}/keys/ta.key 1
 
 key-direction 0
 cipher AES-256-CBC
 crl-verify /etc/openvpn/${name}/easy-rsa/keys/crl.pem
-client-config-dir /etc/openvpn/${name}/clientsconf
+client-config-dir /etc/openvpn/${name}/client-config-dir
 
 # Network
 server ${net} ${mask}

vpngen/default/clients/client.conf

@@ -2,18 +2,18 @@
 client
 dev tun
 proto tcp-client
-remote 178.170.113.82 %%VPNPORT%%
+remote ${hostname} ${port}
 resolv-retry infinite
 cipher AES-256-CBC
 
-# Cles
-ca ca-%%VPNNAME%%.crt
-cert %%client%%-%%VPNNAME%%.crt
-key %%client%%-%%VPNNAME%%.key
-tls-auth ta-%%VPNNAME%%.key 1
+# Keys
+ca ca-${name}.crt
+cert ${client}-${name}.crt
+key ${client}-${name}.key
+tls-auth ta-${name}.key 1
 key-direction 1
 
-# Securite
+# Security
 nobind
 persist-key
 persist-tun

vpngen/vpngen.json

@@ -10,26 +10,21 @@
   "ovpnConfigPath": "/etc/openvpn",
 
   "defaults": {
-    "vpn": {
-      "port": "4242",
-      "hostname": "vpn.example.com",
-      "net": "10.0.0.0",
-      "mask": "255.255.255.0",
-      "dev": "tap",
-      "user": "root",
-      "group": "root",
+    "port": "4242",
+    "hostname": "vpn.example.com",
+    "net": "10.0.0.0",
+    "mask": "255.255.255.0",
+    "dev": "tap",
+    "user": "root",
+    "group": "root",
 
-      "KEY_COUNTRY": "COUNTRY",
-      "KEY_PROVINCE": "state",
-      "KEY_CITY": "City",
-      "KEY_ORG": "example",
-      "KEY_EMAIL": "root@example.com",
-      "KEY_SIZE": "1024",
-      "CA_EXPIRE": "3650",
-      "KEY_EXPIRE": "3650"
-    },
-    "client": {
-
-    }
+    "KEY_COUNTRY": "COUNTRY",
+    "KEY_PROVINCE": "state",
+    "KEY_CITY": "City",
+    "KEY_ORG": "example",
+    "KEY_EMAIL": "root@example.com",
+    "KEY_SIZE": "1024",
+    "CA_EXPIRE": "3650",
+    "KEY_EXPIRE": "3650"
   }
 }