begin new version

.gitignore

@@ -0,0 +1,94 @@
+# Created by .ignore support plugin (hsz.mobi)
+.idea
+
+### Python template
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+env/
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+*.egg-info/
+.installed.cfg
+*.egg
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*,cover
+.hypothesis/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# IPython Notebook
+.ipynb_checkpoints
+
+# pyenv
+.python-version
+
+# celery beat schedule file
+celerybeat-schedule
+
+# dotenv
+.env
+
+# virtualenv
+venv/
+ENV/
+
+# Spyder project settings
+.spyderproject
+
+# Rope project settings
+.ropeproject
+

.idea/vcs.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="VcsDirectoryMappings">
+    <mapping directory="$PROJECT_DIR$" vcs="Git" />
+  </component>
+</project>

example/iptables_vpn_internet

@@ -1 +0,0 @@
-iptables -t nat -s 10.8.0.0/24 -A POSTROUTING -j SNAT --to 178.170.113.82

example/vpn_internet.conf

@@ -1,35 +0,0 @@
-# Serveur TCP/443
-mode server
-proto tcp-server
-port 8080
-dev tun
-
-# Cles et certificats
-ca /etc/openvpn/vpn_internet/ca.crt
-cert /etc/openvpn/vpn_internet/server.crt
-key /etc/openvpn/vpn_internet/server.key
-dh /etc/openvpn/vpn_internet/dh1024.pem
-tls-auth /etc/openvpn/vpn_internet/ta.key 1
-
-key-direction 0
-cipher AES-256-CBC
-crl-verify /etc/openvpn/vpn_internet/easy-rsa/keys/crl.pem
-client-config-dir /etc/openvpn/vpn_internet/clientsconf
-
-# Reseau
-server 10.8.0.0 255.255.255.0
-push "redirect-gateway def1 bypass-dhcp"
-keepalive 10 120
-
-# Securite
-user www-data
-group ovpn-manager
-persist-key
-persist-tun
-comp-lzo
-
-# Log
-verb 1
-mute 20
-status /var/vpn.example.com/status-vpn_internet
-log-append /var/log/openvpn-vpn_internet.log

mkclient

@@ -1,14 +1,12 @@
 #!/bin/bash
 if [ $# -ne 3 ]
 then
-    echo "Usage: mkclient clientname password vpn" 1>&2
-    echo "password can be -p to show prompt" 1>&2
+    echo "Usage: mkclient clientname vpn" 1>&2
     exit 1
 fi
 
-pass="$2"
-vpn="$3"
-clientname="$1-${vpn}"
+vpn="${2}"
+clientname="${1}-${vpn}"
 vpn="vpn_${vpn}"
 if [ ! -d "/etc/openvpn/${vpn}" ]
 then
@@ -30,12 +28,6 @@ then
     exit 4
 fi
 
-if [ "${pass}" == "-p" ]
-then
-    echo -n "Password: "
-    read -s pass
-fi
-
 cd ..
 source ./vars
 KEY_CN="${clientname}" KEY_NAME="${clientname}" ./pkitool ${clientname}
@@ -56,14 +48,9 @@ cp ca.crt "$clientdir/ca-${vpn}.crt"
 cp ta.key "$clientdir/ta-${vpn}.key"
 echo "Creating client-${vpn}.conf"
 cd $clientsdir
+
 sed "s/%%client%%/${clientname}/g" client.conf > "$clientdir/${clientname}.conf"
 echo "Creating ${clientname}.tar.bz2"
-cd $clientdir
-tar cfj "${clientname}.tar.bz2" *
-echo "Creating symlink"
-ln -s "$clientdir${clientname}.tar.bz2" "$clientslinkdir${clientname}.tar.bz2"
-echo "Adding apache user"
-echo -e "<Files ${clientname}.tar.bz2>\n\tRequire user ${clientname} ovpn-root\n</Files>" >> $clientslinkdir'.htaccess'
-htpasswd -b "/var/vpn/${vpn}/.htpasswd" ${clientname} ${pass}
+tar cfj "${clientname}.tar.bz2" "${clientname}/"*
 echo "mkclient completed"
 exit 0

vpngen-cli.py

@@ -0,0 +1,82 @@
+#! /usr/bin/env python3
+
+from __future__ import print_function
+import argparse
+import json
+import sys
+import vpngen
+
+
+def eprint(*args, **kwargs):
+    print(*args, file=sys.stderr, **kwargs)
+
+
+def remove_vpn(vpng, vpn_name, force):
+    return 0
+
+def main():
+    parser = argparse.ArgumentParser(description='Manage OpenVPN VPNs')
+    parser.add_argument('--vpn', help='The VPN to use', required=True)
+    parser.add_argument('--config', dest='config', default='/etc/vpngen/vpngen.json', help='Configuration file path')
+
+    parser.add_argument('--create', help='Create a VPN', action='store_true')
+    parser.add_argument('--remove', help='Remove a VPN', action='store_true')
+    parser.add_argument('--create-client', help='Create a client for the VPN', metavar='CLIENT')
+    parser.add_argument('--remove-client', help='Remove a client for the VPN', metavar='CLIENT')
+    parser.add_argument('--rebuild-clients', help='Rebuild clients configurations', action='store_true')
+
+    args = parser.parse_args()
+
+    with open(args.config, "r") as f:
+        config = json.load(f)
+
+    vpn_name = config['vpnPrefix'] + args.vpn + config['vpnSuffix']
+    if args.create_client is not None:
+        client_name = args.create_client
+    elif args.remove_client is not None:
+        client_name = args.remove_client
+    else:
+        client_name = None
+    if client_name is not None:
+        client_name = config['clientPrefix'] + client_name + config['clientSuffix']
+
+    vpng = vpngen.VpnGen()
+
+    if args.create:
+        res = vpng.create_vpn(vpn_name)
+        if res == vpngen.VpnGenError.Success:
+            print("VPN %s created successfully" % vpn_name)
+        else:
+            eprint("Failed to create VPN %s: %s" % (vpn_name, res))
+            exit(1)
+    elif args.remove:
+        res = vpng.remove_vpn(vpn_name)
+        if res == vpngen.VpnGenError.Success:
+            print("VPN %s removed successfully" % vpn_name)
+        else:
+            eprint("Failed to remove VPN %s: %s" % (vpn_name, res))
+            exit(1)
+    elif args.create_client:
+        res = vpng.create_client(vpn_name, client_name)
+        if res == vpngen.VpnGenError.Success:
+            print("Client %s created successfully on VPN %s" % (client_name, vpn_name))
+        else:
+            eprint("Failed to create client %s on VPN %s: %s" % (client_name, vpn_name, res))
+            exit(1)
+    elif args.remove_client:
+        res = vpng.remove_client(vpn_name, client_name)
+        if res == vpngen.VpnGenError.Success:
+            print("Client %s removed successfully on VPN %s" % (client_name, vpn_name))
+        else:
+            eprint("Failed to remove client %s on VPN %s: %s" % (client_name, vpn_name, res))
+            exit(1)
+    elif args.rebuild_clients:
+        res = vpng.rebuild_clients(vpn_name)
+        if res == vpngen.VpnGenError.Success:
+            print("Clients configurations rebuilt successfully on VPN %s" % vpn_name)
+        else:
+            eprint("Failed to rebuild clients configuration on VPN %s: %s" % (vpn_name, res))
+            exit(1)
+
+
+main()

vpngen.py

@@ -0,0 +1,26 @@
+from enum import Enum
+
+
+class VpnGenError(Enum):
+    Success = 0,
+    VpnAlreadyExists = 1,
+    VpnDoesNotExists = 2,
+    ClientAlreadyExists = 3,
+    ClientDoesNotExists = 4
+
+
+class VpnGen:
+    def create_vpn(self, vpn_name):
+        return VpnGenError.ClientDoesNotExists
+
+    def remove_vpn(self, vpn_name):
+        return VpnGenError.ClientDoesNotExists
+
+    def create_client(self, vpn_name, client_name):
+        return VpnGenError.ClientDoesNotExists
+
+    def remove_client(self, vpn_name, client_name):
+        return VpnGenError.ClientDoesNotExists
+
+    def rebuild_clients(self, vpn_name):
+        return VpnGenError.ClientDoesNotExists

sampleconf → vpngen/default.conf

@@ -1,11 +1,11 @@
-# Serveur TCP/443
+# Server TCP/443
 mode server
 proto tcp-server
 port %%VPNPORT%%
 dev tun
 client-to-client
 
-# Cles et certificats
+# Keys and certificates
 ca /etc/openvpn/%%VPNNAME%%/ca.crt
 cert /etc/openvpn/%%VPNNAME%%/server.crt
 key /etc/openvpn/%%VPNNAME%%/server.key
@@ -17,11 +17,16 @@ cipher AES-256-CBC
 crl-verify /etc/openvpn/%%VPNNAME%%/easy-rsa/keys/crl.pem
 client-config-dir /etc/openvpn/%%VPNNAME%%/clientsconf
 
-# Reseau
+# Network
 server %%VPNIPRANGE%% 255.255.255.0
 keepalive 10 120
 
-# Securite
+# Uncomment this to redirect client internet traffic trough VPN
+# You'll also need to add iptables rules like
+# iptables -t nat -s %%internal_subnet%%/24 -A POSTROUTING -j SNAT --to %%out_ip%%
+#push "redirect-gateway def1 bypass-dhcp"
+
+# Security
 user www-data
 group ovpn-manager
 persist-key
@@ -32,4 +37,4 @@ comp-lzo
 verb 1
 mute 20
 status /var/vpn/status-%%VPNNAME%%
-#log-append /var/log/openvpn-%%VPNNAME%%.log
+log-append /var/log/openvpn-%%VPNNAME%%.log

vpngen/vpngen.json

@@ -0,0 +1,8 @@
+{
+  "vpnPrefix": "vpn_",
+  "vpnSuffix": "",
+  "clientPrefix": "",
+  "clientSuffix": "",
+
+  "defaultConfigPath": "/etc/vpngen/default"
+}