2019-07-08 14:36:56 +00:00
|
|
|
package main
|
|
|
|
|
|
|
|
import (
|
|
|
|
"bufio"
|
|
|
|
"errors"
|
|
|
|
"io"
|
|
|
|
"log"
|
|
|
|
"net"
|
2019-07-08 20:32:12 +00:00
|
|
|
"os"
|
2019-07-10 13:47:55 +00:00
|
|
|
"regexp"
|
|
|
|
"strconv"
|
2019-07-08 14:36:56 +00:00
|
|
|
"strings"
|
|
|
|
"sync"
|
|
|
|
)
|
|
|
|
|
|
|
|
// Server represents the server
|
|
|
|
type OpenVpnMgt struct {
|
2019-07-09 10:34:45 +00:00
|
|
|
Port string
|
2019-07-10 13:47:55 +00:00
|
|
|
buf map[string]*bufio.ReadWriter
|
2019-07-09 10:34:45 +00:00
|
|
|
m sync.RWMutex
|
|
|
|
ret chan []string
|
|
|
|
ldap map[string]ldapConfig
|
2019-07-10 13:47:55 +00:00
|
|
|
clients map[string]map[int]*vpnSession
|
2019-07-09 10:34:45 +00:00
|
|
|
authCa string
|
|
|
|
vpnlogUrl string
|
|
|
|
mailRelay string
|
|
|
|
MailFrom string
|
|
|
|
CcPwnPassword string
|
|
|
|
pwnTemplate string
|
|
|
|
newAsTemplate string
|
|
|
|
cacheDir string
|
|
|
|
syslog bool
|
|
|
|
otpMasterSecrets []string
|
2019-07-08 14:36:56 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// NewServer returns a pointer to a new server
|
|
|
|
func NewVPNServer(port string) *OpenVpnMgt {
|
|
|
|
return &OpenVpnMgt{
|
2019-07-10 13:47:55 +00:00
|
|
|
Port: port,
|
|
|
|
ret: make(chan []string),
|
|
|
|
ldap: make(map[string]ldapConfig),
|
|
|
|
buf: make(map[string]*bufio.ReadWriter),
|
|
|
|
clients: make(map[string]map[int]*vpnSession),
|
2019-07-08 14:36:56 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Run starts a the server
|
|
|
|
func (s *OpenVpnMgt) Run() {
|
|
|
|
// Resolve the passed port into an address
|
|
|
|
addrs, err := net.ResolveTCPAddr("tcp", s.Port)
|
|
|
|
if err != nil {
|
2019-07-08 20:32:12 +00:00
|
|
|
log.Println(err)
|
|
|
|
os.Exit(1)
|
2019-07-08 14:36:56 +00:00
|
|
|
}
|
|
|
|
// start listening to client connections
|
|
|
|
listener, err := net.ListenTCP("tcp", addrs)
|
|
|
|
if err != nil {
|
2019-07-08 20:32:12 +00:00
|
|
|
log.Println(err)
|
|
|
|
os.Exit(1)
|
2019-07-08 14:36:56 +00:00
|
|
|
}
|
|
|
|
// Infinite loop since we dont want the server to shut down
|
|
|
|
for {
|
|
|
|
// Accept the incomming connections
|
|
|
|
conn, err := listener.Accept()
|
|
|
|
if err != nil {
|
|
|
|
// continue accepting connection even if an error occurs (if error occurs dont shut down)
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
// run it as a go routine to allow multiple clients to connect at the same time
|
|
|
|
go s.handleConn(conn)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-07-10 13:47:55 +00:00
|
|
|
func (s *OpenVpnMgt) sendCommand(msg []string, remote string) (error, []string) {
|
|
|
|
if len(s.buf) == 0 {
|
|
|
|
return errors.New("No openvpn server present"), nil
|
2019-07-09 21:37:37 +00:00
|
|
|
}
|
2019-07-10 13:47:55 +00:00
|
|
|
for _, line := range msg {
|
|
|
|
log.Println(line)
|
|
|
|
if _, err := s.buf[remote].WriteString(line + "\r\n"); err != nil {
|
|
|
|
return err, nil
|
|
|
|
}
|
2019-07-08 23:44:18 +00:00
|
|
|
}
|
|
|
|
|
2019-07-10 13:47:55 +00:00
|
|
|
if err := s.buf[remote].Flush(); err != nil {
|
|
|
|
return err, nil
|
2019-07-08 23:44:18 +00:00
|
|
|
}
|
|
|
|
|
2019-07-10 13:47:55 +00:00
|
|
|
// wait for the response
|
|
|
|
ret := <-s.ret
|
|
|
|
return nil, ret
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *OpenVpnMgt) Help() (error, map[string]map[string]string) {
|
|
|
|
ret := make(map[string]map[string]string)
|
|
|
|
re := regexp.MustCompile("^(.*[^ ]) *: (.*)$")
|
|
|
|
for remote := range s.buf {
|
|
|
|
help := make(map[string]string)
|
|
|
|
err, msg := s.sendCommand([]string{"help"}, remote)
|
2019-07-09 10:34:45 +00:00
|
|
|
if err != nil {
|
2019-07-10 13:47:55 +00:00
|
|
|
return err, ret
|
2019-07-09 10:34:45 +00:00
|
|
|
}
|
2019-07-10 13:47:55 +00:00
|
|
|
for _, line := range msg {
|
|
|
|
match := re.FindStringSubmatch(line)
|
|
|
|
if len(match) == 0 {
|
2019-07-08 23:44:18 +00:00
|
|
|
continue
|
|
|
|
}
|
2019-07-10 13:47:55 +00:00
|
|
|
help[match[1]] = match[2]
|
2019-07-08 23:44:18 +00:00
|
|
|
}
|
2019-07-10 13:47:55 +00:00
|
|
|
ret[remote] = help
|
2019-07-09 21:37:37 +00:00
|
|
|
}
|
2019-07-10 13:47:55 +00:00
|
|
|
return nil, ret
|
2019-07-08 23:44:18 +00:00
|
|
|
}
|
|
|
|
|
2019-07-10 13:47:55 +00:00
|
|
|
func (s *OpenVpnMgt) Version() (error, map[string][]string) {
|
|
|
|
ret := make(map[string][]string)
|
|
|
|
for remote := range s.buf {
|
|
|
|
err, msg := s.sendCommand([]string{"version"}, remote)
|
|
|
|
if err != nil {
|
|
|
|
return err, ret
|
2019-07-08 14:36:56 +00:00
|
|
|
}
|
2019-07-10 13:47:55 +00:00
|
|
|
ret[remote] = msg
|
2019-07-08 14:36:56 +00:00
|
|
|
}
|
|
|
|
return nil, ret
|
|
|
|
}
|
|
|
|
|
2019-07-10 13:47:55 +00:00
|
|
|
func (s *OpenVpnMgt) ClientValidated(line, remote string) {
|
|
|
|
err, c := s.getClient(line, remote)
|
2019-07-08 14:36:56 +00:00
|
|
|
if err != nil {
|
2019-07-10 13:47:55 +00:00
|
|
|
log.Println(err, line)
|
|
|
|
return
|
2019-07-08 14:36:56 +00:00
|
|
|
}
|
2019-07-10 13:47:55 +00:00
|
|
|
<-s.ret
|
|
|
|
|
|
|
|
c.Status = "success"
|
|
|
|
|
|
|
|
log.Println(c)
|
2019-07-08 14:36:56 +00:00
|
|
|
}
|
|
|
|
|
2019-07-10 13:47:55 +00:00
|
|
|
func (s *OpenVpnMgt) ClientDisconnect(line, remote string) {
|
|
|
|
err, c := s.getClient(line, remote)
|
2019-07-08 14:36:56 +00:00
|
|
|
if err != nil {
|
2019-07-10 13:47:55 +00:00
|
|
|
log.Println(err)
|
|
|
|
return
|
2019-07-08 14:36:56 +00:00
|
|
|
}
|
|
|
|
|
2019-07-09 21:37:37 +00:00
|
|
|
<-s.ret
|
|
|
|
|
2019-07-10 13:47:55 +00:00
|
|
|
// if the disconnect is due to an auth failure, don't change the status
|
|
|
|
if c.Status == "success" {
|
|
|
|
c.Operation = "log out"
|
|
|
|
}
|
|
|
|
|
|
|
|
// Don't log the initial auth failure due to absence of OTP code
|
|
|
|
if c.Status != "Need OTP Code" {
|
|
|
|
c.Log()
|
|
|
|
}
|
|
|
|
|
|
|
|
defer delete(s.clients[remote], c.cID)
|
2019-07-09 21:37:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (s *OpenVpnMgt) getIP(c *vpnSession) (string, error) {
|
|
|
|
// TODO implement
|
|
|
|
ip := s.ldap[c.Profile].ipMin
|
|
|
|
|
|
|
|
return ip.String(), nil
|
2019-07-08 14:36:56 +00:00
|
|
|
}
|
|
|
|
|
2019-07-10 13:47:55 +00:00
|
|
|
func (s *OpenVpnMgt) ClientConnect(line, remote string) {
|
2019-07-09 21:37:37 +00:00
|
|
|
client := NewVPNSession("log in")
|
2019-07-10 13:47:55 +00:00
|
|
|
client.vpnserver = remote
|
2019-07-08 16:41:04 +00:00
|
|
|
client.ParseSessionId(line)
|
2019-07-10 13:47:55 +00:00
|
|
|
s.clients[remote][client.cID] = client
|
2019-07-08 16:41:04 +00:00
|
|
|
infos := <-s.ret
|
2019-07-09 21:37:37 +00:00
|
|
|
if err := client.ParseEnv(&infos); err != nil {
|
|
|
|
log.Println(err)
|
|
|
|
return
|
|
|
|
}
|
2019-07-08 16:41:04 +00:00
|
|
|
|
2019-07-10 13:47:55 +00:00
|
|
|
client.Auth(s)
|
|
|
|
}
|
2019-07-08 23:44:18 +00:00
|
|
|
|
2019-07-10 13:47:55 +00:00
|
|
|
// find a client among all registered sessions
|
|
|
|
func (s *OpenVpnMgt) getClient(line, remote string) (error, *vpnSession) {
|
|
|
|
re := regexp.MustCompile("^[^0-9]*,([0-9]+)[^0-9]*")
|
|
|
|
match := re.FindStringSubmatch(line)
|
|
|
|
if len(match) == 0 {
|
|
|
|
return errors.New("invalid message"), nil
|
2019-07-08 23:44:18 +00:00
|
|
|
}
|
2019-07-10 13:47:55 +00:00
|
|
|
id, err := strconv.Atoi(match[1])
|
|
|
|
if err != nil {
|
|
|
|
return err, nil
|
2019-07-08 23:44:18 +00:00
|
|
|
}
|
2019-07-10 13:47:55 +00:00
|
|
|
if _, ok := s.clients[remote]; !ok {
|
|
|
|
return errors.New("unknown vpn server"), nil
|
2019-07-09 21:37:37 +00:00
|
|
|
}
|
2019-07-10 13:47:55 +00:00
|
|
|
if c, ok := s.clients[remote][id]; ok {
|
|
|
|
return nil, c
|
|
|
|
}
|
|
|
|
return errors.New("unknown vpn client"), nil
|
2019-07-08 14:36:56 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (s *OpenVpnMgt) handleConn(conn net.Conn) {
|
2019-07-10 13:47:55 +00:00
|
|
|
remote := conn.RemoteAddr().String()
|
2019-07-08 14:36:56 +00:00
|
|
|
|
2019-07-10 13:47:55 +00:00
|
|
|
defer conn.Close()
|
|
|
|
defer delete(s.buf, remote)
|
|
|
|
defer delete(s.clients, remote)
|
2019-07-08 14:36:56 +00:00
|
|
|
|
|
|
|
// we store the buffer pointer in the struct, to be accessed from other methods
|
2019-07-10 13:47:55 +00:00
|
|
|
s.buf[remote] = bufio.NewReadWriter(bufio.NewReader(conn), bufio.NewWriter(conn))
|
|
|
|
s.clients[remote] = make(map[int]*vpnSession)
|
2019-07-08 14:36:56 +00:00
|
|
|
|
|
|
|
// most response are multilined, use response to concatenate them
|
|
|
|
response := []string{}
|
|
|
|
|
2019-07-10 13:47:55 +00:00
|
|
|
// remove bogus clients
|
|
|
|
line, err := s.buf[remote].ReadString('\n')
|
|
|
|
if err != nil {
|
|
|
|
log.Println(err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if line != ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info\r\n" {
|
|
|
|
log.Println("Bogus Client")
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// ask for statistics
|
|
|
|
if _, err := s.buf[remote].WriteString("bytecount 10\r\n"); err != nil {
|
|
|
|
log.Println(err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if err := s.buf[remote].Flush(); err != nil {
|
|
|
|
log.Println(err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if line, err := s.buf[remote].ReadString('\n'); err != nil ||
|
|
|
|
line != "SUCCESS: bytecount interval changed\r\n" {
|
|
|
|
log.Println("Bogus Client")
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
log.Println("Valid openvpn connected from %s", remote)
|
|
|
|
|
2019-07-08 14:36:56 +00:00
|
|
|
for {
|
2019-07-10 13:47:55 +00:00
|
|
|
line, err := s.buf[remote].ReadString('\n')
|
2019-07-08 14:36:56 +00:00
|
|
|
|
|
|
|
// manage basic errors
|
|
|
|
switch {
|
|
|
|
case err == io.EOF:
|
|
|
|
log.Println("Reached EOF - close this connection.\n")
|
|
|
|
return
|
|
|
|
case err != nil:
|
|
|
|
log.Println("Error reading line. Got: '"+line+"'\n", err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
line = strings.Trim(line, "\n\r ")
|
|
|
|
|
2019-07-10 13:47:55 +00:00
|
|
|
// manage exit commands
|
|
|
|
for _, terminator := range []string{"quit", "exit"} {
|
|
|
|
if line == terminator || strings.HasPrefix(line, terminator+" ") {
|
|
|
|
log.Println("server disconnected")
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-07-09 21:37:37 +00:00
|
|
|
// manage all "terminator" lines
|
|
|
|
for _, terminator := range []string{"END", ">CLIENT:ENV,END", "SUCCESS"} {
|
|
|
|
if strings.HasPrefix(line, terminator) {
|
|
|
|
s.ret <- response
|
|
|
|
response = nil
|
2019-07-10 13:47:55 +00:00
|
|
|
line = ""
|
2019-07-09 21:37:37 +00:00
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-07-08 14:36:56 +00:00
|
|
|
switch {
|
2019-07-10 13:47:55 +00:00
|
|
|
// command successfull, we can ignore
|
2019-07-08 16:41:04 +00:00
|
|
|
case strings.HasPrefix(line, ">SUCCESS: client-deny command succeeded"):
|
2019-07-08 14:36:56 +00:00
|
|
|
|
2019-07-10 13:47:55 +00:00
|
|
|
// trafic stats
|
|
|
|
case strings.HasPrefix(line, ">BYTECOUNT_CLI"):
|
|
|
|
//TODO use that
|
|
|
|
|
2019-07-08 14:36:56 +00:00
|
|
|
// new bloc for a disconnect event.
|
|
|
|
// We start the receiving handler, which will wait for the Channel message
|
|
|
|
case strings.HasPrefix(line, ">CLIENT:DISCONNECT"):
|
2019-07-10 13:47:55 +00:00
|
|
|
go s.ClientDisconnect(line, remote)
|
2019-07-08 14:36:56 +00:00
|
|
|
|
|
|
|
// new bloc for a connect event.
|
|
|
|
// We start the receiving handler, which will wait for the Channel message
|
2019-07-09 21:37:37 +00:00
|
|
|
case strings.HasPrefix(line, ">CLIENT:ADDRESS"):
|
2019-07-10 13:47:55 +00:00
|
|
|
go s.ClientValidated(line, remote)
|
2019-07-09 21:37:37 +00:00
|
|
|
|
2019-07-08 14:36:56 +00:00
|
|
|
case strings.HasPrefix(line, ">CLIENT:CONNECT"):
|
2019-07-10 13:47:55 +00:00
|
|
|
go s.ClientConnect(line, remote)
|
2019-07-08 14:36:56 +00:00
|
|
|
|
|
|
|
default:
|
|
|
|
response = append(response, line)
|
|
|
|
}
|
2019-07-10 13:47:55 +00:00
|
|
|
// TODO remove this
|
|
|
|
if strings.Index(line, "password") == -1 {
|
|
|
|
log.Print(line)
|
|
|
|
}
|
2019-07-08 14:36:56 +00:00
|
|
|
}
|
|
|
|
}
|