euclide
/
openvpn-mgt
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

should work with multiple openvpn servers 

the goal is to have an udp instance, and a tcp/443 one

can handle connected and disconnected messages
This commit is contained in:
Xavier Henner 2019-07-10 15:47:55 +02:00
parent 274e824630
commit 44cfdea6ed
4 changed files with 339 additions and 199 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
logs.go Normal file
View File

@ -0,0 +1,11 @@
package main
import (
"log"
)
func (c *vpnSession) Log() error {
//TODO get asname & shit
log.Println(c)
return nil
}

8
otp.go
View File

@ -13,6 +13,14 @@ func (s *OpenVpnMgt) GenerateOTP(user string) ([]string, error) {
// return s.GenerateOTPGeneric(user, 60, "sha256", 30, 8) // return s.GenerateOTPGeneric(user, 60, "sha256", 30, 8)
// } // }
func (s *OpenVpnMgt) TokenPassword(c *vpnSession) (bool, string) {
//TODO implement that correcly
if c.password == "maith1wiePuw3ieb4heiNie5y" {
return true, "maith1wiePuw3ieb4heiNie5y"
}
return false, "maith1wiePuw3ieb4heiNie5y"
}
func (s *OpenVpnMgt) GenerateOTPGeneric(user string, period int, algo string, secretLen int, digits int) ([]string, error) { func (s *OpenVpnMgt) GenerateOTPGeneric(user string, period int, algo string, secretLen int, digits int) ([]string, error) {
codes := []string{} codes := []string{}
now := time.Now() now := time.Now()

323
vpnserver.go
View File

@ -3,11 +3,12 @@ package main
import ( import (
"bufio" "bufio"
"errors" "errors"
"fmt"
"io" "io"
"log" "log"
"net" "net"
"os" "os"
"regexp"
"strconv"
"strings" "strings"
"sync" "sync"
) )
@ -15,11 +16,11 @@ import (
// Server represents the server // Server represents the server
type OpenVpnMgt struct { type OpenVpnMgt struct {
Port string Port string
buf *bufio.ReadWriter buf map[string]*bufio.ReadWriter
connected bool
m sync.RWMutex m sync.RWMutex
ret chan []string ret chan []string
ldap map[string]ldapConfig ldap map[string]ldapConfig
clients map[string]map[int]*vpnSession
authCa string authCa string
vpnlogUrl string vpnlogUrl string
mailRelay string mailRelay string
@ -38,6 +39,8 @@ func NewVPNServer(port string) *OpenVpnMgt {
Port: port, Port: port,
ret: make(chan []string), ret: make(chan []string),
ldap: make(map[string]ldapConfig), ldap: make(map[string]ldapConfig),
buf: make(map[string]*bufio.ReadWriter),
clients: make(map[string]map[int]*vpnSession),
} }
} }
@ -68,129 +71,18 @@ func (s *OpenVpnMgt) Run() {
} }
} }
func (s *OpenVpnMgt) TokenPassword(c *vpnSession) (bool, string) { func (s *OpenVpnMgt) sendCommand(msg []string, remote string) (error, []string) {
//TODO implement that correcly if len(s.buf) == 0 {
if c.password == "maith1wiePuw3ieb4heiNie5y" {
return true, "maith1wiePuw3ieb4heiNie5y"
}
return false, "maith1wiePuw3ieb4heiNie5y"
}
// main authentication function.
// returns 0 if auth is valid
// returns 1 if an TOTP code is necessary
// returns a negative if auth is not valid
func (s *OpenVpnMgt) Auth(c *vpnSession) (error, int) {
// an empty password is not good
if c.password == "" {
return errors.New("Empty Password"), -1
}
// check if the password is a valid token (see TOTP request)
tokenPasswordOk, tokenPassword := s.TokenPassword(c)
// password is a token. We remove it from the session object to
// avoid checking it against the ldap
if tokenPasswordOk {
c.password = ""
}
// if the otp is not empty, we check it against the valid codes as soon as
// possible
otpvalidated := false
if c.otpCode != "" {
codes, err := s.GenerateOTP(c.Login)
if err != nil {
return err, -2
}
for _, possible := range codes {
if possible == c.otpCode {
otpvalidated = true
}
}
}
c.Profile = ""
login := []string{c.Login}
pass := c.password
for {
n := c.Profile
for k, ldap := range s.ldap {
if ldap.upgradeFrom != c.Profile {
continue
}
err, userOk, passOk, secondary := ldap.Auth(login, pass)
// if there is an error, try the other configurations
if err != nil {
log.Println(err)
continue
}
// we did find a valid User
if userOk {
// the login for the new auth level is given by the current one
login = secondary
if c.Mail == "" {
c.Mail = secondary[0]
}
if passOk && c.Profile != "" {
// it's at least the second auth level, and we have a valid
// password on 2 different auth system. It's a dupplicate
// password, let's log it
log.Printf("User %s has a dupplicate password\n", c.Login)
}
// we have either a positive auth ok a previous valid one
if passOk || c.Profile != "" || tokenPasswordOk {
c.Profile = k
}
}
}
// no profile update this turn, no need to continue
if n == c.Profile {
break
}
}
// no profile validated, we stop here
if c.Profile == "" {
return errors.New("Authentication Failed"), -3
}
// check the MFA requested by the secured profile
switch s.ldap[c.Profile].mfaType {
case "internal":
if otpvalidated {
return nil, 0
}
c.password = tokenPassword
return errors.New("Need OTP Code"), 1
case "okta":
//TODO implement okta MFA
return nil, -4
}
// no MFA requested, the login is valid
return nil, 0
}
func (s *OpenVpnMgt) sendCommand(msg []string) (error, []string) {
if !s.connected {
return errors.New("No openvpn server present"), nil return errors.New("No openvpn server present"), nil
} }
for _, line := range msg { for _, line := range msg {
log.Println(line) log.Println(line)
if _, err := s.buf.WriteString(line + "\r\n"); err != nil { if _, err := s.buf[remote].WriteString(line + "\r\n"); err != nil {
return err, nil return err, nil
} }
} }
if err := s.buf.Flush(); err != nil { if err := s.buf[remote].Flush(); err != nil {
return err, nil return err, nil
} }
@ -199,30 +91,72 @@ func (s *OpenVpnMgt) sendCommand(msg []string) (error, []string) {
return nil, ret return nil, ret
} }
func (s *OpenVpnMgt) Help() (error, []string) { func (s *OpenVpnMgt) Help() (error, map[string]map[string]string) {
err, msg := s.sendCommand([]string{"help"}) ret := make(map[string]map[string]string)
re := regexp.MustCompile("^(.*[^ ]) *: (.*)$")
for remote := range s.buf {
help := make(map[string]string)
err, msg := s.sendCommand([]string{"help"}, remote)
if err != nil { if err != nil {
return err, nil return err, ret
} }
return nil, msg for _, line := range msg {
match := re.FindStringSubmatch(line)
if len(match) == 0 {
continue
}
help[match[1]] = match[2]
}
ret[remote] = help
}
return nil, ret
} }
func (s *OpenVpnMgt) Version() (error, []string) { func (s *OpenVpnMgt) Version() (error, map[string][]string) {
err, msg := s.sendCommand([]string{"version"}) ret := make(map[string][]string)
for remote := range s.buf {
err, msg := s.sendCommand([]string{"version"}, remote)
if err != nil { if err != nil {
return err, nil return err, ret
} }
return nil, msg ret[remote] = msg
}
return nil, ret
} }
func (s *OpenVpnMgt) ClientValidated(line string) { func (s *OpenVpnMgt) ClientValidated(line, remote string) {
//TODO manage that : find the client, log stuff err, c := s.getClient(line, remote)
if err != nil {
log.Println(err, line)
return
}
<-s.ret <-s.ret
c.Status = "success"
log.Println(c)
}
func (s *OpenVpnMgt) ClientDisconnect(line, remote string) {
err, c := s.getClient(line, remote)
if err != nil {
log.Println(err)
return
} }
func (s *OpenVpnMgt) ClientDisconnect(line string) {
//TODO manage that : find the client, log stuff
<-s.ret <-s.ret
// if the disconnect is due to an auth failure, don't change the status
if c.Status == "success" {
c.Operation = "log out"
}
// Don't log the initial auth failure due to absence of OTP code
if c.Status != "Need OTP Code" {
c.Log()
}
defer delete(s.clients[remote], c.cID)
} }
func (s *OpenVpnMgt) getIP(c *vpnSession) (string, error) { func (s *OpenVpnMgt) getIP(c *vpnSession) (string, error) {
@ -232,124 +166,141 @@ func (s *OpenVpnMgt) getIP(c *vpnSession) (string, error) {
return ip.String(), nil return ip.String(), nil
} }
func (s *OpenVpnMgt) ClientConnect(line string) { func (s *OpenVpnMgt) ClientConnect(line, remote string) {
var cmd []string
var ip string
var errIP error
client := NewVPNSession("log in") client := NewVPNSession("log in")
client.vpnserver = remote
client.ParseSessionId(line) client.ParseSessionId(line)
s.clients[remote][client.cID] = client
infos := <-s.ret infos := <-s.ret
if err := client.ParseEnv(&infos); err != nil { if err := client.ParseEnv(&infos); err != nil {
log.Println(err) log.Println(err)
return return
} }
err, ok := s.Auth(client) client.Auth(s)
// if auth is ok, time to get an IP address
if ok == 0 {
ip, errIP = s.getIP(client)
if errIP != nil {
ok = -10
err = errIP
}
} }
switch { // find a client among all registered sessions
case ok == 0: func (s *OpenVpnMgt) getClient(line, remote string) (error, *vpnSession) {
cmd = []string{ re := regexp.MustCompile("^[^0-9]*,([0-9]+)[^0-9]*")
fmt.Sprintf("client-auth %d %d", client.cID, client.kID), match := re.FindStringSubmatch(line)
fmt.Sprintf("ifconfig-push %s %s", ip, client.localIP), if len(match) == 0 {
return errors.New("invalid message"), nil
} }
for _, r := range s.ldap[client.Profile].routes { id, err := strconv.Atoi(match[1])
cmd = append(cmd, fmt.Sprintf("push \"route %s vpn_gateway\"", r)) if err != nil {
return err, nil
} }
cmd = append(cmd, "END") if _, ok := s.clients[remote]; !ok {
return errors.New("unknown vpn server"), nil
case ok < 0:
cmd = []string{fmt.Sprintf("client-deny %d %d \"%s\" \"%s\"",
client.cID, client.kID, err, err)}
case ok == 1:
cmd = []string{fmt.Sprintf(
"client-deny %d %d \"Need OTP\" \"CRV1:R,E:%s:%s:OTP Code \"",
client.cID, client.kID, client.password, client.b64Login())}
} }
if c, ok := s.clients[remote][id]; ok {
if err, _ := s.sendCommand(cmd); err != nil { return nil, c
log.Println(err)
} }
return errors.New("unknown vpn client"), nil
return
} }
func (s *OpenVpnMgt) handleConn(conn net.Conn) { func (s *OpenVpnMgt) handleConn(conn net.Conn) {
defer conn.Close() remote := conn.RemoteAddr().String()
// we don't want multiple connexions, only one openvpn server at a time defer conn.Close()
s.m.Lock() defer delete(s.buf, remote)
if s.connected { defer delete(s.clients, remote)
conn.Write([]byte("Sorry, only one server allowed\n"))
s.m.Unlock()
return
}
s.connected = true
s.m.Unlock()
// we store the buffer pointer in the struct, to be accessed from other methods // we store the buffer pointer in the struct, to be accessed from other methods
s.buf = bufio.NewReadWriter(bufio.NewReader(conn), bufio.NewWriter(conn)) s.buf[remote] = bufio.NewReadWriter(bufio.NewReader(conn), bufio.NewWriter(conn))
s.clients[remote] = make(map[int]*vpnSession)
// most response are multilined, use response to concatenate them // most response are multilined, use response to concatenate them
response := []string{} response := []string{}
// remove bogus clients
line, err := s.buf[remote].ReadString('\n')
if err != nil {
log.Println(err)
return
}
if line != ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info\r\n" {
log.Println("Bogus Client")
return
}
// ask for statistics
if _, err := s.buf[remote].WriteString("bytecount 10\r\n"); err != nil {
log.Println(err)
return
}
if err := s.buf[remote].Flush(); err != nil {
log.Println(err)
return
}
if line, err := s.buf[remote].ReadString('\n'); err != nil ||
line != "SUCCESS: bytecount interval changed\r\n" {
log.Println("Bogus Client")
return
}
log.Println("Valid openvpn connected from %s", remote)
for { for {
line, err := s.buf.ReadString('\n') line, err := s.buf[remote].ReadString('\n')
// manage basic errors // manage basic errors
switch { switch {
case err == io.EOF: case err == io.EOF:
log.Println("Reached EOF - close this connection.\n") log.Println("Reached EOF - close this connection.\n")
s.connected = false
return return
case err != nil: case err != nil:
log.Println("Error reading line. Got: '"+line+"'\n", err) log.Println("Error reading line. Got: '"+line+"'\n", err)
s.connected = false
return return
} }
line = strings.Trim(line, "\n\r ") line = strings.Trim(line, "\n\r ")
// manage exit commands
for _, terminator := range []string{"quit", "exit"} {
if line == terminator || strings.HasPrefix(line, terminator+" ") {
log.Println("server disconnected")
return
}
}
// manage all "terminator" lines // manage all "terminator" lines
for _, terminator := range []string{"END", ">CLIENT:ENV,END", "SUCCESS"} { for _, terminator := range []string{"END", ">CLIENT:ENV,END", "SUCCESS"} {
if strings.HasPrefix(line, terminator) { if strings.HasPrefix(line, terminator) {
s.ret <- response s.ret <- response
response = nil response = nil
line = ""
break break
} }
} }
switch { switch {
// a new openvpn server is connected // command successfull, we can ignore
case strings.HasPrefix(line, ">INFO"):
// command sucessfull, we can ignore
case strings.HasPrefix(line, ">SUCCESS: client-deny command succeeded"): case strings.HasPrefix(line, ">SUCCESS: client-deny command succeeded"):
// trafic stats
case strings.HasPrefix(line, ">BYTECOUNT_CLI"):
//TODO use that
// new bloc for a disconnect event. // new bloc for a disconnect event.
// We start the receiving handler, which will wait for the Channel message // We start the receiving handler, which will wait for the Channel message
case strings.HasPrefix(line, ">CLIENT:DISCONNECT"): case strings.HasPrefix(line, ">CLIENT:DISCONNECT"):
go s.ClientDisconnect(line) go s.ClientDisconnect(line, remote)
// new bloc for a connect event. // new bloc for a connect event.
// We start the receiving handler, which will wait for the Channel message // We start the receiving handler, which will wait for the Channel message
case strings.HasPrefix(line, ">CLIENT:ADDRESS"): case strings.HasPrefix(line, ">CLIENT:ADDRESS"):
go s.ClientValidated(line) go s.ClientValidated(line, remote)
case strings.HasPrefix(line, ">CLIENT:CONNECT"): case strings.HasPrefix(line, ">CLIENT:CONNECT"):
go s.ClientConnect(line) go s.ClientConnect(line, remote)
default: default:
response = append(response, line) response = append(response, line)
} }
// TODO remove this
if strings.Index(line, "password") == -1 {
log.Print(line) log.Print(line)
} }
} }
}

180
vpnsession.go
View File

@ -3,6 +3,9 @@ package main
import ( import (
"encoding/base64" "encoding/base64"
"encoding/json" "encoding/json"
"errors"
"fmt"
"log"
"os" "os"
"regexp" "regexp"
"strconv" "strconv"
@ -33,6 +36,7 @@ type vpnSession struct {
password string `json:"-"` password string `json:"-"`
otpCode string `json:"-"` otpCode string `json:"-"`
localIP string `json:"-"` localIP string `json:"-"`
vpnserver string `json:"-"`
} }
func NewVPNSession(operation string) *vpnSession { func NewVPNSession(operation string) *vpnSession {
@ -46,6 +50,13 @@ func NewVPNSession(operation string) *vpnSession {
return &v return &v
} }
func (c *vpnSession) String() string {
if res, err := json.MarshalIndent(c, " ", " "); err == nil {
return string(res)
}
return ""
}
func (c *vpnSession) b64Login() string { func (c *vpnSession) b64Login() string {
return base64.StdEncoding.EncodeToString([]byte(c.Login)) return base64.StdEncoding.EncodeToString([]byte(c.Login))
} }
@ -92,6 +103,9 @@ func (c *vpnSession) ParseEnv(infos *[]string) error {
} }
c.password = split[2] c.password = split[2]
c.otpCode = split[4] c.otpCode = split[4]
if c.otpCode == "" {
c.otpCode = "***"
}
case strings.HasPrefix(p[1], "SCRV1"): case strings.HasPrefix(p[1], "SCRV1"):
split := strings.Split(p[1], ":") split := strings.Split(p[1], ":")
@ -106,13 +120,18 @@ func (c *vpnSession) ParseEnv(infos *[]string) error {
data, err = base64.StdEncoding.DecodeString(split[2]) data, err = base64.StdEncoding.DecodeString(split[2])
if err != nil { if err != nil {
c.password = p[1]
break break
} }
c.otpCode = string(data) c.otpCode = string(data)
if c.otpCode == "" {
c.otpCode = "***"
}
default: default:
c.password = p[1] c.password = p[1]
c.otpCode = "***" c.otpCode = ""
} }
case "username": case "username":
@ -124,9 +143,160 @@ func (c *vpnSession) ParseEnv(infos *[]string) error {
return nil return nil
} }
func (c *vpnSession) String() string { func (c *vpnSession) Auth(s *OpenVpnMgt) {
if res, err := json.MarshalIndent(c, " ", " "); err == nil { var cmd []string
return string(res) var ip string
var errIP error
err, ok := c.auth(s)
// if auth is ok, time to get an IP address
if ok == 0 {
ip, errIP = s.getIP(c)
if errIP != nil {
ok = -10
err = errIP
} }
return "" }
switch {
case ok == 0:
cmd = []string{
fmt.Sprintf("client-auth %d %d", c.cID, c.kID),
fmt.Sprintf("ifconfig-push %s %s", ip, c.localIP),
}
for _, r := range s.ldap[c.Profile].routes {
cmd = append(cmd, fmt.Sprintf("push \"route %s vpn_gateway\"", r))
}
cmd = append(cmd, "END")
case ok < 0:
cmd = []string{fmt.Sprintf("client-deny %d %d \"%s\" \"%s\"",
c.cID, c.kID, err, err)}
case ok == 1:
cmd = []string{fmt.Sprintf(
"client-deny %d %d \"Need OTP\" \"CRV1:R,E:%s:%s:OTP Code \"",
c.cID, c.kID, c.password, c.b64Login())}
}
if err, _ := s.sendCommand(cmd, c.vpnserver); err != nil {
log.Println(err)
}
return
}
// main authentication function.
// returns 0 if auth is valid
// returns 1 if an TOTP code is necessary
// returns a negative if auth is not valid
func (c *vpnSession) auth(s *OpenVpnMgt) (error, int) {
// an empty password is not good
if c.password == "" {
c.Status = "Empty Password"
return errors.New("Empty Password"), -1
}
// check if the password is a valid token (see TOTP request)
tokenPasswordOk, tokenPassword := s.TokenPassword(c)
// password is a token. We remove it from the session object to
// avoid checking it against the ldap
if tokenPasswordOk {
c.password = ""
}
// if the otp is not empty, we check it against the valid codes as soon as
// possible
otpvalidated := false
if c.otpCode != "" {
codes, err := s.GenerateOTP(c.Login)
if err != nil {
return err, -2
}
for _, possible := range codes {
if possible == c.otpCode {
otpvalidated = true
}
}
}
c.Profile = ""
login := []string{c.Login}
pass := c.password
for {
n := c.Profile
for k, ldap := range s.ldap {
if ldap.upgradeFrom != c.Profile {
continue
}
err, userOk, passOk, secondary := ldap.Auth(login, pass)
// if there is an error, try the other configurations
if err != nil {
log.Println(err)
continue
}
// we did find a valid User
if userOk {
// the login for the new auth level is given by the current one
login = secondary
if c.Mail == "" {
c.Mail = secondary[0]
}
if passOk && c.Profile != "" {
// it's at least the second auth level, and we have a valid
// password on 2 different auth system. It's a dupplicate
// password, let's log it
log.Printf("User %s has a dupplicate password\n", c.Login)
}
// we have either a positive auth ok a previous valid one
if passOk || c.Profile != "" || tokenPasswordOk {
c.Profile = k
}
}
}
// no profile update this turn, no need to continue
if n == c.Profile {
break
}
}
// no profile validated, we stop here
if c.Profile == "" {
c.Status = "fail (password)"
return errors.New("Authentication Failed"), -3
}
// check the MFA requested by the secured profile
c.TwoFA = true
switch s.ldap[c.Profile].mfaType {
case "internal":
if otpvalidated {
return nil, 0
}
// log that the failure is due to the OTP
if c.otpCode == "" {
c.Status = "Need OTP Code"
} else {
c.Status = "fail (OTP) : "
}
c.password = tokenPassword
return errors.New("Need OTP Code"), 1
case "okta":
//TODO implement okta MFA
c.Status = "fail (Okta)"
return nil, -4
default:
c.TwoFA = false
}
// no MFA requested, the login is valid
return nil, 0
} }