diff --git a/expressvpn.go b/expressvpn.go new file mode 100644 index 0000000..90b6ef1 --- /dev/null +++ b/expressvpn.go @@ -0,0 +1,100 @@ +package main + +// get https://www.expressvpn.com/vpn-server +// remove everyting starting with > +// remove until "Not supported" and after What the green checks mean + +import ( + "bufio" + "errors" + "fmt" + "net" + "net/http" + "strings" + "sync" + "time" +) + +func (s *OpenVpnMgt) getServerList() error { + var mux sync.Mutex + requestCount := 0 + VPNNames := map[string]bool{} + + // Create HTTP client with timeout + client := &http.Client{ + Timeout: 30 * time.Second, + } + + // Make request + resp, err := client.Get("https://www.expressvpn.com/vpn-server") + if err != nil { + return err + } + defer resp.Body.Close() + + if resp.StatusCode != 200 { + return errors.New(fmt.Sprintf("Server List URL is not valid (%d)\n", resp.StatusCode)) + } + + buf := bufio.NewReader(bufio.NewReader(resp.Body)) + start := false + for { + line, err := buf.ReadString('\n') + if err != nil { + break + } + line = strings.Trim(line, "\n\r ") + if strings.HasPrefix(line, "<") { + continue + } + if line == "Not supported" { + start = true + continue + } + if line == "What the green checks mean" { + start = false + } + if !start { + continue + } + + if line == "" { + continue + } + + requestCount++ + go func(line string) { + line = strings.ToLower(line) + line = strings.Replace(line, " & ", "", -1) + line = strings.Replace(line, " ", "", -1) + + name := fmt.Sprintf("%s-ca-version-2.expressnetw.com", line) + if _, err := net.ResolveIPAddr("ip4", name); err == nil { + mux.Lock() + VPNNames[name] = true + mux.Unlock() + } + requestCount-- + }(line) + } + + // wait for all resolutions + for requestCount > 0 { + time.Sleep(100 * time.Millisecond) + } + + if len(VPNNames) == 0 { + return errors.New("Can't get a list of VPN endpoints") + } + + // add the right values + keys := make([]string, 0, len(VPNNames)) + for k := range VPNNames { + keys = append(keys, k) + } + + s.Lock() + s.VpnRemotes = keys + s.Unlock() + return nil +} diff --git a/httpd.go b/httpd.go index 231dbcd..968df08 100644 --- a/httpd.go +++ b/httpd.go @@ -1,17 +1,12 @@ package main import ( - "bufio" - "bytes" - "crypto/tls" - "crypto/x509" "encoding/json" + "errors" "fmt" - "io" "io/ioutil" "log" "net/http" - "os" ) type jsonInput struct { @@ -20,18 +15,13 @@ type jsonInput struct { } type jsonInputParams struct { - Id int `json:"id"` - Session string `json:"session"` + Server string `json:"server"` + Session int `json:"session"` } type HttpServer struct { - Port string - ovpn *OpenVpnMgt - key string - cert string - minProfile string - neededProfiles []string - certPool *x509.CertPool + Port string + ovpn *OpenVpnMgt } func parseJsonQuery(r *http.Request) (*jsonInput, error) { @@ -52,43 +42,12 @@ func (h *HttpServer) handler(w http.ResponseWriter, r *http.Request) { fmt.Fprintf(w, "\n") } -func (h *HttpServer) versionHandler(w http.ResponseWriter, r *http.Request) { - err, message := h.ovpn.Version() - if err != nil { - fmt.Fprintf(w, "Error : %s", err) - } - - jsonStr, err := json.Marshal(message) - if err != nil { - fmt.Fprintf(w, "Error : %s", err) - } - fmt.Fprintf(w, "%s", jsonStr) -} - -func (h *HttpServer) helpHandler(w http.ResponseWriter, r *http.Request) { - err, message := h.ovpn.Help() - if err != nil { - fmt.Fprintf(w, "Error : %s", err) - } - jsonStr, err := json.Marshal(message) - if err != nil { - fmt.Fprintf(w, "Error : %s", err) - } - fmt.Fprintf(w, "%s", jsonStr) -} - func (h *HttpServer) ajaxHandler(w http.ResponseWriter, r *http.Request) { - //var sslUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageAny} + var err error + var jsonStr []byte w.Header().Set("Content-type", "application/json") - // deactivate if there is no https auth - /* - if h.key == "" || h.cert == "" || h.certPool == nil { - http.Error(w, "No security, deactivated", 403) - return - } - */ // add CORS headers w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin")) w.Header().Set("Access-Control-Allow-Methods", "POST") @@ -106,27 +65,6 @@ func (h *HttpServer) ajaxHandler(w http.ResponseWriter, r *http.Request) { return } - // ssl auth - /* - if len(r.TLS.PeerCertificates) == 0 { - log.Println(len(r.TLS.PeerCertificates)) - http.Error(w, "Need certificate", 403) - return - } - opts := x509.VerifyOptions{Roots: h.certPool, KeyUsages: sslUsage} - if _, err := r.TLS.PeerCertificates[0].Verify(opts); err != nil { - http.Error(w, "Bad certificate", 403) - return - } - - webuser := strings.Replace(r.TLS.PeerCertificates[0].Subject.CommonName, " ", "", -1) - */ - //TODO security - - webuser := "xavier" - - log.Printf("%s is connected via the web interfaces\n", webuser) - req, err := parseJsonQuery(r) if err != nil { log.Println(err) @@ -135,54 +73,40 @@ func (h *HttpServer) ajaxHandler(w http.ResponseWriter, r *http.Request) { } switch req.Action { + case "get-remotes": + jsonStr, err = json.Marshal(h.ovpn) + case "set-remote": + err = h.ovpn.SetRemote(req.Params.Server, req.Params.Session) + jsonStr = []byte("{\"status\": \"ok\"}") + case "version": + err, version := h.ovpn.Version() + if err != nil { + break + } + jsonStr, err = json.Marshal(version) case "stats": case "kill": default: - http.Error(w, "Invalid request", 500) + err = errors.New("Invalid request") } + + if err != nil { + http.Error(w, fmt.Sprintf("Error : %s", err), 500) + return + } + fmt.Fprintf(w, "%s", jsonStr) + return } -func NewHTTPServer(port, key, cert, ca, minProfile string, neededProfiles []string, s *OpenVpnMgt) { +func NewHTTPServer(port string, s *OpenVpnMgt) { h := &HttpServer{ - Port: port, - ovpn: s, - key: key, - cert: cert, - minProfile: minProfile, - neededProfiles: neededProfiles, + Port: port, + ovpn: s, } - http.HandleFunc("/help", h.helpHandler) http.HandleFunc("/ajax", h.ajaxHandler) - http.HandleFunc("/version", h.versionHandler) http.HandleFunc("/", h.handler) - switch { - case key == "" || cert == "": - log.Fatal(http.ListenAndServe(port, nil)) - case ca != "": - h.certPool = x509.NewCertPool() - fi, err := os.Open(ca) - if err != nil { - log.Fatal(err) - } - defer fi.Close() - buf := new(bytes.Buffer) - reader := bufio.NewReader(fi) - io.Copy(buf, reader) - if ok := h.certPool.AppendCertsFromPEM(buf.Bytes()); !ok { - log.Fatal("Failed to append PEM.") - } - server := &http.Server{ - Addr: port, - TLSConfig: &tls.Config{ - ClientAuth: tls.RequireAndVerifyClientCert, - ClientCAs: h.certPool, - }, - } - log.Fatal(server.ListenAndServeTLS(cert, key)) - default: - log.Fatal(http.ListenAndServeTLS(port, cert, key, nil)) - } + log.Fatal(http.ListenAndServe(port, nil)) } diff --git a/main.go b/main.go index 47f606f..9463e80 100644 --- a/main.go +++ b/main.go @@ -29,34 +29,23 @@ func main() { // seed the prng rand.Seed(time.Now().UnixNano()) - server := NewVPNServer(config.GetString("config.openvpnPort", "127.0.0.01:5000")) + server := NewVPNServer(config.GetString("config.openvpnPort", "127.0.0.01:5000"), *debug) - server.syslog = false if *logToSyslog { log.SetFlags(0) - server.syslog = true - logWriter, e := syslog.New(syslog.LOG_NOTICE, "vpnauth") + logWriter, e := syslog.New(syslog.LOG_NOTICE, "vpncontrol") if e == nil { log.SetOutput(logWriter) defer logWriter.Close() } } - server.debug = false - if *debug { - server.debug = true - } - - log.Println(getServerList("https://www.expressvpn.com/vpn-server")) - // time to start the listeners - go server.Run() - NewHTTPServer( + go NewHTTPServer( config.GetString("config.http.port", "127.0.0.01:8080"), - config.GetString("config.http.key", ""), - config.GetString("config.http.cert", ""), - config.GetString("config.http.ca", ""), - config.GetString("config.http.startAuth", "CORP"), - parseConfigArray(config, "config.http.reqAuth"), server) + server.Run() + + // server.Run() should never end + os.Exit(1) } diff --git a/openvpn.go b/openvpn.go new file mode 100644 index 0000000..1694eea --- /dev/null +++ b/openvpn.go @@ -0,0 +1,113 @@ +package main + +import ( + "bufio" + "fmt" + "net" + "sync" +) + +type OpenVpnSrv struct { + Remote string `json:"active-vpn"` + Status string `json:"status"` + hold bool + chanHold chan bool + m sync.RWMutex + ret chan []string + buf *bufio.ReadWriter +} + +func (s *OpenVpnSrv) Lock() { + s.m.Lock() +} + +func (s *OpenVpnSrv) Unlock() { + s.m.Unlock() +} + +func NewOpenVpnSrv(conn net.Conn) *OpenVpnSrv { + return &OpenVpnSrv{ + buf: bufio.NewReadWriter(bufio.NewReader(conn), bufio.NewWriter(conn)), + hold: false, + chanHold: make(chan bool), + ret: make(chan []string), + } +} + +// send a command to the server. Set the channel to receive the response +func (s *OpenVpnSrv) sendCommand(msg []string) (error, []string) { + for _, line := range msg { + if _, err := s.buf.WriteString(line + "\r\n"); err != nil { + return err, nil + } + } + + if err := s.buf.Flush(); err != nil { + return err, nil + } + + // wait for the response + ret := <-s.ret + + return nil, ret +} + +func (s *OpenVpnSrv) Response(response []string) { + s.Lock() + s.ret <- response + s.Unlock() +} + +func (s *OpenVpnSrv) GetLine() (string, error) { + return s.buf.ReadString('\n') +} + +func (s *OpenVpnSrv) ValidRemote(server, port, proto string) { + if s.Remote != "" { + s.sendCommand([]string{fmt.Sprintf("remote MOD %s %s %s", s.Remote, port, proto)}) + s.Status = "Connected" + return + } + s.Remote = server + s.sendCommand([]string{"remote ACCEPT"}) +} + +func (s *OpenVpnSrv) Kill() { +} + +func (s *OpenVpnSrv) Version() (error, []string) { + return s.sendCommand([]string{"version"}) +} + +func (s *OpenVpnSrv) SetRemote(server string) error { + // already the active server, do nothing + if s.Remote == server { + return nil + } + + if s.Remote != "" { + s.Kill() + } + + s.Remote = server + + // release Hold if necessary + s.ReleaseHold() + return nil +} + +func (s *OpenVpnSrv) waitForRelase() { + s.hold = true + s.Status = "Hold" + <-s.chanHold + s.sendCommand([]string{"hold release"}) +} + +func (s *OpenVpnSrv) ReleaseHold() { + if !s.hold { + return + } + s.hold = false + s.chanHold <- true + s.Status = "Waiting for connexion" +} diff --git a/vpnlist.go b/vpnlist.go deleted file mode 100644 index 3223168..0000000 --- a/vpnlist.go +++ /dev/null @@ -1,71 +0,0 @@ -package main - -// get https://www.expressvpn.com/vpn-server -// remove everyting starting with > -// remove until "Not supported" and after What the green checks mean - -import ( - "bufio" - "fmt" - "net" - "net/http" - "strings" - "time" -) - -func getServerList(url string) []string { - ret := []string{} - // Create HTTP client with timeout - client := &http.Client{ - Timeout: 30 * time.Second, - } - - // Make request - response, err := client.Get(url) - if err != nil { - fmt.Println(err) - return nil - } - defer response.Body.Close() - - buf := bufio.NewReader(bufio.NewReader(response.Body)) - start := false - for { - line, err := buf.ReadString('\n') - if err != nil { - break - } - line = strings.Trim(line, "\n\r ") - if strings.HasPrefix(line, "<") { - continue - } - if line == "Not supported" { - start = true - continue - } - if line == "What the green checks mean" { - start = false - } - if !start { - continue - } - - if line == "" { - continue - } - - // france-paris-1-ca-version-2.expressnetw.com - line = strings.ToLower(line) - line = strings.ReplaceAll(line, " & ", "") - line = strings.ReplaceAll(line, " ", "") - - name := fmt.Sprintf("%s-ca-version-2.expressnetw.com", line) - fmt.Println(name) - - if _, err := net.ResolveIPAddr("ip4", name); err == nil { - ret = append(ret, name) - } - } - - return ret -} diff --git a/vpnserver.go b/vpnserver.go index b976588..3f22ea3 100644 --- a/vpnserver.go +++ b/vpnserver.go @@ -1,12 +1,12 @@ package main import ( - "bufio" "errors" + "fmt" "io" "log" "net" - "os" + "strconv" "strings" "sync" @@ -15,37 +15,50 @@ import ( // Server represents the server type OpenVpnMgt struct { - port string - buf map[string]*bufio.ReadWriter - m sync.RWMutex - ret chan []string - syslog bool - debug bool - hold bool + port string + m sync.RWMutex + debug bool + VpnRemotes []string `json:"remotes"` + vpnServers map[int]*OpenVpnSrv `json:"sessions"` } // NewServer returns a pointer to a new server -func NewVPNServer(port string) *OpenVpnMgt { +func NewVPNServer(port string, debug bool) *OpenVpnMgt { return &OpenVpnMgt{ - port: port, - ret: make(chan []string), - buf: make(map[string]*bufio.ReadWriter), + port: port, + debug: debug, + vpnServers: make(map[int]*OpenVpnSrv), } } +func (s *OpenVpnMgt) Lock() { + s.m.Lock() +} + +func (s *OpenVpnMgt) Unlock() { + s.m.Unlock() +} + // Run starts a the server func (s *OpenVpnMgt) Run() { + + // get the endpoint list + if err := s.getServerList(); err != nil { + log.Println(err) + return + } + // Resolve the passed port into an address addrs, err := net.ResolveTCPAddr("tcp", s.port) if err != nil { log.Println(err) - os.Exit(1) + return } // start listening to client connections listener, err := net.ListenTCP("tcp", addrs) if err != nil { log.Println(err) - os.Exit(1) + return } // Infinite loop since we dont want the server to shut down for { @@ -60,86 +73,59 @@ func (s *OpenVpnMgt) Run() { } } -// send a command to the server. Set the channel to receive the response -func (s *OpenVpnMgt) sendCommand(msg []string, remote string) (error, []string) { - if len(s.buf) == 0 { - return errors.New("No openvpn server present"), nil +func (s *OpenVpnMgt) GetSession(remote int) (error, *OpenVpnSrv) { + if vpnServer, ok := s.vpnServers[remote]; ok { + return nil, vpnServer } - for _, line := range msg { - if s.debug { - log.Println(line) - } - if _, err := s.buf[remote].WriteString(line + "\r\n"); err != nil { - return err, nil - } - } - - if err := s.buf[remote].Flush(); err != nil { - return err, nil - } - - // wait for the response - ret := <-s.ret - - if s.debug { - for _, line := range ret { - log.Println(line) - } - } - - return nil, ret + return errors.New(fmt.Sprintf("unknown session %d", vpnServers)), nil } -// send the help command on all vpn servers. Kind of useless -func (s *OpenVpnMgt) Help() (error, map[string]map[string]string) { - ret := make(map[string]map[string]string) - re := rcache.Get("^(.*[^ ]) *: (.*)$") - for remote := range s.buf { - help := make(map[string]string) - err, msg := s.sendCommand([]string{"help"}, remote) - if err != nil { - return err, ret - } - for _, line := range msg { - match := re.FindStringSubmatch(line) - if len(match) == 0 { - continue - } - help[match[1]] = match[2] - } - ret[remote] = help +func (s *OpenVpnMgt) SetRemote(server string, remote int) error { + // check if the session is valid + err, session := s.GetSession(remote) + if err != nil { + return err } - return nil, ret + + for _, r := range s.VpnRemotes { + if r != server { + continue + } + return session.SetRemote(server) + } + + return errors.New(fmt.Sprintf("unknown remote %s", server)) } // send the version command on all vpn servers. Kind of useless -func (s *OpenVpnMgt) Version() (error, map[string][]string) { - ret := make(map[string][]string) - for remote := range s.buf { - err, msg := s.sendCommand([]string{"version"}, remote) - if err != nil { - return err, ret +func (s *OpenVpnMgt) Version() (error, map[int][]string) { + var err error + ret := make(map[int][]string) + for remote, srv := range s.vpnServers { + err, msg := srv.Version() + if err == nil { + ret[remote] = msg } - ret[remote] = msg } - return nil, ret + return err, ret } // main loop for a given openvpn server func (s *OpenVpnMgt) handleConn(conn net.Conn) { remote := conn.RemoteAddr().String() + pidRegexp := rcache.Get("^SUCCESS: pid=([0-9]+)$") + // >REMOTE:vpn.example.com,1194,udp + remoteRegexp := rcache.Get("^>REMOTE:(.*),([0-9]*),(.*)$") defer conn.Close() - defer delete(s.buf, remote) - // we store the buffer pointer in the struct, to be accessed from other methods - s.buf[remote] = bufio.NewReadWriter(bufio.NewReader(conn), bufio.NewWriter(conn)) + vpnServer := NewOpenVpnSrv(conn) // most response are multilined, use response to concatenate them response := []string{} // remove bogus clients - line, err := s.buf[remote].ReadString('\n') + line, err := vpnServer.session.GetLine() if err != nil { log.Println(err) return @@ -151,8 +137,10 @@ func (s *OpenVpnMgt) handleConn(conn net.Conn) { log.Printf("Valid openvpn connected from %s\n", remote) + go session.sendCommand([]string{"pid"}) + for { - line, err := s.buf[remote].ReadString('\n') + line, err := session.GetLine() // manage basic errors switch { @@ -165,6 +153,10 @@ func (s *OpenVpnMgt) handleConn(conn net.Conn) { } line = strings.Trim(line, "\n\r ") + if s.debug && strings.Index(line, "password") == -1 { + log.Print(line) + } + // manage exit commands for _, terminator := range []string{"quit", "exit"} { if line == terminator || strings.HasPrefix(line, terminator+" ") { @@ -173,28 +165,36 @@ func (s *OpenVpnMgt) handleConn(conn net.Conn) { } } + // get the PID + match := pidRegexp.FindStringSubmatch(line) + if len(match) == 2 { + pid, _ := strconv.Atoi(match[1]) + s.Lock() + s.vpnServers[pid] = vpnServer + s.Unlock() + defer delete(s.vpnServers, pid) + } + // manage all "terminator" lines for _, terminator := range []string{"END", ">CLIENT:ENV,END", "SUCCESS", "ERROR"} { if strings.HasPrefix(line, terminator) { - s.ret <- response + vpnServer.Response(response) response = nil line = "" break } } + remoteMatch := remoteRegexp.FindStringSubmatch(line) switch { // command successfull, we can ignore case strings.HasPrefix(line, ">SUCCESS: client-deny command succeeded"): case strings.HasPrefix(line, ">HOLD"): - s.sendCommand([]string{"hold release"}, remote) - case strings.HasPrefix(line, ">REMOTE"): - s.sendCommand([]string{"remote ACCEPT"}, remote) + go vpnServer.waitForRelase() + case len(remoteMatch) > 0: + go vpnServer.ValidRemote(remoteMatch[1], remoteMatch[2], remoteMatch[3]) default: response = append(response, line) } - if s.debug && strings.Index(line, "password") == -1 { - log.Print(line) - } } }