euclide
/
openvpn-mgt
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

update

This commit is contained in:
Xavier Henner 2019-08-15 11:19:40 +02:00
parent 65496cbce9
commit a82131c8c8
6 changed files with 331 additions and 276 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

100
expressvpn.go Normal file
View File

@ -0,0 +1,100 @@
package main
// get https://www.expressvpn.com/vpn-server
// remove everyting starting with >
// remove until "Not supported" and after What the green checks mean
import (
"bufio"
"errors"
"fmt"
"net"
"net/http"
"strings"
"sync"
"time"
)
func (s *OpenVpnMgt) getServerList() error {
var mux sync.Mutex
requestCount := 0
VPNNames := map[string]bool{}
// Create HTTP client with timeout
client := &http.Client{
Timeout: 30 * time.Second,
}
// Make request
resp, err := client.Get("https://www.expressvpn.com/vpn-server")
if err != nil {
return err
}
defer resp.Body.Close()
if resp.StatusCode != 200 {
return errors.New(fmt.Sprintf("Server List URL is not valid (%d)\n", resp.StatusCode))
}
buf := bufio.NewReader(bufio.NewReader(resp.Body))
start := false
for {
line, err := buf.ReadString('\n')
if err != nil {
break
}
line = strings.Trim(line, "\n\r ")
if strings.HasPrefix(line, "<") {
continue
}
if line == "Not supported" {
start = true
continue
}
if line == "What the green checks mean" {
start = false
}
if !start {
continue
}
if line == "" {
continue
}
requestCount++
go func(line string) {
line = strings.ToLower(line)
line = strings.Replace(line, " &amp; ", "", -1)
line = strings.Replace(line, " ", "", -1)
name := fmt.Sprintf("%s-ca-version-2.expressnetw.com", line)
if _, err := net.ResolveIPAddr("ip4", name); err == nil {
mux.Lock()
VPNNames[name] = true
mux.Unlock()
}
requestCount--
}(line)
}
// wait for all resolutions
for requestCount > 0 {
time.Sleep(100 * time.Millisecond)
}
if len(VPNNames) == 0 {
return errors.New("Can't get a list of VPN endpoints")
}
// add the right values
keys := make([]string, 0, len(VPNNames))
for k := range VPNNames {
keys = append(keys, k)
}
s.Lock()
s.VpnRemotes = keys
s.Unlock()
return nil
}

126
httpd.go
View File

@ -1,17 +1,12 @@
package main package main
import ( import (
"bufio"
"bytes"
"crypto/tls"
"crypto/x509"
"encoding/json" "encoding/json"
"errors"
"fmt" "fmt"
"io"
"io/ioutil" "io/ioutil"
"log" "log"
"net/http" "net/http"
"os"
) )
type jsonInput struct { type jsonInput struct {
@ -20,18 +15,13 @@ type jsonInput struct {
} }
type jsonInputParams struct { type jsonInputParams struct {
Id int `json:"id"` Server string `json:"server"`
Session string `json:"session"` Session int `json:"session"`
} }
type HttpServer struct { type HttpServer struct {
Port string Port string
ovpn *OpenVpnMgt ovpn *OpenVpnMgt
key string
cert string
minProfile string
neededProfiles []string
certPool *x509.CertPool
} }
func parseJsonQuery(r *http.Request) (*jsonInput, error) { func parseJsonQuery(r *http.Request) (*jsonInput, error) {
@ -52,43 +42,12 @@ func (h *HttpServer) handler(w http.ResponseWriter, r *http.Request) {
fmt.Fprintf(w, "\n") fmt.Fprintf(w, "\n")
} }
func (h *HttpServer) versionHandler(w http.ResponseWriter, r *http.Request) {
err, message := h.ovpn.Version()
if err != nil {
fmt.Fprintf(w, "Error : %s", err)
}
jsonStr, err := json.Marshal(message)
if err != nil {
fmt.Fprintf(w, "Error : %s", err)
}
fmt.Fprintf(w, "%s", jsonStr)
}
func (h *HttpServer) helpHandler(w http.ResponseWriter, r *http.Request) {
err, message := h.ovpn.Help()
if err != nil {
fmt.Fprintf(w, "Error : %s", err)
}
jsonStr, err := json.Marshal(message)
if err != nil {
fmt.Fprintf(w, "Error : %s", err)
}
fmt.Fprintf(w, "%s", jsonStr)
}
func (h *HttpServer) ajaxHandler(w http.ResponseWriter, r *http.Request) { func (h *HttpServer) ajaxHandler(w http.ResponseWriter, r *http.Request) {
//var sslUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageAny} var err error
var jsonStr []byte
w.Header().Set("Content-type", "application/json") w.Header().Set("Content-type", "application/json")
// deactivate if there is no https auth
/*
if h.key == "" || h.cert == "" || h.certPool == nil {
http.Error(w, "No security, deactivated", 403)
return
}
*/
// add CORS headers // add CORS headers
w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin")) w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
w.Header().Set("Access-Control-Allow-Methods", "POST") w.Header().Set("Access-Control-Allow-Methods", "POST")
@ -106,27 +65,6 @@ func (h *HttpServer) ajaxHandler(w http.ResponseWriter, r *http.Request) {
return return
} }
// ssl auth
/*
if len(r.TLS.PeerCertificates) == 0 {
log.Println(len(r.TLS.PeerCertificates))
http.Error(w, "Need certificate", 403)
return
}
opts := x509.VerifyOptions{Roots: h.certPool, KeyUsages: sslUsage}
if _, err := r.TLS.PeerCertificates[0].Verify(opts); err != nil {
http.Error(w, "Bad certificate", 403)
return
}
webuser := strings.Replace(r.TLS.PeerCertificates[0].Subject.CommonName, " ", "", -1)
*/
//TODO security
webuser := "xavier"
log.Printf("%s is connected via the web interfaces\n", webuser)
req, err := parseJsonQuery(r) req, err := parseJsonQuery(r)
if err != nil { if err != nil {
log.Println(err) log.Println(err)
@ -135,54 +73,40 @@ func (h *HttpServer) ajaxHandler(w http.ResponseWriter, r *http.Request) {
} }
switch req.Action { switch req.Action {
case "get-remotes":
jsonStr, err = json.Marshal(h.ovpn)
case "set-remote":
err = h.ovpn.SetRemote(req.Params.Server, req.Params.Session)
jsonStr = []byte("{\"status\": \"ok\"}")
case "version":
err, version := h.ovpn.Version()
if err != nil {
break
}
jsonStr, err = json.Marshal(version)
case "stats": case "stats":
case "kill": case "kill":
default: default:
http.Error(w, "Invalid request", 500) err = errors.New("Invalid request")
} }
if err != nil {
http.Error(w, fmt.Sprintf("Error : %s", err), 500)
return
}
fmt.Fprintf(w, "%s", jsonStr)
return return
} }
func NewHTTPServer(port, key, cert, ca, minProfile string, neededProfiles []string, s *OpenVpnMgt) { func NewHTTPServer(port string, s *OpenVpnMgt) {
h := &HttpServer{ h := &HttpServer{
Port: port, Port: port,
ovpn: s, ovpn: s,
key: key,
cert: cert,
minProfile: minProfile,
neededProfiles: neededProfiles,
} }
http.HandleFunc("/help", h.helpHandler)
http.HandleFunc("/ajax", h.ajaxHandler) http.HandleFunc("/ajax", h.ajaxHandler)
http.HandleFunc("/version", h.versionHandler)
http.HandleFunc("/", h.handler) http.HandleFunc("/", h.handler)
switch {
case key == "" || cert == "":
log.Fatal(http.ListenAndServe(port, nil)) log.Fatal(http.ListenAndServe(port, nil))
case ca != "":
h.certPool = x509.NewCertPool()
fi, err := os.Open(ca)
if err != nil {
log.Fatal(err)
}
defer fi.Close()
buf := new(bytes.Buffer)
reader := bufio.NewReader(fi)
io.Copy(buf, reader)
if ok := h.certPool.AppendCertsFromPEM(buf.Bytes()); !ok {
log.Fatal("Failed to append PEM.")
}
server := &http.Server{
Addr: port,
TLSConfig: &tls.Config{
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: h.certPool,
},
}
log.Fatal(server.ListenAndServeTLS(cert, key))
default:
log.Fatal(http.ListenAndServeTLS(port, cert, key, nil))
}
} }

25
main.go
View File

@ -29,34 +29,23 @@ func main() {
// seed the prng // seed the prng
rand.Seed(time.Now().UnixNano()) rand.Seed(time.Now().UnixNano())
server := NewVPNServer(config.GetString("config.openvpnPort", "127.0.0.01:5000")) server := NewVPNServer(config.GetString("config.openvpnPort", "127.0.0.01:5000"), *debug)
server.syslog = false
if *logToSyslog { if *logToSyslog {
log.SetFlags(0) log.SetFlags(0)
server.syslog = true logWriter, e := syslog.New(syslog.LOG_NOTICE, "vpncontrol")
logWriter, e := syslog.New(syslog.LOG_NOTICE, "vpnauth")
if e == nil { if e == nil {
log.SetOutput(logWriter) log.SetOutput(logWriter)
defer logWriter.Close() defer logWriter.Close()
} }
} }
server.debug = false
if *debug {
server.debug = true
}
log.Println(getServerList("https://www.expressvpn.com/vpn-server"))
// time to start the listeners // time to start the listeners
go server.Run() go NewHTTPServer(
NewHTTPServer(
config.GetString("config.http.port", "127.0.0.01:8080"), config.GetString("config.http.port", "127.0.0.01:8080"),
config.GetString("config.http.key", ""),
config.GetString("config.http.cert", ""),
config.GetString("config.http.ca", ""),
config.GetString("config.http.startAuth", "CORP"),
parseConfigArray(config, "config.http.reqAuth"),
server) server)
server.Run()
// server.Run() should never end
os.Exit(1)
} }

113
openvpn.go Normal file
View File

@ -0,0 +1,113 @@
package main
import (
"bufio"
"fmt"
"net"
"sync"
)
type OpenVpnSrv struct {
Remote string `json:"active-vpn"`
Status string `json:"status"`
hold bool
chanHold chan bool
m sync.RWMutex
ret chan []string
buf *bufio.ReadWriter
}
func (s *OpenVpnSrv) Lock() {
s.m.Lock()
}
func (s *OpenVpnSrv) Unlock() {
s.m.Unlock()
}
func NewOpenVpnSrv(conn net.Conn) *OpenVpnSrv {
return &OpenVpnSrv{
buf: bufio.NewReadWriter(bufio.NewReader(conn), bufio.NewWriter(conn)),
hold: false,
chanHold: make(chan bool),
ret: make(chan []string),
}
}
// send a command to the server. Set the channel to receive the response
func (s *OpenVpnSrv) sendCommand(msg []string) (error, []string) {
for _, line := range msg {
if _, err := s.buf.WriteString(line + "\r\n"); err != nil {
return err, nil
}
}
if err := s.buf.Flush(); err != nil {
return err, nil
}
// wait for the response
ret := <-s.ret
return nil, ret
}
func (s *OpenVpnSrv) Response(response []string) {
s.Lock()
s.ret <- response
s.Unlock()
}
func (s *OpenVpnSrv) GetLine() (string, error) {
return s.buf.ReadString('\n')
}
func (s *OpenVpnSrv) ValidRemote(server, port, proto string) {
if s.Remote != "" {
s.sendCommand([]string{fmt.Sprintf("remote MOD %s %s %s", s.Remote, port, proto)})
s.Status = "Connected"
return
}
s.Remote = server
s.sendCommand([]string{"remote ACCEPT"})
}
func (s *OpenVpnSrv) Kill() {
}
func (s *OpenVpnSrv) Version() (error, []string) {
return s.sendCommand([]string{"version"})
}
func (s *OpenVpnSrv) SetRemote(server string) error {
// already the active server, do nothing
if s.Remote == server {
return nil
}
if s.Remote != "" {
s.Kill()
}
s.Remote = server
// release Hold if necessary
s.ReleaseHold()
return nil
}
func (s *OpenVpnSrv) waitForRelase() {
s.hold = true
s.Status = "Hold"
<-s.chanHold
s.sendCommand([]string{"hold release"})
}
func (s *OpenVpnSrv) ReleaseHold() {
if !s.hold {
return
}
s.hold = false
s.chanHold <- true
s.Status = "Waiting for connexion"
}

71
vpnlist.go
View File

@ -1,71 +0,0 @@
package main
// get https://www.expressvpn.com/vpn-server
// remove everyting starting with >
// remove until "Not supported" and after What the green checks mean
import (
"bufio"
"fmt"
"net"
"net/http"
"strings"
"time"
)
func getServerList(url string) []string {
ret := []string{}
// Create HTTP client with timeout
client := &http.Client{
Timeout: 30 * time.Second,
}
// Make request
response, err := client.Get(url)
if err != nil {
fmt.Println(err)
return nil
}
defer response.Body.Close()
buf := bufio.NewReader(bufio.NewReader(response.Body))
start := false
for {
line, err := buf.ReadString('\n')
if err != nil {
break
}
line = strings.Trim(line, "\n\r ")
if strings.HasPrefix(line, "<") {
continue
}
if line == "Not supported" {
start = true
continue
}
if line == "What the green checks mean" {
start = false
}
if !start {
continue
}
if line == "" {
continue
}
// france-paris-1-ca-version-2.expressnetw.com
line = strings.ToLower(line)
line = strings.ReplaceAll(line, " &amp; ", "")
line = strings.ReplaceAll(line, " ", "")
name := fmt.Sprintf("%s-ca-version-2.expressnetw.com", line)
fmt.Println(name)
if _, err := net.ResolveIPAddr("ip4", name); err == nil {
ret = append(ret, name)
}
}
return ret
}

146
vpnserver.go
View File

@ -1,12 +1,12 @@
package main package main
import ( import (
"bufio"
"errors" "errors"
"fmt"
"io" "io"
"log" "log"
"net" "net"
"os" "strconv"
"strings" "strings"
"sync" "sync"
@ -16,36 +16,49 @@ import (
// Server represents the server // Server represents the server
type OpenVpnMgt struct { type OpenVpnMgt struct {
port string port string
buf map[string]*bufio.ReadWriter
m sync.RWMutex m sync.RWMutex
ret chan []string
syslog bool
debug bool debug bool
hold bool VpnRemotes []string `json:"remotes"`
vpnServers map[int]*OpenVpnSrv `json:"sessions"`
} }
// NewServer returns a pointer to a new server // NewServer returns a pointer to a new server
func NewVPNServer(port string) *OpenVpnMgt { func NewVPNServer(port string, debug bool) *OpenVpnMgt {
return &OpenVpnMgt{ return &OpenVpnMgt{
port: port, port: port,
ret: make(chan []string), debug: debug,
buf: make(map[string]*bufio.ReadWriter), vpnServers: make(map[int]*OpenVpnSrv),
} }
} }
func (s *OpenVpnMgt) Lock() {
s.m.Lock()
}
func (s *OpenVpnMgt) Unlock() {
s.m.Unlock()
}
// Run starts a the server // Run starts a the server
func (s *OpenVpnMgt) Run() { func (s *OpenVpnMgt) Run() {
// get the endpoint list
if err := s.getServerList(); err != nil {
log.Println(err)
return
}
// Resolve the passed port into an address // Resolve the passed port into an address
addrs, err := net.ResolveTCPAddr("tcp", s.port) addrs, err := net.ResolveTCPAddr("tcp", s.port)
if err != nil { if err != nil {
log.Println(err) log.Println(err)
os.Exit(1) return
} }
// start listening to client connections // start listening to client connections
listener, err := net.ListenTCP("tcp", addrs) listener, err := net.ListenTCP("tcp", addrs)
if err != nil { if err != nil {
log.Println(err) log.Println(err)
os.Exit(1) return
} }
// Infinite loop since we dont want the server to shut down // Infinite loop since we dont want the server to shut down
for { for {
@ -60,86 +73,59 @@ func (s *OpenVpnMgt) Run() {
} }
} }
// send a command to the server. Set the channel to receive the response func (s *OpenVpnMgt) GetSession(remote int) (error, *OpenVpnSrv) {
func (s *OpenVpnMgt) sendCommand(msg []string, remote string) (error, []string) { if vpnServer, ok := s.vpnServers[remote]; ok {
if len(s.buf) == 0 { return nil, vpnServer
return errors.New("No openvpn server present"), nil
} }
for _, line := range msg { return errors.New(fmt.Sprintf("unknown session %d", vpnServers)), nil
if s.debug {
log.Println(line)
}
if _, err := s.buf[remote].WriteString(line + "\r\n"); err != nil {
return err, nil
}
}
if err := s.buf[remote].Flush(); err != nil {
return err, nil
}
// wait for the response
ret := <-s.ret
if s.debug {
for _, line := range ret {
log.Println(line)
}
}
return nil, ret
} }
// send the help command on all vpn servers. Kind of useless func (s *OpenVpnMgt) SetRemote(server string, remote int) error {
func (s *OpenVpnMgt) Help() (error, map[string]map[string]string) { // check if the session is valid
ret := make(map[string]map[string]string) err, session := s.GetSession(remote)
re := rcache.Get("^(.*[^ ]) *: (.*)$")
for remote := range s.buf {
help := make(map[string]string)
err, msg := s.sendCommand([]string{"help"}, remote)
if err != nil { if err != nil {
return err, ret return err
} }
for _, line := range msg {
match := re.FindStringSubmatch(line) for _, r := range s.VpnRemotes {
if len(match) == 0 { if r != server {
continue continue
} }
help[match[1]] = match[2] return session.SetRemote(server)
} }
ret[remote] = help
} return errors.New(fmt.Sprintf("unknown remote %s", server))
return nil, ret
} }
// send the version command on all vpn servers. Kind of useless // send the version command on all vpn servers. Kind of useless
func (s *OpenVpnMgt) Version() (error, map[string][]string) { func (s *OpenVpnMgt) Version() (error, map[int][]string) {
ret := make(map[string][]string) var err error
for remote := range s.buf { ret := make(map[int][]string)
err, msg := s.sendCommand([]string{"version"}, remote) for remote, srv := range s.vpnServers {
if err != nil { err, msg := srv.Version()
return err, ret if err == nil {
}
ret[remote] = msg ret[remote] = msg
} }
return nil, ret }
return err, ret
} }
// main loop for a given openvpn server // main loop for a given openvpn server
func (s *OpenVpnMgt) handleConn(conn net.Conn) { func (s *OpenVpnMgt) handleConn(conn net.Conn) {
remote := conn.RemoteAddr().String() remote := conn.RemoteAddr().String()
pidRegexp := rcache.Get("^SUCCESS: pid=([0-9]+)$")
// >REMOTE:vpn.example.com,1194,udp
remoteRegexp := rcache.Get("^>REMOTE:(.*),([0-9]*),(.*)$")
defer conn.Close() defer conn.Close()
defer delete(s.buf, remote)
// we store the buffer pointer in the struct, to be accessed from other methods vpnServer := NewOpenVpnSrv(conn)
s.buf[remote] = bufio.NewReadWriter(bufio.NewReader(conn), bufio.NewWriter(conn))
// most response are multilined, use response to concatenate them // most response are multilined, use response to concatenate them
response := []string{} response := []string{}
// remove bogus clients // remove bogus clients
line, err := s.buf[remote].ReadString('\n') line, err := vpnServer.session.GetLine()
if err != nil { if err != nil {
log.Println(err) log.Println(err)
return return
@ -151,8 +137,10 @@ func (s *OpenVpnMgt) handleConn(conn net.Conn) {
log.Printf("Valid openvpn connected from %s\n", remote) log.Printf("Valid openvpn connected from %s\n", remote)
go session.sendCommand([]string{"pid"})
for { for {
line, err := s.buf[remote].ReadString('\n') line, err := session.GetLine()
// manage basic errors // manage basic errors
switch { switch {
@ -165,6 +153,10 @@ func (s *OpenVpnMgt) handleConn(conn net.Conn) {
} }
line = strings.Trim(line, "\n\r ") line = strings.Trim(line, "\n\r ")
if s.debug && strings.Index(line, "password") == -1 {
log.Print(line)
}
// manage exit commands // manage exit commands
for _, terminator := range []string{"quit", "exit"} { for _, terminator := range []string{"quit", "exit"} {
if line == terminator || strings.HasPrefix(line, terminator+" ") { if line == terminator || strings.HasPrefix(line, terminator+" ") {
@ -173,28 +165,36 @@ func (s *OpenVpnMgt) handleConn(conn net.Conn) {
} }
} }
// get the PID
match := pidRegexp.FindStringSubmatch(line)
if len(match) == 2 {
pid, _ := strconv.Atoi(match[1])
s.Lock()
s.vpnServers[pid] = vpnServer
s.Unlock()
defer delete(s.vpnServers, pid)
}
// manage all "terminator" lines // manage all "terminator" lines
for _, terminator := range []string{"END", ">CLIENT:ENV,END", "SUCCESS", "ERROR"} { for _, terminator := range []string{"END", ">CLIENT:ENV,END", "SUCCESS", "ERROR"} {
if strings.HasPrefix(line, terminator) { if strings.HasPrefix(line, terminator) {
s.ret <- response vpnServer.Response(response)
response = nil response = nil
line = "" line = ""
break break
} }
} }
remoteMatch := remoteRegexp.FindStringSubmatch(line)
switch { switch {
// command successfull, we can ignore // command successfull, we can ignore
case strings.HasPrefix(line, ">SUCCESS: client-deny command succeeded"): case strings.HasPrefix(line, ">SUCCESS: client-deny command succeeded"):
case strings.HasPrefix(line, ">HOLD"): case strings.HasPrefix(line, ">HOLD"):
s.sendCommand([]string{"hold release"}, remote) go vpnServer.waitForRelase()
case strings.HasPrefix(line, ">REMOTE"): case len(remoteMatch) > 0:
s.sendCommand([]string{"remote ACCEPT"}, remote) go vpnServer.ValidRemote(remoteMatch[1], remoteMatch[2], remoteMatch[3])
default: default:
response = append(response, line) response = append(response, line)
} }
if s.debug && strings.Index(line, "password") == -1 {
log.Print(line)
}
} }
} }