update

2019-08-15 11:19:40 +02:00 · 2019-08-15 11:19:40 +02:00 · a82131c8c8
parent 65496cbce9
commit a82131c8c8
6 changed files with 331 additions and 276 deletions
--- a/expressvpn.go
+++ b/expressvpn.go
@ -0,0 +1,100 @@
+package main
+
+// get https://www.expressvpn.com/vpn-server
+// remove everyting starting with >
+// remove until "Not supported" and after What the green checks mean
+
+import (
+	"bufio"
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+	"strings"
+	"sync"
+	"time"
+)
+
+func (s *OpenVpnMgt) getServerList() error {
+	var mux sync.Mutex
+	requestCount := 0
+	VPNNames := map[string]bool{}
+
+	// Create HTTP client with timeout
+	client := &http.Client{
+		Timeout: 30 * time.Second,
+	}
+
+	// Make request
+	resp, err := client.Get("https://www.expressvpn.com/vpn-server")
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != 200 {
+		return errors.New(fmt.Sprintf("Server List URL is not valid (%d)\n", resp.StatusCode))
+	}
+
+	buf := bufio.NewReader(bufio.NewReader(resp.Body))
+	start := false
+	for {
+		line, err := buf.ReadString('\n')
+		if err != nil {
+			break
+		}
+		line = strings.Trim(line, "\n\r ")
+		if strings.HasPrefix(line, "<") {
+			continue
+		}
+		if line == "Not supported" {
+			start = true
+			continue
+		}
+		if line == "What the green checks mean" {
+			start = false
+		}
+		if !start {
+			continue
+		}
+
+		if line == "" {
+			continue
+		}
+
+		requestCount++
+		go func(line string) {
+			line = strings.ToLower(line)
+			line = strings.Replace(line, " &amp; ", "", -1)
+			line = strings.Replace(line, " ", "", -1)
+
+			name := fmt.Sprintf("%s-ca-version-2.expressnetw.com", line)
+			if _, err := net.ResolveIPAddr("ip4", name); err == nil {
+				mux.Lock()
+				VPNNames[name] = true
+				mux.Unlock()
+			}
+			requestCount--
+		}(line)
+	}
+
+	// wait for all resolutions
+	for requestCount > 0 {
+		time.Sleep(100 * time.Millisecond)
+	}
+
+	if len(VPNNames) == 0 {
+		return errors.New("Can't get a list of VPN endpoints")
+	}
+
+	// add the right values
+	keys := make([]string, 0, len(VPNNames))
+	for k := range VPNNames {
+		keys = append(keys, k)
+	}
+
+	s.Lock()
+	s.VpnRemotes = keys
+	s.Unlock()
+	return nil
+}
--- a/httpd.go
+++ b/httpd.go
@ -1,17 +1,12 @@
 package main

 import (
-	"bufio"
-	"bytes"
-	"crypto/tls"
-	"crypto/x509"
 	"encoding/json"
+	"errors"
 	"fmt"
-	"io"
 	"io/ioutil"
 	"log"
 	"net/http"
-	"os"
 )

 type jsonInput struct {
@ -20,18 +15,13 @@ type jsonInput struct {
 }

 type jsonInputParams struct {
-	Id      int    `json:"id"`
-	Session string `json:"session"`
+	Server  string `json:"server"`
+	Session int    `json:"session"`
 }

 type HttpServer struct {
 	Port string
 	ovpn *OpenVpnMgt
-	key            string
-	cert           string
-	minProfile     string
-	neededProfiles []string
-	certPool       *x509.CertPool
 }

 func parseJsonQuery(r *http.Request) (*jsonInput, error) {
@ -52,43 +42,12 @@ func (h *HttpServer) handler(w http.ResponseWriter, r *http.Request) {
 	fmt.Fprintf(w, "\n")
 }

-func (h *HttpServer) versionHandler(w http.ResponseWriter, r *http.Request) {
-	err, message := h.ovpn.Version()
-	if err != nil {
-		fmt.Fprintf(w, "Error : %s", err)
-	}
-
-	jsonStr, err := json.Marshal(message)
-	if err != nil {
-		fmt.Fprintf(w, "Error : %s", err)
-	}
-	fmt.Fprintf(w, "%s", jsonStr)
-}
-
-func (h *HttpServer) helpHandler(w http.ResponseWriter, r *http.Request) {
-	err, message := h.ovpn.Help()
-	if err != nil {
-		fmt.Fprintf(w, "Error : %s", err)
-	}
-	jsonStr, err := json.Marshal(message)
-	if err != nil {
-		fmt.Fprintf(w, "Error : %s", err)
-	}
-	fmt.Fprintf(w, "%s", jsonStr)
-}
-
 func (h *HttpServer) ajaxHandler(w http.ResponseWriter, r *http.Request) {
-	//var sslUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageAny}
+	var err error
+	var jsonStr []byte

 	w.Header().Set("Content-type", "application/json")

-	// deactivate if there is no https auth
-	/*
-		if h.key == "" || h.cert == "" || h.certPool == nil {
-			http.Error(w, "No security, deactivated", 403)
-			return
-		}
-	*/
 	// add CORS headers
 	w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
 	w.Header().Set("Access-Control-Allow-Methods", "POST")
@ -106,27 +65,6 @@ func (h *HttpServer) ajaxHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	// ssl auth
-	/*
-		if len(r.TLS.PeerCertificates) == 0 {
-			log.Println(len(r.TLS.PeerCertificates))
-			http.Error(w, "Need certificate", 403)
-			return
-		}
-		opts := x509.VerifyOptions{Roots: h.certPool, KeyUsages: sslUsage}
-		if _, err := r.TLS.PeerCertificates[0].Verify(opts); err != nil {
-			http.Error(w, "Bad certificate", 403)
-			return
-		}
-
-		webuser := strings.Replace(r.TLS.PeerCertificates[0].Subject.CommonName, " ", "", -1)
-	*/
-	//TODO security
-
-	webuser := "xavier"
-
-	log.Printf("%s is connected via the web interfaces\n", webuser)
-
 	req, err := parseJsonQuery(r)
 	if err != nil {
 		log.Println(err)
@ -135,54 +73,40 @@ func (h *HttpServer) ajaxHandler(w http.ResponseWriter, r *http.Request) {
 	}

 	switch req.Action {
+	case "get-remotes":
+		jsonStr, err = json.Marshal(h.ovpn)
+	case "set-remote":
+		err = h.ovpn.SetRemote(req.Params.Server, req.Params.Session)
+		jsonStr = []byte("{\"status\": \"ok\"}")
+	case "version":
+		err, version := h.ovpn.Version()
+		if err != nil {
+			break
+		}
+		jsonStr, err = json.Marshal(version)
 	case "stats":
 	case "kill":
 	default:
-		http.Error(w, "Invalid request", 500)
+		err = errors.New("Invalid request")
 	}
+
+	if err != nil {
+		http.Error(w, fmt.Sprintf("Error : %s", err), 500)
+		return
+	}
+	fmt.Fprintf(w, "%s", jsonStr)
+
 	return
 }

-func NewHTTPServer(port, key, cert, ca, minProfile string, neededProfiles []string, s *OpenVpnMgt) {
+func NewHTTPServer(port string, s *OpenVpnMgt) {
 	h := &HttpServer{
 		Port: port,
 		ovpn: s,
-		key:            key,
-		cert:           cert,
-		minProfile:     minProfile,
-		neededProfiles: neededProfiles,
 	}

-	http.HandleFunc("/help", h.helpHandler)
 	http.HandleFunc("/ajax", h.ajaxHandler)
-	http.HandleFunc("/version", h.versionHandler)
 	http.HandleFunc("/", h.handler)

-	switch {
-	case key == "" || cert == "":
 	log.Fatal(http.ListenAndServe(port, nil))
-	case ca != "":
-		h.certPool = x509.NewCertPool()
-		fi, err := os.Open(ca)
-		if err != nil {
-			log.Fatal(err)
-		}
-		defer fi.Close()
-		buf := new(bytes.Buffer)
-		reader := bufio.NewReader(fi)
-		io.Copy(buf, reader)
-		if ok := h.certPool.AppendCertsFromPEM(buf.Bytes()); !ok {
-			log.Fatal("Failed to append PEM.")
-		}
-		server := &http.Server{
-			Addr: port,
-			TLSConfig: &tls.Config{
-				ClientAuth: tls.RequireAndVerifyClientCert,
-				ClientCAs:  h.certPool,
-			},
-		}
-		log.Fatal(server.ListenAndServeTLS(cert, key))
-	default:
-		log.Fatal(http.ListenAndServeTLS(port, cert, key, nil))
-	}
 }
--- a/main.go
+++ b/main.go
@ -29,34 +29,23 @@ func main() {
 	// seed the prng
 	rand.Seed(time.Now().UnixNano())

-	server := NewVPNServer(config.GetString("config.openvpnPort", "127.0.0.01:5000"))
+	server := NewVPNServer(config.GetString("config.openvpnPort", "127.0.0.01:5000"), *debug)

-	server.syslog = false
 	if *logToSyslog {
 		log.SetFlags(0)
-		server.syslog = true
-		logWriter, e := syslog.New(syslog.LOG_NOTICE, "vpnauth")
+		logWriter, e := syslog.New(syslog.LOG_NOTICE, "vpncontrol")
 		if e == nil {
 			log.SetOutput(logWriter)
 			defer logWriter.Close()
 		}
 	}

-	server.debug = false
-	if *debug {
-		server.debug = true
-	}
-
-	log.Println(getServerList("https://www.expressvpn.com/vpn-server"))
-
 	// time to start the listeners
-	go server.Run()
-	NewHTTPServer(
+	go NewHTTPServer(
 		config.GetString("config.http.port", "127.0.0.01:8080"),
-		config.GetString("config.http.key", ""),
-		config.GetString("config.http.cert", ""),
-		config.GetString("config.http.ca", ""),
-		config.GetString("config.http.startAuth", "CORP"),
-		parseConfigArray(config, "config.http.reqAuth"),
 		server)
+	server.Run()
+
+	// server.Run() should never end
+	os.Exit(1)
 }
--- a/openvpn.go
+++ b/openvpn.go
@ -0,0 +1,113 @@
+package main
+
+import (
+	"bufio"
+	"fmt"
+	"net"
+	"sync"
+)
+
+type OpenVpnSrv struct {
+	Remote   string `json:"active-vpn"`
+	Status   string `json:"status"`
+	hold     bool
+	chanHold chan bool
+	m        sync.RWMutex
+	ret      chan []string
+	buf      *bufio.ReadWriter
+}
+
+func (s *OpenVpnSrv) Lock() {
+	s.m.Lock()
+}
+
+func (s *OpenVpnSrv) Unlock() {
+	s.m.Unlock()
+}
+
+func NewOpenVpnSrv(conn net.Conn) *OpenVpnSrv {
+	return &OpenVpnSrv{
+		buf:      bufio.NewReadWriter(bufio.NewReader(conn), bufio.NewWriter(conn)),
+		hold:     false,
+		chanHold: make(chan bool),
+		ret:      make(chan []string),
+	}
+}
+
+// send a command to the server. Set the channel to receive the response
+func (s *OpenVpnSrv) sendCommand(msg []string) (error, []string) {
+	for _, line := range msg {
+		if _, err := s.buf.WriteString(line + "\r\n"); err != nil {
+			return err, nil
+		}
+	}
+
+	if err := s.buf.Flush(); err != nil {
+		return err, nil
+	}
+
+	// wait for the response
+	ret := <-s.ret
+
+	return nil, ret
+}
+
+func (s *OpenVpnSrv) Response(response []string) {
+	s.Lock()
+	s.ret <- response
+	s.Unlock()
+}
+
+func (s *OpenVpnSrv) GetLine() (string, error) {
+	return s.buf.ReadString('\n')
+}
+
+func (s *OpenVpnSrv) ValidRemote(server, port, proto string) {
+	if s.Remote != "" {
+		s.sendCommand([]string{fmt.Sprintf("remote MOD %s %s %s", s.Remote, port, proto)})
+		s.Status = "Connected"
+		return
+	}
+	s.Remote = server
+	s.sendCommand([]string{"remote ACCEPT"})
+}
+
+func (s *OpenVpnSrv) Kill() {
+}
+
+func (s *OpenVpnSrv) Version() (error, []string) {
+	return s.sendCommand([]string{"version"})
+}
+
+func (s *OpenVpnSrv) SetRemote(server string) error {
+	// already the active server, do nothing
+	if s.Remote == server {
+		return nil
+	}
+
+	if s.Remote != "" {
+		s.Kill()
+	}
+
+	s.Remote = server
+
+	// release Hold if necessary
+	s.ReleaseHold()
+	return nil
+}
+
+func (s *OpenVpnSrv) waitForRelase() {
+	s.hold = true
+	s.Status = "Hold"
+	<-s.chanHold
+	s.sendCommand([]string{"hold release"})
+}
+
+func (s *OpenVpnSrv) ReleaseHold() {
+	if !s.hold {
+		return
+	}
+	s.hold = false
+	s.chanHold <- true
+	s.Status = "Waiting for connexion"
+}
--- a/vpnlist.go
+++ b/vpnlist.go
@ -1,71 +0,0 @@
-package main
-
-// get https://www.expressvpn.com/vpn-server
-// remove everyting starting with >
-// remove until "Not supported" and after What the green checks mean
-
-import (
-	"bufio"
-	"fmt"
-	"net"
-	"net/http"
-	"strings"
-	"time"
-)
-
-func getServerList(url string) []string {
-	ret := []string{}
-	// Create HTTP client with timeout
-	client := &http.Client{
-		Timeout: 30 * time.Second,
-	}
-
-	// Make request
-	response, err := client.Get(url)
-	if err != nil {
-		fmt.Println(err)
-		return nil
-	}
-	defer response.Body.Close()
-
-	buf := bufio.NewReader(bufio.NewReader(response.Body))
-	start := false
-	for {
-		line, err := buf.ReadString('\n')
-		if err != nil {
-			break
-		}
-		line = strings.Trim(line, "\n\r ")
-		if strings.HasPrefix(line, "<") {
-			continue
-		}
-		if line == "Not supported" {
-			start = true
-			continue
-		}
-		if line == "What the green checks mean" {
-			start = false
-		}
-		if !start {
-			continue
-		}
-
-		if line == "" {
-			continue
-		}
-
-		// france-paris-1-ca-version-2.expressnetw.com
-		line = strings.ToLower(line)
-		line = strings.ReplaceAll(line, " &amp; ", "")
-		line = strings.ReplaceAll(line, " ", "")
-
-		name := fmt.Sprintf("%s-ca-version-2.expressnetw.com", line)
-		fmt.Println(name)
-
-		if _, err := net.ResolveIPAddr("ip4", name); err == nil {
-			ret = append(ret, name)
-		}
-	}
-
-	return ret
-}
--- a/vpnserver.go
+++ b/vpnserver.go
@ -1,12 +1,12 @@
 package main

 import (
-	"bufio"
 	"errors"
+	"fmt"
 	"io"
 	"log"
 	"net"
-	"os"
+	"strconv"
 	"strings"
 	"sync"

@ -16,36 +16,49 @@ import (
 // Server represents the server
 type OpenVpnMgt struct {
 	port       string
-	buf    map[string]*bufio.ReadWriter
 	m          sync.RWMutex
-	ret    chan []string
-	syslog bool
 	debug      bool
-	hold   bool
+	VpnRemotes []string            `json:"remotes"`
+	vpnServers map[int]*OpenVpnSrv `json:"sessions"`
 }

 // NewServer returns a pointer to a new server
-func NewVPNServer(port string) *OpenVpnMgt {
+func NewVPNServer(port string, debug bool) *OpenVpnMgt {
 	return &OpenVpnMgt{
 		port:       port,
-		ret:  make(chan []string),
-		buf:  make(map[string]*bufio.ReadWriter),
+		debug:      debug,
+		vpnServers: make(map[int]*OpenVpnSrv),
 	}
 }

+func (s *OpenVpnMgt) Lock() {
+	s.m.Lock()
+}
+
+func (s *OpenVpnMgt) Unlock() {
+	s.m.Unlock()
+}
+
 // Run starts a the server
 func (s *OpenVpnMgt) Run() {
+
+	// get the endpoint list
+	if err := s.getServerList(); err != nil {
+		log.Println(err)
+		return
+	}
+
 	// Resolve the passed port into an address
 	addrs, err := net.ResolveTCPAddr("tcp", s.port)
 	if err != nil {
 		log.Println(err)
-		os.Exit(1)
+		return
 	}
 	// start listening to client connections
 	listener, err := net.ListenTCP("tcp", addrs)
 	if err != nil {
 		log.Println(err)
-		os.Exit(1)
+		return
 	}
 	// Infinite loop since we dont want the server to shut down
 	for {
@ -60,86 +73,59 @@ func (s *OpenVpnMgt) Run() {
 	}
 }

-// send a command to the server. Set the channel to receive the response
-func (s *OpenVpnMgt) sendCommand(msg []string, remote string) (error, []string) {
-	if len(s.buf) == 0 {
-		return errors.New("No openvpn server present"), nil
+func (s *OpenVpnMgt) GetSession(remote int) (error, *OpenVpnSrv) {
+	if vpnServer, ok := s.vpnServers[remote]; ok {
+		return nil, vpnServer
 	}
-	for _, line := range msg {
-		if s.debug {
-			log.Println(line)
-		}
-		if _, err := s.buf[remote].WriteString(line + "\r\n"); err != nil {
-			return err, nil
-		}
-	}
-
-	if err := s.buf[remote].Flush(); err != nil {
-		return err, nil
-	}
-
-	// wait for the response
-	ret := <-s.ret
-
-	if s.debug {
-		for _, line := range ret {
-			log.Println(line)
-		}
-	}
-
-	return nil, ret
+	return errors.New(fmt.Sprintf("unknown session %d", vpnServers)), nil
 }

-// send the help command on all vpn servers. Kind of useless
-func (s *OpenVpnMgt) Help() (error, map[string]map[string]string) {
-	ret := make(map[string]map[string]string)
-	re := rcache.Get("^(.*[^ ])  *: (.*)$")
-	for remote := range s.buf {
-		help := make(map[string]string)
-		err, msg := s.sendCommand([]string{"help"}, remote)
+func (s *OpenVpnMgt) SetRemote(server string, remote int) error {
+	// check if the session is valid
+	err, session := s.GetSession(remote)
 	if err != nil {
-			return err, ret
+		return err
 	}
-		for _, line := range msg {
-			match := re.FindStringSubmatch(line)
-			if len(match) == 0 {
+
+	for _, r := range s.VpnRemotes {
+		if r != server {
 			continue
 		}
-			help[match[1]] = match[2]
+		return session.SetRemote(server)
 	}
-		ret[remote] = help
-	}
-	return nil, ret
+
+	return errors.New(fmt.Sprintf("unknown remote %s", server))
 }

 // send the version command on all vpn servers. Kind of useless
-func (s *OpenVpnMgt) Version() (error, map[string][]string) {
-	ret := make(map[string][]string)
-	for remote := range s.buf {
-		err, msg := s.sendCommand([]string{"version"}, remote)
-		if err != nil {
-			return err, ret
-		}
+func (s *OpenVpnMgt) Version() (error, map[int][]string) {
+	var err error
+	ret := make(map[int][]string)
+	for remote, srv := range s.vpnServers {
+		err, msg := srv.Version()
+		if err == nil {
 			ret[remote] = msg
 		}
-	return nil, ret
+	}
+	return err, ret
 }

 // main loop for a given openvpn server
 func (s *OpenVpnMgt) handleConn(conn net.Conn) {
 	remote := conn.RemoteAddr().String()
+	pidRegexp := rcache.Get("^SUCCESS: pid=([0-9]+)$")
+	//  >REMOTE:vpn.example.com,1194,udp
+	remoteRegexp := rcache.Get("^>REMOTE:(.*),([0-9]*),(.*)$")

 	defer conn.Close()
-	defer delete(s.buf, remote)

-	// we store the buffer pointer in the struct, to be accessed from other methods
-	s.buf[remote] = bufio.NewReadWriter(bufio.NewReader(conn), bufio.NewWriter(conn))
+	vpnServer := NewOpenVpnSrv(conn)

 	// most response are multilined, use response to concatenate them
 	response := []string{}

 	// remove bogus clients
-	line, err := s.buf[remote].ReadString('\n')
+	line, err := vpnServer.session.GetLine()
 	if err != nil {
 		log.Println(err)
 		return
@ -151,8 +137,10 @@ func (s *OpenVpnMgt) handleConn(conn net.Conn) {

 	log.Printf("Valid openvpn connected from %s\n", remote)

+	go session.sendCommand([]string{"pid"})
+
 	for {
-		line, err := s.buf[remote].ReadString('\n')
+		line, err := session.GetLine()

 		// manage basic errors
 		switch {
@ -165,6 +153,10 @@ func (s *OpenVpnMgt) handleConn(conn net.Conn) {
 		}
 		line = strings.Trim(line, "\n\r ")

+		if s.debug && strings.Index(line, "password") == -1 {
+			log.Print(line)
+		}
+
 		// manage exit commands
 		for _, terminator := range []string{"quit", "exit"} {
 			if line == terminator || strings.HasPrefix(line, terminator+" ") {
@ -173,28 +165,36 @@ func (s *OpenVpnMgt) handleConn(conn net.Conn) {
 			}
 		}

+		// get the PID
+		match := pidRegexp.FindStringSubmatch(line)
+		if len(match) == 2 {
+			pid, _ := strconv.Atoi(match[1])
+			s.Lock()
+			s.vpnServers[pid] = vpnServer
+			s.Unlock()
+			defer delete(s.vpnServers, pid)
+		}
+
 		// manage all "terminator" lines
 		for _, terminator := range []string{"END", ">CLIENT:ENV,END", "SUCCESS", "ERROR"} {
 			if strings.HasPrefix(line, terminator) {
-				s.ret <- response
+				vpnServer.Response(response)
 				response = nil
 				line = ""
 				break
 			}
 		}

+		remoteMatch := remoteRegexp.FindStringSubmatch(line)
 		switch {
 		// command successfull, we can ignore
 		case strings.HasPrefix(line, ">SUCCESS: client-deny command succeeded"):
 		case strings.HasPrefix(line, ">HOLD"):
-			s.sendCommand([]string{"hold release"}, remote)
-		case strings.HasPrefix(line, ">REMOTE"):
-			s.sendCommand([]string{"remote ACCEPT"}, remote)
+			go vpnServer.waitForRelase()
+		case len(remoteMatch) > 0:
+			go vpnServer.ValidRemote(remoteMatch[1], remoteMatch[2], remoteMatch[3])
 		default:
 			response = append(response, line)
 		}
-		if s.debug && strings.Index(line, "password") == -1 {
-			log.Print(line)
-		}
 	}
 }