openvpn-mgt/vpnserver.go

395 lines
9.3 KiB
Go

package main
import (
"bufio"
"errors"
"fmt"
"io"
"log"
"net"
"os"
"strconv"
"strings"
"sync"
hibp "github.com/mattevans/pwned-passwords"
"github.com/pyke369/golang-support/rcache"
)
// Server represents the server
type OpenVpnMgt struct {
port string
buf map[string]*bufio.ReadWriter
m sync.RWMutex
ret chan []string
ldap map[string]ldapConfig
clients map[string]map[int]*vpnSession
authCa string
vpnlogUrl string
mailRelay string
MailFrom string
CcPwnPassword string
pwnTemplate string
newAsTemplate string
cacheDir string
syslog bool
otpMasterSecrets []string
hibpClient *hibp.Client
debug bool
}
// NewServer returns a pointer to a new server
func NewVPNServer(port string) *OpenVpnMgt {
return &OpenVpnMgt{
port: port,
ret: make(chan []string),
ldap: make(map[string]ldapConfig),
buf: make(map[string]*bufio.ReadWriter),
clients: make(map[string]map[int]*vpnSession),
hibpClient: hibp.NewClient(),
}
}
// Run starts a the server
func (s *OpenVpnMgt) Run() {
// Resolve the passed port into an address
addrs, err := net.ResolveTCPAddr("tcp", s.port)
if err != nil {
log.Println(err)
os.Exit(1)
}
// start listening to client connections
listener, err := net.ListenTCP("tcp", addrs)
if err != nil {
log.Println(err)
os.Exit(1)
}
// Infinite loop since we dont want the server to shut down
for {
// Accept the incomming connections
conn, err := listener.Accept()
if err != nil {
// continue accepting connection even if an error occurs (if error occurs dont shut down)
continue
}
// run it as a go routine to allow multiple clients to connect at the same time
go s.handleConn(conn)
}
}
func (s *OpenVpnMgt) CheckPwn(c *vpnSession) error {
c.LogPrintln("checking pwn password")
pwned, err := s.hibpClient.Pwned.Compromised(c.password)
if err != nil {
return err
}
c.PwnedPasswd = pwned
return nil
}
// send a command to the server. Set the channel to receive the response
func (s *OpenVpnMgt) sendCommand(msg []string, remote string) (error, []string) {
if len(s.buf) == 0 {
return errors.New("No openvpn server present"), nil
}
for _, line := range msg {
if s.debug {
log.Println(line)
}
if _, err := s.buf[remote].WriteString(line + "\r\n"); err != nil {
return err, nil
}
}
if err := s.buf[remote].Flush(); err != nil {
return err, nil
}
// wait for the response
ret := <-s.ret
if s.debug {
for _, line := range ret {
log.Println(line)
}
}
return nil, ret
}
// send the list of all connected clients
func (s *OpenVpnMgt) Stats() map[string]map[int]*vpnSession {
return s.clients
}
func (s *OpenVpnMgt) Kill(session string, id int) error {
if _, ok := s.clients[session]; !ok {
return errors.New("unknown session")
}
if _, ok := s.clients[session][id]; !ok {
return errors.New("unknown session id")
}
err, _ := s.sendCommand([]string{fmt.Sprintf("client-kill %d", id)}, session)
return err
}
// send the help command on all vpn servers. Kind of useless
func (s *OpenVpnMgt) Help() (error, map[string]map[string]string) {
ret := make(map[string]map[string]string)
re := rcache.Get("^(.*[^ ]) *: (.*)$")
for remote := range s.buf {
help := make(map[string]string)
err, msg := s.sendCommand([]string{"help"}, remote)
if err != nil {
return err, ret
}
for _, line := range msg {
match := re.FindStringSubmatch(line)
if len(match) == 0 {
continue
}
help[match[1]] = match[2]
}
ret[remote] = help
}
return nil, ret
}
// send the version command on all vpn servers. Kind of useless
func (s *OpenVpnMgt) Version() (error, map[string][]string) {
ret := make(map[string][]string)
for remote := range s.buf {
err, msg := s.sendCommand([]string{"version"}, remote)
if err != nil {
return err, ret
}
ret[remote] = msg
}
return nil, ret
}
// called after a client is confirmed connected and authenticated
func (s *OpenVpnMgt) ClientValidated(line, remote string) {
err, c := s.getClient(line, remote)
if err != nil {
log.Println(err, line)
return
}
c.Status = "success"
infos := <-s.ret
if err := c.ParseEnv(s, &infos); err != nil {
log.Println(err)
}
s.Log(c)
}
// called after a client is disconnected, including for auth issues
func (s *OpenVpnMgt) ClientDisconnect(line, remote string) {
err, c := s.getClient(line, remote)
if err != nil {
log.Println(err)
return
}
<-s.ret
// if the disconnect is due to an auth failure, don't change the status
if c.Status == "success" {
c.Operation = "log out"
}
// Don't log the initial auth failure due to absence of OTP code
// And don't log the auth failure during re auth
if c.Operation != "re auth" && c.Status != "Need OTP Code" {
s.Log(c)
}
defer delete(s.clients[remote], c.cID)
}
// called at the initial connexion
func (s *OpenVpnMgt) ClientConnect(line, remote string) {
c := NewVPNSession()
c.vpnserver = remote
c.ParseSessionId(line)
s.clients[remote][c.cID] = c
infos := <-s.ret
if err := c.ParseEnv(s, &infos); err != nil {
log.Println(err)
return
}
c.Auth(s)
}
func (s *OpenVpnMgt) ClientReAuth(line, remote string) {
err, c := s.getClient(line, remote)
if err != nil {
log.Println(err, line)
return
}
c.ParseSessionId(line)
infos := <-s.ret
if err := c.ParseEnv(s, &infos); err != nil {
log.Println(err)
return
}
// reset some values
c.Profile = ""
c.Status = "system failure"
c.Operation = "re auth"
c.Auth(s)
}
// find a client among all registered sessions
func (s *OpenVpnMgt) getClient(line, remote string) (error, *vpnSession) {
re := rcache.Get("^[^0-9]*,([0-9]+)[^0-9]*")
match := re.FindStringSubmatch(line)
if len(match) == 0 {
return errors.New("invalid message"), nil
}
id, err := strconv.Atoi(match[1])
if err != nil {
return err, nil
}
if _, ok := s.clients[remote]; !ok {
return errors.New("unknown vpn server"), nil
}
if c, ok := s.clients[remote][id]; ok {
return nil, c
}
return errors.New("unknown vpn client"), nil
}
// update counters
func (s *OpenVpnMgt) updateCounters(line, remote string) {
p := strings.Split(strings.Replace(line, ":", ",", 1), ",")
err, c := s.getClient(p[0]+","+p[1], remote)
if err != nil {
log.Println(err, line)
return
}
if c.BwWrite, err = strconv.Atoi(p[2]); err != nil {
c.LogPrintln(err)
return
}
if c.BwRead, err = strconv.Atoi(p[3]); err != nil {
c.LogPrintln(err)
return
}
return
}
// main loop for a given openvpn server
func (s *OpenVpnMgt) handleConn(conn net.Conn) {
remote := conn.RemoteAddr().String()
defer conn.Close()
defer delete(s.buf, remote)
defer delete(s.clients, remote)
// we store the buffer pointer in the struct, to be accessed from other methods
s.buf[remote] = bufio.NewReadWriter(bufio.NewReader(conn), bufio.NewWriter(conn))
s.clients[remote] = make(map[int]*vpnSession)
// most response are multilined, use response to concatenate them
response := []string{}
// remove bogus clients
line, err := s.buf[remote].ReadString('\n')
if err != nil {
log.Println(err)
return
}
if line != ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info\r\n" {
log.Println("Bogus Client")
return
}
// ask for statistics
if _, err := s.buf[remote].WriteString("bytecount 30\r\n"); err != nil {
log.Println(err)
return
}
if err := s.buf[remote].Flush(); err != nil {
log.Println(err)
return
}
if line, err := s.buf[remote].ReadString('\n'); err != nil ||
line != "SUCCESS: bytecount interval changed\r\n" {
log.Println("Bogus Client")
return
}
log.Printf("Valid openvpn connected from %s\n", remote)
for {
line, err := s.buf[remote].ReadString('\n')
// manage basic errors
switch {
case err == io.EOF:
log.Println("Reached EOF - close this connection.\n")
return
case err != nil:
log.Println("Error reading line. Got: '"+line+"'\n", err)
return
}
line = strings.Trim(line, "\n\r ")
// manage exit commands
for _, terminator := range []string{"quit", "exit"} {
if line == terminator || strings.HasPrefix(line, terminator+" ") {
log.Println("server disconnected")
return
}
}
// manage all "terminator" lines
for _, terminator := range []string{"END", ">CLIENT:ENV,END", "SUCCESS", "ERROR"} {
if strings.HasPrefix(line, terminator) {
s.ret <- response
response = nil
line = ""
break
}
}
switch {
// command successfull, we can ignore
case strings.HasPrefix(line, ">SUCCESS: client-deny command succeeded"):
// trafic stats
case strings.HasPrefix(line, ">BYTECOUNT_CLI"):
go s.updateCounters(line, remote)
// new bloc for a disconnect event.
// We start the receiving handler, which will wait for the Channel message
case strings.HasPrefix(line, ">CLIENT:DISCONNECT"):
go s.ClientDisconnect(line, remote)
// new bloc for a connect event.
// We start the receiving handler, which will wait for the Channel message
case strings.HasPrefix(line, ">CLIENT:ADDRESS"):
case strings.HasPrefix(line, ">CLIENT:ESTABLISHED"):
go s.ClientValidated(line, remote)
case strings.HasPrefix(line, ">CLIENT:CONNECT"):
go s.ClientConnect(line, remote)
case strings.HasPrefix(line, ">CLIENT:REAUTH"):
go s.ClientReAuth(line, remote)
default:
response = append(response, line)
}
if s.debug && strings.Index(line, "password") == -1 {
log.Print(line)
}
}
}