
Rewrite OpenVPN interface/op-commands in new style XML/Python
Closed, Resolved | Public | Feature Request

Description

Progress can be tracked here: https://github.com/c-po/vyos-1x/tree/t1548-openvpn

Todo

  • make sure OpenVPN no longer runs as user root - use nobody instead
  • write show commands in new style XML
  • remove vyatta-openvpn from vyos-worldpackage and scripts/build-packages
  • disable vyatta-openvpn Jenkins Job and remove it from the package repo

Details

Difficulty level
Hard (possibly days)
Version
-
Why the issue appeared?
Will be filled on close

Event Timeline

c-po created this task. Jul 26 2019, 9:21 PM
c-po changed the task status from Open to In progress. Jul 26 2019, 9:31 PM
c-po claimed this task.
c-po triaged this task as Normal priority.
c-po changed Difficulty level from Unknown (require assessment) to Hard (possibly days).
c-po updated the task description. Aug 14 2019, 10:59 AM
c-po updated the task description.
c-po renamed this task from "Rewrite OpenVPN interface in new style XML syntax" to "Rewrite OpenVPN interface/op-commands in new style XML/Python". Aug 14 2019, 11:01 AM
c-po updated the task description.
pasik added a subscriber: pasik. Aug 16 2019, 10:39 PM
c-po changed the task status from In progress to Needs testing. Aug 17 2019, 12:22 AM
c-po updated the task description.
c-po added a comment. (Edited) Aug 17 2019, 9:51 AM

Test cases

OpenVPN site-to-site

Site 1
set interfaces openvpn vtun1 local-address '10.255.1.2'
set interfaces openvpn vtun1 local-host '172.18.201.10'
set interfaces openvpn vtun1 local-port '1195'
set interfaces openvpn vtun1 mode 'site-to-site'
set interfaces openvpn vtun1 persistent-tunnel
set interfaces openvpn vtun1 protocol 'udp'
set interfaces openvpn vtun1 remote-address '10.255.1.1'
set interfaces openvpn vtun1 remote-host '172.18.202.10'
set interfaces openvpn vtun1 remote-port '1195'
set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key'
Site 2
set interfaces openvpn vtun1 local-address '10.255.1.1'
set interfaces openvpn vtun1 local-host '172.18.202.10'
set interfaces openvpn vtun1 local-port '1195'
set interfaces openvpn vtun1 mode 'site-to-site'
set interfaces openvpn vtun1 persistent-tunnel
set interfaces openvpn vtun1 protocol 'udp'
set interfaces openvpn vtun1 remote-address '10.255.1.2'
set interfaces openvpn vtun1 remote-host '172.18.201.10'
set interfaces openvpn vtun1 remote-port '1195'
set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key'

OpenVPN Server <-> Client (with static client ip)

Site 1 (server)
set interfaces openvpn vtun10 encryption 'aes256'
set interfaces openvpn vtun10 hash 'sha512'
set interfaces openvpn vtun10 local-host '172.18.201.10'
set interfaces openvpn vtun10 local-port '1194'
set interfaces openvpn vtun10 mode 'server'
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol 'udp'
set interfaces openvpn vtun10 server client client1 ip '10.10.0.10'
set interfaces openvpn vtun10 server client client1 push-route '194.145.150.0/23'
set interfaces openvpn vtun10 server client client1 subnet '192.0.2.0/24'
set interfaces openvpn vtun10 server domain-name 'vyos.net'
set interfaces openvpn vtun10 server max-connections '250'
set interfaces openvpn vtun10 server name-server '172.16.254.30'
set interfaces openvpn vtun10 server subnet '10.10.0.0/24'
set interfaces openvpn vtun10 server topology 'subnet'
set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/ca.crt'
set interfaces openvpn vtun10 tls cert-file '/config/auth/server.crt'
set interfaces openvpn vtun10 tls dh-file '/config/auth/dh.pem'
set interfaces openvpn vtun10 tls key-file '/config/auth/server.key'
set interfaces openvpn vtun10 use-lzo-compression
Site 2 (client)
set interfaces openvpn vtun10 encryption 'aes256'
set interfaces openvpn vtun10 hash 'sha512'
set interfaces openvpn vtun10 mode 'client'
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol 'udp'
set interfaces openvpn vtun10 remote-host '172.18.201.10'
set interfaces openvpn vtun10 remote-port '1194'
set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/ca.crt'
set interfaces openvpn vtun10 tls cert-file '/config/auth/client1.crt'
set interfaces openvpn vtun10 tls key-file '/config/auth/client1.key'
set interfaces openvpn vtun10 use-lzo-compression
c-po updated the task description. Aug 19 2019, 8:53 PM
c-po added a comment. (Edited) Aug 26 2019, 10:03 AM
vyos@vyos:~$ show openvpn site-to-site
OpenVPN status on vtun1

Client CN       Remote Host           Local Host           TX bytes    RX bytes   Connected Since
---------       -----------           ----------           --------    --------   ---------------
None (PSK)      N/A                   172.18.201.10:1195   3.3 KB      3.3 KB     N/A


vyos@vyos:~$ show openvpn server
OpenVPN status on vtun10

Client CN       Remote Host           Local Host           TX bytes    RX bytes   Connected Since
---------       -----------           ----------           --------    --------   ---------------
client1         172.18.202.10:58644   172.18.201.10:1194   66.2 KB     66.2 KB    Mon Aug 26 11:47:56 2019
client3         172.18.204.10:52641   172.18.201.10:1194   65.8 KB     65.8 KB    Mon Aug 26 11:47:58 2019

OpenVPN status on vtun11

Client CN       Remote Host           Local Host           TX bytes    RX bytes   Connected Since
---------       -----------           ----------           --------    --------   ---------------
client2         172.18.203.10:39472   172.18.201.10:1200   64.2 KB     64.2 KB    Mon Aug 26 11:50:30 2019
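As an added example (not VyOS or OpenVPN code, and not from this task), here is how the "show openvpn" tables above can be produced in Python from OpenVPN's version-1 status file: the status file layout is assumed, the sample file is constructed, and the local host column comes from the interface configuration because the status file does not carry it.

```python
"""Added example (not VyOS or OpenVPN code): parse an OpenVPN version-1
status file and render it like the 'show openvpn' tables above."""

# Constructed sample in the assumed status-version 1 layout.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Mon Aug 26 11:50:00 2019
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,172.18.202.10:58644,67789,67789,Mon Aug 26 11:47:56 2019
client3,172.18.204.10:52641,67379,67379,Mon Aug 26 11:47:58 2019
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
END
"""

HDR = ("Client CN", "Remote Host", "Local Host", "TX bytes", "RX bytes", "Connected Since")
FMT = "%-15s %-21s %-20s %-11s %-10s %s"


def human_bytes(n):
    """Scale a byte count the way the table above does (67789 -> '66.2 KB')."""
    units, size, idx = ("bytes", "KB", "MB", "GB"), float(n), 0
    while size >= 1024 and idx < len(units) - 1:
        size, idx = size / 1024.0, idx + 1
    return "%d bytes" % n if idx == 0 else "%.1f %s" % (size, units[idx])


def parse_status(text):
    """One dict per client from the CLIENT LIST section only. Assumes CNs have
    no commas; malformed rows are skipped so one stray line cannot break the op-command."""
    clients, in_list = [], False
    for line in text.splitlines():
        if line.startswith("Common Name,"):
            in_list = True
        elif line.startswith("ROUTING TABLE"):
            break
        elif in_list:
            f = line.split(",")
            if len(f) == 5 and f[2].isdigit() and f[3].isdigit():
                clients.append({"cn": f[0], "remote": f[1], "rx": int(f[2]),
                                "tx": int(f[3]), "since": f[4]})
    return clients


def render_table(intf, local_host, clients):
    """local_host comes from the interface config, not from the status file."""
    rows = ["OpenVPN status on %s" % intf, "", FMT % HDR,
            FMT % tuple("-" * len(h) for h in HDR)]
    for c in clients:
        rows.append(FMT % (c["cn"], c["remote"], local_host,
                           human_bytes(c["tx"]), human_bytes(c["rx"]), c["since"]))
    return "\n".join(rows)
```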
c-po closed this task as Resolved. Aug 26 2019, 11:20 AM
c-po updated the task description.
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board. Nov 12 2019, 9:18 PM