-
Notifications
You must be signed in to change notification settings - Fork 69
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #762 from dmick/wip-add-sepia-client-tools
Add openvpn client tools (the sepia-vpn-client.tar.gz stuff) for tracking/improvement
- Loading branch information
Showing
5 changed files
with
147 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| #!/bin/bash | ||
| # | ||
| # make a tarball for distribution of this configuration and | ||
| # secret generator | ||
| # | ||
| tar cfz sepia-vpn-client.tar.gz sepia/ca.crt sepia/client.conf sepia/new-client sepia/tlsauth |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| -----BEGIN CERTIFICATE----- | ||
| MIIDVzCCAj+gAwIBAgIUOAVvdnT5AeNHmQVerBNGyBipF+0wDQYJKoZIhvcNAQEL | ||
| BQAwGjEYMBYGA1UEAwwPb3BlbnZwbmNhLXNlcGlhMB4XDTI0MTIwMjE3MTc1MloX | ||
| DTM0MTEzMDE3MTc1MlowGjEYMBYGA1UEAwwPb3BlbnZwbmNhLXNlcGlhMIIBIjAN | ||
| BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApPbQdUr74nVphtcdV9VhJs1cgKGq | ||
| iZNBRdVxW92JurMJuIJXSiBwGochYTs4NQprlD5jYStnpzoe7c1HsFKwVEY3xSmT | ||
| h7wdj0JIRgAdspG2XxxSU63k2t4Ezm6z7W7jnRvXjNhD55AMpxHAQpS0YhpxTm95 | ||
| SJDlk7gCmdIN087ioTYW8Fh+NI/ASjz5m3XWjsF/mTOHLYmlRL4bSWLwpKXuxpPW | ||
| YVeScyDC6olc0MOfNKihxY3Q4IJiLcBPXQhGp3pnKCSut+f+nHu+sSLssliuvGBh | ||
| 6rn5c/5TceGbVvK1BX53F5Znx/AGC7XEEXKddUQbZDVN8pg1VygKt8tDIQIDAQAB | ||
| o4GUMIGRMB0GA1UdDgQWBBSCoc5pUrxKfAoguqWqY25PhYuYrjBVBgNVHSMETjBM | ||
| gBSCoc5pUrxKfAoguqWqY25PhYuYrqEepBwwGjEYMBYGA1UEAwwPb3BlbnZwbmNh | ||
| LXNlcGlhghQ4BW92dPkB40eZBV6sE0bIGKkX7TAMBgNVHRMEBTADAQH/MAsGA1Ud | ||
| DwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAIPJAeutTT6llsHQcC8CUPxSGe98l | ||
| IPGHFX3AE9tRU1C2jfsidovNnxfpYksctjVcv3Zo6UbY6w83+UXciu4uusfjgJ/X | ||
| dc5na7J+PCNcgNY34fsFmX4yQNF7ffTEUAS91FJ2bXs+Ob/dIQvZ0ZJopLia4C0m | ||
| IT0DJfQV6Xx+R+mQ+MB1c2bmW17C88PCOygTUyn8ssrUkttkrf9xebp2TqyggdSH | ||
| myw4nD/iQz+l7lwmDitEJY6cyLBDihhpKEyeCcIMp2+ytEsqaCKOASvjKnG24O19 | ||
| N0+ctqX/JPZzCEEpYhlFtZEFKjnYV7DiGvC6GiGZAMWNB3oY2bm+Gf2mNQ== | ||
| -----END CERTIFICATE----- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| script-security 1 | ||
| client | ||
| remote vpn.sepia.ceph.com 1194 | ||
| dev tun | ||
| remote-random | ||
| resolv-retry infinite | ||
| nobind | ||
| user nobody | ||
| group nogroup | ||
| persist-tun | ||
| persist-key | ||
| comp-lzo | ||
| verb 2 | ||
| mute 10 | ||
| remote-cert-tls server | ||
| tls-auth sepia/tlsauth 1 | ||
| ca sepia/ca.crt | ||
| auth-user-pass sepia/secret |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,82 @@ | ||
| #!/usr/bin/python3 | ||
|
|
||
| # How to set up a client (on Ubuntu/Debian): | ||
| # | ||
| # sudo apt-get install openvpn | ||
| # cd /etc/openvpn | ||
| # sudo tar xvzf ~/sepia-vpn-client.tar.gz | ||
| # sudo ./sepia/new-client MYUSERNAME@MYHOST | ||
| # | ||
| # ... submit the secret to admin and wait for acknowledgment ... | ||
| # | ||
| # sudo service openvpn start sepia | ||
|
|
||
| import base64 | ||
| import datetime | ||
| import hashlib | ||
| import os | ||
| import re | ||
| import sys | ||
| import tarfile | ||
|
|
||
| path = os.path.dirname(sys.argv[0]) | ||
| os.chdir(path) | ||
|
|
||
| try: | ||
| (user,) = sys.argv[1:] | ||
| except ValueError: | ||
| raise SystemExit('Usage: new-client USERNAME@HOST') | ||
|
|
||
| # From openvpn(8): | ||
| # | ||
| # To protect against a client passing a maliciously formed username or | ||
| # password string, the username string must consist only of these | ||
| # characters: alphanumeric, underbar ('_'), dash ('-'), dot ('.'), or | ||
| # at ('@'). The password string can consist of any printable | ||
| # characters except for CR or LF. Any illegal characters in either the | ||
| # username or password string will be converted to underbar ('_'). | ||
| # | ||
| # Verifying this here to avoid confusion down the road. | ||
| if not re.match(r'^[a-zA-Z0-9_.@-]+$', user): | ||
| raise SystemExit('new-client: Invalid characters in username') | ||
|
|
||
| salt = base64.b64encode(os.urandom(16)).rstrip(b'=') | ||
| secret = base64.b64encode(os.urandom(64)).rstrip(b'=') | ||
|
|
||
| inner = hashlib.new('sha256') | ||
| inner.update(salt) | ||
| inner.update(secret) | ||
| outer = hashlib.new('sha256') | ||
| outer.update(inner.digest()) | ||
| outer.update(salt) | ||
| hashed = outer.hexdigest() | ||
|
|
||
| with open('secret', 'wb') as f: | ||
| os.fchmod(f.fileno(), 0o600) | ||
| f.write('{user}\n{secret}\n'.format(user=user, secret=secret.decode()).encode('utf-8')) | ||
|
|
||
| base = os.path.basename(path) | ||
| os.symlink(os.path.join(base, 'client.conf'), '../sepia.conf') | ||
|
|
||
| sys.stdout.write( | ||
| "\n!!!!! DO NOT RUN THIS SCRIPT MORE THAN ONCE !!!!!\n\nPlease paste the following line in your Sepia Lab Access Request tracker ticket:\n\n") | ||
| sys.stdout.write("{user} {salt} {hashed}\n\n".format( | ||
| user=user, | ||
| salt=salt.decode('utf-8'), | ||
| hashed=hashed, | ||
| )) | ||
|
|
||
| with open('secret.hash', 'w') as f: | ||
| f.write(f"{user} {salt.decode('utf-8')} {hashed}") | ||
|
|
||
| datestr = datetime.datetime.now().strftime('%Y%m%d_%H%M%S') | ||
| tarfilename = f'secrets.{datestr}.tar.gz' | ||
| tarfile = tarfile.open(tarfilename, 'w:gz') | ||
| for f in ['secret', 'secret.hash']: | ||
| tarfile.add(f) | ||
| tarfile.close() | ||
|
|
||
| sys.stdout.write(f""" | ||
| The secret file (private to you) and secret.hash (the above hashed secret | ||
| information, to be placed on the OpenVPN server) are a matched pair. | ||
| They've been placed into {tarfilename} for safekeeping.""") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| # | ||
| # 2048 bit OpenVPN static key | ||
| # | ||
| -----BEGIN OpenVPN Static key V1----- | ||
| 45839625d348b4d5c0af603d94110313 | ||
| 9d6960d0b3c3b22365f0e5ded5281664 | ||
| 3473d1ece7bfc8fcb990232886aec346 | ||
| db726c28f8f6423648a7274d975abd1a | ||
| 587953b38323cf13b763724d5c8e2b77 | ||
| b6a9d12ca751d8e3de0e56be37300855 | ||
| e6864c047148a30cb0b7d87fbd7f5f80 | ||
| d19c05a808ba1b48e9a8139051b63e47 | ||
| 02ab07478c34d75f77d16ecafcaae81c | ||
| 303c64f334e73d9b6ba71d2397941402 | ||
| 51bbd5ab903e89a85cf05ae1158e6258 | ||
| d39b9f9e9a3b00cd96d6b6c8a3b93bf1 | ||
| 9fd3fab9ce8513a525a55feb731ca46c | ||
| 185555b2771351422b703b2c3ecbc809 | ||
| 05cf68e6fd95226c5a45adc01e7645e6 | ||
| aaadeb236c0f44fb42c01decd819e849 | ||
| -----END OpenVPN Static key V1----- |