Commit 1f6f67aa authored by Julien Muchembled's avatar Julien Muchembled

Simplify by setting re6st IP on loopback interface by default

parent 5510b020
#!/usr/bin/python -S #!/usr/bin/python -S
import os import os, sys
import sys
script_type = os.environ['script_type'] if os.environ['script_type'] == 'client-connect':
arg1 = sys.argv[1] # Send client its external ip address
with open(sys.argv[2], 'w') as f:
if script_type == 'up': f.write('push "setenv-safe external_ip %s"\n'
import subprocess % os.environ['trusted_ip'])
def call(*args):
r = subprocess.call(args)
if r:
sys.exit(r)
dev = os.environ['dev']
call('ip', 'link', 'set', dev, 'up')
if arg1 != 'None':
call('ip', 'addr', 'add', arg1, 'dev', dev)
else: # Write into pipe connect/disconnect events
if script_type == 'client-connect': arg1 = sys.argv[1]
# Send client its external ip address if arg1 != 'None':
with open(sys.argv[2], 'w') as f: os.write(int(arg1), '%(script_type)s %(common_name)s\n' % os.environ)
f.write('push "setenv-safe external_ip %s"\n'
% os.environ['trusted_ip'])
# Write into pipe connect/disconnect events
if arg1 != 'None':
os.write(int(arg1), '%(script_type)s %(common_name)s\n' % os.environ)
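Review bot: The event written to the pipe on the last line uses a space and a newline as delimiters around `common_name`, and nothing checks that the CN contains neither, so any reader that splits on whitespace would mis-frame a CN with embedded spaces or newlines. In re6st the CN is presumably issued by the registry, which would make this unreachable, but stating the assumption makes it explicit: `# framing relies on common_name (set by the registry) containing no whitespace`. With the server's own `--up` gone, this script is only ever run for client-connect and client-disconnect events, which a header comment such as `# OpenVPN client-connect/client-disconnect hook: push external_ip, then report the event on the pipe fd given as argv[1]` would make clear to the next reader.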
...@@ -13,6 +13,7 @@ def openvpn(iface, encrypt, *args, **kw): ...@@ -13,6 +13,7 @@ def openvpn(iface, encrypt, *args, **kw):
'--persist-tun', '--persist-tun',
'--persist-key', '--persist-key',
'--script-security', '2', '--script-security', '2',
'--up', ovpn_client,
#'--user', 'nobody', '--group', 'nogroup', #'--user', 'nobody', '--group', 'nogroup',
] + list(args) ] + list(args)
if ovpn_log: if ovpn_log:
...@@ -23,14 +24,13 @@ def openvpn(iface, encrypt, *args, **kw): ...@@ -23,14 +24,13 @@ def openvpn(iface, encrypt, *args, **kw):
return subprocess.Popen(args, **kw) return subprocess.Popen(args, **kw)
def server(iface, my_ip, max_clients, dh_path, pipe_fd, port, proto, encrypt, *args, **kw): def server(iface, max_clients, dh_path, pipe_fd, port, proto, encrypt, *args, **kw):
client_script = '%s %s' % (ovpn_server, pipe_fd) client_script = '%s %s' % (ovpn_server, pipe_fd)
if pipe_fd is not None: if pipe_fd is not None:
args = ('--client-disconnect', client_script) + args args = ('--client-disconnect', client_script) + args
return openvpn(iface, encrypt, return openvpn(iface, encrypt,
'--tls-server', '--tls-server',
'--mode', 'server', '--mode', 'server',
'--up', '%s %s' % (ovpn_server, my_ip),
'--client-connect', client_script, '--client-connect', client_script,
'--dh', dh_path, '--dh', dh_path,
'--max-clients', str(max_clients), '--max-clients', str(max_clients),
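Review bot: `openvpn()` now passes `'--up', ovpn_client` for every tunnel, including the server side whose own `--up` entry is removed from `server()` below, so ovpn_client becomes the up-script for both roles and nothing in the file says so; a comment on the added line, `# ovpn_client is the --up script for server tunnels too (server() no longer sets its own)`, would record that. Dropping the positional `my_ip` parameter from `server()` means any caller not updated in this commit would bind its arguments to the wrong parameters silently; the only caller visible on this page (main()) is updated, but callers elsewhere cannot be confirmed from here. `openvpn()` starts outside the first hunk and `server()` continues past the second.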
...@@ -15,7 +15,6 @@ class Connection: ...@@ -15,7 +15,6 @@ class Connection:
'--tls-remote', '%u/%u' % (int(prefix, 2), len(prefix)), '--tls-remote', '%u/%u' % (int(prefix, 2), len(prefix)),
'--connect-retry-max', '3', '--tls-exit', '--connect-retry-max', '3', '--tls-exit',
'--ping-exit', str(timeout), '--ping-exit', str(timeout),
'--up', plib.ovpn_client,
'--route-up', '%s %u' % (plib.ovpn_client, write_pipe), '--route-up', '%s %u' % (plib.ovpn_client, write_pipe),
*ovpn_args) *ovpn_args)
self.iface = iface self.iface = iface
...@@ -32,9 +32,9 @@ def getConfig(): ...@@ -32,9 +32,9 @@ def getConfig():
_('-i', '--interface', action='append', dest='iface_list', default=[], _('-i', '--interface', action='append', dest='iface_list', default=[],
help="Extra interface for LAN discovery. Highly recommanded if there" help="Extra interface for LAN discovery. Highly recommanded if there"
" are other re6st node on the same network segment.") " are other re6st node on the same network segment.")
_('-I', '--main-interface', metavar='IFACE', _('-I', '--main-interface', metavar='IFACE', default='lo',
help="Set re6stnet IP on given interface. Any interface not used for" help="Set re6stnet IP on given interface. Any interface not used for"
" tunnelling can be chosen. (default: first OpenVPN interface)") " tunnelling can be chosen.")
_ = parser.add_argument_group('routing').add_argument _ = parser.add_argument_group('routing').add_argument
_('-B', dest='babel_args', metavar='ARG', action='append', default=[], _('-B', dest='babel_args', metavar='ARG', action='append', default=[],
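Review bot: The `-I/--main-interface` help text no longer mentions any default now that `default='lo'` is set, so a user reading `--help` cannot tell that the address lands on loopback unless they pass the option; argparse interpolates it, so `" tunnelling can be chosen. (default: %(default)s)"` keeps the help accurate without hard-coding the value. Because choosing `lo` also triggers the route workaround added in main(), a short hint that loopback is the default and needs no tunnel interface would help here too. getConfig() continues outside the hunk.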
...@@ -205,27 +205,24 @@ def main(): ...@@ -205,27 +205,24 @@ def main():
# prepare persistent interfaces # prepare persistent interfaces
if config.client: if config.client:
cleanup.append(plib.client('re6stnet', config.client, cleanup.append(plib.client('re6stnet', config.client,
config.encrypt, config.encrypt, '--ping-restart', str(timeout),
'--up', '%s %s' % (plib.ovpn_server, None
if config.main_interface else my_ip),
'--ping-restart', str(timeout),
*config.openvpn_args).kill) *config.openvpn_args).kill)
elif server_tunnels: elif server_tunnels:
required('dh') required('dh')
for iface, (port, proto) in server_tunnels.iteritems(): for iface, (port, proto) in server_tunnels.iteritems():
cleanup.append(plib.server(iface, None cleanup.append(plib.server(iface, config.max_clients,
if config.main_interface or proto != pp[0][1] config.dh, write_pipe, port, proto, config.encrypt,
else my_ip, config.max_clients, config.dh, write_pipe,
port, proto, config.encrypt,
'--ping-exit', str(timeout), *config.openvpn_args).kill) '--ping-exit', str(timeout), *config.openvpn_args).kill)
elif config.iface_list and not config.main_interface:
config.main_interface = config.iface_list[0]
else:
sys.exit("--client, --interface or --main-interface required"
" when --max-clients is 0")
if config.main_interface: ip('addr', my_ip, 'dev', config.main_interface)
ip('addr', my_ip, 'dev', config.main_interface) if config.main_interface == 'lo':
# WKRD: The kernel does not remove these routes on exit.
# The first one can be removed now.
del_rtr = ['ip', 'route', 'del', 'unreachable', 'fe80::/64',
'dev', 'lo']
subprocess.call(del_rtr)
del_rtr[4] = '%s/%u' % (utils.ipFromBin(subnet), len(subnet))
cleanup.append(lambda: subprocess.call(del_rtr))
# main loop # main loop
if tunnel_manager is None: if tunnel_manager is None:
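Review bot: The new `lo` branch runs the two `ip route del` commands through bare `subprocess.call` while the address one line above goes through the `ip()` helper; if `ip()` checks the exit status, bypassing it is presumably deliberate because the route may already be absent, and a comment should say so: `# best effort: the route may already be gone, so do not fail on a non-zero exit`. Rewriting `del_rtr[4]` in place to derive the cleanup command ties the code to the argument position; building the second list explicitly, `del_rtr = del_rtr[:4] + ['%s/%u' % (utils.ipFromBin(subnet), len(subnet)), 'dev', 'lo']`, is clearer and still captures the right list in the lambda. The former `sys.exit("--client, --interface or --main-interface required" ...)` guard is dropped, which follows from the new default, but a node with neither client nor server tunnels now depends entirely on `lo` being usable. main() starts and ends outside the hunk.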