Commit f06ed8dc authored by David Johnson's avatar David Johnson

Add net30 and net30-mp (a /30 openvpn process for each aggregate) options.

parent 17a78ef3
......@@ -62,7 +62,10 @@ SCP="scp -p -o StrictHostKeyChecking=no"
# Our default configuration
#
CONCENTRATOR="con"
VPNTYPE="private-privaddr"
TOPO_SUBNET="subnet"
TOPO_NET30="net30"
TOPO_NET30MP="net30mp"
VPNTYPE="$TOPO_NET30MP"
VPN_NETWORK="192.168.254.0"
VPN_SERVER="192.168.254.1"
VPN_MASK="255.255.255.0"
......
......@@ -123,13 +123,40 @@ if [ ! -f $OURDIR/vpn-server-done ]; then
#
# Get openvpn setup and restarted.
#
if [ $VPNTYPE = 'routed-privaddr' ]; then
# First, ensure the openvpn systemd deps will be correct.
# Make sure we don't start the VPN until our network is up.
# This is sort of magical, but it works.
#
mkdir /etc/systemd/system/openvpn@.service.d
systemctl list-units | grep -q networking\.service
if [ $? -eq 0 ]; then
cat <<EOF >/etc/systemd/system/openvpn@.service.d/local-ifup.conf
[Unit]
Requires=networking.service
After=networking.service
EOF
else
systemctl list-units | grep -q network-online\.target
if [ $? -eq 0 ]; then
cat <<EOF >/etc/systemd/system/openvpn@.service.d/local-ifup.conf
[Unit]
Requires=network-online.target
After=network-online.target
EOF
fi
fi
systemctl daemon-reload
#
# Generate the server-side config file(s).
#
if [ $VPNTYPE = $TOPO_SUBNET -o $VPNTYPE = $TOPO_NET30 ]; then
cat <<EOF > /etc/openvpn/server.conf
local $con_conlink_IP
port 1194
proto udp
dev tun
topology subnet
topology $VPNTYPE
ca ca.crt
cert $CONCENTRATOR.crt
key $CONCENTRATOR.key
......@@ -160,47 +187,70 @@ EOF
echo "route $agg_net $agg_mask" >> /etc/openvpn/server.conf
done
elif [ $VPNTYPE = 'bridged' ]; then
echo "bridged VPNTYPE not yet supported!"
exit 1
elif [ $VPNTYPE = 'routed-pubaddr' ]; then
echo "routed-pubaddr VPNTYPE not yet supported!"
exit 1
fi
mkdir -p /etc/openvpn/ccd
#
# Get the server up
#
if [ ${HAVE_SYSTEMD} -eq 1 ]; then
# Make sure we don't start the VPN until our network is up.
# This is sort of magical, but it works.
mkdir /etc/systemd/system/openvpn@.service.d
systemctl list-units | grep -q networking\.service
if [ $? -eq 0 ]; then
cat <<EOF >/etc/systemd/system/openvpn@.service.d/local-ifup.conf
[Unit]
Requires=networking.service
After=networking.service
EOF
else
systemctl list-units | grep -q network-online\.target
if [ $? -eq 0 ]; then
cat <<EOF >/etc/systemd/system/openvpn@.service.d/local-ifup.conf
[Unit]
Requires=network-online.target
After=network-online.target
EOF
fi
fi
systemctl daemon-reload
systemctl enable openvpn@server.service
systemctl start openvpn@server.service
elif [ $VPNTYPE = $TOPO_NET30MP ]; then
# For each aggregate, add a separate server config file.
for aggprefix in $AGGREGATES ; do
agglan="${aggprefix}lan"
eval "varname=${aggprefix}_HOST"
eval "agghost=\$$varname"
eval "varname=${aggprefix}_GW"
eval "agg_gw=\$$varname"
eval "varname=${agglan}_NETWORK"
eval "agg_net=\$$varname"
eval "varname=${agglan}_MASK"
eval "agg_mask=\$$varname"
eval "varname=${agglan}_CIDR"
eval "agg_cidr=\$$varname"
aggnum=`echo $aggprefix | sed -n -r -e 's/^agg([0-9]+)$/\1/p'`
sport=`expr 1194 + $aggnum`
node="${agghost}${aggprefix}"
eval "varname=${aggprefix}_VPN_NETWORK"
eval "agg_vpn_net=\$$varname"
eval "varname=${aggprefix}_VPN_MASK"
eval "agg_vpn_mask=\$$varname"
cat <<EOF > /etc/openvpn/$node.conf
local $con_conlink_IP
port $sport
proto udp
dev tun-$aggprefix
topology net30
ca ca.crt
cert $CONCENTRATOR.crt
key $CONCENTRATOR.key
dh dh2048.pem
server $agg_vpn_net $agg_vpn_mask
client-config-dir /etc/openvpn/ccd
;client-to-client
;duplicate-cn
keepalive 10 120
$CONFIG_COMPRESS
$CONFIG_CRYPT
fragment 1468
mssfix 1468
persist-key
persist-tun
status openvpn-status.log
verb 3
push "route $mlan_NETWORK $mlan_MASK"
route $agg_net $agg_mask
EOF
systemctl daemon-reload
systemctl enable openvpn@$node.service
systemctl start openvpn@$node.service
done
else
service openvpn restart
echo "VPNTYPE '$VPNTYPE' not yet supported; aborting!"
exit 1
fi
mkdir -p /etc/openvpn/ccd
touch $OURDIR/vpn-server-done
fi
......@@ -222,6 +272,10 @@ for aggprefix in $AGGREGATES ; do
eval "varname=${agglan}_CIDR"
eval "agg_cidr=\$$varname"
aggnum=`echo $aggprefix | sed -n -r -e 's/^agg([0-9]+)$/\1/p'`
sport=1194
if [ $VPNTYPE = $TOPO_NET30MP ]; then
sport=`expr 1194 + $aggnum`
fi
node="${agghost}${aggprefix}"
if [ -f /etc/openvpn/ccd/$node ]; then
......@@ -251,7 +305,7 @@ for aggprefix in $AGGREGATES ; do
client
dev tun-$aggprefix
proto udp
remote $con_conlink_IP 1194
remote $con_conlink_IP $sport
resolv-retry infinite
nobind
persist-key
......
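Review bot: In the new net30mp branch each per-aggregate server is enabled and started inside the loop (`systemctl start openvpn@$node.service`) while `mkdir -p /etc/openvpn/ccd` now sits after the closing `fi`, so the `client-config-dir /etc/openvpn/ccd` line in every generated config names a directory that does not yet exist when the first processes come up; move `mkdir -p /etc/openvpn/ccd` above the `if`. The `expr 1194 + $aggnum` substitution (here, and again in the client-side loop further down where `sport` is set for net30mp) leaves `sport` empty when the sed pattern does not match, and `port $sport` is then written without a value; a guard such as `[ -n "$aggnum" ] || { echo "unexpected aggregate prefix '$aggprefix'"; exit 1; }` before it would fail loudly instead of producing a broken config. The systemd drop-in block at the top of the second hunk now appears to run without the `HAVE_SYSTEMD` test the old code had, and its `mkdir /etc/systemd/system/openvpn@.service.d` has no `-p`, so a re-run after a partial failure stops there; I cannot see from this page whether HAVE_SYSTEMD is still consulted elsewhere. The `$VPNTYPE` comparisons are unquoted, so an unset VPNTYPE turns `[ = net30mp ]` into a test syntax error rather than the "not yet supported" message; `"$VPNTYPE"` would reach the intended branch. The enclosing `if [ ! -f $OURDIR/vpn-server-done ]` block begins above these hunks.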
......@@ -225,10 +225,15 @@ clientvars = ClientVariables()
# Create a portal object,
pc = portal.Context()
TOPO_SUBNET = "subnet"
TOPO_NET30 = "net30"
TOPO_NET30MP = "net30mp"
pc.defineParameter(
"vpnType","VPN Type",portal.ParameterType.STRING,"routed-privaddr",
[("routed-privaddr","routed-privaddr"),("bridged","bridged"),],
# ("routed-pubaddr","routed-pubaddr")
"vpnType","VPN Type",portal.ParameterType.STRING,TOPO_NET30MP,
[(TOPO_SUBNET,TOPO_SUBNET),(TOPO_NET30,TOPO_NET30),
(TOPO_NET30MP,TOPO_NET30MP)],
# ("bridged","bridged")
longDescription="VPN Type. routed-privaddr means a routed L3 VPN whose link endpoints are constructed using private IP space. bridged means a bridged L2 VPN.")
pc.defineParameter(
"numAggregates","Number Aggregates",portal.ParameterType.INTEGER,2,
......@@ -328,12 +333,25 @@ if params.aggregateSubnetBitSize < 20 or params.aggregateSubnetBitSize > 29:
['aggregateSubnetBitSize']))
clientvars.addVariable("VPNTYPE",params.vpnType)
clientvars.addVariable("VPN_NETWORK","192.168.254.0")
clientvars.addVariable("VPN_MASK","255.255.255.0")
clientvars.addVariable("VPN_BITS",24)
clientvars.addVariable("VPN_NETWORK","192.168.248.0")
clientvars.addVariable("VPN_MASK","255.255.248.0")
clientvars.addVariable("VPN_BITS",21)
clientvars.addVariable("VPN_COMPRESSION",params.vpnCompression)
clientvars.addVariable("VPN_CIPHER",params.vpnCipher)
if params.vpnType == TOPO_NET30MP:
ipaVPN = IPAssign(baseaddr=[192,168,248,4],basebits=21,allowed_subnets=[30])
for i in range(1,params.numAggregates+1):
ipaVPN.request_network("agg%d" % (i,),1)
ipaVPN.assign_networks()
for i in range(1,params.numAggregates+1):
name = "agg%d" % (i,)
clientvars.addVariable(name + "_VPN_MASK",ipaVPN.get_network_mask(name))
clientvars.addVariable(name + "_VPN_CIDR",ipaVPN.get_network_cidr(name))
clientvars.addVariable(name + "_VPN_BITS",ipaVPN.get_network_bits(name))
clientvars.addVariable(name + "_VPN_NETWORK",ipaVPN.get_network(name))
pass
# Create a Request object to start building the RSpec.
request = pc.makeRequestRSpec()
......
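Review bot: The `longDescription` on the vpnType parameter, unchanged below the new choice list, still explains routed-privaddr and bridged, neither of which is offered any more, while subnet, net30 and net30mp are left undescribed; suggest `longDescription="VPN Type. subnet and net30 are OpenVPN topologies served by one server process; net30mp runs a separate net30 server process, on its own port and /30 link subnet, for each aggregate."`. The per-aggregate /30s are carved from 192.168.248.4 inside the same 192.168.248.0/21 that is now exported unconditionally as VPN_NETWORK/VPN_MASK; a one-line comment above the `IPAssign(...)` call stating that the two ranges are meant to coincide (and why the base starts at .4 rather than .0) would save the next reader from treating it as an overlap bug, since I cannot tell from here which of the two the net30mp path consumes. As a point of style, the trailing `pass` after the second loop is dead, and `"agg%d" % (i,)` is recomputed in both loops; computing `names = ["agg%d" % i for i in range(1, params.numAggregates + 1)]` once and iterating it twice would serve both.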