lucaspalomodevelop/core
1
0
Fork 0
mirror of https://github.com/lucaspalomodevelop/core.git synced 2026-03-20 11:26:13 +00:00
Code Issues Packages Projects Releases Wiki Activity
core/src/opnsense/scripts/openvpn/kill_session.py
Ad Schellevis e9edb11535
VPN: OpenVPN: Instances (MVC) (#6584) 
* VPN: OpenVPN: Instances - add new module using the same approach as introduced for IPsec in 23.1. Since we likely can't easily migrate the old cruft, we better focus on offering the correct options for openvpn following upstream documentation.

o add boilerplate
o implement a solution to keep vpnid's unique so device creation for legacy and mvc can function in similar ways.
o add some of the main "helper" options for clients and servers
o Implement certificate logic, selecting a certificate also implies an authority (which we validate)
o hook CRL generation into the exising openvpn_refresh_crls() event
o attach already refactored authentication to new MVC as well, OpenVPN->getInstanceById() is responsible for feeding the data needed during authentication and overwrite generation.
o when in client mode and in need for a username+password combination, flush these to file and link in "auth-user-pass"
o routes (remote) and push routes (local), combine IPv4 and IPv6 for ease of administration,
o keep alive [push] ping-[restart] defined as seperate fields for validation
o add various "push" to client options in Miscellaneous section
o add "auth-gen-token" lifetime for https://github.com/opnsense/core/issues/6135
o allow selection of redirect-gateway type for https://github.com/opnsense/core/issues/6220
o move tls-auth/crypt into separate static keys objects (tab in instances page)
o hook existing events (ovpn_event.py) and make sure they locate the server using getServerById() when needed
o use getInstanceById in openvpn_prepare() to return both legacy as MVC device configuration
o add ovpn_service_control.php for service control [stop|start|restart|configure] and glue this in openvpn_services() via configd
o change openvpn_interfaces() to use isEnabled() method on the model to query if any (legacy/mvc) instances are enabled
o move openvpn_config() from openvpn.inc to widget and extend with MVC instances
o extend ovpn_status.py to parse "instance-" sockets as well, since the filename doesn't explain the role, we're using the status call to figure out the use. uuid's are keys in this case
o server_id type to str in kill_session.py so we can match either legacy or mvc sockets
o hook ExportController to OpenVPN model using getInstanceById() to glue the Client Export utility to both components
o extend connection status with mvc sessions (descriptions)

---------

Co-authored-by: Franco Fichtner <franco@opnsense.org>
2023-05-31 16:04:43 +02:00

85 lines
3.0 KiB
Python
Executable File
Raw Blame History

#!/usr/local/bin/python3
"""
Copyright (c) 2023 Ad Schellevis <ad@opnsense.org>
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
"""
import argparse
import glob
import socket
import re
import os
import ujson
socket.setdefaulttimeout(5)
def ovpn_cmd(filename, cmd):
try:
sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
sock.connect(filename)
except socket.error:
return None
sock.send(('%s\n'%cmd).encode())
buffer = ''
while True:
try:
buffer += sock.recv(65536).decode()
except socket.timeout:
break
eob = buffer[-200:]
if eob.find('END') > -1 or eob.find('ERROR') > -1 or eob.find('SUCCESS') > -1:
break
sock.close()
return buffer
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument('server_id', help='server/client id (where to find socket)', type=str)
parser.add_argument('session_id', help='session id (address+port) or common name')
args = parser.parse_args()
socket_name = None
for filename in glob.glob("/var/etc/openvpn/*.sock"):
basename = os.path.basename(filename)
if basename in [
'client%s.sock'%args.server_id, 'server%s.sock'%args.server_id, 'instance-%s.sock'%args.server_id
]:
socket_name = filename
break
if socket_name:
res = ovpn_cmd(socket_name, 'kill %s\n' % args.session_id)
if res.find('SUCCESS:') >= 0:
clients = 0
for tmp in res.strip().split('\n')[-1].split():
if tmp.isdigit():
clients = int(tmp)
print(ujson.encode({'status': 'killed', 'clients': clients}))
else:
print(ujson.encode({'status': 'not_found'}))
else:
print(ujson.encode({'status': 'server_not_found'}))
Reference in New Issue View Git Blame Copy Permalink