diff options
Diffstat (limited to 'pkg/standalone')
-rw-r--r-- | pkg/standalone/bonafide.go | 311 | ||||
-rw-r--r-- | pkg/standalone/bonafide_integration_test.go | 58 | ||||
-rw-r--r-- | pkg/standalone/bonafide_test.go | 100 | ||||
-rw-r--r-- | pkg/standalone/launcher.go | 97 | ||||
-rw-r--r-- | pkg/standalone/launcher_linux.go | 139 | ||||
-rw-r--r-- | pkg/standalone/main.go | 80 | ||||
-rw-r--r-- | pkg/standalone/status.go | 91 | ||||
-rw-r--r-- | pkg/standalone/testdata/cert | 54 | ||||
-rw-r--r-- | pkg/standalone/testdata/eip-service.json | 113 | ||||
-rw-r--r-- | pkg/standalone/vpn.go | 156 |
10 files changed, 1199 insertions, 0 deletions
diff --git a/pkg/standalone/bonafide.go b/pkg/standalone/bonafide.go new file mode 100644 index 0000000..c4d588e --- /dev/null +++ b/pkg/standalone/bonafide.go @@ -0,0 +1,311 @@ +// Copyright (C) 2018 LEAP +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License +// along with this program. If not, see <http://www.gnu.org/licenses/>. + +package standalone + +import ( + "crypto/tls" + "crypto/x509" + "encoding/json" + "fmt" + "io" + "io/ioutil" + "log" + "math/rand" + "net/http" + "sort" + "strconv" + "strings" + "time" +) + +const ( + certAPI = "https://api.black.riseup.net/1/cert" + eipAPI = "https://api.black.riseup.net/1/config/eip-service.json" + geolocationAPI = "https://api.black.riseup.net:9001/json" + secondsPerHour = 60 * 60 +) + +var ( + caCert = []byte(`-----BEGIN CERTIFICATE----- +MIIFjTCCA3WgAwIBAgIBATANBgkqhkiG9w0BAQ0FADBZMRgwFgYDVQQKDA9SaXNl +dXAgTmV0d29ya3MxGzAZBgNVBAsMEmh0dHBzOi8vcmlzZXVwLm5ldDEgMB4GA1UE +AwwXUmlzZXVwIE5ldHdvcmtzIFJvb3QgQ0EwHhcNMTQwNDI4MDAwMDAwWhcNMjQw +NDI4MDAwMDAwWjBZMRgwFgYDVQQKDA9SaXNldXAgTmV0d29ya3MxGzAZBgNVBAsM +Emh0dHBzOi8vcmlzZXVwLm5ldDEgMB4GA1UEAwwXUmlzZXVwIE5ldHdvcmtzIFJv +b3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC76J4ciMJ8Sg0m +TP7DF2DT9zNe0Csk4myoMFC57rfJeqsAlJCv1XMzBmXrw8wq/9z7XHv6n/0sWU7a +7cF2hLR33ktjwODlx7vorU39/lXLndo492ZBhXQtG1INMShyv+nlmzO6GT7ESfNE +LliFitEzwIegpMqxCIHXFuobGSCWF4N0qLHkq/SYUMoOJ96O3hmPSl1kFDRMtWXY +iw1SEKjUvpyDJpVs3NGxeLCaA7bAWhDY5s5Yb2fA1o8ICAqhowurowJpW7n5ZuLK +5VNTlNy6nZpkjt1QycYvNycffyPOFm/Q/RKDlvnorJIrihPkyniV3YY5cGgP+Qkx +HUOT0uLA6LHtzfiyaOqkXwc4b0ZcQD5Vbf6Prd20Ppt6ei0zazkUPwxld3hgyw58 +m/4UIjG3PInWTNf293GngK2Bnz8Qx9e/6TueMSAn/3JBLem56E0WtmbLVjvko+LF +PM5xA+m0BmuSJtrD1MUCXMhqYTtiOvgLBlUm5zkNxALzG+cXB28k6XikXt6MRG7q +hzIPG38zwkooM55yy5i1YfcIi5NjMH6A+t4IJxxwb67MSb6UFOwg5kFokdONZcwj +shczHdG9gLKSBIvrKa03Nd3W2dF9hMbRu//STcQxOailDBQCnXXfAATj9pYzdY4k +ha8VCAREGAKTDAex9oXf1yRuktES4QIDAQABo2AwXjAdBgNVHQ4EFgQUC4tdmLVu +f9hwfK4AGliaet5KkcgwDgYDVR0PAQH/BAQDAgIEMAwGA1UdEwQFMAMBAf8wHwYD +VR0jBBgwFoAUC4tdmLVuf9hwfK4AGliaet5KkcgwDQYJKoZIhvcNAQENBQADggIB +AGzL+GRnYu99zFoy0bXJKOGCF5XUXP/3gIXPRDqQf5g7Cu/jYMID9dB3No4Zmf7v +qHjiSXiS8jx1j/6/Luk6PpFbT7QYm4QLs1f4BlfZOti2KE8r7KRDPIecUsUXW6P/ +3GJAVYH/+7OjA39za9AieM7+H5BELGccGrM5wfl7JeEz8in+V2ZWDzHQO4hMkiTQ +4ZckuaL201F68YpiItBNnJ9N5nHr1MRiGyApHmLXY/wvlrOpclh95qn+lG6/2jk7 +3AmihLOKYMlPwPakJg4PYczm3icFLgTpjV5sq2md9bRyAg3oPGfAuWHmKj2Ikqch +Td5CHKGxEEWbGUWEMP0s1A/JHWiCbDigc4Cfxhy56CWG4q0tYtnc2GMw8OAUO6Wf +Xu5pYKNkzKSEtT/MrNJt44tTZWbKV/Pi/N2Fx36my7TgTUj7g3xcE9eF4JV2H/sg +tsK3pwE0FEqGnT4qMFbixQmc8bGyuakr23wjMvfO7eZUxBuWYR2SkcP26sozF9PF +tGhbZHQVGZUTVPyvwahMUEhbPGVerOW0IYpxkm0x/eaWdTc4vPpf/rIlgbAjarnJ +UN9SaWRlWKSdP4haujnzCoJbM7dU9bjvlGZNyXEekgeT0W2qFeGGp+yyUWw8tNsp +0BuC1b7uW/bBn/xKm319wXVDvBgZgcktMolak39V7DVO +-----END CERTIFICATE-----`) +) + +type bonafide struct { + client httpClient + tzOffsetHours int + eip *eipService + defaultGateway string +} + +type httpClient interface { + Post(url, contentType string, body io.Reader) (resp *http.Response, err error) +} + +type eipService struct { + Gateways []gateway + Locations map[string]struct { + CountryCode string + Hemisphere string + Name string + Timezone string + } + OpenvpnConfiguration map[string]interface{} `json:"openvpn_configuration"` +} + +type gateway struct { + Capabilities struct { + Ports []string + Protocols []string + } + Host string + IPAddress string `json:"ip_address"` + Location string +} + +type gatewayDistance struct { + gateway gateway + distance int +} + +type geoLocation struct { + IPAddress string `json:"ip"` + Country string `json:"cc"` + City string `json:"city"` + Latitude float64 `json:"lat"` + Longitude float64 `json:"lon"` + SortedGateways []string `json:"gateways"` +} + +func newBonafide() *bonafide { + certs := x509.NewCertPool() + certs.AppendCertsFromPEM(caCert) + client := &http.Client{ + Transport: &http.Transport{ + TLSClientConfig: &tls.Config{ + RootCAs: certs, + }, + }, + } + _, tzOffsetSeconds := time.Now().Zone() + tzOffsetHours := tzOffsetSeconds / secondsPerHour + + return &bonafide{ + client: client, + tzOffsetHours: tzOffsetHours, + eip: nil, + defaultGateway: "", + } +} + +func (b *bonafide) getCertPem() ([]byte, error) { + resp, err := b.client.Post(certAPI, "", nil) + if err != nil { + return nil, err + } + defer resp.Body.Close() + if resp.StatusCode != 200 { + return nil, fmt.Errorf("get vpn cert has failed with status: %s", resp.Status) + } + + return ioutil.ReadAll(resp.Body) +} + +func (b *bonafide) getGateways() ([]gateway, error) { + if b.eip == nil { + err := b.fetchEipJSON() + if err != nil { + return nil, err + } + } + + return b.eip.Gateways, nil +} + +func (b *bonafide) setDefaultGateway(name string) { + b.defaultGateway = name + b.sortGateways() +} + +func (b *bonafide) getOpenvpnArgs() ([]string, error) { + if b.eip == nil { + err := b.fetchEipJSON() + if err != nil { + return nil, err + } + } + + args := []string{} + for arg, value := range b.eip.OpenvpnConfiguration { + switch v := value.(type) { + case string: + args = append(args, "--"+arg) + args = append(args, strings.Split(v, " ")...) + case bool: + if v { + args = append(args, "--"+arg) + } + default: + log.Printf("Unknown openvpn argument type: %s - %v", arg, value) + } + } + return args, nil +} + +func (b *bonafide) fetchGeolocation() ([]string, error) { + resp, err := b.client.Post(geolocationAPI, "", nil) + if err != nil { + return nil, err + } + defer resp.Body.Close() + if resp.StatusCode != 200 { + return nil, fmt.Errorf("get geolocation failed with status: %s", resp.Status) + } + + geo := &geoLocation{} + dataJSON, err := ioutil.ReadAll(resp.Body) + err = json.Unmarshal(dataJSON, &geo) + if err != nil { + _ = fmt.Errorf("get vpn cert has failed with status: %s", resp.Status) + return nil, err + } + + return geo.SortedGateways, nil + +} + +func (b *bonafide) fetchEipJSON() error { + resp, err := b.client.Post(eipAPI, "", nil) + if err != nil { + return err + } + defer resp.Body.Close() + if resp.StatusCode != 200 { + return fmt.Errorf("get eip json has failed with status: %s", resp.Status) + } + + var eip eipService + decoder := json.NewDecoder(resp.Body) + err = decoder.Decode(&eip) + if err != nil { + return err + } + + b.eip = &eip + b.sortGateways() + return nil +} + +func (b *bonafide) sortGatewaysByGeolocation(geolocatedGateways []string) []gatewayDistance { + gws := []gatewayDistance{} + + for i, host := range geolocatedGateways { + for _, gw := range b.eip.Gateways { + if gw.Host == host { + gws = append(gws, gatewayDistance{gw, i}) + } + } + } + return gws +} + +func (b *bonafide) sortGatewaysByTimezone() []gatewayDistance { + gws := []gatewayDistance{} + + for _, gw := range b.eip.Gateways { + distance := 13 + if gw.Location == b.defaultGateway { + distance = -1 + } else { + gwOffset, err := strconv.Atoi(b.eip.Locations[gw.Location].Timezone) + if err != nil { + log.Printf("Error sorting gateways: %v", err) + } else { + distance = tzDistance(b.tzOffsetHours, gwOffset) + } + } + gws = append(gws, gatewayDistance{gw, distance}) + } + rand.Seed(time.Now().UnixNano()) + cmp := func(i, j int) bool { + if gws[i].distance == gws[j].distance { + return rand.Intn(2) == 1 + } + return gws[i].distance < gws[j].distance + } + sort.Slice(gws, cmp) + return gws +} + +func (b *bonafide) sortGateways() { + gws := []gatewayDistance{} + + geolocatedGateways, _ := b.fetchGeolocation() + + if len(geolocatedGateways) > 0 { + gws = b.sortGatewaysByGeolocation(geolocatedGateways) + } else { + log.Printf("Falling back to timezone heuristic for gateway selection") + gws = b.sortGatewaysByTimezone() + } + + for i, gw := range gws { + b.eip.Gateways[i] = gw.gateway + } +} + +func tzDistance(offset1, offset2 int) int { + abs := func(x int) int { + if x < 0 { + return -x + } + return x + } + distance := abs(offset1 - offset2) + if distance > 12 { + distance = 24 - distance + } + return distance +} diff --git a/pkg/standalone/bonafide_integration_test.go b/pkg/standalone/bonafide_integration_test.go new file mode 100644 index 0000000..5beb8aa --- /dev/null +++ b/pkg/standalone/bonafide_integration_test.go @@ -0,0 +1,58 @@ +// +build integration +// Copyright (C) 2018 LEAP +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License +// along with this program. If not, see <http://www.gnu.org/licenses/>. + +package standalone + +import ( + "bytes" + "testing" +) + +var ( + privateKeyHeader = []byte("-----BEGIN RSA PRIVATE KEY-----") + certHeader = []byte("-----BEGIN CERTIFICATE-----") +) + +func TestIntegrationGetCert(t *testing.T) { + b := newBonafide() + cert, err := b.getCertPem() + if err != nil { + t.Fatal("getCert returned an error: ", err) + } + + if !bytes.Contains(cert, privateKeyHeader) { + t.Errorf("No private key present: \n%q", cert) + } + + if !bytes.Contains(cert, certHeader) { + t.Errorf("No cert present: \n%q", cert) + } +} + +func TestGetGateways(t *testing.T) { + b := newBonafide() + gateways, err := b.getGateways() + if err != nil { + t.Fatal("getGateways returned an error: ", err) + } + + for _, gw := range gateways { + if gw.IPAddress == "5.79.86.180" { + return + } + } + t.Errorf("5.79.86.180 not in the list") +} diff --git a/pkg/standalone/bonafide_test.go b/pkg/standalone/bonafide_test.go new file mode 100644 index 0000000..7bfcaa0 --- /dev/null +++ b/pkg/standalone/bonafide_test.go @@ -0,0 +1,100 @@ +// Copyright (C) 2018 LEAP +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License +// along with this program. If not, see <http://www.gnu.org/licenses/>. + +package standalone + +import ( + "io" + "io/ioutil" + "net/http" + "os" + "reflect" + "testing" +) + +const ( + certPath = "testdata/cert" + eipPath = "testdata/eip-service.json" +) + +type client struct { + path string +} + +func (c client) Post(url, contentType string, body io.Reader) (resp *http.Response, err error) { + f, err := os.Open(c.path) + return &http.Response{ + Body: f, + StatusCode: 200, + }, err +} + +func TestGetCert(t *testing.T) { + b := bonafide{client: client{certPath}} + cert, err := b.getCertPem() + if err != nil { + t.Fatal("getCert returned an error: ", err) + } + + f, err := os.Open(certPath) + if err != nil { + t.Fatal("Can't open ", certPath, ": ", err) + } + defer f.Close() + + certData, err := ioutil.ReadAll(f) + if err != nil { + t.Fatal("Can't read all: ", err) + } + if !reflect.DeepEqual(certData, cert) { + t.Errorf("cert doesn't match") + } +} + +func TestGatewayTzLocation(t *testing.T) { + // tzOffset -> location + values := map[int]string{ + -12: "c", + -10: "a", + -5: "a", + -3: "a", + -1: "b", + 0: "b", + 2: "b", + 5: "c", + 8: "c", + 12: "c", + } + + for tzOffset, location := range values { + b := bonafide{ + client: client{eipPath}, + tzOffsetHours: tzOffset, + } + gateways, err := b.getGateways() + if err != nil { + t.Errorf("getGateways returned an error: %v", err) + continue + } + if len(gateways) < 4 { + t.Errorf("Wrong number of gateways: %d", len(gateways)) + continue + + } + if gateways[0].Location != location { + t.Errorf("Wrong location for tz %d: %s, expected: %s", tzOffset, gateways[0].Location, location) + } + } +} diff --git a/pkg/standalone/launcher.go b/pkg/standalone/launcher.go new file mode 100644 index 0000000..4dc4761 --- /dev/null +++ b/pkg/standalone/launcher.go @@ -0,0 +1,97 @@ +// +build !linux +// Copyright (C) 2018 LEAP +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License +// along with this program. If not, see <http://www.gnu.org/licenses/>. + +package standalone + +import ( + "bytes" + "encoding/json" + "fmt" + "io" + "io/ioutil" + "net/http" +) + +const ( + helperAddr = "http://localhost:7171" +) + +type launcher struct { +} + +func newLauncher() (*launcher, error) { + return &launcher{}, nil +} + +func (l *launcher) close() error { + return nil +} + +func (l *launcher) openvpnStart(flags ...string) error { + byteFlags, err := json.Marshal(flags) + if err != nil { + return err + } + return l.send("/openvpn/start", byteFlags) +} + +func (l *launcher) openvpnStop() error { + return l.send("/openvpn/stop", nil) +} + +func (l *launcher) firewallStart(gateways []gateway) error { + ipList := make([]string, len(gateways)) + for i, gw := range gateways { + ipList[i] = gw.IPAddress + } + byteIPs, err := json.Marshal(ipList) + if err != nil { + return err + } + return l.send("/firewall/start", byteIPs) +} + +func (l *launcher) firewallStop() error { + return l.send("/firewall/stop", nil) +} + +func (l *launcher) firewallIsUp() bool { + res, err := http.Post(helperAddr+"/firewall/isup", "", nil) + if err != nil { + return false + } + defer res.Body.Close() + + return res.StatusCode == http.StatusOK +} + +func (l *launcher) send(path string, body []byte) error { + var reader io.Reader + if body != nil { + reader = bytes.NewReader(body) + } + res, err := http.Post(helperAddr+path, "", reader) + if err != nil { + return err + } + defer res.Body.Close() + + resErr, err := ioutil.ReadAll(res.Body) + if len(resErr) > 0 { + return fmt.Errorf("Helper returned an error: %q", resErr) + } + return err +} diff --git a/pkg/standalone/launcher_linux.go b/pkg/standalone/launcher_linux.go new file mode 100644 index 0000000..672eb1f --- /dev/null +++ b/pkg/standalone/launcher_linux.go @@ -0,0 +1,139 @@ +// +build linux +// Copyright (C) 2018 LEAP +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License +// along with this program. If not, see <http://www.gnu.org/licenses/>. + +package standalone + +import ( + "errors" + "log" + "os" + "os/exec" +) + +const ( + systemOpenvpnPath = "/usr/sbin/openvpn" + snapOpenvpnPath = "/snap/bin/riseup-vpn.openvpn" +) + +var bitmaskRootPaths = []string{ + "/usr/sbin/bitmask-root", + "/usr/local/sbin/bitmask-root", +} + +type launcher struct { + openvpnCh chan []string +} + +func newLauncher() (*launcher, error) { + l := launcher{make(chan []string, 1)} + go l.openvpnRunner() + return &l, nil +} + +func (l *launcher) close() error { + return nil +} + +func (l *launcher) openvpnStart(flags ...string) error { + log.Println("openvpn start: ", flags) + arg := []string{"openvpn", "start", getOpenvpnPath()} + arg = append(arg, flags...) + l.openvpnCh <- arg + return nil +} + +func (l *launcher) openvpnStop() error { + l.openvpnCh <- nil + log.Println("openvpn stop") + return runBitmaskRoot("openvpn", "stop") +} + +func (l *launcher) firewallStart(gateways []gateway) error { + log.Println("firewall start") + arg := []string{"firewall", "start"} + for _, gw := range gateways { + arg = append(arg, gw.IPAddress) + } + return runBitmaskRoot(arg...) +} + +func (l *launcher) firewallStop() error { + log.Println("firewall stop") + return runBitmaskRoot("firewall", "stop") +} + +func (l *launcher) firewallIsUp() bool { + err := runBitmaskRoot("firewall", "isup") + return err == nil +} + +func (l *launcher) openvpnRunner(arg ...string) { + running := false + runOpenvpn := func(arg []string) { + for running { + err := runBitmaskRoot(arg...) + if err != nil { + log.Printf("An error ocurred running openvpn: %v", err) + } + } + } + + for arg := range l.openvpnCh { + if arg == nil { + running = false + } else { + running = true + go runOpenvpn(arg) + } + } +} + +func runBitmaskRoot(arg ...string) error { + bitmaskRoot, err := bitmaskRootPath() + if err != nil { + return err + } + arg = append([]string{bitmaskRoot}, arg...) + + cmd := exec.Command("pkexec", arg...) + err = cmd.Run() + if err != nil { + return err + } + return nil +} + +func bitmaskRootPath() (string, error) { + if os.Getenv("SNAP") != "" { + path := "/snap/bin/riseup-vpn.bitmask-root" + if _, err := os.Stat(path); !os.IsNotExist(err) { + return path, nil + } + } + for _, path := range bitmaskRootPaths { + if _, err := os.Stat(path); !os.IsNotExist(err) { + return path, nil + } + } + return "", errors.New("No bitmask-root found") +} + +func getOpenvpnPath() string { + if os.Getenv("SNAP") != "" { + return snapOpenvpnPath + } + return systemOpenvpnPath +} diff --git a/pkg/standalone/main.go b/pkg/standalone/main.go new file mode 100644 index 0000000..f7e1976 --- /dev/null +++ b/pkg/standalone/main.go @@ -0,0 +1,80 @@ +// Copyright (C) 2018 LEAP +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License +// along with this program. If not, see <http://www.gnu.org/licenses/>. + +package standalone + +import ( + "io/ioutil" + "log" + "os" + + "github.com/apparentlymart/go-openvpn-mgmt/openvpn" +) + +// Bitmask holds the bitmask client data +type Bitmask struct { + tempdir string + statusCh chan string + managementClient *openvpn.MgmtClient + bonafide *bonafide + launch *launcher +} + +// Init the connection to bitmask +func Init() (*Bitmask, error) { + statusCh := make(chan string, 10) + tempdir, err := ioutil.TempDir("", "leap-") + if err != nil { + return nil, err + } + bonafide := newBonafide() + launch, err := newLauncher() + if err != nil { + return nil, err + } + b := Bitmask{tempdir, statusCh, nil, bonafide, launch} + + err = b.StopVPN() + if err != nil { + return nil, err + } + err = ioutil.WriteFile(b.getCaCertPath(), caCert, 0600) + + go b.openvpnManagement() + return &b, err +} + +// GetStatusCh returns a channel that will recieve VPN status changes +func (b *Bitmask) GetStatusCh() <-chan string { + return b.statusCh +} + +// Close the connection to bitmask +func (b *Bitmask) Close() { + b.StopVPN() + err := b.launch.close() + if err != nil { + log.Printf("There was an error closing the launcher: %v", err) + } + err = os.RemoveAll(b.tempdir) + if err != nil { + log.Printf("There was an error removing temp dir: %v", err) + } +} + +// Version gets the bitmask version string +func (b *Bitmask) Version() (string, error) { + return "", nil +} diff --git a/pkg/standalone/status.go b/pkg/standalone/status.go new file mode 100644 index 0000000..42c4687 --- /dev/null +++ b/pkg/standalone/status.go @@ -0,0 +1,91 @@ +// Copyright (C) 2018 LEAP +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License +// along with this program. If not, see <http://www.gnu.org/licenses/>. + +package standalone + +import ( + "fmt" + "log" + + "github.com/apparentlymart/go-openvpn-mgmt/openvpn" +) + +const ( + On = "on" + Off = "off" + Starting = "starting" + Stopping = "stopping" + Failed = "failed" +) + +var statusNames = map[string]string{ + "CONNECTING": Starting, + "WAIT": Starting, + "AUTH": Starting, + "GET_CONFIG": Starting, + "ASSIGN_IP": Starting, + "ADD_ROUTES": Starting, + "CONNECTED": On, + "RECONNECTING": Starting, + "EXITING": Stopping, + "OFF": Off, + "FAILED": Off, +} + +func (b *Bitmask) openvpnManagement() { + // TODO: we should warn the user on ListenAndServe errors + newConnection := func(conn openvpn.IncomingConn) { + eventCh := make(chan openvpn.Event, 10) + log.Println("New connection into the management") + b.managementClient = conn.Open(eventCh) + b.managementClient.SetStateEvents(true) + b.eventHandler(eventCh) + } + log.Fatal(openvpn.ListenAndServe( + fmt.Sprintf("%s:%s", openvpnManagementAddr, openvpnManagementPort), + openvpn.IncomingConnHandlerFunc(newConnection), + )) +} + +func (b *Bitmask) eventHandler(eventCh <-chan openvpn.Event) { + // TODO: we are reporing only openvpn status, missing firewall status + for event := range eventCh { + log.Printf("Event: %v", event) + stateEvent, ok := event.(*openvpn.StateEvent) + if !ok { + continue + } + status, ok := statusNames[stateEvent.NewState()] + if ok { + b.statusCh <- status + } + } + b.statusCh <- Off +} + +func (b *Bitmask) getOpenvpnState() (string, error) { + if b.managementClient == nil { + return "", fmt.Errorf("No management connected") + } + stateEvent, err := b.managementClient.LatestState() + if err != nil { + return "", err + } + status, ok := statusNames[stateEvent.NewState()] + if !ok { + return "", fmt.Errorf("Unkonw status") + } + return status, nil +} diff --git a/pkg/standalone/testdata/cert b/pkg/standalone/testdata/cert new file mode 100644 index 0000000..4968b3f --- /dev/null +++ b/pkg/standalone/testdata/cert @@ -0,0 +1,54 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEA3TQAmZs9U6e1xqQqVWkb132AGXdaO97bsXPOrrKUp63hKeXD +2OQbmG96H3COi0uubVFQT1cAmpuym2COtgahQlnv42p0u2CYsBqfrCHw3iSK7nf6 +Q8RaG2oUIvlQj5m4DUk1wfRBgG5z0pN2HwFWmgheoT0RnOelTO3vcLCaSJA6PF4M +Wehg5ScXi9wr0vibKsANpqab3oUxcHEYcNcKfJKRnXryJx6ctLrRp1WPv3JAXLnn +oUtQ00S0dSHrLED5yPwGFV08q4bkv54qFai2cPO8ITReC6BpvrilBzOjT6fjCmzm +6MCwBot7aRHYcWJgfp7H2b2S7T2qhnC4c2u6mwIDAQABAoIBAFue83SsOS2SNJdv +Xd18qLyLzeg+aFCOET8h8YSokSwWuEGLWqBWcxujaNjm3RPTKA89c9848RYY0VTM +HLBGdLqv183BRVJrQzMGBAbfFA5e4nC9nxo8lPnv6SFHVNf12qceILcSPaM9nJmm +3HEhM8afGtr8GXR8+hmwH9H0RCMzXIjO1//WrY3nfOP8LRuQpSnnhsfZRyngWhot +xsJlDP5plFNw7J/PDLtbjnbOXOktv0fhhq7aWR+A+0s0627r7Tidk1YoNwusYJeB +uKrzNW1+c7Z9xl2yvMQ6+0Wry7A5YUVYP/BakYb/f/skB4ox/zz8vcWeQ4ShZ7m6 +LwPN0ckCgYEA+9wjSBbOlksath3QrJywikD1sQYFOdNrINTBFQnuipKOYKLJNhQM +OzKHY1OiO7G6FcEvz9gKYMpMyMOs8TsISyKPNOXLpnwpgIUx6WRo6qxgEuyWLpBb +Q3Kodl1a/q51dw56pPDEATKjSB1CjXXzm717m5FimH5csPKj9SzrGecCgYEA4Nbb +QML1Jh9cu7TvlK3WqbAFJa4Mx/0+OQ+5xlhbs/ygn3/AZiSsPWdNK11XJ25jgGJw +AucXr/kHgwJX23kFpCYB3zZE0Vh/hOqk/KlUFmptuADIDOAVst0v8MqBLZpZessN +TXph5VBT6P51Oz/ZLC67uno02R1vUhDMB5VCyy0CgYEAoriZuuuxUXz4pw0gU0Vw +8gICOvsuySuFHVMX5GXkTnddsaW65kuRk3WT72KLgJHVLlUAdQKZwesyLMvvonOH +ajPL3ltRdiDmF3j2xFnxRx1TfSaJ6U+vBya/HKo4Li+9CMy8BHDh0fxLbj4pT4gT +el2zzNDjqK6LaG976t24j6UCgYEAyTD5uRW7cIWX4Y+i4xQ7hlQwBuucHEkMKNtd +jZL7XC+vO4qBi+U9CyUo9KjtmCc7emKbgL1xgNICWsT6ATZmSeCIxEg3hG0Ajtu5 +Dy4mRHiv/XsViA/s2sT6ZSmQNlJrx2lzWeUtPJmIvHEWThJwLw0Sh2dbavzf5DuL +ly2FO3ECgYEA5AKnPQo45I+abEA/zKHsKHCqBPEbIaZpJJTaiInrsLiGJf+WzN4N +zr/VAzvY+v0X5RgZmROY5ZLPVf2fTeVNzU5WzoB78hHOI67YI2Sbq7jZlatOgX4z +Ur2BQdT0bW6VINYpDLUvS4goW5p0nQbGItdk69yyef1v3NDbCJ/Sg+Q= +-----END RSA PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIEnDCCAoSgAwIBAgIRAJzr5xxPLgDD+drzU+5p8cgwDQYJKoZIhvcNAQELBQAw +dTEYMBYGA1UECgwPUmlzZXVwIE5ldHdvcmtzMRswGQYDVQQLDBJodHRwczovL3Jp +c2V1cC5uZXQxPDA6BgNVBAMMM1Jpc2V1cCBOZXR3b3JrcyBSb290IENBIChjbGll +bnQgY2VydGlmaWNhdGVzIG9ubHkhKTAeFw0xODEwMjMwMDAwMDBaFw0xOTAxMjMw +MDAwMDBaMC0xKzApBgNVBAMMIlVOTElNSVRFRDVmbzdsMmxiY3g0OWR5ZzR5MWY4 +YXN3YXcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDdNACZmz1Tp7XG +pCpVaRvXfYAZd1o73tuxc86uspSnreEp5cPY5BuYb3ofcI6LS65tUVBPVwCam7Kb +YI62BqFCWe/janS7YJiwGp+sIfDeJIrud/pDxFobahQi+VCPmbgNSTXB9EGAbnPS +k3YfAVaaCF6hPRGc56VM7e9wsJpIkDo8XgxZ6GDlJxeL3CvS+JsqwA2mppvehTFw +cRhw1wp8kpGdevInHpy0utGnVY+/ckBcueehS1DTRLR1IessQPnI/AYVXTyrhuS/ +nioVqLZw87whNF4LoGm+uKUHM6NPp+MKbObowLAGi3tpEdhxYmB+nsfZvZLtPaqG +cLhza7qbAgMBAAGjbzBtMB0GA1UdDgQWBBRwXpI96PjilFPrkK+CHUPia++ISTAL +BgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwCQYDVR0TBAIwADAfBgNV +HSMEGDAWgBQX9BvV5SoBAU1rol02CikJlmWARjANBgkqhkiG9w0BAQsFAAOCAgEA +ryNFLixuicVRepocY2lTSY0cpG0eRmLuYJGupk9KeiLA5YEFzl4ZfXJLi+9UHoUR +Bgfe6QYLBb77nO24CoeiMJQw6s593ctMLiMU++fjew31gNp6aA9DmvbLd+fNuLyO +XObRtGw99M37cyf3ZS2SEbTBr4NBp/r3OCyUYsxPYKOzEkr9kNYa8ZZSI960i7/R +/aiq2qemQaOQHTlmrhcBuARJoRVVlLnn2zgLSVm6ptbFLNtAk0lWriUT/WlRmn8j +Cyn/JOuo/1wtrK1dHkaXr8bkEq1oFQzcwMN85hrZKWU0BCehELZtiUg8grqaX/sf +/jaXD61FEqWjIXeGqY/K6ruosZCw2R8sQYzTuQNHMjxmx+J3pch7dMmJPbmA3HW2 +nA7yVp51SX8iZ26zb40S7GG6RNesU+BZxz05XVLt1GwyLx/uNxS4rFpKAT/+ifWG +3Y1j1lMqBxx6RbuqiM1TWqU7Xtzu3hf8ytP5qP7kudXn1TyNtpZCIrzbTXbLnYiD +nH4ZQEWGyAKBOz41eOcG6EXn0TznSGE593ueXBeFnsym7i9MjoOWNGaJ7UbkipfX +FzxirlY5IRkWnmHCL0wGUg6YGnZ1OQ8VBBGb/dBPRMDwA7zWvoM7+3yDLR3aRaLH +mTQzNzu3jy6CRdlpIUcPRcgbniySip1jJrHRYBui+9w= +-----END CERTIFICATE----- diff --git a/pkg/standalone/testdata/eip-service.json b/pkg/standalone/testdata/eip-service.json new file mode 100644 index 0000000..d5f2413 --- /dev/null +++ b/pkg/standalone/testdata/eip-service.json @@ -0,0 +1,113 @@ +{ + "gateways": [ + { + "capabilities": { + "adblock": false, + "filter_dns": false, + "limited": false, + "ports": [ + "443" + ], + "protocols": [ + "tcp" + ], + "transport": [ + "openvpn" + ], + "user_ips": false + }, + "host": "1.example.com", + "ip_address": "1.1.1.1", + "location": "a" + }, + { + "capabilities": { + "adblock": false, + "filter_dns": false, + "limited": false, + "ports": [ + "443" + ], + "protocols": [ + "tcp" + ], + "transport": [ + "openvpn" + ], + "user_ips": false + }, + "host": "2.example.com", + "ip_address": "2.2.2.2", + "location": "b" + }, + { + "capabilities": { + "adblock": false, + "filter_dns": false, + "limited": false, + "ports": [ + "443" + ], + "protocols": [ + "tcp" + ], + "transport": [ + "openvpn" + ], + "user_ips": false + }, + "host": "3.example.com", + "ip_address": "3.3.3.3", + "location": "b" + }, + { + "capabilities": { + "adblock": false, + "filter_dns": false, + "limited": false, + "ports": [ + "443" + ], + "protocols": [ + "tcp" + ], + "transport": [ + "openvpn" + ], + "user_ips": false + }, + "host": "4.example.com", + "ip_address": "4.4.4.4", + "location": "c" + } + ], + "locations": { + "a": { + "country_code": "AA", + "hemisphere": "N", + "name": "a", + "timezone": "-5" + }, + "b": { + "country_code": "BB", + "hemisphere": "S", + "name": "b", + "timezone": "+1" + }, + "c": { + "country_code": "CC", + "hemisphere": "N", + "name": "c", + "timezone": "+8" + } + }, + "openvpn_configuration": { + "auth": "SHA1", + "cipher": "AES-128-CBC", + "keepalive": "10 30", + "tls-cipher": "DHE-RSA-AES128-SHA", + "tun-ipv6": true + }, + "serial": 1, + "version": 1 +} diff --git a/pkg/standalone/vpn.go b/pkg/standalone/vpn.go new file mode 100644 index 0000000..941d444 --- /dev/null +++ b/pkg/standalone/vpn.go @@ -0,0 +1,156 @@ +// Copyright (C) 2018 LEAP +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License +// along with this program. If not, see <http://www.gnu.org/licenses/>. + +package standalone + +import ( + "io/ioutil" + "os" + "path" +) + +const ( + openvpnManagementAddr = "127.0.0.1" + openvpnManagementPort = "6061" +) + +// StartVPN for provider +func (b *Bitmask) StartVPN(provider string) error { + gateways, err := b.bonafide.getGateways() + if err != nil { + return err + } + certPemPath, err := b.getCert() + if err != nil { + return err + } + + err = b.launch.firewallStart(gateways) + if err != nil { + return err + } + + arg, err := b.bonafide.getOpenvpnArgs() + if err != nil { + return err + } + for _, gw := range gateways { + arg = append(arg, "--remote", gw.IPAddress, "443", "tcp4") + } + arg = append(arg, + "--verb", "1", + "--management-client", + "--management", openvpnManagementAddr, openvpnManagementPort, + "--ca", b.getCaCertPath(), + "--cert", certPemPath, + "--key", certPemPath) + return b.launch.openvpnStart(arg...) +} + +func (b *Bitmask) getCert() (certPath string, err error) { + certPath = b.getCertPemPath() + + if _, err := os.Stat(certPath); os.IsNotExist(err) { + cert, err := b.bonafide.getCertPem() + if err != nil { + return "", err + } + err = ioutil.WriteFile(certPath, cert, 0600) + } + + return certPath, err +} + +// StopVPN or cancel +func (b *Bitmask) StopVPN() error { + err := b.launch.firewallStop() + if err != nil { + return err + } + return b.launch.openvpnStop() +} + +// ReloadFirewall restarts the firewall +func (b *Bitmask) ReloadFirewall() error { + err := b.launch.firewallStop() + if err != nil { + return err + } + + status, err := b.GetStatus() + if err != nil { + return err + } + + if status != Off { + gateways, err := b.bonafide.getGateways() + if err != nil { + return err + } + return b.launch.firewallStart(gateways) + } + return nil +} + +// GetStatus returns the VPN status +func (b *Bitmask) GetStatus() (string, error) { + status, err := b.getOpenvpnState() + if err != nil { + status = Off + } + if status == Off && b.launch.firewallIsUp() { + return Failed, nil + } + return status, nil +} + +// InstallHelpers into the system +func (b *Bitmask) InstallHelpers() error { + // TODO + return nil +} + +// VPNCheck returns if the helpers are installed and up to date and if polkit is running +func (b *Bitmask) VPNCheck() (helpers bool, priviledge bool, err error) { + // TODO + return true, true, nil +} + +// ListGateways return the names of the gateways +func (b *Bitmask) ListGateways(provider string) ([]string, error) { + gateways, err := b.bonafide.getGateways() + if err != nil { + return nil, err + } + gatewayNames := make([]string, len(gateways)) + for i, gw := range gateways { + gatewayNames[i] = gw.Location + } + return gatewayNames, nil +} + +// UseGateway selects name as the default gateway +func (b *Bitmask) UseGateway(name string) error { + b.bonafide.setDefaultGateway(name) + return nil +} + +func (b *Bitmask) getCertPemPath() string { + return path.Join(b.tempdir, "openvpn.pem") +} + +func (b *Bitmask) getCaCertPath() string { + return path.Join(b.tempdir, "cacert.pem") +} |