[Openvpn-users] small feature suggestion


  • Subject: [Openvpn-users] small feature suggestion
  • From: "Earl A.Killian" <openvpn@xxxxxxxxxxxxxxxxx>
  • Date: Sat, 5 Feb 2005 07:19:38 -0800 (PST)

 > Date: Fri, 04 Feb 2005 14:04:02 +1100
 > From: Nik <openvpn@xxxxxxxxxxxxxxxxxxx>
 > 
 > Another is to build a script that generates or modifies a base script.

In case it helps:

I use perlpp to generate the config files.  Perlpp is just a simple
syntactic preprocessor that turns straight text with embedded perl code
into perl code that is executed to produce an output.  All lines that
don't begin with semicolon turn into print statements, and semicolon
lines turn into executed perl code.  In addition backtick can be used
to substitute values into non-semi lines.  I like this because it lets
me put tunnel parameters in one place (a tunnel definition file)
instead of two places that can get out of sync (client and server
.conf files).  For dual-boot machines I even have it generate a .conf
for the Linux and a .ovpn for the XP.  Note the use of `$slash` in the
following example to get the pathnames right.

It was a bit complicated to set up originally, but now it is easy to
add new machines and update them (e.g. handling OpenVPN version
changes is much simpler).  Perhaps some of OpenVPN 2.0's features will
make this less necessary.  Right now I'm only using 2.0 on XP clients
because of the SP2 issue with 1.6.  Once 2.0 ships with the standard
Linux distros I'll switch my servers to it and see how much things
simplify.  I suspect some perlpp templating will still be useful.

Here is a sample tunnel definition file (short and sweet compared to
an OpenVPN .conf file):

#
# Format is
#   client server [option=value ...]
#
# huckle's tunnels
#
rasp	huckle	net=10.1.2.0/24  clientping=15
straw	huckle	net=10.1.3.0/24  clientping=15
blue	huckle	net=10.1.10.0/24 clientping=15 tun-mtu=1500 tun-mtu-extra=32 mssfix=1450 key-method=2
bil	huckle	net=10.1.11.0/24 clientping=15
#
# rasp's tunnels
#
straw	rasp	net=10.2.3.0/24 clientping=15
blue	rasp	net=10.2.10.0/24 clientping=15 tun-mtu=1500 tun-mtu-extra=32 mssfix=1450 key-method=2
bil	rasp	net=10.2.11.0/24 clientping=15

Here is the core of the perlpp template for the generated .conf files:

#
# OpenVPN configuration file for the `$localhost->name` to `$remotehost->name` tunnel
# using SSL/TLS mode and RSA certificates/keys.
#

# Use a fixed tun device.
dev `$local->dev`
; if (defined($localhost->internetip)) {
;   my $behindnat = $localhost->behindnat;
;   if (!defined($behindnat) || $behindnat == 0) {

# Our Internet interface
local `$localhost->internetip->dottedaddr32`
;   } elsif (ref($behindnat) eq 'EAK::IP::v4') {

# Our Internet interface
local `$behindnat->dottedaddr32`
;   }
; }

# Local UDP port for packet transport
lport `$local->port`
; if (defined($remotehost->internetip)) {

# Internet address of `$remotehost->fqdn`
remote `$remotehost->internetip->dottedaddr32`
; }

# Remote UDP port for packet transport
rport `$remote->port`

#
# Tunnel parameters (must be the same on both sides)
#
; if (my $udpmtu = $t->udpmtu) {

udp-mtu `$udpmtu`
; }
; if (my $tunmtu = $t->tunmtu) {

tun-mtu `$tunmtu`
; }
; if (my $tunmtuextra = $t->tunmtuextra) {

tun-mtu-extra `$tunmtuextra`
; }
; if (my $mssfix = $t->mssfix) {

mssfix `$mssfix`
; }
; if (my $keymethod = $t->keymethod) {

key-method `$keymethod`
; }
; if ($t->complzo) {

# Enable compression
comp-lzo
;   if ($t->compadapt == 0) {

# Don't adaptively turn compression off
comp-noadapt
;   }
; }

# Choose encryption algorithm
cipher `$t->cipher`

# Choose digest algorithm
auth `$t->auth`

# `$local->ip->dottedaddr32` is `$localhost->name`'s VPN endpoint for this tunnel
# `$remote->ip->dottedaddr32` is `$remotehost->name`'s VPN endpoint for this tunnel
ifconfig `$local->ip->dottedaddr32` `$remote->ip->dottedaddr32`

#
# Authentication/encryption
#
; if ($::gen eq 'server') {

# In SSL/TLS key exchange, `$localhost->name` will assume server role and `$remotehost->name`
# will assume client role.
tls-server
tls-verify `$verify`,`$host{$::client}->fqdn`

# Diffie-Hellman Parameters (tls-server only)
dh /etc/openvpn/dh2048.pem
; } else {

# In SSL/TLS key exchange, `$remotehost->name` will assume server role and `$localhost->name`
# will assume client role.
tls-client
tls-verify `$verify`,`$remotehost->fqdn`
; }

# Certificate Authority file
ca `$certdir``$slash`cacert.org.pem

# Our certificate/public key
cert `$certdir``$slash``$local->host->fqdn`.pem

# Our private key
key `$keydir``$slash``$local->host->fqdn`.key
; if (defined($localos) && $localos =~ /\bLinux\b/) {

# Downgrade UID and GID to "openvpn" after initialization for extra security.
;   if (my $user = $localhost->openvpnuser) {
user `$user`
;   }
;   if (my $group = $localhost->openvpngroup) {
group `$group`
;   }
; }
; if (my $ping = $local->ping) {

# Send a UDP ping to remote once every `$ping` seconds to keep
# stateful firewall connection alive.
ping `$ping`
; }
; if ($localhost->openvpnversioncheck('1.5')) {

#
# Routes
#
;   if ($::gen eq 'server') {
;     my $net = $t->net;
route `$net->dottedaddr32` `$net->dottedmask` `$remote->ip->dottedaddr32`
;   }
;   my $gw = $remote->ip;
;   if (defined($gw)) {
;     foreach my $net ($remotehost->nets) {
route `$net->dottedaddr32` `$net->dottedmask` `$gw->dottedaddr32`
;     } # foreach net
;   }
; }

# Verbosity level.
; if ($localhost->openvpnversioncheck('1.5')) {
# 0 -- no output except fatal errors
# 1 -- show startup information + connection initiated messages
#      + non-fatal encryption & net errors
# 2 -- show SSL/TLS negotiations
# 3 -- show extra SSL/TLS information
# 4 -- show all parameter settings
# 5 -- Output R and W characters to console for each packet read and write
# 6-11 -- show debug info of increasing verbosity
; } else {
# 0 -- quiet except for fatal errors.
# 1 -- mostly quiet.
# 5 -- medium output, good for normal operation.
# 8 -- verbose, good for troubleshooting
; }
verb `$localhost->openvpnversioncheck('1.5') ? 4 : 5`

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
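The following is an added illustration of the approach described in the post above; it is not perlpp itself and not the poster's own generator. It re-implements the three rules the post names (semicolon lines are Perl, other lines are printed, backticks substitute values) in about thirty lines, parses the `client server option=value ...` record format shown in the post, and renders one server-role and one client-role config from the same record so the "must be the same on both sides" parameters cannot drift apart. The template and the `%E` hash it reads are simplifications assumed here in place of the poster's host and tunnel objects; the record is constructed from the post's `blue huckle` line.

```perl
#!/usr/bin/perl
# Minimal perlpp-style preprocessor (added example, not the real perlpp):
#   ';' lines  -> Perl code, semicolon stripped
#   other lines -> print statements, with `expr` replaced by the value of expr
use strict;
use warnings;

# Translate a template into Perl source (the "syntactic preprocessor" step).
sub pp_translate {
    my ($template) = @_;
    my $code = '';
    for my $line (split /\n/, $template) {
        if ($line =~ /^;(.*)$/) { $code .= "$1\n"; next; }     # raw Perl line
        my @parts = split /`/, $line, -1;                       # text`expr`text...
        die "unbalanced backticks in: $line\n" if @parts % 2 == 0;
        my @terms;
        for my $i (0 .. $#parts) {
            if ($i % 2) { push @terms, "($parts[$i])"; }        # expression piece
            else {
                (my $lit = $parts[$i]) =~ s/([\\'])/\\$1/g;     # quote text piece
                push @terms, "'$lit'";
            }
        }
        $code .= 'print ' . join(' . ', @terms) . ", \"\\n\";\n";
    }
    return $code;
}

# Run a template with the variables in $env visible as %E; return its output.
sub pp_run {
    my ($template, $env) = @_;
    my %E = %$env;                      # seen by the string eval below
    my $out = '';
    open my $fh, '>', \$out or die "cannot open in-memory file: $!";
    my $oldfh = select $fh;
    eval pp_translate($template);
    select $oldfh;
    close $fh;
    die "template error: $@" if $@;
    return $out;
}

# Parse the post's record format: "client server [option=value ...]".
sub parse_tunnels {
    my ($text) = @_;
    my @tunnels;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(#|$)/;                           # comments, blanks
        my ($client, $server, @opts) = split ' ', $line;
        my %t = (client => $client, server => $server);
        for my $opt (@opts) {
            my ($k, $v) = split /=/, $opt, 2;
            die "bad option '$opt' in: $line\n" unless defined $v;
            $t{$k} = $v;
        }
        push @tunnels, \%t;
    }
    return @tunnels;
}

# Simplified template (assumed here; the post's real one is far longer).
my $template = <<'TPL';
# OpenVPN configuration for the `$E{local}` to `$E{remote}` tunnel
dev tun
; if ($E{role} eq 'server') {
tls-server
; } else {
tls-client
remote `$E{remote}`
; }
; # Parameters that must match on both sides come from the one tunnel record.
; for my $opt (qw(tun-mtu tun-mtu-extra mssfix key-method)) {
;   if (defined $E{t}{$opt}) {
`$opt` `$E{t}{$opt}`
;   }
; }
; if ($E{role} eq 'client' && defined $E{t}{clientping}) {
ping `$E{t}{clientping}`
; }
TPL

# Render the server-role and client-role configs from one record.
sub generate_pair {
    my ($t) = @_;
    my %files;
    for my $role (qw(server client)) {
        my ($local, $remote) = $role eq 'server'
            ? ($t->{server}, $t->{client}) : ($t->{client}, $t->{server});
        $files{$role} = pp_run($template,
            { role => $role, local => $local, remote => $remote, t => $t });
    }
    return \%files;
}

# Constructed record, taken from the post's sample definition file.
my $defs = <<'DEFS';
# client server [option=value ...]
blue  huckle  net=10.1.10.0/24 clientping=15 tun-mtu=1500 tun-mtu-extra=32 mssfix=1450 key-method=2
DEFS

for my $t (parse_tunnels($defs)) {
    my $files = generate_pair($t);
    print "### $t->{$_}.conf ($_ role)\n$files->{$_}\n" for qw(server client);
}
```

Both generated files carry identical `tun-mtu`, `tun-mtu-extra`, `mssfix` and `key-method` lines because they are read from the same `%E{t}` record, which is the single-source-of-truth benefit the post is after; only the role-dependent lines (`tls-server` versus `tls-client`, `remote`, `ping`) differ.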