From 4a9fe8e917100d5476dc14ca865f3de6cafe1b52 Mon Sep 17 00:00:00 2001
From: Izhikov Matvey
Date: Mon, 6 Jan 2025 16:01:37 +0400
Subject: [PATCH 1/6] openvpn-user: added migrate command

---
 setup/configure.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup/configure.sh b/setup/configure.sh
index a9299a5..3f57722 100644
--- a/setup/configure.sh
+++ b/setup/configure.sh
@@ -48,7 +48,7 @@ if [ ${OVPN_PASSWD_AUTH} = "true" ]; then
 echo "auth-user-pass-verify /etc/openvpn/scripts/auth.sh via-file" | tee -a /etc/openvpn/openvpn.conf
 echo "script-security 2" | tee -a /etc/openvpn/openvpn.conf
 echo "verify-client-cert require" | tee -a /etc/openvpn/openvpn.conf
-openvpn-user db-init --db.path=$EASY_RSA_LOC/pki/users.db
+openvpn-user db-init --db.path=$EASY_RSA_LOC/pki/users.db && openvpn-user db-migrate --db.path=$EASY_RSA_LOC/pki/users.db
 fi
 
 [ -d $EASY_RSA_LOC/pki ] && chmod 755 $EASY_RSA_LOC/pki

From e7599db1bf9f5d5fb86689b3b166fab3859d2e21 Mon Sep 17 00:00:00 2001
From: Izhikov Matvey
Date: Mon, 6 Jan 2025 16:02:50 +0400
Subject: [PATCH 2/6] added desc for --auth.db-init flag end env variable

---
 README.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 05a84d5..d154a3c 100644
--- a/README.md
+++ b/README.md
@@ -157,7 +157,10 @@ Flags:
 --auth.db="./easyrsa/pki/users.db"
 (or OVPN_AUTH_DB_PATH) database path for password authorization
-
+
+--auth.db-init
+(or OVPN_AUTH_DB_INIT) enable database init if user db not exists or size is 0
+
 --log.level
 set log level: trace, debug, info, warn, error (default info)
 (or LOG_LEVEL)

From 51f35a0b15f703173855c37f603827a79610a1da Mon Sep 17 00:00:00 2001
From: Izhikov Matvey
Date: Mon, 6 Jan 2025 16:22:02 +0400
Subject: [PATCH 3/6] Added formatting for defining API endpoints + changed the order of importing libraries

---
 main.go | 45 +++++++++++++++++++++++----------------------
 1 file changed, 23 insertions(+), 22 deletions(-)

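Review bot: The exit status of the `db-init && db-migrate` chain on the added line is discarded, so a failed db-init silently skips db-migrate and the script continues to the chmod below with an uninitialised or unmigrated users.db; password authentication then fails only when the first client connects. Unless configure.sh runs under `set -e` (not visible in the hunk), make the failure fatal at this point, e.g. `... && openvpn-user db-migrate --db.path=$EASY_RSA_LOC/pki/users.db || { echo "openvpn-user db-init/db-migrate failed" >&2; exit 1; }`. The `$EASY_RSA_LOC` expansions on the same line are unquoted, which is pre-existing but worth quoting while the line is being touched. The `if` block closes inside the hunk; the rest of the script is outside it.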
diff --git a/main.go b/main.go
index faf75ec..dadd06c 100644
--- a/main.go
+++ b/main.go
@@ -9,11 +9,7 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
-	"github.com/google/uuid"
 	"io/ioutil"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/rest"
 	"net"
 	"net/http"
 	"os"
@@ -25,6 +21,11 @@ import (
 	"time"
 	"unicode/utf8"
 
+	"github.com/google/uuid"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+
 	"github.com/gobuffalo/packr/v2"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
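Review bot: The relocated uuid/k8s imports in the second hunk form their own blank-line-delimited group ahead of the existing packr/prometheus group, with no criterion that distinguishes the two (all are third-party modules); goimports sorts each blank-separated group independently, so the split survives formatting and the same kind of import lives in two places. Dropping the added blank `+` line after `"k8s.io/client-go/rest"` and letting goimports sort the merged group keeps the file in the stdlib / third-party layout that the first hunk establishes. Both hunks are inside the `import (` block, whose closing parenthesis is outside the hunk.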
@@ -558,27 +559,27 @@ func main() {
 	static := CacheControlWrapper(http.FileServer(staticBox))
 	http.Handle(*listenBaseUrl, http.StripPrefix(strings.TrimRight(*listenBaseUrl, "/"), static))
 
-	http.HandleFunc(*listenBaseUrl + "api/server/settings", ovpnAdmin.serverSettingsHandler)
-	http.HandleFunc(*listenBaseUrl + "api/users/list", ovpnAdmin.userListHandler)
-	http.HandleFunc(*listenBaseUrl + "api/user/create", ovpnAdmin.userCreateHandler)
-	http.HandleFunc(*listenBaseUrl + "api/user/change-password", ovpnAdmin.userChangePasswordHandler)
-	http.HandleFunc(*listenBaseUrl + "api/user/rotate", ovpnAdmin.userRotateHandler)
-	http.HandleFunc(*listenBaseUrl + "api/user/delete", ovpnAdmin.userDeleteHandler)
-	http.HandleFunc(*listenBaseUrl + "api/user/revoke", ovpnAdmin.userRevokeHandler)
-	http.HandleFunc(*listenBaseUrl + "api/user/unrevoke", ovpnAdmin.userUnrevokeHandler)
-	http.HandleFunc(*listenBaseUrl + "api/user/config/show", ovpnAdmin.userShowConfigHandler)
-	http.HandleFunc(*listenBaseUrl + "api/user/disconnect", ovpnAdmin.userDisconnectHandler)
-	http.HandleFunc(*listenBaseUrl + "api/user/statistic", ovpnAdmin.userStatisticHandler)
-	http.HandleFunc(*listenBaseUrl + "api/user/ccd", ovpnAdmin.userShowCcdHandler)
-	http.HandleFunc(*listenBaseUrl + "api/user/ccd/apply", ovpnAdmin.userApplyCcdHandler)
+	http.HandleFunc(*listenBaseUrl+"api/server/settings", ovpnAdmin.serverSettingsHandler)
+	http.HandleFunc(*listenBaseUrl+"api/users/list", ovpnAdmin.userListHandler)
+	http.HandleFunc(*listenBaseUrl+"api/user/create", ovpnAdmin.userCreateHandler)
+	http.HandleFunc(*listenBaseUrl+"api/user/change-password", ovpnAdmin.userChangePasswordHandler)
+	http.HandleFunc(*listenBaseUrl+"api/user/rotate", ovpnAdmin.userRotateHandler)
+	http.HandleFunc(*listenBaseUrl+"api/user/delete", ovpnAdmin.userDeleteHandler)
+	http.HandleFunc(*listenBaseUrl+"api/user/revoke", ovpnAdmin.userRevokeHandler)
+	http.HandleFunc(*listenBaseUrl+"api/user/unrevoke", ovpnAdmin.userUnrevokeHandler)
+	http.HandleFunc(*listenBaseUrl+"api/user/config/show", ovpnAdmin.userShowConfigHandler)
+	http.HandleFunc(*listenBaseUrl+"api/user/disconnect", ovpnAdmin.userDisconnectHandler)
+	http.HandleFunc(*listenBaseUrl+"api/user/statistic", ovpnAdmin.userStatisticHandler)
+	http.HandleFunc(*listenBaseUrl+"api/user/ccd", ovpnAdmin.userShowCcdHandler)
+	http.HandleFunc(*listenBaseUrl+"api/user/ccd/apply", ovpnAdmin.userApplyCcdHandler)
 
-	http.HandleFunc(*listenBaseUrl + "api/sync/last/try", ovpnAdmin.lastSyncTimeHandler)
-	http.HandleFunc(*listenBaseUrl + "api/sync/last/successful", ovpnAdmin.lastSuccessfulSyncTimeHandler)
-	http.HandleFunc(*listenBaseUrl + downloadCertsApiUrl, ovpnAdmin.downloadCertsHandler)
-	http.HandleFunc(*listenBaseUrl + downloadCcdApiUrl, ovpnAdmin.downloadCcdHandler)
+	http.HandleFunc(*listenBaseUrl+"api/sync/last/try", ovpnAdmin.lastSyncTimeHandler)
+	http.HandleFunc(*listenBaseUrl+"api/sync/last/successful", ovpnAdmin.lastSuccessfulSyncTimeHandler)
+	http.HandleFunc(*listenBaseUrl+downloadCertsApiUrl, ovpnAdmin.downloadCertsHandler)
+	http.HandleFunc(*listenBaseUrl+downloadCcdApiUrl, ovpnAdmin.downloadCcdHandler)
 
 	http.Handle(*metricsPath, promhttp.HandlerFor(ovpnAdmin.promRegistry, promhttp.HandlerOpts{}))
 
-	http.HandleFunc(*listenBaseUrl + "ping", func(w http.ResponseWriter, r *http.Request) {
+	http.HandleFunc(*listenBaseUrl+"ping", func(w http.ResponseWriter, r *http.Request) {
 		fmt.Fprintf(w, "pong")
 	})

From f9afd195c070e92b20845cc317f5ffd1e8b17892 Mon Sep 17 00:00:00 2001
From: Izhikov Matvey
Date: Mon, 6 Jan 2025 16:22:58 +0400
Subject: [PATCH 4/6] Fixed typos in the --db.path key when calling the openvpn-user command

---
 main.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/main.go b/main.go
index dadd06c..1a8e538 100644
--- a/main.go
+++ b/main.go
@@ -1054,7 +1054,7 @@ func (oAdmin *OvpnAdmin) userRevoke(username string) (error, string) {
 	}
 
 	if *authByPassword {
-		o := runBash(fmt.Sprintf("openvpn-user revoke --db-path %s --user %s", *authDatabase, username))
+		o := runBash(fmt.Sprintf("openvpn-user revoke --db.path %s --user %s", *authDatabase, username))
 		log.Debug(o)
 	}
 
@@ -1116,7 +1116,7 @@ func (oAdmin *OvpnAdmin) userUnrevoke(username string) (error, string) {
 	_ = runBash(fmt.Sprintf("cd %s && %s gen-crl 1>/dev/null", *easyrsaDirPath, *easyrsaBinPath))
 
 	if *authByPassword {
-		o := runBash(fmt.Sprintf("openvpn-user restore --db-path %s --user %s", *authDatabase, username))
+		o := runBash(fmt.Sprintf("openvpn-user restore --db.path %s --user %s", *authDatabase, username))
 		log.Debug(o)
 	}
 

From 2ed4fdb369bf2d2402a11408c0eb86530833bdc2 Mon Sep 17 00:00:00 2001
From: Izhikov Matvey
Date: Mon, 6 Jan 2025 16:24:43 +0400
Subject: [PATCH 5/6] Added a new parameter authDataBaseInit for initializing the openvpn user database, added the DB initialization function and its call when initializing the ovpn-admin server if the auth.db-init flag is true

---
 main.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/main.go b/main.go
index 1a8e538..fd08df4 100644
--- a/main.go
+++ b/main.go
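Review bot: The corrected `openvpn-user revoke --db.path %s --user %s` line still assembles a shell command string from `username` and `*authDatabase` with fmt.Sprintf and hands it to runBash; the typo fix keeps that shape, and the userUnrevoke hunk below has the same pattern with `restore`. If `username` is not validated against a strict character set before userRevoke/userUnrevoke are reached (any such validation is outside these hunks), characters with shell meaning in a name become part of the executed command, so that check is worth confirming and the call is better expressed as an argument vector, `exec.Command("openvpn-user", "revoke", "--db.path", *authDatabase, "--user", username)`, which needs no escaping at all. The output is only logged at debug level and no exit status is examined, so a revoke that fails in the password database goes unnoticed while the certificate has already been revoked, leaving the two stores out of step. Both functions start and end outside the hunks.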
@@ -72,6 +72,7 @@ var (
 	ccdTemplatePath = kingpin.Flag("templates.ccd-path", "path to custom ccd.tpl").Default("").Envar("OVPN_TEMPLATES_CCD_PATH").String()
 	authByPassword = kingpin.Flag("auth.password", "enable additional password authentication").Default("false").Envar("OVPN_AUTH").Bool()
 	authDatabase = kingpin.Flag("auth.db", "database path for password authentication").Default("./easyrsa/pki/users.db").Envar("OVPN_AUTH_DB_PATH").String()
+	authDataBaseInit = kingpin.Flag("auth.db-init", "enable database initialization if db user not exists or size is 0").Default("false").Envar("OVPN_AUTH_DB_INIT").Bool()
 	logLevel = kingpin.Flag("log.level", "set log level: trace, debug, info, warn, error (default info)").Default("info").Envar("LOG_LEVEL").String()
 	logFormat = kingpin.Flag("log.format", "set log format: text, json (default text)").Default("text").Envar("LOG_FORMAT").String()
 	storageBackend = kingpin.Flag("storage.backend", "storage backend: filesystem, kubernetes.secrets (default filesystem)").Default("filesystem").Envar("STORAGE_BACKEND").String()
@@ -505,6 +506,10 @@ func main() {
 		*indexTxtPath = *easyrsaDirPath + "/pki/index.txt"
 	}
 
+	if *authDataBaseInit {
+		ovpnUserInitDb()
+	}
+
 	ovpnAdmin := new(OvpnAdmin)
 	ovpnAdmin.lastSyncTime = "unknown"
@@ -1502,6 +1507,13 @@ func unArchiveCcd() {
 	}
 }
 
+func ovpnUserInitDb() {
+	if fi, err := os.Stat(*authDatabase); errors.Is(err, os.ErrNotExist) || fi.Size() == 0 {
+		i := runBash(fmt.Sprintf("openvpn-user --db.path %[1]s db-init && openvpn-user --db.path %[1]s db-migrate", *authDatabase))
+		log.Debug(i)
+	}
+}
+
 func (oAdmin *OvpnAdmin) syncDataFromMaster() {
 	retryCountMax := 3
 	certsDownloadFailed := true

From 756cb096c9a37b37255dfa747d2a9a695a3de45d Mon Sep 17 00:00:00 2001
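Review bot: The new variable `authDataBaseInit` spells the word differently from the neighbouring `authDatabase` and `authByPassword` it sits between; `authDatabaseInit` keeps the group consistent and greppable. The help string `"enable database initialization if db user not exists or size is 0"` reads as if a user might be missing, whereas README.md in this series says "user db not exists"; `"initialize the password database if it does not exist or is empty"` states the same condition unambiguously and matches the README. The `var (` block continues outside the hunk.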
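Review bot: `fi.Size()` in the added `if` of ovpnUserInitDb dereferences a nil FileInfo whenever os.Stat fails with anything other than ErrNotExist (permission denied, a dangling symlink, an unreadable parent directory): `errors.Is` is false in those cases, Go then evaluates the right operand of `||`, and `fi` is nil on every error, so the process panics at startup instead of reporting the stat error. The rewrite below separates the three outcomes and reports a stat failure through the logger at error level (written assuming the logger is logrus-like, as the existing `log.Debug` suggests; adjust the call if it is not) rather than hiding it; runBash's own error reporting is outside the hunk, so its return is still only logged at debug level. Because `*authDatabase` comes from an operator-controlled flag or environment variable, the shell interpolation is lower risk than user input, but an argv-based `exec.Command` would still remove the dependency on quoting. The call in the second hunk of main() runs regardless of `*authByPassword`; if the database is only read when password authentication is enabled, gating the call on that flag avoids creating a database that nothing consults.
```go
func ovpnUserInitDb() {
	fi, err := os.Stat(*authDatabase)
	switch {
	case err == nil && fi.Size() != 0:
		// Database present and non-empty: nothing to initialize.
		return
	case err != nil && !errors.Is(err, os.ErrNotExist):
		// Any other stat failure is a configuration problem, not a missing file.
		log.Errorf("stat auth database %s: %v", *authDatabase, err)
		return
	}
	// Missing or zero-length database: create the schema, then apply migrations.
	i := runBash(fmt.Sprintf("openvpn-user --db.path %[1]s db-init && openvpn-user --db.path %[1]s db-migrate", *authDatabase))
	log.Debug(i)
}
```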
From: Izhikov Matvey
Date: Mon, 6 Jan 2025 16:25:47 +0400
Subject: [PATCH 6/6] Changed the "status" command to "status 1" for the mgmt interface of the openvpn server for correct parsing of the status of active clients and routes

---
 main.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.go b/main.go
index fd08df4..f2a5cb8 100644
--- a/main.go
+++ b/main.go
@@ -1346,7 +1346,7 @@ func (oAdmin *OvpnAdmin) mgmtGetActiveClients() []clientStatus {
 			break
 		}
 		oAdmin.mgmtRead(conn) // read welcome message
-		conn.Write([]byte("status\n"))
+		conn.Write([]byte("status 1\n"))
 		activeClients = append(activeClients, oAdmin.mgmtConnectedUsersParser(oAdmin.mgmtRead(conn), srv)...)
 		conn.Close()
 	}
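Review bot: The return values of `conn.Write([]byte("status 1\n"))` are still discarded on the changed line, so a failed or short write is followed by `mgmtRead(conn)` on a connection that never received the command, and the parser is fed whatever (if anything) arrives, yielding an empty or partial client list for that server with no log entry; `if _, err := conn.Write([]byte("status 1\n")); err != nil { log.Warnf("mgmt %s: write status: %v", srv, err); conn.Close(); continue }` — or the exit path the surrounding loop already uses, since the `break` above is its only visible one — would make that failure observable. Explicitly requesting format 1 also pins `mgmtConnectedUsersParser` to that output layout, which deserves a one-line comment on the write, e.g. `// status 1: request status format 1, the layout mgmtConnectedUsersParser expects`. The enclosing loop and the function start outside the hunk, so whether a read/write deadline is set on `conn` cannot be seen here; if none is, a stalled management socket blocks this call indefinitely.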