From 2cfb65fda648e7ff30d3e0c94b37eab7adb82c9b Mon Sep 17 00:00:00 2001 From: Jeremie Dimino Date: Thu, 28 Feb 2008 13:38:15 +0100 Subject: [PATCH] Conf d'openvpn darcs-hash:20080228123815-af139-45398677dde47cc2e86282788c93252d7c6d3fa0.gz --- Bundler/openvpn.xml | 17 +++++++ Cfg/etc/openvpn/main.down/info.xml | 3 ++ Cfg/etc/openvpn/main.down/main.down | 11 ++++ Cfg/etc/openvpn/main.up/info.xml | 3 ++ Cfg/etc/openvpn/main.up/main.up | 10 ++++ Cfg/etc/openvpn/rescue.down/info.xml | 3 ++ Cfg/etc/openvpn/rescue.down/rescue.down | 10 ++++ Cfg/etc/openvpn/rescue.up/info.xml | 3 ++ Cfg/etc/openvpn/rescue.up/rescue.up | 11 ++++ Metadata/groups.xml | 67 +++++++++++++++---------- Python/etc/default/openvpn | 8 +++ Python/etc/openvpn/external.conf | 30 +++++++++++ Python/etc/openvpn/main.conf | 35 +++++++++++++ Python/etc/openvpn/rescue.conf | 35 +++++++++++++ Rules/rules.xml | 2 + 15 files changed, 222 insertions(+), 26 deletions(-) create mode 100644 Bundler/openvpn.xml create mode 100644 Cfg/etc/openvpn/main.down/info.xml create mode 100755 Cfg/etc/openvpn/main.down/main.down create mode 100644 Cfg/etc/openvpn/main.up/info.xml create mode 100755 Cfg/etc/openvpn/main.up/main.up create mode 100644 Cfg/etc/openvpn/rescue.down/info.xml create mode 100755 Cfg/etc/openvpn/rescue.down/rescue.down create mode 100644 Cfg/etc/openvpn/rescue.up/info.xml create mode 100755 Cfg/etc/openvpn/rescue.up/rescue.up create mode 100644 Python/etc/default/openvpn create mode 100644 Python/etc/openvpn/external.conf create mode 100644 Python/etc/openvpn/main.conf create mode 100644 Python/etc/openvpn/rescue.conf diff --git a/Bundler/openvpn.xml b/Bundler/openvpn.xml new file mode 100644 index 0000000..00a3a5a --- /dev/null +++ b/Bundler/openvpn.xml @@ -0,0 +1,17 @@ + + + + + + + + + + + + + + + + + diff --git a/Cfg/etc/openvpn/main.down/info.xml b/Cfg/etc/openvpn/main.down/info.xml new file mode 100644 index 0000000..a0b21f3 --- /dev/null +++ b/Cfg/etc/openvpn/main.down/info.xml 
@@ -0,0 +1,3 @@
+
+
+
diff --git a/Cfg/etc/openvpn/main.down/main.down b/Cfg/etc/openvpn/main.down/main.down
new file mode 100755
index 0000000..9ae603c
--- /dev/null
+++ b/Cfg/etc/openvpn/main.down/main.down
@@ -0,0 +1,11 @@
+#!/bin/bash
+#
+# Fichier gere par BCfg2 avec le plugin Cfg
+#
+# Configuration des routes lorsque la connexion principale tombe
+
+# La connexion principale est inactive => on passe par la connexion de
+# secours. Si la connexion de secours est down ne marche pas ça
+# changera rien mais de toutes facons on peut pas faire mieux...
+route del -net 10.231.136.0 netmask 255.255.255.0 &> /dev/null
+route add -net 10.231.136.0 netmask 255.255.255.0 dev tun-rescue
diff --git a/Cfg/etc/openvpn/main.up/info.xml b/Cfg/etc/openvpn/main.up/info.xml
new file mode 100644
index 0000000..a0b21f3
--- /dev/null
+++ b/Cfg/etc/openvpn/main.up/info.xml
@@ -0,0 +1,3 @@
+
+
+
diff --git a/Cfg/etc/openvpn/main.up/main.up b/Cfg/etc/openvpn/main.up/main.up
new file mode 100755
index 0000000..7284544
--- /dev/null
+++ b/Cfg/etc/openvpn/main.up/main.up
@@ -0,0 +1,10 @@
+#!/bin/bash
+#
+# Fichier gere par BCfg2 avec le plugin Cfg
+#
+# Configuration des routes lorsque la connexion principale est
+# disponible
+
+# La connexion principale est active => on l'utilise
+route del -net 10.231.136.0 netmask 255.255.255.0 &> /dev/null
+route add -net 10.231.136.0 netmask 255.255.255.0 dev $dev
diff --git a/Cfg/etc/openvpn/rescue.down/info.xml b/Cfg/etc/openvpn/rescue.down/info.xml
new file mode 100644
index 0000000..a0b21f3
--- /dev/null
+++ b/Cfg/etc/openvpn/rescue.down/info.xml
@@ -0,0 +1,3 @@
+
+
+
diff --git a/Cfg/etc/openvpn/rescue.down/rescue.down b/Cfg/etc/openvpn/rescue.down/rescue.down
new file mode 100755
index 0000000..da76677
--- /dev/null
+++ b/Cfg/etc/openvpn/rescue.down/rescue.down
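Review bot: main.down deletes the existing route before the replacement is known to work: if `route add ... dev tun-rescue` fails because the rescue tunnel is also down, no specific route for 10.231.136.0/24 remains and that traffic presumably follows the default route, outside any tunnel. If the admin network must never be reached in clear, add a fallback such as `route add -net 10.231.136.0 netmask 255.255.255.0 dev tun-rescue || route add -net 10.231.136.0 netmask 255.255.255.0 reject`, and check that the `route del` in main.up and rescue.up then removes that reject entry. main.up uses the same delete-then-add order and passes `$dev` unquoted; `dev "$dev"` is safer there. The `&> /dev/null` on the delete also hides every error, not only the expected "no such route".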
@@ -0,0 +1,10 @@ +#!/bin/bash +# +# Fichier gere par BCfg2 avec le plugin Cfg +# +# Configuration des routes lorsque la connexion de secours tombe + +# Si c'était la route actuelle, alors tant pis... +if [ "$(route -n|awk '$1 == "$ifconfig_remote" {print $8}')" = "$dev" ]; then + route del -net 10.231.136.0 netmask 255.255.255.0 &> /dev/null +fi diff --git a/Cfg/etc/openvpn/rescue.up/info.xml b/Cfg/etc/openvpn/rescue.up/info.xml new file mode 100644 index 0000000..a0b21f3 --- /dev/null +++ b/Cfg/etc/openvpn/rescue.up/info.xml @@ -0,0 +1,3 @@ + + + diff --git a/Cfg/etc/openvpn/rescue.up/rescue.up b/Cfg/etc/openvpn/rescue.up/rescue.up new file mode 100755 index 0000000..cf2f67e --- /dev/null +++ b/Cfg/etc/openvpn/rescue.up/rescue.up @@ -0,0 +1,11 @@ +#!/bin/bash +# +# Fichier gere par BCfg2 avec le plugin Cfg +# +# Configuration des routes lorsque la connexion de secours est +# disponible + +# Si on a déjà une route vers le vlan adm alors on ne fait rien +if [ -z "$(route -n|awk '$1 == "$ifconfig_remote" {print $8}')" ]; then + route add -net 10.231.136.0 netmask 255.255.255.0 dev $dev +fi diff --git a/Metadata/groups.xml b/Metadata/groups.xml index efc8ca1..e11abd6 100644 --- a/Metadata/groups.xml +++ b/Metadata/groups.xml @@ -9,8 +9,8 @@ profile="true"> - + - + + - + @@ -290,7 +291,7 @@ category="dns"> - + @@ -330,6 +331,24 @@ + + + + + + + + + + + + + + - - - - - - - - - - @@ -447,6 +454,13 @@ + + + + + + + + + + @@ -648,11 +666,11 @@ category="dns-backend"> - + - + @@ -708,14 +726,6 @@ - - - - - - - - @@ -744,6 +754,11 @@ + + + + diff --git a/Python/etc/default/openvpn b/Python/etc/default/openvpn new file mode 100644 index 0000000..5660fe2 --- /dev/null +++ b/Python/etc/default/openvpn @@ -0,0 +1,8 @@ +# -*- coding: utf-8; mode: python -*- + +header("Configuration des tunnels a lancer par defauts") + +if has("external"): + @AUTOSTART = "main rescue" +else: + @AUTOSTART = "external" 
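Review bot: The awk test in rescue.down and rescue.up can never match, because `$ifconfig_remote` sits inside single quotes and awk compares the first column with the literal text `$ifconfig_remote`. As written, rescue.down never deletes the route and rescue.up always tries to add it, whatever the routing table holds. Pass the value in explicitly; since the comments talk about the route to the admin VLAN, the destination to look up is probably the network itself: `route -n | awk -v dst=10.231.136.0 '$1 == dst {print $8}'`. Quoting `$dev` in the `route add` line of rescue.up is also worth doing.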
diff --git a/Python/etc/openvpn/external.conf b/Python/etc/openvpn/external.conf
new file mode 100644
index 0000000..59ff37b
--- /dev/null
+++ b/Python/etc/openvpn/external.conf
@@ -0,0 +1,30 @@
+# -*- coding: utf-8; mode: python -*-
+
+include("ip")
+
+header("Configuration du tunnel vers les serveurs a 'exterieur")
+
+print """
+daemon tun-ovh
+dev tun-ovh
+
+tls-server
+ca /etc/ssl/certs/root.pem
+cert /etc/ssl/certs/vpn.pem
+tls-verify "/usr/share/openvpn/verify-cn ovh.vpn.crans.org"
+key /etc/ssl/private/vpn.pem
+
+log-append /var/log/openvpn/external.log
+
+port 1194
+
+ifconfig %s %s
+
+ping-timer-rem
+keepalive 10 60
+persist-tun
+
+verb 3
+
+dh /etc/openvpn/dh1024.pem
+""" % (admipof("komaz"), admipof("ovh"))
diff --git a/Python/etc/openvpn/main.conf b/Python/etc/openvpn/main.conf
new file mode 100644
index 0000000..9e06692
--- /dev/null
+++ b/Python/etc/openvpn/main.conf
@@ -0,0 +1,35 @@
+# -*- coding: utf-8; mode: python -*-
+
+include("ip")
+
+header("Configuration du tunnel vers la connexion principale")
+
+print """
+daemon tun-main
+dev tun-main
+
+tls-server
+ca /etc/ssl/certs/root.pem
+cert /etc/ssl/certs/vpn.pem
+tls-verify "/usr/share/openvpn/verify-cn komaz.vpn.crans.org"
+key /etc/ssl/private/vpn.pem
+
+log-append /var/log/openvpn/main.log
+
+port 1194
+
+ifconfig %s %s
+
+ping-timer-rem
+keepalive 10 60
+persist-tun
+
+verb 3
+
+dh /etc/openvpn/dh1024.pem
+up /etc/openvpn/up
+down /etc/openvpn/down
+up-restart
+
+remote %s
+""" % (admipof("ovh"), admipof("komaz"), pubipof("komaz"))
diff --git a/Python/etc/openvpn/rescue.conf b/Python/etc/openvpn/rescue.conf
new file mode 100644
index 0000000..4773c22
--- /dev/null
+++ b/Python/etc/openvpn/rescue.conf
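Review bot: `dh /etc/openvpn/dh1024.pem` in external.conf gives the TLS control channel 1024-bit Diffie-Hellman parameters, which is below what is considered adequate for key exchange today; main.conf and rescue.conf reference the same file. Generate parameters of at least 2048 bits (`openssl dhparam -out <dh-params-file> 2048`, placeholder path) and point `dh` at them. The template also sets no `cipher` and no `tls-auth`, so the data-channel cipher is whatever the installed OpenVPN defaults to and the port accepts handshake packets from anyone. Stating both explicitly would make the tunnel's security level reviewable from the template alone.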
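Review bot: The `up /etc/openvpn/up` and `down /etc/openvpn/down` lines in main.conf do not name the scripts this commit adds. Those sit under Cfg/etc/openvpn/main.up and Cfg/etc/openvpn/main.down, so they would presumably be installed as /etc/openvpn/main.up and /etc/openvpn/main.down; rescue.conf carries the same two lines. Unless other files exist at the referenced paths, the route switching never runs when a tunnel changes state. Suggested: `up /etc/openvpn/main.up` and `down /etc/openvpn/main.down` here, and the rescue.up / rescue.down pair in rescue.conf. Separately, this template and external.conf both declare `tls-server` and look like the two ends of one tunnel, where one end would normally be `tls-client`.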
@@ -0,0 +1,35 @@ +# -*- coding: utf-8; mode: python -*- + +include("ip") + +header("Configuration du tunnel vers la connexion principale") + +print """ +daemon tun-rescue +dev tun-rescue + +tls-server +ca /etc/ssl/certs/root.pem +cert /etc/ssl/certs/vpn.pem +tls-verify "/usr/share/openvpn/verify-cn freebox.vpn.crans.org" +key /etc/ssl/private/vpn.pem + +log-append /var/log/openvpn/rescue.log + +port 1194 + +ifconfig %s %s + +ping-timer-rem +keepalive 10 60 +persist-tun + +verb 3 + +dh /etc/openvpn/dh1024.pem +up /etc/openvpn/up +down /etc/openvpn/down +up-restart + +remote %s +""" % (admipof("ovh"), admipof("komaz"), pubipof("freebox")) diff --git a/Rules/rules.xml b/Rules/rules.xml index 6d23991..a8ad211 100644 --- a/Rules/rules.xml +++ b/Rules/rules.xml @@ -44,6 +44,8 @@ + +
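Review bot: `port 1194` in rescue.conf collides with main.conf, because Python/etc/default/openvpn autostarts `main rescue` on the same host and `port` sets the local port as well as the remote one, so the second daemon would presumably fail to bind. Both templates also assign the same `ifconfig` pair (`admipof("ovh")`, `admipof("komaz")`) to two different tun devices, which is worth checking against the intended addressing. Give the rescue tunnel its own port, or add `nobind` if this end only initiates the connection. The `header(...)` text still reads "connexion principale", copied from main.conf, and should describe the rescue link instead.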