Browse Source

Pull NetworkManager parameters from bootstrap API as well

master
Lauri Võsandi 1 year ago
parent
commit
450e68c946
  1. 34
      pinecrypt/client/cli.py

34
pinecrypt/client/cli.py

@ -487,30 +487,20 @@ def certidude_enroll(fork, no_wait, kerberos): @@ -487,30 +487,20 @@ def certidude_enroll(fork, no_wait, kerberos):
nm_config.set("vpn", "cert-pass-flags", "0")
nm_config.set("vpn", "tap-dev", "no")
nm_config.set("vpn", "remote-cert-tls", "server") # Assert TLS Server flag of X.509 certificate
nm_config.set("vpn", "remote", service_config.get(endpoint, "remote"))
nm_config.set("vpn", "remote", endpoint)
nm_config.set("vpn", "key", key_path)
nm_config.set("vpn", "cert", certificate_path)
nm_config.set("vpn", "ca", authority_path)
nm_config.set("vpn", "tls-cipher", "TLS-%s-WITH-AES-256-GCM-SHA384" % (
"ECDHE-ECDSA" if authority_public_key.algorithm == "ec" else "DHE-RSA"))
nm_config.set("vpn", "cipher", "AES-128-GCM")
nm_config.set("vpn", "auth", "SHA384")
nm_config.set("vpn", "tls-cipher", bootstrap["openvpn"]["tls_cipher"])
nm_config.set("vpn", "cipher", bootstrap["openvpn"]["cipher"])
nm_config.set("vpn", "auth", bootstrap["openvpn"]["auth"])
nm_config.add_section("ipv4")
nm_config.set("ipv4", "method", "auto")
nm_config.set("ipv4", "never-default", "true")
nm_config.add_section("ipv6")
nm_config.set("ipv6", "method", "auto")
try:
nm_config.set("vpn", "port", str(service_config.getint(endpoint, "port")))
except NoOptionError:
nm_config.set("vpn", "port", "1194")
try:
if service_config.get(endpoint, "proto") == "tcp":
nm_config.set("vpn", "proto-tcp", "yes")
except NoOptionError:
pass
nm_config.set("vpn", "port", "443")
nm_config.set("vpn", "proto-tcp", "yes")
# Prevent creation of files with liberal permissions
os.umask(0o177)
@ -539,23 +529,17 @@ def certidude_enroll(fork, no_wait, kerberos): @@ -539,23 +529,17 @@ def certidude_enroll(fork, no_wait, kerberos):
nm_config.set("vpn", "virtual", "yes")
nm_config.set("vpn", "method", "key")
nm_config.set("vpn", "ipcomp", "no")
nm_config.set("vpn", "address", service_config.get(endpoint, "remote"))
nm_config.set("vpn", "address", endpoint)
nm_config.set("vpn", "userkey", key_path)
nm_config.set("vpn", "usercert", certificate_path)
nm_config.set("vpn", "certificate", authority_path)
dhgroup = "ecp384" if authority_public_key.algorithm == "ec" else "modp2048"
nm_config.set("vpn", "ike", "aes256-sha384-prfsha384-" + dhgroup)
nm_config.set("vpn", "esp", "aes128gcm16-aes128gmac-" + dhgroup)
nm_config.set("vpn", "ike", bootstrap["strongswan"]["ike"])
nm_config.set("vpn", "esp", bootstrap["strongswan"]["esp"])
nm_config.set("vpn", "proposal", "yes")
nm_config.add_section("ipv4")
nm_config.set("ipv4", "method", "auto")
# Add routes, may need some more tweaking
if service_config.has_option(endpoint, "route"):
for index, subnet in enumerate(service_config.get(endpoint, "route").split(","), start=1):
nm_config.set("ipv4", "route%d" % index, subnet)
# Prevent creation of files with liberal permissions
os.umask(0o177)

Loading…
Cancel
Save