Pull NetworkManager parameters from bootstrap API as well

This commit is contained in:
Lauri Võsandi 2021-04-23 09:53:08 +03:00
parent 1fbdea09ba
commit 450e68c946
1 changed files with 9 additions and 25 deletions


@ -487,30 +487,20 @@ def certidude_enroll(fork, no_wait, kerberos):
nm_config.set("vpn", "cert-pass-flags", "0") nm_config.set("vpn", "cert-pass-flags", "0")
nm_config.set("vpn", "tap-dev", "no") nm_config.set("vpn", "tap-dev", "no")
nm_config.set("vpn", "remote-cert-tls", "server") # Assert TLS Server flag of X.509 certificate nm_config.set("vpn", "remote-cert-tls", "server") # Assert TLS Server flag of X.509 certificate
nm_config.set("vpn", "remote", service_config.get(endpoint, "remote")) nm_config.set("vpn", "remote", endpoint)
nm_config.set("vpn", "key", key_path) nm_config.set("vpn", "key", key_path)
nm_config.set("vpn", "cert", certificate_path) nm_config.set("vpn", "cert", certificate_path)
nm_config.set("vpn", "ca", authority_path) nm_config.set("vpn", "ca", authority_path)
nm_config.set("vpn", "tls-cipher", "TLS-%s-WITH-AES-256-GCM-SHA384" % ( nm_config.set("vpn", "tls-cipher", bootstrap["openvpn"]["tls_cipher"])
"ECDHE-ECDSA" if authority_public_key.algorithm == "ec" else "DHE-RSA")) nm_config.set("vpn", "cipher", bootstrap["openvpn"]["cipher"])
nm_config.set("vpn", "cipher", "AES-128-GCM") nm_config.set("vpn", "auth", bootstrap["openvpn"]["auth"])
nm_config.set("vpn", "auth", "SHA384")
nm_config.add_section("ipv4") nm_config.add_section("ipv4")
nm_config.set("ipv4", "method", "auto") nm_config.set("ipv4", "method", "auto")
nm_config.set("ipv4", "never-default", "true") nm_config.set("ipv4", "never-default", "true")
nm_config.add_section("ipv6") nm_config.add_section("ipv6")
nm_config.set("ipv6", "method", "auto") nm_config.set("ipv6", "method", "auto")
nm_config.set("vpn", "port", "443")
try: nm_config.set("vpn", "proto-tcp", "yes")
nm_config.set("vpn", "port", str(service_config.getint(endpoint, "port")))
except NoOptionError:
nm_config.set("vpn", "port", "1194")
try:
if service_config.get(endpoint, "proto") == "tcp":
nm_config.set("vpn", "proto-tcp", "yes")
except NoOptionError:
pass
# Prevent creation of files with liberal permissions # Prevent creation of files with liberal permissions
os.umask(0o177) os.umask(0o177)
@ -539,23 +529,17 @@ def certidude_enroll(fork, no_wait, kerberos):
nm_config.set("vpn", "virtual", "yes") nm_config.set("vpn", "virtual", "yes")
nm_config.set("vpn", "method", "key") nm_config.set("vpn", "method", "key")
nm_config.set("vpn", "ipcomp", "no") nm_config.set("vpn", "ipcomp", "no")
nm_config.set("vpn", "address", service_config.get(endpoint, "remote")) nm_config.set("vpn", "address", endpoint)
nm_config.set("vpn", "userkey", key_path) nm_config.set("vpn", "userkey", key_path)
nm_config.set("vpn", "usercert", certificate_path) nm_config.set("vpn", "usercert", certificate_path)
nm_config.set("vpn", "certificate", authority_path) nm_config.set("vpn", "certificate", authority_path)
dhgroup = "ecp384" if authority_public_key.algorithm == "ec" else "modp2048" nm_config.set("vpn", "ike", bootstrap["strongswan"]["ike"])
nm_config.set("vpn", "ike", "aes256-sha384-prfsha384-" + dhgroup) nm_config.set("vpn", "esp", bootstrap["strongswan"]["esp"])
nm_config.set("vpn", "esp", "aes128gcm16-aes128gmac-" + dhgroup)
nm_config.set("vpn", "proposal", "yes") nm_config.set("vpn", "proposal", "yes")
nm_config.add_section("ipv4") nm_config.add_section("ipv4")
nm_config.set("ipv4", "method", "auto") nm_config.set("ipv4", "method", "auto")
# Add routes, may need some more tweaking
if service_config.has_option(endpoint, "route"):
for index, subnet in enumerate(service_config.get(endpoint, "route").split(","), start=1):
nm_config.set("ipv4", "route%d" % index, subnet)
# Prevent creation of files with liberal permissions # Prevent creation of files with liberal permissions
os.umask(0o177) os.umask(0o177)
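Review bot: The tls-cipher/cipher/auth values in the first hunk, and the ike/esp values in the second, are now copied verbatim from `bootstrap` into the NetworkManager profile with no check that the keys exist or that the values are acceptable — a missing key surfaces as a bare `KeyError` halfway through enrollment, and a bootstrap response that an on-path attacker or compromised server can influence could select a weaker suite than the previously hardcoded `AES-128-GCM`/`SHA384` or `aes256-sha384-prfsha384-…`. Whether the bootstrap fetch is authenticated against a pinned authority is not visible from these hunks; if it is not, the downgrade is a real risk rather than a theoretical one. I would fail closed on missing or empty values and compare them against a short local allowlist of suites the client is willing to use, before any `nm_config.set` call, so a bad response is rejected as a whole instead of producing a half-written profile. The same applies to the now-hardcoded `port`/`proto-tcp` pair only insofar as the old `NoOptionError` fallback is gone; certidude_enroll begins before the first hunk and continues after the last.
```python
# … unchanged: key/cert/ca settings …
openvpn = bootstrap["openvpn"]
for field in ("tls_cipher", "cipher", "auth"):
    if not openvpn.get(field):
        raise ValueError("bootstrap response lacks openvpn.%s" % field)
# TODO(review): compare openvpn[...] against a local allowlist of accepted suites
nm_config.set("vpn", "tls-cipher", openvpn["tls_cipher"])
nm_config.set("vpn", "cipher", openvpn["cipher"])
nm_config.set("vpn", "auth", openvpn["auth"])
# … unchanged: ipv4/ipv6 sections, port/proto-tcp, umask …
```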