Pull NetworkManager parameters from bootstrap API as well
This commit is contained in:
parent
1fbdea09ba
commit
450e68c946
@ -487,30 +487,20 @@ def certidude_enroll(fork, no_wait, kerberos):
|
|||||||
nm_config.set("vpn", "cert-pass-flags", "0")
|
nm_config.set("vpn", "cert-pass-flags", "0")
|
||||||
nm_config.set("vpn", "tap-dev", "no")
|
nm_config.set("vpn", "tap-dev", "no")
|
||||||
nm_config.set("vpn", "remote-cert-tls", "server") # Assert TLS Server flag of X.509 certificate
|
nm_config.set("vpn", "remote-cert-tls", "server") # Assert TLS Server flag of X.509 certificate
|
||||||
nm_config.set("vpn", "remote", service_config.get(endpoint, "remote"))
|
nm_config.set("vpn", "remote", endpoint)
|
||||||
nm_config.set("vpn", "key", key_path)
|
nm_config.set("vpn", "key", key_path)
|
||||||
nm_config.set("vpn", "cert", certificate_path)
|
nm_config.set("vpn", "cert", certificate_path)
|
||||||
nm_config.set("vpn", "ca", authority_path)
|
nm_config.set("vpn", "ca", authority_path)
|
||||||
nm_config.set("vpn", "tls-cipher", "TLS-%s-WITH-AES-256-GCM-SHA384" % (
|
nm_config.set("vpn", "tls-cipher", bootstrap["openvpn"]["tls_cipher"])
|
||||||
"ECDHE-ECDSA" if authority_public_key.algorithm == "ec" else "DHE-RSA"))
|
nm_config.set("vpn", "cipher", bootstrap["openvpn"]["cipher"])
|
||||||
nm_config.set("vpn", "cipher", "AES-128-GCM")
|
nm_config.set("vpn", "auth", bootstrap["openvpn"]["auth"])
|
||||||
nm_config.set("vpn", "auth", "SHA384")
|
|
||||||
nm_config.add_section("ipv4")
|
nm_config.add_section("ipv4")
|
||||||
nm_config.set("ipv4", "method", "auto")
|
nm_config.set("ipv4", "method", "auto")
|
||||||
nm_config.set("ipv4", "never-default", "true")
|
nm_config.set("ipv4", "never-default", "true")
|
||||||
nm_config.add_section("ipv6")
|
nm_config.add_section("ipv6")
|
||||||
nm_config.set("ipv6", "method", "auto")
|
nm_config.set("ipv6", "method", "auto")
|
||||||
|
nm_config.set("vpn", "port", "443")
|
||||||
try:
|
|
||||||
nm_config.set("vpn", "port", str(service_config.getint(endpoint, "port")))
|
|
||||||
except NoOptionError:
|
|
||||||
nm_config.set("vpn", "port", "1194")
|
|
||||||
|
|
||||||
try:
|
|
||||||
if service_config.get(endpoint, "proto") == "tcp":
|
|
||||||
nm_config.set("vpn", "proto-tcp", "yes")
|
nm_config.set("vpn", "proto-tcp", "yes")
|
||||||
except NoOptionError:
|
|
||||||
pass
|
|
||||||
|
|
||||||
# Prevent creation of files with liberal permissions
|
# Prevent creation of files with liberal permissions
|
||||||
os.umask(0o177)
|
os.umask(0o177)
|
||||||
@ -539,23 +529,17 @@ def certidude_enroll(fork, no_wait, kerberos):
|
|||||||
nm_config.set("vpn", "virtual", "yes")
|
nm_config.set("vpn", "virtual", "yes")
|
||||||
nm_config.set("vpn", "method", "key")
|
nm_config.set("vpn", "method", "key")
|
||||||
nm_config.set("vpn", "ipcomp", "no")
|
nm_config.set("vpn", "ipcomp", "no")
|
||||||
nm_config.set("vpn", "address", service_config.get(endpoint, "remote"))
|
nm_config.set("vpn", "address", endpoint)
|
||||||
nm_config.set("vpn", "userkey", key_path)
|
nm_config.set("vpn", "userkey", key_path)
|
||||||
nm_config.set("vpn", "usercert", certificate_path)
|
nm_config.set("vpn", "usercert", certificate_path)
|
||||||
nm_config.set("vpn", "certificate", authority_path)
|
nm_config.set("vpn", "certificate", authority_path)
|
||||||
dhgroup = "ecp384" if authority_public_key.algorithm == "ec" else "modp2048"
|
nm_config.set("vpn", "ike", bootstrap["strongswan"]["ike"])
|
||||||
nm_config.set("vpn", "ike", "aes256-sha384-prfsha384-" + dhgroup)
|
nm_config.set("vpn", "esp", bootstrap["strongswan"]["esp"])
|
||||||
nm_config.set("vpn", "esp", "aes128gcm16-aes128gmac-" + dhgroup)
|
|
||||||
nm_config.set("vpn", "proposal", "yes")
|
nm_config.set("vpn", "proposal", "yes")
|
||||||
|
|
||||||
nm_config.add_section("ipv4")
|
nm_config.add_section("ipv4")
|
||||||
nm_config.set("ipv4", "method", "auto")
|
nm_config.set("ipv4", "method", "auto")
|
||||||
|
|
||||||
# Add routes, may need some more tweaking
|
|
||||||
if service_config.has_option(endpoint, "route"):
|
|
||||||
for index, subnet in enumerate(service_config.get(endpoint, "route").split(","), start=1):
|
|
||||||
nm_config.set("ipv4", "route%d" % index, subnet)
|
|
||||||
|
|
||||||
# Prevent creation of files with liberal permissions
|
# Prevent creation of files with liberal permissions
|
||||||
os.umask(0o177)
|
os.umask(0o177)
|
||||||
|
|
||||||
|
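Review bot: The `tls-cipher`, `cipher` and `auth` values in the first hunk and the `ike`/`esp` proposals in the second are now copied verbatim from the bootstrap response into the NetworkManager profile, so whatever the bootstrap API returns (or whatever can tamper with that response in transit, if the fetch is not authenticated — not visible here) becomes the client's VPN crypto policy, whereas the removed lines pinned AES-GCM/SHA384 and derived the DH group from the authority key's algorithm. Validate each value against an allowlist seeded with the previously hard-coded strings before writing it, and turn a missing key into a clear enrolment error instead of the bare `KeyError` that `bootstrap["openvpn"]["tls_cipher"]` raises today; the helper below does both and would replace the five `nm_config.set(..., bootstrap[...][...])` lines. The first hunk also appears to drop the `port`/`proto` lookup from `service_config` and to set `proto-tcp` to `yes` unconditionally — the rendered layout makes this hard to confirm, so if the port is now expected from the bootstrap data too it deserves a comment such as `# port/proto now come from the bootstrap response` next to the `remote` line. `certidude_enroll` starts before the first hunk and continues past the second.
```python
# Only accept crypto parameters this client was previously pinned to; extend as the CA rolls out new ones.
OPENVPN_TLS_CIPHERS = {"TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384", "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"}
OPENVPN_CIPHERS = {"AES-128-GCM", "AES-256-GCM"}
OPENVPN_AUTH_DIGESTS = {"SHA384"}
STRONGSWAN_IKE = {"aes256-sha384-prfsha384-ecp384", "aes256-sha384-prfsha384-modp2048"}
STRONGSWAN_ESP = {"aes128gcm16-aes128gmac-ecp384", "aes128gcm16-aes128gmac-modp2048"}

def _bootstrap_value(bootstrap, section, key, allowed):
    """Return bootstrap[section][key], refusing missing or non-allowlisted values."""
    try:
        value = bootstrap[section][key]
    except KeyError:
        raise ValueError("Bootstrap response is missing %s/%s" % (section, key))
    if value not in allowed:
        raise ValueError("Bootstrap returned unexpected %s/%s: %r" % (section, key, value))
    return value

# … unchanged: remote/key/cert/ca settings …
nm_config.set("vpn", "tls-cipher", _bootstrap_value(bootstrap, "openvpn", "tls_cipher", OPENVPN_TLS_CIPHERS))
nm_config.set("vpn", "cipher", _bootstrap_value(bootstrap, "openvpn", "cipher", OPENVPN_CIPHERS))
nm_config.set("vpn", "auth", _bootstrap_value(bootstrap, "openvpn", "auth", OPENVPN_AUTH_DIGESTS))
# … unchanged: ipv4/ipv6 sections, umask …
nm_config.set("vpn", "ike", _bootstrap_value(bootstrap, "strongswan", "ike", STRONGSWAN_IKE))
nm_config.set("vpn", "esp", _bootstrap_value(bootstrap, "strongswan", "esp", STRONGSWAN_ESP))
```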