pinecrypt/certidude
2
1
Fork 0
Code Issues 1 Pull Requests Activity

Fix IPSec route pushing

Browse Source
This commit is contained in:
Lauri Võsandi 2021-04-14 23:49:25 +03:00
parent f793ae07a1
commit ebeff39168
3 changed files with 5 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
entrypoint-openvpn.sh
View File

@ -3,10 +3,5 @@ sleep 10
set -e set -e
$@ $@
AUTHORITY=$3 AUTHORITY=$3
echo "Client config:" test -f /etc/certidude/authority/ca5.dev.lan/host_cert.pem
cat /etc/certidude/client.conf
echo
echo "Generated VPN config:"
cat /etc/openvpn/$AUTHORITY.conf
echo
openvpn --config /etc/openvpn/$AUTHORITY.conf openvpn --config /etc/openvpn/$AUTHORITY.conf

7
entrypoint-strongswan.sh
View File

@ -3,10 +3,5 @@ sleep 10
set -e set -e
$@ $@
AUTHORITY=$3 AUTHORITY=$3
echo "Client config:" test -f /etc/certidude/authority/ca5.dev.lan/host_cert.pem
cat /etc/certidude/client.conf
echo
echo "Generated VPN config:"
cat /etc/ipsec.conf
echo
/usr/sbin/ipsec start --nofork /usr/sbin/ipsec start --nofork

6
pinecrypt/client/cli.py
View File

@ -378,7 +378,6 @@ def certidude_enroll(fork, no_wait, kerberos):
# OpenVPN set up with initscripts # OpenVPN set up with initscripts
if method == "init/openvpn": if method == "init/openvpn":
openvpn_config_path = "/etc/openvpn/%s.conf" % endpoint openvpn_config_path = "/etc/openvpn/%s.conf" % endpoint
print(bootstrap)
with open(openvpn_config_path + ".part", "w") as fh: with open(openvpn_config_path + ".part", "w") as fh:
fh.write("client\n") fh.write("client\n")
fh.write("nobind\n") fh.write("nobind\n")
@ -425,16 +424,17 @@ def certidude_enroll(fork, no_wait, kerberos):
config["conn", endpoint]["keyingtries"] = "%forever" config["conn", endpoint]["keyingtries"] = "%forever"
config["conn", endpoint]["dpdaction"] = "restart" config["conn", endpoint]["dpdaction"] = "restart"
config["conn", endpoint]["closeaction"] = "restart" config["conn", endpoint]["closeaction"] = "restart"
config["conn", endpoint]["rightsubnet"] = "0.0.0.0/0"
config["conn", endpoint]["ike"] = "%s!" % bootstrap["strongswan"]["ike"] config["conn", endpoint]["ike"] = "%s!" % bootstrap["strongswan"]["ike"]
config["conn", endpoint]["esp"] = "%s!" % bootstrap["strongswan"]["esp"] config["conn", endpoint]["esp"] = "%s!" % bootstrap["strongswan"]["esp"]
config["conn", endpoint]["left"] = "%defaultroute" config["conn", endpoint]["leftsourceip"] = "%config"
config["conn", endpoint]["leftcert"] = certificate_path config["conn", endpoint]["leftcert"] = certificate_path
# leftca="$AUTHORITY_CERTIFICATE_DISTINGUISHED_NAME" # leftca="$AUTHORITY_CERTIFICATE_DISTINGUISHED_NAME"
# rightca="$AUTHORITY_CERTIFICATE_DISTINGUISHED_NAME" # rightca="$AUTHORITY_CERTIFICATE_DISTINGUISHED_NAME"
with open(strongswan_secrets_path + ".part", "w") as fh: with open(strongswan_secrets_path + ".part", "w") as fh:
fh.write(": %s %s`n" % ( fh.write(": %s %s\n" % (
"ECDSA" if authority_public_key.algorithm == "ec" else "RSA", "ECDSA" if authority_public_key.algorithm == "ec" else "RSA",
key_path key_path
)) ))