giomba
161172a174
continuous-integration/drone/pr Build is failing
Details
continuous-integration/drone/push Build is passing
Details
|
||
|---|---|---|
| easy-rsa@a9cecc747c | ||
| script | ||
| templates | ||
| .drone.yml | ||
| .gitignore | ||
| .gitmodules | ||
| Dockerfile.deploy | ||
| Dockerfile.develop | ||
| README.md | ||
| docker | ||
| main.py | ||
| pyproject.toml | ||
| requirements.txt | ||
README.md
VPNUnit
Manages our VPN. Lot of details can be found on this page in Italian.
VPNUnit exposes a REST API interface, and endpoints can be used to administer users and their gateways.
- user: an user corresponds to a member of GOLEM, and is identified by her nickname. (this could enable future integrations with argento)
- gateway: a gateway corresponds to an user device, which can act as a leaf end (eg. her smartphone) or a network router (eg. her scatolotto).
An user can have up to 16 gateways. Each gateway is reserved up to 16 /64 networks.
Addresses are given in the following form:
2001:470:c844:uugn:xxxx:xxxx:xxxx:xxxx
where
2001:470:c844::/48: GOLEM prefix, courtesy of Hurrican Electricuu: user id, from 00 to ff. 00 and 01 are reserved, 02 is for the Officina Informatica.g: gateway of the user, from 0 to fn: network n of gateway g of user uu
Using the REST API, the system administrator can manage the uug part of the issued addresses:
- create new users
- create and delete (revoke cert) gateways
- obtain the OpenVPN configuration file for the gateways
Since the whole 2001:470:c844:uug0::/60 network will be forwared to/from the user gateway, then she has to manage the n part of the address (if she wants), for example using forwarding again and DHCPv6 or SLAAC with radv.
REST API endpoints
| endpoint | method | body | description |
|---|---|---|---|
| /users | GET | get list of users | |
| /users | POST | { "name": "johndoe" } |
create new user |
| /gateways | GET | get list of gateways | |
| /gateways | POST | { "name": "fqdn.domain.tld", "user": "johndoe" } |
create new gateway for user |
| /gateway/$fqdn | GET | get info about gateway | |
| /gateway/$fqdn | DELETE | delete gateway | |
| /gateway/$fqdn/config | GET | get client config file for gateway | |
| /gateway/$fqdn/renew | POST | generate new certificate for gateway (min 30 days before expiration) |
Technical details
VPNUnit runs inside a Docker container, and stores its data in the /data subvolume (which is usually mounted on /srv/vpnunit on the physical machine).
/data contains:
database.sqlite3: users and gateways infopki/: Public Key Infrastructure for easy-rsaovpn/: server config file, and static clients addressesip/: static routes
Example:
- system administrator creates a new user, database.sqlite3 is updated
- system administrator creates a new gateway for an user:
- database.sqlite3 is updated
- new certificate is issued using easyrsa pki
- new static client address is registered in
ovpn/clientsin the mentioned form - new static route is added in
ip/routes
Note: the OpenVPN process is actually run on the physical machine! It uses:
- the server configuration file in
ovpn/ - the static clients configurations in
ovpn/clients
Moreover, a cronjob should periodically:
- check for routes in
ip/routesand update them accordingly on the physical machine.
A possible cronjob could be:
while [ true ]; do
while read line; do
COMMAND="ip -6 route add $line"
eval $COMMAND
done < /srv/vpnunit/ip/routes
sleep 60
done
Develop
Dockerfile.develop contains instructions to build a container for assessing this project's quality, and script/qa is automatically run inside that container by the CI system.
Give a look at it.