|
1 | 1 | import fs from "fs"; |
2 | | -import { shell, shellArgs } from "../utils/shell"; |
| 2 | +import { shell } from "../utils/shell"; |
3 | 3 | import { directoryIsEmptyOrEnoent } from "../utils/fs"; |
4 | 4 | import { PKI_PATH, PROXY_ARP_PATH } from "../params"; |
5 | 5 | import { logs } from "../logs"; |
6 | | -import { getContainerIP } from "../utils/getDockerContainerIp"; |
7 | 6 |
|
8 | | -type OvpnGenConfigFlags = { |
9 | | - c: string; // Enable traffic among the clients connected to the VPN (Boolean, no value) |
10 | | - d: string; // Disable default route (disables NAT without '-N'). Only specific traffic will go through the VPN (Boolean, no value) |
11 | | - u: string; // Hostname the clients will use to connect to the VPN |
12 | | - s: string; // Subnet the server will use to assign IPs to the clients |
13 | | - p: string; // Route to push to the client |
14 | | - n: string; // DNS server (BIND) |
15 | | - // There are more flags available, but we don't need them here |
16 | | -}; |
17 | | - |
18 | | -/** |
19 | | - * Initializes the OpenVPN configuration |
20 | | - * This function MUST be called before starting the openvpn binary |
21 | | - */ |
22 | | -export async function initalizeOpenVpnConfig(hostname: string): Promise<void> { |
23 | | - const vpnContainerDomain = "vpn.dappnode"; |
24 | | - // Replicate environment used in entrypoint.sh |
| 7 | +export async function initalizeOpenVpnConfig(hostname: string): Promise<string> { |
25 | 8 | const openVpnEnv = { |
| 9 | + ...process.env, |
26 | 10 | OVPN_CN: hostname, |
27 | | - EASYRSA_REQ_CN: hostname |
| 11 | + EASYRSA_REQ_CN: hostname, |
28 | 12 | }; |
29 | | - let genConfigFlags: OvpnGenConfigFlags; |
30 | | - |
31 | | - logs.info("Initializing OpenVPN configuration"); |
32 | | - |
33 | | - // Check current IP range |
34 | | - const containerIp = await getContainerIP(vpnContainerDomain); |
35 | 13 |
|
36 | | - // If container IP is inside 172.33.0.0/16 --> generate credentials A |
37 | | - if (containerIp && containerIp.startsWith("172.33.")) { |
38 | | - logs.info("Generating credentials for IP range 172.33.0.0/16"); |
39 | | - genConfigFlags = { |
40 | | - c: "", |
41 | | - d: "", |
42 | | - u: `udp://"${hostname}"`, |
43 | | - s: "172.33.8.0/22", |
44 | | - p: `"route 172.33.0.0 255.255.0.0"`, |
45 | | - n: `"172.33.1.2"` |
46 | | - }; |
47 | | - |
48 | | - // Else (default, but it should be 10.20.0.0/24) --> generate credentials B |
49 | | - } else { |
50 | | - logs.info("Generating credentials for IP range 10.20.0.0/24"); |
51 | | - genConfigFlags = { |
52 | | - c: "", |
53 | | - d: "", |
54 | | - u: `udp://"${hostname}"`, |
55 | | - s: "10.20.0.240/28", |
56 | | - p: `"route 10.20.0.0 255.255.255.0"`, |
57 | | - n: `"10.20.0.2"` |
58 | | - }; |
59 | | - } |
| 14 | + logs.info("Initializing OpenVPN configuration (both subnets + both DNS)"); |
60 | 15 |
|
61 | | - // Initialize config and PKI |
62 | | - const output = await shellArgs( |
| 16 | + // Build the full ovpn_genconfig command with multiple -s, -p, -n flags: |
| 17 | + const genCmd = [ |
63 | 18 | "ovpn_genconfig", |
64 | | - genConfigFlags, |
65 | | - { env: { ...process.env, ...openVpnEnv } } |
66 | | - ); |
67 | | - |
68 | | - logs.info(`OpenVPN configuration output:\n\n${output}\n\n`); |
69 | | - |
70 | | - // Check if PKI is initalized already, if not use hostname as CN |
71 | | - if (directoryIsEmptyOrEnoent(PKI_PATH)) |
72 | | - await shell("ovpn_initpki nopass", { |
73 | | - env: { ...process.env, ...openVpnEnv } |
| 19 | + "-c", // client-to-client |
| 20 | + "-d", // disable default route |
| 21 | + "-u", `udp://"${hostname}"`, |
| 22 | + "-s", "10.20.0.0/24", |
| 23 | + "-s", "172.33.0.0/16", |
| 24 | + "-p", "route 10.20.0.0 255.255.255.0", |
| 25 | + "-p", "route 172.33.0.0 255.255.0.0", |
| 26 | + "-n", "10.20.0.2", |
| 27 | + "-n", "172.33.1.2", |
| 28 | + ].join(" "); |
| 29 | + |
| 30 | + // Generate server configuration |
| 31 | + const genOutput = await shell(genCmd, { env: openVpnEnv }); |
| 32 | + logs.info(`ovpn_genconfig output:\n${genOutput}`); |
| 33 | + |
| 34 | + // Initialize the PKI if needed |
| 35 | + if (directoryIsEmptyOrEnoent(PKI_PATH)) { |
| 36 | + const initPkiOutput = await shell("ovpn_initpki nopass", { |
| 37 | + env: openVpnEnv, |
74 | 38 | }); |
| 39 | + logs.info(`ovpn_initpki output:\n${initPkiOutput}`); |
| 40 | + } |
75 | 41 |
|
76 | | - // Enable Proxy ARP (needs privileges) |
| 42 | + // Enable proxy ARP |
77 | 43 | fs.writeFileSync(PROXY_ARP_PATH, "1"); |
| 44 | + |
| 45 | + // Finally, generate and return the client bundle |
| 46 | + const clientConfig = await shell(`ovpn_getclient "${hostname}"`, { |
| 47 | + env: openVpnEnv, |
| 48 | + }); |
| 49 | + logs.info(`Generated client configuration for ${hostname}`); |
| 50 | + |
| 51 | + return clientConfig; |
78 | 52 | } |
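Review bot: Replacing `shellArgs` (an argument object) with a single string handed to `shell` on new-side lines 31 and 46 puts `hostname` into a shell command protected only by double quotes; if `shell` runs through `sh -c` as its name suggests, a hostname containing `"`, `$(` or backticks can inject commands, and this value is typically user-configurable. Add a guard before the first `shell` call, `if (!/^[A-Za-z0-9.-]+$/.test(hostname)) throw new Error(\`Invalid hostname: ${hostname}\`);`, or keep passing arguments without a shell as the removed code did. The `.join(" ")` also drops the quotes the old code carried around the `-p` values, so `-p route 10.20.0.0 255.255.255.0` reaches ovpn_genconfig as `-p route` followed by two stray positional words; write them as `"-p", '"route 10.20.0.0 255.255.255.0"'` (same for the 172.33 route). Separately, in the ovpn_genconfig builds I know `-s` is a single-value option where the last occurrence wins while `-p`/`-n` accumulate, and the new `-s` values are the whole networks that are also pushed as routes rather than the carved-out ranges (`172.33.8.0/22`, `10.20.0.240/28`) the removed code used, so please confirm both against the installed script.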