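/**
 * Disconnect all clients with this CN from all pools and instances
 * managed by this service.
 *
 * The CN is sent verbatim as part of a "kill <cn>" command on the
 * management interface, which is a line-oriented text protocol. A CN
 * containing whitespace or control characters could terminate the command
 * early or smuggle in a second one, so such values are rejected up front.
 * Callers are expected to have validated the CN already; this check is
 * defence in depth.
 *
 * A failing pool/process is logged and skipped, so the result only says
 * whether at least one management interface reported "SUCCESS: ".
 *
 * @param string $commonName the CN to kill
 *
 * @throws \InvalidArgumentException when the CN contains whitespace or control characters
 *
 * @return bool true if at least one client was disconnected
 */
public function kill($commonName)
{
    // defence in depth: never let a CN break out of the single-line command
    if (1 === preg_match('/[\s\x00-\x1f\x7f]/', $commonName)) {
        throw new \InvalidArgumentException('common name contains whitespace or control characters');
    }

    $clientsKilled = 0;
    $instanceNumber = $this->instanceConfig->v('instanceNumber');

    // loop over all pools
    foreach (array_keys($this->instanceConfig->v('vpnPools')) as $poolNumber => $poolId) {
        $poolConfig = new PoolConfig($this->instanceConfig->v('vpnPools', $poolId));
        // management address is derived from the instance and pool numbers
        $managementIp = sprintf('127.42.%d.%d', 100 + $instanceNumber, 100 + $poolNumber);

        // loop over all processes of this pool, one management port each
        for ($i = 0; $i < $poolConfig->v('processCount'); ++$i) {
            $managementPort = 11940 + $i;
            try {
                // open the socket connection
                $this->managementSocket->open(sprintf('tcp://%s:%d', $managementIp, $managementPort));
                $response = $this->managementSocket->command(sprintf('kill %s', $commonName));
                // an empty response must not be treated as a kill (and must not notice)
                if (isset($response[0]) && 0 === mb_strpos($response[0], 'SUCCESS: ')) {
                    ++$clientsKilled;
                }
                // close the socket connection
                $this->managementSocket->close();
            } catch (ManagementSocketException $e) {
                // NOTE(review): if command() throws, close() is never reached before
                // the next open(); confirm ManagementSocket tolerates a re-open.
                // we log the error, but continue with the next process
                $this->logger->error(sprintf('error with socket "%s:%s", message: "%s"', $managementIp, $managementPort, $e->getMessage()));
            }
        }
    }

    return 0 !== $clientsKilled;
}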
/**
 * Write the configuration of every pool of an instance by delegating
 * each pool to writePool().
 *
 * @param string         $instanceId     the instance identifier
 * @param InstanceConfig $instanceConfig the configuration of the instance
 */
public function write($instanceId, InstanceConfig $instanceConfig)
{
    $instanceNumber = $instanceConfig->v('instanceNumber');
    $poolIds = array_keys($instanceConfig->v('vpnPools'));

    // the position of a pool in the configuration doubles as its pool number
    foreach ($poolIds as $poolNumber => $poolId) {
        $poolConfig = new PoolConfig($instanceConfig->v('vpnPools', $poolId));
        $this->writePool($instanceNumber, $instanceId, $poolNumber, $poolId, $poolConfig);
    }
}
/**
 * Fetch the group memberships for a bearer token from the configured
 * VOOT group provider.
 *
 * NOTE(review): any TransferException (network/HTTP failure, and whatever
 * the client's json() raises if it derives from it) is silently mapped to
 * an empty list, i.e. the user ends up in no groups at all. That fails
 * closed (fewer groups, not more), but nothing is logged — confirm that
 * callers can live with an unreachable provider being indistinguishable
 * from "no groups".
 *
 * @param string $bearerToken the OAuth bearer token presented to the provider
 *
 * @return array the decoded JSON response, or an empty array on failure
 */
private function fetchGroups($bearerToken)
{
    $apiUrl = $this->instanceConfig->v('groupProviders', 'VootProvider', 'apiUrl');
    $requestOptions = [
        'headers' => [
            'Authorization' => sprintf('Bearer %s', $bearerToken),
        ],
    ];
    $httpClient = new Client();

    try {
        $response = $httpClient->get($apiUrl, $requestOptions);
        $groups = $response->json();
    } catch (TransferException $e) {
        // treat an unreachable or misbehaving provider as "no groups"
        return [];
    }

    return $groups;
}
/**
 * Register the API routes that expose the pool configuration.
 *
 * Both routes are restricted to callers authenticated as the admin or
 * user portal (enforced by Utils::requireUser()).
 *
 * NOTE(review): both routes return PoolConfig::v() wholesale; confirm the
 * pool configuration holds nothing that should not reach the user portal.
 *
 * @param Service $service the HTTP service to register the routes on
 */
public function init(Service $service)
{
    $allowedUsers = ['vpn-admin-portal', 'vpn-user-portal'];

    // every pool of this instance, keyed by pool identifier
    $service->get('/server_pools', function (Request $request, array $hookData) use ($allowedUsers) {
        Utils::requireUser($hookData, $allowedUsers);
        $responseData = [];
        foreach (array_keys($this->instanceConfig->v('vpnPools')) as $poolId) {
            $poolConfig = new PoolConfig($this->instanceConfig->v('vpnPools', $poolId));
            $responseData[$poolId] = $poolConfig->v();
        }

        return new ApiResponse('server_pools', $responseData);
    });

    // a single pool, selected by the "pool_id" query parameter, which is
    // validated before it is used as a configuration key
    $service->get('/server_pool', function (Request $request, array $hookData) use ($allowedUsers) {
        Utils::requireUser($hookData, $allowedUsers);
        $poolId = $request->getQueryParameter('pool_id');
        InputValidation::poolId($poolId);
        $poolConfig = new PoolConfig($this->instanceConfig->v('vpnPools', $poolId));

        return new ApiResponse('server_pool', $poolConfig->v());
    });
}
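/**
 * Build the FORWARD rules for all pools of an instance, for one address
 * family.
 *
 * For every pool (skipping pools with "forward6" disabled when building
 * IPv6 rules) a per-pool chain "vpn-<instance>-<pool>" is created, and only
 * traffic that both enters on the pool's tun interfaces AND carries a source
 * address from the pool's client range is sent into it. Inside that chain,
 * in order:
 *   1. the pool's restrictive forwarding rules from getForwardFirewall(),
 *      placed first so they are evaluated before any ACCEPT below;
 *   2. client-to-client traffic within the pool range, if enabled;
 *   3. either everything leaving via the external interface
 *      ("defaultGateway"), or only the configured routes of the matching
 *      address family.
 *
 * The "defaultGateway" rule previously passed a spurious fourth sprintf
 * argument that the format string never consumed; it is dropped here, the
 * generated rule is unchanged.
 *
 * @param InstanceConfig $instanceConfig the instance configuration
 * @param int            $inetFamily     4 for IPv4 rules, 6 for IPv6 rules
 *
 * @return array list of rule strings, in the order they must be applied
 */
private static function getForwardChain(InstanceConfig $instanceConfig, $inetFamily)
{
    $instanceNumber = $instanceConfig->v('instanceNumber');
    $forwardChain = [];

    foreach (array_keys($instanceConfig->v('vpnPools')) as $poolNumber => $poolId) {
        $poolConfig = new PoolConfig($instanceConfig->v('vpnPools', $poolId));
        if (6 === $inetFamily && !$poolConfig->v('forward6')) {
            // IPv6 forwarding was disabled for this pool
            continue;
        }

        // the client range of the requested address family
        $srcNet = 4 === $inetFamily ? $poolConfig->v('range') : $poolConfig->v('range6');
        $chainName = sprintf('vpn-%s-%s', $instanceNumber, $poolNumber);
        $tunIf = sprintf('tun-%s-%s+', $instanceNumber, $poolNumber);

        $forwardChain[] = sprintf('-N %s', $chainName);
        // interface AND source-range match, so a spoofed source on the tun
        // interface never reaches the permissive rules in the pool chain
        $forwardChain[] = sprintf('-A FORWARD -i %s -s %s -j %s', $tunIf, $srcNet, $chainName);

        // restrictive rules first: they must precede the ACCEPT rules below
        $forwardChain = array_merge($forwardChain, self::getForwardFirewall($instanceNumber, $poolNumber, $poolConfig, $inetFamily));

        if ($poolConfig->v('clientToClient')) {
            // allow client-to-client traffic within the pool range
            $forwardChain[] = sprintf('-A %s -o %s -d %s -j ACCEPT', $chainName, $tunIf, $srcNet);
        }

        if ($poolConfig->v('defaultGateway')) {
            // allow traffic to all outgoing destinations
            $forwardChain[] = sprintf('-A %s -o %s -j ACCEPT', $chainName, $poolConfig->v('extIf'));
        } else {
            // only allow the configured routes of this address family
            foreach ($poolConfig->v('routes') as $route) {
                $routeIp = new IP($route);
                if ($inetFamily === $routeIp->getFamily()) {
                    $forwardChain[] = sprintf('-A %s -o %s -d %s -j ACCEPT', $chainName, $poolConfig->v('extIf'), $route);
                }
            }
        }
    }

    return $forwardChain;
}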