1# params for ipsec.conf
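IPSEC_CONF = {
    # Global strongSwan settings written to the "config setup" section.
    "config setup": {
        # charon debug levels per subsystem ("<subsystem> <level>" pairs).
        # repr() wraps the value in quotes so the generated ipsec.conf line
        # reads charondebug='...'; presumably required because the value
        # contains spaces - confirm against the ipsec.conf writer.
        "charondebug": repr("chd 2,ike 2,knl 2,net 2,esp 2,dmn 2,"
                            "mgr 2,lib 1,cfg 2,enc 1"),
        # Do not enforce unique peer identities, so several clients may
        # connect with the same ID without tearing each other down.
        "uniqueids": "never"
    },
    # Defaults inherited by every other "conn" section.
    "conn %default": {
        # IKE and ESP proposals. NOTE(review): modp1024 (DH group 2) and
        # SHA-1 are legacy algorithms; presumably kept to match the client
        # profiles under test - confirm before reusing this outside the lab.
        "ike": "aes128-sha-modp1024",
        "esp": "aes128-sha1"
    }
}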
13
# IKEv1 transport-mode connection for L2TP/IPsec authenticated by a
# pre-shared key. The value is written as a "conn" section of ipsec.conf.
IPSEC_L2TP_PSK = {
    "conn L2TP_PSK": dict(
        keyexchange="ikev1",
        # transport mode: IPsec protects only the L2TP traffic itself
        type="transport",
        # local (server) end, presumably the AP's LAN address; protocol 17
        # (UDP) port 1701 is the L2TP port
        left="192.168.1.1",
        leftprotoport="17/1701",
        leftauth="psk",
        # any remote peer, any UDP source port
        right="%any",
        rightprotoport="17/%any",
        rightsubnet="0.0.0.0/0",
        rightauth="psk",
        # load the connection and wait for the peer to initiate
        auto="add",
    )
}
28
# IKEv1 transport-mode connection for L2TP/IPsec with certificate (RSA)
# authentication on both ends.
IPSEC_L2TP_RSA = {
    "conn L2TP_RSA": dict(
        keyexchange="ikev1",
        # transport mode: IPsec protects only the L2TP traffic itself
        type="transport",
        # local (server) end, presumably the AP's LAN address; protocol 17
        # (UDP) port 1701 is the L2TP port
        left="192.168.1.1",
        leftprotoport="17/1701",
        # server authenticates with the certificate named here (file name
        # only; the lookup location is decided by the ipsec.conf writer)
        leftauth="pubkey",
        leftcert="serverCert.der",
        # any remote peer, any UDP source port; the client must also
        # present a certificate
        right="%any",
        rightprotoport="17/%any",
        rightsubnet="0.0.0.0/0",
        rightauth="pubkey",
        # load the connection and wait for the peer to initiate
        auto="add",
    )
}
44
# IKEv1 tunnel for the "Hybrid RSA" client profile: server certificate plus
# XAuth username/password for the client.
IPSEC_HYBRID_RSA = {
    "conn HYBRID_RSA": dict(
        keyexchange="ikev1",
        # local (server) end, presumably the AP's LAN address; whole
        # address space offered so all client traffic goes through the tunnel
        left="192.168.1.1",
        leftsubnet="0.0.0.0/0",
        # server authenticates with its certificate and always sends it
        leftauth="pubkey",
        leftcert="serverCert.der",
        leftsendcert="always",
        right="%any",
        rightsubnet="0.0.0.0/0",
        # NOTE(review): rightauth=pubkey together with rightauth2=xauth
        # requires the client to present a certificate *and* XAuth
        # credentials; confirm this is what the "hybrid" client profile
        # under test actually sends.
        rightauth="pubkey",
        rightauth2="xauth",
        # this end acts as the XAuth server
        xauth="server",
        # load the connection and wait for the peer to initiate
        auto="add",
    )
}
61
# IKEv1 tunnel for the "XAuth PSK" client profile: pre-shared key plus XAuth
# username/password for the client.
IPSEC_XAUTH_PSK = {
    "conn XAUTH_PSK": dict(
        keyexchange="ikev1",
        # local (server) end, presumably the AP's LAN address; whole
        # address space offered so all client traffic goes through the tunnel
        left="192.168.1.1",
        leftsubnet="0.0.0.0/0",
        leftauth="psk",
        right="%any",
        rightsubnet="0.0.0.0/0",
        # client proves the PSK, then XAuth credentials as a second round
        rightauth="psk",
        rightauth2="xauth",
        # NOTE(review): unlike the RSA profiles no explicit xauth=server is
        # set here; confirm the XAuth role is derived from rightauth2.
        # load the connection and wait for the peer to initiate
        auto="add",
    )
}
75
# IKEv1 tunnel for the "XAuth RSA" client profile: server certificate, with
# the client authenticating by XAuth username/password only.
IPSEC_XAUTH_RSA = {
    "conn XAUTH_RSA": dict(
        keyexchange="ikev1",
        # local (server) end, presumably the AP's LAN address; whole
        # address space offered so all client traffic goes through the tunnel
        left="192.168.1.1",
        leftsubnet="0.0.0.0/0",
        # NOTE(review): no explicit leftauth here, unlike the other RSA
        # profiles; the server's auth method falls back to the parser
        # default when leftcert is set - confirm this is intended.
        leftcert="serverCert.der",
        leftsendcert="always",
        right="%any",
        rightsubnet="0.0.0.0/0",
        # client is authenticated by XAuth alone (no client certificate)
        rightauth="xauth",
        # this end acts as the XAuth server
        xauth="server",
        # load the connection and wait for the peer to initiate
        auto="add",
    )
}
90
# params for xl2tpd
92
# [global] section of xl2tpd.conf: the header line followed by one
# "key = value" line per setting, in the order listed.
XL2TPD_CONF_GLOBAL = tuple(
    ["[global]"]
    + ["{} = {}".format(key, value) for key, value in (
        # no kernel SAref tracking
        ("ipsec saref", "no"),
        # all xl2tpd debug categories off
        ("debug tunnel", "no"),
        ("debug avp", "no"),
        ("debug network", "no"),
        ("debug state", "no"),
        # accept tunnels from any peer (no per-peer access list)
        ("access control", "no"),
        # randomness from the kernel device rather than the C library
        ("rand source", "dev"),
        # standard L2TP UDP port
        ("port", "1701"),
    )]
)
104
# [lns default] section of xl2tpd.conf (the L2TP Network Server side).
# The constant keeps its historical name "INS" because callers import it.
XL2TPD_CONF_INS = tuple(
    ["[lns default]"]
    + ["{} = {}".format(key, value) for key, value in (
        # every peer must authenticate; its name is passed on to pppd
        ("require authentication", "yes"),
        ("pass peer", "yes"),
        ("ppp debug", "no"),
        ("length bit", "yes"),
        # PAP and CHAP are refused so authentication is left to the
        # MS-CHAPv2 requirement in the pppd options (XL2TPD_OPTION)
        ("refuse pap", "yes"),
        ("refuse chap", "yes"),
    )]
)
114
# pppd options for the L2TP sessions, one option per entry. Grouped by
# purpose; the concatenation yields the same flat tuple in the same order.
XL2TPD_OPTION = (
    # peer must authenticate with MS-CHAPv2; MS-CHAP v1 is refused
    ("require-mschap-v2", "refuse-mschap")
    # DNS servers announced to the client. NOTE(review): hard-coded public
    # resolvers; confirm the test network is meant to reach them.
    + ("ms-dns 8.8.8.8", "ms-dns 8.8.4.4")
    # link, MTU and keepalive tuning. "debug" logs packet contents;
    # "hide-password" keeps the peer's password out of that log.
    + ("asyncmap 0", "auth", "crtscts", "idle 1800", "mtu 1410", "mru 1410",
       "connect-delay 5000", "lock", "hide-password", "local", "debug",
       "modem", "proxyarp", "lcp-echo-interval 30", "lcp-echo-failure 4")
    # no MPPE on the PPP layer; confidentiality comes from IPsec
    + ("nomppe",)
)
137
# iptables rules for vpn_pptp
# Accept all traffic on PPP interfaces (ppp+) in the OpenWrt user chains:
# inbound on input_rule, outbound on output_rule, inbound on forwarding_rule.
FIREWALL_RULES_FOR_PPTP = tuple(
    "iptables -A {} {} ppp+ -j ACCEPT".format(chain, direction)
    for chain, direction in (
        ("input_rule", "-i"),
        ("output_rule", "-o"),
        ("forwarding_rule", "-i"),
    )
)
144
# iptables rules for vpn_l2tp
# Firewall rules for L2TP/IPsec, grouped by purpose. Each rule string is the
# exact command line; the groups concatenate to one flat tuple in order.
FIREWALL_RULES_FOR_L2TP = (
    # inserted at the top: accept traffic matched by an IPsec policy, and
    # exempt IPsec-bound traffic from NAT
    ("iptables -I INPUT  -m policy --dir in --pol ipsec --proto esp -j ACCEPT",
     "iptables -I FORWARD  -m policy --dir in --pol ipsec --proto esp -j ACCEPT",
     "iptables -I FORWARD  -m policy --dir out --pol ipsec --proto esp -j ACCEPT",
     "iptables -I OUTPUT   -m policy --dir out --pol ipsec --proto esp -j ACCEPT",
     "iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT")
    # appended: established flows and raw ESP
    + ("iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT",
       "iptables -A INPUT -p esp -j ACCEPT")
    # IKE (500) and NAT-T (4500) on eth0.2 (presumably the WAN side).
    # NOTE(review): IKE runs over UDP, so the tcp/500 rule looks unneeded,
    # and the two udp rules are duplicated by the interface-agnostic rules
    # that follow.
    + ("iptables -A INPUT -i eth0.2 -p udp --dport 500 -j ACCEPT",
       "iptables -A INPUT -i eth0.2 -p tcp --dport 500 -j ACCEPT",
       "iptables -A INPUT -i eth0.2 -p udp --dport 4500 -j ACCEPT")
    # IKE and NAT-T on any interface
    + ("iptables -A INPUT -p udp --dport 500 -j ACCEPT",
       "iptables -A INPUT -p udp --dport 4500 -j ACCEPT")
    # L2TP (udp/1701) only when it arrives inside an IPsec policy
    + ("iptables -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT",)
)
161
# Drop DNS replies (source port 53) leaving this host over IPv4 and IPv6,
# UDP and TCP - presumably to make name resolution fail for the clients
# under test. Order: iptables udp, iptables tcp, ip6tables udp, ip6tables tcp.
FIREWALL_RULES_DISABLE_DNS_RESPONSE = tuple(
    "{} -I OUTPUT -p {} --sport 53 -j DROP".format(tool, proto)
    for tool in ("iptables", "ip6tables")
    for proto in ("udp", "tcp")
)
168
169
170# Object for vpn profile
class VpnL2tp(object):
    """L2TP VPN server profile handed to the OpenWrt setup code.

    The constructor only stores what it is given; nothing is validated and
    no I/O happens here.

    Attributes:
        name: name the server is registered under on OpenWrt
        hostname: VPN server domain name
        address: VPN server address
        username: VPN user account
        password: VPN user password, held as a plain string - keep it out
            of logs
        psk_secret: IPsec pre-shared key, held as a plain string - keep it
            out of logs
    """

    def __init__(self,
                 vpn_server_hostname,
                 vpn_server_address,
                 vpn_username,
                 vpn_password,
                 psk_secret,
                 server_name):
        """Record the server identity, endpoint and credentials."""
        # how OpenWrt will refer to this server
        self.name = server_name
        # where clients connect
        self.hostname = vpn_server_hostname
        self.address = vpn_server_address
        # user credentials and the IPsec PSK
        self.username = vpn_username
        self.password = vpn_password
        self.psk_secret = psk_secret
196