vpnmaker 0.0.0

data/.document

@@ -0,0 +1,5 @@
+lib/**/*.rb
+bin/*
+- 
+features/**/*.feature
+LICENSE.txt

data/Gemfile

@@ -0,0 +1,25 @@
+source 'https://rubygems.org'
+
+group :development do
+  gem "pry"
+  gem 'pry-doc' #, :git => 'https://github.com/pry/pry-doc.git'
+  gem 'pry-rails' #, :git => 'https://github.com/rweng/pry-rails.git'
+  gem 'pry-nav' #, :git => 'https://github.com/nixme/pry-nav.git'
+  gem 'pry-syntax-hacks' #, :git => 'https://github.com/ConradIrwin/pry-syntax-hacks.git'
+  gem 'pry-stack_explorer' #, :git =>  'https://github.com/pry/pry-stack_explorer.git'
+  gem 'pry-exception_explorer' #, :git => 'https://github.com/pry/pry-exception_explorer.git'
+  gem "rdoc", "~> 3.12"
+  gem "bundler" #, "~> 1.0.0"
+  gem "jeweler" #, "~> 1.8.3"
+end
+
+gem 'ipaddr_extensions'
+#, :git => 'git://github.com/jamesotron/IPAddrExtensions.git'
+
+gem 'haml'
+gem 'trollop'
+gem 'gibberish', :git => 'git://github.com/mdp/gibberish.git'
+gem 'rubyzip', :git => 'git://github.com/aussiegeek/rubyzip.git'
+# gem 'slim'
+
+# gem 'slop', :git => 'git://github.com/injekt/slop.git'

data/README.rdoc

@@ -0,0 +1,91 @@
+most of the code was stolen from here: http://github.com/pc/vpnmaker
+i made a gem and converted it to use haml
+= VPNMaker
+
+VPNMaker takes the teetering jankiness out of setting up and administering OpenVPN.
+
+== Key management
+
+To set up your VPN, run:
+
+  irb -r vpnmaker
+  >> VPNMaker.generate('foocorp', '/root')
+
+Which will place <tt>foocorp.vpn</tt> in <tt>/root</tt>. All of the files that OpenVPN needs will be placed in <tt>/root/foocorp.vpn/foocorp_data</tt>.
+
+Next, you should create <tt>foocorp.config.yaml</tt> in <tt>/root/foocorp.vpn</tt>. It should look something like this:
+
+  :key_properties:
+    :country: US
+    :province: CA
+    :city: San Francisco
+    :organization: FooCorp Inc
+    :email: security@foocorp.com
+
+The values in <tt>foocorp.config.yaml</tt> will be used to generate keys and OpenVPN configuration files.
+
+Administration tasks are carried out with <tt>VPNMaker::Manager</tt>.
+
+Creating the Certificate Authority is the first order of business. You'll want to keep its keys safe from both intruders and data loss.
+
+  >> mgr = VPNMaker::Manager.new('/root/foocorp.vpn')
+  >> mgr.build_ca
+
+Behind the scenes, this will create <tt>ca.crt</tt>, <tt>ca.key</tt>, <tt>crl.pem</tt>, <tt>dh.pem</tt>, <tt>index.txt</tt> and <tt>serial</tt> in the <tt>foocorp_data</tt> directory. Respectively these are: the public certificate for the CA that every user should get; the private key for signing other certs that should be kept safe; a certificate revocation file you'll need to revoke signed certificates (e.g. after a laptop is compromised); an encryption key for the server side of the VPN connection; a file for OpenSSL to track key state that you should never need to touch; and another file that OpenSSL uses for tracking key IDs that you shouldn't have to worry about.
+
+Now that we have a Certificate Authority, we should create a server certificate:
+
+  >> mgr.build_server
+
+This creates <tt>server.key</tt> and <tt>server.crt</tt> in the <tt>foocorp_data</tt> directory, both of which are for distribution only to the VPN server. It also creates <tt>dh.key</tt> and <tt>ta.key</tt>. The first of these is a key for creating TLS connections on the server; the second is a key shared between both the server and clients that provides some additional security. (See the tls-auth section at http://openvpn.net/index.php/open-source/documentation/howto.html for more details.)
+
+Next, we can create our first user:
+
+  >> mgr.create_user('joe', 'Joe Bloggs', 'joe.bloggs@foocorp.com', 'password')
+  >> mgr.users
+  => ['joe']
+  >> mgr.user('joe')
+  => {:user=>"joe", :revoked=>[], :email=>"joe.bloggs@foocorp.com", :name=>"Joe Bloggs", :modified=>Mon Oct 11 10:42:44 -0700 2010, :active_key=>0}
+
+The most important thing to note here is that Joe Bloggs has no revoked keys, and that his active key is version 0. We can go ahead and give <tt>joe-0.key</tt> and <tt>joe-0.crt</tt> to Joe. (They'll be in the <tt>foocorp_data</tt> directory.)
+
+Now say Joe loses his laptop. We need to both disable his old key and give him a new one:
+
+  >> mgr.regenerate_user('joe', 'newpassword')
+
+This will create new keys for Joe, and update the server's <tt>crl.pem</tt> revocation file. If we check the database, we see that his <tt>active_key</tt> is now <tt>1</tt>, while <tt>0</tt> has been added to the list of revoked keys:
+
+  >> mgr.user('joe')
+  => {:user=>"joe", :revoked=>[0], :email=>"joe.bloggs@foocorp.com", :name=>"Joe Bloggs", :modified=>Mon Oct 11 10:42:44 -0700 2010, :active_key=>1}
+We should now go ahead and distribute <tt>joe-1.key</tt> and <tt>joe-1.crt</tt> to Joe, as well as make sure our OpenVPN servers get the latest version of the <tt>crl.pem</tt> revocation file.
+
+When Joe leaves the company, we can do:
+
+  >> mgr.delete_user('joe')
+  >> mgr.user('joe')
+  => {:user=>"joe", :revoked=>[0, 1], :email=>"joe.bloggs@foocorp.com", :name=>"Joe Bloggs", :modified=>Mon Oct 11 11:32:10 -0700 2010, :active_key=>1}
+
+Which does the same revocation as in <tt>regenerate_user</tt>, but doesn't generate new keys.
+
+== OpenVPN management
+
+To get OpenVPN set up, you should go back and edit <tt>foocorp.config.yaml</tt>, and add the following section:
+
+  :server:
+    :base_ip: 10.10.10.0
+    :user: nouser
+    :group: nogroup
+    :root: /root/openvpn
+    :log: /var/log/openvpn.log
+    :host: foocorp.com
+    :port: 1194
+
+You may want to modify some of the values. Then, head back to irb, and do something like:
+
+  >> puts mgr.config_generator.server
+
+Which will output a config file that you can copy and paste into <tt>openvpn.conf</tt> on your server. You'll want make sure that the following files exist in <tt>/root/openvpn</tt> (or whatever your root directory is): <tt>ca.crt</tt> (so that the server can verify the validity of client certificates), <tt>dh.pem</tt> (for encryption of the connection), <tt>server.crt</tt> (the server's public key), <tt>server.key</tt> (the server's private key), <tt>ta.key</tt> (shared secret between server and clients), and <tt>crl.pem</tt> (so that the server will reject revoked certificates).
+
+== OpenVPN client
+
+Each client will need: <tt>user.key</tt>, <tt>user.crt</tt>, <tt>ca.crt</tt> and <tt>ta.key</tt>. Make sure to enable tls-auth = 1.

data/Rakefile

@@ -0,0 +1,99 @@
+# encoding: utf-8
+
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'rake'
+
+require 'jeweler'
+Jeweler::Tasks.new do |gem|
+  # gem is a Gem::Specification... see http://docs.rubygems.org/read/chapter/20 for more options
+  gem.name = "vpnmaker"
+  gem.executables = 'vpnmaker'
+  gem.homepage = "http://github.com/voipscout/vpnmaker"
+  gem.license = "MIT"
+  gem.summary = %Q{Makes it easy to manage OpenVPN}
+  gem.description = %Q{haml templates and key tracking}
+  gem.email = "voipscout@gmail.com"
+  gem.authors = ["Voip Scout"]
+  # dependencies defined in Gemfile
+end
+Jeweler::RubygemsDotOrgTasks.new
+
+# require 'rake/testtask'
+# Rake::TestTask.new(:test) do |test|
+#   test.libs << 'lib' << 'test'
+#   test.pattern = 'test/**/test_*.rb'
+#   test.verbose = true
+# end
+
+# require 'rcov/rcovtask'
+# Rcov::RcovTask.new do |test|
+#   test.libs << 'test'
+#   test.pattern = 'test/**/test_*.rb'
+#   test.verbose = true
+#   test.rcov_opts << '--exclude "gems/*"'
+# end
+
+# task :default => :test
+
+require 'rdoc/task'
+Rake::RDocTask.new do |rdoc|
+  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "vpnmaker #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+# require 'highline/import'
+# require File.join(File.dirname(__FILE__), 'vpnmaker')
+
+# def get_arg(argname, echo=true)
+#   return ENV[argname] if ENV[argname]
+#   ask("Value for #{argname}?") { |q| q.echo = false unless echo }
+# end
+
+# namespace :config do
+#   desc 'Generate server config'
+#   task :server => :environment do
+#     puts $manager.config_generator.server
+#   end
+
+#   desc 'Generate client config'
+#   task :client => :environment do
+#     username = get_arg('username')
+#     puts $manager.config_generator.client($manager.user(username))
+#   end
+# end
+
+# namespace :user do
+#   desc 'Create a new user'
+#   task :create => :environment do
+#     cn = get_arg('cn')
+#     name = get_arg('name')
+#     email = get_arg('email')
+#     password = get_arg('password', false)
+#     confirm_password = get_arg('confirm_password', false)
+#     raise ArgumentError.new("Password mismatch") unless password == confirm_password
+
+#     if password.length > 0
+#       $manager.create_user(cn, name, email, password)
+#     else
+#       $manager.create_user(cn, name, email)
+#     end
+#   end
+# end
+
+# # Set up environment
+# task :environment do
+#   vpndir = get_arg('vpndir')
+#   $manager = VPNMaker::Manager.new(vpndir)
+# end

data/VERSION

@@ -0,0 +1 @@
+0.0.0

data/bin/vpnmaker

@@ -0,0 +1,11 @@
+#!/usr/bin/env ruby
+require_relative '../lib/vpnmaker.rb'
+require 'trollop'
+
+opts = Trollop::options do
+  version "vpnmaker 0.0.1 (c) Coolio"
+  banner "vpnmaker [options]"
+  opt :verbose, 'Enable verbose mode'
+end
+
+#raise Trollop::HelpNeeded if ARGV.empty?

data/foocorp.config.yaml

@@ -0,0 +1,24 @@
+:server:
+  :base_ip: 10.10.10.0
+  :bridgednets: # real networks to bridge via the VPN server
+    - 172.16.0.0
+  :subnets: # subnets that exist only on the VPN
+    - 10.10.11.0
+  :user: nobody
+  :group: nogroup
+  :root: /root/openvpn
+  :log: /var/log/openvpn.log
+  :host: vpn.foocorp.com
+  :port: 1194
+
+:client:
+  :subnet: 172.16.0.0
+  :local_endpoint: 10.10.10.100
+  :remote_endpoint: 10.10.10.1
+
+:key_properties:
+  :country: US
+  :province: CA
+  :city: San Francisco
+  :organization: FooCorp Inc
+  :email: sec@foocorp.com

data/lib/client.haml

@@ -0,0 +1,13 @@
+remote #{server[:host]} #{server[:port]} udp
+persist-key
+tls-client
+tls-auth ta.key 1
+pull
+ca ca.crt
+dev tun
+persist-tun
+cert #{user}-#{(revoked.max || - 1) + 1}.crt
+nobind
+key #{user}-#{(revoked.max || - 1) + 1}.key
+remote-cert-tls server
+:plain

data/lib/openssl.haml

@@ -0,0 +1,144 @@
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+openssl_conf		= openssl_init
+
+[ openssl_init ]
+oid_section		= new_oids
+engines                 = engine_section
+
+[ new_oids ]
+[ ca ]
+default_ca	= CA_default
+
+[CA_default ]
+
+dir		= #{key_dir}
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key	 	# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= md5			# which md to use.
+preserve	= no			# keep passed DN ordering
+
+policy		= policy_anything
+
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+[ req ]
+default_bits		= #{key_size}
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+string_mask = nombstr
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= #{key_country}
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= #{key_province}
+
+localityName			= Locality Name (eg, city)
+localityName_default		= #{key_city}
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= #{key_org}
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+name				= Name
+name_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= #{key_email}
+emailAddress_max		= 40
+
+organizationalUnitName_default = #{key_ou}
+commonName_default = #{key_cn}
+name_default = #{key_name}
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+basicConstraints=CA:FALSE
+nsComment			= "Easy-RSA Generated Certificate"
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+[ server ]
+
+basicConstraints=CA:FALSE
+nsCertType			= server
+nsComment			= "Easy-RSA Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+
+[ v3_req ]
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = CA:true
+
+[ crl_ext ]
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ engine_section ]
+
+[ pkcs11_section ]
+engine_id = pkcs11
+dynamic_path = /usr/lib/engines/engine_pkcs11.so
+MODULE_PATH = blub # $ENV::PKCS11_MODULE_PATH
+PIN = blub # $ENV::PKCS11_PIN
+init = 0
+:plain

data/lib/server.haml

@@ -0,0 +1,38 @@
+\# Auto-generated by vpnmaker on #{gen_host} #{Time.now.to_s}
+\# See http://github.com/pc/vpnmaker
+mode server
+tls-server
+local #{host}
+port #{port}
+proto udp
+
+dev tun0
+server #{base_ip[:net]} #{base_ip[:mask]}
+\
+\# subnets.each do
+- subnets.each do |net|
+  route #{net[:net]} #{net[:mask]}
+  push route #{net[:mask]} #{net[:mask]}
+\
+\# bridgednets.each do
+- bridgednets.each do |net|
+  push route #{net[:net]} #{net[:mask]}
+\
+user #{user}
+group #{group}
+dh #{root}/keys/dh.pem
+ca #{root}/keys/ca.crt
+cert #{root}/keys/server.crt
+key #{root}/keys/server.key
+crl-verify #{root}/keys/crl.pem
+  
+keepalive 10 120
+
+log #{log}
+
+persist-tun
+persist-key
+
+tls-auth #{root}/keys/ta.key 0
+client-config-dir #{root}/ccd
+:plain