StoneVPN

Scripts to manage certificates or generate config files

Moderators: TinCanTech

leon
OpenVpn Newbie
Posts: 8
Joined: Thu Oct 21, 2010 10:56 am

StoneVPN

Post by leon » Thu Oct 21, 2010 11:00 am

Just wanted to say that I've coded a tool for easy OpenVPN certificate and configuration management. It's called StoneVPN, written in Python, and it's available from the EPEL repository if you're using RHEL/CentOS, and from the Fedora (12 and later) repositories. It's also available as a tarball on github.com/lkeijser/stonevpn.

Any feedback would be most welcome.

krzee
Forum Team
Posts: 728
Joined: Fri Aug 29, 2008 5:42 pm

Re: StoneVPN

Post by krzee » Fri Oct 22, 2010 7:10 am

I have made this post sticky.
Thank you for sharing your tool :D

dhruvpandit
OpenVPN Power User
Posts: 53
Joined: Tue Apr 19, 2011 11:18 am

Re: StoneVPN

Post by dhruvpandit » Tue Nov 08, 2011 9:11 am

How do I use it?

dhruvpandit
OpenVPN Power User
Posts: 53
Joined: Tue Apr 19, 2011 11:18 am

Re: StoneVPN

Post by dhruvpandit » Tue Nov 08, 2011 9:19 am

Sorry, repost. :(
Last edited by dhruvpandit on Wed Nov 09, 2011 9:52 am, edited 1 time in total.

leon
OpenVpn Newbie
Posts: 8
Joined: Thu Oct 21, 2010 10:56 am

Re: StoneVPN

Post by leon » Tue Nov 08, 2011 4:27 pm

dhruvpandit wrote: how to use it?
$ man stonevpn
$ stonevpn --help

An easy example is in the man page.

dhruvpandit
OpenVPN Power User
Posts: 53
Joined: Tue Apr 19, 2011 11:18 am

Re: StoneVPN

Post by dhruvpandit » Wed Nov 09, 2011 9:55 am

leon wrote:
dhruvpandit wrote: how to use it?
$ man stonevpn
$ stonevpn --help

An easy example is in the man page.
Thanks for the fast reply leon,

but I am very new to OpenVPN, so I need some more examples :(
I set up my server just 2 days back.
I also want to ask if you know any GUI-based certificate management script or tool; if so, please let me know.

And if possible, please give some more examples of how to create and revoke certificates with stonevpn.

dhruvpandit
OpenVPN Power User
Posts: 53
Joined: Tue Apr 19, 2011 11:18 am

Re: StoneVPN

Post by dhruvpandit » Fri Nov 18, 2011 6:41 am

Getting this error:

[root@VPN2 stonevpn]# stonevpn -f dhruvpandit -n "dhruvpandit" -z -p -m MY MAIL ID@gmail.com
Traceback (most recent call last):
  File "/usr/bin/stonevpn", line 17, in ?
    import StoneVPN.app as app
  File "/usr/lib/python2.4/site-packages/StoneVPN/app.py", line 38, in ?
    from OpenSSL import SSL, crypto
ImportError: No module named OpenSSL

leon
OpenVpn Newbie
Posts: 8
Joined: Thu Oct 21, 2010 10:56 am

Re: StoneVPN

Post by leon » Fri Nov 18, 2011 6:57 am

Hi,

This means you didn't install the pyOpenSSL library. On RedHat/CentOS it's

yum install pyOpenSSL

On Debian it's (AFAIK)

apt-get install python-openssl

PS: that was in the README file though ;)

dhruvpandit
OpenVPN Power User
Posts: 53
Joined: Tue Apr 19, 2011 11:18 am

Re: StoneVPN

Post by dhruvpandit » Mon Nov 28, 2011 12:20 pm

Now it's giving this error:

Traceback (most recent call last):
  File "/usr/bin/stonevpn", line 17, in ?
    import StoneVPN.app as app
  File "/usr/lib/python2.4/site-packages/StoneVPN/app.py", line 43, in ?
    from IPy import IP
ImportError: No module named IPy

I have installed the other packages, but this package isn't installed by yum either.

Please tell me how to install it.
Also give me the list of all required packages so I can install them at once.

If stonevpn could be installed with yum install stonevpn, that would be great, but it's showing this:

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* rpmforge: fr2.rpmfind.net
* base: mirrors.cat.pdx.edu
* updates: mirrors.cat.pdx.edu
* extras: ftp.osuosl.org
Warning: No matches found for: stonevpn
No Matches found

leon
OpenVpn Newbie
Posts: 8
Joined: Thu Oct 21, 2010 10:56 am

Re: StoneVPN

Post by leon » Mon Nov 28, 2011 3:44 pm

You will need to install the EPEL repo first. This is also mentioned in the README file ;)

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: StoneVPN

Post by Mimiko » Tue Nov 29, 2011 7:25 am

Will it be ported to windows?

leon
OpenVpn Newbie
Posts: 8
Joined: Thu Oct 21, 2010 10:56 am

Re: StoneVPN

Post by leon » Tue Nov 29, 2011 9:48 am

Mimiko wrote: Will it be ported to windows?
I have no immediate plans for that, but it shouldn't be too hard considering it's all python. Perhaps a few linux-only hacks but nothing that can't be ported. I'll make it a TODO item :)

dhruvpandit
OpenVPN Power User
Posts: 53
Joined: Tue Apr 19, 2011 11:18 am

Re: StoneVPN

Post by dhruvpandit » Tue Nov 29, 2011 11:58 am

Thanks, now I have installed it via YUM.

Now it's giving this error:

Error: missing section 'organizationalUnitName_default' in /etc/pki/tls/openssl.cnf

I already have an active OpenVPN with about 25 clients on this server.

I think this is some certificate issue.
How can I use stonevpn with my old certificates?

leon
OpenVpn Newbie
Posts: 8
Joined: Thu Oct 21, 2010 10:56 am

Re: StoneVPN

Post by leon » Tue Nov 29, 2011 12:37 pm

dhruvpandit wrote: thanks, now i have installed it via YUM.

now its giving this error :

Error: missing section 'organizationalUnitName_default' in /etc/pki/tls/openssl.cnf
...

Really, it's not that hard. Add 'organizationalUnitName_default' to your openssl.cnf file. Search for it (it's probably commented out) and add a default OU name (something like 'VPN' would be OK).

dhruvpandit
OpenVPN Power User
Posts: 53
Joined: Tue Apr 19, 2011 11:18 am

Re: StoneVPN

Post by dhruvpandit » Wed Nov 30, 2011 9:34 am

Please tell me how to use my old certificates with StoneVPN. Or will it use the same old certs and key file?

leon
OpenVpn Newbie
Posts: 8
Joined: Thu Oct 21, 2010 10:56 am

Re: StoneVPN

Post by leon » Wed Nov 30, 2011 11:05 am

dhruvpandit wrote: pls tell me how to use my old certificates with stoneVPN? or will it use the same old certs and key file ?
You should edit /etc/stonevpn.conf and make sure it points to the correct locations for your CA certificate and key file and openssl.cnf. Then stonevpn just parses openssl.cnf [1], looks up the index file (usually index.txt) and reads information about your already existing certificates. You can check it by running:

$ stonevpn -a

which should list your certificates.

Let me know if you run into any problems there. Sometimes the way a certificate is generated has an impact on how stonevpn parses the index file. If everything works okay (in particular, the serial numbers for your certs are correct) you can then revoke certificates using:

$ stonevpn -r SERIAL

[1] I realize now that specifying CA crt and key files in stonevpn.conf is kind of redundant if later it parses openssl.cnf and can read those values there as well. Will probably fix it in the next version.
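Since stonevpn builds its view of existing certificates from the CA's index.txt, a small parser for that file is a handy way to check what `stonevpn -a` ought to list and which serials are still live before anything is passed to `stonevpn -r`. The parser below is an added example, not stonevpn's own code; the sample index, the names, serials and dates in it, and the `DEMO_NOW` timestamp are constructed for the demonstration.

```python
"""Added example (not stonevpn code): parse an OpenSSL CA database (index.txt)
and report the effective state of every issued certificate."""
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple, Optional

# Constructed sample index.txt.  Fields, tab separated, as 'openssl ca' writes them:
# status flag, notAfter, revocation date[,reason], serial (hex), cert file name
# (openssl writes 'unknown'), subject DN.
SAMPLE_INDEX = (
    "V\t241231235959Z\t\t01\tunknown\t/C=NL/O=Example/OU=VPN/CN=alice\n"
    "R\t241231235959Z\t230615120000Z,keyCompromise\t02\tunknown\t/C=NL/O=Example/OU=VPN/CN=bob\n"
    "E\t200101000000Z\t\t03\tunknown\t/C=NL/O=Example/OU=VPN/CN=carol\n"
    "V\t230101000000Z\t\t0a\tunknown\t/C=NL/O=Example/OU=VPN/CN=dave\n"
)

# "Now" for the stand-alone demo; an assumption chosen to make the sample interesting.
DEMO_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


class IndexEntry(NamedTuple):
    status: str                 # flag as stored by openssl ca: V (valid), R (revoked), E (expired)
    expires: datetime
    revoked: Optional[datetime]
    reason: Optional[str]       # CRL reason, if one was recorded at revocation time
    serial: str                 # upper-case hex; the value a revoke-by-serial command would take
    subject: Dict[str, str]


def _parse_ts(ts: str) -> datetime:
    """openssl stores UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if len(ts) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)


def _parse_dn(dn: str) -> Dict[str, str]:
    """'/C=NL/O=Example/CN=alice' -> {'C': 'NL', 'O': 'Example', 'CN': 'alice'}."""
    out: Dict[str, str] = {}
    for rdn in dn.strip("/").split("/"):
        if "=" in rdn:
            key, value = rdn.split("=", 1)
            out[key] = value
    return out


def parse_index(text: str) -> List[IndexEntry]:
    """Parse the whole database; a line with the wrong field count is an error, not skipped."""
    entries: List[IndexEntry] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"index.txt line {lineno}: expected 6 tab-separated fields, got {len(fields)}")
        status, expires, revocation, serial, _fname, dn = fields
        revoked: Optional[datetime] = None
        reason: Optional[str] = None
        if revocation:
            rev_ts, _, rev_reason = revocation.partition(",")
            revoked = _parse_ts(rev_ts)
            reason = rev_reason or None
        entries.append(IndexEntry(status, _parse_ts(expires), revoked, reason, serial.upper(), _parse_dn(dn)))
    return entries


def effective_status(entry: IndexEntry, now: datetime) -> str:
    """Status the CA should act on right now.  Revocation always wins; a cert still flagged V
    whose notAfter has passed is reported as E, since openssl ca only rewrites the flag when
    'openssl ca -updatedb' is run."""
    if entry.status == "R":
        return "R"
    if entry.expires <= now:
        return "E"
    return "V"


def usable_serials(entries: List[IndexEntry], now: datetime) -> List[str]:
    """Serials of certificates that are neither revoked nor expired."""
    return [e.serial for e in entries if effective_status(e, now) == "V"]


def report(text: str, now: datetime) -> Dict[str, str]:
    """Map serial -> effective status for the whole database."""
    return {e.serial: effective_status(e, now) for e in parse_index(text)}


if __name__ == "__main__":
    for e in parse_index(SAMPLE_INDEX):
        st = effective_status(e, DEMO_NOW)
        extra = f" (revoked {e.revoked:%Y-%m-%d}, {e.reason})" if st == "R" else ""
        print(f"{e.serial:>4}  {st}  CN={e.subject.get('CN')}  expires {e.expires:%Y-%m-%d}{extra}")
```

The point of `effective_status` is the fourth sample row: a certificate can sit in index.txt flagged `V` long after it has expired, so a tool that trusts the flag alone will overstate which clients can still connect.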

digital0
OpenVpn Newbie
Posts: 5
Joined: Fri Jan 18, 2013 3:30 pm

Re: StoneVPN

Post by digital0 » Tue Jan 29, 2013 12:15 am

Hello,

I added the possibility to create an .ovpn file for Android, which has all the certificates inline.
Here's the patch:

--- app.py.orig 2011-08-08 09:19:31.000000000 +0300
+++ app.py      2013-01-17 02:02:57.263543278 +0200
@@ -142,7 +142,7 @@
         action="store",
         dest="confs",
         default="unix",
-        help="create config files for [windows|unix|mac|all]")
+        help="create config files for [windows|unix|mac|android|all]")
     group_extra.add_option("-e", "--prefix",
         action="store",
         dest="fprefix",
@@ -1045,10 +1045,14 @@
             sectionname = 'mac conf'
             print "Generating Mac configuration file"
             f=open(self.working + '/' + self.fprefix + fname + '.conf', 'w')
+        elif sname == 'android':
+            sectionname = 'android conf'
+            print "Generating Android configuration file"
+            f=open(self.working + '/' + self.fprefix + fname + '.ovpn', 'w')
         elif sname == 'all':
             print "Generating all configuration files"
         else:
-            print "Incorrect OS type specified. Valid options are 'unix', 'windows', 'mac' or 'all'."
+            print "Incorrect OS type specified. Valid options are 'unix', 'windows', 'mac', 'android' or 'all'."
             sys.exit()
         if sname != 'all':
             section=config[sectionname]
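Review bot: in the new `elif sname == 'android':` branch, `f=open(self.working + '/' + self.fprefix + fname + '.ovpn', 'w')` creates the profile with whatever the process umask allows, yet later in this patch the client's private key is copied verbatim into that same file. The existing `.conf` outputs only reference `clientkeyfile` by path, so this is the first generated file that actually contains key material; create it with `os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` (or chmod it before the key is written) and note in the help text that the .ovpn bundles the key.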
@@ -1069,9 +1073,19 @@
                         f.write(section[var] + '\n')
                 else:
                     f.write(section[var] + '\n')
+           if sname == 'android':
+               fp = open ( self.cacertfile, 'r' )
+               f.write('\n' + "<ca>" + '\n' + fp.read() + "</ca>" + '\n')
+               fp.close ()
+               fp = open ( self.working + '/' + self.fprefix + fname + '.crt', 'r' )
+               f.write('\n' + "<cert>" + '\n' + fp.read() + "</cert>" + '\n')
+               fp.close ()
+               fp = open ( self.working + '/' + self.fprefix + fname + '.key', 'r' )
+               f.write('\n' + "<key>" + '\n' + fp.read() + "</key>" + '\n')
+               fp.close ()
             f.close()
         else:
-            os_versions = ["windows", "linux", "mac"]
+            os_versions = ["windows", "linux", "mac", "android"]
             for os_type in os_versions:
                 # soort extensie ipv deze regel <<
                 if os_type == 'linux':
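Review bot: the added `if sname == 'android':` block is indented by 11 spaces, which matches neither the 12-space level of the enclosing `for var in section:` body and `f.close()` nor the 8-space `if sname != 'all':`, so Python will refuse to import app.py with "IndentationError: unindent does not match any outer indentation level"; move the whole block to 12 spaces so it runs after the for loop and before `f.close()`. While there, replace each `fp = open(...)` / `fp.read()` / `fp.close()` trio with `with open(...) as fp:` so a missing `.crt` or `.key` cannot leave a handle open or a half-written .ovpn behind.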
@@ -1086,6 +1100,10 @@
                     sectionname = 'mac conf'
                     print "Generating Mac configuration file"
                     f=open(self.working + '/' + self.fprefix + fname + '.mac.conf', 'w')
+                elif os_type == 'android':
+                    sectionname = 'android conf'
+                    print "Generating Android configuration file"
+                    f=open(self.working + '/' + self.fprefix + fname + '.android.ovpn', 'w')
                 section=config[sectionname]
                 for var in section:
                     if var == 'ca':
@@ -1097,6 +1115,16 @@
                         f.write(section[var].replace('clientkeyfile', self.fprefix + fname + '.key') + '\n')
                     else:
                         f.write(section[var] + '\n')
+               if os_type == 'android':
+                   fp = open ( self.cacertfile, 'r' )
+                   f.write('\n' + "<ca>" + '\n' + fp.read() + "</ca>" + '\n')
+                   fp.close ()
+                   fp = open ( self.working + '/' + self.fprefix + fname + '.crt', 'r' )
+                   f.write('\n' + "<cert>" + '\n' + fp.read() + "</cert>" + '\n')
+                   fp.close ()
+                   fp = open ( self.working + '/' + self.fprefix + fname + '.key', 'r' )
+                   f.write('\n' + "<key>" + '\n' + fp.read() + "</key>" + '\n')
+                   fp.close ()
                 f.close()
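Review bot: same indentation fault as the single-OS branch: `if os_type == 'android':` sits at 15 spaces while the surrounding `for var in section:` body and `f.close()` are at 16, so this hunk is also an IndentationError. Since the three `<ca>`/`<cert>`/`<key>` writes are an exact copy of the earlier block, put them in one helper (say, a `_write_inline_certs(f, fname)` method) called from both places; that removes the duplicated indentation-sensitive code and leaves a single spot to get the file mode and error handling right.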
And here's the diff for stonevpn.conf:

--- stonevpn.conf.orig  2010-08-04 17:35:39.000000000 +0300
+++ stonevpn.conf       2013-01-17 02:46:36.718509951 +0200
@@ -114,3 +114,29 @@
 verb = 'verb 3'
 prot = 'proto tcp'

+[android conf]
+# add options to be added to the configuration file here
+daemon = 'daemon'
+dev = 'dev tun'
+ip = 'remote 12.34.56.78'
+# uncomment the next 3 lines to add redundant routers:
+# remote-random
+# resolv-retry 60
+# ip2 = 'remote 23.45.67.89'
+port = 'port 1194'
+#mssfix = 'mssfix 1300'
+client = 'client'
+tlc = 'tls-client'
+# don't touch the next 3 var names:
+#ca = 'ca /Library/openvpn/cacertfile'
+#cert = 'cert /Library/openvpn/clientcertfile'
+#key = 'key /Library/openvpn/clientkeyfile'
+lzo = 'comp-lzo'
+ping = 'ping 15'
+pingrestart = 'ping-restart 45'
+pingtimer = 'ping-timer-rem'
+persisttun = 'persist-tun'
+persistkey = 'persist-key'
+verb = 'verb 3'
+prot = 'proto tcp'
+
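Review bot: the comment `# uncomment the next 3 lines to add redundant routers:` will mislead, because `# remote-random` and `# resolv-retry 60` are bare OpenVPN directives while every live line in this section is a `name = 'value'` pair (compare `# ip2 = 'remote 23.45.67.89'`, which does follow the pattern); uncommenting them will not produce config entries. Write them as `remoterandom = 'remote-random'` and `resolvretry = 'resolv-retry 60'`. The commented `#ca`/`#cert`/`#key` lines still carry the `/Library/openvpn/...` paths copied from the mac section; since the android generator inlines those files, drop or relabel them so nobody uncomments a mac path into an Android profile.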

leon
OpenVpn Newbie
Posts: 8
Joined: Thu Oct 21, 2010 10:56 am

Re: StoneVPN

Post by leon » Tue Jan 29, 2013 9:58 am

Awesome! I'll review it and will probably include it in the next version.


Thanks!


Léon
