
StoneVPN

Posted: Thu Oct 21, 2010 11:00 am
by leon
Just wanted to say that I've coded a tool for easy OpenVPN certificate and configuration management. It's called StoneVPN, written in Python, and it's available from the EPEL repository if you're using RHEL/CentOS, and from the Fedora (12 and later) repositories. It's also available as a tarball from github.com/lkeijser/stonevpn.

Any feedback would be most welcome.

Re: StoneVPN

Posted: Fri Oct 22, 2010 7:10 am
by krzee
I have made this post sticky.
Thank you for sharing your tool :D

Re: StoneVPN

Posted: Tue Nov 08, 2011 9:11 am
by dhruvpandit
How to use it?

Re: StoneVPN

Posted: Tue Nov 08, 2011 9:19 am
by dhruvpandit
Sorry, repost. :(

Re: StoneVPN

Posted: Tue Nov 08, 2011 4:27 pm
by leon
dhruvpandit wrote: How to use it?
$ man stonevpn
$ stonevpn --help

An easy example is in the man page.

Re: StoneVPN

Posted: Wed Nov 09, 2011 9:55 am
by dhruvpandit
leon wrote:
dhruvpandit wrote: How to use it?
$ man stonevpn
$ stonevpn --help

An easy example is in the man page.
Thanks for the fast reply, Leon,

but I am very new to OpenVPN, so I need some more examples :(
I set up my server just 2 days ago.
Also, if you know of any GUI-based certificate management script or tool, please let me know.

And if possible, please give some more examples of how to create and revoke certificates with stonevpn.

Re: StoneVPN

Posted: Fri Nov 18, 2011 6:41 am
by dhruvpandit
Getting this error:

[root@VPN2 stonevpn]# stonevpn -f dhruvpandit -n "dhruvpandit" -z -p -m MY MAIL ID@gmail.com
Traceback (most recent call last):
File "/usr/bin/stonevpn", line 17, in ?
import StoneVPN.app as app
File "/usr/lib/python2.4/site-packages/StoneVPN/app.py", line 38, in ?
from OpenSSL import SSL, crypto
ImportError: No module named OpenSSL

Re: StoneVPN

Posted: Fri Nov 18, 2011 6:57 am
by leon
Hi,

This means you didn't install the pyOpenSSL library. On RedHat/CentOS it's

yum install pyOpenSSL

On Debian it's (AFAIK)

apt-get install python-openssl

PS: that was in the README file though ;)

Re: StoneVPN

Posted: Mon Nov 28, 2011 12:20 pm
by dhruvpandit
Now it's giving this error:

Traceback (most recent call last):
File "/usr/bin/stonevpn", line 17, in ?
import StoneVPN.app as app
File "/usr/lib/python2.4/site-packages/StoneVPN/app.py", line 43, in ?
from IPy import IP
ImportError: No module named IPy

I have installed the other packages, but this package is not installed by yum either.

Please tell me how to install it.
Also give me the list of all required packages so I can install them at once.

If stonevpn could be installed with yum install stonevpn, that would be great, but it's showing this:

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* rpmforge: fr2.rpmfind.net
* base: mirrors.cat.pdx.edu
* updates: mirrors.cat.pdx.edu
* extras: ftp.osuosl.org
Warning: No matches found for: stonevpn
No Matches found

Re: StoneVPN

Posted: Mon Nov 28, 2011 3:44 pm
by leon
You will need to install the EPEL repo first. This is also mentioned in the README file ;)

Re: StoneVPN

Posted: Tue Nov 29, 2011 7:25 am
by Mimiko
Will it be ported to windows?

Re: StoneVPN

Posted: Tue Nov 29, 2011 9:48 am
by leon
Mimiko wrote:Will it be ported to windows?
I have no immediate plans for that, but it shouldn't be too hard considering it's all Python. Perhaps a few Linux-only hacks but nothing that can't be ported. I'll make it a TODO item :)

Re: StoneVPN

Posted: Tue Nov 29, 2011 11:58 am
by dhruvpandit
Thanks, now I have installed it via yum.

Now it's giving this error:

Error: missing section 'organizationalUnitName_default' in /etc/pki/tls/openssl.cnf

I already have an active OpenVPN with about 25 clients on this server.

I think this is some certificate issue.
How can I use stonevpn with my old certificates?

Re: StoneVPN

Posted: Tue Nov 29, 2011 12:37 pm
by leon
dhruvpandit wrote: Thanks, now I have installed it via yum.

Now it's giving this error:

Error: missing section 'organizationalUnitName_default' in /etc/pki/tls/openssl.cnf
...

Really, it's not that hard. Add 'organizationalUnitName_default' to your openssl.cnf file. Search for it, it's probably commented out, and add a default OU name (something like 'VPN' would be ok).

Re: StoneVPN

Posted: Wed Nov 30, 2011 9:34 am
by dhruvpandit
Please tell me how to use my old certificates with StoneVPN. Or will it use the same old certs and key file?

Re: StoneVPN

Posted: Wed Nov 30, 2011 11:05 am
by leon
dhruvpandit wrote: Please tell me how to use my old certificates with StoneVPN. Or will it use the same old certs and key file?
You should edit /etc/stonevpn.conf and make sure it points to the correct locations for your CA certificate and key file and openssl.cnf. Then stonevpn just parses openssl.cnf [1], looks up the index file (usually index.txt) and reads information about your already existing certificates. You can check it by running:

$ stonevpn -a

Which should list your certificates.

Let me know if you run into any problems there. Sometimes the way a certificate is generated has an impact on how stonevpn parses the index file. If everything works okay (in particular the serial numbers for your certs are correct) you can then revoke certificates using:

$ stonevpn -r SERIAL

[1] I realize now that specifying CA crt and key files in stonevpn.conf is kind of redundant if later it parses openssl.cnf and can read those values there as well. Will probably fix it in the next version.
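
What "reads information about your already existing certificates" and "revoke certificates using -r SERIAL" come down to is reading and rewriting the CA database, index.txt, that openssl ca keeps next to the CA. The following is an added example written for this thread, not stonevpn's own code: it parses a constructed index.txt, lists each certificate with its serial, CN and effective status, and marks one serial revoked in the form openssl ca -revoke records it. The sample entries, names, serials and dates are made up; the field layout (status, expiry, revocation date with optional reason, serial, filename, subject DN) is OpenSSL's.

```python
"""Read and update an OpenSSL CA index.txt, the database a tool like stonevpn
consults before it can list (-a) or revoke (-r SERIAL) certificates.

Added example for this thread, not stonevpn's own code.  The layout is
OpenSSL's: one line per issued certificate, six tab-separated fields:
status (V/R/E), expiry, revocation date[,reason], serial (hex), filename,
subject DN.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample index.txt: names, serials and dates are made up.
SAMPLE_INDEX = (
    "V\t211129120000Z\t\t01\tunknown\t/C=NL/O=Example/OU=VPN/CN=server\n"
    "V\t211129120000Z\t\t02\tunknown\t/C=NL/O=Example/OU=VPN/CN=alice\n"
    "R\t211129120000Z\t111001093000Z,keyCompromise\t03\tunknown\t/C=NL/O=Example/OU=VPN/CN=bob\n"
    "V\t101129120000Z\t\t0A\tunknown\t/C=NL/O=Example/OU=VPN/CN=carol\n"
)

UTCTIME = "%y%m%d%H%M%SZ"            # what openssl ca writes for dates before 2050
GENERALIZEDTIME = "%Y%m%d%H%M%SZ"    # used for 2050 and later


@dataclass
class IndexEntry:
    status: str                 # 'V' valid, 'R' revoked, 'E' expired
    expires: datetime
    revoked_at: Optional[datetime]
    reason: Optional[str]       # CRL reason name, e.g. keyCompromise
    serial: str                 # upper-case hex exactly as stored
    subject: str


def parse_index_time(value: str) -> datetime:
    fmt = GENERALIZEDTIME if len(value) == 15 else UTCTIME
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_index(text: str) -> List[IndexEntry]:
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"index.txt line {lineno}: expected 6 fields, got {len(fields)}")
        status, expiry, revocation, serial, _filename, subject = fields
        if status not in ("V", "R", "E"):
            raise ValueError(f"index.txt line {lineno}: unknown status {status!r}")
        revoked_at = reason = None
        if revocation:                       # 'YYMMDDHHMMSSZ' or 'YYMMDDHHMMSSZ,reason'
            stamp, _, reason = revocation.partition(",")
            revoked_at = parse_index_time(stamp)
            reason = reason or None
        entries.append(IndexEntry(status, parse_index_time(expiry), revoked_at,
                                  reason, serial.upper(), subject))
    return entries


def common_name(subject: str) -> Optional[str]:
    for part in subject.split("/"):
        if part.startswith("CN="):
            return part[3:]
    return None


def list_certificates(text: str, now: datetime) -> List[Tuple[str, Optional[str], str]]:
    """(serial, CN, effective status).  openssl only flips 'V' to 'E' on
    'openssl ca -updatedb', so an expired cert may still read 'V' on disk."""
    rows = []
    for e in parse_index(text):
        status = "E" if e.status == "V" and e.expires <= now else e.status
        rows.append((e.serial, common_name(e.subject), status))
    return rows


def _same_serial(a: str, b: str) -> bool:
    return int(a, 16) == int(b, 16)      # '2', '02' and '0x02' name the same cert


def revoke(text: str, serial: str, now: datetime, reason: Optional[str] = None) -> str:
    """Return index.txt with `serial` marked revoked, in the form
    'openssl ca -revoke' writes.  Unknown or already revoked serials raise,
    so a typo cannot silently do nothing or overwrite an earlier revocation."""
    out, hit = [], False
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) == 6 and _same_serial(fields[3], serial):
            if fields[0] == "R":
                raise ValueError(f"serial {fields[3]} is already revoked")
            stamp = now.strftime(UTCTIME)
            fields[0], fields[2] = "R", (f"{stamp},{reason}" if reason else stamp)
            line, hit = "\t".join(fields), True
        out.append(line)
    if not hit:
        raise ValueError(f"serial {serial!r} not found in index.txt")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    now = parse_index_time("111130000000Z")
    for serial, cn, status in list_certificates(SAMPLE_INDEX, now):
        print(f"{status} {serial:>4} {cn}")
    print(revoke(SAMPLE_INDEX, "02", now, "cessationOfOperation"), end="")
```

Serials are compared numerically, so 2, 02 and 0x02 all hit the same line; that is the kind of serial mismatch Leon warns about when the index was written by another tool, and it is why an unknown or already revoked serial raises instead of silently doing nothing. Updating the database is only half of a revocation: the CRL the server checks still has to be regenerated afterwards with openssl ca -gencrl.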

Re: StoneVPN

Posted: Tue Jan 29, 2013 12:15 am
by digital0
Hello,

I added the possibility to create ovpn file for Android, which has all the certificates inline.
Here's the patch:

--- app.py.orig 2011-08-08 09:19:31.000000000 +0300
+++ app.py      2013-01-17 02:02:57.263543278 +0200
@@ -142,7 +142,7 @@
         action="store",
         dest="confs",
         default="unix",
-        help="create config files for [windows|unix|mac|all]")
+        help="create config files for [windows|unix|mac|android|all]")
     group_extra.add_option("-e", "--prefix",
         action="store",
         dest="fprefix",
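Review bot: the help string now advertises `android`, but nothing else that documents the option is touched; the man page, which this thread points new users to for the usage example, should list `android` as a valid OS type and say that the generated .ovpn carries the CA, client certificate and client key inline rather than as file references.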
@@ -1045,10 +1045,14 @@
             sectionname = 'mac conf'
             print "Generating Mac configuration file"
             f=open(self.working + '/' + self.fprefix + fname + '.conf', 'w')
+        elif sname == 'android':
+            sectionname = 'android conf'
+            print "Generating Android configuration file"
+            f=open(self.working + '/' + self.fprefix + fname + '.ovpn', 'w')
         elif sname == 'all':
             print "Generating all configuration files"
         else:
-            print "Incorrect OS type specified. Valid options are 'unix', 'windows', 'mac' or 'all'."
+            print "Incorrect OS type specified. Valid options are 'unix', 'windows', 'mac', 'android' or 'all'."
             sys.exit()
         if sname != 'all':
             section=config[sectionname]
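Review bot: the new `elif sname == 'android':` branch opens the .ovpn for writing before `section=config[sectionname]` runs, so on a host whose /etc/stonevpn.conf predates this patch (the `[android conf]` section ships in a separate diff) the run dies with a KeyError on `'android conf'` and leaves an empty .ovpn behind in the working directory. Test `sectionname in config` first and print a message naming the missing section, the way the existing `Incorrect OS type specified` path reports a bad OS type.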
@@ -1069,9 +1073,19 @@
                         f.write(section[var] + '\n')
                 else:
                     f.write(section[var] + '\n')
+           if sname == 'android':
+               fp = open ( self.cacertfile, 'r' )
+               f.write('\n' + "<ca>" + '\n' + fp.read() + "</ca>" + '\n')
+               fp.close ()
+               fp = open ( self.working + '/' + self.fprefix + fname + '.crt', 'r' )
+               f.write('\n' + "<cert>" + '\n' + fp.read() + "</cert>" + '\n')
+               fp.close ()
+               fp = open ( self.working + '/' + self.fprefix + fname + '.key', 'r' )
+               f.write('\n' + "<key>" + '\n' + fp.read() + "</key>" + '\n')
+               fp.close ()
             f.close()
         else:
-            os_versions = ["windows", "linux", "mac"]
+            os_versions = ["windows", "linux", "mac", "android"]
             for os_type in os_versions:
                 # soort extensie ipv deze regel <<
                 if os_type == 'linux':
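Review bot: the inline `<key>` block copies the client's private key into the .ovpn, but the file was created with a plain `open(..., 'w')`, so its mode follows the process umask; the .ovpn is now exactly as sensitive as the .key it embeds and should be created 0600, e.g. `os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600), 'w')`. Separately, as rendered here the inserted `if sname == 'android':` block sits at 11 columns while the enclosing `if sname != 'all':` body (`section=config[sectionname]`, `f.close()`) is at 12; if that is not a paste artifact Python rejects it with an IndentationError, so check the whitespace before merging.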
@@ -1086,6 +1100,10 @@
                     sectionname = 'mac conf'
                     print "Generating Mac configuration file"
                     f=open(self.working + '/' + self.fprefix + fname + '.mac.conf', 'w')
+                elif os_type == 'android':
+                    sectionname = 'android conf'
+                    print "Generating Android configuration file"
+                    f=open(self.working + '/' + self.fprefix + fname + '.android.ovpn', 'w')
                 section=config[sectionname]
                 for var in section:
                     if var == 'ca':
@@ -1097,6 +1115,16 @@
                         f.write(section[var].replace('clientkeyfile', self.fprefix + fname + '.key') + '\n')
                     else:
                         f.write(section[var] + '\n')
+               if os_type == 'android':
+                   fp = open ( self.cacertfile, 'r' )
+                   f.write('\n' + "<ca>" + '\n' + fp.read() + "</ca>" + '\n')
+                   fp.close ()
+                   fp = open ( self.working + '/' + self.fprefix + fname + '.crt', 'r' )
+                   f.write('\n' + "<cert>" + '\n' + fp.read() + "</cert>" + '\n')
+                   fp.close ()
+                   fp = open ( self.working + '/' + self.fprefix + fname + '.key', 'r' )
+                   f.write('\n' + "<key>" + '\n' + fp.read() + "</key>" + '\n')
+                   fp.close ()
                 f.close()
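Review bot: this block is a line-for-line copy of the one added in the single-OS path (same three open/write/close triples for `<ca>`, `<cert>` and `<key>`); factor it into one helper that takes the open file and `fname` so the two code paths cannot drift. The same two points apply here: the .ovpn that now holds the private key is created with the default umask, and as rendered the inserted lines sit at 15 columns against the enclosing loop body's 16.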
And here's the diff for stonevpn.conf:

--- stonevpn.conf.orig  2010-08-04 17:35:39.000000000 +0300
+++ stonevpn.conf       2013-01-17 02:46:36.718509951 +0200
@@ -114,3 +114,29 @@
 verb = 'verb 3'
 prot = 'proto tcp'

+[android conf]
+# add options to be added to the configuration file here
+daemon = 'daemon'
+dev = 'dev tun'
+ip = 'remote 12.34.56.78'
+# uncomment the next 3 lines to add redundant routers:
+# remote-random
+# resolv-retry 60
+# ip2 = 'remote 23.45.67.89'
+port = 'port 1194'
+#mssfix = 'mssfix 1300'
+client = 'client'
+tlc = 'tls-client'
+# don't touch the next 3 var names:
+#ca = 'ca /Library/openvpn/cacertfile'
+#cert = 'cert /Library/openvpn/clientcertfile'
+#key = 'key /Library/openvpn/clientkeyfile'
+lzo = 'comp-lzo'
+ping = 'ping 15'
+pingrestart = 'ping-restart 45'
+pingtimer = 'ping-timer-rem'
+persisttun = 'persist-tun'
+persistkey = 'persist-key'
+verb = 'verb 3'
+prot = 'proto tcp'
+
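Review bot: the `[android conf]` section is a copy of the Mac section down to the commented `ca`/`cert`/`key` lines pointing at `/Library/openvpn/...`, paths that mean nothing on Android, and the `don't touch the next 3 var names` comment is misleading here: for this section the code appends `<ca>`, `<cert>` and `<key>` blocks itself, so uncommenting those lines would put both a path directive and the inline block in the generated file. Replace the three commented lines with a comment stating that the certificates and key are inlined for Android, and review whether the copied `daemon` and `remote 12.34.56.78` placeholder are what you want in the Android template.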

Re: StoneVPN

Posted: Tue Jan 29, 2013 9:58 am
by leon
Awesome! I'll review it and will probably include it in the next version.

Thanks!

Léon