Add openvpn client tools (the sepia-vpn-client.tar.gz stuff) for tracking/improvement

tools/openvpn/maketar.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+#
+# make a tarball for distribution of this configuration and
+# secret generator
+#
+tar cfz sepia-vpn-client.tar.gz sepia/ca.crt sepia/client.conf sepia/new-client sepia/tlsauth

tools/openvpn/sepia/ca.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDVzCCAj+gAwIBAgIUOAVvdnT5AeNHmQVerBNGyBipF+0wDQYJKoZIhvcNAQEL
+BQAwGjEYMBYGA1UEAwwPb3BlbnZwbmNhLXNlcGlhMB4XDTI0MTIwMjE3MTc1MloX
+DTM0MTEzMDE3MTc1MlowGjEYMBYGA1UEAwwPb3BlbnZwbmNhLXNlcGlhMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApPbQdUr74nVphtcdV9VhJs1cgKGq
+iZNBRdVxW92JurMJuIJXSiBwGochYTs4NQprlD5jYStnpzoe7c1HsFKwVEY3xSmT
+h7wdj0JIRgAdspG2XxxSU63k2t4Ezm6z7W7jnRvXjNhD55AMpxHAQpS0YhpxTm95
+SJDlk7gCmdIN087ioTYW8Fh+NI/ASjz5m3XWjsF/mTOHLYmlRL4bSWLwpKXuxpPW
+YVeScyDC6olc0MOfNKihxY3Q4IJiLcBPXQhGp3pnKCSut+f+nHu+sSLssliuvGBh
+6rn5c/5TceGbVvK1BX53F5Znx/AGC7XEEXKddUQbZDVN8pg1VygKt8tDIQIDAQAB
+o4GUMIGRMB0GA1UdDgQWBBSCoc5pUrxKfAoguqWqY25PhYuYrjBVBgNVHSMETjBM
+gBSCoc5pUrxKfAoguqWqY25PhYuYrqEepBwwGjEYMBYGA1UEAwwPb3BlbnZwbmNh
+LXNlcGlhghQ4BW92dPkB40eZBV6sE0bIGKkX7TAMBgNVHRMEBTADAQH/MAsGA1Ud
+DwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAIPJAeutTT6llsHQcC8CUPxSGe98l
+IPGHFX3AE9tRU1C2jfsidovNnxfpYksctjVcv3Zo6UbY6w83+UXciu4uusfjgJ/X
+dc5na7J+PCNcgNY34fsFmX4yQNF7ffTEUAS91FJ2bXs+Ob/dIQvZ0ZJopLia4C0m
+IT0DJfQV6Xx+R+mQ+MB1c2bmW17C88PCOygTUyn8ssrUkttkrf9xebp2TqyggdSH
+myw4nD/iQz+l7lwmDitEJY6cyLBDihhpKEyeCcIMp2+ytEsqaCKOASvjKnG24O19
+N0+ctqX/JPZzCEEpYhlFtZEFKjnYV7DiGvC6GiGZAMWNB3oY2bm+Gf2mNQ==
+-----END CERTIFICATE-----

tools/openvpn/sepia/client.conf

@@ -0,0 +1,18 @@
+script-security 1
+client
+remote vpn.sepia.ceph.com 1194
+dev tun
+remote-random
+resolv-retry infinite
+nobind
+user nobody
+group nogroup
+persist-tun
+persist-key
+comp-lzo
+verb 2
+mute 10
+remote-cert-tls server
+tls-auth sepia/tlsauth 1
+ca sepia/ca.crt
+auth-user-pass sepia/secret

tools/openvpn/sepia/new-client

@@ -0,0 +1,82 @@
+#!/usr/bin/python3
+
+# How to set up a client (on Ubuntu/Debian):
+#
+# sudo apt-get install openvpn
+# cd /etc/openvpn
+# sudo tar xvzf ~/sepia-vpn-client.tar.gz
+# sudo ./sepia/new-client MYUSERNAME@MYHOST
+#
+# ... submit the secret to admin and wait for acknowledgment ...
+#
+# sudo service openvpn start sepia
+
+import base64
+import datetime
+import hashlib
+import os
+import re
+import sys
+import tarfile
+
+path = os.path.dirname(sys.argv[0])
+os.chdir(path)
+
+try:
+    (user,) = sys.argv[1:]
+except ValueError:
+    raise SystemExit('Usage: new-client USERNAME@HOST')
+
+# From openvpn(8):
+#
+# To protect against a client passing a maliciously formed username or
+# password string, the username string must consist only of these
+# characters: alphanumeric, underbar ('_'), dash ('-'), dot ('.'), or
+# at ('@'). The password string can consist of any printable
+# characters except for CR or LF. Any illegal characters in either the
+# username or password string will be converted to underbar ('_').
+#
+# Verifying this here to avoid confusion down the road.
+if not re.match(r'^[a-zA-Z0-9_.@-]+$', user):
+    raise SystemExit('new-client: Invalid characters in username')
+
+salt = base64.b64encode(os.urandom(16)).rstrip(b'=')
+secret = base64.b64encode(os.urandom(64)).rstrip(b'=')
+
+inner = hashlib.new('sha256')
+inner.update(salt)
+inner.update(secret)
+outer = hashlib.new('sha256')
+outer.update(inner.digest())
+outer.update(salt)
+hashed = outer.hexdigest()
+
+with open('secret', 'wb') as f:
+    os.fchmod(f.fileno(), 0o600)
+    f.write('{user}\n{secret}\n'.format(user=user, secret=secret.decode()).encode('utf-8'))
+
+base = os.path.basename(path)
+os.symlink(os.path.join(base, 'client.conf'), '../sepia.conf')
+
+sys.stdout.write(
+    "\n!!!!! DO NOT RUN THIS SCRIPT MORE THAN ONCE !!!!!\n\nPlease paste the following line in your Sepia Lab Access Request tracker ticket:\n\n")
+sys.stdout.write("{user} {salt} {hashed}\n\n".format(
+    user=user,
+    salt=salt.decode('utf-8'),
+    hashed=hashed,
+))
+
+with open('secret.hash', 'w') as f:
+    f.write(f"{user} {salt.decode('utf-8')} {hashed}")
+
+datestr = datetime.datetime.now().strftime('%Y%m%d_%H%M%S')
+tarfilename = f'secrets.{datestr}.tar.gz'
+tarfile = tarfile.open(tarfilename, 'w:gz')
+for f in ['secret', 'secret.hash']:
+    tarfile.add(f)
+tarfile.close()
+
+sys.stdout.write(f"""
+The secret file (private to you) and secret.hash (the above hashed secret
+information, to be placed on the OpenVPN server) are a matched pair.
+They've been placed into {tarfilename} for safekeeping.""")

tools/openvpn/sepia/tlsauth

@@ -0,0 +1,21 @@
+#
+# 2048 bit OpenVPN static key
+#
+-----BEGIN OpenVPN Static key V1-----
+45839625d348b4d5c0af603d94110313
+9d6960d0b3c3b22365f0e5ded5281664
+3473d1ece7bfc8fcb990232886aec346
+db726c28f8f6423648a7274d975abd1a
+587953b38323cf13b763724d5c8e2b77
+b6a9d12ca751d8e3de0e56be37300855
+e6864c047148a30cb0b7d87fbd7f5f80
+d19c05a808ba1b48e9a8139051b63e47
+02ab07478c34d75f77d16ecafcaae81c
+303c64f334e73d9b6ba71d2397941402
+51bbd5ab903e89a85cf05ae1158e6258
+d39b9f9e9a3b00cd96d6b6c8a3b93bf1
+9fd3fab9ce8513a525a55feb731ca46c
+185555b2771351422b703b2c3ecbc809
+05cf68e6fd95226c5a45adc01e7645e6
+aaadeb236c0f44fb42c01decd819e849
+-----END OpenVPN Static key V1-----