Awesome Open Source
Awesome Open Source
Dynvpn
A Dockerized OpenVPN service supporting on connect dynamic network rule loading
Stars
5
License
gpl-3.0
Open Issues
0
Most Recent Commit
3 years ago
Programming Language
Python
Repo

dynvpn

dynVPN is a set of small python programs for dynamicaly applying firewall profiles to users. Based on group memberships when connecting to the VPN server. This proves quite usefull to get a more "enterprisey VPN" creating narrow and unique access controls for each type of connecting user.

Requirements:

Check Dockerfile

How to start the POC:

docker build -t dynvpn 
docker run -ti --privileged -p 1194:1194/udp  -v dynvpn:/etc/openvpn/easy-rsa/keys dynvpn
VOL_PATH=/var/lib/docker/volumes/dynvpn/_data/
openvpn --config $VOL_PATH/client-vpn.conf --cd $VOL_PATH

you can inspect the dynamic ruleset applied from within the container with:

nft list ruleset

to see that explicit allow rules has been added to a custom chain for your connected vpn user

Openvpn client connection state transition

  1. User connects to VPN and auths
  2. After authentication the cn (common name taken from the certificate file generated for vpn client certificate holder) is checked against the acl_members file where for each group a user belongs to (for example group2 group1 ) the learn_adress script will execute a file called group2.py applying that set of nftables rules for the unique ip the user is connected to the OpenVPN server with.
  3. User disconnects User disconnection is handled by a ping time out set in server.conf. When time out is reached the connection is dropped causing OpenVPN to call the learn-address hook with the delete action Dropping the VPN connection and removing firewall rules for that VPN session.

Python program files overview

  • learn_address

Is the hook script called when a a vpn session is established
It allows openvpn to launch a custom program when openvpn learns of a new adress of a connecting user. In our scenario the program calls learn_address doing step 3-4 described above the learn adress hook in OpenVPN sends three variables to the script: Action, IP, User where an action can be:

  • add - when a new connection is established
  • delete - when a connection is reported as disconnected (se #4 above)
  • update - when a connection is updates usually when there is a new ip. We do a DELETE/ADD when this happens

learn_Address be called from the shell to testing the firewall actions:

./learn_address ACTION IP USERNAME
  • globs.py

contains global variables and paths to files for the program learn adress and manage_acl_users It also has a debug flag that can be flipped to increase logging

  • acl_members

This file contains the mapping between users and groups where user is the auth name for openvpn. Each group is referencing a python file containing firewall rules users group information stored in the following format:

john_doe allow_ssh allow_dns jane_doe allow_ntp ...

  • acl_rules/

This folder is where ACL rules are kept and searched for when a user is to be mapped to a group. Path to it is specified in globs.py has to include the python magic in the begining of file check any file except for the template_rule.py for an example

  • acl_rules/template_rule.py

this is a base template that should be included in your custom acl files doing some generic tasks that happen in each rule file

  • /etc/openvpn/scripts/sessions/

Ddestination folder for session files a file for each currently connected user stating the ip, username and applied rules for a connected user

How the VPN scripts interacts with networking and firewalling

For traffic to pass from the OpenVPN client into our networks it first has to auth (check #1 further info). After auth openvpn pushes some explicit routes for our network declared in server.conf

Traffic from a connected vpn client will reach FORWARDING table on the vpn server. The default policy for the forwarding table should be set to drop all traffic. Meaning that only traffic matching the explicit ALLOW rules in the rules mapped to a user will be allowed to pass

The acl_rules/ contains rule files that are applied to mapped users. For each connecting user a jump reference is created in the forwarding table for the users connecting IP in this table each acl rule files rules will be applied

TODO

  • rewrite for python3
  • tests
  • rewrite acl_members and management of file in some more easily parsable format like json or yaml
Related Awesome Lists
Python Projects (821,947)
User Projects (47,135)
Group Projects (19,711)
Vpn Projects (3,906)
Firewall Projects (3,257)
Acl Projects (2,442)
Openvpn Projects (1,828)
Openvpn Server Projects (233)
Firewall Management Projects (38)
Firewall Framework Projects (5)
Openvpn Plugin Projects (5)
Python User Projects (5,934)
Python Group Projects (3,243)
User Group Projects (1,439)
Vpn Openvpn Projects (775)
Python Firewall Projects (602)
Python Vpn Projects (529)
Python Acl Projects (513)
Python Openvpn Projects (257)
User Acl Projects (135)
Vpn Firewall Projects (112)
Vpn Openvpn Server Projects (79)
Group Acl Projects (66)
Firewall Openvpn Projects (51)
Group Firewall Projects (47)
User Vpn Projects (45)
User Openvpn Projects (41)
User Firewall Projects (36)
Python Openvpn Server Projects (34)
Firewall Acl Projects (25)
Group Vpn Projects (18)
Group Openvpn Projects (14)
User Openvpn Server Projects (11)
Top Programming Languages
Javascript  (1,074,350)
Python  (821,947)
Java  (392,336)
Php  (287,697)
Typescript  (255,886)
C Plus Plus  (242,160)
Ruby  (222,156)
C  (183,789)
Shell  (173,309)
C Sharp  (166,623)
Golang  (160,901)
Swift  (65,929)
Rust  (59,584)
R  (58,787)
Objective C  (57,107)
Dart  (54,249)
Kotlin  (47,749)
Lua  (34,689)
Matlab  (31,442)
Perl  (30,581)
Language  (29,993)
Scala  (28,787)
Haskell  (20,503)
Powershell  (19,294)
Clojure  (19,190)
Bash  (18,789)
Coffeescript  (17,258)
Elixir  (16,794)
Assembly  (14,777)
Processing  (13,285)
Julia  (13,028)
Basic  (10,715)
Flow  (10,535)
Emacs Lisp  (10,473)
Erlang  (9,065)
Groovy  (8,466)
Scheme  (8,413)
Solidity  (8,398)
Ocaml  (6,749)
Pascal  (6,487)
Hack  (6,439)
Lisp  (6,339)
Fortran  (5,591)
Elm  (5,478)
Common Lisp  (5,325)
Dlang  (4,747)
Shell Script  (4,689)
Python Library  (4,467)
Crystal  (4,395)
Scripting  (4,218)
Top Projects
Freecodecamp ⭐ 351,305
996.icu ⭐ 263,365
Free Programming Books ⭐ 244,689
Coding Interview University ⭐ 229,270
Awesome ⭐ 214,149
Developer Roadmap ⭐ 206,149
Public Apis ⭐ 205,181
Vue ⭐ 198,593
React ⭐ 193,122
System Design Primer ⭐ 191,492
Tensorflow ⭐ 167,074
Build Your Own X ⭐ 160,771
Bootstrap ⭐ 158,948
You Dont Know Js ⭐ 157,194
Cs Notes ⭐ 155,369
Ohmyzsh ⭐ 148,771
Javascript Algorithms ⭐ 147,438
Flutter ⭐ 143,534
Python ⭐ 141,864
Awesome Python ⭐ 137,284
Gitignore ⭐ 137,018
Linux ⭐ 136,200
Vscode ⭐ 135,318
Javaguide ⭐ 126,170
Javascript ⭐ 125,450
Python 100 Days ⭐ 122,176
Computer Science ⭐ 121,209
Youtube Dl ⭐ 112,278
The Art Of Command Line ⭐ 108,745
Fucking Algorithm ⭐ 108,035
React Native ⭐ 104,260
Electron ⭐ 103,052
Go ⭐ 102,717
D3 ⭐ 101,796
30 Seconds Of Code ⭐ 100,507
Awesome Selfhosted ⭐ 98,330
Create React App ⭐ 96,427
Axios ⭐ 95,087
Free Programming Books Zh_cn ⭐ 94,893
Kubernetes ⭐ 91,090
Next.js ⭐ 91,008
Node ⭐ 89,464
Awesome Go ⭐ 85,662
Terminal ⭐ 84,667
Deno ⭐ 84,513
Three.js ⭐ 84,365
Angular ⭐ 83,204
Typescript ⭐ 83,177
Ant Design ⭐ 81,409
Material Ui ⭐ 80,436

Get A Weekly Email With Trending Projects For These Topics
No Spam. Unsubscribe easily at any time.
Python (821,947
User (47,135
Group (19,711
Vpn (3,906
Firewall (3,257
Acl (2,442
Openvpn (1,828
Openvpn Server (233
Firewall Management (38
Firewall Framework (5
Openvpn Plugin (5
Privacy | About | Terms | Follow Us On Twitter

Downloads, Dependent Repos, Dependent Packages, Total Releases, Latest Releases data powered by Libraries.io.

Copyright 2018-2022 Awesome Open Source.  All rights reserved.