Merge branch 'noalias'

.gitignore

@@ -114,5 +114,6 @@ dist
 
 *.retry
 wgfrp-setconf.conf.j2
+certs
 
 __pycache__

ansible/bird.conf.j2

@@ -67,7 +67,7 @@ protocol ospf v2 {
 #			hello 5;		# Default hello perid 10 is too long
 #		};
 {% for connection in connections %}
-{% if connection.protocol != "null" and connection.remoteLocalAddress != address %}
+{% if connection.protocol != "null" and not (connection.protocol == "oc" and connection.ocType == "server") and connection.remoteLocalAddress != address %}
     interface "{{connection.name}}" {
       type ptmp;
 {% if connection.outbound %}
@@ -82,6 +82,16 @@ protocol ospf v2 {
 {% endif %}
 {% endfor %}
 
+{% if ocservNeeded %}
+    interface "mcoc*" {
+      type ptmp;
+      cost {{ocMetric}};
+      hello 5;
+      authentication cryptographic;
+      password "{{ospfToken}}";
+    };
+{% endif %}
+
 {% for interface in lanInterfaces %}
     interface "{{interface}}" {
       type broadcast;

ansible/configure.yaml

@@ -24,12 +24,15 @@
         - utility
         - switch-rules-up
         - switch-rules-down
+        - ocserv-postup
+        - ocserv-predown
       notify: reload_switch_rules
     - name: ipset files
       template:
         src: scripts/ipset.j2
         dest: '{{ansible_user_dir}}/nextgen-network/ipsets/{{item}}.ipset'
       with_items: '{{routeListNames}}'
+      notify: reload_chnroute
     - name: global-postup
       become: true
       shell: '{{ansible_user_dir}}/nextgen-network/scripts/global-postup.sh'
@@ -73,6 +76,9 @@
       become: true
       shell: 'ip -4 rule add pref 81 to {{item}} lookup main || true'
       with_items: '{{routeLists.mycard}}'
+    - name: ocserv pre-configure
+      include_tasks: 'protocols/oc/ocserv-pre.yaml'
+      when: ocservNeeded and not noBird and not systemBird
 # 为了提高测试时候的性能，不改动wg的时候注释掉这段
     - name: 'clean up null connections first'
       include_tasks: 'protocols/{{item.protocol}}/configure.yaml'
@@ -149,8 +155,27 @@
           - frpc-{{item.name}}
       with_items: '{{connections}}'
       when: 'item.protocol == "wgfrp" and item.frpType == "frpc"'
+    - name: restart_ocserv
+      docker_compose:
+        project_src: '{{ansible_user_dir}}/nextgen-network/services'
+        restarted: true
+        services:
+          - ocserv
+    - name: restart_openconnect
+      docker_compose:
+        project_src: '{{ansible_user_dir}}/nextgen-network/services'
+        restarted: true
+        services:
+          - openconnect-{{item.name}}
+      with_items: '{{connections}}'
+      when: 'item.protocol == "oc" and item.ocType == "client"'
     - name: restart_bird_systemd
       become: true
       systemd:
         name: bird
         state: restarted
+    - name: reload_chnroute
+      become: true
+      shell: |
+        ipset flush chnrouter
+        sed '/^create chnrouter hash:net family inet$/d' {{ansible_user_dir}}/nextgen-network/ipsets/chnrouter.ipset | ipset restore

ansible/protocols/oc/configure-client.yaml

+- name: up script directory
+  file:
+    path: '{{ansible_user_dir}}/nextgen-network/services/client-scripts/{{conn.name}}/post-connect.d'
+    state: directory
+    recurse: true
+- name: down script directory
+  file:
+    path: '{{ansible_user_dir}}/nextgen-network/services/client-scripts/{{conn.name}}/disconnect.d'
+    state: directory
+    recurse: true
+- name: up script
+  template:
+    src: ./openconnect-post-scripts/post-connect.sh.j2
+    dest: '{{ansible_user_dir}}/nextgen-network/services/client-scripts/{{conn.name}}/post-connect.d/mycard-network-nextgen.sh'
+    mode: 0755
+  notify: restart_openconnect
+- name: down script
+  template:
+    src: ./openconnect-post-scripts/disconnect.sh.j2
+    dest: '{{ansible_user_dir}}/nextgen-network/services/client-scripts/{{conn.name}}/disconnect.d/mycard-network-nextgen.sh'
+    mode: 0755
+  notify: restart_openconnect

ansible/protocols/oc/configure-server.yaml

+- name: per-user config
+  template:
+    src: ./ocserv-per-user.conf.j2
+    dest: '{{ansible_user_dir}}/nextgen-network/services/ocserv/config-per-user/{{conn.name}}'
+  notify: restart_ocserv
+- name: per-user env
+  template:
+    src: ./ocserv-user-env.j2
+    dest: '{{ansible_user_dir}}/nextgen-network/services/ocserv/env-per-user/{{conn.name}}'
+  notify: restart_ocserv

ansible/protocols/oc/configure.yaml

+- name: '{{conn.name}}: stop wireguard'
+  become: true
+  ignore_errors: true
+  systemd:
+    name: 'wg-quick@{{conn.name}}'
+    state: stopped
+    enabled: no
+- name: '{{conn.name}}: tasks for {{conn.ocType}}'
+  include_tasks: './configure-{{conn.ocType}}.yaml'

ansible/protocols/oc/ocserv-per-user.conf.j2

+explicit-ipv4 = {{conn.remoteLocalAddress}}
+route = {{conn.localPeerAddress}}/32
+mtu = {{conn.mtu}}

ansible/protocols/oc/ocserv-pre.yaml

+- name: directories
+  file:
+    name: '{{ansible_user_dir}}/nextgen-network/services/ocserv/{{item}}'
+    recurse: true
+    state: directory
+  with_items:
+    - config-per-user
+    - env-per-user
+    - certs
+- name: ocserv.conf
+  template:
+    src: ./ocserv.conf.j2
+    dest: '{{ansible_user_dir}}/nextgen-network/services/ocserv/ocserv.conf'
+  notify: restart_ocserv
+- name: ocpasswd
+  copy:
+    content: |
+      {% for line in ocpasswdLines %}
+      {{line}}
+      {% endfor %}
+    dest: '{{ansible_user_dir}}/nextgen-network/services/ocserv/ocpasswd'
+  notify: restart_ocserv
+- name: ocserv certs
+  synchronize:
+    src: ../certs/{{ocservCert}}/
+    dest: '{{ansible_user_dir}}/nextgen-network/services/ocserv/certs/{{ocservCert}}'
+    delete: yes
+    copy_links: yes
+    verify_host: no
+    recursive: yes
+    checksum: yes
+    archive: no
+  notify: restart_ocserv

ansible/protocols/oc/ocserv-user-env.j2

+# export dev=
+export localPeerAddress={{conn.localPeerAddress}}
+export remotePeerAddress={{conn.remotePeerAddress}}
+export link6Address={{conn.link6Address}}
+export remoteNextMark={{conn.remoteNextMark}}
+export inbound={{conn.inbound}}
+export outbound={{conn.outbound}}
+export mtu={{conn.mtu|int - 58}}

ansible/protocols/oc/ocserv.conf.j2

+auth = "plain[passwd=/etc/ocserv/ocpasswd]"
+listen-host-is-dyndns = true
+tcp-port = {{ocservPort}}
+udp-port = {{ocservPort}}
+run-as-user = nobody
+run-as-group = daemon
+socket-file = /run/ocserv.socket
+server-cert = /etc/ssl/certs/{{ocservCert}}/fullchain.pem
+server-key = /etc/ssl/certs/{{ocservCert}}/privkey.pem
+dh-params = /etc/ssl/certs/{{ocservCert}}/dhparam.pem
+isolate-workers = true
+server-stats-reset-time = 604800
+keepalive = 300
+dpd = 60
+mobile-dpd = 300
+switch-to-tcp-timeout = 25
+try-mtu-discovery = false
+cert-user-oid = 0.9.2342.19200300.100.1.1
+compression = true
+no-compress-limit = 256
+tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE"
+match-tls-dtls-ciphers = false
+auth-timeout = 240
+idle-timeout = 1200
+mobile-idle-timeout = 1800
+max-ban-score = 80
+ban-reset-time = 300
+cookie-timeout = 604800
+deny-roaming = false
+rekey-time = 172800
+rekey-method = ssl
+connect-script = {{ansible_user_dir}}/nextgen-network/scripts/ocserv-postup.sh
+disconnect-script = {{ansible_user_dir}}/nextgen-network/scripts/ocserv-predown.sh
+use-occtl = true
+pid-file = /run/ocserv.pid
+predictable-ips = true
+ipv4-network = {{address}}/32
+ping-leases = false
+device = mcoc
+config-per-user = /etc/ocserv/config-per-user/
+cisco-client-compat = false
+dtls-legacy = true

ansible/protocols/oc/openconnect-post-scripts/disconnect.sh.j2

+#!/bin/bash
+dev="$TUNDEV" localPeerAddress={{conn.localPeerAddress}} remotePeerAddress={{conn.remotePeerAddress}} link6Address={{conn.link6Address}} remoteNextMark={{conn.remoteNextMark}} inbound={{conn.inbound}} outbound={{conn.outbound}} mtu={{conn.mtu|int - 58}} {{ansible_user_dir}}/nextgen-network/scripts/predown.sh
+
+true

ansible/protocols/oc/openconnect-post-scripts/post-connect.sh.j2

+#!/bin/bash
+dev="$TUNDEV" localPeerAddress={{conn.localPeerAddress}} remotePeerAddress={{conn.remotePeerAddress}} link6Address={{conn.link6Address}} remoteNextMark={{conn.remoteNextMark}} inbound={{conn.inbound}} outbound={{conn.outbound}} mtu={{conn.mtu|int - 58}} {{ansible_user_dir}}/nextgen-network/scripts/predown.sh
+dev="$TUNDEV" localPeerAddress={{conn.localPeerAddress}} remotePeerAddress={{conn.remotePeerAddress}} link6Address={{conn.link6Address}} remoteNextMark={{conn.remoteNextMark}} inbound={{conn.inbound}} outbound={{conn.outbound}} mtu={{conn.mtu|int - 58}} {{ansible_user_dir}}/nextgen-network/scripts/postup.sh
+
+true

ansible/scripts/global-postup.sh.j2

 #!/usr/bin/env bash
-# Forced update 12.16
+# Forced update 12.18 2
 source {{ansible_user_dir}}/nextgen-network/scripts/utility.sh
 
 echo "running" > /tmp/mycard_global_postup_done

ansible/scripts/ocserv-postup.sh.j2

+#!/bin/bash
+
+export dev="$DEVICE"
+source /etc/ocserv/env-per-user/$USERNAME
+
+#NEW_DEVICE="$USERNAME"
+#ip link set $DEVICE down
+#ip link set $DEVICE name $NEW_DEVICE
+#ip link set $NEW_DEVICE up
+#ip link property add altname $DEVICE dev $NEW_DEVICE
+
+{{ansible_user_dir}}/nextgen-network/scripts/predown.sh
+{{ansible_user_dir}}/nextgen-network/scripts/postup.sh
+
+true

ansible/scripts/ocserv-predown.sh.j2

+#!/bin/bash
+
+export dev="$USERNAME"
+source /etc/ocserv/env-per-user/$USERNAME
+
+{{ansible_user_dir}}/nextgen-network/scripts/predown.sh
+
+true

ansible/scripts/postup.sh.j2

 #!/usr/bin/env bash
 source {{ansible_user_dir}}/nextgen-network/scripts/utility.sh
-wait_lock
+
 #set -e
 
 ip addr add "$localPeerAddress" peer "$remotePeerAddress" dev "$dev" scope link

src/inventory.ts

@@ -8,6 +8,16 @@ import child_process from 'child_process';
 import assert from 'assert';
 import ip from 'ip';
 import { promises as dns } from 'dns';
+import { off } from 'process';
+import os from "os";
+
+async function generateOcpasswdLine(username: string, password: string) {
+	const tmpName = os.tmpdir() + "/" + Math.floor(Math.random() * 10000000);
+	await util.promisify(child_process.exec)(`echo "${password}\\n${password}" | ocpasswd -c ${tmpName} ${username}`);
+	const res = (await fs.promises.readFile(tmpName, "utf-8")).trim();
+	await fs.promises.unlink(tmpName);
+	return res;
+}
 
 class InventoryBuilder {
   hosts: { [key: string]: any };
@@ -16,6 +26,7 @@ class InventoryBuilder {
   routeLists: any;
   resolveCache: Map<string, string>;
   resolver: dns.Resolver;
+  vars: any;
 
   async resolveDomain(domain: string, ipv6: boolean) {
     if (!domain || domain.match(/(\d{1,3}\.){3}\d{1,3}/)) {
@@ -86,11 +97,11 @@ class InventoryBuilder {
     for (const host of Object.values(this.hosts)) {
       host.wgPublickey = await this.wgPublickey(host.wgPrivateKey);
     }
+    this.vars = await this.loadUtilities();
     // console.log(Object.values(this.hosts));
     const rawHosts = await Promise.all(Object.values(this.hosts).map(async (h) => [h.name, await this.host_vars(h)]));
     const hosts = Object.fromEntries(rawHosts);
     // console.log(hosts);
-    const vars = await this.loadUtilities();
     const rawHostsForSwitch = rawHosts.map(rh => {
       const hostVars = JSON.parse(JSON.stringify(rh[1]));
       hostVars.ansible_ssh_host = hostVars.address;
@@ -99,8 +110,8 @@ class InventoryBuilder {
     });
     const switchHosts = Object.fromEntries(rawHostsForSwitch);
     const result = YAML.stringify({
-      wg: { hosts, vars },
-      switch: { hosts: switchHosts, vars: JSON.parse(JSON.stringify(vars)) }
+      wg: { hosts, vars: this.vars },
+      switch: { hosts: switchHosts, vars: JSON.parse(JSON.stringify(this.vars)) }
     });
     return fs.promises.writeFile('result/inventory.yaml', result);
   }
@@ -119,10 +130,6 @@ class InventoryBuilder {
         this.routeLists.mycard.push(c);
       }
     }
-    // temp user before gateways
-    this.routeLists.ladder_needed = raw_utility.ladderNeeded.value.split(',').map((m) => {
-      return m.trim();
-    });
     const vars = {
       routeLists: this.routeLists,
       routeListNames: Object.keys(this.routeLists),
@@ -155,6 +162,7 @@ class InventoryBuilder {
     const lanInterfaces = host.lanInterfaces;
     const masqInterfaces = host.masqInterfaces.length > 0 ? host.masqInterfaces.split(',') : [];
     const routePlans = [];
+    
     for (const h of this.connections) {
       if (h != host.name) {
         const to = host[h]; // 当前主机的条目
@@ -191,6 +199,11 @@ class InventoryBuilder {
       key: host.wgPrivateKey,
       frpsNeeded: host.frpsNeeded,
       frpsPort: host.frpsPort,
+      ocservNeeded: host.ocservNeeded || false,
+      ocservPort: host.ocservPort,
+      ocservCert: host.ocservCert || null,
+      ocMetric: host.ocMetric || null,
+      ocpasswdLines: host.ocpasswdLines || [],
       gateways: _.values(this.gateways[host.name]),
       connections,
       lanInterfaces,
@@ -198,7 +211,7 @@ class InventoryBuilder {
       dockerServices: host.dockerServices,
       routePlans,
       noBird: !!(host.noBird || host.sysBird),
-      systemBird: !!host.sysBird
+      systemBird: !!host.sysBird,
     };
   }
 
@@ -212,12 +225,15 @@ class InventoryBuilder {
     const metric = parseInt(_metric);
     const params = Object.fromEntries(new URLSearchParams(paramsString).entries());
     const name = `mc${!outbound ? 'i' : '-'}${remote.name}`;
+    const remoteName = `mc${!inbound ? 'i' : '-'}${local.name}`;
     const localGatewayName = (cis ? params.lif : params.rif) || params.if;
     const localGateway = localGatewayName ? this.gateways[local.name][localGatewayName] : _.find(this.gateways[local.name]);
+    assert(localGateway, `Gateway ${localGatewayName} for ${local.name} not found.`);
     //console.log(local.name, paramsString, params, localGatewayName, localGateway.name)
     const localGatewayMark = localGateway.mark || 0;
     const remoteGatewayName = (cis ? params.rif : params.lif) || params.if;
     const remoteGateway = remoteGatewayName ? this.gateways[remote.name][remoteGatewayName] : _.find(this.gateways[remote.name]);
+    assert(remoteGateway, `Gateway ${remoteGatewayName} for ${remote.name} not found.`);
     //const remoteGatewayMark = remoteGatewayName ? remoteGateway.mark : undefined;
     //console.log(remoteGateway.name);
     let remoteAddress = remoteGateway.address || null;
@@ -231,12 +247,14 @@ class InventoryBuilder {
     const localPort = (primary ? remote.port : remote.port2) + local.offset;
     const remotePort = (primary ? local.port : local.port2) + remote.offset;
     const remoteFrpsPort = remote.frpsPort;
+    const remoteOcservPort = remote.ocservPort;
     const wgPublicKey = remote.wgPublickey;
     const localPeerAddress = primary ? `10.200.${local.id}.${remote.id}` : `10.201.${local.id}.${remote.id}`;
     const remotePeerAddress = primary ? `10.200.${remote.id}.${local.id}` : `10.201.${remote.id}.${local.id}`;
     const link6Address = `fe80::${primary ? 1 : 2}:${local.id}:${remote.id}/64`;
 
     const frpType = protocol === 'wgfrp' ? (this.gatewayCompare(localGateway, remoteGateway) ? 'frps' : 'frpc') : undefined;
+    const ocType = protocol === 'oc' ? (this.gatewayCompareOcserv(local, remote, localGateway, remoteGateway) ? 'server' : 'client') : undefined;
 
     if (frpType === 'frps' && !local.dockerServices.services.frps) {
       local.frpsNeeded = true;
@@ -259,7 +277,48 @@ class InventoryBuilder {
       };
     }
 
+    if (ocType === 'server') {
+      if (!local.dockerServices.services.ocserv) {
+        local.ocservNeeded = true;
+        local.ocpasswdLines = [];
+        local.ocMetric = metric;
+        local.dockerServices.services.ocserv = {
+          restart: 'always',
+          image: 'git-registry.mycard.moe/nanahira/docker-ocserv',
+          network_mode: 'host',
+          command: 'ocserv -f -d 1',
+          cap_add: ['NET_ADMIN'],
+          devices: ['/dev/net/tun:/dev/net/tun'],
+          volumes: [
+            './ocserv/ocserv.conf:/etc/ocserv/ocserv.conf:ro',
+            './ocserv/config-per-user:/etc/ocserv/config-per-user:ro',
+            './ocserv/env-per-user:/etc/ocserv/env-per-user:ro',
+            './ocserv/ocpasswd:/etc/ocserv/ocpasswd:ro',
+            `./ocserv/certs/${local.ocservCert}:/etc/ssl/certs/${local.ocservCert}:ro`,
+            '$HOME/nextgen-network/scripts:$HOME/nextgen-network/scripts:ro'
+          ]
+        };
+      }
+      local.ocpasswdLines.push(await generateOcpasswdLine(name, this.vars.ocservPassword));
+    }
+
     const mtu = Math.min(localGateway ? localGateway.mtu : 1500, remoteGateway ? remoteGateway.mtu : 1500);
+
+    if (ocType === 'client') {
+      local.dockerServices.services[`openconnect-${name}`] = {
+        restart: 'always',
+        image: 'git-registry.mycard.moe/railgun/openconnect',
+        network_mode: 'host',
+        command: ['bash', '-c', `echo "${this.vars.ocservPassword}" | openconnect --user=${remoteName} --passwd-on-stdin --passtos --interface=${name} --mtu=${mtu} ${remoteAddress}:${remoteOcservPort}`],
+        cap_add: ['NET_ADMIN'],
+        devices: ['/dev/net/tun:/dev/net/tun'],
+        volumes: [
+          `./client-scripts/${name}:/etc/vpnc:ro`,
+          '$HOME/nextgen-network/scripts:$HOME/nextgen-network/scripts:ro'
+        ]
+      };
+    }
+
     //console.log(local.name, name, mtu);
 
     if (outbound) {
@@ -284,7 +343,9 @@ class InventoryBuilder {
       remotePeerAddress,
       link6Address,
       remoteFrpsPort,
+      //remoteOcservPort,
       frpType,
+      ocType,
       inbound,
       outbound,
       mtu
@@ -293,23 +354,30 @@ class InventoryBuilder {
 
   // frps还是frpc的积分，NAT越有利分越高
   gatewayCompareScore(gateway: any): number {
-    let score: number = 0xff - gateway.id; // 8 bits
+    let offset = 0;
+    let score = 0
+    score |= (0xff - gateway.id) << offset; // 8 bits
+    offset += 8;
     const isCNScore = gateway.isCN ? 0 : 1; // 1 bit
-    score |= isCNScore << 8;
+    score |= isCNScore << offset;
+    offset += 1;
     const ipv4NatScore = ({ // 2 bits
       'ports': 0,
       'dmz': 1
     })[gateway.ipv4Nat] || 2;
-    score |= ipv4NatScore << 9;
+    score |= ipv4NatScore << offset;
+    offset += 2;
     const ipv4Score = ({ // 2 bits
       'static': 2,
       'dynamic': 1
     })[gateway.ipv4] || 0;
-    score |= ipv4Score << 11;
+    score |= ipv4Score << offset;
+    offset += 2;
     const globalSSHScore = ({ // 1 bit
       'globalssh': 1
     })[gateway.ssh] || 0;
-    score |= globalSSHScore << 12;
+    score |= globalSSHScore << offset;
+    offset += 1;
     return score;
   }
 
@@ -328,6 +396,17 @@ class InventoryBuilder {
     return this.gatewayCompareScore(localGateway) > this.gatewayCompareScore(remoteGateway);
   }
 
+  gatewayCompareOcserv(local: any, remote: any, localGateway: any, remoteGateway: any): boolean {
+    // 两边至少一个有证书才能连
+    assert(local.ocservCert || remote.ocservCert);
+    // 只有一边有证书用有证书的那边
+    if (!!local.ocservCert !== !!remote.ocservCert) {
+      return !!local.ocservCert;
+    }
+    
+    return this.gatewayCompare(localGateway, remoteGateway);
+  }
+
   async wgPublickey(privateKey) {
     return new Promise((resolve, reject) => {
       const child = child_process.execFile('wg', ['pubkey'], { encoding: 'utf8' }, (error, stdout, stderr) => {

update.sh

@@ -31,5 +31,5 @@ _strip_wg_conf ./protocols/wgfrp/wgfrp.conf.j2 ./protocols/wgfrp/wgfrp-setconf.c
 ansible-playbook -i ../result/inventory.yaml "$@" configure.yaml
 cd ..
 
-rsync -4cavzP ./data/ nanahira@koishi.yuzurisa.com:~/nginx/railgun-data
-ssh -T nanahira@koishi.yuzurisa.com 'cd ~/nginx ; docker-compose restart railgun-enterprise'
+#rsync -4cavzP ./data/ nanahira@koishi.yuzurisa.com:~/nginx/railgun-data
+#ssh -T nanahira@koishi.yuzurisa.com 'cd ~/nginx ; docker-compose restart railgun-enterprise'