[ninux-dev] Fwd: [openwisp] Tinc template for openwisp

Federico Capoano federico.capoano at gmail.com
Tue Apr 18 17:15:37 CEST 2017


Discussion relevant to Ninux Firenze from the OpenWISP list.

---------- Forwarded message ---------
From: Federico Capoano <federico.capoano at gmail.com>
Date: Tue, Apr 18, 2017 at 5:18 PM
Subject: Re: [openwisp] Tinc template for openwisp
To: <openwisp at googlegroups.com>


Hi Gabriel,

On Tue, Apr 18, 2017 at 12:49 AM Gabriel <gabriel at autistici.org> wrote:

> Hello, I made a template to automate the tinc configuration on
> OpenWRT/LEDE:
> This template configures an L2 "star" VPN with IPv4 on top.
> The central node (or Server) is used to authenticate the users and to
> perform NAT traversal, then all the traffic is P2P between the clients.
>

Great news and thanks for sharing.

> The template and the configuration for a generic node are attached, you
> just need to substitute the uppercase stuff:
>
> The vpn must be identified with a unique name: NET_NAME
>
> There's one central node (server) identified by: SERVER_NAME
> This node must have a public address: SERVER_HOSTNAME
> It also needs a public rsa key: SERVER_RSA_PUB_KEY
>

All these variables are good candidates to be kept in a setting called
NETJSONCONFIG_CONTEXT
<https://github.com/openwisp/django-netjsonconfig#netjsonconfig-context>,
which stores a python dictionary that is then passed to the context of
netjsonconfig
<http://netjsonconfig.openwisp.org/en/stable/general/basics.html#context-configuration-variables>
(the underlying configuration engine library).

If you are using ansible-openwisp2
<https://github.com/openwisp/ansible-openwisp2> to deploy and upgrade
openwisp2, you can fill this setting by using the variable
*openwisp2_context*, like in the following example:

- hosts: yourhost
  roles:
    - openwisp.openwisp2
  vars:
    openwisp2_context:
      tinc_net_name: <NET_NAME>
      tinc_server_name: <SERVER_NAME>
      tinc_server_hostname: <SERVER_HOSTNAME>
      tinc_server_pubkey: <SERVER_RSA_PUB_KEY>

You can then reference these variables in the configuration by using
{{ tinc_net_name }}, {{ tinc_server_name }} and so on.

Doing this will make your life easier when you will have to change one of
those values in the future.

> The client must have a unique name: CLIENT_NAME
> and an address to communicate in the vpn: CLIENT_ADDRESS
>
>
> It was easy to create this template and it's working, however I have
> some doubts:
>
> 1) I need to specify the CLIENT_NAME and the CLIENT_ADDRESS _manually_
> on each device using the configuration in "tinc_client.json".
> Is there a way to variabilize these values in the template?
>

For CLIENT_NAME, you can use one of the variables available for each
object, from the docs
<https://github.com/openwisp/django-netjsonconfig#netjsonconfig-context>:

*Each Config object gets the following attributes passed as configuration
variables:*

   - *id*
   - *key*
   - *name*
   - *mac_address*

There's also a video in which I show this feature: Some advanced features
of OpenWISP2 (1:43)
<https://www.youtube.com/watch?v=IZEesG3UDio&feature=youtu.be&t=103>

For CLIENT_ADDRESS, I am afraid OpenWISP2 can't do this out of the box
right now.

It's possible to write a Python function that uses the Django ORM to
insert the IP address according to some rules that you can define.
It is then possible to set up this Python function to be called each time a
new configuration is created.

> 2) The VPN is not fully automatic, the RSA public key is generated
> when tinc gets started for the first time, then it must be manually
> copied from the client to the server.
> Any ideas on how to automate it?
>

I don't have a simple solution to suggest.

Is it not possible to tell tinc to accept clients which have a public key
signed by a specific Certification Authority, like OpenVPN does?


> 3) When the configuration is updated openwisp-config doesn't run
> "/etc/init.d/tinc restart" and it must be manually restarted. Is it ok?
>

openwisp-config should run /etc/init.d/tinc reload, see this line:
https://github.com/openwisp/openwisp-config/blob/master/openwisp-config/files/sbin/openwisp-reload-config#L21

Try to deliberately change the configuration so that openwisp-config
downloads it and applies it, then check the logread output with:

logread | grep openwisp

Do you see any mention of tinc?
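As an added example (not code from this message, from Gabriel's template or from the OpenWISP project), the following script shows one way to fill the two values the thread says must be typed by hand, CLIENT_NAME and CLIENT_ADDRESS, from the per-Config variables listed above (id, key, name, mac_address), and then to reference them in a tinc-style template with the {{ variable }} syntax. One check a practitioner wants here: tinc only accepts letters, digits and underscores in node names, so neither the UUID id (hyphens) nor the raw MAC (colons) can be used as-is. The variable names, the 10.42.0.0/16 range, the FakeConfig stand-in for the Config model and the render() function (a minimal imitation of the placeholder substitution, not netjsonconfig itself) are all assumptions.

```python
"""Added example, not part of the original thread or of OpenWISP.

Derives CLIENT_NAME and CLIENT_ADDRESS from the attributes every Config
object gets as context variables, then renders constructed tinc-style
templates that reference them. VPN range, variable names, FakeConfig and
render() are assumptions; render() is a tiny stand-in, not netjsonconfig.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Assumed VPN range for CLIENT_ADDRESS; the server takes the first host.
VPN_NET = ipaddress.ip_network("10.42.0.0/16")
SERVER_ADDRESS = str(VPN_NET.network_address + 1)

# Values the message suggests keeping in NETJSONCONFIG_CONTEXT (assumed names/values).
GLOBAL_CONTEXT = {
    "tinc_net_name": "ninuxfi",
    "tinc_server_name": "gateway",
    "tinc_server_hostname": "vpn.example.org",
}


@dataclass
class FakeConfig:
    """Stand-in for a django-netjsonconfig Config (assumption): the four
    attributes the message lists plus a dict for per-device variables."""
    id: str
    key: str
    name: str
    mac_address: str
    context: dict = field(default_factory=dict)


def tinc_node_name(config: FakeConfig) -> str:
    """CLIENT_NAME from the MAC: tinc allows only [A-Za-z0-9_] in node names,
    so strip separators and add a letter prefix (unique as long as MACs are)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", config.mac_address).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {config.mac_address!r}")
    return f"node_{digits}"


def new_registry() -> set:
    """Addresses already in use (what the ORM query would return); the
    server's own address is reserved up front."""
    return {SERVER_ADDRESS}


def allocate_address(mac_address: str, allocated: set, network=VPN_NET) -> str:
    """Deterministic CLIENT_ADDRESS: start at the host offset given by the low
    16 bits of the MAC, never use the network or broadcast address, and probe
    forward (wrapping) until an address not yet in `allocated` is found, so two
    devices whose MACs collide in the low bytes still get distinct addresses."""
    hosts = network.num_addresses - 2            # usable host offsets 1..hosts
    low16 = int(re.sub(r"[^0-9A-Fa-f]", "", mac_address)[-4:], 16)
    for step in range(hosts):
        offset = (low16 + step - 1) % hosts + 1  # maps 0..65535 into 1..hosts
        candidate = str(network.network_address + offset)
        if candidate not in allocated:
            allocated.add(candidate)
            return candidate
    raise RuntimeError("VPN range exhausted")


def handle_new_config(config: FakeConfig, allocated: set) -> dict:
    """What a hook run on each new Config would do: fill the per-device
    variables. In Django this would be a post_save receiver on the Config
    model (wiring assumed, not shown here)."""
    config.context["tinc_client_name"] = tinc_node_name(config)
    config.context["tinc_client_address"] = allocate_address(config.mac_address, allocated)
    return config.context


PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template: str, config: FakeConfig) -> str:
    """Substitute {{ name }} from the global context merged with the device's
    own; an unknown variable is an error, never an empty string, so a
    half-filled tinc.conf cannot be pushed to a device."""
    context = {**GLOBAL_CONTEXT, **config.context}

    def substitute(match):
        name = match.group(1)
        if name not in context:
            raise KeyError(f"unresolved variable {{{{ {name} }}}}")
        return str(context[name])

    return PLACEHOLDER.sub(substitute, template)


# Constructed templates: tinc.conf in switch mode (the L2 VPN of the thread)
# and a tinc-up script that assigns CLIENT_ADDRESS to the tunnel interface.
TINC_CONF_TEMPLATE = """\
Name = {{ tinc_client_name }}
ConnectTo = {{ tinc_server_name }}
Mode = switch
"""
TINC_UP_TEMPLATE = """\
#!/bin/sh
ip link set "$INTERFACE" up
ip addr add {{ tinc_client_address }}/16 dev "$INTERFACE"
"""


def build_files(config: FakeConfig, allocated: set) -> dict:
    """Fill the per-device variables and render both files for one client."""
    handle_new_config(config, allocated)
    return {"tinc.conf": render(TINC_CONF_TEMPLATE, config),
            "tinc-up": render(TINC_UP_TEMPLATE, config)}


if __name__ == "__main__":
    device = FakeConfig(id="3c4d2d0e-4c2a-4e6c-9d5f-2a6b1f9e8c10",
                        key="0123456789abcdef0123456789abcdef",
                        name="fi-node-1", mac_address="00:11:22:33:44:55")
    for path, body in build_files(device, new_registry()).items():
        print(f"--- {path}\n{body}")
```

The allocation rule is just one example of the "rules that you can define"; the point is that it is deterministic (re-running it for the same device gives the same address) and that it consults the set of addresses already handed out before committing, which is what the ORM lookup would do in a real hook.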