re6stnet: new client-only and routing-only mode

demo/demo

@@ -9,15 +9,15 @@ VERBOSE = 4
 #                           |.2
 #                           |10.0.0
 #                           |.1
-#        ---------------Internet---------------
-#        |.1                |.1               |.1
-#        |10.1.0            |10.2.0           |
-#        |.2                |.2               |
+#        ---------------Internet----------------
+#        |.1                |.1                |.1
+#        |10.1.0            |10.2.0            |
+#        |.2                |.2                |
 #    gateway1           gateway2           s3:10.0.1
-#        |.1                |.1            |.2     |.3
-#    s1:10.1.1          s2:10.2.1          m5      m6
-#    |.2     |.3        |.2     |.3
-#    m1      m2         m3      m4
+#        |.1                |.1            |.2 |.3 |.4
+#    s1:10.1.1          s2:10.2.1          m6  m7  m8
+#    |.2     |.3        |.2 |.3 |.4
+#    m1      m2         m3  m4  m5
 #
 
 registry = 'registry/registry.db'
@@ -41,8 +41,8 @@ disable_signal_on_children(signal.SIGINT)
 # create nodes
 for name in """internet=I registry=R
                           gateway1=g1 machine1=1 machine2=2
-                          gateway2=g2 machine3=3 machine4=4
-                          machine5=5 machine6=6
+                          gateway2=g2 machine3=3 machine4=4 machine5=5
+                          machine6=6 machine7=7 machine8=8
             """.split():
     name, short = name.split('=')
     globals()[name] = node = nemu.Node()
@@ -78,6 +78,8 @@ m3_if_0 = nemu.NodeInterface(machine3)
 m4_if_0 = nemu.NodeInterface(machine4)
 m5_if_0 = nemu.NodeInterface(machine5)
 m6_if_0 = nemu.NodeInterface(machine6)
+m7_if_0 = nemu.NodeInterface(machine7)
+m8_if_0 = nemu.NodeInterface(machine8)
 
 # connect to switch
 switch1.connect(g1_if_1)
@@ -87,15 +89,17 @@ switch1.connect(m2_if_0)
 switch2.connect(g2_if_1)
 switch2.connect(m3_if_0)
 switch2.connect(m4_if_0)
+switch2.connect(m5_if_0)
 
 switch3.connect(in_if_3)
-switch3.connect(m5_if_0)
 switch3.connect(m6_if_0)
+switch3.connect(m7_if_0)
+switch3.connect(m8_if_0)
 
 # setting everything up
 switch1.up = switch2.up = switch3.up = True
 re_if_0.up = in_if_0.up = in_if_1.up = g1_if_0.up = in_if_2.up = g2_if_0.up = True
-in_if_3.up = g1_if_1.up = g2_if_1.up = m1_if_0.up = m2_if_0.up = m3_if_0.up = m4_if_0.up = m5_if_0.up = m6_if_0.up = True
+in_if_3.up = g1_if_1.up = g2_if_1.up = m1_if_0.up = m2_if_0.up = m3_if_0.up = m4_if_0.up = m5_if_0.up = m6_if_0.up = m7_if_0.up = m8_if_0.up = True
 
 # Add IPv4 addresses
 re_if_0.add_v4_address(address='10.0.0.2', prefix_len=24)
@@ -111,8 +115,10 @@ m1_if_0.add_v4_address(address='10.1.1.2', prefix_len=24)
 m2_if_0.add_v4_address(address='10.1.1.3', prefix_len=24)
 m3_if_0.add_v4_address(address='10.2.1.2', prefix_len=24)
 m4_if_0.add_v4_address(address='10.2.1.3', prefix_len=24)
-m5_if_0.add_v4_address(address='10.0.1.2', prefix_len=24)
-m6_if_0.add_v4_address(address='10.0.1.3', prefix_len=24)
+m5_if_0.add_v4_address(address='10.2.1.4', prefix_len=24)
+m6_if_0.add_v4_address(address='10.0.1.2', prefix_len=24)
+m7_if_0.add_v4_address(address='10.0.1.3', prefix_len=24)
+m8_if_0.add_v4_address(address='10.0.1.4', prefix_len=24)
 
 # setup routes
 registry.add_route(prefix='10.0.0.0', prefix_len=8, nexthop='10.0.0.1')
@@ -120,12 +126,12 @@ registry.add_route(prefix='10.0.0.0', prefix_len=8, nexthop='10.0.0.1')
 internet.add_route(prefix='10.2.0.0', prefix_len=16, nexthop='10.2.0.2')
 gateway1.add_route(prefix='10.0.0.0', prefix_len=8, nexthop='10.1.0.1')
 gateway2.add_route(prefix='10.0.0.0', prefix_len=8, nexthop='10.2.0.1')
-machine1.add_route(nexthop='10.1.1.1')
-machine2.add_route(nexthop='10.1.1.1')
-machine3.add_route(prefix='10.0.0.0', prefix_len=8, nexthop='10.2.1.1')
-machine4.add_route(prefix='10.0.0.0', prefix_len=8, nexthop='10.2.1.1')
-machine5.add_route(prefix='10.0.0.0', prefix_len=8, nexthop='10.0.1.1')
-machine6.add_route(prefix='10.0.0.0', prefix_len=8, nexthop='10.0.1.1')
+for m in machine1, machine2:
+    m.add_route(nexthop='10.1.1.1')
+for m in machine3, machine4, machine5:
+    m.add_route(prefix='10.0.0.0', prefix_len=8, nexthop='10.2.1.1')
+for m in machine6, machine7, machine8:
+    m.add_route(prefix='10.0.0.0', prefix_len=8, nexthop='10.0.1.1')
 
 # Test connectivity first. Run process, hide output and check
 # return code
@@ -147,10 +153,13 @@ if 1:
     machine2.screen('../re6stnet @m2/re6stnet.conf -v%u' % VERBOSE)
     machine3.screen('../re6stnet @m3/re6stnet.conf -v%u -i%s' % (VERBOSE, m3_if_0.name))
     machine4.screen('../re6stnet @m4/re6stnet.conf -v%u -i%s' % (VERBOSE, m4_if_0.name))
-    machine5.screen('../re6stnet @m5/re6stnet.conf -v%u' % VERBOSE)
+    machine5.screen('../re6stnet @m5/re6stnet.conf -v%u -i%s' % (VERBOSE, m5_if_0.name))
     machine6.screen('../re6stnet @m6/re6stnet.conf -v%u' % VERBOSE)
+    machine7.screen('../re6stnet @m7/re6stnet.conf -v%u' % VERBOSE)
+    machine8.screen('../re6stnet @m8/re6stnet.conf -v%u' % VERBOSE)
 
-nodes = registry, machine1, machine2, machine3, machine4, machine5, machine6
+nodes = registry, machine1, machine2, machine3, machine4, \
+                  machine5, machine6, machine7, machine8
 _ll = {}
 def node_by_ll(addr):
     try:

demo/m5/re6stnet.conf

 log m5/
 state m5/
 babel-pidfile m5/babeld.pid
-pp 1194 udp
 hello 4
-dh m5/dh2048.pem
 ca ca.crt
 cert m5/cert.crt
 key m5/cert.key
-client-count 2
-tunnel-refresh 100
-registry http://10.0.0.2:80
+client-count 0
+max-clients 0

demo/m7/cert.key

+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCfm4XUr8MTVzJA
+f5VFArRcvZcGguE1BFvu6MauoN/XdJ92EhgxElbV43QZXVtUlp67+HqiUrrebzOp
+sBJ+MYWSNuM63FguUxZHMpDFfYnTpv/vyJVZ7e2gSKyHYDHAEHElVkcyfVWifmom
+ZAR1X7JTey0IK1vnqS+rc4rSRSiuMvqoRHkdzuultNZge+TPkX5pmvmPwXi3fKHS
+t/LOu/Eyxf07eTBw0Tsl6eU4du6BsWQ+ynS8EJKzjUnaLMC6ICPs+wS9PBTyJIIm
+Z92Qri2s14Y+fsN/wPD9ZiKnjmi6x5v9nZNxfzFunpCEgPL7J4slh7tpNEENOMob
+47gTb+4bAgMBAAECggEAVXAhQescV9wTcGdbdmeuOP7cO4YQHBtLQyakRJKlgGZT
+fhbNkGcqyLBLU9CftTYznpeyvfXfRnbshudT3u2PfOeY18dgBNxBTreIu88p2nzJ
+AIi1OkCdNXHxuT4LI68pgj0fO63QC330QLzFjjc99GY5gugC+I2ekP72zvxqfGTB
+M/Pnz7yAYdRiYGV/OUtg7Odoj16SJIRXmM1GgidHwo0Y7n/WxN2sBmlryo/YE25G
+h0ohaD3ia7fIDXRsKmeMo1DYEFwKNPH2RcZyBpUePmJ0KZ/9YvhcINa0rss3pm5R
+mpO6KjrtD7wwrE8eNu0i5CW4g4lPoWc2sXUiO7lkcQKBgQDRF357Uw2OpNvi28kq
+kmtEKD8NR3XDiWdcaCuA8SGiTLRFoyB5X+2vjoabUh8KrbRIpKRn5i1abTDR7NyF
+NO5LfMBWmsQYuZBtGAFpWCGxLWruPSVZBDGr9dUIFN4x7jCk2e4Ef3ewjg3PG4CB
+M/2pQRq9ChgYgqWEAHFtNKoGNQKBgQDDag+fKigQJZrotnsCSRkEnnCIvjmDGUhW
+B+YaZB7mFUaYrCy36ET8RiFhBHRFeEKt9S79zPJGwWAxE622Vy5DIa+hJsX1eKHH
+CV/flZCjwqBP8AoLWXgSN8BZa4hH1Vi4WQw2cgdVXdWfl2JatDXSabJ4/7jv8Gig
+3WC5HCFtDwKBgQCa/qR2vMEu/Uw2ZaBAm5tCQedDa7aDRWbGXD3rblP1YJC9kkfv
+UUn7OlbT6lMyckNTGiD5F+qEvq5S3xc082C1untFd6JnhZ7nD8V0Fq2bDkTW56K4
+0uATTb8mJ3nyX1PVz+qdkPPjf9oCratbm3OstKMigMoN2ULikAWE42YqBQKBgQCw
+ivliCmv3aoHxDCtFfVSk3587at/6mLTJRImV/i4MH9yPwb0EyUrJv3IYfDWvLV7Q
+WloB4U5grgOBUw31Vf3tmFlbdfQSONGvR8Dd9fmeeQ7sKShp6IKZstSL9KJCg3SL
+16c46PvHG+cLL3EkEPsvBV7AAgfKfZ+I9XeUxN1N8QKBgQCMceN/1DHqZqaM4s4y
+S3WEqKSN9QE0UBpNHDCee74J3u4T8eDKVNlBs/NjCozdFu1oU/atyaopS+4wMJxz
+BqyF1kLbXd+8NPnXX2LQv5G/4m5iGB/Le/YUR1CHCvHB0QaiDn7osdBPO5DcJLs6
+XpphqglUPgBRCBZyE2BmG7IwDw==
+-----END PRIVATE KEY-----

demo/m7/re6stnet.conf

+log m7/
+state m7/
+babel-pidfile m7/babeld.pid
+pp 1194 udp
+hello 4
+dh m7/dh2048.pem
+ca ca.crt
+cert m7/cert.crt
+key m7/cert.key
+client-count 2
+tunnel-refresh 100
+registry http://10.0.0.2:80

demo/m8/cert.key

+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCypXS4+KQ0yuaG
+b+xky5gKgs5lT/DhM3QQv78GUGg/4a8eCaKFGxJyOZwryIvVlwQQM2G9NfPSr9ba
+wfR/9t7EIcaqPgVtUvzSRE5eTh52kLnXAmCR4XiKO/HxYvZ3mTDz20ONOcmfohCx
+McO+S5rrDDUoxd6qSUWTSh6TLs8FbHVRx9zhW08kRjpQJ2A/bOwpHpsUeVOUv1vV
+0bKiO/gFfoZkRAPJOLBtxqpWy8OPLUWDk86yta9lXAnG8OrG9pl1Qqch66ajspcL
+KSVraotKPau/lwudWcEkbhuiwKWt1QjeFZDY2QKXeuucXbuumbDPyOsXwsIdvrsW
+IqbJAt+lAgMBAAECggEBAKBkz0SX8Q55Mbp4WN0ysmKViOwLdzEqukWjcsYfgUoB
+vfGRIvqxEMG/mcjxuSLfAMXu7A0umKiMObKVO4l8xAuCa9VD9Clwvg+nRlmDd/Rq
+AoDZ4Ix5zHkIUzSv7qv4vavkLGVrAeyyXJxLGv0K8p+giUX/SejH+pDAlmz9NOAf
+PUwcGOS9GB6cLGWeNvtep+5OZ7q/xgM7JHLJZpGy9nzz3HOrv43FU4BmClYeN9jZ
+RhaBRZHdhGQYV7qO9heWrhpcwX4gsNHodzFzGA6fLZfrcAWhqPaYqHTTC64S3sBo
+rmzNz0E1FAzccr8NBBmiQZRBxoXwCKjAXwT2QDrGt6ECgYEA4G9GlIWdyGqpEqK1
+oTpkFwvzt0ATbvzyFWqAUSpiBDQsBGVntEYSB9Grs2uNBfckUGQAPEyu4FGb5qMw
+8/Fftmr3jRP8KjoExGED+zjfsyxSvJ4Yki6Ab5cQZPCRmCZLmumrG0iqiVDot4eF
+htiy3QvIrQM9D4khaUCfsIL1MTkCgYEAy8WUbP31/Gvz1YhfpiKrMxf/V/QpDKDP
+vkpL8xKn7D01qkocDCggQwxNqhtC7RccJPgTJtXcdT7T+0q85x8c7d5yknBkJoOh
+NbM9wvO3lOOpXoNUbTBiEd1MqByoAfSRawrBduT6z/NjQ+7oTItJFSnJ32a8M13k
+JVVi6w/PHc0CgYEAp1xzbnfBNF3NXJc3CFbJoqIICOPgWgiH4c58h4oqc2YQWOrh
+jX4fHfONrYsLK6KjUstvnYe1dJOGxVN2QsMBE7/qgCqiBT8kpOiPlnxP3IW14O+n
+9QJ2RkCJOixm9eXAxXFwZjUm7qUGFS4bNXZM0ydhaxsaIoapAprtOiw9+YkCgYAG
+y/5ZbFcqJkep1bSrC/j96U0BGAnOfAax6DSEVRj4zknd9j7dQPFiiySECgi/c8fi
+i8vHvdZuqrvTY/jNFMKYRJU5wTn19uoHqoTi3dI/yyA5INROGBENW35VFS+dcRTw
+pxkw6A5dpVaoS23AL90uMYikRP7+D6GuhRyZjptv+QKBgQC+Njwb4fudZ6E57QdT
+T2/B7VRtPPSOsGHi8K+6d7talsJjmk3SUPqXuRyQqyE8v8j1XGMhT6akO8bUqu/B
+OD19f39fvgWF43jjvku3KpDrdVyu5giahRCzBsUfiBQ3jR2yiruro8HgNidzw8Jp
+mSJW4O10KX4nT0Fg6Alg5Srj2Q==
+-----END PRIVATE KEY-----

demo/m8/re6stnet.conf

+log m8/
+state m8/
+babel-pidfile m8/babeld.pid
+hello 4
+ca ca.crt
+cert m8/cert.crt
+key m8/cert.key
+client 10.0.1.2,1194,udp;10.0.1.3,1194,udp

demo/registry/registry.sql

@@ -21,8 +21,9 @@ INSERT INTO "cert" VALUES('000000001',NULL,NULL);
 INSERT INTO "cert" VALUES('0000000001',NULL,NULL);
 INSERT INTO "cert" VALUES('00000000001',NULL,NULL);
 INSERT INTO "cert" VALUES('000000000001',NULL,NULL);
-INSERT INTO "cert" VALUES('0000000000001',NULL,NULL);
-INSERT INTO "cert" VALUES('0000000000000111',NULL,NULL);
+INSERT INTO "cert" VALUES('00000000000011',NULL,NULL);
+INSERT INTO "cert" VALUES('000000000000101',NULL,NULL);
+INSERT INTO "cert" VALUES('0000000000001001',NULL,NULL);
 INSERT INTO "cert" VALUES('0000000000000000','re6st@example.com','-----BEGIN CERTIFICATE-----
 MIICwTCCAakCAQAwDQYJKoZIhvcNAQEFBQAwPjEaMBgGA1UEAwwRcmU2c3QuZXhh
 bXBsZS5jb20xIDAeBgkqhkiG9w0BCQEWEXJlNnN0QGV4YW1wbGUuY29tMB4XDTEy
@@ -113,7 +114,7 @@ jMzpA8nGWSXfDKfgtsFRNFcHEf1ozGH9aqtBUtWTNysb2zyMV4NpQ8R0R6UjgJpf
 8eW1huxWm9bSD8PzCzaCApThGN89dvayTVibXaZVtNT0sZaBrw==
 -----END CERTIFICATE-----
 ');
-INSERT INTO "cert" VALUES('0000000000000101','baz@example.com','-----BEGIN CERTIFICATE-----
+INSERT INTO "cert" VALUES('0000000000000101','bar@example.com','-----BEGIN CERTIFICATE-----
 MIICwTCCAakCAQAwDQYJKoZIhvcNAQEFBQAwPjEaMBgGA1UEAwwRcmU2c3QuZXhh
 bXBsZS5jb20xIDAeBgkqhkiG9w0BCQEWEXJlNnN0QGV4YW1wbGUuY29tMB4XDTEy
 MDkwNjEyNDgxOVoXDTEzMDkwNjEyNDgxOVowDzENMAsGA1UEAxMENS8xNjCCASIw
@@ -131,7 +132,7 @@ SJT7estAjJYmkPGiZIsZg8z6VquHGEmG+TDP9qmbdlGrPshI11dnqF8B0ozeSNWN
 o1taiYL3UMPOORzgdDrPNe+W4l7BxHAF3ctJLa88PjbK39hhbw==
 -----END CERTIFICATE-----
 ');
-INSERT INTO "cert" VALUES('0000000000000110','qux@example.com','-----BEGIN CERTIFICATE-----
+INSERT INTO "cert" VALUES('0000000000000110','baz@example.com','-----BEGIN CERTIFICATE-----
 MIICwTCCAakCAQAwDQYJKoZIhvcNAQEFBQAwPjEaMBgGA1UEAwwRcmU2c3QuZXhh
 bXBsZS5jb20xIDAeBgkqhkiG9w0BCQEWEXJlNnN0QGV4YW1wbGUuY29tMB4XDTEy
 MDkwNjEyNDk1N1oXDTEzMDkwNjEyNDk1N1owDzENMAsGA1UEAxMENi8xNjCCASIw
@@ -149,4 +150,40 @@ ZHyZtobDw/6U+U64dYBfWpDdZ8bSJnaueufbgGsPIIteOBeZJJzPBHYivi6rq6rR
 syCrauaY43bjqe5i8ydsxVuW5CjBC4Us1/IVA7Ju7p7O9H6EeA==
 -----END CERTIFICATE-----
 ');
+INSERT INTO "cert" VALUES('0000000000000111','qux@example.com','-----BEGIN CERTIFICATE-----
+MIICwTCCAakCAQAwDQYJKoZIhvcNAQEFBQAwPjEaMBgGA1UEAwwRcmU2c3QuZXhh
+bXBsZS5jb20xIDAeBgkqhkiG9w0BCQEWEXJlNnN0QGV4YW1wbGUuY29tMB4XDTEy
+MDkwNzEzMTkwMFoXDTEzMDkwNzEzMTkwMFowDzENMAsGA1UEAxMENy8xNjCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ+bhdSvwxNXMkB/lUUCtFy9lwaC
+4TUEW+7oxq6g39d0n3YSGDESVtXjdBldW1SWnrv4eqJSut5vM6mwEn4xhZI24zrc
+WC5TFkcykMV9idOm/+/IlVnt7aBIrIdgMcAQcSVWRzJ9VaJ+aiZkBHVfslN7LQgr
+W+epL6tzitJFKK4y+qhEeR3O66W01mB75M+Rfmma+Y/BeLd8odK38s678TLF/Tt5
+MHDROyXp5Th27oGxZD7KdLwQkrONSdoswLogI+z7BL08FPIkgiZn3ZCuLazXhj5+
+w3/A8P1mIqeOaLrHm/2dk3F/MW6ekISA8vsniyWHu2k0QQ04yhvjuBNv7hsCAwEA
+ATANBgkqhkiG9w0BAQUFAAOCAQEATTEvWndEObmFBiu+eZlwt8twcbA6r5Qgq/0v
+JIl/TyvGqGa4wWmt/zIHU5rgZe/QC1BfVzB5pSk3TtgCfUQK+eORjowxIaz6BKD4
+U4vxC6cmJhuPwHHaq0z1xgQD6Jha0zkPLWb3FbrcquH/F/hRbA+uIG+sYJLhJC1p
+gtXwzXiA+IcSmWxL4tIynFbsxSpEKyUbgNp8d//AxB08SA62Sx5JtG6lZiLtHrhE
+eOcXdpAmZOs+jsdfax3MhEe8BpaZ8WIx5Au+ddkYAB+8Y/D/17CAl3QJUR6l2JlO
+YmyreTZ8FIIuw8mUoaFgz7lz8qAC7PLklLz81VTgDcq3pCKdJw==
+-----END CERTIFICATE-----
+');
+INSERT INTO "cert" VALUES('0000000000001000','qux@example.com','-----BEGIN CERTIFICATE-----
+MIICwTCCAakCAQAwDQYJKoZIhvcNAQEFBQAwPjEaMBgGA1UEAwwRcmU2c3QuZXhh
+bXBsZS5jb20xIDAeBgkqhkiG9w0BCQEWEXJlNnN0QGV4YW1wbGUuY29tMB4XDTEy
+MDkwNzEzMzgyN1oXDTEzMDkwNzEzMzgyN1owDzENMAsGA1UEAxMEOC8xNjCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALKldLj4pDTK5oZv7GTLmAqCzmVP
+8OEzdBC/vwZQaD/hrx4JooUbEnI5nCvIi9WXBBAzYb0189Kv1trB9H/23sQhxqo+
+BW1S/NJETl5OHnaQudcCYJHheIo78fFi9neZMPPbQ405yZ+iELExw75LmusMNSjF
+3qpJRZNKHpMuzwVsdVHH3OFbTyRGOlAnYD9s7CkemxR5U5S/W9XRsqI7+AV+hmRE
+A8k4sG3GqlbLw48tRYOTzrK1r2VcCcbw6sb2mXVCpyHrpqOylwspJWtqi0o9q7+X
+C51ZwSRuG6LApa3VCN4VkNjZApd665xdu66ZsM/I6xfCwh2+uxYipskC36UCAwEA
+ATANBgkqhkiG9w0BAQUFAAOCAQEAPjQhnmYiTuKcxXmVOQBMHwEe1TAZIgCMdiGI
+B3asRz8OV9LADi9otg3ikNyaKjMJ2RzbBVsy7SBggJcW6ah6GTAoCFeIFy38kz9G
+qZnWyZz2NfI1VXfIIzrvCQQERPjp+c3U5LaPwti6FD0YQ+8u0oydiV+LG/ZtPlv0
+pvyQ0E3VIOZ9u4OJ8cDPmx7CjDEKxg3bpeP6pXJkyXBmyBGvtPUhq7p4hX7f7gUM
+XUqGjnQEt2DbNHB33Z+tL/LP8bsXsiUkNaTRghYSk0PTmFwJbGkTA97AC+QpjpE1
++WUd86Z9FRRR37t/nFQNvm6wZqemsT2Wal1cVv6YVFeEZOvrFw==
+-----END CERTIFICATE-----
+');
 COMMIT;

re6st/ovpn-server

@@ -3,6 +3,8 @@ import os
 import sys
 
 script_type = os.environ['script_type']
+arg1 = sys.argv[1]
+
 if script_type == 'up':
     import subprocess
     def call(*args):
@@ -11,8 +13,8 @@ if script_type == 'up':
             sys.exit(r)
     dev = os.environ['dev']
     call('ip', 'link', 'set', dev, 'up')
-    if sys.argv[1] != 'none':
-        call('ip', 'addr', 'add', sys.argv[1], 'dev', dev)
+    if arg1 != 'None':
+        call('ip', 'addr', 'add', arg1, 'dev', dev)
 
 else:
     if script_type == 'client-connect':
@@ -22,4 +24,5 @@ else:
                     % os.environ['trusted_ip'])
 
     # Write into pipe connect/disconnect events
-    os.write(int(sys.argv[1]), '%(script_type)s %(common_name)s\n' % os.environ)
+    if arg1 != 'None':
+        os.write(int(arg1), '%(script_type)s %(common_name)s\n' % os.environ)

re6st/plib.py

@@ -6,14 +6,13 @@ ovpn_server = os.path.join(here, 'ovpn-server')
 ovpn_client = os.path.join(here, 'ovpn-client')
 ovpn_log = None
 
-def openvpn(iface, hello_interval, encrypt, *args, **kw):
+def openvpn(iface, encrypt, *args, **kw):
     args = ['openvpn',
         '--dev-type', 'tap',
         '--dev', iface,
         '--persist-tun',
         '--persist-key',
         '--script-security', '2',
-        '--ping-exit', str(4 * hello_interval),
         #'--user', 'nobody', '--group', 'nogroup',
         ] + list(args)
     if ovpn_log:
@@ -24,17 +23,15 @@ def openvpn(iface, hello_interval, encrypt, *args, **kw):
     return subprocess.Popen(args, **kw)
 
 
-def server(iface, server_ip, ip_length, max_clients, dh_path, pipe_fd, port, proto, hello_interval, encrypt, *args, **kw):
-    if server_ip:
-        script_up = '%s %s/%u' % (ovpn_server, server_ip, ip_length)
-    else:
-        script_up = '%s none' % (ovpn_server)
-    return openvpn(iface, hello_interval, encrypt,
+def server(iface, my_ip, max_clients, dh_path, pipe_fd, port, proto, encrypt, *args, **kw):
+    client_script = '%s %s' % (ovpn_server, pipe_fd)
+    if pipe_fd is not None:
+        args = ('--client-disconnect', client_script) + args
+    return openvpn(iface, encrypt,
         '--tls-server',
         '--mode', 'server',
-        '--up', script_up,
-        '--client-connect', ovpn_server + ' ' + str(pipe_fd),
-        '--client-disconnect', ovpn_server + ' ' + str(pipe_fd),
+        '--up', '%s %s' % (ovpn_server, my_ip),
+        '--client-connect', client_script,
         '--dh', dh_path,
         '--max-clients', str(max_clients),
         '--port', str(port),
@@ -42,11 +39,8 @@ def server(iface, server_ip, ip_length, max_clients, dh_path, pipe_fd, port, pro
         *args, **kw)
 
 
-def client(iface, server_address, pipe_fd, hello_interval, encrypt, *args, **kw):
-    remote = ['--nobind',
-              '--client',
-              '--up', ovpn_client,
-              '--route-up', ovpn_client + ' ' + str(pipe_fd)]
+def client(iface, server_address, encrypt, *args, **kw):
+    remote = ['--nobind', '--client']
     try:
         for ip, port, proto in utils.address_list(server_address):
             remote += '--remote', ip, port, \
@@ -55,7 +49,7 @@ def client(iface, server_address, pipe_fd, hello_interval, encrypt, *args, **kw)
         logging.warning("Failed to parse node address %r (%s)",
                         server_address, e)
     remote += args
-    return openvpn(iface, hello_interval, encrypt, *remote, **kw)
+    return openvpn(iface, encrypt, *remote, **kw)
 
 
 def router(network, subnet, subnet_size, hello_interval, log_path, state_path,

re6st/tunnel.py

@@ -11,9 +11,13 @@ class Connection:
 
     def __init__(self, address, write_pipe, hello, iface, prefix, encrypt,
             ovpn_args):
-        self.process = plib.client(iface, address, write_pipe, hello, encrypt,
+        self.process = plib.client(iface, address, encrypt,
             '--tls-remote', '%u/%u' % (int(prefix, 2), len(prefix)),
-            '--connect-retry-max', '3', '--tls-exit', *ovpn_args)
+            '--connect-retry-max', '3', '--tls-exit',
+            '--ping-exit', str(4 * hello),
+            '--up', plib.ovpn_client,
+            '--route-up', '%s %u' % (plib.ovpn_client, write_pipe),
+            *ovpn_args)
         self.iface = iface
         self.routes = 0
         self._prefix = prefix

re6stnet

 #!/usr/bin/env python
-import atexit, errno, logging, os, select
-import signal, sqlite3, sys, time, traceback
+import atexit, errno, logging, os, select, signal
+import sqlite3, subprocess, sys, time, traceback
 from re6st import plib, utils, db, tunnel
 
 
@@ -14,7 +14,7 @@ def getConfig():
              "- upnp: force autoconfiguration via UPnP\n"
              "- any: ask peers our IP\n"
              " (default: ask peers if UPnP fails)")
-    _('--registry', required=True, metavar='URL',
+    _('--registry', metavar='URL',
         help="Public HTTP URL of the registry, for bootstrapping.")
     _('-l', '--log', default='/var/log/re6stnet',
         help="Path to the directory used for log files:\n"
@@ -59,7 +59,7 @@ def getConfig():
              " preference. For each protocol (either udp or tcp), start one"
              " openvpn server on the first given port."
              " (default: --pp 1194 udp --pp 1194 tcp)")
-    _('--dh', required=True,
+    _('--dh',
         help='File containing Diffie-Hellman parameters in .pem format')
     _('--ca', required=True, help=parser._ca_help)
     _('--cert', required=True,
@@ -77,6 +77,10 @@ def getConfig():
         help="Interval in seconds between two tunnel refresh: the worst"
              " tunnel is closed if the number of client tunnels has reached"
              " its maximum number (client-count).")
+    _('--client', metavar='HOST,PORT,PROTO[;...]',
+        help="Do not run any OpenVPN server, but only 1 OpenVPN client,"
+             " with specified remotes. Any other option not required in this"
+             " mode is ignored (e.g. client-count, max-clients, etc.)")
 
     return parser.parse_args()
 
@@ -90,6 +94,7 @@ def main():
         '--ca', config.ca,
         '--cert', config.cert,
         '--key', config.key)
+    # TODO: verify certificates (should we moved to M2Crypto ?)
 
     # Set logging
     utils.setupLog(config.verbose, os.path.join(config.log, 're6stnet.log'))
@@ -100,11 +105,6 @@ def main():
     if config.ovpnlog:
         plib.ovpn_log = config.log
 
-    # Create and open read_only pipe to get server events
-    logging.info('Creating pipe for server events...')
-    r_pipe, write_pipe = os.pipe()
-    read_pipe = os.fdopen(r_pipe)
-
     signal.signal(signal.SIGHUP, lambda *args: sys.exit(-1))
     signal.signal(signal.SIGTERM, lambda *args: sys.exit())
 
@@ -112,60 +112,101 @@ def main():
         config.max_clients = config.client_count * 2
 
     address = []
-    if config.pp:
-        pp = [(int(port), proto) for port, proto in config.pp]
-    else:
-        pp = (1194, 'udp'), (1194, 'tcp')
-    ip_changed = lambda ip: [(ip, str(port), proto) for port, proto in pp]
-    forwarder = None
-    if config.ip == 'upnp' or not config.ip:
-        logging.info('Attempting automatic configuration via UPnP...')
-        try:
-            from re6st.upnpigd import Forwarder
-            forwarder = Forwarder()
-        except Exception, e:
-            if config.ip:
-                raise
-            logging.info("%s: assume we are not NATed", e)
+    server_tunnels = {}
+    if config.client:
+        config.babel_args.append('re6stnet')
+    elif config.max_clients:
+        if config.pp:
+            pp = [(int(port), proto) for port, proto in config.pp]
         else:
-            atexit.register(forwarder.clear)
-            for port, proto in pp:
-                ip, port = forwarder.addRule(port, proto)
-                address.append((ip, str(port), proto))
-    elif config.ip != 'any':
-        address = ip_changed(config.ip)
-    if address:
-        ip_changed = None
+            pp = (1194, 'udp'), (1194, 'tcp')
+        ip_changed = lambda ip: [(ip, str(port), proto) for port, proto in pp]
+        forwarder = None
+        if config.ip == 'upnp' or not config.ip:
+            logging.info('Attempting automatic configuration via UPnP...')
+            try:
+                from re6st.upnpigd import Forwarder
+                forwarder = Forwarder()
+            except Exception, e:
+                if config.ip:
+                    raise
+                logging.info("%s: assume we are not NATed", e)
+            else:
+                atexit.register(forwarder.clear)
+                for port, proto in pp:
+                    ip, port = forwarder.addRule(port, proto)
+                    address.append((ip, str(port), proto))
+        elif config.ip != 'any':
+            address = ip_changed(config.ip)
+        if address:
+            ip_changed = None
+        for x in pp:
+            server_tunnels.setdefault('re6stnet-' + x[1], x)
+        config.babel_args += server_tunnels
+
+    def call(*args, **kw):
+        r = subprocess.call(*args, **kw)
+        if r:
+            sys.exit(r)
+    def required(arg):
+        if not getattr(config, arg):
+            sys.exit("error: argument --%s is required" % arg)
 
     try:
+        subnet = network + prefix
+        my_ip = '%s/%s' % (utils.ipFromBin(subnet, '1'), len(subnet))
+
         # Init db and tunnels
-        peer_db = db.PeerDB(db_path, config.registry, config.key, prefix)
-        tunnel_manager = tunnel.TunnelManager(write_pipe, peer_db,
-            config.openvpn_args, config.hello, config.tunnel_refresh,
-            config.client_count, config.iface_list, network, prefix, address,
-            ip_changed, config.encrypt)
+        if config.client_count and not config.client:
+            required('registry')
+            # Create and open read_only pipe to get server events
+            r_pipe, write_pipe = os.pipe()
+            read_pipe = os.fdopen(r_pipe)
+            peer_db = db.PeerDB(db_path, config.registry, config.key, prefix)
+            tunnel_manager = tunnel.TunnelManager(write_pipe, peer_db,
+                config.openvpn_args, config.hello, config.tunnel_refresh,
+                config.client_count, config.iface_list, network, prefix,
+                address, ip_changed, config.encrypt)
+            config.babel_args += tunnel_manager.free_interface_set
+        else:
+            tunnel_manager = write_pipe = None
 
-        server_tunnels = {}
-        for x in pp:
-            server_tunnels.setdefault('re6stnet-' + x[1], x)
-        subnet = network + prefix
-        config.babel_args += tunnel_manager.free_interface_set
         config.babel_args += config.iface_list
-        config.babel_args += server_tunnels
         router = plib.router(network, utils.ipFromBin(subnet), len(subnet),
             config.hello, os.path.join(config.log, 'babeld.log'),
             os.path.join(config.state, 'babeld.state'),
             config.babel_pidfile, *config.babel_args)
 
-        # main loop
         try:
-            server_process = []
-            for iface, (port, proto) in server_tunnels.iteritems():
-                server_process.append(plib.server(iface,
-                    utils.ipFromBin(subnet, '1') if proto == pp[0][1] else None,
-                    len(network) + len(prefix),
-                    config.max_clients, config.dh, write_pipe, port,
-                    proto, config.hello, config.encrypt, *config.openvpn_args))
+            cleanup = []
+            # prepare persistent interfaces
+            if config.client:
+                cleanup.append(plib.client('re6stnet', config.client,
+                    config.encrypt,
+                    '--up', plib.ovpn_server + ' ' + my_ip,
+                    '--ping-restart', str(4 * config.hello),
+                    *config.openvpn_args).kill)
+            elif server_tunnels:
+                required('dh')
+                for iface, (port, proto) in server_tunnels.iteritems():
+                    cleanup.append(plib.server(iface,
+                        my_ip if proto == pp[0][1] else None,
+                        config.max_clients, config.dh, write_pipe, port,
+                        proto, config.encrypt, *config.openvpn_args).kill)
+            elif config.iface_list:
+                ip_args = ['ip', 'addr', 'add', my_ip,
+                           'dev', config.iface_list[0]]
+                call(ip_args)
+                ip_args[2] = 'del'
+                cleanup.append(lambda: call(ip_args))
+            else:
+                sys.exit("--client or --interface required"
+                         " when --max-clients is 0")
+
+            # main loop
+            if tunnel_manager is None:
+                sys.exit(os.WEXITSTATUS(os.wait()[1]))
+            cleanup.append(tunnel_manager.killAll)
             while True:
                 next = tunnel_manager.next_refresh
                 if forwarder:
@@ -188,15 +229,11 @@ def main():
                     forwarder.refresh()
         finally:
             router.terminate()
-            for p in server_process:
+            for cleanup in cleanup:
                 try:
-                    p.kill()
+                    cleanup()
                 except:
                     pass
-            try:
-                tunnel_manager.killAll()
-            except:
-                pass
     except sqlite3.Error:
         logging.exception("Restarting with empty cache")
         os.rename(db_path, db_path + '.bak')