openlan's People

Contributors

buliangjunpp, danieldin95, fanzhengweiwudi, iaotw, sichengza, teddy-zhu

openlan's Issues

support add route for a network

Add a route to network:

openlan route add --network example --prefix 192.168.11.0/24 --nexthop 192.168.1.10

Remove a route from network:

openlan route rm --network example --prefix 192.168.11.0/24 --nexthop 192.168.1.10

Display all routes:

openlan route list --network example 

Access control

The REST API has no interfaces for adding or deleting access control entries.

invalid network default

Jan 15 03:00:55 ops-testus switch.sh[1716]: 2024-01-15T03:00:55Z INFO|183.14.132.108:58752|Access.handleLogin: success
Jan 15 03:00:55 ops-testus switch.sh[1716]: 2024-01-15T03:00:55Z INFO|183.14.132.108:58752|Access.onAuth
Jan 15 03:00:55 ops-testus switch.sh[1716]: 2024-01-15T03:00:55Z ERROR|ops-testus|Switch.NewTap: bridge default notFound
Jan 15 03:00:56 ops-testus switch.sh[1716]: 2024-01-15T03:00:56Z INFO|183.14.132.108:58752|Request.onIpAddr: {"name":"","ifAddr":"192.168.200.2","ipStart":"","ipEnd":"","netmask":>
Jan 15 03:00:56 ops-testus switch.sh[1716]: 2024-01-15T03:00:56Z ERROR|183.14.132.108:58752|Request.onIpAddr: invalid network default.

Multi-region interconnect configuration: when openlan-point connects to openlan, an extra bridge address appears

{
  "name": "private",
  "bridge": {
    "name": "br-em2",
    "address": "192.168.1.88/24"
  },
  "subnet": {
    "end": "192.168.1.150",
    "netmask": "255.255.255.0",
    "start": "192.168.1.100"
  },
  "openvpn": {
    "listen": "0.0.0.0:1188",
    "subnet": "172.32.88.0/24"
  },
  "links": [
    {
      "connection": "xxxxx",
      "password": "xxxxx",
      "username": "access1@private",
      "crypt": {
        "algo": "aes-128",
        "secret": "xxxxx"
      }
    }
  ]
}

$ ip r
192.168.1.0/24 dev bi-k3iu61j9 proto kernel scope link src 192.168.1.88
192.168.1.0/24 dev br-me2 proto kernel scope link src 192.168.1.88

has crash when getting routes from confd

switch_1        | panic: runtime error: invalid memory address or nil pointer dereference
switch_1        | [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xa451e6]
switch_1        | goroutine 305 [running]:
switch_1        | github.com/luscis/openlan/pkg/database.(*OvSDB).WhereList(0x0, 0xb0c140, 0xc000200198, 0xadd420, 0xc000200120, 0x2, 0x2)
switch_1        | 	/root/daniel/openlan/pkg/database/client.go:60 +0x26
switch_1        | github.com/luscis/openlan/pkg/switch.GetRoutes(0xc000200120, 0xc0002e7498, 0x6, 0x8, 0xc000770638)
switch_1        | 	/root/daniel/openlan/pkg/switch/confd.go:107 +0x198
switch_1        | github.com/luscis/openlan/pkg/switch.(*MemberLink).Add(0xc000677c88, 0xc0001bd570)
switch_1        | 	/root/daniel/openlan/pkg/switch/confd.go:318 +0x439
switch_1        | github.com/luscis/openlan/pkg/switch.(*ConfD).AddLink(0xc000240040, 0xc0001bd570)
switch_1        | 	/root/daniel/openlan/pkg/switch/confd.go:135 +0x1fa
switch_1        | github.com/luscis/openlan/pkg/switch.(*ConfD).Add(0xc000240040, 0xc09a1f, 0xc, 0xb38d80, 0xc0001bd570)
switch_1        | 	/root/daniel/openlan/pkg/switch/confd.go:57 +0x5cd
switch_1        | github.com/ovn-org/libovsdb/cache.(*EventHandlerFuncs).OnAdd(0xc0002000d8, 0xc09a1f, 0xc, 0xb38d80, 0xc0001bd570)
switch_1        | 	/root/daniel/openlan/vendor/github.com/ovn-org/libovsdb/cache/cache.go:434 +0x62
switch_1        | github.com/ovn-org/libovsdb/cache.(*eventProcessor).Run(0xc000a019b0, 0xc0000ba120)
switch_1        | 	/root/daniel/openlan/vendor/github.com/ovn-org/libovsdb/cache/cache.go:844 +0x215
switch_1        | github.com/ovn-org/libovsdb/cache.(*TableCache).Run.func1(0xc000443410, 0xc0002f0480, 0xc0000ba120)
switch_1        | 	/root/daniel/openlan/vendor/github.com/ovn-org/libovsdb/cache/cache.go:734 +0x65
switch_1        | created by github.com/ovn-org/libovsdb/cache.(*TableCache).Run
switch_1        | 	/root/daniel/openlan/vendor/github.com/ovn-org/libovsdb/cache/cache.go:732 +0x85
switch_1        | + /usr/bin/env find /var/openlan/point -type f -delete
switch_1        | + /usr/bin/env find /var/openlan/openvpn -name '*.status' -delete
switch_1        | + '[' '!' -e /etc/openlan/switch/switch.json ']'
switch_1        | + '[' '!' -e /etc/openlan/switch/network/example.json ']'
switch_1        | + exec /usr/bin/openlan-switch -conf:dir /etc/openlan/switch -log:level 20
ovs-vswitchd_1  | 2023-04-05T01:08:08Z|00004|bfd(monitor34)|INFO|vx-10064086: BFD state change: up->down "Control Detection Time Expired"->"Control Detection Time Expired".
ovs-vswitchd_1  |   Forwarding: true
ovs-vswitchd_1  |   Detect Multiplier: 3

Encrypt control message by SSL

Now, using AES with a shared key to encrypt both control messages and Ethernet frames is not good. We need to support SSL for control messages, and keep Ethernet frames as before.
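The proposal above separates the control channel (login, address requests) from the data plane and puts the control channel under TLS, where the point authenticates the switch by certificate instead of a pre-shared AES key. The following is an added example written for this page, not openlan's code: a minimal switch (TLS server) and point (TLS client) exchanging one control message over loopback TCP. The `ControlMsg` fields, the host name `switch.example` and the self-signed certificate are assumptions for the demo; a real deployment would use a CA-issued switch certificate that points verify against that CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// ControlMsg stands in for an openlan control message (login, ipaddr, ...).
// The field names are an assumption for this example, not the project's wire format.
type ControlMsg struct {
	Action  string `json:"action"`
	Network string `json:"network"`
}

// selfSignedCert mints a throwaway ECDSA certificate for the demo (assumption:
// a real switch presents a CA-issued certificate instead).
func selfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// ExchangeOverTLS runs the switch side (TLS listener) and the point side (TLS
// client) on loopback: the point sends one control message, the switch decodes it.
// It returns the message as the switch saw it and the negotiated TLS version.
func ExchangeOverTLS(msg ControlMsg) (ControlMsg, uint16, error) {
	cert, leaf, err := selfSignedCert("switch.example")
	if err != nil {
		return ControlMsg{}, 0, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)

	// Switch: present its certificate and refuse anything below TLS 1.3.
	switchCfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13}
	// Point: verify the switch against the trusted root and the expected name.
	// Never set InsecureSkipVerify here, or a rogue switch could harvest logins.
	pointCfg := &tls.Config{RootCAs: roots, ServerName: "switch.example", MinVersion: tls.VersionTLS13}

	ln, err := tls.Listen("tcp", "127.0.0.1:0", switchCfg)
	if err != nil {
		return ControlMsg{}, 0, err
	}
	defer ln.Close()

	type result struct {
		msg ControlMsg
		err error
	}
	got := make(chan result, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			got <- result{err: err}
			return
		}
		defer conn.Close()
		var m ControlMsg
		err = json.NewDecoder(conn).Decode(&m) // first Read completes the handshake
		got <- result{m, err}
	}()

	conn, err := tls.Dial("tcp", ln.Addr().String(), pointCfg) // handshake + cert check
	if err != nil {
		return ControlMsg{}, 0, fmt.Errorf("point handshake: %w", err)
	}
	defer conn.Close()
	if err := json.NewEncoder(conn).Encode(msg); err != nil {
		return ControlMsg{}, 0, err
	}
	r := <-got
	if r.err != nil {
		return ControlMsg{}, 0, fmt.Errorf("switch decode: %w", r.err)
	}
	return r.msg, conn.ConnectionState().Version, nil
}

func main() {
	m, ver, err := ExchangeOverTLS(ControlMsg{Action: "login", Network: "example"})
	fmt.Printf("switch received %+v over TLS 0x%04x, err=%v\n", m, ver, err)
}
```

The data plane can keep its per-link symmetric cipher; what changes is that credentials and address requests no longer depend on a secret every point shares, and a point that reaches the wrong switch fails the handshake instead of logging in.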

support add output for openlan provider

Add a vxlan type output:

openlan output add --network example --remote 1.1.1.2 --segment 100 --protocol vxlan

Add a gre type output:

openlan output add --network example --remote 1.1.1.2 --segment 100 --protocol gre

Add a vxlan type output:

openlan output add --network example --remote enp2s3 --segment 23

Remove a vxlan type output:

openlan output rm --network example --device vxn100

Display all outputs

openlan output list --network example

Add an openlan type output:

openlan output add --network example --protocol tcp --connection 1.1.1.1 --secret aes-128:key --auth user:password

support ipsec for vxlan

conn %default
    keyingtries=%forever
    auto=route
    ike=aes_gcm256-sha2_256
    esp=aes_gcm256
    ikev2=insist

conn tunx-in-1
    type=transport
    left=%defaultroute
    right=45.89.233.156
    authby=secret
    leftprotoport=udp/8472
    rightprotoport=udp

conn tunx-out-1
    type=transport
    left=%defaultroute
    right=45.89.233.156
    authby=secret
    leftprotoport=udp
    rightprotoport=udp/8472

support to split network from host

root@daniel-book:~# iptables -t nat -S XTT_pos-example
-N XTT_pos-example
-A XTT_pos-example -d 169.254.222.0/24 -m set --match-set xtt_example_r src -m comment --comment "To VPN" -j MASQUERADE
-A XTT_pos-example -s 172.66.99.0/24 -m set --match-set xtt_example_r dst -m comment --comment "To Masq" -j MASQUERADE
-A XTT_pos-example -s 169.254.222.0/24 -m mark --mark 0xa -m set --match-set xtt_example_v dst -m comment --comment "From VPN" -j MASQUERADE
root@daniel-book:~#
root@daniel-book:~# iptables -S -t raw -L XTT_pre-example
-A XTT_pre-example -i tun1025 -j MARK --set-xmark 0xa/0xffffffff
-A XTT_pre-example -i br-example -j MARK --set-xmark 0xa/0xffffffff
-A XTT_pre-example -i b1 -j MARK --set-xmark 0xa/0xffffffff
-A XTT_pre-example -i tun1025 -j CT --zone mark
-A XTT_pre-example -i br-example -j CT --zone mark
-A XTT_pre-example -i b1 -j CT --zone mark
root@daniel-book:~#
root@daniel-book:~# iptables -t raw -S XTT_out-example
-N XTT_out-example
-A XTT_out-example -o b1 -j MARK --set-xmark 0xa/0xffffffff
-A XTT_out-example -o b1 -j CT --zone mark
root@daniel-book:~#
root@daniel-book:~# conntrack -L | grep icmp
conntrack v1.4.5 (conntrack-tools): 31 flow entries have been shown.
icmp     1 18 src=172.66.99.10 dst=172.66.99.20 type=8 code=0 id=55967 src=172.66.99.20 dst=172.66.99.10 type=0 code=0 id=20752 mark=0 zone=10 use=1
icmp     1 18 src=169.254.222.6 dst=172.66.99.20 type=8 code=0 id=55967 src=172.66.99.20 dst=172.66.99.10 type=0 code=0 id=55967 mark=0 zone=10 use=1
root@daniel-book:~#

Link management

The REST API has no interfaces for adding or deleting links.

Qos warns when a client logs in

2024-04-09T01:42:58Z WARN|[email protected]|Qos.Del In Rule: iptables failed: iptables --wait -t mangle -D Qos_easystack.cn-in -s 100.68.0.6 -m comment --comment Qos Jump -j Qos_easystack.cn-in-lo5buk7: iptables: No chain/target/match by that name.
 (exit status 1)

Support IPv6

add an ipv6 vxlan tunnel:

[root@node-236 ~]# ip link add v6-100 type vxlan id 100 remote 2001:1::ff
[root@node-236 ~]# ip -d link show v6-100
1473: v6-100: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 66:0c:1c:fe:c6:c4 brd ff:ff:ff:ff:ff:ff promiscuity 0
    vxlan id 100 remote 2001:1::ff srcport 0 0 dstport 8472 ageing 300 noudpcsum noudp6zerocsumtx noudp6zerocsumrx addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
[root@node-236 ~]#

Support nexthop group for routing ha

Firstly, define a nexthop group via:

"nextgroup": {
    "ng1": {
        "check": "ping",
        "ping": {
            "count": 5,
            "loss": 2
        },
        "mode": "load-balance", ## or "active-backup"
        "nexthop": [
            "192.168.33.11",
            "192.168.33.10"
        ]
    }
}

And use this group ng1 as a route nexthop:

{
    "routes": [
      {
          "prefix": "0.0.0.0/0",
          "nextgroup": "ng1"
      }
    ]
}
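The two fragments above describe a health-checked nexthop group and a route that points at it. As an added example (not openlan's implementation), the Go below parses that `nextgroup` document, applies the ping check with an injected prober so it runs offline, picks nexthops per the two modes, and renders the `ip route` arguments a controller would execute. Assumptions: the semantics of `count`/`loss` (a nexthop is up while fewer than `loss` of `count` echoes are lost), configured order as the active-backup preference, and equal weights for load-balance are all choices of this example, since the issue does not state them.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// SampleConfig is the issue's nextgroup document (trailing comma fixed), used as input.
const SampleConfig = `{"nextgroup":{"ng1":{"check":"ping","ping":{"count":5,"loss":2},
"mode":"load-balance","nexthop":["192.168.33.11","192.168.33.10"]}}}`

// PingCheck mirrors the "ping" section of a nextgroup entry.
type PingCheck struct {
	Count int `json:"count"`
	Loss  int `json:"loss"`
}

// NextGroup mirrors one entry under "nextgroup".
type NextGroup struct {
	Check   string    `json:"check"`
	Ping    PingCheck `json:"ping"`
	Mode    string    `json:"mode"`
	Nexthop []string  `json:"nexthop"`
}

type Config struct {
	NextGroup map[string]NextGroup `json:"nextgroup"`
}

// ProbeResult is what one health-check round yields for a nexthop.
type ProbeResult struct{ Sent, Lost int }

// Prober returns the probe result for a nexthop. In production it would send
// ICMP echoes; here it is injected so the selection logic can run offline.
type Prober func(nexthop string) ProbeResult

func ParseConfig(data []byte) (Config, error) {
	var c Config
	err := json.Unmarshal(data, &c)
	return c, err
}

// healthy applies the ping check. Assumed semantics: "count" echoes are sent
// and the nexthop stays up while fewer than "loss" of them are lost.
func (g NextGroup) healthy(r ProbeResult) bool {
	return r.Sent >= g.Ping.Count && r.Lost < g.Ping.Loss
}

// Select returns the nexthops the route should use now. load-balance: every
// healthy nexthop (multipath); active-backup: the first healthy nexthop in
// configured order. An empty result means the route must be withdrawn.
func (g NextGroup) Select(probe Prober) []string {
	var up []string
	for _, nh := range g.Nexthop {
		if g.Check != "ping" || g.healthy(probe(nh)) { // no check configured: assume up
			up = append(up, nh)
		}
	}
	switch g.Mode {
	case "active-backup":
		if len(up) > 0 {
			return up[:1]
		}
		return nil
	default: // "load-balance"
		return up
	}
}

// RouteArgs renders ip-route(8) arguments installing (or withdrawing) prefix via nhs.
func RouteArgs(prefix string, nhs []string) []string {
	if len(nhs) == 0 {
		return []string{"route", "del", prefix}
	}
	args := []string{"route", "replace", prefix}
	if len(nhs) == 1 {
		return append(args, "via", nhs[0])
	}
	for _, nh := range nhs {
		args = append(args, "nexthop", "via", nh, "weight", "1")
	}
	return args
}

func main() {
	cfg, err := ParseConfig([]byte(SampleConfig))
	if err != nil {
		panic(err)
	}
	// Constructed probe: .11 loses 3 of 5 echoes, .10 loses 1.
	probe := func(nh string) ProbeResult {
		if nh == "192.168.33.11" {
			return ProbeResult{Sent: 5, Lost: 3}
		}
		return ProbeResult{Sent: 5, Lost: 1}
	}
	fmt.Println("ip", RouteArgs("0.0.0.0/0", cfg.NextGroup["ng1"].Select(probe)))
}
```

Withdrawing the default route when every nexthop fails the check is deliberate: leaving a stale route in place would black-hole traffic silently, which is the failure a health-checked group exists to avoid.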

proxy start failed with Server closed.

proxy_1 | 2023/04/11 06:13:59 INFO|0.0.0.0:11083|HttpProxy.start https://0.0.0.0:11083
proxy_1 | 2023/04/11 06:13:59 INFO|192.168.10.10:11082|HttpProxy.start http://192.168.10.10:11082
proxy_1 | 2023/04/11 06:13:59 WARN|192.168.10.10:11082|HttpProxy.start listen tcp 192.168.10.10:11082: bind: cannot assign requested address
proxy_1 | 2023/04/11 06:13:59 INFO|root|Wait: ...
proxy_1 | 2023/04/11 06:14:01 WARN|192.168.10.10:11082|HttpProxy.start http: Server closed
proxy_1 | 2023/04/11 06:14:13 WARN|192.168.10.10:11082|HttpProxy.start http: Server closed
proxy_1 | 2023/04/11 06:14:35 WARN|192.168.10.10:11082|HttpProxy.start http: Server closed
proxy_1 | 2023/04/11 06:15:07 WARN|192.168.10.10:11082|HttpProxy.start http: Server closed
switch_1 | INFO|218.94.118.90:51872|Access.onAuth: on >>> vir1 <<<

When the network has no subnet to lease to a new point, the switch will crash

2024-01-16T13:56:09Z INFO|jphc.luscis.cn|Switch.ReadTap: vir2
2024-01-16T13:56:09Z INFO|218.94.118.90:39058|Request.onIpAddr: {"name":"hongkong","ifAddr":"","ipStart":"","ipEnd":"","netmask":"255.255.255.255","routes":null}
2024-01-16T13:56:09Z FATAL|root|Go.func|PANIC >>> runtime error: invalid memory address or nil pointer dereference <<<
2024-01-16T13:56:09Z FATAL|root|Go.func|STACK >>> goroutine 281 [running]:
runtime/debug.Stack(0x127dee0, 0x63, 0xc00046c690)
	/usr/local/go/src/runtime/debug/stack.go:24 +0x9f
github.com/luscis/openlan/pkg/libol.Catch(0xc11152, 0x7)
	/root/daniel/openlan/pkg/libol/logger.go:148 +0x18a
panic(0xb3d300, 0x127a090)
	/usr/local/go/src/runtime/panic.go:965 +0x1b9
github.com/luscis/openlan/pkg/app.findLease(0x0, 0x0, 0xc00024c900, 0xc00024c900)
	/root/daniel/openlan/pkg/app/request.go:77 +0xd1
github.com/luscis/openlan/pkg/app.(*Request).onIpAddr(0xc0002e0c70, 0xd03ad8, 0xc0002e0010, 0xc000210010, 0x61, 0x31ff0)
	/root/daniel/openlan/pkg/app/request.go:126 +0x42d
github.com/luscis/openlan/pkg/app.(*Request).OnFrame(0xc0002e0c70, 0xd03ad8, 0xc0002e0010, 0xc000371580, 0x0, 0x0)
	/root/daniel/openlan/pkg/app/request.go:38 +0x216
github.com/luscis/openlan/pkg/switch.(*Switch).onFrame(0xc00024c0c0, 0xd03ad8, 0xc0002e0010, 0xc000371580, 0x2, 0xc00041feac)
	/root/daniel/openlan/pkg/switch/switch.go:292 +0xab
github.com/luscis/openlan/pkg/switch.(*Switch).ReadClient(0xc00024c0c0, 0xd03ad8, 0xc0002e0010, 0xc000371580, 0x0, 0x0)
	/root/daniel/openlan/pkg/switch/switch.go:348 +0xc7
github.com/luscis/openlan/pkg/libol.(*SocketServerImpl).Read.func1()
	/root/daniel/openlan/pkg/libol/socket.go:537 +0x11d
github.com/luscis/openlan/pkg/libol.Go.func1(0xc0004a0390, 0xd66df0, 0x24)
	/root/daniel/openlan/pkg/libol/go.go:36 +0x187
created by github.com/luscis/openlan/pkg/libol.Go
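Both stack traces on this page end in the same class of bug: `findLease` is entered with a nil network (`findLease(0x0, 0x0, ...)`) after a point asks for an address in a network without a subnet, and `(*OvSDB).WhereList` is invoked on a nil receiver (`WhereList(0x0, ...)`) while confd is adding a link. In each case a remote client's request turns into a process-wide panic. The Go below is an added example, not openlan's code, showing the shape of the fix: validate the network and its subnet and return an error, guard the nil receiver inside the method, and recover per request so one bad frame drops that client rather than the switch. The `Network`, `Subnet`, `Lease` and `OvSDB` types here are trimmed stand-ins, not the project's real types.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Subnet is the lease range from a network's "subnet" section.
type Subnet struct{ Start, End net.IP }

// Network is a trimmed stand-in for per-network config. Subnet stays nil when the
// network json has no "subnet" section, as in the "hongkong" request in the log.
type Network struct {
	Name   string
	Subnet *Subnet
}

type Lease struct {
	Client  string
	Address net.IP
}

var (
	ErrNoNetwork = errors.New("unknown network")
	ErrNoSubnet  = errors.New("network has no subnet to lease from")
)

func ip4ToUint(ip net.IP) uint32 { return binary.BigEndian.Uint32(ip.To4()) }

func uintToIP4(v uint32) net.IP {
	ip := make(net.IP, 4)
	binary.BigEndian.PutUint32(ip, v)
	return ip
}

// FindLease hands out the lowest free address in the range, refusing with an
// error (not a nil dereference) when the network or its subnet is missing.
func FindLease(n *Network, used map[string]bool, client string) (*Lease, error) {
	if n == nil {
		return nil, ErrNoNetwork
	}
	// net.IP(nil).To4() is nil, so a missing Start/End is caught here too.
	if n.Subnet == nil || n.Subnet.Start.To4() == nil || n.Subnet.End.To4() == nil {
		return nil, fmt.Errorf("%s: %w", n.Name, ErrNoSubnet)
	}
	start, end := ip4ToUint(n.Subnet.Start), ip4ToUint(n.Subnet.End)
	for v := start; v <= end; v++ {
		addr := uintToIP4(v)
		if !used[addr.String()] {
			used[addr.String()] = true
			return &Lease{Client: client, Address: addr}, nil
		}
		if v == end { // guard against uint32 wrap when end is 255.255.255.255
			break
		}
	}
	return nil, fmt.Errorf("%s: subnet exhausted", n.Name)
}

// OvSDB stands in for the confd database client. The trace shows WhereList
// called on a nil *OvSDB, so the method guards its own receiver.
type OvSDB struct{ rows map[string][]string }

func (db *OvSDB) WhereList(table string) ([]string, error) {
	if db == nil {
		return nil, errors.New("ovsdb client not connected")
	}
	return db.rows[table], nil
}

// Safe runs one client's request handler and turns a panic into an error, so a
// bad request drops that client instead of taking the whole switch down.
func Safe(name string, fn func() error) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("%s: recovered panic: %v", name, r)
		}
	}()
	return fn()
}

func main() {
	used := map[string]bool{}
	_, err := FindLease(&Network{Name: "hongkong"}, used, "vir2")
	fmt.Println("no subnet:", err)
	var db *OvSDB
	_, err = db.WhereList("route")
	fmt.Println("nil client:", err)
}
```

Treat the lease request as untrusted input: it arrives after authentication, but any authenticated point could crash the switch for every other tenant simply by naming a network that has no subnet, so the check belongs in the request path, not only in config validation.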
