Merge pull request #595 from openziti/vpn-mode

VPN share mode
openziti · Apr 16, 2024 · 9182d95 · 9182d95
2 parents 503c911 + 5c7fbec
commit 9182d95
Show file tree

Hide file tree

Showing 21 changed files with 848 additions and 11 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,8 @@
 
 ## v0.4.27
 
+FEATURE: New `vpn` backend mode. Use `sudo zrok share private --backend-mode vpn` on the _VPN server_ host, then `sudo zrok access private <token>` on _VPN client_ machine. Works with reserved shares using `zrok reserve private --backend-mode vpn`. Use `<target>` parameter to override default VPN network settings `zrok share private -b vpn 192.168.255.42/24` -- server IP is `192.168.255.42` and VPN netmask will be `192.168.255.0/24`. Client IPs are assigned automatically from netmask range.
+
 CHANGE: Update to OpenZiti SDK (`github.com/openziti/sdk-golang`) at `v0.23.22`.
 
 CHANGE: Added indexes to `environments`, `shares`, and `frontends` tables to improve overall query performance on both PostgreSQL and Sqlite.

diff --git a/bin/generate_rest.sh b/bin/generate_rest.sh
@@ -9,10 +9,12 @@ command -v swagger >/dev/null 2>&1 || {
 
 command -v openapi >/dev/null 2>&1 || {
   echo >&2 "command 'openapi' not installed. see: https://www.npmjs.com/package/openapi-client for installation"
+  exit 1
 }
 
 command -v swagger-codegen 2>&1 || {
   echo >&2 "command 'swagger-codegen. see: https://github.com/swagger-api/swagger-codegen for installation"
+  exit 1
 }
 
 scriptPath=$(realpath $0)

diff --git a/cmd/zrok/accessPrivate.go b/cmd/zrok/accessPrivate.go
@@ -8,6 +8,7 @@ import (
 	"github.com/openziti/zrok/endpoints/proxy"
 	"github.com/openziti/zrok/endpoints/tcpTunnel"
 	"github.com/openziti/zrok/endpoints/udpTunnel"
+	"github.com/openziti/zrok/endpoints/vpn"
 	"github.com/openziti/zrok/environment"
 	"github.com/openziti/zrok/rest_client_zrok"
 	"github.com/openziti/zrok/rest_client_zrok/share"
@@ -165,6 +166,30 @@ func (cmd *accessPrivateCommand) run(_ *cobra.Command, args []string) {
 			}
 		}()
 
+	case "vpn":
+		endpointUrl = &url.URL{
+			Scheme: "VPN",
+		}
+		fe, err := vpn.NewFrontend(&vpn.FrontendConfig{
+			IdentityName: env.EnvironmentIdentityName(),
+			ShrToken:     args[0],
+			RequestsChan: requests,
+		})
+		if err != nil {
+			if !panicInstead {
+				tui.Error("unable to create private access", err)
+			}
+			panic(err)
+		}
+		go func() {
+			if err := fe.Run(); err != nil {
+				if !panicInstead {
+					tui.Error("error starting access", err)
+				}
+				panic(err)
+			}
+		}()
+
 	default:
 		cfg := proxy.DefaultFrontendConfig(env.EnvironmentIdentityName())
 		cfg.ShrToken = shrToken

diff --git a/cmd/zrok/reserve.go b/cmd/zrok/reserve.go
@@ -3,12 +3,14 @@ package main
 import (
 	"encoding/json"
 	"fmt"
+	"github.com/openziti/zrok/endpoints/vpn"
 	"github.com/openziti/zrok/environment"
 	"github.com/openziti/zrok/sdk/golang/sdk"
 	"github.com/openziti/zrok/tui"
 	"github.com/openziti/zrok/util"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
+	"net"
 	"slices"
 	"time"
 )
@@ -40,7 +42,7 @@ func newReserveCommand() *reserveCommand {
 	command := &reserveCommand{cmd: cmd}
 	cmd.Flags().StringVarP(&command.uniqueName, "unique-name", "n", "", "A unique name for the reserved share (defaults to generated identifier)")
 	cmd.Flags().StringArrayVar(&command.frontendSelection, "frontends", []string{"public"}, "Selected frontends to use for the share")
-	cmd.Flags().StringVarP(&command.backendMode, "backend-mode", "b", "proxy", "The backend mode (public|private: proxy, web, caddy, drive) (private: tcpTunnel, udpTunnel, socks)")
+	cmd.Flags().StringVarP(&command.backendMode, "backend-mode", "b", "proxy", "The backend mode (public|private: proxy, web, caddy, drive) (private: tcpTunnel, udpTunnel, socks, vpn)")
 	cmd.Flags().BoolVarP(&command.jsonOutput, "json-output", "j", false, "Emit JSON describing the created reserved share")
 	cmd.Flags().StringArrayVar(&command.basicAuth, "basic-auth", []string{}, "Basic authentication users (<username:password>,...)")
 	cmd.Flags().StringVar(&command.oauthProvider, "oauth-provider", "", "Enable OAuth provider [google, github]")
@@ -56,7 +58,7 @@ func newReserveCommand() *reserveCommand {
 
 func (cmd *reserveCommand) run(_ *cobra.Command, args []string) {
 	shareMode := sdk.ShareMode(args[0])
-	privateOnlyModes := []string{"tcpTunnel", "udpTunnel", "socks"}
+	privateOnlyModes := []string{"tcpTunnel", "udpTunnel", "socks", "vpn"}
 	if shareMode != sdk.PublicShareMode && shareMode != sdk.PrivateShareMode {
 		tui.Error("invalid sharing mode; expecting 'public' or 'private'", nil)
 	} else if shareMode == sdk.PublicShareMode && slices.Contains(privateOnlyModes, cmd.backendMode) {
@@ -114,8 +116,20 @@ func (cmd *reserveCommand) run(_ *cobra.Command, args []string) {
 			tui.Error("the 'socks' backend mode does not expect <target>", nil)
 		}
 
+	case "vpn":
+		if len(args) == 2 {
+			_, _, err := net.ParseCIDR(args[1])
+			if err != nil {
+				tui.Error("the 'vpn' backend expect valid CIDR <target>", err)
+			}
+			target = args[1]
+		} else {
+			target = vpn.DefaultTarget()
+		}
+
 	default:
-		tui.Error(fmt.Sprintf("invalid backend mode '%v'; expected {proxy, web, tcpTunnel, udpTunnel, caddy, drive, socks}", cmd.backendMode), nil)
+		tui.Error(fmt.Sprintf("invalid backend mode '%v'; "+
+			"expected {proxy, web, tcpTunnel, udpTunnel, caddy, drive, socks, vpn}", cmd.backendMode), nil)
 	}
 
 	env, err := environment.LoadRoot()

diff --git a/cmd/zrok/sharePrivate.go b/cmd/zrok/sharePrivate.go
@@ -9,12 +9,14 @@ import (
 	"github.com/openziti/zrok/endpoints/socks"
 	"github.com/openziti/zrok/endpoints/tcpTunnel"
 	"github.com/openziti/zrok/endpoints/udpTunnel"
+	"github.com/openziti/zrok/endpoints/vpn"
 	"github.com/openziti/zrok/environment"
 	"github.com/openziti/zrok/environment/env_core"
 	"github.com/openziti/zrok/sdk/golang/sdk"
 	"github.com/openziti/zrok/tui"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
+	"net"
 	"os"
 	"os/signal"
 	"syscall"
@@ -42,7 +44,7 @@ func newSharePrivateCommand() *sharePrivateCommand {
 	}
 	command := &sharePrivateCommand{cmd: cmd}
 	cmd.Flags().StringArrayVar(&command.basicAuth, "basic-auth", []string{}, "Basic authentication users (<username:password>,...")
-	cmd.Flags().StringVarP(&command.backendMode, "backend-mode", "b", "proxy", "The backend mode {proxy, web, tcpTunnel, udpTunnel, caddy, drive, socks}")
+	cmd.Flags().StringVarP(&command.backendMode, "backend-mode", "b", "proxy", "The backend mode {proxy, web, tcpTunnel, udpTunnel, caddy, drive, socks, vpn}")
 	cmd.Flags().BoolVar(&command.headless, "headless", false, "Disable TUI and run headless")
 	cmd.Flags().BoolVar(&command.insecure, "insecure", false, "Enable insecure TLS certificate validation for <target>")
 	cmd.Flags().BoolVar(&command.closed, "closed", false, "Enable closed permission mode (see --access-grant)")
@@ -105,6 +107,17 @@ func (cmd *sharePrivateCommand) run(_ *cobra.Command, args []string) {
 		}
 		target = "socks"
 
+	case "vpn":
+		if len(args) == 1 {
+			_, _, err := net.ParseCIDR(args[0])
+			if err != nil {
+				tui.Error("the 'vpn' backend expect valid CIDR <target>", err)
+			}
+			target = args[0]
+		} else {
+			target = vpn.DefaultTarget()
+		}
+
 	default:
 		tui.Error(fmt.Sprintf("invalid backend mode '%v'; expected {proxy, web, tcpTunnel, udpTunnel, caddy, drive}", cmd.backendMode), nil)
 	}
@@ -318,6 +331,28 @@ func (cmd *sharePrivateCommand) run(_ *cobra.Command, args []string) {
 			}
 		}()
 
+	case "vpn":
+		cfg := &vpn.BackendConfig{
+			IdentityPath:    zif,
+			EndpointAddress: target,
+			ShrToken:        shr.Token,
+			RequestsChan:    requests,
+		}
+
+		be, err := vpn.NewBackend(cfg)
+		if err != nil {
+			if !panicInstead {
+				tui.Error("error creating VPN backend", err)
+			}
+			panic(err)
+		}
+
+		go func() {
+			if err := be.Run(); err != nil {
+				logrus.Errorf("error running VPN backend: %v", err)
+			}
+		}()
+
 	default:
 		tui.Error("invalid backend mode", nil)
 	}

diff --git a/cmd/zrok/shareReserved.go b/cmd/zrok/shareReserved.go
@@ -10,6 +10,7 @@ import (
 	"github.com/openziti/zrok/endpoints/socks"
 	"github.com/openziti/zrok/endpoints/tcpTunnel"
 	"github.com/openziti/zrok/endpoints/udpTunnel"
+	"github.com/openziti/zrok/endpoints/vpn"
 	"github.com/openziti/zrok/environment"
 	"github.com/openziti/zrok/rest_client_zrok/metadata"
 	"github.com/openziti/zrok/rest_client_zrok/share"
@@ -282,6 +283,28 @@ func (cmd *shareReservedCommand) run(_ *cobra.Command, args []string) {
 			}
 		}()
 
+	case "vpn":
+		cfg := &vpn.BackendConfig{
+			IdentityPath:    zif,
+			EndpointAddress: target,
+			ShrToken:        shrToken,
+			RequestsChan:    requests,
+		}
+
+		be, err := vpn.NewBackend(cfg)
+		if err != nil {
+			if !panicInstead {
+				tui.Error("error creating VPN backend", err)
+			}
+			panic(err)
+		}
+
+		go func() {
+			if err := be.Run(); err != nil {
+				logrus.Errorf("error running VPN backend: %v", err)
+			}
+		}()
+
 	default:
 		tui.Error("invalid backend mode", nil)
 	}

diff --git a/controller/store/sql/postgresql/021_v0_4_27_backend_mode_vpn.sql b/controller/store/sql/postgresql/021_v0_4_27_backend_mode_vpn.sql
@@ -0,0 +1,3 @@
+-- +migrate Up
+
+alter type backend_mode add value 'vpn';
diff --git a/controller/store/sql/sqlite3/021_v0_4_27_backend_mode_vpn.sql b/controller/store/sql/sqlite3/021_v0_4_27_backend_mode_vpn.sql
@@ -0,0 +1,76 @@
+-- +migrate Up
+
+alter table shares rename to shares_old;
+create table shares (
+    id                        integer             primary key,
+    environment_id            integer             constraint fk_environments_shares references environments on delete cascade,
+    z_id                      string              not null unique,
+    token                     string              not null,
+    share_mode                string              not null,
+    backend_mode              string              not null,
+    frontend_selection        string,
+    frontend_endpoint         string,
+    backend_proxy_endpoint    string,
+    reserved                  boolean             not null default(false),
+    created_at                datetime            not null default(strftime('%Y-%m-%d %H:%M:%f', 'now')),
+    updated_at                datetime            not null default(strftime('%Y-%m-%d %H:%M:%f', 'now')),
+    deleted                   boolean             not null default(false),
+    permission_mode           string              not null default('open'),
+
+    constraint chk_z_id check (z_id <> ''),
+    constraint chk_token check (token <> ''),
+    constraint chk_share_mode check (share_mode == 'public' or share_mode == 'private'),
+    constraint chk_backend_mode check (backend_mode == 'proxy' or backend_mode == 'web' or backend_mode == 'tcpTunnel' or backend_mode == 'udpTunnel' or backend_mode == 'caddy' or backend_mode == 'drive' or backend_mode == 'socks' or backend_mode == 'vpn')
+);
+insert into shares select * from shares_old;
+drop index shares_token_idx;
+create unique index shares_token_idx ON shares(token) WHERE deleted is false;
+drop index shares_token_perf_idx;
+create index shares_token_perf_idx on shares (token);
+drop index shares_environment_id_idx;
+create index shares_environment_id_idx on shares (environment_id);
+
+alter table frontends rename to frontends_old;
+create table frontends (
+    id                    integer             primary key,
+    environment_id        integer             references environments(id),
+    token                 varchar(32)         not null unique,
+    z_id                  varchar(32)         not null,
+    public_name           varchar(64)         unique,
+    url_template          varchar(1024),
+    reserved              boolean             not null default(false),
+    created_at            datetime            not null default(strftime('%Y-%m-%d %H:%M:%f', 'now')),
+    updated_at            datetime            not null default(strftime('%Y-%m-%d %H:%M:%f', 'now')),
+    deleted               boolean             not null default(false),
+    private_share_id      integer             references shares(id)
+);
+insert into frontends select * from frontends_old;
+drop table frontends_old;
+create index frontends_environment_id_idx on frontends (environment_id);
+
+alter table share_limit_journal rename to share_limit_journal_old;
+create table share_limit_journal (
+    id                  integer                 primary key,
+    share_id            integer                 references shares(id),
+    rx_bytes            bigint                  not null,
+    tx_bytes            bigint                  not null,
+    action              limit_action_type       not null,
+    created_at          datetime                not null default(strftime('%Y-%m-%d %H:%M:%f', 'now')),
+    updated_at          datetime                not null default(strftime('%Y-%m-%d %H:%M:%f', 'now'))
+);
+insert into share_limit_journal select * from share_limit_journal_old;
+drop table share_limit_journal_old;
+
+alter table access_grants rename to access_grants_old;
+create table access_grants (
+    id                  integer                 primary key,
+    share_id            integer                 references shares(id),
+    account_id          integer                 references accounts(id),
+    created_at          datetime                not null default(strftime('%Y-%m-%d %H:%M:%f', 'now')),
+    updated_at          datetime                not null default(strftime('%Y-%m-%d %H:%M:%f', 'now')),
+    deleted             boolean                 not null default(false)
+);
+insert into access_grants select * from access_grants_old;
+drop table access_grants_old;
+
+drop table shares_old;
diff --git a/docs/guides/vpn/vpn-share.png b/docs/guides/vpn/vpn-share.png