-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcheck_openvpn
executable file
·172 lines (149 loc) · 5.83 KB
/
check_openvpn
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
#! /usr/bin/python
# Check if an OpenVPN server runs on a given UDP port.
#
# Copyright 2013 Roland Wolters
#
# Version 20151106
#
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and associated documentation files (the
# "Software"), to deal in the Software without restriction, including
# without limitation the rights to use, copy, modify, merge, publish,
# distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so, subject to
# the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
import os
import sys
import time
import hmac
import hashlib
import struct
import socket
import argparse
import binascii
HMAC_CLIENT_KEY_START = 192
BUFFER_SIZE = 1024
def ok(msg):
print 'OK: %s' % msg
return 0
def critical(msg):
print 'CRIT: %s' % msg
return 2
def buildpacket(tcp, key, digestmod):
packet = 1
ts = int(time.time())
session = os.urandom(8)
if key:
# hmac
h = hmac.new(key, digestmod=digestmod)
h.update(struct.pack('>I', packet)) # packet id
h.update(struct.pack('>I', ts)) # net time
h.update('\x38') # type
h.update(session) # session id
h.update(struct.pack('>B', 0)) # message packet id array length
h.update(struct.pack('>I', 0)) # message packet id
# packet
result = ''
result += '\x38' # type
result += session # session id
if key: result += h.digest() # hmac
result += struct.pack('>I', packet) # packet id
result += struct.pack('>I', ts) # net time
result += struct.pack('>B', 0) # message packet id array length
result += struct.pack('>I', 0) # message packet id
if tcp: result = struct.pack('>H', len(result)) + result
return result
def checkserver(host, port, tcp, timeout, key, digest):
packet = buildpacket(tcp, key, digest)
if tcp:
return checkserver_tcp(host, port, timeout, packet)
else:
return checkserver_udp(host, port, timeout, packet)
def checkserver_udp(host, port, timeout, packet):
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.settimeout(timeout)
try:
s.sendto(packet, (host, port))
data, _ = s.recvfrom(BUFFER_SIZE)
reply = binascii.hexlify(data)
return ok('OpenVPN UDP server response (hex): %s' % reply)
except:
return critical('OpenVPN UDP server not responding')
finally:
s.close()
def checkserver_tcp(host, port, timeout, packet):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(timeout)
try:
s.connect((host, port))
s.send(packet)
data = s.recv(BUFFER_SIZE)
if len(data) <= 0: raise RuntimeError
reply = binascii.hexlify(data)
return ok('OpenVPN TCP server response (hex): %s' % reply)
except:
return critical('OpenVPN TCP server not responding')
finally:
s.close()
def readkey(path):
key = None
try:
with open(path, 'r') as myfile: key = myfile.read()
except:
return None
index_start = key.find('-\n');
index_end = key.find('\n-', index_start);
if index_start < 0 or index_end < 0 or index_end <= index_start:
return None
index_start += 2
key = key[index_start:index_end].replace('\n', '').replace('\r', '')
return key
def optionsparser(args=None):
parser = argparse.ArgumentParser()
parser.add_argument('-p', '--port', help='set port number (default is %%default)', type=int, dest='port', default='1194')
parser.add_argument('-t', '--tcp', help='use tcp instead of udp', action='store_true')
parser.add_argument('--timeout', help='set timeout (default is %%default)', type=int, default='5')
parser.add_argument('--digest', help='set HMAC digest (default is %%default)', type=str, default='sha1')
parser.add_argument('--digest-size', help='set HMAC digest size', type=int)
parser.add_argument('--digest-key', help='set HMAC key', type=str, default=None)
parser.add_argument('--tls-auth', help='set tls-auth file', type=str, default=None)
parser.add_argument('host', type=str, help='the OpenVPN host name or ip')
return parser.parse_args(args)
def main():
args = optionsparser()
if args.digest_size and args.digest_size < 0:
critical('digest size must be positive')
if args.tls_auth and args.digest_key:
critical('--tls-auth cannot go with --digest-key')
key = args.digest_key
digest = args.digest
digest_size = args.digest_size
digest = digest.lower()
if digest not in hashlib.algorithms:
return critical('digest not available')
try:
digest = getattr(hashlib, digest)
if not digest_size: digest_size = digest().digest_size
except:
return critical('digest creation failed')
if args.tls_auth:
key = readkey(args.tls_auth)
if key == None: return critical('cannot read tls auth file')
index_start = HMAC_CLIENT_KEY_START * 2
index_end = (HMAC_CLIENT_KEY_START + digest_size) * 2
key = key[index_start:index_end]
if key: key = binascii.unhexlify(key)
return checkserver(args.host, args.port, args.tcp, args.timeout, key, digest)
if __name__ == '__main__':
sys.exit(main())