security: Move to vici instead of files

This commit moves away from writing strongSwan configuration files
towards instead using the vici API to program connections.

Note we also migrate the OPI Security API server to hook into the
vpn-client container. The reason being, we expect the DPU or IPU to be
an IPsec client.

Related to #220

Signed-off-by: Kyle Mestery <mestery@mestery.com>

client/go.mod

@@ -3,7 +3,7 @@ module main
 go 1.18
 
 require (
-	github.com/opiproject/opi-api v0.0.0-20220809145755-77ea7f55985a
+	github.com/opiproject/opi-api v0.0.0-20220811205735-2cdd70e3c937
 	google.golang.org/grpc v1.48.0
 )
 

client/go.sum

@@ -45,8 +45,8 @@ github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
-github.com/opiproject/opi-api v0.0.0-20220809145755-77ea7f55985a h1:3cLfwe8RPdFtKrOy3PAOx1+erxL/EYU/VyfxfuU5g5I=
-github.com/opiproject/opi-api v0.0.0-20220809145755-77ea7f55985a/go.mod h1:92pv4ulvvPMuxCJ9ND3aYbmBfEMLx0VCjpkiR7ZTqPY=
+github.com/opiproject/opi-api v0.0.0-20220811205735-2cdd70e3c937 h1:+DlDnApZMdNv8Bpx+Dmrj0XBCaXIewFVIahEWdIyb5U=
+github.com/opiproject/opi-api v0.0.0-20220811205735-2cdd70e3c937/go.mod h1:92pv4ulvvPMuxCJ9ND3aYbmBfEMLx0VCjpkiR7ZTqPY=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=

client/ipsec.go

@@ -18,6 +18,7 @@ func do_ipsec(conn grpc.ClientConnInterface, ctx context.Context) {
 
 	// Create IPsec Connection
 	local_ipsec := pb.IPsecCreateRequest{
+		Name: "opi-test",
 		Tunnel: &pb.TunnelInterfaces{
 			Tunnels: []*pb.TunnelInterfaces_Tunnel{
 				{
@@ -27,6 +28,7 @@ func do_ipsec(conn grpc.ClientConnInterface, ctx context.Context) {
 					LocalSpi: rand.Uint32(),
 					CryptoAlg: pb.CryptoAlgorithm_AES256GCM128,
 					IntegAlg: pb.IntegAlgorithm_SHA256_96,
+					Dhgroups: pb.DiffieHellmanGroups_CURVE25519,
 					Mode: pb.IPsecMode_TUNNEL_MODE,
 				},
 			},
@@ -39,6 +41,7 @@ func do_ipsec(conn grpc.ClientConnInterface, ctx context.Context) {
 					Protocol: pb.SecurityAssociations_Sa_ESP,
 					CryptoAlg: pb.CryptoAlgorithm_AES256GMAC,
 					IntegAlg: pb.IntegAlgorithm_SHA512,
+					Dhgroups: pb.DiffieHellmanGroups_CURVE25519,
 				},
 			},
 		},

conf/client/swanctl.conf

@@ -1,11 +1,3 @@
-connections {
-
-   include home.conf
-   include psk.conf
-   include eap.conf
-   include eap-tls.conf
-}
-
 secrets {
 
    ike-hacker {

conf/strongswan-client.conf

@@ -8,13 +8,28 @@ charon {
    }
    filelog {
       stderr {
-         default = 1
+        default = 3
+        mgr = 1
+        ike = 1
+        net = 1
+        enc = 0
+        cfg = 4
+        asn = 4
+        job = 1
+        knl = 1
+        lib = 3
       }
    }
    eap-dynamic {
       prefer_user = yes
       preferred = md5, tls
    }
+   plugins {
+      vici {
+         load = yes
+         socket = unix:///var/run/charon.vici
+      }
+   }
 }
 
 libtls {

docker-compose.yml

@@ -33,9 +33,11 @@ services:
     volumes:
       - ./conf/client:/etc/swanctl
       - ./conf/strongswan-client.conf:/etc/strongswan.conf
+      - /var/run
     networks:
       internet:
         ipv4_address: 192.168.0.3
+    command: './charon'
 
   redis:
     image: redis:bullseye
@@ -52,7 +54,7 @@ services:
     depends_on:
       - redis
     volumes_from:
-      - vpn-server:rw
+      - vpn-client:rw
     networks:
       - internet
       - intranet

server/go.mod

@@ -5,7 +5,8 @@ go 1.18
 require (
 	github.com/go-redis/redis/v8 v8.11.5
 	github.com/google/uuid v1.3.0
-	github.com/opiproject/opi-api v0.0.0-20220809145755-77ea7f55985a
+	github.com/opiproject/opi-api v0.0.0-20220811205735-2cdd70e3c937
+	github.com/strongswan/govici v0.6.0
 	google.golang.org/grpc v1.48.0
 	google.golang.org/protobuf v1.28.1
 )

server/go.sum

@@ -57,14 +57,16 @@ github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFb
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
 github.com/onsi/gomega v1.18.1 h1:M1GfJqGRrBrrGGsbxzV5dqM2U2ApXefZCQpkukxYRLE=
-github.com/opiproject/opi-api v0.0.0-20220809145755-77ea7f55985a h1:3cLfwe8RPdFtKrOy3PAOx1+erxL/EYU/VyfxfuU5g5I=
-github.com/opiproject/opi-api v0.0.0-20220809145755-77ea7f55985a/go.mod h1:92pv4ulvvPMuxCJ9ND3aYbmBfEMLx0VCjpkiR7ZTqPY=
+github.com/opiproject/opi-api v0.0.0-20220811205735-2cdd70e3c937 h1:+DlDnApZMdNv8Bpx+Dmrj0XBCaXIewFVIahEWdIyb5U=
+github.com/opiproject/opi-api v0.0.0-20220811205735-2cdd70e3c937/go.mod h1:92pv4ulvvPMuxCJ9ND3aYbmBfEMLx0VCjpkiR7ZTqPY=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/strongswan/govici v0.6.0 h1:QAjc7IIx1c/1P0Hz7yMX91FB5BUNKtyXzfxpuPyBKXE=
+github.com/strongswan/govici v0.6.0/go.mod h1:RgO/KrMlFNsRf3dSoxwWSDSV+ASd98n1T+2G3QMEVHE=
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=

server/ipsec.go

@@ -54,7 +54,8 @@ func (s *server) IPsecCreate(ctx context.Context, in *pb.IPsecCreateRequest) (*p
 		panic(err)
 	}
 
-	err = load_connection("load", in)
+	//err = load_connection("load", in)
+	err = loadConn(in)
 	if err != nil {
 		log.Printf("IPsecCreate: Failed with error %v", err)
 		return nil, err
@@ -92,12 +93,6 @@ func (s *server) IPsecDelete(ctx context.Context, in *pb.IPsecDeleteRequest) (*p
 
 	log.Printf("Dumping unmarshaled protobuf\n%v\n", ipsec_req)
 
-	err = delete_connection("load", ipsec_req)
-	if err != nil {
-		log.Printf("IPsecDelete: Failed with error %v", err)
-		return nil, err
-	}
-
 	// Delete from Redis
 	rdb.Del(ctx, reqId)