diff options
| author | Scott Ullrich <sullrich@pfsense.org> | 2005-11-06 20:30:09 +0000 |
|---|---|---|
| committer | Scott Ullrich <sullrich@pfsense.org> | 2005-11-06 20:30:09 +0000 |
| commit | bc5dc42181e4b6d468bfcd1283f923e744524371 (patch) | |
| tree | 7073d69a4cbdfcf834b5ba12508a882553ba19c5 | |
| parent | c6ee5ce431ee155a9cc668249a47d4ff7155626c (diff) | |
| download | pfsense-bc5dc42181e4b6d468bfcd1283f923e744524371.zip pfsense-bc5dc42181e4b6d468bfcd1283f923e744524371.tar.gz | |
MFC 7406
Sync OpenVPN with Peter A's latest version:
rootfs-1.2-ovpn2.tar.gz
| -rw-r--r-- | etc/inc/openvpn.inc | 149 | ||||
| -rwxr-xr-x | usr/local/www/vpn_openvpn_cli.php | 6 | ||||
| -rwxr-xr-x | usr/local/www/vpn_openvpn_cli_edit.php | 61 | ||||
| -rwxr-xr-x | usr/local/www/vpn_openvpn_srv.php | 6 | ||||
| -rwxr-xr-x | usr/local/www/vpn_openvpn_srv_edit.php | 77 |
5 files changed, 180 insertions, 119 deletions
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc index 2ba1068..8d1c454 100644 --- a/etc/inc/openvpn.inc +++ b/etc/inc/openvpn.inc @@ -53,13 +53,6 @@ function ovpn_link_tap() { mwexec("/sbin/kldload if_tap"); $fd = fopen($g['vardb_path'] ."/ovpn_tap_link", 'w'); } - //else { - // $fd = fopen($g['vardb_path'] ."/ovpn_tap_link", 'r+'); - // $link_count = fread($fd, filesize($g['vardb_path'] ."/ovpn_tap_link")); - // $link_count ++; - //} - //fwrite($fd, $link_count); - //fclose($fd); return true; } @@ -89,8 +82,6 @@ function ovpn_unlink_tap() { function ovpn_config_server($reconfigure) { global $config, $g, $d_ovpnsrvdirty_path; - if(!is_array($config['ovpn']['server']['tunnel'])) - return; foreach ($config['ovpn']['server']['tunnel'] as $id => $server) { /* get tunnel interface */ $tun = $server['tun_iface']; @@ -124,7 +115,7 @@ function ovpn_config_server($reconfigure) { $lines = file($d_ovpnsrvdirty_path); /* reconfigure server */ - if (is_array($lines) && in_array($tun, $lines)) { + if (is_array($lines) && in_array($tun . "\n", $lines)) { /* kill running server */ ovpn_server_kill($tun); @@ -274,6 +265,19 @@ EOD; if (isset($server['dynip'])) $ovpn_config .= "persist-remote-ip\n"; + /* LZO compression (off by default) */ + if (isset($server['comp_method'])) { + switch ($server['comp_method']) { + + case 'lzo': + $ovpn_config .= "comp-lzo\n"; + break; + case 'noadapt': + $ovpn_config .= "comp-lzo\n" . "comp-noadapt\n"; + break; + } + } + /* Client to client routing (off by default) */ if (isset($server['cli2cli'])) $ovpn_config .= "client-to-client\n"; @@ -349,6 +353,55 @@ EOD; if (isset($server['dupcn'])) $ovpn_config .= "duplicate-cn\n"; + $push_options = ""; + + /* Client push - redirect gateway */ + if (isset($server['psh_options']['redir'])) { + if (isset($server['psh_options']['redir_loc'])) + $push_config .= "push \"redirect-gateway local\"\n"; + else + $push_config .= "push \"redirect-gateway\"\n"; + } + + /* Client push - route delay */ + if (isset($server['psh_options']['rte_delay'])) + $push_config .= "push \"route-delay {$server['psh_options']['rte_delay_int']}\"\n"; + + /* Client push - ping (note we set both server and client) */ + if (isset ($server['psh_options']['ping'])){ + $conflict = true; + $interval = $server['psh_options']['ping_int']; + $ovpn_config .= "ping {$server['psh_options']['ping_int']}\n "; + $push_config .= "push \"ping {$server['psh_options']['ping_int']}\"\n"; + } + + /* Client push - ping-restart (note server uses 2 x client interval) */ + if (isset ($server['psh_options']['pingrst'])){ + $conflict = true; + $interval = $server['psh_options']['pingrst_int']; + $ovpn_config .= "ping-restart " . ($interval * 2) . "\n"; + $push_config .= "push \"ping-restart $interval\"\n"; + } + + /* Client push - ping-exit (set on client) */ + if (isset ($server['psh_options']['pingexit'])){ + $conflict = true; + $ovpn_config .= "ping-exit {$server['psh_options']['pingexit_int']}\n"; + $push_config .= "push \"ping-exit {$server['psh_options']['pingexit_int']}\"\n"; + } + + /* Client push - inactive (set on client) */ + if (isset ($server['psh_options']['inact'])){ + $ovpn_config .= "inactive {$server['psh_options']['inact_int']}\n"; + $push_config .= "push \"inactive {$server['psh_options']['inact_int']}\"\n"; + } + + if (isset($server['client-to-client'])) + $push_config .= "push \"route {$network} {$netmask}\"\n"; + + if (isset($push_config)) + $ovpn_config .= $push_config; + } else { /* 'authentication_method' == "pre_shared_key" */ $network = gen_subnet($server['lipaddr'], $server['netmask']); @@ -363,61 +416,8 @@ EOD; $ovpn_config .= "ifconfig {$server['lipaddr']} {$netmask}\n"; } - if (isset($server['client-to-client'])) - $ovpn_config .= "push \"route {$network} {$netmask}\"\n"; - else - $ovpn_config .= "push \"route {$server['lipaddr']}\"\n"; - } /* end authentication_method */ - $push_options = ""; - - /* Client push - redirect gateway */ - if (isset($server['psh_options']['redir'])) { - if (isset($server['psh_options']['redir_loc'])) - $push_config .= "push \"redirect-gateway local\"\n"; - else - $push_config .= "push \"redirect-gateway\"\n"; - if ($server['method'] != "ovpn") - $push_config .= "push \"route-gateway {$server['ipblock']}\"\n"; - } - - /* Client push - route delay */ - if (isset($server['psh_options']['rte_delay'])) - $push_config .= "push \"route-delay {$server['psh_options']['rte_delay_int']}\"\n"; - - /* Client push - ping (note we set both server and client) */ - if (isset ($server['psh_options']['ping'])){ - $conflict = true; - $interval = $server['psh_options']['ping_int']; - $ovpn_config .= "ping {$server['psh_options']['ping_int']}\n "; - $push_config .= "push \"ping {$server['psh_options']['ping_int']}\"\n"; - } - - /* Client push - ping-restart (note server uses 2 x client interval) */ - if (isset ($server['psh_options']['pingrst'])){ - $conflict = true; - $interval = $server['psh_options']['pingrst_int']; - $ovpn_config .= "ping-restart " . ($interval * 2) . "\n"; - $push_config .= "push \"ping-restart $interval\"\n"; - } - - /* Client push - ping-exit (set on client) */ - if (isset ($server['psh_options']['pingexit'])){ - $conflict = true; - $ovpn_config .= "ping-exit {$server['psh_options']['pingexit_int']}\n"; - $push_config .= "push \"ping-exit {$server['psh_options']['pingexit_int']}\"\n"; - } - - /* Client push - inactive (set on client) */ - if (isset ($server['psh_options']['inact'])){ - $ovpn_config .= "inactive {$server['psh_options']['inact_int']}\n"; - $push_config .= "push \"inactive {$server['psh_options']['inact_int']}\"\n"; - } - - if (isset($push_config)) - $ovpn_config .= $push_config; - if (!isset($conflict)) $ovpn_config .= "keepalive 10 60\n"; @@ -648,7 +648,7 @@ function ovpn_server_crl_add() { $lines = file($d_ovpncrldirty_path); /* reconfigure crl file */ - if (is_array($lines) && in_array($name, $lines)) { + if (is_array($lines) && in_array($name . "\n", $lines)) { /* restart running openvpn daemon */ foreach ($config['ovpn']['server']['tunnel'] as $id => $server) { @@ -744,7 +744,7 @@ function ovpn_srv_dirty($tun) { $fd = fopen($d_ovpnsrvdirty_path, 'a'); if ($fd) { - fwrite($fd, $tun); + fwrite($fd, $tun ."\n"); fclose($fd); } } @@ -755,7 +755,7 @@ function ovpn_crl_dirty($name) { $fd = fopen($d_ovpncrldirty_path, 'a'); if ($fd) { - fwrite($fd, $name); + fwrite($fd, $name ."\n"); fclose($fd); } } @@ -797,7 +797,7 @@ function ovpn_config_client() { $lines = file($d_ovpnclidirty_path); /* reconfigure client */ - if (is_array($lines) && in_array($tun, $lines)) { + if (is_array($lines) && in_array($tun . "\n", $lines)) { /* kill running client */ ovpn_client_kill($tun); @@ -987,6 +987,19 @@ EOD; } /* end authentication_method */ + /* LZO compression (off by default) */ + if (isset($client['comp_method'])) { + switch ($client['comp_method']) { + + case 'lzo': + $ovpn_config .= "comp-lzo\n"; + break; + case 'noadapt': + $ovpn_config .= "comp-lzo\n" . "comp-noadapt\n"; + break; + } + } + /* Expert mode paramters */ if (isset($client['expertmode_enabled']) && is_array($client['expertmode'])) { $ovpn_config .= ";begin expertmode\n"; @@ -1096,7 +1109,7 @@ function ovpn_cli_dirty($tun) { $fd = fopen($d_ovpnclidirty_path, 'a'); if ($fd) { - fwrite($fd, $tun); + fwrite($fd, $tun . "\n"); fclose($fd); } } diff --git a/usr/local/www/vpn_openvpn_cli.php b/usr/local/www/vpn_openvpn_cli.php index fe01ee0..a5d2e1e 100755 --- a/usr/local/www/vpn_openvpn_cli.php +++ b/usr/local/www/vpn_openvpn_cli.php @@ -28,6 +28,7 @@ POSSIBILITY OF SUCH DAMAGE. */ +$pgtitle = array("VPN", "OpenVPN"); require("guiconfig.inc"); require_once("openvpn.inc"); @@ -81,12 +82,7 @@ if ($_GET['act'] == "del") { exit; } } - -$pgtitle = "VPN: OpenVPN"; -include("head.inc"); - ?> - <?php include("fbegin.inc"); ?> <?php if ($input_errors) print_input_errors($input_errors); ?> <?php if (file_exists($d_sysrebootreqd_path) && !file_exists($d_ovpnclidirty_path)) print_info_box(get_std_save_message(0)); ?> diff --git a/usr/local/www/vpn_openvpn_cli_edit.php b/usr/local/www/vpn_openvpn_cli_edit.php index 1f4fca3..c22faf2 100755 --- a/usr/local/www/vpn_openvpn_cli_edit.php +++ b/usr/local/www/vpn_openvpn_cli_edit.php @@ -28,6 +28,7 @@ POSSIBILITY OF SUCH DAMAGE. */ +$pgtitle = array("VPN", "OpenVPN", "Edit client"); require("guiconfig.inc"); require_once("openvpn.inc"); @@ -170,8 +171,6 @@ if ($_POST) { if (!empty($retval)) $input_errors[] = $retval; - else - ovpn_cli_dirty($ovpnent['if']); } if ( $ovpncli[$id]['sport'] != $_POST['sport'] || @@ -192,17 +191,11 @@ if ($_POST) { $input_errors[] = "Delete this interface first before changing the type of the tunnel to " . strtoupper($_POST['type']) ."."; - /* Has the enable/disable state changed? */ - if (isset($ovpnent['enable']) && isset($_POST['disabled'])) { - ovpn_cli_dirty($ovpnent['if']); - } if (!isset($ovpnent['enable']) && !isset($_POST['disabled'])) { /* check if port number is free, else choose another one */ if (in_array($ovpnent['cport'], used_port_list())) $ovpnent['cport'] = getnxt_port(); - - ovpn_cli_dirty($ovpnent['if']); } } else { /* Creating a new entry */ @@ -220,8 +213,6 @@ if ($_POST) { if (!empty($retval)) $input_errors[] = $retval; - else - ovpn_cli_dirty($ovpnent['if']); } } @@ -239,8 +230,10 @@ if ($_POST) { $ovpnent['cli_cert'] = $pconfig['cli_cert']; $ovpnent['cli_key'] = $pconfig['cli_key']; $ovpnent['crypto'] = $_POST['crypto']; + $ovpnent['comp_method'] = $_POST['comp_method']; $ovpnent['ns_cert_type'] = $_POST['ns_cert_type'] ? true : false; $ovpnent['pull'] = $_POST['pull'] ? true : false; + $ovpnent['dupcn'] = $_POST['dupcn'] ? true : false; $ovpnent['tlsauth'] = $_POST['tlsauth'] ? true : false; $ovpnent['bridge'] = $_POST['bridge']; $ovpnent['lipaddr'] = $_POST['lipaddr']; @@ -292,12 +285,7 @@ if ($_POST) { } } - -$pgtitle = "VPN: OpenVPN: Edit client"; -include("head.inc"); - ?> - <?php include("fbegin.inc"); ?> <script language="JavaScript"> function enable_change(enable_over) { @@ -318,6 +306,7 @@ function enable_change(enable_over) { document.iform.cli_cert.disabled = endis; document.iform.cli_key.disabled = endis; document.iform.crypto.disabled = endis; + document.iform.comp_method.disabled = endis; document.iform.ns_cert_type.disabled = endis; document.iform.pull.disabled = endis; document.iform.tlsauth.disabled = endis; @@ -342,7 +331,6 @@ function expertmode_change(enable_over) { document.iform.expertmode_options.disabled = endis; } - function tls_change(enable_over) { var endis; endis = !(document.iform.tlsauth.checked || enable_over); @@ -659,13 +647,44 @@ function get_radio_value(obj) { <tr> <td colspan="2" valign="top" class="listtopic">Client Options</td> </tr> + <tr> + <td width="22%" valign="top" class="vncell">Pull Options</td> + <td width="78%" class="vtable"> + <input type="checkbox" name="pull" value="yes" <?php if ($pconfig['pull']) echo "checked"; ?>> + <strong>Client-pull</strong><br> + This option must be used on a client which is connecting to a + multi-client server. It indicates to OpenVPN that it should + accept options pushed by the server, provided they are part of the + legal set of pushable options. + </td> + </tr> - <tr> - <td width="22%" valign="top" class="vncell">Options</td> - <td width="78%" class="vtable"> - <input type="checkbox" name="pull" value="yes" <?php if ($pconfig['pull']) echo "checked"; ?>> - <strong>Client-pull</strong></td> + <tr> + <td width="22%" valign="top" class="vncell">Compression method</td> + <td width="78%" class="vtable"> + <select name="comp_method" class="formfld" id="comp_method"> + <option <?php if (!$pconfig['comp_method']) echo "selected";?> value="">none</option> + <?php $compression_method = array('lzo' => 'LZO', 'noadapt' => 'LZO (no adaptive)'); + foreach($compression_method as $comp_method => $comp_methodname): ?> + <option value="<?=$comp_method;?>" + <?php if ($comp_method == $pconfig['comp_method']) echo "selected";?>> + <?=htmlspecialchars($comp_methodname);?> + </option> + <?php endforeach; ?> + </select> + <br> + Choose which compression method to use.<br> + <br> + LZO compression generally improves performance on slow links, + but may add up to 1 byte per packet for incompressible data.<br> + <br> + With adaptive compression, OpenVPN will periodically sample the + compression process to measure its efficiency. If the data being + sent over the tunnel is already compressed, the compression + efficiency will be very low. Choose 'LZO (no adaptive)' + to disable OpenVPN's adaptive compression algorithm. + </td> </tr> <tr> diff --git a/usr/local/www/vpn_openvpn_srv.php b/usr/local/www/vpn_openvpn_srv.php index 5cd6ff1..9ad6b6b 100755 --- a/usr/local/www/vpn_openvpn_srv.php +++ b/usr/local/www/vpn_openvpn_srv.php @@ -29,6 +29,7 @@ POSSIBILITY OF SUCH DAMAGE. */ +$pgtitle = array("VPN", "OpenVPN"); require("guiconfig.inc"); require_once("openvpn.inc"); @@ -82,12 +83,7 @@ if ($_GET['act'] == "del") { exit; } } - -$pgtitle = "VPN: OpenVPN"; -include("head.inc"); - ?> - <?php include("fbegin.inc"); ?> <?php if ($input_errors) print_input_errors($input_errors); ?> <?php if (file_exists($d_sysrebootreqd_path) && !file_exists($d_ovpnsrvdirty_path)) print_info_box(get_std_save_message(0)); ?> diff --git a/usr/local/www/vpn_openvpn_srv_edit.php b/usr/local/www/vpn_openvpn_srv_edit.php index e2ac9f1..4ba535f 100755 --- a/usr/local/www/vpn_openvpn_srv_edit.php +++ b/usr/local/www/vpn_openvpn_srv_edit.php @@ -29,6 +29,7 @@ POSSIBILITY OF SUCH DAMAGE. */ +$pgtitle = array("VPN", "OpenVPN", "Edit server"); require("guiconfig.inc"); require_once("openvpn.inc"); @@ -80,7 +81,6 @@ if ($_POST) { unset($input_errors); unset($check_ipblock); - unset($bridge_reset); /* input validation */ $reqdfields = explode(" ", "type bind_iface"); @@ -170,6 +170,8 @@ if ($_POST) { if ($_POST['ipblock'] && $check_ipblock) { if (!is_ipaddr($_POST['ipblock'])) { $input_errors[] = "A valid IP netblock must be specified."; + } else if ($_POST['type'] == "tun" && intval($_POST['prefix']) > 29) { + $input_errors[] = "Network mask too high for tun-style tunnels."; } else { $network = ip2long(gen_subnet($_POST['ipblock'], $_POST['prefix'])); $broadcast = ip2long(gen_subnet_max($_POST['ipblock'], $_POST['prefix'])); @@ -242,9 +244,6 @@ if ($_POST) { if (ip2long($_POST['range_from']) > ip2long($_POST['range_to'])) $input_errors[] = "The range is invalid (first element higher than second element)."; - - if (!($_POST['type'] == "tap" && $_POST['authentication_method'] == "rsasig")) - $bridge_reset = 1; } } @@ -295,8 +294,6 @@ if ($_POST) { if (!empty($retval)) $input_errors[] = $retval; - else - ovpn_srv_dirty($ovpnent['tun_iface']); } /* port number syntactically valid, so lets check, if it is free */ @@ -344,12 +341,6 @@ if ($_POST) { } - /* Has the enable/disable state changed? */ - if (isset($ovpnent['enable']) && isset($_POST['disabled'])) { - /* status changed to disabled */ - ovpn_srv_dirty($ovpnent['tun_iface']); - } - /* status changed to enable */ if (!isset($ovpnent['enable']) && !isset($_POST['disabled'])) { @@ -367,8 +358,6 @@ if ($_POST) { $input_errors[] = "OpenVPN binding already in use by another OpenVPN daemon."; } } - - ovpn_srv_dirty($ovpnent['tun_iface']); } } else { @@ -404,8 +393,6 @@ if ($_POST) { if (!empty($retval)) $input_errors[] = $retval; - else - ovpn_srv_dirty($ovpnent['tun_iface']); } } @@ -434,6 +421,7 @@ if ($_POST) { $ovpnent['verb'] = $_POST['verb']; $ovpnent['maxcli'] = $_POST['maxcli']; $ovpnent['crypto'] = $_POST['crypto']; + $ovpnent['comp_method'] = $_POST['comp_method']; $ovpnent['cli2cli'] = $_POST['cli2cli'] ? true : false; $ovpnent['dupcn'] = $_POST['dupcn'] ? true : false; $ovpnent['dynip'] = $_POST['dynip'] ? true : false; @@ -525,11 +513,8 @@ if ($_POST) { } } -$pgtitle = "VPN: OpenVPN: Edit Server"; -include("head.inc"); ?> - <?php include("fbegin.inc"); ?> <script language="JavaScript"> function enable_change(enable_over) { @@ -568,6 +553,7 @@ function enable_change(enable_over) { document.iform.netmask.disabled = endis; document.iform.cli2cli.disabled = endis; document.iform.dupcn.disabled = endis; + document.iform.comp_method.disabled = endis; document.iform.psh_redir.disabled = endis; document.iform.psh_redir_loc.disabled = endis; document.iform.psh_rtedelay.disabled = endis; @@ -609,7 +595,6 @@ function tls_change(enable_over) { document.iform.psk.disabled = endis; } - function expertmode_change(enable_over) { var endis; endis = !(document.iform.expertmode_enabled.checked || enable_over); @@ -676,6 +661,19 @@ function methodsel_change(enable_over) { document.iform.lipaddr.disabled = 1; document.iform.ripaddr.disabled = 1; document.iform.netmask.disabled = 1; + document.iform.cli2cli.disabled = 0; + document.iform.psh_redir.disabled = 0; + document.iform.psh_redir_loc.disabled = 0; + document.iform.psh_rtedelay.disabled = 0; + document.iform.psh_rtedelay_int.disabled = 0; + document.iform.psh_inact.disabled = 0; + document.iform.psh_inact_int.disabled = 0; + document.iform.psh_ping.disabled = 0; + document.iform.psh_ping_int.disabled = 0; + document.iform.psh_pingexit.disabled = 0; + document.iform.psh_pingexit_int.disabled = 0; + document.iform.psh_pingrst.disabled = 0; + document.iform.psh_pingrst_int.disabled = 0; tls_change(); break; default: /* pre-shared */ @@ -715,6 +713,18 @@ function methodsel_change(enable_over) { document.iform.dupcn.checked = 0; document.iform.cli2cli.disabled = 1; document.iform.cli2cli.checked = 0; + document.iform.psh_redir.disabled = 1; + document.iform.psh_redir_loc.disabled = 1; + document.iform.psh_rtedelay.disabled = 1; + document.iform.psh_rtedelay_int.disabled = 1; + document.iform.psh_inact.disabled = 1; + document.iform.psh_inact_int.disabled = 1; + document.iform.psh_ping.disabled = 1; + document.iform.psh_ping_int.disabled = 1; + document.iform.psh_pingexit.disabled = 1; + document.iform.psh_pingexit_int.disabled = 1; + document.iform.psh_pingrst.disabled = 1; + document.iform.psh_pingrst_int.disabled = 1; break; } @@ -1090,6 +1100,33 @@ function get_radio_value(obj) { </tr> <tr> + <td width="22%" valign="top" class="vncell">Compression method</td> + <td width="78%" class="vtable"> + <select name="comp_method" class="formfld" id="comp_method"> + <option <?php if (!$pconfig['comp_method']) echo "selected";?> value="">none</option> + <?php $compression_method = array('lzo' => 'LZO', 'noadapt' => 'LZO (no adaptive)'); + foreach($compression_method as $comp_method => $comp_methodname): ?> + <option value="<?=$comp_method;?>" + <?php if ($comp_method == $pconfig['comp_method']) echo "selected";?>> + <?=htmlspecialchars($comp_methodname);?> + </option> + <?php endforeach; ?> + </select> + <br> + Choose which compression method to use.<br> + <br> + LZO compression generally improves performance on slow links, + but may add up to 1 byte per packet for incompressible data.<br> + <br> + With adaptive compression, OpenVPN will periodically sample the + compression process to measure its efficiency. If the data being + sent over the tunnel is already compressed, the compression + efficiency will be very low. Choose 'LZO (no adaptive)' + to disable OpenVPN's adaptive compression algorithm. + </td> + </tr> + + <tr> <td width="22%" valign="top" class="vncell">Client-push options</td> <td width="78%" class="vtable"> <table border="0" cellspacing="0" cellpadding="0"> |
