author | Matthew Grooms <mgrooms@pfsense.org> | 2008-08-26 22:20:01 +0000 |
---|---|---|
committer | Matthew Grooms <mgrooms@pfsense.org> | 2008-08-26 22:20:01 +0000 |
commit | e28120e5379d6f8310a4a4082f5178da55a321e8 (patch) | |
tree | b83c6f628e6daf127418a2ed5b7e292e1476d5c9 | |
parent | d799787e49e0a535acbc881b8e8944b860e25e47 (diff) | |
Dump the per-configuration dh parameters data. It makes no sense to keep
this information in the configuration as it's not specific to the server.
It only contains the parameters ( a safe large prime number ) that is
used during a DH key exchange. Instead, we now use a system wide dh file
that is generated when the /var/etc/openvpn directory is setup. This
shaves 10 to 30 seconds off of the server config creation process. Also
correct a bug in the hack I added to work around carp related issues
that prevented filter re-configuration from working properly.
-rw-r--r-- | etc/inc/config.inc | 14 | ||||
-rw-r--r-- | etc/inc/openvpn.inc | 13 | ||||
-rw-r--r-- | usr/local/www/vpn_openvpn_server.php | 5 |
3 files changed, 25 insertions, 7 deletions
diff --git a/etc/inc/config.inc b/etc/inc/config.inc
index 006af13..edff9e0 100644
--- a/etc/inc/config.inc
+++ b/etc/inc/config.inc
@@ -1747,6 +1747,7 @@ endif;
 }
 /* modify configuration values */
+ unset($server['dh_params']);
 if (!$server['interface'])
 $server['interface'] = 'wan';
 $server['tunnel_network'] = $server['addresspool'];
@@ -1886,8 +1887,17 @@ endif;
 unset($config['installedpackages']['openvpncsc']);
 }
- $config['installedpackages'] = array();
- $config['installedpackages']['carp'] = array();
+ /*
+ * FIXME: hack to keep things working with no installedpackages
+ * or carp array in the configuration data.
+ */
+ if (!is_array($config['installedpackages']))
+ $config['installedpackages'] = array();
+ if (!is_array($config['installedpackages']['carp']))
+ $config['installedpackages']['carp'] = array();
+
+ /* reconfigure openvpn services */
+ openvpn_resync_all();
 $config['version'] = "5.2";
 }
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index efea035..1225f40 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -342,8 +342,11 @@ EOD;
 openvpn_add_keyfile($cert['crt'], $conf, $mode_id, "cert");
 openvpn_add_keyfile($cert['prv'], $conf, $mode_id, "key");
- if ($mode == 'server')
- openvpn_add_keyfile($settings['dh_params'], $conf, $mode_id, "dh");
+ if ($mode == 'server') {
+ $path_ovdh = $g['varetc_path']."/openvpn/dh-parameters";
+ $conf .= "dh {$path_ovdh}\n";
+ }
+
 if ($settings['crl'])
 openvpn_add_keyfile($settings['crl'], $conf, $mode_id, "crl-verify");
 if ($settings['tls'])
@@ -465,6 +468,12 @@ function openvpn_resync_all() {
 chown($path_ovpn, 'nobody');
 chgrp($path_ovpn, 'nobody');
+ $path_ovdh = $g['varetc_path']."/openvpn/dh-parameters";
+ if (!file_exists($path_ovdh)) {
+ echo "Setting up OpenVPN environment ...\n";
+ exec("/usr/bin/openssl dhparam -out {$path_ovdh} 1024");
+ }
+
 $path_csc = $g['varetc_path']."/openvpn_csc";
 safe_mkdir($path_csc);
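Review bot: The new `openvpn_resync_all();` call inside the version-5.2 upgrade step turns a pure configuration migration into one that shells out (it creates `/openvpn/dh-parameters` under `varetc_path` via `openssl dhparam` per the openvpn.inc hunk) and echoes progress text to stdout. If this upgrade step can run from a context other than the console or boot (the enclosing function starts and ends outside the hunk, so I cannot tell), that side effect and its output would be better left to the caller after the upgrade finishes. At minimum the comment should say so: `/* reconfigure openvpn services: generates the shared dh file on first run, which can take a while */`.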
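Review bot: The added `$conf .= "dh {$path_ovdh}\n";` points every server instance at a system-wide file that nothing in this function checks for; if the shared dh-parameters file has not been generated yet, OpenVPN will refuse to start that instance, whereas the removed `openvpn_add_keyfile()` path wrote the data the config carried. A comment recording the dependency would help the next maintainer: `/* dh-parameters is shared by all servers and is created by openvpn_resync_all(); the instance will not start without it */`. The enclosing function starts outside the hunk, so I also cannot confirm that `$g` is declared `global` there; if it is not, `$path_ovdh` silently becomes `/openvpn/dh-parameters`.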
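Review bot: The `exec("/usr/bin/openssl dhparam -out {$path_ovdh} 1024")` result is never checked, and the guard is only `!file_exists($path_ovdh)`, so a failed or interrupted run (openssl missing, out of space, reboot mid-generation) can leave an empty or truncated dh-parameters file that is then treated as valid forever and breaks every server instance that references it. Generating into a temporary file, checking the exit status and size, and renaming into place on success keeps the file either absent or complete; `escapeshellarg()` on the path is cheap insurance even though `varetc_path` is not user input. The 1024-bit size is also hard-coded here, which a comment should call out so it can be found when the size needs to change. `openvpn_resync_all()` continues outside the hunk.
```php
$path_ovdh = $g['varetc_path']."/openvpn/dh-parameters";
if (!file_exists($path_ovdh)) {
	echo "Setting up OpenVPN environment ...\n";
	/* generate into a temp file so a failed or interrupted run never leaves a truncated dh-parameters behind */
	$path_tmp = $path_ovdh.".tmp";
	exec("/usr/bin/openssl dhparam -out ".escapeshellarg($path_tmp)." 1024", $output, $retval);
	if ($retval == 0 && filesize($path_tmp) > 0)
		rename($path_tmp, $path_ovdh);
	else
		@unlink($path_tmp);
}
// … unchanged: $path_csc setup …
```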
diff --git a/usr/local/www/vpn_openvpn_server.php b/usr/local/www/vpn_openvpn_server.php
index 0de0cef..e2b2b84 100644
--- a/usr/local/www/vpn_openvpn_server.php
+++ b/usr/local/www/vpn_openvpn_server.php
@@ -205,10 +205,9 @@ if ($_POST) {
 $server = array();
- if (isset($id) && $a_server[$id]) {
- $server['dh_params'] = $a_server[$id]['dh_params'];
+ if (isset($id) && $a_server[$id])
 $server['vpnid'] = $a_server[$id]['vpnid'];
- } else
+ else
 $server['vpnid'] = openvpn_vpnid_next();
 $server['disable'] = $pconfig['disable']; |
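Review bot: Dropping the braces leaves a two-branch `if`/`else` with each body on its own unbraced line, which is the shape that invites a future one-line addition to silently fall outside the conditional. Since both branches now assign the same key, a single expression reads more clearly and cannot be mis-extended: `$server['vpnid'] = (isset($id) && $a_server[$id]) ? $a_server[$id]['vpnid'] : openvpn_vpnid_next();`. The `$_POST` handler continues outside the hunk.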