authorErmal Luçi <eri@pfsense.org>2010-03-03 00:26:54 +0000
committerErmal Luçi <eri@pfsense.org>2010-03-03 00:27:13 +0000
commitf9ac378473ffc6adbab054640c93c08948a09516 (patch)
tree9e420a5552b0f4bc58e4d336d875819ff98ca86c /etc/inc/openvpn.inc
parent94ca29a9165d855c8db06b7d37c99ba79d53f9ef (diff)
downloadpfsense-f9ac378473ffc6adbab054640c93c08948a09516.zip
pfsense-f9ac378473ffc6adbab054640c93c08948a09516.tar.gz
Do not include tls-auth on authentication based only on user/pass.
Diffstat (limited to 'etc/inc/openvpn.inc')
-rw-r--r--etc/inc/openvpn.inc25
1 files changed, 20 insertions, 5 deletions
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index 8ec9bbe..c5145a3 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -254,8 +254,9 @@ function openvpn_add_keyfile(& $data, & $conf, $mode_id, $directive, $opt = "")
$fpath = $g['varetc_path']."/openvpn/{$mode_id}.{$directive}";
file_put_contents($fpath, base64_decode($data));
- chown($fpath, 'nobody');
- chgrp($fpath, 'nobody');
+ //chown($fpath, 'nobody');
+ //chgrp($fpath, 'nobody');
+ chmod($fpath, 0600);
$conf .= "{$directive} {$fpath} {$opt}\n";
}
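Review bot: The key material is written by `file_put_contents` before `chmod($fpath, 0600)` is applied, so for the interval between the two calls the decoded private key or tls-auth secret sits on disk with whatever mode the process umask yields (commonly 0644), and the same ordering problem exists on every reconfigure once the file already exists with a looser mode from an older run. Creating the file with the restrictive mode first closes that window: `touch($fpath); chmod($fpath, 0600); file_put_contents($fpath, base64_decode($data));`, and ideally the return value of `file_put_contents` is checked so a failed write does not leave a stale key referenced by the generated config. The commented-out `chown`/`chgrp` lines should be deleted rather than left in place; if the intent is that the files now stay root-owned because OpenVPN reads them before dropping privileges, a one-line comment saying so is more useful than the dead code. The rest of openvpn_add_keyfile begins above this hunk.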
@@ -488,7 +489,6 @@ function openvpn_reconfigure($mode,& $settings) {
case 'server_tls_user':
$ca = lookup_ca($settings['caref']);
openvpn_add_keyfile($ca['crt'], $conf, $mode_id, "ca");
- case 'server_user':
$cert = lookup_cert($settings['certref']);
openvpn_add_keyfile($cert['crt'], $conf, $mode_id, "cert");
openvpn_add_keyfile($cert['prv'], $conf, $mode_id, "key");
@@ -504,6 +504,17 @@ function openvpn_reconfigure($mode,& $settings) {
openvpn_add_keyfile($settings['tls'], $conf, $mode_id, "tls-auth", $tlsopt);
}
break;
+ case 'server_user':
+ $ca = lookup_ca($settings['caref']);
+ openvpn_add_keyfile($ca['crt'], $conf, $mode_id, "ca");
+ $cert = lookup_cert($settings['certref']);
+ openvpn_add_keyfile($cert['crt'], $conf, $mode_id, "cert");
+ openvpn_add_keyfile($cert['prv'], $conf, $mode_id, "key");
+ if ($mode == 'server')
+ $conf .= "dh {$g['etc_path']}/dh-parameters.{$settings['dh_length']}\n";
+ if ($settings['crl'])
+ openvpn_add_keyfile($settings['crl'], $conf, $mode_id, "crl-verify");
+ break;
}
if ($settings['compression'])
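Review bot: The new `server_user` case dereferences `$ca['crt']`, `$cert['crt']` and `$cert['prv']` without checking that `lookup_ca` and `lookup_cert` actually found the referenced entries; with a stale `caref`/`certref` the lookup presumably returns nothing, `base64_decode(null)` yields an empty string, and openvpn_add_keyfile then writes empty `.ca`/`.cert`/`.key` files that the generated config still points at. A guard before the first `openvpn_add_keyfile` call, e.g. `if (empty($ca['crt']) || empty($cert['crt']) || empty($cert['prv'])) return;` (with whatever error logging this file uses), fails the reconfigure explicitly instead of handing OpenVPN empty credential files. The case is also a verbatim copy of `server_tls_user` minus the tls-auth block; a small helper that emits ca/cert/key/dh/crl for both cases would keep the two from drifting the next time one of them is touched. openvpn_reconfigure starts and ends outside this hunk.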
@@ -524,8 +535,12 @@ function openvpn_reconfigure($mode,& $settings) {
$fpath = $g['varetc_path']."/openvpn/{$mode_id}.conf";
file_put_contents($fpath, $conf);
- chown($fpath, 'nobody');
- chgrp($fpath, 'nobody');
+ //chown($fpath, 'nobody');
+ //chgrp($fpath, 'nobody');
+ chmod("{$g['varetc_path']}/openvpn/{$mode_id}.conf", 0600);
+ chmod("{$g['varetc_path']}/openvpn/{$mode_id}.key", 0600);
+ chmod("{$g['varetc_path']}/openvpn/{$mode_id}.tls-auth", 0600);
+ chmod("{$g['varetc_path']}/openvpn/{$mode_id}.conf", 0600);
}
function openvpn_restart($mode, & $settings) {
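Review bot: `chmod("{$g['varetc_path']}/openvpn/{$mode_id}.conf", 0600)` appears twice (first and last of the four new lines), and the `.tls-auth` chmod on the line between them targets a file that, after this very commit, is no longer written for the `server_user` case, so it will emit a PHP warning for a missing file on every reconfigure of such an instance; the `.key` chmod is likewise redundant because openvpn_add_keyfile already sets 0600 on every key file it writes in this patch. `$fpath` already holds the config path, so the block reduces to one chmod on it plus existence-guarded chmods for the secret files, if keeping them as a belt-and-braces step is the intent. Note that the generated config is still written before it is chmod'ed, the same ordering window as in openvpn_add_keyfile.
```php
chmod($fpath, 0600);
/* key files are already 0600 from openvpn_add_keyfile; only touch them if present */
foreach (array('key', 'tls-auth') as $suffix) {
    $secret = "{$g['varetc_path']}/openvpn/{$mode_id}.{$suffix}";
    if (is_file($secret))
        chmod($secret, 0600);
}
```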