author | Martin Fuchs <mfuchs@pfsense.org> | 2007-06-07 16:28:51 +0000 |
---|---|---|
committer | Martin Fuchs <mfuchs@pfsense.org> | 2007-06-07 16:28:51 +0000 |
commit | 54816afd7500782544cf19c65a374d1bf4fcb5e5 (patch) | |
tree | dcbe7d15fc068e035b1367f7bd6c3a0d6e61dfd7 /etc | |
parent | 24e53389c2c7fa50006db64ae7f4ab832a10b177 (diff) | |
download | pfsense-54816afd7500782544cf19c65a374d1bf4fcb5e5.zip pfsense-54816afd7500782544cf19c65a374d1bf4fcb5e5.tar.gz |
Add OpenVPN CSC-DHCP Options (override per Client), add TLS-Authentication, add connection-limit for server
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/openvpn.inc | 126 |
1 files changed, 121 insertions, 5 deletions
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc index bd2446a..ffcda86 100644 --- a/etc/inc/openvpn.inc +++ b/etc/inc/openvpn.inc @@ -88,7 +88,6 @@ function openvpn_validate_input($mode, $post, $input_errors) { if ($result = openvpn_validate_cidr($post['local_network'], 'Local network')) $input_errors[] = $result; -// DHCP-Options logic-check if (!empty($post['dhcp_dns'])) { $servers = explode(';', $post['dhcp_dns']); foreach ($servers as $server) if (!is_ipaddr($server)) @@ -109,6 +108,10 @@ function openvpn_validate_input($mode, $post, $input_errors) { foreach ($servers as $server) if (!is_ipaddr($server)) {$input_errors[] = 'The field \'DHCP-Opt.: NTP-Server\' must contain a valid IP address and no whitespaces.'; break;}} + if (isset($post['maxclients']) && $post['maxclients'] != "") { + if (!is_numeric($post['maxclients'])) + $input_errors[] = 'The field \'Maximum clients\' must be numeric.'; + } } @@ -163,8 +166,14 @@ function openvpn_validate_input($mode, $post, $input_errors) { } do_input_validation($post, $reqfields, $reqfieldsn, &$input_errors); + if ($post['protocol'] != 'UDP') { + if (!empty($post['tls'])) + $input_errors[] = 'TLS-authentication can only be used with protocol UDP'; + } + $value = trim($post['shared_key']); $items = array(); + if ($_POST['auth_method'] == 'shared_key') { $items[] = array( 'field' => 'shared_key', 'string' => 'OpenVPN Static key V1', @@ -180,6 +189,9 @@ function openvpn_validate_input($mode, $post, $input_errors) { $items[] = array( 'field' => "{$mode}_key", 'string' => 'RSA PRIVATE KEY', 'name' => "$Mode key"); + $items[] = array( 'field' => 'tls', + 'string' => 'OpenVPN Static key V1', + 'name' => 'TLS'); if ($mode == 'server') { $items[] = array( 'field' => 'dh_params', 'string' => 'DH PARAMETERS', 
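Review bot: `is_numeric()` in the new `maxclients` check accepts signed, fractional and exponent forms ("-1", "1.5", "1e3"), and the `@@ -334` hunk then interpolates the value verbatim into `max-clients {$settings['maxclients']}`, producing a directive OpenVPN will reject at start-up. Restrict the field to a positive integer before it is stored: `if (!ctype_digit((string)$post['maxclients']) || (int)$post['maxclients'] < 1)` in place of the `!is_numeric(...)` test. The enclosing openvpn_validate_input() starts and ends outside the hunk.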
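Review bot: `if ($_POST['auth_method'] == 'shared_key')` reads the superglobal although the function validates the `$post` array it was handed (the line just above uses `$post['shared_key']`), so a caller passing anything other than `$_POST` is routed to the wrong branch. Make it `if ($post['auth_method'] == 'shared_key') {`. The function body continues outside the hunk.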
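Review bot: The new `tls` entry is appended to `$items` unconditionally, next to the mandatory certificate and key entries; if the loop that consumes `$items` (outside this hunk) reports an error for an empty field, the optional TLS key becomes required whenever certificate authentication is selected. Either guard the push with `if (!empty($post['tls']))` or confirm that the consuming loop skips empty fields.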
@@ -201,8 +213,50 @@ function openvpn_validate_input($mode, $post, $input_errors) { function openvpn_validate_input_csc($post, $input_errors) { if ($result = openvpn_validate_cidr($post['ifconfig_push'], 'Interface IP')) $input_errors[] = $result; -} + if ($post['push_reset'] != 'on') { + if (!empty($post['dhcp_domainname'])) + $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options'; + elseif (!empty($post['dhcp_dns'])) + $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options'; + elseif (!empty($post['dhcp_wins'])) + $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options'; + elseif (!empty($post['dhcp_nbdd'])) + $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options'; + elseif (!empty($post['dhcp_ntp'])) + $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options'; + elseif ($post['dhcp_nbttype']) + $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options'; + elseif (!empty($post['dhcp_nbtscope'])) + $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options'; + elseif ($post['dhcp_nbtdisable']) + $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options'; + + } + else { + + if (!empty($post['dhcp_dns'])) { + $servers = explode(';', $post['dhcp_dns']); + foreach ($servers as $server) if (!is_ipaddr($server)) + {$input_errors[] = 'The field \'DHCP-Opt.: DNS-Server\' must contain a valid IP address and no whitespaces.'; + break;}} + if (!empty($post['dhcp_wins'])) { + $servers = explode(';', $post['dhcp_wins']); + foreach ($servers as $server) if (!is_ipaddr($server)) + {$input_errors[] = 'The field \'DHCP-Opt.: WINS-Server\' must contain a valid IP address and no whitespaces.'; + break;}} + if (!empty($post['dhcp_nbdd'])) { + $servers = explode(';', $post['dhcp_nbdd']); + foreach ($servers as $server) if (!is_ipaddr($server)) 
+ {$input_errors[] = 'The field \'DHCP-Opt.: NBDD-Server\' must contain a valid IP address and no whitespaces.'; + break;}} + if (!empty($post['dhcp_ntp'])) { + $servers = explode(';', $post['dhcp_ntp']); + foreach ($servers as $server) if (!is_ipaddr($server)) + {$input_errors[] = 'The field \'DHCP-Opt.: NTP-Server\' must contain a valid IP address and no whitespaces.'; + break;}} + +}} // Rewrite the settings function openvpn_reconfigure($mode, $id) { @@ -227,6 +281,9 @@ function openvpn_reconfigure($mode, $id) { $keys[] = array('field' => 'dh_params', 'ext' => 'dh', 'directive' => 'dh'); if ($settings['crl']) $keys[] = array('field' => 'crl', 'ext' => 'crl', 'directive' => 'crl-verify'); + if ($settings['tls']) + $keys[] = array('field' => 'tls', 'ext' => 'tls', 'directive' => 'tls-auth'); + } foreach($keys as $key) { $filename = $base_file . $key['ext']; @@ -334,7 +391,9 @@ EOD; if (!empty($settings['dhcp_nbtscope'])) $openvpn_conf .= "push \"dhcp-option NBS {$settings['dhcp_nbtscope']}\"\n"; if ($settings['dhcp_nbtdisable']) $openvpn_conf .= "push \"dhcp-option DISABLE-NBT\"\n"; - } + if (!empty($settings['tls'])) $openvpn_conf .= "tls-auth {$g['varetc_path']}/openvpn_server{$id}.tls 0\n"; + if (!empty($settings['maxclients'])) $openvpn_conf .= "max-clients {$settings['maxclients']}\n"; + } else { // $mode == client // The remote server @@ -362,6 +421,9 @@ EOD; /* ;http-proxy-retry # retry on connection failures */ $openvpn_conf .= "http-proxy {$settings['proxy_hostname']} {$settings['proxy_port']}\n"; } + + if (!empty($settings['tls'])) $openvpn_conf .= "tls-auth {$g['varetc_path']}/openvpn_client{$id}.tls 1\n"; + } // Add the routes if they're set @@ -373,7 +435,9 @@ EOD; // Write the settings for the keys foreach ($keys as $key) + if ($key['directive'] != 'tls-auth') { $openvpn_conf .= $key['directive'] . ' ' . $base_file . $key['ext'] . "\n"; + } if ($settings['use_lzo']) $openvpn_conf .= "comp-lzo\n"; 
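Review bot: The `push_reset` branch repeats one error string for eight fields and the `else` branch copies the `;`-separated server check from openvpn_validate_input() four more times, so a fix to that check (a trailing `;` producing an empty entry, for instance) has to be applied in eight places. Iterating over the field names and moving the list check into one shared helper, as sketched below, keeps the two validators in step. The two fields the `@@ -412` hunk writes as `push "dhcp-option DOMAIN …"` and `push "dhcp-option NBS …"` — `dhcp_domainname` and `dhcp_nbtscope` — get no format check here at all, so a stray quote or newline in them corrupts the generated client-config directive; validate them against a hostname pattern such as `preg_match('/^[A-Za-z0-9.-]+$/', …)` before they are stored.
```php
function openvpn_validate_input_csc($post, $input_errors) {
	if ($result = openvpn_validate_cidr($post['ifconfig_push'], 'Interface IP'))
		$input_errors[] = $result;

	// Every per-client DHCP option; any of them set while push-reset is off is an error.
	$dhcp_fields = array('dhcp_domainname', 'dhcp_dns', 'dhcp_wins', 'dhcp_nbdd',
		'dhcp_ntp', 'dhcp_nbttype', 'dhcp_nbtscope', 'dhcp_nbtdisable');
	// Fields holding ';'-separated IP addresses, keyed to the label used in the message.
	$dhcp_lists = array('dhcp_dns' => 'DNS-Server', 'dhcp_wins' => 'WINS-Server',
		'dhcp_nbdd' => 'NBDD-Server', 'dhcp_ntp' => 'NTP-Server');

	if ($post['push_reset'] != 'on') {
		foreach ($dhcp_fields as $field)
			if (!empty($post[$field])) {
				$input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options';
				break;
			}
	}
	else {
		foreach ($dhcp_lists as $field => $label)
			if (!empty($post[$field]))
				openvpn_validate_ip_list($post[$field], $label, $input_errors);
		// The domain name is interpolated into a quoted push directive; keep it to hostname characters.
		if (!empty($post['dhcp_domainname']) && !preg_match('/^[A-Za-z0-9.-]+$/', $post['dhcp_domainname']))
			$input_errors[] = 'The field \'DHCP-Opt.: Domain\' must be a valid domain name.';
	}
}

// Append one error to $input_errors when an entry of a ';'-separated list is not an IP address.
function openvpn_validate_ip_list($list, $label, &$input_errors) {
	foreach (explode(';', $list) as $server)
		if (!is_ipaddr($server)) {
			$input_errors[] = "The field 'DHCP-Opt.: {$label}' must contain a valid IP address and no whitespaces.";
			return;
		}
}
```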
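Review bot: The `$keys[]` entry for `tls` is pushed inside the block that also adds `dh_params` and `crl`, which reads as the server-only branch (its opening `if` lies outside the hunk); if so, the client conf written in the `@@ -362` hunk references `openvpn_client{$id}.tls` although nothing writes that file. Move the two new lines below the closing `}` so they run for both modes. The directive lines in the `@@ -334` and `@@ -362` hunks also repeat the key path by hand (`{$g['varetc_path']}/openvpn_server{$id}.tls`) while the key loop already builds it as `$base_file . $key['ext']`; storing the direction in the array, `'arg' => ($mode == 'server' ? ' 0' : ' 1')`, and appending `$key['arg']` in the write loop removes both the duplicated path and the `if ($key['directive'] != 'tls-auth')` special case the `@@ -373` hunk introduces.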
@@ -412,6 +476,55 @@ function openvpn_resync_csc($id) { $baselong = ip2long($ip) & gen_subnet_mask_long($mask); $conf .= 'ifconfig-push ' . long2ip($baselong + 1) . ' ' . long2ip($baselong + 2) . "\n"; } + +// DHCP-Options + if (!empty($settings['dhcp_domainname'])) $conf .= "push \"dhcp-option DOMAIN {$settings['dhcp_domainname']}\"\n"; + + if (!empty($settings['dhcp_dns'])) { + $servers = explode(';', $settings['dhcp_dns']); + if (is_array($servers)) { + foreach ($servers as $server) $conf .= "push \"dhcp-option DNS {$server}\"\n"; + } + else { + $conf .= "push \"dhcp-option DNS {$settings['dhcp_dns']}\"\n"; + } + } + + if (!empty($settings['dhcp_wins'])) { + $servers = explode(';', $settings['dhcp_wins']); + if (is_array($servers)) { + foreach ($servers as $server) $conf .= "push \"dhcp-option WINS {$server}\"\n"; + } + else { + $conf .= "push \"dhcp-option WINS {$settings['dhcp_wins']}\"\n"; + } + } + + if (!empty($settings['dhcp_nbdd'])) { + $servers = explode(';', $settings['dhcp_nbdd']); + if (is_array($servers)) { + foreach ($servers as $server) $conf .= "push \"dhcp-option NBDD {$server}\"\n"; + } + else { + $conf .= "push \"dhcp-option NBDD {$settings['dhcp_nbdd']}\"\n"; + } + } + + if (!empty($settings['dhcp_ntp'])) { + $servers = explode(';', $settings['dhcp_ntp']); + if (is_array($servers)) { + foreach ($servers as $server) $conf .= "push \"dhcp-option NTP {$server}\"\n"; + } + else { + $conf .= "push \"dhcp-option NTP {$settings['dhcp_ntp']}\"\n"; + } + } + + if (!empty($settings['dhcp_nbttype']) && $settings['dhcp_nbttype'] !=0) $conf .= "push \"dhcp-option NBT {$settings['dhcp_nbttype']}\"\n"; + if (!empty($settings['dhcp_nbtscope'])) $conf .= "push \"dhcp-option NBS {$settings['dhcp_nbtscope']}\"\n"; + if ($settings['dhcp_nbtdisable']) $conf .= "push \"dhcp-option DISABLE-NBT\"\n"; + + if (!empty($settings['custom_options'])) { $options = explode(';', $settings['custom_options']); if (is_array($options)) { 
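Review bot: The `else` branch after each `is_array($servers)` test is unreachable, because `explode()` with a non-empty delimiter always returns an array, and the same twelve-line block is then repeated for DNS, WINS, NBDD and NTP. One loop over a field-to-option map emits identical `push` lines and leaves a single place to change, as sketched below. The enclosing openvpn_resync_csc() starts and ends outside the hunk.
```php
// DHCP-Options
if (!empty($settings['dhcp_domainname'])) $conf .= "push \"dhcp-option DOMAIN {$settings['dhcp_domainname']}\"\n";

// explode() always yields an array for a non-empty delimiter, so one loop covers all four lists.
$dhcp_lists = array('dhcp_dns' => 'DNS', 'dhcp_wins' => 'WINS', 'dhcp_nbdd' => 'NBDD', 'dhcp_ntp' => 'NTP');
foreach ($dhcp_lists as $field => $option) {
	if (empty($settings[$field])) continue;
	foreach (explode(';', $settings[$field]) as $server)
		$conf .= "push \"dhcp-option {$option} {$server}\"\n";
}

// … unchanged: NBT / NBS / DISABLE-NBT lines and the custom_options block …
```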
@@ -427,6 +540,7 @@ function openvpn_resync_csc($id) { file_put_contents($filename, $conf); chown($filename, 'nobody'); chgrp($filename, 'nogroup'); + } @@ -488,7 +602,6 @@ function openvpn_resync_all() { } - function openvpn_print_javascript($mode) { $javascript = <<<EOD <script language="JavaScript"> @@ -501,15 +614,18 @@ function onAuthMethodChanged() { document.iform.ca_cert.disabled = endis; document.iform.{$mode}_cert.disabled = endis; document.iform.{$mode}_key.disabled = endis; + document.iform.tls.disabled = endis; EOD; if ($mode == 'server') { $javascript .= <<<EOD document.iform.dh_params.disabled = endis; document.iform.crl.disabled = endis; + document.iform.tls.disabled = endis; document.iform.nopool.disabled = endis; document.iform.local_network.disabled = endis; document.iform.client2client.disabled = endis; + document.iform.maxclients.disabled = endis; EOD; } @@ -539,4 +655,4 @@ function openvpn_print_javascript2() { EOD; print($javascript); } -?>
\ No newline at end of file +?> |
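Review bot: `document.iform.tls.disabled = endis;` is emitted twice when `$mode == 'server'`: once in the shared heredoc and again in the server-only heredoc a few lines below, so the server form runs the same assignment back to back. Drop the copy in the server-only block; the shared line already covers both modes. openvpn_print_javascript() starts outside the hunk.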