author | Renato Botelho <garga@FreeBSD.org> | 2015-03-02 08:55:03 -0300 |
---|---|---|
committer | Renato Botelho <garga@FreeBSD.org> | 2015-03-02 08:55:03 -0300 |
commit | 76de1b3feee5b7f988fbb7877a44905a9a0b2f49 (patch) | |
tree | 1dff5ff053b6dfcdd36323ce50316c08a6ea27d4 /etc | |
parent | 969a579330fba0a35206e499ab2d44da7c5c7117 (diff) | |
parent | ef00af3c3a7d205a028404c863484d89b26169cf (diff) | |
download | pfsense-76de1b3feee5b7f988fbb7877a44905a9a0b2f49.zip pfsense-76de1b3feee5b7f988fbb7877a44905a9a0b2f49.tar.gz |
Merge pull request #1526 from phil-davis/Code-Style-openvpn
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/openvpn.inc | 451 |
1 files changed, 286 insertions, 165 deletions
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc index 3bdb5a6..99b039f 100644 --- a/etc/inc/openvpn.inc +++ b/etc/inc/openvpn.inc @@ -85,7 +85,7 @@ $openvpn_verbosity_level = array( global $openvpn_dh_lengths; $openvpn_dh_lengths = array( - 1024, 2048, 4096 ); + 1024, 2048, 4096); global $openvpn_cert_depths; $openvpn_cert_depths = array( @@ -107,20 +107,21 @@ $openvpn_server_modes = array( global $openvpn_client_modes; $openvpn_client_modes = array( 'p2p_tls' => gettext("Peer to Peer ( SSL/TLS )"), - 'p2p_shared_key' => gettext("Peer to Peer ( Shared Key )") ); + 'p2p_shared_key' => gettext("Peer to Peer ( Shared Key )")); global $openvpn_compression_modes; $openvpn_compression_modes = array( - '' => gettext("No Preference"), - 'no' => gettext("Disabled - No Compression"), - 'adaptive' => gettext("Enabled with Adaptive Compression"), - 'yes' => gettext("Enabled without Adaptive Compression")); + '' => gettext("No Preference"), + 'no' => gettext("Disabled - No Compression"), + 'adaptive' => gettext("Enabled with Adaptive Compression"), + 'yes' => gettext("Enabled without Adaptive Compression")); function openvpn_create_key() { $fp = popen("/usr/local/sbin/openvpn --genkey --secret /dev/stdout 2>/dev/null", "r"); - if (!$fp) + if (!$fp) { return false; + } $rslt = stream_get_contents($fp); pclose($fp); @@ -131,8 +132,9 @@ function openvpn_create_key() { function openvpn_create_dhparams($bits) { $fp = popen("/usr/bin/openssl dhparam {$bits} 2>/dev/null", "r"); - if (!$fp) + if (!$fp) { return false; + } $rslt = stream_get_contents($fp); pclose($fp); 
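Review bot: In openvpn_create_dhparams the `$bits` argument is interpolated straight into the popen() command string, and the hunk only adds braces around the `if (!$fp)` check, so the function still relies entirely on its caller for a sane value. The accepted sizes are already listed in `$openvpn_dh_lengths` at the top of this hunk, so the function could refuse anything else before building the command: `global $openvpn_dh_lengths;` followed by `if (!in_array($bits, $openvpn_dh_lengths)) { return false; }`, or at minimum pass the value through `escapeshellarg()`. The `pclose()` return value is also discarded in both openvpn_create_key and openvpn_create_dhparams, so as far as this hunk shows a failing openssl or openvpn run would only surface as empty output. Both function bodies continue past the end of the hunk.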
@@ -143,15 +145,21 @@ function openvpn_create_dhparams($bits) { function openvpn_vpnid_used($vpnid) { global $config; - if (is_array($config['openvpn']['openvpn-server'])) - foreach ($config['openvpn']['openvpn-server'] as & $settings) - if ($vpnid == $settings['vpnid']) + if (is_array($config['openvpn']['openvpn-server'])) { + foreach ($config['openvpn']['openvpn-server'] as & $settings) { + if ($vpnid == $settings['vpnid']) { return true; + } + } + } - if (is_array($config['openvpn']['openvpn-client'])) - foreach ($config['openvpn']['openvpn-client'] as & $settings) - if ($vpnid == $settings['vpnid']) + if (is_array($config['openvpn']['openvpn-client'])) { + foreach ($config['openvpn']['openvpn-client'] as & $settings) { + if ($vpnid == $settings['vpnid']) { return true; + } + } + } return false; } @@ -159,8 +167,9 @@ function openvpn_vpnid_used($vpnid) { function openvpn_vpnid_next() { $vpnid = 1; - while(openvpn_vpnid_used($vpnid)) + while (openvpn_vpnid_used($vpnid)) { $vpnid++; + } return $vpnid; } 
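Review bot: The two loops in openvpn_vpnid_used iterate the server and client arrays with `as & $settings` although nothing in the loop body writes to `$settings`; the reference is unnecessary and, after a loop that runs to completion, leaves `$settings` aliased to the last config element, which is a well-known way to corrupt `$config` if the variable is later reused by value. Since the commit is already rewriting these lines it could drop the `&`: `foreach ($config['openvpn']['openvpn-server'] as $settings) {` and likewise for `openvpn-client`. The same read-only by-reference loops appear in openvpn_port_used on the next hunk line and, as far as the visible lines show, in openvpn_get_active_servers and openvpn_get_active_clients, while openvpn_get_settings at the end of the diff iterates by value, so the file is inconsistent either way.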
@@ -170,29 +179,35 @@ function openvpn_port_used($prot, $interface, $port, $curvpnid = 0) { if (is_array($config['openvpn']['openvpn-server'])) { foreach ($config['openvpn']['openvpn-server'] as & $settings) { - if (isset($settings['disable'])) + if (isset($settings['disable'])) { continue; + } - if ($curvpnid != 0 && $curvpnid == $settings['vpnid']) + if ($curvpnid != 0 && $curvpnid == $settings['vpnid']) { continue; + } if ($port == $settings['local_port'] && $prot == $settings['protocol'] && - ($interface == $settings['interface'] || $interface == "any" || $settings['interface'] == "any")) + ($interface == $settings['interface'] || $interface == "any" || $settings['interface'] == "any")) { return $settings['vpnid']; + } } } if (is_array($config['openvpn']['openvpn-client'])) { foreach ($config['openvpn']['openvpn-client'] as & $settings) { - if (isset($settings['disable'])) + if (isset($settings['disable'])) { continue; + } - if ($curvpnid != 0 && $curvpnid == $settings['vpnid']) + if ($curvpnid != 0 && $curvpnid == $settings['vpnid']) { continue; + } if ($port == $settings['local_port'] && $prot == $settings['protocol'] && - ($interface == $settings['interface'] || $interface == "any" || $settings['interface'] == "any")) + ($interface == $settings['interface'] || $interface == "any" || $settings['interface'] == "any")) { return $settings['vpnid']; + } } } @@ -202,10 +217,12 @@ function openvpn_port_used($prot, $interface, $port, $curvpnid = 0) { function openvpn_port_next($prot, $interface = "wan") { $port = 1194; - while(openvpn_port_used($prot, $interface, $port)) + while (openvpn_port_used($prot, $interface, $port)) { $port++; - while(openvpn_port_used($prot, "any", $port)) + } + while (openvpn_port_used($prot, "any", $port)) { $port++; + } return $port; } 
@@ -252,19 +269,25 @@ function openvpn_get_engines() { $linematch = array(); preg_match("/\((.*)\)\s(.*)/", $engine, $linematch); foreach ($details as $dt) { - if (strpos($dt, "unavailable") !== FALSE) + if (strpos($dt, "unavailable") !== FALSE) { $keep = false; - if (strpos($dt, "available") !== FALSE) + } + if (strpos($dt, "available") !== FALSE) { continue; - if (strpos($dt, "[") !== FALSE) + } + if (strpos($dt, "[") !== FALSE) { $ciphers = trim($dt, "[]"); + } } - if (!empty($ciphers)) + if (!empty($ciphers)) { $ciphers = " - " . $ciphers; - if (strlen($ciphers) > 60) + } + if (strlen($ciphers) > 60) { $ciphers = substr($ciphers, 0, 60) . " ... "; - if ($keep) + } + if ($keep) { $openssl_engines[$linematch[1]] = $linematch[2] . $ciphers; + } } return $openssl_engines; } 
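Review bot: In openvpn_get_engines the result of `preg_match("/\((.*)\)\s(.*)/", $engine, $linematch)` is never checked, so an engine line that does not match reaches `$openssl_engines[$linematch[1]] = $linematch[2] . $ciphers;` with an empty `$linematch`, producing undefined-index notices and an entry under an empty key. The brace rewrite could carry the guard along: `if ($keep && isset($linematch[1], $linematch[2])) {`. The outer loop this hunk sits in starts before the hunk, so whether `$ciphers` and `$keep` are reset for each engine is not visible here.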
@@ -276,49 +299,57 @@ function openvpn_validate_engine($engine) { function openvpn_validate_host($value, $name) { $value = trim($value); - if (empty($value) || (!is_domain($value) && !is_ipaddr($value))) + if (empty($value) || (!is_domain($value) && !is_ipaddr($value))) { return sprintf(gettext("The field '%s' must contain a valid IP address or domain name."), $name); + } return false; } function openvpn_validate_port($value, $name) { $value = trim($value); - if (empty($value) || !is_numeric($value) || $value < 0 || ($value > 65535)) + if (empty($value) || !is_numeric($value) || $value < 0 || ($value > 65535)) { return sprintf(gettext("The field '%s' must contain a valid port, ranging from 0 to 65535."), $name); + } return false; } function openvpn_validate_cidr($value, $name, $multiple = false, $ipproto = "ipv4") { $value = trim($value); $error = false; - if (empty($value)) + if (empty($value)) { return false; + } $networks = explode(',', $value); - if (!$multiple && (count($networks) > 1)) + if (!$multiple && (count($networks) > 1)) { return sprintf(gettext("The field '%s' must contain a single valid %s CIDR range."), $name, $ipproto); + } foreach ($networks as $network) { - if ($ipproto == "ipv4") + if ($ipproto == "ipv4") { $error = !openvpn_validate_cidr_ipv4($network); - else + } else { $error = !openvpn_validate_cidr_ipv6($network); - if ($error) + } + if ($error) { break; + } } - if ($error) + if ($error) { return sprintf(gettext("The field '%s' must contain only valid %s CIDR range(s) separated by commas."), $name, $ipproto); - else + } else { return false; + } } function openvpn_validate_cidr_ipv4($value) { $value = trim($value); if (!empty($value)) { list($ip, $mask) = explode('/', $value); - if (!is_ipaddrv4($ip) or !is_numeric($mask) or ($mask > 32) or ($mask < 0)) + if (!is_ipaddrv4($ip) or !is_numeric($mask) or ($mask > 32) or ($mask < 0)) { return false; + } } return true; } 
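Review bot: openvpn_validate_port rejects a port of `0` through `empty($value)` (which is true for the string "0") while the message it returns promises a range of 0 to 65535; the added braces preserve that mismatch. If 0 is meant to be legal the test should read `if ($value === '' || !is_numeric($value) || $value < 0 || $value > 65535) {`, otherwise the message should say 1. `is_numeric` also accepts exponent notation such as `1e3`, which OpenVPN would not read as a port number, so `ctype_digit($value)` is the tighter check for the same intent. In openvpn_validate_cidr_ipv4, `list($ip, $mask) = explode('/', $value)` leaves `$mask` undefined (with a notice) when the input has no `/`, whereas the IPv6 variant in the next hunk defaults a missing prefix to 128; the two validators should agree on that case.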
@@ -327,54 +358,70 @@ function openvpn_validate_cidr_ipv6($value) { $value = trim($value); if (!empty($value)) { list($ipv6, $prefix) = explode('/', $value); - if (empty($prefix)) + if (empty($prefix)) { $prefix = "128"; - if (!is_ipaddrv6($ipv6) or !is_numeric($prefix) or ($prefix > 128) or ($prefix < 0)) + } + if (!is_ipaddrv6($ipv6) or !is_numeric($prefix) or ($prefix > 128) or ($prefix < 0)) { return false; + } } return true; } function openvpn_add_dhcpopts(& $settings, & $conf) { - if (!empty($settings['dns_domain'])) + if (!empty($settings['dns_domain'])) { $conf .= "push \"dhcp-option DOMAIN {$settings['dns_domain']}\"\n"; + } - if (!empty($settings['dns_server1'])) + if (!empty($settings['dns_server1'])) { $conf .= "push \"dhcp-option DNS {$settings['dns_server1']}\"\n"; - if (!empty($settings['dns_server2'])) + } + if (!empty($settings['dns_server2'])) { $conf .= "push \"dhcp-option DNS {$settings['dns_server2']}\"\n"; - if (!empty($settings['dns_server3'])) + } + if (!empty($settings['dns_server3'])) { $conf .= "push \"dhcp-option DNS {$settings['dns_server3']}\"\n"; - if (!empty($settings['dns_server4'])) + } + if (!empty($settings['dns_server4'])) { $conf .= "push \"dhcp-option DNS {$settings['dns_server4']}\"\n"; + } - if (!empty($settings['push_register_dns'])) + if (!empty($settings['push_register_dns'])) { $conf .= "push \"register-dns\"\n"; + } - if (!empty($settings['ntp_server1'])) + if (!empty($settings['ntp_server1'])) { $conf .= "push \"dhcp-option NTP {$settings['ntp_server1']}\"\n"; - if (!empty($settings['ntp_server2'])) + } + if (!empty($settings['ntp_server2'])) { $conf .= "push \"dhcp-option NTP {$settings['ntp_server2']}\"\n"; + } if ($settings['netbios_enable']) { - if (!empty($settings['dhcp_nbttype']) && ($settings['dhcp_nbttype'] != 0)) + if (!empty($settings['dhcp_nbttype']) && ($settings['dhcp_nbttype'] != 0)) { $conf .= "push \"dhcp-option NBT {$settings['dhcp_nbttype']}\"\n"; - if (!empty($settings['dhcp_nbtscope'])) + } + if 
(!empty($settings['dhcp_nbtscope'])) { $conf .= "push \"dhcp-option NBS {$settings['dhcp_nbtscope']}\"\n"; + } - if (!empty($settings['wins_server1'])) + if (!empty($settings['wins_server1'])) { $conf .= "push \"dhcp-option WINS {$settings['wins_server1']}\"\n"; - if (!empty($settings['wins_server2'])) + } + if (!empty($settings['wins_server2'])) { $conf .= "push \"dhcp-option WINS {$settings['wins_server2']}\"\n"; + } - if (!empty($settings['nbdd_server1'])) + if (!empty($settings['nbdd_server1'])) { $conf .= "push \"dhcp-option NBDD {$settings['nbdd_server1']}\"\n"; + } } - if ($settings['gwredir']) + if ($settings['gwredir']) { $conf .= "push \"redirect-gateway def1\"\n"; + } } function openvpn_add_custom(& $settings, & $conf) { @@ -384,10 +431,12 @@ function openvpn_add_custom(& $settings, & $conf) { $options = explode(';', $settings['custom_options']); if (is_array($options)) { - foreach ($options as $option) + foreach ($options as $option) { $conf .= "$option\n"; - } else + } + } else { $conf .= "{$settings['custom_options']}\n"; + } } } @@ -407,10 +456,12 @@ function openvpn_add_keyfile(& $data, & $conf, $mode_id, $directive, $opt = "") function openvpn_reconfigure($mode, $settings) { global $g, $config; - if (empty($settings)) + if (empty($settings)) { return; - if (isset($settings['disable'])) + } + if (isset($settings['disable'])) { return; + } openvpn_create_dirs(); /* * NOTE: Deleting tap devices causes spontaneous reboots. Instead, 
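Review bot: In openvpn_add_dhcpopts every setting is interpolated verbatim inside a double-quoted `push "dhcp-option ..."` line, so a value containing `"` or a newline in, say, `dns_domain` or `dhcp_nbtscope` would close the quoted argument or start a new config directive; the hunk only adds braces around each `if`. Whether the web forms already validate these fields is not visible here, and this function is the natural last line of defense, for example refusing `dns_server*`/`wins_server*`/`nbdd_server1` values that fail `is_ipaddr()` and `dns_domain` values that fail `is_domain()`, both helpers already used by openvpn_validate_host in this diff. openvpn_add_dhcpopts is shown in full; the hunk begins inside openvpn_validate_cidr_ipv6 and ends at the opening line of openvpn_add_custom.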
@@ -421,24 +472,27 @@ function openvpn_reconfigure($mode, $settings) { $vpnid = $settings['vpnid']; $mode_id = $mode.$vpnid; - if (isset($settings['dev_mode'])) + if (isset($settings['dev_mode'])) { $tunname = "{$settings['dev_mode']}{$vpnid}"; - else { /* defaults to tun */ + } else { + /* defaults to tun */ $tunname = "tun{$vpnid}"; $settings['dev_mode'] = "tun"; } - if ($mode == "server") + if ($mode == "server") { $devname = "ovpns{$vpnid}"; - else + } else { $devname = "ovpnc{$vpnid}"; + } /* is our device already configured */ if (!does_interface_exist($devname)) { /* create the tap device if required */ - if (!file_exists("/dev/{$tunname}")) + if (!file_exists("/dev/{$tunname}")) { exec("/sbin/ifconfig " . escapeshellarg($tunname) . " create"); + } /* rename the device */ mwexec("/sbin/ifconfig " . escapeshellarg($tunname) . " name " . escapeshellarg($devname)); @@ -448,15 +502,17 @@ function openvpn_reconfigure($mode, $settings) { $ifname = convert_real_interface_to_friendly_interface_name($devname); $grouptmp = link_interface_to_group($ifname); - if (!empty($grouptmp)) + if (!empty($grouptmp)) { array_walk($grouptmp, 'interface_group_add_member'); + } unset($grouptmp, $ifname); } $pfile = $g['varrun_path'] . "/openvpn_{$mode_id}.pid"; $proto = strtolower($settings['protocol']); - if (substr($settings['protocol'], 0, 3) == "TCP") + if (substr($settings['protocol'], 0, 3) == "TCP") { $proto = "{$proto}-{$mode}"; + } $dev_mode = $settings['dev_mode']; $cipher = $settings['crypto']; // OpenVPN defaults to SHA1, so use it when unset to maintain compatibility. @@ -468,7 +524,7 @@ function openvpn_reconfigure($mode, $settings) { // If a specific ip address (VIP) is requested, use it. // Otherwise, if a specific interface is requested, use it - // If "any" interface was selected, local directive will be ommited. + // If "any" interface was selected, local directive will be omitted. if (is_ipaddrv4($ipaddr)) { $iface_ip=$ipaddr; } else { 
@@ -491,7 +547,7 @@ function openvpn_reconfigure($mode, $settings) { } $conf .= "dev-type {$settings['dev_mode']}\n"; - switch($settings['dev_mode']) { + switch ($settings['dev_mode']) { case "tun": if (!$settings['no_tun_ipv6']) { $conf .= "tun-ipv6\n"; @@ -514,7 +570,7 @@ function openvpn_reconfigure($mode, $settings) { $conf .= "up /usr/local/sbin/ovpn-linkup\n"; $conf .= "down /usr/local/sbin/ovpn-linkdown\n"; if (file_exists("/usr/local/sbin/openvpn.attributes.sh")) { - switch($settings['mode']) { + switch ($settings['mode']) { case 'server_user': case 'server_tls_user': $conf .= "client-connect /usr/local/sbin/openvpn.attributes.sh\n"; @@ -530,8 +586,9 @@ function openvpn_reconfigure($mode, $settings) { $conf .= "local {$iface_ipv6}\n"; } - if (openvpn_validate_engine($settings['engine']) && ($settings['engine'] != "none")) + if (openvpn_validate_engine($settings['engine']) && ($settings['engine'] != "none")) { $conf .= "engine {$settings['engine']}\n"; + } // server specific settings if ($mode == 'server') { @@ -541,7 +598,7 @@ function openvpn_reconfigure($mode, $settings) { $mask = gen_subnet_mask($cidr); // configure tls modes - switch($settings['mode']) { + switch ($settings['mode']) { case 'p2p_tls': case 'server_tls': case 'server_user': @@ -551,7 +608,7 @@ function openvpn_reconfigure($mode, $settings) { } // configure p2p/server modes - switch($settings['mode']) { + switch ($settings['mode']) { case 'p2p_tls': // If the CIDR is less than a /30, OpenVPN will complain if you try to // use the server directive. It works for a single client without it. 
@@ -559,23 +616,26 @@ function openvpn_reconfigure($mode, $settings) { if (!empty($ip) && !empty($mask) && ($cidr < 30)) { $conf .= "server {$ip} {$mask}\n"; $conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n"; - if(is_ipaddr($ipv6)) + if (is_ipaddr($ipv6)) { $conf .= "server-ipv6 {$ipv6}/{$prefix}\n"; + } } case 'p2p_shared_key': if (!empty($ip) && !empty($mask)) { list($ip1, $ip2) = openvpn_get_interface_ip($ip, $mask); - if ($settings['dev_mode'] == 'tun') + if ($settings['dev_mode'] == 'tun') { $conf .= "ifconfig {$ip1} {$ip2}\n"; - else + } else { $conf .= "ifconfig {$ip1} {$mask}\n"; + } } if (!empty($ipv6) && !empty($prefix)) { list($ipv6_1, $ipv6_2) = openvpn_get_interface_ipv6($ipv6, $prefix); - if ($settings['dev_mode'] == 'tun') + if ($settings['dev_mode'] == 'tun') { $conf .= "ifconfig-ipv6 {$ipv6_1} {$ipv6_2}\n"; - else + } else { $conf .= "ifconfig-ipv6 {$ipv6_1} {$prefix}\n"; + } } break; case 'server_tls': @@ -583,8 +643,9 @@ function openvpn_reconfigure($mode, $settings) { case 'server_tls_user': if (!empty($ip) && !empty($mask)) { $conf .= "server {$ip} {$mask}\n"; - if(is_ipaddr($ipv6)) + if (is_ipaddr($ipv6)) { $conf .= "server-ipv6 {$ipv6}/{$prefix}\n"; + } $conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n"; } else { if ($settings['serverbridge_dhcp']) { 
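Review bot: The `case 'p2p_tls':` block in the p2p/server switch ends without `break` and appears intended to fall into `case 'p2p_shared_key':` so that the `ifconfig` lines are emitted for both modes; now that every branch is braced it is worth marking that intent with a comment before the next label, e.g. `/* FALLTHROUGH: p2p_tls also needs the ifconfig lines below */`, so a later reader or lint does not "fix" it. The same undocumented fall-through occurs in the user-auth switch (`case 'server_user':` into `case 'server_tls_user':`) and in the client p2p switch (`case 'p2p_tls':` into `case 'shared_key':`) on the following hunk lines. openvpn_reconfigure starts and ends outside this hunk.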
@@ -606,27 +667,30 @@ function openvpn_reconfigure($mode, $settings) { } // configure user auth modes - switch($settings['mode']) { + switch ($settings['mode']) { case 'server_user': $conf .= "client-cert-not-required\n"; case 'server_tls_user': /* username-as-common-name is not compatible with server-bridge */ - if (stristr($conf, "server-bridge") === false) + if (stristr($conf, "server-bridge") === false) { $conf .= "username-as-common-name\n"; + } if (!empty($settings['authmode'])) { $strictusercn = "false"; - if ($settings['strictusercn']) + if ($settings['strictusercn']) { $strictusercn = "true"; + } $conf .= "auth-user-pass-verify \"/usr/local/sbin/ovpn_auth_verify user '{$settings['authmode']}' {$strictusercn} {$mode_id}\" via-env\n"; } break; } - if (!isset($settings['cert_depth']) && (strstr($settings['mode'], 'tls'))) + if (!isset($settings['cert_depth']) && (strstr($settings['mode'], 'tls'))) { $settings['cert_depth'] = 1; + } if (is_numeric($settings['cert_depth'])) { - if (($mode == 'client') && empty($settings['certref'])) + if (($mode == 'client') && empty($settings['certref'])) { $cert = ""; - else { + } else { $cert = lookup_cert($settings['certref']); /* XXX: Seems not used at all! */ $servercn = urlencode(cert_get_cn($cert['crt'])); @@ -642,8 +706,9 @@ function openvpn_reconfigure($mode, $settings) { $conf .= "management {$g['varetc_path']}/openvpn/{$mode_id}.sock unix\n"; //$conf .= "management 127.0.0.1 {$settings['local_port']}\n"; - if ($settings['maxclients']) + if ($settings['maxclients']) { $conf .= "max-clients {$settings['maxclients']}\n"; + } // Can we push routes if ($settings['local_network']) { 
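Review bot: The `auth-user-pass-verify` line embeds `$settings['authmode']` between hand-placed single quotes inside a command string that OpenVPN later executes, so a value containing `'` or `"` would terminate the quoted argument or the directive itself; the hunk re-braces the surrounding `if` but leaves that line as it was. If authmode can only be chosen from a fixed list of configured authentication servers in the UI the practical exposure is small, but that is not visible here, and building the argument with `escapeshellarg($settings['authmode'])` in place of the literal quotes would not depend on it. openvpn_reconfigure begins and ends outside this hunk.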
@@ -653,18 +718,20 @@ function openvpn_reconfigure($mode, $settings) { $conf .= openvpn_gen_routes($settings['local_networkv6'], "ipv6", true); } - switch($settings['mode']) { + switch ($settings['mode']) { case 'server_tls': case 'server_user': case 'server_tls_user': // Configure client dhcp options openvpn_add_dhcpopts($settings, $conf); - if ($settings['client2client']) + if ($settings['client2client']) { $conf .= "client-to-client\n"; + } break; } - if (isset($settings['duplicate_cn'])) + if (isset($settings['duplicate_cn'])) { $conf .= "duplicate-cn\n"; + } } // client specific settings @@ -672,7 +739,7 @@ function openvpn_reconfigure($mode, $settings) { if ($mode == 'client') { // configure p2p mode - switch($settings['mode']) { + switch ($settings['mode']) { case 'p2p_tls': $conf .= "tls-client\n"; case 'shared_key': @@ -683,12 +750,13 @@ function openvpn_reconfigure($mode, $settings) { // If there is no bind option at all (ip and/or port), add "nobind" directive // Otherwise, use the local port if defined, failing that, use lport 0 to // ensure a random source port. - if ((empty($iface_ip)) && (!$settings['local_port'])) + if ((empty($iface_ip)) && (!$settings['local_port'])) { $conf .= "nobind\n"; - elseif ($settings['local_port']) + } elseif ($settings['local_port']) { $conf .= "lport {$settings['local_port']}\n"; - else + } else { $conf .= "lport 0\n"; + } // Use unix socket to overcome the problem on any type of server $conf .= "management {$g['varetc_path']}/openvpn/{$mode_id}.sock unix\n"; 
@@ -696,26 +764,29 @@ function openvpn_reconfigure($mode, $settings) { // The remote server $conf .= "remote {$settings['server_addr']} {$settings['server_port']}\n"; - if (!empty($settings['use_shaper'])) + if (!empty($settings['use_shaper'])) { $conf .= "shaper {$settings['use_shaper']}\n"; + } if (!empty($settings['tunnel_network'])) { list($ip, $mask) = explode('/', $settings['tunnel_network']); $mask = gen_subnet_mask($mask); list($ip1, $ip2) = openvpn_get_interface_ip($ip, $mask); - if ($settings['dev_mode'] == 'tun') + if ($settings['dev_mode'] == 'tun') { $conf .= "ifconfig {$ip2} {$ip1}\n"; - else + } else { $conf .= "ifconfig {$ip2} {$mask}\n"; + } } if (!empty($settings['tunnel_networkv6'])) { list($ipv6, $prefix) = explode('/', $settings['tunnel_networkv6']); list($ipv6_1, $ipv6_2) = openvpn_get_interface_ipv6($ipv6, $prefix); - if ($settings['dev_mode'] == 'tun') + if ($settings['dev_mode'] == 'tun') { $conf .= "ifconfig-ipv6 {$ipv6_2} {$ipv6_1}\n"; - else + } else { $conf .= "ifconfig-ipv6 {$ipv6_2} {$prefix}\n"; + } } if ($settings['auth_user'] && $settings['auth_pass']) { @@ -748,7 +819,7 @@ function openvpn_reconfigure($mode, $settings) { } // Write the settings for the keys - switch($settings['mode']) { + switch ($settings['mode']) { case 'p2p_shared_key': openvpn_add_keyfile($settings['shared_key'], $conf, $mode_id, "secret"); break; 
@@ -764,33 +835,38 @@ function openvpn_reconfigure($mode, $settings) { openvpn_add_keyfile($cert['crt'], $conf, $mode_id, "cert"); openvpn_add_keyfile($cert['prv'], $conf, $mode_id, "key"); } - if ($mode == 'server') + if ($mode == 'server') { $conf .= "dh {$g['etc_path']}/dh-parameters.{$settings['dh_length']}\n"; + } if (!empty($settings['crlref'])) { $crl = lookup_crl($settings['crlref']); crl_update($crl); openvpn_add_keyfile($crl['text'], $conf, $mode_id, "crl-verify"); } if ($settings['tls']) { - if ($mode == "server") + if ($mode == "server") { $tlsopt = 0; - else + } else { $tlsopt = 1; + } openvpn_add_keyfile($settings['tls'], $conf, $mode_id, "tls-auth", $tlsopt); } break; } - if (!empty($settings['compression'])) + if (!empty($settings['compression'])) { $conf .= "comp-lzo {$settings['compression']}\n"; + } - if ($settings['passtos']) + if ($settings['passtos']) { $conf .= "passtos\n"; + } - if ($settings['resolve_retry']) + if ($settings['resolve_retry']) { $conf .= "resolv-retry infinite\n"; - else if ($mode == 'client') + } else if ($mode == 'clie} nt') { $conf .= "resolv-retry infinite\n"; + } if ($settings['dynamic_ip']) { $conf .= "persist-remote-ip\n"; @@ -850,7 +926,7 @@ function openvpn_restart($mode, $settings) { /* wait until the process exits, or timeout and kill it */ $i = 0; - while(posix_kill($pid, 0)) { + while (posix_kill($pid, 0)) { usleep(250000); if ($i > 10) { log_error("OpenVPN ID $mode_id PID $pid still running, killing."); 
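Review bot: The rewritten `resolv-retry` branch reads `} else if ($mode == 'clie} nt') {` as rendered here; if that is not an artifact of the page's line collapsing, the literal can never equal `'client'` and clients without `resolve_retry` set would silently lose the `resolv-retry infinite` line that the removed `else if ($mode == 'client')` did emit. Either way both branches append the identical directive, so the pair collapses to a single condition: `if ($settings['resolve_retry'] || ($mode == 'client')) {`. This spot also uses `else if` where the rest of the function uses `elseif` (see the `nobind`/`lport` chain on an earlier hunk line). openvpn_reconfigure starts and ends outside this hunk.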
@@ -861,19 +937,22 @@ function openvpn_restart($mode, $settings) { } } - if (isset($settings['disable'])) + if (isset($settings['disable'])) { return; + } /* Do not start a client if we are a CARP backup on this vip! */ - if (($mode == "client") && (strstr($settings['interface'], "_vip") && get_carp_interface_status($settings['interface']) != "MASTER")) + if (($mode == "client") && (strstr($settings['interface'], "_vip") && get_carp_interface_status($settings['interface']) != "MASTER")) { return; + } /* Check if client is bound to a gateway group */ $a_groups = return_gateway_groups_array(); if (is_array($a_groups[$settings['interface']])) { - /* the interface is a gateway group. If a vip is defined and its a CARP backup then do not start */ - if (($a_groups[$settings['interface']][0]['vip'] <> "") && (get_carp_interface_status($a_groups[$settings['interface']][0]['vip']) != "MASTER")) + /* the interface is a gateway group. If a vip is defined and its a CARP backup then do not start */ + if (($a_groups[$settings['interface']][0]['vip'] <> "") && (get_carp_interface_status($a_groups[$settings['interface']][0]['vip']) != "MASTER")) { return; + } } /* start the new process */ @@ -881,8 +960,9 @@ function openvpn_restart($mode, $settings) { openvpn_clear_route($mode, $settings); mwexec_bg("/usr/local/sbin/openvpn --config " . escapeshellarg($fpath)); - if (!platform_booting()) + if (!platform_booting()) { send_event("filter reload"); + } } function openvpn_delete($mode, & $settings) { 
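Review bot: The re-braced gateway-group check in openvpn_restart compares with `<>` (`$a_groups[$settings['interface']][0]['vip'] <> ""`) while the CARP check a few lines above uses `!=`; PHP treats the two operators identically, but a style pass is the right moment to settle on one. The same mix appears in openvpn_resync_all later in this diff (`$interface <> "" && $interface != $settings['interface']`). openvpn_restart begins before this hunk.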
@@ -891,16 +971,18 @@ function openvpn_delete($mode, & $settings) { $vpnid = $settings['vpnid']; $mode_id = $mode.$vpnid; - if (isset($settings['dev_mode'])) + if (isset($settings['dev_mode'])) { $tunname = "{$settings['dev_mode']}{$vpnid}"; - else { /* defaults to tun */ + } else { + /* defaults to tun */ $tunname = "tun{$vpnid}"; } - if ($mode == "server") + if ($mode == "server") { $devname = "ovpns{$vpnid}"; - else + } else { $devname = "ovpnc{$vpnid}"; + } /* kill the process if running */ $pfile = "{$g['varrun_path']}/openvpn_{$mode_id}.pid"; @@ -926,11 +1008,13 @@ function openvpn_delete($mode, & $settings) { function openvpn_cleanup_csc($common_name) { global $g, $config; - if (empty($common_name)) + if (empty($common_name)) { return; + } $fpath = "{$g['varetc_path']}/openvpn-csc/" . basename($common_name); - if (is_file($fpath)) + if (is_file($fpath)) { unlink_if_exists($fpath); + } return; } @@ -946,11 +1030,13 @@ function openvpn_resync_csc(& $settings) { openvpn_create_dirs(); $conf = ''; - if ($settings['block']) + if ($settings['block']) { $conf .= "disable\n"; + } - if ($settings['push_reset']) + if ($settings['push_reset']) { $conf .= "push-reset\n"; + } if (!empty($settings['tunnel_network'])) { list($ip, $mask) = explode('/', $settings['tunnel_network']); @@ -958,10 +1044,11 @@ function openvpn_resync_csc(& $settings) { $serverip = long2ip32($baselong + 1); $clientip = long2ip32($baselong + 2); /* Because this is being pushed, the order from the client's point of view. */ - if ($settings['dev_mode'] != 'tap') + if ($settings['dev_mode'] != 'tap') { $conf .= "ifconfig-push {$clientip} {$serverip}\n"; - else + } else { $conf .= "ifconfig-push {$clientip} {$mask}\n"; + } } if ($settings['local_network']) { @@ -982,8 +1069,9 @@ function openvpn_resync_csc(& $settings) { openvpn_add_dhcpopts($settings, $conf); - if ($settings['gwredir']) + if ($settings['gwredir']) { $conf .= "push \"redirect-gateway def1\"\n"; + } openvpn_add_custom($settings, $conf); 
@@ -1009,12 +1097,14 @@ function openvpn_resync($mode, $settings) { function openvpn_resync_all($interface = "") { global $g, $config; - if ($g['platform'] == 'jail') + if ($g['platform'] == 'jail') { return; + } openvpn_create_dirs(); - if (!is_array($config['openvpn'])) + if (!is_array($config['openvpn'])) { $config['openvpn'] = array(); + } /* if (!$config['openvpn']['dh-parameters']) { @@ -1032,30 +1122,35 @@ function openvpn_resync_all($interface = "") { file_put_contents($path_ovdh, $dh_parameters); } */ - if ($interface <> "") + if ($interface <> "") { log_error("Resyncing OpenVPN instances for interface " . convert_friendly_interface_to_friendly_descr($interface) . "."); - else + } else { log_error("Resyncing OpenVPN instances."); + } if (is_array($config['openvpn']['openvpn-server'])) { foreach ($config['openvpn']['openvpn-server'] as & $settings) { - if ($interface <> "" && $interface != $settings['interface']) + if ($interface <> "" && $interface != $settings['interface']) { continue; + } openvpn_resync('server', $settings); } } if (is_array($config['openvpn']['openvpn-client'])) { foreach ($config['openvpn']['openvpn-client'] as & $settings) { - if ($interface <> "" && $interface != $settings['interface']) + if ($interface <> "" && $interface != $settings['interface']) { continue; + } openvpn_resync('client', $settings); } } - if (is_array($config['openvpn']['openvpn-csc'])) - foreach ($config['openvpn']['openvpn-csc'] as & $settings) + if (is_array($config['openvpn']['openvpn-csc'])) { + foreach ($config['openvpn']['openvpn-csc'] as & $settings) { openvpn_resync_csc($settings); + } + } } @@ -1084,8 +1179,9 @@ function openvpn_resync_gwgroup($gwgroupname = "") { // Note: no need to resysnc Client Specific (csc) here, as changes to the OpenVPN real interface do not effect these. - } else + } else { log_error("openvpn_resync_gwgroup called with null gwgroup parameter."); + } } function openvpn_get_active_servers($type="multipoint") { 
@@ -1094,8 +1190,9 @@ function openvpn_get_active_servers($type="multipoint") { $servers = array(); if (is_array($config['openvpn']['openvpn-server'])) { foreach ($config['openvpn']['openvpn-server'] as & $settings) { - if (empty($settings) || isset($settings['disable'])) + if (empty($settings) || isset($settings['disable'])) { continue; + } $prot = $settings['protocol']; $port = $settings['local_port']; @@ -1103,21 +1200,22 @@ function openvpn_get_active_servers($type="multipoint") { $server = array(); $server['port'] = ($settings['local_port']) ? $settings['local_port'] : 1194; $server['mode'] = $settings['mode']; - if ($settings['description']) + if ($settings['description']) { $server['name'] = "{$settings['description']} {$prot}:{$port}"; - else + } else { $server['name'] = "Server {$prot}:{$port}"; + } $server['conns'] = array(); $server['vpnid'] = $settings['vpnid']; $server['mgmt'] = "server{$server['vpnid']}"; $socket = "unix://{$g['varetc_path']}/openvpn/{$server['mgmt']}.sock"; list($tn, $sm) = explode('/', $settings['tunnel_network']); - if ((($server['mode'] == "p2p_shared_key") || ($sm >= 30) ) && ($type == "p2p")) + if ((($server['mode'] == "p2p_shared_key") || ($sm >= 30)) && ($type == "p2p")) { $servers[] = openvpn_get_client_status($server, $socket); - elseif (($server['mode'] != "p2p_shared_key") && ($type == "multipoint") && ($sm < 30)) + } elseif (($server['mode'] != "p2p_shared_key") && ($type == "multipoint") && ($sm < 30)) { $servers[] = openvpn_get_server_status($server, $socket); - + } } } return $servers; 
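Review bot: `list($tn, $sm) = explode('/', $settings['tunnel_network']);` in openvpn_get_active_servers leaves `$sm` undefined (with a notice) when `tunnel_network` is empty or has no `/`, after which the server lands in the multipoint list only because `null < 30` happens to be true; `$tn` is never used. Making that case explicit, e.g. `$parts = explode('/', (string)$settings['tunnel_network']);` and `$sm = isset($parts[1]) ? $parts[1] : null;`, and then deciding deliberately how a server without a tunnel network is classified, would be clearer than relying on the null comparison. The hunk starts mid-function.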
@@ -1140,16 +1238,19 @@ function openvpn_get_server_status($server, $socket) { $line = fgets($fp, 1024); $info = stream_get_meta_data($fp); - if ($info['timed_out']) + if ($info['timed_out']) { break; + } /* parse header list line */ - if (strstr($line, "HEADER")) + if (strstr($line, "HEADER")) { continue; + } /* parse end of output line */ - if (strstr($line, "END") || strstr($line, "ERROR")) + if (strstr($line, "END") || strstr($line, "ERROR")) { break; + } /* parse client list line */ if (strstr($line, "CLIENT_LIST")) { @@ -1197,18 +1298,20 @@ function openvpn_get_active_clients() { if (is_array($config['openvpn']['openvpn-client'])) { foreach ($config['openvpn']['openvpn-client'] as & $settings) { - if (empty($settings) || isset($settings['disable'])) + if (empty($settings) || isset($settings['disable'])) { continue; + } $prot = $settings['protocol']; $port = ($settings['local_port']) ? ":{$settings['local_port']}" : ""; $client = array(); $client['port'] = $settings['local_port']; - if ($settings['description']) + if ($settings['description']) { $client['name'] = "{$settings['description']} {$prot}{$port}"; - else + } else { $client['name'] = "Client {$prot}{$port}"; + } $client['vpnid'] = $settings['vpnid']; $client['mgmt'] = "client{$client['vpnid']}"; @@ -1236,8 +1339,9 @@ function openvpn_get_client_status($client, $socket) { $line = fgets($fp, 1024); $info = stream_get_meta_data($fp); - if ($info['timed_out']) + if ($info['timed_out']) { break; + } /* Get the client state */ if (strstr($line,"CONNECTED")) { @@ -1266,8 +1370,9 @@ function openvpn_get_client_status($client, $socket) { $client['status'] .= "; " . $list[2]; } /* parse end of output line */ - if (strstr($line, "END") || strstr($line, "ERROR")) + if (strstr($line, "END") || strstr($line, "ERROR")) { break; + } } /* If up, get read/write stats */ 
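Review bot: `if (strstr($line,"CONNECTED")) {` in openvpn_get_client_status keeps a missing space after the comma that this style commit normalizes everywhere else (compare `strstr($line, "END")` two lines below it); the same slip is in `strstr($line,"TCP/UDP read bytes")` on the next hunk line. Both should become `strstr($line, "CONNECTED")` and `strstr($line, "TCP/UDP read bytes")`. These are context lines, so the fix is an additional change rather than a correction of what this hunk already touches.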
@@ -1279,8 +1384,9 @@ function openvpn_get_client_status($client, $socket) { $line = fgets($fp, 1024); $info = stream_get_meta_data($fp); - if ($info['timed_out']) + if ($info['timed_out']) { break; + } if (strstr($line,"TCP/UDP read bytes")) { $list = explode(",", $line); @@ -1293,8 +1399,9 @@ function openvpn_get_client_status($client, $socket) { } /* parse end of output line */ - if (strstr($line, "END")) + if (strstr($line, "END")) { break; + } } } @@ -1318,12 +1425,14 @@ function openvpn_refresh_crls() { if (is_array($config['openvpn']['openvpn-server'])) { foreach ($config['openvpn']['openvpn-server'] as $settings) { - if (empty($settings)) + if (empty($settings)) { continue; - if (isset($settings['disable'])) + } + if (isset($settings['disable'])) { continue; + } // Write the settings for the keys - switch($settings['mode']) { + switch ($settings['mode']) { case 'p2p_tls': case 'server_tls': case 'server_tls_user': @@ -1343,10 +1452,12 @@ function openvpn_refresh_crls() { function openvpn_create_dirs() { global $g; - if (!is_dir("{$g['varetc_path']}/openvpn")) + if (!is_dir("{$g['varetc_path']}/openvpn")) { safe_mkdir("{$g['varetc_path']}/openvpn", 0750); - if (!is_dir("{$g['varetc_path']}/openvpn-csc")) + } + if (!is_dir("{$g['varetc_path']}/openvpn-csc")) { safe_mkdir("{$g['varetc_path']}/openvpn-csc", 0750); + } } function openvpn_get_interface_ip($ip, $mask) { @@ -1367,20 +1478,22 @@ function openvpn_get_interface_ipv6($ipv6, $prefix) { } function openvpn_clear_route($mode, $settings) { - if (empty($settings['tunnel_network'])) + if (empty($settings['tunnel_network'])) { return; + } list($ip, $cidr) = explode('/', $settings['tunnel_network']); $mask = gen_subnet_mask($cidr); $clear_route = false; - switch($settings['mode']) { + switch ($settings['mode']) { case 'shared_key': $clear_route = true; break; case 'p2p_tls': case 'p2p_shared_key': - if ($cidr == 30) + if ($cidr == 30) { $clear_route = true; + } break; } 
@@ -1394,20 +1507,23 @@ function openvpn_clear_route($mode, $settings) { function openvpn_gen_routes($value, $ipproto = "ipv4", $push = false, $iroute = false) { $routes = ""; - if (empty($value)) + if (empty($value)) { return ""; + } $networks = explode(',', $value); foreach ($networks as $network) { - if ($ipproto == "ipv4") + if ($ipproto == "ipv4") { $route = openvpn_gen_route_ipv4($network, $iroute); - else + } else { $route = openvpn_gen_route_ipv6($network, $iroute); + } - if ($push) + if ($push) { $routes .= "push \"{$route}\"\n"; - else + } else { $routes .= "{$route}\n"; + } } return $routes; } @@ -1422,8 +1538,9 @@ function openvpn_gen_route_ipv4($network, $iroute = false) { function openvpn_gen_route_ipv6($network, $iroute = false) { $i = ($iroute) ? "i" : ""; list($ipv6, $prefix) = explode('/', trim($network)); - if (empty($prefix)) + if (empty($prefix)) { $prefix = "128"; + } return "{$i}route-ipv6 ${ipv6}/${prefix}"; } @@ -1432,21 +1549,25 @@ function openvpn_get_settings($mode, $vpnid) { if (is_array($config['openvpn']['openvpn-server'])) { foreach ($config['openvpn']['openvpn-server'] as $settings) { - if (isset($settings['disable'])) + if (isset($settings['disable'])) { continue; + } - if ($vpnid != 0 && $vpnid == $settings['vpnid']) + if ($vpnid != 0 && $vpnid == $settings['vpnid']) { return $settings; + } } } if (is_array($config['openvpn']['openvpn-client'])) { foreach ($config['openvpn']['openvpn-client'] as $settings) { - if (isset($settings['disable'])) + if (isset($settings['disable'])) { continue; + } - if ($vpnid != 0 && $vpnid == $settings['vpnid']) + if ($vpnid != 0 && $vpnid == $settings['vpnid']) { return $settings; + } } } |
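Review bot: `return "{$i}route-ipv6 ${ipv6}/${prefix}";` in openvpn_gen_route_ipv6 mixes the `${var}` interpolation form with the `{$var}` form used on the same line and throughout the file; a consistency pass such as this one should normalize it to `return "{$i}route-ipv6 {$ipv6}/{$prefix}";`. The result is identical for plain variable names, so this is purely a readability point. The function appears to be shown in full within its hunk.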