-rw-r--r-- | etc/inc/openvpn.inc | 126 | ||||
-rw-r--r-- | usr/local/pkg/openvpn.xml | 15 | ||||
-rw-r--r-- | usr/local/pkg/openvpn_cli.xml | 11 | ||||
-rw-r--r-- | usr/local/pkg/openvpn_csc.xml | 77 |
4 files changed, 222 insertions, 7 deletions
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index bd2446a..ffcda86 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -88,7 +88,6 @@ function openvpn_validate_input($mode, $post, $input_errors) {
 if ($result = openvpn_validate_cidr($post['local_network'], 'Local network')) $input_errors[] = $result;
-// DHCP-Options logic-check
 if (!empty($post['dhcp_dns'])) {
 $servers = explode(';', $post['dhcp_dns']);
 foreach ($servers as $server) if (!is_ipaddr($server))
@@ -109,6 +108,10 @@ function openvpn_validate_input($mode, $post, $input_errors) {
 foreach ($servers as $server) if (!is_ipaddr($server))
 {$input_errors[] = 'The field \'DHCP-Opt.: NTP-Server\' must contain a valid IP address and no whitespaces.'; break;}}
+ if (isset($post['maxclients']) && $post['maxclients'] != "") {
+ if (!is_numeric($post['maxclients']))
+ $input_errors[] = 'The field \'Maximum clients\' must be numeric.';
+ }
 }
@@ -163,8 +166,14 @@ function openvpn_validate_input($mode, $post, $input_errors) {
 }
 do_input_validation($post, $reqfields, $reqfieldsn, &$input_errors);
+ if ($post['protocol'] != 'UDP') {
+ if (!empty($post['tls']))
+ $input_errors[] = 'TLS-authentication can only be used with protocol UDP';
+ }
+ $value = trim($post['shared_key']);
 $items = array();
+ if ($_POST['auth_method'] == 'shared_key') {
 $items[] = array( 'field' => 'shared_key',
 'string' => 'OpenVPN Static key V1',
@@ -180,6 +189,9 @@ function openvpn_validate_input($mode, $post, $input_errors) {
 $items[] = array( 'field' => "{$mode}_key",
 'string' => 'RSA PRIVATE KEY',
 'name' => "$Mode key");
+ $items[] = array( 'field' => 'tls',
+ 'string' => 'OpenVPN Static key V1',
+ 'name' => 'TLS');
 if ($mode == 'server') {
 $items[] = array( 'field' => 'dh_params',
 'string' => 'DH PARAMETERS',
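Review bot: `is_numeric()` in the added maxclients check (hunk -109) accepts values such as `1.5`, `1e3` or a string with leading whitespace, and openvpn_reconfigure later writes the value verbatim into `max-clients {$settings['maxclients']}`, where OpenVPN expects a plain positive integer. Tighten the check to digits only, `if (!ctype_digit((string)$post['maxclients']) || (int)$post['maxclients'] < 1)`, and reword the message to `'The field \'Maximum clients\' must be a positive integer.'`. The `!= ""` comparison is loose; `!== ''` is the strict form. openvpn_validate_input starts and ends outside this hunk.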
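Review bot: The added `if ($_POST['auth_method'] == 'shared_key') {` (hunk -163) reads the superglobal directly while every other check in this function, including the new protocol/TLS check a few lines above, goes through the `$post` parameter; any caller that validates something other than the live request silently gets the wrong branch. Use `if ($post['auth_method'] == 'shared_key') {` for consistency. The closing brace of this new `if` is not in the hunk, so its extent cannot be checked here; the function continues outside the hunk.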
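Review bot: The `tls` entry is appended to `$items` unconditionally (hunk -180) although the matching XML field is described as optional; whether the loop that consumes `$items` (outside this hunk) tolerates an empty value cannot be seen here, and if it does not, every configuration without a tls-auth key will fail validation with a 'TLS' error. Guarding the append with `if (!empty($post['tls']))` makes the optional nature explicit regardless of what the loop does.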
@@ -201,8 +213,50 @@ function openvpn_validate_input($mode, $post, $input_errors) {
 function openvpn_validate_input_csc($post, $input_errors) {
 if ($result = openvpn_validate_cidr($post['ifconfig_push'], 'Interface IP')) $input_errors[] = $result;
-}
+ if ($post['push_reset'] != 'on') {
+ if (!empty($post['dhcp_domainname']))
+ $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options';
+ elseif (!empty($post['dhcp_dns']))
+ $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options';
+ elseif (!empty($post['dhcp_wins']))
+ $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options';
+ elseif (!empty($post['dhcp_nbdd']))
+ $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options';
+ elseif (!empty($post['dhcp_ntp']))
+ $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options';
+ elseif ($post['dhcp_nbttype'])
+ $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options';
+ elseif (!empty($post['dhcp_nbtscope']))
+ $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options';
+ elseif ($post['dhcp_nbtdisable'])
+ $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options';
+
+ }
+ else {
+
+ if (!empty($post['dhcp_dns'])) {
+ $servers = explode(';', $post['dhcp_dns']);
+ foreach ($servers as $server) if (!is_ipaddr($server))
+ {$input_errors[] = 'The field \'DHCP-Opt.: DNS-Server\' must contain a valid IP address and no whitespaces.';
+ break;}}
+ if (!empty($post['dhcp_wins'])) {
+ $servers = explode(';', $post['dhcp_wins']);
+ foreach ($servers as $server) if (!is_ipaddr($server))
+ {$input_errors[] = 'The field \'DHCP-Opt.: WINS-Server\' must contain a valid IP address and no whitespaces.';
+ break;}}
+ if (!empty($post['dhcp_nbdd'])) {
+ $servers = explode(';', $post['dhcp_nbdd']);
+ foreach ($servers as $server) if (!is_ipaddr($server))
+ {$input_errors[] = 'The field \'DHCP-Opt.: NBDD-Server\' must contain a valid IP address and no whitespaces.';
+ break;}}
+ if (!empty($post['dhcp_ntp'])) {
+ $servers = explode(';', $post['dhcp_ntp']);
+ foreach ($servers as $server) if (!is_ipaddr($server))
+ {$input_errors[] = 'The field \'DHCP-Opt.: NTP-Server\' must contain a valid IP address and no whitespaces.';
+ break;}}
+
+}}
 // Rewrite the settings
 function openvpn_reconfigure($mode, $id) {
@@ -227,6 +281,9 @@ function openvpn_reconfigure($mode, $id) {
 $keys[] = array('field' => 'dh_params', 'ext' => 'dh', 'directive' => 'dh');
 if ($settings['crl'])
 $keys[] = array('field' => 'crl', 'ext' => 'crl', 'directive' => 'crl-verify');
+ if ($settings['tls'])
+ $keys[] = array('field' => 'tls', 'ext' => 'tls', 'directive' => 'tls-auth');
+
 }
 foreach($keys as $key) {
 $filename = $base_file . $key['ext'];
@@ -334,7 +391,9 @@ EOD;
 if (!empty($settings['dhcp_nbtscope'])) $openvpn_conf .= "push \"dhcp-option NBS {$settings['dhcp_nbtscope']}\"\n";
 if ($settings['dhcp_nbtdisable']) $openvpn_conf .= "push \"dhcp-option DISABLE-NBT\"\n";
- }
+ if (!empty($settings['tls'])) $openvpn_conf .= "tls-auth {$g['varetc_path']}/openvpn_server{$id}.tls 0\n";
+ if (!empty($settings['maxclients'])) $openvpn_conf .= "max-clients {$settings['maxclients']}\n";
+ }
 else { // $mode == client
 // The remote server
@@ -362,6 +421,9 @@ EOD;
 /* ;http-proxy-retry # retry on connection failures */
 $openvpn_conf .= "http-proxy {$settings['proxy_hostname']} {$settings['proxy_port']}\n";
 }
+
+ if (!empty($settings['tls'])) $openvpn_conf .= "tls-auth {$g['varetc_path']}/openvpn_client{$id}.tls 1\n";
+
 }
 // Add the routes if they're set
@@ -373,7 +435,9 @@ EOD;
 // Write the settings for the keys
 foreach ($keys as $key)
+ if ($key['directive'] != 'tls-auth') {
 $openvpn_conf .= $key['directive'] . ' ' . $base_file . $key['ext'] . "\n";
+ }
 if ($settings['use_lzo']) $openvpn_conf .= "comp-lzo\n";
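Review bot: The added tls-auth lines build the key path by hand — `{$g['varetc_path']}/openvpn_server{$id}.tls 0` in hunk -334 and `openvpn_client{$id}.tls 1` in hunk -362 — while the `$keys` loop in hunk -373 is then special-cased to skip the `tls-auth` entry; the file is written from `$base_file . $key['ext']` (hunk -227 context), so if `$base_file` is not exactly `{$g['varetc_path']}/openvpn_{$mode}{$id}.` (not visible here) the config will reference a key that was never written. Keep one source of truth by storing the direction with the key, `$keys[] = array('field' => 'tls', 'ext' => 'tls', 'directive' => 'tls-auth', 'suffix' => ($mode == 'server') ? ' 0' : ' 1');`, and emitting `$openvpn_conf .= $key['directive'] . ' ' . $base_file . $key['ext'] . (isset($key['suffix']) ? $key['suffix'] : '') . "\n";` in the loop, which removes the `!= 'tls-auth'` exclusion. The brace-less `foreach` now wrapping an `if` block in hunk -373 is legal but easy to misread; braces on the `foreach` would help. openvpn_reconfigure starts and ends outside these hunks.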
@@ -412,6 +476,55 @@ function openvpn_resync_csc($id) {
 $baselong = ip2long($ip) & gen_subnet_mask_long($mask);
 $conf .= 'ifconfig-push ' . long2ip($baselong + 1) . ' ' . long2ip($baselong + 2) . "\n";
 }
+
+// DHCP-Options
+ if (!empty($settings['dhcp_domainname'])) $conf .= "push \"dhcp-option DOMAIN {$settings['dhcp_domainname']}\"\n";
+
+ if (!empty($settings['dhcp_dns'])) {
+ $servers = explode(';', $settings['dhcp_dns']);
+ if (is_array($servers)) {
+ foreach ($servers as $server) $conf .= "push \"dhcp-option DNS {$server}\"\n";
+ }
+ else {
+ $conf .= "push \"dhcp-option DNS {$settings['dhcp_dns']}\"\n";
+ }
+ }
+
+ if (!empty($settings['dhcp_wins'])) {
+ $servers = explode(';', $settings['dhcp_wins']);
+ if (is_array($servers)) {
+ foreach ($servers as $server) $conf .= "push \"dhcp-option WINS {$server}\"\n";
+ }
+ else {
+ $conf .= "push \"dhcp-option WINS {$settings['dhcp_wins']}\"\n";
+ }
+ }
+
+ if (!empty($settings['dhcp_nbdd'])) {
+ $servers = explode(';', $settings['dhcp_nbdd']);
+ if (is_array($servers)) {
+ foreach ($servers as $server) $conf .= "push \"dhcp-option NBDD {$server}\"\n";
+ }
+ else {
+ $conf .= "push \"dhcp-option NBDD {$settings['dhcp_nbdd']}\"\n";
+ }
+ }
+
+ if (!empty($settings['dhcp_ntp'])) {
+ $servers = explode(';', $settings['dhcp_ntp']);
+ if (is_array($servers)) {
+ foreach ($servers as $server) $conf .= "push \"dhcp-option NTP {$server}\"\n";
+ }
+ else {
+ $conf .= "push \"dhcp-option NTP {$settings['dhcp_ntp']}\"\n";
+ }
+ }
+
+ if (!empty($settings['dhcp_nbttype']) && $settings['dhcp_nbttype'] !=0) $conf .= "push \"dhcp-option NBT {$settings['dhcp_nbttype']}\"\n";
+ if (!empty($settings['dhcp_nbtscope'])) $conf .= "push \"dhcp-option NBS {$settings['dhcp_nbtscope']}\"\n";
+ if ($settings['dhcp_nbtdisable']) $conf .= "push \"dhcp-option DISABLE-NBT\"\n";
+
+ if (!empty($settings['custom_options'])) {
 $options = explode(';', $settings['custom_options']);
 if (is_array($options)) {
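Review bot: `dhcp_domainname` and `dhcp_nbtscope` are interpolated unescaped into a double-quoted `push "dhcp-option ..."` directive, and the new openvpn_validate_input_csc (previous hunk) validates only the four address lists, so a value containing `"` or a line break ends the quoted directive and turns the remainder into further lines of the generated client-specific config; add a hostname/scope check for both fields in the validator (e.g. a helper like pfSense's `is_domain()` if this tree has it, or at least rejecting whitespace and quotes) before writing them. Separately, `explode()` with a non-empty separator always returns an array, so every `is_array($servers)` else-branch here is dead code, and the four copies can collapse into one loop. The `!=0` on `dhcp_nbttype` is a loose comparison; `!== '0'` matches the select's string values. openvpn_resync_csc starts and ends outside this hunk.
```php
// DHCP-Options
    if (!empty($settings['dhcp_domainname'])) $conf .= "push \"dhcp-option DOMAIN {$settings['dhcp_domainname']}\"\n";

    // explode() always returns an array for a non-empty separator, so no is_array() fallback is needed
    $list_options = array('dhcp_dns' => 'DNS', 'dhcp_wins' => 'WINS', 'dhcp_nbdd' => 'NBDD', 'dhcp_ntp' => 'NTP');
    foreach ($list_options as $field => $option) {
        if (empty($settings[$field]))
            continue;
        foreach (explode(';', $settings[$field]) as $server)
            $conf .= "push \"dhcp-option {$option} {$server}\"\n";
    }
    // … unchanged: NBT / NBS / DISABLE-NBT pushes and the custom_options block …
```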
@@ -427,6 +540,7 @@ function openvpn_resync_csc($id) {
 file_put_contents($filename, $conf);
 chown($filename, 'nobody');
 chgrp($filename, 'nogroup');
+ }
@@ -488,7 +602,6 @@ function openvpn_resync_all() {
 }
-
 function openvpn_print_javascript($mode) {
 $javascript = <<<EOD
 <script language="JavaScript">
@@ -501,15 +614,18 @@ function onAuthMethodChanged() {
 document.iform.ca_cert.disabled = endis;
 document.iform.{$mode}_cert.disabled = endis;
 document.iform.{$mode}_key.disabled = endis;
+ document.iform.tls.disabled = endis;
 EOD;
 if ($mode == 'server') {
 $javascript .= <<<EOD
 document.iform.dh_params.disabled = endis;
 document.iform.crl.disabled = endis;
+ document.iform.tls.disabled = endis;
 document.iform.nopool.disabled = endis;
 document.iform.local_network.disabled = endis;
 document.iform.client2client.disabled = endis;
+ document.iform.maxclients.disabled = endis;
 EOD;
 }
@@ -539,4 +655,4 @@ function openvpn_print_javascript2() {
 EOD;
 print($javascript);
 }
-?>
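Review bot: `document.iform.tls.disabled = endis;` is added twice in hunk -501 — once in the heredoc shared by both modes and again inside the `if ($mode == 'server')` heredoc — so server pages emit the statement twice; drop the second `+ document.iform.tls.disabled = endis;`. The `+ }` added in hunk -427 after `chgrp(...)` appears to close the `if (!empty($settings['custom_options'])) {` opened in the preceding hunk; a trailing `// end custom_options` comment on that brace would make the pairing visible, since the two ends are a hundred lines apart. onAuthMethodChanged and openvpn_resync_csc both extend beyond these hunks.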
\ No newline at end of file
+?>
diff --git a/usr/local/pkg/openvpn.xml b/usr/local/pkg/openvpn.xml
index 23bfad0..ab90599 100644
--- a/usr/local/pkg/openvpn.xml
+++ b/usr/local/pkg/openvpn.xml
@@ -193,6 +193,15 @@
 <cols>40</cols>
 </field>
 <field>
+ <fieldname>tls</fieldname>
+ <fielddescr>TLS</fielddescr>
+ <description>Paste your HMAC signature (TLS) here (optional).</description>
+ <type>textarea</type>
+ <encoding>base64</encoding>
+ <rows>8</rows>
+ <cols>40</cols>
+ </field>
+ <field>
 <fieldname>dhcp_domainname</fieldname>
 <fielddescr>DHCP-Opt.: DNS-Domainname</fielddescr>
 <description>Set connection-specific DNS Suffix.</description>
@@ -270,6 +279,12 @@
 <type>checkbox</type>
 </field>
 <field>
+ <fieldname>maxclients</fieldname>
+ <fielddescr>Maximum clients</fielddescr>
+ <description>The maximum number of concurrently connected clients we want to allow.</description>
+ <type>input</type>
+ </field>
+ <field>
 <fieldname>custom_options</fieldname>
 <fielddescr>Custom options</fielddescr>
 <description>You can put your own custom options here, separated by semi-colons (;). They'll be added to the server configuration.</description>
diff --git a/usr/local/pkg/openvpn_cli.xml b/usr/local/pkg/openvpn_cli.xml
index e05bacf..d199a77 100644
--- a/usr/local/pkg/openvpn_cli.xml
+++ b/usr/local/pkg/openvpn_cli.xml
@@ -169,6 +169,15 @@
 <cols>40</cols>
 </field>
 <field>
+ <fieldname>tls</fieldname>
+ <fielddescr>TLS</fielddescr>
+ <description>Paste your HMAC signature (TLS) here (optional).</description>
+ <type>textarea</type>
+ <encoding>base64</encoding>
+ <rows>8</rows>
+ <cols>40</cols>
+ </field>
+ <field>
 <fieldname>use_lzo</fieldname>
 <fielddescr>LZO compression</fielddescr>
 <description>Checking this will compress the packets using the LZO algorithm before sending them.</description>
@@ -216,4 +225,4 @@
 <custom_php_resync_config_command>
 openvpn_resync('client', $id);
 </custom_php_resync_config_command>
-</packagegui>
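Review bot: The description of the new `tls` field, "Paste your HMAC signature (TLS) here (optional).", does not describe what the validator accepts: openvpn.inc checks the pasted text for the `OpenVPN Static key V1` header, i.e. the tls-auth static key file, not a signature, and rejects it unless the protocol is UDP. A description such as `Paste the tls-auth static key (the file beginning with "-----BEGIN OpenVPN Static key V1-----") here to enable HMAC packet authentication (optional, UDP only).` tells the administrator what to paste and why validation may fail; the same text applies to the identical field in the openvpn_cli.xml hunk -169. The `maxclients` description in hunk -270 should likewise state that a positive integer is expected, matching the validation.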
\ No newline at end of file
+</packagegui>
diff --git a/usr/local/pkg/openvpn_csc.xml b/usr/local/pkg/openvpn_csc.xml
index 93e0fb8..c962b50 100644
--- a/usr/local/pkg/openvpn_csc.xml
+++ b/usr/local/pkg/openvpn_csc.xml
@@ -67,11 +67,86 @@
 <description>Set this option to push an IP to the client's interface. Expressed as a CIDR range (e.g. 10.5.0.0/16). The first IP in the range will be used as the remote IP of the interface, and the second IP will be used as the local IP of the interface.</description>
 <type>input</type>
 </field>
+
+ <field>
+ <fieldname>dhcp_domainname</fieldname>
+ <fielddescr>DHCP-Opt.: DNS-Domainname</fielddescr>
+ <description>Set connection-specific DNS Suffix.</description>
+ <type>input</type>
+ </field>
+ <field>
+ <fieldname>dhcp_dns</fieldname>
+ <fielddescr>DHCP-Opt.: DNS-Server</fielddescr>
+ <description>Set domain name server addressses, separated by semi-colons (;).</description>
+ <type>input</type>
+ </field>
+ <field>
+ <fieldname>dhcp_wins</fieldname>
+ <fielddescr>DHCP-Opt.: WINS-Server</fielddescr>
+ <description>Set WINS server addressses (NetBIOS over TCP/IP Name Server), separated by semi-colons (;).</description>
+ <type>input</type>
+ </field>
+ <field>
+ <fieldname>dhcp_nbdd</fieldname>
+ <fielddescr>DHCP-Opt.: NBDD-Server</fielddescr>
+ <description>Set NBDD server addresses (NetBIOS over TCP/IP Datagram Distribution Server), separated by semi-colons (;).</description>
+ <type>input</type>
+ </field>
+ <field>
+ <fieldname>dhcp_ntp</fieldname>
+ <fielddescr>DHCP-Opt.: NTP-Server</fielddescr>
+ <description>Set NTP server addresses (Network Time Protocol), separated by semi-colons (;).</description>
+ <type>input</type>
+ </field>
+ <field>
+ <fieldname>dhcp_nbttype</fieldname>
+ <fielddescr>DHCP-Opt.: NetBIOS node type</fielddescr>
+ <description>Set NetBIOS over TCP/IP Node type. 
Possible options: b-node (broadcasts), p-node (point-to-point name queries to a WINS server), m-node (broadcast then query name server), and h-node (query name server, then broadcast).</description>
+ <type>select</type>
+ <options>
+ <option>
+ <value>0</value>
+ <name>none</name>
+ </option>
+ <option>
+ <value>1</value>
+ <name>b-node</name>
+ </option>
+ <option>
+ <value>2</value>
+ <name>p-node</name>
+ </option>
+ <option>
+ <value>4</value>
+ <name>m-node</name>
+ </option>
+ <option>
+ <value>8</value>
+ <name>h-node</name>
+ </option>
+ </options>
+ <default_value>0</default_value>
+ </field>
+ <field>
+ <fieldname>dhcp_nbtscope</fieldname>
+ <fielddescr>DHCP-Opt.: NetBIOS Scope</fielddescr>
+ <description>Set NetBIOS over TCP/IP Scope. A NetBIOS Scope ID provides an extended naming service for NetBIOS over TCP/IP. The NetBIOS scope ID isolates NetBIOS traffic on a single network to only those nodes with the same NetBIOS scope ID.</description>
+ <type>input</type>
+ </field>
+ <field>
+ <fieldname>dhcp_nbtdisable</fieldname>
+ <fielddescr>DHCP-Opt.: Disable NetBIOS</fielddescr>
+ <description>If this option is set, Netbios-over-TCP/IP will be disabled.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
 <fieldname>custom_options</fieldname>
 <fielddescr>Custom options</fielddescr>
 <description>You can put your own custom options here, separated by semi-colons (;). They'll be added to the client-specific configuration.</description>
- <type>input</type>
+ <type>textarea</type>
+ <cols>65</cols>
+ <rows>5</rows>
 </field>
 <field>
 <fieldname>description</fieldname> |
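Review bot: The new `dhcp_dns` and `dhcp_wins` descriptions in this hunk (which starts on the previous physical line) both misspell "addresses" as `addressses`, while the `dhcp_nbdd` and `dhcp_ntp` descriptions spell it correctly; fix the two to `Set domain name server addresses, separated by semi-colons (;).` and `Set WINS server addresses (NetBIOS over TCP/IP Name Server), separated by semi-colons (;).`. The `dhcp_domainname` and `dhcp_nbtscope` descriptions could also say that only a plain hostname / scope ID is accepted, since those values are written unquoted into the per-client config and (unlike the address lists) are not validated in openvpn.inc.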