-rw-r--r--etc/inc/config.inc227
-rw-r--r--etc/inc/filter.inc79
-rw-r--r--etc/inc/globals.inc2
-rw-r--r--etc/inc/ipsec.inc23
-rw-r--r--etc/inc/openvpn.inc914
-rw-r--r--etc/inc/xmlparse.inc3
-rw-r--r--usr/local/pkg/openvpn.xml305
-rw-r--r--usr/local/pkg/openvpn_cli.xml251
-rw-r--r--usr/local/pkg/openvpn_csc.xml177
-rwxr-xr-xusr/local/www/fbegin.inc3
-rwxr-xr-xusr/local/www/firewall_rules.php7
-rwxr-xr-xusr/local/www/firewall_rules_edit.php8
-rwxr-xr-xusr/local/www/guiconfig.inc9
-rw-r--r--usr/local/www/system_authservers.php4
-rw-r--r--usr/local/www/system_camanager.php4
-rw-r--r--usr/local/www/system_certmanager.php4
-rw-r--r--usr/local/www/system_groupmanager.php17
-rw-r--r--usr/local/www/system_usermanager.php4
-rw-r--r--usr/local/www/system_usermanager_addcert.php4
-rwxr-xr-xusr/local/www/system_usermanager_settings.php4
-rw-r--r--usr/local/www/vpn_ipsec_phase1.php13
-rwxr-xr-xusr/local/www/vpn_openvpn.php363
-rwxr-xr-xusr/local/www/vpn_openvpn_ccd.php211
-rwxr-xr-xusr/local/www/vpn_openvpn_ccd_edit.php420
-rw-r--r--usr/local/www/vpn_openvpn_certs.php123
-rw-r--r--usr/local/www/vpn_openvpn_certs_create.php320
-rw-r--r--usr/local/www/vpn_openvpn_certs_existing.php201
-rwxr-xr-xusr/local/www/vpn_openvpn_cli.php179
-rwxr-xr-xusr/local/www/vpn_openvpn_cli_edit.php732
-rw-r--r--usr/local/www/vpn_openvpn_client.php615
-rwxr-xr-xusr/local/www/vpn_openvpn_create_certs.php358
-rwxr-xr-xusr/local/www/vpn_openvpn_crl.php170
-rwxr-xr-xusr/local/www/vpn_openvpn_crl_edit.php247
-rw-r--r--usr/local/www/vpn_openvpn_csc.php730
-rw-r--r--usr/local/www/vpn_openvpn_server.php998
-rwxr-xr-xusr/local/www/vpn_openvpn_srv.php198
-rwxr-xr-xusr/local/www/vpn_openvpn_srv_edit.php1213
37 files changed, 2928 insertions, 6212 deletions
diff --git a/etc/inc/config.inc b/etc/inc/config.inc
index d49fa01..006af13 100644
--- a/etc/inc/config.inc
+++ b/etc/inc/config.inc
@@ -1178,6 +1178,8 @@ function convert_config() {
$config['version'] = "4.3";
}
+if(0):
+
/* Convert 4.3 -> 4.4 */
if ($config['version'] <= 4.3) {
if (isset($config['installedpackages']['openvpnserver']['config'])) {
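Review bot: The `if(0):` inserted here (closed by `endif;` in the next hunk) disables the whole 4.3→4.4 OpenVPN package converter without saying why, so a reader has to work out from the 5.1→5.2 hunk further down that the package layout is now migrated there instead. Either delete the dead block or replace the bare guard with a comment such as `/* 4.3 -> 4.4 openvpn package conversion disabled: installedpackages data is migrated by the 5.1 -> 5.2 step below */`. As written, a 4.3 config no longer has its version set to "4.4" and relies on the `<= 4.4` test of the following step to move forward, which works but is worth stating. convert_config() starts before this hunk.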
@@ -1224,14 +1226,16 @@ function convert_config() {
$config['version'] = "4.4";
}
- /* Convert 4.4 -> 4.5 */
- if ($config['version'] <= 4.4) {
- if (is_array($config['vlans']['vlan']) && count($config['vlans']['vlan'])) {
- foreach ($config['vlans']['vlan'] as $id => $vlan)
- $config['vlans']['vlan'][$id]['vlanif'] = "vlan{$id}";
- }
- $config['version'] = "4.5";
- }
+endif;
+
+ /* Convert 4.4 -> 4.5 */
+ if ($config['version'] <= 4.4) {
+ if (is_array($config['vlans']['vlan']) && count($config['vlans']['vlan'])) {
+ foreach ($config['vlans']['vlan'] as $id => $vlan)
+ $config['vlans']['vlan'][$id]['vlanif'] = "vlan{$id}";
+ }
+ $config['version'] = "4.5";
+ }
/* Upgrade load balancer from slb to relayd */
/* Convert 4.5 -> 4.6 */
@@ -1652,18 +1656,18 @@ function convert_config() {
$config['version'] = "5.0";
}
- /* Convert 5.0 -> 5.1 */
- if ($config['version'] <= 5.1) {
+ /* Convert 5.0 -> 5.1 */
+ if ($config['version'] <= 5.1) {
$pconfig = array();
$pconfig['desc'] = "Set to 0 to disable filtering on the incoming and outgoing member interfaces.";
$pconfig['tunable'] = "net.link.bridge.pfil_member";
$pconfig['value'] = "1";
$config['sysctl']['item'][] = $pconfig;
$pconfig = array();
- $pconfig['desc'] = "Set to 1 to enable filtering on the bridge interface";
- $pconfig['tunable'] = "net.link.bridge.pfil_bridge";
- $pconfig['value'] = "0";
- $config['sysctl']['item'][] = $pconfig;
+ $pconfig['desc'] = "Set to 1 to enable filtering on the bridge interface";
+ $pconfig['tunable'] = "net.link.bridge.pfil_bridge";
+ $pconfig['value'] = "0";
+ $config['sysctl']['item'][] = $pconfig;
unset($config['bridge']);
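Review bot: `if ($config['version'] <= 5.1)` guarding the "Convert 5.0 -> 5.1" step re-applies that conversion to a configuration that is already at 5.1: with `latest_config` raised to 5.2 in this commit such a config presumably enters convert_config() again, gets both `net.link.bridge` sysctl items appended a second time and runs `unset($config['bridge'])` once more. Every other step compares against its source version (`<= 4.4` for 4.4→4.5, `<= 5.1` for the new 5.1→5.2 block), so this line should read `if ($config['version'] <= 5.0) {`. The remaining lines of this hunk only change indentation.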
@@ -1693,6 +1697,201 @@ function convert_config() {
$config['version'] = "5.1";
}
+ /* Convert 5.1 -> 5.2 */
+ if ($config['version'] <= 5.1) {
+
+ $config['openvpn'] = array();
+ if (!is_array($config['system']['ca']))
+ $config['system']['ca'] = array();
+ if (!is_array($config['system']['cert']))
+ $config['system']['cert'] = array();
+
+ $vpnid = 1;
+
+ /* openvpn server configurations */
+ if (is_array($config['installedpackages']['openvpnserver']['config'])) {
+ $config['openvpn']['openvpn-server'] = array();
+
+ $index = 1;
+ foreach($config['installedpackages']['openvpnserver']['config'] as $server) {
+
+ if ($server['auth_method'] == "pki") {
+
+ /* create ca entry */
+ $ca = array();
+ $ca['refid'] = uniqid();
+ $ca['name'] = "OpenVPN Server CA #{$index}";
+ $ca['crt'] = $server['ca_cert'];
+ $ca['crl'] = $server['crl'];
+ $config['system']['ca'][] = $ca;
+
+ /* create ca reference */
+ unset($server['ca_cert']);
+ unset($server['crl']);
+ $server['caref'] = $ca['refid'];
+
+ /* create cert entry */
+ $cert = array();
+ $cert['refid'] = uniqid();
+ $cert['name'] = "OpenVPN Server Certificate #{$index}";
+ $cert['crt'] = $server['server_cert'];
+ $cert['prv'] = $server['server_key'];
+ $config['system']['cert'][] = $cert;
+
+ /* create cert reference */
+ unset($server['server_cert']);
+ unset($server['server_key']);
+ $server['certref'] = $cert['refid'];
+
+ $index++;
+ }
+
+ /* modify configuration values */
+ if (!$server['interface'])
+ $server['interface'] = 'wan';
+ $server['tunnel_network'] = $server['addresspool'];
+ unset($server['addresspool']);
+ $server['compress'] = $server['use_lzo'];
+ unset($server['use_lzo']);
+ if ($server['nopool'])
+ $server['pool_enable'] = false;
+ else
+ $server['pool_enable'] = "yes";
+ unset($server['nopool']);
+ $server['dns_domain'] = $server['dhcp_domainname'];
+ unset($server['dhcp_domainname']);
+ $server['dns_server1'] = $server['dhcp_dns'];
+ unset($server['dhcp_dns']);
+ $server['ntp_server1'] = $server['dhcp_ntp'];
+ unset($server['dhcp_ntp']);
+ if ($server['dhcp_nbtdisable'])
+ $server['netbios_enable'] = false;
+ else
+ $server['netbios_enable'] = "yes";
+ unset($server['dhcp_nbtdisable']);
+ $server['netbios_ntype'] = $server['dhcp_nbttype'];
+ unset($server['dhcp_nbttype']);
+ $server['netbios_scope'] = $server['dhcp_nbtscope'];
+ unset($server['dhcp_nbtscope']);
+ $server['nbdd_server1'] = $server['dhcp_nbdd'];
+ unset($server['dhcp_nbdd']);
+ $server['wins_server1'] = $server['dhcp_wins'];
+ unset($server['dhcp_wins']);
+
+ /* allocate vpnid */
+ $server['vpnid'] = $vpnid++;
+
+ $config['openvpn']['openvpn-server'][] = $server;
+ }
+ unset($config['installedpackages']['openvpnserver']);
+ }
+
+ /* openvpn client configurations */
+ if (is_array($config['installedpackages']['openvpnclient']['config'])) {
+ $config['openvpn']['openvpn-client'] = array();
+
+ $index = 1;
+ foreach($config['installedpackages']['openvpnclient']['config'] as $client) {
+
+ if ($client['auth_method'] == "pki") {
+
+ /* create ca entry */
+ $ca = array();
+ $ca['refid'] = uniqid();
+ $ca['name'] = "OpenVPN Client CA #{$index}";
+ $ca['crt'] = $client['ca_cert'];
+ $ca['crl'] = $client['crl'];
+ $config['system']['ca'][] = $ca;
+
+ /* create ca reference */
+ unset($client['ca_cert']);
+ unset($client['crl']);
+ $client['caref'] = $ca['refid'];
+
+ /* create cert entry */
+ $cert = array();
+ $cert['refid'] = uniqid();
+ $cert['name'] = "OpenVPN Client Certificate #{$index}";
+ $cert['crt'] = $client['client_cert'];
+ $cert['prv'] = $client['client_key'];
+ $config['system']['cert'][] = $cert;
+
+ /* create cert reference */
+ unset($client['client_cert']);
+ unset($client['client_key']);
+ $client['certref'] = $cert['refid'];
+
+ $index++;
+ }
+
+ /* modify configuration values */
+ if (!$client['interface'])
+ $client['interface'] = 'wan';
+ $client['tunnel_network'] = $client['interface_ip'];
+ unset($client['interface_ip']);
+ $client['server_addr'] = $client['serveraddr'];
+ unset($client['serveraddr']);
+ $client['server_port'] = $client['serverport'];
+ unset($client['serverport']);
+ $client['proxy_addr'] = $client['poxy_hostname'];
+ unset($client['proxy_addr']);
+ $client['compress'] = $client['use_lzo'];
+ unset($client['use_lzo']);
+ $client['resolve_retry'] = $client['infiniteresolvretry'];
+ unset($client['infiniteresolvretry']);
+
+ /* allocate vpnid */
+ $client['vpnid'] = $vpnid++;
+
+ $config['openvpn']['openvpn-client'][] = $client;
+ }
+
+ unset($config['installedpackages']['openvpnclient']);
+ }
+
+ /* openvpn client specific configurations */
+ if (is_array($config['installedpackages']['openvpncsc']['config'])) {
+ $config['openvpn']['openvpn-csc'] = array();
+
+ foreach($config['installedpackages']['openvpncsc']['config'] as $csc) {
+
+ /* modify configuration values */
+ $csc['common_name'] = $csc['commonname'];
+ unset($csc['commonname']);
+ $csc['tunnel_network'] = $csc['ifconfig_push'];
+ unset($csc['ifconfig_push']);
+ $csc['dns_domain'] = $csc['dhcp_domainname'];
+ unset($csc['dhcp_domainname']);
+ $csc['dns_server1'] = $csc['dhcp_dns'];
+ unset($csc['dhcp_dns']);
+ $csc['ntp_server1'] = $csc['dhcp_ntp'];
+ unset($csc['dhcp_ntp']);
+ if ($csc['dhcp_nbtdisable'])
+ $csc['netbios_enable'] = false;
+ else
+ $csc['netbios_enable'] = "yes";
+ unset($csc['dhcp_nbtdisable']);
+ $csc['netbios_ntype'] = $csc['dhcp_nbttype'];
+ unset($csc['dhcp_nbttype']);
+ $csc['netbios_scope'] = $csc['dhcp_nbtscope'];
+ unset($csc['dhcp_nbtscope']);
+ $csc['nbdd_server1'] = $csc['dhcp_nbdd'];
+ unset($csc['dhcp_nbdd']);
+ $csc['wins_server1'] = $csc['dhcp_wins'];
+ unset($csc['dhcp_wins']);
+
+ $config['openvpn']['openvpn-csc'][] = $csc;
+ }
+
+ unset($config['installedpackages']['openvpncsc']);
+ }
+
+ $config['installedpackages'] = array();
+ $config['installedpackages']['carp'] = array();
+
+ $config['version'] = "5.2";
+ }
+
$now = date("H:i:s");
log_error("Ended Configuration upgrade at $now");
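Review bot: `$client['proxy_addr'] = $client['poxy_hostname'];` reads a key that never existed (the old package field is `proxy_hostname`, as the validation code removed from openvpn.inc in this same commit shows) and the following `unset($client['proxy_addr']);` deletes the key just written, so the proxy host is always lost by the migration; the pair should be `$client['proxy_addr'] = $client['proxy_hostname'];` followed by `unset($client['proxy_hostname']);`. Separately, `$config['installedpackages'] = array();` near the end of the block discards the settings of every installed package, not only the three OpenVPN sections already removed with `unset()` above; if that is intended it deserves a comment, otherwise keep the existing array and only re-create the `carp` key. The `$server`/`$client`/`$csc` loops also leave every unconverted field (e.g. `auth_method`, `crypto`) in place, which is fine but should be documented as the contract of the new `openvpn` section.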
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index f251159..27cbe7f 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -357,12 +357,11 @@ function get_vpns_list() {
}
/* openvpn */
foreach (array('client', 'server') as $type) {
- $conf =& $config['installedpackages']["openvpn$type"]['config'];
- if (!is_array($conf)) continue;
- foreach ($conf as $tunnel) {
- if(is_subnet($tunnel['remote-subnet'])) {
+ foreach ($config['openvpn']["openvpn-$type"] as & $settings) {
+ if (!is_array($settings))
+ continue;
+ if(is_subnet($settings['remote-subnet']))
$vpns_arr[] = $tunnel['remote_network'];
- }
}
}
/* pppoe */
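Review bot: `$vpns_arr[] = $tunnel['remote_network'];` still references the loop variable of the removed `foreach`, while the new loop binds `$settings`, so the condition is evaluated on one record and an undefined `$tunnel` (null) is appended; change it to `$vpns_arr[] = $settings['remote_network'];`. The test `is_subnet($settings['remote-subnet'])` also checks a key spelled differently from the one appended (`remote_network`), and the converter in config.inc never writes `remote-subnet`, so this looks like a second key mismatch carried over from the old code — worth confirming. Iterating `$config['openvpn']["openvpn-$type"]` by reference creates that key when it is missing and leaves `$settings` aliased into `$config` after the loop; a plain `foreach` wrapped in `if (is_array(...))` avoids both. get_vpns_list() starts before this hunk.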
@@ -371,9 +370,8 @@ function get_vpns_list() {
$vpns_arr[] = $config['pppoe']['remoteip'] ."/". $config['pppoe']['pppoe_subnet'];
}
}
- if(!empty($vpns_arr)) {
+ if(!empty($vpns_arr))
$vpns = implode(" ", $vpns_arr);
- }
return $vpns;
}
@@ -474,22 +472,19 @@ function generate_optcfg_array()
}
/* add openvpn interfaces */
- if ($config['installedpackages']["openvpnserver"] ||
- $config['installedpackages']["openvpnclient"]) {
- $ovpn_count = 0;
- if (is_array($config['installedpackages']["openvpnserver"]['config']))
- $ovpn_count += count($config['installedpackages']["openvpnserver"]['config']);
- if (is_array($config['installedpackages']["openvpnclient"]['config']))
- $ovpn_count += count($config['installedpackages']["openvpnclient"]['config']);
-
- if ($ovpn_count) {
+ if ($config['openvpn']['openvpn-server'] || $config['openvpn']['openvpn-client']) {
+
+ $ovpnifs = array( "ovpns1");
+ foreach ($config['openvpn']['openvpn-server'] as & $server)
+ if (!$server['disable'])
+ $ovpnifs[] = "ovpns".$server['vpnid'];
+ foreach ($config['openvpn']['openvpn-client'] as & $client)
+ if (!$client['disable'])
+ $ovpnifs[] = "ovpnc".$client['vpnid'];
+
+ if (count($ovpnifs)) {
$oic = array();
- for ($i = 0; $i < $ovpn_count; $i++) {
- if (!$i)
- $oic['if'] = "ovpn{$i}";
- else
- $oic['if'] .= " ovpn{$i}";
- }
+ $oic['if'] = implode(" ", $ovpnifs);
$oic['descr'] = 'OpenVPN';
$oic['ip'] = "none";
$FilterIflist['openvpn'] = $oic;
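Review bot: `$ovpnifs = array( "ovpns1");` seeds the interface list with a hard-coded `ovpns1` regardless of whether a server with vpnid 1 exists or is enabled, so the list is never empty (making `if (count($ovpnifs))` always true) and `ovpns1` appears twice whenever that server is active. Start from `$ovpnifs = array();` and, because the outer `||` only guarantees that one of the two sections is set, guard each loop with `if (is_array($config['openvpn']['openvpn-server']))` (and the client equivalent) before iterating. The `&` on `$server` and `$client` is not needed for a read-only loop and leaves a dangling reference into `$config` after it. generate_optcfg_array() continues outside this hunk.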
@@ -748,10 +743,13 @@ function filter_nat_rules_generate()
if ($numberofnathosts > 0):
- if (!empty($config['installedpackages']['openvpnclient']['config']))
- foreach ($config['installedpackages']['openvpnclient']['config'] as $id => $settings)
+ if (!empty($config['openvpn']['openvpn-client'])) {
+ foreach ($config['openvpn']['openvpn-client'] as $settings) {
+ $vpnid = $settings['vpnid'];
if (!empty($settings['remote_network']))
- $natrules .= "nat on ovpnc{$id} from \$tonatsubnets to any -> (ovpnc{$id})\n";
+ $natrules .= "nat on ovpnc{$vpnid} from \$tonatsubnets to any -> (ovpnc{$vpnid})\n";
+ }
+ }
foreach ($FilterIflist as $if => $ifcfg) {
update_filter_reload_status("Creating outbound rules {$if} - ({$ifcfg['descr']})");
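Review bot: The outbound NAT rule is emitted for every client that has a `remote_network`, including ones flagged `disable`, whereas generate_optcfg_array() earlier in this file only registers `ovpnc<vpnid>` interfaces for enabled clients; the resulting `nat on ovpncN` rule refers to an interface that was never created and is at best dead, at worst a ruleset load problem. Add the same check here: `if (!empty($settings['remote_network']) && !$settings['disable'])`. filter_nat_rules_generate() starts before this hunk.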
@@ -2652,22 +2650,25 @@ function process_carp_nat_rules()
$mt = microtime();
echo "process_carp_nat_rules() being called $mt\n";
}
+
$lines = "";
- if($config['installedpackages']['carp']['config'] != "")
- foreach($config['installedpackages']['carp']['config'] as $carp) {
- $ip = $carp['ipaddress'];
- if($ip <> "any") {
- $ipnet = "any";
- } else {
- $int = find_ip_interface($ip);
- $carp_int = find_carp_interface($ip);
- }
- if($int != false and $int != $wan_interface) {
- $ipnet = convert_ip_to_network_format($ip, $carp['netmask']);
- if($int)
- $lines .= "nat on {$int} inet from {$ipnet} to any -> ({$carp_int}) \n";
+
+ if (is_array($config['installedpackages']['carp']['config'])) {
+ foreach($config['installedpackages']['carp']['config'] as $carp) {
+ $ip = $carp['ipaddress'];
+ if($ip <> "any") {
+ $ipnet = "any";
+ } else {
+ $int = find_ip_interface($ip);
+ $carp_int = find_carp_interface($ip);
+ }
+ if($int != false and $int != $wan_interface) {
+ $ipnet = convert_ip_to_network_format($ip, $carp['netmask']);
+ if($int)
+ $lines .= "nat on {$int} inet from {$ipnet} to any -> ({$carp_int}) \n";
+ }
}
- }
+ }
return $lines;
}
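Review bot: `if($ip <> "any") { $ipnet = "any"; } else { $int = find_ip_interface($ip); ... }` reads as inverted: a concrete CARP address sets `$ipnet` to `any` and never looks up its interface, while the literal string `any` is what gets passed to find_ip_interface(); the commit only re-indents this logic, so the intent is worth confirming before it hardens further. Because `$int` and `$carp_int` are never reset per iteration, an entry that takes the first branch reuses whatever the previous iteration found, and `$wan_interface` is not declared as a local or `global` anywhere visible in this hunk (the function header is outside it). Adding `$int = $carp_int = null;` as the first statement of the loop body removes the carry-over.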
diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc
index ab119ec..913d216 100644
--- a/etc/inc/globals.inc
+++ b/etc/inc/globals.inc
@@ -60,7 +60,7 @@ $g = array(
"n_pppoe_units" => 16, /* this value can be overriden in pppoe->n_pppoe_units */
"pppoe_subnet" => 28, /* this value can be overriden in pppoe->pppoe_subnet */
"debug" => false,
- "latest_config" => "5.1",
+ "latest_config" => "5.2",
"nopkg_platforms" => array("cdrom"),
"minimum_ram_warning" => "115",
"minimum_ram_warning_text" => "128 megabytes",
diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc
index 76ea0f8..2328e24 100644
--- a/etc/inc/ipsec.inc
+++ b/etc/inc/ipsec.inc
@@ -88,6 +88,29 @@ $p2_pfskeygroups = array(
'5' => '5');
/*
+ * ikeid management functions
+ */
+
+function ipsec_ikeid_used($ikeid) {
+ global $config;
+
+ foreach ($config['ipsec']['phase1'] as $ph1ent)
+ if( $ikeid == $ph1ent['ikeid'] )
+ return true;
+
+ return false;
+}
+
+function ipsec_ikeid_next() {
+
+ $ikeid = 1;
+ while(ipsec_ikeid_used($ikeid))
+ $ikeid++;
+
+ return $ikeid;
+}
+
+/*
* Return phase1 local address
*/
function ipsec_get_phase1_src(& $ph1ent) {
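Review bot: `foreach ($config['ipsec']['phase1'] as $ph1ent)` has no `is_array()` guard, so on a configuration with no phase 1 entries it emits a warning before returning false; the parallel `openvpn_vpnid_used()` added in openvpn.inc guards its loops, and this one should match with `if (is_array($config['ipsec']['phase1']))` before the loop. Both new helpers would also benefit from a one-line docblock, e.g. `/* Return true if $ikeid is already assigned to a phase1 entry. */` and `/* Return the lowest unused ikeid, starting at 1. */`, since the "ikeid management functions" banner is the only description they have.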
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index cd3f2a0..efea035 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -45,67 +45,65 @@ require_once('config.inc');
require_once('pfsense-utils.inc');
require_once('util.inc');
-// Shutdown running process if needed
-function openvpn_delete($mode, $id) {
- global $g, $config;
-
- $settings = $config['installedpackages']['openvpn$mode']['config'][$id];
- $mode = $settings['mode'];
- $ps = $g['varetc_path'] . "/openvpn_{$mode}{$id}.conf";
- $ps_id = `ps awux | grep $ps | awk '{ print \$2 }'`;
- killbypid($ps_id);
-}
+$openvpn_prots = array( "UDP", "TCP");
-// Return the list of ciphers OpenVPN supports
-function openvpn_get_ciphers($pkg) {
+$openvpn_auth_methods = array(
+ 'pki' => "Public Key Infrastructure",
+ 'shared_key' => "Pre Shared Key");
+
+function openvpn_vpnid_used($vpnid) {
global $config;
- foreach ($pkg['fields']['field'] as $i => $field) {
- if ($field['fieldname'] == 'crypto') {
- $option_array = &$pkg['fields']['field'][$i]['options']['option'];
- $ciphers_out = shell_exec('openvpn --show-ciphers | grep "default key" | awk \'{print $1, "(" $2 "-" $3 ")";}\'');
- $ciphers = explode("\n", trim($ciphers_out));
- sort($ciphers);
- foreach ($ciphers as $cipher) {
- $value = explode(' ', $cipher);
- $value = $value[0];
- $option_array[] = array('value' => $value, 'name' => $cipher);
- }
- }
- if ($field['fieldname'] == 'cipher') {
- if (is_array($config['openvpn']['keys'])) {
- if (count($config['openvpn']['keys']) > 0) {
- $option_array = &$pkg['fields']['field'][$i]['options']['option'];
- foreach ($config['openvpn']['keys'] as $cipher => $type) {
- if ($type['shared.key'])
- $option_array[] = array('value' => $cipher, 'name' => $cipher);
- }
- }
- }
- }
- if ($field['fieldname'] == 'cipherpki') {
- if (is_array($config['openvpn']['keys'])) {
- if (count($config['openvpn']['keys']) > 0) {
- $option_array = &$pkg['fields']['field'][$i]['options']['option'];
- foreach ($config['openvpn']['keys'] as $cipher => $type) {
- if ($type['auth_method'] == 'pki')
- $option_array[] = array('value' => $cipher, 'name' => $type['descr']);
- }
- }
- }
- }
+ if (is_array($config['openvpn']['openvpn-server']))
+ foreach ($config['openvpn']['openvpn-server'] as $id => & $settings)
+ if( $vpnid == $settings['vpnid'] )
+ return true;
+
+ if (is_array($config['openvpn']['openvpn-client']))
+ foreach ($config['openvpn']['openvpn-client'] as $id => & $settings)
+ if( $vpnid == $settings['vpnid'] )
+ return true;
+ return false;
+}
+
+function openvpn_vpnid_next() {
+
+ $vpnid = 1;
+ while(openvpn_vpnid_used($vpnid))
+ $vpnid++;
+
+ return $vpnid;
+}
+
+function openvpn_get_cipherlist() {
+
+ $ciphers = array();
+ $cipher_out = shell_exec('openvpn --show-ciphers | grep "default key" | awk \'{print $1, "(" $2 "-" $3 ")";}\'');
+ $cipher_lines = explode("\n", trim($cipher_out));
+ sort($cipher_lines);
+ foreach ($cipher_lines as $line) {
+ $words = explode(' ', $line);
+ $ciphers[$words[0]] = "{$words[0]} {$words[1]}";
}
+
+ return $ciphers;
+}
+
+function openvpn_validate_host($value, $name) {
+ $value = trim($value);
+ if (empty($value) || !(is_domain($value) && is_ipaddr($value)))
+ return "The field '$name' must contain a valid IP address or domain name.";
+ return false;
}
function openvpn_validate_port($value, $name) {
$value = trim($value);
- if (!empty($value) && !(is_numeric($value) && ($value > 0) && ($value < 65535)))
+ if (empty($value) || !(is_numeric($value) && ($value > 0) && ($value < 65535)))
return "The field '$name' must contain a valid port, ranging from 0 to 65535.";
return false;
}
-
function openvpn_validate_cidr($value, $name) {
$value = trim($value);
if (!empty($value)) {
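Review bot: `openvpn_validate_host()` rejects every input: `!(is_domain($value) && is_ipaddr($value))` requires the value to be both a domain name and an IP address at once, which no string satisfies; it should read `if (empty($value) || !(is_domain($value) || is_ipaddr($value)))`, which is also what the removed client-side check used and what the returned message promises. In `openvpn_validate_port()` the bounds `($value > 0) && ($value < 65535)` exclude 65535 while the error text says "ranging from 0 to 65535"; make them agree, e.g. `($value >= 1) && ($value <= 65535)` with the message adjusted to match. `openvpn_validate_cidr()` continues outside this hunk.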
@@ -116,271 +114,115 @@ function openvpn_validate_cidr($value, $name) {
return false;
}
+function openvpn_add_dhcpopts(& $settings, & $conf) {
-// Do the input validation
-function openvpn_validate_input($mode, $post, $input_errors) {
- $Mode = ucfirst($mode);
+ if (!empty($settings['dns_domain']))
+ $conf .= "push \"dhcp-option DOMAIN {$settings['dns_domain']}\"\n";
- if ($mode == 'server') {
- if ($result = openvpn_validate_port($post['local_port'], 'Local port'))
- $input_errors[] = $result;
-
- if ($result = openvpn_validate_cidr($post['addresspool'], 'Address pool'))
- $input_errors[] = $result;
-
- if ($result = openvpn_validate_cidr($post['local_network'], 'Local network'))
- $input_errors[] = $result;
-
-/* check for port in use - update of existing entries not possible because $_GET['act'] is not passed from pkg_edit.php :-( mfuchs
- $portinuse = shell_exec('sockstat | grep '.$post['local_port'].' | grep '.strtolower($post['protocol']));
- if (!empty($portinuse))
- $input_errors[] = 'The port '.$post['local_port'].'/'.strtolower($post['protocol']).' is already in use.';
-*/
+ if (!empty($settings['dns_server1']))
+ $conf .= "push \"dhcp-option DNS {$settings['dns_server1']}\"\n";
+ if (!empty($settings['dns_server2']))
+ $conf .= "push \"dhcp-option DNS {$settings['dns_server2']}\"\n";
+ if (!empty($settings['dns_server3']))
+ $conf .= "push \"dhcp-option DNS {$settings['dns_server3']}\"\n";
+ if (!empty($settings['dns_server4']))
+ $conf .= "push \"dhcp-option DNS {$settings['dns_server4']}\"\n";
- if (!empty($post['dhcp_dns'])) {
- $servers = explode(';', $post['dhcp_dns']);
- foreach ($servers as $server) if (!is_ipaddr($server))
- {$input_errors[] = 'The field \'DHCP Option: DNS Server\' must contain a valid IP address and no whitespaces.';
- break;}}
- if (!empty($post['dhcp_wins'])) {
- $servers = explode(';', $post['dhcp_wins']);
- foreach ($servers as $server) if (!is_ipaddr($server))
- {$input_errors[] = 'The field \'DHCP Option: WINS Server\' must contain a valid IP address and no whitespaces.';
- break;}}
- if (!empty($post['dhcp_nbdd'])) {
- $servers = explode(';', $post['dhcp_nbdd']);
- foreach ($servers as $server) if (!is_ipaddr($server))
- {$input_errors[] = 'The field \'DHCP Option: NBDD Server\' must contain a valid IP address and no whitespaces.';
- break;}}
- if (!empty($post['dhcp_ntp'])) {
- $servers = explode(';', $post['dhcp_ntp']);
- foreach ($servers as $server) if (!is_ipaddr($server))
- {$input_errors[] = 'The field \'DHCP Option: NTP Server\' must contain a valid IP address and no whitespaces.';
- break;}}
- if (isset($post['maxclients']) && $post['maxclients'] != "") {
- if (!is_numeric($post['maxclients']))
- $input_errors[] = 'The field \'Maximum clients\' must be numeric.';
- }
+ if (!empty($settings['ntp_server1']))
+ $conf .= "push \"dhcp-option NTP {$settings['dhcp_ntp']}\"\n";
+ if (!empty($settings['ntp_server2']))
+ $conf .= "push \"dhcp-option NTP {$settings['dhcp_ntp']}\"\n";
- }
+ if ($settings['netbios_enable']) {
- else { // Client mode
- if ($result = openvpn_validate_port($post['serverport'], 'Server port'))
- $input_errors[] = $result;
+ if (!empty($settings['dhcp_nbttype']) && ($settings['dhcp_nbttype'] != 0))
+ $conf .= "push \"dhcp-option NBT {$settings['dhcp_nbttype']}\"\n";
+ if (!empty($settings['dhcp_nbtscope']))
+ $conf .= "push \"dhcp-option NBS {$settings['dhcp_nbtscope']}\"\n";
- $server_addr = trim($post['serveraddr']);
- if (!empty($value) && !(is_domain($server_addr) || is_ipaddr($server_addr)))
- $input_errors[] = 'The field \'Server address\' must contain a valid IP address or domain name.';
+ if (!empty($settings['wins_server1']))
+ $conf .= "push \"dhcp-option WINS {$settings['wins_server1']}\"\n";
+ if (!empty($settings['wins_server2']))
+ $conf .= "push \"dhcp-option WINS {$settings['wins_server2']}\"\n";
- if ($result = openvpn_validate_cidr($post['interface_ip'], 'Interface IP'))
- $input_errors[] = $result;
+ if (!empty($settings['nbdd_server1']))
+ $conf .= "push \"dhcp-option NBDD {$settings['nbdd_server1']}\"\n";
+ }
- if ($post['auth_method'] == 'shared_key') {
- if (empty($post['interface_ip']))
- $input_errors[] = 'The field \'Interface IP\' is required.';
- }
- if (isset($post['proxy_hostname']) && $post['proxy_hostname'] != "") {
- if (!is_domain($post['proxy_hostname']) || is_ipaddr($post['proxy_hostname']))
- $input_errors[] = 'The field \'Proxy Host\' must contain a valid IP address or domain name.';
- if (!is_port($post['proxy_port']))
- $input_errors[] = 'The field \'Proxy port\' must contain a valid port number.';
- if ($post['protocol'] != "TCP")
- $input_errors[] = 'The protocol must be TCP to use a HTTP proxy server.';
- }
- if (isset($post['use_shaper']) && $post['use_shaper'] != "") {
- if (!is_numeric($post['use_shaper']))
- $input_errors[] = 'The field \'Limit outgoing bandwidth\' must be numeric.';
- }
+ if ($settings['gwredir'])
+ $conf .= "push \"redirect-gateway def1\"\n";
+}
- }
+function openvpn_add_custom(& $settings, & $conf) {
- if ($result = openvpn_validate_cidr($post['remote_network'], 'Remote network'))
- $input_errors[] = $result;
+ if ($settings['custom_options']) {
-/* This are no more needed comment them from now and remove later */
-/*
- if ($_POST['auth_method'] == 'shared_key') {
- $reqfields[] = 'shared_key';
- $reqfieldsn[] = 'Shared key';
- }
- else {
- $req = explode(' ', "ca_cert {$mode}_cert {$mode}_key");
- $reqn = array( 'CA certificate',
- ucfirst($mode) . ' certificate',
- ucfirst($mode) . ' key');
- $reqfields = array_merge($reqfields, $req);
- $reqfieldsn = array_merge($reqfieldsn, $reqn);
- if ($mode == 'server') {
- $reqfields[] = 'dh_params';
- $reqfieldsn[] = 'DH parameters';
- }
- }
- do_input_validation($post, $reqfields, $reqfieldsn, &$input_errors);
-*/
-if ($mode != "server") {
- $value = trim($post['shared_key']);
- $items = array();
-
- if ($_POST['auth_method'] == 'shared_key') {
- $items[] = array( 'field' => 'shared.key',
- 'string' => 'OpenVPN Static key V1',
- 'name' => 'Shared key');
- }
- else {
- $items[] = array( 'field' => 'ca.crt',
- 'string' => 'CERTIFICATE',
- 'name' => 'CA certificate');
- $items[] = array( 'field' => "{$mode}.crt",
- 'string' => 'CERTIFICATE',
- 'name' => "$Mode certificate");
- $items[] = array( 'field' => "{$mode}.key",
- 'string' => 'RSA PRIVATE KEY',
- 'name' => "$Mode key");
- $items[] = array( 'field' => 'tls',
- 'string' => 'OpenVPN Static key V1',
- 'name' => 'TLS');
- if ($mode == 'server') {
- $items[] = array( 'field' => 'dh_param.dhs',
- 'string' => 'DH PARAMETERS',
- 'name' => 'DH parameters');
- $items[] = array( 'field' => 'crl.crl',
- 'string' => 'X509 CRL',
- 'name' => 'CRL');
- }
- }
- foreach ($items as $item) {
- $value = trim($_POST[$item['field']]);
- $string = $item['string'];
- if ($value && (!strstr($value, "-----BEGIN {$string}-----") || !strstr($value, "-----END {$string}-----")))
- $input_errors[] = "The field '{$item['name']}' does not appear to be valid";
+ $options = explode(';', $settings['custom_options']);
+
+ if (is_array($options)) {
+ foreach ($options as $option)
+ $conf .= "$option\n";
+ } else
+ $conf .= "{$settings['custom_options']}\n";
}
}
-}
+function openvpn_add_keyfile(& $data, & $conf, $mode_id, $directive) {
+ global $g;
-function openvpn_validate_input_csc($post, $input_errors) {
- if ($result = openvpn_validate_cidr($post['ifconfig_push'], 'Interface IP'))
- $input_errors[] = $result;
-
- if ($post['push_reset'] != 'on') {
- if (!empty($post['dhcp_domainname']))
- $input_errors[] = 'It makes no sense to unselect push reset and configure DHCP options';
- elseif (!empty($post['dhcp_dns']))
- $input_errors[] = 'It makes no sense to unselect push reset and configure DHCP options';
- elseif (!empty($post['dhcp_wins']))
- $input_errors[] = 'It makes no sense to unselect push reset and configure DHCP options';
- elseif (!empty($post['dhcp_nbdd']))
- $input_errors[] = 'It makes no sense to unselect push reset and configure DHCP options';
- elseif (!empty($post['dhcp_ntp']))
- $input_errors[] = 'It makes no sense to unselect push reset and configure DHCP options';
- elseif ($post['dhcp_nbttype'])
- $input_errors[] = 'It makes no sense to unselect push reset and configure DHCP options';
- elseif (!empty($post['dhcp_nbtscope']))
- $input_errors[] = 'It makes no sense to unselect push reset and configure DHCP options';
- elseif ($post['dhcp_nbtdisable'])
- $input_errors[] = 'It makes no sense to unselect push reset and configure DHCP options';
-
- } else {
-
- if (!empty($post['dhcp_dns'])) {
- $servers = explode(';', $post['dhcp_dns']);
- foreach ($servers as $server) if (!is_ipaddr($server))
- {$input_errors[] = 'The field \'DHCP Option: DNS Server\' must contain a valid IP address and no whitespaces.';
- break;}}
- if (!empty($post['dhcp_wins'])) {
- $servers = explode(';', $post['dhcp_wins']);
- foreach ($servers as $server) if (!is_ipaddr($server))
- {$input_errors[] = 'The field \'DHCP Option: WINS Server\' must contain a valid IP address and no whitespaces.';
- break;}}
- if (!empty($post['dhcp_nbdd'])) {
- $servers = explode(';', $post['dhcp_nbdd']);
- foreach ($servers as $server) if (!is_ipaddr($server))
- {$input_errors[] = 'The field \'DHCP Option: NBDD Server\' must contain a valid IP address and no whitespaces.';
- break;}}
- if (!empty($post['dhcp_ntp'])) {
- $servers = explode(';', $post['dhcp_ntp']);
- foreach ($servers as $server) if (!is_ipaddr($server))
- {$input_errors[] = 'The field \'DHCP Option: NTP Server\' must contain a valid IP address and no whitespaces.';
- break;}}
-
-}}
-
-// Create server PKI certificate if it is not present on system
-function openvpn_server_create_cert($mode, $id) {
- if($mode == "client")
- return;
- global $g, $config;
- $settings = $config['installedpackages']["openvpn$mode"]['config'][$id];
- $interface = $settings['interface'];
- if(!$interface)
- $interface = "WAN";
- $serveruniq = $interface . $settings['local_port'] . $settings['protocol'];
- log_error("Creating server certificate for {$settings['description']}.");
- $caname = $settings['cipherpki'];
- foreach($config['openvpn']['keys'] as $ca => $ca2) {
- if($ca == $caname)
- $cakeysize = $ca2['keysize'];
- }
- $ovpncapath = $g['varetc_path']."/openvpn/certificates";
- $easyrsapath = $g['easyrsapath'];
- config_lock();
- $fd = fopen($ovpncapath . "/RUNME_2ND", "w");
- fwrite($fd, "#!/bin/tcsh\n");
- fwrite($fd, "cd $ovpncapath \n");
- fwrite($fd, "source $ovpncapath/$caname/vars \n");
- fwrite($fd, "$easyrsapath/pkitool --batch --server {$serveruniq} \n");
- fwrite($fd, "openssl dhparam -out $ovpncapath/$caname/dh_params.dh $cakeysize \n");
- fclose($fd);
- system("/bin/chmod a+rx $ovpncapath/RUNME_2ND");
- mwexec("/bin/tcsh $ovpncapath/RUNME_2ND");
- $config['installedpackages']["openvpn$mode"]['config'][$id]['server.key'] = file_get_contents("$ovpncapath/$caname/server.key");
- $config['installedpackages']["openvpn$mode"]['config'][$id]['server.crt'] = file_get_contents("$ovpncapath/$caname/server.crt");
- $config['installedpackages']["openvpn$mode"]['config'][$id]['dh_params.dh'] = file_get_contents("$ovpncapath/$caname/dh_params.dh");
- config_unlock();
- write_config();
- log_error("Server certificate for {$settings['description']} created.");
+ $fpath = $g['varetc_path']."/openvpn/{$mode_id}.{$directive}";
+ file_put_contents($fpath, base64_decode($data));
+ chown($fpath, 'nobody');
+ chgrp($fpath, 'nobody');
+
+ $conf .= "{$directive} {$fpath}\n";
}
-// Rewrite the settings
function openvpn_reconfigure($mode, $id) {
global $g, $config;
- $settings = $config['installedpackages']["openvpn$mode"]['config'][$id];
-
+ $settings = $config['openvpn']["openvpn-$mode"][$id];
+
if (empty($settings))
return;
if ($settings['disable'])
return;
- /* create cert if needed */
- if(!$settings['server.key'] and $mode == "server")
- openvpn_server_create_cert($mode, $id);
-
- $lport = 1194 + $id;
-
/*
- * NOTE: if you change the name of the interfaces here than
- * be sure to change it even on the openvpn command parameters at
- * openvpn_restart() function.
+ * NOTE: Deleting tap devices causes spontaneous reboots. Instead,
+ * we use a vpnid number which is allocated for a particular client
+ * or server configuration. ( see openvpn_vpnid_next() )
*/
- if ($mode == "client")
- $ovpndevice = "ovpnc{$id}";
- else
- $ovpndevice = "ovpn{$id}";
+ $vpnid = $settings['vpnid'];
+ $mode_id = $mode.$vpnid;
+ $tunname = "tun{$vpnid}";
- if (!$g['booting'])
- mwexec("/sbin/ifconfig {$ovpndevice} destroy");
+ if ($mode == "server")
+ $devname = "ovpns{$vpnid}";
+ else
+ $devname = "ovpnc{$vpnid}";
- $tunname = exec("/sbin/ifconfig tun create");
- mwexec("/sbin/ifconfig {$tunname} name {$ovpndevice}");
- mwexec("/sbin/ifconfig {$ovpndevice} group openvpn");
+ if (!file_exists("/dev/{$tunname}"))
+ $tunname = exec("/sbin/ifconfig {$tunname} create");
- $pidfile = $g['varrun_path'] . "/openvpn_{$mode}{$id}.pid";
+ mwexec("/sbin/ifconfig {$tunname} name {$devname}");
+ mwexec("/sbin/ifconfig {$devname} group openvpn");
+
+ $pidfile = $g['varrun_path'] . "/openvpn_{$mode_id}.pid";
$proto = ($settings['protocol'] == 'UDP' ? 'udp' : "tcp-{$mode}");
$cipher = $settings['crypto'];
- $openvpn_conf .= <<<EOD
-dev {$ovpndevice}
+
+ $interface = $settings['interface'];
+ if (!$interface)
+ $interface = 'WAN';
+
+ $iface = convert_friendly_interface_to_real_interface_name($interface);
+ $lines = explode(' ', trim(shell_exec("ifconfig $iface | grep inet | grep -v inet6")));
+ $iface_ip = $lines[1];
+
+$conf .= <<<EOD
+dev {$devname}
dev-type tun
dev-node /dev/{$tunname}
writepid $pidfile
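Review bot: `openvpn_add_dhcpopts()` pushes the wrong keys for several options: the NTP lines test `ntp_server1`/`ntp_server2` but interpolate `$settings['dhcp_ntp']`, and the NBT lines read `dhcp_nbttype`/`dhcp_nbtscope`, whereas the 5.1→5.2 converter in config.inc renames those fields to `ntp_server1`, `netbios_ntype` and `netbios_scope`, so clients receive `dhcp-option NTP` with an empty value and never get the NetBIOS type or scope; the corrected lines are below. In `openvpn_add_keyfile()` the decoded material (which, depending on `$directive`, may be a private key) is written with the process umask and only chowned; add `chmod($fpath, 0600);` after the `file_put_contents()` call so other local users cannot read it, and check the return value of `file_put_contents()` rather than emitting a directive that points at a file that may not exist. The `else` branch in `openvpn_add_custom()` is dead because `explode()` always returns an array. `openvpn_reconfigure()` continues past the end of this hunk.
```php
function openvpn_add_dhcpopts(& $settings, & $conf) {
	// … unchanged: DOMAIN and DNS pushes …

	if (!empty($settings['ntp_server1']))
		$conf .= "push \"dhcp-option NTP {$settings['ntp_server1']}\"\n";
	if (!empty($settings['ntp_server2']))
		$conf .= "push \"dhcp-option NTP {$settings['ntp_server2']}\"\n";

	if ($settings['netbios_enable']) {

		if (!empty($settings['netbios_ntype']) && ($settings['netbios_ntype'] != 0))
			$conf .= "push \"dhcp-option NBT {$settings['netbios_ntype']}\"\n";
		if (!empty($settings['netbios_scope']))
			$conf .= "push \"dhcp-option NBS {$settings['netbios_scope']}\"\n";

		// … unchanged: WINS and NBDD pushes …
	}

	// … unchanged: redirect-gateway …
}
```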
@@ -395,347 +237,216 @@ proto $proto
cipher $cipher
up /etc/rc.filter_configure
down /etc/rc.filter_configure
+local {$iface_ip}
EOD;
- // Mode-specific stuff
+ // Mode specific stuff
+
if ($mode == 'server') {
- list($ip, $mask) = explode('/', $settings['addresspool']);
+
+ list($ip, $mask) = explode('/', $settings['tunnel_network']);
$mask = gen_subnet_mask($mask);
// Using a shared key or not dynamically assigning IPs to the clients
- if (($settings['auth_method'] == 'shared_key') || ($settings['nopool'] == 'on')) {
- if ($settings['auth_method'] == 'pki') $openvpn_conf .= "tls-server\n";
+ if (($settings['auth_method'] == 'shared_key') || (!$settings['pool_enable'] == 'on')) {
+
+ if ($settings['auth_method'] == 'pki')
+ $conf .= "tls-server\n";
$baselong = ip2long($ip) & ip2long($mask);
$ip1 = long2ip($baselong + 1);
$ip2 = long2ip($baselong + 2);
- $openvpn_conf .= "ifconfig $ip1 $ip2\n";
+ $conf .= "ifconfig $ip1 $ip2\n";
}
// Using a PKI
else if ($settings['auth_method'] == 'pki') {
- if ($settings['client2client']) $openvpn_conf .= "client-to-client\n";
- $openvpn_conf .= "server $ip $mask\n";
+
+ if ($settings['client2client'])
+ $conf .= "client-to-client\n";
+
+ $conf .= "server $ip $mask\n";
$csc_dir = "{$g['varetc_path']}/openvpn_csc";
- $openvpn_conf .= "client-config-dir $csc_dir\n";
+ $conf .= "client-config-dir $csc_dir\n";
}
// We can push routes
if (!empty($settings['local_network'])) {
+
list($ip, $mask) = explode('/', $settings['local_network']);
$mask = gen_subnet_mask($mask);
- $openvpn_conf .= "push \"route $ip $mask\"\n";
+ $conf .= "push \"route $ip $mask\"\n";
}
- if ($settings['bind_to_iface'] == 'on') {
- $iface = $settings['interface'];
- $iface = convert_friendly_interface_to_real_interface_name($iface);
- $line = trim(shell_exec("ifconfig $iface | grep inet | grep -v inet6"));
- list($dummy, $ip, $dummy2, $dummy3) = explode(' ', $line);
-
- $openvpn_conf .= "local {$ip}\n";
- }
-
// The port we'll listen at
- $openvpn_conf .= "lport {$settings['local_port']}\n";
-
- // DHCP-Options
- if (!empty($settings['dhcp_domainname']))
- $openvpn_conf .= "push \"dhcp-option DOMAIN {$settings['dhcp_domainname']}\"\n";
-
- if (!empty($settings['dhcp_dns'])) {
- $servers = explode(';', $settings['dhcp_dns']);
- if (is_array($servers)) {
- foreach ($servers as $server) $openvpn_conf .= "push \"dhcp-option DNS {$server}\"\n";
- } else {
- $openvpn_conf .= "push \"dhcp-option DNS {$settings['dhcp_dns']}\"\n";
- }
- }
-
- if (!empty($settings['dhcp_wins'])) {
- $servers = explode(';', $settings['dhcp_wins']);
- if (is_array($servers)) {
- foreach ($servers as $server) $openvpn_conf .= "push \"dhcp-option WINS {$server}\"\n";
- } else {
- $openvpn_conf .= "push \"dhcp-option WINS {$settings['dhcp_wins']}\"\n";
- }
- }
-
- if (!empty($settings['dhcp_nbdd'])) {
- $servers = explode(';', $settings['dhcp_nbdd']);
- if (is_array($servers)) {
- foreach ($servers as $server) $openvpn_conf .= "push \"dhcp-option NBDD {$server}\"\n";
- } else {
- $openvpn_conf .= "push \"dhcp-option NBDD {$settings['dhcp_nbdd']}\"\n";
- }
- }
-
- if (!empty($settings['dhcp_ntp'])) {
- $servers = explode(';', $settings['dhcp_ntp']);
- if (is_array($servers)) {
- foreach ($servers as $server) $openvpn_conf .= "push \"dhcp-option NTP {$server}\"\n";
- } else {
- $openvpn_conf .= "push \"dhcp-option NTP {$settings['dhcp_ntp']}\"\n";
- }
- }
-
- if (!empty($settings['dhcp_nbttype']) && $settings['dhcp_nbttype'] !=0)
- $openvpn_conf .= "push \"dhcp-option NBT {$settings['dhcp_nbttype']}\"\n";
- if (!empty($settings['dhcp_nbtscope']))
- $openvpn_conf .= "push \"dhcp-option NBS {$settings['dhcp_nbtscope']}\"\n";
- if ($settings['dhcp_nbtdisable'])
- $openvpn_conf .= "push \"dhcp-option DISABLE-NBT\"\n";
+ $conf .= "lport {$settings['local_port']}\n";
- if (!empty($settings['tls']))
- $openvpn_conf .= "tls-auth {$g['varetc_path']}/openvpn_server{$id}.tls 0\n";
if (!empty($settings['maxclients']))
- $openvpn_conf .= "max-clients {$settings['maxclients']}\n";
- if ($settings['gwredir'])
- $openvpn_conf .= "push \"redirect-gateway def1\"\n";
- } else { // $mode == client
+ $conf .= "max-clients {$settings['maxclients']}\n";
+
+ openvpn_add_dhcpopts($settings, $conf);
+ }
+
+ if ($mode == 'client') {
+
// The remote server
- $openvpn_conf .= "remote {$settings['serveraddr']} {$settings['serverport']}\n";
+ $conf .= "remote {$settings['server_addr']} {$settings['server_port']}\n";
+
+ if ($settings['auth_method'] == 'pki')
+ $conf .= "client\n";
+
+ // FIXME : This should be a gui option
+ // The port we'll listen at
+ if ($settings['local_port'])
+ $conf .= "lport {$settings['local_port']}\n";
+ else
+ $conf .= "nobind\n";
- if ($settings['auth_method'] == 'pki') $openvpn_conf .= "client\n";
- if ($settings['use_dynamicport']) $openvpn_conf .= "nobind\n";
- else
- // The port we'll listen at
- $openvpn_conf .= "lport {$lport}\n";
+ if (!empty($settings['use_shaper']))
+ $conf .= "shaper {$settings['use_shaper']}\n";
- if (!empty($settings['use_shaper'])) $openvpn_conf .= "shaper {$settings['use_shaper']}\n";
+ if (!empty($settings['tunnel_network'])) {
- if (!empty($settings['interface_ip'])) {
// Configure the IPs according to the address pool
- list($ip, $mask) = explode('/', $settings['interface_ip']);
+ list($ip, $mask) = explode('/', $settings['tunnel_network']);
$mask = gen_subnet_mask($mask);
$baselong = ip2long($ip) & ip2long($mask);
$ip1 = long2ip($baselong + 1);
$ip2 = long2ip($baselong + 2);
- $openvpn_conf .= "ifconfig $ip2 $ip1\n";
+ $conf .= "ifconfig $ip2 $ip1\n";
}
- if (isset($settings['proxy_hostname']) && $settings['proxy_hostname'] != "") {
+
+ if ($settings['proxy_addr']) {
/* ;http-proxy-retry # retry on connection failures */
- $openvpn_conf .= "http-proxy {$settings['proxy_hostname']} {$settings['proxy_port']}\n";
+ $conf .= "http-proxy {$settings['proxy_addr']} {$settings['proxy_port']}\n";
}
-
- if (!empty($settings['tls'])) $openvpn_conf .= "tls-auth {$g['varetc_path']}/openvpn_client{$id}.tls 1\n";
-
}
// Add the routes if they're set
if (!empty($settings['remote_network'])) {
list($ip, $mask) = explode('/', $settings['remote_network']);
$mask = gen_subnet_mask($mask);
- $openvpn_conf .= "route $ip $mask\n";
+ $conf .= "route $ip $mask\n";
}
- // Write the settings for the keys
- // Set the keys up
- $base_file = $g['varetc_path'] . "/openvpn/certificates/";
- $keys = array();
- if ($settings['auth_method'] == 'shared_key')
- $keys[] = array('field' => 'shared.key', 'ext' => 'secret', 'directive' => 'secret');
- else {
- $interface = $settings['interface'];
- if(!$interface)
- $interface = "WAN";
- $serveruniq = $interface . $settings['local_port'] . $settings['protocol'];
- $keys[] = array('field' => 'ca.crt', 'directive' => 'ca');
- $keys[] = array('field' => "{$serveruniq}.crt", 'directive' => 'cert');
- $keys[] = array('field' => "{$serveruniq}.key", 'directive' => 'key');
- if ($mode == 'server')
- $keys[] = array('field' => 'dh_params.dh', 'directive' => 'dh');
- if ($settings['crl'])
- $keys[] = array('field' => 'crl.crl', 'directive' => 'crl-verify');
- }
-
- foreach ($keys as $key) {
- if ($mode == "server") {
- if ($settings['auth_method'] == 'pki' && isset($settings['cipherpki']) &&
- $settings['cipherpki'] != "none")
- $openvpn_conf .= $key['directive'] . " " . $base_file . $settings['cipherpki'] .
- "/".$key['field']."\n";
- else if ($settings['auth_method'] == 'pki' && isset($settings['cipherpki']) &&
- $settings['cipherpki'] != "none")
- $openvpn_conf .= $key['directive'] . " " . $base_file . $settings['cipherpki'] .
- "/".$key['field']."\n";
- } else {
- $filename = $g['varetc_path']."/openvpn_{$mode}{$id}." . $key['field'];
- file_put_contents($filename, base64_decode($settings[$key['field']]));
- chown($filename, 'nobody');
- chgrp($filename, 'nobody');
- $openvpn_conf .= $key['directive'] . " $filename \n";
- }
- }
-
- if ($settings['use_lzo']) $openvpn_conf .= "comp-lzo\n";
-
- if ($settings['passtos']) $openvpn_conf .= "passtos\n";
-
- if ($settings['infiniteresolvretry']) $openvpn_conf .= "resolv-retry infinite\n";
-
- if ($settings['dynamic_ip']) {
- $openvpn_conf .= "persist-remote-ip\n";
- $openvpn_conf .= "float\n";
+ // Write the settings for the keys
+ if ($settings['auth_method'] == 'shared_key')
+ openvpn_add_keyfile($settings['shared_key'], $conf, $mode_id, "secret");
+
+ if ($settings['auth_method'] == 'pki') {
+
+ $ca = lookup_ca($settings['caref']);
+ $cert = lookup_cert($settings['certref']);
+
+ openvpn_add_keyfile($ca['crt'], $conf, $mode_id, "ca");
+ openvpn_add_keyfile($cert['crt'], $conf, $mode_id, "cert");
+ openvpn_add_keyfile($cert['prv'], $conf, $mode_id, "key");
+
+ if ($mode == 'server')
+ openvpn_add_keyfile($settings['dh_params'], $conf, $mode_id, "dh");
+ if ($settings['crl'])
+ openvpn_add_keyfile($settings['crl'], $conf, $mode_id, "crl-verify");
+ if ($settings['tls'])
+ openvpn_add_keyfile($settings['tls'], $conf, $mode_id, "tls-auth");
}
- if (!empty($settings['custom_options'])) {
- $options = explode(';', $settings['custom_options']);
- if (is_array($options)) {
- foreach ($options as $option)
- $openvpn_conf .= "$option\n";
- }
- else {
- $openvpn_conf .= "{$settings['custom_options']}\n";
- }
+ if ($settings['compress'])
+ $conf .= "comp-lzo\n";
+
+ if ($settings['passtos'])
+ $conf .= "passtos\n";
+
+ if ($settings['resolve_retry'])
+ $conf .= "resolv-retry infinite\n";
+
+ if ($settings['dynamic_ip']) {
+ $conf .= "persist-remote-ip\n";
+ $conf .= "float\n";
}
- file_put_contents($g['varetc_path'] . "/openvpn_{$mode}{$id}.conf", $openvpn_conf);
+ openvpn_add_custom($settings, $conf);
+
+ $fpath = $g['varetc_path']."/openvpn/{$mode_id}.conf";
+ file_put_contents($fpath, $conf);
+ chown($fpath, 'nobody');
+ chgrp($fpath, 'nobody');
+}
+
+function openvpn_restart($mode, $id) {
+ global $g, $config;
+
+ $settings = $config['openvpn']["openvpn-$mode"][$id];
+ $vpnid = $settings['vpnid'];
+ $mode_id = $mode.$vpnid;
+
+ $pidfile = $g['varrun_path']."/openvpn_{$mode_id}.pid";
+ killbypid($pidfile);
+ sleep(2);
+
+ if ($settings['disable'])
+ return;
+
+ $fpath = $g['varetc_path']."/openvpn/{$mode_id}.conf";
+ mwexec_bg("nohup openvpn --config {$fpath}");
+ touch("{$g['tmp_path']}/filter_dirty");
}
+function openvpn_delete($mode, $id) {
+ global $g, $config;
+
+ $settings = $config['openvpn']["openvpn-$mode"][$id];
+ $vpnid = $settings['vpnid'];
+ $mode_id = $mode.$vpnid;
+
+ $ps = $g['varetc_path']."/openvpn_{$mode_id}.conf";
+ $ps_id = `ps awux | grep $ps | awk '{ print \$2 }'`;
+ killbypid($ps_id);
+}
function openvpn_resync_csc($id) {
global $g, $config;
- $settings = $config['installedpackages']['openvpncsc']['config'][$id];
+ $settings = $config['openvpn']['openvpn-csc'][$id];
+ $fpath = $g['varetc_path']."/openvpn_csc/".$settings['common_name'];
- if ($settings['disable'] == 'on') {
- $filename = "{$g['varetc_path']}/openvpn_csc/{$settings['commonname']}";
- unlink_if_exists($filename);
+ if ($settings['disable']) {
+ unlink_if_exists($fpath);
return;
}
-
+
$conf = '';
- if ($settings['block'] == 'on') $conf .= "disable\n";
- if ($settings['push_reset'] == 'on') $conf .= "push-reset\n";
- if (!empty($settings['ifconfig_push'])) {
- list($ip, $mask) = explode('/', $settings['ifconfig_push']);
+ if ($settings['block'])
+ $conf .= "disable\n";
+
+ if ($settings['push_reset'])
+ $conf .= "push-reset\n";
+
+ if (!empty($settings['tunnel_network'])) {
+ list($ip, $mask) = explode('/', $settings['tunnel_network']);
$baselong = ip2long($ip) & gen_subnet_mask_long($mask);
- $conf .= 'ifconfig-push ' . long2ip($baselong + 1) . ' ' . long2ip($baselong + 2) . "\n";
+ $ip1 = long2ip($baselong + 1);
+ $ip2 = long2ip($baselong + 2);
+ $conf .= "ifconfig-push {$ip1} {$ip2}\n";
}
-// DHCP-Options
- if (!empty($settings['dhcp_domainname'])) $conf .= "push \"dhcp-option DOMAIN {$settings['dhcp_domainname']}\"\n";
-
- if (!empty($settings['dhcp_dns'])) {
- $servers = explode(';', $settings['dhcp_dns']);
- if (is_array($servers)) {
- foreach ($servers as $server) $conf .= "push \"dhcp-option DNS {$server}\"\n";
- }
- else {
- $conf .= "push \"dhcp-option DNS {$settings['dhcp_dns']}\"\n";
- }
- }
-
- if (!empty($settings['dhcp_wins'])) {
- $servers = explode(';', $settings['dhcp_wins']);
- if (is_array($servers)) {
- foreach ($servers as $server) $conf .= "push \"dhcp-option WINS {$server}\"\n";
- }
- else {
- $conf .= "push \"dhcp-option WINS {$settings['dhcp_wins']}\"\n";
- }
- }
-
- if (!empty($settings['dhcp_nbdd'])) {
- $servers = explode(';', $settings['dhcp_nbdd']);
- if (is_array($servers)) {
- foreach ($servers as $server) $conf .= "push \"dhcp-option NBDD {$server}\"\n";
- }
- else {
- $conf .= "push \"dhcp-option NBDD {$settings['dhcp_nbdd']}\"\n";
- }
- }
-
- if (!empty($settings['dhcp_ntp'])) {
- $servers = explode(';', $settings['dhcp_ntp']);
- if (is_array($servers)) {
- foreach ($servers as $server) $conf .= "push \"dhcp-option NTP {$server}\"\n";
- }
- else {
- $conf .= "push \"dhcp-option NTP {$settings['dhcp_ntp']}\"\n";
- }
- }
-
- if (!empty($settings['dhcp_nbttype']) && $settings['dhcp_nbttype'] !=0) $conf .= "push \"dhcp-option NBT {$settings['dhcp_nbttype']}\"\n";
- if (!empty($settings['dhcp_nbtscope'])) $conf .= "push \"dhcp-option NBS {$settings['dhcp_nbtscope']}\"\n";
- if ($settings['dhcp_nbtdisable']) $conf .= "push \"dhcp-option DISABLE-NBT\"\n";
- if ($settings['gwredir']) $conf .= "push \"redirect-gateway def1\"\n";
-
- if (!empty($settings['custom_options'])) {
- $options = explode(';', $settings['custom_options']);
- if (is_array($options)) {
- foreach ($options as $option)
- $conf .= "$option\n";
- }
- else {
- $conf .= "{$settings['custom_options']}\n";
- }
- }
+ openvpn_add_dhcpopts($settings, $conf);
- $filename = "{$g['varetc_path']}/openvpn_csc/{$settings['commonname']}";
- file_put_contents($filename, $conf);
- chown($filename, 'nobody');
- chgrp($filename, 'nogroup');
+ if ($settings['gwredir'])
+ $conf .= "push \"redirect-gateway def1\"\n";
-}
+ openvpn_add_custom($settings, $conf);
+ file_put_contents($fpath, $conf);
+ chown($fpath, 'nobody');
+ chgrp($fpath, 'nobody');
+}
-function openvpn_restart($mode, $id) {
+function openvpn_delete_csc($id) {
global $g, $config;
- $pidfile = $g['varrun_path'] . "/openvpn_{$mode}{$id}.pid";
- killbypid($pidfile);
- sleep(2);
-
- $settings = $config['installedpackages']["openvpn$mode"]['config'][$id];
- if ($settings['disable']) return;
-
- $configfile = $g['varetc_path'] . "/openvpn_{$mode}{$id}.conf";
- mwexec_bg("nohup openvpn --config $configfile");// --dev-type tun --dev-node /dev/tun{$id}");
- touch("{$g['tmp_path']}/filter_dirty");
-}
-
-//Make ciphers ready for openvpn
-function openvpn_restore_all_ciphers() {
- global $config, $g;
-
- $ovpncapath = $g['varetc_path']."/openvpn/certificates";
-
- if (is_array($config['openvpn']['keys']) && count($config['openvpn']['keys'])) {
- if (!is_dir($g['varetc_path']."/openvpn"))
- safe_mkdir($g['varetc_path']."/openvpn");
- if (!is_dir($ovpncapath))
- safe_mkdir($ovpncapath);
-
- /* XXX: hardcoded path; worth making it a global?! */
- mwexec("cp -r /usr/local/share/openvpn/certificates ".$g['varetc_path']."/openvpn/");
- if (!is_dir($ovpncapath)) {
- log_error("Failed to create environment for creating certificates. ");
- } else {
-
- foreach ($config['openvpn']['keys'] as $caname => $ciphers) {
- if (!is_dir("$ovpncapath/$caname"))
- safe_mkdir("$ovpncapath/$caname");
-
- $cfg = "";
- /* NOTE: vars; Do we need them restored?! */
- $cfg .= "setenv KEY_SIZE " .$ciphers['keysize'] ."\n";
- $cfg .= "setenv KEY_EXPIRE ".$ciphers['keyexpire'] ."\n";
- $cfg .= "setenv CA_EXPIRE " .$ciphers['caexpire'] . "\n";
- $cfg .= "setenv KEY_COUNTRY " .$ciphers['keycountry'] ."\n";
- $cfg .= "setenv KEY_RPOVINCE " .$ciphers['keyprovince'] . "\n";
- $cfg .= "setenv KEY_CITY " .$ciphers['keycity'] . "\n";
- $cfg .= "setenv KEY_ORG " .$ciphers['keyorg'] . "\n";
- $cfg .= "setenv KEY_EMAIL " .$ciphers['keyemail'] . "\n";
- file_put_contents("$ovpncapath/$caname/vars", $cfg);
- /* put ciphers back in their files */
- foreach ($ciphers as $filename => $value) {
- file_put_contents("$ovpncapath/$caname/$filename", $value);
- }
- }
- }
- }
+ $settings = $config['openvpn']['openvpn-csc'][$id];
+ $fpath = $g['varetc_path']."/openvpn_csc/".$settings['common_name'];
+ unlink_if_exists($fpath);
}
// Resync the configuration and restart the VPN
@@ -744,94 +455,39 @@ function openvpn_resync($mode, $id) {
openvpn_restart($mode, $id);
}
-function openvpn_create_cscdir() {
- global $g;
-
- $csc_dir = "{$g['varetc_path']}/openvpn_csc";
- if (is_dir($csc_dir))
- rmdir_recursive($csc_dir);
- make_dirs($csc_dir);
- chown($csc_dir, 'nobody');
- chgrp($csc_dir, 'nobody');
-}
-
// Resync and restart all VPNs
function openvpn_resync_all() {
- global $config;
- $ovpncapath = $g['varetc_path']."/openvpn/certificates";
+ global $g, $config;
- openvpn_restore_all_ciphers();
+ $path_ovpn = $g['varetc_path']."/openvpn";
+ safe_mkdir($path_ovpn);
- foreach (array('server', 'client') as $mode) {
- if ($config['installedpackages']["openvpn$mode"]) {
- $cfgp =& $config['installedpackages']["openvpn$mode"];
- if (is_array($cfgp['config']) && count($cfgp['config'])) {
- foreach ($cfgp['config'] as $id => $settings)
- openvpn_resync($mode, $id);
- }
- }
- }
-
- openvpn_create_cscdir();
- if ($config['installedpackages']['openvpncsc']) {
- $cfgp =& $config['installedpackages']['openvpncsc'];
- if (is_array($cfgp['config']) && count($cfgp['config'])) {
- foreach ($cfgp['config'] as $id => $csc)
- openvpn_resync_csc($id);
- }
- }
-
- /* give speedy machines time to settle */
- sleep(5);
+ chown($path_ovpn, 'nobody');
+ chgrp($path_ovpn, 'nobody');
- /* reload the filter policy */
- filter_configure();
+ $path_csc = $g['varetc_path']."/openvpn_csc";
+ safe_mkdir($path_csc);
-}
+ chown($path_csc, 'nobody');
+ chgrp($path_csc, 'nobody');
-function openvpn_print_javascript($mode) {
- $javascript = <<<EOD
-<script language="JavaScript">
-//<!--
-function onAuthMethodChanged() {
- var method = document.iform.auth_method;
- var endis = (method.options[method.selectedIndex].value == 'shared_key');
-
- if ('$mode' == 'server') {
- document.iform.nopool.disabled = endis;
- document.iform.local_network.disabled = endis;
- document.iform.client2client.disabled = endis;
- document.iform.maxclients.disabled = endis;
- document.iform.cipher.disabled = !endis;
- document.iform.cipherpki.disabled = endis;
- }
- else { // Client mode
- document.iform.remote_network.disabled = !endis;;
- document.iform['shared.key'].disabled = !endis;
- document.iform['ca.crt'].disabled = endis;
- document.iform["{$mode}.crt"].disabled = endis;
- document.iform["{$mode}.key"].disabled = endis;
- document.iform.tls.disabled = endis;
- }
-}
-//-->
-</script>
+ if (is_array($config['openvpn']['openvpn-server']))
+ foreach ($config['openvpn']['openvpn-server'] as $id => & $settings)
+ openvpn_resync('server', $id);
-EOD;
- print($javascript);
-}
+ if (is_array($config['openvpn']['openvpn-client']))
+ foreach ($config['openvpn']['openvpn-client'] as $id => & $settings)
+ openvpn_resync('client', $id);
+ if (is_array($config['openvpn']['openvpn-csc']))
+ foreach ($config['openvpn']['openvpn-csc'] as $id => & $settings)
+ openvpn_resync_csc($id);
-function openvpn_print_javascript2() {
- $javascript = <<<EOD
-<script language="JavaScript">
-//<!--
- onAuthMethodChanged();
-//-->
-</script>
+ /* give speedy machines time to settle */
+ sleep(5);
-EOD;
- print($javascript);
+ /* reload the filter policy */
+ filter_configure();
}
?>
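Review bot: openvpn_resync_all binds `$settings` by reference in all three foreach loops but never reads it, and nothing unsets the reference afterwards, so `$settings` stays aliased to the last csc entry of the global `$config` when the function returns; use `foreach ($config['openvpn']['openvpn-csc'] as $id => $settings)` without `&` (likewise for the server and client loops), or iterate `array_keys()` since only `$id` is used. The removed openvpn_create_cscdir() wiped `openvpn_csc` before rebuilding it, while the new code only safe_mkdir()s it, so an override file whose common_name was later renamed remains and keeps applying to that client until something deletes it — either restore the wipe or add a comment explaining why it was dropped. The directory holding the rendered configs and key files is also chowned to nobody here; unless the daemon launched in openvpn_restart drops privileges (no `--user` is passed on the command line, and no `user` directive is visible in the generated config), a nobody-owned directory lets any unprivileged process replace a config or key file ahead of the next restart, so confirm this ownership is actually required.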
diff --git a/etc/inc/xmlparse.inc b/etc/inc/xmlparse.inc
index a7b3192..1f5b24c 100644
--- a/etc/inc/xmlparse.inc
+++ b/etc/inc/xmlparse.inc
@@ -42,7 +42,8 @@ function listtags() {
"servernat servers serversdisabled earlyshellcmd shellcmd staticmap ".
"subqueue timerange tunnel user authserver vip virtual_server vlan ".
"winsserver ntpserver wolentry widget depends_on_package ".
- "gateway_item gateway_group dyndns dnsupdate gre gif bridged lagg");
+ "gateway_item gateway_group dyndns dnsupdate gre gif bridged lagg ".
+ "openvpn-server openvpn-client openvpn-csc");
return $ret;
}
diff --git a/usr/local/pkg/openvpn.xml b/usr/local/pkg/openvpn.xml
deleted file mode 100644
index 0a91a63..0000000
--- a/usr/local/pkg/openvpn.xml
+++ /dev/null
@@ -1,305 +0,0 @@
-<packagegui>
- <name>openvpnserver</name>
- <title>OpenVPN: Server</title>
- <include_file>openvpn.inc</include_file>
- <delete_string>An OpenVPN server has been deleted.</delete_string>
- <addedit_string>An OpenVPN server has been created/modified.</addedit_string>
- <tabs>
- <tab>
- <text>Server</text>
- <url>/pkg.php?xml=openvpn.xml</url>
- <active/>
- </tab>
- <tab>
- <text>Client</text>
- <url>/pkg.php?xml=openvpn_cli.xml</url>
- </tab>
- <tab>
- <text>Client-specific overrides</text>
- <url>/pkg.php?xml=openvpn_csc.xml</url>
- </tab>
- <tab>
- <text>Certificate Authority</text>
- <url>/vpn_openvpn_certs.php</url>
- </tab>
- <tab>
- <text>Users</text>
- <url>/vpn_openvpn_users.php</url>
- </tab>
- </tabs>
- <adddeleteeditpagefields>
- <columnitem>
- <fieldname>disable</fieldname>
- <fielddescr>Disabled</fielddescr>
- <type>checkbox</type>
- </columnitem>
- <columnitem>
- <fieldname>protocol</fieldname>
- <fielddescr>Protocol</fielddescr>
- </columnitem>
- <columnitem>
- <fieldname>addresspool</fieldname>
- <fielddescr>Address pool</fielddescr>
- </columnitem>
- <columnitem>
- <fieldname>description</fieldname>
- <fielddescr>Description</fielddescr>
- </columnitem>
- </adddeleteeditpagefields>
- <fields>
- <field>
- <fieldname>disable</fieldname>
- <fielddescr>Disable this tunnel</fielddescr>
- <description>This allows you to disable this tunnel without removing it from the list.</description>
- <required/>
- <type>checkbox</type>
- </field>
- <field>
- <fieldname>protocol</fieldname>
- <fielddescr>Protocol</fielddescr>
- <description>The protocol to be used for the VPN.</description>
- <required/>
- <type>select</type>
- <options>
- <option>
- <value>TCP</value>
- <name>TCP</name>
- </option>
- <option>
- <value>UDP</value>
- <name>UDP</name>
- </option>
- </options>
- <default_value>UDP</default_value>
- </field>
- <field>
- <fieldname>bind_to_iface</fieldname>
- <fielddescr>Bind to an interface</fielddescr>
- <description>Check to bind on a specific network interface.</description>
- <type>checkbox</type>
- <enablefields>interface</enablefields>
- </field>
- <field>
- <fieldname>interface</fieldname>
- <fielddescr>Interface</fielddescr>
- <description>The interface on which the OpenVPN daemon will listen.</description>
- <type>interfaces_selection</type>
- <default_value>wan</default_value>
- </field>
- <field>
- <fieldname>dynamic_ip</fieldname>
- <fielddescr>Dynamic IP</fielddescr>
- <description>Assume dynamic IPs, so that DHCP clients can connect.</description>
- <type>checkbox</type>
- </field>
- <field>
- <fieldname>local_port</fieldname>
- <fielddescr>Local port</fielddescr>
- <description>The port OpenVPN will listen on. You generally want 1194 here.</description>
- <required/>
- <type>input</type>
- <default_value>1194</default_value>
- <size>5</size>
- </field>
- <field>
- <fieldname>addresspool</fieldname>
- <fielddescr>Address pool</fielddescr>
- <description>This is the address pool to be assigned to the clients. Expressed as a CIDR range (eg. 10.0.8.0/24). If the 'Use static IPs' field isn't set, clients will be assigned addresses from this pool. Otherwise, this will be used to set the local interface's IP.</description>
- <required/>
- <type>input</type>
- </field>
- <field>
- <fieldname>nopool</fieldname>
- <fielddescr>Use static IPs</fielddescr>
- <description>If this option is set, IPs won't be assigned to clients. Instead, the server will use static IPs on its side, and the clients are expected to use this same value in the 'Address pool' field.</description>
- <required/>
- <type>checkbox</type>
- </field>
- <field>
- <fieldname>local_network</fieldname>
- <fielddescr>Local network</fielddescr>
- <description>This is the network that will be accessable from the remote endpoint. Expressed as a CIDR range. You may leave this blank if you don't want to add a route to the local network through this tunnel on the remote machine. This is generally set to your LAN network.</description>
- <type>input</type>
- </field>
- <field>
- <fieldname>remote_network</fieldname>
- <fielddescr>Remote network</fielddescr>
- <description>This is a network that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a CIDR range. If this is a site-to-site VPN, enter here the remote LAN here. You may leave this blank if you don't want a site-to-site VPN.</description>
- <type>input</type>
- </field>
- <field>
- <fieldname>client2client</fieldname>
- <fielddescr>Client-to-client VPN</fielddescr>
- <description>If this option is set, clients will be able to talk to each other. Otherwise, they will only be able to talk to the server.</description>
- <required/>
- <type>checkbox</type>
- </field>
- <field>
- <fieldname>crypto</fieldname>
- <fielddescr>Cryptography</fielddescr>
- <description>Here you can choose the cryptography algorithm to be used.</description>
- <required/>
- <type>select</type>
- <default_value>BF-CBC</default_value>
- </field>
- <field>
- <fieldname>auth_method</fieldname>
- <fielddescr>Authentication method</fielddescr>
- <description>The authentication method to be used.</description>
- <required/>
- <type>select</type>
- <options>
- <option>
- <value>shared_key</value>
- <name>Shared key</name>
- </option>
- <option>
- <value>pki</value>
- <name>PKI (Public Key Infrastructure)</name>
- </option>
- </options>
- <onchange>onAuthMethodChanged()</onchange>
- </field>
- <field>
- <fieldname>cipher</fieldname>
- <fielddescr>Shared key</fielddescr>
- <description>Shared key to use.</description>
- <type>input</type>
- <default_value></default_value>
- </field>
- <field>
- <fieldname>cipherpki</fieldname>
- <fielddescr>Certificate Authority</fielddescr>
- <description>CA associated with this server.</description>
- <type>select</type>
- <default_value>none</default_value>
- </field>
- <field>
- <fieldname>dhcp_domainname</fieldname>
- <fielddescr>DHCP Option: DNS Suffix</fielddescr>
- <description>Set connection-specific DNS Suffix.</description>
- <type>input</type>
- </field>
- <field>
- <fieldname>dhcp_dns</fieldname>
- <fielddescr>DHCP Option: DNS Server</fielddescr>
- <description>Set domain name server addresses, separated by semi-colons (;).</description>
- <type>input</type>
- </field>
- <field>
- <fieldname>dhcp_wins</fieldname>
- <fielddescr>DHCP Option: WINS Server</fielddescr>
- <description>Set WINS server addresses (NetBIOS over TCP/IP Name Server), separated by semi-colons (;).</description>
- <type>input</type>
- </field>
- <field>
- <fieldname>dhcp_nbdd</fieldname>
- <fielddescr>DHCP Option: NBDD Server</fielddescr>
- <description>Set NBDD server addresses (NetBIOS over TCP/IP Datagram Distribution Server), separated by semi-colons (;).</description>
- <type>input</type>
- </field>
- <field>
- <fieldname>dhcp_ntp</fieldname>
- <fielddescr>DHCP Option: NTP Server</fielddescr>
- <description>Set NTP server addresses (Network Time Protocol), separated by semi-colons (;).</description>
- <type>input</type>
- </field>
- <field>
- <fieldname>dhcp_nbttype</fieldname>
- <fielddescr>DHCP Option: NetBIOS Node Type</fielddescr>
- <description>Set NetBIOS over TCP/IP Node type. Possible options: b-node (broadcasts), p-node (point-to-point name queries to a WINS server), m-node (broadcast then query name server), and h-node (query name server, then broadcast).</description>
- <type>select</type>
- <options>
- <option>
- <value>0</value>
- <name>none</name>
- </option>
- <option>
- <value>1</value>
- <name>b-node</name>
- </option>
- <option>
- <value>2</value>
- <name>p-node</name>
- </option>
- <option>
- <value>4</value>
- <name>m-node</name>
- </option>
- <option>
- <value>8</value>
- <name>h-node</name>
- </option>
- </options>
- <default_value>0</default_value>
- </field>
- <field>
- <fieldname>dhcp_nbtscope</fieldname>
- <fielddescr>DHCP Option: NetBIOS Scope</fielddescr>
- <description>Set NetBIOS over TCP/IP Scope. A NetBIOS Scope ID provides an extended naming service for NetBIOS over TCP/IP. The NetBIOS scope ID isolates NetBIOS traffic on a single network to only those nodes with the same NetBIOS scope ID.</description>
- <type>input</type>
- </field>
- <field>
- <fieldname>dhcp_nbtdisable</fieldname>
- <fielddescr>DHCP Option: Disable NetBIOS</fielddescr>
- <description>If this option is set, Netbios-over-TCP/IP will be disabled.</description>
- <type>checkbox</type>
- </field>
- <field>
- <fieldname>use_lzo</fieldname>
- <fielddescr>LZO compression</fielddescr>
- <description>Checking this will compress the packets using the LZO algorithm before sending them.</description>
- <type>checkbox</type>
- </field>
- <field>
- <fieldname>maxclients</fieldname>
- <fielddescr>Maximum clients</fielddescr>
- <description>The maximum number of concurrently connected clients we want to allow.</description>
- <type>input</type>
- </field>
- <field>
- <fieldname>passtos</fieldname>
- <fielddescr>Pass Type-Of-Service</fielddescr>
- <description>Checking this will set the TOS field of the tunnel packet to what the payload's TOS is.</description>
- <type>checkbox</type>
- </field>
- <field>
- <fieldname>gwredir</fieldname>
- <fielddescr>Redirect Gateway</fielddescr>
- <description>Redirect ALL traffic through the OpenVPN server.</description>
- <type>checkbox</type>
- </field>
- <field>
- <fieldname>custom_options</fieldname>
- <fielddescr>Custom options</fielddescr>
- <description>You can put your own custom options here, separated by semi-colons (;). They'll be added to the server configuration.</description>
- <type>textarea</type>
- <cols>65</cols>
- <rows>5</rows>
- </field>
- <field>
- <fieldname>description</fieldname>
- <fielddescr>Description</fielddescr>
- <description>You may enter a description here. This is optional and is not parsed.</description>
- <type>input</type>
- </field>
- </fields>
- <custom_delete_php_command>
- openvpn_delete('server', $id);
- </custom_delete_php_command>
- <custom_php_command_before_form>
- openvpn_get_ciphers(&amp;$pkg);
- </custom_php_command_before_form>
- <custom_php_after_head_command>
- openvpn_print_javascript('server');
- </custom_php_after_head_command>
- <custom_php_after_form_command>
- openvpn_print_javascript2();
- </custom_php_after_form_command>
- <custom_php_validation_command>
- openvpn_validate_input('server', $_POST, &amp;$input_errors);
- </custom_php_validation_command>
- <custom_php_resync_config_command>
- openvpn_resync('server', $id);
- </custom_php_resync_config_command>
-</packagegui>
diff --git a/usr/local/pkg/openvpn_cli.xml b/usr/local/pkg/openvpn_cli.xml
deleted file mode 100644
index 042b184..0000000
--- a/usr/local/pkg/openvpn_cli.xml
+++ /dev/null
@@ -1,251 +0,0 @@
-<packagegui>
- <name>openvpnclient</name>
- <title>OpenVPN: Client</title>
- <include_file>openvpn.inc</include_file>
- <delete_string>An OpenVPN client has been deleted.</delete_string>
- <addedit_string>An OpenVPN client has been created/modified.</addedit_string>
- <tabs>
- <tab>
- <text>Server</text>
- <url>/pkg.php?xml=openvpn.xml</url>
- </tab>
- <tab>
- <text>Client</text>
- <url>/pkg.php?xml=openvpn_cli.xml</url>
- <active/>
- </tab>
- <tab>
- <text>Client-specific overrides</text>
- <url>/pkg.php?xml=openvpn_csc.xml</url>
- </tab>
- <tab>
- <text>Certificate Authority</text>
- <url>/vpn_openvpn_certs.php</url>
- </tab>
- <tab>
- <text>Users</text>
- <url>/vpn_openvpn_users.php</url>
- </tab>
- </tabs>
- <adddeleteeditpagefields>
- <columnitem>
- <fieldname>disable</fieldname>
- <fielddescr>Disabled</fielddescr>
- <type>checkbox</type>
- </columnitem>
- <columnitem>
- <fieldname>serveraddr</fieldname>
- <fielddescr>Server</fielddescr>
- </columnitem>
- <columnitem>
- <fieldname>protocol</fieldname>
- <fielddescr>Protocol</fielddescr>
- </columnitem>
- <columnitem>
- <fieldname>description</fieldname>
- <fielddescr>Description</fielddescr>
- </columnitem>
- </adddeleteeditpagefields>
- <fields>
- <field>
- <fieldname>disable</fieldname>
- <fielddescr>Disable this tunnel</fielddescr>
- <description>This allows you to disable this tunnel without removing it from the list.</description>
- <required/>
- <type>checkbox</type>
- </field>
- <field>
- <fieldname>protocol</fieldname>
- <fielddescr>Protocol</fielddescr>
- <description>The protocol to be used for the VPN.</description>
- <required/>
- <type>select</type>
- <options>
- <option>
- <value>TCP</value>
- <name>TCP</name>
- </option>
- <option>
- <value>UDP</value>
- <name>UDP</name>
- </option>
- </options>
- <default_value>UDP</default_value>
- </field>
- <field>
- <fieldname>serveraddr</fieldname>
- <fielddescr>Server address</fielddescr>
- <description>This is the address OpenVPN will try to connect to in order to establish the tunnel. Set it to the remote endpoint's address.</description>
- <required/>
- <type>input</type>
- </field>
- <field>
- <fieldname>serverport</fieldname>
- <fielddescr>Server port</fielddescr>
- <description>The port OpenVPN will use to connect to the server. Most people would want to use 1194 here.</description>
- <required/>
- <type>input</type>
- <default_value>1194</default_value>
- <size>5</size>
- </field>
- <field>
- <fieldname>interface_ip</fieldname>
- <fielddescr>Interface IP</fielddescr>
- <description>This specifies the IPs to be assigned to the local interface. Expressed as a CIDR range. The first address in the range will be set to the remote endpoint of the interface, and the second will be assigned to the local endpoint. For TLS VPNs, the interface IPs are assigned by the server pool.</description>
- <type>input</type>
- </field>
- <field>
- <fieldname>remote_network</fieldname>
- <fielddescr>Remote network</fielddescr>
- <description>This is the network that will be accessable from your endpoint. Expressed as a CIDR range. You may leave this blank if all you want is to access the VPN clients. You normally want this set to the remote endpoint's LAN network.</description>
- <type>input</type>
- </field>
- <field>
- <fieldname>proxy_hostname</fieldname>
- <fielddescr>Proxy Host</fielddescr>
- <description>Proxy server hostname.</description>
- <type>input</type>
- </field>
- <field>
- <fieldname>proxy_port</fieldname>
- <fielddescr>Proxy port</fielddescr>
- <description>The port OpenVPN will use on the proxy server.</description>
- <type>input</type>
- <default_value>3128</default_value>
- <size>5</size>
- </field>
- <field>
- <fieldname>crypto</fieldname>
- <fielddescr>Cryptography</fielddescr>
- <description>Here you can choose the cryptography algorithm to be used.</description>
- <required/>
- <type>select</type>
- <default_value>BF-CBC</default_value>
- </field>
- <field>
- <fieldname>auth_method</fieldname>
- <fielddescr>Authentication method</fielddescr>
- <description>The authentication method to be used.</description>
- <required/>
- <type>select</type>
- <options>
- <option>
- <value>shared_key</value>
- <name>Shared key</name>
- </option>
- <option>
- <value>pki</value>
- <name>PKI (Public Key Infrastructure)</name>
- </option>
- </options>
- <onchange>onAuthMethodChanged()</onchange>
- </field>
- <field>
- <fieldname>shared_key</fieldname>
- <fielddescr>Shared key</fielddescr>
- <description>Paste your shared key here.</description>
- <type>textarea</type>
- <encoding>base64</encoding>
- <rows>8</rows>
- <cols>40</cols>
- </field>
- <field>
- <fieldname>ca.crt</fieldname>
- <fielddescr>CA certificate</fielddescr>
- <description>Paste the server's CA certificate in X.509 format here.</description>
- <type>textarea</type>
- <encoding>base64</encoding>
- <rows>8</rows>
- <cols>40</cols>
- </field>
- <field>
- <fieldname>client.crt</fieldname>
- <fielddescr>Client certificate</fielddescr>
- <description>Paste your client certificate in X.509 format here.</description>
- <type>textarea</type>
- <encoding>base64</encoding>
- <rows>8</rows>
- <cols>40</cols>
- </field>
- <field>
- <fieldname>client.key</fieldname>
- <fielddescr>Client key</fielddescr>
- <description>Paste your client key in RSA format here.</description>
- <type>textarea</type>
- <encoding>base64</encoding>
- <rows>8</rows>
- <cols>40</cols>
- </field>
- <field>
- <fieldname>tls</fieldname>
- <fielddescr>TLS</fielddescr>
- <description>Paste your HMAC signature (TLS) here (optional).</description>
- <type>textarea</type>
- <encoding>base64</encoding>
- <rows>8</rows>
- <cols>40</cols>
- </field>
- <field>
- <fieldname>use_lzo</fieldname>
- <fielddescr>LZO compression</fielddescr>
- <description>Checking this will compress the packets using the LZO algorithm before sending them.</description>
- <type>checkbox</type>
- </field>
- <field>
- <fieldname>use_shaper</fieldname>
- <fielddescr>Limit outgoing bandwidth</fielddescr>
- <description>Maximum outgoing bandwidth for this tunnel. Leave empty for no limit. The input value has to be something between 100 bytes/sec and 100 Mbytes/sec (entered as bytes per second).</description>
- <type>input</type>
- </field>
- <field>
- <fieldname>use_dynamicport</fieldname>
- <fielddescr>Dynamic sourceport</fielddescr>
- <description>Checking this will let the openvpn client choose a dynamic sourceport for this connection.</description>
- <type>checkbox</type>
- </field>
- <field>
- <fieldname>passtos</fieldname>
- <fielddescr>Pass Type-Of-Service</fielddescr>
- <description>Checking this will set the TOS field of the tunnel packet to what the payload's TOS is.</description>
- <type>checkbox</type>
- </field>
- <field>
- <fieldname>infiniteresolvretry</fieldname>
- <fielddescr>Infinitely resolve server</fielddescr>
- <description>Infinitely retry to resolve the host name of the OpenVPN server. Useful for not permanently internet-connected machines.</description>
- <type>checkbox</type>
- </field>
- <field>
- <fieldname>custom_options</fieldname>
- <fielddescr>Custom options</fielddescr>
- <description>You can put your own custom options here, separated by semi-colons (;). They'll be added to the client configuration.</description>
- <type>textarea</type>
- <cols>65</cols>
- <rows>5</rows>
- </field>
- <field>
- <fieldname>description</fieldname>
- <fielddescr>Description</fielddescr>
- <description>You may enter a description here. This is optional and is not parsed.</description>
- <type>input</type>
- </field>
- </fields>
- <custom_delete_php_command>
- openvpn_delete('client', $id);
- </custom_delete_php_command>
- <custom_php_command_before_form>
- openvpn_get_ciphers(&amp;$pkg);
- </custom_php_command_before_form>
- <custom_php_after_head_command>
- openvpn_print_javascript('client');
- </custom_php_after_head_command>
- <custom_php_after_form_command>
- openvpn_print_javascript2();
- </custom_php_after_form_command>
- <custom_php_validation_command>
- openvpn_validate_input('client', $_POST, &amp;$input_errors);
- </custom_php_validation_command>
- <custom_php_resync_config_command>
- openvpn_resync('client', $id);
- </custom_php_resync_config_command>
-</packagegui>
diff --git a/usr/local/pkg/openvpn_csc.xml b/usr/local/pkg/openvpn_csc.xml
deleted file mode 100644
index 0e2f986..0000000
--- a/usr/local/pkg/openvpn_csc.xml
+++ /dev/null
@@ -1,177 +0,0 @@
-<packagegui>
- <name>openvpncsc</name>
- <title>OpenVPN: Client-specific configuration</title>
- <include_file>openvpn.inc</include_file>
- <delete_string>An OpenVPN client-specific configuration has been deleted.</delete_string>
- <addedit_string>An OpenVPN client-specific configuration has been created/modified.</addedit_string>
- <tabs>
- <tab>
- <text>Server</text>
- <url>/pkg.php?xml=openvpn.xml</url>
- </tab>
- <tab>
- <text>Client</text>
- <url>/pkg.php?xml=openvpn_cli.xml</url>
- </tab>
- <tab>
- <text>Client-specific overrides</text>
- <url>/pkg.php?xml=openvpn_csc.xml</url>
- <active/>
- </tab>
- <tab>
- <text>Certificate Authority</text>
- <url>/vpn_openvpn_certs.php</url>
- </tab>
- <tab>
- <text>Users</text>
- <url>/vpn_openvpn_users.php</url>
- </tab>
- </tabs>
- <adddeleteeditpagefields>
- <columnitem>
- <fieldname>disable</fieldname>
- <fielddescr>Disabled</fielddescr>
- <type>checkbox</type>
- </columnitem>
- <columnitem>
- <fieldname>commonname</fieldname>
- <fielddescr>Common name</fielddescr>
- </columnitem>
- <columnitem>
- <fieldname>description</fieldname>
- <fielddescr>Description</fielddescr>
- </columnitem>
- </adddeleteeditpagefields>
- <fields>
- <field>
- <fieldname>disable</fieldname>
- <fielddescr>Disabled</fielddescr>
- <description>Set this option to disable this client-specific configuration without removing it from the list.</description>
- <required/>
- <type>checkbox</type>
- </field>
- <field>
- <fieldname>commonname</fieldname>
- <fielddescr>Common name</fielddescr>
- <description>Enter the client's X.509 common name here.</description>
- <required/>
- <type>input</type>
- </field>
- <field>
- <fieldname>block</fieldname>
- <fielddescr>Blocked</fielddescr>
- <description>Check this to block (disable) this client, based on its common name. Don't use this option to disable a client due to key or password compromise. Use a CRL (certificate revocation list) instead.</description>
- <type>checkbox</type>
- </field>
- <field>
- <fieldname>push_reset</fieldname>
- <fielddescr>Push reset</fielddescr>
- <description>Setting this option will make this client not inherit the global push options.</description>
- <type>checkbox</type>
- </field>
- <field>
- <fieldname>ifconfig_push</fieldname>
- <fielddescr>Interface IP</fielddescr>
- <description>Set this option to push an IP to the client's interface. Expressed as a CIDR range (e.g. 10.5.0.0/16). The first IP in the range will be used as the remote IP of the interface, and the second IP will be used as the local IP of the interface.</description>
- <type>input</type>
- </field>
-
- <field>
- <fieldname>dhcp_domainname</fieldname>
- <fielddescr>DHCP-Opt.: DNS-Domainname</fielddescr>
- <description>Set connection-specific DNS Suffix.</description>
- <type>input</type>
- </field>
- <field>
- <fieldname>dhcp_dns</fieldname>
- <fielddescr>DHCP-Opt.: DNS-Server</fielddescr>
- <description>Set domain name server addresses, separated by semi-colons (;).</description>
- <type>input</type>
- </field>
- <field>
- <fieldname>dhcp_wins</fieldname>
- <fielddescr>DHCP-Opt.: WINS-Server</fielddescr>
- <description>Set WINS server addresses (NetBIOS over TCP/IP Name Server), separated by semi-colons (;).</description>
- <type>input</type>
- </field>
- <field>
- <fieldname>dhcp_nbdd</fieldname>
- <fielddescr>DHCP-Opt.: NBDD-Server</fielddescr>
- <description>Set NBDD server addresses (NetBIOS over TCP/IP Datagram Distribution Server), separated by semi-colons (;).</description>
- <type>input</type>
- </field>
- <field>
- <fieldname>dhcp_ntp</fieldname>
- <fielddescr>DHCP-Opt.: NTP-Server</fielddescr>
- <description>Set NTP server addresses (Network Time Protocol), separated by semi-colons (;).</description>
- <type>input</type>
- </field>
- <field>
- <fieldname>dhcp_nbttype</fieldname>
- <fielddescr>DHCP-Opt.: NetBIOS node type</fielddescr>
- <description>Set NetBIOS over TCP/IP Node type. Possible options: b-node (broadcasts), p-node (point-to-point name queries to a WINS server), m-node (broadcast then query name server), and h-node (query name server, then broadcast).</description>
- <type>select</type>
- <options>
- <option>
- <value>0</value>
- <name>none</name>
- </option>
- <option>
- <value>1</value>
- <name>b-node</name>
- </option>
- <option>
- <value>2</value>
- <name>p-node</name>
- </option>
- <option>
- <value>4</value>
- <name>m-node</name>
- </option>
- <option>
- <value>8</value>
- <name>h-node</name>
- </option>
- </options>
- <default_value>0</default_value>
- </field>
- <field>
- <fieldname>dhcp_nbtscope</fieldname>
- <fielddescr>DHCP-Opt.: NetBIOS Scope</fielddescr>
- <description>Set NetBIOS over TCP/IP Scope. A NetBIOS Scope ID provides an extended naming service for NetBIOS over TCP/IP. The NetBIOS scope ID isolates NetBIOS traffic on a single network to only those nodes with the same NetBIOS scope ID.</description>
- <type>input</type>
- </field>
- <field>
- <fieldname>dhcp_nbtdisable</fieldname>
- <fielddescr>DHCP-Opt.: Disable NetBIOS</fielddescr>
- <description>If this option is set, Netbios-over-TCP/IP will be disabled.</description>
- <type>checkbox</type>
- </field>
- <field>
- <fieldname>gwredir</fieldname>
- <fielddescr>Redirect Gateway</fielddescr>
- <description>Redirect ALL traffic through the OpenVPN server.</description>
- <type>checkbox</type>
- </field>
- <field>
- <fieldname>custom_options</fieldname>
- <fielddescr>Custom options</fielddescr>
- <description>You can put your own custom options here, separated by semi-colons (;). They'll be added to the client-specific configuration.</description>
- <type>textarea</type>
- <cols>65</cols>
- <rows>5</rows>
- </field>
- <field>
- <fieldname>description</fieldname>
- <fielddescr>Description</fielddescr>
- <description>You may enter a description here for your reference (not parsed).</description>
- <type>input</type>
- </field>
- </fields>
- <custom_php_validation_command>
- openvpn_validate_input_csc($_POST, &amp;$input_errors);
- </custom_php_validation_command>
- <custom_php_resync_config_command>
- openvpn_resync_csc($id);
- </custom_php_resync_config_command>
-</packagegui>
diff --git a/usr/local/www/fbegin.inc b/usr/local/www/fbegin.inc
index 80da3e5..9400d0f 100755
--- a/usr/local/www/fbegin.inc
+++ b/usr/local/www/fbegin.inc
@@ -130,6 +130,7 @@ if ($_REQUEST['noticeaction'] == 'acknowledge') {
<?=output_menu_item("/wizard.php?xml=setup_wizard.xml", "Setup Wizard");?>
<?=output_menu_item("/system_gateways.php", "Routing");?>
<?=output_menu_item("/firewall_system_tunables.php", "Tunables");?>
+ <?=output_menu_item("/system_camanager.php", "Cert Manager");?>
<?=output_menu_item("/system_usermanager.php", "User Manager");?>
</ul>
</li>
@@ -216,7 +217,7 @@ if ($_REQUEST['noticeaction'] == 'acknowledge') {
<div>VPN</div>
<ul class="subdrop">
<?=output_menu_item("/vpn_ipsec.php", "IPsec");?>
- <?=output_menu_item("/pkg.php?xml=openvpn.xml", "OpenVPN");?>
+ <?=output_menu_item("/vpn_openvpn_server.php", "OpenVPN");?>
<?=output_menu_item("/vpn_pptp.php", "PPTP");?>
<?php echo return_ext_menu("VPN"); ?>
</ul>
diff --git a/usr/local/www/firewall_rules.php b/usr/local/www/firewall_rules.php
index b1d0fad..274076d 100755
--- a/usr/local/www/firewall_rules.php
+++ b/usr/local/www/firewall_rules.php
@@ -72,11 +72,8 @@ if (isset($config['ipsec']['enable']) || isset($config['ipsec']['mobileclients']
$iflist["enc0"] = "IPsec";
/* add openvpn/tun interfaces */
-if ($config['installedpackages']["openvpnserver"] || $config['installedpackages']["openvpnclient"]) {
- if (is_array($config['installedpackages']["openvpnserver"]['config']) ||
- is_array($config['installedpackages']["openvpnclient"]['config']))
- $iflist["openvpn"] = "OpenVPN";
-}
+if ($config['openvpn']["openvpn-server"] || $config['openvpn']["openvpn-client"])
+ $iflist["openvpn"] = "OpenVPN";
if (!$if || !isset($iflist[$if])) {
if ("any" == $if)
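Review bot: The new condition at the `if ($config['openvpn']["openvpn-server"] || ...)` line drops the `is_array()` guard the removed block had, so a non-array value (for instance an empty element the XML parser may turn into a string) now also enables the OpenVPN pseudo-interface, and on a config with no `openvpn` section at all the lookup emits undefined-index notices. Suggest keeping the shape check and guarding the parent key: `if (isset($config['openvpn']) && (is_array($config['openvpn']['openvpn-server']) || is_array($config['openvpn']['openvpn-client'])))`. The same replacement appears in the firewall_rules_edit.php hunk (its `if ($config['openvpn']["openvpn-server"] || ...)` line) and should be fixed the same way.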
diff --git a/usr/local/www/firewall_rules_edit.php b/usr/local/www/firewall_rules_edit.php
index dce748b..f7e82db 100755
--- a/usr/local/www/firewall_rules_edit.php
+++ b/usr/local/www/firewall_rules_edit.php
@@ -525,12 +525,8 @@ include("head.inc");
$interfaces["enc0"] = "IPsec";
/* add openvpn/tun interfaces */
- if ($config['installedpackages']["openvpnserver"] || $config['installedpackages']["openvpnclient"]) {
- if (is_array($config['installedpackages']["openvpnserver"]['config']) ||
- is_array($config['installedpackages']["openvpnclient"]['config']))
- $interfaces["openvpn"] = "OpenVPN";
- }
-
+ if ($config['openvpn']["openvpn-server"] || $config['openvpn']["openvpn-client"])
+ $interfaces["openvpn"] = "OpenVPN";
foreach ($interfaces as $iface => $ifacename): ?>
<option value="<?=$iface;?>" <?php if ($pconfig['interface'] <> "" && stristr($pconfig['interface'], $iface)) echo "selected"; ?>><?=gettext($ifacename);?></option>
diff --git a/usr/local/www/guiconfig.inc b/usr/local/www/guiconfig.inc
index c704f5e..152ab87 100755
--- a/usr/local/www/guiconfig.inc
+++ b/usr/local/www/guiconfig.inc
@@ -147,6 +147,13 @@ $radius_srvcs = array(
'auth' => "Authentication",
'acct' => "Accounting");
+$netbios_nodetypes = array(
+ '0' => "none",
+ '1' => "b-node",
+ '2' => "p-node",
+ '4' => "m-node",
+ '5' => "h-node");
+
/* some well knows ports */
$wkports = array(
3389 => "MS RDP",
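Review bot: The new `$netbios_nodetypes` array maps h-node to `'5'`, but the NetBIOS node types are bit values (b-node 1, p-node 2, m-node 4, h-node 8), and the openvpn_csc.xml deleted in this same commit used `8` for h-node in its dhcp_nbttype options. If this array is what the new OpenVPN pages use to render and validate the node-type select, configurations that stored `8` would presumably no longer match a known key and an h-node selection would push a value OpenVPN does not recognise. Change the last entry to `'8' => "h-node");`.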
@@ -940,4 +947,4 @@ function print_rfc2616_select($tag, $current){
}
}
-?> \ No newline at end of file
+?>
diff --git a/usr/local/www/system_authservers.php b/usr/local/www/system_authservers.php
index e85c615..40687cc 100644
--- a/usr/local/www/system_authservers.php
+++ b/usr/local/www/system_authservers.php
@@ -344,10 +344,8 @@ function radius_srvcschange(){
$tab_array = array();
$tab_array[] = array(gettext("Users"), false, "system_usermanager.php");
$tab_array[] = array(gettext("Groups"), false, "system_groupmanager.php");
- $tab_array[] = array(gettext("CAs"), false, "system_camanager.php");
- $tab_array[] = array(gettext("Certificates"), false, "system_certmanager.php");
- $tab_array[] = array(gettext("Servers"), true, "system_authservers.php");
$tab_array[] = array(gettext("Settings"), false, "system_usermanager_settings.php");
+ $tab_array[] = array(gettext("Servers"), true, "system_authservers.php");
display_top_tabs($tab_array);
?>
</td>
diff --git a/usr/local/www/system_camanager.php b/usr/local/www/system_camanager.php
index 168372c..dff286d 100644
--- a/usr/local/www/system_camanager.php
+++ b/usr/local/www/system_camanager.php
@@ -194,12 +194,8 @@ function method_change() {
<td class="tabnavtbl">
<?php
$tab_array = array();
- $tab_array[] = array(gettext("Users"), false, "system_usermanager.php");
- $tab_array[] = array(gettext("Groups"), false, "system_groupmanager.php");
$tab_array[] = array(gettext("CAs"), true, "system_camanager.php");
$tab_array[] = array(gettext("Certificates"), false, "system_certmanager.php");
- $tab_array[] = array(gettext("Servers"), false, "system_authservers.php");
- $tab_array[] = array(gettext("Settings"), false, "system_usermanager_settings.php");
display_top_tabs($tab_array);
?>
</td>
diff --git a/usr/local/www/system_certmanager.php b/usr/local/www/system_certmanager.php
index 327aea9..7ca0ff4 100644
--- a/usr/local/www/system_certmanager.php
+++ b/usr/local/www/system_certmanager.php
@@ -316,12 +316,8 @@ function internalca_change() {
<td class="tabnavtbl">
<?php
$tab_array = array();
- $tab_array[] = array(gettext("Users"), false, "system_usermanager.php");
- $tab_array[] = array(gettext("Groups"), false, "system_groupmanager.php");
$tab_array[] = array(gettext("CAs"), false, "system_camanager.php");
$tab_array[] = array(gettext("Certificates"), true, "system_certmanager.php");
- $tab_array[] = array(gettext("Servers"), false, "system_authservers.php");
- $tab_array[] = array(gettext("Settings"), false, "system_usermanager_settings.php");
display_top_tabs($tab_array);
?>
</td>
diff --git a/usr/local/www/system_groupmanager.php b/usr/local/www/system_groupmanager.php
index 2c848b2..7991a59 100644
--- a/usr/local/www/system_groupmanager.php
+++ b/usr/local/www/system_groupmanager.php
@@ -225,10 +225,8 @@ function presubmit() {
$tab_array = array();
$tab_array[] = array(gettext("Users"), false, "system_usermanager.php");
$tab_array[] = array(gettext("Groups"), true, "system_groupmanager.php");
- $tab_array[] = array(gettext("CAs"), false, "system_camanager.php");
- $tab_array[] = array(gettext("Certificates"), false, "system_certmanager.php");
- $tab_array[] = array(gettext("Servers"), false, "system_authservers.php");
$tab_array[] = array(gettext("Settings"), false, "system_usermanager_settings.php");
+ $tab_array[] = array(gettext("Servers"), false, "system_authservers.php");
display_top_tabs($tab_array);
?>
</ul>
@@ -239,19 +237,6 @@ function presubmit() {
<?php if($_GET['act']=="new" || $_GET['act']=="edit"): ?>
- <script src="/javascript/scriptaculous/prototype.js" type="text/javascript"></script>
- <script type="text/javascript">
- function checkall() {
- var el = document.getElementById('iform');
- for (var i = 0; i < el.elements.length; i++)
- el.elements[i].checked = true;
- }
- function checknone() {
- var el = document.getElementById('iform');
- for (var i = 0; i < el.elements.length; i++)
- el.elements[i].checked = false;
- }
- </script>
<form action="system_groupmanager.php" method="post" name="iform" id="iform" onsubmit="presubmit()">
<table width="100%" border="0" cellpadding="6" cellspacing="0">
<?php
diff --git a/usr/local/www/system_usermanager.php b/usr/local/www/system_usermanager.php
index 979b2fb..665df34 100644
--- a/usr/local/www/system_usermanager.php
+++ b/usr/local/www/system_usermanager.php
@@ -276,10 +276,8 @@ function presubmit() {
$tab_array = array();
$tab_array[] = array(gettext("Users"), true, "system_usermanager.php");
$tab_array[] = array(gettext("Groups"), false, "system_groupmanager.php");
- $tab_array[] = array(gettext("CAs"), false, "system_camanager.php");
- $tab_array[] = array(gettext("Certificates"), false, "system_certmanager.php");
- $tab_array[] = array(gettext("Servers"), false, "system_authservers.php");
$tab_array[] = array(gettext("Settings"), false, "system_usermanager_settings.php");
+ $tab_array[] = array(gettext("Servers"), false, "system_authservers.php");
display_top_tabs($tab_array);
?>
</td>
diff --git a/usr/local/www/system_usermanager_addcert.php b/usr/local/www/system_usermanager_addcert.php
index f14c653..3b3a417 100644
--- a/usr/local/www/system_usermanager_addcert.php
+++ b/usr/local/www/system_usermanager_addcert.php
@@ -173,10 +173,8 @@ function internalca_change() {
$tab_array = array();
$tab_array[] = array(gettext("Users"), true, "system_usermanager.php");
$tab_array[] = array(gettext("Groups"), false, "system_groupmanager.php");
- $tab_array[] = array(gettext("CAs"), false, "system_camanager.php");
- $tab_array[] = array(gettext("Certificates"), false, "system_usermanager_addcert.php");
- $tab_array[] = array(gettext("Servers"), false, "system_authservers.php");
$tab_array[] = array(gettext("Settings"), false, "system_usermanager_settings.php");
+ $tab_array[] = array(gettext("Servers"), false, "system_authservers.php");
display_top_tabs($tab_array);
?>
</td>
diff --git a/usr/local/www/system_usermanager_settings.php b/usr/local/www/system_usermanager_settings.php
index ca89dfa..8f82622 100755
--- a/usr/local/www/system_usermanager_settings.php
+++ b/usr/local/www/system_usermanager_settings.php
@@ -220,10 +220,8 @@ include("head.inc");
$tab_array = array();
$tab_array[] = array(gettext("Users"), false, "system_usermanager.php");
$tab_array[] = array(gettext("Groups"), false, "system_groupmanager.php");
- $tab_array[] = array(gettext("CAs"), false, "system_camanager.php");
- $tab_array[] = array(gettext("Certificates"), false, "system_certmanager.php");
- $tab_array[] = array(gettext("Servers"), false, "system_authservers.php");
$tab_array[] = array(gettext("Settings"), true, "system_usermanager_settings.php");
+ $tab_array[] = array(gettext("Servers"), false, "system_authservers.php");
display_top_tabs($tab_array);
/* Default to pfsense backend type if none is defined */
diff --git a/usr/local/www/vpn_ipsec_phase1.php b/usr/local/www/vpn_ipsec_phase1.php
index f081b45..7c59c00 100644
--- a/usr/local/www/vpn_ipsec_phase1.php
+++ b/usr/local/www/vpn_ipsec_phase1.php
@@ -304,17 +304,8 @@ if ($_POST) {
$ph1ent['pinghost'] = $pconfig['pinghost'];
/* generate unique phase1 ikeid */
- if ($ph1ent['ikeid'] == 0) {
- while (true) {
- $ph1ent['ikeid']++;
- foreach ($a_phase1 as $ph1tmp)
- if( $ph1ent['ikeid'] == $ph1tmp['ikeid'] )
- break;
-
- if( $ph1ent['ikeid'] != $ph1tmp['ikeid'] )
- break;
- }
- }
+ if ($ph1ent['ikeid'] == 0)
+ $ph1ent['ikeid'] = ipsec_ikeid_next();
if (isset($p1index) && $a_phase1[$p1index])
$a_phase1[$p1index] = $ph1ent;
diff --git a/usr/local/www/vpn_openvpn.php b/usr/local/www/vpn_openvpn.php
deleted file mode 100755
index 896a4cc..0000000
--- a/usr/local/www/vpn_openvpn.php
+++ /dev/null
@@ -1,363 +0,0 @@
-<?php
-/*
- vpn_openvpn.php
-
- Copyright (C) 2004 Peter Curran (peter@closeconsultants.com).
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-require("guiconfig.inc");
-require_once("openvpn.inc");
-
-if (!is_array($config['ovpn']))
- $config['ovpn'] = array();
-if (!is_array($config['ovpn']['server'])){
- $config['ovpn']['server'] = array();
- $config['ovpn']['server']['tun_iface'] = "tun0";
- $config['ovpn']['server']['psh_options'] = array();
- /* Initialise with some sensible defaults */
- $config['ovpn']['server']['port'] = 5000;
- $config['ovpn']['server']['proto'] = 'UDP';
- $config['ovpn']['server']['maxcli'] = 25;
- $config['ovpn']['server']['crypto'] = 'BF-CBC';
- $config['ovpn']['server']['dupcn'] = true;
- $config['ovpn']['server']['verb'] = 1;
-}
-
-if ($_POST) {
-
- unset($input_errors);
-
- /* input validation */
- if (isset($_POST['enable'])) {
- $reqdfields = explode(" ", "tun_iface bind_iface ipblock");
- $reqdfieldsn = explode(",", "Tunnel type,Interface binding,IP address block start");
-
- do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
-
- }
-
- /* need a test here to make sure prefix and max_clients are coherent */
-
- /* Sort out the cert+key files */
- if (is_null($_POST['ca_cert']))
- $input_errors[] = "You must provide a CA certificate file";
- elseif (!strstr($_POST['ca_cert'], "BEGIN CERTIFICATE") || !strstr($_POST['ca_cert'], "END CERTIFICATE"))
- $input_errors[] = "The CA certificate does not appear to be valid.";
-
- if (is_null($_POST['srv_cert']))
- $input_errors[] = "You must provide a server certificate file";
- elseif (!strstr($_POST['srv_cert'], "BEGIN CERTIFICATE") || !strstr($_POST['srv_cert'], "END CERTIFICATE"))
- $input_errors[] = "The server certificate does not appear to be valid.";
-
- if (is_null($_POST['srv_key']))
- $input_errors[] = "You must provide a server key file";
- elseif (!strstr($_POST['srv_key'], "BEGIN RSA PRIVATE KEY") || !strstr($_POST['srv_key'], "END RSA PRIVATE KEY"))
- $input_errors[] = "The server key does not appear to be valid.";
-
- if (is_null($_POST['dh_param']))
- $input_errors[] = "You must provide a DH parameters file";
- elseif (!strstr($_POST['dh_param'], "BEGIN DH PARAMETERS") || !strstr($_POST['dh_param'], "END DH PARAMETERS"))
- $input_errors[] = "The DH parameters do not appear to be valid.";
-
- if (!$input_errors) {
- $server =& $config['ovpn']['server'];
- $server['enable'] = $_POST['enable'] ? true : false;
- /* Make sure that the tunnel interface type has not changed */
- if ($server['tun_iface'] != $_POST['tun_iface']){
- $server['tun_iface'] = $_POST['tun_iface'];
-
- }
-
- $server['bind_iface'] = $_POST['bind_iface'];
- $server['port'] = $_POST['port'];
- $server['proto'] = $_POST['proto'];
-
- /* Make sure the IP address and/or prefix have not changed */
- if ($server['ipblock'] != $_POST['ipblock']){
- $server['ipblock'] = $_POST['ipblock'];
- }
- if ($server['prefix'] != $_POST['prefix']){
- $server['prefix'] = $_POST['prefix'];
- }
-
- $server['maxcli'] = $_POST['maxcli'];
- $server['crypto'] = $_POST['crypto'];
- $server['cli2cli'] = $_POST['cli2cli'] ? true : false;
- $server['dupcn'] = $_POST['dupcn'] ? true : false;
- $server['psh_options']['redir'] = $_POST['psh_redir'] ? true : false;
- $server['psh_options']['redir_loc'] = $_POST['psh_redir_loc'] ? true : false;
- if ($_POST['psh_rtedelay'])
- $server['psh_options']['rtedelay'] = $_POST['psh_rtedelay_int'];
- if ($_POST['psh_ping'])
- $server['psh_options']['ping'] = $_POST['psh_ping_int'];
- if ($_POST['psh_pingexit'])
- $server['psh_options']['pingexit'] = $_POST['psh_pingexit_int'];
- if ($_POST['psh_pingrst'])
- $server['psh_options']['pingrst'] = $_POST['psh_pingrst_int'];
- if ($_POST['inact'])
- $server['psh_options']['inact'] = $_POST['psh_inact_int'];
- $server['ca_cert'] = base64_encode($_POST['ca_cert']);
- $server['srv_cert'] = base64_encode($_POST['srv_cert']);
- $server['srv_key'] = base64_encode($_POST['srv_key']);
- $server['dh_param'] = base64_encode($_POST['dh_param']);
-
- write_config();
-
- $retval = 0;
- if (file_exists($d_sysrebootreqd_path)) {
- /* Rewrite interface definitions */
- $retval = ovpn_server_iface();
- }
- else{
- ovpn_lock();
- $retval = ovpn_config_server($server['enable']);
- ovpn_unlock();
- }
- $savemsg = get_std_save_message($retval);
- }
-}
-
-/* Simply take a copy of the array */
-$pconfig = $config['ovpn']['server'];
-
-$pgtitle = array("VPN","OpenVPN");
-include("head.inc");
-
-?>
-
-<?php include("fbegin.inc"); ?>
-<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-<?php if ($input_errors) print_input_errors($input_errors); ?>
-
-<form action="vpn_openvpn.php" method="post" enctype="multipart/form-data" name="iform" id="iform">
-<table width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr><td>
-<?php
- $tab_array = array();
- $tab_array[] = array("Server", true, "vpn_openvpn.php");
- $tab_array[] = array("Client", false, "vpn_openvpn_cli.php");
- display_top_tabs($tab_array);
-?>
- </td></tr>
- <tr>
- <td>
- <div id="mainarea">
- <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0">
- <tr>
- <td colspan="2">
- <strong><span class="red">WARNING: This feature is experimental and modifies your optional interface configuration.
- Backup your configuration before using OpenVPN, and restore it before upgrading.<br>
-&nbsp; <br>
- </span></strong>
- </td></tr>
- <tr>
- <td width="22%" valign="top" class="vtable">&nbsp;</td>
- <td width="78%" class="vtable">
- <input name="enable" type="checkbox" value="yes" <?php if (isset($pconfig['enable'])) echo "checked"; ?>>
- <strong>Enable OpenVPN server </strong></td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncellreq">Tunnel type</td>
- <td width="78%" class="vtable">
- <input type="radio" name="tun_iface" class="formfld" value="tun0" <?php if ($pconfig['tun_iface'] == 'tun0') echo "checked"; ?>>
- TUN&nbsp;
- <input type="radio" name="tun_iface" class="formfld" value="tap0" <?php if ($pconfig['tun_iface'] == 'tap0') echo "checked"; ?>>
- TAP
- </td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">OpenVPN protocol/port</td>
- <td width="78%" class="vtable">
- <input type="radio" name="proto" class="formfld" value="UDP" <?php if ($pconfig['proto'] == 'UDP') echo "checked"; ?>>
- UDP&nbsp;
- <input type="radio" name="proto" class="formfld" value="TCP" <?php if ($pconfig['proto'] == 'TCP') echo "checked"; ?>>
- TCP<br><br>
- Port:
- <input name="port" type="text" class="formfld" size="5" maxlength="5" value="<?= $pconfig['port']; ?>"><br>
- Enter the port number to use for the server (default is 5000).</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncellreq">Interface binding</td>
- <td width="78%" class="vtable">
- <select name="bind_iface" class="formfld">
- <?php
- $interfaces = ovpn_real_interface_list();
- foreach ($interfaces as $key => $iface):
- ?>
- <option value="<?=$key;?>" <?php if ($key == $pconfig['bind_iface']) echo "selected"; ?>> <?= $iface;?>
- </option>
- <?php endforeach;?>
- </select>
- <span class="vexpl"><br>
- Choose an interface for the OpenVPN server to listen on.</span></td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncellreq">IP address block</td>
- <td width="78%" class="vtable">
- <input name="ipblock" type="text" class="formfld" size="20" value="<?=htmlspecialchars($pconfig['ipblock']);?>">
- /
- <select name="prefix" class="formfld">
- <?php for ($i = 29; $i > 19; $i--): ?>
- <option value="<?=$i;?>" <?php if ($i == $pconfig['prefix']) echo "selected"; ?>>
- <?=$i;?>
- </option>
- <?php endfor; ?>
- </select>
- <br>
- Enter the IP address block for the OpenVPN server and clients to use.<br>
- <br>
- Maximum number of simultaneous clients:
- <input name="maxcli" type="text" class="formfld" size="3" maxlength="3" value="<?=htmlspecialchars($pconfig['maxcli']);?>">
- </td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncellreq">CA certificate</td>
- <td width="78%" class="vtable">
- <textarea name="ca_cert" cols="65" rows="4" class="formpre"><?=htmlspecialchars(base64_decode($pconfig['ca_cert']));?></textarea>
- <br>
- Paste a CA certificate in X.509 PEM format here.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncellreq">Server certificate</td>
- <td width="78%" class="vtable">
- <textarea name="srv_cert" cols="65" rows="4" class="formpre"><?=htmlspecialchars(base64_decode($pconfig['srv_cert']));?></textarea>
- <br>
- Paste a server certificate in X.509 PEM format here.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncellreq">Server key</td>
- <td width="78%" class="vtable">
- <textarea name="srv_key" cols="65" rows="4" class="formpre"><?=htmlspecialchars(base64_decode($pconfig['srv_key']));?></textarea>
- <br>Paste the server RSA private key here.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncellreq">DH parameters</td>
- <td width="78%" class="vtable">
- <textarea name="dh_param" cols="65" rows="4" class="formpre"><?=htmlspecialchars(base64_decode($pconfig['dh_param']));?></textarea>
- <br>
- Paste the Diffie-Hellman parameters in PEM format here.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">Crypto</td>
- <td width="78%" class="vtable">
- <select name="crypto" class="formfld">
- <?php $cipher_list = ovpn_get_cipher_list();
- foreach($cipher_list as $key => $value){
- ?>
- <option value="<?= $key ?>" <?php if ($pconfig['crypto'] == $key) echo "selected"; ?>>
- <?= $value ?>
- </option>
- <?php
- }
- ?>
- </select>
- <br>
- Select a data channel encryption cipher.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">Internal routing mode</td>
- <td width="78%" class="vtable">
- <input name="cli2cli" type="checkbox" value="yes" <?php if (isset($pconfig['cli2cli'])) echo "checked"; ?>>
- <strong>Enable client-to-client routing</strong><br>
- If this option is on, clients are allowed to talk to each other.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">Client authentication</td>
- <td width="78%" class="vtable">
- <input name="dupcn" type="checkbox" value="yes" <?php if (isset($pconfig['dupcn'])) echo "checked"; ?>>
- <strong>Permit duplicate client certificates</strong><br>
- If this option is on, clients with duplicate certificates will not be disconnected.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">Client-push options</td>
- <td width="78%" class="vtable">
- <table border="0" cellspacing="0" cellpadding="0">
- <tr>
- <td><input type="checkbox" name="psh_redir" value="yes" <?php if (isset($pconfig['psh_options']['redir'])) echo "checked"; ?>>
- Redirect-gateway</td>
- <td>&nbsp;</td>
- <td><input type="checkbox" name="psh_redir_loc" value="yes" <?php if (isset($pconfig['psh_options']['redir_loc'])) echo "checked"; ?>>
- Local</td>
- </tr>
- <tr>
- <td><input type="checkbox" name="psh_rtedelay" value="yes" <?php if (isset($pconfig['psh_options']['rtedelay'])) echo "checked"; ?>> Route-delay</td>
- <td width="16">&nbsp;</td>
- <td><input type="text" name="psh_rtedelay_int" class="formfld" size="4" value="<?= $pconfig['psh_options']['rtedelay']?>"> seconds</td>
- </tr>
- <tr>
- <td><input type="checkbox" name="psh_inact" value="yes" <?php if (isset($pconfig['psh_options']['inact'])) echo "checked"; ?>>
- Inactive</td>
- <td>&nbsp;</td>
- <td><input type="text" name="psh_inact_int" class="formfld" size="4" value="<?= $pconfig['psh_options']['inact']?>">
- seconds</td>
- </tr>
- <tr>
- <td><input type="checkbox" name="psh_ping" value="yes" <?php if (isset($pconfig['psh_options']['ping'])) echo "checked"; ?>> Ping</td>
- <td>&nbsp;</td>
- <td>Interval: <input type="text" name="psh_ping_int" class="formfld" size="4" value="<?= $pconfig['psh_options']['ping']?>"> seconds</td>
- </tr>
- <tr>
- <td><input type="checkbox" name="psh_pingexit" value="yes" <?php if (isset($pconfig['psh_options']['pingexit'])) echo "checked"; ?>> Ping-exit</td>
- <td>&nbsp;</td>
- <td>Interval: <input type="text" name="psh_pingexit_int" class="formfld" size="4" value="<?= $pconfig['psh_options']['pingexit']?>"> seconds</td>
- </tr>
- <tr>
- <td><input type="checkbox" name="psh_pingrst" value="yes" <?php if (isset($pconfig['psh_options']['pingrst'])) echo "checked"; ?>> Ping-restart</td>
- <td>&nbsp;</td>
- <td>Interval: <input type="text" name="psh_pingrst_int" class="formfld" size="4" value="<?= $pconfig['psh_options']['pingrst']?>"> seconds</td>
- </tr>
- </table></td>
- </tr>
- <tr>
- <td width="22%" valign="top">&nbsp;</td>
- <td width="78%">
- <input name="Submit" type="submit" class="formbtn" value="Save">
- </td>
- </tr>
- <tr>
- <td width="22%" valign="top">&nbsp;</td>
- <td width="78%"><span class="vexpl"><span class="red"><strong>Note:<br>
- </strong></span>Changing any settings on this page will disconnect all clients!</span>
- </td>
- </tr>
- </table>
- </div>
-</td>
-</tr>
-</table>
-</form>
-<?php include("fend.inc"); ?>
diff --git a/usr/local/www/vpn_openvpn_ccd.php b/usr/local/www/vpn_openvpn_ccd.php
deleted file mode 100755
index d8c236d..0000000
--- a/usr/local/www/vpn_openvpn_ccd.php
+++ /dev/null
@@ -1,211 +0,0 @@
-<?php
-/*
- vpn_openvpn_ccd.php
-
- Copyright (C) 2005 Peter Allgeyer (allgeyer@web.de).
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-require("guiconfig.inc");
-require_once("openvpn.inc");
-
-if (!is_array($config['ovpn']))
- $config['ovpn'] = array();
-if (!is_array($config['ovpn']['server'])){
- $config['ovpn']['server'] = array();
- $config['ovpn']['server']['tunnel'] = array();
-}
-if (!is_array($config['ovpn']['server']['ccd']))
- $config['ovpn']['server']['ccd'] = array();
-
-$ovpnccd = &$config['ovpn']['server']['ccd'];
-
-$id = $_GET['id'];
-if (isset($_POST['id']))
- $id = $_POST['id'];
-
-
-if ($_POST['apply']) {
- $retval = 0;
-
- $retval = ovpn_server_ccd_add();
-
-#
-# /* should we send a SIGUSR1 to openvpn daemon? */
-# foreach ($config['ovpn']['server']['tunnel'] as $id => $server) {
-# /* get tunnel interface */
-# $tun = $server['tun_iface'];
-#
-# /* send SIGUSR1 to running openvpn daemon */
-# if (isset($server['enable']))
-# sigkillbypid($g['varrun_path']."/ovpn_srv_{$tun}.pid", "SIGUSR1");
-# }
-#
-
- /* remove dirty flag */
- unlink_if_exists($d_ovpnccddirty_path);
-
- $savemsg = get_std_save_message($retval);
-}
-
-if ($_GET['act'] == "del") {
- if ($ovpnccd[$id]) {
- $ovpnent = $ovpnccd[$id];
-
- unset($ovpnccd[$id]);
- write_config();
-
- /* Remove config files */
- ovpn_server_ccd_del($ovpnent['cn']);
-
- header("Location: vpn_openvpn_ccd.php");
- exit;
- }
-
-} else if ($_GET['act'] == "toggle") {
- if ($ovpnccd[$_GET['id']]) {
- $ovpnccd[$_GET['id']]['enable'] = !isset($ovpnccd[$_GET['id']]['enable']);
- write_config();
- touch($d_ovpnccddirty_path);
- header("Location: vpn_openvpn_ccd.php");
- exit;
- }
-}
-
-$pgtitle = array("VPN","OpenVPN");
-include("head.inc");
-
-?>
-<?php include("fbegin.inc"); ?>
-<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-
-<?php if ($input_errors) print_input_errors($input_errors); ?>
-<?php if (file_exists($d_sysrebootreqd_path) && !file_exists($d_ovpnccddirty_path)) print_info_box(get_std_save_message(0)); ?>
-
-<form action="vpn_openvpn_ccd.php" method="post" enctype="multipart/form-data" name="iform" id="iform">
-<?php if (file_exists($d_ovpnccddirty_path)): ?><p>
-<?php print_info_box_np("OpenVPN client-specific configuration options have been changed.<br>You must apply the changes in order for them to take effect.");?>
-<?php endif; ?>
-
-<table width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr><td>
-<?php
- $tab_array = array();
- $tab_array[] = array("Server", false, "vpn_openvpn_srv.php");
- $tab_array[] = array("Client", false, "vpn_openvpn_cli.php");
- $tab_array[] = array("Client-specific Configuration", true, "vpn_openvpn_ccd.php");
- $tab_array[] = array("CRL", false, "vpn_openvpn_crl.php");
- display_top_tabs($tab_array);
-?>
- </td></tr>
-
- <tr>
- <td>
- <div id="mainarea">
- <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
- <tr>
- <td class="vtable">
- <strong><span class="red">WARNING: This feature is experimental and modifies your optional interface configuration.
- Backup your configuration before using OpenVPN, and restore it before upgrading.
- </span></strong>
- </td>
- </tr>
- </table>
-
- <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr>
- <td width="5%" class="list">&nbsp;</td>
- <td width="38%" class="listhdrr">Common Name</td>
- <td width="47%" class="listhdr">Description</td>
- <td width="10%" class="list"></td>
- </tr>
- <?php $i = 0; foreach ($ovpnccd as $ccd):
-
- if (isset($ccd['disable']))
- $iconfn = "block";
- else
- $iconfn = "pass";
-
- if (!isset($ccd['enable'])) {
- $spans = "<span class=\"gray\">";
- $spane = "</span>";
- $iconfn .= "_d";
- } else {
- $spans = $spane = "";
- }
- ?>
-
- <tr>
- <td class="listt" align="center">
- <a href="?act=toggle&id=<?=$i;?>"><img src="<?=$iconfn;?>.gif"
- width="11" height="11" border="0" title="click to toggle enabled/disabled status"></a>
- </td>
- <td class="listlr"><?=$spans;?>
- <?= $ccd['cn'];?>
- <?=$spane;?></td>
- <td class="listbg"><?=$spans;?>
- <?= htmlspecialchars($ccd['descr']);?>&nbsp;
- <?=$spane;?></td>
- <td valign="middle" nowrap class="list"><a href="vpn_openvpn_ccd_edit.php?id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit client-specific configuration" width="17" height="17" border="0"></a>
- &nbsp;<a href="vpn_openvpn_ccd.php?act=del&id=<?=$i;?>" onclick="return confirm('Do you really want to delete this client-specific configuration?')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete client-specific configuration" width="17" height="17" border="0"></a></td>
- </tr>
- <?php $i++; endforeach; ?>
- <tr>
- <td class="list" colspan="3">&nbsp;</td>
- <td class="list"><a href="vpn_openvpn_ccd_edit.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add client-specific configuration" width="17" height="17" border="0"></a></td>
- </tr>
- </table>
- <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0">
- <tr>
- <td width="16"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_pass.gif" width="11" height="11"></td>
- <td>pass</td>
- <td width="14"></td>
- <td width="16"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_block.gif" width="11" height="11"></td>
- <td>block</td>
- <td width="14"></td>
- <td width="16">&nbsp;</td>
- <td>&nbsp;</td>
- <td width="14"></td>
- <td width="16">&nbsp;</td>
- <td>&nbsp;</td>
- </tr>
- <tr>
- <td><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_pass_d.gif" width="11" height="11"></td>
- <td nowrap>pass (disabled)</td>
- <td>&nbsp;</td>
- <td><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_block_d.gif" width="11" height="11"></td>
- <td nowrap>block (disabled)</td>
- <td>&nbsp;</td>
- <td>&nbsp;</td>
- <td nowrap>&nbsp;</td>
- <td>&nbsp;</td>
- <td width="16">&nbsp;</td>
- <td nowrap>&nbsp;</td>
- </tr>
- </table>
- </td>
-</tr>
-</table>
-</form>
-<?php include("fend.inc"); ?>
diff --git a/usr/local/www/vpn_openvpn_ccd_edit.php b/usr/local/www/vpn_openvpn_ccd_edit.php
deleted file mode 100755
index 4affb4a..0000000
--- a/usr/local/www/vpn_openvpn_ccd_edit.php
+++ /dev/null
@@ -1,420 +0,0 @@
-<?php
-/*
- vpn_openvpn_ccd_edit.php
-
- Copyright (C) 2005 Peter Allgeyer (allgeyer@web.de).
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-$pgtitle = array("VPN", "OpenVPN", "Edit client-specific configuration");
-require("guiconfig.inc");
-require_once("openvpn.inc");
-
-if (!is_array($config['ovpn']))
- $config['ovpn'] = array();
-if (!is_array($config['ovpn']['server']))
- $config['ovpn']['server'] = array();
-if (!is_array($config['ovpn']['server']['ccd']))
- $config['ovpn']['server']['ccd'] = array();
-
-$ovpnccd =& $config['ovpn']['server']['ccd'];
-
-$id = $_GET['id'];
-if (isset($_POST['id']))
- $id = $_POST['id'];
-
-if (isset($id) && $ovpnccd[$id]) {
-
- $pconfig = $config['ovpn']['server']['ccd'][$id];
-
- if (isset($ovpnccd[$id]['enable']))
- $pconfig['enable'] = true;
-
- if (is_array($config['ovpn']['server']['ccd'][$id]['options'])) {
- $pconfig['options'] = "";
- foreach ($ovpnccd[$id]['options']['option'] as $optent) {
- $pconfig['options'] .= $optent . "\n";
- }
- $pconfig['options'] = rtrim($pconfig['options']);
- }
-
-} else {
- /* creating - set defaults */
- $pconfig = array();
- $pconfig['enable'] = true;
-}
-
-if ($_POST) {
-
- unset($input_errors);
- $pconfig = $_POST;
-
- /* input validation */
- $reqdfields = explode(" ", "cn");
- $reqdfieldsn = explode(",", "Common name");
-
- do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
-
- if (preg_match("/[^a-zA-Z0-9\.\-_\:\/\@]/", $_POST['cn']))
- $input_errors[] = "The common name contains invalid characters.";
-
- if ($_POST['psh_pingrst'] && $_POST['psh_pingexit'])
- $input_errors[] = "Ping-restart and Ping-exit are mutually exclusive and cannot be used together";
-
- if ($_POST['psh_rtedelay'] && !is_numeric($_POST['psh_rtedelay_int']))
- $input_errors[] = "Route-delay needs a numerical interval setting.";
-
- if ($_POST['psh_inact'] && !is_numeric($_POST['psh_inact_int']))
- $input_errors[] = "Inactive needs a numerical interval setting.";
-
- if ($_POST['psh_ping'] && !is_numeric($_POST['psh_ping_int']))
- $input_errors[] = "Ping needs a numerical interval setting.";
-
- if ($_POST['psh_pingexit'] && !is_numeric($_POST['psh_pingexit_int']))
- $input_errors[] = "Ping-exit needs a numerical interval setting.";
-
- if ($_POST['psh_pingrst'] && !is_numeric($_POST['psh_pingrst_int']))
- $input_errors[] = "Ping-restart needs a numerical interval setting.";
-
- /* Editing an existing entry? */
- if (!$input_errors && !(isset($id) && $ovpnccd[$id])) {
- /* make sure there are no dupes */
- foreach ($ovpnccd as $ccdent) {
- if ($ccdent['cn'] == $_POST['cn']) {
- $input_errors[] = "Another entry with the same common name already exists.";
- break;
- }
- }
- }
-
- if (isset($id) && $ovpnccd[$id]) {
- $ccdent = $ovpnccd[$id];
-
- /* Has the enable/disable state changed? */
- if (isset($ccdent['enable']) && isset($_POST['disabled'])) {
- /* status changed to disabled */
- touch($d_ovpnccddirty_path);
- }
-
- /* status changed to enable */
- if (!isset($ccdent['enable']) && !isset($_POST['disabled'])) {
- /* touch($d_sysrebootreqd_path); */
- touch($d_ovpnccddirty_path);
- }
- }
-
- if (!$input_errors) {
-
- $ccdent = array();
-
- if (isset($id) && $ovpnccd[$id])
- $ccdent = $ovpnccd[$id];
-
- $ccdent['cn'] = $_POST['cn'];
- $ccdent['descr'] = $_POST['descr'];
- $ccdent['enable'] = $_POST['disabled'] ? false : true;
- $ccdent['disable'] = $_POST['disable'] ? true : false;
-
-
- if (!is_array($options))
- $options = array();
- if (!is_array($ccdent['options']))
- $ccdent['options'] = array();
-
- $options['option'] = array_map('trim', explode("\n", trim($_POST['options'])));
- $ccdent['options'] = $options;
-
- $ccdent['psh_reset'] = $_POST['psh_reset'] ? true : false;
- $ccdent['psh_options']['redir'] = $_POST['psh_redir'] ? true : false;
- $ccdent['psh_options']['redir_loc'] = $_POST['psh_redir_loc'] ? true : false;
- $ccdent['psh_options']['rtedelay'] = $_POST['psh_rtedelay'] ? true : false;
- $ccdent['psh_options']['inact'] = $_POST['psh_inact'] ? true : false;
- $ccdent['psh_options']['ping'] = $_POST['psh_ping'] ? true : false;
- $ccdent['psh_options']['pingrst'] = $_POST['psh_pingrst'] ? true : false;
- $ccdent['psh_options']['pingexit'] = $_POST['psh_pingexit'] ? true : false;
-
- unset($ccdent['psh_options']['rtedelay_int']);
- unset($ccdent['psh_options']['inact_int']);
- unset($ccdent['psh_options']['ping_int']);
- unset($ccdent['psh_options']['pingrst_int']);
- unset($ccdent['psh_options']['pingexit_int']);
-
- if ($_POST['psh_rtedelay_int'])
- $ccdent['psh_options']['rtedelay_int'] = $_POST['psh_rtedelay_int'];
- if ($_POST['psh_inact_int'])
- $ccdent['psh_options']['inact_int'] = $_POST['psh_inact_int'];
- if ($_POST['psh_ping_int'])
- $ccdent['psh_options']['ping_int'] = $_POST['psh_ping_int'];
- if ($_POST['psh_pingrst_int'])
- $ccdent['psh_options']['pingrst_int'] = $_POST['psh_pingrst_int'];
- if ($_POST['psh_pingexit_int'])
- $ccdent['psh_options']['pingexit_int'] = $_POST['psh_pingexit_int'];
-
- if (isset($id) && $ovpnccd[$id])
- $ovpnccd[$id] = $ccdent;
- else
- $ovpnccd[] = $ccdent;
-
- write_config();
- touch($d_ovpnccddirty_path);
-
- header("Location: vpn_openvpn_ccd.php");
- exit;
-
- } else {
-
- $pconfig = $_POST;
-
- $pconfig['enable'] = "true";
- if (isset($_POST['disabled']))
- unset($pconfig['enable']);
-
- $pconfig['psh_reset'] = $_POST['psh_reset'];
- $pconfig['psh_options']['redir'] = $_POST['psh_redir'];
- $pconfig['psh_options']['redir_loc'] = $_POST['psh_redir_loc'];
- $pconfig['psh_options']['rtedelay'] = $_POST['psh_rtedelay'];
- $pconfig['psh_options']['inact'] = $_POST['psh_inact'];
- $pconfig['psh_options']['ping'] = $_POST['psh_ping'];
- $pconfig['psh_options']['pingrst'] = $_POST['psh_pingrst'];
- $pconfig['psh_options']['pingexit'] = $_POST['psh_pingexit'];
-
- $pconfig['psh_options']['rtedelay_int'] = $_POST['psh_rtedelay_int'];
- $pconfig['psh_options']['inact_int'] = $_POST['psh_inact_int'];
- $pconfig['psh_options']['ping_int'] = $_POST['psh_ping_int'];
- $pconfig['psh_options']['pingrst_int'] = $_POST['psh_pingrst_int'];
- $pconfig['psh_options']['pingexit_int'] = $_POST['psh_pingexit_int'];
- }
-}
-
-$pgtitle = "VPN: OpenVPN: Edit client-specific configuration";
-include("head.inc");
-
-?>
-<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-<?php include("fbegin.inc"); ?>
-<?php if ($input_errors) print_input_errors($input_errors);?>
-<script language="JavaScript">
-function enable_change(enable_over) {
- var endis;
- endis = !(!document.iform.disabled.checked || enable_over);
-
- document.iform.cn.disabled = endis;
- document.iform.disable.disabled = endis;
- document.iform.descr.disabled = endis;
- document.iform.psh_reset.disabled = endis;
- document.iform.psh_redir.disabled = endis;
- document.iform.psh_redir_loc.disabled = endis;
- document.iform.psh_rtedelay.disabled = endis;
- document.iform.psh_rtedelay_int.disabled = endis;
- document.iform.psh_inact.disabled = endis;
- document.iform.psh_inact_int.disabled = endis;
- document.iform.psh_ping.disabled = endis;
- document.iform.psh_ping_int.disabled = endis;
- document.iform.psh_pingexit.disabled = endis;
- document.iform.psh_pingexit_int.disabled = endis;
- document.iform.psh_pingrst.disabled = endis;
- document.iform.psh_pingrst_int.disabled = endis;
- document.iform.options.disabled = endis;
-
- if (!document.iform.disabled.checked) {
- push_change(false);
- disable_change(false);
- }
-
-}
-
-function disable_change(enable_over) {
- var endis;
- endis = !(!document.iform.disable.checked || enable_over);
-
- document.iform.psh_reset.disabled = endis;
- document.iform.psh_redir.disabled = endis;
- document.iform.psh_redir_loc.disabled = endis;
- document.iform.psh_rtedelay.disabled = endis;
- document.iform.psh_rtedelay_int.disabled = endis;
- document.iform.psh_inact.disabled = endis;
- document.iform.psh_inact_int.disabled = endis;
- document.iform.psh_ping.disabled = endis;
- document.iform.psh_ping_int.disabled = endis;
- document.iform.psh_pingexit.disabled = endis;
- document.iform.psh_pingexit_int.disabled = endis;
- document.iform.psh_pingrst.disabled = endis;
- document.iform.psh_pingrst_int.disabled = endis;
- document.iform.options.disabled = endis;
-
- if (!document.iform.disable.checked) {
- push_change(enable_over);
- }
-
-}
-
-function push_change(enable_over) {
- var endis;
- endis = !(document.iform.psh_reset.checked || enable_over);
-
- document.iform.psh_redir.disabled = endis;
- document.iform.psh_redir_loc.disabled = endis;
- document.iform.psh_rtedelay.disabled = endis;
- document.iform.psh_rtedelay_int.disabled = endis;
- document.iform.psh_inact.disabled = endis;
- document.iform.psh_inact_int.disabled = endis;
- document.iform.psh_ping.disabled = endis;
- document.iform.psh_ping_int.disabled = endis;
- document.iform.psh_pingexit.disabled = endis;
- document.iform.psh_pingexit_int.disabled = endis;
- document.iform.psh_pingrst.disabled = endis;
- document.iform.psh_pingrst_int.disabled = endis;
-}
-
-//-->
-</script>
-<form action="vpn_openvpn_ccd_edit.php" method="post" enctype="multipart/form-data" name="iform" id="iform">
-<strong><span class="red">WARNING: This feature is experimental and modifies your optional interface configuration.
- Backup your configuration before using OpenVPN, and restore it before upgrading.<br>&nbsp;<br>
-</span></strong>
-<table width="100%" border="0" cellpadding="6" cellspacing="0">
- <tr>
- <td width="22%" valign="top" class="vncellreq">Disabled</td>
- <td width="78%" class="vtable">
- <input name="disabled" type="checkbox" value="yes" onclick="enable_change(false)" <?php if (!isset($pconfig['enable'])) echo "checked"; ?>>
- <strong>Disable this entry</strong><br>
- <span class="vexpl">Set this option to disable this client-specific configuration
- without removing it from the list.</span></td>
- </td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncellreq">Common Name</td>
- <td width="78%" class="vtable">
- <input name="cn" type="text" class="formfld" id="cn" size="40" value="<?=htmlspecialchars($pconfig['cn']);?>">
- <br><span class="vexpl">Enter client's X.509 common name here.</span></td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">Description</td>
- <td width="78%" class="vtable">
- <input name="descr" type="text" class="formfld" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>">
- <br><span class="vexpl">You may enter a description here for your reference (not parsed).</span></td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">Block client</td>
- <td width="78%" class="vtable">
- <input name="disable" type="checkbox" value="yes" onclick="disable_change(false)" <?php if (isset($pconfig['disable'])) echo "checked"; ?>>
- <strong>Disable this client from connecting</strong><br>
- <span class="vexpl">Disable a particular client (based on the common name) from connecting.
- Don't use this option to disable a client due to key
- or password compromise. Use a CRL (certificate revocation list)
- instead.</span></td>
- </td>
- </tr>
-
- <tr>
- <tr>
- <td colspan="2" valign="top" height="16"></td>
- </tr>
- <tr>
- <td colspan="2" valign="top" class="listtopic">Push options</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">Client-Push Inheritation</td>
- <td width="78%" class="vtable">
- <input type="checkbox" name="psh_reset" value="yes" onchange="push_change(false)" <?php if (isset($pconfig['psh_reset'])) echo "checked"; ?>>Push reset
- <br><span class="vexpl">Set this option to on, if you don't want to inherit
- the global push list for this client from the server page.</span>
- </td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncell">Client-push options</td>
- <td width="78%" class="vtable">
- <table border="0" cellspacing="0" cellpadding="0">
- <tr>
- <td><input type="checkbox" name="psh_redir" value="yes" <?php if (isset($pconfig['psh_options']['redir'])) echo "checked"; ?>>
- Redirect-gateway</td>
- <td>&nbsp;</td>
- <td><input type="checkbox" name="psh_redir_loc" value="yes" <?php if (isset($pconfig['psh_options']['redir_loc'])) echo "checked"; ?>>
- Local</td>
- </tr>
- <tr>
- <td><input type="checkbox" name="psh_rtedelay" value="yes" <?php if (isset($pconfig['psh_options']['rtedelay'])) echo "checked"; ?>> Route-delay</td>
- <td width="16">&nbsp;</td>
- <td><input type="text" name="psh_rtedelay_int" class="formfld" size="4" value="<?= $pconfig['psh_options']['rtedelay_int']?>"> seconds</td>
- </tr>
- <tr>
- <td><input type="checkbox" name="psh_inact" value="yes" <?php if (isset($pconfig['psh_options']['inact'])) echo "checked"; ?>>
- Inactive</td>
- <td>&nbsp;</td>
- <td><input type="text" name="psh_inact_int" class="formfld" size="4" value="<?= $pconfig['psh_options']['inact_int']?>">
- seconds</td>
- </tr>
- <tr>
- <td><input type="checkbox" name="psh_ping" value="yes" <?php if (isset($pconfig['psh_options']['ping'])) echo "checked"; ?>> Ping</td>
- <td>&nbsp;</td>
- <td>Interval: <input type="text" name="psh_ping_int" class="formfld" size="4" value="<?= $pconfig['psh_options']['ping_int']?>"> seconds</td>
- </tr>
- <tr>
- <td><input type="checkbox" name="psh_pingexit" value="yes" <?php if (isset($pconfig['psh_options']['pingexit'])) echo "checked"; ?>> Ping-exit</td>
- <td>&nbsp;</td>
- <td>Interval: <input type="text" name="psh_pingexit_int" class="formfld" size="4" value="<?= $pconfig['psh_options']['pingexit_int']?>"> seconds</td>
- </tr>
- <tr>
- <td><input type="checkbox" name="psh_pingrst" value="yes" <?php if (isset($pconfig['psh_options']['pingrst'])) echo "checked"; ?>> Ping-restart</td>
- <td>&nbsp;</td>
- <td>Interval: <input type="text" name="psh_pingrst_int" class="formfld" size="4" value="<?= $pconfig['psh_options']['pingrst_int']?>"> seconds</td>
- </tr>
- </table></td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">Custom client options</td>
- <td width="78%" class="vtable">
- <span>The following options are legal in a client-specific context:<br>
- push, push-reset, iroute, ifconfig-push and config.</span><br>
- <textarea name="options" id="options" cols="65" rows="4" class="formpre"><?=htmlspecialchars($pconfig['options']);?></textarea>
- <strong><span class="red">Note:</span></strong><br>
- Commands in here aren't supported.</span></strong>
- </td>
- </tr>
-
- <tr>
- <td width="22%" valign="top">&nbsp;</td>
- <td width="78%">
- <input name="Submit" type="submit" class="formbtn" value="Save" onclick="enable_change(true);disable_change(true)">
- <?php if (isset($id)): ?>
- <input name="id" type="hidden" value="<?=$id;?>">
- <?php endif; ?>
- </td>
- </tr>
-</table>
-</form>
-<script language="JavaScript">
-<!--
-disable_change(false);
-push_change(false);
-enable_change(false);
-//-->
-</script>
-<?php include("fend.inc");
-?>
diff --git a/usr/local/www/vpn_openvpn_certs.php b/usr/local/www/vpn_openvpn_certs.php
deleted file mode 100644
index 72bc9d1..0000000
--- a/usr/local/www/vpn_openvpn_certs.php
+++ /dev/null
@@ -1,123 +0,0 @@
-<?php
-/*
- vpn_openvpn_certs.php
- part of pfSense
-
- Copyright (C) 2008 Ermal Luçi
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-require("guiconfig.inc");
-
-$pgtitle = array("OpenVPN", "Certificate management");
-$ovpncapath = $g['varetc_path']."/openvpn/certificates";
-
-if ($_GET['reset']) {
- mwexec("killall -9 openssl");
- if (is_dir($_GET['reset']))
- mwexec("rm -rf $ovpncapath/".$_GET['reset']);
-}
-if ($_GET['delete']) {
- if (!is_dir($ovpncapath."/".$_GET['delete']))
- $input_error[] = "Certificate does not exist!";
- else
- mwexec("rm -rf ".$g['varetc_path']."/openvpn/certificates/".$_GET['delete']);
- if (is_array($config['openvpn']['keys'])) {
- if (is_array($config['openvpn']['keys'][$_GET['delete']])) {
- unset($config['openvpn']['keys'][$_GET['delete']]);
- if (count($config['openvpn']['keys']) < 1)
- unset($config['openvpn']);
- write_config();
- }
- }
-}
-
-if (!is_array($config['openvpn']['keys']))
- $config['openvpn']['keys'] = array();
-$certificates = &$config['openvpn']['keys'];
-
-include("head.inc");
-?>
-
- <body link="#0000CC" vlink="#0000CC" alink="#0000CC">
- <?php include("fbegin.inc"); ?>
-<?php if ($input_errors) print_input_errors($input_errors); ?>
-
-<form action="vpn_openvpn_certs.php" method="post" name="iform" id="iform">
-<?php if ($savemsg) print_info_box($savemsg); ?>
-
- <table width="100%" border="0" cellpadding="6" cellspacing="0" >
- <tr><td>
-<?php
- $tab_array = array();
- $tab_array[] = array("Server", false, "/pkg.php?xml=openvpn.xml");
- $tab_array[] = array("Client", false, "/pkg.php?xml=openvpn_cli.xml");
- $tab_array[] = array("Client-specific overrides", false, "/pkg.php?xml=openvpn_csc.xml");
- $tab_array[] = array("Certificate Authority", true, "/vpn_openvpn_certs.php");
- $tab_array[] = array("Users", false, "vpn_openvpn_users.php");
- display_top_tabs($tab_array);
-?>
- </td></tr>
- <tr><td>
- <table class="tabcont" width="100%" border="0" cellpadding="2" cellspacing="0">
- <tr>
- <td class="listhdrr" width="35%">Certificates</td>
- <td width="60%" class="listhdrr">Expires</td></tr>
- <?php foreach ($certificates as $cert => $ca) { ?>
- <tr class="vtable">
- <td class="listlr" width="35%">
- <?php
- if($ca['descr'])
- echo $ca['descr'];
- else
- echo $cert;
- ?>
- </td>
- <td class="listr" width="60%">
- <?=$ca['caexpire'];?>
- </td>
- <td><a href="
-<?php
- if ($ca['existing'] == "yes")
- echo "vpn_openvpn_certs_existing.php?ca=$cert";
- else
- echo "vpn_openvpn_certs_create.php?ca=$cert";
-?>
- "><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit rule" width="17" height="17" border="0"></a></td>
- <td><a href="vpn_openvpn_certs.php?delete=<?=$cert;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="<?=gettext("delete certificate");?>" width="17" height="17" border="0" alt="" /></a></td>
- </tr>
- <?php } ?>
- <tr><td colspan="2"></td><td><a href="vpn_openvpn_certs_create.php?add=true"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="<?=gettext("add a new certificate");?>" width="17" height="17" border="0" alt="" /></a></td></tr>
- <tr>
- <td colspan="2" >To import existing certificates please <a href="vpn_openvpn_certs_existing.php">
- click this link.</a>
- </td></tr>
- </table>
- </td></tr>
- </table>
- <?php include("fend.inc"); ?>
-</body>
-</html>
-
-
diff --git a/usr/local/www/vpn_openvpn_certs_create.php b/usr/local/www/vpn_openvpn_certs_create.php
deleted file mode 100644
index 294e441..0000000
--- a/usr/local/www/vpn_openvpn_certs_create.php
+++ /dev/null
@@ -1,320 +0,0 @@
-<?php
-/* $Id$ */
-/*
- vpn_openvpn_certs_create.php
- part of pfSense
-
- Copyright (C) 2004 Scott Ullrich
- Copyright (C) 2008 Ermal Luçi
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-##|+PRIV
-##|*IDENT=page-vpn-openvpn-createcerts
-##|*NAME=VPN: OpenVPN: Create Certs page
-##|*DESCR=Allow access to the 'VPN: OpenVPN: Create Certs' page.
-##|*MATCH=vpn_openvpn_certs_create.php*
-##|-PRIV
-
-
-require("globals.inc");
-require("guiconfig.inc");
-
-$pgtitle = array("VPN", "OpenVPN", "Create Certs");
-
-$ovpncapath = $g['varetc_path'] . "/openvpn/certificates";
-$easyrsapath = $g['easyrsapath'];
-
-$edit_mode = true;
-if($_GET['add'] == "true")
- $edit_mode = false;
-
-if ($_GET['ca']) {
- if ($config['openvpn']['keys'][$_GET['ca']]) {
- $data = &$config['openvpn']['keys'][$_GET['ca']];
- $caname = trim($_GET['ca']);
- $cakeysize = $data['keysize'];
- $caexpire = $data['caexpire'];
- $cakeyexpire = $data['keyexpire'];
- $countrycode= $data['keycountry'];
- $descr = $data['descr'];
- $stateorprovince= $data['keyprovince'];
- $cityname= $data['keycity'];
- $orginizationname= $data['keyorg'];
- $email = $data['keyemail'];
- $authmode = $data['auth_method'];
- $edit_mode = true;
- } else {
- $input_errors[] = "Certificate does not exist.";
- }
-}
-
-if ($_POST) {
- if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['descr']))
- $input_errors[] = "Description contains invalid characters.";
- $descr = $_POST['descr'];
- $cakeysize = $_POST['cakeysize'];
- $caexpire = $_POST['caexpire'];
- $cakeyexpire = $_POST['cakeyexpire'];
- $countrycode=$_POST['countrycode'];
- $stateorprovince=$_POST['stateorprovince'];
- $cityname=$_POST['cityname'];
- $orginizationname=$_POST['orginizationname'];
- $email = $_POST['email'];
- $authmode = $_POST['auth_method'];
- $caname = trim(strtolower($_POST['descr']));
-
- if ($caname) {
-
- /* XXX: do more input validation */
-
- /* Create sane environment for easyrsa scripts */
- conf_mount_rw();
- if (!is_dir($g['varetc_path']."/openvpn"))
- safe_mkdir($g['varetc_path']."/openvpn");
-
- if (!is_dir($ovpncapath))
- safe_mkdir($ovpncapath);
- else
- mwexec("rm -rf $ovpncapath/$caname");
-
- safe_mkdir("$ovpncapath/$caname", 0755);
- mwexec("cp -r $easyrsapath ".$g['varetc_path']."/openvpn/");
-
- if (!is_dir("$ovpncapath/$caname")) {
- $input_errors[] = "Failed to create $ovpncapath/$caname environment certificate environment.";
- Header("Location: vpn_openvpn_certs_create.php");
- }
-
- $fd = fopen($ovpncapath . "/$caname/vars", "w");
- fwrite($fd, "#!/bin/tcsh\n");
- fwrite($fd, "setenv EASY_RSA \"$easyrsapath\" \n");
- fwrite($fd, "setenv OPENSSL \"`which openssl`\"\n");
- fwrite($fd, "setenv PKCS11TOOL \"pkcs11-tool\" \n");
- fwrite($fd, "setenv GREP \"grep\" \n");
- fwrite($fd, "setenv KEY_CONFIG \"`$ovpncapath/whichopensslcnf $ovpncapath`\" \n");
- fwrite($fd, "setenv KEY_DIR \"$ovpncapath/$caname\" \n");
- fwrite($fd, "setenv KEY_SIZE \"$cakeysize\" \n");
- fwrite($fd, "setenv CA_EXPIRE \"$caexpire\" \n");
- fwrite($fd, "setenv KEY_EXPIRE \"$cakeyexpire\" \n");
- fwrite($fd, "setenv KEY_COUNTRY \"$countrycode\" \n");
- fwrite($fd, "setenv KEY_PROVINCE \"$stateorprovince\" \n");
- fwrite($fd, "setenv KEY_CITY \"$cityname\" \n");
- fwrite($fd, "setenv KEY_ORG \"$orginizationname\" \n");
- fwrite($fd, "setenv KEY_EMAIL \"$email\" \n");
- fwrite($fd, "setenv CA_OK \"$ovpncapath/$caname/finished_ok\" \n");
- fwrite($fd, "\n\n");
- fclose($fd);
-
- $fd = fopen($ovpncapath . "/RUNME_FIRST", "w");
- fwrite($fd, "cd $ovpncapath \n");
- fwrite($fd, "touch $ovpncapath/$caname/index.txt \n");
- fwrite($fd, "echo \"01\" > $ovpncapath/$caname/serial \n");
- fwrite($fd, "source $ovpncapath/$caname/vars \n");
- //fwrite($fd, "echo \"Creating Shared Key...\" \n");
- //fwrite($fd, "openvpn --genkey --secret $ovpncapath/$caname/shared.key \n");
- fwrite($fd, "echo \"Creating CA...\" \n");
- fwrite($fd, "$easyrsapath/pkitool --batch --initca $ovpncapath/$caname/ca.crt \n");
- fwrite($fd, "echo \"Done!\" \n");
- fclose($fd);
-
- } else {
- $input_errors[] = "You should specify a name.";
- }
- if (!is_array($config['openvpn']['keys']))
- $config['openvpn']['keys'] = array();
-
- $ovpnkeys =& $config['openvpn']['keys'];
- if (!is_array($ovpnkeys[$caname]))
- $ovpnkeys[$caname] = array();
-
-}
-
- include("head.inc");
-?>
-
- <body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-
- <script type="text/javascript">
- function f() {
- /* do nothing */
- }
- function edit_mode() {
- document.iform.cakeysize.disabled = true;
- document.iform.caexpire.disabled = true;
- document.iform.cakeyexpire.disabled = true;
- document.iform.countrycode.disabled = true;
- document.iform.stateorprovince.disabled = true;
- document.iform.cityname.disabled = true;
- document.iform.orginizationname.disabled = true;
- document.iform.email.disabled = true;
- document.iform.descr.disabled = true;
- }
- </script>
-
-<?php include("fbegin.inc"); ?>
-<?php if ($input_errors) print_input_errors($input_errors); ?>
- <form action="vpn_openvpn_certs_create.php" method="post" name="iform" id="iform">
-<?php if ($savemsg) print_info_box($savemsg); ?>
-
- <table width="100%" border="0" cellpadding="6" cellspacing="0">
- <tr><td colspan="2">
-<?php
- $tab_array = array();
- $tab_array[] = array("Server", false, "pkg.php?xml=openvpn.xml");
- $tab_array[] = array("Client", false, "pkg.php?xml=openvpn_cli.xml");
- $tab_array[] = array("Client-specific overrides", false, "pkg.php?xml=openvpn_csc.xml");
- $tab_array[] = array("Certificate Authority", true, "vpn_openvpn_certs.php");
- $tab_array[] = array("Users", false, "vpn_openvpn_users.php");
- display_top_tabs($tab_array);
-?>
- </td></tr>
-<?php
- if ($_POST && $caname) {
-?>
-<tr><td>
- <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
- <tr>
- <td>
- <textarea cols="80" rows="35" name="output" id="output" wrap="hard"></textarea>
- </td>
- </tr>
- <tr>
- <td>
- <a href="vpn_openvpn_certs.php"><inpput name="OK" type="button" value="Return"></a>
- </td>
- </tr>
- </table></td></tr>
- </table>
-<?php
- if(!$input_errors) {
- execute_command_return_output("/bin/tcsh $ovpncapath/RUNME_FIRST", "r");
- conf_mount_ro();
- /* vars */
- $ovpnkeys[$caname]['existing'] = "no";
- $ovpnkeys[$caname]['descr'] = $descr;
- $ovpnkeys[$caname]['auth_method'] = "pki";
- $ovpnkeys[$caname]['keysize'] = $cakeysize;
- $ovpnkeys[$caname]['keyexpire'] = $cakeyexpire;
- $ovpnkeys[$caname]['caexpire'] = $caexpire;
- $ovpnkeys[$caname]['keycountry'] = $countrycode;
- $ovpnkeys[$caname]['keyprovince'] = $stateorprovince;
- $ovpnkeys[$caname]['keycity'] = $cityname;
- $ovpnkeys[$caname]['keyorg'] = $orginizationname;
- $ovpnkeys[$caname]['keyemail'] = $email;
- /* ciphers */
- $ovpnkeys[$caname]['ca.key'] = file_get_contents("$ovpncapath/$caname/ca.key");
- $ovpnkeys[$caname]['ca.crt'] = file_get_contents("$ovpncapath/$caname/ca.crt");
-
- /* save it */
- write_config();
- }
-} else { ?>
-<tr><td>
- <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr>
- <td width="35%" class="vncell"><B>Certificate Name</td>
- <td width="78%" class="vtable">
- <input name="descr" class="formfld" value="<?=$descr?>">
- </span></td>
- </tr>
- <tr>
- <td width="35%" class="vncell"><B>Certificate Key Size</td>
- <td width="78%" class="vtable">
- <select name="cakeysize" >
-<?php
- $strength = array("512", "1024", "2048");
- foreach ($strength as $key) {
- echo "<option value=\"{$key}\" ";
- if ($cakeysize == intval($key))
- echo " selected=\"true\" ";
- echo ">{$key}</option>";
- }
-?>
- </select>
- <br/><span>Higher you set this value the slower TLS negotiation and DH key creation performance gets.</span></td>
- </tr>
- <tr>
- <td width="35%" class="vncell"><B>Certificate Expire</td>
- <td width="78%" class="vtable">
- <input name="caexpire" class="formfld" value="<?=$caexpire?>"/>
- <br/><span>In how many days should the root CA key expire?</span></td>
- </tr>
- <tr>
- <td width="35%" class="vncell"><B>Certificate Key Expire</td>
- <td width="78%" class="vtable">
- <input name="cakeyexpire" class="formfld" value="<?=$cakeyexpire?>">
- <br/><span>In how many days should certificates expire?</span></td>
- </tr>
- <tr>
- <td width="35%" class="vncell"><B>Country Code (2 Letters)</td>
- <td width="78%" class="vtable">
- <input size="2" maxlength="2" name="countrycode" class="formfld" value="<?=$countrycode?>">
- <br/></span></td>
- </tr>
- <tr>
- <td width="35%" class="vncell"><B>State or Province name</td>
- <td width="78%" class="vtable">
- <input name="stateorprovince" class="formfld" value="<?=$stateorprovince?>">
- <br/></span></td>
- </tr>
- <tr>
- <td width="35%" class="vncell"><B>City name</td>
- <td width="78%" class="vtable">
- <input name="cityname" class="formfld" value="<?=$cityname?>">
- <br/></span></td>
- </tr>
- <tr>
- <td width="35%" class="vncell"><B>Organization name</td>
- <td width="78%" class="vtable">
- <input name="orginizationname" class="formfld" value="<?=$orginizationname?>">
- <br/></span></td>
- </tr>
- <tr>
- <td width="35%" class="vncell"><B>E-Mail address</td>
- <td width="78%" class="vtable">
- <input name="email" class="formfld" value="<?=$email?>">
- <br/></span></td>
- </tr>
- <tr>
- <td width="35%" >&nbsp;</td>
- <td width="78%">
- <input name="Submit" type="submit" class="formbtn" value="Save">
- <a href="vpn_openvpn_certs.php?reset=<?=$caname;?>"><input name="Cancel" type="button" class="formbtn" value="Cancel"></a>
- </td>
- </tr>
- </table>
- </td></tr>
- </table>
- <?php
- if($edit_mode) {
- echo "<script language='javascript'>\n";
- echo "edit_mode();\n";
- echo "</script>\n";
- }
- ?>
- <?php include("fend.inc"); ?>
- </body>
- </html>
-<? } ?>
diff --git a/usr/local/www/vpn_openvpn_certs_existing.php b/usr/local/www/vpn_openvpn_certs_existing.php
deleted file mode 100644
index 90534de..0000000
--- a/usr/local/www/vpn_openvpn_certs_existing.php
+++ /dev/null
@@ -1,201 +0,0 @@
-<?php
-/* $Id$ */
-/*
- vpn_openvpn_certs_existing.php
- part of pfSense
-
- Copyright (C) 2008 Scott Ullrich
- Copyright (C) 2008 Ermal Luçi
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-##|+PRIV
-##|*IDENT=page-vpn-openvpn-createexistingcerts
-##|*NAME=VPN: OpenVPN: Create Existing Certs page
-##|*DESCR=Allow access to the 'VPN: OpenVPN: Create Existing Certs' page.
-##|*MATCH=vpn_openvpn_certs_existing.php*
-##|-PRIV
-
-
-require("guiconfig.inc");
-
-$pgtitle = array("VPN", "OpenVPN", "Create Existing Certs");
-$ovpncapath = $g['varetc_path']."/openvpn/certificates";
-/* XXX: hardcoded path; worth making it a global?! */
-$easyrsapath = "/usr/local/share/openvpn/certificates";
-
-if ($_GET['ca']) {
- if ($config['openvpn']['keys'][$_GET['ca']]) {
- $data = $config['openvpn']['keys'][$_GET['ca']];
- $caname = trim($_GET['ca']);
- $cakey = $ovpnkeys[$caname]['ca.key'];
- $cacrt = $ovpnkeys[$caname]['ca.crt'];
- $sharedkey = $ovpnkeys[$caname]['shared.key'];
- $serverkey = $ovpnkeys[$caname]['server.key'];
- $servercrt = $ovpnkeys[$caname]['server.crt'];
- $dh = $ovpnkeys[$caname]['dh_params.dh'];
- } else
- $input_errors[] = "Certificate does not exist.";
-}
-
-if ($_POST) {
- if ($_POST['caname'] && $_POST['caname'] != "") {
- $caname = $_POST['caname'];
-
- /* Create sane environment for easyrsa scripts */
- conf_mount_rw();
- if (!is_dir($g['varetc_path']."/openvpn"))
- safe_mkdir($g['varetc_path']."/openvpn");
- if (!is_dir($ovpncapath))
- safe_mkdir($ovpncapath);
- else
- mwexec("rm -rf $ovpncapath/$caname");
- safe_mkdir("$ovpncapath/$caname", 0755);
-
- if (!is_dir($ovpncapath)) {
- $input_errors[] = "Failed to create environment for creating certificates. ";
- header("Location: vpn_openvpn_certs.php");
- }
-
- conf_mount_ro();
- if (!is_array($config['openvpn']['keys']))
- $config['openvpn']['keys'] = array();
- $ovpnkeys =& $config['openvpn']['keys'];
- if (!is_array($ovpnkeys[$caname]))
- $ovpnkeys[$caname] = array();
- /* vars */
- $ovpnkeys[$caname]['existing'] = "yes";
- /* ciphers */
- $ovpnkeys[$caname]['crl'] = $crl;
- file_put_contents("$ovpncapath/$caname/crl.pem", base64_decode($_POST['crl']));
- chown("$ovpncapath/$caname/crl.pem", 'nobody');
- chgrp("$ovpncapath/$caname/crl.pem", 'nobody');
-
- $ovpnkeys[$caname]['ca.crt'] = $cacrt;
- file_put_contents("$ovpncapath/$caname/ca.crt", base64_decode($_POST['ca.crt']));
- chown("$ovpncapath/$caname/ca.crt", 'nobody');
- chgrp("$ovpncapath/$caname/ca.crt", 'nobody');
-
- $ovpnkeys[$caname]['server.key'] = $serverkey;
- file_put_contents("$ovpncapath/$caname/server.key", base64_decode($_POST['server.key']));
- chown("$ovpncapath/$caname/server.key", 'nobody');
- chgrp("$ovpncapath/$caname/server.key", 'nobody');
-
- $ovpnkeys[$caname]['server.crt'] = $servercrt;
- file_put_contents("$ovpncapath/$caname/server.crt", base64_decode($_POST['server.crt']));
- chown("$ovpncapath/$caname/server.crt", 'nobody');
- chgrp("$ovpncapath/$caname/server.crt", 'nobody');
-
- $ovpnkeys[$caname]['dh_params.dh'] = $dh;
- file_put_contents("$ovpncapath/$caname/dh_params.dh", base64_decode($_POST['dh']));
- chown("$ovpncapath/$caname/dh_params.dh", 'nobody');
- chgrp("$ovpncapath/$caname/dh_params.dh", 'nobody');
-
- /* save it */
- write_config();
-
- header("Location: vpn_openvpn_certs.php");
- } else
- $input_errors[] = "You need to specify the Certificate name";
-}
-
- include("head.inc");
-?>
-
- <body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-
- <?php include("fbegin.inc"); ?>
-
-<?php if ($input_errors) print_input_errors($input_errors); ?>
-
-<form action="vpn_openvpn_certs_existing.php" method="post" name="iform" id="iform">
-<?php if ($savemsg) print_info_box($savemsg); ?>
-
- <table width="90%" border="0" cellpadding="6" cellspacing="0">
- <tr><td colspan="2">
-<?php
- $tab_array = array();
- $tab_array[0] = array("Server", false, "pkg.php?xml=openvpn.xml");
- $tab_array[1] = array("Client", false, "pkg.php?xml=openvpn_cli.xml");
- $tab_array[2] = array("Client-specific configuration", false, "pkg.php?xml=openvpn_csc.xml");
- $tab_array[3] = array("Certificate Authority", true, "vpn_openvpn_certs.php");
- $tab_array[4] = array("Users", false, "vpn_openvpn_users.php");
- display_top_tabs($tab_array);
-?>
- </td></tr>
- <tr><td>
- <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr>
- <td width="35%" class="vncell"><B>Certificate name</td>
- <td width="78%" class="vtable">
- <input name="caname" value="<?=$caname?>">
- </td>
- </tr>
- <tr>
- <td width="35%" class="vncell"><B>CA certificate</td>
- <td width="78%" class="vtable">
- <textarea name="ca.crt" rows="8" cols="40" ><?=$cacrt;?></textarea>
- <br/><span>Paste your CA certificate in X.509 format here.</span></td>
- </tr>
- <tr>
- <td width="35%" class="vncell"><B>Server certificate</td>
- <td width="78%" class="vtable">
- <textarea name="server.crt" rows="8" cols="40" ><?=$servercrt;?></textarea>
- <br/><span>Paste your server certificate in X.509 format here.</span>
- </td>
- </tr>
- <tr>
- <td width="35%" class="vncell"><B>Server key</td>
- <td width="78%" class="vtable">
- <textarea name="server.key" rows="8" cols="40" ><?=$serverkey;?></textarea>
- <br/><span>Paste your server key in RSA format here.</span>
- </td>
- </tr>
- <tr>
- <td width="35%" class="vncell"><B>DH parameters</td>
- <td width="78%" class="vtable">
- <textarea name="dh" rows="8" cols="40"><?=$dh;?></textarea>
- <br/><span>Paste your Diffie Hellman parameters in PEM format here.</span>
- </td>
- </tr>
- <tr>
- <td width="35%" class="vncell"><B>CRL</td>
- <td width="78%" class="vtable">
- <textarea name="crl" rows="8" cols="40" ><?=$crl;?></textarea>
- <br/><span>Paste your certificate revocation list (CRL) in PEM format here (optional).</span>
- </td>
- </tr>
- <tr>
- <td width="35%" >&nbsp;</td>
- <td width="78%">
- <input name="Submit" type="submit" class="formbtn" value="Save">
- <a href="vpn_openvpn_certs.php?reset=<?=$caname;?>"><input name="Cancel" type="button" class="formbtn" value="Cancel"></a>
- </td>
- </td>
- </tr>
- </table></td></tr>
- </table>
- <?php include("fend.inc"); ?>
- </body>
- </html>
diff --git a/usr/local/www/vpn_openvpn_cli.php b/usr/local/www/vpn_openvpn_cli.php
deleted file mode 100755
index 285518c..0000000
--- a/usr/local/www/vpn_openvpn_cli.php
+++ /dev/null
@@ -1,179 +0,0 @@
-<?php
-/*
- vpn_openvpn_cli.php
-
- Copyright (C) 2004 Peter Curran (peter@closeconsultants.com).
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-require("guiconfig.inc");
-require_once("openvpn.inc");
-
-if (!is_array($config['ovpn']))
- $config['ovpn'] = array();
-if (!is_array($config['ovpn']['client'])){
- $config['ovpn']['client'] = array();
- $config['ovpn']['client']['tunnel'] = array();
-}
-
-$id = $_GET['id'];
-if (isset($_POST['id']))
- $id = $_POST['id'];
-
-$ovpncli =& $config['ovpn']['client']['tunnel'];
-
-if ($_POST['apply']) {
- $retval = 0;
- if (file_exists($d_sysrebootreqd_path)) {
- /* Rewrite interface definitions */
- $retval = ovpn_client_iface();
- }
- else{
- ovpn_lock();
- $retval = ovpn_client_iface();
- $retval = ovpn_config_client();
- ovpn_unlock();
- }
- if (file_exists($d_ovpnclidirty_path))
- unlink($d_ovpnclidirty_path);
- $savemsg = get_std_save_message($retval);
-}
-
-if ($_GET['act'] == "del") {
- if ($ovpncli[$id]) {
- $ovpnent = $ovpncli[$id];
- unset($ovpncli[$id]);
-
- /* Kill running processes */
- ovpn_client_kill($ovpnent['if']);
-
- /* Remove old certs & keys */
- ovpn_client_certs_del($ovpnent['if']);
-
- /* Remove interface from list of optional interfaces */
- ovpn_client_iface_del($ovpnent['if']);
-
- write_config();
- //touch($d_sysrebootreqd_path);
- header("Location: vpn_openvpn_cli.php");
- exit;
- }
-}
-
-$pgtitle = array("VPN","OpenVPN");
-include("head.inc");
-
-?>
-<?php include("fbegin.inc"); ?>
-<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-<?php if ($input_errors) print_input_errors($input_errors); ?>
-<?php if (file_exists($d_sysrebootreqd_path) && !file_exists($d_ovpnclidirty_path)) print_info_box(get_std_save_message(0)); ?>
-<form action="vpn_openvpn_cli.php" method="post" enctype="multipart/form-data" name="iform" id="iform">
-<?php if (file_exists($d_ovpnclidirty_path)): ?><p>
-<?php print_info_box_np("The OpenVPN client configuration has been changed.<br>You must apply the changes in order for them to take effect.");?>
-<?php endif; ?>
-
-<table width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr><td>
-<?php
- $tab_array = array();
- $tab_array[] = array("Server", false, "vpn_openvpn_srv.php");
- $tab_array[] = array("Client", true, "vpn_openvpn_cli.php");
- $tab_array[] = array("Client-specific Configuration", false, "vpn_openvpn_ccd.php");
- $tab_array[] = array("CRL", false, "vpn_openvpn_crl.php");
- display_top_tabs($tab_array);
-?>
- </td></tr>
-
- <tr>
- <td>
- <div id="mainarea">
- <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
- <tr>
- <td class="vtable">
- <strong><span class="red">WARNING: This feature is experimental and modifies your optional interface configuration.
- Backup your configuration before using OpenVPN, and restore it before upgrading.
- </span></strong>
- </td>
- </tr>
- </table>
-
-
-
- <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr>
- <td width="10%" class="listhdrr">Interface</td>
- <td width="5%" class="listhdrr">Protocol</td>
- <td width="15%" class="listhdrr">Socket</td>
- <td width="15%" class="listhdrr">Server address</td>
- <td width="5%" class="listhdrr" align="center">Version</td>
- <td width="40%" class="listhdr">Description</td>
- <td width="10%" class="list"></td>
- </tr>
-
- <?php $i = 0; foreach ($ovpncli as $client):
- if (!isset($client['enable'])) {
- $spans = "<span class=\"gray\">";
- $spane = "</span>";
- } else {
- $spans = $spane = "";
- }
- ?>
-
- <tr>
- <td class="listlr"><?=$spans;?>
- <?php if ($interface = ovpn_get_opt_interface($client['if']))
- $iface = $config['interfaces'][$interface]['descr'];
- else $iface = strtoupper($client['if']);?>
- <?= $iface;?>
- <?=$spane;?></td>
- <td class="listr"><?=$spans;?>
- <?= strtoupper($client['proto']);?>
- <?=$spane;?></td>
- <td class="listr"><?=$spans;?>
- <?= "0.0.0.0:" . $client['cport'];?>
- <?=$spane;?></td>
- <td class="listr"><?=$spans;?>
- <?= $client['saddr'].":".$client['sport'];?>
- <?=$spane;?></td>
- <td align="middle" class="listr"><?=$spans;?>
- <?= $client['ver'];?>
- <?=$spane;?></td>
- <td class="listbg"><?=$spans;?>
- <?= htmlspecialchars($client['descr']);?>&nbsp;
- <?=$spane;?></td>
- <td valign="middle" nowrap class="list"> <a href="vpn_openvpn_cli_edit.php?id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit client configuration" width="17" height="17" border="0"></a>
- &nbsp;<a href="vpn_openvpn_cli.php?act=del&id=<?=$i;?>" onclick="return confirm('Do you really want to delete this client configuration?')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete client configuration" width="17" height="17" border="0"></a></td>
- </tr>
- <?php $i++; endforeach; ?>
- <tr>
- <td class="list" colspan="6">&nbsp;</td>
- <td class="list"> <a href="vpn_openvpn_cli_edit.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add client configuration" width="17" height="17" border="0"></a></td>
- </tr>
- </table>
- </td>
-</tr>
-</table>
-</form>
-<?php include("fend.inc"); ?>
diff --git a/usr/local/www/vpn_openvpn_cli_edit.php b/usr/local/www/vpn_openvpn_cli_edit.php
deleted file mode 100755
index 6fdbb75..0000000
--- a/usr/local/www/vpn_openvpn_cli_edit.php
+++ /dev/null
@@ -1,732 +0,0 @@
-<?php
-/*
- vpn_openvpn_cli_edit.php
-
- Copyright (C) 2004 Peter Curran (peter@closeconsultants.com).
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-##|+PRIV
-##|*IDENT=page-vpn-openvpn-editclient
-##|*NAME=VPN: OpenVPN: Edit client page
-##|*DESCR=Allow access to the 'VPN: OpenVPN: Edit client' page.
-##|*MATCH=vpn_openvpn_cli_edit.php*
-##|-PRIV
-
-
-require("guiconfig.inc");
-require_once("openvpn.inc");
-
-if (!is_array($config['ovpn']))
- $config['ovpn'] = array();
-if (!is_array($config['ovpn']['client'])){
- $config['ovpn']['client'] = array();
- $config['ovpn']['client']['tunnel'] = array();
-}
-
-
-$ovpncli =& $config['ovpn']['client']['tunnel'];
-
-$id = $_GET['id'];
-if (isset($_POST['id']))
- $id = $_POST['id'];
-
-if (isset($id) && $ovpncli[$id]) {
- $pconfig = $config['ovpn']['client']['tunnel'][$id];
- if (isset($ovpncli[$id]['pull']))
- $pconfig['pull'] = true;
- if (is_array($ovpncli[$id]['expertmode'])) {
- $pconfig['expertmode_options'] = "";
- foreach ($ovpncli[$id]['expertmode']['option'] as $optent) {
- $pconfig['expertmode_options'] .= $optent . "\n";
- }
- $pconfig['expertmode_options'] = rtrim($pconfig['expertmode_options']);
- }
-
-} else {
- /* creating - set defaults */
- $pconfig = array();
- $pconfig['authentication_method'] = "rsasig";
- $pconfig['type'] = 'tun';
- $pconfig['proto'] = 'udp';
- $pconfig['sport'] = '1194';
- $pconfig['ver'] = '2';
- $pconfig['crypto'] = 'BF-CBC';
- $pconfig['pull'] = true;
- $pconfig['enable'] = true;
-}
-
-if ($_POST) {
-
- /* Called from form */
- unset($input_errors);
-
- /* input validation */
- $reqdfields = explode(" ", "type saddr sport");
- $reqdfieldsn = explode(",", "Tunnel type,Address,Port");
-
- if ($_POST['authentication_method'] == "pre_shared_key") {
- $reqdfields = array_merge($reqdfields, explode(" ", "lipaddr pre-shared-key"));
- $reqdfieldsn = array_merge($reqdfieldsn, explode(",", "Local IP address,Pre-shared secret"));
-
- if ($_POST['type'] == "tun") {
- /* tun */
- $reqdfields = array_merge($reqdfields, explode(" ", "ripaddr"));
- $reqdfieldsn = array_merge($reqdfieldsn, explode(",", "Remote IP address"));
-
- /* subnet or ip address */
- if ($_POST['ripaddr']) {
- if (!is_ipaddr($_POST['ripaddr']))
- $input_errors[] = "A valid static remote IP address must be specified.";
- else if (ip2long($_POST['lipaddr']) == ip2long($_POST['ripaddr']))
- $input_errors[] = "Local IP address and remote IP address are the same.";
- }
- if ($_POST['lipaddr'])
- if (!is_ipaddr($_POST['lipaddr']))
- $input_errors[] = "A valid static local IP address must be specified.";
-
- } else {
- /* tap */
- if ($_POST['lipaddr']) {
- if (!is_ipaddr($_POST['lipaddr']))
- $input_errors[] = "A valid static local IP address must be specified.";
- else if (gen_subnet($_POST['lipaddr'], $_POST['netmask']) == $_POST['lipaddr'])
- $input_errors[] = "Local IP address is subnet address.";
- else if (gen_subnet_max($_POST['lipaddr'], $_POST['netmask']) == $_POST['lipaddr'])
- $input_errors[] = "Local IP address is broadcast address.";
- }
- }
-
- if (!empty($_POST['pre-shared-key']) &&
- (!strstr($_POST['pre-shared-key'], "BEGIN OpenVPN Static key") ||
- !strstr($_POST['pre-shared-key'], "END OpenVPN Static key")))
- $input_errors[] = "Pre-shared secret does not appear to be valid.";
-
- } else {
- /* rsa */
- $reqdfields = array_merge($reqdfields, explode(" ", "ca_cert cli_cert cli_key"));
- $reqdfieldsn = array_merge($reqdfieldsn, explode(",", "CA certificate,Client certificate,Client key"));
-
- if (!empty($_POST['ca_cert']) &&
- (!strstr($_POST['ca_cert'], "BEGIN CERTIFICATE") ||
- !strstr($_POST['ca_cert'], "END CERTIFICATE")))
- $input_errors[] = "The CA certificate does not appear to be valid.";
-
- if (!empty($_POST['cli_cert']) &&
- (!strstr($_POST['cli_cert'], "BEGIN CERTIFICATE") ||
- !strstr($_POST['cli_cert'], "END CERTIFICATE")))
- $input_errors[] = "The client certificate does not appear to be valid.";
-
- if (!empty($_POST['cli_key']) &&
- (!strstr($_POST['cli_key'], "BEGIN RSA PRIVATE KEY") ||
- !strstr($_POST['cli_key'], "END RSA PRIVATE KEY")))
- $input_errors[] = "The client key does not appear to be valid.";
-
- if (!empty($_POST['pre-shared-key']) &&
- (!strstr($_POST['pre-shared-key'], "BEGIN OpenVPN Static key") ||
- !strstr($_POST['pre-shared-key'], "END OpenVPN Static key")))
- $input_errors[] = "Pre-shared secret does not appear to be valid.";
-
- if (isset($_POST['tlsauth']) && empty($_POST['pre-shared-key'])) {
- $reqdfields = array_merge($reqdfields, explode(" ", "pre-shared-key"));
- $reqdfieldsn = array_merge($reqdfieldsn, explode(",", "Pre-shared secret"));
- }
- }
-
- do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
-
- /* valid Port */
- if (($_POST['sport'] && !is_port($_POST['sport'])))
- $input_errors[] = "The server's port must be an integer between 1 and 65535.";
-
- /* valid FQDN or IP address */
- if (($_POST['saddr'] && !is_ipaddr($_POST['saddr']) && !is_domain($_POST['saddr'])))
- $input_errors[] = "The server name contains invalid characters.";
-
- if (isset($id) && $ovpncli[$id]) {
- /* Editing an existing entry */
- $ovpnent = $ovpncli[$id];
-
- if ($ovpncli[$id]['bridge'] != $_POST['bridge']) {
- /* double bridging? */
- if ($_POST['bridge'] &&
- $_POST['type'] == "tap" &&
- $_POST['authentication_method'] == "rsasig")
- $retval = check_bridging($_POST['bridge']);
-
- if (!empty($retval))
- $input_errors[] = $retval;
- }
-
- if ( $ovpncli[$id]['sport'] != $_POST['sport'] ||
- $ovpncli[$id]['proto'] != $_POST['proto'] ) {
-
- /* some entries changed */
- for ($i = 0; isset($config['ovpn']['client']['tunnel'][$i]); $i++) {
- $current = &$config['ovpn']['client']['tunnel'][$i];
-
- if ($current['sport'] == $_POST['sport'])
- if ($current['proto'] == $_POST['proto'])
- $input_errors[] = "You already have this combination for port and protocol settings. You can't use it twice";
- }
- }
-
- /* Test Server type hasn't changed */
- if ($ovpnent['type'] != $_POST['type'])
- $input_errors[] = "Delete this interface first before changing the type of the tunnel to "
- . strtoupper($_POST['type']) .".";
-
- if (!isset($ovpnent['enable']) && !isset($_POST['disabled'])) {
-
- /* check if port number is free, else choose another one */
- if (in_array($ovpnent['cport'], used_port_list()))
- $ovpnent['cport'] = getnxt_port();
- }
- } else {
- /* Creating a new entry */
- $ovpnent = array();
- if (!($ovpnent['if'] = getnxt_if($_POST['type'])))
- $input_errors[] = "Run out of devices for a tunnel of type {$_POST['type']}";
-
- $ovpnent['cport'] = getnxt_port();
-
- /* double bridging? */
- if ($_POST['bridge'] &&
- $_POST['type'] == "tap" &&
- $_POST['authentication_method'] == "rsasig") {
- $retval = check_bridging($_POST['bridge']);
-
- if (!empty($retval))
- $input_errors[] = $retval;
- }
- }
-
- if (!$input_errors) {
-
- $ovpnent['enable'] = isset($_POST['disabled']) ? false : true;
- $ovpnent['type'] = $_POST['type'];
- $ovpnent['authentication_method'] = $_POST['authentication_method'];
- $ovpnent['proto'] = $_POST['proto'];
- $ovpnent['sport'] = $_POST['sport'];
- $ovpnent['ver'] = $_POST['ver'];
- $ovpnent['saddr'] = $_POST['saddr'];
- $ovpnent['descr'] = $_POST['descr'];
- $ovpnent['ca_cert'] = $pconfig['ca_cert'];
- $ovpnent['cli_cert'] = $pconfig['cli_cert'];
- $ovpnent['cli_key'] = $pconfig['cli_key'];
- $ovpnent['crypto'] = $_POST['crypto'];
- $ovpnent['comp_method'] = $_POST['comp_method'];
- $ovpnent['ns_cert_type'] = $_POST['ns_cert_type'] ? true : false;
- $ovpnent['pull'] = $_POST['pull'] ? true : false;
- $ovpnent['dupcn'] = $_POST['dupcn'] ? true : false;
- $ovpnent['tlsauth'] = $_POST['tlsauth'] ? true : false;
- $ovpnent['bridge'] = $_POST['bridge'];
- $ovpnent['lipaddr'] = $_POST['lipaddr'];
- $ovpnent['ripaddr'] = $_POST['ripaddr'];
- $ovpnent['netmask'] = $_POST['netmask'];
-
- unset($ovpnent['pre-shared-key']);
- if ($_POST['pre-shared-key'])
- $ovpnent['pre-shared-key'] = base64_encode($_POST['pre-shared-key']);
-
- $ovpnent['ca_cert'] = base64_encode($_POST['ca_cert']);
- $ovpnent['cli_cert'] = base64_encode($_POST['cli_cert']);
- $ovpnent['cli_key'] = base64_encode($_POST['cli_key']);
-
- /* expertmode params */
- $ovpnent['expertmode_enabled'] = $_POST['expertmode_enabled'] ? true : false;
-
- if (!is_array($options))
- $options = array();
- if (!is_array($ovpnent['expertmode']))
- $ovpnent['expertmode'] = array();
-
- $options['option'] = array_map('trim', explode("\n", trim($_POST['expertmode_options'])));
- $ovpnent['expertmode'] = $options;
-
- if (isset($id) && $ovpncli[$id]){
- $ovpncli[$id] = $ovpnent;
- }
- else{
- $ovpncli[] = $ovpnent;
- }
-
- write_config();
- ovpn_cli_dirty($ovpnent['if']);
-
- header("Location: vpn_openvpn_cli.php");
- exit;
- } else {
- $pconfig = $_POST;
-
- $pconfig['enable'] = "true";
- if (isset($_POST['disabled']))
- unset($pconfig['enable']);
-
- $pconfig['pre-shared-key'] = base64_encode($_POST['pre-shared-key']);
- $pconfig['ca_cert'] = base64_encode($_POST['ca_cert']);
- $pconfig['cli_cert'] = base64_encode($_POST['cli_cert']);
- $pconfig['cli_key'] = base64_encode($_POST['cli_key']);
- }
-}
-
-$pgtitle = array("VPN","OpenVPN","Edit client");
-include("head.inc");
-
-?>
-<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-<?php include("fbegin.inc"); ?>
-<?php if ($input_errors) print_input_errors($input_errors);?>
-<script language="JavaScript">
-function enable_change(enable_over) {
- var endis;
- endis = !(!document.iform.disabled.checked || enable_over);
-
- document.iform.type[0].disabled = endis;
- document.iform.type[1].disabled = endis;
- document.iform.proto[0].disabled = endis;
- document.iform.proto[1].disabled = endis;
- document.iform.sport.disabled = endis;
- document.iform.saddr.disabled = endis;
- document.iform.ver[0].disabled = endis;
- document.iform.ver[1].disabled = endis;
- document.iform.descr.disabled = endis;
- document.iform.authentication_method.disabled = endis;
- document.iform.ca_cert.disabled = endis;
- document.iform.cli_cert.disabled = endis;
- document.iform.cli_key.disabled = endis;
- document.iform.crypto.disabled = endis;
- document.iform.comp_method.disabled = endis;
- document.iform.ns_cert_type.disabled = endis;
- document.iform.pull.disabled = endis;
- document.iform.tlsauth.disabled = endis;
- document.iform.lipaddr.disabled = endis;
- document.iform.ripaddr.disabled = endis;
- document.iform.netmask.disabled = endis;
- document.iform.psk.disabled = endis;
- document.iform.expertmode_enabled.disabled = endis;
- document.iform.expertmode_options.disabled = endis;
-
- if (!document.iform.disabled.checked) {
- tls_change(enable_over);
- expertmode_change(enable_over);
- methodsel_change(enable_over);
- }
-}
-
-function expertmode_change(enable_over) {
- var endis;
- endis = !(document.iform.expertmode_enabled.checked || enable_over);
-
- document.iform.expertmode_options.disabled = endis;
-}
-
-function tls_change(enable_over) {
- var endis;
- endis = !(document.iform.tlsauth.checked || enable_over);
-
- document.iform.psk.disabled = endis;
-}
-
-function methodsel_change(enable_over) {
- var endis;
-
- switch (document.iform.authentication_method.selectedIndex) {
- case 1: /* rsa */
- if (get_radio_value(document.iform.type) == "tap") {
- /* tap */
- document.iform.bridge.disabled = 0;
- } else {
- /* tun */
- document.iform.bridge.disabled = 1;
- document.iform.bridge.selectedIndex = 0;
- }
-
- document.iform.psk.disabled = 1;
- document.iform.ca_cert.disabled = 0;
- document.iform.cli_cert.disabled = 0;
- document.iform.cli_key.disabled = 0;
- document.iform.ns_cert_type.disabled = 0;
- document.iform.tlsauth.disabled = 0;
- document.iform.lipaddr.disabled = 1;
- document.iform.ripaddr.disabled = 1;
- document.iform.netmask.disabled = 1;
- document.iform.pull.disabled = 0;
- tls_change();
- break;
- default: /* pre-shared */
- if (get_radio_value(document.iform.type) == "tap") {
- /* tap */
- document.iform.ripaddr.disabled = 1;
- document.iform.netmask.disabled = 0;
- } else {
- /* tun */
- document.iform.ripaddr.disabled = 0;
- document.iform.netmask.disabled = 1;
- }
-
- document.iform.lipaddr.disabled = 0;
- document.iform.psk.disabled = 0;
- document.iform.ca_cert.disabled = 1;
- document.iform.cli_cert.disabled = 1;
- document.iform.cli_key.disabled = 1;
- document.iform.ns_cert_type.disabled = 1;
- document.iform.tlsauth.disabled = 1;
- document.iform.bridge.disabled = 1;
- document.iform.bridge.selectedIndex = 0;
- document.iform.pull.disabled = 1;
- break;
- }
-
- if (enable_over) {
- document.iform.psk.disabled = 0;
- document.iform.ca_cert.disabled = 0;
- document.iform.cli_cert.disabled = 0;
- document.iform.cli_key.disabled = 0;
- document.iform.tlsauth.disabled = 0;
- document.iform.bridge.disabled = 0;
- document.iform.lipaddr.disabled = 0;
- document.iform.ripaddr.disabled = 0;
- document.iform.netmask.disabled = 0;
- document.iform.pull.disabled = 0;
- }
-}
-
-function get_radio_value(obj) {
- for (i = 0; i < obj.length; i++) {
- if (obj[i].checked)
- return obj[i].value;
- }
- return null;
-}
-
-//-->
-</script>
-<form action="vpn_openvpn_cli_edit.php" method="post" enctype="multipart/form-data" name="iform" id="iform">
-<strong><span class="red">WARNING: This feature is experimental and modifies your optional interface configuration.
- Backup your configuration before using OpenVPN, and restore it before upgrading.<br>&nbsp;<br>
-</span></strong>
- <table width="100%" border="0" cellpadding="6" cellspacing="0">
- <tr>
- <td width="22%" valign="top" class="vncellreq">Disabled</td>
- <td width="78%" class="vtable">
- <input name="disabled" type="checkbox" id="disabled" value="yes" onclick="enable_change(false)" <?php if (!isset($pconfig['enable'])) echo "checked"; ?>>
- <strong>Disable this client</strong><br>
- <span class="vexpl">Set this option to disable this client without removing it from the list.</span>
- </td>
- </tr>
-
- <tr>
- <td colspan="2" class="list" height="12"></td>
- </tr>
-
- <tr>
- <td colspan="2" valign="top" class="listtopic">Server information</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncellreq">Address</td>
- <td width="78%" class="vtable">
- <input name="saddr" type="text" class="formfld" size="20" maxlength="255" value="<?=htmlspecialchars($pconfig['saddr']);?>">
- <br>
- Enter the server's IP address or FQDN.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncellreq">Port</td>
- <td width="78%" class="vtable">
- <input name="sport" type="text" class="formfld" size="5" maxlength="5" value="<?=htmlspecialchars($pconfig['sport']);?>"><br>
- Enter the server's port number (default is 1194).</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncellreq">Version</td>
- <td width="78%" class="vtable">
- <input name="ver" type="radio" class="formfld" value="2" <?php if ($pconfig['ver'] == '2') echo "checked"; ?>> 2.0&nbsp;
- <input name="ver" type="radio" class="formfld" value="1" <?php if ($pconfig['ver'] == '1') echo "checked"; ?>> 1.x
- <br>
- Specify which version of the OpenVPN protocol the server runs.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">Description</td>
- <td width="78%" class="vtable">
- <input name="descr" type="text" class="formfld" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>">
- <br> <span class="vexpl">You may enter a description here for your reference (not parsed).</span></td>
- </tr>
-
- <tr>
- <td colspan="2" class="list" height="12"></td>
- </tr>
-
- <tr>
- <td colspan="2" valign="top" class="listtopic">Cryptographic options</td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncellreq">Authentication method</td>
- <td width="78%" class="vtable">
- <select name="authentication_method" class="formfld" onchange="methodsel_change(false)">
- <?php foreach ($p1_authentication_methods as $method => $methodname): ?>
- <option value="<?=$method;?>" <?php if ($method == $pconfig['authentication_method']) echo "selected"; ?>>
- <?=htmlspecialchars($methodname);?>
- </option>
- <?php endforeach; ?>
- </select> <br> <span class="vexpl">Must match the setting chosen on the remote side.</span></td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncellreq">CA certificate</td>
- <td width="78%" class="vtable">
- <textarea name="ca_cert" cols="65" rows="4" class="formpre"><?=htmlspecialchars(base64_decode($pconfig['ca_cert']));?></textarea>
- <br>
- Paste a CA certificate in X.509 PEM format here.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncellreq">Client certificate</td>
- <td width="78%" class="vtable">
- <textarea name="cli_cert" cols="65" rows="4" class="formpre"><?=htmlspecialchars(base64_decode($pconfig['cli_cert']));?></textarea>
- <br>
- Paste a client certificate in X.509 PEM format here.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncellreq">Client key</td>
- <td width="78%" class="vtable">
- <textarea name="cli_key" cols="65" rows="4" class="formpre"><?=htmlspecialchars(base64_decode($pconfig['cli_key']));?></textarea>
- <br>Paste the client RSA private key here.</td>
- </tr>
-
-
- <tr>
- <td width="22%" valign="top" class="vncell">Crypto</td>
- <td width="78%" class="vtable">
- <select name="crypto" class="formfld">
- <?php $cipher_list = ovpn_get_cipher_list();
- foreach($cipher_list as $key => $value){
- ?>
- <option value="<?= $key ?>" <?php if ($pconfig['crypto'] == $key) echo "selected"; ?>>
- <?= $value ?>
- </option>
- <?php
- }
- ?>
- </select>
- <br>
- Select the data channel encryption cipher. This must match the setting on the server.
- </td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">nsCertType</td>
- <td width="78%" class="vtable">
- <input name="ns_cert_type" type="checkbox" value="yes" <?php if (isset($pconfig['ns_cert_type'])) echo "checked";?>>
- <strong>nsCertType</strong><br>
- Require that peer certificate was signed with an explicit
- nsCertType designation of "server".
- This is a useful security option for clients, to ensure that the
- host they connect with is a designated server.
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">TLS auth</td>
- <td width="78%" class="vtable">
- <input name="tlsauth" type="checkbox" value="yes" onclick="tls_change(false)" <?php if (isset($pconfig['tlsauth'])) echo "checked";?>>
- <strong>TLS auth</strong><br>
- The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">Pre-shared secret</td>
- <td width="78%" class="vtable">
- <textarea name="pre-shared-key" id="psk" cols="65" rows="4" class="formpre"><?=htmlspecialchars(base64_decode($pconfig['pre-shared-key']));?></textarea>
- <br>
- Paste your own pre-shared secret here.</td>
- </tr>
-
- <tr>
- <td colspan="2" class="list" height="12"></td>
- </tr>
-
- <tr>
- <td colspan="2" valign="top" class="listtopic">Client configuration</td>
- </tr>
-
- <tr>
- <td valign="top" class="vncellreq">Tunnel type</td>
- <td class="vtable">
- <input name="type" type="radio" class="formfld" value="tun" onclick="methodsel_change(false)" <?php if ($pconfig['type'] == 'tun') echo "checked"; ?>> TUN&nbsp;
- <input name="type" type="radio" class="formfld" value="tap" onclick="methodsel_change(false)" <?php if ($pconfig['type'] == 'tap') echo "checked"; ?>> TAP</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncellreq">Tunnel protocol</td>
- <td width="78%" class="vtable">
-<input name="proto" type="radio" class="formfld" value="udp" <?php if ($pconfig['proto'] == 'udp') echo "checked"; ?>> UDP&nbsp;
-<input name="proto" type="radio" class="formfld" value="tcp" <?php if ($pconfig['proto'] == 'tcp') echo "checked"; ?>> TCP<br>
- <span class="vexpl">Important: These settings must match the server's configuration.</span></td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">Interface</td>
- <td width="78%" class="vtable">
- <strong>Auto</strong>
- </td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">Port</td>
- <td width="78%" class="vtable">
- <strong>Auto</strong>
- </td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">Bridge with</td>
- <td width="78%" class="vtable">
- <select name="bridge" class="formfld" id="bridge" onchange="methodsel_change(false)">
- <option <?php if (!$pconfig['bridge']) echo "selected";?> value="">none</option>
- <?php $iflist = get_configured_interface_with_descr();
- foreach ($iflist as $if => $ifdesc) {
- if (!($config['interfaces'][$if]['ovpn']))
- $opts[$if] = "Optional " . $if . " (" . $ifdesc . ")";
- }
- foreach ($opts as $opt => $optname): ?>
- <option <?php if ($opt == $pconfig['bridge']) echo "selected";?> value="<?=htmlspecialchars($opt);?>">
- <?=htmlspecialchars($optname);?>
- </option>
- <?php endforeach; ?>
- </select> <br> <span class="vexpl">Only supported with authentication method set to RSA signature.</span>
- </td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">OpenVPN address assignment</td>
- <td width="78%" class="vtable">
- When using pre-shared keys, enter the IP address and subnet mask
- of the local and remote VPN endpoint here. For TAP devices, only the
- IP address of the local VPN endpoint is needed. The netmask is the subnet mask
- of the virtual ethernet segment which is being created or connected to.<br>
- <br>
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td>Local IP address:&nbsp;&nbsp;</td>
- <td valign="top"><input name="lipaddr" id="lipaddr" type="text" class="formfld" size="20" value="<?=htmlspecialchars($pconfig['lipaddr']);?>">
- /
- <select name="netmask" id="netmask" class="formfld">
- <?php for ($i = 30; $i > 19; $i--): ?>
- <option value="<?=$i;?>" <?php if ($i == $pconfig['netmask']) echo "selected"; ?>>
- <?=$i;?>
- </option>
- <?php endfor; ?>
- </select>
- </td>
- </tr>
- <tr>
- <td>Remote IP address:&nbsp;&nbsp;</td>
- <td valign="top"><input name="ripaddr" id="ripaddr" type="text" class="formfld" size="20" value="<?=htmlspecialchars($pconfig['ripaddr']);?>">
- </td>
- </tr>
- </table>
- </td>
- </tr>
-
- <tr>
- <td colspan="2" valign="top" height="12"></td>
- </tr>
- <tr>
- <td colspan="2" valign="top" class="listtopic">Client Options</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">Pull Options</td>
- <td width="78%" class="vtable">
- <input type="checkbox" name="pull" value="yes" <?php if ($pconfig['pull']) echo "checked"; ?>>
- <strong>Client-pull</strong><br>
- This option must be used on a client which is connecting to a
- multi-client server. It indicates to OpenVPN that it should
- accept options pushed by the server, provided they are part of the
- legal set of pushable options.
- </td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">Compression method</td>
- <td width="78%" class="vtable">
- <select name="comp_method" class="formfld" id="comp_method">
- <option <?php if (!$pconfig['comp_method']) echo "selected";?> value="">none</option>
- <?php $compression_method = array('lzo' => 'LZO', 'noadapt' => 'LZO (no adaptive)');
- foreach($compression_method as $comp_method => $comp_methodname): ?>
- <option value="<?=$comp_method;?>"
- <?php if ($comp_method == $pconfig['comp_method']) echo "selected";?>>
- <?=htmlspecialchars($comp_methodname);?>
- </option>
- <?php endforeach; ?>
- </select>
- <br>
- Choose which compression method to use.<br>
- <br>
- LZO compression generally improves performance on slow links,
- but may add up to 1 byte per packet for incompressible data.<br>
- <br>
- With adaptive compression, OpenVPN will periodically sample the
- compression process to measure its efficiency. If the data being
- sent over the tunnel is already compressed, the compression
- efficiency will be very low. Choose 'LZO (no adaptive)'
- to disable OpenVPN's adaptive compression algorithm.
- </td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">Expert mode</td>
- <td width="78%" class="vtable">
- <input name="expertmode_enabled" type="checkbox" value="yes" onclick="expertmode_change(false)" <?php if (isset($pconfig['expertmode_enabled'])) echo "checked"; ?>>
- <strong>Enable expert OpenVPN mode</strong><br>
- If this option is on, you can specify your own extra commands for the OpenVPN server.<br/>
- <textarea name="expertmode_options" id="expertmode_options" cols="65" rows="4" class="formpre"><?=htmlspecialchars($pconfig['expertmode_options']);?></textarea>
- <strong><span class="red">Note:</span></strong><br>
- Commands in expert mode aren't supported.
- </td>
- </tr>
-
- <tr>
- <td width="22%" valign="top">&nbsp;</td>
- <td width="78%">
- <input name="Submit" type="submit" class="formbtn" value="Save" onclick="methodsel_change(true);tls_change(true);expertmode_change(true);enable_change(true)">
- <?php if (isset($id)): ?>
- <input name="id" type="hidden" value="<?=$id;?>">
- <?php endif; ?>
- </td>
- </tr>
- </table>
-</form>
-<script language="JavaScript">
-<!--
-tls_change(false);
-methodsel_change(false);
-expertmode_change(false);
-enable_change(false);
-//-->
-</script>
-<?php include("fend.inc"); ?>
diff --git a/usr/local/www/vpn_openvpn_client.php b/usr/local/www/vpn_openvpn_client.php
new file mode 100644
index 0000000..4f42e40
--- /dev/null
+++ b/usr/local/www/vpn_openvpn_client.php
@@ -0,0 +1,615 @@
+<?php
+/*
+ vpn_openvpn_client.php
+
+ Copyright (C) 2008 Shrew Soft Inc.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+##|+PRIV
+##|*IDENT=page-openvpn-client
+##|*NAME=OpenVPN: Client page
+##|*DESCR=Allow access to the 'OpenVPN: Client' page.
+##|*MATCH=vpn_openvpn_client.php*
+##|-PRIV
+
+
+require("guiconfig.inc");
+
+$pgtitle = array("OpenVPN", "Client");
+
+if (!is_array($config['openvpn']['openvpn-client']))
+ $config['openvpn']['openvpn-client'] = array();
+
+$a_client = &$config['openvpn']['openvpn-client'];
+
+$id = $_GET['id'];
+if (isset($_POST['id']))
+ $id = $_POST['id'];
+
+$act = $_GET['act'];
+if (isset($_POST['act']))
+ $act = $_POST['act'];
+
+if ($_GET['act'] == "del") {
+
+ if (!$a_client[$id]) {
+ pfSenseHeader("vpn_openvpn_client.php");
+ exit;
+ }
+
+ openvpn_delete('client', $id);
+ unset($a_client[$id]);
+ write_config();
+ $savemsg = gettext("Client successfully deleted")."<br/>";
+}
+
+if($_GET['act']=="edit"){
+
+ if (isset($id) && $a_client[$id]) {
+
+ $pconfig['disable'] = $a_client[$id]['disable'];
+ $pconfig['protocol'] = $a_client[$id]['protocol'];
+ $pconfig['interface'] = $a_client[$id]['interface'];
+ $pconfig['local_port'] = $a_client[$id]['local_port'];
+ $pconfig['server_addr'] = $a_client[$id]['server_addr'];
+ $pconfig['server_port'] = $a_client[$id]['server_port'];
+ $pconfig['resolve_retry'] = $a_client[$id]['resolve_retry'];
+ $pconfig['proxy_addr'] = $a_client[$id]['proxy_addr'];
+ $pconfig['proxy_port'] = $a_client[$id]['proxy_port'];
+ $pconfig['description'] = $a_client[$id]['description'];
+
+ $pconfig['auth_method'] = $a_client[$id]['auth_method'];
+ if ($pconfig['auth_method'] == "shared_key")
+ $pconfig['shared_key'] = base64_decode($a_client[$id]['shared_key']);
+ else {
+ $pconfig['caref'] = $a_client[$id]['caref'];
+ $pconfig['certref'] = $a_client[$id]['certref'];
+ }
+ $pconfig['crypto'] = $a_client[$id]['crypto'];
+
+ $pconfig['tunnel_network'] = $a_client[$id]['tunnel_network'];
+ $pconfig['remote_network'] = $a_client[$id]['remote_network'];
+ $pconfig['compression'] = $a_client[$id]['compression'];
+ $pconfig['settos'] = $a_client[$id]['settos'];
+ }
+}
+
+if ($_POST) {
+
+ unset($input_errors);
+ $pconfig = $_POST;
+
+ /* input validation */
+ if ($result = openvpn_validate_host($pconfig['server_addr'], 'Server host or address'))
+ $input_errors[] = $result;
+
+ if ($result = openvpn_validate_port($pconfig['server_port'], 'Server port'))
+ $input_errors[] = $result;
+
+ if ($pconfig['proxy_addr']) {
+
+ if ($result = openvpn_validate_host($pconfig['proxy_addr'], 'Proxy host or address'))
+ $input_errors[] = $result;
+
+ if ($result = openvpn_validate_port($pconfig['proxy_port'], 'Proxy port'))
+ $input_errors[] = $result;
+ }
+
+ if ($result = openvpn_validate_cidr($pconfig['tunnel_network'], 'Tunnel network'))
+ $input_errors[] = $result;
+
+ if ($result = openvpn_validate_cidr($pconfig['remote_network'], 'Remote network'))
+ $input_errors[] = $result;
+
+ if ($pconfig['auth_method'] == 'shared_key')
+ if (!strstr($pconfig['shared_key'], "-----BEGIN OpenVPN Static key V1-----") ||
+ !strstr($pconfig['shared_key'], "-----END OpenVPN Static key V1-----"))
+ $input_errors[] = "The field 'Shared Key' does not appear to be valid";
+
+ if ($pconfig['auth_method'] == 'shared_key') {
+ $reqfields[] = 'shared_key';
+ $reqfieldsn[] = 'Shared key';
+ } else {
+ $reqfields[] = explode(" ", "caref certref");
+ $reqfieldsn[] = explode(",", "Certificate Authority,Certificate");;
+ }
+
+ do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
+
+ if (!$input_errors) {
+
+ $client = array();
+
+ if (isset($id) && $a_client[$id])
+ $client['vpnid'] = $a_client[$id]['vpnid'];
+ else
+ $client['vpnid'] = openvpn_vpnid_next();
+
+ $client['disable'] = $pconfig['disable'];
+ $client['protocol'] = $pconfig['protocol'];
+ $client['interface'] = $pconfig['interface'];
+ $client['local_port'] = $pconfig['local_port'];
+ $client['server_addr'] = $pconfig['server_addr'];
+ $client['server_port'] = $pconfig['server_port'];
+ $client['resolve_retry'] = $pconfig['resolve_retry'];
+ $client['proxy_addr'] = $pconfig['proxy_addr'];
+ $client['proxy_port'] = $pconfig['proxy_port'];
+ $client['description'] = $pconfig['description'];
+
+ $client['auth_method'] = $pconfig['auth_method'];
+ if ($client['auth_method'] == "shared_key")
+ $client['shared_key'] = base64_encode($pconfig['shared_key']);
+ else {
+ $client['caref'] = $pconfig['caref'];
+ $client['certref'] = $pconfig['certref'];
+ }
+ $client['crypto'] = $pconfig['crypto'];
+
+ $client['tunnel_network'] = $pconfig['tunnel_network'];
+ $client['remote_network'] = $pconfig['remote_network'];
+ $client['compression'] = $pconfig['compression'];
+
+ if (isset($id) && $a_client[$id])
+ $a_client[$id] = $client;
+ else
+ $a_client[] = $client;
+
+ openvpn_resync('client', $id);
+ write_config();
+
+ header("Location: vpn_openvpn_client.php");
+ exit;
+ }
+}
+
+include("head.inc");
+
+?>
+
+<body link="#000000" vlink="#000000" alink="#000000" onload="<?= $jsevents["body"]["onload"] ?>">
+<?php include("fbegin.inc"); ?>
+<script language="JavaScript">
+<!--
+
+function method_change() {
+ index = document.iform.auth_method.selectedIndex;
+ value = document.iform.auth_method.options[index].value;
+ switch(value) {
+ case "pki":
+ document.getElementById("pki_ca").style.display="";
+ document.getElementById("pki_cert").style.display="";
+ document.getElementById("psk").style.display="none";
+ break;
+ case "shared_key":
+ document.getElementById("pki_ca").style.display="none";
+ document.getElementById("pki_cert").style.display="none";
+ document.getElementById("psk").style.display="";
+ break;
+ }
+}
+
+//-->
+</script>
+<?php
+ if ($input_errors)
+ print_input_errors($input_errors);
+ if ($savemsg)
+ print_info_box($savemsg);
+?>
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td class="tabnavtbl">
+ <ul id="tabnav">
+ <?php
+ $tab_array = array();
+ $tab_array[] = array(gettext("Server"), false, "vpn_openvpn_server.php");
+ $tab_array[] = array(gettext("Client"), true, "vpn_openvpn_client.php");
+ $tab_array[] = array(gettext("Client Specific Overrides"), false, "vpn_openvpn_csc.php");
+ display_top_tabs($tab_array);
+ ?>
+ </ul>
+ </td>
+ </tr>
+ <tr>
+ <td class="tabcont">
+
+ <?php if($act=="new" || $act=="edit"): ?>
+
+ <form action="vpn_openvpn_client.php" method="post" name="iform" id="iform" onsubmit="presubmit()">
+ <table width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Disabled</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['disable'],$chk); ?>
+ <input name="disable" type="checkbox" value="yes" <?=$chk;?>/>
+ </td>
+ <td>
+ &nbsp;
+ <span class="vexpl">
+ <strong>Disable this client</strong><br>
+ </span>
+ </td>
+ </tr>
+ </table>
+ Set this option to disable this client without removing it from the list.
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq"><?=gettext("Protocol");?></td>
+ <td width="78%" class="vtable">
+ <select name='protocol' class="formselect">
+ <?php
+ foreach ($openvpn_prots as $prot):
+ $selected = "";
+ if ($pconfig['protocol'] == $prot)
+ $selected = "selected";
+ ?>
+ <option value="<?=$prot;?>" <?=$selected;?>><?=$prot;?></option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Interface</td>
+ <td width="78%" class="vtable">
+ <select name="interface" class="formselect">
+ <?php
+ $interfaces = get_configured_interface_with_descr();
+ $carpips = find_number_of_needed_carp_interfaces();
+ for ($i=0; $i<$carpips; $i++) {
+ $carpip = find_interface_ip("carp" . $i);
+ $interfaces['carp' . $i] = "CARP{$i} ({$carpip})";
+ }
+ foreach ($interfaces as $iface => $ifacename):
+ ?>
+ <option value="<?=$iface;?>" <?php if ($iface == $pconfig['interface']) echo "selected"; ?>>
+ <?=htmlspecialchars($ifacename);?>
+ </option>
+ <?php endforeach; ?>
+ </select> <br>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("Local port");?></td>
+ <td width="78%" class="vtable">
+ <input name="local_port" type="text" class="formfld unknown" size="5" value="<?=htmlspecialchars($pconfig['local_port']);?>"/>
+ <br/>
+ Set this option if you would like to bind to a specific port.
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq"><?=gettext("Server host or address");?></td>
+ <td width="78%" class="vtable">
+ <input name="server_addr" type="text" class="formfld unknown" size="30" value="<?=htmlspecialchars($pconfig['server_addr']);?>"/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq"><?=gettext("Server port");?></td>
+ <td width="78%" class="vtable">
+ <input name="server_port" type="text" class="formfld unknown" size="5" value="<?=htmlspecialchars($pconfig['server_port']);?>"/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("Proxy host or address");?></td>
+ <td width="78%" class="vtable">
+ <input name="proxy_addr" type="text" class="formfld unknown" size="30" value="<?=htmlspecialchars($pconfig['proxy_addr']);?>"/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("Proxy port");?></td>
+ <td width="78%" class="vtable">
+ <input name="proxy_port" type="text" class="formfld unknown" size="5" value="<?=htmlspecialchars($pconfig['proxy_port']);?>"/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Server host name resolution</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['resolve_retry'],$chk); ?>
+ <input name="compression" type="checkbox" value="yes" <?=$chk;?>>
+ </td>
+ <td>
+ <span class="vexpl">
+ Infinitely resolve server
+ </span>
+ </td>
+ </tr>
+ </table>
+ Continuously attempt to resolve the server host
+ name. Useful when communicating with a server
+ that is not permanently connected to the internet.
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Description</td>
+ <td width="78%" class="vtable">
+ <input name="description" type="text" class="formfld unknown" size="30" value="<?=htmlspecialchars($pconfig['description']);?>">
+ <br>
+ You may enter a description here for your reference (not parsed).
+ </td>
+ </tr>
+ <tr>
+ <td colspan="2" class="list" height="12"></td>
+ </tr>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic">Cryptographic Settings</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Authentication Method</td>
+ <td width="78%" class="vtable">
+ <select name='auth_method' id='auth_method' class="formselect" onchange='method_change()'>
+ <?php
+ foreach ($openvpn_auth_methods as $method => $name):
+ $selected = "";
+ if ($pconfig['auth_method'] == $method)
+ $selected = "selected";
+ ?>
+ <option value="<?=$method;?>" <?=$selected;?>><?=$name;?></option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ </tr>
+ <tr id="pki_ca">
+ <td width="22%" valign="top" class="vncellreq">Certificate Authority</td>
+ <td width="78%" class="vtable">
+ <select name='caref' class="formselect">
+ <?php
+ foreach ($config['system']['ca'] as $ca):
+ $selected = "";
+ if ($pconfig['caref'] == $ca['refid'])
+ $selected = "selected";
+ ?>
+ <option value="<?=$ca['refid'];?>" <?=$selected;?>><?=$ca['name'];?></option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ </tr>
+ <tr id="pki_cert">
+ <td width="22%" valign="top" class="vncellreq">Certificate</td>
+ <td width="78%" class="vtable">
+ <select name='certref' class="formselect">
+ <?php
+ foreach ($config['system']['cert'] as $cert):
+ $selected = "";
+ if ($pconfig['certref'] == $cert['refid'])
+ $selected = "selected";
+ ?>
+ <option value="<?=$cert['refid'];?>" <?=$selected;?>><?=$cert['name'];?></option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ </tr>
+ <tr id="psk">
+ <td width="22%" valign="top" class="vncellreq">Shared Key</td>
+ <td width="78%" class="vtable">
+ <textarea name="shared_key" cols="65" rows="7" class="formpre"><?=htmlspecialchars($pconfig['shared_key']);?></textarea>
+ <br/>
+ Paste your shared key here.
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Encryption algorithm</td>
+ <td width="78%" class="vtable">
+ <select name="crypto" class="formselect">
+ <?php
+ $cipherlist = openvpn_get_cipherlist();
+ foreach ($cipherlist as $name => $desc):
+ $selected = '';
+ if ($name == $pconfig['crypto'])
+ $selected = ' selected';
+ ?>
+ <option value="<?=$name;?>"<?=$selected?>>
+ <?=htmlspecialchars($desc);?>
+ </option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ </tr>
+ <tr>
+ <td colspan="2" class="list" height="12"></td>
+ </tr>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic">Tunnel Settings</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Tunnel Network</td>
+ <td width="78%" class="vtable">
+ <input name="tunnel_network" type="text" class="formfld unknown" size="20" value="<?=htmlspecialchars($pconfig['tunnel_network']);?>">
+ <br>
+ This is the virtual network used for private
+ communications between this client and the
+ server expressed using CIDR (eg. 10.0.8.0/24).
+ The first network address is assumed to be the
+ server address and the second network address
+ will be assigned to the client virtual
+ interface.
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Remote Network</td>
+ <td width="78%" class="vtable">
+ <input name="remote_network" type="text" class="formfld unknown" size="20" value="<?=htmlspecialchars($pconfig['remote_network']);?>">
+ <br>
+ This is a network that will be routed through
+ the tunnel, so that a site-to-site VPN can be
+ established without manually changing the
+ routing tables. Expressed as a CIDR range. If
+ this is a site-to-site VPN, enter here the
+ remote LAN here. You may leave this blank to
+ only communicate with other clients.
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("Limit outgoing bandwidth");?></td>
+ <td width="78%" class="vtable">
+ <input name="use_shaper" type="text" class="formfld unknown" size="5" value="<?=htmlspecialchars($pconfig['use_shaper']);?>"/>
+ <br/>
+ Maximum outgoing bandwidth for this tunnel.
+ Leave empty for no limit. The input value has
+ to be something between 100 bytes/sec and 100
+ Mbytes/sec (entered as bytes per second).
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Compression</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['compression'],$chk); ?>
+ <input name="compression" type="checkbox" value="yes" <?=$chk;?>>
+ </td>
+ <td>
+ <span class="vexpl">
+ Compress tunnel packets using the LZO algorithm.
+ </span>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Type-of-Service</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['settos'],$chk); ?>
+ <input name="settos" type="checkbox" value="yes" <?=$chk;?>>
+ </td>
+ <td>
+ <span class="vexpl">
+ Set the TOS IP header value of tunnel packets to match the encapsulated packet value.
+ </span>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top">&nbsp;</td>
+ <td width="78%">
+ <input name="save" type="submit" class="formbtn" value="Save">
+ <input name="act" type="hidden" value="<?=$act;?>">
+ <?php if (isset($id) && $a_client[$id]): ?>
+ <input name="id" type="hidden" value="<?=$id;?>">
+ <?php endif; ?>
+ </td>
+ </tr>
+ </table>
+ </form>
+
+ <?php else: ?>
+
+ <table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td width="10%" class="listhdrr">Disabled</td>
+ <td width="10%" class="listhdrr">Protocol</td>
+ <td width="30%" class="listhdrr">Server</td>
+ <td width="40%" class="listhdrr">Description</td>
+ <td width="10%" class="list"></td>
+ </tr>
+ <?php
+ $i = 0;
+ foreach($a_client as $client):
+ $disabled = "NO";
+ if ($client['disable'])
+ $disabled = "YES";
+ $server = "{$client['server_addr']}:{$client['server_port']}";
+ ?>
+ <tr>
+ <td class="listlr">
+ <?=$disabled;?>
+ </td>
+ <td class="listr">
+ <?=htmlspecialchars($client['protocol']);?>
+ </td>
+ <td class="listr">
+ <?=htmlspecialchars($server);?>
+ </td>
+ <td class="listr">
+ <?=htmlspecialchars($client['description']);?>
+ </td>
+ <td valign="middle" nowrap class="list">
+ <a href="vpn_openvpn_client.php?act=edit&id=<?=$i;?>">
+ <img src="./themes/<?=$g['theme'];?>/images/icons/icon_e.gif" title="edit client" width="17" height="17" border="0">
+ </a>
+ &nbsp;
+ <a href="vpn_openvpn_client.php?act=del&id=<?=$i;?>" onclick="return confirm('Do you really want to delete this client?')">
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" title="delete client" width="17" height="17" border="0">
+ </a>
+ </td>
+ </tr>
+ <?php
+ $i++;
+ endforeach;
+ ?>
+ <tr>
+ <td class="list" colspan="4"></td>
+ <td class="list">
+ <a href="vpn_openvpn_client.php?act=new"><img src="./themes/<?=$g['theme'];?>/images/icons/icon_plus.gif" title="add client" width="17" height="17" border="0">
+ </a>
+ </td>
+ </tr>
+ <tr>
+ <td colspan="4">
+ <p>
+ <?=gettext("Additional OpenVPN clients can be added here.");?>
+ </p>
+ </td>
+ </tr>
+ </table>
+
+ <? endif; ?>
+
+ </td>
+ </tr>
+</table>
+<script language="JavaScript">
+<!--
+method_change();
+//-->
+</script>
+</body>
+<?php include("fend.inc"); ?>
+
+<?php
+
+/* local utility functions */
+
+function set_checked($var,& $chk) {
+ if($var)
+ $chk = 'checked';
+ else
+ $chk = '';
+}
+
+?>
+
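Review bot: The required-field check in the POST handler never runs, because the arrays are filled as `$reqfields`/`$reqfieldsn` but `do_input_validation()` is called with the undefined `$reqdfields`/`$reqdfieldsn`, and the PKI branch pushes the `explode()` results as nested arrays rather than merging them, so a PKI client can be saved with an empty CA or certificate reference. I would build the arrays under the names the call actually uses, as in the excerpt below. Separately, the "Server host name resolution" checkbox is named `compression` instead of `resolve_retry`, and `settos` and `use_shaper` are never copied into `$client`, so those options are silently dropped on save. The delete path is also triggered purely by a GET link `?act=del&id=N` guarded only by a client-side `confirm()`, which makes it a CSRF-able state change; if the rest of the UI has no token scheme, at least moving deletion to a POST would be prudent.
```php
    if ($pconfig['auth_method'] == 'shared_key') {
        $reqdfields = array('shared_key');
        $reqdfieldsn = array('Shared key');
    } else {
        $reqdfields = array('caref', 'certref');
        $reqdfieldsn = array('Certificate Authority', 'Certificate');
    }

    do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
    // … unchanged: save path and redirect …
```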
diff --git a/usr/local/www/vpn_openvpn_create_certs.php b/usr/local/www/vpn_openvpn_create_certs.php
deleted file mode 100755
index 3cd847f..0000000
--- a/usr/local/www/vpn_openvpn_create_certs.php
+++ /dev/null
@@ -1,358 +0,0 @@
-<?php
-/* $Id$ */
-/*
- system_advanced_create_certs.php
- part of pfSense
-
- Copyright (C) 2004 Scott Ullrich
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-##|+PRIV
-##|*IDENT=page-vpn-openvpn-createcerts
-##|*NAME=VPN: OpenVPN: Create Certs page
-##|*DESCR=Allow access to the 'VPN: OpenVPN: Create Certs' page.
-##|*MATCH=vpn_openvpn_create_certs.php*
-##|-PRIV
-
-
-require("guiconfig.inc");
-
-function get_file_contents($filename) {
- $filecontents = "";
- if(file_exists($filename)) {
- $fd = fopen($filename, "r");
- $tmp = fread($fd,8096);
- $filecontents .= $tmp;
- fclose($fd);
- return $filecontents;
- }
- return "File not found " . $filename;
-}
-
-$fd = fopen("/etc/ssl/openssl.cnf", "r");
-$openssl = fread($fd,8096);
-fclose($fd);
-
-/* Lets match the fileds in the read in file and
- populate the variables for the form */
-preg_match('/\nC\=(.*)\n/', $openssl, $countrycodeA);
-preg_match('/\nST\=(.*)\n/', $openssl, $stateorprovinceA);
-preg_match('/\nL\=(.*)\n/', $openssl, $citynameA);
-preg_match('/\nO\=(.*)\n/', $openssl, $orginizationnameA);
-preg_match('/\nOU\=(.*)\n/', $openssl, $orginizationdepartmentA);
-preg_match('/\nCN\=(.*)\n/', $openssl, $commonnameA);
-
-$countrycode = $countrycodeA[1];
-$stateorprovince = $stateorprovinceA[1];
-$cityname = $citynameA[1];
-$orginizationname = $orginizationnameA[1];
-$orginizationdepartment = $orginizationdepartmentA[1];
-$commonname = $commonnameA[1];
-
-if ($_POST) {
-
- /* Grab posted variables and create a new openssl.cnf */
- $countrycode=$_POST['countrycode'];
- $stateorprovince=$_POST['stateorprovince'];
- $cityname=$_POST['cityname'];
- $orginizationname=$_POST['orginizationname'];
- $orginizationdepartment=$_POST['orginizationdepartment'];
- $commonname=$_POST['commonname'];
-
- /* Write out /etc/ssl/openssl.cnf */
- $fd = fopen("/etc/ssl/openssl.cnf", "w");
- fwrite($fd, "");
- fwrite($fd, "[ req ]\n");
- fwrite($fd, "distinguished_name=req_distinguished_name \n");
- fwrite($fd, "req_extensions = v3_req \n");
- fwrite($fd, "prompt=no\n");
- fwrite($fd, "default_bits = 1024\n");
- fwrite($fd, "default_keyfile = privkey.pem\n");
- fwrite($fd, "distinguished_name = req_distinguished_name\n");
- fwrite($fd, "attributes = req_attributes\n");
- fwrite($fd, "x509_extensions = v3_ca # The extentions to add to the self signed cert\n");
- fwrite($fd, "[ req_distinguished_name ] \n");
- fwrite($fd, "C=" . $countrycode . " \n");
- fwrite($fd, "ST=" . $stateorprovince. " \n");
- fwrite($fd, "L=" . $cityname . " \n");
- fwrite($fd, "O=" . $orginizationname . " \n");
- fwrite($fd, "OU=" . $orginizationdepartment . " \n");
- fwrite($fd, "CN=" . $commonname . " \n");
- fwrite($fd, "[EMAIL PROTECTED] \n");
- fwrite($fd, "[EMAIL PROTECTED] \n");
- fwrite($fd, "[ v3_req ] \n");
- fwrite($fd, "basicConstraints = critical,CA:FALSE \n");
- fwrite($fd, "keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement \n");
- fwrite($fd, "extendedKeyUsage=emailProtection,clientAuth \n");
- fwrite($fd, "[ ca ]\n");
- fwrite($fd, "default_ca = CA_default\n");
- fwrite($fd, "[ CA_default ]\n");
- fwrite($fd, "certificate = /tmp/cacert.pem \n");
- fwrite($fd, "private_key = /tmp/cakey.pem \n");
- fwrite($fd, "dir = /tmp/\n");
- fwrite($fd, "certs = /tmp/certs\n");
- fwrite($fd, "crl_dir = /tmp/crl\n");
- fwrite($fd, "database = /tmp/index.txt \n");
- fwrite($fd, "new_certs_dir = /tmp/newcerts \n");
- fwrite($fd, "serial = /tmp/serial \n");
- fwrite($fd, "crl = /tmp/crl.pem \n");
- fwrite($fd, "RANDFILE = /tmp/.rand \n");
- fwrite($fd, "x509_extensions = usr_cert \n");
- fwrite($fd, "name_opt = ca_default \n");
- fwrite($fd, "cert_opt = ca_default \n");
- fwrite($fd, "default_days = 365 \n");
- fwrite($fd, "default_crl_days = 30 \n");
- fwrite($fd, "default_md = md5 \n");
- fwrite($fd, "preserve = no \n");
- fwrite($fd, "policy = policy_match\n");
- fwrite($fd, "[ policy_match ]\n");
- fwrite($fd, "countryName = match\n");
- fwrite($fd, "stateOrProvinceName = match\n");
- fwrite($fd, "organizationName = match\n");
- fwrite($fd, "organizationalUnitName = optional\n");
- fwrite($fd, "commonName = supplied\n");
- fwrite($fd, "emailAddress = optional\n");
- fwrite($fd, "[ policy_anything ]\n");
- fwrite($fd, "countryName = optional\n");
- fwrite($fd, "stateOrProvinceName = optional\n");
- fwrite($fd, "localityName = optional\n");
- fwrite($fd, "organizationName = optional\n");
- fwrite($fd, "organizationalUnitName = optional\n");
- fwrite($fd, "commonName = supplied\n");
- fwrite($fd, "emailAddress = optional\n");
- fwrite($fd, "[ req_distinguished_name ]\n");
- fwrite($fd, "countryName = US\n");
- fwrite($fd, "[ req_attributes ]\n");
- fwrite($fd, "challengePassword = A challenge password\n");
- fwrite($fd, "unstructuredName = An optional company name\n");
- fwrite($fd, "[ usr_cert ]\n");
- fwrite($fd, "basicConstraints=CA:FALSE\n");
- fwrite($fd, "[ v3_ca ]\n");
- fwrite($fd, "subjectKeyIdentifier=hash\n");
- fwrite($fd, "authorityKeyIdentifier=keyid:always,issuer:always\n");
- fwrite($fd, "basicConstraints = CA:true\n");
- fwrite($fd, "[ crl_ext ]\n");
- fwrite($fd, "authorityKeyIdentifier=keyid:always,issuer:always\n");
- fclose($fd);
-
-$pgtitle = array("VPN","OpenVPN","Create Certs");
-
-include("head.inc");
-
-?>
-
-<script language="JavaScript">
-<!--
-function f(ta_id){
- var d=document, ta, rng;
- if(d.all){
- ta=d.all[ta_id];
- if(ta && ta.createTextRange){
- rng=ta.createTextRange();
- rng.collapse(false);
- rng.select();
- } else {
- ta_id.focus();
- ta_id.select();
- ta_id.blur();
- }
- }
-}
--->
-</script>
-
-<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-<?php include("fbegin.inc"); ?>
-<form action="system_advanced_create_certs.php" method="post" name="iform" id="iform">
-
- <?php if ($input_errors) print_input_errors($input_errors); ?>
- <?php if ($savemsg) print_info_box($savemsg); ?>
- <p>
- <textarea cols="55" rows="1" name="status" id="status" wrap="hard">One moment please... This will take a while!</textarea>
- <textarea cols="55" rows="25" name="output" id="output" wrap="hard"></textarea>
-</form>
-<?php include("fend.inc"); ?>
-</body>
-</html>
-
- <?php
-
- echo "<script language=\"JavaScript\">document.forms[0].status.value=\"Creating CA...\";</script>";
- mwexec("rm -rf /tmp/*");
- //mwexec("rm -rf /tmp/newcerts");
- safe_mkdir("/tmp/newcerts", 0755);
- touch("/tmp/index.txt");
- $fd = fopen("/tmp/serial","w");
- fwrite($fd, "01\n");
- fclose($fd);
-
- /*
- mkdir /tmp/newcerts
- touch /tmp/index.txt
- echo 01 > serial
- #Create The Certificate Authority Root Certificate
- cd /tmp/ && openssl req -nodes -new -x509 -keyout cakey.pem -out cacert.pem -config /etc/ssl/openssl.cnf
- #Create User Certificates
- cd /tmp/ && openssl req -nodes -new -keyout vpnkey.pem -out vpncert-req.pem -config /etc/ssl/openssl.cnf
- mkdir /tmp/newcerts
- openssl ca -out vpncert.pem -in vpncert-req.pem -batch
-
-
- # Diffie-Hellman Parameters (tls-server only)
- dh dh1024.pem
- # Root certificate
- ca CA-DB/cacert.pem
- # Server certificate
- cert vpncert.pem
- # Server private key
- key vpnkey.pem
- */
-
- execute_command_return_output("/usr/bin/openssl req -nodes -new -x509 -keyout /tmp/cakey.pem -out /tmp/cacert.pem -config /etc/ssl/openssl.cnf");
-
- echo "\n<script language=\"JavaScript\">document.forms[0].status.value=\"Creating Server Certificates...\";</script>";
-
- execute_command_return_output("/usr/bin/openssl req -nodes -new -keyout /tmp/vpnkey.pem -out /tmp/vpncert-req.pem -config /etc/ssl/openssl.cnf");
-
- execute_command_return_output("/usr/bin/openssl ca -out /tmp/vpncert.pem -in /tmp/vpncert-req.pem -batch");
-
- echo "\n<script language=\"JavaScript\">document.forms[0].status.value=\"Creating DH Parms...\";</script>";
-
- execute_command_return_output("/usr/bin/openssl dhparam -out /tmp/dh1024.pem 1024");
-
- echo "\n<script language=\"JavaScript\">document.forms[0].status.value=\"Done!\";</script>";
-
- //CLIENT
- //mwexec("openssl req -nodes -new -keyout home.key -out home.csr");
- //mwexec("openssl ca -out home.crt -in home.csr");
-
- $cacertA = get_file_contents("/tmp/cacert.pem");
- $serverkeyA = get_file_contents("/tmp/vpnkey.pem");
- $servercertA = get_file_contents("/tmp/vpncert.pem");
- $dhpemA = get_file_contents("/tmp/dh1024.pem");
-
- $cacert = ereg_replace("\n","\\n", $cacertA);
- $serverkey = ereg_replace("\n","\\n", $serverkeyA);
- $dhpem = ereg_replace("\n","\\n", $dhpemA);
- //$servercert = ereg_replace("\n","\\n", $servercertA);
-
- $tmp = strstr($servercertA, "-----BEGIN CERTIFICATE-----");
- $servercert = ereg_replace("\n","\\n", $tmp);
-
- ?>
- <script language="JavaScript">
- <!--
- var ca_cert ='<?= $cacert ?>';
- var srv_key ='<?= $serverkey ?>';
- var srv_cert ='<?= $servercert ?>';
- var dh_param ='<?= $dhpem ?>';
- opener.document.forms[0].ca_cert.value=ca_cert;
- opener.document.forms[0].server_key.value=srv_key;
- opener.document.forms[0].server_cert.value=srv_cert;
- opener.document.forms[0].dh_params.value=dh_param;
- this.close();
- -->
- </script>
-
-
-<?php
-
-} else {
-
- $pgtitle = 'OpenVPN: Create Certificates';
- include("head.inc");
-?>
-
- <body link="#0000CC" vlink="#0000CC" alink="#0000CC">
- <form action="vpn_openvpn_create_certs.php" method="post" name="iform" id="iform">
- <?php include("fbegin.inc"); ?>
- <p class="pgtitle">System: Advanced - Create Certificates</p>
-
- <table width="100%" border="0" cellpadding="6" cellspacing="0">
- <tr>
- <td width="35%" valign="top" class="vncell"><B>Country Code (2 Letters)</td>
- <td width="78%" class="vtable">
- <input name="countrycode" class="formfld unknown" value="<?=$countrycode?>">
- </span></td>
- </tr>
-
- <tr>
- <td width="35%" valign="top" class="vncell"><B>State or Province name</td>
- <td width="78%" class="vtable">
- <input name="stateorprovince" class="formfld unknown" value="<?=$stateorprovince?>">
- </span></td>
- </tr>
-
- <tr>
- <td width="35%" valign="top" class="vncell"><B>City name</td>
- <td width="78%" class="vtable">
- <input name="cityname" class="formfld unknown" value="<?=$cityname?>">
- </span></td>
- </tr>
-
- <tr>
- <td width="35%" valign="top" class="vncell"><B>Organization name</td>
- <td width="78%" class="vtable">
- <input name="orginizationname" class="formfld unknown" value="<?=$orginizationname?>">
- </span></td>
- </tr>
-
- <tr>
- <td width="35%" valign="top" class="vncell"><B>Organization department</td>
- <td width="78%" class="vtable">
- <input name="orginizationdepartment" class="formfld unknown" value="<?=$orginizationdepartment?>">
- </span></td>
- </tr>
-
- <tr>
- <td width="35%" valign="top" class="vncell"><B>Common Name (Your name)</td>
- <td width="78%" class="vtable">
- <input name="commonname" class="formfld unknown" value="<?=$commonname?>">
- </span></td>
- </tr>
-
- <!--
- <tr>
- <td width="35%" valign="top" class="vncell"><B>E-Mail address</td>
- <td width="78%" class="vtable">
- <input name="email" class="formfld unknown" value="<?=$email?>">
- </span></td>
- </tr>
- -->
-
- <tr>
- <td width="35%" valign="top">&nbsp;</td>
- <td width="78%">
- <input name="Submit" type="submit" class="formbtn" value="Save">
- </td>
- </tr>
- </table>
- <?php include("fend.inc"); ?>
- </body>
- </html>
-
-<?php
-}
-?>
diff --git a/usr/local/www/vpn_openvpn_crl.php b/usr/local/www/vpn_openvpn_crl.php
deleted file mode 100755
index 6314607..0000000
--- a/usr/local/www/vpn_openvpn_crl.php
+++ /dev/null
@@ -1,170 +0,0 @@
-<?php
-/*
- vpn_openvpn_crl.php
-
- Copyright (C) 2005 Peter Allgeyer (allgeyer@web.de).
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-require("guiconfig.inc");
-require_once("openvpn.inc");
-
-if (!is_array($config['ovpn']))
- $config['ovpn'] = array();
-if (!is_array($config['ovpn']['server'])){
- $config['ovpn']['server'] = array();
- $config['ovpn']['server']['tunnel'] = array();
-}
-if (!is_array($config['ovpn']['server']['crl']))
- $config['ovpn']['server']['crl'] = array();
-
-$ovpncrl = &$config['ovpn']['server']['crl'];
-
-$id = $_GET['id'];
-if (isset($_POST['id']))
- $id = $_POST['id'];
-
-
-if ($_POST['apply']) {
- $retval = 0;
- $retval = ovpn_server_crl_add();
-
- /* remove dirty flag */
- unlink_if_exists($d_ovpncrldirty_path);
-
- $savemsg = get_std_save_message($retval);
-}
-
-if ($_GET['act'] == "del") {
- if ($ovpncrl[$id]) {
- $ovpnent = $ovpncrl[$id];
-
- unset($ovpncrl[$id]);
- write_config();
-
- /* Remove crl file */
- ovpn_server_crl_del($ovpnent['crlname']);
-
- /* we should send a SIGUSR1 to openvpn daemon */
- touch($d_ovpncrldirty_path);
-
- header("Location: vpn_openvpn_crl.php");
- exit;
- }
-}
-
-$pgtitle = array("VPN","OpenVPN");
-include("head.inc");
-
-?>
-<?php include("fbegin.inc"); ?>
-<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-<?php if ($input_errors) print_input_errors($input_errors); ?>
-<?php if (file_exists($d_sysrebootreqd_path) && !file_exists($d_ovpncrldirty_path)) print_info_box(get_std_save_message(0)); ?>
-
-<form action="vpn_openvpn_crl.php" method="post" enctype="multipart/form-data" name="iform" id="iform">
-<?php if (file_exists($d_ovpncrldirty_path)): ?><p>
-<?php print_info_box_np("OpenVPN CRL files have been changed.<br>You must apply the changes in order for them to take effect.");?>
-<?php endif; ?>
-
-<table width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr><td>
- <?php
- $tab_array = array();
- $tab_array[] = array("Server", false, "vpn_openvpn_srv.php");
- $tab_array[] = array("Client", false, "vpn_openvpn_cli.php");
- $tab_array[] = array("Client-specific Configuration", false, "vpn_openvpn_ccd.php");
- $tab_array[] = array("CRL", true, "vpn_openvpn_crl.php");
- display_top_tabs($tab_array);
-?>
- </td></tr>
-
- <tr>
- <td>
- <div id="mainarea">
- <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
- <tr>
- <td class="vtable">
- <strong><span class="red">WARNING: This feature is experimental and modifies your optional interface configuration.
- Backup your configuration before using OpenVPN, and restore it before upgrading.
- </span></strong>
- </td>
- </tr>
- </table>
-
- <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr>
- <td width="40%" class="listhdrr">CRL name</td>
- <td width="50%" class="listhdr">Description</td>
- <td width="10%" class="list"></td>
- </tr>
- <?php $i = 0; foreach ($ovpncrl as $crl):
-
- if (!isset($crl['enable'])) {
- $spans = "<span class=\"gray\">";
- $spane = "</span>";
- } else {
- $spans = $spane = "";
- }
- ?>
-
- <tr>
- <td class="listlr"><?=$spans;?>
- <?= $crl['crlname'];?>
- <?=$spane;?></td>
- <td class="listbg"><?=$spans;?>
- <?= htmlspecialchars($crl['descr']);?>&nbsp;
- <?=$spane;?></td>
- <td valign="middle" nowrap class="list"><a href="vpn_openvpn_crl_edit.php?id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit CRL file" width="17" height="17" border="0"></a>
- &nbsp;<a href="vpn_openvpn_crl.php?act=del&id=<?=$i;?>" onclick="return confirm('Do you really want to delete this CRL file?')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete CRL file" width="17" height="17" border="0"></a></td>
- </tr>
- <?php $i++; endforeach; ?>
- <tr>
- <td class="list" colspan="2">&nbsp;</td>
- <td class="list"><a href="vpn_openvpn_crl_edit.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add CRL file" width="17" height="17" border="0"></a></td>
- </tr>
- <td colspan="4">
- <p><span class="vexpl"><span class="red"><strong>Note:</strong></span><br>
- A CRL (certificate revocation list) is used when a particular
- key is compromised but when the overall PKI is still intact.<br>
- <br>
- Suppose you had a PKI consisting of a CA, root certificate, and
- a number of client certificates. Suppose a laptop computer
- containing a client key and certificate was stolen. By adding the
- stolen certificate to the CRL file, you could reject any connection
- which attempts to use it, while preserving the overall
- integrity of the PKI.<br>
- <br>
- The only time when it would be necessary to rebuild the entire
- PKI from scratch would be if the root certificate key itself was
- compromised.
- </span>
- </p>
- </td>
- </table>
- </td>
-</tr>
-</table>
-</form>
-<?php include("fend.inc"); ?>
diff --git a/usr/local/www/vpn_openvpn_crl_edit.php b/usr/local/www/vpn_openvpn_crl_edit.php
deleted file mode 100755
index bfd0b79..0000000
--- a/usr/local/www/vpn_openvpn_crl_edit.php
+++ /dev/null
@@ -1,247 +0,0 @@
-<?php
-/*
- vpn_openvpn_crl_edit.php
-
- Copyright (C) 2005 Peter Allgeyer (allgeyer@web.de).
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-##|+PRIV
-##|*IDENT=page-vpn-openvpn-editcrl
-##|*NAME=VPN: OpenVPN: Edit CRL page
-##|*DESCR=Allow access to the 'VPN: OpenVPN: Edit CRL' page.
-##|*MATCH=vpn_openvpn_crl_edit.php*
-##|-PRIV
-
-
-require("guiconfig.inc");
-require_once("openvpn.inc");
-
-if (!is_array($config['ovpn']))
- $config['ovpn'] = array();
-if (!is_array($config['ovpn']['server']))
- $config['ovpn']['server'] = array();
-if (!is_array($config['ovpn']['server']['crl']))
- $config['ovpn']['server']['crl'] = array();
-
-$ovpncrl =& $config['ovpn']['server']['crl'];
-
-$id = $_GET['id'];
-if (isset($_POST['id']))
- $id = $_POST['id'];
-
-if (isset($id) && $ovpncrl[$id]) {
-
- $pconfig = $config['ovpn']['server']['crl'][$id];
-
- if (isset($ovpncrl[$id]['enable']))
- $pconfig['enable'] = true;
-
-} else {
- /* creating - set defaults */
- $pconfig = array();
- $pconfig['enable'] = true;
-}
-
-if ($_POST) {
-
- unset($input_errors);
- $pconfig = $_POST;
-
- /* input validation */
- $reqdfields = explode(" ", "crlname");
- $reqdfieldsn = explode(",", "Name");
-
- do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
-
- if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['crlname']))
- $input_errors[] = "The name contains invalid characters.";
-
- /* Editing an existing entry? */
- if (!$input_errors && !(isset($id) && $ovpncrl[$id])) {
- /* make sure there are no dupes */
- foreach ($ovpncrl as $crlent) {
- if ($crlent['crlname'] == $_POST['crlname']) {
- $input_errors[] = "Another entry with the same name already exists.";
- break;
- }
- }
- }
-
- /* check if a crl was given */
- if (is_uploaded_file($_FILES['filename']['tmp_name']) && !empty($_FILES['filename']['size'])) {
- $content = file_get_contents($_FILES['filename']['tmp_name']);
- } else if (!empty($_POST['crl_list'])) {
- $content = $_POST['crl_list'];
- } else {
- $content = "";
- $input_errors[] = "A valid X.509 CRL is required.";
- }
-
- /* check if crl is valid */
- if (!empty($content) &&
- (!strstr($content, "BEGIN X509 CRL") ||
- !strstr($content, "END X509 CRL")))
- $input_errors[] = "The X.509 CRL file content does not appear to be valid.";
-
- if (isset($id) && $ovpncrl[$id]) {
- $crlent = $ovpncrl[$id];
-
- /* Has the enable/disable state changed? */
- if (isset($crlent['enable']) && isset($_POST['disabled'])) {
- /* status changed to disabled */
- ovpn_crl_dirty($ovpncrl['crlname']);
- } else if (!isset($crlent['enable']) && !isset($_POST['disabled'])) {
- /* status changed to enable */
- ovpn_crl_dirty($ovpncrl['crlname']);
- }
- }
-
- if (!$input_errors) {
-
- $crlent = array();
-
- if (isset($id) && $ovpncrl[$id])
- $crlent = $ovpncrl[$id];
-
- $crlent['crlname'] = $_POST['crlname'];
- $crlent['descr'] = $_POST['descr'];
- $crlent['enable'] = $_POST['disabled'] ? false : true;
-
- /* file upload? */
- if ($_POST['crlname'] && is_uploaded_file($_FILES['filename']['tmp_name']))
- $crlent['crl_list'] = base64_encode(file_get_contents($_FILES['filename']['tmp_name']));
- else if (!empty($_POST['crl_list']))
- $crlent['crl_list'] = base64_encode($_POST['crl_list']);
-
- if (isset($id) && $ovpncrl[$id])
- $ovpncrl[$id] = $crlent;
- else
- $ovpncrl[] = $crlent;
-
- write_config();
- ovpn_crl_dirty($ovpncrl['crlname']);
-
- header("Location: vpn_openvpn_crl.php");
- exit;
-
- } else {
-
- $pconfig = $_POST;
-
- $pconfig['enable'] = "true";
- if (isset($_POST['disabled']))
- unset($pconfig['enable']);
-
- $pconfig['crl_list'] = base64_encode($_POST['crl_list']);
- }
-}
-
-$pgtitle = array("VPN","OpenVPN","Edit CRL");
-include("head.inc");
-
-?>
-<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-<?php include("fbegin.inc"); ?>
-<?php if ($input_errors) print_input_errors($input_errors);?>
-<script language="JavaScript">
-function enable_change(enable_over) {
- var endis;
- endis = !(!document.iform.disabled.checked || enable_over);
-
- document.iform.crlname.disabled = endis;
- document.iform.descr.disabled = endis;
- document.iform.crl_list.disabled = endis;
- document.iform.filename.disabled = endis;
-
-}
-
-//-->
-</script>
-<form action="vpn_openvpn_crl_edit.php" method="post" enctype="multipart/form-data" name="iform" id="iform">
-<strong><span class="red">WARNING: This feature is experimental and modifies your optional interface configuration.
- Backup your configuration before using OpenVPN, and restore it before upgrading.<br>&nbsp;<br>
-</span></strong>
-<table width="100%" border="0" cellpadding="6" cellspacing="0">
- <tr>
- <td width="22%" valign="top" class="vncellreq">Disabled</td>
- <td width="78%" class="vtable">
- <input name="disabled" type="checkbox" value="yes" onclick="enable_change(false)" <?php if (!isset($pconfig['enable'])) echo "checked"; ?>>
- <strong>Disable this X.509 CRL list</strong><br>
- <span class="vexpl">Set this option to on to disable this X.509 CRL file
- without removing it from the list.</span></td>
- </td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncellreq">Name</td>
- <td width="78%" class="vtable">
- <input name="crlname" type="text" class="formfld" id="crlname" size="40" value="<?=htmlspecialchars($pconfig['crlname']);?>">
- <br><span class="vexpl">Enter a unique name here, to describe the X.509 CRL list.</span></td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">Description</td>
- <td width="78%" class="vtable">
- <input name="descr" type="text" class="formfld" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>">
- <br><span class="vexpl">You may enter a description here for your reference (not parsed).</span></td>
- </tr>
-
- <tr>
- <td valign="top" class="vncellreq">X.509 CRL file content</td>
- <td class="vtable">
- <textarea name="crl_list" cols="65" rows="4" class="formpre"><?=htmlspecialchars(base64_decode($pconfig['crl_list']));?></textarea>
- <br>
- Paste the contents of a X.509 CRL file in PEM format here.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">X.509 CRL file</td>
- <td class="vtable">
- <input name="filename" type="file" class="formfld" id="filename"><br>
- Instead of pasting the contents of a X.509 CRL file above,
- you can upload a X.509 CRL file in PEM format here. It will
- overwrite the values entered in the "X.509 CRL file content"
- field.
- </td>
- </tr>
-
- <tr>
- <td width="22%" valign="top">&nbsp;</td>
- <td width="78%">
- <input name="Submit" type="submit" class="formbtn" value="Save" onclick="enable_change(true)">
- <?php if (isset($id)): ?>
- <input name="id" type="hidden" value="<?=$id;?>">
- <?php endif; ?>
- </td>
- </tr>
-</table>
-</form>
-<script language="JavaScript">
-<!--
-enable_change(false);
-//-->
-</script>
-<?php include("fend.inc");
-?>
diff --git a/usr/local/www/vpn_openvpn_csc.php b/usr/local/www/vpn_openvpn_csc.php
new file mode 100644
index 0000000..1866f75
--- /dev/null
+++ b/usr/local/www/vpn_openvpn_csc.php
@@ -0,0 +1,730 @@
+<?php
+/*
+ vpn_openvpn_csc.php
+
+ Copyright (C) 2008 Shrew Soft Inc.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+##|+PRIV
+##|*IDENT=page-openvpn-csc
+##|*NAME=OpenVPN: Client Specific Override page
+##|*DESCR=Allow access to the 'OpenVPN: Client Specific Override' page.
+##|*MATCH=vpn_openvpn_csc.php*
+##|-PRIV
+
+
+require("guiconfig.inc");
+
+$pgtitle = array("OpenVPN", "Client Specific Override");
+
+if (!is_array($config['openvpn']['openvpn-csc']))
+ $config['openvpn']['openvpn-csc'] = array();
+
+$a_csc = &$config['openvpn']['openvpn-csc'];
+
+$id = $_GET['id'];
+if (isset($_POST['id']))
+ $id = $_POST['id'];
+
+$act = $_GET['act'];
+if (isset($_POST['act']))
+ $act = $_POST['act'];
+
+if ($_GET['act'] == "del") {
+
+ if (!$a_csc[$id]) {
+ pfSenseHeader("vpn_openvpn_csc.php");
+ exit;
+ }
+
+ openvpn_delete_csc($id);
+ unset($a_csc[$id]);
+ write_config();
+ $savemsg = gettext("Client Specific Override successfully deleted")."<br/>";
+}
+
+if($_GET['act']=="edit"){
+
+ if (isset($id) && $a_csc[$id]) {
+
+ $pconfig['disable'] = $a_csc[$id]['disable'];
+ $pconfig['common_name'] = $a_csc[$id]['common_name'];
+ $pconfig['block'] = $a_csc[$id]['block'];
+ $pconfig['description'] = $a_csc[$id]['description'];
+
+ $pconfig['tunnel_network'] = $a_csc[$id]['tunnel_network'];
+ $pconfig['gwredir'] = $a_csc[$id]['gwredir'];
+
+ $pconfig['push_reset'] = $a_csc[$id]['push_reset'];
+
+ $pconfig['dns_domain'] = $a_csc[$id]['dns_domain'];
+ if ($pconfig['dns_domain'])
+ $pconfig['dns_domain_enable'] = true;
+
+ $pconfig['dns_server1'] = $a_csc[$id]['dns_server1'];
+ $pconfig['dns_server2'] = $a_csc[$id]['dns_server2'];
+ $pconfig['dns_server3'] = $a_csc[$id]['dns_server3'];
+ $pconfig['dns_server4'] = $a_csc[$id]['dns_server4'];
+ if ($pconfig['dns_server1'] ||
+ $pconfig['dns_server2'] ||
+ $pconfig['dns_server3'] ||
+ $pconfig['dns_server4'])
+ $pconfig['dns_server_enable'] = true;
+
+ $pconfig['ntp_server1'] = $a_csc[$id]['ntp_server1'];
+ $pconfig['ntp_server2'] = $a_csc[$id]['ntp_server2'];
+ if ($pconfig['ntp_server1'] ||
+ $pconfig['ntp_server2'])
+ $pconfig['ntp_server_enable'] = true;
+
+ $pconfig['netbios_enable'] = $a_csc[$id]['netbios_enable'];
+ $pconfig['netbios_ntype'] = $a_csc[$id]['netbios_ntype'];
+ $pconfig['netbios_scope'] = $a_csc[$id]['netbios_scope'];
+
+ $pconfig['wins_server1'] = $a_csc[$id]['wins_server1'];
+ $pconfig['wins_server2'] = $a_csc[$id]['wins_server2'];
+ if ($pconfig['wins_server1'] ||
+ $pconfig['wins_server2'])
+ $pconfig['wins_server_enable'] = true;
+
+ $pconfig['nbdd_server1'] = $a_csc[$id]['nbdd_server1'];
+ if ($pconfig['nbdd_server1'])
+ $pconfig['nbdd_server_enable'] = true;
+ }
+}
+
+if ($_POST) {
+
+ unset($input_errors);
+ $pconfig = $_POST;
+
+ /* input validation */
+ if ($result = openvpn_validate_cidr($pconfig['tunnel_network'], 'Tunnel network'))
+ $input_errors[] = $result;
+
+ if ($pconfig['dns_server_enable']) {
+ if (!empty($pconfig['dns_server1']) && !is_ipaddr(trim($pconfig['dns_server1'])))
+ $input_errors[] = "The field 'DNS Server #1' must contain a valid IP address";
+ if (!empty($pconfig['dns_server2']) && !is_ipaddr(trim($pconfig['dns_server2'])))
+ $input_errors[] = "The field 'DNS Server #2' must contain a valid IP address";
+ if (!empty($pconfig['dns_server3']) && !is_ipaddr(trim($pconfig['dns_server3'])))
+ $input_errors[] = "The field 'DNS Server #3' must contain a valid IP address";
+ if (!empty($pconfig['dns_server4']) && !is_ipaddr(trim($pconfig['dns_server4'])))
+ $input_errors[] = "The field 'DNS Server #4' must contain a valid IP address";
+ }
+
+ if ($pconfig['ntp_server_enable']) {
+ if (!empty($pconfig['ntp_server1']) && !is_ipaddr(trim($pconfig['ntp_server1'])))
+ $input_errors[] = "The field 'NTP Server #1' must contain a valid IP address";
+ if (!empty($pconfig['ntp_server2']) && !is_ipaddr(trim($pconfig['ntp_server2'])))
+ $input_errors[] = "The field 'NTP Server #2' must contain a valid IP address";
+ if (!empty($pconfig['ntp_server3']) && !is_ipaddr(trim($pconfig['ntp_server3'])))
+ $input_errors[] = "The field 'NTP Server #3' must contain a valid IP address";
+ if (!empty($pconfig['ntp_server4']) && !is_ipaddr(trim($pconfig['ntp_server4'])))
+ $input_errors[] = "The field 'NTP Server #4' must contain a valid IP address";
+ }
+
+ if ($pconfig['netbios_enable']) {
+ if ($pconfig['wins_server_enable']) {
+ if (!empty($pconfig['wins_server1']) && !is_ipaddr(trim($pconfig['wins_server1'])))
+ $input_errors[] = "The field 'WINS Server #1' must contain a valid IP address";
+ if (!empty($pconfig['wins_server2']) && !is_ipaddr(trim($pconfig['wins_server2'])))
+ $input_errors[] = "The field 'WINS Server #2' must contain a valid IP address";
+ }
+ if ($pconfig['nbdd_server_enable'])
+ if (!empty($pconfig['nbdd_server1']) && !is_ipaddr(trim($pconfig['nbdd_server1'])))
+ $input_errors[] = "The field 'NetBIOS Data Distribution Server #1' must contain a valid IP address";
+ }
+
+ $reqfields[] = 'common_name';
+ $reqfieldsn[] = 'Common name';
+
+ do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
+
+ if (!$input_errors) {
+
+ $csc = array();
+
+ $csc['disable'] = $pconfig['disable'];
+ $csc['common_name'] = $pconfig['common_name'];
+ $csc['block'] = $pconfig['block'];
+ $csc['description'] = $pconfig['description'];
+
+ $csc['tunnel_network'] = $pconfig['tunnel_network'];
+ $csc['gwredir'] = $pconfig['gwredir'];
+
+ $csc['push_reset'] = $pconfig['push_reset'];
+
+ if ($pconfig['dns_domain_enable'])
+ $csc['dns_domain'] = $pconfig['dns_domain'];
+
+ if ($pconfig['dns_server_enable']) {
+ $csc['dns_server1'] = $pconfig['dns_server1'];
+ $csc['dns_server2'] = $pconfig['dns_server2'];
+ $csc['dns_server3'] = $pconfig['dns_server3'];
+ $csc['dns_server4'] = $pconfig['dns_server4'];
+ }
+
+ if ($pconfig['ntp_server_enable']) {
+ $csc['ntp_server1'] = $pconfig['ntp_server1'];
+ $csc['ntp_server2'] = $pconfig['ntp_server2'];
+ }
+
+ $csc['netbios_enable'] = $pconfig['netbios_enable'];
+ $csc['netbios_ntype'] = $pconfig['netbios_ntype'];
+ $csc['netbios_scope'] = $pconfig['netbios_scope'];
+
+ if ($pconfig['netbios_enable']) {
+
+ if ($pconfig['wins_server_enable']) {
+ $csc['wins_server1'] = $pconfig['wins_server1'];
+ $csc['wins_server2'] = $pconfig['wins_server2'];
+ }
+
+ if ($pconfig['dns_server_enable'])
+ $csc['nbdd_server1'] = $pconfig['nbdd_server1'];
+ }
+
+ if (isset($id) && $a_csc[$id])
+ $a_csc[$id] = $csc;
+ else
+ $a_csc[] = $csc;
+
+ openvpn_resync_csc($id);
+ write_config();
+
+ header("Location: vpn_openvpn_csc.php");
+ exit;
+ }
+}
+
+include("head.inc");
+
+?>
+
+<body link="#000000" vlink="#000000" alink="#000000" onload="<?= $jsevents["body"]["onload"] ?>">
+<?php include("fbegin.inc"); ?>
+<script language="JavaScript">
+<!--
+
+function dns_domain_change() {
+
+ if (document.iform.dns_domain_enable.checked)
+ document.getElementById("dns_domain_data").style.display="";
+ else
+ document.getElementById("dns_domain_data").style.display="none";
+}
+
+function dns_server_change() {
+
+ if (document.iform.dns_server_enable.checked)
+ document.getElementById("dns_server_data").style.display="";
+ else
+ document.getElementById("dns_server_data").style.display="none";
+}
+
+function wins_server_change() {
+
+ if (document.iform.wins_server_enable.checked)
+ document.getElementById("wins_server_data").style.display="";
+ else
+ document.getElementById("wins_server_data").style.display="none";
+}
+
+function ntp_server_change() {
+
+ if (document.iform.ntp_server_enable.checked)
+ document.getElementById("ntp_server_data").style.display="";
+ else
+ document.getElementById("ntp_server_data").style.display="none";
+}
+
+function netbios_change() {
+
+ if (document.iform.netbios_enable.checked) {
+ document.getElementById("netbios_data").style.display="";
+ document.getElementById("wins_opts").style.display="";
+ } else {
+ document.getElementById("netbios_data").style.display="none";
+ document.getElementById("wins_opts").style.display="none";
+ }
+}
+
+//-->
+</script>
+<?php
+ if ($input_errors)
+ print_input_errors($input_errors);
+ if ($savemsg)
+ print_info_box($savemsg);
+?>
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td class="tabnavtbl">
+ <ul id="tabnav">
+ <?php
+ $tab_array = array();
+ $tab_array[] = array(gettext("Server"), false, "vpn_openvpn_server.php");
+ $tab_array[] = array(gettext("Client"), false, "vpn_openvpn_client.php");
+ $tab_array[] = array(gettext("Client Specific Overrides"), true, "vpn_openvpn_csc.php");
+ display_top_tabs($tab_array);
+ ?>
+ </ul>
+ </td>
+ </tr>
+ <tr>
+ <td class="tabcont">
+
+ <?php if($act=="new" || $act=="edit"): ?>
+
+ <form action="vpn_openvpn_csc.php" method="post" name="iform" id="iform" onsubmit="presubmit()">
+ <table width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Disabled</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['disable'],$chk); ?>
+ <input name="disable" type="checkbox" value="yes" <?=$chk;?>/>
+ </td>
+ <td>
+ &nbsp;
+ <span class="vexpl">
+ <strong>Disable this override</strong><br>
+ </span>
+ </td>
+ </tr>
+ </table>
+ Set this option to disable this client specific override without removing it from the list.
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Common name</td>
+ <td width="78%" class="vtable">
+ <input name="common_name" type="text" class="formfld unknown" size="30" value="<?=htmlspecialchars($pconfig['common_name']);?>">
+ <br>
+ Enter the client's X.509 common name here.
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Description</td>
+ <td width="78%" class="vtable">
+ <input name="description" type="text" class="formfld unknown" size="30" value="<?=htmlspecialchars($pconfig['description']);?>">
+ <br>
+ You may enter a description here for your reference (not parsed).
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Connection blocking</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['block'],$chk); ?>
+ <input name="block" type="checkbox" value="yes" <?=$chk;?>/>
+ </td>
+ <td>
+ <span class="vexpl">
+ Block this client connection based on its common name.
+ </span>
+ </td>
+ </tr>
+ </table>
+ Don't use this option to permenently disable a
+ client due to a compromised key or password.
+ Use a CRL (certificate revocation list) instead.
+ </td>
+ </tr>
+ <tr>
+ <td colspan="2" class="list" height="12"></td>
+ </tr>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic">Tunnel Settings</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Tunnel Network</td>
+ <td width="78%" class="vtable">
+ <input name="tunnel_network" type="text" class="formfld unknown" size="20" value="<?=htmlspecialchars($pconfig['tunnel_network']);?>">
+ <br>
+ This is the virtual network used for private
+ communications between this client and the
+ server expressed using CIDR (eg. 10.0.8.0/24).
+ The first network address is assumed to be the
+ server address and the second network address
+ will be assigned to the client virtual
+ interface.
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Redirect Gateway</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['gwredir'],$chk); ?>
+ <input name="gwredir" type="checkbox" value="yes" <?=$chk;?>/>
+ </td>
+ <td>
+ <span class="vexpl">
+ Force all client generated traffic through the tunnel.
+ </span>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td colspan="2" class="list" height="12"></td>
+ </tr>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic">Client Settings</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Server Definitions</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['push_reset'],$chk); ?>
+ <input name="push_reset" type="checkbox" value="yes" <?=$chk;?>/>
+ </td>
+ <td>
+ <span class="vexpl">
+ Prevent this client from receiving any server defined client settings.
+ </span>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">DNS Default Domain</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['dns_domain_enable'],$chk); ?>
+ <input name="dns_domain_enable" type="checkbox" id="dns_domain_enable" value="yes" <?=$chk;?> onClick="dns_domain_change()">
+ </td>
+ <td>
+ <span class="vexpl">
+ Provide a default domain name to clients<br>
+ </span>
+ </td>
+ </tr>
+ </table>
+ <table border="0" cellpadding="2" cellspacing="0" id="dns_domain_data">
+ <tr>
+ <td>
+ <input name="dns_domain" type="text" class="formfld unknown" id="dns_domain" size="30" value="<?=htmlspecialchars($pconfig['dns_domain']);?>">
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">DNS Servers</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['dns_server_enable'],$chk); ?>
+ <input name="dns_server_enable" type="checkbox" id="dns_server_enable" value="yes" <?=$chk;?> onClick="dns_server_change()">
+ </td>
+ <td>
+ <span class="vexpl">
+ Provide a DNS server list to clients<br>
+ </span>
+ </td>
+ </tr>
+ </table>
+ <table border="0" cellpadding="2" cellspacing="0" id="dns_server_data">
+ <tr>
+ <td>
+ <span class="vexpl">
+ Server #1:&nbsp;
+ </span>
+ <input name="dns_server1" type="text" class="formfld unknown" id="dns_server1" size="20" value="<?=$pconfig['dns_server1'];?>">
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <span class="vexpl">
+ Server #2:&nbsp;
+ </span>
+ <input name="dns_server2" type="text" class="formfld unknown" id="dns_server2" size="20" value="<?=$pconfig['dns_server2'];?>">
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <span class="vexpl">
+ Server #3:&nbsp;
+ </span>
+ <input name="dns_server3" type="text" class="formfld unknown" id="dns_server3" size="20" value="<?=$pconfig['dns_server3'];?>">
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <span class="vexpl">
+ Server #4:&nbsp;
+ </span>
+ <input name="dns_server4" type="text" class="formfld unknown" id="dns_server4" size="20" value="<?=$pconfig['dns_server4'];?>">
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">NTP Servers</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['ntp_server_enable'],$chk); ?>
+ <input name="ntp_server_enable" type="checkbox" id="ntp_server_enable" value="yes" <?=$chk;?> onClick="ntp_server_change()">
+ </td>
+ <td>
+ <span class="vexpl">
+ Provide a NTP server list to clients<br>
+ </span>
+ </td>
+ </tr>
+ </table>
+ <table border="0" cellpadding="2" cellspacing="0" id="ntp_server_data">
+ <tr>
+ <td>
+ <span class="vexpl">
+ Server #1:&nbsp;
+ </span>
+ <input name="ntp_server1" type="text" class="formfld unknown" id="ntp_server1" size="20" value="<?=$pconfig['ntp_server1'];?>">
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <span class="vexpl">
+ Server #2:&nbsp;
+ </span>
+ <input name="ntp_server2" type="text" class="formfld unknown" id="ntp_server2" size="20" value="<?=$pconfig['ntp_server2'];?>">
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">NetBIOS Options</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['netbios_enable'],$chk); ?>
+ <input name="netbios_enable" type="checkbox" id="netbios_enable" value="yes" <?=$chk;?> onClick="netbios_change()">
+ </td>
+ <td>
+ <span class="vexpl">
+ Enable NetBIOS over TCP/IP<br>
+ </span>
+ </td>
+ </tr>
+ </table>
+ If this option is not set, all Netbios-over-TCP/IP options (includeing WINS) will be disabled.
+ <br/>
+ <table border="0" cellpadding="2" cellspacing="0" id="netbios_data">
+ <tr>
+ <td>
+ <br/>
+ <span class="vexpl">
+ Node Type:&nbsp;
+ </span>
+ <select name='netbios_ntype' class="formselect">
+ <?php
+ foreach ($netbios_nodetypes as $type => $name):
+ $selected = "";
+ if ($pconfig['netbios_ntype'] == $type)
+ $selected = "selected";
+ ?>
+ <option value="<?=$type;?>" <?=$selected;?>><?=$name;?></option>
+ <?php endforeach; ?>
+ </select>
+ <br/>
+ Possible options: b-node (broadcasts), p-node
+ (point-to-point name queries to a WINS server),
+ m-node (broadcast then query name server), and
+ h-node (query name server, then broadcast).
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <br/>
+ <span class="vexpl">
+ Scope ID:&nbsp;
+ </span>
+ <input name="netbios_scope" type="text" class="formfld unknown" id="netbios_scope" size="30" value="<?=htmlspecialchars($pconfig['netbios_scope']);?>">
+ <br/>
+ A NetBIOS Scope ID provides an extended naming
+ service for NetBIOS over TCP/IP. The NetBIOS
+ scope ID isolates NetBIOS traffic on a single
+ network to only those nodes with the same
+ NetBIOS scope ID.
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr id="wins_opts">
+ <td width="22%" valign="top" class="vncell">WINS Servers</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['wins_server_enable'],$chk); ?>
+ <input name="wins_server_enable" type="checkbox" id="wins_server_enable" value="yes" <?=$chk;?> onClick="wins_server_change()">
+ </td>
+ <td>
+ <span class="vexpl">
+ Provide a WINS server list to clients<br>
+ </span>
+ </td>
+ </tr>
+ </table>
+ <table border="0" cellpadding="2" cellspacing="0" id="wins_server_data">
+ <tr>
+ <td>
+ <span class="vexpl">
+ Server #1:&nbsp;
+ </span>
+ <input name="wins_server1" type="text" class="formfld unknown" id="wins_server1" size="20" value="<?=$pconfig['wins_server1'];?>">
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <span class="vexpl">
+ Server #2:&nbsp;
+ </span>
+ <input name="wins_server2" type="text" class="formfld unknown" id="wins_server2" size="20" value="<?=$pconfig['wins_server2'];?>">
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top">&nbsp;</td>
+ <td width="78%">
+ <input name="save" type="submit" class="formbtn" value="Save">
+ <input name="act" type="hidden" value="<?=$act;?>">
+ <?php if (isset($id) && $a_csc[$id]): ?>
+ <input name="id" type="hidden" value="<?=$id;?>">
+ <?php endif; ?>
+ </td>
+ </tr>
+ </table>
+ </form>
+
+ <?php else: ?>
+
+ <table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td width="10%" class="listhdrr">Disabled</td>
+ <td width="40%" class="listhdrr">Common Name</td>
+ <td width="40%" class="listhdrr">Description</td>
+ <td width="10%" class="list"></td>
+ </tr>
+ <?php
+ $i = 0;
+ foreach($a_csc as $csc):
+ $disabled = "NO";
+ if ($csc['disable'])
+ $disabled = "YES";
+ ?>
+ <tr>
+ <td class="listlr">
+ <?=$disabled;?>
+ </td>
+ <td class="listr">
+ <?=htmlspecialchars($csc['common_name']);?>
+ </td>
+ <td class="listr">
+ <?=htmlspecialchars($csc['description']);?>
+ </td>
+ <td valign="middle" nowrap class="list">
+ <a href="vpn_openvpn_csc.php?act=edit&id=<?=$i;?>">
+ <img src="./themes/<?=$g['theme'];?>/images/icons/icon_e.gif" title="edit csc" width="17" height="17" border="0">
+ </a>
+ &nbsp;
+ <a href="vpn_openvpn_csc.php?act=del&id=<?=$i;?>" onclick="return confirm('Do you really want to delete this csc?')">
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" title="delete csc" width="17" height="17" border="0">
+ </a>
+ </td>
+ </tr>
+ <?php
+ $i++;
+ endforeach;
+ ?>
+ <tr>
+ <td class="list" colspan="3"></td>
+ <td class="list">
+ <a href="vpn_openvpn_csc.php?act=new"><img src="./themes/<?=$g['theme'];?>/images/icons/icon_plus.gif" title="add csc" width="17" height="17" border="0">
+ </a>
+ </td>
+ </tr>
+ <tr>
+ <td colspan="3">
+ <p>
+ <?=gettext("Additional OpenVPN client specific overrides can be added here.");?>
+ </p>
+ </td>
+ </tr>
+ </table>
+
+ <? endif; ?>
+
+ </td>
+ </tr>
+</table>
+<script language="JavaScript">
+<!--
+dns_domain_change();
+dns_server_change();
+wins_server_change();
+ntp_server_change();
+netbios_change();
+//-->
+</script>
+</body>
+<?php include("fend.inc"); ?>
+
+<?php
+
+/* local utility functions */
+
+function set_checked($var,& $chk) {
+ if($var)
+ $chk = 'checked';
+ else
+ $chk = '';
+}
+
+?>
+
diff --git a/usr/local/www/vpn_openvpn_server.php b/usr/local/www/vpn_openvpn_server.php
new file mode 100644
index 0000000..0de0cef
--- /dev/null
+++ b/usr/local/www/vpn_openvpn_server.php
@@ -0,0 +1,998 @@
+<?php
+/*
+ vpn_openvpn_server.php
+
+ Copyright (C) 2008 Shrew Soft Inc.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+##|+PRIV
+##|*IDENT=page-openvpn-server
+##|*NAME=OpenVPN: Server page
+##|*DESCR=Allow access to the 'OpenVPN: Server' page.
+##|*MATCH=vpn_openvpn_server.php*
+##|-PRIV
+
+
+require("guiconfig.inc");
+
+$pgtitle = array("OpenVPN", "Server");
+
+if (!is_array($config['openvpn']['openvpn-server']))
+ $config['openvpn']['openvpn-server'] = array();
+
+$a_server = &$config['openvpn']['openvpn-server'];
+
+$id = $_GET['id'];
+if (isset($_POST['id']))
+ $id = $_POST['id'];
+
+$act = $_GET['act'];
+if (isset($_POST['act']))
+ $act = $_POST['act'];
+
+if ($_GET['act'] == "del") {
+
+ if (!$a_server[$id]) {
+ pfSenseHeader("vpn_openvpn_server.php");
+ exit;
+ }
+
+ openvpn_delete('server', $id);
+ unset($a_server[$id]);
+ write_config();
+ $savemsg = gettext("Server successfully deleted")."<br/>";
+}
+
+if($_GET['act']=="edit"){
+
+ if (isset($id) && $a_server[$id]) {
+
+ $pconfig['disable'] = $a_server[$id]['disable'];
+ $pconfig['protocol'] = $a_server[$id]['protocol'];
+ $pconfig['interface'] = $a_server[$id]['interface'];
+ $pconfig['local_port'] = $a_server[$id]['local_port'];
+ $pconfig['description'] = $a_server[$id]['description'];
+
+ $pconfig['auth_method'] = $a_server[$id]['auth_method'];
+ if ($pconfig['auth_method'] == "shared_key")
+ $pconfig['shared_key'] = base64_decode($a_server[$id]['shared_key']);
+ else {
+ $pconfig['caref'] = $a_server[$id]['caref'];
+ $pconfig['certref'] = $a_server[$id]['certref'];
+ }
+ $pconfig['crypto'] = $a_server[$id]['crypto'];
+
+ $pconfig['tunnel_network'] = $a_server[$id]['tunnel_network'];
+ $pconfig['remote_network'] = $a_server[$id]['remote_network'];
+ $pconfig['gwredir'] = $a_server[$id]['gwredir'];
+ $pconfig['local_network'] = $a_server[$id]['local_network'];
+ $pconfig['maxclients'] = $a_server[$id]['maxclients'];
+ $pconfig['compression'] = $a_server[$id]['compression'];
+ $pconfig['settos'] = $a_server[$id]['settos'];
+ $pconfig['client2client'] = $a_server[$id]['client2client'];
+
+ $pconfig['pool_enable'] = $a_server[$id]['pool_enable'];
+
+ $pconfig['dns_domain'] = $a_server[$id]['dns_domain'];
+ if ($pconfig['dns_domain'])
+ $pconfig['dns_domain_enable'] = true;
+
+ $pconfig['dns_server1'] = $a_server[$id]['dns_server1'];
+ $pconfig['dns_server2'] = $a_server[$id]['dns_server2'];
+ $pconfig['dns_server3'] = $a_server[$id]['dns_server3'];
+ $pconfig['dns_server4'] = $a_server[$id]['dns_server4'];
+ if ($pconfig['dns_server1'] ||
+ $pconfig['dns_server2'] ||
+ $pconfig['dns_server3'] ||
+ $pconfig['dns_server4'])
+ $pconfig['dns_server_enable'] = true;
+
+ $pconfig['ntp_server1'] = $a_server[$id]['ntp_server1'];
+ $pconfig['ntp_server2'] = $a_server[$id]['ntp_server2'];
+ if ($pconfig['ntp_server1'] ||
+ $pconfig['ntp_server2'])
+ $pconfig['ntp_server_enable'] = true;
+
+ $pconfig['netbios_enable'] = $a_server[$id]['netbios_enable'];
+ $pconfig['netbios_ntype'] = $a_server[$id]['netbios_ntype'];
+ $pconfig['netbios_scope'] = $a_server[$id]['netbios_scope'];
+
+ $pconfig['wins_server1'] = $a_server[$id]['wins_server1'];
+ $pconfig['wins_server2'] = $a_server[$id]['wins_server2'];
+ if ($pconfig['wins_server1'] ||
+ $pconfig['wins_server2'])
+ $pconfig['wins_server_enable'] = true;
+
+ $pconfig['nbdd_server1'] = $a_server[$id]['nbdd_server1'];
+ if ($pconfig['nbdd_server1'])
+ $pconfig['nbdd_server_enable'] = true;
+ }
+}
+
+if ($_POST) {
+
+ unset($input_errors);
+ $pconfig = $_POST;
+
+ /* input validation */
+ if ($result = openvpn_validate_port($pconfig['local_port'], 'Local port'))
+ $input_errors[] = $result;
+
+ if ($result = openvpn_validate_cidr($pconfig['tunnel_network'], 'Tunnel network'))
+ $input_errors[] = $result;
+
+ if ($result = openvpn_validate_cidr($pconfig['remote_network'], 'Remote network'))
+ $input_errors[] = $result;
+
+ if ($result = openvpn_validate_cidr($pconfig['local_network'], 'Local network'))
+ $input_errors[] = $result;
+
+ if ($pconfig['auth_method'] == 'shared_key')
+ if (!strstr($pconfig['shared_key'], "-----BEGIN OpenVPN Static key V1-----") ||
+ !strstr($pconfig['shared_key'], "-----END OpenVPN Static key V1-----"))
+ $input_errors[] = "The field 'Shared Key' does not appear to be valid";
+
+ if ($pconfig['dns_server_enable']) {
+ if (!empty($pconfig['dns_server1']) && !is_ipaddr(trim($pconfig['dns_server1'])))
+ $input_errors[] = "The field 'DNS Server #1' must contain a valid IP address";
+ if (!empty($pconfig['dns_server2']) && !is_ipaddr(trim($pconfig['dns_server2'])))
+ $input_errors[] = "The field 'DNS Server #2' must contain a valid IP address";
+ if (!empty($pconfig['dns_server3']) && !is_ipaddr(trim($pconfig['dns_server3'])))
+ $input_errors[] = "The field 'DNS Server #3' must contain a valid IP address";
+ if (!empty($pconfig['dns_server4']) && !is_ipaddr(trim($pconfig['dns_server4'])))
+ $input_errors[] = "The field 'DNS Server #4' must contain a valid IP address";
+ }
+
+ if ($pconfig['ntp_server_enable']) {
+ if (!empty($pconfig['ntp_server1']) && !is_ipaddr(trim($pconfig['ntp_server1'])))
+ $input_errors[] = "The field 'NTP Server #1' must contain a valid IP address";
+ if (!empty($pconfig['ntp_server2']) && !is_ipaddr(trim($pconfig['ntp_server2'])))
+ $input_errors[] = "The field 'NTP Server #2' must contain a valid IP address";
+ if (!empty($pconfig['ntp_server3']) && !is_ipaddr(trim($pconfig['ntp_server3'])))
+ $input_errors[] = "The field 'NTP Server #3' must contain a valid IP address";
+ if (!empty($pconfig['ntp_server4']) && !is_ipaddr(trim($pconfig['ntp_server4'])))
+ $input_errors[] = "The field 'NTP Server #4' must contain a valid IP address";
+ }
+
+ if ($pconfig['netbios_enable']) {
+ if ($pconfig['wins_server_enable']) {
+ if (!empty($pconfig['wins_server1']) && !is_ipaddr(trim($pconfig['wins_server1'])))
+ $input_errors[] = "The field 'WINS Server #1' must contain a valid IP address";
+ if (!empty($pconfig['wins_server2']) && !is_ipaddr(trim($pconfig['wins_server2'])))
+ $input_errors[] = "The field 'WINS Server #2' must contain a valid IP address";
+ }
+ if ($pconfig['nbdd_server_enable'])
+ if (!empty($pconfig['nbdd_server1']) && !is_ipaddr(trim($pconfig['nbdd_server1'])))
+ $input_errors[] = "The field 'NetBIOS Data Distribution Server #1' must contain a valid IP address";
+ }
+
+ if ($pconfig['maxclients'] && !is_numeric($pconfig['maxclients']))
+ $input_errors[] = "The field 'Concurrent connections' must be numeric.";
+
+ if ($pconfig['auth_method'] == 'shared_key') {
+ $reqfields[] = 'shared_key';
+ $reqfieldsn[] = 'Shared key';
+ } else {
+ $reqfields[] = explode(" ", "caref certref");
+ $reqfieldsn[] = explode(",", "Certificate Authority,Certificate");;
+ }
+
+ do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
+
+ if (!$input_errors) {
+
+ $server = array();
+
+ if (isset($id) && $a_server[$id]) {
+ $server['dh_params'] = $a_server[$id]['dh_params'];
+ $server['vpnid'] = $a_server[$id]['vpnid'];
+ } else
+ $server['vpnid'] = openvpn_vpnid_next();
+
+ $server['disable'] = $pconfig['disable'];
+ $server['protocol'] = $pconfig['protocol'];
+ $server['interface'] = $pconfig['interface'];
+ $server['local_port'] = $pconfig['local_port'];
+ $server['description'] = $pconfig['description'];
+
+ $server['auth_method'] = $pconfig['auth_method'];
+ if ($server['auth_method'] == "shared_key")
+ $server['shared_key'] = base64_encode($pconfig['shared_key']);
+ else {
+ $server['caref'] = $pconfig['caref'];
+ $server['certref'] = $pconfig['certref'];
+ }
+ $server['crypto'] = $pconfig['crypto'];
+
+ $server['tunnel_network'] = $pconfig['tunnel_network'];
+ $server['remote_network'] = $pconfig['remote_network'];
+ $server['gwredir'] = $pconfig['gwredir'];
+ $server['local_network'] = $pconfig['local_network'];
+ $server['maxclients'] = $pconfig['maxclients'];
+ $server['compression'] = $pconfig['compression'];
+ $server['client2client'] = $pconfig['client2client'];
+
+ $server['pool_enable'] = $pconfig['pool_enable'];
+
+ if ($pconfig['dns_domain_enable'])
+ $server['dns_domain'] = $pconfig['dns_domain'];
+
+ if ($pconfig['dns_server_enable']) {
+ $server['dns_server1'] = $pconfig['dns_server1'];
+ $server['dns_server2'] = $pconfig['dns_server2'];
+ $server['dns_server3'] = $pconfig['dns_server3'];
+ $server['dns_server4'] = $pconfig['dns_server4'];
+ }
+
+ if ($pconfig['ntp_server_enable']) {
+ $server['ntp_server1'] = $pconfig['ntp_server1'];
+ $server['ntp_server2'] = $pconfig['ntp_server2'];
+ }
+
+ $server['netbios_enable'] = $pconfig['netbios_enable'];
+ $server['netbios_ntype'] = $pconfig['netbios_ntype'];
+ $server['netbios_scope'] = $pconfig['netbios_scope'];
+
+ if ($pconfig['netbios_enable']) {
+
+ if ($pconfig['wins_server_enable']) {
+ $server['wins_server1'] = $pconfig['wins_server1'];
+ $server['wins_server2'] = $pconfig['wins_server2'];
+ }
+
+ if ($pconfig['dns_server_enable'])
+ $server['nbdd_server1'] = $pconfig['nbdd_server1'];
+ }
+
+ if (isset($id) && $a_server[$id])
+ $a_server[$id] = $server;
+ else
+ $a_server[] = $server;
+
+ openvpn_resync('server', $id);
+ write_config();
+
+ header("Location: vpn_openvpn_server.php");
+ exit;
+ }
+}
+
+include("head.inc");
+
+?>
+
+<body link="#000000" vlink="#000000" alink="#000000" onload="<?= $jsevents["body"]["onload"] ?>">
+<?php include("fbegin.inc"); ?>
+<script language="JavaScript">
+<!--
+
+function method_change() {
+ index = document.iform.auth_method.selectedIndex;
+ value = document.iform.auth_method.options[index].value;
+ switch(value) {
+ case "pki":
+ document.getElementById("pki_ca").style.display="";
+ document.getElementById("pki_cert").style.display="";
+ document.getElementById("psk").style.display="none";
+ break;
+ case "shared_key":
+ document.getElementById("pki_ca").style.display="none";
+ document.getElementById("pki_cert").style.display="none";
+ document.getElementById("psk").style.display="";
+ break;
+ }
+}
+
+function gwredir_change() {
+
+ if (document.iform.gwredir.checked)
+ document.getElementById("local_opts").style.display="none";
+ else
+ document.getElementById("local_opts").style.display="";
+}
+
+function dns_domain_change() {
+
+ if (document.iform.dns_domain_enable.checked)
+ document.getElementById("dns_domain_data").style.display="";
+ else
+ document.getElementById("dns_domain_data").style.display="none";
+}
+
+function dns_server_change() {
+
+ if (document.iform.dns_server_enable.checked)
+ document.getElementById("dns_server_data").style.display="";
+ else
+ document.getElementById("dns_server_data").style.display="none";
+}
+
+function wins_server_change() {
+
+ if (document.iform.wins_server_enable.checked)
+ document.getElementById("wins_server_data").style.display="";
+ else
+ document.getElementById("wins_server_data").style.display="none";
+}
+
+function ntp_server_change() {
+
+ if (document.iform.ntp_server_enable.checked)
+ document.getElementById("ntp_server_data").style.display="";
+ else
+ document.getElementById("ntp_server_data").style.display="none";
+}
+
+function netbios_change() {
+
+ if (document.iform.netbios_enable.checked) {
+ document.getElementById("netbios_data").style.display="";
+ document.getElementById("wins_opts").style.display="";
+ } else {
+ document.getElementById("netbios_data").style.display="none";
+ document.getElementById("wins_opts").style.display="none";
+ }
+}
+
+//-->
+</script>
+<?php
+ if ($input_errors)
+ print_input_errors($input_errors);
+ if ($savemsg)
+ print_info_box($savemsg);
+?>
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td class="tabnavtbl">
+ <ul id="tabnav">
+ <?php
+ $tab_array = array();
+ $tab_array[] = array(gettext("Server"), true, "vpn_openvpn_server.php");
+ $tab_array[] = array(gettext("Client"), false, "vpn_openvpn_client.php");
+ $tab_array[] = array(gettext("Client Specific Overrides"), false, "vpn_openvpn_csc.php");
+ display_top_tabs($tab_array);
+ ?>
+ </ul>
+ </td>
+ </tr>
+ <tr>
+ <td class="tabcont">
+
+ <?php if($act=="new" || $act=="edit"): ?>
+
+ <form action="vpn_openvpn_server.php" method="post" name="iform" id="iform" onsubmit="presubmit()">
+ <table width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Disabled</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['disable'],$chk); ?>
+ <input name="disable" type="checkbox" value="yes" <?=$chk;?>/>
+ </td>
+ <td>
+ &nbsp;
+ <span class="vexpl">
+ <strong>Disable this server</strong><br>
+ </span>
+ </td>
+ </tr>
+ </table>
+ Set this option to disable this server without removing it from the list.
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq"><?=gettext("Protocol");?></td>
+ <td width="78%" class="vtable">
+ <select name='protocol' class="formselect">
+ <?php
+ foreach ($openvpn_prots as $prot):
+ $selected = "";
+ if ($pconfig['protocol'] == $prot)
+ $selected = "selected";
+ ?>
+ <option value="<?=$prot;?>" <?=$selected;?>><?=$prot;?></option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Interface</td>
+ <td width="78%" class="vtable">
+ <select name="interface" class="formselect">
+ <?php
+ $interfaces = get_configured_interface_with_descr();
+ $carpips = find_number_of_needed_carp_interfaces();
+ for ($i=0; $i<$carpips; $i++) {
+ $carpip = find_interface_ip("carp" . $i);
+ $interfaces['carp' . $i] = "CARP{$i} ({$carpip})";
+ }
+ foreach ($interfaces as $iface => $ifacename):
+ ?>
+ <option value="<?=$iface;?>" <?php if ($iface == $pconfig['interface']) echo "selected"; ?>>
+ <?=htmlspecialchars($ifacename);?>
+ </option>
+ <?php endforeach; ?>
+ </select> <br>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq"><?=gettext("Local port");?></td>
+ <td width="78%" class="vtable">
+ <input name="local_port" type="text" class="formfld unknown" size="5" value="<?=htmlspecialchars($pconfig['local_port']);?>"/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Description</td>
+ <td width="78%" class="vtable">
+ <input name="description" type="text" class="formfld unknown" size="30" value="<?=htmlspecialchars($pconfig['description']);?>">
+ <br>
+ You may enter a description here for your reference (not parsed).
+ </td>
+ </tr>
+ <tr>
+ <td colspan="2" class="list" height="12"></td>
+ </tr>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic">Cryptographic Settings</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Authentication Method</td>
+ <td width="78%" class="vtable">
+ <select name='auth_method' id='auth_method' class="formselect" onchange='method_change()'>
+ <?php
+ foreach ($openvpn_auth_methods as $method => $name):
+ $selected = "";
+ if ($pconfig['auth_method'] == $method)
+ $selected = "selected";
+ ?>
+ <option value="<?=$method;?>" <?=$selected;?>><?=$name;?></option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ </tr>
+ <tr id="pki_ca">
+ <td width="22%" valign="top" class="vncellreq">Certificate Authority</td>
+ <td width="78%" class="vtable">
+ <select name='caref' class="formselect">
+ <?php
+ foreach ($config['system']['ca'] as $ca):
+ $selected = "";
+ if ($pconfig['caref'] == $ca['refid'])
+ $selected = "selected";
+ ?>
+ <option value="<?=$ca['refid'];?>" <?=$selected;?>><?=$ca['name'];?></option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ </tr>
+ <tr id="pki_cert">
+ <td width="22%" valign="top" class="vncellreq">Certificate</td>
+ <td width="78%" class="vtable">
+ <select name='certref' class="formselect">
+ <?php
+ foreach ($config['system']['cert'] as $cert):
+ $selected = "";
+ if ($pconfig['certref'] == $cert['refid'])
+ $selected = "selected";
+ ?>
+ <option value="<?=$cert['refid'];?>" <?=$selected;?>><?=$cert['name'];?></option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ </tr>
+ <tr id="psk">
+ <td width="22%" valign="top" class="vncellreq">Shared Key</td>
+ <td width="78%" class="vtable">
+ <textarea name="shared_key" cols="65" rows="7" class="formpre"><?=htmlspecialchars($pconfig['shared_key']);?></textarea>
+ <br/>
+ Paste your shared key here.
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Encryption algorithm</td>
+ <td width="78%" class="vtable">
+ <select name="crypto" class="formselect">
+ <?php
+ $cipherlist = openvpn_get_cipherlist();
+ foreach ($cipherlist as $name => $desc):
+ $selected = '';
+ if ($name == $pconfig['crypto'])
+ $selected = ' selected';
+ ?>
+ <option value="<?=$name;?>"<?=$selected?>>
+ <?=htmlspecialchars($desc);?>
+ </option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ </tr>
+ <tr>
+ <td colspan="2" class="list" height="12"></td>
+ </tr>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic">Tunnel Settings</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Tunnel Network</td>
+ <td width="78%" class="vtable">
+ <input name="tunnel_network" type="text" class="formfld unknown" size="20" value="<?=htmlspecialchars($pconfig['tunnel_network']);?>">
+ <br>
+ This is the virtual network used for private
+ communications between this server and client
+ hosts expressed using CIDR (eg. 10.0.8.0/24).
+ The first network address will be assigned to
+ the server virtual interface. The remaining
+ network addresses can optionally be assigned
+ to connecting clients. (see Address Pool)
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Remote Network</td>
+ <td width="78%" class="vtable">
+ <input name="remote_network" type="text" class="formfld unknown" size="20" value="<?=htmlspecialchars($pconfig['remote_network']);?>">
+ <br>
+ This is a network that will be routed through
+ the tunnel, so that a site-to-site VPN can be
+ established without manually changing the
+ routing tables. Expressed as a CIDR range. If
+ this is a site-to-site VPN, enter here the
+ remote LAN here. You may leave this blank if
+ you don't want a site-to-site VPN.
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Redirect Gateway</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['gwredir'],$chk); ?>
+ <input name="gwredir" type="checkbox" value="yes" <?=$chk;?> onClick="gwredir_change()"/>
+ </td>
+ <td>
+ <span class="vexpl">
+ Force all client generated traffic through the tunnel.
+ </span>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr id="local_opts">
+ <td width="22%" valign="top" class="vncell">Local Network</td>
+ <td width="78%" class="vtable">
+ <input name="local_network" type="text" class="formfld unknown" size="20" value="<?=htmlspecialchars($pconfig['local_network']);?>">
+ <br>
+ This is the network that will be accessable
+ from the remote endpoint. Expressed as a CIDR
+ range. You may leave this blank if you don't
+ want to add a route to the local network
+ through this tunnel on the remote machine.
+ This is generally set to your LAN network.
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("Concurrent connections");?></td>
+ <td width="78%" class="vtable">
+ <input name="maxclients" type="text" class="formfld unknown" size="5" value="<?=htmlspecialchars($pconfig['maxclients']);?>"/>
+ <br/>
+ Specify the maximum number of clients allowed to concurrently connect to this server.
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Compression</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['compression'],$chk); ?>
+ <input name="compression" type="checkbox" value="yes" <?=$chk;?>>
+ </td>
+ <td>
+ <span class="vexpl">
+ Compress tunnel packets using the LZO algorithm.
+ </span>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Type-of-Service</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['settos'],$chk); ?>
+ <input name="settos" type="checkbox" value="yes" <?=$chk;?>>
+ </td>
+ <td>
+ <span class="vexpl">
+ Set the TOS IP header value of tunnel packets to match the encapsulated packet value.
+ </span>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Inter-client communication</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['client2client'],$chk); ?>
+ <input name="client2client" type="checkbox" value="yes" <?=$chk;?>/>
+ </td>
+ <td>
+ <span class="vexpl">
+ Allow communication between clients connected to this server
+ </span>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td colspan="2" class="list" height="12"></td>
+ </tr>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic">Client Settings</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Address Pool</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['pool_enable'],$chk); ?>
+ <input name="pool_enable" type="checkbox" id="pool_enable" value="yes" <?=$chk;?>">
+ </td>
+ <td>
+ <span class="vexpl">
+ Provide a virtual adapter IP address to clients (see Tunnel Network)<br>
+ </span>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">DNS Default Domain</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['dns_domain_enable'],$chk); ?>
+ <input name="dns_domain_enable" type="checkbox" id="dns_domain_enable" value="yes" <?=$chk;?> onClick="dns_domain_change()">
+ </td>
+ <td>
+ <span class="vexpl">
+ Provide a default domain name to clients<br>
+ </span>
+ </td>
+ </tr>
+ </table>
+ <table border="0" cellpadding="2" cellspacing="0" id="dns_domain_data">
+ <tr>
+ <td>
+ <input name="dns_domain" type="text" class="formfld unknown" id="dns_domain" size="30" value="<?=htmlspecialchars($pconfig['dns_domain']);?>">
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">DNS Servers</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['dns_server_enable'],$chk); ?>
+ <input name="dns_server_enable" type="checkbox" id="dns_server_enable" value="yes" <?=$chk;?> onClick="dns_server_change()">
+ </td>
+ <td>
+ <span class="vexpl">
+ Provide a DNS server list to clients<br>
+ </span>
+ </td>
+ </tr>
+ </table>
+ <table border="0" cellpadding="2" cellspacing="0" id="dns_server_data">
+ <tr>
+ <td>
+ <span class="vexpl">
+ Server #1:&nbsp;
+ </span>
+ <input name="dns_server1" type="text" class="formfld unknown" id="dns_server1" size="20" value="<?=$pconfig['dns_server1'];?>">
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <span class="vexpl">
+ Server #2:&nbsp;
+ </span>
+ <input name="dns_server2" type="text" class="formfld unknown" id="dns_server2" size="20" value="<?=$pconfig['dns_server2'];?>">
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <span class="vexpl">
+ Server #3:&nbsp;
+ </span>
+ <input name="dns_server3" type="text" class="formfld unknown" id="dns_server3" size="20" value="<?=$pconfig['dns_server3'];?>">
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <span class="vexpl">
+ Server #4:&nbsp;
+ </span>
+ <input name="dns_server4" type="text" class="formfld unknown" id="dns_server4" size="20" value="<?=$pconfig['dns_server4'];?>">
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">NTP Servers</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['ntp_server_enable'],$chk); ?>
+ <input name="ntp_server_enable" type="checkbox" id="ntp_server_enable" value="yes" <?=$chk;?> onClick="ntp_server_change()">
+ </td>
+ <td>
+ <span class="vexpl">
+ Provide a NTP server list to clients<br>
+ </span>
+ </td>
+ </tr>
+ </table>
+ <table border="0" cellpadding="2" cellspacing="0" id="ntp_server_data">
+ <tr>
+ <td>
+ <span class="vexpl">
+ Server #1:&nbsp;
+ </span>
+ <input name="ntp_server1" type="text" class="formfld unknown" id="ntp_server1" size="20" value="<?=$pconfig['ntp_server1'];?>">
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <span class="vexpl">
+ Server #2:&nbsp;
+ </span>
+ <input name="ntp_server2" type="text" class="formfld unknown" id="ntp_server2" size="20" value="<?=$pconfig['ntp_server2'];?>">
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">NetBIOS Options</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['netbios_enable'],$chk); ?>
+ <input name="netbios_enable" type="checkbox" id="netbios_enable" value="yes" <?=$chk;?> onClick="netbios_change()">
+ </td>
+ <td>
+ <span class="vexpl">
+ Enable NetBIOS over TCP/IP<br>
+ </span>
+ </td>
+ </tr>
+ </table>
+ If this option is not set, all Netbios-over-TCP/IP options (includeing WINS) will be disabled.
+ <br/>
+ <table border="0" cellpadding="2" cellspacing="0" id="netbios_data">
+ <tr>
+ <td>
+ <br/>
+ <span class="vexpl">
+ Node Type:&nbsp;
+ </span>
+ <select name='netbios_ntype' class="formselect">
+ <?php
+ foreach ($netbios_nodetypes as $type => $name):
+ $selected = "";
+ if ($pconfig['netbios_ntype'] == $type)
+ $selected = "selected";
+ ?>
+ <option value="<?=$type;?>" <?=$selected;?>><?=$name;?></option>
+ <?php endforeach; ?>
+ </select>
+ <br/>
+ Possible options: b-node (broadcasts), p-node
+ (point-to-point name queries to a WINS server),
+ m-node (broadcast then query name server), and
+ h-node (query name server, then broadcast).
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <br/>
+ <span class="vexpl">
+ Scope ID:&nbsp;
+ </span>
+ <input name="netbios_scope" type="text" class="formfld unknown" id="netbios_scope" size="30" value="<?=htmlspecialchars($pconfig['netbios_scope']);?>">
+ <br/>
+ A NetBIOS Scope ID provides an extended naming
+ service for NetBIOS over TCP/IP. The NetBIOS
+ scope ID isolates NetBIOS traffic on a single
+ network to only those nodes with the same
+ NetBIOS scope ID.
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr id="wins_opts">
+ <td width="22%" valign="top" class="vncell">WINS Servers</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['wins_server_enable'],$chk); ?>
+ <input name="wins_server_enable" type="checkbox" id="wins_server_enable" value="yes" <?=$chk;?> onClick="wins_server_change()">
+ </td>
+ <td>
+ <span class="vexpl">
+ Provide a WINS server list to clients<br>
+ </span>
+ </td>
+ </tr>
+ </table>
+ <table border="0" cellpadding="2" cellspacing="0" id="wins_server_data">
+ <tr>
+ <td>
+ <span class="vexpl">
+ Server #1:&nbsp;
+ </span>
+ <input name="wins_server1" type="text" class="formfld unknown" id="wins_server1" size="20" value="<?=$pconfig['wins_server1'];?>">
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <span class="vexpl">
+ Server #2:&nbsp;
+ </span>
+ <input name="wins_server2" type="text" class="formfld unknown" id="wins_server2" size="20" value="<?=$pconfig['wins_server2'];?>">
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top">&nbsp;</td>
+ <td width="78%">
+ <input name="save" type="submit" class="formbtn" value="Save">
+ <input name="act" type="hidden" value="<?=$act;?>">
+ <?php if (isset($id) && $a_server[$id]): ?>
+ <input name="id" type="hidden" value="<?=$id;?>">
+ <?php endif; ?>
+ </td>
+ </tr>
+ </table>
+ </form>
+
+ <?php else: ?>
+
+ <table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td width="10%" class="listhdrr">Disabled</td>
+ <td width="10%" class="listhdrr">Protocol</td>
+ <td width="30%" class="listhdrr">Tunnel Network</td>
+ <td width="40%" class="listhdrr">Description</td>
+ <td width="10%" class="list"></td>
+ </tr>
+ <?php
+ $i = 0;
+ foreach($a_server as $server):
+ $disabled = "NO";
+ if ($server['disable'])
+ $disabled = "YES";
+ ?>
+ <tr>
+ <td class="listlr">
+ <?=$disabled;?>
+ </td>
+ <td class="listr">
+ <?=htmlspecialchars($server['protocol']);?>
+ </td>
+ <td class="listr">
+ <?=htmlspecialchars($server['tunnel_network']);?>
+ </td>
+ <td class="listr">
+ <?=htmlspecialchars($server['description']);?>
+ </td>
+ <td valign="middle" nowrap class="list">
+ <a href="vpn_openvpn_server.php?act=edit&id=<?=$i;?>">
+ <img src="./themes/<?=$g['theme'];?>/images/icons/icon_e.gif" title="edit server" width="17" height="17" border="0">
+ </a>
+ &nbsp;
+ <a href="vpn_openvpn_server.php?act=del&id=<?=$i;?>" onclick="return confirm('Do you really want to delete this server?')">
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" title="delete server" width="17" height="17" border="0">
+ </a>
+ </td>
+ </tr>
+ <?php
+ $i++;
+ endforeach;
+ ?>
+ <tr>
+ <td class="list" colspan="4"></td>
+ <td class="list">
+ <a href="vpn_openvpn_server.php?act=new"><img src="./themes/<?=$g['theme'];?>/images/icons/icon_plus.gif" title="add server" width="17" height="17" border="0">
+ </a>
+ </td>
+ </tr>
+ <tr>
+ <td colspan="4">
+ <p>
+ <?=gettext("Additional OpenVPN servers can be added here.");?>
+ </p>
+ </td>
+ </tr>
+ </table>
+
+ <? endif; ?>
+
+ </td>
+ </tr>
+</table>
+<script language="JavaScript">
+<!--
+method_change();
+gwredir_change();
+dns_domain_change();
+dns_server_change();
+wins_server_change();
+ntp_server_change();
+netbios_change();
+//-->
+</script>
+</body>
+<?php include("fend.inc"); ?>
+
+<?php
+
+/* local utility functions */
+
+function set_checked($var,& $chk) {
+ if($var)
+ $chk = 'checked';
+ else
+ $chk = '';
+}
+
+?>
+
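Review bot: The required-field check in the `$_POST` branch never runs: the `auth_method` if/else populates `$reqfields` and `$reqfieldsn`, but the `do_input_validation(...)` call on the next statement passes `$reqdfields` and `$reqdfieldsn`, which are never assigned, and the non-shared-key branch pushes each `explode()` result as one nested array element instead of individual field names, so a server can be saved with no CA, certificate or shared key. The block should assign the names the call actually reads, as below; the call-time `&$input_errors` can be dropped if `do_input_validation` already declares that parameter by reference, otherwise keep it. Separately, the DNS, NTP and WINS server inputs echo `$pconfig['dns_server1']` through `$pconfig['wins_server2']` into `value="..."` unescaped, while `$pconfig` is the raw `$_POST` after a failed submit and neighbouring fields (`tunnel_network`, `dns_domain`, `netbios_scope`) go through `htmlspecialchars()`; wrap each as `value="<?=htmlspecialchars($pconfig['dns_server1']);?>"` (the vpn_openvpn_csc.php hunk above has the same eight unescaped echoes). Also, the save path gates `$server['nbdd_server1']` on `$pconfig['dns_server_enable']` while the validation above keys it off `$pconfig['nbdd_server_enable']`; one of the two looks like a copy-paste slip.
```php
	if ($pconfig['auth_method'] == 'shared_key') {
		$reqdfields = array('shared_key');
		$reqdfieldsn = array('Shared key');
	} else {
		$reqdfields = array('caref', 'certref');
		$reqdfieldsn = array('Certificate Authority', 'Certificate');
	}

	do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);

	// … unchanged: if (!$input_errors) { build $server … } …
```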
diff --git a/usr/local/www/vpn_openvpn_srv.php b/usr/local/www/vpn_openvpn_srv.php
deleted file mode 100755
index 2d194af..0000000
--- a/usr/local/www/vpn_openvpn_srv.php
+++ /dev/null
@@ -1,198 +0,0 @@
-<?php
-/*
- vpn_openvpn_srv.php
-
- Copyright (C) 2004 Peter Curran (peter@closeconsultants.com).
- Copyright (C) 2005 Peter Allgeyer (allgeyer@web.de).
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-require("guiconfig.inc");
-require_once("openvpn.inc");
-
-if (!is_array($config['ovpn']))
- $config['ovpn'] = array();
-if (!is_array($config['ovpn']['server'])){
- $config['ovpn']['server'] = array();
- $config['ovpn']['server']['tunnel'] = array();
-}
-
-$ovpnsrv = &$config['ovpn']['server']['tunnel'];
-
-$id = $_GET['id'];
-if (isset($_POST['id']))
- $id = $_POST['id'];
-
-
-if ($_POST['apply']) {
- $retval = 0;
- if (file_exists($d_sysrebootreqd_path)) {
- /* Rewrite interface definitions */
- $retval = ovpn_server_iface();
- } else {
- ovpn_lock();
- $retval = ovpn_server_iface();
- $retval = ovpn_config_server(false);
- ovpn_unlock();
- }
- if (file_exists($d_ovpnsrvdirty_path))
- unlink($d_ovpnsrvdirty_path);
- $savemsg = get_std_save_message($retval);
-}
-
-if ($_GET['act'] == "del") {
- if ($ovpnsrv[$id]) {
- $ovpnent = $ovpnsrv[$id];
- unset($ovpnsrv[$id]);
-
- /* Kill running processes */
- ovpn_server_kill($ovpnent['tun_iface']);
-
- /* Remove old certs & keys */
- ovpn_server_certs_del($ovpnent['tun_iface']);
-
- /* Remove interface from list of optional interfaces */
- ovpn_server_iface_del($ovpnent['tun_iface']);
-
- write_config();
- //touch($d_sysrebootreqd_path);
- header("Location: vpn_openvpn_srv.php");
- exit;
- }
-}
-
-$pgtitle = array("VPN","OpenVPN");
-include("head.inc");
-
-?>
-<?php include("fbegin.inc"); ?>
-<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-
-<?php if ($input_errors) print_input_errors($input_errors); ?>
-<?php if (file_exists($d_sysrebootreqd_path) && !file_exists($d_ovpnsrvdirty_path)) print_info_box(get_std_save_message(0)); ?>
-
-<form action="vpn_openvpn_srv.php" method="post" enctype="multipart/form-data" name="iform" id="iform">
-<?php if (file_exists($d_ovpnsrvdirty_path)): ?><p>
-<?php print_info_box_np("The OpenVPN server configuration has been changed.<br>You must apply the changes in order for them to take effect.");?>
-</p>
-<?php endif; ?>
-
-<table width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr><td>
-<?php
- $tab_array = array();
- $tab_array[] = array("Server", true, "vpn_openvpn_srv.php");
- $tab_array[] = array("Client", false, "vpn_openvpn_cli.php");
- $tab_array[] = array("Client-specific Configuration", false, "vpn_openvpn_ccd.php");
- $tab_array[] = array("CRL", false, "vpn_openvpn_crl.php");
- display_top_tabs($tab_array);
-?>
- </td></tr>
-
- <tr>
- <td>
- <div id="mainarea">
- <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
- <tr>
- <td class="vtable">
- <strong><span class="red">WARNING: This feature is experimental and modifies your optional interface configuration.
- Backup your configuration before using OpenVPN, and restore it before upgrading.
- </span></strong>
- </td>
- </tr>
- </table>
-
- <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr>
- <td width="5%" class="listhdrr">Interface</td>
- <td width="5%" class="listhdrr">Protocol</td>
- <td width="5%" class="listhdrr">Socket</td>
- <td width="25%" class="listhdrr">IP Block</td>
- <td width="15%" class="listhdrr">Crypto</td>
- <td width="35%" class="listhdr">Description</td>
- <td width="10%" class="list"></td>
- </tr>
-
- <?php $i = 0; foreach ($ovpnsrv as $server):
- if (!isset($server['enable'])) {
- $spans = "<span class=\"gray\">";
- $spane = "</span>";
- } else {
- $spans = $spane = "";
- }
-
- if ($server['bind_iface'] == 'all')
- $ipaddr = "0.0.0.0";
- else
- $ipaddr = ovpn_get_ip($server['bind_iface']);
- ?>
-
- <tr>
- <td class="listlr"><?=$spans;?>
- <?php if ($interface = ovpn_get_opt_interface($server['tun_iface']))
- $iface = $config['interfaces'][$interface]['descr'];
- else $iface = strtoupper($server['tun_iface']);?>
- <?= $iface;?>
- <?=$spane;?></td>
- <td class="listr"><?=$spans;?>
- <?= strtoupper($server['proto']);?>
- <?=$spane;?></td>
- <td class="listr"><?=$spans;?>
- <?= $ipaddr.":".$server['port'];?>
- <?=$spane;?></td>
- <td nowrap class="listr"><?=$spans;?>
- <?php if ($server['authentication_method'] == "pre_shared_key") {
- if ($server['type'] == "tun") {
- $ipblock = $server['lipaddr'] . " / " . $server['ripaddr'];
- } else {
- $ipblock = $server['lipaddr'] . "/" . $server['netmask'];
- }
- } else if (!$server['bridge'])
- $ipblock = $server['ipblock'] . "/" . $server['prefix'];
- else if ($server['range_from'])
- $ipblock = $server['range_from'] . " - " . $server['range_to'];
- else
- $ipblock = "--";?>
- <?= $ipblock;?>
- <?=$spane;?></td>
- <td class="listr"><?=$spans;?>
- <?= $server['crypto'];?>
- <?=$spane;?></td>
- <td class="listbg"><?=$spans;?>
- <?= htmlspecialchars($server['descr']);?>&nbsp;
- <?=$spane;?></td>
- <td valign="middle" nowrap class="list"> <a href="vpn_openvpn_srv_edit.php?id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit server configuration" width="17" height="17" border="0"></a>
- &nbsp;<a href="vpn_openvpn_srv.php?act=del&id=<?=$i;?>" onclick="return confirm('Do you really want to delete this server configuration?')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete server configuration" width="17" height="17" border="0"></a></td>
- </tr>
- <?php $i++; endforeach; ?>
- <tr>
- <td class="list" colspan="6">&nbsp;</td>
- <td class="list"> <a href="vpn_openvpn_srv_edit.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add server configuration" width="17" height="17" border="0"></a></td>
- </tr>
- </table>
- </td>
-</tr>
-</table>
-</form>
-<?php include("fend.inc"); ?>
diff --git a/usr/local/www/vpn_openvpn_srv_edit.php b/usr/local/www/vpn_openvpn_srv_edit.php
deleted file mode 100755
index 35d4249..0000000
--- a/usr/local/www/vpn_openvpn_srv_edit.php
+++ /dev/null
@@ -1,1213 +0,0 @@
-<?php
-/*
- vpn_openvpn_srv_edit.php
-
- Copyright (C) 2004 Peter Curran (peter@closeconsultants.com).
- Copyright (C) 2005 Peter Allgeyer (allgeyer@web.de).
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-##|+PRIV
-##|*IDENT=page-vpn-openvpn-editserver
-##|*NAME=VPN: OpenVPN: Edit server page
-##|*DESCR=Allow access to the 'VPN: OpenVPN: Edit server' page.
-##|*MATCH=vpn_openvpn_srv_edit.php*
-##|-PRIV
-
-
-require("guiconfig.inc");
-require_once("openvpn.inc");
-
-if (!is_array($config['ovpn']))
- $config['ovpn'] = array();
-if (!is_array($config['ovpn']['server'])){
- $config['ovpn']['server'] = array();
- $config['ovpn']['server']['tunnel'] = array();
-}
-
-$ovpnsrv =& $config['ovpn']['server']['tunnel'];
-
-$id = $_GET['id'];
-if (isset($_POST['id']))
- $id = $_POST['id'];
-
-if (isset($id) && $ovpnsrv[$id]) {
- $pconfig = $config['ovpn']['server']['tunnel'][$id];
- if (isset($ovpnsrv[$id]['enable']))
- $pconfig['enable'] = true;
- if (!isset($ovpnsrv[$id]['method']))
- $pconfig['method'] = "ovpn";
- if (is_array($ovpnsrv[$id]['expertmode'])) {
- $pconfig['expertmode_options'] = "";
- foreach ($ovpnsrv[$id]['expertmode']['option'] as $optent) {
- $pconfig['expertmode_options'] .= $optent . "\n";
- }
- $pconfig['expertmode_options'] = rtrim($pconfig['expertmode_options']);
- }
-
-} else {
- /* creating - set defaults */
- $pconfig = array();
- $pconfig['type'] = "tun";
- $pconfig['psh_options'] = array();
- /* Initialise with some sensible defaults */
- $pconfig['authentication_method'] = "rsasig";
- $pconfig['port'] = getnxt_port();
- $pconfig['proto'] = 'udp';
- $pconfig['method'] = 'ovpn';
- $pconfig['maxcli'] = '';
- $pconfig['crypto'] = 'BF-CBC';
- $pconfig['dupcn'] = false;
- $pconfig['verb'] = 1;
- $pconfig['enable'] = true;
-}
-
-if ($_POST) {
-
- unset($input_errors);
- unset($check_ipblock);
-
- /* input validation */
- $reqdfields = explode(" ", "type bind_iface");
- $reqdfieldsn = explode(",", "Tunnel type,Interface binding");
-
- if ($_POST['authentication_method'] == "pre_shared_key") {
- $reqdfields = array_merge($reqdfields, explode(" ", "lipaddr pre-shared-key"));
- $reqdfieldsn = array_merge($reqdfieldsn, explode(",", "Local IP address,Pre-shared secret"));
-
- if ($_POST['type'] == "tun") {
- /* tun */
- $reqdfields = array_merge($reqdfields, explode(" ", "ripaddr"));
- $reqdfieldsn = array_merge($reqdfieldsn, explode(",", "Remote IP address"));
-
- /* subnet or ip address */
- if ($_POST['ripaddr']) {
- if (!is_ipaddr($_POST['ripaddr']))
- $input_errors[] = "A valid static remote IP address must be specified.";
- else if (ip2long($_POST['lipaddr']) == ip2long($_POST['ripaddr']))
- $input_errors[] = "Local IP address and remote IP address are the same.";
- }
- if ($_POST['lipaddr'])
- if (!is_ipaddr($_POST['lipaddr']))
- $input_errors[] = "A valid local static IP address must be specified.";
-
- } else {
- /* tap */
- if ($_POST['lipaddr']) {
- if (!is_ipaddr($_POST['lipaddr']))
- $input_errors[] = "A valid local static IP address must be specified.";
- if (gen_subnet($_POST['lipaddr'], $_POST['netmask']) == $_POST['lipaddr'])
- $input_errors[] = "Local IP address is subnet address.";
- if (gen_subnet_max($_POST['lipaddr'], $_POST['netmask']) == $_POST['lipaddr'])
- $input_errors[] = "Local IP address is broadcast address.";
- }
- }
-
- if (intval($_POST['maxcli']) > 1)
- $input_errors[] = "Maximum number of simultaneous clients should not be greater than \"1\".";
-
- /* checked also by javascript */
- if ($_POST['method'] != "static")
- $input_errors[] = "Only static address assignment is supported.";
-
- } else {
- /* rsa */
- $reqdfields = array_merge($reqdfields, explode(" ", "ca_cert srv_cert srv_key dh_param"));
- $reqdfieldsn = array_merge($reqdfieldsn, explode(",", "CA certificate,Server certificate,Server key,DH parameters"));
-
- if ($_POST['type'] == "tap") {
- /* tap*/
- if (!$_POST['bridge']) {
- if ($_POST['method'] == "ovpn") {
- $reqdfields = array_merge($reqdfields, "ipblock");
- $reqdfieldsn = array_merge($reqdfieldsn, "IP address block");
-
- $check_ipblock = 1;
- } else {
- $input_errors[] = "Only supported address assignment is \"Managed by OpenVPN\".";
- }
- } else {
- if ($_POST['method'] == "ovpn") {
- $reqdfields = array_merge($reqdfields, explode(" ", "range_from range_to gateway"));
- $reqdfieldsn = array_merge($reqdfieldsn, explode(",", "Range begin,Range end,Gateway"));
- if (intval($_POST['maxcli']) > (ip2long($_POST['range_to']) - ip2long($_POST['range_from']) + 1))
- $input_errors[] = "IP range to small for maximum number of simultaneous clients.";
-
- } else if ($_POST['method'] != "dhcp") {
- $input_errors[] = "Wrong or emtpy OpenVPN address assignment.";
- }
- }
-
- } else {
- /* tun*/
- $reqdfields = array_merge($reqdfields, "ipblock");
- $reqdfieldsn = array_merge($reqdfieldsn, "IP address block");
-
- /* checked also by javascript */
- if ($_POST['method'] != "ovpn")
- $input_errors[] = "Only supported address assignment is \"Managed by OpenVPN\".";
-
- $check_ipblock = 1;
- }
-
-
- /* valid IP */
- if ($_POST['ipblock'] && $check_ipblock) {
- if (!is_ipaddr($_POST['ipblock'])) {
- $input_errors[] = "A valid IP netblock must be specified.";
- } else if ($_POST['type'] == "tun" && intval($_POST['prefix']) > 29) {
- $input_errors[] = "Network mask too high for tun-style tunnels.";
- } else {
- $network = ip2long(gen_subnet($_POST['ipblock'], $_POST['prefix']));
- $broadcast = ip2long(gen_subnet_max($_POST['ipblock'], $_POST['prefix']));
-
- if ($_POST['maxcli']) {
- if ($_POST['type'] == "tap") {
- if (intval($_POST['maxcli']) > ($broadcast - $network - 3))
- $input_errors[] = "Maximum number of simultaneous clients too high";
- } else {
- if (intval($_POST['maxcli']) > floor(($broadcast - $network) / 4))
- $input_errors[] = "Maximum number of simultaneous clients too high";
- }
- }
- }
- }
-
- /* Sort out the cert+key files */
- if (!empty($_POST['ca_cert']) &&
- (!strstr($_POST['ca_cert'], "BEGIN CERTIFICATE") ||
- !strstr($_POST['ca_cert'], "END CERTIFICATE")))
- $input_errors[] = "The CA certificate does not appear to be valid.";
-
- if (!empty($_POST['srv_cert']) &&
- (!strstr($_POST['srv_cert'], "BEGIN CERTIFICATE") ||
- !strstr($_POST['srv_cert'], "END CERTIFICATE")))
- $input_errors[] = "The server certificate does not appear to be valid.";
-
- if (!empty($_POST['srv_key']) &&
- (!strstr($_POST['srv_key'], "BEGIN RSA PRIVATE KEY") ||
- !strstr($_POST['srv_key'], "END RSA PRIVATE KEY")))
- $input_errors[] = "The server key does not appear to be valid.";
-
- if (!empty($_POST['dh_param']) &&
- (!strstr($_POST['dh_param'], "BEGIN DH PARAMETERS") ||
- !strstr($_POST['dh_param'], "END DH PARAMETERS")))
- $input_errors[] = "The DH parameters do not appear to be valid.";
-
- if (isset($_POST['tlsauth']) && empty($_POST['pre-shared-key']))
- $input_errors[] = "The field 'Pre-shared secret' is required.";
- }
-
- do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
-
- if (($_POST['range_from'] && !is_ipaddr($_POST['range_from'])))
- $input_errors[] = "A valid range must be specified.";
-
- if (($_POST['range_to'] && !is_ipaddr($_POST['range_to'])))
- $input_errors[] = "A valid range must be specified.";
-
- if ($_POST['gateway'] && !is_ipaddr($_POST['gateway']))
- $input_errors[] = "A valid gateway IP address must be specified.";
-
- /* make sure the range lies within the bridged subnet */
- if ($_POST['bridge']) {
- if ($_POST['method'] == "ovpn") {
-
- $ipaddr = $config['interfaces'][$_POST['bridge']]['ipaddr'];
- $subnet = $config['interfaces'][$_POST['bridge']]['subnet'];
-
- $subnet_start = (ip2long($ipaddr) & gen_subnet_mask_long($subnet));
- $subnet_end = (ip2long($ipaddr) | (~gen_subnet_mask_long($subnet)));
-
- if (!ip_in_subnet($_POST['gateway'], gen_subnet($ipaddr, $subnet) . "/" . $subnet))
- $input_errors[] = "The specified gateway lies outside of the bridged subnet.";
-
- if ((ip2long($_POST['range_from']) < $subnet_start) || (ip2long($_POST['range_from']) > $subnet_end) ||
- (ip2long($_POST['range_to']) < $subnet_start) || (ip2long($_POST['range_to']) > $subnet_end)) {
- $input_errors[] = "The specified range lies outside of the bridged subnet.";
- }
-
- if (ip2long($_POST['range_from']) > ip2long($_POST['range_to']))
- $input_errors[] = "The range is invalid (first element higher than second element).";
- }
- }
-
- /* valid Port */
- if (empty($_POST['port']))
- $input_errors[] = "You must provide a server in between 1 and 65535.";
- else if (!is_port($_POST['port']))
- $input_errors[] = "The server port must be an integer between 1 and 65535.";
-
- /* check if dynip is set correctly */
- if ($_POST['dynip'] && $_POST['bind_iface'] != 'all')
- $input_errors[] = "Dynamic IP address can only be set with interface binding set to ALL.";
-
- if (!empty($_POST['pre-shared-key']))
- if (!strstr($_POST['pre-shared-key'], "BEGIN OpenVPN Static key") ||
- !strstr($_POST['pre-shared-key'], "END OpenVPN Static key"))
- $input_errors[] = "Pre-shared secret does not appear to be valid.";
-
- if ($_POST['psh_pingrst'] && $_POST['psh_pingexit'])
- $input_errors[] = "Ping-restart and Ping-exit are mutually exclusive and cannot be used together";
-
- if ($_POST['psh_rtedelay'] && !is_numeric($_POST['psh_rtedelay_int']))
- $input_errors[] = "Route-delay needs a numerical interval setting.";
-
- if ($_POST['psh_inact'] && !is_numeric($_POST['psh_inact_int']))
- $input_errors[] = "Inactive needs a numerical interval setting.";
-
- if ($_POST['psh_ping'] && !is_numeric($_POST['psh_ping_int']))
- $input_errors[] = "Ping needs a numerical interval setting.";
-
- if ($_POST['psh_pingexit'] && !is_numeric($_POST['psh_pingexit_int']))
- $input_errors[] = "Ping-exit needs a numerical interval setting.";
-
- if ($_POST['psh_pingrst'] && !is_numeric($_POST['psh_pingrst_int']))
- $input_errors[] = "Ping-restart needs a numerical interval setting.";
-
- /* Editing an existing entry? */
- if (isset($id) && $ovpnsrv[$id]) {
- $ovpnent = $ovpnsrv[$id];
-
- /* bridging changed */
- if ($ovpnent['bridge'] != $_POST['bridge']) {
- /* double bridging? */
- if ($_POST['bridge'] &&
- $_POST['type'] == "tap" &&
- $_POST['authentication_method'] == "rsasig")
- $retval = check_bridging($_POST['bridge']);
-
- if (!empty($retval))
- $input_errors[] = $retval;
- }
-
- /* port number syntactically valid, so lets check, if it is free */
- if (isset($ovpnent['enable']) &&
- !isset($_POST['disabled']) &&
- $ovpnent['port'] != $_POST['port']) {
- /* port number has changed */
-
- if (in_array($_POST['port'], used_port_list())) {
- /* port in use, check binding */
-
- /* return interfaces bind to this port */
- $bind_list = used_bind_list($_POST['port']);
-
- /* check if binding is in use */
- if (($_POST['bind_iface'] == "all") ||
- in_array("all", $bind_list) ||
- in_array($_POST['bind_iface'], $bind_list) ) {
- $input_errors[] = "OpenVPN binding already in use by another OpenVPN daemon.";
- }
- }
- }
-
- /* binding free? */
- if (isset($ovpnent['enable']) &&
- !isset($_POST['disabled']) &&
- $ovpnent['bind_iface'] != $_POST['bind_iface']) {
- /* binding has changed, remove existing old entry from list */
- $entry = array();
- array_push($entry, $ovpnent['bind_iface']);
- $bind_list = array_diff(used_bind_list($_POST['port']), $entry);
-
- if (count($bind_list)) {
- if ($_POST['bind_iface'] == "all")
- $input_errors[] = "Interface binding is already in use.";
- else if (in_array("all", $bind_list) ||
- in_array($_POST['bind_iface'], $bind_list))
- $input_errors[] = "Interface binding is already in use.";
- }
- }
-
- /* Test Server type hasn't changed */
- if ($ovpnent['type'] != $_POST['type']) {
- $input_errors[] = "Delete this interface first before changing the type of the tunnel to " . strtoupper($_POST['type']) .".";
-
- }
-
- /* status changed to enable */
- if (!isset($ovpnent['enable']) && !isset($_POST['disabled'])) {
-
- /* check if port number is free */
- if (in_array($_POST['port'], used_port_list())) {
- /* port in use, check binding */
-
- /* return interfaces bind to this port */
- $bind_list = used_bind_list($_POST['port']);
-
- if (($_POST['bind_iface'] == "all") ||
- in_array("all", $bind_list ) ||
- in_array($_POST['bind_iface'], $bind_list) ) {
- /* binding in use */
- $input_errors[] = "OpenVPN binding already in use by another OpenVPN daemon.";
- }
- }
- }
-
- } else {
- /* Creating a new entry */
- $ovpnent = array();
-
- /* port number syntactically valid, so lets check, if it is free */
- if ($_POST['port']) {
- /* new port number */
- $bind_list = used_bind_list($_POST['port']);
-
- if (in_array($_POST['port'], used_port_list())) {
- /* port in use, check binding */
- if (($_POST['bind_iface'] == "all") ||
- in_array("all", $bind_list ) ||
- in_array($_POST['bind_iface'], $bind_list) ) {
- /* binding in use */
- $input_errors[] = "Port {$_POST['port']} is already used for another interface.";
- }
- }
- }
-
- if (!($ovpnent['tun_iface'] = getnxt_if($_POST['type'])))
- $input_errors[] = "Run out of devices for a tunnel of type {$_POST['type']}";
-
- /* double bridging? */
- if ($ovpnent['bridge'] != $_POST['bridge']) {
- /* double bridging? */
- if ($_POST['bridge'] &&
- $_POST['type'] == "tap" &&
- $_POST['authentication_method'] == "rsasig")
- $retval = check_bridging($_POST['bridge']);
-
- if (!empty($retval))
- $input_errors[] = $retval;
- }
- }
-
- if (!$input_errors) {
-
- $ovpnent['enable'] = isset($_POST['disabled']) ? false : true;
- $ovpnent['bind_iface'] = $_POST['bind_iface'];
- $ovpnent['port'] = $_POST['port'];
- $ovpnent['proto'] = $_POST['proto'];
- $ovpnent['type'] = $_POST['type'];
- $ovpnent['method'] = $_POST['method'];
- $ovpnent['authentication_method'] = $_POST['authentication_method'];
-
- /* convert IP address block to a correct network IP address */
- $ovpnent['ipblock'] = gen_subnet($_POST['ipblock'], $_POST['prefix']);
- $ovpnent['prefix'] = $_POST['prefix'];
- $ovpnent['lipaddr'] = $_POST['lipaddr'];
- $ovpnent['ripaddr'] = $_POST['ripaddr'];
- $ovpnent['netmask'] = $_POST['netmask'];
- $ovpnent['range_from'] = $_POST['range_from'];
- $ovpnent['range_to'] = $_POST['range_to'];
- $ovpnent['gateway'] = $_POST['gateway'];
- $ovpnent['bridge'] = $_POST['bridge'];
-
- $ovpnent['descr'] = $_POST['descr'];
- $ovpnent['verb'] = $_POST['verb'];
- $ovpnent['maxcli'] = $_POST['maxcli'];
- $ovpnent['crypto'] = $_POST['crypto'];
- $ovpnent['comp_method'] = $_POST['comp_method'];
- $ovpnent['cli2cli'] = $_POST['cli2cli'] ? true : false;
- $ovpnent['dupcn'] = $_POST['dupcn'] ? true : false;
- $ovpnent['dynip'] = $_POST['dynip'] ? true : false;
- $ovpnent['tlsauth'] = $_POST['tlsauth'] ? true : false;
- $ovpnent['crlname'] = $_POST['crlname'];
-
- unset($ovpnent['pre-shared-key']);
- if ($_POST['pre-shared-key'])
- $ovpnent['pre-shared-key'] = base64_encode($_POST['pre-shared-key']);
-
- $ovpnent['psh_options']['redir'] = $_POST['psh_redir'] ? true : false;
- $ovpnent['psh_options']['redir_loc'] = $_POST['psh_redir_loc'] ? true : false;
- $ovpnent['psh_options']['rtedelay'] = $_POST['psh_rtedelay'] ? true : false;
- $ovpnent['psh_options']['inact'] = $_POST['psh_inact'] ? true : false;
- $ovpnent['psh_options']['ping'] = $_POST['psh_ping'] ? true : false;
- $ovpnent['psh_options']['pingrst'] = $_POST['psh_pingrst'] ? true : false;
- $ovpnent['psh_options']['pingexit'] = $_POST['psh_pingexit'] ? true : false;
-
- unset($ovpnent['psh_options']['rtedelay_int']);
- unset($ovpnent['psh_options']['inact_int']);
- unset($ovpnent['psh_options']['ping_int']);
- unset($ovpnent['psh_options']['pingrst_int']);
- unset($ovpnent['psh_options']['pingexit_int']);
-
- if ($_POST['psh_rtedelay_int'])
- $ovpnent['psh_options']['rtedelay_int'] = $_POST['psh_rtedelay_int'];
- if ($_POST['psh_inact_int'])
- $ovpnent['psh_options']['inact_int'] = $_POST['psh_inact_int'];
- if ($_POST['psh_ping_int'])
- $ovpnent['psh_options']['ping_int'] = $_POST['psh_ping_int'];
- if ($_POST['psh_pingrst_int'])
- $ovpnent['psh_options']['pingrst_int'] = $_POST['psh_pingrst_int'];
- if ($_POST['psh_pingexit_int'])
- $ovpnent['psh_options']['pingexit_int'] = $_POST['psh_pingexit_int'];
-
- $ovpnent['ca_cert'] = base64_encode($_POST['ca_cert']);
- $ovpnent['srv_cert'] = base64_encode($_POST['srv_cert']);
- $ovpnent['srv_key'] = base64_encode($_POST['srv_key']);
- $ovpnent['dh_param'] = base64_encode($_POST['dh_param']);
-
- /* expertmode params */
- $ovpnent['expertmode_enabled'] = $_POST['expertmode_enabled'] ? true : false;
-
- if (!is_array($options))
- $options = array();
- if (!is_array($ovpnent['expertmode']))
- $ovpnent['expertmode'] = array();
-
- $options['option'] = array_map('trim', explode("\n", trim($_POST['expertmode_options'])));
- $ovpnent['expertmode'] = $options;
-
- if (isset($id) && $ovpnsrv[$id])
- $ovpnsrv[$id] = $ovpnent;
- else
- $ovpnsrv[] = $ovpnent;
-
- write_config();
- ovpn_srv_dirty($ovpnent['tun_iface']);
-
- header("Location: vpn_openvpn_srv.php");
- exit;
- } else {
-
- $pconfig = $_POST;
-
- $pconfig['enable'] = "true";
- if (isset($_POST['disabled']))
- unset($pconfig['enable']);
-
- $pconfig['pre-shared-key'] = base64_encode($_POST['pre-shared-key']);
- $pconfig['ca_cert'] = base64_encode($_POST['ca_cert']);
- $pconfig['srv_cert'] = base64_encode($_POST['srv_cert']);
- $pconfig['srv_key'] = base64_encode($_POST['srv_key']);
- $pconfig['dh_param'] = base64_encode($_POST['dh_param']);
-
- $pconfig['psh_options']['redir'] = $_POST['psh_redir'];
- $pconfig['psh_options']['redir_loc'] = $_POST['psh_redir_loc'];
- $pconfig['psh_options']['rtedelay'] = $_POST['psh_rtedelay'];
- $pconfig['psh_options']['inact'] = $_POST['psh_inact'];
- $pconfig['psh_options']['ping'] = $_POST['psh_ping'];
- $pconfig['psh_options']['pingrst'] = $_POST['psh_pingrst'];
- $pconfig['psh_options']['pingexit'] = $_POST['psh_pingexit'];
-
- $pconfig['psh_options']['rtedelay_int'] = $_POST['psh_rtedelay_int'];
- $pconfig['psh_options']['inact_int'] = $_POST['psh_inact_int'];
- $pconfig['psh_options']['ping_int'] = $_POST['psh_ping_int'];
- $pconfig['psh_options']['pingrst_int'] = $_POST['psh_pingrst_int'];
- $pconfig['psh_options']['pingexit_int'] = $_POST['psh_pingexit_int'];
- }
-}
-
-$pgtitle = array("VPN","OpenVPN","Edit server");
-include("head.inc");
-
-?>
-<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-<?php include("fbegin.inc"); ?>
-<?php if ($input_errors) print_input_errors($input_errors);?>
-<script language="JavaScript">
-function enable_change(enable_over) {
- var endis;
- endis = !(!document.iform.disabled.checked || enable_over);
-
- document.iform.proto[0].disabled = endis;
- document.iform.proto[1].disabled = endis;
- document.iform.port.disabled = endis;
- document.iform.bind_iface.disabled = endis;
- document.iform.dynip.disabled = endis;
- document.iform.descr.disabled = endis;
- document.iform.authentication_method.disabled = endis;
- document.iform.ca_cert.disabled = endis;
- document.iform.srv_cert.disabled = endis;
- document.iform.srv_key.disabled = endis;
- document.iform.dh_param.disabled = endis;
- document.iform.crypto.disabled = endis;
- document.iform.tlsauth.disabled = endis;
- document.iform.crlname.disabled = endis;
- document.iform.psk.disabled = endis;
- document.iform.type[0].disabled = endis;
- document.iform.type[1].disabled = endis;
- document.iform.bridge.disabled = endis;
- document.iform.method[0].disabled = endis;
- document.iform.method[1].disabled = endis;
- document.iform.method[2].disabled = endis;
- document.iform.maxcli.disabled = endis;
- document.iform.ipblock.disabled = endis;
- document.iform.prefix.disabled = endis;
- document.iform.range_from.disabled = endis;
- document.iform.range_to.disabled = endis;
- document.iform.gateway.disabled = endis;
- document.iform.lipaddr.disabled = endis;
- document.iform.ripaddr.disabled = endis;
- document.iform.netmask.disabled = endis;
- document.iform.cli2cli.disabled = endis;
- document.iform.dupcn.disabled = endis;
- document.iform.comp_method.disabled = endis;
- document.iform.psh_redir.disabled = endis;
- document.iform.psh_redir_loc.disabled = endis;
- document.iform.psh_rtedelay.disabled = endis;
- document.iform.psh_rtedelay_int.disabled = endis;
- document.iform.psh_inact.disabled = endis;
- document.iform.psh_inact_int.disabled = endis;
- document.iform.psh_ping.disabled = endis;
- document.iform.psh_ping_int.disabled = endis;
- document.iform.psh_pingexit.disabled = endis;
- document.iform.psh_pingexit_int.disabled = endis;
- document.iform.psh_pingrst.disabled = endis;
- document.iform.psh_pingrst_int.disabled = endis;
- document.iform.expertmode_enabled.disabled = endis;
- document.iform.expertmode_options.disabled = endis;
-
- if (!document.iform.disabled.checked) {
- type_change();
- tls_change(enable_over);
- expertmode_change(enable_over);
- methodsel_change(enable_over);
- }
-}
-
-function type_change() {
- switch (document.iform.bind_iface.selectedIndex) {
- /* ALL */
- case 0:
- document.iform.dynip.disabled = 0;
- break;
- default:
- document.iform.dynip.disabled = 1;
- }
-}
-
-function tls_change(enable_over) {
- var endis;
- endis = !(document.iform.tlsauth.checked || enable_over);
-
- document.iform.psk.disabled = endis;
-}
-
-function expertmode_change(enable_over) {
- var endis;
- endis = !(document.iform.expertmode_enabled.checked || enable_over);
-
- document.iform.expertmode_options.disabled = endis;
-}
-
-function methodsel_change(enable_over) {
- var endis;
-
- switch (document.iform.authentication_method.selectedIndex) {
- case 1: /* rsa */
- if (get_radio_value(document.iform.type) == "tap") {
- /* tap */
-
- endis = !((document.iform.bridge.selectedIndex == 0) || enable_over);
-
- if (document.iform.bridge.selectedIndex == 0)
- document.iform.method[0].checked = 1;
-
- document.iform.method[0].disabled = 0;
- document.iform.method[1].disabled = !endis;
- document.iform.method[2].disabled = 1;
- document.iform.method[2].checked = 0;
- document.iform.bridge.disabled = 0;
-
- if (get_radio_value(document.iform.method) == "ovpn") {
- document.iform.ipblock.disabled = endis;
- document.iform.prefix.disabled = endis;
- document.iform.range_from.disabled = !endis;
- document.iform.range_to.disabled = !endis;
- document.iform.gateway.disabled = !endis;
- } else if (get_radio_value(document.iform.method) == "dhcp") {
- document.iform.ipblock.disabled = 1;
- document.iform.prefix.disabled = 1;
- document.iform.range_from.disabled = 1;
- document.iform.range_to.disabled = 1;
- document.iform.gateway.disabled = 1;
- }
- } else {
- /* tun */
- document.iform.method[0].disabled = 0;
- document.iform.method[0].checked = 1;
- document.iform.method[1].disabled = 1;
- document.iform.method[2].disabled = 1;
- document.iform.bridge.disabled = 1;
- document.iform.bridge.selectedIndex = 0;
- document.iform.ipblock.disabled = 0;
- document.iform.prefix.disabled = 0;
- document.iform.range_from.disabled = 1;
- document.iform.range_to.disabled = 1;
- document.iform.gateway.disabled = 1;
- }
-
- document.iform.psk.disabled = 1;
- document.iform.ca_cert.disabled = 0;
- document.iform.srv_cert.disabled = 0;
- document.iform.srv_key.disabled = 0;
- document.iform.dh_param.disabled = 0;
- document.iform.tlsauth.disabled = 0;
- document.iform.crlname.disabled = 0;
- document.iform.maxcli.disabled = 0;
- document.iform.dupcn.disabled = 0;
- document.iform.lipaddr.disabled = 1;
- document.iform.ripaddr.disabled = 1;
- document.iform.netmask.disabled = 1;
- document.iform.cli2cli.disabled = 0;
- document.iform.psh_redir.disabled = 0;
- document.iform.psh_redir_loc.disabled = 0;
- document.iform.psh_rtedelay.disabled = 0;
- document.iform.psh_rtedelay_int.disabled = 0;
- document.iform.psh_inact.disabled = 0;
- document.iform.psh_inact_int.disabled = 0;
- document.iform.psh_ping.disabled = 0;
- document.iform.psh_ping_int.disabled = 0;
- document.iform.psh_pingexit.disabled = 0;
- document.iform.psh_pingexit_int.disabled = 0;
- document.iform.psh_pingrst.disabled = 0;
- document.iform.psh_pingrst_int.disabled = 0;
- tls_change();
- break;
- default: /* pre-shared */
- if (get_radio_value(document.iform.type) == "tap") {
- /* tap */
- document.iform.ripaddr.disabled = 1;
- document.iform.netmask.disabled = 0;
- } else {
- /* tun */
- document.iform.ripaddr.disabled = 0;
- document.iform.netmask.disabled = 1;
- }
-
- document.iform.psk.disabled = 0;
- document.iform.ca_cert.disabled = 1;
- document.iform.srv_cert.disabled = 1;
- document.iform.srv_key.disabled = 1;
- document.iform.dh_param.disabled = 1;
- document.iform.tlsauth.disabled = 1;
- document.iform.crlname.disabled = 1;
-
- document.iform.method[0].disabled = 1;
- document.iform.method[1].disabled = 1;
- document.iform.method[2].disabled = 0;
- document.iform.method[2].checked = 1;
- document.iform.bridge.disabled = 1;
- document.iform.bridge.selectedIndex = 0;
- document.iform.ipblock.disabled = 1;
- document.iform.prefix.disabled = 1;
- document.iform.range_from.disabled = 1;
- document.iform.range_to.disabled = 1;
- document.iform.gateway.disabled = 1;
- document.iform.lipaddr.disabled = 0;
- document.iform.maxcli.disabled = 1;
- document.iform.maxcli.value = "";
- document.iform.dupcn.disabled = 1;
- document.iform.dupcn.checked = 0;
- document.iform.cli2cli.disabled = 1;
- document.iform.cli2cli.checked = 0;
- document.iform.psh_redir.disabled = 1;
- document.iform.psh_redir_loc.disabled = 1;
- document.iform.psh_rtedelay.disabled = 1;
- document.iform.psh_rtedelay_int.disabled = 1;
- document.iform.psh_inact.disabled = 1;
- document.iform.psh_inact_int.disabled = 1;
- document.iform.psh_ping.disabled = 1;
- document.iform.psh_ping_int.disabled = 1;
- document.iform.psh_pingexit.disabled = 1;
- document.iform.psh_pingexit_int.disabled = 1;
- document.iform.psh_pingrst.disabled = 1;
- document.iform.psh_pingrst_int.disabled = 1;
- break;
- }
-
- if (enable_over) {
- document.iform.psk.disabled = 0;
- document.iform.ca_cert.disabled = 0;
- document.iform.srv_cert.disabled = 0;
- document.iform.srv_key.disabled = 0;
- document.iform.dh_param.disabled = 0;
- document.iform.tlsauth.disabled = 0;
- document.iform.crlname.disabled = 0;
- document.iform.bridge.disabled = 0;
- document.iform.ipblock.disabled = 0;
- document.iform.prefix.disabled = 0;
- document.iform.range_from.disabled = 0;
- document.iform.range_to.disabled = 0;
- document.iform.gateway.disabled = 0;
- document.iform.lipaddr.disabled = 0;
- document.iform.ripaddr.disabled = 0;
- document.iform.netmask.disabled = 0;
- document.iform.maxcli.disabled = 0;
- document.iform.method[0].disabled = 0;
- document.iform.method[1].disabled = 0;
- document.iform.method[2].disabled = 0;
- }
-}
-
-function get_radio_value(obj) {
- for (i = 0; i < obj.length; i++) {
- if (obj[i].checked)
- return obj[i].value;
- }
- return null;
-}
-
-//-->
-</script>
-<form action="vpn_openvpn_srv_edit.php" method="post" enctype="multipart/form-data" name="iform" id="iform">
-<strong><span class="red">WARNING: This feature is experimental and modifies your optional interface configuration.
- Backup your configuration before using OpenVPN, and restore it before upgrading.<br>&nbsp;<br>
-</span></strong>
-<table width="100%" border="0" cellpadding="6" cellspacing="0">
- <tr>
- <td width="22%" valign="top" class="vncellreq">Disabled</td>
- <td width="78%" class="vtable">
- <input name="disabled" type="checkbox" value="yes" onclick="enable_change(false)" <?php if (!isset($pconfig['enable'])) echo "checked"; ?>>
- <strong>Disable this server</strong><br>
- <span class="vexpl">Set this option to disable this server without removing it from the list.</span>
- </td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">OpenVPN protocol/port</td>
- <td width="78%" class="vtable">
- <input type="radio" name="proto" class="formfld" value="udp" <?php if ($pconfig['proto'] == 'udp') echo "checked"; ?>>
- UDP&nbsp;
- <input type="radio" name="proto" class="formfld" value="tcp" <?php if ($pconfig['proto'] == 'tcp') echo "checked"; ?>>
- TCP<br><br>
- Port:
- <input name="port" type="text" class="formfld" size="5" maxlength="5" value="<?= $pconfig['port']; ?>"><br>
- Enter the port number to use for the server (default is 1194).</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncellreq">Interface binding</td>
- <td width="78%" class="vtable">
- <select name="bind_iface" class="formfld" onchange="type_change()">
- <?php
- $interfaces = ovpn_real_interface_list();
- foreach ($interfaces as $key => $iface):
- ?>
- <option value="<?=$key;?>" <?php if ($key == $pconfig['bind_iface']) echo "selected"; ?>> <?= $iface;?>
- </option>
- <?php endforeach;?>
- </select>
- <span class="vexpl"><br>
- Choose an interface for the OpenVPN server to listen on.</span></td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">Dynamic IP address</td>
- <td width="78%" class="vtable">
- <input name="dynip" type="checkbox" value="yes" <?php if (isset($pconfig['dynip'])) echo "checked"; ?>>
- <strong>Dynamic IP address</strong><br>
- Set this option to on, if your IP addresses are being assigned dynamically. Can only be used with interface binding set to ALL.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">Description</td>
- <td width="78%" class="vtable">
- <input name="descr" type="text" class="formfld" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>">
- <br> <span class="vexpl">You may enter a description here for your reference (not parsed).</span></td>
- </tr>
-
- <tr>
- <td colspan="2" valign="top" height="12"></td>
- </tr>
- <tr>
- <td colspan="2" valign="top" class="listtopic">Cryptographic options</td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncellreq">Authentication method</td>
- <td width="78%" class="vtable">
- <select name="authentication_method" class="formfld" onChange="methodsel_change(false)">
- <?php foreach ($p1_authentication_methods as $method => $methodname): ?>
- <option value="<?=$method;?>" <?php if ($method == $pconfig['authentication_method']) echo "selected"; ?>>
- <?=htmlspecialchars($methodname);?>
- </option>
- <?php endforeach; ?>
- </select> <br> <span class="vexpl">Must match the setting chosen on the remote side.</span></td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncellreq">CA certificate</td>
- <td width="78%" class="vtable">
- <textarea name="ca_cert" cols="65" rows="4" class="formpre"><?=htmlspecialchars(base64_decode($pconfig['ca_cert']));?></textarea>
- <br>
- Paste a CA certificate in X.509 PEM format here.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncellreq">Server certificate</td>
- <td width="78%" class="vtable">
- <textarea name="srv_cert" cols="65" rows="4" class="formpre"><?=htmlspecialchars(base64_decode($pconfig['srv_cert']));?></textarea>
- <br>
- Paste a server certificate in X.509 PEM format here.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncellreq">Server key</td>
- <td width="78%" class="vtable">
- <textarea name="srv_key" cols="65" rows="4" class="formpre"><?=htmlspecialchars(base64_decode($pconfig['srv_key']));?></textarea>
- <br>Paste the server RSA private key here.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncellreq">DH parameters</td>
- <td width="78%" class="vtable">
- <textarea name="dh_param" cols="65" rows="4" class="formpre"><?=htmlspecialchars(base64_decode($pconfig['dh_param']));?></textarea>
- <br>
- Paste the Diffie-Hellman parameters in PEM format here.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">Crypto</td>
- <td width="78%" class="vtable">
- <select name="crypto" class="formfld">
- <?php $cipher_list = ovpn_get_cipher_list();
- foreach($cipher_list as $key => $value){
- ?>
- <option value="<?= $key ?>" <?php if ($pconfig['crypto'] == $key) echo "selected"; ?>>
- <?= $value ?>
- </option>
- <?php
- }
- ?>
- </select>
- <br>
- Select a data channel encryption cipher.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">TLS auth</td>
- <td width="78%" class="vtable">
- <input name="tlsauth" type="checkbox" value="yes" <?php if (isset($pconfig['tlsauth'])) echo "checked";?> onclick="tls_change(false)">
- <strong>TLS auth</strong><br>
- The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncellreq">Pre-shared secret</td>
- <td width="78%" class="vtable">
- <textarea name="pre-shared-key" id="psk" cols="65" rows="4" class="formpre"><?=htmlspecialchars(base64_decode($pconfig['pre-shared-key']));?></textarea>
- <br>
- Paste your own pre-shared secret here.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">CRL</td>
- <td width="78%" class="vtable">
- <select name="crlname" class="formfld" id="crlname">
- <option <?php if (!$pconfig['crlname']) echo "selected";?> value="">none</option>
- <?php $crl_list = ovpn_get_crl_list();
- foreach($crl_list as $crlname): ?>
- <option value="<?=$crlname;?>" <?php if ($crlname == $pconfig['crlname']) echo "selected";?>>
- <?=htmlspecialchars($crlname);?>
- </option>
- <?php endforeach; ?>
- </select>
- <br> <span class="vexpl">
- You can choose a CRL (certificate revocation list) file in PEM format here.
- Each peer certificate is checked against this file.</span></td>
- </tr>
-
- <tr>
- <td colspan="2" valign="top" height="12"></td>
- </tr>
- <tr>
- <td colspan="2" valign="top" class="listtopic">IP configuration</td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncellreq">Tunnel type</td>
- <td width="78%" class="vtable">
- <input type="radio" name="type" class="formfld" value="tun" onclick="methodsel_change(false)" <?php if ($pconfig['type'] == 'tun') echo "checked"; ?>>
- TUN&nbsp;
- <input type="radio" name="type" class="formfld" value="tap" onclick="methodsel_change(false)" <?php if ($pconfig['type'] == 'tap') echo "checked"; ?>>
- TAP
- </td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncellreq">Bridge with</td>
- <td width="78%" class="vtable">
- <select name="bridge" class="formfld" id="bridge" onChange="methodsel_change(false)">
- <option <?php if (!$pconfig['bridge']) echo "selected";?> value="">none</option>
- <?php $iflist = get_configured_interface_with_descr();
- foreach ($iflist as $if => $ifdesc) {
- if (!($config['interfaces'][$if]['ovpn']))
- $opts[$if] = "Optional " . $if . " (" . $ifdesc . ")";
- }
- foreach ($opts as $opt => $optname): ?>
- <option <?php if ($opt == $pconfig['bridge']) echo "selected";?> value="<?=htmlspecialchars($opt);?>">
- <?=htmlspecialchars($optname);?>
- </option>
- <?php endforeach; ?>
- </select> <br> <span class="vexpl">Only supported with authentication method set to RSA signature.</span>
- </td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncellreq">OpenVPN address assignment</td>
- <td width="78%" class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td colspan="2"><input name="method" type="radio" id="method" value="ovpn" onclick="methodsel_change(false)" <?php if($pconfig['method'] == "ovpn" || $pconfig['type'] == "tun") echo "checked"; ?>>
- Managed by OpenVPN
- </td>
- </tr>
- <tr>
- <td colspan="2"><input name="method" type="radio" id="method" value="dhcp" onclick="methodsel_change(false)" <?php if($pconfig['method'] == "dhcp") echo "checked"; ?>>
- Configure manually or by DHCP Server
- </td>
- </tr>
- <tr>
- <td colspan="2"><input name="method" type="radio" id="method" value="static" onclick="methodsel_change(false)" <?php if($pconfig['method'] == "static") echo "checked"; ?>>
- Static assignment
- </td>
- </tr>
- <tr>
- <td>&nbsp;</td>
- <td>&nbsp;</td>
- </tr>
- <tr>
- <td>Maximum number of simultaneous clients:&nbsp;&nbsp;<br>(leave blank to disable)</td>
- <td valign="top">
- <input name="maxcli" type="text" class="formfld" size="3" maxlength="3" value="<?=htmlspecialchars($pconfig['maxcli']);?>">
- </td>
- </tr>
- </table>
- </td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell"></td>
- <td width="78%" class="vtable">
- When using OpenVPN for address assignment, set aside a pool of subnets to be
- dynamically allocated to connecting clients, similar to a DHCP server.<br>
- <br>
- For tun-style tunnels, each client will be given a /30 subnet
- (for interoperability with Windows clients).<br>
- For tap-style tunnels, individual addresses will be allocated, and the optional
- netmask parameter will also be pushed to clients.<br>
- <br>
-
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td>IP address block:&nbsp;&nbsp;</td>
- <td valign="top"><input name="ipblock" type="text" class="formfld" size="20" value="<?=htmlspecialchars($pconfig['ipblock']);?>">
- /
- <select name="prefix" class="formfld">
- <?php for ($i = 30; $i > 19; $i--): ?>
- <option value="<?=$i;?>" <?php if ($i == $pconfig['prefix']) echo "selected"; ?>>
- <?=$i;?>
- </option>
- <?php endfor; ?>
- </select>
- </td>
- </tr>
- </table>
- </td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell"></td>
- <td width="78%" class="vtable">
- For bridges interfaces OpenVPN will allocate
- an IP range in the bridged subnet to connecting clients.<br><br>
- The gateway and netmask parameters
- can be set to either the IP of the bridge interface, or to
- the IP of the default gateway/router on the bridged subnet.<br>
- <br>
-
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td>Range:&nbsp;&nbsp;</td>
- <td valign="top"><input name="range_from" type="text" class="formfld" size="20" value="<?=htmlspecialchars($pconfig['range_from']);?>">
- &nbsp;to&nbsp;<input name="range_to" type="text" class="formfld" size="20" value="<?=htmlspecialchars($pconfig['range_to']);?>">
- </td>
- </tr>
-
- <tr>
- <td>Gateway:&nbsp;&nbsp;</td>
- <td valign="top"><input name="gateway" type="text" class="formfld" size="20" value="<?=htmlspecialchars($pconfig['gateway']);?>">
- </td>
- </tr>
- </table>
- </td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">&nbsp;</td>
- <td width="78%" class="vtable">
- When using pre-shared keys, enter the IP address and subnet mask
- of the local and remote VPN endpoint here. For TAP devices, only the
- IP address of the local VPN endpoint is needed. The netmask is the subnet mask
- of the virtual ethernet segment which is being created or connected to.<br>
- <br>
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td>Local IP address:&nbsp;&nbsp;</td>
- <td valign="top"><input name="lipaddr" id="lipaddr" type="text" class="formfld" size="20" value="<?=htmlspecialchars($pconfig['lipaddr']);?>">
- /
- <select name="netmask" id="netmask" class="formfld">
- <?php for ($i = 30; $i > 19; $i--): ?>
- <option value="<?=$i;?>" <?php if ($i == $pconfig['netmask']) echo "selected"; ?>>
- <?=$i;?>
- </option>
- <?php endfor; ?>
- </select>
- </td>
- </tr>
-
- <tr>
- <td>Remote IP address:&nbsp;&nbsp;</td>
- <td valign="top"><input name="ripaddr" id="ripaddr" type="text" class="formfld" size="20" value="<?=htmlspecialchars($pconfig['ripaddr']);?>">
- </td>
- </tr>
- </table>
- </td>
- </tr>
-
- <tr>
- <td colspan="2" valign="top" height="12"></td>
- </tr>
- <tr>
- <td colspan="2" valign="top" class="listtopic">Server Options</td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncell">Internal routing mode</td>
- <td width="78%" class="vtable">
- <input name="cli2cli" type="checkbox" value="yes" <?php if (isset($pconfig['cli2cli'])) echo "checked"; ?>>
- <strong>Enable client-to-client routing</strong><br>
- If this option is on, clients are allowed to talk to each other.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">Client authentication</td>
- <td width="78%" class="vtable">
- <input name="dupcn" type="checkbox" value="yes" <?php if (isset($pconfig['dupcn'])) echo "checked"; ?>>
- <strong>Permit duplicate client certificates</strong><br>
- If this option is on, clients with duplicate certificates will not be disconnected.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">Compression method</td>
- <td width="78%" class="vtable">
- <select name="comp_method" class="formfld" id="comp_method">
- <option <?php if (!$pconfig['comp_method']) echo "selected";?> value="">none</option>
- <?php $compression_method = array('lzo' => 'LZO', 'noadapt' => 'LZO (no adaptive)');
- foreach($compression_method as $comp_method => $comp_methodname): ?>
- <option value="<?=$comp_method;?>"
- <?php if ($comp_method == $pconfig['comp_method']) echo "selected";?>>
- <?=htmlspecialchars($comp_methodname);?>
- </option>
- <?php endforeach; ?>
- </select>
- <br>
- Choose which compression method to use.<br>
- <br>
- LZO compression generally improves performance on slow links,
- but may add up to 1 byte per packet for incompressible data.<br>
- <br>
- With adaptive compression, OpenVPN will periodically sample the
- compression process to measure its efficiency. If the data being
- sent over the tunnel is already compressed, the compression
- efficiency will be very low. Choose 'LZO (no adaptive)'
- to disable OpenVPN's adaptive compression algorithm.
- </td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">Client-push options</td>
- <td width="78%" class="vtable">
- <table border="0" cellspacing="0" cellpadding="0">
- <tr>
- <td><input type="checkbox" name="psh_redir" value="yes" <?php if (isset($pconfig['psh_options']['redir'])) echo "checked"; ?>>
- Redirect-gateway</td>
- <td>&nbsp;</td>
- <td><input type="checkbox" name="psh_redir_loc" value="yes" <?php if (isset($pconfig['psh_options']['redir_loc'])) echo "checked"; ?>>
- Local</td>
- </tr>
- <tr>
- <td><input type="checkbox" name="psh_rtedelay" value="yes" <?php if (isset($pconfig['psh_options']['rtedelay'])) echo "checked"; ?>> Route-delay</td>
- <td width="16">&nbsp;</td>
- <td><input type="text" name="psh_rtedelay_int" class="formfld" size="4" value="<?= $pconfig['psh_options']['rtedelay_int']?>"> seconds</td>
- </tr>
- <tr>
- <td><input type="checkbox" name="psh_inact" value="yes" <?php if (isset($pconfig['psh_options']['inact'])) echo "checked"; ?>>
- Inactive</td>
- <td>&nbsp;</td>
- <td><input type="text" name="psh_inact_int" class="formfld" size="4" value="<?= $pconfig['psh_options']['inact_int']?>">
- seconds</td>
- </tr>
- <tr>
- <td><input type="checkbox" name="psh_ping" value="yes" <?php if (isset($pconfig['psh_options']['ping'])) echo "checked"; ?>> Ping</td>
- <td>&nbsp;</td>
- <td>Interval: <input type="text" name="psh_ping_int" class="formfld" size="4" value="<?= $pconfig['psh_options']['ping_int']?>"> seconds</td>
- </tr>
- <tr>
- <td><input type="checkbox" name="psh_pingexit" value="yes" <?php if (isset($pconfig['psh_options']['pingexit'])) echo "checked"; ?>> Ping-exit</td>
- <td>&nbsp;</td>
- <td>Interval: <input type="text" name="psh_pingexit_int" class="formfld" size="4" value="<?= $pconfig['psh_options']['pingexit_int']?>"> seconds</td>
- </tr>
- <tr>
- <td><input type="checkbox" name="psh_pingrst" value="yes" <?php if (isset($pconfig['psh_options']['pingrst'])) echo "checked"; ?>> Ping-restart</td>
- <td>&nbsp;</td>
- <td>Interval: <input type="text" name="psh_pingrst_int" class="formfld" size="4" value="<?= $pconfig['psh_options']['pingrst_int']?>"> seconds</td>
- </tr>
- </table></td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">Expert mode</td>
- <td width="78%" class="vtable">
- <input name="expertmode_enabled" type="checkbox" value="yes" onclick="expertmode_change(false);" <?php if (isset($pconfig['expertmode_enabled'])) echo "checked"; ?>>
- <strong>Enable expert OpenVPN mode</strong><br>
- If this option is on, you can specify your own extra commands for the OpenVPN server.<br/>
- <textarea name="expertmode_options" id="expertmode_options" cols="65" rows="4" class="formpre"><?=htmlspecialchars($pconfig['expertmode_options']);?></textarea>
- <strong><span class="red">Note:</span></strong><br>
- Commands in expert mode aren't supported.
- </td>
- </tr>
-
- <tr>
- <td width="22%" valign="top">&nbsp;</td>
- <td width="78%">
- <input name="Submit" type="submit" class="formbtn" value="Save" onclick="methodsel_change(true);tls_change(true);expertmode_change(true);enable_change(true)">
- <input name="verb" type="hidden" value="<?=$pconfig['verb'];?>">
- <?php if (isset($id)): ?>
- <input name="id" type="hidden" value="<?=$id;?>">
- <?php endif; ?>
- </td>
- </tr>
-</table>
-</form>
-<script language="JavaScript">
-<!--
-type_change();
-tls_change(false);
-methodsel_change(false);
-expertmode_change(false);
-enable_change(false);
-//-->
-</script>
-<?php include("fend.inc");
-?>