-rw-r--r--etc/inc/openvpn.inc126
-rw-r--r--usr/local/pkg/openvpn.xml15
-rw-r--r--usr/local/pkg/openvpn_cli.xml11
-rw-r--r--usr/local/pkg/openvpn_csc.xml77
4 files changed, 222 insertions, 7 deletions
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index bd2446a..ffcda86 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -88,7 +88,6 @@ function openvpn_validate_input($mode, $post, $input_errors) {
if ($result = openvpn_validate_cidr($post['local_network'], 'Local network'))
$input_errors[] = $result;
-// DHCP-Options logic-check
if (!empty($post['dhcp_dns'])) {
$servers = explode(';', $post['dhcp_dns']);
foreach ($servers as $server) if (!is_ipaddr($server))
@@ -109,6 +108,10 @@ function openvpn_validate_input($mode, $post, $input_errors) {
foreach ($servers as $server) if (!is_ipaddr($server))
{$input_errors[] = 'The field \'DHCP-Opt.: NTP-Server\' must contain a valid IP address and no whitespaces.';
break;}}
+ if (isset($post['maxclients']) && $post['maxclients'] != "") {
+ if (!is_numeric($post['maxclients']))
+ $input_errors[] = 'The field \'Maximum clients\' must be numeric.';
+ }
}
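Review bot: `is_numeric()` on the new maxclients check accepts values such as `1.5`, `-1`, `1e3` or a leading space, all of which are later written verbatim into the generated config as `max-clients`, where OpenVPN expects a positive integer. A stricter test would be `if (!ctype_digit((string)$post['maxclients']) || (int)$post['maxclients'] < 1)` with the message saying the field must be a positive whole number. openvpn_validate_input starts before this hunk.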
@@ -163,8 +166,14 @@ function openvpn_validate_input($mode, $post, $input_errors) {
}
do_input_validation($post, $reqfields, $reqfieldsn, &$input_errors);
+ if ($post['protocol'] != 'UDP') {
+ if (!empty($post['tls']))
+ $input_errors[] = 'TLS-authentication can only be used with protocol UDP';
+ }
+
$value = trim($post['shared_key']);
$items = array();
+
if ($_POST['auth_method'] == 'shared_key') {
$items[] = array( 'field' => 'shared_key',
'string' => 'OpenVPN Static key V1',
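Review bot: The nested `if ($post['protocol'] != 'UDP') { if (!empty($post['tls']))` reads more simply as a single guard, `if ($post['protocol'] != 'UDP' && !empty($post['tls']))`, matching the one-line checks used elsewhere in this function. This validator is shared by both modes, so it is worth confirming that the client form also submits a `protocol` field; otherwise the comparison runs against an undefined index. OpenVPN itself accepts tls-auth over TCP as well, so if the UDP-only rule is a deliberate product restriction a short comment saying so would help the next maintainer. openvpn_validate_input continues outside the hunk.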
@@ -180,6 +189,9 @@ function openvpn_validate_input($mode, $post, $input_errors) {
$items[] = array( 'field' => "{$mode}_key",
'string' => 'RSA PRIVATE KEY',
'name' => "$Mode key");
+ $items[] = array( 'field' => 'tls',
+ 'string' => 'OpenVPN Static key V1',
+ 'name' => 'TLS');
if ($mode == 'server') {
$items[] = array( 'field' => 'dh_params',
'string' => 'DH PARAMETERS',
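Review bot: The new `tls` entry is appended to `$items` unconditionally, while the package form describes the key as optional and the reconfigure code only uses it when set. If the loop that consumes `$items` (not visible in this hunk) reports a missing marker string as an error, an empty TLS field would now block every certificate-based save; guarding the append with `if (!empty($post['tls']))` would keep the field optional. The marker `'OpenVPN Static key V1'` is the same one used for shared_key, which is the static-key file format tls-auth uses, so that part looks right.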
@@ -201,8 +213,50 @@ function openvpn_validate_input($mode, $post, $input_errors) {
function openvpn_validate_input_csc($post, $input_errors) {
if ($result = openvpn_validate_cidr($post['ifconfig_push'], 'Interface IP'))
$input_errors[] = $result;
-}
+ if ($post['push_reset'] != 'on') {
+ if (!empty($post['dhcp_domainname']))
+ $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options';
+ elseif (!empty($post['dhcp_dns']))
+ $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options';
+ elseif (!empty($post['dhcp_wins']))
+ $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options';
+ elseif (!empty($post['dhcp_nbdd']))
+ $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options';
+ elseif (!empty($post['dhcp_ntp']))
+ $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options';
+ elseif ($post['dhcp_nbttype'])
+ $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options';
+ elseif (!empty($post['dhcp_nbtscope']))
+ $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options';
+ elseif ($post['dhcp_nbtdisable'])
+ $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options';
+
+ }
+ else {
+
+ if (!empty($post['dhcp_dns'])) {
+ $servers = explode(';', $post['dhcp_dns']);
+ foreach ($servers as $server) if (!is_ipaddr($server))
+ {$input_errors[] = 'The field \'DHCP-Opt.: DNS-Server\' must contain a valid IP address and no whitespaces.';
+ break;}}
+ if (!empty($post['dhcp_wins'])) {
+ $servers = explode(';', $post['dhcp_wins']);
+ foreach ($servers as $server) if (!is_ipaddr($server))
+ {$input_errors[] = 'The field \'DHCP-Opt.: WINS-Server\' must contain a valid IP address and no whitespaces.';
+ break;}}
+ if (!empty($post['dhcp_nbdd'])) {
+ $servers = explode(';', $post['dhcp_nbdd']);
+ foreach ($servers as $server) if (!is_ipaddr($server))
+ {$input_errors[] = 'The field \'DHCP-Opt.: NBDD-Server\' must contain a valid IP address and no whitespaces.';
+ break;}}
+ if (!empty($post['dhcp_ntp'])) {
+ $servers = explode(';', $post['dhcp_ntp']);
+ foreach ($servers as $server) if (!is_ipaddr($server))
+ {$input_errors[] = 'The field \'DHCP-Opt.: NTP-Server\' must contain a valid IP address and no whitespaces.';
+ break;}}
+
+}}
// Rewrite the settings
function openvpn_reconfigure($mode, $id) {
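Review bot: Of the fields accepted when push reset is on, only the four address lists are validated; dhcp_domainname and dhcp_nbtscope pass through unchecked and are later interpolated into quoted push directives in openvpn_resync_csc (`push "dhcp-option DOMAIN ..."` and `... NBS ...`), so a value containing a double quote or a line break changes the structure of the generated client-specific config. Restricting both to hostname-style characters closes that gap; the added checks are sketched below. The eight identical `It makes no sense...` errors could also come from one loop over the field names, and the closing `}}` on a single line hides where the else and the function end.
```php
	else {
		// These two are interpolated into quoted push directives; allow only
		// hostname-style characters so the generated config keeps its structure.
		if (!empty($post['dhcp_domainname']) && !preg_match('/^[A-Za-z0-9.-]+$/', $post['dhcp_domainname']))
			$input_errors[] = 'The field \'DHCP-Opt.: DNS-Domainname\' must contain a valid domain name.';
		if (!empty($post['dhcp_nbtscope']) && !preg_match('/^[A-Za-z0-9.-]+$/', $post['dhcp_nbtscope']))
			$input_errors[] = 'The field \'DHCP-Opt.: NetBIOS Scope\' may only contain letters, digits, dots and hyphens.';
		// … unchanged: DNS/WINS/NBDD/NTP address-list checks …
	}
```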
@@ -227,6 +281,9 @@ function openvpn_reconfigure($mode, $id) {
$keys[] = array('field' => 'dh_params', 'ext' => 'dh', 'directive' => 'dh');
if ($settings['crl'])
$keys[] = array('field' => 'crl', 'ext' => 'crl', 'directive' => 'crl-verify');
+ if ($settings['tls'])
+ $keys[] = array('field' => 'tls', 'ext' => 'tls', 'directive' => 'tls-auth');
+
}
foreach($keys as $key) {
$filename = $base_file . $key['ext'];
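Review bot: The tls-auth key entry is added next to dh_params and crl, which the validator treats as server-only (dh_params is appended there only when `$mode == 'server'`), so if this block is the server-only branch the `.tls` key file is only ever written for the server side. The client config generated later references `openvpn_client{$id}.tls`, which would then never exist on disk; if that reading is right, the `tls` append belongs after the server-only block's closing brace so both modes write the file. The enclosing block starts before this hunk, so please verify which branch it is.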
@@ -334,7 +391,9 @@ EOD;
if (!empty($settings['dhcp_nbtscope'])) $openvpn_conf .= "push \"dhcp-option NBS {$settings['dhcp_nbtscope']}\"\n";
if ($settings['dhcp_nbtdisable']) $openvpn_conf .= "push \"dhcp-option DISABLE-NBT\"\n";
- }
+ if (!empty($settings['tls'])) $openvpn_conf .= "tls-auth {$g['varetc_path']}/openvpn_server{$id}.tls 0\n";
+ if (!empty($settings['maxclients'])) $openvpn_conf .= "max-clients {$settings['maxclients']}\n";
+ }
else { // $mode == client
// The remote server
@@ -362,6 +421,9 @@ EOD;
/* ;http-proxy-retry # retry on connection failures */
$openvpn_conf .= "http-proxy {$settings['proxy_hostname']} {$settings['proxy_port']}\n";
}
+
+ if (!empty($settings['tls'])) $openvpn_conf .= "tls-auth {$g['varetc_path']}/openvpn_client{$id}.tls 1\n";
+
}
// Add the routes if they're set
@@ -373,7 +435,9 @@ EOD;
// Write the settings for the keys
foreach ($keys as $key)
+ if ($key['directive'] != 'tls-auth') {
$openvpn_conf .= $key['directive'] . ' ' . $base_file . $key['ext'] . "\n";
+ }
if ($settings['use_lzo']) $openvpn_conf .= "comp-lzo\n";
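Review bot: The new `if ($key['directive'] != 'tls-auth')` inside the key loop has no comment explaining why one entry is skipped, and the `foreach` still has no braces, so the condition now silently carries the whole loop body. Suggest braces on the foreach and a comment such as `// tls-auth takes a key-direction argument, so it is emitted in the mode-specific section above`. The enclosing function starts before this hunk.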
@@ -412,6 +476,55 @@ function openvpn_resync_csc($id) {
$baselong = ip2long($ip) & gen_subnet_mask_long($mask);
$conf .= 'ifconfig-push ' . long2ip($baselong + 1) . ' ' . long2ip($baselong + 2) . "\n";
}
+
+// DHCP-Options
+ if (!empty($settings['dhcp_domainname'])) $conf .= "push \"dhcp-option DOMAIN {$settings['dhcp_domainname']}\"\n";
+
+ if (!empty($settings['dhcp_dns'])) {
+ $servers = explode(';', $settings['dhcp_dns']);
+ if (is_array($servers)) {
+ foreach ($servers as $server) $conf .= "push \"dhcp-option DNS {$server}\"\n";
+ }
+ else {
+ $conf .= "push \"dhcp-option DNS {$settings['dhcp_dns']}\"\n";
+ }
+ }
+
+ if (!empty($settings['dhcp_wins'])) {
+ $servers = explode(';', $settings['dhcp_wins']);
+ if (is_array($servers)) {
+ foreach ($servers as $server) $conf .= "push \"dhcp-option WINS {$server}\"\n";
+ }
+ else {
+ $conf .= "push \"dhcp-option WINS {$settings['dhcp_wins']}\"\n";
+ }
+ }
+
+ if (!empty($settings['dhcp_nbdd'])) {
+ $servers = explode(';', $settings['dhcp_nbdd']);
+ if (is_array($servers)) {
+ foreach ($servers as $server) $conf .= "push \"dhcp-option NBDD {$server}\"\n";
+ }
+ else {
+ $conf .= "push \"dhcp-option NBDD {$settings['dhcp_nbdd']}\"\n";
+ }
+ }
+
+ if (!empty($settings['dhcp_ntp'])) {
+ $servers = explode(';', $settings['dhcp_ntp']);
+ if (is_array($servers)) {
+ foreach ($servers as $server) $conf .= "push \"dhcp-option NTP {$server}\"\n";
+ }
+ else {
+ $conf .= "push \"dhcp-option NTP {$settings['dhcp_ntp']}\"\n";
+ }
+ }
+
+ if (!empty($settings['dhcp_nbttype']) && $settings['dhcp_nbttype'] !=0) $conf .= "push \"dhcp-option NBT {$settings['dhcp_nbttype']}\"\n";
+ if (!empty($settings['dhcp_nbtscope'])) $conf .= "push \"dhcp-option NBS {$settings['dhcp_nbtscope']}\"\n";
+ if ($settings['dhcp_nbtdisable']) $conf .= "push \"dhcp-option DISABLE-NBT\"\n";
+
+
if (!empty($settings['custom_options'])) {
$options = explode(';', $settings['custom_options']);
if (is_array($options)) {
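Review bot: `explode()` with a non-empty separator always returns an array, so each `is_array($servers)` test is true and the four `else` branches are dead code. The DNS/WINS/NBDD/NTP blocks differ only in the field name and option keyword, and the server path in openvpn_reconfigure emits the same push lines, so one small helper driven by a field-to-keyword map removes the duplication in both functions; a sketch follows. openvpn_resync_csc starts before this hunk.
```php
// Emit one push "dhcp-option <type> <value>" line per semicolon-separated value.
function openvpn_dhcp_option_pushes($type, $values) {
	$conf = '';
	foreach (explode(';', $values) as $value)
		$conf .= "push \"dhcp-option {$type} {$value}\"\n";
	return $conf;
}

// … inside openvpn_resync_csc, replacing the four DNS/WINS/NBDD/NTP blocks …
	$lists = array('DNS' => 'dhcp_dns', 'WINS' => 'dhcp_wins', 'NBDD' => 'dhcp_nbdd', 'NTP' => 'dhcp_ntp');
	foreach ($lists as $type => $field)
		if (!empty($settings[$field])) $conf .= openvpn_dhcp_option_pushes($type, $settings[$field]);
```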
@@ -427,6 +540,7 @@ function openvpn_resync_csc($id) {
file_put_contents($filename, $conf);
chown($filename, 'nobody');
chgrp($filename, 'nogroup');
+
}
@@ -488,7 +602,6 @@ function openvpn_resync_all() {
}
-
function openvpn_print_javascript($mode) {
$javascript = <<<EOD
<script language="JavaScript">
@@ -501,15 +614,18 @@ function onAuthMethodChanged() {
document.iform.ca_cert.disabled = endis;
document.iform.{$mode}_cert.disabled = endis;
document.iform.{$mode}_key.disabled = endis;
+ document.iform.tls.disabled = endis;
EOD;
if ($mode == 'server') {
$javascript .= <<<EOD
document.iform.dh_params.disabled = endis;
document.iform.crl.disabled = endis;
+ document.iform.tls.disabled = endis;
document.iform.nopool.disabled = endis;
document.iform.local_network.disabled = endis;
document.iform.client2client.disabled = endis;
+ document.iform.maxclients.disabled = endis;
EOD;
}
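Review bot: `document.iform.tls.disabled = endis;` is now assigned in both the common block and the server-only block, so in server mode the same line runs twice. Dropping the second occurrence keeps the server block to server-only fields such as dh_params, crl and maxclients. The heredoc and onAuthMethodChanged() start before this hunk.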
@@ -539,4 +655,4 @@ function openvpn_print_javascript2() {
EOD;
print($javascript);
}
-?> \ No newline at end of file
+?>
diff --git a/usr/local/pkg/openvpn.xml b/usr/local/pkg/openvpn.xml
index 23bfad0..ab90599 100644
--- a/usr/local/pkg/openvpn.xml
+++ b/usr/local/pkg/openvpn.xml
@@ -193,6 +193,15 @@
<cols>40</cols>
</field>
<field>
+ <fieldname>tls</fieldname>
+ <fielddescr>TLS</fielddescr>
+ <description>Paste your HMAC signature (TLS) here (optional).</description>
+ <type>textarea</type>
+ <encoding>base64</encoding>
+ <rows>8</rows>
+ <cols>40</cols>
+ </field>
+ <field>
<fieldname>dhcp_domainname</fieldname>
<fielddescr>DHCP-Opt.: DNS-Domainname</fielddescr>
<description>Set connection-specific DNS Suffix.</description>
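Review bot: The new tls field's description calls the content an "HMAC signature", but the validator expects an `OpenVPN Static key V1` block, the generated config passes it to `tls-auth`, and the validator rejects it unless the protocol is UDP. A description such as `Paste your OpenVPN static key (used by tls-auth for HMAC packet authentication) here (optional, UDP only).` matches what the code enforces. The same text is used for the tls field in openvpn_cli.xml.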
@@ -270,6 +279,12 @@
<type>checkbox</type>
</field>
<field>
+ <fieldname>maxclients</fieldname>
+ <fielddescr>Maximum clients</fielddescr>
+ <description>The maximum number of concurrently connected clients we want to allow.</description>
+ <type>input</type>
+ </field>
+ <field>
<fieldname>custom_options</fieldname>
<fielddescr>Custom options</fielddescr>
<description>You can put your own custom options here, separated by semi-colons (;). They'll be added to the server configuration.</description>
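Review bot: The maxclients description does not say which values are accepted, while the validator only checks `is_numeric` and the value is written straight into `max-clients`. Suggest `The maximum number of concurrently connected clients to allow (positive whole number; leave empty for no limit).`, which also documents that an empty field emits no directive.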
diff --git a/usr/local/pkg/openvpn_cli.xml b/usr/local/pkg/openvpn_cli.xml
index e05bacf..d199a77 100644
--- a/usr/local/pkg/openvpn_cli.xml
+++ b/usr/local/pkg/openvpn_cli.xml
@@ -169,6 +169,15 @@
<cols>40</cols>
</field>
<field>
+ <fieldname>tls</fieldname>
+ <fielddescr>TLS</fielddescr>
+ <description>Paste your HMAC signature (TLS) here (optional).</description>
+ <type>textarea</type>
+ <encoding>base64</encoding>
+ <rows>8</rows>
+ <cols>40</cols>
+ </field>
+ <field>
<fieldname>use_lzo</fieldname>
<fielddescr>LZO compression</fielddescr>
<description>Checking this will compress the packets using the LZO algorithm before sending them.</description>
@@ -216,4 +225,4 @@
<custom_php_resync_config_command>
openvpn_resync('client', $id);
</custom_php_resync_config_command>
-</packagegui> \ No newline at end of file
+</packagegui>
diff --git a/usr/local/pkg/openvpn_csc.xml b/usr/local/pkg/openvpn_csc.xml
index 93e0fb8..c962b50 100644
--- a/usr/local/pkg/openvpn_csc.xml
+++ b/usr/local/pkg/openvpn_csc.xml
@@ -67,11 +67,86 @@
<description>Set this option to push an IP to the client's interface. Expressed as a CIDR range (e.g. 10.5.0.0/16). The first IP in the range will be used as the remote IP of the interface, and the second IP will be used as the local IP of the interface.</description>
<type>input</type>
</field>
+
+ <field>
+ <fieldname>dhcp_domainname</fieldname>
+ <fielddescr>DHCP-Opt.: DNS-Domainname</fielddescr>
+ <description>Set connection-specific DNS Suffix.</description>
+ <type>input</type>
+ </field>
+ <field>
+ <fieldname>dhcp_dns</fieldname>
+ <fielddescr>DHCP-Opt.: DNS-Server</fielddescr>
+ <description>Set domain name server addressses, separated by semi-colons (;).</description>
+ <type>input</type>
+ </field>
+ <field>
+ <fieldname>dhcp_wins</fieldname>
+ <fielddescr>DHCP-Opt.: WINS-Server</fielddescr>
+ <description>Set WINS server addressses (NetBIOS over TCP/IP Name Server), separated by semi-colons (;).</description>
+ <type>input</type>
+ </field>
+ <field>
+ <fieldname>dhcp_nbdd</fieldname>
+ <fielddescr>DHCP-Opt.: NBDD-Server</fielddescr>
+ <description>Set NBDD server addresses (NetBIOS over TCP/IP Datagram Distribution Server), separated by semi-colons (;).</description>
+ <type>input</type>
+ </field>
+ <field>
+ <fieldname>dhcp_ntp</fieldname>
+ <fielddescr>DHCP-Opt.: NTP-Server</fielddescr>
+ <description>Set NTP server addresses (Network Time Protocol), separated by semi-colons (;).</description>
+ <type>input</type>
+ </field>
+ <field>
+ <fieldname>dhcp_nbttype</fieldname>
+ <fielddescr>DHCP-Opt.: NetBIOS node type</fielddescr>
+ <description>Set NetBIOS over TCP/IP Node type. Possible options: b-node (broadcasts), p-node (point-to-point name queries to a WINS server), m-node (broadcast then query name server), and h-node (query name server, then broadcast).</description>
+ <type>select</type>
+ <options>
+ <option>
+ <value>0</value>
+ <name>none</name>
+ </option>
+ <option>
+ <value>1</value>
+ <name>b-node</name>
+ </option>
+ <option>
+ <value>2</value>
+ <name>p-node</name>
+ </option>
+ <option>
+ <value>4</value>
+ <name>m-node</name>
+ </option>
+ <option>
+ <value>8</value>
+ <name>h-node</name>
+ </option>
+ </options>
+ <default_value>0</default_value>
+ </field>
+ <field>
+ <fieldname>dhcp_nbtscope</fieldname>
+ <fielddescr>DHCP-Opt.: NetBIOS Scope</fielddescr>
+ <description>Set NetBIOS over TCP/IP Scope. A NetBIOS Scope ID provides an extended naming service for NetBIOS over TCP/IP. The NetBIOS scope ID isolates NetBIOS traffic on a single network to only those nodes with the same NetBIOS scope ID.</description>
+ <type>input</type>
+ </field>
+ <field>
+ <fieldname>dhcp_nbtdisable</fieldname>
+ <fielddescr>DHCP-Opt.: Disable NetBIOS</fielddescr>
+ <description>If this option is set, Netbios-over-TCP/IP will be disabled.</description>
+ <type>checkbox</type>
+ </field>
+
<field>
<fieldname>custom_options</fieldname>
<fielddescr>Custom options</fielddescr>
<description>You can put your own custom options here, separated by semi-colons (;). They'll be added to the client-specific configuration.</description>
- <type>input</type>
+ <type>textarea</type>
+ <cols>65</cols>
+ <rows>5</rows>
</field>
<field>
<fieldname>description</fieldname>
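Review bot: The new DHCP-option fields do not mention that the validator rejects them unless push reset is enabled, so a user filling them in with push reset off gets an error with no hint on the form. Adding `Only used when push reset is enabled.` to each description (or a sentence on the push_reset field) would make the dependency visible. `addressses` in the DNS-Server and WINS-Server descriptions is a typo for `addresses`.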