-rw-r--r--etc/inc/auth.inc8
-rw-r--r--etc/inc/filter.inc2
-rwxr-xr-xetc/inc/openvpn.auth-user.php38
-rw-r--r--etc/inc/openvpn.inc4
4 files changed, 48 insertions, 4 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 1c176ab..614c93d 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -1127,7 +1127,7 @@ function ldap_backed($username, $passwd, $authcfg) {
return true;
}
-function radius_backed($username, $passwd, $authcfg){
+function radius_backed($username, $passwd, $authcfg, &$attributes = array()) {
global $debug, $config;
$ret = false;
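Review bot: The new by-reference `$attributes` parameter on `radius_backed` (and on `authenticate_user` in the hunk at the `-1259` header) is only ever written on the success path, so a caller that reuses the same variable across several backends keeps whatever an earlier call left in it; this contract is not documented anywhere in the patch. A short comment above the signature would pin it down, e.g. `/* $attributes receives the RADIUS reply attributes (listAttributes()) only when authentication succeeds; it is left untouched on failure, so callers must initialise it themselves. */`, and the same sentence fits above `authenticate_user`. Out-parameters are also easy to misuse from call sites that forget to pass a variable; if the signature is revisited, returning the attributes alongside the result would be the cleaner shape. `radius_backed` continues beyond this hunk, so the rest of its handling of `$attributes` is not visible here.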
@@ -1163,6 +1163,8 @@ function radius_backed($username, $passwd, $authcfg){
if ($debug)
printf(gettext("Radius send failed: %s<br>\n"), $retvalue['error']);
} else if ($result === true) {
+ if ($rauth->getAttributes())
+ $attributes = $rauth->listAttributes();
$retvalue['auth_val'] = 2;
if ($debug)
printf(gettext("Radius Auth succeeded")."<br>\n");
@@ -1259,7 +1261,7 @@ function getUserGroups($username, $authcfg) {
return $member_groups;
}
-function authenticate_user($username, $password, $authcfg = NULL) {
+function authenticate_user($username, $password, $authcfg = NULL, &$attributes = array()) {
if (!$authcfg) {
return local_backed($username, $password);
@@ -1272,7 +1274,7 @@ function authenticate_user($username, $password, $authcfg = NULL) {
$authenticated = true;
break;
case 'radius':
- if (radius_backed($username, $password, $authcfg))
+ if (radius_backed($username, $password, $authcfg, $attributes))
$authenticated = true;
break;
default:
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index c417db1..16fbaf5 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -2365,6 +2365,8 @@ function filter_rules_generate() {
/* relayd */
$ipfrules .= "anchor \"relayd/*\"\n";
+ /* OpenVPN user rules from radius */
+ $ipfrules .= "anchor \"openvpn/*\"\n";
# BEGIN OF firewall rules
/* default block logging? */
if(!isset($config['syslog']['nologdefaultblock']))
diff --git a/etc/inc/openvpn.auth-user.php b/etc/inc/openvpn.auth-user.php
index 0558dbb..92c3b87 100755
--- a/etc/inc/openvpn.auth-user.php
+++ b/etc/inc/openvpn.auth-user.php
@@ -96,6 +96,11 @@ if (!$username || !$password) {
/* Replaced by a sed with propper variables used below(ldap parameters). */
//<template>
+if (file_exists("{$g['varetc_path']}/openvpn/{$modeid}.ca")) {
+ putenv("LDAPTLS_CACERT={$g['varetc_path']}/openvpn/{$modeid}.ca");
+ putenv("LDAPTLS_REQCERT=never");
+}
+
$authenticated = false;
if (($strictusercn === true) && ($common_name != $username)) {
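Review bot: `putenv("LDAPTLS_REQCERT=never")` on the line after the `LDAPTLS_CACERT` export switches LDAP server certificate verification off, which makes the CA bundle it has just pointed at meaningless and leaves the LDAP bind (carrying the user's password) open to an interposed server. When a CA file for the mode is present, the verification should be required: `putenv("LDAPTLS_REQCERT=demand");`. If the intent of `never` was to tolerate a self-signed or mismatched server certificate during rollout, that should be an explicit, documented choice rather than the default whenever a `.ca` file exists; `$modeid` and `$g` are set before this hunk, so their origin cannot be checked here.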
@@ -103,12 +108,13 @@ if (($strictusercn === true) && ($common_name != $username)) {
exit(1);
}
+$attributes = array();
foreach ($authmodes as $authmode) {
$authcfg = auth_get_authserver($authmode);
if (!$authcfg && $authmode != "local")
continue;
- $authenticated = authenticate_user($username, $password, $authcfg);
+ $authenticated = authenticate_user($username, $password, $authcfg, $attributes);
if ($authenticated == true)
break;
}
@@ -118,6 +124,36 @@ if ($authenticated == false) {
exit(-1);
}
+if (file_exists("/etc/inc/openvpn.attributes.php"))
+ include_once("/etc/inc/openvpn.attributes.php");
+
+$content = "";
+if (is_array($attributes['dns-servers'])) {
+ foreach ($attributes['dns-servers'] as $dnssrv) {
+ if (is_ipaddr($dnssrv))
+ $content .= "push \"dhcp-option DNS {$dnssrv}\"\n";
+ }
+}
+if (is_array($attributes['routes'])) {
+ foreach ($attributes['routes'] as $route)
+ $content .= "push \"route {$route} vpn_gateway\"\n";
+}
+
+if (isset($attributes['framed_ip'])) {
+/* XXX: only use when TAP windows driver >= 8.2.x */
+/* if (isset($attributes['framed_mask'])) {
+ $content .= "topology subnet\n";
+ $content .= "ifconfig-push {$attributes['framed_ip']} {$attributes['framed_mask']}";
+ } else {
+*/
+ $content .= "topology net30\n";
+ $content .= "ifconfig-push {$attributes['framed_ip']} ". long2ip((ip2long($attributes['framed_ip']) + 1));
+// }
+}
+
+if (!empty($content))
+ @file_put_contents("{$g['tmp_path']}/{$username}", $content);
+
syslog(LOG_NOTICE, "user {$username} authenticated\n");
exit(0);
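Review bot: The values taken from `$attributes['routes']` and `$attributes['framed_ip']` are interpolated into the per-user pushed OpenVPN config without the `is_ipaddr` check that `dns-servers` gets, so a malformed or newline-bearing attribute in the RADIUS reply becomes extra directives in that file, and `ip2long()` on a non-address `framed_ip` returns `false`, which turns the computed peer address into `0.0.0.1`. The same block calls `is_array($attributes['dns-servers'])` and `is_array($attributes['routes'])` on keys that are unset for every non-RADIUS login (`$attributes` starts as an empty array), which raises an undefined-index notice each time; the keys should be tested with `isset` first. The rewrite below adds those guards, validates `framed_ip`, and limits route entries to address/mask characters; the exact shape of a route entry is produced by `openvpn.attributes.php`, which is not on this page, so that check should be tightened to a full network/netmask parse once the format is confirmed. The final write uses the client-supplied `$username` as a filename under `{$g['tmp_path']}`, so it should be confined to a plain name, and the `@` on `file_put_contents` hides a failed write that silently drops the pushed attributes — the return value should at least be logged.
```php
$content = "";
if (isset($attributes['dns-servers']) && is_array($attributes['dns-servers'])) {
    // … unchanged: is_ipaddr check and "dhcp-option DNS" push …
}
if (isset($attributes['routes']) && is_array($attributes['routes'])) {
    foreach ($attributes['routes'] as $route) {
        /* Only address/mask characters may reach the pushed config; tighten
         * to a full network/netmask parse once the format produced by
         * openvpn.attributes.php is confirmed. */
        if (preg_match('/^[0-9a-fA-F.:\/ ]+$/', $route))
            $content .= "push \"route {$route} vpn_gateway\"\n";
    }
}

if (isset($attributes['framed_ip']) && is_ipaddr($attributes['framed_ip'])) {
    // … unchanged: net30 "ifconfig-push" …
}

/* $username comes from the connecting client: never let it name a path outside tmp_path */
if (!empty($content) && basename($username) === $username) {
    if (@file_put_contents("{$g['tmp_path']}/{$username}", $content) === false)
        syslog(LOG_ERR, "could not write pushed attributes for user {$username}\n");
}
```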
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index af7d921..bec3e9b 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -375,6 +375,10 @@ function openvpn_reconfigure($mode, $settings) {
$conf .= "cipher {$cipher}\n";
$conf .= "up /usr/local/sbin/ovpn-linkup\n";
$conf .= "down /usr/local/sbin/ovpn-linkdown\n";
+ if (file_exists("/usr/local/sbin/openvpn.attributes.sh")) {
+ $conf .= "client-connect /usr/local/sbin/openvpn.attributes.sh\n";
+ $conf .= "client-disconnect /usr/local/sbin/openvpn.attributes.sh\n";
+ }
if (is_ipaddrv4($iface_ip)) {
$conf .= "local {$iface_ip}\n";
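Review bot: The `file_exists` test before the `client-connect`/`client-disconnect` lines is too weak for a script OpenVPN will execute: if `/usr/local/sbin/openvpn.attributes.sh` is present but not executable, every client connection is rejected when the hook fails, which is a worse outcome than simply not emitting the lines. Checking `if (is_executable("/usr/local/sbin/openvpn.attributes.sh")) {` instead keeps the existing intent and avoids that failure mode. A one-line comment naming what the hook consumes, e.g. `/* applies the per-user attributes written by openvpn.auth-user.php */`, would also help, since the link between this hook and the auth script is otherwise only visible by reading both files. `openvpn_reconfigure` begins before this hunk, so whether `script-security` is already emitted for the existing `up`/`down` lines cannot be confirmed here.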