summaryrefslogtreecommitdiffstats
path: root/etc/inc/openvpn.inc
diff options
context:
space:
mode:
Diffstat (limited to 'etc/inc/openvpn.inc')
-rw-r--r--etc/inc/openvpn.inc914
1 files changed, 285 insertions, 629 deletions
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index cd3f2a0..efea035 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -45,67 +45,65 @@ require_once('config.inc');
require_once('pfsense-utils.inc');
require_once('util.inc');
-// Shutdown running process if needed
-function openvpn_delete($mode, $id) {
- global $g, $config;
-
- $settings = $config['installedpackages']['openvpn$mode']['config'][$id];
- $mode = $settings['mode'];
- $ps = $g['varetc_path'] . "/openvpn_{$mode}{$id}.conf";
- $ps_id = `ps awux | grep $ps | awk '{ print \$2 }'`;
- killbypid($ps_id);
-}
+$openvpn_prots = array( "UDP", "TCP");
-// Return the list of ciphers OpenVPN supports
-function openvpn_get_ciphers($pkg) {
+$openvpn_auth_methods = array(
+ 'pki' => "Public Key Infrastructure",
+ 'shared_key' => "Pre Shared Key");
+
+function openvpn_vpnid_used($vpnid) {
global $config;
- foreach ($pkg['fields']['field'] as $i => $field) {
- if ($field['fieldname'] == 'crypto') {
- $option_array = &$pkg['fields']['field'][$i]['options']['option'];
- $ciphers_out = shell_exec('openvpn --show-ciphers | grep "default key" | awk \'{print $1, "(" $2 "-" $3 ")";}\'');
- $ciphers = explode("\n", trim($ciphers_out));
- sort($ciphers);
- foreach ($ciphers as $cipher) {
- $value = explode(' ', $cipher);
- $value = $value[0];
- $option_array[] = array('value' => $value, 'name' => $cipher);
- }
- }
- if ($field['fieldname'] == 'cipher') {
- if (is_array($config['openvpn']['keys'])) {
- if (count($config['openvpn']['keys']) > 0) {
- $option_array = &$pkg['fields']['field'][$i]['options']['option'];
- foreach ($config['openvpn']['keys'] as $cipher => $type) {
- if ($type['shared.key'])
- $option_array[] = array('value' => $cipher, 'name' => $cipher);
- }
- }
- }
- }
- if ($field['fieldname'] == 'cipherpki') {
- if (is_array($config['openvpn']['keys'])) {
- if (count($config['openvpn']['keys']) > 0) {
- $option_array = &$pkg['fields']['field'][$i]['options']['option'];
- foreach ($config['openvpn']['keys'] as $cipher => $type) {
- if ($type['auth_method'] == 'pki')
- $option_array[] = array('value' => $cipher, 'name' => $type['descr']);
- }
- }
- }
- }
+ if (is_array($config['openvpn']['openvpn-server']))
+ foreach ($config['openvpn']['openvpn-server'] as $id => & $settings)
+ if( $vpnid == $settings['vpnid'] )
+ return true;
+
+ if (is_array($config['openvpn']['openvpn-client']))
+ foreach ($config['openvpn']['openvpn-client'] as $id => & $settings)
+ if( $vpnid == $settings['vpnid'] )
+ return true;
+ return false;
+}
+
+function openvpn_vpnid_next() {
+
+ $vpnid = 1;
+ while(openvpn_vpnid_used($vpnid))
+ $vpnid++;
+
+ return $vpnid;
+}
+
+function openvpn_get_cipherlist() {
+
+ $ciphers = array();
+ $cipher_out = shell_exec('openvpn --show-ciphers | grep "default key" | awk \'{print $1, "(" $2 "-" $3 ")";}\'');
+ $cipher_lines = explode("\n", trim($cipher_out));
+ sort($cipher_lines);
+ foreach ($cipher_lines as $line) {
+ $words = explode(' ', $line);
+ $ciphers[$words[0]] = "{$words[0]} {$words[1]}";
}
+
+ return $ciphers;
+}
+
+function openvpn_validate_host($value, $name) {
+ $value = trim($value);
+ if (empty($value) || !(is_domain($value) && is_ipaddr($value)))
+ return "The field '$name' must contain a valid IP address or domain name.";
+ return false;
}
function openvpn_validate_port($value, $name) {
$value = trim($value);
- if (!empty($value) && !(is_numeric($value) && ($value > 0) && ($value < 65535)))
+ if (empty($value) || !(is_numeric($value) && ($value > 0) && ($value < 65535)))
return "The field '$name' must contain a valid port, ranging from 0 to 65535.";
return false;
}
-
function openvpn_validate_cidr($value, $name) {
$value = trim($value);
if (!empty($value)) {
@@ -116,271 +114,115 @@ function openvpn_validate_cidr($value, $name) {
return false;
}
+function openvpn_add_dhcpopts(& $settings, & $conf) {
-// Do the input validation
-function openvpn_validate_input($mode, $post, $input_errors) {
- $Mode = ucfirst($mode);
+ if (!empty($settings['dns_domain']))
+ $conf .= "push \"dhcp-option DOMAIN {$settings['dns_domain']}\"\n";
- if ($mode == 'server') {
- if ($result = openvpn_validate_port($post['local_port'], 'Local port'))
- $input_errors[] = $result;
-
- if ($result = openvpn_validate_cidr($post['addresspool'], 'Address pool'))
- $input_errors[] = $result;
-
- if ($result = openvpn_validate_cidr($post['local_network'], 'Local network'))
- $input_errors[] = $result;
-
-/* check for port in use - update of existing entries not possible because $_GET['act'] is not passed from pkg_edit.php :-( mfuchs
- $portinuse = shell_exec('sockstat | grep '.$post['local_port'].' | grep '.strtolower($post['protocol']));
- if (!empty($portinuse))
- $input_errors[] = 'The port '.$post['local_port'].'/'.strtolower($post['protocol']).' is already in use.';
-*/
+ if (!empty($settings['dns_server1']))
+ $conf .= "push \"dhcp-option DNS {$settings['dns_server1']}\"\n";
+ if (!empty($settings['dns_server2']))
+ $conf .= "push \"dhcp-option DNS {$settings['dns_server2']}\"\n";
+ if (!empty($settings['dns_server3']))
+ $conf .= "push \"dhcp-option DNS {$settings['dns_server3']}\"\n";
+ if (!empty($settings['dns_server4']))
+ $conf .= "push \"dhcp-option DNS {$settings['dns_server4']}\"\n";
- if (!empty($post['dhcp_dns'])) {
- $servers = explode(';', $post['dhcp_dns']);
- foreach ($servers as $server) if (!is_ipaddr($server))
- {$input_errors[] = 'The field \'DHCP Option: DNS Server\' must contain a valid IP address and no whitespaces.';
- break;}}
- if (!empty($post['dhcp_wins'])) {
- $servers = explode(';', $post['dhcp_wins']);
- foreach ($servers as $server) if (!is_ipaddr($server))
- {$input_errors[] = 'The field \'DHCP Option: WINS Server\' must contain a valid IP address and no whitespaces.';
- break;}}
- if (!empty($post['dhcp_nbdd'])) {
- $servers = explode(';', $post['dhcp_nbdd']);
- foreach ($servers as $server) if (!is_ipaddr($server))
- {$input_errors[] = 'The field \'DHCP Option: NBDD Server\' must contain a valid IP address and no whitespaces.';
- break;}}
- if (!empty($post['dhcp_ntp'])) {
- $servers = explode(';', $post['dhcp_ntp']);
- foreach ($servers as $server) if (!is_ipaddr($server))
- {$input_errors[] = 'The field \'DHCP Option: NTP Server\' must contain a valid IP address and no whitespaces.';
- break;}}
- if (isset($post['maxclients']) && $post['maxclients'] != "") {
- if (!is_numeric($post['maxclients']))
- $input_errors[] = 'The field \'Maximum clients\' must be numeric.';
- }
+ if (!empty($settings['ntp_server1']))
+ $conf .= "push \"dhcp-option NTP {$settings['dhcp_ntp']}\"\n";
+ if (!empty($settings['ntp_server2']))
+ $conf .= "push \"dhcp-option NTP {$settings['dhcp_ntp']}\"\n";
- }
+ if ($settings['netbios_enable']) {
- else { // Client mode
- if ($result = openvpn_validate_port($post['serverport'], 'Server port'))
- $input_errors[] = $result;
+ if (!empty($settings['dhcp_nbttype']) && ($settings['dhcp_nbttype'] != 0))
+ $conf .= "push \"dhcp-option NBT {$settings['dhcp_nbttype']}\"\n";
+ if (!empty($settings['dhcp_nbtscope']))
+ $conf .= "push \"dhcp-option NBS {$settings['dhcp_nbtscope']}\"\n";
- $server_addr = trim($post['serveraddr']);
- if (!empty($value) && !(is_domain($server_addr) || is_ipaddr($server_addr)))
- $input_errors[] = 'The field \'Server address\' must contain a valid IP address or domain name.';
+ if (!empty($settings['wins_server1']))
+ $conf .= "push \"dhcp-option WINS {$settings['wins_server1']}\"\n";
+ if (!empty($settings['wins_server2']))
+ $conf .= "push \"dhcp-option WINS {$settings['wins_server2']}\"\n";
- if ($result = openvpn_validate_cidr($post['interface_ip'], 'Interface IP'))
- $input_errors[] = $result;
+ if (!empty($settings['nbdd_server1']))
+ $conf .= "push \"dhcp-option NBDD {$settings['nbdd_server1']}\"\n";
+ }
- if ($post['auth_method'] == 'shared_key') {
- if (empty($post['interface_ip']))
- $input_errors[] = 'The field \'Interface IP\' is required.';
- }
- if (isset($post['proxy_hostname']) && $post['proxy_hostname'] != "") {
- if (!is_domain($post['proxy_hostname']) || is_ipaddr($post['proxy_hostname']))
- $input_errors[] = 'The field \'Proxy Host\' must contain a valid IP address or domain name.';
- if (!is_port($post['proxy_port']))
- $input_errors[] = 'The field \'Proxy port\' must contain a valid port number.';
- if ($post['protocol'] != "TCP")
- $input_errors[] = 'The protocol must be TCP to use a HTTP proxy server.';
- }
- if (isset($post['use_shaper']) && $post['use_shaper'] != "") {
- if (!is_numeric($post['use_shaper']))
- $input_errors[] = 'The field \'Limit outgoing bandwidth\' must be numeric.';
- }
+ if ($settings['gwredir'])
+ $conf .= "push \"redirect-gateway def1\"\n";
+}
- }
+function openvpn_add_custom(& $settings, & $conf) {
- if ($result = openvpn_validate_cidr($post['remote_network'], 'Remote network'))
- $input_errors[] = $result;
+ if ($settings['custom_options']) {
-/* This are no more needed comment them from now and remove later */
-/*
- if ($_POST['auth_method'] == 'shared_key') {
- $reqfields[] = 'shared_key';
- $reqfieldsn[] = 'Shared key';
- }
- else {
- $req = explode(' ', "ca_cert {$mode}_cert {$mode}_key");
- $reqn = array( 'CA certificate',
- ucfirst($mode) . ' certificate',
- ucfirst($mode) . ' key');
- $reqfields = array_merge($reqfields, $req);
- $reqfieldsn = array_merge($reqfieldsn, $reqn);
- if ($mode == 'server') {
- $reqfields[] = 'dh_params';
- $reqfieldsn[] = 'DH parameters';
- }
- }
- do_input_validation($post, $reqfields, $reqfieldsn, &$input_errors);
-*/
-if ($mode != "server") {
- $value = trim($post['shared_key']);
- $items = array();
-
- if ($_POST['auth_method'] == 'shared_key') {
- $items[] = array( 'field' => 'shared.key',
- 'string' => 'OpenVPN Static key V1',
- 'name' => 'Shared key');
- }
- else {
- $items[] = array( 'field' => 'ca.crt',
- 'string' => 'CERTIFICATE',
- 'name' => 'CA certificate');
- $items[] = array( 'field' => "{$mode}.crt",
- 'string' => 'CERTIFICATE',
- 'name' => "$Mode certificate");
- $items[] = array( 'field' => "{$mode}.key",
- 'string' => 'RSA PRIVATE KEY',
- 'name' => "$Mode key");
- $items[] = array( 'field' => 'tls',
- 'string' => 'OpenVPN Static key V1',
- 'name' => 'TLS');
- if ($mode == 'server') {
- $items[] = array( 'field' => 'dh_param.dhs',
- 'string' => 'DH PARAMETERS',
- 'name' => 'DH parameters');
- $items[] = array( 'field' => 'crl.crl',
- 'string' => 'X509 CRL',
- 'name' => 'CRL');
- }
- }
- foreach ($items as $item) {
- $value = trim($_POST[$item['field']]);
- $string = $item['string'];
- if ($value && (!strstr($value, "-----BEGIN {$string}-----") || !strstr($value, "-----END {$string}-----")))
- $input_errors[] = "The field '{$item['name']}' does not appear to be valid";
+ $options = explode(';', $settings['custom_options']);
+
+ if (is_array($options)) {
+ foreach ($options as $option)
+ $conf .= "$option\n";
+ } else
+ $conf .= "{$settings['custom_options']}\n";
}
}
-}
+function openvpn_add_keyfile(& $data, & $conf, $mode_id, $directive) {
+ global $g;
-function openvpn_validate_input_csc($post, $input_errors) {
- if ($result = openvpn_validate_cidr($post['ifconfig_push'], 'Interface IP'))
- $input_errors[] = $result;
-
- if ($post['push_reset'] != 'on') {
- if (!empty($post['dhcp_domainname']))
- $input_errors[] = 'It makes no sense to unselect push reset and configure DHCP options';
- elseif (!empty($post['dhcp_dns']))
- $input_errors[] = 'It makes no sense to unselect push reset and configure DHCP options';
- elseif (!empty($post['dhcp_wins']))
- $input_errors[] = 'It makes no sense to unselect push reset and configure DHCP options';
- elseif (!empty($post['dhcp_nbdd']))
- $input_errors[] = 'It makes no sense to unselect push reset and configure DHCP options';
- elseif (!empty($post['dhcp_ntp']))
- $input_errors[] = 'It makes no sense to unselect push reset and configure DHCP options';
- elseif ($post['dhcp_nbttype'])
- $input_errors[] = 'It makes no sense to unselect push reset and configure DHCP options';
- elseif (!empty($post['dhcp_nbtscope']))
- $input_errors[] = 'It makes no sense to unselect push reset and configure DHCP options';
- elseif ($post['dhcp_nbtdisable'])
- $input_errors[] = 'It makes no sense to unselect push reset and configure DHCP options';
-
- } else {
-
- if (!empty($post['dhcp_dns'])) {
- $servers = explode(';', $post['dhcp_dns']);
- foreach ($servers as $server) if (!is_ipaddr($server))
- {$input_errors[] = 'The field \'DHCP Option: DNS Server\' must contain a valid IP address and no whitespaces.';
- break;}}
- if (!empty($post['dhcp_wins'])) {
- $servers = explode(';', $post['dhcp_wins']);
- foreach ($servers as $server) if (!is_ipaddr($server))
- {$input_errors[] = 'The field \'DHCP Option: WINS Server\' must contain a valid IP address and no whitespaces.';
- break;}}
- if (!empty($post['dhcp_nbdd'])) {
- $servers = explode(';', $post['dhcp_nbdd']);
- foreach ($servers as $server) if (!is_ipaddr($server))
- {$input_errors[] = 'The field \'DHCP Option: NBDD Server\' must contain a valid IP address and no whitespaces.';
- break;}}
- if (!empty($post['dhcp_ntp'])) {
- $servers = explode(';', $post['dhcp_ntp']);
- foreach ($servers as $server) if (!is_ipaddr($server))
- {$input_errors[] = 'The field \'DHCP Option: NTP Server\' must contain a valid IP address and no whitespaces.';
- break;}}
-
-}}
-
-// Create server PKI certificate if it is not present on system
-function openvpn_server_create_cert($mode, $id) {
- if($mode == "client")
- return;
- global $g, $config;
- $settings = $config['installedpackages']["openvpn$mode"]['config'][$id];
- $interface = $settings['interface'];
- if(!$interface)
- $interface = "WAN";
- $serveruniq = $interface . $settings['local_port'] . $settings['protocol'];
- log_error("Creating server certificate for {$settings['description']}.");
- $caname = $settings['cipherpki'];
- foreach($config['openvpn']['keys'] as $ca => $ca2) {
- if($ca == $caname)
- $cakeysize = $ca2['keysize'];
- }
- $ovpncapath = $g['varetc_path']."/openvpn/certificates";
- $easyrsapath = $g['easyrsapath'];
- config_lock();
- $fd = fopen($ovpncapath . "/RUNME_2ND", "w");
- fwrite($fd, "#!/bin/tcsh\n");
- fwrite($fd, "cd $ovpncapath \n");
- fwrite($fd, "source $ovpncapath/$caname/vars \n");
- fwrite($fd, "$easyrsapath/pkitool --batch --server {$serveruniq} \n");
- fwrite($fd, "openssl dhparam -out $ovpncapath/$caname/dh_params.dh $cakeysize \n");
- fclose($fd);
- system("/bin/chmod a+rx $ovpncapath/RUNME_2ND");
- mwexec("/bin/tcsh $ovpncapath/RUNME_2ND");
- $config['installedpackages']["openvpn$mode"]['config'][$id]['server.key'] = file_get_contents("$ovpncapath/$caname/server.key");
- $config['installedpackages']["openvpn$mode"]['config'][$id]['server.crt'] = file_get_contents("$ovpncapath/$caname/server.crt");
- $config['installedpackages']["openvpn$mode"]['config'][$id]['dh_params.dh'] = file_get_contents("$ovpncapath/$caname/dh_params.dh");
- config_unlock();
- write_config();
- log_error("Server certificate for {$settings['description']} created.");
+ $fpath = $g['varetc_path']."/openvpn/{$mode_id}.{$directive}";
+ file_put_contents($fpath, base64_decode($data));
+ chown($fpath, 'nobody');
+ chgrp($fpath, 'nobody');
+
+ $conf .= "{$directive} {$fpath}\n";
}
-// Rewrite the settings
function openvpn_reconfigure($mode, $id) {
global $g, $config;
- $settings = $config['installedpackages']["openvpn$mode"]['config'][$id];
-
+ $settings = $config['openvpn']["openvpn-$mode"][$id];
+
if (empty($settings))
return;
if ($settings['disable'])
return;
- /* create cert if needed */
- if(!$settings['server.key'] and $mode == "server")
- openvpn_server_create_cert($mode, $id);
-
- $lport = 1194 + $id;
-
/*
- * NOTE: if you change the name of the interfaces here than
- * be sure to change it even on the openvpn command parameters at
- * openvpn_restart() function.
+ * NOTE: Deleting tap devices causes spontaneous reboots. Instead,
+ * we use a vpnid number which is allocated for a particular client
+ * or server configuration. ( see openvpn_vpnid_next() )
*/
- if ($mode == "client")
- $ovpndevice = "ovpnc{$id}";
- else
- $ovpndevice = "ovpn{$id}";
+ $vpnid = $settings['vpnid'];
+ $mode_id = $mode.$vpnid;
+ $tunname = "tun{$vpnid}";
- if (!$g['booting'])
- mwexec("/sbin/ifconfig {$ovpndevice} destroy");
+ if ($mode == "server")
+ $devname = "ovpns{$vpnid}";
+ else
+ $devname = "ovpnc{$vpnid}";
- $tunname = exec("/sbin/ifconfig tun create");
- mwexec("/sbin/ifconfig {$tunname} name {$ovpndevice}");
- mwexec("/sbin/ifconfig {$ovpndevice} group openvpn");
+ if (!file_exists("/dev/{$tunname}"))
+ $tunname = exec("/sbin/ifconfig {$tunname} create");
- $pidfile = $g['varrun_path'] . "/openvpn_{$mode}{$id}.pid";
+ mwexec("/sbin/ifconfig {$tunname} name {$devname}");
+ mwexec("/sbin/ifconfig {$devname} group openvpn");
+
+ $pidfile = $g['varrun_path'] . "/openvpn_{$mode_id}.pid";
$proto = ($settings['protocol'] == 'UDP' ? 'udp' : "tcp-{$mode}");
$cipher = $settings['crypto'];
- $openvpn_conf .= <<<EOD
-dev {$ovpndevice}
+
+ $interface = $settings['interface'];
+ if (!$interface)
+ $interface = 'WAN';
+
+ $iface = convert_friendly_interface_to_real_interface_name($interface);
+ $lines = explode(' ', trim(shell_exec("ifconfig $iface | grep inet | grep -v inet6")));
+ $iface_ip = $lines[1];
+
+$conf .= <<<EOD
+dev {$devname}
dev-type tun
dev-node /dev/{$tunname}
writepid $pidfile
@@ -395,347 +237,216 @@ proto $proto
cipher $cipher
up /etc/rc.filter_configure
down /etc/rc.filter_configure
+local {$iface_ip}
EOD;
- // Mode-specific stuff
+ // Mode specific stuff
+
if ($mode == 'server') {
- list($ip, $mask) = explode('/', $settings['addresspool']);
+
+ list($ip, $mask) = explode('/', $settings['tunnel_network']);
$mask = gen_subnet_mask($mask);
// Using a shared key or not dynamically assigning IPs to the clients
- if (($settings['auth_method'] == 'shared_key') || ($settings['nopool'] == 'on')) {
- if ($settings['auth_method'] == 'pki') $openvpn_conf .= "tls-server\n";
+ if (($settings['auth_method'] == 'shared_key') || (!$settings['pool_enable'] == 'on')) {
+
+ if ($settings['auth_method'] == 'pki')
+ $conf .= "tls-server\n";
$baselong = ip2long($ip) & ip2long($mask);
$ip1 = long2ip($baselong + 1);
$ip2 = long2ip($baselong + 2);
- $openvpn_conf .= "ifconfig $ip1 $ip2\n";
+ $conf .= "ifconfig $ip1 $ip2\n";
}
// Using a PKI
else if ($settings['auth_method'] == 'pki') {
- if ($settings['client2client']) $openvpn_conf .= "client-to-client\n";
- $openvpn_conf .= "server $ip $mask\n";
+
+ if ($settings['client2client'])
+ $conf .= "client-to-client\n";
+
+ $conf .= "server $ip $mask\n";
$csc_dir = "{$g['varetc_path']}/openvpn_csc";
- $openvpn_conf .= "client-config-dir $csc_dir\n";
+ $conf .= "client-config-dir $csc_dir\n";
}
// We can push routes
if (!empty($settings['local_network'])) {
+
list($ip, $mask) = explode('/', $settings['local_network']);
$mask = gen_subnet_mask($mask);
- $openvpn_conf .= "push \"route $ip $mask\"\n";
+ $conf .= "push \"route $ip $mask\"\n";
}
- if ($settings['bind_to_iface'] == 'on') {
- $iface = $settings['interface'];
- $iface = convert_friendly_interface_to_real_interface_name($iface);
- $line = trim(shell_exec("ifconfig $iface | grep inet | grep -v inet6"));
- list($dummy, $ip, $dummy2, $dummy3) = explode(' ', $line);
-
- $openvpn_conf .= "local {$ip}\n";
- }
-
// The port we'll listen at
- $openvpn_conf .= "lport {$settings['local_port']}\n";
-
- // DHCP-Options
- if (!empty($settings['dhcp_domainname']))
- $openvpn_conf .= "push \"dhcp-option DOMAIN {$settings['dhcp_domainname']}\"\n";
-
- if (!empty($settings['dhcp_dns'])) {
- $servers = explode(';', $settings['dhcp_dns']);
- if (is_array($servers)) {
- foreach ($servers as $server) $openvpn_conf .= "push \"dhcp-option DNS {$server}\"\n";
- } else {
- $openvpn_conf .= "push \"dhcp-option DNS {$settings['dhcp_dns']}\"\n";
- }
- }
-
- if (!empty($settings['dhcp_wins'])) {
- $servers = explode(';', $settings['dhcp_wins']);
- if (is_array($servers)) {
- foreach ($servers as $server) $openvpn_conf .= "push \"dhcp-option WINS {$server}\"\n";
- } else {
- $openvpn_conf .= "push \"dhcp-option WINS {$settings['dhcp_wins']}\"\n";
- }
- }
-
- if (!empty($settings['dhcp_nbdd'])) {
- $servers = explode(';', $settings['dhcp_nbdd']);
- if (is_array($servers)) {
- foreach ($servers as $server) $openvpn_conf .= "push \"dhcp-option NBDD {$server}\"\n";
- } else {
- $openvpn_conf .= "push \"dhcp-option NBDD {$settings['dhcp_nbdd']}\"\n";
- }
- }
-
- if (!empty($settings['dhcp_ntp'])) {
- $servers = explode(';', $settings['dhcp_ntp']);
- if (is_array($servers)) {
- foreach ($servers as $server) $openvpn_conf .= "push \"dhcp-option NTP {$server}\"\n";
- } else {
- $openvpn_conf .= "push \"dhcp-option NTP {$settings['dhcp_ntp']}\"\n";
- }
- }
-
- if (!empty($settings['dhcp_nbttype']) && $settings['dhcp_nbttype'] !=0)
- $openvpn_conf .= "push \"dhcp-option NBT {$settings['dhcp_nbttype']}\"\n";
- if (!empty($settings['dhcp_nbtscope']))
- $openvpn_conf .= "push \"dhcp-option NBS {$settings['dhcp_nbtscope']}\"\n";
- if ($settings['dhcp_nbtdisable'])
- $openvpn_conf .= "push \"dhcp-option DISABLE-NBT\"\n";
+ $conf .= "lport {$settings['local_port']}\n";
- if (!empty($settings['tls']))
- $openvpn_conf .= "tls-auth {$g['varetc_path']}/openvpn_server{$id}.tls 0\n";
if (!empty($settings['maxclients']))
- $openvpn_conf .= "max-clients {$settings['maxclients']}\n";
- if ($settings['gwredir'])
- $openvpn_conf .= "push \"redirect-gateway def1\"\n";
- } else { // $mode == client
+ $conf .= "max-clients {$settings['maxclients']}\n";
+
+ openvpn_add_dhcpopts($settings, $conf);
+ }
+
+ if ($mode == 'client') {
+
// The remote server
- $openvpn_conf .= "remote {$settings['serveraddr']} {$settings['serverport']}\n";
+ $conf .= "remote {$settings['server_addr']} {$settings['server_port']}\n";
+
+ if ($settings['auth_method'] == 'pki')
+ $conf .= "client\n";
+
+ // FIXME : This should be a gui option
+ // The port we'll listen at
+ if ($settings['local_port'])
+ $conf .= "lport {$settings['local_port']}\n";
+ else
+ $conf .= "nobind\n";
- if ($settings['auth_method'] == 'pki') $openvpn_conf .= "client\n";
- if ($settings['use_dynamicport']) $openvpn_conf .= "nobind\n";
- else
- // The port we'll listen at
- $openvpn_conf .= "lport {$lport}\n";
+ if (!empty($settings['use_shaper']))
+ $conf .= "shaper {$settings['use_shaper']}\n";
- if (!empty($settings['use_shaper'])) $openvpn_conf .= "shaper {$settings['use_shaper']}\n";
+ if (!empty($settings['tunnel_network'])) {
- if (!empty($settings['interface_ip'])) {
// Configure the IPs according to the address pool
- list($ip, $mask) = explode('/', $settings['interface_ip']);
+ list($ip, $mask) = explode('/', $settings['tunnel_network']);
$mask = gen_subnet_mask($mask);
$baselong = ip2long($ip) & ip2long($mask);
$ip1 = long2ip($baselong + 1);
$ip2 = long2ip($baselong + 2);
- $openvpn_conf .= "ifconfig $ip2 $ip1\n";
+ $conf .= "ifconfig $ip2 $ip1\n";
}
- if (isset($settings['proxy_hostname']) && $settings['proxy_hostname'] != "") {
+
+ if ($settings['proxy_addr']) {
/* ;http-proxy-retry # retry on connection failures */
- $openvpn_conf .= "http-proxy {$settings['proxy_hostname']} {$settings['proxy_port']}\n";
+ $conf .= "http-proxy {$settings['proxy_addr']} {$settings['proxy_port']}\n";
}
-
- if (!empty($settings['tls'])) $openvpn_conf .= "tls-auth {$g['varetc_path']}/openvpn_client{$id}.tls 1\n";
-
}
// Add the routes if they're set
if (!empty($settings['remote_network'])) {
list($ip, $mask) = explode('/', $settings['remote_network']);
$mask = gen_subnet_mask($mask);
- $openvpn_conf .= "route $ip $mask\n";
+ $conf .= "route $ip $mask\n";
}
- // Write the settings for the keys
- // Set the keys up
- $base_file = $g['varetc_path'] . "/openvpn/certificates/";
- $keys = array();
- if ($settings['auth_method'] == 'shared_key')
- $keys[] = array('field' => 'shared.key', 'ext' => 'secret', 'directive' => 'secret');
- else {
- $interface = $settings['interface'];
- if(!$interface)
- $interface = "WAN";
- $serveruniq = $interface . $settings['local_port'] . $settings['protocol'];
- $keys[] = array('field' => 'ca.crt', 'directive' => 'ca');
- $keys[] = array('field' => "{$serveruniq}.crt", 'directive' => 'cert');
- $keys[] = array('field' => "{$serveruniq}.key", 'directive' => 'key');
- if ($mode == 'server')
- $keys[] = array('field' => 'dh_params.dh', 'directive' => 'dh');
- if ($settings['crl'])
- $keys[] = array('field' => 'crl.crl', 'directive' => 'crl-verify');
- }
-
- foreach ($keys as $key) {
- if ($mode == "server") {
- if ($settings['auth_method'] == 'pki' && isset($settings['cipherpki']) &&
- $settings['cipherpki'] != "none")
- $openvpn_conf .= $key['directive'] . " " . $base_file . $settings['cipherpki'] .
- "/".$key['field']."\n";
- else if ($settings['auth_method'] == 'pki' && isset($settings['cipherpki']) &&
- $settings['cipherpki'] != "none")
- $openvpn_conf .= $key['directive'] . " " . $base_file . $settings['cipherpki'] .
- "/".$key['field']."\n";
- } else {
- $filename = $g['varetc_path']."/openvpn_{$mode}{$id}." . $key['field'];
- file_put_contents($filename, base64_decode($settings[$key['field']]));
- chown($filename, 'nobody');
- chgrp($filename, 'nobody');
- $openvpn_conf .= $key['directive'] . " $filename \n";
- }
- }
-
- if ($settings['use_lzo']) $openvpn_conf .= "comp-lzo\n";
-
- if ($settings['passtos']) $openvpn_conf .= "passtos\n";
-
- if ($settings['infiniteresolvretry']) $openvpn_conf .= "resolv-retry infinite\n";
-
- if ($settings['dynamic_ip']) {
- $openvpn_conf .= "persist-remote-ip\n";
- $openvpn_conf .= "float\n";
+ // Write the settings for the keys
+ if ($settings['auth_method'] == 'shared_key')
+ openvpn_add_keyfile($settings['shared_key'], $conf, $mode_id, "secret");
+
+ if ($settings['auth_method'] == 'pki') {
+
+ $ca = lookup_ca($settings['caref']);
+ $cert = lookup_cert($settings['certref']);
+
+ openvpn_add_keyfile($ca['crt'], $conf, $mode_id, "ca");
+ openvpn_add_keyfile($cert['crt'], $conf, $mode_id, "cert");
+ openvpn_add_keyfile($cert['prv'], $conf, $mode_id, "key");
+
+ if ($mode == 'server')
+ openvpn_add_keyfile($settings['dh_params'], $conf, $mode_id, "dh");
+ if ($settings['crl'])
+ openvpn_add_keyfile($settings['crl'], $conf, $mode_id, "crl-verify");
+ if ($settings['tls'])
+ openvpn_add_keyfile($settings['tls'], $conf, $mode_id, "tls-auth");
}
- if (!empty($settings['custom_options'])) {
- $options = explode(';', $settings['custom_options']);
- if (is_array($options)) {
- foreach ($options as $option)
- $openvpn_conf .= "$option\n";
- }
- else {
- $openvpn_conf .= "{$settings['custom_options']}\n";
- }
+ if ($settings['compress'])
+ $conf .= "comp-lzo\n";
+
+ if ($settings['passtos'])
+ $conf .= "passtos\n";
+
+ if ($settings['resolve_retry'])
+ $conf .= "resolv-retry infinite\n";
+
+ if ($settings['dynamic_ip']) {
+ $conf .= "persist-remote-ip\n";
+ $conf .= "float\n";
}
- file_put_contents($g['varetc_path'] . "/openvpn_{$mode}{$id}.conf", $openvpn_conf);
+ openvpn_add_custom($settings, $conf);
+
+ $fpath = $g['varetc_path']."/openvpn/{$mode_id}.conf";
+ file_put_contents($fpath, $conf);
+ chown($fpath, 'nobody');
+ chgrp($fpath, 'nobody');
+}
+
+function openvpn_restart($mode, $id) {
+ global $g, $config;
+
+ $settings = $config['openvpn']["openvpn-$mode"][$id];
+ $vpnid = $settings['vpnid'];
+ $mode_id = $mode.$vpnid;
+
+ $pidfile = $g['varrun_path']."/openvpn_{$mode_id}.pid";
+ killbypid($pidfile);
+ sleep(2);
+
+ if ($settings['disable'])
+ return;
+
+ $fpath = $g['varetc_path']."/openvpn/{$mode_id}.conf";
+ mwexec_bg("nohup openvpn --config {$fpath}");
+ touch("{$g['tmp_path']}/filter_dirty");
}
+function openvpn_delete($mode, $id) {
+ global $g, $config;
+
+ $settings = $config['openvpn']["openvpn-$mode"][$id];
+ $vpnid = $settings['vpnid'];
+ $mode_id = $mode.$vpnid;
+
+ $ps = $g['varetc_path']."/openvpn_{$mode_id}.conf";
+ $ps_id = `ps awux | grep $ps | awk '{ print \$2 }'`;
+ killbypid($ps_id);
+}
function openvpn_resync_csc($id) {
global $g, $config;
- $settings = $config['installedpackages']['openvpncsc']['config'][$id];
+ $settings = $config['openvpn']['openvpn-csc'][$id];
+ $fpath = $g['varetc_path']."/openvpn_csc/".$settings['common_name'];
- if ($settings['disable'] == 'on') {
- $filename = "{$g['varetc_path']}/openvpn_csc/{$settings['commonname']}";
- unlink_if_exists($filename);
+ if ($settings['disable']) {
+ unlink_if_exists($fpath);
return;
}
-
+
$conf = '';
- if ($settings['block'] == 'on') $conf .= "disable\n";
- if ($settings['push_reset'] == 'on') $conf .= "push-reset\n";
- if (!empty($settings['ifconfig_push'])) {
- list($ip, $mask) = explode('/', $settings['ifconfig_push']);
+ if ($settings['block'])
+ $conf .= "disable\n";
+
+ if ($settings['push_reset'])
+ $conf .= "push-reset\n";
+
+ if (!empty($settings['tunnel_network'])) {
+ list($ip, $mask) = explode('/', $settings['tunnel_network']);
$baselong = ip2long($ip) & gen_subnet_mask_long($mask);
- $conf .= 'ifconfig-push ' . long2ip($baselong + 1) . ' ' . long2ip($baselong + 2) . "\n";
+ $ip1 = long2ip($baselong + 1);
+ $ip2 = long2ip($baselong + 2);
+ $conf .= "ifconfig-push {$ip1} {$ip2}\n";
}
-// DHCP-Options
- if (!empty($settings['dhcp_domainname'])) $conf .= "push \"dhcp-option DOMAIN {$settings['dhcp_domainname']}\"\n";
-
- if (!empty($settings['dhcp_dns'])) {
- $servers = explode(';', $settings['dhcp_dns']);
- if (is_array($servers)) {
- foreach ($servers as $server) $conf .= "push \"dhcp-option DNS {$server}\"\n";
- }
- else {
- $conf .= "push \"dhcp-option DNS {$settings['dhcp_dns']}\"\n";
- }
- }
-
- if (!empty($settings['dhcp_wins'])) {
- $servers = explode(';', $settings['dhcp_wins']);
- if (is_array($servers)) {
- foreach ($servers as $server) $conf .= "push \"dhcp-option WINS {$server}\"\n";
- }
- else {
- $conf .= "push \"dhcp-option WINS {$settings['dhcp_wins']}\"\n";
- }
- }
-
- if (!empty($settings['dhcp_nbdd'])) {
- $servers = explode(';', $settings['dhcp_nbdd']);
- if (is_array($servers)) {
- foreach ($servers as $server) $conf .= "push \"dhcp-option NBDD {$server}\"\n";
- }
- else {
- $conf .= "push \"dhcp-option NBDD {$settings['dhcp_nbdd']}\"\n";
- }
- }
-
- if (!empty($settings['dhcp_ntp'])) {
- $servers = explode(';', $settings['dhcp_ntp']);
- if (is_array($servers)) {
- foreach ($servers as $server) $conf .= "push \"dhcp-option NTP {$server}\"\n";
- }
- else {
- $conf .= "push \"dhcp-option NTP {$settings['dhcp_ntp']}\"\n";
- }
- }
-
- if (!empty($settings['dhcp_nbttype']) && $settings['dhcp_nbttype'] !=0) $conf .= "push \"dhcp-option NBT {$settings['dhcp_nbttype']}\"\n";
- if (!empty($settings['dhcp_nbtscope'])) $conf .= "push \"dhcp-option NBS {$settings['dhcp_nbtscope']}\"\n";
- if ($settings['dhcp_nbtdisable']) $conf .= "push \"dhcp-option DISABLE-NBT\"\n";
- if ($settings['gwredir']) $conf .= "push \"redirect-gateway def1\"\n";
-
- if (!empty($settings['custom_options'])) {
- $options = explode(';', $settings['custom_options']);
- if (is_array($options)) {
- foreach ($options as $option)
- $conf .= "$option\n";
- }
- else {
- $conf .= "{$settings['custom_options']}\n";
- }
- }
+ openvpn_add_dhcpopts($settings, $conf);
- $filename = "{$g['varetc_path']}/openvpn_csc/{$settings['commonname']}";
- file_put_contents($filename, $conf);
- chown($filename, 'nobody');
- chgrp($filename, 'nogroup');
+ if ($settings['gwredir'])
+ $conf .= "push \"redirect-gateway def1\"\n";
-}
+ openvpn_add_custom($settings, $conf);
+ file_put_contents($fpath, $conf);
+ chown($fpath, 'nobody');
+ chgrp($fpath, 'nobody');
+}
-function openvpn_restart($mode, $id) {
+function openvpn_delete_csc($id) {
global $g, $config;
- $pidfile = $g['varrun_path'] . "/openvpn_{$mode}{$id}.pid";
- killbypid($pidfile);
- sleep(2);
-
- $settings = $config['installedpackages']["openvpn$mode"]['config'][$id];
- if ($settings['disable']) return;
-
- $configfile = $g['varetc_path'] . "/openvpn_{$mode}{$id}.conf";
- mwexec_bg("nohup openvpn --config $configfile");// --dev-type tun --dev-node /dev/tun{$id}");
- touch("{$g['tmp_path']}/filter_dirty");
-}
-
-//Make ciphers ready for openvpn
-function openvpn_restore_all_ciphers() {
- global $config, $g;
-
- $ovpncapath = $g['varetc_path']."/openvpn/certificates";
-
- if (is_array($config['openvpn']['keys']) && count($config['openvpn']['keys'])) {
- if (!is_dir($g['varetc_path']."/openvpn"))
- safe_mkdir($g['varetc_path']."/openvpn");
- if (!is_dir($ovpncapath))
- safe_mkdir($ovpncapath);
-
- /* XXX: hardcoded path; worth making it a global?! */
- mwexec("cp -r /usr/local/share/openvpn/certificates ".$g['varetc_path']."/openvpn/");
- if (!is_dir($ovpncapath)) {
- log_error("Failed to create environment for creating certificates. ");
- } else {
-
- foreach ($config['openvpn']['keys'] as $caname => $ciphers) {
- if (!is_dir("$ovpncapath/$caname"))
- safe_mkdir("$ovpncapath/$caname");
-
- $cfg = "";
- /* NOTE: vars; Do we need them restored?! */
- $cfg .= "setenv KEY_SIZE " .$ciphers['keysize'] ."\n";
- $cfg .= "setenv KEY_EXPIRE ".$ciphers['keyexpire'] ."\n";
- $cfg .= "setenv CA_EXPIRE " .$ciphers['caexpire'] . "\n";
- $cfg .= "setenv KEY_COUNTRY " .$ciphers['keycountry'] ."\n";
- $cfg .= "setenv KEY_RPOVINCE " .$ciphers['keyprovince'] . "\n";
- $cfg .= "setenv KEY_CITY " .$ciphers['keycity'] . "\n";
- $cfg .= "setenv KEY_ORG " .$ciphers['keyorg'] . "\n";
- $cfg .= "setenv KEY_EMAIL " .$ciphers['keyemail'] . "\n";
- file_put_contents("$ovpncapath/$caname/vars", $cfg);
- /* put ciphers back in their files */
- foreach ($ciphers as $filename => $value) {
- file_put_contents("$ovpncapath/$caname/$filename", $value);
- }
- }
- }
- }
+ $settings = $config['openvpn']['openvpn-csc'][$id];
+ $fpath = $g['varetc_path']."/openvpn_csc/".$settings['common_name'];
+ unlink_if_exists($fpath);
}
// Resync the configuration and restart the VPN
@@ -744,94 +455,39 @@ function openvpn_resync($mode, $id) {
openvpn_restart($mode, $id);
}
-function openvpn_create_cscdir() {
- global $g;
-
- $csc_dir = "{$g['varetc_path']}/openvpn_csc";
- if (is_dir($csc_dir))
- rmdir_recursive($csc_dir);
- make_dirs($csc_dir);
- chown($csc_dir, 'nobody');
- chgrp($csc_dir, 'nobody');
-}
-
// Resync and restart all VPNs
function openvpn_resync_all() {
- global $config;
- $ovpncapath = $g['varetc_path']."/openvpn/certificates";
+ global $g, $config;
- openvpn_restore_all_ciphers();
+ $path_ovpn = $g['varetc_path']."/openvpn";
+ safe_mkdir($path_ovpn);
- foreach (array('server', 'client') as $mode) {
- if ($config['installedpackages']["openvpn$mode"]) {
- $cfgp =& $config['installedpackages']["openvpn$mode"];
- if (is_array($cfgp['config']) && count($cfgp['config'])) {
- foreach ($cfgp['config'] as $id => $settings)
- openvpn_resync($mode, $id);
- }
- }
- }
-
- openvpn_create_cscdir();
- if ($config['installedpackages']['openvpncsc']) {
- $cfgp =& $config['installedpackages']['openvpncsc'];
- if (is_array($cfgp['config']) && count($cfgp['config'])) {
- foreach ($cfgp['config'] as $id => $csc)
- openvpn_resync_csc($id);
- }
- }
-
- /* give speedy machines time to settle */
- sleep(5);
+ chown($path_ovpn, 'nobody');
+ chgrp($path_ovpn, 'nobody');
- /* reload the filter policy */
- filter_configure();
+ $path_csc = $g['varetc_path']."/openvpn_csc";
+ safe_mkdir($path_csc);
-}
+ chown($path_csc, 'nobody');
+ chgrp($path_csc, 'nobody');
-function openvpn_print_javascript($mode) {
- $javascript = <<<EOD
-<script language="JavaScript">
-//<!--
-function onAuthMethodChanged() {
- var method = document.iform.auth_method;
- var endis = (method.options[method.selectedIndex].value == 'shared_key');
-
- if ('$mode' == 'server') {
- document.iform.nopool.disabled = endis;
- document.iform.local_network.disabled = endis;
- document.iform.client2client.disabled = endis;
- document.iform.maxclients.disabled = endis;
- document.iform.cipher.disabled = !endis;
- document.iform.cipherpki.disabled = endis;
- }
- else { // Client mode
- document.iform.remote_network.disabled = !endis;;
- document.iform['shared.key'].disabled = !endis;
- document.iform['ca.crt'].disabled = endis;
- document.iform["{$mode}.crt"].disabled = endis;
- document.iform["{$mode}.key"].disabled = endis;
- document.iform.tls.disabled = endis;
- }
-}
-//-->
-</script>
+ if (is_array($config['openvpn']['openvpn-server']))
+ foreach ($config['openvpn']['openvpn-server'] as $id => & $settings)
+ openvpn_resync('server', $id);
-EOD;
- print($javascript);
-}
+ if (is_array($config['openvpn']['openvpn-client']))
+ foreach ($config['openvpn']['openvpn-client'] as $id => & $settings)
+ openvpn_resync('client', $id);
+ if (is_array($config['openvpn']['openvpn-csc']))
+ foreach ($config['openvpn']['openvpn-csc'] as $id => & $settings)
+ openvpn_resync_csc($id);
-function openvpn_print_javascript2() {
- $javascript = <<<EOD
-<script language="JavaScript">
-//<!--
- onAuthMethodChanged();
-//-->
-</script>
+ /* give speedy machines time to settle */
+ sleep(5);
-EOD;
- print($javascript);
+ /* reload the filter policy */
+ filter_configure();
}
?>
OpenPOWER on IntegriCloud