Diffstat (limited to 'etc/inc')
-rw-r--r--etc/inc/config.inc227
-rw-r--r--etc/inc/filter.inc79
-rw-r--r--etc/inc/globals.inc2
-rw-r--r--etc/inc/ipsec.inc23
-rw-r--r--etc/inc/openvpn.inc914
-rw-r--r--etc/inc/xmlparse.inc3
6 files changed, 564 insertions, 684 deletions
diff --git a/etc/inc/config.inc b/etc/inc/config.inc
index d49fa01..006af13 100644
--- a/etc/inc/config.inc
+++ b/etc/inc/config.inc
@@ -1178,6 +1178,8 @@ function convert_config() {
$config['version'] = "4.3";
}
+if(0):
+
/* Convert 4.3 -> 4.4 */
if ($config['version'] <= 4.3) {
if (isset($config['installedpackages']['openvpnserver']['config'])) {
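Review bot: The added `if(0):` turns the whole 4.3->4.4 OpenVPN package conversion into dead code without saying why, which will confuse the next person who has to reason about which config versions still get migrated. If the intent is that the new 5.1->5.2 step now performs the `installedpackages` OpenVPN migration, replace the `if(0):` with a comment such as `/* 4.3->4.4 OpenVPN package conversion removed: superseded by the 5.1->5.2 migration below */` and delete the disabled block instead of keeping it. The matching `endif;` lives in the next hunk, and the enclosing convert_config() body runs well past this hunk.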
@@ -1224,14 +1226,16 @@ function convert_config() {
$config['version'] = "4.4";
}
- /* Convert 4.4 -> 4.5 */
- if ($config['version'] <= 4.4) {
- if (is_array($config['vlans']['vlan']) && count($config['vlans']['vlan'])) {
- foreach ($config['vlans']['vlan'] as $id => $vlan)
- $config['vlans']['vlan'][$id]['vlanif'] = "vlan{$id}";
- }
- $config['version'] = "4.5";
- }
+endif;
+
+ /* Convert 4.4 -> 4.5 */
+ if ($config['version'] <= 4.4) {
+ if (is_array($config['vlans']['vlan']) && count($config['vlans']['vlan'])) {
+ foreach ($config['vlans']['vlan'] as $id => $vlan)
+ $config['vlans']['vlan'][$id]['vlanif'] = "vlan{$id}";
+ }
+ $config['version'] = "4.5";
+ }
/* Upgrade load balancer from slb to relayd */
/* Convert 4.5 -> 4.6 */
@@ -1652,18 +1656,18 @@ function convert_config() {
$config['version'] = "5.0";
}
- /* Convert 5.0 -> 5.1 */
- if ($config['version'] <= 5.1) {
+ /* Convert 5.0 -> 5.1 */
+ if ($config['version'] <= 5.1) {
$pconfig = array();
$pconfig['desc'] = "Set to 0 to disable filtering on the incoming and outgoing member interfaces.";
$pconfig['tunable'] = "net.link.bridge.pfil_member";
$pconfig['value'] = "1";
$config['sysctl']['item'][] = $pconfig;
$pconfig = array();
- $pconfig['desc'] = "Set to 1 to enable filtering on the bridge interface";
- $pconfig['tunable'] = "net.link.bridge.pfil_bridge";
- $pconfig['value'] = "0";
- $config['sysctl']['item'][] = $pconfig;
+ $pconfig['desc'] = "Set to 1 to enable filtering on the bridge interface";
+ $pconfig['tunable'] = "net.link.bridge.pfil_bridge";
+ $pconfig['value'] = "0";
+ $config['sysctl']['item'][] = $pconfig;
unset($config['bridge']);
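Review bot: The guard `if ($config['version'] <= 5.1)` on the 5.0->5.1 conversion (only re-indented here) now has a real cost: a config already at 5.1 re-enters this block, appends the two `net.link.bridge.pfil_*` sysctl items a second time and re-runs `unset($config['bridge'])`, and only then reaches the new 5.1->5.2 step. Every other step in this function tests the version it converts from, so this should be `if ($config['version'] <= 5.0)`. The block continues beyond the end of this hunk.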
@@ -1693,6 +1697,201 @@ function convert_config() {
$config['version'] = "5.1";
}
+ /* Convert 5.1 -> 5.2 */
+ if ($config['version'] <= 5.1) {
+
+ $config['openvpn'] = array();
+ if (!is_array($config['system']['ca']))
+ $config['system']['ca'] = array();
+ if (!is_array($config['system']['cert']))
+ $config['system']['cert'] = array();
+
+ $vpnid = 1;
+
+ /* openvpn server configurations */
+ if (is_array($config['installedpackages']['openvpnserver']['config'])) {
+ $config['openvpn']['openvpn-server'] = array();
+
+ $index = 1;
+ foreach($config['installedpackages']['openvpnserver']['config'] as $server) {
+
+ if ($server['auth_method'] == "pki") {
+
+ /* create ca entry */
+ $ca = array();
+ $ca['refid'] = uniqid();
+ $ca['name'] = "OpenVPN Server CA #{$index}";
+ $ca['crt'] = $server['ca_cert'];
+ $ca['crl'] = $server['crl'];
+ $config['system']['ca'][] = $ca;
+
+ /* create ca reference */
+ unset($server['ca_cert']);
+ unset($server['crl']);
+ $server['caref'] = $ca['refid'];
+
+ /* create cert entry */
+ $cert = array();
+ $cert['refid'] = uniqid();
+ $cert['name'] = "OpenVPN Server Certificate #{$index}";
+ $cert['crt'] = $server['server_cert'];
+ $cert['prv'] = $server['server_key'];
+ $config['system']['cert'][] = $cert;
+
+ /* create cert reference */
+ unset($server['server_cert']);
+ unset($server['server_key']);
+ $server['certref'] = $cert['refid'];
+
+ $index++;
+ }
+
+ /* modify configuration values */
+ if (!$server['interface'])
+ $server['interface'] = 'wan';
+ $server['tunnel_network'] = $server['addresspool'];
+ unset($server['addresspool']);
+ $server['compress'] = $server['use_lzo'];
+ unset($server['use_lzo']);
+ if ($server['nopool'])
+ $server['pool_enable'] = false;
+ else
+ $server['pool_enable'] = "yes";
+ unset($server['nopool']);
+ $server['dns_domain'] = $server['dhcp_domainname'];
+ unset($server['dhcp_domainname']);
+ $server['dns_server1'] = $server['dhcp_dns'];
+ unset($server['dhcp_dns']);
+ $server['ntp_server1'] = $server['dhcp_ntp'];
+ unset($server['dhcp_ntp']);
+ if ($server['dhcp_nbtdisable'])
+ $server['netbios_enable'] = false;
+ else
+ $server['netbios_enable'] = "yes";
+ unset($server['dhcp_nbtdisable']);
+ $server['netbios_ntype'] = $server['dhcp_nbttype'];
+ unset($server['dhcp_nbttype']);
+ $server['netbios_scope'] = $server['dhcp_nbtscope'];
+ unset($server['dhcp_nbtscope']);
+ $server['nbdd_server1'] = $server['dhcp_nbdd'];
+ unset($server['dhcp_nbdd']);
+ $server['wins_server1'] = $server['dhcp_wins'];
+ unset($server['dhcp_wins']);
+
+ /* allocate vpnid */
+ $server['vpnid'] = $vpnid++;
+
+ $config['openvpn']['openvpn-server'][] = $server;
+ }
+ unset($config['installedpackages']['openvpnserver']);
+ }
+
+ /* openvpn client configurations */
+ if (is_array($config['installedpackages']['openvpnclient']['config'])) {
+ $config['openvpn']['openvpn-client'] = array();
+
+ $index = 1;
+ foreach($config['installedpackages']['openvpnclient']['config'] as $client) {
+
+ if ($client['auth_method'] == "pki") {
+
+ /* create ca entry */
+ $ca = array();
+ $ca['refid'] = uniqid();
+ $ca['name'] = "OpenVPN Client CA #{$index}";
+ $ca['crt'] = $client['ca_cert'];
+ $ca['crl'] = $client['crl'];
+ $config['system']['ca'][] = $ca;
+
+ /* create ca reference */
+ unset($client['ca_cert']);
+ unset($client['crl']);
+ $client['caref'] = $ca['refid'];
+
+ /* create cert entry */
+ $cert = array();
+ $cert['refid'] = uniqid();
+ $cert['name'] = "OpenVPN Client Certificate #{$index}";
+ $cert['crt'] = $client['client_cert'];
+ $cert['prv'] = $client['client_key'];
+ $config['system']['cert'][] = $cert;
+
+ /* create cert reference */
+ unset($client['client_cert']);
+ unset($client['client_key']);
+ $client['certref'] = $cert['refid'];
+
+ $index++;
+ }
+
+ /* modify configuration values */
+ if (!$client['interface'])
+ $client['interface'] = 'wan';
+ $client['tunnel_network'] = $client['interface_ip'];
+ unset($client['interface_ip']);
+ $client['server_addr'] = $client['serveraddr'];
+ unset($client['serveraddr']);
+ $client['server_port'] = $client['serverport'];
+ unset($client['serverport']);
+ $client['proxy_addr'] = $client['poxy_hostname'];
+ unset($client['proxy_addr']);
+ $client['compress'] = $client['use_lzo'];
+ unset($client['use_lzo']);
+ $client['resolve_retry'] = $client['infiniteresolvretry'];
+ unset($client['infiniteresolvretry']);
+
+ /* allocate vpnid */
+ $client['vpnid'] = $vpnid++;
+
+ $config['openvpn']['openvpn-client'][] = $client;
+ }
+
+ unset($config['installedpackages']['openvpnclient']);
+ }
+
+ /* openvpn client specific configurations */
+ if (is_array($config['installedpackages']['openvpncsc']['config'])) {
+ $config['openvpn']['openvpn-csc'] = array();
+
+ foreach($config['installedpackages']['openvpncsc']['config'] as $csc) {
+
+ /* modify configuration values */
+ $csc['common_name'] = $csc['commonname'];
+ unset($csc['commonname']);
+ $csc['tunnel_network'] = $csc['ifconfig_push'];
+ unset($csc['ifconfig_push']);
+ $csc['dns_domain'] = $csc['dhcp_domainname'];
+ unset($csc['dhcp_domainname']);
+ $csc['dns_server1'] = $csc['dhcp_dns'];
+ unset($csc['dhcp_dns']);
+ $csc['ntp_server1'] = $csc['dhcp_ntp'];
+ unset($csc['dhcp_ntp']);
+ if ($csc['dhcp_nbtdisable'])
+ $csc['netbios_enable'] = false;
+ else
+ $csc['netbios_enable'] = "yes";
+ unset($csc['dhcp_nbtdisable']);
+ $csc['netbios_ntype'] = $csc['dhcp_nbttype'];
+ unset($csc['dhcp_nbttype']);
+ $csc['netbios_scope'] = $csc['dhcp_nbtscope'];
+ unset($csc['dhcp_nbtscope']);
+ $csc['nbdd_server1'] = $csc['dhcp_nbdd'];
+ unset($csc['dhcp_nbdd']);
+ $csc['wins_server1'] = $csc['dhcp_wins'];
+ unset($csc['dhcp_wins']);
+
+ $config['openvpn']['openvpn-csc'][] = $csc;
+ }
+
+ unset($config['installedpackages']['openvpncsc']);
+ }
+
+ $config['installedpackages'] = array();
+ $config['installedpackages']['carp'] = array();
+
+ $config['version'] = "5.2";
+ }
+
$now = date("H:i:s");
log_error("Ended Configuration upgrade at $now");
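Review bot: The client proxy migration is broken: `$client['proxy_addr'] = $client['poxy_hostname'];` reads a misspelled key and the next line `unset($client['proxy_addr']);` removes the value just assigned, so the proxy host is always lost and `proxy_port` is never carried over at all; it should be `$client['proxy_addr'] = $client['proxy_hostname']; unset($client['proxy_hostname']);` plus the same for the port. More seriously, `$config['installedpackages'] = array();` followed by `$config['installedpackages']['carp'] = array();` discards the configuration of every other installed package and empties the CARP list that process_carp_nat_rules() in filter.inc still reads, with no backup or log line — only the three OpenVPN keys (already unset above) should be removed. The PKI branches only move `ca_cert`/`crl` and `server_cert`/`server_key`; the removed openvpn_server_create_cert() in openvpn.inc wrote `server.key`/`server.crt`/`dh_params.dh`, and the removed validation expected `shared.key` and `tls`, so confirm which key names real 5.1 configs carry and that shared-key, TLS-auth and DH material survive the upgrade rather than silently vanishing.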
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index f251159..27cbe7f 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -357,12 +357,11 @@ function get_vpns_list() {
}
/* openvpn */
foreach (array('client', 'server') as $type) {
- $conf =& $config['installedpackages']["openvpn$type"]['config'];
- if (!is_array($conf)) continue;
- foreach ($conf as $tunnel) {
- if(is_subnet($tunnel['remote-subnet'])) {
+ foreach ($config['openvpn']["openvpn-$type"] as & $settings) {
+ if (!is_array($settings))
+ continue;
+ if(is_subnet($settings['remote-subnet']))
$vpns_arr[] = $tunnel['remote_network'];
- }
}
}
/* pppoe */
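Review bot: `$vpns_arr[] = $tunnel['remote_network'];` still references `$tunnel`, which the rewritten loop no longer defines (it iterates as `$settings`), so every OpenVPN remote network is dropped from the list and PHP emits an undefined-variable notice; it should read `$vpns_arr[] = $settings['remote_network'];`. The guard just above tests `$settings['remote-subnet']` (hyphen) while the value appended is `remote_network`, which looks like a second key mismatch carried over from the old code — both should name `remote_network`. Iterating `$config['openvpn']["openvpn-$type"]` by reference without an `is_array()` check also warns on a config that has only servers or only clients, and leaves `$settings` as a dangling reference after the loop. get_vpns_list() starts before this hunk.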
@@ -371,9 +370,8 @@ function get_vpns_list() {
$vpns_arr[] = $config['pppoe']['remoteip'] ."/". $config['pppoe']['pppoe_subnet'];
}
}
- if(!empty($vpns_arr)) {
+ if(!empty($vpns_arr))
$vpns = implode(" ", $vpns_arr);
- }
return $vpns;
}
@@ -474,22 +472,19 @@ function generate_optcfg_array()
}
/* add openvpn interfaces */
- if ($config['installedpackages']["openvpnserver"] ||
- $config['installedpackages']["openvpnclient"]) {
- $ovpn_count = 0;
- if (is_array($config['installedpackages']["openvpnserver"]['config']))
- $ovpn_count += count($config['installedpackages']["openvpnserver"]['config']);
- if (is_array($config['installedpackages']["openvpnclient"]['config']))
- $ovpn_count += count($config['installedpackages']["openvpnclient"]['config']);
-
- if ($ovpn_count) {
+ if ($config['openvpn']['openvpn-server'] || $config['openvpn']['openvpn-client']) {
+
+ $ovpnifs = array( "ovpns1");
+ foreach ($config['openvpn']['openvpn-server'] as & $server)
+ if (!$server['disable'])
+ $ovpnifs[] = "ovpns".$server['vpnid'];
+ foreach ($config['openvpn']['openvpn-client'] as & $client)
+ if (!$client['disable'])
+ $ovpnifs[] = "ovpnc".$client['vpnid'];
+
+ if (count($ovpnifs)) {
$oic = array();
- for ($i = 0; $i < $ovpn_count; $i++) {
- if (!$i)
- $oic['if'] = "ovpn{$i}";
- else
- $oic['if'] .= " ovpn{$i}";
- }
+ $oic['if'] = implode(" ", $ovpnifs);
$oic['descr'] = 'OpenVPN';
$oic['ip'] = "none";
$FilterIflist['openvpn'] = $oic;
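Review bot: `$ovpnifs = array( "ovpns1");` seeds the interface list with a hard-coded name, so `ovpns1` is reported even when no server with vpnid 1 exists or it is disabled, and appears twice when it does; unless that entry is deliberate, start from `$ovpnifs = array();` and let the two loops fill it, which also makes `if (count($ovpnifs))` a meaningful guard. The `foreach (... as & $server)` and `as & $client` loops run without `is_array()` checks and nothing is modified through the reference, so a plain by-value `foreach` inside `if (is_array($config['openvpn']['openvpn-server']))` avoids both the warning on a server-only or client-only config and the dangling `$server`/`$client` references left behind. generate_optcfg_array() starts before and continues after this hunk.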
@@ -748,10 +743,13 @@ function filter_nat_rules_generate()
if ($numberofnathosts > 0):
- if (!empty($config['installedpackages']['openvpnclient']['config']))
- foreach ($config['installedpackages']['openvpnclient']['config'] as $id => $settings)
+ if (!empty($config['openvpn']['openvpn-client'])) {
+ foreach ($config['openvpn']['openvpn-client'] as $settings) {
+ $vpnid = $settings['vpnid'];
if (!empty($settings['remote_network']))
- $natrules .= "nat on ovpnc{$id} from \$tonatsubnets to any -> (ovpnc{$id})\n";
+ $natrules .= "nat on ovpnc{$vpnid} from \$tonatsubnets to any -> (ovpnc{$vpnid})\n";
+ }
+ }
foreach ($FilterIflist as $if => $ifcfg) {
update_filter_reload_status("Creating outbound rules {$if} - ({$ifcfg['descr']})");
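Review bot: The NAT rule is emitted for every client that has a `remote_network`, including ones flagged `disable`, whereas generate_optcfg_array() in this same file skips disabled instances; since openvpn_reconfigure() returns early for disabled entries, the rule would name an `ovpnc{$vpnid}` that was never created. Add the same check here: `if (!empty($settings['remote_network']) && !$settings['disable'])`. filter_nat_rules_generate() begins before and continues after this hunk.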
@@ -2652,22 +2650,25 @@ function process_carp_nat_rules()
$mt = microtime();
echo "process_carp_nat_rules() being called $mt\n";
}
+
$lines = "";
- if($config['installedpackages']['carp']['config'] != "")
- foreach($config['installedpackages']['carp']['config'] as $carp) {
- $ip = $carp['ipaddress'];
- if($ip <> "any") {
- $ipnet = "any";
- } else {
- $int = find_ip_interface($ip);
- $carp_int = find_carp_interface($ip);
- }
- if($int != false and $int != $wan_interface) {
- $ipnet = convert_ip_to_network_format($ip, $carp['netmask']);
- if($int)
- $lines .= "nat on {$int} inet from {$ipnet} to any -> ({$carp_int}) \n";
+
+ if (is_array($config['installedpackages']['carp']['config'])) {
+ foreach($config['installedpackages']['carp']['config'] as $carp) {
+ $ip = $carp['ipaddress'];
+ if($ip <> "any") {
+ $ipnet = "any";
+ } else {
+ $int = find_ip_interface($ip);
+ $carp_int = find_carp_interface($ip);
+ }
+ if($int != false and $int != $wan_interface) {
+ $ipnet = convert_ip_to_network_format($ip, $carp['netmask']);
+ if($int)
+ $lines .= "nat on {$int} inet from {$ipnet} to any -> ({$carp_int}) \n";
+ }
}
- }
+ }
return $lines;
}
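Review bot: The `if($ip <> "any")` test inside this loop is inverted — a real address sets `$ipnet = "any"` and skips the interface lookup, while the literal `"any"` is what gets passed to find_ip_interface() — and `$int`/`$carp_int` are never reset, so a later entry can reuse the previous entry's interface; the commit only wraps the loop in `is_array()`, so both problems carry over. Reset with `$int = $carp_int = false;` at the top of each iteration and flip the test to `if($ip == "any")`. Note also that the 5.1->5.2 upgrade in config.inc resets `$config['installedpackages']['carp']` to an empty array, so after upgrade this function never emits a rule; either this code should read CARP entries from their new location or the upgrade must preserve the old ones.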
diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc
index ab119ec..913d216 100644
--- a/etc/inc/globals.inc
+++ b/etc/inc/globals.inc
@@ -60,7 +60,7 @@ $g = array(
"n_pppoe_units" => 16, /* this value can be overriden in pppoe->n_pppoe_units */
"pppoe_subnet" => 28, /* this value can be overriden in pppoe->pppoe_subnet */
"debug" => false,
- "latest_config" => "5.1",
+ "latest_config" => "5.2",
"nopkg_platforms" => array("cdrom"),
"minimum_ram_warning" => "115",
"minimum_ram_warning_text" => "128 megabytes",
diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc
index 76ea0f8..2328e24 100644
--- a/etc/inc/ipsec.inc
+++ b/etc/inc/ipsec.inc
@@ -88,6 +88,29 @@ $p2_pfskeygroups = array(
'5' => '5');
/*
+ * ikeid management functions
+ */
+
+function ipsec_ikeid_used($ikeid) {
+ global $config;
+
+ foreach ($config['ipsec']['phase1'] as $ph1ent)
+ if( $ikeid == $ph1ent['ikeid'] )
+ return true;
+
+ return false;
+}
+
+function ipsec_ikeid_next() {
+
+ $ikeid = 1;
+ while(ipsec_ikeid_used($ikeid))
+ $ikeid++;
+
+ return $ikeid;
+}
+
+/*
* Return phase1 local address
*/
function ipsec_get_phase1_src(& $ph1ent) {
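Review bot: ipsec_ikeid_used() walks `$config['ipsec']['phase1']` without checking it is an array, so on a config with no phase1 entries the foreach warns on every probe from ipsec_ikeid_next(); add `if (!is_array($config['ipsec']['phase1'])) return false;` before the loop. The loose `$ikeid == $ph1ent['ikeid']` comparison lets a non-numeric or numeric-prefixed string match under PHP's juggling rules; compare `(int)$ph1ent['ikeid'] === (int)$ikeid` instead. A one-line comment on ipsec_ikeid_next() noting that it returns the lowest free id (so ids are reused after deletion) would help callers that persist the value.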
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index cd3f2a0..efea035 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -45,67 +45,65 @@ require_once('config.inc');
require_once('pfsense-utils.inc');
require_once('util.inc');
-// Shutdown running process if needed
-function openvpn_delete($mode, $id) {
- global $g, $config;
-
- $settings = $config['installedpackages']['openvpn$mode']['config'][$id];
- $mode = $settings['mode'];
- $ps = $g['varetc_path'] . "/openvpn_{$mode}{$id}.conf";
- $ps_id = `ps awux | grep $ps | awk '{ print \$2 }'`;
- killbypid($ps_id);
-}
+$openvpn_prots = array( "UDP", "TCP");
-// Return the list of ciphers OpenVPN supports
-function openvpn_get_ciphers($pkg) {
+$openvpn_auth_methods = array(
+ 'pki' => "Public Key Infrastructure",
+ 'shared_key' => "Pre Shared Key");
+
+function openvpn_vpnid_used($vpnid) {
global $config;
- foreach ($pkg['fields']['field'] as $i => $field) {
- if ($field['fieldname'] == 'crypto') {
- $option_array = &$pkg['fields']['field'][$i]['options']['option'];
- $ciphers_out = shell_exec('openvpn --show-ciphers | grep "default key" | awk \'{print $1, "(" $2 "-" $3 ")";}\'');
- $ciphers = explode("\n", trim($ciphers_out));
- sort($ciphers);
- foreach ($ciphers as $cipher) {
- $value = explode(' ', $cipher);
- $value = $value[0];
- $option_array[] = array('value' => $value, 'name' => $cipher);
- }
- }
- if ($field['fieldname'] == 'cipher') {
- if (is_array($config['openvpn']['keys'])) {
- if (count($config['openvpn']['keys']) > 0) {
- $option_array = &$pkg['fields']['field'][$i]['options']['option'];
- foreach ($config['openvpn']['keys'] as $cipher => $type) {
- if ($type['shared.key'])
- $option_array[] = array('value' => $cipher, 'name' => $cipher);
- }
- }
- }
- }
- if ($field['fieldname'] == 'cipherpki') {
- if (is_array($config['openvpn']['keys'])) {
- if (count($config['openvpn']['keys']) > 0) {
- $option_array = &$pkg['fields']['field'][$i]['options']['option'];
- foreach ($config['openvpn']['keys'] as $cipher => $type) {
- if ($type['auth_method'] == 'pki')
- $option_array[] = array('value' => $cipher, 'name' => $type['descr']);
- }
- }
- }
- }
+ if (is_array($config['openvpn']['openvpn-server']))
+ foreach ($config['openvpn']['openvpn-server'] as $id => & $settings)
+ if( $vpnid == $settings['vpnid'] )
+ return true;
+
+ if (is_array($config['openvpn']['openvpn-client']))
+ foreach ($config['openvpn']['openvpn-client'] as $id => & $settings)
+ if( $vpnid == $settings['vpnid'] )
+ return true;
+ return false;
+}
+
+function openvpn_vpnid_next() {
+
+ $vpnid = 1;
+ while(openvpn_vpnid_used($vpnid))
+ $vpnid++;
+
+ return $vpnid;
+}
+
+function openvpn_get_cipherlist() {
+
+ $ciphers = array();
+ $cipher_out = shell_exec('openvpn --show-ciphers | grep "default key" | awk \'{print $1, "(" $2 "-" $3 ")";}\'');
+ $cipher_lines = explode("\n", trim($cipher_out));
+ sort($cipher_lines);
+ foreach ($cipher_lines as $line) {
+ $words = explode(' ', $line);
+ $ciphers[$words[0]] = "{$words[0]} {$words[1]}";
}
+
+ return $ciphers;
+}
+
+function openvpn_validate_host($value, $name) {
+ $value = trim($value);
+ if (empty($value) || !(is_domain($value) && is_ipaddr($value)))
+ return "The field '$name' must contain a valid IP address or domain name.";
+ return false;
}
function openvpn_validate_port($value, $name) {
$value = trim($value);
- if (!empty($value) && !(is_numeric($value) && ($value > 0) && ($value < 65535)))
+ if (empty($value) || !(is_numeric($value) && ($value > 0) && ($value < 65535)))
return "The field '$name' must contain a valid port, ranging from 0 to 65535.";
return false;
}
-
function openvpn_validate_cidr($value, $name) {
$value = trim($value);
if (!empty($value)) {
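Review bot: openvpn_validate_host() rejects every hostname, because `!(is_domain($value) && is_ipaddr($value))` requires the value to be both a domain name and an IP address; the operator must be `||`, i.e. `if (empty($value) || !(is_domain($value) || is_ipaddr($value)))`. openvpn_validate_port() keeps the old off-by-one — `$value < 65535` excludes a valid port while the message promises a range up to 65535 — and `is_numeric()` accepts forms like `"1e3"` that are not valid port syntax, so prefer `ctype_digit((string)$value)` with `<= 65535`. openvpn_get_cipherlist() indexes `$words[1]` without checking that the split produced two fields, so an unexpected line from `openvpn --show-ciphers` yields an undefined-offset notice. openvpn_validate_cidr() continues beyond the end of this hunk.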
@@ -116,271 +114,115 @@ function openvpn_validate_cidr($value, $name) {
return false;
}
+function openvpn_add_dhcpopts(& $settings, & $conf) {
-// Do the input validation
-function openvpn_validate_input($mode, $post, $input_errors) {
- $Mode = ucfirst($mode);
+ if (!empty($settings['dns_domain']))
+ $conf .= "push \"dhcp-option DOMAIN {$settings['dns_domain']}\"\n";
- if ($mode == 'server') {
- if ($result = openvpn_validate_port($post['local_port'], 'Local port'))
- $input_errors[] = $result;
-
- if ($result = openvpn_validate_cidr($post['addresspool'], 'Address pool'))
- $input_errors[] = $result;
-
- if ($result = openvpn_validate_cidr($post['local_network'], 'Local network'))
- $input_errors[] = $result;
-
-/* check for port in use - update of existing entries not possible because $_GET['act'] is not passed from pkg_edit.php :-( mfuchs
- $portinuse = shell_exec('sockstat | grep '.$post['local_port'].' | grep '.strtolower($post['protocol']));
- if (!empty($portinuse))
- $input_errors[] = 'The port '.$post['local_port'].'/'.strtolower($post['protocol']).' is already in use.';
-*/
+ if (!empty($settings['dns_server1']))
+ $conf .= "push \"dhcp-option DNS {$settings['dns_server1']}\"\n";
+ if (!empty($settings['dns_server2']))
+ $conf .= "push \"dhcp-option DNS {$settings['dns_server2']}\"\n";
+ if (!empty($settings['dns_server3']))
+ $conf .= "push \"dhcp-option DNS {$settings['dns_server3']}\"\n";
+ if (!empty($settings['dns_server4']))
+ $conf .= "push \"dhcp-option DNS {$settings['dns_server4']}\"\n";
- if (!empty($post['dhcp_dns'])) {
- $servers = explode(';', $post['dhcp_dns']);
- foreach ($servers as $server) if (!is_ipaddr($server))
- {$input_errors[] = 'The field \'DHCP Option: DNS Server\' must contain a valid IP address and no whitespaces.';
- break;}}
- if (!empty($post['dhcp_wins'])) {
- $servers = explode(';', $post['dhcp_wins']);
- foreach ($servers as $server) if (!is_ipaddr($server))
- {$input_errors[] = 'The field \'DHCP Option: WINS Server\' must contain a valid IP address and no whitespaces.';
- break;}}
- if (!empty($post['dhcp_nbdd'])) {
- $servers = explode(';', $post['dhcp_nbdd']);
- foreach ($servers as $server) if (!is_ipaddr($server))
- {$input_errors[] = 'The field \'DHCP Option: NBDD Server\' must contain a valid IP address and no whitespaces.';
- break;}}
- if (!empty($post['dhcp_ntp'])) {
- $servers = explode(';', $post['dhcp_ntp']);
- foreach ($servers as $server) if (!is_ipaddr($server))
- {$input_errors[] = 'The field \'DHCP Option: NTP Server\' must contain a valid IP address and no whitespaces.';
- break;}}
- if (isset($post['maxclients']) && $post['maxclients'] != "") {
- if (!is_numeric($post['maxclients']))
- $input_errors[] = 'The field \'Maximum clients\' must be numeric.';
- }
+ if (!empty($settings['ntp_server1']))
+ $conf .= "push \"dhcp-option NTP {$settings['dhcp_ntp']}\"\n";
+ if (!empty($settings['ntp_server2']))
+ $conf .= "push \"dhcp-option NTP {$settings['dhcp_ntp']}\"\n";
- }
+ if ($settings['netbios_enable']) {
- else { // Client mode
- if ($result = openvpn_validate_port($post['serverport'], 'Server port'))
- $input_errors[] = $result;
+ if (!empty($settings['dhcp_nbttype']) && ($settings['dhcp_nbttype'] != 0))
+ $conf .= "push \"dhcp-option NBT {$settings['dhcp_nbttype']}\"\n";
+ if (!empty($settings['dhcp_nbtscope']))
+ $conf .= "push \"dhcp-option NBS {$settings['dhcp_nbtscope']}\"\n";
- $server_addr = trim($post['serveraddr']);
- if (!empty($value) && !(is_domain($server_addr) || is_ipaddr($server_addr)))
- $input_errors[] = 'The field \'Server address\' must contain a valid IP address or domain name.';
+ if (!empty($settings['wins_server1']))
+ $conf .= "push \"dhcp-option WINS {$settings['wins_server1']}\"\n";
+ if (!empty($settings['wins_server2']))
+ $conf .= "push \"dhcp-option WINS {$settings['wins_server2']}\"\n";
- if ($result = openvpn_validate_cidr($post['interface_ip'], 'Interface IP'))
- $input_errors[] = $result;
+ if (!empty($settings['nbdd_server1']))
+ $conf .= "push \"dhcp-option NBDD {$settings['nbdd_server1']}\"\n";
+ }
- if ($post['auth_method'] == 'shared_key') {
- if (empty($post['interface_ip']))
- $input_errors[] = 'The field \'Interface IP\' is required.';
- }
- if (isset($post['proxy_hostname']) && $post['proxy_hostname'] != "") {
- if (!is_domain($post['proxy_hostname']) || is_ipaddr($post['proxy_hostname']))
- $input_errors[] = 'The field \'Proxy Host\' must contain a valid IP address or domain name.';
- if (!is_port($post['proxy_port']))
- $input_errors[] = 'The field \'Proxy port\' must contain a valid port number.';
- if ($post['protocol'] != "TCP")
- $input_errors[] = 'The protocol must be TCP to use a HTTP proxy server.';
- }
- if (isset($post['use_shaper']) && $post['use_shaper'] != "") {
- if (!is_numeric($post['use_shaper']))
- $input_errors[] = 'The field \'Limit outgoing bandwidth\' must be numeric.';
- }
+ if ($settings['gwredir'])
+ $conf .= "push \"redirect-gateway def1\"\n";
+}
- }
+function openvpn_add_custom(& $settings, & $conf) {
- if ($result = openvpn_validate_cidr($post['remote_network'], 'Remote network'))
- $input_errors[] = $result;
+ if ($settings['custom_options']) {
-/* This are no more needed comment them from now and remove later */
-/*
- if ($_POST['auth_method'] == 'shared_key') {
- $reqfields[] = 'shared_key';
- $reqfieldsn[] = 'Shared key';
- }
- else {
- $req = explode(' ', "ca_cert {$mode}_cert {$mode}_key");
- $reqn = array( 'CA certificate',
- ucfirst($mode) . ' certificate',
- ucfirst($mode) . ' key');
- $reqfields = array_merge($reqfields, $req);
- $reqfieldsn = array_merge($reqfieldsn, $reqn);
- if ($mode == 'server') {
- $reqfields[] = 'dh_params';
- $reqfieldsn[] = 'DH parameters';
- }
- }
- do_input_validation($post, $reqfields, $reqfieldsn, &$input_errors);
-*/
-if ($mode != "server") {
- $value = trim($post['shared_key']);
- $items = array();
-
- if ($_POST['auth_method'] == 'shared_key') {
- $items[] = array( 'field' => 'shared.key',
- 'string' => 'OpenVPN Static key V1',
- 'name' => 'Shared key');
- }
- else {
- $items[] = array( 'field' => 'ca.crt',
- 'string' => 'CERTIFICATE',
- 'name' => 'CA certificate');
- $items[] = array( 'field' => "{$mode}.crt",
- 'string' => 'CERTIFICATE',
- 'name' => "$Mode certificate");
- $items[] = array( 'field' => "{$mode}.key",
- 'string' => 'RSA PRIVATE KEY',
- 'name' => "$Mode key");
- $items[] = array( 'field' => 'tls',
- 'string' => 'OpenVPN Static key V1',
- 'name' => 'TLS');
- if ($mode == 'server') {
- $items[] = array( 'field' => 'dh_param.dhs',
- 'string' => 'DH PARAMETERS',
- 'name' => 'DH parameters');
- $items[] = array( 'field' => 'crl.crl',
- 'string' => 'X509 CRL',
- 'name' => 'CRL');
- }
- }
- foreach ($items as $item) {
- $value = trim($_POST[$item['field']]);
- $string = $item['string'];
- if ($value && (!strstr($value, "-----BEGIN {$string}-----") || !strstr($value, "-----END {$string}-----")))
- $input_errors[] = "The field '{$item['name']}' does not appear to be valid";
+ $options = explode(';', $settings['custom_options']);
+
+ if (is_array($options)) {
+ foreach ($options as $option)
+ $conf .= "$option\n";
+ } else
+ $conf .= "{$settings['custom_options']}\n";
}
}
-}
+function openvpn_add_keyfile(& $data, & $conf, $mode_id, $directive) {
+ global $g;
-function openvpn_validate_input_csc($post, $input_errors) {
- if ($result = openvpn_validate_cidr($post['ifconfig_push'], 'Interface IP'))
- $input_errors[] = $result;
-
- if ($post['push_reset'] != 'on') {
- if (!empty($post['dhcp_domainname']))
- $input_errors[] = 'It makes no sense to unselect push reset and configure DHCP options';
- elseif (!empty($post['dhcp_dns']))
- $input_errors[] = 'It makes no sense to unselect push reset and configure DHCP options';
- elseif (!empty($post['dhcp_wins']))
- $input_errors[] = 'It makes no sense to unselect push reset and configure DHCP options';
- elseif (!empty($post['dhcp_nbdd']))
- $input_errors[] = 'It makes no sense to unselect push reset and configure DHCP options';
- elseif (!empty($post['dhcp_ntp']))
- $input_errors[] = 'It makes no sense to unselect push reset and configure DHCP options';
- elseif ($post['dhcp_nbttype'])
- $input_errors[] = 'It makes no sense to unselect push reset and configure DHCP options';
- elseif (!empty($post['dhcp_nbtscope']))
- $input_errors[] = 'It makes no sense to unselect push reset and configure DHCP options';
- elseif ($post['dhcp_nbtdisable'])
- $input_errors[] = 'It makes no sense to unselect push reset and configure DHCP options';
-
- } else {
-
- if (!empty($post['dhcp_dns'])) {
- $servers = explode(';', $post['dhcp_dns']);
- foreach ($servers as $server) if (!is_ipaddr($server))
- {$input_errors[] = 'The field \'DHCP Option: DNS Server\' must contain a valid IP address and no whitespaces.';
- break;}}
- if (!empty($post['dhcp_wins'])) {
- $servers = explode(';', $post['dhcp_wins']);
- foreach ($servers as $server) if (!is_ipaddr($server))
- {$input_errors[] = 'The field \'DHCP Option: WINS Server\' must contain a valid IP address and no whitespaces.';
- break;}}
- if (!empty($post['dhcp_nbdd'])) {
- $servers = explode(';', $post['dhcp_nbdd']);
- foreach ($servers as $server) if (!is_ipaddr($server))
- {$input_errors[] = 'The field \'DHCP Option: NBDD Server\' must contain a valid IP address and no whitespaces.';
- break;}}
- if (!empty($post['dhcp_ntp'])) {
- $servers = explode(';', $post['dhcp_ntp']);
- foreach ($servers as $server) if (!is_ipaddr($server))
- {$input_errors[] = 'The field \'DHCP Option: NTP Server\' must contain a valid IP address and no whitespaces.';
- break;}}
-
-}}
-
-// Create server PKI certificate if it is not present on system
-function openvpn_server_create_cert($mode, $id) {
- if($mode == "client")
- return;
- global $g, $config;
- $settings = $config['installedpackages']["openvpn$mode"]['config'][$id];
- $interface = $settings['interface'];
- if(!$interface)
- $interface = "WAN";
- $serveruniq = $interface . $settings['local_port'] . $settings['protocol'];
- log_error("Creating server certificate for {$settings['description']}.");
- $caname = $settings['cipherpki'];
- foreach($config['openvpn']['keys'] as $ca => $ca2) {
- if($ca == $caname)
- $cakeysize = $ca2['keysize'];
- }
- $ovpncapath = $g['varetc_path']."/openvpn/certificates";
- $easyrsapath = $g['easyrsapath'];
- config_lock();
- $fd = fopen($ovpncapath . "/RUNME_2ND", "w");
- fwrite($fd, "#!/bin/tcsh\n");
- fwrite($fd, "cd $ovpncapath \n");
- fwrite($fd, "source $ovpncapath/$caname/vars \n");
- fwrite($fd, "$easyrsapath/pkitool --batch --server {$serveruniq} \n");
- fwrite($fd, "openssl dhparam -out $ovpncapath/$caname/dh_params.dh $cakeysize \n");
- fclose($fd);
- system("/bin/chmod a+rx $ovpncapath/RUNME_2ND");
- mwexec("/bin/tcsh $ovpncapath/RUNME_2ND");
- $config['installedpackages']["openvpn$mode"]['config'][$id]['server.key'] = file_get_contents("$ovpncapath/$caname/server.key");
- $config['installedpackages']["openvpn$mode"]['config'][$id]['server.crt'] = file_get_contents("$ovpncapath/$caname/server.crt");
- $config['installedpackages']["openvpn$mode"]['config'][$id]['dh_params.dh'] = file_get_contents("$ovpncapath/$caname/dh_params.dh");
- config_unlock();
- write_config();
- log_error("Server certificate for {$settings['description']} created.");
+ $fpath = $g['varetc_path']."/openvpn/{$mode_id}.{$directive}";
+ file_put_contents($fpath, base64_decode($data));
+ chown($fpath, 'nobody');
+ chgrp($fpath, 'nobody');
+
+ $conf .= "{$directive} {$fpath}\n";
}
-// Rewrite the settings
function openvpn_reconfigure($mode, $id) {
global $g, $config;
- $settings = $config['installedpackages']["openvpn$mode"]['config'][$id];
-
+ $settings = $config['openvpn']["openvpn-$mode"][$id];
+
if (empty($settings))
return;
if ($settings['disable'])
return;
- /* create cert if needed */
- if(!$settings['server.key'] and $mode == "server")
- openvpn_server_create_cert($mode, $id);
-
- $lport = 1194 + $id;
-
/*
- * NOTE: if you change the name of the interfaces here than
- * be sure to change it even on the openvpn command parameters at
- * openvpn_restart() function.
+ * NOTE: Deleting tap devices causes spontaneous reboots. Instead,
+ * we use a vpnid number which is allocated for a particular client
+ * or server configuration. ( see openvpn_vpnid_next() )
*/
- if ($mode == "client")
- $ovpndevice = "ovpnc{$id}";
- else
- $ovpndevice = "ovpn{$id}";
+ $vpnid = $settings['vpnid'];
+ $mode_id = $mode.$vpnid;
+ $tunname = "tun{$vpnid}";
- if (!$g['booting'])
- mwexec("/sbin/ifconfig {$ovpndevice} destroy");
+ if ($mode == "server")
+ $devname = "ovpns{$vpnid}";
+ else
+ $devname = "ovpnc{$vpnid}";
- $tunname = exec("/sbin/ifconfig tun create");
- mwexec("/sbin/ifconfig {$tunname} name {$ovpndevice}");
- mwexec("/sbin/ifconfig {$ovpndevice} group openvpn");
+ if (!file_exists("/dev/{$tunname}"))
+ $tunname = exec("/sbin/ifconfig {$tunname} create");
- $pidfile = $g['varrun_path'] . "/openvpn_{$mode}{$id}.pid";
+ mwexec("/sbin/ifconfig {$tunname} name {$devname}");
+ mwexec("/sbin/ifconfig {$devname} group openvpn");
+
+ $pidfile = $g['varrun_path'] . "/openvpn_{$mode_id}.pid";
$proto = ($settings['protocol'] == 'UDP' ? 'udp' : "tcp-{$mode}");
$cipher = $settings['crypto'];
- $openvpn_conf .= <<<EOD
-dev {$ovpndevice}
+
+ $interface = $settings['interface'];
+ if (!$interface)
+ $interface = 'WAN';
+
+ $iface = convert_friendly_interface_to_real_interface_name($interface);
+ $lines = explode(' ', trim(shell_exec("ifconfig $iface | grep inet | grep -v inet6")));
+ $iface_ip = $lines[1];
+
+$conf .= <<<EOD
+dev {$devname}
dev-type tun
dev-node /dev/{$tunname}
writepid $pidfile
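Review bot: openvpn_add_keyfile() writes decoded private-key and TLS-auth material with `file_put_contents()` under the process umask and then `chown`s it to `nobody`, so the file is typically left world-readable and owned by the account every unprivileged daemon on the box runs as; the write's return value is also ignored, so a missing `{$g['varetc_path']}/openvpn` directory silently produces a config that points at a file that does not exist. Create the directory, check the write and `chmod($fpath, 0600)` before handing the file to the daemon, as sketched below; whether `nobody` needs to own it at all depends on how the daemon is started (`--user nobody` without `--persist-key` re-reads keys on restart), which is not visible here — confirm. In openvpn_add_dhcpopts() the NTP and NetBIOS pushes test the new keys but emit the old ones (`ntp_server1`/`ntp_server2` guards print `{$settings['dhcp_ntp']}`, the `netbios_enable` branch reads `dhcp_nbttype`/`dhcp_nbtscope`), and the 5.1->5.2 upgrade unsets those old keys, so the options are pushed empty; use `ntp_server1`, `ntp_server2`, `netbios_ntype` and `netbios_scope`. In openvpn_reconfigure(), `$iface_ip = $lines[1]` is never checked, so an interface without an IPv4 address emits a bare `local ` line and the daemon fails to start; that function continues beyond this hunk.
```php
function openvpn_add_keyfile(& $data, & $conf, $mode_id, $directive) {
	global $g;

	$dir = "{$g['varetc_path']}/openvpn";
	$fpath = "{$dir}/{$mode_id}.{$directive}";
	if (!is_dir($dir))
		mkdir($dir, 0700, true);
	/* key material: verify the write and restrict the mode before the daemon sees it */
	if (file_put_contents($fpath, base64_decode($data)) === false) {
		log_error("Could not write {$fpath} for OpenVPN {$mode_id}");
		return;
	}
	chmod($fpath, 0600);
	chown($fpath, 'nobody');
	chgrp($fpath, 'nobody');

	$conf .= "{$directive} {$fpath}\n";
}
```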
@@ -395,347 +237,216 @@ proto $proto
cipher $cipher
up /etc/rc.filter_configure
down /etc/rc.filter_configure
+local {$iface_ip}
EOD;
- // Mode-specific stuff
+ // Mode specific stuff
+
if ($mode == 'server') {
- list($ip, $mask) = explode('/', $settings['addresspool']);
+
+ list($ip, $mask) = explode('/', $settings['tunnel_network']);
$mask = gen_subnet_mask($mask);
// Using a shared key or not dynamically assigning IPs to the clients
- if (($settings['auth_method'] == 'shared_key') || ($settings['nopool'] == 'on')) {
- if ($settings['auth_method'] == 'pki') $openvpn_conf .= "tls-server\n";
+ if (($settings['auth_method'] == 'shared_key') || (!$settings['pool_enable'] == 'on')) {
+
+ if ($settings['auth_method'] == 'pki')
+ $conf .= "tls-server\n";
$baselong = ip2long($ip) & ip2long($mask);
$ip1 = long2ip($baselong + 1);
$ip2 = long2ip($baselong + 2);
- $openvpn_conf .= "ifconfig $ip1 $ip2\n";
+ $conf .= "ifconfig $ip1 $ip2\n";
}
// Using a PKI
else if ($settings['auth_method'] == 'pki') {
- if ($settings['client2client']) $openvpn_conf .= "client-to-client\n";
- $openvpn_conf .= "server $ip $mask\n";
+
+ if ($settings['client2client'])
+ $conf .= "client-to-client\n";
+
+ $conf .= "server $ip $mask\n";
$csc_dir = "{$g['varetc_path']}/openvpn_csc";
- $openvpn_conf .= "client-config-dir $csc_dir\n";
+ $conf .= "client-config-dir $csc_dir\n";
}
// We can push routes
if (!empty($settings['local_network'])) {
+
list($ip, $mask) = explode('/', $settings['local_network']);
$mask = gen_subnet_mask($mask);
- $openvpn_conf .= "push \"route $ip $mask\"\n";
+ $conf .= "push \"route $ip $mask\"\n";
}
- if ($settings['bind_to_iface'] == 'on') {
- $iface = $settings['interface'];
- $iface = convert_friendly_interface_to_real_interface_name($iface);
- $line = trim(shell_exec("ifconfig $iface | grep inet | grep -v inet6"));
- list($dummy, $ip, $dummy2, $dummy3) = explode(' ', $line);
-
- $openvpn_conf .= "local {$ip}\n";
- }
-
// The port we'll listen at
- $openvpn_conf .= "lport {$settings['local_port']}\n";
-
- // DHCP-Options
- if (!empty($settings['dhcp_domainname']))
- $openvpn_conf .= "push \"dhcp-option DOMAIN {$settings['dhcp_domainname']}\"\n";
-
- if (!empty($settings['dhcp_dns'])) {
- $servers = explode(';', $settings['dhcp_dns']);
- if (is_array($servers)) {
- foreach ($servers as $server) $openvpn_conf .= "push \"dhcp-option DNS {$server}\"\n";
- } else {
- $openvpn_conf .= "push \"dhcp-option DNS {$settings['dhcp_dns']}\"\n";
- }
- }
-
- if (!empty($settings['dhcp_wins'])) {
- $servers = explode(';', $settings['dhcp_wins']);
- if (is_array($servers)) {
- foreach ($servers as $server) $openvpn_conf .= "push \"dhcp-option WINS {$server}\"\n";
- } else {
- $openvpn_conf .= "push \"dhcp-option WINS {$settings['dhcp_wins']}\"\n";
- }
- }
-
- if (!empty($settings['dhcp_nbdd'])) {
- $servers = explode(';', $settings['dhcp_nbdd']);
- if (is_array($servers)) {
- foreach ($servers as $server) $openvpn_conf .= "push \"dhcp-option NBDD {$server}\"\n";
- } else {
- $openvpn_conf .= "push \"dhcp-option NBDD {$settings['dhcp_nbdd']}\"\n";
- }
- }
-
- if (!empty($settings['dhcp_ntp'])) {
- $servers = explode(';', $settings['dhcp_ntp']);
- if (is_array($servers)) {
- foreach ($servers as $server) $openvpn_conf .= "push \"dhcp-option NTP {$server}\"\n";
- } else {
- $openvpn_conf .= "push \"dhcp-option NTP {$settings['dhcp_ntp']}\"\n";
- }
- }
-
- if (!empty($settings['dhcp_nbttype']) && $settings['dhcp_nbttype'] !=0)
- $openvpn_conf .= "push \"dhcp-option NBT {$settings['dhcp_nbttype']}\"\n";
- if (!empty($settings['dhcp_nbtscope']))
- $openvpn_conf .= "push \"dhcp-option NBS {$settings['dhcp_nbtscope']}\"\n";
- if ($settings['dhcp_nbtdisable'])
- $openvpn_conf .= "push \"dhcp-option DISABLE-NBT\"\n";
+ $conf .= "lport {$settings['local_port']}\n";
- if (!empty($settings['tls']))
- $openvpn_conf .= "tls-auth {$g['varetc_path']}/openvpn_server{$id}.tls 0\n";
if (!empty($settings['maxclients']))
- $openvpn_conf .= "max-clients {$settings['maxclients']}\n";
- if ($settings['gwredir'])
- $openvpn_conf .= "push \"redirect-gateway def1\"\n";
- } else { // $mode == client
+ $conf .= "max-clients {$settings['maxclients']}\n";
+
+ openvpn_add_dhcpopts($settings, $conf);
+ }
+
+ if ($mode == 'client') {
+
// The remote server
- $openvpn_conf .= "remote {$settings['serveraddr']} {$settings['serverport']}\n";
+ $conf .= "remote {$settings['server_addr']} {$settings['server_port']}\n";
+
+ if ($settings['auth_method'] == 'pki')
+ $conf .= "client\n";
+
+ // FIXME : This should be a gui option
+ // The port we'll listen at
+ if ($settings['local_port'])
+ $conf .= "lport {$settings['local_port']}\n";
+ else
+ $conf .= "nobind\n";
- if ($settings['auth_method'] == 'pki') $openvpn_conf .= "client\n";
- if ($settings['use_dynamicport']) $openvpn_conf .= "nobind\n";
- else
- // The port we'll listen at
- $openvpn_conf .= "lport {$lport}\n";
+ if (!empty($settings['use_shaper']))
+ $conf .= "shaper {$settings['use_shaper']}\n";
- if (!empty($settings['use_shaper'])) $openvpn_conf .= "shaper {$settings['use_shaper']}\n";
+ if (!empty($settings['tunnel_network'])) {
- if (!empty($settings['interface_ip'])) {
// Configure the IPs according to the address pool
- list($ip, $mask) = explode('/', $settings['interface_ip']);
+ list($ip, $mask) = explode('/', $settings['tunnel_network']);
$mask = gen_subnet_mask($mask);
$baselong = ip2long($ip) & ip2long($mask);
$ip1 = long2ip($baselong + 1);
$ip2 = long2ip($baselong + 2);
- $openvpn_conf .= "ifconfig $ip2 $ip1\n";
+ $conf .= "ifconfig $ip2 $ip1\n";
}
- if (isset($settings['proxy_hostname']) && $settings['proxy_hostname'] != "") {
+
+ if ($settings['proxy_addr']) {
/* ;http-proxy-retry # retry on connection failures */
- $openvpn_conf .= "http-proxy {$settings['proxy_hostname']} {$settings['proxy_port']}\n";
+ $conf .= "http-proxy {$settings['proxy_addr']} {$settings['proxy_port']}\n";
}
-
- if (!empty($settings['tls'])) $openvpn_conf .= "tls-auth {$g['varetc_path']}/openvpn_client{$id}.tls 1\n";
-
}
// Add the routes if they're set
if (!empty($settings['remote_network'])) {
list($ip, $mask) = explode('/', $settings['remote_network']);
$mask = gen_subnet_mask($mask);
- $openvpn_conf .= "route $ip $mask\n";
+ $conf .= "route $ip $mask\n";
}
- // Write the settings for the keys
- // Set the keys up
- $base_file = $g['varetc_path'] . "/openvpn/certificates/";
- $keys = array();
- if ($settings['auth_method'] == 'shared_key')
- $keys[] = array('field' => 'shared.key', 'ext' => 'secret', 'directive' => 'secret');
- else {
- $interface = $settings['interface'];
- if(!$interface)
- $interface = "WAN";
- $serveruniq = $interface . $settings['local_port'] . $settings['protocol'];
- $keys[] = array('field' => 'ca.crt', 'directive' => 'ca');
- $keys[] = array('field' => "{$serveruniq}.crt", 'directive' => 'cert');
- $keys[] = array('field' => "{$serveruniq}.key", 'directive' => 'key');
- if ($mode == 'server')
- $keys[] = array('field' => 'dh_params.dh', 'directive' => 'dh');
- if ($settings['crl'])
- $keys[] = array('field' => 'crl.crl', 'directive' => 'crl-verify');
- }
-
- foreach ($keys as $key) {
- if ($mode == "server") {
- if ($settings['auth_method'] == 'pki' && isset($settings['cipherpki']) &&
- $settings['cipherpki'] != "none")
- $openvpn_conf .= $key['directive'] . " " . $base_file . $settings['cipherpki'] .
- "/".$key['field']."\n";
- else if ($settings['auth_method'] == 'pki' && isset($settings['cipherpki']) &&
- $settings['cipherpki'] != "none")
- $openvpn_conf .= $key['directive'] . " " . $base_file . $settings['cipherpki'] .
- "/".$key['field']."\n";
- } else {
- $filename = $g['varetc_path']."/openvpn_{$mode}{$id}." . $key['field'];
- file_put_contents($filename, base64_decode($settings[$key['field']]));
- chown($filename, 'nobody');
- chgrp($filename, 'nobody');
- $openvpn_conf .= $key['directive'] . " $filename \n";
- }
- }
-
- if ($settings['use_lzo']) $openvpn_conf .= "comp-lzo\n";
-
- if ($settings['passtos']) $openvpn_conf .= "passtos\n";
-
- if ($settings['infiniteresolvretry']) $openvpn_conf .= "resolv-retry infinite\n";
-
- if ($settings['dynamic_ip']) {
- $openvpn_conf .= "persist-remote-ip\n";
- $openvpn_conf .= "float\n";
+ // Write the settings for the keys
+ if ($settings['auth_method'] == 'shared_key')
+ openvpn_add_keyfile($settings['shared_key'], $conf, $mode_id, "secret");
+
+ if ($settings['auth_method'] == 'pki') {
+
+ $ca = lookup_ca($settings['caref']);
+ $cert = lookup_cert($settings['certref']);
+
+ openvpn_add_keyfile($ca['crt'], $conf, $mode_id, "ca");
+ openvpn_add_keyfile($cert['crt'], $conf, $mode_id, "cert");
+ openvpn_add_keyfile($cert['prv'], $conf, $mode_id, "key");
+
+ if ($mode == 'server')
+ openvpn_add_keyfile($settings['dh_params'], $conf, $mode_id, "dh");
+ if ($settings['crl'])
+ openvpn_add_keyfile($settings['crl'], $conf, $mode_id, "crl-verify");
+ if ($settings['tls'])
+ openvpn_add_keyfile($settings['tls'], $conf, $mode_id, "tls-auth");
}
- if (!empty($settings['custom_options'])) {
- $options = explode(';', $settings['custom_options']);
- if (is_array($options)) {
- foreach ($options as $option)
- $openvpn_conf .= "$option\n";
- }
- else {
- $openvpn_conf .= "{$settings['custom_options']}\n";
- }
+ if ($settings['compress'])
+ $conf .= "comp-lzo\n";
+
+ if ($settings['passtos'])
+ $conf .= "passtos\n";
+
+ if ($settings['resolve_retry'])
+ $conf .= "resolv-retry infinite\n";
+
+ if ($settings['dynamic_ip']) {
+ $conf .= "persist-remote-ip\n";
+ $conf .= "float\n";
}
- file_put_contents($g['varetc_path'] . "/openvpn_{$mode}{$id}.conf", $openvpn_conf);
+ openvpn_add_custom($settings, $conf);
+
+ $fpath = $g['varetc_path']."/openvpn/{$mode_id}.conf";
+ file_put_contents($fpath, $conf);
+ chown($fpath, 'nobody');
+ chgrp($fpath, 'nobody');
+}
+
+function openvpn_restart($mode, $id) {
+ global $g, $config;
+
+ $settings = $config['openvpn']["openvpn-$mode"][$id];
+ $vpnid = $settings['vpnid'];
+ $mode_id = $mode.$vpnid;
+
+ $pidfile = $g['varrun_path']."/openvpn_{$mode_id}.pid";
+ killbypid($pidfile);
+ sleep(2);
+
+ if ($settings['disable'])
+ return;
+
+ $fpath = $g['varetc_path']."/openvpn/{$mode_id}.conf";
+ mwexec_bg("nohup openvpn --config {$fpath}");
+ touch("{$g['tmp_path']}/filter_dirty");
}
+function openvpn_delete($mode, $id) {
+ global $g, $config;
+
+ $settings = $config['openvpn']["openvpn-$mode"][$id];
+ $vpnid = $settings['vpnid'];
+ $mode_id = $mode.$vpnid;
+
+ $ps = $g['varetc_path']."/openvpn_{$mode_id}.conf";
+ $ps_id = `ps awux | grep $ps | awk '{ print \$2 }'`;
+ killbypid($ps_id);
+}
function openvpn_resync_csc($id) {
global $g, $config;
- $settings = $config['installedpackages']['openvpncsc']['config'][$id];
+ $settings = $config['openvpn']['openvpn-csc'][$id];
+ $fpath = $g['varetc_path']."/openvpn_csc/".$settings['common_name'];
- if ($settings['disable'] == 'on') {
- $filename = "{$g['varetc_path']}/openvpn_csc/{$settings['commonname']}";
- unlink_if_exists($filename);
+ if ($settings['disable']) {
+ unlink_if_exists($fpath);
return;
}
-
+
$conf = '';
- if ($settings['block'] == 'on') $conf .= "disable\n";
- if ($settings['push_reset'] == 'on') $conf .= "push-reset\n";
- if (!empty($settings['ifconfig_push'])) {
- list($ip, $mask) = explode('/', $settings['ifconfig_push']);
+ if ($settings['block'])
+ $conf .= "disable\n";
+
+ if ($settings['push_reset'])
+ $conf .= "push-reset\n";
+
+ if (!empty($settings['tunnel_network'])) {
+ list($ip, $mask) = explode('/', $settings['tunnel_network']);
$baselong = ip2long($ip) & gen_subnet_mask_long($mask);
- $conf .= 'ifconfig-push ' . long2ip($baselong + 1) . ' ' . long2ip($baselong + 2) . "\n";
+ $ip1 = long2ip($baselong + 1);
+ $ip2 = long2ip($baselong + 2);
+ $conf .= "ifconfig-push {$ip1} {$ip2}\n";
}
-// DHCP-Options
- if (!empty($settings['dhcp_domainname'])) $conf .= "push \"dhcp-option DOMAIN {$settings['dhcp_domainname']}\"\n";
-
- if (!empty($settings['dhcp_dns'])) {
- $servers = explode(';', $settings['dhcp_dns']);
- if (is_array($servers)) {
- foreach ($servers as $server) $conf .= "push \"dhcp-option DNS {$server}\"\n";
- }
- else {
- $conf .= "push \"dhcp-option DNS {$settings['dhcp_dns']}\"\n";
- }
- }
-
- if (!empty($settings['dhcp_wins'])) {
- $servers = explode(';', $settings['dhcp_wins']);
- if (is_array($servers)) {
- foreach ($servers as $server) $conf .= "push \"dhcp-option WINS {$server}\"\n";
- }
- else {
- $conf .= "push \"dhcp-option WINS {$settings['dhcp_wins']}\"\n";
- }
- }
-
- if (!empty($settings['dhcp_nbdd'])) {
- $servers = explode(';', $settings['dhcp_nbdd']);
- if (is_array($servers)) {
- foreach ($servers as $server) $conf .= "push \"dhcp-option NBDD {$server}\"\n";
- }
- else {
- $conf .= "push \"dhcp-option NBDD {$settings['dhcp_nbdd']}\"\n";
- }
- }
-
- if (!empty($settings['dhcp_ntp'])) {
- $servers = explode(';', $settings['dhcp_ntp']);
- if (is_array($servers)) {
- foreach ($servers as $server) $conf .= "push \"dhcp-option NTP {$server}\"\n";
- }
- else {
- $conf .= "push \"dhcp-option NTP {$settings['dhcp_ntp']}\"\n";
- }
- }
-
- if (!empty($settings['dhcp_nbttype']) && $settings['dhcp_nbttype'] !=0) $conf .= "push \"dhcp-option NBT {$settings['dhcp_nbttype']}\"\n";
- if (!empty($settings['dhcp_nbtscope'])) $conf .= "push \"dhcp-option NBS {$settings['dhcp_nbtscope']}\"\n";
- if ($settings['dhcp_nbtdisable']) $conf .= "push \"dhcp-option DISABLE-NBT\"\n";
- if ($settings['gwredir']) $conf .= "push \"redirect-gateway def1\"\n";
-
- if (!empty($settings['custom_options'])) {
- $options = explode(';', $settings['custom_options']);
- if (is_array($options)) {
- foreach ($options as $option)
- $conf .= "$option\n";
- }
- else {
- $conf .= "{$settings['custom_options']}\n";
- }
- }
+ openvpn_add_dhcpopts($settings, $conf);
- $filename = "{$g['varetc_path']}/openvpn_csc/{$settings['commonname']}";
- file_put_contents($filename, $conf);
- chown($filename, 'nobody');
- chgrp($filename, 'nogroup');
+ if ($settings['gwredir'])
+ $conf .= "push \"redirect-gateway def1\"\n";
-}
+ openvpn_add_custom($settings, $conf);
+ file_put_contents($fpath, $conf);
+ chown($fpath, 'nobody');
+ chgrp($fpath, 'nobody');
+}
-function openvpn_restart($mode, $id) {
+function openvpn_delete_csc($id) {
global $g, $config;
- $pidfile = $g['varrun_path'] . "/openvpn_{$mode}{$id}.pid";
- killbypid($pidfile);
- sleep(2);
-
- $settings = $config['installedpackages']["openvpn$mode"]['config'][$id];
- if ($settings['disable']) return;
-
- $configfile = $g['varetc_path'] . "/openvpn_{$mode}{$id}.conf";
- mwexec_bg("nohup openvpn --config $configfile");// --dev-type tun --dev-node /dev/tun{$id}");
- touch("{$g['tmp_path']}/filter_dirty");
-}
-
-//Make ciphers ready for openvpn
-function openvpn_restore_all_ciphers() {
- global $config, $g;
-
- $ovpncapath = $g['varetc_path']."/openvpn/certificates";
-
- if (is_array($config['openvpn']['keys']) && count($config['openvpn']['keys'])) {
- if (!is_dir($g['varetc_path']."/openvpn"))
- safe_mkdir($g['varetc_path']."/openvpn");
- if (!is_dir($ovpncapath))
- safe_mkdir($ovpncapath);
-
- /* XXX: hardcoded path; worth making it a global?! */
- mwexec("cp -r /usr/local/share/openvpn/certificates ".$g['varetc_path']."/openvpn/");
- if (!is_dir($ovpncapath)) {
- log_error("Failed to create environment for creating certificates. ");
- } else {
-
- foreach ($config['openvpn']['keys'] as $caname => $ciphers) {
- if (!is_dir("$ovpncapath/$caname"))
- safe_mkdir("$ovpncapath/$caname");
-
- $cfg = "";
- /* NOTE: vars; Do we need them restored?! */
- $cfg .= "setenv KEY_SIZE " .$ciphers['keysize'] ."\n";
- $cfg .= "setenv KEY_EXPIRE ".$ciphers['keyexpire'] ."\n";
- $cfg .= "setenv CA_EXPIRE " .$ciphers['caexpire'] . "\n";
- $cfg .= "setenv KEY_COUNTRY " .$ciphers['keycountry'] ."\n";
- $cfg .= "setenv KEY_RPOVINCE " .$ciphers['keyprovince'] . "\n";
- $cfg .= "setenv KEY_CITY " .$ciphers['keycity'] . "\n";
- $cfg .= "setenv KEY_ORG " .$ciphers['keyorg'] . "\n";
- $cfg .= "setenv KEY_EMAIL " .$ciphers['keyemail'] . "\n";
- file_put_contents("$ovpncapath/$caname/vars", $cfg);
- /* put ciphers back in their files */
- foreach ($ciphers as $filename => $value) {
- file_put_contents("$ovpncapath/$caname/$filename", $value);
- }
- }
- }
- }
+ $settings = $config['openvpn']['openvpn-csc'][$id];
+ $fpath = $g['varetc_path']."/openvpn_csc/".$settings['common_name'];
+ unlink_if_exists($fpath);
}
// Resync the configuration and restart the VPN
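Review bot: openvpn_delete searches the process list for `{$g['varetc_path']}/openvpn_{$mode_id}.conf`, but the config file it should be matching is written a few lines earlier as `{$g['varetc_path']}/openvpn/{$mode_id}.conf`, so the backtick `ps awux | grep $ps` never matches the running instance (or, matching any process whose command line contains that substring, returns several PIDs on separate lines) and `killbypid` is handed an empty or multi-line string. The instance already writes a pidfile (`writepid $pidfile`), so deletion should reuse it exactly as openvpn_restart does: `$pidfile = $g['varrun_path']."/openvpn_{$mode_id}.pid"; killbypid($pidfile);`, which also removes the unquoted path interpolation into a shell. Separately, `$iface_ip = $lines[1]` is taken without checking that `ifconfig … | grep inet` produced a line, so an interface with no IPv4 address yields an empty `local` directive in the heredoc and the daemon will refuse the config; build the `local` line outside the heredoc and append it only when `$iface_ip` is non-empty. The test `!$settings['pool_enable'] == 'on'` in the server branch only does what is intended because `!` binds before `==` and `true == 'on'` is loosely true; `empty($settings['pool_enable'])` states the intent directly. The enclosing function starts before this hunk.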
@@ -744,94 +455,39 @@ function openvpn_resync($mode, $id) {
openvpn_restart($mode, $id);
}
-function openvpn_create_cscdir() {
- global $g;
-
- $csc_dir = "{$g['varetc_path']}/openvpn_csc";
- if (is_dir($csc_dir))
- rmdir_recursive($csc_dir);
- make_dirs($csc_dir);
- chown($csc_dir, 'nobody');
- chgrp($csc_dir, 'nobody');
-}
-
// Resync and restart all VPNs
function openvpn_resync_all() {
- global $config;
- $ovpncapath = $g['varetc_path']."/openvpn/certificates";
+ global $g, $config;
- openvpn_restore_all_ciphers();
+ $path_ovpn = $g['varetc_path']."/openvpn";
+ safe_mkdir($path_ovpn);
- foreach (array('server', 'client') as $mode) {
- if ($config['installedpackages']["openvpn$mode"]) {
- $cfgp =& $config['installedpackages']["openvpn$mode"];
- if (is_array($cfgp['config']) && count($cfgp['config'])) {
- foreach ($cfgp['config'] as $id => $settings)
- openvpn_resync($mode, $id);
- }
- }
- }
-
- openvpn_create_cscdir();
- if ($config['installedpackages']['openvpncsc']) {
- $cfgp =& $config['installedpackages']['openvpncsc'];
- if (is_array($cfgp['config']) && count($cfgp['config'])) {
- foreach ($cfgp['config'] as $id => $csc)
- openvpn_resync_csc($id);
- }
- }
-
- /* give speedy machines time to settle */
- sleep(5);
+ chown($path_ovpn, 'nobody');
+ chgrp($path_ovpn, 'nobody');
- /* reload the filter policy */
- filter_configure();
+ $path_csc = $g['varetc_path']."/openvpn_csc";
+ safe_mkdir($path_csc);
-}
+ chown($path_csc, 'nobody');
+ chgrp($path_csc, 'nobody');
-function openvpn_print_javascript($mode) {
- $javascript = <<<EOD
-<script language="JavaScript">
-//<!--
-function onAuthMethodChanged() {
- var method = document.iform.auth_method;
- var endis = (method.options[method.selectedIndex].value == 'shared_key');
-
- if ('$mode' == 'server') {
- document.iform.nopool.disabled = endis;
- document.iform.local_network.disabled = endis;
- document.iform.client2client.disabled = endis;
- document.iform.maxclients.disabled = endis;
- document.iform.cipher.disabled = !endis;
- document.iform.cipherpki.disabled = endis;
- }
- else { // Client mode
- document.iform.remote_network.disabled = !endis;;
- document.iform['shared.key'].disabled = !endis;
- document.iform['ca.crt'].disabled = endis;
- document.iform["{$mode}.crt"].disabled = endis;
- document.iform["{$mode}.key"].disabled = endis;
- document.iform.tls.disabled = endis;
- }
-}
-//-->
-</script>
+ if (is_array($config['openvpn']['openvpn-server']))
+ foreach ($config['openvpn']['openvpn-server'] as $id => & $settings)
+ openvpn_resync('server', $id);
-EOD;
- print($javascript);
-}
+ if (is_array($config['openvpn']['openvpn-client']))
+ foreach ($config['openvpn']['openvpn-client'] as $id => & $settings)
+ openvpn_resync('client', $id);
+ if (is_array($config['openvpn']['openvpn-csc']))
+ foreach ($config['openvpn']['openvpn-csc'] as $id => & $settings)
+ openvpn_resync_csc($id);
-function openvpn_print_javascript2() {
- $javascript = <<<EOD
-<script language="JavaScript">
-//<!--
- onAuthMethodChanged();
-//-->
-</script>
+ /* give speedy machines time to settle */
+ sleep(5);
-EOD;
- print($javascript);
+ /* reload the filter policy */
+ filter_configure();
}
?>
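Review bot: openvpn_resync_all now only `safe_mkdir`s the csc directory, whereas the removed openvpn_create_cscdir wiped it with `rmdir_recursive` before recreating it, so a client-specific file left behind by a renamed `common_name` is no longer purged on resync and keeps being served through `client-config-dir` (openvpn_delete_csc handles deletions, not renames). Either restore the wipe before the csc loop or add a comment stating that stale csc files are expected to persist. The three `foreach (... as $id => & $settings)` loops take a reference that is never used; `foreach (array_keys($config['openvpn']['openvpn-server']) as $id)` avoids leaving `$settings` bound to a config element after the loop. The leading context lines of this hunk belong to openvpn_resync, whose body starts outside it.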
diff --git a/etc/inc/xmlparse.inc b/etc/inc/xmlparse.inc
index a7b3192..1f5b24c 100644
--- a/etc/inc/xmlparse.inc
+++ b/etc/inc/xmlparse.inc
@@ -42,7 +42,8 @@ function listtags() {
"servernat servers serversdisabled earlyshellcmd shellcmd staticmap ".
"subqueue timerange tunnel user authserver vip virtual_server vlan ".
"winsserver ntpserver wolentry widget depends_on_package ".
- "gateway_item gateway_group dyndns dnsupdate gre gif bridged lagg");
+ "gateway_item gateway_group dyndns dnsupdate gre gif bridged lagg ".
+ "openvpn-server openvpn-client openvpn-csc");
return $ret;
}