Diffstat (limited to 'usr/local/www')
28 files changed, 2364 insertions, 4795 deletions
diff --git a/usr/local/www/fbegin.inc b/usr/local/www/fbegin.inc index 80da3e5..9400d0f 100755 --- a/usr/local/www/fbegin.inc +++ b/usr/local/www/fbegin.inc @@ -130,6 +130,7 @@ if ($_REQUEST['noticeaction'] == 'acknowledge') { <?=output_menu_item("/wizard.php?xml=setup_wizard.xml", "Setup Wizard");?> <?=output_menu_item("/system_gateways.php", "Routing");?> <?=output_menu_item("/firewall_system_tunables.php", "Tunables");?> + <?=output_menu_item("/system_camanager.php", "Cert Manager");?> <?=output_menu_item("/system_usermanager.php", "User Manager");?> </ul> </li> @@ -216,7 +217,7 @@ if ($_REQUEST['noticeaction'] == 'acknowledge') { <div>VPN</div> <ul class="subdrop"> <?=output_menu_item("/vpn_ipsec.php", "IPsec");?> - <?=output_menu_item("/pkg.php?xml=openvpn.xml", "OpenVPN");?> + <?=output_menu_item("/vpn_openvpn_server.php", "OpenVPN");?> <?=output_menu_item("/vpn_pptp.php", "PPTP");?> <?php echo return_ext_menu("VPN"); ?> </ul> diff --git a/usr/local/www/firewall_rules.php b/usr/local/www/firewall_rules.php index b1d0fad..274076d 100755 --- a/usr/local/www/firewall_rules.php +++ b/usr/local/www/firewall_rules.php @@ -72,11 +72,8 @@ if (isset($config['ipsec']['enable']) || isset($config['ipsec']['mobileclients'] $iflist["enc0"] = "IPsec"; /* add openvpn/tun interfaces */ -if ($config['installedpackages']["openvpnserver"] || $config['installedpackages']["openvpnclient"]) { - if (is_array($config['installedpackages']["openvpnserver"]['config']) || - is_array($config['installedpackages']["openvpnclient"]['config'])) - $iflist["openvpn"] = "OpenVPN"; -} +if ($config['openvpn']["openvpn-server"] || $config['openvpn']["openvpn-client"]) + $iflist["openvpn"] = "OpenVPN"; if (!$if || !isset($iflist[$if])) { if ("any" == $if) diff --git a/usr/local/www/firewall_rules_edit.php b/usr/local/www/firewall_rules_edit.php index dce748b..f7e82db 100755 --- a/usr/local/www/firewall_rules_edit.php +++ b/usr/local/www/firewall_rules_edit.php 
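Review bot: The rewritten condition in the firewall_rules.php hunk reads `$config['openvpn']["openvpn-server"]` and `["openvpn-client"]` directly, so on a system with no OpenVPN instance configured both lookups are undefined-index reads that emit a notice on every page load, whereas the removed code at least tested the structure with is_array(); the firewall_rules_edit.php hunk on the next line has the same pattern. `if (!empty($config['openvpn']['openvpn-server']) || !empty($config['openvpn']['openvpn-client']))` keeps the intent without the notices, and also makes the quoting of the two keys consistent instead of mixing `'openvpn'` with `"openvpn-server"`.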
@@ -525,12 +525,8 @@ include("head.inc"); $interfaces["enc0"] = "IPsec"; /* add openvpn/tun interfaces */ - if ($config['installedpackages']["openvpnserver"] || $config['installedpackages']["openvpnclient"]) { - if (is_array($config['installedpackages']["openvpnserver"]['config']) || - is_array($config['installedpackages']["openvpnclient"]['config'])) - $interfaces["openvpn"] = "OpenVPN"; - } - + if ($config['openvpn']["openvpn-server"] || $config['openvpn']["openvpn-client"]) + $interfaces["openvpn"] = "OpenVPN"; foreach ($interfaces as $iface => $ifacename): ?> <option value="<?=$iface;?>" <?php if ($pconfig['interface'] <> "" && stristr($pconfig['interface'], $iface)) echo "selected"; ?>><?=gettext($ifacename);?></option> diff --git a/usr/local/www/guiconfig.inc b/usr/local/www/guiconfig.inc index c704f5e..152ab87 100755 --- a/usr/local/www/guiconfig.inc +++ b/usr/local/www/guiconfig.inc @@ -147,6 +147,13 @@ $radius_srvcs = array( 'auth' => "Authentication", 'acct' => "Accounting"); +$netbios_nodetypes = array( + '0' => "none", + '1' => "b-node", + '2' => "p-node", + '4' => "m-node", + '5' => "h-node"); + /* some well knows ports */ $wkports = array( 3389 => "MS RDP", @@ -940,4 +947,4 @@ function print_rfc2616_select($tag, $current){ } } -?>
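Review bot: In the guiconfig.inc hunk the new `$netbios_nodetypes` table maps `'5' => "h-node"`, but the standard NetBIOS node-type encoding (DHCP option 46, and the same values OpenVPN's `dhcp-option NBT` expects) is 1 = b-node, 2 = p-node, 4 = m-node, 8 = h-node; 5 is not a defined type. The consumer of this array is not in the diff, so please confirm how the key is emitted, but if it ends up on the wire the entry should read `'8' => "h-node"`. Minor: PHP converts these numeric-string keys to integers anyway, so writing them as bare `0, 1, 2, 4, 8` avoids the false impression that the keys are strings.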
\ No newline at end of file +?> diff --git a/usr/local/www/system_authservers.php b/usr/local/www/system_authservers.php index e85c615..40687cc 100644 --- a/usr/local/www/system_authservers.php +++ b/usr/local/www/system_authservers.php @@ -344,10 +344,8 @@ function radius_srvcschange(){ $tab_array = array(); $tab_array[] = array(gettext("Users"), false, "system_usermanager.php"); $tab_array[] = array(gettext("Groups"), false, "system_groupmanager.php"); - $tab_array[] = array(gettext("CAs"), false, "system_camanager.php"); - $tab_array[] = array(gettext("Certificates"), false, "system_certmanager.php"); - $tab_array[] = array(gettext("Servers"), true, "system_authservers.php"); $tab_array[] = array(gettext("Settings"), false, "system_usermanager_settings.php"); + $tab_array[] = array(gettext("Servers"), true, "system_authservers.php"); display_top_tabs($tab_array); ?> </td> diff --git a/usr/local/www/system_camanager.php b/usr/local/www/system_camanager.php index 168372c..dff286d 100644 --- a/usr/local/www/system_camanager.php +++ b/usr/local/www/system_camanager.php @@ -194,12 +194,8 @@ function method_change() { <td class="tabnavtbl"> <?php $tab_array = array(); - $tab_array[] = array(gettext("Users"), false, "system_usermanager.php"); - $tab_array[] = array(gettext("Groups"), false, "system_groupmanager.php"); $tab_array[] = array(gettext("CAs"), true, "system_camanager.php"); $tab_array[] = array(gettext("Certificates"), false, "system_certmanager.php"); - $tab_array[] = array(gettext("Servers"), false, "system_authservers.php"); - $tab_array[] = array(gettext("Settings"), false, "system_usermanager_settings.php"); display_top_tabs($tab_array); ?> </td> diff --git a/usr/local/www/system_certmanager.php b/usr/local/www/system_certmanager.php index 327aea9..7ca0ff4 100644 --- a/usr/local/www/system_certmanager.php +++ b/usr/local/www/system_certmanager.php 
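Review bot: The second guiconfig.inc hunk keeps the closing `?>` at the end of an include that only declares functions and arrays; any whitespace that later lands after that tag is sent to the client as output and breaks every page that calls header() after requiring this file. Since the commit is already touching that line, dropping the `?>` entirely (leaving the file ending after the last `}`) removes the risk, and the "No newline at end of file" churn goes away with it.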
@@ -316,12 +316,8 @@ function internalca_change() { <td class="tabnavtbl"> <?php $tab_array = array(); - $tab_array[] = array(gettext("Users"), false, "system_usermanager.php"); - $tab_array[] = array(gettext("Groups"), false, "system_groupmanager.php"); $tab_array[] = array(gettext("CAs"), false, "system_camanager.php"); $tab_array[] = array(gettext("Certificates"), true, "system_certmanager.php"); - $tab_array[] = array(gettext("Servers"), false, "system_authservers.php"); - $tab_array[] = array(gettext("Settings"), false, "system_usermanager_settings.php"); display_top_tabs($tab_array); ?> </td> diff --git a/usr/local/www/system_groupmanager.php b/usr/local/www/system_groupmanager.php index 2c848b2..7991a59 100644 --- a/usr/local/www/system_groupmanager.php +++ b/usr/local/www/system_groupmanager.php @@ -225,10 +225,8 @@ function presubmit() { $tab_array = array(); $tab_array[] = array(gettext("Users"), false, "system_usermanager.php"); $tab_array[] = array(gettext("Groups"), true, "system_groupmanager.php"); - $tab_array[] = array(gettext("CAs"), false, "system_camanager.php"); - $tab_array[] = array(gettext("Certificates"), false, "system_certmanager.php"); - $tab_array[] = array(gettext("Servers"), false, "system_authservers.php"); $tab_array[] = array(gettext("Settings"), false, "system_usermanager_settings.php"); + $tab_array[] = array(gettext("Servers"), false, "system_authservers.php"); display_top_tabs($tab_array); ?> </ul> 
@@ -239,19 +237,6 @@ function presubmit() { <?php if($_GET['act']=="new" || $_GET['act']=="edit"): ?> - <script src="/javascript/scriptaculous/prototype.js" type="text/javascript"></script> - <script type="text/javascript"> - function checkall() { - var el = document.getElementById('iform'); - for (var i = 0; i < el.elements.length; i++) - el.elements[i].checked = true; - } - function checknone() { - var el = document.getElementById('iform'); - for (var i = 0; i < el.elements.length; i++) - el.elements[i].checked = false; - } - </script> <form action="system_groupmanager.php" method="post" name="iform" id="iform" onsubmit="presubmit()"> <table width="100%" border="0" cellpadding="6" cellspacing="0"> <?php diff --git a/usr/local/www/system_usermanager.php b/usr/local/www/system_usermanager.php index 979b2fb..665df34 100644 --- a/usr/local/www/system_usermanager.php +++ b/usr/local/www/system_usermanager.php @@ -276,10 +276,8 @@ function presubmit() { $tab_array = array(); $tab_array[] = array(gettext("Users"), true, "system_usermanager.php"); $tab_array[] = array(gettext("Groups"), false, "system_groupmanager.php"); - $tab_array[] = array(gettext("CAs"), false, "system_camanager.php"); - $tab_array[] = array(gettext("Certificates"), false, "system_certmanager.php"); - $tab_array[] = array(gettext("Servers"), false, "system_authservers.php"); $tab_array[] = array(gettext("Settings"), false, "system_usermanager_settings.php"); + $tab_array[] = array(gettext("Servers"), false, "system_authservers.php"); display_top_tabs($tab_array); ?> </td> diff --git a/usr/local/www/system_usermanager_addcert.php b/usr/local/www/system_usermanager_addcert.php index f14c653..3b3a417 100644 --- a/usr/local/www/system_usermanager_addcert.php +++ b/usr/local/www/system_usermanager_addcert.php 
@@ -173,10 +173,8 @@ function internalca_change() { $tab_array = array(); $tab_array[] = array(gettext("Users"), true, "system_usermanager.php"); $tab_array[] = array(gettext("Groups"), false, "system_groupmanager.php"); - $tab_array[] = array(gettext("CAs"), false, "system_camanager.php"); - $tab_array[] = array(gettext("Certificates"), false, "system_usermanager_addcert.php"); - $tab_array[] = array(gettext("Servers"), false, "system_authservers.php"); $tab_array[] = array(gettext("Settings"), false, "system_usermanager_settings.php"); + $tab_array[] = array(gettext("Servers"), false, "system_authservers.php"); display_top_tabs($tab_array); ?> </td> diff --git a/usr/local/www/system_usermanager_settings.php b/usr/local/www/system_usermanager_settings.php index ca89dfa..8f82622 100755 --- a/usr/local/www/system_usermanager_settings.php +++ b/usr/local/www/system_usermanager_settings.php @@ -220,10 +220,8 @@ include("head.inc"); $tab_array = array();
$tab_array[] = array(gettext("Users"), false, "system_usermanager.php");
$tab_array[] = array(gettext("Groups"), false, "system_groupmanager.php");
- $tab_array[] = array(gettext("CAs"), false, "system_camanager.php");
- $tab_array[] = array(gettext("Certificates"), false, "system_certmanager.php");
- $tab_array[] = array(gettext("Servers"), false, "system_authservers.php");
$tab_array[] = array(gettext("Settings"), true, "system_usermanager_settings.php");
+ $tab_array[] = array(gettext("Servers"), false, "system_authservers.php");
display_top_tabs($tab_array);
/* Default to pfsense backend type if none is defined */
diff --git a/usr/local/www/vpn_ipsec_phase1.php b/usr/local/www/vpn_ipsec_phase1.php index f081b45..7c59c00 100644 --- a/usr/local/www/vpn_ipsec_phase1.php +++ b/usr/local/www/vpn_ipsec_phase1.php @@ -304,17 +304,8 @@ if ($_POST) { $ph1ent['pinghost'] = $pconfig['pinghost']; /* generate unique phase1 ikeid */ - if ($ph1ent['ikeid'] == 0) { - while (true) { - $ph1ent['ikeid']++; - foreach ($a_phase1 as $ph1tmp) - if( $ph1ent['ikeid'] == $ph1tmp['ikeid'] ) - break; - - if( $ph1ent['ikeid'] != $ph1tmp['ikeid'] ) - break; - } - } + if ($ph1ent['ikeid'] == 0) + $ph1ent['ikeid'] = ipsec_ikeid_next(); if (isset($p1index) && $a_phase1[$p1index]) $a_phase1[$p1index] = $ph1ent; diff --git a/usr/local/www/vpn_openvpn.php b/usr/local/www/vpn_openvpn.php deleted file mode 100755 index 896a4cc..0000000 --- a/usr/local/www/vpn_openvpn.php +++ /dev/null 
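Review bot: The replacement calls `ipsec_ikeid_next()` but nothing in this hunk requires the file that defines it, so confirm the include providing that helper is already pulled in at the top of vpn_ipsec_phase1.php (outside the hunk); otherwise saving a phase1 entry fails with an undefined-function error. The surviving guard `if ($ph1ent['ikeid'] == 0)` also relies on loose comparison to treat a missing or empty ikeid on a newly created entry as zero; `if (empty($ph1ent['ikeid']))` states that intent and avoids the undefined-index notice. The enclosing `if ($_POST)` block starts and ends outside the hunk.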
@@ -1,363 +0,0 @@ -<?php -/* - vpn_openvpn.php - - Copyright (C) 2004 Peter Curran (peter@closeconsultants.com). - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. 
-*/ - -require("guiconfig.inc"); -require_once("openvpn.inc"); - -if (!is_array($config['ovpn'])) - $config['ovpn'] = array(); -if (!is_array($config['ovpn']['server'])){ - $config['ovpn']['server'] = array(); - $config['ovpn']['server']['tun_iface'] = "tun0"; - $config['ovpn']['server']['psh_options'] = array(); - /* Initialise with some sensible defaults */ - $config['ovpn']['server']['port'] = 5000; - $config['ovpn']['server']['proto'] = 'UDP'; - $config['ovpn']['server']['maxcli'] = 25; - $config['ovpn']['server']['crypto'] = 'BF-CBC'; - $config['ovpn']['server']['dupcn'] = true; - $config['ovpn']['server']['verb'] = 1; -} - -if ($_POST) { - - unset($input_errors); - - /* input validation */ - if (isset($_POST['enable'])) { - $reqdfields = explode(" ", "tun_iface bind_iface ipblock"); - $reqdfieldsn = explode(",", "Tunnel type,Interface binding,IP address block start"); - - do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); - - } - - /* need a test here to make sure prefix and max_clients are coherent */ - - /* Sort out the cert+key files */ - if (is_null($_POST['ca_cert'])) - $input_errors[] = "You must provide a CA certificate file"; - elseif (!strstr($_POST['ca_cert'], "BEGIN CERTIFICATE") || !strstr($_POST['ca_cert'], "END CERTIFICATE")) - $input_errors[] = "The CA certificate does not appear to be valid."; - - if (is_null($_POST['srv_cert'])) - $input_errors[] = "You must provide a server certificate file"; - elseif (!strstr($_POST['srv_cert'], "BEGIN CERTIFICATE") || !strstr($_POST['srv_cert'], "END CERTIFICATE")) - $input_errors[] = "The server certificate does not appear to be valid."; - - if (is_null($_POST['srv_key'])) - $input_errors[] = "You must provide a server key file"; - elseif (!strstr($_POST['srv_key'], "BEGIN RSA PRIVATE KEY") || !strstr($_POST['srv_key'], "END RSA PRIVATE KEY")) - $input_errors[] = "The server key does not appear to be valid."; - - if (is_null($_POST['dh_param'])) - $input_errors[] = "You must provide a 
DH parameters file"; - elseif (!strstr($_POST['dh_param'], "BEGIN DH PARAMETERS") || !strstr($_POST['dh_param'], "END DH PARAMETERS")) - $input_errors[] = "The DH parameters do not appear to be valid."; - - if (!$input_errors) { - $server =& $config['ovpn']['server']; - $server['enable'] = $_POST['enable'] ? true : false; - /* Make sure that the tunnel interface type has not changed */ - if ($server['tun_iface'] != $_POST['tun_iface']){ - $server['tun_iface'] = $_POST['tun_iface']; - - } - - $server['bind_iface'] = $_POST['bind_iface']; - $server['port'] = $_POST['port']; - $server['proto'] = $_POST['proto']; - - /* Make sure the IP address and/or prefix have not changed */ - if ($server['ipblock'] != $_POST['ipblock']){ - $server['ipblock'] = $_POST['ipblock']; - } - if ($server['prefix'] != $_POST['prefix']){ - $server['prefix'] = $_POST['prefix']; - } - - $server['maxcli'] = $_POST['maxcli']; - $server['crypto'] = $_POST['crypto']; - $server['cli2cli'] = $_POST['cli2cli'] ? true : false; - $server['dupcn'] = $_POST['dupcn'] ? true : false; - $server['psh_options']['redir'] = $_POST['psh_redir'] ? true : false; - $server['psh_options']['redir_loc'] = $_POST['psh_redir_loc'] ? 
true : false; - if ($_POST['psh_rtedelay']) - $server['psh_options']['rtedelay'] = $_POST['psh_rtedelay_int']; - if ($_POST['psh_ping']) - $server['psh_options']['ping'] = $_POST['psh_ping_int']; - if ($_POST['psh_pingexit']) - $server['psh_options']['pingexit'] = $_POST['psh_pingexit_int']; - if ($_POST['psh_pingrst']) - $server['psh_options']['pingrst'] = $_POST['psh_pingrst_int']; - if ($_POST['inact']) - $server['psh_options']['inact'] = $_POST['psh_inact_int']; - $server['ca_cert'] = base64_encode($_POST['ca_cert']); - $server['srv_cert'] = base64_encode($_POST['srv_cert']); - $server['srv_key'] = base64_encode($_POST['srv_key']); - $server['dh_param'] = base64_encode($_POST['dh_param']); - - write_config(); - - $retval = 0; - if (file_exists($d_sysrebootreqd_path)) { - /* Rewrite interface definitions */ - $retval = ovpn_server_iface(); - } - else{ - ovpn_lock(); - $retval = ovpn_config_server($server['enable']); - ovpn_unlock(); - } - $savemsg = get_std_save_message($retval); - } -} - -/* Simply take a copy of the array */ -$pconfig = $config['ovpn']['server']; - -$pgtitle = array("VPN","OpenVPN"); -include("head.inc"); - -?> - -<?php include("fbegin.inc"); ?> -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php if ($input_errors) print_input_errors($input_errors); ?> - -<form action="vpn_openvpn.php" method="post" enctype="multipart/form-data" name="iform" id="iform"> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr><td> -<?php - $tab_array = array(); - $tab_array[] = array("Server", true, "vpn_openvpn.php"); - $tab_array[] = array("Client", false, "vpn_openvpn_cli.php"); - display_top_tabs($tab_array); -?> - </td></tr> - <tr> - <td> - <div id="mainarea"> - <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> - <tr> - <td colspan="2"> - <strong><span class="red">WARNING: This feature is experimental and modifies your optional interface configuration. 
- Backup your configuration before using OpenVPN, and restore it before upgrading.<br> - <br> - </span></strong> - </td></tr> - <tr> - <td width="22%" valign="top" class="vtable"> </td> - <td width="78%" class="vtable"> - <input name="enable" type="checkbox" value="yes" <?php if (isset($pconfig['enable'])) echo "checked"; ?>> - <strong>Enable OpenVPN server </strong></td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncellreq">Tunnel type</td> - <td width="78%" class="vtable"> - <input type="radio" name="tun_iface" class="formfld" value="tun0" <?php if ($pconfig['tun_iface'] == 'tun0') echo "checked"; ?>> - TUN - <input type="radio" name="tun_iface" class="formfld" value="tap0" <?php if ($pconfig['tun_iface'] == 'tap0') echo "checked"; ?>> - TAP - </td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncell">OpenVPN protocol/port</td> - <td width="78%" class="vtable"> - <input type="radio" name="proto" class="formfld" value="UDP" <?php if ($pconfig['proto'] == 'UDP') echo "checked"; ?>> - UDP - <input type="radio" name="proto" class="formfld" value="TCP" <?php if ($pconfig['proto'] == 'TCP') echo "checked"; ?>> - TCP<br><br> - Port: - <input name="port" type="text" class="formfld" size="5" maxlength="5" value="<?= $pconfig['port']; ?>"><br> - Enter the port number to use for the server (default is 5000).</td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncellreq">Interface binding</td> - <td width="78%" class="vtable"> - <select name="bind_iface" class="formfld"> - <?php - $interfaces = ovpn_real_interface_list(); - foreach ($interfaces as $key => $iface): - ?> - <option value="<?=$key;?>" <?php if ($key == $pconfig['bind_iface']) echo "selected"; ?>> <?= $iface;?> - </option> - <?php endforeach;?> - </select> - <span class="vexpl"><br> - Choose an interface for the OpenVPN server to listen on.</span></td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncellreq">IP address block</td> - <td width="78%" class="vtable"> - <input 
name="ipblock" type="text" class="formfld" size="20" value="<?=htmlspecialchars($pconfig['ipblock']);?>"> - / - <select name="prefix" class="formfld"> - <?php for ($i = 29; $i > 19; $i--): ?> - <option value="<?=$i;?>" <?php if ($i == $pconfig['prefix']) echo "selected"; ?>> - <?=$i;?> - </option> - <?php endfor; ?> - </select> - <br> - Enter the IP address block for the OpenVPN server and clients to use.<br> - <br> - Maximum number of simultaneous clients: - <input name="maxcli" type="text" class="formfld" size="3" maxlength="3" value="<?=htmlspecialchars($pconfig['maxcli']);?>"> - </td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncellreq">CA certificate</td> - <td width="78%" class="vtable"> - <textarea name="ca_cert" cols="65" rows="4" class="formpre"><?=htmlspecialchars(base64_decode($pconfig['ca_cert']));?></textarea> - <br> - Paste a CA certificate in X.509 PEM format here.</td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncellreq">Server certificate</td> - <td width="78%" class="vtable"> - <textarea name="srv_cert" cols="65" rows="4" class="formpre"><?=htmlspecialchars(base64_decode($pconfig['srv_cert']));?></textarea> - <br> - Paste a server certificate in X.509 PEM format here.</td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncellreq">Server key</td> - <td width="78%" class="vtable"> - <textarea name="srv_key" cols="65" rows="4" class="formpre"><?=htmlspecialchars(base64_decode($pconfig['srv_key']));?></textarea> - <br>Paste the server RSA private key here.</td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncellreq">DH parameters</td> - <td width="78%" class="vtable"> - <textarea name="dh_param" cols="65" rows="4" class="formpre"><?=htmlspecialchars(base64_decode($pconfig['dh_param']));?></textarea> - <br> - Paste the Diffie-Hellman parameters in PEM format here.</td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncell">Crypto</td> - <td width="78%" class="vtable"> - <select name="crypto" 
class="formfld"> - <?php $cipher_list = ovpn_get_cipher_list(); - foreach($cipher_list as $key => $value){ - ?> - <option value="<?= $key ?>" <?php if ($pconfig['crypto'] == $key) echo "selected"; ?>> - <?= $value ?> - </option> - <?php - } - ?> - </select> - <br> - Select a data channel encryption cipher.</td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncell">Internal routing mode</td> - <td width="78%" class="vtable"> - <input name="cli2cli" type="checkbox" value="yes" <?php if (isset($pconfig['cli2cli'])) echo "checked"; ?>> - <strong>Enable client-to-client routing</strong><br> - If this option is on, clients are allowed to talk to each other.</td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncell">Client authentication</td> - <td width="78%" class="vtable"> - <input name="dupcn" type="checkbox" value="yes" <?php if (isset($pconfig['dupcn'])) echo "checked"; ?>> - <strong>Permit duplicate client certificates</strong><br> - If this option is on, clients with duplicate certificates will not be disconnected.</td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncell">Client-push options</td> - <td width="78%" class="vtable"> - <table border="0" cellspacing="0" cellpadding="0"> - <tr> - <td><input type="checkbox" name="psh_redir" value="yes" <?php if (isset($pconfig['psh_options']['redir'])) echo "checked"; ?>> - Redirect-gateway</td> - <td> </td> - <td><input type="checkbox" name="psh_redir_loc" value="yes" <?php if (isset($pconfig['psh_options']['redir_loc'])) echo "checked"; ?>> - Local</td> - </tr> - <tr> - <td><input type="checkbox" name="psh_rtedelay" value="yes" <?php if (isset($pconfig['psh_options']['rtedelay'])) echo "checked"; ?>> Route-delay</td> - <td width="16"> </td> - <td><input type="text" name="psh_rtedelay_int" class="formfld" size="4" value="<?= $pconfig['psh_options']['rtedelay']?>"> seconds</td> - </tr> - <tr> - <td><input type="checkbox" name="psh_inact" value="yes" <?php if 
(isset($pconfig['psh_options']['inact'])) echo "checked"; ?>> - Inactive</td> - <td> </td> - <td><input type="text" name="psh_inact_int" class="formfld" size="4" value="<?= $pconfig['psh_options']['inact']?>"> - seconds</td> - </tr> - <tr> - <td><input type="checkbox" name="psh_ping" value="yes" <?php if (isset($pconfig['psh_options']['ping'])) echo "checked"; ?>> Ping</td> - <td> </td> - <td>Interval: <input type="text" name="psh_ping_int" class="formfld" size="4" value="<?= $pconfig['psh_options']['ping']?>"> seconds</td> - </tr> - <tr> - <td><input type="checkbox" name="psh_pingexit" value="yes" <?php if (isset($pconfig['psh_options']['pingexit'])) echo "checked"; ?>> Ping-exit</td> - <td> </td> - <td>Interval: <input type="text" name="psh_pingexit_int" class="formfld" size="4" value="<?= $pconfig['psh_options']['pingexit']?>"> seconds</td> - </tr> - <tr> - <td><input type="checkbox" name="psh_pingrst" value="yes" <?php if (isset($pconfig['psh_options']['pingrst'])) echo "checked"; ?>> Ping-restart</td> - <td> </td> - <td>Interval: <input type="text" name="psh_pingrst_int" class="formfld" size="4" value="<?= $pconfig['psh_options']['pingrst']?>"> seconds</td> - </tr> - </table></td> - </tr> - <tr> - <td width="22%" valign="top"> </td> - <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="Save"> - </td> - </tr> - <tr> - <td width="22%" valign="top"> </td> - <td width="78%"><span class="vexpl"><span class="red"><strong>Note:<br> - </strong></span>Changing any settings on this page will disconnect all clients!</span> - </td> - </tr> - </table> - </div> -</td> -</tr> -</table> -</form> -<?php include("fend.inc"); ?> diff --git a/usr/local/www/vpn_openvpn_ccd.php b/usr/local/www/vpn_openvpn_ccd.php deleted file mode 100755 index d8c236d..0000000 --- a/usr/local/www/vpn_openvpn_ccd.php +++ /dev/null 
@@ -1,211 +0,0 @@ -<?php -/* - vpn_openvpn_ccd.php - - Copyright (C) 2005 Peter Allgeyer (allgeyer@web.de). - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ - -require("guiconfig.inc"); -require_once("openvpn.inc"); - -if (!is_array($config['ovpn'])) - $config['ovpn'] = array(); -if (!is_array($config['ovpn']['server'])){ - $config['ovpn']['server'] = array(); - $config['ovpn']['server']['tunnel'] = array(); -} -if (!is_array($config['ovpn']['server']['ccd'])) - $config['ovpn']['server']['ccd'] = array(); - -$ovpnccd = &$config['ovpn']['server']['ccd']; - -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; - - -if ($_POST['apply']) { - $retval = 0; - - $retval = ovpn_server_ccd_add(); - -# -# /* should we send a SIGUSR1 to openvpn daemon? 
*/ -# foreach ($config['ovpn']['server']['tunnel'] as $id => $server) { -# /* get tunnel interface */ -# $tun = $server['tun_iface']; -# -# /* send SIGUSR1 to running openvpn daemon */ -# if (isset($server['enable'])) -# sigkillbypid($g['varrun_path']."/ovpn_srv_{$tun}.pid", "SIGUSR1"); -# } -# - - /* remove dirty flag */ - unlink_if_exists($d_ovpnccddirty_path); - - $savemsg = get_std_save_message($retval); -} - -if ($_GET['act'] == "del") { - if ($ovpnccd[$id]) { - $ovpnent = $ovpnccd[$id]; - - unset($ovpnccd[$id]); - write_config(); - - /* Remove config files */ - ovpn_server_ccd_del($ovpnent['cn']); - - header("Location: vpn_openvpn_ccd.php"); - exit; - } - -} else if ($_GET['act'] == "toggle") { - if ($ovpnccd[$_GET['id']]) { - $ovpnccd[$_GET['id']]['enable'] = !isset($ovpnccd[$_GET['id']]['enable']); - write_config(); - touch($d_ovpnccddirty_path); - header("Location: vpn_openvpn_ccd.php"); - exit; - } -} - -$pgtitle = array("VPN","OpenVPN"); -include("head.inc"); - -?> -<?php include("fbegin.inc"); ?> -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> - -<?php if ($input_errors) print_input_errors($input_errors); ?> -<?php if (file_exists($d_sysrebootreqd_path) && !file_exists($d_ovpnccddirty_path)) print_info_box(get_std_save_message(0)); ?> - -<form action="vpn_openvpn_ccd.php" method="post" enctype="multipart/form-data" name="iform" id="iform"> -<?php if (file_exists($d_ovpnccddirty_path)): ?><p> -<?php print_info_box_np("OpenVPN client-specific configuration options have been changed.<br>You must apply the changes in order for them to take effect.");?> -<?php endif; ?> - -<table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr><td> -<?php - $tab_array = array(); - $tab_array[] = array("Server", false, "vpn_openvpn_srv.php"); - $tab_array[] = array("Client", false, "vpn_openvpn_cli.php"); - $tab_array[] = array("Client-specific Configuration", true, "vpn_openvpn_ccd.php"); - $tab_array[] = array("CRL", false, "vpn_openvpn_crl.php"); - 
display_top_tabs($tab_array); -?> - </td></tr> - - <tr> - <td> - <div id="mainarea"> - <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> - <td class="vtable"> - <strong><span class="red">WARNING: This feature is experimental and modifies your optional interface configuration. - Backup your configuration before using OpenVPN, and restore it before upgrading. - </span></strong> - </td> - </tr> - </table> - - <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td width="5%" class="list"> </td> - <td width="38%" class="listhdrr">Common Name</td> - <td width="47%" class="listhdr">Description</td> - <td width="10%" class="list"></td> - </tr> - <?php $i = 0; foreach ($ovpnccd as $ccd): - - if (isset($ccd['disable'])) - $iconfn = "block"; - else - $iconfn = "pass"; - - if (!isset($ccd['enable'])) { - $spans = "<span class=\"gray\">"; - $spane = "</span>"; - $iconfn .= "_d"; - } else { - $spans = $spane = ""; - } - ?> - - <tr> - <td class="listt" align="center"> - <a href="?act=toggle&id=<?=$i;?>"><img src="<?=$iconfn;?>.gif" - width="11" height="11" border="0" title="click to toggle enabled/disabled status"></a> - </td> - <td class="listlr"><?=$spans;?> - <?= $ccd['cn'];?> - <?=$spane;?></td> - <td class="listbg"><?=$spans;?> - <?= htmlspecialchars($ccd['descr']);?> - <?=$spane;?></td> - <td valign="middle" nowrap class="list"><a href="vpn_openvpn_ccd_edit.php?id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit client-specific configuration" width="17" height="17" border="0"></a> - <a href="vpn_openvpn_ccd.php?act=del&id=<?=$i;?>" onclick="return confirm('Do you really want to delete this client-specific configuration?')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete client-specific configuration" width="17" height="17" border="0"></a></td> - </tr> - <?php $i++; endforeach; ?> - <tr> - <td class="list" colspan="3"> </td> - <td 
class="list"><a href="vpn_openvpn_ccd_edit.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add client-specific configuration" width="17" height="17" border="0"></a></td> - </tr> - </table> - <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> - <tr> - <td width="16"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_pass.gif" width="11" height="11"></td> - <td>pass</td> - <td width="14"></td> - <td width="16"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_block.gif" width="11" height="11"></td> - <td>block</td> - <td width="14"></td> - <td width="16"> </td> - <td> </td> - <td width="14"></td> - <td width="16"> </td> - <td> </td> - </tr> - <tr> - <td><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_pass_d.gif" width="11" height="11"></td> - <td nowrap>pass (disabled)</td> - <td> </td> - <td><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_block_d.gif" width="11" height="11"></td> - <td nowrap>block (disabled)</td> - <td> </td> - <td> </td> - <td nowrap> </td> - <td> </td> - <td width="16"> </td> - <td nowrap> </td> - </tr> - </table> - </td> -</tr> -</table> -</form> -<?php include("fend.inc"); ?> diff --git a/usr/local/www/vpn_openvpn_ccd_edit.php b/usr/local/www/vpn_openvpn_ccd_edit.php deleted file mode 100755 index 4affb4a..0000000 --- a/usr/local/www/vpn_openvpn_ccd_edit.php +++ /dev/null 
@@ -1,420 +0,0 @@
-<?php
-/*
- vpn_openvpn_ccd_edit.php
-
- Copyright (C) 2005 Peter Allgeyer (allgeyer@web.de).
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/ - -$pgtitle = array("VPN", "OpenVPN", "Edit client-specific configuration"); -require("guiconfig.inc"); -require_once("openvpn.inc"); - -if (!is_array($config['ovpn'])) - $config['ovpn'] = array(); -if (!is_array($config['ovpn']['server'])) - $config['ovpn']['server'] = array(); -if (!is_array($config['ovpn']['server']['ccd'])) - $config['ovpn']['server']['ccd'] = array(); - -$ovpnccd =& $config['ovpn']['server']['ccd']; - -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; - -if (isset($id) && $ovpnccd[$id]) { - - $pconfig = $config['ovpn']['server']['ccd'][$id]; - - if (isset($ovpnccd[$id]['enable'])) - $pconfig['enable'] = true; - - if (is_array($config['ovpn']['server']['ccd'][$id]['options'])) { - $pconfig['options'] = ""; - foreach ($ovpnccd[$id]['options']['option'] as $optent) { - $pconfig['options'] .= $optent . "\n"; - } - $pconfig['options'] = rtrim($pconfig['options']); - } - -} else { - /* creating - set defaults */ - $pconfig = array(); - $pconfig['enable'] = true; -} - -if ($_POST) { - - unset($input_errors); - $pconfig = $_POST; - - /* input validation */ - $reqdfields = explode(" ", "cn"); - $reqdfieldsn = explode(",", "Common name"); - - do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); - - if (preg_match("/[^a-zA-Z0-9\.\-_\:\/\@]/", $_POST['cn'])) - $input_errors[] = "The common name contains invalid characters."; - - if ($_POST['psh_pingrst'] && $_POST['psh_pingexit']) - $input_errors[] = "Ping-restart and Ping-exit are mutually exclusive and cannot be used together"; - - if ($_POST['psh_rtedelay'] && !is_numeric($_POST['psh_rtedelay_int'])) - $input_errors[] = "Route-delay needs a numerical interval setting."; - - if ($_POST['psh_inact'] && !is_numeric($_POST['psh_inact_int'])) - $input_errors[] = "Inactive needs a numerical interval setting."; - - if ($_POST['psh_ping'] && !is_numeric($_POST['psh_ping_int'])) - $input_errors[] = "Ping needs a numerical interval setting."; - - if ($_POST['psh_pingexit'] 
&& !is_numeric($_POST['psh_pingexit_int'])) - $input_errors[] = "Ping-exit needs a numerical interval setting."; - - if ($_POST['psh_pingrst'] && !is_numeric($_POST['psh_pingrst_int'])) - $input_errors[] = "Ping-restart needs a numerical interval setting."; - - /* Editing an existing entry? */ - if (!$input_errors && !(isset($id) && $ovpnccd[$id])) { - /* make sure there are no dupes */ - foreach ($ovpnccd as $ccdent) { - if ($ccdent['cn'] == $_POST['cn']) { - $input_errors[] = "Another entry with the same common name already exists."; - break; - } - } - } - - if (isset($id) && $ovpnccd[$id]) { - $ccdent = $ovpnccd[$id]; - - /* Has the enable/disable state changed? */ - if (isset($ccdent['enable']) && isset($_POST['disabled'])) { - /* status changed to disabled */ - touch($d_ovpnccddirty_path); - } - - /* status changed to enable */ - if (!isset($ccdent['enable']) && !isset($_POST['disabled'])) { - /* touch($d_sysrebootreqd_path); */ - touch($d_ovpnccddirty_path); - } - } - - if (!$input_errors) { - - $ccdent = array(); - - if (isset($id) && $ovpnccd[$id]) - $ccdent = $ovpnccd[$id]; - - $ccdent['cn'] = $_POST['cn']; - $ccdent['descr'] = $_POST['descr']; - $ccdent['enable'] = $_POST['disabled'] ? false : true; - $ccdent['disable'] = $_POST['disable'] ? true : false; - - - if (!is_array($options)) - $options = array(); - if (!is_array($ccdent['options'])) - $ccdent['options'] = array(); - - $options['option'] = array_map('trim', explode("\n", trim($_POST['options']))); - $ccdent['options'] = $options; - - $ccdent['psh_reset'] = $_POST['psh_reset'] ? true : false; - $ccdent['psh_options']['redir'] = $_POST['psh_redir'] ? true : false; - $ccdent['psh_options']['redir_loc'] = $_POST['psh_redir_loc'] ? true : false; - $ccdent['psh_options']['rtedelay'] = $_POST['psh_rtedelay'] ? true : false; - $ccdent['psh_options']['inact'] = $_POST['psh_inact'] ? true : false; - $ccdent['psh_options']['ping'] = $_POST['psh_ping'] ? 
true : false; - $ccdent['psh_options']['pingrst'] = $_POST['psh_pingrst'] ? true : false; - $ccdent['psh_options']['pingexit'] = $_POST['psh_pingexit'] ? true : false; - - unset($ccdent['psh_options']['rtedelay_int']); - unset($ccdent['psh_options']['inact_int']); - unset($ccdent['psh_options']['ping_int']); - unset($ccdent['psh_options']['pingrst_int']); - unset($ccdent['psh_options']['pingexit_int']); - - if ($_POST['psh_rtedelay_int']) - $ccdent['psh_options']['rtedelay_int'] = $_POST['psh_rtedelay_int']; - if ($_POST['psh_inact_int']) - $ccdent['psh_options']['inact_int'] = $_POST['psh_inact_int']; - if ($_POST['psh_ping_int']) - $ccdent['psh_options']['ping_int'] = $_POST['psh_ping_int']; - if ($_POST['psh_pingrst_int']) - $ccdent['psh_options']['pingrst_int'] = $_POST['psh_pingrst_int']; - if ($_POST['psh_pingexit_int']) - $ccdent['psh_options']['pingexit_int'] = $_POST['psh_pingexit_int']; - - if (isset($id) && $ovpnccd[$id]) - $ovpnccd[$id] = $ccdent; - else - $ovpnccd[] = $ccdent; - - write_config(); - touch($d_ovpnccddirty_path); - - header("Location: vpn_openvpn_ccd.php"); - exit; - - } else { - - $pconfig = $_POST; - - $pconfig['enable'] = "true"; - if (isset($_POST['disabled'])) - unset($pconfig['enable']); - - $pconfig['psh_reset'] = $_POST['psh_reset']; - $pconfig['psh_options']['redir'] = $_POST['psh_redir']; - $pconfig['psh_options']['redir_loc'] = $_POST['psh_redir_loc']; - $pconfig['psh_options']['rtedelay'] = $_POST['psh_rtedelay']; - $pconfig['psh_options']['inact'] = $_POST['psh_inact']; - $pconfig['psh_options']['ping'] = $_POST['psh_ping']; - $pconfig['psh_options']['pingrst'] = $_POST['psh_pingrst']; - $pconfig['psh_options']['pingexit'] = $_POST['psh_pingexit']; - - $pconfig['psh_options']['rtedelay_int'] = $_POST['psh_rtedelay_int']; - $pconfig['psh_options']['inact_int'] = $_POST['psh_inact_int']; - $pconfig['psh_options']['ping_int'] = $_POST['psh_ping_int']; - $pconfig['psh_options']['pingrst_int'] = $_POST['psh_pingrst_int']; - 
$pconfig['psh_options']['pingexit_int'] = $_POST['psh_pingexit_int']; - } -} - -$pgtitle = "VPN: OpenVPN: Edit client-specific configuration"; -include("head.inc"); - -?> -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php include("fbegin.inc"); ?> -<?php if ($input_errors) print_input_errors($input_errors);?> -<script language="JavaScript"> -function enable_change(enable_over) { - var endis; - endis = !(!document.iform.disabled.checked || enable_over); - - document.iform.cn.disabled = endis; - document.iform.disable.disabled = endis; - document.iform.descr.disabled = endis; - document.iform.psh_reset.disabled = endis; - document.iform.psh_redir.disabled = endis; - document.iform.psh_redir_loc.disabled = endis; - document.iform.psh_rtedelay.disabled = endis; - document.iform.psh_rtedelay_int.disabled = endis; - document.iform.psh_inact.disabled = endis; - document.iform.psh_inact_int.disabled = endis; - document.iform.psh_ping.disabled = endis; - document.iform.psh_ping_int.disabled = endis; - document.iform.psh_pingexit.disabled = endis; - document.iform.psh_pingexit_int.disabled = endis; - document.iform.psh_pingrst.disabled = endis; - document.iform.psh_pingrst_int.disabled = endis; - document.iform.options.disabled = endis; - - if (!document.iform.disabled.checked) { - push_change(false); - disable_change(false); - } - -} - -function disable_change(enable_over) { - var endis; - endis = !(!document.iform.disable.checked || enable_over); - - document.iform.psh_reset.disabled = endis; - document.iform.psh_redir.disabled = endis; - document.iform.psh_redir_loc.disabled = endis; - document.iform.psh_rtedelay.disabled = endis; - document.iform.psh_rtedelay_int.disabled = endis; - document.iform.psh_inact.disabled = endis; - document.iform.psh_inact_int.disabled = endis; - document.iform.psh_ping.disabled = endis; - document.iform.psh_ping_int.disabled = endis; - document.iform.psh_pingexit.disabled = endis; - document.iform.psh_pingexit_int.disabled = 
endis; - document.iform.psh_pingrst.disabled = endis; - document.iform.psh_pingrst_int.disabled = endis; - document.iform.options.disabled = endis; - - if (!document.iform.disable.checked) { - push_change(enable_over); - } - -} - -function push_change(enable_over) { - var endis; - endis = !(document.iform.psh_reset.checked || enable_over); - - document.iform.psh_redir.disabled = endis; - document.iform.psh_redir_loc.disabled = endis; - document.iform.psh_rtedelay.disabled = endis; - document.iform.psh_rtedelay_int.disabled = endis; - document.iform.psh_inact.disabled = endis; - document.iform.psh_inact_int.disabled = endis; - document.iform.psh_ping.disabled = endis; - document.iform.psh_ping_int.disabled = endis; - document.iform.psh_pingexit.disabled = endis; - document.iform.psh_pingexit_int.disabled = endis; - document.iform.psh_pingrst.disabled = endis; - document.iform.psh_pingrst_int.disabled = endis; -} - -//--> -</script> -<form action="vpn_openvpn_ccd_edit.php" method="post" enctype="multipart/form-data" name="iform" id="iform"> -<strong><span class="red">WARNING: This feature is experimental and modifies your optional interface configuration. 
- Backup your configuration before using OpenVPN, and restore it before upgrading.<br> <br> -</span></strong> -<table width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> - <td width="22%" valign="top" class="vncellreq">Disabled</td> - <td width="78%" class="vtable"> - <input name="disabled" type="checkbox" value="yes" onclick="enable_change(false)" <?php if (!isset($pconfig['enable'])) echo "checked"; ?>> - <strong>Disable this entry</strong><br> - <span class="vexpl">Set this option to disable this client-specific configuration - without removing it from the list.</span></td> - </td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncellreq">Common Name</td> - <td width="78%" class="vtable"> - <input name="cn" type="text" class="formfld" id="cn" size="40" value="<?=htmlspecialchars($pconfig['cn']);?>"> - <br><span class="vexpl">Enter client's X.509 common name here.</span></td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncell">Description</td> - <td width="78%" class="vtable"> - <input name="descr" type="text" class="formfld" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>"> - <br><span class="vexpl">You may enter a description here for your reference (not parsed).</span></td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncell">Block client</td> - <td width="78%" class="vtable"> - <input name="disable" type="checkbox" value="yes" onclick="disable_change(false)" <?php if (isset($pconfig['disable'])) echo "checked"; ?>> - <strong>Disable this client from connecting</strong><br> - <span class="vexpl">Disable a particular client (based on the common name) from connecting. - Don't use this option to disable a client due to key - or password compromise. 
Use a CRL (certificate revocation list) - instead.</span></td> - </td> - </tr> - - <tr> - <tr> - <td colspan="2" valign="top" height="16"></td> - </tr> - <tr> - <td colspan="2" valign="top" class="listtopic">Push options</td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncell">Client-Push Inheritation</td> - <td width="78%" class="vtable"> - <input type="checkbox" name="psh_reset" value="yes" onchange="push_change(false)" <?php if (isset($pconfig['psh_reset'])) echo "checked"; ?>>Push reset - <br><span class="vexpl">Set this option to on, if you don't want to inherit - the global push list for this client from the server page.</span> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell">Client-push options</td> - <td width="78%" class="vtable"> - <table border="0" cellspacing="0" cellpadding="0"> - <tr> - <td><input type="checkbox" name="psh_redir" value="yes" <?php if (isset($pconfig['psh_options']['redir'])) echo "checked"; ?>> - Redirect-gateway</td> - <td> </td> - <td><input type="checkbox" name="psh_redir_loc" value="yes" <?php if (isset($pconfig['psh_options']['redir_loc'])) echo "checked"; ?>> - Local</td> - </tr> - <tr> - <td><input type="checkbox" name="psh_rtedelay" value="yes" <?php if (isset($pconfig['psh_options']['rtedelay'])) echo "checked"; ?>> Route-delay</td> - <td width="16"> </td> - <td><input type="text" name="psh_rtedelay_int" class="formfld" size="4" value="<?= $pconfig['psh_options']['rtedelay_int']?>"> seconds</td> - </tr> - <tr> - <td><input type="checkbox" name="psh_inact" value="yes" <?php if (isset($pconfig['psh_options']['inact'])) echo "checked"; ?>> - Inactive</td> - <td> </td> - <td><input type="text" name="psh_inact_int" class="formfld" size="4" value="<?= $pconfig['psh_options']['inact_int']?>"> - seconds</td> - </tr> - <tr> - <td><input type="checkbox" name="psh_ping" value="yes" <?php if (isset($pconfig['psh_options']['ping'])) echo "checked"; ?>> Ping</td> - <td> </td> - <td>Interval: <input 
type="text" name="psh_ping_int" class="formfld" size="4" value="<?= $pconfig['psh_options']['ping_int']?>"> seconds</td> - </tr> - <tr> - <td><input type="checkbox" name="psh_pingexit" value="yes" <?php if (isset($pconfig['psh_options']['pingexit'])) echo "checked"; ?>> Ping-exit</td> - <td> </td> - <td>Interval: <input type="text" name="psh_pingexit_int" class="formfld" size="4" value="<?= $pconfig['psh_options']['pingexit_int']?>"> seconds</td> - </tr> - <tr> - <td><input type="checkbox" name="psh_pingrst" value="yes" <?php if (isset($pconfig['psh_options']['pingrst'])) echo "checked"; ?>> Ping-restart</td> - <td> </td> - <td>Interval: <input type="text" name="psh_pingrst_int" class="formfld" size="4" value="<?= $pconfig['psh_options']['pingrst_int']?>"> seconds</td> - </tr> - </table></td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncell">Custom client options</td> - <td width="78%" class="vtable"> - <span>The following options are legal in a client-specific context:<br> - push, push-reset, iroute, ifconfig-push and config.</span><br> - <textarea name="options" id="options" cols="65" rows="4" class="formpre"><?=htmlspecialchars($pconfig['options']);?></textarea> - <strong><span class="red">Note:</span></strong><br> - Commands in here aren't supported.</span></strong> - </td> - </tr> - - <tr> - <td width="22%" valign="top"> </td> - <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="Save" onclick="enable_change(true);disable_change(true)"> - <?php if (isset($id)): ?> - <input name="id" type="hidden" value="<?=$id;?>"> - <?php endif; ?> - </td> - </tr> -</table> -</form> -<script language="JavaScript"> -<!-- -disable_change(false); -push_change(false); -enable_change(false); -//--> -</script> -<?php include("fend.inc"); -?> diff --git a/usr/local/www/vpn_openvpn_certs.php b/usr/local/www/vpn_openvpn_certs.php deleted file mode 100644 index 72bc9d1..0000000 --- a/usr/local/www/vpn_openvpn_certs.php +++ /dev/null 
@@ -1,123 +0,0 @@
-<?php
-/*
- vpn_openvpn_certs.php
- part of pfSense
-
- Copyright (C) 2008 Ermal Luçi
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-require("guiconfig.inc");
-
-$pgtitle = array("OpenVPN", "Certificate management");
-$ovpncapath = $g['varetc_path']."/openvpn/certificates";
-
-if ($_GET['reset']) {
- mwexec("killall -9 openssl");
- if (is_dir($_GET['reset']))
- mwexec("rm -rf $ovpncapath/".$_GET['reset']);
-}
-if ($_GET['delete']) {
- if (!is_dir($ovpncapath."/".$_GET['delete']))
- $input_error[] = "Certificate does not exist!";
- else
- mwexec("rm -rf ".$g['varetc_path']."/openvpn/certificates/".$_GET['delete']);
- if (is_array($config['openvpn']['keys'])) {
- if (is_array($config['openvpn']['keys'][$_GET['delete']])) {
- unset($config['openvpn']['keys'][$_GET['delete']]);
- if (count($config['openvpn']['keys']) < 1)
- unset($config['openvpn']);
- write_config();
- }
- }
-}
-
-if (!is_array($config['openvpn']['keys']))
- $config['openvpn']['keys'] = array();
-$certificates = &$config['openvpn']['keys'];
-
-include("head.inc");
-?>
-
- <body link="#0000CC" vlink="#0000CC" alink="#0000CC">
- <?php include("fbegin.inc"); ?>
-<?php if ($input_errors) print_input_errors($input_errors); ?>
-
-<form action="vpn_openvpn_certs.php" method="post" name="iform" id="iform">
-<?php if ($savemsg) print_info_box($savemsg); ?>
-
- <table width="100%" border="0" cellpadding="6" cellspacing="0" >
- <tr><td>
-<?php
- $tab_array = array();
- $tab_array[] = array("Server", false, "/pkg.php?xml=openvpn.xml");
- $tab_array[] = array("Client", false, "/pkg.php?xml=openvpn_cli.xml");
- $tab_array[] = array("Client-specific overrides", false, "/pkg.php?xml=openvpn_csc.xml");
- $tab_array[] = array("Certificate Authority", true, "/vpn_openvpn_certs.php");
- $tab_array[] = array("Users", false, "vpn_openvpn_users.php");
- display_top_tabs($tab_array);
-?>
- </td></tr>
- <tr><td>
- <table class="tabcont" width="100%" border="0" cellpadding="2" cellspacing="0">
- <tr>
- <td class="listhdrr" width="35%">Certificates</td>
- <td width="60%" class="listhdrr">Expires</td></tr>
- <?php foreach ($certificates as $cert => 
$ca) { ?>
- <tr class="vtable">
- <td class="listlr" width="35%">
- <?php
- if($ca['descr'])
- echo $ca['descr'];
- else
- echo $cert;
- ?>
- </td>
- <td class="listr" width="60%">
- <?=$ca['caexpire'];?>
- </td>
- <td><a href="
-<?php
- if ($ca['existing'] == "yes")
- echo "vpn_openvpn_certs_existing.php?ca=$cert";
- else
- echo "vpn_openvpn_certs_create.php?ca=$cert";
-?>
- "><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit rule" width="17" height="17" border="0"></a></td>
- <td><a href="vpn_openvpn_certs.php?delete=<?=$cert;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="<?=gettext("delete certificate");?>" width="17" height="17" border="0" alt="" /></a></td>
- </tr>
- <?php } ?>
- <tr><td colspan="2"></td><td><a href="vpn_openvpn_certs_create.php?add=true"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="<?=gettext("add a new certificate");?>" width="17" height="17" border="0" alt="" /></a></td></tr>
- <tr>
- <td colspan="2" >To import existing certificates please <a href="vpn_openvpn_certs_existing.php">
- click this link.</a>
- </td></tr>
- </table>
- </td></tr>
- </table>
- <?php include("fend.inc"); ?>
-</body>
-</html>
-
-
diff --git a/usr/local/www/vpn_openvpn_certs_create.php b/usr/local/www/vpn_openvpn_certs_create.php
deleted file mode 100644
index 294e441..0000000
--- a/usr/local/www/vpn_openvpn_certs_create.php
+++ /dev/null
@@ -1,320 +0,0 @@
-<?php
-/* $Id$ */
-/*
- vpn_openvpn_certs_create.php
- part of pfSense
-
- Copyright (C) 2004 Scott Ullrich
- Copyright (C) 2008 Ermal Luçi
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-##|+PRIV
-##|*IDENT=page-vpn-openvpn-createcerts
-##|*NAME=VPN: OpenVPN: Create Certs page
-##|*DESCR=Allow access to the 'VPN: OpenVPN: Create Certs' page.
-##|*MATCH=vpn_openvpn_certs_create.php*
-##|-PRIV
-
-
-require("globals.inc");
-require("guiconfig.inc");
-
-$pgtitle = array("VPN", "OpenVPN", "Create Certs");
-
-$ovpncapath = $g['varetc_path'] . 
"/openvpn/certificates"; -$easyrsapath = $g['easyrsapath']; - -$edit_mode = true; -if($_GET['add'] == "true") - $edit_mode = false; - -if ($_GET['ca']) { - if ($config['openvpn']['keys'][$_GET['ca']]) { - $data = &$config['openvpn']['keys'][$_GET['ca']]; - $caname = trim($_GET['ca']); - $cakeysize = $data['keysize']; - $caexpire = $data['caexpire']; - $cakeyexpire = $data['keyexpire']; - $countrycode= $data['keycountry']; - $descr = $data['descr']; - $stateorprovince= $data['keyprovince']; - $cityname= $data['keycity']; - $orginizationname= $data['keyorg']; - $email = $data['keyemail']; - $authmode = $data['auth_method']; - $edit_mode = true; - } else { - $input_errors[] = "Certificate does not exist."; - } -} - -if ($_POST) { - if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['descr'])) - $input_errors[] = "Description contains invalid characters."; - $descr = $_POST['descr']; - $cakeysize = $_POST['cakeysize']; - $caexpire = $_POST['caexpire']; - $cakeyexpire = $_POST['cakeyexpire']; - $countrycode=$_POST['countrycode']; - $stateorprovince=$_POST['stateorprovince']; - $cityname=$_POST['cityname']; - $orginizationname=$_POST['orginizationname']; - $email = $_POST['email']; - $authmode = $_POST['auth_method']; - $caname = trim(strtolower($_POST['descr'])); - - if ($caname) { - - /* XXX: do more input validation */ - - /* Create sane environment for easyrsa scripts */ - conf_mount_rw(); - if (!is_dir($g['varetc_path']."/openvpn")) - safe_mkdir($g['varetc_path']."/openvpn"); - - if (!is_dir($ovpncapath)) - safe_mkdir($ovpncapath); - else - mwexec("rm -rf $ovpncapath/$caname"); - - safe_mkdir("$ovpncapath/$caname", 0755); - mwexec("cp -r $easyrsapath ".$g['varetc_path']."/openvpn/"); - - if (!is_dir("$ovpncapath/$caname")) { - $input_errors[] = "Failed to create $ovpncapath/$caname environment certificate environment."; - Header("Location: vpn_openvpn_certs_create.php"); - } - - $fd = fopen($ovpncapath . 
"/$caname/vars", "w"); - fwrite($fd, "#!/bin/tcsh\n"); - fwrite($fd, "setenv EASY_RSA \"$easyrsapath\" \n"); - fwrite($fd, "setenv OPENSSL \"`which openssl`\"\n"); - fwrite($fd, "setenv PKCS11TOOL \"pkcs11-tool\" \n"); - fwrite($fd, "setenv GREP \"grep\" \n"); - fwrite($fd, "setenv KEY_CONFIG \"`$ovpncapath/whichopensslcnf $ovpncapath`\" \n"); - fwrite($fd, "setenv KEY_DIR \"$ovpncapath/$caname\" \n"); - fwrite($fd, "setenv KEY_SIZE \"$cakeysize\" \n"); - fwrite($fd, "setenv CA_EXPIRE \"$caexpire\" \n"); - fwrite($fd, "setenv KEY_EXPIRE \"$cakeyexpire\" \n"); - fwrite($fd, "setenv KEY_COUNTRY \"$countrycode\" \n"); - fwrite($fd, "setenv KEY_PROVINCE \"$stateorprovince\" \n"); - fwrite($fd, "setenv KEY_CITY \"$cityname\" \n"); - fwrite($fd, "setenv KEY_ORG \"$orginizationname\" \n"); - fwrite($fd, "setenv KEY_EMAIL \"$email\" \n"); - fwrite($fd, "setenv CA_OK \"$ovpncapath/$caname/finished_ok\" \n"); - fwrite($fd, "\n\n"); - fclose($fd); - - $fd = fopen($ovpncapath . "/RUNME_FIRST", "w"); - fwrite($fd, "cd $ovpncapath \n"); - fwrite($fd, "touch $ovpncapath/$caname/index.txt \n"); - fwrite($fd, "echo \"01\" > $ovpncapath/$caname/serial \n"); - fwrite($fd, "source $ovpncapath/$caname/vars \n"); - //fwrite($fd, "echo \"Creating Shared Key...\" \n"); - //fwrite($fd, "openvpn --genkey --secret $ovpncapath/$caname/shared.key \n"); - fwrite($fd, "echo \"Creating CA...\" \n"); - fwrite($fd, "$easyrsapath/pkitool --batch --initca $ovpncapath/$caname/ca.crt \n"); - fwrite($fd, "echo \"Done!\" \n"); - fclose($fd); - - } else { - $input_errors[] = "You should specify a name."; - } - if (!is_array($config['openvpn']['keys'])) - $config['openvpn']['keys'] = array(); - - $ovpnkeys =& $config['openvpn']['keys']; - if (!is_array($ovpnkeys[$caname])) - $ovpnkeys[$caname] = array(); - -} - - include("head.inc"); -?> - - <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> - - <script type="text/javascript"> - function f() { - /* do nothing */ - } - function edit_mode() { - 
document.iform.cakeysize.disabled = true; - document.iform.caexpire.disabled = true; - document.iform.cakeyexpire.disabled = true; - document.iform.countrycode.disabled = true; - document.iform.stateorprovince.disabled = true; - document.iform.cityname.disabled = true; - document.iform.orginizationname.disabled = true; - document.iform.email.disabled = true; - document.iform.descr.disabled = true; - } - </script> - -<?php include("fbegin.inc"); ?> -<?php if ($input_errors) print_input_errors($input_errors); ?> - <form action="vpn_openvpn_certs_create.php" method="post" name="iform" id="iform"> -<?php if ($savemsg) print_info_box($savemsg); ?> - - <table width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr><td colspan="2"> -<?php - $tab_array = array(); - $tab_array[] = array("Server", false, "pkg.php?xml=openvpn.xml"); - $tab_array[] = array("Client", false, "pkg.php?xml=openvpn_cli.xml"); - $tab_array[] = array("Client-specific overrides", false, "pkg.php?xml=openvpn_csc.xml"); - $tab_array[] = array("Certificate Authority", true, "vpn_openvpn_certs.php"); - $tab_array[] = array("Users", false, "vpn_openvpn_users.php"); - display_top_tabs($tab_array); -?> - </td></tr> -<?php - if ($_POST && $caname) { -?> -<tr><td> - <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> - <td> - <textarea cols="80" rows="35" name="output" id="output" wrap="hard"></textarea> - </td> - </tr> - <tr> - <td> - <a href="vpn_openvpn_certs.php"><inpput name="OK" type="button" value="Return"></a> - </td> - </tr> - </table></td></tr> - </table> -<?php - if(!$input_errors) { - execute_command_return_output("/bin/tcsh $ovpncapath/RUNME_FIRST", "r"); - conf_mount_ro(); - /* vars */ - $ovpnkeys[$caname]['existing'] = "no"; - $ovpnkeys[$caname]['descr'] = $descr; - $ovpnkeys[$caname]['auth_method'] = "pki"; - $ovpnkeys[$caname]['keysize'] = $cakeysize; - $ovpnkeys[$caname]['keyexpire'] = $cakeyexpire; - $ovpnkeys[$caname]['caexpire'] = $caexpire; - 
$ovpnkeys[$caname]['keycountry'] = $countrycode; - $ovpnkeys[$caname]['keyprovince'] = $stateorprovince; - $ovpnkeys[$caname]['keycity'] = $cityname; - $ovpnkeys[$caname]['keyorg'] = $orginizationname; - $ovpnkeys[$caname]['keyemail'] = $email; - /* ciphers */ - $ovpnkeys[$caname]['ca.key'] = file_get_contents("$ovpncapath/$caname/ca.key"); - $ovpnkeys[$caname]['ca.crt'] = file_get_contents("$ovpncapath/$caname/ca.crt"); - - /* save it */ - write_config(); - } -} else { ?> -<tr><td> - <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td width="35%" class="vncell"><B>Certificate Name</td> - <td width="78%" class="vtable"> - <input name="descr" class="formfld" value="<?=$descr?>"> - </span></td> - </tr> - <tr> - <td width="35%" class="vncell"><B>Certificate Key Size</td> - <td width="78%" class="vtable"> - <select name="cakeysize" > -<?php - $strength = array("512", "1024", "2048"); - foreach ($strength as $key) { - echo "<option value=\"{$key}\" "; - if ($cakeysize == intval($key)) - echo " selected=\"true\" "; - echo ">{$key}</option>"; - } -?> - </select> - <br/><span>Higher you set this value the slower TLS negotiation and DH key creation performance gets.</span></td> - </tr> - <tr> - <td width="35%" class="vncell"><B>Certificate Expire</td> - <td width="78%" class="vtable"> - <input name="caexpire" class="formfld" value="<?=$caexpire?>"/> - <br/><span>In how many days should the root CA key expire?</span></td> - </tr> - <tr> - <td width="35%" class="vncell"><B>Certificate Key Expire</td> - <td width="78%" class="vtable"> - <input name="cakeyexpire" class="formfld" value="<?=$cakeyexpire?>"> - <br/><span>In how many days should certificates expire?</span></td> - </tr> - <tr> - <td width="35%" class="vncell"><B>Country Code (2 Letters)</td> - <td width="78%" class="vtable"> - <input size="2" maxlength="2" name="countrycode" class="formfld" value="<?=$countrycode?>"> - <br/></span></td> - </tr> - <tr> - <td width="35%" 
class="vncell"><B>State or Province name</td> - <td width="78%" class="vtable"> - <input name="stateorprovince" class="formfld" value="<?=$stateorprovince?>"> - <br/></span></td> - </tr> - <tr> - <td width="35%" class="vncell"><B>City name</td> - <td width="78%" class="vtable"> - <input name="cityname" class="formfld" value="<?=$cityname?>"> - <br/></span></td> - </tr> - <tr> - <td width="35%" class="vncell"><B>Organization name</td> - <td width="78%" class="vtable"> - <input name="orginizationname" class="formfld" value="<?=$orginizationname?>"> - <br/></span></td> - </tr> - <tr> - <td width="35%" class="vncell"><B>E-Mail address</td> - <td width="78%" class="vtable"> - <input name="email" class="formfld" value="<?=$email?>"> - <br/></span></td> - </tr> - <tr> - <td width="35%" > </td> - <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="Save"> - <a href="vpn_openvpn_certs.php?reset=<?=$caname;?>"><input name="Cancel" type="button" class="formbtn" value="Cancel"></a> - </td> - </tr> - </table> - </td></tr> - </table> - <?php - if($edit_mode) { - echo "<script language='javascript'>\n"; - echo "edit_mode();\n"; - echo "</script>\n"; - } - ?> - <?php include("fend.inc"); ?> - </body> - </html> -<? } ?> diff --git a/usr/local/www/vpn_openvpn_certs_existing.php b/usr/local/www/vpn_openvpn_certs_existing.php deleted file mode 100644 index 90534de..0000000 --- a/usr/local/www/vpn_openvpn_certs_existing.php +++ /dev/null 
@@ -1,201 +0,0 @@ -<?php -/* $Id$ */ -/* - vpn_openvpn_certs_existing.php - part of pfSense - - Copyright (C) 2008 Scott Ullrich - Copyright (C) 2008 Ermal Luçi - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ - -##|+PRIV -##|*IDENT=page-vpn-openvpn-createexistingcerts -##|*NAME=VPN: OpenVPN: Create Existing Certs page -##|*DESCR=Allow access to the 'VPN: OpenVPN: Create Existing Certs' page. -##|*MATCH=vpn_openvpn_certs_existing.php* -##|-PRIV - - -require("guiconfig.inc"); - -$pgtitle = array("VPN", "OpenVPN", "Create Existing Certs"); -$ovpncapath = $g['varetc_path']."/openvpn/certificates"; -/* XXX: hardcoded path; worth making it a global?! 
*/ -$easyrsapath = "/usr/local/share/openvpn/certificates"; - -if ($_GET['ca']) { - if ($config['openvpn']['keys'][$_GET['ca']]) { - $data = $config['openvpn']['keys'][$_GET['ca']]; - $caname = trim($_GET['ca']); - $cakey = $ovpnkeys[$caname]['ca.key']; - $cacrt = $ovpnkeys[$caname]['ca.crt']; - $sharedkey = $ovpnkeys[$caname]['shared.key']; - $serverkey = $ovpnkeys[$caname]['server.key']; - $servercrt = $ovpnkeys[$caname]['server.crt']; - $dh = $ovpnkeys[$caname]['dh_params.dh']; - } else - $input_errors[] = "Certificate does not exist."; -} - -if ($_POST) { - if ($_POST['caname'] && $_POST['caname'] != "") { - $caname = $_POST['caname']; - - /* Create sane environment for easyrsa scripts */ - conf_mount_rw(); - if (!is_dir($g['varetc_path']."/openvpn")) - safe_mkdir($g['varetc_path']."/openvpn"); - if (!is_dir($ovpncapath)) - safe_mkdir($ovpncapath); - else - mwexec("rm -rf $ovpncapath/$caname"); - safe_mkdir("$ovpncapath/$caname", 0755); - - if (!is_dir($ovpncapath)) { - $input_errors[] = "Failed to create environment for creating certificates. 
"; - header("Location: vpn_openvpn_certs.php"); - } - - conf_mount_ro(); - if (!is_array($config['openvpn']['keys'])) - $config['openvpn']['keys'] = array(); - $ovpnkeys =& $config['openvpn']['keys']; - if (!is_array($ovpnkeys[$caname])) - $ovpnkeys[$caname] = array(); - /* vars */ - $ovpnkeys[$caname]['existing'] = "yes"; - /* ciphers */ - $ovpnkeys[$caname]['crl'] = $crl; - file_put_contents("$ovpncapath/$caname/crl.pem", base64_decode($_POST['crl'])); - chown("$ovpncapath/$caname/crl.pem", 'nobody'); - chgrp("$ovpncapath/$caname/crl.pem", 'nobody'); - - $ovpnkeys[$caname]['ca.crt'] = $cacrt; - file_put_contents("$ovpncapath/$caname/ca.crt", base64_decode($_POST['ca.crt'])); - chown("$ovpncapath/$caname/ca.crt", 'nobody'); - chgrp("$ovpncapath/$caname/ca.crt", 'nobody'); - - $ovpnkeys[$caname]['server.key'] = $serverkey; - file_put_contents("$ovpncapath/$caname/server.key", base64_decode($_POST['server.key'])); - chown("$ovpncapath/$caname/server.key", 'nobody'); - chgrp("$ovpncapath/$caname/server.key", 'nobody'); - - $ovpnkeys[$caname]['server.crt'] = $servercrt; - file_put_contents("$ovpncapath/$caname/server.crt", base64_decode($_POST['server.crt'])); - chown("$ovpncapath/$caname/server.crt", 'nobody'); - chgrp("$ovpncapath/$caname/server.crt", 'nobody'); - - $ovpnkeys[$caname]['dh_params.dh'] = $dh; - file_put_contents("$ovpncapath/$caname/dh_params.dh", base64_decode($_POST['dh'])); - chown("$ovpncapath/$caname/dh_params.dh", 'nobody'); - chgrp("$ovpncapath/$caname/dh_params.dh", 'nobody'); - - /* save it */ - write_config(); - - header("Location: vpn_openvpn_certs.php"); - } else - $input_errors[] = "You need to specify the Certificate name"; -} - - include("head.inc"); -?> - - <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> - - <?php include("fbegin.inc"); ?> - -<?php if ($input_errors) print_input_errors($input_errors); ?> - -<form action="vpn_openvpn_certs_existing.php" method="post" name="iform" id="iform"> -<?php if ($savemsg) 
print_info_box($savemsg); ?> - - <table width="90%" border="0" cellpadding="6" cellspacing="0"> - <tr><td colspan="2"> -<?php - $tab_array = array(); - $tab_array[0] = array("Server", false, "pkg.php?xml=openvpn.xml"); - $tab_array[1] = array("Client", false, "pkg.php?xml=openvpn_cli.xml"); - $tab_array[2] = array("Client-specific configuration", false, "pkg.php?xml=openvpn_csc.xml"); - $tab_array[3] = array("Certificate Authority", true, "vpn_openvpn_certs.php"); - $tab_array[4] = array("Users", false, "vpn_openvpn_users.php"); - display_top_tabs($tab_array); -?> - </td></tr> - <tr><td> - <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td width="35%" class="vncell"><B>Certificate name</td> - <td width="78%" class="vtable"> - <input name="caname" value="<?=$caname?>"> - </td> - </tr> - <tr> - <td width="35%" class="vncell"><B>CA certificate</td> - <td width="78%" class="vtable"> - <textarea name="ca.crt" rows="8" cols="40" ><?=$cacrt;?></textarea> - <br/><span>Paste your CA certificate in X.509 format here.</span></td> - </tr> - <tr> - <td width="35%" class="vncell"><B>Server certificate</td> - <td width="78%" class="vtable"> - <textarea name="server.crt" rows="8" cols="40" ><?=$servercrt;?></textarea> - <br/><span>Paste your server certificate in X.509 format here.</span> - </td> - </tr> - <tr> - <td width="35%" class="vncell"><B>Server key</td> - <td width="78%" class="vtable"> - <textarea name="server.key" rows="8" cols="40" ><?=$serverkey;?></textarea> - <br/><span>Paste your server key in RSA format here.</span> - </td> - </tr> - <tr> - <td width="35%" class="vncell"><B>DH parameters</td> - <td width="78%" class="vtable"> - <textarea name="dh" rows="8" cols="40"><?=$dh;?></textarea> - <br/><span>Paste your Diffie Hellman parameters in PEM format here.</span> - </td> - </tr> - <tr> - <td width="35%" class="vncell"><B>CRL</td> - <td width="78%" class="vtable"> - <textarea name="crl" rows="8" cols="40" 
><?=$crl;?></textarea> - <br/><span>Paste your certificate revocation list (CRL) in PEM format here (optional).</span> - </td> - </tr> - <tr> - <td width="35%" > </td> - <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="Save"> - <a href="vpn_openvpn_certs.php?reset=<?=$caname;?>"><input name="Cancel" type="button" class="formbtn" value="Cancel"></a> - </td> - </td> - </tr> - </table></td></tr> - </table> - <?php include("fend.inc"); ?> - </body> - </html> diff --git a/usr/local/www/vpn_openvpn_cli.php b/usr/local/www/vpn_openvpn_cli.php deleted file mode 100755 index 285518c..0000000 --- a/usr/local/www/vpn_openvpn_cli.php +++ /dev/null 
@@ -1,179 +0,0 @@ -<?php -/* - vpn_openvpn_cli.php - - Copyright (C) 2004 Peter Curran (peter@closeconsultants.com). - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. 
-*/ - -require("guiconfig.inc"); -require_once("openvpn.inc"); - -if (!is_array($config['ovpn'])) - $config['ovpn'] = array(); -if (!is_array($config['ovpn']['client'])){ - $config['ovpn']['client'] = array(); - $config['ovpn']['client']['tunnel'] = array(); -} - -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; - -$ovpncli =& $config['ovpn']['client']['tunnel']; - -if ($_POST['apply']) { - $retval = 0; - if (file_exists($d_sysrebootreqd_path)) { - /* Rewrite interface definitions */ - $retval = ovpn_client_iface(); - } - else{ - ovpn_lock(); - $retval = ovpn_client_iface(); - $retval = ovpn_config_client(); - ovpn_unlock(); - } - if (file_exists($d_ovpnclidirty_path)) - unlink($d_ovpnclidirty_path); - $savemsg = get_std_save_message($retval); -} - -if ($_GET['act'] == "del") { - if ($ovpncli[$id]) { - $ovpnent = $ovpncli[$id]; - unset($ovpncli[$id]); - - /* Kill running processes */ - ovpn_client_kill($ovpnent['if']); - - /* Remove old certs & keys */ - ovpn_client_certs_del($ovpnent['if']); - - /* Remove interface from list of optional interfaces */ - ovpn_client_iface_del($ovpnent['if']); - - write_config(); - //touch($d_sysrebootreqd_path); - header("Location: vpn_openvpn_cli.php"); - exit; - } -} - -$pgtitle = array("VPN","OpenVPN"); -include("head.inc"); - -?> -<?php include("fbegin.inc"); ?> -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php if ($input_errors) print_input_errors($input_errors); ?> -<?php if (file_exists($d_sysrebootreqd_path) && !file_exists($d_ovpnclidirty_path)) print_info_box(get_std_save_message(0)); ?> -<form action="vpn_openvpn_cli.php" method="post" enctype="multipart/form-data" name="iform" id="iform"> -<?php if (file_exists($d_ovpnclidirty_path)): ?><p> -<?php print_info_box_np("The OpenVPN client configuration has been changed.<br>You must apply the changes in order for them to take effect.");?> -<?php endif; ?> - -<table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr><td> -<?php - 
$tab_array = array(); - $tab_array[] = array("Server", false, "vpn_openvpn_srv.php"); - $tab_array[] = array("Client", true, "vpn_openvpn_cli.php"); - $tab_array[] = array("Client-specific Configuration", false, "vpn_openvpn_ccd.php"); - $tab_array[] = array("CRL", false, "vpn_openvpn_crl.php"); - display_top_tabs($tab_array); -?> - </td></tr> - - <tr> - <td> - <div id="mainarea"> - <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> - <td class="vtable"> - <strong><span class="red">WARNING: This feature is experimental and modifies your optional interface configuration. - Backup your configuration before using OpenVPN, and restore it before upgrading. - </span></strong> - </td> - </tr> - </table> - - - - <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td width="10%" class="listhdrr">Interface</td> - <td width="5%" class="listhdrr">Protocol</td> - <td width="15%" class="listhdrr">Socket</td> - <td width="15%" class="listhdrr">Server address</td> - <td width="5%" class="listhdrr" align="center">Version</td> - <td width="40%" class="listhdr">Description</td> - <td width="10%" class="list"></td> - </tr> - - <?php $i = 0; foreach ($ovpncli as $client): - if (!isset($client['enable'])) { - $spans = "<span class=\"gray\">"; - $spane = "</span>"; - } else { - $spans = $spane = ""; - } - ?> - - <tr> - <td class="listlr"><?=$spans;?> - <?php if ($interface = ovpn_get_opt_interface($client['if'])) - $iface = $config['interfaces'][$interface]['descr']; - else $iface = strtoupper($client['if']);?> - <?= $iface;?> - <?=$spane;?></td> - <td class="listr"><?=$spans;?> - <?= strtoupper($client['proto']);?> - <?=$spane;?></td> - <td class="listr"><?=$spans;?> - <?= "0.0.0.0:" . 
$client['cport'];?> - <?=$spane;?></td> - <td class="listr"><?=$spans;?> - <?= $client['saddr'].":".$client['sport'];?> - <?=$spane;?></td> - <td align="middle" class="listr"><?=$spans;?> - <?= $client['ver'];?> - <?=$spane;?></td> - <td class="listbg"><?=$spans;?> - <?= htmlspecialchars($client['descr']);?> - <?=$spane;?></td> - <td valign="middle" nowrap class="list"> <a href="vpn_openvpn_cli_edit.php?id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit client configuration" width="17" height="17" border="0"></a> - <a href="vpn_openvpn_cli.php?act=del&id=<?=$i;?>" onclick="return confirm('Do you really want to delete this client configuration?')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete client configuration" width="17" height="17" border="0"></a></td> - </tr> - <?php $i++; endforeach; ?> - <tr> - <td class="list" colspan="6"> </td> - <td class="list"> <a href="vpn_openvpn_cli_edit.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add client configuration" width="17" height="17" border="0"></a></td> - </tr> - </table> - </td> -</tr> -</table> -</form> -<?php include("fend.inc"); ?> diff --git a/usr/local/www/vpn_openvpn_cli_edit.php b/usr/local/www/vpn_openvpn_cli_edit.php deleted file mode 100755 index 6fdbb75..0000000 --- a/usr/local/www/vpn_openvpn_cli_edit.php +++ /dev/null 
@@ -1,732 +0,0 @@ -<?php -/* - vpn_openvpn_cli_edit.php - - Copyright (C) 2004 Peter Curran (peter@closeconsultants.com). - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ - -##|+PRIV -##|*IDENT=page-vpn-openvpn-editclient -##|*NAME=VPN: OpenVPN: Edit client page -##|*DESCR=Allow access to the 'VPN: OpenVPN: Edit client' page. 
-##|*MATCH=vpn_openvpn_cli_edit.php* -##|-PRIV - - -require("guiconfig.inc"); -require_once("openvpn.inc"); - -if (!is_array($config['ovpn'])) - $config['ovpn'] = array(); -if (!is_array($config['ovpn']['client'])){ - $config['ovpn']['client'] = array(); - $config['ovpn']['client']['tunnel'] = array(); -} - - -$ovpncli =& $config['ovpn']['client']['tunnel']; - -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; - -if (isset($id) && $ovpncli[$id]) { - $pconfig = $config['ovpn']['client']['tunnel'][$id]; - if (isset($ovpncli[$id]['pull'])) - $pconfig['pull'] = true; - if (is_array($ovpncli[$id]['expertmode'])) { - $pconfig['expertmode_options'] = ""; - foreach ($ovpncli[$id]['expertmode']['option'] as $optent) { - $pconfig['expertmode_options'] .= $optent . "\n"; - } - $pconfig['expertmode_options'] = rtrim($pconfig['expertmode_options']); - } - -} else { - /* creating - set defaults */ - $pconfig = array(); - $pconfig['authentication_method'] = "rsasig"; - $pconfig['type'] = 'tun'; - $pconfig['proto'] = 'udp'; - $pconfig['sport'] = '1194'; - $pconfig['ver'] = '2'; - $pconfig['crypto'] = 'BF-CBC'; - $pconfig['pull'] = true; - $pconfig['enable'] = true; -} - -if ($_POST) { - - /* Called from form */ - unset($input_errors); - - /* input validation */ - $reqdfields = explode(" ", "type saddr sport"); - $reqdfieldsn = explode(",", "Tunnel type,Address,Port"); - - if ($_POST['authentication_method'] == "pre_shared_key") { - $reqdfields = array_merge($reqdfields, explode(" ", "lipaddr pre-shared-key")); - $reqdfieldsn = array_merge($reqdfieldsn, explode(",", "Local IP address,Pre-shared secret")); - - if ($_POST['type'] == "tun") { - /* tun */ - $reqdfields = array_merge($reqdfields, explode(" ", "ripaddr")); - $reqdfieldsn = array_merge($reqdfieldsn, explode(",", "Remote IP address")); - - /* subnet or ip address */ - if ($_POST['ripaddr']) { - if (!is_ipaddr($_POST['ripaddr'])) - $input_errors[] = "A valid static remote IP address must be specified."; - 
else if (ip2long($_POST['lipaddr']) == ip2long($_POST['ripaddr'])) - $input_errors[] = "Local IP address and remote IP address are the same."; - } - if ($_POST['lipaddr']) - if (!is_ipaddr($_POST['lipaddr'])) - $input_errors[] = "A valid static local IP address must be specified."; - - } else { - /* tap */ - if ($_POST['lipaddr']) { - if (!is_ipaddr($_POST['lipaddr'])) - $input_errors[] = "A valid static local IP address must be specified."; - else if (gen_subnet($_POST['lipaddr'], $_POST['netmask']) == $_POST['lipaddr']) - $input_errors[] = "Local IP address is subnet address."; - else if (gen_subnet_max($_POST['lipaddr'], $_POST['netmask']) == $_POST['lipaddr']) - $input_errors[] = "Local IP address is broadcast address."; - } - } - - if (!empty($_POST['pre-shared-key']) && - (!strstr($_POST['pre-shared-key'], "BEGIN OpenVPN Static key") || - !strstr($_POST['pre-shared-key'], "END OpenVPN Static key"))) - $input_errors[] = "Pre-shared secret does not appear to be valid."; - - } else { - /* rsa */ - $reqdfields = array_merge($reqdfields, explode(" ", "ca_cert cli_cert cli_key")); - $reqdfieldsn = array_merge($reqdfieldsn, explode(",", "CA certificate,Client certificate,Client key")); - - if (!empty($_POST['ca_cert']) && - (!strstr($_POST['ca_cert'], "BEGIN CERTIFICATE") || - !strstr($_POST['ca_cert'], "END CERTIFICATE"))) - $input_errors[] = "The CA certificate does not appear to be valid."; - - if (!empty($_POST['cli_cert']) && - (!strstr($_POST['cli_cert'], "BEGIN CERTIFICATE") || - !strstr($_POST['cli_cert'], "END CERTIFICATE"))) - $input_errors[] = "The client certificate does not appear to be valid."; - - if (!empty($_POST['cli_key']) && - (!strstr($_POST['cli_key'], "BEGIN RSA PRIVATE KEY") || - !strstr($_POST['cli_key'], "END RSA PRIVATE KEY"))) - $input_errors[] = "The client key does not appear to be valid."; - - if (!empty($_POST['pre-shared-key']) && - (!strstr($_POST['pre-shared-key'], "BEGIN OpenVPN Static key") || - !strstr($_POST['pre-shared-key'], 
"END OpenVPN Static key"))) - $input_errors[] = "Pre-shared secret does not appear to be valid."; - - if (isset($_POST['tlsauth']) && empty($_POST['pre-shared-key'])) { - $reqdfields = array_merge($reqdfields, explode(" ", "pre-shared-key")); - $reqdfieldsn = array_merge($reqdfieldsn, explode(",", "Pre-shared secret")); - } - } - - do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); - - /* valid Port */ - if (($_POST['sport'] && !is_port($_POST['sport']))) - $input_errors[] = "The server's port must be an integer between 1 and 65535."; - - /* valid FQDN or IP address */ - if (($_POST['saddr'] && !is_ipaddr($_POST['saddr']) && !is_domain($_POST['saddr']))) - $input_errors[] = "The server name contains invalid characters."; - - if (isset($id) && $ovpncli[$id]) { - /* Editing an existing entry */ - $ovpnent = $ovpncli[$id]; - - if ($ovpncli[$id]['bridge'] != $_POST['bridge']) { - /* double bridging? */ - if ($_POST['bridge'] && - $_POST['type'] == "tap" && - $_POST['authentication_method'] == "rsasig") - $retval = check_bridging($_POST['bridge']); - - if (!empty($retval)) - $input_errors[] = $retval; - } - - if ( $ovpncli[$id]['sport'] != $_POST['sport'] || - $ovpncli[$id]['proto'] != $_POST['proto'] ) { - - /* some entries changed */ - for ($i = 0; isset($config['ovpn']['client']['tunnel'][$i]); $i++) { - $current = &$config['ovpn']['client']['tunnel'][$i]; - - if ($current['sport'] == $_POST['sport']) - if ($current['proto'] == $_POST['proto']) - $input_errors[] = "You already have this combination for port and protocol settings. You can't use it twice"; - } - } - - /* Test Server type hasn't changed */ - if ($ovpnent['type'] != $_POST['type']) - $input_errors[] = "Delete this interface first before changing the type of the tunnel to " - . 
strtoupper($_POST['type']) ."."; - - if (!isset($ovpnent['enable']) && !isset($_POST['disabled'])) { - - /* check if port number is free, else choose another one */ - if (in_array($ovpnent['cport'], used_port_list())) - $ovpnent['cport'] = getnxt_port(); - } - } else { - /* Creating a new entry */ - $ovpnent = array(); - if (!($ovpnent['if'] = getnxt_if($_POST['type']))) - $input_errors[] = "Run out of devices for a tunnel of type {$_POST['type']}"; - - $ovpnent['cport'] = getnxt_port(); - - /* double bridging? */ - if ($_POST['bridge'] && - $_POST['type'] == "tap" && - $_POST['authentication_method'] == "rsasig") { - $retval = check_bridging($_POST['bridge']); - - if (!empty($retval)) - $input_errors[] = $retval; - } - } - - if (!$input_errors) { - - $ovpnent['enable'] = isset($_POST['disabled']) ? false : true; - $ovpnent['type'] = $_POST['type']; - $ovpnent['authentication_method'] = $_POST['authentication_method']; - $ovpnent['proto'] = $_POST['proto']; - $ovpnent['sport'] = $_POST['sport']; - $ovpnent['ver'] = $_POST['ver']; - $ovpnent['saddr'] = $_POST['saddr']; - $ovpnent['descr'] = $_POST['descr']; - $ovpnent['ca_cert'] = $pconfig['ca_cert']; - $ovpnent['cli_cert'] = $pconfig['cli_cert']; - $ovpnent['cli_key'] = $pconfig['cli_key']; - $ovpnent['crypto'] = $_POST['crypto']; - $ovpnent['comp_method'] = $_POST['comp_method']; - $ovpnent['ns_cert_type'] = $_POST['ns_cert_type'] ? true : false; - $ovpnent['pull'] = $_POST['pull'] ? true : false; - $ovpnent['dupcn'] = $_POST['dupcn'] ? true : false; - $ovpnent['tlsauth'] = $_POST['tlsauth'] ? 
true : false; - $ovpnent['bridge'] = $_POST['bridge']; - $ovpnent['lipaddr'] = $_POST['lipaddr']; - $ovpnent['ripaddr'] = $_POST['ripaddr']; - $ovpnent['netmask'] = $_POST['netmask']; - - unset($ovpnent['pre-shared-key']); - if ($_POST['pre-shared-key']) - $ovpnent['pre-shared-key'] = base64_encode($_POST['pre-shared-key']); - - $ovpnent['ca_cert'] = base64_encode($_POST['ca_cert']); - $ovpnent['cli_cert'] = base64_encode($_POST['cli_cert']); - $ovpnent['cli_key'] = base64_encode($_POST['cli_key']); - - /* expertmode params */ - $ovpnent['expertmode_enabled'] = $_POST['expertmode_enabled'] ? true : false; - - if (!is_array($options)) - $options = array(); - if (!is_array($ovpnent['expertmode'])) - $ovpnent['expertmode'] = array(); - - $options['option'] = array_map('trim', explode("\n", trim($_POST['expertmode_options']))); - $ovpnent['expertmode'] = $options; - - if (isset($id) && $ovpncli[$id]){ - $ovpncli[$id] = $ovpnent; - } - else{ - $ovpncli[] = $ovpnent; - } - - write_config(); - ovpn_cli_dirty($ovpnent['if']); - - header("Location: vpn_openvpn_cli.php"); - exit; - } else { - $pconfig = $_POST; - - $pconfig['enable'] = "true"; - if (isset($_POST['disabled'])) - unset($pconfig['enable']); - - $pconfig['pre-shared-key'] = base64_encode($_POST['pre-shared-key']); - $pconfig['ca_cert'] = base64_encode($_POST['ca_cert']); - $pconfig['cli_cert'] = base64_encode($_POST['cli_cert']); - $pconfig['cli_key'] = base64_encode($_POST['cli_key']); - } -} - -$pgtitle = array("VPN","OpenVPN","Edit client"); -include("head.inc"); - -?> -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php include("fbegin.inc"); ?> -<?php if ($input_errors) print_input_errors($input_errors);?> -<script language="JavaScript"> -function enable_change(enable_over) { - var endis; - endis = !(!document.iform.disabled.checked || enable_over); - - document.iform.type[0].disabled = endis; - document.iform.type[1].disabled = endis; - document.iform.proto[0].disabled = endis; - 
document.iform.proto[1].disabled = endis; - document.iform.sport.disabled = endis; - document.iform.saddr.disabled = endis; - document.iform.ver[0].disabled = endis; - document.iform.ver[1].disabled = endis; - document.iform.descr.disabled = endis; - document.iform.authentication_method.disabled = endis; - document.iform.ca_cert.disabled = endis; - document.iform.cli_cert.disabled = endis; - document.iform.cli_key.disabled = endis; - document.iform.crypto.disabled = endis; - document.iform.comp_method.disabled = endis; - document.iform.ns_cert_type.disabled = endis; - document.iform.pull.disabled = endis; - document.iform.tlsauth.disabled = endis; - document.iform.lipaddr.disabled = endis; - document.iform.ripaddr.disabled = endis; - document.iform.netmask.disabled = endis; - document.iform.psk.disabled = endis; - document.iform.expertmode_enabled.disabled = endis; - document.iform.expertmode_options.disabled = endis; - - if (!document.iform.disabled.checked) { - tls_change(enable_over); - expertmode_change(enable_over); - methodsel_change(enable_over); - } -} - -function expertmode_change(enable_over) { - var endis; - endis = !(document.iform.expertmode_enabled.checked || enable_over); - - document.iform.expertmode_options.disabled = endis; -} - -function tls_change(enable_over) { - var endis; - endis = !(document.iform.tlsauth.checked || enable_over); - - document.iform.psk.disabled = endis; -} - -function methodsel_change(enable_over) { - var endis; - - switch (document.iform.authentication_method.selectedIndex) { - case 1: /* rsa */ - if (get_radio_value(document.iform.type) == "tap") { - /* tap */ - document.iform.bridge.disabled = 0; - } else { - /* tun */ - document.iform.bridge.disabled = 1; - document.iform.bridge.selectedIndex = 0; - } - - document.iform.psk.disabled = 1; - document.iform.ca_cert.disabled = 0; - document.iform.cli_cert.disabled = 0; - document.iform.cli_key.disabled = 0; - document.iform.ns_cert_type.disabled = 0; - 
document.iform.tlsauth.disabled = 0; - document.iform.lipaddr.disabled = 1; - document.iform.ripaddr.disabled = 1; - document.iform.netmask.disabled = 1; - document.iform.pull.disabled = 0; - tls_change(); - break; - default: /* pre-shared */ - if (get_radio_value(document.iform.type) == "tap") { - /* tap */ - document.iform.ripaddr.disabled = 1; - document.iform.netmask.disabled = 0; - } else { - /* tun */ - document.iform.ripaddr.disabled = 0; - document.iform.netmask.disabled = 1; - } - - document.iform.lipaddr.disabled = 0; - document.iform.psk.disabled = 0; - document.iform.ca_cert.disabled = 1; - document.iform.cli_cert.disabled = 1; - document.iform.cli_key.disabled = 1; - document.iform.ns_cert_type.disabled = 1; - document.iform.tlsauth.disabled = 1; - document.iform.bridge.disabled = 1; - document.iform.bridge.selectedIndex = 0; - document.iform.pull.disabled = 1; - break; - } - - if (enable_over) { - document.iform.psk.disabled = 0; - document.iform.ca_cert.disabled = 0; - document.iform.cli_cert.disabled = 0; - document.iform.cli_key.disabled = 0; - document.iform.tlsauth.disabled = 0; - document.iform.bridge.disabled = 0; - document.iform.lipaddr.disabled = 0; - document.iform.ripaddr.disabled = 0; - document.iform.netmask.disabled = 0; - document.iform.pull.disabled = 0; - } -} - -function get_radio_value(obj) { - for (i = 0; i < obj.length; i++) { - if (obj[i].checked) - return obj[i].value; - } - return null; -} - -//--> -</script> -<form action="vpn_openvpn_cli_edit.php" method="post" enctype="multipart/form-data" name="iform" id="iform"> -<strong><span class="red">WARNING: This feature is experimental and modifies your optional interface configuration. 
- Backup your configuration before using OpenVPN, and restore it before upgrading.<br> <br> -</span></strong> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> - <td width="22%" valign="top" class="vncellreq">Disabled</td> - <td width="78%" class="vtable"> - <input name="disabled" type="checkbox" id="disabled" value="yes" onclick="enable_change(false)" <?php if (!isset($pconfig['enable'])) echo "checked"; ?>> - <strong>Disable this client</strong><br> - <span class="vexpl">Set this option to disable this client without removing it from the list.</span> - </td> - </tr> - - <tr> - <td colspan="2" class="list" height="12"></td> - </tr> - - <tr> - <td colspan="2" valign="top" class="listtopic">Server information</td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncellreq">Address</td> - <td width="78%" class="vtable"> - <input name="saddr" type="text" class="formfld" size="20" maxlength="255" value="<?=htmlspecialchars($pconfig['saddr']);?>"> - <br> - Enter the server's IP address or FQDN.</td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncellreq">Port</td> - <td width="78%" class="vtable"> - <input name="sport" type="text" class="formfld" size="5" maxlength="5" value="<?=htmlspecialchars($pconfig['sport']);?>"><br> - Enter the server's port number (default is 1194).</td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncellreq">Version</td> - <td width="78%" class="vtable"> - <input name="ver" type="radio" class="formfld" value="2" <?php if ($pconfig['ver'] == '2') echo "checked"; ?>> 2.0 - <input name="ver" type="radio" class="formfld" value="1" <?php if ($pconfig['ver'] == '1') echo "checked"; ?>> 1.x - <br> - Specify which version of the OpenVPN protocol the server runs.</td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncell">Description</td> - <td width="78%" class="vtable"> - <input name="descr" type="text" class="formfld" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>"> - 
<br> <span class="vexpl">You may enter a description here for your reference (not parsed).</span></td> - </tr> - - <tr> - <td colspan="2" class="list" height="12"></td> - </tr> - - <tr> - <td colspan="2" valign="top" class="listtopic">Cryptographic options</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Authentication method</td> - <td width="78%" class="vtable"> - <select name="authentication_method" class="formfld" onchange="methodsel_change(false)"> - <?php foreach ($p1_authentication_methods as $method => $methodname): ?> - <option value="<?=$method;?>" <?php if ($method == $pconfig['authentication_method']) echo "selected"; ?>> - <?=htmlspecialchars($methodname);?> - </option> - <?php endforeach; ?> - </select> <br> <span class="vexpl">Must match the setting chosen on the remote side.</span></td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncellreq">CA certificate</td> - <td width="78%" class="vtable"> - <textarea name="ca_cert" cols="65" rows="4" class="formpre"><?=htmlspecialchars(base64_decode($pconfig['ca_cert']));?></textarea> - <br> - Paste a CA certificate in X.509 PEM format here.</td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncellreq">Client certificate</td> - <td width="78%" class="vtable"> - <textarea name="cli_cert" cols="65" rows="4" class="formpre"><?=htmlspecialchars(base64_decode($pconfig['cli_cert']));?></textarea> - <br> - Paste a client certificate in X.509 PEM format here.</td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncellreq">Client key</td> - <td width="78%" class="vtable"> - <textarea name="cli_key" cols="65" rows="4" class="formpre"><?=htmlspecialchars(base64_decode($pconfig['cli_key']));?></textarea> - <br>Paste the client RSA private key here.</td> - </tr> - - - <tr> - <td width="22%" valign="top" class="vncell">Crypto</td> - <td width="78%" class="vtable"> - <select name="crypto" class="formfld"> - <?php $cipher_list = ovpn_get_cipher_list(); - foreach($cipher_list as 
$key => $value){ - ?> - <option value="<?= $key ?>" <?php if ($pconfig['crypto'] == $key) echo "selected"; ?>> - <?= $value ?> - </option> - <?php - } - ?> - </select> - <br> - Select the data channel encryption cipher. This must match the setting on the server. - </td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncell">nsCertType</td> - <td width="78%" class="vtable"> - <input name="ns_cert_type" type="checkbox" value="yes" <?php if (isset($pconfig['ns_cert_type'])) echo "checked";?>> - <strong>nsCertType</strong><br> - Require that peer certificate was signed with an explicit - nsCertType designation of "server". - This is a useful security option for clients, to ensure that the - host they connect with is a designated server. - </tr> - - <tr> - <td width="22%" valign="top" class="vncell">TLS auth</td> - <td width="78%" class="vtable"> - <input name="tlsauth" type="checkbox" value="yes" onclick="tls_change(false)" <?php if (isset($pconfig['tlsauth'])) echo "checked";?>> - <strong>TLS auth</strong><br> - The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification.</td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncell">Pre-shared secret</td> - <td width="78%" class="vtable"> - <textarea name="pre-shared-key" id="psk" cols="65" rows="4" class="formpre"><?=htmlspecialchars(base64_decode($pconfig['pre-shared-key']));?></textarea> - <br> - Paste your own pre-shared secret here.</td> - </tr> - - <tr> - <td colspan="2" class="list" height="12"></td> - </tr> - - <tr> - <td colspan="2" valign="top" class="listtopic">Client configuration</td> - </tr> - - <tr> - <td valign="top" class="vncellreq">Tunnel type</td> - <td class="vtable"> - <input name="type" type="radio" class="formfld" value="tun" onclick="methodsel_change(false)" <?php if ($pconfig['type'] == 'tun') echo "checked"; ?>> TUN - <input name="type" type="radio" class="formfld" value="tap" onclick="methodsel_change(false)" <?php if 
($pconfig['type'] == 'tap') echo "checked"; ?>> TAP</td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncellreq">Tunnel protocol</td> - <td width="78%" class="vtable"> -<input name="proto" type="radio" class="formfld" value="udp" <?php if ($pconfig['proto'] == 'udp') echo "checked"; ?>> UDP -<input name="proto" type="radio" class="formfld" value="tcp" <?php if ($pconfig['proto'] == 'tcp') echo "checked"; ?>> TCP<br> - <span class="vexpl">Important: These settings must match the server's configuration.</span></td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncell">Interface</td> - <td width="78%" class="vtable"> - <strong>Auto</strong> - </td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncell">Port</td> - <td width="78%" class="vtable"> - <strong>Auto</strong> - </td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncell">Bridge with</td> - <td width="78%" class="vtable"> - <select name="bridge" class="formfld" id="bridge" onchange="methodsel_change(false)"> - <option <?php if (!$pconfig['bridge']) echo "selected";?> value="">none</option> - <?php $iflist = get_configured_interface_with_descr(); - foreach ($iflist as $if => $ifdesc) { - if (!($config['interfaces'][$if]['ovpn'])) - $opts[$if] = "Optional " . $if . " (" . $ifdesc . ")"; - } - foreach ($opts as $opt => $optname): ?> - <option <?php if ($opt == $pconfig['bridge']) echo "selected";?> value="<?=htmlspecialchars($opt);?>"> - <?=htmlspecialchars($optname);?> - </option> - <?php endforeach; ?> - </select> <br> <span class="vexpl">Only supported with authentication method set to RSA signature.</span> - </td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncell">OpenVPN address assignment</td> - <td width="78%" class="vtable"> - When using pre-shared keys, enter the IP address and subnet mask - of the local and remote VPN endpoint here. For TAP devices, only the - IP address of the local VPN endpoint is needed. 
The netmask is the subnet mask - of the virtual ethernet segment which is being created or connected to.<br> - <br> - <table cellpadding="0" cellspacing="0"> - <tr> - <td>Local IP address: </td> - <td valign="top"><input name="lipaddr" id="lipaddr" type="text" class="formfld" size="20" value="<?=htmlspecialchars($pconfig['lipaddr']);?>"> - / - <select name="netmask" id="netmask" class="formfld"> - <?php for ($i = 30; $i > 19; $i--): ?> - <option value="<?=$i;?>" <?php if ($i == $pconfig['netmask']) echo "selected"; ?>> - <?=$i;?> - </option> - <?php endfor; ?> - </select> - </td> - </tr> - <tr> - <td>Remote IP address: </td> - <td valign="top"><input name="ripaddr" id="ripaddr" type="text" class="formfld" size="20" value="<?=htmlspecialchars($pconfig['ripaddr']);?>"> - </td> - </tr> - </table> - </td> - </tr> - - <tr> - <td colspan="2" valign="top" height="12"></td> - </tr> - <tr> - <td colspan="2" valign="top" class="listtopic">Client Options</td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncell">Pull Options</td> - <td width="78%" class="vtable"> - <input type="checkbox" name="pull" value="yes" <?php if ($pconfig['pull']) echo "checked"; ?>> - <strong>Client-pull</strong><br> - This option must be used on a client which is connecting to a - multi-client server. It indicates to OpenVPN that it should - accept options pushed by the server, provided they are part of the - legal set of pushable options. 
- </td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncell">Compression method</td> - <td width="78%" class="vtable"> - <select name="comp_method" class="formfld" id="comp_method"> - <option <?php if (!$pconfig['comp_method']) echo "selected";?> value="">none</option> - <?php $compression_method = array('lzo' => 'LZO', 'noadapt' => 'LZO (no adaptive)'); - foreach($compression_method as $comp_method => $comp_methodname): ?> - <option value="<?=$comp_method;?>" - <?php if ($comp_method == $pconfig['comp_method']) echo "selected";?>> - <?=htmlspecialchars($comp_methodname);?> - </option> - <?php endforeach; ?> - </select> - <br> - Choose which compression method to use.<br> - <br> - LZO compression generally improves performance on slow links, - but may add up to 1 byte per packet for incompressible data.<br> - <br> - With adaptive compression, OpenVPN will periodically sample the - compression process to measure its efficiency. If the data being - sent over the tunnel is already compressed, the compression - efficiency will be very low. Choose 'LZO (no adaptive)' - to disable OpenVPN's adaptive compression algorithm. - </td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncell">Expert mode</td> - <td width="78%" class="vtable"> - <input name="expertmode_enabled" type="checkbox" value="yes" onclick="expertmode_change(false)" <?php if (isset($pconfig['expertmode_enabled'])) echo "checked"; ?>> - <strong>Enable expert OpenVPN mode</strong><br> - If this option is on, you can specify your own extra commands for the OpenVPN server.<br/> - <textarea name="expertmode_options" id="expertmode_options" cols="65" rows="4" class="formpre"><?=htmlspecialchars($pconfig['expertmode_options']);?></textarea> - <strong><span class="red">Note:</span></strong><br> - Commands in expert mode aren't supported. 
- </td> - </tr> - - <tr> - <td width="22%" valign="top"> </td> - <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="Save" onclick="methodsel_change(true);tls_change(true);expertmode_change(true);enable_change(true)"> - <?php if (isset($id)): ?> - <input name="id" type="hidden" value="<?=$id;?>"> - <?php endif; ?> - </td> - </tr> - </table> -</form> -<script language="JavaScript"> -<!-- -tls_change(false); -methodsel_change(false); -expertmode_change(false); -enable_change(false); -//--> -</script> -<?php include("fend.inc"); ?> diff --git a/usr/local/www/vpn_openvpn_client.php b/usr/local/www/vpn_openvpn_client.php new file mode 100644 index 0000000..4f42e40 --- /dev/null +++ b/usr/local/www/vpn_openvpn_client.php 
@@ -0,0 +1,615 @@ +<?php +/* + vpn_openvpn_client.php + + Copyright (C) 2008 Shrew Soft Inc. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +##|+PRIV +##|*IDENT=page-openvpn-client +##|*NAME=OpenVPN: Client page +##|*DESCR=Allow access to the 'OpenVPN: Client' page. 
+##|*MATCH=vpn_openvpn_client.php* +##|-PRIV + + +require("guiconfig.inc"); + +$pgtitle = array("OpenVPN", "Client"); + +if (!is_array($config['openvpn']['openvpn-client'])) + $config['openvpn']['openvpn-client'] = array(); + +$a_client = &$config['openvpn']['openvpn-client']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +$act = $_GET['act']; +if (isset($_POST['act'])) + $act = $_POST['act']; + +if ($_GET['act'] == "del") { + + if (!$a_client[$id]) { + pfSenseHeader("vpn_openvpn_client.php"); + exit; + } + + openvpn_delete('client', $id); + unset($a_client[$id]); + write_config(); + $savemsg = gettext("Client successfully deleted")."<br/>"; +} + +if($_GET['act']=="edit"){ + + if (isset($id) && $a_client[$id]) { + + $pconfig['disable'] = $a_client[$id]['disable']; + $pconfig['protocol'] = $a_client[$id]['protocol']; + $pconfig['interface'] = $a_client[$id]['interface']; + $pconfig['local_port'] = $a_client[$id]['local_port']; + $pconfig['server_addr'] = $a_client[$id]['server_addr']; + $pconfig['server_port'] = $a_client[$id]['server_port']; + $pconfig['resolve_retry'] = $a_client[$id]['resolve_retry']; + $pconfig['proxy_addr'] = $a_client[$id]['proxy_addr']; + $pconfig['proxy_port'] = $a_client[$id]['proxy_port']; + $pconfig['description'] = $a_client[$id]['description']; + + $pconfig['auth_method'] = $a_client[$id]['auth_method']; + if ($pconfig['auth_method'] == "shared_key") + $pconfig['shared_key'] = base64_decode($a_client[$id]['shared_key']); + else { + $pconfig['caref'] = $a_client[$id]['caref']; + $pconfig['certref'] = $a_client[$id]['certref']; + } + $pconfig['crypto'] = $a_client[$id]['crypto']; + + $pconfig['tunnel_network'] = $a_client[$id]['tunnel_network']; + $pconfig['remote_network'] = $a_client[$id]['remote_network']; + $pconfig['compression'] = $a_client[$id]['compression']; + $pconfig['settos'] = $a_client[$id]['settos']; + } +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + 
if ($result = openvpn_validate_host($pconfig['server_addr'], 'Server host or address')) + $input_errors[] = $result; + + if ($result = openvpn_validate_port($pconfig['server_port'], 'Server port')) + $input_errors[] = $result; + + if ($pconfig['proxy_addr']) { + + if ($result = openvpn_validate_host($pconfig['proxy_addr'], 'Proxy host or address')) + $input_errors[] = $result; + + if ($result = openvpn_validate_port($pconfig['proxy_port'], 'Proxy port')) + $input_errors[] = $result; + } + + if ($result = openvpn_validate_cidr($pconfig['tunnel_network'], 'Tunnel network')) + $input_errors[] = $result; + + if ($result = openvpn_validate_cidr($pconfig['remote_network'], 'Remote network')) + $input_errors[] = $result; + + if ($pconfig['auth_method'] == 'shared_key') + if (!strstr($pconfig['shared_key'], "-----BEGIN OpenVPN Static key V1-----") || + !strstr($pconfig['shared_key'], "-----END OpenVPN Static key V1-----")) + $input_errors[] = "The field 'Shared Key' does not appear to be valid"; + + if ($pconfig['auth_method'] == 'shared_key') { + $reqfields[] = 'shared_key'; + $reqfieldsn[] = 'Shared key'; + } else { + $reqfields[] = explode(" ", "caref certref"); + $reqfieldsn[] = explode(",", "Certificate Authority,Certificate");; + } + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (!$input_errors) { + + $client = array(); + + if (isset($id) && $a_client[$id]) + $client['vpnid'] = $a_client[$id]['vpnid']; + else + $client['vpnid'] = openvpn_vpnid_next(); + + $client['disable'] = $pconfig['disable']; + $client['protocol'] = $pconfig['protocol']; + $client['interface'] = $pconfig['interface']; + $client['local_port'] = $pconfig['local_port']; + $client['server_addr'] = $pconfig['server_addr']; + $client['server_port'] = $pconfig['server_port']; + $client['resolve_retry'] = $pconfig['resolve_retry']; + $client['proxy_addr'] = $pconfig['proxy_addr']; + $client['proxy_port'] = $pconfig['proxy_port']; + $client['description'] = 
$pconfig['description']; + + $client['auth_method'] = $pconfig['auth_method']; + if ($client['auth_method'] == "shared_key") + $client['shared_key'] = base64_encode($pconfig['shared_key']); + else { + $client['caref'] = $pconfig['caref']; + $client['certref'] = $pconfig['certref']; + } + $client['crypto'] = $pconfig['crypto']; + + $client['tunnel_network'] = $pconfig['tunnel_network']; + $client['remote_network'] = $pconfig['remote_network']; + $client['compression'] = $pconfig['compression']; + + if (isset($id) && $a_client[$id]) + $a_client[$id] = $client; + else + $a_client[] = $client; + + openvpn_resync('client', $id); + write_config(); + + header("Location: vpn_openvpn_client.php"); + exit; + } +} + +include("head.inc"); + +?> + +<body link="#000000" vlink="#000000" alink="#000000" onload="<?= $jsevents["body"]["onload"] ?>"> +<?php include("fbegin.inc"); ?> +<script language="JavaScript"> +<!-- + +function method_change() { + index = document.iform.auth_method.selectedIndex; + value = document.iform.auth_method.options[index].value; + switch(value) { + case "pki": + document.getElementById("pki_ca").style.display=""; + document.getElementById("pki_cert").style.display=""; + document.getElementById("psk").style.display="none"; + break; + case "shared_key": + document.getElementById("pki_ca").style.display="none"; + document.getElementById("pki_cert").style.display="none"; + document.getElementById("psk").style.display=""; + break; + } +} + +//--> +</script> +<?php + if ($input_errors) + print_input_errors($input_errors); + if ($savemsg) + print_info_box($savemsg); +?> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td class="tabnavtbl"> + <ul id="tabnav"> + <?php + $tab_array = array(); + $tab_array[] = array(gettext("Server"), false, "vpn_openvpn_server.php"); + $tab_array[] = array(gettext("Client"), true, "vpn_openvpn_client.php"); + $tab_array[] = array(gettext("Client Specific Overrides"), false, "vpn_openvpn_csc.php"); + 
display_top_tabs($tab_array); + ?> + </ul> + </td> + </tr> + <tr> + <td class="tabcont"> + + <?php if($act=="new" || $act=="edit"): ?> + + <form action="vpn_openvpn_client.php" method="post" name="iform" id="iform" onsubmit="presubmit()"> + <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td width="22%" valign="top" class="vncellreq">Disabled</td> + <td width="78%" class="vtable"> + <table border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> + <?php set_checked($pconfig['disable'],$chk); ?> + <input name="disable" type="checkbox" value="yes" <?=$chk;?>/> + </td> + <td> + + <span class="vexpl"> + <strong>Disable this client</strong><br> + </span> + </td> + </tr> + </table> + Set this option to disable this client without removing it from the list. + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq"><?=gettext("Protocol");?></td> + <td width="78%" class="vtable"> + <select name='protocol' class="formselect"> + <?php + foreach ($openvpn_prots as $prot): + $selected = ""; + if ($pconfig['protocol'] == $prot) + $selected = "selected"; + ?> + <option value="<?=$prot;?>" <?=$selected;?>><?=$prot;?></option> + <?php endforeach; ?> + </select> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Interface</td> + <td width="78%" class="vtable"> + <select name="interface" class="formselect"> + <?php + $interfaces = get_configured_interface_with_descr(); + $carpips = find_number_of_needed_carp_interfaces(); + for ($i=0; $i<$carpips; $i++) { + $carpip = find_interface_ip("carp" . $i); + $interfaces['carp' . 
$i] = "CARP{$i} ({$carpip})"; + } + foreach ($interfaces as $iface => $ifacename): + ?> + <option value="<?=$iface;?>" <?php if ($iface == $pconfig['interface']) echo "selected"; ?>> + <?=htmlspecialchars($ifacename);?> + </option> + <?php endforeach; ?> + </select> <br> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?=gettext("Local port");?></td> + <td width="78%" class="vtable"> + <input name="local_port" type="text" class="formfld unknown" size="5" value="<?=htmlspecialchars($pconfig['local_port']);?>"/> + <br/> + Set this option if you would like to bind to a specific port. + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq"><?=gettext("Server host or address");?></td> + <td width="78%" class="vtable"> + <input name="server_addr" type="text" class="formfld unknown" size="30" value="<?=htmlspecialchars($pconfig['server_addr']);?>"/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq"><?=gettext("Server port");?></td> + <td width="78%" class="vtable"> + <input name="server_port" type="text" class="formfld unknown" size="5" value="<?=htmlspecialchars($pconfig['server_port']);?>"/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?=gettext("Proxy host or address");?></td> + <td width="78%" class="vtable"> + <input name="proxy_addr" type="text" class="formfld unknown" size="30" value="<?=htmlspecialchars($pconfig['proxy_addr']);?>"/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?=gettext("Proxy port");?></td> + <td width="78%" class="vtable"> + <input name="proxy_port" type="text" class="formfld unknown" size="5" value="<?=htmlspecialchars($pconfig['proxy_port']);?>"/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Server host name resolution</td> + <td width="78%" class="vtable"> + <table border="0" cellpadding="2" cellspacing="0"> + <tr> + <td> + <?php set_checked($pconfig['resolve_retry'],$chk); ?> + <input name="compression" 
type="checkbox" value="yes" <?=$chk;?>> + </td> + <td> + <span class="vexpl"> + Infinitely resolve server + </span> + </td> + </tr> + </table> + Continuously attempt to resolve the server host + name. Useful when communicating with a server + that is not permanently connected to the internet. + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Description</td> + <td width="78%" class="vtable"> + <input name="description" type="text" class="formfld unknown" size="30" value="<?=htmlspecialchars($pconfig['description']);?>"> + <br> + You may enter a description here for your reference (not parsed). + </td> + </tr> + <tr> + <td colspan="2" class="list" height="12"></td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic">Cryptographic Settings</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Authentication Method</td> + <td width="78%" class="vtable"> + <select name='auth_method' id='auth_method' class="formselect" onchange='method_change()'> + <?php + foreach ($openvpn_auth_methods as $method => $name): + $selected = ""; + if ($pconfig['auth_method'] == $method) + $selected = "selected"; + ?> + <option value="<?=$method;?>" <?=$selected;?>><?=$name;?></option> + <?php endforeach; ?> + </select> + </td> + </tr> + <tr id="pki_ca"> + <td width="22%" valign="top" class="vncellreq">Certificate Authority</td> + <td width="78%" class="vtable"> + <select name='caref' class="formselect"> + <?php + foreach ($config['system']['ca'] as $ca): + $selected = ""; + if ($pconfig['caref'] == $ca['refid']) + $selected = "selected"; + ?> + <option value="<?=$ca['refid'];?>" <?=$selected;?>><?=$ca['name'];?></option> + <?php endforeach; ?> + </select> + </td> + </tr> + <tr id="pki_cert"> + <td width="22%" valign="top" class="vncellreq">Certificate</td> + <td width="78%" class="vtable"> + <select name='certref' class="formselect"> + <?php + foreach ($config['system']['cert'] as $cert): + $selected = ""; + if ($pconfig['certref'] == 
$cert['refid']) + $selected = "selected"; + ?> + <option value="<?=$cert['refid'];?>" <?=$selected;?>><?=$cert['name'];?></option> + <?php endforeach; ?> + </select> + </td> + </tr> + <tr id="psk"> + <td width="22%" valign="top" class="vncellreq">Shared Key</td> + <td width="78%" class="vtable"> + <textarea name="shared_key" cols="65" rows="7" class="formpre"><?=htmlspecialchars($pconfig['shared_key']);?></textarea> + <br/> + Paste your shared key here. + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Encryption algorithm</td> + <td width="78%" class="vtable"> + <select name="crypto" class="formselect"> + <?php + $cipherlist = openvpn_get_cipherlist(); + foreach ($cipherlist as $name => $desc): + $selected = ''; + if ($name == $pconfig['crypto']) + $selected = ' selected'; + ?> + <option value="<?=$name;?>"<?=$selected?>> + <?=htmlspecialchars($desc);?> + </option> + <?php endforeach; ?> + </select> + </td> + </tr> + <tr> + <td colspan="2" class="list" height="12"></td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic">Tunnel Settings</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Tunnel Network</td> + <td width="78%" class="vtable"> + <input name="tunnel_network" type="text" class="formfld unknown" size="20" value="<?=htmlspecialchars($pconfig['tunnel_network']);?>"> + <br> + This is the virtual network used for private + communications between this client and the + server expressed using CIDR (eg. 10.0.8.0/24). + The first network address is assumed to be the + server address and the second network address + will be assigned to the client virtual + interface. 
+ </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Remote Network</td> + <td width="78%" class="vtable"> + <input name="remote_network" type="text" class="formfld unknown" size="20" value="<?=htmlspecialchars($pconfig['remote_network']);?>"> + <br> + This is a network that will be routed through + the tunnel, so that a site-to-site VPN can be + established without manually changing the + routing tables. Expressed as a CIDR range. If + this is a site-to-site VPN, enter here the + remote LAN here. You may leave this blank to + only communicate with other clients. + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?=gettext("Limit outgoing bandwidth");?></td> + <td width="78%" class="vtable"> + <input name="use_shaper" type="text" class="formfld unknown" size="5" value="<?=htmlspecialchars($pconfig['use_shaper']);?>"/> + <br/> + Maximum outgoing bandwidth for this tunnel. + Leave empty for no limit. The input value has + to be something between 100 bytes/sec and 100 + Mbytes/sec (entered as bytes per second). + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Compression</td> + <td width="78%" class="vtable"> + <table border="0" cellpadding="2" cellspacing="0"> + <tr> + <td> + <?php set_checked($pconfig['compression'],$chk); ?> + <input name="compression" type="checkbox" value="yes" <?=$chk;?>> + </td> + <td> + <span class="vexpl"> + Compress tunnel packets using the LZO algorithm. + </span> + </td> + </tr> + </table> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Type-of-Service</td> + <td width="78%" class="vtable"> + <table border="0" cellpadding="2" cellspacing="0"> + <tr> + <td> + <?php set_checked($pconfig['settos'],$chk); ?> + <input name="settos" type="checkbox" value="yes" <?=$chk;?>> + </td> + <td> + <span class="vexpl"> + Set the TOS IP header value of tunnel packets to match the encapsulated packet value. 
+ </span> + </td> + </tr> + </table> + </td> + </tr> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"> + <input name="save" type="submit" class="formbtn" value="Save"> + <input name="act" type="hidden" value="<?=$act;?>"> + <?php if (isset($id) && $a_client[$id]): ?> + <input name="id" type="hidden" value="<?=$id;?>"> + <?php endif; ?> + </td> + </tr> + </table> + </form> + + <?php else: ?> + + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td width="10%" class="listhdrr">Disabled</td> + <td width="10%" class="listhdrr">Protocol</td> + <td width="30%" class="listhdrr">Server</td> + <td width="40%" class="listhdrr">Description</td> + <td width="10%" class="list"></td> + </tr> + <?php + $i = 0; + foreach($a_client as $client): + $disabled = "NO"; + if ($client['disable']) + $disabled = "YES"; + $server = "{$client['server_addr']}:{$client['server_port']}"; + ?> + <tr> + <td class="listlr"> + <?=$disabled;?> + </td> + <td class="listr"> + <?=htmlspecialchars($client['protocol']);?> + </td> + <td class="listr"> + <?=htmlspecialchars($server);?> + </td> + <td class="listr"> + <?=htmlspecialchars($client['description']);?> + </td> + <td valign="middle" nowrap class="list"> + <a href="vpn_openvpn_client.php?act=edit&id=<?=$i;?>"> + <img src="./themes/<?=$g['theme'];?>/images/icons/icon_e.gif" title="edit client" width="17" height="17" border="0"> + </a> + + <a href="vpn_openvpn_client.php?act=del&id=<?=$i;?>" onclick="return confirm('Do you really want to delete this client?')"> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" title="delete client" width="17" height="17" border="0"> + </a> + </td> + </tr> + <?php + $i++; + endforeach; + ?> + <tr> + <td class="list" colspan="4"></td> + <td class="list"> + <a href="vpn_openvpn_client.php?act=new"><img src="./themes/<?=$g['theme'];?>/images/icons/icon_plus.gif" title="add client" width="17" height="17" border="0"> + </a> + </td> + </tr> + <tr> + <td colspan="4"> + <p> + 
<?=gettext("Additional OpenVPN clients can be added here.");?> + </p> + </td> + </tr> + </table> + + <? endif; ?> + + </td> + </tr> +</table> +<script language="JavaScript"> +<!-- +method_change(); +//--> +</script> +</body> +<?php include("fend.inc"); ?> + +<?php + +/* local utility functions */ + +function set_checked($var,& $chk) { + if($var) + $chk = 'checked'; + else + $chk = ''; +} + +?> + diff --git a/usr/local/www/vpn_openvpn_create_certs.php b/usr/local/www/vpn_openvpn_create_certs.php deleted file mode 100755 index 3cd847f..0000000 --- a/usr/local/www/vpn_openvpn_create_certs.php +++ /dev/null 
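Review bot: The required-field check in the POST handler is dead code: the names are collected into `$reqfields`/`$reqfieldsn`, but `do_input_validation()` is called with the never-assigned `$reqdfields`/`$reqdfieldsn`, and the PKI branch uses `$reqfields[] = explode(...)`, which nests a whole array as one element instead of listing `caref` and `certref`. As a result a PKI client posted with an empty CA or certificate reference passes validation, is written to config and handed to `openvpn_resync()` (the shared-key branch is still caught by the `strstr` marker check). Rename the arrays and assign rather than append, as below; it would also be worth confirming that the posted refid actually exists in `$config['system']['ca']` / `['cert']` rather than trusting the select value. Separately, the "Infinitely resolve server" checkbox is emitted with `name="compression"`, so `resolve_retry` can never be saved and it collides with the real compression checkbox, and `settos`/`use_shaper` are read into `$pconfig` but never copied into `$client`. Note also that delete is a GET link (`?act=del&id=`) guarded only by a JS confirm, so a state-changing action is reachable from any link the admin is lured into following; a POST form with the same confirm would close that.
```php
	// … unchanged: host/port/CIDR/shared-key marker checks …
	if ($pconfig['auth_method'] == 'shared_key') {
		$reqdfields = array('shared_key');
		$reqdfieldsn = array('Shared key');
	} else {
		$reqdfields = explode(" ", "caref certref");
		$reqdfieldsn = explode(",", "Certificate Authority,Certificate");
	}

	do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
	// … unchanged: build $client and write_config() …
```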
@@ -1,358 +0,0 @@ -<?php -/* $Id$ */ -/* - system_advanced_create_certs.php - part of pfSense - - Copyright (C) 2004 Scott Ullrich - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ - -##|+PRIV -##|*IDENT=page-vpn-openvpn-createcerts -##|*NAME=VPN: OpenVPN: Create Certs page -##|*DESCR=Allow access to the 'VPN: OpenVPN: Create Certs' page. -##|*MATCH=vpn_openvpn_create_certs.php* -##|-PRIV - - -require("guiconfig.inc"); - -function get_file_contents($filename) { - $filecontents = ""; - if(file_exists($filename)) { - $fd = fopen($filename, "r"); - $tmp = fread($fd,8096); - $filecontents .= $tmp; - fclose($fd); - return $filecontents; - } - return "File not found " . 
$filename; -} - -$fd = fopen("/etc/ssl/openssl.cnf", "r"); -$openssl = fread($fd,8096); -fclose($fd); - -/* Lets match the fileds in the read in file and - populate the variables for the form */ -preg_match('/\nC\=(.*)\n/', $openssl, $countrycodeA); -preg_match('/\nST\=(.*)\n/', $openssl, $stateorprovinceA); -preg_match('/\nL\=(.*)\n/', $openssl, $citynameA); -preg_match('/\nO\=(.*)\n/', $openssl, $orginizationnameA); -preg_match('/\nOU\=(.*)\n/', $openssl, $orginizationdepartmentA); -preg_match('/\nCN\=(.*)\n/', $openssl, $commonnameA); - -$countrycode = $countrycodeA[1]; -$stateorprovince = $stateorprovinceA[1]; -$cityname = $citynameA[1]; -$orginizationname = $orginizationnameA[1]; -$orginizationdepartment = $orginizationdepartmentA[1]; -$commonname = $commonnameA[1]; - -if ($_POST) { - - /* Grab posted variables and create a new openssl.cnf */ - $countrycode=$_POST['countrycode']; - $stateorprovince=$_POST['stateorprovince']; - $cityname=$_POST['cityname']; - $orginizationname=$_POST['orginizationname']; - $orginizationdepartment=$_POST['orginizationdepartment']; - $commonname=$_POST['commonname']; - - /* Write out /etc/ssl/openssl.cnf */ - $fd = fopen("/etc/ssl/openssl.cnf", "w"); - fwrite($fd, ""); - fwrite($fd, "[ req ]\n"); - fwrite($fd, "distinguished_name=req_distinguished_name \n"); - fwrite($fd, "req_extensions = v3_req \n"); - fwrite($fd, "prompt=no\n"); - fwrite($fd, "default_bits = 1024\n"); - fwrite($fd, "default_keyfile = privkey.pem\n"); - fwrite($fd, "distinguished_name = req_distinguished_name\n"); - fwrite($fd, "attributes = req_attributes\n"); - fwrite($fd, "x509_extensions = v3_ca # The extentions to add to the self signed cert\n"); - fwrite($fd, "[ req_distinguished_name ] \n"); - fwrite($fd, "C=" . $countrycode . " \n"); - fwrite($fd, "ST=" . $stateorprovince. " \n"); - fwrite($fd, "L=" . $cityname . " \n"); - fwrite($fd, "O=" . $orginizationname . " \n"); - fwrite($fd, "OU=" . $orginizationdepartment . " \n"); - fwrite($fd, "CN=" . 
$commonname . " \n"); - fwrite($fd, "[EMAIL PROTECTED] \n"); - fwrite($fd, "[EMAIL PROTECTED] \n"); - fwrite($fd, "[ v3_req ] \n"); - fwrite($fd, "basicConstraints = critical,CA:FALSE \n"); - fwrite($fd, "keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement \n"); - fwrite($fd, "extendedKeyUsage=emailProtection,clientAuth \n"); - fwrite($fd, "[ ca ]\n"); - fwrite($fd, "default_ca = CA_default\n"); - fwrite($fd, "[ CA_default ]\n"); - fwrite($fd, "certificate = /tmp/cacert.pem \n"); - fwrite($fd, "private_key = /tmp/cakey.pem \n"); - fwrite($fd, "dir = /tmp/\n"); - fwrite($fd, "certs = /tmp/certs\n"); - fwrite($fd, "crl_dir = /tmp/crl\n"); - fwrite($fd, "database = /tmp/index.txt \n"); - fwrite($fd, "new_certs_dir = /tmp/newcerts \n"); - fwrite($fd, "serial = /tmp/serial \n"); - fwrite($fd, "crl = /tmp/crl.pem \n"); - fwrite($fd, "RANDFILE = /tmp/.rand \n"); - fwrite($fd, "x509_extensions = usr_cert \n"); - fwrite($fd, "name_opt = ca_default \n"); - fwrite($fd, "cert_opt = ca_default \n"); - fwrite($fd, "default_days = 365 \n"); - fwrite($fd, "default_crl_days = 30 \n"); - fwrite($fd, "default_md = md5 \n"); - fwrite($fd, "preserve = no \n"); - fwrite($fd, "policy = policy_match\n"); - fwrite($fd, "[ policy_match ]\n"); - fwrite($fd, "countryName = match\n"); - fwrite($fd, "stateOrProvinceName = match\n"); - fwrite($fd, "organizationName = match\n"); - fwrite($fd, "organizationalUnitName = optional\n"); - fwrite($fd, "commonName = supplied\n"); - fwrite($fd, "emailAddress = optional\n"); - fwrite($fd, "[ policy_anything ]\n"); - fwrite($fd, "countryName = optional\n"); - fwrite($fd, "stateOrProvinceName = optional\n"); - fwrite($fd, "localityName = optional\n"); - fwrite($fd, "organizationName = optional\n"); - fwrite($fd, "organizationalUnitName = optional\n"); - fwrite($fd, "commonName = supplied\n"); - fwrite($fd, "emailAddress = optional\n"); - fwrite($fd, "[ req_distinguished_name ]\n"); - fwrite($fd, "countryName = 
US\n"); - fwrite($fd, "[ req_attributes ]\n"); - fwrite($fd, "challengePassword = A challenge password\n"); - fwrite($fd, "unstructuredName = An optional company name\n"); - fwrite($fd, "[ usr_cert ]\n"); - fwrite($fd, "basicConstraints=CA:FALSE\n"); - fwrite($fd, "[ v3_ca ]\n"); - fwrite($fd, "subjectKeyIdentifier=hash\n"); - fwrite($fd, "authorityKeyIdentifier=keyid:always,issuer:always\n"); - fwrite($fd, "basicConstraints = CA:true\n"); - fwrite($fd, "[ crl_ext ]\n"); - fwrite($fd, "authorityKeyIdentifier=keyid:always,issuer:always\n"); - fclose($fd); - -$pgtitle = array("VPN","OpenVPN","Create Certs"); - -include("head.inc"); - -?> - -<script language="JavaScript"> -<!-- -function f(ta_id){ - var d=document, ta, rng; - if(d.all){ - ta=d.all[ta_id]; - if(ta && ta.createTextRange){ - rng=ta.createTextRange(); - rng.collapse(false); - rng.select(); - } else { - ta_id.focus(); - ta_id.select(); - ta_id.blur(); - } - } -} ---> -</script> - -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php include("fbegin.inc"); ?> -<form action="system_advanced_create_certs.php" method="post" name="iform" id="iform"> - - <?php if ($input_errors) print_input_errors($input_errors); ?> - <?php if ($savemsg) print_info_box($savemsg); ?> - <p> - <textarea cols="55" rows="1" name="status" id="status" wrap="hard">One moment please... 
This will take a while!</textarea> - <textarea cols="55" rows="25" name="output" id="output" wrap="hard"></textarea> -</form> -<?php include("fend.inc"); ?> -</body> -</html> - - <?php - - echo "<script language=\"JavaScript\">document.forms[0].status.value=\"Creating CA...\";</script>"; - mwexec("rm -rf /tmp/*"); - //mwexec("rm -rf /tmp/newcerts"); - safe_mkdir("/tmp/newcerts", 0755); - touch("/tmp/index.txt"); - $fd = fopen("/tmp/serial","w"); - fwrite($fd, "01\n"); - fclose($fd); - - /* - mkdir /tmp/newcerts - touch /tmp/index.txt - echo 01 > serial - #Create The Certificate Authority Root Certificate - cd /tmp/ && openssl req -nodes -new -x509 -keyout cakey.pem -out cacert.pem -config /etc/ssl/openssl.cnf - #Create User Certificates - cd /tmp/ && openssl req -nodes -new -keyout vpnkey.pem -out vpncert-req.pem -config /etc/ssl/openssl.cnf - mkdir /tmp/newcerts - openssl ca -out vpncert.pem -in vpncert-req.pem -batch - - - # Diffie-Hellman Parameters (tls-server only) - dh dh1024.pem - # Root certificate - ca CA-DB/cacert.pem - # Server certificate - cert vpncert.pem - # Server private key - key vpnkey.pem - */ - - execute_command_return_output("/usr/bin/openssl req -nodes -new -x509 -keyout /tmp/cakey.pem -out /tmp/cacert.pem -config /etc/ssl/openssl.cnf"); - - echo "\n<script language=\"JavaScript\">document.forms[0].status.value=\"Creating Server Certificates...\";</script>"; - - execute_command_return_output("/usr/bin/openssl req -nodes -new -keyout /tmp/vpnkey.pem -out /tmp/vpncert-req.pem -config /etc/ssl/openssl.cnf"); - - execute_command_return_output("/usr/bin/openssl ca -out /tmp/vpncert.pem -in /tmp/vpncert-req.pem -batch"); - - echo "\n<script language=\"JavaScript\">document.forms[0].status.value=\"Creating DH Parms...\";</script>"; - - execute_command_return_output("/usr/bin/openssl dhparam -out /tmp/dh1024.pem 1024"); - - echo "\n<script language=\"JavaScript\">document.forms[0].status.value=\"Done!\";</script>"; - - //CLIENT - //mwexec("openssl 
req -nodes -new -keyout home.key -out home.csr"); - //mwexec("openssl ca -out home.crt -in home.csr"); - - $cacertA = get_file_contents("/tmp/cacert.pem"); - $serverkeyA = get_file_contents("/tmp/vpnkey.pem"); - $servercertA = get_file_contents("/tmp/vpncert.pem"); - $dhpemA = get_file_contents("/tmp/dh1024.pem"); - - $cacert = ereg_replace("\n","\\n", $cacertA); - $serverkey = ereg_replace("\n","\\n", $serverkeyA); - $dhpem = ereg_replace("\n","\\n", $dhpemA); - //$servercert = ereg_replace("\n","\\n", $servercertA); - - $tmp = strstr($servercertA, "-----BEGIN CERTIFICATE-----"); - $servercert = ereg_replace("\n","\\n", $tmp); - - ?> - <script language="JavaScript"> - <!-- - var ca_cert ='<?= $cacert ?>'; - var srv_key ='<?= $serverkey ?>'; - var srv_cert ='<?= $servercert ?>'; - var dh_param ='<?= $dhpem ?>'; - opener.document.forms[0].ca_cert.value=ca_cert; - opener.document.forms[0].server_key.value=srv_key; - opener.document.forms[0].server_cert.value=srv_cert; - opener.document.forms[0].dh_params.value=dh_param; - this.close(); - --> - </script> - - -<?php - -} else { - - $pgtitle = 'OpenVPN: Create Certificates'; - include("head.inc"); -?> - - <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> - <form action="vpn_openvpn_create_certs.php" method="post" name="iform" id="iform"> - <?php include("fbegin.inc"); ?> - <p class="pgtitle">System: Advanced - Create Certificates</p> - - <table width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> - <td width="35%" valign="top" class="vncell"><B>Country Code (2 Letters)</td> - <td width="78%" class="vtable"> - <input name="countrycode" class="formfld unknown" value="<?=$countrycode?>"> - </span></td> - </tr> - - <tr> - <td width="35%" valign="top" class="vncell"><B>State or Province name</td> - <td width="78%" class="vtable"> - <input name="stateorprovince" class="formfld unknown" value="<?=$stateorprovince?>"> - </span></td> - </tr> - - <tr> - <td width="35%" valign="top" class="vncell"><B>City name</td> 
- <td width="78%" class="vtable"> - <input name="cityname" class="formfld unknown" value="<?=$cityname?>"> - </span></td> - </tr> - - <tr> - <td width="35%" valign="top" class="vncell"><B>Organization name</td> - <td width="78%" class="vtable"> - <input name="orginizationname" class="formfld unknown" value="<?=$orginizationname?>"> - </span></td> - </tr> - - <tr> - <td width="35%" valign="top" class="vncell"><B>Organization department</td> - <td width="78%" class="vtable"> - <input name="orginizationdepartment" class="formfld unknown" value="<?=$orginizationdepartment?>"> - </span></td> - </tr> - - <tr> - <td width="35%" valign="top" class="vncell"><B>Common Name (Your name)</td> - <td width="78%" class="vtable"> - <input name="commonname" class="formfld unknown" value="<?=$commonname?>"> - </span></td> - </tr> - - <!-- - <tr> - <td width="35%" valign="top" class="vncell"><B>E-Mail address</td> - <td width="78%" class="vtable"> - <input name="email" class="formfld unknown" value="<?=$email?>"> - </span></td> - </tr> - --> - - <tr> - <td width="35%" valign="top"> </td> - <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="Save"> - </td> - </tr> - </table> - <?php include("fend.inc"); ?> - </body> - </html> - -<?php -} -?> diff --git a/usr/local/www/vpn_openvpn_crl.php b/usr/local/www/vpn_openvpn_crl.php deleted file mode 100755 index 6314607..0000000 --- a/usr/local/www/vpn_openvpn_crl.php +++ /dev/null 
@@ -1,170 +0,0 @@
-<?php
-/*
- vpn_openvpn_crl.php
-
- Copyright (C) 2005 Peter Allgeyer (allgeyer@web.de).
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-require("guiconfig.inc");
-require_once("openvpn.inc");
-
-if (!is_array($config['ovpn']))
- $config['ovpn'] = array();
-if (!is_array($config['ovpn']['server'])){
- $config['ovpn']['server'] = array();
- $config['ovpn']['server']['tunnel'] = array();
-}
-if (!is_array($config['ovpn']['server']['crl']))
- $config['ovpn']['server']['crl'] = array();
-
-$ovpncrl = &$config['ovpn']['server']['crl'];
-
-$id = $_GET['id'];
-if (isset($_POST['id']))
- $id = $_POST['id'];
-
-
-if ($_POST['apply']) {
- $retval = 0;
- $retval = ovpn_server_crl_add();
-
- /* remove dirty flag */
- unlink_if_exists($d_ovpncrldirty_path);
-
- $savemsg = get_std_save_message($retval);
-}
-
-if ($_GET['act'] == "del") {
- if ($ovpncrl[$id]) {
- $ovpnent = $ovpncrl[$id];
-
- unset($ovpncrl[$id]);
- write_config();
-
- /* Remove crl file */
- ovpn_server_crl_del($ovpnent['crlname']);
-
- /* we should send a SIGUSR1 to openvpn daemon */
- touch($d_ovpncrldirty_path);
-
- header("Location: vpn_openvpn_crl.php");
- exit;
- }
-}
-
-$pgtitle = array("VPN","OpenVPN");
-include("head.inc");
-
-?>
-<?php include("fbegin.inc"); ?>
-<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-<?php if ($input_errors) print_input_errors($input_errors); ?>
-<?php if (file_exists($d_sysrebootreqd_path) && !file_exists($d_ovpncrldirty_path)) print_info_box(get_std_save_message(0)); ?>
-
-<form action="vpn_openvpn_crl.php" method="post" enctype="multipart/form-data" name="iform" id="iform">
-<?php if (file_exists($d_ovpncrldirty_path)): ?><p>
-<?php print_info_box_np("OpenVPN CRL files have been changed.<br>You must apply the changes in order for them to take effect.");?>
-<?php endif; ?>
-
-<table width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr><td>
- <?php
- $tab_array = array();
- $tab_array[] = array("Server", false, "vpn_openvpn_srv.php");
- $tab_array[] = array("Client", false, "vpn_openvpn_cli.php");
- $tab_array[] = array("Client-specific Configuration", false, "vpn_openvpn_ccd.php");
- 
$tab_array[] = array("CRL", true, "vpn_openvpn_crl.php"); - display_top_tabs($tab_array); -?> - </td></tr> - - <tr> - <td> - <div id="mainarea"> - <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> - <td class="vtable"> - <strong><span class="red">WARNING: This feature is experimental and modifies your optional interface configuration. - Backup your configuration before using OpenVPN, and restore it before upgrading. - </span></strong> - </td> - </tr> - </table> - - <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td width="40%" class="listhdrr">CRL name</td> - <td width="50%" class="listhdr">Description</td> - <td width="10%" class="list"></td> - </tr> - <?php $i = 0; foreach ($ovpncrl as $crl): - - if (!isset($crl['enable'])) { - $spans = "<span class=\"gray\">"; - $spane = "</span>"; - } else { - $spans = $spane = ""; - } - ?> - - <tr> - <td class="listlr"><?=$spans;?> - <?= $crl['crlname'];?> - <?=$spane;?></td> - <td class="listbg"><?=$spans;?> - <?= htmlspecialchars($crl['descr']);?> - <?=$spane;?></td> - <td valign="middle" nowrap class="list"><a href="vpn_openvpn_crl_edit.php?id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit CRL file" width="17" height="17" border="0"></a> - <a href="vpn_openvpn_crl.php?act=del&id=<?=$i;?>" onclick="return confirm('Do you really want to delete this CRL file?')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete CRL file" width="17" height="17" border="0"></a></td> - </tr> - <?php $i++; endforeach; ?> - <tr> - <td class="list" colspan="2"> </td> - <td class="list"><a href="vpn_openvpn_crl_edit.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add CRL file" width="17" height="17" border="0"></a></td> - </tr> - <td colspan="4"> - <p><span class="vexpl"><span class="red"><strong>Note:</strong></span><br> - A CRL (certificate revocation list) is used when a 
particular - key is compromised but when the overall PKI is still intact.<br> - <br> - Suppose you had a PKI consisting of a CA, root certificate, and - a number of client certificates. Suppose a laptop computer - containing a client key and certificate was stolen. By adding the - stolen certificate to the CRL file, you could reject any connection - which attempts to use it, while preserving the overall - integrity of the PKI.<br> - <br> - The only time when it would be necessary to rebuild the entire - PKI from scratch would be if the root certificate key itself was - compromised. - </span> - </p> - </td> - </table> - </td> -</tr> -</table> -</form> -<?php include("fend.inc"); ?> diff --git a/usr/local/www/vpn_openvpn_crl_edit.php b/usr/local/www/vpn_openvpn_crl_edit.php deleted file mode 100755 index bfd0b79..0000000 --- a/usr/local/www/vpn_openvpn_crl_edit.php +++ /dev/null 
@@ -1,247 +0,0 @@
-<?php
-/*
- vpn_openvpn_crl_edit.php
-
- Copyright (C) 2005 Peter Allgeyer (allgeyer@web.de).
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-##|+PRIV
-##|*IDENT=page-vpn-openvpn-editcrl
-##|*NAME=VPN: OpenVPN: Edit CRL page
-##|*DESCR=Allow access to the 'VPN: OpenVPN: Edit CRL' page.
-##|*MATCH=vpn_openvpn_crl_edit.php* -##|-PRIV - - -require("guiconfig.inc"); -require_once("openvpn.inc"); - -if (!is_array($config['ovpn'])) - $config['ovpn'] = array(); -if (!is_array($config['ovpn']['server'])) - $config['ovpn']['server'] = array(); -if (!is_array($config['ovpn']['server']['crl'])) - $config['ovpn']['server']['crl'] = array(); - -$ovpncrl =& $config['ovpn']['server']['crl']; - -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; - -if (isset($id) && $ovpncrl[$id]) { - - $pconfig = $config['ovpn']['server']['crl'][$id]; - - if (isset($ovpncrl[$id]['enable'])) - $pconfig['enable'] = true; - -} else { - /* creating - set defaults */ - $pconfig = array(); - $pconfig['enable'] = true; -} - -if ($_POST) { - - unset($input_errors); - $pconfig = $_POST; - - /* input validation */ - $reqdfields = explode(" ", "crlname"); - $reqdfieldsn = explode(",", "Name"); - - do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); - - if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['crlname'])) - $input_errors[] = "The name contains invalid characters."; - - /* Editing an existing entry? 
*/ - if (!$input_errors && !(isset($id) && $ovpncrl[$id])) { - /* make sure there are no dupes */ - foreach ($ovpncrl as $crlent) { - if ($crlent['crlname'] == $_POST['crlname']) { - $input_errors[] = "Another entry with the same name already exists."; - break; - } - } - } - - /* check if a crl was given */ - if (is_uploaded_file($_FILES['filename']['tmp_name']) && !empty($_FILES['filename']['size'])) { - $content = file_get_contents($_FILES['filename']['tmp_name']); - } else if (!empty($_POST['crl_list'])) { - $content = $_POST['crl_list']; - } else { - $content = ""; - $input_errors[] = "A valid X.509 CRL is required."; - } - - /* check if crl is valid */ - if (!empty($content) && - (!strstr($content, "BEGIN X509 CRL") || - !strstr($content, "END X509 CRL"))) - $input_errors[] = "The X.509 CRL file content does not appear to be valid."; - - if (isset($id) && $ovpncrl[$id]) { - $crlent = $ovpncrl[$id]; - - /* Has the enable/disable state changed? */ - if (isset($crlent['enable']) && isset($_POST['disabled'])) { - /* status changed to disabled */ - ovpn_crl_dirty($ovpncrl['crlname']); - } else if (!isset($crlent['enable']) && !isset($_POST['disabled'])) { - /* status changed to enable */ - ovpn_crl_dirty($ovpncrl['crlname']); - } - } - - if (!$input_errors) { - - $crlent = array(); - - if (isset($id) && $ovpncrl[$id]) - $crlent = $ovpncrl[$id]; - - $crlent['crlname'] = $_POST['crlname']; - $crlent['descr'] = $_POST['descr']; - $crlent['enable'] = $_POST['disabled'] ? false : true; - - /* file upload? 
*/ - if ($_POST['crlname'] && is_uploaded_file($_FILES['filename']['tmp_name'])) - $crlent['crl_list'] = base64_encode(file_get_contents($_FILES['filename']['tmp_name'])); - else if (!empty($_POST['crl_list'])) - $crlent['crl_list'] = base64_encode($_POST['crl_list']); - - if (isset($id) && $ovpncrl[$id]) - $ovpncrl[$id] = $crlent; - else - $ovpncrl[] = $crlent; - - write_config(); - ovpn_crl_dirty($ovpncrl['crlname']); - - header("Location: vpn_openvpn_crl.php"); - exit; - - } else { - - $pconfig = $_POST; - - $pconfig['enable'] = "true"; - if (isset($_POST['disabled'])) - unset($pconfig['enable']); - - $pconfig['crl_list'] = base64_encode($_POST['crl_list']); - } -} - -$pgtitle = array("VPN","OpenVPN","Edit CRL"); -include("head.inc"); - -?> -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php include("fbegin.inc"); ?> -<?php if ($input_errors) print_input_errors($input_errors);?> -<script language="JavaScript"> -function enable_change(enable_over) { - var endis; - endis = !(!document.iform.disabled.checked || enable_over); - - document.iform.crlname.disabled = endis; - document.iform.descr.disabled = endis; - document.iform.crl_list.disabled = endis; - document.iform.filename.disabled = endis; - -} - -//--> -</script> -<form action="vpn_openvpn_crl_edit.php" method="post" enctype="multipart/form-data" name="iform" id="iform"> -<strong><span class="red">WARNING: This feature is experimental and modifies your optional interface configuration. 
- Backup your configuration before using OpenVPN, and restore it before upgrading.<br> <br> -</span></strong> -<table width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> - <td width="22%" valign="top" class="vncellreq">Disabled</td> - <td width="78%" class="vtable"> - <input name="disabled" type="checkbox" value="yes" onclick="enable_change(false)" <?php if (!isset($pconfig['enable'])) echo "checked"; ?>> - <strong>Disable this X.509 CRL list</strong><br> - <span class="vexpl">Set this option to on to disable this X.509 CRL file - without removing it from the list.</span></td> - </td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncellreq">Name</td> - <td width="78%" class="vtable"> - <input name="crlname" type="text" class="formfld" id="crlname" size="40" value="<?=htmlspecialchars($pconfig['crlname']);?>"> - <br><span class="vexpl">Enter a unique name here, to describe the X.509 CRL list.</span></td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncell">Description</td> - <td width="78%" class="vtable"> - <input name="descr" type="text" class="formfld" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>"> - <br><span class="vexpl">You may enter a description here for your reference (not parsed).</span></td> - </tr> - - <tr> - <td valign="top" class="vncellreq">X.509 CRL file content</td> - <td class="vtable"> - <textarea name="crl_list" cols="65" rows="4" class="formpre"><?=htmlspecialchars(base64_decode($pconfig['crl_list']));?></textarea> - <br> - Paste the contents of a X.509 CRL file in PEM format here.</td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncell">X.509 CRL file</td> - <td class="vtable"> - <input name="filename" type="file" class="formfld" id="filename"><br> - Instead of pasting the contents of a X.509 CRL file above, - you can upload a X.509 CRL file in PEM format here. It will - overwrite the values entered in the "X.509 CRL file content" - field. 
- </td> - </tr> - - <tr> - <td width="22%" valign="top"> </td> - <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="Save" onclick="enable_change(true)"> - <?php if (isset($id)): ?> - <input name="id" type="hidden" value="<?=$id;?>"> - <?php endif; ?> - </td> - </tr> -</table> -</form> -<script language="JavaScript"> -<!-- -enable_change(false); -//--> -</script> -<?php include("fend.inc"); -?> diff --git a/usr/local/www/vpn_openvpn_csc.php b/usr/local/www/vpn_openvpn_csc.php new file mode 100644 index 0000000..1866f75 --- /dev/null +++ b/usr/local/www/vpn_openvpn_csc.php 
@@ -0,0 +1,730 @@
+<?php
+/*
+ vpn_openvpn_csc.php
+
+ Copyright (C) 2008 Shrew Soft Inc.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+##|+PRIV
+##|*IDENT=page-openvpn-csc
+##|*NAME=OpenVPN: Client Specific Override page
+##|*DESCR=Allow access to the 'OpenVPN: Client Specific Override' page.
+##|*MATCH=vpn_openvpn_csc.php* +##|-PRIV + + +require("guiconfig.inc"); + +$pgtitle = array("OpenVPN", "Client Specific Override"); + +if (!is_array($config['openvpn']['openvpn-csc'])) + $config['openvpn']['openvpn-csc'] = array(); + +$a_csc = &$config['openvpn']['openvpn-csc']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +$act = $_GET['act']; +if (isset($_POST['act'])) + $act = $_POST['act']; + +if ($_GET['act'] == "del") { + + if (!$a_csc[$id]) { + pfSenseHeader("vpn_openvpn_csc.php"); + exit; + } + + openvpn_delete_csc($id); + unset($a_csc[$id]); + write_config(); + $savemsg = gettext("Client Specific Override successfully deleted")."<br/>"; +} + +if($_GET['act']=="edit"){ + + if (isset($id) && $a_csc[$id]) { + + $pconfig['disable'] = $a_csc[$id]['disable']; + $pconfig['common_name'] = $a_csc[$id]['common_name']; + $pconfig['block'] = $a_csc[$id]['block']; + $pconfig['description'] = $a_csc[$id]['description']; + + $pconfig['tunnel_network'] = $a_csc[$id]['tunnel_network']; + $pconfig['gwredir'] = $a_csc[$id]['gwredir']; + + $pconfig['push_reset'] = $a_csc[$id]['push_reset']; + + $pconfig['dns_domain'] = $a_csc[$id]['dns_domain']; + if ($pconfig['dns_domain']) + $pconfig['dns_domain_enable'] = true; + + $pconfig['dns_server1'] = $a_csc[$id]['dns_server1']; + $pconfig['dns_server2'] = $a_csc[$id]['dns_server2']; + $pconfig['dns_server3'] = $a_csc[$id]['dns_server3']; + $pconfig['dns_server4'] = $a_csc[$id]['dns_server4']; + if ($pconfig['dns_server1'] || + $pconfig['dns_server2'] || + $pconfig['dns_server3'] || + $pconfig['dns_server4']) + $pconfig['dns_server_enable'] = true; + + $pconfig['ntp_server1'] = $a_csc[$id]['ntp_server1']; + $pconfig['ntp_server2'] = $a_csc[$id]['ntp_server2']; + if ($pconfig['ntp_server1'] || + $pconfig['ntp_server2']) + $pconfig['ntp_server_enable'] = true; + + $pconfig['netbios_enable'] = $a_csc[$id]['netbios_enable']; + $pconfig['netbios_ntype'] = $a_csc[$id]['netbios_ntype']; + 
$pconfig['netbios_scope'] = $a_csc[$id]['netbios_scope']; + + $pconfig['wins_server1'] = $a_csc[$id]['wins_server1']; + $pconfig['wins_server2'] = $a_csc[$id]['wins_server2']; + if ($pconfig['wins_server1'] || + $pconfig['wins_server2']) + $pconfig['wins_server_enable'] = true; + + $pconfig['nbdd_server1'] = $a_csc[$id]['nbdd_server1']; + if ($pconfig['nbdd_server1']) + $pconfig['nbdd_server_enable'] = true; + } +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + if ($result = openvpn_validate_cidr($pconfig['tunnel_network'], 'Tunnel network')) + $input_errors[] = $result; + + if ($pconfig['dns_server_enable']) { + if (!empty($pconfig['dns_server1']) && !is_ipaddr(trim($pconfig['dns_server1']))) + $input_errors[] = "The field 'DNS Server #1' must contain a valid IP address"; + if (!empty($pconfig['dns_server2']) && !is_ipaddr(trim($pconfig['dns_server2']))) + $input_errors[] = "The field 'DNS Server #2' must contain a valid IP address"; + if (!empty($pconfig['dns_server3']) && !is_ipaddr(trim($pconfig['dns_server3']))) + $input_errors[] = "The field 'DNS Server #3' must contain a valid IP address"; + if (!empty($pconfig['dns_server4']) && !is_ipaddr(trim($pconfig['dns_server4']))) + $input_errors[] = "The field 'DNS Server #4' must contain a valid IP address"; + } + + if ($pconfig['ntp_server_enable']) { + if (!empty($pconfig['ntp_server1']) && !is_ipaddr(trim($pconfig['ntp_server1']))) + $input_errors[] = "The field 'NTP Server #1' must contain a valid IP address"; + if (!empty($pconfig['ntp_server2']) && !is_ipaddr(trim($pconfig['ntp_server2']))) + $input_errors[] = "The field 'NTP Server #2' must contain a valid IP address"; + if (!empty($pconfig['ntp_server3']) && !is_ipaddr(trim($pconfig['ntp_server3']))) + $input_errors[] = "The field 'NTP Server #3' must contain a valid IP address"; + if (!empty($pconfig['ntp_server4']) && !is_ipaddr(trim($pconfig['ntp_server4']))) + $input_errors[] = "The field 'NTP Server #4' 
must contain a valid IP address"; + } + + if ($pconfig['netbios_enable']) { + if ($pconfig['wins_server_enable']) { + if (!empty($pconfig['wins_server1']) && !is_ipaddr(trim($pconfig['wins_server1']))) + $input_errors[] = "The field 'WINS Server #1' must contain a valid IP address"; + if (!empty($pconfig['wins_server2']) && !is_ipaddr(trim($pconfig['wins_server2']))) + $input_errors[] = "The field 'WINS Server #2' must contain a valid IP address"; + } + if ($pconfig['nbdd_server_enable']) + if (!empty($pconfig['nbdd_server1']) && !is_ipaddr(trim($pconfig['nbdd_server1']))) + $input_errors[] = "The field 'NetBIOS Data Distribution Server #1' must contain a valid IP address"; + } + + $reqfields[] = 'common_name'; + $reqfieldsn[] = 'Common name'; + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (!$input_errors) { + + $csc = array(); + + $csc['disable'] = $pconfig['disable']; + $csc['common_name'] = $pconfig['common_name']; + $csc['block'] = $pconfig['block']; + $csc['description'] = $pconfig['description']; + + $csc['tunnel_network'] = $pconfig['tunnel_network']; + $csc['gwredir'] = $pconfig['gwredir']; + + $csc['push_reset'] = $pconfig['push_reset']; + + if ($pconfig['dns_domain_enable']) + $csc['dns_domain'] = $pconfig['dns_domain']; + + if ($pconfig['dns_server_enable']) { + $csc['dns_server1'] = $pconfig['dns_server1']; + $csc['dns_server2'] = $pconfig['dns_server2']; + $csc['dns_server3'] = $pconfig['dns_server3']; + $csc['dns_server4'] = $pconfig['dns_server4']; + } + + if ($pconfig['ntp_server_enable']) { + $csc['ntp_server1'] = $pconfig['ntp_server1']; + $csc['ntp_server2'] = $pconfig['ntp_server2']; + } + + $csc['netbios_enable'] = $pconfig['netbios_enable']; + $csc['netbios_ntype'] = $pconfig['netbios_ntype']; + $csc['netbios_scope'] = $pconfig['netbios_scope']; + + if ($pconfig['netbios_enable']) { + + if ($pconfig['wins_server_enable']) { + $csc['wins_server1'] = $pconfig['wins_server1']; + $csc['wins_server2'] = 
$pconfig['wins_server2']; + } + + if ($pconfig['dns_server_enable']) + $csc['nbdd_server1'] = $pconfig['nbdd_server1']; + } + + if (isset($id) && $a_csc[$id]) + $a_csc[$id] = $csc; + else + $a_csc[] = $csc; + + openvpn_resync_csc($id); + write_config(); + + header("Location: vpn_openvpn_csc.php"); + exit; + } +} + +include("head.inc"); + +?> + +<body link="#000000" vlink="#000000" alink="#000000" onload="<?= $jsevents["body"]["onload"] ?>"> +<?php include("fbegin.inc"); ?> +<script language="JavaScript"> +<!-- + +function dns_domain_change() { + + if (document.iform.dns_domain_enable.checked) + document.getElementById("dns_domain_data").style.display=""; + else + document.getElementById("dns_domain_data").style.display="none"; +} + +function dns_server_change() { + + if (document.iform.dns_server_enable.checked) + document.getElementById("dns_server_data").style.display=""; + else + document.getElementById("dns_server_data").style.display="none"; +} + +function wins_server_change() { + + if (document.iform.wins_server_enable.checked) + document.getElementById("wins_server_data").style.display=""; + else + document.getElementById("wins_server_data").style.display="none"; +} + +function ntp_server_change() { + + if (document.iform.ntp_server_enable.checked) + document.getElementById("ntp_server_data").style.display=""; + else + document.getElementById("ntp_server_data").style.display="none"; +} + +function netbios_change() { + + if (document.iform.netbios_enable.checked) { + document.getElementById("netbios_data").style.display=""; + document.getElementById("wins_opts").style.display=""; + } else { + document.getElementById("netbios_data").style.display="none"; + document.getElementById("wins_opts").style.display="none"; + } +} + +//--> +</script> +<?php + if ($input_errors) + print_input_errors($input_errors); + if ($savemsg) + print_info_box($savemsg); +?> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td class="tabnavtbl"> + <ul 
id="tabnav"> + <?php + $tab_array = array(); + $tab_array[] = array(gettext("Server"), false, "vpn_openvpn_server.php"); + $tab_array[] = array(gettext("Client"), false, "vpn_openvpn_client.php"); + $tab_array[] = array(gettext("Client Specific Overrides"), true, "vpn_openvpn_csc.php"); + display_top_tabs($tab_array); + ?> + </ul> + </td> + </tr> + <tr> + <td class="tabcont"> + + <?php if($act=="new" || $act=="edit"): ?> + + <form action="vpn_openvpn_csc.php" method="post" name="iform" id="iform" onsubmit="presubmit()"> + <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td width="22%" valign="top" class="vncellreq">Disabled</td> + <td width="78%" class="vtable"> + <table border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> + <?php set_checked($pconfig['disable'],$chk); ?> + <input name="disable" type="checkbox" value="yes" <?=$chk;?>/> + </td> + <td> + + <span class="vexpl"> + <strong>Disable this override</strong><br> + </span> + </td> + </tr> + </table> + Set this option to disable this client specific override without removing it from the list. + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Common name</td> + <td width="78%" class="vtable"> + <input name="common_name" type="text" class="formfld unknown" size="30" value="<?=htmlspecialchars($pconfig['common_name']);?>"> + <br> + Enter the client's X.509 common name here. + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Description</td> + <td width="78%" class="vtable"> + <input name="description" type="text" class="formfld unknown" size="30" value="<?=htmlspecialchars($pconfig['description']);?>"> + <br> + You may enter a description here for your reference (not parsed). 
+ </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Connection blocking</td> + <td width="78%" class="vtable"> + <table border="0" cellpadding="2" cellspacing="0"> + <tr> + <td> + <?php set_checked($pconfig['block'],$chk); ?> + <input name="block" type="checkbox" value="yes" <?=$chk;?>/> + </td> + <td> + <span class="vexpl"> + Block this client connection based on its common name. + </span> + </td> + </tr> + </table> + Don't use this option to permenently disable a + client due to a compromised key or password. + Use a CRL (certificate revocation list) instead. + </td> + </tr> + <tr> + <td colspan="2" class="list" height="12"></td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic">Tunnel Settings</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Tunnel Network</td> + <td width="78%" class="vtable"> + <input name="tunnel_network" type="text" class="formfld unknown" size="20" value="<?=htmlspecialchars($pconfig['tunnel_network']);?>"> + <br> + This is the virtual network used for private + communications between this client and the + server expressed using CIDR (eg. 10.0.8.0/24). + The first network address is assumed to be the + server address and the second network address + will be assigned to the client virtual + interface. + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Redirect Gateway</td> + <td width="78%" class="vtable"> + <table border="0" cellpadding="2" cellspacing="0"> + <tr> + <td> + <?php set_checked($pconfig['gwredir'],$chk); ?> + <input name="gwredir" type="checkbox" value="yes" <?=$chk;?>/> + </td> + <td> + <span class="vexpl"> + Force all client generated traffic through the tunnel. 
+ </span> + </td> + </tr> + </table> + </td> + </tr> + <tr> + <td colspan="2" class="list" height="12"></td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic">Client Settings</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Server Definitions</td> + <td width="78%" class="vtable"> + <table border="0" cellpadding="2" cellspacing="0"> + <tr> + <td> + <?php set_checked($pconfig['push_reset'],$chk); ?> + <input name="push_reset" type="checkbox" value="yes" <?=$chk;?>/> + </td> + <td> + <span class="vexpl"> + Prevent this client from receiving any server defined client settings. + </span> + </td> + </tr> + </table> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">DNS Default Domain</td> + <td width="78%" class="vtable"> + <table border="0" cellpadding="2" cellspacing="0"> + <tr> + <td> + <?php set_checked($pconfig['dns_domain_enable'],$chk); ?> + <input name="dns_domain_enable" type="checkbox" id="dns_domain_enable" value="yes" <?=$chk;?> onClick="dns_domain_change()"> + </td> + <td> + <span class="vexpl"> + Provide a default domain name to clients<br> + </span> + </td> + </tr> + </table> + <table border="0" cellpadding="2" cellspacing="0" id="dns_domain_data"> + <tr> + <td> + <input name="dns_domain" type="text" class="formfld unknown" id="dns_domain" size="30" value="<?=htmlspecialchars($pconfig['dns_domain']);?>"> + </td> + </tr> + </table> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">DNS Servers</td> + <td width="78%" class="vtable"> + <table border="0" cellpadding="2" cellspacing="0"> + <tr> + <td> + <?php set_checked($pconfig['dns_server_enable'],$chk); ?> + <input name="dns_server_enable" type="checkbox" id="dns_server_enable" value="yes" <?=$chk;?> onClick="dns_server_change()"> + </td> + <td> + <span class="vexpl"> + Provide a DNS server list to clients<br> + </span> + </td> + </tr> + </table> + <table border="0" cellpadding="2" cellspacing="0" id="dns_server_data"> + <tr> + <td> + <span 
class="vexpl"> + Server #1: + </span> + <input name="dns_server1" type="text" class="formfld unknown" id="dns_server1" size="20" value="<?=$pconfig['dns_server1'];?>"> + </td> + </tr> + <tr> + <td> + <span class="vexpl"> + Server #2: + </span> + <input name="dns_server2" type="text" class="formfld unknown" id="dns_server2" size="20" value="<?=$pconfig['dns_server2'];?>"> + </td> + </tr> + <tr> + <td> + <span class="vexpl"> + Server #3: + </span> + <input name="dns_server3" type="text" class="formfld unknown" id="dns_server3" size="20" value="<?=$pconfig['dns_server3'];?>"> + </td> + </tr> + <tr> + <td> + <span class="vexpl"> + Server #4: + </span> + <input name="dns_server4" type="text" class="formfld unknown" id="dns_server4" size="20" value="<?=$pconfig['dns_server4'];?>"> + </td> + </tr> + </table> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">NTP Servers</td> + <td width="78%" class="vtable"> + <table border="0" cellpadding="2" cellspacing="0"> + <tr> + <td> + <?php set_checked($pconfig['ntp_server_enable'],$chk); ?> + <input name="ntp_server_enable" type="checkbox" id="ntp_server_enable" value="yes" <?=$chk;?> onClick="ntp_server_change()"> + </td> + <td> + <span class="vexpl"> + Provide a NTP server list to clients<br> + </span> + </td> + </tr> + </table> + <table border="0" cellpadding="2" cellspacing="0" id="ntp_server_data"> + <tr> + <td> + <span class="vexpl"> + Server #1: + </span> + <input name="ntp_server1" type="text" class="formfld unknown" id="ntp_server1" size="20" value="<?=$pconfig['ntp_server1'];?>"> + </td> + </tr> + <tr> + <td> + <span class="vexpl"> + Server #2: + </span> + <input name="ntp_server2" type="text" class="formfld unknown" id="ntp_server2" size="20" value="<?=$pconfig['ntp_server2'];?>"> + </td> + </tr> + </table> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">NetBIOS Options</td> + <td width="78%" class="vtable"> + <table border="0" cellpadding="2" cellspacing="0"> + <tr> + <td> + 
<?php set_checked($pconfig['netbios_enable'],$chk); ?> + <input name="netbios_enable" type="checkbox" id="netbios_enable" value="yes" <?=$chk;?> onClick="netbios_change()"> + </td> + <td> + <span class="vexpl"> + Enable NetBIOS over TCP/IP<br> + </span> + </td> + </tr> + </table> + If this option is not set, all Netbios-over-TCP/IP options (includeing WINS) will be disabled. + <br/> + <table border="0" cellpadding="2" cellspacing="0" id="netbios_data"> + <tr> + <td> + <br/> + <span class="vexpl"> + Node Type: + </span> + <select name='netbios_ntype' class="formselect"> + <?php + foreach ($netbios_nodetypes as $type => $name): + $selected = ""; + if ($pconfig['netbios_ntype'] == $type) + $selected = "selected"; + ?> + <option value="<?=$type;?>" <?=$selected;?>><?=$name;?></option> + <?php endforeach; ?> + </select> + <br/> + Possible options: b-node (broadcasts), p-node + (point-to-point name queries to a WINS server), + m-node (broadcast then query name server), and + h-node (query name server, then broadcast). + </td> + </tr> + <tr> + <td> + <br/> + <span class="vexpl"> + Scope ID: + </span> + <input name="netbios_scope" type="text" class="formfld unknown" id="netbios_scope" size="30" value="<?=htmlspecialchars($pconfig['netbios_scope']);?>"> + <br/> + A NetBIOS Scope ID provides an extended naming + service for NetBIOS over TCP/IP. The NetBIOS + scope ID isolates NetBIOS traffic on a single + network to only those nodes with the same + NetBIOS scope ID. 
+ </td> + </tr> + </table> + </td> + </tr> + <tr id="wins_opts"> + <td width="22%" valign="top" class="vncell">WINS Servers</td> + <td width="78%" class="vtable"> + <table border="0" cellpadding="2" cellspacing="0"> + <tr> + <td> + <?php set_checked($pconfig['wins_server_enable'],$chk); ?> + <input name="wins_server_enable" type="checkbox" id="wins_server_enable" value="yes" <?=$chk;?> onClick="wins_server_change()"> + </td> + <td> + <span class="vexpl"> + Provide a WINS server list to clients<br> + </span> + </td> + </tr> + </table> + <table border="0" cellpadding="2" cellspacing="0" id="wins_server_data"> + <tr> + <td> + <span class="vexpl"> + Server #1: + </span> + <input name="wins_server1" type="text" class="formfld unknown" id="wins_server1" size="20" value="<?=$pconfig['wins_server1'];?>"> + </td> + </tr> + <tr> + <td> + <span class="vexpl"> + Server #2: + </span> + <input name="wins_server2" type="text" class="formfld unknown" id="wins_server2" size="20" value="<?=$pconfig['wins_server2'];?>"> + </td> + </tr> + </table> + </td> + </tr> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"> + <input name="save" type="submit" class="formbtn" value="Save"> + <input name="act" type="hidden" value="<?=$act;?>"> + <?php if (isset($id) && $a_csc[$id]): ?> + <input name="id" type="hidden" value="<?=$id;?>"> + <?php endif; ?> + </td> + </tr> + </table> + </form> + + <?php else: ?> + + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td width="10%" class="listhdrr">Disabled</td> + <td width="40%" class="listhdrr">Common Name</td> + <td width="40%" class="listhdrr">Description</td> + <td width="10%" class="list"></td> + </tr> + <?php + $i = 0; + foreach($a_csc as $csc): + $disabled = "NO"; + if ($csc['disable']) + $disabled = "YES"; + ?> + <tr> + <td class="listlr"> + <?=$disabled;?> + </td> + <td class="listr"> + <?=htmlspecialchars($csc['common_name']);?> + </td> + <td class="listr"> + <?=htmlspecialchars($csc['description']);?> + 
</td> + <td valign="middle" nowrap class="list"> + <a href="vpn_openvpn_csc.php?act=edit&id=<?=$i;?>"> + <img src="./themes/<?=$g['theme'];?>/images/icons/icon_e.gif" title="edit csc" width="17" height="17" border="0"> + </a> + + <a href="vpn_openvpn_csc.php?act=del&id=<?=$i;?>" onclick="return confirm('Do you really want to delete this csc?')"> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" title="delete csc" width="17" height="17" border="0"> + </a> + </td> + </tr> + <?php + $i++; + endforeach; + ?> + <tr> + <td class="list" colspan="3"></td> + <td class="list"> + <a href="vpn_openvpn_csc.php?act=new"><img src="./themes/<?=$g['theme'];?>/images/icons/icon_plus.gif" title="add csc" width="17" height="17" border="0"> + </a> + </td> + </tr> + <tr> + <td colspan="3"> + <p> + <?=gettext("Additional OpenVPN client specific overrides can be added here.");?> + </p> + </td> + </tr> + </table> + + <? endif; ?> + + </td> + </tr> +</table> +<script language="JavaScript"> +<!-- +dns_domain_change(); +dns_server_change(); +wins_server_change(); +ntp_server_change(); +netbios_change(); +//--> +</script> +</body> +<?php include("fend.inc"); ?> + +<?php + +/* local utility functions */ + +function set_checked($var,& $chk) { + if($var) + $chk = 'checked'; + else + $chk = ''; +} + +?> + diff --git a/usr/local/www/vpn_openvpn_server.php b/usr/local/www/vpn_openvpn_server.php new file mode 100644 index 0000000..0de0cef --- /dev/null +++ b/usr/local/www/vpn_openvpn_server.php 
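Review bot: The required-field check for the common name never runs: the save path appends to `$reqfields`/`$reqfieldsn` but then calls `do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors)` with the never-assigned `$reqdfields`, so an override with an empty common name passes validation and is written out through openvpn_resync_csc(); the two appends should read `$reqdfields[] = 'common_name'; $reqdfieldsn[] = 'Common name';`. In the same block `if ($pconfig['dns_server_enable']) $csc['nbdd_server1'] = $pconfig['nbdd_server1'];` is gated on the wrong checkbox and should test `nbdd_server_enable`, and the NTP validation checks `ntp_server3`/`ntp_server4`, which the form never renders. The form echoes `$pconfig['dns_server1'..'dns_server4']`, `ntp_server1`/`2` and `wins_server1`/`2` with bare `<?=...?>` while every other field goes through htmlspecialchars(); because `$pconfig = $_POST` on a failed validation, a submitted value is reflected into the value attribute unescaped, so wrap those eight echoes in htmlspecialchars() as well. Finally, deletion is triggered from a plain GET (`?act=del&id=N`) guarded only by a JavaScript confirm, and `$id` from `$_GET`/`$_POST` is used as an array index without a numeric check; I cannot see a CSRF token in this page, so deletion should at least move behind a POST and `$id` should be rejected unless it is a non-negative integer. openvpn_resync_csc() is not visible here, but since the common name ends up in per-client OpenVPN configuration it is worth confirming that function restricts it to a safe character set before using it as a file name.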
@@ -0,0 +1,998 @@
+<?php
+/*
+ vpn_openvpn_server.php
+
+ Copyright (C) 2008 Shrew Soft Inc.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+##|+PRIV
+##|*IDENT=page-openvpn-server
+##|*NAME=OpenVPN: Server page
+##|*DESCR=Allow access to the 'OpenVPN: Server' page.
+##|*MATCH=vpn_openvpn_server.php* +##|-PRIV + + +require("guiconfig.inc"); + +$pgtitle = array("OpenVPN", "Server"); + +if (!is_array($config['openvpn']['openvpn-server'])) + $config['openvpn']['openvpn-server'] = array(); + +$a_server = &$config['openvpn']['openvpn-server']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +$act = $_GET['act']; +if (isset($_POST['act'])) + $act = $_POST['act']; + +if ($_GET['act'] == "del") { + + if (!$a_server[$id]) { + pfSenseHeader("vpn_openvpn_server.php"); + exit; + } + + openvpn_delete('server', $id); + unset($a_server[$id]); + write_config(); + $savemsg = gettext("Server successfully deleted")."<br/>"; +} + +if($_GET['act']=="edit"){ + + if (isset($id) && $a_server[$id]) { + + $pconfig['disable'] = $a_server[$id]['disable']; + $pconfig['protocol'] = $a_server[$id]['protocol']; + $pconfig['interface'] = $a_server[$id]['interface']; + $pconfig['local_port'] = $a_server[$id]['local_port']; + $pconfig['description'] = $a_server[$id]['description']; + + $pconfig['auth_method'] = $a_server[$id]['auth_method']; + if ($pconfig['auth_method'] == "shared_key") + $pconfig['shared_key'] = base64_decode($a_server[$id]['shared_key']); + else { + $pconfig['caref'] = $a_server[$id]['caref']; + $pconfig['certref'] = $a_server[$id]['certref']; + } + $pconfig['crypto'] = $a_server[$id]['crypto']; + + $pconfig['tunnel_network'] = $a_server[$id]['tunnel_network']; + $pconfig['remote_network'] = $a_server[$id]['remote_network']; + $pconfig['gwredir'] = $a_server[$id]['gwredir']; + $pconfig['local_network'] = $a_server[$id]['local_network']; + $pconfig['maxclients'] = $a_server[$id]['maxclients']; + $pconfig['compression'] = $a_server[$id]['compression']; + $pconfig['settos'] = $a_server[$id]['settos']; + $pconfig['client2client'] = $a_server[$id]['client2client']; + + $pconfig['pool_enable'] = $a_server[$id]['pool_enable']; + + $pconfig['dns_domain'] = $a_server[$id]['dns_domain']; + if ($pconfig['dns_domain']) + 
$pconfig['dns_domain_enable'] = true; + + $pconfig['dns_server1'] = $a_server[$id]['dns_server1']; + $pconfig['dns_server2'] = $a_server[$id]['dns_server2']; + $pconfig['dns_server3'] = $a_server[$id]['dns_server3']; + $pconfig['dns_server4'] = $a_server[$id]['dns_server4']; + if ($pconfig['dns_server1'] || + $pconfig['dns_server2'] || + $pconfig['dns_server3'] || + $pconfig['dns_server4']) + $pconfig['dns_server_enable'] = true; + + $pconfig['ntp_server1'] = $a_server[$id]['ntp_server1']; + $pconfig['ntp_server2'] = $a_server[$id]['ntp_server2']; + if ($pconfig['ntp_server1'] || + $pconfig['ntp_server2']) + $pconfig['ntp_server_enable'] = true; + + $pconfig['netbios_enable'] = $a_server[$id]['netbios_enable']; + $pconfig['netbios_ntype'] = $a_server[$id]['netbios_ntype']; + $pconfig['netbios_scope'] = $a_server[$id]['netbios_scope']; + + $pconfig['wins_server1'] = $a_server[$id]['wins_server1']; + $pconfig['wins_server2'] = $a_server[$id]['wins_server2']; + if ($pconfig['wins_server1'] || + $pconfig['wins_server2']) + $pconfig['wins_server_enable'] = true; + + $pconfig['nbdd_server1'] = $a_server[$id]['nbdd_server1']; + if ($pconfig['nbdd_server1']) + $pconfig['nbdd_server_enable'] = true; + } +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + if ($result = openvpn_validate_port($pconfig['local_port'], 'Local port')) + $input_errors[] = $result; + + if ($result = openvpn_validate_cidr($pconfig['tunnel_network'], 'Tunnel network')) + $input_errors[] = $result; + + if ($result = openvpn_validate_cidr($pconfig['remote_network'], 'Remote network')) + $input_errors[] = $result; + + if ($result = openvpn_validate_cidr($pconfig['local_network'], 'Local network')) + $input_errors[] = $result; + + if ($pconfig['auth_method'] == 'shared_key') + if (!strstr($pconfig['shared_key'], "-----BEGIN OpenVPN Static key V1-----") || + !strstr($pconfig['shared_key'], "-----END OpenVPN Static key V1-----")) + $input_errors[] = "The field 
'Shared Key' does not appear to be valid"; + + if ($pconfig['dns_server_enable']) { + if (!empty($pconfig['dns_server1']) && !is_ipaddr(trim($pconfig['dns_server1']))) + $input_errors[] = "The field 'DNS Server #1' must contain a valid IP address"; + if (!empty($pconfig['dns_server2']) && !is_ipaddr(trim($pconfig['dns_server2']))) + $input_errors[] = "The field 'DNS Server #2' must contain a valid IP address"; + if (!empty($pconfig['dns_server3']) && !is_ipaddr(trim($pconfig['dns_server3']))) + $input_errors[] = "The field 'DNS Server #3' must contain a valid IP address"; + if (!empty($pconfig['dns_server4']) && !is_ipaddr(trim($pconfig['dns_server4']))) + $input_errors[] = "The field 'DNS Server #4' must contain a valid IP address"; + } + + if ($pconfig['ntp_server_enable']) { + if (!empty($pconfig['ntp_server1']) && !is_ipaddr(trim($pconfig['ntp_server1']))) + $input_errors[] = "The field 'NTP Server #1' must contain a valid IP address"; + if (!empty($pconfig['ntp_server2']) && !is_ipaddr(trim($pconfig['ntp_server2']))) + $input_errors[] = "The field 'NTP Server #2' must contain a valid IP address"; + if (!empty($pconfig['ntp_server3']) && !is_ipaddr(trim($pconfig['ntp_server3']))) + $input_errors[] = "The field 'NTP Server #3' must contain a valid IP address"; + if (!empty($pconfig['ntp_server4']) && !is_ipaddr(trim($pconfig['ntp_server4']))) + $input_errors[] = "The field 'NTP Server #4' must contain a valid IP address"; + } + + if ($pconfig['netbios_enable']) { + if ($pconfig['wins_server_enable']) { + if (!empty($pconfig['wins_server1']) && !is_ipaddr(trim($pconfig['wins_server1']))) + $input_errors[] = "The field 'WINS Server #1' must contain a valid IP address"; + if (!empty($pconfig['wins_server2']) && !is_ipaddr(trim($pconfig['wins_server2']))) + $input_errors[] = "The field 'WINS Server #2' must contain a valid IP address"; + } + if ($pconfig['nbdd_server_enable']) + if (!empty($pconfig['nbdd_server1']) && !is_ipaddr(trim($pconfig['nbdd_server1']))) + 
$input_errors[] = "The field 'NetBIOS Data Distribution Server #1' must contain a valid IP address"; + } + + if ($pconfig['maxclients'] && !is_numeric($pconfig['maxclients'])) + $input_errors[] = "The field 'Concurrent connections' must be numeric."; + + if ($pconfig['auth_method'] == 'shared_key') { + $reqfields[] = 'shared_key'; + $reqfieldsn[] = 'Shared key'; + } else { + $reqfields[] = explode(" ", "caref certref"); + $reqfieldsn[] = explode(",", "Certificate Authority,Certificate");; + } + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (!$input_errors) { + + $server = array(); + + if (isset($id) && $a_server[$id]) { + $server['dh_params'] = $a_server[$id]['dh_params']; + $server['vpnid'] = $a_server[$id]['vpnid']; + } else + $server['vpnid'] = openvpn_vpnid_next(); + + $server['disable'] = $pconfig['disable']; + $server['protocol'] = $pconfig['protocol']; + $server['interface'] = $pconfig['interface']; + $server['local_port'] = $pconfig['local_port']; + $server['description'] = $pconfig['description']; + + $server['auth_method'] = $pconfig['auth_method']; + if ($server['auth_method'] == "shared_key") + $server['shared_key'] = base64_encode($pconfig['shared_key']); + else { + $server['caref'] = $pconfig['caref']; + $server['certref'] = $pconfig['certref']; + } + $server['crypto'] = $pconfig['crypto']; + + $server['tunnel_network'] = $pconfig['tunnel_network']; + $server['remote_network'] = $pconfig['remote_network']; + $server['gwredir'] = $pconfig['gwredir']; + $server['local_network'] = $pconfig['local_network']; + $server['maxclients'] = $pconfig['maxclients']; + $server['compression'] = $pconfig['compression']; + $server['client2client'] = $pconfig['client2client']; + + $server['pool_enable'] = $pconfig['pool_enable']; + + if ($pconfig['dns_domain_enable']) + $server['dns_domain'] = $pconfig['dns_domain']; + + if ($pconfig['dns_server_enable']) { + $server['dns_server1'] = $pconfig['dns_server1']; + $server['dns_server2'] = 
$pconfig['dns_server2']; + $server['dns_server3'] = $pconfig['dns_server3']; + $server['dns_server4'] = $pconfig['dns_server4']; + } + + if ($pconfig['ntp_server_enable']) { + $server['ntp_server1'] = $pconfig['ntp_server1']; + $server['ntp_server2'] = $pconfig['ntp_server2']; + } + + $server['netbios_enable'] = $pconfig['netbios_enable']; + $server['netbios_ntype'] = $pconfig['netbios_ntype']; + $server['netbios_scope'] = $pconfig['netbios_scope']; + + if ($pconfig['netbios_enable']) { + + if ($pconfig['wins_server_enable']) { + $server['wins_server1'] = $pconfig['wins_server1']; + $server['wins_server2'] = $pconfig['wins_server2']; + } + + if ($pconfig['dns_server_enable']) + $server['nbdd_server1'] = $pconfig['nbdd_server1']; + } + + if (isset($id) && $a_server[$id]) + $a_server[$id] = $server; + else + $a_server[] = $server; + + openvpn_resync('server', $id); + write_config(); + + header("Location: vpn_openvpn_server.php"); + exit; + } +} + +include("head.inc"); + +?> + +<body link="#000000" vlink="#000000" alink="#000000" onload="<?= $jsevents["body"]["onload"] ?>"> +<?php include("fbegin.inc"); ?> +<script language="JavaScript"> +<!-- + +function method_change() { + index = document.iform.auth_method.selectedIndex; + value = document.iform.auth_method.options[index].value; + switch(value) { + case "pki": + document.getElementById("pki_ca").style.display=""; + document.getElementById("pki_cert").style.display=""; + document.getElementById("psk").style.display="none"; + break; + case "shared_key": + document.getElementById("pki_ca").style.display="none"; + document.getElementById("pki_cert").style.display="none"; + document.getElementById("psk").style.display=""; + break; + } +} + +function gwredir_change() { + + if (document.iform.gwredir.checked) + document.getElementById("local_opts").style.display="none"; + else + document.getElementById("local_opts").style.display=""; +} + +function dns_domain_change() { + + if (document.iform.dns_domain_enable.checked) + 
document.getElementById("dns_domain_data").style.display="";
+ else
+ document.getElementById("dns_domain_data").style.display="none";
+}
+
+function dns_server_change() {
+
+ if (document.iform.dns_server_enable.checked)
+ document.getElementById("dns_server_data").style.display="";
+ else
+ document.getElementById("dns_server_data").style.display="none";
+}
+
+function wins_server_change() {
+
+ if (document.iform.wins_server_enable.checked)
+ document.getElementById("wins_server_data").style.display="";
+ else
+ document.getElementById("wins_server_data").style.display="none";
+}
+
+function ntp_server_change() {
+
+ if (document.iform.ntp_server_enable.checked)
+ document.getElementById("ntp_server_data").style.display="";
+ else
+ document.getElementById("ntp_server_data").style.display="none";
+}
+
+function netbios_change() {
+
+ if (document.iform.netbios_enable.checked) {
+ document.getElementById("netbios_data").style.display="";
+ document.getElementById("wins_opts").style.display="";
+ } else {
+ document.getElementById("netbios_data").style.display="none";
+ document.getElementById("wins_opts").style.display="none";
+ }
+}
+
+//-->
+</script>
+<?php
+ if ($input_errors)
+ print_input_errors($input_errors);
+ if ($savemsg)
+ print_info_box($savemsg);
+?>
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td class="tabnavtbl">
+ <ul id="tabnav">
+ <?php
+ $tab_array = array();
+ $tab_array[] = array(gettext("Server"), true, "vpn_openvpn_server.php");
+ $tab_array[] = array(gettext("Client"), false, "vpn_openvpn_client.php");
+ $tab_array[] = array(gettext("Client Specific Overrides"), false, "vpn_openvpn_csc.php");
+ display_top_tabs($tab_array);
+ ?>
+ </ul>
+ </td>
+ </tr>
+ <tr>
+ <td class="tabcont">
+
+ <?php if($act=="new" || $act=="edit"): ?>
+
+ <form action="vpn_openvpn_server.php" method="post" name="iform" id="iform" onsubmit="presubmit()">
+ <table width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tr>
+ <td 
width="22%" valign="top" class="vncellreq">Disabled</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['disable'],$chk); ?>
+ <input name="disable" type="checkbox" value="yes" <?=$chk;?>/>
+ </td>
+ <td>
+
+ <span class="vexpl">
+ <strong>Disable this server</strong><br>
+ </span>
+ </td>
+ </tr>
+ </table>
+ Set this option to disable this server without removing it from the list.
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq"><?=gettext("Protocol");?></td>
+ <td width="78%" class="vtable">
+ <select name='protocol' class="formselect">
+ <?php
+ foreach ($openvpn_prots as $prot):
+ $selected = "";
+ if ($pconfig['protocol'] == $prot)
+ $selected = "selected";
+ ?>
+ <option value="<?=$prot;?>" <?=$selected;?>><?=$prot;?></option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Interface</td>
+ <td width="78%" class="vtable">
+ <select name="interface" class="formselect">
+ <?php
+ $interfaces = get_configured_interface_with_descr();
+ $carpips = find_number_of_needed_carp_interfaces();
+ for ($i=0; $i<$carpips; $i++) {
+ $carpip = find_interface_ip("carp" . $i);
+ $interfaces['carp' . 
$i] = "CARP{$i} ({$carpip})";
+ }
+ foreach ($interfaces as $iface => $ifacename):
+ ?>
+ <option value="<?=$iface;?>" <?php if ($iface == $pconfig['interface']) echo "selected"; ?>>
+ <?=htmlspecialchars($ifacename);?>
+ </option>
+ <?php endforeach; ?>
+ </select> <br>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq"><?=gettext("Local port");?></td>
+ <td width="78%" class="vtable">
+ <input name="local_port" type="text" class="formfld unknown" size="5" value="<?=htmlspecialchars($pconfig['local_port']);?>"/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Description</td>
+ <td width="78%" class="vtable">
+ <input name="description" type="text" class="formfld unknown" size="30" value="<?=htmlspecialchars($pconfig['description']);?>">
+ <br>
+ You may enter a description here for your reference (not parsed).
+ </td>
+ </tr>
+ <tr>
+ <td colspan="2" class="list" height="12"></td>
+ </tr>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic">Cryptographic Settings</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Authentication Method</td>
+ <td width="78%" class="vtable">
+ <select name='auth_method' id='auth_method' class="formselect" onchange='method_change()'>
+ <?php
+ foreach ($openvpn_auth_methods as $method => $name):
+ $selected = "";
+ if ($pconfig['auth_method'] == $method)
+ $selected = "selected";
+ ?>
+ <option value="<?=$method;?>" <?=$selected;?>><?=$name;?></option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ </tr>
+ <tr id="pki_ca">
+ <td width="22%" valign="top" class="vncellreq">Certificate Authority</td>
+ <td width="78%" class="vtable">
+ <select name='caref' class="formselect">
+ <?php
+ foreach ($config['system']['ca'] as $ca):
+ $selected = "";
+ if ($pconfig['caref'] == $ca['refid'])
+ $selected = "selected";
+ ?>
+ <option value="<?=$ca['refid'];?>" <?=$selected;?>><?=$ca['name'];?></option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ </tr>
+ <tr id="pki_cert">
+ <td 
width="22%" valign="top" class="vncellreq">Certificate</td>
+ <td width="78%" class="vtable">
+ <select name='certref' class="formselect">
+ <?php
+ foreach ($config['system']['cert'] as $cert):
+ $selected = "";
+ if ($pconfig['certref'] == $cert['refid'])
+ $selected = "selected";
+ ?>
+ <option value="<?=$cert['refid'];?>" <?=$selected;?>><?=$cert['name'];?></option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ </tr>
+ <tr id="psk">
+ <td width="22%" valign="top" class="vncellreq">Shared Key</td>
+ <td width="78%" class="vtable">
+ <textarea name="shared_key" cols="65" rows="7" class="formpre"><?=htmlspecialchars($pconfig['shared_key']);?></textarea>
+ <br/>
+ Paste your shared key here.
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Encryption algorithm</td>
+ <td width="78%" class="vtable">
+ <select name="crypto" class="formselect">
+ <?php
+ $cipherlist = openvpn_get_cipherlist();
+ foreach ($cipherlist as $name => $desc):
+ $selected = '';
+ if ($name == $pconfig['crypto'])
+ $selected = ' selected';
+ ?>
+ <option value="<?=$name;?>"<?=$selected?>>
+ <?=htmlspecialchars($desc);?>
+ </option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ </tr>
+ <tr>
+ <td colspan="2" class="list" height="12"></td>
+ </tr>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic">Tunnel Settings</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Tunnel Network</td>
+ <td width="78%" class="vtable">
+ <input name="tunnel_network" type="text" class="formfld unknown" size="20" value="<?=htmlspecialchars($pconfig['tunnel_network']);?>">
+ <br>
+ This is the virtual network used for private
+ communications between this server and client
+ hosts expressed using CIDR (eg. 10.0.8.0/24).
+ The first network address will be assigned to
+ the server virtual interface. The remaining
+ network addresses can optionally be assigned
+ to connecting clients. 
(see Address Pool)
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Remote Network</td>
+ <td width="78%" class="vtable">
+ <input name="remote_network" type="text" class="formfld unknown" size="20" value="<?=htmlspecialchars($pconfig['remote_network']);?>">
+ <br>
+ This is a network that will be routed through
+ the tunnel, so that a site-to-site VPN can be
+ established without manually changing the
+ routing tables. Expressed as a CIDR range. If
+ this is a site-to-site VPN, enter here the
+ remote LAN here. You may leave this blank if
+ you don't want a site-to-site VPN.
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Redirect Gateway</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['gwredir'],$chk); ?>
+ <input name="gwredir" type="checkbox" value="yes" <?=$chk;?> onClick="gwredir_change()"/>
+ </td>
+ <td>
+ <span class="vexpl">
+ Force all client generated traffic through the tunnel.
+ </span>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr id="local_opts">
+ <td width="22%" valign="top" class="vncell">Local Network</td>
+ <td width="78%" class="vtable">
+ <input name="local_network" type="text" class="formfld unknown" size="20" value="<?=htmlspecialchars($pconfig['local_network']);?>">
+ <br>
+ This is the network that will be accessable
+ from the remote endpoint. Expressed as a CIDR
+ range. You may leave this blank if you don't
+ want to add a route to the local network
+ through this tunnel on the remote machine.
+ This is generally set to your LAN network.
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("Concurrent connections");?></td>
+ <td width="78%" class="vtable">
+ <input name="maxclients" type="text" class="formfld unknown" size="5" value="<?=htmlspecialchars($pconfig['maxclients']);?>"/>
+ <br/>
+ Specify the maximum number of clients allowed to concurrently connect to this server. 
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Compression</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['compression'],$chk); ?>
+ <input name="compression" type="checkbox" value="yes" <?=$chk;?>>
+ </td>
+ <td>
+ <span class="vexpl">
+ Compress tunnel packets using the LZO algorithm.
+ </span>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Type-of-Service</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['settos'],$chk); ?>
+ <input name="settos" type="checkbox" value="yes" <?=$chk;?>>
+ </td>
+ <td>
+ <span class="vexpl">
+ Set the TOS IP header value of tunnel packets to match the encapsulated packet value.
+ </span>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Inter-client communication</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['client2client'],$chk); ?>
+ <input name="client2client" type="checkbox" value="yes" <?=$chk;?>/>
+ </td>
+ <td>
+ <span class="vexpl">
+ Allow communication between clients connected to this server
+ </span>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td colspan="2" class="list" height="12"></td>
+ </tr>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic">Client Settings</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Address Pool</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['pool_enable'],$chk); ?>
+ <input name="pool_enable" type="checkbox" id="pool_enable" value="yes" <?=$chk;?>">
+ </td>
+ <td>
+ <span class="vexpl">
+ Provide a virtual adapter IP address to clients (see Tunnel Network)<br>
+ </span>
+ </td>
+ </tr>
+ </table>
+ 
</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">DNS Default Domain</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['dns_domain_enable'],$chk); ?>
+ <input name="dns_domain_enable" type="checkbox" id="dns_domain_enable" value="yes" <?=$chk;?> onClick="dns_domain_change()">
+ </td>
+ <td>
+ <span class="vexpl">
+ Provide a default domain name to clients<br>
+ </span>
+ </td>
+ </tr>
+ </table>
+ <table border="0" cellpadding="2" cellspacing="0" id="dns_domain_data">
+ <tr>
+ <td>
+ <input name="dns_domain" type="text" class="formfld unknown" id="dns_domain" size="30" value="<?=htmlspecialchars($pconfig['dns_domain']);?>">
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">DNS Servers</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['dns_server_enable'],$chk); ?>
+ <input name="dns_server_enable" type="checkbox" id="dns_server_enable" value="yes" <?=$chk;?> onClick="dns_server_change()">
+ </td>
+ <td>
+ <span class="vexpl">
+ Provide a DNS server list to clients<br>
+ </span>
+ </td>
+ </tr>
+ </table>
+ <table border="0" cellpadding="2" cellspacing="0" id="dns_server_data">
+ <tr>
+ <td>
+ <span class="vexpl">
+ Server #1:
+ </span>
+ <input name="dns_server1" type="text" class="formfld unknown" id="dns_server1" size="20" value="<?=$pconfig['dns_server1'];?>">
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <span class="vexpl">
+ Server #2:
+ </span>
+ <input name="dns_server2" type="text" class="formfld unknown" id="dns_server2" size="20" value="<?=$pconfig['dns_server2'];?>">
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <span class="vexpl">
+ Server #3:
+ </span>
+ <input name="dns_server3" type="text" class="formfld unknown" id="dns_server3" size="20" value="<?=$pconfig['dns_server3'];?>">
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <span class="vexpl">
+ Server #4:
+ 
</span>
+ <input name="dns_server4" type="text" class="formfld unknown" id="dns_server4" size="20" value="<?=$pconfig['dns_server4'];?>">
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">NTP Servers</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['ntp_server_enable'],$chk); ?>
+ <input name="ntp_server_enable" type="checkbox" id="ntp_server_enable" value="yes" <?=$chk;?> onClick="ntp_server_change()">
+ </td>
+ <td>
+ <span class="vexpl">
+ Provide a NTP server list to clients<br>
+ </span>
+ </td>
+ </tr>
+ </table>
+ <table border="0" cellpadding="2" cellspacing="0" id="ntp_server_data">
+ <tr>
+ <td>
+ <span class="vexpl">
+ Server #1:
+ </span>
+ <input name="ntp_server1" type="text" class="formfld unknown" id="ntp_server1" size="20" value="<?=$pconfig['ntp_server1'];?>">
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <span class="vexpl">
+ Server #2:
+ </span>
+ <input name="ntp_server2" type="text" class="formfld unknown" id="ntp_server2" size="20" value="<?=$pconfig['ntp_server2'];?>">
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">NetBIOS Options</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['netbios_enable'],$chk); ?>
+ <input name="netbios_enable" type="checkbox" id="netbios_enable" value="yes" <?=$chk;?> onClick="netbios_change()">
+ </td>
+ <td>
+ <span class="vexpl">
+ Enable NetBIOS over TCP/IP<br>
+ </span>
+ </td>
+ </tr>
+ </table>
+ If this option is not set, all Netbios-over-TCP/IP options (includeing WINS) will be disabled. 
+ <br/>
+ <table border="0" cellpadding="2" cellspacing="0" id="netbios_data">
+ <tr>
+ <td>
+ <br/>
+ <span class="vexpl">
+ Node Type:
+ </span>
+ <select name='netbios_ntype' class="formselect">
+ <?php
+ foreach ($netbios_nodetypes as $type => $name):
+ $selected = "";
+ if ($pconfig['netbios_ntype'] == $type)
+ $selected = "selected";
+ ?>
+ <option value="<?=$type;?>" <?=$selected;?>><?=$name;?></option>
+ <?php endforeach; ?>
+ </select>
+ <br/>
+ Possible options: b-node (broadcasts), p-node
+ (point-to-point name queries to a WINS server),
+ m-node (broadcast then query name server), and
+ h-node (query name server, then broadcast).
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <br/>
+ <span class="vexpl">
+ Scope ID:
+ </span>
+ <input name="netbios_scope" type="text" class="formfld unknown" id="netbios_scope" size="30" value="<?=htmlspecialchars($pconfig['netbios_scope']);?>">
+ <br/>
+ A NetBIOS Scope ID provides an extended naming
+ service for NetBIOS over TCP/IP. The NetBIOS
+ scope ID isolates NetBIOS traffic on a single
+ network to only those nodes with the same
+ NetBIOS scope ID. 
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr id="wins_opts">
+ <td width="22%" valign="top" class="vncell">WINS Servers</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td>
+ <?php set_checked($pconfig['wins_server_enable'],$chk); ?>
+ <input name="wins_server_enable" type="checkbox" id="wins_server_enable" value="yes" <?=$chk;?> onClick="wins_server_change()">
+ </td>
+ <td>
+ <span class="vexpl">
+ Provide a WINS server list to clients<br>
+ </span>
+ </td>
+ </tr>
+ </table>
+ <table border="0" cellpadding="2" cellspacing="0" id="wins_server_data">
+ <tr>
+ <td>
+ <span class="vexpl">
+ Server #1:
+ </span>
+ <input name="wins_server1" type="text" class="formfld unknown" id="wins_server1" size="20" value="<?=$pconfig['wins_server1'];?>">
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <span class="vexpl">
+ Server #2:
+ </span>
+ <input name="wins_server2" type="text" class="formfld unknown" id="wins_server2" size="20" value="<?=$pconfig['wins_server2'];?>">
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top"> </td>
+ <td width="78%">
+ <input name="save" type="submit" class="formbtn" value="Save">
+ <input name="act" type="hidden" value="<?=$act;?>">
+ <?php if (isset($id) && $a_server[$id]): ?>
+ <input name="id" type="hidden" value="<?=$id;?>">
+ <?php endif; ?>
+ </td>
+ </tr>
+ </table>
+ </form>
+
+ <?php else: ?>
+
+ <table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td width="10%" class="listhdrr">Disabled</td>
+ <td width="10%" class="listhdrr">Protocol</td>
+ <td width="30%" class="listhdrr">Tunnel Network</td>
+ <td width="40%" class="listhdrr">Description</td>
+ <td width="10%" class="list"></td>
+ </tr>
+ <?php
+ $i = 0;
+ foreach($a_server as $server):
+ $disabled = "NO";
+ if ($server['disable'])
+ $disabled = "YES";
+ ?>
+ <tr>
+ <td class="listlr">
+ <?=$disabled;?>
+ </td>
+ <td class="listr">
+ <?=htmlspecialchars($server['protocol']);?>
+ </td>
+ <td 
class="listr">
+ <?=htmlspecialchars($server['tunnel_network']);?>
+ </td>
+ <td class="listr">
+ <?=htmlspecialchars($server['description']);?>
+ </td>
+ <td valign="middle" nowrap class="list">
+ <a href="vpn_openvpn_server.php?act=edit&id=<?=$i;?>">
+ <img src="./themes/<?=$g['theme'];?>/images/icons/icon_e.gif" title="edit server" width="17" height="17" border="0">
+ </a>
+
+ <a href="vpn_openvpn_server.php?act=del&id=<?=$i;?>" onclick="return confirm('Do you really want to delete this server?')">
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" title="delete server" width="17" height="17" border="0">
+ </a>
+ </td>
+ </tr>
+ <?php
+ $i++;
+ endforeach;
+ ?>
+ <tr>
+ <td class="list" colspan="4"></td>
+ <td class="list">
+ <a href="vpn_openvpn_server.php?act=new"><img src="./themes/<?=$g['theme'];?>/images/icons/icon_plus.gif" title="add server" width="17" height="17" border="0">
+ </a>
+ </td>
+ </tr>
+ <tr>
+ <td colspan="4">
+ <p>
+ <?=gettext("Additional OpenVPN servers can be added here.");?>
+ </p>
+ </td>
+ </tr>
+ </table>
+
+ <? endif; ?>
+
+ </td>
+ </tr>
+</table>
+<script language="JavaScript">
+<!--
+method_change();
+gwredir_change();
+dns_domain_change();
+dns_server_change();
+wins_server_change();
+ntp_server_change();
+netbios_change();
+//-->
+</script>
+</body>
+<?php include("fend.inc"); ?>
+
+<?php
+
+/* local utility functions */
+
+function set_checked($var,& $chk) {
+ if($var)
+ $chk = 'checked';
+ else
+ $chk = '';
+}
+
+?>
+
diff --git a/usr/local/www/vpn_openvpn_srv.php b/usr/local/www/vpn_openvpn_srv.php
deleted file mode 100755
index 2d194af..0000000
--- a/usr/local/www/vpn_openvpn_srv.php
+++ /dev/null
@@ -1,198 +0,0 @@
-<?php
-/*
- vpn_openvpn_srv.php
-
- Copyright (C) 2004 Peter Curran (peter@closeconsultants.com).
- Copyright (C) 2005 Peter Allgeyer (allgeyer@web.de).
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE. 
-*/
-
-require("guiconfig.inc");
-require_once("openvpn.inc");
-
-if (!is_array($config['ovpn']))
- $config['ovpn'] = array();
-if (!is_array($config['ovpn']['server'])){
- $config['ovpn']['server'] = array();
- $config['ovpn']['server']['tunnel'] = array();
-}
-
-$ovpnsrv = &$config['ovpn']['server']['tunnel'];
-
-$id = $_GET['id'];
-if (isset($_POST['id']))
- $id = $_POST['id'];
-
-
-if ($_POST['apply']) {
- $retval = 0;
- if (file_exists($d_sysrebootreqd_path)) {
- /* Rewrite interface definitions */
- $retval = ovpn_server_iface();
- } else {
- ovpn_lock();
- $retval = ovpn_server_iface();
- $retval = ovpn_config_server(false);
- ovpn_unlock();
- }
- if (file_exists($d_ovpnsrvdirty_path))
- unlink($d_ovpnsrvdirty_path);
- $savemsg = get_std_save_message($retval);
-}
-
-if ($_GET['act'] == "del") {
- if ($ovpnsrv[$id]) {
- $ovpnent = $ovpnsrv[$id];
- unset($ovpnsrv[$id]);
-
- /* Kill running processes */
- ovpn_server_kill($ovpnent['tun_iface']);
-
- /* Remove old certs & keys */
- ovpn_server_certs_del($ovpnent['tun_iface']);
-
- /* Remove interface from list of optional interfaces */
- ovpn_server_iface_del($ovpnent['tun_iface']);
-
- write_config();
- //touch($d_sysrebootreqd_path);
- header("Location: vpn_openvpn_srv.php");
- exit;
- }
-}
-
-$pgtitle = array("VPN","OpenVPN");
-include("head.inc");
-
-?>
-<?php include("fbegin.inc"); ?>
-<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-
-<?php if ($input_errors) print_input_errors($input_errors); ?>
-<?php if (file_exists($d_sysrebootreqd_path) && !file_exists($d_ovpnsrvdirty_path)) print_info_box(get_std_save_message(0)); ?>
-
-<form action="vpn_openvpn_srv.php" method="post" enctype="multipart/form-data" name="iform" id="iform">
-<?php if (file_exists($d_ovpnsrvdirty_path)): ?><p>
-<?php print_info_box_np("The OpenVPN server configuration has been changed.<br>You must apply the changes in order for them to take effect.");?>
-</p>
-<?php endif; ?>
-
-<table width="100%" border="0" cellpadding="0" 
cellspacing="0">
- <tr><td>
-<?php
- $tab_array = array();
- $tab_array[] = array("Server", true, "vpn_openvpn_srv.php");
- $tab_array[] = array("Client", false, "vpn_openvpn_cli.php");
- $tab_array[] = array("Client-specific Configuration", false, "vpn_openvpn_ccd.php");
- $tab_array[] = array("CRL", false, "vpn_openvpn_crl.php");
- display_top_tabs($tab_array);
-?>
- </td></tr>
-
- <tr>
- <td>
- <div id="mainarea">
- <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
- <tr>
- <td class="vtable">
- <strong><span class="red">WARNING: This feature is experimental and modifies your optional interface configuration.
- Backup your configuration before using OpenVPN, and restore it before upgrading.
- </span></strong>
- </td>
- </tr>
- </table>
-
- <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr>
- <td width="5%" class="listhdrr">Interface</td>
- <td width="5%" class="listhdrr">Protocol</td>
- <td width="5%" class="listhdrr">Socket</td>
- <td width="25%" class="listhdrr">IP Block</td>
- <td width="15%" class="listhdrr">Crypto</td>
- <td width="35%" class="listhdr">Description</td>
- <td width="10%" class="list"></td>
- </tr>
-
- <?php $i = 0; foreach ($ovpnsrv as $server):
- if (!isset($server['enable'])) {
- $spans = "<span class=\"gray\">";
- $spane = "</span>";
- } else {
- $spans = $spane = "";
- }
-
- if ($server['bind_iface'] == 'all')
- $ipaddr = "0.0.0.0";
- else
- $ipaddr = ovpn_get_ip($server['bind_iface']);
- ?>
-
- <tr>
- <td class="listlr"><?=$spans;?>
- <?php if ($interface = ovpn_get_opt_interface($server['tun_iface']))
- $iface = $config['interfaces'][$interface]['descr'];
- else $iface = strtoupper($server['tun_iface']);?>
- <?= $iface;?>
- <?=$spane;?></td>
- <td class="listr"><?=$spans;?>
- <?= strtoupper($server['proto']);?>
- <?=$spane;?></td>
- <td class="listr"><?=$spans;?>
- <?= $ipaddr.":".$server['port'];?>
- <?=$spane;?></td>
- <td nowrap class="listr"><?=$spans;?>
- <?php if 
($server['authentication_method'] == "pre_shared_key") {
- if ($server['type'] == "tun") {
- $ipblock = $server['lipaddr'] . " / " . $server['ripaddr'];
- } else {
- $ipblock = $server['lipaddr'] . "/" . $server['netmask'];
- }
- } else if (!$server['bridge'])
- $ipblock = $server['ipblock'] . "/" . $server['prefix'];
- else if ($server['range_from'])
- $ipblock = $server['range_from'] . " - " . $server['range_to'];
- else
- $ipblock = "--";?>
- <?= $ipblock;?>
- <?=$spane;?></td>
- <td class="listr"><?=$spans;?>
- <?= $server['crypto'];?>
- <?=$spane;?></td>
- <td class="listbg"><?=$spans;?>
- <?= htmlspecialchars($server['descr']);?>
- <?=$spane;?></td>
- <td valign="middle" nowrap class="list"> <a href="vpn_openvpn_srv_edit.php?id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit server configuration" width="17" height="17" border="0"></a>
- <a href="vpn_openvpn_srv.php?act=del&id=<?=$i;?>" onclick="return confirm('Do you really want to delete this server configuration?')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete server configuration" width="17" height="17" border="0"></a></td>
- </tr>
- <?php $i++; endforeach; ?>
- <tr>
- <td class="list" colspan="6"> </td>
- <td class="list"> <a href="vpn_openvpn_srv_edit.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add server configuration" width="17" height="17" border="0"></a></td>
- </tr>
- </table>
- </td>
-</tr>
-</table>
-</form>
-<?php include("fend.inc"); ?>
diff --git a/usr/local/www/vpn_openvpn_srv_edit.php b/usr/local/www/vpn_openvpn_srv_edit.php
deleted file mode 100755
index 35d4249..0000000
--- a/usr/local/www/vpn_openvpn_srv_edit.php
+++ /dev/null
@@ -1,1213 +0,0 @@ -<?php -/* - vpn_openvpn_srv_edit.php - - Copyright (C) 2004 Peter Curran (peter@closeconsultants.com). - Copyright (C) 2005 Peter Allgeyer (allgeyer@web.de). - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ - -##|+PRIV -##|*IDENT=page-vpn-openvpn-editserver -##|*NAME=VPN: OpenVPN: Edit server page -##|*DESCR=Allow access to the 'VPN: OpenVPN: Edit server' page. 
-##|*MATCH=vpn_openvpn_srv_edit.php* -##|-PRIV - - -require("guiconfig.inc"); -require_once("openvpn.inc"); - -if (!is_array($config['ovpn'])) - $config['ovpn'] = array(); -if (!is_array($config['ovpn']['server'])){ - $config['ovpn']['server'] = array(); - $config['ovpn']['server']['tunnel'] = array(); -} - -$ovpnsrv =& $config['ovpn']['server']['tunnel']; - -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; - -if (isset($id) && $ovpnsrv[$id]) { - $pconfig = $config['ovpn']['server']['tunnel'][$id]; - if (isset($ovpnsrv[$id]['enable'])) - $pconfig['enable'] = true; - if (!isset($ovpnsrv[$id]['method'])) - $pconfig['method'] = "ovpn"; - if (is_array($ovpnsrv[$id]['expertmode'])) { - $pconfig['expertmode_options'] = ""; - foreach ($ovpnsrv[$id]['expertmode']['option'] as $optent) { - $pconfig['expertmode_options'] .= $optent . "\n"; - } - $pconfig['expertmode_options'] = rtrim($pconfig['expertmode_options']); - } - -} else { - /* creating - set defaults */ - $pconfig = array(); - $pconfig['type'] = "tun"; - $pconfig['psh_options'] = array(); - /* Initialise with some sensible defaults */ - $pconfig['authentication_method'] = "rsasig"; - $pconfig['port'] = getnxt_port(); - $pconfig['proto'] = 'udp'; - $pconfig['method'] = 'ovpn'; - $pconfig['maxcli'] = ''; - $pconfig['crypto'] = 'BF-CBC'; - $pconfig['dupcn'] = false; - $pconfig['verb'] = 1; - $pconfig['enable'] = true; -} - -if ($_POST) { - - unset($input_errors); - unset($check_ipblock); - - /* input validation */ - $reqdfields = explode(" ", "type bind_iface"); - $reqdfieldsn = explode(",", "Tunnel type,Interface binding"); - - if ($_POST['authentication_method'] == "pre_shared_key") { - $reqdfields = array_merge($reqdfields, explode(" ", "lipaddr pre-shared-key")); - $reqdfieldsn = array_merge($reqdfieldsn, explode(",", "Local IP address,Pre-shared secret")); - - if ($_POST['type'] == "tun") { - /* tun */ - $reqdfields = array_merge($reqdfields, explode(" ", "ripaddr")); - $reqdfieldsn = 
array_merge($reqdfieldsn, explode(",", "Remote IP address")); - - /* subnet or ip address */ - if ($_POST['ripaddr']) { - if (!is_ipaddr($_POST['ripaddr'])) - $input_errors[] = "A valid static remote IP address must be specified."; - else if (ip2long($_POST['lipaddr']) == ip2long($_POST['ripaddr'])) - $input_errors[] = "Local IP address and remote IP address are the same."; - } - if ($_POST['lipaddr']) - if (!is_ipaddr($_POST['lipaddr'])) - $input_errors[] = "A valid local static IP address must be specified."; - - } else { - /* tap */ - if ($_POST['lipaddr']) { - if (!is_ipaddr($_POST['lipaddr'])) - $input_errors[] = "A valid local static IP address must be specified."; - if (gen_subnet($_POST['lipaddr'], $_POST['netmask']) == $_POST['lipaddr']) - $input_errors[] = "Local IP address is subnet address."; - if (gen_subnet_max($_POST['lipaddr'], $_POST['netmask']) == $_POST['lipaddr']) - $input_errors[] = "Local IP address is broadcast address."; - } - } - - if (intval($_POST['maxcli']) > 1) - $input_errors[] = "Maximum number of simultaneous clients should not be greater than \"1\"."; - - /* checked also by javascript */ - if ($_POST['method'] != "static") - $input_errors[] = "Only static address assignment is supported."; - - } else { - /* rsa */ - $reqdfields = array_merge($reqdfields, explode(" ", "ca_cert srv_cert srv_key dh_param")); - $reqdfieldsn = array_merge($reqdfieldsn, explode(",", "CA certificate,Server certificate,Server key,DH parameters")); - - if ($_POST['type'] == "tap") { - /* tap*/ - if (!$_POST['bridge']) { - if ($_POST['method'] == "ovpn") { - $reqdfields = array_merge($reqdfields, "ipblock"); - $reqdfieldsn = array_merge($reqdfieldsn, "IP address block"); - - $check_ipblock = 1; - } else { - $input_errors[] = "Only supported address assignment is \"Managed by OpenVPN\"."; - } - } else { - if ($_POST['method'] == "ovpn") { - $reqdfields = array_merge($reqdfields, explode(" ", "range_from range_to gateway")); - $reqdfieldsn = 
array_merge($reqdfieldsn, explode(",", "Range begin,Range end,Gateway")); - if (intval($_POST['maxcli']) > (ip2long($_POST['range_to']) - ip2long($_POST['range_from']) + 1)) - $input_errors[] = "IP range to small for maximum number of simultaneous clients."; - - } else if ($_POST['method'] != "dhcp") { - $input_errors[] = "Wrong or emtpy OpenVPN address assignment."; - } - } - - } else { - /* tun*/ - $reqdfields = array_merge($reqdfields, "ipblock"); - $reqdfieldsn = array_merge($reqdfieldsn, "IP address block"); - - /* checked also by javascript */ - if ($_POST['method'] != "ovpn") - $input_errors[] = "Only supported address assignment is \"Managed by OpenVPN\"."; - - $check_ipblock = 1; - } - - - /* valid IP */ - if ($_POST['ipblock'] && $check_ipblock) { - if (!is_ipaddr($_POST['ipblock'])) { - $input_errors[] = "A valid IP netblock must be specified."; - } else if ($_POST['type'] == "tun" && intval($_POST['prefix']) > 29) { - $input_errors[] = "Network mask too high for tun-style tunnels."; - } else { - $network = ip2long(gen_subnet($_POST['ipblock'], $_POST['prefix'])); - $broadcast = ip2long(gen_subnet_max($_POST['ipblock'], $_POST['prefix'])); - - if ($_POST['maxcli']) { - if ($_POST['type'] == "tap") { - if (intval($_POST['maxcli']) > ($broadcast - $network - 3)) - $input_errors[] = "Maximum number of simultaneous clients too high"; - } else { - if (intval($_POST['maxcli']) > floor(($broadcast - $network) / 4)) - $input_errors[] = "Maximum number of simultaneous clients too high"; - } - } - } - } - - /* Sort out the cert+key files */ - if (!empty($_POST['ca_cert']) && - (!strstr($_POST['ca_cert'], "BEGIN CERTIFICATE") || - !strstr($_POST['ca_cert'], "END CERTIFICATE"))) - $input_errors[] = "The CA certificate does not appear to be valid."; - - if (!empty($_POST['srv_cert']) && - (!strstr($_POST['srv_cert'], "BEGIN CERTIFICATE") || - !strstr($_POST['srv_cert'], "END CERTIFICATE"))) - $input_errors[] = "The server certificate does not appear to be valid."; - 
- if (!empty($_POST['srv_key']) && - (!strstr($_POST['srv_key'], "BEGIN RSA PRIVATE KEY") || - !strstr($_POST['srv_key'], "END RSA PRIVATE KEY"))) - $input_errors[] = "The server key does not appear to be valid."; - - if (!empty($_POST['dh_param']) && - (!strstr($_POST['dh_param'], "BEGIN DH PARAMETERS") || - !strstr($_POST['dh_param'], "END DH PARAMETERS"))) - $input_errors[] = "The DH parameters do not appear to be valid."; - - if (isset($_POST['tlsauth']) && empty($_POST['pre-shared-key'])) - $input_errors[] = "The field 'Pre-shared secret' is required."; - } - - do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); - - if (($_POST['range_from'] && !is_ipaddr($_POST['range_from']))) - $input_errors[] = "A valid range must be specified."; - - if (($_POST['range_to'] && !is_ipaddr($_POST['range_to']))) - $input_errors[] = "A valid range must be specified."; - - if ($_POST['gateway'] && !is_ipaddr($_POST['gateway'])) - $input_errors[] = "A valid gateway IP address must be specified."; - - /* make sure the range lies within the bridged subnet */ - if ($_POST['bridge']) { - if ($_POST['method'] == "ovpn") { - - $ipaddr = $config['interfaces'][$_POST['bridge']]['ipaddr']; - $subnet = $config['interfaces'][$_POST['bridge']]['subnet']; - - $subnet_start = (ip2long($ipaddr) & gen_subnet_mask_long($subnet)); - $subnet_end = (ip2long($ipaddr) | (~gen_subnet_mask_long($subnet))); - - if (!ip_in_subnet($_POST['gateway'], gen_subnet($ipaddr, $subnet) . "/" . 
$subnet)) - $input_errors[] = "The specified gateway lies outside of the bridged subnet."; - - if ((ip2long($_POST['range_from']) < $subnet_start) || (ip2long($_POST['range_from']) > $subnet_end) || - (ip2long($_POST['range_to']) < $subnet_start) || (ip2long($_POST['range_to']) > $subnet_end)) { - $input_errors[] = "The specified range lies outside of the bridged subnet."; - } - - if (ip2long($_POST['range_from']) > ip2long($_POST['range_to'])) - $input_errors[] = "The range is invalid (first element higher than second element)."; - } - } - - /* valid Port */ - if (empty($_POST['port'])) - $input_errors[] = "You must provide a server in between 1 and 65535."; - else if (!is_port($_POST['port'])) - $input_errors[] = "The server port must be an integer between 1 and 65535."; - - /* check if dynip is set correctly */ - if ($_POST['dynip'] && $_POST['bind_iface'] != 'all') - $input_errors[] = "Dynamic IP address can only be set with interface binding set to ALL."; - - if (!empty($_POST['pre-shared-key'])) - if (!strstr($_POST['pre-shared-key'], "BEGIN OpenVPN Static key") || - !strstr($_POST['pre-shared-key'], "END OpenVPN Static key")) - $input_errors[] = "Pre-shared secret does not appear to be valid."; - - if ($_POST['psh_pingrst'] && $_POST['psh_pingexit']) - $input_errors[] = "Ping-restart and Ping-exit are mutually exclusive and cannot be used together"; - - if ($_POST['psh_rtedelay'] && !is_numeric($_POST['psh_rtedelay_int'])) - $input_errors[] = "Route-delay needs a numerical interval setting."; - - if ($_POST['psh_inact'] && !is_numeric($_POST['psh_inact_int'])) - $input_errors[] = "Inactive needs a numerical interval setting."; - - if ($_POST['psh_ping'] && !is_numeric($_POST['psh_ping_int'])) - $input_errors[] = "Ping needs a numerical interval setting."; - - if ($_POST['psh_pingexit'] && !is_numeric($_POST['psh_pingexit_int'])) - $input_errors[] = "Ping-exit needs a numerical interval setting."; - - if ($_POST['psh_pingrst'] && 
!is_numeric($_POST['psh_pingrst_int'])) - $input_errors[] = "Ping-restart needs a numerical interval setting."; - - /* Editing an existing entry? */ - if (isset($id) && $ovpnsrv[$id]) { - $ovpnent = $ovpnsrv[$id]; - - /* bridging changed */ - if ($ovpnent['bridge'] != $_POST['bridge']) { - /* double bridging? */ - if ($_POST['bridge'] && - $_POST['type'] == "tap" && - $_POST['authentication_method'] == "rsasig") - $retval = check_bridging($_POST['bridge']); - - if (!empty($retval)) - $input_errors[] = $retval; - } - - /* port number syntactically valid, so lets check, if it is free */ - if (isset($ovpnent['enable']) && - !isset($_POST['disabled']) && - $ovpnent['port'] != $_POST['port']) { - /* port number has changed */ - - if (in_array($_POST['port'], used_port_list())) { - /* port in use, check binding */ - - /* return interfaces bind to this port */ - $bind_list = used_bind_list($_POST['port']); - - /* check if binding is in use */ - if (($_POST['bind_iface'] == "all") || - in_array("all", $bind_list) || - in_array($_POST['bind_iface'], $bind_list) ) { - $input_errors[] = "OpenVPN binding already in use by another OpenVPN daemon."; - } - } - } - - /* binding free? */ - if (isset($ovpnent['enable']) && - !isset($_POST['disabled']) && - $ovpnent['bind_iface'] != $_POST['bind_iface']) { - /* binding has changed, remove existing old entry from list */ - $entry = array(); - array_push($entry, $ovpnent['bind_iface']); - $bind_list = array_diff(used_bind_list($_POST['port']), $entry); - - if (count($bind_list)) { - if ($_POST['bind_iface'] == "all") - $input_errors[] = "Interface binding is already in use."; - else if (in_array("all", $bind_list) || - in_array($_POST['bind_iface'], $bind_list)) - $input_errors[] = "Interface binding is already in use."; - } - } - - /* Test Server type hasn't changed */ - if ($ovpnent['type'] != $_POST['type']) { - $input_errors[] = "Delete this interface first before changing the type of the tunnel to " . 
strtoupper($_POST['type']) ."."; - - } - - /* status changed to enable */ - if (!isset($ovpnent['enable']) && !isset($_POST['disabled'])) { - - /* check if port number is free */ - if (in_array($_POST['port'], used_port_list())) { - /* port in use, check binding */ - - /* return interfaces bind to this port */ - $bind_list = used_bind_list($_POST['port']); - - if (($_POST['bind_iface'] == "all") || - in_array("all", $bind_list ) || - in_array($_POST['bind_iface'], $bind_list) ) { - /* binding in use */ - $input_errors[] = "OpenVPN binding already in use by another OpenVPN daemon."; - } - } - } - - } else { - /* Creating a new entry */ - $ovpnent = array(); - - /* port number syntactically valid, so lets check, if it is free */ - if ($_POST['port']) { - /* new port number */ - $bind_list = used_bind_list($_POST['port']); - - if (in_array($_POST['port'], used_port_list())) { - /* port in use, check binding */ - if (($_POST['bind_iface'] == "all") || - in_array("all", $bind_list ) || - in_array($_POST['bind_iface'], $bind_list) ) { - /* binding in use */ - $input_errors[] = "Port {$_POST['port']} is already used for another interface."; - } - } - } - - if (!($ovpnent['tun_iface'] = getnxt_if($_POST['type']))) - $input_errors[] = "Run out of devices for a tunnel of type {$_POST['type']}"; - - /* double bridging? */ - if ($ovpnent['bridge'] != $_POST['bridge']) { - /* double bridging? */ - if ($_POST['bridge'] && - $_POST['type'] == "tap" && - $_POST['authentication_method'] == "rsasig") - $retval = check_bridging($_POST['bridge']); - - if (!empty($retval)) - $input_errors[] = $retval; - } - } - - if (!$input_errors) { - - $ovpnent['enable'] = isset($_POST['disabled']) ? 
false : true; - $ovpnent['bind_iface'] = $_POST['bind_iface']; - $ovpnent['port'] = $_POST['port']; - $ovpnent['proto'] = $_POST['proto']; - $ovpnent['type'] = $_POST['type']; - $ovpnent['method'] = $_POST['method']; - $ovpnent['authentication_method'] = $_POST['authentication_method']; - - /* convert IP address block to a correct network IP address */ - $ovpnent['ipblock'] = gen_subnet($_POST['ipblock'], $_POST['prefix']); - $ovpnent['prefix'] = $_POST['prefix']; - $ovpnent['lipaddr'] = $_POST['lipaddr']; - $ovpnent['ripaddr'] = $_POST['ripaddr']; - $ovpnent['netmask'] = $_POST['netmask']; - $ovpnent['range_from'] = $_POST['range_from']; - $ovpnent['range_to'] = $_POST['range_to']; - $ovpnent['gateway'] = $_POST['gateway']; - $ovpnent['bridge'] = $_POST['bridge']; - - $ovpnent['descr'] = $_POST['descr']; - $ovpnent['verb'] = $_POST['verb']; - $ovpnent['maxcli'] = $_POST['maxcli']; - $ovpnent['crypto'] = $_POST['crypto']; - $ovpnent['comp_method'] = $_POST['comp_method']; - $ovpnent['cli2cli'] = $_POST['cli2cli'] ? true : false; - $ovpnent['dupcn'] = $_POST['dupcn'] ? true : false; - $ovpnent['dynip'] = $_POST['dynip'] ? true : false; - $ovpnent['tlsauth'] = $_POST['tlsauth'] ? true : false; - $ovpnent['crlname'] = $_POST['crlname']; - - unset($ovpnent['pre-shared-key']); - if ($_POST['pre-shared-key']) - $ovpnent['pre-shared-key'] = base64_encode($_POST['pre-shared-key']); - - $ovpnent['psh_options']['redir'] = $_POST['psh_redir'] ? true : false; - $ovpnent['psh_options']['redir_loc'] = $_POST['psh_redir_loc'] ? true : false; - $ovpnent['psh_options']['rtedelay'] = $_POST['psh_rtedelay'] ? true : false; - $ovpnent['psh_options']['inact'] = $_POST['psh_inact'] ? true : false; - $ovpnent['psh_options']['ping'] = $_POST['psh_ping'] ? true : false; - $ovpnent['psh_options']['pingrst'] = $_POST['psh_pingrst'] ? true : false; - $ovpnent['psh_options']['pingexit'] = $_POST['psh_pingexit'] ? 
true : false; - - unset($ovpnent['psh_options']['rtedelay_int']); - unset($ovpnent['psh_options']['inact_int']); - unset($ovpnent['psh_options']['ping_int']); - unset($ovpnent['psh_options']['pingrst_int']); - unset($ovpnent['psh_options']['pingexit_int']); - - if ($_POST['psh_rtedelay_int']) - $ovpnent['psh_options']['rtedelay_int'] = $_POST['psh_rtedelay_int']; - if ($_POST['psh_inact_int']) - $ovpnent['psh_options']['inact_int'] = $_POST['psh_inact_int']; - if ($_POST['psh_ping_int']) - $ovpnent['psh_options']['ping_int'] = $_POST['psh_ping_int']; - if ($_POST['psh_pingrst_int']) - $ovpnent['psh_options']['pingrst_int'] = $_POST['psh_pingrst_int']; - if ($_POST['psh_pingexit_int']) - $ovpnent['psh_options']['pingexit_int'] = $_POST['psh_pingexit_int']; - - $ovpnent['ca_cert'] = base64_encode($_POST['ca_cert']); - $ovpnent['srv_cert'] = base64_encode($_POST['srv_cert']); - $ovpnent['srv_key'] = base64_encode($_POST['srv_key']); - $ovpnent['dh_param'] = base64_encode($_POST['dh_param']); - - /* expertmode params */ - $ovpnent['expertmode_enabled'] = $_POST['expertmode_enabled'] ? 
true : false; - - if (!is_array($options)) - $options = array(); - if (!is_array($ovpnent['expertmode'])) - $ovpnent['expertmode'] = array(); - - $options['option'] = array_map('trim', explode("\n", trim($_POST['expertmode_options']))); - $ovpnent['expertmode'] = $options; - - if (isset($id) && $ovpnsrv[$id]) - $ovpnsrv[$id] = $ovpnent; - else - $ovpnsrv[] = $ovpnent; - - write_config(); - ovpn_srv_dirty($ovpnent['tun_iface']); - - header("Location: vpn_openvpn_srv.php"); - exit; - } else { - - $pconfig = $_POST; - - $pconfig['enable'] = "true"; - if (isset($_POST['disabled'])) - unset($pconfig['enable']); - - $pconfig['pre-shared-key'] = base64_encode($_POST['pre-shared-key']); - $pconfig['ca_cert'] = base64_encode($_POST['ca_cert']); - $pconfig['srv_cert'] = base64_encode($_POST['srv_cert']); - $pconfig['srv_key'] = base64_encode($_POST['srv_key']); - $pconfig['dh_param'] = base64_encode($_POST['dh_param']); - - $pconfig['psh_options']['redir'] = $_POST['psh_redir']; - $pconfig['psh_options']['redir_loc'] = $_POST['psh_redir_loc']; - $pconfig['psh_options']['rtedelay'] = $_POST['psh_rtedelay']; - $pconfig['psh_options']['inact'] = $_POST['psh_inact']; - $pconfig['psh_options']['ping'] = $_POST['psh_ping']; - $pconfig['psh_options']['pingrst'] = $_POST['psh_pingrst']; - $pconfig['psh_options']['pingexit'] = $_POST['psh_pingexit']; - - $pconfig['psh_options']['rtedelay_int'] = $_POST['psh_rtedelay_int']; - $pconfig['psh_options']['inact_int'] = $_POST['psh_inact_int']; - $pconfig['psh_options']['ping_int'] = $_POST['psh_ping_int']; - $pconfig['psh_options']['pingrst_int'] = $_POST['psh_pingrst_int']; - $pconfig['psh_options']['pingexit_int'] = $_POST['psh_pingexit_int']; - } -} - -$pgtitle = array("VPN","OpenVPN","Edit server"); -include("head.inc"); - -?> -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php include("fbegin.inc"); ?> -<?php if ($input_errors) print_input_errors($input_errors);?> -<script language="JavaScript"> -function 
enable_change(enable_over) { - var endis; - endis = !(!document.iform.disabled.checked || enable_over); - - document.iform.proto[0].disabled = endis; - document.iform.proto[1].disabled = endis; - document.iform.port.disabled = endis; - document.iform.bind_iface.disabled = endis; - document.iform.dynip.disabled = endis; - document.iform.descr.disabled = endis; - document.iform.authentication_method.disabled = endis; - document.iform.ca_cert.disabled = endis; - document.iform.srv_cert.disabled = endis; - document.iform.srv_key.disabled = endis; - document.iform.dh_param.disabled = endis; - document.iform.crypto.disabled = endis; - document.iform.tlsauth.disabled = endis; - document.iform.crlname.disabled = endis; - document.iform.psk.disabled = endis; - document.iform.type[0].disabled = endis; - document.iform.type[1].disabled = endis; - document.iform.bridge.disabled = endis; - document.iform.method[0].disabled = endis; - document.iform.method[1].disabled = endis; - document.iform.method[2].disabled = endis; - document.iform.maxcli.disabled = endis; - document.iform.ipblock.disabled = endis; - document.iform.prefix.disabled = endis; - document.iform.range_from.disabled = endis; - document.iform.range_to.disabled = endis; - document.iform.gateway.disabled = endis; - document.iform.lipaddr.disabled = endis; - document.iform.ripaddr.disabled = endis; - document.iform.netmask.disabled = endis; - document.iform.cli2cli.disabled = endis; - document.iform.dupcn.disabled = endis; - document.iform.comp_method.disabled = endis; - document.iform.psh_redir.disabled = endis; - document.iform.psh_redir_loc.disabled = endis; - document.iform.psh_rtedelay.disabled = endis; - document.iform.psh_rtedelay_int.disabled = endis; - document.iform.psh_inact.disabled = endis; - document.iform.psh_inact_int.disabled = endis; - document.iform.psh_ping.disabled = endis; - document.iform.psh_ping_int.disabled = endis; - document.iform.psh_pingexit.disabled = endis; - 
document.iform.psh_pingexit_int.disabled = endis; - document.iform.psh_pingrst.disabled = endis; - document.iform.psh_pingrst_int.disabled = endis; - document.iform.expertmode_enabled.disabled = endis; - document.iform.expertmode_options.disabled = endis; - - if (!document.iform.disabled.checked) { - type_change(); - tls_change(enable_over); - expertmode_change(enable_over); - methodsel_change(enable_over); - } -} - -function type_change() { - switch (document.iform.bind_iface.selectedIndex) { - /* ALL */ - case 0: - document.iform.dynip.disabled = 0; - break; - default: - document.iform.dynip.disabled = 1; - } -} - -function tls_change(enable_over) { - var endis; - endis = !(document.iform.tlsauth.checked || enable_over); - - document.iform.psk.disabled = endis; -} - -function expertmode_change(enable_over) { - var endis; - endis = !(document.iform.expertmode_enabled.checked || enable_over); - - document.iform.expertmode_options.disabled = endis; -} - -function methodsel_change(enable_over) { - var endis; - - switch (document.iform.authentication_method.selectedIndex) { - case 1: /* rsa */ - if (get_radio_value(document.iform.type) == "tap") { - /* tap */ - - endis = !((document.iform.bridge.selectedIndex == 0) || enable_over); - - if (document.iform.bridge.selectedIndex == 0) - document.iform.method[0].checked = 1; - - document.iform.method[0].disabled = 0; - document.iform.method[1].disabled = !endis; - document.iform.method[2].disabled = 1; - document.iform.method[2].checked = 0; - document.iform.bridge.disabled = 0; - - if (get_radio_value(document.iform.method) == "ovpn") { - document.iform.ipblock.disabled = endis; - document.iform.prefix.disabled = endis; - document.iform.range_from.disabled = !endis; - document.iform.range_to.disabled = !endis; - document.iform.gateway.disabled = !endis; - } else if (get_radio_value(document.iform.method) == "dhcp") { - document.iform.ipblock.disabled = 1; - document.iform.prefix.disabled = 1; - 
document.iform.range_from.disabled = 1; - document.iform.range_to.disabled = 1; - document.iform.gateway.disabled = 1; - } - } else { - /* tun */ - document.iform.method[0].disabled = 0; - document.iform.method[0].checked = 1; - document.iform.method[1].disabled = 1; - document.iform.method[2].disabled = 1; - document.iform.bridge.disabled = 1; - document.iform.bridge.selectedIndex = 0; - document.iform.ipblock.disabled = 0; - document.iform.prefix.disabled = 0; - document.iform.range_from.disabled = 1; - document.iform.range_to.disabled = 1; - document.iform.gateway.disabled = 1; - } - - document.iform.psk.disabled = 1; - document.iform.ca_cert.disabled = 0; - document.iform.srv_cert.disabled = 0; - document.iform.srv_key.disabled = 0; - document.iform.dh_param.disabled = 0; - document.iform.tlsauth.disabled = 0; - document.iform.crlname.disabled = 0; - document.iform.maxcli.disabled = 0; - document.iform.dupcn.disabled = 0; - document.iform.lipaddr.disabled = 1; - document.iform.ripaddr.disabled = 1; - document.iform.netmask.disabled = 1; - document.iform.cli2cli.disabled = 0; - document.iform.psh_redir.disabled = 0; - document.iform.psh_redir_loc.disabled = 0; - document.iform.psh_rtedelay.disabled = 0; - document.iform.psh_rtedelay_int.disabled = 0; - document.iform.psh_inact.disabled = 0; - document.iform.psh_inact_int.disabled = 0; - document.iform.psh_ping.disabled = 0; - document.iform.psh_ping_int.disabled = 0; - document.iform.psh_pingexit.disabled = 0; - document.iform.psh_pingexit_int.disabled = 0; - document.iform.psh_pingrst.disabled = 0; - document.iform.psh_pingrst_int.disabled = 0; - tls_change(); - break; - default: /* pre-shared */ - if (get_radio_value(document.iform.type) == "tap") { - /* tap */ - document.iform.ripaddr.disabled = 1; - document.iform.netmask.disabled = 0; - } else { - /* tun */ - document.iform.ripaddr.disabled = 0; - document.iform.netmask.disabled = 1; - } - - document.iform.psk.disabled = 0; - document.iform.ca_cert.disabled 
= 1; - document.iform.srv_cert.disabled = 1; - document.iform.srv_key.disabled = 1; - document.iform.dh_param.disabled = 1; - document.iform.tlsauth.disabled = 1; - document.iform.crlname.disabled = 1; - - document.iform.method[0].disabled = 1; - document.iform.method[1].disabled = 1; - document.iform.method[2].disabled = 0; - document.iform.method[2].checked = 1; - document.iform.bridge.disabled = 1; - document.iform.bridge.selectedIndex = 0; - document.iform.ipblock.disabled = 1; - document.iform.prefix.disabled = 1; - document.iform.range_from.disabled = 1; - document.iform.range_to.disabled = 1; - document.iform.gateway.disabled = 1; - document.iform.lipaddr.disabled = 0; - document.iform.maxcli.disabled = 1; - document.iform.maxcli.value = ""; - document.iform.dupcn.disabled = 1; - document.iform.dupcn.checked = 0; - document.iform.cli2cli.disabled = 1; - document.iform.cli2cli.checked = 0; - document.iform.psh_redir.disabled = 1; - document.iform.psh_redir_loc.disabled = 1; - document.iform.psh_rtedelay.disabled = 1; - document.iform.psh_rtedelay_int.disabled = 1; - document.iform.psh_inact.disabled = 1; - document.iform.psh_inact_int.disabled = 1; - document.iform.psh_ping.disabled = 1; - document.iform.psh_ping_int.disabled = 1; - document.iform.psh_pingexit.disabled = 1; - document.iform.psh_pingexit_int.disabled = 1; - document.iform.psh_pingrst.disabled = 1; - document.iform.psh_pingrst_int.disabled = 1; - break; - } - - if (enable_over) { - document.iform.psk.disabled = 0; - document.iform.ca_cert.disabled = 0; - document.iform.srv_cert.disabled = 0; - document.iform.srv_key.disabled = 0; - document.iform.dh_param.disabled = 0; - document.iform.tlsauth.disabled = 0; - document.iform.crlname.disabled = 0; - document.iform.bridge.disabled = 0; - document.iform.ipblock.disabled = 0; - document.iform.prefix.disabled = 0; - document.iform.range_from.disabled = 0; - document.iform.range_to.disabled = 0; - document.iform.gateway.disabled = 0; - 
document.iform.lipaddr.disabled = 0; - document.iform.ripaddr.disabled = 0; - document.iform.netmask.disabled = 0; - document.iform.maxcli.disabled = 0; - document.iform.method[0].disabled = 0; - document.iform.method[1].disabled = 0; - document.iform.method[2].disabled = 0; - } -} - -function get_radio_value(obj) { - for (i = 0; i < obj.length; i++) { - if (obj[i].checked) - return obj[i].value; - } - return null; -} - -//--> -</script> -<form action="vpn_openvpn_srv_edit.php" method="post" enctype="multipart/form-data" name="iform" id="iform"> -<strong><span class="red">WARNING: This feature is experimental and modifies your optional interface configuration. - Backup your configuration before using OpenVPN, and restore it before upgrading.<br> <br> -</span></strong> -<table width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> - <td width="22%" valign="top" class="vncellreq">Disabled</td> - <td width="78%" class="vtable"> - <input name="disabled" type="checkbox" value="yes" onclick="enable_change(false)" <?php if (!isset($pconfig['enable'])) echo "checked"; ?>> - <strong>Disable this server</strong><br> - <span class="vexpl">Set this option to disable this server without removing it from the list.</span> - </td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncell">OpenVPN protocol/port</td> - <td width="78%" class="vtable"> - <input type="radio" name="proto" class="formfld" value="udp" <?php if ($pconfig['proto'] == 'udp') echo "checked"; ?>> - UDP - <input type="radio" name="proto" class="formfld" value="tcp" <?php if ($pconfig['proto'] == 'tcp') echo "checked"; ?>> - TCP<br><br> - Port: - <input name="port" type="text" class="formfld" size="5" maxlength="5" value="<?= $pconfig['port']; ?>"><br> - Enter the port number to use for the server (default is 1194).</td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncellreq">Interface binding</td> - <td width="78%" class="vtable"> - <select name="bind_iface" class="formfld" 
onchange="type_change()"> - <?php - $interfaces = ovpn_real_interface_list(); - foreach ($interfaces as $key => $iface): - ?> - <option value="<?=$key;?>" <?php if ($key == $pconfig['bind_iface']) echo "selected"; ?>> <?= $iface;?> - </option> - <?php endforeach;?> - </select> - <span class="vexpl"><br> - Choose an interface for the OpenVPN server to listen on.</span></td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncell">Dynamic IP address</td> - <td width="78%" class="vtable"> - <input name="dynip" type="checkbox" value="yes" <?php if (isset($pconfig['dynip'])) echo "checked"; ?>> - <strong>Dynamic IP address</strong><br> - Set this option to on, if your IP addresses are being assigned dynamically. Can only be used with interface binding set to ALL.</td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncell">Description</td> - <td width="78%" class="vtable"> - <input name="descr" type="text" class="formfld" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>"> - <br> <span class="vexpl">You may enter a description here for your reference (not parsed).</span></td> - </tr> - - <tr> - <td colspan="2" valign="top" height="12"></td> - </tr> - <tr> - <td colspan="2" valign="top" class="listtopic">Cryptographic options</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Authentication method</td> - <td width="78%" class="vtable"> - <select name="authentication_method" class="formfld" onChange="methodsel_change(false)"> - <?php foreach ($p1_authentication_methods as $method => $methodname): ?> - <option value="<?=$method;?>" <?php if ($method == $pconfig['authentication_method']) echo "selected"; ?>> - <?=htmlspecialchars($methodname);?> - </option> - <?php endforeach; ?> - </select> <br> <span class="vexpl">Must match the setting chosen on the remote side.</span></td> - </tr> - - <tr> - <td width="22%" valign="top" class="vncellreq">CA certificate</td> - <td width="78%" class="vtable"> - <textarea name="ca_cert" 
cols="65" rows="4" class="formpre"><?=htmlspecialchars(base64_decode($pconfig['ca_cert']));?></textarea>
- <br>
- Paste a CA certificate in X.509 PEM format here.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncellreq">Server certificate</td>
- <td width="78%" class="vtable">
- <textarea name="srv_cert" cols="65" rows="4" class="formpre"><?=htmlspecialchars(base64_decode($pconfig['srv_cert']));?></textarea>
- <br>
- Paste a server certificate in X.509 PEM format here.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncellreq">Server key</td>
- <td width="78%" class="vtable">
- <textarea name="srv_key" cols="65" rows="4" class="formpre"><?=htmlspecialchars(base64_decode($pconfig['srv_key']));?></textarea>
- <br>Paste the server RSA private key here.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncellreq">DH parameters</td>
- <td width="78%" class="vtable">
- <textarea name="dh_param" cols="65" rows="4" class="formpre"><?=htmlspecialchars(base64_decode($pconfig['dh_param']));?></textarea>
- <br>
- Paste the Diffie-Hellman parameters in PEM format here.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">Crypto</td>
- <td width="78%" class="vtable">
- <select name="crypto" class="formfld">
- <?php $cipher_list = ovpn_get_cipher_list();
- foreach($cipher_list as $key => $value){
- ?>
- <option value="<?= $key ?>" <?php if ($pconfig['crypto'] == $key) echo "selected"; ?>>
- <?= $value ?>
- </option>
- <?php
- }
- ?>
- </select>
- <br>
- Select a data channel encryption cipher.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">TLS auth</td>
- <td width="78%" class="vtable">
- <input name="tlsauth" type="checkbox" value="yes" <?php if (isset($pconfig['tlsauth'])) echo "checked";?> onclick="tls_change(false)">
- <strong>TLS auth</strong><br>
- The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncellreq">Pre-shared secret</td>
- <td width="78%" class="vtable">
- <textarea name="pre-shared-key" id="psk" cols="65" rows="4" class="formpre"><?=htmlspecialchars(base64_decode($pconfig['pre-shared-key']));?></textarea>
- <br>
- Paste your own pre-shared secret here.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">CRL</td>
- <td width="78%" class="vtable">
- <select name="crlname" class="formfld" id="crlname">
- <option <?php if (!$pconfig['crlname']) echo "selected";?> value="">none</option>
- <?php $crl_list = ovpn_get_crl_list();
- foreach($crl_list as $crlname): ?>
- <option value="<?=$crlname;?>" <?php if ($crlname == $pconfig['crlname']) echo "selected";?>>
- <?=htmlspecialchars($crlname);?>
- </option>
- <?php endforeach; ?>
- </select>
- <br> <span class="vexpl">
- You can choose a CRL (certificate revocation list) file in PEM format here.
- Each peer certificate is checked against this file.</span></td>
- </tr>
-
- <tr>
- <td colspan="2" valign="top" height="12"></td>
- </tr>
- <tr>
- <td colspan="2" valign="top" class="listtopic">IP configuration</td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncellreq">Tunnel type</td>
- <td width="78%" class="vtable">
- <input type="radio" name="type" class="formfld" value="tun" onclick="methodsel_change(false)" <?php if ($pconfig['type'] == 'tun') echo "checked"; ?>>
- TUN
- <input type="radio" name="type" class="formfld" value="tap" onclick="methodsel_change(false)" <?php if ($pconfig['type'] == 'tap') echo "checked"; ?>>
- TAP
- </td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncellreq">Bridge with</td>
- <td width="78%" class="vtable">
- <select name="bridge" class="formfld" id="bridge" onChange="methodsel_change(false)">
- <option <?php if (!$pconfig['bridge']) echo "selected";?> value="">none</option>
- <?php $iflist = get_configured_interface_with_descr();
- foreach ($iflist as $if => $ifdesc) {
- if (!($config['interfaces'][$if]['ovpn']))
- $opts[$if] = "Optional " . $if . " (" . $ifdesc . ")";
- }
- foreach ($opts as $opt => $optname): ?>
- <option <?php if ($opt == $pconfig['bridge']) echo "selected";?> value="<?=htmlspecialchars($opt);?>">
- <?=htmlspecialchars($optname);?>
- </option>
- <?php endforeach; ?>
- </select> <br> <span class="vexpl">Only supported with authentication method set to RSA signature.</span>
- </td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncellreq">OpenVPN address assignment</td>
- <td width="78%" class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td colspan="2"><input name="method" type="radio" id="method" value="ovpn" onclick="methodsel_change(false)" <?php if($pconfig['method'] == "ovpn" || $pconfig['type'] == "tun") echo "checked"; ?>>
- Managed by OpenVPN
- </td>
- </tr>
- <tr>
- <td colspan="2"><input name="method" type="radio" id="method" value="dhcp" onclick="methodsel_change(false)" <?php if($pconfig['method'] == "dhcp") echo "checked"; ?>>
- Configure manually or by DHCP Server
- </td>
- </tr>
- <tr>
- <td colspan="2"><input name="method" type="radio" id="method" value="static" onclick="methodsel_change(false)" <?php if($pconfig['method'] == "static") echo "checked"; ?>>
- Static assignment
- </td>
- </tr>
- <tr>
- <td> </td>
- <td> </td>
- </tr>
- <tr>
- <td>Maximum number of simultaneous clients: <br>(leave blank to disable)</td>
- <td valign="top">
- <input name="maxcli" type="text" class="formfld" size="3" maxlength="3" value="<?=htmlspecialchars($pconfig['maxcli']);?>">
- </td>
- </tr>
- </table>
- </td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell"></td>
- <td width="78%" class="vtable">
- When using OpenVPN for address assignment, set aside a pool of subnets to be
- dynamically allocated to connecting clients, similar to a DHCP server.<br>
- <br>
- For tun-style tunnels, each client will be given a /30 subnet
- (for interoperability with Windows clients).<br>
- For tap-style tunnels, individual addresses will be allocated, and the optional
- netmask parameter will also be pushed to clients.<br>
- <br>
-
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td>IP address block: </td>
- <td valign="top"><input name="ipblock" type="text" class="formfld" size="20" value="<?=htmlspecialchars($pconfig['ipblock']);?>">
- /
- <select name="prefix" class="formfld">
- <?php for ($i = 30; $i > 19; $i--): ?>
- <option value="<?=$i;?>" <?php if ($i == $pconfig['prefix']) echo "selected"; ?>>
- <?=$i;?>
- </option>
- <?php endfor; ?>
- </select>
- </td>
- </tr>
- </table>
- </td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell"></td>
- <td width="78%" class="vtable">
- For bridges interfaces OpenVPN will allocate
- an IP range in the bridged subnet to connecting clients.<br><br>
- The gateway and netmask parameters
- can be set to either the IP of the bridge interface, or to
- the IP of the default gateway/router on the bridged subnet.<br>
- <br>
-
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td>Range: </td>
- <td valign="top"><input name="range_from" type="text" class="formfld" size="20" value="<?=htmlspecialchars($pconfig['range_from']);?>">
- to <input name="range_to" type="text" class="formfld" size="20" value="<?=htmlspecialchars($pconfig['range_to']);?>">
- </td>
- </tr>
-
- <tr>
- <td>Gateway: </td>
- <td valign="top"><input name="gateway" type="text" class="formfld" size="20" value="<?=htmlspecialchars($pconfig['gateway']);?>">
- </td>
- </tr>
- </table>
- </td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell"> </td>
- <td width="78%" class="vtable">
- When using pre-shared keys, enter the IP address and subnet mask
- of the local and remote VPN endpoint here. For TAP devices, only the
- IP address of the local VPN endpoint is needed. The netmask is the subnet mask
- of the virtual ethernet segment which is being created or connected to.<br>
- <br>
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td>Local IP address: </td>
- <td valign="top"><input name="lipaddr" id="lipaddr" type="text" class="formfld" size="20" value="<?=htmlspecialchars($pconfig['lipaddr']);?>">
- /
- <select name="netmask" id="netmask" class="formfld">
- <?php for ($i = 30; $i > 19; $i--): ?>
- <option value="<?=$i;?>" <?php if ($i == $pconfig['netmask']) echo "selected"; ?>>
- <?=$i;?>
- </option>
- <?php endfor; ?>
- </select>
- </td>
- </tr>
-
- <tr>
- <td>Remote IP address: </td>
- <td valign="top"><input name="ripaddr" id="ripaddr" type="text" class="formfld" size="20" value="<?=htmlspecialchars($pconfig['ripaddr']);?>">
- </td>
- </tr>
- </table>
- </td>
- </tr>
-
- <tr>
- <td colspan="2" valign="top" height="12"></td>
- </tr>
- <tr>
- <td colspan="2" valign="top" class="listtopic">Server Options</td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncell">Internal routing mode</td>
- <td width="78%" class="vtable">
- <input name="cli2cli" type="checkbox" value="yes" <?php if (isset($pconfig['cli2cli'])) echo "checked"; ?>>
- <strong>Enable client-to-client routing</strong><br>
- If this option is on, clients are allowed to talk to each other.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">Client authentication</td>
- <td width="78%" class="vtable">
- <input name="dupcn" type="checkbox" value="yes" <?php if (isset($pconfig['dupcn'])) echo "checked"; ?>>
- <strong>Permit duplicate client certificates</strong><br>
- If this option is on, clients with duplicate certificates will not be disconnected.</td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">Compression method</td>
- <td width="78%" class="vtable">
- <select name="comp_method" class="formfld" id="comp_method">
- <option <?php if (!$pconfig['comp_method']) echo "selected";?> value="">none</option>
- <?php $compression_method = array('lzo' => 'LZO', 'noadapt' => 'LZO (no adaptive)');
- foreach($compression_method as $comp_method => $comp_methodname): ?>
- <option value="<?=$comp_method;?>"
- <?php if ($comp_method == $pconfig['comp_method']) echo "selected";?>>
- <?=htmlspecialchars($comp_methodname);?>
- </option>
- <?php endforeach; ?>
- </select>
- <br>
- Choose which compression method to use.<br>
- <br>
- LZO compression generally improves performance on slow links,
- but may add up to 1 byte per packet for incompressible data.<br>
- <br>
- With adaptive compression, OpenVPN will periodically sample the
- compression process to measure its efficiency. If the data being
- sent over the tunnel is already compressed, the compression
- efficiency will be very low. Choose 'LZO (no adaptive)'
- to disable OpenVPN's adaptive compression algorithm.
- </td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">Client-push options</td>
- <td width="78%" class="vtable">
- <table border="0" cellspacing="0" cellpadding="0">
- <tr>
- <td><input type="checkbox" name="psh_redir" value="yes" <?php if (isset($pconfig['psh_options']['redir'])) echo "checked"; ?>>
- Redirect-gateway</td>
- <td> </td>
- <td><input type="checkbox" name="psh_redir_loc" value="yes" <?php if (isset($pconfig['psh_options']['redir_loc'])) echo "checked"; ?>>
- Local</td>
- </tr>
- <tr>
- <td><input type="checkbox" name="psh_rtedelay" value="yes" <?php if (isset($pconfig['psh_options']['rtedelay'])) echo "checked"; ?>> Route-delay</td>
- <td width="16"> </td>
- <td><input type="text" name="psh_rtedelay_int" class="formfld" size="4" value="<?= $pconfig['psh_options']['rtedelay_int']?>"> seconds</td>
- </tr>
- <tr>
- <td><input type="checkbox" name="psh_inact" value="yes" <?php if (isset($pconfig['psh_options']['inact'])) echo "checked"; ?>>
- Inactive</td>
- <td> </td>
- <td><input type="text" name="psh_inact_int" class="formfld" size="4" value="<?= $pconfig['psh_options']['inact_int']?>">
- seconds</td>
- </tr>
- <tr>
- <td><input type="checkbox" name="psh_ping" value="yes" <?php if (isset($pconfig['psh_options']['ping'])) echo "checked"; ?>> Ping</td>
- <td> </td>
- <td>Interval: <input type="text" name="psh_ping_int" class="formfld" size="4" value="<?= $pconfig['psh_options']['ping_int']?>"> seconds</td>
- </tr>
- <tr>
- <td><input type="checkbox" name="psh_pingexit" value="yes" <?php if (isset($pconfig['psh_options']['pingexit'])) echo "checked"; ?>> Ping-exit</td>
- <td> </td>
- <td>Interval: <input type="text" name="psh_pingexit_int" class="formfld" size="4" value="<?= $pconfig['psh_options']['pingexit_int']?>"> seconds</td>
- </tr>
- <tr>
- <td><input type="checkbox" name="psh_pingrst" value="yes" <?php if (isset($pconfig['psh_options']['pingrst'])) echo "checked"; ?>> Ping-restart</td>
- <td> </td>
- <td>Interval: <input type="text" name="psh_pingrst_int" class="formfld" size="4" value="<?= $pconfig['psh_options']['pingrst_int']?>"> seconds</td>
- </tr>
- </table></td>
- </tr>
-
- <tr>
- <td width="22%" valign="top" class="vncell">Expert mode</td>
- <td width="78%" class="vtable">
- <input name="expertmode_enabled" type="checkbox" value="yes" onclick="expertmode_change(false);" <?php if (isset($pconfig['expertmode_enabled'])) echo "checked"; ?>>
- <strong>Enable expert OpenVPN mode</strong><br>
- If this option is on, you can specify your own extra commands for the OpenVPN server.<br/>
- <textarea name="expertmode_options" id="expertmode_options" cols="65" rows="4" class="formpre"><?=htmlspecialchars($pconfig['expertmode_options']);?></textarea>
- <strong><span class="red">Note:</span></strong><br>
- Commands in expert mode aren't supported.
- </td>
- </tr>
-
- <tr>
- <td width="22%" valign="top"> </td>
- <td width="78%">
- <input name="Submit" type="submit" class="formbtn" value="Save" onclick="methodsel_change(true);tls_change(true);expertmode_change(true);enable_change(true)">
- <input name="verb" type="hidden" value="<?=$pconfig['verb'];?>">
- <?php if (isset($id)): ?>
- <input name="id" type="hidden" value="<?=$id;?>">
- <?php endif; ?>
- </td>
- </tr>
-</table>
-</form>
-<script language="JavaScript">
-<!--
-type_change();
-tls_change(false);
-methodsel_change(false);
-expertmode_change(false);
-enable_change(false);
-//-->
-</script>
-<?php include("fend.inc");
-?> |