"; } if ($_GET['act'] == "new") { $pconfig['autokey_enable'] = "yes"; $pconfig['tlsauth_enable'] = "yes"; $pconfig['autotls_enable'] = "yes"; $pconfig['interface'] = "wan"; $pconfig['server_port'] = 1194; $pconfig['verbosity_level'] = 1; // Default verbosity is 1 // OpenVPN Defaults to SHA1 $pconfig['digest'] = "SHA1"; } global $simplefields; $simplefields = array('auth_user', 'auth_pass'); if ($_GET['act'] == "edit") { if (isset($id) && $a_client[$id]) { foreach ($simplefields as $stat) { $pconfig[$stat] = $a_client[$id][$stat]; } $pconfig['disable'] = isset($a_client[$id]['disable']); $pconfig['mode'] = $a_client[$id]['mode']; $pconfig['protocol'] = $a_client[$id]['protocol']; $pconfig['interface'] = $a_client[$id]['interface']; if (!empty($a_client[$id]['ipaddr'])) { $pconfig['interface'] = $pconfig['interface'] . '|' . $a_client[$id]['ipaddr']; } $pconfig['local_port'] = $a_client[$id]['local_port']; $pconfig['server_addr'] = $a_client[$id]['server_addr']; $pconfig['server_port'] = $a_client[$id]['server_port']; $pconfig['resolve_retry'] = $a_client[$id]['resolve_retry']; $pconfig['proxy_addr'] = $a_client[$id]['proxy_addr']; $pconfig['proxy_port'] = $a_client[$id]['proxy_port']; $pconfig['proxy_user'] = $a_client[$id]['proxy_user']; $pconfig['proxy_passwd'] = $a_client[$id]['proxy_passwd']; $pconfig['proxy_authtype'] = $a_client[$id]['proxy_authtype']; $pconfig['description'] = $a_client[$id]['description']; $pconfig['custom_options'] = $a_client[$id]['custom_options']; $pconfig['ns_cert_type'] = $a_client[$id]['ns_cert_type']; $pconfig['dev_mode'] = $a_client[$id]['dev_mode']; if ($pconfig['mode'] != "p2p_shared_key") { $pconfig['caref'] = $a_client[$id]['caref']; $pconfig['certref'] = $a_client[$id]['certref']; if ($a_client[$id]['tls']) { $pconfig['tlsauth_enable'] = "yes"; $pconfig['tls'] = base64_decode($a_client[$id]['tls']); } } else { $pconfig['shared_key'] = base64_decode($a_client[$id]['shared_key']); } $pconfig['crypto'] = $a_client[$id]['crypto']; // OpenVPN Defaults to SHA1 if unset $pconfig['digest'] = !empty($a_client[$id]['digest']) ? $a_client[$id]['digest'] : "SHA1"; $pconfig['engine'] = $a_client[$id]['engine']; $pconfig['tunnel_network'] = $a_client[$id]['tunnel_network']; $pconfig['tunnel_networkv6'] = $a_client[$id]['tunnel_networkv6']; $pconfig['remote_network'] = $a_client[$id]['remote_network']; $pconfig['remote_networkv6'] = $a_client[$id]['remote_networkv6']; $pconfig['use_shaper'] = $a_client[$id]['use_shaper']; $pconfig['compression'] = $a_client[$id]['compression']; $pconfig['passtos'] = $a_client[$id]['passtos']; // just in case the modes switch $pconfig['autokey_enable'] = "yes"; $pconfig['autotls_enable'] = "yes"; $pconfig['no_tun_ipv6'] = $a_client[$id]['no_tun_ipv6']; $pconfig['route_no_pull'] = $a_client[$id]['route_no_pull']; $pconfig['route_no_exec'] = $a_client[$id]['route_no_exec']; if (isset($a_client[$id]['verbosity_level'])) { $pconfig['verbosity_level'] = $a_client[$id]['verbosity_level']; } else { $pconfig['verbosity_level'] = 1; // Default verbosity is 1 } } } if ($_POST) { unset($input_errors); $pconfig = $_POST; if (isset($id) && $a_client[$id]) { $vpnid = $a_client[$id]['vpnid']; } else { $vpnid = 0; } list($iv_iface, $iv_ip) = explode ("|", $pconfig['interface']); if (is_ipaddrv4($iv_ip) && (stristr($pconfig['protocol'], "6") !== false)) { $input_errors[] = gettext("Protocol and IP address families do not match. You cannot select an IPv6 protocol and an IPv4 IP address."); } elseif (is_ipaddrv6($iv_ip) && (stristr($pconfig['protocol'], "6") === false)) { $input_errors[] = gettext("Protocol and IP address families do not match. You cannot select an IPv4 protocol and an IPv6 IP address."); } elseif ((stristr($pconfig['protocol'], "6") === false) && !get_interface_ip($iv_iface) && ($pconfig['interface'] != "any")) { $input_errors[] = gettext("An IPv4 protocol was selected, but the selected interface has no IPv4 address."); } elseif ((stristr($pconfig['protocol'], "6") !== false) && !get_interface_ipv6($iv_iface) && ($pconfig['interface'] != "any")) { $input_errors[] = gettext("An IPv6 protocol was selected, but the selected interface has no IPv6 address."); } if ($pconfig['mode'] != "p2p_shared_key") { $tls_mode = true; } else { $tls_mode = false; } /* input validation */ if ($pconfig['local_port']) { if ($result = openvpn_validate_port($pconfig['local_port'], 'Local port')) { $input_errors[] = $result; } $portused = openvpn_port_used($pconfig['protocol'], $pconfig['interface'], $pconfig['local_port'], $vpnid); if (($portused != $vpnid) && ($portused != 0)) { $input_errors[] = gettext("The specified 'Local port' is in use. Please select another value"); } } if ($result = openvpn_validate_host($pconfig['server_addr'], 'Server host or address')) { $input_errors[] = $result; } if ($result = openvpn_validate_port($pconfig['server_port'], 'Server port')) { $input_errors[] = $result; } if ($pconfig['proxy_addr']) { if ($result = openvpn_validate_host($pconfig['proxy_addr'], 'Proxy host or address')) { $input_errors[] = $result; } if ($result = openvpn_validate_port($pconfig['proxy_port'], 'Proxy port')) { $input_errors[] = $result; } if ($pconfig['proxy_authtype'] != "none") { if (empty($pconfig['proxy_user']) || empty($pconfig['proxy_passwd'])) { $input_errors[] = gettext("User name and password are required for proxy with authentication."); } } } if ($pconfig['tunnel_network']) { if ($result = openvpn_validate_cidr($pconfig['tunnel_network'], 'IPv4 Tunnel Network', false, "ipv4")) { $input_errors[] = $result; } } if ($pconfig['tunnel_networkv6']) { if ($result = openvpn_validate_cidr($pconfig['tunnel_networkv6'], 'IPv6 Tunnel Network', false, "ipv6")) { $input_errors[] = $result; } } if ($result = openvpn_validate_cidr($pconfig['remote_network'], 'IPv4 Remote Network', true, "ipv4")) { $input_errors[] = $result; } if ($result = openvpn_validate_cidr($pconfig['remote_networkv6'], 'IPv6 Remote Network', true, "ipv6")) { $input_errors[] = $result; } if (!empty($pconfig['use_shaper']) && (!is_numeric($pconfig['use_shaper']) || ($pconfig['use_shaper'] <= 0))) { $input_errors[] = gettext("The bandwidth limit must be a positive numeric value."); } if ($pconfig['autokey_enable']) { $pconfig['shared_key'] = openvpn_create_key(); } if (!$tls_mode && !$pconfig['autokey_enable']) { if (!strstr($pconfig['shared_key'], "-----BEGIN OpenVPN Static key V1-----") || !strstr($pconfig['shared_key'], "-----END OpenVPN Static key V1-----")) { $input_errors[] = gettext("The field 'Shared Key' does not appear to be valid"); } } if ($tls_mode && $pconfig['tlsauth_enable'] && !$pconfig['autotls_enable']) { if (!strstr($pconfig['tls'], "-----BEGIN OpenVPN Static key V1-----") || !strstr($pconfig['tls'], "-----END OpenVPN Static key V1-----")) { $input_errors[] = gettext("The field 'TLS Authentication Key' does not appear to be valid"); } } /* If we are not in shared key mode, then we need the CA/Cert. */ if ($pconfig['mode'] != "p2p_shared_key") { $reqdfields = explode(" ", "caref"); $reqdfieldsn = array(gettext("Certificate Authority")); } elseif (!$pconfig['autokey_enable']) { /* We only need the shared key filled in if we are in shared key mode and autokey is not selected. */ $reqdfields = array('shared_key'); $reqdfieldsn = array(gettext('Shared key')); } do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors); if (($pconfig['mode'] != "p2p_shared_key") && empty($pconfig['certref']) && empty($pconfig['auth_user']) && empty($pconfig['auth_pass'])) { $input_errors[] = gettext("If no Client Certificate is selected, a username and/or password must be entered."); } if (!$input_errors) { $client = array(); foreach ($simplefields as $stat) { update_if_changed($stat, $client[$stat], $_POST[$stat]); } if ($vpnid) { $client['vpnid'] = $vpnid; } else { $client['vpnid'] = openvpn_vpnid_next(); } if ($_POST['disable'] == "yes") { $client['disable'] = true; } $client['protocol'] = $pconfig['protocol']; $client['dev_mode'] = $pconfig['dev_mode']; list($client['interface'], $client['ipaddr']) = explode ("|", $pconfig['interface']); $client['local_port'] = $pconfig['local_port']; $client['server_addr'] = $pconfig['server_addr']; $client['server_port'] = $pconfig['server_port']; $client['resolve_retry'] = $pconfig['resolve_retry']; $client['proxy_addr'] = $pconfig['proxy_addr']; $client['proxy_port'] = $pconfig['proxy_port']; $client['proxy_authtype'] = $pconfig['proxy_authtype']; $client['proxy_user'] = $pconfig['proxy_user']; $client['proxy_passwd'] = $pconfig['proxy_passwd']; $client['description'] = $pconfig['description']; $client['mode'] = $pconfig['mode']; $client['custom_options'] = str_replace("\r\n", "\n", $pconfig['custom_options']); if ($tls_mode) { $client['caref'] = $pconfig['caref']; $client['certref'] = $pconfig['certref']; if ($pconfig['tlsauth_enable']) { if ($pconfig['autotls_enable']) { $pconfig['tls'] = openvpn_create_key(); } $client['tls'] = base64_encode($pconfig['tls']); } } else { $client['shared_key'] = base64_encode($pconfig['shared_key']); } $client['crypto'] = $pconfig['crypto']; $client['digest'] = $pconfig['digest']; $client['engine'] = $pconfig['engine']; $client['tunnel_network'] = $pconfig['tunnel_network']; $client['tunnel_networkv6'] = $pconfig['tunnel_networkv6']; $client['remote_network'] = $pconfig['remote_network']; $client['remote_networkv6'] = $pconfig['remote_networkv6']; $client['use_shaper'] = $pconfig['use_shaper']; $client['compression'] = $pconfig['compression']; $client['passtos'] = $pconfig['passtos']; $client['no_tun_ipv6'] = $pconfig['no_tun_ipv6']; $client['route_no_pull'] = $pconfig['route_no_pull']; $client['route_no_exec'] = $pconfig['route_no_exec']; $client['verbosity_level'] = $pconfig['verbosity_level']; if (isset($id) && $a_client[$id]) { $a_client[$id] = $client; } else { $a_client[] = $client; } openvpn_resync('client', $client); write_config(); header("Location: vpn_openvpn_client.php"); exit; } } include("head.inc"); if (!$savemsg) $savemsg = ""; if ($input_errors) print_input_errors($input_errors); if ($savemsg) print_info_box($savemsg, 'success'); $tab_array = array(); $tab_array[] = array(gettext("Server"), false, "vpn_openvpn_server.php"); $tab_array[] = array(gettext("Client"), true, "vpn_openvpn_client.php"); $tab_array[] = array(gettext("Client Specific Overrides"), false, "vpn_openvpn_csc.php"); $tab_array[] = array(gettext("Wizards"), false, "wizard.php?xml=openvpn_wizard.xml"); add_package_tabs("OpenVPN", $tab_array); display_top_tabs($tab_array); if($act=="new" || $act=="edit") : $form = new Form(); $section = new Form_Section('General Information'); $section->addInput(new Form_Checkbox( 'disable', 'Disabled', 'Disable this server', $pconfig['disable'] ))->setHelp('Set this option to disable this client without removing it from the list'); $section->addInput(new Form_Select( 'mode', 'Server mode', $pconfig['mode'], $openvpn_client_modes )); $section->addInput(new Form_Select( 'protocol', 'Protocol', $pconfig['protocol'], array_combine($openvpn_prots, $openvpn_prots) )); $section->addInput(new Form_Select( 'dev_mode', 'Device mode', empty($pconfig['dev_mode']) ? 'tun':$pconfig['dev_mode'], array_combine($openvpn_dev_mode, $openvpn_dev_mode) )); $section->addInput(new Form_Select( 'interface', 'Interface', $pconfig['interface'], openvpn_build_if_list() )); $section->addInput(new Form_Input( 'local_port', 'Local port', 'number', $pconfig['local_port'] ))->setHelp('Set this option if you would like to bind to a specific port. Leave this blank or enter 0 for a random dynamic port.'); $section->addInput(new Form_Input( 'server_addr', 'Server host or address', 'text', $pconfig['server_addr'] )); $section->addInput(new Form_Input( 'server_port', 'Server port', 'number', $pconfig['server_port'] )); $section->addInput(new Form_Input( 'proxy_addr', 'Proxy host or address', 'text', $pconfig['proxy_addr'] )); $section->addInput(new Form_Select( 'proxy_authtype', 'Proxy Auth. - Extra options', $pconfig['proxy_authtype'], array('none' => 'none', 'basic' => 'basic', 'ntlm' => 'ntlm') )); $section->addInput(new Form_Input( 'proxy_user', 'Username', 'text', $pconfig['proxy_user'] )); $section->addInput(new Form_Input( 'proxy_passwd', 'Password', 'password', $pconfig['proxy_passwd'] )); $section->addInput(new Form_Checkbox( 'resolve_retry', 'Server hostname resolution', 'Infinitely resolve server ', $pconfig['resolve_retry'] ))->setHelp('Continuously attempt to resolve the server host name. ' . 'Useful when communicating with a server that is not permanently connected to the Internet.'); $section->addInput(new Form_Input( 'description', 'Description', 'text', $pconfig['description'] ))->setHelp('You may enter a description here for your reference (not parsed).'); $form->add($section); $section = new Form_Section('User Authentication settings'); $section->addClass('authentication'); $section->addInput(new Form_Input( 'auth_user', 'Username', 'text', $pconfig['auth_user'] ))->setHelp('Leave empty when no user name is needed'); $section->addInput(new Form_Input( 'auth_pass', 'Password', 'password', $pconfig['auth_pass'] ))->setHelp('Leave empty when no password is needed'); $form->add($section); $section = new Form_Section('Cryptographic settings'); $section->addInput(new Form_Checkbox( 'tlsauth_enable', 'TLS authentication', 'Enable authentication of TLS packets.', $pconfig['tlsauth_enable'] )); if (!$pconfig['tls']) { $section->addInput(new Form_Checkbox( 'autotls_enable', null, 'Automatically generate a shared TLS authentication key.', $pconfig['autotls_enable'] )); } $section->addInput(new Form_Textarea( 'tls', 'Key', $pconfig['tls'] ))->setHelp('Paste your shared key here'); if (count($a_ca)) { $list = array(); foreach ($a_ca as $ca) $list[$ca['refid']] = $ca['descr']; $section->addInput(new Form_Select( 'caref', 'Peer Certificate Authority', $pconfig['caref'], $list )); } else { $section->addInput(new Form_StaticText( 'Peer Certificate Authority', sprintf('No Certificate Authorities defined. You may create one here: %s', 'System > Cert Manager') )); } if (count($a_crl)) { $section->addInput(new Form_Select( 'crlref', 'Peer Certificate Revocation list', $pconfig['crlref'], openvpn_build_crl_list() )); } else { $section->addInput(new Form_StaticText( 'Peer Certificate Revocation list', sprintf('No Certificate Revocation Lists defined. You may create one here: %s', 'System > Cert Manager') )); } $section->addInput(new Form_Checkbox( 'autokey_enable', 'Auto generate', 'Automatically generate a shared key', $pconfig['autokey_enable'] && empty($pconfig['shared_key']) )); $section->addInput(new Form_Textarea( 'shared_key', 'Shared Key', $pconfig['shared_key'] ))->setHelp('Paste your shared key here'); $section->addInput(new Form_Select( 'certref', 'Client Certificate', $pconfig['certref'], openvpn_build_cert_list(true) )); $section->addInput(new Form_Select( 'crypto', 'Encryption Algorithm', $pconfig['crypto'], openvpn_get_cipherlist() )); $section->addInput(new Form_Select( 'digest', 'Auth digest algorithm', $pconfig['digest'], openvpn_get_digestlist() ))->setHelp('Leave this set to SHA1 unless all clients are set to match. SHA1 is the default for OpenVPN. '); $section->addInput(new Form_Select( 'engine', 'Hardware Crypto', $pconfig['engine'], openvpn_get_engines() )); $form->add($section); $section = new Form_Section('Tunnel settings'); $section->addInput(new Form_Input( 'tunnel_network', 'IPv4 Tunnel Network', 'text', $pconfig['tunnel_network'] ))->setHelp('This is the IPv4 virtual network used for private communications between this client and the sercer ' . 'expressed using CIDR (eg. 10.0.8.0/24). The first network address will be assigned to ' . 'the client virtual interface.'); $section->addInput(new Form_Input( 'tunnel_networkv6', 'IPv6 Tunnel Network', 'text', $pconfig['tunnel_networkv6'] ))->setHelp('This is the IPv6 virtual network used for private ' . 'communications between this client and the server expressed using CIDR (eg. fe80::/64). ' . 'The first network address will be assigned to the server virtual interface.'); $section->addInput(new Form_Input( 'remote_network', 'IPv4 Remote network(s)', 'text', $pconfig['remote_network'] ))->setHelp('IPv4 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually ' . 'changing the routing tables. Expressed as a comma-separated list of one or more CIDR ranges. ' . 'If this is a site-to-site VPN, enter the remote LAN/s here. You may leave this blank if you don\'t want a site-to-site VPN.'); $section->addInput(new Form_Input( 'remote_networkv6', 'IPv6 Remote network(s)', 'text', $pconfig['remote_networkv6'] ))->setHelp('These are the IPv6 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually ' . 'changing the routing tables. Expressed as a comma-separated list of one or more IP/PREFIX. ' . 'If this is a site-to-site VPN, enter the remote LAN/s here. You may leave this blank if you don\'t want a site-to-site VPN.'); $section->addInput(new Form_Input( 'use_shaper', 'Limit outgoing bandwidth', 'number', $pconfig['use_shaper'], ['min' => 100, 'max' => 100000000, 'placeholder' => 'Between 100 and 100,000,000 bytes/sec'] ))->setHelp('Maximum outgoing bandwidth for this tunnel. Leave empty for no limit. The input value has to be something between 100 bytes/sec and 100 Mbytes/sec (entered as bytes per second).'); $section->addInput(new Form_Select( 'compression', 'Compression', $pconfig['compression'], $openvpn_compression_modes ))->setHelp('Compress tunnel packets using the LZO algorithm. Adaptive compression will dynamically disable compression for a period of time if OpenVPN detects that the data in the packets is not being compressed efficiently.'); $section->addInput(new Form_Checkbox( 'passtos', 'Type-of-Service', 'Set the TOS IP header value of tunnel packets to match the encapsulated packet value.', $pconfig['passtos'] )); $section->addInput(new Form_Checkbox( 'no_tun_ipv6', 'Disable IPv6', 'Don\'t forward IPv6 traffic. ', $pconfig['no_tun_ipv6'] )); $section->addInput(new Form_Checkbox( 'route_no_pull', 'Don\'t pull routes', 'Bars the server from adding routes to the client\'s routing table', $pconfig['route_no_pull'] ))->setHelp('This option still allows the server to set the TCP/IP properties of the client\'s TUN/TAP interface. '); $section->addInput(new Form_Checkbox( 'route_no_exec', 'Don\'t add/remove routes', 'Don\'t add or remove routes automatically', $pconfig['route_no_exec'] ))->setHelp('Pass routes to --route-upscript using environmental variables'); $form->add($section); $section = new Form_Section('Advanced Configuration'); $section->addClass('advanced'); $section->addInput(new Form_Textarea( 'custom_options', 'Custom options', $pconfig['custom_options'] ))->setHelp('Enter any additional options you would like to add to the OpenVPN server configuration here, separated by semicolon' . '
' . 'EXAMPLE: push "route 10.0.0.0 255.255.255.0"'); $section->addInput(new Form_Select( 'verbosity_level', 'Verbosity level', $pconfig['verbosity_level'], $openvpn_verbosity_level ))->setHelp('Each level shows all info from the previous levels. Level 3 is recommended if you want a good summary of what\'s happening without being swamped by output' . '

' . 'None: Only fatal errors' . '
' . 'Default: Normal usage range' . '
' . '5: Output R and W characters to the console for each packet read and write, uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets' .'
' . '6: Debug info range'); $section->addInput(new Form_Input( 'act', null, 'hidden', $act )); if (isset($id) && $a_server[$id]) { $section->addInput(new Form_Input( 'id', null, 'hidden', $id )); } $form->add($section); print($form); else: ?>

>