$a_client[$id]['dev_mode']) {
/*
* delete old interface so a new TUN or TAP interface
* can be created.
*/
openvpn_delete('client', $a_client[$id]);
}
/*
 * Copy the plain text fields listed in $simplefields from the POST into $client.
 * auth_pass is special: the form shows the DMYPWD placeholder instead of the stored
 * secret, so a submitted value equal to DMYPWD means "unchanged" and the previously
 * saved password is carried over. (Side effect of the sentinel scheme: a real
 * password that is exactly DMYPWD can never be set.)
 */
foreach ($simplefields as $field) {
	$password_unchanged = ($field == 'auth_pass') && ($_POST[$field] == DMYPWD);
	if ($password_unchanged) {
		$client[$field] = $a_client[$id]['auth_pass'];
		continue;
	}
	// update_if_changed() is defined elsewhere; it takes $client[$field] by reference.
	update_if_changed($field, $client[$field], $_POST[$field]);
}
// Keep the existing VPN id when editing; otherwise allocate the next free one.
if ($vpnid) {
$client['vpnid'] = $vpnid;
} else {
$client['vpnid'] = openvpn_vpnid_next();
}
// 'disable' is only written into the entry when the box was checked.
if ($_POST['disable'] == "yes") {
$client['disable'] = true;
}
/*
 * Assemble the rest of the entry from $pconfig. The array is stored as-is via
 * $a_client and write_config() below, so the assignment order presumably
 * determines the element order in config.xml - keep it unchanged.
 */
$client['protocol'] = $pconfig['protocol'];
$client['dev_mode'] = $pconfig['dev_mode'];
// The interface select posts "ifname|ipaddr"; split it into the two stored fields.
list($client['interface'], $client['ipaddr']) = explode ("|", $pconfig['interface']);
$client['local_port'] = $pconfig['local_port'];
$client['server_addr'] = $pconfig['server_addr'];
$client['server_port'] = $pconfig['server_port'];
$client['resolve_retry'] = $pconfig['resolve_retry'];
$client['proxy_addr'] = $pconfig['proxy_addr'];
$client['proxy_port'] = $pconfig['proxy_port'];
$client['proxy_authtype'] = $pconfig['proxy_authtype'];
$client['proxy_user'] = $pconfig['proxy_user'];
// The form shows the DMYPWD placeholder instead of the stored proxy password, so an
// unchanged submission is skipped here rather than stored.
// NOTE(review): unlike auth_pass above, nothing copies the previously saved
// proxy_passwd into $client in that case. If $client starts out empty (its
// initialisation is above this chunk) the stored proxy password would be dropped
// by any unrelated save of this client - confirm against the initialisation.
if ($pconfig['proxy_passwd'] != DMYPWD) {
$client['proxy_passwd'] = $pconfig['proxy_passwd'];
}
$client['description'] = $pconfig['description'];
$client['mode'] = $pconfig['mode'];
$client['topology'] = $pconfig['topology'];
// Only line endings are normalised; the custom options are stored verbatim, so any
// filtering of dangerous OpenVPN directives has to happen in validation (not visible here).
$client['custom_options'] = str_replace("\r\n", "\n", $pconfig['custom_options']);
// Key material. TLS mode stores the CA/cert references plus the optional TLS key
// (replaced by a freshly generated one when auto-generation was requested);
// shared-key mode stores the static key instead. Both keys are base64-encoded.
if ($tls_mode) {
$client['caref'] = $pconfig['caref'];
$client['certref'] = $pconfig['certref'];
if ($pconfig['tlsauth_enable']) {
if ($pconfig['autotls_enable']) {
$pconfig['tls'] = openvpn_create_key();
}
$client['tls'] = base64_encode($pconfig['tls']);
$client['tls_type'] = $pconfig['tls_type'];
}
} else {
$client['shared_key'] = base64_encode($pconfig['shared_key']);
}
$client['crypto'] = $pconfig['crypto'];
$client['digest'] = $pconfig['digest'];
$client['engine'] = $pconfig['engine'];
$client['tunnel_network'] = $pconfig['tunnel_network'];
$client['tunnel_networkv6'] = $pconfig['tunnel_networkv6'];
$client['remote_network'] = $pconfig['remote_network'];
$client['remote_networkv6'] = $pconfig['remote_networkv6'];
$client['use_shaper'] = $pconfig['use_shaper'];
$client['compression'] = $pconfig['compression'];
$client['passtos'] = $pconfig['passtos'];
$client['route_no_pull'] = $pconfig['route_no_pull'];
$client['route_no_exec'] = $pconfig['route_no_exec'];
$client['verbosity_level'] = $pconfig['verbosity_level'];
// The NCP cipher list is expected as an array (implode) and stored comma-joined.
if (!empty($pconfig['ncp-ciphers'])) {
$client['ncp-ciphers'] = implode(",", $pconfig['ncp-ciphers']);
}
$client['ncp_enable'] = $pconfig['ncp_enable'] ? "enabled":"disabled";
/*
 * Persist the assembled $client entry, apply it and bounce back to the list.
 * NOTE(review): write_config() is called without a change description; if the
 * helper accepts one (not visible here), passing e.g. "OpenVPN client settings
 * saved" gives the configuration history / audit trail a meaningful message.
 */
$is_existing_entry = isset($id) && $a_client[$id];
if ($is_existing_entry) {
	// overwrite the entry being edited
	$a_client[$id] = $client;
} else {
	// append a brand-new client
	$a_client[] = $client;
}
write_config();
// openvpn_resync() is defined elsewhere; it applies the saved client entry.
openvpn_resync('client', $client);
// Redirect and stop so nothing else is emitted after the headers.
header("Location: vpn_openvpn_client.php");
exit;
}
// Only reached when the save branch above did not redirect. The multi-select
// posts ncp-ciphers as an array; fold it back into the comma-separated form
// the form field expects when the page is re-displayed.
$has_ncp_selection = !empty($pconfig['ncp-ciphers']);
if ($has_ncp_selection) {
	$pconfig['ncp-ciphers'] = implode(",", $pconfig['ncp-ciphers']);
}
}
// Breadcrumb title and links; the edit form adds an "Edit" crumb carrying the
// "@self" link marker.
$editing = ($act == "new" || $act == "edit");
$pgtitle = array(gettext("VPN"), gettext("OpenVPN"), gettext("Clients"));
$pglinks = array("", "vpn_openvpn_server.php", "vpn_openvpn_client.php");
if ($editing) {
	$pgtitle[] = gettext('Edit');
	$pglinks[] = "@self";
}
$shortcut_section = "openvpn";
include("head.inc");

// Make sure $savemsg is a string before it is tested below.
if (!$savemsg) {
	$savemsg = "";
}
// Validation errors first, then the success banner. Both print_* helpers are
// defined elsewhere; escaping of the message text is assumed to happen there.
if ($input_errors) {
	print_input_errors($input_errors);
}
if ($savemsg) {
	print_info_box($savemsg, 'success');
}

// Tab strip for the OpenVPN pages; "Clients" is the active tab here.
$tab_array = array(
	array(gettext("Servers"), false, "vpn_openvpn_server.php"),
	array(gettext("Clients"), true, "vpn_openvpn_client.php"),
	array(gettext("Client Specific Overrides"), false, "vpn_openvpn_csc.php"),
	array(gettext("Wizards"), false, "wizard.php?xml=openvpn_wizard.xml"),
);
add_package_tabs("OpenVPN", $tab_array);
display_top_tabs($tab_array);
if ($act=="new" || $act=="edit"):
/*
 * Edit form, section 1: general client settings.
 * Field values are read from $pconfig; the option lists ($openvpn_client_modes,
 * $openvpn_prots, $openvpn_dev_mode) are defined elsewhere in the module.
 */
$form = new Form();
$section = new Form_Section('General Information');

$in_disable = new Form_Checkbox('disable', 'Disabled', 'Disable this client', $pconfig['disable']);
$section->addInput($in_disable)
	->setHelp('Set this option to disable this client without removing it from the list.');

$section->addInput(new Form_Select('mode', '*Server mode', $pconfig['mode'], $openvpn_client_modes));
$section->addInput(new Form_Select('protocol', '*Protocol', $pconfig['protocol'], $openvpn_prots));

// Default to a layer-3 "tun" device while nothing is stored yet.
$dev_mode_value = empty($pconfig['dev_mode']) ? 'tun' : $pconfig['dev_mode'];
$help_dev_mode = "\"tun\" mode carries IPv4 and IPv6 (OSI layer 3) and is the most common and compatible mode across all platforms." .
"
\"tap\" mode is capable of carrying 802.3 (OSI Layer 2.)";
$section->addInput(new Form_Select('dev_mode', '*Device mode', $dev_mode_value, $openvpn_dev_mode))
	->setHelp($help_dev_mode);

// Source interface; the posted value is split on "|" into interface/ipaddr on save.
$section->addInput(new Form_Select('interface', '*Interface', $pconfig['interface'], openvpn_build_if_list()))
	->setHelp("The interface used by the firewall to originate this OpenVPN client connection");
// Local bind port plus the remote endpoint (host and port) this client connects to.
$in_local_port = new Form_Input('local_port', 'Local port', 'number', $pconfig['local_port'], ['min' => '0']);
$section->addInput($in_local_port)
	->setHelp('Set this option to bind to a specific port. Leave this blank or enter 0 for a random dynamic port.');

$in_server_addr = new Form_Input('server_addr', '*Server host or address', 'text', $pconfig['server_addr']);
$section->addInput($in_server_addr)
	->setHelp("The IP address or hostname of the OpenVPN server.");

// The trailing space in the checkbox label is part of the original text.
$in_resolve_retry = new Form_Checkbox('resolve_retry', 'Server hostname resolution', 'Infinitely resolve server ', $pconfig['resolve_retry']);
$section->addInput($in_resolve_retry)
	->setHelp('Continuously attempt to resolve the server host name. ' .
		'Useful when communicating with a server that is not permanently connected to the Internet.');

$in_server_port = new Form_Input('server_port', '*Server port', 'number', $pconfig['server_port']);
$section->addInput($in_server_port)
	->setHelp("The port used by the server to receive client connections.");
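/*
 * Optional HTTP proxy used to reach the server. The proxy credentials end up in
 * config.xml via write_config(); on save the password is only overwritten when
 * the submitted value differs from the DMYPWD placeholder.
 */
$in_proxy_addr = new Form_Input('proxy_addr', 'Proxy host or address', 'text', $pconfig['proxy_addr']);
$section->addInput($in_proxy_addr)
	->setHelp("The address for an HTTP Proxy this client can use to connect to a remote server." .
"
TCP must be used for the client and server protocol.");

// FIX: the input type was the bare word `number` (an undefined constant), which
// is a notice/warning on PHP 7 and a fatal "Undefined constant" Error on PHP 8.
// It must be the string 'number', as used for the other port fields.
$section->addInput(new Form_Input('proxy_port', 'Proxy port', 'number', $pconfig['proxy_port']));

$proxy_auth_opts = array('none' => gettext('none'), 'basic' => gettext('basic'), 'ntlm' => gettext('ntlm'));
$section->addInput(new Form_Select('proxy_authtype', 'Proxy Authentication', $pconfig['proxy_authtype'], $proxy_auth_opts))
	->setHelp("The type of authentication used by the proxy server.");

$section->addInput(new Form_Input('proxy_user', 'Username', 'text', $pconfig['proxy_user']));
// addPassword() presumably renders the DMYPWD placeholder instead of the stored
// secret (the save path above relies on that); confirm in Form_Section.
$section->addPassword(new Form_Input('proxy_passwd', 'Password', 'password', $pconfig['proxy_passwd']));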
// Free-text description, then close out the General section.
$section->addInput(new Form_Input('description', 'Description', 'text', $pconfig['description']))
	->setHelp('A description may be entered here for administrative reference (not parsed).');
$form->add($section);

/*
 * Section 2: credentials for the server's user authentication. Both are
 * optional. auth_pass gets special handling in the $simplefields loop above:
 * a submitted value equal to the DMYPWD placeholder keeps the stored password.
 */
$section = new Form_Section('User Authentication Settings');
$section->addClass('authentication');

$in_auth_user = new Form_Input('auth_user', 'Username', 'text', $pconfig['auth_user']);
$section->addInput($in_auth_user)
	->setHelp('Leave empty when no user name is needed');

$in_auth_pass = new Form_Input('auth_pass', 'Password', 'password', $pconfig['auth_pass']);
$section->addPassword($in_auth_pass)
	->setHelp('Leave empty when no password is needed');
$form->add($section);
/*
 * Section 3: cryptographic settings. TLS-key options come first; on save the
 * pasted key is base64-encoded, or replaced by openvpn_create_key() output when
 * auto-generation was ticked.
 */
$section = new Form_Section('Cryptographic Settings');

$help_tlsauth = "A TLS key enhances security of an OpenVPN connection by requiring both parties to have a common key before a peer can perform a TLS handshake. " .
"This layer of HMAC authentication allows control channel packets without the proper key to be dropped, protecting the peers from attack or unauthorized connections." .
"The TLS Key does not have any effect on tunnel data.";
$section->addInput(new Form_Checkbox('tlsauth_enable', 'TLS Configuration', 'Use a TLS Key', $pconfig['tlsauth_enable']))
	->setHelp($help_tlsauth);

// The auto-generate option is only offered while no key is stored.
if (!$pconfig['tls']) {
	$section->addInput(new Form_Checkbox('autotls_enable', null, 'Automatically generate a TLS Key.', $pconfig['autotls_enable']));
}

$help_tls = "Paste the TLS key here." .
"
" .
"This key is used to sign control channel packets with an HMAC signature for authentication when establishing the tunnel. ";
$section->addInput(new Form_Textarea('tls', '*TLS Key', $pconfig['tls']))
	->setHelp($help_tls);

// Usage mode defaults to HMAC-only authentication ('auth') when nothing is stored.
$tls_type_value = empty($pconfig['tls_type']) ? 'auth' : $pconfig['tls_type'];
$help_tls_type = "In Authentication mode the TLS key is used only as HMAC authentication for the control channel, protecting the peers from unauthorized connections. " .
"
" .
"Encryption and Authentication mode also encrypts control channel communication, providing more privacy and traffic control channel obfuscation.";
$section->addInput(new Form_Select('tls_type', '*TLS Key Usage Mode', $tls_type_value, $openvpn_tls_modes))
	->setHelp($help_tls_type);
/*
 * Peer CA / CRL selection. The CA list is built from $a_ca, keyed by refid
 * (the value stored in caref) and labelled with the CA's descr.
 * NOTE(review): crlref is rendered here but is not among the fields the visible
 * save path stores explicitly; it may be covered by $simplefields - confirm.
 */
if (count($a_ca)) {
	$list = array();
	foreach ($a_ca as $ca) {
		$list[$ca['refid']] = $ca['descr'];
	}
	$section->addInput(new Form_Select('caref', '*Peer Certificate Authority', $pconfig['caref'], $list));
} else {
	$no_ca_msg = sprintf('No Certificate Authorities defined. One may be created here: %s', 'System > Cert. Manager');
	$section->addInput(new Form_StaticText('*Peer Certificate Authority', $no_ca_msg));
}

if (count($a_crl)) {
	$section->addInput(new Form_Select('crlref', 'Peer Certificate Revocation list', $pconfig['crlref'], openvpn_build_crl_list()));
} else {
	$no_crl_msg = sprintf('No Certificate Revocation Lists defined. One may be created here: %s', 'System > Cert. Manager > Certificate Revocation');
	$section->addInput(new Form_StaticText('Peer Certificate Revocation list', $no_crl_msg));
}

// Shared-key (non-TLS) mode. The auto-generate box is pre-checked only while no
// key is stored; the key itself is base64-encoded on save.
$autokey_checked = $pconfig['autokey_enable'] && empty($pconfig['shared_key']);
$section->addInput(new Form_Checkbox('autokey_enable', 'Auto generate', 'Automatically generate a shared key', $autokey_checked));
$section->addInput(new Form_Textarea('shared_key', '*Shared Key', $pconfig['shared_key']))
	->setHelp('Paste the shared key here');

// Client certificate. The helper's return shape is not visible here; this page
// reads its 'server' key for the client certificate list.
$cl = openvpn_build_cert_list(true);
$section->addInput(new Form_Select('certref', 'Client Certificate', $pconfig['certref'], $cl['server']));

// Fallback data-channel cipher, used when NCP negotiation is not available.
$section->addInput(new Form_Select('crypto', '*Encryption Algorithm', $pconfig['crypto'], openvpn_get_cipherlist()))
	->setHelp('The Encryption Algorithm used for data channel packets when Negotiable Cryptographic Parameter (NCP) support is not available.');
$section->addInput(new Form_Checkbox(
'ncp_enable',
'Enable NCP',
'Enable Negotiable Cryptographic Parameters',
($pconfig['ncp_enable'] == "enabled")
))->setHelp( 'Check this option to allow OpenVPN clients and servers to negotiate a compatible set of acceptable cryptographic ' .
'Encryption Algorithms from those selected in the NCP Algorithms list below.' .
'