$acrl) {
if (!isset($acrl['refid'])) {
unset ($a_crl[$cid]);
}
}
if (isset($_REQUEST['id']) && is_numericint($_REQUEST['id'])) {
$id = $_REQUEST['id'];
}
if (isset($_REQUEST['act'])) {
$act = $_REQUEST['act'];
}
if (isset($id) && $a_server[$id]) {
$vpnid = $a_server[$id]['vpnid'];
} else {
$vpnid = 0;
}
if ($_POST['act'] == "del") {
if (!isset($a_server[$id])) {
pfSenseHeader("vpn_openvpn_server.php");
exit;
}
if (!empty($a_server[$id])) {
openvpn_delete('server', $a_server[$id]);
$wc_msg = sprintf(gettext('Deleted OpenVPN server from %1$s:%2$s %3$s'), convert_friendly_interface_to_friendly_descr($a_server[$id]['interface']), $a_server[$id]['local_port'], $a_server[$id]['description']);
} else {
$wc_msg = gettext('Deleted empty OpenVPN server');
}
unset($a_server[$id]);
write_config($wc_msg);
$savemsg = gettext("Server successfully deleted.");
}
if ($act == "new") {
$pconfig['ncp_enable'] = "enabled";
$pconfig['ncp-ciphers'] = "AES-256-GCM,AES-128-GCM";
$pconfig['autokey_enable'] = "yes";
$pconfig['tlsauth_enable'] = "yes";
$pconfig['autotls_enable'] = "yes";
$pconfig['dh_length'] = 1024;
$pconfig['dev_mode'] = "tun";
$pconfig['interface'] = "wan";
$pconfig['local_port'] = openvpn_port_next('UDP');
$pconfig['cert_depth'] = 1;
$pconfig['verbosity_level'] = 1; // Default verbosity is 1
// OpenVPN Defaults to SHA1
$pconfig['digest'] = "SHA1";
}
if ($act == "edit") {
if (isset($id) && $a_server[$id]) {
$pconfig['disable'] = isset($a_server[$id]['disable']);
$pconfig['mode'] = $a_server[$id]['mode'];
$pconfig['protocol'] = $a_server[$id]['protocol'];
$pconfig['authmode'] = $a_server[$id]['authmode'];
if (isset($a_server[$id]['ncp-ciphers'])) {
$pconfig['ncp-ciphers'] = $a_server[$id]['ncp-ciphers'];
} else {
$pconfig['ncp-ciphers'] = "AES-256-GCM,AES-128-GCM";
}
if (isset($a_server[$id]['ncp_enable'])) {
$pconfig['ncp_enable'] = $a_server[$id]['ncp_enable'];
} else {
$pconfig['ncp_enable'] = "enabled";
}
$pconfig['dev_mode'] = $a_server[$id]['dev_mode'];
$pconfig['interface'] = $a_server[$id]['interface'];
if (!empty($a_server[$id]['ipaddr'])) {
$pconfig['interface'] = $pconfig['interface'] . '|' . $a_server[$id]['ipaddr'];
}
$pconfig['local_port'] = $a_server[$id]['local_port'];
$pconfig['description'] = $a_server[$id]['description'];
$pconfig['custom_options'] = $a_server[$id]['custom_options'];
if ($pconfig['mode'] != "p2p_shared_key") {
if ($a_server[$id]['tls']) {
$pconfig['tlsauth_enable'] = "yes";
$pconfig['tls'] = base64_decode($a_server[$id]['tls']);
$pconfig['tls_type'] = $a_server[$id]['tls_type'];
}
$pconfig['caref'] = $a_server[$id]['caref'];
$pconfig['crlref'] = $a_server[$id]['crlref'];
$pconfig['certref'] = $a_server[$id]['certref'];
$pconfig['dh_length'] = $a_server[$id]['dh_length'];
$pconfig['ecdh_curve'] = $a_server[$id]['ecdh_curve'];
if (isset($a_server[$id]['cert_depth'])) {
$pconfig['cert_depth'] = $a_server[$id]['cert_depth'];
} else {
$pconfig['cert_depth'] = 1;
}
if ($pconfig['mode'] == "server_tls_user") {
$pconfig['strictusercn'] = $a_server[$id]['strictusercn'];
}
} else {
$pconfig['shared_key'] = base64_decode($a_server[$id]['shared_key']);
}
$pconfig['crypto'] = $a_server[$id]['crypto'];
// OpenVPN Defaults to SHA1 if unset
$pconfig['digest'] = !empty($a_server[$id]['digest']) ? $a_server[$id]['digest'] : "SHA1";
$pconfig['engine'] = $a_server[$id]['engine'];
$pconfig['tunnel_network'] = $a_server[$id]['tunnel_network'];
$pconfig['tunnel_networkv6'] = $a_server[$id]['tunnel_networkv6'];
$pconfig['remote_network'] = $a_server[$id]['remote_network'];
$pconfig['remote_networkv6'] = $a_server[$id]['remote_networkv6'];
$pconfig['gwredir'] = $a_server[$id]['gwredir'];
$pconfig['local_network'] = $a_server[$id]['local_network'];
$pconfig['local_networkv6'] = $a_server[$id]['local_networkv6'];
$pconfig['maxclients'] = $a_server[$id]['maxclients'];
$pconfig['compression'] = $a_server[$id]['compression'];
$pconfig['compression_push'] = $a_server[$id]['compression_push'];
$pconfig['passtos'] = $a_server[$id]['passtos'];
$pconfig['client2client'] = $a_server[$id]['client2client'];
$pconfig['dynamic_ip'] = $a_server[$id]['dynamic_ip'];
$pconfig['topology'] = $a_server[$id]['topology'];
$pconfig['serverbridge_dhcp'] = $a_server[$id]['serverbridge_dhcp'];
$pconfig['serverbridge_interface'] = $a_server[$id]['serverbridge_interface'];
$pconfig['serverbridge_dhcp_start'] = $a_server[$id]['serverbridge_dhcp_start'];
$pconfig['serverbridge_dhcp_end'] = $a_server[$id]['serverbridge_dhcp_end'];
$pconfig['dns_domain'] = $a_server[$id]['dns_domain'];
if ($pconfig['dns_domain']) {
$pconfig['dns_domain_enable'] = true;
}
$pconfig['dns_server1'] = $a_server[$id]['dns_server1'];
$pconfig['dns_server2'] = $a_server[$id]['dns_server2'];
$pconfig['dns_server3'] = $a_server[$id]['dns_server3'];
$pconfig['dns_server4'] = $a_server[$id]['dns_server4'];
if ($pconfig['dns_server1'] ||
$pconfig['dns_server2'] ||
$pconfig['dns_server3'] ||
$pconfig['dns_server4']) {
$pconfig['dns_server_enable'] = true;
}
$pconfig['ntp_server1'] = $a_server[$id]['ntp_server1'];
$pconfig['ntp_server2'] = $a_server[$id]['ntp_server2'];
if ($pconfig['ntp_server1'] ||
$pconfig['ntp_server2']) {
$pconfig['ntp_server_enable'] = true;
}
$pconfig['netbios_enable'] = $a_server[$id]['netbios_enable'];
$pconfig['netbios_ntype'] = $a_server[$id]['netbios_ntype'];
$pconfig['netbios_scope'] = $a_server[$id]['netbios_scope'];
$pconfig['wins_server1'] = $a_server[$id]['wins_server1'];
$pconfig['wins_server2'] = $a_server[$id]['wins_server2'];
if ($pconfig['wins_server1'] ||
$pconfig['wins_server2']) {
$pconfig['wins_server_enable'] = true;
}
$pconfig['nbdd_server1'] = $a_server[$id]['nbdd_server1'];
if ($pconfig['nbdd_server1']) {
$pconfig['nbdd_server_enable'] = true;
}
// just in case the modes switch
$pconfig['autokey_enable'] = "yes";
$pconfig['autotls_enable'] = "yes";
$pconfig['duplicate_cn'] = isset($a_server[$id]['duplicate_cn']);
if (isset($a_server[$id]['verbosity_level'])) {
$pconfig['verbosity_level'] = $a_server[$id]['verbosity_level'];
} else {
$pconfig['verbosity_level'] = 1; // Default verbosity is 1
}
$pconfig['push_blockoutsidedns'] = $a_server[$id]['push_blockoutsidedns'];
$pconfig['udp_fast_io'] = $a_server[$id]['udp_fast_io'];
$pconfig['sndrcvbuf'] = $a_server[$id]['sndrcvbuf'];
$pconfig['push_register_dns'] = $a_server[$id]['push_register_dns'];
}
}
if ($_POST['save']) {
unset($input_errors);
$pconfig = $_POST;
if (isset($id) && $a_server[$id]) {
$vpnid = $a_server[$id]['vpnid'];
} else {
$vpnid = 0;
}
$cipher_validation_list = array_keys(openvpn_get_cipherlist());
if (!in_array($pconfig['crypto'], $cipher_validation_list)) {
$input_errors[] = gettext("The selected Encryption Algorithm is not valid.");
}
list($iv_iface, $iv_ip) = explode ("|", $pconfig['interface']);
if (is_ipaddrv4($iv_ip) && (stristr($pconfig['protocol'], "6") !== false)) {
$input_errors[] = gettext("Protocol and IP address families do not match. An IPv6 protocol and an IPv4 IP address cannot be selected.");
} elseif (is_ipaddrv6($iv_ip) && (stristr($pconfig['protocol'], "6") === false)) {
$input_errors[] = gettext("Protocol and IP address families do not match. An IPv4 protocol and an IPv6 IP address cannot be selected.");
} elseif ((stristr($pconfig['protocol'], "6") === false) && !get_interface_ip($iv_iface) && ($pconfig['interface'] != "any")) {
// If an underlying interface to be used by this server uses DHCP, then it may not have received an IP address yet.
// So in that case we do not report a problem.
if (!interface_has_dhcp($iv_iface, 4)) {
$input_errors[] = gettext("An IPv4 protocol was selected, but the selected interface has no IPv4 address.");
}
} elseif ((stristr($pconfig['protocol'], "6") !== false) && !get_interface_ipv6($iv_iface) && ($pconfig['interface'] != "any")) {
// If an underlying interface to be used by this server uses DHCP6, then it may not have received an IP address yet.
// So in that case we do not report a problem.
if (!interface_has_dhcp($iv_iface, 6)) {
$input_errors[] = gettext("An IPv6 protocol was selected, but the selected interface has no IPv6 address.");
}
}
if ($pconfig['mode'] != "p2p_shared_key") {
$tls_mode = true;
} else {
$tls_mode = false;
}
if (empty($pconfig['authmode']) && (($pconfig['mode'] == "server_user") || ($pconfig['mode'] == "server_tls_user"))) {
$input_errors[] = gettext("A Backend for Authentication must be selected if the server mode requires User Auth.");
}
/* input validation */
if ($result = openvpn_validate_port($pconfig['local_port'], 'Local port', 1)) {
$input_errors[] = $result;
}
if ($result = openvpn_validate_cidr($pconfig['tunnel_network'], 'IPv4 Tunnel Network', false, "ipv4")) {
$input_errors[] = $result;
}
if ($result = openvpn_validate_cidr($pconfig['tunnel_networkv6'], 'IPv6 Tunnel Network', false, "ipv6")) {
$input_errors[] = $result;
}
if ($result = openvpn_validate_cidr($pconfig['remote_network'], 'IPv4 Remote Network', true, "ipv4")) {
$input_errors[] = $result;
}
if ($result = openvpn_validate_cidr($pconfig['remote_networkv6'], 'IPv6 Remote Network', true, "ipv6")) {
$input_errors[] = $result;
}
if ($result = openvpn_validate_cidr($pconfig['local_network'], 'IPv4 Local Network', true, "ipv4")) {
$input_errors[] = $result;
}
if ($result = openvpn_validate_cidr($pconfig['local_networkv6'], 'IPv6 Local Network', true, "ipv6")) {
$input_errors[] = $result;
}
$portused = openvpn_port_used($pconfig['protocol'], $pconfig['interface'], $pconfig['local_port'], $vpnid);
if (($portused != $vpnid) && ($portused != 0)) {
$input_errors[] = gettext("The specified 'Local port' is in use. Please select another value");
}
if ($pconfig['autokey_enable']) {
$pconfig['shared_key'] = openvpn_create_key();
}
if (!$tls_mode && !$pconfig['autokey_enable']) {
if (!strstr($pconfig['shared_key'], "-----BEGIN OpenVPN Static key V1-----") ||
!strstr($pconfig['shared_key'], "-----END OpenVPN Static key V1-----")) {
$input_errors[] = gettext("The field 'Shared Key' does not appear to be valid");
}
}
if ($tls_mode && $pconfig['tlsauth_enable'] && !$pconfig['autotls_enable']) {
if (!strstr($pconfig['tls'], "-----BEGIN OpenVPN Static key V1-----") ||
!strstr($pconfig['tls'], "-----END OpenVPN Static key V1-----")) {
$input_errors[] = gettext("The field 'TLS Key' does not appear to be valid");
}
if (!in_array($pconfig['tls_type'], array_keys($openvpn_tls_modes))) {
$input_errors[] = gettext("The field 'TLS Key Usage Mode' is not valid");
}
}
if ($pconfig['dns_server_enable']) {
if (!empty($pconfig['dns_server1']) && !is_ipaddr(trim($pconfig['dns_server1']))) {
$input_errors[] = gettext("The field 'DNS Server #1' must contain a valid IPv4 or IPv6 address");
}
if (!empty($pconfig['dns_server2']) && !is_ipaddr(trim($pconfig['dns_server2']))) {
$input_errors[] = gettext("The field 'DNS Server #2' must contain a valid IPv4 or IPv6 address");
}
if (!empty($pconfig['dns_server3']) && !is_ipaddr(trim($pconfig['dns_server3']))) {
$input_errors[] = gettext("The field 'DNS Server #3' must contain a valid IPv4 or IPv6 address");
}
if (!empty($pconfig['dns_server4']) && !is_ipaddr(trim($pconfig['dns_server4']))) {
$input_errors[] = gettext("The field 'DNS Server #4' must contain a valid IPv4 or IPv6 address");
}
}
if ($pconfig['ntp_server_enable']) {
if (!empty($pconfig['ntp_server1']) && !is_ipaddr(trim($pconfig['ntp_server1']))) {
$input_errors[] = gettext("The field 'NTP Server #1' must contain a valid IP address");
}
if (!empty($pconfig['ntp_server2']) && !is_ipaddr(trim($pconfig['ntp_server2']))) {
$input_errors[] = gettext("The field 'NTP Server #2' must contain a valid IP address");
}
if (!empty($pconfig['ntp_server3']) && !is_ipaddr(trim($pconfig['ntp_server3']))) {
$input_errors[] = gettext("The field 'NTP Server #3' must contain a valid IP address");
}
if (!empty($pconfig['ntp_server4']) && !is_ipaddr(trim($pconfig['ntp_server4']))) {
$input_errors[] = gettext("The field 'NTP Server #4' must contain a valid IP address");
}
}
if ($pconfig['netbios_enable']) {
if ($pconfig['wins_server_enable']) {
if (!empty($pconfig['wins_server1']) && !is_ipaddr(trim($pconfig['wins_server1']))) {
$input_errors[] = gettext("The field 'WINS Server #1' must contain a valid IP address");
}
if (!empty($pconfig['wins_server2']) && !is_ipaddr(trim($pconfig['wins_server2']))) {
$input_errors[] = gettext("The field 'WINS Server #2' must contain a valid IP address");
}
}
if ($pconfig['nbdd_server_enable']) {
if (!empty($pconfig['nbdd_server1']) && !is_ipaddr(trim($pconfig['nbdd_server1']))) {
$input_errors[] = gettext("The field 'NetBIOS Data Distribution Server #1' must contain a valid IP address");
}
}
}
if ($pconfig['maxclients'] && !is_numericint($pconfig['maxclients'])) {
$input_errors[] = gettext("The field 'Concurrent connections' must be numeric.");
}
if (!array_key_exists($pconfig['topology'], $openvpn_topologies)) {
$input_errors[] = gettext("The field 'Topology' contains an invalid selection");
}
/* If we are not in shared key mode, then we need the CA/Cert. */
if ($pconfig['mode'] != "p2p_shared_key") {
if (empty(trim($pconfig['certref']))) {
$input_errors[] = gettext("The selected certificate is not valid");
}
if (!empty($pconfig['dh_length']) && !in_array($pconfig['dh_length'], array_keys($openvpn_dh_lengths))) {
$input_errors[] = gettext("The specified DH Parameter length is invalid or the DH file does not exist.");
}
if (!empty($pconfig['ecdh_curve']) && !openvpn_validate_curve($pconfig['ecdh_curve'])) {
$input_errors[] = gettext("The specified ECDH Curve is invalid.");
}
if (($pconfig['ncp_enable'] != "disabled") && !empty($pconfig['ncp-ciphers']) && is_array($pconfig['ncp-ciphers'])) {
foreach ($pconfig['ncp-ciphers'] as $ncpc) {
if (!in_array(trim($ncpc), $cipher_validation_list)) {
$input_errors[] = gettext("One or more of the selected NCP Algorithms is not valid.");
}
}
}
$reqdfields = explode(" ", "caref certref");
$reqdfieldsn = array(gettext("Certificate Authority"), gettext("Certificate"));
} elseif (!$pconfig['autokey_enable']) {
/* We only need the shared key filled in if we are in shared key mode and autokey is not selected. */
$reqdfields = array('shared_key');
$reqdfieldsn = array(gettext('Shared key'));
}
if (($pconfig['mode'] == "p2p_shared_key") && strstr($pconfig['crypto'], "GCM")) {
$input_errors[] = gettext("GCM Encryption Algorithms cannot be used with Shared Key mode.");
}
if ($pconfig['dev_mode'] != "tap") {
$reqdfields[] = 'tunnel_network';
$reqdfieldsn[] = gettext('IPv4 Tunnel network');
} else {
if ($pconfig['serverbridge_dhcp'] && $pconfig['tunnel_network']) {
$input_errors[] = gettext("Using a tunnel network and server bridge settings together is not allowed.");
}
if (($pconfig['serverbridge_dhcp_start'] && !$pconfig['serverbridge_dhcp_end']) ||
(!$pconfig['serverbridge_dhcp_start'] && $pconfig['serverbridge_dhcp_end'])) {
$input_errors[] = gettext("Server Bridge DHCP Start and End must both be empty, or defined.");
}
if (($pconfig['serverbridge_dhcp_start'] && !is_ipaddrv4($pconfig['serverbridge_dhcp_start']))) {
$input_errors[] = gettext("Server Bridge DHCP Start must be an IPv4 address.");
}
if (($pconfig['serverbridge_dhcp_end'] && !is_ipaddrv4($pconfig['serverbridge_dhcp_end']))) {
$input_errors[] = gettext("Server Bridge DHCP End must be an IPv4 address.");
}
if (ip_greater_than($pconfig['serverbridge_dhcp_start'], $pconfig['serverbridge_dhcp_end'])) {
$input_errors[] = gettext("The Server Bridge DHCP range is invalid (start higher than end).");
}
}
/* UDP Fast I/O is not compatible with TCP, so toss the option out when
submitted since it can't be set this way legitimately. This also avoids
having to perform any more trickery on the stored option to not preserve
the value when changing modes. */
if ($pconfig['udp_fast_io'] && (strtolower(substr($pconfig['protocol'], 0, 3)) != "udp")) {
unset($pconfig['udp_fast_io']);
}
if (!empty($pconfig['sndrcvbuf']) && !array_key_exists($pconfig['sndrcvbuf'], openvpn_get_buffer_values())) {
$input_errors[] = gettext("The supplied Send/Receive Buffer size is invalid.");
}
do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
if (!$input_errors) {
$server = array();
if (isset($id) && $a_server[$id] &&
$pconfig['dev_mode'] <> $a_server[$id]['dev_mode']) {
/*
* delete old interface so a new TUN or TAP interface
* can be created.
*/
openvpn_delete('server', $a_server[$id]);
}
if ($vpnid) {
$server['vpnid'] = $vpnid;
} else {
$server['vpnid'] = openvpn_vpnid_next();
}
if ($_POST['disable'] == "yes") {
$server['disable'] = true;
}
$server['mode'] = $pconfig['mode'];
if (!empty($pconfig['authmode']) && (($pconfig['mode'] == "server_user") || ($pconfig['mode'] == "server_tls_user"))) {
$server['authmode'] = implode(",", $pconfig['authmode']);
}
$server['protocol'] = $pconfig['protocol'];
$server['dev_mode'] = $pconfig['dev_mode'];
list($server['interface'], $server['ipaddr']) = explode ("|", $pconfig['interface']);
$server['local_port'] = $pconfig['local_port'];
$server['description'] = $pconfig['description'];
$server['custom_options'] = str_replace("\r\n", "\n", $pconfig['custom_options']);
if ($tls_mode) {
if ($pconfig['tlsauth_enable']) {
if ($pconfig['autotls_enable']) {
$pconfig['tls'] = openvpn_create_key();
}
$server['tls'] = base64_encode($pconfig['tls']);
$server['tls_type'] = $pconfig['tls_type'];
}
$server['caref'] = $pconfig['caref'];
$server['crlref'] = $pconfig['crlref'];
$server['certref'] = $pconfig['certref'];
$server['dh_length'] = $pconfig['dh_length'];
$server['ecdh_curve'] = $pconfig['ecdh_curve'];
$server['cert_depth'] = $pconfig['cert_depth'];
if ($pconfig['mode'] == "server_tls_user") {
$server['strictusercn'] = $pconfig['strictusercn'];
}
} else {
$server['shared_key'] = base64_encode($pconfig['shared_key']);
}
$server['crypto'] = $pconfig['crypto'];
$server['digest'] = $pconfig['digest'];
$server['engine'] = $pconfig['engine'];
$server['tunnel_network'] = trim($pconfig['tunnel_network']);
$server['tunnel_networkv6'] = trim($pconfig['tunnel_networkv6']);
$server['remote_network'] = $pconfig['remote_network'];
$server['remote_networkv6'] = $pconfig['remote_networkv6'];
$server['gwredir'] = $pconfig['gwredir'];
$server['local_network'] = $pconfig['local_network'];
$server['local_networkv6'] = $pconfig['local_networkv6'];
$server['maxclients'] = $pconfig['maxclients'];
$server['compression'] = $pconfig['compression'];
$server['compression_push'] = $pconfig['compression_push'];
$server['passtos'] = $pconfig['passtos'];
$server['client2client'] = $pconfig['client2client'];
$server['dynamic_ip'] = $pconfig['dynamic_ip'];
$server['topology'] = $pconfig['topology'];
$server['serverbridge_dhcp'] = $pconfig['serverbridge_dhcp'];
$server['serverbridge_interface'] = $pconfig['serverbridge_interface'];
$server['serverbridge_dhcp_start'] = $pconfig['serverbridge_dhcp_start'];
$server['serverbridge_dhcp_end'] = $pconfig['serverbridge_dhcp_end'];
if ($pconfig['dns_domain_enable']) {
$server['dns_domain'] = $pconfig['dns_domain'];
}
if ($pconfig['dns_server_enable']) {
$server['dns_server1'] = $pconfig['dns_server1'];
$server['dns_server2'] = $pconfig['dns_server2'];
$server['dns_server3'] = $pconfig['dns_server3'];
$server['dns_server4'] = $pconfig['dns_server4'];
}
if ($pconfig['push_blockoutsidedns']) {
$server['push_blockoutsidedns'] = $pconfig['push_blockoutsidedns'];
}
if ($pconfig['udp_fast_io']) {
$server['udp_fast_io'] = $pconfig['udp_fast_io'];
}
$server['sndrcvbuf'] = $pconfig['sndrcvbuf'];
if ($pconfig['push_register_dns']) {
$server['push_register_dns'] = $pconfig['push_register_dns'];
}
if ($pconfig['ntp_server_enable']) {
$server['ntp_server1'] = $pconfig['ntp_server1'];
$server['ntp_server2'] = $pconfig['ntp_server2'];
}
$server['netbios_enable'] = $pconfig['netbios_enable'];
$server['netbios_ntype'] = $pconfig['netbios_ntype'];
$server['netbios_scope'] = $pconfig['netbios_scope'];
$server['verbosity_level'] = $pconfig['verbosity_level'];
if ($pconfig['netbios_enable']) {
if ($pconfig['wins_server_enable']) {
$server['wins_server1'] = $pconfig['wins_server1'];
$server['wins_server2'] = $pconfig['wins_server2'];
}
if ($pconfig['dns_server_enable']) {
$server['nbdd_server1'] = $pconfig['nbdd_server1'];
}
}
if ($_POST['duplicate_cn'] == "yes") {
$server['duplicate_cn'] = true;
}
if (!empty($pconfig['ncp-ciphers'])) {
$server['ncp-ciphers'] = implode(",", $pconfig['ncp-ciphers']);
}
$server['ncp_enable'] = $pconfig['ncp_enable'] ? "enabled":"disabled";
if (isset($id) && $a_server[$id]) {
$a_server[$id] = $server;
$wc_msg = sprintf(gettext('Updated OpenVPN server on %1$s:%2$s %3$s'), convert_friendly_interface_to_friendly_descr($server['interface']), $server['local_port'], $server['description']);
} else {
$a_server[] = $server;
$wc_msg = sprintf(gettext('Added OpenVPN server on %1$s:%2$s %3$s'), convert_friendly_interface_to_friendly_descr($server['interface']), $server['local_port'], $server['description']);
}
write_config($wc_msg);
openvpn_resync('server', $server);
openvpn_resync_csc_all();
header("Location: vpn_openvpn_server.php");
exit;
}
if (!empty($pconfig['ncp-ciphers'])) {
$pconfig['ncp-ciphers'] = implode(",", $pconfig['ncp-ciphers']);
}
if (!empty($pconfig['authmode'])) {
$pconfig['authmode'] = implode(",", $pconfig['authmode']);
}
}
$pgtitle = array(gettext("VPN"), gettext("OpenVPN"), gettext("Servers"));
$pglinks = array("", "vpn_openvpn_server.php", "vpn_openvpn_server.php");
if ($act=="new" || $act=="edit") {
$pgtitle[] = gettext('Edit');
$pglinks[] = "@self";
}
$shortcut_section = "openvpn";
include("head.inc");
if (!$savemsg) {
$savemsg = "";
}
if ($input_errors) {
print_input_errors($input_errors);
}
if ($savemsg) {
print_info_box($savemsg, 'success');
}
$tab_array = array();
$tab_array[] = array(gettext("Servers"), true, "vpn_openvpn_server.php");
$tab_array[] = array(gettext("Clients"), false, "vpn_openvpn_client.php");
$tab_array[] = array(gettext("Client Specific Overrides"), false, "vpn_openvpn_csc.php");
$tab_array[] = array(gettext("Wizards"), false, "wizard.php?xml=openvpn_wizard.xml");
add_package_tabs("OpenVPN", $tab_array);
display_top_tabs($tab_array);
$form = new Form();
if ($act=="new" || $act=="edit"):
$section = new Form_Section('General Information');
$section->addInput(new Form_Checkbox(
'disable',
'Disabled',
'Disable this server',
$pconfig['disable']
))->setHelp('Set this option to disable this server without removing it from the list.');
$section->addInput(new Form_Select(
'mode',
'*Server mode',
$pconfig['mode'],
openvpn_build_mode_list()
));
$options = array();
$authmodes = array();
$authmodes = explode(",", $pconfig['authmode']);
$auth_servers = auth_get_authserver_list();
foreach (explode(",", $pconfig['ncp-ciphers']) as $cipher) {
$ncp_ciphers_list[$cipher] = $cipher;
}
// If no authmodes set then default to selecting the first entry in auth_servers
if (empty($authmodes[0]) && !empty(key($auth_servers))) {
$authmodes[0] = key($auth_servers);
}
foreach ($auth_servers as $auth_server_key => $auth_server) {
$options[$auth_server_key] = $auth_server['name'];
}
$section->addInput(new Form_Select(
'authmode',
'*Backend for authentication',
$authmodes,
$options,
true
))->addClass('authmode');
$section->addInput(new Form_Select(
'protocol',
'*Protocol',
$pconfig['protocol'],
$openvpn_prots
));
$section->addInput(new Form_Select(
'dev_mode',
'*Device mode',
empty($pconfig['dev_mode']) ? 'tun':$pconfig['dev_mode'],
$openvpn_dev_mode
))->setHelp('"tun" mode carries IPv4 and IPv6 (OSI layer 3) and is the most common and compatible mode across all platforms.%1$s' .
'"tap" mode is capable of carrying 802.3 (OSI Layer 2.)', '
');
$section->addInput(new Form_Select(
'interface',
'*Interface',
$pconfig['interface'],
openvpn_build_if_list()
))->setHelp("The interface or Virtual IP address where OpenVPN will receive client connections.");
$section->addInput(new Form_Input(
'local_port',
'*Local port',
'number',
$pconfig['local_port'],
['min' => '0']
))->setHelp("The port used by OpenVPN to receive client connections.");
$section->addInput(new Form_Input(
'description',
'Description',
'text',
$pconfig['description']
))->setHelp('A description may be entered here for administrative reference (not parsed).');
$form->add($section);
$section = new Form_Section('Cryptographic Settings');
$section->addInput(new Form_Checkbox(
'tlsauth_enable',
'TLS Configuration',
'Use a TLS Key',
$pconfig['tlsauth_enable']
))->setHelp("A TLS key enhances security of an OpenVPN connection by requiring both parties to have a common key before a peer can perform a TLS handshake. " .
"This layer of HMAC authentication allows control channel packets without the proper key to be dropped, protecting the peers from attack or unauthorized connections." .
"The TLS Key does not have any effect on tunnel data.");
if (!$pconfig['tls']) {
$section->addInput(new Form_Checkbox(
'autotls_enable',
null,
'Automatically generate a TLS Key.',
$pconfig['autotls_enable']
));
}
$section->addInput(new Form_Textarea(
'tls',
'*TLS Key',
$pconfig['tls']
))->setHelp('Paste the TLS key here.%1$s' .
'This key is used to sign control channel packets with an HMAC signature for authentication when establishing the tunnel. ',
'
');
$section->addInput(new Form_Select(
'tls_type',
'*TLS Key Usage Mode',
empty($pconfig['tls_type']) ? 'auth':$pconfig['tls_type'],
$openvpn_tls_modes
))->setHelp('In Authentication mode the TLS key is used only as HMAC authentication for the control channel, protecting the peers from unauthorized connections. %1$s' .
'Encryption and Authentication mode also encrypts control channel communication, providing more privacy and traffic control channel obfuscation.',
'
');
if (count($a_ca)) {
$list = array();
foreach ($a_ca as $ca) {
$list[$ca['refid']] = $ca['descr'];
}
$section->addInput(new Form_Select(
'caref',
'*Peer Certificate Authority',
$pconfig['caref'],
$list
));
} else {
$section->addInput(new Form_StaticText(
'*Peer Certificate Authority',
sprintf('No Certificate Authorities defined. One may be created here: %s', 'System > Cert. Manager')
));
}
if (count($a_crl)) {
$section->addInput(new Form_Select(
'crlref',
'Peer Certificate Revocation list',
$pconfig['crlref'],
openvpn_build_crl_list()
));
} else {
$section->addInput(new Form_StaticText(
'Peer Certificate Revocation list',
sprintf('No Certificate Revocation Lists defined. One may be created here: %s', 'System > Cert. Manager')
));
}
$certhelp = '';
if (count($a_cert)) {
if (!empty(trim($pconfig['certref']))) {
$thiscert = lookup_cert($pconfig['certref']);
$purpose = cert_get_purpose($thiscert['crt'], true);
if ($purpose['server'] != "Yes") {
$certhelp = '' . gettext("Warning: The selected server certificate was not created as an SSL Server certificate and may not work as expected") . ' ';
}
}
} else {
$certhelp = sprintf(gettext('No Certificates defined. One may be created here: %1$s%2$s%3$s'), '', '' . gettext("System > Cert. Manager") . '', '');
}
$cl = openvpn_build_cert_list(false, true);
//Save the number of server certs for use at run-time
$servercerts = count($cl['server']);
$section->addInput(new Form_Select(
'certref',
'*Server certificate',
$pconfig['certref'],
$cl['server'] + $cl['non-server']
))->setHelp($certhelp);
$section->addInput(new Form_Select(
'dh_length',
'*DH Parameter Length',
$pconfig['dh_length'],
$openvpn_dh_lengths
))->setHelp('Diffie-Hellman (DH) parameter set used for key exchange.%1$s%2$s%3$s',
'