$acrl) {
if (!isset($acrl['refid'])) {
unset ($a_crl[$cid]);
}
}
// Resolve which server entry (if any) this request addresses.
// 'id' is accepted only when it is a non-negative integer string, so it is
// safe to use as an index into $a_server; 'act' is passed through verbatim
// and only ever compared against the known action names further down.
if (isset($_REQUEST['id'])) {
    $requestedId = $_REQUEST['id'];
    if (is_numericint($requestedId)) {
        $id = $requestedId;
    }
}
if (isset($_REQUEST['act'])) {
    $act = $_REQUEST['act'];
}

// Existing servers carry a vpnid; anything else (new server, unknown id) gets 0.
$vpnid = 0;
if (isset($id) && $a_server[$id]) {
    $vpnid = $a_server[$id]['vpnid'];
}
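// Delete handler. Removal is accepted only when the action arrives via POST
// (a GET carrying act=del is ignored), and only for an $id that passed the
// integer check above and names an existing entry. Both conditions are
// tested with isset() so a plain GET of the page does not raise undefined
// index / undefined variable warnings.
if (isset($_POST['act']) && ($_POST['act'] == "del")) {
    if (!isset($id) || !isset($a_server[$id])) {
        pfSenseHeader("vpn_openvpn_server.php");
        exit;
    }
    if (!empty($a_server[$id])) {
        // Tear down the running instance and its interface before the
        // config entry disappears, otherwise it could never be cleaned up.
        openvpn_delete('server', $a_server[$id]);
        $wc_msg = sprintf(gettext('Deleted OpenVPN server from %1$s:%2$s %3$s'), convert_friendly_interface_to_friendly_descr($a_server[$id]['interface']), $a_server[$id]['local_port'], $a_server[$id]['description']);
    } else {
        $wc_msg = gettext('Deleted empty OpenVPN server');
    }
    unset($a_server[$id]);
    // $wc_msg becomes the config-history entry for this change.
    write_config($wc_msg);
    $savemsg = gettext("Server successfully deleted.");
}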
// Defaults for a brand-new server, shown in the form before the first save.
// The same fallbacks are applied in the edit path for stored entries that
// predate a given option.
if ($act == "new") {
    $newServerDefaults = array(
        'ncp_enable' => "enabled",
        'ncp-ciphers' => "AES-256-GCM,AES-128-GCM",
        'autokey_enable' => "yes",
        'tlsauth_enable' => "yes",
        'autotls_enable' => "yes",
        // NOTE(review): 1024-bit DH and SHA1 are the historical OpenVPN
        // defaults kept here for compatibility. The selectable DH lengths come
        // from $openvpn_dh_lengths (validated on save), so a stronger default
        // should be picked from that list rather than hard-coded here.
        'dh_length' => 1024,
        'dev_mode' => "tun",
        'interface' => "wan",
        // Next free UDP port so two servers do not collide out of the box.
        'local_port' => openvpn_port_next('UDP'),
        'pool_enable' => "yes",
        'cert_depth' => 1,
        'verbosity_level' => 1, // Default verbosity is 1
        'digest' => "SHA1", // OpenVPN Defaults to SHA1
    );
    foreach ($newServerDefaults as $field => $value) {
        $pconfig[$field] = $value;
    }
}
// Edit view: pre-populate $pconfig from the stored server entry so the form
// shows the current values. Options introduced after an entry was created
// (ncp-ciphers, ncp_enable, cert_depth, verbosity_level, digest) fall back to
// the same defaults the "new" path uses.
if ($act == "edit") {
if (isset($id) && $a_server[$id]) {
$pconfig['disable'] = isset($a_server[$id]['disable']);
$pconfig['mode'] = $a_server[$id]['mode'];
$pconfig['protocol'] = $a_server[$id]['protocol'];
$pconfig['authmode'] = $a_server[$id]['authmode'];
if (isset($a_server[$id]['ncp-ciphers'])) {
$pconfig['ncp-ciphers'] = $a_server[$id]['ncp-ciphers'];
} else {
$pconfig['ncp-ciphers'] = "AES-256-GCM,AES-128-GCM";
}
if (isset($a_server[$id]['ncp_enable'])) {
$pconfig['ncp_enable'] = $a_server[$id]['ncp_enable'];
} else {
$pconfig['ncp_enable'] = "enabled";
}
$pconfig['dev_mode'] = $a_server[$id]['dev_mode'];
// The interface is stored as two fields (interface + optional VIP address);
// the form's selector uses the combined "<if>|<vip>" form, split again on save.
$pconfig['interface'] = $a_server[$id]['interface'];
if (!empty($a_server[$id]['ipaddr'])) {
$pconfig['interface'] = $pconfig['interface'] . '|' . $a_server[$id]['ipaddr'];
}
$pconfig['local_port'] = $a_server[$id]['local_port'];
$pconfig['description'] = $a_server[$id]['description'];
$pconfig['custom_options'] = $a_server[$id]['custom_options'];
if ($pconfig['mode'] != "p2p_shared_key") {
// TLS modes: the tls-auth/tls-crypt key is stored base64-encoded; the form
// receives the decoded key material.
if ($a_server[$id]['tls']) {
$pconfig['tlsauth_enable'] = "yes";
$pconfig['tls'] = base64_decode($a_server[$id]['tls']);
$pconfig['tls_type'] = $a_server[$id]['tls_type'];
}
$pconfig['caref'] = $a_server[$id]['caref'];
$pconfig['crlref'] = $a_server[$id]['crlref'];
$pconfig['certref'] = $a_server[$id]['certref'];
$pconfig['dh_length'] = $a_server[$id]['dh_length'];
$pconfig['ecdh_curve'] = $a_server[$id]['ecdh_curve'];
if (isset($a_server[$id]['cert_depth'])) {
$pconfig['cert_depth'] = $a_server[$id]['cert_depth'];
} else {
$pconfig['cert_depth'] = 1;
}
if ($pconfig['mode'] == "server_tls_user") {
$pconfig['strictusercn'] = $a_server[$id]['strictusercn'];
}
} else {
// Shared-key mode: no CA/cert, just the static key (base64 in the config).
$pconfig['shared_key'] = base64_decode($a_server[$id]['shared_key']);
}
$pconfig['crypto'] = $a_server[$id]['crypto'];
// OpenVPN Defaults to SHA1 if unset
$pconfig['digest'] = !empty($a_server[$id]['digest']) ? $a_server[$id]['digest'] : "SHA1";
$pconfig['engine'] = $a_server[$id]['engine'];
$pconfig['tunnel_network'] = $a_server[$id]['tunnel_network'];
$pconfig['tunnel_networkv6'] = $a_server[$id]['tunnel_networkv6'];
$pconfig['remote_network'] = $a_server[$id]['remote_network'];
$pconfig['remote_networkv6'] = $a_server[$id]['remote_networkv6'];
$pconfig['gwredir'] = $a_server[$id]['gwredir'];
$pconfig['local_network'] = $a_server[$id]['local_network'];
$pconfig['local_networkv6'] = $a_server[$id]['local_networkv6'];
$pconfig['maxclients'] = $a_server[$id]['maxclients'];
$pconfig['compression'] = $a_server[$id]['compression'];
$pconfig['compression_push'] = $a_server[$id]['compression_push'];
$pconfig['passtos'] = $a_server[$id]['passtos'];
$pconfig['client2client'] = $a_server[$id]['client2client'];
$pconfig['dynamic_ip'] = $a_server[$id]['dynamic_ip'];
$pconfig['pool_enable'] = $a_server[$id]['pool_enable'];
$pconfig['topology'] = $a_server[$id]['topology'];
$pconfig['serverbridge_dhcp'] = $a_server[$id]['serverbridge_dhcp'];
$pconfig['serverbridge_interface'] = $a_server[$id]['serverbridge_interface'];
$pconfig['serverbridge_dhcp_start'] = $a_server[$id]['serverbridge_dhcp_start'];
$pconfig['serverbridge_dhcp_end'] = $a_server[$id]['serverbridge_dhcp_end'];
// The *_enable flags are not stored in the config; they are derived from
// whether the corresponding values are present so the form's toggles open.
$pconfig['dns_domain'] = $a_server[$id]['dns_domain'];
if ($pconfig['dns_domain']) {
$pconfig['dns_domain_enable'] = true;
}
$pconfig['dns_server1'] = $a_server[$id]['dns_server1'];
$pconfig['dns_server2'] = $a_server[$id]['dns_server2'];
$pconfig['dns_server3'] = $a_server[$id]['dns_server3'];
$pconfig['dns_server4'] = $a_server[$id]['dns_server4'];
if ($pconfig['dns_server1'] ||
$pconfig['dns_server2'] ||
$pconfig['dns_server3'] ||
$pconfig['dns_server4']) {
$pconfig['dns_server_enable'] = true;
}
$pconfig['ntp_server1'] = $a_server[$id]['ntp_server1'];
$pconfig['ntp_server2'] = $a_server[$id]['ntp_server2'];
if ($pconfig['ntp_server1'] ||
$pconfig['ntp_server2']) {
$pconfig['ntp_server_enable'] = true;
}
$pconfig['netbios_enable'] = $a_server[$id]['netbios_enable'];
$pconfig['netbios_ntype'] = $a_server[$id]['netbios_ntype'];
$pconfig['netbios_scope'] = $a_server[$id]['netbios_scope'];
$pconfig['wins_server1'] = $a_server[$id]['wins_server1'];
$pconfig['wins_server2'] = $a_server[$id]['wins_server2'];
if ($pconfig['wins_server1'] ||
$pconfig['wins_server2']) {
$pconfig['wins_server_enable'] = true;
}
$pconfig['client_mgmt_port'] = $a_server[$id]['client_mgmt_port'];
if ($pconfig['client_mgmt_port']) {
$pconfig['client_mgmt_port_enable'] = true;
}
$pconfig['nbdd_server1'] = $a_server[$id]['nbdd_server1'];
if ($pconfig['nbdd_server1']) {
$pconfig['nbdd_server_enable'] = true;
}
// just in case the modes switch
// NOTE(review): the save handler regenerates the shared key / TLS key whenever
// these flags are submitted. Forcing them on here is only safe if the form
// hides the corresponding checkboxes when a key is already present (it does
// so for the TLS key further down); confirm the same holds for shared_key.
$pconfig['autokey_enable'] = "yes";
$pconfig['autotls_enable'] = "yes";
$pconfig['duplicate_cn'] = isset($a_server[$id]['duplicate_cn']);
if (isset($a_server[$id]['verbosity_level'])) {
$pconfig['verbosity_level'] = $a_server[$id]['verbosity_level'];
} else {
$pconfig['verbosity_level'] = 1; // Default verbosity is 1
}
$pconfig['push_blockoutsidedns'] = $a_server[$id]['push_blockoutsidedns'];
$pconfig['push_register_dns'] = $a_server[$id]['push_register_dns'];
}
}
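// Save handler: validate the submitted form, then either persist the entry
// and resync OpenVPN (redirecting back to the list), or fall through with
// $input_errors set so the form is redisplayed. Everything read from
// $pconfig below is untrusted POST data until its check has run; values
// that are only ever compared against fixed option tables (crypto, tls_type,
// topology, dh_length, ncp-ciphers) are rejected when not in the table.
if (isset($_POST['save']) && $_POST['save']) {
    unset($input_errors);
    $pconfig = $_POST;

    if (isset($id) && $a_server[$id]) {
        $vpnid = $a_server[$id]['vpnid'];
    } else {
        $vpnid = 0;
    }

    // Only ciphers the installed OpenVPN reports are accepted, both for the
    // main algorithm and for the NCP list checked further down.
    $cipher_validation_list = array_keys(openvpn_get_cipherlist());
    if (!in_array($pconfig['crypto'], $cipher_validation_list)) {
        $input_errors[] = gettext("The selected Encryption Algorithm is not valid.");
    }

    // The interface selector value is either "<if>" or "<if>|<vip address>".
    // Pad the split so $iv_ip is defined (null) when no VIP part is present
    // instead of raising an undefined-offset warning.
    list($iv_iface, $iv_ip) = array_pad(explode("|", $pconfig['interface']), 2, null);
    if (is_ipaddrv4($iv_ip) && (stristr($pconfig['protocol'], "6") !== false)) {
        $input_errors[] = gettext("Protocol and IP address families do not match. An IPv6 protocol and an IPv4 IP address cannot be selected.");
    } elseif (is_ipaddrv6($iv_ip) && (stristr($pconfig['protocol'], "6") === false)) {
        $input_errors[] = gettext("Protocol and IP address families do not match. An IPv4 protocol and an IPv6 IP address cannot be selected.");
    } elseif ((stristr($pconfig['protocol'], "6") === false) && !get_interface_ip($iv_iface) && ($pconfig['interface'] != "any")) {
        // If an underlying interface to be used by this server uses DHCP, then it may not have received an IP address yet.
        // So in that case we do not report a problem.
        if (!interface_has_dhcp($iv_iface, 4)) {
            $input_errors[] = gettext("An IPv4 protocol was selected, but the selected interface has no IPv4 address.");
        }
    } elseif ((stristr($pconfig['protocol'], "6") !== false) && !get_interface_ipv6($iv_iface) && ($pconfig['interface'] != "any")) {
        // If an underlying interface to be used by this server uses DHCP6, then it may not have received an IP address yet.
        // So in that case we do not report a problem.
        if (!interface_has_dhcp($iv_iface, 6)) {
            $input_errors[] = gettext("An IPv6 protocol was selected, but the selected interface has no IPv6 address.");
        }
    }

    // Every mode except p2p_shared_key authenticates with TLS (CA + cert,
    // optionally a tls-auth/tls-crypt key).
    $tls_mode = ($pconfig['mode'] != "p2p_shared_key");

    if (empty($pconfig['authmode']) && (($pconfig['mode'] == "server_user") || ($pconfig['mode'] == "server_tls_user"))) {
        $input_errors[] = gettext("A Backend for Authentication must be selected if the server mode requires User Auth.");
    }

    /* input validation */
    if ($result = openvpn_validate_port($pconfig['local_port'], 'Local port')) {
        $input_errors[] = $result;
    }
    if ($result = openvpn_validate_cidr($pconfig['tunnel_network'], 'IPv4 Tunnel Network', false, "ipv4")) {
        $input_errors[] = $result;
    }
    if ($result = openvpn_validate_cidr($pconfig['tunnel_networkv6'], 'IPv6 Tunnel Network', false, "ipv6")) {
        $input_errors[] = $result;
    }
    if ($result = openvpn_validate_cidr($pconfig['remote_network'], 'IPv4 Remote Network', true, "ipv4")) {
        $input_errors[] = $result;
    }
    if ($result = openvpn_validate_cidr($pconfig['remote_networkv6'], 'IPv6 Remote Network', true, "ipv6")) {
        $input_errors[] = $result;
    }
    if ($result = openvpn_validate_cidr($pconfig['local_network'], 'IPv4 Local Network', true, "ipv4")) {
        $input_errors[] = $result;
    }
    if ($result = openvpn_validate_cidr($pconfig['local_networkv6'], 'IPv6 Local Network', true, "ipv6")) {
        $input_errors[] = $result;
    }

    // A port is "in use" when another instance (not this one) already binds it.
    $portused = openvpn_port_used($pconfig['protocol'], $pconfig['interface'], $pconfig['local_port'], $vpnid);
    if (($portused != $vpnid) && ($portused != 0)) {
        $input_errors[] = gettext("The specified 'Local port' is in use. Please select another value");
    }

    // With autokey requested a fresh static key replaces whatever was
    // submitted; a pasted key is only sanity-checked when autokey is off.
    if ($pconfig['autokey_enable']) {
        $pconfig['shared_key'] = openvpn_create_key();
    }
    if (!$tls_mode && !$pconfig['autokey_enable']) {
        if (!strstr($pconfig['shared_key'], "-----BEGIN OpenVPN Static key V1-----") ||
            !strstr($pconfig['shared_key'], "-----END OpenVPN Static key V1-----")) {
            $input_errors[] = gettext("The field 'Shared Key' does not appear to be valid");
        }
    }
    if ($tls_mode && $pconfig['tlsauth_enable'] && !$pconfig['autotls_enable']) {
        if (!strstr($pconfig['tls'], "-----BEGIN OpenVPN Static key V1-----") ||
            !strstr($pconfig['tls'], "-----END OpenVPN Static key V1-----")) {
            $input_errors[] = gettext("The field 'TLS Key' does not appear to be valid");
        }
        if (!in_array($pconfig['tls_type'], array_keys($openvpn_tls_modes))) {
            $input_errors[] = gettext("The field 'TLS Key Usage Mode' is not valid");
        }
    }

    if ($pconfig['dns_server_enable']) {
        if (!empty($pconfig['dns_server1']) && !is_ipaddr(trim($pconfig['dns_server1']))) {
            $input_errors[] = gettext("The field 'DNS Server #1' must contain a valid IPv4 or IPv6 address");
        }
        if (!empty($pconfig['dns_server2']) && !is_ipaddr(trim($pconfig['dns_server2']))) {
            $input_errors[] = gettext("The field 'DNS Server #2' must contain a valid IPv4 or IPv6 address");
        }
        if (!empty($pconfig['dns_server3']) && !is_ipaddr(trim($pconfig['dns_server3']))) {
            $input_errors[] = gettext("The field 'DNS Server #3' must contain a valid IPv4 or IPv6 address");
        }
        if (!empty($pconfig['dns_server4']) && !is_ipaddr(trim($pconfig['dns_server4']))) {
            $input_errors[] = gettext("The field 'DNS Server #4' must contain a valid IPv4 or IPv6 address");
        }
    }

    // NOTE: ntp_server3/4 are checked here but only ntp_server1/2 are ever
    // loaded or persisted by this page, so those two checks are effectively dead.
    if ($pconfig['ntp_server_enable']) {
        if (!empty($pconfig['ntp_server1']) && !is_ipaddr(trim($pconfig['ntp_server1']))) {
            $input_errors[] = gettext("The field 'NTP Server #1' must contain a valid IP address");
        }
        if (!empty($pconfig['ntp_server2']) && !is_ipaddr(trim($pconfig['ntp_server2']))) {
            $input_errors[] = gettext("The field 'NTP Server #2' must contain a valid IP address");
        }
        if (!empty($pconfig['ntp_server3']) && !is_ipaddr(trim($pconfig['ntp_server3']))) {
            $input_errors[] = gettext("The field 'NTP Server #3' must contain a valid IP address");
        }
        if (!empty($pconfig['ntp_server4']) && !is_ipaddr(trim($pconfig['ntp_server4']))) {
            $input_errors[] = gettext("The field 'NTP Server #4' must contain a valid IP address");
        }
    }

    if ($pconfig['netbios_enable']) {
        if ($pconfig['wins_server_enable']) {
            if (!empty($pconfig['wins_server1']) && !is_ipaddr(trim($pconfig['wins_server1']))) {
                $input_errors[] = gettext("The field 'WINS Server #1' must contain a valid IP address");
            }
            if (!empty($pconfig['wins_server2']) && !is_ipaddr(trim($pconfig['wins_server2']))) {
                $input_errors[] = gettext("The field 'WINS Server #2' must contain a valid IP address");
            }
        }
        if ($pconfig['nbdd_server_enable']) {
            if (!empty($pconfig['nbdd_server1']) && !is_ipaddr(trim($pconfig['nbdd_server1']))) {
                $input_errors[] = gettext("The field 'NetBIOS Data Distribution Server #1' must contain a valid IP address");
            }
        }
    }

    if ($pconfig['client_mgmt_port_enable']) {
        if ($result = openvpn_validate_port($pconfig['client_mgmt_port'], 'Client management port')) {
            $input_errors[] = $result;
        }
    }

    if ($pconfig['maxclients'] && !is_numericint($pconfig['maxclients'])) {
        $input_errors[] = gettext("The field 'Concurrent connections' must be numeric.");
    }

    if (!array_key_exists($pconfig['topology'], $openvpn_topologies)) {
        $input_errors[] = gettext("The field 'Topology' contains an invalid selection");
    }

    /* If we are not in shared key mode, then we need the CA/Cert. */
    // The required-field lists start empty so do_input_validation() always
    // receives arrays, including shared-key mode with autokey where neither
    // branch below adds anything.
    $reqdfields = array();
    $reqdfieldsn = array();
    if ($pconfig['mode'] != "p2p_shared_key") {
        if (empty(trim($pconfig['certref']))) {
            $input_errors[] = gettext("The selected certificate is not valid");
        }
        if (!empty($pconfig['dh_length']) && !in_array($pconfig['dh_length'], array_keys($openvpn_dh_lengths))) {
            $input_errors[] = gettext("The specified DH Parameter length is invalid or the DH file does not exist.");
        }
        if (!empty($pconfig['ecdh_curve']) && !openvpn_validate_curve($pconfig['ecdh_curve'])) {
            $input_errors[] = gettext("The specified ECDH Curve is invalid.");
        }
        // NOTE: an unchecked ncp_enable box arrives as null, which is != "disabled",
        // so the NCP list is validated even though it is stored as "disabled" below.
        // Harmless (extra validation only), but the two tests disagree.
        if (($pconfig['ncp_enable'] != "disabled") && !empty($pconfig['ncp-ciphers']) && is_array($pconfig['ncp-ciphers'])) {
            foreach ($pconfig['ncp-ciphers'] as $ncpc) {
                if (!in_array(trim($ncpc), $cipher_validation_list)) {
                    $input_errors[] = gettext("One or more of the selected NCP Algorithms is not valid.");
                }
            }
        }
        $reqdfields = array('caref', 'certref');
        $reqdfieldsn = array(gettext("Certificate Authority"), gettext("Certificate"));
    } elseif (!$pconfig['autokey_enable']) {
        /* We only need the shared key filled in if we are in shared key mode and autokey is not selected. */
        $reqdfields = array('shared_key');
        $reqdfieldsn = array(gettext('Shared key'));
    }

    if (($pconfig['mode'] == "p2p_shared_key") && strstr($pconfig['crypto'], "GCM")) {
        $input_errors[] = gettext("GCM Encryption Algorithms cannot be used with Shared Key mode.");
    }

    if ($pconfig['dev_mode'] != "tap") {
        $reqdfields[] = 'tunnel_network';
        $reqdfieldsn[] = gettext('IPv4 Tunnel network');
    } else {
        // tap mode: a bridged server hands out addresses via the bridge DHCP
        // range instead of a tunnel network, and the range must be complete.
        if ($pconfig['serverbridge_dhcp'] && $pconfig['tunnel_network']) {
            $input_errors[] = gettext("Using a tunnel network and server bridge settings together is not allowed.");
        }
        if (($pconfig['serverbridge_dhcp_start'] && !$pconfig['serverbridge_dhcp_end']) ||
            (!$pconfig['serverbridge_dhcp_start'] && $pconfig['serverbridge_dhcp_end'])) {
            $input_errors[] = gettext("Server Bridge DHCP Start and End must both be empty, or defined.");
        }
        if (($pconfig['serverbridge_dhcp_start'] && !is_ipaddrv4($pconfig['serverbridge_dhcp_start']))) {
            $input_errors[] = gettext("Server Bridge DHCP Start must be an IPv4 address.");
        }
        if (($pconfig['serverbridge_dhcp_end'] && !is_ipaddrv4($pconfig['serverbridge_dhcp_end']))) {
            $input_errors[] = gettext("Server Bridge DHCP End must be an IPv4 address.");
        }
        if (ip_greater_than($pconfig['serverbridge_dhcp_start'], $pconfig['serverbridge_dhcp_end'])) {
            $input_errors[] = gettext("The Server Bridge DHCP range is invalid (start higher than end).");
        }
    }

    do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);

    if (!$input_errors) {
        $server = array();

        if (isset($id) && $a_server[$id] &&
            $pconfig['dev_mode'] <> $a_server[$id]['dev_mode']) {
            /*
             * delete old interface so a new TUN or TAP interface
             * can be created.
             */
            openvpn_delete('server', $a_server[$id]);
        }

        if ($vpnid) {
            $server['vpnid'] = $vpnid;
        } else {
            $server['vpnid'] = openvpn_vpnid_next();
        }

        // Checkboxes are absent from the POST when unchecked; test with isset()
        // so an unchecked box neither warns nor sets the flag.
        if (isset($_POST['disable']) && ($_POST['disable'] == "yes")) {
            $server['disable'] = true;
        }

        $server['mode'] = $pconfig['mode'];
        if (!empty($pconfig['authmode']) && (($pconfig['mode'] == "server_user") || ($pconfig['mode'] == "server_tls_user"))) {
            $server['authmode'] = implode(",", $pconfig['authmode']);
        }
        $server['protocol'] = $pconfig['protocol'];
        $server['dev_mode'] = $pconfig['dev_mode'];
        // Split the "<if>|<vip>" selector back into the two stored fields; the
        // padding keeps 'ipaddr' defined (null) when no VIP was chosen.
        list($server['interface'], $server['ipaddr']) = array_pad(explode("|", $pconfig['interface']), 2, null);
        $server['local_port'] = $pconfig['local_port'];
        $server['description'] = $pconfig['description'];
        // Free-form text that ends up in the generated OpenVPN config; it is
        // stored as submitted apart from CRLF normalisation.
        $server['custom_options'] = str_replace("\r\n", "\n", $pconfig['custom_options']);

        if ($tls_mode) {
            if ($pconfig['tlsauth_enable']) {
                if ($pconfig['autotls_enable']) {
                    $pconfig['tls'] = openvpn_create_key();
                }
                // Key material is stored base64-encoded in the config.
                $server['tls'] = base64_encode($pconfig['tls']);
                $server['tls_type'] = $pconfig['tls_type'];
            }
            $server['caref'] = $pconfig['caref'];
            $server['crlref'] = $pconfig['crlref'];
            $server['certref'] = $pconfig['certref'];
            $server['dh_length'] = $pconfig['dh_length'];
            $server['ecdh_curve'] = $pconfig['ecdh_curve'];
            $server['cert_depth'] = $pconfig['cert_depth'];
            if ($pconfig['mode'] == "server_tls_user") {
                $server['strictusercn'] = $pconfig['strictusercn'];
            }
        } else {
            $server['shared_key'] = base64_encode($pconfig['shared_key']);
        }
        $server['crypto'] = $pconfig['crypto'];
        $server['digest'] = $pconfig['digest'];
        $server['engine'] = $pconfig['engine'];
        $server['tunnel_network'] = trim($pconfig['tunnel_network']);
        $server['tunnel_networkv6'] = trim($pconfig['tunnel_networkv6']);
        $server['remote_network'] = $pconfig['remote_network'];
        $server['remote_networkv6'] = $pconfig['remote_networkv6'];
        $server['gwredir'] = $pconfig['gwredir'];
        $server['local_network'] = $pconfig['local_network'];
        $server['local_networkv6'] = $pconfig['local_networkv6'];
        $server['maxclients'] = $pconfig['maxclients'];
        $server['compression'] = $pconfig['compression'];
        $server['compression_push'] = $pconfig['compression_push'];
        $server['passtos'] = $pconfig['passtos'];
        $server['client2client'] = $pconfig['client2client'];
        $server['dynamic_ip'] = $pconfig['dynamic_ip'];
        $server['pool_enable'] = $pconfig['pool_enable'];
        $server['topology'] = $pconfig['topology'];
        $server['serverbridge_dhcp'] = $pconfig['serverbridge_dhcp'];
        $server['serverbridge_interface'] = $pconfig['serverbridge_interface'];
        $server['serverbridge_dhcp_start'] = $pconfig['serverbridge_dhcp_start'];
        $server['serverbridge_dhcp_end'] = $pconfig['serverbridge_dhcp_end'];

        // The *_enable flags themselves are not stored; a disabled group simply
        // leaves its keys out of the entry.
        if ($pconfig['dns_domain_enable']) {
            $server['dns_domain'] = $pconfig['dns_domain'];
        }
        if ($pconfig['dns_server_enable']) {
            $server['dns_server1'] = $pconfig['dns_server1'];
            $server['dns_server2'] = $pconfig['dns_server2'];
            $server['dns_server3'] = $pconfig['dns_server3'];
            $server['dns_server4'] = $pconfig['dns_server4'];
        }
        if ($pconfig['push_blockoutsidedns']) {
            $server['push_blockoutsidedns'] = $pconfig['push_blockoutsidedns'];
        }
        if ($pconfig['push_register_dns']) {
            $server['push_register_dns'] = $pconfig['push_register_dns'];
        }
        if ($pconfig['ntp_server_enable']) {
            $server['ntp_server1'] = $pconfig['ntp_server1'];
            $server['ntp_server2'] = $pconfig['ntp_server2'];
        }
        $server['netbios_enable'] = $pconfig['netbios_enable'];
        $server['netbios_ntype'] = $pconfig['netbios_ntype'];
        $server['netbios_scope'] = $pconfig['netbios_scope'];
        $server['verbosity_level'] = $pconfig['verbosity_level'];

        if ($pconfig['netbios_enable']) {
            if ($pconfig['wins_server_enable']) {
                $server['wins_server1'] = $pconfig['wins_server1'];
                $server['wins_server2'] = $pconfig['wins_server2'];
            }
            // Gate on the NBDD flag, matching the edit loader and the validation
            // above (this previously tested dns_server_enable, so the NBDD server
            // was silently dropped unless DNS servers were also enabled).
            if ($pconfig['nbdd_server_enable']) {
                $server['nbdd_server1'] = $pconfig['nbdd_server1'];
            }
        }

        if ($pconfig['client_mgmt_port_enable']) {
            $server['client_mgmt_port'] = $pconfig['client_mgmt_port'];
        }

        if (isset($_POST['duplicate_cn']) && ($_POST['duplicate_cn'] == "yes")) {
            $server['duplicate_cn'] = true;
        }

        if (!empty($pconfig['ncp-ciphers'])) {
            $server['ncp-ciphers'] = implode(",", $pconfig['ncp-ciphers']);
        }
        $server['ncp_enable'] = $pconfig['ncp_enable'] ? "enabled":"disabled";

        if (isset($id) && $a_server[$id]) {
            $a_server[$id] = $server;
            $wc_msg = sprintf(gettext('Updated OpenVPN server on %1$s:%2$s %3$s'), convert_friendly_interface_to_friendly_descr($server['interface']), $server['local_port'], $server['description']);
        } else {
            $a_server[] = $server;
            $wc_msg = sprintf(gettext('Added OpenVPN server on %1$s:%2$s %3$s'), convert_friendly_interface_to_friendly_descr($server['interface']), $server['local_port'], $server['description']);
        }

        write_config($wc_msg);
        openvpn_resync('server', $server);
        openvpn_resync_csc_all();
        header("Location: vpn_openvpn_server.php");
        exit;
    }

    // Validation failed: flatten the multi-selects back to the comma-separated
    // form the form builder expects when redisplaying.
    if (!empty($pconfig['ncp-ciphers'])) {
        $pconfig['ncp-ciphers'] = implode(",", $pconfig['ncp-ciphers']);
    }
    if (!empty($pconfig['authmode'])) {
        $pconfig['authmode'] = implode(",", $pconfig['authmode']);
    }
}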
// Page chrome: breadcrumb, shared header, status boxes and the OpenVPN tab bar.
$pgtitle = array(gettext("VPN"), gettext("OpenVPN"), gettext("Servers"));
$pglinks = array("", "vpn_openvpn_server.php", "vpn_openvpn_server.php");
$isEditView = ($act == "new") || ($act == "edit");
if ($isEditView) {
    $pgtitle[] = gettext('Edit');
    $pglinks[] = "@self";
}
$shortcut_section = "openvpn";
include("head.inc");

// Normalise $savemsg so the truthiness test below is well-defined.
$savemsg = $savemsg ? $savemsg : "";
if ($input_errors) {
    print_input_errors($input_errors);
}
if ($savemsg) {
    print_info_box($savemsg, 'success');
}

// Tab entries are (label, active, target); this page is the active one.
$tab_array = array(
    array(gettext("Servers"), true, "vpn_openvpn_server.php"),
    array(gettext("Clients"), false, "vpn_openvpn_client.php"),
    array(gettext("Client Specific Overrides"), false, "vpn_openvpn_csc.php"),
    array(gettext("Wizards"), false, "wizard.php?xml=openvpn_wizard.xml"),
);
add_package_tabs("OpenVPN", $tab_array);
display_top_tabs($tab_array);

$form = new Form();
if ($act=="new" || $act=="edit"):
// General Information section of the edit form. Field values come from
// $pconfig (stored entry, defaults, or the rejected POST on a failed save).
$section = new Form_Section('General Information');
$section->addInput(new Form_Checkbox(
'disable',
'Disabled',
'Disable this server',
$pconfig['disable']
))->setHelp('Set this option to disable this server without removing it from the list.');
$section->addInput(new Form_Select(
'mode',
'*Server mode',
$pconfig['mode'],
openvpn_build_mode_list()
));
$options = array();
$authmodes = array();
// authmode is stored comma-separated; the select is multi-valued.
$authmodes = explode(",", $pconfig['authmode']);
$auth_servers = auth_get_authserver_list();
// NOTE(review): $ncp_ciphers_list is built here but not used in this section;
// presumably consumed by the NCP cipher select further down — confirm.
foreach (explode(",", $pconfig['ncp-ciphers']) as $cipher) {
$ncp_ciphers_list[$cipher] = $cipher;
}
// If no authmodes set then default to selecting the first entry in auth_servers
if (empty($authmodes[0]) && !empty(key($auth_servers))) {
$authmodes[0] = key($auth_servers);
}
foreach ($auth_servers as $auth_server_key => $auth_server) {
$options[$auth_server_key] = $auth_server['name'];
}
$section->addInput(new Form_Select(
'authmode',
'*Backend for authentication',
$authmodes,
$options,
true
))->addClass('authmode');
$section->addInput(new Form_Select(
'protocol',
'*Protocol',
$pconfig['protocol'],
$openvpn_prots
));
$section->addInput(new Form_Select(
'dev_mode',
'*Device mode',
empty($pconfig['dev_mode']) ? 'tun':$pconfig['dev_mode'],
$openvpn_dev_mode
))->setHelp('"tun" mode carries IPv4 and IPv6 (OSI layer 3) and is the most common and compatible mode across all platforms.%1$s' .
'"tap" mode is capable of carrying 802.3 (OSI Layer 2.)', '
');
// Value is "<if>" or "<if>|<vip>", split again by the save handler.
$section->addInput(new Form_Select(
'interface',
'*Interface',
$pconfig['interface'],
openvpn_build_if_list()
))->setHelp("The interface or Virtual IP address where OpenVPN will receive client connections.");
$section->addInput(new Form_Input(
'local_port',
'*Local port',
'number',
$pconfig['local_port'],
['min' => '0']
))->setHelp("The port used by OpenVPN to receive client connections.");
$section->addInput(new Form_Input(
'description',
'Description',
'text',
$pconfig['description']
))->setHelp('A description may be entered here for administrative reference (not parsed).');
$form->add($section);
// Cryptographic Settings section: TLS key, CA/CRL/cert selection and DH length.
$section = new Form_Section('Cryptographic Settings');
$section->addInput(new Form_Checkbox(
'tlsauth_enable',
'TLS Configuration',
'Use a TLS Key',
$pconfig['tlsauth_enable']
))->setHelp("A TLS key enhances security of an OpenVPN connection by requiring both parties to have a common key before a peer can perform a TLS handshake. " .
"This layer of HMAC authentication allows control channel packets without the proper key to be dropped, protecting the peers from attack or unauthorized connections." .
"The TLS Key does not have any effect on tunnel data.");
// The auto-generate box is only offered while no key exists, so re-saving an
// existing server does not silently replace its TLS key.
if (!$pconfig['tls']) {
$section->addInput(new Form_Checkbox(
'autotls_enable',
null,
'Automatically generate a TLS Key.',
$pconfig['autotls_enable']
));
}
$section->addInput(new Form_Textarea(
'tls',
'*TLS Key',
$pconfig['tls']
))->setHelp('Paste the TLS key here.%1$s' .
'This key is used to sign control channel packets with an HMAC signature for authentication when establishing the tunnel. ',
'
');
$section->addInput(new Form_Select(
'tls_type',
'*TLS Key Usage Mode',
empty($pconfig['tls_type']) ? 'auth':$pconfig['tls_type'],
$openvpn_tls_modes
))->setHelp('In Authentication mode the TLS key is used only as HMAC authentication for the control channel, protecting the peers from unauthorized connections. %1$s' .
'Encryption and Authentication mode also encrypts control channel communication, providing more privacy and traffic control channel obfuscation.',
'
');
// CA / CRL selectors degrade to a static hint when none are defined.
if (count($a_ca)) {
$list = array();
foreach ($a_ca as $ca) {
$list[$ca['refid']] = $ca['descr'];
}
$section->addInput(new Form_Select(
'caref',
'*Peer Certificate Authority',
$pconfig['caref'],
$list
));
} else {
$section->addInput(new Form_StaticText(
'*Peer Certificate Authority',
sprintf('No Certificate Authorities defined. One may be created here: %s', 'System > Cert. Manager')
));
}
if (count($a_crl)) {
$section->addInput(new Form_Select(
'crlref',
'Peer Certificate Revocation list',
$pconfig['crlref'],
openvpn_build_crl_list()
));
} else {
$section->addInput(new Form_StaticText(
'Peer Certificate Revocation list',
sprintf('No Certificate Revocation Lists defined. One may be created here: %s', 'System > Cert. Manager')
));
}
// Warn when the chosen certificate lacks the server purpose (EKU), since
// clients that verify the remote cert type will refuse to connect.
$certhelp = '';
if (count($a_cert)) {
if (!empty(trim($pconfig['certref']))) {
// NOTE(review): a stale certref (certificate deleted) would make
// lookup_cert() return nothing and $thiscert['crt'] undefined — confirm
// lookup_cert's failure value and guard if needed.
$thiscert = lookup_cert($pconfig['certref']);
$purpose = cert_get_purpose($thiscert['crt'], true);
if ($purpose['server'] != "Yes") {
// NOTE(review): the empty string literals around the gettext() calls here
// and below look like markup lost in extraction; verify against the source.
$certhelp = '' . gettext("Warning: The selected server certificate was not created as an SSL Server certificate and may not work as expected") . ' ';
}
}
} else {
$certhelp = sprintf(gettext('No Certificates defined. One may be created here: %1$s%2$s%3$s'), '', '' . gettext("System > Cert. Manager") . '', '');
}
// Server-purpose certificates are listed first, then the rest.
$cl = openvpn_build_cert_list(false, true);
//Save the number of server certs for use at run-time
$servercerts = count($cl['server']);
$section->addInput(new Form_Select(
'certref',
'*Server certificate',
$pconfig['certref'],
$cl['server'] + $cl['non-server']
))->setHelp($certhelp);
$section->addInput(new Form_Select(
'dh_length',
'*DH Parameter Length',
$pconfig['dh_length'],
$openvpn_dh_lengths
))->setHelp('Diffie-Hellman (DH) parameter set used for key exchange.%1$s%2$s%3$s',
'