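$acrl) { if (!isset($acrl['refid'])) { unset ($a_crl[$cid]); } } // tail of the foreach over $a_crl that opens above this chunk: drop CRL entries with no refid

/*
 * Request parsing.
 * $id is only accepted when it is a non-negative integer (is_numericint), with a
 * POSTed id overriding the GET one. $act is mirrored the same way, but every
 * handler below tests $_GET['act'] directly, so a POSTed "act" has no effect.
 */
if (is_numericint($_GET['id'])) {
	$id = $_GET['id'];
}
if (isset($_POST['id']) && is_numericint($_POST['id'])) {
	$id = $_POST['id'];
}
$act = $_GET['act'];
if (isset($_POST['act'])) {
	$act = $_POST['act'];
}

if (isset($id) && !empty($a_server[$id])) {
	$vpnid = $a_server[$id]['vpnid'];
} else {
	$vpnid = 0;
}

/*
 * Delete.
 * NOTE(review): this is a state-changing action driven by a plain GET
 * (?act=del&id=N). Whatever CSRF token check protects POSTs does not cover it,
 * so an authenticated admin who follows a crafted link removes a server.
 * Left as-is because the list page links to it; confirm whether that link can
 * be turned into a POST form before changing the method here.
 */
if ($_GET['act'] == "del") {
	if (!isset($a_server[$id])) {
		pfSenseHeader("vpn_openvpn_server.php");
		exit;
	}
	if (!empty($a_server[$id])) {
		openvpn_delete('server', $a_server[$id]);
	}
	unset($a_server[$id]);
	write_config();
	$savemsg = gettext("Server successfully deleted") . "\n";
}

/*
 * New server: seed the form with defaults.
 */
if ($_GET['act'] == "new") {
	$pconfig['autokey_enable'] = "yes";
	$pconfig['tlsauth_enable'] = "yes";
	$pconfig['autotls_enable'] = "yes";
	/* NOTE(review): a 1024-bit DH group is below current guidance (2048+).
	 * The selectable sizes live in the form markup, not here, so the default
	 * is left alone — confirm the form offers 2048/4096 before raising it. */
	$pconfig['dh_length'] = 1024;
	$pconfig['dev_mode'] = "tun";
	$pconfig['interface'] = "wan";
	$pconfig['local_port'] = openvpn_port_next('UDP');
	$pconfig['pool_enable'] = "yes";
	$pconfig['cert_depth'] = 1;
	$pconfig['verbosity_level'] = 1; // Default verbosity is 1
	$pconfig['digest'] = "SHA1"; // OpenVPN defaults to SHA1 for the HMAC auth digest
}

/*
 * Edit: copy the stored server entry into $pconfig for the form.
 */
if ($_GET['act'] == "edit") {
	if (isset($id) && !empty($a_server[$id])) {
		$srv = $a_server[$id];

		$pconfig['disable'] = isset($srv['disable']);
		$pconfig['mode'] = $srv['mode'];
		$pconfig['protocol'] = $srv['protocol'];
		$pconfig['authmode'] = $srv['authmode'];
		$pconfig['dev_mode'] = $srv['dev_mode'];
		$pconfig['interface'] = $srv['interface'];
		if (!empty($srv['ipaddr'])) {
			// the interface select encodes a specific bound address as "iface|ip"
			$pconfig['interface'] = $pconfig['interface'] . '|' . $srv['ipaddr'];
		}
		$pconfig['local_port'] = $srv['local_port'];
		$pconfig['description'] = $srv['description'];
		$pconfig['custom_options'] = $srv['custom_options'];

		if ($pconfig['mode'] != "p2p_shared_key") {
			/* TLS modes: certificate material; keys are stored base64-encoded */
			if ($srv['tls']) {
				$pconfig['tlsauth_enable'] = "yes";
				$pconfig['tls'] = base64_decode($srv['tls']);
			}
			$pconfig['caref'] = $srv['caref'];
			$pconfig['crlref'] = $srv['crlref'];
			$pconfig['certref'] = $srv['certref'];
			$pconfig['dh_length'] = $srv['dh_length'];
			$pconfig['cert_depth'] = isset($srv['cert_depth']) ? $srv['cert_depth'] : 1;
			if ($pconfig['mode'] == "server_tls_user") {
				$pconfig['strictusercn'] = $srv['strictusercn'];
			}
		} else {
			$pconfig['shared_key'] = base64_decode($srv['shared_key']);
		}

		$pconfig['crypto'] = $srv['crypto'];
		// OpenVPN defaults to SHA1 if unset
		$pconfig['digest'] = !empty($srv['digest']) ? $srv['digest'] : "SHA1";
		$pconfig['engine'] = $srv['engine'];

		/* Fields copied through unchanged */
		$plain_fields = array(
			'tunnel_network', 'tunnel_networkv6', 'remote_network', 'remote_networkv6',
			'gwredir', 'local_network', 'local_networkv6', 'maxclients', 'compression',
			'passtos', 'client2client', 'dynamic_ip', 'pool_enable', 'topology_subnet',
			'serverbridge_dhcp', 'serverbridge_interface', 'serverbridge_dhcp_start',
			'serverbridge_dhcp_end', 'dns_domain', 'dns_server1', 'dns_server2',
			'dns_server3', 'dns_server4', 'ntp_server1', 'ntp_server2', 'netbios_enable',
			'netbios_ntype', 'netbios_scope', 'wins_server1', 'wins_server2',
			'client_mgmt_port', 'nbdd_server1', 'no_tun_ipv6', 'push_register_dns',
		);
		foreach ($plain_fields as $key) {
			$pconfig[$key] = $srv[$key];
		}

		/* The "enable" checkboxes are not stored; derive them from the data present */
		if ($pconfig['dns_domain']) {
			$pconfig['dns_domain_enable'] = true;
		}
		if ($pconfig['dns_server1'] || $pconfig['dns_server2'] || $pconfig['dns_server3'] || $pconfig['dns_server4']) {
			$pconfig['dns_server_enable'] = true;
		}
		if ($pconfig['ntp_server1'] || $pconfig['ntp_server2']) {
			$pconfig['ntp_server_enable'] = true;
		}
		if ($pconfig['wins_server1'] || $pconfig['wins_server2']) {
			$pconfig['wins_server_enable'] = true;
		}
		if ($pconfig['client_mgmt_port']) {
			$pconfig['client_mgmt_port_enable'] = true;
		}
		if ($pconfig['nbdd_server1']) {
			$pconfig['nbdd_server_enable'] = true;
		}

		// just in case the modes switch
		$pconfig['autokey_enable'] = "yes";
		$pconfig['autotls_enable'] = "yes";

		$pconfig['duplicate_cn'] = isset($srv['duplicate_cn']);
		$pconfig['verbosity_level'] = isset($srv['verbosity_level']) ? $srv['verbosity_level'] : 1; // Default verbosity is 1
	}
}

/*
 * Save: validate the submitted form, then write the server entry and resync.
 */
if ($_POST) {
	unset($input_errors);
	/* $pconfig is the raw POST from here on; only the fields checked below are validated */
	$pconfig = $_POST;

	if (isset($id) && !empty($a_server[$id])) {
		$vpnid = $a_server[$id]['vpnid'];
	} else {
		$vpnid = 0;
	}

	/* Address family of the bound address/interface must agree with the protocol
	 * (the IPv6 protocol names carry a "6"). */
	list($iv_iface, $iv_ip) = explode("|", $pconfig['interface']);
	$proto_is_v6 = (stristr($pconfig['protocol'], "6") !== false);
	if (is_ipaddrv4($iv_ip) && $proto_is_v6) {
		$input_errors[] = gettext("Protocol and IP address families do not match. You cannot select an IPv6 protocol and an IPv4 IP address.");
	} elseif (is_ipaddrv6($iv_ip) && !$proto_is_v6) {
		$input_errors[] = gettext("Protocol and IP address families do not match. You cannot select an IPv4 protocol and an IPv6 IP address.");
	} elseif (!$proto_is_v6 && !get_interface_ip($iv_iface) && ($pconfig['interface'] != "any")) {
		$input_errors[] = gettext("An IPv4 protocol was selected, but the selected interface has no IPv4 address.");
	} elseif ($proto_is_v6 && !get_interface_ipv6($iv_iface) && ($pconfig['interface'] != "any")) {
		$input_errors[] = gettext("An IPv6 protocol was selected, but the selected interface has no IPv6 address.");
	}

	/* Every mode except shared-key is a TLS mode */
	$tls_mode = ($pconfig['mode'] != "p2p_shared_key");

	if (empty($pconfig['authmode']) && (($pconfig['mode'] == "server_user") || ($pconfig['mode'] == "server_tls_user"))) {
		$input_errors[] = gettext("You must select a Backend for Authentication if the server mode requires User Auth.");
	}

	/* input validation */
	if ($result = openvpn_validate_port($pconfig['local_port'], 'Local port')) {
		$input_errors[] = $result;
	}

	/* field, label, allow multiple, family */
	$cidr_fields = array(
		array('tunnel_network', 'IPv4 Tunnel Network', false, "ipv4"),
		array('tunnel_networkv6', 'IPv6 Tunnel Network', false, "ipv6"),
		array('remote_network', 'IPv4 Remote Network', true, "ipv4"),
		array('remote_networkv6', 'IPv6 Remote Network', true, "ipv6"),
		array('local_network', 'IPv4 Local Network', true, "ipv4"),
		array('local_networkv6', 'IPv6 Local Network', true, "ipv6"),
	);
	foreach ($cidr_fields as $cf) {
		list($field, $label, $multiple, $family) = $cf;
		if ($result = openvpn_validate_cidr($pconfig[$field], $label, $multiple, $family)) {
			$input_errors[] = $result;
		}
	}

	$portused = openvpn_port_used($pconfig['protocol'], $pconfig['interface'], $pconfig['local_port'], $vpnid);
	if (($portused != $vpnid) && ($portused != 0)) {
		$input_errors[] = gettext("The specified 'Local port' is in use. Please select another value");
	}

	if ($pconfig['autokey_enable']) {
		$pconfig['shared_key'] = openvpn_create_key();
	}

	/* Pasted static keys are only checked for the PEM-style markers; the key
	 * body itself is not parsed here. */
	$static_key_begin = "-----BEGIN OpenVPN Static key V1-----";
	$static_key_end = "-----END OpenVPN Static key V1-----";
	if (!$tls_mode && !$pconfig['autokey_enable']) {
		if (!strstr($pconfig['shared_key'], $static_key_begin) || !strstr($pconfig['shared_key'], $static_key_end)) {
			$input_errors[] = gettext("The field 'Shared Key' does not appear to be valid");
		}
	}
	if ($tls_mode && $pconfig['tlsauth_enable'] && !$pconfig['autotls_enable']) {
		if (!strstr($pconfig['tls'], $static_key_begin) || !strstr($pconfig['tls'], $static_key_end)) {
			$input_errors[] = gettext("The field 'TLS Authentication Key' does not appear to be valid");
		}
	}

	/* Pushed server addresses: each one, when filled in, must be a literal IP.
	 * Collected as field => message so the check runs once; order matches the
	 * order the errors were reported in before. */
	$ip_fields = array();
	if ($pconfig['dns_server_enable']) {
		$ip_fields['dns_server1'] = gettext("The field 'DNS Server #1' must contain a valid IP address");
		$ip_fields['dns_server2'] = gettext("The field 'DNS Server #2' must contain a valid IP address");
		$ip_fields['dns_server3'] = gettext("The field 'DNS Server #3' must contain a valid IP address");
		$ip_fields['dns_server4'] = gettext("The field 'DNS Server #4' must contain a valid IP address");
	}
	if ($pconfig['ntp_server_enable']) {
		/* ntp_server3/4 are validated if present, but only #1 and #2 are stored below */
		$ip_fields['ntp_server1'] = gettext("The field 'NTP Server #1' must contain a valid IP address");
		$ip_fields['ntp_server2'] = gettext("The field 'NTP Server #2' must contain a valid IP address");
		$ip_fields['ntp_server3'] = gettext("The field 'NTP Server #3' must contain a valid IP address");
		$ip_fields['ntp_server4'] = gettext("The field 'NTP Server #4' must contain a valid IP address");
	}
	if ($pconfig['netbios_enable']) {
		if ($pconfig['wins_server_enable']) {
			$ip_fields['wins_server1'] = gettext("The field 'WINS Server #1' must contain a valid IP address");
			$ip_fields['wins_server2'] = gettext("The field 'WINS Server #2' must contain a valid IP address");
		}
		if ($pconfig['nbdd_server_enable']) {
			$ip_fields['nbdd_server1'] = gettext("The field 'NetBIOS Data Distribution Server #1' must contain a valid IP address");
		}
	}
	foreach ($ip_fields as $field => $msg) {
		if (!empty($pconfig[$field]) && !is_ipaddr(trim($pconfig[$field]))) {
			$input_errors[] = $msg;
		}
	}

	if ($pconfig['client_mgmt_port_enable']) {
		if ($result = openvpn_validate_port($pconfig['client_mgmt_port'], 'Client management port')) {
			$input_errors[] = $result;
		}
	}

	/* max-clients is an integer directive; is_numeric() would also accept
	 * floats, exponents and negatives, so the integer test is used. */
	if ($pconfig['maxclients'] && !is_numericint($pconfig['maxclients'])) {
		$input_errors[] = gettext("The field 'Concurrent connections' must be numeric.");
	}

	/* If we are not in shared key mode, then we need the CA/Cert. */
	$reqdfields = array();
	$reqdfieldsn = array();
	if ($pconfig['mode'] != "p2p_shared_key") {
		$reqdfields = array('caref', 'certref');
		$reqdfieldsn = array(gettext("Certificate Authority"), gettext("Certificate"));
	} elseif (!$pconfig['autokey_enable']) {
		/* Shared key mode only needs the key filled in when autokey is not selected. */
		$reqdfields = array('shared_key');
		$reqdfieldsn = array(gettext('Shared key'));
	}

	if ($pconfig['dev_mode'] != "tap") {
		$reqdfields[] = 'tunnel_network';
		$reqdfieldsn[] = gettext('Tunnel network');
	} else {
		/* tap mode: bridge settings instead of a tunnel network */
		$bridge_start = $pconfig['serverbridge_dhcp_start'];
		$bridge_end = $pconfig['serverbridge_dhcp_end'];
		if ($pconfig['serverbridge_dhcp'] && $pconfig['tunnel_network']) {
			$input_errors[] = gettext("Using a tunnel network and server bridge settings together is not allowed.");
		}
		if (($bridge_start && !$bridge_end) || (!$bridge_start && $bridge_end)) {
			$input_errors[] = gettext("Server Bridge DHCP Start and End must both be empty, or defined.");
		}
		if ($bridge_start && !is_ipaddrv4($bridge_start)) {
			$input_errors[] = gettext("Server Bridge DHCP Start must be an IPv4 address.");
		}
		if ($bridge_end && !is_ipaddrv4($bridge_end)) {
			$input_errors[] = gettext("Server Bridge DHCP End must be an IPv4 address.");
		}
		if (ip2ulong($bridge_start) > ip2ulong($bridge_end)) {
			$input_errors[] = gettext("The Server Bridge DHCP range is invalid (start higher than end).");
		}
	}

	do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);

	if (!$input_errors) {
		$server = array();

		/* A tun<->tap switch needs the old interface torn down (renamed) so one
		 * of the other type can be created. Tested with isset(): the earlier
		 * "$id &&" form was false for id "0", so the first server never got
		 * its old interface removed. */
		if (isset($id) && isset($a_server[$id]) && $pconfig['dev_mode'] <> $a_server[$id]['dev_mode']) {
			openvpn_delete('server', $a_server[$id]);
		}

		$server['vpnid'] = $vpnid ? $vpnid : openvpn_vpnid_next();

		if ($_POST['disable'] == "yes") {
			$server['disable'] = true;
		}

		$server['mode'] = $pconfig['mode'];
		if (!empty($pconfig['authmode']) && (($pconfig['mode'] == "server_user") || ($pconfig['mode'] == "server_tls_user"))) {
			$server['authmode'] = implode(",", $pconfig['authmode']);
		}
		$server['protocol'] = $pconfig['protocol'];
		$server['dev_mode'] = $pconfig['dev_mode'];
		list($server['interface'], $server['ipaddr']) = explode("|", $pconfig['interface']);
		$server['local_port'] = $pconfig['local_port'];
		$server['description'] = $pconfig['description'];
		/* NOTE(review): custom_options is stored verbatim and (per its name)
		 * presumably emitted into the OpenVPN config, so any directive can be
		 * supplied here. That is the usual design for a firewall admin page,
		 * but it means access to this form is equivalent to running commands
		 * on the box — keep that in mind when granting page privileges. */
		$server['custom_options'] = str_replace("\r\n", "\n", $pconfig['custom_options']);

		if ($tls_mode) {
			if ($pconfig['tlsauth_enable']) {
				if ($pconfig['autotls_enable']) {
					$pconfig['tls'] = openvpn_create_key();
				}
				$server['tls'] = base64_encode($pconfig['tls']);
			}
			/* NOTE(review): caref/crlref/certref, dh_length and cert_depth are
			 * stored as submitted; nothing here checks them against the
			 * configured CAs/certs or the form's option lists. */
			$server['caref'] = $pconfig['caref'];
			$server['crlref'] = $pconfig['crlref'];
			$server['certref'] = $pconfig['certref'];
			$server['dh_length'] = $pconfig['dh_length'];
			$server['cert_depth'] = $pconfig['cert_depth'];
			if ($pconfig['mode'] == "server_tls_user") {
				$server['strictusercn'] = $pconfig['strictusercn'];
			}
		} else {
			$server['shared_key'] = base64_encode($pconfig['shared_key']);
		}

		/* Fields copied through unchanged (insertion order kept stable for config.xml) */
		$plain_fields = array(
			'crypto', 'digest', 'engine', 'tunnel_network', 'tunnel_networkv6',
			'remote_network', 'remote_networkv6', 'gwredir', 'local_network',
			'local_networkv6', 'maxclients', 'compression', 'passtos', 'client2client',
			'dynamic_ip', 'pool_enable', 'topology_subnet', 'serverbridge_dhcp',
			'serverbridge_interface', 'serverbridge_dhcp_start', 'serverbridge_dhcp_end',
		);
		foreach ($plain_fields as $key) {
			$server[$key] = $pconfig[$key];
		}

		if ($pconfig['dns_domain_enable']) {
			$server['dns_domain'] = $pconfig['dns_domain'];
		}
		if ($pconfig['dns_server_enable']) {
			$server['dns_server1'] = $pconfig['dns_server1'];
			$server['dns_server2'] = $pconfig['dns_server2'];
			$server['dns_server3'] = $pconfig['dns_server3'];
			$server['dns_server4'] = $pconfig['dns_server4'];
		}
		if ($pconfig['push_register_dns']) {
			$server['push_register_dns'] = $pconfig['push_register_dns'];
		}
		if ($pconfig['ntp_server_enable']) {
			$server['ntp_server1'] = $pconfig['ntp_server1'];
			$server['ntp_server2'] = $pconfig['ntp_server2'];
		}

		$server['netbios_enable'] = $pconfig['netbios_enable'];
		$server['netbios_ntype'] = $pconfig['netbios_ntype'];
		$server['netbios_scope'] = $pconfig['netbios_scope'];
		$server['no_tun_ipv6'] = $pconfig['no_tun_ipv6'];
		$server['verbosity_level'] = $pconfig['verbosity_level'];

		if ($pconfig['netbios_enable']) {
			if ($pconfig['wins_server_enable']) {
				$server['wins_server1'] = $pconfig['wins_server1'];
				$server['wins_server2'] = $pconfig['wins_server2'];
			}
			/* Keyed on nbdd_server_enable, the same flag the edit loader sets
			 * and the validation above tests; the save path previously keyed
			 * this on dns_server_enable, so the NBDD server was dropped
			 * whenever DNS servers were not also enabled. */
			if ($pconfig['nbdd_server_enable']) {
				$server['nbdd_server1'] = $pconfig['nbdd_server1'];
			}
		}

		if ($pconfig['client_mgmt_port_enable']) {
			$server['client_mgmt_port'] = $pconfig['client_mgmt_port'];
		}
		if ($_POST['duplicate_cn'] == "yes") {
			$server['duplicate_cn'] = true;
		}

		if (isset($id) && !empty($a_server[$id])) {
			$a_server[$id] = $server;
		} else {
			$a_server[] = $server;
		}

		openvpn_resync('server', $server);
		write_config();

		header("Location: vpn_openvpn_server.php");
		exit;
	}

	/* Validation failed: flatten authmode back to the comma list the form expects */
	if (!empty($pconfig['authmode'])) {
		$pconfig['authmode'] = implode(",", $pconfig['authmode']);
	}
}

$pgtitle = array(gettext("OpenVPN"), gettext("Server"));
$shortcut_section = "openvpn";
include("head.inc");
?> ">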
/>  
.


.
onclick="tlsauth_change()" /> .
onclick="autotls_change()" /> .

.
No Certificate Authorities defined.
Create one under System > Cert Manager.
No Certificate Revocation Lists (CRLs) defined.
Create one under System > Cert Manager.
No Certificates defined.
Create one under System > Cert Manager.
onclick="autokey_change()" /> .

.

/>


onchange="tuntap_change()" />



onclick="gwredir_change()" /> .

.

.

.

.

.

.
/> .
/>
/> NOTE: This is not generally recommended, but may be needed for some scenarios."); ?>
/> .
/> .
/>
/>
 

onclick="dns_domain_change()" />
onclick="dns_server_change()" />
#1: 
#2: 
#3: 
#4: 
/>
onclick="ntp_server_change()" />
#1: 
#2: 
onclick="netbios_change()" />
.


.


.
onclick="wins_server_change()" />
#1: 
#2: 
onclick="client_mgmt_port_change()" />


;

.

none -- .
default-4 -- .
5 -- .
6-11 -- .

  " />
" width="17" height="17" border="0" alt="add" />
/

" width="17" height="17" border="0" alt="edit" />   ')"> " width="17" height="17" border="0" alt="delete" />