/* $Id$ */
/*
part of pfSense (http://www.pfsense.org/)
Copyright (C) 2010 Ermal Luçi
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
*/
OpenVPN Remote Access Server Setup Wizard
Total steps: 12. Every step carries the subtitle "OpenVPN Remote Access Server Setup Wizard" and has the page header disabled (on).
Include file for the PHP step actions (all steps except 11): /usr/local/www/wizards/openvpn_wizard.inc

Step 1: OpenVPN Wizard: Authentication Type Selection
  [listtopic] Select an Authentication Backend Type
  [select] Type of Server (authtype), binds ovpnserver->step1->type
      NOTE: If you are unsure, leave this set to "Local User Access."
  [submit] Next
  On submit: step1_submitphpaction();

Step 2: OpenVPN Wizard: LDAP Server Selection
  [listtopic] LDAP Authentication Server List
  [select] LDAP servers (authserv), binds ovpnserver->step2->authserv
  [submit] Add new LDAP server
  [submit] Next
  Before display: step2_stepbeforeformdisplay();
  On submit: step2_submitphpaction();
  Client-side script: enablechange();

Step 3: OpenVPN Wizard: Add LDAP Server
  [listtopic] LDAP Authentication Server Parameters
  [input] Name (name), binds ovpnserver->step2->authtype
      Descriptive server name, for your own reference.
  [input] Hostname or IP address (ip), binds ovpnserver->step2->ip
      Address of the LDAP server.
  [input size=8] Port (port), binds ovpnserver->step2->port
      LDAP server port; leave blank for the default (389 for TCP, 636 for SSL).
  [select] Transport (transport), binds ovpnserver->step2->transport
      The protocol used by your LDAP server. It can be either standard TCP or SSL encrypted.
  [select] Search Scope Level (scope), binds ovpnserver->step2->scope
  [input size=40] Search Scope Base DN (basedn), binds ovpnserver->step2->basedn
  [input size=40] Authentication Containers (authscope), binds ovpnserver->step2->authscope
      Semicolon separated. Each entry is prepended to the search base DN above, or you can specify a full container path.
      EXAMPLE: CN=Users;DC=example
      EXAMPLE: CN=Users,DC=example,DC=com;OU=OtherUsers,DC=example,DC=com
  [input size=20] LDAP Bind User DN (userdn), binds ovpnserver->step2->userdn
      If left blank, an anonymous bind will be done.
  [password size=20] LDAP Bind Password (passdn), binds ovpnserver->step2->passdn
      If a user DN was supplied above, this password will also be used when performing a bind operation.
  [input] User Naming Attribute (nameattr), binds ovpnserver->step2->nameattr
      Typically "cn" (OpenLDAP, Novell eDirectory), "samAccountName" (Microsoft AD)
  [input] Group Naming Attribute (groupattr), binds ovpnserver->step2->groupattr
      Typically "cn" (OpenLDAP, Microsoft AD, and Novell eDirectory)
  [input] Member Naming Attribute (memberattr), binds ovpnserver->step2->memberattr
      Typically "member" (OpenLDAP), "memberOf" (Microsoft AD), "uniqueMember" (Novell eDirectory)
  [submit] Add new Server
  On submit: step3_submitphpaction();
  Client-side script: enablechange();

Step 4: OpenVPN Wizard: RADIUS Server Selection
  [listtopic] RADIUS Authentication Server List
  [select] RADIUS servers (authserv), binds ovpnserver->step2->authserv
  [submit] Add new RADIUS server
  [submit] Next
  Before display: step4_stepbeforeformdisplay();
  On submit: step4_submitphpaction();
  Client-side script: enablechange();

Step 5: OpenVPN Wizard: Add RADIUS Server
  [listtopic] RADIUS Authentication Server Parameters
  [input] Name (name), binds ovpnserver->step2->authtype
      Descriptive name for the RADIUS server, for your reference.
  [input] Hostname or IP address (ip), binds ovpnserver->step2->ip
      Address of the RADIUS server.
  [input size=8] Authentication Port (port), binds ovpnserver->step2->port
      Port used by the RADIUS server for accepting authentication requests, typically 1812.
  [password size=20] Shared Secret (secret), binds ovpnserver->step2->password
  [submit] Add new Server
  On submit: step5_submitphpaction();

Step 6: OpenVPN Wizard: Certificate Authority Selection
  [listtopic] Choose a Certificate Authority (CA)
  [certca_selection] Certificate Authority (certca), binds ovpnserver->step6->authcertca
  [submit] Add new CA
  [submit] Next
  Before display: step6_stepbeforeformdisplay();
  On submit: step6_submitphpaction();

Step 7: OpenVPN Wizard: Add Certificate Authority
  [listtopic] Create a New Certificate Authority (CA) Certificate
  [input] Descriptive name (name), binds ovpnserver->step6->certca
      A name for your reference, to identify this certificate. This is the same as the Common Name field for other certificates.
  [select default=2048] Key length (keylength), binds ovpnserver->step6->keylength
      Size of the key which will be generated. The larger the key, the more security it offers, but larger keys are generally slower to use.
  [input size=10 default=3650] Lifetime (lifetime), binds ovpnserver->step6->lifetime
      Lifetime in days. This is commonly set to 3650 (approximately 10 years).
  [input size=5] Country Code (country), binds ovpnserver->step6->country
      Two-letter ISO country code (e.g. US, AU, CA).
  [input size=30] State or Province (state), binds ovpnserver->step6->state
      Full State or Province name, not abbreviated (e.g. Kentucky, Indiana, Ontario).
  [input size=30] City (city), binds ovpnserver->step6->city
      City or other Locality name (e.g. Louisville, Indianapolis, Toronto).
  [input size=30] Organization (organization), binds ovpnserver->step6->organization
      Organization name, often the Company or Group name.
  [input size=30] E-mail (email), binds ovpnserver->step6->email
      E-mail address for the Certificate contact. Often the e-mail of the person generating the certificate (i.e. you).
  [submit] Add new CA
  On submit: step7_submitphpaction();
  Client-side script: enablechange();

Step 8: OpenVPN Wizard: Server Certificate Selection
  [listtopic] Choose a Server Certificate
  [cert_selection] Certificate (certname), binds ovpnserver->step9->authcertname
  [submit] Add new Certificate
  [submit] Next
  Before display: step8_stepbeforeformdisplay();
  On submit: step8_submitphpaction();

Step 9: OpenVPN Wizard: Add a Server Certificate
  [listtopic] Create a New Server Certificate
  [input] Descriptive name (name), binds ovpnserver->step9->certname
      A name for your reference, to identify this certificate. This is also known as the certificate's "Common Name."
  [select default=2048] Key length (keylength), binds ovpnserver->step9->keylength
  [input size=10 default=3650] Lifetime (lifetime), binds ovpnserver->step9->lifetime
  [input size=5] Country Code (country), binds ovpnserver->step9->country
  [input size=30] State or Province (state), binds ovpnserver->step9->state
  [input size=30] City (city), binds ovpnserver->step9->city
  [input size=30] Organization (organization), binds ovpnserver->step9->organization
  [input size=30] E-mail (email), binds ovpnserver->step9->email
      (help texts for Key length through E-mail are identical to step 7)
  [submit] Create new Certificate
  Before display: step9_stepbeforeformdisplay();
  On submit: step9_submitphpaction();

Step 10: OpenVPN Wizard: Server Setup
  [listtopic] General OpenVPN Server Information
  [interfaces_selection] Interface (interface), binds ovpnserver->step10->interface
      The interface where OpenVPN will listen for incoming connections (typically WAN).
  [select] Protocol, binds ovpnserver->step10->protocol
      Protocol to use for OpenVPN connections. If you are unsure, leave this set to UDP.
  [input size=10] Local Port (localport), binds ovpnserver->step10->localport
      Local port on which OpenVPN will listen for connections. The default port is 1194. Leave this blank unless you need to use a different port.
  [input size=30] Description (description), binds ovpnserver->step10->descr
      A name for this OpenVPN instance, for your reference. It can be set however you like, but is often used to distinguish the purpose of the service (e.g. "Remote Technical Staff").
  [listtopic] Cryptographic Settings
  [checkbox default=on] TLS Authentication, binds ovpnserver->step10->tlsauth
      Enable authentication of TLS packets.
  [checkbox default=on] Generate TLS Key (generatetlskey), enables tlssharedkey, binds ovpnserver->step10->gentlskey
      Automatically generate a shared TLS authentication key.
  [textarea 30x5] TLS Shared Key (tlssharedkey), binds ovpnserver->step10->tlskey
      Paste in a shared TLS key if one has already been generated.
  [select] DH Parameters Length (dhparameters), binds ovpnserver->step10->dhkey
      Length of the Diffie-Hellman (DH) key exchange parameters, used for establishing a secure communications channel. As with other such settings, larger values are more secure, but may be slower in operation.
  [select] Encryption Algorithm (crypto), binds ovpnserver->step10->crypto
      The method used to encrypt traffic between endpoints. This setting must match on the client and server side, but is otherwise set however you like. Certain algorithms will perform better on different hardware, depending on the availability of supported VPN accelerator chips.
  [listtopic] Tunnel Settings
  [input size=20] Tunnel Network (tunnelnet), binds ovpnserver->step10->tunnelnet
      This is the virtual network used for private communications between this server and client hosts, expressed in CIDR notation (e.g. 10.0.8.0/24). The first network address will be assigned to the server virtual interface. The remaining network addresses can optionally be assigned to connecting clients (see Address Pool).
  [checkbox] Redirect Gateway (redirectgw), binds ovpnserver->step10->rdrgw
      Force all client-generated traffic through the tunnel.
  [input size=20] Local Network (localnet), binds ovpnserver->step10->localnet
      This is the network that will be accessible from the remote endpoint, expressed as a CIDR range. You may leave this blank if you don't want to add a route to the local network through this tunnel on the remote machine. This is generally set to your LAN network.
  [input size=20] Remote Network (remotenet), binds ovpnserver->step10->remotenet
      This is a network that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a CIDR range. If this is a site-to-site VPN, enter the remote LAN here. You may leave this blank if you don't want a site-to-site VPN.
  [input size=10] Concurrent Connections (concurrentcon), binds ovpnserver->step10->concurrentcon
      Specify the maximum number of clients allowed to connect to this server concurrently.
  [checkbox] Compression (compression), binds ovpnserver->step10->compression
      Compress tunnel packets using the LZO algorithm.
  [checkbox] Type-of-Service (tos), binds ovpnserver->step10->tos
      Set the TOS IP header value of tunnel packets to match the encapsulated packet value.
  [checkbox] Inter-Client Communication (interclient), binds ovpnserver->step10->interclient
      Allow communication between clients connected to this server.
  [listtopic] Client Settings
  [checkbox default=on] Dynamic IP (dynip), binds ovpnserver->step10->dynip
      Allow connected clients to retain their connections if their IP address changes.
  [checkbox default=on] Address Pool (addrpool), binds ovpnserver->step10->addrpool
      Provide a virtual adapter IP address to clients (see Tunnel Network).
  [input] DNS Default Domain (defaultdomain), binds ovpnserver->step10->defaultdomain
      Provide a default domain name to clients.
  [input] DNS Server 1 (dnsserver1), binds ovpnserver->step10->dns1
  [input] DNS Server 2 (dnserver2), binds ovpnserver->step10->dns2
  [input] DNS Server 3 (dnserver3), binds ovpnserver->step10->dns3
  [input] DNS Server 4 (dnserver4), binds ovpnserver->step10->dns4
      DNS server to provide for connecting client systems.
  [input] NTP Server (ntpserver1), binds ovpnserver->step10->ntp1
  [input] NTP Server 2 (ntpserver2), binds ovpnserver->step10->ntp2
      Network Time Protocol server to provide for connecting client systems.
  [checkbox] NetBIOS Options (nbtenable)
      Enable NetBIOS over TCP/IP. If this option is not set, all NetBIOS-over-TCP/IP options (including WINS) will be disabled.
  [select] NetBIOS Node Type (nbttype), binds ovpnserver->step10->nbttype
      Possible options: b-node (broadcasts), p-node (point-to-point name queries to a WINS server), m-node (broadcast, then query the name server), and h-node (query the name server, then broadcast).
  [input] NetBIOS Scope ID (nbtscope), binds ovpnserver->step10->nbtscope
      A NetBIOS Scope ID provides an extended naming service for NetBIOS over TCP/IP. The NetBIOS scope ID isolates NetBIOS traffic on a single network to only those nodes with the same NetBIOS scope ID.
  [input] WINS Server 1 (winsserver1), binds ovpnserver->step10->wins1
  [input] WINS Server 2 (winsserver2), binds ovpnserver->step10->wins2
      A Windows Internet Name Service (WINS) server to provide for connecting clients, which allows them to browse Windows shares. This is typically an Active Directory Domain Controller, a designated WINS server, or a Samba server.
  [textarea 30x5] Advanced, binds ovpnserver->step10->advanced
      Enter any additional options you would like to add to the OpenVPN server configuration here, separated by a semicolon. EXAMPLE: push "route 10.0.0.0 255.255.255.0"
  [submit] Next
  Before display: step10_stepbeforeformdisplay();
  On submit: step10_submitphpaction();

Step 11: OpenVPN Wizard: Firewall Rule Configuration
  [listtopic] Firewall Rule Configuration
  [text] Firewall rules control what network traffic is permitted. You must add rules to allow traffic to the OpenVPN server's IP and port, as well as to allow traffic from connected clients through the tunnel. These rules can be automatically added here, or configured manually after completing the wizard.
  [listtopic] Traffic from clients to server
  [checkbox] Firewall Rule (ovpnrule), binds ovpnserver->step11->ovpnrule
      Add a rule to permit traffic from clients on the Internet to the OpenVPN server process.
  [listtopic] Traffic from clients through VPN
  [checkbox] OpenVPN rule (ovpnallow), binds ovpnserver->step11->ovpnallow
      Add a rule to allow all traffic from connected clients to pass across the VPN tunnel.
  [submit] Next

Step 12: OpenVPN Wizard: Finished!
  [listtopic] Configuration Complete!
  [text] Your configuration is now complete.
  [text] To be able to export client configurations, browse to System->Packages and install the OpenVPN Client Export package.
  [submit] Finish
  On submit: step12_submitphpaction();
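The help text of the "Add LDAP Server" step (step 3) states three rules: a blank Port defaults to 389 for TCP or 636 for SSL, a blank Bind User DN means an anonymous bind, and each semicolon-separated Authentication Container is either prepended to the base DN or taken as a full container path. The Python below is an added example, not pfSense code, that applies those rules to a constructed server definition. The test it uses for "already a full path" (the entry ends with the base DN), the hostname, and the bind credentials are assumptions; the RFC 4515 escaping of the login name before it goes into the search filter is general LDAP hygiene that the wizard text does not mention.

```python
from dataclasses import dataclass


@dataclass
class LdapServer:
    """Values collected by the wizard's "Add LDAP Server" step (names as in the wizard)."""
    ip: str
    transport: str = "tcp"   # Transport select: "tcp" or "ssl"
    port: str = ""           # blank means the protocol default
    basedn: str = ""         # Search Scope Base DN
    authscope: str = ""      # Authentication Containers, semicolon separated
    userdn: str = ""         # LDAP Bind User DN; blank means anonymous bind
    passdn: str = ""         # LDAP Bind Password
    nameattr: str = "cn"     # User Naming Attribute ("samAccountName" on AD)


def server_uri(s: LdapServer) -> str:
    """A blank Port means 389 for plain TCP and 636 for SSL, as the Port field says."""
    if s.transport.lower() == "ssl":
        return f"ldaps://{s.ip}:{s.port or 636}"
    return f"ldap://{s.ip}:{s.port or 389}"


def resolve_containers(s: LdapServer) -> list[str]:
    """Expand Authentication Containers into the search bases to query.

    Assumption (not pfSense's rule): an entry that already ends with the
    base DN is a full container path and is used as-is; anything else is
    prepended to the base DN, as the field's help text describes.
    """
    base = s.basedn.strip()
    bases = []
    for raw in s.authscope.split(";"):
        entry = raw.strip()
        if not entry:
            continue
        if base and not entry.lower().endswith(base.lower()):
            entry = f"{entry},{base}"
        bases.append(entry)
    return bases


def bind_credentials(s: LdapServer) -> tuple[str, str]:
    """Empty DN and password mean an anonymous bind."""
    dn = s.userdn.strip()
    return (dn, s.passdn) if dn else ("", "")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a login name must not be able to rewrite the filter."""
    return "".join(f"\\{ord(c):02x}" if c in '*()\\\x00' else c for c in value)


def user_filter(s: LdapServer, username: str) -> str:
    """Search filter selecting the login by the configured User Naming Attribute."""
    return f"({s.nameattr}={escape_filter_value(username)})"


if __name__ == "__main__":
    # Constructed sample matching the field's second EXAMPLE line (values assumed).
    srv = LdapServer(ip="ldap.example.com", transport="ssl",
                     basedn="DC=example,DC=com",
                     authscope="CN=Users;OU=OtherUsers,DC=example,DC=com",
                     userdn="CN=svc-openvpn,CN=Users,DC=example,DC=com",
                     passdn="bind-secret", nameattr="samAccountName")
    print(server_uri(srv))
    for base in resolve_containers(srv):
        print("search base:", base)
    print(user_filter(srv, "alice"))
    print(user_filter(srv, "*)(objectClass=*"))  # injection attempt, rendered inert
```

With Transport left at TCP, the bind DN and password entered in this step travel in the clear on port 389 on every login, so SSL is the right choice unless the LDAP server sits on a trusted segment.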
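The "Server Setup" step (step 10) describes, in its help texts, how the tunnel network is carved up (first address to the server, the rest to clients), that the Local Network is a route pushed to clients while the Remote Network is routed through the tunnel on the server side, and that the Advanced box takes extra directives separated by semicolons. The Python below is an added example, not pfSense's generator, that turns a constructed set of step-10 values into OpenVPN server directives. The directive mapping, the cipher value, and the file names for the DH parameters and TLS key are assumptions; it also rejects a tunnel network that overlaps the local or remote LAN, a check the wizard text does not mention, and keeps a semicolon inside a quoted push option from splitting the line.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ServerSetup:
    """Values from the wizard's Server Setup step; attribute names follow the wizard fields."""
    protocol: str = "udp"             # Protocol: udp or tcp
    localport: str = ""               # Local Port; blank means 1194
    tunnelnet: str = "10.0.8.0/24"    # Tunnel Network, CIDR
    localnet: str = ""                # Local Network pushed to clients, CIDR
    remotenet: str = ""               # Remote Network for site-to-site, CIDR
    rdrgw: bool = False               # Redirect Gateway
    concurrentcon: str = ""           # Concurrent Connections
    compression: bool = False         # Compression (LZO)
    tos: bool = False                 # Type-of-Service
    interclient: bool = False         # Inter-Client Communication
    dynip: bool = True                # Dynamic IP
    defaultdomain: str = ""           # DNS Default Domain
    dns: list = field(default_factory=list)   # DNS Server 1..4
    ntp: list = field(default_factory=list)   # NTP Server 1..2
    tlsauth: bool = True              # TLS Authentication
    dhkey: int = 2048                 # DH Parameters Length
    crypto: str = "AES-256-CBC"       # Encryption Algorithm (value assumed)
    advanced: str = ""                # Advanced: directives separated by ';'


def net_and_mask(cidr: str) -> str:
    """OpenVPN directives take 'network netmask' rather than CIDR."""
    n = ipaddress.ip_network(cidr, strict=True)
    return f"{n.network_address} {n.netmask}"


def tunnel_addresses(tunnelnet: str) -> tuple[str, str, str]:
    """Server address and the client pool range implied by the Tunnel Network text."""
    hosts = list(ipaddress.ip_network(tunnelnet, strict=True).hosts())
    if len(hosts) < 2:
        raise ValueError("tunnel network needs room for the server and one client")
    return str(hosts[0]), str(hosts[1]), str(hosts[-1])


def check_no_overlap(s: ServerSetup) -> None:
    """A tunnel network overlapping the local or remote LAN gives ambiguous routes."""
    tun = ipaddress.ip_network(s.tunnelnet, strict=True)
    for name in ("localnet", "remotenet"):
        cidr = getattr(s, name)
        if cidr and ipaddress.ip_network(cidr, strict=True).overlaps(tun):
            raise ValueError(f"{name} {cidr} overlaps tunnel network {s.tunnelnet}")


def split_advanced(advanced: str) -> list[str]:
    """Split the Advanced box on semicolons, ignoring semicolons inside double quotes."""
    lines, cur, quoted = [], [], False
    for ch in advanced:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            lines.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    lines.append("".join(cur).strip())
    return [ln for ln in lines if ln]


def render_server_conf(s: ServerSetup) -> list[str]:
    """Render the step's settings as OpenVPN server directives (mapping is an assumption)."""
    check_no_overlap(s)
    conf = [
        "dev tun",
        f"proto {'tcp-server' if s.protocol == 'tcp' else 'udp'}",
        f"port {s.localport or 1194}",
        f"server {net_and_mask(s.tunnelnet)}",   # first host to the server, rest to clients
        f"cipher {s.crypto}",
        f"dh dh{s.dhkey}.pem",                   # file name assumed
    ]
    if s.tlsauth:
        conf.append("tls-auth ta.key 0")         # key file name assumed
    if s.localnet:
        conf.append(f'push "route {net_and_mask(s.localnet)}"')
    if s.remotenet:  # server-side route; the site-to-site peer also needs an iroute
        conf.append(f"route {net_and_mask(s.remotenet)}")
    if s.rdrgw:
        conf.append('push "redirect-gateway def1"')
    if s.concurrentcon:
        conf.append(f"max-clients {int(s.concurrentcon)}")
    if s.compression:
        conf.append("comp-lzo")
    if s.tos:
        conf.append("passtos")
    if s.interclient:
        conf.append("client-to-client")
    if s.dynip:
        conf.append("float")
    if s.defaultdomain:
        conf.append(f'push "dhcp-option DOMAIN {s.defaultdomain}"')
    conf += [f'push "dhcp-option DNS {a}"' for a in s.dns]
    conf += [f'push "dhcp-option NTP {a}"' for a in s.ntp]
    conf += split_advanced(s.advanced)
    return conf


if __name__ == "__main__":
    # Constructed sample: remote-access server pushing the LAN and one DNS server.
    setup = ServerSetup(localnet="192.168.1.0/24", dns=["192.168.1.1"], concurrentcon="20",
                        advanced='push "route 10.0.0.0 255.255.255.0";keepalive 10 60')
    print("server %s, client pool %s-%s" % tunnel_addresses(setup.tunnelnet))
    print("\n".join(render_server_conf(setup)))
```

Note that Redirect Gateway and Local Network are both client-side pushes and only make sense with the step-11 rule that lets client traffic pass across the tunnel; the Remote Network route is server-side and, for a site-to-site peer, still needs a matching client-specific iroute that this example does not generate.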