###
use CGI;
use CGI qw/:standard/;
+use Imager::QRCode;
+use MIME::Base32;
+use MIME::Base64;
use Net::DNS;
use Net::Ping;
use Net::Telnet;
require "${General::swroot}/location-functions.pl";
# enable only the following on debugging purpose
-use warnings;
-use CGI::Carp 'fatalsToBrowser';
+#use warnings;
+#use CGI::Carp 'fatalsToBrowser';
+
#workaround to suppress a warning when a variable is used only once
my @dummy = ( ${Header::colourgreen}, ${Header::colourblue} );
undef (@dummy);
}
print CONF "tls-verify /usr/lib/openvpn/verify\n";
print CONF "crl-verify /var/ipfire/ovpn/crls/cacrl.pem\n";
- print CONF "auth-user-pass-verify \"/usr/lib/openvpn/otp-verify\" via-file\n";
print CONF "auth-user-pass-optional\n";
print CONF "reneg-sec 86400\n";
print CONF "user nobody\n";
print CONF "# Log clients connecting/disconnecting\n";
print CONF "client-connect \"/usr/sbin/openvpn-metrics client-connect\"\n";
print CONF "client-disconnect \"/usr/sbin/openvpn-metrics client-disconnect\"\n";
+ print CONF "\n";
+
+ print CONF "# Enable Management Socket\n";
+ print CONF "management /var/run/openvpn.sock unix\n";
+ print CONF "management-client-auth\n";
# Print server.conf.local if entries exist to server.conf
if ( !-z $local_serverconf && $sovpnsettings{'ADDITIONAL_CONFIGS'} eq 'on') {
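Review bot: The management socket written at the two new lines before the comment block is not restricted to a particular peer: with `management-client-auth` every client connection is approved or denied by whatever process connects to `/var/run/openvpn.sock`, so access to that socket now decides authentication, and nothing in this hunk limits it beyond the default permissions of the socket file. Because the daemon starts as root and only later drops to `user nobody`, OpenVPN's `management-client-user` / `management-client-group` options apply here; I would add `print CONF "management-client-user <verifier-account>\n";` (placeholder for the account running the OTP verifier) next to the `management` line. With `auth-user-pass-verify` removed, authentication also depends entirely on a management client being attached — as far as I can tell, clients cannot complete authentication while nothing is connected — which is presumably handled by a verifier outside this hunk and deserves a comment saying so. The enclosing block starts outside this hunk.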
if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' ) {
print CLIENTCONF "fragment $vpnsettings{'FRAGMENT'}\r\n";
}
- if ($confighash{$cgiparams{'KEY'}}[43] eq 'on') {
- print CLIENTCONF "auth-nocache\r\n";
- print CLIENTCONF "auth-user-pass credentials\r\n";
- print CLIENTCONF "static-challenge \"One Time Password (OTP): \" 1\r\n";
- open(CLIENTCREDS, ">$tempdir/credentials") or die "Unable to open tempfile: $!";
- print CLIENTCREDS "user\r\n";
- print CLIENTCREDS "password";
- close(CLIENTCREDS);
- $zip->addFile( "$tempdir/credentials", "credentials") or die "Can't add file credentials\n";
- }
+ # Disable storing any credentials in memory
+ print CLIENTCONF "auth-nocache\r\n";
+
+ # Set a fake user name for authentication
+ print CLIENTCONF "auth-token-user USER\r\n";
+ print CLIENTCONF "auth-token TOTP\r\n";
+
+ # If the server is asking for TOTP this needs to happen interactively
+ print CLIENTCONF "auth-retry interact\r\n";
if ($include_certs) {
print CLIENTCONF "\r\n";
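Review bot: The `auth-token-user USER` line passes a literal where OpenVPN, as far as I recall its manual, expects a base64-encoded user name (the argument is documented as `base64username` and is decoded by the client), so the client would decode `USER` into an arbitrary byte string rather than send the name `USER`; either encode it — `print CLIENTCONF "auth-token-user " . MIME::Base64::encode_base64("USER", "") . "\r\n";` (the file already loads MIME::Base64) — or add a comment explaining why the raw form is intended. The per-client guard on field 43 that the removed block carried is gone, so `auth-nocache`, the token lines and `auth-retry interact` now go into every generated client package, including connections without OTP enabled; if that is deliberate because the server now authenticates all clients through the management socket, a one-line comment stating it would save the next reader from re-adding the condition. The enclosing function starts and ends outside this hunk.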
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show otp qrcode'}) {
&General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
- use MIME::Base32;
- use MIME::Base64;
- use Imager::QRCode;
my $qrcode = Imager::QRCode->new(
size => 6,
margin => 0,
$confighash{$key}[42] = 'HOTP/T30/6';
$confighash{$key}[43] = $cgiparams{'OTP_STATE'};
- if (($confighash{$key}[43] == 'on') && ($confighash{$key}[44] == '')) {
+ if (($confighash{$key}[43] eq 'on') && ($confighash{$key}[44] eq '')) {
my @otp_secret = &General::system_output("/usr/bin/openssl", "rand", "-hex", "20");
$confighash{$key}[44] = $otp_secret[0];
- } elsif ($confighash{$key}[43] == '') {
+ } elsif ($confighash{$key}[43] eq '') {
$confighash{$key}[44] = '';
}