ovpnmain.cgi: Fixes Bug#13137 - Existing n2n client connection created with openssl...
6e13d0a5 1#!/usr/bin/perl
2###############################################################################
3# #
4# IPFire.org - A linux based firewall #
a201764e 5# Copyright (C) 2007-2023 IPFire Team <info@ipfire.org> #
6# #
7# This program is free software: you can redistribute it and/or modify #
8# it under the terms of the GNU General Public License as published by #
9# the Free Software Foundation, either version 3 of the License, or #
10# (at your option) any later version. #
11# #
12# This program is distributed in the hope that it will be useful, #
13# but WITHOUT ANY WARRANTY; without even the implied warranty of #
14# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15# GNU General Public License for more details. #
16# #
17# You should have received a copy of the GNU General Public License #
18# along with this program. If not, see <http://www.gnu.org/licenses/>. #
19# #
20###############################################################################
818dde8e 21
22use CGI;
23use CGI qw/:standard/;
24use Imager::QRCode;
25use MIME::Base32;
26use MIME::Base64;
3740b7ad 27use URI::Encode qw(uri_encode uri_decode);;
6e13d0a5 28use Net::DNS;
ce9abb66 29use Net::Ping;
54fd0535 30use Net::Telnet;
31use File::Copy;
32use File::Temp qw/ tempfile tempdir /;
33use strict;
34use Archive::Zip qw(:ERROR_CODES :CONSTANTS);
eff2dbf8 35use Sort::Naturally;
498134e5 36use Date::Parse;
6e13d0a5 37require '/var/ipfire/general-functions.pl';
38require "${General::swroot}/lang.pl";
39require "${General::swroot}/header.pl";
40require "${General::swroot}/countries.pl";
e2e270e1 41require "${General::swroot}/location-functions.pl";
42
43# enable only the following on debugging purpose
44#use warnings;
45#use CGI::Carp 'fatalsToBrowser';
46
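#workaround to suppress a warning when a variable is used only once
my @dummy = ( ${Header::colourgreen}, ${Header::colourblue} );
undef (@dummy);

my %color = ();
my %mainsettings = ();
&General::readhash("${General::swroot}/main/settings", \%mainsettings);
&General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color);

###
### Initialize variables
###
my %ccdconfhash=();
my %ccdroutehash=();
my %ccdroute2hash=();
my %netsettings=();
my %cgiparams=();
my %vpnsettings=();
my %checked=();
my %confighash=();
my %cahash=();
my %selected=();
my $warnmessage = '';
my $errormessage = '';
# Filled by &pkiconfigcheck: a fatal PKI problem (MD5 signed server
# certificate) and a non-fatal one (server certificate without the
# TLS Web Server Authentication extended key usage).
my $cryptoerror = '';
my $cryptowarning = '';
my %settings=();
my $routes_push_file = '';
my $confighost="${General::swroot}/fwhosts/customhosts";
my $configgrp="${General::swroot}/fwhosts/customgroups";
my $customnet="${General::swroot}/fwhosts/customnetworks";
my $name;
my $col="";
# Optional operator-supplied directives that get appended to the
# generated server and client configurations.
my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local";
my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local";
my $dhparameter = "/etc/ssl/ffdhe4096.pem";

&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);

# Defaults for the CGI parameters; the submitted form values read by
# &Header::getcgihash below override them.
$cgiparams{'ENABLED'} = 'off';
$cgiparams{'ENABLED_BLUE'} = 'off';
$cgiparams{'ENABLED_ORANGE'} = 'off';
$cgiparams{'EDIT_ADVANCED'} = 'off';
$cgiparams{'NAT'} = 'off';
$cgiparams{'COMPRESSION'} = 'off';
$cgiparams{'ONLY_PROPOSED'} = 'off';
$cgiparams{'ACTION'} = '';
$cgiparams{'CA_NAME'} = '';
$cgiparams{'DHCP_DOMAIN'} = '';
$cgiparams{'DHCP_DNS'} = '';
$cgiparams{'DHCP_WINS'} = '';
$cgiparams{'ROUTES_PUSH'} = '';
$cgiparams{'DCOMPLZO'} = 'off';
$cgiparams{'MSSFIX'} = '';
$cgiparams{'number'} = '';
$cgiparams{'DCIPHER'} = '';
$cgiparams{'DAUTH'} = '';
$cgiparams{'TLSAUTH'} = '';
$routes_push_file = "${General::swroot}/ovpn/routes_push";

# Perform crypto and configuration test
&pkiconfigcheck();

# Add the CCD files and the additional config files if not already present.
# A missing file is created empty; an existing file is left untouched.
foreach my $file (
    $routes_push_file,
    "${General::swroot}/ovpn/ccd.conf",
    "${General::swroot}/ovpn/ccdroute",
    "${General::swroot}/ovpn/ccdroute2",
    $local_serverconf,
    $local_clientconf,
) {
    next if -e $file;
    # Three-argument open with a lexical handle: the mode is fixed by the
    # code and cannot be influenced by the file name.
    if (open(my $fh, '>', $file)) {
        close($fh);
    } else {
        warn "Unable to create $file: $!";
    }
}

&Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});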
136
137# prepare openvpn config file
138###
139### Useful functions
140###
# Returns 1 when the network configuration includes an orange network
# (network config types 2 and 4), 0 otherwise.
sub haveOrangeNet
{
    my $type = $netsettings{'CONFIG_TYPE'};
    return ($type == 2 || $type == 4) ? 1 : 0;
}
147
# Returns 1 when the network configuration includes a blue network
# (network config types 3 and 4), 0 otherwise.
sub haveBlueNet
{
    my $type = $netsettings{'CONFIG_TYPE'};
    return ($type == 3 || $type == 4) ? 1 : 0;
}
154
# Format a byte count as a human readable string ("1.5 KB").
# The value is divided by 1024 until it is below 1024 (or the largest
# unit, EB, is reached) and rounded to two decimals.
sub sizeformat{
    my ($size) = @_;
    my @units = ("Bytes","KB","MB","GB","TB","PB","EB");
    my $unit = 0;

    while (abs($size) >= 1024 && $unit < $#units) {
        $size = $size / 1024;
        $unit++;
    }

    my $rounded = int($size * 100 + 0.5) / 100;
    return "$rounded $units[$unit]";
}
169
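# Reset the OpenSSL CA database: the serial counter is set back to "01",
# the index files are truncated and the backup copies (plus the first
# issued certificate 01.pem) are removed.  Files that cannot be opened
# are skipped silently, as before.
sub cleanssldatabase
{
    my $certdir = "${General::swroot}/ovpn/certs";

    # Three-argument open with lexical handles so the mode cannot be
    # influenced by the path.
    if (open(my $serial, '>', "$certdir/serial")) {
        print $serial "01";
        close($serial);
    }
    # Opening for writing truncates the index files to zero length.
    foreach my $index ("$certdir/index.txt", "$certdir/index.txt.attr") {
        if (open(my $fh, '>', $index)) {
            close($fh);
        }
    }
    unlink ("$certdir/index.txt.old");
    unlink ("$certdir/index.txt.attr.old");
    unlink ("$certdir/serial.old");
    unlink ("$certdir/01.pem");
}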
189
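# Ensure the OpenSSL CA database exists without touching existing
# content: the serial counter is seeded with "01" only when the file is
# missing or empty, the index files are created only when missing or
# empty, and the backup copies are removed.
sub newcleanssldatabase
{
    my $certdir = "${General::swroot}/ovpn/certs";

    # Path and mode are separate arguments, so "/ovpn" is spelled once and
    # the -s test sees the real file name rather than a ">"-prefixed one.
    my $serial = "$certdir/serial";
    if (! -s $serial) {
        if (open(my $fh, '>', $serial)) {
            print $fh "01";
            close($fh);
        } else {
            warn "Unable to open $serial: $!";
        }
    }
    foreach my $index ("$certdir/index.txt", "$certdir/index.txt.attr") {
        if (! -s $index) {
            &General::system("touch", $index);
        }
    }
    unlink ("$certdir/index.txt.old");
    unlink ("$certdir/index.txt.attr.old");
    unlink ("$certdir/serial.old");
}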
207
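# Remove the certificate whose hex serial is recorded in serial.old
# (the serial of the certificate issued last).
sub deletebackupcert
{
    my $certdir = "${General::swroot}/ovpn/certs";

    if (open(my $fh, '<', "$certdir/serial.old")) {
        my $hexvalue = <$fh>;
        close($fh);
        chomp($hexvalue) if defined $hexvalue;
        # The serial becomes part of a file name, so only a plain hex
        # string is accepted; an empty line or anything else is ignored
        # instead of being spliced into the path.
        if (defined $hexvalue && $hexvalue =~ /\A[0-9A-Fa-f]+\z/) {
            unlink ("$certdir/$hexvalue.pem");
        }
    }
}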
4c962356 217
218###
219### Check for PKI and configure problems
220###
221
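# Check the server certificate for known PKI problems and set the
# file-level $cryptoerror / $cryptowarning messages accordingly.
# Nothing is checked when no server certificate exists yet.
sub pkiconfigcheck
{
    my $servercert = "${General::swroot}/ovpn/certs/servercert.pem";
    return unless -f $servercert;

    # Both checks inspect the same certificate text; run openssl once.
    my @certtext = &General::system_output("/usr/bin/openssl", "x509", "-noout", "-text", "-in", $servercert);

    # Error if md5 is in usage as signature hash
    if (grep(/md5WithRSAEncryption/, @certtext)) {
        $cryptoerror = "$Lang::tr{'ovpn error md5'}";
    }

    # Warning if certificate is not compliant to RFC3280 TLS rules
    # (missing TLS Web Server Authentication extended key usage)
    if (!grep(/TLS Web Server Authentication/, @certtext)) {
        $cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}";
    }
    return;
}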
246
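# Regenerate ${General::swroot}/ovpn/server.conf from the stored OpenVPN
# settings, the pushed-routes file and the CCD network/route files.
# Dies when server.conf cannot be opened for writing.
sub writeserverconf {
    my %sovpnsettings = ();
    &General::readhash("${General::swroot}/ovpn/settings", \%sovpnsettings);
    # Fills $vpnsettings{'ROUTES_PUSH'} from the routes_push file.
    &read_routepushfile();

    my $serverconf = "${General::swroot}/ovpn/server.conf";
    open(my $conf, '>', $serverconf) or die "Unable to open $serverconf: $!";
    flock($conf, 2);  # LOCK_EX
    print $conf "#OpenVPN Server conf\n";
    print $conf "\n";
    print $conf "daemon openvpnserver\n";
    print $conf "writepid /var/run/openvpn.pid\n";
    print $conf "#DAN prepare OpenVPN for listening on blue and orange\n";
    print $conf ";local $sovpnsettings{'VPN_IP'}\n";
    print $conf "dev tun\n";
    print $conf "proto $sovpnsettings{'DPROTOCOL'}\n";
    print $conf "port $sovpnsettings{'DDEST_PORT'}\n";
    print $conf "script-security 3\n";
    print $conf "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\n";
    print $conf "client-config-dir /var/ipfire/ovpn/ccd\n";
    print $conf "tls-server\n";
    print $conf "ca ${General::swroot}/ovpn/ca/cacert.pem\n";
    print $conf "cert ${General::swroot}/ovpn/certs/servercert.pem\n";
    print $conf "key ${General::swroot}/ovpn/certs/serverkey.pem\n";
    print $conf "dh $dhparameter\n";
    # DOVPN_SUBNET is stored as "network/netmask".
    my @tempovpnsubnet = split("\/",$sovpnsettings{'DOVPN_SUBNET'});
    print $conf "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n";
    #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n";

    print $conf "tun-mtu $sovpnsettings{'DMTU'}\n";

    # Routes pushed to all clients, one "ip/cidr" per line.
    if ($vpnsettings{'ROUTES_PUSH'} ne '') {
        foreach my $route (split(/\n/, $vpnsettings{'ROUTES_PUSH'})) {
            my ($net, $mask) = split("\/", &General::ipcidr2msk($route));
            print $conf "push \"route $net $mask\"\n";
        }
    }

    # a.marx ccd: server-side routes for the CCD networks and the routes
    # assigned to individual CCD hosts.
    my %ccdconfhash=();
    &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
    foreach my $key (keys %ccdconfhash) {
        my ($net, $prefix) = split (/\//, $ccdconfhash{$key}[1]);
        print $conf "route $net " . &General::cidrtosub($prefix) . "\n";
    }
    my %ccdroutehash=();
    &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
    foreach my $key (keys %ccdroutehash) {
        # Field 0 is the host name; the routes follow from field 1 on.
        foreach my $i ( 1 .. $#{$ccdroutehash{$key}}){
            my ($net, $mask) = split (/\//,$ccdroutehash{$key}[$i]);
            print $conf "route $net $mask\n";
        }
    }
    # ccd end

    if ($sovpnsettings{CLIENT2CLIENT} eq 'on') {
        print $conf "client-to-client\n";
    }
    if ($sovpnsettings{MSSFIX} eq 'on') {
        print $conf "mssfix\n";
    } else {
        print $conf "mssfix 0\n";
    }
    # Fragmentation only makes sense for UDP.
    if ($sovpnsettings{FRAGMENT} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp') {
        print $conf "fragment $sovpnsettings{'FRAGMENT'}\n";
    }

    if ($sovpnsettings{KEEPALIVE_1} > 0 && $sovpnsettings{KEEPALIVE_2} > 0) {
        print $conf "keepalive $sovpnsettings{'KEEPALIVE_1'} $sovpnsettings{'KEEPALIVE_2'}\n";
    }
    print $conf "status-version 1\n";
    print $conf "status /var/run/ovpnserver.log 30\n";
    print $conf "ncp-disable\n";
    print $conf "cipher $sovpnsettings{DCIPHER}\n";
    print $conf "auth $sovpnsettings{'DAUTH'}\n";
    # Set TLSv2 as minimum
    print $conf "tls-version-min 1.2\n";

    if ($sovpnsettings{'TLSAUTH'} eq 'on') {
        print $conf "tls-auth ${General::swroot}/ovpn/certs/ta.key\n";
    }
    if ($sovpnsettings{DCOMPLZO} eq 'on') {
        print $conf "comp-lzo\n";
    }
    if ($sovpnsettings{REDIRECT_GW_DEF1} eq 'on') {
        print $conf "push \"redirect-gateway def1\"\n";
    }
    # The DHCP options are validated when saved (save-adv-options).
    if ($sovpnsettings{DHCP_DOMAIN} ne '') {
        print $conf "push \"dhcp-option DOMAIN $sovpnsettings{DHCP_DOMAIN}\"\n";
    }

    if ($sovpnsettings{DHCP_DNS} ne '') {
        print $conf "push \"dhcp-option DNS $sovpnsettings{DHCP_DNS}\"\n";
    }

    if ($sovpnsettings{DHCP_WINS} ne '') {
        print $conf "push \"dhcp-option WINS $sovpnsettings{DHCP_WINS}\"\n";
    }

    # Default to 100 clients when no limit is configured.
    if ($sovpnsettings{MAX_CLIENTS} eq '') {
        print $conf "max-clients 100\n";
    } else {
        print $conf "max-clients $sovpnsettings{MAX_CLIENTS}\n";
    }
    print $conf "tls-verify /usr/lib/openvpn/verify\n";
    print $conf "crl-verify /var/ipfire/ovpn/crls/cacrl.pem\n";
    print $conf "auth-user-pass-optional\n";
    print $conf "reneg-sec 86400\n";
    print $conf "user nobody\n";
    print $conf "group nobody\n";
    print $conf "persist-key\n";
    print $conf "persist-tun\n";
    if ($sovpnsettings{LOG_VERB} ne '') {
        print $conf "verb $sovpnsettings{LOG_VERB}\n";
    } else {
        print $conf "verb 3\n";
    }

    print $conf "# Log clients connecting/disconnecting\n";
    print $conf "client-connect \"/usr/sbin/openvpn-metrics client-connect\"\n";
    print $conf "client-disconnect \"/usr/sbin/openvpn-metrics client-disconnect\"\n";
    print $conf "\n";

    print $conf "# Enable Management Socket\n";
    print $conf "management /var/run/openvpn.sock unix\n";
    print $conf "management-client-auth\n";

    # Print server.conf.local if entries exist to server.conf
    if ( !-z $local_serverconf && $sovpnsettings{'ADDITIONAL_CONFIGS'} eq 'on') {
        # Read-only three-argument open; the custom directives are copied
        # verbatim between marker comments.
        if (open(my $lsc, '<', $local_serverconf)) {
            print $conf "\n#---------------------------\n";
            print $conf "# Start of custom directives\n";
            print $conf "# from server.conf.local\n";
            print $conf "#---------------------------\n\n";
            while (my $line = <$lsc>) {
                print {$conf} $line;
            }
            print $conf "\n#-----------------------------\n";
            print $conf "# End of custom directives\n";
            print $conf "#-----------------------------\n";
            close($lsc);
        } else {
            warn "Unable to open $local_serverconf: $!";
        }
    }
    print $conf "\n";

    close($conf);
}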
8c877a82 396
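# Truncate the OpenVPN status log.  A log that cannot be opened is
# silently left alone.
sub emptyserverlog{
    if (open(my $fh, '>', "/var/run/ovpnserver.log")) {
        flock($fh, 2);  # LOCK_EX
        # Opening for writing already truncated the file; nothing to print.
        close($fh);
    }
}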
405
# Delete the CCD network named $_[0] from ccd.conf and regenerate
# server.conf.  Refuses (sets $errormessage, returns undef) when a host
# in ovpnconfig is still assigned to that network; returns 0 otherwise.
sub delccdnet
{
    my ($ccdnetname) = @_;
    my %ccdhash = ();
    my %ccdconfhash = ();

    # Field 32 of a host entry holds the CCD network the host belongs to.
    if (-f "${General::swroot}/ovpn/ovpnconfig"){
        &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
        foreach my $host (values %ccdhash) {
            next unless $host->[32] eq $ccdnetname;
            $errormessage=$Lang::tr{'ccd err hostinnet'};
            return;
        }
    }

    # Drop every ccd.conf entry carrying this name.
    &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
    my @doomed = grep { $ccdconfhash{$_}[0] eq $ccdnetname } keys %ccdconfhash;
    delete @ccdconfhash{@doomed};
    &General::writehasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);

    &writeserverconf;
    return 0;
}
431
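# Add a CCD network: $_[0] is the name, $_[1] the network as "ip/mask"
# (mask in CIDR or dotted form).  Validation failures set $errormessage
# and return undef; on success the network (normalised to its base
# address and CIDR prefix) is appended to ccd.conf, server.conf is
# regenerated, the form fields are cleared and 1 is returned.
sub addccdnet
{
    my ($ccdname, $ccdnet) = @_;
    my %ccdconfhash=();
    my $subcidr;
    my $ccdip;
    my $baseaddress;

    #check name
    if ($ccdname eq '')
    {
        $errormessage=$errormessage.$Lang::tr{'ccd err name'}."<br>";
        return;
    }

    if(!&General::validccdname($ccdname))
    {
        $errormessage=$Lang::tr{'ccd err invalidname'};
        return;
    }

    ($ccdip,$subcidr) = split (/\//,$ccdnet);
    $subcidr=&General::iporsubtocidr($subcidr);
    #check subnet - anything smaller than a /30 cannot hold a client
    if ($subcidr > 30)
    {
        $errormessage=$Lang::tr{'ccd err invalidnet'};
        return;
    }
    #check ip
    if (!&General::validipandmask($ccdnet)){
        $errormessage=$Lang::tr{'ccd err invalidnet'};
        return;
    }

    # An error message left over from an earlier step aborts the add.
    if (!$errormessage) {
        $baseaddress=&General::getnetworkip($ccdip,$subcidr);
        &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
        my $key = &General::findhasharraykey (\%ccdconfhash);
        $ccdconfhash{$key}[0] = $ccdname;
        $ccdconfhash{$key}[1] = $baseaddress."/".$subcidr;
        &General::writehasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
        &writeserverconf;
        $cgiparams{'ccdname'}='';
        $cgiparams{'ccdsubnet'}='';
        return 1;
    }
    return;
}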
487
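# Rename the CCD network $_[1] to $_[0] in ccd.conf and move every host
# assigned to it (field 32 in ovpnconfig) to the new name.  Sets
# $errormessage and returns undef on an invalid or already used name;
# returns 0 otherwise.
sub modccdnet
{
    my ($newname, $oldname) = @_;
    my %ccdconfhash=();
    my %ccdhash=();

    # Check if the new name is valid.
    if(!&General::validhostname($newname)) {
        $errormessage=$Lang::tr{'ccd err invalidname'};
        return;
    }

    &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);

    # Every entry is checked for a name clash; renaming a network to its
    # own name is allowed through.
    if ($newname ne $oldname
        && grep { $ccdconfhash{$_}[0] eq $newname } keys %ccdconfhash) {
        $errormessage=$errormessage.$Lang::tr{'ccd err netadrexist'};
        return;
    }

    my $renamed = 0;
    foreach my $key (keys %ccdconfhash) {
        next unless $ccdconfhash{$key}[0] eq $oldname;
        $ccdconfhash{$key}[0] = $newname;
        $renamed++;
    }
    if ($renamed) {
        &General::writehasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
    }

    # All hosts of the old network follow the rename, not just the first.
    &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
    my $moved = 0;
    foreach my $key (keys %ccdhash) {
        next unless $ccdhash{$key}[32] eq $oldname;
        $ccdhash{$key}[32] = $newname;
        $moved++;
    }
    if ($moved) {
        &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
    }

    return 0;
}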
# Number of clients a CCD network ("ip/cidr") can hold: the address
# count of the network divided by four (each client gets a /30), minus one.
sub ccdmaxclients
{
    my ($ccdnetwork) = @_;
    my (undef, $prefix) = split("\/", $ccdnetwork);
    my @maskoctets = split /\./, &General::cidrtosub($prefix);

    my $addresses = 1;
    $addresses *= (256 - $maskoctets[$_]) for 0 .. 3;

    return $addresses / 4 - 1;
}
544
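# Candidate client networks inside a CCD network.
#   $_[0] network address, $_[1] CIDR prefix, $_[2] number of /30 blocks
#   to generate, $_[3] the "ip/30" already held by the host being edited.
# Returns the list of /30 base addresses (starting at network + 2, one
# every four addresses) minus those already assigned to other hosts in
# ovpnconfig (field 33); the editing host's own address stays available.
sub getccdadresses
{
    my ($ipin, $cidr, $count, $hasip) = @_;
    my ($ip1,$ip2,$ip3,$ip4)=split /\./, $ipin;
    chomp($cidr);
    chomp($hasip);
    my %ccdhash=();
    &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);

    my @iprange = ($ip1.".".$ip2.".".$ip3.".".($ip4+2));
    for my $i (1 .. $count) {
        $iprange[$i] = &General::getnextip($iprange[$i-1], 4);
    }

    # Collect the network part of every address taken by another host;
    # filtering afterwards avoids splicing the list while iterating it.
    my %taken = ();
    foreach my $key (keys %ccdhash) {
        my $assigned = $ccdhash{$key}[33];
        next if $hasip eq $assigned;
        my ($net) = split (/\//, $assigned);
        $taken{$net} = 1;
    }
    return grep { !$taken{$_} } @iprange;
}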
578
# Print an HTML <select> named $_[1] listing the free /30 client networks
# of the CCD network $_[0] ("ip/cidr"); $_[2] is the address the edited
# host already holds.  The option equal to $cgiparams{$_[1]} is preselected.
sub fillselectbox
{
    my ($network, $boxname, $tz) = @_;
    my ($ccdip, $subcidr) = split("/", $network);
    my @allccdips = &getccdadresses($ccdip, $subcidr, &ccdmaxclients($ccdip."/".$subcidr), $tz);

    print"<select name='$boxname' STYLE='font-family : arial; font-size : 9pt; width:130px;' >";
    foreach my $addr (@allccdips) {
        my $ip = $addr."/30";
        chomp($ip);
        my $selected = ($ip eq $cgiparams{$boxname}) ? "selected" : "";
        print "<option value='$ip' $selected>$ip</option>";
    }
    print "</select>";
}
597
# Count the hosts in ovpnconfig assigned to the CCD network named $_[0]
# (field 32 of each host entry).
sub hostsinnet
{
    my ($name) = @_;
    my %ccdhash = ();
    &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
    my $count = grep { $ccdhash{$_}[32] eq $name } keys %ccdhash;
    return $count;
}
609
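# Check a network ("ip/mask") against the routes already pushed to all
# clients.  Returns 0 when the same route exists or the network lies
# inside a pushed route, 1 otherwise (also when the file is absent).
sub check_routes_push
{
    my ($val) = @_;
    my ($ip, $cidr) = split (/\//, $val);
    my $routes_file = "${General::swroot}/ovpn/routes_push";

    ##check for existing routes in routes_push
    return 1 unless -e $routes_file;
    # An unreadable file is treated like an empty one, as before.
    open(my $fh, '<', $routes_file) or return 1;

    my $result = 1;
    while (my $line = <$fh>) {
        $line =~ s/\s*$//g;
        my ($ip2, $cidr2) = split (/\//, $line);
        my $val2 = $ip2."/".&General::iporsubtodec($cidr2);

        # Exact duplicate, or the new network is inside an existing one.
        if ($val eq $val2
            || &General::IpInSubnet ($ip, $ip2, &General::iporsubtodec($cidr2))) {
            $result = 0;
            last;
        }
    }
    # The handle is closed on every exit path, not only on the "no match" one.
    close($fh);
    return $result;
}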
635
# Check a network ("ip/mask") against the routes assigned to CCD hosts.
# Returns 0 when another host (not the one named in $cgiparams{'NAME'})
# already has the same route or a route containing the network, 1 otherwise.
sub check_ccdroute
{
    my ($val) = @_;
    my ($ip, $cidr) = split (/\//, $val);
    my %ccdroutehash = ();
    #check for existing routes in ccdroute
    &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);

    foreach my $key (keys %ccdroutehash) {
        my $entry = $ccdroutehash{$key};
        # Field 0 is the host name; its own routes never count as a clash.
        next if $entry->[0] eq $cgiparams{'NAME'};
        foreach my $route (@{$entry}[1 .. $#{$entry}]) {
            return 0 if &General::iporsubtodec($val) eq $route;
            my ($ip2, $cidr2) = split (/\//, $route);
            #subnetcheck
            return 0 if &General::IpInSubnet ($ip, $ip2, $cidr2);
        }
    }
    return 1;
}
# Check a network ("ip/mask") against the configured CCD networks.
# Returns 0 when a CCD network is identical to it or contains it,
# 1 otherwise.
sub check_ccdconf
{
    my ($val) = @_;
    my ($ip, $cidr) = split (/\//, $val);
    my %ccdconfhash = ();
    #check for existing networks in ccd.conf
    &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);

    # Field 1 of each entry is the network as "ip/cidr".
    foreach my $net (map { $ccdconfhash{$_}[1] } keys %ccdconfhash) {
        return 0 if &General::iporsubtocidr($val) eq $net;
        my ($ip2, $cidr2) = split (/\//, $net);
        #subnetcheck
        return 0 if &General::IpInSubnet ($ip, $ip2, &General::cidrtosub($cidr2));
    }
    return 1;
}
677
678###
679# m.a.d net2net
680###
681
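# Returns 1 when $_[0] is an "address/mask" whose mask part contains no
# dot (i.e. a CIDR prefix rather than a dotted mask), 0 for a bare IP
# address, a value without "/", or a dotted mask.
sub validdotmask
{
    my ($ipdotmask) = @_;
    if (&General::validip($ipdotmask)) { return 0; }
    # Take the mask from this match only; a failed match must not fall
    # back to a stale $2 from an earlier regex.
    my ($mask) = $ipdotmask =~ m{^(?:.*?)/(.*?)$} or return 0;
    if ($mask =~ /\./) { return 0; }
    return 1;
}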
691
692# -------------------------------------------------------------------
693
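# Persist $vpnsettings{'ROUTES_PUSH'} (one "ip/cidr" per line) to the
# routes_push file, truncating it first.  Dies when the file cannot be
# opened, matching writeserverconf.
sub write_routepushfile
{
    open(my $fh, '>', $routes_push_file) or die "Unable to open $routes_push_file: $!";
    flock($fh, 2);  # LOCK_EX
    if (defined $vpnsettings{'ROUTES_PUSH'} && $vpnsettings{'ROUTES_PUSH'} ne '') {
        print {$fh} $vpnsettings{'ROUTES_PUSH'};
    }
    close($fh);
}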
703
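# Load the routes_push file into $vpnsettings{'ROUTES_PUSH'} and mirror
# it into $cgiparams{'ROUTES_PUSH'}.  Nothing changes when the file does
# not exist or cannot be read; an empty file leaves the key undefined.
sub read_routepushfile
{
    return unless -e $routes_push_file;
    open(my $fh, '<', $routes_push_file) or return;
    delete $vpnsettings{'ROUTES_PUSH'};
    while (my $line = <$fh>) {
        $vpnsettings{'ROUTES_PUSH'} .= $line;
    }
    close($fh);
    $cgiparams{'ROUTES_PUSH'} = $vpnsettings{'ROUTES_PUSH'};
}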
7c1d9faf 715
# Write the collectd openvpn plugin config: the server status file plus
# one status file per enabled net-to-net connection, then restart collectd.
sub writecollectdconf {
    my %ccdhash = ();

    open(my $out, '>', "${General::swroot}/ovpn/collectd.vpn") or die "Unable to open collectd.vpn: $!";

    my @lines = (
        "Loadplugin openvpn\n",
        "\n",
        "<Plugin openvpn>\n",
        "Statusfile \"/var/run/ovpnserver.log\"\n",
    );

    &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
    # Field 0 is the enabled flag, field 3 the type, field 1 the name.
    foreach my $key (keys %ccdhash) {
        my $conn = $ccdhash{$key};
        next unless $conn->[0] eq 'on' && $conn->[3] eq 'net';
        push @lines, "Statusfile \"/var/run/openvpn/$conn->[1]-n2n\"\n";
    }
    push @lines, "</Plugin>\n";

    print {$out} @lines;
    close($out);

    # Reload collectd afterwards
    &General::system("/usr/local/bin/collectdctrl", "restart");
}
7c1d9faf 739
740#hier die refresh page
if ( -e "${General::swroot}/ovpn/gencanow") {
    # Certificate generation is still running: show a placeholder page
    # that reloads itself every 15 seconds and stop processing here.
    my $refresh = "<meta http-equiv='refresh' content='15;' />";
    &Header::showhttpheaders();
    &Header::openpage($Lang::tr{'OVPN'}, 1, $refresh);
    &Header::openbigbox('100%', 'center');
    &Header::openbox('100%', 'left', "$Lang::tr{'generate root/host certificates'}:");
    print join("",
        "<tr>\n<td align='center'><img src='/images/clock.gif' alt='' /></td>\n",
        "<td colspan='2'><font color='red'>Please be patient this realy can take some time on older hardware...</font></td></tr>\n",
    );
    &Header::closebox();
    &Header::closebigbox();
    &Header::closepage();
    exit (0);
}
755##hier die refresh page
756
757
758###
759### OpenVPN Server Control
760###
# Start/stop requests for the OpenVPN server daemon.  A "restart" request
# is accepted but currently does nothing: that branch stays disabled until
# SIGHUP also works while the daemon runs as nobody.
if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'}) {
    # Clear the status log, then start the daemon.
    &emptyserverlog();
    &General::system("/usr/local/bin/openvpnctrl", "-s");
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'stop ovpn server'}) {
    # Stop the daemon, then clear the status log.
    &General::system("/usr/local/bin/openvpnctrl", "-k");
    &emptyserverlog();
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'restart ovpn server'}) {
    #workarund, till SIGHUP also works when running as nobody
    # system('/usr/local/bin/openvpnctrl', '-r');
    # &emptyserverlog();
}
781
782###
783### Save Advanced options
784###
785
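if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
    # Validate and store the advanced server options.  A validation
    # failure sets $errormessage and jumps to the ADV_ERROR label, which
    # is defined further down in this file.
    &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
    #DAN do we really need (to to check) this value? Besides if we listen on blue and orange too,
    #DAN this value has to leave.
    #new settings for daemon
    $vpnsettings{'LOG_VERB'} = $cgiparams{'LOG_VERB'};
    $vpnsettings{'KEEPALIVE_1'} = $cgiparams{'KEEPALIVE_1'};
    $vpnsettings{'KEEPALIVE_2'} = $cgiparams{'KEEPALIVE_2'};
    $vpnsettings{'MAX_CLIENTS'} = $cgiparams{'MAX_CLIENTS'};
    $vpnsettings{'REDIRECT_GW_DEF1'} = $cgiparams{'REDIRECT_GW_DEF1'};
    $vpnsettings{'CLIENT2CLIENT'} = $cgiparams{'CLIENT2CLIENT'};
    $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
    $vpnsettings{'ADDITIONAL_CONFIGS'} = $cgiparams{'ADDITIONAL_CONFIGS'};
    $vpnsettings{'DHCP_DOMAIN'} = $cgiparams{'DHCP_DOMAIN'};
    $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'};
    $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'};
    $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'};

    # FRAGMENT is optional and must be digits only.
    if ($cgiparams{'FRAGMENT'} eq '') {
        delete $vpnsettings{'FRAGMENT'};
    } elsif ($cgiparams{'FRAGMENT'} !~ /^[0-9]+$/) {
        $errormessage = "Incorrect value, please insert only numbers.";
        goto ADV_ERROR;
    } else {
        $vpnsettings{'FRAGMENT'} = $cgiparams{'FRAGMENT'};
    }

    # MSSFIX is only stored when switched on.
    if ($cgiparams{'MSSFIX'} ne 'on') {
        delete $vpnsettings{'MSSFIX'};
    } else {
        $vpnsettings{'MSSFIX'} = $cgiparams{'MSSFIX'};
    }

    # The DHCP options are written verbatim into server.conf by
    # writeserverconf, so each must be a valid name or an IP address.
    if ($cgiparams{'DHCP_DOMAIN'} ne ''){
        unless (&General::validdomainname($cgiparams{'DHCP_DOMAIN'}) || &General::validip($cgiparams{'DHCP_DOMAIN'})) {
            $errormessage = $Lang::tr{'invalid input for dhcp domain'};
            goto ADV_ERROR;
        }
    }
    if ($cgiparams{'DHCP_DNS'} ne ''){
        unless (&General::validfqdn($cgiparams{'DHCP_DNS'}) || &General::validip($cgiparams{'DHCP_DNS'})) {
            $errormessage = $Lang::tr{'invalid input for dhcp dns'};
            goto ADV_ERROR;
        }
    }
    if ($cgiparams{'DHCP_WINS'} ne ''){
        unless (&General::validfqdn($cgiparams{'DHCP_WINS'}) || &General::validip($cgiparams{'DHCP_WINS'})) {
            $errormessage = $Lang::tr{'invalid input for dhcp wins'};
            goto ADV_ERROR;
        }
    }

    if ($cgiparams{'ROUTES_PUSH'} ne ''){
        my @temp = split(/\n/,$cgiparams{'ROUTES_PUSH'});
        undef $vpnsettings{'ROUTES_PUSH'};

        # Routes assigned to CCD hosts: read once, checked for every
        # submitted route below.
        my %ccdroutehash=();
        &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);

        foreach my $tmpip (@temp)
        {
            # Trim the submitted route itself (not the global $_).
            $tmpip =~ s/^\s+//;
            $tmpip =~ s/\s+$//;
            next unless $tmpip;

            unless (&General::validipandmask($tmpip)) {
                $errormessage = "$tmpip ".$Lang::tr{'ovpn errmsg invalid ip or mask'};
                goto ADV_ERROR;
            }
            my ($ip, $cidr) = split("\/",&General::ipcidr2msk($tmpip));

            if ($ip eq $netsettings{'GREEN_NETADDRESS'} && $cidr eq $netsettings{'GREEN_NETMASK'}) {
                $errormessage = $Lang::tr{'ovpn errmsg green already pushed'};
                goto ADV_ERROR;
            }
            # a.marx ccd: a pushed route must not duplicate or overlap a
            # route already assigned to a CCD host (field 0 is the host).
            foreach my $key (keys %ccdroutehash) {
                foreach my $i (1 .. $#{$ccdroutehash{$key}}) {
                    if ( $ip."/".$cidr eq $ccdroutehash{$key}[$i] ){
                        $errormessage="Route $ip\/$cidr ".$Lang::tr{'ccd err inuse'}." $ccdroutehash{$key}[0]" ;
                        goto ADV_ERROR;
                    }
                    my ($ip2,$cidr2) = split(/\//,$ccdroutehash{$key}[$i]);
                    if (&General::IpInSubnet ($ip,$ip2,$cidr2)){
                        $errormessage="Route $ip\/$cidr ".$Lang::tr{'ccd err inuse'}." $ccdroutehash{$key}[0]" ;
                        goto ADV_ERROR;
                    }
                }
            }
            # ccd end

            $vpnsettings{'ROUTES_PUSH'} .= $tmpip."\n";
        }
        &write_routepushfile();
        # The routes live in their own file, not in the settings hash.
        undef $vpnsettings{'ROUTES_PUSH'};
    }
    else {
        undef $vpnsettings{'ROUTES_PUSH'};
        &write_routepushfile();
    }

    # MAX_CLIENTS must be an integer between 1 and 1024.
    if ($cgiparams{'MAX_CLIENTS'} !~ /^[0-9]+$/
        || $cgiparams{'MAX_CLIENTS'} < 1
        || $cgiparams{'MAX_CLIENTS'} > 1024) {
        $errormessage = $Lang::tr{'invalid input for max clients'};
        goto ADV_ERROR;
    }
    if ($cgiparams{'KEEPALIVE_1'} ne '') {
        if ($cgiparams{'KEEPALIVE_1'} !~ /^[0-9]+$/) {
            $errormessage = $Lang::tr{'invalid input for keepalive 1'};
            goto ADV_ERROR;
        }
    }
    if ($cgiparams{'KEEPALIVE_2'} ne ''){
        if ($cgiparams{'KEEPALIVE_2'} !~ /^[0-9]+$/) {
            $errormessage = $Lang::tr{'invalid input for keepalive 2'};
            goto ADV_ERROR;
        }
    }
    # The timeout has to be at least twice the ping interval.
    if ($cgiparams{'KEEPALIVE_2'} < ($cgiparams{'KEEPALIVE_1'} * 2)){
        $errormessage = $Lang::tr{'invalid input for keepalive 1:2'};
        goto ADV_ERROR;
    }
    &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
    &writeserverconf();#hier ok
}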
913
ce9abb66 914###
7c1d9faf 915# m.a.d net2net
916###
917
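if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq 'net' && $cgiparams{'SIDE'} eq 'server')
{
    # Write the OpenVPN config for a net-to-net connection on which this IPFire
    # is the *server* side, to ${General::swroot}/ovpn/n2nconf/<NAME>/<NAME>.conf.
    # Input: the form fields in %cgiparams plus the global $dhparameter.
    # Directory/file creation failures are fatal (die), as elsewhere in this
    # script. The client-side twin of this block writes the mirrored file
    # (ifconfig .2 .1, tls-client).
    #
    # Every form value used here is interpolated verbatim into a line-oriented
    # config file that the OpenVPN daemon reads (with "script-security 2" set),
    # so a value containing a line break would become additional directives.
    # The values are expected to have been validated earlier in this script
    # (TODO confirm); the checks below only guarantee that no value can span
    # lines and that NAME cannot escape the n2nconf directory.
    for my $field (qw(NAME REMOTE DEST_PORT MTU FRAGMENT OVPN_MGMT DCIPHER DAUTH OVPN_SUBNET REMOTE_SUBNET)) {
        next unless defined $cgiparams{$field};
        die "n2n server config: field $field contains a line break or NUL\n"
            if $cgiparams{$field} =~ /[\r\n\0]/;
    }
    my $name = $cgiparams{'NAME'};
    die "n2n server config: invalid connection name\n"
        if !defined $name || $name eq '' || $name =~ m{/} || $name =~ /\A\.\.?\z/;

    # REMOTE_SUBNET is "network/netmask"; OVPN_SUBNET contributes only its
    # first three octets: the server end is always .1, the client end .2.
    my ($remote_net, $remote_mask) = split(/\//, $cgiparams{'REMOTE_SUBNET'});
    my ($oct1, $oct2, $oct3) = split(/\./, $cgiparams{'OVPN_SUBNET'});
    my $ovsubnet = "$oct1.$oct2.$oct3";

    my $confdir  = "${General::swroot}/ovpn/n2nconf";
    my $conffile = "$confdir/$name/$name.conf";
    unless (-d $confdir) {
        mkdir $confdir, 0755 or die "Unable to create dir $!";
    }
    unless (-d "$confdir/$name") {
        mkdir "$confdir/$name", 0770 or die "Unable to create dir $!";
    }

    # The file is assembled in memory first and written in one go at the end,
    # so a die() half-way through never leaves a truncated config behind.
    my @lines = (
        '# IPFire n2n Open VPN Server Config by ummeegge und m.a.d',
        '',
        '# User Security',
        'user nobody',
        'group nobody',
        'persist-tun',
        'persist-key',
        'script-security 2',
        '# IP/DNS for remote Server Gateway',
    );
    push @lines, "remote $cgiparams{'REMOTE'}" if $cgiparams{'REMOTE'} ne '';
    push @lines, (
        'float',
        '# IP adresses of the VPN Subnet',
        "ifconfig $ovsubnet.1 $ovsubnet.2",
        '# Client Gateway Network',
        "route $remote_net $remote_mask",
        'up "/etc/init.d/static-routes start"',
        '# tun Device',
        'dev tun',
        '#Logfile for statistics',
        'status-version 1',
        "status /var/run/openvpn/$name-n2n 10",
        '# Port and Protokol',
        "port $cgiparams{'DEST_PORT'}",
    );

    # The default tunnel MTU depends on the transport: 1400 for TCP, 1500 for
    # UDP. Only UDP gets fragment/mssfix.
    if ($cgiparams{'PROTOCOL'} eq 'tcp') {
        my $tunmtu = $cgiparams{'MTU'} eq '' ? '1400' : $cgiparams{'MTU'};
        push @lines, 'proto tcp4-server', '# Packet size', "tun-mtu $tunmtu";
    }
    if ($cgiparams{'PROTOCOL'} eq 'udp') {
        my $tunmtu = $cgiparams{'MTU'} eq '' ? '1500' : $cgiparams{'MTU'};
        push @lines, 'proto udp4', '# Paketsize', "tun-mtu $tunmtu";
        push @lines, "fragment $cgiparams{'FRAGMENT'}" if $cgiparams{'FRAGMENT'} ne '';
        push @lines, $cgiparams{'MSSFIX'} eq 'on' ? 'mssfix' : 'mssfix 0';
    }

    push @lines, (
        '# Auth. Server',
        'tls-server',
        "ca ${General::swroot}/ovpn/ca/cacert.pem",
        "cert ${General::swroot}/ovpn/certs/servercert.pem",
        "key ${General::swroot}/ovpn/certs/serverkey.pem",
        "dh $dhparameter",
        '# Cipher',
        "cipher $cgiparams{'DCIPHER'}",
    );

    # If a GCM cipher is used, do not use --auth. (The previous code wrote the
    # auth lines behind a postfix `unless "<constant string>"`, which never
    # prints; this spells the same outcome out explicitly.)
    my %is_gcm = map { $_ => 1 } qw(AES-256-GCM AES-192-GCM AES-128-GCM);
    unless ($is_gcm{ $cgiparams{'DCIPHER'} }) {
        push @lines, '# HMAC algorithm', "auth $cgiparams{'DAUTH'}";
    }

    # Set TLSv1.2 as minimum
    push @lines, 'tls-version-min 1.2';

    if ($cgiparams{'COMPLZO'} eq 'on') {
        push @lines, '# Enable Compression', 'comp-lzo';
    }

    # The management port falls back to the tunnel port when none is set.
    my $mgmt_port = $cgiparams{'OVPN_MGMT'} eq '' ? $cgiparams{'DEST_PORT'} : $cgiparams{'OVPN_MGMT'};
    push @lines, (
        '# Debug Level',
        'verb 3',
        '# Tunnel check',
        'keepalive 10 60',
        '# Start as daemon',
        "daemon ${name}n2n",
        "writepid /var/run/${name}n2n.pid",
        '# Activate Management Interface and Port',
        "management localhost $mgmt_port",
    );

    # Three-argument open with a lexical handle: the path is built from a form
    # field and must never be parsed for a mode. 2 is LOCK_EX (Fcntl is not
    # imported in this script). close() is checked because buffered write
    # errors only surface there.
    open(my $conf, '>', $conffile) or die "Unable to open $conffile: $!";
    flock $conf, 2;
    print {$conf} map { "$_\n" } @lines;
    close($conf) or die "Unable to write $conffile: $!";
}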
1016
1017###
7c1d9faf 1018# m.a.d net2net
ce9abb66 1019###
7c1d9faf 1020
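if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq 'net' && $cgiparams{'SIDE'} eq 'client')
{
    # Write the OpenVPN config for a net-to-net connection on which this IPFire
    # is the *client* side, to ${General::swroot}/ovpn/n2nconf/<NAME>/<NAME>.conf.
    # Input: the form fields in %cgiparams; the credentials come from the
    # PKCS#12 bundle ${General::swroot}/ovpn/certs/<NAME>.p12 referenced in
    # the file. Directory/file creation failures are fatal (die), as elsewhere
    # in this script. The server-side twin of this block writes the mirrored
    # file (ifconfig .1 .2, tls-server).
    #
    # Every form value used here is interpolated verbatim into a line-oriented
    # config file that the OpenVPN daemon reads (with "script-security 2" set),
    # so a value containing a line break would become additional directives.
    # The values are expected to have been validated earlier in this script
    # (TODO confirm); the checks below only guarantee that no value can span
    # lines and that NAME cannot escape the n2nconf directory.
    for my $field (qw(NAME REMOTE DEST_PORT MTU FRAGMENT OVPN_MGMT DCIPHER DAUTH OVPN_SUBNET REMOTE_SUBNET)) {
        next unless defined $cgiparams{$field};
        die "n2n client config: field $field contains a line break or NUL\n"
            if $cgiparams{$field} =~ /[\r\n\0]/;
    }
    my $name = $cgiparams{'NAME'};
    die "n2n client config: invalid connection name\n"
        if !defined $name || $name eq '' || $name =~ m{/} || $name =~ /\A\.\.?\z/;

    # OVPN_SUBNET contributes only its first three octets: the client end is
    # always .2, the server end .1. REMOTE_SUBNET is "network/netmask".
    my ($oct1, $oct2, $oct3) = split(/\./, $cgiparams{'OVPN_SUBNET'});
    my $ovsubnet = "$oct1.$oct2.$oct3";
    my ($remote_net, $remote_mask) = split(/\//, $cgiparams{'REMOTE_SUBNET'});

    my $confdir  = "${General::swroot}/ovpn/n2nconf";
    my $conffile = "$confdir/$name/$name.conf";
    unless (-d $confdir) {
        mkdir $confdir, 0755 or die "Unable to create dir $!";
    }
    unless (-d "$confdir/$name") {
        mkdir "$confdir/$name", 0770 or die "Unable to create dir $!";
    }

    # Check the local host certificate: if X509 is RFC3280 compliant, i.e. the
    # appropriate key usage extension exists, the new --remote-cert-tls
    # directive is used; otherwise fall back to the old --ns-cert-type.
    my @hostcert = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
    my $peer_cert_check = (grep { /TLS Web Server Authentication/ } @hostcert)
        ? 'remote-cert-tls server'
        : 'ns-cert-type server';

    # The file is assembled in memory first and written in one go at the end,
    # so a die() half-way through never leaves a truncated config behind.
    my @lines = (
        '# IPFire rewritten n2n Open VPN Client Config by ummeegge und m.a.d',
        '#',
        '# User Security',
        'user nobody',
        'group nobody',
        'persist-tun',
        'persist-key',
        'script-security 2',
        '# IP/DNS for remote Server Gateway',
        "remote $cgiparams{'REMOTE'}",
        'float',
        '# IP adresses of the VPN Subnet',
        "ifconfig $ovsubnet.2 $ovsubnet.1",
        '# Server Gateway Network',
        "route $remote_net $remote_mask",
        'up "/etc/init.d/static-routes start"',
        '# tun Device',
        'dev tun',
        '#Logfile for statistics',
        'status-version 1',
        "status /var/run/openvpn/$name-n2n 10",
        '# Port and Protokol',
        "port $cgiparams{'DEST_PORT'}",
    );

    # The default tunnel MTU depends on the transport: 1400 for TCP, 1500 for
    # UDP. Only UDP gets fragment/mssfix.
    if ($cgiparams{'PROTOCOL'} eq 'tcp') {
        my $tunmtu = $cgiparams{'MTU'} eq '' ? '1400' : $cgiparams{'MTU'};
        push @lines, 'proto tcp4-client', '# Packet size', "tun-mtu $tunmtu";
    }
    if ($cgiparams{'PROTOCOL'} eq 'udp') {
        my $tunmtu = $cgiparams{'MTU'} eq '' ? '1500' : $cgiparams{'MTU'};
        push @lines, 'proto udp4', '# Paketsize', "tun-mtu $tunmtu";
        push @lines, "fragment $cgiparams{'FRAGMENT'}" if $cgiparams{'FRAGMENT'} ne '';
        push @lines, $cgiparams{'MSSFIX'} eq 'on' ? 'mssfix' : 'mssfix 0';
    }

    push @lines, (
        $peer_cert_check,
        '# Auth. Client',
        'tls-client',
        '# Cipher',
        "cipher $cgiparams{'DCIPHER'}",
        # NOTE(review): the trailing "\r" is kept for byte-identical output; it
        # looks like a leftover CRLF and is the only line in the file with one.
        # Confirm OpenVPN tolerates it before dropping it.
        "pkcs12 ${General::swroot}/ovpn/certs/$name.p12\r",
    );

    # If a GCM cipher is used, do not use --auth. (The previous code wrote the
    # auth lines behind a postfix `unless "<constant string>"`, which never
    # prints; this spells the same outcome out explicitly.)
    my %is_gcm = map { $_ => 1 } qw(AES-256-GCM AES-192-GCM AES-128-GCM);
    unless ($is_gcm{ $cgiparams{'DCIPHER'} }) {
        push @lines, '# HMAC algorithm', "auth $cgiparams{'DAUTH'}";
    }

    # Set TLSv1.2 as minimum
    push @lines, 'tls-version-min 1.2';

    if ($cgiparams{'COMPLZO'} eq 'on') {
        push @lines, '# Enable Compression', 'comp-lzo';
    }

    # The management port falls back to the tunnel port when none is set.
    my $mgmt_port = $cgiparams{'OVPN_MGMT'} eq '' ? $cgiparams{'DEST_PORT'} : $cgiparams{'OVPN_MGMT'};
    push @lines, (
        '# Debug Level',
        'verb 3',
        '# Tunnel check',
        'keepalive 10 60',
        '# Start as daemon',
        "daemon ${name}n2n",
        "writepid /var/run/${name}n2n.pid",
        '# Activate Management Interface and Port',
        "management localhost $mgmt_port",
        'providers legacy default',
    );

    # Three-argument open with a lexical handle: the path is built from a form
    # field and must never be parsed for a mode. 2 is LOCK_EX (Fcntl is not
    # imported in this script). close() is checked because buffered write
    # errors only surface there.
    open(my $conf, '>', $conffile) or die "Unable to open $conffile: $!";
    flock $conf, 2;
    print {$conf} map { "$_\n" } @lines;
    close($conf) or die "Unable to write $conffile: $!";
}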
400c8afd 1122
1123###
1124### Save main settings
1125###
ce9abb66 1126
1127if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') {
1128 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1129 #DAN do we really need (to to check) this value? Besides if we listen on blue and orange too,
1130 #DAN this value has to leave.
1131 if ($cgiparams{'ENABLED'} eq 'on'){
1132 unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'})) {
1133 $errormessage = $Lang::tr{'invalid input for hostname'};
c6c9630e 1134 goto SETTINGS_ERROR;
1135 }
1136 }
f7fb5bc5 1137
6e13d0a5 1138 if (! &General::validipandmask($cgiparams{'DOVPN_SUBNET'})) {
c6c9630e 1139 $errormessage = $Lang::tr{'ovpn subnet is invalid'};
4c962356 1140 goto SETTINGS_ERROR;
1141 }
1142 my @tmpovpnsubnet = split("\/",$cgiparams{'DOVPN_SUBNET'});
1143
1144 if (&General::IpInSubnet ( $netsettings{'RED_ADDRESS'},
1145 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
1146 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire RED Network $netsettings{'RED_ADDRESS'}";
1147 goto SETTINGS_ERROR;
1148 }
1149
1150 if (&General::IpInSubnet ( $netsettings{'GREEN_ADDRESS'},
1151 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
1152 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Green Network $netsettings{'GREEN_ADDRESS'}";
1153 goto SETTINGS_ERROR;
1154 }
1155
66c36198 1156 if (&General::IpInSubnet ( $netsettings{'BLUE_ADDRESS'},
1157 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
1158 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Blue Network $netsettings{'BLUE_ADDRESS'}";
1159 goto SETTINGS_ERROR;
1160 }
1161
1162 if (&General::IpInSubnet ( $netsettings{'ORANGE_ADDRESS'},
1163 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
1164 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Orange Network $netsettings{'ORANGE_ADDRESS'}";
1165 goto SETTINGS_ERROR;
1166 }
1167 open(ALIASES, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
1168 while (<ALIASES>)
1169 {
1170 chomp($_);
1171 my @tempalias = split(/\,/,$_);
1172 if ($tempalias[1] eq 'on') {
66c36198 1173 if (&General::IpInSubnet ($tempalias[0] ,
1174 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
1175 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire alias entry $tempalias[0]";
66c36198 1176 }
1177 }
1178 }
1179 close(ALIASES);
6e13d0a5 1180 if ($errormessage ne ''){
c6c9630e 1181 goto SETTINGS_ERROR;
1182 }
1183 if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
1184 $errormessage = $Lang::tr{'invalid input'};
1185 goto SETTINGS_ERROR;
1186 }
1187 if ((length($cgiparams{'DMTU'})==0) || (($cgiparams{'DMTU'}) < 1000 )) {
1188 $errormessage = $Lang::tr{'invalid mtu input'};
1189 goto SETTINGS_ERROR;
1190 }
66c36198 1191
6e13d0a5 1192 unless (&General::validport($cgiparams{'DDEST_PORT'})) {
1193 $errormessage = $Lang::tr{'invalid port'};
1194 goto SETTINGS_ERROR;
6e13d0a5 1195 }
8c252e6a 1196
1197 # Create ta.key for tls-auth if not presant
1198 if ($cgiparams{'TLSAUTH'} eq 'on') {
1199 if ( ! -e "${General::swroot}/ovpn/certs/ta.key") {
2feacd98 1200 # This system call is safe, because all arguements are passed as an array.
acbd6ff4 1201 system("/usr/sbin/openvpn", "--genkey", "secret", "${General::swroot}/ovpn/certs/ta.key");
1202 if ($?) {
1203 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1204 goto SETTINGS_ERROR;
1205 }
1206 }
1207 }
1208
1209 $vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'};
1210 $vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'};
1211 $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
1212 $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};
1213#new settings for daemon
1214 $vpnsettings{'DOVPN_SUBNET'} = $cgiparams{'DOVPN_SUBNET'};
1215 $vpnsettings{'DPROTOCOL'} = $cgiparams{'DPROTOCOL'};
1216 $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'};
1217 $vpnsettings{'DMTU'} = $cgiparams{'DMTU'};
1218 $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
1219 $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
86308adb 1220 $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
0c4ffc69 1221 $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
1222#wrtie enable
1223
1224 if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {
1225 &General::system("touch", "${General::swroot}/ovpn/enable_blue");
1226 } else {
274ca65b 1227 unlink("${General::swroot}/ovpn/enable_blue");
1228 }
1229
1230 if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' ) {
1231 &General::system("touch", "${General::swroot}/ovpn/enable_orange");
1232 } else {
1233 unlink("${General::swroot}/ovpn/enable_orange");
1234 }
1235
1236 if ( $vpnsettings{'ENABLED'} eq 'on' ) {
1237 &General::system("touch", "${General::swroot}/ovpn/enable");
1238 } else {
1239 unlink("${General::swroot}/ovpn/enable");
1240 }
1241
66c36198 1242#new settings for daemon
6e13d0a5 1243 &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
c6c9630e 1244 &writeserverconf();#hier ok
1245SETTINGS_ERROR:
1246###
1247### Reset all step 2
1248###
4c962356 1249}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'} && $cgiparams{'AREUSURE'} eq 'yes') {
1250 my $file = '';
1251 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1252
1e499e90 1253 # Kill all N2N connections
2feacd98 1254 &General::system("/usr/local/bin/openvpnctrl", "-kn2n");
1e499e90 1255
6e13d0a5 1256 foreach my $key (keys %confighash) {
1257 my $name = $confighash{$cgiparams{'$key'}}[1];
1258
1259 if ($confighash{$key}[4] eq 'cert') {
1260 delete $confighash{$cgiparams{'$key'}};
1261 }
2f36a7b4 1262
2feacd98 1263 &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$name");
1264 }
1265 while ($file = glob("${General::swroot}/ovpn/ca/*")) {
49abe7af 1266 unlink $file;
1267 }
1268 while ($file = glob("${General::swroot}/ovpn/certs/*")) {
49abe7af 1269 unlink $file;
1270 }
1271 while ($file = glob("${General::swroot}/ovpn/crls/*")) {
49abe7af 1272 unlink $file;
6e13d0a5 1273 }
4c962356 1274 &cleanssldatabase();
1275 if (open(FILE, ">${General::swroot}/ovpn/caconfig")) {
1276 print FILE "";
1277 close FILE;
1278 }
1279 if (open(FILE, ">${General::swroot}/ovpn/ccdroute")) {
1280 print FILE "";
1281 close FILE;
1282 }
1283 if (open(FILE, ">${General::swroot}/ovpn/ccdroute2")) {
1284 print FILE "";
1285 close FILE;
1286 }
1287 while ($file = glob("${General::swroot}/ovpn/ccd/*")) {
1288 unlink $file
1289 }
1290 while ($file = glob("${General::swroot}/ovpn/ccd/*")) {
1291 unlink $file
1292 }
1293 if (open(FILE, ">${General::swroot}/ovpn/ovpn-leases.db")) {
1294 print FILE "";
1295 close FILE;
1296 }
1297 if (open(FILE, ">${General::swroot}/ovpn/ovpnconfig")) {
1298 print FILE "";
1299 close FILE;
1300 }
1301 while ($file = glob("${General::swroot}/ovpn/n2nconf/*")) {
2feacd98 1302 unlink($file);
1303 }
1304
1305 # Remove everything from the collectd configuration
1306 &writecollectdconf();
1307
c6c9630e 1308 #&writeserverconf();
1309###
1310### Reset all step 1
1311###
4c962356 1312}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'}) {
6e13d0a5 1313 &Header::showhttpheaders();
1314 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
1315 &Header::openbigbox('100%', 'left', '', '');
1316 &Header::openbox('100%', 'left', $Lang::tr{'are you sure'});
1317 print <<END;
1318 <form method='post'>
1319 <table width='100%'>
1320 <tr>
1321 <td align='center'>
1322 <input type='hidden' name='AREUSURE' value='yes' />
49abe7af 1323 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>:
1324 $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}</td>
1325 </tr>
1326 <tr>
1327 <td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' />
1328 <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td>
1329 </tr>
1330 </table>
1331 </form>
1332END
1333 ;
1334 &Header::closebox();
1335 &Header::closebigbox();
1336 &Header::closepage();
1337 exit (0);
1338
4c962356 1339###
1340### Upload CA Certificate
1341###
1342} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) {
1343 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1344
1345 if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) {
1346 $errormessage = $Lang::tr{'name must only contain characters'};
1347 goto UPLOADCA_ERROR;
1348 }
1349
1350 if (length($cgiparams{'CA_NAME'}) >60) {
1351 $errormessage = $Lang::tr{'name too long'};
1352 goto VPNCONF_ERROR;
1353 }
1354
1355 if ($cgiparams{'CA_NAME'} eq 'ca') {
1356 $errormessage = $Lang::tr{'name is invalid'};
4c962356 1357 goto UPLOADCA_ERROR;
1358 }
1359
1360 # Check if there is no other entry with this name
1361 foreach my $key (keys %cahash) {
1362 if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) {
1363 $errormessage = $Lang::tr{'a ca certificate with this name already exists'};
1364 goto UPLOADCA_ERROR;
1365 }
1366 }
1367
2ad1b18b 1368 unless (ref ($cgiparams{'FH'})) {
1369 $errormessage = $Lang::tr{'there was no file upload'};
1370 goto UPLOADCA_ERROR;
1371 }
1372 # Move uploaded ca to a temporary file
1373 (my $fh, my $filename) = tempfile( );
1374 if (copy ($cgiparams{'FH'}, $fh) != 1) {
1375 $errormessage = $!;
1376 goto UPLOADCA_ERROR;
6e13d0a5 1377 }
1378 my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "$filename");
1379 if ( ! grep(/CA:TRUE/i, @temp )) {
1380 $errormessage = $Lang::tr{'not a valid ca certificate'};
1381 unlink ($filename);
1382 goto UPLOADCA_ERROR;
6e13d0a5 1383 } else {
cc79d281 1384 unless(move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem")) {
1385 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1386 unlink ($filename);
1387 goto UPLOADCA_ERROR;
1388 }
1389 }
1390
274ca65b 1391 my @casubject = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem");
1392 my $casubject;
1393
1394 foreach my $line (@casubject) {
1395 if ($line =~ /Subject: (.*)[\n]/) {
1396 $casubject = $1;
1397 $casubject =~ s+/Email+, E+;
1398 $casubject =~ s/ ST=/ S=/;
1399
1400 last;
1401 }
1402 }
1403
1404 $casubject = &Header::cleanhtml($casubject);
1405
1406 my $key = &General::findhasharraykey (\%cahash);
1407 $cahash{$key}[0] = $cgiparams{'CA_NAME'};
1408 $cahash{$key}[1] = $casubject;
1409 &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1410# system('/usr/local/bin/ipsecctrl', 'R');
1411
1412 UPLOADCA_ERROR:
1413
1414###
1415### Display ca certificate
1416###
1417} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show ca certificate'}) {
1418 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1419
1420 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") {
1421 &Header::showhttpheaders();
4c962356 1422 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
1423 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
1424 &Header::openbox('100%', 'LEFT', "$Lang::tr{'ca certificate'}:");
2feacd98 1425 my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
1426 my $output = &Header::cleanhtml(join("", @output),"y");
1427 print "<pre>$output</pre>\n";
1428 &Header::closebox();
1429 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1430 &Header::closebigbox();
1431 &Header::closepage();
1432 exit(0);
1433 } else {
1434 $errormessage = $Lang::tr{'invalid key'};
1435 }
1436
1437###
1438### Download ca certificate
1439###
1440} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download ca certificate'}) {
1441 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1442
1443 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
1444 print "Content-Type: application/octet-stream\r\n";
1445 print "Content-Disposition: filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n";
1446
1447 my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
f158e71e 1448 print @tmp;
2feacd98 1449
1450 exit(0);
1451 } else {
1452 $errormessage = $Lang::tr{'invalid key'};
1453 }
1454
1455###
1456### Remove ca certificate (step 2)
1457###
1458} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'} && $cgiparams{'AREUSURE'} eq 'yes') {
1459 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1460 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1461
1462 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
1463 foreach my $key (keys %confighash) {
1464 my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem");
1465 if (grep(/: OK/, @test)) {
1466 # Delete connection
1467# if ($vpnsettings{'ENABLED'} eq 'on' ||
1468# $vpnsettings{'ENABLED_BLUE'} eq 'on') {
1469# system('/usr/local/bin/ipsecctrl', 'D', $key);
1470# }
1471 unlink ("${General::swroot}/ovpn//certs/$confighash{$key}[1]cert.pem");
1472 unlink ("${General::swroot}/ovpn/certs/$confighash{$key}[1].p12");
1473 delete $confighash{$key};
1474 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
c6c9630e 1475# &writeipsecfiles();
1476 }
1477 }
1478 unlink ("${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
1479 delete $cahash{$cgiparams{'KEY'}};
1480 &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash);
c6c9630e 1481# system('/usr/local/bin/ipsecctrl', 'R');
1482 } else {
1483 $errormessage = $Lang::tr{'invalid key'};
1484 }
1485###
1486### Remove ca certificate (step 1)
1487###
1488} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'}) {
1489 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1490 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1491
1492 my $assignedcerts = 0;
1493 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
1494 foreach my $key (keys %confighash) {
1495 my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem");
1496 if (grep(/: OK/, @test)) {
1497 $assignedcerts++;
1498 }
1499 }
1500 if ($assignedcerts) {
1501 &Header::showhttpheaders();
4c962356 1502 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
1503 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
1504 &Header::openbox('100%', 'LEFT', $Lang::tr{'are you sure'});
4c962356 1505 print <<END;
1506 <table><form method='post'><input type='hidden' name='AREUSURE' value='yes' />
1507 <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
1508 <tr><td align='center'>
1509 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: $assignedcerts
1510 $Lang::tr{'connections are associated with this ca. deleting the ca will delete these connections as well.'}
1511 <tr><td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />
1512 <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td></tr>
1513 </form></table>
1514END
1515 ;
1516 &Header::closebox();
1517 &Header::closebigbox();
1518 &Header::closepage();
1519 exit (0);
1520 } else {
1521 unlink ("${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
1522 delete $cahash{$cgiparams{'KEY'}};
1523 &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1524# system('/usr/local/bin/ipsecctrl', 'R');
1525 }
1526 } else {
1527 $errormessage = $Lang::tr{'invalid key'};
1528 }
1529
1530###
1531### Display root certificate
1532###
1533}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} ||
1534 $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) {
2feacd98 1535 my @output;
c6c9630e 1536 &Header::showhttpheaders();
4c962356 1537 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
1538 &Header::openbigbox('100%', 'LEFT', '', '');
1539 if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) {
1540 &Header::openbox('100%', 'LEFT', "$Lang::tr{'root certificate'}:");
2feacd98 1541 @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/cacert.pem");
1542 } else {
1543 &Header::openbox('100%', 'LEFT', "$Lang::tr{'host certificate'}:");
2feacd98 1544 @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
c6c9630e 1545 }
1546 my $output = &Header::cleanhtml(join("", @output), "y");
1547 print "<pre>$output</pre>\n";
1548 &Header::closebox();
1549 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1550 &Header::closebigbox();
1551 &Header::closepage();
1552 exit(0);
1553
1554###
1555### Download root certificate
1556###
1557}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download root certificate'}) {
1558 if ( -f "${General::swroot}/ovpn/ca/cacert.pem" ) {
1559 print "Content-Type: application/octet-stream\r\n";
1560 print "Content-Disposition: filename=cacert.pem\r\n\r\n";
1561
1562 my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/ca/cacert.pem");
f158e71e 1563 print @tmp;
2feacd98 1564
1565 exit(0);
1566 }
66c36198 1567
1568###
1569### Download host certificate
1570###
1571}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download host certificate'}) {
1572 if ( -f "${General::swroot}/ovpn/certs/servercert.pem" ) {
1573 print "Content-Type: application/octet-stream\r\n";
1574 print "Content-Disposition: filename=servercert.pem\r\n\r\n";
1575
1576 my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
f158e71e 1577 print @tmp;
2feacd98 1578
1579 exit(0);
1580 }
f7fb5bc5 1581
1582###
1583### Download tls-auth key
1584###
1585}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-auth key'}) {
1586 if ( -f "${General::swroot}/ovpn/certs/ta.key" ) {
1587 print "Content-Type: application/octet-stream\r\n";
1588 print "Content-Disposition: filename=ta.key\r\n\r\n";
1589
1590 open(FILE, "${General::swroot}/ovpn/certs/ta.key");
1591 my @tmp = <FILE>;
1592 close(FILE);
1593
f158e71e 1594 print @tmp;
2feacd98 1595
1596 exit(0);
1597 }
1598
1599###
1600### Form for generating a root certificate
1601###
1602}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} ||
1603 $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
1604
1605 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1606 if (-f "${General::swroot}/ovpn/ca/cacert.pem") {
1607 $errormessage = $Lang::tr{'valid root certificate already exists'};
1608 $cgiparams{'ACTION'} = '';
1609 goto ROOTCERT_ERROR;
1610 }
1611
1612 if (($cgiparams{'ROOTCERT_HOSTNAME'} eq '') && -e "${General::swroot}/red/active") {
1613 if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
1614 my $ipaddr = <IPADDR>;
1615 close IPADDR;
1616 chomp ($ipaddr);
1617 $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
1618 if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
1619 $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
1620 }
1621 }
1622 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
2ad1b18b 1623 unless (ref ($cgiparams{'FH'})) {
1624 $errormessage = $Lang::tr{'there was no file upload'};
1625 goto ROOTCERT_ERROR;
1626 }
1627
1628 # Move uploaded certificate request to a temporary file
1629 (my $fh, my $filename) = tempfile( );
1630 if (copy ($cgiparams{'FH'}, $fh) != 1) {
1631 $errormessage = $!;
1632 goto ROOTCERT_ERROR;
1633 }
1634
1635 # Create a temporary dirctory
1636 my $tempdir = tempdir( CLEANUP => 1 );
1637
1638 # Extract the CA certificate from the file
1639 my $pid = open(OPENSSL, "|-");
1640 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1641 if ($pid) { # parent
1642 if ($cgiparams{'P12_PASS'} ne '') {
1643 print OPENSSL "$cgiparams{'P12_PASS'}\n";
1644 }
1645 close (OPENSSL);
1646 if ($?) {
1647 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1648 unlink ($filename);
1649 goto ROOTCERT_ERROR;
1650 }
1651 } else { # child
0b216134 1652 unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-cacerts', '-nokeys',
1653 '-in', $filename,
1654 '-out', "$tempdir/cacert.pem")) {
1655 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1656 unlink ($filename);
1657 goto ROOTCERT_ERROR;
1658 }
1659 }
1660
1661 # Extract the Host certificate from the file
1662 $pid = open(OPENSSL, "|-");
1663 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1664 if ($pid) { # parent
1665 if ($cgiparams{'P12_PASS'} ne '') {
1666 print OPENSSL "$cgiparams{'P12_PASS'}\n";
1667 }
1668 close (OPENSSL);
1669 if ($?) {
1670 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1671 unlink ($filename);
1672 goto ROOTCERT_ERROR;
1673 }
1674 } else { # child
0b216134 1675 unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-clcerts', '-nokeys',
1676 '-in', $filename,
1677 '-out', "$tempdir/hostcert.pem")) {
1678 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1679 unlink ($filename);
1680 goto ROOTCERT_ERROR;
1681 }
1682 }
1683
1684 # Extract the Host key from the file
1685 $pid = open(OPENSSL, "|-");
1686 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1687 if ($pid) { # parent
1688 if ($cgiparams{'P12_PASS'} ne '') {
1689 print OPENSSL "$cgiparams{'P12_PASS'}\n";
1690 }
1691 close (OPENSSL);
1692 if ($?) {
1693 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1694 unlink ($filename);
1695 goto ROOTCERT_ERROR;
1696 }
1697 } else { # child
0b216134 1698 unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-nocerts',
1699 '-nodes',
1700 '-in', $filename,
1701 '-out', "$tempdir/serverkey.pem")) {
1702 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1703 unlink ($filename);
1704 goto ROOTCERT_ERROR;
1705 }
1706 }
1707
cc79d281 1708 unless(move("$tempdir/cacert.pem", "${General::swroot}/ovpn/ca/cacert.pem")) {
1709 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1710 unlink ($filename);
1711 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1712 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1713 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1714 goto ROOTCERT_ERROR;
1715 }
1716
cc79d281 1717 unless(move("$tempdir/hostcert.pem", "${General::swroot}/ovpn/certs/servercert.pem")) {
1718 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1719 unlink ($filename);
1720 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1721 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1722 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1723 goto ROOTCERT_ERROR;
1724 }
1725
cc79d281 1726 unless(move("$tempdir/serverkey.pem", "${General::swroot}/ovpn/certs/serverkey.pem")) {
1727 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1728 unlink ($filename);
1729 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1730 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1731 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1732 goto ROOTCERT_ERROR;
1733 }
1734
1735 goto ROOTCERT_SUCCESS;
1736
1737 } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') {
1738
1739 # Validate input since the form was submitted
1740 if ($cgiparams{'ROOTCERT_ORGANIZATION'} eq ''){
1741 $errormessage = $Lang::tr{'organization cant be empty'};
1742 goto ROOTCERT_ERROR;
1743 }
1744 if (length($cgiparams{'ROOTCERT_ORGANIZATION'}) >60) {
1745 $errormessage = $Lang::tr{'organization too long'};
1746 goto ROOTCERT_ERROR;
1747 }
1748 if ($cgiparams{'ROOTCERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1749 $errormessage = $Lang::tr{'invalid input for organization'};
1750 goto ROOTCERT_ERROR;
1751 }
1752 if ($cgiparams{'ROOTCERT_HOSTNAME'} eq ''){
1753 $errormessage = $Lang::tr{'hostname cant be empty'};
1754 goto ROOTCERT_ERROR;
1755 }
1756 unless (&General::validfqdn($cgiparams{'ROOTCERT_HOSTNAME'}) || &General::validip($cgiparams{'ROOTCERT_HOSTNAME'})) {
1757 $errormessage = $Lang::tr{'invalid input for hostname'};
1758 goto ROOTCERT_ERROR;
1759 }
1760 if ($cgiparams{'ROOTCERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'ROOTCERT_EMAIL'}))) {
1761 $errormessage = $Lang::tr{'invalid input for e-mail address'};
1762 goto ROOTCERT_ERROR;
1763 }
1764 if (length($cgiparams{'ROOTCERT_EMAIL'}) > 40) {
1765 $errormessage = $Lang::tr{'e-mail address too long'};
1766 goto ROOTCERT_ERROR;
1767 }
1768 if ($cgiparams{'ROOTCERT_OU'} ne '' && $cgiparams{'ROOTCERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1769 $errormessage = $Lang::tr{'invalid input for department'};
1770 goto ROOTCERT_ERROR;
1771 }
1772 if ($cgiparams{'ROOTCERT_CITY'} ne '' && $cgiparams{'ROOTCERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1773 $errormessage = $Lang::tr{'invalid input for city'};
1774 goto ROOTCERT_ERROR;
1775 }
1776 if ($cgiparams{'ROOTCERT_STATE'} ne '' && $cgiparams{'ROOTCERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1777 $errormessage = $Lang::tr{'invalid input for state or province'};
1778 goto ROOTCERT_ERROR;
1779 }
1780 if ($cgiparams{'ROOTCERT_COUNTRY'} !~ /^[A-Z]*$/) {
1781 $errormessage = $Lang::tr{'invalid input for country'};
1782 goto ROOTCERT_ERROR;
1783 }
1784
1785 # Copy the CGI settings to vpnsettings and save the config file
1786 $vpnsettings{'ROOTCERT_ORGANIZATION'} = $cgiparams{'ROOTCERT_ORGANIZATION'};
1787 $vpnsettings{'ROOTCERT_HOSTNAME'} = $cgiparams{'ROOTCERT_HOSTNAME'};
1788 $vpnsettings{'ROOTCERT_EMAIL'} = $cgiparams{'ROOTCERT_EMAIL'};
1789 $vpnsettings{'ROOTCERT_OU'} = $cgiparams{'ROOTCERT_OU'};
1790 $vpnsettings{'ROOTCERT_CITY'} = $cgiparams{'ROOTCERT_CITY'};
1791 $vpnsettings{'ROOTCERT_STATE'} = $cgiparams{'ROOTCERT_STATE'};
1792 $vpnsettings{'ROOTCERT_COUNTRY'} = $cgiparams{'ROOTCERT_COUNTRY'};
1793 &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
1794
1795 # Replace empty strings with a .
1796 (my $ou = $cgiparams{'ROOTCERT_OU'}) =~ s/^\s*$/\./;
1797 (my $city = $cgiparams{'ROOTCERT_CITY'}) =~ s/^\s*$/\./;
1798 (my $state = $cgiparams{'ROOTCERT_STATE'}) =~ s/^\s*$/\./;
1799
1800 # refresh
c6c9630e 1801 #system ('/bin/touch', "${General::swroot}/ovpn/gencanow");
66c36198 1802
1803 # Create the CA certificate
1804 my $pid = open(OPENSSL, "|-");
1805 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1806 if ($pid) { # parent
1807 print OPENSSL "$cgiparams{'ROOTCERT_COUNTRY'}\n";
1808 print OPENSSL "$state\n";
1809 print OPENSSL "$city\n";
1810 print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";
1811 print OPENSSL "$ou\n";
1812 print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'} CA\n";
1813 print OPENSSL "$cgiparams{'ROOTCERT_EMAIL'}\n";
1814 close (OPENSSL);
1815 if ($?) {
1816 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1817 unlink ("${General::swroot}/ovpn/ca/cakey.pem");
1818 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1819 goto ROOTCERT_ERROR;
1820 }
1821 } else { # child
badd8c1c 1822 unless (exec ('/usr/bin/openssl', 'req', '-x509', '-nodes',
49abe7af 1823 '-days', '999999', '-newkey', 'rsa:4096', '-sha512',
1824 '-keyout', "${General::swroot}/ovpn/ca/cakey.pem",
1825 '-out', "${General::swroot}/ovpn/ca/cacert.pem",
1826 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
1827 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1828 goto ROOTCERT_ERROR;
1829 }
1830 }
1831
1832 # Create the Host certificate request
1833 $pid = open(OPENSSL, "|-");
1834 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1835 if ($pid) { # parent
1836 print OPENSSL "$cgiparams{'ROOTCERT_COUNTRY'}\n";
1837 print OPENSSL "$state\n";
1838 print OPENSSL "$city\n";
1839 print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";
1840 print OPENSSL "$ou\n";
1841 print OPENSSL "$cgiparams{'ROOTCERT_HOSTNAME'}\n";
1842 print OPENSSL "$cgiparams{'ROOTCERT_EMAIL'}\n";
1843 print OPENSSL ".\n";
1844 print OPENSSL ".\n";
1845 close (OPENSSL);
1846 if ($?) {
1847 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1848 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1849 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1850 goto ROOTCERT_ERROR;
1851 }
1852 } else { # child
badd8c1c 1853 unless (exec ('/usr/bin/openssl', 'req', '-nodes',
818dde8e 1854 '-newkey', 'rsa:4096',
1855 '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem",
1856 '-out', "${General::swroot}/ovpn/certs/serverreq.pem",
1857 '-extensions', 'server',
1858 '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) {
1859 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1860 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1861 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1862 unlink ("${General::swroot}/ovpn/ca/cakey.pem");
1863 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1864 goto ROOTCERT_ERROR;
1865 }
1866 }
66c36198 1867
6e13d0a5 1868 # Sign the host certificate request
2feacd98 1869 # This system call is safe, because all arguments are passed as an array (list form, so no shell is involved).
1870 system('/usr/bin/openssl', 'ca', '-days', '999999',
1871 '-batch', '-notext',
1872 '-in', "${General::swroot}/ovpn/certs/serverreq.pem",
1873 '-out', "${General::swroot}/ovpn/certs/servercert.pem",
1874 '-extensions', 'server',
1875 '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf");
1876 if ($?) {
1877 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1878 unlink ("${General::swroot}/ovpn/ca/cakey.pem");
1879 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1880 unlink ("${General::swroot}/ovpn/serverkey.pem");
1881 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1882 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
c6c9630e 1883 &newcleanssldatabase();
1884 goto ROOTCERT_ERROR;
1885 } else {
1886 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
c6c9630e 1887 &deletebackupcert();
1888 }
1889
1890 # Create an empty CRL
2feacd98 1891 # System call is safe, because all arguments are passed as an array (list form, so no shell is involved).
1892 system('/usr/bin/openssl', 'ca', '-gencrl',
1893 '-out', "${General::swroot}/ovpn/crls/cacrl.pem",
1894 '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" );
1895 if ($?) {
1896 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1897 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1898 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1899 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
66c36198 1900 unlink ("${General::swroot}/ovpn/crls/cacrl.pem");
c6c9630e 1901 &cleanssldatabase();
6e13d0a5 1902 goto ROOTCERT_ERROR;
1903# } else {
1904# &cleanssldatabase();
6e13d0a5 1905 }
ae04d0a3 1906 # Create ta.key for tls-auth
2feacd98 1907 # This system call is safe, because all arguments are passed as an array.
acbd6ff4 1908 system('/usr/sbin/openvpn', '--genkey', 'secret', "${General::swroot}/ovpn/certs/ta.key");
1909 if ($?) {
1910 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1911 &cleanssldatabase();
1912 goto ROOTCERT_ERROR;
1913 }
1914 goto ROOTCERT_SUCCESS;
1915 }
1916 ROOTCERT_ERROR:
1917 if ($cgiparams{'ACTION'} ne '') {
1918 &Header::showhttpheaders();
4c962356 1919 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
1920 &Header::openbigbox('100%', 'LEFT', '', '');
1921 if ($errormessage) {
1922 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
1923 print "<class name='base'>$errormessage";
1924 print "&nbsp;</class>";
1925 &Header::closebox();
1926 }
1927 &Header::openbox('100%', 'LEFT', "$Lang::tr{'generate root/host certificates'}:");
49abe7af 1928 print <<END;
1929 <form method='post' enctype='multipart/form-data'>
1930 <table width='100%' border='0' cellspacing='1' cellpadding='0'>
e3edceeb 1931 <tr><td width='30%' class='base'>$Lang::tr{'organization name'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
1932 <td width='35%' class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_ORGANIZATION' value='$cgiparams{'ROOTCERT_ORGANIZATION'}' size='32' /></td>
1933 <td width='35%' colspan='2'>&nbsp;</td></tr>
e3edceeb 1934 <tr><td class='base'>$Lang::tr{'ipfires hostname'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
1935 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_HOSTNAME' value='$cgiparams{'ROOTCERT_HOSTNAME'}' size='32' /></td>
1936 <td colspan='2'>&nbsp;</td></tr>
e3edceeb 1937 <tr><td class='base'>$Lang::tr{'your e-mail'}:</td>
1938 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_EMAIL' value='$cgiparams{'ROOTCERT_EMAIL'}' size='32' /></td>
1939 <td colspan='2'>&nbsp;</td></tr>
e3edceeb 1940 <tr><td class='base'>$Lang::tr{'your department'}:</td>
1941 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_OU' value='$cgiparams{'ROOTCERT_OU'}' size='32' /></td>
1942 <td colspan='2'>&nbsp;</td></tr>
e3edceeb 1943 <tr><td class='base'>$Lang::tr{'city'}:</td>
1944 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_CITY' value='$cgiparams{'ROOTCERT_CITY'}' size='32' /></td>
1945 <td colspan='2'>&nbsp;</td></tr>
e3edceeb 1946 <tr><td class='base'>$Lang::tr{'state or province'}:</td>
1947 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_STATE' value='$cgiparams{'ROOTCERT_STATE'}' size='32' /></td>
1948 <td colspan='2'>&nbsp;</td></tr>
1949 <tr><td class='base'>$Lang::tr{'country'}:</td>
66c36198 1950 <td class='base'><select name='ROOTCERT_COUNTRY'>
1951
1952END
1953 ;
1954 foreach my $country (sort keys %{Countries::countries}) {
1955 print "<option value='$Countries::countries{$country}'";
1956 if ( $Countries::countries{$country} eq $cgiparams{'ROOTCERT_COUNTRY'} ) {
1957 print " selected='selected'";
1958 }
1959 print ">$country</option>";
1960 }
49abe7af 1961 print <<END;
6e13d0a5 1962 </select></td>
4c962356 1963
1964 <tr><td>&nbsp;</td>
1965 <td><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /></td>
66c36198 1966 <td>&nbsp;</td><td>&nbsp;</td></tr>
6e13d0a5 1967 <tr><td class='base' colspan='4' align='left'>
e3edceeb 1968 <img src='/blob.gif' valign='top' alt='*' />&nbsp;$Lang::tr{'required field'}</td></tr>
49abe7af 1969 <tr><td colspan='2'><br></td></tr>
49abe7af 1970 </table>
4c962356 1971
49abe7af 1972 <table width='100%'>
4c962356 1973 <tr><td colspan='4'><hr></td></tr>
e3edceeb 1974 <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload p12 file'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
1975 <td nowrap='nowrap'><input type='file' name='FH' size='32'></td>
1976 <td colspan='2'>&nbsp;</td></tr>
e3edceeb 1977 <tr><td class='base'>$Lang::tr{'pkcs12 file password'}:</td>
1978 <td class='base' nowrap='nowrap'><input type='password' name='P12_PASS' value='$cgiparams{'P12_PASS'}' size='32' /></td>
1979 <td colspan='2'>&nbsp;</td></tr>
1980 <tr><td>&nbsp;</td>
1981 <td><input type='submit' name='ACTION' value='$Lang::tr{'upload p12 file'}' /></td>
1982 <td colspan='2'>&nbsp;</td></tr>
1983 <tr><td class='base' colspan='4' align='left'>
e3edceeb 1984 <img src='/blob.gif' valign='top' alt='*' >&nbsp;$Lang::tr{'required field'}</td>
4c962356 1985 </tr>
1986 </form></table>
1987END
1988 ;
1989 &Header::closebox();
4c962356 1990 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1991 &Header::closebigbox();
1992 &Header::closepage();
1993 exit(0)
1994 }
1995
1996 ROOTCERT_SUCCESS:
2feacd98 1997 &General::system("chmod", "600", "${General::swroot}/ovpn/certs/serverkey.pem");
1998# if ($vpnsettings{'ENABLED'} eq 'on' ||
1999# $vpnsettings{'ENABLE_BLUE'} eq 'on') {
2000# system('/usr/local/bin/ipsecctrl', 'S');
2001# }
2002
2003###
2004### Enable/Disable connection
2005###
2006
2007###
7c1d9faf 2008# m.a.d net2net
2009###
2010
6e13d0a5 2011}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {
66c36198 2012
c6c9630e 2013 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
6e13d0a5 2014 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2015 my $n2nactive = '';
2016 my @ps = &General::system_output("/bin/ps", "ax");
2017
2018 if(grep(/$confighash{$cgiparams{'KEY'}}[1]/, @ps)) {
2019 $n2nactive = "1";
2020 }
66c36198 2021
6e13d0a5 2022 if ($confighash{$cgiparams{'KEY'}}) {
2023 if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') {
2024 $confighash{$cgiparams{'KEY'}}[0] = 'on';
2025 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
ce9abb66 2026
8c877a82 2027 if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
2feacd98 2028 &General::system("/usr/local/bin/openvpnctrl", "-sn2n", "$confighash{$cgiparams{'KEY'}}[1]");
775b4494 2029 &writecollectdconf();
2030 }
2031 } else {
ce9abb66 2032
2033 $confighash{$cgiparams{'KEY'}}[0] = 'off';
2034 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
ce9abb66 2035
8c877a82 2036 if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
775b4494 2037 if ($n2nactive ne '') {
2feacd98 2038 &General::system("/usr/local/bin/openvpnctrl", "-kn2n", "$confighash{$cgiparams{'KEY'}}[1]");
2039 &writecollectdconf();
2040 }
8c877a82 2041 }
775b4494 2042 }
ce9abb66 2043 }
2044
2045###
2046### Download OpenVPN client package
2047###
2048
2049
2050} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'dl client arch'}) {
2051 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
2052 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2053 my $file = '';
2054 my $clientovpn = '';
2055 my @fileholder;
2056 my $tempdir = tempdir( CLEANUP => 1 );
2057 my $zippath = "$tempdir/";
2058
2059###
2060# m.a.d net2net
2061###
2062
2063if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
66c36198 2064
2065 my $zipname = "$confighash{$cgiparams{'KEY'}}[1]-Client.zip";
2066 my $zippathname = "$zippath$zipname";
66c36198 2067 $clientovpn = "$confighash{$cgiparams{'KEY'}}[1].conf";
ce9abb66 2068 my @ovsubnettemp = split(/\./,$confighash{$cgiparams{'KEY'}}[27]);
54fd0535 2069 my $ovsubnet = "$ovsubnettemp[0].$ovsubnettemp[1].$ovsubnettemp[2]";
66c36198 2070 my $tunmtu = '';
7c1d9faf 2071 my @remsubnet = split(/\//,$confighash{$cgiparams{'KEY'}}[8]);
54fd0535 2072 my $n2nfragment = '';
66c36198 2073
2074 open(CLIENTCONF, ">$tempdir/$clientovpn") or die "Unable to open tempfile: $!";
2075 flock CLIENTCONF, 2;
66c36198 2076
ce9abb66 2077 my $zip = Archive::Zip->new();
7c1d9faf 2078 print CLIENTCONF "# IPFire n2n Open VPN Client Config by ummeegge und m.a.d\n";
ce9abb66 2079 print CLIENTCONF "# \n";
b278daf3 2080 print CLIENTCONF "# User Security\n";
2081 print CLIENTCONF "user nobody\n";
2082 print CLIENTCONF "group nobody\n";
2083 print CLIENTCONF "persist-tun\n";
2084 print CLIENTCONF "persist-key\n";
7c1d9faf 2085 print CLIENTCONF "script-security 2\n";
66c36198 2086 print CLIENTCONF "# IP/DNS for remote Server Gateway\n";
531f0835 2087 print CLIENTCONF "remote $vpnsettings{'VPN_IP'}\n";
b278daf3 2088 print CLIENTCONF "float\n";
2089 print CLIENTCONF "# IP adresses of the VPN Subnet\n";
2090 print CLIENTCONF "ifconfig $ovsubnet.2 $ovsubnet.1\n";
2091 print CLIENTCONF "# Server Gateway Network\n";
7c1d9faf 2092 print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n";
2093 print CLIENTCONF "# tun Device\n";
2094 print CLIENTCONF "dev tun\n";
2095 print CLIENTCONF "#Logfile for statistics\n";
2096 print CLIENTCONF "status-version 1\n";
2097 print CLIENTCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n";
2098 print CLIENTCONF "# Port and Protokoll\n";
2099 print CLIENTCONF "port $confighash{$cgiparams{'KEY'}}[29]\n";
2100
60f396d7 2101 if ($confighash{$cgiparams{'KEY'}}[28] eq 'tcp') {
1580d3b1 2102 print CLIENTCONF "proto tcp4-client\n";
60f396d7 2103 print CLIENTCONF "# Packet size\n";
d96c89eb 2104 if ($confighash{$cgiparams{'KEY'}}[31] eq '') {$tunmtu = '1400'} else {$tunmtu = $confighash{$cgiparams{'KEY'}}[31]};
60f396d7 2105 print CLIENTCONF "tun-mtu $tunmtu\n";
d96c89eb 2106 }
66c36198 2107
60f396d7 2108 if ($confighash{$cgiparams{'KEY'}}[28] eq 'udp') {
1580d3b1 2109 print CLIENTCONF "proto udp4\n";
2110 print CLIENTCONF "# Paketsize\n";
2111 if ($confighash{$cgiparams{'KEY'}}[31] eq '') {$tunmtu = '1500'} else {$tunmtu = $confighash{$cgiparams{'KEY'}}[31]};
2112 print CLIENTCONF "tun-mtu $tunmtu\n";
54fd0535 2113 if ($confighash{$cgiparams{'KEY'}}[24] ne '') {print CLIENTCONF "fragment $confighash{$cgiparams{'KEY'}}[24]\n";}
d6989b4b 2114 if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF "mssfix\n";} else { print CLIENTCONF "mssfix 0\n"; }
d96c89eb 2115 }
2116 # Check whether the host certificate's X.509 extensions are RFC 3280 compliant.
2117 # If not, the old --ns-cert-type directive is used.
2118 # If the appropriate extended key usage extension exists, the newer --remote-cert-tls directive is used.
2119 my @hostcert = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
2120 if (! grep(/TLS Web Server Authentication/, @hostcert)) {
2121 print CLIENTCONF "ns-cert-type server\n";
2122 } else {
2123 print CLIENTCONF "remote-cert-tls server\n";
2124 }
2125 print CLIENTCONF "# Auth. Client\n";
2126 print CLIENTCONF "tls-client\n";
49abe7af 2127 print CLIENTCONF "# Cipher\n";
4c962356 2128 print CLIENTCONF "cipher $confighash{$cgiparams{'KEY'}}[40]\n";
66c36198 2129 if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") {
2130 print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12\r\n";
2131 $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
49abe7af 2132 }
2133
2134 # If GCM cipher is used, do not use --auth
2135 if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') ||
2136 ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') ||
2137 ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) {
2138 print CLIENTCONF unless "# HMAC algorithm\n";
2139 print CLIENTCONF unless "auth $confighash{$cgiparams{'KEY'}}[39]\n";
49abe7af 2140 } else {
2141 print CLIENTCONF "# HMAC algorithm\n";
2142 print CLIENTCONF "auth $confighash{$cgiparams{'KEY'}}[39]\n";
49abe7af 2143 }
52f61e49 2144
4c962356 2145 if ($confighash{$cgiparams{'KEY'}}[30] eq 'on') {
b278daf3 2146 print CLIENTCONF "# Enable Compression\n";
66298ef2 2147 print CLIENTCONF "comp-lzo\n";
b278daf3 2148 }
2149 print CLIENTCONF "# Debug Level\n";
2150 print CLIENTCONF "verb 3\n";
2151 print CLIENTCONF "# Tunnel check\n";
2152 print CLIENTCONF "keepalive 10 60\n";
2153 print CLIENTCONF "# Start as daemon\n";
2154 print CLIENTCONF "daemon $confighash{$cgiparams{'KEY'}}[1]n2n\n";
2155 print CLIENTCONF "writepid /var/run/$confighash{$cgiparams{'KEY'}}[1]n2n.pid\n";
2156 print CLIENTCONF "# Activate Management Interface and Port\n";
2157 if ($confighash{$cgiparams{'KEY'}}[22] eq '') {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[29]\n"}
2158 else {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[22]\n"};
ce9abb66 2159 print CLIENTCONF "# remsub $confighash{$cgiparams{'KEY'}}[11]\n";
0b216134 2160 print CLIENTCONF "providers legacy default\n";
66c36198 2161
2162
2163 close(CLIENTCONF);
66c36198 2164
2165 $zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n";
2166 my $status = $zip->writeToFileNamed($zippathname);
2167
2168 open(DLFILE, "<$zippathname") or die "Unable to open $zippathname: $!";
2169 @fileholder = <DLFILE>;
2170 print "Content-Type:application/x-download\n";
2171 print "Content-Disposition:attachment;filename=$zipname\n\n";
2172 print @fileholder;
2173 exit (0);
2174}
2175else
2176{
2177 my $zipname = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.zip";
2178 my $zippathname = "$zippath$zipname";
2179 $clientovpn = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.ovpn";
2180
2181###
7c1d9faf 2182# m.a.d net2net
ce9abb66 2183###
66c36198 2184
c6c9630e 2185 open(CLIENTCONF, ">$tempdir/$clientovpn") or die "Unable to open tempfile: $!";
6e13d0a5 2186 flock CLIENTCONF, 2;
66c36198 2187
6e13d0a5 2188 my $zip = Archive::Zip->new();
66c36198 2189
8c877a82 2190 print CLIENTCONF "#OpenVPN Client conf\r\n";
2191 print CLIENTCONF "tls-client\r\n";
2192 print CLIENTCONF "client\r\n";
4f6e3ae3 2193 print CLIENTCONF "nobind\r\n";
79e7688b 2194 print CLIENTCONF "dev tun\r\n";
c6c9630e 2195 print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n";
d6989b4b 2196 print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n";
2ee746be 2197
2198 if ( $vpnsettings{'ENABLED'} eq 'on'){
2199 print CLIENTCONF "remote $vpnsettings{'VPN_IP'} $vpnsettings{'DDEST_PORT'}\r\n";
66c36198 2200 if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&haveBlueNet())){
574f4538 2201 print CLIENTCONF "#comment the above line and uncomment the next line, if you want to connect on the Blue interface\r\n";
2202 print CLIENTCONF ";remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
2203 }
2204 if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){
574f4538 2205 print CLIENTCONF "#comment the above line and uncomment the next line, if you want to connect on the Orange interface\r\n";
2206 print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
2207 }
2208 } elsif ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&haveBlueNet())){
2209 print CLIENTCONF "remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
2210 if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){
574f4538 2211 print CLIENTCONF "#comment the above line and uncomment the next line, if you want to connect on the Orange interface\r\n";
2212 print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
2213 }
2214 } elsif ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){
2215 print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
6e13d0a5 2216 }
66c36198 2217
2218 my $file_crt = new File::Temp( UNLINK => 1 );
2219 my $file_key = new File::Temp( UNLINK => 1 );
b22d8aaf 2220 my $include_certs = 0;
71af643c 2221
66c36198 2222 if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") {
71af643c 2223 if ($cgiparams{'MODE'} eq 'insecure') {
2224 $include_certs = 1;
2225
71af643c 2226 # Add the CA
b22d8aaf 2227 print CLIENTCONF ";ca cacert.pem\r\n";
2228 $zip->addFile("${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n";
2229
2230 # Extract the certificate
2feacd98 2231 # This system call is safe, because all arguments are passed as an array.
c847846c 2232 system('/usr/bin/openssl', 'pkcs12', '-legacy', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
2233 '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:');
2234 if ($?) {
2235 die "openssl error: $?";
2236 }
2237
2238 $zip->addFile("$file_crt", "$confighash{$cgiparams{'KEY'}}[1].pem") or die;
b22d8aaf 2239 print CLIENTCONF ";cert $confighash{$cgiparams{'KEY'}}[1].pem\r\n";
2240
2241 # Extract the key
2feacd98 2242 # This system call is safe, because all arguments are passed as an array.
c847846c 2243 system('/usr/bin/openssl', 'pkcs12', '-legacy', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
2244 '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:');
2245 if ($?) {
2246 die "openssl error: $?";
2247 }
2248
2249 $zip->addFile("$file_key", "$confighash{$cgiparams{'KEY'}}[1].key") or die;
b22d8aaf 2250 print CLIENTCONF ";key $confighash{$cgiparams{'KEY'}}[1].key\r\n";
2251 } else {
2252 print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
2253 $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
2254 }
6e13d0a5 2255 } else {
2256 print CLIENTCONF "ca cacert.pem\r\n";
2257 print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n";
2258 print CLIENTCONF "key $confighash{$cgiparams{'KEY'}}[1].key\r\n";
2259 $zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n";
66c36198 2260 $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n";
2261 }
2262 print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n";
49abe7af 2263 print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
86308adb 2264
49abe7af 2265 if ($vpnsettings{'TLSAUTH'} eq 'on') {
2266 if ($cgiparams{'MODE'} eq 'insecure') {
2267 print CLIENTCONF ";";
2268 }
2269 print CLIENTCONF "tls-auth ta.key\r\n";
2270 $zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key") or die "Can't add file ta.key\n";
49abe7af 2271 }
2272 if ($vpnsettings{DCOMPLZO} eq 'on') {
2273 print CLIENTCONF "comp-lzo\r\n";
2274 }
2275 print CLIENTCONF "verb 3\r\n";
2276 # Check whether the host certificate's X.509 extensions are RFC 3280 compliant.
2277 # If not, the old --ns-cert-type directive is used.
2278 # If the appropriate extended key usage extension exists, the newer --remote-cert-tls directive is used.
2279 my @hostcert = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
2280 if (! grep(/TLS Web Server Authentication/, @hostcert)) {
2281 print CLIENTCONF "ns-cert-type server\r\n";
2282 } else {
2283 print CLIENTCONF "remote-cert-tls server\r\n";
2284 }
964700d4 2285 print CLIENTCONF "verify-x509-name $vpnsettings{ROOTCERT_HOSTNAME} name\r\n";
2286 if ($vpnsettings{MSSFIX} eq 'on') {
2287 print CLIENTCONF "mssfix\r\n";
2288 } else {
2289 print CLIENTCONF "mssfix 0\r\n";
a79fa1d6 2290 }
74225cce 2291 if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' ) {
2292 print CLIENTCONF "fragment $vpnsettings{'FRAGMENT'}\r\n";
2293 }
2294
2295 # Do not cache any credentials in memory
2296 print CLIENTCONF "auth-nocache\r\n";
2297
2298 # Set a fake user name for authentication
2299 print CLIENTCONF "auth-token-user USER\r\n";
2300 print CLIENTCONF "auth-token TOTP\r\n";
2301
2302 # If the server is asking for TOTP this needs to happen interactively
2303 print CLIENTCONF "auth-retry interact\r\n";
1647059d 2304
2305 if ($include_certs) {
2306 print CLIENTCONF "\r\n";
2307
2308 # CA
2309 open(FILE, "<${General::swroot}/ovpn/ca/cacert.pem");
2310 print CLIENTCONF "<ca>\r\n";
2311 while (<FILE>) {
2312 chomp($_);
2313 print CLIENTCONF "$_\r\n";
2314 }
2315 print CLIENTCONF "</ca>\r\n\r\n";
2316 close(FILE);
2317
2318 # Cert
2319 open(FILE, "<$file_crt");
2320 print CLIENTCONF "<cert>\r\n";
2321 while (<FILE>) {
2322 chomp($_);
2323 print CLIENTCONF "$_\r\n";
2324 }
2325 print CLIENTCONF "</cert>\r\n\r\n";
2326 close(FILE);
2327
2328 # Key
2329 open(FILE, "<$file_key");
2330 print CLIENTCONF "<key>\r\n";
2331 while (<FILE>) {
2332 chomp($_);
2333 print CLIENTCONF "$_\r\n";
2334 }
2335 print CLIENTCONF "</key>\r\n\r\n";
2336 close(FILE);
2337
2338 # TLS auth
2339 if ($vpnsettings{'TLSAUTH'} eq 'on') {
2340 open(FILE, "<${General::swroot}/ovpn/certs/ta.key");
2341 print CLIENTCONF "<tls-auth>\r\n";
2342 while (<FILE>) {
2343 chomp($_);
2344 print CLIENTCONF "$_\r\n";
2345 }
2346 print CLIENTCONF "</tls-auth>\r\n\r\n";
2347 close(FILE);
2348 }
2349 }
2350
2351 # Append client.conf.local to client.ovpn if it has entries and additional configs are enabled
2352 if (!-z $local_clientconf && $vpnsettings{'ADDITIONAL_CONFIGS'} eq 'on') {
2353 open (LCC, "$local_clientconf");
2354 print CLIENTCONF "\n#---------------------------\n";
2355 print CLIENTCONF "# Start of custom directives\n";
2356 print CLIENTCONF "# from client.conf.local\n";
2357 print CLIENTCONF "#---------------------------\n\n";
2358 while (<LCC>) {
2359 print CLIENTCONF $_;
2360 }
2361 print CLIENTCONF "\n#---------------------------\n";
2362 print CLIENTCONF "# End of custom directives\n";
2363 print CLIENTCONF "#---------------------------\n\n";
2364 close (LCC);
2365 }
6e13d0a5 2366 close(CLIENTCONF);
66c36198 2367
2368 $zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n";
2369 my $status = $zip->writeToFileNamed($zippathname);
2370
2371 open(DLFILE, "<$zippathname") or die "Unable to open $zippathname: $!";
2372 @fileholder = <DLFILE>;
2373 print "Content-Type:application/x-download\n";
2374 print "Content-Disposition:attachment;filename=$zipname\n\n";
2375 print @fileholder;
2376 exit (0);
ce9abb66 2377 }
2378
2379
2380
2381###
2382### Remove connection
2383###
2384
2385
6e13d0a5 2386} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) {
2387 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
2388 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
c6c9630e 2389
323be7c4 2390 if ($confighash{$cgiparams{'KEY'}}) {
fde9c9dd 2391 # Revoke certificate if certificate was deleted and rewrite the CRL
274ca65b 2392 &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
2feacd98 2393 &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
2394
2395###
7c1d9faf 2396# m.a.d net2net
ce9abb66 2397###
7c1d9faf 2398
323be7c4 2399 if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') {
1e499e90 2400 # Stop the N2N connection before it is removed
2feacd98 2401 &General::system("/usr/local/bin/openvpnctrl", "-kn2n", "$confighash{$cgiparams{'KEY'}}[1]");
1e499e90 2402
2403 my $conffile = glob("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]/$confighash{$cgiparams{'KEY'}}[1].conf");
2404 my $certfile = glob("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
2405 unlink ($certfile);
2406 unlink ($conffile);
8e6a8fd5 2407
2408 if (-e "${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") {
2409 rmdir ("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") || die "Kann Verzeichnis nicht loeschen: $!";
2410 }
323be7c4 2411 }
ce9abb66 2412
2413 unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
2414 unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
2415
2416# A.Marx CCD delete ccd files and routes
2417
2418 if (-f "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]")
2419 {
2420 unlink "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]";
8c877a82 2421 }
66c36198 2422
2423 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
2424 foreach my $key (keys %ccdroutehash) {
2425 if ($ccdroutehash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){
2426 delete $ccdroutehash{$key};
2427 }
8c877a82 2428 }
323be7c4 2429 &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
66c36198 2430
2431 &General::readhasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
2432 foreach my $key (keys %ccdroute2hash) {
2433 if ($ccdroute2hash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){
2434 delete $ccdroute2hash{$key};
2435 }
2436 }
2437 &General::writehasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
2438 &writeserverconf;
8c877a82 2439
2440# CCD end
2441 # Update collectd configuration and delete all RRD files of the removed connection
2442 &writecollectdconf();
2feacd98 2443 &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]");
8c877a82 2444
323be7c4 2445 delete $confighash{$cgiparams{'KEY'}};
2feacd98 2446 &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
2447 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2448
2449 } else {
2450 $errormessage = $Lang::tr{'invalid key'};
2451 }
b2e75449 2452 &General::firewall_reload();
ce9abb66 2453
2454###
2455### Download PKCS12 file
2456###
2457} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download pkcs12 file'}) {
2458 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2459
2460 print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n";
2461 print "Content-Type: application/octet-stream\r\n\r\n";
2462
2463 open(FILE, "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
2464 my @tmp = <FILE>;
2465 close(FILE);
2466
f158e71e 2467 print @tmp;
2468 exit (0);
2469
2470###
2471### Display certificate
2472###
2473} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show certificate'}) {
2474 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2475
2476 if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
c6c9630e 2477 &Header::showhttpheaders();
4c962356 2478 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
2479 &Header::openbigbox('100%', 'LEFT', '', '');
2480 &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate'}:");
2feacd98 2481 my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
2482 my $output = &Header::cleanhtml(join("", @output), "y");
2483 print "<pre>$output</pre>\n";
2484 &Header::closebox();
2485 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2486 &Header::closebigbox();
2487 &Header::closepage();
2488 exit(0);
6e13d0a5 2489 }
4c962356 2490
2491###
2492### Display OTP QRCode
2493###
2494} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show otp qrcode'}) {
2495 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2496
2497 my $qrcode = Imager::QRCode->new(
2498 size => 6,
2499 margin => 0,
2500 version => 0,
2501 level => 'M',
2502 mode => '8-bit',
2503 casesensitive => 1,
2504 lightcolor => Imager::Color->new(255, 255, 255),
2505 darkcolor => Imager::Color->new(0, 0, 0),
2506 );
3740b7ad 2507 my $cn = uri_encode($confighash{$cgiparams{'KEY'}}[2]);
10b32d38 2508 my $secret = encode_base32(pack('H*', $confighash{$cgiparams{'KEY'}}[44]));
3740b7ad 2509 my $issuer = uri_encode("$mainsettings{'HOSTNAME'}.$mainsettings{'DOMAINNAME'}");
2510 my $qrcodeimg = $qrcode->plot("otpauth://totp/$cn?secret=$secret&issuer=$issuer");
2511 my $qrcodeimgdata;
2512 $qrcodeimg->write(data => \$qrcodeimgdata, type=> 'png')
2513 or die $qrcodeimg->errstr;
2514 $qrcodeimgdata = encode_base64($qrcodeimgdata, '');
2515
2516 &Header::showhttpheaders();
2517 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
2518 &Header::openbigbox('100%', 'LEFT', '', '');
2519 &Header::openbox('100%', 'LEFT', "$Lang::tr{'otp qrcode'}:");
2520 print <<END;
2521$Lang::tr{'secret'}:&nbsp;$secret</br></br>
2522<img alt="$Lang::tr{'otp qrcode'}" src="data:image/png;base64,$qrcodeimgdata">
2523END
2524 &Header::closebox();
2525 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2526 &Header::closebigbox();
2527 &Header::closepage();
2528 exit(0);
2529
2530###
2531### Display Diffie-Hellman key
2532###
2533} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show dh'}) {
2534
35494eac 2535 if (! -e "$dhparameter") {
49abe7af 2536 $errormessage = $Lang::tr{'not present'};
2537 } else {
2538 &Header::showhttpheaders();
2539 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
2540 &Header::openbigbox('100%', 'LEFT', '', '');
2541 &Header::openbox('100%', 'LEFT', "$Lang::tr{'dh'}:");
35494eac 2542 my @output = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "$dhparameter");
2543 my $output = &Header::cleanhtml(join("", @output) ,"y");
2544 print "<pre>$output</pre>\n";
2545 &Header::closebox();
2546 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2547 &Header::closebigbox();
2548 &Header::closepage();
2549 exit(0);
2550 }
2551
2552###
2553### Display tls-auth key
2554###
2555} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show tls-auth key'}) {
2556
2557 if (! -e "${General::swroot}/ovpn/certs/ta.key") {
2558 $errormessage = $Lang::tr{'not present'};
2559 } else {
2560 &Header::showhttpheaders();
2561 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
2562 &Header::openbigbox('100%', 'LEFT', '', '');
2563 &Header::openbox('100%', 'LEFT', "$Lang::tr{'ta key'}:");
2564
2565 open(FILE, "${General::swroot}/ovpn/certs/ta.key");
2566 my @output = <FILE>;
2567 close(FILE);
2568
2569 my $output = &Header::cleanhtml(join("", @output),"y");
2570 print "<pre>$output</pre>\n";
2571 &Header::closebox();
2572 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2573 &Header::closebigbox();
2574 &Header::closepage();
2575 exit(0);
2576 }
2577
2578###
2579### Display Certificate Revoke List
2580###
2581} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show crl'}) {
2582# &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2583
2584 if (! -e "${General::swroot}/ovpn/crls/cacrl.pem") {
2585 $errormessage = $Lang::tr{'not present'};
2586 } else {
2587 &Header::showhttpheaders();
2588 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
2589 &Header::openbigbox('100%', 'LEFT', '', '');
2590 &Header::openbox('100%', 'LEFT', "$Lang::tr{'crl'}:");
2feacd98 2591 my @output = &General::system_output("/usr/bin/openssl", "crl", "-text", "-noout", "-in", "${General::swroot}/ovpn/crls/cacrl.pem");
2592 my $output = &Header::cleanhtml(join("", @output), "y");
2593 print "<pre>$output</pre>\n";
2594 &Header::closebox();
2595 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2596 &Header::closebigbox();
2597 &Header::closepage();
2598 exit(0);
2599 }
2600
2601###
2602### Advanced Server Settings
2603###
2604
2605} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'advanced server'}) {
2606 %cgiparams = ();
2607 %cahash = ();
2608 %confighash = ();
8c877a82 2609 my $disabled;
6e13d0a5 2610 &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams);
54fd0535 2611 read_routepushfile;
2612
2613
c6c9630e 2614# if ($cgiparams{'CLIENT2CLIENT'} eq '') {
66c36198 2615# $cgiparams{'CLIENT2CLIENT'} = 'on';
c6c9630e 2616# }
2617ADV_ERROR:
2618 if ($cgiparams{'MAX_CLIENTS'} eq '') {
4c962356 2619 $cgiparams{'MAX_CLIENTS'} = '100';
6e13d0a5 2620 }
6e13d0a5 2621 if ($cgiparams{'KEEPALIVE_1'} eq '') {
4c962356 2622 $cgiparams{'KEEPALIVE_1'} = '10';
2623 }
2624 if ($cgiparams{'KEEPALIVE_2'} eq '') {
4c962356 2625 $cgiparams{'KEEPALIVE_2'} = '60';
2626 }
2627 if ($cgiparams{'LOG_VERB'} eq '') {
4c962356 2628 $cgiparams{'LOG_VERB'} = '3';
ae9f6139 2629 }
f527e53f 2630 if ($cgiparams{'TLSAUTH'} eq '') {
754066e6 2631 $cgiparams{'TLSAUTH'} = 'off';
f527e53f 2632 }
2633 $checked{'CLIENT2CLIENT'}{'off'} = '';
2634 $checked{'CLIENT2CLIENT'}{'on'} = '';
2635 $checked{'CLIENT2CLIENT'}{$cgiparams{'CLIENT2CLIENT'}} = 'CHECKED';
2636 $checked{'REDIRECT_GW_DEF1'}{'off'} = '';
2637 $checked{'REDIRECT_GW_DEF1'}{'on'} = '';
2638 $checked{'REDIRECT_GW_DEF1'}{$cgiparams{'REDIRECT_GW_DEF1'}} = 'CHECKED';
2639 $checked{'DCOMPLZO'}{'off'} = '';
2640 $checked{'DCOMPLZO'}{'on'} = '';
2641 $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED';
2642 $checked{'ADDITIONAL_CONFIGS'}{'off'} = '';
2643 $checked{'ADDITIONAL_CONFIGS'}{'on'} = '';
2644 $checked{'ADDITIONAL_CONFIGS'}{$cgiparams{'ADDITIONAL_CONFIGS'}} = 'CHECKED';
2645 $checked{'MSSFIX'}{'off'} = '';
2646 $checked{'MSSFIX'}{'on'} = '';
2647 $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
49abe7af 2648 $selected{'LOG_VERB'}{'0'} = '';
2649 $selected{'LOG_VERB'}{'1'} = '';
2650 $selected{'LOG_VERB'}{'2'} = '';
2651 $selected{'LOG_VERB'}{'3'} = '';
2652 $selected{'LOG_VERB'}{'4'} = '';
2653 $selected{'LOG_VERB'}{'5'} = '';
2654 $selected{'LOG_VERB'}{'6'} = '';
2655 $selected{'LOG_VERB'}{'7'} = '';
2656 $selected{'LOG_VERB'}{'8'} = '';
2657 $selected{'LOG_VERB'}{'9'} = '';
2658 $selected{'LOG_VERB'}{'10'} = '';
2659 $selected{'LOG_VERB'}{'11'} = '';
6e13d0a5 2660 $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED';
66c36198 2661
2662 &Header::showhttpheaders();
2663 &Header::openpage($Lang::tr{'status ovpn'}, 1, '');
66c36198 2664 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
6e13d0a5 2665 if ($errormessage) {
2666 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
2667 print "<class name='base'>$errormessage\n";
2668 print "&nbsp;</class>\n";
2669 &Header::closebox();
2670 }
2671 &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'});
4c962356 2672 print <<END;
b376fae4 2673 <form method='post' enctype='multipart/form-data'>
b2e75449 2674<table width='100%' border=0>
2675 <tr>
2676 <td colspan='4'><b>$Lang::tr{'dhcp-options'}</b></td>
2677 </tr>
2678 <tr>
4c962356 2679 <td width='25%'></td> <td width='20%'> </td><td width='25%'> </td><td width='30%'></td>
2680 </tr>
2681 <tr>
4c962356 2682 <td class='base'>Domain</td>
8c877a82 2683 <td><input type='TEXT' name='DHCP_DOMAIN' value='$cgiparams{'DHCP_DOMAIN'}' size='30' /></td>
6e13d0a5 2684 </tr>
66c36198 2685 <tr>
2686 <td class='base'>DNS</td>
2687 <td><input type='TEXT' name='DHCP_DNS' value='$cgiparams{'DHCP_DNS'}' size='30' /></td>
2688 </tr>
2689 <tr>
2690 <td class='base'>WINS</td>
2691 <td><input type='TEXT' name='DHCP_WINS' value='$cgiparams{'DHCP_WINS'}' size='30' /></td>
2692 </tr>
54fd0535 2693 <tr>
4c962356 2694 <td colspan='4'><b>$Lang::tr{'ovpn routes push options'}</b></td>
54fd0535 2695 </tr>
66c36198 2696 <tr>
2697 <td class='base'>$Lang::tr{'ovpn routes push'}</td>
2698 <td colspan='2'>
2699 <textarea name='ROUTES_PUSH' cols='26' rows='6' wrap='off'>
2700END
2701;
2702
2703if ($cgiparams{'ROUTES_PUSH'} ne '')
2704{
2705 print $cgiparams{'ROUTES_PUSH'};
2706}
2707
8c877a82 2708print <<END;
2709</textarea></td>
2710</tr>
2711 </tr>
2712</table>
2713<hr size='1'>
4c962356 2714<table width='100%'>
ffbe77c8 2715 <tr>
f99ed824 2716 <td class='base'><b>$Lang::tr{'misc-options'}</b></td>
2717 </tr>
2718
2719 <tr>
d2de0a00 2720 <td width='20%'></td> <td width='15%'> </td><td width='35%'> </td><td width='20%'></td><td width='35%'></td>
2721 </tr>
2722
2723 <tr>
2724 <td class='base'>Client-To-Client</td>
2725 <td><input type='checkbox' name='CLIENT2CLIENT' $checked{'CLIENT2CLIENT'}{'on'} /></td>
2726 </tr>
2727
2728 <tr>
2729 <td class='base'>Redirect-Gateway def1</td>
2730 <td><input type='checkbox' name='REDIRECT_GW_DEF1' $checked{'REDIRECT_GW_DEF1'}{'on'} /></td>
2731 </tr>
2732
2733 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'}</td>
2734 <td><input type='checkbox' name='DCOMPLZO' $checked{'DCOMPLZO'}{'on'} /></td>
2735 <td>$Lang::tr{'openvpn default'}: off <font color='red'>($Lang::tr{'attention'} exploitable via Voracle)</font></td>
2736 </tr>
2737
4c962356 2738 <tr>
2739 <td class='base'>$Lang::tr{'ovpn add conf'}</td>
2740 <td><input type='checkbox' name='ADDITIONAL_CONFIGS' $checked{'ADDITIONAL_CONFIGS'}{'on'} /></td>
2741 <td>$Lang::tr{'openvpn default'}: off</td>
2742 </tr>
2743
2744 <tr>
2745 <td class='base'>mssfix</td>
2746 <td><input type='checkbox' name='MSSFIX' $checked{'MSSFIX'}{'on'} /></td>
2747 <td>$Lang::tr{'openvpn default'}: off</td>
2748 </tr>
2749
4c962356 2750 <tr>
2751 <td class='base'>fragment <br></td>
2752 <td><input type='TEXT' name='FRAGMENT' value='$cgiparams{'FRAGMENT'}' size='10' /></td>
2753 </tr>
2754
2755
2756 <tr>
2757 <td class='base'>Max-Clients</td>
2758 <td><input type='text' name='MAX_CLIENTS' value='$cgiparams{'MAX_CLIENTS'}' size='10' /></td>
2759 </tr>
2760 <tr>
2761 <td class='base'>Keepalive <br />
2762 (ping/ping-restart)</td>
2763 <td><input type='TEXT' name='KEEPALIVE_1' value='$cgiparams{'KEEPALIVE_1'}' size='10' /></td>
2764 <td><input type='TEXT' name='KEEPALIVE_2' value='$cgiparams{'KEEPALIVE_2'}' size='10' /></td>
2765 </tr>
2766</table>
2767
a79fa1d6 2768<hr size='1'>
4c962356 2769<table width='100%'>
a79fa1d6 2770 <tr>
f99ed824 2771 <td class='base'><b>$Lang::tr{'log-options'}</b></td>
2772 </tr>
2773 <tr>
49abe7af 2774 <td width='20%'></td> <td width='30%'> </td><td width='25%'> </td><td width='25%'></td>
2775 </tr>
2776
2777 <tr><td class='base'>VERB</td>
2778 <td><select name='LOG_VERB'>
2779 <option value='0' $selected{'LOG_VERB'}{'0'}>0</option>
2780 <option value='1' $selected{'LOG_VERB'}{'1'}>1</option>
2781 <option value='2' $selected{'LOG_VERB'}{'2'}>2</option>
2782 <option value='3' $selected{'LOG_VERB'}{'3'}>3</option>
2783 <option value='4' $selected{'LOG_VERB'}{'4'}>4</option>
2784 <option value='5' $selected{'LOG_VERB'}{'5'}>5</option>
2785 <option value='6' $selected{'LOG_VERB'}{'6'}>6</option>
2786 <option value='7' $selected{'LOG_VERB'}{'7'}>7</option>
2787 <option value='8' $selected{'LOG_VERB'}{'8'}>8</option>
2788 <option value='9' $selected{'LOG_VERB'}{'9'}>9</option>
2789 <option value='10' $selected{'LOG_VERB'}{'10'}>10</option>
2790 <option value='11' $selected{'LOG_VERB'}{'11'}>11</option>
2791 </td></select>
2792 </table>
4c962356 2793
6e13d0a5 2794<hr size='1'>
2795END
2796
2797if ( -e "/var/run/openvpn.pid"){
2798print" <br><b><font color='#990000'>$Lang::tr{'attention'}:</b></font><br>
2799 $Lang::tr{'server restart'}<br><br>
2800 <hr>";
49abe7af 2801 print<<END;
2802<table width='100%'>
2803<tr>
2804 <td>&nbsp;</td>
2805 <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-adv-options'}' disabled='disabled' /></td>
2806 <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td>
66c36198 2807 <td>&nbsp;</td>
52d08bcb 2808</tr>
66c36198 2809</table>
2810</form>
2811END
2812;
2813
2814
52d08bcb 2815}else{
8c877a82 2816
49abe7af 2817 print<<END;
2818<table width='100%'>
2819<tr>
2820 <td>&nbsp;</td>
2821 <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-adv-options'}' /></td>
2822 <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td>
66c36198 2823 <td>&nbsp;</td>
6e13d0a5 2824</tr>
66c36198 2825</table>
2826</form>
2827END
66c36198 2828;
52d08bcb 2829}
6e13d0a5 2830 &Header::closebox();
c6c9630e 2831# print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2832 &Header::closebigbox();
2833 &Header::closepage();
2834 exit(0);
66c36198 2835
2836
2837# A.Marx CCD Add,delete or edit CCD net
2838
2839} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'ccd net'} ||
2840 $cgiparams{'ACTION'} eq $Lang::tr{'ccd add'} ||
2841 $cgiparams{'ACTION'} eq "kill" ||
2842 $cgiparams{'ACTION'} eq "edit" ||
2843 $cgiparams{'ACTION'} eq 'editsave'){
2844 &Header::showhttpheaders();
2845 &Header::openpage($Lang::tr{'ccd net'}, 1, '');
2846 &Header::openbigbox('100%', 'LEFT', '', '');
2847
2848 if ($cgiparams{'ACTION'} eq "kill"){
2849 &delccdnet($cgiparams{'net'});
2850 }
66c36198 2851
2852 if ($cgiparams{'ACTION'} eq 'editsave'){
2853 my ($a,$b) =split (/\|/,$cgiparams{'ccdname'});
2854 if ( $a ne $b){ &modccdnet($a,$b);}
2855 $cgiparams{'ccdname'}='';
2856 $cgiparams{'ccdsubnet'}='';
8c877a82 2857 }
66c36198 2858
8c877a82 2859 if ($cgiparams{'ACTION'} eq $Lang::tr{'ccd add'}) {
e2429e8d 2860 &addccdnet($cgiparams{'ccdname'},$cgiparams{'ccdsubnet'});
2861 }
2862 if ($errormessage) {
2863 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
2864 print "<class name='base'>$errormessage";
2865 print "&nbsp;</class>";
66c36198 2866 &Header::closebox();
2867 }
2868if ($cgiparams{'ACTION'} eq "edit"){
66c36198 2869
2870 &Header::openbox('100%', 'LEFT', $Lang::tr{'ccd modify'});
2871
49abe7af 2872 print <<END;
631b67b7 2873 <table width='100%' border='0'>
2874 <tr><form method='post'>
2875 <td width='10%' nowrap='nowrap'>$Lang::tr{'ccd name'}:</td><td><input type='TEXT' name='ccdname' value='$cgiparams{'ccdname'}' /></td>
a9fb14d0 2876 <td width='8%'>$Lang::tr{'ccd subnet'}:</td><td><input type='TEXT' name='ccdsubnet' value='$cgiparams{'ccdsubnet'}' readonly='readonly' /></td></tr>
2877 <tr><td colspan='4' align='right'><hr><input type='submit' value='$Lang::tr{'save'}' /><input type='hidden' name='ACTION' value='editsave'/>
2878 <input type='hidden' name='ccdname' value='$cgiparams{'ccdname'}'/><input type='submit' value='$Lang::tr{'cancel'}' />
2879 </td></tr>
2880 </table></form>
2881END
2882;
2883 &Header::closebox();
2884
2885 &Header::openbox('100%', 'LEFT',$Lang::tr{'ccd net'} );
49abe7af 2886 print <<END;
2887 <table width='100%' border='0' cellpadding='0' cellspacing='1'>
2888 <tr>
2889 <td class='boldbase' align='center'><b>$Lang::tr{'ccd name'}</td><td class='boldbase' align='center'><b>$Lang::tr{'network'}</td><td class='boldbase' width='15%' align='center'><b>$Lang::tr{'ccd used'}</td><td width='3%'></td><td width='3%'></td></tr>
2890END
2891;
2892}
2893else{
2894 if (! -e "/var/run/openvpn.pid"){
2895 &Header::openbox('100%', 'LEFT', $Lang::tr{'ccd add'});
49abe7af 2896 print <<END;
2897 <table width='100%' border='0'>
2898 <tr><form method='post'>
2899 <td colspan='4'>$Lang::tr{'ccd hint'}<br><br></td></tr>
2900 <tr>
2901 <td width='10%' nowrap='nwrap'>$Lang::tr{'ccd name'}:</td><td><input type='TEXT' name='ccdname' value='$cgiparams{'ccdname'}' /></td>
2902 <td width='8%'>$Lang::tr{'ccd subnet'}:</td><td><input type='TEXT' name='ccdsubnet' value='$cgiparams{'ccdsubnet'}' /></td></tr>
2903 <tr><td colspan=4><hr /></td></tr><tr>
2904 <td colspan='4' align='right'><input type='hidden' name='ACTION' value='$Lang::tr{'ccd add'}' /><input type='submit' value='$Lang::tr{'add'}' /><input type='hidden' name='DOVPN_SUBNET' value='$cgiparams{'DOVPN_SUBNET'}'/></td></tr>
2905 </table></form>
2906END
66c36198 2907
2908 &Header::closebox();
2909}
2910 &Header::openbox('100%', 'LEFT',$Lang::tr{'ccd net'} );
2911 if ( -e "/var/run/openvpn.pid"){
2912 print "<b>$Lang::tr{'attention'}:</b><br>";
2913 print "$Lang::tr{'ccd noaddnet'}<br><hr>";
2914 }
66c36198 2915
4c962356 2916 print <<END;
99bfa85c 2917 <table width='100%' cellpadding='0' cellspacing='1'>
2918 <tr>
2919 <td class='boldbase' align='center' nowrap='nowrap' width='20%'><b>$Lang::tr{'ccd name'}</td><td class='boldbase' align='center' width='8%'><b>$Lang::tr{'network'}</td><td class='boldbase' width='8%' align='center' nowrap='nowrap'><b>$Lang::tr{'ccd used'}</td><td width='1%' align='center'></td><td width='1%' align='center'></td></tr>
2920END
2921;
2922}
2923 my %ccdconfhash=();
2924 &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
2925 my @ccdconf=();
2926 my $count=0;
df9b48b7 2927 foreach my $key (sort { uc($ccdconfhash{$a}[0]) cmp uc($ccdconfhash{$b}[0]) } keys %ccdconfhash) {
2928 @ccdconf=($ccdconfhash{$key}[0],$ccdconfhash{$key}[1]);
2929 $count++;
2930 my $ccdhosts = &hostsinnet($ccdconf[0]);
2931 if ($count % 2){ print" <tr bgcolor='$color{'color22'}'>";}
2932 else{ print" <tr bgcolor='$color{'color20'}'>";}
2933 print"<td>$ccdconf[0]</td><td align='center'>$ccdconf[1]</td><td align='center'>$ccdhosts/".(&ccdmaxclients($ccdconf[1])+1)."</td><td>";
4c962356 2934 print <<END;
8c877a82 2935 <form method='post' />
1638682b 2936 <input type='image' src='/images/edit.gif' align='middle' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' />
2937 <input type='hidden' name='ACTION' value='edit'/>
2938 <input type='hidden' name='ccdname' value='$ccdconf[0]' />
2939 <input type='hidden' name='ccdsubnet' value='$ccdconf[1]' />
2940 </form></td>
2941 <form method='post' />
2942 <td><input type='hidden' name='ACTION' value='kill'/>
2943 <input type='hidden' name='number' value='$count' />
2944 <input type='hidden' name='net' value='$ccdconf[0]' />
1638682b 2945 <input type='image' src='/images/delete.gif' align='middle' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' /></form></td></tr>
2946END
2947;
66c36198 2948 }
2949 print "</table></form>";
2950 &Header::closebox();
2951 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2952 &Header::closebigbox();
2953 &Header::closepage();
2954 exit(0);
66c36198 2955
2956#END CCD
2957
2958###
2959### Openvpn Connections Statistics
2960###
2961} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'ovpn con stat'}) {
2962 &Header::showhttpheaders();
2963 &Header::openpage($Lang::tr{'ovpn con stat'}, 1, '');
2964 &Header::openbigbox('100%', 'LEFT', '', '');
2965 &Header::openbox('100%', 'LEFT', $Lang::tr{'ovpn con stat'});
2966
2967#
2968# <td><b>$Lang::tr{'protocol'}</b></td>
66c36198 2969# protocol temp removed
4c962356 2970 print <<END;
99bfa85c 2971 <table width='100%' cellpadding='2' cellspacing='0' class='tbl'>
6e13d0a5 2972 <tr>
2973 <th><b>$Lang::tr{'common name'}</b></th>
2974 <th><b>$Lang::tr{'real address'}</b></th>
d8ef6a95 2975 <th><b>$Lang::tr{'country'}</b></th>
2976 <th><b>$Lang::tr{'virtual address'}</b></th>
2977 <th><b>$Lang::tr{'loged in at'}</b></th>
2978 <th><b>$Lang::tr{'bytes sent'}</b></th>
2979 <th><b>$Lang::tr{'bytes received'}</b></th>
2980 <th><b>$Lang::tr{'last activity'}</b></th>
2981 </tr>
2982END
2983;
87fe47e9 2984 my $filename = "/var/run/ovpnserver.log";
2985 open(FILE, $filename) or die 'Unable to open config file.';
2986 my @current = <FILE>;
2987 close(FILE);
2988 my @users =();
2989 my $status;
2990 my $uid = 0;
2991 my $cn;
2992 my @match = ();
2993 my $proto = "udp";
2994 my $address;
2995 my %userlookup = ();
2996 foreach my $line (@current)
2997 {
2998 chomp($line);
2999 if ( $line =~ /^Updated,(.+)/){
66c36198 3000 @match = split( /^Updated,(.+)/, $line);
3001 $status = $match[1];
3002 }
66c36198 3003#gian
3004 if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) {
3005 @match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line);
3006 if ($match[1] ne "Common Name") {
3007 $cn = $match[1];
3008 $userlookup{$match[2]} = $uid;
3009 $users[$uid]{'CommonName'} = $match[1];
3010 $users[$uid]{'RealAddress'} = $match[2];
3011 $users[$uid]{'BytesReceived'} = &sizeformat($match[3]);
3012 $users[$uid]{'BytesSent'} = &sizeformat($match[4]);
3013 $users[$uid]{'Since'} = $match[5];
3014 $users[$uid]{'Proto'} = $proto;
3015
3016 # get country code for "RealAddress"...
07e42be9 3017 my $ccode = &Location::Functions::lookup_country_code((split ':', $users[$uid]{'RealAddress'})[0]);
e2e270e1 3018 my $flag_icon = &Location::Functions::get_flag_icon($ccode);
d8ef6a95 3019 $users[$uid]{'Country'} = "<a href='country.cgi#$ccode'><img src='$flag_icon' border='0' align='absmiddle' alt='$ccode' title='$ccode' /></a>";
6e13d0a5 3020 $uid++;
66c36198 3021 }
3022 }
3023 if ( $line =~ /^(\d+\.\d+\.\d+\.\d+),(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(.+)/) {
3024 @match = split(m/^(\d+\.\d+\.\d+\.\d+),(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(.+)/, $line);
3025 if ($match[1] ne "Virtual Address") {
3026 $address = $match[3];
3027 #find the uid in the lookup table
3028 $uid = $userlookup{$address};
3029 $users[$uid]{'VirtualAddress'} = $match[1];
3030 $users[$uid]{'LastRef'} = $match[4];
3031 }
3032 }
3033 }
3034 my $user2 = @users;
3035 if ($user2 >= 1){
99bfa85c 3036 for (my $idx = 1; $idx <= $user2; $idx++){
6e13d0a5 3037 if ($idx % 2) {
3038 print "<tr>";
3039 $col="bgcolor='$color{'color22'}'";
3040 } else {
3041 print "<tr>";
3042 $col="bgcolor='$color{'color20'}'";
6e13d0a5 3043 }
3044 print "<td align='left' $col>$users[$idx-1]{'CommonName'}</td>";
3045 print "<td align='left' $col>$users[$idx-1]{'RealAddress'}</td>";
3046 print "<td align='center' $col>$users[$idx-1]{'Country'}</td>";
3047 print "<td align='center' $col>$users[$idx-1]{'VirtualAddress'}</td>";
3048 print "<td align='left' $col>$users[$idx-1]{'Since'}</td>";
3049 print "<td align='left' $col>$users[$idx-1]{'BytesSent'}</td>";
3050 print "<td align='left' $col>$users[$idx-1]{'BytesReceived'}</td>";
3051 print "<td align='left' $col>$users[$idx-1]{'LastRef'}</td>";
3052 }
3053 }
66c36198 3054
6e13d0a5 3055 print "</table>";
49abe7af 3056 print <<END;
3057 <table width='100%' border='0' cellpadding='2' cellspacing='0'>
3058 <tr><td></td></tr>
3059 <tr><td></td></tr>
3060 <tr><td></td></tr>
3061 <tr><td></td></tr>
3062 <tr><td align='center' >$Lang::tr{'the statistics were last updated at'} <b>$status</b></td></tr>
3063 </table>
3064END
66c36198 3065;
3066 &Header::closebox();
3067 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
3068 &Header::closebigbox();
3069 &Header::closepage();
3070 exit(0);
3071
3072###
3073### Download Certificate
3074###
3075} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download certificate'}) {
3076 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
c6c9630e 3077
6e13d0a5 3078 if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
3079 print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\r\n";
3080 print "Content-Type: application/octet-stream\r\n\r\n";
3081
3082 open(FILE, "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
3083 my @tmp = <FILE>;
3084 close(FILE);
3085
f158e71e 3086 print @tmp;
3087 exit (0);
3088 }
3089
3090###
3091### Enable/Disable connection
3092###
ce9abb66 3093
c6c9630e 3094} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {
66c36198 3095
3096 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
3097 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3098
3099 if ($confighash{$cgiparams{'KEY'}}) {
ce9abb66 3100 if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') {
3101 $confighash{$cgiparams{'KEY'}}[0] = 'on';
3102 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3103 #&writeserverconf();
3104# if ($vpnsettings{'ENABLED'} eq 'on' ||
3105# $vpnsettings{'ENABLED_BLUE'} eq 'on') {
3106# system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
3107# }
3108 } else {
3109 $confighash{$cgiparams{'KEY'}}[0] = 'off';
3110# if ($vpnsettings{'ENABLED'} eq 'on' ||
3111# $vpnsettings{'ENABLED_BLUE'} eq 'on') {
3112# system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});
3113# }
3114 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3115 #&writeserverconf();
3116 }
3117 } else {
3118 $errormessage = $Lang::tr{'invalid key'};
3119 }
3120
3121###
3122### Restart connection
3123###
3124} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'restart'}) {
3125 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
3126 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3127
3128 if ($confighash{$cgiparams{'KEY'}}) {
3129# if ($vpnsettings{'ENABLED'} eq 'on' ||
3130# $vpnsettings{'ENABLED_BLUE'} eq 'on') {
3131# system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
3132# }
6e13d0a5 3133 } else {
c6c9630e 3134 $errormessage = $Lang::tr{'invalid key'};
3135 }
3136
ce9abb66 3137###
7c1d9faf 3138# m.a.d net2net
3139###
3140
3141} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'add'} && $cgiparams{'TYPE'} eq '') {
3142 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
3143 &Header::showhttpheaders();
4c962356 3144 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
3145 &Header::openbigbox('100%', 'LEFT', '', '');
3146 &Header::openbox('100%', 'LEFT', $Lang::tr{'connection type'});
3147
3148if ( -s "${General::swroot}/ovpn/settings") {
3149
49abe7af 3150 print <<END;
ce9abb66 3151 <b>$Lang::tr{'connection type'}:</b><br />
8c877a82 3152 <table border='0' width='100%'><form method='post' ENCTYPE="multipart/form-data">
3153 <tr><td><input type='radio' name='TYPE' value='host' checked /></td>
3154 <td class='base'>$Lang::tr{'host to net vpn'}</td></tr>
3155 <tr><td><input type='radio' name='TYPE' value='net' /></td>
3156 <td class='base'>$Lang::tr{'net to net vpn'}</td></tr>
66c36198 3157 <tr><td><input type='radio' name='TYPE' value='net2net' /></td>
3158 <td class='base'>$Lang::tr{'net to net vpn'} (Upload Client Package)</td></tr>
3159 <tr><td>&nbsp;</td><td class='base'><input type='file' name='FH' size='30'></td></tr>
e3edceeb 3160 <tr><td>&nbsp;</td><td>Import Connection Name</td></tr>
040b8b0c 3161 <tr><td>&nbsp;</td><td class='base'><input type='text' name='n2nname' size='30'>$Lang::tr{'openvpn default'}: Client Packagename</td></tr>
54fd0535 3162 <tr><td colspan='3'><hr /></td></tr>
8c877a82 3163 <tr><td align='right' colspan='3'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td></tr>
3164 </form></table>
3165END
3166 ;
66c36198 3167
ce9abb66 3168
b278daf3 3169} else {
49abe7af 3170 print <<END;
b278daf3 3171 <b>$Lang::tr{'connection type'}:</b><br />
8c877a82 3172 <table border='0' width='100%'><form method='post' ENCTYPE="multipart/form-data">
b278daf3 3173 <tr><td><input type='radio' name='TYPE' value='host' checked /></td> <td class='base'>$Lang::tr{'host to net vpn'}</td></tr>
8c877a82 3174 <tr><td align='right' colspan'3'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td></tr>
3175 </form></table>
3176END
3177 ;
3178
3179}
3180
ce9abb66 3181 &Header::closebox();
4c962356 3182 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
3183 &Header::closebigbox();
3184 &Header::closepage();
3185 exit (0);
3186
3187###
7c1d9faf 3188# m.a.d net2net
3189###
3190
3191} elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) && ($cgiparams{'TYPE'} eq 'net2net')){
3192
3193 my @firen2nconf;
3194 my @confdetails;
3195 my $uplconffilename ='';
54fd0535 3196 my $uplconffilename2 ='';
ce9abb66 3197 my $uplp12name = '';
54fd0535 3198 my $uplp12name2 = '';
3199 my @rem_subnet;
3200 my @rem_subnet2;
66c36198 3201 my @tmposupnet3;
ce9abb66 3202 my $key;
54fd0535 3203 my @n2nname;
ce9abb66 3204
66c36198 3205 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
ce9abb66 3206
3207 # Check if a file is uploaded
3208 unless (ref ($cgiparams{'FH'})) {
3209 $errormessage = $Lang::tr{'there was no file upload'};
3210 goto N2N_ERROR;
3211 }
3212
3213# Move uploaded IPfire n2n package to temporary file
3214
3215 (my $fh, my $filename) = tempfile( );
3216 if (copy ($cgiparams{'FH'}, $fh) != 1) {
3217 $errormessage = $!;
3218 goto N2N_ERROR;
3219 }
3220
3221 my $zip = Archive::Zip->new();
3222 my $zipName = $filename;
3223 my $status = $zip->read( $zipName );
66c36198 3224 if ($status != AZ_OK) {
3225 $errormessage = "Read of $zipName failed\n";
3226 goto N2N_ERROR;
3227 }
3228
3229 my $tempdir = tempdir( CLEANUP => 1 );
3230 my @files = $zip->memberNames();
3231 for(@files) {
3232 $zip->extractMemberWithoutPaths($_,"$tempdir/$_");
3233 }
3234 my $countfiles = @files;
3235
3236# Check if we have not more than 2 files
3237
3238 if ( $countfiles == 2){
3239 foreach (@files){
3240 if ( $_ =~ /.conf$/){
3241 $uplconffilename = $_;
3242 }
3243 if ( $_ =~ /.p12$/){
3244 $uplp12name = $_;
66c36198 3245 }
3246 }
3247 if (($uplconffilename eq '') || ($uplp12name eq '')){
3248 $errormessage = "Either no *.conf or no *.p12 file found\n";
3249 goto N2N_ERROR;
3250 }
3251
3252 open(FILE, "$tempdir/$uplconffilename") or die 'Unable to open*.conf file';
3253 @firen2nconf = <FILE>;
3254 close (FILE);
3255 chomp(@firen2nconf);
3256 } else {
3257
3258 $errormessage = "Filecount does not match only 2 files are allowed\n";
3259 goto N2N_ERROR;
3260 }
3261
3262###
3263# m.a.d net2net
ce9abb66 3264###
66c36198 3265
3266 if ($cgiparams{'n2nname'} ne ''){
3267
3268 $uplconffilename2 = "$cgiparams{'n2nname'}.conf";
3269 $uplp12name2 = "$cgiparams{'n2nname'}.p12";
3270 $n2nname[0] = $cgiparams{'n2nname'};
3271 my @n2nname2 = split(/\./,$uplconffilename);
3272 $n2nname2[0] =~ s/\n|\r//g;
3273 my $input1 = "${General::swroot}/ovpn/certs/$uplp12name";
3274 my $output1 = "${General::swroot}/ovpn/certs/$uplp12name2";
3275 my $input2 = "$n2nname2[0]n2n";
3276 my $output2 = "$n2nname[0]n2n";
3277 my $filename = "$tempdir/$uplconffilename";
3278 open(FILE, "< $filename") or die 'Unable to open config file.';
3279 my @current = <FILE>;
3280 close(FILE);
3281 foreach (@current) {s/$input1/$output1/g;}
3282 foreach (@current) {s/$input2/$output2/g;}
3283 open (OUT, "> $filename") || die 'Unable to open config file.';
3284 print OUT @current;
3285 close OUT;
ce9abb66 3286
3287 }else{
3288 $uplconffilename2 = $uplconffilename;
3289 $uplp12name2 = $uplp12name;
3290 @n2nname = split(/\./,$uplconffilename);
ce9abb66 3291 $n2nname[0] =~ s/\n|\r//g;
66c36198 3292 }
7c1d9faf 3293 unless(-d "${General::swroot}/ovpn/n2nconf/"){mkdir "${General::swroot}/ovpn/n2nconf", 0755 or die "Unable to create dir $!";}
66c36198 3294 unless(-d "${General::swroot}/ovpn/n2nconf/$n2nname[0]"){mkdir "${General::swroot}/ovpn/n2nconf/$n2nname[0]", 0770 or die "Unable to create dir $!";}
ce9abb66 3295
3296 #Add collectd settings to configfile
3297 open(FILE, ">> $tempdir/$uplconffilename") or die 'Unable to open config file.';
3298 print FILE "# Logfile\n";
3299 print FILE "status-version 1\n";
3300 print FILE "status /var/run/openvpn/$n2nname[0]-n2n 10\n";
0b216134 3301 print FILE "providers legacy default\n";
3302 close FILE;
3303
cc79d281 3304 unless(move("$tempdir/$uplconffilename", "${General::swroot}/ovpn/n2nconf/$n2nname[0]/$uplconffilename2")) {
3305 $errormessage = "*.conf move failed: $!";
3306 unlink ($filename);
3307 goto N2N_ERROR;
3308 }
66c36198 3309
cc79d281 3310 unless(move("$tempdir/$uplp12name", "${General::swroot}/ovpn/certs/$uplp12name2")) {
3311 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
3312 unlink ($filename);
3313 goto N2N_ERROR;
3314 }
3315
3316 chmod 0600, "${General::swroot}/ovpn/certs/$uplp12name";
66c36198 3317
ce9abb66 3318my $complzoactive;
d96c89eb 3319my $mssfixactive;
4c962356 3320my $authactive;
d96c89eb 3321my $n2nfragment;
60f396d7 3322my @n2nproto2 = split(/ /, (grep { /^proto/ } @firen2nconf)[0]);
54fd0535 3323my @n2nproto = split(/-/, $n2nproto2[1]);
3324my @n2nport = split(/ /, (grep { /^port/ } @firen2nconf)[0]);
3325my @n2ntunmtu = split(/ /, (grep { /^tun-mtu/ } @firen2nconf)[0]);
3326my @n2ncomplzo = grep { /^comp-lzo/ } @firen2nconf;
66c36198 3327if ($n2ncomplzo[0] =~ /comp-lzo/){$complzoactive = "on";} else {$complzoactive = "off";}
3328my @n2nmssfix = grep { /^mssfix/ } @firen2nconf;
3329if ($n2nmssfix[0] =~ /mssfix/){$mssfixactive = "on";} else {$mssfixactive = "off";}
54fd0535 3330#my @n2nmssfix = split(/ /, (grep { /^mssfix/ } @firen2nconf)[0]);
d96c89eb 3331my @n2nfragment = split(/ /, (grep { /^fragment/ } @firen2nconf)[0]);
3332my @n2nremote = split(/ /, (grep { /^remote/ } @firen2nconf)[0]);
3333my @n2novpnsuball = split(/ /, (grep { /^ifconfig/ } @firen2nconf)[0]);
3334my @n2novpnsub = split(/\./,$n2novpnsuball[1]);
3335my @n2nremsub = split(/ /, (grep { /^route/ } @firen2nconf)[0]);
54fd0535 3336my @n2nmgmt = split(/ /, (grep { /^management/ } @firen2nconf)[0]);
ce9abb66 3337my @n2nlocalsub = split(/ /, (grep { /^# remsub/ } @firen2nconf)[0]);
4c962356 3338my @n2ncipher = split(/ /, (grep { /^cipher/ } @firen2nconf)[0]);
f527e53f 3339my @n2nauth = split(/ /, (grep { /^auth/ } @firen2nconf)[0]);;
60f396d7 3340
3341###
3342# m.a.d strip CR and LF from the array elements; chomp doesn't work for this
3343###
3344
ce9abb66 3345$n2nremote[1] =~ s/\n|\r//g;
3346$n2novpnsub[0] =~ s/\n|\r//g;
3347$n2novpnsub[1] =~ s/\n|\r//g;
3348$n2novpnsub[2] =~ s/\n|\r//g;
60f396d7 3349$n2nproto[0] =~ s/\n|\r//g;
3350$n2nport[1] =~ s/\n|\r//g;
3351$n2ntunmtu[1] =~ s/\n|\r//g;
3352$n2nremsub[1] =~ s/\n|\r//g;
b278daf3 3353$n2nremsub[2] =~ s/\n|\r//g;
ce9abb66 3354$n2nlocalsub[2] =~ s/\n|\r//g;
d96c89eb 3355$n2nfragment[1] =~ s/\n|\r//g;
54fd0535 3356$n2nmgmt[2] =~ s/\n|\r//g;
3357$n2ncipher[1] =~ s/\n|\r//g;
3358$n2nauth[1] =~ s/\n|\r//g;
ce9abb66 3359chomp ($complzoactive);
d96c89eb 3360chomp ($mssfixactive);
3361
3362###
7c1d9faf 3363# m.a.d net2net
3364###
3365
3366###
3367# Check if there is no other entry with this name
3368###
3369
3370 foreach my $dkey (keys %confighash) {
3371 if ($confighash{$dkey}[1] eq $n2nname[0]) {
3372 $errormessage = $Lang::tr{'a connection with this name already exists'};
3373 unlink ("${General::swroot}/ovpn/n2nconf/$n2nname[0]/$n2nname[0].conf") or die "Removing Configfile fail: $!";
3374 unlink ("${General::swroot}/ovpn/certs/$n2nname[0].p12") or die "Removing Certfile fail: $!";
3375 rmdir ("${General::swroot}/ovpn/n2nconf/$n2nname[0]") || die "Removing Directory fail: $!";
66c36198 3376 goto N2N_ERROR;
3377 }
3378 }
3379
3380###
3381# Check if OpenVPN Subnet is valid
3382###
3383
3384foreach my $dkey (keys %confighash) {
3385 if ($confighash{$dkey}[27] eq "$n2novpnsub[0].$n2novpnsub[1].$n2novpnsub[2].0/255.255.255.0") {
3386 $errormessage = 'The OpenVPN Subnet is already in use';
3387 unlink ("${General::swroot}/ovpn/n2nconf/$n2nname[0]/$n2nname[0].conf") or die "Removing Configfile fail: $!";
3388 unlink ("${General::swroot}/ovpn/certs/$n2nname[0].p12") or die "Removing Certfile fail: $!";
3389 rmdir ("${General::swroot}/ovpn/n2nconf/$n2nname[0]") || die "Removing Directory fail: $!";
66c36198 3390 goto N2N_ERROR;
3391 }
3392 }
3393
3394###
4c962356 3395# Check if Dest Port is valid
3396###
3397
3398foreach my $dkey (keys %confighash) {
3399 if ($confighash{$dkey}[29] eq $n2nport[1] ) {
3400 $errormessage = 'The OpenVPN Port is already in use';
3401 unlink ("${General::swroot}/ovpn/n2nconf/$n2nname[0]/$n2nname[0].conf") or die "Removing Configfile fail: $!";
3402 unlink ("${General::swroot}/ovpn/certs/$n2nname[0].p12") or die "Removing Certfile fail: $!";
3403 rmdir ("${General::swroot}/ovpn/n2nconf/$n2nname[0]") || die "Removing Directory fail: $!";
66c36198 3404 goto N2N_ERROR;
3405 }
3406 }
3407
3408
3409
3410 $key = &General::findhasharraykey (\%confighash);
3411
49abe7af 3412 foreach my $i (0 .. 42) { $confighash{$key}[$i] = "";}
350f2980 3413
3414 $confighash{$key}[0] = 'off';
3415 $confighash{$key}[1] = $n2nname[0];
66c36198 3416 $confighash{$key}[2] = $n2nname[0];
ce9abb66 3417 $confighash{$key}[3] = 'net';
3418 $confighash{$key}[4] = 'cert';
3419 $confighash{$key}[6] = 'client';
ce9abb66 3420 $confighash{$key}[8] = $n2nlocalsub[2];
350f2980 3421 $confighash{$key}[10] = $n2nremote[1];
66c36198 3422 $confighash{$key}[11] = "$n2nremsub[1]/$n2nremsub[2]";
54fd0535 3423 $confighash{$key}[22] = $n2nmgmt[2];
350f2980 3424 $confighash{$key}[23] = $mssfixactive;
d96c89eb 3425 $confighash{$key}[24] = $n2nfragment[1];
350f2980 3426 $confighash{$key}[25] = 'IPFire n2n Client';
ce9abb66 3427 $confighash{$key}[26] = 'red';
3428 $confighash{$key}[27] = "$n2novpnsub[0].$n2novpnsub[1].$n2novpnsub[2].0/255.255.255.0";
3429 $confighash{$key}[28] = $n2nproto[0];
3430 $confighash{$key}[29] = $n2nport[1];
3431 $confighash{$key}[30] = $complzoactive;
3432 $confighash{$key}[31] = $n2ntunmtu[1];
3433 $confighash{$key}[39] = $n2nauth[1];
3434 $confighash{$key}[40] = $n2ncipher[1];
49abe7af 3435 $confighash{$key}[41] = 'disabled';
3436
3437 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
66c36198 3438
ce9abb66 3439 N2N_ERROR:
66c36198 3440
3441 &Header::showhttpheaders();
3442 &Header::openpage('Validate imported configuration', 1, '');
3443 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
3444 if ($errormessage) {
3445 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
3446 print "<class name='base'>$errormessage";
3447 print "&nbsp;</class>";
66c36198 3448 &Header::closebox();
ce9abb66 3449
3450 } else
3451 {
3452 &Header::openbox('100%', 'LEFT', 'import ipfire net2net config');
3453 }
3454 if ($errormessage eq ''){
49abe7af 3455 print <<END;
3456 <!-- ipfire net2net config gui -->
3457 <table width='100%'>
3458 <tr><td width='25%'>&nbsp;</td><td width='25%'>&nbsp;</td></tr>
3459 <tr><td class='boldbase'>$Lang::tr{'name'}:</td><td><b>$n2nname[0]</b></td></tr>
3460 <tr><td>&nbsp;</td><td>&nbsp;</td></tr>
3461 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'Act as'}</td><td><b>$confighash{$key}[6]</b></td></tr>
3462 <tr><td class='boldbase' nowrap='nowrap'>Remote Host </td><td><b>$confighash{$key}[10]</b></td></tr>
3463 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'local subnet'}</td><td><b>$confighash{$key}[8]</b></td></tr>
4c962356 3464 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'remote subnet'}:</td><td><b>$confighash{$key}[11]</b></td></tr>
3465 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn subnet'}</td><td><b>$confighash{$key}[27]</b></td></tr>
3466 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'protocol'}</td><td><b>$confighash{$key}[28]</b></td></tr>
3467 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'destination port'}:</td><td><b>$confighash{$key}[29]</b></td></tr>
3468 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'}</td><td><b>$confighash{$key}[30]</b></td></tr>
3469 <tr><td class='boldbase' nowrap='nowrap'>MSSFIX:</td><td><b>$confighash{$key}[23]</b></td></tr>
3470 <tr><td class='boldbase' nowrap='nowrap'>Fragment:</td><td><b>$confighash{$key}[24]</b></td></tr>
ce9abb66 3471 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'MTU'}</td><td><b>$confighash{$key}[31]</b></td></tr>
54fd0535 3472 <tr><td class='boldbase' nowrap='nowrap'>Management Port </td><td><b>$confighash{$key}[22]</b></td></tr>
0c4ffc69 3473 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn tls auth'}:</td><td><b>$confighash{$key}[39]</b></td></tr>
4c962356 3474 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td><td><b>$confighash{$key}[40]</b></td></tr>
66c36198 3475 <tr><td>&nbsp;</td><td>&nbsp;</td></tr>
3476 </table>
3477END
66c36198 3478;
3479 &Header::closebox();
3480 }
3481
3482 if ($errormessage) {
3483 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
3484 } else {
3485 print "<div align='center'><form method='post' ENCTYPE='multipart/form-data'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' />";
ce9abb66 3486 print "<input type='hidden' name='TYPE' value='net2netakn' />";
66c36198 3487 print "<input type='hidden' name='KEY' value='$key' />";
ce9abb66 3488 print "<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></div></form>";
66c36198 3489 }
3490 &Header::closebigbox();
3491 &Header::closepage();
4c962356 3492 exit(0);
3493
3494
3495##
3496### Accept IPFire n2n Package Settings
3497###
3498
3499 } elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) && ($cgiparams{'TYPE'} eq 'net2netakn')){
3500
3501###
3502### Discard and Rollback IPFire n2n Package Settings
3503###
3504
3505 } elsif (($cgiparams{'ACTION'} eq $Lang::tr{'cancel'}) && ($cgiparams{'TYPE'} eq 'net2netakn')){
66c36198 3506
3507 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3508
3509if ($confighash{$cgiparams{'KEY'}}) {
3510
3511 my $conffile = glob("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]/$confighash{$cgiparams{'KEY'}}[1].conf");
3512 my $certfile = glob("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
3513 unlink ($certfile) or die "Removing $certfile fail: $!";
3514 unlink ($conffile) or die "Removing $conffile fail: $!";
3515 rmdir ("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") || die "Kann Verzeichnis nicht loeschen: $!";
3516 delete $confighash{$cgiparams{'KEY'}};
66c36198 3517 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3518
3519 } else {
3520 $errormessage = $Lang::tr{'invalid key'};
3521 }
3522
3523
3524###
7c1d9faf 3525# m.a.d net2net
3526###
3527
3528
3529###
3530### Adding a new connection
3531###
3532} elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) ||
3533 ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) ||
3534 ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq '')) {
66c36198 3535
3536 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
3537 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
3538 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3539
3540 if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) {
3541 if (! $confighash{$cgiparams{'KEY'}}[0]) {
3542 $errormessage = $Lang::tr{'invalid key'};
3543 goto VPNCONF_END;
3544 }
3545 $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0];
3546 $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1];
3547 $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3];
3548 $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4];
3549 $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5];
3550 $cgiparams{'SIDE'} = $confighash{$cgiparams{'KEY'}}[6];
3551 $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8];
3552 $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10];
8c877a82 3553 $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11];
3554 $cgiparams{'OVPN_MGMT'} = $confighash{$cgiparams{'KEY'}}[22];
3555 $cgiparams{'MSSFIX'} = $confighash{$cgiparams{'KEY'}}[23];
3556 $cgiparams{'FRAGMENT'} = $confighash{$cgiparams{'KEY'}}[24];
3557 $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25];
3558 $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26];
3559 $cgiparams{'OVPN_SUBNET'} = $confighash{$cgiparams{'KEY'}}[27];
3560 $cgiparams{'PROTOCOL'} = $confighash{$cgiparams{'KEY'}}[28];
3561 $cgiparams{'DEST_PORT'} = $confighash{$cgiparams{'KEY'}}[29];
3562 $cgiparams{'COMPLZO'} = $confighash{$cgiparams{'KEY'}}[30];
3563 $cgiparams{'MTU'} = $confighash{$cgiparams{'KEY'}}[31];
3564 $cgiparams{'CHECK1'} = $confighash{$cgiparams{'KEY'}}[32];
df9b48b7 3565 $name=$cgiparams{'CHECK1'} ;
3566 $cgiparams{$name} = $confighash{$cgiparams{'KEY'}}[33];
3567 $cgiparams{'RG'} = $confighash{$cgiparams{'KEY'}}[34];
3568 $cgiparams{'CCD_DNS1'} = $confighash{$cgiparams{'KEY'}}[35];
3569 $cgiparams{'CCD_DNS2'} = $confighash{$cgiparams{'KEY'}}[36];
3570 $cgiparams{'CCD_WINS'} = $confighash{$cgiparams{'KEY'}}[37];
3571 $cgiparams{'DAUTH'} = $confighash{$cgiparams{'KEY'}}[39];
3572 $cgiparams{'DCIPHER'} = $confighash{$cgiparams{'KEY'}}[40];
49abe7af 3573 $cgiparams{'TLSAUTH'} = $confighash{$cgiparams{'KEY'}}[41];
e1e10515 3574 $cgiparams{'OTP_STATE'} = $confighash{$cgiparams{'KEY'}}[43];
8c877a82 3575 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
c6c9630e 3576 $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
66c36198 3577
8c877a82 3578#A.Marx CCD check iroute field and convert it to decimal
52d08bcb 3579if ($cgiparams{'TYPE'} eq 'host') {
3580 my @temp=();
3581 my %ccdroutehash=();
3582 my $keypoint=0;
3583 my $ip;
3584 my $cidr;
3585 if ($cgiparams{'IR'} ne ''){
3586 @temp = split("\n",$cgiparams{'IR'});
3587 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
3588 #find key to use
3589 foreach my $key (keys %ccdroutehash) {
3590 if ($ccdroutehash{$key}[0] eq $cgiparams{'NAME'}) {
3591 $keypoint=$key;
3592 delete $ccdroutehash{$key};
3593 }else{
3594 $keypoint = &General::findhasharraykey (\%ccdroutehash);
3595 }
3596 }
3597 $ccdroutehash{$keypoint}[0]=$cgiparams{'NAME'};
3598 my $i=1;
3599 my $val=0;
3600 foreach $val (@temp){
3601 chomp($val);
66c36198 3602 $val=~s/\s*$//g;
5068ac38 3603 #check if iroute exists in ccdroute or if new iroute is part of an existing one
3604 foreach my $key (keys %ccdroutehash) {
3605 foreach my $oldiroute ( 1 .. $#{$ccdroutehash{$key}}){
3606 if ($ccdroutehash{$key}[$oldiroute] eq "$val") {
3607 $errormessage=$errormessage.$Lang::tr{'ccd err irouteexist'};
3608 goto VPNCONF_ERROR;
3609 }
3610 my ($ip1,$cidr1) = split (/\//, $val);
82c809c7 3611 $ip1 = &General::getnetworkip($ip1,&General::iporsubtocidr($cidr1));
3612 my ($ip2,$cidr2) = split (/\//, $ccdroutehash{$key}[$oldiroute]);
3613 if (&General::IpInSubnet ($ip1,$ip2,$cidr2)){
3614 $errormessage=$errormessage.$Lang::tr{'ccd err irouteexist'};
3615 goto VPNCONF_ERROR;
3616 }
3617
3618 }
3619 }
3620 if (!&General::validipandmask($val)){
3621 $errormessage=$errormessage."Route ".$Lang::tr{'ccd invalid'}." ($val)";
3622 goto VPNCONF_ERROR;
3623 }else{
3624 ($ip,$cidr) = split(/\//,$val);
3625 $ip=&General::getnetworkip($ip,&General::iporsubtocidr($cidr));
3626 $cidr=&General::iporsubtodec($cidr);
3627 $ccdroutehash{$keypoint}[$i] = $ip."/".$cidr;
66c36198 3628
5068ac38 3629 }
66c36198 3630
8c877a82 3631 #check for existing network IP's
3632 if (&General::IpInSubnet ($ip,$netsettings{GREEN_NETADDRESS},$netsettings{GREEN_NETMASK}) && $netsettings{GREEN_NETADDRESS} ne '0.0.0.0')
3633 {
3634 $errormessage=$Lang::tr{'ccd err green'};
3635 goto VPNCONF_ERROR;
3636 }elsif(&General::IpInSubnet ($ip,$netsettings{RED_NETADDRESS},$netsettings{RED_NETMASK}) && $netsettings{RED_NETADDRESS} ne '0.0.0.0')
3637 {
3638 $errormessage=$Lang::tr{'ccd err red'};
3639 goto VPNCONF_ERROR;
3640 }elsif(&General::IpInSubnet ($ip,$netsettings{BLUE_NETADDRESS},$netsettings{BLUE_NETMASK}) && $netsettings{BLUE_NETADDRESS} ne '0.0.0.0' && $netsettings{BLUE_NETADDRESS} gt '')
3641 {
3642 $errormessage=$Lang::tr{'ccd err blue'};
3643 goto VPNCONF_ERROR;
3644 }elsif(&General::IpInSubnet ($ip,$netsettings{ORANGE_NETADDRESS},$netsettings{ORANGE_NETMASK}) && $netsettings{ORANGE_NETADDRESS} ne '0.0.0.0' && $netsettings{ORANGE_NETADDRESS} gt '' )
3645 {
3646 $errormessage=$Lang::tr{'ccd err orange'};
3647 goto VPNCONF_ERROR;
3648 }
66c36198 3649
3650 if (&General::validipandmask($val)){
3651 $ccdroutehash{$keypoint}[$i] = $ip."/".$cidr;
3652 }else{
3653 $errormessage=$errormessage."Route ".$Lang::tr{'ccd invalid'}." ($ip/$cidr)";
3654 goto VPNCONF_ERROR;
3655 }
3656 $i++;
3657 }
3658 &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
3659 &writeserverconf;
3660 }else{
3661 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
3662 foreach my $key (keys %ccdroutehash) {
3663 if ($ccdroutehash{$key}[0] eq $cgiparams{'NAME'}) {
3664 delete $ccdroutehash{$key};
3665 &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
3666 &writeserverconf;
3667 }
66c36198 3668 }
3669 }
3670 undef @temp;
3671 #check route field and convert it to decimal
3672 my $val=0;
3673 my $i=1;
8c877a82 3674 &General::readhasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
3675 #find key to use
3676 foreach my $key (keys %ccdroute2hash) {
3677 if ($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}) {
3678 $keypoint=$key;
3679 delete $ccdroute2hash{$key};
3680 }else{
3681 $keypoint = &General::findhasharraykey (\%ccdroute2hash);
3682 &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
3683 &writeserverconf;
8c877a82 3684 }
3685 }
3686 $ccdroute2hash{$keypoint}[0]=$cgiparams{'NAME'};
3687 if ($cgiparams{'IFROUTE'} eq ''){$cgiparams{'IFROUTE'} = $Lang::tr{'ccd none'};}
3688 @temp = split(/\|/,$cgiparams{'IFROUTE'});
3689 my %ownnet=();
3690 &General::readhash("${General::swroot}/ethernet/settings", \%ownnet);
3691 foreach $val (@temp){
3692 chomp($val);
66c36198 3693 $val=~s/\s*$//g;
3694 if ($val eq $Lang::tr{'green'})
3695 {
3696 $val=$ownnet{GREEN_NETADDRESS}."/".$ownnet{GREEN_NETMASK};
3697 }
3698 if ($val eq $Lang::tr{'blue'})
3699 {
3700 $val=$ownnet{BLUE_NETADDRESS}."/".$ownnet{BLUE_NETMASK};
3701 }
3702 if ($val eq $Lang::tr{'orange'})
3703 {
3704 $val=$ownnet{ORANGE_NETADDRESS}."/".$ownnet{ORANGE_NETMASK};
3705 }
3706 my ($ip,$cidr) = split (/\//, $val);
66c36198 3707
52d08bcb 3708 if ($val ne $Lang::tr{'ccd none'})
66c36198 3709 {
3710 if (! &check_routes_push($val)){$errormessage=$errormessage."Route $val ".$Lang::tr{'ccd err routeovpn2'}." ($val)";goto VPNCONF_ERROR;}
3711 if (! &check_ccdroute($val)){$errormessage=$errormessage."<br>Route $val ".$Lang::tr{'ccd err inuse'}." ($val)" ;goto VPNCONF_ERROR;}
3712 if (! &check_ccdconf($val)){$errormessage=$errormessage."<br>Route $val ".$Lang::tr{'ccd err routeovpn'}." ($val)";goto VPNCONF_ERROR;}
3713 if (&General::validipandmask($val)){
3714 $val=$ip."/".&General::iporsubtodec($cidr);
3715 $ccdroute2hash{$keypoint}[$i] = $val;
3716 }else{
3717 $errormessage=$errormessage."Route ".$Lang::tr{'ccd invalid'}." ($val)";
3718 goto VPNCONF_ERROR;
3719 }
3720 }else{
3721 $ccdroute2hash{$keypoint}[$i]='';
3722 }
3723 $i++;
66c36198 3724 }
3725 &General::writehasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
3726
3727 #check dns1 ip
3728 if ($cgiparams{'CCD_DNS1'} ne '' && ! &General::validip($cgiparams{'CCD_DNS1'})) {
3729 $errormessage=$errormessage."<br>".$Lang::tr{'invalid input for dhcp dns'}." 1";
3730 goto VPNCONF_ERROR;
3731 }
3732 #check dns2 ip
3733 if ($cgiparams{'CCD_DNS2'} ne '' && ! &General::validip($cgiparams{'CCD_DNS2'})) {
3734 $errormessage=$errormessage."<br>".$Lang::tr{'invalid input for dhcp dns'}." 2";
3735 goto VPNCONF_ERROR;
3736 }
3737 #check wins ip
3738 if ($cgiparams{'CCD_WINS'} ne '' && ! &General::validip($cgiparams{'CCD_WINS'})) {
3739 $errormessage=$errormessage."<br>".$Lang::tr{'invalid input for dhcp wins'};
3740 goto VPNCONF_ERROR;
3741 }
52d08bcb 3742}
3743
3744#CCD End
52d08bcb 3745
66c36198 3746
3747 if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
3748 $errormessage = $Lang::tr{'connection type is invalid'};
3749 if ($cgiparams{'TYPE'} eq 'net') {
3750 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3751 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3752 goto VPNCONF_ERROR;
3753 }
3754 goto VPNCONF_ERROR;
3755 }
3756
c6c9630e 3757 if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) {
3758 $errormessage = $Lang::tr{'name must only contain characters'};
3759 if ($cgiparams{'TYPE'} eq 'net') {
3760 goto VPNCONF_ERROR;
3761 }
3762 goto VPNCONF_ERROR;
3763 }
3764
3765 if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault)$/) {
3766 $errormessage = $Lang::tr{'name is invalid'};
3767 if ($cgiparams{'TYPE'} eq 'net') {
3768 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3769 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3770 goto VPNCONF_ERROR;
3771 }
3772 goto VPNCONF_ERROR;
3773 }
3774
3775 if (length($cgiparams{'NAME'}) >60) {
3776 $errormessage = $Lang::tr{'name too long'};
3777 if ($cgiparams{'TYPE'} eq 'net') {
3778 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3779 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3780 goto VPNCONF_ERROR;
3781 }
3782 goto VPNCONF_ERROR;
3783 }
3784
d96c89eb 3785###
7c1d9faf 3786# m.a.d net2net
3787###
3788
7c1d9faf 3789if ($cgiparams{'TYPE'} eq 'net') {
ab4cf06c 3790 if ($cgiparams{'DEST_PORT'} eq $vpnsettings{'DDEST_PORT'}) {
cd0c0a0d 3791 $errormessage = $Lang::tr{'openvpn destination port used'};
3792 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3793 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
66c36198 3794 goto VPNCONF_ERROR;
d96c89eb 3795 }
3796 #Bugfix 10357
3797 foreach my $key (sort keys %confighash){
3798 if ( ($confighash{$key}[22] eq $cgiparams{'DEST_PORT'} && $cgiparams{'NAME'} ne $confighash{$key}[1]) || ($confighash{$key}[29] eq $cgiparams{'DEST_PORT'} && $cgiparams{'NAME'} ne $confighash{$key}[1])){
3799 $errormessage = $Lang::tr{'openvpn destination port used'};
3800 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3801 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
66c36198 3802 goto VPNCONF_ERROR;
3803 }
3804 }
3805 if ($cgiparams{'DEST_PORT'} eq '') {
3806 $errormessage = $Lang::tr{'invalid port'};
3807 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3808 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
66c36198 3809 goto VPNCONF_ERROR;
54fd0535 3810 }
d96c89eb 3811
3812 # Check if the input for the transfer net is valid.
3813 if (!&General::validipandmask($cgiparams{'OVPN_SUBNET'})){
3814 $errormessage = $Lang::tr{'ccd err invalidnet'};
3815 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3816 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3817 goto VPNCONF_ERROR;
3818 }
3819
d96c89eb 3820 if ($cgiparams{'OVPN_SUBNET'} eq $vpnsettings{'DOVPN_SUBNET'}) {
cd0c0a0d 3821 $errormessage = $Lang::tr{'openvpn subnet is used'};
3822 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3823 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
66c36198 3824 goto VPNCONF_ERROR;
3825 }
3826
3827 if (($cgiparams{'PROTOCOL'} eq 'tcp') && ($cgiparams{'MSSFIX'} eq 'on')) {
cd0c0a0d 3828 $errormessage = $Lang::tr{'openvpn mssfix allowed with udp'};
3829 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3830 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3831 goto VPNCONF_ERROR;
3832 }
66c36198 3833
d96c89eb 3834 if (($cgiparams{'PROTOCOL'} eq 'tcp') && ($cgiparams{'FRAGMENT'} ne '')) {
cd0c0a0d 3835 $errormessage = $Lang::tr{'openvpn fragment allowed with udp'};
3836 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3837 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3838 goto VPNCONF_ERROR;
3839 }
d96c89eb 3840
7c1d9faf 3841 if ( &validdotmask ($cgiparams{'LOCAL_SUBNET'})) {
cd0c0a0d 3842 $errormessage = $Lang::tr{'openvpn prefix local subnet'};
3843 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3844 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3845 goto VPNCONF_ERROR;
3846 }
3847
7c1d9faf 3848 if ( &validdotmask ($cgiparams{'OVPN_SUBNET'})) {
cd0c0a0d 3849 $errormessage = $Lang::tr{'openvpn prefix openvpn subnet'};
3850 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3851 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3852 goto VPNCONF_ERROR;
3853 }
3854
7c1d9faf 3855 if ( &validdotmask ($cgiparams{'REMOTE_SUBNET'})) {
cd0c0a0d 3856 $errormessage = $Lang::tr{'openvpn prefix remote subnet'};
3857 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3858 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3859 goto VPNCONF_ERROR;
8c252e6a 3860 }
66c36198 3861
3862 if ($cgiparams{'DEST_PORT'} <= 1023) {
3863 $errormessage = $Lang::tr{'ovpn port in root range'};
3864 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3865 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3866 goto VPNCONF_ERROR;
3867 }
54fd0535 3868
4c962356 3869 if ($cgiparams{'OVPN_MGMT'} eq '') {
66c36198 3870 $cgiparams{'OVPN_MGMT'} = $cgiparams{'DEST_PORT'};
8c252e6a 3871 }
66c36198 3872
3873 if ($cgiparams{'OVPN_MGMT'} <= 1023) {
3874 $errormessage = $Lang::tr{'ovpn mgmt in root range'};
3875 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3876 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3877 goto VPNCONF_ERROR;
3878 }
3879 #Check if remote subnet is used elsewhere
3880 my ($n2nip,$n2nsub)=split("/",$cgiparams{'REMOTE_SUBNET'});
3881 $warnmessage=&General::checksubnets('',$n2nip,'ovpn');
3882 if ($warnmessage){
3883 $warnmessage=$Lang::tr{'remote subnet'}." ($cgiparams{'REMOTE_SUBNET'}) <br>".$warnmessage;
3884 }
7c1d9faf 3885}
d96c89eb 3886
3887# if (($cgiparams{'TYPE'} eq 'net') && ($cgiparams{'SIDE'} !~ /^(left|right)$/)) {
3888# $errormessage = $Lang::tr{'ipfire side is invalid'};
3889# goto VPNCONF_ERROR;
3890# }
3891
3892 # Check if there is no other entry with this name
3893 if (! $cgiparams{'KEY'}) {
3894 foreach my $key (keys %confighash) {
3895 if ($confighash{$key}[1] eq $cgiparams{'NAME'}) {
3896 $errormessage = $Lang::tr{'a connection with this name already exists'};
3897 if ($cgiparams{'TYPE'} eq 'net') {
3898 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3899 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3900 }
c6c9630e 3901 goto VPNCONF_ERROR;
6e13d0a5 3902 }
3903 }
3904 }
3905
c125d8a2 3906 # Check if a remote host/IP has been set for the client.
3907 if ($cgiparams{'TYPE'} eq 'net') {
3908 if ($cgiparams{'SIDE'} ne 'server' && $cgiparams{'REMOTE'} eq '') {
3909 $errormessage = $Lang::tr{'invalid input for remote host/ip'};
c125d8a2 3910
3911 # Check if this is a N2N connection and drop temporary config.
3912 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3913 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
ce9abb66 3914
3915 goto VPNCONF_ERROR;
3916 }
c125d8a2 3917
3918 # Check if a remote host/IP has been configured - the field can be empty on the server side.
3919 if ($cgiparams{'REMOTE'} ne '') {
3920 # Check if the given IP is valid - otherwise check if it is a valid domain.
3921 if (! &General::validip($cgiparams{'REMOTE'})) {
3922 # Check for a valid domain.
3923 if (! &General::validfqdn ($cgiparams{'REMOTE'})) {
3924 $errormessage = $Lang::tr{'invalid input for remote host/ip'};
c125d8a2 3925
3926 # Check if this is a N2N connection and drop temporary config.
3927 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3928 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
c125d8a2 3929
3930 goto VPNCONF_ERROR;
3931 }
3932 }
6e13d0a5 3933 }
c6c9630e 3934 }
c125d8a2 3935
3936 if ($cgiparams{'TYPE'} ne 'host') {
3937 unless (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) {
66c36198 3938 $errormessage = $Lang::tr{'local subnet is invalid'};
3939 if ($cgiparams{'TYPE'} eq 'net') {
3940 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3941 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3942 }
3943 goto VPNCONF_ERROR;}
3944 }
3945 # Check if there is no other entry without IP-address and PSK
3946 if ($cgiparams{'REMOTE'} eq '') {
3947 foreach my $key (keys %confighash) {
3948 if(($cgiparams{'KEY'} ne $key) &&
3949 ($confighash{$key}[4] eq 'psk' || $cgiparams{'AUTH'} eq 'psk') &&
3950 $confighash{$key}[10] eq '') {
3951 $errormessage = $Lang::tr{'you can only define one roadwarrior connection when using pre-shared key authentication'};
3952 goto VPNCONF_ERROR;
6e13d0a5 3953 }
3954 }
3955 }
3956 if (($cgiparams{'TYPE'} eq 'net') && (! &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) {
3957 $errormessage = $Lang::tr{'remote subnet is invalid'};
3958 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3959 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3960 goto VPNCONF_ERROR;
ce9abb66 3961 }
c6c9630e 3962
3963 # Check for N2N that OpenSSL maximum of valid days will not be exceeded
3964 if ($cgiparams{'TYPE'} eq 'net') {
3965 if ($cgiparams{'DAYS_VALID'} >= '999999') {
3966 $errormessage = $Lang::tr{'invalid input for valid till days'};
3967 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3968 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3969 goto VPNCONF_ERROR;
3970 }
3971 }
3972
3973 if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
3974 $errormessage = $Lang::tr{'invalid input'};
3975 goto VPNCONF_ERROR;
3976 }
3977 if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) {
3978 $errormessage = $Lang::tr{'invalid input'};
3979 goto VPNCONF_ERROR;
3980 }
3981
3982#fixplausi
3983 if ($cgiparams{'AUTH'} eq 'psk') {
3984# if (! length($cgiparams{'PSK'}) ) {
3985# $errormessage = $Lang::tr{'pre-shared key is too short'};
3986# goto VPNCONF_ERROR;
3987# }
3988# if ($cgiparams{'PSK'} =~ /['",&]/) {
3989# $errormessage = $Lang::tr{'invalid characters found in pre-shared key'};
3990# goto VPNCONF_ERROR;
3991# }
3992 } elsif ($cgiparams{'AUTH'} eq 'certreq') {
3993 if ($cgiparams{'KEY'}) {
3994 $errormessage = $Lang::tr{'cant change certificates'};
3995 goto VPNCONF_ERROR;
3996 }
2ad1b18b 3997 unless (ref ($cgiparams{'FH'})) {
3998 $errormessage = $Lang::tr{'there was no file upload'};
3999 goto VPNCONF_ERROR;
4000 }
4001
4002 # Move uploaded certificate request to a temporary file
4003 (my $fh, my $filename) = tempfile( );
4004 if (copy ($cgiparams{'FH'}, $fh) != 1) {
4005 $errormessage = $!;
4006 goto VPNCONF_ERROR;
4007 }
6e13d0a5 4008
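# Sign the uploaded certificate request with the OpenVPN CA.
# DAYS_VALID is only validated in the 'certgen' branch further down, so
# for an uploaded request it must be checked here before it reaches
# openssl: accept decimal digits only (the 999999 upper bound for N2N
# connections is enforced earlier in this handler).
if ($cgiparams{'DAYS_VALID'} !~ /^[0-9]+$/) {
	$errormessage = $Lang::tr{'invalid input for valid till days'};
	unlink ($filename);
	goto VPNCONF_ERROR;
}

# The system call is safe, because all arguments are passed as an array
# (no shell is involved, so NAME and DAYS_VALID cannot inject commands).
system('/usr/bin/openssl', 'ca', '-days', "$cgiparams{'DAYS_VALID'}",
	'-batch', '-notext',
	'-in', $filename,
	'-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
	'-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
if ($?) {
	# Signing failed: drop the temporary request and the partial
	# certificate, then let newcleanssldatabase() tidy the CA database.
	$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
	unlink ($filename);
	unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
	&newcleanssldatabase();
	goto VPNCONF_ERROR;
} else {
	# Signed: the request file is no longer needed.
	unlink ($filename);
	&deletebackupcert();
}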
4027
4028 my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
4029 my $temp;
4030
4031 foreach my $line (@temp) {
4032 if ($line =~ /Subject:.*CN\s?=\s?(.*)[\n]/) {
4033 $temp = $1;
4034 $temp =~ s+/Email+, E+;
4035 $temp =~ s/ ST=/ S=/;
4036
4037 last;
4038 }
4039 }
66c36198 4040
4041 $cgiparams{'CERT_NAME'} = $temp;
4042 $cgiparams{'CERT_NAME'} =~ s/,//g;
4043 $cgiparams{'CERT_NAME'} =~ s/\'//g;
4044 if ($cgiparams{'CERT_NAME'} eq '') {
4045 $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
4046 goto VPNCONF_ERROR;
4047 }
4048 } elsif ($cgiparams{'AUTH'} eq 'certfile') {
4049 if ($cgiparams{'KEY'}) {
4050 $errormessage = $Lang::tr{'cant change certificates'};
4051 goto VPNCONF_ERROR;
4052 }
2ad1b18b 4053 unless (ref ($cgiparams{'FH'})) {
4054 $errormessage = $Lang::tr{'there was no file upload'};
4055 goto VPNCONF_ERROR;
4056 }
4057 # Move uploaded certificate to a temporary file
4058 (my $fh, my $filename) = tempfile( );
4059 if (copy ($cgiparams{'FH'}, $fh) != 1) {
4060 $errormessage = $!;
4061 goto VPNCONF_ERROR;
4062 }
4063
4064 # Verify the certificate has a valid CA and move it
4065 my $validca = 0;
4066 my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/cacert.pem", "$filename");
4067 if (grep(/: OK/, @test)) {
4068 $validca = 1;
4069 } else {
4070 foreach my $key (keys %cahash) {
4071 @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/$cahash{$key}[0]cert.pem", "$filename");
4072 if (grep(/: OK/, @test)) {
4073 $validca = 1;
4074 }
6e13d0a5 4075 }
4076 }
4077 if (! $validca) {
4078 $errormessage = $Lang::tr{'certificate does not have a valid ca associated with it'};
4079 unlink ($filename);
4080 goto VPNCONF_ERROR;
4081 } else {
cc79d281 4082 unless(move($filename, "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem")) {
4083 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
4084 unlink ($filename);
4085 goto VPNCONF_ERROR;
6e13d0a5 4086 }
4087 }
4088
4089 my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
4090 my $temp;
4091
4092 foreach my $line (@temp) {
4093 if ($line =~ /Subject:.*CN\s?=\s?(.*)[\n]/) {
4094 $temp = $1;
4095 $temp =~ s+/Email+, E+;
4096 $temp =~ s/ ST=/ S=/;
4097
4098 last;
4099 }
4100 }
4101
4102 $cgiparams{'CERT_NAME'} = $temp;
4103 $cgiparams{'CERT_NAME'} =~ s/,//g;
4104 $cgiparams{'CERT_NAME'} =~ s/\'//g;
4105 if ($cgiparams{'CERT_NAME'} eq '') {
4106 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
4107 $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
4108 goto VPNCONF_ERROR;
4109 }
4110 } elsif ($cgiparams{'AUTH'} eq 'certgen') {
4111 if ($cgiparams{'KEY'}) {
4112 $errormessage = $Lang::tr{'cant change certificates'};
4113 goto VPNCONF_ERROR;
4114 }
4115 # Validate input since the form was submitted
4116 if (length($cgiparams{'CERT_NAME'}) >60) {
4117 $errormessage = $Lang::tr{'name too long'};
4118 goto VPNCONF_ERROR;
4119 }
194314b2 4120 if ($cgiparams{'CERT_NAME'} eq '' || $cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
4121 $errormessage = $Lang::tr{'invalid input for name'};
4122 goto VPNCONF_ERROR;
4123 }
4124 if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) {
4125 $errormessage = $Lang::tr{'invalid input for e-mail address'};
4126 goto VPNCONF_ERROR;
4127 }
4128 if (length($cgiparams{'CERT_EMAIL'}) > 40) {
4129 $errormessage = $Lang::tr{'e-mail address too long'};
4130 goto VPNCONF_ERROR;
4131 }
4132 if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
4133 $errormessage = $Lang::tr{'invalid input for department'};
4134 goto VPNCONF_ERROR;
4135 }
4136 if (length($cgiparams{'CERT_ORGANIZATION'}) >60) {
4137 $errormessage = $Lang::tr{'organization too long'};
4138 goto VPNCONF_ERROR;
4139 }
4140 if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
4141 $errormessage = $Lang::tr{'invalid input for organization'};
4142 goto VPNCONF_ERROR;
4143 }
4144 if ($cgiparams{'CERT_CITY'} ne '' && $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
4145 $errormessage = $Lang::tr{'invalid input for city'};
4146 goto VPNCONF_ERROR;
4147 }
4148 if ($cgiparams{'CERT_STATE'} ne '' && $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
4149 $errormessage = $Lang::tr{'invalid input for state or province'};
4150 goto VPNCONF_ERROR;
4151 }
4152 if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) {
4153 $errormessage = $Lang::tr{'invalid input for country'};
4154 goto VPNCONF_ERROR;
4155 }
4156 if ($cgiparams{'CERT_PASS1'} ne '' && $cgiparams{'CERT_PASS2'} ne ''){
4157 if (length($cgiparams{'CERT_PASS1'}) < 5) {
4158 $errormessage = $Lang::tr{'password too short'};
4159 goto VPNCONF_ERROR;
6e13d0a5 4160 }
66c36198 4161 }
4162 if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) {
4163 $errormessage = $Lang::tr{'passwords do not match'};
4164 goto VPNCONF_ERROR;
4165 }
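if ($cgiparams{'DAYS_VALID'} !~ /^[0-9]+$/) {
	# Must be a plain decimal number: it is passed to 'openssl ca -days'
	# below. The previous test combined the empty-string and non-numeric
	# checks with '&&', which let any non-empty, non-numeric value
	# through; the regex already rejects the empty string.
	$errormessage = $Lang::tr{'invalid input for valid till days'};
	goto VPNCONF_ERROR;
}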
c6c9630e 4170
4171 # Check for RW that OpenSSL maximum of valid days will not be exceeded
4172 if ($cgiparams{'TYPE'} eq 'host') {
4173 if ($cgiparams{'DAYS_VALID'} >= '999999') {
4174 $errormessage = $Lang::tr{'invalid input for valid till days'};
4175 goto VPNCONF_ERROR;
4176 }
4177 }
4178
4179 # Check for RW if client name is already set
4180 if ($cgiparams{'TYPE'} eq 'host') {
4181 foreach my $key (keys %confighash) {
4182 if ($confighash{$key}[1] eq $cgiparams{'NAME'}) {
4183 $errormessage = $Lang::tr{'a connection with this name already exists'};
4184 goto VPNCONF_ERROR;
4185 }
4186 }
4187 }
4188
4189 # Replace empty strings with a .
4190 (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./;
4191 (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./;
4192 (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./;
4193
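# Create the host certificate request and its (unencrypted, -nodes)
# private key. openssl is started in a fork()ed child whose stdin is the
# OPENSSL handle; the parent answers the interactive subject prompts.
my $pid = open(OPENSSL, "|-");
$SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto VPNCONF_ERROR;};
unless (defined $pid) {
	# fork() itself failed. Without this check an undef $pid falls into
	# the "child" branch below and exec()s openssl in the CGI process.
	$errormessage = "$Lang::tr{'cant start openssl'}: $!";
	goto VPNCONF_ERROR;
}
if ($pid) { # parent
	print OPENSSL "$cgiparams{'CERT_COUNTRY'}\n";
	print OPENSSL "$state\n";
	print OPENSSL "$city\n";
	print OPENSSL "$cgiparams{'CERT_ORGANIZATION'}\n";
	print OPENSSL "$ou\n";
	print OPENSSL "$cgiparams{'CERT_NAME'}\n";
	print OPENSSL "$cgiparams{'CERT_EMAIL'}\n";
	print OPENSSL ".\n";
	print OPENSSL ".\n";
	close (OPENSSL);
	if ($?) {
		# Remove the (possibly partial) key and request. These paths must
		# match the -keyout/-out arguments below; the previous
		# "${General::swroot}ovpn/..." spelling lacked the slash, so the
		# private key was left on disk after a failed run.
		$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
		unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
		unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
		goto VPNCONF_ERROR;
	}
} else { # child
	unless (exec ('/usr/bin/openssl', 'req', '-nodes',
			'-newkey', 'rsa:4096',
			'-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
			'-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
			'-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
		# exec() failed. This is the child, so it must terminate here:
		# jumping to VPNCONF_ERROR would render a second copy of the page
		# from the child. _exit() skips the END blocks and stdio flushing
		# that belong to the parent; the parent reports the non-zero
		# status via $? after close().
		print STDERR "$Lang::tr{'cant start openssl'}: $!\n";
		unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
		unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
		require POSIX;
		POSIX::_exit(1);
	}
}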
66c36198 4226
c6c9630e 4227 # Sign the host certificate request
2feacd98 4228 # The system call is safe, because all arguments are passed as an array.
f6e12093 4229 system('/usr/bin/openssl', 'ca', '-days', "$cgiparams{'DAYS_VALID'}",
4230 '-batch', '-notext',
4231 '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
4232 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
4233 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
4234 if ($?) {
4235 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
4236 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
4237 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
4238 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
4239 &newcleanssldatabase();
4240 goto VPNCONF_ERROR;
4241 } else {
4242 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
4243 &deletebackupcert();
4244 }
4245
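# Create the PKCS#12 bundle for the client.
# The export password is handed to openssl through the environment
# (-passout env:...) instead of the command line: the argv of every
# process is readable by all local users via ps / /proc, the environment
# is not. An empty CERT_PASS1 still yields an unprotected bundle (the
# "no-pass" case recorded in the config below).
# -legacy keeps the legacy PKCS#12 algorithms, presumably for client
# compatibility - confirm before changing.
{
	local $ENV{'OVPN_P12_PASS'} = $cgiparams{'CERT_PASS1'};
	# The system call is safe, because all arguments are passed as an array.
	system('/usr/bin/openssl', 'pkcs12', '-legacy', '-export',
		'-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
		'-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
		'-name', $cgiparams{'NAME'},
		'-passout', 'env:OVPN_P12_PASS',
		'-certfile', "${General::swroot}/ovpn/ca/cacert.pem",
		'-caname', "$vpnsettings{'ROOTCERT_ORGANIZATION'} CA",
		'-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12");
}
if ($?) {
	# Bundle creation failed: remove key, certificate and partial bundle.
	$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
	unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
	unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
	unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12");
	goto VPNCONF_ERROR;
} else {
	# The unencrypted PEM key is only needed to build the bundle.
	unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
}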
4265 } elsif ($cgiparams{'AUTH'} eq 'cert') {
4266 ;# Nothing, just editing
4267 } else {
4268 $errormessage = $Lang::tr{'invalid input for authentication method'};
4269 goto VPNCONF_ERROR;
4270 }
4271
4272 # Check if there is no other entry with this common name
4273 if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk')) {
4274 foreach my $key (keys %confighash) {
4275 if ($confighash{$key}[2] eq $cgiparams{'CERT_NAME'}) {
4276 $errormessage = $Lang::tr{'a connection with this common name already exists'};
4277 goto VPNCONF_ERROR;
6e13d0a5 4278 }
4279 }
4280 }
4281
ab4cf06c 4282 # Save the config
c6c9630e 4283 my $key = $cgiparams{'KEY'};
66c36198 4284
4285 if (! $key) {
4286 $key = &General::findhasharraykey (\%confighash);
49abe7af 4287 foreach my $i (0 .. 43) { $confighash{$key}[$i] = "";}
c6c9630e 4288 }
4289 $confighash{$key}[0] = $cgiparams{'ENABLED'};
4290 $confighash{$key}[1] = $cgiparams{'NAME'};
c6c9630e 4291 if ((! $cgiparams{'KEY'}) && $cgiparams{'AUTH'} ne 'psk') {
8c877a82 4292 $confighash{$key}[2] = $cgiparams{'CERT_NAME'};
c6c9630e 4293 }
66c36198 4294
8c877a82 4295 $confighash{$key}[3] = $cgiparams{'TYPE'};
c6c9630e 4296 if ($cgiparams{'AUTH'} eq 'psk') {
4297 $confighash{$key}[4] = 'psk';
4298 $confighash{$key}[5] = $cgiparams{'PSK'};
c6c9630e 4299 } else {
8c877a82 4300 $confighash{$key}[4] = 'cert';
c6c9630e 4301 }
ce9abb66 4302 if ($cgiparams{'TYPE'} eq 'net') {
4303 $confighash{$key}[6] = $cgiparams{'SIDE'};
4304 $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'};
ce9abb66 4305 }
4c962356 4306 $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'};
8c877a82 4307 $confighash{$key}[10] = $cgiparams{'REMOTE'};
4c962356 4308 if ($cgiparams{'OVPN_MGMT'} eq '') {
8c877a82 4309 $confighash{$key}[22] = $confighash{$key}[29];
4c962356 4310 } else {
8c877a82 4311 $confighash{$key}[22] = $cgiparams{'OVPN_MGMT'};
4c962356 4312 }
4313 $confighash{$key}[23] = $cgiparams{'MSSFIX'};
4314 $confighash{$key}[24] = $cgiparams{'FRAGMENT'};
4315 $confighash{$key}[25] = $cgiparams{'REMARK'};
4316 $confighash{$key}[26] = $cgiparams{'INTERFACE'};
66c36198 4317# new fields
4318 $confighash{$key}[27] = $cgiparams{'OVPN_SUBNET'};
4319 $confighash{$key}[28] = $cgiparams{'PROTOCOL'};
4320 $confighash{$key}[29] = $cgiparams{'DEST_PORT'};
4321 $confighash{$key}[30] = $cgiparams{'COMPLZO'};
4322 $confighash{$key}[31] = $cgiparams{'MTU'};
4323 $confighash{$key}[32] = $cgiparams{'CHECK1'};
df9b48b7 4324 $name=$cgiparams{'CHECK1'};
4325 $confighash{$key}[33] = $cgiparams{$name};
4326 $confighash{$key}[34] = $cgiparams{'RG'};
4327 $confighash{$key}[35] = $cgiparams{'CCD_DNS1'};
4328 $confighash{$key}[36] = $cgiparams{'CCD_DNS2'};
4329 $confighash{$key}[37] = $cgiparams{'CCD_WINS'};
4330 $confighash{$key}[39] = $cgiparams{'DAUTH'};
4331 $confighash{$key}[40] = $cgiparams{'DCIPHER'};
350f2980 4332
4333 if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
4334 $confighash{$key}[41] = "no-pass";
4335 }
4336
4337 $confighash{$key}[42] = 'HOTP/T30/6';
4338 $confighash{$key}[43] = $cgiparams{'OTP_STATE'};
16d4a5c2 4339 if (($confighash{$key}[43] eq 'on') && ($confighash{$key}[44] eq '')) {
e1e10515 4340 my @otp_secret = &General::system_output("/usr/bin/openssl", "rand", "-hex", "20");
209d62f0 4341 chomp($otp_secret[0]);
e1e10515 4342 $confighash{$key}[44] = $otp_secret[0];
16d4a5c2 4343 } elsif ($confighash{$key}[43] eq '') {
4344 $confighash{$key}[44] = '';
4345 }
4346
c6c9630e 4347 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
66c36198 4348
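if ($cgiparams{'CHECK1'} ){
	# Write the per-client OpenVPN config (client-config-dir file) for a
	# roadwarrior. The file is named after the certificate common name
	# stored in [2]. CHECK1 is either 'dynamic' or the name of the
	# address pool whose form field ($cgiparams{$name}) holds the
	# client's address.
	# NOTE(review): [2] becomes a path component here. For 'certgen' it
	# is restricted to [a-zA-Z0-9 ,.-_] above, but for uploaded
	# certificates/requests it is taken from the subject CN with only
	# ',' and "'" stripped - confirm it cannot contain '/' or '..'.
	my ($ccdip) = split "/", $cgiparams{$name};
	my $ccdfile = "${General::swroot}/ovpn/ccd/$confighash{$key}[2]";

	# Remove any stale file for this client before writing the new one
	# (the previous code tested [2] but unlinked CERT_NAME, which is
	# empty when editing an existing connection).
	if ( -e $ccdfile ){
		unlink $ccdfile;
	}
	open ( my $ccd, '>', $ccdfile ) or die "Unable to create clientconfigfile $!";
	print $ccd "# OpenVPN clientconfig from ccd extension by Copymaster#\n\n";
	if($cgiparams{'CHECK1'} eq 'dynamic'){
		print $ccd "#This client uses the dynamic pool\n";
	}else{
		# Static address: push the client IP and its peer address.
		print $ccd "#Ip address client and server\n";
		print $ccd "ifconfig-push $ccdip ".&General::getlastip($ccdip,1)."\n";
	}
	if ($confighash{$key}[34] eq 'on'){
		print $ccd "\n#Redirect Gateway: \n#All IP traffic is redirected through the vpn \n";
		print $ccd "push redirect-gateway\n";
	}
	# Networks behind the client (iroute) come from the ccdroute table.
	&General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
	if ($cgiparams{'IR'} ne ''){
		print $ccd "\n#Client routes these networks (behind Client)\n";
		foreach my $rkey (keys %ccdroutehash){
			next unless $ccdroutehash{$rkey}[0] eq $cgiparams{'NAME'};
			foreach my $i ( 1 .. $#{$ccdroutehash{$rkey}}){
				my ($net,$mask)=split (/\//,$ccdroutehash{$rkey}[$i]);
				print $ccd "iroute $net $mask\n";
			}
		}
	}
	# Networks behind IPFire the client should receive routes for.
	if ($cgiparams{'IFROUTE'} eq $Lang::tr{'ccd none'} ){$cgiparams{'IFROUTE'}='';}
	if ($cgiparams{'IFROUTE'} ne ''){
		print $ccd "\n#Client gets routes to these networks (behind IPFire)\n";
		foreach my $rkey (keys %ccdroute2hash){
			next unless $ccdroute2hash{$rkey}[0] eq $cgiparams{'NAME'};
			foreach my $i ( 1 .. $#{$ccdroute2hash{$rkey}}){
				# Every pushed "route" option must be fully quoted; the
				# blue/orange lines previously lacked the closing quote
				# and produced an unterminated option in the ccd file.
				# NOTE(review): the GREEN default above uses *_NETADDRESS,
				# these use the interface address *_ADDRESS - confirm
				# which key is intended here.
				if($ccdroute2hash{$rkey}[$i] eq $Lang::tr{'blue'}){
					my %blue=();
					&General::readhash("${General::swroot}/ethernet/settings", \%blue);
					print $ccd "push \"route $blue{BLUE_ADDRESS} $blue{BLUE_NETMASK}\"\n";
				}elsif($ccdroute2hash{$rkey}[$i] eq $Lang::tr{'orange'}){
					my %orange=();
					&General::readhash("${General::swroot}/ethernet/settings", \%orange);
					print $ccd "push \"route $orange{ORANGE_ADDRESS} $orange{ORANGE_NETMASK}\"\n";
				}else{
					my ($net,$mask)=split (/\//,$ccdroute2hash{$rkey}[$i]);
					print $ccd "push \"route $net $mask\"\n";
				}
			}
		}
	}
	# If only the second DNS server was filled in, promote it to the
	# first slot (the old condition compared CCD_DNS1 with itself and
	# could never fire).
	if(($cgiparams{'CCD_DNS1'} eq '') && ($cgiparams{'CCD_DNS2'} ne '')){ $cgiparams{'CCD_DNS1'} = $cgiparams{'CCD_DNS2'};$cgiparams{'CCD_DNS2'}='';}
	if($cgiparams{'CCD_DNS1'} ne ''){
		print $ccd "\n#Client gets these nameservers\n";
		print $ccd "push \"dhcp-option DNS $cgiparams{'CCD_DNS1'}\" \n";
	}
	if($cgiparams{'CCD_DNS2'} ne ''){
		print $ccd "push \"dhcp-option DNS $cgiparams{'CCD_DNS2'}\" \n";
	}
	if($cgiparams{'CCD_WINS'} ne ''){
		print $ccd "\n#Client gets this WINS server\n";
		print $ccd "push \"dhcp-option WINS $cgiparams{'CCD_WINS'}\" \n";
	}
	# Buffered write errors only surface at close().
	close $ccd or die "Unable to write clientconfigfile $!";
}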
4416
4417###
4418# m.a.d n2n begin
4419###
66c36198 4420
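if ($cgiparams{'TYPE'} eq 'net') {
	# A running N2N instance is identified by its pid file, named after
	# the connection name in [1]. $key (set when the config was saved
	# above) is used for every lookup: for a new connection
	# $cgiparams{'KEY'} is empty, so the previous
	# $confighash{$cgiparams{'KEY'}}[1] dereferenced a missing entry,
	# handed an empty name to openvpnctrl, and the re-declared inner
	# $key then allocated and wrote an empty config entry.
	if (-e "/var/run/$confighash{$key}[1]n2n.pid") {
		&General::system("/usr/local/bin/openvpnctrl", "-kn2n", "$confighash{$key}[1]");

		# Re-read the config written above, mark the connection enabled
		# and bring it back up with the new settings.
		# NOTE(review): this forces [0] to 'on' regardless of the ENABLED
		# value just saved, so disabling a running N2N connection from
		# the form still restarts it - confirm that is intended.
		&General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
		$confighash{$key}[0] = 'on';
		&General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);

		&General::system("/usr/local/bin/openvpnctrl", "-sn2n", "$confighash{$key}[1]");
	}
}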
4441
4442###
4443# m.a.d n2n end
66c36198 4444###
18837a6a 4445
4446 if ($cgiparams{'EDIT_ADVANCED'} eq 'on') {
4447 $cgiparams{'KEY'} = $key;
4448 $cgiparams{'ACTION'} = $Lang::tr{'advanced'};
4449 }
4450 goto VPNCONF_END;
6e13d0a5 4451 } else {
c6c9630e 4452 $cgiparams{'ENABLED'} = 'on';
4453###
4454# m.a.d n2n begin
66c36198 4455###
4456 $cgiparams{'MSSFIX'} = 'on';
4457 $cgiparams{'FRAGMENT'} = '1300';
70900745 4458 $cgiparams{'DAUTH'} = 'SHA512';
4459###
4460# m.a.d n2n end
66c36198 4461###
4c962356 4462 $cgiparams{'SIDE'} = 'left';
4463 if ( ! -f "${General::swroot}/ovpn/ca/cakey.pem" ) {
4464 $cgiparams{'AUTH'} = 'psk';
4465 } elsif ( ! -f "${General::swroot}/ovpn/ca/cacert.pem") {
4466 $cgiparams{'AUTH'} = 'certfile';
4467 } else {
6e13d0a5 4468 $cgiparams{'AUTH'} = 'certgen';
4469 }
4470 $cgiparams{'LOCAL_SUBNET'} ="$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
4471 $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'};
4472 $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'};
4473 $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'};
4474 $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'};
c0a7c9b2 4475 $cgiparams{'DAYS_VALID'} = $vpnsettings{'DAYS_VALID'} = '730';
6e13d0a5 4476 }
c6c9630e 4477
6e13d0a5 4478 VPNCONF_ERROR:
4479 $checked{'ENABLED'}{'off'} = '';
4480 $checked{'ENABLED'}{'on'} = '';
4481 $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = 'CHECKED';
4482 $checked{'ENABLED_BLUE'}{'off'} = '';
4483 $checked{'ENABLED_BLUE'}{'on'} = '';
4484 $checked{'ENABLED_BLUE'}{$cgiparams{'ENABLED_BLUE'}} = 'CHECKED';
4485 $checked{'ENABLED_ORANGE'}{'off'} = '';
4486 $checked{'ENABLED_ORANGE'}{'on'} = '';
4487 $checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = 'CHECKED';
4488
4489
4490 $checked{'EDIT_ADVANCED'}{'off'} = '';
4491 $checked{'EDIT_ADVANCED'}{'on'} = '';
4492 $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = 'CHECKED';
c6c9630e 4493
4494 $selected{'SIDE'}{'server'} = '';
4495 $selected{'SIDE'}{'client'} = '';
4496 $selected{'SIDE'}{$cgiparams{'SIDE'}} = 'SELECTED';
66c36198 4497
4498 $selected{'PROTOCOL'}{'udp'} = '';
4499 $selected{'PROTOCOL'}{'tcp'} = '';
4500 $selected{'PROTOCOL'}{$cgiparams{'PROTOCOL'}} = 'SELECTED';
4501
c6c9630e 4502
4503 $checked{'AUTH'}{'psk'} = '';
4504 $checked{'AUTH'}{'certreq'} = '';
4505 $checked{'AUTH'}{'certgen'} = '';
4506 $checked{'AUTH'}{'certfile'} = '';
4507 $checked{'AUTH'}{$cgiparams{'AUTH'}} = 'CHECKED';
c6c9630e 4508
6e13d0a5 4509 $selected{'INTERFACE'}{$cgiparams{'INTERFACE'}} = 'SELECTED';
66c36198 4510
4511 $checked{'COMPLZO'}{'off'} = '';
4512 $checked{'COMPLZO'}{'on'} = '';
4513 $checked{'COMPLZO'}{$cgiparams{'COMPLZO'}} = 'CHECKED';
c6c9630e 4514
4515 $checked{'MSSFIX'}{'off'} = '';
4516 $checked{'MSSFIX'}{'on'} = '';
4517 $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
4518
4519 $selected{'DCIPHER'}{'AES-256-GCM'} = '';
4520 $selected{'DCIPHER'}{'AES-192-GCM'} = '';
4521 $selected{'DCIPHER'}{'AES-128-GCM'} = '';
4522 $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
4523 $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
4524 $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
4525 $selected{'DCIPHER'}{'AES-256-CBC'} = '';
4526 $selected{'DCIPHER'}{'AES-192-CBC'} = '';
4527 $selected{'DCIPHER'}{'AES-128-CBC'} = '';
4528 $selected{'DCIPHER'}{'DESX-CBC'} = '';
4529 $selected{'DCIPHER'}{'SEED-CBC'} = '';
4530 $selected{'DCIPHER'}{'DES-EDE3-CBC'} = '';
4531 $selected{'DCIPHER'}{'DES-EDE-CBC'} = '';
4532 $selected{'DCIPHER'}{'CAST5-CBC'} = '';
4533 $selected{'DCIPHER'}{'BF-CBC'} = '';
4c962356 4534 $selected{'DCIPHER'}{'DES-CBC'} = '';
4535 # If no cipher has been chossen yet, select
4536 # the old default (AES-256-CBC) for compatiblity reasons.
4537 if ($cgiparams{'DCIPHER'} eq '') {
4538 $cgiparams{'DCIPHER'} = 'AES-256-CBC';
4539 }
4c962356 4540 $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED';
4541 $selected{'DAUTH'}{'whirlpool'} = '';
4542 $selected{'DAUTH'}{'SHA512'} = '';
4543 $selected{'DAUTH'}{'SHA384'} = '';
4544 $selected{'DAUTH'}{'SHA256'} = '';
4545 $selected{'DAUTH'}{'SHA1'} = '';
49abe7af 4546 $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';
4547 $checked{'TLSAUTH'}{'off'} = '';
4548 $checked{'TLSAUTH'}{'on'} = '';
4549 $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED';
49abe7af 4550
4551 if (1) {
4552 &Header::showhttpheaders();
4c962356 4553 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
4554 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
4555 if ($errormessage) {
4556 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
4557 print "<class name='base'>$errormessage";
4558 print "&nbsp;</class>";
4559 &Header::closebox();
4560 }
c6c9630e 4561
4562 if ($warnmessage) {
4563 &Header::openbox('100%', 'LEFT', "$Lang::tr{'warning messages'}:");
4564 print "<class name='base'>$warnmessage";
4565 print "&nbsp;</class>";
4566 &Header::closebox();
4567 }
c6c9630e 4568
6e13d0a5 4569 print "<form method='post' enctype='multipart/form-data'>";
ce9abb66 4570 print "<input type='hidden' name='TYPE' value='$cgiparams{'TYPE'}' />";
c6c9630e 4571
4572 if ($cgiparams{'KEY'}) {
4573 print "<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />";
4574 print "<input type='hidden' name='AUTH' value='$cgiparams{'AUTH'}' />";
6e13d0a5 4575 }
c6c9630e 4576
6e13d0a5 4577 &Header::openbox('100%', 'LEFT', "$Lang::tr{'connection'}:");
8c877a82 4578 print "<table width='100%' border='0'>\n";
4c962356 4579
e3edceeb 4580 print "<tr><td width='14%' class='boldbase'>$Lang::tr{'name'}:&nbsp;<img src='/blob.gif' alt='*' /></td>";
66c36198 4581
ce9abb66 4582 if ($cgiparams{'TYPE'} eq 'host') {
6e13d0a5 4583 if ($cgiparams{'KEY'}) {
8c877a82 4584 print "<td width='35%' class='base'><input type='hidden' name='NAME' value='$cgiparams{'NAME'}' />$cgiparams{'NAME'}</td>";
4585 } else {
4586 print "<td width='35%'><input type='text' name='NAME' value='$cgiparams{'NAME'}' maxlength='20' size='30' /></td>";
4587 }
4588# print "<tr><td>$Lang::tr{'interface'}</td>";
4589# print "<td><select name='INTERFACE'>";
4590# print "<option value='RED' $selected{'INTERFACE'}{'RED'}>RED</option>";
4591# if ($netsettings{'BLUE_DEV'} ne '') {
4592# print "<option value='BLUE' $selected{'INTERFACE'}{'BLUE'}>BLUE</option>";
4593# }
4594# print "<option value='GREEN' $selected{'INTERFACE'}{'GREEN'}>GREEN</option>";
4595# print "<option value='ORANGE' $selected{'INTERFACE'}{'ORANGE'}>ORANGE</option>";
4596# print "</select></td></tr>";
4597# print <<END;
4598 } else {
4599 print "<input type='hidden' name='INTERFACE' value='red' />";
4600 if ($cgiparams{'KEY'}) {
4601 print "<td width='25%' class='base' nowrap='nowrap'><input type='hidden' name='NAME' value='$cgiparams{'NAME'}' />$cgiparams{'NAME'}</td>";
4602 } else {
4603 print "<td width='25%'><input type='text' name='NAME' value='$cgiparams{'NAME'}' maxlength='20' /></td>";
4604 }
4605
4606 # If a GCM cipher is in use, the HMAC menu is disabled
4607 my $hmacdisabled;
4608 if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') ||
4609 ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') ||
4610 ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) {
4611 $hmacdisabled = "disabled='disabled'";
4612 };
4613
4c962356 4614 print <<END;
ce9abb66 4615 <td width='25%'>&nbsp;</td>
66c36198 4616 <td width='25%'>&nbsp;</td></tr>
4617 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'Act as'}</td>
4618 <td><select name='SIDE'>
4619 <option value='server' $selected{'SIDE'}{'server'}>$Lang::tr{'openvpn server'}</option>
4620 <option value='client' $selected{'SIDE'}{'client'}>$Lang::tr{'openvpn client'}</option>
4621 </select>
4622 </td>
4c962356 4623
4624 <td class='boldbase'>$Lang::tr{'remote host/ip'}:</td>
4625 <td><input type='TEXT' name='REMOTE' value='$cgiparams{'REMOTE'}' /></td>
4626 </tr>
4c962356 4627
e3edceeb 4628 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'local subnet'}&nbsp;<img src='/blob.gif' alt='*' /></td>
f527e53f 4629 <td><input type='TEXT' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' /></td>
4c962356 4630
e3edceeb 4631 <td class='boldbase' nowrap='nowrap'>$Lang::tr{'remote subnet'}&nbsp;<img src='/blob.gif' alt='*' /></td>
4632 <td><input type='text' name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' /></td>
4633 </tr>
4c962356 4634
e3edceeb 4635 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn subnet'}&nbsp;<img src='/blob.gif' alt='*' /></td>
f527e53f 4636 <td><input type='TEXT' name='OVPN_SUBNET' value='$cgiparams{'OVPN_SUBNET'}' /></td>
49abe7af 4637
4638 <td class='boldbase' nowrap='nowrap'>$Lang::tr{'protocol'}</td>
4639 <td><select name='PROTOCOL'>
4640 <option value='udp' $selected{'PROTOCOL'}{'udp'}>UDP</option>
4641 <option value='tcp' $selected{'PROTOCOL'}{'tcp'}>TCP</option></select></td>
4642 </tr>
66c36198 4643
f527e53f 4644 <tr>
e3edceeb 4645 <td class='boldbase'>$Lang::tr{'destination port'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
f527e53f 4646 <td><input type='TEXT' name='DEST_PORT' value='$cgiparams{'DEST_PORT'}' size='5' /></td>
4c962356 4647
e3edceeb 4648 <td class='boldbase' nowrap='nowrap'>Management Port ($Lang::tr{'openvpn default'}: <span class="base">$Lang::tr{'destination port'}):</td>
4649 <td> <input type='TEXT' name='OVPN_MGMT' VALUE='$cgiparams{'OVPN_MGMT'}'size='5' /></td>
4650 </tr>
49abe7af 4651
f527e53f 4652 <tr><td colspan=4><hr /></td></tr><tr>
66c36198 4653
f527e53f 4654 <tr>
f99ed824 4655 <td class='base'><b>$Lang::tr{'MTU settings'}</b></td>
f527e53f 4656 </tr>
49abe7af 4657
e3edceeb 4658 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'MTU'}</td>
4659 <td><input type='TEXT' name='MTU' VALUE='$cgiparams{'MTU'}'size='5' /></td>
4660 <td colspan='2'>$Lang::tr{'openvpn default'}: udp/tcp <span class="base">1500/1400</span></td>
4661 </tr>
4c962356 4662
e3edceeb 4663 <tr><td class='boldbase' nowrap='nowrap'>fragment:</td>
4664 <td><input type='TEXT' name='FRAGMENT' VALUE='$cgiparams{'FRAGMENT'}'size='5' /></td>
4665 <td>$Lang::tr{'openvpn default'}: <span class="base">1300</span></td>
4666 </tr>
4c962356 4667
e3edceeb 4668 <tr><td class='boldbase' nowrap='nowrap'>mssfix:</td>
4669 <td><input type='checkbox' name='MSSFIX' $checked{'MSSFIX'}{'on'} /></td>
4670 <td>$Lang::tr{'openvpn default'}: <span class="base">on</span></td>
4671 </tr>
4c962356 4672
e3edceeb 4673 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'}</td>
4674 <td><input type='checkbox' name='COMPLZO' $checked{'COMPLZO'}{'on'} /></td>
4675 </tr>
2ee746be 4676
4677<tr><td colspan=4><hr /></td></tr><tr>
4678 <tr>
f99ed824 4679 <td class='base'><b>$Lang::tr{'ovpn crypt options'}:</b></td>
4680 </tr>
4681
4682 <tr><td class='boldbase'>$Lang::tr{'cipher'}</td>
4683 <td><select name='DCIPHER' id="n2ncipher" required>
4684 <option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
4685 <option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
4686 <option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
4687 <option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
4688 <option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
4689 <option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
f7fb5bc5 4690 <option value='AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'}, $Lang::tr{'default'})</option>
4691 <option value='AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
4692 <option value='AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
4693 <option value='SEED-CBC' $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
4694 <option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
4695 <option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
4696 <option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
4697 <option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
4698 <option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
4699 </select>
4700 </td>
4701
4702 <td class='boldbase'>$Lang::tr{'ovpn ha'}:</td>
52f61e49 4703 <td><select name='DAUTH' id="n2nhmac" $hmacdisabled>
4704 <option value='whirlpool' $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
4705 <option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
4706 <option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
4707 <option value='SHA256' $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
f3dfb261 4708 <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
4709 </select>
4710 </td>
4711 </tr>
4712 <tr><td colspan=4><hr /></td></tr><tr>
4713
ce9abb66 4714END
8c877a82 4715;
ce9abb66 4716 }
4717
4718#### JAVA SCRIPT ####
4719 # Validate the N2N cipher: if a GCM cipher is selected, the HMAC menu is disabled on change
4720print<<END;
4721 <script>
4722 var disable_options = false;
4723 document.getElementById('n2ncipher').onchange = function () {
4724 if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM")) {
4725 document.getElementById('n2nhmac').setAttribute('disabled', true);
4726 } else {
4727 document.getElementById('n2nhmac').removeAttribute('disabled');
4728 }
4729 }
4730 </script>
4731END
4732
2ee746be 4733#jumper
e3edceeb 4734 print "<tr><td class='boldbase'>$Lang::tr{'remark title'}</td>";
8c877a82 4735 print "<td colspan='3'><input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='55' maxlength='50' /></td></tr></table>";
66c36198 4736
ce9abb66 4737 if ($cgiparams{'TYPE'} eq 'host') {
8c877a82 4738 print "<tr><td>$Lang::tr{'enabled'} <input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /></td>";
66c36198 4739 }
ce9abb66 4740
8c877a82 4741 print"</tr></table><br><br>";
4742#A.Marx CCD new client
4743if ($cgiparams{'TYPE'} eq 'host') {
8c877a82 4744 print "<table border='0' width='100%' cellspacing='1' cellpadding='0'><tr><td colspan='3'><hr><br><b>$Lang::tr{'ccd choose net'}</td></tr><tr><td height='20' colspan='3'></td></tr>";
4745 my %vpnnet=();
4746 my $vpnip;
4747 &General::readhash("${General::swroot}/ovpn/settings", \%vpnnet);
4748 $vpnip=$vpnnet{'DOVPN_SUBNET'};
4749 &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
4750 my @ccdconf=();
4751 my $count=0;
4752 my $checked;
4753 $checked{'check1'}{'off'} = '';
4754 $checked{'check1'}{'on'} = '';
4755 $checked{'check1'}{$cgiparams{'CHECK1'}} = 'CHECKED';
4756 print"<tr><td align='center' width='1%' valign='top'><input type='radio' name='CHECK1' value='dynamic' checked /></td><td align='left' valign='top' width='35%'>$Lang::tr{'ccd dynrange'} ($vpnip)</td><td width='30%'>";
4757 print"</td></tr></table><br><br>";
4758 my $name=$cgiparams{'CHECK1'};
4759 $checked{'RG'}{$cgiparams{'RG'}} = 'CHECKED';
e1e10515 4760 $checked{'OTP_STATE'}{$cgiparams{'OTP_STATE'}} = 'CHECKED';
4761
4762 if (! -z "${General::swroot}/ovpn/ccd.conf"){
8c877a82 4763 print"<table border='0' width='100%' cellspacing='1' cellpadding='0'><tr><td width='1%'></td><td width='30%' class='boldbase' align='center'><b>$Lang::tr{'ccd name'}</td><td width='15%' class='boldbase' align='center'><b>$Lang::tr{'network'}</td><td class='boldbase' align='center' width='18%'><b>$Lang::tr{'ccd clientip'}</td></tr>";
df9b48b7 4764 foreach my $key (sort { uc($ccdconfhash{$a}[0]) cmp uc($ccdconfhash{$b}[0]) } keys %ccdconfhash) {
4765 $count++;
4766 @ccdconf=($ccdconfhash{$key}[0],$ccdconfhash{$key}[1]);
4767 if ($count % 2){print"<tr bgcolor='$color{'color22'}'>";}else{print"<tr bgcolor='$color{'color20'}'>";}
4768 print"<td align='center' width='1%'><input type='radio' name='CHECK1' value='$ccdconf[0]' $checked{'check1'}{$ccdconf[0]}/></td><td>$ccdconf[0]</td><td width='40%' align='center'>$ccdconf[1]</td><td align='left' width='10%'>";
4769 &fillselectbox($ccdconf[1],$ccdconf[0],$cgiparams{$name});
4770 print"</td></tr>";
4771 }
4772 print "</table><br><br><hr><br><br>";
4773 }
e81be1e1 4774}
8c877a82 4775# ccd end
4776 &Header::closebox();
4777 if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') {
66c36198 4778
8c877a82 4779 } elsif (! $cgiparams{'KEY'}) {
4780
4781
4782 my $disabled='';
4783 my $cakeydisabled='';
4784 my $cacrtdisabled='';
4785 if ( ! -f "${General::swroot}/ovpn/ca/cakey.pem" ) { $cakeydisabled = "disabled='disabled'" } else { $cakeydisabled = "" };
4786 if ( ! -f "${General::swroot}/ovpn/ca/cacert.pem" ) { $cacrtdisabled = "disabled='disabled'" } else { $cacrtdisabled = "" };
66c36198 4787
6e13d0a5 4788 &Header::openbox('100%', 'LEFT', $Lang::tr{'authentication'});
4789
4790
4791 if ($cgiparams{'TYPE'} eq 'host') {
4792
49abe7af 4793 print <<END;
6e13d0a5 4794 <table width='100%' cellpadding='0' cellspacing='5' border='0'>
66c36198 4795
4796 <tr><td><input type='radio' name='AUTH' value='certreq' $checked{'AUTH'}{'certreq'} $cakeydisabled /></td><td class='base'>$Lang::tr{'upload a certificate request'}</td><td class='base' rowspan='2'><input type='file' name='FH' size='30' $cacrtdisabled></td></tr>
4797 <tr><td><input type='radio' name='AUTH' value='certfile' $checked{'AUTH'}{'certfile'} $cacrtdisabled /></td><td class='base'>$Lang::tr{'upload a certificate'}</td></tr>
4798 <tr><td colspan='3'>&nbsp;</td></tr>
4799 <tr><td colspan='3'><hr /></td></tr>
4800 <tr><td colspan='3'>&nbsp;</td></tr>
ce9abb66 4801 <tr><td><input type='radio' name='AUTH' value='certgen' $checked{'AUTH'}{'certgen'} $cakeydisabled /></td><td class='base'>$Lang::tr{'generate a certificate'}</td><td>&nbsp;</td></tr>
4802 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'users fullname or system hostname'}:&nbsp;<img src='/blob.gif' alt='*' /></td><td class='base' nowrap='nowrap'><input type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' SIZE='32' $cakeydisabled /></td></tr>
4803 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'users email'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' SIZE='32' $cakeydisabled /></td></tr>
4804 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'users department'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' SIZE='32' $cakeydisabled /></td></tr>
4805 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'organization name'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' SIZE='32' $cakeydisabled /></td></tr>
4806 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'city'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' SIZE='32' $cakeydisabled /></td></tr>
4807 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'state or province'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' SIZE='32' $cakeydisabled /></td></tr>
ce9abb66 4808 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'country'}:</td><td class='base'><select name='CERT_COUNTRY' $cakeydisabled>
6e13d0a5 4809END
4810;
4811
4812###
7c1d9faf 4813# m.a.d net2net
4814###
4815
4816} else {
4817
49abe7af 4818 print <<END;
ce9abb66 4819 <table width='100%' cellpadding='0' cellspacing='5' border='0'>
66c36198 4820
ce9abb66 4821 <tr><td><input type='radio' name='AUTH' value='certgen' $checked{'AUTH'}{'certgen'} $cakeydisabled /></td><td class='base'>$Lang::tr{'generate a certificate'}</td><td>&nbsp;</td></tr>
4822 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'users fullname or system hostname'}:&nbsp;<img src='/blob.gif' alt='*' /></td><td class='base' nowrap='nowrap'><input type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' SIZE='32' $cakeydisabled /></td></tr>
4823 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'users email'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' SIZE='32' $cakeydisabled /></td></tr>
4824 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'users department'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' SIZE='32' $cakeydisabled /></td></tr>
4825 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'organization name'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' SIZE='32' $cakeydisabled /></td></tr>
4826 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'city'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' SIZE='32' $cakeydisabled /></td></tr>
4827 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'state or province'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' SIZE='32' $cakeydisabled /></td></tr>
ce9abb66 4828 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'country'}:</td><td class='base'><select name='CERT_COUNTRY' $cakeydisabled>
4829
4830
4831END
4832;
4833
4834}
4835
4836###
7c1d9faf 4837# m.a.d net2net
ce9abb66 4838###
c6c9630e 4839
4840 foreach my $country (sort keys %{Countries::countries}) {
4841 print "<option value='$Countries::countries{$country}'";
4842 if ( $Countries::countries{$country} eq $cgiparams{'CERT_COUNTRY'} ) {
4843 print " selected='selected'";
4844 }
4845 print ">$country</option>";
4846 }
ce9abb66 4847###
7c1d9faf 4848# m.a.d net2net
4849###
4850
4851if ($cgiparams{'TYPE'} eq 'host') {
49abe7af 4852 print <<END;
f4fbb935 4853 </select></td></tr>
425465ed 4854 <td>&nbsp;</td><td class='base'>$Lang::tr{'valid till'} (days):&nbsp;<img src='/blob.gif' alt='*' /</td>
4855 <td class='base' nowrap='nowrap'><input type='text' name='DAYS_VALID' value='$cgiparams{'DAYS_VALID'}' size='32' $cakeydisabled /></td></tr>
4856 <tr><td>&nbsp;</td>
4857 <td class='base'>$Lang::tr{'pkcs12 file password'}:</td>
4858 <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS1' value='$cgiparams{'CERT_PASS1'}' size='32' $cakeydisabled /></td></tr>
f4fbb935 4859 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'pkcs12 file password'}:<br>($Lang::tr{'confirmation'})</td>
6e13d0a5 4860 <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS2' value='$cgiparams{'CERT_PASS2'}' size='32' $cakeydisabled /></td></tr>
4861 <tr><td colspan='3'>&nbsp;</td></tr>
4862 <tr><td colspan='3'><hr /></td></tr>
e3edceeb 4863 <tr><td class='base' colspan='3' align='left'><img src='/blob.gif' alt='*' />&nbsp;$Lang::tr{'required field'}</td></tr>
f4fbb935 4864 </table>
4865END
4866}else{
49abe7af 4867 print <<END;
f4fbb935 4868 </select></td></tr>
425465ed 4869 <td>&nbsp;</td><td class='base'>$Lang::tr{'valid till'} (days):&nbsp;<img src='/blob.gif' alt='*' /</td>
4870 <td class='base' nowrap='nowrap'><input type='text' name='DAYS_VALID' value='$cgiparams{'DAYS_VALID'}' size='32' $cakeydisabled /></td></tr>
4871 <tr><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td></tr>
4872 <tr><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td></tr>
4873 <tr><td colspan='3'><hr /></td></tr>
e3edceeb 4874 <tr><td class='base' colspan='3' align='left'><img src='/blob.gif' alt='*' />&nbsp;$Lang::tr{'required field'}</td></tr>
ce9abb66 4875 </table>
66c36198 4876
c6c9630e 4877END
4878}
4879
4880###
7c1d9faf 4881# m.a.d net2net
ce9abb66 4882###
4883 ;
4884 &Header::closebox();
66c36198 4885
8c877a82 4886 }
e81be1e1 4887
66c36198 4888#A.Marx CCD new client
e81be1e1 4889if ($cgiparams{'TYPE'} eq 'host') {
4890 print"<br><br>";
4891 &Header::openbox('100%', 'LEFT', "$Lang::tr{'ccd client options'}:");
4892
66c36198 4893
4894 print <<END;
4895 <table border='0' width='100%'>
e1e10515 4896 <tr><td width='20%'>$Lang::tr{'enable otp'}:</td><td colspan='3'><input type='checkbox' name='OTP_STATE' $checked{'OTP_STATE'}{'on'} /></td></tr>
4897 <tr><td width='20%'>Redirect Gateway:</td><td colspan='3'><input type='checkbox' name='RG' $checked{'RG'}{'on'} /></td></tr>
4898 <tr><td colspan='4'><b><br>$Lang::tr{'ccd routes'}</b></td></tr>
4899 <tr><td colspan='4'>&nbsp</td></tr>
4900 <tr><td valign='top'>$Lang::tr{'ccd iroute'}</td><td align='left' width='30%'><textarea name='IR' cols='26' rows='6' wrap='off'>
4901END
66c36198 4902
4903 if ($cgiparams{'IR'} ne ''){
4904 print $cgiparams{'IR'};
4905 }else{
4906 &General::readhasharray ("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
4907 foreach my $key (keys %ccdroutehash) {
4908 if( $cgiparams{'NAME'} eq $ccdroutehash{$key}[0]){
4909 foreach my $i (1 .. $#{$ccdroutehash{$key}}) {
4910 if ($ccdroutehash{$key}[$i] ne ''){
4911 print $ccdroutehash{$key}[$i]."\n";
4912 }
4913 $cgiparams{'IR'} .= $ccdroutehash{$key}[$i];
4914 }
4915 }
4916 }
c6c9630e 4917 }
66c36198 4918
4919 print <<END;
4920</textarea></td><td valign='top' colspan='2'>$Lang::tr{'ccd iroutehint'}</td></tr>
4921 <tr><td colspan='4'><br></td></tr>
4922 <tr><td valign='top' rowspan='3'>$Lang::tr{'ccd iroute2'}</td><td align='left' valign='top' rowspan='3'><select name='IFROUTE' style="width: 205px"; size='6' multiple>
4923END
66c36198 4924
4925 my $set=0;
4926 my $selorange=0;
4927 my $selblue=0;
4928 my $selgreen=0;
4929 my $helpblue=0;
4930 my $helporange=0;
4931 my $other=0;
df9b48b7 4932 my $none=0;
52d08bcb 4933 my @temp=();
66c36198 4934
8c877a82 4935 our @current = ();
4936 open(FILE, "${General::swroot}/main/routing") ;
4937 @current = <FILE>;
4938 close (FILE);
66c36198 4939 &General::readhasharray ("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
4940 #check for "none"
4941 foreach my $key (keys %ccdroute2hash) {
4942 if($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}){
4943 if ($ccdroute2hash{$key}[1] eq ''){
4944 $none=1;
4945 last;
4946 }
4947 }
4948 }
4949 if ($none ne '1'){
4950 print"<option>$Lang::tr{'ccd none'}</option>";
4951 }else{
4952 print"<option selected>$Lang::tr{'ccd none'}</option>";
4953 }
4954 #check if static routes are defined for client
4955 foreach my $line (@current) {
66c36198 4956 chomp($line);
4957 $line=~s/\s*$//g; # remove newline
4958 @temp=split(/\,/,$line);
4959 $temp[1] = '' unless defined $temp[1]; # not always populated
4960 my ($a,$b) = split(/\//,$temp[1]);
4961 $temp[1] = $a."/".&General::iporsubtocidr($b);
4962 foreach my $key (keys %ccdroute2hash) {
4963 if($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}){
4964 foreach my $i (1 .. $#{$ccdroute2hash{$key}}) {
4965 if($ccdroute2hash{$key}[$i] eq $a."/".&General::iporsubtodec($b)){
4966 $set=1;
4967 }
4968 }
8c877a82 4969 }
4970 }
4971 if ($set == '1' && $#temp != -1){ print"<option selected>$temp[1]</option>";$set=0;}elsif($set == '0' && $#temp != -1){print"<option>$temp[1]</option>";}
66c36198 4972 }
4973
4974 my %vpnconfig = ();
4975 &General::readhasharray("${General::swroot}/vpn/config", \%vpnconfig);
4976 foreach my $vpn (keys %vpnconfig) {
4977 # Skip all disabled VPN connections
4978 my $enabled = $vpnconfig{$vpn}[0];
4979 next unless ($enabled eq "on");
4980
4981 my $name = $vpnconfig{$vpn}[1];
4982
4983 # Remote subnets
4984 my @networks = split(/\|/, $vpnconfig{$vpn}[11]);
4985 foreach my $network (@networks) {
4986 my $selected = "";
4987
4988 foreach my $key (keys %ccdroute2hash) {
4989 if ($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}) {
4990 foreach my $i (1 .. $#{$ccdroute2hash{$key}}) {
4991 if ($ccdroute2hash{$key}[$i] eq $network) {
4992 $selected = "selected";
4993 }
4994 }
4995 }
4996 }
4997
4998 print "<option value=\"$network\" $selected>$name ($network)</option>\n";
4999 }
5000 }
5001
5002 #check if the green, blue or orange networks are defined for the client
5003 foreach my $key (keys %ccdroute2hash) {
5004 if($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}){
5005 $other=1;
5006 foreach my $i (1 .. $#{$ccdroute2hash{$key}}) {
5007 if ($ccdroute2hash{$key}[$i] eq $netsettings{'GREEN_NETADDRESS'}."/".&General::iporsubtodec($netsettings{'GREEN_NETMASK'})){
5008 $selgreen=1;
5009 }
5010 if (&haveBlueNet()){
5011 if( $ccdroute2hash{$key}[$i] eq $netsettings{'BLUE_NETADDRESS'}."/".&General::iporsubtodec($netsettings{'BLUE_NETMASK'})) {
5012 $selblue=1;
5013 }
5014 }
5015 if (&haveOrangeNet()){
5016 if( $ccdroute2hash{$key}[$i] eq $netsettings{'ORANGE_NETADDRESS'}."/".&General::iporsubtodec($netsettings{'ORANGE_NETMASK'}) ) {
5017 $selorange=1;
5018 }
5019 }
5020 }
5021 }
5022 }
5023 if (&haveBlueNet() && $selblue == '1'){ print"<option selected>$Lang::tr{'blue'}</option>";$selblue=0;}elsif(&haveBlueNet() && $selblue == '0'){print"<option>$Lang::tr{'blue'}</option>";}
66c36198 5024 if (&haveOrangeNet() && $selorange == '1'){ print"<option selected>$Lang::tr{'orange'}</option>";$selorange=0;}elsif(&haveOrangeNet() && $selorange == '0'){print"<option>$Lang::tr{'orange'}</option>";}
52d08bcb 5025 if ($selgreen == '1' || $other == '0'){ print"<option selected>$Lang::tr{'green'}</option>";$set=0;}else{print"<option>$Lang::tr{'green'}</option>";};
66c36198 5026
49abe7af 5027 print<<END;
5028 </select></td><td valign='top'>DNS1:</td><td valign='top'><input type='TEXT' name='CCD_DNS1' value='$cgiparams{'CCD_DNS1'}' size='30' /></td></tr>
5029 <tr valign='top'><td>DNS2:</td><td><input type='TEXT' name='CCD_DNS2' value='$cgiparams{'CCD_DNS2'}' size='30' /></td></tr>
5030 <tr valign='top'><td valign='top'>WINS:</td><td><input type='TEXT' name='CCD_WINS' value='$cgiparams{'CCD_WINS'}' size='30' /></td></tr></table><br><hr>
66c36198 5031
5032END
5033;
5034 &Header::closebox();
e81be1e1 5035}
5036 print "<div align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />";
5037 if ($cgiparams{'KEY'}) {
5038# print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced'}' />";
5039 }
5040 print "<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></div></form>";
5041 &Header::closebigbox();
5042 &Header::closepage();
5043 exit (0);
6e13d0a5 5044 }
c6c9630e 5045 VPNCONF_END:
6e13d0a5 5046}
5047
5048# SETTINGS_ERROR:
5049###
5050### Default status page
5051###
5052 %cgiparams = ();
5053 %cahash = ();
5054 %confighash = ();
5055 &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams);
5056 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
5057 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
5058
5059 open(FILE, "/var/run/ovpnserver.log");
5060 my @status = <FILE>;
5061 close(FILE);
5062
5063 if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {
5064 if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
5065 my $ipaddr = <IPADDR>;
5066 close IPADDR;
5067 chomp ($ipaddr);
5068 $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
5069 if ($cgiparams{'VPN_IP'} eq '') {
5070 $cgiparams{'VPN_IP'} = $ipaddr;
5071 }
5072 }
c6c9630e 5073 }
66c36198 5074
6e13d0a5 5075# set defaults
c6c9630e 5076 if ($cgiparams{'DCIPHER'} eq '') {
4c962356 5077 $cgiparams{'DCIPHER'} = 'AES-256-CBC';
c6c9630e 5078 }
c6c9630e 5079 if ($cgiparams{'DDEST_PORT'} eq '') {
4c962356 5080 $cgiparams{'DDEST_PORT'} = '1194';
5081 }
5082 if ($cgiparams{'DMTU'} eq '') {
5083 $cgiparams{'DMTU'} = '1400';
5084 }
5085 if ($cgiparams{'MSSFIX'} eq '') {
5086 $cgiparams{'MSSFIX'} = 'off';
5087 }
5088 if ($cgiparams{'DAUTH'} eq '') {
5089 if (-z "${General::swroot}/ovpn/ovpnconfig") {
5090 $cgiparams{'DAUTH'} = 'SHA512';
5091 }
5092 foreach my $key (keys %confighash) {
5093 if ($confighash{$key}[3] ne 'host') {
5094 $cgiparams{'DAUTH'} = 'SHA512';
5095 } else {
5096 $cgiparams{'DAUTH'} = 'SHA1';
5097 }
5098 }
5099 }
5100 if ($cgiparams{'TLSAUTH'} eq '') {
5101 $cgiparams{'TLSAUTH'} = 'off';
5102 }
c6c9630e 5103 if ($cgiparams{'DOVPN_SUBNET'} eq '') {
4c962356 5104 $cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0';
c6c9630e 5105 }
4c962356 5106 $checked{'ENABLED'}{'off'} = '';
5107 $checked{'ENABLED'}{'on'} = '';
5108 $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = 'CHECKED';
5109 $checked{'ENABLED_BLUE'}{'off'} = '';
5110 $checked{'ENABLED_BLUE'}{'on'} = '';
5111 $checked{'ENABLED_BLUE'}{$cgiparams{'ENABLED_BLUE'}} = 'CHECKED';
5112 $checked{'ENABLED_ORANGE'}{'off'} = '';
5113 $checked{'ENABLED_ORANGE'}{'on'} = '';
5114 $checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = 'CHECKED';
5115
5116 $selected{'DPROTOCOL'}{'udp'} = '';
5117 $selected{'DPROTOCOL'}{'tcp'} = '';
5118 $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
4c962356 5119
5120 $selected{'DCIPHER'}{'AES-256-GCM'} = '';
5121 $selected{'DCIPHER'}{'AES-192-GCM'} = '';
5122 $selected{'DCIPHER'}{'AES-128-GCM'} = '';
5123 $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
5124 $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
5125 $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
5126 $selected{'DCIPHER'}{'AES-256-CBC'} = '';
5127 $selected{'DCIPHER'}{'AES-192-CBC'} = '';
5128 $selected{'DCIPHER'}{'AES-128-CBC'} = '';
5129 $selected{'DCIPHER'}{'DES-EDE3-CBC'} = '';
5130 $selected{'DCIPHER'}{'DESX-CBC'} = '';
5131 $selected{'DCIPHER'}{'SEED-CBC'} = '';
5132 $selected{'DCIPHER'}{'DES-EDE-CBC'} = '';
5133 $selected{'DCIPHER'}{'CAST5-CBC'} = '';
5134 $selected{'DCIPHER'}{'BF-CBC'} = '';
4c962356 5135 $selected{'DCIPHER'}{'DES-CBC'} = '';
c6c9630e 5136 $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED';
5137
5138 $selected{'DAUTH'}{'whirlpool'} = '';
5139 $selected{'DAUTH'}{'SHA512'} = '';
5140 $selected{'DAUTH'}{'SHA384'} = '';
5141 $selected{'DAUTH'}{'SHA256'} = '';
5142 $selected{'DAUTH'}{'SHA1'} = '';
5143 $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';
5144
5145 $checked{'TLSAUTH'}{'off'} = '';
5146 $checked{'TLSAUTH'}{'on'} = '';
5147 $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED';
5148
5149 $checked{'DCOMPLZO'}{'off'} = '';
5150 $checked{'DCOMPLZO'}{'on'} = '';
5151 $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED';
4c962356 5152
5153# m.a.d
5154 $checked{'MSSFIX'}{'off'} = '';
5155 $checked{'MSSFIX'}{'on'} = '';
5156 $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
6e13d0a5 5157#new settings
5158 &Header::showhttpheaders();
5159 &Header::openpage($Lang::tr{'status ovpn'}, 1, '');
5160 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
6e13d0a5 5161
c6c9630e 5162 if ($errormessage) {
5163 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
5164 print "<class name='base'>$errormessage\n";
5165 print "&nbsp;</class>\n";
5166 &Header::closebox();
c6c9630e 5167 }
6e13d0a5 5168
5169 if ($cryptoerror) {
5170 &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto error'});
5171 print "<class name='base'>$cryptoerror";
5172 print "&nbsp;</class>";
5173 &Header::closebox();
5174 }
5175
5176 if ($cryptowarning) {
5177 &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto warning'});
5178 print "<class name='base'>$cryptowarning";
5179 print "&nbsp;</class>";
5180 &Header::closebox();
5181 }
5182
5183 if ($warnmessage) {
5184 &Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'});
5185 print "$warnmessage<br>";
5186 print "$Lang::tr{'fwdfw warn1'}<br>";
5187 &Header::closebox();
5188 print"<center><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'ok'}' style='width: 5em;'></form>";
5189 &Header::closepage();
5190 exit 0;
5191 }
5193 my $sactive = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourred}' width='50%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'stopped'}</font></b></td></tr></table>";
5194 my $srunning = "no";
5195 my $activeonrun = "";
5196 if ( -e "/var/run/openvpn.pid"){
6e13d0a5
MT
5197 $sactive = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourgreen}' width='50%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'running'}</font></b></td></tr></table>";
5198 $srunning ="yes";
5199 $activeonrun = "";
c6c9630e 5200 } else {
6e13d0a5 5201 $activeonrun = "disabled='disabled'";
66c36198
PM
5202 }
	# Global settings box.  The whole box is one POST form; the buttons in
	# its last row supply the ACTION.  The red-side checkbox is always
	# offered, the blue/orange ones only when that network exists here.
	&Header::openbox('100%', 'LEFT', $Lang::tr{'global settings'});
	print <<END;
	<table width='100%' border='0'>
	<form method='post'>
	<td width='25%'>&nbsp;</td>
	<td width='25%'>&nbsp;</td>
	<td width='25%'>&nbsp;</td></tr>
	<tr><td class='boldbase'>$Lang::tr{'ovpn server status'}</td>
	<td align='left'>$sactive</td>
	<tr><td class='boldbase'>$Lang::tr{'ovpn on red'}</td>
	<td><input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /></td>
END
	;
	if (&haveBlueNet()) {
		print "<tr><td class='boldbase'>$Lang::tr{'ovpn on blue'}</td>";
		print "<td><input type='checkbox' name='ENABLED_BLUE' $checked{'ENABLED_BLUE'}{'on'} /></td>";
	}
	if (&haveOrangeNet()) {
		print "<tr><td class='boldbase'>$Lang::tr{'ovpn on orange'}</td>";
		print "<td><input type='checkbox' name='ENABLED_ORANGE' $checked{'ENABLED_ORANGE'}{'on'} /></td>";
	}
	# Network settings (public hostname/IP, tunnel subnet, protocol, port,
	# MTU) followed by the crypto options.  Both drop-downs are listed
	# roughly strongest first; the entries the form itself labels "weak"
	# (SHA1, the DES family, Blowfish, CAST5) are presumably kept only for
	# interoperability with existing clients and should not be picked for
	# new deployments.
	# NOTE(review): with the AES-GCM (AEAD) ciphers OpenVPN applies the
	# selected hash to the control channel / tls-auth HMAC rather than to
	# data packets -- confirm against the generated server config if the
	# choice of digest matters to you.
	print <<END;

	<tr><td colspan='4'><br></td></tr>
	<tr>
	<td class='base'><b>$Lang::tr{'net config'}:</b></td>
	</tr>
	<tr><td colspan='1'><br></td></tr>

	<tr><td class='base' nowrap='nowrap' colspan='2'>$Lang::tr{'local vpn hostname/ip'}:<br /><input type='text' name='VPN_IP' value='$cgiparams{'VPN_IP'}' size='30' /></td>
	<td class='boldbase' nowrap='nowrap' colspan='2'>$Lang::tr{'ovpn subnet'}<br /><input type='TEXT' name='DOVPN_SUBNET' value='$cgiparams{'DOVPN_SUBNET'}' size='30' /></td></tr>
	<tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'protocol'}</td>
	<td><select name='DPROTOCOL'><option value='udp' $selected{'DPROTOCOL'}{'udp'}>UDP</option>
	<option value='tcp' $selected{'DPROTOCOL'}{'tcp'}>TCP</option></select></td>
	<td class='boldbase'>$Lang::tr{'destination port'}:</td>
	<td><input type='TEXT' name='DDEST_PORT' value='$cgiparams{'DDEST_PORT'}' size='5' /></td></tr>
	<tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'MTU'}&nbsp;</td>
	<td> <input type='TEXT' name='DMTU' VALUE='$cgiparams{'DMTU'}' size='5' /></td>
	</tr>

	<tr><td colspan='4'><br></td></tr>
	<tr>
	<td class='base'><b>$Lang::tr{'ovpn crypt options'}:</b></td>
	</tr>
	<tr><td colspan='1'><br></td></tr>

	<tr>
	<td class='base'>$Lang::tr{'ovpn ha'}</td>
	<td><select name='DAUTH'>
	<option value='whirlpool' $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
	<option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
	<option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
	<option value='SHA256' $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
	<option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
	</select>
	</td>

	<td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td>
	<td><select name='DCIPHER'>
	<option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
	<option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
	<option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
	<option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
	<option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
	<option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
	<option value='AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'})</option>
	<option value='AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
	<option value='AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
	<option value='SEED-CBC' $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
	<option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
	<option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
	<option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
	<option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
	<option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
	</select>
	</td>
	</tr>

	<tr><td colspan='4'><br></td></tr>
	<tr>
	<td class='base'>$Lang::tr{'ovpn tls auth'}</td>
	<td><input type='checkbox' name='TLSAUTH' $checked{'TLSAUTH'}{'on'} /></td>
	</tr>

	<tr><td colspan='4'><br><br></td></tr>
END
	;
c6c9630e 5292 if ( $srunning eq "yes" ) {
8c877a82
AM
5293 print "<tr><td align='right' colspan='4'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' disabled='disabled' />";
5294 print "<input type='submit' name='ACTION' value='$Lang::tr{'ccd net'}' />";
66c36198 5295 print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />";
8c877a82 5296 print "<input type='submit' name='ACTION' value='$Lang::tr{'stop ovpn server'}' /></td></tr>";
c6c9630e 5297 } else{
8c877a82
AM
5298 print "<tr><td align='right' colspan='4'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />";
5299 print "<input type='submit' name='ACTION' value='$Lang::tr{'ccd net'}' />";
5300 print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />";
c6c9630e 5301 if (( -e "${General::swroot}/ovpn/ca/cacert.pem" &&
35494eac 5302 -e "$dhparameter" &&
c6c9630e
MT
5303 -e "${General::swroot}/ovpn/certs/servercert.pem" &&
5304 -e "${General::swroot}/ovpn/certs/serverkey.pem") &&
66c36198 5305 (( $cgiparams{'ENABLED'} eq 'on') ||
c6c9630e
MT
5306 ( $cgiparams{'ENABLED_BLUE'} eq 'on') ||
5307 ( $cgiparams{'ENABLED_ORANGE'} eq 'on'))){
8c877a82 5308 print "<input type='submit' name='ACTION' value='$Lang::tr{'start ovpn server'}' /></td></tr>";
c6c9630e 5309 } else {
66c36198
PM
5310 print "<input type='submit' name='ACTION' value='$Lang::tr{'start ovpn server'}' disabled='disabled' /></td></tr>";
5311 }
c6c9630e
MT
5312 }
5313 print "</form></table>";
5314 &Header::closebox();
	# Connection table: one row per %confighash entry, grouped under a
	# heading taken from column [32] (presumably the CCD network the entry
	# was assigned to).  Only rendered once a root CA exists.
	if ( -f "${General::swroot}/ovpn/ca/cacert.pem" ) {
		# Net-to-net rows (added by m.a.d) share this table with road-warrior
		# rows; the type column tells them apart.
		&Header::openbox('100%', 'LEFT', $Lang::tr{'connection status and controlc' });
		;
		my $id = 0;        # rows printed so far; also drives the row banding
		my $gif;           # enable/disable toggle icon of the current row
		my $col1="";       # background of the status cell
		my $lastnet;       # group label of the previous row (new heading when it changes)
		# The outer sort orders by group; the inner one pre-sorts by name so
		# rows inside a group come out in natural (ncmp) name order.
		foreach my $key (sort { ncmp ($confighash{$a}[32],$confighash{$b}[32]) } sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) {
			# Display labels for entries without a group name.  Note this
			# rewrites the in-memory %confighash entry for the rest of this request.
			if ($confighash{$key}[32] eq "" && $confighash{$key}[3] eq 'net' ){$confighash{$key}[32]=$Lang::tr{'fwhost OpenVPN N-2-N'};}
			if ($confighash{$key}[32] eq "dynamic"){$confighash{$key}[32]=$Lang::tr{'ccd dynrange'};}
			# Open the table (with its header) for the first row ...
			if($id == 0){
				print"<b>$confighash{$key}[32]</b>";
				print <<END;
	<table width='100%' cellspacing='1' cellpadding='0' class='tbl'>
	<tr>
	<th width='10%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></th>
	<th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th>
	<th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
	<th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
	<th width='5%' class='boldbase' colspan='8' align='center'><b>$Lang::tr{'action'}</b></th>
	</tr>
END
			}
			# ... and close/reopen it whenever the group label changes.
			if ($id > 0 && $lastnet ne $confighash{$key}[32]){
				print "</table><br>";
				print"<b>$confighash{$key}[32]</b>";
				print <<END;
	<table width='100%' cellspacing='1' cellpadding='0' class='tbl'>
	<tr>
	<th width='10%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></th>
	<th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th>
	<th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
	<th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
	<th width='5%' class='boldbase' colspan='8' align='center'><b>$Lang::tr{'action'}</b></th>
	</tr>
END
			}
			if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; }

			# Create some simple booleans to check the status
			my $hasExpired;
			my $expiresSoon;

			# Fetch information about the certificate for non-N2N connections only.
			# A missing or unparsable client certificate leaves $expiryDate at 0
			# (an undef from str2time has the same effect), so such a row is
			# flagged as expired rather than silently passing.
			if ($confighash{$key}[3] ne 'net') {
				my @cavalid = &General::system_output("/usr/bin/openssl", "x509", "-text",
					"-in", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem");

				my $expiryDate = 0;

				# Parse the certificate information
				foreach my $line (@cavalid) {
					if ($line =~ /Not After : (.*)[\n]/) {
						$expiryDate = &Date::Parse::str2time($1);
						last;
					}
				}

				# Calculate the remaining time
				my $remainingTime = $expiryDate - time();

				# Determine whether the certificate has already expired, or will so
				# within the next 30 days
				$hasExpired = ($remainingTime <= 0);
				$expiresSoon = ($remainingTime <= 30 * 24 * 3600);

			} else {
				# Populate booleans with dummy values for N2N connections (#13066)
				$hasExpired = 0;
				$expiresSoon = 0;
			}

			print "<tr>";

			# Row background ($col is a file-level variable): warning colour
			# when the certificate is expired/expiring, otherwise alternating.
			if ($hasExpired || $expiresSoon) {
				$col="bgcolor='$color{'color14'}'";
			} elsif ($id % 2) {
				$col="bgcolor='$color{'color20'}'";
			} else {
				$col="bgcolor='$color{'color22'}'";
			}
			print "<td align='center' nowrap='nowrap' $col>$confighash{$key}[1]";
			if ($hasExpired) {
				print " ($Lang::tr{'openvpn cert has expired'})";
			} elsif ($expiresSoon) {
				print " ($Lang::tr{'openvpn cert expires soon'})";
			}
			print "</td>";
			print "<td align='center' nowrap='nowrap' $col>" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ")</td>";
			# NOTE(review): the remark ([25]) is interpolated unescaped.  It is
			# administrator-entered, so the add/edit path must restrict it to
			# harmless characters (that validation is not visible from here).
			print "<td align='center' $col>$confighash{$key}[25]</td>";
			# Status cell defaults to closed/red; disabled entries are shown blue.
			$col1="bgcolor='${Header::colourred}'";
			my $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>";

			if ($confighash{$key}[0] eq 'off') {
				$col1="bgcolor='${Header::colourblue}'";
				$active = "<b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>";
			} else {

				# Net-to-net (m.a.d): the peer state is read from the management
				# interface of that OpenVPN instance on loopback, port [22].
				# Errmode 'return' keeps a failed open()/cmd() from dying, but
				# the open() result is never checked -- a refused connection
				# presumably leaves @output empty, so $tustate[1] is undef and
				# the row is painted red with an empty label.
				if ($confighash{$key}[3] eq 'net') {

					if (-e "/var/run/$confighash{$key}[1]n2n.pid") {
						my @output = "";
						my @tustate = "";
						my $tport = $confighash{$key}[22];
						my $tnet = new Net::Telnet ( Timeout=>5, Errmode=>'return', Port=>$tport);
						if ($tport ne '') {
							$tnet->open('127.0.0.1');
							@output = $tnet->cmd(String => 'state', Prompt => '/(END.*\n|ERROR:.*\n)/');
							@tustate = split(/\,/, $output[1]);
###
# $tustate[1] is the STATE field of the management "state" reply:
#CONNECTING -- OpenVPN's initial state.
#WAIT -- (Client only) Waiting for initial response from server.
#AUTH -- (Client only) Authenticating with server.
#GET_CONFIG -- (Client only) Downloading configuration options from server.
#ASSIGN_IP -- Assigning IP address to virtual network interface.
#ADD_ROUTES -- Adding routes to system.
#CONNECTED -- Initialization Sequence Completed.
#RECONNECTING -- A restart has occurred.
#EXITING -- A graceful exit is in progress.
####

							# Anything other than CONNECTED/WAIT is shown verbatim
							# (unescaped) in the cell; the text comes from the
							# local management socket.
							if (($tustate[1] eq 'CONNECTED') || ($tustate[1] eq 'WAIT')) {
								$col1="bgcolor='${Header::colourgreen}'";
								$active = "<b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>";
							}else {
								$col1="bgcolor='${Header::colourred}'";
								$active = "<b><font color='#FFFFFF'>$tustate[1]</font></b>";
							}
						}
					}
				}else {

					# Road-warrior: the client counts as "open" when its common
					# name (underscores mapped back to spaces) appears in @status,
					# presumably the parsed OpenVPN status log.  The address
					# pattern only accepts IPv4 "a.b.c.d:port" entries, so a
					# client listed with any other address form is never matched
					# here.  $cn is declared outside the loop: a line whose first
					# field is the literal "Common Name" keeps the previous value.
					my $cn;
					my @match = ();
					foreach my $line (@status) {
						chomp($line);
						if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) {
							@match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line);
							if ($match[1] ne "Common Name") {
								$cn = $match[1];
							}
							$cn =~ s/[_]/ /g;
							if ($cn eq "$confighash{$key}[2]") {
								$col1="bgcolor='${Header::colourgreen}'";
								$active = "<b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>";
							}
						}
					}
				}
			}


			# Action cells.  Each icon is its own POST form carrying the row KEY.
			print <<END;
	<td align='center' $col1>$active</td>

	<form method='post' name='frm${key}a'><td align='center' $col>
	<input type='image' name='$Lang::tr{'dl client arch'}' src='/images/openvpn.png' alt='$Lang::tr{'dl client arch'}' title='$Lang::tr{'dl client arch'}' border='0' />
	<input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
	<input type='hidden' name='KEY' value='$key' />
	</td></form>
END
			;

			# Second download button, only for entries flagged "no-pass" ([41]).
			# MODE=insecure presumably yields a client package whose private key
			# is not password protected -- hence the "insecure" label.
			if ($confighash{$key}[41] eq "no-pass") {
				print <<END;
	<form method='post' name='frm${key}g'><td align='center' $col>
	<input type='image' name='$Lang::tr{'dl client arch insecure'}' src='/images/openvpn.png'
	alt='$Lang::tr{'dl client arch insecure'}' title='$Lang::tr{'dl client arch insecure'}' border='0' />
	<input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
	<input type='hidden' name='MODE' value='insecure' />
	<input type='hidden' name='KEY' value='$key' />
	</td></form>
END
			} else {
				print "<td $col>&nbsp;</td>";
			}

			if ($confighash{$key}[4] eq 'cert') {
				print <<END;
	<form method='post' name='frm${key}b'><td align='center' $col>
	<input type='image' name='$Lang::tr{'show certificate'}' src='/images/info.gif' alt='$Lang::tr{'show certificate'}' title='$Lang::tr{'show certificate'}' border='0' />
	<input type='hidden' name='ACTION' value='$Lang::tr{'show certificate'}' />
	<input type='hidden' name='KEY' value='$key' />
	</td></form>
END
			; } else {
				print "<td>&nbsp;</td>";
			}

			# OTP QR code, only when OTP is switched on for the entry ([43]).
			if ($confighash{$key}[43] eq 'on') {
				print <<END;
	<form method='post' name='frm${key}o'><td align='center' $col>
	<input type='image' name='$Lang::tr{'show otp qrcode'}' src='/images/qr-code.png' alt='$Lang::tr{'show otp qrcode'}' title='$Lang::tr{'show otp qrcode'}' border='0' />
	<input type='hidden' name='ACTION' value='$Lang::tr{'show otp qrcode'}' />
	<input type='hidden' name='KEY' value='$key' />
	</td></form>
END
			; } else {
				print "<td $col>&nbsp;</td>";
			}

			# Certificate download: the PKCS#12 bundle when one exists on disk,
			# otherwise the bare certificate.
			if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$key}[1].p12") {
				print <<END;
	<form method='post' name='frm${key}c'><td align='center' $col>
	<input type='image' name='$Lang::tr{'download pkcs12 file'}' src='/images/media-floppy.png' alt='$Lang::tr{'download pkcs12 file'}' title='$Lang::tr{'download pkcs12 file'}' border='0' />
	<input type='hidden' name='ACTION' value='$Lang::tr{'download pkcs12 file'}' />
	<input type='hidden' name='KEY' value='$key' />
	</td></form>
END
			; } elsif ($confighash{$key}[4] eq 'cert') {
				print <<END;
	<form method='post' name='frm${key}c'><td align='center' $col>
	<input type='image' name='$Lang::tr{'download certificate'}' src='/images/media-floppy.png' alt='$Lang::tr{'download certificate'}' title='$Lang::tr{'download certificate'}' border='0' />
	<input type='hidden' name='ACTION' value='$Lang::tr{'download certificate'}' />
	<input type='hidden' name='KEY' value='$key' />
	</td></form>
END
			; } else {
				print "<td>&nbsp;</td>";
			}
			# Toggle, edit and remove controls.
			print <<END
	<form method='post' name='frm${key}d'><td align='center' $col>
	<input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$Lang::tr{'toggle enable disable'}' title='$Lang::tr{'toggle enable disable'}' border='0' />
	<input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' />
	<input type='hidden' name='KEY' value='$key' />
	</td></form>

	<form method='post' name='frm${key}e'><td align='center' $col>
	<input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' />
	<input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' width='20' height='20' border='0'/>
	<input type='hidden' name='KEY' value='$key' />
	</td></form>
	<form method='post' name='frm${key}f'><td align='center' $col>
	<input type='hidden' name='ACTION' value='$Lang::tr{'remove'}' />
	<input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' width='20' height='20' border='0' />
	<input type='hidden' name='KEY' value='$key' />
	</td></form>
	</tr>
END
			;
			$id++;
			$lastnet = $confighash{$key}[32];
		}
		print"</table>";
		;

		# If the config file contains entries, print Key to action icons
		if ( $id ) {
			print <<END;
	<table border='0'>
	<tr>
	<td class='boldbase'>&nbsp; <b>$Lang::tr{'legend'}:</b></td>
	<td>&nbsp; <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td>
	<td class='base'>$Lang::tr{'click to disable'}</td>
	<td>&nbsp; &nbsp; <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>
	<td class='base'>$Lang::tr{'show certificate'}</td>
	<td>&nbsp; &nbsp; <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td>
	<td class='base'>$Lang::tr{'edit'}</td>
	<td>&nbsp; &nbsp; <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td>
	<td class='base'>$Lang::tr{'remove'}</td>
	</tr>
	<tr>
	<td>&nbsp; </td>
	<td>&nbsp; <img src='/images/off.gif' alt='?OFF' /></td>
	<td class='base'>$Lang::tr{'click to enable'}</td>
	<td>&nbsp; &nbsp; <img src='/images/media-floppy.png' alt='?FLOPPY' /></td>
	<td class='base'>$Lang::tr{'download certificate'}</td>
	<td>&nbsp; &nbsp; <img src='/images/openvpn.png' alt='?RELOAD'/></td>
	<td class='base'>$Lang::tr{'dl client arch'}</td>
	<td>&nbsp; &nbsp; <img src='/images/qr-code.png' alt='$Lang::tr{'show otp qrcode'}'/></td>
	<td class='base'>$Lang::tr{'show otp qrcode'}</td>
	</tr>
	</table><br>
END
			;
		}

		# "Add" plus the connection statistics page; the latter is greyed
		# out ($activeonrun) unless the daemon is running.
		print <<END;
	<table width='100%'>
	<form method='post'>
	<tr><td align='right'>
	<input type='submit' name='ACTION' value='$Lang::tr{'add'}' />
	<input type='submit' name='ACTION' value='$Lang::tr{'ovpn con stat'}' $activeonrun /></td>
	</tr>
	</form>
	</table>
END
		;
		&Header::closebox();
	}
	# CA/key listing: root CA, host certificate, DH parameters and the
	# tls-auth key, each on its own row, followed by any uploaded CAs.
	&Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate authorities'}");
	print <<END;
	<table width='100%' cellspacing='1' cellpadding='0' class='tbl'>
	<tr>
	<th width='25%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></th>
	<th width='65%' class='boldbase' align='center'><b>$Lang::tr{'subject'}</b></th>
	<th width='10%' class='boldbase' colspan='3' align='center'><b>$Lang::tr{'action'}</b></th>
	</tr>
END
	;
	# Alternating row backgrounds for the four fixed rows below.
	my $col1="bgcolor='$color{'color22'}'";
	my $col2="bgcolor='$color{'color20'}'";
	# DH parameter line
	my $col3="bgcolor='$color{'color22'}'";
	# ta.key line
	my $col4="bgcolor='$color{'color20'}'";
4c962356 5633 if (-f "${General::swroot}/ovpn/ca/cacert.pem") {
2feacd98
SS
5634 my @casubject = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/cacert.pem");
5635 my $casubject;
5636
5637 foreach my $line (@casubject) {
5638 if ($line =~ /Subject: (.*)[\n]/) {
5639 $casubject = $1;
5640 $casubject =~ s+/Email+, E+;
5641 $casubject =~ s/ ST=/ S=/;
5642
5643 last;
5644 }
5645 }
5646
4c962356
EK
5647 print <<END;
5648 <tr>
5649 <td class='base' $col1>$Lang::tr{'root certificate'}</td>
5650 <td class='base' $col1>$casubject</td>
c8f50356 5651 <form method='post' name='frmrootcrta'><td width='3%' align='center' $col1>
4c962356
EK
5652 <input type='hidden' name='ACTION' value='$Lang::tr{'show root certificate'}' />
5653 <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show root certificate'}' title='$Lang::tr{'show root certificate'}' width='20' height='20' border='0' />
c8f50356
EK
5654 </form>
5655 <form method='post' name='frmrootcrtb'><td width='3%' align='center' $col1>
4c962356
EK
5656 <input type='image' name='$Lang::tr{'download root certificate'}' src='/images/media-floppy.png' alt='$Lang::tr{'download root certificate'}' title='$Lang::tr{'download root certificate'}' border='0' />
5657 <input type='hidden' name='ACTION' value='$Lang::tr{'download root certificate'}' />
c8f50356
EK
5658 </form>
5659 <td width='4%' $col1>&nbsp;</td>
5660 </tr>
4c962356
EK
5661END
5662 ;
5663 } else {
5664 # display rootcert generation buttons
5665 print <<END;
5666 <tr>
5667 <td class='base' $col1>$Lang::tr{'root certificate'}:</td>
5668 <td class='base' $col1>$Lang::tr{'not present'}</td>
c8f50356
EK
5669 <td colspan='3' $col1>&nbsp;</td>
5670 </tr>
4c962356
EK
5671END
5672 ;
5673 }
5674
5675 if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
2feacd98
SS
5676 my @hostsubject = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
5677 my $hostsubject;
5678
5679 foreach my $line (@hostsubject) {
5680 if ($line =~ /Subject: (.*)[\n]/) {
5681 $hostsubject = $1;
5682 $hostsubject =~ s+/Email+, E+;
5683 $hostsubject =~ s/ ST=/ S=/;
5684
5685 last;
5686 }
5687 }
4c962356
EK
5688
5689 print <<END;
5690 <tr>
5691 <td class='base' $col2>$Lang::tr{'host certificate'}</td>
5692 <td class='base' $col2>$hostsubject</td>
c8f50356 5693 <form method='post' name='frmhostcrta'><td width='3%' align='center' $col2>
4c962356
EK
5694 <input type='hidden' name='ACTION' value='$Lang::tr{'show host certificate'}' />
5695 <input type='image' name='$Lang::tr{'show host certificate'}' src='/images/info.gif' alt='$Lang::tr{'show host certificate'}' title='$Lang::tr{'show host certificate'}' width='20' height='20' border='0' />
c8f50356
EK
5696 </form>
5697 <form method='post' name='frmhostcrtb'><td width='3%' align='center' $col2>
4c962356
EK
5698 <input type='image' name="$Lang::tr{'download host certificate'}" src='/images/media-floppy.png' alt="$Lang::tr{'download host certificate'}" title="$Lang::tr{'download host certificate'}" border='0' />
5699 <input type='hidden' name='ACTION' value="$Lang::tr{'download host certificate'}" />
c8f50356
EK
5700 </td></form>
5701 <td width='4%' $col2>&nbsp;</td>
5702 </tr>
4c962356
EK
5703END
5704 ;
5705 } else {
5706 # Nothing
5707 print <<END;
5708 <tr>
5709 <td width='25%' class='base' $col2>$Lang::tr{'host certificate'}:</td>
5710 <td class='base' $col2>$Lang::tr{'not present'}</td>
c8f50356
EK
5711 </td><td colspan='3' $col2>&nbsp;</td>
5712 </tr>
4c962356
EK
5713END
5714 ;
5715 }
	# DH parameter row.  The regex takes the first output line containing a
	# space and keeps everything after that space -- for "openssl dhparam
	# -text" that is presumably the "DH Parameters: (N bit)" header.  There
	# is no download control for the parameters; the second, empty form only
	# keeps the column layout aligned with the other rows.
	if (-f "$dhparameter") {
		my @dhsubject = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "$dhparameter");
		my $dhsubject;

		foreach my $line (@dhsubject) {
			if ($line =~ / (.*)[\n]/) {
				$dhsubject = $1;

				last;
			}
		}

		print <<END;
	<tr>
	<td class='base' $col3>$Lang::tr{'dh'}</td>
	<td class='base' $col3>$dhsubject</td>
	<form method='post' name='frmdhparam'><td width='3%' align='center' $col3>
	<input type='hidden' name='ACTION' value='$Lang::tr{'show dh'}' />
	<input type='image' name='$Lang::tr{'show dh'}' src='/images/info.gif' alt='$Lang::tr{'show dh'}' title='$Lang::tr{'show dh'}' width='20' height='20' border='0' />
	</form>
	<form method='post' name='frmdhparam'><td width='3%' align='center' $col3>
	</form>
	<td width='4%' $col3>&nbsp;</td>
	</tr>
END
		;
	} else {
		# No DH parameters: placeholder row.
		print <<END;
	<tr>
	<td width='25%' class='base' $col3>$Lang::tr{'dh'}:</td>
	<td class='base' $col3>$Lang::tr{'not present'}</td>
	</td><td colspan='3' $col3>&nbsp;</td>
	</tr>
END
		;
	}
5756 # Adding ta.key to chart
5757 if (-f "${General::swroot}/ovpn/certs/ta.key") {
2feacd98
SS
5758 open(FILE, "${General::swroot}/ovpn/certs/ta.key");
5759 my @tasubject = <FILE>;
5760 close(FILE);
5761
5762 my $tasubject;
5763 foreach my $line (@tasubject) {
5764 if($line =~ /# (.*)[\n]/) {
5765 $tasubject = $1;
5766
5767 last;
5768 }
5769 }
5770
fd5ccb2d
EK
5771 print <<END;
5772
5773 <tr>
5774 <td class='base' $col4>$Lang::tr{'ta key'}</td>
5775 <td class='base' $col4>$tasubject</td>
5776 <form method='post' name='frmtakey'><td width='3%' align='center' $col4>
5777 <input type='hidden' name='ACTION' value='$Lang::tr{'show tls-auth key'}' />
5778 <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show tls-auth key'}' title='$Lang::tr{'show tls-auth key'}' width='20' height='20' border='0' />
5779 </form>
5780 <form method='post' name='frmtakey'><td width='3%' align='center' $col4>
5781 <input type='image' name='$Lang::tr{'download tls-auth key'}' src='/images/media-floppy.png' alt='$Lang::tr{'download tls-auth key'}' title='$Lang::tr{'download tls-auth key'}' border='0' />
5782 <input type='hidden' name='ACTION' value='$Lang::tr{'download tls-auth key'}' />
5783 </form>
5784 <td width='4%' $col4>&nbsp;</td>
5785 </tr>
5786END
5787 ;
5788 } else {
5789 # Nothing
5790 print <<END;
5791 <tr>
5792 <td width='25%' class='base' $col4>$Lang::tr{'ta key'}:</td>
5793 <td class='base' $col4>$Lang::tr{'not present'}</td>
5794 <td colspan='3' $col4>&nbsp;</td>
5795 </tr>
5796END
5797 ;
5798 }
5800 if (! -f "${General::swroot}/ovpn/ca/cacert.pem") {
5801 print "<tr><td colspan='5' align='center'><form method='post'>";
5802 print "<input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' />";
5803 print "</form></td></tr>\n";
5804 }
5805
5806 if (keys %cahash > 0) {
5807 foreach my $key (keys %cahash) {
5808 if (($key + 1) % 2) {
5809 print "<tr bgcolor='$color{'color20'}'>\n";
5810 } else {
5811 print "<tr bgcolor='$color{'color22'}'>\n";
5812 }
5813 print "<td class='base'>$cahash{$key}[0]</td>\n";
5814 print "<td class='base'>$cahash{$key}[1]</td>\n";
5815 print <<END;
5816 <form method='post' name='cafrm${key}a'><td align='center'>
5817 <input type='image' name='$Lang::tr{'show ca certificate'}' src='/images/info.gif' alt='$Lang::tr{'show ca certificate'}' title='$Lang::tr{'show ca certificate'}' border='0' />
5818 <input type='hidden' name='ACTION' value='$Lang::tr{'show ca certificate'}' />
5819 <input type='hidden' name='KEY' value='$key' />
5820 </td></form>
5821 <form method='post' name='cafrm${key}b'><td align='center'>
5822 <input type='image' name='$Lang::tr{'download ca certificate'}' src='/images/media-floppy.png' alt='$Lang::tr{'download ca certificate'}' title='$Lang::tr{'download ca certificate'}' border='0' />
5823 <input type='hidden' name='ACTION' value='$Lang::tr{'download ca certificate'}' />
5824 <input type='hidden' name='KEY' value='$key' />
5825 </td></form>
5826 <form method='post' name='cafrm${key}c'><td align='center'>
5827 <input type='hidden' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />
5828 <input type='image' name='$Lang::tr{'remove ca certificate'}' src='/images/delete.gif' alt='$Lang::tr{'remove ca certificate'}' title='$Lang::tr{'remove ca certificate'}' width='20' height='20' border='0' />
5829 <input type='hidden' name='KEY' value='$key' />
5830 </td></form></tr>
5831END
5832 ;
5833 }
5834 }
5835
5836 print "</table>";
5837
5838 # If the file contains entries, print Key to action icons
5839 if ( -f "${General::swroot}/ovpn/ca/cacert.pem") {
5840 print <<END;
5841 <table>
5842 <tr>
5843 <td class='boldbase'>&nbsp; <b>$Lang::tr{'legend'}:</b></td>
5844 <td>&nbsp; &nbsp; <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>
5845 <td class='base'>$Lang::tr{'show certificate'}</td>
5846 <td>&nbsp; &nbsp; <img src='/images/media-floppy.png' alt='$Lang::tr{'download certificate'}' /></td>
5847 <td class='base'>$Lang::tr{'download certificate'}</td>
5848 </tr>
5849 </table>
5850END
5851 ;
5852 }
4c962356 5854 print <<END
5855
5856 <br><hr><br>
5857
4c962356 5858 <form method='post' enctype='multipart/form-data'>
5859 <table border='0' width='100%'>
5860 <tr>
5861 <td colspan='4'><b>$Lang::tr{'upload ca certificate'}</b></td>
5862 </tr>
4c962356 5863
5864 <tr>
5865 <td width='10%'>$Lang::tr{'ca name'}:</td>
5866 <td width='30%'><input type='text' name='CA_NAME' value='$cgiparams{'CA_NAME'}' size='15' align='left'></td>
5867 <td width='30%'><input type='file' name='FH' size='25'>
5868 <td width='30%'align='right'><input type='submit' name='ACTION' value='$Lang::tr{'upload ca certificate'}'></td>
5869 </tr>
f527e53f 5870
5871 <tr>
5872 <td colspan='3'>&nbsp;</td>
5873 <td align='right'><input type='submit' name='ACTION' value='$Lang::tr{'show crl'}' /></td>
5874 </tr>
5875 </table>
578f23c8 5876 </form>
66c36198 5877
578f23c8 5878 <br><hr>
5879END
5880 ;
5881
5882 if ( $srunning eq "yes" ) {
5883 print "<div align='center'><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' disabled='disabled' /></div></form>\n";
5884 } else {
5885 print "<div align='center'><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' /></div></form>\n";
5886 }
5887 &Header::closebox();
5888END
5889 ;
5890
5891&Header::closepage();