]> git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blame - html/cgi-bin/ovpnmain.cgi
projects / people / pmueller / ipfire-2.x.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
ovpnmain.cgi: Fix typos.
[people/pmueller/ipfire-2.x.git] / html / cgi-bin / ovpnmain.cgi
CommitLineData
6e13d0a5 1#!/usr/bin/perl
70df8302
MT		 2###############################################################################
3# #
4# IPFire.org - A linux based firewall #
49abe7af 5# Copyright (C) 2007-2014 IPFire Team <info@ipfire.org> #
70df8302
MT		 6# #
7# This program is free software: you can redistribute it and/or modify #
8# it under the terms of the GNU General Public License as published by #
9# the Free Software Foundation, either version 3 of the License, or #
10# (at your option) any later version. #
11# #
12# This program is distributed in the hope that it will be useful, #
13# but WITHOUT ANY WARRANTY; without even the implied warranty of #
14# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15# GNU General Public License for more details. #
16# #
17# You should have received a copy of the GNU General Public License #
18# along with this program. If not, see <http://www.gnu.org/licenses/>. #
19# #
20###############################################################################
54fd0535 21###
f527e53f 22# Based on IPFireCore 77
54fd0535 23###
6e13d0a5
MT		 24use CGI;
25use CGI qw/:standard/;
26use Net::DNS;
ce9abb66 27use Net::Ping;
54fd0535 28use Net::Telnet;
6e13d0a5
MT		 29use File::Copy;
30use File::Temp qw/ tempfile tempdir /;
31use strict;
32use Archive::Zip qw(:ERROR_CODES :CONSTANTS);
eff2dbf8 33use Sort::Naturally;
6e13d0a5 34require '/var/ipfire/general-functions.pl';
6e13d0a5
MT		 35require "${General::swroot}/lang.pl";
36require "${General::swroot}/header.pl";
37require "${General::swroot}/countries.pl";
e2e270e1 38require "${General::swroot}/location-functions.pl";
6e13d0a5
MT		 39
40# enable only the following on debugging purpose
8c877a82
AM		 41#use warnings;
42#use CGI::Carp 'fatalsToBrowser';
6e13d0a5 43#workaround to suppress a warning when a variable is used only once
8c877a82 44my @dummy = ( ${Header::colourgreen}, ${Header::colourblue} );
6e13d0a5
MT		 45undef (@dummy);
46
f2fdd0c1
CS		 47my %color = ();
48my %mainsettings = ();
49&General::readhash("${General::swroot}/main/settings", \%mainsettings);
8186b372 50&General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color);
6e13d0a5
MT		 51
52###
53### Initialize variables
54###
e81be1e1
AM		 55my %ccdconfhash=();
56my %ccdroutehash=();
57my %ccdroute2hash=();
6e13d0a5
MT		 58my %netsettings=();
59my %cgiparams=();
60my %vpnsettings=();
61my %checked=();
62my %confighash=();
63my %cahash=();
64my %selected=();
65my $warnmessage = '';
66my $errormessage = '';
400c8afd
EK		 67my $cryptoerror = '';
68my $cryptowarning = '';
6e13d0a5 69my %settings=();
54fd0535 70my $routes_push_file = '';
df9b48b7
AM		 71my $confighost="${General::swroot}/fwhosts/customhosts";
72my $configgrp="${General::swroot}/fwhosts/customgroups";
73my $customnet="${General::swroot}/fwhosts/customnetworks";
74my $name;
99bfa85c 75my $col="";
ffbe77c8
EK		 76my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local";
77my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local";
78
6e13d0a5
MT		 79&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
80$cgiparams{'ENABLED'} = 'off';
81$cgiparams{'ENABLED_BLUE'} = 'off';
82$cgiparams{'ENABLED_ORANGE'} = 'off';
83$cgiparams{'EDIT_ADVANCED'} = 'off';
84$cgiparams{'NAT'} = 'off';
85$cgiparams{'COMPRESSION'} = 'off';
86$cgiparams{'ONLY_PROPOSED'} = 'off';
87$cgiparams{'ACTION'} = '';
88$cgiparams{'CA_NAME'} = '';
4c962356
EK		 89$cgiparams{'DH_NAME'} = 'dh1024.pem';
90$cgiparams{'DHLENGHT'} = '';
6e13d0a5
MT		 91$cgiparams{'DHCP_DOMAIN'} = '';
92$cgiparams{'DHCP_DNS'} = '';
93$cgiparams{'DHCP_WINS'} = '';
54fd0535 94$cgiparams{'ROUTES_PUSH'} = '';
6e13d0a5 95$cgiparams{'DCOMPLZO'} = 'off';
a79fa1d6 96$cgiparams{'MSSFIX'} = '';
8c877a82 97$cgiparams{'number'} = '';
4c962356 98$cgiparams{'DCIPHER'} = '';
49abe7af
EK		 99$cgiparams{'DAUTH'} = '';
100$cgiparams{'TLSAUTH'} = '';
54fd0535 101$routes_push_file = "${General::swroot}/ovpn/routes_push";
400c8afd
EK		 102# Perform crypto and configration test
103&pkiconfigcheck;
ffbe77c8
EK		 104
105# Add CCD files if not already presant
106unless (-e $routes_push_file) {
107 open(RPF, ">$routes_push_file");
108 close(RPF);
109}
110unless (-e "${General::swroot}/ovpn/ccd.conf") {
111 open(CCDC, ">${General::swroot}/ovpn/ccd.conf");
112 close (CCDC);
113}
114unless (-e "${General::swroot}/ovpn/ccdroute") {
115 open(CCDR, ">${General::swroot}/ovpn/ccdroute");
116 close (CCDR);
117}
118unless (-e "${General::swroot}/ovpn/ccdroute2") {
119 open(CCDRT, ">${General::swroot}/ovpn/ccdroute2");
120 close (CCDRT);
121}
122# Add additional configs if not already presant
123unless (-e "$local_serverconf") {
124 open(LSC, ">$local_serverconf");
125 close (LSC);
126}
127unless (-e "$local_clientconf") {
128 open(LCC, ">$local_clientconf");
129 close (LCC);
130}
ce9abb66 131
6e13d0a5
MT		 132&Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
133
134# prepare openvpn config file
135###
136### Useful functions
137###
c6c9630e
MT		 138sub haveOrangeNet
139{
13211b21
CS		 140 if ($netsettings{'CONFIG_TYPE'} == 2) {return 1;}
141 if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;}
c6c9630e
MT		 142 return 0;
143}
144
145sub haveBlueNet
146{
13211b21 147 if ($netsettings{'CONFIG_TYPE'} == 3) {return 1;}
c6c9630e 148 if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;}
c6c9630e
MT		 149 return 0;
150}
151
152sub sizeformat{
153 my $bytesize = shift;
154 my $i = 0;
155
156 while(abs($bytesize) >= 1024){
157 $bytesize=$bytesize/1024;
158 $i++;
159 last if($i==6);
160 }
161
162 my @units = ("Bytes","KB","MB","GB","TB","PB","EB");
163 my $newsize=(int($bytesize*100 +0.5))/100;
164 return("$newsize $units[$i]");
165}
166
c6c9630e
MT		 167sub cleanssldatabase
168{
169 if (open(FILE, ">${General::swroot}/ovpn/certs/serial")) {
170 print FILE "01";
171 close FILE;
172 }
173 if (open(FILE, ">${General::swroot}/ovpn/certs/index.txt")) {
174 print FILE "";
175 close FILE;
176 }
e6f7f8e7
EK		 177 if (open(FILE, ">${General::swroot}/ovpn/certs/index.txt.attr")) {
178 print FILE "";
179 close FILE;
180 }
c6c9630e 181 unlink ("${General::swroot}/ovpn/certs/index.txt.old");
e6f7f8e7 182 unlink ("${General::swroot}/ovpn/certs/index.txt.attr.old");
c6c9630e
MT		 183 unlink ("${General::swroot}/ovpn/certs/serial.old");
184 unlink ("${General::swroot}/ovpn/certs/01.pem");
185}
186
187sub newcleanssldatabase
188{
189 if (! -s "${General::swroot}/ovpn/certs/serial" ) {
190 open(FILE, ">${General::swroot}(ovpn/certs/serial");
191 print FILE "01";
192 close FILE;
193 }
194 if (! -s ">${General::swroot}/ovpn/certs/index.txt") {
2feacd98 195 &General::system("touch", "${General::swroot}/ovpn/certs/index.txt");
c6c9630e 196 }
e6f7f8e7 197 if (! -s ">${General::swroot}/ovpn/certs/index.txt.attr") {
2feacd98 198 &General::system("touch", "${General::swroot}/ovpn/certs/index.txt.attr");
e6f7f8e7 199 }
c6c9630e 200 unlink ("${General::swroot}/ovpn/certs/index.txt.old");
e6f7f8e7 201 unlink ("${General::swroot}/ovpn/certs/index.txt.attr.old");
c6c9630e
MT		 202 unlink ("${General::swroot}/ovpn/certs/serial.old");
203}
204
205sub deletebackupcert
206{
207 if (open(FILE, "${General::swroot}/ovpn/certs/serial.old")) {
208 my $hexvalue = <FILE>;
209 chomp $hexvalue;
210 close FILE;
211 unlink ("${General::swroot}/ovpn/certs/$hexvalue.pem");
212 }
213}
4c962356 214
400c8afd
EK		 215###
216### Check for PKI and configure problems
217###
218
219sub pkiconfigcheck
220{
221 # Warning if DH parameter is 1024 bit
222 if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
2feacd98 223 my @dhparameter = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}");
f5604080 224 my $dhbit;
2feacd98 225
f5604080 226 # Loop through the output and search for the DH bit lenght.
2feacd98 227 foreach my $line (@dhparameter) {
f5604080
SS		 228 if ($line =~ (/(\d+)/)) {
229 # Assign match to dhbit value.
230 $dhbit = $1;
231
232 last;
2feacd98 233 }
400c8afd 234 }
f5604080
SS		 235
236 # Check if the used key lenght is at least 2048 bit.
237 if ($dhbit < 2048) {
238 $cryptoerror = "$Lang::tr{'ovpn error dh'}";
239 goto CRYPTO_ERROR;
240 }
400c8afd
EK		 241 }
242
243 # Warning if md5 is in usage
244 if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
2feacd98
SS		 245 my @signature = &General::system_output("/usr/bin/openssl", "x509", "-noout", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
246 if (grep(/md5WithRSAEncryption/, @signature) ) {
400c8afd
EK		 247 $cryptoerror = "$Lang::tr{'ovpn error md5'}";
248 goto CRYPTO_ERROR;
249 }
250 }
251
252 CRYPTO_ERROR:
253
254 # Warning if certificate is not compliant to RFC3280 TLS rules
255 if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
2feacd98
SS		 256 my @extendkeyusage = &General::system_output("/usr/bin/openssl", "x509", "-noout", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
257 if ( ! grep(/TLS Web Server Authentication/, @extendkeyusage)) {
400c8afd
EK		 258 $cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}";
259 goto CRYPTO_WARNING;
260 }
261 }
262
263 CRYPTO_WARNING:
264}
265
c6c9630e 266sub writeserverconf {
54fd0535
MT		 267 my %sovpnsettings = ();
268 my @temp = ();
c6c9630e 269 &General::readhash("${General::swroot}/ovpn/settings", \%sovpnsettings);
54fd0535
MT		 270 &read_routepushfile;
271
c6c9630e
MT		 272 open(CONF, ">${General::swroot}/ovpn/server.conf") or die "Unable to open ${General::swroot}/ovpn/server.conf: $!";
273 flock CONF, 2;
274 print CONF "#OpenVPN Server conf\n";
275 print CONF "\n";
276 print CONF "daemon openvpnserver\n";
277 print CONF "writepid /var/run/openvpn.pid\n";
afabe9f7 278 print CONF "#DAN prepare OpenVPN for listening on blue and orange\n";
c6c9630e 279 print CONF ";local $sovpnsettings{'VPN_IP'}\n";
79e7688b 280 print CONF "dev tun\n";
c6c9630e
MT		 281 print CONF "proto $sovpnsettings{'DPROTOCOL'}\n";
282 print CONF "port $sovpnsettings{'DDEST_PORT'}\n";
a4fd2325 283 print CONF "script-security 3\n";
07675dc3 284 print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\n";
6140e7e0 285 print CONF "client-config-dir /var/ipfire/ovpn/ccd\n";
c6c9630e 286 print CONF "tls-server\n";
4c962356
EK		 287 print CONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n";
288 print CONF "cert ${General::swroot}/ovpn/certs/servercert.pem\n";
289 print CONF "key ${General::swroot}/ovpn/certs/serverkey.pem\n";
49abe7af 290 print CONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n";
c6c9630e
MT		 291 my @tempovpnsubnet = split("\/",$sovpnsettings{'DOVPN_SUBNET'});
292 print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n";
8c877a82 293 #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n";
4c962356 294
d6989b4b 295 print CONF "tun-mtu $sovpnsettings{'DMTU'}\n";
2ee746be 296
54fd0535 297 if ($vpnsettings{'ROUTES_PUSH'} ne '') {
8c877a82
AM		 298 @temp = split(/\n/,$vpnsettings{'ROUTES_PUSH'});
299 foreach (@temp)
300 {
301 @tempovpnsubnet = split("\/",&General::ipcidr2msk($_));
302 print CONF "push \"route " . $tempovpnsubnet[0]. " " . $tempovpnsubnet[1] . "\"\n";
303 }
54fd0535 304 }
8c877a82
AM		 305# a.marx ccd
306 my %ccdconfhash=();
307 &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
308 foreach my $key (keys %ccdconfhash) {
309 my $a=$ccdconfhash{$key}[1];
310 my ($b,$c) = split (/\//, $a);
311 print CONF "route $b ".&General::cidrtosub($c)."\n";
312 }
313 my %ccdroutehash=();
314 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
315 foreach my $key (keys %ccdroutehash) {
316 foreach my $i ( 1 .. $#{$ccdroutehash{$key}}){
317 my ($a,$b)=split (/\//,$ccdroutehash{$key}[$i]);
318 print CONF "route $a $b\n";
319 }
320 }
321# ccd end
54fd0535 322
8c877a82 323 if ($sovpnsettings{CLIENT2CLIENT} eq 'on') {
c6c9630e
MT		 324 print CONF "client-to-client\n";
325 }
1de5c945 326 if ($sovpnsettings{MSSFIX} eq 'on') {
4c962356 327 print CONF "mssfix\n";
d6989b4b
MT		 328 } else {
329 print CONF "mssfix 0\n";
1de5c945
EK		 330 }
331 if ($sovpnsettings{FRAGMENT} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp') {
4c962356 332 print CONF "fragment $sovpnsettings{'FRAGMENT'}\n";
a79fa1d6 333 }
2ee746be 334
c6c9630e
MT		 335 if ($sovpnsettings{KEEPALIVE_1} > 0 && $sovpnsettings{KEEPALIVE_2} > 0) {
336 print CONF "keepalive $sovpnsettings{'KEEPALIVE_1'} $sovpnsettings{'KEEPALIVE_2'}\n";
337 }
338 print CONF "status-version 1\n";
87fe47e9 339 print CONF "status /var/run/ovpnserver.log 30\n";
a4fd2325 340 print CONF "ncp-disable\n";
c6c9630e 341 print CONF "cipher $sovpnsettings{DCIPHER}\n";
49abe7af 342 print CONF "auth $sovpnsettings{'DAUTH'}\n";
942446b5
EK		 343 # Set TLSv2 as minimum
344 print CONF "tls-version-min 1.2\n";
86308adb 345
49abe7af 346 if ($sovpnsettings{'TLSAUTH'} eq 'on') {
4be45949 347 print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n";
49abe7af 348 }
c6c9630e
MT		 349 if ($sovpnsettings{DCOMPLZO} eq 'on') {
350 print CONF "comp-lzo\n";
351 }
352 if ($sovpnsettings{REDIRECT_GW_DEF1} eq 'on') {
353 print CONF "push \"redirect-gateway def1\"\n";
354 }
355 if ($sovpnsettings{DHCP_DOMAIN} ne '') {
356 print CONF "push \"dhcp-option DOMAIN $sovpnsettings{DHCP_DOMAIN}\"\n";
357 }
358
359 if ($sovpnsettings{DHCP_DNS} ne '') {
360 print CONF "push \"dhcp-option DNS $sovpnsettings{DHCP_DNS}\"\n";
361 }
362
363 if ($sovpnsettings{DHCP_WINS} ne '') {
364 print CONF "push \"dhcp-option WINS $sovpnsettings{DHCP_WINS}\"\n";
365 }
366
fa527476 367 if ($sovpnsettings{MAX_CLIENTS} eq '') {
c6c9630e 368 print CONF "max-clients 100\n";
a79fa1d6 369 }
fa527476 370 if ($sovpnsettings{MAX_CLIENTS} ne '') {
c6c9630e
MT		 371 print CONF "max-clients $sovpnsettings{MAX_CLIENTS}\n";
372 }
1d0a260a 373 print CONF "tls-verify /usr/lib/openvpn/verify\n";
c6c9630e
MT		 374 print CONF "crl-verify /var/ipfire/ovpn/crls/cacrl.pem\n";
375 print CONF "user nobody\n";
376 print CONF "group nobody\n";
377 print CONF "persist-key\n";
378 print CONF "persist-tun\n";
379 if ($sovpnsettings{LOG_VERB} ne '') {
380 print CONF "verb $sovpnsettings{LOG_VERB}\n";
381 } else {
382 print CONF "verb 3\n";
ffbe77c8 383 }
708f2b73
MT		 384
385 print CONF "# Log clients connecting/disconnecting\n";
386 print CONF "client-connect \"/usr/sbin/openvpn-metrics client-connect\"\n";
387 print CONF "client-disconnect \"/usr/sbin/openvpn-metrics client-disconnect\"\n";
388
ffbe77c8
EK		 389 # Print server.conf.local if entries exist to server.conf
390 if ( !-z $local_serverconf && $sovpnsettings{'ADDITIONAL_CONFIGS'} eq 'on') {
391 open (LSC, "$local_serverconf");
392 print CONF "\n#---------------------------\n";
393 print CONF "# Start of custom directives\n";
394 print CONF "# from server.conf.local\n";
395 print CONF "#---------------------------\n\n";
396 while (<LSC>) {
397 print CONF $_;
398 }
399 print CONF "\n#-----------------------------\n";
400 print CONF "# End of custom directives\n";
401 print CONF "#-----------------------------\n";
402 close (LSC);
403 }
c6c9630e
MT		 404 print CONF "\n";
405
406 close(CONF);
407}
8c877a82 408
c6c9630e 409sub emptyserverlog{
87fe47e9 410 if (open(FILE, ">/var/run/ovpnserver.log")) {
c6c9630e
MT		 411 flock FILE, 2;
412 print FILE "";
413 close FILE;
414 }
415
416}
417
8c877a82
AM		 418sub delccdnet
419{
420 my %ccdconfhash = ();
421 my %ccdhash = ();
422 my $ccdnetname=$_[0];
423 if (-f "${General::swroot}/ovpn/ovpnconfig"){
424 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
425 foreach my $key (keys %ccdhash) {
426 if ($ccdhash{$key}[32] eq $ccdnetname) {
427 $errormessage=$Lang::tr{'ccd err hostinnet'};
428 return;
429 }
430 }
431 }
432 &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
433 foreach my $key (keys %ccdconfhash) {
434 if ($ccdconfhash{$key}[0] eq $ccdnetname){
435 delete $ccdconfhash{$key};
436 }
437 }
438 &General::writehasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
439
440 &writeserverconf;
441 return 0;
442}
443
444sub addccdnet
445{
446 my %ccdconfhash=();
447 my @ccdconf=();
448 my $ccdname=$_[0];
449 my $ccdnet=$_[1];
8c877a82
AM		 450 my $subcidr;
451 my @ip2=();
452 my $checkup;
453 my $ccdip;
454 my $baseaddress;
290007b3
AM		 455
456
457 #check name
458 if ($ccdname eq '')
459 {
460 $errormessage=$errormessage.$Lang::tr{'ccd err name'}."<br>";
461 return
462 }
463
464 if(!&General::validhostname($ccdname))
465 {
8c877a82
AM		 466 $errormessage=$Lang::tr{'ccd err invalidname'};
467 return;
468 }
290007b3
AM		 469
470 ($ccdip,$subcidr) = split (/\//,$ccdnet);
471 $subcidr=&General::iporsubtocidr($subcidr);
472 #check subnet
473 if ($subcidr > 30)
474 {
8c877a82
AM		 475 $errormessage=$Lang::tr{'ccd err invalidnet'};
476 return;
477 }
290007b3
AM		 478 #check ip
479 if (!&General::validipandmask($ccdnet)){
480 $errormessage=$Lang::tr{'ccd err invalidnet'};
481 return;
8c877a82 482 }
b6c60092 483
8c877a82
AM		 484 if (!$errormessage) {
485 my %ccdconfhash=();
486 $baseaddress=&General::getnetworkip($ccdip,$subcidr);
487 &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
488 my $key = &General::findhasharraykey (\%ccdconfhash);
489 foreach my $i (0 .. 1) { $ccdconfhash{$key}[$i] = "";}
490 $ccdconfhash{$key}[0] = $ccdname;
491 $ccdconfhash{$key}[1] = $baseaddress."/".$subcidr;
492 &General::writehasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
493 &writeserverconf;
494 $cgiparams{'ccdname'}='';
495 $cgiparams{'ccdsubnet'}='';
496 return 1;
497 }
498}
499
500sub modccdnet
501{
502
503 my $newname=$_[0];
504 my $oldname=$_[1];
505 my %ccdconfhash=();
506 my %ccdhash=();
7ad653cc
SS		 507
508 # Check if the new name is valid.
509 if(!&General::validhostname($newname)) {
510 $errormessage=$Lang::tr{'ccd err invalidname'};
511 return;
512 }
513
8c877a82
AM		 514 &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
515 foreach my $key (keys %ccdconfhash) {
516 if ($ccdconfhash{$key}[0] eq $oldname) {
517 foreach my $key1 (keys %ccdconfhash) {
518 if ($ccdconfhash{$key1}[0] eq $newname){
519 $errormessage=$errormessage.$Lang::tr{'ccd err netadrexist'};
520 return;
521 }else{
522 $ccdconfhash{$key}[0]= $newname;
523 &General::writehasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
524 last;
525 }
526 }
527 }
528 }
529
530 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
531 foreach my $key (keys %ccdhash) {
532 if ($ccdhash{$key}[32] eq $oldname) {
533 $ccdhash{$key}[32]=$newname;
534 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
535 last;
536 }
537 }
538
539 return 0;
540}
541sub ccdmaxclients
542{
543 my $ccdnetwork=$_[0];
544 my @octets=();
545 my @subnet=();
546 @octets=split("\/",$ccdnetwork);
547 @subnet= split /\./, &General::cidrtosub($octets[1]);
548 my ($a,$b,$c,$d,$e);
549 $a=256-$subnet[0];
550 $b=256-$subnet[1];
551 $c=256-$subnet[2];
552 $d=256-$subnet[3];
553 $e=($a*$b*$c*$d)/4;
554 return $e-1;
555}
556
557sub getccdadresses
558{
559 my $ipin=$_[0];
560 my ($ip1,$ip2,$ip3,$ip4)=split /\./, $ipin;
561 my $cidr=$_[1];
562 chomp($cidr);
563 my $count=$_[2];
564 my $hasip=$_[3];
565 chomp($hasip);
566 my @iprange=();
567 my %ccdhash=();
568 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
d9fe5693 569 $iprange[0]=$ip1.".".$ip2.".".$ip3.".".($ip4+2);
ac87f371 570 for (my $i=1;$i<=$count;$i++) {
8c877a82
AM		 571 my $tmpip=$iprange[$i-1];
572 my $stepper=$i*4;
573 $iprange[$i]= &General::getnextip($tmpip,4);
574 }
575 my $r=0;
576 foreach my $key (keys %ccdhash) {
577 $r=0;
578 foreach my $tmp (@iprange){
579 my ($net,$sub) = split (/\//,$ccdhash{$key}[33]);
580 if ($net eq $tmp) {
581 if ( $hasip ne $ccdhash{$key}[33] ){
582 splice (@iprange,$r,1);
583 }
584 }
585 $r++;
586 }
587 }
588 return @iprange;
589}
590
591sub fillselectbox
592{
593 my $boxname=$_[1];
594 my ($ccdip,$subcidr) = split("/",$_[0]);
595 my $tz=$_[2];
596 my @allccdips=&getccdadresses($ccdip,$subcidr,&ccdmaxclients($ccdip."/".$subcidr),$tz);
597 print"<select name='$boxname' STYLE='font-family : arial; font-size : 9pt; width:130px;' >";
598 foreach (@allccdips) {
599 my $ip=$_."/30";
600 chomp($ip);
601 print "<option value='$ip' ";
602 if ( $ip eq $cgiparams{$boxname} ){
603 print"selected";
604 }
605 print ">$ip</option>";
606 }
607 print "</select>";
608}
609
610sub hostsinnet
611{
612 my $name=$_[0];
613 my %ccdhash=();
614 my $i=0;
615 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
616 foreach my $key (keys %ccdhash) {
617 if ($ccdhash{$key}[32] eq $name){ $i++;}
618 }
619 return $i;
620}
621
622sub check_routes_push
623{
624 my $val=$_[0];
625 my ($ip,$cidr) = split (/\//, $val);
626 ##check for existing routes in routes_push
627 if (-e "${General::swroot}/ovpn/routes_push") {
628 open(FILE,"${General::swroot}/ovpn/routes_push");
629 while (<FILE>) {
630 $_=~s/\s*$//g;
631
632 my ($ip2,$cidr2) = split (/\//,"$_");
633 my $val2=$ip2."/".&General::iporsubtodec($cidr2);
634
635 if($val eq $val2){
636 return 0;
637 }
638 #subnetcheck
639 if (&General::IpInSubnet ($ip,$ip2,&General::iporsubtodec($cidr2))){
640 return 0;
641 }
642 };
643 close(FILE);
644 }
645 return 1;
646}
647
648sub check_ccdroute
649{
650 my %ccdroutehash=();
651 my $val=$_[0];
652 my ($ip,$cidr) = split (/\//, $val);
653 #check for existing routes in ccdroute
654 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
655 foreach my $key (keys %ccdroutehash) {
656 foreach my $i (1 .. $#{$ccdroutehash{$key}}) {
657 if (&General::iporsubtodec($val) eq $ccdroutehash{$key}[$i] && $ccdroutehash{$key}[0] ne $cgiparams{'NAME'}){
658 return 0;
659 }
660 my ($ip2,$cidr2) = split (/\//,$ccdroutehash{$key}[$i]);
661 #subnetcheck
662 if (&General::IpInSubnet ($ip,$ip2,$cidr2)&& $ccdroutehash{$key}[0] ne $cgiparams{'NAME'} ){
663 return 0;
664 }
665 }
666 }
667 return 1;
668}
669sub check_ccdconf
670{
671 my %ccdconfhash=();
672 my $val=$_[0];
673 my ($ip,$cidr) = split (/\//, $val);
674 #check for existing routes in ccdroute
675 &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
676 foreach my $key (keys %ccdconfhash) {
677 if (&General::iporsubtocidr($val) eq $ccdconfhash{$key}[1]){
678 return 0;
679 }
680 my ($ip2,$cidr2) = split (/\//,$ccdconfhash{$key}[1]);
681 #subnetcheck
682 if (&General::IpInSubnet ($ip,$ip2,&General::cidrtosub($cidr2))){
683 return 0;
684 }
685
686 }
687 return 1;
688}
689
7c1d9faf
AH		 690###
691# m.a.d net2net
692###
693
694sub validdotmask
695{
696 my $ipdotmask = $_[0];
697 if (&General::validip($ipdotmask)) { return 0; }
698 if (!($ipdotmask =~ /^(.*?)\/(.*?)$/)) { }
699 my $mask = $2;
700 if (($mask =~ /\./ )) { return 0; }
701 return 1;
702}
54fd0535
MT		 703
704# -------------------------------------------------------------------
705
706sub write_routepushfile
707{
708 open(FILE, ">$routes_push_file");
709 flock(FILE, 2);
710 if ($vpnsettings{'ROUTES_PUSH'} ne '') {
711 print FILE $vpnsettings{'ROUTES_PUSH'};
712 }
713 close(FILE);
714}
715
716sub read_routepushfile
717{
718 if (-e "$routes_push_file") {
719 open(FILE,"$routes_push_file");
720 delete $vpnsettings{'ROUTES_PUSH'};
721 while (<FILE>) { $vpnsettings{'ROUTES_PUSH'} .= $_ };
722 close(FILE);
723 $cgiparams{'ROUTES_PUSH'} = $vpnsettings{'ROUTES_PUSH'};
8c877a82 724
54fd0535
MT		 725 }
726}
7c1d9faf 727
775b4494
AM		 728sub writecollectdconf {
729 my $vpncollectd;
730 my %ccdhash=();
731
732 open(COLLECTDVPN, ">${General::swroot}/ovpn/collectd.vpn") or die "Unable to open collectd.vpn: $!";
733 print COLLECTDVPN "Loadplugin openvpn\n";
734 print COLLECTDVPN "\n";
735 print COLLECTDVPN "<Plugin openvpn>\n";
736 print COLLECTDVPN "Statusfile \"/var/run/ovpnserver.log\"\n";
737
738 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
739 foreach my $key (keys %ccdhash) {
740 if ($ccdhash{$key}[0] eq 'on' && $ccdhash{$key}[3] eq 'net') {
741 print COLLECTDVPN "Statusfile \"/var/run/openvpn/$ccdhash{$key}[1]-n2n\"\n";
742 }
743 }
744
745 print COLLECTDVPN "</Plugin>\n";
746 close(COLLECTDVPN);
747
748 # Reload collectd afterwards
2feacd98 749 &General::system("/usr/local/bin/collectdctrl", "restart");
775b4494 750}
7c1d9faf 751
c6c9630e
MT		 752#hier die refresh page
753if ( -e "${General::swroot}/ovpn/gencanow") {
754 my $refresh = '';
755 $refresh = "<meta http-equiv='refresh' content='15;' />";
756 &Header::showhttpheaders();
757 &Header::openpage($Lang::tr{'OVPN'}, 1, $refresh);
758 &Header::openbigbox('100%', 'center');
759 &Header::openbox('100%', 'left', "$Lang::tr{'generate root/host certificates'}:");
760 print "<tr>\n<td align='center'><img src='/images/clock.gif' alt='' /></td>\n";
761 print "<td colspan='2'><font color='red'>Please be patient this realy can take some time on older hardware...</font></td></tr>\n";
762 &Header::closebox();
763 &Header::closebigbox();
764 &Header::closepage();
765 exit (0);
766}
767##hier die refresh page
768
6e13d0a5
MT		 769
770###
771### OpenVPN Server Control
772###
773if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'} ||
774 $cgiparams{'ACTION'} eq $Lang::tr{'stop ovpn server'} ||
775 $cgiparams{'ACTION'} eq $Lang::tr{'restart ovpn server'}) {
6e13d0a5
MT		 776 #start openvpn server
777 if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'}){
c6c9630e 778 &emptyserverlog();
2feacd98 779 &General::system("/usr/local/bin/openvpnctrl", "-s");
6e13d0a5
MT		 780 }
781 #stop openvpn server
782 if ($cgiparams{'ACTION'} eq $Lang::tr{'stop ovpn server'}){
2feacd98 783 &General::system("/usr/local/bin/openvpnctrl", "-k");
c6c9630e 784 &emptyserverlog();
6e13d0a5
MT		 785 }
786# #restart openvpn server
8c877a82 787# if ($cgiparams{'ACTION'} eq $Lang::tr{'restart ovpn server'}){
6e13d0a5 788#workarund, till SIGHUP also works when running as nobody
8c877a82
AM		 789# system('/usr/local/bin/openvpnctrl', '-r');
790# &emptyserverlog();
791# }
6e13d0a5
MT		 792}
793
794###
795### Save Advanced options
796###
797
798if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
799 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
800 #DAN do we really need (to to check) this value? Besides if we listen on blue and orange too,
801 #DAN this value has to leave.
802#new settings for daemon
803 $vpnsettings{'LOG_VERB'} = $cgiparams{'LOG_VERB'};
804 $vpnsettings{'KEEPALIVE_1'} = $cgiparams{'KEEPALIVE_1'};
805 $vpnsettings{'KEEPALIVE_2'} = $cgiparams{'KEEPALIVE_2'};
806 $vpnsettings{'MAX_CLIENTS'} = $cgiparams{'MAX_CLIENTS'};
807 $vpnsettings{'REDIRECT_GW_DEF1'} = $cgiparams{'REDIRECT_GW_DEF1'};
808 $vpnsettings{'CLIENT2CLIENT'} = $cgiparams{'CLIENT2CLIENT'};
6a9d9ff4 809 $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
ffbe77c8 810 $vpnsettings{'ADDITIONAL_CONFIGS'} = $cgiparams{'ADDITIONAL_CONFIGS'};
6e13d0a5
MT		 811 $vpnsettings{'DHCP_DOMAIN'} = $cgiparams{'DHCP_DOMAIN'};
812 $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'};
813 $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'};
54fd0535
MT		 814 $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'};
815 my @temp=();
6e13d0a5 816
a79fa1d6
JPT		 817 if ($cgiparams{'FRAGMENT'} eq '') {
818 delete $vpnsettings{'FRAGMENT'};
819 } else {
820 if ($cgiparams{'FRAGMENT'} !~ /^[0-9]+$/) {
821 $errormessage = "Incorrect value, please insert only numbers.";
822 goto ADV_ERROR;
823 } else {
824 $vpnsettings{'FRAGMENT'} = $cgiparams{'FRAGMENT'};
825 }
826 }
49abe7af 827
a79fa1d6 828 if ($cgiparams{'MSSFIX'} ne 'on') {
1de5c945 829 delete $vpnsettings{'MSSFIX'};
a79fa1d6
JPT		 830 } else {
831 $vpnsettings{'MSSFIX'} = $cgiparams{'MSSFIX'};
832 }
2ee746be 833
6e13d0a5 834 if ($cgiparams{'DHCP_DOMAIN'} ne ''){
81da1b01 835 unless (&General::validdomainname($cgiparams{'DHCP_DOMAIN'}) || &General::validip($cgiparams{'DHCP_DOMAIN'})) {
6e13d0a5
MT		 836 $errormessage = $Lang::tr{'invalid input for dhcp domain'};
837 goto ADV_ERROR;
838 }
839 }
840 if ($cgiparams{'DHCP_DNS'} ne ''){
841 unless (&General::validfqdn($cgiparams{'DHCP_DNS'}) || &General::validip($cgiparams{'DHCP_DNS'})) {
842 $errormessage = $Lang::tr{'invalid input for dhcp dns'};
843 goto ADV_ERROR;
844 }
845 }
846 if ($cgiparams{'DHCP_WINS'} ne ''){
847 unless (&General::validfqdn($cgiparams{'DHCP_WINS'}) || &General::validip($cgiparams{'DHCP_WINS'})) {
848 $errormessage = $Lang::tr{'invalid input for dhcp wins'};
54fd0535
MT		 849 goto ADV_ERROR;
850 }
851 }
852 if ($cgiparams{'ROUTES_PUSH'} ne ''){
853 @temp = split(/\n/,$cgiparams{'ROUTES_PUSH'});
854 undef $vpnsettings{'ROUTES_PUSH'};
8c877a82
AM		 855
856 foreach my $tmpip (@temp)
54fd0535
MT		 857 {
858 s/^\s+//g; s/\s+$//g;
8c877a82
AM		 859
860 if ($tmpip)
54fd0535 861 {
8c877a82
AM		 862 $tmpip=~s/\s*$//g;
863 unless (&General::validipandmask($tmpip)) {
864 $errormessage = "$tmpip ".$Lang::tr{'ovpn errmsg invalid ip or mask'};
865 goto ADV_ERROR;
54fd0535 866 }
8c877a82
AM		 867 my ($ip, $cidr) = split("\/",&General::ipcidr2msk($tmpip));
868
54fd0535
MT		 869 if ($ip eq $netsettings{'GREEN_NETADDRESS'} && $cidr eq $netsettings{'GREEN_NETMASK'}) {
870 $errormessage = $Lang::tr{'ovpn errmsg green already pushed'};
8c877a82
AM		 871 goto ADV_ERROR;
872 }
873# a.marx ccd
874 my %ccdroutehash=();
875 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
876 foreach my $key (keys %ccdroutehash) {
877 foreach my $i (1 .. $#{$ccdroutehash{$key}}) {
878 if ( $ip."/".$cidr eq $ccdroutehash{$key}[$i] ){
879 $errormessage="Route $ip\/$cidr ".$Lang::tr{'ccd err inuse'}." $ccdroutehash{$key}[0]" ;
880 goto ADV_ERROR;
881 }
882 my ($ip2,$cidr2) = split(/\//,$ccdroutehash{$key}[$i]);
883 if (&General::IpInSubnet ($ip,$ip2,$cidr2)){
884 $errormessage="Route $ip\/$cidr ".$Lang::tr{'ccd err inuse'}." $ccdroutehash{$key}[0]" ;
885 goto ADV_ERROR;
886 }
887 }
54fd0535 888 }
8c877a82
AM		 889
890# ccd end
891
892 $vpnsettings{'ROUTES_PUSH'} .= $tmpip."\n";
54fd0535 893 }
8c877a82
AM		 894 }
895 &write_routepushfile;
54fd0535 896 undef $vpnsettings{'ROUTES_PUSH'};
8e148dc3
NP		 897 }
898 else {
899 undef $vpnsettings{'ROUTES_PUSH'};
900 &write_routepushfile;
6e13d0a5 901 }
ba50f66d 902 if ((length($cgiparams{'MAX_CLIENTS'}) == 0) || (($cgiparams{'MAX_CLIENTS'}) < 1 ) || (($cgiparams{'MAX_CLIENTS'}) > 1024 )) {
6e13d0a5
MT		 903 $errormessage = $Lang::tr{'invalid input for max clients'};
904 goto ADV_ERROR;
905 }
906 if ($cgiparams{'KEEPALIVE_1'} ne '') {
907 if ($cgiparams{'KEEPALIVE_1'} !~ /^[0-9]+$/) {
908 $errormessage = $Lang::tr{'invalid input for keepalive 1'};
909 goto ADV_ERROR;
910 }
911 }
912 if ($cgiparams{'KEEPALIVE_2'} ne ''){
913 if ($cgiparams{'KEEPALIVE_2'} !~ /^[0-9]+$/) {
914 $errormessage = $Lang::tr{'invalid input for keepalive 2'};
915 goto ADV_ERROR;
916 }
917 }
918 if ($cgiparams{'KEEPALIVE_2'} < ($cgiparams{'KEEPALIVE_1'} * 2)){
919 $errormessage = $Lang::tr{'invalid input for keepalive 1:2'};
920 goto ADV_ERROR;
921 }
6e13d0a5 922 &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
c6c9630e 923 &writeserverconf();#hier ok
6e13d0a5
MT		 924}
925
ce9abb66 926###
7c1d9faf 927# m.a.d net2net
ce9abb66
AH		 928###
929
930if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq 'net' && $cgiparams{'SIDE'} eq 'server')
931{
c6c9630e 932
ce9abb66
AH		 933my @remsubnet = split(/\//,$cgiparams{'REMOTE_SUBNET'});
934my @ovsubnettemp = split(/\./,$cgiparams{'OVPN_SUBNET'});
54fd0535 935my $ovsubnet = "$ovsubnettemp[0].$ovsubnettemp[1].$ovsubnettemp[2]";
d96c89eb 936my $tunmtu = '';
531f0835
AH		 937
938unless(-d "${General::swroot}/ovpn/n2nconf/"){mkdir "${General::swroot}/ovpn/n2nconf", 0755 or die "Unable to create dir $!";}
939unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}", 0770 or die "Unable to create dir $!";}
ce9abb66
AH		 940
941 open(SERVERCONF, ">${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Unable to open ${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf: $!";
942
943 flock SERVERCONF, 2;
7c1d9faf 944 print SERVERCONF "# IPFire n2n Open VPN Server Config by ummeegge und m.a.d\n";
ce9abb66 945 print SERVERCONF "\n";
b278daf3 946 print SERVERCONF "# User Security\n";
ce9abb66
AH		 947 print SERVERCONF "user nobody\n";
948 print SERVERCONF "group nobody\n";
949 print SERVERCONF "persist-tun\n";
950 print SERVERCONF "persist-key\n";
7c1d9faf 951 print SERVERCONF "script-security 2\n";
60f396d7 952 print SERVERCONF "# IP/DNS for remote Server Gateway\n";
c125d8a2
SS		 953
954 if ($cgiparams{'REMOTE'} ne '') {
ce9abb66 955 print SERVERCONF "remote $cgiparams{'REMOTE'}\n";
c125d8a2
SS		 956 }
957
b278daf3 958 print SERVERCONF "float\n";
60f396d7 959 print SERVERCONF "# IP adresses of the VPN Subnet\n";
ce9abb66 960 print SERVERCONF "ifconfig $ovsubnet.1 $ovsubnet.2\n";
60f396d7 961 print SERVERCONF "# Client Gateway Network\n";
54fd0535 962 print SERVERCONF "route $remsubnet[0] $remsubnet[1]\n";
2913185a 963 print SERVERCONF "up \"/etc/init.d/static-routes start\"\n";
60f396d7 964 print SERVERCONF "# tun Device\n";
ce9abb66 965 print SERVERCONF "dev tun\n";
5795fc1b
AM		 966 print SERVERCONF "#Logfile for statistics\n";
967 print SERVERCONF "status-version 1\n";
87fe47e9 968 print SERVERCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n";
60f396d7 969 print SERVERCONF "# Port and Protokol\n";
ce9abb66 970 print SERVERCONF "port $cgiparams{'DEST_PORT'}\n";
5795fc1b 971
60f396d7
AH		 972 if ($cgiparams{'PROTOCOL'} eq 'tcp') {
973 print SERVERCONF "proto tcp-server\n";
974 print SERVERCONF "# Packet size\n";
d96c89eb 975 if ($cgiparams{'MTU'} eq '') {$tunmtu = '1400'} else {$tunmtu = $cgiparams{'MTU'}};
60f396d7 976 print SERVERCONF "tun-mtu $tunmtu\n";
d96c89eb 977 }
60f396d7
AH		 978
979 if ($cgiparams{'PROTOCOL'} eq 'udp') {
980 print SERVERCONF "proto udp\n";
981 print SERVERCONF "# Paketsize\n";
982 if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'} else {$tunmtu = $cgiparams{'MTU'}};
983 print SERVERCONF "tun-mtu $tunmtu\n";
54fd0535 984 if ($cgiparams{'FRAGMENT'} ne '') {print SERVERCONF "fragment $cgiparams{'FRAGMENT'}\n";}
d6989b4b 985 if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n"; } else { print SERVERCONF "mssfix 0\n" };
d96c89eb 986 }
1647059d 987
60f396d7 988 print SERVERCONF "# Auth. Server\n";
ce9abb66
AH		 989 print SERVERCONF "tls-server\n";
990 print SERVERCONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n";
991 print SERVERCONF "cert ${General::swroot}/ovpn/certs/servercert.pem\n";
992 print SERVERCONF "key ${General::swroot}/ovpn/certs/serverkey.pem\n";
49abe7af 993 print SERVERCONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n";
b278daf3 994 print SERVERCONF "# Cipher\n";
4c962356 995 print SERVERCONF "cipher $cgiparams{'DCIPHER'}\n";
52f61e49
EKD		 996
997 # If GCM cipher is used, do not use --auth
998 if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') ||
999 ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') ||
1000 ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) {
1001 print SERVERCONF unless "# HMAC algorithm\n";
1002 print SERVERCONF unless "auth $cgiparams{'DAUTH'}\n";
49abe7af 1003 } else {
52f61e49
EKD		 1004 print SERVERCONF "# HMAC algorithm\n";
1005 print SERVERCONF "auth $cgiparams{'DAUTH'}\n";
49abe7af 1006 }
52f61e49 1007
942446b5
EK		 1008 # Set TLSv1.2 as minimum
1009 print SERVERCONF "tls-version-min 1.2\n";
1010
ce9abb66 1011 if ($cgiparams{'COMPLZO'} eq 'on') {
60f396d7 1012 print SERVERCONF "# Enable Compression\n";
66298ef2 1013 print SERVERCONF "comp-lzo\n";
b278daf3 1014 }
60f396d7 1015 print SERVERCONF "# Debug Level\n";
ce9abb66 1016 print SERVERCONF "verb 3\n";
b278daf3 1017 print SERVERCONF "# Tunnel check\n";
ce9abb66 1018 print SERVERCONF "keepalive 10 60\n";
60f396d7 1019 print SERVERCONF "# Start as daemon\n";
ce9abb66
AH		 1020 print SERVERCONF "daemon $cgiparams{'NAME'}n2n\n";
1021 print SERVERCONF "writepid /var/run/$cgiparams{'NAME'}n2n.pid\n";
60f396d7 1022 print SERVERCONF "# Activate Management Interface and Port\n";
54fd0535
MT		 1023 if ($cgiparams{'OVPN_MGMT'} eq '') {print SERVERCONF "management localhost $cgiparams{'DEST_PORT'}\n"}
1024 else {print SERVERCONF "management localhost $cgiparams{'OVPN_MGMT'}\n"};
ce9abb66
AH		 1025 close(SERVERCONF);
1026
1027}
1028
1029###
7c1d9faf 1030# m.a.d net2net
ce9abb66 1031###
7c1d9faf 1032
ce9abb66
AH		 1033if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq 'net' && $cgiparams{'SIDE'} eq 'client')
1034{
4c962356 1035
ce9abb66 1036 my @ovsubnettemp = split(/\./,$cgiparams{'OVPN_SUBNET'});
54fd0535 1037 my $ovsubnet = "$ovsubnettemp[0].$ovsubnettemp[1].$ovsubnettemp[2]";
ce9abb66 1038 my @remsubnet = split(/\//,$cgiparams{'REMOTE_SUBNET'});
d96c89eb 1039 my $tunmtu = '';
54fd0535 1040
531f0835
AH		 1041unless(-d "${General::swroot}/ovpn/n2nconf/"){mkdir "${General::swroot}/ovpn/n2nconf", 0755 or die "Unable to create dir $!";}
1042unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}", 0770 or die "Unable to create dir $!";}
ce9abb66
AH		 1043
1044 open(CLIENTCONF, ">${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Unable to open ${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf: $!";
1045
1046 flock CLIENTCONF, 2;
7c1d9faf 1047 print CLIENTCONF "# IPFire rewritten n2n Open VPN Client Config by ummeegge und m.a.d\n";
ce9abb66 1048 print CLIENTCONF "#\n";
b278daf3 1049 print CLIENTCONF "# User Security\n";
ce9abb66
AH		 1050 print CLIENTCONF "user nobody\n";
1051 print CLIENTCONF "group nobody\n";
1052 print CLIENTCONF "persist-tun\n";
1053 print CLIENTCONF "persist-key\n";
7c1d9faf 1054 print CLIENTCONF "script-security 2\n";
60f396d7 1055 print CLIENTCONF "# IP/DNS for remote Server Gateway\n";
ce9abb66 1056 print CLIENTCONF "remote $cgiparams{'REMOTE'}\n";
b278daf3 1057 print CLIENTCONF "float\n";
60f396d7 1058 print CLIENTCONF "# IP adresses of the VPN Subnet\n";
ce9abb66 1059 print CLIENTCONF "ifconfig $ovsubnet.2 $ovsubnet.1\n";
60f396d7 1060 print CLIENTCONF "# Server Gateway Network\n";
54fd0535 1061 print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n";
ebcecb4b 1062 print CLIENTCONF "up \"/etc/init.d/static-routes start\"\n";
60f396d7 1063 print CLIENTCONF "# tun Device\n";
ce9abb66 1064 print CLIENTCONF "dev tun\n";
35a21a25
AM		 1065 print CLIENTCONF "#Logfile for statistics\n";
1066 print CLIENTCONF "status-version 1\n";
1067 print CLIENTCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n";
60f396d7 1068 print CLIENTCONF "# Port and Protokol\n";
ce9abb66 1069 print CLIENTCONF "port $cgiparams{'DEST_PORT'}\n";
60f396d7
AH		 1070
1071 if ($cgiparams{'PROTOCOL'} eq 'tcp') {
1072 print CLIENTCONF "proto tcp-client\n";
1073 print CLIENTCONF "# Packet size\n";
d96c89eb 1074 if ($cgiparams{'MTU'} eq '') {$tunmtu = '1400'} else {$tunmtu = $cgiparams{'MTU'}};
60f396d7 1075 print CLIENTCONF "tun-mtu $tunmtu\n";
d96c89eb 1076 }
60f396d7
AH		 1077
1078 if ($cgiparams{'PROTOCOL'} eq 'udp') {
1079 print CLIENTCONF "proto udp\n";
1080 print CLIENTCONF "# Paketsize\n";
1081 if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'} else {$tunmtu = $cgiparams{'MTU'}};
1082 print CLIENTCONF "tun-mtu $tunmtu\n";
54fd0535 1083 if ($cgiparams{'FRAGMENT'} ne '') {print CLIENTCONF "fragment $cgiparams{'FRAGMENT'}\n";}
d6989b4b 1084 if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF "mssfix\n"; } else { print CLIENTCONF "mssfix 0\n" };
d96c89eb 1085 }
1647059d 1086
b66b02ab
EK		 1087 # Check host certificate if X509 is RFC3280 compliant.
1088 # If not, old --ns-cert-type directive will be used.
1089 # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
2feacd98
SS		 1090 my @hostcert = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
1091 if ( ! grep(/TLS Web Server Authentication/, @hostcert)) {
b66b02ab
EK		 1092 print CLIENTCONF "ns-cert-type server\n";
1093 } else {
1094 print CLIENTCONF "remote-cert-tls server\n";
1095 }
ce9abb66
AH		 1096 print CLIENTCONF "# Auth. Client\n";
1097 print CLIENTCONF "tls-client\n";
b278daf3 1098 print CLIENTCONF "# Cipher\n";
4c962356 1099 print CLIENTCONF "cipher $cgiparams{'DCIPHER'}\n";
ce9abb66 1100 print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12\r\n";
52f61e49
EKD		 1101
1102 # If GCM cipher is used, do not use --auth
1103 if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') ||
1104 ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') ||
1105 ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) {
1106 print CLIENTCONF unless "# HMAC algorithm\n";
1107 print CLIENTCONF unless "auth $cgiparams{'DAUTH'}\n";
49abe7af 1108 } else {
52f61e49
EKD		 1109 print CLIENTCONF "# HMAC algorithm\n";
1110 print CLIENTCONF "auth $cgiparams{'DAUTH'}\n";
49abe7af 1111 }
52f61e49 1112
942446b5
EK		 1113 # Set TLSv1.2 as minimum
1114 print CLIENTCONF "tls-version-min 1.2\n";
1115
ce9abb66 1116 if ($cgiparams{'COMPLZO'} eq 'on') {
60f396d7 1117 print CLIENTCONF "# Enable Compression\n";
66298ef2 1118 print CLIENTCONF "comp-lzo\n";
4c962356 1119 }
ce9abb66
AH		 1120 print CLIENTCONF "# Debug Level\n";
1121 print CLIENTCONF "verb 3\n";
b278daf3 1122 print CLIENTCONF "# Tunnel check\n";
ce9abb66 1123 print CLIENTCONF "keepalive 10 60\n";
60f396d7 1124 print CLIENTCONF "# Start as daemon\n";
ce9abb66
AH		 1125 print CLIENTCONF "daemon $cgiparams{'NAME'}n2n\n";
1126 print CLIENTCONF "writepid /var/run/$cgiparams{'NAME'}n2n.pid\n";
60f396d7 1127 print CLIENTCONF "# Activate Management Interface and Port\n";
54fd0535
MT		 1128 if ($cgiparams{'OVPN_MGMT'} eq '') {print CLIENTCONF "management localhost $cgiparams{'DEST_PORT'}\n"}
1129 else {print CLIENTCONF "management localhost $cgiparams{'OVPN_MGMT'}\n"};
ce9abb66 1130 close(CLIENTCONF);
c6c9630e 1131
ce9abb66 1132}
400c8afd 1133
6e13d0a5
MT		 1134###
1135### Save main settings
1136###
ce9abb66 1137
6e13d0a5
MT		 1138if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') {
1139 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
6e13d0a5
MT		 1140 #DAN do we really need (to to check) this value? Besides if we listen on blue and orange too,
1141 #DAN this value has to leave.
1142 if ($cgiparams{'ENABLED'} eq 'on'){
1143 unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'})) {
1144 $errormessage = $Lang::tr{'invalid input for hostname'};
c6c9630e 1145 goto SETTINGS_ERROR;
6e13d0a5
MT		 1146 }
1147 }
f7fb5bc5 1148
6e13d0a5 1149 if (! &General::validipandmask($cgiparams{'DOVPN_SUBNET'})) {
c6c9630e 1150 $errormessage = $Lang::tr{'ovpn subnet is invalid'};
4c962356 1151 goto SETTINGS_ERROR;
c6c9630e
MT		 1152 }
1153 my @tmpovpnsubnet = split("\/",$cgiparams{'DOVPN_SUBNET'});
1154
1155 if (&General::IpInSubnet ( $netsettings{'RED_ADDRESS'},
1156 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
1157 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire RED Network $netsettings{'RED_ADDRESS'}";
1158 goto SETTINGS_ERROR;
1159 }
1160
1161 if (&General::IpInSubnet ( $netsettings{'GREEN_ADDRESS'},
1162 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
1163 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Green Network $netsettings{'GREEN_ADDRESS'}";
1164 goto SETTINGS_ERROR;
1165 }
1166
1167 if (&General::IpInSubnet ( $netsettings{'BLUE_ADDRESS'},
1168 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
1169 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Blue Network $netsettings{'BLUE_ADDRESS'}";
1170 goto SETTINGS_ERROR;
1171 }
1172
1173 if (&General::IpInSubnet ( $netsettings{'ORANGE_ADDRESS'},
1174 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
1175 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Orange Network $netsettings{'ORANGE_ADDRESS'}";
1176 goto SETTINGS_ERROR;
1177 }
1178 open(ALIASES, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
1179 while (<ALIASES>)
1180 {
1181 chomp($_);
1182 my @tempalias = split(/\,/,$_);
1183 if ($tempalias[1] eq 'on') {
1184 if (&General::IpInSubnet ($tempalias[0] ,
1185 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
1186 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire alias entry $tempalias[0]";
1187 }
1188 }
1189 }
1190 close(ALIASES);
6e13d0a5 1191 if ($errormessage ne ''){
c6c9630e 1192 goto SETTINGS_ERROR;
6e13d0a5
MT		 1193 }
1194 if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
1195 $errormessage = $Lang::tr{'invalid input'};
1196 goto SETTINGS_ERROR;
1197 }
1198 if ((length($cgiparams{'DMTU'})==0) || (($cgiparams{'DMTU'}) < 1000 )) {
1199 $errormessage = $Lang::tr{'invalid mtu input'};
1200 goto SETTINGS_ERROR;
1201 }
1202
1203 unless (&General::validport($cgiparams{'DDEST_PORT'})) {
c6c9630e
MT		 1204 $errormessage = $Lang::tr{'invalid port'};
1205 goto SETTINGS_ERROR;
6e13d0a5 1206 }
8c252e6a 1207
b21a6319
EK		 1208 # Create ta.key for tls-auth if not presant
1209 if ($cgiparams{'TLSAUTH'} eq 'on') {
1210 if ( ! -e "${General::swroot}/ovpn/certs/ta.key") {
2feacd98
SS		 1211 # This system call is safe, because all arguements are passed as an array.
1212 system("/usr/sbin/openvpn", "--genkey", "--secret", "${General::swroot}/ovpn/certs/ta.key");
b21a6319
EK		 1213 if ($?) {
1214 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1215 goto SETTINGS_ERROR;
1216 }
1217 }
1218 }
1219
6e13d0a5
MT		 1220 $vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'};
1221 $vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'};
1222 $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
1223 $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};
1224#new settings for daemon
1225 $vpnsettings{'DOVPN_SUBNET'} = $cgiparams{'DOVPN_SUBNET'};
6e13d0a5
MT		 1226 $vpnsettings{'DPROTOCOL'} = $cgiparams{'DPROTOCOL'};
1227 $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'};
1228 $vpnsettings{'DMTU'} = $cgiparams{'DMTU'};
1229 $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
1230 $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
86308adb 1231 $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
0c4ffc69 1232 $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
3ffee04b
CS		 1233#wrtie enable
1234
2feacd98
SS		 1235 if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {
1236 &General::system("touch", "${General::swroot}/ovpn/enable_blue");
1237 } else {
274ca65b 1238 unlink("${General::swroot}/ovpn/enable_blue");
2feacd98
SS		 1239 }
1240
1241 if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' ) {
1242 &General::system("touch", "${General::swroot}/ovpn/enable_orange");
1243 } else {
1244 unlink("${General::swroot}/ovpn/enable_orange");
1245 }
1246
1247 if ( $vpnsettings{'ENABLED'} eq 'on' ) {
1248 &General::system("touch", "${General::swroot}/ovpn/enable");
1249 } else {
1250 unlink("${General::swroot}/ovpn/enable");
1251 }
1252
6e13d0a5
MT		 1253#new settings for daemon
1254 &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
c6c9630e 1255 &writeserverconf();#hier ok
6e13d0a5
MT		 1256SETTINGS_ERROR:
1257###
1258### Reset all step 2
1259###
4c962356 1260}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'} && $cgiparams{'AREUSURE'} eq 'yes') {
6e13d0a5
MT		 1261 my $file = '';
1262 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1263
1e499e90 1264 # Kill all N2N connections
2feacd98 1265 &General::system("/usr/local/bin/openvpnctrl", "-kn2n");
1e499e90 1266
6e13d0a5 1267 foreach my $key (keys %confighash) {
2f36a7b4
MT		 1268 my $name = $confighash{$cgiparams{'$key'}}[1];
1269
c6c9630e
MT		 1270 if ($confighash{$key}[4] eq 'cert') {
1271 delete $confighash{$cgiparams{'$key'}};
1272 }
2f36a7b4 1273
2feacd98 1274 &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$name");
6e13d0a5
MT		 1275 }
1276 while ($file = glob("${General::swroot}/ovpn/ca/*")) {
49abe7af 1277 unlink $file;
6e13d0a5
MT		 1278 }
1279 while ($file = glob("${General::swroot}/ovpn/certs/*")) {
49abe7af 1280 unlink $file;
6e13d0a5
MT		 1281 }
1282 while ($file = glob("${General::swroot}/ovpn/crls/*")) {
49abe7af 1283 unlink $file;
6e13d0a5 1284 }
4c962356 1285 &cleanssldatabase();
6e13d0a5
MT		 1286 if (open(FILE, ">${General::swroot}/ovpn/caconfig")) {
1287 print FILE "";
1288 close FILE;
1289 }
49abe7af
EK		 1290 if (open(FILE, ">${General::swroot}/ovpn/ccdroute")) {
1291 print FILE "";
1292 close FILE;
1293 }
1294 if (open(FILE, ">${General::swroot}/ovpn/ccdroute2")) {
1295 print FILE "";
1296 close FILE;
1297 }
1298 while ($file = glob("${General::swroot}/ovpn/ccd/*")) {
1299 unlink $file
1300 }
5795fc1b
AM		 1301 while ($file = glob("${General::swroot}/ovpn/ccd/*")) {
1302 unlink $file
1303 }
49abe7af
EK		 1304 if (open(FILE, ">${General::swroot}/ovpn/ovpn-leases.db")) {
1305 print FILE "";
1306 close FILE;
1307 }
1308 if (open(FILE, ">${General::swroot}/ovpn/ovpnconfig")) {
1309 print FILE "";
1310 close FILE;
1311 }
1312 while ($file = glob("${General::swroot}/ovpn/n2nconf/*")) {
2feacd98 1313 unlink($file);
49abe7af
EK		 1314 }
1315
2f36a7b4
MT		 1316 # Remove everything from the collectd configuration
1317 &writecollectdconf();
1318
c6c9630e 1319 #&writeserverconf();
6e13d0a5
MT		 1320###
1321### Reset all step 1
1322###
4c962356 1323}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'}) {
6e13d0a5 1324 &Header::showhttpheaders();
4c962356
EK		 1325 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
1326 &Header::openbigbox('100%', 'left', '', '');
1327 &Header::openbox('100%', 'left', $Lang::tr{'are you sure'});
1328 print <<END;
1329 <form method='post'>
1330 <table width='100%'>
1331 <tr>
1332 <td align='center'>
1333 <input type='hidden' name='AREUSURE' value='yes' />
49abe7af 1334 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>:
4c962356
EK		 1335 $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}</td>
1336 </tr>
1337 <tr>
1338 <td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' />
1339 <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td>
1340 </tr>
1341 </table>
1342 </form>
6e13d0a5
MT		 1343END
1344 ;
1345 &Header::closebox();
1346 &Header::closebigbox();
1347 &Header::closepage();
1348 exit (0);
1349
4c962356
EK		 1350###
1351### Generate DH key step 2
1352###
1353} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'} && $cgiparams{'AREUSURE'} eq 'yes') {
49abe7af 1354 # Delete if old key exists
4c962356
EK		 1355 if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
1356 unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}";
1357 }
1358 # Create Diffie Hellmann Parameter
2feacd98
SS		 1359 # The system call is safe, because all arguments are passed as an array.
1360 system("/usr/bin/openssl", "dhparam", "-out", "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}");
4c962356
EK		 1361 if ($?) {
1362 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1363 unlink ("${General::swroot}/ovpn/ca/dh1024.pem");
1364 }
1365
1366###
1367### Generate DH key step 1
1368###
1369} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'}) {
1370 &Header::showhttpheaders();
1371 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
1372 &Header::openbigbox('100%', 'LEFT', '', '');
1373 &Header::openbox('100%', 'LEFT', "$Lang::tr{'gen dh'}:");
1374 print <<END;
1375 <table width='100%'>
1376 <tr>
f527e53f 1377 <td width='20%'> </td> <td width='15%'></td> <td width='65%'></td>
49abe7af 1378 </tr>
4c962356
EK		 1379 <tr>
1380 <td class='base'>$Lang::tr{'ovpn dh'}:</td>
1381 <td align='center'>
1382 <form method='post'><input type='hidden' name='AREUSURE' value='yes' />
1383 <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
1384 <select name='DHLENGHT'>
4c962356
EK		 1385 <option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
1386 <option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
1387 <option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
1388 </select>
1389 </td>
1390 </tr>
1391 <tr><td colspan='4'><br></td></tr>
1392 </table>
1393 <table width='100%'>
1394 <tr>
49abe7af 1395 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}: </font></b>$Lang::tr{'dh key warn'}
4c962356 1396 </tr>
49abe7af
EK		 1397 <tr>
1398 <td class='base'>$Lang::tr{'dh key warn1'}</td>
1399 </tr>
1400 <tr><td colspan='2'><br></td></tr>
4c962356
EK		 1401 <tr>
1402 <td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'generate dh key'}' /></td>
1403 </form>
1404 </tr>
1405 </table>
1406
1407END
1408 ;
1409 &Header::closebox();
1410 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1411 &Header::closebigbox();
1412 &Header::closepage();
1413 exit (0);
1414
1415###
1416### Upload DH key
1417###
1418} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload dh key'}) {
2ad1b18b 1419 unless (ref ($cgiparams{'FH'})) {
4c962356
EK		 1420 $errormessage = $Lang::tr{'there was no file upload'};
1421 goto UPLOADCA_ERROR;
1422 }
49abe7af 1423 # Move uploaded dh key to a temporary file
4c962356
EK		 1424 (my $fh, my $filename) = tempfile( );
1425 if (copy ($cgiparams{'FH'}, $fh) != 1) {
1426 $errormessage = $!;
49abe7af 1427 goto UPLOADCA_ERROR;
4c962356 1428 }
2feacd98
SS		 1429 my @temp = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "$filename");
1430 if ( ! grep(/DH Parameters: \((2048|3072|4096) bit\)/, @temp)) {
4c962356
EK		 1431 $errormessage = $Lang::tr{'not a valid dh key'};
1432 unlink ($filename);
1433 goto UPLOADCA_ERROR;
1434 } else {
1435 # Delete if old key exists
1436 if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
1437 unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}";
1438 }
1439 move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}");
49abe7af
EK		 1440 if ($? ne 0) {
1441 $errormessage = "$Lang::tr{'dh key move failed'}: $!";
1442 unlink ($filename);
1443 goto UPLOADCA_ERROR;
1444 }
4c962356
EK		 1445 }
1446
6e13d0a5
MT		 1447###
1448### Upload CA Certificate
1449###
1450} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) {
1451 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1452
1453 if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) {
1454 $errormessage = $Lang::tr{'name must only contain characters'};
1455 goto UPLOADCA_ERROR;
1456 }
1457
1458 if (length($cgiparams{'CA_NAME'}) >60) {
1459 $errormessage = $Lang::tr{'name too long'};
1460 goto VPNCONF_ERROR;
1461 }
1462
1463 if ($cgiparams{'CA_NAME'} eq 'ca') {
1464 $errormessage = $Lang::tr{'name is invalid'};
4c962356 1465 goto UPLOADCA_ERROR;
6e13d0a5
MT		 1466 }
1467
1468 # Check if there is no other entry with this name
1469 foreach my $key (keys %cahash) {
c6c9630e
MT		 1470 if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) {
1471 $errormessage = $Lang::tr{'a ca certificate with this name already exists'};
1472 goto UPLOADCA_ERROR;
1473 }
6e13d0a5
MT		 1474 }
1475
2ad1b18b 1476 unless (ref ($cgiparams{'FH'})) {
c6c9630e
MT		 1477 $errormessage = $Lang::tr{'there was no file upload'};
1478 goto UPLOADCA_ERROR;
6e13d0a5
MT		 1479 }
1480 # Move uploaded ca to a temporary file
1481 (my $fh, my $filename) = tempfile( );
1482 if (copy ($cgiparams{'FH'}, $fh) != 1) {
c6c9630e
MT		 1483 $errormessage = $!;
1484 goto UPLOADCA_ERROR;
6e13d0a5 1485 }
2feacd98
SS		 1486 my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "$filename");
1487 if ( ! grep(/CA:TRUE/i, @temp )) {
c6c9630e
MT		 1488 $errormessage = $Lang::tr{'not a valid ca certificate'};
1489 unlink ($filename);
1490 goto UPLOADCA_ERROR;
6e13d0a5 1491 } else {
c6c9630e
MT		 1492 move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem");
1493 if ($? ne 0) {
1494 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1495 unlink ($filename);
1496 goto UPLOADCA_ERROR;
1497 }
6e13d0a5
MT		 1498 }
1499
274ca65b 1500 my @casubject = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem");
2feacd98
SS		 1501 my $casubject;
1502
1503 foreach my $line (@casubject) {
1504 if ($line =~ /Subject: (.*)[\n]/) {
1505 $casubject = $1;
1506 $casubject =~ s+/Email+, E+;
1507 $casubject =~ s/ ST=/ S=/;
1508
1509 last;
1510 }
1511 }
1512
6e13d0a5
MT		 1513 $casubject = &Header::cleanhtml($casubject);
1514
1515 my $key = &General::findhasharraykey (\%cahash);
1516 $cahash{$key}[0] = $cgiparams{'CA_NAME'};
1517 $cahash{$key}[1] = $casubject;
1518 &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash);
c6c9630e
MT		 1519# system('/usr/local/bin/ipsecctrl', 'R');
1520
6e13d0a5
MT		 1521 UPLOADCA_ERROR:
1522
1523###
1524### Display ca certificate
1525###
1526} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show ca certificate'}) {
c6c9630e
MT		 1527 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1528
1529 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") {
1530 &Header::showhttpheaders();
4c962356 1531 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
c6c9630e
MT		 1532 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
1533 &Header::openbox('100%', 'LEFT', "$Lang::tr{'ca certificate'}:");
2feacd98
SS		 1534 my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
1535 @output = &Header::cleanhtml(@output,"y");
1536 print "<pre>@output</pre>\n";
c6c9630e
MT		 1537 &Header::closebox();
1538 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1539 &Header::closebigbox();
1540 &Header::closepage();
1541 exit(0);
1542 } else {
1543 $errormessage = $Lang::tr{'invalid key'};
1544 }
1545
6e13d0a5
MT		 1546###
1547### Download ca certificate
1548###
1549} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download ca certificate'}) {
1550 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1551
1552 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
1553 print "Content-Type: application/octet-stream\r\n";
1554 print "Content-Disposition: filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n";
2feacd98
SS		 1555
1556 my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
1557 print "@tmp";
1558
6e13d0a5
MT		 1559 exit(0);
1560 } else {
1561 $errormessage = $Lang::tr{'invalid key'};
1562 }
1563
1564###
1565### Remove ca certificate (step 2)
1566###
1567} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'} && $cgiparams{'AREUSURE'} eq 'yes') {
1568 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1569 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1570
1571 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
1572 foreach my $key (keys %confighash) {
2feacd98
SS		 1573 my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem");
1574 if (grep(/: OK/, @test)) {
c6c9630e
MT		 1575 # Delete connection
1576# if ($vpnsettings{'ENABLED'} eq 'on' ||
1577# $vpnsettings{'ENABLED_BLUE'} eq 'on') {
1578# system('/usr/local/bin/ipsecctrl', 'D', $key);
1579# }
6e13d0a5
MT		 1580 unlink ("${General::swroot}/ovpn//certs/$confighash{$key}[1]cert.pem");
1581 unlink ("${General::swroot}/ovpn/certs/$confighash{$key}[1].p12");
1582 delete $confighash{$key};
1583 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
c6c9630e 1584# &writeipsecfiles();
6e13d0a5
MT		 1585 }
1586 }
1587 unlink ("${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
1588 delete $cahash{$cgiparams{'KEY'}};
1589 &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash);
c6c9630e 1590# system('/usr/local/bin/ipsecctrl', 'R');
6e13d0a5
MT		 1591 } else {
1592 $errormessage = $Lang::tr{'invalid key'};
1593 }
1594###
1595### Remove ca certificate (step 1)
1596###
1597} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'}) {
1598 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1599 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1600
1601 my $assignedcerts = 0;
1602 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
1603 foreach my $key (keys %confighash) {
2feacd98
SS		 1604 my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem");
1605 if (grep(/: OK/, @test)) {
6e13d0a5
MT		 1606 $assignedcerts++;
1607 }
1608 }
1609 if ($assignedcerts) {
1610 &Header::showhttpheaders();
4c962356 1611 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
6e13d0a5
MT		 1612 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
1613 &Header::openbox('100%', 'LEFT', $Lang::tr{'are you sure'});
4c962356 1614 print <<END;
6e13d0a5
MT		 1615 <table><form method='post'><input type='hidden' name='AREUSURE' value='yes' />
1616 <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
1617 <tr><td align='center'>
1618 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: $assignedcerts
1619 $Lang::tr{'connections are associated with this ca. deleting the ca will delete these connections as well.'}
1620 <tr><td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />
1621 <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td></tr>
1622 </form></table>
1623END
1624 ;
1625 &Header::closebox();
1626 &Header::closebigbox();
1627 &Header::closepage();
1628 exit (0);
1629 } else {
1630 unlink ("${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
1631 delete $cahash{$cgiparams{'KEY'}};
1632 &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1633# system('/usr/local/bin/ipsecctrl', 'R');
1634 }
1635 } else {
1636 $errormessage = $Lang::tr{'invalid key'};
1637 }
1638
1639###
1640### Display root certificate
1641###
c6c9630e
MT		 1642}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} ||
1643 $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) {
2feacd98 1644 my @output;
c6c9630e 1645 &Header::showhttpheaders();
4c962356 1646 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
c6c9630e
MT		 1647 &Header::openbigbox('100%', 'LEFT', '', '');
1648 if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) {
1649 &Header::openbox('100%', 'LEFT', "$Lang::tr{'root certificate'}:");
2feacd98 1650 @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/cacert.pem");
c6c9630e
MT		 1651 } else {
1652 &Header::openbox('100%', 'LEFT', "$Lang::tr{'host certificate'}:");
2feacd98 1653 @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
c6c9630e 1654 }
2feacd98
SS		 1655 @output = &Header::cleanhtml(@output,"y");
1656 print "<pre>@output</pre>\n";
c6c9630e
MT		 1657 &Header::closebox();
1658 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1659 &Header::closebigbox();
1660 &Header::closepage();
1661 exit(0);
1662
6e13d0a5
MT		 1663###
1664### Download root certificate
1665###
1666}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download root certificate'}) {
1667 if ( -f "${General::swroot}/ovpn/ca/cacert.pem" ) {
1668 print "Content-Type: application/octet-stream\r\n";
1669 print "Content-Disposition: filename=cacert.pem\r\n\r\n";
2feacd98
SS		 1670
1671 my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/ca/cacert.pem");
1672 print "@tmp";
1673
6e13d0a5
MT		 1674 exit(0);
1675 }
1676
1677###
1678### Download host certificate
1679###
1680}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download host certificate'}) {
1681 if ( -f "${General::swroot}/ovpn/certs/servercert.pem" ) {
1682 print "Content-Type: application/octet-stream\r\n";
1683 print "Content-Disposition: filename=servercert.pem\r\n\r\n";
2feacd98
SS		 1684
1685 my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
1686 print "@tmp";
1687
6e13d0a5
MT		 1688 exit(0);
1689 }
f7fb5bc5 1690
fd5ccb2d
EK		 1691###
1692### Download tls-auth key
1693###
1694}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-auth key'}) {
1695 if ( -f "${General::swroot}/ovpn/certs/ta.key" ) {
1696 print "Content-Type: application/octet-stream\r\n";
1697 print "Content-Disposition: filename=ta.key\r\n\r\n";
2feacd98
SS		 1698
1699 open(FILE, "${General::swroot}/ovpn/certs/ta.key");
1700 my @tmp = <FILE>;
1701 close(FILE);
1702
1703 print "@tmp";
1704
fd5ccb2d
EK		 1705 exit(0);
1706 }
1707
6e13d0a5
MT		 1708###
1709### Form for generating a root certificate
1710###
1711}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} ||
1712 $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
1713
1714 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1715 if (-f "${General::swroot}/ovpn/ca/cacert.pem") {
1716 $errormessage = $Lang::tr{'valid root certificate already exists'};
1717 $cgiparams{'ACTION'} = '';
1718 goto ROOTCERT_ERROR;
1719 }
1720
1721 if (($cgiparams{'ROOTCERT_HOSTNAME'} eq '') && -e "${General::swroot}/red/active") {
1722 if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
1723 my $ipaddr = <IPADDR>;
1724 close IPADDR;
1725 chomp ($ipaddr);
1726 $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
1727 if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
1728 $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
1729 }
1730 }
1731 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
2ad1b18b 1732 unless (ref ($cgiparams{'FH'})) {
6e13d0a5
MT		 1733 $errormessage = $Lang::tr{'there was no file upload'};
1734 goto ROOTCERT_ERROR;
1735 }
1736
1737 # Move uploaded certificate request to a temporary file
1738 (my $fh, my $filename) = tempfile( );
1739 if (copy ($cgiparams{'FH'}, $fh) != 1) {
1740 $errormessage = $!;
1741 goto ROOTCERT_ERROR;
1742 }
1743
1744 # Create a temporary dirctory
1745 my $tempdir = tempdir( CLEANUP => 1 );
1746
1747 # Extract the CA certificate from the file
1748 my $pid = open(OPENSSL, "|-");
1749 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1750 if ($pid) { # parent
1751 if ($cgiparams{'P12_PASS'} ne '') {
1752 print OPENSSL "$cgiparams{'P12_PASS'}\n";
1753 }
1754 close (OPENSSL);
1755 if ($?) {
1756 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1757 unlink ($filename);
1758 goto ROOTCERT_ERROR;
1759 }
1760 } else { # child
1761 unless (exec ('/usr/bin/openssl', 'pkcs12', '-cacerts', '-nokeys',
1762 '-in', $filename,
1763 '-out', "$tempdir/cacert.pem")) {
1764 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1765 unlink ($filename);
1766 goto ROOTCERT_ERROR;
1767 }
1768 }
1769
1770 # Extract the Host certificate from the file
1771 $pid = open(OPENSSL, "|-");
1772 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1773 if ($pid) { # parent
1774 if ($cgiparams{'P12_PASS'} ne '') {
1775 print OPENSSL "$cgiparams{'P12_PASS'}\n";
1776 }
1777 close (OPENSSL);
1778 if ($?) {
1779 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1780 unlink ($filename);
1781 goto ROOTCERT_ERROR;
1782 }
1783 } else { # child
1784 unless (exec ('/usr/bin/openssl', 'pkcs12', '-clcerts', '-nokeys',
1785 '-in', $filename,
1786 '-out', "$tempdir/hostcert.pem")) {
1787 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1788 unlink ($filename);
1789 goto ROOTCERT_ERROR;
1790 }
1791 }
1792
1793 # Extract the Host key from the file
1794 $pid = open(OPENSSL, "|-");
1795 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1796 if ($pid) { # parent
1797 if ($cgiparams{'P12_PASS'} ne '') {
1798 print OPENSSL "$cgiparams{'P12_PASS'}\n";
1799 }
1800 close (OPENSSL);
1801 if ($?) {
1802 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1803 unlink ($filename);
1804 goto ROOTCERT_ERROR;
1805 }
1806 } else { # child
1807 unless (exec ('/usr/bin/openssl', 'pkcs12', '-nocerts',
1808 '-nodes',
1809 '-in', $filename,
1810 '-out', "$tempdir/serverkey.pem")) {
1811 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1812 unlink ($filename);
1813 goto ROOTCERT_ERROR;
1814 }
1815 }
1816
1817 move("$tempdir/cacert.pem", "${General::swroot}/ovpn/ca/cacert.pem");
1818 if ($? ne 0) {
1819 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1820 unlink ($filename);
1821 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1822 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1823 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1824 goto ROOTCERT_ERROR;
1825 }
1826
1827 move("$tempdir/hostcert.pem", "${General::swroot}/ovpn/certs/servercert.pem");
1828 if ($? ne 0) {
1829 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1830 unlink ($filename);
1831 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1832 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1833 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1834 goto ROOTCERT_ERROR;
1835 }
1836
1837 move("$tempdir/serverkey.pem", "${General::swroot}/ovpn/certs/serverkey.pem");
1838 if ($? ne 0) {
1839 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1840 unlink ($filename);
1841 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1842 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1843 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1844 goto ROOTCERT_ERROR;
1845 }
1846
1847 goto ROOTCERT_SUCCESS;
1848
1849 } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') {
1850
1851 # Validate input since the form was submitted
1852 if ($cgiparams{'ROOTCERT_ORGANIZATION'} eq ''){
1853 $errormessage = $Lang::tr{'organization cant be empty'};
1854 goto ROOTCERT_ERROR;
1855 }
1856 if (length($cgiparams{'ROOTCERT_ORGANIZATION'}) >60) {
1857 $errormessage = $Lang::tr{'organization too long'};
1858 goto ROOTCERT_ERROR;
1859 }
1860 if ($cgiparams{'ROOTCERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1861 $errormessage = $Lang::tr{'invalid input for organization'};
1862 goto ROOTCERT_ERROR;
1863 }
1864 if ($cgiparams{'ROOTCERT_HOSTNAME'} eq ''){
1865 $errormessage = $Lang::tr{'hostname cant be empty'};
1866 goto ROOTCERT_ERROR;
1867 }
1868 unless (&General::validfqdn($cgiparams{'ROOTCERT_HOSTNAME'}) || &General::validip($cgiparams{'ROOTCERT_HOSTNAME'})) {
1869 $errormessage = $Lang::tr{'invalid input for hostname'};
1870 goto ROOTCERT_ERROR;
1871 }
1872 if ($cgiparams{'ROOTCERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'ROOTCERT_EMAIL'}))) {
1873 $errormessage = $Lang::tr{'invalid input for e-mail address'};
1874 goto ROOTCERT_ERROR;
1875 }
1876 if (length($cgiparams{'ROOTCERT_EMAIL'}) > 40) {
1877 $errormessage = $Lang::tr{'e-mail address too long'};
1878 goto ROOTCERT_ERROR;
1879 }
1880 if ($cgiparams{'ROOTCERT_OU'} ne '' && $cgiparams{'ROOTCERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1881 $errormessage = $Lang::tr{'invalid input for department'};
1882 goto ROOTCERT_ERROR;
1883 }
1884 if ($cgiparams{'ROOTCERT_CITY'} ne '' && $cgiparams{'ROOTCERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1885 $errormessage = $Lang::tr{'invalid input for city'};
1886 goto ROOTCERT_ERROR;
1887 }
1888 if ($cgiparams{'ROOTCERT_STATE'} ne '' && $cgiparams{'ROOTCERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1889 $errormessage = $Lang::tr{'invalid input for state or province'};
1890 goto ROOTCERT_ERROR;
1891 }
1892 if ($cgiparams{'ROOTCERT_COUNTRY'} !~ /^[A-Z]*$/) {
1893 $errormessage = $Lang::tr{'invalid input for country'};
1894 goto ROOTCERT_ERROR;
1895 }
1896
1897 # Copy the cgisettings to vpnsettings and save the configfile
1898 $vpnsettings{'ROOTCERT_ORGANIZATION'} = $cgiparams{'ROOTCERT_ORGANIZATION'};
1899 $vpnsettings{'ROOTCERT_HOSTNAME'} = $cgiparams{'ROOTCERT_HOSTNAME'};
1900 $vpnsettings{'ROOTCERT_EMAIL'} = $cgiparams{'ROOTCERT_EMAIL'};
1901 $vpnsettings{'ROOTCERT_OU'} = $cgiparams{'ROOTCERT_OU'};
1902 $vpnsettings{'ROOTCERT_CITY'} = $cgiparams{'ROOTCERT_CITY'};
1903 $vpnsettings{'ROOTCERT_STATE'} = $cgiparams{'ROOTCERT_STATE'};
1904 $vpnsettings{'ROOTCERT_COUNTRY'} = $cgiparams{'ROOTCERT_COUNTRY'};
1905 &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
1906
1907 # Replace empty strings with a .
1908 (my $ou = $cgiparams{'ROOTCERT_OU'}) =~ s/^\s*$/\./;
1909 (my $city = $cgiparams{'ROOTCERT_CITY'}) =~ s/^\s*$/\./;
1910 (my $state = $cgiparams{'ROOTCERT_STATE'}) =~ s/^\s*$/\./;
1911
1912 # refresh
c6c9630e 1913 #system ('/bin/touch', "${General::swroot}/ovpn/gencanow");
6e13d0a5
MT		 1914
1915 # Create the CA certificate
1916 my $pid = open(OPENSSL, "|-");
1917 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1918 if ($pid) { # parent
1919 print OPENSSL "$cgiparams{'ROOTCERT_COUNTRY'}\n";
1920 print OPENSSL "$state\n";
1921 print OPENSSL "$city\n";
1922 print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";
1923 print OPENSSL "$ou\n";
1924 print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'} CA\n";
1925 print OPENSSL "$cgiparams{'ROOTCERT_EMAIL'}\n";
1926 close (OPENSSL);
1927 if ($?) {
1928 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1929 unlink ("${General::swroot}/ovpn/ca/cakey.pem");
1930 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1931 goto ROOTCERT_ERROR;
1932 }
1933 } else { # child
badd8c1c 1934 unless (exec ('/usr/bin/openssl', 'req', '-x509', '-nodes',
49abe7af 1935 '-days', '999999', '-newkey', 'rsa:4096', '-sha512',
6e13d0a5
MT		 1936 '-keyout', "${General::swroot}/ovpn/ca/cakey.pem",
1937 '-out', "${General::swroot}/ovpn/ca/cacert.pem",
1938 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
1939 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1940 goto ROOTCERT_ERROR;
1941 }
1942 }
1943
1944 # Create the Host certificate request
1945 $pid = open(OPENSSL, "|-");
1946 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1947 if ($pid) { # parent
1948 print OPENSSL "$cgiparams{'ROOTCERT_COUNTRY'}\n";
1949 print OPENSSL "$state\n";
1950 print OPENSSL "$city\n";
1951 print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";
1952 print OPENSSL "$ou\n";
1953 print OPENSSL "$cgiparams{'ROOTCERT_HOSTNAME'}\n";
1954 print OPENSSL "$cgiparams{'ROOTCERT_EMAIL'}\n";
1955 print OPENSSL ".\n";
1956 print OPENSSL ".\n";
1957 close (OPENSSL);
1958 if ($?) {
1959 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1960 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1961 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1962 goto ROOTCERT_ERROR;
1963 }
1964 } else { # child
badd8c1c 1965 unless (exec ('/usr/bin/openssl', 'req', '-nodes',
4c962356 1966 '-newkey', 'rsa:2048',
6e13d0a5
MT		 1967 '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem",
1968 '-out', "${General::swroot}/ovpn/certs/serverreq.pem",
1969 '-extensions', 'server',
1970 '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) {
1971 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1972 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1973 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1974 unlink ("${General::swroot}/ovpn/ca/cakey.pem");
1975 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1976 goto ROOTCERT_ERROR;
1977 }
1978 }
1979
1980 # Sign the host certificate request
2feacd98 1981 # This system call is safe, because all argeuments are passed as an array.
6e13d0a5
MT		 1982 system('/usr/bin/openssl', 'ca', '-days', '999999',
1983 '-batch', '-notext',
1984 '-in', "${General::swroot}/ovpn/certs/serverreq.pem",
1985 '-out', "${General::swroot}/ovpn/certs/servercert.pem",
1986 '-extensions', 'server',
1987 '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf");
1988 if ($?) {
1989 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1990 unlink ("${General::swroot}/ovpn/ca/cakey.pem");
1991 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1992 unlink ("${General::swroot}/ovpn/serverkey.pem");
1993 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1994 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
c6c9630e 1995 &newcleanssldatabase();
6e13d0a5
MT		 1996 goto ROOTCERT_ERROR;
1997 } else {
1998 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
c6c9630e 1999 &deletebackupcert();
6e13d0a5
MT		 2000 }
2001
2002 # Create an empty CRL
2feacd98 2003 # System call is safe, because all arguments are passed as array.
6e13d0a5
MT		 2004 system('/usr/bin/openssl', 'ca', '-gencrl',
2005 '-out', "${General::swroot}/ovpn/crls/cacrl.pem",
2006 '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" );
2007 if ($?) {
2008 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
2009 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
2010 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
2011 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
2012 unlink ("${General::swroot}/ovpn/crls/cacrl.pem");
c6c9630e 2013 &cleanssldatabase();
6e13d0a5 2014 goto ROOTCERT_ERROR;
c6c9630e
MT		 2015# } else {
2016# &cleanssldatabase();
6e13d0a5 2017 }
ae04d0a3 2018 # Create ta.key for tls-auth
2feacd98 2019 # This system call is safe, because all arguments are passed as an array.
ae04d0a3
EK		 2020 system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key");
2021 if ($?) {
2022 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
2023 &cleanssldatabase();
2024 goto ROOTCERT_ERROR;
2025 }
6e13d0a5 2026 # Create Diffie Hellmann Parameter
2feacd98 2027 # The system call is safe, because all arguments are passed as an array.
badd8c1c 2028 system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}");
6e13d0a5
MT		 2029 if ($?) {
2030 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
2031 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
2032 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
2033 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
2034 unlink ("${General::swroot}/ovpn/crls/cacrl.pem");
2035 unlink ("${General::swroot}/ovpn/ca/dh1024.pem");
c6c9630e 2036 &cleanssldatabase();
6e13d0a5 2037 goto ROOTCERT_ERROR;
c6c9630e
MT		 2038# } else {
2039# &cleanssldatabase();
4be45949 2040 }
6e13d0a5
MT		 2041 goto ROOTCERT_SUCCESS;
2042 }
2043 ROOTCERT_ERROR:
2044 if ($cgiparams{'ACTION'} ne '') {
2045 &Header::showhttpheaders();
4c962356 2046 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
6e13d0a5
MT		 2047 &Header::openbigbox('100%', 'LEFT', '', '');
2048 if ($errormessage) {
2049 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
2050 print "<class name='base'>$errormessage";
2051 print "&nbsp;</class>";
2052 &Header::closebox();
2053 }
2054 &Header::openbox('100%', 'LEFT', "$Lang::tr{'generate root/host certificates'}:");
49abe7af 2055 print <<END;
6e13d0a5
MT		 2056 <form method='post' enctype='multipart/form-data'>
2057 <table width='100%' border='0' cellspacing='1' cellpadding='0'>
e3edceeb 2058 <tr><td width='30%' class='base'>$Lang::tr{'organization name'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
6e13d0a5
MT		 2059 <td width='35%' class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_ORGANIZATION' value='$cgiparams{'ROOTCERT_ORGANIZATION'}' size='32' /></td>
2060 <td width='35%' colspan='2'>&nbsp;</td></tr>
e3edceeb 2061 <tr><td class='base'>$Lang::tr{'ipfires hostname'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
6e13d0a5
MT		 2062 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_HOSTNAME' value='$cgiparams{'ROOTCERT_HOSTNAME'}' size='32' /></td>
2063 <td colspan='2'>&nbsp;</td></tr>
e3edceeb 2064 <tr><td class='base'>$Lang::tr{'your e-mail'}:</td>
6e13d0a5
MT		 2065 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_EMAIL' value='$cgiparams{'ROOTCERT_EMAIL'}' size='32' /></td>
2066 <td colspan='2'>&nbsp;</td></tr>
e3edceeb 2067 <tr><td class='base'>$Lang::tr{'your department'}:</td>
6e13d0a5
MT		 2068 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_OU' value='$cgiparams{'ROOTCERT_OU'}' size='32' /></td>
2069 <td colspan='2'>&nbsp;</td></tr>
e3edceeb 2070 <tr><td class='base'>$Lang::tr{'city'}:</td>
6e13d0a5
MT		 2071 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_CITY' value='$cgiparams{'ROOTCERT_CITY'}' size='32' /></td>
2072 <td colspan='2'>&nbsp;</td></tr>
e3edceeb 2073 <tr><td class='base'>$Lang::tr{'state or province'}:</td>
6e13d0a5
MT		 2074 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_STATE' value='$cgiparams{'ROOTCERT_STATE'}' size='32' /></td>
2075 <td colspan='2'>&nbsp;</td></tr>
2076 <tr><td class='base'>$Lang::tr{'country'}:</td>
2077 <td class='base'><select name='ROOTCERT_COUNTRY'>
2078
2079END
2080 ;
2081 foreach my $country (sort keys %{Countries::countries}) {
2082 print "<option value='$Countries::countries{$country}'";
2083 if ( $Countries::countries{$country} eq $cgiparams{'ROOTCERT_COUNTRY'} ) {
2084 print " selected='selected'";
2085 }
2086 print ">$country</option>";
2087 }
49abe7af 2088 print <<END;
6e13d0a5 2089 </select></td>
4c962356
EK		 2090 <tr><td class='base'>$Lang::tr{'ovpn dh'}:</td>
2091 <td class='base'><select name='DHLENGHT'>
4c962356
EK		 2092 <option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
2093 <option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
2094 <option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
2095 </select>
2096 </td>
2097 </tr>
2098
6e13d0a5
MT		 2099 <tr><td>&nbsp;</td>
2100 <td><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /></td>
2101 <td>&nbsp;</td><td>&nbsp;</td></tr>
2102 <tr><td class='base' colspan='4' align='left'>
e3edceeb 2103 <img src='/blob.gif' valign='top' alt='*' />&nbsp;$Lang::tr{'required field'}</td></tr>
49abe7af
EK		 2104 <tr><td colspan='2'><br></td></tr>
2105 <table width='100%'>
2106 <tr>
2107 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}: </font></b>$Lang::tr{'ovpn generating the root and host certificates'}
2108 <td class='base'>$Lang::tr{'dh key warn'}</td>
4c962356 2109 </tr>
49abe7af
EK		 2110 <tr>
2111 <td class='base'>$Lang::tr{'dh key warn1'}</td>
4c962356 2112 </tr>
49abe7af
EK		 2113 <tr><td colspan='2'><br></td></tr>
2114 <tr>
2115 </table>
4c962356 2116
49abe7af 2117 <table width='100%'>
4c962356 2118 <tr><td colspan='4'><hr></td></tr>
e3edceeb 2119 <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload p12 file'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
6e13d0a5
MT		 2120 <td nowrap='nowrap'><input type='file' name='FH' size='32'></td>
2121 <td colspan='2'>&nbsp;</td></tr>
e3edceeb 2122 <tr><td class='base'>$Lang::tr{'pkcs12 file password'}:</td>
6e13d0a5
MT		 2123 <td class='base' nowrap='nowrap'><input type='password' name='P12_PASS' value='$cgiparams{'P12_PASS'}' size='32' /></td>
2124 <td colspan='2'>&nbsp;</td></tr>
2125 <tr><td>&nbsp;</td>
2126 <td><input type='submit' name='ACTION' value='$Lang::tr{'upload p12 file'}' /></td>
2127 <td colspan='2'>&nbsp;</td></tr>
2128 <tr><td class='base' colspan='4' align='left'>
e3edceeb 2129 <img src='/blob.gif' valign='top' alt='*' >&nbsp;$Lang::tr{'required field'}</td>
4c962356 2130 </tr>
6e13d0a5
MT		 2131 </form></table>
2132END
2133 ;
2134 &Header::closebox();
4c962356 2135 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
6e13d0a5
MT		 2136 &Header::closebigbox();
2137 &Header::closepage();
2138 exit(0)
2139 }
2140
2141 ROOTCERT_SUCCESS:
2feacd98 2142 &General::system("chmod", "600", "${General::swroot}/ovpn/certs/serverkey.pem");
c6c9630e
MT		 2143# if ($vpnsettings{'ENABLED'} eq 'on' ||
2144# $vpnsettings{'ENABLE_BLUE'} eq 'on') {
2145# system('/usr/local/bin/ipsecctrl', 'S');
2146# }
6e13d0a5
MT		 2147
2148###
2149### Enable/Disable connection
2150###
ce9abb66
AH		 2151
2152###
7c1d9faf 2153# m.a.d net2net
ce9abb66
AH		 2154###
2155
6e13d0a5 2156}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {
c6c9630e
MT		 2157
2158 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
6e13d0a5 2159 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2feacd98
SS		 2160 my $n2nactive = '';
2161 my @ps = &General::system_output("/bin/ps", "ax");
2162
2163 if(grep(/$confighash{$cgiparams{'KEY'}}[1]/, @ps)) {
2164 $n2nactive = "1";
2165 }
ce9abb66 2166
6e13d0a5 2167 if ($confighash{$cgiparams{'KEY'}}) {
8c877a82
AM		 2168 if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') {
2169 $confighash{$cgiparams{'KEY'}}[0] = 'on';
2170 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
ce9abb66 2171
8c877a82 2172 if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
2feacd98 2173 &General::system("/usr/local/bin/openvpnctrl", "-sn2n", "$confighash{$cgiparams{'KEY'}}[1]");
775b4494 2174 &writecollectdconf();
8c877a82
AM		 2175 }
2176 } else {
ce9abb66 2177
8c877a82
AM		 2178 $confighash{$cgiparams{'KEY'}}[0] = 'off';
2179 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
ce9abb66 2180
8c877a82 2181 if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
775b4494 2182 if ($n2nactive ne '') {
2feacd98 2183 &General::system("/usr/local/bin/openvpnctrl", "-kn2n", "$confighash{$cgiparams{'KEY'}}[1]");
775b4494
AM		 2184 &writecollectdconf();
2185 }
ce9abb66 2186
8c877a82 2187 } else {
775b4494 2188 $errormessage = $Lang::tr{'invalid key'};
8c877a82 2189 }
775b4494 2190 }
ce9abb66 2191 }
6e13d0a5
MT		 2192
2193###
2194### Download OpenVPN client package
2195###
ce9abb66
AH		 2196
2197
6e13d0a5
MT		 2198} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'dl client arch'}) {
2199 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
2200 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2201 my $file = '';
2202 my $clientovpn = '';
2203 my @fileholder;
2204 my $tempdir = tempdir( CLEANUP => 1 );
2205 my $zippath = "$tempdir/";
ce9abb66
AH		 2206
2207###
7c1d9faf
AH		 2208# m.a.d net2net
2209###
ce9abb66
AH		 2210
2211if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
2212
2213 my $zipname = "$confighash{$cgiparams{'KEY'}}[1]-Client.zip";
2214 my $zippathname = "$zippath$zipname";
2215 $clientovpn = "$confighash{$cgiparams{'KEY'}}[1].conf";
2216 my @ovsubnettemp = split(/\./,$confighash{$cgiparams{'KEY'}}[27]);
54fd0535 2217 my $ovsubnet = "$ovsubnettemp[0].$ovsubnettemp[1].$ovsubnettemp[2]";
ce9abb66 2218 my $tunmtu = '';
7c1d9faf 2219 my @remsubnet = split(/\//,$confighash{$cgiparams{'KEY'}}[8]);
54fd0535 2220 my $n2nfragment = '';
ce9abb66
AH		 2221
2222 open(CLIENTCONF, ">$tempdir/$clientovpn") or die "Unable to open tempfile: $!";
2223 flock CLIENTCONF, 2;
2224
2225 my $zip = Archive::Zip->new();
7c1d9faf 2226 print CLIENTCONF "# IPFire n2n Open VPN Client Config by ummeegge und m.a.d\n";
ce9abb66 2227 print CLIENTCONF "# \n";
b278daf3 2228 print CLIENTCONF "# User Security\n";
ce9abb66
AH		 2229 print CLIENTCONF "user nobody\n";
2230 print CLIENTCONF "group nobody\n";
2231 print CLIENTCONF "persist-tun\n";
2232 print CLIENTCONF "persist-key\n";
7c1d9faf 2233 print CLIENTCONF "script-security 2\n";
60f396d7 2234 print CLIENTCONF "# IP/DNS for remote Server Gateway\n";
531f0835 2235 print CLIENTCONF "remote $vpnsettings{'VPN_IP'}\n";
b278daf3 2236 print CLIENTCONF "float\n";
60f396d7 2237 print CLIENTCONF "# IP adresses of the VPN Subnet\n";
ce9abb66 2238 print CLIENTCONF "ifconfig $ovsubnet.2 $ovsubnet.1\n";
b278daf3 2239 print CLIENTCONF "# Server Gateway Network\n";
7c1d9faf 2240 print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n";
b278daf3 2241 print CLIENTCONF "# tun Device\n";
79e7688b 2242 print CLIENTCONF "dev tun\n";
35a21a25
AM		 2243 print CLIENTCONF "#Logfile for statistics\n";
2244 print CLIENTCONF "status-version 1\n";
2245 print CLIENTCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n";
60f396d7 2246 print CLIENTCONF "# Port and Protokoll\n";
ce9abb66 2247 print CLIENTCONF "port $confighash{$cgiparams{'KEY'}}[29]\n";
60f396d7
AH		 2248
2249 if ($confighash{$cgiparams{'KEY'}}[28] eq 'tcp') {
2250 print CLIENTCONF "proto tcp-client\n";
2251 print CLIENTCONF "# Packet size\n";
d96c89eb 2252 if ($confighash{$cgiparams{'KEY'}}[31] eq '') {$tunmtu = '1400'} else {$tunmtu = $confighash{$cgiparams{'KEY'}}[31]};
60f396d7 2253 print CLIENTCONF "tun-mtu $tunmtu\n";
d96c89eb 2254 }
60f396d7
AH		 2255
2256 if ($confighash{$cgiparams{'KEY'}}[28] eq 'udp') {
2257 print CLIENTCONF "proto udp\n";
2258 print CLIENTCONF "# Paketsize\n";
2259 if ($confighash{$cgiparams{'KEY'}}[31] eq '') {$tunmtu = '1500'} else {$tunmtu = $confighash{$cgiparams{'KEY'}}[31]};
2260 print CLIENTCONF "tun-mtu $tunmtu\n";
54fd0535 2261 if ($confighash{$cgiparams{'KEY'}}[24] ne '') {print CLIENTCONF "fragment $confighash{$cgiparams{'KEY'}}[24]\n";}
d6989b4b 2262 if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF "mssfix\n";} else { print CLIENTCONF "mssfix 0\n"; }
d96c89eb 2263 }
b66b02ab
EK		 2264 # Check host certificate if X509 is RFC3280 compliant.
2265 # If not, old --ns-cert-type directive will be used.
2266 # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
2feacd98
SS		 2267 my @hostcert = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
2268 if (! grep(/TLS Web Server Authentication/, @hostcert)) {
b66b02ab
EK		 2269 print CLIENTCONF "ns-cert-type server\n";
2270 } else {
2271 print CLIENTCONF "remote-cert-tls server\n";
2272 }
ce9abb66
AH		 2273 print CLIENTCONF "# Auth. Client\n";
2274 print CLIENTCONF "tls-client\n";
49abe7af 2275 print CLIENTCONF "# Cipher\n";
4c962356 2276 print CLIENTCONF "cipher $confighash{$cgiparams{'KEY'}}[40]\n";
ce9abb66
AH		 2277 if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") {
2278 print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12\r\n";
2279 $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
49abe7af 2280 }
52f61e49
EKD		 2281
2282 # If GCM cipher is used, do not use --auth
2283 if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') ||
2284 ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') ||
2285 ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) {
2286 print CLIENTCONF unless "# HMAC algorithm\n";
2287 print CLIENTCONF unless "auth $confighash{$cgiparams{'KEY'}}[39]\n";
49abe7af 2288 } else {
52f61e49
EKD		 2289 print CLIENTCONF "# HMAC algorithm\n";
2290 print CLIENTCONF "auth $confighash{$cgiparams{'KEY'}}[39]\n";
49abe7af 2291 }
52f61e49 2292
4c962356 2293 if ($confighash{$cgiparams{'KEY'}}[30] eq 'on') {
b278daf3 2294 print CLIENTCONF "# Enable Compression\n";
66298ef2 2295 print CLIENTCONF "comp-lzo\n";
b278daf3 2296 }
ce9abb66
AH		 2297 print CLIENTCONF "# Debug Level\n";
2298 print CLIENTCONF "verb 3\n";
b278daf3 2299 print CLIENTCONF "# Tunnel check\n";
ce9abb66 2300 print CLIENTCONF "keepalive 10 60\n";
b278daf3 2301 print CLIENTCONF "# Start as daemon\n";
ce9abb66
AH		 2302 print CLIENTCONF "daemon $confighash{$cgiparams{'KEY'}}[1]n2n\n";
2303 print CLIENTCONF "writepid /var/run/$confighash{$cgiparams{'KEY'}}[1]n2n.pid\n";
b278daf3 2304 print CLIENTCONF "# Activate Management Interface and Port\n";
54fd0535
MT		 2305 if ($confighash{$cgiparams{'KEY'}}[22] eq '') {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[29]\n"}
2306 else {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[22]\n"};
ce9abb66 2307 print CLIENTCONF "# remsub $confighash{$cgiparams{'KEY'}}[11]\n";
531f0835 2308
ce9abb66
AH		 2309
2310 close(CLIENTCONF);
2311
2312 $zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n";
2313 my $status = $zip->writeToFileNamed($zippathname);
2314
2315 open(DLFILE, "<$zippathname") or die "Unable to open $zippathname: $!";
2316 @fileholder = <DLFILE>;
2317 print "Content-Type:application/x-download\n";
2318 print "Content-Disposition:attachment;filename=$zipname\n\n";
2319 print @fileholder;
2320 exit (0);
2321}
2322else
2323{
2324 my $zipname = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.zip";
2325 my $zippathname = "$zippath$zipname";
2326 $clientovpn = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.ovpn";
2327
2328###
7c1d9faf 2329# m.a.d net2net
ce9abb66
AH		 2330###
2331
c6c9630e 2332 open(CLIENTCONF, ">$tempdir/$clientovpn") or die "Unable to open tempfile: $!";
6e13d0a5
MT		 2333 flock CLIENTCONF, 2;
2334
2335 my $zip = Archive::Zip->new();
2336
8c877a82 2337 print CLIENTCONF "#OpenVPN Client conf\r\n";
6e13d0a5
MT		 2338 print CLIENTCONF "tls-client\r\n";
2339 print CLIENTCONF "client\r\n";
4f6e3ae3 2340 print CLIENTCONF "nobind\r\n";
79e7688b 2341 print CLIENTCONF "dev tun\r\n";
c6c9630e 2342 print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n";
d6989b4b 2343 print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n";
2ee746be 2344
6e13d0a5
MT		 2345 if ( $vpnsettings{'ENABLED'} eq 'on'){
2346 print CLIENTCONF "remote $vpnsettings{'VPN_IP'} $vpnsettings{'DDEST_PORT'}\r\n";
c6c9630e
MT		 2347 if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&haveBlueNet())){
2348 print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Blue interface\r\n";
2349 print CLIENTCONF ";remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
2350 }
2351 if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){
2352 print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Orange interface\r\n";
2353 print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
2354 }
2355 } elsif ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&haveBlueNet())){
2356 print CLIENTCONF "remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
2357 if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){
2358 print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Orange interface\r\n";
2359 print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
2360 }
2361 } elsif ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){
2362 print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
6e13d0a5
MT		 2363 }
2364
71af643c
MT		 2365 my $file_crt = new File::Temp( UNLINK => 1 );
2366 my $file_key = new File::Temp( UNLINK => 1 );
b22d8aaf 2367 my $include_certs = 0;
71af643c 2368
6e13d0a5 2369 if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") {
71af643c 2370 if ($cgiparams{'MODE'} eq 'insecure') {
b22d8aaf
MT		 2371 $include_certs = 1;
2372
71af643c 2373 # Add the CA
b22d8aaf 2374 print CLIENTCONF ";ca cacert.pem\r\n";
71af643c
MT		 2375 $zip->addFile("${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n";
2376
2377 # Extract the certificate
2feacd98 2378 # This system call is safe, because all arguments are passed as an array.
71af643c
MT		 2379 system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
2380 '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:');
2381 if ($?) {
2382 die "openssl error: $?";
2383 }
2384
2385 $zip->addFile("$file_crt", "$confighash{$cgiparams{'KEY'}}[1].pem") or die;
b22d8aaf 2386 print CLIENTCONF ";cert $confighash{$cgiparams{'KEY'}}[1].pem\r\n";
71af643c
MT		 2387
2388 # Extract the key
2feacd98 2389 # This system call is safe, because all arguments are passed as an array.
71af643c
MT		 2390 system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
2391 '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:');
2392 if ($?) {
2393 die "openssl error: $?";
2394 }
2395
2396 $zip->addFile("$file_key", "$confighash{$cgiparams{'KEY'}}[1].key") or die;
b22d8aaf 2397 print CLIENTCONF ";key $confighash{$cgiparams{'KEY'}}[1].key\r\n";
71af643c
MT		 2398 } else {
2399 print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
2400 $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
2401 }
6e13d0a5 2402 } else {
c6c9630e
MT		 2403 print CLIENTCONF "ca cacert.pem\r\n";
2404 print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n";
2405 print CLIENTCONF "key $confighash{$cgiparams{'KEY'}}[1].key\r\n";
2406 $zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n";
2407 $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n";
6e13d0a5
MT		 2408 }
2409 print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n";
49abe7af 2410 print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
86308adb 2411
49abe7af 2412 if ($vpnsettings{'TLSAUTH'} eq 'on') {
b22d8aaf
MT		 2413 if ($cgiparams{'MODE'} eq 'insecure') {
2414 print CLIENTCONF ";";
2415 }
4be45949
EK		 2416 print CLIENTCONF "tls-auth ta.key\r\n";
2417 $zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key") or die "Can't add file ta.key\n";
49abe7af 2418 }
6e13d0a5
MT		 2419 if ($vpnsettings{DCOMPLZO} eq 'on') {
2420 print CLIENTCONF "comp-lzo\r\n";
2421 }
2422 print CLIENTCONF "verb 3\r\n";
b66b02ab
EK		 2423 # Check host certificate if X509 is RFC3280 compliant.
2424 # If not, old --ns-cert-type directive will be used.
2425 # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
2feacd98
SS		 2426 my @hostcert = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
2427 if (! grep(/TLS Web Server Authentication/, @hostcert)) {
b66b02ab
EK		 2428 print CLIENTCONF "ns-cert-type server\r\n";
2429 } else {
2430 print CLIENTCONF "remote-cert-tls server\r\n";
2431 }
964700d4 2432 print CLIENTCONF "verify-x509-name $vpnsettings{ROOTCERT_HOSTNAME} name\r\n";
a79fa1d6
JPT		 2433 if ($vpnsettings{MSSFIX} eq 'on') {
2434 print CLIENTCONF "mssfix\r\n";
d6989b4b
MT		 2435 } else {
2436 print CLIENTCONF "mssfix 0\r\n";
a79fa1d6 2437 }
74225cce 2438 if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' ) {
a79fa1d6
JPT		 2439 print CLIENTCONF "fragment $vpnsettings{'FRAGMENT'}\r\n";
2440 }
1647059d 2441
b22d8aaf
MT		 2442 if ($include_certs) {
2443 print CLIENTCONF "\r\n";
2444
2445 # CA
2446 open(FILE, "<${General::swroot}/ovpn/ca/cacert.pem");
2447 print CLIENTCONF "<ca>\r\n";
2448 while (<FILE>) {
2449 chomp($_);
2450 print CLIENTCONF "$_\r\n";
2451 }
2452 print CLIENTCONF "</ca>\r\n\r\n";
2453 close(FILE);
2454
2455 # Cert
2456 open(FILE, "<$file_crt");
2457 print CLIENTCONF "<cert>\r\n";
2458 while (<FILE>) {
2459 chomp($_);
2460 print CLIENTCONF "$_\r\n";
2461 }
2462 print CLIENTCONF "</cert>\r\n\r\n";
2463 close(FILE);
2464
2465 # Key
2466 open(FILE, "<$file_key");
2467 print CLIENTCONF "<key>\r\n";
2468 while (<FILE>) {
2469 chomp($_);
2470 print CLIENTCONF "$_\r\n";
2471 }
2472 print CLIENTCONF "</key>\r\n\r\n";
2473 close(FILE);
2474
2475 # TLS auth
2476 if ($vpnsettings{'TLSAUTH'} eq 'on') {
2477 open(FILE, "<${General::swroot}/ovpn/certs/ta.key");
2478 print CLIENTCONF "<tls-auth>\r\n";
2479 while (<FILE>) {
2480 chomp($_);
2481 print CLIENTCONF "$_\r\n";
2482 }
2483 print CLIENTCONF "</tls-auth>\r\n\r\n";
2484 close(FILE);
2485 }
2486 }
2487
ffbe77c8
EK		 2488 # Print client.conf.local if entries exist to client.ovpn
2489 if (!-z $local_clientconf && $vpnsettings{'ADDITIONAL_CONFIGS'} eq 'on') {
2490 open (LCC, "$local_clientconf");
2491 print CLIENTCONF "\n#---------------------------\n";
2492 print CLIENTCONF "# Start of custom directives\n";
2493 print CLIENTCONF "# from client.conf.local\n";
2494 print CLIENTCONF "#---------------------------\n\n";
2495 while (<LCC>) {
2496 print CLIENTCONF $_;
2497 }
2498 print CLIENTCONF "\n#---------------------------\n";
2499 print CLIENTCONF "# End of custom directives\n";
2500 print CLIENTCONF "#---------------------------\n\n";
2501 close (LCC);
2502 }
6e13d0a5 2503 close(CLIENTCONF);
ce9abb66 2504
6e13d0a5
MT		 2505 $zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n";
2506 my $status = $zip->writeToFileNamed($zippathname);
2507
2508 open(DLFILE, "<$zippathname") or die "Unable to open $zippathname: $!";
2509 @fileholder = <DLFILE>;
2510 print "Content-Type:application/x-download\n";
2511 print "Content-Disposition:attachment;filename=$zipname\n\n";
2512 print @fileholder;
2513 exit (0);
ce9abb66
AH		 2514 }
2515
2516
2517
6e13d0a5
MT		 2518###
2519### Remove connection
2520###
ce9abb66
AH		 2521
2522
6e13d0a5 2523} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) {
323be7c4
AM		 2524 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
2525 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
c6c9630e 2526
323be7c4 2527 if ($confighash{$cgiparams{'KEY'}}) {
fde9c9dd 2528 # Revoke certificate if certificate was deleted and rewrite the CRL
274ca65b 2529 &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
2feacd98 2530 &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
ce9abb66
AH		 2531
2532###
7c1d9faf 2533# m.a.d net2net
ce9abb66 2534###
7c1d9faf 2535
323be7c4 2536 if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') {
1e499e90 2537 # Stop the N2N connection before it is removed
2feacd98 2538 &General::system("/usr/local/bin/openvpnctrl", "-kn2n", "$confighash{$cgiparams{'KEY'}}[1]");
1e499e90 2539
323be7c4
AM		 2540 my $conffile = glob("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]/$confighash{$cgiparams{'KEY'}}[1].conf");
2541 my $certfile = glob("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
2542 unlink ($certfile);
2543 unlink ($conffile);
8e6a8fd5 2544
323be7c4
AM		 2545 if (-e "${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") {
2546 rmdir ("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") || die "Kann Verzeichnis nicht loeschen: $!";
2547 }
323be7c4 2548 }
ce9abb66 2549
323be7c4
AM		 2550 unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
2551 unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
8c877a82
AM		 2552
2553# A.Marx CCD delete ccd files and routes
2554
323be7c4
AM		 2555 if (-f "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]")
2556 {
2557 unlink "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]";
8c877a82 2558 }
e81be1e1 2559
323be7c4
AM		 2560 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
2561 foreach my $key (keys %ccdroutehash) {
2562 if ($ccdroutehash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){
2563 delete $ccdroutehash{$key};
2564 }
8c877a82 2565 }
323be7c4 2566 &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
8c877a82 2567
323be7c4
AM		 2568 &General::readhasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
2569 foreach my $key (keys %ccdroute2hash) {
2570 if ($ccdroute2hash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){
2571 delete $ccdroute2hash{$key};
2572 }
2573 }
2574 &General::writehasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
2575 &writeserverconf;
8c877a82 2576
323be7c4
AM		 2577# CCD end
2578 # Update collectd configuration and delete all RRD files of the removed connection
2579 &writecollectdconf();
2feacd98 2580 &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]");
8c877a82 2581
323be7c4 2582 delete $confighash{$cgiparams{'KEY'}};
2feacd98 2583 &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
323be7c4
AM		 2584 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2585
2586 } else {
2587 $errormessage = $Lang::tr{'invalid key'};
2588 }
b2e75449 2589 &General::firewall_reload();
ce9abb66 2590
6e13d0a5
MT		 2591###
2592### Download PKCS12 file
2593###
2594} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download pkcs12 file'}) {
2595 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2596
2597 print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n";
2598 print "Content-Type: application/octet-stream\r\n\r\n";
2feacd98
SS		 2599
2600 open(FILE, "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
2601 my @tmp = <FILE>;
2602 close(FILE);
2603
2604 print "@tmp";
6e13d0a5
MT		 2605 exit (0);
2606
2607###
2608### Display certificate
2609###
2610} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show certificate'}) {
2611 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2612
2613 if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
c6c9630e 2614 &Header::showhttpheaders();
4c962356 2615 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
c6c9630e
MT		 2616 &Header::openbigbox('100%', 'LEFT', '', '');
2617 &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate'}:");
2feacd98
SS		 2618 my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
2619 @output = &Header::cleanhtml(@output,"y");
2620 print "<pre>@output</pre>\n";
c6c9630e
MT		 2621 &Header::closebox();
2622 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2623 &Header::closebigbox();
2624 &Header::closepage();
2625 exit(0);
6e13d0a5 2626 }
4c962356
EK		 2627
2628###
2629### Display Diffie-Hellman key
2630###
2631} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show dh'}) {
2632
2633 if (! -e "${General::swroot}/ovpn/ca/dh1024.pem") {
49abe7af 2634 $errormessage = $Lang::tr{'not present'};
4c962356
EK		 2635 } else {
2636 &Header::showhttpheaders();
2637 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
2638 &Header::openbigbox('100%', 'LEFT', '', '');
2639 &Header::openbox('100%', 'LEFT', "$Lang::tr{'dh'}:");
2feacd98
SS		 2640 my @output = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/dh1024.pem");
2641 @output = &Header::cleanhtml(@output,"y");
2642 print "<pre>@output</pre>\n";
4c962356
EK		 2643 &Header::closebox();
2644 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2645 &Header::closebigbox();
2646 &Header::closepage();
2647 exit(0);
2648 }
2649
fd5ccb2d
EK		 2650###
2651### Display tls-auth key
2652###
2653} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show tls-auth key'}) {
2654
2655 if (! -e "${General::swroot}/ovpn/certs/ta.key") {
2656 $errormessage = $Lang::tr{'not present'};
2657 } else {
2658 &Header::showhttpheaders();
2659 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
2660 &Header::openbigbox('100%', 'LEFT', '', '');
2661 &Header::openbox('100%', 'LEFT', "$Lang::tr{'ta key'}:");
2feacd98
SS		 2662
2663 open(FILE, "${General::swroot}/ovpn/certs/ta.key");
2664 my @output = <FILE>;
2665 close(FILE);
2666
2667 @output = &Header::cleanhtml(@output,"y");
2668 print "<pre>@output</pre>\n";
fd5ccb2d
EK		 2669 &Header::closebox();
2670 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2671 &Header::closebigbox();
2672 &Header::closepage();
2673 exit(0);
2674 }
2675
6e13d0a5
MT		 2676###
2677### Display Certificate Revoke List
2678###
2679} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show crl'}) {
c6c9630e
MT		 2680# &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2681
49abe7af
EK		 2682 if (! -e "${General::swroot}/ovpn/crls/cacrl.pem") {
2683 $errormessage = $Lang::tr{'not present'};
2684 } else {
b2e75449
MT		 2685 &Header::showhttpheaders();
2686 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
2687 &Header::openbigbox('100%', 'LEFT', '', '');
2688 &Header::openbox('100%', 'LEFT', "$Lang::tr{'crl'}:");
2feacd98
SS		 2689 my @output = &General::system_output("/usr/bin/openssl", "crl", "-text", "-noout", "-in", "${General::swroot}/ovpn/crls/cacrl.pem");
2690 @output = &Header::cleanhtml(@output,"y");
2691 print "<pre>@output</pre>\n";
b2e75449
MT		 2692 &Header::closebox();
2693 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2694 &Header::closebigbox();
2695 &Header::closepage();
2696 exit(0);
6e13d0a5
MT		 2697 }
2698
2699###
2700### Advanced Server Settings
2701###
2702
2703} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'advanced server'}) {
2704 %cgiparams = ();
2705 %cahash = ();
2706 %confighash = ();
8c877a82 2707 my $disabled;
6e13d0a5 2708 &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams);
54fd0535 2709 read_routepushfile;
8c877a82
AM		 2710
2711
c6c9630e
MT		 2712# if ($cgiparams{'CLIENT2CLIENT'} eq '') {
2713# $cgiparams{'CLIENT2CLIENT'} = 'on';
2714# }
6e13d0a5
MT		 2715ADV_ERROR:
2716 if ($cgiparams{'MAX_CLIENTS'} eq '') {
4c962356 2717 $cgiparams{'MAX_CLIENTS'} = '100';
6e13d0a5 2718 }
6e13d0a5 2719 if ($cgiparams{'KEEPALIVE_1'} eq '') {
4c962356 2720 $cgiparams{'KEEPALIVE_1'} = '10';
6e13d0a5
MT		 2721 }
2722 if ($cgiparams{'KEEPALIVE_2'} eq '') {
4c962356 2723 $cgiparams{'KEEPALIVE_2'} = '60';
6e13d0a5
MT		 2724 }
2725 if ($cgiparams{'LOG_VERB'} eq '') {
4c962356 2726 $cgiparams{'LOG_VERB'} = '3';
ae9f6139 2727 }
f527e53f 2728 if ($cgiparams{'TLSAUTH'} eq '') {
754066e6 2729 $cgiparams{'TLSAUTH'} = 'off';
f527e53f 2730 }
6e13d0a5
MT		 2731 $checked{'CLIENT2CLIENT'}{'off'} = '';
2732 $checked{'CLIENT2CLIENT'}{'on'} = '';
2733 $checked{'CLIENT2CLIENT'}{$cgiparams{'CLIENT2CLIENT'}} = 'CHECKED';
2734 $checked{'REDIRECT_GW_DEF1'}{'off'} = '';
2735 $checked{'REDIRECT_GW_DEF1'}{'on'} = '';
2736 $checked{'REDIRECT_GW_DEF1'}{$cgiparams{'REDIRECT_GW_DEF1'}} = 'CHECKED';
13389777
EK		 2737 $checked{'DCOMPLZO'}{'off'} = '';
2738 $checked{'DCOMPLZO'}{'on'} = '';
2739 $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED';
ffbe77c8
EK		 2740 $checked{'ADDITIONAL_CONFIGS'}{'off'} = '';
2741 $checked{'ADDITIONAL_CONFIGS'}{'on'} = '';
2742 $checked{'ADDITIONAL_CONFIGS'}{$cgiparams{'ADDITIONAL_CONFIGS'}} = 'CHECKED';
a79fa1d6
JPT		 2743 $checked{'MSSFIX'}{'off'} = '';
2744 $checked{'MSSFIX'}{'on'} = '';
2745 $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
49abe7af 2746 $selected{'LOG_VERB'}{'0'} = '';
6e13d0a5
MT		 2747 $selected{'LOG_VERB'}{'1'} = '';
2748 $selected{'LOG_VERB'}{'2'} = '';
2749 $selected{'LOG_VERB'}{'3'} = '';
2750 $selected{'LOG_VERB'}{'4'} = '';
2751 $selected{'LOG_VERB'}{'5'} = '';
2752 $selected{'LOG_VERB'}{'6'} = '';
2753 $selected{'LOG_VERB'}{'7'} = '';
2754 $selected{'LOG_VERB'}{'8'} = '';
2755 $selected{'LOG_VERB'}{'9'} = '';
2756 $selected{'LOG_VERB'}{'10'} = '';
2757 $selected{'LOG_VERB'}{'11'} = '';
6e13d0a5 2758 $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED';
f527e53f 2759
6e13d0a5
MT		 2760 &Header::showhttpheaders();
2761 &Header::openpage($Lang::tr{'status ovpn'}, 1, '');
2762 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
2763 if ($errormessage) {
c6c9630e
MT		 2764 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
2765 print "<class name='base'>$errormessage\n";
2766 print "&nbsp;</class>\n";
2767 &Header::closebox();
6e13d0a5
MT		 2768 }
2769 &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'});
4c962356 2770 print <<END;
b376fae4 2771 <form method='post' enctype='multipart/form-data'>
b2e75449 2772<table width='100%' border=0>
4c962356
EK		 2773 <tr>
2774 <td colspan='4'><b>$Lang::tr{'dhcp-options'}</b></td>
6e13d0a5
MT		 2775 </tr>
2776 <tr>
4c962356 2777 <td width='25%'></td> <td width='20%'> </td><td width='25%'> </td><td width='30%'></td>
6e13d0a5
MT		 2778 </tr>
2779 <tr>
4c962356 2780 <td class='base'>Domain</td>
8c877a82 2781 <td><input type='TEXT' name='DHCP_DOMAIN' value='$cgiparams{'DHCP_DOMAIN'}' size='30' /></td>
6e13d0a5
MT		 2782 </tr>
2783 <tr>
4c962356
EK		 2784 <td class='base'>DNS</td>
2785 <td><input type='TEXT' name='DHCP_DNS' value='$cgiparams{'DHCP_DNS'}' size='30' /></td>
6e13d0a5
MT		 2786 </tr>
2787 <tr>
4c962356
EK		 2788 <td class='base'>WINS</td>
2789 <td><input type='TEXT' name='DHCP_WINS' value='$cgiparams{'DHCP_WINS'}' size='30' /></td>
2790 </tr>
54fd0535 2791 <tr>
4c962356 2792 <td colspan='4'><b>$Lang::tr{'ovpn routes push options'}</b></td>
54fd0535
MT		 2793 </tr>
2794 <tr>
4c962356
EK		 2795 <td class='base'>$Lang::tr{'ovpn routes push'}</td>
2796 <td colspan='2'>
2797 <textarea name='ROUTES_PUSH' cols='26' rows='6' wrap='off'>
54fd0535
MT		 2798END
2799;
2800
2801if ($cgiparams{'ROUTES_PUSH'} ne '')
2802{
2803 print $cgiparams{'ROUTES_PUSH'};
2804}
2805
8c877a82 2806print <<END;
54fd0535
MT		 2807</textarea></td>
2808</tr>
6e13d0a5
MT		 2809 </tr>
2810</table>
2811<hr size='1'>
4c962356 2812<table width='100%'>
ffbe77c8 2813 <tr>
4c962356 2814 <td class'base'><b>$Lang::tr{'misc-options'}</b></td>
ffbe77c8
EK		 2815 </tr>
2816
2817 <tr>
d2de0a00 2818 <td width='20%'></td> <td width='15%'> </td><td width='35%'> </td><td width='20%'></td><td width='35%'></td>
ffbe77c8
EK		 2819 </tr>
2820
2821 <tr>
4c962356
EK		 2822 <td class='base'>Client-To-Client</td>
2823 <td><input type='checkbox' name='CLIENT2CLIENT' $checked{'CLIENT2CLIENT'}{'on'} /></td>
ffbe77c8
EK		 2824 </tr>
2825
2826 <tr>
4c962356
EK		 2827 <td class='base'>Redirect-Gateway def1</td>
2828 <td><input type='checkbox' name='REDIRECT_GW_DEF1' $checked{'REDIRECT_GW_DEF1'}{'on'} /></td>
ffbe77c8
EK		 2829 </tr>
2830
13389777
EK		 2831 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'}</td>
2832 <td><input type='checkbox' name='DCOMPLZO' $checked{'DCOMPLZO'}{'on'} /></td>
2833 <td>$Lang::tr{'openvpn default'}: off <font color='red'>($Lang::tr{'attention'} exploitable via Voracle)</font></td>
2834 </tr>
2835
4c962356 2836 <tr>
ffbe77c8
EK		 2837 <td class='base'>$Lang::tr{'ovpn add conf'}</td>
2838 <td><input type='checkbox' name='ADDITIONAL_CONFIGS' $checked{'ADDITIONAL_CONFIGS'}{'on'} /></td>
2839 <td>$Lang::tr{'openvpn default'}: off</td>
2840 </tr>
2841
2842 <tr>
2843 <td class='base'>mssfix</td>
2844 <td><input type='checkbox' name='MSSFIX' $checked{'MSSFIX'}{'on'} /></td>
2845 <td>$Lang::tr{'openvpn default'}: off</td>
2846 </tr>
2847
4c962356 2848 <tr>
ffbe77c8
EK		 2849 <td class='base'>fragment <br></td>
2850 <td><input type='TEXT' name='FRAGMENT' value='$cgiparams{'FRAGMENT'}' size='10' /></td>
2851 </tr>
2852
2853
2854 <tr>
2855 <td class='base'>Max-Clients</td>
2856 <td><input type='text' name='MAX_CLIENTS' value='$cgiparams{'MAX_CLIENTS'}' size='10' /></td>
2857 </tr>
2858 <tr>
2859 <td class='base'>Keepalive <br />
2860 (ping/ping-restart)</td>
2861 <td><input type='TEXT' name='KEEPALIVE_1' value='$cgiparams{'KEEPALIVE_1'}' size='10' /></td>
2862 <td><input type='TEXT' name='KEEPALIVE_2' value='$cgiparams{'KEEPALIVE_2'}' size='10' /></td>
2863 </tr>
a79fa1d6
JPT		 2864</table>
2865
a79fa1d6 2866<hr size='1'>
4c962356 2867<table width='100%'>
a79fa1d6 2868 <tr>
49abe7af 2869 <td class'base'><b>$Lang::tr{'log-options'}</b></td>
a79fa1d6
JPT		 2870 </tr>
2871 <tr>
49abe7af 2872 <td width='20%'></td> <td width='30%'> </td><td width='25%'> </td><td width='25%'></td>
4c962356
EK		 2873 </tr>
2874
2875 <tr><td class='base'>VERB</td>
2876 <td><select name='LOG_VERB'>
49abe7af
EK		 2877 <option value='0' $selected{'LOG_VERB'}{'0'}>0</option>
2878 <option value='1' $selected{'LOG_VERB'}{'1'}>1</option>
2879 <option value='2' $selected{'LOG_VERB'}{'2'}>2</option>
2880 <option value='3' $selected{'LOG_VERB'}{'3'}>3</option>
2881 <option value='4' $selected{'LOG_VERB'}{'4'}>4</option>
2882 <option value='5' $selected{'LOG_VERB'}{'5'}>5</option>
2883 <option value='6' $selected{'LOG_VERB'}{'6'}>6</option>
2884 <option value='7' $selected{'LOG_VERB'}{'7'}>7</option>
2885 <option value='8' $selected{'LOG_VERB'}{'8'}>8</option>
2886 <option value='9' $selected{'LOG_VERB'}{'9'}>9</option>
2887 <option value='10' $selected{'LOG_VERB'}{'10'}>10</option>
2888 <option value='11' $selected{'LOG_VERB'}{'11'}>11</option>
2889 </td></select>
2890 </table>
4c962356 2891
6e13d0a5 2892<hr size='1'>
8c877a82
AM		 2893END
2894
2895if ( -e "/var/run/openvpn.pid"){
2896print" <br><b><font color='#990000'>$Lang::tr{'attention'}:</b></font><br>
2897 $Lang::tr{'server restart'}<br><br>
2898 <hr>";
49abe7af 2899 print<<END;
52d08bcb
AM		 2900<table width='100%'>
2901<tr>
2902 <td>&nbsp;</td>
2903 <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-adv-options'}' disabled='disabled' /></td>
2904 <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td>
2905 <td>&nbsp;</td>
2906</tr>
2907</table>
2908</form>
2909END
2910;
2911
2912
2913}else{
8c877a82 2914
49abe7af 2915 print<<END;
6e13d0a5
MT		 2916<table width='100%'>
2917<tr>
2918 <td>&nbsp;</td>
2919 <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-adv-options'}' /></td>
2920 <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td>
2921 <td>&nbsp;</td>
2922</tr>
2923</table>
2924</form>
2925END
2926;
52d08bcb 2927}
6e13d0a5 2928 &Header::closebox();
c6c9630e 2929# print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
6e13d0a5
MT		 2930 &Header::closebigbox();
2931 &Header::closepage();
2932 exit(0);
2933
8c877a82
AM		 2934
2935# A.Marx CCD Add,delete or edit CCD net
2936
2937} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'ccd net'} ||
2938 $cgiparams{'ACTION'} eq $Lang::tr{'ccd add'} ||
2939 $cgiparams{'ACTION'} eq "kill" ||
2940 $cgiparams{'ACTION'} eq "edit" ||
2941 $cgiparams{'ACTION'} eq 'editsave'){
2942 &Header::showhttpheaders();
2943 &Header::openpage($Lang::tr{'ccd net'}, 1, '');
2944 &Header::openbigbox('100%', 'LEFT', '', '');
2945
2946 if ($cgiparams{'ACTION'} eq "kill"){
2947 &delccdnet($cgiparams{'net'});
2948 }
2949
2950 if ($cgiparams{'ACTION'} eq 'editsave'){
2951 my ($a,$b) =split (/\|/,$cgiparams{'ccdname'});
2952 if ( $a ne $b){ &modccdnet($a,$b);}
5068ac38
AM		 2953 $cgiparams{'ccdname'}='';
2954 $cgiparams{'ccdsubnet'}='';
8c877a82
AM		 2955 }
2956
2957 if ($cgiparams{'ACTION'} eq $Lang::tr{'ccd add'}) {
e2429e8d 2958 &addccdnet($cgiparams{'ccdname'},$cgiparams{'ccdsubnet'});
8c877a82
AM		 2959 }
2960 if ($errormessage) {
2961 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
2962 print "<class name='base'>$errormessage";
2963 print "&nbsp;</class>";
2964 &Header::closebox();
2965 }
2966if ($cgiparams{'ACTION'} eq "edit"){
2967
2968 &Header::openbox('100%', 'LEFT', $Lang::tr{'ccd modify'});
2969
49abe7af 2970 print <<END;
631b67b7 2971 <table width='100%' border='0'>
8c877a82
AM		 2972 <tr><form method='post'>
2973 <td width='10%' nowrap='nowrap'>$Lang::tr{'ccd name'}:</td><td><input type='TEXT' name='ccdname' value='$cgiparams{'ccdname'}' /></td>
a9fb14d0 2974 <td width='8%'>$Lang::tr{'ccd subnet'}:</td><td><input type='TEXT' name='ccdsubnet' value='$cgiparams{'ccdsubnet'}' readonly='readonly' /></td></tr>
8c877a82
AM		 2975 <tr><td colspan='4' align='right'><hr><input type='submit' value='$Lang::tr{'save'}' /><input type='hidden' name='ACTION' value='editsave'/>
2976 <input type='hidden' name='ccdname' value='$cgiparams{'ccdname'}'/><input type='submit' value='$Lang::tr{'cancel'}' />
2977 </td></tr>
2978 </table></form>
2979END
2980;
2981 &Header::closebox();
2982
2983 &Header::openbox('100%', 'LEFT',$Lang::tr{'ccd net'} );
49abe7af 2984 print <<END;
8c877a82
AM		 2985 <table width='100%' border='0' cellpadding='0' cellspacing='1'>
2986 <tr>
2987 <td class='boldbase' align='center'><b>$Lang::tr{'ccd name'}</td><td class='boldbase' align='center'><b>$Lang::tr{'network'}</td><td class='boldbase' width='15%' align='center'><b>$Lang::tr{'ccd used'}</td><td width='3%'></td><td width='3%'></td></tr>
2988END
2989;
2990}
2991else{
2992 if (! -e "/var/run/openvpn.pid"){
2993 &Header::openbox('100%', 'LEFT', $Lang::tr{'ccd add'});
49abe7af 2994 print <<END;
8c877a82
AM		 2995 <table width='100%' border='0'>
2996 <tr><form method='post'>
2997 <td colspan='4'>$Lang::tr{'ccd hint'}<br><br></td></tr>
2998 <tr>
2999 <td width='10%' nowrap='nwrap'>$Lang::tr{'ccd name'}:</td><td><input type='TEXT' name='ccdname' value='$cgiparams{'ccdname'}' /></td>
3000 <td width='8%'>$Lang::tr{'ccd subnet'}:</td><td><input type='TEXT' name='ccdsubnet' value='$cgiparams{'ccdsubnet'}' /></td></tr>
3001 <tr><td colspan=4><hr /></td></tr><tr>
3002 <td colspan='4' align='right'><input type='hidden' name='ACTION' value='$Lang::tr{'ccd add'}' /><input type='submit' value='$Lang::tr{'add'}' /><input type='hidden' name='DOVPN_SUBNET' value='$cgiparams{'DOVPN_SUBNET'}'/></td></tr>
3003 </table></form>
3004END
3005
3006 &Header::closebox();
3007}
3008 &Header::openbox('100%', 'LEFT',$Lang::tr{'ccd net'} );
5068ac38
AM		 3009 if ( -e "/var/run/openvpn.pid"){
3010 print "<b>$Lang::tr{'attention'}:</b><br>";
3011 print "$Lang::tr{'ccd noaddnet'}<br><hr>";
3012 }
3013
4c962356 3014 print <<END;
99bfa85c 3015 <table width='100%' cellpadding='0' cellspacing='1'>
8c877a82
AM		 3016 <tr>
3017 <td class='boldbase' align='center' nowrap='nowrap' width='20%'><b>$Lang::tr{'ccd name'}</td><td class='boldbase' align='center' width='8%'><b>$Lang::tr{'network'}</td><td class='boldbase' width='8%' align='center' nowrap='nowrap'><b>$Lang::tr{'ccd used'}</td><td width='1%' align='center'></td><td width='1%' align='center'></td></tr>
3018END
3019;
3020}
3021 my %ccdconfhash=();
3022 &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
3023 my @ccdconf=();
3024 my $count=0;
df9b48b7 3025 foreach my $key (sort { uc($ccdconfhash{$a}[0]) cmp uc($ccdconfhash{$b}[0]) } keys %ccdconfhash) {
8c877a82
AM		 3026 @ccdconf=($ccdconfhash{$key}[0],$ccdconfhash{$key}[1]);
3027 $count++;
3028 my $ccdhosts = &hostsinnet($ccdconf[0]);
3029 if ($count % 2){ print" <tr bgcolor='$color{'color22'}'>";}
3030 else{ print" <tr bgcolor='$color{'color20'}'>";}
3031 print"<td>$ccdconf[0]</td><td align='center'>$ccdconf[1]</td><td align='center'>$ccdhosts/".(&ccdmaxclients($ccdconf[1])+1)."</td><td>";
4c962356 3032 print <<END;
8c877a82 3033 <form method='post' />
1638682b 3034 <input type='image' src='/images/edit.gif' align='middle' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' />
8c877a82
AM		 3035 <input type='hidden' name='ACTION' value='edit'/>
3036 <input type='hidden' name='ccdname' value='$ccdconf[0]' />
3037 <input type='hidden' name='ccdsubnet' value='$ccdconf[1]' />
3038 </form></td>
3039 <form method='post' />
3040 <td><input type='hidden' name='ACTION' value='kill'/>
3041 <input type='hidden' name='number' value='$count' />
3042 <input type='hidden' name='net' value='$ccdconf[0]' />
1638682b 3043 <input type='image' src='/images/delete.gif' align='middle' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' /></form></td></tr>
8c877a82
AM		 3044END
3045;
3046 }
3047 print "</table></form>";
3048 &Header::closebox();
3049 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
3050 &Header::closebigbox();
3051 &Header::closepage();
3052 exit(0);
3053
3054#END CCD
3055
6e13d0a5
MT		 3056###
3057### Openvpn Connections Statistics
3058###
3059} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'ovpn con stat'}) {
3060 &Header::showhttpheaders();
3061 &Header::openpage($Lang::tr{'ovpn con stat'}, 1, '');
3062 &Header::openbigbox('100%', 'LEFT', '', '');
3063 &Header::openbox('100%', 'LEFT', $Lang::tr{'ovpn con stat'});
3064
3065#
3066# <td><b>$Lang::tr{'protocol'}</b></td>
3067# protocol temp removed
4c962356 3068 print <<END;
99bfa85c 3069 <table width='100%' cellpadding='2' cellspacing='0' class='tbl'>
6e13d0a5 3070 <tr>
99bfa85c
AM		 3071 <th><b>$Lang::tr{'common name'}</b></th>
3072 <th><b>$Lang::tr{'real address'}</b></th>
d8ef6a95 3073 <th><b>$Lang::tr{'country'}</b></th>
99bfa85c
AM		 3074 <th><b>$Lang::tr{'virtual address'}</b></th>
3075 <th><b>$Lang::tr{'loged in at'}</b></th>
3076 <th><b>$Lang::tr{'bytes sent'}</b></th>
3077 <th><b>$Lang::tr{'bytes received'}</b></th>
3078 <th><b>$Lang::tr{'last activity'}</b></th>
6e13d0a5
MT		 3079 </tr>
3080END
3081;
87fe47e9 3082 my $filename = "/var/run/ovpnserver.log";
6e13d0a5
MT		 3083 open(FILE, $filename) or die 'Unable to open config file.';
3084 my @current = <FILE>;
3085 close(FILE);
3086 my @users =();
3087 my $status;
3088 my $uid = 0;
3089 my $cn;
3090 my @match = ();
3091 my $proto = "udp";
3092 my $address;
3093 my %userlookup = ();
3094 foreach my $line (@current)
3095 {
3096 chomp($line);
3097 if ( $line =~ /^Updated,(.+)/){
3098 @match = split( /^Updated,(.+)/, $line);
3099 $status = $match[1];
3100 }
c6c9630e 3101#gian
6e13d0a5
MT		 3102 if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) {
3103 @match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line);
3104 if ($match[1] ne "Common Name") {
3105 $cn = $match[1];
3106 $userlookup{$match[2]} = $uid;
3107 $users[$uid]{'CommonName'} = $match[1];
3108 $users[$uid]{'RealAddress'} = $match[2];
c6c9630e
MT		 3109 $users[$uid]{'BytesReceived'} = &sizeformat($match[3]);
3110 $users[$uid]{'BytesSent'} = &sizeformat($match[4]);
6e13d0a5
MT		 3111 $users[$uid]{'Since'} = $match[5];
3112 $users[$uid]{'Proto'} = $proto;
d8ef6a95
PM		 3113
3114 # get country code for "RealAddress"...
07e42be9 3115 my $ccode = &Location::Functions::lookup_country_code((split ':', $users[$uid]{'RealAddress'})[0]);
e2e270e1 3116 my $flag_icon = &Location::Functions::get_flag_icon($ccode);
d8ef6a95 3117 $users[$uid]{'Country'} = "<a href='country.cgi#$ccode'><img src='$flag_icon' border='0' align='absmiddle' alt='$ccode' title='$ccode' /></a>";
6e13d0a5
MT		 3118 $uid++;
3119 }
3120 }
3121 if ( $line =~ /^(\d+\.\d+\.\d+\.\d+),(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(.+)/) {
3122 @match = split(m/^(\d+\.\d+\.\d+\.\d+),(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(.+)/, $line);
3123 if ($match[1] ne "Virtual Address") {
3124 $address = $match[3];
3125 #find the uid in the lookup table
3126 $uid = $userlookup{$address};
3127 $users[$uid]{'VirtualAddress'} = $match[1];
3128 $users[$uid]{'LastRef'} = $match[4];
3129 }
3130 }
3131 }
3132 my $user2 = @users;
3133 if ($user2 >= 1){
99bfa85c 3134 for (my $idx = 1; $idx <= $user2; $idx++){
6e13d0a5 3135 if ($idx % 2) {
99bfa85c
AM		 3136 print "<tr>";
3137 $col="bgcolor='$color{'color22'}'";
3138 } else {
3139 print "<tr>";
3140 $col="bgcolor='$color{'color20'}'";
6e13d0a5 3141 }
99bfa85c
AM		 3142 print "<td align='left' $col>$users[$idx-1]{'CommonName'}</td>";
3143 print "<td align='left' $col>$users[$idx-1]{'RealAddress'}</td>";
d8ef6a95
PM		 3144 print "<td align='center' $col>$users[$idx-1]{'Country'}</td>";
3145 print "<td align='center' $col>$users[$idx-1]{'VirtualAddress'}</td>";
99bfa85c
AM		 3146 print "<td align='left' $col>$users[$idx-1]{'Since'}</td>";
3147 print "<td align='left' $col>$users[$idx-1]{'BytesSent'}</td>";
3148 print "<td align='left' $col>$users[$idx-1]{'BytesReceived'}</td>";
3149 print "<td align='left' $col>$users[$idx-1]{'LastRef'}</td>";
3150 }
3151 }
6e13d0a5
MT		 3152
3153 print "</table>";
49abe7af 3154 print <<END;
6e13d0a5
MT		 3155 <table width='100%' border='0' cellpadding='2' cellspacing='0'>
3156 <tr><td></td></tr>
3157 <tr><td></td></tr>
3158 <tr><td></td></tr>
3159 <tr><td></td></tr>
3160 <tr><td align='center' >$Lang::tr{'the statistics were last updated at'} <b>$status</b></td></tr>
3161 </table>
3162END
3163;
3164 &Header::closebox();
3165 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
3166 &Header::closebigbox();
3167 &Header::closepage();
3168 exit(0);
3169
3170###
3171### Download Certificate
3172###
3173} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download certificate'}) {
3174 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
c6c9630e 3175
6e13d0a5 3176 if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
c6c9630e
MT		 3177 print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\r\n";
3178 print "Content-Type: application/octet-stream\r\n\r\n";
2feacd98
SS		 3179
3180 open(FILE, "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
3181 my @tmp = <FILE>;
3182 close(FILE);
3183
3184 print "@tmp";
c6c9630e
MT		 3185 exit (0);
3186 }
3187
3188###
3189### Enable/Disable connection
3190###
ce9abb66 3191
c6c9630e
MT		 3192} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {
3193
3194 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
3195 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3196
3197 if ($confighash{$cgiparams{'KEY'}}) {
ce9abb66 3198 if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') {
c6c9630e
MT		 3199 $confighash{$cgiparams{'KEY'}}[0] = 'on';
3200 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3201 #&writeserverconf();
3202# if ($vpnsettings{'ENABLED'} eq 'on' ||
3203# $vpnsettings{'ENABLED_BLUE'} eq 'on') {
3204# system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
3205# }
3206 } else {
3207 $confighash{$cgiparams{'KEY'}}[0] = 'off';
3208# if ($vpnsettings{'ENABLED'} eq 'on' ||
3209# $vpnsettings{'ENABLED_BLUE'} eq 'on') {
3210# system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});
3211# }
3212 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3213 #&writeserverconf();
3214 }
3215 } else {
3216 $errormessage = $Lang::tr{'invalid key'};
6e13d0a5
MT		 3217 }
3218
3219###
3220### Restart connection
3221###
3222} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'restart'}) {
3223 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
3224 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3225
3226 if ($confighash{$cgiparams{'KEY'}}) {
c6c9630e
MT		 3227# if ($vpnsettings{'ENABLED'} eq 'on' ||
3228# $vpnsettings{'ENABLED_BLUE'} eq 'on') {
3229# system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
3230# }
6e13d0a5 3231 } else {
c6c9630e 3232 $errormessage = $Lang::tr{'invalid key'};
6e13d0a5
MT		 3233 }
3234
ce9abb66 3235###
7c1d9faf 3236# m.a.d net2net
ce9abb66
AH		 3237###
3238
3239} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'add'} && $cgiparams{'TYPE'} eq '') {
3240 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
3241 &Header::showhttpheaders();
4c962356 3242 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
ce9abb66
AH		 3243 &Header::openbigbox('100%', 'LEFT', '', '');
3244 &Header::openbox('100%', 'LEFT', $Lang::tr{'connection type'});
b278daf3
AH		 3245
3246if ( -s "${General::swroot}/ovpn/settings") {
3247
49abe7af 3248 print <<END;
ce9abb66 3249 <b>$Lang::tr{'connection type'}:</b><br />
8c877a82 3250 <table border='0' width='100%'><form method='post' ENCTYPE="multipart/form-data">
ce9abb66
AH		 3251 <tr><td><input type='radio' name='TYPE' value='host' checked /></td>
3252 <td class='base'>$Lang::tr{'host to net vpn'}</td></tr>
3253 <tr><td><input type='radio' name='TYPE' value='net' /></td>
3254 <td class='base'>$Lang::tr{'net to net vpn'}</td></tr>
3255 <tr><td><input type='radio' name='TYPE' value='net2net' /></td>
3256 <td class='base'>$Lang::tr{'net to net vpn'} (Upload Client Package)</td></tr>
3257 <tr><td>&nbsp;</td><td class='base'><input type='file' name='FH' size='30'></td></tr>
e3edceeb 3258 <tr><td>&nbsp;</td><td>Import Connection Name</td></tr>
040b8b0c 3259 <tr><td>&nbsp;</td><td class='base'><input type='text' name='n2nname' size='30'>$Lang::tr{'openvpn default'}: Client Packagename</td></tr>
54fd0535 3260 <tr><td colspan='3'><hr /></td></tr>
8c877a82 3261 <tr><td align='right' colspan='3'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td></tr>
ce9abb66
AH		 3262 </form></table>
3263END
3264 ;
8c877a82 3265
ce9abb66 3266
b278daf3 3267} else {
49abe7af 3268 print <<END;
b278daf3 3269 <b>$Lang::tr{'connection type'}:</b><br />
8c877a82 3270 <table border='0' width='100%'><form method='post' ENCTYPE="multipart/form-data">
b278daf3 3271 <tr><td><input type='radio' name='TYPE' value='host' checked /></td> <td class='base'>$Lang::tr{'host to net vpn'}</td></tr>
8c877a82 3272 <tr><td align='right' colspan'3'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td></tr>
b278daf3
AH		 3273 </form></table>
3274END
3275 ;
3276
3277}
3278
ce9abb66 3279 &Header::closebox();
4c962356 3280 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
ce9abb66
AH		 3281 &Header::closebigbox();
3282 &Header::closepage();
3283 exit (0);
3284
3285###
7c1d9faf 3286# m.a.d net2net
ce9abb66
AH		 3287###
3288
3289} elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) && ($cgiparams{'TYPE'} eq 'net2net')){
3290
3291 my @firen2nconf;
3292 my @confdetails;
3293 my $uplconffilename ='';
54fd0535 3294 my $uplconffilename2 ='';
ce9abb66 3295 my $uplp12name = '';
54fd0535 3296 my $uplp12name2 = '';
ce9abb66
AH		 3297 my @rem_subnet;
3298 my @rem_subnet2;
3299 my @tmposupnet3;
3300 my $key;
54fd0535 3301 my @n2nname;
ce9abb66
AH		 3302
3303 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3304
2ad1b18b
MT		 3305 # Check if a file is uploaded
3306 unless (ref ($cgiparams{'FH'})) {
ce9abb66
AH		 3307 $errormessage = $Lang::tr{'there was no file upload'};
3308 goto N2N_ERROR;
3309 }
3310
3311# Move uploaded IPfire n2n package to temporary file
3312
3313 (my $fh, my $filename) = tempfile( );
3314 if (copy ($cgiparams{'FH'}, $fh) != 1) {
3315 $errormessage = $!;
3316 goto N2N_ERROR;
3317 }
3318
3319 my $zip = Archive::Zip->new();
3320 my $zipName = $filename;
3321 my $status = $zip->read( $zipName );
3322 if ($status != AZ_OK) {
3323 $errormessage = "Read of $zipName failed\n";
3324 goto N2N_ERROR;
3325 }
3326
3327 my $tempdir = tempdir( CLEANUP => 1 );
3328 my @files = $zip->memberNames();
3329 for(@files) {
3330 $zip->extractMemberWithoutPaths($_,"$tempdir/$_");
3331 }
3332 my $countfiles = @files;
3333
3334# Check if we have not more then 2 files
3335
3336 if ( $countfiles == 2){
3337 foreach (@files){
3338 if ( $_ =~ /.conf$/){
3339 $uplconffilename = $_;
3340 }
3341 if ( $_ =~ /.p12$/){
3342 $uplp12name = $_;
3343 }
3344 }
3345 if (($uplconffilename eq '') || ($uplp12name eq '')){
3346 $errormessage = "Either no *.conf or no *.p12 file found\n";
3347 goto N2N_ERROR;
3348 }
3349
3350 open(FILE, "$tempdir/$uplconffilename") or die 'Unable to open*.conf file';
3351 @firen2nconf = <FILE>;
3352 close (FILE);
3353 chomp(@firen2nconf);
ce9abb66
AH		 3354 } else {
3355
3356 $errormessage = "Filecount does not match only 2 files are allowed\n";
3357 goto N2N_ERROR;
3358 }
3359
7c1d9faf
AH		 3360###
3361# m.a.d net2net
ce9abb66 3362###
54fd0535
MT		 3363
3364 if ($cgiparams{'n2nname'} ne ''){
3365
3366 $uplconffilename2 = "$cgiparams{'n2nname'}.conf";
3367 $uplp12name2 = "$cgiparams{'n2nname'}.p12";
3368 $n2nname[0] = $cgiparams{'n2nname'};
3369 my @n2nname2 = split(/\./,$uplconffilename);
3370 $n2nname2[0] =~ s/\n|\r//g;
3371 my $input1 = "${General::swroot}/ovpn/certs/$uplp12name";
3372 my $output1 = "${General::swroot}/ovpn/certs/$uplp12name2";
3373 my $input2 = "$n2nname2[0]n2n";
3374 my $output2 = "$n2nname[0]n2n";
3375 my $filename = "$tempdir/$uplconffilename";
3376 open(FILE, "< $filename") or die 'Unable to open config file.';
3377 my @current = <FILE>;
3378 close(FILE);
3379 foreach (@current) {s/$input1/$output1/g;}
3380 foreach (@current) {s/$input2/$output2/g;}
3381 open (OUT, "> $filename") || die 'Unable to open config file.';
3382 print OUT @current;
3383 close OUT;
ce9abb66 3384
54fd0535
MT		 3385 }else{
3386 $uplconffilename2 = $uplconffilename;
3387 $uplp12name2 = $uplp12name;
3388 @n2nname = split(/\./,$uplconffilename);
ce9abb66 3389 $n2nname[0] =~ s/\n|\r//g;
54fd0535 3390 }
7c1d9faf
AH		 3391 unless(-d "${General::swroot}/ovpn/n2nconf/"){mkdir "${General::swroot}/ovpn/n2nconf", 0755 or die "Unable to create dir $!";}
3392 unless(-d "${General::swroot}/ovpn/n2nconf/$n2nname[0]"){mkdir "${General::swroot}/ovpn/n2nconf/$n2nname[0]", 0770 or die "Unable to create dir $!";}
ce9abb66 3393
7dfcaef0
AM		 3394 #Add collectd settings to configfile
3395 open(FILE, ">> $tempdir/$uplconffilename") or die 'Unable to open config file.';
3396 print FILE "# Logfile\n";
3397 print FILE "status-version 1\n";
3398 print FILE "status /var/run/openvpn/$n2nname[0]-n2n 10\n";
3399 close FILE;
3400
54fd0535 3401 move("$tempdir/$uplconffilename", "${General::swroot}/ovpn/n2nconf/$n2nname[0]/$uplconffilename2");
ce9abb66
AH		 3402
3403 if ($? ne 0) {
3404 $errormessage = "*.conf move failed: $!";
3405 unlink ($filename);
3406 goto N2N_ERROR;
3407 }
3408
54fd0535 3409 move("$tempdir/$uplp12name", "${General::swroot}/ovpn/certs/$uplp12name2");
b278daf3
AH		 3410 chmod 0600, "${General::swroot}/ovpn/certs/$uplp12name";
3411
ce9abb66
AH		 3412 if ($? ne 0) {
3413 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
3414 unlink ($filename);
3415 goto N2N_ERROR;
3416 }
3417
3418my $complzoactive;
d96c89eb 3419my $mssfixactive;
4c962356 3420my $authactive;
d96c89eb 3421my $n2nfragment;
60f396d7 3422my @n2nproto2 = split(/ /, (grep { /^proto/ } @firen2nconf)[0]);
54fd0535 3423my @n2nproto = split(/-/, $n2nproto2[1]);
ce9abb66
AH		 3424my @n2nport = split(/ /, (grep { /^port/ } @firen2nconf)[0]);
3425my @n2ntunmtu = split(/ /, (grep { /^tun-mtu/ } @firen2nconf)[0]);
3426my @n2ncomplzo = grep { /^comp-lzo/ } @firen2nconf;
3427if ($n2ncomplzo[0] =~ /comp-lzo/){$complzoactive = "on";} else {$complzoactive = "off";}
d96c89eb
AH		 3428my @n2nmssfix = grep { /^mssfix/ } @firen2nconf;
3429if ($n2nmssfix[0] =~ /mssfix/){$mssfixactive = "on";} else {$mssfixactive = "off";}
54fd0535 3430#my @n2nmssfix = split(/ /, (grep { /^mssfix/ } @firen2nconf)[0]);
d96c89eb 3431my @n2nfragment = split(/ /, (grep { /^fragment/ } @firen2nconf)[0]);
ce9abb66
AH		 3432my @n2nremote = split(/ /, (grep { /^remote/ } @firen2nconf)[0]);
3433my @n2novpnsuball = split(/ /, (grep { /^ifconfig/ } @firen2nconf)[0]);
3434my @n2novpnsub = split(/\./,$n2novpnsuball[1]);
3435my @n2nremsub = split(/ /, (grep { /^route/ } @firen2nconf)[0]);
54fd0535 3436my @n2nmgmt = split(/ /, (grep { /^management/ } @firen2nconf)[0]);
ce9abb66 3437my @n2nlocalsub = split(/ /, (grep { /^# remsub/ } @firen2nconf)[0]);
4c962356 3438my @n2ncipher = split(/ /, (grep { /^cipher/ } @firen2nconf)[0]);
f527e53f 3439my @n2nauth = split(/ /, (grep { /^auth/ } @firen2nconf)[0]);;
60f396d7 3440
ce9abb66
AH		 3441###
3442# m.a.d delete CR and LF from arrays for this chomp doesnt work
3443###
3444
ce9abb66 3445$n2nremote[1] =~ s/\n|\r//g;
ce9abb66
AH		 3446$n2novpnsub[0] =~ s/\n|\r//g;
3447$n2novpnsub[1] =~ s/\n|\r//g;
3448$n2novpnsub[2] =~ s/\n|\r//g;
60f396d7 3449$n2nproto[0] =~ s/\n|\r//g;
ce9abb66
AH		 3450$n2nport[1] =~ s/\n|\r//g;
3451$n2ntunmtu[1] =~ s/\n|\r//g;
3452$n2nremsub[1] =~ s/\n|\r//g;
b278daf3 3453$n2nremsub[2] =~ s/\n|\r//g;
ce9abb66 3454$n2nlocalsub[2] =~ s/\n|\r//g;
d96c89eb 3455$n2nfragment[1] =~ s/\n|\r//g;
54fd0535 3456$n2nmgmt[2] =~ s/\n|\r//g;
4c962356
EK		 3457$n2ncipher[1] =~ s/\n|\r//g;
3458$n2nauth[1] =~ s/\n|\r//g;
ce9abb66 3459chomp ($complzoactive);
d96c89eb 3460chomp ($mssfixactive);
ce9abb66
AH		 3461
3462###
7c1d9faf 3463# m.a.d net2net
ce9abb66
AH		 3464###
3465
3466###
3467# Check if there is no other entry with this name
3468###
3469
3470 foreach my $dkey (keys %confighash) {
3471 if ($confighash{$dkey}[1] eq $n2nname[0]) {
3472 $errormessage = $Lang::tr{'a connection with this name already exists'};
b278daf3
AH		 3473 unlink ("${General::swroot}/ovpn/n2nconf/$n2nname[0]/$n2nname[0].conf") or die "Removing Configfile fail: $!";
3474 unlink ("${General::swroot}/ovpn/certs/$n2nname[0].p12") or die "Removing Certfile fail: $!";
3475 rmdir ("${General::swroot}/ovpn/n2nconf/$n2nname[0]") || die "Removing Directory fail: $!";
ce9abb66
AH		 3476 goto N2N_ERROR;
3477 }
3478 }
3479
d96c89eb
AH		 3480###
3481# Check if OpenVPN Subnet is valid
3482###
3483
3484foreach my $dkey (keys %confighash) {
3485 if ($confighash{$dkey}[27] eq "$n2novpnsub[0].$n2novpnsub[1].$n2novpnsub[2].0/255.255.255.0") {
3486 $errormessage = 'The OpenVPN Subnet is already in use';
b278daf3
AH		 3487 unlink ("${General::swroot}/ovpn/n2nconf/$n2nname[0]/$n2nname[0].conf") or die "Removing Configfile fail: $!";
3488 unlink ("${General::swroot}/ovpn/certs/$n2nname[0].p12") or die "Removing Certfile fail: $!";
3489 rmdir ("${General::swroot}/ovpn/n2nconf/$n2nname[0]") || die "Removing Directory fail: $!";
d96c89eb
AH		 3490 goto N2N_ERROR;
3491 }
3492 }
3493
3494###
4c962356 3495# Check if Dest Port is vaild
d96c89eb
AH		 3496###
3497
3498foreach my $dkey (keys %confighash) {
3499 if ($confighash{$dkey}[29] eq $n2nport[1] ) {
3500 $errormessage = 'The OpenVPN Port is already in use';
b278daf3
AH		 3501 unlink ("${General::swroot}/ovpn/n2nconf/$n2nname[0]/$n2nname[0].conf") or die "Removing Configfile fail: $!";
3502 unlink ("${General::swroot}/ovpn/certs/$n2nname[0].p12") or die "Removing Certfile fail: $!";
3503 rmdir ("${General::swroot}/ovpn/n2nconf/$n2nname[0]") || die "Removing Directory fail: $!";
d96c89eb
AH		 3504 goto N2N_ERROR;
3505 }
3506 }
3507
3508
3509
ce9abb66
AH		 3510 $key = &General::findhasharraykey (\%confighash);
3511
49abe7af 3512 foreach my $i (0 .. 42) { $confighash{$key}[$i] = "";}
350f2980 3513
ce9abb66
AH		 3514 $confighash{$key}[0] = 'off';
3515 $confighash{$key}[1] = $n2nname[0];
350f2980 3516 $confighash{$key}[2] = $n2nname[0];
ce9abb66
AH		 3517 $confighash{$key}[3] = 'net';
3518 $confighash{$key}[4] = 'cert';
3519 $confighash{$key}[6] = 'client';
3520 $confighash{$key}[8] = $n2nlocalsub[2];
350f2980
SS		 3521 $confighash{$key}[10] = $n2nremote[1];
3522 $confighash{$key}[11] = "$n2nremsub[1]/$n2nremsub[2]";
54fd0535 3523 $confighash{$key}[22] = $n2nmgmt[2];
350f2980 3524 $confighash{$key}[23] = $mssfixactive;
d96c89eb 3525 $confighash{$key}[24] = $n2nfragment[1];
350f2980 3526 $confighash{$key}[25] = 'IPFire n2n Client';
ce9abb66 3527 $confighash{$key}[26] = 'red';
350f2980
SS		 3528 $confighash{$key}[27] = "$n2novpnsub[0].$n2novpnsub[1].$n2novpnsub[2].0/255.255.255.0";
3529 $confighash{$key}[28] = $n2nproto[0];
3530 $confighash{$key}[29] = $n2nport[1];
3531 $confighash{$key}[30] = $complzoactive;
3532 $confighash{$key}[31] = $n2ntunmtu[1];
4c962356
EK		 3533 $confighash{$key}[39] = $n2nauth[1];
3534 $confighash{$key}[40] = $n2ncipher[1];
49abe7af 3535 $confighash{$key}[41] = 'disabled';
ce9abb66
AH		 3536
3537 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
d96c89eb 3538
ce9abb66
AH		 3539 N2N_ERROR:
3540
3541 &Header::showhttpheaders();
3542 &Header::openpage('Validate imported configuration', 1, '');
3543 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
3544 if ($errormessage) {
3545 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
3546 print "<class name='base'>$errormessage";
3547 print "&nbsp;</class>";
3548 &Header::closebox();
3549
3550 } else
3551 {
3552 &Header::openbox('100%', 'LEFT', 'import ipfire net2net config');
3553 }
3554 if ($errormessage eq ''){
49abe7af 3555 print <<END;
ce9abb66
AH		 3556 <!-- ipfire net2net config gui -->
3557 <table width='100%'>
3558 <tr><td width='25%'>&nbsp;</td><td width='25%'>&nbsp;</td></tr>
3559 <tr><td class='boldbase'>$Lang::tr{'name'}:</td><td><b>$n2nname[0]</b></td></tr>
3560 <tr><td>&nbsp;</td><td>&nbsp;</td></tr>
3561 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'Act as'}</td><td><b>$confighash{$key}[6]</b></td></tr>
3562 <tr><td class='boldbase' nowrap='nowrap'>Remote Host </td><td><b>$confighash{$key}[10]</b></td></tr>
3563 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'local subnet'}</td><td><b>$confighash{$key}[8]</b></td></tr>
4c962356 3564 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'remote subnet'}:</td><td><b>$confighash{$key}[11]</b></td></tr>
ce9abb66
AH		 3565 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn subnet'}</td><td><b>$confighash{$key}[27]</b></td></tr>
3566 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'protocol'}</td><td><b>$confighash{$key}[28]</b></td></tr>
3567 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'destination port'}:</td><td><b>$confighash{$key}[29]</b></td></tr>
3568 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'}</td><td><b>$confighash{$key}[30]</b></td></tr>
4c962356
EK		 3569 <tr><td class='boldbase' nowrap='nowrap'>MSSFIX:</td><td><b>$confighash{$key}[23]</b></td></tr>
3570 <tr><td class='boldbase' nowrap='nowrap'>Fragment:</td><td><b>$confighash{$key}[24]</b></td></tr>
ce9abb66 3571 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'MTU'}</td><td><b>$confighash{$key}[31]</b></td></tr>
54fd0535 3572 <tr><td class='boldbase' nowrap='nowrap'>Management Port </td><td><b>$confighash{$key}[22]</b></td></tr>
0c4ffc69 3573 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn tls auth'}:</td><td><b>$confighash{$key}[39]</b></td></tr>
4c962356 3574 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td><td><b>$confighash{$key}[40]</b></td></tr>
ce9abb66
AH		 3575 <tr><td>&nbsp;</td><td>&nbsp;</td></tr>
3576 </table>
3577END
3578;
3579 &Header::closebox();
3580 }
3581
3582 if ($errormessage) {
3583 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
3584 } else {
3585 print "<div align='center'><form method='post' ENCTYPE='multipart/form-data'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' />";
3586 print "<input type='hidden' name='TYPE' value='net2netakn' />";
3587 print "<input type='hidden' name='KEY' value='$key' />";
3588 print "<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></div></form>";
3589 }
3590 &Header::closebigbox();
3591 &Header::closepage();
4c962356 3592 exit(0);
ce9abb66
AH		 3593
3594
3595##
3596### Accept IPFire n2n Package Settings
3597###
3598
3599 } elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) && ($cgiparams{'TYPE'} eq 'net2netakn')){
3600
3601###
3602### Discard and Rollback IPFire n2n Package Settings
3603###
3604
3605 } elsif (($cgiparams{'ACTION'} eq $Lang::tr{'cancel'}) && ($cgiparams{'TYPE'} eq 'net2netakn')){
3606
3607 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3608
3609if ($confighash{$cgiparams{'KEY'}}) {
3610
3611 my $conffile = glob("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]/$confighash{$cgiparams{'KEY'}}[1].conf");
3612 my $certfile = glob("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
3613 unlink ($certfile) or die "Removing $certfile fail: $!";
3614 unlink ($conffile) or die "Removing $conffile fail: $!";
3615 rmdir ("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") || die "Kann Verzeichnis nicht loeschen: $!";
3616 delete $confighash{$cgiparams{'KEY'}};
3617 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3618
3619 } else {
3620 $errormessage = $Lang::tr{'invalid key'};
3621 }
3622
3623
3624###
7c1d9faf 3625# m.a.d net2net
ce9abb66
AH		 3626###
3627
3628
3629###
3630### Adding a new connection
3631###
6e13d0a5
MT		 3632} elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) ||
3633 ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) ||
3634 ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq '')) {
8c877a82 3635
6e13d0a5
MT		 3636 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
3637 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
3638 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3639
3640 if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) {
8c877a82
AM		 3641 if (! $confighash{$cgiparams{'KEY'}}[0]) {
3642 $errormessage = $Lang::tr{'invalid key'};
3643 goto VPNCONF_END;
3644 }
4c962356
EK		 3645 $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0];
3646 $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1];
3647 $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3];
3648 $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4];
3649 $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5];
3650 $cgiparams{'SIDE'} = $confighash{$cgiparams{'KEY'}}[6];
3651 $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8];
3652 $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10];
8c877a82 3653 $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11];
4c962356
EK		 3654 $cgiparams{'OVPN_MGMT'} = $confighash{$cgiparams{'KEY'}}[22];
3655 $cgiparams{'MSSFIX'} = $confighash{$cgiparams{'KEY'}}[23];
3656 $cgiparams{'FRAGMENT'} = $confighash{$cgiparams{'KEY'}}[24];
3657 $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25];
3658 $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26];
3659 $cgiparams{'OVPN_SUBNET'} = $confighash{$cgiparams{'KEY'}}[27];
3660 $cgiparams{'PROTOCOL'} = $confighash{$cgiparams{'KEY'}}[28];
3661 $cgiparams{'DEST_PORT'} = $confighash{$cgiparams{'KEY'}}[29];
3662 $cgiparams{'COMPLZO'} = $confighash{$cgiparams{'KEY'}}[30];
3663 $cgiparams{'MTU'} = $confighash{$cgiparams{'KEY'}}[31];
3664 $cgiparams{'CHECK1'} = $confighash{$cgiparams{'KEY'}}[32];
df9b48b7 3665 $name=$cgiparams{'CHECK1'} ;
4c962356
EK		 3666 $cgiparams{$name} = $confighash{$cgiparams{'KEY'}}[33];
3667 $cgiparams{'RG'} = $confighash{$cgiparams{'KEY'}}[34];
3668 $cgiparams{'CCD_DNS1'} = $confighash{$cgiparams{'KEY'}}[35];
3669 $cgiparams{'CCD_DNS2'} = $confighash{$cgiparams{'KEY'}}[36];
3670 $cgiparams{'CCD_WINS'} = $confighash{$cgiparams{'KEY'}}[37];
4c962356
EK		 3671 $cgiparams{'DAUTH'} = $confighash{$cgiparams{'KEY'}}[39];
3672 $cgiparams{'DCIPHER'} = $confighash{$cgiparams{'KEY'}}[40];
49abe7af 3673 $cgiparams{'TLSAUTH'} = $confighash{$cgiparams{'KEY'}}[41];
8c877a82 3674 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
c6c9630e 3675 $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
18837a6a 3676
8c877a82 3677#A.Marx CCD check iroute field and convert it to decimal
52d08bcb 3678if ($cgiparams{'TYPE'} eq 'host') {
8c877a82
AM		 3679 my @temp=();
3680 my %ccdroutehash=();
3681 my $keypoint=0;
5068ac38
AM		 3682 my $ip;
3683 my $cidr;
8c877a82
AM		 3684 if ($cgiparams{'IR'} ne ''){
3685 @temp = split("\n",$cgiparams{'IR'});
3686 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
3687 #find key to use
3688 foreach my $key (keys %ccdroutehash) {
3689 if ($ccdroutehash{$key}[0] eq $cgiparams{'NAME'}) {
3690 $keypoint=$key;
3691 delete $ccdroutehash{$key};
3692 }else{
3693 $keypoint = &General::findhasharraykey (\%ccdroutehash);
3694 }
3695 }
3696 $ccdroutehash{$keypoint}[0]=$cgiparams{'NAME'};
3697 my $i=1;
3698 my $val=0;
3699 foreach $val (@temp){
3700 chomp($val);
3701 $val=~s/\s*$//g;
5068ac38 3702 #check if iroute exists in ccdroute or if new iroute is part of an existing one
8c877a82
AM		 3703 foreach my $key (keys %ccdroutehash) {
3704 foreach my $oldiroute ( 1 .. $#{$ccdroutehash{$key}}){
5068ac38
AM		 3705 if ($ccdroutehash{$key}[$oldiroute] eq "$val") {
3706 $errormessage=$errormessage.$Lang::tr{'ccd err irouteexist'};
3707 goto VPNCONF_ERROR;
3708 }
3709 my ($ip1,$cidr1) = split (/\//, $val);
82c809c7 3710 $ip1 = &General::getnetworkip($ip1,&General::iporsubtocidr($cidr1));
5068ac38
AM		 3711 my ($ip2,$cidr2) = split (/\//, $ccdroutehash{$key}[$oldiroute]);
3712 if (&General::IpInSubnet ($ip1,$ip2,$cidr2)){
3713 $errormessage=$errormessage.$Lang::tr{'ccd err irouteexist'};
3714 goto VPNCONF_ERROR;
3715 }
3716
8c877a82
AM		 3717 }
3718 }
5068ac38
AM		 3719 if (!&General::validipandmask($val)){
3720 $errormessage=$errormessage."Route ".$Lang::tr{'ccd invalid'}." ($val)";
3721 goto VPNCONF_ERROR;
3722 }else{
3723 ($ip,$cidr) = split(/\//,$val);
3724 $ip=&General::getnetworkip($ip,&General::iporsubtocidr($cidr));
3725 $cidr=&General::iporsubtodec($cidr);
3726 $ccdroutehash{$keypoint}[$i] = $ip."/".$cidr;
3727
3728 }
8c877a82
AM		 3729
3730 #check for existing network IP's
52d08bcb
AM		 3731 if (&General::IpInSubnet ($ip,$netsettings{GREEN_NETADDRESS},$netsettings{GREEN_NETMASK}) && $netsettings{GREEN_NETADDRESS} ne '0.0.0.0')
3732 {
3733 $errormessage=$Lang::tr{'ccd err green'};
3734 goto VPNCONF_ERROR;
3735 }elsif(&General::IpInSubnet ($ip,$netsettings{RED_NETADDRESS},$netsettings{RED_NETMASK}) && $netsettings{RED_NETADDRESS} ne '0.0.0.0')
3736 {
3737 $errormessage=$Lang::tr{'ccd err red'};
3738 goto VPNCONF_ERROR;
3739 }elsif(&General::IpInSubnet ($ip,$netsettings{BLUE_NETADDRESS},$netsettings{BLUE_NETMASK}) && $netsettings{BLUE_NETADDRESS} ne '0.0.0.0' && $netsettings{BLUE_NETADDRESS} gt '')
3740 {
3741 $errormessage=$Lang::tr{'ccd err blue'};
3742 goto VPNCONF_ERROR;
3743 }elsif(&General::IpInSubnet ($ip,$netsettings{ORANGE_NETADDRESS},$netsettings{ORANGE_NETMASK}) && $netsettings{ORANGE_NETADDRESS} ne '0.0.0.0' && $netsettings{ORANGE_NETADDRESS} gt '' )
3744 {
3745 $errormessage=$Lang::tr{'ccd err orange'};
8c877a82
AM		 3746 goto VPNCONF_ERROR;
3747 }
52d08bcb 3748
8c877a82
AM		 3749 if (&General::validipandmask($val)){
3750 $ccdroutehash{$keypoint}[$i] = $ip."/".$cidr;
3751 }else{
3752 $errormessage=$errormessage."Route ".$Lang::tr{'ccd invalid'}." ($ip/$cidr)";
3753 goto VPNCONF_ERROR;
3754 }
3755 $i++;
3756 }
3757 &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
3758 &writeserverconf;
3759 }else{
3760 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
3761 foreach my $key (keys %ccdroutehash) {
3762 if ($ccdroutehash{$key}[0] eq $cgiparams{'NAME'}) {
3763 delete $ccdroutehash{$key};
3764 &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
3765 &writeserverconf;
3766 }
3767 }
3768 }
3769 undef @temp;
3770 #check route field and convert it to decimal
8c877a82
AM		 3771 my $val=0;
3772 my $i=1;
8c877a82 3773 &General::readhasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
52d08bcb
AM		 3774 #find key to use
3775 foreach my $key (keys %ccdroute2hash) {
3776 if ($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}) {
3777 $keypoint=$key;
3778 delete $ccdroute2hash{$key};
3779 }else{
3780 $keypoint = &General::findhasharraykey (\%ccdroute2hash);
3781 &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
3782 &writeserverconf;
8c877a82 3783 }
52d08bcb
AM		 3784 }
3785 $ccdroute2hash{$keypoint}[0]=$cgiparams{'NAME'};
3786 if ($cgiparams{'IFROUTE'} eq ''){$cgiparams{'IFROUTE'} = $Lang::tr{'ccd none'};}
3787 @temp = split(/\|/,$cgiparams{'IFROUTE'});
3788 my %ownnet=();
3789 &General::readhash("${General::swroot}/ethernet/settings", \%ownnet);
3790 foreach $val (@temp){
3791 chomp($val);
3792 $val=~s/\s*$//g;
3793 if ($val eq $Lang::tr{'green'})
3794 {
3795 $val=$ownnet{GREEN_NETADDRESS}."/".$ownnet{GREEN_NETMASK};
3796 }
3797 if ($val eq $Lang::tr{'blue'})
3798 {
3799 $val=$ownnet{BLUE_NETADDRESS}."/".$ownnet{BLUE_NETMASK};
3800 }
3801 if ($val eq $Lang::tr{'orange'})
3802 {
3803 $val=$ownnet{ORANGE_NETADDRESS}."/".$ownnet{ORANGE_NETMASK};
3804 }
3805 my ($ip,$cidr) = split (/\//, $val);
3806
3807 if ($val ne $Lang::tr{'ccd none'})
3808 {
8c877a82
AM		 3809 if (! &check_routes_push($val)){$errormessage=$errormessage."Route $val ".$Lang::tr{'ccd err routeovpn2'}." ($val)";goto VPNCONF_ERROR;}
3810 if (! &check_ccdroute($val)){$errormessage=$errormessage."<br>Route $val ".$Lang::tr{'ccd err inuse'}." ($val)" ;goto VPNCONF_ERROR;}
3811 if (! &check_ccdconf($val)){$errormessage=$errormessage."<br>Route $val ".$Lang::tr{'ccd err routeovpn'}." ($val)";goto VPNCONF_ERROR;}
3812 if (&General::validipandmask($val)){
3813 $val=$ip."/".&General::iporsubtodec($cidr);
3814 $ccdroute2hash{$keypoint}[$i] = $val;
3815 }else{
3816 $errormessage=$errormessage."Route ".$Lang::tr{'ccd invalid'}." ($val)";
3817 goto VPNCONF_ERROR;
3818 }
52d08bcb
AM		 3819 }else{
3820 $ccdroute2hash{$keypoint}[$i]='';
3821 }
3822 $i++;
3823 }
3824 &General::writehasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
3825
8c877a82
AM		 3826 #check dns1 ip
3827 if ($cgiparams{'CCD_DNS1'} ne '' && ! &General::validip($cgiparams{'CCD_DNS1'})) {
3828 $errormessage=$errormessage."<br>".$Lang::tr{'invalid input for dhcp dns'}." 1";
3829 goto VPNCONF_ERROR;
3830 }
3831 #check dns2 ip
3832 if ($cgiparams{'CCD_DNS2'} ne '' && ! &General::validip($cgiparams{'CCD_DNS2'})) {
3833 $errormessage=$errormessage."<br>".$Lang::tr{'invalid input for dhcp dns'}." 2";
3834 goto VPNCONF_ERROR;
3835 }
3836 #check wins ip
3837 if ($cgiparams{'CCD_WINS'} ne '' && ! &General::validip($cgiparams{'CCD_WINS'})) {
3838 $errormessage=$errormessage."<br>".$Lang::tr{'invalid input for dhcp wins'};
3839 goto VPNCONF_ERROR;
3840 }
52d08bcb 3841}
8c877a82
AM		 3842
3843#CCD End
52d08bcb 3844
8c877a82 3845
73735ad9
EK		 3846 if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
3847 $errormessage = $Lang::tr{'connection type is invalid'};
3848 if ($cgiparams{'TYPE'} eq 'net') {
3849 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3850 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3851 goto VPNCONF_ERROR;
3852 }
3853 goto VPNCONF_ERROR;
c6c9630e
MT		 3854 }
3855
c6c9630e 3856 if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) {
73735ad9
EK		 3857 $errormessage = $Lang::tr{'name must only contain characters'};
3858 if ($cgiparams{'TYPE'} eq 'net') {
3859 goto VPNCONF_ERROR;
3860 }
3861 goto VPNCONF_ERROR;
3862 }
c6c9630e
MT		 3863
3864 if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault)$/) {
73735ad9
EK		 3865 $errormessage = $Lang::tr{'name is invalid'};
3866 if ($cgiparams{'TYPE'} eq 'net') {
3867 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3868 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3869 goto VPNCONF_ERROR;
3870 }
3871 goto VPNCONF_ERROR;
c6c9630e
MT		 3872 }
3873
3874 if (length($cgiparams{'NAME'}) >60) {
73735ad9
EK		 3875 $errormessage = $Lang::tr{'name too long'};
3876 if ($cgiparams{'TYPE'} eq 'net') {
3877 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3878 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3879 goto VPNCONF_ERROR;
3880 }
3881 goto VPNCONF_ERROR;
c6c9630e
MT		 3882 }
3883
d96c89eb 3884###
7c1d9faf 3885# m.a.d net2net
d96c89eb
AH		 3886###
3887
7c1d9faf 3888if ($cgiparams{'TYPE'} eq 'net') {
ab4cf06c 3889 if ($cgiparams{'DEST_PORT'} eq $vpnsettings{'DDEST_PORT'}) {
cd0c0a0d 3890 $errormessage = $Lang::tr{'openvpn destination port used'};
b278daf3
AH		 3891 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3892 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3893 goto VPNCONF_ERROR;
d96c89eb 3894 }
ab4cf06c
AM		 3895 #Bugfix 10357
3896 foreach my $key (sort keys %confighash){
3897 if ( ($confighash{$key}[22] eq $cgiparams{'DEST_PORT'} && $cgiparams{'NAME'} ne $confighash{$key}[1]) || ($confighash{$key}[29] eq $cgiparams{'DEST_PORT'} && $cgiparams{'NAME'} ne $confighash{$key}[1])){
54fd0535
MT		 3898 $errormessage = $Lang::tr{'openvpn destination port used'};
3899 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3900 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
ab4cf06c
AM		 3901 goto VPNCONF_ERROR;
3902 }
3903 }
3904 if ($cgiparams{'DEST_PORT'} eq '') {
3905 $errormessage = $Lang::tr{'invalid port'};
3906 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3907 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
54fd0535
MT		 3908 goto VPNCONF_ERROR;
3909 }
d96c89eb 3910
f48074ba
SS		 3911 # Check if the input for the transfer net is valid.
3912 if (!&General::validipandmask($cgiparams{'OVPN_SUBNET'})){
3913 $errormessage = $Lang::tr{'ccd err invalidnet'};
3914 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3915 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3916 goto VPNCONF_ERROR;
3917 }
3918
d96c89eb 3919 if ($cgiparams{'OVPN_SUBNET'} eq $vpnsettings{'DOVPN_SUBNET'}) {
cd0c0a0d 3920 $errormessage = $Lang::tr{'openvpn subnet is used'};
b278daf3
AH		 3921 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3922 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
d96c89eb
AH		 3923 goto VPNCONF_ERROR;
3924 }
3925
3926 if (($cgiparams{'PROTOCOL'} eq 'tcp') && ($cgiparams{'MSSFIX'} eq 'on')) {
cd0c0a0d 3927 $errormessage = $Lang::tr{'openvpn mssfix allowed with udp'};
b278daf3
AH		 3928 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3929 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
d96c89eb
AH		 3930 goto VPNCONF_ERROR;
3931 }
3932
3933 if (($cgiparams{'PROTOCOL'} eq 'tcp') && ($cgiparams{'FRAGMENT'} ne '')) {
cd0c0a0d 3934 $errormessage = $Lang::tr{'openvpn fragment allowed with udp'};
b278daf3
AH		 3935 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3936 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
d96c89eb
AH		 3937 goto VPNCONF_ERROR;
3938 }
d96c89eb 3939
7c1d9faf 3940 if ( &validdotmask ($cgiparams{'LOCAL_SUBNET'})) {
cd0c0a0d 3941 $errormessage = $Lang::tr{'openvpn prefix local subnet'};
b278daf3
AH		 3942 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3943 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3944 goto VPNCONF_ERROR;
7c1d9faf
AH		 3945 }
3946
3947 if ( &validdotmask ($cgiparams{'OVPN_SUBNET'})) {
cd0c0a0d 3948 $errormessage = $Lang::tr{'openvpn prefix openvpn subnet'};
b278daf3
AH		 3949 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3950 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3951 goto VPNCONF_ERROR;
7c1d9faf
AH		 3952 }
3953
3954 if ( &validdotmask ($cgiparams{'REMOTE_SUBNET'})) {
cd0c0a0d 3955 $errormessage = $Lang::tr{'openvpn prefix remote subnet'};
b278daf3
AH		 3956 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3957 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3958 goto VPNCONF_ERROR;
8c252e6a
EK		 3959 }
3960
3961 if ($cgiparams{'DEST_PORT'} <= 1023) {
3962 $errormessage = $Lang::tr{'ovpn port in root range'};
3963 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3964 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3965 goto VPNCONF_ERROR;
3966 }
54fd0535 3967
4c962356 3968 if ($cgiparams{'OVPN_MGMT'} eq '') {
8c252e6a
EK		 3969 $cgiparams{'OVPN_MGMT'} = $cgiparams{'DEST_PORT'};
3970 }
3971
3972 if ($cgiparams{'OVPN_MGMT'} <= 1023) {
3973 $errormessage = $Lang::tr{'ovpn mgmt in root range'};
3974 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3975 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3976 goto VPNCONF_ERROR;
b2e75449
MT		 3977 }
3978 #Check if remote subnet is used elsewhere
3979 my ($n2nip,$n2nsub)=split("/",$cgiparams{'REMOTE_SUBNET'});
3980 $warnmessage=&General::checksubnets('',$n2nip,'ovpn');
3981 if ($warnmessage){
3982 $warnmessage=$Lang::tr{'remote subnet'}." ($cgiparams{'REMOTE_SUBNET'}) <br>".$warnmessage;
3983 }
7c1d9faf 3984}
d96c89eb 3985
ce9abb66
AH		 3986# if (($cgiparams{'TYPE'} eq 'net') && ($cgiparams{'SIDE'} !~ /^(left|right)$/)) {
3987# $errormessage = $Lang::tr{'ipfire side is invalid'};
3988# goto VPNCONF_ERROR;
3989# }
3990
c6c9630e
MT		 3991 # Check if there is no other entry with this name
3992 if (! $cgiparams{'KEY'}) {
3993 foreach my $key (keys %confighash) {
3994 if ($confighash{$key}[1] eq $cgiparams{'NAME'}) {
3995 $errormessage = $Lang::tr{'a connection with this name already exists'};
b278daf3
AH		 3996 if ($cgiparams{'TYPE'} eq 'net') {
3997 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3998 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3999 }
c6c9630e 4000 goto VPNCONF_ERROR;
6e13d0a5 4001 }
c6c9630e
MT		 4002 }
4003 }
4004
c125d8a2 4005 # Check if a remote host/IP has been set for the client.
86228a56
MT		 4006 if ($cgiparams{'TYPE'} eq 'net') {
4007 if ($cgiparams{'SIDE'} ne 'server' && $cgiparams{'REMOTE'} eq '') {
4008 $errormessage = $Lang::tr{'invalid input for remote host/ip'};
c125d8a2 4009
86228a56
MT		 4010 # Check if this is a N2N connection and drop temporary config.
4011 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
4012 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
ce9abb66 4013
86228a56
MT		 4014 goto VPNCONF_ERROR;
4015 }
c125d8a2 4016
86228a56
MT		 4017 # Check if a remote host/IP has been configured - the field can be empty on the server side.
4018 if ($cgiparams{'REMOTE'} ne '') {
4019 # Check if the given IP is valid - otherwise check if it is a valid domain.
4020 if (! &General::validip($cgiparams{'REMOTE'})) {
4021 # Check for a valid domain.
4022 if (! &General::validfqdn ($cgiparams{'REMOTE'})) {
4023 $errormessage = $Lang::tr{'invalid input for remote host/ip'};
c125d8a2 4024
86228a56
MT		 4025 # Check if this is a N2N connection and drop temporary config.
4026 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
4027 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
c125d8a2 4028
86228a56
MT		 4029 goto VPNCONF_ERROR;
4030 }
4031 }
6e13d0a5 4032 }
c6c9630e 4033 }
c125d8a2 4034
c6c9630e
MT		 4035 if ($cgiparams{'TYPE'} ne 'host') {
4036 unless (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) {
4037 $errormessage = $Lang::tr{'local subnet is invalid'};
b278daf3
AH		 4038 if ($cgiparams{'TYPE'} eq 'net') {
4039 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
4040 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
4041 }
c6c9630e
MT		 4042 goto VPNCONF_ERROR;}
4043 }
4044 # Check if there is no other entry without IP-address and PSK
4045 if ($cgiparams{'REMOTE'} eq '') {
4046 foreach my $key (keys %confighash) {
4047 if(($cgiparams{'KEY'} ne $key) &&
4048 ($confighash{$key}[4] eq 'psk' || $cgiparams{'AUTH'} eq 'psk') &&
4049 $confighash{$key}[10] eq '') {
4050 $errormessage = $Lang::tr{'you can only define one roadwarrior connection when using pre-shared key authentication'};
4051 goto VPNCONF_ERROR;
6e13d0a5 4052 }
c6c9630e
MT		 4053 }
4054 }
ce9abb66
AH		 4055 if (($cgiparams{'TYPE'} eq 'net') && (! &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) {
4056 $errormessage = $Lang::tr{'remote subnet is invalid'};
b278daf3
AH		 4057 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
4058 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
4059 goto VPNCONF_ERROR;
ce9abb66 4060 }
c6c9630e 4061
425465ed
EK		 4062 # Check for N2N that OpenSSL maximum of valid days will not be exceeded
4063 if ($cgiparams{'TYPE'} eq 'net') {
4064 if ($cgiparams{'DAYS_VALID'} >= '999999') {
4065 $errormessage = $Lang::tr{'invalid input for valid till days'};
4066 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
4067 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
4068 goto VPNCONF_ERROR;
4069 }
4070 }
4071
c6c9630e
MT		 4072 if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
4073 $errormessage = $Lang::tr{'invalid input'};
4074 goto VPNCONF_ERROR;
4075 }
4076 if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) {
4077 $errormessage = $Lang::tr{'invalid input'};
4078 goto VPNCONF_ERROR;
4079 }
4080
4081#fixplausi
4082 if ($cgiparams{'AUTH'} eq 'psk') {
4083# if (! length($cgiparams{'PSK'}) ) {
4084# $errormessage = $Lang::tr{'pre-shared key is too short'};
4085# goto VPNCONF_ERROR;
4086# }
4087# if ($cgiparams{'PSK'} =~ /['",&]/) {
4088# $errormessage = $Lang::tr{'invalid characters found in pre-shared key'};
4089# goto VPNCONF_ERROR;
4090# }
4091 } elsif ($cgiparams{'AUTH'} eq 'certreq') {
4092 if ($cgiparams{'KEY'}) {
4093 $errormessage = $Lang::tr{'cant change certificates'};
4094 goto VPNCONF_ERROR;
4095 }
2ad1b18b 4096 unless (ref ($cgiparams{'FH'})) {
c6c9630e
MT		 4097 $errormessage = $Lang::tr{'there was no file upload'};
4098 goto VPNCONF_ERROR;
4099 }
4100
4101 # Move uploaded certificate request to a temporary file
4102 (my $fh, my $filename) = tempfile( );
4103 if (copy ($cgiparams{'FH'}, $fh) != 1) {
4104 $errormessage = $!;
4105 goto VPNCONF_ERROR;
4106 }
6e13d0a5 4107
c6c9630e
MT		 4108 # Sign the certificate request and move it
4109 # Sign the host certificate request
2feacd98 4110 # The system call is safe, because all arguments are passed as an array.
f6e12093 4111 system('/usr/bin/openssl', 'ca', '-days', "$cgiparams{'DAYS_VALID'}",
c6c9630e
MT		 4112 '-batch', '-notext',
4113 '-in', $filename,
4114 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
4115 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
4116 if ($?) {
4117 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
4118 unlink ($filename);
4119 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
4120 &newcleanssldatabase();
4121 goto VPNCONF_ERROR;
4122 } else {
4123 unlink ($filename);
4124 &deletebackupcert();
4125 }
4126
2feacd98
SS		 4127 my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
4128 my $temp;
4129
4130 foreach my $line (@temp) {
4131 if ($line =~ /Subject:.*CN\s?=\s?(.*)[\n]/) {
4132 $temp = $1;
4133 $temp =~ s+/Email+, E+;
4134 $temp =~ s/ ST=/ S=/;
4135
4136 last;
4137 }
4138 }
4139
c6c9630e
MT		 4140 $cgiparams{'CERT_NAME'} = $temp;
4141 $cgiparams{'CERT_NAME'} =~ s/,//g;
4142 $cgiparams{'CERT_NAME'} =~ s/\'//g;
4143 if ($cgiparams{'CERT_NAME'} eq '') {
4144 $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
4145 goto VPNCONF_ERROR;
4146 }
4147 } elsif ($cgiparams{'AUTH'} eq 'certfile') {
4148 if ($cgiparams{'KEY'}) {
4149 $errormessage = $Lang::tr{'cant change certificates'};
4150 goto VPNCONF_ERROR;
4151 }
2ad1b18b 4152 unless (ref ($cgiparams{'FH'})) {
c6c9630e
MT		 4153 $errormessage = $Lang::tr{'there was no file upload'};
4154 goto VPNCONF_ERROR;
4155 }
4156 # Move uploaded certificate to a temporary file
4157 (my $fh, my $filename) = tempfile( );
4158 if (copy ($cgiparams{'FH'}, $fh) != 1) {
4159 $errormessage = $!;
4160 goto VPNCONF_ERROR;
4161 }
4162
4163 # Verify the certificate has a valid CA and move it
4164 my $validca = 0;
2feacd98
SS		 4165 my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/cacert.pem", "$filename");
4166 if (grep(/: OK/, @test)) {
c6c9630e
MT		 4167 $validca = 1;
4168 } else {
4169 foreach my $key (keys %cahash) {
2feacd98
SS		 4170 @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/$cahash{$key}[0]cert.pem", "$filename");
4171 if (grep(/: OK/, @test)) {
c6c9630e
MT		 4172 $validca = 1;
4173 }
6e13d0a5 4174 }
c6c9630e
MT		 4175 }
4176 if (! $validca) {
4177 $errormessage = $Lang::tr{'certificate does not have a valid ca associated with it'};
4178 unlink ($filename);
4179 goto VPNCONF_ERROR;
4180 } else {
4181 move($filename, "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
4182 if ($? ne 0) {
4183 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
4184 unlink ($filename);
4185 goto VPNCONF_ERROR;
6e13d0a5 4186 }
c6c9630e
MT		 4187 }
4188
2feacd98
SS		 4189 my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
4190 my $temp;
4191
4192 foreach my $line (@temp) {
4193 if ($line =~ /Subject:.*CN\s?=\s?(.*)[\n]/) {
4194 $temp = $1;
4195 $temp =~ s+/Email+, E+;
4196 $temp =~ s/ ST=/ S=/;
4197
4198 last;
4199 }
4200 }
4201
c6c9630e
MT		 4202 $cgiparams{'CERT_NAME'} = $temp;
4203 $cgiparams{'CERT_NAME'} =~ s/,//g;
4204 $cgiparams{'CERT_NAME'} =~ s/\'//g;
4205 if ($cgiparams{'CERT_NAME'} eq '') {
4206 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
4207 $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
4208 goto VPNCONF_ERROR;
4209 }
4210 } elsif ($cgiparams{'AUTH'} eq 'certgen') {
4211 if ($cgiparams{'KEY'}) {
4212 $errormessage = $Lang::tr{'cant change certificates'};
4213 goto VPNCONF_ERROR;
4214 }
4215 # Validate input since the form was submitted
4216 if (length($cgiparams{'CERT_NAME'}) >60) {
4217 $errormessage = $Lang::tr{'name too long'};
4218 goto VPNCONF_ERROR;
4219 }
194314b2 4220 if ($cgiparams{'CERT_NAME'} eq '' || $cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
c6c9630e
MT		 4221 $errormessage = $Lang::tr{'invalid input for name'};
4222 goto VPNCONF_ERROR;
4223 }
4224 if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) {
4225 $errormessage = $Lang::tr{'invalid input for e-mail address'};
4226 goto VPNCONF_ERROR;
4227 }
4228 if (length($cgiparams{'CERT_EMAIL'}) > 40) {
4229 $errormessage = $Lang::tr{'e-mail address too long'};
4230 goto VPNCONF_ERROR;
4231 }
4232 if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
4233 $errormessage = $Lang::tr{'invalid input for department'};
4234 goto VPNCONF_ERROR;
4235 }
4236 if (length($cgiparams{'CERT_ORGANIZATION'}) >60) {
4237 $errormessage = $Lang::tr{'organization too long'};
4238 goto VPNCONF_ERROR;
4239 }
4240 if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
4241 $errormessage = $Lang::tr{'invalid input for organization'};
4242 goto VPNCONF_ERROR;
4243 }
4244 if ($cgiparams{'CERT_CITY'} ne '' && $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
4245 $errormessage = $Lang::tr{'invalid input for city'};
4246 goto VPNCONF_ERROR;
4247 }
4248 if ($cgiparams{'CERT_STATE'} ne '' && $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
4249 $errormessage = $Lang::tr{'invalid input for state or province'};
4250 goto VPNCONF_ERROR;
4251 }
4252 if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) {
4253 $errormessage = $Lang::tr{'invalid input for country'};
4254 goto VPNCONF_ERROR;
4255 }
4256 if ($cgiparams{'CERT_PASS1'} ne '' && $cgiparams{'CERT_PASS2'} ne ''){
4257 if (length($cgiparams{'CERT_PASS1'}) < 5) {
4258 $errormessage = $Lang::tr{'password too short'};
4259 goto VPNCONF_ERROR;
6e13d0a5 4260 }
c6c9630e
MT		 4261 }
4262 if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) {
4263 $errormessage = $Lang::tr{'passwords do not match'};
4264 goto VPNCONF_ERROR;
4265 }
425465ed 4266 if ($cgiparams{'DAYS_VALID'} eq '' && $cgiparams{'DAYS_VALID'} !~ /^[0-9]+$/) {
f4fbb935
EK		 4267 $errormessage = $Lang::tr{'invalid input for valid till days'};
4268 goto VPNCONF_ERROR;
4269 }
c6c9630e 4270
425465ed
EK		 4271 # Check for RW that OpenSSL maximum of valid days will not be exceeded
4272 if ($cgiparams{'TYPE'} eq 'host') {
4273 if ($cgiparams{'DAYS_VALID'} >= '999999') {
4274 $errormessage = $Lang::tr{'invalid input for valid till days'};
4275 goto VPNCONF_ERROR;
4276 }
4277 }
4278
beac479f
EK		 4279 # Check for RW if client name is already set
4280 if ($cgiparams{'TYPE'} eq 'host') {
4281 foreach my $key (keys %confighash) {
4282 if ($confighash{$key}[1] eq $cgiparams{'NAME'}) {
4283 $errormessage = $Lang::tr{'a connection with this name already exists'};
4284 goto VPNCONF_ERROR;
4285 }
4286 }
4287 }
4288
c6c9630e
MT		 4289 # Replace empty strings with a .
4290 (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./;
4291 (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./;
4292 (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./;
4293
4294 # Create the Host certificate request client
4295 my $pid = open(OPENSSL, "|-");
4296 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto VPNCONF_ERROR;};
4297 if ($pid) { # parent
4298 print OPENSSL "$cgiparams{'CERT_COUNTRY'}\n";
4299 print OPENSSL "$state\n";
4300 print OPENSSL "$city\n";
4301 print OPENSSL "$cgiparams{'CERT_ORGANIZATION'}\n";
4302 print OPENSSL "$ou\n";
4303 print OPENSSL "$cgiparams{'CERT_NAME'}\n";
4304 print OPENSSL "$cgiparams{'CERT_EMAIL'}\n";
4305 print OPENSSL ".\n";
4306 print OPENSSL ".\n";
4307 close (OPENSSL);
4308 if ($?) {
4309 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
4310 unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}key.pem");
4311 unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}req.pem");
4312 goto VPNCONF_ERROR;
6e13d0a5 4313 }
c6c9630e 4314 } else { # child
badd8c1c 4315 unless (exec ('/usr/bin/openssl', 'req', '-nodes',
4c962356 4316 '-newkey', 'rsa:2048',
c6c9630e
MT		 4317 '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
4318 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
4319 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
4320 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
4321 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
4322 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
4323 goto VPNCONF_ERROR;
6e13d0a5 4324 }
c6c9630e
MT		 4325 }
4326
4327 # Sign the host certificate request
2feacd98 4328 # The system call is safe, because all arguments are passed as an array.
f6e12093 4329 system('/usr/bin/openssl', 'ca', '-days', "$cgiparams{'DAYS_VALID'}",
c6c9630e
MT		 4330 '-batch', '-notext',
4331 '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
4332 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
4333 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
4334 if ($?) {
4335 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
4336 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
4337 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
4338 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
4339 &newcleanssldatabase();
4340 goto VPNCONF_ERROR;
4341 } else {
4342 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
4343 &deletebackupcert();
4344 }
4345
4346 # Create the pkcs12 file
2feacd98 4347 # The system call is safe, because all arguments are passed as an array.
c6c9630e
MT		 4348 system('/usr/bin/openssl', 'pkcs12', '-export',
4349 '-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
4350 '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
4351 '-name', $cgiparams{'NAME'},
4352 '-passout', "pass:$cgiparams{'CERT_PASS1'}",
4353 '-certfile', "${General::swroot}/ovpn/ca/cacert.pem",
4354 '-caname', "$vpnsettings{'ROOTCERT_ORGANIZATION'} CA",
4355 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12");
4356 if ($?) {
4357 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
4358 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
4359 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
4360 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12");
4361 goto VPNCONF_ERROR;
4362 } else {
4363 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
4364 }
4365 } elsif ($cgiparams{'AUTH'} eq 'cert') {
4366 ;# Nothing, just editing
4367 } else {
4368 $errormessage = $Lang::tr{'invalid input for authentication method'};
4369 goto VPNCONF_ERROR;
4370 }
4371
4372 # Check if there is no other entry with this common name
4373 if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk')) {
4374 foreach my $key (keys %confighash) {
4375 if ($confighash{$key}[2] eq $cgiparams{'CERT_NAME'}) {
4376 $errormessage = $Lang::tr{'a connection with this common name already exists'};
4377 goto VPNCONF_ERROR;
6e13d0a5 4378 }
c6c9630e
MT		 4379 }
4380 }
4381
ab4cf06c 4382 # Save the config
c6c9630e 4383 my $key = $cgiparams{'KEY'};
8c877a82 4384
c6c9630e
MT		 4385 if (! $key) {
4386 $key = &General::findhasharraykey (\%confighash);
49abe7af 4387 foreach my $i (0 .. 43) { $confighash{$key}[$i] = "";}
c6c9630e 4388 }
8c877a82
AM		 4389 $confighash{$key}[0] = $cgiparams{'ENABLED'};
4390 $confighash{$key}[1] = $cgiparams{'NAME'};
c6c9630e 4391 if ((! $cgiparams{'KEY'}) && $cgiparams{'AUTH'} ne 'psk') {
8c877a82 4392 $confighash{$key}[2] = $cgiparams{'CERT_NAME'};
c6c9630e 4393 }
8c877a82
AM		 4394
4395 $confighash{$key}[3] = $cgiparams{'TYPE'};
c6c9630e 4396 if ($cgiparams{'AUTH'} eq 'psk') {
8c877a82
AM		 4397 $confighash{$key}[4] = 'psk';
4398 $confighash{$key}[5] = $cgiparams{'PSK'};
c6c9630e 4399 } else {
8c877a82 4400 $confighash{$key}[4] = 'cert';
c6c9630e 4401 }
ce9abb66 4402 if ($cgiparams{'TYPE'} eq 'net') {
8c877a82
AM		 4403 $confighash{$key}[6] = $cgiparams{'SIDE'};
4404 $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'};
ce9abb66 4405 }
4c962356 4406 $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'};
8c877a82 4407 $confighash{$key}[10] = $cgiparams{'REMOTE'};
4c962356 4408 if ($cgiparams{'OVPN_MGMT'} eq '') {
8c877a82 4409 $confighash{$key}[22] = $confighash{$key}[29];
4c962356 4410 } else {
8c877a82 4411 $confighash{$key}[22] = $cgiparams{'OVPN_MGMT'};
4c962356 4412 }
8c877a82
AM		 4413 $confighash{$key}[23] = $cgiparams{'MSSFIX'};
4414 $confighash{$key}[24] = $cgiparams{'FRAGMENT'};
4415 $confighash{$key}[25] = $cgiparams{'REMARK'};
4416 $confighash{$key}[26] = $cgiparams{'INTERFACE'};
c6c9630e 4417# new fields
8c877a82
AM		 4418 $confighash{$key}[27] = $cgiparams{'OVPN_SUBNET'};
4419 $confighash{$key}[28] = $cgiparams{'PROTOCOL'};
4420 $confighash{$key}[29] = $cgiparams{'DEST_PORT'};
4421 $confighash{$key}[30] = $cgiparams{'COMPLZO'};
4422 $confighash{$key}[31] = $cgiparams{'MTU'};
4423 $confighash{$key}[32] = $cgiparams{'CHECK1'};
df9b48b7 4424 $name=$cgiparams{'CHECK1'};
8c877a82
AM		 4425 $confighash{$key}[33] = $cgiparams{$name};
4426 $confighash{$key}[34] = $cgiparams{'RG'};
4427 $confighash{$key}[35] = $cgiparams{'CCD_DNS1'};
4428 $confighash{$key}[36] = $cgiparams{'CCD_DNS2'};
4429 $confighash{$key}[37] = $cgiparams{'CCD_WINS'};
4c962356
EK		 4430 $confighash{$key}[39] = $cgiparams{'DAUTH'};
4431 $confighash{$key}[40] = $cgiparams{'DCIPHER'};
350f2980 4432
71af643c
MT		 4433 if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
4434 $confighash{$key}[41] = "no-pass";
4435 }
4436
c6c9630e 4437 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
8c877a82
AM		 4438
4439 if ($cgiparams{'CHECK1'} ){
4440
4441 my ($ccdip,$ccdsub)=split "/",$cgiparams{$name};
4442 my ($a,$b,$c,$d) = split (/\./,$ccdip);
df9b48b7
AM		 4443 if ( -e "${General::swroot}/ovpn/ccd/$confighash{$key}[2]"){
4444 unlink "${General::swroot}/ovpn/ccd/$cgiparams{'CERT_NAME'}";
4445 }
8c877a82 4446 open ( CCDRWCONF,'>',"${General::swroot}/ovpn/ccd/$confighash{$key}[2]") or die "Unable to create clientconfigfile $!";
82c809c7 4447 print CCDRWCONF "# OpenVPN clientconfig from ccd extension by Copymaster#\n\n";
8c877a82
AM		 4448 if($cgiparams{'CHECK1'} eq 'dynamic'){
4449 print CCDRWCONF "#This client uses the dynamic pool\n";
4450 }else{
82c809c7 4451 print CCDRWCONF "#Ip address client and server\n";
8c877a82
AM		 4452 print CCDRWCONF "ifconfig-push $ccdip ".&General::getlastip($ccdip,1)."\n";
4453 }
4454 if ($confighash{$key}[34] eq 'on'){
4455 print CCDRWCONF "\n#Redirect Gateway: \n#All IP traffic is redirected through the vpn \n";
4456 print CCDRWCONF "push redirect-gateway\n";
4457 }
52d08bcb 4458 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
8c877a82 4459 if ($cgiparams{'IR'} ne ''){
82c809c7 4460 print CCDRWCONF "\n#Client routes these networks (behind Client)\n";
8c877a82
AM		 4461 foreach my $key (keys %ccdroutehash){
4462 if ($ccdroutehash{$key}[0] eq $cgiparams{'NAME'}){
4463 foreach my $i ( 1 .. $#{$ccdroutehash{$key}}){
4464 my ($a,$b)=split (/\//,$ccdroutehash{$key}[$i]);
4465 print CCDRWCONF "iroute $a $b\n";
4466 }
4467 }
4468 }
4469 }
52d08bcb 4470 if ($cgiparams{'IFROUTE'} eq $Lang::tr{'ccd none'} ){$cgiparams{'IFROUTE'}='';}
8c877a82 4471 if ($cgiparams{'IFROUTE'} ne ''){
82c809c7 4472 print CCDRWCONF "\n#Client gets routes to these networks (behind IPFire)\n";
8c877a82
AM		 4473 foreach my $key (keys %ccdroute2hash){
4474 if ($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}){
4475 foreach my $i ( 1 .. $#{$ccdroute2hash{$key}}){
4476 if($ccdroute2hash{$key}[$i] eq $Lang::tr{'blue'}){
4477 my %blue=();
4478 &General::readhash("${General::swroot}/ethernet/settings", \%blue);
52d08bcb 4479 print CCDRWCONF "push \"route $blue{BLUE_ADDRESS} $blue{BLUE_NETMASK}\n";
8c877a82
AM		 4480 }elsif($ccdroute2hash{$key}[$i] eq $Lang::tr{'orange'}){
4481 my %orange=();
4482 &General::readhash("${General::swroot}/ethernet/settings", \%orange);
4483 print CCDRWCONF "push \"route $orange{ORANGE_ADDRESS} $orange{ORANGE_NETMASK}\n";
4484 }else{
4485 my ($a,$b)=split (/\//,$ccdroute2hash{$key}[$i]);
4486 print CCDRWCONF "push \"route $a $b\"\n";
4487 }
4488 }
4489 }
4490 }
4491 }
4492 if(($cgiparams{'CCD_DNS1'} eq '') && ($cgiparams{'CCD_DNS1'} ne '')){ $cgiparams{'CCD_DNS1'} = $cgiparams{'CCD_DNS2'};$cgiparams{'CCD_DNS2'}='';}
4493 if($cgiparams{'CCD_DNS1'} ne ''){
82c809c7 4494 print CCDRWCONF "\n#Client gets these nameservers\n";
8c877a82
AM		 4495 print CCDRWCONF "push \"dhcp-option DNS $cgiparams{'CCD_DNS1'}\" \n";
4496 }
4497 if($cgiparams{'CCD_DNS2'} ne ''){
4498 print CCDRWCONF "push \"dhcp-option DNS $cgiparams{'CCD_DNS2'}\" \n";
4499 }
4500 if($cgiparams{'CCD_WINS'} ne ''){
4501 print CCDRWCONF "\n#Client gets this WINS server\n";
4502 print CCDRWCONF "push \"dhcp-option WINS $cgiparams{'CCD_WINS'}\" \n";
4503 }
4504 close CCDRWCONF;
4505 }
18837a6a
AH		 4506
4507###
4508# m.a.d n2n begin
4509###
4510
4511 if ($cgiparams{'TYPE'} eq 'net') {
4512
2feacd98
SS		 4513 if (-e "/var/run/$confighash{$key}[1]n2n.pid") {
4514 &General::system("/usr/local/bin/openvpnctrl", "-kn2n", "$confighash{$cgiparams{'KEY'}}[1]");
18837a6a 4515
2feacd98
SS		 4516 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
4517 my $key = $cgiparams{'KEY'};
4518 if (! $key) {
4519 $key = &General::findhasharraykey (\%confighash);
4520 foreach my $i (0 .. 31) {
4521 $confighash{$key}[$i] = "";
4522 }
4523 }
4524
4525 $confighash{$key}[0] = 'on';
4526 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
18837a6a 4527
2feacd98
SS		 4528 &General::system("/usr/local/bin/openvpnctrl", "-sn2n", "$confighash{$cgiparams{'KEY'}}[1]");
4529 }
4530 }
18837a6a
AH		 4531
4532###
4533# m.a.d n2n end
4534###
4535
c6c9630e
MT		 4536 if ($cgiparams{'EDIT_ADVANCED'} eq 'on') {
4537 $cgiparams{'KEY'} = $key;
4538 $cgiparams{'ACTION'} = $Lang::tr{'advanced'};
4539 }
4540 goto VPNCONF_END;
6e13d0a5 4541 } else {
c6c9630e 4542 $cgiparams{'ENABLED'} = 'on';
54fd0535
MT		 4543###
4544# m.a.d n2n begin
4545###
4546 $cgiparams{'MSSFIX'} = 'on';
4547 $cgiparams{'FRAGMENT'} = '1300';
70900745 4548 $cgiparams{'DAUTH'} = 'SHA512';
54fd0535
MT		 4549###
4550# m.a.d n2n end
4551###
4c962356 4552 $cgiparams{'SIDE'} = 'left';
c6c9630e
MT		 4553 if ( ! -f "${General::swroot}/ovpn/ca/cakey.pem" ) {
4554 $cgiparams{'AUTH'} = 'psk';
4555 } elsif ( ! -f "${General::swroot}/ovpn/ca/cacert.pem") {
4556 $cgiparams{'AUTH'} = 'certfile';
4557 } else {
6e13d0a5 4558 $cgiparams{'AUTH'} = 'certgen';
c6c9630e
MT		 4559 }
4560 $cgiparams{'LOCAL_SUBNET'} ="$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
4561 $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'};
4562 $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'};
4563 $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'};
4564 $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'};
c0a7c9b2 4565 $cgiparams{'DAYS_VALID'} = $vpnsettings{'DAYS_VALID'} = '730';
6e13d0a5 4566 }
c6c9630e 4567
6e13d0a5 4568 VPNCONF_ERROR:
6e13d0a5
MT		 4569 $checked{'ENABLED'}{'off'} = '';
4570 $checked{'ENABLED'}{'on'} = '';
4571 $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = 'CHECKED';
4572 $checked{'ENABLED_BLUE'}{'off'} = '';
4573 $checked{'ENABLED_BLUE'}{'on'} = '';
4574 $checked{'ENABLED_BLUE'}{$cgiparams{'ENABLED_BLUE'}} = 'CHECKED';
4575 $checked{'ENABLED_ORANGE'}{'off'} = '';
4576 $checked{'ENABLED_ORANGE'}{'on'} = '';
4577 $checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = 'CHECKED';
c6c9630e
MT		 4578
4579
6e13d0a5
MT		 4580 $checked{'EDIT_ADVANCED'}{'off'} = '';
4581 $checked{'EDIT_ADVANCED'}{'on'} = '';
4582 $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = 'CHECKED';
c6c9630e 4583
6e13d0a5
MT		 4584 $selected{'SIDE'}{'server'} = '';
4585 $selected{'SIDE'}{'client'} = '';
4586 $selected{'SIDE'}{$cgiparams{'SIDE'}} = 'SELECTED';
d96c89eb
AH		 4587
4588 $selected{'PROTOCOL'}{'udp'} = '';
4589 $selected{'PROTOCOL'}{'tcp'} = '';
4590 $selected{'PROTOCOL'}{$cgiparams{'PROTOCOL'}} = 'SELECTED';
4591
c6c9630e 4592
6e13d0a5
MT		 4593 $checked{'AUTH'}{'psk'} = '';
4594 $checked{'AUTH'}{'certreq'} = '';
4595 $checked{'AUTH'}{'certgen'} = '';
4596 $checked{'AUTH'}{'certfile'} = '';
4597 $checked{'AUTH'}{$cgiparams{'AUTH'}} = 'CHECKED';
c6c9630e 4598
6e13d0a5 4599 $selected{'INTERFACE'}{$cgiparams{'INTERFACE'}} = 'SELECTED';
c6c9630e 4600
6e13d0a5
MT		 4601 $checked{'COMPLZO'}{'off'} = '';
4602 $checked{'COMPLZO'}{'on'} = '';
4603 $checked{'COMPLZO'}{$cgiparams{'COMPLZO'}} = 'CHECKED';
c6c9630e 4604
d96c89eb
AH		 4605 $checked{'MSSFIX'}{'off'} = '';
4606 $checked{'MSSFIX'}{'on'} = '';
4607 $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
4608
52f61e49
EKD		 4609 $selected{'DCIPHER'}{'AES-256-GCM'} = '';
4610 $selected{'DCIPHER'}{'AES-192-GCM'} = '';
4611 $selected{'DCIPHER'}{'AES-128-GCM'} = '';
4c962356
EK		 4612 $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
4613 $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
4614 $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
4615 $selected{'DCIPHER'}{'AES-256-CBC'} = '';
4616 $selected{'DCIPHER'}{'AES-192-CBC'} = '';
4617 $selected{'DCIPHER'}{'AES-128-CBC'} = '';
4618 $selected{'DCIPHER'}{'DESX-CBC'} = '';
4619 $selected{'DCIPHER'}{'SEED-CBC'} = '';
4620 $selected{'DCIPHER'}{'DES-EDE3-CBC'} = '';
4621 $selected{'DCIPHER'}{'DES-EDE-CBC'} = '';
4622 $selected{'DCIPHER'}{'CAST5-CBC'} = '';
4623 $selected{'DCIPHER'}{'BF-CBC'} = '';
4c962356 4624 $selected{'DCIPHER'}{'DES-CBC'} = '';
49abe7af
EK		 4625 # If no cipher has been chossen yet, select
4626 # the old default (AES-256-CBC) for compatiblity reasons.
4627 if ($cgiparams{'DCIPHER'} eq '') {
4628 $cgiparams{'DCIPHER'} = 'AES-256-CBC';
4629 }
4c962356 4630 $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED';
49abe7af
EK		 4631 $selected{'DAUTH'}{'whirlpool'} = '';
4632 $selected{'DAUTH'}{'SHA512'} = '';
4633 $selected{'DAUTH'}{'SHA384'} = '';
4634 $selected{'DAUTH'}{'SHA256'} = '';
4635 $selected{'DAUTH'}{'SHA1'} = '';
49abe7af 4636 $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';
0c4ffc69
EK		 4637 $checked{'TLSAUTH'}{'off'} = '';
4638 $checked{'TLSAUTH'}{'on'} = '';
4639 $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED';
49abe7af 4640
6e13d0a5
MT		 4641 if (1) {
4642 &Header::showhttpheaders();
4c962356 4643 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
6e13d0a5
MT		 4644 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
4645 if ($errormessage) {
4646 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
4647 print "<class name='base'>$errormessage";
4648 print "&nbsp;</class>";
4649 &Header::closebox();
4650 }
c6c9630e 4651
6e13d0a5
MT		 4652 if ($warnmessage) {
4653 &Header::openbox('100%', 'LEFT', "$Lang::tr{'warning messages'}:");
4654 print "<class name='base'>$warnmessage";
4655 print "&nbsp;</class>";
4656 &Header::closebox();
4657 }
c6c9630e 4658
6e13d0a5 4659 print "<form method='post' enctype='multipart/form-data'>";
ce9abb66 4660 print "<input type='hidden' name='TYPE' value='$cgiparams{'TYPE'}' />";
c6c9630e 4661
6e13d0a5
MT		 4662 if ($cgiparams{'KEY'}) {
4663 print "<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />";
4664 print "<input type='hidden' name='AUTH' value='$cgiparams{'AUTH'}' />";
6e13d0a5 4665 }
c6c9630e 4666
6e13d0a5 4667 &Header::openbox('100%', 'LEFT', "$Lang::tr{'connection'}:");
8c877a82 4668 print "<table width='100%' border='0'>\n";
4c962356 4669
e3edceeb 4670 print "<tr><td width='14%' class='boldbase'>$Lang::tr{'name'}:&nbsp;<img src='/blob.gif' alt='*' /></td>";
8c877a82 4671
ce9abb66 4672 if ($cgiparams{'TYPE'} eq 'host') {
6e13d0a5 4673 if ($cgiparams{'KEY'}) {
8c877a82 4674 print "<td width='35%' class='base'><input type='hidden' name='NAME' value='$cgiparams{'NAME'}' />$cgiparams{'NAME'}</td>";
6e13d0a5
MT		 4675 } else {
4676 print "<td width='35%'><input type='text' name='NAME' value='$cgiparams{'NAME'}' maxlength='20' size='30' /></td>";
4677 }
c6c9630e
MT		 4678# print "<tr><td>$Lang::tr{'interface'}</td>";
4679# print "<td><select name='INTERFACE'>";
4680# print "<option value='RED' $selected{'INTERFACE'}{'RED'}>RED</option>";
4c962356
EK		 4681# if ($netsettings{'BLUE_DEV'} ne '') {
4682# print "<option value='BLUE' $selected{'INTERFACE'}{'BLUE'}>BLUE</option>";
4683# }
4684# print "<option value='GREEN' $selected{'INTERFACE'}{'GREEN'}>GREEN</option>";
4685# print "<option value='ORANGE' $selected{'INTERFACE'}{'ORANGE'}>ORANGE</option>";
4686# print "</select></td></tr>";
4687# print <<END;
ce9abb66
AH		 4688 } else {
4689 print "<input type='hidden' name='INTERFACE' value='red' />";
4690 if ($cgiparams{'KEY'}) {
4691 print "<td width='25%' class='base' nowrap='nowrap'><input type='hidden' name='NAME' value='$cgiparams{'NAME'}' />$cgiparams{'NAME'}</td>";
4692 } else {
4693 print "<td width='25%'><input type='text' name='NAME' value='$cgiparams{'NAME'}' maxlength='20' /></td>";
4694 }
52f61e49
EKD		 4695
4696 # If GCM ciphers are in usage, HMAC menu is disabled
4697 my $hmacdisabled;
4698 if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') ||
4699 ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') ||
4700 ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) {
4701 $hmacdisabled = "disabled='disabled'";
4702 };
4703
4c962356 4704 print <<END;
ce9abb66 4705 <td width='25%'>&nbsp;</td>
f527e53f
EK		 4706 <td width='25%'>&nbsp;</td></tr>
4707 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'Act as'}</td>
4708 <td><select name='SIDE'>
4709 <option value='server' $selected{'SIDE'}{'server'}>$Lang::tr{'openvpn server'}</option>
4710 <option value='client' $selected{'SIDE'}{'client'}>$Lang::tr{'openvpn client'}</option>
4711 </select>
4712 </td>
4c962356 4713
f527e53f
EK		 4714 <td class='boldbase'>$Lang::tr{'remote host/ip'}:</td>
4715 <td><input type='TEXT' name='REMOTE' value='$cgiparams{'REMOTE'}' /></td>
4716 </tr>
4c962356 4717
e3edceeb 4718 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'local subnet'}&nbsp;<img src='/blob.gif' alt='*' /></td>
f527e53f 4719 <td><input type='TEXT' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' /></td>
4c962356 4720
e3edceeb 4721 <td class='boldbase' nowrap='nowrap'>$Lang::tr{'remote subnet'}&nbsp;<img src='/blob.gif' alt='*' /></td>
f527e53f
EK		 4722 <td><input type='text' name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' /></td>
4723 </tr>
4c962356 4724
e3edceeb 4725 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn subnet'}&nbsp;<img src='/blob.gif' alt='*' /></td>
f527e53f 4726 <td><input type='TEXT' name='OVPN_SUBNET' value='$cgiparams{'OVPN_SUBNET'}' /></td>
49abe7af 4727
f527e53f
EK		 4728 <td class='boldbase' nowrap='nowrap'>$Lang::tr{'protocol'}</td>
4729 <td><select name='PROTOCOL'>
4730 <option value='udp' $selected{'PROTOCOL'}{'udp'}>UDP</option>
4731 <option value='tcp' $selected{'PROTOCOL'}{'tcp'}>TCP</option></select></td>
4732 </tr>
4733
4734 <tr>
e3edceeb 4735 <td class='boldbase'>$Lang::tr{'destination port'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
f527e53f 4736 <td><input type='TEXT' name='DEST_PORT' value='$cgiparams{'DEST_PORT'}' size='5' /></td>
4c962356 4737
e3edceeb 4738 <td class='boldbase' nowrap='nowrap'>Management Port ($Lang::tr{'openvpn default'}: <span class="base">$Lang::tr{'destination port'}):</td>
f527e53f
EK		 4739 <td> <input type='TEXT' name='OVPN_MGMT' VALUE='$cgiparams{'OVPN_MGMT'}'size='5' /></td>
4740 </tr>
49abe7af 4741
f527e53f
EK		 4742 <tr><td colspan=4><hr /></td></tr><tr>
4743
4744 <tr>
4745 <td class'base'><b>$Lang::tr{'MTU settings'}</b></td>
4746 </tr>
49abe7af 4747
e3edceeb 4748 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'MTU'}</td>
f527e53f
EK		 4749 <td><input type='TEXT' name='MTU' VALUE='$cgiparams{'MTU'}'size='5' /></td>
4750 <td colspan='2'>$Lang::tr{'openvpn default'}: udp/tcp <span class="base">1500/1400</span></td>
4751 </tr>
4c962356 4752
e3edceeb 4753 <tr><td class='boldbase' nowrap='nowrap'>fragment:</td>
f527e53f
EK		 4754 <td><input type='TEXT' name='FRAGMENT' VALUE='$cgiparams{'FRAGMENT'}'size='5' /></td>
4755 <td>$Lang::tr{'openvpn default'}: <span class="base">1300</span></td>
4756 </tr>
4c962356 4757
e3edceeb 4758 <tr><td class='boldbase' nowrap='nowrap'>mssfix:</td>
f527e53f
EK		 4759 <td><input type='checkbox' name='MSSFIX' $checked{'MSSFIX'}{'on'} /></td>
4760 <td>$Lang::tr{'openvpn default'}: <span class="base">on</span></td>
4761 </tr>
4c962356 4762
e3edceeb 4763 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'}</td>
f527e53f
EK		 4764 <td><input type='checkbox' name='COMPLZO' $checked{'COMPLZO'}{'on'} /></td>
4765 </tr>
2ee746be 4766
f527e53f
EK		 4767<tr><td colspan=4><hr /></td></tr><tr>
4768 <tr>
4769 <td class'base'><b>$Lang::tr{'ovpn crypt options'}:</b></td>
4770 </tr>
4771
4772 <tr><td class='boldbase'>$Lang::tr{'cipher'}</td>
52f61e49
EKD		 4773 <td><select name='DCIPHER' id="n2ncipher" required>
4774 <option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
4775 <option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
4776 <option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
f527e53f
EK		 4777 <option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
4778 <option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
4779 <option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
f7fb5bc5 4780 <option value='AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'}, $Lang::tr{'default'})</option>
f527e53f
EK		 4781 <option value='AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
4782 <option value='AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
ea6dd5b0
EK		 4783 <option value='SEED-CBC' $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
4784 <option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
4785 <option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
4786 <option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
4787 <option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
4788 <option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
f527e53f
EK		 4789 </select>
4790 </td>
4791
4792 <td class='boldbase'>$Lang::tr{'ovpn ha'}:</td>
52f61e49 4793 <td><select name='DAUTH' id="n2nhmac" $hmacdisabled>
f527e53f
EK		 4794 <option value='whirlpool' $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
4795 <option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
4796 <option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
4797 <option value='SHA256' $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
f3dfb261 4798 <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
f527e53f
EK		 4799 </select>
4800 </td>
4801 </tr>
4802 <tr><td colspan=4><hr /></td></tr><tr>
4803
ce9abb66 4804END
8c877a82 4805;
ce9abb66 4806 }
52f61e49
EKD		 4807
4808#### JAVA SCRIPT ####
4809# Validate N2N cipher. If GCM will be used, HMAC menu will be disabled onchange
4810print<<END;
4811 <script>
4812 var disable_options = false;
4813 document.getElementById('n2ncipher').onchange = function () {
4814 if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM")) {
4815 document.getElementById('n2nhmac').setAttribute('disabled', true);
4816 } else {
4817 document.getElementById('n2nhmac').removeAttribute('disabled');
4818 }
4819 }
4820 </script>
4821END
4822
2ee746be 4823#jumper
e3edceeb 4824 print "<tr><td class='boldbase'>$Lang::tr{'remark title'}</td>";
8c877a82 4825 print "<td colspan='3'><input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='55' maxlength='50' /></td></tr></table>";
c6c9630e 4826
ce9abb66 4827 if ($cgiparams{'TYPE'} eq 'host') {
8c877a82
AM		 4828 print "<tr><td>$Lang::tr{'enabled'} <input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /></td>";
4829 }
ce9abb66 4830
8c877a82
AM		 4831 print"</tr></table><br><br>";
4832#A.Marx CCD new client
e81be1e1 4833if ($cgiparams{'TYPE'} eq 'host') {
8c877a82 4834 print "<table border='0' width='100%' cellspacing='1' cellpadding='0'><tr><td colspan='3'><hr><br><b>$Lang::tr{'ccd choose net'}</td></tr><tr><td height='20' colspan='3'></td></tr>";
8c877a82
AM		 4835 my %vpnnet=();
4836 my $vpnip;
4837 &General::readhash("${General::swroot}/ovpn/settings", \%vpnnet);
4838 $vpnip=$vpnnet{'DOVPN_SUBNET'};
4839 &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
4840 my @ccdconf=();
4841 my $count=0;
4842 my $checked;
4843 $checked{'check1'}{'off'} = '';
4844 $checked{'check1'}{'on'} = '';
4845 $checked{'check1'}{$cgiparams{'CHECK1'}} = 'CHECKED';
4846 print"<tr><td align='center' width='1%' valign='top'><input type='radio' name='CHECK1' value='dynamic' checked /></td><td align='left' valign='top' width='35%'>$Lang::tr{'ccd dynrange'} ($vpnip)</td><td width='30%'>";
4847 print"</td></tr></table><br><br>";
4848 my $name=$cgiparams{'CHECK1'};
4849 $checked{'RG'}{$cgiparams{'RG'}} = 'CHECKED';
4850
4851 if (! -z "${General::swroot}/ovpn/ccd.conf"){
4852 print"<table border='0' width='100%' cellspacing='1' cellpadding='0'><tr><td width='1%'></td><td width='30%' class='boldbase' align='center'><b>$Lang::tr{'ccd name'}</td><td width='15%' class='boldbase' align='center'><b>$Lang::tr{'network'}</td><td class='boldbase' align='center' width='18%'><b>$Lang::tr{'ccd clientip'}</td></tr>";
df9b48b7 4853 foreach my $key (sort { uc($ccdconfhash{$a}[0]) cmp uc($ccdconfhash{$b}[0]) } keys %ccdconfhash) {
8c877a82
AM		 4854 $count++;
4855 @ccdconf=($ccdconfhash{$key}[0],$ccdconfhash{$key}[1]);
4856 if ($count % 2){print"<tr bgcolor='$color{'color22'}'>";}else{print"<tr bgcolor='$color{'color20'}'>";}
4857 print"<td align='center' width='1%'><input type='radio' name='CHECK1' value='$ccdconf[0]' $checked{'check1'}{$ccdconf[0]}/></td><td>$ccdconf[0]</td><td width='40%' align='center'>$ccdconf[1]</td><td align='left' width='10%'>";
4858 &fillselectbox($ccdconf[1],$ccdconf[0],$cgiparams{$name});
4859 print"</td></tr>";
4860 }
4861 print "</table><br><br><hr><br><br>";
4862 }
e81be1e1 4863}
8c877a82 4864# ccd end
6e13d0a5
MT		 4865 &Header::closebox();
4866 if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') {
8c877a82
AM		 4867
4868 } elsif (! $cgiparams{'KEY'}) {
4869
4870
6e13d0a5
MT		 4871 my $disabled='';
4872 my $cakeydisabled='';
4873 my $cacrtdisabled='';
4874 if ( ! -f "${General::swroot}/ovpn/ca/cakey.pem" ) { $cakeydisabled = "disabled='disabled'" } else { $cakeydisabled = "" };
4875 if ( ! -f "${General::swroot}/ovpn/ca/cacert.pem" ) { $cacrtdisabled = "disabled='disabled'" } else { $cacrtdisabled = "" };
8c877a82 4876
6e13d0a5 4877 &Header::openbox('100%', 'LEFT', $Lang::tr{'authentication'});
ce9abb66
AH		 4878
4879
4880 if ($cgiparams{'TYPE'} eq 'host') {
4881
49abe7af 4882 print <<END;
6e13d0a5 4883 <table width='100%' cellpadding='0' cellspacing='5' border='0'>
54fd0535 4884
ce9abb66
AH		 4885 <tr><td><input type='radio' name='AUTH' value='certreq' $checked{'AUTH'}{'certreq'} $cakeydisabled /></td><td class='base'>$Lang::tr{'upload a certificate request'}</td><td class='base' rowspan='2'><input type='file' name='FH' size='30' $cacrtdisabled></td></tr>
4886 <tr><td><input type='radio' name='AUTH' value='certfile' $checked{'AUTH'}{'certfile'} $cacrtdisabled /></td><td class='base'>$Lang::tr{'upload a certificate'}</td></tr>
54fd0535
MT		 4887 <tr><td colspan='3'>&nbsp;</td></tr>
4888 <tr><td colspan='3'><hr /></td></tr>
4889 <tr><td colspan='3'>&nbsp;</td></tr>
ce9abb66 4890 <tr><td><input type='radio' name='AUTH' value='certgen' $checked{'AUTH'}{'certgen'} $cakeydisabled /></td><td class='base'>$Lang::tr{'generate a certificate'}</td><td>&nbsp;</td></tr>
e3edceeb
LS		 4891 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'users fullname or system hostname'}:&nbsp;<img src='/blob.gif' alt='*' /></td><td class='base' nowrap='nowrap'><input type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' SIZE='32' $cakeydisabled /></td></tr>
4892 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'users email'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' SIZE='32' $cakeydisabled /></td></tr>
4893 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'users department'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' SIZE='32' $cakeydisabled /></td></tr>
4894 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'organization name'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' SIZE='32' $cakeydisabled /></td></tr>
4895 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'city'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' SIZE='32' $cakeydisabled /></td></tr>
4896 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'state or province'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' SIZE='32' $cakeydisabled /></td></tr>
ce9abb66 4897 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'country'}:</td><td class='base'><select name='CERT_COUNTRY' $cakeydisabled>
6e13d0a5 4898END
ce9abb66
AH		 4899;
4900
4901###
7c1d9faf 4902# m.a.d net2net
ce9abb66
AH		 4903###
4904
4905} else {
4906
49abe7af 4907 print <<END;
ce9abb66
AH		 4908 <table width='100%' cellpadding='0' cellspacing='5' border='0'>
4909
4910 <tr><td><input type='radio' name='AUTH' value='certgen' $checked{'AUTH'}{'certgen'} $cakeydisabled /></td><td class='base'>$Lang::tr{'generate a certificate'}</td><td>&nbsp;</td></tr>
e3edceeb
LS		 4911 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'users fullname or system hostname'}:&nbsp;<img src='/blob.gif' alt='*' /></td><td class='base' nowrap='nowrap'><input type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' SIZE='32' $cakeydisabled /></td></tr>
4912 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'users email'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' SIZE='32' $cakeydisabled /></td></tr>
4913 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'users department'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' SIZE='32' $cakeydisabled /></td></tr>
4914 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'organization name'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' SIZE='32' $cakeydisabled /></td></tr>
4915 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'city'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' SIZE='32' $cakeydisabled /></td></tr>
4916 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'state or province'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' SIZE='32' $cakeydisabled /></td></tr>
ce9abb66 4917 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'country'}:</td><td class='base'><select name='CERT_COUNTRY' $cakeydisabled>
54fd0535
MT		 4918
4919
ce9abb66
AH		 4920END
4921;
4922
4923}
4924
4925###
7c1d9faf 4926# m.a.d net2net
ce9abb66 4927###
c6c9630e 4928
6e13d0a5
MT		 4929 foreach my $country (sort keys %{Countries::countries}) {
4930 print "<option value='$Countries::countries{$country}'";
4931 if ( $Countries::countries{$country} eq $cgiparams{'CERT_COUNTRY'} ) {
4932 print " selected='selected'";
4933 }
4934 print ">$country</option>";
4935 }
ce9abb66 4936###
7c1d9faf 4937# m.a.d net2net
ce9abb66
AH		 4938###
4939
4940if ($cgiparams{'TYPE'} eq 'host') {
49abe7af 4941 print <<END;
f4fbb935 4942 </select></td></tr>
425465ed 4943 <td>&nbsp;</td><td class='base'>$Lang::tr{'valid till'} (days):&nbsp;<img src='/blob.gif' alt='*' /</td>
f4fbb935
EK		 4944 <td class='base' nowrap='nowrap'><input type='text' name='DAYS_VALID' value='$cgiparams{'DAYS_VALID'}' size='32' $cakeydisabled /></td></tr>
4945 <tr><td>&nbsp;</td>
6e13d0a5
MT		 4946 <td class='base'>$Lang::tr{'pkcs12 file password'}:</td>
4947 <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS1' value='$cgiparams{'CERT_PASS1'}' size='32' $cakeydisabled /></td></tr>
f4fbb935 4948 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'pkcs12 file password'}:<br>($Lang::tr{'confirmation'})</td>
6e13d0a5 4949 <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS2' value='$cgiparams{'CERT_PASS2'}' size='32' $cakeydisabled /></td></tr>
f4fbb935
EK		 4950 <tr><td colspan='3'>&nbsp;</td></tr>
4951 <tr><td colspan='3'><hr /></td></tr>
e3edceeb 4952 <tr><td class='base' colspan='3' align='left'><img src='/blob.gif' alt='*' />&nbsp;$Lang::tr{'required field'}</td></tr>
f4fbb935 4953 </table>
ce9abb66
AH		 4954END
4955}else{
49abe7af 4956 print <<END;
f4fbb935 4957 </select></td></tr>
425465ed 4958 <td>&nbsp;</td><td class='base'>$Lang::tr{'valid till'} (days):&nbsp;<img src='/blob.gif' alt='*' /</td>
f4fbb935
EK		 4959 <td class='base' nowrap='nowrap'><input type='text' name='DAYS_VALID' value='$cgiparams{'DAYS_VALID'}' size='32' $cakeydisabled /></td></tr>
4960 <tr><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td></tr>
4961 <tr><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td></tr>
4962 <tr><td colspan='3'><hr /></td></tr>
e3edceeb 4963 <tr><td class='base' colspan='3' align='left'><img src='/blob.gif' alt='*' />&nbsp;$Lang::tr{'required field'}</td></tr>
ce9abb66
AH		 4964 </table>
4965
c6c9630e 4966END
ce9abb66
AH		 4967}
4968
4969###
7c1d9faf 4970# m.a.d net2net
ce9abb66 4971###
c6c9630e
MT		 4972 ;
4973 &Header::closebox();
8c877a82
AM		 4974
4975 }
e81be1e1
AM		 4976
4977#A.Marx CCD new client
4978if ($cgiparams{'TYPE'} eq 'host') {
8c877a82
AM		 4979 print"<br><br>";
4980 &Header::openbox('100%', 'LEFT', "$Lang::tr{'ccd client options'}:");
4981
8c877a82
AM		 4982
4983 print <<END;
4984 <table border='0' width='100%'>
4985 <tr><td width='20%'>Redirect Gateway:</td><td colspan='3'><input type='checkbox' name='RG' $checked{'RG'}{'on'} /></td></tr>
4986 <tr><td colspan='4'><b><br>$Lang::tr{'ccd routes'}</b></td></tr>
4987 <tr><td colspan='4'>&nbsp</td></tr>
4988 <tr><td valign='top'>$Lang::tr{'ccd iroute'}</td><td align='left' width='30%'><textarea name='IR' cols='26' rows='6' wrap='off'>
4989END
4990
4991 if ($cgiparams{'IR'} ne ''){
4992 print $cgiparams{'IR'};
4993 }else{
4994 &General::readhasharray ("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
4995 foreach my $key (keys %ccdroutehash) {
4996 if( $cgiparams{'NAME'} eq $ccdroutehash{$key}[0]){
4997 foreach my $i (1 .. $#{$ccdroutehash{$key}}) {
4998 if ($ccdroutehash{$key}[$i] ne ''){
4999 print $ccdroutehash{$key}[$i]."\n";
5000 }
5001 $cgiparams{'IR'} .= $ccdroutehash{$key}[$i];
5002 }
5003 }
5004 }
c6c9630e 5005 }
8c877a82
AM		 5006
5007 print <<END;
5008</textarea></td><td valign='top' colspan='2'>$Lang::tr{'ccd iroutehint'}</td></tr>
5009 <tr><td colspan='4'><br></td></tr>
5010 <tr><td valign='top' rowspan='3'>$Lang::tr{'ccd iroute2'}</td><td align='left' valign='top' rowspan='3'><select name='IFROUTE' style="width: 205px"; size='6' multiple>
5011END
52d08bcb
AM		 5012
5013 my $set=0;
5014 my $selorange=0;
5015 my $selblue=0;
5016 my $selgreen=0;
5017 my $helpblue=0;
5018 my $helporange=0;
5019 my $other=0;
df9b48b7 5020 my $none=0;
52d08bcb
AM		 5021 my @temp=();
5022
8c877a82 5023 our @current = ();
52d08bcb
AM		 5024 open(FILE, "${General::swroot}/main/routing") ;
5025 @current = <FILE>;
5026 close (FILE);
5027 &General::readhasharray ("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
df9b48b7
AM		 5028 #check for "none"
5029 foreach my $key (keys %ccdroute2hash) {
5030 if($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}){
5031 if ($ccdroute2hash{$key}[1] eq ''){
5032 $none=1;
5033 last;
5034 }
5035 }
5036 }
5037 if ($none ne '1'){
5038 print"<option>$Lang::tr{'ccd none'}</option>";
5039 }else{
5040 print"<option selected>$Lang::tr{'ccd none'}</option>";
5041 }
52d08bcb
AM		 5042 #check if static routes are defined for client
5043 foreach my $line (@current) {
5044 chomp($line);
5045 $line=~s/\s*$//g; # remove newline
5046 @temp=split(/\,/,$line);
5047 $temp[1] = '' unless defined $temp[1]; # not always populated
5048 my ($a,$b) = split(/\//,$temp[1]);
5049 $temp[1] = $a."/".&General::iporsubtocidr($b);
5050 foreach my $key (keys %ccdroute2hash) {
5051 if($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}){
5052 foreach my $i (1 .. $#{$ccdroute2hash{$key}}) {
5053 if($ccdroute2hash{$key}[$i] eq $a."/".&General::iporsubtodec($b)){
5054 $set=1;
8c877a82
AM		 5055 }
5056 }
8c877a82 5057 }
52d08bcb
AM		 5058 }
5059 if ($set == '1' && $#temp != -1){ print"<option selected>$temp[1]</option>";$set=0;}elsif($set == '0' && $#temp != -1){print"<option>$temp[1]</option>";}
5060 }
3a445974
MT		 5061
5062 my %vpnconfig = ();
5063 &General::readhasharray("${General::swroot}/vpn/config", \%vpnconfig);
5064 foreach my $vpn (keys %vpnconfig) {
5065 # Skip all disabled VPN connections
5066 my $enabled = $vpnconfig{$vpn}[0];
5067 next unless ($enabled eq "on");
5068
5069 my $name = $vpnconfig{$vpn}[1];
5070
5071 # Remote subnets
5072 my @networks = split(/\|/, $vpnconfig{$vpn}[11]);
5073 foreach my $network (@networks) {
5074 my $selected = "";
5075
5076 foreach my $key (keys %ccdroute2hash) {
5077 if ($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}) {
5078 foreach my $i (1 .. $#{$ccdroute2hash{$key}}) {
5079 if ($ccdroute2hash{$key}[$i] eq $network) {
5080 $selected = "selected";
5081 }
5082 }
5083 }
5084 }
5085
5086 print "<option value=\"$network\" $selected>$name ($network)</option>\n";
5087 }
5088 }
5089
52d08bcb
AM		 5090 #check if green,blue,orange are defined for client
5091 foreach my $key (keys %ccdroute2hash) {
5092 if($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}){
5093 $other=1;
5094 foreach my $i (1 .. $#{$ccdroute2hash{$key}}) {
5095 if ($ccdroute2hash{$key}[$i] eq $netsettings{'GREEN_NETADDRESS'}."/".&General::iporsubtodec($netsettings{'GREEN_NETMASK'})){
5096 $selgreen=1;
5097 }
5098 if (&haveBlueNet()){
5099 if( $ccdroute2hash{$key}[$i] eq $netsettings{'BLUE_NETADDRESS'}."/".&General::iporsubtodec($netsettings{'BLUE_NETMASK'})) {
5100 $selblue=1;
5101 }
5102 }
5103 if (&haveOrangeNet()){
5104 if( $ccdroute2hash{$key}[$i] eq $netsettings{'ORANGE_NETADDRESS'}."/".&General::iporsubtodec($netsettings{'ORANGE_NETMASK'}) ) {
5105 $selorange=1;
5106 }
5107 }
5108 }
5109 }
5110 }
5111 if (&haveBlueNet() && $selblue == '1'){ print"<option selected>$Lang::tr{'blue'}</option>";$selblue=0;}elsif(&haveBlueNet() && $selblue == '0'){print"<option>$Lang::tr{'blue'}</option>";}
5112 if (&haveOrangeNet() && $selorange == '1'){ print"<option selected>$Lang::tr{'orange'}</option>";$selorange=0;}elsif(&haveOrangeNet() && $selorange == '0'){print"<option>$Lang::tr{'orange'}</option>";}
5113 if ($selgreen == '1' || $other == '0'){ print"<option selected>$Lang::tr{'green'}</option>";$set=0;}else{print"<option>$Lang::tr{'green'}</option>";};
5114
49abe7af 5115 print<<END;
8c877a82
AM		 5116 </select></td><td valign='top'>DNS1:</td><td valign='top'><input type='TEXT' name='CCD_DNS1' value='$cgiparams{'CCD_DNS1'}' size='30' /></td></tr>
5117 <tr valign='top'><td>DNS2:</td><td><input type='TEXT' name='CCD_DNS2' value='$cgiparams{'CCD_DNS2'}' size='30' /></td></tr>
5118 <tr valign='top'><td valign='top'>WINS:</td><td><input type='TEXT' name='CCD_WINS' value='$cgiparams{'CCD_WINS'}' size='30' /></td></tr></table><br><hr>
5119
5120END
5121;
5122 &Header::closebox();
e81be1e1 5123}
c6c9630e
MT		 5124 print "<div align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />";
5125 if ($cgiparams{'KEY'}) {
5126# print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced'}' />";
5127 }
5128 print "<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></div></form>";
5129 &Header::closebigbox();
5130 &Header::closepage();
5131 exit (0);
6e13d0a5 5132 }
c6c9630e 5133 VPNCONF_END:
6e13d0a5 5134}
c6c9630e
MT		 5135
5136# SETTINGS_ERROR:
6e13d0a5
MT		 5137###
5138### Default status page
5139###
c6c9630e
MT		 5140 %cgiparams = ();
5141 %cahash = ();
5142 %confighash = ();
5143 &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams);
5144 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
5145 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
5146
2feacd98
SS		 5147 open(FILE, "/var/run/ovpnserver.log");
5148 my @status = <FILE>;
5149 close(FILE);
c6c9630e
MT		 5150
5151 if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {
8c877a82
AM		 5152 if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
5153 my $ipaddr = <IPADDR>;
5154 close IPADDR;
5155 chomp ($ipaddr);
5156 $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
5157 if ($cgiparams{'VPN_IP'} eq '') {
5158 $cgiparams{'VPN_IP'} = $ipaddr;
5159 }
5160 }
c6c9630e
MT		 5161 }
5162
6e13d0a5 5163#default setzen
c6c9630e 5164 if ($cgiparams{'DCIPHER'} eq '') {
4c962356 5165 $cgiparams{'DCIPHER'} = 'AES-256-CBC';
c6c9630e 5166 }
c6c9630e 5167 if ($cgiparams{'DDEST_PORT'} eq '') {
4c962356 5168 $cgiparams{'DDEST_PORT'} = '1194';
c6c9630e
MT		 5169 }
5170 if ($cgiparams{'DMTU'} eq '') {
4c962356
EK		 5171 $cgiparams{'DMTU'} = '1400';
5172 }
5173 if ($cgiparams{'MSSFIX'} eq '') {
5174 $cgiparams{'MSSFIX'} = 'off';
5175 }
5176 if ($cgiparams{'DAUTH'} eq '') {
86308adb
EK		 5177 if (-z "${General::swroot}/ovpn/ovpnconfig") {
5178 $cgiparams{'DAUTH'} = 'SHA512';
5179 }
5180 foreach my $key (keys %confighash) {
5181 if ($confighash{$key}[3] ne 'host') {
5182 $cgiparams{'DAUTH'} = 'SHA512';
5183 } else {
5184 $cgiparams{'DAUTH'} = 'SHA1';
5185 }
5186 }
5187 }
0c4ffc69
EK		 5188 if ($cgiparams{'TLSAUTH'} eq '') {
5189 $cgiparams{'TLSAUTH'} = 'off';
5190 }
c6c9630e 5191 if ($cgiparams{'DOVPN_SUBNET'} eq '') {
4c962356 5192 $cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0';
c6c9630e 5193 }
4c962356 5194 $checked{'ENABLED'}{'off'} = '';
c6c9630e
MT		 5195 $checked{'ENABLED'}{'on'} = '';
5196 $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = 'CHECKED';
5197 $checked{'ENABLED_BLUE'}{'off'} = '';
5198 $checked{'ENABLED_BLUE'}{'on'} = '';
5199 $checked{'ENABLED_BLUE'}{$cgiparams{'ENABLED_BLUE'}} = 'CHECKED';
5200 $checked{'ENABLED_ORANGE'}{'off'} = '';
5201 $checked{'ENABLED_ORANGE'}{'on'} = '';
5202 $checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = 'CHECKED';
c6c9630e
MT		 5203
5204 $selected{'DPROTOCOL'}{'udp'} = '';
5205 $selected{'DPROTOCOL'}{'tcp'} = '';
5206 $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
4c962356 5207
52f61e49
EKD		 5208 $selected{'DCIPHER'}{'AES-256-GCM'} = '';
5209 $selected{'DCIPHER'}{'AES-192-GCM'} = '';
5210 $selected{'DCIPHER'}{'AES-128-GCM'} = '';
4c962356
EK		 5211 $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
5212 $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
5213 $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
5214 $selected{'DCIPHER'}{'AES-256-CBC'} = '';
5215 $selected{'DCIPHER'}{'AES-192-CBC'} = '';
5216 $selected{'DCIPHER'}{'AES-128-CBC'} = '';
c6c9630e
MT		 5217 $selected{'DCIPHER'}{'DES-EDE3-CBC'} = '';
5218 $selected{'DCIPHER'}{'DESX-CBC'} = '';
4c962356
EK		 5219 $selected{'DCIPHER'}{'SEED-CBC'} = '';
5220 $selected{'DCIPHER'}{'DES-EDE-CBC'} = '';
5221 $selected{'DCIPHER'}{'CAST5-CBC'} = '';
5222 $selected{'DCIPHER'}{'BF-CBC'} = '';
4c962356 5223 $selected{'DCIPHER'}{'DES-CBC'} = '';
c6c9630e 5224 $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED';
4c962356
EK		 5225
5226 $selected{'DAUTH'}{'whirlpool'} = '';
5227 $selected{'DAUTH'}{'SHA512'} = '';
5228 $selected{'DAUTH'}{'SHA384'} = '';
5229 $selected{'DAUTH'}{'SHA256'} = '';
4c962356
EK		 5230 $selected{'DAUTH'}{'SHA1'} = '';
5231 $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';
5232
0c4ffc69
EK		 5233 $checked{'TLSAUTH'}{'off'} = '';
5234 $checked{'TLSAUTH'}{'on'} = '';
5235 $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED';
5236
c6c9630e
MT		 5237 $checked{'DCOMPLZO'}{'off'} = '';
5238 $checked{'DCOMPLZO'}{'on'} = '';
5239 $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED';
4c962356 5240
d96c89eb
AH		 5241# m.a.d
5242 $checked{'MSSFIX'}{'off'} = '';
5243 $checked{'MSSFIX'}{'on'} = '';
5244 $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
6e13d0a5 5245#new settings
c6c9630e
MT		 5246 &Header::showhttpheaders();
5247 &Header::openpage($Lang::tr{'status ovpn'}, 1, '');
5248 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
6e13d0a5 5249
c6c9630e 5250 if ($errormessage) {
6e13d0a5
MT		 5251 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
5252 print "<class name='base'>$errormessage\n";
5253 print "&nbsp;</class>\n";
5254 &Header::closebox();
c6c9630e 5255 }
6e13d0a5 5256
400c8afd
EK		 5257 if ($cryptoerror) {
5258 &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto error'});
5259 print "<class name='base'>$cryptoerror";
5260 print "&nbsp;</class>";
5261 &Header::closebox();
5262 }
5263
5264 if ($cryptowarning) {
5265 &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto warning'});
5266 print "<class name='base'>$cryptowarning";
5267 print "&nbsp;</class>";
5268 &Header::closebox();
5269 }
5270
b2e75449
MT		 5271 if ($warnmessage) {
5272 &Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'});
5273 print "$warnmessage<br>";
5274 print "$Lang::tr{'fwdfw warn1'}<br>";
5275 &Header::closebox();
5276 print"<center><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'ok'}' style='width: 5em;'></form>";
5277 &Header::closepage();
5278 exit 0;
5279 }
4d81e0f3 5280
c6c9630e
MT		 5281 my $sactive = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourred}' width='50%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'stopped'}</font></b></td></tr></table>";
5282 my $srunning = "no";
5283 my $activeonrun = "";
5284 if ( -e "/var/run/openvpn.pid"){
6e13d0a5
MT		 5285 $sactive = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourgreen}' width='50%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'running'}</font></b></td></tr></table>";
5286 $srunning ="yes";
5287 $activeonrun = "";
c6c9630e 5288 } else {
6e13d0a5 5289 $activeonrun = "disabled='disabled'";
c6c9630e 5290 }
afabe9f7 5291 &Header::openbox('100%', 'LEFT', $Lang::tr{'global settings'});
4c962356 5292 print <<END;
631b67b7 5293 <table width='100%' border='0'>
c6c9630e
MT		 5294 <form method='post'>
5295 <td width='25%'>&nbsp;</td>
5296 <td width='25%'>&nbsp;</td>
5297 <td width='25%'>&nbsp;</td></tr>
5298 <tr><td class='boldbase'>$Lang::tr{'ovpn server status'}</td>
5299 <td align='left'>$sactive</td>
5300 <tr><td class='boldbase'>$Lang::tr{'ovpn on red'}</td>
8c877a82 5301 <td><input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /></td>
c6c9630e
MT		 5302END
5303;
5304 if (&haveBlueNet()) {
5305 print "<tr><td class='boldbase'>$Lang::tr{'ovpn on blue'}</td>";
5306 print "<td><input type='checkbox' name='ENABLED_BLUE' $checked{'ENABLED_BLUE'}{'on'} /></td>";
5307 }
5308 if (&haveOrangeNet()) {
5309 print "<tr><td class='boldbase'>$Lang::tr{'ovpn on orange'}</td>";
5310 print "<td><input type='checkbox' name='ENABLED_ORANGE' $checked{'ENABLED_ORANGE'}{'on'} /></td>";
86308adb
EK		 5311 }
5312
5313 print <<END;
5314
5315 <tr><td colspan='4'><br></td></tr>
5316 <tr>
5317 <td class'base'><b>$Lang::tr{'net config'}:</b></td>
5318 </tr>
5319 <tr><td colspan='1'><br></td></tr>
5320
4e17adad
CS		 5321 <tr><td class='base' nowrap='nowrap' colspan='2'>$Lang::tr{'local vpn hostname/ip'}:<br /><input type='text' name='VPN_IP' value='$cgiparams{'VPN_IP'}' size='30' /></td>
5322 <td class='boldbase' nowrap='nowrap' colspan='2'>$Lang::tr{'ovpn subnet'}<br /><input type='TEXT' name='DOVPN_SUBNET' value='$cgiparams{'DOVPN_SUBNET'}' size='30' /></td></tr>
c6c9630e
MT		 5323 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'protocol'}</td>
5324 <td><select name='DPROTOCOL'><option value='udp' $selected{'DPROTOCOL'}{'udp'}>UDP</option>
5325 <option value='tcp' $selected{'DPROTOCOL'}{'tcp'}>TCP</option></select></td>
5326 <td class='boldbase'>$Lang::tr{'destination port'}:</td>
5327 <td><input type='TEXT' name='DDEST_PORT' value='$cgiparams{'DDEST_PORT'}' size='5' /></td></tr>
5328 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'MTU'}&nbsp;</td>
bc2b3e94 5329 <td> <input type='TEXT' name='DMTU' VALUE='$cgiparams{'DMTU'}' size='5' /></td>
86308adb
EK		 5330 </tr>
5331
5332 <tr><td colspan='4'><br></td></tr>
5333 <tr>
5334 <td class'base'><b>$Lang::tr{'ovpn crypt options'}:</b></td>
5335 </tr>
5336 <tr><td colspan='1'><br></td></tr>
5337
5338 <tr>
5339 <td class='base'>$Lang::tr{'ovpn ha'}</td>
5340 <td><select name='DAUTH'>
5341 <option value='whirlpool' $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
5342 <option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
5343 <option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
5344 <option value='SHA256' $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
5345 <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
5346 </select>
5347 </td>
f527e53f 5348
4c962356
EK		 5349 <td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td>
5350 <td><select name='DCIPHER'>
52f61e49
EKD		 5351 <option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
5352 <option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
5353 <option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
4c962356 5354 <option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
f527e53f 5355 <option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
4c962356
EK		 5356 <option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
5357 <option value='AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'})</option>
5358 <option value='AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
5359 <option value='AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
4c962356 5360 <option value='SEED-CBC' $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
ea6dd5b0
EK		 5361 <option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
5362 <option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
5363 <option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
5364 <option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
5365 <option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
4c962356
EK		 5366 </select>
5367 </td>
4c962356 5368 </tr>
0c4ffc69
EK		 5369
5370 <tr><td colspan='4'><br></td></tr>
5371 <tr>
5372 <td class='base'>$Lang::tr{'ovpn tls auth'}</td>
5373 <td><input type='checkbox' name='TLSAUTH' $checked{'TLSAUTH'}{'on'} /></td>
5374 </tr>
5375
f7edf97a 5376 <tr><td colspan='4'><br><br></td></tr>
c6c9630e
MT		 5377END
5378;
5379
5380 if ( $srunning eq "yes" ) {
8c877a82
AM		 5381 print "<tr><td align='right' colspan='4'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' disabled='disabled' />";
5382 print "<input type='submit' name='ACTION' value='$Lang::tr{'ccd net'}' />";
5383 print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />";
5384 print "<input type='submit' name='ACTION' value='$Lang::tr{'stop ovpn server'}' /></td></tr>";
c6c9630e 5385 } else{
8c877a82
AM		 5386 print "<tr><td align='right' colspan='4'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />";
5387 print "<input type='submit' name='ACTION' value='$Lang::tr{'ccd net'}' />";
5388 print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />";
c6c9630e
MT		 5389 if (( -e "${General::swroot}/ovpn/ca/cacert.pem" &&
5390 -e "${General::swroot}/ovpn/ca/dh1024.pem" &&
5391 -e "${General::swroot}/ovpn/certs/servercert.pem" &&
5392 -e "${General::swroot}/ovpn/certs/serverkey.pem") &&
5393 (( $cgiparams{'ENABLED'} eq 'on') ||
5394 ( $cgiparams{'ENABLED_BLUE'} eq 'on') ||
5395 ( $cgiparams{'ENABLED_ORANGE'} eq 'on'))){
8c877a82 5396 print "<input type='submit' name='ACTION' value='$Lang::tr{'start ovpn server'}' /></td></tr>";
c6c9630e 5397 } else {
8c877a82 5398 print "<input type='submit' name='ACTION' value='$Lang::tr{'start ovpn server'}' disabled='disabled' /></td></tr>";
c6c9630e
MT		 5399 }
5400 }
5401 print "</form></table>";
5402 &Header::closebox();
6e13d0a5 5403
c6c9630e 5404 if ( -f "${General::swroot}/ovpn/ca/cacert.pem" ) {
ce9abb66 5405###
7c1d9faf 5406# m.a.d net2net
54fd0535 5407#<td width='25%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b><br /><img src='/images/null.gif' width='125' height='1' border='0' alt='L2089' /></td>
ce9abb66
AH		 5408###
5409
4c962356 5410 &Header::openbox('100%', 'LEFT', $Lang::tr{'connection status and controlc' });
c6c9630e 5411 ;
99bfa85c
AM		 5412 my $id = 0;
5413 my $gif;
f7edf97a 5414 my $col1="";
5b942f7f 5415 my $lastnet;
c8b51e28 5416 foreach my $key (sort { ncmp ($confighash{$a}[32],$confighash{$b}[32]) } sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) {
5b942f7f
AM		 5417 if ($confighash{$key}[32] eq "" && $confighash{$key}[3] eq 'net' ){$confighash{$key}[32]=$Lang::tr{'fwhost OpenVPN N-2-N'};}
5418 if ($confighash{$key}[32] eq "dynamic"){$confighash{$key}[32]=$Lang::tr{'ccd dynrange'};}
5419 if($id == 0){
5420 print"<b>$confighash{$key}[32]</b>";
5421 print <<END;
5422 <table width='100%' cellspacing='1' cellpadding='0' class='tbl'>
5423<tr>
5424 <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></th>
5425 <th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th>
5426 <th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
5427 <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
71af643c 5428 <th width='5%' class='boldbase' colspan='7' align='center'><b>$Lang::tr{'action'}</b></th>
5b942f7f
AM		 5429</tr>
5430END
5431 }
5432 if ($id > 0 && $lastnet ne $confighash{$key}[32]){
5433 print "</table><br>";
5434 print"<b>$confighash{$key}[32]</b>";
5435 print <<END;
5436 <table width='100%' cellspacing='1' cellpadding='0' class='tbl'>
5437<tr>
5438 <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></th>
5439 <th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th>
5440 <th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
5441 <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
71af643c 5442 <th width='5%' class='boldbase' colspan='7' align='center'><b>$Lang::tr{'action'}</b></th>
5b942f7f
AM		 5443</tr>
5444END
5445 }
eff2dbf8 5446 if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; }
c6c9630e 5447 if ($id % 2) {
99bfa85c
AM		 5448 print "<tr>";
5449 $col="bgcolor='$color{'color20'}'";
bb89e92a 5450 } else {
99bfa85c
AM		 5451 print "<tr>";
5452 $col="bgcolor='$color{'color22'}'";
c6c9630e 5453 }
99bfa85c
AM		 5454 print "<td align='center' nowrap='nowrap' $col>$confighash{$key}[1]</td>";
5455 print "<td align='center' nowrap='nowrap' $col>" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ")</td>";
8c877a82
AM		 5456 #if ($confighash{$key}[4] eq 'cert') {
5457 #print "<td align='left' nowrap='nowrap'>$confighash{$key}[2]</td>";
5458 #} else {
5459 #print "<td align='left'>&nbsp;</td>";
5460 #}
2feacd98
SS		 5461 my @cavalid = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem");
5462 my $cavalid;
5463
5464 foreach my $line (@cavalid) {
5465 if ($line =~ /Not After : (.*)[\n]/) {
5466 $cavalid = $1;
5467
5468 last;
5469 }
5470 }
5471
99bfa85c 5472 print "<td align='center' $col>$confighash{$key}[25]</td>";
f7edf97a
AM		 5473 $col1="bgcolor='${Header::colourred}'";
5474 my $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>";
ce9abb66 5475
c6c9630e 5476 if ($confighash{$key}[0] eq 'off') {
f7edf97a
AM		 5477 $col1="bgcolor='${Header::colourblue}'";
5478 $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>";
c6c9630e 5479 } else {
ce9abb66
AH		 5480
5481###
7c1d9faf 5482# m.a.d net2net
f7edf97a
AM		 5483###
5484
b278daf3 5485 if ($confighash{$key}[3] eq 'net') {
54fd0535
MT		 5486
5487 if (-e "/var/run/$confighash{$key}[1]n2n.pid") {
5488 my @output = "";
5489 my @tustate = "";
5490 my $tport = $confighash{$key}[22];
5491 my $tnet = new Net::Telnet ( Timeout=>5, Errmode=>'return', Port=>$tport);
5492 if ($tport ne '') {
5493 $tnet->open('127.0.0.1');
5494 @output = $tnet->cmd(String => 'state', Prompt => '/(END.*\n|ERROR:.*\n)/');
5495 @tustate = split(/\,/, $output[1]);
5496###
5497#CONNECTING -- OpenVPN's initial state.
5498#WAIT -- (Client only) Waiting for initial response from server.
5499#AUTH -- (Client only) Authenticating with server.
5500#GET_CONFIG -- (Client only) Downloading configuration options from server.
5501#ASSIGN_IP -- Assigning IP address to virtual network interface.
5502#ADD_ROUTES -- Adding routes to system.
5503#CONNECTED -- Initialization Sequence Completed.
5504#RECONNECTING -- A restart has occurred.
5505#EXITING -- A graceful exit is in progress.
5506####
5507
ed4b4c19 5508 if (($tustate[1] eq 'CONNECTED') || ($tustate[1] eq 'WAIT')) {
f7edf97a
AM		 5509 $col1="bgcolor='${Header::colourgreen}'";
5510 $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>";
5511 }else {
5512 $col1="bgcolor='${Header::colourred}'";
5513 $active = "<b><font color='#FFFFFF'>$tustate[1]</font></b>";
5514 }
54fd0535 5515 }
54fd0535 5516 }
f7edf97a
AM		 5517 }else {
5518
5519 my $cn;
5520 my @match = ();
5521 foreach my $line (@status) {
5522 chomp($line);
5523 if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) {
5524 @match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line);
5525 if ($match[1] ne "Common Name") {
5526 $cn = $match[1];
5527 }
5528 $cn =~ s/[_]/ /g;
5529 if ($cn eq "$confighash{$key}[2]") {
5530 $col1="bgcolor='${Header::colourgreen}'";
5531 $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>";
5532 }
5533 }
5534 }
c6c9630e 5535 }
7c1d9faf 5536}
ce9abb66
AH		 5537
5538
4c962356 5539 print <<END;
f7edf97a 5540 <td align='center' $col1>$active</td>
c6c9630e 5541
99bfa85c 5542 <form method='post' name='frm${key}a'><td align='center' $col>
96096995
AM		 5543 <input type='image' name='$Lang::tr{'dl client arch'}' src='/images/openvpn.png' alt='$Lang::tr{'dl client arch'}' title='$Lang::tr{'dl client arch'}' border='0' />
5544 <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
5545 <input type='hidden' name='KEY' value='$key' />
c6c9630e
MT		 5546 </td></form>
5547END
5548 ;
71af643c
MT		 5549
5550 if ($confighash{$key}[41] eq "no-pass") {
5551 print <<END;
5552 <form method='post' name='frm${key}g'><td align='center' $col>
5553 <input type='image' name='$Lang::tr{'dl client arch insecure'}' src='/images/openvpn.png'
5554 alt='$Lang::tr{'dl client arch insecure'}' title='$Lang::tr{'dl client arch insecure'}' border='0' />
5555 <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
5556 <input type='hidden' name='MODE' value='insecure' />
5557 <input type='hidden' name='KEY' value='$key' />
5558 </td></form>
5559END
5560 } else {
5561 print "<td $col>&nbsp;</td>";
5562 }
5563
c6c9630e 5564 if ($confighash{$key}[4] eq 'cert') {
4c962356 5565 print <<END;
99bfa85c 5566 <form method='post' name='frm${key}b'><td align='center' $col>
c6c9630e
MT		 5567 <input type='image' name='$Lang::tr{'show certificate'}' src='/images/info.gif' alt='$Lang::tr{'show certificate'}' title='$Lang::tr{'show certificate'}' border='0' />
5568 <input type='hidden' name='ACTION' value='$Lang::tr{'show certificate'}' />
5569 <input type='hidden' name='KEY' value='$key' />
5570 </td></form>
5571END
5572 ; } else {
5573 print "<td>&nbsp;</td>";
5574 }
5575 if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$key}[1].p12") {
4c962356 5576 print <<END;
99bfa85c 5577 <form method='post' name='frm${key}c'><td align='center' $col>
438dd0cc 5578 <input type='image' name='$Lang::tr{'download pkcs12 file'}' src='/images/media-floppy.png' alt='$Lang::tr{'download pkcs12 file'}' title='$Lang::tr{'download pkcs12 file'}' border='0' />
c6c9630e
MT		 5579 <input type='hidden' name='ACTION' value='$Lang::tr{'download pkcs12 file'}' />
5580 <input type='hidden' name='KEY' value='$key' />
5581 </td></form>
5582END
5583 ; } elsif ($confighash{$key}[4] eq 'cert') {
4c962356 5584 print <<END;
99bfa85c 5585 <form method='post' name='frm${key}c'><td align='center' $col>
438dd0cc 5586 <input type='image' name='$Lang::tr{'download certificate'}' src='/images/media-floppy.png' alt='$Lang::tr{'download certificate'}' title='$Lang::tr{'download certificate'}' border='0' />
c6c9630e
MT		 5587 <input type='hidden' name='ACTION' value='$Lang::tr{'download certificate'}' />
5588 <input type='hidden' name='KEY' value='$key' />
5589 </td></form>
5590END
5591 ; } else {
5592 print "<td>&nbsp;</td>";
5593 }
5594 print <<END
99bfa85c 5595 <form method='post' name='frm${key}d'><td align='center' $col>
c6c9630e
MT		 5596 <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$Lang::tr{'toggle enable disable'}' title='$Lang::tr{'toggle enable disable'}' border='0' />
5597 <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' />
5598 <input type='hidden' name='KEY' value='$key' />
5599 </td></form>
5600
99bfa85c 5601 <form method='post' name='frm${key}e'><td align='center' $col>
c6c9630e
MT		 5602 <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' />
5603 <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' width='20' height='20' border='0'/>
5604 <input type='hidden' name='KEY' value='$key' />
5605 </td></form>
99bfa85c 5606 <form method='post' name='frm${key}f'><td align='center' $col>
c6c9630e
MT		 5607 <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}' />
5608 <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' width='20' height='20' border='0' />
5609 <input type='hidden' name='KEY' value='$key' />
5610 </td></form>
5611 </tr>
5612END
5613 ;
5614 $id++;
5b942f7f 5615 $lastnet = $confighash{$key}[32];
c6c9630e 5616 }
5b942f7f 5617 print"</table>";
c6c9630e
MT		 5618 ;
5619
5620 # If the config file contains entries, print Key to action icons
5621 if ( $id ) {
4c962356 5622 print <<END;
8c877a82 5623 <table border='0'>
c6c9630e 5624 <tr>
4c962356
EK		 5625 <td class='boldbase'>&nbsp; <b>$Lang::tr{'legend'}:</b></td>
5626 <td>&nbsp; <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td>
5627 <td class='base'>$Lang::tr{'click to disable'}</td>
5628 <td>&nbsp; &nbsp; <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>
5629 <td class='base'>$Lang::tr{'show certificate'}</td>
5630 <td>&nbsp; &nbsp; <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td>
5631 <td class='base'>$Lang::tr{'edit'}</td>
5632 <td>&nbsp; &nbsp; <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td>
5633 <td class='base'>$Lang::tr{'remove'}</td>
c6c9630e
MT		 5634 </tr>
5635 <tr>
4c962356
EK		 5636 <td>&nbsp; </td>
5637 <td>&nbsp; <img src='/images/off.gif' alt='?OFF' /></td>
5638 <td class='base'>$Lang::tr{'click to enable'}</td>
5639 <td>&nbsp; &nbsp; <img src='/images/media-floppy.png' alt='?FLOPPY' /></td>
5640 <td class='base'>$Lang::tr{'download certificate'}</td>
5641 <td>&nbsp; &nbsp; <img src='/images/openvpn.png' alt='?RELOAD'/></td>
5642 <td class='base'>$Lang::tr{'dl client arch'}</td>
5643 </tr>
f7edf97a 5644 </table><br>
c6c9630e
MT		 5645END
5646 ;
5647 }
5648
4c962356 5649 print <<END;
c6c9630e
MT		 5650 <table width='100%'>
5651 <form method='post'>
4c962356
EK		 5652 <tr><td align='right'>
5653 <input type='submit' name='ACTION' value='$Lang::tr{'add'}' />
5654 <input type='submit' name='ACTION' value='$Lang::tr{'ovpn con stat'}' $activeonrun /></td>
5655 </tr>
c6c9630e
MT		 5656 </form>
5657 </table>
5658END
4c962356
EK		 5659 ;
5660 &Header::closebox();
5661 }
fd5ccb2d
EK		 5662
5663 # CA/key listing
4c962356
EK		 5664 &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate authorities'}");
5665 print <<END;
5666 <table width='100%' cellspacing='1' cellpadding='0' class='tbl'>
5667 <tr>
5668 <th width='25%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></th>
5669 <th width='65%' class='boldbase' align='center'><b>$Lang::tr{'subject'}</b></th>
5670 <th width='10%' class='boldbase' colspan='3' align='center'><b>$Lang::tr{'action'}</b></th>
5671 </tr>
5672END
5673 ;
5674 my $col1="bgcolor='$color{'color22'}'";
f7fb5bc5 5675 my $col2="bgcolor='$color{'color20'}'";
c8f50356 5676 # DH parameter line
f7fb5bc5 5677 my $col3="bgcolor='$color{'color22'}'";
fd5ccb2d
EK		 5678 # ta.key line
5679 my $col4="bgcolor='$color{'color20'}'";
f7fb5bc5 5680
4c962356 5681 if (-f "${General::swroot}/ovpn/ca/cacert.pem") {
2feacd98
SS		 5682 my @casubject = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/cacert.pem");
5683 my $casubject;
5684
5685 foreach my $line (@casubject) {
5686 if ($line =~ /Subject: (.*)[\n]/) {
5687 $casubject = $1;
5688 $casubject =~ s+/Email+, E+;
5689 $casubject =~ s/ ST=/ S=/;
5690
5691 last;
5692 }
5693 }
5694
4c962356
EK		 5695 print <<END;
5696 <tr>
5697 <td class='base' $col1>$Lang::tr{'root certificate'}</td>
5698 <td class='base' $col1>$casubject</td>
c8f50356 5699 <form method='post' name='frmrootcrta'><td width='3%' align='center' $col1>
4c962356
EK		 5700 <input type='hidden' name='ACTION' value='$Lang::tr{'show root certificate'}' />
5701 <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show root certificate'}' title='$Lang::tr{'show root certificate'}' width='20' height='20' border='0' />
c8f50356
EK		 5702 </form>
5703 <form method='post' name='frmrootcrtb'><td width='3%' align='center' $col1>
4c962356
EK		 5704 <input type='image' name='$Lang::tr{'download root certificate'}' src='/images/media-floppy.png' alt='$Lang::tr{'download root certificate'}' title='$Lang::tr{'download root certificate'}' border='0' />
5705 <input type='hidden' name='ACTION' value='$Lang::tr{'download root certificate'}' />
c8f50356
EK		 5706 </form>
5707 <td width='4%' $col1>&nbsp;</td>
5708 </tr>
4c962356
EK		 5709END
5710 ;
5711 } else {
5712 # display rootcert generation buttons
5713 print <<END;
5714 <tr>
5715 <td class='base' $col1>$Lang::tr{'root certificate'}:</td>
5716 <td class='base' $col1>$Lang::tr{'not present'}</td>
c8f50356
EK		 5717 <td colspan='3' $col1>&nbsp;</td>
5718 </tr>
4c962356
EK		 5719END
5720 ;
5721 }
5722
5723 if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
2feacd98
SS		 5724 my @hostsubject = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
5725 my $hostsubject;
5726
5727 foreach my $line (@hostsubject) {
5728 if ($line =~ /Subject: (.*)[\n]/) {
5729 $hostsubject = $1;
5730 $hostsubject =~ s+/Email+, E+;
5731 $hostsubject =~ s/ ST=/ S=/;
5732
5733 last;
5734 }
5735 }
4c962356
EK		 5736
5737 print <<END;
5738 <tr>
5739 <td class='base' $col2>$Lang::tr{'host certificate'}</td>
5740 <td class='base' $col2>$hostsubject</td>
c8f50356 5741 <form method='post' name='frmhostcrta'><td width='3%' align='center' $col2>
4c962356
EK		 5742 <input type='hidden' name='ACTION' value='$Lang::tr{'show host certificate'}' />
5743 <input type='image' name='$Lang::tr{'show host certificate'}' src='/images/info.gif' alt='$Lang::tr{'show host certificate'}' title='$Lang::tr{'show host certificate'}' width='20' height='20' border='0' />
c8f50356
EK		 5744 </form>
5745 <form method='post' name='frmhostcrtb'><td width='3%' align='center' $col2>
4c962356
EK		 5746 <input type='image' name="$Lang::tr{'download host certificate'}" src='/images/media-floppy.png' alt="$Lang::tr{'download host certificate'}" title="$Lang::tr{'download host certificate'}" border='0' />
5747 <input type='hidden' name='ACTION' value="$Lang::tr{'download host certificate'}" />
c8f50356
EK		 5748 </td></form>
5749 <td width='4%' $col2>&nbsp;</td>
5750 </tr>
4c962356
EK		 5751END
5752 ;
5753 } else {
5754 # Nothing
5755 print <<END;
5756 <tr>
5757 <td width='25%' class='base' $col2>$Lang::tr{'host certificate'}:</td>
5758 <td class='base' $col2>$Lang::tr{'not present'}</td>
c8f50356
EK		 5759 </td><td colspan='3' $col2>&nbsp;</td>
5760 </tr>
4c962356
EK		 5761END
5762 ;
5763 }
ce9abb66 5764
f7fb5bc5
EK		 5765 # Adding DH parameter to chart
5766 if (-f "${General::swroot}/ovpn/ca/dh1024.pem") {
b959b9f5 5767 my @dhsubject = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/dh1024.pem");
2feacd98 5768 my $dhsubject;
f7fb5bc5 5769
2feacd98
SS		 5770 foreach my $line (@dhsubject) {
5771 if ($line =~ / (.*)[\n]/) {
5772 $dhsubject = $1;
5773
5774 last;
5775 }
5776 }
f7fb5bc5
EK		 5777
5778 print <<END;
5779 <tr>
5780 <td class='base' $col3>$Lang::tr{'dh parameter'}</td>
5781 <td class='base' $col3>$dhsubject</td>
c8f50356 5782 <form method='post' name='frmdhparam'><td width='3%' align='center' $col3>
f7fb5bc5
EK		 5783 <input type='hidden' name='ACTION' value='$Lang::tr{'show dh'}' />
5784 <input type='image' name='$Lang::tr{'show dh'}' src='/images/info.gif' alt='$Lang::tr{'show dh'}' title='$Lang::tr{'show dh'}' width='20' height='20' border='0' />
c8f50356
EK		 5785 </form>
5786 <form method='post' name='frmdhparam'><td width='3%' align='center' $col3>
c8f50356
EK		 5787 </form>
5788 <td width='4%' $col3>&nbsp;</td>
5789 </tr>
f7fb5bc5
EK		 5790END
5791 ;
5792 } else {
5793 # Nothing
5794 print <<END;
5795 <tr>
5796 <td width='25%' class='base' $col3>$Lang::tr{'dh parameter'}:</td>
5797 <td class='base' $col3>$Lang::tr{'not present'}</td>
c8f50356
EK		 5798 </td><td colspan='3' $col3>&nbsp;</td>
5799 </tr>
f7fb5bc5
EK		 5800END
5801 ;
5802 }
5803
fd5ccb2d
EK		 5804 # Adding ta.key to chart
5805 if (-f "${General::swroot}/ovpn/certs/ta.key") {
2feacd98
SS		 5806 open(FILE, "${General::swroot}/ovpn/certs/ta.key");
5807 my @tasubject = <FILE>;
5808 close(FILE);
5809
5810 my $tasubject;
5811 foreach my $line (@tasubject) {
5812 if($line =~ /# (.*)[\n]/) {
5813 $tasubject = $1;
5814
5815 last;
5816 }
5817 }
5818
fd5ccb2d
EK		 5819 print <<END;
5820
5821 <tr>
5822 <td class='base' $col4>$Lang::tr{'ta key'}</td>
5823 <td class='base' $col4>$tasubject</td>
5824 <form method='post' name='frmtakey'><td width='3%' align='center' $col4>
5825 <input type='hidden' name='ACTION' value='$Lang::tr{'show tls-auth key'}' />
5826 <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show tls-auth key'}' title='$Lang::tr{'show tls-auth key'}' width='20' height='20' border='0' />
5827 </form>
5828 <form method='post' name='frmtakey'><td width='3%' align='center' $col4>
5829 <input type='image' name='$Lang::tr{'download tls-auth key'}' src='/images/media-floppy.png' alt='$Lang::tr{'download tls-auth key'}' title='$Lang::tr{'download tls-auth key'}' border='0' />
5830 <input type='hidden' name='ACTION' value='$Lang::tr{'download tls-auth key'}' />
5831 </form>
5832 <td width='4%' $col4>&nbsp;</td>
5833 </tr>
5834END
5835 ;
5836 } else {
5837 # Nothing
5838 print <<END;
5839 <tr>
5840 <td width='25%' class='base' $col4>$Lang::tr{'ta key'}:</td>
5841 <td class='base' $col4>$Lang::tr{'not present'}</td>
5842 <td colspan='3' $col4>&nbsp;</td>
5843 </tr>
5844END
5845 ;
5846 }
5847
4c962356
EK		 5848 if (! -f "${General::swroot}/ovpn/ca/cacert.pem") {
5849 print "<tr><td colspan='5' align='center'><form method='post'>";
5850 print "<input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' />";
5851 print "</form></td></tr>\n";
5852 }
5853
5854 if (keys %cahash > 0) {
5855 foreach my $key (keys %cahash) {
5856 if (($key + 1) % 2) {
5857 print "<tr bgcolor='$color{'color20'}'>\n";
5858 } else {
5859 print "<tr bgcolor='$color{'color22'}'>\n";
5860 }
5861 print "<td class='base'>$cahash{$key}[0]</td>\n";
5862 print "<td class='base'>$cahash{$key}[1]</td>\n";
5863 print <<END;
5864 <form method='post' name='cafrm${key}a'><td align='center'>
5865 <input type='image' name='$Lang::tr{'show ca certificate'}' src='/images/info.gif' alt='$Lang::tr{'show ca certificate'}' title='$Lang::tr{'show ca certificate'}' border='0' />
5866 <input type='hidden' name='ACTION' value='$Lang::tr{'show ca certificate'}' />
5867 <input type='hidden' name='KEY' value='$key' />
5868 </td></form>
5869 <form method='post' name='cafrm${key}b'><td align='center'>
5870 <input type='image' name='$Lang::tr{'download ca certificate'}' src='/images/media-floppy.png' alt='$Lang::tr{'download ca certificate'}' title='$Lang::tr{'download ca certificate'}' border='0' />
5871 <input type='hidden' name='ACTION' value='$Lang::tr{'download ca certificate'}' />
5872 <input type='hidden' name='KEY' value='$key' />
5873 </td></form>
5874 <form method='post' name='cafrm${key}c'><td align='center'>
5875 <input type='hidden' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />
5876 <input type='image' name='$Lang::tr{'remove ca certificate'}' src='/images/delete.gif' alt='$Lang::tr{'remove ca certificate'}' title='$Lang::tr{'remove ca certificate'}' width='20' height='20' border='0' />
5877 <input type='hidden' name='KEY' value='$key' />
5878 </td></form></tr>
5879END
5880 ;
5881 }
5882 }
5883
5884 print "</table>";
5885
5886 # If the file contains entries, print Key to action icons
5887 if ( -f "${General::swroot}/ovpn/ca/cacert.pem") {
5888 print <<END;
5889 <table>
5890 <tr>
5891 <td class='boldbase'>&nbsp; <b>$Lang::tr{'legend'}:</b></td>
5892 <td>&nbsp; &nbsp; <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>
5893 <td class='base'>$Lang::tr{'show certificate'}</td>
5894 <td>&nbsp; &nbsp; <img src='/images/media-floppy.png' alt='$Lang::tr{'download certificate'}' /></td>
5895 <td class='base'>$Lang::tr{'download certificate'}</td>
5896 </tr>
5897 </table>
5898END
5899 ;
5900 }
ce9abb66 5901
4c962356 5902 print <<END
578f23c8
SS		 5903
5904 <br><hr><br>
5905
4c962356 5906 <form method='post' enctype='multipart/form-data'>
578f23c8
SS		 5907 <table border='0' width='100%'>
5908 <tr>
5909 <td colspan='4'><b>$Lang::tr{'upload ca certificate'}</b></td>
5910 </tr>
4c962356 5911
578f23c8
SS		 5912 <tr>
5913 <td width='10%'>$Lang::tr{'ca name'}:</td>
5914 <td width='30%'><input type='text' name='CA_NAME' value='$cgiparams{'CA_NAME'}' size='15' align='left'></td>
5915 <td width='30%'><input type='file' name='FH' size='25'>
5916 <td width='30%'align='right'><input type='submit' name='ACTION' value='$Lang::tr{'upload ca certificate'}'></td>
5917 </tr>
f527e53f 5918
578f23c8
SS		 5919 <tr>
5920 <td colspan='3'>&nbsp;</td>
5921 <td align='right'><input type='submit' name='ACTION' value='$Lang::tr{'show crl'}' /></td>
5922 </tr>
5923 </table>
f527e53f 5924
578f23c8
SS		 5925 <br>
5926
5927 <table border='0' width='100%'>
5928 <tr>
5929 <td colspan='4'><b>$Lang::tr{'ovpn dh parameters'}</b></td>
5930 </tr>
5931
5932 <tr>
5933 <td width='40%'>$Lang::tr{'ovpn dh upload'}:</td>
5934 <td width='30%'><input type='file' name='FH' size='25'>
5935 <td width='30%' align='right'><input type='submit' name='ACTION' value='$Lang::tr{'upload dh key'}'></td>
5936 </tr>
5937
5938 <tr>
5939 <td width='40%'>$Lang::tr{'ovpn dh new key'}:</td>
5940 <td colspan='2' width='60%' align='right'><input type='submit' name='ACTION' value='$Lang::tr{'generate dh key'}' /></td>
5941 </tr>
5942 </table>
5943 </form>
f527e53f 5944
578f23c8 5945 <br><hr>
4c962356
EK		 5946END
5947 ;
5948
5949 if ( $srunning eq "yes" ) {
5950 print "<div align='center'><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' disabled='disabled' /></div></form>\n";
5951 } else {
5952 print "<div align='center'><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' /></div></form>\n";
5953 }
5954 &Header::closebox();
5955END
5956 ;
5957
5958&Header::closepage();
ce9abb66 5959
Peter's tree of IPFire 2.x