print SERVERCONF "ifconfig $ovsubnet.1 $ovsubnet.2\n";
print SERVERCONF "# Client Gateway Network\n";
print SERVERCONF "route $remsubnet[0] $remsubnet[1]\n";
+ print SERVERCONF "up \"/etc/init.d/static-routes start\"\n";
print SERVERCONF "# tun Device\n";
print SERVERCONF "dev tun\n";
print SERVERCONF "#Logfile for statistics\n";
print CLIENTCONF "ifconfig $ovsubnet.2 $ovsubnet.1\n";
print CLIENTCONF "# Server Gateway Network\n";
print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n";
+ print CLIENTCONF "up \"/etc/init.d/static-routes start\"\n";
print CLIENTCONF "# tun Device\n";
print CLIENTCONF "dev tun\n";
+ print CLIENTCONF "#Logfile for statistics\n";
+ print CLIENTCONF "status-version 1\n";
+ print CLIENTCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n";
print CLIENTCONF "# Port and Protokol\n";
print CLIENTCONF "port $cgiparams{'DEST_PORT'}\n";
}
}
}
-
- print CLIENTCONF "ns-cert-type server\n";
+ # Check host certificate if X509 is RFC3280 compliant.
+ # If not, old --ns-cert-type directive will be used.
+ # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
+ my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+ if ($hostcert !~ /TLS Web Server Authentication/) {
+ print CLIENTCONF "ns-cert-type server\n";
+ } else {
+ print CLIENTCONF "remote-cert-tls server\n";
+ }
print CLIENTCONF "# Auth. Client\n";
print CLIENTCONF "tls-client\n";
print CLIENTCONF "# Cipher\n";
print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n";
print CLIENTCONF "# tun Device\n";
print CLIENTCONF "dev tun\n";
+ print CLIENTCONF "#Logfile for statistics\n";
+ print CLIENTCONF "status-version 1\n";
+ print CLIENTCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n";
print CLIENTCONF "# Port and Protokoll\n";
print CLIENTCONF "port $confighash{$cgiparams{'KEY'}}[29]\n";
}
}
}
- print CLIENTCONF "ns-cert-type server\n";
+ # Check host certificate if X509 is RFC3280 compliant.
+ # If not, old --ns-cert-type directive will be used.
+ # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
+ my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+ if ($hostcert !~ /TLS Web Server Authentication/) {
+ print CLIENTCONF "ns-cert-type server\n";
+ } else {
+ print CLIENTCONF "remote-cert-tls server\n";
+ }
print CLIENTCONF "# Auth. Client\n";
print CLIENTCONF "tls-client\n";
print CLIENTCONF "# Cipher\n";
print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
}
+ my $file_crt = new File::Temp( UNLINK => 1 );
+ my $file_key = new File::Temp( UNLINK => 1 );
+ my $include_certs = 0;
+
if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") {
- print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
- $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
+ if ($cgiparams{'MODE'} eq 'insecure') {
+ $include_certs = 1;
+
+ # Add the CA
+ print CLIENTCONF ";ca cacert.pem\r\n";
+ $zip->addFile("${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n";
+
+ # Extract the certificate
+ system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
+ '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:');
+ if ($?) {
+ die "openssl error: $?";
+ }
+
+ $zip->addFile("$file_crt", "$confighash{$cgiparams{'KEY'}}[1].pem") or die;
+ print CLIENTCONF ";cert $confighash{$cgiparams{'KEY'}}[1].pem\r\n";
+
+ # Extract the key
+ system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
+ '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:');
+ if ($?) {
+ die "openssl error: $?";
+ }
+
+ $zip->addFile("$file_key", "$confighash{$cgiparams{'KEY'}}[1].key") or die;
+ print CLIENTCONF ";key $confighash{$cgiparams{'KEY'}}[1].key\r\n";
+ } else {
+ print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
+ $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
+ }
} else {
print CLIENTCONF "ca cacert.pem\r\n";
print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n";
print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
}
if ($vpnsettings{'TLSAUTH'} eq 'on') {
+ if ($cgiparams{'MODE'} eq 'insecure') {
+ print CLIENTCONF ";";
+ }
print CLIENTCONF "tls-auth ta.key\r\n";
$zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key") or die "Can't add file ta.key\n";
}
print CLIENTCONF "comp-lzo\r\n";
}
print CLIENTCONF "verb 3\r\n";
- print CLIENTCONF "ns-cert-type server\r\n";
- print CLIENTCONF "tls-remote $vpnsettings{ROOTCERT_HOSTNAME}\r\n";
+ # Check host certificate if X509 is RFC3280 compliant.
+ # If not, old --ns-cert-type directive will be used.
+ # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
+ my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+ if ($hostcert !~ /TLS Web Server Authentication/) {
+ print CLIENTCONF "ns-cert-type server\r\n";
+ } else {
+ print CLIENTCONF "remote-cert-tls server\r\n";
+ }
+ print CLIENTCONF "verify-x509-name $vpnsettings{ROOTCERT_HOSTNAME} name\r\n";
if ($vpnsettings{MSSFIX} eq 'on') {
print CLIENTCONF "mssfix\r\n";
}
print CLIENTCONF "mtu-disc $vpnsettings{'PMTU_DISCOVERY'}\r\n";
}
}
+
+ if ($include_certs) {
+ print CLIENTCONF "\r\n";
+
+ # CA
+ open(FILE, "<${General::swroot}/ovpn/ca/cacert.pem");
+ print CLIENTCONF "<ca>\r\n";
+ while (<FILE>) {
+ chomp($_);
+ print CLIENTCONF "$_\r\n";
+ }
+ print CLIENTCONF "</ca>\r\n\r\n";
+ close(FILE);
+
+ # Cert
+ open(FILE, "<$file_crt");
+ print CLIENTCONF "<cert>\r\n";
+ while (<FILE>) {
+ chomp($_);
+ print CLIENTCONF "$_\r\n";
+ }
+ print CLIENTCONF "</cert>\r\n\r\n";
+ close(FILE);
+
+ # Key
+ open(FILE, "<$file_key");
+ print CLIENTCONF "<key>\r\n";
+ while (<FILE>) {
+ chomp($_);
+ print CLIENTCONF "$_\r\n";
+ }
+ print CLIENTCONF "</key>\r\n\r\n";
+ close(FILE);
+
+ # TLS auth
+ if ($vpnsettings{'TLSAUTH'} eq 'on') {
+ open(FILE, "<${General::swroot}/ovpn/certs/ta.key");
+ print CLIENTCONF "<tls-auth>\r\n";
+ while (<FILE>) {
+ chomp($_);
+ print CLIENTCONF "$_\r\n";
+ }
+ print CLIENTCONF "</tls-auth>\r\n\r\n";
+ close(FILE);
+ }
+ }
+
# Print client.conf.local if entries exist to client.ovpn
if (!-z $local_clientconf && $vpnsettings{'ADDITIONAL_CONFIGS'} eq 'on') {
open (LCC, "$local_clientconf");
$cgiparams{'PMTU_DISCOVERY'} = 'off';
}
if ($cgiparams{'DAUTH'} eq '') {
- $cgiparams{'DAUTH'} = 'SHA1';
+ $cgiparams{'DAUTH'} = 'SHA512';
}
if ($cgiparams{'TLSAUTH'} eq '') {
$cgiparams{'TLSAUTH'} = 'off';
<option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
<option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
<option value='SHA256' $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
- <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'})</option>
+ <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
</select>
</td>
<td>$Lang::tr{'openvpn default'}: <span class="base">SHA1 (160 $Lang::tr{'bit'})</span></td>
$confighash{$key}[39] = $cgiparams{'DAUTH'};
$confighash{$key}[40] = $cgiparams{'DCIPHER'};
+ if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
+ $confighash{$key}[41] = "no-pass";
+ }
+
&General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
if ($cgiparams{'CHECK1'} ){
$cgiparams{'MSSFIX'} = 'on';
$cgiparams{'FRAGMENT'} = '1300';
$cgiparams{'PMTU_DISCOVERY'} = 'off';
- $cgiparams{'DAUTH'} = 'SHA1';
+ $cgiparams{'DAUTH'} = 'SHA512';
###
# m.a.d n2n end
###
<option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
<option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
<option value='SHA256' $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
- <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'} Default)</option>
+ <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
</select>
</td>
</tr>
}
if ($set == '1' && $#temp != -1){ print"<option selected>$temp[1]</option>";$set=0;}elsif($set == '0' && $#temp != -1){print"<option>$temp[1]</option>";}
}
+
+ my %vpnconfig = ();
+ &General::readhasharray("${General::swroot}/vpn/config", \%vpnconfig);
+ foreach my $vpn (keys %vpnconfig) {
+ # Skip all disabled VPN connections
+ my $enabled = $vpnconfig{$vpn}[0];
+ next unless ($enabled eq "on");
+
+ my $name = $vpnconfig{$vpn}[1];
+
+ # Remote subnets
+ my @networks = split(/\|/, $vpnconfig{$vpn}[11]);
+ foreach my $network (@networks) {
+ my $selected = "";
+
+ foreach my $key (keys %ccdroute2hash) {
+ if ($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}) {
+ foreach my $i (1 .. $#{$ccdroute2hash{$key}}) {
+ if ($ccdroute2hash{$key}[$i] eq $network) {
+ $selected = "selected";
+ }
+ }
+ }
+ }
+
+ print "<option value=\"$network\" $selected>$name ($network)</option>\n";
+ }
+ }
+
#check if green,blue,orange are defined for client
foreach my $key (keys %ccdroute2hash) {
if($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}){
$cgiparams{'MSSFIX'} = 'off';
}
if ($cgiparams{'DAUTH'} eq '') {
- $cgiparams{'DAUTH'} = 'SHA1';
+ $cgiparams{'DAUTH'} = 'SHA512';
}
if ($cgiparams{'DOVPN_SUBNET'} eq '') {
$cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0';
<th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th>
<th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
<th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
- <th width='5%' class='boldbase' colspan='6' align='center'><b>$Lang::tr{'action'}</b></th>
+ <th width='5%' class='boldbase' colspan='7' align='center'><b>$Lang::tr{'action'}</b></th>
</tr>
END
}
<th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th>
<th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
<th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
- <th width='5%' class='boldbase' colspan='6' align='center'><b>$Lang::tr{'action'}</b></th>
+ <th width='5%' class='boldbase' colspan='7' align='center'><b>$Lang::tr{'action'}</b></th>
</tr>
END
}
</td></form>
END
;
+
+ if ($confighash{$key}[41] eq "no-pass") {
+ print <<END;
+ <form method='post' name='frm${key}g'><td align='center' $col>
+ <input type='image' name='$Lang::tr{'dl client arch insecure'}' src='/images/openvpn.png'
+ alt='$Lang::tr{'dl client arch insecure'}' title='$Lang::tr{'dl client arch insecure'}' border='0' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
+ <input type='hidden' name='MODE' value='insecure' />
+ <input type='hidden' name='KEY' value='$key' />
+ </td></form>
+END
+ } else {
+ print "<td $col> </td>";
+ }
+
if ($confighash{$key}[4] eq 'cert') {
print <<END;
<form method='post' name='frm${key}b'><td align='center' $col>