require "${General::swroot}/lang.pl";
require "${General::swroot}/header.pl";
require "${General::swroot}/countries.pl";
-require "${General::swroot}/geoip-functions.pl";
+require "${General::swroot}/location-functions.pl";
# enable only the following on debugging purpose
#use warnings;
my %color = ();
my %mainsettings = ();
&General::readhash("${General::swroot}/main/settings", \%mainsettings);
-&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
+&General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color);
###
### Initialize variables
print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n";
#print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n";
- # Check if we are using mssfix, fragment and set the corretct mtu of 1500.
- # If we doesn't use one of them, we can use the configured mtu value.
- if ($sovpnsettings{'MSSFIX'} eq 'on')
- { print CONF "tun-mtu 1500\n"; }
- elsif ($sovpnsettings{'FRAGMENT'} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp')
- { print CONF "tun-mtu 1500\n"; }
- else
- { print CONF "tun-mtu $sovpnsettings{'DMTU'}\n"; }
+ print CONF "tun-mtu $sovpnsettings{'DMTU'}\n";
if ($vpnsettings{'ROUTES_PUSH'} ne '') {
@temp = split(/\n/,$vpnsettings{'ROUTES_PUSH'});
}
if ($sovpnsettings{MSSFIX} eq 'on') {
print CONF "mssfix\n";
+ } else {
+ print CONF "mssfix 0\n";
}
if ($sovpnsettings{FRAGMENT} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp') {
print CONF "fragment $sovpnsettings{'FRAGMENT'}\n";
print CONF "ncp-disable\n";
print CONF "cipher $sovpnsettings{DCIPHER}\n";
print CONF "auth $sovpnsettings{'DAUTH'}\n";
+ # Set TLSv2 as minimum
+ print CONF "tls-version-min 1.2\n";
if ($sovpnsettings{'TLSAUTH'} eq 'on') {
print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n";
print CONF "push \"dhcp-option WINS $sovpnsettings{DHCP_WINS}\"\n";
}
- if ($sovpnsettings{DHCP_WINS} eq '') {
+ if ($sovpnsettings{MAX_CLIENTS} eq '') {
print CONF "max-clients 100\n";
}
- if ($sovpnsettings{DHCP_WINS} ne '') {
+ if ($sovpnsettings{MAX_CLIENTS} ne '') {
print CONF "max-clients $sovpnsettings{MAX_CLIENTS}\n";
}
print CONF "tls-verify /usr/lib/openvpn/verify\n";
} else {
print CONF "verb 3\n";
}
+
+ print CONF "# Log clients connecting/disconnecting\n";
+ print CONF "client-connect \"/usr/sbin/openvpn-metrics client-connect\"\n";
+ print CONF "client-disconnect \"/usr/sbin/openvpn-metrics client-disconnect\"\n";
+
# Print server.conf.local if entries exist to server.conf
if ( !-z $local_serverconf && $sovpnsettings{'ADDITIONAL_CONFIGS'} eq 'on') {
open (LSC, "$local_serverconf");
my $oldname=$_[1];
my %ccdconfhash=();
my %ccdhash=();
+
+ # Check if the new name is valid.
+ if(!&General::validhostname($newname)) {
+ $errormessage=$Lang::tr{'ccd err invalidname'};
+ return;
+ }
+
&General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
foreach my $key (keys %ccdconfhash) {
if ($ccdconfhash{$key}[0] eq $oldname) {
$vpnsettings{'MAX_CLIENTS'} = $cgiparams{'MAX_CLIENTS'};
$vpnsettings{'REDIRECT_GW_DEF1'} = $cgiparams{'REDIRECT_GW_DEF1'};
$vpnsettings{'CLIENT2CLIENT'} = $cgiparams{'CLIENT2CLIENT'};
- $vpnsettings{'COMPLZO'} = $cgiparams{'DCOMPLZO'};
+ $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
$vpnsettings{'ADDITIONAL_CONFIGS'} = $cgiparams{'ADDITIONAL_CONFIGS'};
$vpnsettings{'DHCP_DOMAIN'} = $cgiparams{'DHCP_DOMAIN'};
$vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'};
undef $vpnsettings{'ROUTES_PUSH'};
&write_routepushfile;
}
- if ((length($cgiparams{'MAX_CLIENTS'}) == 0) || (($cgiparams{'MAX_CLIENTS'}) < 1 ) || (($cgiparams{'MAX_CLIENTS'}) > 255 )) {
+ if ((length($cgiparams{'MAX_CLIENTS'}) == 0) || (($cgiparams{'MAX_CLIENTS'}) < 1 ) || (($cgiparams{'MAX_CLIENTS'}) > 1024 )) {
$errormessage = $Lang::tr{'invalid input for max clients'};
goto ADV_ERROR;
}
$errormessage = $Lang::tr{'invalid input for keepalive 1:2'};
goto ADV_ERROR;
}
- # Create ta.key for tls-auth if not presant
- if ($cgiparams{'TLSAUTH'} eq 'on') {
- if ( ! -e "${General::swroot}/ovpn/certs/ta.key") {
- system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key");
- if ($?) {
- $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
- goto ADV_ERROR;
- }
- }
- }
-
&General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
&writeserverconf();#hier ok
}
if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'} else {$tunmtu = $cgiparams{'MTU'}};
print SERVERCONF "tun-mtu $tunmtu\n";
if ($cgiparams{'FRAGMENT'} ne '') {print SERVERCONF "fragment $cgiparams{'FRAGMENT'}\n";}
- if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n"; };
+ if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n"; } else { print SERVERCONF "mssfix 0\n" };
}
print SERVERCONF "# Auth. Server\n";
print SERVERCONF "auth $cgiparams{'DAUTH'}\n";
}
+ # Set TLSv1.2 as minimum
+ print SERVERCONF "tls-version-min 1.2\n";
+
if ($cgiparams{'COMPLZO'} eq 'on') {
print SERVERCONF "# Enable Compression\n";
print SERVERCONF "comp-lzo\n";
if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'} else {$tunmtu = $cgiparams{'MTU'}};
print CLIENTCONF "tun-mtu $tunmtu\n";
if ($cgiparams{'FRAGMENT'} ne '') {print CLIENTCONF "fragment $cgiparams{'FRAGMENT'}\n";}
- if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF "mssfix\n"; };
+ if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF "mssfix\n"; } else { print CLIENTCONF "mssfix 0\n" };
}
# Check host certificate if X509 is RFC3280 compliant.
print CLIENTCONF "auth $cgiparams{'DAUTH'}\n";
}
+ # Set TLSv1.2 as minimum
+ print CLIENTCONF "tls-version-min 1.2\n";
+
if ($cgiparams{'COMPLZO'} eq 'on') {
print CLIENTCONF "# Enable Compression\n";
print CLIENTCONF "comp-lzo\n";
goto SETTINGS_ERROR;
}
+ # Create ta.key for tls-auth if not presant
+ if ($cgiparams{'TLSAUTH'} eq 'on') {
+ if ( ! -e "${General::swroot}/ovpn/certs/ta.key") {
+ system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key");
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ goto SETTINGS_ERROR;
+ }
+ }
+ }
+
$vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'};
$vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'};
$vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
### Upload DH key
###
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload dh key'}) {
- if (ref ($cgiparams{'FH'}) ne 'Fh') {
+ unless (ref ($cgiparams{'FH'})) {
$errormessage = $Lang::tr{'there was no file upload'};
goto UPLOADCA_ERROR;
}
}
}
- if (ref ($cgiparams{'FH'}) ne 'Fh') {
+ unless (ref ($cgiparams{'FH'})) {
$errormessage = $Lang::tr{'there was no file upload'};
goto UPLOADCA_ERROR;
}
}
}
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
-
- if (ref ($cgiparams{'FH'}) ne 'Fh') {
+ unless (ref ($cgiparams{'FH'})) {
$errormessage = $Lang::tr{'there was no file upload'};
goto ROOTCERT_ERROR;
}
# } else {
# &cleanssldatabase();
}
+ # Create ta.key for tls-auth
+ system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key");
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ &cleanssldatabase();
+ goto ROOTCERT_ERROR;
+ }
# Create Diffie Hellmann Parameter
system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}");
if ($?) {
# } else {
# &cleanssldatabase();
}
- # Create ta.key for tls-auth
- system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key");
- if ($?) {
- $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
- &cleanssldatabase();
- goto ROOTCERT_ERROR;
- }
goto ROOTCERT_SUCCESS;
}
ROOTCERT_ERROR:
if ($confighash{$cgiparams{'KEY'}}[31] eq '') {$tunmtu = '1500'} else {$tunmtu = $confighash{$cgiparams{'KEY'}}[31]};
print CLIENTCONF "tun-mtu $tunmtu\n";
if ($confighash{$cgiparams{'KEY'}}[24] ne '') {print CLIENTCONF "fragment $confighash{$cgiparams{'KEY'}}[24]\n";}
- if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF "mssfix\n";}
+ if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF "mssfix\n";} else { print CLIENTCONF "mssfix 0\n"; }
}
# Check host certificate if X509 is RFC3280 compliant.
# If not, old --ns-cert-type directive will be used.
print CLIENTCONF "nobind\r\n";
print CLIENTCONF "dev tun\r\n";
print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n";
-
- # Check if we are using fragment, mssfix and set MTU to 1500
- # or use configured value.
- if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' )
- { print CLIENTCONF "tun-mtu 1500\r\n"; }
- elsif ($vpnsettings{MSSFIX} eq 'on')
- { print CLIENTCONF "tun-mtu 1500\r\n"; }
- else
- { print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n"; }
+ print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n";
if ( $vpnsettings{'ENABLED'} eq 'on'){
print CLIENTCONF "remote $vpnsettings{'VPN_IP'} $vpnsettings{'DDEST_PORT'}\r\n";
print CLIENTCONF "verify-x509-name $vpnsettings{ROOTCERT_HOSTNAME} name\r\n";
if ($vpnsettings{MSSFIX} eq 'on') {
print CLIENTCONF "mssfix\r\n";
+ } else {
+ print CLIENTCONF "mssfix 0\r\n";
}
if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' ) {
print CLIENTCONF "fragment $vpnsettings{'FRAGMENT'}\r\n";
if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') {
# Stop the N2N connection before it is removed
- system("/usr/local/bin/openvpnctrl -kn2n $confighash{$cgiparams{'KEY'}}[1] &>/dev/null");
+ system('/usr/local/bin/openvpnctrl', '-kn2n', $confighash{$cgiparams{'KEY'}}[1]);
my $conffile = glob("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]/$confighash{$cgiparams{'KEY'}}[1].conf");
my $certfile = glob("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
# CCD end
# Update collectd configuration and delete all RRD files of the removed connection
&writecollectdconf();
- system ("/usr/local/bin/openvpnctrl -drrd $confighash{$cgiparams{'KEY'}}[1]");
+ system ('/usr/local/bin/openvpnctrl', '-drrd', $confighash{$cgiparams{'KEY'}}[1]);
delete $confighash{$cgiparams{'KEY'}};
my $temp2 = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`;
$users[$uid]{'Proto'} = $proto;
# get country code for "RealAddress"...
- my $ccode = &GeoIP::lookup((split ':', $users[$uid]{'RealAddress'})[0]);
- my $flag_icon = &GeoIP::get_flag_icon($ccode);
+ my $ccode = &Location::Functions::lookup_country_code((split ':', $users[$uid]{'RealAddress'})[0]);
+ my $flag_icon = &Location::Functions::get_flag_icon($ccode);
$users[$uid]{'Country'} = "<a href='country.cgi#$ccode'><img src='$flag_icon' border='0' align='absmiddle' alt='$ccode' title='$ccode' /></a>";
$uid++;
}
&General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
-# Check if a file is uploaded
-
- if (ref ($cgiparams{'FH'}) ne 'Fh') {
+ # Check if a file is uploaded
+ unless (ref ($cgiparams{'FH'})) {
$errormessage = $Lang::tr{'there was no file upload'};
goto N2N_ERROR;
}
#CCD End
- if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
- $errormessage = $Lang::tr{'connection type is invalid'};
- if ($cgiparams{'TYPE'} eq 'net') {
- unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
- rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
- }
- goto VPNCONF_ERROR;
+ if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
+ $errormessage = $Lang::tr{'connection type is invalid'};
+ if ($cgiparams{'TYPE'} eq 'net') {
+ unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
+ rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
+ goto VPNCONF_ERROR;
+ }
+ goto VPNCONF_ERROR;
}
-
if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) {
- $errormessage = $Lang::tr{'name must only contain characters'};
- if ($cgiparams{'TYPE'} eq 'net') {
- unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
- rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
- }
- goto VPNCONF_ERROR;
- }
+ $errormessage = $Lang::tr{'name must only contain characters'};
+ if ($cgiparams{'TYPE'} eq 'net') {
+ goto VPNCONF_ERROR;
+ }
+ goto VPNCONF_ERROR;
+ }
if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault)$/) {
- $errormessage = $Lang::tr{'name is invalid'};
- if ($cgiparams{'TYPE'} eq 'net') {
- unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
- rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
- }
- goto VPNCONF_ERROR;
+ $errormessage = $Lang::tr{'name is invalid'};
+ if ($cgiparams{'TYPE'} eq 'net') {
+ unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
+ rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
+ goto VPNCONF_ERROR;
+ }
+ goto VPNCONF_ERROR;
}
if (length($cgiparams{'NAME'}) >60) {
- $errormessage = $Lang::tr{'name too long'};
- if ($cgiparams{'TYPE'} eq 'net') {
- unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
- rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
- }
- goto VPNCONF_ERROR;
+ $errormessage = $Lang::tr{'name too long'};
+ if ($cgiparams{'TYPE'} eq 'net') {
+ unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
+ rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
+ goto VPNCONF_ERROR;
+ }
+ goto VPNCONF_ERROR;
}
###
$errormessage = $Lang::tr{'cant change certificates'};
goto VPNCONF_ERROR;
}
- if (ref ($cgiparams{'FH'}) ne 'Fh') {
+ unless (ref ($cgiparams{'FH'})) {
$errormessage = $Lang::tr{'there was no file upload'};
goto VPNCONF_ERROR;
}
$errormessage = $Lang::tr{'cant change certificates'};
goto VPNCONF_ERROR;
}
- if (ref ($cgiparams{'FH'}) ne 'Fh') {
+ unless (ref ($cgiparams{'FH'})) {
$errormessage = $Lang::tr{'there was no file upload'};
goto VPNCONF_ERROR;
}