]> git.ipfire.org Git - ipfire-2.x.git/blobdiff - html/cgi-bin/vpnmain.cgi
projects / ipfire-2.x.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
amazon-ssm-agent: Enable build for aarch64
[ipfire-2.x.git] / html / cgi-bin / vpnmain.cgi
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 2b523bbc4d7641b1b6e4793a39210f5838737317..3652627e9b3e48d17de98e822ef774e04488c565 100644 (file)
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -124,6 +124,7 @@ $cgiparams{'MODE'} = "tunnel";
 $cgiparams{'INTERFACE_MODE'} = "";
 $cgiparams{'INTERFACE_ADDRESS'} = "";
 $cgiparams{'INTERFACE_MTU'} = 1500;
+$cgiparams{'DNS_SERVERS'} = "";
 &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
 
 my %APPLE_CIPHERS = (
@@ -207,10 +208,12 @@ sub newcleanssldatabase {
                close FILE;
        }
        if (! -s ">${General::swroot}/certs/index.txt") {
-               system ("touch ${General::swroot}/certs/index.txt");
+               open(FILE, ">${General::swroot}/certs/index.txt");
+               close(FILE);
        }
        if (! -s ">${General::swroot}/certs/index.txt.attr") {
-               system ("touch ${General::swroot}/certs/index.txt.attr");
+               open(FILE, ">${General::swroot}/certs/index.txt.attr");
+               close(FILE);
        }
        unlink ("${General::swroot}/certs/index.txt.old");
        unlink ("${General::swroot}/certs/index.txt.attr.old");
@@ -349,6 +352,12 @@ sub writeipsecfiles {
 
                print CONF "\tleftfirewall=yes\n";
                print CONF "\tlefthostaccess=yes\n";
+
+               # Always send the host certificate
+               if ($lconfighash{$key}[3] eq 'host') {
+                       print CONF "\tleftsendcert=always\n";
+               }
+
                print CONF "\tright=$lconfighash{$key}[10]\n";
 
                if ($lconfighash{$key}[3] eq 'net') {
@@ -511,6 +520,13 @@ sub writeipsecfiles {
                # Fragmentation
                print CONF "\tfragmentation=yes\n";
 
+               # DNS Servers for RW
+               if ($lconfighash{$key}[3] eq 'host') {
+                       my @servers = split(/\|/, $lconfighash{$key}[39]);
+
+                       print CONF "\trightdns=" . join(",", @servers) . "\n";
+               }
+
                print CONF "\n";
        } #foreach key
 
@@ -554,9 +570,9 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
        &General::writehash("${General::swroot}/vpn/settings", \%vpnsettings);
        &writeipsecfiles();
        if (&vpnenabled) {
-               system('/usr/local/bin/ipsecctrl', 'S');
+               &General::system('/usr/local/bin/ipsecctrl', 'S');
        } else {
-               system('/usr/local/bin/ipsecctrl', 'D');
+               &General::system('/usr/local/bin/ipsecctrl', 'D');
        }
        sleep $sleepDelay;
        SAVE_ERROR:
@@ -581,7 +597,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
        }
        &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
        &writeipsecfiles();
-       system('/usr/local/bin/ipsecctrl', 'R');
+       &General::system('/usr/local/bin/ipsecctrl', 'R');
        sleep $sleepDelay;
 
 ###
@@ -659,8 +675,7 @@ END
                unlink ($filename);
                goto UPLOADCA_ERROR;
        } else {
-               move($filename, "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem");
-               if ($? ne 0) {
+               unless(move($filename, "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem")) {
                        $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
                        unlink ($filename);
                        goto UPLOADCA_ERROR;
@@ -672,7 +687,7 @@ END
        $cahash{$key}[1] = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"));
        &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
 
-       system('/usr/local/bin/ipsecctrl', 'R');
+       &General::system('/usr/local/bin/ipsecctrl', 'R');
        sleep $sleepDelay;
 
        UPLOADCA_ERROR:
@@ -688,8 +703,8 @@ END
                &Header::openpage($Lang::tr{'ipsec'}, 1, '');
                &Header::openbigbox('100%', 'left', '', '');
                &Header::openbox('100%', 'left', "$Lang::tr{'ca certificate'}:");
-               my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;
-               $output = &Header::cleanhtml($output,"y");
+               my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
+               my $output = &Header::cleanhtml(join("", @output) ,"y");
                print "<pre>$output</pre>\n";
                &Header::closebox();
                print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>";
@@ -710,7 +725,9 @@ END
                print "Content-Type: application/force-download\n";
                print "Content-Type: application/octet-stream\r\n";
                print "Content-Disposition: attachment; filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n";
-               print `/usr/bin/openssl x509 -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;
+
+               my @cert = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
+               print "@cert";
                exit(0);
        } else {
                $errormessage = $Lang::tr{'invalid key'};
@@ -725,21 +742,21 @@ END
 
        if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
                foreach my $key (keys %confighash) {
-                       my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`;
-                       if ($test =~ /: OK/) {
+                       my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem", "${General::swroot}/certs/$confighash{$key}[1]cert.pem");
+                       if (grep(/: OK/, @test)) {
                                # Delete connection
                                unlink ("${General::swroot}/certs/$confighash{$key}[1]cert.pem");
                                unlink ("${General::swroot}/certs/$confighash{$key}[1].p12");
                                delete $confighash{$key};
                                &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
                                &writeipsecfiles();
-                               system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled);
+                               &General::system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled);
                        }
                }
                unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
                delete $cahash{$cgiparams{'KEY'}};
                &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
-               system('/usr/local/bin/ipsecctrl', 'R');
+               &General::system('/usr/local/bin/ipsecctrl', 'R');
                sleep $sleepDelay;
        } else {
                $errormessage = $Lang::tr{'invalid key'};
@@ -754,8 +771,8 @@ END
        my $assignedcerts = 0;
        if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
                foreach my $key (keys %confighash) {
-                       my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`;
-                       if ($test =~ /: OK/) {
+                       my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem", "${General::swroot}/certs/$confighash{$key}[1]cert.pem");
+                       if (grep(/: OK/, @test)) {
                                $assignedcerts++;
                        }
                }
@@ -791,7 +808,7 @@ END
                        unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
                        delete $cahash{$cgiparams{'KEY'}};
                        &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
-                       system('/usr/local/bin/ipsecctrl', 'R');
+                       &General::system('/usr/local/bin/ipsecctrl', 'R');
                        sleep $sleepDelay;
                }
        } else {
@@ -803,18 +820,18 @@ END
 ###
 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} ||
        $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) {
-       my $output;
+       my @output;
        &Header::showhttpheaders();
        &Header::openpage($Lang::tr{'ipsec'}, 1, '');
        &Header::openbigbox('100%', 'left', '', '');
        if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) {
                &Header::openbox('100%', 'left', "$Lang::tr{'root certificate'}:");
-               $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/cacert.pem`;
+               @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ca/cacert.pem");
        } else {
                &Header::openbox('100%', 'left', "$Lang::tr{'host certificate'}:");
-               $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/hostcert.pem`;
+               @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/certs/hostcert.pem");
        }
-       $output = &Header::cleanhtml($output,"y");
+       my $output = &Header::cleanhtml(join("", @output) ,"y");
        print "<pre>$output</pre>\n";
        &Header::closebox();
        print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>";
@@ -829,7 +846,9 @@ END
        if ( -f "${General::swroot}/ca/cacert.pem" ) {
                print "Content-Type: application/force-download\n";
                print "Content-Disposition: attachment; filename=cacert.pem\r\n\r\n";
-               print `/usr/bin/openssl x509 -in ${General::swroot}/ca/cacert.pem`;
+
+               my @cert = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ca/cacert.pem");
+               print join("", @cert);
                exit(0);
        }
 ###
@@ -839,7 +858,9 @@ END
        if ( -f "${General::swroot}/certs/hostcert.pem" ) {
                print "Content-Type: application/force-download\n";
                print "Content-Disposition: attachment; filename=hostcert.pem\r\n\r\n";
-               print `/usr/bin/openssl x509 -in ${General::swroot}/certs/hostcert.pem`;
+
+               my @cert = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/certs/hostcert.pem");
+               print join("", @cert);
                exit(0);
        }
 ###
@@ -925,20 +946,23 @@ END
 
                if (!$errormessage) {
                        &General::log("ipsec", "Moving cacert...");
-                       move("/tmp/newcacert", "${General::swroot}/ca/cacert.pem");
-                       $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0);
+                       unless(move("/tmp/newcacert", "${General::swroot}/ca/cacert.pem")) {
+                               $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
+                       }
                }
 
                if (!$errormessage) {
                        &General::log("ipsec", "Moving host cert...");
-                       move("/tmp/newhostcert", "${General::swroot}/certs/hostcert.pem");
-                       $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0);
+                       unless(move("/tmp/newhostcert", "${General::swroot}/certs/hostcert.pem")) {
+                               $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
+                       }
                }
 
                if (!$errormessage) {
                        &General::log("ipsec", "Moving private key...");
-                       move("/tmp/newhostkey", "${General::swroot}/certs/hostkey.pem");
-                       $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0);
+                       unless(move("/tmp/newhostkey", "${General::swroot}/certs/hostkey.pem")) {
+                               $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
+                       }
                }
 
                #cleanup temp files
@@ -1202,7 +1226,7 @@ END
 
        ROOTCERT_SUCCESS:
        if (&vpnenabled) {
-               system('/usr/local/bin/ipsecctrl', 'S');
+               &General::system('/usr/local/bin/ipsecctrl', 'S');
                sleep $sleepDelay;
        }
        ROOTCERT_SKIP:
@@ -1214,7 +1238,12 @@ END
        print "Content-Type: application/force-download\n";
        print "Content-Disposition: attachment; filename=" . $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n";
        print "Content-Type: application/octet-stream\r\n\r\n";
-       print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`;
+
+       open(FILE, "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
+       my @p12 = <FILE>;
+       close(FILE);
+       print join("", @p12);
+
        exit (0);
 
 # Export Apple profile to browser
@@ -1232,13 +1261,23 @@ END
        my $uuid1 = $uuid->create_str();
        my $uuid2 = $uuid->create_str();
 
+       my $ca = "";
+       my $ca_uuid = $uuid->create_str();
+
        my $cert = "";
        my $cert_uuid = $uuid->create_str();
 
-       # Read and encode certificate
+       # Read and encode the CA & certificate
        if ($confighash{$key}[4] eq "cert") {
+               my $ca_path = "${General::swroot}/ca/cacert.pem";
                my $cert_path = "${General::swroot}/certs/$confighash{$key}[1].p12";
 
+               # Read the CA and encode it into Base64
+               open(CA, "<${ca_path}");
+               local($/) = undef; # slurp
+               $ca = MIME::Base64::encode_base64(<CA>);
+               close(CA);
+
                # Read certificate and encode it into Base64
                open(CERT, "<${cert_path}");
                local($/) = undef; # slurp
@@ -1376,14 +1415,28 @@ END
 
        # Left ID
        if ($confighash{$key}[9]) {
+               my $leftid = $confighash{$key}[9];
+
+               # Strip leading @ from FQDNs
+               if ($leftid =~ m/^@(.*)$/) {
+                       $leftid = $1;
+               }
+
                print "                                 <key>LocalIdentifier</key>\n";
-               print "                                 <string>$confighash{$key}[9]</string>\n";
+               print "                                 <string>$leftid</string>\n";
        }
 
        # Right ID
        if ($confighash{$key}[7]) {
+               my $rightid = $confighash{$key}[7];
+
+               # Strip leading @ from FQDNs
+               if ($rightid =~ m/^@(.*)$/) {
+                       $rightid = $1;
+               }
+
                print "                                 <key>RemoteIdentifier</key>\n";
-               print "                                 <string>$confighash{$key}[7]</string>\n";
+               print "                                 <string>$rightid</string>\n";
        }
 
        if ($confighash{$key}[4] eq "cert") {
@@ -1414,6 +1467,8 @@ END
                print "                 <dict>\n";
                print "                         <key>PayloadIdentifier</key>\n";
                print "                         <string>org.example.vpn1.client</string>\n";
+               print "                         <key>PayloadDisplayName</key>\n";
+               print "                         <string>$confighash{$key}[1]</string>\n";
                print "                         <key>PayloadUUID</key>\n";
                print "                         <string>${cert_uuid}</string>\n";
                print "                         <key>PayloadType</key>\n";
@@ -1429,6 +1484,25 @@ END
 
                print "                         </data>\n";
                print "                 </dict>\n";
+
+               print "                 <dict>\n";
+               print "                         <key>PayloadIdentifier</key>\n";
+               print "                         <string>org.example.ca</string>\n";
+               print "                         <key>PayloadUUID</key>\n";
+               print "                         <string>${ca_uuid}</string>\n";
+               print "                         <key>PayloadType</key>\n";
+               print "                         <string>com.apple.security.root</string>\n";
+               print "                         <key>PayloadVersion</key>\n";
+               print "                         <integer>1</integer>\n";
+               print "                         <key>PayloadContent</key>\n";
+               print "                         <data>\n";
+
+               foreach (split /\n/,${ca}) {
+                       print "                                 $_\n";
+               }
+
+               print "                         </data>\n";
+               print "                 </dict>\n";
        }
 
        print "         </array>\n";
@@ -1448,8 +1522,8 @@ END
                &Header::openpage($Lang::tr{'ipsec'}, 1, '');
                &Header::openbigbox('100%', 'left', '', '');
                &Header::openbox('100%', 'left', "$Lang::tr{'cert'}:");
-               my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
-               $output = &Header::cleanhtml($output,"y");
+               my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
+               my $output = &Header::cleanhtml(join("", @output) ,"y");
                print "<pre>$output</pre>\n";
                &Header::closebox();
                print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>";
@@ -1467,7 +1541,12 @@ END
        if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
                print "Content-Type: application/force-download\n";
                print "Content-Disposition: attachment; filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\n\n";
-               print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
+
+               open(FILE, "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
+               my @pem = <FILE>;
+               close(FILE);
+               print "@pem";
+
                exit (0);
        }
 
@@ -1484,12 +1563,12 @@ END
                        $confighash{$cgiparams{'KEY'}}[0] = 'on';
                        &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
                        &writeipsecfiles();
-                       system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}) if (&vpnenabled);
+                       &General::system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}) if (&vpnenabled);
                } else {
                        $confighash{$cgiparams{'KEY'}}[0] = 'off';
                        &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
                        &writeipsecfiles();
-                       system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
+                       &General::system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
                }
                sleep $sleepDelay;
        } else {
@@ -1505,7 +1584,7 @@ END
 
        if ($confighash{$cgiparams{'KEY'}}) {
                if (&vpnenabled) {
-                       system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
+                       &General::system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
                        sleep $sleepDelay;
                }
        } else {
@@ -1525,7 +1604,7 @@ END
                delete $confighash{$cgiparams{'KEY'}};
                &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
                &writeipsecfiles();
-               system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
+               &General::system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
        } else {
                $errormessage = $Lang::tr{'invalid key'};
        }
@@ -1612,6 +1691,7 @@ END
                $cgiparams{'INTERFACE_MODE'}            = $confighash{$cgiparams{'KEY'}}[36];
                $cgiparams{'INTERFACE_ADDRESS'}         = $confighash{$cgiparams{'KEY'}}[37];
                $cgiparams{'INTERFACE_MTU'}             = $confighash{$cgiparams{'KEY'}}[38];
+               $cgiparams{'DNS_SERVERS'}               = $confighash{$cgiparams{'KEY'}}[39];
 
                if (!$cgiparams{'DPD_DELAY'}) {
                        $cgiparams{'DPD_DELAY'} = 30;
@@ -1745,6 +1825,16 @@ END
                        }
                }
 
+               if ($cgiparams{'TYPE'} eq 'host') {
+                       my @servers = split(",", $cgiparams{'DNS_SERVERS'});
+                       foreach my $server (@servers) {
+                               unless (&Network::check_ip_address($server)) {
+                                       $errormessage = $Lang::tr{'ipsec dns server address is invalid'};
+                                       goto VPNCONF_ERROR;
+                               }
+                       }
+               }
+
                if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
                        $errormessage = $Lang::tr{'invalid input'};
                        goto VPNCONF_ERROR;
@@ -1882,8 +1972,8 @@ END
                                unshift (@names,$cahash{$x}[0]);
                        }
                        if ($casubject) { # a new one!
-                               my $temp = `/usr/bin/openssl x509 -text -in /tmp/newcacert`;
-                               if ($temp !~ /CA:TRUE/i) {
+                               my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "/tmp/newcacert");
+                               if (! grep(/CA:TRUE/, @temp)) {
                                        $errormessage = $Lang::tr{'not a valid ca certificate'};
                                } else {
                                        #compute a name for it
@@ -1891,22 +1981,26 @@ END
                                        while (grep(/Imported-$idx/, @names) ) {$idx++};
                                        $cgiparams{'CA_NAME'}="Imported-$idx";
                                        $cgiparams{'CERT_NAME'}=&Header::cleanhtml(getCNfromcert ('/tmp/newhostcert'));
-                                       move("/tmp/newcacert", "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem");
-                                       $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0);
+
+                                       unless(move("/tmp/newcacert", "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem")) {
+                                               $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
+                                       }
+
                                        if (!$errormessage) {
                                                my $key = &General::findhasharraykey (\%cahash);
                                                $cahash{$key}[0] = $cgiparams{'CA_NAME'};
                                                $cahash{$key}[1] = $casubject;
                                                &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
-                                               system('/usr/local/bin/ipsecctrl', 'R');
+                                               &General::system('/usr/local/bin/ipsecctrl', 'R');
                                        }
                                }
                        }
                }
                if (!$errormessage) {
                        &General::log("ipsec", "Moving host cert...");
-                       move("/tmp/newhostcert", "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
-                       $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0);
+                       unless(move("/tmp/newhostcert", "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem")) {
+                               $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
+                       }
                }
 
                #cleanup temp files
@@ -1938,12 +2032,12 @@ END
                # Verify the certificate has a valid CA and move it
                &General::log("ipsec", "Validating imported cert against our known CA...");
                my $validca = 1; #assume ok
-               my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/cacert.pem $filename`;
-               if ($test !~ /: OK/) {
+               my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ca/cacert.pem", "$filename");
+               if (! grep(/: OK/, @test)) {
                        my $validca = 0;
                        foreach my $key (keys %cahash) {
-                               $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$key}[0]cert.pem $filename`;
-                               if ($test =~ /: OK/) {
+                               @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ca/$cahash{$key}[0]cert.pem", "$filename");
+                               if (grep(/: OK/, @test)) {
                                        $validca = 1;
                                        last;
                                }
@@ -1954,9 +2048,8 @@ END
                        unlink ($filename);
                        goto VPNCONF_ERROR;
                } else {
-                       move($filename, "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
-                       if ($? ne 0) {
-                               $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
+                       unless (move($filename, "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem")) {
+                               $errormessage = "$Lang::tr{'certificate file move failed'} ($filename): $!";
                                unlink ($filename);
                                goto VPNCONF_ERROR;
                        }
@@ -2147,7 +2240,7 @@ END
        my $key = $cgiparams{'KEY'};
        if (! $key) {
                $key = &General::findhasharraykey (\%confighash);
-               foreach my $i (0 .. 38) { $confighash{$key}[$i] = "";}
+               foreach my $i (0 .. 39) { $confighash{$key}[$i] = "";}
        }
        $confighash{$key}[0] = $cgiparams{'ENABLED'};
        $confighash{$key}[1] = $cgiparams{'NAME'};
@@ -2198,6 +2291,7 @@ END
        $confighash{$key}[36] = $cgiparams{'INTERFACE_MODE'};
        $confighash{$key}[37] = $cgiparams{'INTERFACE_ADDRESS'};
        $confighash{$key}[38] = $cgiparams{'INTERFACE_MTU'};
+       $confighash{$key}[39] = join("|", split(",", $cgiparams{'DNS_SERVERS'}));
 
        # free unused fields!
        $confighash{$key}[15] = 'off';
@@ -2205,7 +2299,7 @@ END
        &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
        &writeipsecfiles();
        if (&vpnenabled) {
-               system('/usr/local/bin/ipsecctrl', 'S', $key);
+               &General::system('/usr/local/bin/ipsecctrl', 'S', $key);
                sleep $sleepDelay;
        }
        if ($cgiparams{'EDIT_ADVANCED'} eq 'on') {
@@ -2266,11 +2360,11 @@ END
        #use default advanced value
        $cgiparams{'IKE_ENCRYPTION'}    = 'chacha20poly1305|aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18];
        $cgiparams{'IKE_INTEGRITY'}             = 'sha2_512|sha2_256'; #[19];
-       $cgiparams{'IKE_GROUPTYPE'}             = 'curve25519|curve448|4096|3072|2048'; #[20];
+       $cgiparams{'IKE_GROUPTYPE'}             = 'curve448|curve25519|4096|3072|2048'; #[20];
        $cgiparams{'IKE_LIFETIME'}              = '3'; #[16];
        $cgiparams{'ESP_ENCRYPTION'}    = 'chacha20poly1305|aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21];
        $cgiparams{'ESP_INTEGRITY'}             = 'sha2_512|sha2_256'; #[22];
-       $cgiparams{'ESP_GROUPTYPE'}             = 'curve25519|curve448|4096|3072|2048'; #[23];
+       $cgiparams{'ESP_GROUPTYPE'}             = 'curve448|curve25519|4096|3072|2048'; #[23];
        $cgiparams{'ESP_KEYLIFE'}               = '1'; #[17];
        $cgiparams{'COMPRESSION'}               = 'off'; #[13];
        $cgiparams{'ONLY_PROPOSED'}             = 'on'; #[24];
@@ -2280,6 +2374,7 @@ END
        $cgiparams{'INTERFACE_MODE'}            = "";
        $cgiparams{'INTERFACE_ADDRESS'}         = "";
        $cgiparams{'INTERFACE_MTU'}             = 1500;
+       $cgiparams{'DNS_SERVERS'}               = "";
 }
 
 VPNCONF_ERROR:
@@ -2376,11 +2471,8 @@ END
 EOF
        }
 
-       my $disabled;
-       my $blob;
-       if ($cgiparams{'TYPE'} eq 'host') {
-               $disabled = "disabled='disabled'";
-       } elsif ($cgiparams{'TYPE'} eq 'net') {
+       my $blob = "";
+       if ($cgiparams{'TYPE'} eq 'net') {
                $blob = "<img src='/blob.gif' alt='*' />";
        };
 
@@ -2390,6 +2482,9 @@ EOF
        my @remote_subnets = split(/\|/, $cgiparams{'REMOTE_SUBNET'});
        my $remote_subnets = join(",", @remote_subnets);
 
+       my @dns_servers = split(/\|/, $cgiparams{'DNS_SERVERS'});
+       my $dns_servers = join(",", @dns_servers);
+
        print <<END;
        <tr>
                <td width='20%'>$Lang::tr{'enabled'}</td>
@@ -2425,10 +2520,26 @@ END
                <td width='30%'>
                        <input type='text' name='LOCAL_SUBNET' value='$local_subnets' size="25" />
                </td>
-               <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'remote subnet'}&nbsp;$blob</td>
+END
+
+       if ($cgiparams{'TYPE'} eq "net") {
+               print <<END;
+               <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'remote subnet'}&nbsp;<img src='/blob.gif' alt='*' /></td>
+               <td width='30%'>
+                       <input type='text' name='REMOTE_SUBNET' value='$remote_subnets' size="25" />
+               </td>
+END
+
+       } elsif ($cgiparams{'TYPE'} eq "host") {
+               print <<END;
+               <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'dns servers'}:</td>
                <td width='30%'>
-                       <input $disabled type='text' name='REMOTE_SUBNET' value='$remote_subnets' size="25" />
+                       <input type='text' name='DNS_SERVERS' value='$dns_servers' size="25" />
                </td>
+END
+       }
+
+       print <<END;
        </tr>
        <tr>
                <td class='boldbase' width='20%'>$Lang::tr{'vpn local id'}:</td>
@@ -2634,7 +2745,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                        goto ADVANCED_ERROR;
                }
                foreach my $val (@temp) {
-                       if ($val !~ /^(curve25519|curve448|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192)$/) {
+                       if ($val !~ /^(curve448|curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192)$/) {
                                $errormessage = $Lang::tr{'invalid input'};
                                goto ADVANCED_ERROR;
                        }
@@ -2675,7 +2786,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                        goto ADVANCED_ERROR;
                }
                foreach my $val (@temp) {
-                       if ($val !~ /^(curve25519|curve448|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192|none)$/) {
+                       if ($val !~ /^(curve448|curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192|none)$/) {
                                $errormessage = $Lang::tr{'invalid input'};
                                goto ADVANCED_ERROR;
                        }
@@ -2734,7 +2845,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
                &writeipsecfiles();
                if (&vpnenabled) {
-                       system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
+                       &General::system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
                        sleep $sleepDelay;
                }
                goto ADVANCED_END;
@@ -2764,6 +2875,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                $cgiparams{'INTERFACE_MODE'}            = $confighash{$cgiparams{'KEY'}}[36];
                $cgiparams{'INTERFACE_ADDRESS'}         = $confighash{$cgiparams{'KEY'}}[37];
                $cgiparams{'INTERFACE_MTU'}             = $confighash{$cgiparams{'KEY'}}[38];
+               $cgiparams{'DNS_SERVERS'}               = $confighash{$cgiparams{'KEY'}}[39];
 
                if (!$cgiparams{'DPD_DELAY'}) {
                        $cgiparams{'DPD_DELAY'} = 30;
@@ -2814,8 +2926,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
        $checked{'IKE_INTEGRITY'}{'aesxcbc'} = '';
        @temp = split('\|', $cgiparams{'IKE_INTEGRITY'});
        foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = "selected='selected'"; }
-       $checked{'IKE_GROUPTYPE'}{'curve25519'} = '';
        $checked{'IKE_GROUPTYPE'}{'curve448'} = '';
+       $checked{'IKE_GROUPTYPE'}{'curve25519'} = '';
        $checked{'IKE_GROUPTYPE'}{'768'} = '';
        $checked{'IKE_GROUPTYPE'}{'1024'} = '';
        $checked{'IKE_GROUPTYPE'}{'1536'} = '';
@@ -2854,8 +2966,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
        $checked{'ESP_INTEGRITY'}{'aesxcbc'} = '';
        @temp = split('\|', $cgiparams{'ESP_INTEGRITY'});
        foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; }
-       $checked{'ESP_GROUPTYPE'}{'curve25519'} = '';
        $checked{'ESP_GROUPTYPE'}{'curve448'} = '';
+       $checked{'ESP_GROUPTYPE'}{'curve25519'} = '';
        $checked{'ESP_GROUPTYPE'}{'768'} = '';
        $checked{'ESP_GROUPTYPE'}{'1024'} = '';
        $checked{'ESP_GROUPTYPE'}{'1536'} = '';
@@ -3019,8 +3131,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                        <td class='boldbase' width="15%">$Lang::tr{'grouptype'}</td>
                        <td class='boldbase'>
                                <select name='IKE_GROUPTYPE' multiple='multiple' size='6' style='width: 100%'>
-                                       <option value='curve25519' $checked{'IKE_GROUPTYPE'}{'curve25519'}>Curve 25519 (256 bit)</option>
                                        <option value='curve448' $checked{'IKE_GROUPTYPE'}{'curve448'}>Curve 448 (224 bit)</option>
+                                       <option value='curve25519' $checked{'IKE_GROUPTYPE'}{'curve25519'}>Curve 25519 (128 bit)</option>
                                        <option value='e521' $checked{'IKE_GROUPTYPE'}{'e521'}>ECP-521 (NIST)</option>
                                        <option value='e512bp' $checked{'IKE_GROUPTYPE'}{'e512bp'}>ECP-512 (Brainpool)</option>
                                        <option value='e384' $checked{'IKE_GROUPTYPE'}{'e384'}>ECP-384 (NIST)</option>
@@ -3042,8 +3154,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                        </td>
                        <td class='boldbase'>
                                <select name='ESP_GROUPTYPE' multiple='multiple' size='6' style='width: 100%'>
-                                       <option value='curve25519' $checked{'ESP_GROUPTYPE'}{'curve25519'}>Curve 25519 (256 bit)</option>
                                        <option value='curve448' $checked{'ESP_GROUPTYPE'}{'curve448'}>Curve 448 (224 bit)</option>
+                                       <option value='curve25519' $checked{'ESP_GROUPTYPE'}{'curve25519'}>Curve 25519 (128 bit)</option>
                                        <option value='e521' $checked{'ESP_GROUPTYPE'}{'e521'}>ECP-521 (NIST)</option>
                                        <option value='e512bp' $checked{'ESP_GROUPTYPE'}{'e512bp'}>ECP-512 (Brainpool)</option>
                                        <option value='e384' $checked{'ESP_GROUPTYPE'}{'e384'}>ECP-384 (NIST)</option>
@@ -3182,7 +3294,7 @@ EOF
        &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
        $cgiparams{'CA_NAME'} = '';
 
-       my @status = `/usr/local/bin/ipsecctrl I 2>/dev/null`;
+       my @status = &General::system_output("/usr/local/bin/ipsecctrl", "I");
 
        $checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? "checked='checked'" : '';
 
@@ -3616,7 +3728,7 @@ sub make_algos($$$$$) {
 
                                        if ($grp =~ m/^e(.*)$/) {
                                                push(@algo, "ecp$1");
-                                       } elsif ($grp =~ m/curve(25519|448)/) {
+                                       } elsif ($grp =~ m/curve(448|25519)/) {
                                                push(@algo, "$grp");
                                        } else {
                                                push(@algo, "modp$grp");
@@ -3633,7 +3745,7 @@ sub make_algos($$$$$) {
                                                # noop
                                        } elsif ($grp =~ m/^e(.*)$/) {
                                                push(@algo, "ecp$1");
-                                       } elsif ($grp =~ m/curve(25519|448)/) {
+                                       } elsif ($grp =~ m/curve(448|25519)/) {
                                                push(@algo, "$grp");
                                        } else {
                                                push(@algo, "modp$grp");
IPFire 2.x development tree