X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=html%2Fcgi-bin%2Fovpnmain.cgi;h=755589fa52b44c0501c43f25f801554edc2d25fc;hb=775b44943135f15dc9b242ceacf708ecc9653e4a;hp=13ecbd5a9c1fb8381047f06686c5ac62a6ddc082;hpb=5795fc1b5536b6506c26a976c3024114e88cbcb8;p=people%2Fpmueller%2Fipfire-2.x.git diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 13ecbd5a9c..755589fa52 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -70,6 +70,9 @@ my $configgrp="${General::swroot}/fwhosts/customgroups"; my $customnet="${General::swroot}/fwhosts/customnetworks"; my $name; my $col=""; +my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local"; +my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local"; + &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); $cgiparams{'ENABLED'} = 'off'; $cgiparams{'ENABLED_BLUE'} = 'off'; @@ -94,10 +97,33 @@ $cgiparams{'DCIPHER'} = ''; $cgiparams{'DAUTH'} = ''; $cgiparams{'TLSAUTH'} = ''; $routes_push_file = "${General::swroot}/ovpn/routes_push"; -unless (-e $routes_push_file) { system("touch $routes_push_file"); } -unless (-e "${General::swroot}/ovpn/ccd.conf") { system("touch ${General::swroot}/ovpn/ccd.conf"); } -unless (-e "${General::swroot}/ovpn/ccdroute") { system("touch ${General::swroot}/ovpn/ccdroute"); } -unless (-e "${General::swroot}/ovpn/ccdroute2") { system("touch ${General::swroot}/ovpn/ccdroute2"); } + +# Add CCD files if not already presant +unless (-e $routes_push_file) { + open(RPF, ">$routes_push_file"); + close(RPF); +} +unless (-e "${General::swroot}/ovpn/ccd.conf") { + open(CCDC, ">${General::swroot}/ovpn/ccd.conf"); + close (CCDC); +} +unless (-e "${General::swroot}/ovpn/ccdroute") { + open(CCDR, ">${General::swroot}/ovpn/ccdroute"); + close (CCDR); +} +unless (-e "${General::swroot}/ovpn/ccdroute2") { + open(CCDRT, ">${General::swroot}/ovpn/ccdroute2"); + close (CCDRT); +} +# Add additional configs if not already presant +unless (-e "$local_serverconf") { + open(LSC, ">$local_serverconf"); + close (LSC); +} +unless (-e "$local_clientconf") { + open(LCC, ">$local_clientconf"); + close (LCC); +} &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'}); @@ -262,7 +288,7 @@ sub writeserverconf { print CONF "keepalive $sovpnsettings{'KEEPALIVE_1'} $sovpnsettings{'KEEPALIVE_2'}\n"; } print CONF "status-version 1\n"; - print CONF "status /var/log/ovpnserver.log 30\n"; + print CONF "status /var/run/ovpnserver.log 30\n"; print CONF "cipher $sovpnsettings{DCIPHER}\n"; if ($sovpnsettings{'DAUTH'} eq '') { print CONF ""; @@ -306,14 +332,29 @@ sub writeserverconf { print CONF "verb $sovpnsettings{LOG_VERB}\n"; } else { print CONF "verb 3\n"; - } + } + # Print server.conf.local if entries exist to server.conf + if ( !-z $local_serverconf && $sovpnsettings{'ADDITIONAL_CONFIGS'} eq 'on') { + open (LSC, "$local_serverconf"); + print CONF "\n#---------------------------\n"; + print CONF "# Start of custom directives\n"; + print CONF "# from server.conf.local\n"; + print CONF "#---------------------------\n\n"; + while () { + print CONF $_; + } + print CONF "\n#-----------------------------\n"; + print CONF "# End of custom directives\n"; + print CONF "#-----------------------------\n"; + close (LSC); + } print CONF "\n"; close(CONF); } sub emptyserverlog{ - if (open(FILE, ">/var/log/ovpnserver.log")) { + if (open(FILE, ">/var/run/ovpnserver.log")) { flock FILE, 2; print FILE ""; close FILE; @@ -627,6 +668,29 @@ sub read_routepushfile } } +sub writecollectdconf { + my $vpncollectd; + my %ccdhash=(); + + open(COLLECTDVPN, ">${General::swroot}/ovpn/collectd.vpn") or die "Unable to open collectd.vpn: $!"; + print COLLECTDVPN "Loadplugin openvpn\n"; + print COLLECTDVPN "\n"; + print COLLECTDVPN "\n"; + print COLLECTDVPN "Statusfile \"/var/run/ovpnserver.log\"\n"; + + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash); + foreach my $key (keys %ccdhash) { + if ($ccdhash{$key}[0] eq 'on' && $ccdhash{$key}[3] eq 'net') { + print COLLECTDVPN "Statusfile \"/var/run/openvpn/$ccdhash{$key}[1]-n2n\"\n"; + } + } + + print COLLECTDVPN "\n"; + close(COLLECTDVPN); + + # Reload collectd afterwards + system("/usr/local/bin/collectdctrl restart &>/dev/null"); +} #hier die refresh page if ( -e "${General::swroot}/ovpn/gencanow") { @@ -685,6 +749,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'MAX_CLIENTS'} = $cgiparams{'MAX_CLIENTS'}; $vpnsettings{'REDIRECT_GW_DEF1'} = $cgiparams{'REDIRECT_GW_DEF1'}; $vpnsettings{'CLIENT2CLIENT'} = $cgiparams{'CLIENT2CLIENT'}; + $vpnsettings{'ADDITIONAL_CONFIGS'} = $cgiparams{'ADDITIONAL_CONFIGS'}; $vpnsettings{'DHCP_DOMAIN'} = $cgiparams{'DHCP_DOMAIN'}; $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'}; $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'}; @@ -865,7 +930,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print SERVERCONF "dev tun\n"; print SERVERCONF "#Logfile for statistics\n"; print SERVERCONF "status-version 1\n"; - print SERVERCONF "status /var/log/openvpn/$cgiparams{'NAME'}-n2n 10\n"; + print SERVERCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n"; print SERVERCONF "# Port and Protokol\n"; print SERVERCONF "port $cgiparams{'DEST_PORT'}\n"; @@ -1214,8 +1279,7 @@ END unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"; } # Create Diffie Hellmann Parameter - system('/usr/bin/openssl', 'dhparam', '-rand', '/proc/interrupts:/proc/net/rt_cache', - '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); + system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ("${General::swroot}/ovpn/ca/dh1024.pem"); @@ -1768,7 +1832,7 @@ END goto ROOTCERT_ERROR; } } else { # child - unless (exec ('/usr/bin/openssl', 'req', '-x509', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache', + unless (exec ('/usr/bin/openssl', 'req', '-x509', '-nodes', '-days', '999999', '-newkey', 'rsa:4096', '-sha512', '-keyout', "${General::swroot}/ovpn/ca/cakey.pem", '-out', "${General::swroot}/ovpn/ca/cacert.pem", @@ -1799,7 +1863,7 @@ END goto ROOTCERT_ERROR; } } else { # child - unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache', + unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-newkey', 'rsa:2048', '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem", '-out', "${General::swroot}/ovpn/certs/serverreq.pem", @@ -1851,8 +1915,7 @@ END # &cleanssldatabase(); } # Create Diffie Hellmann Parameter - system('/usr/bin/openssl', 'dhparam', '-rand', '/proc/interrupts:/proc/net/rt_cache', - '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); + system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); @@ -2001,7 +2064,8 @@ END &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ - system('/usr/local/bin/openvpnctrl', '-sn2n', $confighash{$cgiparams{'KEY'}}[1]); + system('/usr/local/bin/openvpnctrl', '-sn2n', $confighash{$cgiparams{'KEY'}}[1]); + &writecollectdconf(); } } else { @@ -2009,14 +2073,15 @@ END &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ - if ($n2nactive ne ''){ - system('/usr/local/bin/openvpnctrl', '-kn2n', $confighash{$cgiparams{'KEY'}}[1]); - } + if ($n2nactive ne '') { + system('/usr/local/bin/openvpnctrl', '-kn2n', $confighash{$cgiparams{'KEY'}}[1]); + &writecollectdconf(); + } } else { - $errormessage = $Lang::tr{'invalid key'}; + $errormessage = $Lang::tr{'invalid key'}; } - } + } } ### @@ -2237,6 +2302,21 @@ else print CLIENTCONF "mtu-disc $vpnsettings{'PMTU_DISCOVERY'}\r\n"; } } + # Print client.conf.local if entries exist to client.ovpn + if (!-z $local_clientconf && $vpnsettings{'ADDITIONAL_CONFIGS'} eq 'on') { + open (LCC, "$local_clientconf"); + print CLIENTCONF "\n#---------------------------\n"; + print CLIENTCONF "# Start of custom directives\n"; + print CLIENTCONF "# from client.conf.local\n"; + print CLIENTCONF "#---------------------------\n\n"; + while () { + print CLIENTCONF $_; + } + print CLIENTCONF "\n#---------------------------\n"; + print CLIENTCONF "# End of custom directives\n"; + print CLIENTCONF "#---------------------------\n\n"; + close (LCC); + } close(CLIENTCONF); $zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n"; @@ -2315,15 +2395,13 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { # CCD end -### -### Delete all RRD's for client -### - system ("/usr/local/bin/openvpnctrl -drrd $confighash{$cgiparams{'KEY'}}[1]"); delete $confighash{$cgiparams{'KEY'}}; my $temp2 = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`; &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - #&writeserverconf(); + # Update collectd configuration and delete all RRD files of the removed connection + &writecollectdconf(); + system ("/usr/local/bin/openvpnctrl -drrd $confighash{$cgiparams{'KEY'}}[1]"); } else { $errormessage = $Lang::tr{'invalid key'}; } @@ -2472,6 +2550,9 @@ ADV_ERROR: $checked{'REDIRECT_GW_DEF1'}{'off'} = ''; $checked{'REDIRECT_GW_DEF1'}{'on'} = ''; $checked{'REDIRECT_GW_DEF1'}{$cgiparams{'REDIRECT_GW_DEF1'}} = 'CHECKED'; + $checked{'ADDITIONAL_CONFIGS'}{'off'} = ''; + $checked{'ADDITIONAL_CONFIGS'}{'on'} = ''; + $checked{'ADDITIONAL_CONFIGS'}{$cgiparams{'ADDITIONAL_CONFIGS'}} = 'CHECKED'; $checked{'MSSFIX'}{'off'} = ''; $checked{'MSSFIX'}{'on'} = ''; $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED'; @@ -2552,39 +2633,52 @@ print <
- + - - + + + - - + + + - - + + + - - - - - + + - - - - + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + @@ -2840,7 +2934,7 @@ END END ; - my $filename = "/var/log/ovpnserver.log"; + my $filename = "/var/run/ovpnserver.log"; open(FILE, $filename) or die 'Unable to open config file.'; my @current = ; close(FILE); @@ -2997,6 +3091,10 @@ END unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); delete $confighash{$cgiparams{'KEY'}}; + + # Delete RRD's for collectd + system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]", "&>/dev/null"); + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); #&writeserverconf(); } else { @@ -4028,6 +4126,10 @@ if ($cgiparams{'TYPE'} eq 'net') { $errormessage = $Lang::tr{'passwords do not match'}; goto VPNCONF_ERROR; } + if ($cgiparams{'DAYS_VALID'} ne '' && $cgiparams{'DAYS_VALID'} !~ /^[0-9]+$/) { + $errormessage = $Lang::tr{'invalid input for valid till days'}; + goto VPNCONF_ERROR; + } # Replace empty strings with a . (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./; @@ -4055,7 +4157,7 @@ if ($cgiparams{'TYPE'} eq 'net') { goto VPNCONF_ERROR; } } else { # child - unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache', + unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-newkey', 'rsa:2048', '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", @@ -4298,6 +4400,7 @@ if ($cgiparams{'TYPE'} eq 'net') { $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'}; $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'}; $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'}; + $cgiparams{'DAYS_VALID'} = $vpnsettings{'DAYS_VALID'}; } VPNCONF_ERROR: @@ -4659,27 +4762,28 @@ END if ($cgiparams{'TYPE'} eq 'host') { print < - - - - + + + + - + - - - -
$Lang::tr{'misc-options'}
Client-To-Client
Redirect-Gateway def1
Max-Clients
Keepalive
- (ping/ping-restart)
$Lang::tr{'ovpn add conf'}$Lang::tr{'openvpn default'}: off
mssfix$Lang::tr{'openvpn default'}: off
fragment
fragment
mssfix$Lang::tr{'openvpn default'}: off
Max-Clients
Keepalive
+ (ping/ping-restart)
$Lang::tr{'ovpn mtu-disc'}
 $Lang::tr{'valid till'} (days):
 
 $Lang::tr{'valid till'} (days):
  $Lang::tr{'pkcs12 file password'}:
 $Lang::tr{'pkcs12 file password'}:
($Lang::tr{'confirmation'})
 $Lang::tr{'pkcs12 file password'}:
($Lang::tr{'confirmation'})
 
* $Lang::tr{'this field may be blank'}
+   +
+ * $Lang::tr{'this field may be blank'} + END }else{ print < -     -     -
- * $Lang::tr{'this field may be blank'} + +  $Lang::tr{'valid till'} (days): + +     +     +
+ * $Lang::tr{'this field may be blank'} END @@ -4834,7 +4938,7 @@ END &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash); &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - my @status = `/bin/cat /var/log/ovpnserver.log`; + my @status = `/bin/cat /var/run/ovpnserver.log`; if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") { if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {