X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=html%2Fcgi-bin%2Fovpnmain.cgi;h=927616a55d2217f9b30c30a5c5e6cc8f7db6f2d8;hb=e3c3a6ba5bae10987336ce8170f1d0359c6e8efb;hp=df5f9ece2a3a0732c8d21fe07ec471310028e6cc;hpb=dbe2a1cc36f78e1cf48150dc4e1756be1d04abce;p=people%2Fpmueller%2Fipfire-2.x.git
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index df5f9ece2a..927616a55d 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -19,6 +19,7 @@
# #
###############################################################################
###
+# Based on IPFireCore 77
###
use CGI;
use CGI qw/:standard/;
@@ -92,7 +93,6 @@ $cgiparams{'PMTU_DISCOVERY'} = '';
$cgiparams{'DCIPHER'} = '';
$cgiparams{'DAUTH'} = '';
$cgiparams{'TLSAUTH'} = '';
-$cgiparams{'ENGINES'} = '';
$routes_push_file = "${General::swroot}/ovpn/routes_push";
unless (-e $routes_push_file) { system("touch $routes_push_file"); }
unless (-e "${General::swroot}/ovpn/ccd.conf") { system("touch ${General::swroot}/ovpn/ccd.conf"); }
@@ -172,105 +172,6 @@ sub deletebackupcert
unlink ("${General::swroot}/ovpn/certs/$hexvalue.pem");
}
}
-sub checkportfw {
- my $DPORT = shift;
- my $DPROT = shift;
- my %natconfig =();
- my $confignat = "${General::swroot}/firewall/config";
- $DPROT= uc ($DPROT);
- &General::readhasharray($confignat, \%natconfig);
- foreach my $key (sort keys %natconfig){
- my @portarray = split (/\|/,$natconfig{$key}[30]);
- foreach my $value (@portarray){
- if ($value =~ /:/i){
- my ($a,$b) = split (":",$value);
- if ($DPROT eq $natconfig{$key}[12] && $DPORT gt $a && $DPORT lt $b){
- $errormessage= "$Lang::tr{'source port in use'} $DPORT";
- }
- }else{
- if ($DPROT eq $natconfig{$key}[12] && $DPORT eq $value){
- $errormessage= "$Lang::tr{'source port in use'} $DPORT";
- }
- }
- }
- }
- return;
-}
-
-sub checkportoverlap
-{
- my $portrange1 = $_[0]; # New port range
- my $portrange2 = $_[1]; # existing port range
- my @tempr1 = split(/\:/,$portrange1);
- my @tempr2 = split(/\:/,$portrange2);
-
- unless (&checkportinc($tempr1[0], $portrange2)){ return 0;}
- unless (&checkportinc($tempr1[1], $portrange2)){ return 0;}
-
- unless (&checkportinc($tempr2[0], $portrange1)){ return 0;}
- unless (&checkportinc($tempr2[1], $portrange1)){ return 0;}
-
- return 1; # Everything checks out!
-}
-
-# Darren Critchley - we want to make sure that a port entry is not within an already existing range
-sub checkportinc
-{
- my $port1 = $_[0]; # Port
- my $portrange2 = $_[1]; # Port range
- my @tempr1 = split(/\:/,$portrange2);
-
- if ($port1 < $tempr1[0] || $port1 > $tempr1[1]) {
- return 1;
- } else {
- return 0;
- }
-}
-
-# Darren Critchley - certain ports are reserved for IPFire
-# TCP 67,68,81,222,444
-# UDP 67,68
-# Params passed in -> port, rangeyn, protocol
-sub disallowreserved
-{
- # port 67 and 68 same for tcp and udp, don't bother putting in an array
- my $msg = "";
- my @tcp_reserved = (81,222,444);
- my $prt = $_[0]; # the port or range
- my $ryn = $_[1]; # tells us whether or not it is a port range
- my $prot = $_[2]; # protocol
- my $srcdst = $_[3]; # source or destination
- if ($ryn) { # disect port range
- if ($srcdst eq "src") {
- $msg = "$Lang::tr{'rsvd src port overlap'}";
- } else {
- $msg = "$Lang::tr{'rsvd dst port overlap'}";
- }
- my @tmprng = split(/\:/,$prt);
- unless (67 < $tmprng[0] || 67 > $tmprng[1]) { $errormessage="$msg 67"; return; }
- unless (68 < $tmprng[0] || 68 > $tmprng[1]) { $errormessage="$msg 68"; return; }
- if ($prot eq "tcp") {
- foreach my $prange (@tcp_reserved) {
- unless ($prange < $tmprng[0] || $prange > $tmprng[1]) { $errormessage="$msg $prange"; return; }
- }
- }
- } else {
- if ($srcdst eq "src") {
- $msg = "$Lang::tr{'reserved src port'}";
- } else {
- $msg = "$Lang::tr{'reserved dst port'}";
- }
- if ($prt == 67) { $errormessage="$msg 67"; return; }
- if ($prt == 68) { $errormessage="$msg 68"; return; }
- if ($prot eq "tcp") {
- foreach my $prange (@tcp_reserved) {
- if ($prange == $prt) { $errormessage="$msg $prange"; return; }
- }
- }
- }
- return;
-}
-
sub writeserverconf {
my %sovpnsettings = ();
@@ -369,12 +270,7 @@ sub writeserverconf {
print CONF "auth $sovpnsettings{'DAUTH'}\n";
}
if ($sovpnsettings{'TLSAUTH'} eq 'on') {
- print CONF "tls-auth ${General::swroot}/ovpn/ca/ta.key 0\n";
- }
- if ($sovpnsettings{ENGINES} eq 'disabled') {
- print CONF "";
- } else {
- print CONF "engine $sovpnsettings{ENGINES}\n";
+ print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n";
}
if ($sovpnsettings{DCOMPLZO} eq 'on') {
print CONF "comp-lzo\n";
@@ -572,7 +468,7 @@ sub getccdadresses
my @iprange=();
my %ccdhash=();
&General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
- $iprange[0]=$ip1.".".$ip2.".".$ip3.".".2;
+ $iprange[0]=$ip1.".".$ip2.".".$ip3.".".($ip4+2);
for (my $i=1;$i<=$count;$i++) {
my $tmpip=$iprange[$i-1];
my $stepper=$i*4;
@@ -796,7 +692,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
$vpnsettings{'PMTU_DISCOVERY'} = $cgiparams{'PMTU_DISCOVERY'};
$vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
$vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
- $vpnsettings{'ENGINES'} = $cgiparams{'ENGINES'};
my @temp=();
if ($cgiparams{'FRAGMENT'} eq '') {
@@ -816,13 +711,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
$vpnsettings{'MSSFIX'} = $cgiparams{'MSSFIX'};
}
- # Create ta.key for tls-auth if not presant
- if ($cgiparams{'TLSAUTH'} eq 'on') {
- if ( ! -e "${General::swroot}/ovpn/ca/ta.key") {
- system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/ca/ta.key")
- }
- }
-
if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') ||
($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') ||
($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) {
@@ -921,6 +809,16 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
$errormessage = $Lang::tr{'invalid input for keepalive 1:2'};
goto ADV_ERROR;
}
+ # Create ta.key for tls-auth if not presant
+ if ($cgiparams{'TLSAUTH'} eq 'on') {
+ if ( ! -e "${General::swroot}/ovpn/certs/ta.key") {
+ system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key");
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ goto ADV_ERROR;
+ }
+ }
+ }
&General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
&writeserverconf();#hier ok
@@ -1008,12 +906,6 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
print SERVERCONF "# HMAC algorithm\n";
print SERVERCONF "auth $cgiparams{'DAUTH'}\n";
}
- if ($cgiparams{'ENGINES'} eq 'disabled') {
- print SERVERCONF "";
- } else {
- print SERVERCONF "# Crypto engine\n";
- print SERVERCONF "engine $cgiparams{'ENGINES'}\n";
- }
if ($cgiparams{'COMPLZO'} eq 'on') {
print SERVERCONF "# Enable Compression\n";
print SERVERCONF "comp-lzo\r\n";
@@ -1109,12 +1001,6 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
print CLIENTCONF "# HMAC algorithm\n";
print CLIENTCONF "auth $cgiparams{'DAUTH'}\n";
}
- if ($cgiparams{'ENGINES'} eq 'disabled') {
- print CLIENTCONF "";
- } else {
- print CLIENTCONF "# Crypto engine\n";
- print CLIENTCONF "engine $cgiparams{'ENGINES'}\n";
- }
if ($cgiparams{'COMPLZO'} eq 'on') {
print CLIENTCONF "# Enable Compression\n";
print CLIENTCONF "comp-lzo\r\n";
@@ -1137,7 +1023,6 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
### Save main settings
###
-
if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') {
&General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
#DAN do we really need (to to check) this value? Besides if we listen on blue and orange too,
@@ -1148,13 +1033,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
goto SETTINGS_ERROR;
}
}
- if ($errormessage) { goto SETTINGS_ERROR; }
- if ($cgiparams{'ENABLED'} eq 'on'){
- &checkportfw($cgiparams{'DDEST_PORT'},$cgiparams{'DPROTOCOL'});
- }
- if ($errormessage) { goto SETTINGS_ERROR; }
-
if (! &General::validipandmask($cgiparams{'DOVPN_SUBNET'})) {
$errormessage = $Lang::tr{'ovpn subnet is invalid'};
goto SETTINGS_ERROR;
@@ -1299,7 +1178,6 @@ SETTINGS_ERROR:
- $Lang::tr{'capswarning'}:
$Lang::tr{'capswarning'}:
$Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}