X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=html%2Fcgi-bin%2Fovpnmain.cgi;h=c52e8bae91973b1a5fdd598b8a6fa51ac61912cc;hb=9434bffaf23228be1774a63ad19d4751339e663c;hp=235ece5f8bf3ba25af3e2fb09afc8e3325dd5427;hpb=aa15b6b2567f1282a19f3c1d8a1c29e0b17f1bdc;p=people%2Fpmueller%2Fipfire-2.x.git
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 235ece5f8b..c52e8bae91 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -213,10 +213,10 @@ sub writeserverconf {
 print CONF "writepid /var/run/openvpn.pid\n";
 print CONF "#DAN prepare OpenVPN for listening on blue and orange\n";
 print CONF ";local $sovpnsettings{'VPN_IP'}\n";
- print CONF "dev $sovpnsettings{'DDEVICE'}\n";
+ print CONF "dev tun\n";
 print CONF "proto $sovpnsettings{'DPROTOCOL'}\n";
 print CONF "port $sovpnsettings{'DDEST_PORT'}\n";
- print CONF "script-security 3 system\n";
+ print CONF "script-security 3\n";
 print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\n";
 print CONF "client-config-dir /var/ipfire/ovpn/ccd\n";
 print CONF "tls-server\n";
@@ -231,15 +231,15 @@ sub writeserverconf { # Check if we are using mssfix, fragment or mtu-disc and set the corretct mtu of 1500. # If we doesn't use one of them, we can use the configured mtu value. if ($sovpnsettings{'MSSFIX'} eq 'on') - { print CONF "$sovpnsettings{'DDEVICE'}-mtu 1500\n"; } + { print CONF "tun-mtu 1500\n"; } elsif ($sovpnsettings{'FRAGMENT'} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp') - { print CONF "$sovpnsettings{'DDEVICE'}-mtu 1500\n"; } + { print CONF "tun-mtu 1500\n"; } elsif (($sovpnsettings{'PMTU_DISCOVERY'} eq 'yes') || ($sovpnsettings{'PMTU_DISCOVERY'} eq 'maybe') || ($sovpnsettings{'PMTU_DISCOVERY'} eq 'no' )) - { print CONF "$sovpnsettings{'DDEVICE'}-mtu 1500\n"; } + { print CONF "tun-mtu 1500\n"; } else - { print CONF "$sovpnsettings{'DDEVICE'}-mtu $sovpnsettings{'DMTU'}\n"; } + { print CONF "tun-mtu $sovpnsettings{'DMTU'}\n"; } if ($vpnsettings{'ROUTES_PUSH'} ne '') { @temp = split(/\n/,$vpnsettings{'ROUTES_PUSH'}); @@ -288,7 +288,8 @@ sub writeserverconf { print CONF "keepalive $sovpnsettings{'KEEPALIVE_1'} $sovpnsettings{'KEEPALIVE_2'}\n"; } print CONF "status-version 1\n"; - print CONF "status /var/log/ovpnserver.log 30\n"; + print CONF "status /var/run/ovpnserver.log 30\n"; + print CONF "ncp-disable\n"; print CONF "cipher $sovpnsettings{DCIPHER}\n"; if ($sovpnsettings{'DAUTH'} eq '') { print CONF ""; @@ -354,7 +355,7 @@ sub writeserverconf { } sub emptyserverlog{ - if (open(FILE, ">/var/log/ovpnserver.log")) { + if (open(FILE, ">/var/run/ovpnserver.log")) { flock FILE, 2; print FILE ""; close FILE; 
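Review bot: The added `ncp-disable` line in the `@@ -288` hunk goes into the server config with no comment saying why cipher negotiation is switched off. With negotiation disabled, every client is held to the single `cipher $sovpnsettings{DCIPHER}` value written on the next line, so an installation that still has an older cipher configured keeps it for all clients. I would add a comment above the print, for example `# Negotiation is disabled on purpose: all clients must use the cipher configured in DCIPHER`, so the trade-off is visible to whoever next changes the cipher defaults. writeserverconf's body continues outside the hunk.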
@@ -668,6 +669,29 @@ sub read_routepushfile } } +sub writecollectdconf { + my $vpncollectd; + my %ccdhash=(); + + open(COLLECTDVPN, ">${General::swroot}/ovpn/collectd.vpn") or die "Unable to open collectd.vpn: $!"; + print COLLECTDVPN "Loadplugin openvpn\n"; + print COLLECTDVPN "\n"; + print COLLECTDVPN "\n"; + print COLLECTDVPN "Statusfile \"/var/run/ovpnserver.log\"\n"; + + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash); + foreach my $key (keys %ccdhash) { + if ($ccdhash{$key}[0] eq 'on' && $ccdhash{$key}[3] eq 'net') { + print COLLECTDVPN "Statusfile \"/var/run/openvpn/$ccdhash{$key}[1]-n2n\"\n"; + } + } + + print COLLECTDVPN "\n"; + close(COLLECTDVPN); + + # Reload collectd afterwards + system("/usr/local/bin/collectdctrl restart &>/dev/null"); +} #hier die refresh page if ( -e "${General::swroot}/ovpn/gencanow") { @@ -903,11 +927,15 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print SERVERCONF "ifconfig $ovsubnet.1 $ovsubnet.2\n"; print SERVERCONF "# Client Gateway Network\n"; print SERVERCONF "route $remsubnet[0] $remsubnet[1]\n"; + print SERVERCONF "up \"/etc/init.d/static-routes start\"\n"; print SERVERCONF "# tun Device\n"; print SERVERCONF "dev tun\n"; + print SERVERCONF "#Logfile for statistics\n"; + print SERVERCONF "status-version 1\n"; + print SERVERCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n"; print SERVERCONF "# Port and Protokol\n"; print SERVERCONF "port $cgiparams{'DEST_PORT'}\n"; - + if ($cgiparams{'PROTOCOL'} eq 'tcp') { print SERVERCONF "proto tcp-server\n"; print SERVERCONF "# Packet size\n"; 
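Review bot: In the new `writecollectdconf` (hunk `@@ -668`), `system("/usr/local/bin/collectdctrl restart &>/dev/null");` relies on `&>`, which is a bash extension; Perl passes a command string containing shell metacharacters to `/bin/sh -c`, and a POSIX-only shell reads it as "run in the background, then truncate /dev/null". The portable spelling is `system("/usr/local/bin/collectdctrl restart >/dev/null 2>&1");`, and the return value should be checked so a failed restart is not silent. The same `&>/dev/null` form appears in the `openvpnctrl -kn2n` calls added in the `@@ -1163` and `@@ -2302` hunks. Separately, `$ccdhash{$key}[1]` is placed inside a double-quoted `Statusfile` value, which is safe only if connection names can never contain a quote or a newline; any such validation lies outside this hunk.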
@@ -999,8 +1027,12 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print CLIENTCONF "ifconfig $ovsubnet.2 $ovsubnet.1\n"; print CLIENTCONF "# Server Gateway Network\n"; print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n"; + print CLIENTCONF "up \"/etc/init.d/static-routes start\"\n"; print CLIENTCONF "# tun Device\n"; print CLIENTCONF "dev tun\n"; + print CLIENTCONF "#Logfile for statistics\n"; + print CLIENTCONF "status-version 1\n"; + print CLIENTCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n"; print CLIENTCONF "# Port and Protokol\n"; print CLIENTCONF "port $cgiparams{'DEST_PORT'}\n"; @@ -1030,8 +1062,15 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General } } } - - print CLIENTCONF "ns-cert-type server\n"; + # Check host certificate if X509 is RFC3280 compliant. + # If not, old --ns-cert-type directive will be used. + # If appropriate key usage extension exists, new --remote-cert-tls directive will be used. + my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + if ($hostcert !~ /TLS Web Server Authentication/) { + print CLIENTCONF "ns-cert-type server\n"; + } else { + print CLIENTCONF "remote-cert-tls server\n"; + } print CLIENTCONF "# Auth. Client\n"; print CLIENTCONF "tls-client\n"; print CLIENTCONF "# Cipher\n"; @@ -1141,7 +1180,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'}; #new settings for daemon $vpnsettings{'DOVPN_SUBNET'} = $cgiparams{'DOVPN_SUBNET'}; - $vpnsettings{'DDEVICE'} = $cgiparams{'DDEVICE'}; $vpnsettings{'DPROTOCOL'} = $cgiparams{'DPROTOCOL'}; $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'}; $vpnsettings{'DMTU'} = $cgiparams{'DMTU'}; 
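Review bot: The certificate probe added in the `@@ -1030` hunk never checks whether `openssl x509` succeeded, so if `servercert.pem` is missing or unreadable `$hostcert` is empty and the code silently writes the legacy `ns-cert-type server` directive. Check the exit status right after the backticks, e.g. `die "openssl error: $?" if $?;`, which matches how the `@@ -2225` hunk of this commit treats its own openssl calls. The same block is pasted again in the `@@ -2125` and `@@ -2249` hunks; a small helper that returns the directive to write would keep the three copies from drifting apart. The match is against openssl's human-readable text output, which deserves a comment.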
@@ -1163,10 +1201,17 @@ SETTINGS_ERROR: my $file = ''; &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + # Kill all N2N connections + system("/usr/local/bin/openvpnctrl -kn2n &>/dev/null"); + foreach my $key (keys %confighash) { + my $name = $confighash{$cgiparams{'$key'}}[1]; + if ($confighash{$key}[4] eq 'cert') { delete $confighash{$cgiparams{'$key'}}; } + + system ("/usr/local/bin/openvpnctrl -drrd $name"); } while ($file = glob("${General::swroot}/ovpn/ca/*")) { unlink $file; @@ -1193,6 +1238,9 @@ SETTINGS_ERROR: while ($file = glob("${General::swroot}/ovpn/ccd/*")) { unlink $file } + while ($file = glob("${General::swroot}/ovpn/ccd/*")) { + unlink $file + } if (open(FILE, ">${General::swroot}/ovpn/ovpn-leases.db")) { print FILE ""; close FILE; @@ -1205,6 +1253,9 @@ SETTINGS_ERROR: system ("rm -rf $file"); } + # Remove everything from the collectd configuration + &writecollectdconf(); + #&writeserverconf(); ### ### Reset all step 1 @@ -1270,7 +1321,7 @@ END
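Review bot: The added `my $name = $confighash{$cgiparams{'$key'}}[1];` in the `@@ -1163` hunk looks up the literal string `$key` (single quotes do not interpolate), so `$name` is normally undefined and `openvpnctrl -drrd` runs once per connection without a name. It should read `my $name = $confighash{$key}[1];`; the pre-existing `delete $confighash{$cgiparams{'$key'}}` on the context line has the same quoting problem. The value is then interpolated into a single-string `system`, which goes through the shell; use the list form, `system('/usr/local/bin/openvpnctrl', '-drrd', $name);`, as the `-sn2n` and `-kn2n` calls in the `@@ -2030` and `@@ -2038` hunks do. The enclosing reset block starts and ends outside the hunk.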
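Review bot: The three lines added in the `@@ -1193` hunk repeat the `ccd/*` cleanup loop that sits directly above them as context, so the second loop has nothing left to delete. If a different directory was meant to be cleared here the glob needs correcting; otherwise the duplicate should be dropped.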
  - $Lang::tr{'ipfires hostname'}: + $Lang::tr{'ipfires hostname'}: *   - $Lang::tr{'your e-mail'}:  + $Lang::tr{'your e-mail'}:   - $Lang::tr{'your department'}:  + $Lang::tr{'your department'}:   - $Lang::tr{'city'}:  + $Lang::tr{'city'}:   - $Lang::tr{'state or province'}:  + $Lang::tr{'state or province'}:   $Lang::tr{'country'}: @@ -1952,7 +2003,7 @@ END $Lang::tr{'ovpn dh'}:    - * $Lang::tr{'this field may be blank'} + * $Lang::tr{'required field'}
@@ -1980,17 +2031,17 @@ END
- + - + + * $Lang::tr{'required field'}

$Lang::tr{'upload p12 file'}:
$Lang::tr{'upload p12 file'}: *  
$Lang::tr{'pkcs12 file password'}: *
$Lang::tr{'pkcs12 file password'}:  
   
-  $Lang::tr{'this field may be blank'}
END @@ -2030,7 +2081,8 @@ END &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ - system('/usr/local/bin/openvpnctrl', '-sn2n', $confighash{$cgiparams{'KEY'}}[1]); + system('/usr/local/bin/openvpnctrl', '-sn2n', $confighash{$cgiparams{'KEY'}}[1]); + &writecollectdconf(); } } else { @@ -2038,14 +2090,15 @@ END &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ - if ($n2nactive ne ''){ - system('/usr/local/bin/openvpnctrl', '-kn2n', $confighash{$cgiparams{'KEY'}}[1]); - } + if ($n2nactive ne '') { + system('/usr/local/bin/openvpnctrl', '-kn2n', $confighash{$cgiparams{'KEY'}}[1]); + &writecollectdconf(); + } } else { - $errormessage = $Lang::tr{'invalid key'}; + $errormessage = $Lang::tr{'invalid key'}; } - } + } } ### @@ -2097,7 +2150,10 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ print CLIENTCONF "# Server Gateway Network\n"; print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n"; print CLIENTCONF "# tun Device\n"; - print CLIENTCONF "dev $vpnsettings{'DDEVICE'}\n"; + print CLIENTCONF "dev tun\n"; + print CLIENTCONF "#Logfile for statistics\n"; + print CLIENTCONF "status-version 1\n"; + print CLIENTCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n"; print CLIENTCONF "# Port and Protokoll\n"; print CLIENTCONF "port $confighash{$cgiparams{'KEY'}}[29]\n"; 
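Review bot: The added `status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10` line in the `@@ -2097` hunk takes the connection name from the request, while the rest of this download branch reads from the stored record (`$confighash{$cgiparams{'KEY'}}[29]` for the port a few lines later). If the download request carries only `KEY`, which the visible lines suggest, the client config gets `status /var/run/openvpn/-n2n 10`, and in any case a request value ends up in a generated config file. Use the stored name instead: `print CLIENTCONF "status /var/run/openvpn/$confighash{$cgiparams{'KEY'}}[1]-n2n 10\n";`. The enclosing block starts and ends outside the hunk.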
@@ -2125,7 +2181,15 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ } } } - print CLIENTCONF "ns-cert-type server\n"; + # Check host certificate if X509 is RFC3280 compliant. + # If not, old --ns-cert-type directive will be used. + # If appropriate key usage extension exists, new --remote-cert-tls directive will be used. + my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + if ($hostcert !~ /TLS Web Server Authentication/) { + print CLIENTCONF "ns-cert-type server\n"; + } else { + print CLIENTCONF "remote-cert-tls server\n"; + } print CLIENTCONF "# Auth. Client\n"; print CLIENTCONF "tls-client\n"; print CLIENTCONF "# Cipher\n"; @@ -2189,21 +2253,21 @@ else print CLIENTCONF "tls-client\r\n"; print CLIENTCONF "client\r\n"; print CLIENTCONF "nobind\r\n"; - print CLIENTCONF "dev $vpnsettings{'DDEVICE'}\r\n"; + print CLIENTCONF "dev tun\r\n"; print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n"; # Check if we are using fragment, mssfix or mtu-disc and set MTU to 1500 # or use configured value. if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' ) - { print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu 1500\r\n"; } + { print CLIENTCONF "tun-mtu 1500\r\n"; } elsif ($vpnsettings{MSSFIX} eq 'on') - { print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu 1500\r\n"; } + { print CLIENTCONF "tun-mtu 1500\r\n"; } elsif (($vpnsettings{'PMTU_DISCOVERY'} eq 'yes') || ($vpnsettings{'PMTU_DISCOVERY'} eq 'maybe') || ($vpnsettings{'PMTU_DISCOVERY'} eq 'no' )) - { print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu 1500\r\n"; } + { print CLIENTCONF "tun-mtu 1500\r\n"; } else - { print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu $vpnsettings{'DMTU'}\r\n"; } + { print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n"; } if ( $vpnsettings{'ENABLED'} eq 'on'){ print CLIENTCONF "remote $vpnsettings{'VPN_IP'} $vpnsettings{'DDEST_PORT'}\r\n"; 
@@ -2225,9 +2289,41 @@ else print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; } + my $file_crt = new File::Temp( UNLINK => 1 ); + my $file_key = new File::Temp( UNLINK => 1 ); + my $include_certs = 0; + if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") { - print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n"; - $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n"; + if ($cgiparams{'MODE'} eq 'insecure') { + $include_certs = 1; + + # Add the CA + print CLIENTCONF ";ca cacert.pem\r\n"; + $zip->addFile("${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n"; + + # Extract the certificate + system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", + '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:'); + if ($?) { + die "openssl error: $?"; + } + + $zip->addFile("$file_crt", "$confighash{$cgiparams{'KEY'}}[1].pem") or die; + print CLIENTCONF ";cert $confighash{$cgiparams{'KEY'}}[1].pem\r\n"; + + # Extract the key + system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", + '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:'); + if ($?) 
{ + die "openssl error: $?"; + } + + $zip->addFile("$file_key", "$confighash{$cgiparams{'KEY'}}[1].key") or die; + print CLIENTCONF ";key $confighash{$cgiparams{'KEY'}}[1].key\r\n"; + } else { + print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n"; + $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n"; + } } else { print CLIENTCONF "ca cacert.pem\r\n"; print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n"; @@ -2242,6 +2338,9 @@ else print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; } if ($vpnsettings{'TLSAUTH'} eq 'on') { + if ($cgiparams{'MODE'} eq 'insecure') { + print CLIENTCONF ";"; + } print CLIENTCONF "tls-auth ta.key\r\n"; $zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key") or die "Can't add file ta.key\n"; } @@ -2249,8 +2348,16 @@ else print CLIENTCONF "comp-lzo\r\n"; } print CLIENTCONF "verb 3\r\n"; - print CLIENTCONF "ns-cert-type server\r\n"; - print CLIENTCONF "tls-remote $vpnsettings{ROOTCERT_HOSTNAME}\r\n"; + # Check host certificate if X509 is RFC3280 compliant. + # If not, old --ns-cert-type directive will be used. + # If appropriate key usage extension exists, new --remote-cert-tls directive will be used. + my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + if ($hostcert !~ /TLS Web Server Authentication/) { + print CLIENTCONF "ns-cert-type server\r\n"; + } else { + print CLIENTCONF "remote-cert-tls server\r\n"; + } + print CLIENTCONF "verify-x509-name $vpnsettings{ROOTCERT_HOSTNAME} name\r\n"; if ($vpnsettings{MSSFIX} eq 'on') { print CLIENTCONF "mssfix\r\n"; } 
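Review bot: The `MODE eq 'insecure'` branch added in the `@@ -2225` hunk is driven only by the request parameter; nothing here checks that the stored record is marked `no-pass` (index 41, set in the `@@ -4233` hunk) before `openssl pkcs12` is run with `-nodes` and an empty `-passin pass:`. For a password-protected container the extraction fails and the CGI dies mid-response; gating the branch server-side, `if ($cgiparams{'MODE'} eq 'insecure' && $confighash{$cgiparams{'KEY'}}[41] eq 'no-pass') {`, lets it fall back to the normal PKCS#12 package instead. The two bare `or die;` after `$zip->addFile` should carry a message like the other `addFile` calls in this block. A comment should also state that `$file_key` holds the unencrypted private key until the temporary file is unlinked.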
@@ -2266,6 +2373,53 @@ else print CLIENTCONF "mtu-disc $vpnsettings{'PMTU_DISCOVERY'}\r\n"; } } + + if ($include_certs) { + print CLIENTCONF "\r\n"; + + # CA + open(FILE, "<${General::swroot}/ovpn/ca/cacert.pem"); + print CLIENTCONF "\r\n"; + while () { + chomp($_); + print CLIENTCONF "$_\r\n"; + } + print CLIENTCONF "\r\n\r\n"; + close(FILE); + + # Cert + open(FILE, "<$file_crt"); + print CLIENTCONF "\r\n"; + while () { + chomp($_); + print CLIENTCONF "$_\r\n"; + } + print CLIENTCONF "\r\n\r\n"; + close(FILE); + + # Key + open(FILE, "<$file_key"); + print CLIENTCONF "\r\n"; + while () { + chomp($_); + print CLIENTCONF "$_\r\n"; + } + print CLIENTCONF "\r\n\r\n"; + close(FILE); + + # TLS auth + if ($vpnsettings{'TLSAUTH'} eq 'on') { + open(FILE, "<${General::swroot}/ovpn/certs/ta.key"); + print CLIENTCONF "\r\n"; + while () { + chomp($_); + print CLIENTCONF "$_\r\n"; + } + print CLIENTCONF "\r\n\r\n"; + close(FILE); + } + } + # Print client.conf.local if entries exist to client.ovpn if (!-z $local_clientconf && $vpnsettings{'ADDITIONAL_CONFIGS'} eq 'on') { open (LCC, "$local_clientconf"); 
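Review bot: None of the four `open(FILE, "<...")` calls added in the `@@ -2266` hunk checks its result, so an unreadable `cacert.pem`, temporary file or `ta.key` yields an inline block with no content and a client profile that fails only when it is used. Use a checked three-argument open with a lexical handle, e.g. `open(my $fh, '<', "${General::swroot}/ovpn/ca/cacert.pem") or die "Can't read cacert.pem: $!";`. The read-and-copy loop is repeated four times and would be clearer as one small helper that takes the path and the handle to write to.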
@@ -2302,72 +2456,71 @@ else } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) { - &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); - &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - if ($confighash{$cgiparams{'KEY'}}) { -# if ($vpnsettings{'ENABLED'} eq 'on' || -# $vpnsettings{'ENABLED_BLUE'} eq 'on') { -# system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}); -# } -# - my $temp = `/usr/bin/openssl ca -revoke ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`; + if ($confighash{$cgiparams{'KEY'}}) { + # Revoke certificate if certificate was deleted and rewrite the CRL + my $temp = `/usr/bin/openssl ca -revoke ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`; + my $tempA = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`; ### # m.a.d net2net ### -if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { - my $conffile = glob("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]/$confighash{$cgiparams{'KEY'}}[1].conf"); - my $certfile = glob("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); - unlink ($certfile); - unlink ($conffile); + if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { + # Stop the N2N connection before it is removed + system("/usr/local/bin/openvpnctrl -kn2n $confighash{$cgiparams{'KEY'}}[1] &>/dev/null"); - if (-e "${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") { - rmdir ("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") || die "Kann Verzeichnis nicht loeschen: $!"; - } -} + my $conffile = 
glob("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]/$confighash{$cgiparams{'KEY'}}[1].conf"); + my $certfile = glob("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); + unlink ($certfile); + unlink ($conffile); - unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); - unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); + if (-e "${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") { + rmdir ("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") || die "Kann Verzeichnis nicht loeschen: $!"; + } + } + + unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); + unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); # A.Marx CCD delete ccd files and routes - - if (-f "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]") - { - unlink "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]"; - } - - &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash); - foreach my $key (keys %ccdroutehash) { - if ($ccdroutehash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){ - delete $ccdroutehash{$key}; + if (-f "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]") + { + unlink "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]"; } - } - &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash); - &General::readhasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash); - foreach my $key (keys %ccdroute2hash) { - if ($ccdroute2hash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){ - delete $ccdroute2hash{$key}; + &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash); + foreach my $key (keys %ccdroutehash) { + if ($ccdroutehash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){ + delete $ccdroutehash{$key}; + } } - } - &General::writehasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash); - 
&writeserverconf; - + &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash); -# CCD end + &General::readhasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash); + foreach my $key (keys %ccdroute2hash) { + if ($ccdroute2hash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){ + delete $ccdroute2hash{$key}; + } + } + &General::writehasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash); + &writeserverconf; - - delete $confighash{$cgiparams{'KEY'}}; - my $temp2 = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`; - &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); +# CCD end + # Update collectd configuration and delete all RRD files of the removed connection + &writecollectdconf(); + system ("/usr/local/bin/openvpnctrl -drrd $confighash{$cgiparams{'KEY'}}[1]"); - #&writeserverconf(); - } else { - $errormessage = $Lang::tr{'invalid key'}; - } + delete $confighash{$cgiparams{'KEY'}}; + my $temp2 = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`; + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + + } else { + $errormessage = $Lang::tr{'invalid key'}; + } &General::firewall_reload(); ### @@ -2502,7 +2655,7 @@ ADV_ERROR: $cgiparams{'PMTU_DISCOVERY'} = 'off'; } if ($cgiparams{'DAUTH'} eq '') { - $cgiparams{'DAUTH'} = 'SHA1'; + $cgiparams{'DAUTH'} = 'SHA512'; } if ($cgiparams{'TLSAUTH'} eq '') { $cgiparams{'TLSAUTH'} = 'off'; @@ -2692,7 +2845,7 @@ print <SHA2 (512 $Lang::tr{'bit'}) - + $Lang::tr{'openvpn default'}: SHA1 (160 $Lang::tr{'bit'}) @@ -2897,7 +3050,7 @@ END END ; - my $filename = "/var/log/ovpnserver.log"; + my $filename = "/var/run/ovpnserver.log"; open(FILE, $filename) or die 'Unable to open config file.'; my @current = ; close(FILE); 
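Review bot: The two `openvpnctrl` calls added in the `@@ -2302` hunk (the `-kn2n` call with `&>/dev/null` and the `-drrd` call) build a shell command string from the stored connection name, whereas the `@@ -2038` hunk of this same commit uses the list form. Write them as `system('/usr/local/bin/openvpnctrl', '-kn2n', $confighash{$cgiparams{'KEY'}}[1]);` and `system('/usr/local/bin/openvpnctrl', '-drrd', $confighash{$cgiparams{'KEY'}}[1]);` so the name never reaches a shell. `&writecollectdconf()` is also called before `delete $confighash{$cgiparams{'KEY'}}` and `writehasharray`, and it re-reads `ovpnconfig` from disk, so the removed connection's `Statusfile` line appears to survive until the next rewrite; calling it after the config has been written would avoid that. The CRL is now generated twice (`$tempA` and `$temp2`), and one of the two looks redundant.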
@@ -3039,32 +3192,6 @@ END $errormessage = $Lang::tr{'invalid key'}; } -### -### Remove connection -### -} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) { - &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); - &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - - if ($confighash{$cgiparams{'KEY'}}) { -# if ($vpnsettings{'ENABLED'} eq 'on' || -# $vpnsettings{'ENABLED_BLUE'} eq 'on') { -# system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}); -# } - unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); - unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); - delete $confighash{$cgiparams{'KEY'}}; - &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - #&writeserverconf(); - } else { - $errormessage = $Lang::tr{'invalid key'}; - } -#test33 - -### -### Choose between adding a host-net or net-net connection -### - ### # m.a.d net2net ### @@ -3088,11 +3215,10 @@ if ( -s "${General::swroot}/ovpn/settings") { $Lang::tr{'net to net vpn'} (Upload Client Package)   -  Import Connection Name +  Import Connection Name  $Lang::tr{'openvpn default'}: Client Packagename
- * $Lang::tr{'this field may be blank'} END ; @@ -3186,7 +3312,6 @@ END @firen2nconf = ; close (FILE); chomp(@firen2nconf); - } else { $errormessage = "Filecount does not match only 2 files are allowed\n"; @@ -3227,6 +3352,13 @@ END unless(-d "${General::swroot}/ovpn/n2nconf/"){mkdir "${General::swroot}/ovpn/n2nconf", 0755 or die "Unable to create dir $!";} unless(-d "${General::swroot}/ovpn/n2nconf/$n2nname[0]"){mkdir "${General::swroot}/ovpn/n2nconf/$n2nname[0]", 0770 or die "Unable to create dir $!";} + #Add collectd settings to configfile + open(FILE, ">> $tempdir/$uplconffilename") or die 'Unable to open config file.'; + print FILE "# Logfile\n"; + print FILE "status-version 1\n"; + print FILE "status /var/run/openvpn/$n2nname[0]-n2n 10\n"; + close FILE; + move("$tempdir/$uplconffilename", "${General::swroot}/ovpn/n2nconf/$n2nname[0]/$uplconffilename2"); if ($? ne 0) { @@ -4233,6 +4365,10 @@ if ($cgiparams{'TYPE'} eq 'net') { $confighash{$key}[39] = $cgiparams{'DAUTH'}; $confighash{$key}[40] = $cgiparams{'DCIPHER'}; + if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) { + $confighash{$key}[41] = "no-pass"; + } + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); if ($cgiparams{'CHECK1'} ){ @@ -4342,7 +4478,7 @@ if ($cgiparams{'TYPE'} eq 'net') { $cgiparams{'MSSFIX'} = 'on'; $cgiparams{'FRAGMENT'} = '1300'; $cgiparams{'PMTU_DISCOVERY'} = 'off'; - $cgiparams{'DAUTH'} = 'SHA1'; + $cgiparams{'DAUTH'} = 'SHA512'; ### # m.a.d n2n end ### @@ -4468,7 +4604,7 @@ if ($cgiparams{'TYPE'} eq 'net') { &Header::openbox('100%', 'LEFT', "$Lang::tr{'connection'}:"); print "\n"; - print ""; + print ""; if ($cgiparams{'TYPE'} eq 'host') { if ($cgiparams{'KEY'}) { @@ -4507,14 +4643,14 @@ if ($cgiparams{'TYPE'} eq 'net') { - + - + - + @@ -4524,10 +4660,10 @@ if ($cgiparams{'TYPE'} eq 'net') { - + - + @@ -4537,22 +4673,22 @@ if ($cgiparams{'TYPE'} eq 'net') { - + - + - + - 
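Review bot: The `open(FILE, ">> $tempdir/$uplconffilename")` added in the `@@ -3227` hunk is a two-argument open on a name that, as far as the visible lines show, comes from the uploaded client package, and `$n2nname[0]` from the same upload is written into the `status` path. Use the three-argument form with a lexical handle, `open(my $fh, '>>', "$tempdir/$uplconffilename") or die 'Unable to open config file.';`, and make sure both names have been checked against the allowed connection-name pattern before this point; that validation, if present, is outside the hunk. An uploaded config that already contains its own `status` directive will now have two, which deserves a comment or a filter.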
@@ -4578,12 +4714,12 @@ if ($cgiparams{'TYPE'} eq 'net') { - - - - - - + + + + + + @@ -4593,7 +4729,7 @@ if ($cgiparams{'TYPE'} eq 'net') { - + @@ -4603,7 +4739,7 @@ END ; } #jumper - print ""; + print ""; print "
$Lang::tr{'name'}:
$Lang::tr{'name'}: *
$Lang::tr{'local subnet'}
$Lang::tr{'local subnet'} * $Lang::tr{'remote subnet'}$Lang::tr{'remote subnet'} *
$Lang::tr{'ovpn subnet'}
$Lang::tr{'ovpn subnet'} * $Lang::tr{'protocol'}
$Lang::tr{'destination port'}:$Lang::tr{'destination port'}: * Management Port ($Lang::tr{'openvpn default'}: $Lang::tr{'destination port'}):  Management Port ($Lang::tr{'openvpn default'}: $Lang::tr{'destination port'}):
$Lang::tr{'MTU settings'}
$Lang::tr{'MTU'} 
$Lang::tr{'MTU'} $Lang::tr{'openvpn default'}: udp/tcp 1500/1400
fragment  
fragment: $Lang::tr{'openvpn default'}: 1300
mssfix  
mssfix: $Lang::tr{'openvpn default'}: on
$Lang::tr{'comp-lzo'}   +
$Lang::tr{'comp-lzo'}
$Lang::tr{'remark title'} 
$Lang::tr{'remark title'}
"; if ($cgiparams{'TYPE'} eq 'host') { @@ -4670,12 +4806,12 @@ if ($cgiparams{'TYPE'} eq 'host') {
  $Lang::tr{'generate a certificate'}  -  $Lang::tr{'users fullname or system hostname'}: -  $Lang::tr{'users email'}:  -  $Lang::tr{'users department'}:  -  $Lang::tr{'organization name'}:  -  $Lang::tr{'city'}:  -  $Lang::tr{'state or province'}:  +  $Lang::tr{'users fullname or system hostname'}: * +  $Lang::tr{'users email'}: +  $Lang::tr{'users department'}: +  $Lang::tr{'organization name'}: +  $Lang::tr{'city'}: +  $Lang::tr{'state or province'}:  $Lang::tr{'country'}:$Lang::tr{'generate a certificate'}  -  $Lang::tr{'users fullname or system hostname'}: -  $Lang::tr{'users email'}:  -  $Lang::tr{'users department'}:  -  $Lang::tr{'organization name'}:  -  $Lang::tr{'city'}:  -  $Lang::tr{'state or province'}:  +  $Lang::tr{'users fullname or system hostname'}: * +  $Lang::tr{'users email'}: +  $Lang::tr{'users department'}: +  $Lang::tr{'organization name'}: +  $Lang::tr{'city'}: +  $Lang::tr{'state or province'}:  $Lang::tr{'country'}:  
- * $Lang::tr{'this field may be blank'} + * $Lang::tr{'required field'} END }else{ @@ -4742,7 +4878,7 @@ END        
- * $Lang::tr{'this field may be blank'} + * $Lang::tr{'required field'} END @@ -4840,6 +4976,35 @@ END } if ($set == '1' && $#temp != -1){ print"";$set=0;}elsif($set == '0' && $#temp != -1){print"";} } + + my %vpnconfig = (); + &General::readhasharray("${General::swroot}/vpn/config", \%vpnconfig); + foreach my $vpn (keys %vpnconfig) { + # Skip all disabled VPN connections + my $enabled = $vpnconfig{$vpn}[0]; + next unless ($enabled eq "on"); + + my $name = $vpnconfig{$vpn}[1]; + + # Remote subnets + my @networks = split(/\|/, $vpnconfig{$vpn}[11]); + foreach my $network (@networks) { + my $selected = ""; + + foreach my $key (keys %ccdroute2hash) { + if ($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}) { + foreach my $i (1 .. $#{$ccdroute2hash{$key}}) { + if ($ccdroute2hash{$key}[$i] eq $network) { + $selected = "selected"; + } + } + } + } + + print "\n"; + } + } + #check if green,blue,orange are defined for client foreach my $key (keys %ccdroute2hash) { if($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}){ @@ -4897,7 +5062,7 @@ END &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash); &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - my @status = `/bin/cat /var/log/ovpnserver.log`; + my @status = `/bin/cat /var/run/ovpnserver.log`; if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") { if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { @@ -4925,7 +5090,7 @@ END $cgiparams{'MSSFIX'} = 'off'; } if ($cgiparams{'DAUTH'} eq '') { - $cgiparams{'DAUTH'} = 'SHA1'; + $cgiparams{'DAUTH'} = 'SHA512'; } if ($cgiparams{'DOVPN_SUBNET'} eq '') { $cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0'; 
@@ -4939,9 +5104,6 @@ END $checked{'ENABLED_ORANGE'}{'off'} = ''; $checked{'ENABLED_ORANGE'}{'on'} = ''; $checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = 'CHECKED'; - $selected{'DDEVICE'}{'tun'} = ''; - $selected{'DDEVICE'}{'tap'} = ''; - $selected{'DDEVICE'}{$cgiparams{'DDEVICE'}} = 'SELECTED'; $selected{'DPROTOCOL'}{'udp'} = ''; $selected{'DPROTOCOL'}{'tcp'} = ''; @@ -5033,10 +5195,6 @@ END print <$Lang::tr{'local vpn hostname/ip'}:
$Lang::tr{'ovpn subnet'}
- $Lang::tr{'ovpn device'} - @@ -5053,12 +5211,12 @@ END - - - - - + + + + + $Lang::tr{'comp-lzo'} @@ -5116,7 +5274,7 @@ END $Lang::tr{'type'} $Lang::tr{'remark'} $Lang::tr{'status'} - $Lang::tr{'action'} + $Lang::tr{'action'} END } @@ -5130,7 +5288,7 @@ END $Lang::tr{'type'} $Lang::tr{'remark'} $Lang::tr{'status'} - $Lang::tr{'action'} + $Lang::tr{'action'} END } @@ -5229,6 +5387,21 @@ END END ; + + if ($confighash{$key}[41] eq "no-pass") { + print < + + + + + +END + } else { + print " "; + } + if ($confighash{$key}[4] eq 'cert') { print < @@ -5537,42 +5710,49 @@ END } print < + +


+
- - - - - - - - - +
$Lang::tr{'upload ca certificate'}
$Lang::tr{'ca name'}: -
+ + + - - - + + + + + - - - - + + + + +
$Lang::tr{'upload ca certificate'}
$Lang::tr{'ca name'}: +

$Lang::tr{'ovpn dh parameters'}
 
- - $Lang::tr{'ovpn dh upload'}: - - - - - - $Lang::tr{'ovpn dh new key'}: - - - - +
+ + + + + + + + + + + + + + + +
$Lang::tr{'ovpn dh parameters'}
$Lang::tr{'ovpn dh upload'}: +
$Lang::tr{'ovpn dh new key'}:
+ -
+

END ;