X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=html%2Fcgi-bin%2Fovpnmain.cgi;h=c52e8bae91973b1a5fdd598b8a6fa51ac61912cc;hb=9434bffaf23228be1774a63ad19d4751339e663c;hp=235ece5f8bf3ba25af3e2fb09afc8e3325dd5427;hpb=aa15b6b2567f1282a19f3c1d8a1c29e0b17f1bdc;p=people%2Fpmueller%2Fipfire-2.x.git
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 235ece5f8b..c52e8bae91 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -213,10 +213,10 @@ sub writeserverconf {
print CONF "writepid /var/run/openvpn.pid\n";
print CONF "#DAN prepare OpenVPN for listening on blue and orange\n";
print CONF ";local $sovpnsettings{'VPN_IP'}\n";
- print CONF "dev $sovpnsettings{'DDEVICE'}\n";
+ print CONF "dev tun\n";
print CONF "proto $sovpnsettings{'DPROTOCOL'}\n";
print CONF "port $sovpnsettings{'DDEST_PORT'}\n";
- print CONF "script-security 3 system\n";
+ print CONF "script-security 3\n";
print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\n";
print CONF "client-config-dir /var/ipfire/ovpn/ccd\n";
print CONF "tls-server\n";
@@ -231,15 +231,15 @@ sub writeserverconf {
# Check if we are using mssfix, fragment or mtu-disc and set the corretct mtu of 1500.
# If we doesn't use one of them, we can use the configured mtu value.
if ($sovpnsettings{'MSSFIX'} eq 'on')
- { print CONF "$sovpnsettings{'DDEVICE'}-mtu 1500\n"; }
+ { print CONF "tun-mtu 1500\n"; }
elsif ($sovpnsettings{'FRAGMENT'} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp')
- { print CONF "$sovpnsettings{'DDEVICE'}-mtu 1500\n"; }
+ { print CONF "tun-mtu 1500\n"; }
elsif (($sovpnsettings{'PMTU_DISCOVERY'} eq 'yes') ||
($sovpnsettings{'PMTU_DISCOVERY'} eq 'maybe') ||
($sovpnsettings{'PMTU_DISCOVERY'} eq 'no' ))
- { print CONF "$sovpnsettings{'DDEVICE'}-mtu 1500\n"; }
+ { print CONF "tun-mtu 1500\n"; }
else
- { print CONF "$sovpnsettings{'DDEVICE'}-mtu $sovpnsettings{'DMTU'}\n"; }
+ { print CONF "tun-mtu $sovpnsettings{'DMTU'}\n"; }
if ($vpnsettings{'ROUTES_PUSH'} ne '') {
@temp = split(/\n/,$vpnsettings{'ROUTES_PUSH'});
@@ -288,7 +288,8 @@ sub writeserverconf {
print CONF "keepalive $sovpnsettings{'KEEPALIVE_1'} $sovpnsettings{'KEEPALIVE_2'}\n";
}
print CONF "status-version 1\n";
- print CONF "status /var/log/ovpnserver.log 30\n";
+ print CONF "status /var/run/ovpnserver.log 30\n";
+ print CONF "ncp-disable\n";
print CONF "cipher $sovpnsettings{DCIPHER}\n";
if ($sovpnsettings{'DAUTH'} eq '') {
print CONF "";
@@ -354,7 +355,7 @@ sub writeserverconf {
}
sub emptyserverlog{
- if (open(FILE, ">/var/log/ovpnserver.log")) {
+ if (open(FILE, ">/var/run/ovpnserver.log")) {
flock FILE, 2;
print FILE "";
close FILE;
@@ -668,6 +669,29 @@ sub read_routepushfile
}
}
+sub writecollectdconf {
+ my $vpncollectd;
+ my %ccdhash=();
+
+ open(COLLECTDVPN, ">${General::swroot}/ovpn/collectd.vpn") or die "Unable to open collectd.vpn: $!";
+ print COLLECTDVPN "Loadplugin openvpn\n";
+ print COLLECTDVPN "\n";
+ print COLLECTDVPN "\n";
+ print COLLECTDVPN "Statusfile \"/var/run/ovpnserver.log\"\n";
+
+ &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
+ foreach my $key (keys %ccdhash) {
+ if ($ccdhash{$key}[0] eq 'on' && $ccdhash{$key}[3] eq 'net') {
+ print COLLECTDVPN "Statusfile \"/var/run/openvpn/$ccdhash{$key}[1]-n2n\"\n";
+ }
+ }
+
+ print COLLECTDVPN "\n";
+ close(COLLECTDVPN);
+
+ # Reload collectd afterwards
+ system("/usr/local/bin/collectdctrl restart &>/dev/null");
+}
#hier die refresh page
if ( -e "${General::swroot}/ovpn/gencanow") {
@@ -903,11 +927,15 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
print SERVERCONF "ifconfig $ovsubnet.1 $ovsubnet.2\n";
print SERVERCONF "# Client Gateway Network\n";
print SERVERCONF "route $remsubnet[0] $remsubnet[1]\n";
+ print SERVERCONF "up \"/etc/init.d/static-routes start\"\n";
print SERVERCONF "# tun Device\n";
print SERVERCONF "dev tun\n";
+ print SERVERCONF "#Logfile for statistics\n";
+ print SERVERCONF "status-version 1\n";
+ print SERVERCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n";
print SERVERCONF "# Port and Protokol\n";
print SERVERCONF "port $cgiparams{'DEST_PORT'}\n";
-
+
if ($cgiparams{'PROTOCOL'} eq 'tcp') {
print SERVERCONF "proto tcp-server\n";
print SERVERCONF "# Packet size\n";
@@ -999,8 +1027,12 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
print CLIENTCONF "ifconfig $ovsubnet.2 $ovsubnet.1\n";
print CLIENTCONF "# Server Gateway Network\n";
print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n";
+ print CLIENTCONF "up \"/etc/init.d/static-routes start\"\n";
print CLIENTCONF "# tun Device\n";
print CLIENTCONF "dev tun\n";
+ print CLIENTCONF "#Logfile for statistics\n";
+ print CLIENTCONF "status-version 1\n";
+ print CLIENTCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n";
print CLIENTCONF "# Port and Protokol\n";
print CLIENTCONF "port $cgiparams{'DEST_PORT'}\n";
@@ -1030,8 +1062,15 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
}
}
}
-
- print CLIENTCONF "ns-cert-type server\n";
+ # Check host certificate if X509 is RFC3280 compliant.
+ # If not, old --ns-cert-type directive will be used.
+ # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
+ my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+ if ($hostcert !~ /TLS Web Server Authentication/) {
+ print CLIENTCONF "ns-cert-type server\n";
+ } else {
+ print CLIENTCONF "remote-cert-tls server\n";
+ }
print CLIENTCONF "# Auth. Client\n";
print CLIENTCONF "tls-client\n";
print CLIENTCONF "# Cipher\n";
@@ -1141,7 +1180,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
$vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};
#new settings for daemon
$vpnsettings{'DOVPN_SUBNET'} = $cgiparams{'DOVPN_SUBNET'};
- $vpnsettings{'DDEVICE'} = $cgiparams{'DDEVICE'};
$vpnsettings{'DPROTOCOL'} = $cgiparams{'DPROTOCOL'};
$vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'};
$vpnsettings{'DMTU'} = $cgiparams{'DMTU'};
@@ -1163,10 +1201,17 @@ SETTINGS_ERROR:
my $file = '';
&General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
+ # Kill all N2N connections
+ system("/usr/local/bin/openvpnctrl -kn2n &>/dev/null");
+
foreach my $key (keys %confighash) {
+ my $name = $confighash{$cgiparams{'$key'}}[1];
+
if ($confighash{$key}[4] eq 'cert') {
delete $confighash{$cgiparams{'$key'}};
}
+
+ system ("/usr/local/bin/openvpnctrl -drrd $name");
}
while ($file = glob("${General::swroot}/ovpn/ca/*")) {
unlink $file;
@@ -1193,6 +1238,9 @@ SETTINGS_ERROR:
while ($file = glob("${General::swroot}/ovpn/ccd/*")) {
unlink $file
}
+ while ($file = glob("${General::swroot}/ovpn/ccd/*")) {
+ unlink $file
+ }
if (open(FILE, ">${General::swroot}/ovpn/ovpn-leases.db")) {
print FILE "";
close FILE;
@@ -1205,6 +1253,9 @@ SETTINGS_ERROR:
system ("rm -rf $file");
}
+ # Remove everything from the collectd configuration
+ &writecollectdconf();
+
#&writeserverconf();
###
### Reset all step 1
@@ -1270,7 +1321,7 @@ END
END
;
+
+ if ($confighash{$key}[41] eq "no-pass") {
+ print <
+
+
+
+
+ |
+END
+ } else {
+ print " | ";
+ }
+
if ($confighash{$key}[4] eq 'cert') {
print <
@@ -5537,42 +5710,49 @@ END
}
print <
+
+
+
-
|
+
END
;
|