X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=html%2Fcgi-bin%2Fovpnmain.cgi;h=e76a688fe7dcda0b77bf716eb2538342cd775b00;hb=refs%2Fheads%2Fnext;hp=d9e26de2fee0c6f426cefa78ad2809effe735bc0;hpb=40335cecaa67bd8b370e4a90741dd6557a821382;p=ipfire-2.x.git diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi old mode 100644 new mode 100755 index d9e26de2fe..c92d0237d2 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2014 IPFire Team # +# Copyright (C) 2007-2023 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -18,11 +18,13 @@ # along with this program. If not, see . # # # ############################################################################### -### -# Based on IPFireCore 77 -### + use CGI; use CGI qw/:standard/; +use Imager::QRCode; +use MIME::Base32; +use MIME::Base64; +use URI::Encode qw(uri_encode uri_decode);; use Net::DNS; use Net::Ping; use Net::Telnet; @@ -31,6 +33,7 @@ use File::Temp qw/ tempfile tempdir /; use strict; use Archive::Zip qw(:ERROR_CODES :CONSTANTS); use Sort::Naturally; +use Date::Parse; require '/var/ipfire/general-functions.pl'; require "${General::swroot}/lang.pl"; require "${General::swroot}/header.pl"; @@ -40,6 +43,7 @@ require "${General::swroot}/location-functions.pl"; # enable only the following on debugging purpose #use warnings; #use CGI::Carp 'fatalsToBrowser'; + #workaround to suppress a warning when a variable is used only once my @dummy = ( ${Header::colourgreen}, ${Header::colourblue} ); undef (@dummy); 
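Review bot: `use URI::Encode qw(uri_encode uri_decode);;` ends with a doubled semicolon, which Perl tolerates as an empty statement but reads as a typo; drop one, `use URI::Encode qw(uri_encode uri_decode);`. Only `uri_encode` is called in the hunks visible on this page, so `uri_decode` may be an unused import — confirm against the rest of the file before trimming it. The import block sits above `use strict;` as in the original, so this is unchanged style rather than a regression.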
@@ -75,6 +79,7 @@ my $name; my $col=""; my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local"; my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local"; +my $dhparameter = "/etc/ssl/ffdhe4096.pem"; &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); $cgiparams{'ENABLED'} = 'off'; @@ -86,8 +91,6 @@ $cgiparams{'COMPRESSION'} = 'off'; $cgiparams{'ONLY_PROPOSED'} = 'off'; $cgiparams{'ACTION'} = ''; $cgiparams{'CA_NAME'} = ''; -$cgiparams{'DH_NAME'} = 'dh1024.pem'; -$cgiparams{'DHLENGHT'} = ''; $cgiparams{'DHCP_DOMAIN'} = ''; $cgiparams{'DHCP_DNS'} = ''; $cgiparams{'DHCP_WINS'} = ''; @@ -135,6 +138,17 @@ unless (-e "$local_clientconf") { ### ### Useful functions ### +sub iscertlegacy +{ + my $file=$_[0]; + my @certinfo = &General::system_output("/usr/bin/openssl", "pkcs12", "-info", "-nodes", + "-in", "$file.p12", "-noout", "-passin", "pass:''"); + if (index ($certinfo[0], "MAC: sha1") != -1) { + return 1; + } + return 0; +} + sub haveOrangeNet { if ($netsettings{'CONFIG_TYPE'} == 2) {return 1;} @@ -218,28 +232,6 @@ sub deletebackupcert sub pkiconfigcheck { - # Warning if DH parameter is 1024 bit - if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { - my @dhparameter = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"); - my $dhbit; - - # Loop through the output and search for the DH bit lenght. - foreach my $line (@dhparameter) { - if ($line =~ (/(\d+)/)) { - # Assign match to dhbit value. - $dhbit = $1; - - last; - } - } - - # Check if the used key lenght is at least 2048 bit. - if ($dhbit < 2048) { - $cryptoerror = "$Lang::tr{'ovpn error dh'}"; - goto CRYPTO_ERROR; - } - } - # Warning if md5 is in usage if (-f "${General::swroot}/ovpn/certs/servercert.pem") { my @signature = &General::system_output("/usr/bin/openssl", "x509", "-noout", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem"); 
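Review bot: `iscertlegacy` never checks `$?` after `General::system_output`, so a missing or unreadable `$file.p12` yields an empty `@certinfo` and the function quietly answers 0, which makes the callers added later in this commit run `openssl pkcs12` without `-legacy` on exactly the files that might need it. It also passes `"-passin", "pass:''"` while every other `pkcs12` call in this commit uses `'pass:'`; there is no shell here, so the two quote characters become the password and openssl will report a MAC verify error for bundles created with an empty password, leaving detection dependent on the `MAC:` line being emitted before that failure. The `index($certinfo[0], "MAC: sha1")` test further assumes the MAC line is the first captured line; openssl prints the `-info` output on its error stream, so unless `system_output` merges stderr (not visible here — confirm) the function can only ever return 0. I would use `"-passin", "pass:"`, test every line with `return 1 if grep { /^MAC:\s*sha1/ } @certinfo;`, and add a header comment: `# Returns 1 when "$file.p12" is a legacy PKCS#12 bundle (SHA-1 MAC, old PBE ciphers) that needs openssl's -legacy provider, 0 otherwise (also 0 when openssl fails).`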
@@ -264,11 +256,11 @@ sub pkiconfigcheck } sub writeserverconf { - my %sovpnsettings = (); - my @temp = (); + my %sovpnsettings = (); + my @temp = (); &General::readhash("${General::swroot}/ovpn/settings", \%sovpnsettings); &read_routepushfile; - + open(CONF, ">${General::swroot}/ovpn/server.conf") or die "Unable to open ${General::swroot}/ovpn/server.conf: $!"; flock CONF, 2; print CONF "#OpenVPN Server conf\n"; @@ -287,7 +279,7 @@ sub writeserverconf { print CONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n"; print CONF "cert ${General::swroot}/ovpn/certs/servercert.pem\n"; print CONF "key ${General::swroot}/ovpn/certs/serverkey.pem\n"; - print CONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n"; + print CONF "dh $dhparameter\n"; my @tempovpnsubnet = split("\/",$sovpnsettings{'DOVPN_SUBNET'}); print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n"; #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n"; @@ -332,9 +324,9 @@ sub writeserverconf { print CONF "fragment $sovpnsettings{'FRAGMENT'}\n"; } - if ($sovpnsettings{KEEPALIVE_1} > 0 && $sovpnsettings{KEEPALIVE_2} > 0) { + if ($sovpnsettings{KEEPALIVE_1} > 0 && $sovpnsettings{KEEPALIVE_2} > 0) { print CONF "keepalive $sovpnsettings{'KEEPALIVE_1'} $sovpnsettings{'KEEPALIVE_2'}\n"; - } + } print CONF "status-version 1\n"; print CONF "status /var/run/ovpnserver.log 30\n"; print CONF "ncp-disable\n"; 
@@ -363,15 +355,17 @@ sub writeserverconf { if ($sovpnsettings{DHCP_WINS} ne '') { print CONF "push \"dhcp-option WINS $sovpnsettings{DHCP_WINS}\"\n"; } - + if ($sovpnsettings{MAX_CLIENTS} eq '') { print CONF "max-clients 100\n"; } if ($sovpnsettings{MAX_CLIENTS} ne '') { print CONF "max-clients $sovpnsettings{MAX_CLIENTS}\n"; - } + } print CONF "tls-verify /usr/lib/openvpn/verify\n"; print CONF "crl-verify /var/ipfire/ovpn/crls/cacrl.pem\n"; + print CONF "auth-user-pass-optional\n"; + print CONF "reneg-sec 86400\n"; print CONF "user nobody\n"; print CONF "group nobody\n"; print CONF "persist-key\n"; @@ -385,6 +379,11 @@ sub writeserverconf { print CONF "# Log clients connecting/disconnecting\n"; print CONF "client-connect \"/usr/sbin/openvpn-metrics client-connect\"\n"; print CONF "client-disconnect \"/usr/sbin/openvpn-metrics client-disconnect\"\n"; + print CONF "\n"; + + print CONF "# Enable Management Socket\n"; + print CONF "management /var/run/openvpn.sock unix\n"; + print CONF "management-client-auth\n"; # Print server.conf.local if entries exist to server.conf if ( !-z $local_serverconf && $sovpnsettings{'ADDITIONAL_CONFIGS'} eq 'on') { @@ -402,9 +401,9 @@ sub writeserverconf { close (LSC); } print CONF "\n"; - + close(CONF); -} +} sub emptyserverlog{ if (open(FILE, ">/var/run/ovpnserver.log")) { @@ -415,7 +414,7 @@ sub emptyserverlog{ } -sub delccdnet +sub delccdnet { my %ccdconfhash = (); my %ccdhash = (); @@ -436,7 +435,7 @@ sub delccdnet } } &General::writehasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash); - + &writeserverconf; return 0; } @@ -452,21 +451,21 @@ sub addccdnet my $checkup; my $ccdip; my $baseaddress; - - - #check name - if ($ccdname eq '') + + + #check name + if ($ccdname eq '') { $errormessage=$errormessage.$Lang::tr{'ccd err name'}."
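Review bot: `management /var/run/openvpn.sock unix` together with `management-client-auth` hands every client's authentication verdict to whatever process connects to that socket, yet the hunk adds no `management-client-user`/`management-client-group` restriction, so the socket's filesystem owner and mode are the only thing deciding who may approve logins. The server drops to `user nobody`/`group nobody` a few lines earlier in the same function; whether the socket is created before or after that drop and with which mode is not visible here, so confirm it in the packaging and consider pinning the peer, e.g. `print CONF "management-client-user root\n";` right after `management-client-auth` (with the account that actually runs the management client). `auth-user-pass-optional` from the previous hunk raises the stakes: clients that send no credentials still reach the management client, which must explicitly deny them rather than rely on a default. A short comment naming the component expected to listen on the socket, such as `# Authentication decisions are made by the management client on this socket (<component name>)`, would save the next reader a search. writeserverconf starts before this hunk.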
"; return } - - if(!&General::validhostname($ccdname)) + + if(!&General::validccdname($ccdname)) { $errormessage=$Lang::tr{'ccd err invalidname'}; return; } - + ($ccdip,$subcidr) = split (/\//,$ccdnet); $subcidr=&General::iporsubtocidr($subcidr); #check subnet @@ -499,14 +498,14 @@ sub addccdnet sub modccdnet { - + my $newname=$_[0]; my $oldname=$_[1]; my %ccdconfhash=(); my %ccdhash=(); # Check if the new name is valid. - if(!&General::validhostname($newname)) { + if(!&General::validccdname($newname)) { $errormessage=$Lang::tr{'ccd err invalidname'}; return; } @@ -526,7 +525,7 @@ sub modccdnet } } } - + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash); foreach my $key (keys %ccdhash) { if ($ccdhash{$key}[32] eq $oldname) { @@ -535,7 +534,7 @@ sub modccdnet last; } } - + return 0; } sub ccdmaxclients @@ -554,7 +553,7 @@ sub ccdmaxclients return $e-1; } -sub getccdadresses +sub getccdadresses { my $ipin=$_[0]; my ($ip1,$ip2,$ip3,$ip4)=split /\./, $ipin; @@ -591,7 +590,7 @@ sub getccdadresses sub fillselectbox { my $boxname=$_[1]; - my ($ccdip,$subcidr) = split("/",$_[0]); + my ($ccdip,$subcidr) = split("/",$_[0]); my $tz=$_[2]; my @allccdips=&getccdadresses($ccdip,$subcidr,&ccdmaxclients($ccdip."/".$subcidr),$tz); print" - - - - -
- - - - $Lang::tr{'capswarning'}: $Lang::tr{'dh key warn'} - - - - - - - - - -
$Lang::tr{'dh key warn1'}

- -END - ; - &Header::closebox(); - print "
$Lang::tr{'back'}
"; - &Header::closebigbox(); - &Header::closepage(); - exit (0); - -### -### Upload DH key -### -} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload dh key'}) { - unless (ref ($cgiparams{'FH'})) { - $errormessage = $Lang::tr{'there was no file upload'}; - goto UPLOADCA_ERROR; - } - # Move uploaded dh key to a temporary file - (my $fh, my $filename) = tempfile( ); - if (copy ($cgiparams{'FH'}, $fh) != 1) { - $errormessage = $!; - goto UPLOADCA_ERROR; - } - my @temp = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "$filename"); - if ( ! grep(/DH Parameters: \((2048|3072|4096) bit\)/, @temp)) { - $errormessage = $Lang::tr{'not a valid dh key'}; - unlink ($filename); - goto UPLOADCA_ERROR; - } else { - # Delete if old key exists - if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { - unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"; - } - move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"); - if ($? ne 0) { - $errormessage = "$Lang::tr{'dh key move failed'}: $!"; - unlink ($filename); - goto UPLOADCA_ERROR; - } - } - ### ### Upload CA Certificate ### @@ -1489,15 +1394,14 @@ END unlink ($filename); goto UPLOADCA_ERROR; } else { - move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem"); - if ($? ne 0) { + unless(move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem")) { $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; unlink ($filename); goto UPLOADCA_ERROR; } } - @casubject = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem"); + my @casubject = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem"); my $casubject; foreach my $line (@casubject) { 
@@ -1532,8 +1436,8 @@ END &Header::openbigbox('100%', 'LEFT', '', $errormessage); &Header::openbox('100%', 'LEFT', "$Lang::tr{'ca certificate'}:"); my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); - @output = &Header::cleanhtml(@output,"y"); - print "
@output
\n"; + my $output = &Header::cleanhtml(join("", @output),"y"); + print "
$output
\n"; &Header::closebox(); print "
$Lang::tr{'back'}
"; &Header::closebigbox(); @@ -1554,7 +1458,7 @@ END print "Content-Disposition: filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n"; my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); - print "@tmp"; + print @tmp; exit(0); } else { @@ -1652,8 +1556,8 @@ END &Header::openbox('100%', 'LEFT', "$Lang::tr{'host certificate'}:"); @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem"); } - @output = &Header::cleanhtml(@output,"y"); - print "
@output
\n"; + my $output = &Header::cleanhtml(join("", @output), "y"); + print "
$output
\n"; &Header::closebox(); print "
$Lang::tr{'back'}
"; &Header::closebigbox(); @@ -1669,11 +1573,11 @@ END print "Content-Disposition: filename=cacert.pem\r\n\r\n"; my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/ca/cacert.pem"); - print "@tmp"; + print @tmp; exit(0); } - + ### ### Download host certificate ### @@ -1683,7 +1587,7 @@ END print "Content-Disposition: filename=servercert.pem\r\n\r\n"; my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/certs/servercert.pem"); - print "@tmp"; + print @tmp; exit(0); } @@ -1700,7 +1604,7 @@ END my @tmp = ; close(FILE); - print "@tmp"; + print @tmp; exit(0); } @@ -1814,8 +1718,7 @@ END } } - move("$tempdir/cacert.pem", "${General::swroot}/ovpn/ca/cacert.pem"); - if ($? ne 0) { + unless(move("$tempdir/cacert.pem", "${General::swroot}/ovpn/ca/cacert.pem")) { $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; unlink ($filename); unlink ("${General::swroot}/ovpn/ca/cacert.pem"); @@ -1824,8 +1727,7 @@ END goto ROOTCERT_ERROR; } - move("$tempdir/hostcert.pem", "${General::swroot}/ovpn/certs/servercert.pem"); - if ($? ne 0) { + unless(move("$tempdir/hostcert.pem", "${General::swroot}/ovpn/certs/servercert.pem")) { $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; unlink ($filename); unlink ("${General::swroot}/ovpn/ca/cacert.pem"); @@ -1834,8 +1736,7 @@ END goto ROOTCERT_ERROR; } - move("$tempdir/serverkey.pem", "${General::swroot}/ovpn/certs/serverkey.pem"); - if ($? ne 0) { + unless(move("$tempdir/serverkey.pem", "${General::swroot}/ovpn/certs/serverkey.pem")) { $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; unlink ($filename); unlink ("${General::swroot}/ovpn/ca/cacert.pem"); @@ -1911,7 +1812,7 @@ END # refresh #system ('/bin/touch', "${General::swroot}/ovpn/gencanow"); - + # Create the CA certificate my $pid = open(OPENSSL, "|-"); $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;}; 
@@ -1963,7 +1864,7 @@ END } } else { # child unless (exec ('/usr/bin/openssl', 'req', '-nodes', - '-newkey', 'rsa:2048', + '-newkey', 'rsa:4096', '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem", '-out', "${General::swroot}/ovpn/certs/serverreq.pem", '-extensions', 'server', @@ -1976,7 +1877,7 @@ END goto ROOTCERT_ERROR; } } - + # Sign the host certificate request # This system call is safe, because all argeuments are passed as an array. system('/usr/bin/openssl', 'ca', '-days', '999999', @@ -2009,7 +1910,7 @@ END unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); unlink ("${General::swroot}/ovpn/certs/servercert.pem"); unlink ("${General::swroot}/ovpn/ca/cacert.pem"); - unlink ("${General::swroot}/ovpn/crls/cacrl.pem"); + unlink ("${General::swroot}/ovpn/crls/cacrl.pem"); &cleanssldatabase(); goto ROOTCERT_ERROR; # } else { @@ -2017,26 +1918,11 @@ END } # Create ta.key for tls-auth # This system call is safe, because all arguments are passed as an array. - system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); - if ($?) { - $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; - &cleanssldatabase(); - goto ROOTCERT_ERROR; - } - # Create Diffie Hellmann Parameter - # The system call is safe, because all arguments are passed as an array. - system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); + system('/usr/sbin/openvpn', '--genkey', 'secret', "${General::swroot}/ovpn/certs/ta.key"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; - unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); - unlink ("${General::swroot}/ovpn/certs/servercert.pem"); - unlink ("${General::swroot}/ovpn/ca/cacert.pem"); - unlink ("${General::swroot}/ovpn/crls/cacrl.pem"); - unlink ("${General::swroot}/ovpn/ca/dh1024.pem"); &cleanssldatabase(); goto ROOTCERT_ERROR; -# } else { -# &cleanssldatabase(); } goto ROOTCERT_SUCCESS; } 
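Review bot: The rewritten failure branch after `openvpn --genkey secret` only calls `&cleanssldatabase()` and jumps to ROOTCERT_ERROR, leaving the CA certificate, host certificate, host key and CRL that were created just above on disk, whereas the `openssl ca` failure path earlier in this hunk (and the removed dhparam branch) unlink them; unless ROOTCERT_ERROR itself cleans up, a half-initialised PKI without ta.key remains and a retry may be refused because the CA already exists. I would mirror the earlier branch and remove those four files before the `goto`. The message `$Lang::tr{'openssl produced an error'}` is also misleading here because the program that failed is openvpn, not openssl; if a matching translation key exists use it, otherwise a comment noting the deliberate reuse would do.
```perl
	system('/usr/sbin/openvpn', '--genkey', 'secret', "${General::swroot}/ovpn/certs/ta.key");
	if ($?) {
		$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
		# Roll back the files created above so a retry starts clean,
		# matching the failure path of the "openssl ca" call.
		unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
		unlink ("${General::swroot}/ovpn/certs/servercert.pem");
		unlink ("${General::swroot}/ovpn/ca/cacert.pem");
		unlink ("${General::swroot}/ovpn/crls/cacrl.pem");
		&cleanssldatabase();
		goto ROOTCERT_ERROR;
	}
	# … unchanged: goto ROOTCERT_SUCCESS …
```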
@@ -2074,7 +1960,7 @@ END   $Lang::tr{'country'}: - END ; @@ -2087,31 +1973,13 @@ END } print < - $Lang::tr{'ovpn dh'}: - - -   -    +    * $Lang::tr{'required field'}
- - - $Lang::tr{'capswarning'}: $Lang::tr{'ovpn generating the root and host certificates'} - - - - - - -
$Lang::tr{'dh key warn'}
$Lang::tr{'dh key warn1'}

@@ -2154,7 +2022,7 @@ END ### }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) { - + &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); my $n2nactive = ''; @@ -2163,7 +2031,7 @@ END if(grep(/$confighash{$cgiparams{'KEY'}}[1]/, @ps)) { $n2nactive = "1"; } - + if ($confighash{$cgiparams{'KEY'}}) { if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') { $confighash{$cgiparams{'KEY'}}[0] = 'on'; @@ -2183,9 +2051,6 @@ END &General::system("/usr/local/bin/openvpnctrl", "-kn2n", "$confighash{$cgiparams{'KEY'}}[1]"); &writecollectdconf(); } - - } else { - $errormessage = $Lang::tr{'invalid key'}; } } } @@ -2209,19 +2074,19 @@ END ### if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ - + my $zipname = "$confighash{$cgiparams{'KEY'}}[1]-Client.zip"; my $zippathname = "$zippath$zipname"; - $clientovpn = "$confighash{$cgiparams{'KEY'}}[1].conf"; + $clientovpn = "$confighash{$cgiparams{'KEY'}}[1].conf"; my @ovsubnettemp = split(/\./,$confighash{$cgiparams{'KEY'}}[27]); my $ovsubnet = "$ovsubnettemp[0].$ovsubnettemp[1].$ovsubnettemp[2]"; - my $tunmtu = ''; + my $tunmtu = ''; my @remsubnet = split(/\//,$confighash{$cgiparams{'KEY'}}[8]); my $n2nfragment = ''; - + open(CLIENTCONF, ">$tempdir/$clientovpn") or die "Unable to open tempfile: $!"; flock CLIENTCONF, 2; - + my $zip = Archive::Zip->new(); print CLIENTCONF "# IPFire n2n Open VPN Client Config by ummeegge und m.a.d\n"; print CLIENTCONF "# \n"; 
@@ -2231,30 +2096,30 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ print CLIENTCONF "persist-tun\n"; print CLIENTCONF "persist-key\n"; print CLIENTCONF "script-security 2\n"; - print CLIENTCONF "# IP/DNS for remote Server Gateway\n"; + print CLIENTCONF "# IP/DNS for remote Server Gateway\n"; print CLIENTCONF "remote $vpnsettings{'VPN_IP'}\n"; print CLIENTCONF "float\n"; - print CLIENTCONF "# IP adresses of the VPN Subnet\n"; - print CLIENTCONF "ifconfig $ovsubnet.2 $ovsubnet.1\n"; - print CLIENTCONF "# Server Gateway Network\n"; + print CLIENTCONF "# IP adresses of the VPN Subnet\n"; + print CLIENTCONF "ifconfig $ovsubnet.2 $ovsubnet.1\n"; + print CLIENTCONF "# Server Gateway Network\n"; print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n"; - print CLIENTCONF "# tun Device\n"; - print CLIENTCONF "dev tun\n"; + print CLIENTCONF "# tun Device\n"; + print CLIENTCONF "dev tun\n"; print CLIENTCONF "#Logfile for statistics\n"; print CLIENTCONF "status-version 1\n"; print CLIENTCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n"; - print CLIENTCONF "# Port and Protokoll\n"; - print CLIENTCONF "port $confighash{$cgiparams{'KEY'}}[29]\n"; - + print CLIENTCONF "# Port and Protokoll\n"; + print CLIENTCONF "port $confighash{$cgiparams{'KEY'}}[29]\n"; + if ($confighash{$cgiparams{'KEY'}}[28] eq 'tcp') { - print CLIENTCONF "proto tcp-client\n"; + print CLIENTCONF "proto tcp4-client\n"; print CLIENTCONF "# Packet size\n"; if ($confighash{$cgiparams{'KEY'}}[31] eq '') {$tunmtu = '1400'} else {$tunmtu = $confighash{$cgiparams{'KEY'}}[31]}; print CLIENTCONF "tun-mtu $tunmtu\n"; } - + if ($confighash{$cgiparams{'KEY'}}[28] eq 'udp') { - print CLIENTCONF "proto udp\n"; + print CLIENTCONF "proto udp4\n"; print CLIENTCONF "# Paketsize\n"; if ($confighash{$cgiparams{'KEY'}}[31] eq '') {$tunmtu = '1500'} else {$tunmtu = $confighash{$cgiparams{'KEY'}}[31]}; print CLIENTCONF "tun-mtu $tunmtu\n"; 
@@ -2270,11 +2135,11 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ } else { print CLIENTCONF "remote-cert-tls server\n"; } - print CLIENTCONF "# Auth. Client\n"; - print CLIENTCONF "tls-client\n"; + print CLIENTCONF "# Auth. Client\n"; + print CLIENTCONF "tls-client\n"; print CLIENTCONF "# Cipher\n"; print CLIENTCONF "cipher $confighash{$cgiparams{'KEY'}}[40]\n"; - if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") { + if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") { print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12\r\n"; $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n"; } 
@@ -2294,21 +2159,25 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ print CLIENTCONF "# Enable Compression\n"; print CLIENTCONF "comp-lzo\n"; } - print CLIENTCONF "# Debug Level\n"; - print CLIENTCONF "verb 3\n"; - print CLIENTCONF "# Tunnel check\n"; - print CLIENTCONF "keepalive 10 60\n"; - print CLIENTCONF "# Start as daemon\n"; - print CLIENTCONF "daemon $confighash{$cgiparams{'KEY'}}[1]n2n\n"; - print CLIENTCONF "writepid /var/run/$confighash{$cgiparams{'KEY'}}[1]n2n.pid\n"; - print CLIENTCONF "# Activate Management Interface and Port\n"; + print CLIENTCONF "# Debug Level\n"; + print CLIENTCONF "verb 3\n"; + print CLIENTCONF "# Tunnel check\n"; + print CLIENTCONF "keepalive 10 60\n"; + print CLIENTCONF "# Start as daemon\n"; + print CLIENTCONF "daemon $confighash{$cgiparams{'KEY'}}[1]n2n\n"; + print CLIENTCONF "writepid /var/run/$confighash{$cgiparams{'KEY'}}[1]n2n.pid\n"; + print CLIENTCONF "# Activate Management Interface and Port\n"; if ($confighash{$cgiparams{'KEY'}}[22] eq '') {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[29]\n"} else {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[22]\n"}; print CLIENTCONF "# remsub $confighash{$cgiparams{'KEY'}}[11]\n"; - + if (&iscertlegacy("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]")) { + print CLIENTCONF "providers legacy default\n"; + } + + close(CLIENTCONF); - + $zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n"; my $status = $zip->writeToFileNamed($zippathname); @@ -2328,12 +2197,12 @@ else ### # m.a.d net2net ### - + open(CLIENTCONF, ">$tempdir/$clientovpn") or die "Unable to open tempfile: $!"; flock CLIENTCONF, 2; - + my $zip = Archive::Zip->new(); - + print CLIENTCONF "#OpenVPN Client conf\r\n"; print CLIENTCONF "tls-client\r\n"; print CLIENTCONF "client\r\n"; 
@@ -2344,29 +2213,29 @@ else if ( $vpnsettings{'ENABLED'} eq 'on'){ print CLIENTCONF "remote $vpnsettings{'VPN_IP'} $vpnsettings{'DDEST_PORT'}\r\n"; - if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&haveBlueNet())){ - print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Blue interface\r\n"; + if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&haveBlueNet())){ + print CLIENTCONF "#comment the above line and uncomment the next line, if you want to connect on the Blue interface\r\n"; print CLIENTCONF ";remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; } if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){ - print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Orange interface\r\n"; + print CLIENTCONF "#comment the above line and uncomment the next line, if you want to connect on the Orange interface\r\n"; print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; } } elsif ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&haveBlueNet())){ print CLIENTCONF "remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){ - print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Orange interface\r\n"; + print CLIENTCONF "#comment the above line and uncomment the next line, if you want to connect on the Orange interface\r\n"; print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; } } elsif ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){ print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; } - + my $file_crt = new File::Temp( UNLINK => 1 ); my $file_key = new File::Temp( UNLINK => 1 ); my $include_certs = 0; - if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f 
"${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") { + if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") { if ($cgiparams{'MODE'} eq 'insecure') { $include_certs = 1; @@ -2376,10 +2245,18 @@ else # Extract the certificate # This system call is safe, because all arguments are passed as an array. - system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", - '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:'); - if ($?) { - die "openssl error: $?"; + if (&iscertlegacy("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]")) { + system('/usr/bin/openssl', 'pkcs12', '-legacy', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", + '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:'); + if ($?) { + die "openssl error: $?"; + } + } else { + system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", + '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:'); + if ($?) { + die "openssl error: $?"; + } } $zip->addFile("$file_crt", "$confighash{$cgiparams{'KEY'}}[1].pem") or die; 
@@ -2387,10 +2264,18 @@ else # Extract the key # This system call is safe, because all arguments are passed as an array. - system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", - '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:'); - if ($?) { - die "openssl error: $?"; + if (&iscertlegacy("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]")) { + system('/usr/bin/openssl', 'pkcs12', '-legacy', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", + '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:'); + if ($?) { + die "openssl error: $?"; + } + } else { + system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", + '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:'); + if ($?) { + die "openssl error: $?"; + } } $zip->addFile("$file_key", "$confighash{$cgiparams{'KEY'}}[1].key") or die; @@ -2404,7 +2289,7 @@ else print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n"; print CLIENTCONF "key $confighash{$cgiparams{'KEY'}}[1].key\r\n"; $zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n"; - $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; + $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; } print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n"; print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; 
@@ -2439,6 +2324,21 @@ else print CLIENTCONF "fragment $vpnsettings{'FRAGMENT'}\r\n"; } + # Disable storing any credentials in memory + print CLIENTCONF "auth-nocache\r\n"; + + # Set a fake user name for authentication + print CLIENTCONF "auth-token-user USER\r\n"; + print CLIENTCONF "auth-token TOTP\r\n"; + + # If the server is asking for TOTP this needs to happen interactively + print CLIENTCONF "auth-retry interact\r\n"; + + # Add provider line if certificate is legacy type + if (&iscertlegacy("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]")) { + print CLIENTCONF "providers legacy default\r\n"; + } + if ($include_certs) { print CLIENTCONF "\r\n"; @@ -2501,7 +2401,7 @@ else close (LCC); } close(CLIENTCONF); - + $zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n"; my $status = $zip->writeToFileNamed($zippathname); @@ -2512,9 +2412,9 @@ else print @fileholder; exit (0); } - - - + + + ### ### Remove connection ### @@ -2526,7 +2426,7 @@ else if ($confighash{$cgiparams{'KEY'}}) { # Revoke certificate if certificate was deleted and rewrite the CRL - &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf)"; + &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); ### @@ -2556,7 +2456,7 @@ else { unlink "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]"; } - + &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash); foreach my $key (keys %ccdroutehash) { if ($ccdroutehash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){ 
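Review bot: The comment `# Disable storing any credentials in memory` overstates `auth-nocache`; per the OpenVPN manual it only makes the client forget the `auth-user-pass` input once it has been used, so after the server's `reneg-sec 86400` the user is prompted again unless an auth-token has been pushed. I would reword it to `# Forget the entered username/password right after use (auth-nocache); re-prompt on renegotiation unless the server pushed an auth-token`. For `auth-token-user USER`, the manual describes the argument as a base64-encoded username, so the literal `USER` may not decode to the name the server-side verifier expects; confirm against the management client that approves logins and state the intended server-side value in the comment. The enclosing `else` branch and the config-generation block continue outside this hunk.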
@@ -2564,7 +2464,7 @@ else } } &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash); - + &General::readhasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash); foreach my $key (keys %ccdroute2hash) { if ($ccdroute2hash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){ @@ -2601,7 +2501,7 @@ else my @tmp = ; close(FILE); - print "@tmp"; + print @tmp; exit (0); ### @@ -2616,8 +2516,8 @@ else &Header::openbigbox('100%', 'LEFT', '', ''); &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate'}:"); my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); - @output = &Header::cleanhtml(@output,"y"); - print "
@output
\n"; + my $output = &Header::cleanhtml(join("", @output), "y"); + print "
$output
\n"; &Header::closebox(); print ""; &Header::closebigbox(); @@ -2625,21 +2525,60 @@ else exit(0); } +### +### Display OTP QRCode +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show otp qrcode'}) { + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + + my $qrcode = Imager::QRCode->new( + size => 6, + margin => 0, + version => 0, + level => 'M', + mode => '8-bit', + casesensitive => 1, + lightcolor => Imager::Color->new(255, 255, 255), + darkcolor => Imager::Color->new(0, 0, 0), + ); + my $cn = uri_encode($confighash{$cgiparams{'KEY'}}[2]); + my $secret = encode_base32(pack('H*', $confighash{$cgiparams{'KEY'}}[44])); + my $issuer = uri_encode("$mainsettings{'HOSTNAME'}.$mainsettings{'DOMAINNAME'}"); + my $qrcodeimg = $qrcode->plot("otpauth://totp/$cn?secret=$secret&issuer=$issuer"); + my $qrcodeimgdata; + $qrcodeimg->write(data => \$qrcodeimgdata, type=> 'png') + or die $qrcodeimg->errstr; + $qrcodeimgdata = encode_base64($qrcodeimgdata, ''); + + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', ''); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'otp qrcode'}:"); + print <
+$Lang::tr{'otp qrcode'} +END + &Header::closebox(); + print ""; + &Header::closebigbox(); + &Header::closepage(); + exit(0); + ### ### Display Diffie-Hellman key ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show dh'}) { - if (! -e "${General::swroot}/ovpn/ca/dh1024.pem") { + if (! -e "$dhparameter") { $errormessage = $Lang::tr{'not present'}; } else { &Header::showhttpheaders(); &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); &Header::openbox('100%', 'LEFT', "$Lang::tr{'dh'}:"); - my @output = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/dh1024.pem"); - @output = &Header::cleanhtml(@output,"y"); - print "
@output
\n"; + my @output = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "$dhparameter"); + my $output = &Header::cleanhtml(join("", @output) ,"y"); + print "
$output
\n"; &Header::closebox(); print ""; &Header::closebigbox(); @@ -2664,8 +2603,8 @@ else my @output = ; close(FILE); - @output = &Header::cleanhtml(@output,"y"); - print "
@output
\n"; + my $output = &Header::cleanhtml(join("", @output),"y"); + print "
$output
\n"; &Header::closebox(); print ""; &Header::closebigbox(); @@ -2687,8 +2626,8 @@ else &Header::openbigbox('100%', 'LEFT', '', ''); &Header::openbox('100%', 'LEFT', "$Lang::tr{'crl'}:"); my @output = &General::system_output("/usr/bin/openssl", "crl", "-text", "-noout", "-in", "${General::swroot}/ovpn/crls/cacrl.pem"); - @output = &Header::cleanhtml(@output,"y"); - print "
@output
\n"; + my $output = &Header::cleanhtml(join("", @output), "y"); + print "
$output
\n"; &Header::closebox(); print ""; &Header::closebigbox(); @@ -2707,10 +2646,10 @@ else my $disabled; &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams); read_routepushfile; - - + + # if ($cgiparams{'CLIENT2CLIENT'} eq '') { -# $cgiparams{'CLIENT2CLIENT'} = 'on'; +# $cgiparams{'CLIENT2CLIENT'} = 'on'; # } ADV_ERROR: if ($cgiparams{'MAX_CLIENTS'} eq '') { @@ -2756,10 +2695,10 @@ ADV_ERROR: $selected{'LOG_VERB'}{'10'} = ''; $selected{'LOG_VERB'}{'11'} = ''; $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED'; - + &Header::showhttpheaders(); &Header::openpage($Lang::tr{'status ovpn'}, 1, ''); - &Header::openbigbox('100%', 'LEFT', '', $errormessage); + &Header::openbigbox('100%', 'LEFT', '', $errormessage); if ($errormessage) { &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'}); print "$errormessage\n"; @@ -2775,23 +2714,23 @@ ADV_ERROR:
- - + + - + - - + + - +
Domain
DNS
WINS
$Lang::tr{'ovpn routes push options'}
$Lang::tr{'ovpn routes push'} $Lang::tr{'ccd iroutehint'}

$Lang::tr{'ccd iroute2'}DNS1:
DNS2:
WINS:


- + END ; &Header::closebox(); @@ -5159,7 +5117,7 @@ END } } } - + #default setzen if ($cgiparams{'DCIPHER'} eq '') { $cgiparams{'DCIPHER'} = 'AES-256-CBC'; @@ -5287,8 +5245,8 @@ END $activeonrun = ""; } else { $activeonrun = "disabled='disabled'"; - } - &Header::openbox('100%', 'LEFT', $Lang::tr{'global settings'}); + } + &Header::openbox('100%', 'LEFT', $Lang::tr{'global settings'}); print <
@@ -5305,7 +5263,7 @@ END print "$Lang::tr{'ovpn on blue'}"; print ""; } - if (&haveOrangeNet()) { + if (&haveOrangeNet()) { print "$Lang::tr{'ovpn on orange'}"; print ""; } @@ -5314,7 +5272,7 @@ END
- $Lang::tr{'net config'}: + $Lang::tr{'net config'}:
@@ -5322,7 +5280,7 @@ END $Lang::tr{'ovpn subnet'}
$Lang::tr{'protocol'} + $Lang::tr{'destination port'}: $Lang::tr{'MTU'}  @@ -5331,7 +5289,7 @@ END
- $Lang::tr{'ovpn crypt options'}: + $Lang::tr{'ovpn crypt options'}:
@@ -5375,28 +5333,28 @@ END

END -; - +; + if ( $srunning eq "yes" ) { print ""; print ""; - print ""; + print ""; print ""; } else{ print ""; print ""; print ""; if (( -e "${General::swroot}/ovpn/ca/cacert.pem" && - -e "${General::swroot}/ovpn/ca/dh1024.pem" && + -e "$dhparameter" && -e "${General::swroot}/ovpn/certs/servercert.pem" && -e "${General::swroot}/ovpn/certs/serverkey.pem") && - (( $cgiparams{'ENABLED'} eq 'on') || + (( $cgiparams{'ENABLED'} eq 'on') || ( $cgiparams{'ENABLED_BLUE'} eq 'on') || ( $cgiparams{'ENABLED_ORANGE'} eq 'on'))){ print ""; } else { - print ""; - } + print ""; + } } print "
"; &Header::closebox(); @@ -5425,7 +5383,7 @@ END $Lang::tr{'type'} $Lang::tr{'remark'} $Lang::tr{'status'} - $Lang::tr{'action'} + $Lang::tr{'action'} END } 
@@ -5439,36 +5397,61 @@ END $Lang::tr{'type'} $Lang::tr{'remark'} $Lang::tr{'status'} - $Lang::tr{'action'} + $Lang::tr{'action'} END } if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; } - if ($id % 2) { - print ""; + + # Create some simple booleans to check the status + my $hasExpired; + my $expiresSoon; + + # Fetch information about the certificate for non-N2N connections only + if ($confighash{$key}[3] ne 'net') { + my @cavalid = &General::system_output("/usr/bin/openssl", "x509", "-text", + "-in", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem"); + + my $expiryDate = 0; + + # Parse the certificate information + foreach my $line (@cavalid) { + if ($line =~ /Not After : (.*)[\n]/) { + $expiryDate = &Date::Parse::str2time($1); + last; + } + } + + # Calculate the remaining time + my $remainingTime = $expiryDate - time(); + + # Determine whether the certificate has already expired, or will so soon + $hasExpired = ($remainingTime <= 0); + $expiresSoon = ($remainingTime <= 30 * 24 * 3600); + + } else { + # Populate booleans with dummy values for N2N connections (#13066) + $hasExpired = 0; + $expiresSoon = 0; + } + + print ""; + + if ($hasExpired || $expiresSoon) { + $col="bgcolor='$color{'color14'}'"; + } elsif ($id % 2) { $col="bgcolor='$color{'color20'}'"; } else { - print ""; $col="bgcolor='$color{'color22'}'"; } - print "$confighash{$key}[1]"; - print "" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . 
")"; - #if ($confighash{$key}[4] eq 'cert') { - #print "$confighash{$key}[2]"; - #} else { - #print " "; - #} - my @cavalid = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem"); - my $cavalid; - - foreach my $line (@cavalid) { - if ($line =~ /Not After : (.*)[\n]/) { - $cavalid = $1; - - last; - } + print "$confighash{$key}[1]"; + if ($hasExpired) { + print " ($Lang::tr{'openvpn cert has expired'})"; + } elsif ($expiresSoon) { + print " ($Lang::tr{'openvpn cert expires soon'})"; } - + print ""; + print "" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ")"; print "$confighash{$key}[25]"; $col1="bgcolor='${Header::colourred}'"; my $active = "$Lang::tr{'capsclosed'}"; @@ -5488,7 +5471,7 @@ END my @output = ""; my @tustate = ""; my $tport = $confighash{$key}[22]; - my $tnet = new Net::Telnet ( Timeout=>5, Errmode=>'return', Port=>$tport); + my $tnet = new Net::Telnet ( Timeout=>5, Errmode=>'return', Port=>$tport); if ($tport ne '') { $tnet->open('127.0.0.1'); @output = $tnet->cmd(String => 'state', Prompt => '/(END.*\n|ERROR:.*\n)/'); @@ -5525,7 +5508,6 @@ END if ($match[1] ne "Common Name") { $cn = $match[1]; } - $cn =~ s/[_]/ /g; if ($cn eq "$confighash{$key}[2]") { $col1="bgcolor='${Header::colourgreen}'"; $active = "$Lang::tr{'capsopen'}"; @@ -5536,20 +5518,24 @@ END } - print <$active - -
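Review bot: In the new expiry check, `$expiryDate` starts at 0 and is only replaced when a `Not After` line is found and `str2time` succeeds, so a missing or unreadable certificate file (empty `@cavalid`) or an unparsable date is displayed as an expired certificate instead of as a read error, and an undef return from `str2time` additionally computes `$remainingTime` from undef with a warning. Keeping the undetermined case distinct, e.g. `my $expiryDate;` together with `$hasExpired = defined($expiryDate) && $remainingTime <= 0;` and `$expiresSoon = defined($expiryDate) && $remainingTime <= 30 * 24 * 3600;`, would avoid mislabelling. Note also that `$expiresSoon` is true whenever `$hasExpired` is, which the later print chain only handles because it tests `$hasExpired` first; a comment such as `# expiresSoon also covers already-expired certs; always test hasExpired first` would make that ordering dependency explicit. The enclosing loop over `$key` starts outside the hunk.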
- - - -
+ if ($confighash{$key}[41] eq "pass") { + print <$active + +
+ + + + +
END - ; - if ($confighash{$key}[41] eq "no-pass") { + ; } elsif ($confighash{$key}[41] eq "no-pass") { print < + $active + +
@@ -5557,7 +5543,7 @@ END
END - } else { + ; } else { print " "; } @@ -5572,7 +5558,20 @@ END ; } else { print " "; } - if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$key}[1].p12") { + + if ($confighash{$key}[43] eq 'on') { + print < + + + + +END +; } else { + print " "; + } + + if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$key}[1].p12") { print < @@ -5620,28 +5619,33 @@ END # If the config file contains entries, print Key to action icons if ( $id ) { print < - + + - - + + + + + + + + + + + + + + + + - - - - - - - - - - -
  $Lang::tr{'legend'}:  $Lang::tr{$Lang::tr{'click to disable'}    ?RELOAD$Lang::tr{'dl client arch insecure'}    ?RELOAD$Lang::tr{'dl client arch'}     $Lang::tr{ $Lang::tr{'show certificate'}    $Lang::tr{$Lang::tr{'show otp qrcode'}
      ?FLOPPY$Lang::tr{'download certificate'}  ?OFF$Lang::tr{'click to enable'}  $Lang::tr{$Lang::tr{'click to disable'}    $Lang::tr{ $Lang::tr{'edit'}     $Lang::tr{ $Lang::tr{'remove'}
    ?OFF$Lang::tr{'click to enable'}    ?FLOPPY$Lang::tr{'download certificate'}    ?RELOAD$Lang::tr{'dl client arch'}

+ +
END ; } @@ -5763,8 +5767,8 @@ END } # Adding DH parameter to chart - if (-f "${General::swroot}/ovpn/ca/dh1024.pem") { - my @dhsubject = &System_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/dh1024.pem"); + if (-f "$dhparameter") { + my @dhsubject = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "$dhparameter"); my $dhsubject; foreach my $line (@dhsubject) { @@ -5777,7 +5781,7 @@ END print < - $Lang::tr{'dh parameter'} + $Lang::tr{'dh'} $dhsubject
@@ -5793,7 +5797,7 @@ END # Nothing print < - $Lang::tr{'dh parameter'}: + $Lang::tr{'dh'}: $Lang::tr{'not present'}   @@ -5921,27 +5925,8 @@ END - -
- - - - - - - - - - - - - - - -
$Lang::tr{'ovpn dh parameters'}
$Lang::tr{'ovpn dh upload'}: -
$Lang::tr{'ovpn dh new key'}:
- +

END ;