ovpnmain.cgi: Remove unnecessary client configuration options
authorMichael Tremer <michael.tremer@ipfire.org>
Thu, 11 Apr 2024 19:40:55 +0000 (21:40 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Mon, 2 Jun 2025 19:46:39 +0000 (19:46 +0000)
We should send the most minimal configuration so that we do not
overwrite any sensible defaults.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
html/cgi-bin/ovpnmain.cgi

index ddedfd19f098c3ed95e7c4d45c010da85ee14266..cabae236ccd91dd6a8be7384589b6dc7058d6f3a 100644 (file)
@@ -139,6 +139,14 @@ sub iscertlegacy
        return 0;
 }
 
+sub is_cert_rfc3280_compliant($) {
+       my $path = shift;
+
+       my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", $path);
+
+       return grep(/TLS Web Server Authentication/, @output);
+}
+
 sub is_legacy_cipher($) {
        my $cipher = shift;
 
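Review bot: `is_cert_rfc3280_compliant` cannot distinguish a certificate that lacks the serverAuth extended key usage from a certificate file that openssl could not read at all: in both cases `@output` is empty or has no match, the sub returns 0, and the caller in the second hunk then falls back to the deprecated `ns-cert-type server` directive instead of `remote-cert-tls server`. A minimal improvement is to make the contract explicit and fail loudly on the unreadable case, e.g. `return 0 unless -r $path;` preceded by a comment such as `# Returns true if the certificate at $path carries the "TLS Web Server Authentication" EKU; an unreadable file or failed openssl run also yields false`, so that a broken servercert.pem is noticed rather than silently weakening the client's server verification. The `($)` prototype matches the neighbouring `is_legacy_cipher($)`, but note that the call site uses the `&` form, which bypasses prototype checking entirely, so it adds no validation here.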
@@ -2352,44 +2360,50 @@ END
                        "Content-Disposition" => "attachment; filename=${name}.ovpn",
                });
 
-               print "#OpenVPN Client conf\n";
-               print "tls-client\n";
+               print "########################################################################\n";
+               print "# IPFire OpenVPN Client Configuration for \"${name}\"\n";
+               print "########################################################################\n";
+
+               # This is a client
                print "client\n";
-               print "nobind\n";
+
+               # This is a layer 3 VPN
                print "dev tun\n";
-               print "proto $vpnsettings{'DPROTOCOL'}\n";
-               print "tun-mtu $vpnsettings{'DMTU'}\n";
 
+               # Point the client to this server
                print "remote $vpnsettings{'VPN_IP'} $vpnsettings{'DDEST_PORT'}\n";
+               print "proto $vpnsettings{'DPROTOCOL'}\n";
 
-               # We no longer send any cryptographic configuration since 2.6.
-               # That way, we will be able to push this from the server.
-               # Therefore we always mandate NCP for new clients.
-
-               print "auth $vpnsettings{'DAUTH'}\n";
-
-               print "verb 3\n";
+               # Configure the MTU of the tunnel interface
+               print "tun-mtu $vpnsettings{'DMTU'}\n";
 
                # Check host certificate if X509 is RFC3280 compliant.
                # If not, old --ns-cert-type directive will be used.
                # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
-               my @hostcert = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
-               if (! grep(/TLS Web Server Authentication/, @hostcert)) {
+               unless (&is_cert_rfc3280_compliant("${General::swroot}/ovpn/certs/servercert.pem")) {
                        print "ns-cert-type server\n";
                } else {
                        print "remote-cert-tls server\n";
                }
-               print "verify-x509-name $vpnsettings{ROOTCERT_HOSTNAME} name\n";
+               print "verify-x509-name $vpnsettings{'ROOTCERT_HOSTNAME'} name\n";
 
-               if ($vpnsettings{MSSFIX} eq 'on') {
+               if ($vpnsettings{'MSSFIX'} eq 'on') {
                        print "mssfix\n";
            } else {
                        print "mssfix 0\n";
            }
-           if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' ) {
+           if ($vpnsettings{'FRAGMENT'} ne '' && $vpnsettings{'DPROTOCOL'} ne 'tcp' ) {
                        print "fragment $vpnsettings{'FRAGMENT'}\n";
            }
 
+               # We no longer send any cryptographic configuration since 2.6.
+               # That way, we will be able to push this from the server.
+               # Therefore we always mandate NCP for new clients.
+
+               if ($vpnsettings{'DAUTH'} ne "") {
+                       print "auth $vpnsettings{'DAUTH'}\n";
+               }
+
                # Disable storing any credentials in memory
                print "auth-nocache\n";