1 #!/usr/bin/perl
2 ###############################################################################
3 #                                                                             #
4 # IPFire.org - A linux based firewall                                         #
5 # Copyright (C) 2007-2014  IPFire Team  <info@ipfire.org>                     #
6 #                                                                             #
7 # This program is free software: you can redistribute it and/or modify        #
8 # it under the terms of the GNU General Public License as published by        #
9 # the Free Software Foundation, either version 3 of the License, or           #
10 # (at your option) any later version.                                         #
11 #                                                                             #
12 # This program is distributed in the hope that it will be useful,             #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of              #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
15 # GNU General Public License for more details.                                #
16 #                                                                             #
17 # You should have received a copy of the GNU General Public License           #
18 # along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
19 #                                                                             #
20 ###############################################################################
21 ###
22 # Based on IPFireCore 77
23 ###
24 use CGI;
25 use CGI qw/:standard/;
26 use Net::DNS;
27 use Net::Ping;
28 use Net::Telnet;
29 use File::Copy;
30 use File::Temp qw/ tempfile tempdir /;
31 use strict;
32 use Archive::Zip qw(:ERROR_CODES :CONSTANTS);
33 use Sort::Naturally;
34 require '/var/ipfire/general-functions.pl';
35 require "${General::swroot}/lang.pl";
36 require "${General::swroot}/header.pl";
37 require "${General::swroot}/countries.pl";
38
39 # enable only the following on debugging purpose
40 #use warnings;
41 #use CGI::Carp 'fatalsToBrowser';
# Touch the two header colour variables once more so that Perl does not emit
# a "used only once" warning for them; the list is thrown away immediately.
my @dummy = (${Header::colourgreen}, ${Header::colourblue});
undef @dummy;
45
# Theme colours for the HTML output: the active theme name comes from the
# main settings, the colour table from that theme's include directory.
my %mainsettings = ();
my %color = ();
&General::readhash("${General::swroot}/main/settings", \%mainsettings);
&General::readhash("/srv/web/ipfire/html/themes/$mainsettings{'THEME'}/include/colors.txt", \%color);
50
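###
### Initialize variables
###
my %ccdconfhash=();
my %ccdroutehash=();
my %ccdroute2hash=();
my %netsettings=();
my %cgiparams=();
my %vpnsettings=();
my %checked=();
my %confighash=();
my %cahash=();
my %selected=();
my $warnmessage = '';
my $errormessage = '';
my %settings=();
my $routes_push_file = '';
my $confighost="${General::swroot}/fwhosts/customhosts";
my $configgrp="${General::swroot}/fwhosts/customgroups";
my $customnet="${General::swroot}/fwhosts/customnetworks";
my $name;
my $col="";
&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);

# Form defaults, applied before the request is parsed below (presumably so
# that checkbox parameters an unchecked form does not send still have a
# value). Header::getcgihash is expected to overwrite whatever the request
# carries.
$cgiparams{'ENABLED'} = 'off';
$cgiparams{'ENABLED_BLUE'} = 'off';
$cgiparams{'ENABLED_ORANGE'} = 'off';
$cgiparams{'EDIT_ADVANCED'} = 'off';
$cgiparams{'NAT'} = 'off';
$cgiparams{'COMPRESSION'} = 'off';
$cgiparams{'ONLY_PROPOSED'} = 'off';
$cgiparams{'ACTION'} = '';
$cgiparams{'CA_NAME'} = '';
# NOTE(review): the default Diffie-Hellman group is 1024 bit, which is below
# current recommendations (2048 bit or more). writeserverconf writes this
# file name into server.conf, so a changed default must ship with the
# matching parameter file.
$cgiparams{'DH_NAME'} = 'dh1024.pem';
$cgiparams{'DHLENGHT'} = '';    # (sic) the key is spelled this way by the form
$cgiparams{'DHCP_DOMAIN'} = '';
$cgiparams{'DHCP_DNS'} = '';
$cgiparams{'DHCP_WINS'} = '';
$cgiparams{'ROUTES_PUSH'} = '';
$cgiparams{'DCOMPLZO'} = 'off';
$cgiparams{'MSSFIX'} = '';
$cgiparams{'number'} = '';
$cgiparams{'PMTU_DISCOVERY'} = '';
$cgiparams{'DCIPHER'} = '';
$cgiparams{'DAUTH'} = '';
$cgiparams{'TLSAUTH'} = '';
$routes_push_file = "${General::swroot}/ovpn/routes_push";

# Make sure the state files exist so that later reads need not special-case
# a missing file. They are created with open() rather than system("touch ...")
# so that no shell is spawned on every page load; the paths are constants,
# so this is hygiene rather than an injection fix.
foreach my $state_file ($routes_push_file,
                        "${General::swroot}/ovpn/ccd.conf",
                        "${General::swroot}/ovpn/ccdroute",
                        "${General::swroot}/ovpn/ccdroute2") {
    next if -e $state_file;
    if (open(my $fh, '>>', $state_file)) {
        close($fh);
    }
}

&Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});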
103
104 # prepare openvpn config file
105 ###
106 ### Useful functions
107 ###
sub haveOrangeNet
{
    # Returns 1 when the network CONFIG_TYPE (from ethernet/settings) is
    # 2 or 4, i.e. one of the two layouts that include an ORANGE zone,
    # and 0 otherwise.
    my $type = $netsettings{'CONFIG_TYPE'};
    return ($type == 2 || $type == 4) ? 1 : 0;
}
114
sub haveBlueNet
{
    # Returns 1 when the network CONFIG_TYPE (from ethernet/settings) is
    # 3 or 4, i.e. one of the two layouts that include a BLUE zone,
    # and 0 otherwise.
    my $type = $netsettings{'CONFIG_TYPE'};
    return ($type == 3 || $type == 4) ? 1 : 0;
}
121
sub sizeformat {
    # Render a byte count as a human readable string such as "1.5 KB".
    # The value is divided by 1024 until its magnitude drops below 1024 or
    # the largest unit (EB) is reached, then rounded half-up to two decimals.
    my ($size) = @_;
    my @units = qw(Bytes KB MB GB TB PB EB);
    my $unit = 0;
    while ($unit < $#units && abs($size) >= 1024) {
        $size /= 1024;
        $unit++;
    }
    my $rounded = int($size * 100 + 0.5) / 100;
    return "$rounded $units[$unit]";
}
136
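sub cleanssldatabase
{
    # Reset the OpenSSL CA database under ovpn/certs to a pristine state:
    # serial counter back to "01", index.txt emptied, and the *.old backups
    # plus the first issued certificate (01.pem) removed. As before, a file
    # that cannot be opened is silently skipped. Uses three-argument open()
    # with lexical handles instead of the global bareword FILE.
    my $certdir = "${General::swroot}/ovpn/certs";
    if (open(my $serial, '>', "$certdir/serial")) {
        print $serial "01";
        close($serial);
    }
    if (open(my $index, '>', "$certdir/index.txt")) {
        # Opening for write already truncates the file; nothing to print.
        close($index);
    }
    unlink("$certdir/index.txt.old");
    unlink("$certdir/serial.old");
    unlink("$certdir/01.pem");
}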
151
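sub newcleanssldatabase
{
    # Initialise the OpenSSL CA database without disturbing an existing one:
    # write "01" into serial when it is missing or empty, create index.txt
    # when it is missing or empty, and drop the *.old backups.
    #
    # Two defects of the previous version are fixed here: the serial path
    # was spelled "${swroot}(ovpn/certs/serial" ('(' instead of '/'), so the
    # real serial file was never written, and the -s test on index.txt
    # included a leading '>' in the path, so it tested a non-existent name
    # and always re-ran touch.
    my $certdir = "${General::swroot}/ovpn/certs";
    if (! -s "$certdir/serial") {
        if (open(my $serial, '>', "$certdir/serial")) {
            print $serial "01";
            close($serial);
        }
    }
    if (! -s "$certdir/index.txt") {
        # Create the file if it is absent. An existing empty file is left
        # alone (touch(1) would only have bumped its timestamp).
        if (open(my $index, '>>', "$certdir/index.txt")) {
            close($index);
        }
    }
    unlink("$certdir/index.txt.old");
    unlink("$certdir/serial.old");
}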
165
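sub deletebackupcert
{
    # Remove the certificate file that belongs to the serial number recorded
    # in serial.old (the backup OpenSSL leaves next to the serial file).
    # Nothing happens when serial.old cannot be read or is empty.
    my $certdir = "${General::swroot}/ovpn/certs";
    open(my $fh, '<', "$certdir/serial.old") or return;
    my $hexvalue = <$fh>;
    close($fh);
    return unless defined $hexvalue;
    chomp $hexvalue;
    # A serial is a hexadecimal number and nothing else. Refusing anything
    # else keeps a malformed or tampered serial.old from turning this into
    # an unlink of an arbitrary name under (or, via "..", outside) certs/.
    return unless $hexvalue =~ /^[0-9A-Fa-f]+$/;
    unlink("$certdir/$hexvalue.pem");
}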
175
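sub writeserverconf {
    # Regenerate ${swroot}/ovpn/server.conf from the saved OpenVPN settings
    # (ovpn/settings), the pushed-routes file and the client-config-dir
    # tables (ccd.conf, ccdroute). Dies when server.conf cannot be opened.
    #
    # Fixes compared with the previous version:
    #  - "max-clients" was chosen by testing DHCP_WINS instead of
    #    MAX_CLIENTS, so the configured limit only took effect when a WINS
    #    server happened to be set.
    #  - DH_NAME comes from the current request (%cgiparams), not from the
    #    saved settings, and was written into server.conf unchecked. It is
    #    now restricted to a plain file name so that a path component or a
    #    newline (which would smuggle extra directives into the daemon's
    #    configuration) cannot get through; anything else falls back to the
    #    default %cgiparams is initialised with.
    my %sovpnsettings = ();
    &General::readhash("${General::swroot}/ovpn/settings", \%sovpnsettings);
    # Fills the file-level $vpnsettings{'ROUTES_PUSH'} from the routes file.
    &read_routepushfile;

    my $conffile = "${General::swroot}/ovpn/server.conf";
    open(my $conf, '>', $conffile) or die "Unable to open $conffile: $!";
    flock($conf, 2);    # 2 == LOCK_EX

    my $dh_name = $cgiparams{'DH_NAME'};
    if (!defined($dh_name) || $dh_name !~ /\A[A-Za-z0-9][A-Za-z0-9_.-]*\z/) {
        $dh_name = 'dh1024.pem';
    }

    print $conf "#OpenVPN Server conf\n";
    print $conf "\n";
    print $conf "daemon openvpnserver\n";
    print $conf "writepid /var/run/openvpn.pid\n";
    print $conf "#DAN prepare OpenVPN for listening on blue and orange\n";
    print $conf ";local $sovpnsettings{'VPN_IP'}\n";
    print $conf "dev $sovpnsettings{'DDEVICE'}\n";
    print $conf "proto $sovpnsettings{'DPROTOCOL'}\n";
    print $conf "port $sovpnsettings{'DDEST_PORT'}\n";
    # Script execution level, presumably needed for the tls-verify hook below.
    print $conf "script-security 3 system\n";
    print $conf "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\n";
    print $conf "client-config-dir /var/ipfire/ovpn/ccd\n";
    print $conf "tls-server\n";
    print $conf "ca ${General::swroot}/ovpn/ca/cacert.pem\n";
    print $conf "cert ${General::swroot}/ovpn/certs/servercert.pem\n";
    print $conf "key ${General::swroot}/ovpn/certs/serverkey.pem\n";
    print $conf "dh ${General::swroot}/ovpn/ca/$dh_name\n";
    my ($pool_net, $pool_mask) = split(m{/}, $sovpnsettings{'DOVPN_SUBNET'});
    print $conf "server $pool_net $pool_mask\n";
    #print $conf "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n";

    # A fixed tunnel MTU of 1500 is used whenever mssfix, fragment (UDP
    # only) or mtu-disc is active; otherwise the configured DMTU applies.
    my $uses_fragment = ($sovpnsettings{'FRAGMENT'} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp');
    my $uses_mtu_disc = grep { $sovpnsettings{'PMTU_DISCOVERY'} eq $_ } qw(yes maybe no);
    if ($sovpnsettings{'MSSFIX'} eq 'on' || $uses_fragment || $uses_mtu_disc) {
        print $conf "$sovpnsettings{'DDEVICE'}-mtu 1500\n";
    } else {
        print $conf "$sovpnsettings{'DDEVICE'}-mtu $sovpnsettings{'DMTU'}\n";
    }

    # Routes pushed to every client, one "ip/cidr" per line in the routes file.
    if ($vpnsettings{'ROUTES_PUSH'} ne '') {
        foreach my $route (split(/\n/, $vpnsettings{'ROUTES_PUSH'})) {
            my ($net, $mask) = split(m{/}, &General::ipcidr2msk($route));
            print $conf "push \"route $net $mask\"\n";
        }
    }

    # a.marx ccd: kernel routes for the client-config-dir networks and for the
    # per-client routes (ccdroute entries: [0] is the host, [1..] the routes).
    my %ccdconf = ();
    &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconf);
    foreach my $key (keys %ccdconf) {
        my ($net, $cidr) = split(m{/}, $ccdconf{$key}[1]);
        print $conf "route $net " . &General::cidrtosub($cidr) . "\n";
    }
    my %ccdroutes = ();
    &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutes);
    foreach my $key (keys %ccdroutes) {
        foreach my $i (1 .. $#{$ccdroutes{$key}}) {
            my ($net, $mask) = split(m{/}, $ccdroutes{$key}[$i]);
            print $conf "route $net $mask\n";
        }
    }
    # ccd end

    print $conf "client-to-client\n" if $sovpnsettings{'CLIENT2CLIENT'} eq 'on';
    print $conf "mssfix\n" if $sovpnsettings{'MSSFIX'} eq 'on';
    print $conf "fragment $sovpnsettings{'FRAGMENT'}\n" if $uses_fragment;
    # mtu-disc only takes yes/maybe/no; any other saved value is left out.
    print $conf "mtu-disc $sovpnsettings{'PMTU_DISCOVERY'}\n" if $uses_mtu_disc;

    if ($sovpnsettings{'KEEPALIVE_1'} > 0 && $sovpnsettings{'KEEPALIVE_2'} > 0) {
        print $conf "keepalive $sovpnsettings{'KEEPALIVE_1'} $sovpnsettings{'KEEPALIVE_2'}\n";
    }
    print $conf "status-version 1\n";
    print $conf "status /var/log/ovpnserver.log 30\n";
    print $conf "cipher $sovpnsettings{'DCIPHER'}\n";
    print $conf "auth $sovpnsettings{'DAUTH'}\n" if $sovpnsettings{'DAUTH'} ne '';
    # ta.key is generated when the advanced options are saved with TLSAUTH on.
    print $conf "tls-auth ${General::swroot}/ovpn/ca/ta.key 0\n" if $sovpnsettings{'TLSAUTH'} eq 'on';
    print $conf "comp-lzo\n" if $sovpnsettings{'DCOMPLZO'} eq 'on';
    print $conf "push \"redirect-gateway def1\"\n" if $sovpnsettings{'REDIRECT_GW_DEF1'} eq 'on';
    print $conf "push \"dhcp-option DOMAIN $sovpnsettings{'DHCP_DOMAIN'}\"\n" if $sovpnsettings{'DHCP_DOMAIN'} ne '';
    print $conf "push \"dhcp-option DNS $sovpnsettings{'DHCP_DNS'}\"\n" if $sovpnsettings{'DHCP_DNS'} ne '';
    print $conf "push \"dhcp-option WINS $sovpnsettings{'DHCP_WINS'}\"\n" if $sovpnsettings{'DHCP_WINS'} ne '';

    # Default to 100 clients when no limit has been saved.
    my $max_clients = $sovpnsettings{'MAX_CLIENTS'};
    $max_clients = 100 if !defined($max_clients) || $max_clients eq '';
    print $conf "max-clients $max_clients\n";

    print $conf "tls-verify /usr/lib/openvpn/verify\n";
    print $conf "crl-verify /var/ipfire/ovpn/crls/cacrl.pem\n";
    print $conf "user nobody\n";
    print $conf "group nobody\n";
    print $conf "persist-key\n";
    print $conf "persist-tun\n";
    # Log verbosity; 3 when nothing has been saved.
    my $verb = $sovpnsettings{'LOG_VERB'};
    $verb = 3 if !defined($verb) || $verb eq '';
    print $conf "verb $verb\n";
    print $conf "\n";

    close($conf);
}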
314
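sub emptyserverlog {
    # Truncate the OpenVPN status log (/var/log/ovpnserver.log, the file
    # server.conf points "status" at). Silently does nothing when the log
    # cannot be opened. Three-argument open() with a lexical handle replaces
    # the former bareword FILE; the handle is held exclusively (flock 2 ==
    # LOCK_EX) until it is closed.
    my $logfile = '/var/log/ovpnserver.log';
    open(my $log, '>', $logfile) or return;
    flock($log, 2);
    close($log);
}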
323
sub delccdnet
{
    # Delete the client-config-dir network named $_[0] from ovpn/ccd.conf and
    # regenerate server.conf. Refused — $errormessage set, undef returned —
    # while any host in ovpn/ovpnconfig still refers to that network
    # (field 32). Returns 0 after a successful deletion.
    my ($netname) = @_;
    my $ovpnconfig = "${General::swroot}/ovpn/ovpnconfig";
    my $ccdconf = "${General::swroot}/ovpn/ccd.conf";

    if (-f $ovpnconfig) {
        my %hosts = ();
        &General::readhasharray($ovpnconfig, \%hosts);
        if (grep { $hosts{$_}[32] eq $netname } keys %hosts) {
            $errormessage = $Lang::tr{'ccd err hostinnet'};
            return;
        }
    }

    my %networks = ();
    &General::readhasharray($ccdconf, \%networks);
    my @doomed = grep { $networks{$_}[0] eq $netname } keys %networks;
    delete @networks{@doomed};
    &General::writehasharray($ccdconf, \%networks);

    &writeserverconf();
    return 0;
}
349
sub addccdnet
{
    # Add a client-config-dir network: $_[0] is its name, $_[1] the network
    # as "ip/mask" (mask in either dotted or CIDR form). On success the entry
    # is appended to ovpn/ccd.conf as [name, network-address/cidr],
    # server.conf is regenerated, the form fields ccdname/ccdsubnet are
    # cleared and 1 is returned. On any validation failure $errormessage is
    # set and a false value returned.
    my ($ccdname, $ccdnet) = @_;

    if ($ccdname eq '') {
        $errormessage .= $Lang::tr{'ccd err name'} . "<br>";
        return;
    }
    unless (&General::validhostname($ccdname)) {
        $errormessage = $Lang::tr{'ccd err invalidname'};
        return;
    }

    my ($ccdip, $masktoken) = split(m{/}, $ccdnet);
    my $subcidr = &General::iporsubtocidr($masktoken);
    # Prefixes longer than /30 are rejected (clients are handed /30 slots,
    # see fillselectbox).
    if ($subcidr > 30) {
        $errormessage = $Lang::tr{'ccd err invalidnet'};
        return;
    }
    unless (&General::validipandmask($ccdnet)) {
        $errormessage = $Lang::tr{'ccd err invalidnet'};
        return;
    }

    # Overlap with other configured networks; checksubnets returns the
    # message to show, or an empty value when the network is acceptable.
    $errormessage = &General::checksubnets($ccdname, $ccdnet);
    return if $errormessage;

    my $ccdconf = "${General::swroot}/ovpn/ccd.conf";
    my %networks = ();
    &General::readhasharray($ccdconf, \%networks);
    my $key = &General::findhasharraykey(\%networks);
    my $baseaddress = &General::getnetworkip($ccdip, $subcidr);
    $networks{$key} = [ $ccdname, "$baseaddress/$subcidr" ];
    &General::writehasharray($ccdconf, \%networks);
    &writeserverconf();

    $cgiparams{'ccdname'} = '';
    $cgiparams{'ccdsubnet'} = '';
    return 1;
}
408
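sub modccdnet
{
    # Rename the client-config-dir network $_[1] (old name) to $_[0] (new
    # name) in ovpn/ccd.conf and update every host in ovpn/ovpnconfig that
    # refers to it (field 32). When another network already carries the new
    # name, $errormessage is appended to and undef returned without writing
    # anything; otherwise 0 is returned.
    #
    # Fixes compared with the previous version: the duplicate-name check
    # stopped at the first entry it happened to iterate (renaming on the
    # first non-clash), so a clash further down the hash went unnoticed;
    # and only the first matching host was updated ("last" after the first
    # hit), leaving further hosts pointing at the old name.
    my ($newname, $oldname) = @_;
    my $ccdconf = "${General::swroot}/ovpn/ccd.conf";
    my $ovpnconfig = "${General::swroot}/ovpn/ovpnconfig";

    my %networks = ();
    &General::readhasharray($ccdconf, \%networks);
    my @targets = grep { $networks{$_}[0] eq $oldname } keys %networks;
    if (@targets) {
        my %is_target = map { $_ => 1 } @targets;
        # Any entry other than the one being renamed that already has the
        # new name is a clash (renaming to the same name is allowed).
        foreach my $key (keys %networks) {
            next if $is_target{$key};
            if ($networks{$key}[0] eq $newname) {
                $errormessage .= $Lang::tr{'ccd err netadrexist'};
                return;
            }
        }
        $networks{$_}[0] = $newname foreach @targets;
        &General::writehasharray($ccdconf, \%networks);
    }

    my %hosts = ();
    &General::readhasharray($ovpnconfig, \%hosts);
    my @affected = grep { $hosts{$_}[32] eq $oldname } keys %hosts;
    if (@affected) {
        $hosts{$_}[32] = $newname foreach @affected;
        &General::writehasharray($ovpnconfig, \%hosts);
    }

    return 0;
}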
sub ccdmaxclients
{
    # Number of client slots in the ccd network $_[0] ("ip/cidr"): the
    # network's address count divided by four (each client is handed a /30,
    # see fillselectbox) minus one.
    my ($network) = @_;
    my (undef, $cidr) = split(m{/}, $network);
    my @mask = split(/\./, &General::cidrtosub($cidr));
    my $addresses = 1;
    $addresses *= (256 - $mask[$_]) foreach (0 .. 3);
    return ($addresses / 4) - 1;
}
458
# Build the list of candidate client addresses for a ccd network.
#   $_[0]  network address ("a.b.c.d")
#   $_[1]  CIDR prefix (unused beyond chomp; the range is sized by $_[2])
#   $_[2]  number of slots to generate (see ccdmaxclients)
#   $_[3]  an "ip/mask" that is allowed to stay in the list even though a
#          host in ovpn/ovpnconfig already uses it (field 33)
# The first candidate is network+2 and each further one is 4 addresses on
# (one /30 per client); candidates already taken by another host are
# removed. Returns the remaining addresses.
#
# NOTE(review): the removal splices @iprange while a foreach over it is in
# progress and $r is incremented regardless, so after a hit the index can
# run one ahead of the element being looked at; the exact outcome depends
# on Perl's behaviour for modifying a list under iteration. Left as is —
# a rewrite would have to pin down the intended semantics first.
sub getccdadresses 
{
        my $ipin=$_[0];
        my ($ip1,$ip2,$ip3,$ip4)=split  /\./, $ipin;
        my $cidr=$_[1];
        chomp($cidr);
        my $count=$_[2];
        my $hasip=$_[3];
        chomp($hasip);
        my @iprange=();
        my %ccdhash=();
        &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
        # First slot: network address + 2.
        $iprange[0]=$ip1.".".$ip2.".".$ip3.".".($ip4+2);
        for (my $i=1;$i<=$count;$i++) {
                my $tmpip=$iprange[$i-1];
                my $stepper=$i*4;   # unused
                $iprange[$i]= &General::getnextip($tmpip,4);
        }
        my $r=0;
        foreach my $key (keys %ccdhash) {
                $r=0;
                foreach  my $tmp (@iprange){
                        # Field 33 of a host entry is its "ip/mask".
                        my ($net,$sub) = split (/\//,$ccdhash{$key}[33]);
                        if ($net eq $tmp) {
                                if ( $hasip ne  $ccdhash{$key}[33] ){
                                        splice (@iprange,$r,1);
                                }
                        }
                        $r++;
                }
        }
        return @iprange;
}
492
sub fillselectbox
{
    # Print an HTML <select> named $_[1] that lists every free /30 client
    # slot of the ccd network $_[0] ("ip/cidr"). $_[2] is passed on to
    # getccdadresses as the address that may stay in the list although it
    # is in use (presumably the host being edited). The option equal to
    # $cgiparams{$_[1]} is pre-selected.
    my ($network, $boxname, $keepip) = @_;
    my ($ccdip, $subcidr) = split("/", $network);
    my $slots = &ccdmaxclients("$ccdip/$subcidr");
    my @candidates = &getccdadresses($ccdip, $subcidr, $slots, $keepip);

    print "<select name='$boxname' STYLE='font-family : arial; font-size : 9pt; width:130px;' >";
    foreach my $candidate (@candidates) {
        my $ip = "$candidate/30";
        my $selected = ($ip eq $cgiparams{$boxname}) ? 'selected' : '';
        print "<option value='$ip' $selected>$ip</option>";
    }
    print "</select>";
}
511
sub hostsinnet
{
    # Count the hosts in ovpn/ovpnconfig whose ccd network (field 32) is
    # the name given in $_[0].
    my ($netname) = @_;
    my %hosts = ();
    &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%hosts);
    return scalar grep { $hosts{$_}[32] eq $netname } keys %hosts;
}
523
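sub check_routes_push
{
    # Return 0 when the route $_[0] ("ip/mask") is already pushed to all
    # clients — listed verbatim in the routes_push file (masks compared in
    # dotted form) or contained in one of the networks listed there — and 1
    # otherwise, also when the file is absent or cannot be opened.
    #
    # Uses a lexical handle, which is closed on every return path; the old
    # bareword FILE stayed open after an early "return 0" and its read loop
    # clobbered the global $_. Blank lines are skipped instead of being fed
    # to the subnet test as undef.
    my ($val) = @_;
    my ($ip, $cidr) = split(m{/}, $val);
    my $routes_file = "${General::swroot}/ovpn/routes_push";
    return 1 unless -e $routes_file;
    open(my $fh, '<', $routes_file) or return 1;
    while (my $line = <$fh>) {
        $line =~ s/\s*$//;
        next if $line eq '';
        my ($ip2, $cidr2) = split(m{/}, $line);
        my $mask2 = &General::iporsubtodec($cidr2);
        if ($val eq "$ip2/$mask2" || &General::IpInSubnet($ip, $ip2, $mask2)) {
            close($fh);
            return 0;
        }
    }
    close($fh);
    return 1;
}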
549
sub check_ccdroute
{
    # Return 0 when the route $_[0] ("ip/mask") is already configured as a
    # per-client route in ovpn/ccdroute for a host other than the one named
    # in $cgiparams{'NAME'} — verbatim (compared in dotted-mask form) or as
    # part of a larger network — and 1 otherwise.
    my ($val) = @_;
    my ($ip, $cidr) = split(m{/}, $val);
    my %ccdroutes = ();
    &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutes);
    foreach my $key (keys %ccdroutes) {
        # Entry layout: [0] host name, [1..] its routes.
        my ($owner, @routes) = @{ $ccdroutes{$key} };
        # The host being edited may re-submit its own routes.
        next if $owner eq $cgiparams{'NAME'};
        foreach my $route (@routes) {
            return 0 if &General::iporsubtodec($val) eq $route;
            my ($ip2, $cidr2) = split(m{/}, $route);
            return 0 if &General::IpInSubnet($ip, $ip2, $cidr2);
        }
    }
    return 1;
}
sub check_ccdconf
{
    # Return 0 when the network $_[0] ("ip/mask") collides with a
    # client-config-dir network in ovpn/ccd.conf — identical in CIDR form or
    # contained in one of them — and 1 otherwise.
    my ($val) = @_;
    my ($ip, $cidr) = split(m{/}, $val);
    my %networks = ();
    &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%networks);
    foreach my $entry (values %networks) {
        # Entry layout: [0] name, [1] "network/cidr".
        my $network = $entry->[1];
        return 0 if &General::iporsubtocidr($val) eq $network;
        my ($ip2, $cidr2) = split(m{/}, $network);
        return 0 if &General::IpInSubnet($ip, $ip2, &General::cidrtosub($cidr2));
    }
    return 1;
}
591
592 ###
593 # m.a.d net2net
594 ###
595
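sub validdotmask
{
    # Accept "network/prefix" with the prefix in CIDR form (e.g. "/24") and
    # reject a bare IP address or a dotted-quad mask ("/255.255.255.0").
    # Returns 1 for acceptable input, 0 otherwise.
    #
    # The previous version had an empty "if no match" branch and then read
    # $2, i.e. the capture of whatever regex matched last; input without a
    # "/" is now rejected explicitly instead.
    my ($ipdotmask) = @_;
    return 0 if &General::validip($ipdotmask);
    return 0 unless defined($ipdotmask) && $ipdotmask =~ m{^(.*?)/(.*?)$};
    my $mask = $2;
    return 0 if $mask =~ /\./;
    return 1;
}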
605
606 # -------------------------------------------------------------------
607
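sub write_routepushfile
{
    # Write $vpnsettings{'ROUTES_PUSH'} (one "ip/mask" per line, possibly
    # empty) to $routes_push_file, replacing its previous content. The file
    # is held with an exclusive lock (flock 2 == LOCK_EX) while writing.
    # Returns without writing when the file cannot be opened (the previous
    # version carried on and flock()ed an unopened bareword handle).
    open(my $fh, '>', $routes_push_file) or return;
    flock($fh, 2);
    if ($vpnsettings{'ROUTES_PUSH'} ne '') {
        print $fh $vpnsettings{'ROUTES_PUSH'};
    }
    close($fh);
}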
617
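sub read_routepushfile
{
    # Load $routes_push_file into $vpnsettings{'ROUTES_PUSH'} (replacing any
    # previous value) and mirror it into $cgiparams{'ROUTES_PUSH'} so the
    # form shows the saved routes. Nothing is changed when the file does not
    # exist or cannot be opened. A lexical handle and a named loop variable
    # replace the bareword FILE / global $_ of the previous version.
    return unless -e $routes_push_file;
    open(my $fh, '<', $routes_push_file) or return;
    delete $vpnsettings{'ROUTES_PUSH'};
    while (my $line = <$fh>) {
        $vpnsettings{'ROUTES_PUSH'} .= $line;
    }
    close($fh);
    $cgiparams{'ROUTES_PUSH'} = $vpnsettings{'ROUTES_PUSH'};
}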
630
# Wait page: while the ovpn/gencanow marker file exists (presumably set for
# the duration of certificate generation), show a page that reloads itself
# every 15 seconds and stop here.
if (-e "${General::swroot}/ovpn/gencanow") {
    my $refresh = "<meta http-equiv='refresh' content='15;' />";
    &Header::showhttpheaders();
    &Header::openpage($Lang::tr{'OVPN'}, 1, $refresh);
    &Header::openbigbox('100%', 'center');
    &Header::openbox('100%', 'left', "$Lang::tr{'generate root/host certificates'}:");
    print "<tr>\n<td align='center'><img src='/images/clock.gif' alt='' /></td>\n",
          "<td colspan='2'><font color='red'>Please be patient this realy can take some time on older hardware...</font></td></tr>\n";
    &Header::closebox();
    &Header::closebigbox();
    &Header::closepage();
    exit(0);
}
# end of the wait page
647
648
###
### OpenVPN Server Control
###
# Start or stop the daemon through openvpnctrl (list-form system(), so no
# shell is involved). The status log is emptied around each transition.
if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'}) {
    &emptyserverlog();
    system('/usr/local/bin/openvpnctrl', '-s');
}
elsif ($cgiparams{'ACTION'} eq $Lang::tr{'stop ovpn server'}) {
    system('/usr/local/bin/openvpnctrl', '-k');
    &emptyserverlog();
}
elsif ($cgiparams{'ACTION'} eq $Lang::tr{'restart ovpn server'}) {
    # Restart is accepted but intentionally does nothing: the original code
    # has "openvpnctrl -r" commented out as a workaround "till SIGHUP also
    # works when running as nobody".
}
672
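###
### Save Advanced options
###
# Validate the "advanced options" form and, when everything checks out,
# persist it to ovpn/settings and the routes_push file and regenerate
# server.conf. Every validation failure sets $errormessage and jumps to the
# ADV_ERROR label (outside this section), which redisplays the form.
#
# Changes compared with the previous version:
#  - LOG_VERB and MAX_CLIENTS must be plain integers before they are written
#    into server.conf as "verb N" / "max-clients N"; previously anything
#    submitted went through (MAX_CLIENTS was only range-checked numerically,
#    so "12abc" passed).
#  - whitespace trimming of pushed routes operated on $_ instead of the loop
#    variable, so a route with leading blanks failed validation.
#  - the ccdroute table is read once per save instead of once per route.
if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
    &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
    #DAN do we really need (to to check) this value? Besides if we listen on blue and orange too,
    #DAN this value has to leave.
    #new settings for daemon
    $vpnsettings{'LOG_VERB'} = $cgiparams{'LOG_VERB'};
    $vpnsettings{'KEEPALIVE_1'} = $cgiparams{'KEEPALIVE_1'};
    $vpnsettings{'KEEPALIVE_2'} = $cgiparams{'KEEPALIVE_2'};
    $vpnsettings{'MAX_CLIENTS'} = $cgiparams{'MAX_CLIENTS'};
    $vpnsettings{'REDIRECT_GW_DEF1'} = $cgiparams{'REDIRECT_GW_DEF1'};
    $vpnsettings{'CLIENT2CLIENT'} = $cgiparams{'CLIENT2CLIENT'};
    $vpnsettings{'DHCP_DOMAIN'} = $cgiparams{'DHCP_DOMAIN'};
    $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'};
    $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'};
    $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'};
    $vpnsettings{'PMTU_DISCOVERY'} = $cgiparams{'PMTU_DISCOVERY'};
    $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
    $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
    my @temp = ();

    # LOG_VERB: empty means "use the default" (writeserverconf writes
    # "verb 3"); anything else has to be a number, as it ends up verbatim in
    # server.conf.
    if ($cgiparams{'LOG_VERB'} ne '' && $cgiparams{'LOG_VERB'} !~ /^[0-9]+$/) {
        $errormessage = "Incorrect value, please insert only numbers.";
        goto ADV_ERROR;
    }

    if ($cgiparams{'FRAGMENT'} eq '') {
        delete $vpnsettings{'FRAGMENT'};
    } elsif ($cgiparams{'FRAGMENT'} !~ /^[0-9]+$/) {
        $errormessage = "Incorrect value, please insert only numbers.";
        goto ADV_ERROR;
    } else {
        $vpnsettings{'FRAGMENT'} = $cgiparams{'FRAGMENT'};
    }

    if ($cgiparams{'MSSFIX'} ne 'on') {
        delete $vpnsettings{'MSSFIX'};
    } else {
        $vpnsettings{'MSSFIX'} = $cgiparams{'MSSFIX'};
    }

    # Create ta.key for tls-auth if not present (list-form system(), no shell).
    if ($cgiparams{'TLSAUTH'} eq 'on') {
        if (! -e "${General::swroot}/ovpn/ca/ta.key") {
            system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/ca/ta.key");
        }
    }

    # mtu-disc cannot be combined with mssfix or fragment.
    if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') ||
        ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') ||
        ($cgiparams{'PMTU_DISCOVERY'} eq 'no')) {
        if (($cgiparams{'MSSFIX'} eq 'on') || ($cgiparams{'FRAGMENT'} ne '')) {
            $errormessage = $Lang::tr{'ovpn mtu-disc with mssfix or fragment'};
            goto ADV_ERROR;
        }
    }

    # DHCP options pushed to clients: a domain name (or an IP) for DOMAIN,
    # an FQDN or IP for DNS and WINS.
    if ($cgiparams{'DHCP_DOMAIN'} ne '') {
        unless (&General::validdomainname($cgiparams{'DHCP_DOMAIN'}) || &General::validip($cgiparams{'DHCP_DOMAIN'})) {
            $errormessage = $Lang::tr{'invalid input for dhcp domain'};
            goto ADV_ERROR;
        }
    }
    if ($cgiparams{'DHCP_DNS'} ne '') {
        unless (&General::validfqdn($cgiparams{'DHCP_DNS'}) || &General::validip($cgiparams{'DHCP_DNS'})) {
            $errormessage = $Lang::tr{'invalid input for dhcp dns'};
            goto ADV_ERROR;
        }
    }
    if ($cgiparams{'DHCP_WINS'} ne '') {
        unless (&General::validfqdn($cgiparams{'DHCP_WINS'}) || &General::validip($cgiparams{'DHCP_WINS'})) {
            $errormessage = $Lang::tr{'invalid input for dhcp wins'};
            goto ADV_ERROR;
        }
    }

    # Routes pushed to every client: one "ip/mask" per line. Each must be a
    # valid network, must not be the GREEN network (OpenVPN routes it anyway)
    # and must not overlap a per-client route from ovpn/ccdroute.
    if ($cgiparams{'ROUTES_PUSH'} ne '') {
        @temp = split(/\n/, $cgiparams{'ROUTES_PUSH'});
        undef $vpnsettings{'ROUTES_PUSH'};

        # a.marx ccd: per-client routes, read once for all lines.
        my %ccdroutehash = ();
        &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);

        foreach my $tmpip (@temp) {
            $tmpip =~ s/^\s+//;
            $tmpip =~ s/\s+$//;
            next unless $tmpip;

            unless (&General::validipandmask($tmpip)) {
                $errormessage = "$tmpip " . $Lang::tr{'ovpn errmsg invalid ip or mask'};
                goto ADV_ERROR;
            }
            my ($ip, $cidr) = split(m{/}, &General::ipcidr2msk($tmpip));

            if ($ip eq $netsettings{'GREEN_NETADDRESS'} && $cidr eq $netsettings{'GREEN_NETMASK'}) {
                $errormessage = $Lang::tr{'ovpn errmsg green already pushed'};
                goto ADV_ERROR;
            }

            foreach my $key (keys %ccdroutehash) {
                foreach my $i (1 .. $#{$ccdroutehash{$key}}) {
                    if ("$ip/$cidr" eq $ccdroutehash{$key}[$i]) {
                        $errormessage = "Route $ip\/$cidr " . $Lang::tr{'ccd err inuse'} . " $ccdroutehash{$key}[0]";
                        goto ADV_ERROR;
                    }
                    my ($ip2, $cidr2) = split(m{/}, $ccdroutehash{$key}[$i]);
                    if (&General::IpInSubnet($ip, $ip2, $cidr2)) {
                        $errormessage = "Route $ip\/$cidr " . $Lang::tr{'ccd err inuse'} . " $ccdroutehash{$key}[0]";
                        goto ADV_ERROR;
                    }
                }
            }
            # ccd end

            $vpnsettings{'ROUTES_PUSH'} .= $tmpip . "\n";
        }
        # NOTE(review): the routes file is written here, before MAX_CLIENTS
        # and KEEPALIVE are validated below, so a failure in those checks
        # leaves the routes file updated while ovpn/settings and server.conf
        # are not. Kept as is to preserve the existing order of side effects.
        &write_routepushfile;
        # ROUTES_PUSH lives in its own file, not in ovpn/settings.
        undef $vpnsettings{'ROUTES_PUSH'};
    } else {
        undef $vpnsettings{'ROUTES_PUSH'};
        &write_routepushfile;
    }

    if ((length($cgiparams{'MAX_CLIENTS'}) == 0) ||
        ($cgiparams{'MAX_CLIENTS'} !~ /^[0-9]+$/) ||
        (($cgiparams{'MAX_CLIENTS'}) < 1) ||
        (($cgiparams{'MAX_CLIENTS'}) > 255)) {
        $errormessage = $Lang::tr{'invalid input for max clients'};
        goto ADV_ERROR;
    }
    if ($cgiparams{'KEEPALIVE_1'} ne '') {
        if ($cgiparams{'KEEPALIVE_1'} !~ /^[0-9]+$/) {
            $errormessage = $Lang::tr{'invalid input for keepalive 1'};
            goto ADV_ERROR;
        }
    }
    if ($cgiparams{'KEEPALIVE_2'} ne '') {
        if ($cgiparams{'KEEPALIVE_2'} !~ /^[0-9]+$/) {
            $errormessage = $Lang::tr{'invalid input for keepalive 2'};
            goto ADV_ERROR;
        }
    }
    # The timeout has to be at least twice the ping interval.
    if ($cgiparams{'KEEPALIVE_2'} < ($cgiparams{'KEEPALIVE_1'} * 2)) {
        $errormessage = $Lang::tr{'invalid input for keepalive 1:2'};
        goto ADV_ERROR;
    }

    &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
    &writeserverconf();
}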
823
824 ###
825 # m.a.d net2net
826 ###
827
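if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq 'net' && $cgiparams{'SIDE'} eq 'server')
{
    # Write the server-side OpenVPN configuration of a net-to-net connection
    # to ${General::swroot}/ovpn/n2nconf/<NAME>/<NAME>.conf.
    # Every value is taken from %cgiparams as-is: NAME becomes part of a
    # filesystem path and the remaining fields become config directives, so
    # they are assumed to have been validated earlier in this script
    # (nothing is checked here — confirm before relying on it).
    my @remsubnet    = split(/\//, $cgiparams{'REMOTE_SUBNET'});
    my @ovsubnettemp = split(/\./, $cgiparams{'OVPN_SUBNET'});
    # Only the first three octets of the transfer net are used: the server
    # side takes .1 and the client side .2.
    my $ovsubnet = "$ovsubnettemp[0].$ovsubnettemp[1].$ovsubnettemp[2]";

    my $n2ndir   = "${General::swroot}/ovpn/n2nconf";
    my $confdir  = "$n2ndir/$cgiparams{'NAME'}";
    my $conffile = "$confdir/$cgiparams{'NAME'}.conf";

    unless (-d $n2ndir) {
        mkdir $n2ndir, 0755 or die "Unable to create dir $!";
    }
    unless (-d $confdir) {
        mkdir $confdir, 0770 or die "Unable to create dir $!";
    }

    # Three-argument open with a lexical handle: the file name is built from
    # user input, so it must never be parsed for an open mode.
    open(my $conf, '>', $conffile) or die "Unable to open $conffile: $!";
    flock($conf, 2);    # 2 == LOCK_EX (Fcntl constants are not imported here)

    print {$conf} "# IPFire n2n Open VPN Server Config by ummeegge und m.a.d\n";
    print {$conf} "\n";
    print {$conf} "# User Security\n";
    print {$conf} "user nobody\n";
    print {$conf} "group nobody\n";
    print {$conf} "persist-tun\n";
    print {$conf} "persist-key\n";
    print {$conf} "script-security 2\n";
    print {$conf} "# IP/DNS for remote Server Gateway\n";
    # The server side may be configured without a peer address.
    if ($cgiparams{'REMOTE'} ne '') {
        print {$conf} "remote $cgiparams{'REMOTE'}\n";
    }
    print {$conf} "float\n";
    print {$conf} "# IP adresses of the VPN Subnet\n";
    print {$conf} "ifconfig $ovsubnet.1 $ovsubnet.2\n";
    print {$conf} "# Client Gateway Network\n";
    print {$conf} "route $remsubnet[0] $remsubnet[1]\n";
    print {$conf} "# tun Device\n";
    print {$conf} "dev tun\n";
    print {$conf} "# Port and Protokol\n";
    print {$conf} "port $cgiparams{'DEST_PORT'}\n";

    if ($cgiparams{'PROTOCOL'} eq 'tcp') {
        # TCP gets a smaller default MTU than UDP (1400 vs 1500).
        my $tunmtu = ($cgiparams{'MTU'} eq '') ? '1400' : $cgiparams{'MTU'};
        print {$conf} "proto tcp-server\n";
        print {$conf} "# Packet size\n";
        print {$conf} "tun-mtu $tunmtu\n";
    }
    if ($cgiparams{'PROTOCOL'} eq 'udp') {
        my $tunmtu = ($cgiparams{'MTU'} eq '') ? '1500' : $cgiparams{'MTU'};
        print {$conf} "proto udp\n";
        print {$conf} "# Paketsize\n";
        print {$conf} "tun-mtu $tunmtu\n";
        if ($cgiparams{'FRAGMENT'} ne '') {
            print {$conf} "fragment $cgiparams{'FRAGMENT'}\n";
        }
        if ($cgiparams{'MSSFIX'} eq 'on') {
            print {$conf} "mssfix\n";
        }
    }

    # Path-MTU discovery is only written for one of the three known modes,
    # and only while the MTU is left at 1500 and fragment + mssfix are not
    # both active (the check is applied regardless of the protocol chosen).
    if ($cgiparams{'PMTU_DISCOVERY'} =~ /\A(?:yes|maybe|no)\z/) {
        if (($cgiparams{'MSSFIX'} ne 'on') || ($cgiparams{'FRAGMENT'} eq '')) {
            if ($cgiparams{'MTU'} eq '1500') {
                print {$conf} "mtu-disc $cgiparams{'PMTU_DISCOVERY'}\n";
            }
        }
    }

    print {$conf} "# Auth. Server\n";
    print {$conf} "tls-server\n";
    print {$conf} "ca ${General::swroot}/ovpn/ca/cacert.pem\n";
    print {$conf} "cert ${General::swroot}/ovpn/certs/servercert.pem\n";
    print {$conf} "key ${General::swroot}/ovpn/certs/serverkey.pem\n";
    print {$conf} "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n";
    print {$conf} "# Cipher\n";
    print {$conf} "cipher $cgiparams{'DCIPHER'}\n";
    if ($cgiparams{'DAUTH'} eq '') {
        # No HMAC digest selected in the form: fall back to SHA1.
        print {$conf} "auth SHA1\n";
    } else {
        print {$conf} "# HMAC algorithm\n";
        print {$conf} "auth $cgiparams{'DAUTH'}\n";
    }
    if ($cgiparams{'COMPLZO'} eq 'on') {
        print {$conf} "# Enable Compression\n";
        # NOTE: the only line written with CRLF; kept so the generated file
        # stays byte-identical.
        print {$conf} "comp-lzo\r\n";
    }
    print {$conf} "# Debug Level\n";
    print {$conf} "verb 3\n";
    print {$conf} "# Tunnel check\n";
    print {$conf} "keepalive 10 60\n";
    print {$conf} "# Start as daemon\n";
    print {$conf} "daemon $cgiparams{'NAME'}n2n\n";
    print {$conf} "writepid /var/run/$cgiparams{'NAME'}n2n.pid\n";
    print {$conf} "# Activate Management Interface and Port\n";
    # The management socket falls back to the tunnel port when none is given.
    # NOTE(review): no password file is configured for the management
    # interface, so any local process that can reach the port can drive the
    # daemon — confirm this is intended.
    my $mgmtport = ($cgiparams{'OVPN_MGMT'} eq '') ? $cgiparams{'DEST_PORT'} : $cgiparams{'OVPN_MGMT'};
    print {$conf} "management localhost $mgmtport\n";

    # Buffered write errors only surface at close; a silently truncated
    # config must not be left behind.
    close($conf) or die "Unable to write $conffile: $!";
}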
923
924 ###
925 # m.a.d net2net
926 ###
927
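if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq 'net' && $cgiparams{'SIDE'} eq 'client')
{
    # Write the client-side OpenVPN configuration of a net-to-net connection
    # to ${General::swroot}/ovpn/n2nconf/<NAME>/<NAME>.conf.
    # Every value is taken from %cgiparams as-is: NAME becomes part of a
    # filesystem path and the remaining fields become config directives, so
    # they are assumed to have been validated earlier in this script
    # (nothing is checked here — confirm before relying on it).
    my @ovsubnettemp = split(/\./, $cgiparams{'OVPN_SUBNET'});
    # Only the first three octets of the transfer net are used: the client
    # side takes .2 and the server side .1.
    my $ovsubnet  = "$ovsubnettemp[0].$ovsubnettemp[1].$ovsubnettemp[2]";
    my @remsubnet = split(/\//, $cgiparams{'REMOTE_SUBNET'});

    my $n2ndir   = "${General::swroot}/ovpn/n2nconf";
    my $confdir  = "$n2ndir/$cgiparams{'NAME'}";
    my $conffile = "$confdir/$cgiparams{'NAME'}.conf";

    unless (-d $n2ndir) {
        mkdir $n2ndir, 0755 or die "Unable to create dir $!";
    }
    unless (-d $confdir) {
        mkdir $confdir, 0770 or die "Unable to create dir $!";
    }

    # Three-argument open with a lexical handle: the file name is built from
    # user input, so it must never be parsed for an open mode.
    open(my $conf, '>', $conffile) or die "Unable to open $conffile: $!";
    flock($conf, 2);    # 2 == LOCK_EX (Fcntl constants are not imported here)

    print {$conf} "# IPFire rewritten n2n Open VPN Client Config by ummeegge und m.a.d\n";
    print {$conf} "#\n";
    print {$conf} "# User Security\n";
    print {$conf} "user nobody\n";
    print {$conf} "group nobody\n";
    print {$conf} "persist-tun\n";
    print {$conf} "persist-key\n";
    print {$conf} "script-security 2\n";
    print {$conf} "# IP/DNS for remote Server Gateway\n";
    # Unlike the server side, the client always writes the peer address.
    print {$conf} "remote $cgiparams{'REMOTE'}\n";
    print {$conf} "float\n";
    print {$conf} "# IP adresses of the VPN Subnet\n";
    print {$conf} "ifconfig $ovsubnet.2 $ovsubnet.1\n";
    print {$conf} "# Server Gateway Network\n";
    print {$conf} "route $remsubnet[0] $remsubnet[1]\n";
    print {$conf} "# tun Device\n";
    print {$conf} "dev tun\n";
    print {$conf} "# Port and Protokol\n";
    print {$conf} "port $cgiparams{'DEST_PORT'}\n";

    if ($cgiparams{'PROTOCOL'} eq 'tcp') {
        # TCP gets a smaller default MTU than UDP (1400 vs 1500).
        my $tunmtu = ($cgiparams{'MTU'} eq '') ? '1400' : $cgiparams{'MTU'};
        print {$conf} "proto tcp-client\n";
        print {$conf} "# Packet size\n";
        print {$conf} "tun-mtu $tunmtu\n";
    }
    if ($cgiparams{'PROTOCOL'} eq 'udp') {
        my $tunmtu = ($cgiparams{'MTU'} eq '') ? '1500' : $cgiparams{'MTU'};
        print {$conf} "proto udp\n";
        print {$conf} "# Paketsize\n";
        print {$conf} "tun-mtu $tunmtu\n";
        if ($cgiparams{'FRAGMENT'} ne '') {
            print {$conf} "fragment $cgiparams{'FRAGMENT'}\n";
        }
        if ($cgiparams{'MSSFIX'} eq 'on') {
            print {$conf} "mssfix\n";
        }
    }

    # Path-MTU discovery is only written for one of the three known modes,
    # and only while the MTU is left at 1500 and fragment + mssfix are not
    # both active (the check is applied regardless of the protocol chosen).
    if ($cgiparams{'PMTU_DISCOVERY'} =~ /\A(?:yes|maybe|no)\z/) {
        if (($cgiparams{'MSSFIX'} ne 'on') || ($cgiparams{'FRAGMENT'} eq '')) {
            if ($cgiparams{'MTU'} eq '1500') {
                print {$conf} "mtu-disc $cgiparams{'PMTU_DISCOVERY'}\n";
            }
        }
    }

    # Requires the peer's certificate to be marked as a server certificate,
    # so a client certificate from the same CA cannot pose as the server.
    # NOTE(review): ns-cert-type is a deprecated OpenVPN directive
    # (superseded by remote-cert-tls server) — verify it is still accepted by
    # the OpenVPN version shipped with this release.
    print {$conf} "ns-cert-type server\n";
    print {$conf} "# Auth. Client\n";
    print {$conf} "tls-client\n";
    print {$conf} "# Cipher\n";
    print {$conf} "cipher $cgiparams{'DCIPHER'}\n";
    # NOTE: written with CRLF in the original; kept so the generated file
    # stays byte-identical.
    print {$conf} "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12\r\n";
    if ($cgiparams{'DAUTH'} eq '') {
        # No HMAC digest selected in the form: fall back to SHA1.
        print {$conf} "auth SHA1\n";
    } else {
        print {$conf} "# HMAC algorithm\n";
        print {$conf} "auth $cgiparams{'DAUTH'}\n";
    }
    if ($cgiparams{'COMPLZO'} eq 'on') {
        print {$conf} "# Enable Compression\n";
        # Also CRLF in the original; kept as-is.
        print {$conf} "comp-lzo\r\n";
    }
    print {$conf} "# Debug Level\n";
    print {$conf} "verb 3\n";
    print {$conf} "# Tunnel check\n";
    print {$conf} "keepalive 10 60\n";
    print {$conf} "# Start as daemon\n";
    print {$conf} "daemon $cgiparams{'NAME'}n2n\n";
    print {$conf} "writepid /var/run/$cgiparams{'NAME'}n2n.pid\n";
    print {$conf} "# Activate Management Interface and Port\n";
    # The management socket falls back to the tunnel port when none is given.
    # NOTE(review): no password file is configured for the management
    # interface, so any local process that can reach the port can drive the
    # daemon — confirm this is intended.
    my $mgmtport = ($cgiparams{'OVPN_MGMT'} eq '') ? $cgiparams{'DEST_PORT'} : $cgiparams{'OVPN_MGMT'};
    print {$conf} "management localhost $mgmtport\n";

    # Buffered write errors only surface at close; a silently truncated
    # config must not be left behind.
    close($conf) or die "Unable to write $conffile: $!";
}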
1018   
1019 ###
1020 ### Save main settings
1021 ###
1022
1023
1024 if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') {
1025     &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1026     #DAN do we really need (to check) this value? Besides, if we listen on blue and orange too,
1027     #DAN this value has to leave.
1028     if ($cgiparams{'ENABLED'} eq 'on'){
1029         unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'})) {
1030                 $errormessage = $Lang::tr{'invalid input for hostname'};
1031         goto SETTINGS_ERROR;
1032         }
1033     }
1034     if ($errormessage) { goto SETTINGS_ERROR; }
1035     
1036     if (! &General::validipandmask($cgiparams{'DOVPN_SUBNET'})) {
1037             $errormessage = $Lang::tr{'ovpn subnet is invalid'};
1038                         goto SETTINGS_ERROR;
1039     }
1040     my @tmpovpnsubnet = split("\/",$cgiparams{'DOVPN_SUBNET'});
1041     
1042     if (&General::IpInSubnet ( $netsettings{'RED_ADDRESS'}, 
1043         $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
1044         $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire RED Network $netsettings{'RED_ADDRESS'}";
1045         goto SETTINGS_ERROR;
1046     }
1047     
1048     if (&General::IpInSubnet ( $netsettings{'GREEN_ADDRESS'}, 
1049         $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
1050         $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Green Network $netsettings{'GREEN_ADDRESS'}";
1051         goto SETTINGS_ERROR;
1052     }
1053
1054     if (&General::IpInSubnet ( $netsettings{'BLUE_ADDRESS'}, 
1055         $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
1056         $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Blue Network $netsettings{'BLUE_ADDRESS'}";
1057         goto SETTINGS_ERROR;
1058     }
1059     
1060     if (&General::IpInSubnet ( $netsettings{'ORANGE_ADDRESS'}, 
1061         $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
1062         $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Orange Network $netsettings{'ORANGE_ADDRESS'}";
1063         goto SETTINGS_ERROR;
1064     }
1065     open(ALIASES, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
1066     while (<ALIASES>)
1067     {
1068         chomp($_);
1069         my @tempalias = split(/\,/,$_);
1070         if ($tempalias[1] eq 'on') {
1071             if (&General::IpInSubnet ($tempalias[0] , 
1072                 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
1073                 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire alias entry $tempalias[0]";
1074             }           
1075         }
1076     }
1077     close(ALIASES);
1078     if ($errormessage ne ''){
1079         goto SETTINGS_ERROR;
1080     }
1081     if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
1082         $errormessage = $Lang::tr{'invalid input'};
1083         goto SETTINGS_ERROR;
1084     }
1085     if ((length($cgiparams{'DMTU'})==0) || (($cgiparams{'DMTU'}) < 1000 )) {
1086         $errormessage = $Lang::tr{'invalid mtu input'};
1087         goto SETTINGS_ERROR;
1088     }
1089     
1090     unless (&General::validport($cgiparams{'DDEST_PORT'})) {
1091         $errormessage = $Lang::tr{'invalid port'};
1092         goto SETTINGS_ERROR;
1093     }
1094
1095     $vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'};
1096     $vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'};
1097     $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
1098     $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};
1099 #new settings for daemon
1100     $vpnsettings{'DOVPN_SUBNET'} = $cgiparams{'DOVPN_SUBNET'};
1101     $vpnsettings{'DDEVICE'} = $cgiparams{'DDEVICE'};
1102     $vpnsettings{'DPROTOCOL'} = $cgiparams{'DPROTOCOL'};
1103     $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'};
1104     $vpnsettings{'DMTU'} = $cgiparams{'DMTU'};
1105     $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
1106     $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
1107 #write enable flags
1108
1109   if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_blue 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_blue 2>/dev/null");}
1110   if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_orange 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_orange 2>/dev/null");}
1111   if ( $vpnsettings{'ENABLED'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable 2>/dev/null");}
1112 #new settings for daemon    
1113     &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
1114     &writeserverconf();#hier ok
1115 SETTINGS_ERROR:
1116 ###
1117 ### Reset all step 2
1118 ###
1119 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'} && $cgiparams{'AREUSURE'} eq 'yes') {
1120     my $file = '';
1121     &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1122
1123     foreach my $key (keys %confighash) {
1124         if ($confighash{$key}[4] eq 'cert') {
1125             delete $confighash{$cgiparams{'$key'}};
1126         }
1127     }
1128     while ($file = glob("${General::swroot}/ovpn/ca/*")) {
1129         unlink $file;
1130     }
1131     while ($file = glob("${General::swroot}/ovpn/certs/*")) {
1132         unlink $file;
1133     }
1134     while ($file = glob("${General::swroot}/ovpn/crls/*")) {
1135         unlink $file;
1136     }
1137         &cleanssldatabase();
1138     if (open(FILE, ">${General::swroot}/ovpn/caconfig")) {
1139         print FILE "";
1140         close FILE;
1141     }
1142     if (open(FILE, ">${General::swroot}/ovpn/ccdroute")) {
1143         print FILE "";
1144         close FILE;
1145     }
1146     if (open(FILE, ">${General::swroot}/ovpn/ccdroute2")) {
1147         print FILE "";
1148         close FILE;
1149     }
1150     while ($file = glob("${General::swroot}/ovpn/ccd/*")) {
1151         unlink $file
1152     }
1153     if (open(FILE, ">${General::swroot}/ovpn/ovpn-leases.db")) {
1154         print FILE "";
1155         close FILE;
1156     }
1157     if (open(FILE, ">${General::swroot}/ovpn/ovpnconfig")) {
1158         print FILE "";
1159         close FILE;
1160     }
1161     while ($file = glob("${General::swroot}/ovpn/n2nconf/*")) {
1162         system ("rm -rf $file");
1163     }
1164
1165     #&writeserverconf();
1166 ###
1167 ### Reset all step 1
1168 ###
1169 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'}) {
1170     &Header::showhttpheaders();
1171     &Header::openpage($Lang::tr{'ovpn'}, 1, '');
1172     &Header::openbigbox('100%', 'left', '', '');
1173     &Header::openbox('100%', 'left', $Lang::tr{'are you sure'});
1174     print <<END;
1175         <form method='post'>
1176                 <table width='100%'>
1177                         <tr>
1178                                 <td align='center'>
1179                                 <input type='hidden' name='AREUSURE' value='yes' />
1180                                 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>:
1181                                 $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}</td>
1182                         </tr>
1183                         <tr>
1184                                 <td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' />
1185                                 <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td>
1186                         </tr>
1187                 </table>
1188         </form>
1189 END
1190     ;
1191     &Header::closebox();
1192     &Header::closebigbox();
1193     &Header::closepage();
1194     exit (0);
1195
1196 ###
1197 ### Generate DH key step 2
1198 ###
1199 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'} && $cgiparams{'AREUSURE'} eq 'yes') {
1200     # Delete if old key exists
1201     if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
1202         unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}";
1203         }
1204         # Create Diffie-Hellman parameters
1205         system('/usr/bin/openssl', 'dhparam', '-rand', '/proc/interrupts:/proc/net/rt_cache',
1206         '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}");
1207         if ($?) {
1208                 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1209                 unlink ("${General::swroot}/ovpn/ca/dh1024.pem");
1210         }
1211
1212 ###
1213 ### Generate DH key step 1
1214 ###
1215 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'}) {
1216         &Header::showhttpheaders();
1217         &Header::openpage($Lang::tr{'ovpn'}, 1, '');
1218         &Header::openbigbox('100%', 'LEFT', '', '');
1219         &Header::openbox('100%', 'LEFT', "$Lang::tr{'gen dh'}:");
1220         print <<END;
1221         <table width='100%'>
1222         <tr>
1223                 <td width='20%'> </td> <td width='15%'></td> <td width='65%'></td>
1224         </tr>
1225         <tr>
1226                 <td class='base'>$Lang::tr{'ovpn dh'}:</td>
1227                 <td align='center'>
1228                 <form method='post'><input type='hidden' name='AREUSURE' value='yes' />
1229                 <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
1230                         <select name='DHLENGHT'>
1231                                 <option value='1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'}</option>
1232                                 <option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
1233                                 <option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
1234                                 <option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
1235                         </select>
1236                 </td>
1237         </tr>
1238         <tr><td colspan='4'><br></td></tr>
1239         </table>
1240         <table width='100%'>
1241         <tr>
1242                 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}: </font></b>$Lang::tr{'dh key warn'}
1243         </tr>
1244         <tr>
1245                 <td class='base'>$Lang::tr{'dh key warn1'}</td>
1246         </tr>
1247         <tr><td colspan='2'><br></td></tr>
1248         <tr>
1249                 <td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'generate dh key'}' /></td>
1250                 </form>
1251         </tr>
1252         </table>
1253
1254 END
1255         ;
1256         &Header::closebox();
1257         print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1258         &Header::closebigbox();
1259         &Header::closepage();
1260         exit (0);
1261
1262 ###
1263 ### Upload DH key
1264 ###
1265 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload dh key'}) {
1266     if (ref ($cgiparams{'FH'}) ne 'Fh') {
1267          $errormessage = $Lang::tr{'there was no file upload'};
1268          goto UPLOADCA_ERROR;
1269     }
1270     # Move uploaded dh key to a temporary file
1271     (my $fh, my $filename) = tempfile( );
1272     if (copy ($cgiparams{'FH'}, $fh) != 1) {
1273         $errormessage = $!;
1274         goto UPLOADCA_ERROR;
1275     }
1276     my $temp = `/usr/bin/openssl dhparam -text -in $filename`;
1277     if ($temp !~ /DH Parameters: \((1024|2048|3072|4096) bit\)/) {
1278         $errormessage = $Lang::tr{'not a valid dh key'};
1279         unlink ($filename);
1280         goto UPLOADCA_ERROR;
1281     } else {
1282     # Delete if old key exists
1283     if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
1284         unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}";
1285         }
1286     move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}");
1287         if ($? ne 0) {
1288                 $errormessage = "$Lang::tr{'dh key move failed'}: $!";
1289                 unlink ($filename);
1290                 goto UPLOADCA_ERROR;
1291         }
1292     }
1293
1294 ###
1295 ### Upload CA Certificate
1296 ###
1297 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) {
1298     &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1299
1300     if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) {
1301         $errormessage = $Lang::tr{'name must only contain characters'};
1302         goto UPLOADCA_ERROR;
1303     }
1304
1305     if (length($cgiparams{'CA_NAME'}) >60) {
1306         $errormessage = $Lang::tr{'name too long'};
1307         goto VPNCONF_ERROR;
1308     }
1309
1310     if ($cgiparams{'CA_NAME'} eq 'ca') {
1311         $errormessage = $Lang::tr{'name is invalid'};
1312         goto UPLOADCA_ERROR;
1313     }
1314
1315     # Check if there is no other entry with this name
1316     foreach my $key (keys %cahash) {
1317         if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) {
1318             $errormessage = $Lang::tr{'a ca certificate with this name already exists'};
1319             goto UPLOADCA_ERROR;
1320         }
1321     }
1322
1323     if (ref ($cgiparams{'FH'}) ne 'Fh') {
1324         $errormessage = $Lang::tr{'there was no file upload'};
1325         goto UPLOADCA_ERROR;
1326     }
1327     # Move uploaded ca to a temporary file
1328     (my $fh, my $filename) = tempfile( );
1329     if (copy ($cgiparams{'FH'}, $fh) != 1) {
1330         $errormessage = $!;
1331         goto UPLOADCA_ERROR;
1332     }
1333     my $temp = `/usr/bin/openssl x509 -text -in $filename`;
1334     if ($temp !~ /CA:TRUE/i) {
1335         $errormessage = $Lang::tr{'not a valid ca certificate'};
1336         unlink ($filename);
1337         goto UPLOADCA_ERROR;
1338     } else {
1339         move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem");
1340         if ($? ne 0) {
1341             $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1342             unlink ($filename);
1343             goto UPLOADCA_ERROR;
1344         }
1345     }
1346
1347     my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem`;
1348     $casubject    =~ /Subject: (.*)[\n]/;
1349     $casubject    = $1;
1350     $casubject    =~ s+/Email+, E+;
1351     $casubject    =~ s/ ST=/ S=/;
1352     $casubject    = &Header::cleanhtml($casubject);
1353
1354     my $key = &General::findhasharraykey (\%cahash);
1355     $cahash{$key}[0] = $cgiparams{'CA_NAME'};
1356     $cahash{$key}[1] = $casubject;
1357     &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1358 #    system('/usr/local/bin/ipsecctrl', 'R');
1359
1360     UPLOADCA_ERROR:
1361
1362 ###
1363 ### Display ca certificate
1364 ###
1365 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show ca certificate'}) {
1366     &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1367
1368     if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") {
1369         &Header::showhttpheaders();
1370         &Header::openpage($Lang::tr{'ovpn'}, 1, '');
1371         &Header::openbigbox('100%', 'LEFT', '', $errormessage);
1372         &Header::openbox('100%', 'LEFT', "$Lang::tr{'ca certificate'}:");
1373         my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;
1374         $output = &Header::cleanhtml($output,"y");
1375         print "<pre>$output</pre>\n";
1376         &Header::closebox();
1377         print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1378         &Header::closebigbox();
1379         &Header::closepage();
1380         exit(0);
1381     } else {
1382         $errormessage = $Lang::tr{'invalid key'};
1383     }
1384
1385 ###
1386 ### Download ca certificate
1387 ###
1388 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download ca certificate'}) {
1389     &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1390
1391     if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
1392         print "Content-Type: application/octet-stream\r\n";
1393         print "Content-Disposition: filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n";
1394         print `/usr/bin/openssl x509 -in ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;
1395         exit(0);
1396     } else {
1397         $errormessage = $Lang::tr{'invalid key'};
1398     }
1399
1400 ###
1401 ### Remove ca certificate (step 2)
1402 ###
1403 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'} && $cgiparams{'AREUSURE'} eq 'yes') {
1404     &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1405     &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1406
1407     if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
1408         foreach my $key (keys %confighash) {
1409             my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`;
1410             if ($test =~ /: OK/) {
1411                 # Delete connection
1412 #               if ($vpnsettings{'ENABLED'} eq 'on' ||
1413 #                   $vpnsettings{'ENABLED_BLUE'} eq 'on') {
1414 #                   system('/usr/local/bin/ipsecctrl', 'D', $key);
1415 #               }
1416                 unlink ("${General::swroot}/ovpn//certs/$confighash{$key}[1]cert.pem");
1417                 unlink ("${General::swroot}/ovpn/certs/$confighash{$key}[1].p12");
1418                 delete $confighash{$key};
1419                 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1420 #               &writeipsecfiles();
1421             }
1422         }
1423         unlink ("${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
1424         delete $cahash{$cgiparams{'KEY'}};
1425         &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1426 #       system('/usr/local/bin/ipsecctrl', 'R');
1427     } else {
1428         $errormessage = $Lang::tr{'invalid key'};
1429     }
1430 ###
1431 ### Remove ca certificate (step 1)
1432 ###
1433 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'}) {
1434     &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1435     &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1436
1437     my $assignedcerts = 0;
1438     if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
1439         foreach my $key (keys %confighash) {
1440             my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`;
1441             if ($test =~ /: OK/) {
1442                 $assignedcerts++;
1443             }
1444         }
1445         if ($assignedcerts) {
1446             &Header::showhttpheaders();
1447             &Header::openpage($Lang::tr{'ovpn'}, 1, '');
1448             &Header::openbigbox('100%', 'LEFT', '', $errormessage);
1449             &Header::openbox('100%', 'LEFT', $Lang::tr{'are you sure'});
1450             print <<END;
1451                 <table><form method='post'><input type='hidden' name='AREUSURE' value='yes' />
1452                        <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
1453                     <tr><td align='center'>
1454                         <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: $assignedcerts
1455                         $Lang::tr{'connections are associated with this ca.  deleting the ca will delete these connections as well.'}
1456                     <tr><td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />
1457                         <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td></tr>
1458                 </form></table>
1459 END
1460             ;
1461             &Header::closebox();
1462             &Header::closebigbox();
1463             &Header::closepage();
1464             exit (0);
1465         } else {
1466             unlink ("${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
1467             delete $cahash{$cgiparams{'KEY'}};
1468             &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1469 #           system('/usr/local/bin/ipsecctrl', 'R');
1470         }
1471     } else {
1472         $errormessage = $Lang::tr{'invalid key'};
1473     }
1474
1475 ###
1476 ### Display root certificate
1477 ###
1478 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} ||
1479     $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) {
1480     my $output;
1481     &Header::showhttpheaders();
1482     &Header::openpage($Lang::tr{'ovpn'}, 1, '');
1483     &Header::openbigbox('100%', 'LEFT', '', '');
1484     if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) {
1485         &Header::openbox('100%', 'LEFT', "$Lang::tr{'root certificate'}:");
1486         $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`;
1487     } else {
1488         &Header::openbox('100%', 'LEFT', "$Lang::tr{'host certificate'}:");
1489         $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
1490     }
1491     $output = &Header::cleanhtml($output,"y");
1492     print "<pre>$output</pre>\n";
1493     &Header::closebox();
1494     print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1495     &Header::closebigbox();
1496     &Header::closepage();
1497     exit(0);
1498
1499 ###
1500 ### Download root certificate
1501 ###
1502 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download root certificate'}) {
1503     if ( -f "${General::swroot}/ovpn/ca/cacert.pem" ) {
1504         print "Content-Type: application/octet-stream\r\n";
1505         print "Content-Disposition: filename=cacert.pem\r\n\r\n";
1506         print `/usr/bin/openssl x509 -in ${General::swroot}/ovpn/ca/cacert.pem`;
1507         exit(0);
1508     }
1509     
1510 ###
1511 ### Download host certificate
1512 ###
1513 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download host certificate'}) {
1514     if ( -f "${General::swroot}/ovpn/certs/servercert.pem" ) {
1515         print "Content-Type: application/octet-stream\r\n";
1516         print "Content-Disposition: filename=servercert.pem\r\n\r\n";
1517         print `/usr/bin/openssl x509 -in ${General::swroot}/ovpn/certs/servercert.pem`;
1518         exit(0);
1519     }
1520 ###
1521 ### Form for generating a root certificate
1522 ###
1523 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} ||
1524          $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
1525
1526     &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1527     if (-f "${General::swroot}/ovpn/ca/cacert.pem") {
1528         $errormessage = $Lang::tr{'valid root certificate already exists'};
1529         $cgiparams{'ACTION'} = '';
1530         goto ROOTCERT_ERROR;
1531     }
1532
1533     if (($cgiparams{'ROOTCERT_HOSTNAME'} eq '') && -e "${General::swroot}/red/active") {
1534         if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
1535             my $ipaddr = <IPADDR>;
1536             close IPADDR;
1537             chomp ($ipaddr);
1538             $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
1539             if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
1540                 $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
1541             }
1542         }
1543     } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
1544
1545         if (ref ($cgiparams{'FH'}) ne 'Fh') {
1546             $errormessage = $Lang::tr{'there was no file upload'};
1547             goto ROOTCERT_ERROR;
1548         }
1549
1550         # Move the uploaded PKCS#12 file to a temporary file
1551         (my $fh, my $filename) = tempfile( );
1552         if (copy ($cgiparams{'FH'}, $fh) != 1) {
1553             $errormessage = $!;
1554             goto ROOTCERT_ERROR;
1555         }
1556
1557         # Create a temporary directory
1558         my $tempdir = tempdir( CLEANUP => 1 );
1559
1560         # Extract the CA certificate from the file
1561         my $pid = open(OPENSSL, "|-");
1562         $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1563         if ($pid) {     # parent
1564             if ($cgiparams{'P12_PASS'} ne '') {
1565                 print OPENSSL "$cgiparams{'P12_PASS'}\n";
1566             }
1567             close (OPENSSL);
1568             if ($?) {
1569                 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1570                 unlink ($filename);
1571                 goto ROOTCERT_ERROR;
1572             }
1573         } else {        # child
1574             unless (exec ('/usr/bin/openssl', 'pkcs12', '-cacerts', '-nokeys',
1575                     '-in', $filename,
1576                     '-out', "$tempdir/cacert.pem")) {
1577                 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1578                 unlink ($filename);
1579                 goto ROOTCERT_ERROR;
1580             }
1581         }
1582
1583         # Extract the Host certificate from the file
1584         $pid = open(OPENSSL, "|-");
1585         $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1586         if ($pid) {     # parent
1587             if ($cgiparams{'P12_PASS'} ne '') {
1588                 print OPENSSL "$cgiparams{'P12_PASS'}\n";
1589             }
1590             close (OPENSSL);
1591             if ($?) {
1592                 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1593                 unlink ($filename);
1594                 goto ROOTCERT_ERROR;
1595             }
1596         } else {        # child
1597             unless (exec ('/usr/bin/openssl', 'pkcs12', '-clcerts', '-nokeys',
1598                     '-in', $filename,
1599                     '-out', "$tempdir/hostcert.pem")) {
1600                 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1601                 unlink ($filename);
1602                 goto ROOTCERT_ERROR;
1603             }
1604         }
1605
1606         # Extract the Host key from the file
1607         $pid = open(OPENSSL, "|-");
1608         $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1609         if ($pid) {     # parent
1610             if ($cgiparams{'P12_PASS'} ne '') {
1611                 print OPENSSL "$cgiparams{'P12_PASS'}\n";
1612             }
1613             close (OPENSSL);
1614             if ($?) {
1615                 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1616                 unlink ($filename);
1617                 goto ROOTCERT_ERROR;
1618             }
1619         } else {        # child
1620             unless (exec ('/usr/bin/openssl', 'pkcs12', '-nocerts',
1621                     '-nodes',
1622                     '-in', $filename,
1623                     '-out', "$tempdir/serverkey.pem")) {
1624                 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1625                 unlink ($filename);
1626                 goto ROOTCERT_ERROR;
1627             }
1628         }
1629
1630         move("$tempdir/cacert.pem", "${General::swroot}/ovpn/ca/cacert.pem");
1631         if ($? ne 0) {
1632             $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1633             unlink ($filename);
1634             unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1635             unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1636             unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1637             goto ROOTCERT_ERROR;
1638         }
1639
1640         move("$tempdir/hostcert.pem", "${General::swroot}/ovpn/certs/servercert.pem");
1641         if ($? ne 0) {
1642             $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1643             unlink ($filename);
1644             unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1645             unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1646             unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1647             goto ROOTCERT_ERROR;
1648         }
1649
1650         move("$tempdir/serverkey.pem", "${General::swroot}/ovpn/certs/serverkey.pem");
1651         if ($? ne 0) {
1652             $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1653             unlink ($filename);
1654             unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1655             unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1656             unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1657             goto ROOTCERT_ERROR;
1658         }
1659
1660         goto ROOTCERT_SUCCESS;
1661
1662     } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') {
1663
1664         # Validate input since the form was submitted
1665         if ($cgiparams{'ROOTCERT_ORGANIZATION'} eq ''){
1666             $errormessage = $Lang::tr{'organization cant be empty'};
1667             goto ROOTCERT_ERROR;
1668         }
1669         if (length($cgiparams{'ROOTCERT_ORGANIZATION'}) >60) {
1670             $errormessage = $Lang::tr{'organization too long'};
1671             goto ROOTCERT_ERROR;
1672         }
1673         if ($cgiparams{'ROOTCERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1674             $errormessage = $Lang::tr{'invalid input for organization'};
1675             goto ROOTCERT_ERROR;
1676         }
1677         if ($cgiparams{'ROOTCERT_HOSTNAME'} eq ''){
1678             $errormessage = $Lang::tr{'hostname cant be empty'};
1679             goto ROOTCERT_ERROR;
1680         }
1681         unless (&General::validfqdn($cgiparams{'ROOTCERT_HOSTNAME'}) || &General::validip($cgiparams{'ROOTCERT_HOSTNAME'})) {
1682             $errormessage = $Lang::tr{'invalid input for hostname'};
1683             goto ROOTCERT_ERROR;
1684         }
1685         if ($cgiparams{'ROOTCERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'ROOTCERT_EMAIL'}))) {
1686             $errormessage = $Lang::tr{'invalid input for e-mail address'};
1687             goto ROOTCERT_ERROR;
1688         }
1689         if (length($cgiparams{'ROOTCERT_EMAIL'}) > 40) {
1690             $errormessage = $Lang::tr{'e-mail address too long'};
1691             goto ROOTCERT_ERROR;
1692         }
1693         if ($cgiparams{'ROOTCERT_OU'} ne '' && $cgiparams{'ROOTCERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1694             $errormessage = $Lang::tr{'invalid input for department'};
1695             goto ROOTCERT_ERROR;
1696         }
1697         if ($cgiparams{'ROOTCERT_CITY'} ne '' && $cgiparams{'ROOTCERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1698             $errormessage = $Lang::tr{'invalid input for city'};
1699             goto ROOTCERT_ERROR;
1700         }
1701         if ($cgiparams{'ROOTCERT_STATE'} ne '' && $cgiparams{'ROOTCERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1702             $errormessage = $Lang::tr{'invalid input for state or province'};
1703             goto ROOTCERT_ERROR;
1704         }
1705         if ($cgiparams{'ROOTCERT_COUNTRY'} !~ /^[A-Z]*$/) {
1706             $errormessage = $Lang::tr{'invalid input for country'};
1707             goto ROOTCERT_ERROR;
1708         }
1709
1710         # Copy the CGI parameters into vpnsettings and save the settings file
1711         $vpnsettings{'ROOTCERT_ORGANIZATION'}   = $cgiparams{'ROOTCERT_ORGANIZATION'};
1712         $vpnsettings{'ROOTCERT_HOSTNAME'}       = $cgiparams{'ROOTCERT_HOSTNAME'};
1713         $vpnsettings{'ROOTCERT_EMAIL'}          = $cgiparams{'ROOTCERT_EMAIL'};
1714         $vpnsettings{'ROOTCERT_OU'}             = $cgiparams{'ROOTCERT_OU'};
1715         $vpnsettings{'ROOTCERT_CITY'}           = $cgiparams{'ROOTCERT_CITY'};
1716         $vpnsettings{'ROOTCERT_STATE'}          = $cgiparams{'ROOTCERT_STATE'};
1717         $vpnsettings{'ROOTCERT_COUNTRY'}        = $cgiparams{'ROOTCERT_COUNTRY'};
1718         &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
1719
1720         # Replace empty or whitespace-only fields with a '.'
1721         (my $ou = $cgiparams{'ROOTCERT_OU'}) =~ s/^\s*$/\./;
1722         (my $city = $cgiparams{'ROOTCERT_CITY'}) =~ s/^\s*$/\./;
1723         (my $state = $cgiparams{'ROOTCERT_STATE'}) =~ s/^\s*$/\./;
1724
1725         # refresh
1726         #system ('/bin/touch', "${General::swroot}/ovpn/gencanow");
1727         
1728         # Create the CA certificate
1729         my $pid = open(OPENSSL, "|-");
1730         $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1731         if ($pid) {     # parent
1732             print OPENSSL "$cgiparams{'ROOTCERT_COUNTRY'}\n";
1733             print OPENSSL "$state\n";
1734             print OPENSSL "$city\n";
1735             print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";
1736             print OPENSSL "$ou\n";
1737             print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'} CA\n";
1738             print OPENSSL "$cgiparams{'ROOTCERT_EMAIL'}\n";
1739             close (OPENSSL);
1740             if ($?) {
1741                 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1742                 unlink ("${General::swroot}/ovpn/ca/cakey.pem");
1743                 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1744                 goto ROOTCERT_ERROR;
1745             }
1746         } else {        # child
1747             unless (exec ('/usr/bin/openssl', 'req', '-x509', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache',
1748                         '-days', '999999', '-newkey', 'rsa:4096', '-sha512',
1749                         '-keyout', "${General::swroot}/ovpn/ca/cakey.pem",
1750                         '-out', "${General::swroot}/ovpn/ca/cacert.pem",
1751                         '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
1752                 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1753                 goto ROOTCERT_ERROR;
1754             }
1755         }
1756
1757         # Create the Host certificate request
1758         $pid = open(OPENSSL, "|-");
1759         $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1760         if ($pid) {     # parent
1761             print OPENSSL "$cgiparams{'ROOTCERT_COUNTRY'}\n";
1762             print OPENSSL "$state\n";
1763             print OPENSSL "$city\n";
1764             print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";
1765             print OPENSSL "$ou\n";
1766             print OPENSSL "$cgiparams{'ROOTCERT_HOSTNAME'}\n";
1767             print OPENSSL "$cgiparams{'ROOTCERT_EMAIL'}\n";
1768             print OPENSSL ".\n";
1769             print OPENSSL ".\n";
1770             close (OPENSSL);
1771             if ($?) {
1772                 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1773                 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1774                 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1775                 goto ROOTCERT_ERROR;
1776             }
1777         } else {        # child
1778             unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache',
1779                         '-newkey', 'rsa:2048',
1780                         '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem",
1781                         '-out', "${General::swroot}/ovpn/certs/serverreq.pem",
1782                         '-extensions', 'server',
1783                         '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) {
1784                 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1785                 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1786                 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1787                 unlink ("${General::swroot}/ovpn/ca/cakey.pem");
1788                 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1789                 goto ROOTCERT_ERROR;
1790             }
1791         }
1792         
1793         # Sign the host certificate request
1794         system('/usr/bin/openssl', 'ca', '-days', '999999',
1795                 '-batch', '-notext',
1796                 '-in',  "${General::swroot}/ovpn/certs/serverreq.pem",
1797                 '-out', "${General::swroot}/ovpn/certs/servercert.pem",
1798                 '-extensions', 'server',
1799                 '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf");
1800         if ($?) {
1801             $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1802             unlink ("${General::swroot}/ovpn/ca/cakey.pem");
1803             unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1804             unlink ("${General::swroot}/ovpn/serverkey.pem");
1805             unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1806             unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1807             &newcleanssldatabase();
1808             goto ROOTCERT_ERROR;
1809         } else {
1810             unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1811             &deletebackupcert();
1812         }
1813
1814         # Create an empty CRL
1815         system('/usr/bin/openssl', 'ca', '-gencrl',
1816                 '-out', "${General::swroot}/ovpn/crls/cacrl.pem",
1817                 '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" );
1818         if ($?) {
1819             $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1820             unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1821             unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1822             unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1823             unlink ("${General::swroot}/ovpn/crls/cacrl.pem");      
1824             &cleanssldatabase();
1825             goto ROOTCERT_ERROR;
1826 #       } else {
1827 #           &cleanssldatabase();
1828         }
1829         # Create Diffie-Hellman parameters
1830         system('/usr/bin/openssl', 'dhparam', '-rand', '/proc/interrupts:/proc/net/rt_cache',
1831                '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}");
1832         if ($?) {
1833             $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1834             unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1835             unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1836             unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1837             unlink ("${General::swroot}/ovpn/crls/cacrl.pem");
1838             unlink ("${General::swroot}/ovpn/ca/dh1024.pem");
1839             &cleanssldatabase();
1840             goto ROOTCERT_ERROR;
1841 #       } else {
1842 #           &cleanssldatabase();
1843         }       
1844         goto ROOTCERT_SUCCESS;
1845     }
1846     ROOTCERT_ERROR:
1847     if ($cgiparams{'ACTION'} ne '') {
1848         &Header::showhttpheaders();
1849         &Header::openpage($Lang::tr{'ovpn'}, 1, '');
1850         &Header::openbigbox('100%', 'LEFT', '', '');
1851         if ($errormessage) {
1852             &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
1853             print "<class name='base'>$errormessage";
1854             print "&nbsp;</class>";
1855             &Header::closebox();
1856         }
1857         &Header::openbox('100%', 'LEFT', "$Lang::tr{'generate root/host certificates'}:");
1858         print <<END;
1859         <form method='post' enctype='multipart/form-data'>
1860         <table width='100%' border='0' cellspacing='1' cellpadding='0'>
1861         <tr><td width='30%' class='base'>$Lang::tr{'organization name'}:</td>
1862             <td width='35%' class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_ORGANIZATION' value='$cgiparams{'ROOTCERT_ORGANIZATION'}' size='32' /></td>
1863             <td width='35%' colspan='2'>&nbsp;</td></tr>
1864         <tr><td class='base'>$Lang::tr{'ipfires hostname'}:</td>
1865             <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_HOSTNAME' value='$cgiparams{'ROOTCERT_HOSTNAME'}' size='32' /></td>
1866             <td colspan='2'>&nbsp;</td></tr>
1867         <tr><td class='base'>$Lang::tr{'your e-mail'}:&nbsp;<img src='/blob.gif' alt'*' /></td>
1868             <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_EMAIL' value='$cgiparams{'ROOTCERT_EMAIL'}' size='32' /></td>
1869             <td colspan='2'>&nbsp;</td></tr>
1870         <tr><td class='base'>$Lang::tr{'your department'}:&nbsp;<img src='/blob.gif' alt'*' /></td>
1871             <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_OU' value='$cgiparams{'ROOTCERT_OU'}' size='32' /></td>
1872             <td colspan='2'>&nbsp;</td></tr>
1873         <tr><td class='base'>$Lang::tr{'city'}:&nbsp;<img src='/blob.gif' alt'*' /></td>
1874             <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_CITY' value='$cgiparams{'ROOTCERT_CITY'}' size='32' /></td>
1875             <td colspan='2'>&nbsp;</td></tr>
1876         <tr><td class='base'>$Lang::tr{'state or province'}:&nbsp;<img src='/blob.gif' alt'*' /></td>
1877             <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_STATE' value='$cgiparams{'ROOTCERT_STATE'}' size='32' /></td>
1878             <td colspan='2'>&nbsp;</td></tr>
1879         <tr><td class='base'>$Lang::tr{'country'}:</td>
1880             <td class='base'><select name='ROOTCERT_COUNTRY'> 
1881
1882 END
1883         ;
1884         foreach my $country (sort keys %{Countries::countries}) {
1885             print "<option value='$Countries::countries{$country}'";
1886             if ( $Countries::countries{$country} eq $cgiparams{'ROOTCERT_COUNTRY'} ) {
1887                 print " selected='selected'";
1888             }
1889             print ">$country</option>";
1890         }
1891         print <<END;
1892             </select></td>
1893         <tr><td class='base'>$Lang::tr{'ovpn dh'}:</td>
1894                 <td class='base'><select name='DHLENGHT'>
1895                                 <option value='1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'}</option>
1896                                 <option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
1897                                 <option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
1898                                 <option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
1899                         </select>
1900                 </td>
1901         </tr>
1902
1903         <tr><td>&nbsp;</td>
1904             <td><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /></td>
1905             <td>&nbsp;</td><td>&nbsp;</td></tr> 
1906         <tr><td class='base' colspan='4' align='left'>
1907             <img src='/blob.gif' valign='top' alt='*' />&nbsp;$Lang::tr{'this field may be blank'}</td></tr>
1908         <tr><td colspan='2'><br></td></tr>
1909         <table width='100%'>
1910         <tr>
1911                 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}: </font></b>$Lang::tr{'ovpn generating the root and host certificates'}
1912                 <td class='base'>$Lang::tr{'dh key warn'}</td>
1913         </tr>
1914         <tr>
1915                 <td class='base'>$Lang::tr{'dh key warn1'}</td>
1916         </tr>
1917         <tr><td colspan='2'><br></td></tr>
1918         <tr>
1919         </table>
1920
1921         <table width='100%'>
1922         <tr><td colspan='4'><hr></td></tr>
1923         <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload p12 file'}:</td>
1924             <td nowrap='nowrap'><input type='file' name='FH' size='32'></td>
1925             <td colspan='2'>&nbsp;</td></tr>
1926         <tr><td class='base'>$Lang::tr{'pkcs12 file password'}:&nbsp;<img src='/blob.gif' alt='*' ></td>
1927             <td class='base' nowrap='nowrap'><input type='password' name='P12_PASS' value='$cgiparams{'P12_PASS'}' size='32' /></td>
1928             <td colspan='2'>&nbsp;</td></tr>
1929         <tr><td>&nbsp;</td>
1930             <td><input type='submit' name='ACTION' value='$Lang::tr{'upload p12 file'}' /></td>
1931             <td colspan='2'>&nbsp;</td></tr>
1932         <tr><td class='base' colspan='4' align='left'>
1933             <img src='/blob.gif' valign='top' al='*' >&nbsp;$Lang::tr{'this field may be blank'}</td>
1934         </tr>
1935         </form></table>
1936 END
1937         ;
1938         &Header::closebox();
1939         print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1940         &Header::closebigbox();
1941         &Header::closepage();
1942         exit(0)
1943     }
1944
1945     ROOTCERT_SUCCESS:
1946     system ("chmod 600 ${General::swroot}/ovpn/certs/serverkey.pem");
1947 #    if ($vpnsettings{'ENABLED'} eq 'on' ||
1948 #       $vpnsettings{'ENABLE_BLUE'} eq 'on') {
1949 #       system('/usr/local/bin/ipsecctrl', 'S');
1950 #    }
1951
1952 ###
1953 ### Enable/Disable connection
1954 ###
1955
1956 ###
1957 # m.a.d net2net
1958 ###
1959
1960 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {
1961     
1962     &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1963     &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1964 #    my $n2nactive = '';
1965     my $n2nactive = `/bin/ps ax|grep $confighash{$cgiparams{'KEY'}}[1]|grep -v grep|awk \'{print \$1}\'`;
1966     
1967     if ($confighash{$cgiparams{'KEY'}}) {
1968                 if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') {
1969                         $confighash{$cgiparams{'KEY'}}[0] = 'on';
1970                         &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1971
1972                         if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
1973                  system('/usr/local/bin/openvpnctrl', '-sn2n', $confighash{$cgiparams{'KEY'}}[1]);
1974                         }
1975                 } else {
1976
1977                         $confighash{$cgiparams{'KEY'}}[0] = 'off';
1978                         &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1979
1980                         if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
1981                     if ($n2nactive ne ''){                              
1982                                                 system('/usr/local/bin/openvpnctrl', '-kn2n', $confighash{$cgiparams{'KEY'}}[1]);
1983                                         }
1984  
1985                         } else {
1986                   $errormessage = $Lang::tr{'invalid key'};
1987                         }
1988       }
1989   }
1990
1991 ###
1992 ### Download OpenVPN client package
1993 ###
1994
1995
1996 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'dl client arch'}) {
1997     &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1998     &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1999     my $file = '';
2000     my $clientovpn = '';
2001     my @fileholder;
2002     my $tempdir = tempdir( CLEANUP => 1 );
2003     my $zippath = "$tempdir/";
2004
2005 ###
2006 # m.a.d net2net
2007 ###
2008
2009 if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
2010         
2011         my $zipname = "$confighash{$cgiparams{'KEY'}}[1]-Client.zip";
2012         my $zippathname = "$zippath$zipname";
2013         $clientovpn = "$confighash{$cgiparams{'KEY'}}[1].conf";  
2014         my @ovsubnettemp =  split(/\./,$confighash{$cgiparams{'KEY'}}[27]);
2015         my $ovsubnet =  "$ovsubnettemp[0].$ovsubnettemp[1].$ovsubnettemp[2]";
2016         my $tunmtu = ''; 
2017         my @remsubnet = split(/\//,$confighash{$cgiparams{'KEY'}}[8]);
2018         my $n2nfragment = '';
2019         
2020     open(CLIENTCONF, ">$tempdir/$clientovpn") or die "Unable to open tempfile: $!";
2021     flock CLIENTCONF, 2;
2022     
2023     my $zip = Archive::Zip->new();
2024    print CLIENTCONF "# IPFire n2n Open VPN Client Config by ummeegge und m.a.d\n";
2025    print CLIENTCONF "# \n";
2026    print CLIENTCONF "# User Security\n";
2027    print CLIENTCONF "user nobody\n";
2028    print CLIENTCONF "group nobody\n";
2029    print CLIENTCONF "persist-tun\n";
2030    print CLIENTCONF "persist-key\n";
2031    print CLIENTCONF "script-security 2\n";
2032    print CLIENTCONF "# IP/DNS for remote Server Gateway\n"; 
2033    print CLIENTCONF "remote $vpnsettings{'VPN_IP'}\n";
2034    print CLIENTCONF "float\n";
2035    print CLIENTCONF "# IP adresses of the VPN Subnet\n"; 
2036    print CLIENTCONF "ifconfig $ovsubnet.2 $ovsubnet.1\n"; 
2037    print CLIENTCONF "# Server Gateway Network\n"; 
2038    print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n";
2039    print CLIENTCONF "# tun Device\n"; 
2040    print CLIENTCONF "dev $vpnsettings{'DDEVICE'}\n"; 
2041    print CLIENTCONF "# Port and Protokoll\n"; 
2042    print CLIENTCONF "port $confighash{$cgiparams{'KEY'}}[29]\n"; 
2043    
2044    if ($confighash{$cgiparams{'KEY'}}[28] eq 'tcp') {
2045    print CLIENTCONF "proto tcp-client\n";
2046    print CLIENTCONF "# Packet size\n";
2047    if ($confighash{$cgiparams{'KEY'}}[31] eq '') {$tunmtu = '1400'} else {$tunmtu = $confighash{$cgiparams{'KEY'}}[31]};
2048    print CLIENTCONF "tun-mtu $tunmtu\n";
2049    }
2050   
2051    if ($confighash{$cgiparams{'KEY'}}[28] eq 'udp') {
2052    print CLIENTCONF "proto udp\n"; 
2053    print CLIENTCONF "# Paketsize\n";
2054    if ($confighash{$cgiparams{'KEY'}}[31] eq '') {$tunmtu = '1500'} else {$tunmtu = $confighash{$cgiparams{'KEY'}}[31]};
2055    print CLIENTCONF "tun-mtu $tunmtu\n";
2056    if ($confighash{$cgiparams{'KEY'}}[24] ne '') {print CLIENTCONF "fragment $confighash{$cgiparams{'KEY'}}[24]\n";}
2057    if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF "mssfix\n";}
2058    }
2059    if (($confighash{$cgiparams{'KEY'}}[38] eq 'yes') ||
2060        ($confighash{$cgiparams{'KEY'}}[38] eq 'maybe') ||
2061        ($confighash{$cgiparams{'KEY'}}[38] eq 'no' )) {
2062         if (($confighash{$cgiparams{'KEY'}}[23] ne 'on') || ($confighash{$cgiparams{'KEY'}}[24] eq '')) {
2063                 if ($tunmtu eq '1500' ) {
2064                         print CLIENTCONF "mtu-disc $confighash{$cgiparams{'KEY'}}[38]\n";
2065                 }
2066         }
2067    }
2068    print CLIENTCONF "ns-cert-type server\n";   
2069    print CLIENTCONF "# Auth. Client\n"; 
2070    print CLIENTCONF "tls-client\n"; 
2071    print CLIENTCONF "# Cipher\n";
2072    print CLIENTCONF "cipher $confighash{$cgiparams{'KEY'}}[40]\n";
2073     if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") { 
2074          print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12\r\n";
2075      $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
2076    }
2077    if ($confighash{$cgiparams{'KEY'}}[39] eq '') {
2078         print CLIENTCONF "# HMAC algorithm\n";
2079         print CLIENTCONF "auth SHA1\n";
2080    } else {
2081    print CLIENTCONF "# HMAC algorithm\n";
2082    print CLIENTCONF "auth $confighash{$cgiparams{'KEY'}}[39]\n";
2083    }
2084    if ($confighash{$cgiparams{'KEY'}}[30] eq 'on') {
2085    print CLIENTCONF "# Enable Compression\n";
2086    print CLIENTCONF "comp-lzo\r\n";
2087      }
2088    print CLIENTCONF "# Debug Level\n"; 
2089    print CLIENTCONF "verb 3\n"; 
2090    print CLIENTCONF "# Tunnel check\n"; 
2091    print CLIENTCONF "keepalive 10 60\n"; 
2092    print CLIENTCONF "# Start as daemon\n"; 
2093    print CLIENTCONF "daemon $confighash{$cgiparams{'KEY'}}[1]n2n\n"; 
2094    print CLIENTCONF "writepid /var/run/$confighash{$cgiparams{'KEY'}}[1]n2n.pid\n"; 
2095    print CLIENTCONF "# Activate Management Interface and Port\n"; 
2096    if ($confighash{$cgiparams{'KEY'}}[22] eq '') {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[29]\n"}
2097     else {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[22]\n"};
2098    print CLIENTCONF "# remsub $confighash{$cgiparams{'KEY'}}[11]\n";
2099   
2100
2101     close(CLIENTCONF);
2102         
2103     $zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n";
2104     my $status = $zip->writeToFileNamed($zippathname);
2105
2106     open(DLFILE, "<$zippathname") or die "Unable to open $zippathname: $!";
2107     @fileholder = <DLFILE>;
2108     print "Content-Type:application/x-download\n";
2109     print "Content-Disposition:attachment;filename=$zipname\n\n";
2110     print @fileholder;
2111     exit (0);
2112 }
2113 else
2114 {
2115         my $zipname = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.zip";
2116         my $zippathname = "$zippath$zipname";
2117         $clientovpn = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.ovpn";
2118
2119 ###
2120 # m.a.d net2net
2121 ###
2122   
2123     open(CLIENTCONF, ">$tempdir/$clientovpn") or die "Unable to open tempfile: $!";
2124     flock CLIENTCONF, 2;
2125     
2126     my $zip = Archive::Zip->new();
2127     
2128     print CLIENTCONF "#OpenVPN Client conf\r\n";
2129     print CLIENTCONF "tls-client\r\n";
2130     print CLIENTCONF "client\r\n";
2131     print CLIENTCONF "nobind\r\n";
2132     print CLIENTCONF "dev $vpnsettings{'DDEVICE'}\r\n";
2133     print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n";
2134
2135     # Check if we are using fragment, mssfix or mtu-disc and set MTU to 1500;
2136     # otherwise use the configured value.
2137     if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' )
2138         { print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu 1500\r\n"; }
2139     elsif ($vpnsettings{MSSFIX} eq 'on')
2140         { print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu 1500\r\n"; }
2141     elsif (($vpnsettings{'PMTU_DISCOVERY'} eq 'yes') ||
2142            ($vpnsettings{'PMTU_DISCOVERY'} eq 'maybe') ||
2143            ($vpnsettings{'PMTU_DISCOVERY'} eq 'no' )) 
2144         { print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu 1500\r\n"; }
2145     else
2146         { print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu $vpnsettings{'DMTU'}\r\n"; }
2147
2148     if ( $vpnsettings{'ENABLED'} eq 'on'){
2149         print CLIENTCONF "remote $vpnsettings{'VPN_IP'} $vpnsettings{'DDEST_PORT'}\r\n";
2150         if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&haveBlueNet())){ 
2151             print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Blue interface\r\n";     
2152             print CLIENTCONF ";remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
2153         }
2154         if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){
2155             print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Orange interface\r\n";           
2156             print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
2157         }
2158     } elsif ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&haveBlueNet())){
2159         print CLIENTCONF "remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
2160         if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){
2161             print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Orange interface\r\n";           
2162             print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
2163         }
2164     } elsif ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){
2165         print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
2166     }
2167                         
2168     if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") { 
2169         print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
2170         $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
2171     } else {
2172         print CLIENTCONF "ca cacert.pem\r\n";
2173         print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n";
2174         print CLIENTCONF "key $confighash{$cgiparams{'KEY'}}[1].key\r\n";
2175         $zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem")  or die "Can't add file cacert.pem\n";
2176         $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n";    
2177     }
2178     print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n";
2179     if ($vpnsettings{'DAUTH'} eq '') {
2180         print CLIENTCONF "";
2181     } else {
2182         print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
2183     }
2184     if ($vpnsettings{'TLSAUTH'} eq 'on') {
2185         print CLIENTCONF "tls-auth ta.key 1\r\n";
2186         $zip->addFile( "${General::swroot}/ovpn/ca/ta.key", "ta.key")  or die "Can't add file ta.key\n";
2187     }
2188     if ($vpnsettings{DCOMPLZO} eq 'on') {
2189         print CLIENTCONF "comp-lzo\r\n";
2190     }
2191     print CLIENTCONF "verb 3\r\n";
2192     print CLIENTCONF "ns-cert-type server\r\n";
2193     print CLIENTCONF "tls-remote $vpnsettings{ROOTCERT_HOSTNAME}\r\n"; 
2194     if ($vpnsettings{MSSFIX} eq 'on') {
2195         print CLIENTCONF "mssfix\r\n";
2196     }
2197     if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' ) {
2198         print CLIENTCONF "fragment $vpnsettings{'FRAGMENT'}\r\n";
2199     }
2200
2201     # Check if a valid operating mode has been chosen and use it.
2202     if (($vpnsettings{'PMTU_DISCOVERY'} eq 'yes') ||
2203         ($vpnsettings{'PMTU_DISCOVERY'} eq 'maybe') ||
2204         ($vpnsettings{'PMTU_DISCOVERY'} eq 'no' )) {
2205         if(($vpnsettings{MSSFIX} ne 'on') || ($vpnsettings{FRAGMENT} eq '')) {
2206                 print CLIENTCONF "mtu-disc $vpnsettings{'PMTU_DISCOVERY'}\r\n";
2207         }
2208     }
2209     close(CLIENTCONF);
2210         
2211     $zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n";
2212     my $status = $zip->writeToFileNamed($zippathname);
2213
2214     open(DLFILE, "<$zippathname") or die "Unable to open $zippathname: $!";
2215     @fileholder = <DLFILE>;
2216     print "Content-Type:application/x-download\n";
2217     print "Content-Disposition:attachment;filename=$zipname\n\n";
2218     print @fileholder;
2219     exit (0);
2220    }
2221    
2222    
2223    
2224 ###
2225 ### Remove connection
2226 ###
2227
2228
2229 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) {
2230     &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
2231     &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2232
2233     if ($confighash{$cgiparams{'KEY'}}) {
2234 #       if ($vpnsettings{'ENABLED'} eq 'on' ||
2235 #           $vpnsettings{'ENABLED_BLUE'} eq 'on') {
2236 #           system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});
2237 #       }
2238 #
2239         my $temp = `/usr/bin/openssl ca -revoke ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`;
2240
2241 ###
2242 # m.a.d net2net
2243 ###
2244
2245 if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') {
2246         my $conffile = glob("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]/$confighash{$cgiparams{'KEY'}}[1].conf");
2247         my $certfile = glob("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
2248         unlink ($certfile);
2249         unlink ($conffile);
2250
2251         if (-e "${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") {
2252                 rmdir ("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") || die "Kann Verzeichnis nicht loeschen: $!";
2253         }
2254 }
2255
2256   unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
2257   unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
2258
2259 # A.Marx CCD delete ccd files and routes
2260
2261         
2262         if (-f "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]")
2263         {
2264                 unlink "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]";
2265         }
2266         
2267         &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
2268         foreach my $key (keys %ccdroutehash) {
2269                 if ($ccdroutehash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){
2270                         delete $ccdroutehash{$key};
2271                 }
2272         }
2273         &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
2274         
2275         &General::readhasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
2276         foreach my $key (keys %ccdroute2hash) {
2277                 if ($ccdroute2hash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){
2278                         delete $ccdroute2hash{$key};
2279                 }
2280         }
2281         &General::writehasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
2282         &writeserverconf;
2283         
2284         
2285 # CCD end 
2286
2287         
2288         delete $confighash{$cgiparams{'KEY'}};
2289         my $temp2 = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`;
2290         &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2291
2292         #&writeserverconf();
2293     } else {
2294         $errormessage = $Lang::tr{'invalid key'};
2295     }
2296         &General::firewall_reload();
2297
2298 ###
2299 ### Download PKCS12 file
2300 ###
2301 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download pkcs12 file'}) {
2302     &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2303
2304     print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n";
2305     print "Content-Type: application/octet-stream\r\n\r\n";
2306     print `/bin/cat ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12`;
2307     exit (0);
2308
2309 ###
2310 ### Display certificate
2311 ###
2312 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show certificate'}) {
2313     &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2314
2315     if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
2316         &Header::showhttpheaders();
2317         &Header::openpage($Lang::tr{'ovpn'}, 1, '');
2318         &Header::openbigbox('100%', 'LEFT', '', '');
2319         &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate'}:");
2320         my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
2321         $output = &Header::cleanhtml($output,"y");
2322         print "<pre>$output</pre>\n";
2323         &Header::closebox();
2324         print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2325         &Header::closebigbox();
2326         &Header::closepage();
2327         exit(0);
2328     }
2329
2330 ###
2331 ### Display Diffie-Hellman key
2332 ###
2333 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show dh'}) {
2334
2335     if (! -e "${General::swroot}/ovpn/ca/dh1024.pem") {
2336         $errormessage = $Lang::tr{'not present'};
2337         } else {
2338                 &Header::showhttpheaders();
2339                 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
2340                 &Header::openbigbox('100%', 'LEFT', '', '');
2341                 &Header::openbox('100%', 'LEFT', "$Lang::tr{'dh'}:");
2342                 my $output = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/dh1024.pem`;
2343                 $output = &Header::cleanhtml($output,"y");
2344                 print "<pre>$output</pre>\n";
2345                 &Header::closebox();
2346                 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2347                 &Header::closebigbox();
2348                 &Header::closepage();
2349                 exit(0);
2350     }
2351
2352 ###
2353 ### Display Certificate Revocation List
2354 ###
2355 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show crl'}) {
2356 #    &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2357
2358     if (! -e "${General::swroot}/ovpn/crls/cacrl.pem") {
2359         $errormessage = $Lang::tr{'not present'};
2360         } else {
2361         &Header::showhttpheaders();
2362         &Header::openpage($Lang::tr{'ovpn'}, 1, '');
2363         &Header::openbigbox('100%', 'LEFT', '', '');
2364         &Header::openbox('100%', 'LEFT', "$Lang::tr{'crl'}:");
2365         my $output = `/usr/bin/openssl crl -text -noout -in ${General::swroot}/ovpn/crls/cacrl.pem`;
2366         $output = &Header::cleanhtml($output,"y");
2367         print "<pre>$output</pre>\n";
2368         &Header::closebox();
2369         print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2370         &Header::closebigbox();
2371         &Header::closepage();
2372         exit(0);
2373     }
2374
2375 ###
2376 ### Advanced Server Settings
2377 ###
2378
2379 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'advanced server'}) {
2380     %cgiparams = ();
2381     %cahash = ();
2382     %confighash = ();
2383     my $disabled;
2384     &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams);
2385     read_routepushfile;
2386         
2387         
2388 #    if ($cgiparams{'CLIENT2CLIENT'} eq '') {
2389 #       $cgiparams{'CLIENT2CLIENT'} =  'on';     
2390 #    }
2391 ADV_ERROR:
2392     if ($cgiparams{'MAX_CLIENTS'} eq '') {
2393                 $cgiparams{'MAX_CLIENTS'} =  '100';
2394     }
2395     if ($cgiparams{'KEEPALIVE_1'} eq '') {
2396                 $cgiparams{'KEEPALIVE_1'} =  '10';
2397     }
2398     if ($cgiparams{'KEEPALIVE_2'} eq '') {
2399                 $cgiparams{'KEEPALIVE_2'} =  '60';
2400     }
2401     if ($cgiparams{'LOG_VERB'} eq '') {
2402                 $cgiparams{'LOG_VERB'} =  '3';
2403     }
2404     if ($cgiparams{'PMTU_DISCOVERY'} eq '') {
2405                 $cgiparams{'PMTU_DISCOVERY'} = 'off';
2406     }
2407     if ($cgiparams{'DAUTH'} eq '') {
2408                 $cgiparams{'DAUTH'} = 'SHA1';
2409     }
2410     if ($cgiparams{'TLSAUTH'} eq '') {
2411                 $cgiparams{'TLSAUTH'} = 'off';
2412     }
2413     $checked{'CLIENT2CLIENT'}{'off'} = '';
2414     $checked{'CLIENT2CLIENT'}{'on'} = '';
2415     $checked{'CLIENT2CLIENT'}{$cgiparams{'CLIENT2CLIENT'}} = 'CHECKED';
2416     $checked{'REDIRECT_GW_DEF1'}{'off'} = '';
2417     $checked{'REDIRECT_GW_DEF1'}{'on'} = '';
2418     $checked{'REDIRECT_GW_DEF1'}{$cgiparams{'REDIRECT_GW_DEF1'}} = 'CHECKED';
2419     $checked{'MSSFIX'}{'off'} = '';
2420     $checked{'MSSFIX'}{'on'} = '';
2421     $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
2422     $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\'';
2423     $selected{'LOG_VERB'}{'0'} = '';
2424     $selected{'LOG_VERB'}{'1'} = '';
2425     $selected{'LOG_VERB'}{'2'} = '';
2426     $selected{'LOG_VERB'}{'3'} = '';
2427     $selected{'LOG_VERB'}{'4'} = '';
2428     $selected{'LOG_VERB'}{'5'} = '';
2429     $selected{'LOG_VERB'}{'6'} = '';
2430     $selected{'LOG_VERB'}{'7'} = '';
2431     $selected{'LOG_VERB'}{'8'} = '';
2432     $selected{'LOG_VERB'}{'9'} = '';
2433     $selected{'LOG_VERB'}{'10'} = '';
2434     $selected{'LOG_VERB'}{'11'} = '';
2435     $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED';
2436     $selected{'DAUTH'}{'whirlpool'} = '';
2437     $selected{'DAUTH'}{'SHA512'} = '';
2438     $selected{'DAUTH'}{'SHA384'} = '';
2439     $selected{'DAUTH'}{'SHA256'} = '';
2440     $selected{'DAUTH'}{'SHA1'} = '';
2441     $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';
2442     $checked{'TLSAUTH'}{'off'} = '';
2443     $checked{'TLSAUTH'}{'on'} = '';
2444     $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED';
2445    
2446     &Header::showhttpheaders();
2447     &Header::openpage($Lang::tr{'status ovpn'}, 1, '');
2448     &Header::openbigbox('100%', 'LEFT', '', $errormessage);    
2449     if ($errormessage) {
2450         &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
2451         print "<class name='base'>$errormessage\n";
2452         print "&nbsp;</class>\n";
2453         &Header::closebox();
2454     }
2455     &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'});
2456     print <<END;
2457     <form method='post' enctype='multipart/form-data'>
2458 <table width='100%' border=0>
2459         <tr>
2460                 <td colspan='4'><b>$Lang::tr{'dhcp-options'}</b></td>
2461     </tr>
2462     <tr>
2463                 <td width='25%'></td> <td width='20%'> </td><td width='25%'> </td><td width='30%'></td>
2464     </tr>       
2465     <tr>                
2466                 <td class='base'>Domain</td>
2467         <td><input type='TEXT' name='DHCP_DOMAIN' value='$cgiparams{'DHCP_DOMAIN'}' size='30'  /></td>
2468     </tr>
2469     <tr>        
2470                 <td class='base'>DNS</td>
2471                 <td><input type='TEXT' name='DHCP_DNS' value='$cgiparams{'DHCP_DNS'}' size='30' /></td>
2472     </tr>       
2473     <tr>        
2474                 <td class='base'>WINS</td>
2475                 <td><input type='TEXT' name='DHCP_WINS' value='$cgiparams{'DHCP_WINS'}' size='30' /></td>
2476         </tr>
2477     <tr>
2478                 <td colspan='4'><b>$Lang::tr{'ovpn routes push options'}</b></td>
2479     </tr>
2480     <tr>        
2481                 <td class='base'>$Lang::tr{'ovpn routes push'}</td>
2482                 <td colspan='2'>
2483                 <textarea name='ROUTES_PUSH' cols='26' rows='6' wrap='off'>
2484 END
2485 ;
2486
2487 if ($cgiparams{'ROUTES_PUSH'} ne '')
2488 {
2489         print $cgiparams{'ROUTES_PUSH'};
2490 }
2491
2492 print <<END;
2493 </textarea></td>
2494 </tr>
2495     </tr>
2496 </table>
2497 <hr size='1'>
2498 <table width='100%'>
2499     <tr>
2500                 <td class'base'><b>$Lang::tr{'misc-options'}</b></td>
2501     </tr>
2502     <tr>
2503                 <td width='20%'></td> <td width='15%'> </td><td width='15%'> </td><td width='15%'></td><td width='35%'></td>
2504     </tr>
2505     <tr>
2506                 <td class='base'>Client-To-Client</td>
2507                 <td><input type='checkbox' name='CLIENT2CLIENT' $checked{'CLIENT2CLIENT'}{'on'} /></td>
2508     </tr>
2509     <tr>        
2510                 <td class='base'>Redirect-Gateway def1</td>
2511                 <td><input type='checkbox' name='REDIRECT_GW_DEF1' $checked{'REDIRECT_GW_DEF1'}{'on'} /></td>
2512     </tr>
2513     <tr>        
2514         <td class='base'>Max-Clients</td>
2515         <td><input type='text' name='MAX_CLIENTS' value='$cgiparams{'MAX_CLIENTS'}' size='10' /></td>
2516     </tr>       
2517         <tr>
2518           <td class='base'>Keepalive <br />
2519             (ping/ping-restart)</td>
2520           <td><input type='TEXT' name='KEEPALIVE_1' value='$cgiparams{'KEEPALIVE_1'}' size='10' /></td>
2521           <td><input type='TEXT' name='KEEPALIVE_2' value='$cgiparams{'KEEPALIVE_2'}' size='10' /></td>
2522     </tr>
2523         <tr>
2524           <td class='base'>fragment <br></td>
2525           <td><input type='TEXT' name='FRAGMENT' value='$cgiparams{'FRAGMENT'}' size='10' /></td>
2526       </tr>
2527         <tr>
2528           <td class='base'>mssfix</td>
2529           <td><input type='checkbox' name='MSSFIX' $checked{'MSSFIX'}{'on'} /></td>
2530           <td>$Lang::tr{'openvpn default'}: off</td>
2531           </tr>
2532
2533         <tr>
2534                 <td class='base'>$Lang::tr{'ovpn mtu-disc'}</td>
2535                 <td><input type='radio' name='PMTU_DISCOVERY' value='yes' $checked{'PMTU_DISCOVERY'}{'yes'} /> $Lang::tr{'ovpn mtu-disc yes'}</td>
2536                 <td><input type='radio' name='PMTU_DISCOVERY' value='maybe' $checked{'PMTU_DISCOVERY'}{'maybe'} /> $Lang::tr{'ovpn mtu-disc maybe'}</td>
2537                 <td><input type='radio' name='PMTU_DISCOVERY' value='no' $checked{'PMTU_DISCOVERY'}{'no'} /> $Lang::tr{'ovpn mtu-disc no'}</td>
2538                 <td><input type='radio' name='PMTU_DISCOVERY' value='off' $checked{'PMTU_DISCOVERY'}{'off'} /> $Lang::tr{'ovpn mtu-disc off'}</td>
2539         </tr>
2540 </table>
2541
2542 <hr size='1'>
2543 <table width='100%'>
2544     <tr>
2545         <td class'base'><b>$Lang::tr{'log-options'}</b></td>
2546     </tr>
2547     <tr>
2548         <td width='20%'></td> <td width='30%'> </td><td width='25%'> </td><td width='25%'></td>
2549     </tr>
2550
2551     <tr><td class='base'>VERB</td>
2552         <td><select name='LOG_VERB'>
2553                         <option value='0'  $selected{'LOG_VERB'}{'0'}>0</option>
2554                         <option value='1'  $selected{'LOG_VERB'}{'1'}>1</option>
2555                         <option value='2'  $selected{'LOG_VERB'}{'2'}>2</option>
2556                         <option value='3'  $selected{'LOG_VERB'}{'3'}>3</option>
2557                         <option value='4'  $selected{'LOG_VERB'}{'4'}>4</option>
2558                         <option value='5'  $selected{'LOG_VERB'}{'5'}>5</option>
2559                         <option value='6'  $selected{'LOG_VERB'}{'6'}>6</option>
2560                         <option value='7'  $selected{'LOG_VERB'}{'7'}>7</option>
2561                         <option value='8'  $selected{'LOG_VERB'}{'8'}>8</option>
2562                         <option value='9'  $selected{'LOG_VERB'}{'9'}>9</option>
2563                         <option value='10' $selected{'LOG_VERB'}{'10'}>10</option>
2564                         <option value='11' $selected{'LOG_VERB'}{'11'}>11</option>
2565         </td></select>
2566     </table>
2567
2568 <hr size='1'>
2569 <table width='100%'>
2570     <tr>
2571                 <td class'base'><b>$Lang::tr{'ovpn crypt options'}</b></td>
2572         </tr>
2573         <tr>
2574                 <td width='20%'></td> <td width='30%'> </td><td width='25%'> </td><td width='25%'></td>
2575     </tr>       
2576     <tr><td class='base'>$Lang::tr{'ovpn ha'}</td>
2577                 <td><select name='DAUTH'>
2578                                 <option value='whirlpool'               $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
2579                                 <option value='SHA512'                  $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
2580                                 <option value='SHA384'                  $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
2581                                 <option value='SHA256'                  $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
2582                                 <option value='SHA1'                    $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'})</option>
2583                         </select>
2584                 </td>
2585                 <td>$Lang::tr{'openvpn default'}: <span class="base">SHA1 (160 $Lang::tr{'bit'})</span></td>
2586     </tr>
2587 </table>
2588
2589 <table width='100%'>
2590     <tr>
2591         <td width='20%'></td> <td width='15%'> </td><td width='15%'> </td><td width='15%'></td><td width='35%'></td>
2592     </tr>
2593
2594     <tr>
2595         <td class='base'>HMAC tls-auth</td>
2596         <td><input type='checkbox' name='TLSAUTH' $checked{'TLSAUTH'}{'on'} /></td>
2597     </tr>
2598     </table><hr>
2599 END
2600
2601 if ( -e "/var/run/openvpn.pid"){
2602 print"  <br><b><font color='#990000'>$Lang::tr{'attention'}:</b></font><br>
2603                 $Lang::tr{'server restart'}<br><br>
2604                 <hr>";
2605         print<<END;
2606 <table width='100%'>
2607 <tr>
2608     <td>&nbsp;</td>
2609     <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-adv-options'}' disabled='disabled' /></td>
2610     <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td>
2611     <td>&nbsp;</td>    
2612 </tr>
2613 </table>    
2614 </form>
2615 END
2616 ;               
2617                 
2618                 
2619 }else{
2620
2621         print<<END;
2622 <table width='100%'>
2623 <tr>
2624     <td>&nbsp;</td>
2625     <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-adv-options'}' /></td>
2626     <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td>
2627     <td>&nbsp;</td>    
2628 </tr>
2629 </table>    
2630 </form>
2631 END
2632 ;                                  
2633 }
2634     &Header::closebox();
2635 #    print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2636     &Header::closebigbox();
2637     &Header::closepage();
2638     exit(0);
2639         
2640
2641 # A.Marx CCD   Add, delete or edit CCD net
2642
2643 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'ccd net'} || 
2644                 $cgiparams{'ACTION'} eq $Lang::tr{'ccd add'} ||  
2645                 $cgiparams{'ACTION'} eq "kill" || 
2646                 $cgiparams{'ACTION'} eq "edit" ||
2647                 $cgiparams{'ACTION'} eq 'editsave'){
2648         &Header::showhttpheaders();
2649         &Header::openpage($Lang::tr{'ccd net'}, 1, '');
2650         &Header::openbigbox('100%', 'LEFT', '', '');
2651
2652         if ($cgiparams{'ACTION'} eq "kill"){
2653                 &delccdnet($cgiparams{'net'});
2654         }
2655         
2656         if ($cgiparams{'ACTION'} eq 'editsave'){
2657                 my ($a,$b) =split (/\|/,$cgiparams{'ccdname'});
2658                 if ( $a ne $b){ &modccdnet($a,$b);}
2659                 $cgiparams{'ccdname'}='';
2660                 $cgiparams{'ccdsubnet'}='';
2661         }
2662         
2663         if ($cgiparams{'ACTION'} eq $Lang::tr{'ccd add'}) {
2664                 &addccdnet($cgiparams{'ccdname'},$cgiparams{'ccdsubnet'});
2665         }
2666         if ($errormessage) {
2667             &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
2668             print "<class name='base'>$errormessage";
2669             print "&nbsp;</class>";
2670             &Header::closebox();                
2671         }
2672 if ($cgiparams{'ACTION'} eq "edit"){
2673         
2674         &Header::openbox('100%', 'LEFT', $Lang::tr{'ccd modify'});
2675
2676         print <<END;
2677     <table width='100%' border='0'>
2678     <tr><form method='post'>
2679         <td width='10%' nowrap='nowrap'>$Lang::tr{'ccd name'}:</td><td><input type='TEXT' name='ccdname' value='$cgiparams{'ccdname'}' /></td>
2680         <td width='8%'>$Lang::tr{'ccd subnet'}:</td><td><input type='TEXT' name='ccdsubnet' value='$cgiparams{'ccdsubnet'}' readonly='readonly' /></td></tr>
2681         <tr><td colspan='4' align='right'><hr><input type='submit' value='$Lang::tr{'save'}' /><input type='hidden' name='ACTION' value='editsave'/>
2682         <input type='hidden' name='ccdname' value='$cgiparams{'ccdname'}'/><input type='submit' value='$Lang::tr{'cancel'}' />
2683         </td></tr>
2684         </table></form>
2685 END
2686 ;
2687         &Header::closebox();
2688
2689         &Header::openbox('100%', 'LEFT',$Lang::tr{'ccd net'} );
2690         print <<END;
2691     <table width='100%' border='0'  cellpadding='0' cellspacing='1'>
2692     <tr>
2693         <td class='boldbase' align='center'><b>$Lang::tr{'ccd name'}</td><td class='boldbase' align='center'><b>$Lang::tr{'network'}</td><td class='boldbase' width='15%' align='center'><b>$Lang::tr{'ccd used'}</td><td width='3%'></td><td width='3%'></td></tr>
2694 END
2695 ;
2696 }
2697 else{
2698         if (! -e "/var/run/openvpn.pid"){
2699         &Header::openbox('100%', 'LEFT', $Lang::tr{'ccd add'});
2700         print <<END;
2701             <table width='100%' border='0'>
2702             <tr><form method='post'>
2703                 <td colspan='4'>$Lang::tr{'ccd hint'}<br><br></td></tr>
2704                 <tr>
2705                 <td width='10%' nowrap='nwrap'>$Lang::tr{'ccd name'}:</td><td><input type='TEXT' name='ccdname' value='$cgiparams{'ccdname'}' /></td>
2706                 <td width='8%'>$Lang::tr{'ccd subnet'}:</td><td><input type='TEXT' name='ccdsubnet' value='$cgiparams{'ccdsubnet'}' /></td></tr>
2707                 <tr><td colspan=4><hr /></td></tr><tr>
2708                 <td colspan='4' align='right'><input type='hidden' name='ACTION' value='$Lang::tr{'ccd add'}' /><input type='submit' value='$Lang::tr{'add'}' /><input type='hidden' name='DOVPN_SUBNET' value='$cgiparams{'DOVPN_SUBNET'}'/></td></tr>
2709                 </table></form>
2710 END
2711         
2712         &Header::closebox();
2713 }
2714         &Header::openbox('100%', 'LEFT',$Lang::tr{'ccd net'} );
2715         if ( -e "/var/run/openvpn.pid"){
2716                 print "<b>$Lang::tr{'attention'}:</b><br>";
2717                 print "$Lang::tr{'ccd noaddnet'}<br><hr>";
2718         }
2719         
2720     print <<END;
2721     <table width='100%' cellpadding='0' cellspacing='1'>
2722     <tr>
2723         <td class='boldbase' align='center' nowrap='nowrap' width='20%'><b>$Lang::tr{'ccd name'}</td><td class='boldbase' align='center' width='8%'><b>$Lang::tr{'network'}</td><td class='boldbase' width='8%' align='center' nowrap='nowrap'><b>$Lang::tr{'ccd used'}</td><td width='1%' align='center'></td><td width='1%' align='center'></td></tr>
2724 END
2725 ;
2726 }
2727         my %ccdconfhash=();     
2728         &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);     
2729         my @ccdconf=();
2730         my $count=0;
2731         foreach my $key (sort { uc($ccdconfhash{$a}[0]) cmp uc($ccdconfhash{$b}[0]) } keys %ccdconfhash) {
2732                 @ccdconf=($ccdconfhash{$key}[0],$ccdconfhash{$key}[1]);
2733                 $count++;
2734                 my $ccdhosts = &hostsinnet($ccdconf[0]);
2735                 if ($count % 2){ print" <tr bgcolor='$color{'color22'}'>";}
2736                 else{            print" <tr bgcolor='$color{'color20'}'>";}
2737                 print"<td>$ccdconf[0]</td><td align='center'>$ccdconf[1]</td><td align='center'>$ccdhosts/".(&ccdmaxclients($ccdconf[1])+1)."</td><td>";
2738         print <<END;
2739                 <form method='post' />
2740                 <input type='image' src='/images/edit.gif' align='middle' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' />
2741                 <input type='hidden' name='ACTION' value='edit'/>
2742                 <input type='hidden' name='ccdname' value='$ccdconf[0]' />
2743                 <input type='hidden' name='ccdsubnet' value='$ccdconf[1]' />
2744                 </form></td>
2745                 <form method='post' />
2746                 <td><input type='hidden' name='ACTION' value='kill'/>
2747                 <input type='hidden' name='number' value='$count' />
2748                 <input type='hidden' name='net' value='$ccdconf[0]' />
2749                 <input type='image' src='/images/delete.gif' align='middle' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' /></form></td></tr>
2750 END
2751 ;
2752         }       
2753         print "</table></form>";
2754         &Header::closebox();
2755         print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2756         &Header::closebigbox();
2757         &Header::closepage();
2758         exit(0);
2759         
2760 #END CCD
2761
2762 ###
2763 ### OpenVPN Connection Statistics
2764 ###
2765 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'ovpn con stat'}) {
2766         &Header::showhttpheaders();
2767         &Header::openpage($Lang::tr{'ovpn con stat'}, 1, '');
2768         &Header::openbigbox('100%', 'LEFT', '', '');
2769     &Header::openbox('100%', 'LEFT', $Lang::tr{'ovpn con stat'});
2770
2771 #
2772 #       <td><b>$Lang::tr{'protocol'}</b></td>
2773 # protocol temp removed 
2774     print <<END;
2775     <table width='100%' cellpadding='2' cellspacing='0' class='tbl'>
2776     <tr>
2777         <th><b>$Lang::tr{'common name'}</b></th>
2778         <th><b>$Lang::tr{'real address'}</b></th>
2779         <th><b>$Lang::tr{'virtual address'}</b></th>
2780         <th><b>$Lang::tr{'loged in at'}</b></th>
2781         <th><b>$Lang::tr{'bytes sent'}</b></th>
2782         <th><b>$Lang::tr{'bytes received'}</b></th>
2783         <th><b>$Lang::tr{'last activity'}</b></th>
2784     </tr>
2785 END
2786 ;
2787         my $filename = "/var/log/ovpnserver.log";
2788         open(FILE, $filename) or die 'Unable to open config file.';
2789         my @current = <FILE>;
2790         close(FILE);
2791         my @users =();
2792         my $status;
2793         my $uid = 0;
2794         my $cn;
2795         my @match = ();
2796         my $proto = "udp";
2797         my $address;
2798         my %userlookup = ();
2799         foreach my $line (@current)
2800         {
2801             chomp($line);
2802             if ( $line =~ /^Updated,(.+)/){
2803                 @match = split( /^Updated,(.+)/, $line); 
2804                 $status = $match[1];
2805             }
2806 #gian       
2807             if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) {
2808                 @match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line);
2809                 if ($match[1] ne "Common Name") {
2810                     $cn = $match[1];
2811                     $userlookup{$match[2]} = $uid;
2812                     $users[$uid]{'CommonName'} = $match[1];
2813                     $users[$uid]{'RealAddress'} = $match[2];
2814                     $users[$uid]{'BytesReceived'} = &sizeformat($match[3]);
2815                     $users[$uid]{'BytesSent'} = &sizeformat($match[4]);
2816                     $users[$uid]{'Since'} = $match[5];
2817                     $users[$uid]{'Proto'} = $proto;
2818                     $uid++;
2819                 }    
2820             }
2821             if ( $line =~ /^(\d+\.\d+\.\d+\.\d+),(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(.+)/) {
2822                 @match = split(m/^(\d+\.\d+\.\d+\.\d+),(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(.+)/, $line);
2823                 if ($match[1] ne "Virtual Address") {
2824                     $address = $match[3];
2825                     #find the uid in the lookup table
2826                     $uid = $userlookup{$address};
2827                     $users[$uid]{'VirtualAddress'} = $match[1];
2828                     $users[$uid]{'LastRef'} = $match[4];
2829                 }
2830             }
2831         }
2832         my $user2 = @users;
2833         if ($user2 >= 1){
2834                 for (my $idx = 1; $idx <= $user2; $idx++){
2835                                                 if ($idx % 2) {
2836                                                         print "<tr>";
2837                                                         $col="bgcolor='$color{'color22'}'";
2838                                                 } else {
2839                                                         print "<tr>";
2840                                                         $col="bgcolor='$color{'color20'}'";
2841                                                 }
2842                                                 print "<td align='left' $col>$users[$idx-1]{'CommonName'}</td>";
2843                                                 print "<td align='left' $col>$users[$idx-1]{'RealAddress'}</td>";
2844                                                 print "<td align='left' $col>$users[$idx-1]{'VirtualAddress'}</td>";
2845                                                 print "<td align='left' $col>$users[$idx-1]{'Since'}</td>";
2846                                                 print "<td align='left' $col>$users[$idx-1]{'BytesSent'}</td>";
2847                                                 print "<td align='left' $col>$users[$idx-1]{'BytesReceived'}</td>";
2848                                                 print "<td align='left' $col>$users[$idx-1]{'LastRef'}</td>";
2849                         }
2850         }
2851         
2852         print "</table>";
2853         print <<END;
2854         <table width='100%' border='0' cellpadding='2' cellspacing='0'>
2855         <tr><td></td></tr>
2856         <tr><td></td></tr>
2857         <tr><td></td></tr>
2858         <tr><td></td></tr>
2859         <tr><td align='center' >$Lang::tr{'the statistics were last updated at'} <b>$status</b></td></tr>
2860         </table>
2861 END
2862 ;       
2863         &Header::closebox();
2864         print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2865         &Header::closebigbox();
2866         &Header::closepage();
2867         exit(0);
2868
2869 ###
2870 ### Download Certificate
2871 ###
2872 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download certificate'}) {
2873     &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2874
2875     if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
2876         print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\r\n";
2877         print "Content-Type: application/octet-stream\r\n\r\n";
2878         print `/bin/cat ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
2879         exit (0);
2880     }
2881
2882 ###
2883 ### Enable/Disable connection
2884 ###
2885
2886 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {
2887     
2888     &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
2889     &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2890
2891     if ($confighash{$cgiparams{'KEY'}}) {
2892            if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') {
2893             $confighash{$cgiparams{'KEY'}}[0] = 'on';
2894             &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2895             #&writeserverconf();
2896 #           if ($vpnsettings{'ENABLED'} eq 'on' ||
2897 #               $vpnsettings{'ENABLED_BLUE'} eq 'on') {
2898 #               system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
2899 #           }
2900         } else {
2901             $confighash{$cgiparams{'KEY'}}[0] = 'off';
2902 #           if ($vpnsettings{'ENABLED'} eq 'on' ||
2903 #               $vpnsettings{'ENABLED_BLUE'} eq 'on') {
2904 #               system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});
2905 #           }
2906             &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2907             #&writeserverconf();
2908         }
2909     } else {
2910         $errormessage = $Lang::tr{'invalid key'};
2911     }
2912
2913 ###
2914 ### Restart connection
2915 ###
2916 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'restart'}) {
2917     &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
2918     &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2919
2920     if ($confighash{$cgiparams{'KEY'}}) {
2921 #       if ($vpnsettings{'ENABLED'} eq 'on' ||
2922 #           $vpnsettings{'ENABLED_BLUE'} eq 'on') {
2923 #           system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
2924 #       }
2925     } else {
2926         $errormessage = $Lang::tr{'invalid key'};
2927     }
2928
2929 ###
2930 ### Remove connection
2931 ###
2932 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) {
2933     &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
2934     &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2935
2936     if ($confighash{$cgiparams{'KEY'}}) {
2937 #       if ($vpnsettings{'ENABLED'} eq 'on' ||
2938 #           $vpnsettings{'ENABLED_BLUE'} eq 'on') {
2939 #           system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});
2940 #       }
2941         unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
2942         unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
2943         delete $confighash{$cgiparams{'KEY'}};
2944         &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2945         #&writeserverconf();
2946     } else {
2947         $errormessage = $Lang::tr{'invalid key'};
2948     }
2949 #test33
2950
2951 ###
2952 ### Choose between adding a host-net or net-net connection
2953 ###
2954
2955 ###
2956 # m.a.d net2net
2957 ###
2958
2959 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'add'} && $cgiparams{'TYPE'} eq '') {
2960         &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
2961         &Header::showhttpheaders();
2962         &Header::openpage($Lang::tr{'ovpn'}, 1, '');
2963         &Header::openbigbox('100%', 'LEFT', '', '');
2964         &Header::openbox('100%', 'LEFT', $Lang::tr{'connection type'});
2965
2966 if ( -s "${General::swroot}/ovpn/settings") {
2967
2968         print <<END;
2969             <b>$Lang::tr{'connection type'}:</b><br />
2970             <table border='0' width='100%'><form method='post' ENCTYPE="multipart/form-data">
2971             <tr><td><input type='radio' name='TYPE' value='host' checked /></td>
2972                 <td class='base'>$Lang::tr{'host to net vpn'}</td></tr>
2973             <tr><td><input type='radio' name='TYPE' value='net' /></td>
2974                 <td class='base'>$Lang::tr{'net to net vpn'}</td></tr>
2975                 <tr><td><input type='radio' name='TYPE' value='net2net' /></td>         
2976                 <td class='base'>$Lang::tr{'net to net vpn'} (Upload Client Package)</td></tr>
2977           <tr><td>&nbsp;</td><td class='base'><input type='file' name='FH' size='30'></td></tr>
2978           <tr><td>&nbsp;</td><td>Import Connection Name <img src='/blob.gif' /></td></tr>
2979     <tr><td>&nbsp;</td><td class='base'><input type='text' name='n2nname' size='30'>$Lang::tr{'openvpn default'}: Client Packagename</td></tr>
2980           <tr><td colspan='3'><hr /></td></tr>
2981     <tr><td align='right' colspan='3'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td></tr>
2982           <tr><td class='base' colspan='3' align='left'><img src='/blob.gif' alt='*' />&nbsp;$Lang::tr{'this field may be blank'}</td></tr>
2983             </form></table>
2984 END
2985         ;
2986         
2987
2988 } else {
2989         print <<END;
2990                     <b>$Lang::tr{'connection type'}:</b><br />
2991             <table border='0' width='100%'><form method='post' ENCTYPE="multipart/form-data">
2992             <tr><td><input type='radio' name='TYPE' value='host' checked /></td> <td class='base'>$Lang::tr{'host to net vpn'}</td></tr>
2993             <tr><td align='right' colspan'3'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td></tr>
2994             </form></table>
2995 END
2996         ;
2997
2998 }
2999
3000         &Header::closebox();
3001         print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
3002         &Header::closebigbox();
3003         &Header::closepage();
3004         exit (0);
3005
3006 ###
3007 # m.a.d net2net
3008 ###
3009
3010 }  elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) && ($cgiparams{'TYPE'} eq 'net2net')){
3011
3012         my @firen2nconf;
3013         my @confdetails;
3014         my $uplconffilename ='';
3015         my $uplconffilename2 ='';
3016         my $uplp12name = '';
3017         my $uplp12name2 = '';
3018         my @rem_subnet;
3019         my @rem_subnet2;
3020         my @tmposupnet3;        
3021         my $key;
3022         my @n2nname;
3023
3024         &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);    
3025
3026 # Check if a file is uploaded
3027
3028         if (ref ($cgiparams{'FH'}) ne 'Fh') {
3029                 $errormessage = $Lang::tr{'there was no file upload'};
3030                 goto N2N_ERROR;
3031     }
3032
3033 # Move uploaded IPfire n2n package to temporary file
3034
3035     (my $fh, my $filename) = tempfile( );
3036     if (copy ($cgiparams{'FH'}, $fh) != 1) {
3037                 $errormessage = $!;
3038                 goto N2N_ERROR;
3039     }
3040
3041         my $zip = Archive::Zip->new();
3042         my $zipName = $filename;
3043         my $status = $zip->read( $zipName );
3044         if ($status != AZ_OK) {   
3045                 $errormessage = "Read of $zipName failed\n";
3046                 goto N2N_ERROR;
3047         }
3048
3049         my $tempdir = tempdir( CLEANUP => 1 );
3050         my @files = $zip->memberNames();
3051         for(@files) {
3052         $zip->extractMemberWithoutPaths($_,"$tempdir/$_");
3053         }
3054         my $countfiles = @files;
3055
3056 # Check if we have not more then 2 files
3057
3058         if ( $countfiles == 2){
3059                 foreach (@files){
3060                         if ( $_ =~ /.conf$/){
3061                                 $uplconffilename = $_;
3062                         }
3063                         if ( $_ =~ /.p12$/){
3064                                 $uplp12name = $_;
3065                         }                       
3066                 }
3067                 if (($uplconffilename eq '') || ($uplp12name eq '')){
3068                         $errormessage = "Either no *.conf or no *.p12 file found\n";
3069                         goto N2N_ERROR;
3070                 }
3071
3072                 open(FILE, "$tempdir/$uplconffilename") or die 'Unable to open*.conf file';
3073                 @firen2nconf = <FILE>;
3074                 close (FILE);
3075                 chomp(@firen2nconf);
3076
3077         } else {
3078
3079                 $errormessage = "Filecount does not match only 2 files are allowed\n";
3080                 goto N2N_ERROR;
3081         }
3082
3083 ###
3084 # m.a.d net2net
3085 ###
3086   
3087  if ($cgiparams{'n2nname'} ne ''){
3088
3089   $uplconffilename2 = "$cgiparams{'n2nname'}.conf"; 
3090   $uplp12name2 = "$cgiparams{'n2nname'}.p12"; 
3091   $n2nname[0] = $cgiparams{'n2nname'};
3092   my @n2nname2 = split(/\./,$uplconffilename);
3093   $n2nname2[0] =~ s/\n|\r//g;
3094   my $input1 = "${General::swroot}/ovpn/certs/$uplp12name";
3095         my $output1 = "${General::swroot}/ovpn/certs/$uplp12name2";
3096         my $input2 = "$n2nname2[0]n2n";
3097   my $output2 = "$n2nname[0]n2n";
3098   my $filename = "$tempdir/$uplconffilename";
3099   open(FILE, "< $filename") or die 'Unable to open config file.';
3100         my @current = <FILE>;
3101         close(FILE);
3102         foreach (@current) {s/$input1/$output1/g;}
3103         foreach (@current) {s/$input2/$output2/g;}
3104   open (OUT, "> $filename") || die 'Unable to open config file.';
3105   print OUT @current;
3106   close OUT;
3107
3108     }else{
3109     $uplconffilename2 =  $uplconffilename;
3110     $uplp12name2 = $uplp12name;
3111     @n2nname = split(/\./,$uplconffilename);
3112     $n2nname[0] =~ s/\n|\r//g;
3113    } 
3114     unless(-d "${General::swroot}/ovpn/n2nconf/"){mkdir "${General::swroot}/ovpn/n2nconf", 0755 or die "Unable to create dir $!";}
3115     unless(-d "${General::swroot}/ovpn/n2nconf/$n2nname[0]"){mkdir "${General::swroot}/ovpn/n2nconf/$n2nname[0]", 0770 or die "Unable to create dir $!";}   
3116
3117         move("$tempdir/$uplconffilename", "${General::swroot}/ovpn/n2nconf/$n2nname[0]/$uplconffilename2");
3118
3119         if ($? ne 0) {
3120             $errormessage = "*.conf move failed: $!";
3121             unlink ($filename);
3122             goto N2N_ERROR;
3123         }
3124         
3125         move("$tempdir/$uplp12name", "${General::swroot}/ovpn/certs/$uplp12name2");
3126         chmod 0600, "${General::swroot}/ovpn/certs/$uplp12name";
3127         
3128         if ($? ne 0) {
3129             $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
3130             unlink ($filename);
3131             goto N2N_ERROR;
3132         }       
3133         
3134 my $complzoactive;
3135 my $mssfixactive;
3136 my $authactive;
3137 my $n2nfragment;
3138 my $authactive;
3139 my @n2nmtudisc = split(/ /, (grep { /^mtu-disc/ } @firen2nconf)[0]);
3140 my @n2nproto2 = split(/ /, (grep { /^proto/ } @firen2nconf)[0]);
3141 my @n2nproto = split(/-/, $n2nproto2[1]);
3142 my @n2nport = split(/ /, (grep { /^port/ } @firen2nconf)[0]);
3143 my @n2ntunmtu = split(/ /, (grep { /^tun-mtu/ } @firen2nconf)[0]);
3144 my @n2ncomplzo = grep { /^comp-lzo/ } @firen2nconf;
3145 if ($n2ncomplzo[0] =~ /comp-lzo/){$complzoactive = "on";} else {$complzoactive = "off";}        
3146 my @n2nmssfix  = grep { /^mssfix/ } @firen2nconf;
3147 if ($n2nmssfix[0] =~ /mssfix/){$mssfixactive = "on";} else {$mssfixactive = "off";}
3148 #my @n2nmssfix = split(/ /, (grep { /^mssfix/ } @firen2nconf)[0]);
3149 my @n2nfragment = split(/ /, (grep { /^fragment/ } @firen2nconf)[0]);
3150 my @n2nremote = split(/ /, (grep { /^remote/ } @firen2nconf)[0]);
3151 my @n2novpnsuball = split(/ /, (grep { /^ifconfig/ } @firen2nconf)[0]);
3152 my @n2novpnsub =  split(/\./,$n2novpnsuball[1]);
3153 my @n2nremsub = split(/ /, (grep { /^route/ } @firen2nconf)[0]);
3154 my @n2nmgmt =  split(/ /, (grep { /^management/ } @firen2nconf)[0]);
3155 my @n2nlocalsub  = split(/ /, (grep { /^# remsub/ } @firen2nconf)[0]);
3156 my @n2ncipher = split(/ /, (grep { /^cipher/ } @firen2nconf)[0]);
3157 my @n2nauth = split(/ /, (grep { /^auth/ } @firen2nconf)[0]);;
3158
3159 ###
3160 # m.a.d delete CR and LF from arrays for this chomp doesnt work
3161 ###
3162
3163 $n2nremote[1] =~ s/\n|\r//g;
3164 $n2novpnsub[0] =~ s/\n|\r//g;
3165 $n2novpnsub[1] =~ s/\n|\r//g;
3166 $n2novpnsub[2] =~ s/\n|\r//g;
3167 $n2nproto[0] =~ s/\n|\r//g;
3168 $n2nport[1] =~ s/\n|\r//g;
3169 $n2ntunmtu[1] =~ s/\n|\r//g;
3170 $n2nremsub[1] =~ s/\n|\r//g;
3171 $n2nremsub[2] =~ s/\n|\r//g;
3172 $n2nlocalsub[2] =~ s/\n|\r//g;
3173 $n2nfragment[1] =~ s/\n|\r//g;
3174 $n2nmgmt[2] =~ s/\n|\r//g;
3175 $n2nmtudisc[1] =~ s/\n|\r//g;
3176 $n2ncipher[1] =~ s/\n|\r//g;
3177 $n2nauth[1] =~ s/\n|\r//g;
3178 chomp ($complzoactive);
3179 chomp ($mssfixactive);
3180
3181 ###
3182 # m.a.d net2net
3183 ###
3184
3185 ###
3186 # Check if there is no other entry with this name
3187 ###
3188
3189         foreach my $dkey (keys %confighash) {
3190                 if ($confighash{$dkey}[1] eq $n2nname[0]) {
3191                         $errormessage = $Lang::tr{'a connection with this name already exists'};
3192                         unlink ("${General::swroot}/ovpn/n2nconf/$n2nname[0]/$n2nname[0].conf") or die "Removing Configfile fail: $!";
3193             unlink ("${General::swroot}/ovpn/certs/$n2nname[0].p12") or die "Removing Certfile fail: $!";
3194       rmdir ("${General::swroot}/ovpn/n2nconf/$n2nname[0]") || die "Removing Directory fail: $!";
3195                         goto N2N_ERROR;                 
3196                 }
3197         }
3198
3199 ###
3200 # Check if OpenVPN Subnet is valid
3201 ###
3202
3203 foreach my $dkey (keys %confighash) {
3204                 if ($confighash{$dkey}[27] eq "$n2novpnsub[0].$n2novpnsub[1].$n2novpnsub[2].0/255.255.255.0") {
3205                         $errormessage = 'The OpenVPN Subnet is already in use';
3206                         unlink ("${General::swroot}/ovpn/n2nconf/$n2nname[0]/$n2nname[0].conf") or die "Removing Configfile fail: $!";
3207             unlink ("${General::swroot}/ovpn/certs/$n2nname[0].p12") or die "Removing Certfile fail: $!";
3208       rmdir ("${General::swroot}/ovpn/n2nconf/$n2nname[0]") || die "Removing Directory fail: $!";
3209                         goto N2N_ERROR;                 
3210                 }
3211         }
3212
3213 ###
3214 # Check if Dest Port is vaild
3215 ###
3216
3217 foreach my $dkey (keys %confighash) {
3218                 if ($confighash{$dkey}[29] eq $n2nport[1] ) {
3219                         $errormessage = 'The OpenVPN Port is already in use';
3220                         unlink ("${General::swroot}/ovpn/n2nconf/$n2nname[0]/$n2nname[0].conf") or die "Removing Configfile fail: $!";
3221             unlink ("${General::swroot}/ovpn/certs/$n2nname[0].p12") or die "Removing Certfile fail: $!";
3222       rmdir ("${General::swroot}/ovpn/n2nconf/$n2nname[0]") || die "Removing Directory fail: $!";
3223                         goto N2N_ERROR;                 
3224                 }
3225         }
3226         
3227         
3228         
3229   $key = &General::findhasharraykey (\%confighash);
3230
3231         foreach my $i (0 .. 42) { $confighash{$key}[$i] = "";}
3232
3233         $confighash{$key}[0] = 'off';
3234         $confighash{$key}[1] = $n2nname[0];
3235         $confighash{$key}[2] = $n2nname[0];     
3236         $confighash{$key}[3] = 'net';
3237         $confighash{$key}[4] = 'cert';  
3238         $confighash{$key}[6] = 'client';                
3239         $confighash{$key}[8] =  $n2nlocalsub[2];
3240         $confighash{$key}[10] = $n2nremote[1];
3241         $confighash{$key}[11] = "$n2nremsub[1]/$n2nremsub[2]";          
3242         $confighash{$key}[22] = $n2nmgmt[2];
3243         $confighash{$key}[23] = $mssfixactive;
3244         $confighash{$key}[24] = $n2nfragment[1];
3245         $confighash{$key}[25] = 'IPFire n2n Client';
3246         $confighash{$key}[26] = 'red';
3247         $confighash{$key}[27] = "$n2novpnsub[0].$n2novpnsub[1].$n2novpnsub[2].0/255.255.255.0";
3248         $confighash{$key}[28] = $n2nproto[0];
3249         $confighash{$key}[29] = $n2nport[1];
3250         $confighash{$key}[30] = $complzoactive;
3251         $confighash{$key}[31] = $n2ntunmtu[1];
3252         $confighash{$key}[38] = $n2nmtudisc[1];
3253         $confighash{$key}[39] = $n2nauth[1];
3254         $confighash{$key}[40] = $n2ncipher[1];
3255         $confighash{$key}[41] = 'disabled';
3256
3257   &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3258  
3259   N2N_ERROR:
3260                 
3261         &Header::showhttpheaders();
3262         &Header::openpage('Validate imported configuration', 1, '');
3263         &Header::openbigbox('100%', 'LEFT', '', $errormessage);
3264         if ($errormessage) {
3265             &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
3266             print "<class name='base'>$errormessage";
3267             print "&nbsp;</class>";
3268             &Header::closebox();                
3269
3270         } else 
3271   {             
3272                 &Header::openbox('100%', 'LEFT', 'import ipfire net2net config');
3273         }
3274         if ($errormessage eq ''){
3275         print <<END;
3276                 <!-- ipfire net2net config gui -->
3277                 <table width='100%'>
3278                 <tr><td width='25%'>&nbsp;</td><td width='25%'>&nbsp;</td></tr>
3279     <tr><td class='boldbase'>$Lang::tr{'name'}:</td><td><b>$n2nname[0]</b></td></tr>
3280     <tr><td>&nbsp;</td><td>&nbsp;</td></tr>     
3281                 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'Act as'}</td><td><b>$confighash{$key}[6]</b></td></tr>                                                              
3282                 <tr><td class='boldbase' nowrap='nowrap'>Remote Host </td><td><b>$confighash{$key}[10]</b></td></tr>
3283                 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'local subnet'}</td><td><b>$confighash{$key}[8]</b></td></tr>
3284                 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'remote subnet'}:</td><td><b>$confighash{$key}[11]</b></td></tr>
3285                 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn subnet'}</td><td><b>$confighash{$key}[27]</b></td></tr>
3286                 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'protocol'}</td><td><b>$confighash{$key}[28]</b></td></tr>
3287                 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'destination port'}:</td><td><b>$confighash{$key}[29]</b></td></tr>
3288                 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'}</td><td><b>$confighash{$key}[30]</b></td></tr>
3289                 <tr><td class='boldbase' nowrap='nowrap'>MSSFIX:</td><td><b>$confighash{$key}[23]</b></td></tr>
3290                 <tr><td class='boldbase' nowrap='nowrap'>Fragment:</td><td><b>$confighash{$key}[24]</b></td></tr>
3291                 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'MTU'}</td><td><b>$confighash{$key}[31]</b></td></tr>
3292                 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn mtu-disc'}</td><td><b>$confighash{$key}[38]</b></td></tr>
3293                 <tr><td class='boldbase' nowrap='nowrap'>Management Port </td><td><b>$confighash{$key}[22]</b></td></tr>
3294                 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn hmac'}:</td><td><b>$confighash{$key}[39]</b></td></tr>
3295                 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td><td><b>$confighash{$key}[40]</b></td></tr>
3296                 <tr><td>&nbsp;</td><td>&nbsp;</td></tr> 
3297     </table>
3298 END
3299 ;       
3300                 &Header::closebox();
3301         }
3302
3303         if ($errormessage) {
3304                 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
3305         } else {        
3306                 print "<div align='center'><form method='post' ENCTYPE='multipart/form-data'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' />";           
3307                 print "<input type='hidden' name='TYPE' value='net2netakn' />";
3308                 print "<input type='hidden' name='KEY' value='$key' />";                        
3309                 print "<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></div></form>";
3310         }       
3311         &Header::closebigbox();
3312         &Header::closepage();
3313         exit(0);
3314
3315
3316 ##
3317 ### Accept IPFire n2n Package Settings
3318 ###
3319
3320   }  elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) && ($cgiparams{'TYPE'} eq 'net2netakn')){
3321
3322 ###
3323 ### Discard and Rollback IPFire n2n Package Settings
3324 ###
3325
3326   }  elsif (($cgiparams{'ACTION'} eq $Lang::tr{'cancel'}) && ($cgiparams{'TYPE'} eq 'net2netakn')){
3327      
3328      &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3329
3330 if ($confighash{$cgiparams{'KEY'}}) {
3331
3332      my $conffile = glob("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]/$confighash{$cgiparams{'KEY'}}[1].conf");
3333      my $certfile = glob("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
3334      unlink ($certfile) or die "Removing $certfile fail: $!";
3335      unlink ($conffile) or die "Removing $conffile fail: $!";
3336      rmdir ("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") || die "Kann Verzeichnis nicht loeschen: $!";
3337      delete $confighash{$cgiparams{'KEY'}};
3338     &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);       
3339
3340      } else {
3341                 $errormessage = $Lang::tr{'invalid key'};
3342    }    
3343     
3344
3345 ###
3346 # m.a.d net2net
3347 ###
3348
3349
3350 ###
3351 ### Adding a new connection
3352 ###
3353 } elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) ||
3354          ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) ||
3355          ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq '')) {
3356             
3357     &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
3358     &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
3359     &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3360
3361     if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) {
3362                 if (! $confighash{$cgiparams{'KEY'}}[0]) {
3363                     $errormessage = $Lang::tr{'invalid key'};
3364                     goto VPNCONF_END;
3365                 }
3366                 $cgiparams{'ENABLED'}           = $confighash{$cgiparams{'KEY'}}[0];
3367                 $cgiparams{'NAME'}              = $confighash{$cgiparams{'KEY'}}[1];
3368                 $cgiparams{'TYPE'}              = $confighash{$cgiparams{'KEY'}}[3];
3369                 $cgiparams{'AUTH'}              = $confighash{$cgiparams{'KEY'}}[4];
3370                 $cgiparams{'PSK'}               = $confighash{$cgiparams{'KEY'}}[5];
3371                 $cgiparams{'SIDE'}              = $confighash{$cgiparams{'KEY'}}[6];
3372                 $cgiparams{'LOCAL_SUBNET'}      = $confighash{$cgiparams{'KEY'}}[8];
3373                 $cgiparams{'REMOTE'}            = $confighash{$cgiparams{'KEY'}}[10];
3374                 $cgiparams{'REMOTE_SUBNET'}     = $confighash{$cgiparams{'KEY'}}[11];
3375                 $cgiparams{'OVPN_MGMT'}         = $confighash{$cgiparams{'KEY'}}[22];
3376                 $cgiparams{'MSSFIX'}            = $confighash{$cgiparams{'KEY'}}[23];
3377                 $cgiparams{'FRAGMENT'}          = $confighash{$cgiparams{'KEY'}}[24];
3378                 $cgiparams{'REMARK'}            = $confighash{$cgiparams{'KEY'}}[25];
3379                 $cgiparams{'INTERFACE'}         = $confighash{$cgiparams{'KEY'}}[26];
3380                 $cgiparams{'OVPN_SUBNET'}       = $confighash{$cgiparams{'KEY'}}[27];
3381                 $cgiparams{'PROTOCOL'}          = $confighash{$cgiparams{'KEY'}}[28];
3382                 $cgiparams{'DEST_PORT'}         = $confighash{$cgiparams{'KEY'}}[29];
3383                 $cgiparams{'COMPLZO'}           = $confighash{$cgiparams{'KEY'}}[30];
3384                 $cgiparams{'MTU'}               = $confighash{$cgiparams{'KEY'}}[31];
3385                 $cgiparams{'CHECK1'}            = $confighash{$cgiparams{'KEY'}}[32];
3386                 $name=$cgiparams{'CHECK1'}      ;
3387                 $cgiparams{$name}               = $confighash{$cgiparams{'KEY'}}[33];
3388                 $cgiparams{'RG'}                = $confighash{$cgiparams{'KEY'}}[34];
3389                 $cgiparams{'CCD_DNS1'}          = $confighash{$cgiparams{'KEY'}}[35];
3390                 $cgiparams{'CCD_DNS2'}          = $confighash{$cgiparams{'KEY'}}[36];
3391                 $cgiparams{'CCD_WINS'}          = $confighash{$cgiparams{'KEY'}}[37];
3392                 $cgiparams{'PMTU_DISCOVERY'}    = $confighash{$cgiparams{'KEY'}}[38];
3393                 $cgiparams{'DAUTH'}             = $confighash{$cgiparams{'KEY'}}[39];
3394                 $cgiparams{'DCIPHER'}           = $confighash{$cgiparams{'KEY'}}[40];
3395                 $cgiparams{'TLSAUTH'}           = $confighash{$cgiparams{'KEY'}}[41];
3396         } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
3397         $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
3398         
3399 #A.Marx CCD check iroute field and convert it to decimal
3400 if ($cgiparams{'TYPE'} eq 'host') {
     # Host connection: validate the client-specific routes entered in the
     # form (iroutes in IR, pushed networks in IFROUTE, optional DNS/WINS) and
     # persist them to the ccdroute / ccdroute2 hash files. Every failed check
     # sets or appends to $errormessage and jumps to VPNCONF_ERROR; the label,
     # $errormessage, %netsettings and %ccdroute2hash are defined outside this
     # section.
3401         my @temp=();
3402         my %ccdroutehash=();
3403         my $keypoint=0;
3404         my $ip;
3405         my $cidr;
3406         if ($cgiparams{'IR'} ne ''){
3407                 @temp = split("\n",$cgiparams{'IR'});
3408                 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
3409                 #find key to use
                     # Reuse the key of an existing entry for this NAME (the old
                     # entry is dropped and rebuilt below), otherwise take a free
                     # key. NOTE(review): the else branch runs for every
                     # non-matching key, so the final $keypoint depends on hash
                     # iteration order; with an empty hash it stays 0.
3410                 foreach my $key (keys %ccdroutehash) {
3411                         if ($ccdroutehash{$key}[0] eq $cgiparams{'NAME'}) {
3412                                 $keypoint=$key;
3413                                 delete $ccdroutehash{$key};
3414                         }else{
3415                                 $keypoint = &General::findhasharraykey (\%ccdroutehash);
3416                         }
3417                 }
3418                 $ccdroutehash{$keypoint}[0]=$cgiparams{'NAME'};
3419                 my $i=1;
3420                 my $val=0;
3421                 foreach $val (@temp){
3422                         chomp($val);
3423                         $val=~s/\s*$//g; 
3424                         #check if iroute exists in ccdroute or if new iroute is part of an existing one
                             # Reject a route that is already stored for any
                             # connection, or whose network address lies inside a
                             # stored route. NOTE(review): this runs before the
                             # validipandmask() check further down, so a malformed
                             # $val reaches split/getnetworkip first.
3425                         foreach my $key (keys %ccdroutehash) {
3426                                 foreach my $oldiroute ( 1 .. $#{$ccdroutehash{$key}}){
3427                                                 if ($ccdroutehash{$key}[$oldiroute] eq "$val") {
3428                                                         $errormessage=$errormessage.$Lang::tr{'ccd err irouteexist'};
3429                                                         goto VPNCONF_ERROR;
3430                                                 }
3431                                                 my ($ip1,$cidr1) = split (/\//, $val);
3432                                                 $ip1 = &General::getnetworkip($ip1,&General::iporsubtocidr($cidr1));
3433                                                 my ($ip2,$cidr2) = split (/\//, $ccdroutehash{$key}[$oldiroute]);
3434                                                 if (&General::IpInSubnet ($ip1,$ip2,$cidr2)){
3435                                                         $errormessage=$errormessage.$Lang::tr{'ccd err irouteexist'};
3436                                                         goto VPNCONF_ERROR;
3437                                                 } 
3438                                                                         
3439                                 }
3440                         }
                             # Normalise the route to network-address/decimal-mask
                             # form before storing it.
3441                         if (!&General::validipandmask($val)){
3442                                 $errormessage=$errormessage."Route ".$Lang::tr{'ccd invalid'}." ($val)";
3443                                 goto VPNCONF_ERROR;
3444                         }else{
3445                                 ($ip,$cidr) = split(/\//,$val);
3446                                 $ip=&General::getnetworkip($ip,&General::iporsubtocidr($cidr));
3447                                 $cidr=&General::iporsubtodec($cidr);
3448                                 $ccdroutehash{$keypoint}[$i] = $ip."/".$cidr;
3449                         
3450                         }
3451                                                                                                                                         
3452                         #check for existing network IP's
                             # The route must not overlap one of the local zones; a
                             # zone whose address is 0.0.0.0 (or empty, for BLUE and
                             # ORANGE) is treated as absent. Unlike the checks above,
                             # these assignments replace $errormessage instead of
                             # appending to it.
3453                         if (&General::IpInSubnet ($ip,$netsettings{GREEN_NETADDRESS},$netsettings{GREEN_NETMASK}) && $netsettings{GREEN_NETADDRESS} ne '0.0.0.0')
3454                         {
3455                                 $errormessage=$Lang::tr{'ccd err green'};
3456                                 goto VPNCONF_ERROR;
3457                         }elsif(&General::IpInSubnet ($ip,$netsettings{RED_NETADDRESS},$netsettings{RED_NETMASK}) && $netsettings{RED_NETADDRESS} ne '0.0.0.0')
3458                         {
3459                                 $errormessage=$Lang::tr{'ccd err red'};
3460                                 goto VPNCONF_ERROR;
3461                         }elsif(&General::IpInSubnet ($ip,$netsettings{BLUE_NETADDRESS},$netsettings{BLUE_NETMASK}) && $netsettings{BLUE_NETADDRESS} ne '0.0.0.0' && $netsettings{BLUE_NETADDRESS} gt '')
3462                         {
3463                                 $errormessage=$Lang::tr{'ccd err blue'};
3464                                 goto VPNCONF_ERROR;
3465                         }elsif(&General::IpInSubnet ($ip,$netsettings{ORANGE_NETADDRESS},$netsettings{ORANGE_NETMASK}) && $netsettings{ORANGE_NETADDRESS} ne '0.0.0.0' && $netsettings{ORANGE_NETADDRESS} gt '' )
3466                         {
3467                                 $errormessage=$Lang::tr{'ccd err orange'};
3468                                 goto VPNCONF_ERROR;
3469                         }
3470                                                 
                             # Re-validates what was already checked above and
                             # stores the same value again; redundant but harmless.
3471                         if (&General::validipandmask($val)){
3472                                 $ccdroutehash{$keypoint}[$i] = $ip."/".$cidr;
3473                         }else{
3474                                 $errormessage=$errormessage."Route ".$Lang::tr{'ccd invalid'}." ($ip/$cidr)";
3475                                 goto VPNCONF_ERROR;
3476                         }
3477                         $i++;
3478                 }
                     # Persist the routes and regenerate the server configuration
                     # (writeserverconf is defined outside this section).
3479                 &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
3480                 &writeserverconf;
3481         }else{
                     # No iroutes given: drop any stored ccdroute entry for this
                     # NAME. The file and server config are rewritten inside the
                     # loop, once per matching entry.
3482                 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
3483                 foreach my $key (keys %ccdroutehash) {
3484                         if ($ccdroutehash{$key}[0] eq $cgiparams{'NAME'}) {
3485                                 delete $ccdroutehash{$key};
3486                                 &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
3487                                 &writeserverconf;
3488                         }
3489                 }       
3490         }
3491         undef @temp;
3492         #check route field and convert it to decimal
             # Same key-selection procedure for the networks pushed to the client
             # (ccdroute2). %ccdroute2hash is declared outside this section.
3493         my $val=0;
3494         my $i=1;
3495         &General::readhasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
3496         #find key to use
3497         foreach my $key (keys %ccdroute2hash) {
3498                 if ($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}) {
3499                         $keypoint=$key;
3500                         delete $ccdroute2hash{$key};
3501                 }else{
3502                         $keypoint = &General::findhasharraykey (\%ccdroute2hash);
                             # NOTE(review): this rewrites the ccdroute file from
                             # %ccdroutehash (not ccdroute2) and regenerates the
                             # server config once per non-matching key; it looks
                             # copied from the iroute block above — confirm intent.
3503                         &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
3504                         &writeserverconf;
3505                 }
3506         }
3507         $ccdroute2hash{$keypoint}[0]=$cgiparams{'NAME'};
             # An empty selection is represented by the localised 'ccd none' string.
3508         if ($cgiparams{'IFROUTE'} eq ''){$cgiparams{'IFROUTE'} = $Lang::tr{'ccd none'};}
3509         @temp = split(/\|/,$cgiparams{'IFROUTE'});
3510         my %ownnet=();
3511         &General::readhash("${General::swroot}/ethernet/settings", \%ownnet);
3512         foreach $val (@temp){
3513                 chomp($val);
3514                 $val=~s/\s*$//g; 
                     # Map the localised zone names to that zone's network/mask
                     # from the ethernet settings; anything else is taken as a
                     # literal network.
3515                 if ($val eq $Lang::tr{'green'})
3516                 {
3517                         $val=$ownnet{GREEN_NETADDRESS}."/".$ownnet{GREEN_NETMASK};
3518                 }
3519                 if ($val eq $Lang::tr{'blue'})
3520                 {
3521                         $val=$ownnet{BLUE_NETADDRESS}."/".$ownnet{BLUE_NETMASK};
3522                 }
3523                 if ($val eq $Lang::tr{'orange'})
3524                 {
3525                         $val=$ownnet{ORANGE_NETADDRESS}."/".$ownnet{ORANGE_NETMASK};
3526                 }
3527                 my ($ip,$cidr) = split (/\//, $val);
3528                 
3529                 if ($val ne $Lang::tr{'ccd none'})
3530                 {       
                             # check_routes_push / check_ccdroute / check_ccdconf are
                             # helpers defined outside this section; a false result
                             # from any of them aborts the save.
3531                         if (! &check_routes_push($val)){$errormessage=$errormessage."Route $val ".$Lang::tr{'ccd err routeovpn2'}." ($val)";goto VPNCONF_ERROR;}
3532                         if (! &check_ccdroute($val)){$errormessage=$errormessage."<br>Route $val ".$Lang::tr{'ccd err inuse'}." ($val)" ;goto VPNCONF_ERROR;}
3533                         if (! &check_ccdconf($val)){$errormessage=$errormessage."<br>Route $val ".$Lang::tr{'ccd err routeovpn'}." ($val)";goto VPNCONF_ERROR;}
3534                         if (&General::validipandmask($val)){
3535                                 $val=$ip."/".&General::iporsubtodec($cidr);
3536                                 $ccdroute2hash{$keypoint}[$i] = $val;
3537                         }else{
3538                                 $errormessage=$errormessage."Route ".$Lang::tr{'ccd invalid'}." ($val)";
3539                                 goto VPNCONF_ERROR;
3540                         }
3541                 }else{
3542                         $ccdroute2hash{$keypoint}[$i]='';
3543                 }
3544                 $i++;
3545         }       
3546         &General::writehasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
3547
             # Optional DNS/WINS addresses pushed to the client must be valid IPs
             # when given.
3548         #check dns1 ip
3549         if ($cgiparams{'CCD_DNS1'} ne '' &&  ! &General::validip($cgiparams{'CCD_DNS1'})) {
3550                         $errormessage=$errormessage."<br>".$Lang::tr{'invalid input for dhcp dns'}." 1";
3551                         goto VPNCONF_ERROR;
3552         }
3553         #check dns2 ip
3554         if ($cgiparams{'CCD_DNS2'} ne '' &&  ! &General::validip($cgiparams{'CCD_DNS2'})) {
3555                         $errormessage=$errormessage."<br>".$Lang::tr{'invalid input for dhcp dns'}." 2";
3556                         goto VPNCONF_ERROR;
3557         }
3558         #check wins ip
3559         if ($cgiparams{'CCD_WINS'} ne '' &&  ! &General::validip($cgiparams{'CCD_WINS'})) {
3560                         $errormessage=$errormessage."<br>".$Lang::tr{'invalid input for dhcp wins'};
3561                         goto VPNCONF_ERROR;
3562         }
3563 }
3564
3565 #CCD End
3566
3567         
     # Basic checks on connection type and name. On failure for a net-to-net
     # connection the n2nconf directory for this NAME is removed before jumping
     # to VPNCONF_ERROR (defined outside this section); that directory is
     # presumably created earlier in the request — confirm against the code
     # above this section.
3568  if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
3569             $errormessage = $Lang::tr{'connection type is invalid'};
                 # NOTE(review): unreachable — this branch is only entered when
                 # TYPE is neither 'host' nor 'net'.
3570             if ($cgiparams{'TYPE'} eq 'net') {
3571       unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3572             rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3573       }
3574             goto VPNCONF_ERROR;
3575         }
3576
3577
         # NAME must be alphanumeric; it is later interpolated into file paths.
3578         if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) {
3579             $errormessage = $Lang::tr{'name must only contain characters'};
                 # NOTE(review): the unlink/rmdir below build a filesystem path
                 # from $cgiparams{'NAME'} in exactly the case where NAME has just
                 # failed the character-class check, i.e. before it is known to be
                 # safe for use in a path. Validating NAME before anything derives
                 # a path from it (or cleaning up by a value validated earlier)
                 # would remove that. Also, `unlink ... or die` aborts the CGI
                 # with a raw error instead of reaching VPNCONF_ERROR when the
                 # file does not exist.
3580       if ($cgiparams{'TYPE'} eq 'net') {
3581       unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3582             rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3583       }
3584       goto VPNCONF_ERROR;
3585   }
3586
         # Reserved names that clash with existing files or keywords.
3587         if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault)$/) {
3588             $errormessage = $Lang::tr{'name is invalid'};
3589             if ($cgiparams{'TYPE'} eq 'net') {
3590       unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3591             rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3592       }
3593             goto VPNCONF_ERROR;
3594         }
3595
3596         if (length($cgiparams{'NAME'}) >60) {
3597             $errormessage = $Lang::tr{'name too long'};
3598             if ($cgiparams{'TYPE'} eq 'net') {
3599       unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3600             rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3601       }
3602             goto VPNCONF_ERROR;
3603         }
3604
3605 ###
3606 # m.a.d net2net
3607 ###
3608
     # Net-to-net specific checks. At this point NAME has already passed the
     # /^[a-zA-Z0-9]+$/ check above, so interpolating it into the n2nconf path
     # is safe. On every failure the generated n2nconf directory for this NAME
     # is removed before jumping to VPNCONF_ERROR (defined outside this
     # section); note that `unlink ... or die` makes a missing config file fatal
     # to the whole request instead of a reported error. %vpnsettings,
     # %confighash and $warnmessage are defined outside this section.
3609 if ($cgiparams{'TYPE'} eq 'net') {
         # The destination port must not collide with DDEST_PORT from the
         # OpenVPN settings (presumably the roadwarrior server port — confirm).
3610         if ($cgiparams{'DEST_PORT'} eq  $vpnsettings{'DDEST_PORT'}) {
3611                         $errormessage = $Lang::tr{'openvpn destination port used'};
3612                         unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3613             rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3614       goto VPNCONF_ERROR;                       
3615                 }
3616     #Bugfix 10357
         # ... nor with the port of any other stored connection. Index 29 is
         # DEST_PORT (see the load branch above this section); what index 22
         # holds is not visible here.
3617     foreach my $key (sort keys %confighash){
3618                 if ( ($confighash{$key}[22] eq $cgiparams{'DEST_PORT'} && $cgiparams{'NAME'} ne $confighash{$key}[1]) || ($confighash{$key}[29] eq $cgiparams{'DEST_PORT'} && $cgiparams{'NAME'} ne $confighash{$key}[1])){
3619                         $errormessage = $Lang::tr{'openvpn destination port used'};
3620                         unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3621             rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3622       goto VPNCONF_ERROR;       
3623                 }
3624         }
         # NOTE(review): the empty-port check comes after the comparisons above,
         # so an empty DEST_PORT is first compared against stored ports.
3625     if ($cgiparams{'DEST_PORT'} eq  '') {
3626                         $errormessage = $Lang::tr{'invalid port'};
3627                         unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3628             rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3629       goto VPNCONF_ERROR;                       
3630                 }
3631
3632     # Check if the input for the transfer net is valid.
3633     if (!&General::validipandmask($cgiparams{'OVPN_SUBNET'})){
3634                         $errormessage = $Lang::tr{'ccd err invalidnet'};
3635                         unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3636             rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3637                         goto VPNCONF_ERROR;
3638                 }
3639
         # The transfer net must differ from DOVPN_SUBNET in the OpenVPN settings.
3640     if ($cgiparams{'OVPN_SUBNET'} eq  $vpnsettings{'DOVPN_SUBNET'}) {
3641                         $errormessage = $Lang::tr{'openvpn subnet is used'};
3642                         unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3643             rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3644                         goto VPNCONF_ERROR;                     
3645                 }
3646
         # Per the error strings: mssfix and fragment are only allowed with UDP,
         # and MTU discovery excludes both and requires an MTU of 1500.
3647           if (($cgiparams{'PROTOCOL'} eq 'tcp') && ($cgiparams{'MSSFIX'} eq 'on')) {
3648             $errormessage = $Lang::tr{'openvpn mssfix allowed with udp'};
3649             unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3650             rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3651             goto VPNCONF_ERROR;
3652     }
3653      
3654     if (($cgiparams{'PROTOCOL'} eq 'tcp') && ($cgiparams{'FRAGMENT'} ne '')) {
3655             $errormessage = $Lang::tr{'openvpn fragment allowed with udp'};
3656             unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3657             rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3658             goto VPNCONF_ERROR;
3659     }
3660
3661     if ($cgiparams{'PMTU_DISCOVERY'} ne 'off') {
3662         if (($cgiparams{'FRAGMENT'} ne '') || ($cgiparams{'MSSFIX'} eq 'on')) {
3663                 $errormessage = $Lang::tr{'ovpn mtu-disc with mssfix or fragment'};
3664                 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3665                 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3666                 goto VPNCONF_ERROR;
3667         }
3668     }
3669
3670     if (($cgiparams{'PMTU_DISCOVERY'} ne 'off') && ($cgiparams{'MTU'} ne '1500')) {
3671         $errormessage = $Lang::tr{'ovpn mtu-disc and mtu not 1500'};
3672         unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3673         rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3674         goto VPNCONF_ERROR;
3675     }
3676
         # validdotmask() is defined outside this section. A true result is an
         # error here: per the error strings, the subnets must be given in
         # prefix notation rather than with a dotted mask.
3677     if ( &validdotmask ($cgiparams{'LOCAL_SUBNET'}))  {
3678                   $errormessage = $Lang::tr{'openvpn prefix local subnet'};
3679                   unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3680             rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3681                   goto VPNCONF_ERROR;
3682                 } 
3683     
3684     if ( &validdotmask ($cgiparams{'OVPN_SUBNET'}))  {
3685                   $errormessage = $Lang::tr{'openvpn prefix openvpn subnet'};
3686                   unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3687             rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3688                   goto VPNCONF_ERROR;
3689                 } 
3690     
3691     if ( &validdotmask ($cgiparams{'REMOTE_SUBNET'}))  {
3692                   $errormessage = $Lang::tr{'openvpn prefix remote subnet'};
3693                   unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3694             rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3695                   goto VPNCONF_ERROR;
3696                 }
3697         
         # Privileged port range is rejected. The comparison is numeric, so a
         # non-numeric value evaluates as 0 and is rejected as well.
3698         if ($cgiparams{'DEST_PORT'} <= 1023) {
3699                 $errormessage = $Lang::tr{'ovpn port in root range'};
3700                   unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3701             rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3702                   goto VPNCONF_ERROR;
3703                 }
3704
         # The management port defaults to the destination port and is subject
         # to the same privileged-range rule.
3705         if ($cgiparams{'OVPN_MGMT'} eq '') {
3706                 $cgiparams{'OVPN_MGMT'} = $cgiparams{'DEST_PORT'};              
3707                 }
3708         
3709         if ($cgiparams{'OVPN_MGMT'} <= 1023) {
3710                 $errormessage = $Lang::tr{'ovpn mgmt in root range'};
3711                   unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3712             rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3713                   goto VPNCONF_ERROR;
3714         }
3715         #Check if remote subnet is used elsewhere
         # A clash of the remote subnet with another configured network only
         # produces a warning, not an error; the save continues.
3716         my ($n2nip,$n2nsub)=split("/",$cgiparams{'REMOTE_SUBNET'});
3717         $warnmessage=&General::checksubnets('',$n2nip,'ovpn');
3718         if ($warnmessage){
3719                 $warnmessage=$Lang::tr{'remote subnet'}." ($cgiparams{'REMOTE_SUBNET'}) <br>".$warnmessage;
3720         }
3721 }
3722
3723 #       if (($cgiparams{'TYPE'} eq 'net') && ($cgiparams{'SIDE'} !~ /^(left|right)$/)) {
3724 #           $errormessage = $Lang::tr{'ipfire side is invalid'};
3725 #           goto VPNCONF_ERROR;
3726 #       }
3727
3728         # Check if there is no other entry with this name
3729         if (! $cgiparams{'KEY'}) {
3730             foreach my $key (keys %confighash) {