Import VPN changes by the Special Interest Group.
[ipfire-2.x.git] / html / cgi-bin / ovpnmain.cgi
1 #!/usr/bin/perl
2 ###############################################################################
3 #                                                                             #
4 # IPFire.org - A linux based firewall                                         #
5 # Copyright (C) 2007-2011  IPFire Team  <info@ipfire.org>                     #
6 #                                                                             #
7 # This program is free software: you can redistribute it and/or modify        #
8 # it under the terms of the GNU General Public License as published by        #
9 # the Free Software Foundation, either version 3 of the License, or           #
10 # (at your option) any later version.                                         #
11 #                                                                             #
12 # This program is distributed in the hope that it will be useful,             #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of              #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
15 # GNU General Public License for more details.                                #
16 #                                                                             #
17 # You should have received a copy of the GNU General Public License           #
18 # along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
19 #                                                                             #
20 ###############################################################################
21 ###
22 # Based on IPFireCore 55
23 ###
24 use CGI;
25 use CGI qw/:standard/;
26 use Net::DNS;
27 use Net::Ping;
28 use Net::Telnet;
29 use File::Copy;
30 use File::Temp qw/ tempfile tempdir /;
31 use strict;
32 use Archive::Zip qw(:ERROR_CODES :CONSTANTS);
33 require '/var/ipfire/general-functions.pl';
34 require "${General::swroot}/lang.pl";
35 require "${General::swroot}/header.pl";
36 require "${General::swroot}/countries.pl";
37
38 # enable only the following on debugging purpose
39 use warnings;
40 use CGI::Carp 'fatalsToBrowser';
41 #workaround to suppress a warning when a variable is used only once
42 my @dummy = ( ${Header::colourgreen} );
43 undef (@dummy);
44
45 my %color = ();
46 my %mainsettings = ();
47 &General::readhash("${General::swroot}/main/settings", \%mainsettings);
48 &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
49
50 ###
51 ### Initialize variables
52 ###
53 my %netsettings=();
54 my %cgiparams=();
55 my %vpnsettings=();
56 my %checked=();
57 my %confighash=();
58 my %cahash=();
59 my %selected=();
60 my $warnmessage = '';
61 my $errormessage = '';
62 my %settings=();
63 my $routes_push_file = '';
64 &General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
65 $cgiparams{'ENABLED'} = 'off';
66 $cgiparams{'ENABLED_BLUE'} = 'off';
67 $cgiparams{'ENABLED_ORANGE'} = 'off';
68 $cgiparams{'EDIT_ADVANCED'} = 'off';
69 $cgiparams{'NAT'} = 'off';
70 $cgiparams{'COMPRESSION'} = 'off';
71 $cgiparams{'ONLY_PROPOSED'} = 'off';
72 $cgiparams{'ACTION'} = '';
73 $cgiparams{'CA_NAME'} = '';
74 $cgiparams{'DHCP_DOMAIN'} = '';
75 $cgiparams{'DHCP_DNS'} = '';
76 $cgiparams{'DHCP_WINS'} = '';
77 $cgiparams{'ROUTES_PUSH'} = '';
78 $cgiparams{'DCOMPLZO'} = 'off';
79 $cgiparams{'MSSFIX'} = '';
80 $routes_push_file = "${General::swroot}/ovpn/routes_push";
81 unless (-e $routes_push_file)    { system("touch $routes_push_file"); }
82
83 &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
84
85 # prepare openvpn config file
86 ###
87 ### Useful functions
88 ###
89 sub haveOrangeNet
90 {
91         if ($netsettings{'CONFIG_TYPE'} == 2) {return 1;}
92         if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;}
93         return 0;
94 }
95
96 sub haveBlueNet
97 {
98         if ($netsettings{'CONFIG_TYPE'} == 3) {return 1;}
99         if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;}
100         return 0;
101 }
102
103 sub sizeformat{
104     my $bytesize = shift;
105     my $i = 0;
106
107     while(abs($bytesize) >= 1024){
108         $bytesize=$bytesize/1024;
109         $i++;
110         last if($i==6);
111     }
112
113     my @units = ("Bytes","KB","MB","GB","TB","PB","EB");
114     my $newsize=(int($bytesize*100 +0.5))/100;
115     return("$newsize $units[$i]");
116 }
117
118 sub valid_dns_host {
119         my $hostname = $_[0];
120         unless ($hostname) { return "No hostname"};
121         my $res = new Net::DNS::Resolver;
122         my $query = $res->search("$hostname");
123         if ($query) {
124                 foreach my $rr ($query->answer) {
125                         ## Potential bug - we are only looking at A records:
126                         return 0 if $rr->type eq "A";
127                 }
128         } else {
129                 return $res->errorstring;
130         }
131 }
132
133 sub cleanssldatabase
134 {
135     if (open(FILE, ">${General::swroot}/ovpn/certs/serial")) {
136         print FILE "01";
137         close FILE;
138     }
139     if (open(FILE, ">${General::swroot}/ovpn/certs/index.txt")) {
140         print FILE "";
141         close FILE;
142     }
143     unlink ("${General::swroot}/ovpn/certs/index.txt.old");
144     unlink ("${General::swroot}/ovpn/certs/serial.old");
145     unlink ("${General::swroot}/ovpn/certs/01.pem");
146 }
147
148 sub newcleanssldatabase
149 {
150     if (! -s "${General::swroot}/ovpn/certs/serial" )  {
151         open(FILE, ">${General::swroot}(ovpn/certs/serial");
152         print FILE "01";
153         close FILE;
154     }
155     if (! -s ">${General::swroot}/ovpn/certs/index.txt") {
156         system ("touch ${General::swroot}/ovpn/certs/index.txt");
157     }
158     unlink ("${General::swroot}/ovpn/certs/index.txt.old");
159     unlink ("${General::swroot}/ovpn/certs/serial.old");
160 }
161
162 sub deletebackupcert
163 {
164         if (open(FILE, "${General::swroot}/ovpn/certs/serial.old")) {
165                 my $hexvalue = <FILE>;
166                 chomp $hexvalue;
167                 close FILE;
168                 unlink ("${General::swroot}/ovpn/certs/$hexvalue.pem");
169         }
170 }
171
172 sub checkportfw {
173     my $KEY2 = $_[0]; # key2
174     my $SRC_PORT = $_[1]; # src_port
175     my $PROTOCOL = $_[2]; # protocol
176     my $SRC_IP = $_[3]; # sourceip
177
178     my $pfwfilename = "${General::swroot}/portfw/config";
179     open(FILE, $pfwfilename) or die 'Unable to open config file.';
180     my @pfwcurrent = <FILE>;
181     close(FILE);
182     my $pfwkey1 = 0; # used for finding last sequence number used 
183     foreach my $pfwline (@pfwcurrent)
184     {
185         my @pfwtemp = split(/\,/,$pfwline);
186
187         chomp ($pfwtemp[8]);
188         if ($KEY2 eq "0"){ # if key2 is 0 then it is a portfw addition
189                 if ( $SRC_PORT eq $pfwtemp[3] &&
190                         $PROTOCOL eq $pfwtemp[2] &&
191                         $SRC_IP eq $pfwtemp[7])
192                 {
193                          $errormessage = "$Lang::tr{'source port in use'} $SRC_PORT";
194                 }
195                 # Check if key2 = 0, if it is then it is a port forward entry and we want the sequence number
196                 if ( $pfwtemp[1] eq "0") {
197                         $pfwkey1=$pfwtemp[0];
198                 }
199                 # Darren Critchley - Duplicate or overlapping Port range check
200                 if ($pfwtemp[1] eq "0" && 
201                         $PROTOCOL eq $pfwtemp[2] &&
202                         $SRC_IP eq $pfwtemp[7] &&
203                         $errormessage eq '') 
204                 {
205                         &portchecks($SRC_PORT, $pfwtemp[5]);            
206 #                       &portchecks($pfwtemp[3], $pfwtemp[5]);
207 #                       &portchecks($pfwtemp[3], $SRC_IP);
208                 }
209         }
210     }
211 #    $errormessage="$KEY2 $SRC_PORT $PROTOCOL $SRC_IP";
212
213     return;
214 }
215
216 sub checkportoverlap
217 {
218         my $portrange1 = $_[0]; # New port range
219         my $portrange2 = $_[1]; # existing port range
220         my @tempr1 = split(/\:/,$portrange1);
221         my @tempr2 = split(/\:/,$portrange2);
222
223         unless (&checkportinc($tempr1[0], $portrange2)){ return 0;}
224         unless (&checkportinc($tempr1[1], $portrange2)){ return 0;}
225         
226         unless (&checkportinc($tempr2[0], $portrange1)){ return 0;}
227         unless (&checkportinc($tempr2[1], $portrange1)){ return 0;}
228
229         return 1; # Everything checks out!
230 }
231
232 # Darren Critchley - we want to make sure that a port entry is not within an already existing range
233 sub checkportinc
234 {
235         my $port1 = $_[0]; # Port
236         my $portrange2 = $_[1]; # Port range
237         my @tempr1 = split(/\:/,$portrange2);
238
239         if ($port1 < $tempr1[0] || $port1 > $tempr1[1]) {
240                 return 1; 
241         } else {
242                 return 0; 
243         }
244 }
245 # Darren Critchley - Duplicate or overlapping Port range check
246 sub portchecks
247 {
248         my $p1 = $_[0]; # New port range
249         my $p2 = $_[1]; # existing port range
250 #       $_ = $_[0];
251         our ($prtrange1, $prtrange2);
252         $prtrange1 = 0;
253 #       if (m/:/ && $prtrange1 == 1) { # comparing two port ranges
254 #               unless (&checkportoverlap($p1,$p2)) {
255 #                       $errormessage = "$Lang::tr{'source port overlaps'} $p1";
256 #               }
257 #       }
258         if (m/:/ && $prtrange1 == 0 && $errormessage eq '') { # compare one port to a range
259                 unless (&checkportinc($p2,$p1)) {
260                         $errormessage = "$Lang::tr{'srcprt within existing'} $p1";
261                 }
262         }
263         $prtrange1 = 1;
264         if (! m/:/ && $prtrange1 == 1 && $errormessage eq '') { # compare one port to a range
265                 unless (&checkportinc($p1,$p2)) {
266                         $errormessage = "$Lang::tr{'srcprt range overlaps'} $p2";
267                 }
268         }
269         return;
270 }
271
272 # Darren Critchley - certain ports are reserved for IPFire 
273 # TCP 67,68,81,222,445
274 # UDP 67,68
275 # Params passed in -> port, rangeyn, protocol
276 sub disallowreserved
277 {
278         # port 67 and 68 same for tcp and udp, don't bother putting in an array
279         my $msg = "";
280         my @tcp_reserved = (81,222,445);
281         my $prt = $_[0]; # the port or range
282         my $ryn = $_[1]; # tells us whether or not it is a port range
283         my $prot = $_[2]; # protocol
284         my $srcdst = $_[3]; # source or destination
285         if ($ryn) { # disect port range
286                 if ($srcdst eq "src") {
287                         $msg = "$Lang::tr{'rsvd src port overlap'}";
288                 } else {
289                         $msg = "$Lang::tr{'rsvd dst port overlap'}";
290                 }
291                 my @tmprng = split(/\:/,$prt);
292                 unless (67 < $tmprng[0] || 67 > $tmprng[1]) { $errormessage="$msg 67"; return; }
293                 unless (68 < $tmprng[0] || 68 > $tmprng[1]) { $errormessage="$msg 68"; return; }
294                 if ($prot eq "tcp") {
295                         foreach my $prange (@tcp_reserved) {
296                                 unless ($prange < $tmprng[0] || $prange > $tmprng[1]) { $errormessage="$msg $prange"; return; }
297                         }
298                 }
299         } else {
300                 if ($srcdst eq "src") {
301                         $msg = "$Lang::tr{'reserved src port'}";
302                 } else {
303                         $msg = "$Lang::tr{'reserved dst port'}";
304                 }
305                 if ($prt == 67) { $errormessage="$msg 67"; return; }
306                 if ($prt == 68) { $errormessage="$msg 68"; return; }
307                 if ($prot eq "tcp") {
308                         foreach my $prange (@tcp_reserved) {
309                                 if ($prange == $prt) { $errormessage="$msg $prange"; return; }
310                         }
311                 }
312         }
313         return;
314 }
315
316
317 sub writeserverconf {
318     my %sovpnsettings = ();  
319     my @temp = ();  
320     &General::readhash("${General::swroot}/ovpn/settings", \%sovpnsettings);
321     &read_routepushfile;
322     
323     open(CONF,    ">${General::swroot}/ovpn/server.conf") or die "Unable to open ${General::swroot}/ovpn/server.conf: $!";
324     flock CONF, 2;
325     print CONF "#OpenVPN Server conf\n";
326     print CONF "\n";
327     print CONF "daemon openvpnserver\n";
328     print CONF "writepid /var/run/openvpn.pid\n";
329     print CONF "#DAN prepare OpenVPN for listening on blue and orange\n";
330     print CONF ";local $sovpnsettings{'VPN_IP'}\n";
331     print CONF "dev $sovpnsettings{'DDEVICE'}\n";
332     print CONF "$sovpnsettings{'DDEVICE'}-mtu $sovpnsettings{'DMTU'}\n";
333     print CONF "proto $sovpnsettings{'DPROTOCOL'}\n";
334     print CONF "port $sovpnsettings{'DDEST_PORT'}\n";
335     print CONF "script-security 3 system\n";
336     print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\n";
337     print CONF "tls-server\n";
338     print CONF "ca /var/ipfire/ovpn/ca/cacert.pem\n";
339     print CONF "cert /var/ipfire/ovpn/certs/servercert.pem\n";
340     print CONF "key /var/ipfire/ovpn/certs/serverkey.pem\n";
341     print CONF "dh /var/ipfire/ovpn/ca/dh1024.pem\n";
342     my @tempovpnsubnet = split("\/",$sovpnsettings{'DOVPN_SUBNET'});
343     print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n";
344     print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n";
345     
346     if ($vpnsettings{'ROUTES_PUSH'} ne '') {
347         @temp = split(/\n/,$vpnsettings{'ROUTES_PUSH'});
348         foreach (@temp)
349         {
350                 @tempovpnsubnet = split("\/",&General::ipcidr2msk($_));
351                 print CONF "push \"route " . $tempovpnsubnet[0]. " " .  $tempovpnsubnet[1] . "\"\n";
352         }
353     }
354
355     if ($sovpnsettings{CLIENT2CLIENT} eq 'on') {
356         print CONF "client-to-client\n";
357     }
358     if ($sovpnsettings{MSSFIX} eq 'on') {
359         print CONF "mssfix\n";
360     }
361     if ($sovpnsettings{FRAGMENT} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp') {
362         print CONF "fragment $sovpnsettings{'FRAGMENT'}\n";
363     }
364     if ($sovpnsettings{KEEPALIVE_1} > 0 && $sovpnsettings{KEEPALIVE_2} > 0) {   
365         print CONF "keepalive $sovpnsettings{'KEEPALIVE_1'} $sovpnsettings{'KEEPALIVE_2'}\n";
366     }   
367     print CONF "status-version 1\n";
368     print CONF "status /var/log/ovpnserver.log 30\n";
369     print CONF "cipher $sovpnsettings{DCIPHER}\n";
370     if ($sovpnsettings{DCOMPLZO} eq 'on') {
371         print CONF "comp-lzo\n";
372     }
373     if ($sovpnsettings{REDIRECT_GW_DEF1} eq 'on') {
374         print CONF "push \"redirect-gateway def1\"\n";
375     }
376     if ($sovpnsettings{DHCP_DOMAIN} ne '') {
377         print CONF "push \"dhcp-option DOMAIN $sovpnsettings{DHCP_DOMAIN}\"\n";
378     }
379
380     if ($sovpnsettings{DHCP_DNS} ne '') {
381         print CONF "push \"dhcp-option DNS $sovpnsettings{DHCP_DNS}\"\n";
382     }
383
384     if ($sovpnsettings{DHCP_WINS} ne '') {
385         print CONF "push \"dhcp-option WINS $sovpnsettings{DHCP_WINS}\"\n";
386     }
387     
388     if ($sovpnsettings{DHCP_WINS} eq '') {
389         print CONF "max-clients 100\n";
390     }
391     if ($sovpnsettings{DHCP_WINS} ne '') {
392         print CONF "max-clients $sovpnsettings{MAX_CLIENTS}\n";
393     }   
394     print CONF "tls-verify /var/ipfire/ovpn/verify\n";
395     print CONF "crl-verify /var/ipfire/ovpn/crls/cacrl.pem\n";
396     print CONF "user nobody\n";
397     print CONF "group nobody\n";
398     print CONF "persist-key\n";
399     print CONF "persist-tun\n";
400         if ($sovpnsettings{LOG_VERB} ne '') {
401                 print CONF "verb $sovpnsettings{LOG_VERB}\n";
402         } else {
403                 print CONF "verb 3\n";
404         }       
405     print CONF "\n";
406     
407     close(CONF);
408 }    
409 #
410 sub emptyserverlog{
411     if (open(FILE, ">/var/log/ovpnserver.log")) {
412         flock FILE, 2;
413         print FILE "";
414         close FILE;
415     }
416
417 }
418
419 ###
420 # m.a.d net2net
421 ###
422
423 sub validdotmask
424 {
425         my $ipdotmask = $_[0];
426         if (&General::validip($ipdotmask)) { return 0; }
427         if (!($ipdotmask =~ /^(.*?)\/(.*?)$/)) {  }
428         my $mask = $2;
429         if (($mask =~ /\./ )) { return 0; }     
430   return 1;
431 }
432
433 # -------------------------------------------------------------------
434
435 sub write_routepushfile
436 {
437         open(FILE, ">$routes_push_file");
438         flock(FILE, 2);
439         if ($vpnsettings{'ROUTES_PUSH'} ne '') {
440                 print FILE $vpnsettings{'ROUTES_PUSH'};
441         }
442         close(FILE); 
443 }
444
445 sub read_routepushfile
446 {
447         if (-e "$routes_push_file") {
448                 open(FILE,"$routes_push_file");
449                 delete $vpnsettings{'ROUTES_PUSH'};
450                 while (<FILE>) { $vpnsettings{'ROUTES_PUSH'} .= $_ };
451                 close(FILE);
452                 $cgiparams{'ROUTES_PUSH'} = $vpnsettings{'ROUTES_PUSH'};
453         }
454 }
455
456
457 #hier die refresh page
458 if ( -e "${General::swroot}/ovpn/gencanow") {
459     my $refresh = '';
460     $refresh = "<meta http-equiv='refresh' content='15;' />";
461     &Header::showhttpheaders();
462     &Header::openpage($Lang::tr{'OVPN'}, 1, $refresh);
463     &Header::openbigbox('100%', 'center');
464     &Header::openbox('100%', 'left', "$Lang::tr{'generate root/host certificates'}:");
465     print "<tr>\n<td align='center'><img src='/images/clock.gif' alt='' /></td>\n";
466     print "<td colspan='2'><font color='red'>Please be patient this realy can take some time on older hardware...</font></td></tr>\n";
467     &Header::closebox();
468     &Header::closebigbox();
469     &Header::closepage();
470     exit (0);
471 }
472 ##hier die refresh page
473
474
475 ###
476 ### OpenVPN Server Control
477 ###
478 if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'} ||
479     $cgiparams{'ACTION'} eq $Lang::tr{'stop ovpn server'} ||
480     $cgiparams{'ACTION'} eq $Lang::tr{'restart ovpn server'}) {
481     #start openvpn server
482     if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'}){
483         &emptyserverlog();
484         system('/usr/local/bin/openvpnctrl', '-s');
485     }   
486     #stop openvpn server
487     if ($cgiparams{'ACTION'} eq $Lang::tr{'stop ovpn server'}){
488         system('/usr/local/bin/openvpnctrl', '-k');
489         &emptyserverlog();      
490     }   
491 #    #restart openvpn server
492     if ($cgiparams{'ACTION'} eq $Lang::tr{'restart ovpn server'}){
493 #workarund, till SIGHUP also works when running as nobody    
494         system('/usr/local/bin/openvpnctrl', '-r');     
495         &emptyserverlog();      
496     }       
497 }
498
499 ###
500 ### Save Advanced options
501 ###
502
503 if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
504     &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
505     #DAN do we really need (to to check) this value? Besides if we listen on blue and orange too,
506     #DAN this value has to leave.
507 #new settings for daemon
508     $vpnsettings{'LOG_VERB'} = $cgiparams{'LOG_VERB'};
509     $vpnsettings{'KEEPALIVE_1'} = $cgiparams{'KEEPALIVE_1'};
510     $vpnsettings{'KEEPALIVE_2'} = $cgiparams{'KEEPALIVE_2'};
511     $vpnsettings{'MAX_CLIENTS'} = $cgiparams{'MAX_CLIENTS'};
512     $vpnsettings{'REDIRECT_GW_DEF1'} = $cgiparams{'REDIRECT_GW_DEF1'};
513     $vpnsettings{'CLIENT2CLIENT'} = $cgiparams{'CLIENT2CLIENT'};
514     $vpnsettings{'DHCP_DOMAIN'} = $cgiparams{'DHCP_DOMAIN'};
515     $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'};
516     $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'};
517     $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'};
518     my @temp=();
519     
520     if ($cgiparams{'FRAGMENT'} eq '') {
521         delete $vpnsettings{'FRAGMENT'};
522     } else {
523         if ($cgiparams{'FRAGMENT'} !~ /^[0-9]+$/) { 
524             $errormessage = "Incorrect value, please insert only numbers.";
525         goto ADV_ERROR;
526                 } else {
527                         $vpnsettings{'FRAGMENT'} = $cgiparams{'FRAGMENT'};
528         }
529     }
530     if ($cgiparams{'MSSFIX'} ne 'on') {
531         delete $vpnsettings{'MSSFIX'};
532     } else {
533         $vpnsettings{'MSSFIX'} = $cgiparams{'MSSFIX'};
534     }
535     if ($cgiparams{'DHCP_DOMAIN'} ne ''){
536         unless (&General::validfqdn($cgiparams{'DHCP_DOMAIN'}) || &General::validip($cgiparams{'DHCP_DOMAIN'})) {
537                 $errormessage = $Lang::tr{'invalid input for dhcp domain'};
538         goto ADV_ERROR;
539         }
540     }
541     if ($cgiparams{'DHCP_DNS'} ne ''){
542         unless (&General::validfqdn($cgiparams{'DHCP_DNS'}) || &General::validip($cgiparams{'DHCP_DNS'})) {
543                 $errormessage = $Lang::tr{'invalid input for dhcp dns'};
544         goto ADV_ERROR;
545         }
546     }
547     if ($cgiparams{'DHCP_WINS'} ne ''){
548         unless (&General::validfqdn($cgiparams{'DHCP_WINS'}) || &General::validip($cgiparams{'DHCP_WINS'})) {
549                 $errormessage = $Lang::tr{'invalid input for dhcp wins'};
550                 goto ADV_ERROR;
551         }
552     }
553     if ($cgiparams{'ROUTES_PUSH'} ne ''){
554         @temp = split(/\n/,$cgiparams{'ROUTES_PUSH'});
555         undef $vpnsettings{'ROUTES_PUSH'};
556         foreach (@temp)
557         {
558                 s/^\s+//g; s/\s+$//g;
559                 if ($_)
560                 {
561                         unless (&General::validipandmask($_)) {
562                                 $errormessage = $Lang::tr{'ovpn errmsg invalid ip or mask'};
563                         goto ADV_ERROR;
564                         }
565                         my ($ip, $cidr) = split("\/",&General::ipcidr2msk($_));
566                         if ($ip eq $netsettings{'GREEN_NETADDRESS'} && $cidr eq $netsettings{'GREEN_NETMASK'}) {
567                                 $errormessage = $Lang::tr{'ovpn errmsg green already pushed'};
568   goto ADV_ERROR;
569                         }
570                         $vpnsettings{'ROUTES_PUSH'} .= $_."\n";
571                 }
572         }
573         &write_routepushfile;
574         undef $vpnsettings{'ROUTES_PUSH'};
575     }
576     if ((length($cgiparams{'MAX_CLIENTS'}) == 0) || (($cgiparams{'MAX_CLIENTS'}) < 1 ) || (($cgiparams{'MAX_CLIENTS'}) > 255 )) {
577         $errormessage = $Lang::tr{'invalid input for max clients'};
578         goto ADV_ERROR;
579     }
580     if ($cgiparams{'KEEPALIVE_1'} ne '') {
581         if ($cgiparams{'KEEPALIVE_1'} !~ /^[0-9]+$/) { 
582             $errormessage = $Lang::tr{'invalid input for keepalive 1'};
583         goto ADV_ERROR;
584         }
585     }
586     if ($cgiparams{'KEEPALIVE_2'} ne ''){
587         if ($cgiparams{'KEEPALIVE_2'} !~ /^[0-9]+$/) { 
588             $errormessage = $Lang::tr{'invalid input for keepalive 2'};
589         goto ADV_ERROR;
590         }
591     }
592     if ($cgiparams{'KEEPALIVE_2'} < ($cgiparams{'KEEPALIVE_1'} * 2)){
593         $errormessage = $Lang::tr{'invalid input for keepalive 1:2'};
594         goto ADV_ERROR; 
595     }
596     
597     &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
598     &writeserverconf();#hier ok
599 }
600
601 ###
602 # m.a.d net2net
603 ###
604
605 if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq 'net' && $cgiparams{'SIDE'} eq 'server')
606 {
607
608 my @remsubnet = split(/\//,$cgiparams{'REMOTE_SUBNET'});
609 my @ovsubnettemp =  split(/\./,$cgiparams{'OVPN_SUBNET'});
610 my $ovsubnet =  "$ovsubnettemp[0].$ovsubnettemp[1].$ovsubnettemp[2]";
611 my $tunmtu =  '';
612
613 unless(-d "${General::swroot}/ovpn/n2nconf/"){mkdir "${General::swroot}/ovpn/n2nconf", 0755 or die "Unable to create dir $!";}
614 unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}", 0770 or die "Unable to create dir $!";}   
615
616   open(SERVERCONF,    ">${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Unable to open ${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf: $!";
617   
618   flock SERVERCONF, 2;
619   print SERVERCONF "# IPFire n2n Open VPN Server Config by ummeegge und m.a.d\n"; 
620   print SERVERCONF "\n"; 
621   print SERVERCONF "# User Security\n";
622   print SERVERCONF "user nobody\n";
623   print SERVERCONF "group nobody\n";
624   print SERVERCONF "persist-tun\n";
625   print SERVERCONF "persist-key\n";
626   print SERVERCONF "script-security 2\n";
627   print SERVERCONF "# IP/DNS for remote Server Gateway\n"; 
628   print SERVERCONF "remote $cgiparams{'REMOTE'}\n";
629   print SERVERCONF "float\n";
630   print SERVERCONF "# IP adresses of the VPN Subnet\n"; 
631   print SERVERCONF "ifconfig $ovsubnet.1 $ovsubnet.2\n"; 
632   print SERVERCONF "# Client Gateway Network\n"; 
633   print SERVERCONF "route $remsubnet[0] $remsubnet[1]\n";
634   print SERVERCONF "# tun Device\n"; 
635   print SERVERCONF "dev tun\n"; 
636   print SERVERCONF "# Port and Protokol\n"; 
637   print SERVERCONF "port $cgiparams{'DEST_PORT'}\n"; 
638   
639   if ($cgiparams{'PROTOCOL'} eq 'tcp') {
640   print SERVERCONF "proto tcp-server\n";
641   print SERVERCONF "# Packet size\n";
642   if ($cgiparams{'MTU'} eq '') {$tunmtu = '1400'} else {$tunmtu = $cgiparams{'MTU'}};
643   print SERVERCONF "tun-mtu $tunmtu\n";
644   }
645   
646   if ($cgiparams{'PROTOCOL'} eq 'udp') {
647   print SERVERCONF "proto udp\n"; 
648   print SERVERCONF "# Paketsize\n";
649   if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'} else {$tunmtu = $cgiparams{'MTU'}};
650   print SERVERCONF "tun-mtu $tunmtu\n";
651   if ($cgiparams{'FRAGMENT'} ne '') {print SERVERCONF "fragment $cgiparams{'FRAGMENT'}\n";} 
652   if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n"; }; 
653   }
654   print SERVERCONF "# Auth. Server\n"; 
655   print SERVERCONF "tls-server\n"; 
656   print SERVERCONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n"; 
657   print SERVERCONF "cert ${General::swroot}/ovpn/certs/servercert.pem\n"; 
658   print SERVERCONF "key ${General::swroot}/ovpn/certs/serverkey.pem\n"; 
659   print SERVERCONF "dh ${General::swroot}/ovpn/ca/dh1024.pem\n"; 
660   print SERVERCONF "# Cipher\n"; 
661   print SERVERCONF "cipher AES-256-CBC\n"; 
662   if ($cgiparams{'COMPLZO'} eq 'on') {
663    print SERVERCONF "# Enable Compression\n";
664    print SERVERCONF "comp-lzo\r\n";
665      }
666   print SERVERCONF "# Debug Level\n"; 
667   print SERVERCONF "verb 3\n"; 
668   print SERVERCONF "# Tunnel check\n"; 
669   print SERVERCONF "keepalive 10 60\n"; 
670   print SERVERCONF "# Start as daemon\n"; 
671   print SERVERCONF "daemon $cgiparams{'NAME'}n2n\n"; 
672   print SERVERCONF "writepid /var/run/$cgiparams{'NAME'}n2n.pid\n"; 
673   print SERVERCONF "# Activate Management Interface and Port\n"; 
674   if ($cgiparams{'OVPN_MGMT'} eq '') {print SERVERCONF "management localhost $cgiparams{'DEST_PORT'}\n"}
675   else {print SERVERCONF "management localhost $cgiparams{'OVPN_MGMT'}\n"};
676   close(SERVERCONF);
677
678 }
679
680 ###
681 # m.a.d net2net
682 ###
683
684 if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq 'net' && $cgiparams{'SIDE'} eq 'client')
685 {
686         my @ovsubnettemp =  split(/\./,$cgiparams{'OVPN_SUBNET'});
687         my $ovsubnet =  "$ovsubnettemp[0].$ovsubnettemp[1].$ovsubnettemp[2]";
688         my @remsubnet =  split(/\//,$cgiparams{'REMOTE_SUBNET'});
689         my $tunmtu =  '';
690                    
691 unless(-d "${General::swroot}/ovpn/n2nconf/"){mkdir "${General::swroot}/ovpn/n2nconf", 0755 or die "Unable to create dir $!";}
692 unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}", 0770 or die "Unable to create dir $!";}
693   
694   open(CLIENTCONF,    ">${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Unable to open ${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf: $!";
695   
696   flock CLIENTCONF, 2;
697   print CLIENTCONF "# IPFire rewritten n2n Open VPN Client Config by ummeegge und m.a.d\n";
698   print CLIENTCONF "#\n"; 
699   print CLIENTCONF "# User Security\n";
700   print CLIENTCONF "user nobody\n";
701   print CLIENTCONF "group nobody\n";
702   print CLIENTCONF "persist-tun\n";
703   print CLIENTCONF "persist-key\n";
704   print CLIENTCONF "script-security 2\n";
705   print CLIENTCONF "# IP/DNS for remote Server Gateway\n"; 
706   print CLIENTCONF "remote $cgiparams{'REMOTE'}\n";
707   print CLIENTCONF "float\n";
708   print CLIENTCONF "# IP adresses of the VPN Subnet\n"; 
709   print CLIENTCONF "ifconfig $ovsubnet.2 $ovsubnet.1\n"; 
710   print CLIENTCONF "# Server Gateway Network\n"; 
711   print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n"; 
712   print CLIENTCONF "# tun Device\n"; 
713   print CLIENTCONF "dev tun\n"; 
714   print CLIENTCONF "# Port and Protokol\n"; 
715   print CLIENTCONF "port $cgiparams{'DEST_PORT'}\n"; 
716
717   if ($cgiparams{'PROTOCOL'} eq 'tcp') {
718   print CLIENTCONF "proto tcp-client\n";
719   print CLIENTCONF "# Packet size\n";
720   if ($cgiparams{'MTU'} eq '') {$tunmtu = '1400'} else {$tunmtu = $cgiparams{'MTU'}};
721   print CLIENTCONF "tun-mtu $tunmtu\n";
722   }
723   
724   if ($cgiparams{'PROTOCOL'} eq 'udp') {
725   print CLIENTCONF "proto udp\n"; 
726   print CLIENTCONF "# Paketsize\n";
727   if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'} else {$tunmtu = $cgiparams{'MTU'}};
728   print CLIENTCONF "tun-mtu $tunmtu\n";
729   if ($cgiparams{'FRAGMENT'} ne '') {print CLIENTCONF "fragment $cgiparams{'FRAGMENT'}\n";}
730   if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF "mssfix\n"; }; 
731   }
732  
733   print CLIENTCONF "ns-cert-type server\n";   
734   print CLIENTCONF "# Auth. Client\n"; 
735   print CLIENTCONF "tls-client\n"; 
736   print CLIENTCONF "# Cipher\n"; 
737   print CLIENTCONF "cipher AES-256-CBC\n"; 
738   print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12\r\n";
739   if ($cgiparams{'COMPLZO'} eq 'on') {
740    print CLIENTCONF "# Enable Compression\n";
741    print CLIENTCONF "comp-lzo\r\n";
742      }
743   print CLIENTCONF "# Debug Level\n"; 
744   print CLIENTCONF "verb 3\n"; 
745   print CLIENTCONF "# Tunnel check\n"; 
746   print CLIENTCONF "keepalive 10 60\n"; 
747   print CLIENTCONF "# Start as daemon\n"; 
748   print CLIENTCONF "daemon $cgiparams{'NAME'}n2n\n";
749   print CLIENTCONF "writepid /var/run/$cgiparams{'NAME'}n2n.pid\n"; 
750   print CLIENTCONF "# Activate Management Interface and Port\n"; 
751   if ($cgiparams{'OVPN_MGMT'} eq '') {print CLIENTCONF "management localhost $cgiparams{'DEST_PORT'}\n"}
752   else {print CLIENTCONF "management localhost $cgiparams{'OVPN_MGMT'}\n"};
753   close(CLIENTCONF);
754
755 }
756   
757 ###
758 ### Save main settings
759 ###
760
761
762 if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') {
763     &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
764     #DAN do we really need (to to check) this value? Besides if we listen on blue and orange too,
765     #DAN this value has to leave.
766     if ($cgiparams{'ENABLED'} eq 'on'){
767         unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'})) {
768                 $errormessage = $Lang::tr{'invalid input for hostname'};
769         goto SETTINGS_ERROR;
770         }
771     }
772     if ($cgiparams{'ENABLED'} eq 'on'){
773         &disallowreserved($cgiparams{'DDEST_PORT'},0,$cgiparams{'DPROTOCOL'},"dest");
774     }   
775     if ($errormessage) { goto SETTINGS_ERROR; }
776     
777     
778     if ($cgiparams{'ENABLED'} eq 'on'){
779         &checkportfw(0,$cgiparams{'DDEST_PORT'},$cgiparams{'DPROTOCOL'},'0.0.0.0');
780     }
781         
782     if ($errormessage) { goto SETTINGS_ERROR; }
783     
784     if (! &General::validipandmask($cgiparams{'DOVPN_SUBNET'})) {
785             $errormessage = $Lang::tr{'ovpn subnet is invalid'};
786         goto SETTINGS_ERROR;
787     }
788     my @tmpovpnsubnet = split("\/",$cgiparams{'DOVPN_SUBNET'});
789     
790     if (&General::IpInSubnet ( $netsettings{'RED_ADDRESS'}, 
791         $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
792         $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire RED Network $netsettings{'RED_ADDRESS'}";
793         goto SETTINGS_ERROR;
794     }
795     
796     if (&General::IpInSubnet ( $netsettings{'GREEN_ADDRESS'}, 
797         $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
798         $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Green Network $netsettings{'GREEN_ADDRESS'}";
799         goto SETTINGS_ERROR;
800     }
801
802     if (&General::IpInSubnet ( $netsettings{'BLUE_ADDRESS'}, 
803         $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
804         $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Blue Network $netsettings{'BLUE_ADDRESS'}";
805         goto SETTINGS_ERROR;
806     }
807     
808     if (&General::IpInSubnet ( $netsettings{'ORANGE_ADDRESS'}, 
809         $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
810         $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Orange Network $netsettings{'ORANGE_ADDRESS'}";
811         goto SETTINGS_ERROR;
812     }
813     open(ALIASES, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
814     while (<ALIASES>)
815     {
816         chomp($_);
817         my @tempalias = split(/\,/,$_);
818         if ($tempalias[1] eq 'on') {
819             if (&General::IpInSubnet ($tempalias[0] , 
820                 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
821                 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire alias entry $tempalias[0]";
822             }           
823         }
824     }
825     close(ALIASES);
826     if ($errormessage ne ''){
827         goto SETTINGS_ERROR;
828     }
829     if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
830         $errormessage = $Lang::tr{'invalid input'};
831         goto SETTINGS_ERROR;
832     }
833     if ((length($cgiparams{'DMTU'})==0) || (($cgiparams{'DMTU'}) < 1000 )) {
834         $errormessage = $Lang::tr{'invalid mtu input'};
835         goto SETTINGS_ERROR;
836     }
837     
838     unless (&General::validport($cgiparams{'DDEST_PORT'})) {
839         $errormessage = $Lang::tr{'invalid port'};
840         goto SETTINGS_ERROR;
841     }
842     $vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'};
843     $vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'};
844     $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
845     $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};
846 #new settings for daemon
847     $vpnsettings{'DOVPN_SUBNET'} = $cgiparams{'DOVPN_SUBNET'};
848     $vpnsettings{'DDEVICE'} = $cgiparams{'DDEVICE'};
849     $vpnsettings{'DPROTOCOL'} = $cgiparams{'DPROTOCOL'};
850     $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'};
851     $vpnsettings{'DMTU'} = $cgiparams{'DMTU'};
852     $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
853     $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
854 #wrtie enable
855
856   if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_blue 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_blue 2>/dev/null");}
857   if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_orange 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_orange 2>/dev/null");}
858   if ( $vpnsettings{'ENABLED'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable 2>/dev/null");}
859 #new settings for daemon    
860     &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
861     &writeserverconf();#hier ok
862 SETTINGS_ERROR:
863 ###
864 ### Reset all step 2
865 ###
866 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'reset'} && $cgiparams{'AREUSURE'} eq 'yes') {
867     my $file = '';
868     &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
869
870     foreach my $key (keys %confighash) {
871         if ($confighash{$key}[4] eq 'cert') {
872             delete $confighash{$cgiparams{'$key'}};
873         }
874     }
875     while ($file = glob("${General::swroot}/ovpn/ca/*")) {
876         unlink $file
877     }
878     while ($file = glob("${General::swroot}/ovpn/certs/*")) {
879         unlink $file
880     }
881     while ($file = glob("${General::swroot}/ovpn/crls/*")) {
882         unlink $file
883     }
884     &cleanssldatabase();
885     if (open(FILE, ">${General::swroot}/ovpn/caconfig")) {
886         print FILE "";
887         close FILE;
888     }
889     &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
890     #&writeserverconf();
891 ###
892 ### Reset all step 1
893 ###
894 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'reset'}) {
895     &Header::showhttpheaders();
896     &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
897     &Header::openbigbox('100%', 'LEFT', '', '');
898     &Header::openbox('100%', 'LEFT', $Lang::tr{'are you sure'});
899     print <<END
900         <table><form method='post'><input type='hidden' name='AREUSURE' value='yes' />
901             <tr><td align='center'>             
902                 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: 
903                 $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}
904             <tr><td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'reset'}' />
905                 <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td></tr>
906         </form></table>
907 END
908     ;
909     &Header::closebox();
910     &Header::closebigbox();
911     &Header::closepage();
912     exit (0);
913
914 ###
915 ### Upload CA Certificate
916 ###
917 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) {
918     &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
919
920     if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) {
921         $errormessage = $Lang::tr{'name must only contain characters'};
922         goto UPLOADCA_ERROR;
923     }
924
925     if (length($cgiparams{'CA_NAME'}) >60) {
926         $errormessage = $Lang::tr{'name too long'};
927         goto VPNCONF_ERROR;
928     }
929
930     if ($cgiparams{'CA_NAME'} eq 'ca') {
931         $errormessage = $Lang::tr{'name is invalid'};
932         goto UPLOAD_CA_ERROR;
933     }
934
935     # Check if there is no other entry with this name
936     foreach my $key (keys %cahash) {
937         if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) {
938             $errormessage = $Lang::tr{'a ca certificate with this name already exists'};
939             goto UPLOADCA_ERROR;
940         }
941     }
942
943     if (ref ($cgiparams{'FH'}) ne 'Fh') {
944         $errormessage = $Lang::tr{'there was no file upload'};
945         goto UPLOADCA_ERROR;
946     }
947     # Move uploaded ca to a temporary file
948     (my $fh, my $filename) = tempfile( );
949     if (copy ($cgiparams{'FH'}, $fh) != 1) {
950         $errormessage = $!;
951         goto UPLOADCA_ERROR;
952     }
953     my $temp = `/usr/bin/openssl x509 -text -in $filename`;
954     if ($temp !~ /CA:TRUE/i) {
955         $errormessage = $Lang::tr{'not a valid ca certificate'};
956         unlink ($filename);
957         goto UPLOADCA_ERROR;
958     } else {
959         move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem");
960         if ($? ne 0) {
961             $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
962             unlink ($filename);
963             goto UPLOADCA_ERROR;
964         }
965     }
966
967     my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem`;
968     $casubject    =~ /Subject: (.*)[\n]/;
969     $casubject    = $1;
970     $casubject    =~ s+/Email+, E+;
971     $casubject    =~ s/ ST=/ S=/;
972     $casubject    = &Header::cleanhtml($casubject);
973
974     my $key = &General::findhasharraykey (\%cahash);
975     $cahash{$key}[0] = $cgiparams{'CA_NAME'};
976     $cahash{$key}[1] = $casubject;
977     &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash);
978 #    system('/usr/local/bin/ipsecctrl', 'R');
979
980     UPLOADCA_ERROR:
981
982 ###
983 ### Display ca certificate
984 ###
985 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show ca certificate'}) {
986     &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
987
988     if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") {
989         &Header::showhttpheaders();
990         &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
991         &Header::openbigbox('100%', 'LEFT', '', $errormessage);
992         &Header::openbox('100%', 'LEFT', "$Lang::tr{'ca certificate'}:");
993         my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;
994         $output = &Header::cleanhtml($output,"y");
995         print "<pre>$output</pre>\n";
996         &Header::closebox();
997         print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
998         &Header::closebigbox();
999         &Header::closepage();
1000         exit(0);
1001     } else {
1002         $errormessage = $Lang::tr{'invalid key'};
1003     }
1004
1005 ###
1006 ### Download ca certificate
1007 ###
1008 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download ca certificate'}) {
1009     &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1010
1011     if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
1012         print "Content-Type: application/octet-stream\r\n";
1013         print "Content-Disposition: filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n";
1014         print `/usr/bin/openssl x509 -in ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;
1015         exit(0);
1016     } else {
1017         $errormessage = $Lang::tr{'invalid key'};
1018     }
1019
1020 ###
1021 ### Remove ca certificate (step 2)
1022 ###
1023 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'} && $cgiparams{'AREUSURE'} eq 'yes') {
1024     &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1025     &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1026
1027     if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
1028         foreach my $key (keys %confighash) {
1029             my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`;
1030             if ($test =~ /: OK/) {
1031                 # Delete connection
1032 #               if ($vpnsettings{'ENABLED'} eq 'on' ||
1033 #                   $vpnsettings{'ENABLED_BLUE'} eq 'on') {
1034 #                   system('/usr/local/bin/ipsecctrl', 'D', $key);
1035 #               }
1036                 unlink ("${General::swroot}/ovpn//certs/$confighash{$key}[1]cert.pem");
1037                 unlink ("${General::swroot}/ovpn/certs/$confighash{$key}[1].p12");
1038                 delete $confighash{$key};
1039                 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1040 #               &writeipsecfiles();
1041             }
1042         }
1043         unlink ("${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
1044         delete $cahash{$cgiparams{'KEY'}};
1045         &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1046 #       system('/usr/local/bin/ipsecctrl', 'R');
1047     } else {
1048         $errormessage = $Lang::tr{'invalid key'};
1049     }
1050 ###
1051 ### Remove ca certificate (step 1)
1052 ###
1053 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'}) {
1054     &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1055     &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1056
1057     my $assignedcerts = 0;
1058     if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
1059         foreach my $key (keys %confighash) {
1060             my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`;
1061             if ($test =~ /: OK/) {
1062                 $assignedcerts++;
1063             }
1064         }
1065         if ($assignedcerts) {
1066             &Header::showhttpheaders();
1067             &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
1068             &Header::openbigbox('100%', 'LEFT', '', $errormessage);
1069             &Header::openbox('100%', 'LEFT', $Lang::tr{'are you sure'});
1070             print <<END
1071                 <table><form method='post'><input type='hidden' name='AREUSURE' value='yes' />
1072                        <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
1073                     <tr><td align='center'>
1074                         <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: $assignedcerts
1075                         $Lang::tr{'connections are associated with this ca.  deleting the ca will delete these connections as well.'}
1076                     <tr><td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />
1077                         <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td></tr>
1078                 </form></table>
1079 END
1080             ;
1081             &Header::closebox();
1082             &Header::closebigbox();
1083             &Header::closepage();
1084             exit (0);
1085         } else {
1086             unlink ("${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
1087             delete $cahash{$cgiparams{'KEY'}};
1088             &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1089 #           system('/usr/local/bin/ipsecctrl', 'R');
1090         }
1091     } else {
1092         $errormessage = $Lang::tr{'invalid key'};
1093     }
1094
1095 ###
1096 ### Display root certificate
1097 ###
1098 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} ||
1099     $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) {
1100     my $output;
1101     &Header::showhttpheaders();
1102     &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
1103     &Header::openbigbox('100%', 'LEFT', '', '');
1104     if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) {
1105         &Header::openbox('100%', 'LEFT', "$Lang::tr{'root certificate'}:");
1106         $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`;
1107     } else {
1108         &Header::openbox('100%', 'LEFT', "$Lang::tr{'host certificate'}:");
1109         $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
1110     }
1111     $output = &Header::cleanhtml($output,"y");
1112     print "<pre>$output</pre>\n";
1113     &Header::closebox();
1114     print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1115     &Header::closebigbox();
1116     &Header::closepage();
1117     exit(0);
1118
1119 ###
1120 ### Download root certificate
1121 ###
1122 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download root certificate'}) {
1123     if ( -f "${General::swroot}/ovpn/ca/cacert.pem" ) {
1124         print "Content-Type: application/octet-stream\r\n";
1125         print "Content-Disposition: filename=cacert.pem\r\n\r\n";
1126         print `/usr/bin/openssl x509 -in ${General::swroot}/ovpn/ca/cacert.pem`;
1127         exit(0);
1128     }
1129     
1130 ###
1131 ### Download host certificate
1132 ###
1133 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download host certificate'}) {
1134     if ( -f "${General::swroot}/ovpn/certs/servercert.pem" ) {
1135         print "Content-Type: application/octet-stream\r\n";
1136         print "Content-Disposition: filename=servercert.pem\r\n\r\n";
1137         print `/usr/bin/openssl x509 -in ${General::swroot}/ovpn/certs/servercert.pem`;
1138         exit(0);
1139     }
1140 ###
1141 ### Form for generating a root certificate
1142 ###
1143 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} ||
1144          $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
1145
1146     &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1147     if (-f "${General::swroot}/ovpn/ca/cacert.pem") {
1148         $errormessage = $Lang::tr{'valid root certificate already exists'};
1149         $cgiparams{'ACTION'} = '';
1150         goto ROOTCERT_ERROR;
1151     }
1152
1153     if (($cgiparams{'ROOTCERT_HOSTNAME'} eq '') && -e "${General::swroot}/red/active") {
1154         if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
1155             my $ipaddr = <IPADDR>;
1156             close IPADDR;
1157             chomp ($ipaddr);
1158             $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
1159             if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
1160                 $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
1161             }
1162         }
1163     } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
1164
1165         if (ref ($cgiparams{'FH'}) ne 'Fh') {
1166             $errormessage = $Lang::tr{'there was no file upload'};
1167             goto ROOTCERT_ERROR;
1168         }
1169
1170         # Move uploaded certificate request to a temporary file
1171         (my $fh, my $filename) = tempfile( );
1172         if (copy ($cgiparams{'FH'}, $fh) != 1) {
1173             $errormessage = $!;
1174             goto ROOTCERT_ERROR;
1175         }
1176
1177         # Create a temporary dirctory
1178         my $tempdir = tempdir( CLEANUP => 1 );
1179
1180         # Extract the CA certificate from the file
1181         my $pid = open(OPENSSL, "|-");
1182         $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1183         if ($pid) {     # parent
1184             if ($cgiparams{'P12_PASS'} ne '') {
1185                 print OPENSSL "$cgiparams{'P12_PASS'}\n";
1186             }
1187             close (OPENSSL);
1188             if ($?) {
1189                 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1190                 unlink ($filename);
1191                 goto ROOTCERT_ERROR;
1192             }
1193         } else {        # child
1194             unless (exec ('/usr/bin/openssl', 'pkcs12', '-cacerts', '-nokeys',
1195                     '-in', $filename,
1196                     '-out', "$tempdir/cacert.pem")) {
1197                 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1198                 unlink ($filename);
1199                 goto ROOTCERT_ERROR;
1200             }
1201         }
1202
1203         # Extract the Host certificate from the file
1204         $pid = open(OPENSSL, "|-");
1205         $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1206         if ($pid) {     # parent
1207             if ($cgiparams{'P12_PASS'} ne '') {
1208                 print OPENSSL "$cgiparams{'P12_PASS'}\n";
1209             }
1210             close (OPENSSL);
1211             if ($?) {
1212                 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1213                 unlink ($filename);
1214                 goto ROOTCERT_ERROR;
1215             }
1216         } else {        # child
1217             unless (exec ('/usr/bin/openssl', 'pkcs12', '-clcerts', '-nokeys',
1218                     '-in', $filename,
1219                     '-out', "$tempdir/hostcert.pem")) {
1220                 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1221                 unlink ($filename);
1222                 goto ROOTCERT_ERROR;
1223             }
1224         }
1225
1226         # Extract the Host key from the file
1227         $pid = open(OPENSSL, "|-");
1228         $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1229         if ($pid) {     # parent
1230             if ($cgiparams{'P12_PASS'} ne '') {
1231                 print OPENSSL "$cgiparams{'P12_PASS'}\n";
1232             }
1233             close (OPENSSL);
1234             if ($?) {
1235                 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1236                 unlink ($filename);
1237                 goto ROOTCERT_ERROR;
1238             }
1239         } else {        # child
1240             unless (exec ('/usr/bin/openssl', 'pkcs12', '-nocerts',
1241                     '-nodes',
1242                     '-in', $filename,
1243                     '-out', "$tempdir/serverkey.pem")) {
1244                 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1245                 unlink ($filename);
1246                 goto ROOTCERT_ERROR;
1247             }
1248         }
1249
1250         move("$tempdir/cacert.pem", "${General::swroot}/ovpn/ca/cacert.pem");
1251         if ($? ne 0) {
1252             $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1253             unlink ($filename);
1254             unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1255             unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1256             unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1257             goto ROOTCERT_ERROR;
1258         }
1259
1260         move("$tempdir/hostcert.pem", "${General::swroot}/ovpn/certs/servercert.pem");
1261         if ($? ne 0) {
1262             $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1263             unlink ($filename);
1264             unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1265             unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1266             unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1267             goto ROOTCERT_ERROR;
1268         }
1269
1270         move("$tempdir/serverkey.pem", "${General::swroot}/ovpn/certs/serverkey.pem");
1271         if ($? ne 0) {
1272             $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1273             unlink ($filename);
1274             unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1275             unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1276             unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1277             goto ROOTCERT_ERROR;
1278         }
1279
1280         goto ROOTCERT_SUCCESS;
1281
1282     } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') {
1283
1284         # Validate input since the form was submitted
1285         if ($cgiparams{'ROOTCERT_ORGANIZATION'} eq ''){
1286             $errormessage = $Lang::tr{'organization cant be empty'};
1287             goto ROOTCERT_ERROR;
1288         }
1289         if (length($cgiparams{'ROOTCERT_ORGANIZATION'}) >60) {
1290             $errormessage = $Lang::tr{'organization too long'};
1291             goto ROOTCERT_ERROR;
1292         }
1293         if ($cgiparams{'ROOTCERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1294             $errormessage = $Lang::tr{'invalid input for organization'};
1295             goto ROOTCERT_ERROR;
1296         }
1297         if ($cgiparams{'ROOTCERT_HOSTNAME'} eq ''){
1298             $errormessage = $Lang::tr{'hostname cant be empty'};
1299             goto ROOTCERT_ERROR;
1300         }
1301         unless (&General::validfqdn($cgiparams{'ROOTCERT_HOSTNAME'}) || &General::validip($cgiparams{'ROOTCERT_HOSTNAME'})) {
1302             $errormessage = $Lang::tr{'invalid input for hostname'};
1303             goto ROOTCERT_ERROR;
1304         }
1305         if ($cgiparams{'ROOTCERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'ROOTCERT_EMAIL'}))) {
1306             $errormessage = $Lang::tr{'invalid input for e-mail address'};
1307             goto ROOTCERT_ERROR;
1308         }
1309         if (length($cgiparams{'ROOTCERT_EMAIL'}) > 40) {
1310             $errormessage = $Lang::tr{'e-mail address too long'};
1311             goto ROOTCERT_ERROR;
1312         }
1313         if ($cgiparams{'ROOTCERT_OU'} ne '' && $cgiparams{'ROOTCERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1314             $errormessage = $Lang::tr{'invalid input for department'};
1315             goto ROOTCERT_ERROR;
1316         }
1317         if ($cgiparams{'ROOTCERT_CITY'} ne '' && $cgiparams{'ROOTCERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1318             $errormessage = $Lang::tr{'invalid input for city'};
1319             goto ROOTCERT_ERROR;
1320         }
1321         if ($cgiparams{'ROOTCERT_STATE'} ne '' && $cgiparams{'ROOTCERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1322             $errormessage = $Lang::tr{'invalid input for state or province'};
1323             goto ROOTCERT_ERROR;
1324         }
1325         if ($cgiparams{'ROOTCERT_COUNTRY'} !~ /^[A-Z]*$/) {
1326             $errormessage = $Lang::tr{'invalid input for country'};
1327             goto ROOTCERT_ERROR;
1328         }
1329
1330         # Copy the cgisettings to vpnsettings and save the configfile
1331         $vpnsettings{'ROOTCERT_ORGANIZATION'}   = $cgiparams{'ROOTCERT_ORGANIZATION'};
1332         $vpnsettings{'ROOTCERT_HOSTNAME'}       = $cgiparams{'ROOTCERT_HOSTNAME'};
1333         $vpnsettings{'ROOTCERT_EMAIL'}          = $cgiparams{'ROOTCERT_EMAIL'};
1334         $vpnsettings{'ROOTCERT_OU'}             = $cgiparams{'ROOTCERT_OU'};
1335         $vpnsettings{'ROOTCERT_CITY'}           = $cgiparams{'ROOTCERT_CITY'};
1336         $vpnsettings{'ROOTCERT_STATE'}          = $cgiparams{'ROOTCERT_STATE'};
1337         $vpnsettings{'ROOTCERT_COUNTRY'}        = $cgiparams{'ROOTCERT_COUNTRY'};
1338         &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
1339
1340         # Replace empty strings with a .
1341         (my $ou = $cgiparams{'ROOTCERT_OU'}) =~ s/^\s*$/\./;
1342         (my $city = $cgiparams{'ROOTCERT_CITY'}) =~ s/^\s*$/\./;
1343         (my $state = $cgiparams{'ROOTCERT_STATE'}) =~ s/^\s*$/\./;
1344
1345         # refresh
1346         #system ('/bin/touch', "${General::swroot}/ovpn/gencanow");
1347         
1348         # Create the CA certificate
1349         my $pid = open(OPENSSL, "|-");
1350         $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1351         if ($pid) {     # parent
1352             print OPENSSL "$cgiparams{'ROOTCERT_COUNTRY'}\n";
1353             print OPENSSL "$state\n";
1354             print OPENSSL "$city\n";
1355             print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";
1356             print OPENSSL "$ou\n";
1357             print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'} CA\n";
1358             print OPENSSL "$cgiparams{'ROOTCERT_EMAIL'}\n";
1359             close (OPENSSL);
1360             if ($?) {
1361                 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1362                 unlink ("${General::swroot}/ovpn/ca/cakey.pem");
1363                 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1364                 goto ROOTCERT_ERROR;
1365             }
1366         } else {        # child
1367             unless (exec ('/usr/bin/openssl', 'req', '-x509', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache',
1368                         '-days', '999999', '-newkey', 'rsa:2048',
1369                         '-keyout', "${General::swroot}/ovpn/ca/cakey.pem",
1370                         '-out', "${General::swroot}/ovpn/ca/cacert.pem",
1371                         '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
1372                 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1373                 goto ROOTCERT_ERROR;
1374             }
1375         }
1376
1377         # Create the Host certificate request
1378         $pid = open(OPENSSL, "|-");
1379         $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1380         if ($pid) {     # parent
1381             print OPENSSL "$cgiparams{'ROOTCERT_COUNTRY'}\n";
1382             print OPENSSL "$state\n";
1383             print OPENSSL "$city\n";
1384             print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";
1385             print OPENSSL "$ou\n";
1386             print OPENSSL "$cgiparams{'ROOTCERT_HOSTNAME'}\n";
1387             print OPENSSL "$cgiparams{'ROOTCERT_EMAIL'}\n";
1388             print OPENSSL ".\n";
1389             print OPENSSL ".\n";
1390             close (OPENSSL);
1391             if ($?) {
1392                 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1393                 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1394                 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1395                 goto ROOTCERT_ERROR;
1396             }
1397         } else {        # child
1398             unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache',
1399                         '-newkey', 'rsa:1024',
1400                         '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem",
1401                         '-out', "${General::swroot}/ovpn/certs/serverreq.pem",
1402                         '-extensions', 'server',
1403                         '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) {
1404                 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1405                 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1406                 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1407                 unlink ("${General::swroot}/ovpn/ca/cakey.pem");
1408                 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1409                 goto ROOTCERT_ERROR;
1410             }
1411         }
1412         
1413         # Sign the host certificate request
1414         system('/usr/bin/openssl', 'ca', '-days', '999999',
1415                 '-batch', '-notext',
1416                 '-in',  "${General::swroot}/ovpn/certs/serverreq.pem",
1417                 '-out', "${General::swroot}/ovpn/certs/servercert.pem",
1418                 '-extensions', 'server',
1419                 '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf");
1420         if ($?) {
1421             $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1422             unlink ("${General::swroot}/ovpn/ca/cakey.pem");
1423             unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1424             unlink ("${General::swroot}/ovpn/serverkey.pem");
1425             unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1426             unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1427             &newcleanssldatabase();
1428             goto ROOTCERT_ERROR;
1429         } else {
1430             unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1431             &deletebackupcert();
1432         }
1433
1434         # Create an empty CRL
1435         system('/usr/bin/openssl', 'ca', '-gencrl',
1436                 '-out', "${General::swroot}/ovpn/crls/cacrl.pem",
1437                 '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" );
1438         if ($?) {
1439             $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1440             unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1441             unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1442             unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1443             unlink ("${General::swroot}/ovpn/crls/cacrl.pem");      
1444             &cleanssldatabase();
1445             goto ROOTCERT_ERROR;
1446 #       } else {
1447 #           &cleanssldatabase();
1448         }
1449         # Create Diffie Hellmann Parameter
1450         system('/usr/bin/openssl', 'dhparam', '-rand', '/proc/interrupts:/proc/net/rt_cache',
1451                '-out', "${General::swroot}/ovpn/ca/dh1024.pem",
1452                '1024' );
1453         if ($?) {
1454             $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1455             unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1456             unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1457             unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1458             unlink ("${General::swroot}/ovpn/crls/cacrl.pem");
1459             unlink ("${General::swroot}/ovpn/ca/dh1024.pem");
1460             &cleanssldatabase();
1461             goto ROOTCERT_ERROR;
1462 #       } else {
1463 #           &cleanssldatabase();
1464         }       
1465         goto ROOTCERT_SUCCESS;
1466     }
1467     ROOTCERT_ERROR:
1468     if ($cgiparams{'ACTION'} ne '') {
1469         &Header::showhttpheaders();
1470         &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
1471         &Header::openbigbox('100%', 'LEFT', '', '');
1472         if ($errormessage) {
1473             &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
1474             print "<class name='base'>$errormessage";
1475             print "&nbsp;</class>";
1476             &Header::closebox();
1477         }
1478         &Header::openbox('100%', 'LEFT', "$Lang::tr{'generate root/host certificates'}:");
1479         print <<END
1480         <form method='post' enctype='multipart/form-data'>
1481         <table width='100%' border='0' cellspacing='1' cellpadding='0'>
1482         <tr><td width='30%' class='base'>$Lang::tr{'organization name'}:</td>
1483             <td width='35%' class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_ORGANIZATION' value='$cgiparams{'ROOTCERT_ORGANIZATION'}' size='32' /></td>
1484             <td width='35%' colspan='2'>&nbsp;</td></tr>
1485         <tr><td class='base'>$Lang::tr{'ipfires hostname'}:</td>
1486             <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_HOSTNAME' value='$cgiparams{'ROOTCERT_HOSTNAME'}' size='32' /></td>
1487             <td colspan='2'>&nbsp;</td></tr>
1488         <tr><td class='base'>$Lang::tr{'your e-mail'}:&nbsp;<img src='/blob.gif' alt'*' /></td>
1489             <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_EMAIL' value='$cgiparams{'ROOTCERT_EMAIL'}' size='32' /></td>
1490             <td colspan='2'>&nbsp;</td></tr>
1491         <tr><td class='base'>$Lang::tr{'your department'}:&nbsp;<img src='/blob.gif' alt'*' /></td>
1492             <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_OU' value='$cgiparams{'ROOTCERT_OU'}' size='32' /></td>
1493             <td colspan='2'>&nbsp;</td></tr>
1494         <tr><td class='base'>$Lang::tr{'city'}:&nbsp;<img src='/blob.gif' alt'*' /></td>
1495             <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_CITY' value='$cgiparams{'ROOTCERT_CITY'}' size='32' /></td>
1496             <td colspan='2'>&nbsp;</td></tr>
1497         <tr><td class='base'>$Lang::tr{'state or province'}:&nbsp;<img src='/blob.gif' alt'*' /></td>
1498             <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_STATE' value='$cgiparams{'ROOTCERT_STATE'}' size='32' /></td>
1499             <td colspan='2'>&nbsp;</td></tr>
1500         <tr><td class='base'>$Lang::tr{'country'}:</td>
1501             <td class='base'><select name='ROOTCERT_COUNTRY'> 
1502
1503 END
1504         ;
1505         foreach my $country (sort keys %{Countries::countries}) {
1506             print "<option value='$Countries::countries{$country}'";
1507             if ( $Countries::countries{$country} eq $cgiparams{'ROOTCERT_COUNTRY'} ) {
1508                 print " selected='selected'";
1509             }
1510             print ">$country</option>";
1511         }
1512         print <<END
1513             </select></td>
1514             <td colspan='2'>&nbsp;</td></tr>
1515         <tr><td>&nbsp;</td>
1516             <td><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /></td>
1517             <td>&nbsp;</td><td>&nbsp;</td></tr> 
1518         <tr><td class='base' colspan='4' align='left'>
1519             <img src='/blob.gif' valign='top' alt='*' />&nbsp;$Lang::tr{'this field may be blank'}</td></tr>
1520         <tr><td class='base' colspan='4' align='left'>
1521             <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: 
1522             $Lang::tr{'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. please be patient'}
1523         </td></tr>
1524         <tr><td colspan='4' bgcolor='#000000'><img src='/images/null.gif' width='1' height='1' border='0' /></td></tr>
1525         <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload p12 file'}:</td>
1526             <td nowrap='nowrap'><input type='file' name='FH' size='32'></td>
1527             <td colspan='2'>&nbsp;</td></tr>
1528         <tr><td class='base'>$Lang::tr{'pkcs12 file password'}:&nbsp;<img src='/blob.gif' alt='*' ></td>
1529             <td class='base' nowrap='nowrap'><input type='password' name='P12_PASS' value='$cgiparams{'P12_PASS'}' size='32' /></td>
1530             <td colspan='2'>&nbsp;</td></tr>
1531         <tr><td>&nbsp;</td>
1532             <td><input type='submit' name='ACTION' value='$Lang::tr{'upload p12 file'}' /></td>
1533             <td colspan='2'>&nbsp;</td></tr>
1534         <tr><td class='base' colspan='4' align='left'>
1535             <img src='/blob.gif' valign='top' al='*' >&nbsp;$Lang::tr{'this field may be blank'}</td></tr>
1536         </form></table>
1537 END
1538         ;
1539         &Header::closebox();
1540
1541         &Header::closebigbox();
1542         &Header::closepage();
1543         exit(0)
1544     }
1545
1546     ROOTCERT_SUCCESS:
1547     system ("chmod 600 ${General::swroot}/ovpn/certs/serverkey.pem");
1548 #    if ($vpnsettings{'ENABLED'} eq 'on' ||
1549 #       $vpnsettings{'ENABLE_BLUE'} eq 'on') {
1550 #       system('/usr/local/bin/ipsecctrl', 'S');
1551 #    }
1552
1553 ###
1554 ### Enable/Disable connection
1555 ###
1556
1557 ###
1558 # m.a.d net2net
1559 ###
1560
1561 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {
1562     
1563     &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1564     &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1565 #    my $n2nactive = '';
1566     my $n2nactive = `/bin/ps ax|grep $confighash{$cgiparams{'KEY'}}[1]|grep -v grep|awk \'{print \$1}\'`;
1567     
1568     if ($confighash{$cgiparams{'KEY'}}) {
1569
1570
1571         if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') {
1572             $confighash{$cgiparams{'KEY'}}[0] = 'on';
1573             &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1574
1575      if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
1576                  system('/usr/local/bin/openvpnctrl', '-sn2n', $confighash{$cgiparams{'KEY'}}[1]);
1577           }
1578  
1579   } else {
1580
1581             $confighash{$cgiparams{'KEY'}}[0] = 'off';
1582       &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1583
1584           if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
1585                     if ($n2nactive ne ''){                              
1586                     system('/usr/local/bin/openvpnctrl', '-kn2n', $confighash{$cgiparams{'KEY'}}[1]);
1587            }
1588  
1589           } else {
1590                   $errormessage = $Lang::tr{'invalid key'};
1591           }
1592       }
1593   }
1594
1595 ###
1596 ### Download OpenVPN client package
1597 ###
1598
1599
1600 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'dl client arch'}) {
1601     &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1602     &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1603     my $file = '';
1604     my $clientovpn = '';
1605     my @fileholder;
1606     my $tempdir = tempdir( CLEANUP => 1 );
1607     my $zippath = "$tempdir/";
1608
1609 ###
1610 # m.a.d net2net
1611 ###
1612
1613 if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
1614         
1615         my $zipname = "$confighash{$cgiparams{'KEY'}}[1]-Client.zip";
1616         my $zippathname = "$zippath$zipname";
1617         $clientovpn = "$confighash{$cgiparams{'KEY'}}[1].conf";  
1618         my @ovsubnettemp =  split(/\./,$confighash{$cgiparams{'KEY'}}[27]);
1619         my $ovsubnet =  "$ovsubnettemp[0].$ovsubnettemp[1].$ovsubnettemp[2]";
1620         my $tunmtu = ''; 
1621         my @remsubnet = split(/\//,$confighash{$cgiparams{'KEY'}}[8]);
1622         my $n2nfragment = '';
1623         
1624     open(CLIENTCONF, ">$tempdir/$clientovpn") or die "Unable to open tempfile: $!";
1625     flock CLIENTCONF, 2;
1626     
1627     my $zip = Archive::Zip->new();
1628    print CLIENTCONF "# IPFire n2n Open VPN Client Config by ummeegge und m.a.d\n";
1629    print CLIENTCONF "# \n";
1630    print CLIENTCONF "# User Security\n";
1631    print CLIENTCONF "user nobody\n";
1632    print CLIENTCONF "group nobody\n";
1633    print CLIENTCONF "persist-tun\n";
1634    print CLIENTCONF "persist-key\n";
1635    print CLIENTCONF "script-security 2\n";
1636    print CLIENTCONF "# IP/DNS for remote Server Gateway\n"; 
1637    print CLIENTCONF "remote $vpnsettings{'VPN_IP'}\n";
1638    print CLIENTCONF "float\n";
1639    print CLIENTCONF "# IP adresses of the VPN Subnet\n"; 
1640    print CLIENTCONF "ifconfig $ovsubnet.2 $ovsubnet.1\n"; 
1641    print CLIENTCONF "# Server Gateway Network\n"; 
1642    print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n";
1643    print CLIENTCONF "# tun Device\n"; 
1644    print CLIENTCONF "dev $vpnsettings{'DDEVICE'}\n"; 
1645    print CLIENTCONF "# Port and Protokoll\n"; 
1646    print CLIENTCONF "port $confighash{$cgiparams{'KEY'}}[29]\n"; 
1647    
1648    if ($confighash{$cgiparams{'KEY'}}[28] eq 'tcp') {
1649    print CLIENTCONF "proto tcp-client\n";
1650    print CLIENTCONF "# Packet size\n";
1651    if ($confighash{$cgiparams{'KEY'}}[31] eq '') {$tunmtu = '1400'} else {$tunmtu = $confighash{$cgiparams{'KEY'}}[31]};
1652    print CLIENTCONF "tun-mtu $tunmtu\n";
1653    }
1654   
1655    if ($confighash{$cgiparams{'KEY'}}[28] eq 'udp') {
1656    print CLIENTCONF "proto udp\n"; 
1657    print CLIENTCONF "# Paketsize\n";
1658    if ($confighash{$cgiparams{'KEY'}}[31] eq '') {$tunmtu = '1500'} else {$tunmtu = $confighash{$cgiparams{'KEY'}}[31]};
1659    print CLIENTCONF "tun-mtu $tunmtu\n";
1660    if ($confighash{$cgiparams{'KEY'}}[24] ne '') {print CLIENTCONF "fragment $confighash{$cgiparams{'KEY'}}[24]\n";}
1661    if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF "mssfix\n";}
1662    }
1663    print CLIENTCONF "ns-cert-type server\n";   
1664    print CLIENTCONF "# Auth. Client\n"; 
1665    print CLIENTCONF "tls-client\n"; 
1666    print CLIENTCONF "# Cipher\n"; 
1667    print CLIENTCONF "cipher AES-256-CBC\n"; 
1668     if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") { 
1669          print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12\r\n";
1670      $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
1671    } 
1672     if ($confighash{$cgiparams{'KEY'}}[30] eq 'on') {
1673    print CLIENTCONF "# Enable Compression\n";
1674    print CLIENTCONF "comp-lzo\r\n";
1675      }
1676    print CLIENTCONF "# Debug Level\n"; 
1677    print CLIENTCONF "verb 3\n"; 
1678    print CLIENTCONF "# Tunnel check\n"; 
1679    print CLIENTCONF "keepalive 10 60\n"; 
1680    print CLIENTCONF "# Start as daemon\n"; 
1681    print CLIENTCONF "daemon $confighash{$cgiparams{'KEY'}}[1]n2n\n"; 
1682    print CLIENTCONF "writepid /var/run/$confighash{$cgiparams{'KEY'}}[1]n2n.pid\n"; 
1683    print CLIENTCONF "# Activate Management Interface and Port\n"; 
1684    if ($confighash{$cgiparams{'KEY'}}[22] eq '') {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[29]\n"}
1685     else {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[22]\n"};
1686    print CLIENTCONF "# remsub $confighash{$cgiparams{'KEY'}}[11]\n";
1687   
1688
1689     close(CLIENTCONF);
1690         
1691     $zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n";
1692     my $status = $zip->writeToFileNamed($zippathname);
1693
1694     open(DLFILE, "<$zippathname") or die "Unable to open $zippathname: $!";
1695     @fileholder = <DLFILE>;
1696     print "Content-Type:application/x-download\n";
1697     print "Content-Disposition:attachment;filename=$zipname\n\n";
1698     print @fileholder;
1699     exit (0);
1700 }
1701 else
1702 {
1703         my $zipname = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.zip";
1704         my $zippathname = "$zippath$zipname";
1705         $clientovpn = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.ovpn";
1706
1707 ###
1708 # m.a.d net2net
1709 ###
1710   
1711     open(CLIENTCONF, ">$tempdir/$clientovpn") or die "Unable to open tempfile: $!";
1712     flock CLIENTCONF, 2;
1713     
1714     my $zip = Archive::Zip->new();
1715     
1716     print CLIENTCONF "#OpenVPN Server conf\r\n";
1717     print CLIENTCONF "tls-client\r\n";
1718     print CLIENTCONF "client\r\n";
1719     print CLIENTCONF "dev $vpnsettings{'DDEVICE'}\r\n";
1720     print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n";
1721     print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu $vpnsettings{'DMTU'}\r\n";
1722     if ( $vpnsettings{'ENABLED'} eq 'on'){
1723         print CLIENTCONF "remote $vpnsettings{'VPN_IP'} $vpnsettings{'DDEST_PORT'}\r\n";
1724         if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&haveBlueNet())){ 
1725             print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Blue interface\r\n";     
1726             print CLIENTCONF ";remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
1727         }
1728         if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){
1729             print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Orange interface\r\n";           
1730             print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
1731         }
1732     } elsif ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&haveBlueNet())){
1733         print CLIENTCONF "remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
1734         if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){
1735             print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Orange interface\r\n";           
1736             print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
1737         }
1738     } elsif ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){
1739         print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
1740     }
1741                         
1742     if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") { 
1743         print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
1744         $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
1745     } else {
1746         print CLIENTCONF "ca cacert.pem\r\n";
1747         print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n";
1748         print CLIENTCONF "key $confighash{$cgiparams{'KEY'}}[1].key\r\n";
1749         $zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem")  or die "Can't add file cacert.pem\n";
1750         $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n";    
1751     }
1752     print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n";
1753     if ($vpnsettings{DCOMPLZO} eq 'on') {
1754         print CLIENTCONF "comp-lzo\r\n";
1755     }
1756     print CLIENTCONF "verb 3\r\n";
1757     print CLIENTCONF "ns-cert-type server\r\n";
1758     print CLIENTCONF "tls-remote $vpnsettings{ROOTCERT_HOSTNAME}\r\n"; 
1759     if ($vpnsettings{MSSFIX} eq 'on') {
1760         print CLIENTCONF "mssfix\r\n";
1761     }
1762     if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' ) {
1763         print CLIENTCONF "fragment $vpnsettings{'FRAGMENT'}\r\n";
1764     }
1765     close(CLIENTCONF);
1766         
1767     $zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n";
1768     my $status = $zip->writeToFileNamed($zippathname);
1769
1770     open(DLFILE, "<$zippathname") or die "Unable to open $zippathname: $!";
1771     @fileholder = <DLFILE>;
1772     print "Content-Type:application/x-download\n";
1773     print "Content-Disposition:attachment;filename=$zipname\n\n";
1774     print @fileholder;
1775     exit (0);
1776    }
1777    
1778    
1779    
1780 ###
1781 ### Remove connection
1782 ###
1783
1784
1785 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) {
1786     &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1787     &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1788
1789     if ($confighash{$cgiparams{'KEY'}}) {
1790 #       if ($vpnsettings{'ENABLED'} eq 'on' ||
1791 #           $vpnsettings{'ENABLED_BLUE'} eq 'on') {
1792 #           system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});
1793 #       }
1794 #
1795         my $temp = `/usr/bin/openssl ca -revoke ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`;
1796
1797 ###
1798 # m.a.d net2net
1799 ###
1800
1801  if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') {
1802
1803         my $conffile = glob("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]/$confighash{$cgiparams{'KEY'}}[1].conf");
1804   my $certfile = glob("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
1805   unlink ($certfile) or die "Removing $certfile fail: $!";
1806   unlink ($conffile) or die "Removing $conffile fail: $!";
1807   rmdir ("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") || die "Kann Verzeichnis nicht loeschen: $!";
1808   
1809 }
1810
1811   unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
1812         unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
1813         delete $confighash{$cgiparams{'KEY'}};
1814         my $temp2 = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`;
1815         &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1816         #&writeserverconf();
1817     } else {
1818         $errormessage = $Lang::tr{'invalid key'};
1819     }
1820
1821
1822 ###
1823 ### Download PKCS12 file
1824 ###
1825 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download pkcs12 file'}) {
1826     &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1827
1828     print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n";
1829     print "Content-Type: application/octet-stream\r\n\r\n";
1830     print `/bin/cat ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12`;
1831     exit (0);
1832
1833 ###
1834 ### Display certificate
1835 ###
1836 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show certificate'}) {
1837     &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1838
1839     if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
1840         &Header::showhttpheaders();
1841         &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
1842         &Header::openbigbox('100%', 'LEFT', '', '');
1843         &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate'}:");
1844         my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
1845         $output = &Header::cleanhtml($output,"y");
1846         print "<pre>$output</pre>\n";
1847         &Header::closebox();
1848         print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1849         &Header::closebigbox();
1850         &Header::closepage();
1851         exit(0);
1852     }
1853 ###
1854 ### Display Certificate Revoke List
1855 ###
1856 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show crl'}) {
1857 #    &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1858
1859     if ( -f "${General::swroot}/ovpn/crls/cacrl.pem") {
1860         &Header::showhttpheaders();
1861         &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
1862         &Header::openbigbox('100%', 'LEFT', '', '');
1863         &Header::openbox('100%', 'LEFT', "$Lang::tr{'crl'}:");
1864         my $output = `/usr/bin/openssl crl -text -noout -in ${General::swroot}/ovpn/crls/cacrl.pem`;
1865         $output = &Header::cleanhtml($output,"y");
1866         print "<pre>$output</pre>\n";
1867         &Header::closebox();
1868         print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1869         &Header::closebigbox();
1870         &Header::closepage();
1871         exit(0);
1872     }
1873
1874 ###
1875 ### Advanced Server Settings
1876 ###
1877
1878 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'advanced server'}) {
1879     %cgiparams = ();
1880     %cahash = ();
1881     %confighash = ();
1882     &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams);
1883     read_routepushfile;
1884
1885 #    if ($cgiparams{'CLIENT2CLIENT'} eq '') {
1886 #       $cgiparams{'CLIENT2CLIENT'} =  'on';     
1887 #    }
1888 ADV_ERROR:
1889     if ($cgiparams{'MAX_CLIENTS'} eq '') {
1890         $cgiparams{'MAX_CLIENTS'} =  '100';     
1891     }
1892     
1893     if ($cgiparams{'KEEPALIVE_1'} eq '') {
1894         $cgiparams{'KEEPALIVE_1'} =  '10';     
1895     }
1896     if ($cgiparams{'KEEPALIVE_2'} eq '') {
1897         $cgiparams{'KEEPALIVE_2'} =  '60';     
1898     }
1899     if ($cgiparams{'LOG_VERB'} eq '') {
1900         $cgiparams{'LOG_VERB'} =  '3';     
1901     }
1902     $checked{'CLIENT2CLIENT'}{'off'} = '';
1903     $checked{'CLIENT2CLIENT'}{'on'} = '';
1904     $checked{'CLIENT2CLIENT'}{$cgiparams{'CLIENT2CLIENT'}} = 'CHECKED';
1905     $checked{'REDIRECT_GW_DEF1'}{'off'} = '';
1906     $checked{'REDIRECT_GW_DEF1'}{'on'} = '';
1907     $checked{'REDIRECT_GW_DEF1'}{$cgiparams{'REDIRECT_GW_DEF1'}} = 'CHECKED';
1908     $selected{'ENGINES'}{$cgiparams{'ENGINES'}} = 'SELECTED';
1909     $checked{'MSSFIX'}{'off'} = '';
1910     $checked{'MSSFIX'}{'on'} = '';
1911     $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
1912     $selected{'LOG_VERB'}{'1'} = '';
1913     $selected{'LOG_VERB'}{'2'} = '';
1914     $selected{'LOG_VERB'}{'3'} = '';
1915     $selected{'LOG_VERB'}{'4'} = '';
1916     $selected{'LOG_VERB'}{'5'} = '';
1917     $selected{'LOG_VERB'}{'6'} = '';
1918     $selected{'LOG_VERB'}{'7'} = '';
1919     $selected{'LOG_VERB'}{'8'} = '';
1920     $selected{'LOG_VERB'}{'9'} = '';
1921     $selected{'LOG_VERB'}{'10'} = '';
1922     $selected{'LOG_VERB'}{'11'} = '';
1923     $selected{'LOG_VERB'}{'0'} = '';
1924     $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED';
1925
1926
1927     
1928     &Header::showhttpheaders();
1929     &Header::openpage($Lang::tr{'status ovpn'}, 1, '');
1930     &Header::openbigbox('100%', 'LEFT', '', $errormessage);    
1931     if ($errormessage) {
1932         &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
1933         print "<class name='base'>$errormessage\n";
1934         print "&nbsp;</class>\n";
1935         &Header::closebox();
1936     }
1937     &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'});
1938     print <<END
1939     <form method='post' enctype='multipart/form-data'>
1940     <table width='100%'>
1941     <tr>
1942         <td colspan='4'><b>$Lang::tr{'dhcp-options'}</b></td>
1943     </tr>
1944     <tr>
1945         <td width='25%'></td> <td width='20%'> </td><td width='25%'> </td><td width='30%'></td>
1946     </tr>       
1947     <tr>                
1948         <td class='base'>Domain</td>
1949         <td><input type='TEXT' name='DHCP_DOMAIN' value='$cgiparams{'DHCP_DOMAIN'}' size='30' /></td>
1950     </tr>
1951     <tr>        
1952         <td class='base'>DNS</td>
1953         <td><input type='TEXT' name='DHCP_DNS' value='$cgiparams{'DHCP_DNS'}' size='30' /></td>
1954     </tr>       
1955     <tr>        
1956         <td class='base'>WINS</td>
1957         <td><input type='TEXT' name='DHCP_WINS' value='$cgiparams{'DHCP_WINS'}' size='30' /></td>
1958        </tr>
1959     <tr>
1960         <td colspan='4'><b>$Lang::tr{'ovpn routes push options'}</b></td>
1961     </tr>
1962     <tr>        
1963         <td class='base'>$Lang::tr{'ovpn routes push'}</td>
1964   <td colspan='2'>
1965        <textarea name='ROUTES_PUSH' cols='26' rows='6' wrap='off'>
1966 END
1967 ;
1968
1969 if ($cgiparams{'ROUTES_PUSH'} ne '')
1970 {
1971         print $cgiparams{'ROUTES_PUSH'};
1972 }
1973
1974 print <<END
1975 </textarea></td>
1976 </tr>
1977     </tr>
1978 </table>
1979 <hr size='1'>
1980     <table width='100%'>
1981     <tr>
1982         <td class'base'><b>$Lang::tr{'misc-options'}</b></td>
1983     </tr>
1984     <tr>
1985         <td width='20%'></td> <td width='15%'> </td><td width='15%'> </td><td width='50%'></td>
1986     </tr>
1987     <tr>
1988         <td class='base'>Client-To-Client</td>
1989         <td><input type='checkbox' name='CLIENT2CLIENT' $checked{'CLIENT2CLIENT'}{'on'} /></td>
1990     </tr>
1991     <tr>        
1992         <td class='base'>Redirect-Gateway def1</td>
1993         <td><input type='checkbox' name='REDIRECT_GW_DEF1' $checked{'REDIRECT_GW_DEF1'}{'on'} /></td>
1994     </tr>
1995     <tr>        
1996         <td class='base'>Max-Clients</td>
1997         <td><input type='text' name='MAX_CLIENTS' value='$cgiparams{'MAX_CLIENTS'}' size='10' /></td>
1998     </tr>       
1999         <tr>
2000           <td class='base'>Keppalive <br />
2001             (ping/ping-restart)</td>
2002           <td><input type='TEXT' name='KEEPALIVE_1' value='$cgiparams{'KEEPALIVE_1'}' size='10' /></td>
2003           <td><input type='TEXT' name='KEEPALIVE_2' value='$cgiparams{'KEEPALIVE_2'}' size='10' /></td>
2004     </tr>
2005         <tr>
2006           <td class='base'>fragment <br></td>
2007           <td><input type='TEXT' name='FRAGMENT' value='$cgiparams{'FRAGMENT'}' size='10' /></td>
2008         <td>Default: <span class="base">1300</span></td>
2009       </tr>
2010         <tr>
2011           <td class='base'>mssfix</td>
2012           <td><input type='checkbox' name='MSSFIX' $checked{'MSSFIX'}{'on'} /></td>
2013           <td>Default: on</td>
2014           </tr> 
2015 </table>
2016
2017 <!--
2018 <hr size='1'>
2019     <table width='100%'>
2020     <tr>
2021  <td class'base'><b>Crypto-Engines</b></td>
2022     </tr>
2023     <tr>
2024         <td width='15%'></td> <td width='30%'> </td><td width='25%'> </td><td width='30%'></td>
2025     </tr>       
2026     <tr><td class='base'>Engines:</td>        
2027         <td><select name='ENGINES'><option value="none" $selected{'ENGINES'}{'none'}>none</option>
2028                                     <option value="cryptodev" $selected{'ENGINES'}{'cryptodev'}>cryptodev</option>
2029                                     <option value="padlock" $selected{'ENGINES'}{'padlock'}>padlock</option>
2030                         </select>
2031                 </td>   
2032 </table>
2033 -->
2034 <hr size='1'>
2035     <table width='100%'>
2036     <tr>
2037         <td class'base'><b>$Lang::tr{'log-options'}</b></td>
2038     </tr>
2039     <tr>
2040         <td width='15%'></td> <td width='30%'> </td><td width='25%'> </td><td width='30%'></td>
2041     </tr>       
2042         
2043     <tr><td class='base'>VERB</td>        
2044         <td><select name='LOG_VERB'><option value='1'  $selected{'LOG_VERB'}{'1'}>1</option>
2045                                     <option value='2'  $selected{'LOG_VERB'}{'2'}>2</option>
2046                                     <option value='3'  $selected{'LOG_VERB'}{'3'}>3</option>
2047                                     <option value='4'  $selected{'LOG_VERB'}{'4'}>4</option>
2048                                     <option value='5'  $selected{'LOG_VERB'}{'5'}>5</option>
2049                                     <option value='6'  $selected{'LOG_VERB'}{'6'}>6</option>                                                                
2050                                     <option value='7'  $selected{'LOG_VERB'}{'7'}>7</option>
2051                                     <option value='8'  $selected{'LOG_VERB'}{'8'}>8</option>
2052                                     <option value='9'  $selected{'LOG_VERB'}{'9'}>9</option>
2053                                     <option value='10' $selected{'LOG_VERB'}{'10'}>10</option>
2054                                     <option value='11' $selected{'LOG_VERB'}{'11'}>11</option>
2055                                     <option value='0'  $selected{'LOG_VERB'}{'0'}>0</option></select></td>      
2056 </table>
2057 <hr size='1'>
2058 <table width='100%'>
2059 <tr>
2060     <td>&nbsp;</td>
2061     <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-adv-options'}' /></td>
2062     <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td>
2063     <td>&nbsp;</td>    
2064 </tr>
2065 </table>    
2066 </form>
2067 END
2068 ;                                  
2069
2070     &Header::closebox();
2071 #    print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2072     &Header::closebigbox();
2073     &Header::closepage();
2074     exit(0);
2075         
2076 ###
2077 ### Openvpn Connections Statistics
2078 ###
2079 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'ovpn con stat'}) {
2080         &Header::showhttpheaders();
2081         &Header::openpage($Lang::tr{'ovpn con stat'}, 1, '');
2082         &Header::openbigbox('100%', 'LEFT', '', '');
2083     &Header::openbox('100%', 'LEFT', $Lang::tr{'ovpn con stat'});
2084
2085 #
2086 #       <td><b>$Lang::tr{'protocol'}</b></td>
2087 # protocol temp removed 
2088     print <<END
2089     <table width='100%' border='0' cellpadding='2' cellspacing='0'>
2090     <tr>
2091         <td><b>$Lang::tr{'common name'}</b></td>
2092         <td><b>$Lang::tr{'real address'}</b></td>
2093         <td><b>$Lang::tr{'virtual address'}</b></td>
2094         <td><b>$Lang::tr{'loged in at'}</b></td>
2095         <td><b>$Lang::tr{'bytes sent'}</b></td>
2096         <td><b>$Lang::tr{'bytes received'}</b></td>
2097         <td><b>$Lang::tr{'last activity'}</b></td>
2098     </tr>
2099 END
2100 ;
2101         my $filename = "/var/log/ovpnserver.log";
2102         open(FILE, $filename) or die 'Unable to open config file.';
2103         my @current = <FILE>;
2104         close(FILE);
2105         my @users =();
2106         my $status;
2107         my $uid = 0;
2108         my $cn;
2109         my @match = ();
2110         my $proto = "udp";
2111         my $address;
2112         my %userlookup = ();
2113         foreach my $line (@current)
2114         {
2115             chomp($line);
2116             if ( $line =~ /^Updated,(.+)/){
2117                 @match = split( /^Updated,(.+)/, $line); 
2118                 $status = $match[1];
2119             }
2120 #gian       
2121             if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) {
2122                 @match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line);
2123                 if ($match[1] ne "Common Name") {
2124                     $cn = $match[1];
2125                     $userlookup{$match[2]} = $uid;
2126                     $users[$uid]{'CommonName'} = $match[1];
2127                     $users[$uid]{'RealAddress'} = $match[2];
2128                     $users[$uid]{'BytesReceived'} = &sizeformat($match[3]);
2129                     $users[$uid]{'BytesSent'} = &sizeformat($match[4]);
2130                     $users[$uid]{'Since'} = $match[5];
2131                     $users[$uid]{'Proto'} = $proto;
2132                     $uid++;
2133                 }    
2134             }
2135             if ( $line =~ /^(\d+\.\d+\.\d+\.\d+),(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(.+)/) {
2136                 @match = split(m/^(\d+\.\d+\.\d+\.\d+),(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(.+)/, $line);
2137                 if ($match[1] ne "Virtual Address") {
2138                     $address = $match[3];
2139                     #find the uid in the lookup table
2140                     $uid = $userlookup{$address};
2141                     $users[$uid]{'VirtualAddress'} = $match[1];
2142                     $users[$uid]{'LastRef'} = $match[4];
2143                 }
2144             }
2145         }
2146         my $user2 = @users;
2147         if ($user2 >= 1){
2148             for (my $idx = 1; $idx <= $user2; $idx++){
2149                                                 if ($idx % 2) {
2150                                         print "<tr bgcolor='$color{'color20'}'>\n";
2151                                 } else {
2152                                         print "<tr bgcolor='$color{'color22'}'>\n";
2153                                                 }
2154                                                 print "<td align='left'>$users[$idx-1]{'CommonName'}</td>";
2155                                                 print "<td align='left'>$users[$idx-1]{'RealAddress'}</td>";
2156                                                 print "<td align='left'>$users[$idx-1]{'VirtualAddress'}</td>";
2157                                                 print "<td align='left'>$users[$idx-1]{'Since'}</td>";
2158                                                 print "<td align='left'>$users[$idx-1]{'BytesSent'}</td>";
2159                                                 print "<td align='left'>$users[$idx-1]{'BytesReceived'}</td>";
2160                                                 print "<td align='left'>$users[$idx-1]{'LastRef'}</td>";
2161 #                       print "<td align='left'>$users[$idx-1]{'Proto'}</td>";
2162             }
2163         }        
2164         
2165         print "</table>";
2166         print <<END
2167         <table width='100%' border='0' cellpadding='2' cellspacing='0'>
2168         <tr><td></td></tr>
2169         <tr><td></td></tr>
2170         <tr><td></td></tr>
2171         <tr><td></td></tr>
2172         <tr><td align='center' >$Lang::tr{'the statistics were last updated at'} <b>$status</b></td></tr>
2173         </table>
2174 END
2175 ;       
2176         &Header::closebox();
2177         print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2178         &Header::closebigbox();
2179         &Header::closepage();
2180         exit(0);
2181
2182 ###
2183 ### Download Certificate
2184 ###
2185 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download certificate'}) {
2186     &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2187
2188     if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
2189         print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\r\n";
2190         print "Content-Type: application/octet-stream\r\n\r\n";
2191         print `/bin/cat ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
2192         exit (0);
2193     }
2194
2195 ###
2196 ### Enable/Disable connection
2197 ###
2198
2199 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {
2200     
2201     &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
2202     &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2203
2204     if ($confighash{$cgiparams{'KEY'}}) {
2205            if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') {
2206             $confighash{$cgiparams{'KEY'}}[0] = 'on';
2207             &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2208             #&writeserverconf();
2209 #           if ($vpnsettings{'ENABLED'} eq 'on' ||
2210 #               $vpnsettings{'ENABLED_BLUE'} eq 'on') {
2211 #               system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
2212 #           }
2213         } else {
2214             $confighash{$cgiparams{'KEY'}}[0] = 'off';
2215 #           if ($vpnsettings{'ENABLED'} eq 'on' ||
2216 #               $vpnsettings{'ENABLED_BLUE'} eq 'on') {
2217 #               system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});
2218 #           }
2219             &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2220             #&writeserverconf();
2221         }
2222     } else {
2223         $errormessage = $Lang::tr{'invalid key'};
2224     }
2225
2226 ###
2227 ### Restart connection
2228 ###
2229 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'restart'}) {
2230     &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
2231     &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2232
2233     if ($confighash{$cgiparams{'KEY'}}) {
2234 #       if ($vpnsettings{'ENABLED'} eq 'on' ||
2235 #           $vpnsettings{'ENABLED_BLUE'} eq 'on') {
2236 #           system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
2237 #       }
2238     } else {
2239         $errormessage = $Lang::tr{'invalid key'};
2240     }
2241
2242 ###
2243 ### Remove connection
2244 ###
2245 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) {
2246     &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
2247     &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2248
2249     if ($confighash{$cgiparams{'KEY'}}) {
2250 #       if ($vpnsettings{'ENABLED'} eq 'on' ||
2251 #           $vpnsettings{'ENABLED_BLUE'} eq 'on') {
2252 #           system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});
2253 #       }
2254         unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
2255         unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
2256         delete $confighash{$cgiparams{'KEY'}};
2257         &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2258         #&writeserverconf();
2259     } else {
2260         $errormessage = $Lang::tr{'invalid key'};
2261     }
2262 #test33
2263
2264 ###
2265 ### Choose between adding a host-net or net-net connection
2266 ###
2267
2268 ###
2269 # m.a.d net2net
2270 ###
2271
2272 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'add'} && $cgiparams{'TYPE'} eq '') {
2273         &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
2274         &Header::showhttpheaders();
2275         &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
2276         &Header::openbigbox('100%', 'LEFT', '', '');
2277         &Header::openbox('100%', 'LEFT', $Lang::tr{'connection type'});
2278
2279 if ( -s "${General::swroot}/ovpn/settings") {
2280
2281         print <<END
2282             <b>$Lang::tr{'connection type'}:</b><br />
2283             <table><form method='post' ENCTYPE="multipart/form-data">
2284             <tr><td><input type='radio' name='TYPE' value='host' checked /></td>
2285                 <td class='base'>$Lang::tr{'host to net vpn'}</td></tr>
2286             <tr><td><input type='radio' name='TYPE' value='net' /></td>
2287                 <td class='base'>$Lang::tr{'net to net vpn'}</td></tr>
2288                 <tr><td><input type='radio' name='TYPE' value='net2net' /></td>         
2289                 <td class='base'>$Lang::tr{'net to net vpn'} (Upload Client Package)</td></tr>
2290           <tr><td>&nbsp;</td><td class='base'><input type='file' name='FH' size='30'></td></tr>
2291           <tr><td>&nbsp;</td><td>Import Connection Name <img src='/blob.gif' /></td></tr>
2292     <tr><td>&nbsp;</td><td class='base'><input type='text' name='n2nname' size='30'><td class='base'>Default : Client Packagename</td></td></tr>
2293           <tr><td colspan='3'><hr /></td></tr>
2294     <tr><td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td></tr>
2295           <tr><td>&nbsp;</td></tr>
2296           <tr><td class='base' colspan='3' align='left'><img src='/blob.gif' alt='*' />&nbsp;$Lang::tr{'this field may be blank'}</td></tr>
2297             </form></table>
2298 END
2299         ;
2300
2301 } else {
2302         print <<END
2303                     <b>$Lang::tr{'connection type'}:</b><br />
2304             <table><form method='post' ENCTYPE="multipart/form-data">
2305             <tr><td><input type='radio' name='TYPE' value='host' checked /></td> <td class='base'>$Lang::tr{'host to net vpn'}</td></tr>
2306             <tr><td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td></tr>
2307             </form></table>
2308 END
2309         ;
2310
2311 }
2312
2313         &Header::closebox();
2314         &Header::closebigbox();
2315         &Header::closepage();
2316         exit (0);
2317
2318 ###
2319 # m.a.d net2net
2320 ###
2321
2322 }  elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) && ($cgiparams{'TYPE'} eq 'net2net')){
2323
2324         my @firen2nconf;
2325         my @confdetails;
2326         my $uplconffilename ='';
2327         my $uplconffilename2 ='';
2328         my $uplp12name = '';
2329         my $uplp12name2 = '';
2330         my @rem_subnet;
2331         my @rem_subnet2;
2332         my @tmposupnet3;        
2333         my $key;
2334         my @n2nname;
2335
2336         &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);    
2337
2338 # Check if a file is uploaded
2339
2340         if (ref ($cgiparams{'FH'}) ne 'Fh') {
2341                 $errormessage = $Lang::tr{'there was no file upload'};
2342                 goto N2N_ERROR;
2343     }
2344
2345 # Move uploaded IPfire n2n package to temporary file
2346
2347     (my $fh, my $filename) = tempfile( );
2348     if (copy ($cgiparams{'FH'}, $fh) != 1) {
2349                 $errormessage = $!;
2350                 goto N2N_ERROR;
2351     }
2352
2353         my $zip = Archive::Zip->new();
2354         my $zipName = $filename;
2355         my $status = $zip->read( $zipName );
2356         if ($status != AZ_OK) {   
2357                 $errormessage = "Read of $zipName failed\n";
2358                 goto N2N_ERROR;
2359         }
2360
2361         my $tempdir = tempdir( CLEANUP => 1 );
2362         my @files = $zip->memberNames();
2363         for(@files) {
2364         $zip->extractMemberWithoutPaths($_,"$tempdir/$_");
2365         }
2366         my $countfiles = @files;
2367
2368 # Check if we have not more then 2 files
2369
2370         if ( $countfiles == 2){
2371                 foreach (@files){
2372                         if ( $_ =~ /.conf$/){
2373                                 $uplconffilename = $_;
2374                         }
2375                         if ( $_ =~ /.p12$/){
2376                                 $uplp12name = $_;
2377                         }                       
2378                 }
2379                 if (($uplconffilename eq '') || ($uplp12name eq '')){
2380                         $errormessage = "Either no *.conf or no *.p12 file found\n";
2381                         goto N2N_ERROR;
2382                 }
2383
2384                 open(FILE, "$tempdir/$uplconffilename") or die 'Unable to open*.conf file';
2385                 @firen2nconf = <FILE>;
2386                 close (FILE);
2387                 chomp(@firen2nconf);
2388
2389         } else {
2390
2391                 $errormessage = "Filecount does not match only 2 files are allowed\n";
2392                 goto N2N_ERROR;
2393         }
2394
2395 ###
2396 # m.a.d net2net
2397 ###
2398   
2399  if ($cgiparams{'n2nname'} ne ''){
2400
2401   $uplconffilename2 = "$cgiparams{'n2nname'}.conf"; 
2402   $uplp12name2 = "$cgiparams{'n2nname'}.p12"; 
2403   $n2nname[0] = $cgiparams{'n2nname'};
2404   my @n2nname2 = split(/\./,$uplconffilename);
2405   $n2nname2[0] =~ s/\n|\r//g;
2406   my $input1 = "${General::swroot}/ovpn/certs/$uplp12name";
2407         my $output1 = "${General::swroot}/ovpn/certs/$uplp12name2";
2408         my $input2 = "$n2nname2[0]n2n";
2409   my $output2 = "$n2nname[0]n2n";
2410   my $filename = "$tempdir/$uplconffilename";
2411   open(FILE, "< $filename") or die 'Unable to open config file.';
2412         my @current = <FILE>;
2413         close(FILE);
2414         foreach (@current) {s/$input1/$output1/g;}
2415         foreach (@current) {s/$input2/$output2/g;}
2416   open (OUT, "> $filename") || die 'Unable to open config file.';
2417   print OUT @current;
2418   close OUT;
2419
2420     }else{
2421     $uplconffilename2 =  $uplconffilename;
2422     $uplp12name2 = $uplp12name;
2423     @n2nname = split(/\./,$uplconffilename);
2424     $n2nname[0] =~ s/\n|\r//g;
2425    } 
2426     unless(-d "${General::swroot}/ovpn/n2nconf/"){mkdir "${General::swroot}/ovpn/n2nconf", 0755 or die "Unable to create dir $!";}
2427     unless(-d "${General::swroot}/ovpn/n2nconf/$n2nname[0]"){mkdir "${General::swroot}/ovpn/n2nconf/$n2nname[0]", 0770 or die "Unable to create dir $!";}   
2428
2429         move("$tempdir/$uplconffilename", "${General::swroot}/ovpn/n2nconf/$n2nname[0]/$uplconffilename2");
2430
2431         if ($? ne 0) {
2432             $errormessage = "*.conf move failed: $!";
2433             unlink ($filename);
2434             goto N2N_ERROR;
2435         }
2436         
2437         move("$tempdir/$uplp12name", "${General::swroot}/ovpn/certs/$uplp12name2");
2438         chmod 0600, "${General::swroot}/ovpn/certs/$uplp12name";
2439         
2440         if ($? ne 0) {
2441             $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
2442             unlink ($filename);
2443             goto N2N_ERROR;
2444         }       
2445         
2446 my $complzoactive;
2447 my $mssfixactive;
2448 my $n2nfragment;
2449 my @n2nproto2 = split(/ /, (grep { /^proto/ } @firen2nconf)[0]);
2450 my @n2nproto = split(/-/, $n2nproto2[1]);
2451 my @n2nport = split(/ /, (grep { /^port/ } @firen2nconf)[0]);
2452 my @n2ntunmtu = split(/ /, (grep { /^tun-mtu/ } @firen2nconf)[0]);
2453 my @n2ncomplzo = grep { /^comp-lzo/ } @firen2nconf;
2454 if ($n2ncomplzo[0] =~ /comp-lzo/){$complzoactive = "on";} else {$complzoactive = "off";}        
2455 my @n2nmssfix  = grep { /^mssfix/ } @firen2nconf;
2456 if ($n2nmssfix[0] =~ /mssfix/){$mssfixactive = "on";} else {$mssfixactive = "off";}
2457 #my @n2nmssfix = split(/ /, (grep { /^mssfix/ } @firen2nconf)[0]);
2458 my @n2nfragment = split(/ /, (grep { /^fragment/ } @firen2nconf)[0]);
2459 my @n2nremote = split(/ /, (grep { /^remote/ } @firen2nconf)[0]);
2460 my @n2novpnsuball = split(/ /, (grep { /^ifconfig/ } @firen2nconf)[0]);
2461 my @n2novpnsub =  split(/\./,$n2novpnsuball[1]);
2462 my @n2nremsub = split(/ /, (grep { /^route/ } @firen2nconf)[0]);
2463 my @n2nmgmt =  split(/ /, (grep { /^management/ } @firen2nconf)[0]);
2464 my @n2nlocalsub  = split(/ /, (grep { /^# remsub/ } @firen2nconf)[0]);
2465
2466
2467 ###
2468 # m.a.d delete CR and LF from arrays for this chomp doesnt work
2469 ###
2470
2471 $n2nremote[1] =~ s/\n|\r//g;
2472 $n2novpnsub[0] =~ s/\n|\r//g;
2473 $n2novpnsub[1] =~ s/\n|\r//g;
2474 $n2novpnsub[2] =~ s/\n|\r//g;
2475 $n2nproto[0] =~ s/\n|\r//g;
2476 $n2nport[1] =~ s/\n|\r//g;
2477 $n2ntunmtu[1] =~ s/\n|\r//g;
2478 $n2nremsub[1] =~ s/\n|\r//g;
2479 $n2nremsub[2] =~ s/\n|\r//g;
2480 $n2nlocalsub[2] =~ s/\n|\r//g;
2481 $n2nfragment[1] =~ s/\n|\r//g;
2482 $n2nmgmt[2] =~ s/\n|\r//g;
2483 chomp ($complzoactive);
2484 chomp ($mssfixactive);
2485
2486 ###
2487 # m.a.d net2net
2488 ###
2489
2490 ###
2491 # Check if there is no other entry with this name
2492 ###
2493
2494         foreach my $dkey (keys %confighash) {
2495                 if ($confighash{$dkey}[1] eq $n2nname[0]) {
2496                         $errormessage = $Lang::tr{'a connection with this name already exists'};
2497                         unlink ("${General::swroot}/ovpn/n2nconf/$n2nname[0]/$n2nname[0].conf") or die "Removing Configfile fail: $!";
2498             unlink ("${General::swroot}/ovpn/certs/$n2nname[0].p12") or die "Removing Certfile fail: $!";
2499       rmdir ("${General::swroot}/ovpn/n2nconf/$n2nname[0]") || die "Removing Directory fail: $!";
2500                         goto N2N_ERROR;                 
2501                 }
2502         }
2503
2504 ###
2505 # Check if OpenVPN Subnet is valid
2506 ###
2507
2508 foreach my $dkey (keys %confighash) {
2509                 if ($confighash{$dkey}[27] eq "$n2novpnsub[0].$n2novpnsub[1].$n2novpnsub[2].0/255.255.255.0") {
2510                         $errormessage = 'The OpenVPN Subnet is already in use';
2511                         unlink ("${General::swroot}/ovpn/n2nconf/$n2nname[0]/$n2nname[0].conf") or die "Removing Configfile fail: $!";
2512             unlink ("${General::swroot}/ovpn/certs/$n2nname[0].p12") or die "Removing Certfile fail: $!";
2513       rmdir ("${General::swroot}/ovpn/n2nconf/$n2nname[0]") || die "Removing Directory fail: $!";
2514                         goto N2N_ERROR;                 
2515                 }
2516         }
2517
2518 ###
2519 # Check im Dest Port is vaild
2520 ###
2521
2522 foreach my $dkey (keys %confighash) {
2523                 if ($confighash{$dkey}[29] eq $n2nport[1] ) {
2524                         $errormessage = 'The OpenVPN Port is already in use';
2525                         unlink ("${General::swroot}/ovpn/n2nconf/$n2nname[0]/$n2nname[0].conf") or die "Removing Configfile fail: $!";
2526             unlink ("${General::swroot}/ovpn/certs/$n2nname[0].p12") or die "Removing Certfile fail: $!";
2527       rmdir ("${General::swroot}/ovpn/n2nconf/$n2nname[0]") || die "Removing Directory fail: $!";
2528                         goto N2N_ERROR;                 
2529                 }
2530         }
2531         
2532         
2533         
2534   $key = &General::findhasharraykey (\%confighash);
2535
2536         foreach my $i (0 .. 31) { $confighash{$key}[$i] = "";}
2537         $confighash{$key}[0] = 'off';
2538         $confighash{$key}[1] = $n2nname[0];
2539   $confighash{$key}[2] = $n2nname[0];   
2540         $confighash{$key}[3] = 'net';
2541         $confighash{$key}[4] = 'cert';  
2542         $confighash{$key}[6] = 'client';                
2543         $confighash{$key}[8] =  $n2nlocalsub[2];
2544   $confighash{$key}[10] = $n2nremote[1];
2545   $confighash{$key}[11] = "$n2nremsub[1]/$n2nremsub[2]";                
2546         $confighash{$key}[22] = $n2nmgmt[2];
2547   $confighash{$key}[23] = $mssfixactive;
2548         $confighash{$key}[24] = $n2nfragment[1];
2549   $confighash{$key}[25] = 'IPFire n2n Client';
2550         $confighash{$key}[26] = 'red';
2551   $confighash{$key}[27] = "$n2novpnsub[0].$n2novpnsub[1].$n2novpnsub[2].0/255.255.255.0";
2552   $confighash{$key}[28] = $n2nproto[0];
2553   $confighash{$key}[29] = $n2nport[1];
2554   $confighash{$key}[30] = $complzoactive;
2555   $confighash{$key}[31] = $n2ntunmtu[1];
2556
2557
2558   &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2559  
2560   N2N_ERROR:
2561                 
2562         &Header::showhttpheaders();
2563         &Header::openpage('Validate imported configuration', 1, '');
2564         &Header::openbigbox('100%', 'LEFT', '', $errormessage);
2565         if ($errormessage) {
2566             &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
2567             print "<class name='base'>$errormessage";
2568             print "&nbsp;</class>";
2569             &Header::closebox();                
2570
2571         } else 
2572   {             
2573                 &Header::openbox('100%', 'LEFT', 'import ipfire net2net config');
2574         }
2575         if ($errormessage eq ''){
2576                 print <<END             
2577                 <!-- ipfire net2net config gui -->
2578                 <table width='100%'>
2579                 <tr><td width='25%'>&nbsp;</td><td width='25%'>&nbsp;</td></tr>
2580     <tr><td class='boldbase'>$Lang::tr{'name'}:</td><td><b>$n2nname[0]</b></td></tr>
2581     <tr><td>&nbsp;</td><td>&nbsp;</td></tr>     
2582                 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'Act as'}</td><td><b>$confighash{$key}[6]</b></td></tr>                                                              
2583                 <tr><td class='boldbase' nowrap='nowrap'>Remote Host </td><td><b>$confighash{$key}[10]</b></td></tr>
2584                 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'local subnet'}</td><td><b>$confighash{$key}[8]</b></td></tr>
2585                 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'remote subnet'}</td><td><b>$confighash{$key}[11]</b></td></tr>
2586                 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn subnet'}</td><td><b>$confighash{$key}[27]</b></td></tr>
2587                 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'protocol'}</td><td><b>$confighash{$key}[28]</b></td></tr>
2588                 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'destination port'}:</td><td><b>$confighash{$key}[29]</b></td></tr>
2589                 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'}</td><td><b>$confighash{$key}[30]</b></td></tr>
2590                 <tr><td class='boldbase' nowrap='nowrap'>MSSFIX </td><td><b>$confighash{$key}[23]</b></td></tr>
2591                 <tr><td class='boldbase' nowrap='nowrap'>Fragment </td><td><b>$confighash{$key}[24]</b></td></tr>
2592                 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'MTU'}</td><td><b>$confighash{$key}[31]</b></td></tr>
2593                 <tr><td class='boldbase' nowrap='nowrap'>Management Port </td><td><b>$confighash{$key}[22]</b></td></tr>
2594                 <tr><td>&nbsp;</td><td>&nbsp;</td></tr> 
2595     </table>
2596 END
2597 ;       
2598                 &Header::closebox();
2599         }
2600
2601         if ($errormessage) {
2602                 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2603         } else {        
2604                 print "<div align='center'><form method='post' ENCTYPE='multipart/form-data'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' />";           
2605                 print "<input type='hidden' name='TYPE' value='net2netakn' />";
2606                 print "<input type='hidden' name='KEY' value='$key' />";                        
2607                 print "<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></div></form>";
2608         }       
2609         &Header::closebigbox();
2610         &Header::closepage();
2611         exit(0);        
2612
2613
2614 ##
2615 ### Accept IPFire n2n Package Settings
2616 ###
2617
2618   }  elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) && ($cgiparams{'TYPE'} eq 'net2netakn')){
2619
2620 ###
2621 ### Discard and Rollback IPFire n2n Package Settings
2622 ###
2623
2624   }  elsif (($cgiparams{'ACTION'} eq $Lang::tr{'cancel'}) && ($cgiparams{'TYPE'} eq 'net2netakn')){
2625      
2626      &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2627
2628 if ($confighash{$cgiparams{'KEY'}}) {
2629
2630      my $conffile = glob("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]/$confighash{$cgiparams{'KEY'}}[1].conf");
2631      my $certfile = glob("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
2632      unlink ($certfile) or die "Removing $certfile fail: $!";
2633      unlink ($conffile) or die "Removing $conffile fail: $!";
2634      rmdir ("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") || die "Kann Verzeichnis nicht loeschen: $!";
2635      delete $confighash{$cgiparams{'KEY'}};
2636     &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);       
2637
2638      } else {
2639                 $errormessage = $Lang::tr{'invalid key'};
2640    }    
2641     
2642
2643 ###
2644 # m.a.d net2net
2645 ###
2646
2647
2648 ###
2649 ### Adding a new connection
2650 ###
2651 } elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) ||
2652          ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) ||
2653          ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq '')) {
2654
2655     &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
2656     &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
2657     &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2658
2659     if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) {
2660         if (! $confighash{$cgiparams{'KEY'}}[0]) {
2661             $errormessage = $Lang::tr{'invalid key'};
2662             goto VPNCONF_END;
2663         }
2664         $cgiparams{'ENABLED'}   = $confighash{$cgiparams{'KEY'}}[0];
2665         $cgiparams{'NAME'}      = $confighash{$cgiparams{'KEY'}}[1];
2666         $cgiparams{'TYPE'}      = $confighash{$cgiparams{'KEY'}}[3];
2667         $cgiparams{'AUTH'}      = $confighash{$cgiparams{'KEY'}}[4];
2668         $cgiparams{'PSK'}       = $confighash{$cgiparams{'KEY'}}[5];
2669         $cgiparams{'SIDE'}      = $confighash{$cgiparams{'KEY'}}[6];
2670         $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8];
2671   $cgiparams{'REMOTE'}  = $confighash{$cgiparams{'KEY'}}[10];
2672   $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11];
2673 # n2n m.a.d new fields
2674   $cgiparams{'OVPN_MGMT'} = $confighash{$cgiparams{'KEY'}}[22];
2675   $cgiparams{'MSSFIX'} = $confighash{$cgiparams{'KEY'}}[23];
2676   $cgiparams{'FRAGMENT'} = $confighash{$cgiparams{'KEY'}}[24];
2677         $cgiparams{'REMARK'}    = $confighash{$cgiparams{'KEY'}}[25];
2678         $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26];
2679 #new fields     
2680         $cgiparams{'OVPN_SUBNET'} = $confighash{$cgiparams{'KEY'}}[27];
2681         $cgiparams{'PROTOCOL'}    = $confighash{$cgiparams{'KEY'}}[28];
2682         $cgiparams{'DEST_PORT'}   = $confighash{$cgiparams{'KEY'}}[29];
2683         $cgiparams{'COMPLZO'}     = $confighash{$cgiparams{'KEY'}}[30];
2684         $cgiparams{'MTU'}         = $confighash{$cgiparams{'KEY'}}[31];
2685
2686 #new fields
2687 #ab hiere error uebernehmen
2688
2689     } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
2690         $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
2691         
2692   if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
2693             $errormessage = $Lang::tr{'connection type is invalid'};
2694             if ($cgiparams{'TYPE'} eq 'net') {
2695       unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
2696             rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
2697       }
2698             goto VPNCONF_ERROR;
2699         }
2700
2701
2702         if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) {
2703             $errormessage = $Lang::tr{'name must only contain characters'};
2704       if ($cgiparams{'TYPE'} eq 'net') {
2705       unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
2706             rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
2707       }
2708       goto VPNCONF_ERROR;
2709   }
2710
2711         if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault)$/) {
2712             $errormessage = $Lang::tr{'name is invalid'};
2713             if ($cgiparams{'TYPE'} eq 'net') {
2714       unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
2715             rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
2716       }
2717             goto VPNCONF_ERROR;
2718         }
2719
2720         if (length($cgiparams{'NAME'}) >60) {
2721             $errormessage = $Lang::tr{'name too long'};
2722             if ($cgiparams{'TYPE'} eq 'net') {
2723       unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
2724             rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
2725       }
2726             goto VPNCONF_ERROR;
2727         }
2728
2729 ###
2730 # m.a.d net2net
2731 ###
2732
2733 if ($cgiparams{'TYPE'} eq 'net') {
2734                 
2735     if ($cgiparams{'DEST_PORT'} eq  $vpnsettings{'DDEST_PORT'}) {
2736                         $errormessage = $Lang::tr{'openvpn destination port used'};
2737                         unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
2738             rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
2739       goto VPNCONF_ERROR;                       
2740                 }
2741     
2742     if ($cgiparams{'DEST_PORT'} eq  '') {
2743                         $errormessage = $Lang::tr{'openvpn destination port used'};
2744                         unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
2745             rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
2746       goto VPNCONF_ERROR;                       
2747                 }
2748
2749     if ($cgiparams{'OVPN_SUBNET'} eq  $vpnsettings{'DOVPN_SUBNET'}) {
2750                         $errormessage = $Lang::tr{'openvpn subnet is used'};
2751                         unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
2752             rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
2753                         goto VPNCONF_ERROR;                     
2754                 }
2755
2756           if (($cgiparams{'PROTOCOL'} eq 'tcp') && ($cgiparams{'MSSFIX'} eq 'on')) {
2757             $errormessage = $Lang::tr{'openvpn mssfix allowed with udp'};
2758             unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
2759             rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
2760             goto VPNCONF_ERROR;
2761     }
2762      
2763     if (($cgiparams{'PROTOCOL'} eq 'tcp') && ($cgiparams{'FRAGMENT'} ne '')) {
2764             $errormessage = $Lang::tr{'openvpn fragment allowed with udp'};
2765             unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
2766             rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
2767             goto VPNCONF_ERROR;
2768     }
2769
2770     if ( &validdotmask ($cgiparams{'LOCAL_SUBNET'}))  {
2771                   $errormessage = $Lang::tr{'openvpn prefix local subnet'};
2772                   unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
2773             rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
2774                   goto VPNCONF_ERROR;
2775                 } 
2776     
2777     if ( &validdotmask ($cgiparams{'OVPN_SUBNET'}))  {
2778                   $errormessage = $Lang::tr{'openvpn prefix openvpn subnet'};
2779                   unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
2780             rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
2781                   goto VPNCONF_ERROR;
2782                 } 
2783     
2784     if ( &validdotmask ($cgiparams{'REMOTE_SUBNET'}))  {
2785                   $errormessage = $Lang::tr{'openvpn prefix remote subnet'};
2786                   unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
2787             rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
2788                   goto VPNCONF_ERROR;
2789                 } 
2790
2791     if ($cgiparams{'OVPN_MGMT'} eq  '') {
2792                         $cgiparams{'OVPN_MGMT'} = $cgiparams{'DEST_PORT'};              
2793                 }
2794    
2795 }
2796
2797 #       if (($cgiparams{'TYPE'} eq 'net') && ($cgiparams{'SIDE'} !~ /^(left|right)$/)) {
2798 #           $errormessage = $Lang::tr{'ipfire side is invalid'};
2799 #           goto VPNCONF_ERROR;
2800 #       }
2801
2802         # Check if there is no other entry with this name
2803         if (! $cgiparams{'KEY'}) {
2804             foreach my $key (keys %confighash) {
2805                 if ($confighash{$key}[1] eq $cgiparams{'NAME'}) {
2806                     $errormessage = $Lang::tr{'a connection with this name already exists'};
2807                     if ($cgiparams{'TYPE'} eq 'net') {
2808         unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
2809               rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
2810         }
2811                     goto VPNCONF_ERROR;
2812                 }
2813             }
2814         }
2815
2816         if (($cgiparams{'TYPE'} eq 'net') && (! $cgiparams{'REMOTE'})) {
2817             $errormessage = $Lang::tr{'invalid input for remote host/ip'};
2818             if ($cgiparams{'TYPE'} eq 'net') {
2819       unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
2820             rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
2821       }
2822             goto VPNCONF_ERROR;
2823         }
2824
2825         if ($cgiparams{'REMOTE'}) {
2826             if (! &General::validip($cgiparams{'REMOTE'})) {
2827                 if (! &General::validfqdn ($cgiparams{'REMOTE'}))  {
2828                     $errormessage = $Lang::tr{'invalid input for remote host/ip'};
2829                     if ($cgiparams{'TYPE'} eq 'net') {
2830         unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
2831               rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
2832         }
2833                     goto VPNCONF_ERROR;
2834                 } else {
2835                     if (&valid_dns_host($cgiparams{'REMOTE'})) {
2836                         $warnmessage = "$Lang::tr{'check vpn lr'} $cgiparams{'REMOTE'}. $Lang::tr{'dns check failed'}";
2837                         if ($cgiparams{'TYPE'} eq 'net') {
2838
2839       }
2840                     }
2841                 }
2842             }
2843         }
2844         if ($cgiparams{'TYPE'} ne 'host') {
2845             unless (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) {
2846                     $errormessage = $Lang::tr{'local subnet is invalid'}; 
2847                     if ($cgiparams{'TYPE'} eq 'net') {
2848               unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
2849                     rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
2850               }
2851                         goto VPNCONF_ERROR;}
2852         }
2853         # Check if there is no other entry without IP-address and PSK
2854         if ($cgiparams{'REMOTE'} eq '') {
2855             foreach my $key (keys %confighash) {
2856                 if(($cgiparams{'KEY'} ne $key) && 
2857                    ($confighash{$key}[4] eq 'psk' || $cgiparams{'AUTH'} eq 'psk') && 
2858                     $confighash{$key}[10] eq '') {
2859                         $errormessage = $Lang::tr{'you can only define one roadwarrior connection when using pre-shared key authentication'};
2860                         goto VPNCONF_ERROR;
2861                 }
2862             }
2863         }
2864         if (($cgiparams{'TYPE'} eq 'net') && (! &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) {
2865                 $errormessage = $Lang::tr{'remote subnet is invalid'};
2866                 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
2867                       rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
2868                 goto VPNCONF_ERROR;
2869         }
2870
2871         if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
2872             $errormessage = $Lang::tr{'invalid input'};
2873             goto VPNCONF_ERROR;
2874         }
2875         if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) {
2876             $errormessage = $Lang::tr{'invalid input'};
2877             goto VPNCONF_ERROR;
2878         }
2879
2880 #fixplausi
2881         if ($cgiparams{'AUTH'} eq 'psk')  {
2882 #           if (! length($cgiparams{'PSK'}) ) {
2883 #               $errormessage = $Lang::tr{'pre-shared key is too short'};
2884 #               goto VPNCONF_ERROR;
2885 #           }
2886 #           if ($cgiparams{'PSK'} =~ /['",&]/) {
2887 #               $errormessage = $Lang::tr{'invalid characters found in pre-shared key'};
2888 #               goto VPNCONF_ERROR;
2889 #           }
2890         } elsif ($cgiparams{'AUTH'} eq 'certreq') {
2891             if ($cgiparams{'KEY'}) {
2892                 $errormessage = $Lang::tr{'cant change certificates'};
2893                 goto VPNCONF_ERROR;
2894             }
2895             if (ref ($cgiparams{'FH'}) ne 'Fh') {
2896                 $errormessage = $Lang::tr{'there was no file upload'};
2897                 goto VPNCONF_ERROR;
2898             }
2899
2900             # Move uploaded certificate request to a temporary file
2901             (my $fh, my $filename) = tempfile( );
2902             if (copy ($cgiparams{'FH'}, $fh) != 1) {
2903                 $errormessage = $!;
2904                 goto VPNCONF_ERROR;
2905             }
2906
2907             # Sign the certificate request and move it
2908             # Sign the host certificate request
2909             system('/usr/bin/openssl', 'ca', '-days', '999999',
2910                 '-batch', '-notext',
2911                 '-in', $filename,
2912                 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
2913                 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
2914             if ($?) {
2915                 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
2916                 unlink ($filename);
2917                 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
2918                 &newcleanssldatabase();
2919                 goto VPNCONF_ERROR;
2920             } else {
2921                 unlink ($filename);
2922                 &deletebackupcert();
2923             }
2924
2925             my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`;
2926             $temp =~ /Subject:.*CN=(.*)[\n]/;
2927             $temp = $1;
2928             $temp =~ s+/Email+, E+;
2929             $temp =~ s/ ST=/ S=/;
2930             $cgiparams{'CERT_NAME'} = $temp;
2931             $cgiparams{'CERT_NAME'} =~ s/,//g;
2932             $cgiparams{'CERT_NAME'} =~ s/\'//g;
2933             if ($cgiparams{'CERT_NAME'} eq '') {
2934                 $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
2935                 goto VPNCONF_ERROR;
2936             }
2937         } elsif ($cgiparams{'AUTH'} eq 'certfile') {
2938             if ($cgiparams{'KEY'}) {
2939                 $errormessage = $Lang::tr{'cant change certificates'};
2940                 goto VPNCONF_ERROR;
2941             }
2942             if (ref ($cgiparams{'FH'}) ne 'Fh') {
2943                 $errormessage = $Lang::tr{'there was no file upload'};
2944                 goto VPNCONF_ERROR;
2945             }
2946             # Move uploaded certificate to a temporary file
2947             (my $fh, my $filename) = tempfile( );
2948             if (copy ($cgiparams{'FH'}, $fh) != 1) {
2949                 $errormessage = $!;
2950                 goto VPNCONF_ERROR;
2951             }
2952
2953             # Verify the certificate has a valid CA and move it
2954             my $validca = 0;
2955             my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/cacert.pem $filename`;
2956             if ($test =~ /: OK/) {
2957                 $validca = 1;
2958             } else {
2959                 foreach my $key (keys %cahash) {
2960                     $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$key}[0]cert.pem $filename`;
2961                     if ($test =~ /: OK/) {
2962                         $validca = 1;
2963                     }
2964                 }
2965             }
2966             if (! $validca) {
2967                 $errormessage = $Lang::tr{'certificate does not have a valid ca associated with it'};
2968                 unlink ($filename);
2969                 goto VPNCONF_ERROR;
2970             } else {
2971                 move($filename, "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
2972                 if ($? ne 0) {
2973                     $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
2974                     unlink ($filename);
2975                     goto VPNCONF_ERROR;
2976                 }
2977             }
2978
2979             my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`;
2980             $temp =~ /Subject:.*CN=(.*)[\n]/;
2981             $temp = $1;
2982             $temp =~ s+/Email+, E+;
2983             $temp =~ s/ ST=/ S=/;
2984             $cgiparams{'CERT_NAME'} = $temp;
2985             $cgiparams{'CERT_NAME'} =~ s/,//g;
2986             $cgiparams{'CERT_NAME'} =~ s/\'//g;
2987             if ($cgiparams{'CERT_NAME'} eq '') {
2988                 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
2989                 $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
2990                 goto VPNCONF_ERROR;
2991             }
2992         } elsif ($cgiparams{'AUTH'} eq 'certgen') {
2993             if ($cgiparams{'KEY'}) {
2994                 $errormessage = $Lang::tr{'cant change certificates'};
2995                 goto VPNCONF_ERROR;
2996             }
2997             # Validate input since the form was submitted
2998             if (length($cgiparams{'CERT_NAME'}) >60) {
2999                 $errormessage = $Lang::tr{'name too long'};
3000                 goto VPNCONF_ERROR;
3001             }
3002             if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
3003                 $errormessage = $Lang::tr{'invalid input for name'};
3004                 goto VPNCONF_ERROR;
3005             }
3006             if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) {
3007                 $errormessage = $Lang::tr{'invalid input for e-mail address'};
3008                 goto VPNCONF_ERROR;
3009             }
3010             if (length($cgiparams{'CERT_EMAIL'}) > 40) {
3011                 $errormessage = $Lang::tr{'e-mail address too long'};
3012                 goto VPNCONF_ERROR;
3013             }
3014             if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
3015                 $errormessage = $Lang::tr{'invalid input for department'};
3016                 goto VPNCONF_ERROR;
3017             }
3018             if (length($cgiparams{'CERT_ORGANIZATION'}) >60) {
3019                 $errormessage = $Lang::tr{'organization too long'};
3020                 goto VPNCONF_ERROR;
3021             }
3022             if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
3023                 $errormessage = $Lang::tr{'invalid input for organization'};
3024                 goto VPNCONF_ERROR;
3025             }
3026             if ($cgiparams{'CERT_CITY'} ne '' && $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
3027                 $errormessage = $Lang::tr{'invalid input for city'};
3028                 goto VPNCONF_ERROR;
3029             }
3030             if ($cgiparams{'CERT_STATE'} ne '' && $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
3031                 $errormessage = $Lang::tr{'invalid input for state or province'};
3032                 goto VPNCONF_ERROR;
3033             }
3034             if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) {
3035                 $errormessage = $Lang::tr{'invalid input for country'};
3036                 goto VPNCONF_ERROR;
3037             }
3038             if ($cgiparams{'CERT_PASS1'} ne '' && $cgiparams{'CERT_PASS2'} ne ''){
3039                 if (length($cgiparams{'CERT_PASS1'}) < 5) {
3040                     $errormessage = $Lang::tr{'password too short'};
3041                     goto VPNCONF_ERROR;
3042                 }
3043             }   
3044             if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) {
3045                 $errormessage = $Lang::tr{'passwords do not match'};
3046                 goto VPNCONF_ERROR;
3047             }
3048
3049             # Replace empty strings with a .
3050             (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./;
3051             (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./;
3052             (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./;
3053
3054             # Create the Host certificate request client
3055             my $pid = open(OPENSSL, "|-");
3056             $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto VPNCONF_ERROR;};
3057             if ($pid) { # parent
3058                 print OPENSSL "$cgiparams{'CERT_COUNTRY'}\n";
3059                 print OPENSSL "$state\n";
3060                 print OPENSSL "$city\n";
3061                 print OPENSSL "$cgiparams{'CERT_ORGANIZATION'}\n";
3062                 print OPENSSL "$ou\n";
3063                 print OPENSSL "$cgiparams{'CERT_NAME'}\n";
3064                 print OPENSSL "$cgiparams{'CERT_EMAIL'}\n";
3065                 print OPENSSL ".\n";
3066                 print OPENSSL ".\n";
3067                 close (OPENSSL);
3068                 if ($?) {
3069                     $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
3070                     unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}key.pem");
3071                     unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}req.pem");
3072                     goto VPNCONF_ERROR;
3073                 }
3074             } else {    # child
3075                 unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache',
3076                         '-newkey', 'rsa:1024',
3077                         '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
3078                         '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
3079                         '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
3080                     $errormessage = "$Lang::tr{'cant start openssl'}: $!";
3081                     unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
3082                     unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
3083                     goto VPNCONF_ERROR;
3084                 }
3085             }
3086         
3087             # Sign the host certificate request
3088             system('/usr/bin/openssl', 'ca', '-days', '999999',
3089                 '-batch', '-notext',
3090                 '-in',  "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
3091                 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
3092                 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
3093             if ($?) {
3094                 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
3095                 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
3096                 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
3097                 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
3098                 &newcleanssldatabase();
3099                 goto VPNCONF_ERROR;
3100             } else {
3101                 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
3102                 &deletebackupcert();
3103             }
3104
3105             # Create the pkcs12 file
3106             system('/usr/bin/openssl', 'pkcs12', '-export', 
3107                 '-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
3108                 '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
3109                 '-name', $cgiparams{'NAME'},
3110                 '-passout', "pass:$cgiparams{'CERT_PASS1'}",
3111                 '-certfile', "${General::swroot}/ovpn/ca/cacert.pem", 
3112                 '-caname', "$vpnsettings{'ROOTCERT_ORGANIZATION'} CA",
3113                 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12");
3114             if ($?) {
3115                 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
3116                 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
3117                 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
3118                 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12");
3119                 goto VPNCONF_ERROR;
3120             } else {
3121                 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
3122             }
3123         } elsif ($cgiparams{'AUTH'} eq 'cert') {
3124             ;# Nothing, just editing
3125         } else {
3126             $errormessage = $Lang::tr{'invalid input for authentication method'};
3127             goto VPNCONF_ERROR;
3128         }
3129
3130         # Check if there is no other entry with this common name
3131         if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk')) {
3132             foreach my $key (keys %confighash) {
3133                 if ($confighash{$key}[2] eq $cgiparams{'CERT_NAME'}) {
3134                     $errormessage = $Lang::tr{'a connection with this common name already exists'};
3135                     goto VPNCONF_ERROR;
3136                 }
3137             }
3138         }
3139
3140         # Save the config
3141         my $key = $cgiparams{'KEY'};
3142         if (! $key) {
3143             $key = &General::findhasharraykey (\%confighash);
3144             foreach my $i (0 .. 31) { $confighash{$key}[$i] = "";}
3145         }
3146         $confighash{$key}[0] = $cgiparams{'ENABLED'};
3147         $confighash{$key}[1] = $cgiparams{'NAME'};
3148         if ((! $cgiparams{'KEY'}) && $cgiparams{'AUTH'} ne 'psk') {
3149             $confighash{$key}[2] = $cgiparams{'CERT_NAME'};
3150         }
3151         $confighash{$key}[3] = $cgiparams{'TYPE'};
3152         if ($cgiparams{'AUTH'} eq 'psk') {
3153             $confighash{$key}[4] = 'psk';
3154             $confighash{$key}[5] = $cgiparams{'PSK'};
3155         } else {
3156             $confighash{$key}[4] = 'cert';
3157         }
3158         if ($cgiparams{'TYPE'} eq 'net') {
3159             $confighash{$key}[6] = $cgiparams{'SIDE'};
3160             $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'};
3161         }
3162         $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'};
3163         $confighash{$key}[10] = $cgiparams{'REMOTE'};
3164   if ($cgiparams{'OVPN_MGMT'} eq '') {
3165   $confighash{$key}[22] = $confighash{$key}[29];
3166   } else {
3167   $confighash{$key}[22] = $cgiparams{'OVPN_MGMT'};
3168   }
3169   $confighash{$key}[23] = $cgiparams{'MSSFIX'};
3170   $confighash{$key}[24] = $cgiparams{'FRAGMENT'};
3171         $confighash{$key}[25] = $cgiparams{'REMARK'};
3172         $confighash{$key}[26] = $cgiparams{'INTERFACE'};
3173 # new fields    
3174         $confighash{$key}[27] = $cgiparams{'OVPN_SUBNET'};
3175         $confighash{$key}[28] = $cgiparams{'PROTOCOL'};
3176         $confighash{$key}[29] = $cgiparams{'DEST_PORT'};
3177         $confighash{$key}[30] = $cgiparams{'COMPLZO'};
3178         $confighash{$key}[31] = $cgiparams{'MTU'};
3179 # new fileds    
3180         &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3181
3182 ###
3183 # m.a.d n2n begin
3184 ###
3185         
3186         if ($cgiparams{'TYPE'} eq 'net') {
3187         
3188         if (-e "/var/run/$confighash{$key}[1]n2n.pid") {
3189   system('/usr/local/bin/openvpnctrl', '-kn2n', $confighash{$cgiparams{'KEY'}}[1]);
3190         
3191   &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3192         my $key = $cgiparams{'KEY'};
3193         if (! $key) {
3194             $key = &General::findhasharraykey (\%confighash);
3195             foreach my $i (0 .. 31) { $confighash{$key}[$i] = "";}
3196             }
3197   $confighash{$key}[0] = 'on';
3198   &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3199   
3200   system('/usr/local/bin/openvpnctrl', '-sn2n', $confighash{$cgiparams{'KEY'}}[1]);
3201          }          
3202   }
3203
3204 ###
3205 # m.a.d n2n end
3206 ###     
3207
3208         if ($cgiparams{'EDIT_ADVANCED'} eq 'on') {
3209             $cgiparams{'KEY'} = $key;
3210             $cgiparams{'ACTION'} = $Lang::tr{'advanced'};
3211         }
3212         goto VPNCONF_END;
3213     } else {
3214         $cgiparams{'ENABLED'} = 'on';
3215 ###
3216 # m.a.d n2n begin
3217 ###     
3218         $cgiparams{'MSSFIX'} = 'on';
3219         $cgiparams{'FRAGMENT'} = '1300';
3220 ###
3221 # m.a.d n2n end
3222 ###     
3223         $cgiparams{'SIDE'} = 'left';
3224         if ( ! -f "${General::swroot}/ovpn/ca/cakey.pem" ) {
3225             $cgiparams{'AUTH'} = 'psk';
3226         } elsif ( ! -f "${General::swroot}/ovpn/ca/cacert.pem") {
3227             $cgiparams{'AUTH'} = 'certfile';
3228         } else {
3229             $cgiparams{'AUTH'} = 'certgen';
3230         }
3231         $cgiparams{'LOCAL_SUBNET'}      ="$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
3232         $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'};
3233         $cgiparams{'CERT_CITY'}         = $vpnsettings{'ROOTCERT_CITY'};
3234         $cgiparams{'CERT_STATE'}        = $vpnsettings{'ROOTCERT_STATE'};
3235         $cgiparams{'CERT_COUNTRY'}      = $vpnsettings{'ROOTCERT_COUNTRY'};
3236     }
3237
3238     VPNCONF_ERROR:
3239     $checked{'ENABLED'}{'off'} = '';
3240     $checked{'ENABLED'}{'on'} = '';
3241     $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = 'CHECKED';
3242     $checked{'ENABLED_BLUE'}{'off'} = '';
3243     $checked{'ENABLED_BLUE'}{'on'} = '';
3244     $checked{'ENABLED_BLUE'}{$cgiparams{'ENABLED_BLUE'}} = 'CHECKED';
3245     $checked{'ENABLED_ORANGE'}{'off'} = '';
3246     $checked{'ENABLED_ORANGE'}{'on'} = '';
3247     $checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = 'CHECKED';
3248
3249
3250     $checked{'EDIT_ADVANCED'}{'off'} = '';
3251     $checked{'EDIT_ADVANCED'}{'on'} = '';
3252     $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = 'CHECKED';
3253
3254     $selected{'SIDE'}{'server'} = '';
3255     $selected{'SIDE'}{'client'} = '';
3256     $selected{'SIDE'}{$cgiparams{'SIDE'}} = 'SELECTED';
3257     
3258     $selected{'PROTOCOL'}{'udp'} = '';
3259     $selected{'PROTOCOL'}{'tcp'} = '';
3260     $selected{'PROTOCOL'}{$cgiparams{'PROTOCOL'}} = 'SELECTED';
3261
3262
3263     $checked{'AUTH'}{'psk'} = '';
3264     $checked{'AUTH'}{'certreq'} = '';
3265     $checked{'AUTH'}{'certgen'} = '';
3266     $checked{'AUTH'}{'certfile'} = '';
3267     $checked{'AUTH'}{$cgiparams{'AUTH'}} = 'CHECKED';
3268
3269     $selected{'INTERFACE'}{$cgiparams{'INTERFACE'}} = 'SELECTED';
3270     
3271     $checked{'COMPLZO'}{'off'} = '';
3272     $checked{'COMPLZO'}{'on'} = '';
3273     $checked{'COMPLZO'}{$cgiparams{'COMPLZO'}} = 'CHECKED';
3274
3275     $checked{'MSSFIX'}{'off'} = '';
3276     $checked{'MSSFIX'}{'on'} = '';
3277     $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
3278
3279
3280     if (1) {
3281         &Header::showhttpheaders();