unlink ("${General::swroot}/ovpn/certs/$hexvalue.pem");
}
}
-sub checkportfw {
- my $DPORT = shift;
- my $DPROT = shift;
- my %natconfig =();
- my $confignat = "${General::swroot}/firewall/config";
- $DPROT= uc ($DPROT);
- &General::readhasharray($confignat, \%natconfig);
- foreach my $key (sort keys %natconfig){
- my @portarray = split (/\|/,$natconfig{$key}[30]);
- foreach my $value (@portarray){
- if ($value =~ /:/i){
- my ($a,$b) = split (":",$value);
- if ($DPROT eq $natconfig{$key}[12] && $DPORT gt $a && $DPORT lt $b){
- $errormessage= "$Lang::tr{'source port in use'} $DPORT";
- }
- }else{
- if ($DPROT eq $natconfig{$key}[12] && $DPORT eq $value){
- $errormessage= "$Lang::tr{'source port in use'} $DPORT";
- }
- }
- }
- }
- return;
-}
-
-sub checkportoverlap
-{
- my $portrange1 = $_[0]; # New port range
- my $portrange2 = $_[1]; # existing port range
- my @tempr1 = split(/\:/,$portrange1);
- my @tempr2 = split(/\:/,$portrange2);
-
- unless (&checkportinc($tempr1[0], $portrange2)){ return 0;}
- unless (&checkportinc($tempr1[1], $portrange2)){ return 0;}
-
- unless (&checkportinc($tempr2[0], $portrange1)){ return 0;}
- unless (&checkportinc($tempr2[1], $portrange1)){ return 0;}
-
- return 1; # Everything checks out!
-}
-
-# Darren Critchley - we want to make sure that a port entry is not within an already existing range
-sub checkportinc
-{
- my $port1 = $_[0]; # Port
- my $portrange2 = $_[1]; # Port range
- my @tempr1 = split(/\:/,$portrange2);
-
- if ($port1 < $tempr1[0] || $port1 > $tempr1[1]) {
- return 1;
- } else {
- return 0;
- }
-}
-
-# Darren Critchley - certain ports are reserved for IPFire
-# TCP 67,68,81,222,444
-# UDP 67,68
-# Params passed in -> port, rangeyn, protocol
-sub disallowreserved
-{
- # port 67 and 68 same for tcp and udp, don't bother putting in an array
- my $msg = "";
- my @tcp_reserved = (81,222,444);
- my $prt = $_[0]; # the port or range
- my $ryn = $_[1]; # tells us whether or not it is a port range
- my $prot = $_[2]; # protocol
- my $srcdst = $_[3]; # source or destination
- if ($ryn) { # disect port range
- if ($srcdst eq "src") {
- $msg = "$Lang::tr{'rsvd src port overlap'}";
- } else {
- $msg = "$Lang::tr{'rsvd dst port overlap'}";
- }
- my @tmprng = split(/\:/,$prt);
- unless (67 < $tmprng[0] || 67 > $tmprng[1]) { $errormessage="$msg 67"; return; }
- unless (68 < $tmprng[0] || 68 > $tmprng[1]) { $errormessage="$msg 68"; return; }
- if ($prot eq "tcp") {
- foreach my $prange (@tcp_reserved) {
- unless ($prange < $tmprng[0] || $prange > $tmprng[1]) { $errormessage="$msg $prange"; return; }
- }
- }
- } else {
- if ($srcdst eq "src") {
- $msg = "$Lang::tr{'reserved src port'}";
- } else {
- $msg = "$Lang::tr{'reserved dst port'}";
- }
- if ($prt == 67) { $errormessage="$msg 67"; return; }
- if ($prt == 68) { $errormessage="$msg 68"; return; }
- if ($prot eq "tcp") {
- foreach my $prange (@tcp_reserved) {
- if ($prange == $prt) { $errormessage="$msg $prange"; return; }
- }
- }
- }
- return;
-}
-
sub writeserverconf {
my %sovpnsettings = ();
print CONF "auth $sovpnsettings{'DAUTH'}\n";
}
if ($sovpnsettings{'TLSAUTH'} eq 'on') {
- print CONF "tls-auth ${General::swroot}/ovpn/ca/ta.key 0\n";
+ print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n";
}
if ($sovpnsettings{DCOMPLZO} eq 'on') {
print CONF "comp-lzo\n";
my @iprange=();
my %ccdhash=();
&General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
- $iprange[0]=$ip1.".".$ip2.".".$ip3.".".2;
+ $iprange[0]=$ip1.".".$ip2.".".$ip3.".".($ip4+2);
for (my $i=1;$i<=$count;$i++) {
my $tmpip=$iprange[$i-1];
my $stepper=$i*4;
$vpnsettings{'MSSFIX'} = $cgiparams{'MSSFIX'};
}
- # Create ta.key for tls-auth if not presant
- if ($cgiparams{'TLSAUTH'} eq 'on') {
- if ( ! -e "${General::swroot}/ovpn/ca/ta.key") {
- system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/ca/ta.key")
- }
- }
-
if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') ||
($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') ||
($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) {
$errormessage = $Lang::tr{'invalid input for keepalive 1:2'};
goto ADV_ERROR;
}
+ # Create ta.key for tls-auth if not presant
+ if ($cgiparams{'TLSAUTH'} eq 'on') {
+ if ( ! -e "${General::swroot}/ovpn/certs/ta.key") {
+ system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key");
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ goto ADV_ERROR;
+ }
+ }
+ }
&General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
&writeserverconf();#hier ok
}
}
if ($errormessage) { goto SETTINGS_ERROR; }
-
- if ($cgiparams{'ENABLED'} eq 'on'){
- &checkportfw($cgiparams{'DDEST_PORT'},$cgiparams{'DPROTOCOL'});
- }
- if ($errormessage) { goto SETTINGS_ERROR; }
if (! &General::validipandmask($cgiparams{'DOVPN_SUBNET'})) {
$errormessage = $Lang::tr{'ovpn subnet is invalid'};
goto ROOTCERT_ERROR;
# } else {
# &cleanssldatabase();
- }
+ }
+ # Create ta.key for tls-auth
+ system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key");
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ &cleanssldatabase();
+ goto ROOTCERT_ERROR;
+ }
goto ROOTCERT_SUCCESS;
}
ROOTCERT_ERROR:
print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
}
if ($vpnsettings{'TLSAUTH'} eq 'on') {
- print CLIENTCONF "tls-auth ta.key 1\r\n";
- $zip->addFile( "${General::swroot}/ovpn/ca/ta.key", "ta.key") or die "Can't add file ta.key\n";
+ print CLIENTCONF "tls-auth ta.key\r\n";
+ $zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key") or die "Can't add file ta.key\n";
}
if ($vpnsettings{DCOMPLZO} eq 'on') {
print CLIENTCONF "comp-lzo\r\n";
if ($cgiparams{'DAUTH'} eq '') {
$cgiparams{'DAUTH'} = 'SHA1';
}
- if ($cgiparams{'DAUTH'} eq '') {
- $cgiparams{'DAUTH'} = 'SHA1';
- }
- if ($cgiparams{'ENGINES'} eq '') {
- $cgiparams{'ENGINES'} = 'disabled';
- }
if ($cgiparams{'TLSAUTH'} eq '') {
- $cgiparams{'TLSAUTH'} = 'off';
- }
- if ($cgiparams{'DAUTH'} eq '') {
- $cgiparams{'DAUTH'} = 'SHA1';
- }
- if ($cgiparams{'TLSAUTH'} eq '') {
- $cgiparams{'TLSAUTH'} = 'off';
+ $cgiparams{'TLSAUTH'} = 'off';
}
$checked{'CLIENT2CLIENT'}{'off'} = '';
$checked{'CLIENT2CLIENT'}{'on'} = '';
<option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'})</option>
</select>
</td>
- <td>Default: <span class="base">SHA1 (160 $Lang::tr{'bit'})</span></td>
+ <td>$Lang::tr{'openvpn default'}: <span class="base">SHA1 (160 $Lang::tr{'bit'})</span></td>
</tr>
</table>
<table width='100%' border='0'>
<tr><form method='post'>
<td width='10%' nowrap='nowrap'>$Lang::tr{'ccd name'}:</td><td><input type='TEXT' name='ccdname' value='$cgiparams{'ccdname'}' /></td>
- <td width='8%'>$Lang::tr{'ccd subnet'}:</td><td><input type='TEXT' name='ccdsubnet' value='$cgiparams{'ccdsubnet'}' readonly /></td></tr>
+ <td width='8%'>$Lang::tr{'ccd subnet'}:</td><td><input type='TEXT' name='ccdsubnet' value='$cgiparams{'ccdsubnet'}' readonly='readonly' /></td></tr>
<tr><td colspan='4' align='right'><hr><input type='submit' value='$Lang::tr{'save'}' /><input type='hidden' name='ACTION' value='editsave'/>
<input type='hidden' name='ccdname' value='$cgiparams{'ccdname'}'/><input type='submit' value='$Lang::tr{'cancel'}' />
</td></tr>
print"<td>$ccdconf[0]</td><td align='center'>$ccdconf[1]</td><td align='center'>$ccdhosts/".(&ccdmaxclients($ccdconf[1])+1)."</td><td>";
print <<END;
<form method='post' />
- <input type='image' src='/images/edit.gif' align='middle' alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'} />
+ <input type='image' src='/images/edit.gif' align='middle' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' />
<input type='hidden' name='ACTION' value='edit'/>
<input type='hidden' name='ccdname' value='$ccdconf[0]' />
<input type='hidden' name='ccdsubnet' value='$ccdconf[1]' />
<td><input type='hidden' name='ACTION' value='kill'/>
<input type='hidden' name='number' value='$count' />
<input type='hidden' name='net' value='$ccdconf[0]' />
- <input type='image' src='/images/delete.gif' align='middle' alt=$Lang::tr{'remove'} title=$Lang::tr{'remove'} /></form></td></tr>
+ <input type='image' src='/images/delete.gif' align='middle' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' /></form></td></tr>
END
;
}
<td class='base'>$Lang::tr{'net to net vpn'} (Upload Client Package)</td></tr>
<tr><td> </td><td class='base'><input type='file' name='FH' size='30'></td></tr>
<tr><td> </td><td>Import Connection Name <img src='/blob.gif' /></td></tr>
- <tr><td> </td><td class='base'><input type='text' name='n2nname' size='30'>Default : Client Packagename</td></tr>
+ <tr><td> </td><td class='base'><input type='text' name='n2nname' size='30'>$Lang::tr{'openvpn default'}: Client Packagename</td></tr>
<tr><td colspan='3'><hr /></td></tr>
<tr><td align='right' colspan='3'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td></tr>
<tr><td class='base' colspan='3' align='left'><img src='/blob.gif' alt='*' /> $Lang::tr{'this field may be blank'}</td></tr>
<tr><td> </td>
<td class='base'>$Lang::tr{'pkcs12 file password'}:</td>
<td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS1' value='$cgiparams{'CERT_PASS1'}' size='32' $cakeydisabled /></td></tr>
- <tr><td> </td><td class='base'>$Lang::tr{'pkcs12 file password'}:<BR>($Lang::tr{'confirmation'})</td>
+ <tr><td> </td><td class='base'>$Lang::tr{'pkcs12 file password'}:<br>($Lang::tr{'confirmation'})</td>
<td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS2' value='$cgiparams{'CERT_PASS2'}' size='32' $cakeydisabled /></td></tr>
<tr><td colspan='3'> </td></tr>
<tr><td colspan='3'><hr /></td></tr>
if ($cgiparams{'DAUTH'} eq '') {
$cgiparams{'DAUTH'} = 'SHA1';
}
- if ($cgiparams{'ENGINES'} eq '') {
- $cgiparams{'ENGINES'} = 'disabled';
- }
if ($cgiparams{'DOVPN_SUBNET'} eq '') {
$cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0';
}
<td class='boldbase'>$Lang::tr{'destination port'}:</td>
<td><input type='TEXT' name='DDEST_PORT' value='$cgiparams{'DDEST_PORT'}' size='5' /></td></tr>
<tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'MTU'} </td>
- <td> <input type='TEXT' name='DMTU' VALUE='$cgiparams{'DMTU'}'size='5' /></td>
+ <td> <input type='TEXT' name='DMTU' VALUE='$cgiparams{'DMTU'}' size='5' /></td>
<td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td>
<td><select name='DCIPHER'>
#EXITING -- A graceful exit is in progress.
####
- if ($tustate[1] eq 'CONNECTED') {
+ if (($tustate[1] eq 'CONNECTED') || ($tustate[1] eq 'WAIT')) {
$col1="bgcolor='${Header::colourgreen}'";
$active = "<b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>";
}else {