require "${General::swroot}/lang.pl";
require "${General::swroot}/header.pl";
require "${General::swroot}/countries.pl";
+require "${General::swroot}/geoip-functions.pl";
# enable only the following on debugging purpose
#use warnings;
my %selected=();
my $warnmessage = '';
my $errormessage = '';
+my $cryptoerror = '';
+my $cryptowarning = '';
my %settings=();
my $routes_push_file = '';
my $confighost="${General::swroot}/fwhosts/customhosts";
my $customnet="${General::swroot}/fwhosts/customnetworks";
my $name;
my $col="";
+my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local";
+my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local";
+
&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
$cgiparams{'ENABLED'} = 'off';
$cgiparams{'ENABLED_BLUE'} = 'off';
$cgiparams{'DCOMPLZO'} = 'off';
$cgiparams{'MSSFIX'} = '';
$cgiparams{'number'} = '';
-$cgiparams{'PMTU_DISCOVERY'} = '';
$cgiparams{'DCIPHER'} = '';
$cgiparams{'DAUTH'} = '';
$cgiparams{'TLSAUTH'} = '';
$routes_push_file = "${General::swroot}/ovpn/routes_push";
-unless (-e $routes_push_file) { system("touch $routes_push_file"); }
-unless (-e "${General::swroot}/ovpn/ccd.conf") { system("touch ${General::swroot}/ovpn/ccd.conf"); }
-unless (-e "${General::swroot}/ovpn/ccdroute") { system("touch ${General::swroot}/ovpn/ccdroute"); }
-unless (-e "${General::swroot}/ovpn/ccdroute2") { system("touch ${General::swroot}/ovpn/ccdroute2"); }
+# Perform crypto and configration test
+&pkiconfigcheck;
+
+# Add CCD files if not already presant
+unless (-e $routes_push_file) {
+ open(RPF, ">$routes_push_file");
+ close(RPF);
+}
+unless (-e "${General::swroot}/ovpn/ccd.conf") {
+ open(CCDC, ">${General::swroot}/ovpn/ccd.conf");
+ close (CCDC);
+}
+unless (-e "${General::swroot}/ovpn/ccdroute") {
+ open(CCDR, ">${General::swroot}/ovpn/ccdroute");
+ close (CCDR);
+}
+unless (-e "${General::swroot}/ovpn/ccdroute2") {
+ open(CCDRT, ">${General::swroot}/ovpn/ccdroute2");
+ close (CCDRT);
+}
+# Add additional configs if not already presant
+unless (-e "$local_serverconf") {
+ open(LSC, ">$local_serverconf");
+ close (LSC);
+}
+unless (-e "$local_clientconf") {
+ open(LCC, ">$local_clientconf");
+ close (LCC);
+}
&Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
unlink ("${General::swroot}/ovpn/certs/$hexvalue.pem");
}
}
-sub checkportfw {
- my $DPORT = shift;
- my $DPROT = shift;
- my %natconfig =();
- my $confignat = "${General::swroot}/firewall/config";
- $DPROT= uc ($DPROT);
- &General::readhasharray($confignat, \%natconfig);
- foreach my $key (sort keys %natconfig){
- my @portarray = split (/\|/,$natconfig{$key}[30]);
- foreach my $value (@portarray){
- if ($value =~ /:/i){
- my ($a,$b) = split (":",$value);
- if ($DPROT eq $natconfig{$key}[12] && $DPORT gt $a && $DPORT lt $b){
- $errormessage= "$Lang::tr{'source port in use'} $DPORT";
- }
- }else{
- if ($DPROT eq $natconfig{$key}[12] && $DPORT eq $value){
- $errormessage= "$Lang::tr{'source port in use'} $DPORT";
- }
- }
- }
- }
- return;
-}
-
-sub checkportoverlap
-{
- my $portrange1 = $_[0]; # New port range
- my $portrange2 = $_[1]; # existing port range
- my @tempr1 = split(/\:/,$portrange1);
- my @tempr2 = split(/\:/,$portrange2);
- unless (&checkportinc($tempr1[0], $portrange2)){ return 0;}
- unless (&checkportinc($tempr1[1], $portrange2)){ return 0;}
-
- unless (&checkportinc($tempr2[0], $portrange1)){ return 0;}
- unless (&checkportinc($tempr2[1], $portrange1)){ return 0;}
-
- return 1; # Everything checks out!
-}
+###
+### Check for PKI and configure problems
+###
-# Darren Critchley - we want to make sure that a port entry is not within an already existing range
-sub checkportinc
+sub pkiconfigcheck
{
- my $port1 = $_[0]; # Port
- my $portrange2 = $_[1]; # Port range
- my @tempr1 = split(/\:/,$portrange2);
-
- if ($port1 < $tempr1[0] || $port1 > $tempr1[1]) {
- return 1;
- } else {
- return 0;
+ # Warning if DH parameter is 1024 bit
+ if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
+ my $dhparameter = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}`;
+ my @dhbit = ($dhparameter =~ /(\d+)/);
+ if ($1 < 2048) {
+ $cryptoerror = "$Lang::tr{'ovpn error dh'}";
+ goto CRYPTO_ERROR;
+ }
}
-}
-# Darren Critchley - certain ports are reserved for IPFire
-# TCP 67,68,81,222,444
-# UDP 67,68
-# Params passed in -> port, rangeyn, protocol
-sub disallowreserved
-{
- # port 67 and 68 same for tcp and udp, don't bother putting in an array
- my $msg = "";
- my @tcp_reserved = (81,222,444);
- my $prt = $_[0]; # the port or range
- my $ryn = $_[1]; # tells us whether or not it is a port range
- my $prot = $_[2]; # protocol
- my $srcdst = $_[3]; # source or destination
- if ($ryn) { # disect port range
- if ($srcdst eq "src") {
- $msg = "$Lang::tr{'rsvd src port overlap'}";
- } else {
- $msg = "$Lang::tr{'rsvd dst port overlap'}";
+ # Warning if md5 is in usage
+ if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
+ my $signature = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+ if ($signature =~ /md5WithRSAEncryption/) {
+ $cryptoerror = "$Lang::tr{'ovpn error md5'}";
+ goto CRYPTO_ERROR;
}
- my @tmprng = split(/\:/,$prt);
- unless (67 < $tmprng[0] || 67 > $tmprng[1]) { $errormessage="$msg 67"; return; }
- unless (68 < $tmprng[0] || 68 > $tmprng[1]) { $errormessage="$msg 68"; return; }
- if ($prot eq "tcp") {
- foreach my $prange (@tcp_reserved) {
- unless ($prange < $tmprng[0] || $prange > $tmprng[1]) { $errormessage="$msg $prange"; return; }
- }
- }
- } else {
- if ($srcdst eq "src") {
- $msg = "$Lang::tr{'reserved src port'}";
- } else {
- $msg = "$Lang::tr{'reserved dst port'}";
- }
- if ($prt == 67) { $errormessage="$msg 67"; return; }
- if ($prt == 68) { $errormessage="$msg 68"; return; }
- if ($prot eq "tcp") {
- foreach my $prange (@tcp_reserved) {
- if ($prange == $prt) { $errormessage="$msg $prange"; return; }
- }
+ }
+
+ CRYPTO_ERROR:
+
+ # Warning if certificate is not compliant to RFC3280 TLS rules
+ if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
+ my $extendkeyusage = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+ if ($extendkeyusage !~ /TLS Web Server Authentication/) {
+ $cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}";
+ goto CRYPTO_WARNING;
}
}
- return;
-}
+ CRYPTO_WARNING:
+}
sub writeserverconf {
my %sovpnsettings = ();
print CONF "writepid /var/run/openvpn.pid\n";
print CONF "#DAN prepare OpenVPN for listening on blue and orange\n";
print CONF ";local $sovpnsettings{'VPN_IP'}\n";
- print CONF "dev $sovpnsettings{'DDEVICE'}\n";
+ print CONF "dev tun\n";
print CONF "proto $sovpnsettings{'DPROTOCOL'}\n";
print CONF "port $sovpnsettings{'DDEST_PORT'}\n";
- print CONF "script-security 3 system\n";
+ print CONF "script-security 3\n";
print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\n";
print CONF "client-config-dir /var/ipfire/ovpn/ccd\n";
print CONF "tls-server\n";
print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n";
#print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n";
- # Check if we are using mssfix, fragment or mtu-disc and set the corretct mtu of 1500.
+ # Check if we are using mssfix, fragment and set the corretct mtu of 1500.
# If we doesn't use one of them, we can use the configured mtu value.
if ($sovpnsettings{'MSSFIX'} eq 'on')
- { print CONF "$sovpnsettings{'DDEVICE'}-mtu 1500\n"; }
+ { print CONF "tun-mtu 1500\n"; }
elsif ($sovpnsettings{'FRAGMENT'} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp')
- { print CONF "$sovpnsettings{'DDEVICE'}-mtu 1500\n"; }
- elsif (($sovpnsettings{'PMTU_DISCOVERY'} eq 'yes') ||
- ($sovpnsettings{'PMTU_DISCOVERY'} eq 'maybe') ||
- ($sovpnsettings{'PMTU_DISCOVERY'} eq 'no' ))
- { print CONF "$sovpnsettings{'DDEVICE'}-mtu 1500\n"; }
+ { print CONF "tun-mtu 1500\n"; }
else
- { print CONF "$sovpnsettings{'DDEVICE'}-mtu $sovpnsettings{'DMTU'}\n"; }
+ { print CONF "tun-mtu $sovpnsettings{'DMTU'}\n"; }
if ($vpnsettings{'ROUTES_PUSH'} ne '') {
@temp = split(/\n/,$vpnsettings{'ROUTES_PUSH'});
print CONF "fragment $sovpnsettings{'FRAGMENT'}\n";
}
- # Check if a valid operating mode has been choosen and use it.
- if (($sovpnsettings{'PMTU_DISCOVERY'} eq 'yes') ||
- ($sovpnsettings{'PMTU_DISCOVERY'} eq 'maybe') ||
- ($sovpnsettings{'PMTU_DISCOVERY'} eq 'no' )) {
- print CONF "mtu-disc $sovpnsettings{'PMTU_DISCOVERY'}\n";
- }
-
if ($sovpnsettings{KEEPALIVE_1} > 0 && $sovpnsettings{KEEPALIVE_2} > 0) {
print CONF "keepalive $sovpnsettings{'KEEPALIVE_1'} $sovpnsettings{'KEEPALIVE_2'}\n";
}
print CONF "status-version 1\n";
- print CONF "status /var/log/ovpnserver.log 30\n";
+ print CONF "status /var/run/ovpnserver.log 30\n";
+ print CONF "ncp-disable\n";
print CONF "cipher $sovpnsettings{DCIPHER}\n";
if ($sovpnsettings{'DAUTH'} eq '') {
print CONF "";
print CONF "auth $sovpnsettings{'DAUTH'}\n";
}
if ($sovpnsettings{'TLSAUTH'} eq 'on') {
- print CONF "tls-auth ${General::swroot}/ovpn/ca/ta.key 0\n";
+ print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n";
}
if ($sovpnsettings{DCOMPLZO} eq 'on') {
print CONF "comp-lzo\n";
print CONF "verb $sovpnsettings{LOG_VERB}\n";
} else {
print CONF "verb 3\n";
- }
+ }
+ # Print server.conf.local if entries exist to server.conf
+ if ( !-z $local_serverconf && $sovpnsettings{'ADDITIONAL_CONFIGS'} eq 'on') {
+ open (LSC, "$local_serverconf");
+ print CONF "\n#---------------------------\n";
+ print CONF "# Start of custom directives\n";
+ print CONF "# from server.conf.local\n";
+ print CONF "#---------------------------\n\n";
+ while (<LSC>) {
+ print CONF $_;
+ }
+ print CONF "\n#-----------------------------\n";
+ print CONF "# End of custom directives\n";
+ print CONF "#-----------------------------\n";
+ close (LSC);
+ }
print CONF "\n";
close(CONF);
}
sub emptyserverlog{
- if (open(FILE, ">/var/log/ovpnserver.log")) {
+ if (open(FILE, ">/var/run/ovpnserver.log")) {
flock FILE, 2;
print FILE "";
close FILE;
}
}
+sub writecollectdconf {
+ my $vpncollectd;
+ my %ccdhash=();
+
+ open(COLLECTDVPN, ">${General::swroot}/ovpn/collectd.vpn") or die "Unable to open collectd.vpn: $!";
+ print COLLECTDVPN "Loadplugin openvpn\n";
+ print COLLECTDVPN "\n";
+ print COLLECTDVPN "<Plugin openvpn>\n";
+ print COLLECTDVPN "Statusfile \"/var/run/ovpnserver.log\"\n";
+
+ &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
+ foreach my $key (keys %ccdhash) {
+ if ($ccdhash{$key}[0] eq 'on' && $ccdhash{$key}[3] eq 'net') {
+ print COLLECTDVPN "Statusfile \"/var/run/openvpn/$ccdhash{$key}[1]-n2n\"\n";
+ }
+ }
+
+ print COLLECTDVPN "</Plugin>\n";
+ close(COLLECTDVPN);
+
+ # Reload collectd afterwards
+ system("/usr/local/bin/collectdctrl restart &>/dev/null");
+}
#hier die refresh page
if ( -e "${General::swroot}/ovpn/gencanow") {
$vpnsettings{'MAX_CLIENTS'} = $cgiparams{'MAX_CLIENTS'};
$vpnsettings{'REDIRECT_GW_DEF1'} = $cgiparams{'REDIRECT_GW_DEF1'};
$vpnsettings{'CLIENT2CLIENT'} = $cgiparams{'CLIENT2CLIENT'};
+ $vpnsettings{'ADDITIONAL_CONFIGS'} = $cgiparams{'ADDITIONAL_CONFIGS'};
$vpnsettings{'DHCP_DOMAIN'} = $cgiparams{'DHCP_DOMAIN'};
$vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'};
$vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'};
$vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'};
- $vpnsettings{'PMTU_DISCOVERY'} = $cgiparams{'PMTU_DISCOVERY'};
$vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
$vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
my @temp=();
$vpnsettings{'MSSFIX'} = $cgiparams{'MSSFIX'};
}
- # Create ta.key for tls-auth if not presant
- if ($cgiparams{'TLSAUTH'} eq 'on') {
- if ( ! -e "${General::swroot}/ovpn/ca/ta.key") {
- system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/ca/ta.key")
- }
- }
-
- if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') ||
- ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') ||
- ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) {
-
- if (($cgiparams{'MSSFIX'} eq 'on') || ($cgiparams{'FRAGMENT'} ne '')) {
- $errormessage = $Lang::tr{'ovpn mtu-disc with mssfix or fragment'};
- goto ADV_ERROR;
- }
- }
-
if ($cgiparams{'DHCP_DOMAIN'} ne ''){
unless (&General::validdomainname($cgiparams{'DHCP_DOMAIN'}) || &General::validip($cgiparams{'DHCP_DOMAIN'})) {
$errormessage = $Lang::tr{'invalid input for dhcp domain'};
$errormessage = $Lang::tr{'invalid input for keepalive 1:2'};
goto ADV_ERROR;
}
+ # Create ta.key for tls-auth if not presant
+ if ($cgiparams{'TLSAUTH'} eq 'on') {
+ if ( ! -e "${General::swroot}/ovpn/certs/ta.key") {
+ system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key");
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ goto ADV_ERROR;
+ }
+ }
+ }
&General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
&writeserverconf();#hier ok
print SERVERCONF "ifconfig $ovsubnet.1 $ovsubnet.2\n";
print SERVERCONF "# Client Gateway Network\n";
print SERVERCONF "route $remsubnet[0] $remsubnet[1]\n";
+ print SERVERCONF "up \"/etc/init.d/static-routes start\"\n";
print SERVERCONF "# tun Device\n";
print SERVERCONF "dev tun\n";
+ print SERVERCONF "#Logfile for statistics\n";
+ print SERVERCONF "status-version 1\n";
+ print SERVERCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n";
print SERVERCONF "# Port and Protokol\n";
print SERVERCONF "port $cgiparams{'DEST_PORT'}\n";
-
+
if ($cgiparams{'PROTOCOL'} eq 'tcp') {
print SERVERCONF "proto tcp-server\n";
print SERVERCONF "# Packet size\n";
if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n"; };
}
- # Check if a valid operating mode has been choosen and use it.
- if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') ||
- ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') ||
- ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) {
- if(($cgiparams{'MSSFIX'} ne 'on') || ($cgiparams{'FRAGMENT'} eq '')) {
- if($cgiparams{'MTU'} eq '1500') {
- print SERVERCONF "mtu-disc $cgiparams{'PMTU_DISCOVERY'}\n";
- }
- }
- }
print SERVERCONF "# Auth. Server\n";
print SERVERCONF "tls-server\n";
print SERVERCONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n";
print SERVERCONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n";
print SERVERCONF "# Cipher\n";
print SERVERCONF "cipher $cgiparams{'DCIPHER'}\n";
- if ($cgiparams{'DAUTH'} eq '') {
- print SERVERCONF "auth SHA1\n";
+
+ # If GCM cipher is used, do not use --auth
+ if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') ||
+ ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') ||
+ ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) {
+ print SERVERCONF unless "# HMAC algorithm\n";
+ print SERVERCONF unless "auth $cgiparams{'DAUTH'}\n";
} else {
- print SERVERCONF "# HMAC algorithm\n";
- print SERVERCONF "auth $cgiparams{'DAUTH'}\n";
+ print SERVERCONF "# HMAC algorithm\n";
+ print SERVERCONF "auth $cgiparams{'DAUTH'}\n";
}
+
if ($cgiparams{'COMPLZO'} eq 'on') {
print SERVERCONF "# Enable Compression\n";
- print SERVERCONF "comp-lzo\r\n";
+ print SERVERCONF "comp-lzo\n";
}
print SERVERCONF "# Debug Level\n";
print SERVERCONF "verb 3\n";
print CLIENTCONF "ifconfig $ovsubnet.2 $ovsubnet.1\n";
print CLIENTCONF "# Server Gateway Network\n";
print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n";
+ print CLIENTCONF "up \"/etc/init.d/static-routes start\"\n";
print CLIENTCONF "# tun Device\n";
print CLIENTCONF "dev tun\n";
+ print CLIENTCONF "#Logfile for statistics\n";
+ print CLIENTCONF "status-version 1\n";
+ print CLIENTCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n";
print CLIENTCONF "# Port and Protokol\n";
print CLIENTCONF "port $cgiparams{'DEST_PORT'}\n";
if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF "mssfix\n"; };
}
- # Check if a valid operating mode has been choosen and use it.
- if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') ||
- ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') ||
- ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) {
- if(($cgiparams{'MSSFIX'} ne 'on') || ($cgiparams{'FRAGMENT'} eq '')) {
- if ($cgiparams{'MTU'} eq '1500') {
- print CLIENTCONF "mtu-disc $cgiparams{'PMTU_DISCOVERY'}\n";
- }
- }
+ # Check host certificate if X509 is RFC3280 compliant.
+ # If not, old --ns-cert-type directive will be used.
+ # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
+ my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+ if ($hostcert !~ /TLS Web Server Authentication/) {
+ print CLIENTCONF "ns-cert-type server\n";
+ } else {
+ print CLIENTCONF "remote-cert-tls server\n";
}
-
- print CLIENTCONF "ns-cert-type server\n";
print CLIENTCONF "# Auth. Client\n";
print CLIENTCONF "tls-client\n";
print CLIENTCONF "# Cipher\n";
print CLIENTCONF "cipher $cgiparams{'DCIPHER'}\n";
print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12\r\n";
- if ($cgiparams{'DAUTH'} eq '') {
- print CLIENTCONF "auth SHA1\n";
+
+ # If GCM cipher is used, do not use --auth
+ if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') ||
+ ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') ||
+ ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) {
+ print CLIENTCONF unless "# HMAC algorithm\n";
+ print CLIENTCONF unless "auth $cgiparams{'DAUTH'}\n";
} else {
- print CLIENTCONF "# HMAC algorithm\n";
- print CLIENTCONF "auth $cgiparams{'DAUTH'}\n";
+ print CLIENTCONF "# HMAC algorithm\n";
+ print CLIENTCONF "auth $cgiparams{'DAUTH'}\n";
}
+
if ($cgiparams{'COMPLZO'} eq 'on') {
print CLIENTCONF "# Enable Compression\n";
- print CLIENTCONF "comp-lzo\r\n";
+ print CLIENTCONF "comp-lzo\n";
}
print CLIENTCONF "# Debug Level\n";
print CLIENTCONF "verb 3\n";
close(CLIENTCONF);
}
-
+
###
### Save main settings
###
-
if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') {
&General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
#DAN do we really need (to to check) this value? Besides if we listen on blue and orange too,
goto SETTINGS_ERROR;
}
}
- if ($errormessage) { goto SETTINGS_ERROR; }
- if ($cgiparams{'ENABLED'} eq 'on'){
- &checkportfw($cgiparams{'DDEST_PORT'},$cgiparams{'DPROTOCOL'});
- }
- if ($errormessage) { goto SETTINGS_ERROR; }
-
if (! &General::validipandmask($cgiparams{'DOVPN_SUBNET'})) {
$errormessage = $Lang::tr{'ovpn subnet is invalid'};
goto SETTINGS_ERROR;
$vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};
#new settings for daemon
$vpnsettings{'DOVPN_SUBNET'} = $cgiparams{'DOVPN_SUBNET'};
- $vpnsettings{'DDEVICE'} = $cgiparams{'DDEVICE'};
$vpnsettings{'DPROTOCOL'} = $cgiparams{'DPROTOCOL'};
$vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'};
$vpnsettings{'DMTU'} = $cgiparams{'DMTU'};
my $file = '';
&General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
+ # Kill all N2N connections
+ system("/usr/local/bin/openvpnctrl -kn2n &>/dev/null");
+
foreach my $key (keys %confighash) {
+ my $name = $confighash{$cgiparams{'$key'}}[1];
+
if ($confighash{$key}[4] eq 'cert') {
delete $confighash{$cgiparams{'$key'}};
}
+
+ system ("/usr/local/bin/openvpnctrl -drrd $name &>/dev/null");
}
while ($file = glob("${General::swroot}/ovpn/ca/*")) {
unlink $file;
while ($file = glob("${General::swroot}/ovpn/ccd/*")) {
unlink $file
}
+ while ($file = glob("${General::swroot}/ovpn/ccd/*")) {
+ unlink $file
+ }
if (open(FILE, ">${General::swroot}/ovpn/ovpn-leases.db")) {
print FILE "";
close FILE;
system ("rm -rf $file");
}
+ # Remove everything from the collectd configuration
+ &writecollectdconf();
+
#&writeserverconf();
###
### Reset all step 1
unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}";
}
# Create Diffie Hellmann Parameter
- system('/usr/bin/openssl', 'dhparam', '-rand', '/proc/interrupts:/proc/net/rt_cache',
- '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}");
+ system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}");
if ($?) {
$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
unlink ("${General::swroot}/ovpn/ca/dh1024.pem");
<form method='post'><input type='hidden' name='AREUSURE' value='yes' />
<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
<select name='DHLENGHT'>
- <option value='1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'}</option>
<option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
<option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
<option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
goto UPLOADCA_ERROR;
}
my $temp = `/usr/bin/openssl dhparam -text -in $filename`;
- if ($temp !~ /DH Parameters: \((1024|2048|3072|4096) bit\)/) {
+ if ($temp !~ /DH Parameters: \((2048|3072|4096) bit\)/) {
$errormessage = $Lang::tr{'not a valid dh key'};
unlink ($filename);
goto UPLOADCA_ERROR;
print `/usr/bin/openssl x509 -in ${General::swroot}/ovpn/certs/servercert.pem`;
exit(0);
}
+
+###
+### Download tls-auth key
+###
+}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-auth key'}) {
+ if ( -f "${General::swroot}/ovpn/certs/ta.key" ) {
+ print "Content-Type: application/octet-stream\r\n";
+ print "Content-Disposition: filename=ta.key\r\n\r\n";
+ print `/bin/cat ${General::swroot}/ovpn/certs/ta.key`;
+ exit(0);
+ }
+
###
### Form for generating a root certificate
###
goto ROOTCERT_ERROR;
}
} else { # child
- unless (exec ('/usr/bin/openssl', 'req', '-x509', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache',
+ unless (exec ('/usr/bin/openssl', 'req', '-x509', '-nodes',
'-days', '999999', '-newkey', 'rsa:4096', '-sha512',
'-keyout', "${General::swroot}/ovpn/ca/cakey.pem",
'-out', "${General::swroot}/ovpn/ca/cacert.pem",
goto ROOTCERT_ERROR;
}
} else { # child
- unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache',
+ unless (exec ('/usr/bin/openssl', 'req', '-nodes',
'-newkey', 'rsa:2048',
'-keyout', "${General::swroot}/ovpn/certs/serverkey.pem",
'-out', "${General::swroot}/ovpn/certs/serverreq.pem",
# &cleanssldatabase();
}
# Create Diffie Hellmann Parameter
- system('/usr/bin/openssl', 'dhparam', '-rand', '/proc/interrupts:/proc/net/rt_cache',
- '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}");
+ system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}");
if ($?) {
$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
goto ROOTCERT_ERROR;
# } else {
# &cleanssldatabase();
- }
+ }
+ # Create ta.key for tls-auth
+ system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key");
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ &cleanssldatabase();
+ goto ROOTCERT_ERROR;
+ }
goto ROOTCERT_SUCCESS;
}
ROOTCERT_ERROR:
print <<END;
<form method='post' enctype='multipart/form-data'>
<table width='100%' border='0' cellspacing='1' cellpadding='0'>
- <tr><td width='30%' class='base'>$Lang::tr{'organization name'}:</td>
+ <tr><td width='30%' class='base'>$Lang::tr{'organization name'}: <img src='/blob.gif' alt='*' /></td>
<td width='35%' class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_ORGANIZATION' value='$cgiparams{'ROOTCERT_ORGANIZATION'}' size='32' /></td>
<td width='35%' colspan='2'> </td></tr>
- <tr><td class='base'>$Lang::tr{'ipfires hostname'}:</td>
+ <tr><td class='base'>$Lang::tr{'ipfires hostname'}: <img src='/blob.gif' alt='*' /></td>
<td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_HOSTNAME' value='$cgiparams{'ROOTCERT_HOSTNAME'}' size='32' /></td>
<td colspan='2'> </td></tr>
- <tr><td class='base'>$Lang::tr{'your e-mail'}: <img src='/blob.gif' alt'*' /></td>
+ <tr><td class='base'>$Lang::tr{'your e-mail'}:</td>
<td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_EMAIL' value='$cgiparams{'ROOTCERT_EMAIL'}' size='32' /></td>
<td colspan='2'> </td></tr>
- <tr><td class='base'>$Lang::tr{'your department'}: <img src='/blob.gif' alt'*' /></td>
+ <tr><td class='base'>$Lang::tr{'your department'}:</td>
<td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_OU' value='$cgiparams{'ROOTCERT_OU'}' size='32' /></td>
<td colspan='2'> </td></tr>
- <tr><td class='base'>$Lang::tr{'city'}: <img src='/blob.gif' alt'*' /></td>
+ <tr><td class='base'>$Lang::tr{'city'}:</td>
<td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_CITY' value='$cgiparams{'ROOTCERT_CITY'}' size='32' /></td>
<td colspan='2'> </td></tr>
- <tr><td class='base'>$Lang::tr{'state or province'}: <img src='/blob.gif' alt'*' /></td>
+ <tr><td class='base'>$Lang::tr{'state or province'}:</td>
<td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_STATE' value='$cgiparams{'ROOTCERT_STATE'}' size='32' /></td>
<td colspan='2'> </td></tr>
<tr><td class='base'>$Lang::tr{'country'}:</td>
</select></td>
<tr><td class='base'>$Lang::tr{'ovpn dh'}:</td>
<td class='base'><select name='DHLENGHT'>
- <option value='1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'}</option>
<option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
<option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
<option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
<td><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /></td>
<td> </td><td> </td></tr>
<tr><td class='base' colspan='4' align='left'>
- <img src='/blob.gif' valign='top' alt='*' /> $Lang::tr{'this field may be blank'}</td></tr>
+ <img src='/blob.gif' valign='top' alt='*' /> $Lang::tr{'required field'}</td></tr>
<tr><td colspan='2'><br></td></tr>
<table width='100%'>
<tr>
<table width='100%'>
<tr><td colspan='4'><hr></td></tr>
- <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload p12 file'}:</td>
+ <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload p12 file'}: <img src='/blob.gif' alt='*' /></td>
<td nowrap='nowrap'><input type='file' name='FH' size='32'></td>
<td colspan='2'> </td></tr>
- <tr><td class='base'>$Lang::tr{'pkcs12 file password'}: <img src='/blob.gif' alt='*' ></td>
+ <tr><td class='base'>$Lang::tr{'pkcs12 file password'}:</td>
<td class='base' nowrap='nowrap'><input type='password' name='P12_PASS' value='$cgiparams{'P12_PASS'}' size='32' /></td>
<td colspan='2'> </td></tr>
<tr><td> </td>
<td><input type='submit' name='ACTION' value='$Lang::tr{'upload p12 file'}' /></td>
<td colspan='2'> </td></tr>
<tr><td class='base' colspan='4' align='left'>
- <img src='/blob.gif' valign='top' al='*' > $Lang::tr{'this field may be blank'}</td>
+ <img src='/blob.gif' valign='top' alt='*' > $Lang::tr{'required field'}</td>
</tr>
</form></table>
END
&General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
- system('/usr/local/bin/openvpnctrl', '-sn2n', $confighash{$cgiparams{'KEY'}}[1]);
+ system('/usr/local/bin/openvpnctrl', '-sn2n', $confighash{$cgiparams{'KEY'}}[1]);
+ &writecollectdconf();
}
} else {
&General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
- if ($n2nactive ne ''){
- system('/usr/local/bin/openvpnctrl', '-kn2n', $confighash{$cgiparams{'KEY'}}[1]);
- }
+ if ($n2nactive ne '') {
+ system('/usr/local/bin/openvpnctrl', '-kn2n', $confighash{$cgiparams{'KEY'}}[1]);
+ &writecollectdconf();
+ }
} else {
- $errormessage = $Lang::tr{'invalid key'};
+ $errormessage = $Lang::tr{'invalid key'};
}
- }
+ }
}
###
print CLIENTCONF "# Server Gateway Network\n";
print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n";
print CLIENTCONF "# tun Device\n";
- print CLIENTCONF "dev $vpnsettings{'DDEVICE'}\n";
+ print CLIENTCONF "dev tun\n";
+ print CLIENTCONF "#Logfile for statistics\n";
+ print CLIENTCONF "status-version 1\n";
+ print CLIENTCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n";
print CLIENTCONF "# Port and Protokoll\n";
print CLIENTCONF "port $confighash{$cgiparams{'KEY'}}[29]\n";
if ($confighash{$cgiparams{'KEY'}}[24] ne '') {print CLIENTCONF "fragment $confighash{$cgiparams{'KEY'}}[24]\n";}
if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF "mssfix\n";}
}
- if (($confighash{$cgiparams{'KEY'}}[38] eq 'yes') ||
- ($confighash{$cgiparams{'KEY'}}[38] eq 'maybe') ||
- ($confighash{$cgiparams{'KEY'}}[38] eq 'no' )) {
- if (($confighash{$cgiparams{'KEY'}}[23] ne 'on') || ($confighash{$cgiparams{'KEY'}}[24] eq '')) {
- if ($tunmtu eq '1500' ) {
- print CLIENTCONF "mtu-disc $confighash{$cgiparams{'KEY'}}[38]\n";
- }
- }
+ # Check host certificate if X509 is RFC3280 compliant.
+ # If not, old --ns-cert-type directive will be used.
+ # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
+ my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+ if ($hostcert !~ /TLS Web Server Authentication/) {
+ print CLIENTCONF "ns-cert-type server\n";
+ } else {
+ print CLIENTCONF "remote-cert-tls server\n";
}
- print CLIENTCONF "ns-cert-type server\n";
print CLIENTCONF "# Auth. Client\n";
print CLIENTCONF "tls-client\n";
print CLIENTCONF "# Cipher\n";
print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12\r\n";
$zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
}
- if ($confighash{$cgiparams{'KEY'}}[39] eq '') {
- print CLIENTCONF "# HMAC algorithm\n";
- print CLIENTCONF "auth SHA1\n";
+
+ # If GCM cipher is used, do not use --auth
+ if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') ||
+ ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') ||
+ ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) {
+ print CLIENTCONF unless "# HMAC algorithm\n";
+ print CLIENTCONF unless "auth $confighash{$cgiparams{'KEY'}}[39]\n";
} else {
- print CLIENTCONF "# HMAC algorithm\n";
- print CLIENTCONF "auth $confighash{$cgiparams{'KEY'}}[39]\n";
+ print CLIENTCONF "# HMAC algorithm\n";
+ print CLIENTCONF "auth $confighash{$cgiparams{'KEY'}}[39]\n";
}
+
if ($confighash{$cgiparams{'KEY'}}[30] eq 'on') {
print CLIENTCONF "# Enable Compression\n";
- print CLIENTCONF "comp-lzo\r\n";
+ print CLIENTCONF "comp-lzo\n";
}
print CLIENTCONF "# Debug Level\n";
print CLIENTCONF "verb 3\n";
print CLIENTCONF "tls-client\r\n";
print CLIENTCONF "client\r\n";
print CLIENTCONF "nobind\r\n";
- print CLIENTCONF "dev $vpnsettings{'DDEVICE'}\r\n";
+ print CLIENTCONF "dev tun\r\n";
print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n";
- # Check if we are using fragment, mssfix or mtu-disc and set MTU to 1500
+ # Check if we are using fragment, mssfix and set MTU to 1500
# or use configured value.
if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' )
- { print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu 1500\r\n"; }
+ { print CLIENTCONF "tun-mtu 1500\r\n"; }
elsif ($vpnsettings{MSSFIX} eq 'on')
- { print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu 1500\r\n"; }
- elsif (($vpnsettings{'PMTU_DISCOVERY'} eq 'yes') ||
- ($vpnsettings{'PMTU_DISCOVERY'} eq 'maybe') ||
- ($vpnsettings{'PMTU_DISCOVERY'} eq 'no' ))
- { print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu 1500\r\n"; }
+ { print CLIENTCONF "tun-mtu 1500\r\n"; }
else
- { print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu $vpnsettings{'DMTU'}\r\n"; }
+ { print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n"; }
if ( $vpnsettings{'ENABLED'} eq 'on'){
print CLIENTCONF "remote $vpnsettings{'VPN_IP'} $vpnsettings{'DDEST_PORT'}\r\n";
print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
}
+ my $file_crt = new File::Temp( UNLINK => 1 );
+ my $file_key = new File::Temp( UNLINK => 1 );
+ my $include_certs = 0;
+
if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") {
- print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
- $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
+ if ($cgiparams{'MODE'} eq 'insecure') {
+ $include_certs = 1;
+
+ # Add the CA
+ print CLIENTCONF ";ca cacert.pem\r\n";
+ $zip->addFile("${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n";
+
+ # Extract the certificate
+ system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
+ '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:');
+ if ($?) {
+ die "openssl error: $?";
+ }
+
+ $zip->addFile("$file_crt", "$confighash{$cgiparams{'KEY'}}[1].pem") or die;
+ print CLIENTCONF ";cert $confighash{$cgiparams{'KEY'}}[1].pem\r\n";
+
+ # Extract the key
+ system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
+ '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:');
+ if ($?) {
+ die "openssl error: $?";
+ }
+
+ $zip->addFile("$file_key", "$confighash{$cgiparams{'KEY'}}[1].key") or die;
+ print CLIENTCONF ";key $confighash{$cgiparams{'KEY'}}[1].key\r\n";
+ } else {
+ print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
+ $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
+ }
} else {
print CLIENTCONF "ca cacert.pem\r\n";
print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n";
print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
}
if ($vpnsettings{'TLSAUTH'} eq 'on') {
- print CLIENTCONF "tls-auth ta.key 1\r\n";
- $zip->addFile( "${General::swroot}/ovpn/ca/ta.key", "ta.key") or die "Can't add file ta.key\n";
+ if ($cgiparams{'MODE'} eq 'insecure') {
+ print CLIENTCONF ";";
+ }
+ print CLIENTCONF "tls-auth ta.key\r\n";
+ $zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key") or die "Can't add file ta.key\n";
}
if ($vpnsettings{DCOMPLZO} eq 'on') {
print CLIENTCONF "comp-lzo\r\n";
}
print CLIENTCONF "verb 3\r\n";
- print CLIENTCONF "ns-cert-type server\r\n";
- print CLIENTCONF "tls-remote $vpnsettings{ROOTCERT_HOSTNAME}\r\n";
+ # Check host certificate if X509 is RFC3280 compliant.
+ # If not, old --ns-cert-type directive will be used.
+ # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
+ my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+ if ($hostcert !~ /TLS Web Server Authentication/) {
+ print CLIENTCONF "ns-cert-type server\r\n";
+ } else {
+ print CLIENTCONF "remote-cert-tls server\r\n";
+ }
+ print CLIENTCONF "verify-x509-name $vpnsettings{ROOTCERT_HOSTNAME} name\r\n";
if ($vpnsettings{MSSFIX} eq 'on') {
print CLIENTCONF "mssfix\r\n";
}
print CLIENTCONF "fragment $vpnsettings{'FRAGMENT'}\r\n";
}
- # Check if a valid operating mode has been choosen and use it.
- if (($vpnsettings{'PMTU_DISCOVERY'} eq 'yes') ||
- ($vpnsettings{'PMTU_DISCOVERY'} eq 'maybe') ||
- ($vpnsettings{'PMTU_DISCOVERY'} eq 'no' )) {
- if(($vpnsettings{MSSFIX} ne 'on') || ($vpnsettings{FRAGMENT} eq '')) {
- print CLIENTCONF "mtu-disc $vpnsettings{'PMTU_DISCOVERY'}\r\n";
+ if ($include_certs) {
+ print CLIENTCONF "\r\n";
+
+ # CA
+ open(FILE, "<${General::swroot}/ovpn/ca/cacert.pem");
+ print CLIENTCONF "<ca>\r\n";
+ while (<FILE>) {
+ chomp($_);
+ print CLIENTCONF "$_\r\n";
+ }
+ print CLIENTCONF "</ca>\r\n\r\n";
+ close(FILE);
+
+ # Cert
+ open(FILE, "<$file_crt");
+ print CLIENTCONF "<cert>\r\n";
+ while (<FILE>) {
+ chomp($_);
+ print CLIENTCONF "$_\r\n";
+ }
+ print CLIENTCONF "</cert>\r\n\r\n";
+ close(FILE);
+
+ # Key
+ open(FILE, "<$file_key");
+ print CLIENTCONF "<key>\r\n";
+ while (<FILE>) {
+ chomp($_);
+ print CLIENTCONF "$_\r\n";
+ }
+ print CLIENTCONF "</key>\r\n\r\n";
+ close(FILE);
+
+ # TLS auth
+ if ($vpnsettings{'TLSAUTH'} eq 'on') {
+ open(FILE, "<${General::swroot}/ovpn/certs/ta.key");
+ print CLIENTCONF "<tls-auth>\r\n";
+ while (<FILE>) {
+ chomp($_);
+ print CLIENTCONF "$_\r\n";
+ }
+ print CLIENTCONF "</tls-auth>\r\n\r\n";
+ close(FILE);
}
}
+
+ # Print client.conf.local if entries exist to client.ovpn
+ if (!-z $local_clientconf && $vpnsettings{'ADDITIONAL_CONFIGS'} eq 'on') {
+ open (LCC, "$local_clientconf");
+ print CLIENTCONF "\n#---------------------------\n";
+ print CLIENTCONF "# Start of custom directives\n";
+ print CLIENTCONF "# from client.conf.local\n";
+ print CLIENTCONF "#---------------------------\n\n";
+ while (<LCC>) {
+ print CLIENTCONF $_;
+ }
+ print CLIENTCONF "\n#---------------------------\n";
+ print CLIENTCONF "# End of custom directives\n";
+ print CLIENTCONF "#---------------------------\n\n";
+ close (LCC);
+ }
close(CLIENTCONF);
$zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n";
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) {
- &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
- &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
+ &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
+ &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
- if ($confighash{$cgiparams{'KEY'}}) {
-# if ($vpnsettings{'ENABLED'} eq 'on' ||
-# $vpnsettings{'ENABLED_BLUE'} eq 'on') {
-# system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});
-# }
-#
- my $temp = `/usr/bin/openssl ca -revoke ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`;
+ if ($confighash{$cgiparams{'KEY'}}) {
+ # Revoke certificate if certificate was deleted and rewrite the CRL
+ my $temp = `/usr/bin/openssl ca -revoke ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`;
+ my $tempA = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`;
###
# m.a.d net2net
###
-if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') {
- my $conffile = glob("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]/$confighash{$cgiparams{'KEY'}}[1].conf");
- my $certfile = glob("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
- unlink ($certfile);
- unlink ($conffile);
+ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') {
+ # Stop the N2N connection before it is removed
+ system("/usr/local/bin/openvpnctrl -kn2n $confighash{$cgiparams{'KEY'}}[1] &>/dev/null");
- if (-e "${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") {
- rmdir ("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") || die "Kann Verzeichnis nicht loeschen: $!";
- }
-}
+ my $conffile = glob("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]/$confighash{$cgiparams{'KEY'}}[1].conf");
+ my $certfile = glob("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
+ unlink ($certfile);
+ unlink ($conffile);
- unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
- unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
+ if (-e "${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") {
+ rmdir ("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") || die "Kann Verzeichnis nicht loeschen: $!";
+ }
+ }
+
+ unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
+ unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
# A.Marx CCD delete ccd files and routes
-
- if (-f "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]")
- {
- unlink "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]";
- }
-
- &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
- foreach my $key (keys %ccdroutehash) {
- if ($ccdroutehash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){
- delete $ccdroutehash{$key};
+ if (-f "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]")
+ {
+ unlink "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]";
}
- }
- &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
- &General::readhasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
- foreach my $key (keys %ccdroute2hash) {
- if ($ccdroute2hash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){
- delete $ccdroute2hash{$key};
+ &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
+ foreach my $key (keys %ccdroutehash) {
+ if ($ccdroutehash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){
+ delete $ccdroutehash{$key};
+ }
}
- }
- &General::writehasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
- &writeserverconf;
-
+ &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
-# CCD end
+ &General::readhasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
+ foreach my $key (keys %ccdroute2hash) {
+ if ($ccdroute2hash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){
+ delete $ccdroute2hash{$key};
+ }
+ }
+ &General::writehasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
+ &writeserverconf;
-
- delete $confighash{$cgiparams{'KEY'}};
- my $temp2 = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`;
- &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
+# CCD end
+ # Update collectd configuration and delete all RRD files of the removed connection
+ &writecollectdconf();
+ system ("/usr/local/bin/openvpnctrl -drrd $confighash{$cgiparams{'KEY'}}[1]");
- #&writeserverconf();
- } else {
- $errormessage = $Lang::tr{'invalid key'};
- }
+ delete $confighash{$cgiparams{'KEY'}};
+ my $temp2 = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`;
+ &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
+
+ } else {
+ $errormessage = $Lang::tr{'invalid key'};
+ }
&General::firewall_reload();
###
exit(0);
}
+###
+### Display tls-auth key
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show tls-auth key'}) {
+
+ if (! -e "${General::swroot}/ovpn/certs/ta.key") {
+ $errormessage = $Lang::tr{'not present'};
+ } else {
+ &Header::showhttpheaders();
+ &Header::openpage($Lang::tr{'ovpn'}, 1, '');
+ &Header::openbigbox('100%', 'LEFT', '', '');
+ &Header::openbox('100%', 'LEFT', "$Lang::tr{'ta key'}:");
+ my $output = `/bin/cat ${General::swroot}/ovpn/certs/ta.key`;
+ $output = &Header::cleanhtml($output,"y");
+ print "<pre>$output</pre>\n";
+ &Header::closebox();
+ print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
+ &Header::closebigbox();
+ &Header::closepage();
+ exit(0);
+ }
+
###
### Display Certificate Revoke List
###
if ($cgiparams{'LOG_VERB'} eq '') {
$cgiparams{'LOG_VERB'} = '3';
}
- if ($cgiparams{'PMTU_DISCOVERY'} eq '') {
- $cgiparams{'PMTU_DISCOVERY'} = 'off';
- }
- if ($cgiparams{'DAUTH'} eq '') {
- $cgiparams{'DAUTH'} = 'SHA1';
- }
- if ($cgiparams{'DAUTH'} eq '') {
- $cgiparams{'DAUTH'} = 'SHA1';
- }
- if ($cgiparams{'ENGINES'} eq '') {
- $cgiparams{'ENGINES'} = 'disabled';
- }
- if ($cgiparams{'TLSAUTH'} eq '') {
- $cgiparams{'TLSAUTH'} = 'off';
- }
if ($cgiparams{'DAUTH'} eq '') {
- $cgiparams{'DAUTH'} = 'SHA1';
+ $cgiparams{'DAUTH'} = 'SHA512';
}
if ($cgiparams{'TLSAUTH'} eq '') {
- $cgiparams{'TLSAUTH'} = 'off';
+ $cgiparams{'TLSAUTH'} = 'off';
}
$checked{'CLIENT2CLIENT'}{'off'} = '';
$checked{'CLIENT2CLIENT'}{'on'} = '';
$checked{'REDIRECT_GW_DEF1'}{'off'} = '';
$checked{'REDIRECT_GW_DEF1'}{'on'} = '';
$checked{'REDIRECT_GW_DEF1'}{$cgiparams{'REDIRECT_GW_DEF1'}} = 'CHECKED';
+ $checked{'ADDITIONAL_CONFIGS'}{'off'} = '';
+ $checked{'ADDITIONAL_CONFIGS'}{'on'} = '';
+ $checked{'ADDITIONAL_CONFIGS'}{$cgiparams{'ADDITIONAL_CONFIGS'}} = 'CHECKED';
$checked{'MSSFIX'}{'off'} = '';
$checked{'MSSFIX'}{'on'} = '';
$checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
- $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\'';
$selected{'LOG_VERB'}{'0'} = '';
$selected{'LOG_VERB'}{'1'} = '';
$selected{'LOG_VERB'}{'2'} = '';
</table>
<hr size='1'>
<table width='100%'>
- <tr>
+ <tr>
<td class'base'><b>$Lang::tr{'misc-options'}</b></td>
- </tr>
- <tr>
+ </tr>
+
+ <tr>
<td width='20%'></td> <td width='15%'> </td><td width='15%'> </td><td width='15%'></td><td width='35%'></td>
- </tr>
- <tr>
+ </tr>
+
+ <tr>
<td class='base'>Client-To-Client</td>
<td><input type='checkbox' name='CLIENT2CLIENT' $checked{'CLIENT2CLIENT'}{'on'} /></td>
- </tr>
- <tr>
+ </tr>
+
+ <tr>
<td class='base'>Redirect-Gateway def1</td>
<td><input type='checkbox' name='REDIRECT_GW_DEF1' $checked{'REDIRECT_GW_DEF1'}{'on'} /></td>
- </tr>
- <tr>
- <td class='base'>Max-Clients</td>
- <td><input type='text' name='MAX_CLIENTS' value='$cgiparams{'MAX_CLIENTS'}' size='10' /></td>
- </tr>
+ </tr>
+
<tr>
- <td class='base'>Keepalive <br />
- (ping/ping-restart)</td>
- <td><input type='TEXT' name='KEEPALIVE_1' value='$cgiparams{'KEEPALIVE_1'}' size='10' /></td>
- <td><input type='TEXT' name='KEEPALIVE_2' value='$cgiparams{'KEEPALIVE_2'}' size='10' /></td>
- </tr>
+ <td class='base'>$Lang::tr{'ovpn add conf'}</td>
+ <td><input type='checkbox' name='ADDITIONAL_CONFIGS' $checked{'ADDITIONAL_CONFIGS'}{'on'} /></td>
+ <td>$Lang::tr{'openvpn default'}: off</td>
+ </tr>
+
<tr>
- <td class='base'>fragment <br></td>
- <td><input type='TEXT' name='FRAGMENT' value='$cgiparams{'FRAGMENT'}' size='10' /></td>
- </tr>
- <tr>
- <td class='base'>mssfix</td>
- <td><input type='checkbox' name='MSSFIX' $checked{'MSSFIX'}{'on'} /></td>
- <td>$Lang::tr{'openvpn default'}: off</td>
- </tr>
+ <td class='base'>mssfix</td>
+ <td><input type='checkbox' name='MSSFIX' $checked{'MSSFIX'}{'on'} /></td>
+ <td>$Lang::tr{'openvpn default'}: off</td>
+ </tr>
+
+ <tr>
+ <td class='base'>fragment <br></td>
+ <td><input type='TEXT' name='FRAGMENT' value='$cgiparams{'FRAGMENT'}' size='10' /></td>
+ </tr>
+
+ <tr>
+ <td class='base'>Max-Clients</td>
+ <td><input type='text' name='MAX_CLIENTS' value='$cgiparams{'MAX_CLIENTS'}' size='10' /></td>
+ </tr>
<tr>
- <td class='base'>$Lang::tr{'ovpn mtu-disc'}</td>
- <td><input type='radio' name='PMTU_DISCOVERY' value='yes' $checked{'PMTU_DISCOVERY'}{'yes'} /> $Lang::tr{'ovpn mtu-disc yes'}</td>
- <td><input type='radio' name='PMTU_DISCOVERY' value='maybe' $checked{'PMTU_DISCOVERY'}{'maybe'} /> $Lang::tr{'ovpn mtu-disc maybe'}</td>
- <td><input type='radio' name='PMTU_DISCOVERY' value='no' $checked{'PMTU_DISCOVERY'}{'no'} /> $Lang::tr{'ovpn mtu-disc no'}</td>
- <td><input type='radio' name='PMTU_DISCOVERY' value='off' $checked{'PMTU_DISCOVERY'}{'off'} /> $Lang::tr{'ovpn mtu-disc off'}</td>
+ <td class='base'>Keepalive <br />
+ (ping/ping-restart)</td>
+ <td><input type='TEXT' name='KEEPALIVE_1' value='$cgiparams{'KEEPALIVE_1'}' size='10' /></td>
+ <td><input type='TEXT' name='KEEPALIVE_2' value='$cgiparams{'KEEPALIVE_2'}' size='10' /></td>
</tr>
</table>
<option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
<option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
<option value='SHA256' $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
- <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'})</option>
+ <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
</select>
</td>
<td>$Lang::tr{'openvpn default'}: <span class="base">SHA1 (160 $Lang::tr{'bit'})</span></td>
<tr>
<th><b>$Lang::tr{'common name'}</b></th>
<th><b>$Lang::tr{'real address'}</b></th>
+ <th><b>$Lang::tr{'country'}</b></th>
<th><b>$Lang::tr{'virtual address'}</b></th>
<th><b>$Lang::tr{'loged in at'}</b></th>
<th><b>$Lang::tr{'bytes sent'}</b></th>
</tr>
END
;
- my $filename = "/var/log/ovpnserver.log";
+ my $filename = "/var/run/ovpnserver.log";
open(FILE, $filename) or die 'Unable to open config file.';
my @current = <FILE>;
close(FILE);
$users[$uid]{'BytesSent'} = &sizeformat($match[4]);
$users[$uid]{'Since'} = $match[5];
$users[$uid]{'Proto'} = $proto;
+
+ # get country code for "RealAddress"...
+ my $ccode = &GeoIP::lookup((split ':', $users[$uid]{'RealAddress'})[0]);
+ my $flag_icon = &GeoIP::get_flag_icon($ccode);
+ $users[$uid]{'Country'} = "<a href='country.cgi#$ccode'><img src='$flag_icon' border='0' align='absmiddle' alt='$ccode' title='$ccode' /></a>";
$uid++;
}
}
}
print "<td align='left' $col>$users[$idx-1]{'CommonName'}</td>";
print "<td align='left' $col>$users[$idx-1]{'RealAddress'}</td>";
- print "<td align='left' $col>$users[$idx-1]{'VirtualAddress'}</td>";
+ print "<td align='center' $col>$users[$idx-1]{'Country'}</td>";
+ print "<td align='center' $col>$users[$idx-1]{'VirtualAddress'}</td>";
print "<td align='left' $col>$users[$idx-1]{'Since'}</td>";
print "<td align='left' $col>$users[$idx-1]{'BytesSent'}</td>";
print "<td align='left' $col>$users[$idx-1]{'BytesReceived'}</td>";
$errormessage = $Lang::tr{'invalid key'};
}
-###
-### Remove connection
-###
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) {
- &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
- &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
-
- if ($confighash{$cgiparams{'KEY'}}) {
-# if ($vpnsettings{'ENABLED'} eq 'on' ||
-# $vpnsettings{'ENABLED_BLUE'} eq 'on') {
-# system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});
-# }
- unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
- unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
- delete $confighash{$cgiparams{'KEY'}};
- &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
- #&writeserverconf();
- } else {
- $errormessage = $Lang::tr{'invalid key'};
- }
-#test33
-
-###
-### Choose between adding a host-net or net-net connection
-###
-
###
# m.a.d net2net
###
<tr><td><input type='radio' name='TYPE' value='net2net' /></td>
<td class='base'>$Lang::tr{'net to net vpn'} (Upload Client Package)</td></tr>
<tr><td> </td><td class='base'><input type='file' name='FH' size='30'></td></tr>
- <tr><td> </td><td>Import Connection Name <img src='/blob.gif' /></td></tr>
+ <tr><td> </td><td>Import Connection Name</td></tr>
<tr><td> </td><td class='base'><input type='text' name='n2nname' size='30'>$Lang::tr{'openvpn default'}: Client Packagename</td></tr>
<tr><td colspan='3'><hr /></td></tr>
<tr><td align='right' colspan='3'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td></tr>
- <tr><td class='base' colspan='3' align='left'><img src='/blob.gif' alt='*' /> $Lang::tr{'this field may be blank'}</td></tr>
</form></table>
END
;
@firen2nconf = <FILE>;
close (FILE);
chomp(@firen2nconf);
-
} else {
$errormessage = "Filecount does not match only 2 files are allowed\n";
unless(-d "${General::swroot}/ovpn/n2nconf/"){mkdir "${General::swroot}/ovpn/n2nconf", 0755 or die "Unable to create dir $!";}
unless(-d "${General::swroot}/ovpn/n2nconf/$n2nname[0]"){mkdir "${General::swroot}/ovpn/n2nconf/$n2nname[0]", 0770 or die "Unable to create dir $!";}
+ #Add collectd settings to configfile
+ open(FILE, ">> $tempdir/$uplconffilename") or die 'Unable to open config file.';
+ print FILE "# Logfile\n";
+ print FILE "status-version 1\n";
+ print FILE "status /var/run/openvpn/$n2nname[0]-n2n 10\n";
+ close FILE;
+
move("$tempdir/$uplconffilename", "${General::swroot}/ovpn/n2nconf/$n2nname[0]/$uplconffilename2");
if ($? ne 0) {
my $mssfixactive;
my $authactive;
my $n2nfragment;
-my $authactive;
-my @n2nmtudisc = split(/ /, (grep { /^mtu-disc/ } @firen2nconf)[0]);
my @n2nproto2 = split(/ /, (grep { /^proto/ } @firen2nconf)[0]);
my @n2nproto = split(/-/, $n2nproto2[1]);
my @n2nport = split(/ /, (grep { /^port/ } @firen2nconf)[0]);
$n2nlocalsub[2] =~ s/\n|\r//g;
$n2nfragment[1] =~ s/\n|\r//g;
$n2nmgmt[2] =~ s/\n|\r//g;
-$n2nmtudisc[1] =~ s/\n|\r//g;
$n2ncipher[1] =~ s/\n|\r//g;
$n2nauth[1] =~ s/\n|\r//g;
chomp ($complzoactive);
$confighash{$key}[29] = $n2nport[1];
$confighash{$key}[30] = $complzoactive;
$confighash{$key}[31] = $n2ntunmtu[1];
- $confighash{$key}[38] = $n2nmtudisc[1];
$confighash{$key}[39] = $n2nauth[1];
$confighash{$key}[40] = $n2ncipher[1];
$confighash{$key}[41] = 'disabled';
<tr><td class='boldbase' nowrap='nowrap'>MSSFIX:</td><td><b>$confighash{$key}[23]</b></td></tr>
<tr><td class='boldbase' nowrap='nowrap'>Fragment:</td><td><b>$confighash{$key}[24]</b></td></tr>
<tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'MTU'}</td><td><b>$confighash{$key}[31]</b></td></tr>
- <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn mtu-disc'}</td><td><b>$confighash{$key}[38]</b></td></tr>
<tr><td class='boldbase' nowrap='nowrap'>Management Port </td><td><b>$confighash{$key}[22]</b></td></tr>
<tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn hmac'}:</td><td><b>$confighash{$key}[39]</b></td></tr>
<tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td><td><b>$confighash{$key}[40]</b></td></tr>
$cgiparams{'CCD_DNS1'} = $confighash{$cgiparams{'KEY'}}[35];
$cgiparams{'CCD_DNS2'} = $confighash{$cgiparams{'KEY'}}[36];
$cgiparams{'CCD_WINS'} = $confighash{$cgiparams{'KEY'}}[37];
- $cgiparams{'PMTU_DISCOVERY'} = $confighash{$cgiparams{'KEY'}}[38];
$cgiparams{'DAUTH'} = $confighash{$cgiparams{'KEY'}}[39];
$cgiparams{'DCIPHER'} = $confighash{$cgiparams{'KEY'}}[40];
$cgiparams{'TLSAUTH'} = $confighash{$cgiparams{'KEY'}}[41];
goto VPNCONF_ERROR;
}
- if ($cgiparams{'PMTU_DISCOVERY'} ne 'off') {
- if (($cgiparams{'FRAGMENT'} ne '') || ($cgiparams{'MSSFIX'} eq 'on')) {
- $errormessage = $Lang::tr{'ovpn mtu-disc with mssfix or fragment'};
- unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
- rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
- goto VPNCONF_ERROR;
- }
- }
-
- if (($cgiparams{'PMTU_DISCOVERY'} ne 'off') && ($cgiparams{'MTU'} ne '1500')) {
- $errormessage = $Lang::tr{'ovpn mtu-disc and mtu not 1500'};
- unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
- rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
- goto VPNCONF_ERROR;
- }
-
if ( &validdotmask ($cgiparams{'LOCAL_SUBNET'})) {
$errormessage = $Lang::tr{'openvpn prefix local subnet'};
unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
goto VPNCONF_ERROR;
}
+ # Check for N2N that OpenSSL maximum of valid days will not be exceeded
+ if ($cgiparams{'TYPE'} eq 'net') {
+ if ($cgiparams{'DAYS_VALID'} >= '999999') {
+ $errormessage = $Lang::tr{'invalid input for valid till days'};
+ unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
+ rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
+ goto VPNCONF_ERROR;
+ }
+ }
+
if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
$errormessage = $Lang::tr{'invalid input'};
goto VPNCONF_ERROR;
}
my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`;
- $temp =~ /Subject:.*CN=(.*)[\n]/;
+ $temp =~ /Subject:.*CN\s?=\s?(.*)[\n]/;
$temp = $1;
$temp =~ s+/Email+, E+;
$temp =~ s/ ST=/ S=/;
}
my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`;
- $temp =~ /Subject:.*CN=(.*)[\n]/;
+ $temp =~ /Subject:.*CN\s?=\s?(.*)[\n]/;
$temp = $1;
$temp =~ s+/Email+, E+;
$temp =~ s/ ST=/ S=/;
$errormessage = $Lang::tr{'name too long'};
goto VPNCONF_ERROR;
}
- if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
+ if ($cgiparams{'CERT_NAME'} eq '' || $cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
$errormessage = $Lang::tr{'invalid input for name'};
- unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
- rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
goto VPNCONF_ERROR;
}
if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) {
$errormessage = $Lang::tr{'passwords do not match'};
goto VPNCONF_ERROR;
}
+ if ($cgiparams{'DAYS_VALID'} eq '' && $cgiparams{'DAYS_VALID'} !~ /^[0-9]+$/) {
+ $errormessage = $Lang::tr{'invalid input for valid till days'};
+ goto VPNCONF_ERROR;
+ }
+
+ # Check for RW that OpenSSL maximum of valid days will not be exceeded
+ if ($cgiparams{'TYPE'} eq 'host') {
+ if ($cgiparams{'DAYS_VALID'} >= '999999') {
+ $errormessage = $Lang::tr{'invalid input for valid till days'};
+ goto VPNCONF_ERROR;
+ }
+ }
+
+ # Check for RW if client name is already set
+ if ($cgiparams{'TYPE'} eq 'host') {
+ foreach my $key (keys %confighash) {
+ if ($confighash{$key}[1] eq $cgiparams{'NAME'}) {
+ $errormessage = $Lang::tr{'a connection with this name already exists'};
+ goto VPNCONF_ERROR;
+ }
+ }
+ }
# Replace empty strings with a .
(my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./;
goto VPNCONF_ERROR;
}
} else { # child
- unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache',
+ unless (exec ('/usr/bin/openssl', 'req', '-nodes',
'-newkey', 'rsa:2048',
'-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
'-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
$confighash{$key}[35] = $cgiparams{'CCD_DNS1'};
$confighash{$key}[36] = $cgiparams{'CCD_DNS2'};
$confighash{$key}[37] = $cgiparams{'CCD_WINS'};
- $confighash{$key}[38] = $cgiparams{'PMTU_DISCOVERY'};
$confighash{$key}[39] = $cgiparams{'DAUTH'};
$confighash{$key}[40] = $cgiparams{'DCIPHER'};
+ if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
+ $confighash{$key}[41] = "no-pass";
+ }
+
&General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
if ($cgiparams{'CHECK1'} ){
###
$cgiparams{'MSSFIX'} = 'on';
$cgiparams{'FRAGMENT'} = '1300';
- $cgiparams{'PMTU_DISCOVERY'} = 'off';
- $cgiparams{'DAUTH'} = 'SHA1';
+ $cgiparams{'DAUTH'} = 'SHA512';
###
# m.a.d n2n end
###
$cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'};
$cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'};
$cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'};
+ $cgiparams{'DAYS_VALID'} = $vpnsettings{'DAYS_VALID'} = '730';
}
VPNCONF_ERROR:
$checked{'MSSFIX'}{'on'} = '';
$checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
- if ($cgiparams{'PMTU_DISCOVERY'} eq '') {
- $cgiparams{'PMTU_DISCOVERY'} = 'off';
- }
- $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\'';
-
+ $selected{'DCIPHER'}{'AES-256-GCM'} = '';
+ $selected{'DCIPHER'}{'AES-192-GCM'} = '';
+ $selected{'DCIPHER'}{'AES-128-GCM'} = '';
$selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
$selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
$selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
&Header::openbox('100%', 'LEFT', "$Lang::tr{'connection'}:");
print "<table width='100%' border='0'>\n";
- print "<tr><td width='14%' class='boldbase'>$Lang::tr{'name'}: </td>";
+ print "<tr><td width='14%' class='boldbase'>$Lang::tr{'name'}: <img src='/blob.gif' alt='*' /></td>";
if ($cgiparams{'TYPE'} eq 'host') {
if ($cgiparams{'KEY'}) {
} else {
print "<td width='25%'><input type='text' name='NAME' value='$cgiparams{'NAME'}' maxlength='20' /></td>";
}
+
+ # If GCM ciphers are in usage, HMAC menu is disabled
+ my $hmacdisabled;
+ if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') ||
+ ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') ||
+ ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) {
+ $hmacdisabled = "disabled='disabled'";
+ };
+
print <<END;
<td width='25%'> </td>
<td width='25%'> </td></tr>
<td><input type='TEXT' name='REMOTE' value='$cgiparams{'REMOTE'}' /></td>
</tr>
- <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'local subnet'}</td>
+ <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'local subnet'} <img src='/blob.gif' alt='*' /></td>
<td><input type='TEXT' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' /></td>
- <td class='boldbase' nowrap='nowrap'>$Lang::tr{'remote subnet'}</td>
+ <td class='boldbase' nowrap='nowrap'>$Lang::tr{'remote subnet'} <img src='/blob.gif' alt='*' /></td>
<td><input type='text' name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' /></td>
</tr>
- <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn subnet'}</td>
+ <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn subnet'} <img src='/blob.gif' alt='*' /></td>
<td><input type='TEXT' name='OVPN_SUBNET' value='$cgiparams{'OVPN_SUBNET'}' /></td>
<td class='boldbase' nowrap='nowrap'>$Lang::tr{'protocol'}</td>
</tr>
<tr>
- <td class='boldbase'>$Lang::tr{'destination port'}:</td>
+ <td class='boldbase'>$Lang::tr{'destination port'}: <img src='/blob.gif' alt='*' /></td>
<td><input type='TEXT' name='DEST_PORT' value='$cgiparams{'DEST_PORT'}' size='5' /></td>
- <td class='boldbase' nowrap='nowrap'>Management Port ($Lang::tr{'openvpn default'}: <span class="base">$Lang::tr{'destination port'}): <img src='/blob.gif' /></td>
+ <td class='boldbase' nowrap='nowrap'>Management Port ($Lang::tr{'openvpn default'}: <span class="base">$Lang::tr{'destination port'}):</td>
<td> <input type='TEXT' name='OVPN_MGMT' VALUE='$cgiparams{'OVPN_MGMT'}'size='5' /></td>
</tr>
<td class'base'><b>$Lang::tr{'MTU settings'}</b></td>
</tr>
- <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'MTU'} <img src='/blob.gif' /></td>
+ <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'MTU'}</td>
<td><input type='TEXT' name='MTU' VALUE='$cgiparams{'MTU'}'size='5' /></td>
<td colspan='2'>$Lang::tr{'openvpn default'}: udp/tcp <span class="base">1500/1400</span></td>
</tr>
- <tr><td class='boldbase' nowrap='nowrap'>fragment <img src='/blob.gif' /></td>
+ <tr><td class='boldbase' nowrap='nowrap'>fragment:</td>
<td><input type='TEXT' name='FRAGMENT' VALUE='$cgiparams{'FRAGMENT'}'size='5' /></td>
<td>$Lang::tr{'openvpn default'}: <span class="base">1300</span></td>
</tr>
- <tr><td class='boldbase' nowrap='nowrap'>mssfix <img src='/blob.gif' /></td>
+ <tr><td class='boldbase' nowrap='nowrap'>mssfix:</td>
<td><input type='checkbox' name='MSSFIX' $checked{'MSSFIX'}{'on'} /></td>
<td>$Lang::tr{'openvpn default'}: <span class="base">on</span></td>
</tr>
- <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'} <img src='/blob.gif'</td>
+ <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'}</td>
<td><input type='checkbox' name='COMPLZO' $checked{'COMPLZO'}{'on'} /></td>
</tr>
- <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn mtu-disc'}</td>
- <td colspan='3'>
- <input type='radio' name='PMTU_DISCOVERY' value='yes' $checked{'PMTU_DISCOVERY'}{'yes'} /> $Lang::tr{'ovpn mtu-disc yes'}
- <input type='radio' name='PMTU_DISCOVERY' value='maybe' $checked{'PMTU_DISCOVERY'}{'maybe'} /> $Lang::tr{'ovpn mtu-disc maybe'}
- <input type='radio' name='PMTU_DISCOVERY' value='no' $checked{'PMTU_DISCOVERY'}{'no'} /> $Lang::tr{'ovpn mtu-disc no'}
- <input type='radio' name='PMTU_DISCOVERY' value='off' $checked{'PMTU_DISCOVERY'}{'off'} /> $Lang::tr{'ovpn mtu-disc off'}
- </td>
- </tr>
-
<tr><td colspan=4><hr /></td></tr><tr>
<tr>
<td class'base'><b>$Lang::tr{'ovpn crypt options'}:</b></td>
</tr>
<tr><td class='boldbase'>$Lang::tr{'cipher'}</td>
- <td><select name='DCIPHER'>
+ <td><select name='DCIPHER' id="n2ncipher" required>
+ <option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
+ <option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
+ <option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
<option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
<option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
<option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
- <option value='AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'})</option>
+ <option value='AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'}, $Lang::tr{'default'})</option>
<option value='AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
<option value='AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
- <option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'})</option>
- <option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'})</option>
- <option value='SEED-CBC' $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
- <option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'})</option>
- <option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'})</option>
- <option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'})</option>
+ <option value='SEED-CBC' $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
+ <option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+ <option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+ <option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+ <option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+ <option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
</select>
</td>
<td class='boldbase'>$Lang::tr{'ovpn ha'}:</td>
- <td><select name='DAUTH'>
+ <td><select name='DAUTH' id="n2nhmac" $hmacdisabled>
<option value='whirlpool' $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
<option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
<option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
<option value='SHA256' $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
- <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'} Default)</option>
+ <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
</select>
</td>
</tr>
END
;
}
+
+#### JAVA SCRIPT ####
+# Validate N2N cipher. If GCM will be used, HMAC menu will be disabled onchange
+print<<END;
+ <script>
+ var disable_options = false;
+ document.getElementById('n2ncipher').onchange = function () {
+ if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM")) {
+ document.getElementById('n2nhmac').setAttribute('disabled', true);
+ } else {
+ document.getElementById('n2nhmac').removeAttribute('disabled');
+ }
+ }
+ </script>
+END
+
#jumper
- print "<tr><td class='boldbase'>$Lang::tr{'remark title'} <img src='/blob.gif' /></td>";
+ print "<tr><td class='boldbase'>$Lang::tr{'remark title'}</td>";
print "<td colspan='3'><input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='55' maxlength='50' /></td></tr></table>";
if ($cgiparams{'TYPE'} eq 'host') {
<tr><td colspan='3'><hr /></td></tr>
<tr><td colspan='3'> </td></tr>
<tr><td><input type='radio' name='AUTH' value='certgen' $checked{'AUTH'}{'certgen'} $cakeydisabled /></td><td class='base'>$Lang::tr{'generate a certificate'}</td><td> </td></tr>
- <tr><td> </td><td class='base'>$Lang::tr{'users fullname or system hostname'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' SIZE='32' $cakeydisabled /></td></tr>
- <tr><td> </td><td class='base'>$Lang::tr{'users email'}: <img src='/blob.gif' /></td><td class='base' nowrap='nowrap'><input type='text' name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' SIZE='32' $cakeydisabled /></td></tr>
- <tr><td> </td><td class='base'>$Lang::tr{'users department'}: <img src='/blob.gif' /></td><td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' SIZE='32' $cakeydisabled /></td></tr>
- <tr><td> </td><td class='base'>$Lang::tr{'organization name'}: <img src='/blob.gif' /></td><td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' SIZE='32' $cakeydisabled /></td></tr>
- <tr><td> </td><td class='base'>$Lang::tr{'city'}: <img src='/blob.gif'></td><td class='base' nowrap='nowrap'><input type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' SIZE='32' $cakeydisabled /></td></tr>
- <tr><td> </td><td class='base'>$Lang::tr{'state or province'}: <img src='/blob.gif' /></td><td class='base' nowrap='nowrap'><input type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' SIZE='32' $cakeydisabled /></td></tr>
+ <tr><td> </td><td class='base'>$Lang::tr{'users fullname or system hostname'}: <img src='/blob.gif' alt='*' /></td><td class='base' nowrap='nowrap'><input type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' SIZE='32' $cakeydisabled /></td></tr>
+ <tr><td> </td><td class='base'>$Lang::tr{'users email'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' SIZE='32' $cakeydisabled /></td></tr>
+ <tr><td> </td><td class='base'>$Lang::tr{'users department'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' SIZE='32' $cakeydisabled /></td></tr>
+ <tr><td> </td><td class='base'>$Lang::tr{'organization name'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' SIZE='32' $cakeydisabled /></td></tr>
+ <tr><td> </td><td class='base'>$Lang::tr{'city'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' SIZE='32' $cakeydisabled /></td></tr>
+ <tr><td> </td><td class='base'>$Lang::tr{'state or province'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' SIZE='32' $cakeydisabled /></td></tr>
<tr><td> </td><td class='base'>$Lang::tr{'country'}:</td><td class='base'><select name='CERT_COUNTRY' $cakeydisabled>
END
;
<table width='100%' cellpadding='0' cellspacing='5' border='0'>
<tr><td><input type='radio' name='AUTH' value='certgen' $checked{'AUTH'}{'certgen'} $cakeydisabled /></td><td class='base'>$Lang::tr{'generate a certificate'}</td><td> </td></tr>
- <tr><td> </td><td class='base'>$Lang::tr{'users fullname or system hostname'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' SIZE='32' $cakeydisabled /></td></tr>
- <tr><td> </td><td class='base'>$Lang::tr{'users email'}: <img src='/blob.gif' /></td><td class='base' nowrap='nowrap'><input type='text' name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' SIZE='32' $cakeydisabled /></td></tr>
- <tr><td> </td><td class='base'>$Lang::tr{'users department'}: <img src='/blob.gif' /></td><td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' SIZE='32' $cakeydisabled /></td></tr>
- <tr><td> </td><td class='base'>$Lang::tr{'organization name'}: <img src='/blob.gif' /></td><td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' SIZE='32' $cakeydisabled /></td></tr>
- <tr><td> </td><td class='base'>$Lang::tr{'city'}: <img src='/blob.gif'></td><td class='base' nowrap='nowrap'><input type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' SIZE='32' $cakeydisabled /></td></tr>
- <tr><td> </td><td class='base'>$Lang::tr{'state or province'}: <img src='/blob.gif' /></td><td class='base' nowrap='nowrap'><input type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' SIZE='32' $cakeydisabled /></td></tr>
+ <tr><td> </td><td class='base'>$Lang::tr{'users fullname or system hostname'}: <img src='/blob.gif' alt='*' /></td><td class='base' nowrap='nowrap'><input type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' SIZE='32' $cakeydisabled /></td></tr>
+ <tr><td> </td><td class='base'>$Lang::tr{'users email'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' SIZE='32' $cakeydisabled /></td></tr>
+ <tr><td> </td><td class='base'>$Lang::tr{'users department'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' SIZE='32' $cakeydisabled /></td></tr>
+ <tr><td> </td><td class='base'>$Lang::tr{'organization name'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' SIZE='32' $cakeydisabled /></td></tr>
+ <tr><td> </td><td class='base'>$Lang::tr{'city'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' SIZE='32' $cakeydisabled /></td></tr>
+ <tr><td> </td><td class='base'>$Lang::tr{'state or province'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' SIZE='32' $cakeydisabled /></td></tr>
<tr><td> </td><td class='base'>$Lang::tr{'country'}:</td><td class='base'><select name='CERT_COUNTRY' $cakeydisabled>
if ($cgiparams{'TYPE'} eq 'host') {
print <<END;
- </select></td></tr>
-
- <td> </td><td class='base'>$Lang::tr{'valid till'} (days):</td>
- <td class='base' nowrap='nowrap'><input type='text' name='DAYS_VALID' value='$cgiparams{'DAYS_VALID'}' size='32' $cakeydisabled /></td></tr>
- <tr><td> </td>
+ </select></td></tr>
+ <td> </td><td class='base'>$Lang::tr{'valid till'} (days): <img src='/blob.gif' alt='*' /</td>
+ <td class='base' nowrap='nowrap'><input type='text' name='DAYS_VALID' value='$cgiparams{'DAYS_VALID'}' size='32' $cakeydisabled /></td></tr>
+ <tr><td> </td>
<td class='base'>$Lang::tr{'pkcs12 file password'}:</td>
<td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS1' value='$cgiparams{'CERT_PASS1'}' size='32' $cakeydisabled /></td></tr>
- <tr><td> </td><td class='base'>$Lang::tr{'pkcs12 file password'}:<br>($Lang::tr{'confirmation'})</td>
+ <tr><td> </td><td class='base'>$Lang::tr{'pkcs12 file password'}:<br>($Lang::tr{'confirmation'})</td>
<td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS2' value='$cgiparams{'CERT_PASS2'}' size='32' $cakeydisabled /></td></tr>
- <tr><td colspan='3'> </td></tr>
- <tr><td colspan='3'><hr /></td></tr>
- <tr><td class='base' colspan='3' align='left'><img src='/blob.gif' alt='*' /> $Lang::tr{'this field may be blank'}</td></tr>
- </table>
+ <tr><td colspan='3'> </td></tr>
+ <tr><td colspan='3'><hr /></td></tr>
+ <tr><td class='base' colspan='3' align='left'><img src='/blob.gif' alt='*' /> $Lang::tr{'required field'}</td></tr>
+ </table>
END
}else{
print <<END;
- </select></td></tr>
- <tr><td> </td><td> </td><td> </td></tr>
- <tr><td> </td><td> </td><td> </td></tr>
- <tr><td colspan='3'><hr /></td></tr>
- <tr><td class='base' colspan='3' align='left'><img src='/blob.gif' alt='*' /> $Lang::tr{'this field may be blank'}</td></tr>
+ </select></td></tr>
+ <td> </td><td class='base'>$Lang::tr{'valid till'} (days): <img src='/blob.gif' alt='*' /</td>
+ <td class='base' nowrap='nowrap'><input type='text' name='DAYS_VALID' value='$cgiparams{'DAYS_VALID'}' size='32' $cakeydisabled /></td></tr>
+ <tr><td> </td><td> </td><td> </td></tr>
+ <tr><td> </td><td> </td><td> </td></tr>
+ <tr><td colspan='3'><hr /></td></tr>
+ <tr><td class='base' colspan='3' align='left'><img src='/blob.gif' alt='*' /> $Lang::tr{'required field'}</td></tr>
</table>
END
}
if ($set == '1' && $#temp != -1){ print"<option selected>$temp[1]</option>";$set=0;}elsif($set == '0' && $#temp != -1){print"<option>$temp[1]</option>";}
}
+
+ my %vpnconfig = ();
+ &General::readhasharray("${General::swroot}/vpn/config", \%vpnconfig);
+ foreach my $vpn (keys %vpnconfig) {
+ # Skip all disabled VPN connections
+ my $enabled = $vpnconfig{$vpn}[0];
+ next unless ($enabled eq "on");
+
+ my $name = $vpnconfig{$vpn}[1];
+
+ # Remote subnets
+ my @networks = split(/\|/, $vpnconfig{$vpn}[11]);
+ foreach my $network (@networks) {
+ my $selected = "";
+
+ foreach my $key (keys %ccdroute2hash) {
+ if ($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}) {
+ foreach my $i (1 .. $#{$ccdroute2hash{$key}}) {
+ if ($ccdroute2hash{$key}[$i] eq $network) {
+ $selected = "selected";
+ }
+ }
+ }
+ }
+
+ print "<option value=\"$network\" $selected>$name ($network)</option>\n";
+ }
+ }
+
#check if green,blue,orange are defined for client
foreach my $key (keys %ccdroute2hash) {
if($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}){
&General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
&General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
- my @status = `/bin/cat /var/log/ovpnserver.log`;
+ my @status = `/bin/cat /var/run/ovpnserver.log`;
if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {
if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
$cgiparams{'MSSFIX'} = 'off';
}
if ($cgiparams{'DAUTH'} eq '') {
- $cgiparams{'DAUTH'} = 'SHA1';
- }
- if ($cgiparams{'ENGINES'} eq '') {
- $cgiparams{'ENGINES'} = 'disabled';
+ $cgiparams{'DAUTH'} = 'SHA512';
}
if ($cgiparams{'DOVPN_SUBNET'} eq '') {
$cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0';
$checked{'ENABLED_ORANGE'}{'off'} = '';
$checked{'ENABLED_ORANGE'}{'on'} = '';
$checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = 'CHECKED';
- $selected{'DDEVICE'}{'tun'} = '';
- $selected{'DDEVICE'}{'tap'} = '';
- $selected{'DDEVICE'}{$cgiparams{'DDEVICE'}} = 'SELECTED';
$selected{'DPROTOCOL'}{'udp'} = '';
$selected{'DPROTOCOL'}{'tcp'} = '';
$selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
+ $selected{'DCIPHER'}{'AES-256-GCM'} = '';
+ $selected{'DCIPHER'}{'AES-192-GCM'} = '';
+ $selected{'DCIPHER'}{'AES-128-GCM'} = '';
$selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
$selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
$selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
&Header::closebox();
}
+ if ($cryptoerror) {
+ &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto error'});
+ print "<class name='base'>$cryptoerror";
+ print " </class>";
+ &Header::closebox();
+ }
+
+ if ($cryptowarning) {
+ &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto warning'});
+ print "<class name='base'>$cryptowarning";
+ print " </class>";
+ &Header::closebox();
+ }
+
if ($warnmessage) {
&Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'});
print "$warnmessage<br>";
print <<END;
<tr><td class='base' nowrap='nowrap' colspan='2'>$Lang::tr{'local vpn hostname/ip'}:<br /><input type='text' name='VPN_IP' value='$cgiparams{'VPN_IP'}' size='30' /></td>
<td class='boldbase' nowrap='nowrap' colspan='2'>$Lang::tr{'ovpn subnet'}<br /><input type='TEXT' name='DOVPN_SUBNET' value='$cgiparams{'DOVPN_SUBNET'}' size='30' /></td></tr>
- <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn device'}</td>
- <td><select name='DDEVICE' ><option value='tun' $selected{'DDEVICE'}{'tun'}>TUN</option>
- <!-- this is still not working
- <option value='tap' $selected{'DDEVICE'}{'tap'}>TAP</option></select>--> </td>
<tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'protocol'}</td>
<td><select name='DPROTOCOL'><option value='udp' $selected{'DPROTOCOL'}{'udp'}>UDP</option>
<option value='tcp' $selected{'DPROTOCOL'}{'tcp'}>TCP</option></select></td>
<td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td>
<td><select name='DCIPHER'>
+ <option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
+ <option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
+ <option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
<option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
<option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
<option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
<option value='AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'})</option>
<option value='AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
<option value='AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
- <option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'})</option>
- <option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'})</option>
<option value='SEED-CBC' $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
- <option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'})</option>
- <option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'})</option>
- <option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'})</option>
+ <option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+ <option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+ <option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+ <option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+ <option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
</select>
</td>
<tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'}</td>
###
&Header::openbox('100%', 'LEFT', $Lang::tr{'connection status and controlc' });
- print <<END;
-
-
- <table width='100%' cellspacing='1' cellpadding='0' class='tbl'>
-<tr>
- <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></th>
- <th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th>
- <th width='22%' class='boldbase' align='center'><b>$Lang::tr{'network'}</b></th>
- <th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
- <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
- <th width='5%' class='boldbase' colspan='6' align='center'><b>$Lang::tr{'action'}</b></th>
-</tr>
-END
;
my $id = 0;
my $gif;
my $col1="";
- foreach my $key (sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) {
+ my $lastnet;
+ foreach my $key (sort { ncmp ($confighash{$a}[32],$confighash{$b}[32]) } sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) {
+ if ($confighash{$key}[32] eq "" && $confighash{$key}[3] eq 'net' ){$confighash{$key}[32]=$Lang::tr{'fwhost OpenVPN N-2-N'};}
+ if ($confighash{$key}[32] eq "dynamic"){$confighash{$key}[32]=$Lang::tr{'ccd dynrange'};}
+ if($id == 0){
+ print"<b>$confighash{$key}[32]</b>";
+ print <<END;
+ <table width='100%' cellspacing='1' cellpadding='0' class='tbl'>
+<tr>
+ <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></th>
+ <th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th>
+ <th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
+ <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
+ <th width='5%' class='boldbase' colspan='7' align='center'><b>$Lang::tr{'action'}</b></th>
+</tr>
+END
+ }
+ if ($id > 0 && $lastnet ne $confighash{$key}[32]){
+ print "</table><br>";
+ print"<b>$confighash{$key}[32]</b>";
+ print <<END;
+ <table width='100%' cellspacing='1' cellpadding='0' class='tbl'>
+<tr>
+ <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></th>
+ <th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th>
+ <th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
+ <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
+ <th width='5%' class='boldbase' colspan='7' align='center'><b>$Lang::tr{'action'}</b></th>
+</tr>
+END
+ }
if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; }
if ($id % 2) {
print "<tr>";
my $cavalid = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`;
$cavalid =~ /Not After : (.*)[\n]/;
$cavalid = $1;
- if ($confighash{$key}[32] eq "" && $confighash{$key}[3] eq 'net' ){$confighash{$key}[32]="net-2-net";}
- if ($confighash{$key}[32] eq "" && $confighash{$key}[3] eq 'host' ){$confighash{$key}[32]="dynamic";}
- print "<td align='center' $col>$confighash{$key}[32]</td>";
print "<td align='center' $col>$confighash{$key}[25]</td>";
$col1="bgcolor='${Header::colourred}'";
my $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>";
</td></form>
END
;
+
+ if ($confighash{$key}[41] eq "no-pass") {
+ print <<END;
+ <form method='post' name='frm${key}g'><td align='center' $col>
+ <input type='image' name='$Lang::tr{'dl client arch insecure'}' src='/images/openvpn.png'
+ alt='$Lang::tr{'dl client arch insecure'}' title='$Lang::tr{'dl client arch insecure'}' border='0' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
+ <input type='hidden' name='MODE' value='insecure' />
+ <input type='hidden' name='KEY' value='$key' />
+ </td></form>
+END
+ } else {
+ print "<td $col> </td>";
+ }
+
if ($confighash{$key}[4] eq 'cert') {
print <<END;
<form method='post' name='frm${key}b'><td align='center' $col>
END
;
$id++;
+ $lastnet = $confighash{$key}[32];
}
+ print"</table>";
;
# If the config file contains entries, print Key to action icons
;
&Header::closebox();
}
+
+ # CA/key listing
&Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate authorities'}");
print <<END;
<table width='100%' cellspacing='1' cellpadding='0' class='tbl'>
END
;
my $col1="bgcolor='$color{'color22'}'";
- my $col2="bgcolor='$color{'color20'}'";
+ my $col2="bgcolor='$color{'color20'}'";
+ # DH parameter line
+ my $col3="bgcolor='$color{'color22'}'";
+ # ta.key line
+ my $col4="bgcolor='$color{'color20'}'";
+
if (-f "${General::swroot}/ovpn/ca/cacert.pem") {
my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`;
$casubject =~ /Subject: (.*)[\n]/;
<tr>
<td class='base' $col1>$Lang::tr{'root certificate'}</td>
<td class='base' $col1>$casubject</td>
- <form method='post' name='frmrootcrta'><td width='3%' align='center' $col1>
+ <form method='post' name='frmrootcrta'><td width='3%' align='center' $col1>
<input type='hidden' name='ACTION' value='$Lang::tr{'show root certificate'}' />
<input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show root certificate'}' title='$Lang::tr{'show root certificate'}' width='20' height='20' border='0' />
- </td></form>
- <form method='post' name='frmrootcrtb'><td width='3%' align='center' $col1>
+ </form>
+ <form method='post' name='frmrootcrtb'><td width='3%' align='center' $col1>
<input type='image' name='$Lang::tr{'download root certificate'}' src='/images/media-floppy.png' alt='$Lang::tr{'download root certificate'}' title='$Lang::tr{'download root certificate'}' border='0' />
<input type='hidden' name='ACTION' value='$Lang::tr{'download root certificate'}' />
- </td></form>
- <td width='4%' $col1> </td></tr>
+ </form>
+ <td width='4%' $col1> </td>
+ </tr>
END
;
} else {
<tr>
<td class='base' $col1>$Lang::tr{'root certificate'}:</td>
<td class='base' $col1>$Lang::tr{'not present'}</td>
- <td colspan='3' $col1> </td></tr>
+ <td colspan='3' $col1> </td>
+ </tr>
END
;
}
<tr>
<td class='base' $col2>$Lang::tr{'host certificate'}</td>
<td class='base' $col2>$hostsubject</td>
- <form method='post' name='frmhostcrta'><td width='3%' align='center' $col2>
+ <form method='post' name='frmhostcrta'><td width='3%' align='center' $col2>
<input type='hidden' name='ACTION' value='$Lang::tr{'show host certificate'}' />
<input type='image' name='$Lang::tr{'show host certificate'}' src='/images/info.gif' alt='$Lang::tr{'show host certificate'}' title='$Lang::tr{'show host certificate'}' width='20' height='20' border='0' />
- </td></form>
- <form method='post' name='frmhostcrtb'><td width='3%' align='center' $col2>
+ </form>
+ <form method='post' name='frmhostcrtb'><td width='3%' align='center' $col2>
<input type='image' name="$Lang::tr{'download host certificate'}" src='/images/media-floppy.png' alt="$Lang::tr{'download host certificate'}" title="$Lang::tr{'download host certificate'}" border='0' />
<input type='hidden' name='ACTION' value="$Lang::tr{'download host certificate'}" />
- </td></form>
- <td width='4%' $col2> </td></tr>
+ </td></form>
+ <td width='4%' $col2> </td>
+ </tr>
END
;
} else {
<tr>
<td width='25%' class='base' $col2>$Lang::tr{'host certificate'}:</td>
<td class='base' $col2>$Lang::tr{'not present'}</td>
- </td><td colspan='3' $col2> </td></tr>
+ </td><td colspan='3' $col2> </td>
+ </tr>
+END
+ ;
+ }
+
+ # Adding DH parameter to chart
+ if (-f "${General::swroot}/ovpn/ca/dh1024.pem") {
+ my $dhsubject = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/dh1024.pem`;
+ $dhsubject =~ / (.*)[\n]/;
+ $dhsubject = $1;
+
+
+ print <<END;
+ <tr>
+ <td class='base' $col3>$Lang::tr{'dh parameter'}</td>
+ <td class='base' $col3>$dhsubject</td>
+ <form method='post' name='frmdhparam'><td width='3%' align='center' $col3>
+ <input type='hidden' name='ACTION' value='$Lang::tr{'show dh'}' />
+ <input type='image' name='$Lang::tr{'show dh'}' src='/images/info.gif' alt='$Lang::tr{'show dh'}' title='$Lang::tr{'show dh'}' width='20' height='20' border='0' />
+ </form>
+ <form method='post' name='frmdhparam'><td width='3%' align='center' $col3>
+ </form>
+ <td width='4%' $col3> </td>
+ </tr>
+END
+ ;
+ } else {
+ # Nothing
+ print <<END;
+ <tr>
+ <td width='25%' class='base' $col3>$Lang::tr{'dh parameter'}:</td>
+ <td class='base' $col3>$Lang::tr{'not present'}</td>
+ </td><td colspan='3' $col3> </td>
+ </tr>
+END
+ ;
+ }
+
+ # Adding ta.key to chart
+ if (-f "${General::swroot}/ovpn/certs/ta.key") {
+ my $tasubject = `/bin/cat ${General::swroot}/ovpn/certs/ta.key`;
+ $tasubject =~ /# (.*)[\n]/;
+ $tasubject = $1;
+ print <<END;
+
+ <tr>
+ <td class='base' $col4>$Lang::tr{'ta key'}</td>
+ <td class='base' $col4>$tasubject</td>
+ <form method='post' name='frmtakey'><td width='3%' align='center' $col4>
+ <input type='hidden' name='ACTION' value='$Lang::tr{'show tls-auth key'}' />
+ <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show tls-auth key'}' title='$Lang::tr{'show tls-auth key'}' width='20' height='20' border='0' />
+ </form>
+ <form method='post' name='frmtakey'><td width='3%' align='center' $col4>
+ <input type='image' name='$Lang::tr{'download tls-auth key'}' src='/images/media-floppy.png' alt='$Lang::tr{'download tls-auth key'}' title='$Lang::tr{'download tls-auth key'}' border='0' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'download tls-auth key'}' />
+ </form>
+ <td width='4%' $col4> </td>
+ </tr>
+END
+ ;
+ } else {
+ # Nothing
+ print <<END;
+ <tr>
+ <td width='25%' class='base' $col4>$Lang::tr{'ta key'}:</td>
+ <td class='base' $col4>$Lang::tr{'not present'}</td>
+ <td colspan='3' $col4> </td>
+ </tr>
END
;
}
}
print <<END
- <hr size='1'>
+
+ <br><hr><br>
+
<form method='post' enctype='multipart/form-data'>
- <table width='100%' border='0'cellspacing='1' cellpadding='0'>
- <tr>
- <td class='base' nowrap='nowrap'>$Lang::tr{'ca name'}:</td>
- <td nowrap='nowrap'><input type='text' name='CA_NAME' value='$cgiparams{'CA_NAME'}' size='15' align='left'/></td>
- <td nowrap='nowrap'><input type='file' name='FH' size='25' />
- <td nowrap='nowrap' align='right'><input type='submit' name='ACTION' value='$Lang::tr{'upload ca certificate'}' /></td>
- </tr>
+ <table border='0' width='100%'>
+ <tr>
+ <td colspan='4'><b>$Lang::tr{'upload ca certificate'}</b></td>
+ </tr>
- <tr align='right'>
- <td colspan='4' align='right' width='80%'><input type='submit' name='ACTION' value='$Lang::tr{'show crl'}' /></td>
- </tr>
+ <tr>
+ <td width='10%'>$Lang::tr{'ca name'}:</td>
+ <td width='30%'><input type='text' name='CA_NAME' value='$cgiparams{'CA_NAME'}' size='15' align='left'></td>
+ <td width='30%'><input type='file' name='FH' size='25'>
+ <td width='30%'align='right'><input type='submit' name='ACTION' value='$Lang::tr{'upload ca certificate'}'></td>
+ </tr>
- <tr><td colspan=4><hr /></td></tr><tr>
- <tr>
- <td class'base'><b>$Lang::tr{'ovpn dh parameters'}:</b></td>
- </tr>
+ <tr>
+ <td colspan='3'> </td>
+ <td align='right'><input type='submit' name='ACTION' value='$Lang::tr{'show crl'}' /></td>
+ </tr>
+ </table>
- <tr>
- <td class='base' nowrap='nowrap'>$Lang::tr{'ovpn dh upload'}:</td>
- <td nowrap='nowrap'><size='15' align='left'/></td>
- <td nowrap='nowrap'><input type='file' name='FH' size='25' />
- <td colspan='4' align='right'><input type='submit' name='ACTION' value='$Lang::tr{'upload dh key'}' /></td>
- </tr>
- <tr>
- <td class='base' nowrap='nowrap'>$Lang::tr{'ovpn dh new key'}:</td>
- <td nowrap='nowrap'><size='15' align='left'/></td>
- <td nowrap='nowrap'><input type='submit' name='ACTION' value='$Lang::tr{'generate dh key'}' /></td>
- </tr>
- <tr>
- <td colspan='4' align='right'><input type='submit' name='ACTION' value='$Lang::tr{'show dh'}' /></td>
- </tr>
- </table>
+ <br>
+
+ <table border='0' width='100%'>
+ <tr>
+ <td colspan='4'><b>$Lang::tr{'ovpn dh parameters'}</b></td>
+ </tr>
+
+ <tr>
+ <td width='40%'>$Lang::tr{'ovpn dh upload'}:</td>
+ <td width='30%'><input type='file' name='FH' size='25'>
+ <td width='30%' align='right'><input type='submit' name='ACTION' value='$Lang::tr{'upload dh key'}'></td>
+ </tr>
+
+ <tr>
+ <td width='40%'>$Lang::tr{'ovpn dh new key'}:</td>
+ <td colspan='2' width='60%' align='right'><input type='submit' name='ACTION' value='$Lang::tr{'generate dh key'}' /></td>
+ </tr>
+ </table>
+ </form>
- <tr><td colspan=4><hr /></td></tr><tr>
+ <br><hr>
END
;
projects / ipfire-2.x.git / blobdiff