GeoIP: Add lookup function for convenience
index 54237b9a3e0b969f4db7a9c3f1956a3a3a312715..ceb88c1569d07e6190a99f7fb0dcae67712163a2 100644 (file)
@@ -926,7 +926,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
   print SERVERCONF "ifconfig $ovsubnet.1 $ovsubnet.2\n"; 
   print SERVERCONF "# Client Gateway Network\n"; 
   print SERVERCONF "route $remsubnet[0] $remsubnet[1]\n";
-  print SERVERCONF "up /etc/init.d/static-routes start\n";
+  print SERVERCONF "up \"/etc/init.d/static-routes start\"\n";
   print SERVERCONF "# tun Device\n"; 
   print SERVERCONF "dev tun\n"; 
   print SERVERCONF "#Logfile for statistics\n";
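Review bot: The `up` directive written at L10 only takes effect if the generated server config also carries `script-security 2`; from OpenVPN 2.1 onward the daemon refuses to run a user-supplied up script at the default level 1, so the tunnel would come up without the static routes and only a log line would say why. That directive is not visible in this hunk, so if it is not emitted elsewhere in this block, add `print SERVERCONF "script-security 2\n";` next to the `up` line. The same consideration applies to the client-side `up` line added at L18.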
@@ -1026,8 +1026,12 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
   print CLIENTCONF "ifconfig $ovsubnet.2 $ovsubnet.1\n"; 
   print CLIENTCONF "# Server Gateway Network\n"; 
   print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n"; 
+  print CLIENTCONF "up \"/etc/init.d/static-routes start\"\n";
   print CLIENTCONF "# tun Device\n"; 
   print CLIENTCONF "dev tun\n"; 
+  print CLIENTCONF "#Logfile for statistics\n";
+  print CLIENTCONF "status-version 1\n";
+  print CLIENTCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n";
   print CLIENTCONF "# Port and Protokol\n"; 
   print CLIENTCONF "port $cgiparams{'DEST_PORT'}\n"; 
 
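Review bot: The `status` line at L23 interpolates `$cgiparams{'NAME'}` unquoted into a filesystem path inside the generated config, and this hunk does not show where NAME is constrained; the hunk header already uses it for `mkdir`, so validation presumably happens earlier, but if NAME may contain whitespace or `/` the status path breaks or points outside /var/run/openvpn. If there is no anchored check yet, a `[A-Za-z0-9_-]+` whitelist before the config is written would make both the mkdir and this directive safe. The identical three lines are added again at L48–L50.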
@@ -1057,8 +1061,15 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
                }
         }
   }
-  print CLIENTCONF "ns-cert-type server\n";   
+  # Check host certificate if X509 is RFC3280 compliant.
+  # If not, old --ns-cert-type directive will be used.
+  # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
+  my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+  if ($hostcert !~ /TLS Web Server Authentication/) {
+       print CLIENTCONF "ns-cert-type server\n";
+  } else {
+       print CLIENTCONF "remote-cert-tls server\n";
+  }
   print CLIENTCONF "# Auth. Client\n"; 
   print CLIENTCONF "tls-client\n"; 
   print CLIENTCONF "# Cipher\n"; 
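Review bot: The backtick result at L35 is never checked, so if servercert.pem is missing or unreadable `$hostcert` is empty, the `!~` test at L36 matches, and the generated client config silently falls back to `ns-cert-type server`, the deprecated directive the change is trying to retire, instead of failing. The exact same nine lines reappear at L59–L67 and (with `\r\n` endings) at L131–L139, so a single helper that dies on an openssl failure and returns the directive is preferable; each site then becomes `print CLIENTCONF server_cert_check_directive() . "\n";` (or `. "\r\n"` in the third site). The list-form pipe open also avoids passing `${General::swroot}` through a shell.
```perl
# Decide which client directive pins the server certificate's role.
# Dies rather than silently emitting the weaker ns-cert-type if the
# server certificate cannot be read.
sub server_cert_check_directive {
	my $pem = "${General::swroot}/ovpn/certs/servercert.pem";
	open(my $fh, '-|', '/usr/bin/openssl', 'x509', '-noout', '-text', '-in', $pem)
		or die "cannot run openssl: $!";
	my $text = do { local $/; <$fh> };
	close($fh) or die "cannot read server certificate $pem (openssl status $?)";
	return ($text =~ /TLS Web Server Authentication/)
		? 'remote-cert-tls server'
		: 'ns-cert-type server';
}
```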
@@ -2139,6 +2150,9 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
    print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n";
    print CLIENTCONF "# tun Device\n"; 
    print CLIENTCONF "dev tun\n"; 
+   print CLIENTCONF "#Logfile for statistics\n";
+   print CLIENTCONF "status-version 1\n";
+   print CLIENTCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n";
    print CLIENTCONF "# Port and Protokoll\n"; 
    print CLIENTCONF "port $confighash{$cgiparams{'KEY'}}[29]\n"; 
    
@@ -2166,7 +2180,15 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
                }
        }
    }
-   print CLIENTCONF "ns-cert-type server\n";   
+   # Check host certificate if X509 is RFC3280 compliant.
+   # If not, old --ns-cert-type directive will be used.
+   # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
+   my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+   if ($hostcert !~ /TLS Web Server Authentication/) {
+               print CLIENTCONF "ns-cert-type server\n";
+   } else {
+               print CLIENTCONF "remote-cert-tls server\n";
+   }
    print CLIENTCONF "# Auth. Client\n"; 
    print CLIENTCONF "tls-client\n"; 
    print CLIENTCONF "# Cipher\n";
@@ -2266,9 +2288,41 @@ else
        print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
     }
                        
+    my $file_crt = new File::Temp( UNLINK => 1 );
+    my $file_key = new File::Temp( UNLINK => 1 );
+    my $include_certs = 0;
+
     if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") { 
-       print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
-       $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
+       if ($cgiparams{'MODE'} eq 'insecure') {
+               $include_certs = 1;
+
+               # Add the CA
+               print CLIENTCONF ";ca cacert.pem\r\n";
+               $zip->addFile("${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem")  or die "Can't add file cacert.pem\n";
+
+               # Extract the certificate
+               system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
+                       '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:');
+               if ($?) {
+                       die "openssl error: $?";
+               }
+
+               $zip->addFile("$file_crt", "$confighash{$cgiparams{'KEY'}}[1].pem") or die;
+               print CLIENTCONF ";cert $confighash{$cgiparams{'KEY'}}[1].pem\r\n";
+
+               # Extract the key
+               system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
+                       '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:');
+               if ($?) {
+                       die "openssl error: $?";
+               }
+
+               $zip->addFile("$file_key", "$confighash{$cgiparams{'KEY'}}[1].key") or die;
+               print CLIENTCONF ";key $confighash{$cgiparams{'KEY'}}[1].key\r\n";
+       } else {
+               print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
+               $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
+       }
     } else {
        print CLIENTCONF "ca cacert.pem\r\n";
        print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n";
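Review bot: The branch at L82 honours `MODE=insecure` purely on the request parameter; the `[41] eq "no-pass"` test at L277 only decides whether the button is rendered, so a crafted POST for a password-protected entry reaches the `openssl pkcs12 ... -passin pass:` calls, which then fail and surface as a bare `die "openssl error: $?"` 500 rather than a meaningful refusal. Mirroring the check server-side, e.g. `die "insecure export is only available for no-pass connections\n" unless $confighash{$cgiparams{'KEY'}}[41] eq "no-pass";` before L82, makes the gate explicit and keeps the error path readable. Separately, `new File::Temp( UNLINK => 1 )` at L75–L76 is indirect object syntax and should be `File::Temp->new(UNLINK => 1)`, and the two bare `or die;` at L96 and L106 should name the file they failed to add, as the surrounding `addFile` calls do.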
@@ -2283,6 +2337,9 @@ else
        print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
     }
     if ($vpnsettings{'TLSAUTH'} eq 'on') {
+       if ($cgiparams{'MODE'} eq 'insecure') {
+               print CLIENTCONF ";";
+       }
        print CLIENTCONF "tls-auth ta.key\r\n";
        $zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key")  or die "Can't add file ta.key\n";
     }
@@ -2290,8 +2347,16 @@ else
         print CLIENTCONF "comp-lzo\r\n";
     }
     print CLIENTCONF "verb 3\r\n";
-    print CLIENTCONF "ns-cert-type server\r\n";
-    print CLIENTCONF "tls-remote $vpnsettings{ROOTCERT_HOSTNAME}\r\n"; 
+       # Check host certificate if X509 is RFC3280 compliant.
+       # If not, old --ns-cert-type directive will be used.
+       # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
+       my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+       if ($hostcert !~ /TLS Web Server Authentication/) {
+               print CLIENTCONF "ns-cert-type server\r\n";
+       } else {
+               print CLIENTCONF "remote-cert-tls server\r\n";
+       }
+    print CLIENTCONF "verify-x509-name $vpnsettings{ROOTCERT_HOSTNAME} name\r\n";
     if ($vpnsettings{MSSFIX} eq 'on') {
        print CLIENTCONF "mssfix\r\n";
     }
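Review bot: The new block at L131–L139 is indented with tabs while the enclosing code in this section uses four spaces (L128, L140), so the `if`/`else` visually reads one nesting level deeper than it is; reindent it to match its neighbours. The `verify-x509-name ... name` directive at L140 requires OpenVPN 2.3 or newer on the client, whereas the `tls-remote` it replaces was accepted by older releases, so this is worth a comment such as `# verify-x509-name needs OpenVPN >= 2.3 on the client` and a release-note entry.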
@@ -2307,6 +2372,53 @@ else
                print CLIENTCONF "mtu-disc $vpnsettings{'PMTU_DISCOVERY'}\r\n";
        }
     }
+
+    if ($include_certs) {
+       print CLIENTCONF "\r\n";
+
+       # CA
+       open(FILE, "<${General::swroot}/ovpn/ca/cacert.pem");
+       print CLIENTCONF "<ca>\r\n";
+       while (<FILE>) {
+               chomp($_);
+               print CLIENTCONF "$_\r\n";
+       }
+       print CLIENTCONF "</ca>\r\n\r\n";
+       close(FILE);
+
+       # Cert
+       open(FILE, "<$file_crt");
+       print CLIENTCONF "<cert>\r\n";
+       while (<FILE>) {
+               chomp($_);
+               print CLIENTCONF "$_\r\n";
+       }
+       print CLIENTCONF "</cert>\r\n\r\n";
+       close(FILE);
+
+       # Key
+       open(FILE, "<$file_key");
+       print CLIENTCONF "<key>\r\n";
+       while (<FILE>) {
+               chomp($_);
+               print CLIENTCONF "$_\r\n";
+       }
+       print CLIENTCONF "</key>\r\n\r\n";
+       close(FILE);
+
+       # TLS auth
+       if ($vpnsettings{'TLSAUTH'} eq 'on') {
+               open(FILE, "<${General::swroot}/ovpn/certs/ta.key");
+               print CLIENTCONF "<tls-auth>\r\n";
+               while (<FILE>) {
+                       chomp($_);
+                       print CLIENTCONF "$_\r\n";
+               }
+               print CLIENTCONF "</tls-auth>\r\n\r\n";
+               close(FILE);
+       }
+    }
+
     # Print client.conf.local if entries exist to client.ovpn
     if (!-z $local_clientconf && $vpnsettings{'ADDITIONAL_CONFIGS'} eq 'on') {
        open (LCC, "$local_clientconf");
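Review bot: The four `open(FILE, "<...")` calls at L153, L163, L173 and L184 are two-argument opens on a bareword handle with no return check, so if cacert.pem or ta.key cannot be read the loop simply reads nothing and the exported profile contains an empty `<ca>` or `<tls-auth>` block, a failure the user only discovers when the client refuses to connect. Since the same eleven-line read-and-emit loop is repeated four times, a small helper with a three-argument lexical open that dies on failure removes both the silent error and the duplication; each site becomes one call, e.g. `print_inline_block('ca', "${General::swroot}/ovpn/ca/cacert.pem");`.
```perl
# Copy the file at $path into CLIENTCONF as an OpenVPN inline <$tag> block,
# normalising line endings to CRLF like the rest of the exported profile.
sub print_inline_block {
	my ($tag, $path) = @_;
	open(my $fh, '<', $path) or die "Can't open $path for inline <$tag>: $!";
	print CLIENTCONF "<$tag>\r\n";
	while (my $line = <$fh>) {
		chomp $line;
		print CLIENTCONF "$line\r\n";
	}
	print CLIENTCONF "</$tag>\r\n\r\n";
	close($fh);
}
```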
@@ -2542,7 +2654,7 @@ ADV_ERROR:
                $cgiparams{'PMTU_DISCOVERY'} = 'off';
     }
     if ($cgiparams{'DAUTH'} eq '') {
-               $cgiparams{'DAUTH'} = 'SHA1';
+               $cgiparams{'DAUTH'} = 'SHA512';
     }
     if ($cgiparams{'TLSAUTH'} eq '') {
                $cgiparams{'TLSAUTH'} = 'off';
@@ -2732,7 +2844,7 @@ print <<END;
                                <option value='SHA512'                  $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
                                <option value='SHA384'                  $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
                                <option value='SHA256'                  $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
-                               <option value='SHA1'                    $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'})</option>
+                               <option value='SHA1'                    $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
                        </select>
                </td>
                <td>$Lang::tr{'openvpn default'}: <span class="base">SHA1 (160 $Lang::tr{'bit'})</span></td>
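Review bot: With the form default changed to SHA512 at L203, the context line at L215 still shows `$Lang::tr{'openvpn default'}: SHA1 (160 bit)`. If that label means the daemon's own built-in default it remains accurate, but if it is meant to tell the user what this form preselects it now disagrees with the code and should either be updated or reworded so the distinction is clear. The `$Lang::tr{'vpn weak'}` key added at L212 and L241 presumably lands in the language files in the same change; if not, the option text will render with an empty suffix.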
@@ -4252,6 +4364,10 @@ if ($cgiparams{'TYPE'} eq 'net') {
        $confighash{$key}[39]           = $cgiparams{'DAUTH'};
        $confighash{$key}[40]           = $cgiparams{'DCIPHER'};
 
+       if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
+               $confighash{$key}[41] = "no-pass";
+       }
+
        &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
        
        if ($cgiparams{'CHECK1'} ){
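Review bot: The new condition at L220 only ever sets `$confighash{$key}[41]`; nothing clears it when `CERT_PASS1` is non-empty. If this code path also runs when an existing entry is saved again (not determinable from the hunk), a connection first created without a password keeps the `no-pass` marker after a password is set, and the insecure-export button at L277 stays available for it. An explicit else branch, `$confighash{$key}[41] = "";`, keeps the stored flag in step with the actual certificate protection.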
@@ -4361,7 +4477,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
         $cgiparams{'MSSFIX'} = 'on';
         $cgiparams{'FRAGMENT'} = '1300';
        $cgiparams{'PMTU_DISCOVERY'} = 'off';
-       $cgiparams{'DAUTH'} = 'SHA1';
+       $cgiparams{'DAUTH'} = 'SHA512';
 ###
 # m.a.d n2n end
 ###    
@@ -4612,7 +4728,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
                                <option value='SHA512'                  $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
                                <option value='SHA384'                  $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
                                <option value='SHA256'                  $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
-                               <option value='SHA1'                    $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'} Default)</option>
+                               <option value='SHA1'                    $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
                        </select>
                </td>
        </tr>
@@ -4944,7 +5060,7 @@ END
                $cgiparams{'MSSFIX'} = 'off';
     }
        if ($cgiparams{'DAUTH'} eq '') {
-               $cgiparams{'DAUTH'} = 'SHA1';
+               $cgiparams{'DAUTH'} = 'SHA512';
     }
     if ($cgiparams{'DOVPN_SUBNET'} eq '') {
                $cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0';
@@ -5128,7 +5244,7 @@ END
        <th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th>
        <th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
        <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
-       <th width='5%' class='boldbase' colspan='6' align='center'><b>$Lang::tr{'action'}</b></th>
+       <th width='5%' class='boldbase' colspan='7' align='center'><b>$Lang::tr{'action'}</b></th>
 </tr>
 END
                }
@@ -5142,7 +5258,7 @@ END
        <th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th>
        <th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
        <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
-       <th width='5%' class='boldbase' colspan='6' align='center'><b>$Lang::tr{'action'}</b></th>
+       <th width='5%' class='boldbase' colspan='7' align='center'><b>$Lang::tr{'action'}</b></th>
 </tr>
 END
                }
@@ -5241,6 +5357,21 @@ END
        </td></form>
 END
        ;
+
+       if ($confighash{$key}[41] eq "no-pass") {
+               print <<END;
+                       <form method='post' name='frm${key}g'><td align='center' $col>
+                               <input type='image'  name='$Lang::tr{'dl client arch insecure'}' src='/images/openvpn.png'
+                                       alt='$Lang::tr{'dl client arch insecure'}' title='$Lang::tr{'dl client arch insecure'}' border='0' />
+                               <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
+                               <input type='hidden' name='MODE' value='insecure' />
+                               <input type='hidden' name='KEY' value='$key' />
+                       </td></form>
+END
+       } else {
+               print "<td $col>&nbsp;</td>";
+       }
+
        if ($confighash{$key}[4] eq 'cert') {
            print <<END;
            <form method='post' name='frm${key}b'><td align='center' $col>