X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fovpnmain.cgi;h=0e8fad888573f8d8c2b2056062c040a09434abe2;hp=dac3e2ee29696354ada5253a471e893ee3a68319;hb=4be45949e9629cc141401957e291e1e5206adb39;hpb=b7d9509c3aebab95d559a3a7ad64f9d9655a3c07 diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index dac3e2ee29..0e8fad8885 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2013 IPFire Team # +# Copyright (C) 2007-2014 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -19,7 +19,7 @@ # # ############################################################################### ### -# Based on IPFireCore 55 +# Based on IPFireCore 77 ### use CGI; use CGI qw/:standard/; @@ -69,6 +69,7 @@ my $confighost="${General::swroot}/fwhosts/customhosts"; my $configgrp="${General::swroot}/fwhosts/customgroups"; my $customnet="${General::swroot}/fwhosts/customnetworks"; my $name; +my $col=""; &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); $cgiparams{'ENABLED'} = 'off'; $cgiparams{'ENABLED_BLUE'} = 'off'; @@ -79,6 +80,8 @@ $cgiparams{'COMPRESSION'} = 'off'; $cgiparams{'ONLY_PROPOSED'} = 'off'; $cgiparams{'ACTION'} = ''; $cgiparams{'CA_NAME'} = ''; +$cgiparams{'DH_NAME'} = 'dh1024.pem'; +$cgiparams{'DHLENGHT'} = ''; $cgiparams{'DHCP_DOMAIN'} = ''; $cgiparams{'DHCP_DNS'} = ''; $cgiparams{'DHCP_WINS'} = ''; @@ -87,6 +90,9 @@ $cgiparams{'DCOMPLZO'} = 'off'; $cgiparams{'MSSFIX'} = ''; $cgiparams{'number'} = ''; $cgiparams{'PMTU_DISCOVERY'} = ''; +$cgiparams{'DCIPHER'} = ''; +$cgiparams{'DAUTH'} = ''; +$cgiparams{'TLSAUTH'} = ''; $routes_push_file = "${General::swroot}/ovpn/routes_push"; unless (-e $routes_push_file) { system("touch $routes_push_file"); } unless (-e "${General::swroot}/ovpn/ccd.conf") { system("touch ${General::swroot}/ovpn/ccd.conf"); } @@ -166,104 +172,6 @@ sub deletebackupcert unlink ("${General::swroot}/ovpn/certs/$hexvalue.pem"); } } -sub checkportfw { - my $DPORT = shift; - my $DPROT = shift; - my %natconfig =(); - my $confignat = "${General::swroot}/firewall/config"; - $DPROT= uc ($DPROT); - &General::readhasharray($confignat, \%natconfig); - foreach my $key (sort keys %natconfig){ - my @portarray = split (/\|/,$natconfig{$key}[30]); - foreach my $value (@portarray){ - if ($value =~ /:/i){ - my ($a,$b) = split (":",$value); - if ($DPROT eq $natconfig{$key}[12] && $DPORT gt $a && $DPORT lt $b){ - $errormessage= "$Lang::tr{'source port in use'} $DPORT"; - } - }else{ - if ($DPROT eq $natconfig{$key}[12] && $DPORT eq $value){ - $errormessage= "$Lang::tr{'source port in use'} $DPORT"; - } - } - } - } - return; -} - -sub checkportoverlap -{ - my $portrange1 = $_[0]; # New port range - my $portrange2 = $_[1]; # existing port range - my @tempr1 = split(/\:/,$portrange1); - my @tempr2 = split(/\:/,$portrange2); - - unless (&checkportinc($tempr1[0], $portrange2)){ return 0;} - unless (&checkportinc($tempr1[1], $portrange2)){ return 0;} - - unless (&checkportinc($tempr2[0], $portrange1)){ return 0;} - unless (&checkportinc($tempr2[1], $portrange1)){ return 0;} - - return 1; # Everything checks out! -} - -# Darren Critchley - we want to make sure that a port entry is not within an already existing range -sub checkportinc -{ - my $port1 = $_[0]; # Port - my $portrange2 = $_[1]; # Port range - my @tempr1 = split(/\:/,$portrange2); - - if ($port1 < $tempr1[0] || $port1 > $tempr1[1]) { - return 1; - } else { - return 0; - } -} - -# Darren Critchley - certain ports are reserved for IPFire -# TCP 67,68,81,222,445 -# UDP 67,68 -# Params passed in -> port, rangeyn, protocol -sub disallowreserved -{ - # port 67 and 68 same for tcp and udp, don't bother putting in an array - my $msg = ""; - my @tcp_reserved = (81,222,445); - my $prt = $_[0]; # the port or range - my $ryn = $_[1]; # tells us whether or not it is a port range - my $prot = $_[2]; # protocol - my $srcdst = $_[3]; # source or destination - if ($ryn) { # disect port range - if ($srcdst eq "src") { - $msg = "$Lang::tr{'rsvd src port overlap'}"; - } else { - $msg = "$Lang::tr{'rsvd dst port overlap'}"; - } - my @tmprng = split(/\:/,$prt); - unless (67 < $tmprng[0] || 67 > $tmprng[1]) { $errormessage="$msg 67"; return; } - unless (68 < $tmprng[0] || 68 > $tmprng[1]) { $errormessage="$msg 68"; return; } - if ($prot eq "tcp") { - foreach my $prange (@tcp_reserved) { - unless ($prange < $tmprng[0] || $prange > $tmprng[1]) { $errormessage="$msg $prange"; return; } - } - } - } else { - if ($srcdst eq "src") { - $msg = "$Lang::tr{'reserved src port'}"; - } else { - $msg = "$Lang::tr{'reserved dst port'}"; - } - if ($prt == 67) { $errormessage="$msg 67"; return; } - if ($prt == 68) { $errormessage="$msg 68"; return; } - if ($prot eq "tcp") { - foreach my $prange (@tcp_reserved) { - if ($prange == $prt) { $errormessage="$msg $prange"; return; } - } - } - } - return; -} sub writeserverconf { my %sovpnsettings = (); @@ -286,14 +194,14 @@ sub writeserverconf { print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\n"; print CONF "client-config-dir /var/ipfire/ovpn/ccd\n"; print CONF "tls-server\n"; - print CONF "ca /var/ipfire/ovpn/ca/cacert.pem\n"; - print CONF "cert /var/ipfire/ovpn/certs/servercert.pem\n"; - print CONF "key /var/ipfire/ovpn/certs/serverkey.pem\n"; - print CONF "dh /var/ipfire/ovpn/ca/dh1024.pem\n"; + print CONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n"; + print CONF "cert ${General::swroot}/ovpn/certs/servercert.pem\n"; + print CONF "key ${General::swroot}/ovpn/certs/serverkey.pem\n"; + print CONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n"; my @tempovpnsubnet = split("\/",$sovpnsettings{'DOVPN_SUBNET'}); print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n"; #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n"; - + # Check if we are using mssfix, fragment or mtu-disc and set the corretct mtu of 1500. # If we doesn't use one of them, we can use the configured mtu value. if ($sovpnsettings{'MSSFIX'} eq 'on') @@ -301,8 +209,8 @@ sub writeserverconf { elsif ($sovpnsettings{'FRAGMENT'} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp') { print CONF "$sovpnsettings{'DDEVICE'}-mtu 1500\n"; } elsif (($sovpnsettings{'PMTU_DISCOVERY'} eq 'yes') || - ($sovpnsettings{'PMTU_DISCOVERY'} eq 'maybe') || - ($sovpnsettings{'PMTU_DISCOVERY'} eq 'no' )) + ($sovpnsettings{'PMTU_DISCOVERY'} eq 'maybe') || + ($sovpnsettings{'PMTU_DISCOVERY'} eq 'no' )) { print CONF "$sovpnsettings{'DDEVICE'}-mtu 1500\n"; } else { print CONF "$sovpnsettings{'DDEVICE'}-mtu $sovpnsettings{'DMTU'}\n"; } @@ -337,10 +245,10 @@ sub writeserverconf { print CONF "client-to-client\n"; } if ($sovpnsettings{MSSFIX} eq 'on') { - print CONF "mssfix\n"; + print CONF "mssfix\n"; } if ($sovpnsettings{FRAGMENT} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp') { - print CONF "fragment $sovpnsettings{'FRAGMENT'}\n"; + print CONF "fragment $sovpnsettings{'FRAGMENT'}\n"; } # Check if a valid operating mode has been choosen and use it. @@ -356,6 +264,14 @@ sub writeserverconf { print CONF "status-version 1\n"; print CONF "status /var/log/ovpnserver.log 30\n"; print CONF "cipher $sovpnsettings{DCIPHER}\n"; + if ($sovpnsettings{'DAUTH'} eq '') { + print CONF ""; + } else { + print CONF "auth $sovpnsettings{'DAUTH'}\n"; + } + if ($sovpnsettings{'TLSAUTH'} eq 'on') { + print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n"; + } if ($sovpnsettings{DCOMPLZO} eq 'on') { print CONF "comp-lzo\n"; } @@ -552,7 +468,7 @@ sub getccdadresses my @iprange=(); my %ccdhash=(); &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash); - $iprange[0]=$ip1.".".$ip2.".".$ip3.".".2; + $iprange[0]=$ip1.".".$ip2.".".$ip3.".".($ip4+2); for (my $i=1;$i<=$count;$i++) { my $tmpip=$iprange[$i-1]; my $stepper=$i*4; @@ -774,6 +690,8 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'}; $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'}; $vpnsettings{'PMTU_DISCOVERY'} = $cgiparams{'PMTU_DISCOVERY'}; + $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; + $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; my @temp=(); if ($cgiparams{'FRAGMENT'} eq '') { @@ -786,6 +704,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'FRAGMENT'} = $cgiparams{'FRAGMENT'}; } } + if ($cgiparams{'MSSFIX'} ne 'on') { delete $vpnsettings{'MSSFIX'}; } else { @@ -890,6 +809,16 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $errormessage = $Lang::tr{'invalid input for keepalive 1:2'}; goto ADV_ERROR; } + # Create ta.key for tls-auth if not presant + if ($cgiparams{'TLSAUTH'} eq 'on') { + if ( ! -e "${General::swroot}/ovpn/certs/ta.key") { + system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + goto ADV_ERROR; + } + } + } &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings); &writeserverconf();#hier ok @@ -968,9 +897,15 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print SERVERCONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n"; print SERVERCONF "cert ${General::swroot}/ovpn/certs/servercert.pem\n"; print SERVERCONF "key ${General::swroot}/ovpn/certs/serverkey.pem\n"; - print SERVERCONF "dh ${General::swroot}/ovpn/ca/dh1024.pem\n"; + print SERVERCONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n"; print SERVERCONF "# Cipher\n"; - print SERVERCONF "cipher AES-256-CBC\n"; + print SERVERCONF "cipher $cgiparams{'DCIPHER'}\n"; + if ($cgiparams{'DAUTH'} eq '') { + print SERVERCONF "auth SHA1\n"; + } else { + print SERVERCONF "# HMAC algorithm\n"; + print SERVERCONF "auth $cgiparams{'DAUTH'}\n"; + } if ($cgiparams{'COMPLZO'} eq 'on') { print SERVERCONF "# Enable Compression\n"; print SERVERCONF "comp-lzo\r\n"; @@ -995,6 +930,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq 'net' && $cgiparams{'SIDE'} eq 'client') { + my @ovsubnettemp = split(/\./,$cgiparams{'OVPN_SUBNET'}); my $ovsubnet = "$ovsubnettemp[0].$ovsubnettemp[1].$ovsubnettemp[2]"; my @remsubnet = split(/\//,$cgiparams{'REMOTE_SUBNET'}); @@ -1057,12 +993,18 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print CLIENTCONF "# Auth. Client\n"; print CLIENTCONF "tls-client\n"; print CLIENTCONF "# Cipher\n"; - print CLIENTCONF "cipher AES-256-CBC\n"; + print CLIENTCONF "cipher $cgiparams{'DCIPHER'}\n"; print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12\r\n"; + if ($cgiparams{'DAUTH'} eq '') { + print CLIENTCONF "auth SHA1\n"; + } else { + print CLIENTCONF "# HMAC algorithm\n"; + print CLIENTCONF "auth $cgiparams{'DAUTH'}\n"; + } if ($cgiparams{'COMPLZO'} eq 'on') { print CLIENTCONF "# Enable Compression\n"; print CLIENTCONF "comp-lzo\r\n"; - } + } print CLIENTCONF "# Debug Level\n"; print CLIENTCONF "verb 3\n"; print CLIENTCONF "# Tunnel check\n"; @@ -1092,21 +1034,11 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg goto SETTINGS_ERROR; } } - if ($cgiparams{'ENABLED'} eq 'on'){ - &disallowreserved($cgiparams{'DDEST_PORT'},0,$cgiparams{'DPROTOCOL'},"dest"); - } - if ($errormessage) { goto SETTINGS_ERROR; } - - - if ($cgiparams{'ENABLED'} eq 'on'){ - &checkportfw($cgiparams{'DDEST_PORT'},$cgiparams{'DPROTOCOL'}); - } - if ($errormessage) { goto SETTINGS_ERROR; } if (! &General::validipandmask($cgiparams{'DOVPN_SUBNET'})) { $errormessage = $Lang::tr{'ovpn subnet is invalid'}; - goto SETTINGS_ERROR; + goto SETTINGS_ERROR; } my @tmpovpnsubnet = split("\/",$cgiparams{'DOVPN_SUBNET'}); @@ -1162,6 +1094,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $errormessage = $Lang::tr{'invalid port'}; goto SETTINGS_ERROR; } + $vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'}; $vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'}; $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; @@ -1186,7 +1119,7 @@ SETTINGS_ERROR: ### ### Reset all step 2 ### -}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'reset'} && $cgiparams{'AREUSURE'} eq 'yes') { +}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'} && $cgiparams{'AREUSURE'} eq 'yes') { my $file = ''; &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); @@ -1196,37 +1129,66 @@ SETTINGS_ERROR: } } while ($file = glob("${General::swroot}/ovpn/ca/*")) { - unlink $file + unlink $file; } while ($file = glob("${General::swroot}/ovpn/certs/*")) { - unlink $file + unlink $file; } while ($file = glob("${General::swroot}/ovpn/crls/*")) { - unlink $file + unlink $file; } - &cleanssldatabase(); + &cleanssldatabase(); if (open(FILE, ">${General::swroot}/ovpn/caconfig")) { print FILE ""; close FILE; } - &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + if (open(FILE, ">${General::swroot}/ovpn/ccdroute")) { + print FILE ""; + close FILE; + } + if (open(FILE, ">${General::swroot}/ovpn/ccdroute2")) { + print FILE ""; + close FILE; + } + while ($file = glob("${General::swroot}/ovpn/ccd/*")) { + unlink $file + } + if (open(FILE, ">${General::swroot}/ovpn/ovpn-leases.db")) { + print FILE ""; + close FILE; + } + if (open(FILE, ">${General::swroot}/ovpn/ovpnconfig")) { + print FILE ""; + close FILE; + } + while ($file = glob("${General::swroot}/ovpn/n2nconf/*")) { + system ("rm -rf $file"); + } + #&writeserverconf(); ### ### Reset all step 1 ### -}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'reset'}) { +}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'}) { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); - &Header::openbigbox('100%', 'LEFT', '', ''); - &Header::openbox('100%', 'LEFT', $Lang::tr{'are you sure'}); - print <
- - $Lang::tr{'capswarning'}: - $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'} - - -
+ &Header::openpage($Lang::tr{'ovpn'}, 1, ''); + &Header::openbigbox('100%', 'left', '', ''); + &Header::openbox('100%', 'left', $Lang::tr{'are you sure'}); + print < + + + + + + + +
+ + $Lang::tr{'capswarning'}: + $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}
+
+ END ; &Header::closebox(); @@ -1234,6 +1196,104 @@ END &Header::closepage(); exit (0); +### +### Generate DH key step 2 +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'} && $cgiparams{'AREUSURE'} eq 'yes') { + # Delete if old key exists + if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { + unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"; + } + # Create Diffie Hellmann Parameter + system('/usr/bin/openssl', 'dhparam', '-rand', '/proc/interrupts:/proc/net/rt_cache', + '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + unlink ("${General::swroot}/ovpn/ca/dh1024.pem"); + } + +### +### Generate DH key step 1 +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'}) { + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', ''); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'gen dh'}:"); + print < + + + + + $Lang::tr{'ovpn dh'}: + +
+ + + + +
+ + + + $Lang::tr{'capswarning'}: $Lang::tr{'dh key warn'} + + + + + + + + + +
$Lang::tr{'dh key warn1'}

+ +END + ; + &Header::closebox(); + print ""; + &Header::closebigbox(); + &Header::closepage(); + exit (0); + +### +### Upload DH key +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload dh key'}) { + if (ref ($cgiparams{'FH'}) ne 'Fh') { + $errormessage = $Lang::tr{'there was no file upload'}; + goto UPLOADCA_ERROR; + } + # Move uploaded dh key to a temporary file + (my $fh, my $filename) = tempfile( ); + if (copy ($cgiparams{'FH'}, $fh) != 1) { + $errormessage = $!; + goto UPLOADCA_ERROR; + } + my $temp = `/usr/bin/openssl dhparam -text -in $filename`; + if ($temp !~ /DH Parameters: \((1024|2048|3072|4096) bit\)/) { + $errormessage = $Lang::tr{'not a valid dh key'}; + unlink ($filename); + goto UPLOADCA_ERROR; + } else { + # Delete if old key exists + if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { + unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"; + } + move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"); + if ($? ne 0) { + $errormessage = "$Lang::tr{'dh key move failed'}: $!"; + unlink ($filename); + goto UPLOADCA_ERROR; + } + } + ### ### Upload CA Certificate ### @@ -1252,7 +1312,7 @@ END if ($cgiparams{'CA_NAME'} eq 'ca') { $errormessage = $Lang::tr{'name is invalid'}; - goto UPLOAD_CA_ERROR; + goto UPLOADCA_ERROR; } # Check if there is no other entry with this name @@ -1310,7 +1370,7 @@ END if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', $errormessage); &Header::openbox('100%', 'LEFT', "$Lang::tr{'ca certificate'}:"); my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; @@ -1387,10 +1447,10 @@ END } if ($assignedcerts) { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', $errormessage); &Header::openbox('100%', 'LEFT', $Lang::tr{'are you sure'}); - print <
@@ -1422,7 +1482,7 @@ END $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) { my $output; &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) { &Header::openbox('100%', 'LEFT', "$Lang::tr{'root certificate'}:"); @@ -1688,7 +1748,7 @@ END } } else { # child unless (exec ('/usr/bin/openssl', 'req', '-x509', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache', - '-days', '999999', '-newkey', 'rsa:2048', + '-days', '999999', '-newkey', 'rsa:4096', '-sha512', '-keyout', "${General::swroot}/ovpn/ca/cakey.pem", '-out', "${General::swroot}/ovpn/ca/cacert.pem", '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { @@ -1719,7 +1779,7 @@ END } } else { # child unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache', - '-newkey', 'rsa:1024', + '-newkey', 'rsa:2048', '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem", '-out', "${General::swroot}/ovpn/certs/serverreq.pem", '-extensions', 'server', @@ -1771,8 +1831,7 @@ END } # Create Diffie Hellmann Parameter system('/usr/bin/openssl', 'dhparam', '-rand', '/proc/interrupts:/proc/net/rt_cache', - '-out', "${General::swroot}/ovpn/ca/dh1024.pem", - '1024' ); + '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); @@ -1784,13 +1843,20 @@ END goto ROOTCERT_ERROR; # } else { # &cleanssldatabase(); - } + } + # Create ta.key for tls-auth + system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + &cleanssldatabase(); + goto ROOTCERT_ERROR; + } goto ROOTCERT_SUCCESS; } ROOTCERT_ERROR: if ($cgiparams{'ACTION'} ne '') { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); if ($errormessage) { &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'}); @@ -1799,7 +1865,7 @@ END &Header::closebox(); } &Header::openbox('100%', 'LEFT', "$Lang::tr{'generate root/host certificates'}:"); - print < @@ -1832,19 +1898,38 @@ END } print ">$country"; } - print < - + + + + - - + +
$Lang::tr{'organization name'}: 
$Lang::tr{'ovpn dh'}: +
    
* $Lang::tr{'this field may be blank'}
- $Lang::tr{'capswarning'}: - $Lang::tr{'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. please be patient'} -

+ + $Lang::tr{'capswarning'}: $Lang::tr{'ovpn generating the root and host certificates'} + + + + + + + +
$Lang::tr{'dh key warn'}
$Lang::tr{'dh key warn1'}

+ + + @@ -1855,12 +1940,13 @@ END +  $Lang::tr{'this field may be blank'} +
$Lang::tr{'upload p12 file'}:  
 
-  $Lang::tr{'this field may be blank'}
END ; &Header::closebox(); - + print ""; &Header::closebigbox(); &Header::closepage(); exit(0) @@ -1992,13 +2078,20 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ print CLIENTCONF "ns-cert-type server\n"; print CLIENTCONF "# Auth. Client\n"; print CLIENTCONF "tls-client\n"; - print CLIENTCONF "# Cipher\n"; - print CLIENTCONF "cipher AES-256-CBC\n"; + print CLIENTCONF "# Cipher\n"; + print CLIENTCONF "cipher $confighash{$cgiparams{'KEY'}}[40]\n"; if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") { print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12\r\n"; $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n"; - } - if ($confighash{$cgiparams{'KEY'}}[30] eq 'on') { + } + if ($confighash{$cgiparams{'KEY'}}[39] eq '') { + print CLIENTCONF "# HMAC algorithm\n"; + print CLIENTCONF "auth SHA1\n"; + } else { + print CLIENTCONF "# HMAC algorithm\n"; + print CLIENTCONF "auth $confighash{$cgiparams{'KEY'}}[39]\n"; + } + if ($confighash{$cgiparams{'KEY'}}[30] eq 'on') { print CLIENTCONF "# Enable Compression\n"; print CLIENTCONF "comp-lzo\r\n"; } @@ -2093,6 +2186,15 @@ else $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; } print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n"; + if ($vpnsettings{'DAUTH'} eq '') { + print CLIENTCONF ""; + } else { + print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; + } + if ($vpnsettings{'TLSAUTH'} eq 'on') { + print CLIENTCONF "tls-auth ta.key\r\n"; + $zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key") or die "Can't add file ta.key\n"; + } if ($vpnsettings{DCOMPLZO} eq 'on') { print CLIENTCONF "comp-lzo\r\n"; } @@ -2201,7 +2303,7 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { } else { $errormessage = $Lang::tr{'invalid key'}; } - + &General::firewall_reload(); ### ### Download PKCS12 file @@ -2222,7 +2324,7 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate'}:"); my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; @@ -2234,15 +2336,40 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { &Header::closepage(); exit(0); } + +### +### Display Diffie-Hellman key +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show dh'}) { + + if (! -e "${General::swroot}/ovpn/ca/dh1024.pem") { + $errormessage = $Lang::tr{'not present'}; + } else { + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', ''); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'dh'}:"); + my $output = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/dh1024.pem`; + $output = &Header::cleanhtml($output,"y"); + print "
$output
\n"; + &Header::closebox(); + print ""; + &Header::closebigbox(); + &Header::closepage(); + exit(0); + } + ### ### Display Certificate Revoke List ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show crl'}) { # &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - if ( -f "${General::swroot}/ovpn/crls/cacrl.pem") { + if (! -e "${General::swroot}/ovpn/crls/cacrl.pem") { + $errormessage = $Lang::tr{'not present'}; + } else { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); &Header::openbox('100%', 'LEFT', "$Lang::tr{'crl'}:"); my $output = `/usr/bin/openssl crl -text -noout -in ${General::swroot}/ovpn/crls/cacrl.pem`; @@ -2273,19 +2400,25 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { # } ADV_ERROR: if ($cgiparams{'MAX_CLIENTS'} eq '') { - $cgiparams{'MAX_CLIENTS'} = '100'; + $cgiparams{'MAX_CLIENTS'} = '100'; } if ($cgiparams{'KEEPALIVE_1'} eq '') { - $cgiparams{'KEEPALIVE_1'} = '10'; + $cgiparams{'KEEPALIVE_1'} = '10'; } if ($cgiparams{'KEEPALIVE_2'} eq '') { - $cgiparams{'KEEPALIVE_2'} = '60'; + $cgiparams{'KEEPALIVE_2'} = '60'; } if ($cgiparams{'LOG_VERB'} eq '') { - $cgiparams{'LOG_VERB'} = '3'; + $cgiparams{'LOG_VERB'} = '3'; } if ($cgiparams{'PMTU_DISCOVERY'} eq '') { - $cgiparams{'PMTU_DISCOVERY'} = 'off'; + $cgiparams{'PMTU_DISCOVERY'} = 'off'; + } + if ($cgiparams{'DAUTH'} eq '') { + $cgiparams{'DAUTH'} = 'SHA1'; + } + if ($cgiparams{'TLSAUTH'} eq '') { + $cgiparams{'TLSAUTH'} = 'off'; } $checked{'CLIENT2CLIENT'}{'off'} = ''; $checked{'CLIENT2CLIENT'}{'on'} = ''; @@ -2293,11 +2426,11 @@ ADV_ERROR: $checked{'REDIRECT_GW_DEF1'}{'off'} = ''; $checked{'REDIRECT_GW_DEF1'}{'on'} = ''; $checked{'REDIRECT_GW_DEF1'}{$cgiparams{'REDIRECT_GW_DEF1'}} = 'CHECKED'; - $selected{'ENGINES'}{$cgiparams{'ENGINES'}} = 'SELECTED'; $checked{'MSSFIX'}{'off'} = ''; $checked{'MSSFIX'}{'on'} = ''; $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED'; $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\''; + $selected{'LOG_VERB'}{'0'} = ''; $selected{'LOG_VERB'}{'1'} = ''; $selected{'LOG_VERB'}{'2'} = ''; $selected{'LOG_VERB'}{'3'} = ''; @@ -2309,8 +2442,16 @@ ADV_ERROR: $selected{'LOG_VERB'}{'9'} = ''; $selected{'LOG_VERB'}{'10'} = ''; $selected{'LOG_VERB'}{'11'} = ''; - $selected{'LOG_VERB'}{'0'} = ''; $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED'; + $selected{'DAUTH'}{'whirlpool'} = ''; + $selected{'DAUTH'}{'SHA512'} = ''; + $selected{'DAUTH'}{'SHA384'} = ''; + $selected{'DAUTH'}{'SHA256'} = ''; + $selected{'DAUTH'}{'SHA1'} = ''; + $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; + $checked{'TLSAUTH'}{'off'} = ''; + $checked{'TLSAUTH'}{'on'} = ''; + $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED'; &Header::showhttpheaders(); &Header::openpage($Lang::tr{'status ovpn'}, 1, ''); @@ -2322,34 +2463,34 @@ ADV_ERROR: &Header::closebox(); } &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'}); - print < - - - +
$Lang::tr{'dhcp-options'}
+ + - + - + - - + + - - - + + + - + - -
$Lang::tr{'dhcp-options'}
DomainDomain
DNSDNS
WINS
WINS
$Lang::tr{'ovpn routes push options'}$Lang::tr{'ovpn routes push options'}
$Lang::tr{'ovpn routes push'} -