X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fovpnmain.cgi;h=0e8fad888573f8d8c2b2056062c040a09434abe2;hp=df5f9ece2a3a0732c8d21fe07ec471310028e6cc;hb=4be45949e9629cc141401957e291e1e5206adb39;hpb=d25b7c32bd420267d2604dfa34e6e3bfa7de9ed7 diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index df5f9ece2a..0e8fad8885 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -19,6 +19,7 @@ # # ############################################################################### ### +# Based on IPFireCore 77 ### use CGI; use CGI qw/:standard/; @@ -92,7 +93,6 @@ $cgiparams{'PMTU_DISCOVERY'} = ''; $cgiparams{'DCIPHER'} = ''; $cgiparams{'DAUTH'} = ''; $cgiparams{'TLSAUTH'} = ''; -$cgiparams{'ENGINES'} = ''; $routes_push_file = "${General::swroot}/ovpn/routes_push"; unless (-e $routes_push_file) { system("touch $routes_push_file"); } unless (-e "${General::swroot}/ovpn/ccd.conf") { system("touch ${General::swroot}/ovpn/ccd.conf"); } 
@@ -172,105 +172,6 @@ sub deletebackupcert
 unlink ("${General::swroot}/ovpn/certs/$hexvalue.pem");
 }
 }
-sub checkportfw {
- my $DPORT = shift;
- my $DPROT = shift;
- my %natconfig =();
- my $confignat = "${General::swroot}/firewall/config";
- $DPROT= uc ($DPROT);
- &General::readhasharray($confignat, \%natconfig);
- foreach my $key (sort keys %natconfig){
- my @portarray = split (/\|/,$natconfig{$key}[30]);
- foreach my $value (@portarray){
- if ($value =~ /:/i){
- my ($a,$b) = split (":",$value);
- if ($DPROT eq $natconfig{$key}[12] && $DPORT gt $a && $DPORT lt $b){
- $errormessage= "$Lang::tr{'source port in use'} $DPORT";
- }
- }else{
- if ($DPROT eq $natconfig{$key}[12] && $DPORT eq $value){
- $errormessage= "$Lang::tr{'source port in use'} $DPORT";
- }
- }
- }
- }
- return;
-}
-
-sub checkportoverlap
-{
- my $portrange1 = $_[0]; # New port range
- my $portrange2 = $_[1]; # existing port range
- my @tempr1 = split(/\:/,$portrange1);
- my @tempr2 = split(/\:/,$portrange2);
-
- unless (&checkportinc($tempr1[0], $portrange2)){ return 0;}
- unless (&checkportinc($tempr1[1], $portrange2)){ return 0;}
-
- unless (&checkportinc($tempr2[0], $portrange1)){ return 0;}
- unless (&checkportinc($tempr2[1], $portrange1)){ return 0;}
-
- return 1; # Everything checks out!
-}
-
- # Darren Critchley - we want to make sure that a port entry is not within an already existing range
-sub checkportinc
-{
- my $port1 = $_[0]; # Port
- my $portrange2 = $_[1]; # Port range
- my @tempr1 = split(/\:/,$portrange2);
-
- if ($port1 < $tempr1[0] || $port1 > $tempr1[1]) {
- return 1;
- } else {
- return 0;
- }
-}
-
-# Darren Critchley - certain ports are reserved for IPFire
-# TCP 67,68,81,222,444
-# UDP 67,68
-# Params passed in -> port, rangeyn, protocol
-sub disallowreserved
-{
- # port 67 and 68 same for tcp and udp, don't bother putting in an array
- my $msg = "";
- my @tcp_reserved = (81,222,444);
- my $prt = $_[0]; # the port or range
- my $ryn = $_[1]; # tells us whether or not it is a port range
- my $prot = $_[2]; # protocol
- my $srcdst = $_[3]; # source or destination
- if ($ryn) { # disect port range
- if ($srcdst eq "src") {
- $msg = "$Lang::tr{'rsvd src port overlap'}";
- } else {
- $msg = "$Lang::tr{'rsvd dst port overlap'}";
- }
- my @tmprng = split(/\:/,$prt);
- unless (67 < $tmprng[0] || 67 > $tmprng[1]) { $errormessage="$msg 67"; return; }
- unless (68 < $tmprng[0] || 68 > $tmprng[1]) { $errormessage="$msg 68"; return; }
- if ($prot eq "tcp") {
- foreach my $prange (@tcp_reserved) {
- unless ($prange < $tmprng[0] || $prange > $tmprng[1]) { $errormessage="$msg $prange"; return; }
- }
- }
- } else {
- if ($srcdst eq "src") {
- $msg = "$Lang::tr{'reserved src port'}";
- } else {
- $msg = "$Lang::tr{'reserved dst port'}";
- }
- if ($prt == 67) { $errormessage="$msg 67"; return; }
- if ($prt == 68) { $errormessage="$msg 68"; return; }
- if ($prot eq "tcp") {
- foreach my $prange (@tcp_reserved) {
- if ($prange == $prt) { $errormessage="$msg $prange"; return; }
- }
- }
- }
- return;
-}
-
 sub writeserverconf {
 my %sovpnsettings = ();
@@ -369,12 +270,7 @@ sub writeserverconf { print CONF "auth $sovpnsettings{'DAUTH'}\n"; } if ($sovpnsettings{'TLSAUTH'} eq 'on') { - print CONF "tls-auth ${General::swroot}/ovpn/ca/ta.key 0\n"; - } - if ($sovpnsettings{ENGINES} eq 'disabled') { - print CONF ""; - } else { - print CONF "engine $sovpnsettings{ENGINES}\n"; + print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n"; } if ($sovpnsettings{DCOMPLZO} eq 'on') { print CONF "comp-lzo\n"; @@ -572,7 +468,7 @@ sub getccdadresses my @iprange=(); my %ccdhash=(); &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash); - $iprange[0]=$ip1.".".$ip2.".".$ip3.".".2; + $iprange[0]=$ip1.".".$ip2.".".$ip3.".".($ip4+2); for (my $i=1;$i<=$count;$i++) { my $tmpip=$iprange[$i-1]; my $stepper=$i*4; @@ -796,7 +692,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'PMTU_DISCOVERY'} = $cgiparams{'PMTU_DISCOVERY'}; $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; - $vpnsettings{'ENGINES'} = $cgiparams{'ENGINES'}; my @temp=(); if ($cgiparams{'FRAGMENT'} eq '') { @@ -816,13 +711,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'MSSFIX'} = $cgiparams{'MSSFIX'}; } - # Create ta.key for tls-auth if not presant - if ($cgiparams{'TLSAUTH'} eq 'on') { - if ( ! -e "${General::swroot}/ovpn/ca/ta.key") { - system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/ca/ta.key") - } - } - if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') || ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') || ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) { 
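Review bot: The new `tls-auth` line in writeserverconf drops the key-direction argument that the replaced line carried (`... 0`), so the server now uses ta.key bidirectionally; every client profile this CGI emits must omit the direction as well, because a client still configured with `tls-auth ta.key 1` no longer matches the server's HMAC key and its handshake is rejected. The key path also moves from `ovpn/ca/ta.key` to `ovpn/certs/ta.key` with no migration of an existing key, so an upgraded installation ends up with a different key than the one already distributed to clients. If bidirectional use is intended, say so next to the print: `# tls-auth without a direction uses one HMAC key for both directions; client configs must omit it too`. writeserverconf starts and ends outside this hunk.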
@@ -921,6 +809,16 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $errormessage = $Lang::tr{'invalid input for keepalive 1:2'}; goto ADV_ERROR; } + # Create ta.key for tls-auth if not presant + if ($cgiparams{'TLSAUTH'} eq 'on') { + if ( ! -e "${General::swroot}/ovpn/certs/ta.key") { + system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + goto ADV_ERROR; + } + } + } &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings); &writeserverconf();#hier ok @@ -1008,12 +906,6 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print SERVERCONF "# HMAC algorithm\n"; print SERVERCONF "auth $cgiparams{'DAUTH'}\n"; } - if ($cgiparams{'ENGINES'} eq 'disabled') { - print SERVERCONF ""; - } else { - print SERVERCONF "# Crypto engine\n"; - print SERVERCONF "engine $cgiparams{'ENGINES'}\n"; - } if ($cgiparams{'COMPLZO'} eq 'on') { print SERVERCONF "# Enable Compression\n"; print SERVERCONF "comp-lzo\r\n"; @@ -1109,12 +1001,6 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print CLIENTCONF "# HMAC algorithm\n"; print CLIENTCONF "auth $cgiparams{'DAUTH'}\n"; } - if ($cgiparams{'ENGINES'} eq 'disabled') { - print CLIENTCONF ""; - } else { - print CLIENTCONF "# Crypto engine\n"; - print CLIENTCONF "engine $cgiparams{'ENGINES'}\n"; - } if ($cgiparams{'COMPLZO'} eq 'on') { print CLIENTCONF "# Enable Compression\n"; print CLIENTCONF "comp-lzo\r\n"; @@ -1149,11 +1035,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg } } if ($errormessage) { goto SETTINGS_ERROR; } - - if ($cgiparams{'ENABLED'} eq 'on'){ - &checkportfw($cgiparams{'DDEST_PORT'},$cgiparams{'DPROTOCOL'}); - } - if ($errormessage) { goto SETTINGS_ERROR; } if (! &General::validipandmask($cgiparams{'DOVPN_SUBNET'})) { $errormessage = $Lang::tr{'ovpn subnet is invalid'}; 
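Review bot: The `-e` test in the added block looks only at `${General::swroot}/ovpn/certs/ta.key`, whereas the code it replaces (removed in the earlier @@ -816 hunk) kept the key at `ovpn/ca/ta.key`; on an existing installation the test fails, a second unrelated key is generated, and every client package issued with the old key stops authenticating, so the old file should be moved or reused before calling `--genkey`. The failure branch reports `$Lang::tr{'openssl produced an error'}` for an openvpn invocation and appends the raw `$?`, which is the wait status rather than the exit code; `$? >> 8` is what a reader of the message expects. Whether `openvpn --genkey --secret` creates the file with owner-only permissions under the web-server user should be confirmed, since ta.key is shared secret material. The enclosing save-adv-options block starts and ends outside this hunk.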
@@ -1299,7 +1180,6 @@ SETTINGS_ERROR:
$Lang::tr{'ccd subnet'}: | ||||||
$ccdconf[0] | $ccdconf[1] | $ccdhosts/".(&ccdmaxclients($ccdconf[1])+1)." | ";
print < | - | + END ; } @@ -3123,7 +2986,7 @@ if ( -s "${General::swroot}/ovpn/settings") {$Lang::tr{'net to net vpn'} (Upload Client Package) | |
Import Connection Name | ||||||
Default : Client Packagename | ||||||
$Lang::tr{'openvpn default'}: Client Packagename | ||||||
$Lang::tr{'this field may be blank'} | - - | |||||
$Lang::tr{'Act as'} | -- - | $Lang::tr{'remote host/ip'}: | -||||
$Lang::tr{'local subnet'} | -- - | $Lang::tr{'remote subnet'} | -+ | |||
$Lang::tr{'Act as'} | ++ | -|||||
$Lang::tr{'ovpn subnet'} | -$Lang::tr{'remote host/ip'}: | ++ - - | ||||
$Lang::tr{'protocol'} | -+ | |||||
$Lang::tr{'local subnet'} | +- | $Lang::tr{'destination port'}: | -- | $Lang::tr{'remote subnet'} | ++ - | |
$Lang::tr{'cipher'} | -- | - -$Lang::tr{'ovpn ha'}: | -- | -|||
$Lang::tr{'ovpn subnet'} | +- | |||||
$Lang::tr{'ovpn engines'} - | - | -$Lang::tr{'protocol'} | ++ + + | |||
$Lang::tr{'destination port'}: | +- | |||||
Management Port ($Lang::tr{'openvpn default'}: $Lang::tr{'destination port'}): | ++ | |||||
Management Port ($Lang::tr{'openvpn default'}: $Lang::tr{'destination port'}): | -- | |||||
$Lang::tr{'MTU settings'} | +||||||
$Lang::tr{'MTU'} | -- | $Lang::tr{'openvpn default'}: udp/tcp 1500/1400 | -||||
$Lang::tr{'MTU'} | ++ | $Lang::tr{'openvpn default'}: udp/tcp 1500/1400 | +||||
fragment | -- | $Lang::tr{'openvpn default'}: 1300 | -||||
fragment | ++ | $Lang::tr{'openvpn default'}: 1300 | +||||
mssfix | -- | $Lang::tr{'openvpn default'}: on | -||||
mssfix | ++ | $Lang::tr{'openvpn default'}: on | +||||
$Lang::tr{'comp-lzo'} - | - | |||||
$Lang::tr{'comp-lzo'} + | + | |||||
$Lang::tr{'ovpn mtu-disc'} | @@ -4650,6 +4459,41 @@ if ($cgiparams{'TYPE'} eq 'net') { $Lang::tr{'ovpn mtu-disc off'} | |||||
$Lang::tr{'ovpn crypt options'}: | +||||||
$Lang::tr{'cipher'} | ++ | + +$Lang::tr{'ovpn ha'}: | ++ | +|||
$Lang::tr{'pkcs12 file password'}: | ||||||
$Lang::tr{'pkcs12 file password'}: ($Lang::tr{'confirmation'}) |
+ ||||||
$Lang::tr{'pkcs12 file password'}: ($Lang::tr{'confirmation'}) |
||||||
$Lang::tr{'destination port'}: | ||||||
$Lang::tr{'MTU'} | -+ | + | $Lang::tr{'cipher'} | |||
$Lang::tr{'comp-lzo'} | @@ -5240,7 +5068,7 @@ END #EXITING -- A graceful exit is in progress. #### - if ($tustate[1] eq 'CONNECTED') { + if (($tustate[1] eq 'CONNECTED') || ($tustate[1] eq 'WAIT')) { $col1="bgcolor='${Header::colourgreen}'"; $active = "$Lang::tr{'capsopen'}"; }else { @@ -5519,22 +5347,32 @@ END||||||
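Review bot: Folding `WAIT` into the `CONNECTED` branch paints the row green and labels it with `$Lang::tr{'capsopen'}`, but WAIT is OpenVPN's state for a client still waiting for the server's initial response, so a tunnel that never completes its handshake is displayed as established. A distinct colour and label for WAIT would keep the operator view accurate; if the merge is deliberate (for example to avoid flapping during reconnects), a comment such as `# WAIT: handshake still in progress, shown as up to avoid flapping` should say so. The enclosing status block starts outside this hunk.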
+ | ||||||
$Lang::tr{'ovpn dh parameters'}: | +||||||
$Lang::tr{'ovpn dh upload'}: | ||||||
$Lang::tr{'ovpn dh new key'}: | +- | |||||
+ | ||||||