X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fovpnmain.cgi;h=2d933041951a5f23977594c2558bcac238cb0b89;hp=16f691f75a6f6fd65c1abf78bca21e9293f5995b;hb=187590f791bc7b96da5d70469783dae4a5bd00df;hpb=53ce51761fb21c630ce547660cc0b2778835d210 diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 16f691f75a..2d93304195 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -70,6 +70,9 @@ my $configgrp="${General::swroot}/fwhosts/customgroups"; my $customnet="${General::swroot}/fwhosts/customnetworks"; my $name; my $col=""; +my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local"; +my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local"; + &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); $cgiparams{'ENABLED'} = 'off'; $cgiparams{'ENABLED_BLUE'} = 'off'; @@ -94,10 +97,33 @@ $cgiparams{'DCIPHER'} = ''; $cgiparams{'DAUTH'} = ''; $cgiparams{'TLSAUTH'} = ''; $routes_push_file = "${General::swroot}/ovpn/routes_push"; -unless (-e $routes_push_file) { system("touch $routes_push_file"); } -unless (-e "${General::swroot}/ovpn/ccd.conf") { system("touch ${General::swroot}/ovpn/ccd.conf"); } -unless (-e "${General::swroot}/ovpn/ccdroute") { system("touch ${General::swroot}/ovpn/ccdroute"); } -unless (-e "${General::swroot}/ovpn/ccdroute2") { system("touch ${General::swroot}/ovpn/ccdroute2"); } + +# Add CCD files if not already presant +unless (-e $routes_push_file) { + open(RPF, ">$routes_push_file"); + close(RPF); +} +unless (-e "${General::swroot}/ovpn/ccd.conf") { + open(CCDC, ">${General::swroot}/ovpn/ccd.conf"); + close (CCDC); +} +unless (-e "${General::swroot}/ovpn/ccdroute") { + open(CCDR, ">${General::swroot}/ovpn/ccdroute"); + close (CCDR); +} +unless (-e "${General::swroot}/ovpn/ccdroute2") { + open(CCDRT, ">${General::swroot}/ovpn/ccdroute2"); + close (CCDRT); +} +# Add additional configs if not already presant +unless (-e "$local_serverconf") { + open(LSC, ">$local_serverconf"); + close (LSC); +} +unless (-e "$local_clientconf") { + open(LCC, ">$local_clientconf"); + close (LCC); +} &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'}); @@ -262,7 +288,7 @@ sub writeserverconf { print CONF "keepalive $sovpnsettings{'KEEPALIVE_1'} $sovpnsettings{'KEEPALIVE_2'}\n"; } print CONF "status-version 1\n"; - print CONF "status /var/log/ovpnserver.log 30\n"; + print CONF "status /var/run/ovpnserver.log 30\n"; print CONF "cipher $sovpnsettings{DCIPHER}\n"; if ($sovpnsettings{'DAUTH'} eq '') { print CONF ""; @@ -270,7 +296,7 @@ sub writeserverconf { print CONF "auth $sovpnsettings{'DAUTH'}\n"; } if ($sovpnsettings{'TLSAUTH'} eq 'on') { - print CONF "tls-auth ${General::swroot}/ovpn/ca/ta.key 0\n"; + print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n"; } if ($sovpnsettings{DCOMPLZO} eq 'on') { print CONF "comp-lzo\n"; @@ -306,14 +332,29 @@ sub writeserverconf { print CONF "verb $sovpnsettings{LOG_VERB}\n"; } else { print CONF "verb 3\n"; - } + } + # Print server.conf.local if entries exist to server.conf + if ( !-z $local_serverconf && $sovpnsettings{'ADDITIONAL_CONFIGS'} eq 'on') { + open (LSC, "$local_serverconf"); + print CONF "\n#---------------------------\n"; + print CONF "# Start of custom directives\n"; + print CONF "# from server.conf.local\n"; + print CONF "#---------------------------\n\n"; + while () { + print CONF $_; + } + print CONF "\n#-----------------------------\n"; + print CONF "# End of custom directives\n"; + print CONF "#-----------------------------\n"; + close (LSC); + } print CONF "\n"; close(CONF); } sub emptyserverlog{ - if (open(FILE, ">/var/log/ovpnserver.log")) { + if (open(FILE, ">/var/run/ovpnserver.log")) { flock FILE, 2; print FILE ""; close FILE; @@ -627,6 +668,29 @@ sub read_routepushfile } } +sub writecollectdconf { + my $vpncollectd; + my %ccdhash=(); + + open(COLLECTDVPN, ">${General::swroot}/ovpn/collectd.vpn") or die "Unable to open collectd.vpn: $!"; + print COLLECTDVPN "Loadplugin openvpn\n"; + print COLLECTDVPN "\n"; + print COLLECTDVPN "\n"; + print COLLECTDVPN "Statusfile \"/var/run/ovpnserver.log\"\n"; + + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash); + foreach my $key (keys %ccdhash) { + if ($ccdhash{$key}[0] eq 'on' && $ccdhash{$key}[3] eq 'net') { + print COLLECTDVPN "Statusfile \"/var/run/openvpn/$ccdhash{$key}[1]-n2n\"\n"; + } + } + + print COLLECTDVPN "\n"; + close(COLLECTDVPN); + + # Reload collectd afterwards + system("/usr/local/bin/collectdctrl restart &>/dev/null"); +} #hier die refresh page if ( -e "${General::swroot}/ovpn/gencanow") { @@ -685,6 +749,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'MAX_CLIENTS'} = $cgiparams{'MAX_CLIENTS'}; $vpnsettings{'REDIRECT_GW_DEF1'} = $cgiparams{'REDIRECT_GW_DEF1'}; $vpnsettings{'CLIENT2CLIENT'} = $cgiparams{'CLIENT2CLIENT'}; + $vpnsettings{'ADDITIONAL_CONFIGS'} = $cgiparams{'ADDITIONAL_CONFIGS'}; $vpnsettings{'DHCP_DOMAIN'} = $cgiparams{'DHCP_DOMAIN'}; $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'}; $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'}; @@ -711,13 +776,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'MSSFIX'} = $cgiparams{'MSSFIX'}; } - # Create ta.key for tls-auth if not presant - if ($cgiparams{'TLSAUTH'} eq 'on') { - if ( ! -e "${General::swroot}/ovpn/ca/ta.key") { - system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/ca/ta.key") - } - } - if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') || ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') || ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) { @@ -816,6 +874,16 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $errormessage = $Lang::tr{'invalid input for keepalive 1:2'}; goto ADV_ERROR; } + # Create ta.key for tls-auth if not presant + if ($cgiparams{'TLSAUTH'} eq 'on') { + if ( ! -e "${General::swroot}/ovpn/certs/ta.key") { + system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + goto ADV_ERROR; + } + } + } &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings); &writeserverconf();#hier ok @@ -860,9 +928,12 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print SERVERCONF "route $remsubnet[0] $remsubnet[1]\n"; print SERVERCONF "# tun Device\n"; print SERVERCONF "dev tun\n"; + print SERVERCONF "#Logfile for statistics\n"; + print SERVERCONF "status-version 1\n"; + print SERVERCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n"; print SERVERCONF "# Port and Protokol\n"; print SERVERCONF "port $cgiparams{'DEST_PORT'}\n"; - + if ($cgiparams{'PROTOCOL'} eq 'tcp') { print SERVERCONF "proto tcp-server\n"; print SERVERCONF "# Packet size\n"; @@ -905,7 +976,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General } if ($cgiparams{'COMPLZO'} eq 'on') { print SERVERCONF "# Enable Compression\n"; - print SERVERCONF "comp-lzo\r\n"; + print SERVERCONF "comp-lzo\n"; } print SERVERCONF "# Debug Level\n"; print SERVERCONF "verb 3\n"; @@ -1000,7 +1071,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General } if ($cgiparams{'COMPLZO'} eq 'on') { print CLIENTCONF "# Enable Compression\n"; - print CLIENTCONF "comp-lzo\r\n"; + print CLIENTCONF "comp-lzo\n"; } print CLIENTCONF "# Debug Level\n"; print CLIENTCONF "verb 3\n"; @@ -1020,7 +1091,6 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General ### Save main settings ### - if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') { &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); #DAN do we really need (to to check) this value? Besides if we listen on blue and orange too, @@ -1031,8 +1101,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg goto SETTINGS_ERROR; } } - if ($errormessage) { goto SETTINGS_ERROR; } - + if (! &General::validipandmask($cgiparams{'DOVPN_SUBNET'})) { $errormessage = $Lang::tr{'ovpn subnet is invalid'}; goto SETTINGS_ERROR; @@ -1121,9 +1190,13 @@ SETTINGS_ERROR: &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); foreach my $key (keys %confighash) { + my $name = $confighash{$cgiparams{'$key'}}[1]; + if ($confighash{$key}[4] eq 'cert') { delete $confighash{$cgiparams{'$key'}}; } + + system ("/usr/local/bin/openvpnctrl -drrd $name"); } while ($file = glob("${General::swroot}/ovpn/ca/*")) { unlink $file; @@ -1150,6 +1223,9 @@ SETTINGS_ERROR: while ($file = glob("${General::swroot}/ovpn/ccd/*")) { unlink $file } + while ($file = glob("${General::swroot}/ovpn/ccd/*")) { + unlink $file + } if (open(FILE, ">${General::swroot}/ovpn/ovpn-leases.db")) { print FILE ""; close FILE; @@ -1162,6 +1238,9 @@ SETTINGS_ERROR: system ("rm -rf $file"); } + # Remove everything from the collectd configuration + &writecollectdconf(); + #&writeserverconf(); ### ### Reset all step 1 @@ -1202,8 +1281,7 @@ END unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"; } # Create Diffie Hellmann Parameter - system('/usr/bin/openssl', 'dhparam', '-rand', '/proc/interrupts:/proc/net/rt_cache', - '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); + system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ("${General::swroot}/ovpn/ca/dh1024.pem"); @@ -1517,6 +1595,18 @@ END print `/usr/bin/openssl x509 -in ${General::swroot}/ovpn/certs/servercert.pem`; exit(0); } + +### +### Download tls-auth key +### +}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-auth key'}) { + if ( -f "${General::swroot}/ovpn/certs/ta.key" ) { + print "Content-Type: application/octet-stream\r\n"; + print "Content-Disposition: filename=ta.key\r\n\r\n"; + print `/bin/cat ${General::swroot}/ovpn/certs/ta.key`; + exit(0); + } + ### ### Form for generating a root certificate ### @@ -1744,7 +1834,7 @@ END goto ROOTCERT_ERROR; } } else { # child - unless (exec ('/usr/bin/openssl', 'req', '-x509', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache', + unless (exec ('/usr/bin/openssl', 'req', '-x509', '-nodes', '-days', '999999', '-newkey', 'rsa:4096', '-sha512', '-keyout', "${General::swroot}/ovpn/ca/cakey.pem", '-out', "${General::swroot}/ovpn/ca/cacert.pem", @@ -1775,7 +1865,7 @@ END goto ROOTCERT_ERROR; } } else { # child - unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache', + unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-newkey', 'rsa:2048', '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem", '-out', "${General::swroot}/ovpn/certs/serverreq.pem", @@ -1827,8 +1917,7 @@ END # &cleanssldatabase(); } # Create Diffie Hellmann Parameter - system('/usr/bin/openssl', 'dhparam', '-rand', '/proc/interrupts:/proc/net/rt_cache', - '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); + system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); @@ -1840,7 +1929,14 @@ END goto ROOTCERT_ERROR; # } else { # &cleanssldatabase(); - } + } + # Create ta.key for tls-auth + system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + &cleanssldatabase(); + goto ROOTCERT_ERROR; + } goto ROOTCERT_SUCCESS; } ROOTCERT_ERROR: @@ -1970,7 +2066,8 @@ END &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ - system('/usr/local/bin/openvpnctrl', '-sn2n', $confighash{$cgiparams{'KEY'}}[1]); + system('/usr/local/bin/openvpnctrl', '-sn2n', $confighash{$cgiparams{'KEY'}}[1]); + &writecollectdconf(); } } else { @@ -1978,14 +2075,15 @@ END &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ - if ($n2nactive ne ''){ - system('/usr/local/bin/openvpnctrl', '-kn2n', $confighash{$cgiparams{'KEY'}}[1]); - } + if ($n2nactive ne '') { + system('/usr/local/bin/openvpnctrl', '-kn2n', $confighash{$cgiparams{'KEY'}}[1]); + &writecollectdconf(); + } } else { - $errormessage = $Lang::tr{'invalid key'}; + $errormessage = $Lang::tr{'invalid key'}; } - } + } } ### @@ -2083,7 +2181,7 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ } if ($confighash{$cgiparams{'KEY'}}[30] eq 'on') { print CLIENTCONF "# Enable Compression\n"; - print CLIENTCONF "comp-lzo\r\n"; + print CLIENTCONF "comp-lzo\n"; } print CLIENTCONF "# Debug Level\n"; print CLIENTCONF "verb 3\n"; @@ -2182,8 +2280,8 @@ else print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; } if ($vpnsettings{'TLSAUTH'} eq 'on') { - print CLIENTCONF "tls-auth ta.key 1\r\n"; - $zip->addFile( "${General::swroot}/ovpn/ca/ta.key", "ta.key") or die "Can't add file ta.key\n"; + print CLIENTCONF "tls-auth ta.key\r\n"; + $zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key") or die "Can't add file ta.key\n"; } if ($vpnsettings{DCOMPLZO} eq 'on') { print CLIENTCONF "comp-lzo\r\n"; @@ -2206,6 +2304,21 @@ else print CLIENTCONF "mtu-disc $vpnsettings{'PMTU_DISCOVERY'}\r\n"; } } + # Print client.conf.local if entries exist to client.ovpn + if (!-z $local_clientconf && $vpnsettings{'ADDITIONAL_CONFIGS'} eq 'on') { + open (LCC, "$local_clientconf"); + print CLIENTCONF "\n#---------------------------\n"; + print CLIENTCONF "# Start of custom directives\n"; + print CLIENTCONF "# from client.conf.local\n"; + print CLIENTCONF "#---------------------------\n\n"; + while () { + print CLIENTCONF $_; + } + print CLIENTCONF "\n#---------------------------\n"; + print CLIENTCONF "# End of custom directives\n"; + print CLIENTCONF "#---------------------------\n\n"; + close (LCC); + } close(CLIENTCONF); $zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n"; @@ -2227,72 +2340,66 @@ else } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) { - &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); - &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - if ($confighash{$cgiparams{'KEY'}}) { -# if ($vpnsettings{'ENABLED'} eq 'on' || -# $vpnsettings{'ENABLED_BLUE'} eq 'on') { -# system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}); -# } -# - my $temp = `/usr/bin/openssl ca -revoke ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`; + if ($confighash{$cgiparams{'KEY'}}) { + my $temp = `/usr/bin/openssl ca -revoke ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`; ### # m.a.d net2net ### -if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { - my $conffile = glob("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]/$confighash{$cgiparams{'KEY'}}[1].conf"); - my $certfile = glob("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); - unlink ($certfile); - unlink ($conffile); + if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { + my $conffile = glob("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]/$confighash{$cgiparams{'KEY'}}[1].conf"); + my $certfile = glob("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); + unlink ($certfile); + unlink ($conffile); - if (-e "${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") { - rmdir ("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") || die "Kann Verzeichnis nicht loeschen: $!"; - } -} + if (-e "${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") { + rmdir ("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") || die "Kann Verzeichnis nicht loeschen: $!"; + } + } - unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); - unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); + unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); + unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); # A.Marx CCD delete ccd files and routes - - if (-f "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]") - { - unlink "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]"; - } - - &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash); - foreach my $key (keys %ccdroutehash) { - if ($ccdroutehash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){ - delete $ccdroutehash{$key}; + if (-f "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]") + { + unlink "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]"; } - } - &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash); - &General::readhasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash); - foreach my $key (keys %ccdroute2hash) { - if ($ccdroute2hash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){ - delete $ccdroute2hash{$key}; + &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash); + foreach my $key (keys %ccdroutehash) { + if ($ccdroutehash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){ + delete $ccdroutehash{$key}; + } } - } - &General::writehasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash); - &writeserverconf; - + &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash); -# CCD end + &General::readhasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash); + foreach my $key (keys %ccdroute2hash) { + if ($ccdroute2hash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){ + delete $ccdroute2hash{$key}; + } + } + &General::writehasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash); + &writeserverconf; - - delete $confighash{$cgiparams{'KEY'}}; - my $temp2 = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`; - &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); +# CCD end + # Update collectd configuration and delete all RRD files of the removed connection + &writecollectdconf(); + system ("/usr/local/bin/openvpnctrl -drrd $confighash{$cgiparams{'KEY'}}[1]"); - #&writeserverconf(); - } else { - $errormessage = $Lang::tr{'invalid key'}; - } + delete $confighash{$cgiparams{'KEY'}}; + my $temp2 = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`; + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + + } else { + $errormessage = $Lang::tr{'invalid key'}; + } &General::firewall_reload(); ### @@ -2349,6 +2456,28 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { exit(0); } +### +### Display tls-auth key +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show tls-auth key'}) { + + if (! -e "${General::swroot}/ovpn/certs/ta.key") { + $errormessage = $Lang::tr{'not present'}; + } else { + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', ''); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'ta key'}:"); + my $output = `/bin/cat ${General::swroot}/ovpn/certs/ta.key`; + $output = &Header::cleanhtml($output,"y"); + print "
$output
\n"; + &Header::closebox(); + print "
$Lang::tr{'back'}
"; + &Header::closebigbox(); + &Header::closepage(); + exit(0); + } + ### ### Display Certificate Revoke List ### @@ -2416,6 +2545,9 @@ ADV_ERROR: $checked{'REDIRECT_GW_DEF1'}{'off'} = ''; $checked{'REDIRECT_GW_DEF1'}{'on'} = ''; $checked{'REDIRECT_GW_DEF1'}{$cgiparams{'REDIRECT_GW_DEF1'}} = 'CHECKED'; + $checked{'ADDITIONAL_CONFIGS'}{'off'} = ''; + $checked{'ADDITIONAL_CONFIGS'}{'on'} = ''; + $checked{'ADDITIONAL_CONFIGS'}{$cgiparams{'ADDITIONAL_CONFIGS'}} = 'CHECKED'; $checked{'MSSFIX'}{'off'} = ''; $checked{'MSSFIX'}{'on'} = ''; $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED'; @@ -2496,39 +2628,52 @@ print <
- + - - + + + - - + + + - - + + + - - - - - + + - - - - + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + @@ -2784,7 +2929,7 @@ END END ; - my $filename = "/var/log/ovpnserver.log"; + my $filename = "/var/run/ovpnserver.log"; open(FILE, $filename) or die 'Unable to open config file.'; my @current = ; close(FILE); @@ -2926,32 +3071,6 @@ END $errormessage = $Lang::tr{'invalid key'}; } -### -### Remove connection -### -} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) { - &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); - &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - - if ($confighash{$cgiparams{'KEY'}}) { -# if ($vpnsettings{'ENABLED'} eq 'on' || -# $vpnsettings{'ENABLED_BLUE'} eq 'on') { -# system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}); -# } - unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); - unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); - delete $confighash{$cgiparams{'KEY'}}; - &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - #&writeserverconf(); - } else { - $errormessage = $Lang::tr{'invalid key'}; - } -#test33 - -### -### Choose between adding a host-net or net-net connection -### - ### # m.a.d net2net ### @@ -3135,7 +3254,6 @@ my $complzoactive; my $mssfixactive; my $authactive; my $n2nfragment; -my $authactive; my @n2nmtudisc = split(/ /, (grep { /^mtu-disc/ } @firen2nconf)[0]); my @n2nproto2 = split(/ /, (grep { /^proto/ } @firen2nconf)[0]); my @n2nproto = split(/-/, $n2nproto2[1]); @@ -3927,10 +4045,8 @@ if ($cgiparams{'TYPE'} eq 'net') { $errormessage = $Lang::tr{'name too long'}; goto VPNCONF_ERROR; } - if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) { + if ($cgiparams{'CERT_NAME'} eq '' || $cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) { $errormessage = $Lang::tr{'invalid input for name'}; - unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; - rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; goto VPNCONF_ERROR; } if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) { @@ -3975,6 +4091,10 @@ if ($cgiparams{'TYPE'} eq 'net') { $errormessage = $Lang::tr{'passwords do not match'}; goto VPNCONF_ERROR; } + if ($cgiparams{'DAYS_VALID'} ne '' && $cgiparams{'DAYS_VALID'} !~ /^[0-9]+$/) { + $errormessage = $Lang::tr{'invalid input for valid till days'}; + goto VPNCONF_ERROR; + } # Replace empty strings with a . (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./; @@ -4002,7 +4122,7 @@ if ($cgiparams{'TYPE'} eq 'net') { goto VPNCONF_ERROR; } } else { # child - unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache', + unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-newkey', 'rsa:2048', '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", @@ -4245,6 +4365,7 @@ if ($cgiparams{'TYPE'} eq 'net') { $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'}; $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'}; $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'}; + $cgiparams{'DAYS_VALID'} = $vpnsettings{'DAYS_VALID'}; } VPNCONF_ERROR: @@ -4460,7 +4581,7 @@ if ($cgiparams{'TYPE'} eq 'net') { - + @@ -4606,27 +4727,28 @@ END if ($cgiparams{'TYPE'} eq 'host') { print < - - - - + + + + - + - - - -
$Lang::tr{'misc-options'}
Client-To-Client
Redirect-Gateway def1
Max-Clients
Keepalive
- (ping/ping-restart)
$Lang::tr{'ovpn add conf'}$Lang::tr{'openvpn default'}: off
fragment
mssfix$Lang::tr{'openvpn default'}: off
mssfix$Lang::tr{'openvpn default'}: off
fragment
Max-Clients
Keepalive
+ (ping/ping-restart)
$Lang::tr{'ovpn mtu-disc'}
 $Lang::tr{'valid till'} (days):
 
 $Lang::tr{'valid till'} (days):
  $Lang::tr{'pkcs12 file password'}:
 $Lang::tr{'pkcs12 file password'}:
($Lang::tr{'confirmation'})
 $Lang::tr{'pkcs12 file password'}:
($Lang::tr{'confirmation'})
 
* $Lang::tr{'this field may be blank'}
+   +
+ * $Lang::tr{'this field may be blank'} + END }else{ print < -     -     -
- * $Lang::tr{'this field may be blank'} + +  $Lang::tr{'valid till'} (days): + +     +     +
+ * $Lang::tr{'this field may be blank'} END @@ -4781,7 +4903,7 @@ END &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash); &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - my @status = `/bin/cat /var/log/ovpnserver.log`; + my @status = `/bin/cat /var/run/ovpnserver.log`; if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") { if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { @@ -4983,24 +5105,41 @@ END ### &Header::openbox('100%', 'LEFT', $Lang::tr{'connection status and controlc' }); - print < - - $Lang::tr{'name'} - $Lang::tr{'type'} - $Lang::tr{'network'} - $Lang::tr{'remark'} - $Lang::tr{'status'} - $Lang::tr{'action'} - -END ; my $id = 0; my $gif; my $col1=""; - foreach my $key (sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) { + my $lastnet; + foreach my $key (sort { ncmp ($confighash{$a}[32],$confighash{$b}[32]) } sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) { + if ($confighash{$key}[32] eq "" && $confighash{$key}[3] eq 'net' ){$confighash{$key}[32]=$Lang::tr{'fwhost OpenVPN N-2-N'};} + if ($confighash{$key}[32] eq "dynamic"){$confighash{$key}[32]=$Lang::tr{'ccd dynrange'};} + if($id == 0){ + print"$confighash{$key}[32]"; + print < + + $Lang::tr{'name'} + $Lang::tr{'type'} + $Lang::tr{'remark'} + $Lang::tr{'status'} + $Lang::tr{'action'} + +END + } + if ($id > 0 && $lastnet ne $confighash{$key}[32]){ + print "
"; + print"$confighash{$key}[32]"; + print < + + $Lang::tr{'name'} + $Lang::tr{'type'} + $Lang::tr{'remark'} + $Lang::tr{'status'} + $Lang::tr{'action'} + +END + } if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; } if ($id % 2) { print ""; @@ -5019,9 +5158,6 @@ END my $cavalid = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`; $cavalid =~ /Not After : (.*)[\n]/; $cavalid = $1; - if ($confighash{$key}[32] eq "" && $confighash{$key}[3] eq 'net' ){$confighash{$key}[32]="net-2-net";} - if ($confighash{$key}[32] eq "" && $confighash{$key}[3] eq 'host' ){$confighash{$key}[32]="dynamic";} - print "$confighash{$key}[32]"; print "$confighash{$key}[25]"; $col1="bgcolor='${Header::colourred}'"; my $active = "$Lang::tr{'capsclosed'}"; @@ -5150,7 +5286,9 @@ END END ; $id++; + $lastnet = $confighash{$key}[32]; } + print""; ; # If the config file contains entries, print Key to action icons @@ -5195,6 +5333,8 @@ END ; &Header::closebox(); } + + # CA/key listing &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate authorities'}"); print < @@ -5206,7 +5346,12 @@ END END ; my $col1="bgcolor='$color{'color22'}'"; - my $col2="bgcolor='$color{'color20'}'"; + my $col2="bgcolor='$color{'color20'}'"; + # DH parameter line + my $col3="bgcolor='$color{'color22'}'"; + # ta.key line + my $col4="bgcolor='$color{'color20'}'"; + if (-f "${General::swroot}/ovpn/ca/cacert.pem") { my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`; $casubject =~ /Subject: (.*)[\n]/; @@ -5217,15 +5362,16 @@ END $Lang::tr{'root certificate'} $casubject -
+ -
-
+
+
-
-   + +   + END ; } else { @@ -5234,7 +5380,8 @@ END $Lang::tr{'root certificate'}: $Lang::tr{'not present'} -   +   + END ; } @@ -5250,15 +5397,16 @@ END $Lang::tr{'host certificate'} $hostsubject -
+ -
-
+
+
-
-   + +   + END ; } else { @@ -5267,7 +5415,75 @@ END $Lang::tr{'host certificate'}: $Lang::tr{'not present'} -   +   + +END + ; + } + + # Adding DH parameter to chart + if (-f "${General::swroot}/ovpn/ca/dh1024.pem") { + my $dhsubject = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/dh1024.pem`; + $dhsubject =~ / (.*)[\n]/; + $dhsubject = $1; + + + print < + $Lang::tr{'dh parameter'} + $dhsubject +
+ + +
+
+
+   + +END + ; + } else { + # Nothing + print < + $Lang::tr{'dh parameter'}: + $Lang::tr{'not present'} +   + +END + ; + } + + # Adding ta.key to chart + if (-f "${General::swroot}/ovpn/certs/ta.key") { + my $tasubject = `/bin/cat ${General::swroot}/ovpn/certs/ta.key`; + $tasubject =~ /# (.*)[\n]/; + $tasubject = $1; + print < + $Lang::tr{'ta key'} + $tasubject +
+ + +
+
+ + +
+   + +END + ; + } else { + # Nothing + print < + $Lang::tr{'ta key'}: + $Lang::tr{'not present'} +   + END ; } @@ -5330,6 +5546,9 @@ END
+ + + @@ -5343,7 +5562,7 @@ END - + @@ -5357,9 +5576,6 @@ END - - -
$Lang::tr{'upload ca certificate'}
$Lang::tr{'ca name'}:
$Lang::tr{'ovpn dh parameters'}:$Lang::tr{'ovpn dh parameters'}