X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fovpnmain.cgi;h=4fb2349956f538739767e689d3a79a01e783b3c8;hp=9550ca6736cd56bfb1687b19a460fa7064a9b743;hb=5b4464a94478059ceebf266bc31dee4a4ba18fac;hpb=1e499e90d76743efe0c9cf71c75636559f980fe3 diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 9550ca6736..4fb2349956 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -35,6 +35,7 @@ require '/var/ipfire/general-functions.pl'; require "${General::swroot}/lang.pl"; require "${General::swroot}/header.pl"; require "${General::swroot}/countries.pl"; +require "${General::swroot}/geoip-functions.pl"; # enable only the following on debugging purpose #use warnings; @@ -63,6 +64,8 @@ my %cahash=(); my %selected=(); my $warnmessage = ''; my $errormessage = ''; +my $cryptoerror = ''; +my $cryptowarning = ''; my %settings=(); my $routes_push_file = ''; my $confighost="${General::swroot}/fwhosts/customhosts"; @@ -92,11 +95,12 @@ $cgiparams{'ROUTES_PUSH'} = ''; $cgiparams{'DCOMPLZO'} = 'off'; $cgiparams{'MSSFIX'} = ''; $cgiparams{'number'} = ''; -$cgiparams{'PMTU_DISCOVERY'} = ''; $cgiparams{'DCIPHER'} = ''; $cgiparams{'DAUTH'} = ''; $cgiparams{'TLSAUTH'} = ''; $routes_push_file = "${General::swroot}/ovpn/routes_push"; +# Perform crypto and configration test +&pkiconfigcheck; # Add CCD files if not already presant unless (-e $routes_push_file) { @@ -170,7 +174,12 @@ sub cleanssldatabase print FILE ""; close FILE; } + if (open(FILE, ">${General::swroot}/ovpn/certs/index.txt.attr")) { + print FILE ""; + close FILE; + } unlink ("${General::swroot}/ovpn/certs/index.txt.old"); + unlink ("${General::swroot}/ovpn/certs/index.txt.attr.old"); unlink ("${General::swroot}/ovpn/certs/serial.old"); unlink ("${General::swroot}/ovpn/certs/01.pem"); } @@ -185,7 +194,11 @@ sub newcleanssldatabase if (! -s ">${General::swroot}/ovpn/certs/index.txt") { system ("touch ${General::swroot}/ovpn/certs/index.txt"); } + if (! -s ">${General::swroot}/ovpn/certs/index.txt.attr") { + system ("touch ${General::swroot}/ovpn/certs/index.txt.attr"); + } unlink ("${General::swroot}/ovpn/certs/index.txt.old"); + unlink ("${General::swroot}/ovpn/certs/index.txt.attr.old"); unlink ("${General::swroot}/ovpn/certs/serial.old"); } @@ -199,6 +212,45 @@ sub deletebackupcert } } +### +### Check for PKI and configure problems +### + +sub pkiconfigcheck +{ + # Warning if DH parameter is 1024 bit + if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { + my $dhparameter = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}`; + my @dhbit = ($dhparameter =~ /(\d+)/); + if ($1 < 2048) { + $cryptoerror = "$Lang::tr{'ovpn error dh'}"; + goto CRYPTO_ERROR; + } + } + + # Warning if md5 is in usage + if (-f "${General::swroot}/ovpn/certs/servercert.pem") { + my $signature = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + if ($signature =~ /md5WithRSAEncryption/) { + $cryptoerror = "$Lang::tr{'ovpn error md5'}"; + goto CRYPTO_ERROR; + } + } + + CRYPTO_ERROR: + + # Warning if certificate is not compliant to RFC3280 TLS rules + if (-f "${General::swroot}/ovpn/certs/servercert.pem") { + my $extendkeyusage = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + if ($extendkeyusage !~ /TLS Web Server Authentication/) { + $cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}"; + goto CRYPTO_WARNING; + } + } + + CRYPTO_WARNING: +} + sub writeserverconf { my %sovpnsettings = (); my @temp = (); @@ -213,10 +265,10 @@ sub writeserverconf { print CONF "writepid /var/run/openvpn.pid\n"; print CONF "#DAN prepare OpenVPN for listening on blue and orange\n"; print CONF ";local $sovpnsettings{'VPN_IP'}\n"; - print CONF "dev $sovpnsettings{'DDEVICE'}\n"; + print CONF "dev tun\n"; print CONF "proto $sovpnsettings{'DPROTOCOL'}\n"; print CONF "port $sovpnsettings{'DDEST_PORT'}\n"; - print CONF "script-security 3 system\n"; + print CONF "script-security 3\n"; print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\n"; print CONF "client-config-dir /var/ipfire/ovpn/ccd\n"; print CONF "tls-server\n"; @@ -228,18 +280,14 @@ sub writeserverconf { print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n"; #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n"; - # Check if we are using mssfix, fragment or mtu-disc and set the corretct mtu of 1500. + # Check if we are using mssfix, fragment and set the corretct mtu of 1500. # If we doesn't use one of them, we can use the configured mtu value. if ($sovpnsettings{'MSSFIX'} eq 'on') - { print CONF "$sovpnsettings{'DDEVICE'}-mtu 1500\n"; } + { print CONF "tun-mtu 1500\n"; } elsif ($sovpnsettings{'FRAGMENT'} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp') - { print CONF "$sovpnsettings{'DDEVICE'}-mtu 1500\n"; } - elsif (($sovpnsettings{'PMTU_DISCOVERY'} eq 'yes') || - ($sovpnsettings{'PMTU_DISCOVERY'} eq 'maybe') || - ($sovpnsettings{'PMTU_DISCOVERY'} eq 'no' )) - { print CONF "$sovpnsettings{'DDEVICE'}-mtu 1500\n"; } + { print CONF "tun-mtu 1500\n"; } else - { print CONF "$sovpnsettings{'DDEVICE'}-mtu $sovpnsettings{'DMTU'}\n"; } + { print CONF "tun-mtu $sovpnsettings{'DMTU'}\n"; } if ($vpnsettings{'ROUTES_PUSH'} ne '') { @temp = split(/\n/,$vpnsettings{'ROUTES_PUSH'}); @@ -277,18 +325,12 @@ sub writeserverconf { print CONF "fragment $sovpnsettings{'FRAGMENT'}\n"; } - # Check if a valid operating mode has been choosen and use it. - if (($sovpnsettings{'PMTU_DISCOVERY'} eq 'yes') || - ($sovpnsettings{'PMTU_DISCOVERY'} eq 'maybe') || - ($sovpnsettings{'PMTU_DISCOVERY'} eq 'no' )) { - print CONF "mtu-disc $sovpnsettings{'PMTU_DISCOVERY'}\n"; - } - if ($sovpnsettings{KEEPALIVE_1} > 0 && $sovpnsettings{KEEPALIVE_2} > 0) { print CONF "keepalive $sovpnsettings{'KEEPALIVE_1'} $sovpnsettings{'KEEPALIVE_2'}\n"; } print CONF "status-version 1\n"; print CONF "status /var/run/ovpnserver.log 30\n"; + print CONF "ncp-disable\n"; print CONF "cipher $sovpnsettings{DCIPHER}\n"; if ($sovpnsettings{'DAUTH'} eq '') { print CONF ""; @@ -754,7 +796,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'}; $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'}; $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'}; - $vpnsettings{'PMTU_DISCOVERY'} = $cgiparams{'PMTU_DISCOVERY'}; $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; my @temp=(); @@ -776,16 +817,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'MSSFIX'} = $cgiparams{'MSSFIX'}; } - if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') || - ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') || - ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) { - - if (($cgiparams{'MSSFIX'} eq 'on') || ($cgiparams{'FRAGMENT'} ne '')) { - $errormessage = $Lang::tr{'ovpn mtu-disc with mssfix or fragment'}; - goto ADV_ERROR; - } - } - if ($cgiparams{'DHCP_DOMAIN'} ne ''){ unless (&General::validdomainname($cgiparams{'DHCP_DOMAIN'}) || &General::validip($cgiparams{'DHCP_DOMAIN'})) { $errormessage = $Lang::tr{'invalid input for dhcp domain'}; @@ -926,6 +957,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print SERVERCONF "ifconfig $ovsubnet.1 $ovsubnet.2\n"; print SERVERCONF "# Client Gateway Network\n"; print SERVERCONF "route $remsubnet[0] $remsubnet[1]\n"; + print SERVERCONF "up \"/etc/init.d/static-routes start\"\n"; print SERVERCONF "# tun Device\n"; print SERVERCONF "dev tun\n"; print SERVERCONF "#Logfile for statistics\n"; @@ -950,16 +982,6 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n"; }; } - # Check if a valid operating mode has been choosen and use it. - if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') || - ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') || - ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) { - if(($cgiparams{'MSSFIX'} ne 'on') || ($cgiparams{'FRAGMENT'} eq '')) { - if($cgiparams{'MTU'} eq '1500') { - print SERVERCONF "mtu-disc $cgiparams{'PMTU_DISCOVERY'}\n"; - } - } - } print SERVERCONF "# Auth. Server\n"; print SERVERCONF "tls-server\n"; print SERVERCONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n"; @@ -968,12 +990,18 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print SERVERCONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n"; print SERVERCONF "# Cipher\n"; print SERVERCONF "cipher $cgiparams{'DCIPHER'}\n"; - if ($cgiparams{'DAUTH'} eq '') { - print SERVERCONF "auth SHA1\n"; + + # If GCM cipher is used, do not use --auth + if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') || + ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') || + ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) { + print SERVERCONF unless "# HMAC algorithm\n"; + print SERVERCONF unless "auth $cgiparams{'DAUTH'}\n"; } else { - print SERVERCONF "# HMAC algorithm\n"; - print SERVERCONF "auth $cgiparams{'DAUTH'}\n"; + print SERVERCONF "# HMAC algorithm\n"; + print SERVERCONF "auth $cgiparams{'DAUTH'}\n"; } + if ($cgiparams{'COMPLZO'} eq 'on') { print SERVERCONF "# Enable Compression\n"; print SERVERCONF "comp-lzo\n"; @@ -1025,8 +1053,12 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print CLIENTCONF "ifconfig $ovsubnet.2 $ovsubnet.1\n"; print CLIENTCONF "# Server Gateway Network\n"; print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n"; + print CLIENTCONF "up \"/etc/init.d/static-routes start\"\n"; print CLIENTCONF "# tun Device\n"; print CLIENTCONF "dev tun\n"; + print CLIENTCONF "#Logfile for statistics\n"; + print CLIENTCONF "status-version 1\n"; + print CLIENTCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n"; print CLIENTCONF "# Port and Protokol\n"; print CLIENTCONF "port $cgiparams{'DEST_PORT'}\n"; @@ -1046,29 +1078,32 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF "mssfix\n"; }; } - # Check if a valid operating mode has been choosen and use it. - if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') || - ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') || - ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) { - if(($cgiparams{'MSSFIX'} ne 'on') || ($cgiparams{'FRAGMENT'} eq '')) { - if ($cgiparams{'MTU'} eq '1500') { - print CLIENTCONF "mtu-disc $cgiparams{'PMTU_DISCOVERY'}\n"; - } - } + # Check host certificate if X509 is RFC3280 compliant. + # If not, old --ns-cert-type directive will be used. + # If appropriate key usage extension exists, new --remote-cert-tls directive will be used. + my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + if ($hostcert !~ /TLS Web Server Authentication/) { + print CLIENTCONF "ns-cert-type server\n"; + } else { + print CLIENTCONF "remote-cert-tls server\n"; } - - print CLIENTCONF "ns-cert-type server\n"; print CLIENTCONF "# Auth. Client\n"; print CLIENTCONF "tls-client\n"; print CLIENTCONF "# Cipher\n"; print CLIENTCONF "cipher $cgiparams{'DCIPHER'}\n"; print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12\r\n"; - if ($cgiparams{'DAUTH'} eq '') { - print CLIENTCONF "auth SHA1\n"; + + # If GCM cipher is used, do not use --auth + if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') || + ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') || + ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) { + print CLIENTCONF unless "# HMAC algorithm\n"; + print CLIENTCONF unless "auth $cgiparams{'DAUTH'}\n"; } else { - print CLIENTCONF "# HMAC algorithm\n"; - print CLIENTCONF "auth $cgiparams{'DAUTH'}\n"; + print CLIENTCONF "# HMAC algorithm\n"; + print CLIENTCONF "auth $cgiparams{'DAUTH'}\n"; } + if ($cgiparams{'COMPLZO'} eq 'on') { print CLIENTCONF "# Enable Compression\n"; print CLIENTCONF "comp-lzo\n"; @@ -1086,7 +1121,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General close(CLIENTCONF); } - + ### ### Save main settings ### @@ -1167,7 +1202,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'}; #new settings for daemon $vpnsettings{'DOVPN_SUBNET'} = $cgiparams{'DOVPN_SUBNET'}; - $vpnsettings{'DDEVICE'} = $cgiparams{'DDEVICE'}; $vpnsettings{'DPROTOCOL'} = $cgiparams{'DPROTOCOL'}; $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'}; $vpnsettings{'DMTU'} = $cgiparams{'DMTU'}; @@ -1199,7 +1233,7 @@ SETTINGS_ERROR: delete $confighash{$cgiparams{'$key'}}; } - system ("/usr/local/bin/openvpnctrl -drrd $name"); + system ("/usr/local/bin/openvpnctrl -drrd $name &>/dev/null"); } while ($file = glob("${General::swroot}/ovpn/ca/*")) { unlink $file; @@ -1309,7 +1343,6 @@ END
END ; + + if ($confighash{$key}[41] eq "no-pass") { + print <