X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fovpnmain.cgi;h=7048ca206cf0773c4f773b75ca6a7e81c2cdd0a5;hp=dec27b722c68587c2c96552391f352de09168119;hb=ffbe77c8bcf247a484b7791707e98fd3ab59fbdc;hpb=c2b5d12b3453c55afce7ef84451a65e130b0d80f diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index dec27b722c..7048ca206c 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2013 IPFire Team # +# Copyright (C) 2007-2014 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -19,7 +19,7 @@ # # ############################################################################### ### -# Based on IPFireCore 76 +# Based on IPFireCore 77 ### use CGI; use CGI qw/:standard/; @@ -70,6 +70,9 @@ my $configgrp="${General::swroot}/fwhosts/customgroups"; my $customnet="${General::swroot}/fwhosts/customnetworks"; my $name; my $col=""; +my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local"; +my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local"; + &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); $cgiparams{'ENABLED'} = 'off'; $cgiparams{'ENABLED_BLUE'} = 'off'; @@ -90,13 +93,37 @@ $cgiparams{'DCOMPLZO'} = 'off'; $cgiparams{'MSSFIX'} = ''; $cgiparams{'number'} = ''; $cgiparams{'PMTU_DISCOVERY'} = ''; -$cgiparams{'DAUTH'} = ''; $cgiparams{'DCIPHER'} = ''; +$cgiparams{'DAUTH'} = ''; +$cgiparams{'TLSAUTH'} = ''; $routes_push_file = "${General::swroot}/ovpn/routes_push"; -unless (-e $routes_push_file) { system("touch $routes_push_file"); } -unless (-e "${General::swroot}/ovpn/ccd.conf") { system("touch ${General::swroot}/ovpn/ccd.conf"); } -unless (-e "${General::swroot}/ovpn/ccdroute") { system("touch ${General::swroot}/ovpn/ccdroute"); } -unless (-e "${General::swroot}/ovpn/ccdroute2") { system("touch ${General::swroot}/ovpn/ccdroute2"); } + +# Add CCD files if not already presant +unless (-e $routes_push_file) { + open(RPF, ">$routes_push_file"); + close(RPF); +} +unless (-e "${General::swroot}/ovpn/ccd.conf") { + open(CCDC, ">${General::swroot}/ovpn/ccd.conf"); + close (CCDC); +} +unless (-e "${General::swroot}/ovpn/ccdroute") { + open(CCDR, ">${General::swroot}/ovpn/ccdroute"); + close (CCDR); +} +unless (-e "${General::swroot}/ovpn/ccdroute2") { + open(CCDRT, ">${General::swroot}/ovpn/ccdroute2"); + close (CCDRT); +} +# Add additional configs if not already presant +unless (-e "$local_serverconf") { + open(LSC, ">$local_serverconf"); + close (LSC); +} +unless (-e "$local_clientconf") { + open(LCC, ">$local_clientconf"); + close (LCC); +} &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'}); @@ -171,61 +198,6 @@ sub deletebackupcert unlink ("${General::swroot}/ovpn/certs/$hexvalue.pem"); } } -sub checkportfw { - my $DPORT = shift; - my $DPROT = shift; - my %natconfig =(); - my $confignat = "${General::swroot}/firewall/config"; - $DPROT= uc ($DPROT); - &General::readhasharray($confignat, \%natconfig); - foreach my $key (sort keys %natconfig){ - my @portarray = split (/\|/,$natconfig{$key}[30]); - foreach my $value (@portarray){ - if ($value =~ /:/i){ - my ($a,$b) = split (":",$value); - if ($DPROT eq $natconfig{$key}[12] && $DPORT gt $a && $DPORT lt $b){ - $errormessage= "$Lang::tr{'source port in use'} $DPORT"; - } - }else{ - if ($DPROT eq $natconfig{$key}[12] && $DPORT eq $value){ - $errormessage= "$Lang::tr{'source port in use'} $DPORT"; - } - } - } - } - return; -} - -sub checkportoverlap -{ - my $portrange1 = $_[0]; # New port range - my $portrange2 = $_[1]; # existing port range - my @tempr1 = split(/\:/,$portrange1); - my @tempr2 = split(/\:/,$portrange2); - - unless (&checkportinc($tempr1[0], $portrange2)){ return 0;} - unless (&checkportinc($tempr1[1], $portrange2)){ return 0;} - - unless (&checkportinc($tempr2[0], $portrange1)){ return 0;} - unless (&checkportinc($tempr2[1], $portrange1)){ return 0;} - - return 1; # Everything checks out! -} - -# Darren Critchley - we want to make sure that a port entry is not within an already existing range -sub checkportinc -{ - my $port1 = $_[0]; # Port - my $portrange2 = $_[1]; # Port range - my @tempr1 = split(/\:/,$portrange2); - - if ($port1 < $tempr1[0] || $port1 > $tempr1[1]) { - return 1; - } else { - return 0; - } -} - sub writeserverconf { my %sovpnsettings = (); @@ -251,7 +223,7 @@ sub writeserverconf { print CONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n"; print CONF "cert ${General::swroot}/ovpn/certs/servercert.pem\n"; print CONF "key ${General::swroot}/ovpn/certs/serverkey.pem\n"; - print CONF "dh ${General::swroot}/ovpn/ca/dh1024.pem\n"; + print CONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n"; my @tempovpnsubnet = split("\/",$sovpnsettings{'DOVPN_SUBNET'}); print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n"; #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n"; @@ -321,8 +293,11 @@ sub writeserverconf { if ($sovpnsettings{'DAUTH'} eq '') { print CONF ""; } else { - print CONF "auth $sovpnsettings{'DAUTH'}\n"; - } + print CONF "auth $sovpnsettings{'DAUTH'}\n"; + } + if ($sovpnsettings{'TLSAUTH'} eq 'on') { + print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n"; + } if ($sovpnsettings{DCOMPLZO} eq 'on') { print CONF "comp-lzo\n"; } @@ -357,7 +332,22 @@ sub writeserverconf { print CONF "verb $sovpnsettings{LOG_VERB}\n"; } else { print CONF "verb 3\n"; - } + } + # Print server.conf.local if entries exist to server.conf + if ( !-z $local_serverconf && $sovpnsettings{'ADDITIONAL_CONFIGS'} eq 'on') { + open (LSC, "$local_serverconf"); + print CONF "\n#---------------------------\n"; + print CONF "# Start of custom directives\n"; + print CONF "# from server.conf.local\n"; + print CONF "#---------------------------\n\n"; + while () { + print CONF $_; + } + print CONF "\n#-----------------------------\n"; + print CONF "# End of custom directives\n"; + print CONF "#-----------------------------\n"; + close (LSC); + } print CONF "\n"; close(CONF); @@ -736,12 +726,14 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'MAX_CLIENTS'} = $cgiparams{'MAX_CLIENTS'}; $vpnsettings{'REDIRECT_GW_DEF1'} = $cgiparams{'REDIRECT_GW_DEF1'}; $vpnsettings{'CLIENT2CLIENT'} = $cgiparams{'CLIENT2CLIENT'}; + $vpnsettings{'ADDITIONAL_CONFIGS'} = $cgiparams{'ADDITIONAL_CONFIGS'}; $vpnsettings{'DHCP_DOMAIN'} = $cgiparams{'DHCP_DOMAIN'}; $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'}; $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'}; $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'}; $vpnsettings{'PMTU_DISCOVERY'} = $cgiparams{'PMTU_DISCOVERY'}; $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; + $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; my @temp=(); if ($cgiparams{'FRAGMENT'} eq '') { @@ -754,6 +746,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'FRAGMENT'} = $cgiparams{'FRAGMENT'}; } } + if ($cgiparams{'MSSFIX'} ne 'on') { delete $vpnsettings{'MSSFIX'}; } else { @@ -858,6 +851,16 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $errormessage = $Lang::tr{'invalid input for keepalive 1:2'}; goto ADV_ERROR; } + # Create ta.key for tls-auth if not presant + if ($cgiparams{'TLSAUTH'} eq 'on') { + if ( ! -e "${General::swroot}/ovpn/certs/ta.key") { + system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + goto ADV_ERROR; + } + } + } &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings); &writeserverconf();#hier ok @@ -936,14 +939,18 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print SERVERCONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n"; print SERVERCONF "cert ${General::swroot}/ovpn/certs/servercert.pem\n"; print SERVERCONF "key ${General::swroot}/ovpn/certs/serverkey.pem\n"; - print SERVERCONF "dh ${General::swroot}/ovpn/ca/dh1024.pem\n"; + print SERVERCONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n"; print SERVERCONF "# Cipher\n"; print SERVERCONF "cipher $cgiparams{'DCIPHER'}\n"; - print SERVERCONF "# HMAC algorithm\n"; - print SERVERCONF "auth $cgiparams{'DAUTH'}\n"; + if ($cgiparams{'DAUTH'} eq '') { + print SERVERCONF "auth SHA1\n"; + } else { + print SERVERCONF "# HMAC algorithm\n"; + print SERVERCONF "auth $cgiparams{'DAUTH'}\n"; + } if ($cgiparams{'COMPLZO'} eq 'on') { print SERVERCONF "# Enable Compression\n"; - print SERVERCONF "comp-lzo\r\n"; + print SERVERCONF "comp-lzo\n"; } print SERVERCONF "# Debug Level\n"; print SERVERCONF "verb 3\n"; @@ -1029,12 +1036,16 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print CLIENTCONF "tls-client\n"; print CLIENTCONF "# Cipher\n"; print CLIENTCONF "cipher $cgiparams{'DCIPHER'}\n"; - print CLIENTCONF "# HMAC algorithm\n"; - print CLIENTCONF "auth $cgiparams{'DAUTH'}\n"; print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12\r\n"; + if ($cgiparams{'DAUTH'} eq '') { + print CLIENTCONF "auth SHA1\n"; + } else { + print CLIENTCONF "# HMAC algorithm\n"; + print CLIENTCONF "auth $cgiparams{'DAUTH'}\n"; + } if ($cgiparams{'COMPLZO'} eq 'on') { print CLIENTCONF "# Enable Compression\n"; - print CLIENTCONF "comp-lzo\r\n"; + print CLIENTCONF "comp-lzo\n"; } print CLIENTCONF "# Debug Level\n"; print CLIENTCONF "verb 3\n"; @@ -1054,7 +1065,6 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General ### Save main settings ### - if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') { &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); #DAN do we really need (to to check) this value? Besides if we listen on blue and orange too, @@ -1065,13 +1075,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg goto SETTINGS_ERROR; } } - if ($errormessage) { goto SETTINGS_ERROR; } - if ($cgiparams{'ENABLED'} eq 'on'){ - &checkportfw($cgiparams{'DDEST_PORT'},$cgiparams{'DPROTOCOL'}); - } - if ($errormessage) { goto SETTINGS_ERROR; } - if (! &General::validipandmask($cgiparams{'DOVPN_SUBNET'})) { $errormessage = $Lang::tr{'ovpn subnet is invalid'}; goto SETTINGS_ERROR; @@ -1165,41 +1169,43 @@ SETTINGS_ERROR: } } while ($file = glob("${General::swroot}/ovpn/ca/*")) { - unlink $file + unlink $file; } while ($file = glob("${General::swroot}/ovpn/certs/*")) { - unlink $file + unlink $file; } while ($file = glob("${General::swroot}/ovpn/crls/*")) { - unlink $file + unlink $file; } &cleanssldatabase(); if (open(FILE, ">${General::swroot}/ovpn/caconfig")) { print FILE ""; close FILE; } - if (open(FILE, ">${General::swroot}/ovpn/ccdroute")) { - print FILE ""; - close FILE; - } - if (open(FILE, ">${General::swroot}/ovpn/ccdroute2")) { - print FILE ""; - close FILE; - } - while ($file = glob("${General::swroot}/ovpn/ccd/*")) { - unlink $file - } - if (open(FILE, ">${General::swroot}/ovpn/ovpn-leases.db")) { - print FILE ""; - close FILE; - } - if (open(FILE, ">${General::swroot}/ovpn/ovpnconfig")) { - print FILE ""; - close FILE; - } - while ($file = glob("${General::swroot}/ovpn/n2nconf/*")) { - system ("rm -rf $file") - } + if (open(FILE, ">${General::swroot}/ovpn/ccdroute")) { + print FILE ""; + close FILE; + } + if (open(FILE, ">${General::swroot}/ovpn/ccdroute2")) { + print FILE ""; + close FILE; + } + while ($file = glob("${General::swroot}/ovpn/ccd/*")) { + unlink $file + } + if (open(FILE, ">${General::swroot}/ovpn/ovpn-leases.db")) { + print FILE ""; + close FILE; + } + if (open(FILE, ">${General::swroot}/ovpn/ovpnconfig")) { + print FILE ""; + close FILE; + } + while ($file = glob("${General::swroot}/ovpn/n2nconf/*")) { + system ("rm -rf $file"); + } + + #&writeserverconf(); ### ### Reset all step 1 ### @@ -1214,7 +1220,7 @@ SETTINGS_ERROR: - $Lang::tr{'capswarning'}: + $Lang::tr{'capswarning'}: $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'} @@ -1234,7 +1240,7 @@ END ### Generate DH key step 2 ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'} && $cgiparams{'AREUSURE'} eq 'yes') { - # Delete if old key exists + # Delete if old key exists if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"; } @@ -1257,8 +1263,8 @@ END print < - - + + $Lang::tr{'ovpn dh'}: @@ -1276,10 +1282,12 @@ END - $Lang::tr{'capswarning'}: - $Lang::tr{'dh key warn'} - + $Lang::tr{'capswarning'}: $Lang::tr{'dh key warn'} + + + + @@ -1298,21 +1306,17 @@ END ### Upload DH key ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload dh key'}) { - if ($cgiparams{'DH_NAME'} !~ /dh1024.pem/) { - $errormessage = $Lang::tr{'dh name is invalid'}; - goto UPLOADCA_ERROR; - } if (ref ($cgiparams{'FH'}) ne 'Fh') { $errormessage = $Lang::tr{'there was no file upload'}; goto UPLOADCA_ERROR; } - # Move uploaded dh key to a temporary file + # Move uploaded dh key to a temporary file (my $fh, my $filename) = tempfile( ); if (copy ($cgiparams{'FH'}, $fh) != 1) { $errormessage = $!; - goto UPLOADCA_ERROR; + goto UPLOADCA_ERROR; } - my $temp = `/usr/bin/openssl dhparam -text -in $filename`; + my $temp = `/usr/bin/openssl dhparam -text -in $filename`; if ($temp !~ /DH Parameters: \((1024|2048|3072|4096) bit\)/) { $errormessage = $Lang::tr{'not a valid dh key'}; unlink ($filename); @@ -1323,11 +1327,11 @@ END unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"; } move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"); - if ($? ne 0) { - $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; - unlink ($filename); - goto UPLOADCA_ERROR; - } + if ($? ne 0) { + $errormessage = "$Lang::tr{'dh key move failed'}: $!"; + unlink ($filename); + goto UPLOADCA_ERROR; + } } ### @@ -1556,6 +1560,18 @@ END print `/usr/bin/openssl x509 -in ${General::swroot}/ovpn/certs/servercert.pem`; exit(0); } + +### +### Download tls-auth key +### +}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-auth key'}) { + if ( -f "${General::swroot}/ovpn/certs/ta.key" ) { + print "Content-Type: application/octet-stream\r\n"; + print "Content-Disposition: filename=ta.key\r\n\r\n"; + print `/bin/cat ${General::swroot}/ovpn/certs/ta.key`; + exit(0); + } + ### ### Form for generating a root certificate ### @@ -1784,7 +1800,7 @@ END } } else { # child unless (exec ('/usr/bin/openssl', 'req', '-x509', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache', - '-days', '999999', '-newkey', 'rsa:4096', + '-days', '999999', '-newkey', 'rsa:4096', '-sha512', '-keyout', "${General::swroot}/ovpn/ca/cakey.pem", '-out', "${General::swroot}/ovpn/ca/cacert.pem", '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { @@ -1879,7 +1895,14 @@ END goto ROOTCERT_ERROR; # } else { # &cleanssldatabase(); - } + } + # Create ta.key for tls-auth + system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + &cleanssldatabase(); + goto ROOTCERT_ERROR; + } goto ROOTCERT_SUCCESS; } ROOTCERT_ERROR: @@ -1894,7 +1917,7 @@ END &Header::closebox(); } &Header::openbox('100%', 'LEFT', "$Lang::tr{'generate root/host certificates'}:"); - print <
$Lang::tr{'dh key warn1'}

@@ -1927,8 +1950,8 @@ END } print ">$country"; } - print < + print < - - + +
$Lang::tr{'organization name'}:
$Lang::tr{'ovpn dh'}:   
* $Lang::tr{'this field may be blank'}


- $Lang::tr{'capswarning'}: - $Lang::tr{'ovpn generating the root and host certificates'} -

+ + $Lang::tr{'capswarning'}: $Lang::tr{'ovpn generating the root and host certificates'} + - + + + + +
$Lang::tr{'dh key warn'}
- $Lang::tr{'dh key warn'} -
$Lang::tr{'dh key warn1'}

+ @@ -2104,17 +2130,22 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ print CLIENTCONF "ns-cert-type server\n"; print CLIENTCONF "# Auth. Client\n"; print CLIENTCONF "tls-client\n"; - print CLIENTCONF "# Cipher\n"; + print CLIENTCONF "# Cipher\n"; print CLIENTCONF "cipher $confighash{$cgiparams{'KEY'}}[40]\n"; - print CLIENTCONF "# HMAC algorithm\n"; - print CLIENTCONF "auth $confighash{$cgiparams{'KEY'}}[39]\n"; if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") { print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12\r\n"; $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n"; - } + } + if ($confighash{$cgiparams{'KEY'}}[39] eq '') { + print CLIENTCONF "# HMAC algorithm\n"; + print CLIENTCONF "auth SHA1\n"; + } else { + print CLIENTCONF "# HMAC algorithm\n"; + print CLIENTCONF "auth $confighash{$cgiparams{'KEY'}}[39]\n"; + } if ($confighash{$cgiparams{'KEY'}}[30] eq 'on') { print CLIENTCONF "# Enable Compression\n"; - print CLIENTCONF "comp-lzo\r\n"; + print CLIENTCONF "comp-lzo\n"; } print CLIENTCONF "# Debug Level\n"; print CLIENTCONF "verb 3\n"; @@ -2207,11 +2238,15 @@ else $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; } print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n"; - if ($vpnsettings{'DAUTH'} eq '') { + if ($vpnsettings{'DAUTH'} eq '') { print CLIENTCONF ""; } else { - print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; - } + print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; + } + if ($vpnsettings{'TLSAUTH'} eq 'on') { + print CLIENTCONF "tls-auth ta.key\r\n"; + $zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key") or die "Can't add file ta.key\n"; + } if ($vpnsettings{DCOMPLZO} eq 'on') { print CLIENTCONF "comp-lzo\r\n"; } @@ -2233,6 +2268,21 @@ else print CLIENTCONF "mtu-disc $vpnsettings{'PMTU_DISCOVERY'}\r\n"; } } + # Print client.conf.local if entries exist to client.ovpn + if (!-z $local_clientconf && $vpnsettings{'ADDITIONAL_CONFIGS'} eq 'on') { + open (LCC, "$local_clientconf"); + print CLIENTCONF "\n#---------------------------\n"; + print CLIENTCONF "# Start of custom directives\n"; + print CLIENTCONF "# from client.conf.local\n"; + print CLIENTCONF "#---------------------------\n\n"; + while () { + print CLIENTCONF $_; + } + print CLIENTCONF "\n#---------------------------\n"; + print CLIENTCONF "# End of custom directives\n"; + print CLIENTCONF "#---------------------------\n\n"; + close (LCC); + } close(CLIENTCONF); $zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n"; @@ -2320,8 +2370,7 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { } else { $errormessage = $Lang::tr{'invalid key'}; } - - &General::firewall_reload(); + &General::firewall_reload(); ### ### Download PKCS12 file @@ -2361,7 +2410,7 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show dh'}) { if (! -e "${General::swroot}/ovpn/ca/dh1024.pem") { - $errormessage = $Lang::tr{'not present'}; + $errormessage = $Lang::tr{'not present'}; } else { &Header::showhttpheaders(); &Header::openpage($Lang::tr{'ovpn'}, 1, ''); @@ -2377,27 +2426,49 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { exit(0); } +### +### Display tls-auth key +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show tls-auth key'}) { + + if (! -e "${General::swroot}/ovpn/certs/ta.key") { + $errormessage = $Lang::tr{'not present'}; + } else { + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', ''); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'ta key'}:"); + my $output = `/bin/cat ${General::swroot}/ovpn/certs/ta.key`; + $output = &Header::cleanhtml($output,"y"); + print "
$output
\n"; + &Header::closebox(); + print ""; + &Header::closebigbox(); + &Header::closepage(); + exit(0); + } + ### ### Display Certificate Revoke List ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show crl'}) { # &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - if (! -e "${General::swroot}/ovpn/crls/cacrl.pem") { - $errormessage = $Lang::tr{'not present'}; + if (! -e "${General::swroot}/ovpn/crls/cacrl.pem") { + $errormessage = $Lang::tr{'not present'}; } else { - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ovpn'}, 1, ''); - &Header::openbigbox('100%', 'LEFT', '', ''); - &Header::openbox('100%', 'LEFT', "$Lang::tr{'crl'}:"); - my $output = `/usr/bin/openssl crl -text -noout -in ${General::swroot}/ovpn/crls/cacrl.pem`; - $output = &Header::cleanhtml($output,"y"); - print "
$output
\n"; - &Header::closebox(); - print ""; - &Header::closebigbox(); - &Header::closepage(); - exit(0); + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', ''); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'crl'}:"); + my $output = `/usr/bin/openssl crl -text -noout -in ${General::swroot}/ovpn/crls/cacrl.pem`; + $output = &Header::cleanhtml($output,"y"); + print "
$output
\n"; + &Header::closebox(); + print ""; + &Header::closebigbox(); + &Header::closepage(); + exit(0); } ### @@ -2435,16 +2506,23 @@ ADV_ERROR: if ($cgiparams{'DAUTH'} eq '') { $cgiparams{'DAUTH'} = 'SHA1'; } + if ($cgiparams{'TLSAUTH'} eq '') { + $cgiparams{'TLSAUTH'} = 'off'; + } $checked{'CLIENT2CLIENT'}{'off'} = ''; $checked{'CLIENT2CLIENT'}{'on'} = ''; $checked{'CLIENT2CLIENT'}{$cgiparams{'CLIENT2CLIENT'}} = 'CHECKED'; $checked{'REDIRECT_GW_DEF1'}{'off'} = ''; $checked{'REDIRECT_GW_DEF1'}{'on'} = ''; $checked{'REDIRECT_GW_DEF1'}{$cgiparams{'REDIRECT_GW_DEF1'}} = 'CHECKED'; + $checked{'ADDITIONAL_CONFIGS'}{'off'} = ''; + $checked{'ADDITIONAL_CONFIGS'}{'on'} = ''; + $checked{'ADDITIONAL_CONFIGS'}{$cgiparams{'ADDITIONAL_CONFIGS'}} = 'CHECKED'; $checked{'MSSFIX'}{'off'} = ''; $checked{'MSSFIX'}{'on'} = ''; $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED'; $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\''; + $selected{'LOG_VERB'}{'0'} = ''; $selected{'LOG_VERB'}{'1'} = ''; $selected{'LOG_VERB'}{'2'} = ''; $selected{'LOG_VERB'}{'3'} = ''; @@ -2456,16 +2534,17 @@ ADV_ERROR: $selected{'LOG_VERB'}{'9'} = ''; $selected{'LOG_VERB'}{'10'} = ''; $selected{'LOG_VERB'}{'11'} = ''; - $selected{'LOG_VERB'}{'0'} = ''; $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED'; $selected{'DAUTH'}{'whirlpool'} = ''; $selected{'DAUTH'}{'SHA512'} = ''; $selected{'DAUTH'}{'SHA384'} = ''; $selected{'DAUTH'}{'SHA256'} = ''; - $selected{'DAUTH'}{'ecdsa-with-SHA1'} = ''; $selected{'DAUTH'}{'SHA1'} = ''; $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; - + $checked{'TLSAUTH'}{'off'} = ''; + $checked{'TLSAUTH'}{'on'} = ''; + $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED'; + &Header::showhttpheaders(); &Header::openpage($Lang::tr{'status ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', $errormessage); @@ -2478,7 +2557,7 @@ ADV_ERROR: &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'}); print < -
$Lang::tr{'upload p12 file'}:
+
@@ -2519,39 +2598,53 @@ print <
$Lang::tr{'dhcp-options'}
- + - - + + + - - + + + - - + + + - - - - - + + - - - - + + + + + + + + + + + - - + + + + + + + + - - - + + + + @@ -2564,30 +2657,28 @@ print <
$Lang::tr{'misc-options'}
Client-To-Client
Redirect-Gateway def1
Max-Clients
Keepalive
- (ping/ping-restart)
$Lang::tr{'ovpn add conf'}$Lang::tr{'openvpn default'}: off
mssfix$Lang::tr{'openvpn default'}: off
fragment
fragment
Max-Clients
mssfix$Lang::tr{'openvpn default'}: onKeepalive
+ (ping/ping-restart)
$Lang::tr{'ovpn mtu-disc'} $Lang::tr{'ovpn mtu-disc yes'}
- + - + - -
$Lang::tr{'log-options'}$Lang::tr{'log-options'}
VERB -
+ + + + + + + + + + + + + +
@@ -2599,24 +2690,34 @@ print < - -
$Lang::tr{'ovpn ha'} Default: SHA1 (160 $Lang::tr{'bit'})
+ $Lang::tr{'openvpn default'}: SHA1 (160 $Lang::tr{'bit'}) + + + + + + + + + + + +
HMAC tls-auth
END if ( -e "/var/run/openvpn.pid"){ print"
$Lang::tr{'attention'}:
$Lang::tr{'server restart'}

"; - print<   @@ -2632,7 +2733,7 @@ END }else{ -print<   @@ -2687,7 +2788,7 @@ if ($cgiparams{'ACTION'} eq "edit"){ &Header::openbox('100%', 'LEFT', $Lang::tr{'ccd modify'}); - print <
$Lang::tr{'ccd name'}: @@ -2701,7 +2802,7 @@ END &Header::closebox(); &Header::openbox('100%', 'LEFT',$Lang::tr{'ccd net'} ); - print < $Lang::tr{'ccd name'}$Lang::tr{'network'}$Lang::tr{'ccd used'} @@ -2711,7 +2812,7 @@ END else{ if (! -e "/var/run/openvpn.pid"){ &Header::openbox('100%', 'LEFT', $Lang::tr{'ccd add'}); - print < $Lang::tr{'ccd hint'}

@@ -2864,7 +2965,7 @@ END } print ""; - print < @@ -2979,7 +3080,7 @@ END if ( -s "${General::swroot}/ovpn/settings") { - print <$Lang::tr{'connection type'}:
@@ -3000,7 +3101,7 @@ END } else { - print <$Lang::tr{'connection type'}:
@@ -3167,8 +3268,7 @@ my @n2nremsub = split(/ /, (grep { /^route/ } @firen2nconf)[0]); my @n2nmgmt = split(/ /, (grep { /^management/ } @firen2nconf)[0]); my @n2nlocalsub = split(/ /, (grep { /^# remsub/ } @firen2nconf)[0]); my @n2ncipher = split(/ /, (grep { /^cipher/ } @firen2nconf)[0]); -my @n2nauth = split(/ /, (grep { /^auth/ } @firen2nconf)[0]); - +my @n2nauth = split(/ /, (grep { /^auth/ } @firen2nconf)[0]);; ### # m.a.d delete CR and LF from arrays for this chomp doesnt work @@ -3242,7 +3342,7 @@ foreach my $dkey (keys %confighash) { $key = &General::findhasharraykey (\%confighash); - foreach my $i (0 .. 41) { $confighash{$key}[$i] = "";} + foreach my $i (0 .. 42) { $confighash{$key}[$i] = "";} $confighash{$key}[0] = 'off'; $confighash{$key}[1] = $n2nname[0]; @@ -3263,9 +3363,10 @@ foreach my $dkey (keys %confighash) { $confighash{$key}[29] = $n2nport[1]; $confighash{$key}[30] = $complzoactive; $confighash{$key}[31] = $n2ntunmtu[1]; - $confighash{$key}[38] = $n2nmtudisc[1]; + $confighash{$key}[38] = $n2nmtudisc[1]; $confighash{$key}[39] = $n2nauth[1]; $confighash{$key}[40] = $n2ncipher[1]; + $confighash{$key}[41] = 'disabled'; &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); @@ -3285,7 +3386,7 @@ foreach my $dkey (keys %confighash) { &Header::openbox('100%', 'LEFT', 'import ipfire net2net config'); } if ($errormessage eq ''){ - print <
$Lang::tr{'host to net vpn'}
@@ -3302,8 +3403,8 @@ foreach my $dkey (keys %confighash) { - - + + @@ -3405,6 +3506,7 @@ if ($confighash{$cgiparams{'KEY'}}) { $cgiparams{'PMTU_DISCOVERY'} = $confighash{$cgiparams{'KEY'}}[38]; $cgiparams{'DAUTH'} = $confighash{$cgiparams{'KEY'}}[39]; $cgiparams{'DCIPHER'} = $confighash{$cgiparams{'KEY'}}[40]; + $cgiparams{'TLSAUTH'} = $confighash{$cgiparams{'KEY'}}[41]; } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); @@ -3723,14 +3825,13 @@ if ($cgiparams{'TYPE'} eq 'net') { unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; goto VPNCONF_ERROR; - } - #Check if remote subnet is used elsewhere - my ($n2nip,$n2nsub)=split("/",$cgiparams{'REMOTE_SUBNET'}); - $warnmessage=&General::checksubnets('',$n2nip,'ovpn'); - if ($warnmessage){ - $warnmessage=$Lang::tr{'remote subnet'}." ($cgiparams{'REMOTE_SUBNET'})
".$warnmessage; - } - + } + #Check if remote subnet is used elsewhere + my ($n2nip,$n2nsub)=split("/",$cgiparams{'REMOTE_SUBNET'}); + $warnmessage=&General::checksubnets('',$n2nip,'ovpn'); + if ($warnmessage){ + $warnmessage=$Lang::tr{'remote subnet'}." ($cgiparams{'REMOTE_SUBNET'})
".$warnmessage; + } } # if (($cgiparams{'TYPE'} eq 'net') && ($cgiparams{'SIDE'} !~ /^(left|right)$/)) { @@ -3940,10 +4041,8 @@ if ($cgiparams{'TYPE'} eq 'net') { $errormessage = $Lang::tr{'name too long'}; goto VPNCONF_ERROR; } - if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) { + if ($cgiparams{'CERT_NAME'} eq '' || $cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) { $errormessage = $Lang::tr{'invalid input for name'}; - unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; - rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; goto VPNCONF_ERROR; } if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) { @@ -4085,7 +4184,7 @@ if ($cgiparams{'TYPE'} eq 'net') { if (! $key) { $key = &General::findhasharraykey (\%confighash); - foreach my $i (0 .. 41) { $confighash{$key}[$i] = "";} + foreach my $i (0 .. 43) { $confighash{$key}[$i] = "";} } $confighash{$key}[0] = $cgiparams{'ENABLED'}; $confighash{$key}[1] = $cgiparams{'NAME'}; @@ -4240,8 +4339,8 @@ if ($cgiparams{'TYPE'} eq 'net') { ### $cgiparams{'MSSFIX'} = 'on'; $cgiparams{'FRAGMENT'} = '1300'; - $cgiparams{'PMTU_DISCOVERY'} = 'off'; - $cgiparams{'DAUTH'} = 'SHA1'; + $cgiparams{'PMTU_DISCOVERY'} = 'off'; + $cgiparams{'DAUTH'} = 'SHA1'; ### # m.a.d n2n end ### @@ -4306,14 +4405,6 @@ if ($cgiparams{'TYPE'} eq 'net') { } $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\''; - $selected{'DAUTH'}{'whirlpool'} = ''; - $selected{'DAUTH'}{'SHA512'} = ''; - $selected{'DAUTH'}{'SHA384'} = ''; - $selected{'DAUTH'}{'SHA256'} = ''; - $selected{'DAUTH'}{'ecdsa-with-SHA1'} = ''; - $selected{'DAUTH'}{'SHA1'} = ''; - $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; - $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; @@ -4326,11 +4417,24 @@ if ($cgiparams{'TYPE'} eq 'net') { $selected{'DCIPHER'}{'DES-EDE-CBC'} = ''; $selected{'DCIPHER'}{'CAST5-CBC'} = ''; $selected{'DCIPHER'}{'BF-CBC'} = ''; - $selected{'DCIPHER'}{'RC2-CBC'} = ''; $selected{'DCIPHER'}{'DES-CBC'} = ''; - $selected{'DCIPHER'}{'RC2-64-CBC'} = ''; - $selected{'DCIPHER'}{'RC2-40-CBC'} = ''; + # If no cipher has been chossen yet, select + # the old default (AES-256-CBC) for compatiblity reasons. + if ($cgiparams{'DCIPHER'} eq '') { + $cgiparams{'DCIPHER'} = 'AES-256-CBC'; + } $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED'; + $selected{'DAUTH'}{'whirlpool'} = ''; + $selected{'DAUTH'}{'SHA512'} = ''; + $selected{'DAUTH'}{'SHA384'} = ''; + $selected{'DAUTH'}{'SHA256'} = ''; + $selected{'DAUTH'}{'SHA1'} = ''; + # If no hash algorythm has been choosen yet, select + # the old default value (SHA1) for compatiblity reasons. + if ($cgiparams{'DAUTH'} eq '') { + $cgiparams{'DAUTH'} = 'SHA1'; + } + $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; if (1) { &Header::showhttpheaders(); @@ -4386,95 +4490,111 @@ if ($cgiparams{'TYPE'} eq 'net') { } else { print ""; } - print <  - - - - - - - + + + - - + + + - - + + - - + + + - - + + - - + + + + + + + - - + + - - - - - - + + + + + - - - + + + + - - - + + + + - - - + + + + - + + - - - + + + + + + + + + + + + + + + + END ; @@ -4538,7 +4658,7 @@ if ($cgiparams{'TYPE'} eq 'host') { if ($cgiparams{'TYPE'} eq 'host') { - print < @@ -4563,7 +4683,7 @@ END } else { - print < @@ -4597,7 +4717,7 @@ END ### if ($cgiparams{'TYPE'} eq 'host') { - print < @@ -4613,7 +4733,7 @@ if ($cgiparams{'TYPE'} eq 'host') {
  
MSSFIX:$confighash{$key}[23]
Fragment:$confighash{$key}[24]
$Lang::tr{'MTU'}$confighash{$key}[31]
$Lang::tr{'ovpn mtu-disc'}:$confighash{$key}[38]
Management Port:$confighash{$key}[22]
$Lang::tr{'ovpn mtu-disc'}$confighash{$key}[38]
Management Port $confighash{$key}[22]
$Lang::tr{'ovpn hmac'}:$confighash{$key}[39]
$Lang::tr{'cipher'}$confighash{$key}[40]
  
 
$Lang::tr{'Act as'}$Lang::tr{'remote host/ip'}:
 
$Lang::tr{'Act as'} +
$Lang::tr{'local subnet'}$Lang::tr{'remote host/ip'}:
$Lang::tr{'remote subnet'}
$Lang::tr{'local subnet'}
$Lang::tr{'ovpn subnet'}$Lang::tr{'remote subnet'}
$Lang::tr{'destination port'}:
$Lang::tr{'ovpn subnet'}
$Lang::tr{'protocol'}$Lang::tr{'protocol'}
$Lang::tr{'destination port'}: Management Port ($Lang::tr{'openvpn default'}: $Lang::tr{'destination port'}):  
$Lang::tr{'cipher'} - $Lang::tr{'ovpn ha'}: -
$Lang::tr{'MTU settings'}
$Lang::tr{'MTU'}  $Lang::tr{'openvpn default'}: udp/tcp 1500/1400
$Lang::tr{'MTU'} $Lang::tr{'openvpn default'}: udp/tcp 1500/1400
fragment:  $Lang::tr{'openvpn default'}: 1300
fragment  $Lang::tr{'openvpn default'}: 1300
mssfix:  $Lang::tr{'openvpn default'}: on
mssfix  $Lang::tr{'openvpn default'}: on
$Lang::tr{'comp-lzo'}   -
$Lang::tr{'ovpn mtu-disc'}: - $Lang::tr{'ovpn mtu-disc yes'} - $Lang::tr{'ovpn mtu-disc maybe'} - $Lang::tr{'ovpn mtu-disc no'} - $Lang::tr{'ovpn mtu-disc off'} -
$Lang::tr{'ovpn mtu-disc'} + $Lang::tr{'ovpn mtu-disc yes'} + $Lang::tr{'ovpn mtu-disc maybe'} + $Lang::tr{'ovpn mtu-disc no'} + $Lang::tr{'ovpn mtu-disc off'} +
$Lang::tr{'ovpn crypt options'}:
$Lang::tr{'cipher'} + $Lang::tr{'ovpn ha'}: +
$Lang::tr{'upload a certificate request'}
$Lang::tr{'generate a certificate'} 
 $Lang::tr{'valid till'} (days):
END }else{ - print <         @@ -4741,7 +4861,7 @@ END if (&haveOrangeNet() && $selorange == '1'){ print"";$selorange=0;}elsif(&haveOrangeNet() && $selorange == '0'){print"";} if ($selgreen == '1' || $other == '0'){ print"";$set=0;}else{print"";}; - print<DNS1: DNS2: WINS:
@@ -4835,17 +4955,13 @@ END $selected{'DCIPHER'}{'DES-EDE-CBC'} = ''; $selected{'DCIPHER'}{'CAST5-CBC'} = ''; $selected{'DCIPHER'}{'BF-CBC'} = ''; - $selected{'DCIPHER'}{'RC2-CBC'} = ''; $selected{'DCIPHER'}{'DES-CBC'} = ''; - $selected{'DCIPHER'}{'RC2-64-CBC'} = ''; - $selected{'DCIPHER'}{'RC2-40-CBC'} = ''; $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED'; $selected{'DAUTH'}{'whirlpool'} = ''; $selected{'DAUTH'}{'SHA512'} = ''; $selected{'DAUTH'}{'SHA384'} = ''; $selected{'DAUTH'}{'SHA256'} = ''; - $selected{'DAUTH'}{'ecdsa-with-SHA1'} = ''; $selected{'DAUTH'}{'SHA1'} = ''; $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; @@ -4869,15 +4985,15 @@ END &Header::closebox(); } - if ($warnmessage) { - &Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'}); - print "$warnmessage
"; - print "$Lang::tr{'fwdfw warn1'}
"; - &Header::closebox(); - print"
"; - &Header::closepage(); - exit 0; - } + if ($warnmessage) { + &Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'}); + print "$warnmessage
"; + print "$Lang::tr{'fwdfw warn1'}
"; + &Header::closebox(); + print"
"; + &Header::closepage(); + exit 0; + } my $sactive = "
$Lang::tr{'stopped'}
"; my $srunning = "no"; @@ -4923,11 +5039,12 @@ END $Lang::tr{'destination port'}: $Lang::tr{'MTU'}  - + + $Lang::tr{'cipher'} $Lang::tr{'comp-lzo'} @@ -4982,24 +5095,41 @@ END ### &Header::openbox('100%', 'LEFT', $Lang::tr{'connection status and controlc' }); - print < - - $Lang::tr{'name'} - $Lang::tr{'type'} - $Lang::tr{'network'} - $Lang::tr{'remark'} - $Lang::tr{'status'} - $Lang::tr{'action'} - -END ; my $id = 0; my $gif; my $col1=""; - foreach my $key (sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) { + my $lastnet; + foreach my $key (sort { ncmp ($confighash{$a}[32],$confighash{$b}[32]) } sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) { + if ($confighash{$key}[32] eq "" && $confighash{$key}[3] eq 'net' ){$confighash{$key}[32]=$Lang::tr{'fwhost OpenVPN N-2-N'};} + if ($confighash{$key}[32] eq "dynamic"){$confighash{$key}[32]=$Lang::tr{'ccd dynrange'};} + if($id == 0){ + print"$confighash{$key}[32]"; + print < + + $Lang::tr{'name'} + $Lang::tr{'type'} + $Lang::tr{'remark'} + $Lang::tr{'status'} + $Lang::tr{'action'} + +END + } + if ($id > 0 && $lastnet ne $confighash{$key}[32]){ + print "
"; + print"$confighash{$key}[32]"; + print < + + $Lang::tr{'name'} + $Lang::tr{'type'} + $Lang::tr{'remark'} + $Lang::tr{'status'} + $Lang::tr{'action'} + +END + } if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; } if ($id % 2) { print ""; @@ -5018,9 +5148,6 @@ END my $cavalid = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`; $cavalid =~ /Not After : (.*)[\n]/; $cavalid = $1; - if ($confighash{$key}[32] eq "" && $confighash{$key}[3] eq 'net' ){$confighash{$key}[32]="net-2-net";} - if ($confighash{$key}[32] eq "" && $confighash{$key}[3] eq 'host' ){$confighash{$key}[32]="dynamic";} - print "$confighash{$key}[32]"; print "$confighash{$key}[25]"; $col1="bgcolor='${Header::colourred}'"; my $active = "$Lang::tr{'capsclosed'}"; @@ -5057,7 +5184,7 @@ END #EXITING -- A graceful exit is in progress. #### - if ($tustate[1] eq 'CONNECTED') { + if (($tustate[1] eq 'CONNECTED') || ($tustate[1] eq 'WAIT')) { $col1="bgcolor='${Header::colourgreen}'"; $active = "$Lang::tr{'capsopen'}"; }else { @@ -5149,7 +5276,9 @@ END END ; $id++; + $lastnet = $confighash{$key}[32]; } + print""; ; # If the config file contains entries, print Key to action icons @@ -5194,6 +5323,8 @@ END ; &Header::closebox(); } + + # CA/key listing &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate authorities'}"); print < @@ -5205,7 +5336,12 @@ END END ; my $col1="bgcolor='$color{'color22'}'"; - my $col2="bgcolor='$color{'color20'}'"; + my $col2="bgcolor='$color{'color20'}'"; + # DH parameter line + my $col3="bgcolor='$color{'color22'}'"; + # ta.key line + my $col4="bgcolor='$color{'color20'}'"; + if (-f "${General::swroot}/ovpn/ca/cacert.pem") { my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`; $casubject =~ /Subject: (.*)[\n]/; @@ -5216,15 +5352,16 @@ END $Lang::tr{'root certificate'} $casubject -
+ -
-
+
+
-
-   + +   + END ; } else { @@ -5233,7 +5370,8 @@ END $Lang::tr{'root certificate'}: $Lang::tr{'not present'} -   +   + END ; } @@ -5249,15 +5387,16 @@ END $Lang::tr{'host certificate'} $hostsubject -
+ -
-
+
+
-
-   + +   + END ; } else { @@ -5266,7 +5405,75 @@ END $Lang::tr{'host certificate'}: $Lang::tr{'not present'} -   +   + +END + ; + } + + # Adding DH parameter to chart + if (-f "${General::swroot}/ovpn/ca/dh1024.pem") { + my $dhsubject = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/dh1024.pem`; + $dhsubject =~ / (.*)[\n]/; + $dhsubject = $1; + + + print < + $Lang::tr{'dh parameter'} + $dhsubject +
+ + +
+
+
+   + +END + ; + } else { + # Nothing + print < + $Lang::tr{'dh parameter'}: + $Lang::tr{'not present'} +   + +END + ; + } + + # Adding ta.key to chart + if (-f "${General::swroot}/ovpn/certs/ta.key") { + my $tasubject = `/bin/cat ${General::swroot}/ovpn/certs/ta.key`; + $tasubject =~ /# (.*)[\n]/; + $tasubject = $1; + print < + $Lang::tr{'ta key'} + $tasubject +
+ + +
+
+ + +
+   + +END + ; + } else { + # Nothing + print < + $Lang::tr{'ta key'}: + $Lang::tr{'not present'} +   + END ; } @@ -5329,6 +5536,9 @@ END
+ + + @@ -5336,22 +5546,29 @@ END + + + + + + + + + - - + + + - + + - - - - -
$Lang::tr{'upload ca certificate'}
$Lang::tr{'ca name'}:
$Lang::tr{'ovpn dh parameters'}
$Lang::tr{'ovpn dh name'}:$Lang::tr{'ovpn dh upload'}: -

$Lang::tr{'ovpn dh new key'}:
+ +
END ;