X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fovpnmain.cgi;h=976300fc72e77dd3e23e26bca243dc61faaa4606;hp=b43f91f6bbdb93d3cee910969313c0488e2d4128;hb=32405d88b0ac820ae74c0a15cc2f805cdcb63a6a;hpb=3a4459746774ddaabdf6c85414b7b91d75863740 diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index b43f91f6bb..976300fc72 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -35,6 +35,7 @@ require '/var/ipfire/general-functions.pl'; require "${General::swroot}/lang.pl"; require "${General::swroot}/header.pl"; require "${General::swroot}/countries.pl"; +require "${General::swroot}/geoip-functions.pl"; # enable only the following on debugging purpose #use warnings; @@ -63,6 +64,8 @@ my %cahash=(); my %selected=(); my $warnmessage = ''; my $errormessage = ''; +my $cryptoerror = ''; +my $cryptowarning = ''; my %settings=(); my $routes_push_file = ''; my $confighost="${General::swroot}/fwhosts/customhosts"; @@ -92,11 +95,12 @@ $cgiparams{'ROUTES_PUSH'} = ''; $cgiparams{'DCOMPLZO'} = 'off'; $cgiparams{'MSSFIX'} = ''; $cgiparams{'number'} = ''; -$cgiparams{'PMTU_DISCOVERY'} = ''; $cgiparams{'DCIPHER'} = ''; $cgiparams{'DAUTH'} = ''; $cgiparams{'TLSAUTH'} = ''; $routes_push_file = "${General::swroot}/ovpn/routes_push"; +# Perform crypto and configration test +&pkiconfigcheck; # Add CCD files if not already presant unless (-e $routes_push_file) { @@ -199,6 +203,45 @@ sub deletebackupcert } } +### +### Check for PKI and configure problems +### + +sub pkiconfigcheck +{ + # Warning if DH parameter is 1024 bit + if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { + my $dhparameter = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}`; + my @dhbit = ($dhparameter =~ /(\d+)/); + if ($1 < 2048) { + $cryptoerror = "$Lang::tr{'ovpn error dh'}"; + goto CRYPTO_ERROR; + } + } + + # Warning if md5 is in usage + if (-f "${General::swroot}/ovpn/certs/servercert.pem") { + my $signature = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + if ($signature =~ /md5WithRSAEncryption/) { + $cryptoerror = "$Lang::tr{'ovpn error md5'}"; + goto CRYPTO_ERROR; + } + } + + CRYPTO_ERROR: + + # Warning if certificate is not compliant to RFC3280 TLS rules + if (-f "${General::swroot}/ovpn/certs/servercert.pem") { + my $extendkeyusage = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + if ($extendkeyusage !~ /TLS Web Server Authentication/) { + $cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}"; + goto CRYPTO_WARNING; + } + } + + CRYPTO_WARNING: +} + sub writeserverconf { my %sovpnsettings = (); my @temp = (); @@ -216,7 +259,7 @@ sub writeserverconf { print CONF "dev tun\n"; print CONF "proto $sovpnsettings{'DPROTOCOL'}\n"; print CONF "port $sovpnsettings{'DDEST_PORT'}\n"; - print CONF "script-security 3 system\n"; + print CONF "script-security 3\n"; print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\n"; print CONF "client-config-dir /var/ipfire/ovpn/ccd\n"; print CONF "tls-server\n"; @@ -228,16 +271,12 @@ sub writeserverconf { print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n"; #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n"; - # Check if we are using mssfix, fragment or mtu-disc and set the corretct mtu of 1500. + # Check if we are using mssfix, fragment and set the corretct mtu of 1500. # If we doesn't use one of them, we can use the configured mtu value. if ($sovpnsettings{'MSSFIX'} eq 'on') { print CONF "tun-mtu 1500\n"; } elsif ($sovpnsettings{'FRAGMENT'} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp') { print CONF "tun-mtu 1500\n"; } - elsif (($sovpnsettings{'PMTU_DISCOVERY'} eq 'yes') || - ($sovpnsettings{'PMTU_DISCOVERY'} eq 'maybe') || - ($sovpnsettings{'PMTU_DISCOVERY'} eq 'no' )) - { print CONF "tun-mtu 1500\n"; } else { print CONF "tun-mtu $sovpnsettings{'DMTU'}\n"; } @@ -277,18 +316,12 @@ sub writeserverconf { print CONF "fragment $sovpnsettings{'FRAGMENT'}\n"; } - # Check if a valid operating mode has been choosen and use it. - if (($sovpnsettings{'PMTU_DISCOVERY'} eq 'yes') || - ($sovpnsettings{'PMTU_DISCOVERY'} eq 'maybe') || - ($sovpnsettings{'PMTU_DISCOVERY'} eq 'no' )) { - print CONF "mtu-disc $sovpnsettings{'PMTU_DISCOVERY'}\n"; - } - if ($sovpnsettings{KEEPALIVE_1} > 0 && $sovpnsettings{KEEPALIVE_2} > 0) { print CONF "keepalive $sovpnsettings{'KEEPALIVE_1'} $sovpnsettings{'KEEPALIVE_2'}\n"; } print CONF "status-version 1\n"; print CONF "status /var/run/ovpnserver.log 30\n"; + print CONF "ncp-disable\n"; print CONF "cipher $sovpnsettings{DCIPHER}\n"; if ($sovpnsettings{'DAUTH'} eq '') { print CONF ""; @@ -754,7 +787,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'}; $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'}; $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'}; - $vpnsettings{'PMTU_DISCOVERY'} = $cgiparams{'PMTU_DISCOVERY'}; $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; my @temp=(); @@ -776,16 +808,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'MSSFIX'} = $cgiparams{'MSSFIX'}; } - if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') || - ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') || - ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) { - - if (($cgiparams{'MSSFIX'} eq 'on') || ($cgiparams{'FRAGMENT'} ne '')) { - $errormessage = $Lang::tr{'ovpn mtu-disc with mssfix or fragment'}; - goto ADV_ERROR; - } - } - if ($cgiparams{'DHCP_DOMAIN'} ne ''){ unless (&General::validdomainname($cgiparams{'DHCP_DOMAIN'}) || &General::validip($cgiparams{'DHCP_DOMAIN'})) { $errormessage = $Lang::tr{'invalid input for dhcp domain'}; @@ -951,16 +973,6 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n"; }; } - # Check if a valid operating mode has been choosen and use it. - if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') || - ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') || - ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) { - if(($cgiparams{'MSSFIX'} ne 'on') || ($cgiparams{'FRAGMENT'} eq '')) { - if($cgiparams{'MTU'} eq '1500') { - print SERVERCONF "mtu-disc $cgiparams{'PMTU_DISCOVERY'}\n"; - } - } - } print SERVERCONF "# Auth. Server\n"; print SERVERCONF "tls-server\n"; print SERVERCONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n"; @@ -969,12 +981,18 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print SERVERCONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n"; print SERVERCONF "# Cipher\n"; print SERVERCONF "cipher $cgiparams{'DCIPHER'}\n"; - if ($cgiparams{'DAUTH'} eq '') { - print SERVERCONF "auth SHA1\n"; + + # If GCM cipher is used, do not use --auth + if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') || + ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') || + ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) { + print SERVERCONF unless "# HMAC algorithm\n"; + print SERVERCONF unless "auth $cgiparams{'DAUTH'}\n"; } else { - print SERVERCONF "# HMAC algorithm\n"; - print SERVERCONF "auth $cgiparams{'DAUTH'}\n"; + print SERVERCONF "# HMAC algorithm\n"; + print SERVERCONF "auth $cgiparams{'DAUTH'}\n"; } + if ($cgiparams{'COMPLZO'} eq 'on') { print SERVERCONF "# Enable Compression\n"; print SERVERCONF "comp-lzo\n"; @@ -1051,16 +1069,6 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF "mssfix\n"; }; } - # Check if a valid operating mode has been choosen and use it. - if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') || - ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') || - ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) { - if(($cgiparams{'MSSFIX'} ne 'on') || ($cgiparams{'FRAGMENT'} eq '')) { - if ($cgiparams{'MTU'} eq '1500') { - print CLIENTCONF "mtu-disc $cgiparams{'PMTU_DISCOVERY'}\n"; - } - } - } # Check host certificate if X509 is RFC3280 compliant. # If not, old --ns-cert-type directive will be used. # If appropriate key usage extension exists, new --remote-cert-tls directive will be used. @@ -1075,12 +1083,18 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print CLIENTCONF "# Cipher\n"; print CLIENTCONF "cipher $cgiparams{'DCIPHER'}\n"; print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12\r\n"; - if ($cgiparams{'DAUTH'} eq '') { - print CLIENTCONF "auth SHA1\n"; + + # If GCM cipher is used, do not use --auth + if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') || + ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') || + ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) { + print CLIENTCONF unless "# HMAC algorithm\n"; + print CLIENTCONF unless "auth $cgiparams{'DAUTH'}\n"; } else { - print CLIENTCONF "# HMAC algorithm\n"; - print CLIENTCONF "auth $cgiparams{'DAUTH'}\n"; + print CLIENTCONF "# HMAC algorithm\n"; + print CLIENTCONF "auth $cgiparams{'DAUTH'}\n"; } + if ($cgiparams{'COMPLZO'} eq 'on') { print CLIENTCONF "# Enable Compression\n"; print CLIENTCONF "comp-lzo\n"; @@ -1098,7 +1112,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General close(CLIENTCONF); } - + ### ### Save main settings ### @@ -1210,7 +1224,7 @@ SETTINGS_ERROR: delete $confighash{$cgiparams{'$key'}}; } - system ("/usr/local/bin/openvpnctrl -drrd $name"); + system ("/usr/local/bin/openvpnctrl -drrd $name &>/dev/null"); } while ($file = glob("${General::swroot}/ovpn/ca/*")) { unlink $file; @@ -1320,7 +1334,6 @@ END