- | $Lang::tr{'organization name'}: |
+
$Lang::tr{'organization name'}:  |
|
|
- | $Lang::tr{'ipfires hostname'}: |
+
| $Lang::tr{'ipfires hostname'}: |
|
|
- | $Lang::tr{'your e-mail'}: |
+
| $Lang::tr{'your e-mail'}: |
|
|
- | $Lang::tr{'your department'}: |
+
| $Lang::tr{'your department'}: |
|
|
- | $Lang::tr{'city'}: |
+
| $Lang::tr{'city'}: |
|
|
- | $Lang::tr{'state or province'}: |
+
| $Lang::tr{'state or province'}: |
|
|
| $Lang::tr{'country'}: |
@@ -1990,7 +2015,6 @@ END
| $Lang::tr{'ovpn dh'}: |
|
|
- $Lang::tr{'this field may be blank'} |
+ $Lang::tr{'required field'}
|
@@ -2018,17 +2042,17 @@ END
END
@@ -2138,6 +2162,9 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n";
print CLIENTCONF "# tun Device\n";
print CLIENTCONF "dev tun\n";
+ print CLIENTCONF "#Logfile for statistics\n";
+ print CLIENTCONF "status-version 1\n";
+ print CLIENTCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n";
print CLIENTCONF "# Port and Protokoll\n";
print CLIENTCONF "port $confighash{$cgiparams{'KEY'}}[29]\n";
@@ -2156,16 +2183,15 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
if ($confighash{$cgiparams{'KEY'}}[24] ne '') {print CLIENTCONF "fragment $confighash{$cgiparams{'KEY'}}[24]\n";}
if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF "mssfix\n";}
}
- if (($confighash{$cgiparams{'KEY'}}[38] eq 'yes') ||
- ($confighash{$cgiparams{'KEY'}}[38] eq 'maybe') ||
- ($confighash{$cgiparams{'KEY'}}[38] eq 'no' )) {
- if (($confighash{$cgiparams{'KEY'}}[23] ne 'on') || ($confighash{$cgiparams{'KEY'}}[24] eq '')) {
- if ($tunmtu eq '1500' ) {
- print CLIENTCONF "mtu-disc $confighash{$cgiparams{'KEY'}}[38]\n";
- }
- }
+ # Check host certificate if X509 is RFC3280 compliant.
+ # If not, old --ns-cert-type directive will be used.
+ # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
+ my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+ if ($hostcert !~ /TLS Web Server Authentication/) {
+ print CLIENTCONF "ns-cert-type server\n";
+ } else {
+ print CLIENTCONF "remote-cert-tls server\n";
}
- print CLIENTCONF "ns-cert-type server\n";
print CLIENTCONF "# Auth. Client\n";
print CLIENTCONF "tls-client\n";
print CLIENTCONF "# Cipher\n";
@@ -2174,13 +2200,18 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12\r\n";
$zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
}
- if ($confighash{$cgiparams{'KEY'}}[39] eq '') {
- print CLIENTCONF "# HMAC algorithm\n";
- print CLIENTCONF "auth SHA1\n";
+
+ # If GCM cipher is used, do not use --auth
+ if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') ||
+ ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') ||
+ ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) {
+ print CLIENTCONF unless "# HMAC algorithm\n";
+ print CLIENTCONF unless "auth $confighash{$cgiparams{'KEY'}}[39]\n";
} else {
- print CLIENTCONF "# HMAC algorithm\n";
- print CLIENTCONF "auth $confighash{$cgiparams{'KEY'}}[39]\n";
+ print CLIENTCONF "# HMAC algorithm\n";
+ print CLIENTCONF "auth $confighash{$cgiparams{'KEY'}}[39]\n";
}
+
if ($confighash{$cgiparams{'KEY'}}[30] eq 'on') {
print CLIENTCONF "# Enable Compression\n";
print CLIENTCONF "comp-lzo\n";
@@ -2232,16 +2263,12 @@ else
print CLIENTCONF "dev tun\r\n";
print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n";
- # Check if we are using fragment, mssfix or mtu-disc and set MTU to 1500
+ # Check if we are using fragment, mssfix and set MTU to 1500
# or use configured value.
if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' )
{ print CLIENTCONF "tun-mtu 1500\r\n"; }
elsif ($vpnsettings{MSSFIX} eq 'on')
{ print CLIENTCONF "tun-mtu 1500\r\n"; }
- elsif (($vpnsettings{'PMTU_DISCOVERY'} eq 'yes') ||
- ($vpnsettings{'PMTU_DISCOVERY'} eq 'maybe') ||
- ($vpnsettings{'PMTU_DISCOVERY'} eq 'no' ))
- { print CLIENTCONF "tun-mtu 1500\r\n"; }
else
{ print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n"; }
@@ -2265,9 +2292,41 @@ else
print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
}
+ my $file_crt = new File::Temp( UNLINK => 1 );
+ my $file_key = new File::Temp( UNLINK => 1 );
+ my $include_certs = 0;
+
if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") {
- print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
- $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
+ if ($cgiparams{'MODE'} eq 'insecure') {
+ $include_certs = 1;
+
+ # Add the CA
+ print CLIENTCONF ";ca cacert.pem\r\n";
+ $zip->addFile("${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n";
+
+ # Extract the certificate
+ system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
+ '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:');
+ if ($?) {
+ die "openssl error: $?";
+ }
+
+ $zip->addFile("$file_crt", "$confighash{$cgiparams{'KEY'}}[1].pem") or die;
+ print CLIENTCONF ";cert $confighash{$cgiparams{'KEY'}}[1].pem\r\n";
+
+ # Extract the key
+ system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
+ '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:');
+ if ($?) {
+ die "openssl error: $?";
+ }
+
+ $zip->addFile("$file_key", "$confighash{$cgiparams{'KEY'}}[1].key") or die;
+ print CLIENTCONF ";key $confighash{$cgiparams{'KEY'}}[1].key\r\n";
+ } else {
+ print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
+ $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
+ }
} else {
print CLIENTCONF "ca cacert.pem\r\n";
print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n";
@@ -2282,6 +2341,9 @@ else
print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
}
if ($vpnsettings{'TLSAUTH'} eq 'on') {
+ if ($cgiparams{'MODE'} eq 'insecure') {
+ print CLIENTCONF ";";
+ }
print CLIENTCONF "tls-auth ta.key\r\n";
$zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key") or die "Can't add file ta.key\n";
}
@@ -2289,8 +2351,16 @@ else
print CLIENTCONF "comp-lzo\r\n";
}
print CLIENTCONF "verb 3\r\n";
- print CLIENTCONF "ns-cert-type server\r\n";
- print CLIENTCONF "tls-remote $vpnsettings{ROOTCERT_HOSTNAME}\r\n";
+ # Check host certificate if X509 is RFC3280 compliant.
+ # If not, old --ns-cert-type directive will be used.
+ # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
+ my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+ if ($hostcert !~ /TLS Web Server Authentication/) {
+ print CLIENTCONF "ns-cert-type server\r\n";
+ } else {
+ print CLIENTCONF "remote-cert-tls server\r\n";
+ }
+ print CLIENTCONF "verify-x509-name $vpnsettings{ROOTCERT_HOSTNAME} name\r\n";
if ($vpnsettings{MSSFIX} eq 'on') {
print CLIENTCONF "mssfix\r\n";
}
@@ -2298,14 +2368,52 @@ else
print CLIENTCONF "fragment $vpnsettings{'FRAGMENT'}\r\n";
}
- # Check if a valid operating mode has been choosen and use it.
- if (($vpnsettings{'PMTU_DISCOVERY'} eq 'yes') ||
- ($vpnsettings{'PMTU_DISCOVERY'} eq 'maybe') ||
- ($vpnsettings{'PMTU_DISCOVERY'} eq 'no' )) {
- if(($vpnsettings{MSSFIX} ne 'on') || ($vpnsettings{FRAGMENT} eq '')) {
- print CLIENTCONF "mtu-disc $vpnsettings{'PMTU_DISCOVERY'}\r\n";
+ if ($include_certs) {
+ print CLIENTCONF "\r\n";
+
+ # CA
+ open(FILE, "<${General::swroot}/ovpn/ca/cacert.pem");
+ print CLIENTCONF "\r\n";
+ while () {
+ chomp($_);
+ print CLIENTCONF "$_\r\n";
+ }
+ print CLIENTCONF "\r\n\r\n";
+ close(FILE);
+
+ # Cert
+ open(FILE, "<$file_crt");
+ print CLIENTCONF "\r\n";
+ while () {
+ chomp($_);
+ print CLIENTCONF "$_\r\n";
+ }
+ print CLIENTCONF "\r\n\r\n";
+ close(FILE);
+
+ # Key
+ open(FILE, "<$file_key");
+ print CLIENTCONF "\r\n";
+ while () {
+ chomp($_);
+ print CLIENTCONF "$_\r\n";
+ }
+ print CLIENTCONF "\r\n\r\n";
+ close(FILE);
+
+ # TLS auth
+ if ($vpnsettings{'TLSAUTH'} eq 'on') {
+ open(FILE, "<${General::swroot}/ovpn/certs/ta.key");
+ print CLIENTCONF "\r\n";
+ while () {
+ chomp($_);
+ print CLIENTCONF "$_\r\n";
+ }
+ print CLIENTCONF "\r\n\r\n";
+ close(FILE);
}
}
+
# Print client.conf.local if entries exist to client.ovpn
if (!-z $local_clientconf && $vpnsettings{'ADDITIONAL_CONFIGS'} eq 'on') {
open (LCC, "$local_clientconf");
@@ -2537,11 +2645,8 @@ ADV_ERROR:
if ($cgiparams{'LOG_VERB'} eq '') {
$cgiparams{'LOG_VERB'} = '3';
}
- if ($cgiparams{'PMTU_DISCOVERY'} eq '') {
- $cgiparams{'PMTU_DISCOVERY'} = 'off';
- }
if ($cgiparams{'DAUTH'} eq '') {
- $cgiparams{'DAUTH'} = 'SHA1';
+ $cgiparams{'DAUTH'} = 'SHA512';
}
if ($cgiparams{'TLSAUTH'} eq '') {
$cgiparams{'TLSAUTH'} = 'off';
@@ -2558,7 +2663,6 @@ ADV_ERROR:
$checked{'MSSFIX'}{'off'} = '';
$checked{'MSSFIX'}{'on'} = '';
$checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
- $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\'';
$selected{'LOG_VERB'}{'0'} = '';
$selected{'LOG_VERB'}{'1'} = '';
$selected{'LOG_VERB'}{'2'} = '';
@@ -2681,14 +2785,6 @@ print <
|
-
-
- | $Lang::tr{'ovpn mtu-disc'} |
- $Lang::tr{'ovpn mtu-disc yes'} |
- $Lang::tr{'ovpn mtu-disc maybe'} |
- $Lang::tr{'ovpn mtu-disc no'} |
- $Lang::tr{'ovpn mtu-disc off'} |
-
@@ -2731,7 +2827,7 @@ print <SHA2 (512 $Lang::tr{'bit'})
-
+
$Lang::tr{'openvpn default'}: SHA1 (160 $Lang::tr{'bit'}) |
@@ -2928,6 +3024,7 @@ END
| $Lang::tr{'common name'} |
$Lang::tr{'real address'} |
+ $Lang::tr{'country'} |
$Lang::tr{'virtual address'} |
$Lang::tr{'loged in at'} |
$Lang::tr{'bytes sent'} |
@@ -2967,6 +3064,11 @@ END
$users[$uid]{'BytesSent'} = &sizeformat($match[4]);
$users[$uid]{'Since'} = $match[5];
$users[$uid]{'Proto'} = $proto;
+
+ # get country code for "RealAddress"...
+ my $ccode = &GeoIP::lookup((split ':', $users[$uid]{'RealAddress'})[0]);
+ my $flag_icon = &GeoIP::get_flag_icon($ccode);
+ $users[$uid]{'Country'} = "
";
$uid++;
}
}
@@ -2993,7 +3095,8 @@ END
}
print "$users[$idx-1]{'CommonName'} | ";
print "$users[$idx-1]{'RealAddress'} | ";
- print "$users[$idx-1]{'VirtualAddress'} | ";
+ print "$users[$idx-1]{'Country'} | ";
+ print "$users[$idx-1]{'VirtualAddress'} | ";
print "$users[$idx-1]{'Since'} | ";
print "$users[$idx-1]{'BytesSent'} | ";
print "$users[$idx-1]{'BytesReceived'} | ";
@@ -3101,11 +3204,10 @@ if ( -s "${General::swroot}/ovpn/settings") {
|
$Lang::tr{'net to net vpn'} (Upload Client Package) |
| | |
- | | Import Connection Name |
+ | | Import Connection Name |
| | $Lang::tr{'openvpn default'}: Client Packagename |
|
|
- | $Lang::tr{'this field may be blank'} |
END
;
@@ -3267,7 +3369,6 @@ my $complzoactive;
my $mssfixactive;
my $authactive;
my $n2nfragment;
-my @n2nmtudisc = split(/ /, (grep { /^mtu-disc/ } @firen2nconf)[0]);
my @n2nproto2 = split(/ /, (grep { /^proto/ } @firen2nconf)[0]);
my @n2nproto = split(/-/, $n2nproto2[1]);
my @n2nport = split(/ /, (grep { /^port/ } @firen2nconf)[0]);
@@ -3303,7 +3404,6 @@ $n2nremsub[2] =~ s/\n|\r//g;
$n2nlocalsub[2] =~ s/\n|\r//g;
$n2nfragment[1] =~ s/\n|\r//g;
$n2nmgmt[2] =~ s/\n|\r//g;
-$n2nmtudisc[1] =~ s/\n|\r//g;
$n2ncipher[1] =~ s/\n|\r//g;
$n2nauth[1] =~ s/\n|\r//g;
chomp ($complzoactive);
@@ -3380,7 +3480,6 @@ foreach my $dkey (keys %confighash) {
$confighash{$key}[29] = $n2nport[1];
$confighash{$key}[30] = $complzoactive;
$confighash{$key}[31] = $n2ntunmtu[1];
- $confighash{$key}[38] = $n2nmtudisc[1];
$confighash{$key}[39] = $n2nauth[1];
$confighash{$key}[40] = $n2ncipher[1];
$confighash{$key}[41] = 'disabled';
@@ -3420,7 +3519,6 @@ foreach my $dkey (keys %confighash) {
| MSSFIX: | $confighash{$key}[23] |
| Fragment: | $confighash{$key}[24] |
| $Lang::tr{'MTU'} | $confighash{$key}[31] |
- | $Lang::tr{'ovpn mtu-disc'} | $confighash{$key}[38] |
| Management Port | $confighash{$key}[22] |
| $Lang::tr{'ovpn hmac'}: | $confighash{$key}[39] |
| $Lang::tr{'cipher'} | $confighash{$key}[40] |
@@ -3520,7 +3618,6 @@ if ($confighash{$cgiparams{'KEY'}}) {
$cgiparams{'CCD_DNS1'} = $confighash{$cgiparams{'KEY'}}[35];
$cgiparams{'CCD_DNS2'} = $confighash{$cgiparams{'KEY'}}[36];
$cgiparams{'CCD_WINS'} = $confighash{$cgiparams{'KEY'}}[37];
- $cgiparams{'PMTU_DISCOVERY'} = $confighash{$cgiparams{'KEY'}}[38];
$cgiparams{'DAUTH'} = $confighash{$cgiparams{'KEY'}}[39];
$cgiparams{'DCIPHER'} = $confighash{$cgiparams{'KEY'}}[40];
$cgiparams{'TLSAUTH'} = $confighash{$cgiparams{'KEY'}}[41];
@@ -3789,22 +3886,6 @@ if ($cgiparams{'TYPE'} eq 'net') {
goto VPNCONF_ERROR;
}
- if ($cgiparams{'PMTU_DISCOVERY'} ne 'off') {
- if (($cgiparams{'FRAGMENT'} ne '') || ($cgiparams{'MSSFIX'} eq 'on')) {
- $errormessage = $Lang::tr{'ovpn mtu-disc with mssfix or fragment'};
- unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
- rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
- goto VPNCONF_ERROR;
- }
- }
-
- if (($cgiparams{'PMTU_DISCOVERY'} ne 'off') && ($cgiparams{'MTU'} ne '1500')) {
- $errormessage = $Lang::tr{'ovpn mtu-disc and mtu not 1500'};
- unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
- rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
- goto VPNCONF_ERROR;
- }
-
if ( &validdotmask ($cgiparams{'LOCAL_SUBNET'})) {
$errormessage = $Lang::tr{'openvpn prefix local subnet'};
unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
@@ -3927,6 +4008,16 @@ if ($cgiparams{'TYPE'} eq 'net') {
goto VPNCONF_ERROR;
}
+ # Check for N2N that OpenSSL maximum of valid days will not be exceeded
+ if ($cgiparams{'TYPE'} eq 'net') {
+ if ($cgiparams{'DAYS_VALID'} >= '999999') {
+ $errormessage = $Lang::tr{'invalid input for valid till days'};
+ unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
+ rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
+ goto VPNCONF_ERROR;
+ }
+ }
+
if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
$errormessage = $Lang::tr{'invalid input'};
goto VPNCONF_ERROR;
@@ -3982,7 +4073,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
}
my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`;
- $temp =~ /Subject:.*CN=(.*)[\n]/;
+ $temp =~ /Subject:.*CN\s?=\s?(.*)[\n]/;
$temp = $1;
$temp =~ s+/Email+, E+;
$temp =~ s/ ST=/ S=/;
@@ -4036,7 +4127,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
}
my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`;
- $temp =~ /Subject:.*CN=(.*)[\n]/;
+ $temp =~ /Subject:.*CN\s?=\s?(.*)[\n]/;
$temp = $1;
$temp =~ s+/Email+, E+;
$temp =~ s/ ST=/ S=/;
@@ -4104,11 +4195,29 @@ if ($cgiparams{'TYPE'} eq 'net') {
$errormessage = $Lang::tr{'passwords do not match'};
goto VPNCONF_ERROR;
}
- if ($cgiparams{'DAYS_VALID'} ne '' && $cgiparams{'DAYS_VALID'} !~ /^[0-9]+$/) {
+ if ($cgiparams{'DAYS_VALID'} eq '' && $cgiparams{'DAYS_VALID'} !~ /^[0-9]+$/) {
$errormessage = $Lang::tr{'invalid input for valid till days'};
goto VPNCONF_ERROR;
}
+ # Check for RW that OpenSSL maximum of valid days will not be exceeded
+ if ($cgiparams{'TYPE'} eq 'host') {
+ if ($cgiparams{'DAYS_VALID'} >= '999999') {
+ $errormessage = $Lang::tr{'invalid input for valid till days'};
+ goto VPNCONF_ERROR;
+ }
+ }
+
+ # Check for RW if client name is already set
+ if ($cgiparams{'TYPE'} eq 'host') {
+ foreach my $key (keys %confighash) {
+ if ($confighash{$key}[1] eq $cgiparams{'NAME'}) {
+ $errormessage = $Lang::tr{'a connection with this name already exists'};
+ goto VPNCONF_ERROR;
+ }
+ }
+ }
+
# Replace empty strings with a .
(my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./;
(my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./;
@@ -4248,10 +4357,13 @@ if ($cgiparams{'TYPE'} eq 'net') {
$confighash{$key}[35] = $cgiparams{'CCD_DNS1'};
$confighash{$key}[36] = $cgiparams{'CCD_DNS2'};
$confighash{$key}[37] = $cgiparams{'CCD_WINS'};
- $confighash{$key}[38] = $cgiparams{'PMTU_DISCOVERY'};
$confighash{$key}[39] = $cgiparams{'DAUTH'};
$confighash{$key}[40] = $cgiparams{'DCIPHER'};
+ if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
+ $confighash{$key}[41] = "no-pass";
+ }
+
&General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
if ($cgiparams{'CHECK1'} ){
@@ -4360,8 +4472,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
###
$cgiparams{'MSSFIX'} = 'on';
$cgiparams{'FRAGMENT'} = '1300';
- $cgiparams{'PMTU_DISCOVERY'} = 'off';
- $cgiparams{'DAUTH'} = 'SHA1';
+ $cgiparams{'DAUTH'} = 'SHA512';
###
# m.a.d n2n end
###
@@ -4378,7 +4489,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
$cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'};
$cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'};
$cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'};
- $cgiparams{'DAYS_VALID'} = $vpnsettings{'DAYS_VALID'};
+ $cgiparams{'DAYS_VALID'} = $vpnsettings{'DAYS_VALID'} = '730';
}
VPNCONF_ERROR:
@@ -4422,11 +4533,9 @@ if ($cgiparams{'TYPE'} eq 'net') {
$checked{'MSSFIX'}{'on'} = '';
$checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
- if ($cgiparams{'PMTU_DISCOVERY'} eq '') {
- $cgiparams{'PMTU_DISCOVERY'} = 'off';
- }
- $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\'';
-
+ $selected{'DCIPHER'}{'AES-256-GCM'} = '';
+ $selected{'DCIPHER'}{'AES-192-GCM'} = '';
+ $selected{'DCIPHER'}{'AES-128-GCM'} = '';
$selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
$selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
$selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
@@ -4487,7 +4596,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
&Header::openbox('100%', 'LEFT', "$Lang::tr{'connection'}:");
print "\n";
- print "| $Lang::tr{'name'}: | ";
+ print "
| $Lang::tr{'name'}: | ";
if ($cgiparams{'TYPE'} eq 'host') {
if ($cgiparams{'KEY'}) {
@@ -4512,6 +4621,15 @@ if ($cgiparams{'TYPE'} eq 'net') {
} else {
print " | ";
}
+
+ # If GCM ciphers are in usage, HMAC menu is disabled
+ my $hmacdisabled;
+ if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') ||
+ ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') ||
+ ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) {
+ $hmacdisabled = "disabled='disabled'";
+ };
+
print <
|
@@ -4526,14 +4644,14 @@ if ($cgiparams{'TYPE'} eq 'net') {
|
- | $Lang::tr{'local subnet'} |
+
| $Lang::tr{'local subnet'} |
|
- $Lang::tr{'remote subnet'} |
+ $Lang::tr{'remote subnet'} |
|
- | $Lang::tr{'ovpn subnet'} |
+
| $Lang::tr{'ovpn subnet'} |
|
$Lang::tr{'protocol'} |
@@ -4543,10 +4661,10 @@ if ($cgiparams{'TYPE'} eq 'net') {
- | $Lang::tr{'destination port'}: |
+ $Lang::tr{'destination port'}: |
|
- Management Port ($Lang::tr{'openvpn default'}: $Lang::tr{'destination port'}): |
+ Management Port ($Lang::tr{'openvpn default'}: $Lang::tr{'destination port'}): |
|
@@ -4556,63 +4674,57 @@ if ($cgiparams{'TYPE'} eq 'net') {
$Lang::tr{'MTU settings'} |
- | $Lang::tr{'MTU'} |
+
| $Lang::tr{'MTU'} |
|
$Lang::tr{'openvpn default'}: udp/tcp 1500/1400 |
- | fragment |
+
| fragment: |
|
$Lang::tr{'openvpn default'}: 1300 |
- | mssfix |
+
| mssfix: |
|
$Lang::tr{'openvpn default'}: on |
- | $Lang::tr{'comp-lzo'}
+ |
| $Lang::tr{'comp-lzo'} |
|
- | $Lang::tr{'ovpn mtu-disc'} |
-
- $Lang::tr{'ovpn mtu-disc yes'}
- $Lang::tr{'ovpn mtu-disc maybe'}
- $Lang::tr{'ovpn mtu-disc no'}
- $Lang::tr{'ovpn mtu-disc off'}
- |
-
-
|
| $Lang::tr{'ovpn crypt options'}: |
| $Lang::tr{'cipher'} |
- |
@@ -4621,8 +4733,24 @@ if ($cgiparams{'TYPE'} eq 'net') {
END
;
}
+
+#### JAVA SCRIPT ####
+# Validate N2N cipher. If GCM will be used, HMAC menu will be disabled onchange
+print<
+ var disable_options = false;
+ document.getElementById('n2ncipher').onchange = function () {
+ if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM")) {
+ document.getElementById('n2nhmac').setAttribute('disabled', true);
+ } else {
+ document.getElementById('n2nhmac').removeAttribute('disabled');
+ }
+ }
+
+END
+
#jumper
- print "| $Lang::tr{'remark title'} | ";
+ print "
| $Lang::tr{'remark title'} | ";
print " |
";
if ($cgiparams{'TYPE'} eq 'host') {
@@ -4689,12 +4817,12 @@ if ($cgiparams{'TYPE'} eq 'host') {
|
| |
| $Lang::tr{'generate a certificate'} | |
- | | $Lang::tr{'users fullname or system hostname'}: | |
- | | $Lang::tr{'users email'}: | |
- | | $Lang::tr{'users department'}: | |
- | | $Lang::tr{'organization name'}: | |
- | | $Lang::tr{'city'}: | |
- | | $Lang::tr{'state or province'}: | |
+ | | $Lang::tr{'users fullname or system hostname'}: | |
+ | | $Lang::tr{'users email'}: | |
+ | | $Lang::tr{'users department'}: | |
+ | | $Lang::tr{'organization name'}: | |
+ | | $Lang::tr{'city'}: | |
+ | | $Lang::tr{'state or province'}: | |
| | $Lang::tr{'country'}: | |
- | $Lang::tr{'valid till'} (days): |
+ | $Lang::tr{'valid till'} (days):
| |
| | | |
| | | |
|
- | $Lang::tr{'this field may be blank'} |
+ | $Lang::tr{'required field'} |
END
@@ -4859,6 +4987,35 @@ END
}
if ($set == '1' && $#temp != -1){ print"";$set=0;}elsif($set == '0' && $#temp != -1){print"";}
}
+
+ my %vpnconfig = ();
+ &General::readhasharray("${General::swroot}/vpn/config", \%vpnconfig);
+ foreach my $vpn (keys %vpnconfig) {
+ # Skip all disabled VPN connections
+ my $enabled = $vpnconfig{$vpn}[0];
+ next unless ($enabled eq "on");
+
+ my $name = $vpnconfig{$vpn}[1];
+
+ # Remote subnets
+ my @networks = split(/\|/, $vpnconfig{$vpn}[11]);
+ foreach my $network (@networks) {
+ my $selected = "";
+
+ foreach my $key (keys %ccdroute2hash) {
+ if ($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}) {
+ foreach my $i (1 .. $#{$ccdroute2hash{$key}}) {
+ if ($ccdroute2hash{$key}[$i] eq $network) {
+ $selected = "selected";
+ }
+ }
+ }
+ }
+
+ print "\n";
+ }
+ }
+
#check if green,blue,orange are defined for client
foreach my $key (keys %ccdroute2hash) {
if($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}){
@@ -4944,7 +5101,7 @@ END
$cgiparams{'MSSFIX'} = 'off';
}
if ($cgiparams{'DAUTH'} eq '') {
- $cgiparams{'DAUTH'} = 'SHA1';
+ $cgiparams{'DAUTH'} = 'SHA512';
}
if ($cgiparams{'DOVPN_SUBNET'} eq '') {
$cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0';
@@ -4963,6 +5120,9 @@ END
$selected{'DPROTOCOL'}{'tcp'} = '';
$selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
+ $selected{'DCIPHER'}{'AES-256-GCM'} = '';
+ $selected{'DCIPHER'}{'AES-192-GCM'} = '';
+ $selected{'DCIPHER'}{'AES-128-GCM'} = '';
$selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
$selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
$selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
@@ -5005,6 +5165,20 @@ END
&Header::closebox();
}
+ if ($cryptoerror) {
+ &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto error'});
+ print "$cryptoerror";
+ print " ";
+ &Header::closebox();
+ }
+
+ if ($cryptowarning) {
+ &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto warning'});
+ print "$cryptowarning";
+ print " ";
+ &Header::closebox();
+ }
+
if ($warnmessage) {
&Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'});
print "$warnmessage
";
@@ -5059,18 +5233,21 @@ END
$Lang::tr{'cipher'} |
|
| $Lang::tr{'comp-lzo'} |
@@ -5128,7 +5305,7 @@ END
$Lang::tr{'type'} |
$Lang::tr{'remark'} |
$Lang::tr{'status'} |
- $Lang::tr{'action'} |
+ $Lang::tr{'action'} |
|---|
END
}
@@ -5142,7 +5319,7 @@ END
$Lang::tr{'type'} |
$Lang::tr{'remark'} |
$Lang::tr{'status'} |
- $Lang::tr{'action'} |
+ $Lang::tr{'action'} |
END
}
@@ -5241,6 +5418,21 @@ END