openvpn: Changed directioning and added additional generation for ta.key.
authorErik Kapfer <erik.kapfer@ipfire.org>
Sat, 17 May 2014 19:59:45 +0000 (21:59 +0200)
committerErik Kapfer <erik.kapfer@ipfire.org>
Sun, 18 May 2014 07:35:26 +0000 (09:35 +0200)
Deleted the direction parameter 0 and 1 in ta.key directive for
compatibility purposes.
Added the ta.key generation also in PKI build process.
Moved ta.key to /certs instead of /ca and adapted the
appropriate paths.

html/cgi-bin/ovpnmain.cgi

index 16f691f..0e8fad8 100644 (file)
@@ -270,7 +270,7 @@ sub writeserverconf {
        print CONF "auth $sovpnsettings{'DAUTH'}\n";
     }
     if ($sovpnsettings{'TLSAUTH'} eq 'on') {
-       print CONF "tls-auth ${General::swroot}/ovpn/ca/ta.key 0\n";
+       print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n";
     }
     if ($sovpnsettings{DCOMPLZO} eq 'on') {
         print CONF "comp-lzo\n";
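Review bot: Dropping the trailing direction argument on `print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n";` switches OpenVPN from per-direction keys (server 0 / client 1, as the removed line had) to a single bidirectional key; the OpenVPN manual documents the directional mode as the one that derives separate send/receive HMAC keys and thereby rules out certain replay and DoS patterns. The commit message gives compatibility as the reason, but nothing in the config writer records that trade-off, so the next maintainer may not know it was deliberate. Suggest a comment above the line, `# No direction parameter: bidirectional ta.key kept for client compatibility; per-direction keys (server 0 / client 1) would be stronger`, and the same note on the client-side change in the last hunk (`tls-auth ta.key\r\n`). writeserverconf begins before this hunk.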
@@ -711,13 +711,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
        $vpnsettings{'MSSFIX'} = $cgiparams{'MSSFIX'};
     }
 
-   # Create ta.key for tls-auth if not presant
-   if ($cgiparams{'TLSAUTH'} eq 'on') {
-       if ( ! -e "${General::swroot}/ovpn/ca/ta.key") {
-               system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/ca/ta.key")
-       }
-    }
-
     if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') ||
         ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') ||
         ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) {
@@ -816,6 +809,16 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
         $errormessage = $Lang::tr{'invalid input for keepalive 1:2'};
         goto ADV_ERROR;        
     }
+    # Create ta.key for tls-auth if not presant
+    if ($cgiparams{'TLSAUTH'} eq 'on') {
+       if ( ! -e "${General::swroot}/ovpn/certs/ta.key") {
+               system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key");
+               if ($?) {
+               $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+        goto ADV_ERROR;
+               }
+       }
+    }
     
     &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
     &writeserverconf();#hier ok
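Review bot: The failure path reports `$Lang::tr{'openssl produced an error'}: $?` although the command that ran is `/usr/sbin/openvpn --genkey`, and `$?` is the raw wait status rather than the exit code, so an admin reading the page sees a misleading tool name and a value such as 256 instead of 1. Use `$? >> 8` for the displayed code and a message that names openvpn (that needs a new translation key; `'openssl produced an error'` is the only one visible here). The same two issues appear in the ROOTCERT hunk below (`$errormessage = "$Lang::tr{'openssl produced an error'}: $?";`). The `-e` test only asks whether the file exists, so an empty or unreadable ta.key left by an earlier failure would be reused rather than regenerated — worth confirming whether that case can occur. The enclosing `if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'})` block starts before this hunk.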
@@ -1840,7 +1843,14 @@ END
            goto ROOTCERT_ERROR;
 #      } else {
 #          &cleanssldatabase();
-       }       
+       }
+       # Create ta.key for tls-auth
+       system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key");
+       if ($?) {
+           $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+           &cleanssldatabase();
+           goto ROOTCERT_ERROR;
+       }
        goto ROOTCERT_SUCCESS;
     }
     ROOTCERT_ERROR:
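Review bot: Unlike the advanced-options path, the `system('/usr/sbin/openvpn', '--genkey', '--secret', ...)` call here has no `-e` guard, so every CA build overwrites an existing ta.key and silently invalidates every client package that already carries the old one. Rotating the shared HMAC secret together with the CA is a reasonable choice, but it should be stated so nobody later "fixes" it by adding a guard; suggest replacing `# Create ta.key for tls-auth` with `# (Re)create ta.key: building a new CA also rotates the tls-auth secret, so existing client packages must be re-issued`. The key is also generated even when TLSAUTH is off; if that is intended (so the setting can be enabled later without a separate step), a short comment would help. The enclosing block begins before this hunk.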
@@ -2182,8 +2192,8 @@ else
        print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
     }
     if ($vpnsettings{'TLSAUTH'} eq 'on') {
-       print CLIENTCONF "tls-auth ta.key 1\r\n";
-       $zip->addFile( "${General::swroot}/ovpn/ca/ta.key", "ta.key")  or die "Can't add file ta.key\n";
+       print CLIENTCONF "tls-auth ta.key\r\n";
+       $zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key")  or die "Can't add file ta.key\n";
     }
     if ($vpnsettings{DCOMPLZO} eq 'on') {
         print CLIENTCONF "comp-lzo\r\n";