From: Michael Tremer Date: Mon, 13 Apr 2015 09:28:57 +0000 (+0200) Subject: Merge remote-tracking branch 'amarx/BUG10797' into next X-Git-Tag: v2.17-core91~137 X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff_plain;h=32a5fec71c317aa47ad27abecd3a63bda513972b;hp=39d435690fa0fa56886bc95a00f7eb01463b7b80 Merge remote-tracking branch 'amarx/BUG10797' into next --- diff --git a/config/backup/include b/config/backup/include index cc9546f8ef..d7a1d3a329 100644 --- a/config/backup/include +++ b/config/backup/include @@ -4,6 +4,7 @@ /var/ipfire/*/config /var/ipfire/*/enable /var/ipfire/*/*enable* +/var/ipfire/ovpn/collectd.vpn /etc/passwd /etc/shadow /etc/group diff --git a/config/cfgroot/graphs.pl b/config/cfgroot/graphs.pl index 5e6fddbf6e..40c1bc87eb 100644 --- a/config/cfgroot/graphs.pl +++ b/config/cfgroot/graphs.pl @@ -664,32 +664,32 @@ sub updatevpnn2ngraph { "COMMENT:".sprintf("%15s",$Lang::tr{'average'}), "COMMENT:".sprintf("%15s",$Lang::tr{'minimal'}), "COMMENT:".sprintf("%15s",$Lang::tr{'current'})."\\j", - "AREA:incoming#00dd00:".sprintf("%-20s",$Lang::tr{'incoming traffic in bytes per second'}), + "AREA:incoming#00dd00:".sprintf("%-23s",$Lang::tr{'incoming traffic in bytes per second'}), "GPRINT:incoming:MAX:%8.1lf %sBps", "GPRINT:incoming:AVERAGE:%8.1lf %sBps", "GPRINT:incoming:MIN:%8.1lf %sBps", "GPRINT:incoming:LAST:%8.1lf %sBps\\j", - "STACK:overhead_in#116B11:".sprintf("%-20s",$Lang::tr{'incoming overhead in bytes per second'}), + "STACK:overhead_in#116B11:".sprintf("%-23s",$Lang::tr{'incoming overhead in bytes per second'}), "GPRINT:overhead_in:MAX:%8.1lf %sBps", "GPRINT:overhead_in:AVERAGE:%8.1lf %sBps", "GPRINT:overhead_in:MIN:%8.1lf %sBps", "GPRINT:overhead_in:LAST:%8.1lf %sBps\\j", - "LINE1:compression_in#ff00ff:".sprintf("%-20s",$Lang::tr{'incoming compression in bytes per second'}), + "LINE1:compression_in#ff00ff:".sprintf("%-23s",$Lang::tr{'incoming compression in bytes per second'}), "GPRINT:compression_in:MAX:%8.1lf %sBps", "GPRINT:compression_in:AVERAGE:%8.1lf %sBps", "GPRINT:compression_in:MIN:%8.1lf %sBps", "GPRINT:compression_in:LAST:%8.1lf %sBps\\j", - "AREA:outgoingn#dd0000:".sprintf("%-20s",$Lang::tr{'outgoing traffic in bytes per second'}), + "AREA:outgoingn#dd0000:".sprintf("%-23s",$Lang::tr{'outgoing traffic in bytes per second'}), "GPRINT:outgoing:MAX:%8.1lf %sBps", "GPRINT:outgoing:AVERAGE:%8.1lf %sBps", "GPRINT:outgoing:MIN:%8.1lf %sBps", "GPRINT:outgoing:LAST:%8.1lf %sBps\\j", - "STACK:overhead_outn#870C0C:".sprintf("%-20s",$Lang::tr{'outgoing overhead in bytes per second'}), + "STACK:overhead_outn#870C0C:".sprintf("%-23s",$Lang::tr{'outgoing overhead in bytes per second'}), "GPRINT:overhead_out:MAX:%8.1lf %sBps", "GPRINT:overhead_out:AVERAGE:%8.1lf %sBps", "GPRINT:overhead_out:MIN:%8.1lf %sBps", "GPRINT:overhead_out:LAST:%8.1lf %sBps\\j", - "LINE1:compression_outn#000000:".sprintf("%-20s",$Lang::tr{'outgoing compression in bytes per second'}), + "LINE1:compression_outn#000000:".sprintf("%-23s",$Lang::tr{'outgoing compression in bytes per second'}), "GPRINT:compression_out:MAX:%8.1lf %sBps", "GPRINT:compression_out:AVERAGE:%8.1lf %sBps", "GPRINT:compression_out:MIN:%8.1lf %sBps", diff --git a/config/hostapd/config b/config/hostapd/config index 1cd76765a9..c3672c5242 100644 --- a/config/hostapd/config +++ b/config/hostapd/config @@ -15,10 +15,6 @@ CONFIG_DRIVER_HOSTAP=y # Driver interface for wired authenticator #CONFIG_DRIVER_WIRED=y -# Driver interface for madwifi driver -#CONFIG_DRIVER_MADWIFI=y -#CFLAGS += -I../../madwifi # change to the madwifi source directory - # Driver interface for Prism54 driver CONFIG_DRIVER_PRISM54=y @@ -49,14 +45,14 @@ CONFIG_RSN_PREAUTH=y CONFIG_PEERKEY=y # IEEE 802.11w (management frame protection) -# This version is an experimental implementation based on IEEE 802.11w/D1.0 -# draft and is subject to change since the standard has not yet been finalized. -# Driver support is also needed for IEEE 802.11w. -#CONFIG_IEEE80211W=y +CONFIG_IEEE80211W=y # Integrated EAP server CONFIG_EAP=y +# EAP Re-authentication Protocol (ERP) in integrated EAP server +CONFIG_ERP=y + # EAP-MD5 for the integrated EAP server CONFIG_EAP_MD5=y @@ -91,6 +87,9 @@ CONFIG_EAP_TTLS=y # EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK) #CONFIG_EAP_PSK=y +# EAP-pwd for the integrated EAP server (secure authentication with a password) +#CONFIG_EAP_PWD=y + # EAP-SAKE for the integrated EAP server #CONFIG_EAP_SAKE=y @@ -110,6 +109,8 @@ CONFIG_EAP_TTLS=y CONFIG_WPS=y # Enable UPnP support for external WPS Registrars CONFIG_WPS_UPNP=y +# Enable WPS support with NFC config method +#CONFIG_WPS_NFC=y # EAP-IKEv2 CONFIG_EAP_IKEV2=y @@ -117,6 +118,9 @@ CONFIG_EAP_IKEV2=y # Trusted Network Connect (EAP-TNC) CONFIG_EAP_TNC=y +# EAP-EKE for the integrated EAP server +#CONFIG_EAP_EKE=y + # PKCS#12 (PFX) support (used to read private key and certificate file from # a file that usually has extension .p12 or .pfx) CONFIG_PKCS12=y @@ -138,14 +142,171 @@ CONFIG_IEEE80211R=y # IEEE 802.11n (High Throughput) support CONFIG_IEEE80211N=y +# Wireless Network Management (IEEE Std 802.11v-2011) +# Note: This is experimental and not complete implementation. +#CONFIG_WNM=y + +# IEEE 802.11ac (Very High Throughput) support +CONFIG_IEEE80211AC=y + # Remove debugging code that is printing out debug messages to stdout. # This can be used to reduce the size of the hostapd considerably if debugging # code is not needed. CONFIG_NO_STDOUT_DEBUG=y -# IEEE 802.11ac (Very High Throughput) support -CONFIG_IEEE80211AC=y -# Enable AUTO_CHANNEL_SELECTION -# This is needed for dfs (radar detection) channels +# Add support for writing debug log to a file: -f /tmp/hostapd.log +# Disabled by default. +#CONFIG_DEBUG_FILE=y + +# Add support for sending all debug messages (regardless of debug verbosity) +# to the Linux kernel tracing facility. This helps debug the entire stack by +# making it easy to record everything happening from the driver up into the +# same file, e.g., using trace-cmd. +#CONFIG_DEBUG_LINUX_TRACING=y + +# Remove support for RADIUS accounting +#CONFIG_NO_ACCOUNTING=y + +# Remove support for RADIUS +#CONFIG_NO_RADIUS=y + +# Remove support for VLANs +#CONFIG_NO_VLAN=y + +# Enable support for fully dynamic VLANs. This enables hostapd to +# automatically create bridge and VLAN interfaces if necessary. +#CONFIG_FULL_DYNAMIC_VLAN=y + +# Use netlink-based kernel API for VLAN operations instead of ioctl() +# Note: This requires libnl 3.1 or newer. +#CONFIG_VLAN_NETLINK=y + +# Remove support for dumping internal state through control interface commands +# This can be used to reduce binary size at the cost of disabling a debugging +# option. +#CONFIG_NO_DUMP_STATE=y + +# Enable tracing code for developer debugging +# This tracks use of memory allocations and other registrations and reports +# incorrect use with a backtrace of call (or allocation) location. +#CONFIG_WPA_TRACE=y +# For BSD, comment out these. +#LIBS += -lexecinfo +#LIBS_p += -lexecinfo +#LIBS_c += -lexecinfo + +# Use libbfd to get more details for developer debugging +# This enables use of libbfd to get more detailed symbols for the backtraces +# generated by CONFIG_WPA_TRACE=y. +#CONFIG_WPA_TRACE_BFD=y +# For BSD, comment out these. +#LIBS += -lbfd -liberty -lz +#LIBS_p += -lbfd -liberty -lz +#LIBS_c += -lbfd -liberty -lz + +# hostapd depends on strong random number generation being available from the +# operating system. os_get_random() function is used to fetch random data when +# needed, e.g., for key generation. On Linux and BSD systems, this works by +# reading /dev/urandom. It should be noted that the OS entropy pool needs to be +# properly initialized before hostapd is started. This is important especially +# on embedded devices that do not have a hardware random number generator and +# may by default start up with minimal entropy available for random number +# generation. +# +# As a safety net, hostapd is by default trying to internally collect +# additional entropy for generating random data to mix in with the data +# fetched from the OS. This by itself is not considered to be very strong, but +# it may help in cases where the system pool is not initialized properly. +# However, it is very strongly recommended that the system pool is initialized +# with enough entropy either by using hardware assisted random number +# generator or by storing state over device reboots. +# +# hostapd can be configured to maintain its own entropy store over restarts to +# enhance random number generation. This is not perfect, but it is much more +# secure than using the same sequence of random numbers after every reboot. +# This can be enabled with -e command line option. The specified +# file needs to be readable and writable by hostapd. +# +# If the os_get_random() is known to provide strong random data (e.g., on +# Linux/BSD, the board in question is known to have reliable source of random +# data from /dev/urandom), the internal hostapd random pool can be disabled. +# This will save some in binary size and CPU use. However, this should only be +# considered for builds that are known to be used on devices that meet the +# requirements described above. +#CONFIG_NO_RANDOM_POOL=y + +# Select TLS implementation +# openssl = OpenSSL (default) +# gnutls = GnuTLS +# internal = Internal TLSv1 implementation (experimental) +# none = Empty template +#CONFIG_TLS=openssl + +# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1) +# can be enabled to get a stronger construction of messages when block ciphers +# are used. +#CONFIG_TLSV11=y + +# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2) +# can be enabled to enable use of stronger crypto algorithms. +#CONFIG_TLSV12=y + +# If CONFIG_TLS=internal is used, additional library and include paths are +# needed for LibTomMath. Alternatively, an integrated, minimal version of +# LibTomMath can be used. See beginning of libtommath.c for details on benefits +# and drawbacks of this option. +#CONFIG_INTERNAL_LIBTOMMATH=y +#ifndef CONFIG_INTERNAL_LIBTOMMATH +#LTM_PATH=/usr/src/libtommath-0.39 +#CFLAGS += -I$(LTM_PATH) +#LIBS += -L$(LTM_PATH) +#LIBS_p += -L$(LTM_PATH) +#endif +# At the cost of about 4 kB of additional binary size, the internal LibTomMath +# can be configured to include faster routines for exptmod, sqr, and div to +# speed up DH and RSA calculation considerably +#CONFIG_INTERNAL_LIBTOMMATH_FAST=y + +# Interworking (IEEE 802.11u) +# This can be used to enable functionality to improve interworking with +# external networks. +#CONFIG_INTERWORKING=y + +# Hotspot 2.0 +#CONFIG_HS20=y + +# Enable SQLite database support in hlr_auc_gw, EAP-SIM DB, and eap_user_file +#CONFIG_SQLITE=y + +# Testing options +# This can be used to enable some testing options (see also the example +# configuration file) that are really useful only for testing clients that +# connect to this hostapd. These options allow, for example, to drop a +# certain percentage of probe requests or auth/(re)assoc frames. +# +#CONFIG_TESTING_OPTIONS=y + +# Automatic Channel Selection +# This will allow hostapd to pick the channel automatically when channel is set +# to "acs_survey" or "0". Eventually, other ACS algorithms can be added in +# similar way. +# +# Automatic selection is currently only done through initialization, later on +# we hope to do background checks to keep us moving to more ideal channels as +# time goes by. ACS is currently only supported through the nl80211 driver and +# your driver must have survey dump capability that is filled by the driver +# during scanning. +# +# You can customize the ACS survey algorithm with the hostapd.conf variable +# acs_num_scans. +# +# Supported ACS drivers: +# * ath9k +# * ath5k +# * ath10k +# +# For more details refer to: +# http://wireless.kernel.org/en/users/Documentation/acs +# CONFIG_ACS=y diff --git a/config/rootfiles/common/collectd b/config/rootfiles/common/collectd index 72b2dee033..273249434d 100644 --- a/config/rootfiles/common/collectd +++ b/config/rootfiles/common/collectd @@ -243,3 +243,4 @@ usr/share/collectd/types.db #usr/share/man/man5/collectd.conf.5 #usr/share/man/man5/types.db.5 #var/lib/collectd +var/ipfire/ovpn/collectd.vpn diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs index 1ab4dec5f1..f33d08c61a 100644 --- a/config/rootfiles/common/misc-progs +++ b/config/rootfiles/common/misc-progs @@ -2,6 +2,7 @@ usr/local/bin/addonctrl #usr/local/bin/applejuicectrl usr/local/bin/backupctrl #usr/local/bin/clamavctrl +usr/local/bin/collectdctrl usr/local/bin/dhcpctrl usr/local/bin/dnsmasqctrl usr/local/bin/extrahdctrl diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2 index 44f24b4369..f506dafac8 100644 --- a/config/rootfiles/common/stage2 +++ b/config/rootfiles/common/stage2 @@ -124,6 +124,7 @@ usr/local/bin/update-lang-cache #usr/local/src #usr/sbin usr/sbin/ovpn-ccd-convert +usr/sbin/ovpn-collectd-convert #usr/share #usr/share/doc #usr/share/doc/licenses diff --git a/config/rootfiles/core/89/filelists/files b/config/rootfiles/core/89/filelists/files index 5ed7194495..70c5f3d9b1 100644 --- a/config/rootfiles/core/89/filelists/files +++ b/config/rootfiles/core/89/filelists/files @@ -11,6 +11,10 @@ srv/web/ipfire/cgi-bin/netovpnrw.cgi srv/web/ipfire/cgi-bin/netovpnsrv.cgi srv/web/ipfire/cgi-bin/ovpnmain.cgi srv/web/ipfire/cgi-bin/vpnmain.cgi +usr/local/bin/collectdctrl +usr/local/bin/openvpnctrl +usr/sbin/ovpn-collectd-convert +usr/sbin/setup var/ipfire/backup/bin/backup.pl var/ipfire/graphs.pl var/ipfire/langs diff --git a/config/rootfiles/core/89/update.sh b/config/rootfiles/core/89/update.sh index f3de863ec5..832feaad63 100644 --- a/config/rootfiles/core/89/update.sh +++ b/config/rootfiles/core/89/update.sh @@ -35,10 +35,22 @@ done /etc/init.d/ipsec stop # Remove old files +rm -f /usr/local/sbin/setup # Extract files extract_files +# Update /etc/sysconfig/createfiles +cat <> /etc/sysconfig/createfiles +/var/run/ovpnserver.log file 644 nobody nobody +/var/run/openvpn dir 644 nobody nobody +EOF + +# Update /etc/collectd.conf +if ! grep -q "collectd.vpn" /etc/collectd.conf; then + echo "include \"/etc/collectd.vpn\"" >> /etc/collectd.conf +fi + # Generate ddns configuration file sudo -u nobody /srv/web/ipfire/cgi-bin/ddns.cgi @@ -56,6 +68,10 @@ rm -f \ /opt/pakfire/db/*/meta-sqlite \ /opt/pakfire/db/rootfiles/sqlite +# Update OpenVPN/collectd configuration +/usr/sbin/ovpn-collectd-convert +chown nobody.nobody /var/ipfire/ovpn/collectd.vpn + # Fix #10625 mkdir -p /etc/logrotate.d diff --git a/html/cgi-bin/netovpnrw.cgi b/html/cgi-bin/netovpnrw.cgi index f775b23dcc..e0b114884a 100755 --- a/html/cgi-bin/netovpnrw.cgi +++ b/html/cgi-bin/netovpnrw.cgi @@ -47,10 +47,10 @@ if ( $querry[0] ne "" && $querry[0] ne "UNDEF"){ &Graphs::updatevpngraph($querry[0],$querry[1]); }else{ &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'host to net vpn'}, 1, ''); + &Header::openpage($Lang::tr{'vpn statistic rw'}, 1, ''); &Header::openbigbox('100%', 'left'); - my @vpngraphs = `find /var/log/rrd/collectd/localhost/openvpn-*/ -not -path *openvpn-UNDEF* -not -path *openvpn-*n2n* -name *.rrd|sort`; + my @vpngraphs = `find /var/log/rrd/collectd/localhost/openvpn-*/ -not -path *openvpn-UNDEF* -not -path *openvpn-*n2n* -name *.rrd 2>/dev/null|sort`; foreach (@vpngraphs){ if($_ =~ /(.*)\/openvpn-(.*)\/if_octets_derive.rrd/){ push(@vpns,$2); diff --git a/html/cgi-bin/netovpnsrv.cgi b/html/cgi-bin/netovpnsrv.cgi index 0ec9c679d5..f843462db7 100755 --- a/html/cgi-bin/netovpnsrv.cgi +++ b/html/cgi-bin/netovpnsrv.cgi @@ -47,10 +47,10 @@ if ( $querry[0] ne ""){ &Graphs::updatevpnn2ngraph($querry[0],$querry[1]); }else{ &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'openvpn server'}, 1, ''); + &Header::openpage($Lang::tr{'vpn statistic n2n'}, 1, ''); &Header::openbigbox('100%', 'left'); - my @vpngraphs = `find /var/log/rrd/collectd/localhost/openvpn-*-n2n/ -not -path *openvpn-UNDEF* -name *traffic.rrd|sort`; + my @vpngraphs = `find /var/log/rrd/collectd/localhost/openvpn-*-n2n/ -not -path *openvpn-UNDEF* -name *traffic.rrd 2>/dev/null|sort`; foreach (@vpngraphs){ if($_ =~ /(.*)\/openvpn-(.*)\/if_octets_derive-traffic.rrd/){ push(@vpns,$2); diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 1e074928f2..d36a49ecd4 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -213,7 +213,7 @@ sub writeserverconf { print CONF "writepid /var/run/openvpn.pid\n"; print CONF "#DAN prepare OpenVPN for listening on blue and orange\n"; print CONF ";local $sovpnsettings{'VPN_IP'}\n"; - print CONF "dev $sovpnsettings{'DDEVICE'}\n"; + print CONF "dev tun\n"; print CONF "proto $sovpnsettings{'DPROTOCOL'}\n"; print CONF "port $sovpnsettings{'DDEST_PORT'}\n"; print CONF "script-security 3 system\n"; @@ -231,15 +231,15 @@ sub writeserverconf { # Check if we are using mssfix, fragment or mtu-disc and set the corretct mtu of 1500. # If we doesn't use one of them, we can use the configured mtu value. if ($sovpnsettings{'MSSFIX'} eq 'on') - { print CONF "$sovpnsettings{'DDEVICE'}-mtu 1500\n"; } + { print CONF "tun-mtu 1500\n"; } elsif ($sovpnsettings{'FRAGMENT'} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp') - { print CONF "$sovpnsettings{'DDEVICE'}-mtu 1500\n"; } + { print CONF "tun-mtu 1500\n"; } elsif (($sovpnsettings{'PMTU_DISCOVERY'} eq 'yes') || ($sovpnsettings{'PMTU_DISCOVERY'} eq 'maybe') || ($sovpnsettings{'PMTU_DISCOVERY'} eq 'no' )) - { print CONF "$sovpnsettings{'DDEVICE'}-mtu 1500\n"; } + { print CONF "tun-mtu 1500\n"; } else - { print CONF "$sovpnsettings{'DDEVICE'}-mtu $sovpnsettings{'DMTU'}\n"; } + { print CONF "tun-mtu $sovpnsettings{'DMTU'}\n"; } if ($vpnsettings{'ROUTES_PUSH'} ne '') { @temp = split(/\n/,$vpnsettings{'ROUTES_PUSH'}); @@ -668,6 +668,29 @@ sub read_routepushfile } } +sub writecollectdconf { + my $vpncollectd; + my %ccdhash=(); + + open(COLLECTDVPN, ">${General::swroot}/ovpn/collectd.vpn") or die "Unable to open collectd.vpn: $!"; + print COLLECTDVPN "Loadplugin openvpn\n"; + print COLLECTDVPN "\n"; + print COLLECTDVPN "\n"; + print COLLECTDVPN "Statusfile \"/var/run/ovpnserver.log\"\n"; + + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash); + foreach my $key (keys %ccdhash) { + if ($ccdhash{$key}[0] eq 'on' && $ccdhash{$key}[3] eq 'net') { + print COLLECTDVPN "Statusfile \"/var/run/openvpn/$ccdhash{$key}[1]-n2n\"\n"; + } + } + + print COLLECTDVPN "\n"; + close(COLLECTDVPN); + + # Reload collectd afterwards + system("/usr/local/bin/collectdctrl restart &>/dev/null"); +} #hier die refresh page if ( -e "${General::swroot}/ovpn/gencanow") { @@ -1144,7 +1167,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'}; #new settings for daemon $vpnsettings{'DOVPN_SUBNET'} = $cgiparams{'DOVPN_SUBNET'}; - $vpnsettings{'DDEVICE'} = $cgiparams{'DDEVICE'}; $vpnsettings{'DPROTOCOL'} = $cgiparams{'DPROTOCOL'}; $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'}; $vpnsettings{'DMTU'} = $cgiparams{'DMTU'}; @@ -1166,10 +1188,17 @@ SETTINGS_ERROR: my $file = ''; &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + # Kill all N2N connections + system("/usr/local/bin/openvpnctrl -kn2n &>/dev/null"); + foreach my $key (keys %confighash) { + my $name = $confighash{$cgiparams{'$key'}}[1]; + if ($confighash{$key}[4] eq 'cert') { delete $confighash{$cgiparams{'$key'}}; } + + system ("/usr/local/bin/openvpnctrl -drrd $name"); } while ($file = glob("${General::swroot}/ovpn/ca/*")) { unlink $file; @@ -1196,11 +1225,6 @@ SETTINGS_ERROR: while ($file = glob("${General::swroot}/ovpn/ccd/*")) { unlink $file } -# Delete all RRD files for Roadwarrior connections - chdir('/var/ipfire/ovpn/ccd'); - while ($file = glob("*")) { - system ("/usr/local/bin/openvpnctrl -drrd $file"); - } while ($file = glob("${General::swroot}/ovpn/ccd/*")) { unlink $file } @@ -1216,6 +1240,9 @@ SETTINGS_ERROR: system ("rm -rf $file"); } + # Remove everything from the collectd configuration + &writecollectdconf(); + #&writeserverconf(); ### ### Reset all step 1 @@ -2041,7 +2068,8 @@ END &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ - system('/usr/local/bin/openvpnctrl', '-sn2n', $confighash{$cgiparams{'KEY'}}[1]); + system('/usr/local/bin/openvpnctrl', '-sn2n', $confighash{$cgiparams{'KEY'}}[1]); + &writecollectdconf(); } } else { @@ -2049,14 +2077,15 @@ END &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ - if ($n2nactive ne ''){ - system('/usr/local/bin/openvpnctrl', '-kn2n', $confighash{$cgiparams{'KEY'}}[1]); - } + if ($n2nactive ne '') { + system('/usr/local/bin/openvpnctrl', '-kn2n', $confighash{$cgiparams{'KEY'}}[1]); + &writecollectdconf(); + } } else { - $errormessage = $Lang::tr{'invalid key'}; + $errormessage = $Lang::tr{'invalid key'}; } - } + } } ### @@ -2108,7 +2137,7 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ print CLIENTCONF "# Server Gateway Network\n"; print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n"; print CLIENTCONF "# tun Device\n"; - print CLIENTCONF "dev $vpnsettings{'DDEVICE'}\n"; + print CLIENTCONF "dev tun\n"; print CLIENTCONF "# Port and Protokoll\n"; print CLIENTCONF "port $confighash{$cgiparams{'KEY'}}[29]\n"; @@ -2200,21 +2229,21 @@ else print CLIENTCONF "tls-client\r\n"; print CLIENTCONF "client\r\n"; print CLIENTCONF "nobind\r\n"; - print CLIENTCONF "dev $vpnsettings{'DDEVICE'}\r\n"; + print CLIENTCONF "dev tun\r\n"; print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n"; # Check if we are using fragment, mssfix or mtu-disc and set MTU to 1500 # or use configured value. if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' ) - { print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu 1500\r\n"; } + { print CLIENTCONF "tun-mtu 1500\r\n"; } elsif ($vpnsettings{MSSFIX} eq 'on') - { print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu 1500\r\n"; } + { print CLIENTCONF "tun-mtu 1500\r\n"; } elsif (($vpnsettings{'PMTU_DISCOVERY'} eq 'yes') || ($vpnsettings{'PMTU_DISCOVERY'} eq 'maybe') || ($vpnsettings{'PMTU_DISCOVERY'} eq 'no' )) - { print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu 1500\r\n"; } + { print CLIENTCONF "tun-mtu 1500\r\n"; } else - { print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu $vpnsettings{'DMTU'}\r\n"; } + { print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n"; } if ( $vpnsettings{'ENABLED'} eq 'on'){ print CLIENTCONF "remote $vpnsettings{'VPN_IP'} $vpnsettings{'DDEST_PORT'}\r\n"; @@ -2313,75 +2342,69 @@ else } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) { - &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); - &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - if ($confighash{$cgiparams{'KEY'}}) { -# if ($vpnsettings{'ENABLED'} eq 'on' || -# $vpnsettings{'ENABLED_BLUE'} eq 'on') { -# system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}); -# } -# - my $temp = `/usr/bin/openssl ca -revoke ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`; + if ($confighash{$cgiparams{'KEY'}}) { + my $temp = `/usr/bin/openssl ca -revoke ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`; ### # m.a.d net2net ### -if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { - my $conffile = glob("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]/$confighash{$cgiparams{'KEY'}}[1].conf"); - my $certfile = glob("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); - unlink ($certfile); - unlink ($conffile); + if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { + # Stop the N2N connection before it is removed + system("/usr/local/bin/openvpnctrl -kn2n $confighash{$cgiparams{'KEY'}}[1] &>/dev/null"); - if (-e "${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") { - rmdir ("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") || die "Kann Verzeichnis nicht loeschen: $!"; - } -} + my $conffile = glob("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]/$confighash{$cgiparams{'KEY'}}[1].conf"); + my $certfile = glob("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); + unlink ($certfile); + unlink ($conffile); + + if (-e "${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") { + rmdir ("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") || die "Kann Verzeichnis nicht loeschen: $!"; + } + } - unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); - unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); + unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); + unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); # A.Marx CCD delete ccd files and routes - - if (-f "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]") - { - unlink "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]"; - } - - &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash); - foreach my $key (keys %ccdroutehash) { - if ($ccdroutehash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){ - delete $ccdroutehash{$key}; + if (-f "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]") + { + unlink "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]"; } - } - &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash); - &General::readhasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash); - foreach my $key (keys %ccdroute2hash) { - if ($ccdroute2hash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){ - delete $ccdroute2hash{$key}; + &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash); + foreach my $key (keys %ccdroutehash) { + if ($ccdroutehash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){ + delete $ccdroutehash{$key}; + } } - } - &General::writehasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash); - &writeserverconf; - + &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash); -# CCD end + &General::readhasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash); + foreach my $key (keys %ccdroute2hash) { + if ($ccdroute2hash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){ + delete $ccdroute2hash{$key}; + } + } + &General::writehasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash); + &writeserverconf; -### -### Delete all RRD's for client -### - system ("/usr/local/bin/openvpnctrl -drrd $confighash{$cgiparams{'KEY'}}[1]"); - delete $confighash{$cgiparams{'KEY'}}; - my $temp2 = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`; - &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); +# CCD end + # Update collectd configuration and delete all RRD files of the removed connection + &writecollectdconf(); + system ("/usr/local/bin/openvpnctrl -drrd $confighash{$cgiparams{'KEY'}}[1]"); - #&writeserverconf(); - } else { - $errormessage = $Lang::tr{'invalid key'}; - } + delete $confighash{$cgiparams{'KEY'}}; + my $temp2 = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`; + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + + } else { + $errormessage = $Lang::tr{'invalid key'}; + } &General::firewall_reload(); ### @@ -3053,32 +3076,6 @@ END $errormessage = $Lang::tr{'invalid key'}; } -### -### Remove connection -### -} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) { - &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); - &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - - if ($confighash{$cgiparams{'KEY'}}) { -# if ($vpnsettings{'ENABLED'} eq 'on' || -# $vpnsettings{'ENABLED_BLUE'} eq 'on') { -# system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}); -# } - unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); - unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); - delete $confighash{$cgiparams{'KEY'}}; - &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - #&writeserverconf(); - } else { - $errormessage = $Lang::tr{'invalid key'}; - } -#test33 - -### -### Choose between adding a host-net or net-net connection -### - ### # m.a.d net2net ### @@ -4953,9 +4950,6 @@ END $checked{'ENABLED_ORANGE'}{'off'} = ''; $checked{'ENABLED_ORANGE'}{'on'} = ''; $checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = 'CHECKED'; - $selected{'DDEVICE'}{'tun'} = ''; - $selected{'DDEVICE'}{'tap'} = ''; - $selected{'DDEVICE'}{$cgiparams{'DDEVICE'}} = 'SELECTED'; $selected{'DPROTOCOL'}{'udp'} = ''; $selected{'DPROTOCOL'}{'tcp'} = ''; @@ -5047,10 +5041,6 @@ END print <$Lang::tr{'local vpn hostname/ip'}:
$Lang::tr{'ovpn subnet'}
- $Lang::tr{'ovpn device'} - @@ -5551,42 +5541,49 @@ END } print < + +

+
- - - - - - - - - +
$Lang::tr{'upload ca certificate'}
$Lang::tr{'ca name'}: -
+ + + - - - + + + + + - - - - + + + + +
$Lang::tr{'upload ca certificate'}
$Lang::tr{'ca name'}: +
$Lang::tr{'ovpn dh parameters'}
 
- - $Lang::tr{'ovpn dh upload'}: - - - - - - $Lang::tr{'ovpn dh new key'}: - - - - +
+ + + + + + + + + + + + + + + +
$Lang::tr{'ovpn dh parameters'}
$Lang::tr{'ovpn dh upload'}: +
$Lang::tr{'ovpn dh new key'}:
+ -
+
END ; diff --git a/html/cgi-bin/wlanap.cgi b/html/cgi-bin/wlanap.cgi index ec9022ddfa..844c395e2f 100644 --- a/html/cgi-bin/wlanap.cgi +++ b/html/cgi-bin/wlanap.cgi @@ -71,7 +71,7 @@ $wlanapsettings{'HW_MODE'} = 'g'; $wlanapsettings{'PWD'} = 'IPFire-2.x'; $wlanapsettings{'SYSLOGLEVEL'} = '0'; $wlanapsettings{'DEBUG'} = '4'; -$wlanapsettings{'DRIVER'} = 'MADWIFI'; +$wlanapsettings{'DRIVER'} = 'NL80211'; $wlanapsettings{'HTCAPS'} = ''; &General::readhash("/var/ipfire/wlanap/settings", \%wlanapsettings); @@ -265,7 +265,7 @@ if ( $wlanapsettings{'DRIVER'} eq 'NL80211' ){ my $wiphy = `iw dev $wlanapsettings{'INTERFACE'} info | grep wiphy | cut -d" " -f2`; chomp $wiphy; -@channellist_cmd = `iw phy phy$wiphy info | grep " MHz \\\[" | grep -v "(disabled)" | grep -v "no IBSS" | grep -v "passive scanning" 2>/dev/null`; +@channellist_cmd = `iw phy phy$wiphy info | grep " MHz \\\[" | grep -v "(disabled)" | grep -v "no IBSS" | grep -v "no IR" | grep -v "passive scanning" 2>/dev/null`; # get available channels my @temp; @@ -306,15 +306,6 @@ if ( $wlanapsettings{'DRIVER'} eq 'NL80211' ){ } # get available power -my @temp; -foreach (@txpower_cmd){ -$_ =~ /(\s)(\d+)(\s)dBm(\s)(.*)(\W)(\d+)(.*)/; -$txpower = $7;chomp $txpower; -if ( $txpower =~ /\d+/ ){push(@temp,$txpower."mW");} -} -my @txpower = @temp; -push(@txpower,"auto"); - $selected{'SYSLOGLEVEL'}{$wlanapsettings{'SYSLOGLEVEL'}} = "selected='selected'"; $selected{'DEBUG'}{$wlanapsettings{'DEBUG'}} = "selected='selected'"; @@ -437,20 +428,7 @@ END ; print <HT Caps:  -Tx Power:  -END -; - -if ( $wlanapsettings{'DRIVER'} eq 'MADWIFI' ){ - print ""; -} else { - print "" -} -print <Tx Power:  Loglevel (hostapd):