# Set TLSv2 as minimum
print CONF "tls-version-min 1.2\n";
- if ($sovpnsettings{'TLSAUTH'} eq 'on') {
- print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n";
- }
+ # TLS control channel authentication
+ if ($sovpnsettings{'TLSAUTH'} ne 'off') {
+ if ($sovpnsettings{'TLSAUTH'} eq 'on') {
+ print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n";
+ }
+ if ($sovpnsettings{'TLSAUTH'} eq 'tls-crypt') {
+ print CONF "tls-crypt ${General::swroot}/ovpn/certs/tc.key\n";
+ }
+ if ($sovpnsettings{'TLSAUTH'} eq 'tls-crypt-v2') {
+ print CONF "tls-crypt-v2 ${General::swroot}/ovpn/certs/tc-v2-server.key\n";
+ }
+ }
+
if ($sovpnsettings{DCOMPLZO} eq 'on') {
print CONF "comp-lzo\n";
}
&General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
$vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
+ $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
$vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
$vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'};
$vpnsettings{'NCHANNELCIPHERS'} = $cgiparams{'NCHANNELCIPHERS'};
}
+ # Create ta.key for tls-auth if not presant
+ if ($cgiparams{'TLSAUTH'} eq 'on') {
+ if ( ! -e "${General::swroot}/ovpn/certs/ta.key") {
+ system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key");
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ goto ADV_ENC_ERROR;
+ }
+ }
+ }
+
+ # Create tc.key for tls-crypt if not presant
+ if ($cgiparams{'TLSAUTH'} eq 'tls-crypt') {
+ if ( ! -e "${General::swroot}/ovpn/certs/tc.key") {
+ system('/usr/sbin/openvpn', '--genkey', 'tls-crypt', "${General::swroot}/ovpn/certs/tc.key");
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ goto ADV_ENC_ERROR;
+ }
+ }
+ }
+
+ # Create tc-v2-server.key for tls-crypt-v2 server if not presant
+ if ($cgiparams{'TLSAUTH'} eq 'tls-crypt-v2') {
+ if ( ! -e "${General::swroot}/ovpn/certs/tc-v2-server.key") {
+ system('/usr/sbin/openvpn', '--genkey', 'tls-crypt-v2-server', "${General::swroot}/ovpn/certs/tc-v2-server.key");
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ goto ADV_ENC_ERROR;
+ }
+ }
+ }
+
&General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
&writeserverconf();
}
goto SETTINGS_ERROR;
}
- # Create ta.key for tls-auth if not presant
- if ($cgiparams{'TLSAUTH'} eq 'on') {
- if ( ! -e "${General::swroot}/ovpn/certs/ta.key") {
- # This system call is safe, because all arguements are passed as an array.
- system("/usr/sbin/openvpn", "--genkey", "secret", "${General::swroot}/ovpn/certs/ta.key");
- if ($?) {
- $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
- goto SETTINGS_ERROR;
- }
- }
- }
-
$vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'};
$vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'};
$vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
$vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'};
$vpnsettings{'DMTU'} = $cgiparams{'DMTU'};
$vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
- $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
#wrtie enable
if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {
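Review bot: `$cgiparams{'TLSAUTH'}` is stored into the settings at L24 and dispatched on at L30-L60 without being checked against the four values the new select offers, so a POST carrying any other string is persisted, generates no key, and in writeserverconf passes the `ne 'off'` gate at L7 while matching none of the inner branches — the server config then carries no tls-auth/tls-crypt line although the setting does not read 'off'. A guard next to L24 such as `if ($cgiparams{'TLSAUTH'} !~ /\A(?:off|on|tls-crypt|tls-crypt-v2)\z/) { ... }` that sets `$errormessage` to a translated message and does `goto ADV_ENC_ERROR`, as the genkey failure branches at L33-L36 do, closes this; the outer `ne 'off'` wrapper at L7 can then go since the branches are exhaustive. The genkey call at L32 still uses the option form `'--genkey', '--secret'` while L43 and L54 use the `--genkey <type> <file>` form; one form for all three reads better. The comment `# This system call is safe, because all arguements are passed as an array.` from the removed block at L70 is worth carrying over to L32, and "presant" in the three new comments should read "present".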
### Download tls-auth key
###
}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-auth key'}) {
- if ( -f "${General::swroot}/ovpn/certs/ta.key" ) {
- print "Content-Type: application/octet-stream\r\n";
- print "Content-Disposition: filename=ta.key\r\n\r\n";
+ if ( -f "${General::swroot}/ovpn/certs/ta.key" ) {
+ print "Content-Type: application/octet-stream\r\n";
+ print "Content-Disposition: filename=ta.key\r\n\r\n";
- open(FILE, "${General::swroot}/ovpn/certs/ta.key");
- my @tmp = <FILE>;
- close(FILE);
+ open(FILE, "${General::swroot}/ovpn/certs/ta.key");
+ my @tmp = <FILE>;
+ close(FILE);
- print @tmp;
+ print @tmp;
- exit(0);
- }
+ exit(0);
+ }
+
+###
+### Download tls-crypt key
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-crypt key'}) {
+ if ( -f "${General::swroot}/ovpn/certs/tc.key" ) {
+ print "Content-Type: application/octet-stream\r\n";
+ print "Content-Disposition: filename=tc.key\r\n\r\n";
+
+ open(FILE, "${General::swroot}/ovpn/certs/tc.key");
+ my @tmp = <FILE>;
+ close(FILE);
+
+ print @tmp;
+
+
+ exit(0);
+ }
+
+###
+### Download tls-crypt-v2 key
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-crypt-v2 key'}) {
+ if ( -f "${General::swroot}/ovpn/certs/tc-v2-server.key" ) {
+ print "Content-Type: application/octet-stream\r\n";
+ print "Content-Disposition: filename=tc-v2-server.key\r\n\r\n";
+
+ open(FILE, "${General::swroot}/ovpn/certs/tc-v2-server.key");
+ my @tmp = <FILE>;
+ close(FILE);
+
+ print @tmp;
+
+
+ exit(0);
+ }
###
### Form for generating a root certificate
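Review bot: The three download handlers open the key file with an unchecked two-argument bareword `open(FILE, ...)` at L100, L118 and L136 after the `Content-Type`/`Content-Disposition` headers have already been sent, so a permission or I/O failure yields a zero-byte download instead of an error; the checked three-argument form, `open(my $fh, '<', "${General::swroot}/ovpn/certs/tc.key") or die "Can't open tc.key: $!";`, reports it. The handler at L131-L144 also serves the tls-crypt-v2 *server* key, which clients do not need — they receive individual client keys generated from it at L180 — so unless it is required for something not visible here (a backup or secondary server), offering it over the web UI widens exposure of the key every client key is derived from; consider dropping this handler and the matching display handler at L250, or documenting why the export is needed. The enclosing `if`/`elsif` chain starts and ends outside the hunk.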
print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
- if ($vpnsettings{'TLSAUTH'} eq 'on') {
- if ($cgiparams{'MODE'} eq 'insecure') {
- print CLIENTCONF ";";
- }
- print CLIENTCONF "tls-auth ta.key\r\n";
- $zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key") or die "Can't add file ta.key\n";
+ # Comment TLS-Auth directive if 'insecure' mode has been choosen
+ if ($vpnsettings{'TLSAUTH'} eq 'on') {
+ if ($cgiparams{'MODE'} eq 'insecure') {
+ print CLIENTCONF ";";
+ }
+ print CLIENTCONF "tls-auth ta.key\r\n";
+ $zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key") or die "Can't add file ta.key\n";
}
+
+ # Comment TLS-Crypt directive if 'insecure' mode has been choosen
+ if ($vpnsettings{'TLSAUTH'} eq 'tls-crypt') {
+ if ($cgiparams{'MODE'} eq 'insecure') {
+ print CLIENTCONF ";";
+ }
+ print CLIENTCONF "tls-crypt tc.key\r\n";
+ $zip->addFile( "${General::swroot}/ovpn/certs/tc.key", "tc.key") or die "Can't add file tc.key\n";
+ }
+
+ # Comment TLS-Crypt-v2 directive if 'insecure' mode has been choosen and generate individual key
+ if ($vpnsettings{'TLSAUTH'} eq 'tls-crypt-v2') {
+ if ($cgiparams{'MODE'} eq 'insecure') {
+ print CLIENTCONF ";";
+ }
+ print CLIENTCONF "tls-crypt-v2 tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key\r\n";
+ # Generate individual tls-crypt-v2 client key
+ my $cryptfile = "$tempdir/tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key";
+ system('/usr/sbin/openvpn', '--tls-crypt-v2', "${General::swroot}/ovpn/certs/tc-v2-server.key", '--genkey', 'tls-crypt-v2-client', "$cryptfile");
+ # Add individual tls-crypt-v2 client key to client package
+ $zip->addFile( "$cryptfile", "tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key") or die "Can't add file tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key\n";
+ }
+
if ($vpnsettings{DCOMPLZO} eq 'on') {
print CLIENTCONF "comp-lzo\r\n";
}
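Review bot: The exit status of the `openvpn --genkey tls-crypt-v2-client` call at L180 is not inspected, unlike the save-time genkey calls at L33/L44/L55 which test `$?`; if the server key is missing or openvpn fails, the only symptom is the generic `Can't add file` die from `$zip->addFile` at L182 — or, if a file of that name already exists in `$tempdir`, a package that silently bundles the old key. A one-line check after L180, `die "Can't generate tls-crypt-v2 client key: $?" if $?;`, makes the failure explicit; the same applies to the duplicated call at L194. Nothing in the hunk removes `$cryptfile` afterwards, so unless `$tempdir` is cleaned up elsewhere a fresh client key is left on disk per download. The enclosing block starts and ends outside the hunk.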
print CLIENTCONF "</key>\r\n\r\n";
close(FILE);
- # TLS auth
+ # Create individual tls-crypt-v2 client key and print it to client.conf if 'insecure' has been selected
+ if ($vpnsettings{'TLSAUTH'} eq 'tls-crypt-v2') {
+ my $cryptfile = "$tempdir/tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key";
+ system('/usr/sbin/openvpn', '--tls-crypt-v2', "${General::swroot}/ovpn/certs/tc-v2-server.key", '--genkey', 'tls-crypt-v2-client', "$cryptfile");
+ open(FILE, "<$cryptfile");
+ print CLIENTCONF "<tls-crypt-v2>\r\n";
+ while (<FILE>) {
+ chomp($_);
+ print CLIENTCONF "$_\r\n";
+ }
+ print CLIENTCONF "</tls-crypt-v2>\r\n\r\n";
+ close(FILE);
+ }
+
+ # Print TLS-Crypt key to client.ovpn if 'insecure' has been selected
+ if ($vpnsettings{'TLSAUTH'} eq 'tls-crypt') {
+ open(FILE, "<${General::swroot}/ovpn/certs/tc.key");
+ print CLIENTCONF "<tls-crypt>\r\n";
+ while (<FILE>) {
+ chomp($_);
+ print CLIENTCONF "$_\r\n";
+ }
+ print CLIENTCONF "</tls-crypt>\r\n\r\n";
+ close(FILE);
+ }
+
+ # Print TLS-Auth key to client.ovpn if 'insecure' has been selected
if ($vpnsettings{'TLSAUTH'} eq 'on') {
open(FILE, "<${General::swroot}/ovpn/certs/ta.key");
print CLIENTCONF "<tls-auth>\r\n";
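Review bot: The key files are opened with unchecked bareword `open(FILE, "<$cryptfile")` at L195 and L207; if the open fails the `while (<FILE>)` loop reads nothing and the profile is written with an empty `<tls-crypt-v2>` or `<tls-crypt>` block, a broken config handed to the user with no error. Prefer the checked form, `open(FILE, '<', $cryptfile) or die "Can't open $cryptfile: $!";`, matching the die style used for `$zip->addFile` elsewhere in this commit. The comments at L191 and L205 say the block runs when 'insecure' has been selected, but the visible condition only tests `$vpnsettings{'TLSAUTH'}`; if the insecure check is in an enclosing block outside the hunk the comment is fine, otherwise it misdescribes the code. The enclosing block starts and ends outside the hunk.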
&Header::closepage();
exit(0);
}
+
+###
+### Display tls-crypt key
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show tls-crypt key'}) {
+
+ if (! -e "${General::swroot}/ovpn/certs/tc.key") {
+ $errormessage = $Lang::tr{'not present'};
+ } else {
+ &Header::showhttpheaders();
+ &Header::openpage($Lang::tr{'ovpn'}, 1, '');
+ &Header::openbigbox('100%', 'LEFT', '', '');
+ &Header::openbox('100%', 'LEFT', "$Lang::tr{'tc key'}");
+ my $output = `/bin/cat ${General::swroot}/ovpn/certs/tc.key`;
+ $output = &Header::cleanhtml($output,"y");
+ print "<pre>$output</pre>\n";
+ &Header::closebox();
+ print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
+ &Header::closebigbox();
+ &Header::closepage();
+ exit(0);
+ }
+
+###
+### Display tls-crypt-v2 server key
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show tls-crypt-v2 key'}) {
+
+ if (! -e "${General::swroot}/ovpn/certs/tc-v2-server.key") {
+ $errormessage = $Lang::tr{'not present'};
+ } else {
+ &Header::showhttpheaders();
+ &Header::openpage($Lang::tr{'ovpn'}, 1, '');
+ &Header::openbigbox('100%', 'LEFT', '', '');
+ &Header::openbox('100%', 'LEFT', "$Lang::tr{'tc v2 key'}");
+ my $output = `/bin/cat ${General::swroot}/ovpn/certs/tc-v2-server.key`;
+ $output = &Header::cleanhtml($output,"y");
+ print "<pre>$output</pre>\n";
+ &Header::closebox();
+ print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
+ &Header::closebigbox();
+ &Header::closepage();
+ exit(0);
+ }
###
### Display Certificate Revoke List
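Review bot: The new display handlers read the key through a shell backtick `/bin/cat` at L237 and L259 (and again at L408 and L429 in the chart), whereas the file otherwise uses the list-form `&General::system_output(...)` (L395) or `open`/`<FILE>`; the path is fixed, so this is a consistency point rather than an injection risk, but `my $output = join('', &General::system_output('/bin/cat', "${General::swroot}/ovpn/certs/tc.key"));` keeps the file's one convention (L395 assigns the result to an array, so the `join` appears necessary — confirm against General.pm). The two handlers differ only in file path and box title, so a small helper taking those two values would remove fourteen duplicated lines. The enclosing `elsif` chain starts and ends outside the hunk.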
if ($cgiparams{'LOG_VERB'} eq '') {
$cgiparams{'LOG_VERB'} = '3';
}
- if ($cgiparams{'TLSAUTH'} eq '') {
- $cgiparams{'TLSAUTH'} = 'off';
- }
$checked{'CLIENT2CLIENT'}{'off'} = '';
$checked{'CLIENT2CLIENT'}{'on'} = '';
$checked{'CLIENT2CLIENT'}{$cgiparams{'CLIENT2CLIENT'}} = 'CHECKED';
}
$confighash{$key}[39] = $cgiparams{'DAUTH'};
$confighash{$key}[40] = $cgiparams{'DCIPHER'};
+ $confighash{$key}[41] = $cgiparams{'TLSAUTH'};
$confighash{$key}[42] = $cgiparams{'DATACIPHERS'};
$confighash{$key}[43] = $cgiparams{'CHANNELCIPHERS'};
$confighash{$key}[44] = $cgiparams{'NCHANNELCIPHERS'};
@temp = split('\|', $cgiparams{'DAUTH'});
foreach my $key (@temp) {$checked{'DAUTH'}{$key} = "selected='selected'"; }
+ # Set default for TLS control authentication
+ if ($cgiparams{'TLSAUTH'} eq '') {
+ $cgiparams{'TLSAUTH'} = 'tls-crypt'; #[41]
+ }
+ $checked{'TLSAUTH'}{'on'} = '';
+ $checked{'TLSAUTH'}{'off'} = '';
+ $checked{'TLSAUTH'}{'tls-crypt'} = '';
+ $checked{'TLSAUTH'}{'tls-crypt-v2'} = '';
+ @temp = split('\|', $cgiparams{'TLSAUTH'});
+ foreach my $key (@temp) {$checked{'TLSAUTH'}{$key} = "selected='selected'"; }
+
# Set default for data-cipher-fallback (the old --cipher directive)
if ($cgiparams{'DCIPHER'} eq '') {
$cgiparams{'DCIPHER'} = 'AES-256-CBC'; #[40]
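Review bot: The `split('\|', ...)` / `foreach` at L296-L297 is copied from the multi-select DAUTH handling above, but the TLSAUTH `<select>` added in this commit has no `multiple` attribute, so the value is always a single token and `$checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = "selected='selected'";` is enough. The default applied at L289-L291 also only affects what the page shows: a settings file whose TLSAUTH was never saved from this page keeps its empty value (L312 copies it in unchanged), writeserverconf then emits no tls-auth/tls-crypt line because none of the branches at L8-L16 match, yet the form displays TLS-Crypt as selected — worth a comment here, or treating the empty value as 'off' in both places so the display matches the running config.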
if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
$confighash{$cgiparams{'KEY'}}[39] = $cgiparams{'DAUTH'};
$confighash{$cgiparams{'KEY'}}[40] = $cgiparams{'DCIPHER'};
+ $confighash{$cgiparams{'KEY'}}[41] = $cgiparams{'TLSAUTH'};
$confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'DATACIPHERS'};
$confighash{$cgiparams{'KEY'}}[43] = $cgiparams{'CHANNELCIPHERS'};
$confighash{$cgiparams{'KEY'}}[44] = $cgiparams{'NCHANNELCIPHERS'};
} else {
$cgiparams{'DAUTH'} = $vpnsettings{'DAUTH'};
$cgiparams{'DCIPHER'} = $vpnsettings{'DCIPHER'};
+ $cgiparams{'TLSAUTH'} = $vpnsettings{'TLSAUTH'};
$cgiparams{'DATACIPHERS'} = $vpnsettings{'DATACIPHERS'};
$cgiparams{'CHANNELCIPHERS'} = $vpnsettings{'CHANNELCIPHERS'};
$cgiparams{'NCHANNELCIPHERS'} = $vpnsettings{'NCHANNELCIPHERS'};
<tr>
<th width="15%"></th>
<th>$Lang::tr{'ovpn ha'}</th>
+ <th>$Lang::tr{'ovpn tls auth'}</th>
</tr>
</thead>
<tbody>
<option value='whirlpool' $checked{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
<option value='SHA1' $checked{'DAUTH'}{'SHA1'}>SHA1 160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'}</option>
</select>
+
+ <td class='boldbase'>
+ <select name='TLSAUTH' size='6' style='width: 100%' style="margin-right:-17px" size="11">
+ <option value='tls-crypt-v2' $checked{'TLSAUTH'}{'tls-crypt-v2'}>TLS-Crypt-v2</option>
+ <option value='tls-crypt' $checked{'TLSAUTH'}{'tls-crypt'}>TLS-Crypt</option>
+ <option value='on' $checked{'TLSAUTH'}{'on'}>TLS-Auth</option>
+ <option value='off' $checked{'TLSAUTH'}{'off'}>Off</option>
+ </select>
</td>
</tr>
</tbody>
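Review bot: The `<select>` at L328 carries `size` twice (`size='6'` and `size="11"`) and `style` twice; HTML parsers keep the first occurrence of a duplicated attribute, so `size="11"` and the `margin-right` rule are silently dropped. Collapse them to `<select name='TLSAUTH' size='6' style='width: 100%; margin-right:-17px'>`, or whichever size is intended.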
$cgiparams{'CCD_WINS'} = $confighash{$cgiparams{'KEY'}}[37];
$cgiparams{'DAUTH'} = $confighash{$cgiparams{'KEY'}}[39];
$cgiparams{'DCIPHER'} = $confighash{$cgiparams{'KEY'}}[40];
- $cgiparams{'TLSAUTH'} = $confighash{$cgiparams{'KEY'}}[41];
$cgiparams{'OTP_STATE'} = $confighash{$cgiparams{'KEY'}}[43];
# Index from [39] to [44] has been reserved by advanced encryption
$cgiparams{'CLIENTVERSION'} = $confighash{$cgiparams{'KEY'}}[45];
$checked{'MSSFIX'}{'on'} = '';
$checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
- $checked{'TLSAUTH'}{'off'} = '';
- $checked{'TLSAUTH'}{'on'} = '';
- $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED';
-
if (1) {
&Header::showhttpheaders();
&Header::openpage($Lang::tr{'ovpn'}, 1, '');
if ($cgiparams{'MSSFIX'} eq '') {
$cgiparams{'MSSFIX'} = 'off';
}
- if ($cgiparams{'TLSAUTH'} eq '') {
- $cgiparams{'TLSAUTH'} = 'off';
- }
if ($cgiparams{'DOVPN_SUBNET'} eq '') {
$cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0';
}
$selected{'DPROTOCOL'}{'tcp'} = '';
$selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
- $checked{'TLSAUTH'}{'off'} = '';
- $checked{'TLSAUTH'}{'on'} = '';
- $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED';
-
$checked{'DCOMPLZO'}{'off'} = '';
$checked{'DCOMPLZO'}{'on'} = '';
$checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED';
<td> <input type='TEXT' name='DMTU' VALUE='$cgiparams{'DMTU'}' size='5' /></td>
</tr>
- <tr><td colspan='4'><br></td></tr>
- <tr>
- <td class='base'><b>$Lang::tr{'ovpn crypt options'}:</b></td>
- </tr>
- <tr><td colspan='1'><br></td></tr>
-
- <tr>
- <td class='base'>$Lang::tr{'ovpn tls auth'}</td>
- <td><input type='checkbox' name='TLSAUTH' $checked{'TLSAUTH'}{'on'} /></td>
- </tr>
-
<tr><td colspan='4'><br><br></td></tr>
END
;
my $col3="bgcolor='$color{'color22'}'";
# ta.key line
my $col4="bgcolor='$color{'color20'}'";
+ # tc-v2.key line
+ my $col5="bgcolor='$color{'color22'}'";
+ # tc.key
+ my $col6="bgcolor='$color{'color20'}'";
if (-f "${General::swroot}/ovpn/ca/cacert.pem") {
my @casubject = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/cacert.pem");
# Nothing
print <<END;
<tr>
- <td width='25%' class='base' $col4>$Lang::tr{'ta key'}:</td>
+ <td width='25%' class='base' $col4>$Lang::tr{'ta key'}</td>
<td class='base' $col4>$Lang::tr{'not present'}</td>
<td colspan='3' $col4> </td>
</tr>
;
}
+ # Adding tc-v2.key to chart
+ if (-f "${General::swroot}/ovpn/certs/tc-v2-server.key") {
+ my $tcvsubject = `/bin/cat ${General::swroot}/ovpn/certs/tc-v2-server.key`;
+ $tcvsubject =~ /-----BEGIN (.*)-----[\n]/;
+ $tcvsubject = $1;
+ print <<END;
+
+ <tr>
+ <td class='base' $col5>$Lang::tr{'tc v2 key'}</td>
+ <td class='base' $col5>$tcvsubject</td>
+ <form method='post' name='frmtcv2key'><td width='3%' align='center' $col5>
+ <input type='hidden' name='ACTION' value='$Lang::tr{'show tls-crypt-v2 key'}' />
+ <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show tls-crypt-v2 key'}' title='$Lang::tr{'show tls-crypt-v2 key key'}' width='20' height='20' border='0' />
+ </form>
+ <form method='post' name='frmtckey'><td width='3%' align='center' $col5>
+ <td width='4%' $col5> </td>
+ </tr>
+END
+;
+ }
+
+ # Adding tc.key to chart
+ if (-f "${General::swroot}/ovpn/certs/tc.key") {
+ my $tcsubject = `/bin/cat ${General::swroot}/ovpn/certs/tc.key`;
+ $tcsubject =~ /# (.*)[\n]/;
+ $tcsubject = $1;
+ print <<END;
+
+ <tr>
+ <td class='base' $col6>$Lang::tr{'tc key'}</td>
+ <td class='base' $col6>$tcsubject</td>
+ <form method='post' name='frmtckey'><td width='3%' align='center' $col6>
+ <input type='hidden' name='ACTION' value='$Lang::tr{'show tls-crypt key'}' />
+ <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show tls-crypt key'}' title='$Lang::tr{'show tls-crypt key'}' width='20' height='20' border='0' />
+ </form>
+ <form method='post' name='frmtckey'><td width='3%' align='center' $col6>
+ <input type='image' name='$Lang::tr{'download tls-crypt key'}' src='/images/media-floppy.png' alt='$Lang::tr{'download tls-crypt key'}' title='$Lang::tr{'download tls-crypt key'}' border='0' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'download tls-crypt key'}' />
+ </form>
+ <td width='4%' $col6> </td>
+ </tr>
+END
+;
+ }
+
if (! -f "${General::swroot}/ovpn/ca/cacert.pem") {
print "<tr><td colspan='5' align='center'><form method='post'>";
print "<input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' />";
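Review bot: The tls-crypt-v2 row at L418 looks up the title with `$Lang::tr{'show tls-crypt-v2 key key'}` while the alt text on the same line uses `$Lang::tr{'show tls-crypt-v2 key'}`; the doubled "key" is almost certainly a typo that renders an empty tooltip, so change it to `title='$Lang::tr{'show tls-crypt-v2 key'}'`. L420 opens a `<form method='post' name='frmtckey'><td ...>` with no content and no closing `</form>`, a leftover from copying the tc.key row, and should be removed; L437 and L441 also give two forms in the same row the name `frmtckey`. The subject extraction at L409-L410 and L430-L431 assigns `$1` without testing that the match succeeded, so when the expected header line is absent `$1` is undef or whatever an earlier regex captured; `($tcvsubject) = $tcvsubject =~ /-----BEGIN (.*)-----[\n]/;` yields undef cleanly instead. The value is then interpolated into the page at L415 and L436 without the `&Header::cleanhtml` pass used at L238; the file is admin-controlled so the risk is low, but escaping it keeps the output handling consistent.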