]> git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blame - html/cgi-bin/ovpnmain.cgi
projects / people / pmueller / ipfire-2.x.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Core Update 172: Ship wirelessctrl
[people/pmueller/ipfire-2.x.git] / html / cgi-bin / ovpnmain.cgi
CommitLineData
6e13d0a5 1#!/usr/bin/perl
70df8302
MT		 2###############################################################################
3# #
4# IPFire.org - A linux based firewall #
49abe7af 5# Copyright (C) 2007-2014 IPFire Team <info@ipfire.org> #
70df8302
MT		 6# #
7# This program is free software: you can redistribute it and/or modify #
8# it under the terms of the GNU General Public License as published by #
9# the Free Software Foundation, either version 3 of the License, or #
10# (at your option) any later version. #
11# #
12# This program is distributed in the hope that it will be useful, #
13# but WITHOUT ANY WARRANTY; without even the implied warranty of #
14# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15# GNU General Public License for more details. #
16# #
17# You should have received a copy of the GNU General Public License #
18# along with this program. If not, see <http://www.gnu.org/licenses/>. #
19# #
20###############################################################################
54fd0535 21###
f527e53f 22# Based on IPFireCore 77
54fd0535 23###
6e13d0a5
MT		 24use CGI;
25use CGI qw/:standard/;
c63a54f0
MT		 26use Imager::QRCode;
27use MIME::Base32;
28use MIME::Base64;
3740b7ad 29use URI::Encode qw(uri_encode uri_decode);;
6e13d0a5 30use Net::DNS;
ce9abb66 31use Net::Ping;
54fd0535 32use Net::Telnet;
6e13d0a5
MT		 33use File::Copy;
34use File::Temp qw/ tempfile tempdir /;
35use strict;
36use Archive::Zip qw(:ERROR_CODES :CONSTANTS);
eff2dbf8 37use Sort::Naturally;
6e13d0a5 38require '/var/ipfire/general-functions.pl';
6e13d0a5
MT		 39require "${General::swroot}/lang.pl";
40require "${General::swroot}/header.pl";
41require "${General::swroot}/countries.pl";
e2e270e1 42require "${General::swroot}/location-functions.pl";
6e13d0a5
MT		 43
44# enable only the following on debugging purpose
2050be20
MT		 45#use warnings;
46#use CGI::Carp 'fatalsToBrowser';
47
6e13d0a5 48#workaround to suppress a warning when a variable is used only once
8c877a82 49my @dummy = ( ${Header::colourgreen}, ${Header::colourblue} );
6e13d0a5
MT		 50undef (@dummy);
51
f2fdd0c1
CS		 52my %color = ();
53my %mainsettings = ();
54&General::readhash("${General::swroot}/main/settings", \%mainsettings);
8186b372 55&General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color);
6e13d0a5
MT		 56
57###
58### Initialize variables
59###
e81be1e1
AM		 60my %ccdconfhash=();
61my %ccdroutehash=();
62my %ccdroute2hash=();
6e13d0a5
MT		 63my %netsettings=();
64my %cgiparams=();
65my %vpnsettings=();
66my %checked=();
67my %confighash=();
68my %cahash=();
69my %selected=();
70my $warnmessage = '';
71my $errormessage = '';
400c8afd
EK		 72my $cryptoerror = '';
73my $cryptowarning = '';
6e13d0a5 74my %settings=();
54fd0535 75my $routes_push_file = '';
df9b48b7
AM		 76my $confighost="${General::swroot}/fwhosts/customhosts";
77my $configgrp="${General::swroot}/fwhosts/customgroups";
78my $customnet="${General::swroot}/fwhosts/customnetworks";
79my $name;
99bfa85c 80my $col="";
ffbe77c8
EK		 81my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local";
82my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local";
83
6e13d0a5
MT		 84&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
85$cgiparams{'ENABLED'} = 'off';
86$cgiparams{'ENABLED_BLUE'} = 'off';
87$cgiparams{'ENABLED_ORANGE'} = 'off';
88$cgiparams{'EDIT_ADVANCED'} = 'off';
89$cgiparams{'NAT'} = 'off';
90$cgiparams{'COMPRESSION'} = 'off';
91$cgiparams{'ONLY_PROPOSED'} = 'off';
92$cgiparams{'ACTION'} = '';
93$cgiparams{'CA_NAME'} = '';
4c962356
EK		 94$cgiparams{'DH_NAME'} = 'dh1024.pem';
95$cgiparams{'DHLENGHT'} = '';
6e13d0a5
MT		 96$cgiparams{'DHCP_DOMAIN'} = '';
97$cgiparams{'DHCP_DNS'} = '';
98$cgiparams{'DHCP_WINS'} = '';
54fd0535 99$cgiparams{'ROUTES_PUSH'} = '';
6e13d0a5 100$cgiparams{'DCOMPLZO'} = 'off';
a79fa1d6 101$cgiparams{'MSSFIX'} = '';
8c877a82 102$cgiparams{'number'} = '';
4c962356 103$cgiparams{'DCIPHER'} = '';
49abe7af
EK		 104$cgiparams{'DAUTH'} = '';
105$cgiparams{'TLSAUTH'} = '';
54fd0535 106$routes_push_file = "${General::swroot}/ovpn/routes_push";
400c8afd
EK		 107# Perform crypto and configration test
108&pkiconfigcheck;
ffbe77c8
EK		 109
110# Add CCD files if not already presant
111unless (-e $routes_push_file) {
112 open(RPF, ">$routes_push_file");
113 close(RPF);
114}
115unless (-e "${General::swroot}/ovpn/ccd.conf") {
116 open(CCDC, ">${General::swroot}/ovpn/ccd.conf");
117 close (CCDC);
118}
119unless (-e "${General::swroot}/ovpn/ccdroute") {
120 open(CCDR, ">${General::swroot}/ovpn/ccdroute");
121 close (CCDR);
122}
123unless (-e "${General::swroot}/ovpn/ccdroute2") {
124 open(CCDRT, ">${General::swroot}/ovpn/ccdroute2");
125 close (CCDRT);
126}
127# Add additional configs if not already presant
128unless (-e "$local_serverconf") {
129 open(LSC, ">$local_serverconf");
130 close (LSC);
131}
132unless (-e "$local_clientconf") {
133 open(LCC, ">$local_clientconf");
134 close (LCC);
135}
ce9abb66 136
6e13d0a5
MT		 137&Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
138
139# prepare openvpn config file
140###
141### Useful functions
142###
c6c9630e
MT		 143sub haveOrangeNet
144{
13211b21
CS		 145 if ($netsettings{'CONFIG_TYPE'} == 2) {return 1;}
146 if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;}
c6c9630e
MT		 147 return 0;
148}
149
150sub haveBlueNet
151{
13211b21 152 if ($netsettings{'CONFIG_TYPE'} == 3) {return 1;}
c6c9630e 153 if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;}
c6c9630e
MT		 154 return 0;
155}
156
157sub sizeformat{
158 my $bytesize = shift;
159 my $i = 0;
160
161 while(abs($bytesize) >= 1024){
162 $bytesize=$bytesize/1024;
163 $i++;
164 last if($i==6);
165 }
166
167 my @units = ("Bytes","KB","MB","GB","TB","PB","EB");
168 my $newsize=(int($bytesize*100 +0.5))/100;
169 return("$newsize $units[$i]");
170}
171
c6c9630e
MT		 172sub cleanssldatabase
173{
174 if (open(FILE, ">${General::swroot}/ovpn/certs/serial")) {
175 print FILE "01";
176 close FILE;
177 }
178 if (open(FILE, ">${General::swroot}/ovpn/certs/index.txt")) {
179 print FILE "";
180 close FILE;
181 }
e6f7f8e7
EK		 182 if (open(FILE, ">${General::swroot}/ovpn/certs/index.txt.attr")) {
183 print FILE "";
184 close FILE;
185 }
c6c9630e 186 unlink ("${General::swroot}/ovpn/certs/index.txt.old");
e6f7f8e7 187 unlink ("${General::swroot}/ovpn/certs/index.txt.attr.old");
c6c9630e
MT		 188 unlink ("${General::swroot}/ovpn/certs/serial.old");
189 unlink ("${General::swroot}/ovpn/certs/01.pem");
190}
191
192sub newcleanssldatabase
193{
194 if (! -s "${General::swroot}/ovpn/certs/serial" ) {
195 open(FILE, ">${General::swroot}(ovpn/certs/serial");
196 print FILE "01";
197 close FILE;
198 }
199 if (! -s ">${General::swroot}/ovpn/certs/index.txt") {
2feacd98 200 &General::system("touch", "${General::swroot}/ovpn/certs/index.txt");
c6c9630e 201 }
e6f7f8e7 202 if (! -s ">${General::swroot}/ovpn/certs/index.txt.attr") {
2feacd98 203 &General::system("touch", "${General::swroot}/ovpn/certs/index.txt.attr");
e6f7f8e7 204 }
c6c9630e 205 unlink ("${General::swroot}/ovpn/certs/index.txt.old");
e6f7f8e7 206 unlink ("${General::swroot}/ovpn/certs/index.txt.attr.old");
c6c9630e
MT		 207 unlink ("${General::swroot}/ovpn/certs/serial.old");
208}
209
210sub deletebackupcert
211{
212 if (open(FILE, "${General::swroot}/ovpn/certs/serial.old")) {
213 my $hexvalue = <FILE>;
214 chomp $hexvalue;
215 close FILE;
216 unlink ("${General::swroot}/ovpn/certs/$hexvalue.pem");
217 }
218}
4c962356 219
400c8afd
EK		 220###
221### Check for PKI and configure problems
222###
223
224sub pkiconfigcheck
225{
226 # Warning if DH parameter is 1024 bit
227 if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
2feacd98 228 my @dhparameter = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}");
f5604080 229 my $dhbit;
2feacd98 230
f5604080 231 # Loop through the output and search for the DH bit lenght.
2feacd98 232 foreach my $line (@dhparameter) {
f5604080
SS		 233 if ($line =~ (/(\d+)/)) {
234 # Assign match to dhbit value.
235 $dhbit = $1;
236
237 last;
2feacd98 238 }
400c8afd 239 }
f5604080
SS		 240
241 # Check if the used key lenght is at least 2048 bit.
242 if ($dhbit < 2048) {
243 $cryptoerror = "$Lang::tr{'ovpn error dh'}";
244 goto CRYPTO_ERROR;
245 }
400c8afd
EK		 246 }
247
248 # Warning if md5 is in usage
249 if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
2feacd98
SS		 250 my @signature = &General::system_output("/usr/bin/openssl", "x509", "-noout", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
251 if (grep(/md5WithRSAEncryption/, @signature) ) {
400c8afd
EK		 252 $cryptoerror = "$Lang::tr{'ovpn error md5'}";
253 goto CRYPTO_ERROR;
254 }
255 }
256
257 CRYPTO_ERROR:
258
259 # Warning if certificate is not compliant to RFC3280 TLS rules
260 if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
2feacd98
SS		 261 my @extendkeyusage = &General::system_output("/usr/bin/openssl", "x509", "-noout", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
262 if ( ! grep(/TLS Web Server Authentication/, @extendkeyusage)) {
400c8afd
EK		 263 $cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}";
264 goto CRYPTO_WARNING;
265 }
266 }
267
268 CRYPTO_WARNING:
269}
270
c6c9630e 271sub writeserverconf {
66c36198
PM		 272 my %sovpnsettings = ();
273 my @temp = ();
c6c9630e 274 &General::readhash("${General::swroot}/ovpn/settings", \%sovpnsettings);
54fd0535 275 &read_routepushfile;
66c36198 276
c6c9630e
MT		 277 open(CONF, ">${General::swroot}/ovpn/server.conf") or die "Unable to open ${General::swroot}/ovpn/server.conf: $!";
278 flock CONF, 2;
279 print CONF "#OpenVPN Server conf\n";
280 print CONF "\n";
281 print CONF "daemon openvpnserver\n";
282 print CONF "writepid /var/run/openvpn.pid\n";
afabe9f7 283 print CONF "#DAN prepare OpenVPN for listening on blue and orange\n";
c6c9630e 284 print CONF ";local $sovpnsettings{'VPN_IP'}\n";
79e7688b 285 print CONF "dev tun\n";
c6c9630e
MT		 286 print CONF "proto $sovpnsettings{'DPROTOCOL'}\n";
287 print CONF "port $sovpnsettings{'DDEST_PORT'}\n";
a4fd2325 288 print CONF "script-security 3\n";
07675dc3 289 print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\n";
6140e7e0 290 print CONF "client-config-dir /var/ipfire/ovpn/ccd\n";
c6c9630e 291 print CONF "tls-server\n";
4c962356
EK		 292 print CONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n";
293 print CONF "cert ${General::swroot}/ovpn/certs/servercert.pem\n";
294 print CONF "key ${General::swroot}/ovpn/certs/serverkey.pem\n";
49abe7af 295 print CONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n";
c6c9630e
MT		 296 my @tempovpnsubnet = split("\/",$sovpnsettings{'DOVPN_SUBNET'});
297 print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n";
8c877a82 298 #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n";
4c962356 299
d6989b4b 300 print CONF "tun-mtu $sovpnsettings{'DMTU'}\n";
2ee746be 301
54fd0535 302 if ($vpnsettings{'ROUTES_PUSH'} ne '') {
8c877a82
AM		 303 @temp = split(/\n/,$vpnsettings{'ROUTES_PUSH'});
304 foreach (@temp)
305 {
306 @tempovpnsubnet = split("\/",&General::ipcidr2msk($_));
307 print CONF "push \"route " . $tempovpnsubnet[0]. " " . $tempovpnsubnet[1] . "\"\n";
308 }
54fd0535 309 }
8c877a82
AM		 310# a.marx ccd
311 my %ccdconfhash=();
312 &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
313 foreach my $key (keys %ccdconfhash) {
314 my $a=$ccdconfhash{$key}[1];
315 my ($b,$c) = split (/\//, $a);
316 print CONF "route $b ".&General::cidrtosub($c)."\n";
317 }
318 my %ccdroutehash=();
319 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
320 foreach my $key (keys %ccdroutehash) {
321 foreach my $i ( 1 .. $#{$ccdroutehash{$key}}){
322 my ($a,$b)=split (/\//,$ccdroutehash{$key}[$i]);
323 print CONF "route $a $b\n";
324 }
325 }
326# ccd end
54fd0535 327
8c877a82 328 if ($sovpnsettings{CLIENT2CLIENT} eq 'on') {
c6c9630e
MT		 329 print CONF "client-to-client\n";
330 }
1de5c945 331 if ($sovpnsettings{MSSFIX} eq 'on') {
4c962356 332 print CONF "mssfix\n";
d6989b4b
MT		 333 } else {
334 print CONF "mssfix 0\n";
1de5c945
EK		 335 }
336 if ($sovpnsettings{FRAGMENT} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp') {
4c962356 337 print CONF "fragment $sovpnsettings{'FRAGMENT'}\n";
a79fa1d6 338 }
2ee746be 339
66c36198 340 if ($sovpnsettings{KEEPALIVE_1} > 0 && $sovpnsettings{KEEPALIVE_2} > 0) {
c6c9630e 341 print CONF "keepalive $sovpnsettings{'KEEPALIVE_1'} $sovpnsettings{'KEEPALIVE_2'}\n";
66c36198 342 }
c6c9630e 343 print CONF "status-version 1\n";
87fe47e9 344 print CONF "status /var/run/ovpnserver.log 30\n";
a4fd2325 345 print CONF "ncp-disable\n";
c6c9630e 346 print CONF "cipher $sovpnsettings{DCIPHER}\n";
49abe7af 347 print CONF "auth $sovpnsettings{'DAUTH'}\n";
942446b5
EK		 348 # Set TLSv2 as minimum
349 print CONF "tls-version-min 1.2\n";
86308adb 350
49abe7af 351 if ($sovpnsettings{'TLSAUTH'} eq 'on') {
4be45949 352 print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n";
49abe7af 353 }
c6c9630e
MT		 354 if ($sovpnsettings{DCOMPLZO} eq 'on') {
355 print CONF "comp-lzo\n";
356 }
357 if ($sovpnsettings{REDIRECT_GW_DEF1} eq 'on') {
358 print CONF "push \"redirect-gateway def1\"\n";
359 }
360 if ($sovpnsettings{DHCP_DOMAIN} ne '') {
361 print CONF "push \"dhcp-option DOMAIN $sovpnsettings{DHCP_DOMAIN}\"\n";
362 }
363
364 if ($sovpnsettings{DHCP_DNS} ne '') {
365 print CONF "push \"dhcp-option DNS $sovpnsettings{DHCP_DNS}\"\n";
366 }
367
368 if ($sovpnsettings{DHCP_WINS} ne '') {
369 print CONF "push \"dhcp-option WINS $sovpnsettings{DHCP_WINS}\"\n";
370 }
66c36198 371
fa527476 372 if ($sovpnsettings{MAX_CLIENTS} eq '') {
c6c9630e 373 print CONF "max-clients 100\n";
a79fa1d6 374 }
fa527476 375 if ($sovpnsettings{MAX_CLIENTS} ne '') {
c6c9630e 376 print CONF "max-clients $sovpnsettings{MAX_CLIENTS}\n";
66c36198 377 }
1d0a260a 378 print CONF "tls-verify /usr/lib/openvpn/verify\n";
c6c9630e 379 print CONF "crl-verify /var/ipfire/ovpn/crls/cacrl.pem\n";
e1e10515
TE		 380 print CONF "auth-user-pass-optional\n";
381 print CONF "reneg-sec 86400\n";
c6c9630e
MT		 382 print CONF "user nobody\n";
383 print CONF "group nobody\n";
384 print CONF "persist-key\n";
385 print CONF "persist-tun\n";
386 if ($sovpnsettings{LOG_VERB} ne '') {
387 print CONF "verb $sovpnsettings{LOG_VERB}\n";
388 } else {
389 print CONF "verb 3\n";
ffbe77c8 390 }
708f2b73
MT		 391
392 print CONF "# Log clients connecting/disconnecting\n";
393 print CONF "client-connect \"/usr/sbin/openvpn-metrics client-connect\"\n";
394 print CONF "client-disconnect \"/usr/sbin/openvpn-metrics client-disconnect\"\n";
5111dc3d
MT		 395 print CONF "\n";
396
397 print CONF "# Enable Management Socket\n";
398 print CONF "management /var/run/openvpn.sock unix\n";
399 print CONF "management-client-auth\n";
708f2b73 400
ffbe77c8
EK		 401 # Print server.conf.local if entries exist to server.conf
402 if ( !-z $local_serverconf && $sovpnsettings{'ADDITIONAL_CONFIGS'} eq 'on') {
403 open (LSC, "$local_serverconf");
404 print CONF "\n#---------------------------\n";
405 print CONF "# Start of custom directives\n";
406 print CONF "# from server.conf.local\n";
407 print CONF "#---------------------------\n\n";
408 while (<LSC>) {
409 print CONF $_;
410 }
411 print CONF "\n#-----------------------------\n";
412 print CONF "# End of custom directives\n";
413 print CONF "#-----------------------------\n";
414 close (LSC);
415 }
c6c9630e 416 print CONF "\n";
66c36198 417
c6c9630e 418 close(CONF);
66c36198 419}
8c877a82 420
c6c9630e 421sub emptyserverlog{
87fe47e9 422 if (open(FILE, ">/var/run/ovpnserver.log")) {
c6c9630e
MT		 423 flock FILE, 2;
424 print FILE "";
425 close FILE;
426 }
427
428}
429
66c36198 430sub delccdnet
8c877a82
AM		 431{
432 my %ccdconfhash = ();
433 my %ccdhash = ();
434 my $ccdnetname=$_[0];
435 if (-f "${General::swroot}/ovpn/ovpnconfig"){
436 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
437 foreach my $key (keys %ccdhash) {
438 if ($ccdhash{$key}[32] eq $ccdnetname) {
439 $errormessage=$Lang::tr{'ccd err hostinnet'};
440 return;
441 }
442 }
443 }
444 &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
445 foreach my $key (keys %ccdconfhash) {
446 if ($ccdconfhash{$key}[0] eq $ccdnetname){
447 delete $ccdconfhash{$key};
448 }
449 }
450 &General::writehasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
66c36198 451
8c877a82
AM		 452 &writeserverconf;
453 return 0;
454}
455
456sub addccdnet
457{
458 my %ccdconfhash=();
459 my @ccdconf=();
460 my $ccdname=$_[0];
461 my $ccdnet=$_[1];
8c877a82
AM		 462 my $subcidr;
463 my @ip2=();
464 my $checkup;
465 my $ccdip;
466 my $baseaddress;
66c36198
PM		 467
468
469 #check name
470 if ($ccdname eq '')
290007b3
AM		 471 {
472 $errormessage=$errormessage.$Lang::tr{'ccd err name'}."<br>";
473 return
474 }
66c36198 475
dcc2f7e0 476 if(!&General::validccdname($ccdname))
290007b3 477 {
8c877a82
AM		 478 $errormessage=$Lang::tr{'ccd err invalidname'};
479 return;
480 }
66c36198 481
290007b3
AM		 482 ($ccdip,$subcidr) = split (/\//,$ccdnet);
483 $subcidr=&General::iporsubtocidr($subcidr);
484 #check subnet
485 if ($subcidr > 30)
486 {
8c877a82
AM		 487 $errormessage=$Lang::tr{'ccd err invalidnet'};
488 return;
489 }
290007b3
AM		 490 #check ip
491 if (!&General::validipandmask($ccdnet)){
492 $errormessage=$Lang::tr{'ccd err invalidnet'};
493 return;
8c877a82 494 }
b6c60092 495
8c877a82
AM		 496 if (!$errormessage) {
497 my %ccdconfhash=();
498 $baseaddress=&General::getnetworkip($ccdip,$subcidr);
499 &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
500 my $key = &General::findhasharraykey (\%ccdconfhash);
501 foreach my $i (0 .. 1) { $ccdconfhash{$key}[$i] = "";}
502 $ccdconfhash{$key}[0] = $ccdname;
503 $ccdconfhash{$key}[1] = $baseaddress."/".$subcidr;
504 &General::writehasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
505 &writeserverconf;
506 $cgiparams{'ccdname'}='';
507 $cgiparams{'ccdsubnet'}='';
508 return 1;
509 }
510}
511
512sub modccdnet
513{
66c36198 514
8c877a82
AM		 515 my $newname=$_[0];
516 my $oldname=$_[1];
517 my %ccdconfhash=();
518 my %ccdhash=();
7ad653cc
SS		 519
520 # Check if the new name is valid.
521 if(!&General::validhostname($newname)) {
522 $errormessage=$Lang::tr{'ccd err invalidname'};
523 return;
524 }
525
8c877a82
AM		 526 &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
527 foreach my $key (keys %ccdconfhash) {
528 if ($ccdconfhash{$key}[0] eq $oldname) {
529 foreach my $key1 (keys %ccdconfhash) {
530 if ($ccdconfhash{$key1}[0] eq $newname){
531 $errormessage=$errormessage.$Lang::tr{'ccd err netadrexist'};
532 return;
533 }else{
534 $ccdconfhash{$key}[0]= $newname;
535 &General::writehasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
536 last;
537 }
538 }
539 }
540 }
66c36198 541
8c877a82
AM		 542 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
543 foreach my $key (keys %ccdhash) {
544 if ($ccdhash{$key}[32] eq $oldname) {
545 $ccdhash{$key}[32]=$newname;
546 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
547 last;
548 }
549 }
66c36198 550
8c877a82
AM		 551 return 0;
552}
553sub ccdmaxclients
554{
555 my $ccdnetwork=$_[0];
556 my @octets=();
557 my @subnet=();
558 @octets=split("\/",$ccdnetwork);
559 @subnet= split /\./, &General::cidrtosub($octets[1]);
560 my ($a,$b,$c,$d,$e);
561 $a=256-$subnet[0];
562 $b=256-$subnet[1];
563 $c=256-$subnet[2];
564 $d=256-$subnet[3];
565 $e=($a*$b*$c*$d)/4;
566 return $e-1;
567}
568
66c36198 569sub getccdadresses
8c877a82
AM		 570{
571 my $ipin=$_[0];
572 my ($ip1,$ip2,$ip3,$ip4)=split /\./, $ipin;
573 my $cidr=$_[1];
574 chomp($cidr);
575 my $count=$_[2];
576 my $hasip=$_[3];
577 chomp($hasip);
578 my @iprange=();
579 my %ccdhash=();
580 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
d9fe5693 581 $iprange[0]=$ip1.".".$ip2.".".$ip3.".".($ip4+2);
ac87f371 582 for (my $i=1;$i<=$count;$i++) {
8c877a82
AM		 583 my $tmpip=$iprange[$i-1];
584 my $stepper=$i*4;
585 $iprange[$i]= &General::getnextip($tmpip,4);
586 }
587 my $r=0;
588 foreach my $key (keys %ccdhash) {
589 $r=0;
590 foreach my $tmp (@iprange){
591 my ($net,$sub) = split (/\//,$ccdhash{$key}[33]);
592 if ($net eq $tmp) {
593 if ( $hasip ne $ccdhash{$key}[33] ){
594 splice (@iprange,$r,1);
595 }
596 }
597 $r++;
598 }
599 }
600 return @iprange;
601}
602
603sub fillselectbox
604{
605 my $boxname=$_[1];
66c36198 606 my ($ccdip,$subcidr) = split("/",$_[0]);
8c877a82
AM		 607 my $tz=$_[2];
608 my @allccdips=&getccdadresses($ccdip,$subcidr,&ccdmaxclients($ccdip."/".$subcidr),$tz);
609 print"<select name='$boxname' STYLE='font-family : arial; font-size : 9pt; width:130px;' >";
610 foreach (@allccdips) {
611 my $ip=$_."/30";
612 chomp($ip);
613 print "<option value='$ip' ";
614 if ( $ip eq $cgiparams{$boxname} ){
615 print"selected";
616 }
617 print ">$ip</option>";
618 }
619 print "</select>";
620}
621
622sub hostsinnet
623{
624 my $name=$_[0];
625 my %ccdhash=();
626 my $i=0;
627 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
628 foreach my $key (keys %ccdhash) {
629 if ($ccdhash{$key}[32] eq $name){ $i++;}
630 }
631 return $i;
632}
633
634sub check_routes_push
635{
636 my $val=$_[0];
637 my ($ip,$cidr) = split (/\//, $val);
638 ##check for existing routes in routes_push
639 if (-e "${General::swroot}/ovpn/routes_push") {
640 open(FILE,"${General::swroot}/ovpn/routes_push");
641 while (<FILE>) {
642 $_=~s/\s*$//g;
66c36198 643
8c877a82
AM		 644 my ($ip2,$cidr2) = split (/\//,"$_");
645 my $val2=$ip2."/".&General::iporsubtodec($cidr2);
66c36198 646
8c877a82
AM		 647 if($val eq $val2){
648 return 0;
649 }
650 #subnetcheck
651 if (&General::IpInSubnet ($ip,$ip2,&General::iporsubtodec($cidr2))){
652 return 0;
653 }
654 };
655 close(FILE);
656 }
657 return 1;
658}
659
660sub check_ccdroute
661{
662 my %ccdroutehash=();
663 my $val=$_[0];
664 my ($ip,$cidr) = split (/\//, $val);
665 #check for existing routes in ccdroute
666 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
667 foreach my $key (keys %ccdroutehash) {
668 foreach my $i (1 .. $#{$ccdroutehash{$key}}) {
669 if (&General::iporsubtodec($val) eq $ccdroutehash{$key}[$i] && $ccdroutehash{$key}[0] ne $cgiparams{'NAME'}){
670 return 0;
671 }
672 my ($ip2,$cidr2) = split (/\//,$ccdroutehash{$key}[$i]);
673 #subnetcheck
674 if (&General::IpInSubnet ($ip,$ip2,$cidr2)&& $ccdroutehash{$key}[0] ne $cgiparams{'NAME'} ){
675 return 0;
676 }
677 }
678 }
679 return 1;
680}
681sub check_ccdconf
682{
683 my %ccdconfhash=();
684 my $val=$_[0];
685 my ($ip,$cidr) = split (/\//, $val);
686 #check for existing routes in ccdroute
687 &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
688 foreach my $key (keys %ccdconfhash) {
689 if (&General::iporsubtocidr($val) eq $ccdconfhash{$key}[1]){
690 return 0;
691 }
692 my ($ip2,$cidr2) = split (/\//,$ccdconfhash{$key}[1]);
693 #subnetcheck
694 if (&General::IpInSubnet ($ip,$ip2,&General::cidrtosub($cidr2))){
695 return 0;
696 }
66c36198 697
8c877a82
AM		 698 }
699 return 1;
700}
701
7c1d9faf
AH		 702###
703# m.a.d net2net
704###
705
706sub validdotmask
707{
708 my $ipdotmask = $_[0];
709 if (&General::validip($ipdotmask)) { return 0; }
710 if (!($ipdotmask =~ /^(.*?)\/(.*?)$/)) { }
711 my $mask = $2;
66c36198 712 if (($mask =~ /\./ )) { return 0; }
7c1d9faf
AH		 713 return 1;
714}
54fd0535
MT		 715
716# -------------------------------------------------------------------
717
718sub write_routepushfile
719{
720 open(FILE, ">$routes_push_file");
721 flock(FILE, 2);
722 if ($vpnsettings{'ROUTES_PUSH'} ne '') {
723 print FILE $vpnsettings{'ROUTES_PUSH'};
724 }
66c36198 725 close(FILE);
54fd0535
MT		 726}
727
728sub read_routepushfile
729{
730 if (-e "$routes_push_file") {
731 open(FILE,"$routes_push_file");
732 delete $vpnsettings{'ROUTES_PUSH'};
733 while (<FILE>) { $vpnsettings{'ROUTES_PUSH'} .= $_ };
734 close(FILE);
735 $cgiparams{'ROUTES_PUSH'} = $vpnsettings{'ROUTES_PUSH'};
66c36198 736
54fd0535
MT		 737 }
738}
7c1d9faf 739
775b4494
AM		 740sub writecollectdconf {
741 my $vpncollectd;
742 my %ccdhash=();
743
744 open(COLLECTDVPN, ">${General::swroot}/ovpn/collectd.vpn") or die "Unable to open collectd.vpn: $!";
745 print COLLECTDVPN "Loadplugin openvpn\n";
746 print COLLECTDVPN "\n";
747 print COLLECTDVPN "<Plugin openvpn>\n";
748 print COLLECTDVPN "Statusfile \"/var/run/ovpnserver.log\"\n";
749
750 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
751 foreach my $key (keys %ccdhash) {
752 if ($ccdhash{$key}[0] eq 'on' && $ccdhash{$key}[3] eq 'net') {
753 print COLLECTDVPN "Statusfile \"/var/run/openvpn/$ccdhash{$key}[1]-n2n\"\n";
754 }
755 }
756
757 print COLLECTDVPN "</Plugin>\n";
758 close(COLLECTDVPN);
759
760 # Reload collectd afterwards
2feacd98 761 &General::system("/usr/local/bin/collectdctrl", "restart");
775b4494 762}
7c1d9faf 763
c6c9630e
MT		 764#hier die refresh page
765if ( -e "${General::swroot}/ovpn/gencanow") {
766 my $refresh = '';
767 $refresh = "<meta http-equiv='refresh' content='15;' />";
768 &Header::showhttpheaders();
769 &Header::openpage($Lang::tr{'OVPN'}, 1, $refresh);
770 &Header::openbigbox('100%', 'center');
771 &Header::openbox('100%', 'left', "$Lang::tr{'generate root/host certificates'}:");
772 print "<tr>\n<td align='center'><img src='/images/clock.gif' alt='' /></td>\n";
773 print "<td colspan='2'><font color='red'>Please be patient this realy can take some time on older hardware...</font></td></tr>\n";
774 &Header::closebox();
775 &Header::closebigbox();
776 &Header::closepage();
777 exit (0);
778}
779##hier die refresh page
780
6e13d0a5
MT		 781
782###
783### OpenVPN Server Control
784###
785if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'} ||
786 $cgiparams{'ACTION'} eq $Lang::tr{'stop ovpn server'} ||
787 $cgiparams{'ACTION'} eq $Lang::tr{'restart ovpn server'}) {
6e13d0a5
MT		 788 #start openvpn server
789 if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'}){
c6c9630e 790 &emptyserverlog();
2feacd98 791 &General::system("/usr/local/bin/openvpnctrl", "-s");
66c36198 792 }
6e13d0a5
MT		 793 #stop openvpn server
794 if ($cgiparams{'ACTION'} eq $Lang::tr{'stop ovpn server'}){
2feacd98 795 &General::system("/usr/local/bin/openvpnctrl", "-k");
66c36198
PM		 796 &emptyserverlog();
797 }
6e13d0a5 798# #restart openvpn server
8c877a82 799# if ($cgiparams{'ACTION'} eq $Lang::tr{'restart ovpn server'}){
66c36198
PM		 800#workarund, till SIGHUP also works when running as nobody
801# system('/usr/local/bin/openvpnctrl', '-r');
802# &emptyserverlog();
803# }
6e13d0a5
MT		 804}
805
806###
807### Save Advanced options
808###
809
810if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
811 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
812 #DAN do we really need (to to check) this value? Besides if we listen on blue and orange too,
813 #DAN this value has to leave.
814#new settings for daemon
815 $vpnsettings{'LOG_VERB'} = $cgiparams{'LOG_VERB'};
816 $vpnsettings{'KEEPALIVE_1'} = $cgiparams{'KEEPALIVE_1'};
817 $vpnsettings{'KEEPALIVE_2'} = $cgiparams{'KEEPALIVE_2'};
818 $vpnsettings{'MAX_CLIENTS'} = $cgiparams{'MAX_CLIENTS'};
819 $vpnsettings{'REDIRECT_GW_DEF1'} = $cgiparams{'REDIRECT_GW_DEF1'};
820 $vpnsettings{'CLIENT2CLIENT'} = $cgiparams{'CLIENT2CLIENT'};
6a9d9ff4 821 $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
ffbe77c8 822 $vpnsettings{'ADDITIONAL_CONFIGS'} = $cgiparams{'ADDITIONAL_CONFIGS'};
6e13d0a5
MT		 823 $vpnsettings{'DHCP_DOMAIN'} = $cgiparams{'DHCP_DOMAIN'};
824 $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'};
825 $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'};
54fd0535
MT		 826 $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'};
827 my @temp=();
66c36198 828
a79fa1d6
JPT		 829 if ($cgiparams{'FRAGMENT'} eq '') {
830 delete $vpnsettings{'FRAGMENT'};
831 } else {
66c36198 832 if ($cgiparams{'FRAGMENT'} !~ /^[0-9]+$/) {
a79fa1d6
JPT		 833 $errormessage = "Incorrect value, please insert only numbers.";
834 goto ADV_ERROR;
835 } else {
836 $vpnsettings{'FRAGMENT'} = $cgiparams{'FRAGMENT'};
837 }
838 }
49abe7af 839
a79fa1d6 840 if ($cgiparams{'MSSFIX'} ne 'on') {
1de5c945 841 delete $vpnsettings{'MSSFIX'};
a79fa1d6
JPT		 842 } else {
843 $vpnsettings{'MSSFIX'} = $cgiparams{'MSSFIX'};
844 }
2ee746be 845
6e13d0a5 846 if ($cgiparams{'DHCP_DOMAIN'} ne ''){
81da1b01 847 unless (&General::validdomainname($cgiparams{'DHCP_DOMAIN'}) || &General::validip($cgiparams{'DHCP_DOMAIN'})) {
6e13d0a5
MT		 848 $errormessage = $Lang::tr{'invalid input for dhcp domain'};
849 goto ADV_ERROR;
850 }
851 }
852 if ($cgiparams{'DHCP_DNS'} ne ''){
853 unless (&General::validfqdn($cgiparams{'DHCP_DNS'}) || &General::validip($cgiparams{'DHCP_DNS'})) {
854 $errormessage = $Lang::tr{'invalid input for dhcp dns'};
855 goto ADV_ERROR;
856 }
857 }
858 if ($cgiparams{'DHCP_WINS'} ne ''){
859 unless (&General::validfqdn($cgiparams{'DHCP_WINS'}) || &General::validip($cgiparams{'DHCP_WINS'})) {
860 $errormessage = $Lang::tr{'invalid input for dhcp wins'};
54fd0535
MT		 861 goto ADV_ERROR;
862 }
863 }
864 if ($cgiparams{'ROUTES_PUSH'} ne ''){
865 @temp = split(/\n/,$cgiparams{'ROUTES_PUSH'});
866 undef $vpnsettings{'ROUTES_PUSH'};
66c36198 867
8c877a82 868 foreach my $tmpip (@temp)
54fd0535
MT		 869 {
870 s/^\s+//g; s/\s+$//g;
66c36198 871
8c877a82 872 if ($tmpip)
54fd0535 873 {
66c36198 874 $tmpip=~s/\s*$//g;
8c877a82
AM		 875 unless (&General::validipandmask($tmpip)) {
876 $errormessage = "$tmpip ".$Lang::tr{'ovpn errmsg invalid ip or mask'};
877 goto ADV_ERROR;
54fd0535 878 }
8c877a82 879 my ($ip, $cidr) = split("\/",&General::ipcidr2msk($tmpip));
66c36198 880
54fd0535
MT		 881 if ($ip eq $netsettings{'GREEN_NETADDRESS'} && $cidr eq $netsettings{'GREEN_NETMASK'}) {
882 $errormessage = $Lang::tr{'ovpn errmsg green already pushed'};
8c877a82
AM		 883 goto ADV_ERROR;
884 }
66c36198 885# a.marx ccd
8c877a82
AM		 886 my %ccdroutehash=();
887 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
888 foreach my $key (keys %ccdroutehash) {
66c36198 889 foreach my $i (1 .. $#{$ccdroutehash{$key}}) {
8c877a82
AM		 890 if ( $ip."/".$cidr eq $ccdroutehash{$key}[$i] ){
891 $errormessage="Route $ip\/$cidr ".$Lang::tr{'ccd err inuse'}." $ccdroutehash{$key}[0]" ;
892 goto ADV_ERROR;
893 }
894 my ($ip2,$cidr2) = split(/\//,$ccdroutehash{$key}[$i]);
895 if (&General::IpInSubnet ($ip,$ip2,$cidr2)){
896 $errormessage="Route $ip\/$cidr ".$Lang::tr{'ccd err inuse'}." $ccdroutehash{$key}[0]" ;
897 goto ADV_ERROR;
898 }
899 }
54fd0535 900 }
66c36198 901
8c877a82 902# ccd end
66c36198 903
8c877a82 904 $vpnsettings{'ROUTES_PUSH'} .= $tmpip."\n";
54fd0535 905 }
8c877a82
AM		 906 }
907 &write_routepushfile;
54fd0535 908 undef $vpnsettings{'ROUTES_PUSH'};
8e148dc3
NP		 909 }
910 else {
911 undef $vpnsettings{'ROUTES_PUSH'};
912 &write_routepushfile;
6e13d0a5 913 }
ba50f66d 914 if ((length($cgiparams{'MAX_CLIENTS'}) == 0) || (($cgiparams{'MAX_CLIENTS'}) < 1 ) || (($cgiparams{'MAX_CLIENTS'}) > 1024 )) {
6e13d0a5
MT		 915 $errormessage = $Lang::tr{'invalid input for max clients'};
916 goto ADV_ERROR;
917 }
918 if ($cgiparams{'KEEPALIVE_1'} ne '') {
66c36198 919 if ($cgiparams{'KEEPALIVE_1'} !~ /^[0-9]+$/) {
6e13d0a5
MT		 920 $errormessage = $Lang::tr{'invalid input for keepalive 1'};
921 goto ADV_ERROR;
922 }
923 }
924 if ($cgiparams{'KEEPALIVE_2'} ne ''){
66c36198 925 if ($cgiparams{'KEEPALIVE_2'} !~ /^[0-9]+$/) {
6e13d0a5
MT		 926 $errormessage = $Lang::tr{'invalid input for keepalive 2'};
927 goto ADV_ERROR;
928 }
929 }
930 if ($cgiparams{'KEEPALIVE_2'} < ($cgiparams{'KEEPALIVE_1'} * 2)){
931 $errormessage = $Lang::tr{'invalid input for keepalive 1:2'};
66c36198 932 goto ADV_ERROR;
6e13d0a5 933 }
6e13d0a5 934 &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
c6c9630e 935 &writeserverconf();#hier ok
6e13d0a5
MT		 936}
937
ce9abb66 938###
7c1d9faf 939# m.a.d net2net
ce9abb66
AH		 940###
941
942if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq 'net' && $cgiparams{'SIDE'} eq 'server')
943{
c6c9630e 944
ce9abb66
AH		 945my @remsubnet = split(/\//,$cgiparams{'REMOTE_SUBNET'});
946my @ovsubnettemp = split(/\./,$cgiparams{'OVPN_SUBNET'});
54fd0535 947my $ovsubnet = "$ovsubnettemp[0].$ovsubnettemp[1].$ovsubnettemp[2]";
d96c89eb 948my $tunmtu = '';
531f0835
AH		 949
950unless(-d "${General::swroot}/ovpn/n2nconf/"){mkdir "${General::swroot}/ovpn/n2nconf", 0755 or die "Unable to create dir $!";}
66c36198 951unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}", 0770 or die "Unable to create dir $!";}
ce9abb66
AH		 952
953 open(SERVERCONF, ">${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Unable to open ${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf: $!";
66c36198 954
ce9abb66 955 flock SERVERCONF, 2;
66c36198
PM		 956 print SERVERCONF "# IPFire n2n Open VPN Server Config by ummeegge und m.a.d\n";
957 print SERVERCONF "\n";
b278daf3 958 print SERVERCONF "# User Security\n";
ce9abb66
AH		 959 print SERVERCONF "user nobody\n";
960 print SERVERCONF "group nobody\n";
961 print SERVERCONF "persist-tun\n";
962 print SERVERCONF "persist-key\n";
7c1d9faf 963 print SERVERCONF "script-security 2\n";
66c36198 964 print SERVERCONF "# IP/DNS for remote Server Gateway\n";
c125d8a2
SS		 965
966 if ($cgiparams{'REMOTE'} ne '') {
ce9abb66 967 print SERVERCONF "remote $cgiparams{'REMOTE'}\n";
c125d8a2
SS		 968 }
969
b278daf3 970 print SERVERCONF "float\n";
66c36198
PM		 971 print SERVERCONF "# IP adresses of the VPN Subnet\n";
972 print SERVERCONF "ifconfig $ovsubnet.1 $ovsubnet.2\n";
973 print SERVERCONF "# Client Gateway Network\n";
54fd0535 974 print SERVERCONF "route $remsubnet[0] $remsubnet[1]\n";
2913185a 975 print SERVERCONF "up \"/etc/init.d/static-routes start\"\n";
66c36198
PM		 976 print SERVERCONF "# tun Device\n";
977 print SERVERCONF "dev tun\n";
5795fc1b
AM		 978 print SERVERCONF "#Logfile for statistics\n";
979 print SERVERCONF "status-version 1\n";
87fe47e9 980 print SERVERCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n";
66c36198
PM		 981 print SERVERCONF "# Port and Protokol\n";
982 print SERVERCONF "port $cgiparams{'DEST_PORT'}\n";
5795fc1b 983
60f396d7 984 if ($cgiparams{'PROTOCOL'} eq 'tcp') {
1580d3b1 985 print SERVERCONF "proto tcp4-server\n";
60f396d7 986 print SERVERCONF "# Packet size\n";
d96c89eb 987 if ($cgiparams{'MTU'} eq '') {$tunmtu = '1400'} else {$tunmtu = $cgiparams{'MTU'}};
60f396d7 988 print SERVERCONF "tun-mtu $tunmtu\n";
d96c89eb 989 }
66c36198 990
60f396d7 991 if ($cgiparams{'PROTOCOL'} eq 'udp') {
1580d3b1 992 print SERVERCONF "proto udp4\n";
60f396d7
AH		 993 print SERVERCONF "# Paketsize\n";
994 if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'} else {$tunmtu = $cgiparams{'MTU'}};
995 print SERVERCONF "tun-mtu $tunmtu\n";
66c36198 996 if ($cgiparams{'FRAGMENT'} ne '') {print SERVERCONF "fragment $cgiparams{'FRAGMENT'}\n";}
d6989b4b 997 if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n"; } else { print SERVERCONF "mssfix 0\n" };
d96c89eb 998 }
1647059d 999
66c36198
PM		 1000 print SERVERCONF "# Auth. Server\n";
1001 print SERVERCONF "tls-server\n";
1002 print SERVERCONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n";
1003 print SERVERCONF "cert ${General::swroot}/ovpn/certs/servercert.pem\n";
1004 print SERVERCONF "key ${General::swroot}/ovpn/certs/serverkey.pem\n";
49abe7af 1005 print SERVERCONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n";
66c36198 1006 print SERVERCONF "# Cipher\n";
4c962356 1007 print SERVERCONF "cipher $cgiparams{'DCIPHER'}\n";
52f61e49
EKD		 1008
1009 # If GCM cipher is used, do not use --auth
1010 if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') ||
1011 ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') ||
1012 ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) {
1013 print SERVERCONF unless "# HMAC algorithm\n";
1014 print SERVERCONF unless "auth $cgiparams{'DAUTH'}\n";
49abe7af 1015 } else {
52f61e49
EKD		 1016 print SERVERCONF "# HMAC algorithm\n";
1017 print SERVERCONF "auth $cgiparams{'DAUTH'}\n";
49abe7af 1018 }
52f61e49 1019
942446b5
EK		 1020 # Set TLSv1.2 as minimum
1021 print SERVERCONF "tls-version-min 1.2\n";
1022
ce9abb66 1023 if ($cgiparams{'COMPLZO'} eq 'on') {
60f396d7 1024 print SERVERCONF "# Enable Compression\n";
66298ef2 1025 print SERVERCONF "comp-lzo\n";
b278daf3 1026 }
66c36198
PM		 1027 print SERVERCONF "# Debug Level\n";
1028 print SERVERCONF "verb 3\n";
1029 print SERVERCONF "# Tunnel check\n";
1030 print SERVERCONF "keepalive 10 60\n";
1031 print SERVERCONF "# Start as daemon\n";
1032 print SERVERCONF "daemon $cgiparams{'NAME'}n2n\n";
1033 print SERVERCONF "writepid /var/run/$cgiparams{'NAME'}n2n.pid\n";
1034 print SERVERCONF "# Activate Management Interface and Port\n";
54fd0535
MT		 1035 if ($cgiparams{'OVPN_MGMT'} eq '') {print SERVERCONF "management localhost $cgiparams{'DEST_PORT'}\n"}
1036 else {print SERVERCONF "management localhost $cgiparams{'OVPN_MGMT'}\n"};
ce9abb66
AH		 1037 close(SERVERCONF);
1038
1039}
1040
1041###
7c1d9faf 1042# m.a.d net2net
ce9abb66 1043###
7c1d9faf 1044
ce9abb66
AH		 1045if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq 'net' && $cgiparams{'SIDE'} eq 'client')
1046{
4c962356 1047
ce9abb66 1048 my @ovsubnettemp = split(/\./,$cgiparams{'OVPN_SUBNET'});
54fd0535 1049 my $ovsubnet = "$ovsubnettemp[0].$ovsubnettemp[1].$ovsubnettemp[2]";
ce9abb66 1050 my @remsubnet = split(/\//,$cgiparams{'REMOTE_SUBNET'});
d96c89eb 1051 my $tunmtu = '';
66c36198 1052
531f0835
AH		 1053unless(-d "${General::swroot}/ovpn/n2nconf/"){mkdir "${General::swroot}/ovpn/n2nconf", 0755 or die "Unable to create dir $!";}
1054unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}", 0770 or die "Unable to create dir $!";}
66c36198 1055
ce9abb66 1056 open(CLIENTCONF, ">${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Unable to open ${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf: $!";
66c36198 1057
ce9abb66 1058 flock CLIENTCONF, 2;
7c1d9faf 1059 print CLIENTCONF "# IPFire rewritten n2n Open VPN Client Config by ummeegge und m.a.d\n";
66c36198 1060 print CLIENTCONF "#\n";
b278daf3 1061 print CLIENTCONF "# User Security\n";
ce9abb66
AH		 1062 print CLIENTCONF "user nobody\n";
1063 print CLIENTCONF "group nobody\n";
1064 print CLIENTCONF "persist-tun\n";
1065 print CLIENTCONF "persist-key\n";
7c1d9faf 1066 print CLIENTCONF "script-security 2\n";
66c36198 1067 print CLIENTCONF "# IP/DNS for remote Server Gateway\n";
ce9abb66 1068 print CLIENTCONF "remote $cgiparams{'REMOTE'}\n";
b278daf3 1069 print CLIENTCONF "float\n";
66c36198
PM		 1070 print CLIENTCONF "# IP adresses of the VPN Subnet\n";
1071 print CLIENTCONF "ifconfig $ovsubnet.2 $ovsubnet.1\n";
1072 print CLIENTCONF "# Server Gateway Network\n";
1073 print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n";
ebcecb4b 1074 print CLIENTCONF "up \"/etc/init.d/static-routes start\"\n";
66c36198
PM		 1075 print CLIENTCONF "# tun Device\n";
1076 print CLIENTCONF "dev tun\n";
35a21a25
AM		 1077 print CLIENTCONF "#Logfile for statistics\n";
1078 print CLIENTCONF "status-version 1\n";
1079 print CLIENTCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n";
66c36198
PM		 1080 print CLIENTCONF "# Port and Protokol\n";
1081 print CLIENTCONF "port $cgiparams{'DEST_PORT'}\n";
60f396d7
AH		 1082
1083 if ($cgiparams{'PROTOCOL'} eq 'tcp') {
1580d3b1 1084 print CLIENTCONF "proto tcp4-client\n";
60f396d7 1085 print CLIENTCONF "# Packet size\n";
d96c89eb 1086 if ($cgiparams{'MTU'} eq '') {$tunmtu = '1400'} else {$tunmtu = $cgiparams{'MTU'}};
60f396d7 1087 print CLIENTCONF "tun-mtu $tunmtu\n";
d96c89eb 1088 }
66c36198 1089
60f396d7 1090 if ($cgiparams{'PROTOCOL'} eq 'udp') {
1580d3b1 1091 print CLIENTCONF "proto udp4\n";
60f396d7
AH		 1092 print CLIENTCONF "# Paketsize\n";
1093 if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'} else {$tunmtu = $cgiparams{'MTU'}};
1094 print CLIENTCONF "tun-mtu $tunmtu\n";
54fd0535 1095 if ($cgiparams{'FRAGMENT'} ne '') {print CLIENTCONF "fragment $cgiparams{'FRAGMENT'}\n";}
d6989b4b 1096 if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF "mssfix\n"; } else { print CLIENTCONF "mssfix 0\n" };
d96c89eb 1097 }
1647059d 1098
b66b02ab
EK		 1099 # Check host certificate if X509 is RFC3280 compliant.
1100 # If not, old --ns-cert-type directive will be used.
1101 # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
2feacd98
SS		 1102 my @hostcert = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
1103 if ( ! grep(/TLS Web Server Authentication/, @hostcert)) {
b66b02ab
EK		 1104 print CLIENTCONF "ns-cert-type server\n";
1105 } else {
1106 print CLIENTCONF "remote-cert-tls server\n";
1107 }
66c36198
PM		 1108 print CLIENTCONF "# Auth. Client\n";
1109 print CLIENTCONF "tls-client\n";
1110 print CLIENTCONF "# Cipher\n";
4c962356 1111 print CLIENTCONF "cipher $cgiparams{'DCIPHER'}\n";
ce9abb66 1112 print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12\r\n";
52f61e49
EKD		 1113
1114 # If GCM cipher is used, do not use --auth
1115 if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') ||
1116 ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') ||
1117 ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) {
1118 print CLIENTCONF unless "# HMAC algorithm\n";
1119 print CLIENTCONF unless "auth $cgiparams{'DAUTH'}\n";
49abe7af 1120 } else {
52f61e49
EKD		 1121 print CLIENTCONF "# HMAC algorithm\n";
1122 print CLIENTCONF "auth $cgiparams{'DAUTH'}\n";
49abe7af 1123 }
52f61e49 1124
942446b5
EK		 1125 # Set TLSv1.2 as minimum
1126 print CLIENTCONF "tls-version-min 1.2\n";
1127
ce9abb66 1128 if ($cgiparams{'COMPLZO'} eq 'on') {
60f396d7 1129 print CLIENTCONF "# Enable Compression\n";
66298ef2 1130 print CLIENTCONF "comp-lzo\n";
4c962356 1131 }
66c36198
PM		 1132 print CLIENTCONF "# Debug Level\n";
1133 print CLIENTCONF "verb 3\n";
1134 print CLIENTCONF "# Tunnel check\n";
1135 print CLIENTCONF "keepalive 10 60\n";
1136 print CLIENTCONF "# Start as daemon\n";
ce9abb66 1137 print CLIENTCONF "daemon $cgiparams{'NAME'}n2n\n";
66c36198
PM		 1138 print CLIENTCONF "writepid /var/run/$cgiparams{'NAME'}n2n.pid\n";
1139 print CLIENTCONF "# Activate Management Interface and Port\n";
54fd0535
MT		 1140 if ($cgiparams{'OVPN_MGMT'} eq '') {print CLIENTCONF "management localhost $cgiparams{'DEST_PORT'}\n"}
1141 else {print CLIENTCONF "management localhost $cgiparams{'OVPN_MGMT'}\n"};
ce9abb66 1142 close(CLIENTCONF);
c6c9630e 1143
ce9abb66 1144}
400c8afd 1145
6e13d0a5
MT		 1146###
1147### Save main settings
1148###
ce9abb66 1149
6e13d0a5
MT		 1150if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') {
1151 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
6e13d0a5
MT		 1152 #DAN do we really need (to to check) this value? Besides if we listen on blue and orange too,
1153 #DAN this value has to leave.
1154 if ($cgiparams{'ENABLED'} eq 'on'){
1155 unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'})) {
1156 $errormessage = $Lang::tr{'invalid input for hostname'};
c6c9630e 1157 goto SETTINGS_ERROR;
6e13d0a5
MT		 1158 }
1159 }
f7fb5bc5 1160
6e13d0a5 1161 if (! &General::validipandmask($cgiparams{'DOVPN_SUBNET'})) {
c6c9630e 1162 $errormessage = $Lang::tr{'ovpn subnet is invalid'};
4c962356 1163 goto SETTINGS_ERROR;
c6c9630e
MT		 1164 }
1165 my @tmpovpnsubnet = split("\/",$cgiparams{'DOVPN_SUBNET'});
66c36198
PM		 1166
1167 if (&General::IpInSubnet ( $netsettings{'RED_ADDRESS'},
c6c9630e
MT		 1168 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
1169 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire RED Network $netsettings{'RED_ADDRESS'}";
1170 goto SETTINGS_ERROR;
1171 }
66c36198
PM		 1172
1173 if (&General::IpInSubnet ( $netsettings{'GREEN_ADDRESS'},
c6c9630e
MT		 1174 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
1175 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Green Network $netsettings{'GREEN_ADDRESS'}";
1176 goto SETTINGS_ERROR;
1177 }
1178
66c36198 1179 if (&General::IpInSubnet ( $netsettings{'BLUE_ADDRESS'},
c6c9630e
MT		 1180 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
1181 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Blue Network $netsettings{'BLUE_ADDRESS'}";
1182 goto SETTINGS_ERROR;
1183 }
66c36198
PM		 1184
1185 if (&General::IpInSubnet ( $netsettings{'ORANGE_ADDRESS'},
c6c9630e
MT		 1186 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
1187 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Orange Network $netsettings{'ORANGE_ADDRESS'}";
1188 goto SETTINGS_ERROR;
1189 }
1190 open(ALIASES, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
1191 while (<ALIASES>)
1192 {
1193 chomp($_);
1194 my @tempalias = split(/\,/,$_);
1195 if ($tempalias[1] eq 'on') {
66c36198 1196 if (&General::IpInSubnet ($tempalias[0] ,
c6c9630e
MT		 1197 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
1198 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire alias entry $tempalias[0]";
66c36198 1199 }
c6c9630e
MT		 1200 }
1201 }
1202 close(ALIASES);
6e13d0a5 1203 if ($errormessage ne ''){
c6c9630e 1204 goto SETTINGS_ERROR;
6e13d0a5
MT		 1205 }
1206 if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
1207 $errormessage = $Lang::tr{'invalid input'};
1208 goto SETTINGS_ERROR;
1209 }
1210 if ((length($cgiparams{'DMTU'})==0) || (($cgiparams{'DMTU'}) < 1000 )) {
1211 $errormessage = $Lang::tr{'invalid mtu input'};
1212 goto SETTINGS_ERROR;
1213 }
66c36198 1214
6e13d0a5 1215 unless (&General::validport($cgiparams{'DDEST_PORT'})) {
c6c9630e
MT		 1216 $errormessage = $Lang::tr{'invalid port'};
1217 goto SETTINGS_ERROR;
6e13d0a5 1218 }
8c252e6a 1219
b21a6319
EK		 1220 # Create ta.key for tls-auth if not presant
1221 if ($cgiparams{'TLSAUTH'} eq 'on') {
1222 if ( ! -e "${General::swroot}/ovpn/certs/ta.key") {
2feacd98 1223 # This system call is safe, because all arguements are passed as an array.
acbd6ff4 1224 system("/usr/sbin/openvpn", "--genkey", "secret", "${General::swroot}/ovpn/certs/ta.key");
b21a6319
EK		 1225 if ($?) {
1226 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1227 goto SETTINGS_ERROR;
1228 }
1229 }
1230 }
1231
6e13d0a5
MT		 1232 $vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'};
1233 $vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'};
1234 $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
1235 $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};
1236#new settings for daemon
1237 $vpnsettings{'DOVPN_SUBNET'} = $cgiparams{'DOVPN_SUBNET'};
6e13d0a5
MT		 1238 $vpnsettings{'DPROTOCOL'} = $cgiparams{'DPROTOCOL'};
1239 $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'};
1240 $vpnsettings{'DMTU'} = $cgiparams{'DMTU'};
1241 $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
1242 $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
86308adb 1243 $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
0c4ffc69 1244 $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
3ffee04b
CS		 1245#wrtie enable
1246
2feacd98
SS		 1247 if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {
1248 &General::system("touch", "${General::swroot}/ovpn/enable_blue");
1249 } else {
274ca65b 1250 unlink("${General::swroot}/ovpn/enable_blue");
2feacd98
SS		 1251 }
1252
1253 if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' ) {
1254 &General::system("touch", "${General::swroot}/ovpn/enable_orange");
1255 } else {
1256 unlink("${General::swroot}/ovpn/enable_orange");
1257 }
1258
1259 if ( $vpnsettings{'ENABLED'} eq 'on' ) {
1260 &General::system("touch", "${General::swroot}/ovpn/enable");
1261 } else {
1262 unlink("${General::swroot}/ovpn/enable");
1263 }
1264
66c36198 1265#new settings for daemon
6e13d0a5 1266 &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
c6c9630e 1267 &writeserverconf();#hier ok
6e13d0a5
MT		 1268SETTINGS_ERROR:
1269###
1270### Reset all step 2
1271###
4c962356 1272}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'} && $cgiparams{'AREUSURE'} eq 'yes') {
6e13d0a5
MT		 1273 my $file = '';
1274 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1275
1e499e90 1276 # Kill all N2N connections
2feacd98 1277 &General::system("/usr/local/bin/openvpnctrl", "-kn2n");
1e499e90 1278
6e13d0a5 1279 foreach my $key (keys %confighash) {
2f36a7b4
MT		 1280 my $name = $confighash{$cgiparams{'$key'}}[1];
1281
c6c9630e
MT		 1282 if ($confighash{$key}[4] eq 'cert') {
1283 delete $confighash{$cgiparams{'$key'}};
1284 }
2f36a7b4 1285
2feacd98 1286 &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$name");
6e13d0a5
MT		 1287 }
1288 while ($file = glob("${General::swroot}/ovpn/ca/*")) {
49abe7af 1289 unlink $file;
6e13d0a5
MT		 1290 }
1291 while ($file = glob("${General::swroot}/ovpn/certs/*")) {
49abe7af 1292 unlink $file;
6e13d0a5
MT		 1293 }
1294 while ($file = glob("${General::swroot}/ovpn/crls/*")) {
49abe7af 1295 unlink $file;
6e13d0a5 1296 }
4c962356 1297 &cleanssldatabase();
6e13d0a5
MT		 1298 if (open(FILE, ">${General::swroot}/ovpn/caconfig")) {
1299 print FILE "";
1300 close FILE;
1301 }
49abe7af
EK		 1302 if (open(FILE, ">${General::swroot}/ovpn/ccdroute")) {
1303 print FILE "";
1304 close FILE;
1305 }
1306 if (open(FILE, ">${General::swroot}/ovpn/ccdroute2")) {
1307 print FILE "";
1308 close FILE;
1309 }
1310 while ($file = glob("${General::swroot}/ovpn/ccd/*")) {
1311 unlink $file
1312 }
5795fc1b
AM		 1313 while ($file = glob("${General::swroot}/ovpn/ccd/*")) {
1314 unlink $file
1315 }
49abe7af
EK		 1316 if (open(FILE, ">${General::swroot}/ovpn/ovpn-leases.db")) {
1317 print FILE "";
1318 close FILE;
1319 }
1320 if (open(FILE, ">${General::swroot}/ovpn/ovpnconfig")) {
1321 print FILE "";
1322 close FILE;
1323 }
1324 while ($file = glob("${General::swroot}/ovpn/n2nconf/*")) {
2feacd98 1325 unlink($file);
49abe7af
EK		 1326 }
1327
2f36a7b4
MT		 1328 # Remove everything from the collectd configuration
1329 &writecollectdconf();
1330
c6c9630e 1331 #&writeserverconf();
6e13d0a5
MT		 1332###
1333### Reset all step 1
1334###
4c962356 1335}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'}) {
6e13d0a5 1336 &Header::showhttpheaders();
4c962356
EK		 1337 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
1338 &Header::openbigbox('100%', 'left', '', '');
1339 &Header::openbox('100%', 'left', $Lang::tr{'are you sure'});
1340 print <<END;
1341 <form method='post'>
1342 <table width='100%'>
1343 <tr>
1344 <td align='center'>
1345 <input type='hidden' name='AREUSURE' value='yes' />
49abe7af 1346 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>:
4c962356
EK		 1347 $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}</td>
1348 </tr>
1349 <tr>
1350 <td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' />
1351 <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td>
1352 </tr>
1353 </table>
1354 </form>
6e13d0a5
MT		 1355END
1356 ;
1357 &Header::closebox();
1358 &Header::closebigbox();
1359 &Header::closepage();
1360 exit (0);
1361
4c962356
EK		 1362###
1363### Generate DH key step 2
1364###
1365} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'} && $cgiparams{'AREUSURE'} eq 'yes') {
49abe7af 1366 # Delete if old key exists
4c962356
EK		 1367 if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
1368 unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}";
1369 }
1370 # Create Diffie Hellmann Parameter
2feacd98
SS		 1371 # The system call is safe, because all arguments are passed as an array.
1372 system("/usr/bin/openssl", "dhparam", "-out", "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}");
4c962356
EK		 1373 if ($?) {
1374 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1375 unlink ("${General::swroot}/ovpn/ca/dh1024.pem");
1376 }
1377
1378###
1379### Generate DH key step 1
1380###
1381} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'}) {
1382 &Header::showhttpheaders();
1383 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
1384 &Header::openbigbox('100%', 'LEFT', '', '');
1385 &Header::openbox('100%', 'LEFT', "$Lang::tr{'gen dh'}:");
1386 print <<END;
1387 <table width='100%'>
1388 <tr>
f527e53f 1389 <td width='20%'> </td> <td width='15%'></td> <td width='65%'></td>
49abe7af 1390 </tr>
4c962356
EK		 1391 <tr>
1392 <td class='base'>$Lang::tr{'ovpn dh'}:</td>
1393 <td align='center'>
1394 <form method='post'><input type='hidden' name='AREUSURE' value='yes' />
1395 <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
1396 <select name='DHLENGHT'>
4c962356
EK		 1397 <option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
1398 <option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
1399 <option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
1400 </select>
1401 </td>
1402 </tr>
1403 <tr><td colspan='4'><br></td></tr>
1404 </table>
1405 <table width='100%'>
1406 <tr>
49abe7af 1407 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}: </font></b>$Lang::tr{'dh key warn'}
4c962356 1408 </tr>
49abe7af
EK		 1409 <tr>
1410 <td class='base'>$Lang::tr{'dh key warn1'}</td>
1411 </tr>
1412 <tr><td colspan='2'><br></td></tr>
4c962356
EK		 1413 <tr>
1414 <td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'generate dh key'}' /></td>
1415 </form>
1416 </tr>
1417 </table>
1418
1419END
1420 ;
1421 &Header::closebox();
1422 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1423 &Header::closebigbox();
1424 &Header::closepage();
1425 exit (0);
1426
1427###
1428### Upload DH key
1429###
1430} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload dh key'}) {
2ad1b18b 1431 unless (ref ($cgiparams{'FH'})) {
4c962356
EK		 1432 $errormessage = $Lang::tr{'there was no file upload'};
1433 goto UPLOADCA_ERROR;
1434 }
49abe7af 1435 # Move uploaded dh key to a temporary file
4c962356
EK		 1436 (my $fh, my $filename) = tempfile( );
1437 if (copy ($cgiparams{'FH'}, $fh) != 1) {
1438 $errormessage = $!;
49abe7af 1439 goto UPLOADCA_ERROR;
4c962356 1440 }
2feacd98
SS		 1441 my @temp = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "$filename");
1442 if ( ! grep(/DH Parameters: \((2048|3072|4096) bit\)/, @temp)) {
4c962356
EK		 1443 $errormessage = $Lang::tr{'not a valid dh key'};
1444 unlink ($filename);
1445 goto UPLOADCA_ERROR;
1446 } else {
cc79d281
SS		 1447 # Delete if old key exists
1448 if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
1449 unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}";
4c962356 1450 }
cc79d281
SS		 1451
1452 unless(move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}")) {
49abe7af
EK		 1453 $errormessage = "$Lang::tr{'dh key move failed'}: $!";
1454 unlink ($filename);
1455 goto UPLOADCA_ERROR;
cc79d281 1456 }
4c962356 1457 }
6e13d0a5
MT		 1458###
1459### Upload CA Certificate
1460###
1461} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) {
1462 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1463
1464 if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) {
1465 $errormessage = $Lang::tr{'name must only contain characters'};
1466 goto UPLOADCA_ERROR;
1467 }
1468
1469 if (length($cgiparams{'CA_NAME'}) >60) {
1470 $errormessage = $Lang::tr{'name too long'};
1471 goto VPNCONF_ERROR;
1472 }
1473
1474 if ($cgiparams{'CA_NAME'} eq 'ca') {
1475 $errormessage = $Lang::tr{'name is invalid'};
4c962356 1476 goto UPLOADCA_ERROR;
6e13d0a5
MT		 1477 }
1478
1479 # Check if there is no other entry with this name
1480 foreach my $key (keys %cahash) {
c6c9630e
MT		 1481 if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) {
1482 $errormessage = $Lang::tr{'a ca certificate with this name already exists'};
1483 goto UPLOADCA_ERROR;
1484 }
6e13d0a5
MT		 1485 }
1486
2ad1b18b 1487 unless (ref ($cgiparams{'FH'})) {
c6c9630e
MT		 1488 $errormessage = $Lang::tr{'there was no file upload'};
1489 goto UPLOADCA_ERROR;
6e13d0a5
MT		 1490 }
1491 # Move uploaded ca to a temporary file
1492 (my $fh, my $filename) = tempfile( );
1493 if (copy ($cgiparams{'FH'}, $fh) != 1) {
c6c9630e
MT		 1494 $errormessage = $!;
1495 goto UPLOADCA_ERROR;
6e13d0a5 1496 }
2feacd98
SS		 1497 my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "$filename");
1498 if ( ! grep(/CA:TRUE/i, @temp )) {
c6c9630e
MT		 1499 $errormessage = $Lang::tr{'not a valid ca certificate'};
1500 unlink ($filename);
1501 goto UPLOADCA_ERROR;
6e13d0a5 1502 } else {
cc79d281 1503 unless(move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem")) {
c6c9630e
MT		 1504 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1505 unlink ($filename);
1506 goto UPLOADCA_ERROR;
1507 }
6e13d0a5
MT		 1508 }
1509
274ca65b 1510 my @casubject = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem");
2feacd98
SS		 1511 my $casubject;
1512
1513 foreach my $line (@casubject) {
1514 if ($line =~ /Subject: (.*)[\n]/) {
1515 $casubject = $1;
1516 $casubject =~ s+/Email+, E+;
1517 $casubject =~ s/ ST=/ S=/;
1518
1519 last;
1520 }
1521 }
1522
6e13d0a5
MT		 1523 $casubject = &Header::cleanhtml($casubject);
1524
1525 my $key = &General::findhasharraykey (\%cahash);
1526 $cahash{$key}[0] = $cgiparams{'CA_NAME'};
1527 $cahash{$key}[1] = $casubject;
1528 &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash);
c6c9630e
MT		 1529# system('/usr/local/bin/ipsecctrl', 'R');
1530
6e13d0a5
MT		 1531 UPLOADCA_ERROR:
1532
1533###
1534### Display ca certificate
1535###
1536} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show ca certificate'}) {
c6c9630e
MT		 1537 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1538
1539 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") {
1540 &Header::showhttpheaders();
4c962356 1541 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
c6c9630e
MT		 1542 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
1543 &Header::openbox('100%', 'LEFT', "$Lang::tr{'ca certificate'}:");
2feacd98 1544 my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
8c946d1c
MT		 1545 my $output = &Header::cleanhtml(join("", @output),"y");
1546 print "<pre>$output</pre>\n";
c6c9630e
MT		 1547 &Header::closebox();
1548 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1549 &Header::closebigbox();
1550 &Header::closepage();
1551 exit(0);
1552 } else {
1553 $errormessage = $Lang::tr{'invalid key'};
1554 }
1555
6e13d0a5
MT		 1556###
1557### Download ca certificate
1558###
1559} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download ca certificate'}) {
1560 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1561
1562 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
1563 print "Content-Type: application/octet-stream\r\n";
1564 print "Content-Disposition: filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n";
2feacd98
SS		 1565
1566 my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
f158e71e 1567 print @tmp;
2feacd98 1568
6e13d0a5
MT		 1569 exit(0);
1570 } else {
1571 $errormessage = $Lang::tr{'invalid key'};
1572 }
1573
1574###
1575### Remove ca certificate (step 2)
1576###
1577} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'} && $cgiparams{'AREUSURE'} eq 'yes') {
1578 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1579 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1580
1581 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
1582 foreach my $key (keys %confighash) {
2feacd98
SS		 1583 my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem");
1584 if (grep(/: OK/, @test)) {
c6c9630e
MT		 1585 # Delete connection
1586# if ($vpnsettings{'ENABLED'} eq 'on' ||
1587# $vpnsettings{'ENABLED_BLUE'} eq 'on') {
1588# system('/usr/local/bin/ipsecctrl', 'D', $key);
1589# }
6e13d0a5
MT		 1590 unlink ("${General::swroot}/ovpn//certs/$confighash{$key}[1]cert.pem");
1591 unlink ("${General::swroot}/ovpn/certs/$confighash{$key}[1].p12");
1592 delete $confighash{$key};
1593 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
c6c9630e 1594# &writeipsecfiles();
6e13d0a5
MT		 1595 }
1596 }
1597 unlink ("${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
1598 delete $cahash{$cgiparams{'KEY'}};
1599 &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash);
c6c9630e 1600# system('/usr/local/bin/ipsecctrl', 'R');
6e13d0a5
MT		 1601 } else {
1602 $errormessage = $Lang::tr{'invalid key'};
1603 }
1604###
1605### Remove ca certificate (step 1)
1606###
1607} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'}) {
1608 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1609 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1610
1611 my $assignedcerts = 0;
1612 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
1613 foreach my $key (keys %confighash) {
2feacd98
SS		 1614 my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem");
1615 if (grep(/: OK/, @test)) {
6e13d0a5
MT		 1616 $assignedcerts++;
1617 }
1618 }
1619 if ($assignedcerts) {
1620 &Header::showhttpheaders();
4c962356 1621 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
6e13d0a5
MT		 1622 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
1623 &Header::openbox('100%', 'LEFT', $Lang::tr{'are you sure'});
4c962356 1624 print <<END;
6e13d0a5
MT		 1625 <table><form method='post'><input type='hidden' name='AREUSURE' value='yes' />
1626 <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
1627 <tr><td align='center'>
1628 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: $assignedcerts
1629 $Lang::tr{'connections are associated with this ca. deleting the ca will delete these connections as well.'}
1630 <tr><td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />
1631 <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td></tr>
1632 </form></table>
1633END
1634 ;
1635 &Header::closebox();
1636 &Header::closebigbox();
1637 &Header::closepage();
1638 exit (0);
1639 } else {
1640 unlink ("${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
1641 delete $cahash{$cgiparams{'KEY'}};
1642 &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1643# system('/usr/local/bin/ipsecctrl', 'R');
1644 }
1645 } else {
1646 $errormessage = $Lang::tr{'invalid key'};
1647 }
1648
1649###
1650### Display root certificate
1651###
c6c9630e
MT		 1652}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} ||
1653 $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) {
2feacd98 1654 my @output;
c6c9630e 1655 &Header::showhttpheaders();
4c962356 1656 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
c6c9630e
MT		 1657 &Header::openbigbox('100%', 'LEFT', '', '');
1658 if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) {
1659 &Header::openbox('100%', 'LEFT', "$Lang::tr{'root certificate'}:");
2feacd98 1660 @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/cacert.pem");
c6c9630e
MT		 1661 } else {
1662 &Header::openbox('100%', 'LEFT', "$Lang::tr{'host certificate'}:");
2feacd98 1663 @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
c6c9630e 1664 }
8c946d1c
MT		 1665 my $output = &Header::cleanhtml(join("", @output), "y");
1666 print "<pre>$output</pre>\n";
c6c9630e
MT		 1667 &Header::closebox();
1668 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1669 &Header::closebigbox();
1670 &Header::closepage();
1671 exit(0);
1672
6e13d0a5
MT		 1673###
1674### Download root certificate
1675###
1676}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download root certificate'}) {
1677 if ( -f "${General::swroot}/ovpn/ca/cacert.pem" ) {
1678 print "Content-Type: application/octet-stream\r\n";
1679 print "Content-Disposition: filename=cacert.pem\r\n\r\n";
2feacd98
SS		 1680
1681 my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/ca/cacert.pem");
f158e71e 1682 print @tmp;
2feacd98 1683
6e13d0a5
MT		 1684 exit(0);
1685 }
66c36198 1686
6e13d0a5
MT		 1687###
1688### Download host certificate
1689###
1690}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download host certificate'}) {
1691 if ( -f "${General::swroot}/ovpn/certs/servercert.pem" ) {
1692 print "Content-Type: application/octet-stream\r\n";
1693 print "Content-Disposition: filename=servercert.pem\r\n\r\n";
2feacd98
SS		 1694
1695 my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
f158e71e 1696 print @tmp;
2feacd98 1697
6e13d0a5
MT		 1698 exit(0);
1699 }
f7fb5bc5 1700
fd5ccb2d
EK		 1701###
1702### Download tls-auth key
1703###
1704}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-auth key'}) {
1705 if ( -f "${General::swroot}/ovpn/certs/ta.key" ) {
1706 print "Content-Type: application/octet-stream\r\n";
1707 print "Content-Disposition: filename=ta.key\r\n\r\n";
2feacd98
SS		 1708
1709 open(FILE, "${General::swroot}/ovpn/certs/ta.key");
1710 my @tmp = <FILE>;
1711 close(FILE);
1712
f158e71e 1713 print @tmp;
2feacd98 1714
fd5ccb2d
EK		 1715 exit(0);
1716 }
1717
6e13d0a5
MT		 1718###
1719### Form for generating a root certificate
1720###
1721}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} ||
1722 $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
1723
1724 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1725 if (-f "${General::swroot}/ovpn/ca/cacert.pem") {
1726 $errormessage = $Lang::tr{'valid root certificate already exists'};
1727 $cgiparams{'ACTION'} = '';
1728 goto ROOTCERT_ERROR;
1729 }
1730
1731 if (($cgiparams{'ROOTCERT_HOSTNAME'} eq '') && -e "${General::swroot}/red/active") {
1732 if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
1733 my $ipaddr = <IPADDR>;
1734 close IPADDR;
1735 chomp ($ipaddr);
1736 $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
1737 if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
1738 $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
1739 }
1740 }
1741 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
2ad1b18b 1742 unless (ref ($cgiparams{'FH'})) {
6e13d0a5
MT		 1743 $errormessage = $Lang::tr{'there was no file upload'};
1744 goto ROOTCERT_ERROR;
1745 }
1746
1747 # Move uploaded certificate request to a temporary file
1748 (my $fh, my $filename) = tempfile( );
1749 if (copy ($cgiparams{'FH'}, $fh) != 1) {
1750 $errormessage = $!;
1751 goto ROOTCERT_ERROR;
1752 }
1753
1754 # Create a temporary dirctory
1755 my $tempdir = tempdir( CLEANUP => 1 );
1756
1757 # Extract the CA certificate from the file
1758 my $pid = open(OPENSSL, "|-");
1759 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1760 if ($pid) { # parent
1761 if ($cgiparams{'P12_PASS'} ne '') {
1762 print OPENSSL "$cgiparams{'P12_PASS'}\n";
1763 }
1764 close (OPENSSL);
1765 if ($?) {
1766 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1767 unlink ($filename);
1768 goto ROOTCERT_ERROR;
1769 }
1770 } else { # child
1771 unless (exec ('/usr/bin/openssl', 'pkcs12', '-cacerts', '-nokeys',
1772 '-in', $filename,
1773 '-out', "$tempdir/cacert.pem")) {
1774 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1775 unlink ($filename);
1776 goto ROOTCERT_ERROR;
1777 }
1778 }
1779
1780 # Extract the Host certificate from the file
1781 $pid = open(OPENSSL, "|-");
1782 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1783 if ($pid) { # parent
1784 if ($cgiparams{'P12_PASS'} ne '') {
1785 print OPENSSL "$cgiparams{'P12_PASS'}\n";
1786 }
1787 close (OPENSSL);
1788 if ($?) {
1789 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1790 unlink ($filename);
1791 goto ROOTCERT_ERROR;
1792 }
1793 } else { # child
1794 unless (exec ('/usr/bin/openssl', 'pkcs12', '-clcerts', '-nokeys',
1795 '-in', $filename,
1796 '-out', "$tempdir/hostcert.pem")) {
1797 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1798 unlink ($filename);
1799 goto ROOTCERT_ERROR;
1800 }
1801 }
1802
1803 # Extract the Host key from the file
1804 $pid = open(OPENSSL, "|-");
1805 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1806 if ($pid) { # parent
1807 if ($cgiparams{'P12_PASS'} ne '') {
1808 print OPENSSL "$cgiparams{'P12_PASS'}\n";
1809 }
1810 close (OPENSSL);
1811 if ($?) {
1812 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1813 unlink ($filename);
1814 goto ROOTCERT_ERROR;
1815 }
1816 } else { # child
1817 unless (exec ('/usr/bin/openssl', 'pkcs12', '-nocerts',
1818 '-nodes',
1819 '-in', $filename,
1820 '-out', "$tempdir/serverkey.pem")) {
1821 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1822 unlink ($filename);
1823 goto ROOTCERT_ERROR;
1824 }
1825 }
1826
cc79d281 1827 unless(move("$tempdir/cacert.pem", "${General::swroot}/ovpn/ca/cacert.pem")) {
6e13d0a5
MT		 1828 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1829 unlink ($filename);
1830 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1831 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1832 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1833 goto ROOTCERT_ERROR;
1834 }
1835
cc79d281 1836 unless(move("$tempdir/hostcert.pem", "${General::swroot}/ovpn/certs/servercert.pem")) {
6e13d0a5
MT		 1837 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1838 unlink ($filename);
1839 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1840 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1841 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1842 goto ROOTCERT_ERROR;
1843 }
1844
cc79d281 1845 unless(move("$tempdir/serverkey.pem", "${General::swroot}/ovpn/certs/serverkey.pem")) {
6e13d0a5
MT		 1846 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1847 unlink ($filename);
1848 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1849 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1850 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1851 goto ROOTCERT_ERROR;
1852 }
1853
1854 goto ROOTCERT_SUCCESS;
1855
1856 } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') {
1857
1858 # Validate input since the form was submitted
1859 if ($cgiparams{'ROOTCERT_ORGANIZATION'} eq ''){
1860 $errormessage = $Lang::tr{'organization cant be empty'};
1861 goto ROOTCERT_ERROR;
1862 }
1863 if (length($cgiparams{'ROOTCERT_ORGANIZATION'}) >60) {
1864 $errormessage = $Lang::tr{'organization too long'};
1865 goto ROOTCERT_ERROR;
1866 }
1867 if ($cgiparams{'ROOTCERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1868 $errormessage = $Lang::tr{'invalid input for organization'};
1869 goto ROOTCERT_ERROR;
1870 }
1871 if ($cgiparams{'ROOTCERT_HOSTNAME'} eq ''){
1872 $errormessage = $Lang::tr{'hostname cant be empty'};
1873 goto ROOTCERT_ERROR;
1874 }
1875 unless (&General::validfqdn($cgiparams{'ROOTCERT_HOSTNAME'}) || &General::validip($cgiparams{'ROOTCERT_HOSTNAME'})) {
1876 $errormessage = $Lang::tr{'invalid input for hostname'};
1877 goto ROOTCERT_ERROR;
1878 }
1879 if ($cgiparams{'ROOTCERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'ROOTCERT_EMAIL'}))) {
1880 $errormessage = $Lang::tr{'invalid input for e-mail address'};
1881 goto ROOTCERT_ERROR;
1882 }
1883 if (length($cgiparams{'ROOTCERT_EMAIL'}) > 40) {
1884 $errormessage = $Lang::tr{'e-mail address too long'};
1885 goto ROOTCERT_ERROR;
1886 }
1887 if ($cgiparams{'ROOTCERT_OU'} ne '' && $cgiparams{'ROOTCERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1888 $errormessage = $Lang::tr{'invalid input for department'};
1889 goto ROOTCERT_ERROR;
1890 }
1891 if ($cgiparams{'ROOTCERT_CITY'} ne '' && $cgiparams{'ROOTCERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1892 $errormessage = $Lang::tr{'invalid input for city'};
1893 goto ROOTCERT_ERROR;
1894 }
1895 if ($cgiparams{'ROOTCERT_STATE'} ne '' && $cgiparams{'ROOTCERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1896 $errormessage = $Lang::tr{'invalid input for state or province'};
1897 goto ROOTCERT_ERROR;
1898 }
1899 if ($cgiparams{'ROOTCERT_COUNTRY'} !~ /^[A-Z]*$/) {
1900 $errormessage = $Lang::tr{'invalid input for country'};
1901 goto ROOTCERT_ERROR;
1902 }
1903
1904 # Copy the cgisettings to vpnsettings and save the configfile
1905 $vpnsettings{'ROOTCERT_ORGANIZATION'} = $cgiparams{'ROOTCERT_ORGANIZATION'};
1906 $vpnsettings{'ROOTCERT_HOSTNAME'} = $cgiparams{'ROOTCERT_HOSTNAME'};
1907 $vpnsettings{'ROOTCERT_EMAIL'} = $cgiparams{'ROOTCERT_EMAIL'};
1908 $vpnsettings{'ROOTCERT_OU'} = $cgiparams{'ROOTCERT_OU'};
1909 $vpnsettings{'ROOTCERT_CITY'} = $cgiparams{'ROOTCERT_CITY'};
1910 $vpnsettings{'ROOTCERT_STATE'} = $cgiparams{'ROOTCERT_STATE'};
1911 $vpnsettings{'ROOTCERT_COUNTRY'} = $cgiparams{'ROOTCERT_COUNTRY'};
1912 &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
1913
1914 # Replace empty strings with a .
1915 (my $ou = $cgiparams{'ROOTCERT_OU'}) =~ s/^\s*$/\./;
1916 (my $city = $cgiparams{'ROOTCERT_CITY'}) =~ s/^\s*$/\./;
1917 (my $state = $cgiparams{'ROOTCERT_STATE'}) =~ s/^\s*$/\./;
1918
1919 # refresh
c6c9630e 1920 #system ('/bin/touch', "${General::swroot}/ovpn/gencanow");
66c36198 1921
6e13d0a5
MT		 1922 # Create the CA certificate
1923 my $pid = open(OPENSSL, "|-");
1924 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1925 if ($pid) { # parent
1926 print OPENSSL "$cgiparams{'ROOTCERT_COUNTRY'}\n";
1927 print OPENSSL "$state\n";
1928 print OPENSSL "$city\n";
1929 print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";
1930 print OPENSSL "$ou\n";
1931 print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'} CA\n";
1932 print OPENSSL "$cgiparams{'ROOTCERT_EMAIL'}\n";
1933 close (OPENSSL);
1934 if ($?) {
1935 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1936 unlink ("${General::swroot}/ovpn/ca/cakey.pem");
1937 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1938 goto ROOTCERT_ERROR;
1939 }
1940 } else { # child
badd8c1c 1941 unless (exec ('/usr/bin/openssl', 'req', '-x509', '-nodes',
49abe7af 1942 '-days', '999999', '-newkey', 'rsa:4096', '-sha512',
6e13d0a5
MT		 1943 '-keyout', "${General::swroot}/ovpn/ca/cakey.pem",
1944 '-out', "${General::swroot}/ovpn/ca/cacert.pem",
1945 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
1946 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1947 goto ROOTCERT_ERROR;
1948 }
1949 }
1950
1951 # Create the Host certificate request
1952 $pid = open(OPENSSL, "|-");
1953 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1954 if ($pid) { # parent
1955 print OPENSSL "$cgiparams{'ROOTCERT_COUNTRY'}\n";
1956 print OPENSSL "$state\n";
1957 print OPENSSL "$city\n";
1958 print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";
1959 print OPENSSL "$ou\n";
1960 print OPENSSL "$cgiparams{'ROOTCERT_HOSTNAME'}\n";
1961 print OPENSSL "$cgiparams{'ROOTCERT_EMAIL'}\n";
1962 print OPENSSL ".\n";
1963 print OPENSSL ".\n";
1964 close (OPENSSL);
1965 if ($?) {
1966 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1967 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1968 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1969 goto ROOTCERT_ERROR;
1970 }
1971 } else { # child
badd8c1c 1972 unless (exec ('/usr/bin/openssl', 'req', '-nodes',
4c962356 1973 '-newkey', 'rsa:2048',
6e13d0a5
MT		 1974 '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem",
1975 '-out', "${General::swroot}/ovpn/certs/serverreq.pem",
1976 '-extensions', 'server',
1977 '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) {
1978 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1979 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1980 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1981 unlink ("${General::swroot}/ovpn/ca/cakey.pem");
1982 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1983 goto ROOTCERT_ERROR;
1984 }
1985 }
66c36198 1986
6e13d0a5 1987 # Sign the host certificate request
2feacd98 1988 # This system call is safe, because all argeuments are passed as an array.
6e13d0a5
MT		 1989 system('/usr/bin/openssl', 'ca', '-days', '999999',
1990 '-batch', '-notext',
1991 '-in', "${General::swroot}/ovpn/certs/serverreq.pem",
1992 '-out', "${General::swroot}/ovpn/certs/servercert.pem",
1993 '-extensions', 'server',
1994 '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf");
1995 if ($?) {
1996 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1997 unlink ("${General::swroot}/ovpn/ca/cakey.pem");
1998 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1999 unlink ("${General::swroot}/ovpn/serverkey.pem");
2000 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
2001 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
c6c9630e 2002 &newcleanssldatabase();
6e13d0a5
MT		 2003 goto ROOTCERT_ERROR;
2004 } else {
2005 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
c6c9630e 2006 &deletebackupcert();
6e13d0a5
MT		 2007 }
2008
2009 # Create an empty CRL
2feacd98 2010 # System call is safe, because all arguments are passed as array.
6e13d0a5
MT		 2011 system('/usr/bin/openssl', 'ca', '-gencrl',
2012 '-out', "${General::swroot}/ovpn/crls/cacrl.pem",
2013 '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" );
2014 if ($?) {
2015 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
2016 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
2017 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
2018 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
66c36198 2019 unlink ("${General::swroot}/ovpn/crls/cacrl.pem");
c6c9630e 2020 &cleanssldatabase();
6e13d0a5 2021 goto ROOTCERT_ERROR;
c6c9630e
MT		 2022# } else {
2023# &cleanssldatabase();
6e13d0a5 2024 }
ae04d0a3 2025 # Create ta.key for tls-auth
2feacd98 2026 # This system call is safe, because all arguments are passed as an array.
acbd6ff4 2027 system('/usr/sbin/openvpn', '--genkey', 'secret', "${General::swroot}/ovpn/certs/ta.key");
ae04d0a3
EK		 2028 if ($?) {
2029 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
2030 &cleanssldatabase();
2031 goto ROOTCERT_ERROR;
2032 }
6e13d0a5 2033 # Create Diffie Hellmann Parameter
2feacd98 2034 # The system call is safe, because all arguments are passed as an array.
badd8c1c 2035 system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}");
6e13d0a5
MT		 2036 if ($?) {
2037 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
2038 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
2039 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
2040 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
2041 unlink ("${General::swroot}/ovpn/crls/cacrl.pem");
2042 unlink ("${General::swroot}/ovpn/ca/dh1024.pem");
c6c9630e 2043 &cleanssldatabase();
6e13d0a5 2044 goto ROOTCERT_ERROR;
c6c9630e
MT		 2045# } else {
2046# &cleanssldatabase();
4be45949 2047 }
6e13d0a5
MT		 2048 goto ROOTCERT_SUCCESS;
2049 }
2050 ROOTCERT_ERROR:
2051 if ($cgiparams{'ACTION'} ne '') {
2052 &Header::showhttpheaders();
4c962356 2053 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
6e13d0a5
MT		 2054 &Header::openbigbox('100%', 'LEFT', '', '');
2055 if ($errormessage) {
2056 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
2057 print "<class name='base'>$errormessage";
2058 print "&nbsp;</class>";
2059 &Header::closebox();
2060 }
2061 &Header::openbox('100%', 'LEFT', "$Lang::tr{'generate root/host certificates'}:");
49abe7af 2062 print <<END;
6e13d0a5
MT		 2063 <form method='post' enctype='multipart/form-data'>
2064 <table width='100%' border='0' cellspacing='1' cellpadding='0'>
e3edceeb 2065 <tr><td width='30%' class='base'>$Lang::tr{'organization name'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
6e13d0a5
MT		 2066 <td width='35%' class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_ORGANIZATION' value='$cgiparams{'ROOTCERT_ORGANIZATION'}' size='32' /></td>
2067 <td width='35%' colspan='2'>&nbsp;</td></tr>
e3edceeb 2068 <tr><td class='base'>$Lang::tr{'ipfires hostname'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
6e13d0a5
MT		 2069 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_HOSTNAME' value='$cgiparams{'ROOTCERT_HOSTNAME'}' size='32' /></td>
2070 <td colspan='2'>&nbsp;</td></tr>
e3edceeb 2071 <tr><td class='base'>$Lang::tr{'your e-mail'}:</td>
6e13d0a5
MT		 2072 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_EMAIL' value='$cgiparams{'ROOTCERT_EMAIL'}' size='32' /></td>
2073 <td colspan='2'>&nbsp;</td></tr>
e3edceeb 2074 <tr><td class='base'>$Lang::tr{'your department'}:</td>
6e13d0a5
MT		 2075 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_OU' value='$cgiparams{'ROOTCERT_OU'}' size='32' /></td>
2076 <td colspan='2'>&nbsp;</td></tr>
e3edceeb 2077 <tr><td class='base'>$Lang::tr{'city'}:</td>
6e13d0a5
MT		 2078 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_CITY' value='$cgiparams{'ROOTCERT_CITY'}' size='32' /></td>
2079 <td colspan='2'>&nbsp;</td></tr>
e3edceeb 2080 <tr><td class='base'>$Lang::tr{'state or province'}:</td>
6e13d0a5
MT		 2081 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_STATE' value='$cgiparams{'ROOTCERT_STATE'}' size='32' /></td>
2082 <td colspan='2'>&nbsp;</td></tr>
2083 <tr><td class='base'>$Lang::tr{'country'}:</td>
66c36198 2084 <td class='base'><select name='ROOTCERT_COUNTRY'>
6e13d0a5
MT		 2085
2086END
2087 ;
2088 foreach my $country (sort keys %{Countries::countries}) {
2089 print "<option value='$Countries::countries{$country}'";
2090 if ( $Countries::countries{$country} eq $cgiparams{'ROOTCERT_COUNTRY'} ) {
2091 print " selected='selected'";
2092 }
2093 print ">$country</option>";
2094 }
49abe7af 2095 print <<END;
6e13d0a5 2096 </select></td>
4c962356
EK		 2097 <tr><td class='base'>$Lang::tr{'ovpn dh'}:</td>
2098 <td class='base'><select name='DHLENGHT'>
4c962356
EK		 2099 <option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
2100 <option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
2101 <option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
2102 </select>
2103 </td>
2104 </tr>
2105
6e13d0a5
MT		 2106 <tr><td>&nbsp;</td>
2107 <td><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /></td>
66c36198 2108 <td>&nbsp;</td><td>&nbsp;</td></tr>
6e13d0a5 2109 <tr><td class='base' colspan='4' align='left'>
e3edceeb 2110 <img src='/blob.gif' valign='top' alt='*' />&nbsp;$Lang::tr{'required field'}</td></tr>
49abe7af
EK		 2111 <tr><td colspan='2'><br></td></tr>
2112 <table width='100%'>
2113 <tr>
2114 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}: </font></b>$Lang::tr{'ovpn generating the root and host certificates'}
2115 <td class='base'>$Lang::tr{'dh key warn'}</td>
4c962356 2116 </tr>
49abe7af
EK		 2117 <tr>
2118 <td class='base'>$Lang::tr{'dh key warn1'}</td>
4c962356 2119 </tr>
49abe7af
EK		 2120 <tr><td colspan='2'><br></td></tr>
2121 <tr>
2122 </table>
4c962356 2123
49abe7af 2124 <table width='100%'>
4c962356 2125 <tr><td colspan='4'><hr></td></tr>
e3edceeb 2126 <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload p12 file'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
6e13d0a5
MT		 2127 <td nowrap='nowrap'><input type='file' name='FH' size='32'></td>
2128 <td colspan='2'>&nbsp;</td></tr>
e3edceeb 2129 <tr><td class='base'>$Lang::tr{'pkcs12 file password'}:</td>
6e13d0a5
MT		 2130 <td class='base' nowrap='nowrap'><input type='password' name='P12_PASS' value='$cgiparams{'P12_PASS'}' size='32' /></td>
2131 <td colspan='2'>&nbsp;</td></tr>
2132 <tr><td>&nbsp;</td>
2133 <td><input type='submit' name='ACTION' value='$Lang::tr{'upload p12 file'}' /></td>
2134 <td colspan='2'>&nbsp;</td></tr>
2135 <tr><td class='base' colspan='4' align='left'>
e3edceeb 2136 <img src='/blob.gif' valign='top' alt='*' >&nbsp;$Lang::tr{'required field'}</td>
4c962356 2137 </tr>
6e13d0a5
MT		 2138 </form></table>
2139END
2140 ;
2141 &Header::closebox();
4c962356 2142 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
6e13d0a5
MT		 2143 &Header::closebigbox();
2144 &Header::closepage();
2145 exit(0)
2146 }
2147
2148 ROOTCERT_SUCCESS:
2feacd98 2149 &General::system("chmod", "600", "${General::swroot}/ovpn/certs/serverkey.pem");
c6c9630e
MT		 2150# if ($vpnsettings{'ENABLED'} eq 'on' ||
2151# $vpnsettings{'ENABLE_BLUE'} eq 'on') {
2152# system('/usr/local/bin/ipsecctrl', 'S');
2153# }
6e13d0a5
MT		 2154
2155###
2156### Enable/Disable connection
2157###
ce9abb66
AH		 2158
2159###
7c1d9faf 2160# m.a.d net2net
ce9abb66
AH		 2161###
2162
6e13d0a5 2163}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {
66c36198 2164
c6c9630e 2165 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
6e13d0a5 2166 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2feacd98
SS		 2167 my $n2nactive = '';
2168 my @ps = &General::system_output("/bin/ps", "ax");
2169
2170 if(grep(/$confighash{$cgiparams{'KEY'}}[1]/, @ps)) {
2171 $n2nactive = "1";
2172 }
66c36198 2173
6e13d0a5 2174 if ($confighash{$cgiparams{'KEY'}}) {
8c877a82
AM		 2175 if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') {
2176 $confighash{$cgiparams{'KEY'}}[0] = 'on';
2177 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
ce9abb66 2178
8c877a82 2179 if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
2feacd98 2180 &General::system("/usr/local/bin/openvpnctrl", "-sn2n", "$confighash{$cgiparams{'KEY'}}[1]");
775b4494 2181 &writecollectdconf();
8c877a82
AM		 2182 }
2183 } else {
ce9abb66 2184
8c877a82
AM		 2185 $confighash{$cgiparams{'KEY'}}[0] = 'off';
2186 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
ce9abb66 2187
8c877a82 2188 if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
775b4494 2189 if ($n2nactive ne '') {
2feacd98 2190 &General::system("/usr/local/bin/openvpnctrl", "-kn2n", "$confighash{$cgiparams{'KEY'}}[1]");
775b4494
AM		 2191 &writecollectdconf();
2192 }
8c877a82 2193 }
775b4494 2194 }
ce9abb66 2195 }
6e13d0a5
MT		 2196
2197###
2198### Download OpenVPN client package
2199###
ce9abb66
AH		 2200
2201
6e13d0a5
MT		 2202} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'dl client arch'}) {
2203 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
2204 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2205 my $file = '';
2206 my $clientovpn = '';
2207 my @fileholder;
2208 my $tempdir = tempdir( CLEANUP => 1 );
2209 my $zippath = "$tempdir/";
ce9abb66
AH		 2210
2211###
7c1d9faf
AH		 2212# m.a.d net2net
2213###
ce9abb66
AH		 2214
2215if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
66c36198 2216
ce9abb66
AH		 2217 my $zipname = "$confighash{$cgiparams{'KEY'}}[1]-Client.zip";
2218 my $zippathname = "$zippath$zipname";
66c36198 2219 $clientovpn = "$confighash{$cgiparams{'KEY'}}[1].conf";
ce9abb66 2220 my @ovsubnettemp = split(/\./,$confighash{$cgiparams{'KEY'}}[27]);
54fd0535 2221 my $ovsubnet = "$ovsubnettemp[0].$ovsubnettemp[1].$ovsubnettemp[2]";
66c36198 2222 my $tunmtu = '';
7c1d9faf 2223 my @remsubnet = split(/\//,$confighash{$cgiparams{'KEY'}}[8]);
54fd0535 2224 my $n2nfragment = '';
66c36198 2225
ce9abb66
AH		 2226 open(CLIENTCONF, ">$tempdir/$clientovpn") or die "Unable to open tempfile: $!";
2227 flock CLIENTCONF, 2;
66c36198 2228
ce9abb66 2229 my $zip = Archive::Zip->new();
7c1d9faf 2230 print CLIENTCONF "# IPFire n2n Open VPN Client Config by ummeegge und m.a.d\n";
ce9abb66 2231 print CLIENTCONF "# \n";
b278daf3 2232 print CLIENTCONF "# User Security\n";
ce9abb66
AH		 2233 print CLIENTCONF "user nobody\n";
2234 print CLIENTCONF "group nobody\n";
2235 print CLIENTCONF "persist-tun\n";
2236 print CLIENTCONF "persist-key\n";
7c1d9faf 2237 print CLIENTCONF "script-security 2\n";
66c36198 2238 print CLIENTCONF "# IP/DNS for remote Server Gateway\n";
531f0835 2239 print CLIENTCONF "remote $vpnsettings{'VPN_IP'}\n";
b278daf3 2240 print CLIENTCONF "float\n";
66c36198
PM		 2241 print CLIENTCONF "# IP adresses of the VPN Subnet\n";
2242 print CLIENTCONF "ifconfig $ovsubnet.2 $ovsubnet.1\n";
2243 print CLIENTCONF "# Server Gateway Network\n";
7c1d9faf 2244 print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n";
66c36198
PM		 2245 print CLIENTCONF "# tun Device\n";
2246 print CLIENTCONF "dev tun\n";
35a21a25
AM		 2247 print CLIENTCONF "#Logfile for statistics\n";
2248 print CLIENTCONF "status-version 1\n";
2249 print CLIENTCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n";
66c36198
PM		 2250 print CLIENTCONF "# Port and Protokoll\n";
2251 print CLIENTCONF "port $confighash{$cgiparams{'KEY'}}[29]\n";
2252
60f396d7 2253 if ($confighash{$cgiparams{'KEY'}}[28] eq 'tcp') {
1580d3b1 2254 print CLIENTCONF "proto tcp4-client\n";
60f396d7 2255 print CLIENTCONF "# Packet size\n";
d96c89eb 2256 if ($confighash{$cgiparams{'KEY'}}[31] eq '') {$tunmtu = '1400'} else {$tunmtu = $confighash{$cgiparams{'KEY'}}[31]};
60f396d7 2257 print CLIENTCONF "tun-mtu $tunmtu\n";
d96c89eb 2258 }
66c36198 2259
60f396d7 2260 if ($confighash{$cgiparams{'KEY'}}[28] eq 'udp') {
1580d3b1 2261 print CLIENTCONF "proto udp4\n";
60f396d7
AH		 2262 print CLIENTCONF "# Paketsize\n";
2263 if ($confighash{$cgiparams{'KEY'}}[31] eq '') {$tunmtu = '1500'} else {$tunmtu = $confighash{$cgiparams{'KEY'}}[31]};
2264 print CLIENTCONF "tun-mtu $tunmtu\n";
54fd0535 2265 if ($confighash{$cgiparams{'KEY'}}[24] ne '') {print CLIENTCONF "fragment $confighash{$cgiparams{'KEY'}}[24]\n";}
d6989b4b 2266 if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF "mssfix\n";} else { print CLIENTCONF "mssfix 0\n"; }
d96c89eb 2267 }
b66b02ab
EK		 2268 # Check host certificate if X509 is RFC3280 compliant.
2269 # If not, old --ns-cert-type directive will be used.
2270 # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
2feacd98
SS		 2271 my @hostcert = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
2272 if (! grep(/TLS Web Server Authentication/, @hostcert)) {
b66b02ab
EK		 2273 print CLIENTCONF "ns-cert-type server\n";
2274 } else {
2275 print CLIENTCONF "remote-cert-tls server\n";
2276 }
66c36198
PM		 2277 print CLIENTCONF "# Auth. Client\n";
2278 print CLIENTCONF "tls-client\n";
49abe7af 2279 print CLIENTCONF "# Cipher\n";
4c962356 2280 print CLIENTCONF "cipher $confighash{$cgiparams{'KEY'}}[40]\n";
66c36198 2281 if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") {
ce9abb66
AH		 2282 print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12\r\n";
2283 $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
49abe7af 2284 }
52f61e49
EKD		 2285
2286 # If GCM cipher is used, do not use --auth
2287 if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') ||
2288 ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') ||
2289 ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) {
2290 print CLIENTCONF unless "# HMAC algorithm\n";
2291 print CLIENTCONF unless "auth $confighash{$cgiparams{'KEY'}}[39]\n";
49abe7af 2292 } else {
52f61e49
EKD		 2293 print CLIENTCONF "# HMAC algorithm\n";
2294 print CLIENTCONF "auth $confighash{$cgiparams{'KEY'}}[39]\n";
49abe7af 2295 }
52f61e49 2296
4c962356 2297 if ($confighash{$cgiparams{'KEY'}}[30] eq 'on') {
b278daf3 2298 print CLIENTCONF "# Enable Compression\n";
66298ef2 2299 print CLIENTCONF "comp-lzo\n";
b278daf3 2300 }
66c36198
PM		 2301 print CLIENTCONF "# Debug Level\n";
2302 print CLIENTCONF "verb 3\n";
2303 print CLIENTCONF "# Tunnel check\n";
2304 print CLIENTCONF "keepalive 10 60\n";
2305 print CLIENTCONF "# Start as daemon\n";
2306 print CLIENTCONF "daemon $confighash{$cgiparams{'KEY'}}[1]n2n\n";
2307 print CLIENTCONF "writepid /var/run/$confighash{$cgiparams{'KEY'}}[1]n2n.pid\n";
2308 print CLIENTCONF "# Activate Management Interface and Port\n";
54fd0535
MT		 2309 if ($confighash{$cgiparams{'KEY'}}[22] eq '') {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[29]\n"}
2310 else {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[22]\n"};
ce9abb66 2311 print CLIENTCONF "# remsub $confighash{$cgiparams{'KEY'}}[11]\n";
66c36198 2312
ce9abb66
AH		 2313
2314 close(CLIENTCONF);
66c36198 2315
ce9abb66
AH		 2316 $zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n";
2317 my $status = $zip->writeToFileNamed($zippathname);
2318
2319 open(DLFILE, "<$zippathname") or die "Unable to open $zippathname: $!";
2320 @fileholder = <DLFILE>;
2321 print "Content-Type:application/x-download\n";
2322 print "Content-Disposition:attachment;filename=$zipname\n\n";
2323 print @fileholder;
2324 exit (0);
2325}
2326else
2327{
2328 my $zipname = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.zip";
2329 my $zippathname = "$zippath$zipname";
2330 $clientovpn = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.ovpn";
2331
2332###
7c1d9faf 2333# m.a.d net2net
ce9abb66 2334###
66c36198 2335
c6c9630e 2336 open(CLIENTCONF, ">$tempdir/$clientovpn") or die "Unable to open tempfile: $!";
6e13d0a5 2337 flock CLIENTCONF, 2;
66c36198 2338
6e13d0a5 2339 my $zip = Archive::Zip->new();
66c36198 2340
8c877a82 2341 print CLIENTCONF "#OpenVPN Client conf\r\n";
6e13d0a5
MT		 2342 print CLIENTCONF "tls-client\r\n";
2343 print CLIENTCONF "client\r\n";
4f6e3ae3 2344 print CLIENTCONF "nobind\r\n";
79e7688b 2345 print CLIENTCONF "dev tun\r\n";
c6c9630e 2346 print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n";
d6989b4b 2347 print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n";
2ee746be 2348
6e13d0a5
MT		 2349 if ( $vpnsettings{'ENABLED'} eq 'on'){
2350 print CLIENTCONF "remote $vpnsettings{'VPN_IP'} $vpnsettings{'DDEST_PORT'}\r\n";
66c36198 2351 if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&haveBlueNet())){
574f4538 2352 print CLIENTCONF "#comment the above line and uncomment the next line, if you want to connect on the Blue interface\r\n";
c6c9630e
MT		 2353 print CLIENTCONF ";remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
2354 }
2355 if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){
574f4538 2356 print CLIENTCONF "#comment the above line and uncomment the next line, if you want to connect on the Orange interface\r\n";
c6c9630e
MT		 2357 print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
2358 }
2359 } elsif ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&haveBlueNet())){
2360 print CLIENTCONF "remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
2361 if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){
574f4538 2362 print CLIENTCONF "#comment the above line and uncomment the next line, if you want to connect on the Orange interface\r\n";
c6c9630e
MT		 2363 print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
2364 }
2365 } elsif ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){
2366 print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
6e13d0a5 2367 }
66c36198 2368
71af643c
MT		 2369 my $file_crt = new File::Temp( UNLINK => 1 );
2370 my $file_key = new File::Temp( UNLINK => 1 );
b22d8aaf 2371 my $include_certs = 0;
71af643c 2372
66c36198 2373 if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") {
71af643c 2374 if ($cgiparams{'MODE'} eq 'insecure') {
b22d8aaf
MT		 2375 $include_certs = 1;
2376
71af643c 2377 # Add the CA
b22d8aaf 2378 print CLIENTCONF ";ca cacert.pem\r\n";
71af643c
MT		 2379 $zip->addFile("${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n";
2380
2381 # Extract the certificate
2feacd98 2382 # This system call is safe, because all arguments are passed as an array.
71af643c
MT		 2383 system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
2384 '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:');
2385 if ($?) {
2386 die "openssl error: $?";
2387 }
2388
2389 $zip->addFile("$file_crt", "$confighash{$cgiparams{'KEY'}}[1].pem") or die;
b22d8aaf 2390 print CLIENTCONF ";cert $confighash{$cgiparams{'KEY'}}[1].pem\r\n";
71af643c
MT		 2391
2392 # Extract the key
2feacd98 2393 # This system call is safe, because all arguments are passed as an array.
71af643c
MT		 2394 system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
2395 '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:');
2396 if ($?) {
2397 die "openssl error: $?";
2398 }
2399
2400 $zip->addFile("$file_key", "$confighash{$cgiparams{'KEY'}}[1].key") or die;
b22d8aaf 2401 print CLIENTCONF ";key $confighash{$cgiparams{'KEY'}}[1].key\r\n";
71af643c
MT		 2402 } else {
2403 print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
2404 $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
2405 }
6e13d0a5 2406 } else {
c6c9630e
MT		 2407 print CLIENTCONF "ca cacert.pem\r\n";
2408 print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n";
2409 print CLIENTCONF "key $confighash{$cgiparams{'KEY'}}[1].key\r\n";
2410 $zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n";
66c36198 2411 $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n";
6e13d0a5
MT		 2412 }
2413 print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n";
49abe7af 2414 print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
86308adb 2415
49abe7af 2416 if ($vpnsettings{'TLSAUTH'} eq 'on') {
b22d8aaf
MT		 2417 if ($cgiparams{'MODE'} eq 'insecure') {
2418 print CLIENTCONF ";";
2419 }
4be45949
EK		 2420 print CLIENTCONF "tls-auth ta.key\r\n";
2421 $zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key") or die "Can't add file ta.key\n";
49abe7af 2422 }
6e13d0a5
MT		 2423 if ($vpnsettings{DCOMPLZO} eq 'on') {
2424 print CLIENTCONF "comp-lzo\r\n";
2425 }
2426 print CLIENTCONF "verb 3\r\n";
b66b02ab
EK		 2427 # Check host certificate if X509 is RFC3280 compliant.
2428 # If not, old --ns-cert-type directive will be used.
2429 # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
2feacd98
SS		 2430 my @hostcert = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
2431 if (! grep(/TLS Web Server Authentication/, @hostcert)) {
b66b02ab
EK		 2432 print CLIENTCONF "ns-cert-type server\r\n";
2433 } else {
2434 print CLIENTCONF "remote-cert-tls server\r\n";
2435 }
964700d4 2436 print CLIENTCONF "verify-x509-name $vpnsettings{ROOTCERT_HOSTNAME} name\r\n";
a79fa1d6
JPT		 2437 if ($vpnsettings{MSSFIX} eq 'on') {
2438 print CLIENTCONF "mssfix\r\n";
d6989b4b
MT		 2439 } else {
2440 print CLIENTCONF "mssfix 0\r\n";
a79fa1d6 2441 }
74225cce 2442 if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' ) {
a79fa1d6
JPT		 2443 print CLIENTCONF "fragment $vpnsettings{'FRAGMENT'}\r\n";
2444 }
a9998867
MT		 2445
2446 # Disable storing any credentials in memory
2447 print CLIENTCONF "auth-nocache\r\n";
2448
2449 # Set a fake user name for authentication
2450 print CLIENTCONF "auth-token-user USER\r\n";
2451 print CLIENTCONF "auth-token TOTP\r\n";
2452
2453 # If the server is asking for TOTP this needs to happen interactively
2454 print CLIENTCONF "auth-retry interact\r\n";
1647059d 2455
b22d8aaf
MT		 2456 if ($include_certs) {
2457 print CLIENTCONF "\r\n";
2458
2459 # CA
2460 open(FILE, "<${General::swroot}/ovpn/ca/cacert.pem");
2461 print CLIENTCONF "<ca>\r\n";
2462 while (<FILE>) {
2463 chomp($_);
2464 print CLIENTCONF "$_\r\n";
2465 }
2466 print CLIENTCONF "</ca>\r\n\r\n";
2467 close(FILE);
2468
2469 # Cert
2470 open(FILE, "<$file_crt");
2471 print CLIENTCONF "<cert>\r\n";
2472 while (<FILE>) {
2473 chomp($_);
2474 print CLIENTCONF "$_\r\n";
2475 }
2476 print CLIENTCONF "</cert>\r\n\r\n";
2477 close(FILE);
2478
2479 # Key
2480 open(FILE, "<$file_key");
2481 print CLIENTCONF "<key>\r\n";
2482 while (<FILE>) {
2483 chomp($_);
2484 print CLIENTCONF "$_\r\n";
2485 }
2486 print CLIENTCONF "</key>\r\n\r\n";
2487 close(FILE);
2488
2489 # TLS auth
2490 if ($vpnsettings{'TLSAUTH'} eq 'on') {
2491 open(FILE, "<${General::swroot}/ovpn/certs/ta.key");
2492 print CLIENTCONF "<tls-auth>\r\n";
2493 while (<FILE>) {
2494 chomp($_);
2495 print CLIENTCONF "$_\r\n";
2496 }
2497 print CLIENTCONF "</tls-auth>\r\n\r\n";
2498 close(FILE);
2499 }
2500 }
2501
ffbe77c8
EK		 2502 # Print client.conf.local if entries exist to client.ovpn
2503 if (!-z $local_clientconf && $vpnsettings{'ADDITIONAL_CONFIGS'} eq 'on') {
2504 open (LCC, "$local_clientconf");
2505 print CLIENTCONF "\n#---------------------------\n";
2506 print CLIENTCONF "# Start of custom directives\n";
2507 print CLIENTCONF "# from client.conf.local\n";
2508 print CLIENTCONF "#---------------------------\n\n";
2509 while (<LCC>) {
2510 print CLIENTCONF $_;
2511 }
2512 print CLIENTCONF "\n#---------------------------\n";
2513 print CLIENTCONF "# End of custom directives\n";
2514 print CLIENTCONF "#---------------------------\n\n";
2515 close (LCC);
2516 }
6e13d0a5 2517 close(CLIENTCONF);
66c36198 2518
6e13d0a5
MT		 2519 $zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n";
2520 my $status = $zip->writeToFileNamed($zippathname);
2521
2522 open(DLFILE, "<$zippathname") or die "Unable to open $zippathname: $!";
2523 @fileholder = <DLFILE>;
2524 print "Content-Type:application/x-download\n";
2525 print "Content-Disposition:attachment;filename=$zipname\n\n";
2526 print @fileholder;
2527 exit (0);
ce9abb66 2528 }
66c36198
PM		 2529
2530
2531
6e13d0a5
MT		 2532###
2533### Remove connection
2534###
ce9abb66
AH		 2535
2536
6e13d0a5 2537} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) {
323be7c4
AM		 2538 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
2539 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
c6c9630e 2540
323be7c4 2541 if ($confighash{$cgiparams{'KEY'}}) {
fde9c9dd 2542 # Revoke certificate if certificate was deleted and rewrite the CRL
274ca65b 2543 &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
2feacd98 2544 &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
ce9abb66
AH		 2545
2546###
7c1d9faf 2547# m.a.d net2net
ce9abb66 2548###
7c1d9faf 2549
323be7c4 2550 if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') {
1e499e90 2551 # Stop the N2N connection before it is removed
2feacd98 2552 &General::system("/usr/local/bin/openvpnctrl", "-kn2n", "$confighash{$cgiparams{'KEY'}}[1]");
1e499e90 2553
323be7c4
AM		 2554 my $conffile = glob("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]/$confighash{$cgiparams{'KEY'}}[1].conf");
2555 my $certfile = glob("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
2556 unlink ($certfile);
2557 unlink ($conffile);
8e6a8fd5 2558
323be7c4
AM		 2559 if (-e "${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") {
2560 rmdir ("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") || die "Kann Verzeichnis nicht loeschen: $!";
2561 }
323be7c4 2562 }
ce9abb66 2563
323be7c4
AM		 2564 unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
2565 unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
8c877a82
AM		 2566
2567# A.Marx CCD delete ccd files and routes
2568
323be7c4
AM		 2569 if (-f "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]")
2570 {
2571 unlink "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]";
8c877a82 2572 }
66c36198 2573
323be7c4
AM		 2574 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
2575 foreach my $key (keys %ccdroutehash) {
2576 if ($ccdroutehash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){
2577 delete $ccdroutehash{$key};
2578 }
8c877a82 2579 }
323be7c4 2580 &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
66c36198 2581
323be7c4
AM		 2582 &General::readhasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
2583 foreach my $key (keys %ccdroute2hash) {
2584 if ($ccdroute2hash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){
2585 delete $ccdroute2hash{$key};
2586 }
2587 }
2588 &General::writehasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
2589 &writeserverconf;
8c877a82 2590
323be7c4
AM		 2591# CCD end
2592 # Update collectd configuration and delete all RRD files of the removed connection
2593 &writecollectdconf();
2feacd98 2594 &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]");
8c877a82 2595
323be7c4 2596 delete $confighash{$cgiparams{'KEY'}};
2feacd98 2597 &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
323be7c4
AM		 2598 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2599
2600 } else {
2601 $errormessage = $Lang::tr{'invalid key'};
2602 }
b2e75449 2603 &General::firewall_reload();
ce9abb66 2604
6e13d0a5
MT		 2605###
2606### Download PKCS12 file
2607###
2608} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download pkcs12 file'}) {
2609 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2610
2611 print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n";
2612 print "Content-Type: application/octet-stream\r\n\r\n";
2feacd98
SS		 2613
2614 open(FILE, "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
2615 my @tmp = <FILE>;
2616 close(FILE);
2617
f158e71e 2618 print @tmp;
6e13d0a5
MT		 2619 exit (0);
2620
2621###
2622### Display certificate
2623###
2624} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show certificate'}) {
2625 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2626
2627 if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
c6c9630e 2628 &Header::showhttpheaders();
4c962356 2629 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
c6c9630e
MT		 2630 &Header::openbigbox('100%', 'LEFT', '', '');
2631 &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate'}:");
2feacd98 2632 my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
8c946d1c
MT		 2633 my $output = &Header::cleanhtml(join("", @output), "y");
2634 print "<pre>$output</pre>\n";
c6c9630e
MT		 2635 &Header::closebox();
2636 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2637 &Header::closebigbox();
2638 &Header::closepage();
2639 exit(0);
6e13d0a5 2640 }
4c962356 2641
e1e10515
TE		 2642###
2643### Display OTP QRCode
2644###
2645} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show otp qrcode'}) {
2646 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2647
e1e10515
TE		 2648 my $qrcode = Imager::QRCode->new(
2649 size => 6,
2650 margin => 0,
2651 version => 0,
2652 level => 'M',
2653 mode => '8-bit',
2654 casesensitive => 1,
2655 lightcolor => Imager::Color->new(255, 255, 255),
2656 darkcolor => Imager::Color->new(0, 0, 0),
2657 );
3740b7ad 2658 my $cn = uri_encode($confighash{$cgiparams{'KEY'}}[2]);
10b32d38 2659 my $secret = encode_base32(pack('H*', $confighash{$cgiparams{'KEY'}}[44]));
3740b7ad 2660 my $issuer = uri_encode("$mainsettings{'HOSTNAME'}.$mainsettings{'DOMAINNAME'}");
e1e10515
TE		 2661 my $qrcodeimg = $qrcode->plot("otpauth://totp/$cn?secret=$secret&issuer=$issuer");
2662 my $qrcodeimgdata;
2663 $qrcodeimg->write(data => \$qrcodeimgdata, type=> 'png')
2664 or die $qrcodeimg->errstr;
2665 $qrcodeimgdata = encode_base64($qrcodeimgdata, '');
2666
2667 &Header::showhttpheaders();
2668 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
2669 &Header::openbigbox('100%', 'LEFT', '', '');
2670 &Header::openbox('100%', 'LEFT', "$Lang::tr{'otp qrcode'}:");
2671 print <<END;
2672$Lang::tr{'secret'}:&nbsp;$secret</br></br>
2673<img alt="$Lang::tr{'otp qrcode'}" src="data:image/png;base64,$qrcodeimgdata">
2674END
2675 &Header::closebox();
2676 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2677 &Header::closebigbox();
2678 &Header::closepage();
2679 exit(0);
2680
4c962356
EK		 2681###
2682### Display Diffie-Hellman key
2683###
2684} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show dh'}) {
2685
2686 if (! -e "${General::swroot}/ovpn/ca/dh1024.pem") {
49abe7af 2687 $errormessage = $Lang::tr{'not present'};
4c962356
EK		 2688 } else {
2689 &Header::showhttpheaders();
2690 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
2691 &Header::openbigbox('100%', 'LEFT', '', '');
2692 &Header::openbox('100%', 'LEFT', "$Lang::tr{'dh'}:");
2feacd98 2693 my @output = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/dh1024.pem");
8c946d1c
MT		 2694 my $output = &Header::cleanhtml(join("", @output) ,"y");
2695 print "<pre>$output</pre>\n";
4c962356
EK		 2696 &Header::closebox();
2697 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2698 &Header::closebigbox();
2699 &Header::closepage();
2700 exit(0);
2701 }
2702
fd5ccb2d
EK		 2703###
2704### Display tls-auth key
2705###
2706} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show tls-auth key'}) {
2707
2708 if (! -e "${General::swroot}/ovpn/certs/ta.key") {
2709 $errormessage = $Lang::tr{'not present'};
2710 } else {
2711 &Header::showhttpheaders();
2712 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
2713 &Header::openbigbox('100%', 'LEFT', '', '');
2714 &Header::openbox('100%', 'LEFT', "$Lang::tr{'ta key'}:");
2feacd98
SS		 2715
2716 open(FILE, "${General::swroot}/ovpn/certs/ta.key");
2717 my @output = <FILE>;
2718 close(FILE);
2719
8c946d1c
MT		 2720 my $output = &Header::cleanhtml(join("", @output),"y");
2721 print "<pre>$output</pre>\n";
fd5ccb2d
EK		 2722 &Header::closebox();
2723 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2724 &Header::closebigbox();
2725 &Header::closepage();
2726 exit(0);
2727 }
2728
6e13d0a5
MT		 2729###
2730### Display Certificate Revoke List
2731###
2732} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show crl'}) {
c6c9630e
MT		 2733# &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2734
49abe7af
EK		 2735 if (! -e "${General::swroot}/ovpn/crls/cacrl.pem") {
2736 $errormessage = $Lang::tr{'not present'};
2737 } else {
b2e75449
MT		 2738 &Header::showhttpheaders();
2739 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
2740 &Header::openbigbox('100%', 'LEFT', '', '');
2741 &Header::openbox('100%', 'LEFT', "$Lang::tr{'crl'}:");
2feacd98 2742 my @output = &General::system_output("/usr/bin/openssl", "crl", "-text", "-noout", "-in", "${General::swroot}/ovpn/crls/cacrl.pem");
8c946d1c
MT		 2743 my $output = &Header::cleanhtml(join("", @output), "y");
2744 print "<pre>$output</pre>\n";
b2e75449
MT		 2745 &Header::closebox();
2746 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2747 &Header::closebigbox();
2748 &Header::closepage();
2749 exit(0);
6e13d0a5
MT		 2750 }
2751
2752###
2753### Advanced Server Settings
2754###
2755
2756} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'advanced server'}) {
2757 %cgiparams = ();
2758 %cahash = ();
2759 %confighash = ();
8c877a82 2760 my $disabled;
6e13d0a5 2761 &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams);
54fd0535 2762 read_routepushfile;
66c36198
PM		 2763
2764
c6c9630e 2765# if ($cgiparams{'CLIENT2CLIENT'} eq '') {
66c36198 2766# $cgiparams{'CLIENT2CLIENT'} = 'on';
c6c9630e 2767# }
6e13d0a5
MT		 2768ADV_ERROR:
2769 if ($cgiparams{'MAX_CLIENTS'} eq '') {
4c962356 2770 $cgiparams{'MAX_CLIENTS'} = '100';
6e13d0a5 2771 }
6e13d0a5 2772 if ($cgiparams{'KEEPALIVE_1'} eq '') {
4c962356 2773 $cgiparams{'KEEPALIVE_1'} = '10';
6e13d0a5
MT		 2774 }
2775 if ($cgiparams{'KEEPALIVE_2'} eq '') {
4c962356 2776 $cgiparams{'KEEPALIVE_2'} = '60';
6e13d0a5
MT		 2777 }
2778 if ($cgiparams{'LOG_VERB'} eq '') {
4c962356 2779 $cgiparams{'LOG_VERB'} = '3';
ae9f6139 2780 }
f527e53f 2781 if ($cgiparams{'TLSAUTH'} eq '') {
754066e6 2782 $cgiparams{'TLSAUTH'} = 'off';
f527e53f 2783 }
6e13d0a5
MT		 2784 $checked{'CLIENT2CLIENT'}{'off'} = '';
2785 $checked{'CLIENT2CLIENT'}{'on'} = '';
2786 $checked{'CLIENT2CLIENT'}{$cgiparams{'CLIENT2CLIENT'}} = 'CHECKED';
2787 $checked{'REDIRECT_GW_DEF1'}{'off'} = '';
2788 $checked{'REDIRECT_GW_DEF1'}{'on'} = '';
2789 $checked{'REDIRECT_GW_DEF1'}{$cgiparams{'REDIRECT_GW_DEF1'}} = 'CHECKED';
13389777
EK		 2790 $checked{'DCOMPLZO'}{'off'} = '';
2791 $checked{'DCOMPLZO'}{'on'} = '';
2792 $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED';
ffbe77c8
EK		 2793 $checked{'ADDITIONAL_CONFIGS'}{'off'} = '';
2794 $checked{'ADDITIONAL_CONFIGS'}{'on'} = '';
2795 $checked{'ADDITIONAL_CONFIGS'}{$cgiparams{'ADDITIONAL_CONFIGS'}} = 'CHECKED';
a79fa1d6
JPT		 2796 $checked{'MSSFIX'}{'off'} = '';
2797 $checked{'MSSFIX'}{'on'} = '';
2798 $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
49abe7af 2799 $selected{'LOG_VERB'}{'0'} = '';
6e13d0a5
MT		 2800 $selected{'LOG_VERB'}{'1'} = '';
2801 $selected{'LOG_VERB'}{'2'} = '';
2802 $selected{'LOG_VERB'}{'3'} = '';
2803 $selected{'LOG_VERB'}{'4'} = '';
2804 $selected{'LOG_VERB'}{'5'} = '';
2805 $selected{'LOG_VERB'}{'6'} = '';
2806 $selected{'LOG_VERB'}{'7'} = '';
2807 $selected{'LOG_VERB'}{'8'} = '';
2808 $selected{'LOG_VERB'}{'9'} = '';
2809 $selected{'LOG_VERB'}{'10'} = '';
2810 $selected{'LOG_VERB'}{'11'} = '';
6e13d0a5 2811 $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED';
66c36198 2812
6e13d0a5
MT		 2813 &Header::showhttpheaders();
2814 &Header::openpage($Lang::tr{'status ovpn'}, 1, '');
66c36198 2815 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
6e13d0a5 2816 if ($errormessage) {
c6c9630e
MT		 2817 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
2818 print "<class name='base'>$errormessage\n";
2819 print "&nbsp;</class>\n";
2820 &Header::closebox();
6e13d0a5
MT		 2821 }
2822 &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'});
4c962356 2823 print <<END;
b376fae4 2824 <form method='post' enctype='multipart/form-data'>
b2e75449 2825<table width='100%' border=0>
4c962356
EK		 2826 <tr>
2827 <td colspan='4'><b>$Lang::tr{'dhcp-options'}</b></td>
6e13d0a5
MT		 2828 </tr>
2829 <tr>
4c962356 2830 <td width='25%'></td> <td width='20%'> </td><td width='25%'> </td><td width='30%'></td>
66c36198
PM		 2831 </tr>
2832 <tr>
4c962356 2833 <td class='base'>Domain</td>
8c877a82 2834 <td><input type='TEXT' name='DHCP_DOMAIN' value='$cgiparams{'DHCP_DOMAIN'}' size='30' /></td>
6e13d0a5 2835 </tr>
66c36198 2836 <tr>
4c962356
EK		 2837 <td class='base'>DNS</td>
2838 <td><input type='TEXT' name='DHCP_DNS' value='$cgiparams{'DHCP_DNS'}' size='30' /></td>
66c36198
PM		 2839 </tr>
2840 <tr>
4c962356
EK		 2841 <td class='base'>WINS</td>
2842 <td><input type='TEXT' name='DHCP_WINS' value='$cgiparams{'DHCP_WINS'}' size='30' /></td>
2843 </tr>
54fd0535 2844 <tr>
4c962356 2845 <td colspan='4'><b>$Lang::tr{'ovpn routes push options'}</b></td>
54fd0535 2846 </tr>
66c36198 2847 <tr>
4c962356
EK		 2848 <td class='base'>$Lang::tr{'ovpn routes push'}</td>
2849 <td colspan='2'>
2850 <textarea name='ROUTES_PUSH' cols='26' rows='6' wrap='off'>
54fd0535
MT		 2851END
2852;
2853
2854if ($cgiparams{'ROUTES_PUSH'} ne '')
2855{
2856 print $cgiparams{'ROUTES_PUSH'};
2857}
2858
8c877a82 2859print <<END;
54fd0535
MT		 2860</textarea></td>
2861</tr>
6e13d0a5
MT		 2862 </tr>
2863</table>
2864<hr size='1'>
4c962356 2865<table width='100%'>
ffbe77c8 2866 <tr>
4c962356 2867 <td class'base'><b>$Lang::tr{'misc-options'}</b></td>
ffbe77c8
EK		 2868 </tr>
2869
2870 <tr>
d2de0a00 2871 <td width='20%'></td> <td width='15%'> </td><td width='35%'> </td><td width='20%'></td><td width='35%'></td>
ffbe77c8
EK		 2872 </tr>
2873
2874 <tr>
4c962356
EK		 2875 <td class='base'>Client-To-Client</td>
2876 <td><input type='checkbox' name='CLIENT2CLIENT' $checked{'CLIENT2CLIENT'}{'on'} /></td>
ffbe77c8
EK		 2877 </tr>
2878
2879 <tr>
4c962356
EK		 2880 <td class='base'>Redirect-Gateway def1</td>
2881 <td><input type='checkbox' name='REDIRECT_GW_DEF1' $checked{'REDIRECT_GW_DEF1'}{'on'} /></td>
ffbe77c8
EK		 2882 </tr>
2883
13389777
EK		 2884 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'}</td>
2885 <td><input type='checkbox' name='DCOMPLZO' $checked{'DCOMPLZO'}{'on'} /></td>
2886 <td>$Lang::tr{'openvpn default'}: off <font color='red'>($Lang::tr{'attention'} exploitable via Voracle)</font></td>
2887 </tr>
2888
4c962356 2889 <tr>
ffbe77c8
EK		 2890 <td class='base'>$Lang::tr{'ovpn add conf'}</td>
2891 <td><input type='checkbox' name='ADDITIONAL_CONFIGS' $checked{'ADDITIONAL_CONFIGS'}{'on'} /></td>
2892 <td>$Lang::tr{'openvpn default'}: off</td>
2893 </tr>
2894
2895 <tr>
2896 <td class='base'>mssfix</td>
2897 <td><input type='checkbox' name='MSSFIX' $checked{'MSSFIX'}{'on'} /></td>
2898 <td>$Lang::tr{'openvpn default'}: off</td>
2899 </tr>
2900
4c962356 2901 <tr>
ffbe77c8
EK		 2902 <td class='base'>fragment <br></td>
2903 <td><input type='TEXT' name='FRAGMENT' value='$cgiparams{'FRAGMENT'}' size='10' /></td>
2904 </tr>
2905
2906
2907 <tr>
2908 <td class='base'>Max-Clients</td>
2909 <td><input type='text' name='MAX_CLIENTS' value='$cgiparams{'MAX_CLIENTS'}' size='10' /></td>
2910 </tr>
2911 <tr>
2912 <td class='base'>Keepalive <br />
2913 (ping/ping-restart)</td>
2914 <td><input type='TEXT' name='KEEPALIVE_1' value='$cgiparams{'KEEPALIVE_1'}' size='10' /></td>
2915 <td><input type='TEXT' name='KEEPALIVE_2' value='$cgiparams{'KEEPALIVE_2'}' size='10' /></td>
2916 </tr>
a79fa1d6
JPT		 2917</table>
2918
a79fa1d6 2919<hr size='1'>
4c962356 2920<table width='100%'>
a79fa1d6 2921 <tr>
49abe7af 2922 <td class'base'><b>$Lang::tr{'log-options'}</b></td>
a79fa1d6
JPT		 2923 </tr>
2924 <tr>
49abe7af 2925 <td width='20%'></td> <td width='30%'> </td><td width='25%'> </td><td width='25%'></td>
4c962356
EK		 2926 </tr>
2927
2928 <tr><td class='base'>VERB</td>
2929 <td><select name='LOG_VERB'>
49abe7af
EK		 2930 <option value='0' $selected{'LOG_VERB'}{'0'}>0</option>
2931 <option value='1' $selected{'LOG_VERB'}{'1'}>1</option>
2932 <option value='2' $selected{'LOG_VERB'}{'2'}>2</option>
2933 <option value='3' $selected{'LOG_VERB'}{'3'}>3</option>
2934 <option value='4' $selected{'LOG_VERB'}{'4'}>4</option>
2935 <option value='5' $selected{'LOG_VERB'}{'5'}>5</option>
2936 <option value='6' $selected{'LOG_VERB'}{'6'}>6</option>
2937 <option value='7' $selected{'LOG_VERB'}{'7'}>7</option>
2938 <option value='8' $selected{'LOG_VERB'}{'8'}>8</option>
2939 <option value='9' $selected{'LOG_VERB'}{'9'}>9</option>
2940 <option value='10' $selected{'LOG_VERB'}{'10'}>10</option>
2941 <option value='11' $selected{'LOG_VERB'}{'11'}>11</option>
2942 </td></select>
2943 </table>
4c962356 2944
6e13d0a5 2945<hr size='1'>
8c877a82
AM		 2946END
2947
2948if ( -e "/var/run/openvpn.pid"){
2949print" <br><b><font color='#990000'>$Lang::tr{'attention'}:</b></font><br>
2950 $Lang::tr{'server restart'}<br><br>
2951 <hr>";
49abe7af 2952 print<<END;
52d08bcb
AM		 2953<table width='100%'>
2954<tr>
2955 <td>&nbsp;</td>
2956 <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-adv-options'}' disabled='disabled' /></td>
2957 <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td>
66c36198 2958 <td>&nbsp;</td>
52d08bcb 2959</tr>
66c36198 2960</table>
52d08bcb
AM		 2961</form>
2962END
66c36198
PM		 2963;
2964
2965
52d08bcb 2966}else{
8c877a82 2967
49abe7af 2968 print<<END;
6e13d0a5
MT		 2969<table width='100%'>
2970<tr>
2971 <td>&nbsp;</td>
2972 <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-adv-options'}' /></td>
2973 <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td>
66c36198 2974 <td>&nbsp;</td>
6e13d0a5 2975</tr>
66c36198 2976</table>
6e13d0a5
MT		 2977</form>
2978END
66c36198 2979;
52d08bcb 2980}
6e13d0a5 2981 &Header::closebox();
c6c9630e 2982# print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
6e13d0a5
MT		 2983 &Header::closebigbox();
2984 &Header::closepage();
2985 exit(0);
66c36198 2986
8c877a82
AM		 2987
2988# A.Marx CCD Add,delete or edit CCD net
2989
66c36198
PM		 2990} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'ccd net'} ||
2991 $cgiparams{'ACTION'} eq $Lang::tr{'ccd add'} ||
2992 $cgiparams{'ACTION'} eq "kill" ||
8c877a82
AM		 2993 $cgiparams{'ACTION'} eq "edit" ||
2994 $cgiparams{'ACTION'} eq 'editsave'){
2995 &Header::showhttpheaders();
2996 &Header::openpage($Lang::tr{'ccd net'}, 1, '');
2997 &Header::openbigbox('100%', 'LEFT', '', '');
2998
2999 if ($cgiparams{'ACTION'} eq "kill"){
3000 &delccdnet($cgiparams{'net'});
3001 }
66c36198 3002
8c877a82
AM		 3003 if ($cgiparams{'ACTION'} eq 'editsave'){
3004 my ($a,$b) =split (/\|/,$cgiparams{'ccdname'});
3005 if ( $a ne $b){ &modccdnet($a,$b);}
5068ac38
AM		 3006 $cgiparams{'ccdname'}='';
3007 $cgiparams{'ccdsubnet'}='';
8c877a82 3008 }
66c36198 3009
8c877a82 3010 if ($cgiparams{'ACTION'} eq $Lang::tr{'ccd add'}) {
e2429e8d 3011 &addccdnet($cgiparams{'ccdname'},$cgiparams{'ccdsubnet'});
8c877a82
AM		 3012 }
3013 if ($errormessage) {
3014 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
3015 print "<class name='base'>$errormessage";
3016 print "&nbsp;</class>";
66c36198 3017 &Header::closebox();
8c877a82
AM		 3018 }
3019if ($cgiparams{'ACTION'} eq "edit"){
66c36198 3020
8c877a82
AM		 3021 &Header::openbox('100%', 'LEFT', $Lang::tr{'ccd modify'});
3022
49abe7af 3023 print <<END;
631b67b7 3024 <table width='100%' border='0'>
8c877a82
AM		 3025 <tr><form method='post'>
3026 <td width='10%' nowrap='nowrap'>$Lang::tr{'ccd name'}:</td><td><input type='TEXT' name='ccdname' value='$cgiparams{'ccdname'}' /></td>
a9fb14d0 3027 <td width='8%'>$Lang::tr{'ccd subnet'}:</td><td><input type='TEXT' name='ccdsubnet' value='$cgiparams{'ccdsubnet'}' readonly='readonly' /></td></tr>
8c877a82
AM		 3028 <tr><td colspan='4' align='right'><hr><input type='submit' value='$Lang::tr{'save'}' /><input type='hidden' name='ACTION' value='editsave'/>
3029 <input type='hidden' name='ccdname' value='$cgiparams{'ccdname'}'/><input type='submit' value='$Lang::tr{'cancel'}' />
3030 </td></tr>
3031 </table></form>
3032END
3033;
3034 &Header::closebox();
3035
3036 &Header::openbox('100%', 'LEFT',$Lang::tr{'ccd net'} );
49abe7af 3037 print <<END;
8c877a82
AM		 3038 <table width='100%' border='0' cellpadding='0' cellspacing='1'>
3039 <tr>
3040 <td class='boldbase' align='center'><b>$Lang::tr{'ccd name'}</td><td class='boldbase' align='center'><b>$Lang::tr{'network'}</td><td class='boldbase' width='15%' align='center'><b>$Lang::tr{'ccd used'}</td><td width='3%'></td><td width='3%'></td></tr>
3041END
3042;
3043}
3044else{
3045 if (! -e "/var/run/openvpn.pid"){
3046 &Header::openbox('100%', 'LEFT', $Lang::tr{'ccd add'});
49abe7af 3047 print <<END;
8c877a82
AM		 3048 <table width='100%' border='0'>
3049 <tr><form method='post'>
3050 <td colspan='4'>$Lang::tr{'ccd hint'}<br><br></td></tr>
3051 <tr>
3052 <td width='10%' nowrap='nwrap'>$Lang::tr{'ccd name'}:</td><td><input type='TEXT' name='ccdname' value='$cgiparams{'ccdname'}' /></td>
3053 <td width='8%'>$Lang::tr{'ccd subnet'}:</td><td><input type='TEXT' name='ccdsubnet' value='$cgiparams{'ccdsubnet'}' /></td></tr>
3054 <tr><td colspan=4><hr /></td></tr><tr>
3055 <td colspan='4' align='right'><input type='hidden' name='ACTION' value='$Lang::tr{'ccd add'}' /><input type='submit' value='$Lang::tr{'add'}' /><input type='hidden' name='DOVPN_SUBNET' value='$cgiparams{'DOVPN_SUBNET'}'/></td></tr>
3056 </table></form>
3057END
66c36198 3058
8c877a82
AM		 3059 &Header::closebox();
3060}
3061 &Header::openbox('100%', 'LEFT',$Lang::tr{'ccd net'} );
5068ac38
AM		 3062 if ( -e "/var/run/openvpn.pid"){
3063 print "<b>$Lang::tr{'attention'}:</b><br>";
3064 print "$Lang::tr{'ccd noaddnet'}<br><hr>";
3065 }
66c36198 3066
4c962356 3067 print <<END;
99bfa85c 3068 <table width='100%' cellpadding='0' cellspacing='1'>
8c877a82
AM		 3069 <tr>
3070 <td class='boldbase' align='center' nowrap='nowrap' width='20%'><b>$Lang::tr{'ccd name'}</td><td class='boldbase' align='center' width='8%'><b>$Lang::tr{'network'}</td><td class='boldbase' width='8%' align='center' nowrap='nowrap'><b>$Lang::tr{'ccd used'}</td><td width='1%' align='center'></td><td width='1%' align='center'></td></tr>
3071END
3072;
3073}
66c36198
PM		 3074 my %ccdconfhash=();
3075 &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
8c877a82
AM		 3076 my @ccdconf=();
3077 my $count=0;
df9b48b7 3078 foreach my $key (sort { uc($ccdconfhash{$a}[0]) cmp uc($ccdconfhash{$b}[0]) } keys %ccdconfhash) {
8c877a82
AM		 3079 @ccdconf=($ccdconfhash{$key}[0],$ccdconfhash{$key}[1]);
3080 $count++;
3081 my $ccdhosts = &hostsinnet($ccdconf[0]);
3082 if ($count % 2){ print" <tr bgcolor='$color{'color22'}'>";}
3083 else{ print" <tr bgcolor='$color{'color20'}'>";}
3084 print"<td>$ccdconf[0]</td><td align='center'>$ccdconf[1]</td><td align='center'>$ccdhosts/".(&ccdmaxclients($ccdconf[1])+1)."</td><td>";
4c962356 3085 print <<END;
8c877a82 3086 <form method='post' />
1638682b 3087 <input type='image' src='/images/edit.gif' align='middle' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' />
8c877a82
AM		 3088 <input type='hidden' name='ACTION' value='edit'/>
3089 <input type='hidden' name='ccdname' value='$ccdconf[0]' />
3090 <input type='hidden' name='ccdsubnet' value='$ccdconf[1]' />
3091 </form></td>
3092 <form method='post' />
3093 <td><input type='hidden' name='ACTION' value='kill'/>
3094 <input type='hidden' name='number' value='$count' />
3095 <input type='hidden' name='net' value='$ccdconf[0]' />
1638682b 3096 <input type='image' src='/images/delete.gif' align='middle' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' /></form></td></tr>
8c877a82
AM		 3097END
3098;
66c36198 3099 }
8c877a82
AM		 3100 print "</table></form>";
3101 &Header::closebox();
3102 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
3103 &Header::closebigbox();
3104 &Header::closepage();
3105 exit(0);
66c36198 3106
8c877a82
AM		 3107#END CCD
3108
6e13d0a5
MT		 3109###
3110### Openvpn Connections Statistics
3111###
3112} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'ovpn con stat'}) {
3113 &Header::showhttpheaders();
3114 &Header::openpage($Lang::tr{'ovpn con stat'}, 1, '');
3115 &Header::openbigbox('100%', 'LEFT', '', '');
3116 &Header::openbox('100%', 'LEFT', $Lang::tr{'ovpn con stat'});
3117
3118#
3119# <td><b>$Lang::tr{'protocol'}</b></td>
66c36198 3120# protocol temp removed
4c962356 3121 print <<END;
99bfa85c 3122 <table width='100%' cellpadding='2' cellspacing='0' class='tbl'>
6e13d0a5 3123 <tr>
99bfa85c
AM		 3124 <th><b>$Lang::tr{'common name'}</b></th>
3125 <th><b>$Lang::tr{'real address'}</b></th>
d8ef6a95 3126 <th><b>$Lang::tr{'country'}</b></th>
99bfa85c
AM		 3127 <th><b>$Lang::tr{'virtual address'}</b></th>
3128 <th><b>$Lang::tr{'loged in at'}</b></th>
3129 <th><b>$Lang::tr{'bytes sent'}</b></th>
3130 <th><b>$Lang::tr{'bytes received'}</b></th>
3131 <th><b>$Lang::tr{'last activity'}</b></th>
6e13d0a5
MT		 3132 </tr>
3133END
3134;
87fe47e9 3135 my $filename = "/var/run/ovpnserver.log";
6e13d0a5
MT		 3136 open(FILE, $filename) or die 'Unable to open config file.';
3137 my @current = <FILE>;
3138 close(FILE);
3139 my @users =();
3140 my $status;
3141 my $uid = 0;
3142 my $cn;
3143 my @match = ();
3144 my $proto = "udp";
3145 my $address;
3146 my %userlookup = ();
3147 foreach my $line (@current)
3148 {
3149 chomp($line);
3150 if ( $line =~ /^Updated,(.+)/){
66c36198 3151 @match = split( /^Updated,(.+)/, $line);
6e13d0a5
MT		 3152 $status = $match[1];
3153 }
66c36198 3154#gian
6e13d0a5
MT		 3155 if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) {
3156 @match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line);
3157 if ($match[1] ne "Common Name") {
3158 $cn = $match[1];
3159 $userlookup{$match[2]} = $uid;
3160 $users[$uid]{'CommonName'} = $match[1];
3161 $users[$uid]{'RealAddress'} = $match[2];
c6c9630e
MT		 3162 $users[$uid]{'BytesReceived'} = &sizeformat($match[3]);
3163 $users[$uid]{'BytesSent'} = &sizeformat($match[4]);
6e13d0a5
MT		 3164 $users[$uid]{'Since'} = $match[5];
3165 $users[$uid]{'Proto'} = $proto;
d8ef6a95
PM		 3166
3167 # get country code for "RealAddress"...
07e42be9 3168 my $ccode = &Location::Functions::lookup_country_code((split ':', $users[$uid]{'RealAddress'})[0]);
e2e270e1 3169 my $flag_icon = &Location::Functions::get_flag_icon($ccode);
d8ef6a95 3170 $users[$uid]{'Country'} = "<a href='country.cgi#$ccode'><img src='$flag_icon' border='0' align='absmiddle' alt='$ccode' title='$ccode' /></a>";
6e13d0a5 3171 $uid++;
66c36198 3172 }
6e13d0a5
MT		 3173 }
3174 if ( $line =~ /^(\d+\.\d+\.\d+\.\d+),(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(.+)/) {
3175 @match = split(m/^(\d+\.\d+\.\d+\.\d+),(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(.+)/, $line);
3176 if ($match[1] ne "Virtual Address") {
3177 $address = $match[3];
3178 #find the uid in the lookup table
3179 $uid = $userlookup{$address};
3180 $users[$uid]{'VirtualAddress'} = $match[1];
3181 $users[$uid]{'LastRef'} = $match[4];
3182 }
3183 }
3184 }
3185 my $user2 = @users;
3186 if ($user2 >= 1){
99bfa85c 3187 for (my $idx = 1; $idx <= $user2; $idx++){
6e13d0a5 3188 if ($idx % 2) {
99bfa85c
AM		 3189 print "<tr>";
3190 $col="bgcolor='$color{'color22'}'";
3191 } else {
3192 print "<tr>";
3193 $col="bgcolor='$color{'color20'}'";
6e13d0a5 3194 }
99bfa85c
AM		 3195 print "<td align='left' $col>$users[$idx-1]{'CommonName'}</td>";
3196 print "<td align='left' $col>$users[$idx-1]{'RealAddress'}</td>";
d8ef6a95
PM		 3197 print "<td align='center' $col>$users[$idx-1]{'Country'}</td>";
3198 print "<td align='center' $col>$users[$idx-1]{'VirtualAddress'}</td>";
99bfa85c
AM		 3199 print "<td align='left' $col>$users[$idx-1]{'Since'}</td>";
3200 print "<td align='left' $col>$users[$idx-1]{'BytesSent'}</td>";
3201 print "<td align='left' $col>$users[$idx-1]{'BytesReceived'}</td>";
3202 print "<td align='left' $col>$users[$idx-1]{'LastRef'}</td>";
3203 }
3204 }
66c36198 3205
6e13d0a5 3206 print "</table>";
49abe7af 3207 print <<END;
6e13d0a5
MT		 3208 <table width='100%' border='0' cellpadding='2' cellspacing='0'>
3209 <tr><td></td></tr>
3210 <tr><td></td></tr>
3211 <tr><td></td></tr>
3212 <tr><td></td></tr>
3213 <tr><td align='center' >$Lang::tr{'the statistics were last updated at'} <b>$status</b></td></tr>
3214 </table>
3215END
66c36198 3216;
6e13d0a5
MT		 3217 &Header::closebox();
3218 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
3219 &Header::closebigbox();
3220 &Header::closepage();
3221 exit(0);
3222
3223###
3224### Download Certificate
3225###
3226} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download certificate'}) {
3227 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
c6c9630e 3228
6e13d0a5 3229 if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
c6c9630e
MT		 3230 print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\r\n";
3231 print "Content-Type: application/octet-stream\r\n\r\n";
2feacd98
SS		 3232
3233 open(FILE, "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
3234 my @tmp = <FILE>;
3235 close(FILE);
3236
f158e71e 3237 print @tmp;
c6c9630e
MT		 3238 exit (0);
3239 }
3240
3241###
3242### Enable/Disable connection
3243###
ce9abb66 3244
c6c9630e 3245} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {
66c36198 3246
c6c9630e
MT		 3247 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
3248 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3249
3250 if ($confighash{$cgiparams{'KEY'}}) {
ce9abb66 3251 if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') {
c6c9630e
MT		 3252 $confighash{$cgiparams{'KEY'}}[0] = 'on';
3253 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3254 #&writeserverconf();
3255# if ($vpnsettings{'ENABLED'} eq 'on' ||
3256# $vpnsettings{'ENABLED_BLUE'} eq 'on') {
3257# system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
3258# }
3259 } else {
3260 $confighash{$cgiparams{'KEY'}}[0] = 'off';
3261# if ($vpnsettings{'ENABLED'} eq 'on' ||
3262# $vpnsettings{'ENABLED_BLUE'} eq 'on') {
3263# system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});
3264# }
3265 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3266 #&writeserverconf();
3267 }
3268 } else {
3269 $errormessage = $Lang::tr{'invalid key'};
6e13d0a5
MT		 3270 }
3271
3272###
3273### Restart connection
3274###
3275} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'restart'}) {
3276 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
3277 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3278
3279 if ($confighash{$cgiparams{'KEY'}}) {
c6c9630e
MT		 3280# if ($vpnsettings{'ENABLED'} eq 'on' ||
3281# $vpnsettings{'ENABLED_BLUE'} eq 'on') {
3282# system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
3283# }
6e13d0a5 3284 } else {
c6c9630e 3285 $errormessage = $Lang::tr{'invalid key'};
6e13d0a5
MT		 3286 }
3287
ce9abb66 3288###
7c1d9faf 3289# m.a.d net2net
ce9abb66
AH		 3290###
3291
3292} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'add'} && $cgiparams{'TYPE'} eq '') {
3293 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
3294 &Header::showhttpheaders();
4c962356 3295 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
ce9abb66
AH		 3296 &Header::openbigbox('100%', 'LEFT', '', '');
3297 &Header::openbox('100%', 'LEFT', $Lang::tr{'connection type'});
b278daf3
AH		 3298
3299if ( -s "${General::swroot}/ovpn/settings") {
3300
49abe7af 3301 print <<END;
ce9abb66 3302 <b>$Lang::tr{'connection type'}:</b><br />
8c877a82 3303 <table border='0' width='100%'><form method='post' ENCTYPE="multipart/form-data">
ce9abb66
AH		 3304 <tr><td><input type='radio' name='TYPE' value='host' checked /></td>
3305 <td class='base'>$Lang::tr{'host to net vpn'}</td></tr>
3306 <tr><td><input type='radio' name='TYPE' value='net' /></td>
3307 <td class='base'>$Lang::tr{'net to net vpn'}</td></tr>
66c36198 3308 <tr><td><input type='radio' name='TYPE' value='net2net' /></td>
ce9abb66
AH		 3309 <td class='base'>$Lang::tr{'net to net vpn'} (Upload Client Package)</td></tr>
3310 <tr><td>&nbsp;</td><td class='base'><input type='file' name='FH' size='30'></td></tr>
e3edceeb 3311 <tr><td>&nbsp;</td><td>Import Connection Name</td></tr>
040b8b0c 3312 <tr><td>&nbsp;</td><td class='base'><input type='text' name='n2nname' size='30'>$Lang::tr{'openvpn default'}: Client Packagename</td></tr>
54fd0535 3313 <tr><td colspan='3'><hr /></td></tr>
8c877a82 3314 <tr><td align='right' colspan='3'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td></tr>
ce9abb66
AH		 3315 </form></table>
3316END
3317 ;
66c36198 3318
ce9abb66 3319
b278daf3 3320} else {
49abe7af 3321 print <<END;
b278daf3 3322 <b>$Lang::tr{'connection type'}:</b><br />
8c877a82 3323 <table border='0' width='100%'><form method='post' ENCTYPE="multipart/form-data">
b278daf3 3324 <tr><td><input type='radio' name='TYPE' value='host' checked /></td> <td class='base'>$Lang::tr{'host to net vpn'}</td></tr>
8c877a82 3325 <tr><td align='right' colspan'3'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td></tr>
b278daf3
AH		 3326 </form></table>
3327END
3328 ;
3329
3330}
3331
ce9abb66 3332 &Header::closebox();
4c962356 3333 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
ce9abb66
AH		 3334 &Header::closebigbox();
3335 &Header::closepage();
3336 exit (0);
3337
3338###
7c1d9faf 3339# m.a.d net2net
ce9abb66
AH		 3340###
3341
3342} elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) && ($cgiparams{'TYPE'} eq 'net2net')){
3343
3344 my @firen2nconf;
3345 my @confdetails;
3346 my $uplconffilename ='';
54fd0535 3347 my $uplconffilename2 ='';
ce9abb66 3348 my $uplp12name = '';
54fd0535 3349 my $uplp12name2 = '';
ce9abb66
AH		 3350 my @rem_subnet;
3351 my @rem_subnet2;
66c36198 3352 my @tmposupnet3;
ce9abb66 3353 my $key;
54fd0535 3354 my @n2nname;
ce9abb66 3355
66c36198 3356 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
ce9abb66 3357
2ad1b18b
MT		 3358 # Check if a file is uploaded
3359 unless (ref ($cgiparams{'FH'})) {
ce9abb66
AH		 3360 $errormessage = $Lang::tr{'there was no file upload'};
3361 goto N2N_ERROR;
3362 }
3363
3364# Move uploaded IPfire n2n package to temporary file
3365
3366 (my $fh, my $filename) = tempfile( );
3367 if (copy ($cgiparams{'FH'}, $fh) != 1) {
3368 $errormessage = $!;
3369 goto N2N_ERROR;
3370 }
3371
3372 my $zip = Archive::Zip->new();
3373 my $zipName = $filename;
3374 my $status = $zip->read( $zipName );
66c36198 3375 if ($status != AZ_OK) {
ce9abb66
AH		 3376 $errormessage = "Read of $zipName failed\n";
3377 goto N2N_ERROR;
3378 }
3379
3380 my $tempdir = tempdir( CLEANUP => 1 );
3381 my @files = $zip->memberNames();
3382 for(@files) {
3383 $zip->extractMemberWithoutPaths($_,"$tempdir/$_");
3384 }
3385 my $countfiles = @files;
3386
3387# Check if we have not more then 2 files
3388
3389 if ( $countfiles == 2){
3390 foreach (@files){
3391 if ( $_ =~ /.conf$/){
3392 $uplconffilename = $_;
3393 }
3394 if ( $_ =~ /.p12$/){
3395 $uplp12name = $_;
66c36198 3396 }
ce9abb66
AH		 3397 }
3398 if (($uplconffilename eq '') || ($uplp12name eq '')){
3399 $errormessage = "Either no *.conf or no *.p12 file found\n";
3400 goto N2N_ERROR;
3401 }
3402
3403 open(FILE, "$tempdir/$uplconffilename") or die 'Unable to open*.conf file';
3404 @firen2nconf = <FILE>;
3405 close (FILE);
3406 chomp(@firen2nconf);
ce9abb66
AH		 3407 } else {
3408
3409 $errormessage = "Filecount does not match only 2 files are allowed\n";
3410 goto N2N_ERROR;
3411 }
3412
7c1d9faf
AH		 3413###
3414# m.a.d net2net
ce9abb66 3415###
66c36198 3416
54fd0535
MT		 3417 if ($cgiparams{'n2nname'} ne ''){
3418
66c36198
PM		 3419 $uplconffilename2 = "$cgiparams{'n2nname'}.conf";
3420 $uplp12name2 = "$cgiparams{'n2nname'}.p12";
54fd0535
MT		 3421 $n2nname[0] = $cgiparams{'n2nname'};
3422 my @n2nname2 = split(/\./,$uplconffilename);
3423 $n2nname2[0] =~ s/\n|\r//g;
3424 my $input1 = "${General::swroot}/ovpn/certs/$uplp12name";
3425 my $output1 = "${General::swroot}/ovpn/certs/$uplp12name2";
3426 my $input2 = "$n2nname2[0]n2n";
3427 my $output2 = "$n2nname[0]n2n";
3428 my $filename = "$tempdir/$uplconffilename";
3429 open(FILE, "< $filename") or die 'Unable to open config file.';
3430 my @current = <FILE>;
3431 close(FILE);
3432 foreach (@current) {s/$input1/$output1/g;}
3433 foreach (@current) {s/$input2/$output2/g;}
3434 open (OUT, "> $filename") || die 'Unable to open config file.';
3435 print OUT @current;
3436 close OUT;
ce9abb66 3437
54fd0535
MT		 3438 }else{
3439 $uplconffilename2 = $uplconffilename;
3440 $uplp12name2 = $uplp12name;
3441 @n2nname = split(/\./,$uplconffilename);
ce9abb66 3442 $n2nname[0] =~ s/\n|\r//g;
66c36198 3443 }
7c1d9faf 3444 unless(-d "${General::swroot}/ovpn/n2nconf/"){mkdir "${General::swroot}/ovpn/n2nconf", 0755 or die "Unable to create dir $!";}
66c36198 3445 unless(-d "${General::swroot}/ovpn/n2nconf/$n2nname[0]"){mkdir "${General::swroot}/ovpn/n2nconf/$n2nname[0]", 0770 or die "Unable to create dir $!";}
ce9abb66 3446
7dfcaef0
AM		 3447 #Add collectd settings to configfile
3448 open(FILE, ">> $tempdir/$uplconffilename") or die 'Unable to open config file.';
3449 print FILE "# Logfile\n";
3450 print FILE "status-version 1\n";
3451 print FILE "status /var/run/openvpn/$n2nname[0]-n2n 10\n";
3452 close FILE;
3453
cc79d281 3454 unless(move("$tempdir/$uplconffilename", "${General::swroot}/ovpn/n2nconf/$n2nname[0]/$uplconffilename2")) {
ce9abb66
AH		 3455 $errormessage = "*.conf move failed: $!";
3456 unlink ($filename);
3457 goto N2N_ERROR;
3458 }
66c36198 3459
cc79d281 3460 unless(move("$tempdir/$uplp12name", "${General::swroot}/ovpn/certs/$uplp12name2")) {
ce9abb66
AH		 3461 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
3462 unlink ($filename);
3463 goto N2N_ERROR;
cc79d281
SS		 3464 }
3465
3466 chmod 0600, "${General::swroot}/ovpn/certs/$uplp12name";
66c36198 3467
ce9abb66 3468my $complzoactive;
d96c89eb 3469my $mssfixactive;
4c962356 3470my $authactive;
d96c89eb 3471my $n2nfragment;
60f396d7 3472my @n2nproto2 = split(/ /, (grep { /^proto/ } @firen2nconf)[0]);
54fd0535 3473my @n2nproto = split(/-/, $n2nproto2[1]);
ce9abb66
AH		 3474my @n2nport = split(/ /, (grep { /^port/ } @firen2nconf)[0]);
3475my @n2ntunmtu = split(/ /, (grep { /^tun-mtu/ } @firen2nconf)[0]);
3476my @n2ncomplzo = grep { /^comp-lzo/ } @firen2nconf;
66c36198 3477if ($n2ncomplzo[0] =~ /comp-lzo/){$complzoactive = "on";} else {$complzoactive = "off";}
d96c89eb
AH		 3478my @n2nmssfix = grep { /^mssfix/ } @firen2nconf;
3479if ($n2nmssfix[0] =~ /mssfix/){$mssfixactive = "on";} else {$mssfixactive = "off";}
54fd0535 3480#my @n2nmssfix = split(/ /, (grep { /^mssfix/ } @firen2nconf)[0]);
d96c89eb 3481my @n2nfragment = split(/ /, (grep { /^fragment/ } @firen2nconf)[0]);
ce9abb66
AH		 3482my @n2nremote = split(/ /, (grep { /^remote/ } @firen2nconf)[0]);
3483my @n2novpnsuball = split(/ /, (grep { /^ifconfig/ } @firen2nconf)[0]);
3484my @n2novpnsub = split(/\./,$n2novpnsuball[1]);
3485my @n2nremsub = split(/ /, (grep { /^route/ } @firen2nconf)[0]);
54fd0535 3486my @n2nmgmt = split(/ /, (grep { /^management/ } @firen2nconf)[0]);
ce9abb66 3487my @n2nlocalsub = split(/ /, (grep { /^# remsub/ } @firen2nconf)[0]);
4c962356 3488my @n2ncipher = split(/ /, (grep { /^cipher/ } @firen2nconf)[0]);
f527e53f 3489my @n2nauth = split(/ /, (grep { /^auth/ } @firen2nconf)[0]);;
60f396d7 3490
ce9abb66
AH		 3491###
3492# m.a.d delete CR and LF from arrays for this chomp doesnt work
3493###
3494
ce9abb66 3495$n2nremote[1] =~ s/\n|\r//g;
ce9abb66
AH		 3496$n2novpnsub[0] =~ s/\n|\r//g;
3497$n2novpnsub[1] =~ s/\n|\r//g;
3498$n2novpnsub[2] =~ s/\n|\r//g;
60f396d7 3499$n2nproto[0] =~ s/\n|\r//g;
ce9abb66
AH		 3500$n2nport[1] =~ s/\n|\r//g;
3501$n2ntunmtu[1] =~ s/\n|\r//g;
3502$n2nremsub[1] =~ s/\n|\r//g;
b278daf3 3503$n2nremsub[2] =~ s/\n|\r//g;
ce9abb66 3504$n2nlocalsub[2] =~ s/\n|\r//g;
d96c89eb 3505$n2nfragment[1] =~ s/\n|\r//g;
54fd0535 3506$n2nmgmt[2] =~ s/\n|\r//g;
4c962356
EK		 3507$n2ncipher[1] =~ s/\n|\r//g;
3508$n2nauth[1] =~ s/\n|\r//g;
ce9abb66 3509chomp ($complzoactive);
d96c89eb 3510chomp ($mssfixactive);
ce9abb66
AH		 3511
3512###
7c1d9faf 3513# m.a.d net2net
ce9abb66
AH		 3514###
3515
3516###
3517# Check if there is no other entry with this name
3518###
3519
3520 foreach my $dkey (keys %confighash) {
3521 if ($confighash{$dkey}[1] eq $n2nname[0]) {
3522 $errormessage = $Lang::tr{'a connection with this name already exists'};
b278daf3
AH		 3523 unlink ("${General::swroot}/ovpn/n2nconf/$n2nname[0]/$n2nname[0].conf") or die "Removing Configfile fail: $!";
3524 unlink ("${General::swroot}/ovpn/certs/$n2nname[0].p12") or die "Removing Certfile fail: $!";
3525 rmdir ("${General::swroot}/ovpn/n2nconf/$n2nname[0]") || die "Removing Directory fail: $!";
66c36198 3526 goto N2N_ERROR;
ce9abb66
AH		 3527 }
3528 }
3529
d96c89eb
AH		 3530###
3531# Check if OpenVPN Subnet is valid
3532###
3533
3534foreach my $dkey (keys %confighash) {
3535 if ($confighash{$dkey}[27] eq "$n2novpnsub[0].$n2novpnsub[1].$n2novpnsub[2].0/255.255.255.0") {
3536 $errormessage = 'The OpenVPN Subnet is already in use';
b278daf3
AH		 3537 unlink ("${General::swroot}/ovpn/n2nconf/$n2nname[0]/$n2nname[0].conf") or die "Removing Configfile fail: $!";
3538 unlink ("${General::swroot}/ovpn/certs/$n2nname[0].p12") or die "Removing Certfile fail: $!";
3539 rmdir ("${General::swroot}/ovpn/n2nconf/$n2nname[0]") || die "Removing Directory fail: $!";
66c36198 3540 goto N2N_ERROR;
d96c89eb
AH		 3541 }
3542 }
3543
3544###
4c962356 3545# Check if Dest Port is vaild
d96c89eb
AH		 3546###
3547
3548foreach my $dkey (keys %confighash) {
3549 if ($confighash{$dkey}[29] eq $n2nport[1] ) {
3550 $errormessage = 'The OpenVPN Port is already in use';
b278daf3
AH		 3551 unlink ("${General::swroot}/ovpn/n2nconf/$n2nname[0]/$n2nname[0].conf") or die "Removing Configfile fail: $!";
3552 unlink ("${General::swroot}/ovpn/certs/$n2nname[0].p12") or die "Removing Certfile fail: $!";
3553 rmdir ("${General::swroot}/ovpn/n2nconf/$n2nname[0]") || die "Removing Directory fail: $!";
66c36198 3554 goto N2N_ERROR;
d96c89eb
AH		 3555 }
3556 }
66c36198
PM		 3557
3558
3559
ce9abb66
AH		 3560 $key = &General::findhasharraykey (\%confighash);
3561
49abe7af 3562 foreach my $i (0 .. 42) { $confighash{$key}[$i] = "";}
350f2980 3563
ce9abb66
AH		 3564 $confighash{$key}[0] = 'off';
3565 $confighash{$key}[1] = $n2nname[0];
66c36198 3566 $confighash{$key}[2] = $n2nname[0];
ce9abb66 3567 $confighash{$key}[3] = 'net';
66c36198
PM		 3568 $confighash{$key}[4] = 'cert';
3569 $confighash{$key}[6] = 'client';
ce9abb66 3570 $confighash{$key}[8] = $n2nlocalsub[2];
350f2980 3571 $confighash{$key}[10] = $n2nremote[1];
66c36198 3572 $confighash{$key}[11] = "$n2nremsub[1]/$n2nremsub[2]";
54fd0535 3573 $confighash{$key}[22] = $n2nmgmt[2];
350f2980 3574 $confighash{$key}[23] = $mssfixactive;
d96c89eb 3575 $confighash{$key}[24] = $n2nfragment[1];
350f2980 3576 $confighash{$key}[25] = 'IPFire n2n Client';
ce9abb66 3577 $confighash{$key}[26] = 'red';
350f2980
SS		 3578 $confighash{$key}[27] = "$n2novpnsub[0].$n2novpnsub[1].$n2novpnsub[2].0/255.255.255.0";
3579 $confighash{$key}[28] = $n2nproto[0];
3580 $confighash{$key}[29] = $n2nport[1];
3581 $confighash{$key}[30] = $complzoactive;
3582 $confighash{$key}[31] = $n2ntunmtu[1];
4c962356
EK		 3583 $confighash{$key}[39] = $n2nauth[1];
3584 $confighash{$key}[40] = $n2ncipher[1];
49abe7af 3585 $confighash{$key}[41] = 'disabled';
ce9abb66
AH		 3586
3587 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
66c36198 3588
ce9abb66 3589 N2N_ERROR:
66c36198 3590
ce9abb66
AH		 3591 &Header::showhttpheaders();
3592 &Header::openpage('Validate imported configuration', 1, '');
3593 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
3594 if ($errormessage) {
3595 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
3596 print "<class name='base'>$errormessage";
3597 print "&nbsp;</class>";
66c36198 3598 &Header::closebox();
ce9abb66 3599
66c36198
PM		 3600 } else
3601 {
ce9abb66
AH		 3602 &Header::openbox('100%', 'LEFT', 'import ipfire net2net config');
3603 }
3604 if ($errormessage eq ''){
49abe7af 3605 print <<END;
ce9abb66
AH		 3606 <!-- ipfire net2net config gui -->
3607 <table width='100%'>
3608 <tr><td width='25%'>&nbsp;</td><td width='25%'>&nbsp;</td></tr>
3609 <tr><td class='boldbase'>$Lang::tr{'name'}:</td><td><b>$n2nname[0]</b></td></tr>
66c36198
PM		 3610 <tr><td>&nbsp;</td><td>&nbsp;</td></tr>
3611 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'Act as'}</td><td><b>$confighash{$key}[6]</b></td></tr>
ce9abb66
AH		 3612 <tr><td class='boldbase' nowrap='nowrap'>Remote Host </td><td><b>$confighash{$key}[10]</b></td></tr>
3613 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'local subnet'}</td><td><b>$confighash{$key}[8]</b></td></tr>
4c962356 3614 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'remote subnet'}:</td><td><b>$confighash{$key}[11]</b></td></tr>
ce9abb66
AH		 3615 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn subnet'}</td><td><b>$confighash{$key}[27]</b></td></tr>
3616 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'protocol'}</td><td><b>$confighash{$key}[28]</b></td></tr>
3617 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'destination port'}:</td><td><b>$confighash{$key}[29]</b></td></tr>
3618 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'}</td><td><b>$confighash{$key}[30]</b></td></tr>
4c962356
EK		 3619 <tr><td class='boldbase' nowrap='nowrap'>MSSFIX:</td><td><b>$confighash{$key}[23]</b></td></tr>
3620 <tr><td class='boldbase' nowrap='nowrap'>Fragment:</td><td><b>$confighash{$key}[24]</b></td></tr>
ce9abb66 3621 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'MTU'}</td><td><b>$confighash{$key}[31]</b></td></tr>
54fd0535 3622 <tr><td class='boldbase' nowrap='nowrap'>Management Port </td><td><b>$confighash{$key}[22]</b></td></tr>
0c4ffc69 3623 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn tls auth'}:</td><td><b>$confighash{$key}[39]</b></td></tr>
4c962356 3624 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td><td><b>$confighash{$key}[40]</b></td></tr>
66c36198 3625 <tr><td>&nbsp;</td><td>&nbsp;</td></tr>
ce9abb66
AH		 3626 </table>
3627END
66c36198 3628;
ce9abb66
AH		 3629 &Header::closebox();
3630 }
3631
3632 if ($errormessage) {
3633 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
66c36198
PM		 3634 } else {
3635 print "<div align='center'><form method='post' ENCTYPE='multipart/form-data'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' />";
ce9abb66 3636 print "<input type='hidden' name='TYPE' value='net2netakn' />";
66c36198 3637 print "<input type='hidden' name='KEY' value='$key' />";
ce9abb66 3638 print "<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></div></form>";
66c36198 3639 }
ce9abb66
AH		 3640 &Header::closebigbox();
3641 &Header::closepage();
4c962356 3642 exit(0);
ce9abb66
AH		 3643
3644
3645##
3646### Accept IPFire n2n Package Settings
3647###
3648
3649 } elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) && ($cgiparams{'TYPE'} eq 'net2netakn')){
3650
3651###
3652### Discard and Rollback IPFire n2n Package Settings
3653###
3654
3655 } elsif (($cgiparams{'ACTION'} eq $Lang::tr{'cancel'}) && ($cgiparams{'TYPE'} eq 'net2netakn')){
66c36198 3656
ce9abb66
AH		 3657 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3658
3659if ($confighash{$cgiparams{'KEY'}}) {
3660
3661 my $conffile = glob("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]/$confighash{$cgiparams{'KEY'}}[1].conf");
3662 my $certfile = glob("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
3663 unlink ($certfile) or die "Removing $certfile fail: $!";
3664 unlink ($conffile) or die "Removing $conffile fail: $!";
3665 rmdir ("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") || die "Kann Verzeichnis nicht loeschen: $!";
3666 delete $confighash{$cgiparams{'KEY'}};
66c36198 3667 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
ce9abb66
AH		 3668
3669 } else {
3670 $errormessage = $Lang::tr{'invalid key'};
66c36198
PM		 3671 }
3672
ce9abb66
AH		 3673
3674###
7c1d9faf 3675# m.a.d net2net
ce9abb66
AH		 3676###
3677
3678
3679###
3680### Adding a new connection
3681###
6e13d0a5
MT		 3682} elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) ||
3683 ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) ||
3684 ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq '')) {
66c36198 3685
6e13d0a5
MT		 3686 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
3687 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
3688 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3689
3690 if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) {
8c877a82
AM		 3691 if (! $confighash{$cgiparams{'KEY'}}[0]) {
3692 $errormessage = $Lang::tr{'invalid key'};
3693 goto VPNCONF_END;
3694 }
4c962356
EK		 3695 $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0];
3696 $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1];
3697 $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3];
3698 $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4];
3699 $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5];
3700 $cgiparams{'SIDE'} = $confighash{$cgiparams{'KEY'}}[6];
3701 $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8];
3702 $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10];
8c877a82 3703 $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11];
4c962356
EK		 3704 $cgiparams{'OVPN_MGMT'} = $confighash{$cgiparams{'KEY'}}[22];
3705 $cgiparams{'MSSFIX'} = $confighash{$cgiparams{'KEY'}}[23];
3706 $cgiparams{'FRAGMENT'} = $confighash{$cgiparams{'KEY'}}[24];
3707 $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25];
3708 $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26];
3709 $cgiparams{'OVPN_SUBNET'} = $confighash{$cgiparams{'KEY'}}[27];
3710 $cgiparams{'PROTOCOL'} = $confighash{$cgiparams{'KEY'}}[28];
3711 $cgiparams{'DEST_PORT'} = $confighash{$cgiparams{'KEY'}}[29];
3712 $cgiparams{'COMPLZO'} = $confighash{$cgiparams{'KEY'}}[30];
3713 $cgiparams{'MTU'} = $confighash{$cgiparams{'KEY'}}[31];
3714 $cgiparams{'CHECK1'} = $confighash{$cgiparams{'KEY'}}[32];
df9b48b7 3715 $name=$cgiparams{'CHECK1'} ;
4c962356
EK		 3716 $cgiparams{$name} = $confighash{$cgiparams{'KEY'}}[33];
3717 $cgiparams{'RG'} = $confighash{$cgiparams{'KEY'}}[34];
3718 $cgiparams{'CCD_DNS1'} = $confighash{$cgiparams{'KEY'}}[35];
3719 $cgiparams{'CCD_DNS2'} = $confighash{$cgiparams{'KEY'}}[36];
3720 $cgiparams{'CCD_WINS'} = $confighash{$cgiparams{'KEY'}}[37];
4c962356
EK		 3721 $cgiparams{'DAUTH'} = $confighash{$cgiparams{'KEY'}}[39];
3722 $cgiparams{'DCIPHER'} = $confighash{$cgiparams{'KEY'}}[40];
49abe7af 3723 $cgiparams{'TLSAUTH'} = $confighash{$cgiparams{'KEY'}}[41];
e1e10515 3724 $cgiparams{'OTP_STATE'} = $confighash{$cgiparams{'KEY'}}[43];
8c877a82 3725 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
c6c9630e 3726 $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
66c36198 3727
8c877a82 3728#A.Marx CCD check iroute field and convert it to decimal
52d08bcb 3729if ($cgiparams{'TYPE'} eq 'host') {
8c877a82
AM		 3730 my @temp=();
3731 my %ccdroutehash=();
3732 my $keypoint=0;
5068ac38
AM		 3733 my $ip;
3734 my $cidr;
8c877a82
AM		 3735 if ($cgiparams{'IR'} ne ''){
3736 @temp = split("\n",$cgiparams{'IR'});
3737 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
3738 #find key to use
3739 foreach my $key (keys %ccdroutehash) {
3740 if ($ccdroutehash{$key}[0] eq $cgiparams{'NAME'}) {
3741 $keypoint=$key;
3742 delete $ccdroutehash{$key};
3743 }else{
3744 $keypoint = &General::findhasharraykey (\%ccdroutehash);
3745 }
3746 }
3747 $ccdroutehash{$keypoint}[0]=$cgiparams{'NAME'};
3748 my $i=1;
3749 my $val=0;
3750 foreach $val (@temp){
3751 chomp($val);
66c36198 3752 $val=~s/\s*$//g;
5068ac38 3753 #check if iroute exists in ccdroute or if new iroute is part of an existing one
8c877a82
AM		 3754 foreach my $key (keys %ccdroutehash) {
3755 foreach my $oldiroute ( 1 .. $#{$ccdroutehash{$key}}){
5068ac38
AM		 3756 if ($ccdroutehash{$key}[$oldiroute] eq "$val") {
3757 $errormessage=$errormessage.$Lang::tr{'ccd err irouteexist'};
3758 goto VPNCONF_ERROR;
3759 }
3760 my ($ip1,$cidr1) = split (/\//, $val);
82c809c7 3761 $ip1 = &General::getnetworkip($ip1,&General::iporsubtocidr($cidr1));
5068ac38
AM		 3762 my ($ip2,$cidr2) = split (/\//, $ccdroutehash{$key}[$oldiroute]);
3763 if (&General::IpInSubnet ($ip1,$ip2,$cidr2)){
3764 $errormessage=$errormessage.$Lang::tr{'ccd err irouteexist'};
3765 goto VPNCONF_ERROR;
66c36198
PM		 3766 }
3767
8c877a82
AM		 3768 }
3769 }
5068ac38
AM		 3770 if (!&General::validipandmask($val)){
3771 $errormessage=$errormessage."Route ".$Lang::tr{'ccd invalid'}." ($val)";
3772 goto VPNCONF_ERROR;
3773 }else{
3774 ($ip,$cidr) = split(/\//,$val);
3775 $ip=&General::getnetworkip($ip,&General::iporsubtocidr($cidr));
3776 $cidr=&General::iporsubtodec($cidr);
3777 $ccdroutehash{$keypoint}[$i] = $ip."/".$cidr;
66c36198 3778
5068ac38 3779 }
66c36198 3780
8c877a82 3781 #check for existing network IP's
52d08bcb
AM		 3782 if (&General::IpInSubnet ($ip,$netsettings{GREEN_NETADDRESS},$netsettings{GREEN_NETMASK}) && $netsettings{GREEN_NETADDRESS} ne '0.0.0.0')
3783 {
3784 $errormessage=$Lang::tr{'ccd err green'};
3785 goto VPNCONF_ERROR;
3786 }elsif(&General::IpInSubnet ($ip,$netsettings{RED_NETADDRESS},$netsettings{RED_NETMASK}) && $netsettings{RED_NETADDRESS} ne '0.0.0.0')
3787 {
3788 $errormessage=$Lang::tr{'ccd err red'};
3789 goto VPNCONF_ERROR;
3790 }elsif(&General::IpInSubnet ($ip,$netsettings{BLUE_NETADDRESS},$netsettings{BLUE_NETMASK}) && $netsettings{BLUE_NETADDRESS} ne '0.0.0.0' && $netsettings{BLUE_NETADDRESS} gt '')
3791 {
3792 $errormessage=$Lang::tr{'ccd err blue'};
3793 goto VPNCONF_ERROR;
3794 }elsif(&General::IpInSubnet ($ip,$netsettings{ORANGE_NETADDRESS},$netsettings{ORANGE_NETMASK}) && $netsettings{ORANGE_NETADDRESS} ne '0.0.0.0' && $netsettings{ORANGE_NETADDRESS} gt '' )
3795 {
3796 $errormessage=$Lang::tr{'ccd err orange'};
8c877a82
AM		 3797 goto VPNCONF_ERROR;
3798 }
66c36198 3799
8c877a82
AM		 3800 if (&General::validipandmask($val)){
3801 $ccdroutehash{$keypoint}[$i] = $ip."/".$cidr;
3802 }else{
3803 $errormessage=$errormessage."Route ".$Lang::tr{'ccd invalid'}." ($ip/$cidr)";
3804 goto VPNCONF_ERROR;
3805 }
3806 $i++;
3807 }
3808 &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
3809 &writeserverconf;
3810 }else{
3811 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
3812 foreach my $key (keys %ccdroutehash) {
3813 if ($ccdroutehash{$key}[0] eq $cgiparams{'NAME'}) {
3814 delete $ccdroutehash{$key};
3815 &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
3816 &writeserverconf;
3817 }
66c36198 3818 }
8c877a82
AM		 3819 }
3820 undef @temp;
3821 #check route field and convert it to decimal
8c877a82
AM		 3822 my $val=0;
3823 my $i=1;
8c877a82 3824 &General::readhasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
52d08bcb
AM		 3825 #find key to use
3826 foreach my $key (keys %ccdroute2hash) {
3827 if ($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}) {
3828 $keypoint=$key;
3829 delete $ccdroute2hash{$key};
3830 }else{
3831 $keypoint = &General::findhasharraykey (\%ccdroute2hash);
3832 &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
3833 &writeserverconf;
8c877a82 3834 }
52d08bcb
AM		 3835 }
3836 $ccdroute2hash{$keypoint}[0]=$cgiparams{'NAME'};
3837 if ($cgiparams{'IFROUTE'} eq ''){$cgiparams{'IFROUTE'} = $Lang::tr{'ccd none'};}
3838 @temp = split(/\|/,$cgiparams{'IFROUTE'});
3839 my %ownnet=();
3840 &General::readhash("${General::swroot}/ethernet/settings", \%ownnet);
3841 foreach $val (@temp){
3842 chomp($val);
66c36198 3843 $val=~s/\s*$//g;
52d08bcb
AM		 3844 if ($val eq $Lang::tr{'green'})
3845 {
3846 $val=$ownnet{GREEN_NETADDRESS}."/".$ownnet{GREEN_NETMASK};
3847 }
3848 if ($val eq $Lang::tr{'blue'})
3849 {
3850 $val=$ownnet{BLUE_NETADDRESS}."/".$ownnet{BLUE_NETMASK};
3851 }
3852 if ($val eq $Lang::tr{'orange'})
3853 {
3854 $val=$ownnet{ORANGE_NETADDRESS}."/".$ownnet{ORANGE_NETMASK};
3855 }
3856 my ($ip,$cidr) = split (/\//, $val);
66c36198 3857
52d08bcb 3858 if ($val ne $Lang::tr{'ccd none'})
66c36198 3859 {
8c877a82
AM		 3860 if (! &check_routes_push($val)){$errormessage=$errormessage."Route $val ".$Lang::tr{'ccd err routeovpn2'}." ($val)";goto VPNCONF_ERROR;}
3861 if (! &check_ccdroute($val)){$errormessage=$errormessage."<br>Route $val ".$Lang::tr{'ccd err inuse'}." ($val)" ;goto VPNCONF_ERROR;}
3862 if (! &check_ccdconf($val)){$errormessage=$errormessage."<br>Route $val ".$Lang::tr{'ccd err routeovpn'}." ($val)";goto VPNCONF_ERROR;}
3863 if (&General::validipandmask($val)){
3864 $val=$ip."/".&General::iporsubtodec($cidr);
3865 $ccdroute2hash{$keypoint}[$i] = $val;
3866 }else{
3867 $errormessage=$errormessage."Route ".$Lang::tr{'ccd invalid'}." ($val)";
3868 goto VPNCONF_ERROR;
3869 }
52d08bcb
AM		 3870 }else{
3871 $ccdroute2hash{$keypoint}[$i]='';
3872 }
3873 $i++;
66c36198 3874 }
52d08bcb
AM		 3875 &General::writehasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
3876
8c877a82
AM		 3877 #check dns1 ip
3878 if ($cgiparams{'CCD_DNS1'} ne '' && ! &General::validip($cgiparams{'CCD_DNS1'})) {
3879 $errormessage=$errormessage."<br>".$Lang::tr{'invalid input for dhcp dns'}." 1";
3880 goto VPNCONF_ERROR;
3881 }
3882 #check dns2 ip
3883 if ($cgiparams{'CCD_DNS2'} ne '' && ! &General::validip($cgiparams{'CCD_DNS2'})) {
3884 $errormessage=$errormessage."<br>".$Lang::tr{'invalid input for dhcp dns'}." 2";
3885 goto VPNCONF_ERROR;
3886 }
3887 #check wins ip
3888 if ($cgiparams{'CCD_WINS'} ne '' && ! &General::validip($cgiparams{'CCD_WINS'})) {
3889 $errormessage=$errormessage."<br>".$Lang::tr{'invalid input for dhcp wins'};
3890 goto VPNCONF_ERROR;
3891 }
52d08bcb 3892}
8c877a82
AM		 3893
3894#CCD End
52d08bcb 3895
66c36198 3896
73735ad9
EK		 3897 if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
3898 $errormessage = $Lang::tr{'connection type is invalid'};
3899 if ($cgiparams{'TYPE'} eq 'net') {
3900 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3901 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3902 goto VPNCONF_ERROR;
3903 }
3904 goto VPNCONF_ERROR;
c6c9630e
MT		 3905 }
3906
c6c9630e 3907 if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) {
73735ad9
EK		 3908 $errormessage = $Lang::tr{'name must only contain characters'};
3909 if ($cgiparams{'TYPE'} eq 'net') {
3910 goto VPNCONF_ERROR;
3911 }
3912 goto VPNCONF_ERROR;
3913 }
c6c9630e
MT		 3914
3915 if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault)$/) {
73735ad9
EK		 3916 $errormessage = $Lang::tr{'name is invalid'};
3917 if ($cgiparams{'TYPE'} eq 'net') {
3918 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3919 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3920 goto VPNCONF_ERROR;
3921 }
3922 goto VPNCONF_ERROR;
c6c9630e
MT		 3923 }
3924
3925 if (length($cgiparams{'NAME'}) >60) {
73735ad9
EK		 3926 $errormessage = $Lang::tr{'name too long'};
3927 if ($cgiparams{'TYPE'} eq 'net') {
3928 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3929 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3930 goto VPNCONF_ERROR;
3931 }
3932 goto VPNCONF_ERROR;
c6c9630e
MT		 3933 }
3934
d96c89eb 3935###
7c1d9faf 3936# m.a.d net2net
d96c89eb
AH		 3937###
3938
7c1d9faf 3939if ($cgiparams{'TYPE'} eq 'net') {
ab4cf06c 3940 if ($cgiparams{'DEST_PORT'} eq $vpnsettings{'DDEST_PORT'}) {
cd0c0a0d 3941 $errormessage = $Lang::tr{'openvpn destination port used'};
b278daf3
AH		 3942 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3943 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
66c36198 3944 goto VPNCONF_ERROR;
d96c89eb 3945 }
ab4cf06c
AM		 3946 #Bugfix 10357
3947 foreach my $key (sort keys %confighash){
3948 if ( ($confighash{$key}[22] eq $cgiparams{'DEST_PORT'} && $cgiparams{'NAME'} ne $confighash{$key}[1]) || ($confighash{$key}[29] eq $cgiparams{'DEST_PORT'} && $cgiparams{'NAME'} ne $confighash{$key}[1])){
54fd0535
MT		 3949 $errormessage = $Lang::tr{'openvpn destination port used'};
3950 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3951 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
66c36198 3952 goto VPNCONF_ERROR;
ab4cf06c
AM		 3953 }
3954 }
3955 if ($cgiparams{'DEST_PORT'} eq '') {
3956 $errormessage = $Lang::tr{'invalid port'};
3957 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3958 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
66c36198 3959 goto VPNCONF_ERROR;
54fd0535 3960 }
d96c89eb 3961
f48074ba
SS		 3962 # Check if the input for the transfer net is valid.
3963 if (!&General::validipandmask($cgiparams{'OVPN_SUBNET'})){
3964 $errormessage = $Lang::tr{'ccd err invalidnet'};
3965 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3966 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3967 goto VPNCONF_ERROR;
3968 }
3969
d96c89eb 3970 if ($cgiparams{'OVPN_SUBNET'} eq $vpnsettings{'DOVPN_SUBNET'}) {
cd0c0a0d 3971 $errormessage = $Lang::tr{'openvpn subnet is used'};
b278daf3
AH		 3972 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3973 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
66c36198 3974 goto VPNCONF_ERROR;
d96c89eb
AH		 3975 }
3976
3977 if (($cgiparams{'PROTOCOL'} eq 'tcp') && ($cgiparams{'MSSFIX'} eq 'on')) {
cd0c0a0d 3978 $errormessage = $Lang::tr{'openvpn mssfix allowed with udp'};
b278daf3
AH		 3979 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3980 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
d96c89eb
AH		 3981 goto VPNCONF_ERROR;
3982 }
66c36198 3983
d96c89eb 3984 if (($cgiparams{'PROTOCOL'} eq 'tcp') && ($cgiparams{'FRAGMENT'} ne '')) {
cd0c0a0d 3985 $errormessage = $Lang::tr{'openvpn fragment allowed with udp'};
b278daf3
AH		 3986 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3987 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
d96c89eb
AH		 3988 goto VPNCONF_ERROR;
3989 }
d96c89eb 3990
7c1d9faf 3991 if ( &validdotmask ($cgiparams{'LOCAL_SUBNET'})) {
cd0c0a0d 3992 $errormessage = $Lang::tr{'openvpn prefix local subnet'};
b278daf3
AH		 3993 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3994 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3995 goto VPNCONF_ERROR;
66c36198
PM		 3996 }
3997
7c1d9faf 3998 if ( &validdotmask ($cgiparams{'OVPN_SUBNET'})) {
cd0c0a0d 3999 $errormessage = $Lang::tr{'openvpn prefix openvpn subnet'};
b278daf3
AH		 4000 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
4001 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
4002 goto VPNCONF_ERROR;
66c36198
PM		 4003 }
4004
7c1d9faf 4005 if ( &validdotmask ($cgiparams{'REMOTE_SUBNET'})) {
cd0c0a0d 4006 $errormessage = $Lang::tr{'openvpn prefix remote subnet'};
b278daf3
AH		 4007 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
4008 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
4009 goto VPNCONF_ERROR;
8c252e6a 4010 }
66c36198 4011
8c252e6a
EK		 4012 if ($cgiparams{'DEST_PORT'} <= 1023) {
4013 $errormessage = $Lang::tr{'ovpn port in root range'};
4014 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
4015 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
4016 goto VPNCONF_ERROR;
4017 }
54fd0535 4018
4c962356 4019 if ($cgiparams{'OVPN_MGMT'} eq '') {
66c36198 4020 $cgiparams{'OVPN_MGMT'} = $cgiparams{'DEST_PORT'};
8c252e6a 4021 }
66c36198 4022
8c252e6a
EK		 4023 if ($cgiparams{'OVPN_MGMT'} <= 1023) {
4024 $errormessage = $Lang::tr{'ovpn mgmt in root range'};
4025 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
4026 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
4027 goto VPNCONF_ERROR;
b2e75449
MT		 4028 }
4029 #Check if remote subnet is used elsewhere
4030 my ($n2nip,$n2nsub)=split("/",$cgiparams{'REMOTE_SUBNET'});
4031 $warnmessage=&General::checksubnets('',$n2nip,'ovpn');
4032 if ($warnmessage){
4033 $warnmessage=$Lang::tr{'remote subnet'}." ($cgiparams{'REMOTE_SUBNET'}) <br>".$warnmessage;
4034 }
7c1d9faf 4035}
d96c89eb 4036
ce9abb66
AH		 4037# if (($cgiparams{'TYPE'} eq 'net') && ($cgiparams{'SIDE'} !~ /^(left|right)$/)) {
4038# $errormessage = $Lang::tr{'ipfire side is invalid'};
4039# goto VPNCONF_ERROR;
4040# }
4041
c6c9630e
MT		 4042 # Check if there is no other entry with this name
4043 if (! $cgiparams{'KEY'}) {
4044 foreach my $key (keys %confighash) {
4045 if ($confighash{$key}[1] eq $cgiparams{'NAME'}) {
4046 $errormessage = $Lang::tr{'a connection with this name already exists'};
b278daf3
AH		 4047 if ($cgiparams{'TYPE'} eq 'net') {
4048 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
4049 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
4050 }
c6c9630e 4051 goto VPNCONF_ERROR;
6e13d0a5 4052 }
c6c9630e
MT		 4053 }
4054 }
4055
c125d8a2 4056 # Check if a remote host/IP has been set for the client.
86228a56
MT		 4057 if ($cgiparams{'TYPE'} eq 'net') {
4058 if ($cgiparams{'SIDE'} ne 'server' && $cgiparams{'REMOTE'} eq '') {
4059 $errormessage = $Lang::tr{'invalid input for remote host/ip'};
c125d8a2 4060
86228a56
MT		 4061 # Check if this is a N2N connection and drop temporary config.
4062 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
4063 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
ce9abb66 4064
86228a56
MT		 4065 goto VPNCONF_ERROR;
4066 }
c125d8a2 4067
86228a56
MT		 4068 # Check if a remote host/IP has been configured - the field can be empty on the server side.
4069 if ($cgiparams{'REMOTE'} ne '') {
4070 # Check if the given IP is valid - otherwise check if it is a valid domain.
4071 if (! &General::validip($cgiparams{'REMOTE'})) {
4072 # Check for a valid domain.
4073 if (! &General::validfqdn ($cgiparams{'REMOTE'})) {
4074 $errormessage = $Lang::tr{'invalid input for remote host/ip'};
c125d8a2 4075
86228a56
MT		 4076 # Check if this is a N2N connection and drop temporary config.
4077 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
4078 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
c125d8a2 4079
86228a56
MT		 4080 goto VPNCONF_ERROR;
4081 }
4082 }
6e13d0a5 4083 }
c6c9630e 4084 }
c125d8a2 4085
c6c9630e
MT		 4086 if ($cgiparams{'TYPE'} ne 'host') {
4087 unless (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) {
66c36198 4088 $errormessage = $Lang::tr{'local subnet is invalid'};
b278daf3
AH		 4089 if ($cgiparams{'TYPE'} eq 'net') {
4090 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
4091 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
4092 }
c6c9630e
MT		 4093 goto VPNCONF_ERROR;}
4094 }
4095 # Check if there is no other entry without IP-address and PSK
4096 if ($cgiparams{'REMOTE'} eq '') {
4097 foreach my $key (keys %confighash) {
66c36198
PM		 4098 if(($cgiparams{'KEY'} ne $key) &&
4099 ($confighash{$key}[4] eq 'psk' || $cgiparams{'AUTH'} eq 'psk') &&
c6c9630e
MT		 4100 $confighash{$key}[10] eq '') {
4101 $errormessage = $Lang::tr{'you can only define one roadwarrior connection when using pre-shared key authentication'};
4102 goto VPNCONF_ERROR;
6e13d0a5 4103 }
c6c9630e
MT		 4104 }
4105 }
ce9abb66
AH		 4106 if (($cgiparams{'TYPE'} eq 'net') && (! &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) {
4107 $errormessage = $Lang::tr{'remote subnet is invalid'};
b278daf3
AH		 4108 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
4109 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
4110 goto VPNCONF_ERROR;
ce9abb66 4111 }
c6c9630e 4112
425465ed
EK		 4113 # Check for N2N that OpenSSL maximum of valid days will not be exceeded
4114 if ($cgiparams{'TYPE'} eq 'net') {
4115 if ($cgiparams{'DAYS_VALID'} >= '999999') {
4116 $errormessage = $Lang::tr{'invalid input for valid till days'};
4117 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
4118 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
4119 goto VPNCONF_ERROR;
4120 }
4121 }
4122
c6c9630e
MT		 4123 if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
4124 $errormessage = $Lang::tr{'invalid input'};
4125 goto VPNCONF_ERROR;
4126 }
4127 if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) {
4128 $errormessage = $Lang::tr{'invalid input'};
4129 goto VPNCONF_ERROR;
4130 }
4131
4132#fixplausi
4133 if ($cgiparams{'AUTH'} eq 'psk') {
4134# if (! length($cgiparams{'PSK'}) ) {
4135# $errormessage = $Lang::tr{'pre-shared key is too short'};
4136# goto VPNCONF_ERROR;
4137# }
4138# if ($cgiparams{'PSK'} =~ /['",&]/) {
4139# $errormessage = $Lang::tr{'invalid characters found in pre-shared key'};
4140# goto VPNCONF_ERROR;
4141# }
4142 } elsif ($cgiparams{'AUTH'} eq 'certreq') {
4143 if ($cgiparams{'KEY'}) {
4144 $errormessage = $Lang::tr{'cant change certificates'};
4145 goto VPNCONF_ERROR;
4146 }
2ad1b18b 4147 unless (ref ($cgiparams{'FH'})) {
c6c9630e
MT		 4148 $errormessage = $Lang::tr{'there was no file upload'};
4149 goto VPNCONF_ERROR;
4150 }
4151
4152 # Move uploaded certificate request to a temporary file
4153 (my $fh, my $filename) = tempfile( );
4154 if (copy ($cgiparams{'FH'}, $fh) != 1) {
4155 $errormessage = $!;
4156 goto VPNCONF_ERROR;
4157 }
6e13d0a5 4158
c6c9630e
MT		 4159 # Sign the certificate request and move it
4160 # Sign the host certificate request
2feacd98 4161 # The system call is safe, because all arguments are passed as an array.
f6e12093 4162 system('/usr/bin/openssl', 'ca', '-days', "$cgiparams{'DAYS_VALID'}",
c6c9630e
MT		 4163 '-batch', '-notext',
4164 '-in', $filename,
4165 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
4166 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
4167 if ($?) {
4168 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
4169 unlink ($filename);
4170 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
4171 &newcleanssldatabase();
4172 goto VPNCONF_ERROR;
4173 } else {
4174 unlink ($filename);
4175 &deletebackupcert();
4176 }
4177
2feacd98
SS		 4178 my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
4179 my $temp;
4180
4181 foreach my $line (@temp) {
4182 if ($line =~ /Subject:.*CN\s?=\s?(.*)[\n]/) {
4183 $temp = $1;
4184 $temp =~ s+/Email+, E+;
4185 $temp =~ s/ ST=/ S=/;
4186
4187 last;
4188 }
4189 }
66c36198 4190
c6c9630e
MT		 4191 $cgiparams{'CERT_NAME'} = $temp;
4192 $cgiparams{'CERT_NAME'} =~ s/,//g;
4193 $cgiparams{'CERT_NAME'} =~ s/\'//g;
4194 if ($cgiparams{'CERT_NAME'} eq '') {
4195 $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
4196 goto VPNCONF_ERROR;
4197 }
4198 } elsif ($cgiparams{'AUTH'} eq 'certfile') {
4199 if ($cgiparams{'KEY'}) {
4200 $errormessage = $Lang::tr{'cant change certificates'};
4201 goto VPNCONF_ERROR;
4202 }
2ad1b18b 4203 unless (ref ($cgiparams{'FH'})) {
c6c9630e
MT		 4204 $errormessage = $Lang::tr{'there was no file upload'};
4205 goto VPNCONF_ERROR;
4206 }
4207 # Move uploaded certificate to a temporary file
4208 (my $fh, my $filename) = tempfile( );
4209 if (copy ($cgiparams{'FH'}, $fh) != 1) {
4210 $errormessage = $!;
4211 goto VPNCONF_ERROR;
4212 }
4213
4214 # Verify the certificate has a valid CA and move it
4215 my $validca = 0;
2feacd98
SS		 4216 my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/cacert.pem", "$filename");
4217 if (grep(/: OK/, @test)) {
c6c9630e
MT		 4218 $validca = 1;
4219 } else {
4220 foreach my $key (keys %cahash) {
2feacd98
SS		 4221 @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/$cahash{$key}[0]cert.pem", "$filename");
4222 if (grep(/: OK/, @test)) {
c6c9630e
MT		 4223 $validca = 1;
4224 }
6e13d0a5 4225 }
c6c9630e
MT		 4226 }
4227 if (! $validca) {
4228 $errormessage = $Lang::tr{'certificate does not have a valid ca associated with it'};
4229 unlink ($filename);
4230 goto VPNCONF_ERROR;
4231 } else {
cc79d281 4232 unless(move($filename, "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem")) {
c6c9630e
MT		 4233 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
4234 unlink ($filename);
4235 goto VPNCONF_ERROR;
6e13d0a5 4236 }
c6c9630e
MT		 4237 }
4238
2feacd98
SS		 4239 my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
4240 my $temp;
4241
4242 foreach my $line (@temp) {
4243 if ($line =~ /Subject:.*CN\s?=\s?(.*)[\n]/) {
4244 $temp = $1;
4245 $temp =~ s+/Email+, E+;
4246 $temp =~ s/ ST=/ S=/;
4247
4248 last;
4249 }
4250 }
4251
c6c9630e
MT		 4252 $cgiparams{'CERT_NAME'} = $temp;
4253 $cgiparams{'CERT_NAME'} =~ s/,//g;
4254 $cgiparams{'CERT_NAME'} =~ s/\'//g;
4255 if ($cgiparams{'CERT_NAME'} eq '') {
4256 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
4257 $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
4258 goto VPNCONF_ERROR;
4259 }
4260 } elsif ($cgiparams{'AUTH'} eq 'certgen') {
4261 if ($cgiparams{'KEY'}) {
4262 $errormessage = $Lang::tr{'cant change certificates'};
4263 goto VPNCONF_ERROR;
4264 }
4265 # Validate input since the form was submitted
4266 if (length($cgiparams{'CERT_NAME'}) >60) {
4267 $errormessage = $Lang::tr{'name too long'};
4268 goto VPNCONF_ERROR;
4269 }
194314b2 4270 if ($cgiparams{'CERT_NAME'} eq '' || $cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
c6c9630e
MT		 4271 $errormessage = $Lang::tr{'invalid input for name'};
4272 goto VPNCONF_ERROR;
4273 }
4274 if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) {
4275 $errormessage = $Lang::tr{'invalid input for e-mail address'};
4276 goto VPNCONF_ERROR;
4277 }
4278 if (length($cgiparams{'CERT_EMAIL'}) > 40) {
4279 $errormessage = $Lang::tr{'e-mail address too long'};
4280 goto VPNCONF_ERROR;
4281 }
4282 if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
4283 $errormessage = $Lang::tr{'invalid input for department'};
4284 goto VPNCONF_ERROR;
4285 }
4286 if (length($cgiparams{'CERT_ORGANIZATION'}) >60) {
4287 $errormessage = $Lang::tr{'organization too long'};
4288 goto VPNCONF_ERROR;
4289 }
4290 if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
4291 $errormessage = $Lang::tr{'invalid input for organization'};
4292 goto VPNCONF_ERROR;
4293 }
4294 if ($cgiparams{'CERT_CITY'} ne '' && $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
4295 $errormessage = $Lang::tr{'invalid input for city'};
4296 goto VPNCONF_ERROR;
4297 }
4298 if ($cgiparams{'CERT_STATE'} ne '' && $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
4299 $errormessage = $Lang::tr{'invalid input for state or province'};
4300 goto VPNCONF_ERROR;
4301 }
4302 if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) {
4303 $errormessage = $Lang::tr{'invalid input for country'};
4304 goto VPNCONF_ERROR;
4305 }
4306 if ($cgiparams{'CERT_PASS1'} ne '' && $cgiparams{'CERT_PASS2'} ne ''){
4307 if (length($cgiparams{'CERT_PASS1'}) < 5) {
4308 $errormessage = $Lang::tr{'password too short'};
4309 goto VPNCONF_ERROR;
6e13d0a5 4310 }
66c36198 4311 }
c6c9630e
MT		 4312 if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) {
4313 $errormessage = $Lang::tr{'passwords do not match'};
4314 goto VPNCONF_ERROR;
4315 }
425465ed 4316 if ($cgiparams{'DAYS_VALID'} eq '' && $cgiparams{'DAYS_VALID'} !~ /^[0-9]+$/) {
f4fbb935
EK		 4317 $errormessage = $Lang::tr{'invalid input for valid till days'};
4318 goto VPNCONF_ERROR;
4319 }
c6c9630e 4320
425465ed
EK		 4321 # Check for RW that OpenSSL maximum of valid days will not be exceeded
4322 if ($cgiparams{'TYPE'} eq 'host') {
4323 if ($cgiparams{'DAYS_VALID'} >= '999999') {
4324 $errormessage = $Lang::tr{'invalid input for valid till days'};
4325 goto VPNCONF_ERROR;
4326 }
4327 }
4328
beac479f
EK		 4329 # Check for RW if client name is already set
4330 if ($cgiparams{'TYPE'} eq 'host') {
4331 foreach my $key (keys %confighash) {
4332 if ($confighash{$key}[1] eq $cgiparams{'NAME'}) {
4333 $errormessage = $Lang::tr{'a connection with this name already exists'};
4334 goto VPNCONF_ERROR;
4335 }
4336 }
4337 }
4338
c6c9630e
MT		 4339 # Replace empty strings with a .
4340 (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./;
4341 (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./;
4342 (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./;
4343
4344 # Create the Host certificate request client
4345 my $pid = open(OPENSSL, "|-");
4346 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto VPNCONF_ERROR;};
4347 if ($pid) { # parent
4348 print OPENSSL "$cgiparams{'CERT_COUNTRY'}\n";
4349 print OPENSSL "$state\n";
4350 print OPENSSL "$city\n";
4351 print OPENSSL "$cgiparams{'CERT_ORGANIZATION'}\n";
4352 print OPENSSL "$ou\n";
4353 print OPENSSL "$cgiparams{'CERT_NAME'}\n";
4354 print OPENSSL "$cgiparams{'CERT_EMAIL'}\n";
4355 print OPENSSL ".\n";
4356 print OPENSSL ".\n";
4357 close (OPENSSL);
4358 if ($?) {
4359 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
4360 unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}key.pem");
4361 unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}req.pem");
4362 goto VPNCONF_ERROR;
6e13d0a5 4363 }
c6c9630e 4364 } else { # child
badd8c1c 4365 unless (exec ('/usr/bin/openssl', 'req', '-nodes',
4c962356 4366 '-newkey', 'rsa:2048',
c6c9630e
MT		 4367 '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
4368 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
4369 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
4370 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
4371 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
4372 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
4373 goto VPNCONF_ERROR;
6e13d0a5 4374 }
c6c9630e 4375 }
66c36198 4376
c6c9630e 4377 # Sign the host certificate request
2feacd98 4378 # The system call is safe, because all arguments are passed as an array.
f6e12093 4379 system('/usr/bin/openssl', 'ca', '-days', "$cgiparams{'DAYS_VALID'}",
c6c9630e
MT		 4380 '-batch', '-notext',
4381 '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
4382 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
4383 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
4384 if ($?) {
4385 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
4386 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
4387 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
4388 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
4389 &newcleanssldatabase();
4390 goto VPNCONF_ERROR;
4391 } else {
4392 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
4393 &deletebackupcert();
4394 }
4395
4396 # Create the pkcs12 file
2feacd98 4397 # The system call is safe, because all arguments are passed as an array.
66c36198 4398 system('/usr/bin/openssl', 'pkcs12', '-export',
c6c9630e
MT		 4399 '-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
4400 '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
4401 '-name', $cgiparams{'NAME'},
4402 '-passout', "pass:$cgiparams{'CERT_PASS1'}",
66c36198 4403 '-certfile', "${General::swroot}/ovpn/ca/cacert.pem",
c6c9630e
MT		 4404 '-caname', "$vpnsettings{'ROOTCERT_ORGANIZATION'} CA",
4405 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12");
4406 if ($?) {
4407 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
4408 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
4409 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
4410 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12");
4411 goto VPNCONF_ERROR;
4412 } else {
4413 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
4414 }
4415 } elsif ($cgiparams{'AUTH'} eq 'cert') {
4416 ;# Nothing, just editing
4417 } else {
4418 $errormessage = $Lang::tr{'invalid input for authentication method'};
4419 goto VPNCONF_ERROR;
4420 }
4421
4422 # Check if there is no other entry with this common name
4423 if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk')) {
4424 foreach my $key (keys %confighash) {
4425 if ($confighash{$key}[2] eq $cgiparams{'CERT_NAME'}) {
4426 $errormessage = $Lang::tr{'a connection with this common name already exists'};
4427 goto VPNCONF_ERROR;
6e13d0a5 4428 }
c6c9630e
MT		 4429 }
4430 }
4431
ab4cf06c 4432 # Save the config
c6c9630e 4433 my $key = $cgiparams{'KEY'};
66c36198 4434
c6c9630e
MT		 4435 if (! $key) {
4436 $key = &General::findhasharraykey (\%confighash);
49abe7af 4437 foreach my $i (0 .. 43) { $confighash{$key}[$i] = "";}
c6c9630e 4438 }
8c877a82
AM		 4439 $confighash{$key}[0] = $cgiparams{'ENABLED'};
4440 $confighash{$key}[1] = $cgiparams{'NAME'};
c6c9630e 4441 if ((! $cgiparams{'KEY'}) && $cgiparams{'AUTH'} ne 'psk') {
8c877a82 4442 $confighash{$key}[2] = $cgiparams{'CERT_NAME'};
c6c9630e 4443 }
66c36198 4444
8c877a82 4445 $confighash{$key}[3] = $cgiparams{'TYPE'};
c6c9630e 4446 if ($cgiparams{'AUTH'} eq 'psk') {
8c877a82
AM		 4447 $confighash{$key}[4] = 'psk';
4448 $confighash{$key}[5] = $cgiparams{'PSK'};
c6c9630e 4449 } else {
8c877a82 4450 $confighash{$key}[4] = 'cert';
c6c9630e 4451 }
ce9abb66 4452 if ($cgiparams{'TYPE'} eq 'net') {
8c877a82
AM		 4453 $confighash{$key}[6] = $cgiparams{'SIDE'};
4454 $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'};
ce9abb66 4455 }
4c962356 4456 $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'};
8c877a82 4457 $confighash{$key}[10] = $cgiparams{'REMOTE'};
4c962356 4458 if ($cgiparams{'OVPN_MGMT'} eq '') {
8c877a82 4459 $confighash{$key}[22] = $confighash{$key}[29];
4c962356 4460 } else {
8c877a82 4461 $confighash{$key}[22] = $cgiparams{'OVPN_MGMT'};
4c962356 4462 }
8c877a82
AM		 4463 $confighash{$key}[23] = $cgiparams{'MSSFIX'};
4464 $confighash{$key}[24] = $cgiparams{'FRAGMENT'};
4465 $confighash{$key}[25] = $cgiparams{'REMARK'};
4466 $confighash{$key}[26] = $cgiparams{'INTERFACE'};
66c36198 4467# new fields
8c877a82
AM		 4468 $confighash{$key}[27] = $cgiparams{'OVPN_SUBNET'};
4469 $confighash{$key}[28] = $cgiparams{'PROTOCOL'};
4470 $confighash{$key}[29] = $cgiparams{'DEST_PORT'};
4471 $confighash{$key}[30] = $cgiparams{'COMPLZO'};
4472 $confighash{$key}[31] = $cgiparams{'MTU'};
4473 $confighash{$key}[32] = $cgiparams{'CHECK1'};
df9b48b7 4474 $name=$cgiparams{'CHECK1'};
8c877a82
AM		 4475 $confighash{$key}[33] = $cgiparams{$name};
4476 $confighash{$key}[34] = $cgiparams{'RG'};
4477 $confighash{$key}[35] = $cgiparams{'CCD_DNS1'};
4478 $confighash{$key}[36] = $cgiparams{'CCD_DNS2'};
4479 $confighash{$key}[37] = $cgiparams{'CCD_WINS'};
4c962356
EK		 4480 $confighash{$key}[39] = $cgiparams{'DAUTH'};
4481 $confighash{$key}[40] = $cgiparams{'DCIPHER'};
350f2980 4482
71af643c
MT		 4483 if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
4484 $confighash{$key}[41] = "no-pass";
4485 }
4486
e1e10515
TE		 4487 $confighash{$key}[42] = 'HOTP/T30/6';
4488 $confighash{$key}[43] = $cgiparams{'OTP_STATE'};
16d4a5c2 4489 if (($confighash{$key}[43] eq 'on') && ($confighash{$key}[44] eq '')) {
e1e10515 4490 my @otp_secret = &General::system_output("/usr/bin/openssl", "rand", "-hex", "20");
209d62f0 4491 chomp($otp_secret[0]);
e1e10515 4492 $confighash{$key}[44] = $otp_secret[0];
16d4a5c2 4493 } elsif ($confighash{$key}[43] eq '') {
e1e10515
TE		 4494 $confighash{$key}[44] = '';
4495 }
4496
c6c9630e 4497 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
66c36198 4498
8c877a82 4499 if ($cgiparams{'CHECK1'} ){
66c36198 4500
8c877a82
AM		 4501 my ($ccdip,$ccdsub)=split "/",$cgiparams{$name};
4502 my ($a,$b,$c,$d) = split (/\./,$ccdip);
df9b48b7
AM		 4503 if ( -e "${General::swroot}/ovpn/ccd/$confighash{$key}[2]"){
4504 unlink "${General::swroot}/ovpn/ccd/$cgiparams{'CERT_NAME'}";
4505 }
8c877a82 4506 open ( CCDRWCONF,'>',"${General::swroot}/ovpn/ccd/$confighash{$key}[2]") or die "Unable to create clientconfigfile $!";
82c809c7 4507 print CCDRWCONF "# OpenVPN clientconfig from ccd extension by Copymaster#\n\n";
8c877a82
AM		 4508 if($cgiparams{'CHECK1'} eq 'dynamic'){
4509 print CCDRWCONF "#This client uses the dynamic pool\n";
4510 }else{
82c809c7 4511 print CCDRWCONF "#Ip address client and server\n";
8c877a82
AM		 4512 print CCDRWCONF "ifconfig-push $ccdip ".&General::getlastip($ccdip,1)."\n";
4513 }
4514 if ($confighash{$key}[34] eq 'on'){
4515 print CCDRWCONF "\n#Redirect Gateway: \n#All IP traffic is redirected through the vpn \n";
4516 print CCDRWCONF "push redirect-gateway\n";
4517 }
52d08bcb 4518 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
8c877a82 4519 if ($cgiparams{'IR'} ne ''){
82c809c7 4520 print CCDRWCONF "\n#Client routes these networks (behind Client)\n";
8c877a82
AM		 4521 foreach my $key (keys %ccdroutehash){
4522 if ($ccdroutehash{$key}[0] eq $cgiparams{'NAME'}){
4523 foreach my $i ( 1 .. $#{$ccdroutehash{$key}}){
4524 my ($a,$b)=split (/\//,$ccdroutehash{$key}[$i]);
4525 print CCDRWCONF "iroute $a $b\n";
4526 }
4527 }
4528 }
4529 }
52d08bcb 4530 if ($cgiparams{'IFROUTE'} eq $Lang::tr{'ccd none'} ){$cgiparams{'IFROUTE'}='';}
8c877a82 4531 if ($cgiparams{'IFROUTE'} ne ''){
82c809c7 4532 print CCDRWCONF "\n#Client gets routes to these networks (behind IPFire)\n";
8c877a82
AM		 4533 foreach my $key (keys %ccdroute2hash){
4534 if ($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}){
4535 foreach my $i ( 1 .. $#{$ccdroute2hash{$key}}){
4536 if($ccdroute2hash{$key}[$i] eq $Lang::tr{'blue'}){
4537 my %blue=();
4538 &General::readhash("${General::swroot}/ethernet/settings", \%blue);
52d08bcb 4539 print CCDRWCONF "push \"route $blue{BLUE_ADDRESS} $blue{BLUE_NETMASK}\n";
8c877a82
AM		 4540 }elsif($ccdroute2hash{$key}[$i] eq $Lang::tr{'orange'}){
4541 my %orange=();
4542 &General::readhash("${General::swroot}/ethernet/settings", \%orange);
4543 print CCDRWCONF "push \"route $orange{ORANGE_ADDRESS} $orange{ORANGE_NETMASK}\n";
4544 }else{
4545 my ($a,$b)=split (/\//,$ccdroute2hash{$key}[$i]);
4546 print CCDRWCONF "push \"route $a $b\"\n";
4547 }
4548 }
4549 }
4550 }
4551 }
4552 if(($cgiparams{'CCD_DNS1'} eq '') && ($cgiparams{'CCD_DNS1'} ne '')){ $cgiparams{'CCD_DNS1'} = $cgiparams{'CCD_DNS2'};$cgiparams{'CCD_DNS2'}='';}
4553 if($cgiparams{'CCD_DNS1'} ne ''){
82c809c7 4554 print CCDRWCONF "\n#Client gets these nameservers\n";
8c877a82
AM		 4555 print CCDRWCONF "push \"dhcp-option DNS $cgiparams{'CCD_DNS1'}\" \n";
4556 }
4557 if($cgiparams{'CCD_DNS2'} ne ''){
4558 print CCDRWCONF "push \"dhcp-option DNS $cgiparams{'CCD_DNS2'}\" \n";
4559 }
4560 if($cgiparams{'CCD_WINS'} ne ''){
4561 print CCDRWCONF "\n#Client gets this WINS server\n";
4562 print CCDRWCONF "push \"dhcp-option WINS $cgiparams{'CCD_WINS'}\" \n";
4563 }
4564 close CCDRWCONF;
4565 }
18837a6a
AH		 4566
4567###
4568# m.a.d n2n begin
4569###
66c36198 4570
18837a6a 4571 if ($cgiparams{'TYPE'} eq 'net') {
66c36198 4572
2feacd98
SS		 4573 if (-e "/var/run/$confighash{$key}[1]n2n.pid") {
4574 &General::system("/usr/local/bin/openvpnctrl", "-kn2n", "$confighash{$cgiparams{'KEY'}}[1]");
66c36198 4575
2feacd98
SS		 4576 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
4577 my $key = $cgiparams{'KEY'};
4578 if (! $key) {
4579 $key = &General::findhasharraykey (\%confighash);
4580 foreach my $i (0 .. 31) {
4581 $confighash{$key}[$i] = "";
4582 }
4583 }
4584
4585 $confighash{$key}[0] = 'on';
4586 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
66c36198 4587
2feacd98
SS		 4588 &General::system("/usr/local/bin/openvpnctrl", "-sn2n", "$confighash{$cgiparams{'KEY'}}[1]");
4589 }
4590 }
18837a6a
AH		 4591
4592###
4593# m.a.d n2n end
66c36198 4594###
18837a6a 4595
c6c9630e
MT		 4596 if ($cgiparams{'EDIT_ADVANCED'} eq 'on') {
4597 $cgiparams{'KEY'} = $key;
4598 $cgiparams{'ACTION'} = $Lang::tr{'advanced'};
4599 }
4600 goto VPNCONF_END;
6e13d0a5 4601 } else {
c6c9630e 4602 $cgiparams{'ENABLED'} = 'on';
54fd0535
MT		 4603###
4604# m.a.d n2n begin
66c36198 4605###
54fd0535
MT		 4606 $cgiparams{'MSSFIX'} = 'on';
4607 $cgiparams{'FRAGMENT'} = '1300';
70900745 4608 $cgiparams{'DAUTH'} = 'SHA512';
54fd0535
MT		 4609###
4610# m.a.d n2n end
66c36198 4611###
4c962356 4612 $cgiparams{'SIDE'} = 'left';
c6c9630e
MT		 4613 if ( ! -f "${General::swroot}/ovpn/ca/cakey.pem" ) {
4614 $cgiparams{'AUTH'} = 'psk';
4615 } elsif ( ! -f "${General::swroot}/ovpn/ca/cacert.pem") {
4616 $cgiparams{'AUTH'} = 'certfile';
4617 } else {
6e13d0a5 4618 $cgiparams{'AUTH'} = 'certgen';
c6c9630e
MT		 4619 }
4620 $cgiparams{'LOCAL_SUBNET'} ="$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
4621 $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'};
4622 $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'};
4623 $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'};
4624 $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'};
c0a7c9b2 4625 $cgiparams{'DAYS_VALID'} = $vpnsettings{'DAYS_VALID'} = '730';
6e13d0a5 4626 }
c6c9630e 4627
6e13d0a5 4628 VPNCONF_ERROR:
6e13d0a5
MT		 4629 $checked{'ENABLED'}{'off'} = '';
4630 $checked{'ENABLED'}{'on'} = '';
4631 $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = 'CHECKED';
4632 $checked{'ENABLED_BLUE'}{'off'} = '';
4633 $checked{'ENABLED_BLUE'}{'on'} = '';
4634 $checked{'ENABLED_BLUE'}{$cgiparams{'ENABLED_BLUE'}} = 'CHECKED';
4635 $checked{'ENABLED_ORANGE'}{'off'} = '';
4636 $checked{'ENABLED_ORANGE'}{'on'} = '';
4637 $checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = 'CHECKED';
c6c9630e
MT		 4638
4639
6e13d0a5
MT		 4640 $checked{'EDIT_ADVANCED'}{'off'} = '';
4641 $checked{'EDIT_ADVANCED'}{'on'} = '';
4642 $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = 'CHECKED';
c6c9630e 4643
6e13d0a5
MT		 4644 $selected{'SIDE'}{'server'} = '';
4645 $selected{'SIDE'}{'client'} = '';
4646 $selected{'SIDE'}{$cgiparams{'SIDE'}} = 'SELECTED';
66c36198 4647
d96c89eb
AH		 4648 $selected{'PROTOCOL'}{'udp'} = '';
4649 $selected{'PROTOCOL'}{'tcp'} = '';
4650 $selected{'PROTOCOL'}{$cgiparams{'PROTOCOL'}} = 'SELECTED';
4651
c6c9630e 4652
6e13d0a5
MT		 4653 $checked{'AUTH'}{'psk'} = '';
4654 $checked{'AUTH'}{'certreq'} = '';
4655 $checked{'AUTH'}{'certgen'} = '';
4656 $checked{'AUTH'}{'certfile'} = '';
4657 $checked{'AUTH'}{$cgiparams{'AUTH'}} = 'CHECKED';
c6c9630e 4658
6e13d0a5 4659 $selected{'INTERFACE'}{$cgiparams{'INTERFACE'}} = 'SELECTED';
66c36198 4660
6e13d0a5
MT		 4661 $checked{'COMPLZO'}{'off'} = '';
4662 $checked{'COMPLZO'}{'on'} = '';
4663 $checked{'COMPLZO'}{$cgiparams{'COMPLZO'}} = 'CHECKED';
c6c9630e 4664
d96c89eb
AH		 4665 $checked{'MSSFIX'}{'off'} = '';
4666 $checked{'MSSFIX'}{'on'} = '';
4667 $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
4668
52f61e49
EKD		 4669 $selected{'DCIPHER'}{'AES-256-GCM'} = '';
4670 $selected{'DCIPHER'}{'AES-192-GCM'} = '';
4671 $selected{'DCIPHER'}{'AES-128-GCM'} = '';
4c962356
EK		 4672 $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
4673 $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
4674 $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
4675 $selected{'DCIPHER'}{'AES-256-CBC'} = '';
4676 $selected{'DCIPHER'}{'AES-192-CBC'} = '';
4677 $selected{'DCIPHER'}{'AES-128-CBC'} = '';
4678 $selected{'DCIPHER'}{'DESX-CBC'} = '';
4679 $selected{'DCIPHER'}{'SEED-CBC'} = '';
4680 $selected{'DCIPHER'}{'DES-EDE3-CBC'} = '';
4681 $selected{'DCIPHER'}{'DES-EDE-CBC'} = '';
4682 $selected{'DCIPHER'}{'CAST5-CBC'} = '';
4683 $selected{'DCIPHER'}{'BF-CBC'} = '';
4c962356 4684 $selected{'DCIPHER'}{'DES-CBC'} = '';
49abe7af
EK		 4685 # If no cipher has been chossen yet, select
4686 # the old default (AES-256-CBC) for compatiblity reasons.
4687 if ($cgiparams{'DCIPHER'} eq '') {
4688 $cgiparams{'DCIPHER'} = 'AES-256-CBC';
4689 }
4c962356 4690 $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED';
49abe7af
EK		 4691 $selected{'DAUTH'}{'whirlpool'} = '';
4692 $selected{'DAUTH'}{'SHA512'} = '';
4693 $selected{'DAUTH'}{'SHA384'} = '';
4694 $selected{'DAUTH'}{'SHA256'} = '';
4695 $selected{'DAUTH'}{'SHA1'} = '';
49abe7af 4696 $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';
0c4ffc69
EK		 4697 $checked{'TLSAUTH'}{'off'} = '';
4698 $checked{'TLSAUTH'}{'on'} = '';
4699 $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED';
49abe7af 4700
6e13d0a5
MT		 4701 if (1) {
4702 &Header::showhttpheaders();
4c962356 4703 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
6e13d0a5
MT		 4704 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
4705 if ($errormessage) {
4706 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
4707 print "<class name='base'>$errormessage";
4708 print "&nbsp;</class>";
4709 &Header::closebox();
4710 }
c6c9630e 4711
6e13d0a5
MT		 4712 if ($warnmessage) {
4713 &Header::openbox('100%', 'LEFT', "$Lang::tr{'warning messages'}:");
4714 print "<class name='base'>$warnmessage";
4715 print "&nbsp;</class>";
4716 &Header::closebox();
4717 }
c6c9630e 4718
6e13d0a5 4719 print "<form method='post' enctype='multipart/form-data'>";
ce9abb66 4720 print "<input type='hidden' name='TYPE' value='$cgiparams{'TYPE'}' />";
c6c9630e 4721
6e13d0a5
MT		 4722 if ($cgiparams{'KEY'}) {
4723 print "<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />";
4724 print "<input type='hidden' name='AUTH' value='$cgiparams{'AUTH'}' />";
6e13d0a5 4725 }
c6c9630e 4726
6e13d0a5 4727 &Header::openbox('100%', 'LEFT', "$Lang::tr{'connection'}:");
8c877a82 4728 print "<table width='100%' border='0'>\n";
4c962356 4729
e3edceeb 4730 print "<tr><td width='14%' class='boldbase'>$Lang::tr{'name'}:&nbsp;<img src='/blob.gif' alt='*' /></td>";
66c36198 4731
ce9abb66 4732 if ($cgiparams{'TYPE'} eq 'host') {
6e13d0a5 4733 if ($cgiparams{'KEY'}) {
8c877a82 4734 print "<td width='35%' class='base'><input type='hidden' name='NAME' value='$cgiparams{'NAME'}' />$cgiparams{'NAME'}</td>";
6e13d0a5
MT		 4735 } else {
4736 print "<td width='35%'><input type='text' name='NAME' value='$cgiparams{'NAME'}' maxlength='20' size='30' /></td>";
4737 }
c6c9630e
MT		 4738# print "<tr><td>$Lang::tr{'interface'}</td>";
4739# print "<td><select name='INTERFACE'>";
4740# print "<option value='RED' $selected{'INTERFACE'}{'RED'}>RED</option>";
4c962356
EK		 4741# if ($netsettings{'BLUE_DEV'} ne '') {
4742# print "<option value='BLUE' $selected{'INTERFACE'}{'BLUE'}>BLUE</option>";
4743# }
4744# print "<option value='GREEN' $selected{'INTERFACE'}{'GREEN'}>GREEN</option>";
4745# print "<option value='ORANGE' $selected{'INTERFACE'}{'ORANGE'}>ORANGE</option>";
4746# print "</select></td></tr>";
4747# print <<END;
ce9abb66
AH		 4748 } else {
4749 print "<input type='hidden' name='INTERFACE' value='red' />";
4750 if ($cgiparams{'KEY'}) {
4751 print "<td width='25%' class='base' nowrap='nowrap'><input type='hidden' name='NAME' value='$cgiparams{'NAME'}' />$cgiparams{'NAME'}</td>";
4752 } else {
4753 print "<td width='25%'><input type='text' name='NAME' value='$cgiparams{'NAME'}' maxlength='20' /></td>";
4754 }
52f61e49
EKD		 4755
4756 # If GCM ciphers are in usage, HMAC menu is disabled
4757 my $hmacdisabled;
4758 if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') ||
4759 ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') ||
4760 ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) {
4761 $hmacdisabled = "disabled='disabled'";
4762 };
4763
4c962356 4764 print <<END;
ce9abb66 4765 <td width='25%'>&nbsp;</td>
66c36198 4766 <td width='25%'>&nbsp;</td></tr>
f527e53f
EK		 4767 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'Act as'}</td>
4768 <td><select name='SIDE'>
4769 <option value='server' $selected{'SIDE'}{'server'}>$Lang::tr{'openvpn server'}</option>
4770 <option value='client' $selected{'SIDE'}{'client'}>$Lang::tr{'openvpn client'}</option>
4771 </select>
4772 </td>
4c962356 4773
f527e53f
EK		 4774 <td class='boldbase'>$Lang::tr{'remote host/ip'}:</td>
4775 <td><input type='TEXT' name='REMOTE' value='$cgiparams{'REMOTE'}' /></td>
4776 </tr>
4c962356 4777
e3edceeb 4778 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'local subnet'}&nbsp;<img src='/blob.gif' alt='*' /></td>
f527e53f 4779 <td><input type='TEXT' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' /></td>
4c962356 4780
e3edceeb 4781 <td class='boldbase' nowrap='nowrap'>$Lang::tr{'remote subnet'}&nbsp;<img src='/blob.gif' alt='*' /></td>
f527e53f
EK		 4782 <td><input type='text' name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' /></td>
4783 </tr>
4c962356 4784
e3edceeb 4785 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn subnet'}&nbsp;<img src='/blob.gif' alt='*' /></td>
f527e53f 4786 <td><input type='TEXT' name='OVPN_SUBNET' value='$cgiparams{'OVPN_SUBNET'}' /></td>
49abe7af 4787
f527e53f
EK		 4788 <td class='boldbase' nowrap='nowrap'>$Lang::tr{'protocol'}</td>
4789 <td><select name='PROTOCOL'>
4790 <option value='udp' $selected{'PROTOCOL'}{'udp'}>UDP</option>
4791 <option value='tcp' $selected{'PROTOCOL'}{'tcp'}>TCP</option></select></td>
4792 </tr>
66c36198 4793
f527e53f 4794 <tr>
e3edceeb 4795 <td class='boldbase'>$Lang::tr{'destination port'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
f527e53f 4796 <td><input type='TEXT' name='DEST_PORT' value='$cgiparams{'DEST_PORT'}' size='5' /></td>
4c962356 4797
e3edceeb 4798 <td class='boldbase' nowrap='nowrap'>Management Port ($Lang::tr{'openvpn default'}: <span class="base">$Lang::tr{'destination port'}):</td>
f527e53f
EK		 4799 <td> <input type='TEXT' name='OVPN_MGMT' VALUE='$cgiparams{'OVPN_MGMT'}'size='5' /></td>
4800 </tr>
49abe7af 4801
f527e53f 4802 <tr><td colspan=4><hr /></td></tr><tr>
66c36198 4803
f527e53f
EK		 4804 <tr>
4805 <td class'base'><b>$Lang::tr{'MTU settings'}</b></td>
4806 </tr>
49abe7af 4807
e3edceeb 4808 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'MTU'}</td>
f527e53f
EK		 4809 <td><input type='TEXT' name='MTU' VALUE='$cgiparams{'MTU'}'size='5' /></td>
4810 <td colspan='2'>$Lang::tr{'openvpn default'}: udp/tcp <span class="base">1500/1400</span></td>
4811 </tr>
4c962356 4812
e3edceeb 4813 <tr><td class='boldbase' nowrap='nowrap'>fragment:</td>
f527e53f
EK		 4814 <td><input type='TEXT' name='FRAGMENT' VALUE='$cgiparams{'FRAGMENT'}'size='5' /></td>
4815 <td>$Lang::tr{'openvpn default'}: <span class="base">1300</span></td>
4816 </tr>
4c962356 4817
e3edceeb 4818 <tr><td class='boldbase' nowrap='nowrap'>mssfix:</td>
f527e53f
EK		 4819 <td><input type='checkbox' name='MSSFIX' $checked{'MSSFIX'}{'on'} /></td>
4820 <td>$Lang::tr{'openvpn default'}: <span class="base">on</span></td>
4821 </tr>
4c962356 4822
e3edceeb 4823 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'}</td>
f527e53f
EK		 4824 <td><input type='checkbox' name='COMPLZO' $checked{'COMPLZO'}{'on'} /></td>
4825 </tr>
2ee746be 4826
f527e53f
EK		 4827<tr><td colspan=4><hr /></td></tr><tr>
4828 <tr>
4829 <td class'base'><b>$Lang::tr{'ovpn crypt options'}:</b></td>
4830 </tr>
4831
4832 <tr><td class='boldbase'>$Lang::tr{'cipher'}</td>
52f61e49
EKD		 4833 <td><select name='DCIPHER' id="n2ncipher" required>
4834 <option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
4835 <option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
4836 <option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
f527e53f
EK		 4837 <option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
4838 <option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
4839 <option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
f7fb5bc5 4840 <option value='AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'}, $Lang::tr{'default'})</option>
f527e53f
EK		 4841 <option value='AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
4842 <option value='AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
ea6dd5b0
EK		 4843 <option value='SEED-CBC' $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
4844 <option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
4845 <option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
4846 <option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
4847 <option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
4848 <option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
f527e53f
EK		 4849 </select>
4850 </td>
4851
4852 <td class='boldbase'>$Lang::tr{'ovpn ha'}:</td>
52f61e49 4853 <td><select name='DAUTH' id="n2nhmac" $hmacdisabled>
f527e53f
EK		 4854 <option value='whirlpool' $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
4855 <option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
4856 <option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
4857 <option value='SHA256' $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
f3dfb261 4858 <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
f527e53f
EK		 4859 </select>
4860 </td>
4861 </tr>
4862 <tr><td colspan=4><hr /></td></tr><tr>
4863
ce9abb66 4864END
8c877a82 4865;
ce9abb66 4866 }
52f61e49
EKD		 4867
4868#### JAVA SCRIPT ####
4869# Validate N2N cipher. If GCM will be used, HMAC menu will be disabled onchange
4870print<<END;
4871 <script>
4872 var disable_options = false;
4873 document.getElementById('n2ncipher').onchange = function () {
4874 if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM")) {
4875 document.getElementById('n2nhmac').setAttribute('disabled', true);
4876 } else {
4877 document.getElementById('n2nhmac').removeAttribute('disabled');
4878 }
4879 }
4880 </script>
4881END
4882
2ee746be 4883#jumper
e3edceeb 4884 print "<tr><td class='boldbase'>$Lang::tr{'remark title'}</td>";
8c877a82 4885 print "<td colspan='3'><input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='55' maxlength='50' /></td></tr></table>";
66c36198 4886
ce9abb66 4887 if ($cgiparams{'TYPE'} eq 'host') {
8c877a82 4888 print "<tr><td>$Lang::tr{'enabled'} <input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /></td>";
66c36198 4889 }
ce9abb66 4890
8c877a82 4891 print"</tr></table><br><br>";
66c36198
PM		 4892#A.Marx CCD new client
4893if ($cgiparams{'TYPE'} eq 'host') {
8c877a82 4894 print "<table border='0' width='100%' cellspacing='1' cellpadding='0'><tr><td colspan='3'><hr><br><b>$Lang::tr{'ccd choose net'}</td></tr><tr><td height='20' colspan='3'></td></tr>";
8c877a82
AM		 4895 my %vpnnet=();
4896 my $vpnip;
4897 &General::readhash("${General::swroot}/ovpn/settings", \%vpnnet);
4898 $vpnip=$vpnnet{'DOVPN_SUBNET'};
4899 &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
4900 my @ccdconf=();
4901 my $count=0;
4902 my $checked;
4903 $checked{'check1'}{'off'} = '';
4904 $checked{'check1'}{'on'} = '';
4905 $checked{'check1'}{$cgiparams{'CHECK1'}} = 'CHECKED';
4906 print"<tr><td align='center' width='1%' valign='top'><input type='radio' name='CHECK1' value='dynamic' checked /></td><td align='left' valign='top' width='35%'>$Lang::tr{'ccd dynrange'} ($vpnip)</td><td width='30%'>";
4907 print"</td></tr></table><br><br>";
4908 my $name=$cgiparams{'CHECK1'};
4909 $checked{'RG'}{$cgiparams{'RG'}} = 'CHECKED';
e1e10515 4910 $checked{'OTP_STATE'}{$cgiparams{'OTP_STATE'}} = 'CHECKED';
66c36198
PM		 4911
4912 if (! -z "${General::swroot}/ovpn/ccd.conf"){
8c877a82 4913 print"<table border='0' width='100%' cellspacing='1' cellpadding='0'><tr><td width='1%'></td><td width='30%' class='boldbase' align='center'><b>$Lang::tr{'ccd name'}</td><td width='15%' class='boldbase' align='center'><b>$Lang::tr{'network'}</td><td class='boldbase' align='center' width='18%'><b>$Lang::tr{'ccd clientip'}</td></tr>";
df9b48b7 4914 foreach my $key (sort { uc($ccdconfhash{$a}[0]) cmp uc($ccdconfhash{$b}[0]) } keys %ccdconfhash) {
8c877a82
AM		 4915 $count++;
4916 @ccdconf=($ccdconfhash{$key}[0],$ccdconfhash{$key}[1]);
4917 if ($count % 2){print"<tr bgcolor='$color{'color22'}'>";}else{print"<tr bgcolor='$color{'color20'}'>";}
4918 print"<td align='center' width='1%'><input type='radio' name='CHECK1' value='$ccdconf[0]' $checked{'check1'}{$ccdconf[0]}/></td><td>$ccdconf[0]</td><td width='40%' align='center'>$ccdconf[1]</td><td align='left' width='10%'>";
4919 &fillselectbox($ccdconf[1],$ccdconf[0],$cgiparams{$name});
4920 print"</td></tr>";
4921 }
4922 print "</table><br><br><hr><br><br>";
4923 }
e81be1e1 4924}
8c877a82 4925# ccd end
6e13d0a5
MT		 4926 &Header::closebox();
4927 if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') {
66c36198 4928
8c877a82 4929 } elsif (! $cgiparams{'KEY'}) {
66c36198
PM		 4930
4931
6e13d0a5
MT		 4932 my $disabled='';
4933 my $cakeydisabled='';
4934 my $cacrtdisabled='';
4935 if ( ! -f "${General::swroot}/ovpn/ca/cakey.pem" ) { $cakeydisabled = "disabled='disabled'" } else { $cakeydisabled = "" };
4936 if ( ! -f "${General::swroot}/ovpn/ca/cacert.pem" ) { $cacrtdisabled = "disabled='disabled'" } else { $cacrtdisabled = "" };
66c36198 4937
6e13d0a5 4938 &Header::openbox('100%', 'LEFT', $Lang::tr{'authentication'});
66c36198
PM		 4939
4940
ce9abb66
AH		 4941 if ($cgiparams{'TYPE'} eq 'host') {
4942
49abe7af 4943 print <<END;
6e13d0a5 4944 <table width='100%' cellpadding='0' cellspacing='5' border='0'>
66c36198 4945
ce9abb66
AH		 4946 <tr><td><input type='radio' name='AUTH' value='certreq' $checked{'AUTH'}{'certreq'} $cakeydisabled /></td><td class='base'>$Lang::tr{'upload a certificate request'}</td><td class='base' rowspan='2'><input type='file' name='FH' size='30' $cacrtdisabled></td></tr>
4947 <tr><td><input type='radio' name='AUTH' value='certfile' $checked{'AUTH'}{'certfile'} $cacrtdisabled /></td><td class='base'>$Lang::tr{'upload a certificate'}</td></tr>
54fd0535
MT		 4948 <tr><td colspan='3'>&nbsp;</td></tr>
4949 <tr><td colspan='3'><hr /></td></tr>
4950 <tr><td colspan='3'>&nbsp;</td></tr>
ce9abb66 4951 <tr><td><input type='radio' name='AUTH' value='certgen' $checked{'AUTH'}{'certgen'} $cakeydisabled /></td><td class='base'>$Lang::tr{'generate a certificate'}</td><td>&nbsp;</td></tr>
e3edceeb
LS		 4952 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'users fullname or system hostname'}:&nbsp;<img src='/blob.gif' alt='*' /></td><td class='base' nowrap='nowrap'><input type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' SIZE='32' $cakeydisabled /></td></tr>
4953 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'users email'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' SIZE='32' $cakeydisabled /></td></tr>
4954 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'users department'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' SIZE='32' $cakeydisabled /></td></tr>
4955 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'organization name'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' SIZE='32' $cakeydisabled /></td></tr>
4956 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'city'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' SIZE='32' $cakeydisabled /></td></tr>
4957 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'state or province'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' SIZE='32' $cakeydisabled /></td></tr>
ce9abb66 4958 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'country'}:</td><td class='base'><select name='CERT_COUNTRY' $cakeydisabled>
6e13d0a5 4959END
ce9abb66
AH		 4960;
4961
4962###
7c1d9faf 4963# m.a.d net2net
ce9abb66
AH		 4964###
4965
4966} else {
4967
49abe7af 4968 print <<END;
ce9abb66 4969 <table width='100%' cellpadding='0' cellspacing='5' border='0'>
66c36198 4970
ce9abb66 4971 <tr><td><input type='radio' name='AUTH' value='certgen' $checked{'AUTH'}{'certgen'} $cakeydisabled /></td><td class='base'>$Lang::tr{'generate a certificate'}</td><td>&nbsp;</td></tr>
e3edceeb
LS		 4972 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'users fullname or system hostname'}:&nbsp;<img src='/blob.gif' alt='*' /></td><td class='base' nowrap='nowrap'><input type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' SIZE='32' $cakeydisabled /></td></tr>
4973 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'users email'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' SIZE='32' $cakeydisabled /></td></tr>
4974 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'users department'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' SIZE='32' $cakeydisabled /></td></tr>
4975 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'organization name'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' SIZE='32' $cakeydisabled /></td></tr>
4976 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'city'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' SIZE='32' $cakeydisabled /></td></tr>
4977 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'state or province'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' SIZE='32' $cakeydisabled /></td></tr>
ce9abb66 4978 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'country'}:</td><td class='base'><select name='CERT_COUNTRY' $cakeydisabled>
66c36198
PM		 4979
4980
ce9abb66
AH		 4981END
4982;
4983
4984}
4985
4986###
7c1d9faf 4987# m.a.d net2net
ce9abb66 4988###
c6c9630e 4989
6e13d0a5
MT		 4990 foreach my $country (sort keys %{Countries::countries}) {
4991 print "<option value='$Countries::countries{$country}'";
4992 if ( $Countries::countries{$country} eq $cgiparams{'CERT_COUNTRY'} ) {
4993 print " selected='selected'";
4994 }
4995 print ">$country</option>";
4996 }
ce9abb66 4997###
7c1d9faf 4998# m.a.d net2net
ce9abb66
AH		 4999###
5000
5001if ($cgiparams{'TYPE'} eq 'host') {
49abe7af 5002 print <<END;
f4fbb935 5003 </select></td></tr>
425465ed 5004 <td>&nbsp;</td><td class='base'>$Lang::tr{'valid till'} (days):&nbsp;<img src='/blob.gif' alt='*' /</td>
f4fbb935
EK		 5005 <td class='base' nowrap='nowrap'><input type='text' name='DAYS_VALID' value='$cgiparams{'DAYS_VALID'}' size='32' $cakeydisabled /></td></tr>
5006 <tr><td>&nbsp;</td>
6e13d0a5
MT		 5007 <td class='base'>$Lang::tr{'pkcs12 file password'}:</td>
5008 <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS1' value='$cgiparams{'CERT_PASS1'}' size='32' $cakeydisabled /></td></tr>
f4fbb935 5009 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'pkcs12 file password'}:<br>($Lang::tr{'confirmation'})</td>
6e13d0a5 5010 <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS2' value='$cgiparams{'CERT_PASS2'}' size='32' $cakeydisabled /></td></tr>
f4fbb935
EK		 5011 <tr><td colspan='3'>&nbsp;</td></tr>
5012 <tr><td colspan='3'><hr /></td></tr>
e3edceeb 5013 <tr><td class='base' colspan='3' align='left'><img src='/blob.gif' alt='*' />&nbsp;$Lang::tr{'required field'}</td></tr>
f4fbb935 5014 </table>
ce9abb66
AH		 5015END
5016}else{
49abe7af 5017 print <<END;
f4fbb935 5018 </select></td></tr>
425465ed 5019 <td>&nbsp;</td><td class='base'>$Lang::tr{'valid till'} (days):&nbsp;<img src='/blob.gif' alt='*' /</td>
f4fbb935
EK		 5020 <td class='base' nowrap='nowrap'><input type='text' name='DAYS_VALID' value='$cgiparams{'DAYS_VALID'}' size='32' $cakeydisabled /></td></tr>
5021 <tr><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td></tr>
5022 <tr><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td></tr>
5023 <tr><td colspan='3'><hr /></td></tr>
e3edceeb 5024 <tr><td class='base' colspan='3' align='left'><img src='/blob.gif' alt='*' />&nbsp;$Lang::tr{'required field'}</td></tr>
ce9abb66 5025 </table>
66c36198 5026
c6c9630e 5027END
ce9abb66
AH		 5028}
5029
5030###
7c1d9faf 5031# m.a.d net2net
ce9abb66 5032###
c6c9630e
MT		 5033 ;
5034 &Header::closebox();
66c36198 5035
8c877a82 5036 }
e81be1e1 5037
66c36198 5038#A.Marx CCD new client
e81be1e1 5039if ($cgiparams{'TYPE'} eq 'host') {
8c877a82
AM		 5040 print"<br><br>";
5041 &Header::openbox('100%', 'LEFT', "$Lang::tr{'ccd client options'}:");
5042
66c36198 5043
8c877a82
AM		 5044 print <<END;
5045 <table border='0' width='100%'>
e1e10515 5046 <tr><td width='20%'>$Lang::tr{'enable otp'}:</td><td colspan='3'><input type='checkbox' name='OTP_STATE' $checked{'OTP_STATE'}{'on'} /></td></tr>
8c877a82
AM		 5047 <tr><td width='20%'>Redirect Gateway:</td><td colspan='3'><input type='checkbox' name='RG' $checked{'RG'}{'on'} /></td></tr>
5048 <tr><td colspan='4'><b><br>$Lang::tr{'ccd routes'}</b></td></tr>
5049 <tr><td colspan='4'>&nbsp</td></tr>
5050 <tr><td valign='top'>$Lang::tr{'ccd iroute'}</td><td align='left' width='30%'><textarea name='IR' cols='26' rows='6' wrap='off'>
5051END
66c36198 5052
8c877a82
AM		 5053 if ($cgiparams{'IR'} ne ''){
5054 print $cgiparams{'IR'};
5055 }else{
5056 &General::readhasharray ("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
5057 foreach my $key (keys %ccdroutehash) {
5058 if( $cgiparams{'NAME'} eq $ccdroutehash{$key}[0]){
5059 foreach my $i (1 .. $#{$ccdroutehash{$key}}) {
5060 if ($ccdroutehash{$key}[$i] ne ''){
5061 print $ccdroutehash{$key}[$i]."\n";
5062 }
5063 $cgiparams{'IR'} .= $ccdroutehash{$key}[$i];
5064 }
5065 }
5066 }
c6c9630e 5067 }
66c36198 5068
8c877a82
AM		 5069 print <<END;
5070</textarea></td><td valign='top' colspan='2'>$Lang::tr{'ccd iroutehint'}</td></tr>
5071 <tr><td colspan='4'><br></td></tr>
5072 <tr><td valign='top' rowspan='3'>$Lang::tr{'ccd iroute2'}</td><td align='left' valign='top' rowspan='3'><select name='IFROUTE' style="width: 205px"; size='6' multiple>
5073END
66c36198 5074
52d08bcb
AM		 5075 my $set=0;
5076 my $selorange=0;
5077 my $selblue=0;
5078 my $selgreen=0;
5079 my $helpblue=0;
5080 my $helporange=0;
5081 my $other=0;
df9b48b7 5082 my $none=0;
52d08bcb 5083 my @temp=();
66c36198 5084
8c877a82 5085 our @current = ();
52d08bcb
AM		 5086 open(FILE, "${General::swroot}/main/routing") ;
5087 @current = <FILE>;
5088 close (FILE);
66c36198 5089 &General::readhasharray ("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
df9b48b7
AM		 5090 #check for "none"
5091 foreach my $key (keys %ccdroute2hash) {
5092 if($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}){
5093 if ($ccdroute2hash{$key}[1] eq ''){
5094 $none=1;
5095 last;
5096 }
5097 }
5098 }
5099 if ($none ne '1'){
5100 print"<option>$Lang::tr{'ccd none'}</option>";
5101 }else{
5102 print"<option selected>$Lang::tr{'ccd none'}</option>";
5103 }
52d08bcb
AM		 5104 #check if static routes are defined for client
5105 foreach my $line (@current) {
66c36198 5106 chomp($line);
52d08bcb
AM		 5107 $line=~s/\s*$//g; # remove newline
5108 @temp=split(/\,/,$line);
5109 $temp[1] = '' unless defined $temp[1]; # not always populated
5110 my ($a,$b) = split(/\//,$temp[1]);
5111 $temp[1] = $a."/".&General::iporsubtocidr($b);
5112 foreach my $key (keys %ccdroute2hash) {
5113 if($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}){
5114 foreach my $i (1 .. $#{$ccdroute2hash{$key}}) {
5115 if($ccdroute2hash{$key}[$i] eq $a."/".&General::iporsubtodec($b)){
5116 $set=1;
8c877a82
AM		 5117 }
5118 }
8c877a82 5119 }
52d08bcb
AM		 5120 }
5121 if ($set == '1' && $#temp != -1){ print"<option selected>$temp[1]</option>";$set=0;}elsif($set == '0' && $#temp != -1){print"<option>$temp[1]</option>";}
66c36198 5122 }
3a445974
MT		 5123
5124 my %vpnconfig = ();
5125 &General::readhasharray("${General::swroot}/vpn/config", \%vpnconfig);
5126 foreach my $vpn (keys %vpnconfig) {
5127 # Skip all disabled VPN connections
5128 my $enabled = $vpnconfig{$vpn}[0];
5129 next unless ($enabled eq "on");
5130
5131 my $name = $vpnconfig{$vpn}[1];
5132
5133 # Remote subnets
5134 my @networks = split(/\|/, $vpnconfig{$vpn}[11]);
5135 foreach my $network (@networks) {
5136 my $selected = "";
5137
5138 foreach my $key (keys %ccdroute2hash) {
5139 if ($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}) {
5140 foreach my $i (1 .. $#{$ccdroute2hash{$key}}) {
5141 if ($ccdroute2hash{$key}[$i] eq $network) {
5142 $selected = "selected";
5143 }
5144 }
5145 }
5146 }
5147
5148 print "<option value=\"$network\" $selected>$name ($network)</option>\n";
5149 }
5150 }
5151
52d08bcb
AM		 5152 #check if green,blue,orange are defined for client
5153 foreach my $key (keys %ccdroute2hash) {
5154 if($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}){
5155 $other=1;
5156 foreach my $i (1 .. $#{$ccdroute2hash{$key}}) {
5157 if ($ccdroute2hash{$key}[$i] eq $netsettings{'GREEN_NETADDRESS'}."/".&General::iporsubtodec($netsettings{'GREEN_NETMASK'})){
5158 $selgreen=1;
5159 }
5160 if (&haveBlueNet()){
5161 if( $ccdroute2hash{$key}[$i] eq $netsettings{'BLUE_NETADDRESS'}."/".&General::iporsubtodec($netsettings{'BLUE_NETMASK'})) {
5162 $selblue=1;
5163 }
5164 }
5165 if (&haveOrangeNet()){
5166 if( $ccdroute2hash{$key}[$i] eq $netsettings{'ORANGE_NETADDRESS'}."/".&General::iporsubtodec($netsettings{'ORANGE_NETMASK'}) ) {
5167 $selorange=1;
5168 }
5169 }
5170 }
5171 }
5172 }
5173 if (&haveBlueNet() && $selblue == '1'){ print"<option selected>$Lang::tr{'blue'}</option>";$selblue=0;}elsif(&haveBlueNet() && $selblue == '0'){print"<option>$Lang::tr{'blue'}</option>";}
66c36198 5174 if (&haveOrangeNet() && $selorange == '1'){ print"<option selected>$Lang::tr{'orange'}</option>";$selorange=0;}elsif(&haveOrangeNet() && $selorange == '0'){print"<option>$Lang::tr{'orange'}</option>";}
52d08bcb 5175 if ($selgreen == '1' || $other == '0'){ print"<option selected>$Lang::tr{'green'}</option>";$set=0;}else{print"<option>$Lang::tr{'green'}</option>";};
66c36198 5176
49abe7af 5177 print<<END;
8c877a82
AM		 5178 </select></td><td valign='top'>DNS1:</td><td valign='top'><input type='TEXT' name='CCD_DNS1' value='$cgiparams{'CCD_DNS1'}' size='30' /></td></tr>
5179 <tr valign='top'><td>DNS2:</td><td><input type='TEXT' name='CCD_DNS2' value='$cgiparams{'CCD_DNS2'}' size='30' /></td></tr>
5180 <tr valign='top'><td valign='top'>WINS:</td><td><input type='TEXT' name='CCD_WINS' value='$cgiparams{'CCD_WINS'}' size='30' /></td></tr></table><br><hr>
66c36198 5181
8c877a82
AM		 5182END
5183;
5184 &Header::closebox();
e81be1e1 5185}
c6c9630e
MT		 5186 print "<div align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />";
5187 if ($cgiparams{'KEY'}) {
5188# print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced'}' />";
5189 }
5190 print "<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></div></form>";
5191 &Header::closebigbox();
5192 &Header::closepage();
5193 exit (0);
6e13d0a5 5194 }
c6c9630e 5195 VPNCONF_END:
6e13d0a5 5196}
c6c9630e
MT		 5197
5198# SETTINGS_ERROR:
6e13d0a5
MT		 5199###
5200### Default status page
5201###
c6c9630e
MT		 5202 %cgiparams = ();
5203 %cahash = ();
5204 %confighash = ();
5205 &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams);
5206 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
5207 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
5208
2feacd98
SS		 5209 open(FILE, "/var/run/ovpnserver.log");
5210 my @status = <FILE>;
5211 close(FILE);
c6c9630e
MT		 5212
5213 if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {
8c877a82
AM		 5214 if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
5215 my $ipaddr = <IPADDR>;
5216 close IPADDR;
5217 chomp ($ipaddr);
5218 $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
5219 if ($cgiparams{'VPN_IP'} eq '') {
5220 $cgiparams{'VPN_IP'} = $ipaddr;
5221 }
5222 }
c6c9630e 5223 }
66c36198 5224
6e13d0a5 5225#default setzen
c6c9630e 5226 if ($cgiparams{'DCIPHER'} eq '') {
4c962356 5227 $cgiparams{'DCIPHER'} = 'AES-256-CBC';
c6c9630e 5228 }
c6c9630e 5229 if ($cgiparams{'DDEST_PORT'} eq '') {
4c962356 5230 $cgiparams{'DDEST_PORT'} = '1194';
c6c9630e
MT		 5231 }
5232 if ($cgiparams{'DMTU'} eq '') {
4c962356
EK		 5233 $cgiparams{'DMTU'} = '1400';
5234 }
5235 if ($cgiparams{'MSSFIX'} eq '') {
5236 $cgiparams{'MSSFIX'} = 'off';
5237 }
5238 if ($cgiparams{'DAUTH'} eq '') {
86308adb
EK		 5239 if (-z "${General::swroot}/ovpn/ovpnconfig") {
5240 $cgiparams{'DAUTH'} = 'SHA512';
5241 }
5242 foreach my $key (keys %confighash) {
5243 if ($confighash{$key}[3] ne 'host') {
5244 $cgiparams{'DAUTH'} = 'SHA512';
5245 } else {
5246 $cgiparams{'DAUTH'} = 'SHA1';
5247 }
5248 }
5249 }
0c4ffc69
EK		 5250 if ($cgiparams{'TLSAUTH'} eq '') {
5251 $cgiparams{'TLSAUTH'} = 'off';
5252 }
c6c9630e 5253 if ($cgiparams{'DOVPN_SUBNET'} eq '') {
4c962356 5254 $cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0';
c6c9630e 5255 }
4c962356 5256 $checked{'ENABLED'}{'off'} = '';
c6c9630e
MT		 5257 $checked{'ENABLED'}{'on'} = '';
5258 $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = 'CHECKED';
5259 $checked{'ENABLED_BLUE'}{'off'} = '';
5260 $checked{'ENABLED_BLUE'}{'on'} = '';
5261 $checked{'ENABLED_BLUE'}{$cgiparams{'ENABLED_BLUE'}} = 'CHECKED';
5262 $checked{'ENABLED_ORANGE'}{'off'} = '';
5263 $checked{'ENABLED_ORANGE'}{'on'} = '';
5264 $checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = 'CHECKED';
c6c9630e
MT		 5265
5266 $selected{'DPROTOCOL'}{'udp'} = '';
5267 $selected{'DPROTOCOL'}{'tcp'} = '';
5268 $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
4c962356 5269
52f61e49
EKD		 5270 $selected{'DCIPHER'}{'AES-256-GCM'} = '';
5271 $selected{'DCIPHER'}{'AES-192-GCM'} = '';
5272 $selected{'DCIPHER'}{'AES-128-GCM'} = '';
4c962356
EK		 5273 $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
5274 $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
5275 $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
5276 $selected{'DCIPHER'}{'AES-256-CBC'} = '';
5277 $selected{'DCIPHER'}{'AES-192-CBC'} = '';
5278 $selected{'DCIPHER'}{'AES-128-CBC'} = '';
c6c9630e
MT		 5279 $selected{'DCIPHER'}{'DES-EDE3-CBC'} = '';
5280 $selected{'DCIPHER'}{'DESX-CBC'} = '';
4c962356
EK		 5281 $selected{'DCIPHER'}{'SEED-CBC'} = '';
5282 $selected{'DCIPHER'}{'DES-EDE-CBC'} = '';
5283 $selected{'DCIPHER'}{'CAST5-CBC'} = '';
5284 $selected{'DCIPHER'}{'BF-CBC'} = '';
4c962356 5285 $selected{'DCIPHER'}{'DES-CBC'} = '';
c6c9630e 5286 $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED';
4c962356
EK		 5287
5288 $selected{'DAUTH'}{'whirlpool'} = '';
5289 $selected{'DAUTH'}{'SHA512'} = '';
5290 $selected{'DAUTH'}{'SHA384'} = '';
5291 $selected{'DAUTH'}{'SHA256'} = '';
4c962356
EK		 5292 $selected{'DAUTH'}{'SHA1'} = '';
5293 $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';
5294
0c4ffc69
EK		 5295 $checked{'TLSAUTH'}{'off'} = '';
5296 $checked{'TLSAUTH'}{'on'} = '';
5297 $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED';
5298
c6c9630e
MT		 5299 $checked{'DCOMPLZO'}{'off'} = '';
5300 $checked{'DCOMPLZO'}{'on'} = '';
5301 $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED';
4c962356 5302
d96c89eb
AH		 5303# m.a.d
5304 $checked{'MSSFIX'}{'off'} = '';
5305 $checked{'MSSFIX'}{'on'} = '';
5306 $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
6e13d0a5 5307#new settings
c6c9630e
MT		 5308 &Header::showhttpheaders();
5309 &Header::openpage($Lang::tr{'status ovpn'}, 1, '');
5310 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
6e13d0a5 5311
c6c9630e 5312 if ($errormessage) {
6e13d0a5
MT		 5313 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
5314 print "<class name='base'>$errormessage\n";
5315 print "&nbsp;</class>\n";
5316 &Header::closebox();
c6c9630e 5317 }
6e13d0a5 5318
400c8afd
EK		 5319 if ($cryptoerror) {
5320 &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto error'});
5321 print "<class name='base'>$cryptoerror";
5322 print "&nbsp;</class>";
5323 &Header::closebox();
5324 }
5325
5326 if ($cryptowarning) {
5327 &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto warning'});
5328 print "<class name='base'>$cryptowarning";
5329 print "&nbsp;</class>";
5330 &Header::closebox();
5331 }
5332
b2e75449
MT		 5333 if ($warnmessage) {
5334 &Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'});
5335 print "$warnmessage<br>";
5336 print "$Lang::tr{'fwdfw warn1'}<br>";
5337 &Header::closebox();
5338 print"<center><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'ok'}' style='width: 5em;'></form>";
5339 &Header::closepage();
5340 exit 0;
5341 }
4d81e0f3 5342
c6c9630e
MT		 5343 my $sactive = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourred}' width='50%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'stopped'}</font></b></td></tr></table>";
5344 my $srunning = "no";
5345 my $activeonrun = "";
5346 if ( -e "/var/run/openvpn.pid"){
6e13d0a5
MT		 5347 $sactive = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourgreen}' width='50%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'running'}</font></b></td></tr></table>";
5348 $srunning ="yes";
5349 $activeonrun = "";
c6c9630e 5350 } else {
6e13d0a5 5351 $activeonrun = "disabled='disabled'";
66c36198
PM		 5352 }
5353 &Header::openbox('100%', 'LEFT', $Lang::tr{'global settings'});
4c962356 5354 print <<END;
631b67b7 5355 <table width='100%' border='0'>
c6c9630e
MT		 5356 <form method='post'>
5357 <td width='25%'>&nbsp;</td>
5358 <td width='25%'>&nbsp;</td>
5359 <td width='25%'>&nbsp;</td></tr>
5360 <tr><td class='boldbase'>$Lang::tr{'ovpn server status'}</td>
5361 <td align='left'>$sactive</td>
5362 <tr><td class='boldbase'>$Lang::tr{'ovpn on red'}</td>
8c877a82 5363 <td><input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /></td>
c6c9630e
MT		 5364END
5365;
5366 if (&haveBlueNet()) {
5367 print "<tr><td class='boldbase'>$Lang::tr{'ovpn on blue'}</td>";
5368 print "<td><input type='checkbox' name='ENABLED_BLUE' $checked{'ENABLED_BLUE'}{'on'} /></td>";
5369 }
66c36198 5370 if (&haveOrangeNet()) {
c6c9630e
MT		 5371 print "<tr><td class='boldbase'>$Lang::tr{'ovpn on orange'}</td>";
5372 print "<td><input type='checkbox' name='ENABLED_ORANGE' $checked{'ENABLED_ORANGE'}{'on'} /></td>";
86308adb
EK		 5373 }
5374
5375 print <<END;
5376
5377 <tr><td colspan='4'><br></td></tr>
5378 <tr>
5379 <td class'base'><b>$Lang::tr{'net config'}:</b></td>
5380 </tr>
5381 <tr><td colspan='1'><br></td></tr>
5382
4e17adad
CS		 5383 <tr><td class='base' nowrap='nowrap' colspan='2'>$Lang::tr{'local vpn hostname/ip'}:<br /><input type='text' name='VPN_IP' value='$cgiparams{'VPN_IP'}' size='30' /></td>
5384 <td class='boldbase' nowrap='nowrap' colspan='2'>$Lang::tr{'ovpn subnet'}<br /><input type='TEXT' name='DOVPN_SUBNET' value='$cgiparams{'DOVPN_SUBNET'}' size='30' /></td></tr>
c6c9630e
MT		 5385 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'protocol'}</td>
5386 <td><select name='DPROTOCOL'><option value='udp' $selected{'DPROTOCOL'}{'udp'}>UDP</option>
66c36198 5387 <option value='tcp' $selected{'DPROTOCOL'}{'tcp'}>TCP</option></select></td>
c6c9630e
MT		 5388 <td class='boldbase'>$Lang::tr{'destination port'}:</td>
5389 <td><input type='TEXT' name='DDEST_PORT' value='$cgiparams{'DDEST_PORT'}' size='5' /></td></tr>
5390 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'MTU'}&nbsp;</td>
bc2b3e94 5391 <td> <input type='TEXT' name='DMTU' VALUE='$cgiparams{'DMTU'}' size='5' /></td>
86308adb
EK		 5392 </tr>
5393
5394 <tr><td colspan='4'><br></td></tr>
5395 <tr>
5396 <td class'base'><b>$Lang::tr{'ovpn crypt options'}:</b></td>
5397 </tr>
5398 <tr><td colspan='1'><br></td></tr>
5399
5400 <tr>
5401 <td class='base'>$Lang::tr{'ovpn ha'}</td>
5402 <td><select name='DAUTH'>
5403 <option value='whirlpool' $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
5404 <option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
5405 <option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
5406 <option value='SHA256' $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
5407 <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
5408 </select>
5409 </td>
f527e53f 5410
4c962356
EK		 5411 <td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td>
5412 <td><select name='DCIPHER'>
52f61e49
EKD		 5413 <option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
5414 <option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
5415 <option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
4c962356 5416 <option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
f527e53f 5417 <option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
4c962356
EK		 5418 <option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
5419 <option value='AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'})</option>
5420 <option value='AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
5421 <option value='AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
4c962356 5422 <option value='SEED-CBC' $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
ea6dd5b0
EK		 5423 <option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
5424 <option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
5425 <option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
5426 <option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
5427 <option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
4c962356
EK		 5428 </select>
5429 </td>
4c962356 5430 </tr>
0c4ffc69
EK		 5431
5432 <tr><td colspan='4'><br></td></tr>
5433 <tr>
5434 <td class='base'>$Lang::tr{'ovpn tls auth'}</td>
5435 <td><input type='checkbox' name='TLSAUTH' $checked{'TLSAUTH'}{'on'} /></td>
5436 </tr>
5437
f7edf97a 5438 <tr><td colspan='4'><br><br></td></tr>
c6c9630e 5439END
66c36198
PM		 5440;
5441
c6c9630e 5442 if ( $srunning eq "yes" ) {
8c877a82
AM		 5443 print "<tr><td align='right' colspan='4'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' disabled='disabled' />";
5444 print "<input type='submit' name='ACTION' value='$Lang::tr{'ccd net'}' />";
66c36198 5445 print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />";
8c877a82 5446 print "<input type='submit' name='ACTION' value='$Lang::tr{'stop ovpn server'}' /></td></tr>";
c6c9630e 5447 } else{
8c877a82
AM		 5448 print "<tr><td align='right' colspan='4'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />";
5449 print "<input type='submit' name='ACTION' value='$Lang::tr{'ccd net'}' />";
5450 print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />";
c6c9630e
MT		 5451 if (( -e "${General::swroot}/ovpn/ca/cacert.pem" &&
5452 -e "${General::swroot}/ovpn/ca/dh1024.pem" &&
5453 -e "${General::swroot}/ovpn/certs/servercert.pem" &&
5454 -e "${General::swroot}/ovpn/certs/serverkey.pem") &&
66c36198 5455 (( $cgiparams{'ENABLED'} eq 'on') ||
c6c9630e
MT		 5456 ( $cgiparams{'ENABLED_BLUE'} eq 'on') ||
5457 ( $cgiparams{'ENABLED_ORANGE'} eq 'on'))){
8c877a82 5458 print "<input type='submit' name='ACTION' value='$Lang::tr{'start ovpn server'}' /></td></tr>";
c6c9630e 5459 } else {
66c36198
PM		 5460 print "<input type='submit' name='ACTION' value='$Lang::tr{'start ovpn server'}' disabled='disabled' /></td></tr>";
5461 }
c6c9630e
MT		 5462 }
5463 print "</form></table>";
5464 &Header::closebox();
6e13d0a5 5465
c6c9630e 5466 if ( -f "${General::swroot}/ovpn/ca/cacert.pem" ) {
ce9abb66 5467###
7c1d9faf 5468# m.a.d net2net
54fd0535 5469#<td width='25%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b><br /><img src='/images/null.gif' width='125' height='1' border='0' alt='L2089' /></td>
ce9abb66
AH		 5470###
5471
4c962356 5472 &Header::openbox('100%', 'LEFT', $Lang::tr{'connection status and controlc' });
c6c9630e 5473 ;
99bfa85c
AM		 5474 my $id = 0;
5475 my $gif;
f7edf97a 5476 my $col1="";
5b942f7f 5477 my $lastnet;
c8b51e28 5478 foreach my $key (sort { ncmp ($confighash{$a}[32],$confighash{$b}[32]) } sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) {
5b942f7f
AM		 5479 if ($confighash{$key}[32] eq "" && $confighash{$key}[3] eq 'net' ){$confighash{$key}[32]=$Lang::tr{'fwhost OpenVPN N-2-N'};}
5480 if ($confighash{$key}[32] eq "dynamic"){$confighash{$key}[32]=$Lang::tr{'ccd dynrange'};}
5481 if($id == 0){
5482 print"<b>$confighash{$key}[32]</b>";
5483 print <<END;
5484 <table width='100%' cellspacing='1' cellpadding='0' class='tbl'>
5485<tr>
5486 <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></th>
5487 <th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th>
5488 <th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
5489 <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
e1e10515 5490 <th width='5%' class='boldbase' colspan='8' align='center'><b>$Lang::tr{'action'}</b></th>
5b942f7f
AM		 5491</tr>
5492END
5493 }
5494 if ($id > 0 && $lastnet ne $confighash{$key}[32]){
5495 print "</table><br>";
5496 print"<b>$confighash{$key}[32]</b>";
5497 print <<END;
5498 <table width='100%' cellspacing='1' cellpadding='0' class='tbl'>
5499<tr>
5500 <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></th>
5501 <th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th>
5502 <th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
5503 <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
e1e10515 5504 <th width='5%' class='boldbase' colspan='8' align='center'><b>$Lang::tr{'action'}</b></th>
5b942f7f
AM		 5505</tr>
5506END
5507 }
eff2dbf8 5508 if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; }
c6c9630e 5509 if ($id % 2) {
99bfa85c
AM		 5510 print "<tr>";
5511 $col="bgcolor='$color{'color20'}'";
bb89e92a 5512 } else {
99bfa85c
AM		 5513 print "<tr>";
5514 $col="bgcolor='$color{'color22'}'";
c6c9630e 5515 }
99bfa85c
AM		 5516 print "<td align='center' nowrap='nowrap' $col>$confighash{$key}[1]</td>";
5517 print "<td align='center' nowrap='nowrap' $col>" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ")</td>";
8c877a82
AM		 5518 #if ($confighash{$key}[4] eq 'cert') {
5519 #print "<td align='left' nowrap='nowrap'>$confighash{$key}[2]</td>";
5520 #} else {
5521 #print "<td align='left'>&nbsp;</td>";
5522 #}
2feacd98
SS		 5523 my @cavalid = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem");
5524 my $cavalid;
5525
5526 foreach my $line (@cavalid) {
5527 if ($line =~ /Not After : (.*)[\n]/) {
5528 $cavalid = $1;
5529
5530 last;
5531 }
5532 }
5533
99bfa85c 5534 print "<td align='center' $col>$confighash{$key}[25]</td>";
f7edf97a
AM		 5535 $col1="bgcolor='${Header::colourred}'";
5536 my $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>";
ce9abb66 5537
c6c9630e 5538 if ($confighash{$key}[0] eq 'off') {
f7edf97a
AM		 5539 $col1="bgcolor='${Header::colourblue}'";
5540 $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>";
c6c9630e 5541 } else {
ce9abb66
AH		 5542
5543###
7c1d9faf 5544# m.a.d net2net
f7edf97a
AM		 5545###
5546
b278daf3 5547 if ($confighash{$key}[3] eq 'net') {
54fd0535
MT		 5548
5549 if (-e "/var/run/$confighash{$key}[1]n2n.pid") {
5550 my @output = "";
5551 my @tustate = "";
5552 my $tport = $confighash{$key}[22];
66c36198 5553 my $tnet = new Net::Telnet ( Timeout=>5, Errmode=>'return', Port=>$tport);
54fd0535
MT		 5554 if ($tport ne '') {
5555 $tnet->open('127.0.0.1');
5556 @output = $tnet->cmd(String => 'state', Prompt => '/(END.*\n|ERROR:.*\n)/');
5557 @tustate = split(/\,/, $output[1]);
5558###
5559#CONNECTING -- OpenVPN's initial state.
5560#WAIT -- (Client only) Waiting for initial response from server.
5561#AUTH -- (Client only) Authenticating with server.
5562#GET_CONFIG -- (Client only) Downloading configuration options from server.
5563#ASSIGN_IP -- Assigning IP address to virtual network interface.
5564#ADD_ROUTES -- Adding routes to system.
5565#CONNECTED -- Initialization Sequence Completed.
5566#RECONNECTING -- A restart has occurred.
5567#EXITING -- A graceful exit is in progress.
5568####
5569
ed4b4c19 5570 if (($tustate[1] eq 'CONNECTED') || ($tustate[1] eq 'WAIT')) {
f7edf97a
AM		 5571 $col1="bgcolor='${Header::colourgreen}'";
5572 $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>";
5573 }else {
5574 $col1="bgcolor='${Header::colourred}'";
5575 $active = "<b><font color='#FFFFFF'>$tustate[1]</font></b>";
5576 }
54fd0535 5577 }
54fd0535 5578 }
f7edf97a
AM		 5579 }else {
5580
5581 my $cn;
5582 my @match = ();
5583 foreach my $line (@status) {
5584 chomp($line);
5585 if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) {
5586 @match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line);
5587 if ($match[1] ne "Common Name") {
5588 $cn = $match[1];
5589 }
5590 $cn =~ s/[_]/ /g;
5591 if ($cn eq "$confighash{$key}[2]") {
5592 $col1="bgcolor='${Header::colourgreen}'";
5593 $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>";
5594 }
5595 }
5596 }
c6c9630e 5597 }
7c1d9faf 5598}
ce9abb66
AH		 5599
5600
4c962356 5601 print <<END;
f7edf97a 5602 <td align='center' $col1>$active</td>
66c36198 5603
99bfa85c 5604 <form method='post' name='frm${key}a'><td align='center' $col>
96096995
AM		 5605 <input type='image' name='$Lang::tr{'dl client arch'}' src='/images/openvpn.png' alt='$Lang::tr{'dl client arch'}' title='$Lang::tr{'dl client arch'}' border='0' />
5606 <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
5607 <input type='hidden' name='KEY' value='$key' />
c6c9630e
MT		 5608 </td></form>
5609END
5610 ;
71af643c
MT		 5611
5612 if ($confighash{$key}[41] eq "no-pass") {
5613 print <<END;
5614 <form method='post' name='frm${key}g'><td align='center' $col>
5615 <input type='image' name='$Lang::tr{'dl client arch insecure'}' src='/images/openvpn.png'
5616 alt='$Lang::tr{'dl client arch insecure'}' title='$Lang::tr{'dl client arch insecure'}' border='0' />
5617 <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
5618 <input type='hidden' name='MODE' value='insecure' />
5619 <input type='hidden' name='KEY' value='$key' />
5620 </td></form>
5621END
5622 } else {
5623 print "<td $col>&nbsp;</td>";
5624 }
5625
c6c9630e 5626 if ($confighash{$key}[4] eq 'cert') {
4c962356 5627 print <<END;
99bfa85c 5628 <form method='post' name='frm${key}b'><td align='center' $col>
c6c9630e
MT		 5629 <input type='image' name='$Lang::tr{'show certificate'}' src='/images/info.gif' alt='$Lang::tr{'show certificate'}' title='$Lang::tr{'show certificate'}' border='0' />
5630 <input type='hidden' name='ACTION' value='$Lang::tr{'show certificate'}' />
5631 <input type='hidden' name='KEY' value='$key' />
5632 </td></form>
5633END
5634 ; } else {
5635 print "<td>&nbsp;</td>";
5636 }
e1e10515
TE		 5637
5638 if ($confighash{$key}[43] eq 'on') {
5639 print <<END;
5640<form method='post' name='frm${key}o'><td align='center' $col>
5641<input type='image' name='$Lang::tr{'show otp qrcode'}' src='/images/qr-code.png' alt='$Lang::tr{'show otp qrcode'}' title='$Lang::tr{'show otp qrcode'}' border='0' />
5642<input type='hidden' name='ACTION' value='$Lang::tr{'show otp qrcode'}' />
5643<input type='hidden' name='KEY' value='$key' />
5644</td></form>
5645END
5646; } else {
5647 print "<td $col>&nbsp;</td>";
5648 }
5649
66c36198 5650 if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$key}[1].p12") {
4c962356 5651 print <<END;
99bfa85c 5652 <form method='post' name='frm${key}c'><td align='center' $col>
438dd0cc 5653 <input type='image' name='$Lang::tr{'download pkcs12 file'}' src='/images/media-floppy.png' alt='$Lang::tr{'download pkcs12 file'}' title='$Lang::tr{'download pkcs12 file'}' border='0' />
c6c9630e
MT		 5654 <input type='hidden' name='ACTION' value='$Lang::tr{'download pkcs12 file'}' />
5655 <input type='hidden' name='KEY' value='$key' />
5656 </td></form>
5657END
5658 ; } elsif ($confighash{$key}[4] eq 'cert') {
4c962356 5659 print <<END;
99bfa85c 5660 <form method='post' name='frm${key}c'><td align='center' $col>
438dd0cc 5661 <input type='image' name='$Lang::tr{'download certificate'}' src='/images/media-floppy.png' alt='$Lang::tr{'download certificate'}' title='$Lang::tr{'download certificate'}' border='0' />
c6c9630e
MT		 5662 <input type='hidden' name='ACTION' value='$Lang::tr{'download certificate'}' />
5663 <input type='hidden' name='KEY' value='$key' />
5664 </td></form>
5665END
5666 ; } else {
5667 print "<td>&nbsp;</td>";
5668 }
5669 print <<END
99bfa85c 5670 <form method='post' name='frm${key}d'><td align='center' $col>
c6c9630e
MT		 5671 <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$Lang::tr{'toggle enable disable'}' title='$Lang::tr{'toggle enable disable'}' border='0' />
5672 <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' />
5673 <input type='hidden' name='KEY' value='$key' />
5674 </td></form>
5675
99bfa85c 5676 <form method='post' name='frm${key}e'><td align='center' $col>
c6c9630e
MT		 5677 <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' />
5678 <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' width='20' height='20' border='0'/>
5679 <input type='hidden' name='KEY' value='$key' />
5680 </td></form>
99bfa85c 5681 <form method='post' name='frm${key}f'><td align='center' $col>
c6c9630e
MT		 5682 <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}' />
5683 <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' width='20' height='20' border='0' />
5684 <input type='hidden' name='KEY' value='$key' />
5685 </td></form>
5686 </tr>
5687END
5688 ;
5689 $id++;
5b942f7f 5690 $lastnet = $confighash{$key}[32];
c6c9630e 5691 }
5b942f7f 5692 print"</table>";
c6c9630e
MT		 5693 ;
5694
5695 # If the config file contains entries, print Key to action icons
5696 if ( $id ) {
4c962356 5697 print <<END;
8c877a82 5698 <table border='0'>
c6c9630e 5699 <tr>
4c962356
EK		 5700 <td class='boldbase'>&nbsp; <b>$Lang::tr{'legend'}:</b></td>
5701 <td>&nbsp; <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td>
5702 <td class='base'>$Lang::tr{'click to disable'}</td>
5703 <td>&nbsp; &nbsp; <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>
5704 <td class='base'>$Lang::tr{'show certificate'}</td>
5705 <td>&nbsp; &nbsp; <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td>
5706 <td class='base'>$Lang::tr{'edit'}</td>
5707 <td>&nbsp; &nbsp; <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td>
5708 <td class='base'>$Lang::tr{'remove'}</td>
c6c9630e
MT		 5709 </tr>
5710 <tr>
4c962356
EK		 5711 <td>&nbsp; </td>
5712 <td>&nbsp; <img src='/images/off.gif' alt='?OFF' /></td>
5713 <td class='base'>$Lang::tr{'click to enable'}</td>
5714 <td>&nbsp; &nbsp; <img src='/images/media-floppy.png' alt='?FLOPPY' /></td>
5715 <td class='base'>$Lang::tr{'download certificate'}</td>
5716 <td>&nbsp; &nbsp; <img src='/images/openvpn.png' alt='?RELOAD'/></td>
5717 <td class='base'>$Lang::tr{'dl client arch'}</td>
e1e10515
TE		 5718 <td>&nbsp; &nbsp; <img src='/images/qr-code.png' alt='$Lang::tr{'show otp qrcode'}'/></td>
5719 <td class='base'>$Lang::tr{'show otp qrcode'}</td>
4c962356 5720 </tr>
f7edf97a 5721 </table><br>
c6c9630e
MT		 5722END
5723 ;
5724 }
5725
4c962356 5726 print <<END;
c6c9630e
MT		 5727 <table width='100%'>
5728 <form method='post'>
4c962356
EK		 5729 <tr><td align='right'>
5730 <input type='submit' name='ACTION' value='$Lang::tr{'add'}' />
5731 <input type='submit' name='ACTION' value='$Lang::tr{'ovpn con stat'}' $activeonrun /></td>
5732 </tr>
c6c9630e
MT		 5733 </form>
5734 </table>
5735END
4c962356
EK		 5736 ;
5737 &Header::closebox();
5738 }
fd5ccb2d
EK		 5739
5740 # CA/key listing
4c962356
EK		 5741 &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate authorities'}");
5742 print <<END;
5743 <table width='100%' cellspacing='1' cellpadding='0' class='tbl'>
5744 <tr>
5745 <th width='25%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></th>
5746 <th width='65%' class='boldbase' align='center'><b>$Lang::tr{'subject'}</b></th>
5747 <th width='10%' class='boldbase' colspan='3' align='center'><b>$Lang::tr{'action'}</b></th>
5748 </tr>
5749END
5750 ;
5751 my $col1="bgcolor='$color{'color22'}'";
f7fb5bc5 5752 my $col2="bgcolor='$color{'color20'}'";
c8f50356 5753 # DH parameter line
f7fb5bc5 5754 my $col3="bgcolor='$color{'color22'}'";
fd5ccb2d
EK		 5755 # ta.key line
5756 my $col4="bgcolor='$color{'color20'}'";
f7fb5bc5 5757
4c962356 5758 if (-f "${General::swroot}/ovpn/ca/cacert.pem") {
2feacd98
SS		 5759 my @casubject = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/cacert.pem");
5760 my $casubject;
5761
5762 foreach my $line (@casubject) {
5763 if ($line =~ /Subject: (.*)[\n]/) {
5764 $casubject = $1;
5765 $casubject =~ s+/Email+, E+;
5766 $casubject =~ s/ ST=/ S=/;
5767
5768 last;
5769 }
5770 }
5771
4c962356
EK		 5772 print <<END;
5773 <tr>
5774 <td class='base' $col1>$Lang::tr{'root certificate'}</td>
5775 <td class='base' $col1>$casubject</td>
c8f50356 5776 <form method='post' name='frmrootcrta'><td width='3%' align='center' $col1>
4c962356
EK		 5777 <input type='hidden' name='ACTION' value='$Lang::tr{'show root certificate'}' />
5778 <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show root certificate'}' title='$Lang::tr{'show root certificate'}' width='20' height='20' border='0' />
c8f50356
EK		 5779 </form>
5780 <form method='post' name='frmrootcrtb'><td width='3%' align='center' $col1>
4c962356
EK		 5781 <input type='image' name='$Lang::tr{'download root certificate'}' src='/images/media-floppy.png' alt='$Lang::tr{'download root certificate'}' title='$Lang::tr{'download root certificate'}' border='0' />
5782 <input type='hidden' name='ACTION' value='$Lang::tr{'download root certificate'}' />
c8f50356
EK		 5783 </form>
5784 <td width='4%' $col1>&nbsp;</td>
5785 </tr>
4c962356
EK		 5786END
5787 ;
5788 } else {
5789 # display rootcert generation buttons
5790 print <<END;
5791 <tr>
5792 <td class='base' $col1>$Lang::tr{'root certificate'}:</td>
5793 <td class='base' $col1>$Lang::tr{'not present'}</td>
c8f50356
EK		 5794 <td colspan='3' $col1>&nbsp;</td>
5795 </tr>
4c962356
EK		 5796END
5797 ;
5798 }
5799
5800 if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
2feacd98
SS		 5801 my @hostsubject = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
5802 my $hostsubject;
5803
5804 foreach my $line (@hostsubject) {
5805 if ($line =~ /Subject: (.*)[\n]/) {
5806 $hostsubject = $1;
5807 $hostsubject =~ s+/Email+, E+;
5808 $hostsubject =~ s/ ST=/ S=/;
5809
5810 last;
5811 }
5812 }
4c962356
EK		 5813
5814 print <<END;
5815 <tr>
5816 <td class='base' $col2>$Lang::tr{'host certificate'}</td>
5817 <td class='base' $col2>$hostsubject</td>
c8f50356 5818 <form method='post' name='frmhostcrta'><td width='3%' align='center' $col2>
4c962356
EK		 5819 <input type='hidden' name='ACTION' value='$Lang::tr{'show host certificate'}' />
5820 <input type='image' name='$Lang::tr{'show host certificate'}' src='/images/info.gif' alt='$Lang::tr{'show host certificate'}' title='$Lang::tr{'show host certificate'}' width='20' height='20' border='0' />
c8f50356
EK		 5821 </form>
5822 <form method='post' name='frmhostcrtb'><td width='3%' align='center' $col2>
4c962356
EK		 5823 <input type='image' name="$Lang::tr{'download host certificate'}" src='/images/media-floppy.png' alt="$Lang::tr{'download host certificate'}" title="$Lang::tr{'download host certificate'}" border='0' />
5824 <input type='hidden' name='ACTION' value="$Lang::tr{'download host certificate'}" />
c8f50356
EK		 5825 </td></form>
5826 <td width='4%' $col2>&nbsp;</td>
5827 </tr>
4c962356
EK		 5828END
5829 ;
5830 } else {
5831 # Nothing
5832 print <<END;
5833 <tr>
5834 <td width='25%' class='base' $col2>$Lang::tr{'host certificate'}:</td>
5835 <td class='base' $col2>$Lang::tr{'not present'}</td>
c8f50356
EK		 5836 </td><td colspan='3' $col2>&nbsp;</td>
5837 </tr>
4c962356
EK		 5838END
5839 ;
5840 }
ce9abb66 5841
f7fb5bc5
EK		 5842 # Adding DH parameter to chart
5843 if (-f "${General::swroot}/ovpn/ca/dh1024.pem") {
b959b9f5 5844 my @dhsubject = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/dh1024.pem");
2feacd98 5845 my $dhsubject;
f7fb5bc5 5846
2feacd98
SS		 5847 foreach my $line (@dhsubject) {
5848 if ($line =~ / (.*)[\n]/) {
5849 $dhsubject = $1;
5850
5851 last;
5852 }
5853 }
f7fb5bc5
EK		 5854
5855 print <<END;
5856 <tr>
5857 <td class='base' $col3>$Lang::tr{'dh parameter'}</td>
5858 <td class='base' $col3>$dhsubject</td>
c8f50356 5859 <form method='post' name='frmdhparam'><td width='3%' align='center' $col3>
f7fb5bc5
EK		 5860 <input type='hidden' name='ACTION' value='$Lang::tr{'show dh'}' />
5861 <input type='image' name='$Lang::tr{'show dh'}' src='/images/info.gif' alt='$Lang::tr{'show dh'}' title='$Lang::tr{'show dh'}' width='20' height='20' border='0' />
c8f50356
EK		 5862 </form>
5863 <form method='post' name='frmdhparam'><td width='3%' align='center' $col3>
c8f50356
EK		 5864 </form>
5865 <td width='4%' $col3>&nbsp;</td>
5866 </tr>
f7fb5bc5
EK		 5867END
5868 ;
5869 } else {
5870 # Nothing
5871 print <<END;
5872 <tr>
5873 <td width='25%' class='base' $col3>$Lang::tr{'dh parameter'}:</td>
5874 <td class='base' $col3>$Lang::tr{'not present'}</td>
c8f50356
EK		 5875 </td><td colspan='3' $col3>&nbsp;</td>
5876 </tr>
f7fb5bc5
EK		 5877END
5878 ;
5879 }
5880
fd5ccb2d
EK		 5881 # Adding ta.key to chart
5882 if (-f "${General::swroot}/ovpn/certs/ta.key") {
2feacd98
SS		 5883 open(FILE, "${General::swroot}/ovpn/certs/ta.key");
5884 my @tasubject = <FILE>;
5885 close(FILE);
5886
5887 my $tasubject;
5888 foreach my $line (@tasubject) {
5889 if($line =~ /# (.*)[\n]/) {
5890 $tasubject = $1;
5891
5892 last;
5893 }
5894 }
5895
fd5ccb2d
EK		 5896 print <<END;
5897
5898 <tr>
5899 <td class='base' $col4>$Lang::tr{'ta key'}</td>
5900 <td class='base' $col4>$tasubject</td>
5901 <form method='post' name='frmtakey'><td width='3%' align='center' $col4>
5902 <input type='hidden' name='ACTION' value='$Lang::tr{'show tls-auth key'}' />
5903 <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show tls-auth key'}' title='$Lang::tr{'show tls-auth key'}' width='20' height='20' border='0' />
5904 </form>
5905 <form method='post' name='frmtakey'><td width='3%' align='center' $col4>
5906 <input type='image' name='$Lang::tr{'download tls-auth key'}' src='/images/media-floppy.png' alt='$Lang::tr{'download tls-auth key'}' title='$Lang::tr{'download tls-auth key'}' border='0' />
5907 <input type='hidden' name='ACTION' value='$Lang::tr{'download tls-auth key'}' />
5908 </form>
5909 <td width='4%' $col4>&nbsp;</td>
5910 </tr>
5911END
5912 ;
5913 } else {
5914 # Nothing
5915 print <<END;
5916 <tr>
5917 <td width='25%' class='base' $col4>$Lang::tr{'ta key'}:</td>
5918 <td class='base' $col4>$Lang::tr{'not present'}</td>
5919 <td colspan='3' $col4>&nbsp;</td>
5920 </tr>
5921END
5922 ;
5923 }
5924
4c962356
EK		 5925 if (! -f "${General::swroot}/ovpn/ca/cacert.pem") {
5926 print "<tr><td colspan='5' align='center'><form method='post'>";
5927 print "<input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' />";
5928 print "</form></td></tr>\n";
5929 }
5930
5931 if (keys %cahash > 0) {
5932 foreach my $key (keys %cahash) {
5933 if (($key + 1) % 2) {
5934 print "<tr bgcolor='$color{'color20'}'>\n";
5935 } else {
5936 print "<tr bgcolor='$color{'color22'}'>\n";
5937 }
5938 print "<td class='base'>$cahash{$key}[0]</td>\n";
5939 print "<td class='base'>$cahash{$key}[1]</td>\n";
5940 print <<END;
5941 <form method='post' name='cafrm${key}a'><td align='center'>
5942 <input type='image' name='$Lang::tr{'show ca certificate'}' src='/images/info.gif' alt='$Lang::tr{'show ca certificate'}' title='$Lang::tr{'show ca certificate'}' border='0' />
5943 <input type='hidden' name='ACTION' value='$Lang::tr{'show ca certificate'}' />
5944 <input type='hidden' name='KEY' value='$key' />
5945 </td></form>
5946 <form method='post' name='cafrm${key}b'><td align='center'>
5947 <input type='image' name='$Lang::tr{'download ca certificate'}' src='/images/media-floppy.png' alt='$Lang::tr{'download ca certificate'}' title='$Lang::tr{'download ca certificate'}' border='0' />
5948 <input type='hidden' name='ACTION' value='$Lang::tr{'download ca certificate'}' />
5949 <input type='hidden' name='KEY' value='$key' />
5950 </td></form>
5951 <form method='post' name='cafrm${key}c'><td align='center'>
5952 <input type='hidden' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />
5953 <input type='image' name='$Lang::tr{'remove ca certificate'}' src='/images/delete.gif' alt='$Lang::tr{'remove ca certificate'}' title='$Lang::tr{'remove ca certificate'}' width='20' height='20' border='0' />
5954 <input type='hidden' name='KEY' value='$key' />
5955 </td></form></tr>
5956END
5957 ;
5958 }
5959 }
5960
5961 print "</table>";
5962
5963 # If the file contains entries, print Key to action icons
5964 if ( -f "${General::swroot}/ovpn/ca/cacert.pem") {
5965 print <<END;
5966 <table>
5967 <tr>
5968 <td class='boldbase'>&nbsp; <b>$Lang::tr{'legend'}:</b></td>
5969 <td>&nbsp; &nbsp; <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>
5970 <td class='base'>$Lang::tr{'show certificate'}</td>
5971 <td>&nbsp; &nbsp; <img src='/images/media-floppy.png' alt='$Lang::tr{'download certificate'}' /></td>
5972 <td class='base'>$Lang::tr{'download certificate'}</td>
5973 </tr>
5974 </table>
5975END
5976 ;
5977 }
ce9abb66 5978
4c962356 5979 print <<END
578f23c8
SS		 5980
5981 <br><hr><br>
5982
4c962356 5983 <form method='post' enctype='multipart/form-data'>
578f23c8
SS		 5984 <table border='0' width='100%'>
5985 <tr>
5986 <td colspan='4'><b>$Lang::tr{'upload ca certificate'}</b></td>
5987 </tr>
4c962356 5988
578f23c8
SS		 5989 <tr>
5990 <td width='10%'>$Lang::tr{'ca name'}:</td>
5991 <td width='30%'><input type='text' name='CA_NAME' value='$cgiparams{'CA_NAME'}' size='15' align='left'></td>
5992 <td width='30%'><input type='file' name='FH' size='25'>
5993 <td width='30%'align='right'><input type='submit' name='ACTION' value='$Lang::tr{'upload ca certificate'}'></td>
5994 </tr>
f527e53f 5995
578f23c8
SS		 5996 <tr>
5997 <td colspan='3'>&nbsp;</td>
5998 <td align='right'><input type='submit' name='ACTION' value='$Lang::tr{'show crl'}' /></td>
5999 </tr>
6000 </table>
f527e53f 6001
578f23c8
SS		 6002 <br>
6003
6004 <table border='0' width='100%'>
6005 <tr>
6006 <td colspan='4'><b>$Lang::tr{'ovpn dh parameters'}</b></td>
6007 </tr>
6008
6009 <tr>
6010 <td width='40%'>$Lang::tr{'ovpn dh upload'}:</td>
6011 <td width='30%'><input type='file' name='FH' size='25'>
6012 <td width='30%' align='right'><input type='submit' name='ACTION' value='$Lang::tr{'upload dh key'}'></td>
6013 </tr>
6014
6015 <tr>
6016 <td width='40%'>$Lang::tr{'ovpn dh new key'}:</td>
6017 <td colspan='2' width='60%' align='right'><input type='submit' name='ACTION' value='$Lang::tr{'generate dh key'}' /></td>
6018 </tr>
6019 </table>
6020 </form>
66c36198 6021
578f23c8 6022 <br><hr>
4c962356
EK		 6023END
6024 ;
6025
6026 if ( $srunning eq "yes" ) {
6027 print "<div align='center'><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' disabled='disabled' /></div></form>\n";
6028 } else {
6029 print "<div align='center'><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' /></div></form>\n";
6030 }
6031 &Header::closebox();
6032END
6033 ;
6034
6035&Header::closepage();
ce9abb66 6036
Peter's tree of IPFire 2.x