]> git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blame - html/cgi-bin/ovpnmain.cgi
projects / people / pmueller / ipfire-2.x.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
clamav 0.105.1: New package to resolve several CVEs
[people/pmueller/ipfire-2.x.git] / html / cgi-bin / ovpnmain.cgi
CommitLineData
6e13d0a5 1#!/usr/bin/perl
70df8302
MT		 2###############################################################################
3# #
4# IPFire.org - A linux based firewall #
818dde8e 5# Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> #
70df8302
MT		 6# #
7# This program is free software: you can redistribute it and/or modify #
8# it under the terms of the GNU General Public License as published by #
9# the Free Software Foundation, either version 3 of the License, or #
10# (at your option) any later version. #
11# #
12# This program is distributed in the hope that it will be useful, #
13# but WITHOUT ANY WARRANTY; without even the implied warranty of #
14# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15# GNU General Public License for more details. #
16# #
17# You should have received a copy of the GNU General Public License #
18# along with this program. If not, see <http://www.gnu.org/licenses/>. #
19# #
20###############################################################################
818dde8e 21
6e13d0a5
MT		 22use CGI;
23use CGI qw/:standard/;
c63a54f0
MT		 24use Imager::QRCode;
25use MIME::Base32;
26use MIME::Base64;
3740b7ad 27use URI::Encode qw(uri_encode uri_decode);;
6e13d0a5 28use Net::DNS;
ce9abb66 29use Net::Ping;
54fd0535 30use Net::Telnet;
6e13d0a5
MT		 31use File::Copy;
32use File::Temp qw/ tempfile tempdir /;
33use strict;
34use Archive::Zip qw(:ERROR_CODES :CONSTANTS);
eff2dbf8 35use Sort::Naturally;
6e13d0a5 36require '/var/ipfire/general-functions.pl';
6e13d0a5
MT		 37require "${General::swroot}/lang.pl";
38require "${General::swroot}/header.pl";
39require "${General::swroot}/countries.pl";
e2e270e1 40require "${General::swroot}/location-functions.pl";
6e13d0a5
MT		 41
42# enable only the following on debugging purpose
2050be20
MT		 43#use warnings;
44#use CGI::Carp 'fatalsToBrowser';
45
6e13d0a5 46#workaround to suppress a warning when a variable is used only once
8c877a82 47my @dummy = ( ${Header::colourgreen}, ${Header::colourblue} );
6e13d0a5
MT		 48undef (@dummy);
49
f2fdd0c1
CS		 50my %color = ();
51my %mainsettings = ();
52&General::readhash("${General::swroot}/main/settings", \%mainsettings);
8186b372 53&General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color);
6e13d0a5
MT		 54
55###
56### Initialize variables
57###
e81be1e1
AM		 58my %ccdconfhash=();
59my %ccdroutehash=();
60my %ccdroute2hash=();
6e13d0a5
MT		 61my %netsettings=();
62my %cgiparams=();
63my %vpnsettings=();
64my %checked=();
65my %confighash=();
66my %cahash=();
67my %selected=();
68my $warnmessage = '';
69my $errormessage = '';
400c8afd
EK		 70my $cryptoerror = '';
71my $cryptowarning = '';
6e13d0a5 72my %settings=();
54fd0535 73my $routes_push_file = '';
df9b48b7
AM		 74my $confighost="${General::swroot}/fwhosts/customhosts";
75my $configgrp="${General::swroot}/fwhosts/customgroups";
76my $customnet="${General::swroot}/fwhosts/customnetworks";
77my $name;
99bfa85c 78my $col="";
ffbe77c8
EK		 79my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local";
80my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local";
81
6e13d0a5
MT		 82&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
83$cgiparams{'ENABLED'} = 'off';
84$cgiparams{'ENABLED_BLUE'} = 'off';
85$cgiparams{'ENABLED_ORANGE'} = 'off';
86$cgiparams{'EDIT_ADVANCED'} = 'off';
87$cgiparams{'NAT'} = 'off';
88$cgiparams{'COMPRESSION'} = 'off';
89$cgiparams{'ONLY_PROPOSED'} = 'off';
90$cgiparams{'ACTION'} = '';
91$cgiparams{'CA_NAME'} = '';
4c962356
EK		 92$cgiparams{'DH_NAME'} = 'dh1024.pem';
93$cgiparams{'DHLENGHT'} = '';
6e13d0a5
MT		 94$cgiparams{'DHCP_DOMAIN'} = '';
95$cgiparams{'DHCP_DNS'} = '';
96$cgiparams{'DHCP_WINS'} = '';
54fd0535 97$cgiparams{'ROUTES_PUSH'} = '';
6e13d0a5 98$cgiparams{'DCOMPLZO'} = 'off';
a79fa1d6 99$cgiparams{'MSSFIX'} = '';
8c877a82 100$cgiparams{'number'} = '';
4c962356 101$cgiparams{'DCIPHER'} = '';
49abe7af
EK		 102$cgiparams{'DAUTH'} = '';
103$cgiparams{'TLSAUTH'} = '';
54fd0535 104$routes_push_file = "${General::swroot}/ovpn/routes_push";
400c8afd
EK		 105# Perform crypto and configration test
106&pkiconfigcheck;
ffbe77c8
EK		 107
108# Add CCD files if not already presant
109unless (-e $routes_push_file) {
110 open(RPF, ">$routes_push_file");
111 close(RPF);
112}
113unless (-e "${General::swroot}/ovpn/ccd.conf") {
114 open(CCDC, ">${General::swroot}/ovpn/ccd.conf");
115 close (CCDC);
116}
117unless (-e "${General::swroot}/ovpn/ccdroute") {
118 open(CCDR, ">${General::swroot}/ovpn/ccdroute");
119 close (CCDR);
120}
121unless (-e "${General::swroot}/ovpn/ccdroute2") {
122 open(CCDRT, ">${General::swroot}/ovpn/ccdroute2");
123 close (CCDRT);
124}
125# Add additional configs if not already presant
126unless (-e "$local_serverconf") {
127 open(LSC, ">$local_serverconf");
128 close (LSC);
129}
130unless (-e "$local_clientconf") {
131 open(LCC, ">$local_clientconf");
132 close (LCC);
133}
ce9abb66 134
6e13d0a5
MT		 135&Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
136
137# prepare openvpn config file
138###
139### Useful functions
140###
c6c9630e
MT		 141sub haveOrangeNet
142{
13211b21
CS		 143 if ($netsettings{'CONFIG_TYPE'} == 2) {return 1;}
144 if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;}
c6c9630e
MT		 145 return 0;
146}
147
148sub haveBlueNet
149{
13211b21 150 if ($netsettings{'CONFIG_TYPE'} == 3) {return 1;}
c6c9630e 151 if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;}
c6c9630e
MT		 152 return 0;
153}
154
155sub sizeformat{
156 my $bytesize = shift;
157 my $i = 0;
158
159 while(abs($bytesize) >= 1024){
160 $bytesize=$bytesize/1024;
161 $i++;
162 last if($i==6);
163 }
164
165 my @units = ("Bytes","KB","MB","GB","TB","PB","EB");
166 my $newsize=(int($bytesize*100 +0.5))/100;
167 return("$newsize $units[$i]");
168}
169
c6c9630e
MT		 170sub cleanssldatabase
171{
172 if (open(FILE, ">${General::swroot}/ovpn/certs/serial")) {
173 print FILE "01";
174 close FILE;
175 }
176 if (open(FILE, ">${General::swroot}/ovpn/certs/index.txt")) {
177 print FILE "";
178 close FILE;
179 }
e6f7f8e7
EK		 180 if (open(FILE, ">${General::swroot}/ovpn/certs/index.txt.attr")) {
181 print FILE "";
182 close FILE;
183 }
c6c9630e 184 unlink ("${General::swroot}/ovpn/certs/index.txt.old");
e6f7f8e7 185 unlink ("${General::swroot}/ovpn/certs/index.txt.attr.old");
c6c9630e
MT		 186 unlink ("${General::swroot}/ovpn/certs/serial.old");
187 unlink ("${General::swroot}/ovpn/certs/01.pem");
188}
189
190sub newcleanssldatabase
191{
192 if (! -s "${General::swroot}/ovpn/certs/serial" ) {
193 open(FILE, ">${General::swroot}(ovpn/certs/serial");
194 print FILE "01";
195 close FILE;
196 }
197 if (! -s ">${General::swroot}/ovpn/certs/index.txt") {
2feacd98 198 &General::system("touch", "${General::swroot}/ovpn/certs/index.txt");
c6c9630e 199 }
e6f7f8e7 200 if (! -s ">${General::swroot}/ovpn/certs/index.txt.attr") {
2feacd98 201 &General::system("touch", "${General::swroot}/ovpn/certs/index.txt.attr");
e6f7f8e7 202 }
c6c9630e 203 unlink ("${General::swroot}/ovpn/certs/index.txt.old");
e6f7f8e7 204 unlink ("${General::swroot}/ovpn/certs/index.txt.attr.old");
c6c9630e
MT		 205 unlink ("${General::swroot}/ovpn/certs/serial.old");
206}
207
208sub deletebackupcert
209{
210 if (open(FILE, "${General::swroot}/ovpn/certs/serial.old")) {
211 my $hexvalue = <FILE>;
212 chomp $hexvalue;
213 close FILE;
214 unlink ("${General::swroot}/ovpn/certs/$hexvalue.pem");
215 }
216}
4c962356 217
400c8afd
EK		 218###
219### Check for PKI and configure problems
220###
221
222sub pkiconfigcheck
223{
224 # Warning if DH parameter is 1024 bit
225 if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
2feacd98 226 my @dhparameter = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}");
f5604080 227 my $dhbit;
2feacd98 228
f5604080 229 # Loop through the output and search for the DH bit lenght.
2feacd98 230 foreach my $line (@dhparameter) {
f5604080
SS		 231 if ($line =~ (/(\d+)/)) {
232 # Assign match to dhbit value.
233 $dhbit = $1;
234
235 last;
2feacd98 236 }
400c8afd 237 }
f5604080
SS		 238
239 # Check if the used key lenght is at least 2048 bit.
240 if ($dhbit < 2048) {
241 $cryptoerror = "$Lang::tr{'ovpn error dh'}";
242 goto CRYPTO_ERROR;
243 }
400c8afd
EK		 244 }
245
246 # Warning if md5 is in usage
247 if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
2feacd98
SS		 248 my @signature = &General::system_output("/usr/bin/openssl", "x509", "-noout", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
249 if (grep(/md5WithRSAEncryption/, @signature) ) {
400c8afd
EK		 250 $cryptoerror = "$Lang::tr{'ovpn error md5'}";
251 goto CRYPTO_ERROR;
252 }
253 }
254
255 CRYPTO_ERROR:
256
257 # Warning if certificate is not compliant to RFC3280 TLS rules
258 if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
2feacd98
SS		 259 my @extendkeyusage = &General::system_output("/usr/bin/openssl", "x509", "-noout", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
260 if ( ! grep(/TLS Web Server Authentication/, @extendkeyusage)) {
400c8afd
EK		 261 $cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}";
262 goto CRYPTO_WARNING;
263 }
264 }
265
266 CRYPTO_WARNING:
267}
268
c6c9630e 269sub writeserverconf {
66c36198
PM		 270 my %sovpnsettings = ();
271 my @temp = ();
c6c9630e 272 &General::readhash("${General::swroot}/ovpn/settings", \%sovpnsettings);
54fd0535 273 &read_routepushfile;
66c36198 274
c6c9630e
MT		 275 open(CONF, ">${General::swroot}/ovpn/server.conf") or die "Unable to open ${General::swroot}/ovpn/server.conf: $!";
276 flock CONF, 2;
277 print CONF "#OpenVPN Server conf\n";
278 print CONF "\n";
279 print CONF "daemon openvpnserver\n";
280 print CONF "writepid /var/run/openvpn.pid\n";
afabe9f7 281 print CONF "#DAN prepare OpenVPN for listening on blue and orange\n";
c6c9630e 282 print CONF ";local $sovpnsettings{'VPN_IP'}\n";
79e7688b 283 print CONF "dev tun\n";
c6c9630e
MT		 284 print CONF "proto $sovpnsettings{'DPROTOCOL'}\n";
285 print CONF "port $sovpnsettings{'DDEST_PORT'}\n";
a4fd2325 286 print CONF "script-security 3\n";
07675dc3 287 print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\n";
6140e7e0 288 print CONF "client-config-dir /var/ipfire/ovpn/ccd\n";
c6c9630e 289 print CONF "tls-server\n";
4c962356
EK		 290 print CONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n";
291 print CONF "cert ${General::swroot}/ovpn/certs/servercert.pem\n";
292 print CONF "key ${General::swroot}/ovpn/certs/serverkey.pem\n";
49abe7af 293 print CONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n";
c6c9630e
MT		 294 my @tempovpnsubnet = split("\/",$sovpnsettings{'DOVPN_SUBNET'});
295 print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n";
8c877a82 296 #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n";
4c962356 297
d6989b4b 298 print CONF "tun-mtu $sovpnsettings{'DMTU'}\n";
2ee746be 299
54fd0535 300 if ($vpnsettings{'ROUTES_PUSH'} ne '') {
8c877a82
AM		 301 @temp = split(/\n/,$vpnsettings{'ROUTES_PUSH'});
302 foreach (@temp)
303 {
304 @tempovpnsubnet = split("\/",&General::ipcidr2msk($_));
305 print CONF "push \"route " . $tempovpnsubnet[0]. " " . $tempovpnsubnet[1] . "\"\n";
306 }
54fd0535 307 }
8c877a82
AM		 308# a.marx ccd
309 my %ccdconfhash=();
310 &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
311 foreach my $key (keys %ccdconfhash) {
312 my $a=$ccdconfhash{$key}[1];
313 my ($b,$c) = split (/\//, $a);
314 print CONF "route $b ".&General::cidrtosub($c)."\n";
315 }
316 my %ccdroutehash=();
317 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
318 foreach my $key (keys %ccdroutehash) {
319 foreach my $i ( 1 .. $#{$ccdroutehash{$key}}){
320 my ($a,$b)=split (/\//,$ccdroutehash{$key}[$i]);
321 print CONF "route $a $b\n";
322 }
323 }
324# ccd end
54fd0535 325
8c877a82 326 if ($sovpnsettings{CLIENT2CLIENT} eq 'on') {
c6c9630e
MT		 327 print CONF "client-to-client\n";
328 }
1de5c945 329 if ($sovpnsettings{MSSFIX} eq 'on') {
4c962356 330 print CONF "mssfix\n";
d6989b4b
MT		 331 } else {
332 print CONF "mssfix 0\n";
1de5c945
EK		 333 }
334 if ($sovpnsettings{FRAGMENT} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp') {
4c962356 335 print CONF "fragment $sovpnsettings{'FRAGMENT'}\n";
a79fa1d6 336 }
2ee746be 337
66c36198 338 if ($sovpnsettings{KEEPALIVE_1} > 0 && $sovpnsettings{KEEPALIVE_2} > 0) {
c6c9630e 339 print CONF "keepalive $sovpnsettings{'KEEPALIVE_1'} $sovpnsettings{'KEEPALIVE_2'}\n";
66c36198 340 }
c6c9630e 341 print CONF "status-version 1\n";
87fe47e9 342 print CONF "status /var/run/ovpnserver.log 30\n";
a4fd2325 343 print CONF "ncp-disable\n";
c6c9630e 344 print CONF "cipher $sovpnsettings{DCIPHER}\n";
49abe7af 345 print CONF "auth $sovpnsettings{'DAUTH'}\n";
942446b5
EK		 346 # Set TLSv2 as minimum
347 print CONF "tls-version-min 1.2\n";
86308adb 348
49abe7af 349 if ($sovpnsettings{'TLSAUTH'} eq 'on') {
4be45949 350 print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n";
49abe7af 351 }
c6c9630e
MT		 352 if ($sovpnsettings{DCOMPLZO} eq 'on') {
353 print CONF "comp-lzo\n";
354 }
355 if ($sovpnsettings{REDIRECT_GW_DEF1} eq 'on') {
356 print CONF "push \"redirect-gateway def1\"\n";
357 }
358 if ($sovpnsettings{DHCP_DOMAIN} ne '') {
359 print CONF "push \"dhcp-option DOMAIN $sovpnsettings{DHCP_DOMAIN}\"\n";
360 }
361
362 if ($sovpnsettings{DHCP_DNS} ne '') {
363 print CONF "push \"dhcp-option DNS $sovpnsettings{DHCP_DNS}\"\n";
364 }
365
366 if ($sovpnsettings{DHCP_WINS} ne '') {
367 print CONF "push \"dhcp-option WINS $sovpnsettings{DHCP_WINS}\"\n";
368 }
66c36198 369
fa527476 370 if ($sovpnsettings{MAX_CLIENTS} eq '') {
c6c9630e 371 print CONF "max-clients 100\n";
a79fa1d6 372 }
fa527476 373 if ($sovpnsettings{MAX_CLIENTS} ne '') {
c6c9630e 374 print CONF "max-clients $sovpnsettings{MAX_CLIENTS}\n";
66c36198 375 }
1d0a260a 376 print CONF "tls-verify /usr/lib/openvpn/verify\n";
c6c9630e 377 print CONF "crl-verify /var/ipfire/ovpn/crls/cacrl.pem\n";
e1e10515
TE		 378 print CONF "auth-user-pass-optional\n";
379 print CONF "reneg-sec 86400\n";
c6c9630e
MT		 380 print CONF "user nobody\n";
381 print CONF "group nobody\n";
382 print CONF "persist-key\n";
383 print CONF "persist-tun\n";
384 if ($sovpnsettings{LOG_VERB} ne '') {
385 print CONF "verb $sovpnsettings{LOG_VERB}\n";
386 } else {
387 print CONF "verb 3\n";
ffbe77c8 388 }
708f2b73
MT		 389
390 print CONF "# Log clients connecting/disconnecting\n";
391 print CONF "client-connect \"/usr/sbin/openvpn-metrics client-connect\"\n";
392 print CONF "client-disconnect \"/usr/sbin/openvpn-metrics client-disconnect\"\n";
5111dc3d
MT		 393 print CONF "\n";
394
395 print CONF "# Enable Management Socket\n";
396 print CONF "management /var/run/openvpn.sock unix\n";
397 print CONF "management-client-auth\n";
708f2b73 398
ffbe77c8
EK		 399 # Print server.conf.local if entries exist to server.conf
400 if ( !-z $local_serverconf && $sovpnsettings{'ADDITIONAL_CONFIGS'} eq 'on') {
401 open (LSC, "$local_serverconf");
402 print CONF "\n#---------------------------\n";
403 print CONF "# Start of custom directives\n";
404 print CONF "# from server.conf.local\n";
405 print CONF "#---------------------------\n\n";
406 while (<LSC>) {
407 print CONF $_;
408 }
409 print CONF "\n#-----------------------------\n";
410 print CONF "# End of custom directives\n";
411 print CONF "#-----------------------------\n";
412 close (LSC);
413 }
c6c9630e 414 print CONF "\n";
66c36198 415
c6c9630e 416 close(CONF);
66c36198 417}
8c877a82 418
c6c9630e 419sub emptyserverlog{
87fe47e9 420 if (open(FILE, ">/var/run/ovpnserver.log")) {
c6c9630e
MT		 421 flock FILE, 2;
422 print FILE "";
423 close FILE;
424 }
425
426}
427
66c36198 428sub delccdnet
8c877a82
AM		 429{
430 my %ccdconfhash = ();
431 my %ccdhash = ();
432 my $ccdnetname=$_[0];
433 if (-f "${General::swroot}/ovpn/ovpnconfig"){
434 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
435 foreach my $key (keys %ccdhash) {
436 if ($ccdhash{$key}[32] eq $ccdnetname) {
437 $errormessage=$Lang::tr{'ccd err hostinnet'};
438 return;
439 }
440 }
441 }
442 &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
443 foreach my $key (keys %ccdconfhash) {
444 if ($ccdconfhash{$key}[0] eq $ccdnetname){
445 delete $ccdconfhash{$key};
446 }
447 }
448 &General::writehasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
66c36198 449
8c877a82
AM		 450 &writeserverconf;
451 return 0;
452}
453
454sub addccdnet
455{
456 my %ccdconfhash=();
457 my @ccdconf=();
458 my $ccdname=$_[0];
459 my $ccdnet=$_[1];
8c877a82
AM		 460 my $subcidr;
461 my @ip2=();
462 my $checkup;
463 my $ccdip;
464 my $baseaddress;
66c36198
PM		 465
466
467 #check name
468 if ($ccdname eq '')
290007b3
AM		 469 {
470 $errormessage=$errormessage.$Lang::tr{'ccd err name'}."<br>";
471 return
472 }
66c36198 473
dcc2f7e0 474 if(!&General::validccdname($ccdname))
290007b3 475 {
8c877a82
AM		 476 $errormessage=$Lang::tr{'ccd err invalidname'};
477 return;
478 }
66c36198 479
290007b3
AM		 480 ($ccdip,$subcidr) = split (/\//,$ccdnet);
481 $subcidr=&General::iporsubtocidr($subcidr);
482 #check subnet
483 if ($subcidr > 30)
484 {
8c877a82
AM		 485 $errormessage=$Lang::tr{'ccd err invalidnet'};
486 return;
487 }
290007b3
AM		 488 #check ip
489 if (!&General::validipandmask($ccdnet)){
490 $errormessage=$Lang::tr{'ccd err invalidnet'};
491 return;
8c877a82 492 }
b6c60092 493
8c877a82
AM		 494 if (!$errormessage) {
495 my %ccdconfhash=();
496 $baseaddress=&General::getnetworkip($ccdip,$subcidr);
497 &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
498 my $key = &General::findhasharraykey (\%ccdconfhash);
499 foreach my $i (0 .. 1) { $ccdconfhash{$key}[$i] = "";}
500 $ccdconfhash{$key}[0] = $ccdname;
501 $ccdconfhash{$key}[1] = $baseaddress."/".$subcidr;
502 &General::writehasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
503 &writeserverconf;
504 $cgiparams{'ccdname'}='';
505 $cgiparams{'ccdsubnet'}='';
506 return 1;
507 }
508}
509
510sub modccdnet
511{
66c36198 512
8c877a82
AM		 513 my $newname=$_[0];
514 my $oldname=$_[1];
515 my %ccdconfhash=();
516 my %ccdhash=();
7ad653cc
SS		 517
518 # Check if the new name is valid.
519 if(!&General::validhostname($newname)) {
520 $errormessage=$Lang::tr{'ccd err invalidname'};
521 return;
522 }
523
8c877a82
AM		 524 &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
525 foreach my $key (keys %ccdconfhash) {
526 if ($ccdconfhash{$key}[0] eq $oldname) {
527 foreach my $key1 (keys %ccdconfhash) {
528 if ($ccdconfhash{$key1}[0] eq $newname){
529 $errormessage=$errormessage.$Lang::tr{'ccd err netadrexist'};
530 return;
531 }else{
532 $ccdconfhash{$key}[0]= $newname;
533 &General::writehasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
534 last;
535 }
536 }
537 }
538 }
66c36198 539
8c877a82
AM		 540 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
541 foreach my $key (keys %ccdhash) {
542 if ($ccdhash{$key}[32] eq $oldname) {
543 $ccdhash{$key}[32]=$newname;
544 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
545 last;
546 }
547 }
66c36198 548
8c877a82
AM		 549 return 0;
550}
551sub ccdmaxclients
552{
553 my $ccdnetwork=$_[0];
554 my @octets=();
555 my @subnet=();
556 @octets=split("\/",$ccdnetwork);
557 @subnet= split /\./, &General::cidrtosub($octets[1]);
558 my ($a,$b,$c,$d,$e);
559 $a=256-$subnet[0];
560 $b=256-$subnet[1];
561 $c=256-$subnet[2];
562 $d=256-$subnet[3];
563 $e=($a*$b*$c*$d)/4;
564 return $e-1;
565}
566
66c36198 567sub getccdadresses
8c877a82
AM		 568{
569 my $ipin=$_[0];
570 my ($ip1,$ip2,$ip3,$ip4)=split /\./, $ipin;
571 my $cidr=$_[1];
572 chomp($cidr);
573 my $count=$_[2];
574 my $hasip=$_[3];
575 chomp($hasip);
576 my @iprange=();
577 my %ccdhash=();
578 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
d9fe5693 579 $iprange[0]=$ip1.".".$ip2.".".$ip3.".".($ip4+2);
ac87f371 580 for (my $i=1;$i<=$count;$i++) {
8c877a82
AM		 581 my $tmpip=$iprange[$i-1];
582 my $stepper=$i*4;
583 $iprange[$i]= &General::getnextip($tmpip,4);
584 }
585 my $r=0;
586 foreach my $key (keys %ccdhash) {
587 $r=0;
588 foreach my $tmp (@iprange){
589 my ($net,$sub) = split (/\//,$ccdhash{$key}[33]);
590 if ($net eq $tmp) {
591 if ( $hasip ne $ccdhash{$key}[33] ){
592 splice (@iprange,$r,1);
593 }
594 }
595 $r++;
596 }
597 }
598 return @iprange;
599}
600
601sub fillselectbox
602{
603 my $boxname=$_[1];
66c36198 604 my ($ccdip,$subcidr) = split("/",$_[0]);
8c877a82
AM		 605 my $tz=$_[2];
606 my @allccdips=&getccdadresses($ccdip,$subcidr,&ccdmaxclients($ccdip."/".$subcidr),$tz);
607 print"<select name='$boxname' STYLE='font-family : arial; font-size : 9pt; width:130px;' >";
608 foreach (@allccdips) {
609 my $ip=$_."/30";
610 chomp($ip);
611 print "<option value='$ip' ";
612 if ( $ip eq $cgiparams{$boxname} ){
613 print"selected";
614 }
615 print ">$ip</option>";
616 }
617 print "</select>";
618}
619
620sub hostsinnet
621{
622 my $name=$_[0];
623 my %ccdhash=();
624 my $i=0;
625 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
626 foreach my $key (keys %ccdhash) {
627 if ($ccdhash{$key}[32] eq $name){ $i++;}
628 }
629 return $i;
630}
631
632sub check_routes_push
633{
634 my $val=$_[0];
635 my ($ip,$cidr) = split (/\//, $val);
636 ##check for existing routes in routes_push
637 if (-e "${General::swroot}/ovpn/routes_push") {
638 open(FILE,"${General::swroot}/ovpn/routes_push");
639 while (<FILE>) {
640 $_=~s/\s*$//g;
66c36198 641
8c877a82
AM		 642 my ($ip2,$cidr2) = split (/\//,"$_");
643 my $val2=$ip2."/".&General::iporsubtodec($cidr2);
66c36198 644
8c877a82
AM		 645 if($val eq $val2){
646 return 0;
647 }
648 #subnetcheck
649 if (&General::IpInSubnet ($ip,$ip2,&General::iporsubtodec($cidr2))){
650 return 0;
651 }
652 };
653 close(FILE);
654 }
655 return 1;
656}
657
658sub check_ccdroute
659{
660 my %ccdroutehash=();
661 my $val=$_[0];
662 my ($ip,$cidr) = split (/\//, $val);
663 #check for existing routes in ccdroute
664 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
665 foreach my $key (keys %ccdroutehash) {
666 foreach my $i (1 .. $#{$ccdroutehash{$key}}) {
667 if (&General::iporsubtodec($val) eq $ccdroutehash{$key}[$i] && $ccdroutehash{$key}[0] ne $cgiparams{'NAME'}){
668 return 0;
669 }
670 my ($ip2,$cidr2) = split (/\//,$ccdroutehash{$key}[$i]);
671 #subnetcheck
672 if (&General::IpInSubnet ($ip,$ip2,$cidr2)&& $ccdroutehash{$key}[0] ne $cgiparams{'NAME'} ){
673 return 0;
674 }
675 }
676 }
677 return 1;
678}
679sub check_ccdconf
680{
681 my %ccdconfhash=();
682 my $val=$_[0];
683 my ($ip,$cidr) = split (/\//, $val);
684 #check for existing routes in ccdroute
685 &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
686 foreach my $key (keys %ccdconfhash) {
687 if (&General::iporsubtocidr($val) eq $ccdconfhash{$key}[1]){
688 return 0;
689 }
690 my ($ip2,$cidr2) = split (/\//,$ccdconfhash{$key}[1]);
691 #subnetcheck
692 if (&General::IpInSubnet ($ip,$ip2,&General::cidrtosub($cidr2))){
693 return 0;
694 }
66c36198 695
8c877a82
AM		 696 }
697 return 1;
698}
699
7c1d9faf
AH		 700###
701# m.a.d net2net
702###
703
704sub validdotmask
705{
706 my $ipdotmask = $_[0];
707 if (&General::validip($ipdotmask)) { return 0; }
708 if (!($ipdotmask =~ /^(.*?)\/(.*?)$/)) { }
709 my $mask = $2;
66c36198 710 if (($mask =~ /\./ )) { return 0; }
7c1d9faf
AH		 711 return 1;
712}
54fd0535
MT		 713
714# -------------------------------------------------------------------
715
716sub write_routepushfile
717{
718 open(FILE, ">$routes_push_file");
719 flock(FILE, 2);
720 if ($vpnsettings{'ROUTES_PUSH'} ne '') {
721 print FILE $vpnsettings{'ROUTES_PUSH'};
722 }
66c36198 723 close(FILE);
54fd0535
MT		 724}
725
726sub read_routepushfile
727{
728 if (-e "$routes_push_file") {
729 open(FILE,"$routes_push_file");
730 delete $vpnsettings{'ROUTES_PUSH'};
731 while (<FILE>) { $vpnsettings{'ROUTES_PUSH'} .= $_ };
732 close(FILE);
733 $cgiparams{'ROUTES_PUSH'} = $vpnsettings{'ROUTES_PUSH'};
66c36198 734
54fd0535
MT		 735 }
736}
7c1d9faf 737
775b4494
AM		 738sub writecollectdconf {
739 my $vpncollectd;
740 my %ccdhash=();
741
742 open(COLLECTDVPN, ">${General::swroot}/ovpn/collectd.vpn") or die "Unable to open collectd.vpn: $!";
743 print COLLECTDVPN "Loadplugin openvpn\n";
744 print COLLECTDVPN "\n";
745 print COLLECTDVPN "<Plugin openvpn>\n";
746 print COLLECTDVPN "Statusfile \"/var/run/ovpnserver.log\"\n";
747
748 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
749 foreach my $key (keys %ccdhash) {
750 if ($ccdhash{$key}[0] eq 'on' && $ccdhash{$key}[3] eq 'net') {
751 print COLLECTDVPN "Statusfile \"/var/run/openvpn/$ccdhash{$key}[1]-n2n\"\n";
752 }
753 }
754
755 print COLLECTDVPN "</Plugin>\n";
756 close(COLLECTDVPN);
757
758 # Reload collectd afterwards
2feacd98 759 &General::system("/usr/local/bin/collectdctrl", "restart");
775b4494 760}
7c1d9faf 761
c6c9630e
MT		 762#hier die refresh page
763if ( -e "${General::swroot}/ovpn/gencanow") {
764 my $refresh = '';
765 $refresh = "<meta http-equiv='refresh' content='15;' />";
766 &Header::showhttpheaders();
767 &Header::openpage($Lang::tr{'OVPN'}, 1, $refresh);
768 &Header::openbigbox('100%', 'center');
769 &Header::openbox('100%', 'left', "$Lang::tr{'generate root/host certificates'}:");
770 print "<tr>\n<td align='center'><img src='/images/clock.gif' alt='' /></td>\n";
771 print "<td colspan='2'><font color='red'>Please be patient this realy can take some time on older hardware...</font></td></tr>\n";
772 &Header::closebox();
773 &Header::closebigbox();
774 &Header::closepage();
775 exit (0);
776}
777##hier die refresh page
778
6e13d0a5
MT		 779
780###
781### OpenVPN Server Control
782###
783if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'} ||
784 $cgiparams{'ACTION'} eq $Lang::tr{'stop ovpn server'} ||
785 $cgiparams{'ACTION'} eq $Lang::tr{'restart ovpn server'}) {
6e13d0a5
MT		 786 #start openvpn server
787 if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'}){
c6c9630e 788 &emptyserverlog();
2feacd98 789 &General::system("/usr/local/bin/openvpnctrl", "-s");
66c36198 790 }
6e13d0a5
MT		 791 #stop openvpn server
792 if ($cgiparams{'ACTION'} eq $Lang::tr{'stop ovpn server'}){
2feacd98 793 &General::system("/usr/local/bin/openvpnctrl", "-k");
66c36198
PM		 794 &emptyserverlog();
795 }
6e13d0a5 796# #restart openvpn server
8c877a82 797# if ($cgiparams{'ACTION'} eq $Lang::tr{'restart ovpn server'}){
66c36198
PM		 798#workarund, till SIGHUP also works when running as nobody
799# system('/usr/local/bin/openvpnctrl', '-r');
800# &emptyserverlog();
801# }
6e13d0a5
MT		 802}
803
804###
805### Save Advanced options
806###
807
808if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
809 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
810 #DAN do we really need (to to check) this value? Besides if we listen on blue and orange too,
811 #DAN this value has to leave.
812#new settings for daemon
813 $vpnsettings{'LOG_VERB'} = $cgiparams{'LOG_VERB'};
814 $vpnsettings{'KEEPALIVE_1'} = $cgiparams{'KEEPALIVE_1'};
815 $vpnsettings{'KEEPALIVE_2'} = $cgiparams{'KEEPALIVE_2'};
816 $vpnsettings{'MAX_CLIENTS'} = $cgiparams{'MAX_CLIENTS'};
817 $vpnsettings{'REDIRECT_GW_DEF1'} = $cgiparams{'REDIRECT_GW_DEF1'};
818 $vpnsettings{'CLIENT2CLIENT'} = $cgiparams{'CLIENT2CLIENT'};
6a9d9ff4 819 $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
ffbe77c8 820 $vpnsettings{'ADDITIONAL_CONFIGS'} = $cgiparams{'ADDITIONAL_CONFIGS'};
6e13d0a5
MT		 821 $vpnsettings{'DHCP_DOMAIN'} = $cgiparams{'DHCP_DOMAIN'};
822 $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'};
823 $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'};
54fd0535
MT		 824 $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'};
825 my @temp=();
66c36198 826
a79fa1d6
JPT		 827 if ($cgiparams{'FRAGMENT'} eq '') {
828 delete $vpnsettings{'FRAGMENT'};
829 } else {
66c36198 830 if ($cgiparams{'FRAGMENT'} !~ /^[0-9]+$/) {
a79fa1d6
JPT		 831 $errormessage = "Incorrect value, please insert only numbers.";
832 goto ADV_ERROR;
833 } else {
834 $vpnsettings{'FRAGMENT'} = $cgiparams{'FRAGMENT'};
835 }
836 }
49abe7af 837
a79fa1d6 838 if ($cgiparams{'MSSFIX'} ne 'on') {
1de5c945 839 delete $vpnsettings{'MSSFIX'};
a79fa1d6
JPT		 840 } else {
841 $vpnsettings{'MSSFIX'} = $cgiparams{'MSSFIX'};
842 }
2ee746be 843
6e13d0a5 844 if ($cgiparams{'DHCP_DOMAIN'} ne ''){
81da1b01 845 unless (&General::validdomainname($cgiparams{'DHCP_DOMAIN'}) || &General::validip($cgiparams{'DHCP_DOMAIN'})) {
6e13d0a5
MT		 846 $errormessage = $Lang::tr{'invalid input for dhcp domain'};
847 goto ADV_ERROR;
848 }
849 }
850 if ($cgiparams{'DHCP_DNS'} ne ''){
851 unless (&General::validfqdn($cgiparams{'DHCP_DNS'}) || &General::validip($cgiparams{'DHCP_DNS'})) {
852 $errormessage = $Lang::tr{'invalid input for dhcp dns'};
853 goto ADV_ERROR;
854 }
855 }
856 if ($cgiparams{'DHCP_WINS'} ne ''){
857 unless (&General::validfqdn($cgiparams{'DHCP_WINS'}) || &General::validip($cgiparams{'DHCP_WINS'})) {
858 $errormessage = $Lang::tr{'invalid input for dhcp wins'};
54fd0535
MT		 859 goto ADV_ERROR;
860 }
861 }
862 if ($cgiparams{'ROUTES_PUSH'} ne ''){
863 @temp = split(/\n/,$cgiparams{'ROUTES_PUSH'});
864 undef $vpnsettings{'ROUTES_PUSH'};
66c36198 865
8c877a82 866 foreach my $tmpip (@temp)
54fd0535
MT		 867 {
868 s/^\s+//g; s/\s+$//g;
66c36198 869
8c877a82 870 if ($tmpip)
54fd0535 871 {
66c36198 872 $tmpip=~s/\s*$//g;
8c877a82
AM		 873 unless (&General::validipandmask($tmpip)) {
874 $errormessage = "$tmpip ".$Lang::tr{'ovpn errmsg invalid ip or mask'};
875 goto ADV_ERROR;
54fd0535 876 }
8c877a82 877 my ($ip, $cidr) = split("\/",&General::ipcidr2msk($tmpip));
66c36198 878
54fd0535
MT		 879 if ($ip eq $netsettings{'GREEN_NETADDRESS'} && $cidr eq $netsettings{'GREEN_NETMASK'}) {
880 $errormessage = $Lang::tr{'ovpn errmsg green already pushed'};
8c877a82
AM		 881 goto ADV_ERROR;
882 }
66c36198 883# a.marx ccd
8c877a82
AM		 884 my %ccdroutehash=();
885 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
886 foreach my $key (keys %ccdroutehash) {
66c36198 887 foreach my $i (1 .. $#{$ccdroutehash{$key}}) {
8c877a82
AM		 888 if ( $ip."/".$cidr eq $ccdroutehash{$key}[$i] ){
889 $errormessage="Route $ip\/$cidr ".$Lang::tr{'ccd err inuse'}." $ccdroutehash{$key}[0]" ;
890 goto ADV_ERROR;
891 }
892 my ($ip2,$cidr2) = split(/\//,$ccdroutehash{$key}[$i]);
893 if (&General::IpInSubnet ($ip,$ip2,$cidr2)){
894 $errormessage="Route $ip\/$cidr ".$Lang::tr{'ccd err inuse'}." $ccdroutehash{$key}[0]" ;
895 goto ADV_ERROR;
896 }
897 }
54fd0535 898 }
66c36198 899
8c877a82 900# ccd end
66c36198 901
8c877a82 902 $vpnsettings{'ROUTES_PUSH'} .= $tmpip."\n";
54fd0535 903 }
8c877a82
AM		 904 }
905 &write_routepushfile;
54fd0535 906 undef $vpnsettings{'ROUTES_PUSH'};
8e148dc3
NP		 907 }
908 else {
909 undef $vpnsettings{'ROUTES_PUSH'};
910 &write_routepushfile;
6e13d0a5 911 }
ba50f66d 912 if ((length($cgiparams{'MAX_CLIENTS'}) == 0) || (($cgiparams{'MAX_CLIENTS'}) < 1 ) || (($cgiparams{'MAX_CLIENTS'}) > 1024 )) {
6e13d0a5
MT		 913 $errormessage = $Lang::tr{'invalid input for max clients'};
914 goto ADV_ERROR;
915 }
916 if ($cgiparams{'KEEPALIVE_1'} ne '') {
66c36198 917 if ($cgiparams{'KEEPALIVE_1'} !~ /^[0-9]+$/) {
6e13d0a5
MT		 918 $errormessage = $Lang::tr{'invalid input for keepalive 1'};
919 goto ADV_ERROR;
920 }
921 }
922 if ($cgiparams{'KEEPALIVE_2'} ne ''){
66c36198 923 if ($cgiparams{'KEEPALIVE_2'} !~ /^[0-9]+$/) {
6e13d0a5
MT		 924 $errormessage = $Lang::tr{'invalid input for keepalive 2'};
925 goto ADV_ERROR;
926 }
927 }
928 if ($cgiparams{'KEEPALIVE_2'} < ($cgiparams{'KEEPALIVE_1'} * 2)){
929 $errormessage = $Lang::tr{'invalid input for keepalive 1:2'};
66c36198 930 goto ADV_ERROR;
6e13d0a5 931 }
6e13d0a5 932 &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
c6c9630e 933 &writeserverconf();#hier ok
6e13d0a5
MT		 934}
935
ce9abb66 936###
7c1d9faf 937# m.a.d net2net
ce9abb66
AH		 938###
939
940if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq 'net' && $cgiparams{'SIDE'} eq 'server')
941{
c6c9630e 942
ce9abb66
AH		 943my @remsubnet = split(/\//,$cgiparams{'REMOTE_SUBNET'});
944my @ovsubnettemp = split(/\./,$cgiparams{'OVPN_SUBNET'});
54fd0535 945my $ovsubnet = "$ovsubnettemp[0].$ovsubnettemp[1].$ovsubnettemp[2]";
d96c89eb 946my $tunmtu = '';
531f0835
AH		 947
948unless(-d "${General::swroot}/ovpn/n2nconf/"){mkdir "${General::swroot}/ovpn/n2nconf", 0755 or die "Unable to create dir $!";}
66c36198 949unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}", 0770 or die "Unable to create dir $!";}
ce9abb66
AH		 950
951 open(SERVERCONF, ">${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Unable to open ${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf: $!";
66c36198 952
ce9abb66 953 flock SERVERCONF, 2;
66c36198
PM		 954 print SERVERCONF "# IPFire n2n Open VPN Server Config by ummeegge und m.a.d\n";
955 print SERVERCONF "\n";
b278daf3 956 print SERVERCONF "# User Security\n";
ce9abb66
AH		 957 print SERVERCONF "user nobody\n";
958 print SERVERCONF "group nobody\n";
959 print SERVERCONF "persist-tun\n";
960 print SERVERCONF "persist-key\n";
7c1d9faf 961 print SERVERCONF "script-security 2\n";
66c36198 962 print SERVERCONF "# IP/DNS for remote Server Gateway\n";
c125d8a2
SS		 963
964 if ($cgiparams{'REMOTE'} ne '') {
ce9abb66 965 print SERVERCONF "remote $cgiparams{'REMOTE'}\n";
c125d8a2
SS		 966 }
967
b278daf3 968 print SERVERCONF "float\n";
66c36198
PM		 969 print SERVERCONF "# IP adresses of the VPN Subnet\n";
970 print SERVERCONF "ifconfig $ovsubnet.1 $ovsubnet.2\n";
971 print SERVERCONF "# Client Gateway Network\n";
54fd0535 972 print SERVERCONF "route $remsubnet[0] $remsubnet[1]\n";
2913185a 973 print SERVERCONF "up \"/etc/init.d/static-routes start\"\n";
66c36198
PM		 974 print SERVERCONF "# tun Device\n";
975 print SERVERCONF "dev tun\n";
5795fc1b
AM		 976 print SERVERCONF "#Logfile for statistics\n";
977 print SERVERCONF "status-version 1\n";
87fe47e9 978 print SERVERCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n";
66c36198
PM		 979 print SERVERCONF "# Port and Protokol\n";
980 print SERVERCONF "port $cgiparams{'DEST_PORT'}\n";
5795fc1b 981
60f396d7 982 if ($cgiparams{'PROTOCOL'} eq 'tcp') {
1580d3b1 983 print SERVERCONF "proto tcp4-server\n";
60f396d7 984 print SERVERCONF "# Packet size\n";
d96c89eb 985 if ($cgiparams{'MTU'} eq '') {$tunmtu = '1400'} else {$tunmtu = $cgiparams{'MTU'}};
60f396d7 986 print SERVERCONF "tun-mtu $tunmtu\n";
d96c89eb 987 }
66c36198 988
60f396d7 989 if ($cgiparams{'PROTOCOL'} eq 'udp') {
1580d3b1 990 print SERVERCONF "proto udp4\n";
60f396d7
AH		 991 print SERVERCONF "# Paketsize\n";
992 if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'} else {$tunmtu = $cgiparams{'MTU'}};
993 print SERVERCONF "tun-mtu $tunmtu\n";
66c36198 994 if ($cgiparams{'FRAGMENT'} ne '') {print SERVERCONF "fragment $cgiparams{'FRAGMENT'}\n";}
d6989b4b 995 if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n"; } else { print SERVERCONF "mssfix 0\n" };
d96c89eb 996 }
1647059d 997
66c36198
PM		 998 print SERVERCONF "# Auth. Server\n";
999 print SERVERCONF "tls-server\n";
1000 print SERVERCONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n";
1001 print SERVERCONF "cert ${General::swroot}/ovpn/certs/servercert.pem\n";
1002 print SERVERCONF "key ${General::swroot}/ovpn/certs/serverkey.pem\n";
49abe7af 1003 print SERVERCONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n";
66c36198 1004 print SERVERCONF "# Cipher\n";
4c962356 1005 print SERVERCONF "cipher $cgiparams{'DCIPHER'}\n";
52f61e49
EKD		 1006
1007 # If GCM cipher is used, do not use --auth
1008 if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') ||
1009 ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') ||
1010 ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) {
1011 print SERVERCONF unless "# HMAC algorithm\n";
1012 print SERVERCONF unless "auth $cgiparams{'DAUTH'}\n";
49abe7af 1013 } else {
52f61e49
EKD		 1014 print SERVERCONF "# HMAC algorithm\n";
1015 print SERVERCONF "auth $cgiparams{'DAUTH'}\n";
49abe7af 1016 }
52f61e49 1017
942446b5
EK		 1018 # Set TLSv1.2 as minimum
1019 print SERVERCONF "tls-version-min 1.2\n";
1020
ce9abb66 1021 if ($cgiparams{'COMPLZO'} eq 'on') {
60f396d7 1022 print SERVERCONF "# Enable Compression\n";
66298ef2 1023 print SERVERCONF "comp-lzo\n";
b278daf3 1024 }
66c36198
PM		 1025 print SERVERCONF "# Debug Level\n";
1026 print SERVERCONF "verb 3\n";
1027 print SERVERCONF "# Tunnel check\n";
1028 print SERVERCONF "keepalive 10 60\n";
1029 print SERVERCONF "# Start as daemon\n";
1030 print SERVERCONF "daemon $cgiparams{'NAME'}n2n\n";
1031 print SERVERCONF "writepid /var/run/$cgiparams{'NAME'}n2n.pid\n";
1032 print SERVERCONF "# Activate Management Interface and Port\n";
54fd0535
MT		 1033 if ($cgiparams{'OVPN_MGMT'} eq '') {print SERVERCONF "management localhost $cgiparams{'DEST_PORT'}\n"}
1034 else {print SERVERCONF "management localhost $cgiparams{'OVPN_MGMT'}\n"};
ce9abb66
AH		 1035 close(SERVERCONF);
1036
1037}
1038
1039###
7c1d9faf 1040# m.a.d net2net
ce9abb66 1041###
7c1d9faf 1042
ce9abb66
AH		 1043if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq 'net' && $cgiparams{'SIDE'} eq 'client')
1044{
4c962356 1045
ce9abb66 1046 my @ovsubnettemp = split(/\./,$cgiparams{'OVPN_SUBNET'});
54fd0535 1047 my $ovsubnet = "$ovsubnettemp[0].$ovsubnettemp[1].$ovsubnettemp[2]";
ce9abb66 1048 my @remsubnet = split(/\//,$cgiparams{'REMOTE_SUBNET'});
d96c89eb 1049 my $tunmtu = '';
66c36198 1050
531f0835
AH		 1051unless(-d "${General::swroot}/ovpn/n2nconf/"){mkdir "${General::swroot}/ovpn/n2nconf", 0755 or die "Unable to create dir $!";}
1052unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}", 0770 or die "Unable to create dir $!";}
66c36198 1053
ce9abb66 1054 open(CLIENTCONF, ">${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Unable to open ${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf: $!";
66c36198 1055
ce9abb66 1056 flock CLIENTCONF, 2;
7c1d9faf 1057 print CLIENTCONF "# IPFire rewritten n2n Open VPN Client Config by ummeegge und m.a.d\n";
66c36198 1058 print CLIENTCONF "#\n";
b278daf3 1059 print CLIENTCONF "# User Security\n";
ce9abb66
AH		 1060 print CLIENTCONF "user nobody\n";
1061 print CLIENTCONF "group nobody\n";
1062 print CLIENTCONF "persist-tun\n";
1063 print CLIENTCONF "persist-key\n";
7c1d9faf 1064 print CLIENTCONF "script-security 2\n";
66c36198 1065 print CLIENTCONF "# IP/DNS for remote Server Gateway\n";
ce9abb66 1066 print CLIENTCONF "remote $cgiparams{'REMOTE'}\n";
b278daf3 1067 print CLIENTCONF "float\n";
66c36198
PM		 1068 print CLIENTCONF "# IP adresses of the VPN Subnet\n";
1069 print CLIENTCONF "ifconfig $ovsubnet.2 $ovsubnet.1\n";
1070 print CLIENTCONF "# Server Gateway Network\n";
1071 print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n";
ebcecb4b 1072 print CLIENTCONF "up \"/etc/init.d/static-routes start\"\n";
66c36198
PM		 1073 print CLIENTCONF "# tun Device\n";
1074 print CLIENTCONF "dev tun\n";
35a21a25
AM		 1075 print CLIENTCONF "#Logfile for statistics\n";
1076 print CLIENTCONF "status-version 1\n";
1077 print CLIENTCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n";
66c36198
PM		 1078 print CLIENTCONF "# Port and Protokol\n";
1079 print CLIENTCONF "port $cgiparams{'DEST_PORT'}\n";
60f396d7
AH		 1080
1081 if ($cgiparams{'PROTOCOL'} eq 'tcp') {
1580d3b1 1082 print CLIENTCONF "proto tcp4-client\n";
60f396d7 1083 print CLIENTCONF "# Packet size\n";
d96c89eb 1084 if ($cgiparams{'MTU'} eq '') {$tunmtu = '1400'} else {$tunmtu = $cgiparams{'MTU'}};
60f396d7 1085 print CLIENTCONF "tun-mtu $tunmtu\n";
d96c89eb 1086 }
66c36198 1087
60f396d7 1088 if ($cgiparams{'PROTOCOL'} eq 'udp') {
1580d3b1 1089 print CLIENTCONF "proto udp4\n";
60f396d7
AH		 1090 print CLIENTCONF "# Paketsize\n";
1091 if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'} else {$tunmtu = $cgiparams{'MTU'}};
1092 print CLIENTCONF "tun-mtu $tunmtu\n";
54fd0535 1093 if ($cgiparams{'FRAGMENT'} ne '') {print CLIENTCONF "fragment $cgiparams{'FRAGMENT'}\n";}
d6989b4b 1094 if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF "mssfix\n"; } else { print CLIENTCONF "mssfix 0\n" };
d96c89eb 1095 }
1647059d 1096
b66b02ab
EK		 1097 # Check host certificate if X509 is RFC3280 compliant.
1098 # If not, old --ns-cert-type directive will be used.
1099 # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
2feacd98
SS		 1100 my @hostcert = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
1101 if ( ! grep(/TLS Web Server Authentication/, @hostcert)) {
b66b02ab
EK		 1102 print CLIENTCONF "ns-cert-type server\n";
1103 } else {
1104 print CLIENTCONF "remote-cert-tls server\n";
1105 }
66c36198
PM		 1106 print CLIENTCONF "# Auth. Client\n";
1107 print CLIENTCONF "tls-client\n";
1108 print CLIENTCONF "# Cipher\n";
4c962356 1109 print CLIENTCONF "cipher $cgiparams{'DCIPHER'}\n";
ce9abb66 1110 print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12\r\n";
52f61e49
EKD		 1111
1112 # If GCM cipher is used, do not use --auth
1113 if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') ||
1114 ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') ||
1115 ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) {
1116 print CLIENTCONF unless "# HMAC algorithm\n";
1117 print CLIENTCONF unless "auth $cgiparams{'DAUTH'}\n";
49abe7af 1118 } else {
52f61e49
EKD		 1119 print CLIENTCONF "# HMAC algorithm\n";
1120 print CLIENTCONF "auth $cgiparams{'DAUTH'}\n";
49abe7af 1121 }
52f61e49 1122
942446b5
EK		 1123 # Set TLSv1.2 as minimum
1124 print CLIENTCONF "tls-version-min 1.2\n";
1125
ce9abb66 1126 if ($cgiparams{'COMPLZO'} eq 'on') {
60f396d7 1127 print CLIENTCONF "# Enable Compression\n";
66298ef2 1128 print CLIENTCONF "comp-lzo\n";
4c962356 1129 }
66c36198
PM		 1130 print CLIENTCONF "# Debug Level\n";
1131 print CLIENTCONF "verb 3\n";
1132 print CLIENTCONF "# Tunnel check\n";
1133 print CLIENTCONF "keepalive 10 60\n";
1134 print CLIENTCONF "# Start as daemon\n";
ce9abb66 1135 print CLIENTCONF "daemon $cgiparams{'NAME'}n2n\n";
66c36198
PM		 1136 print CLIENTCONF "writepid /var/run/$cgiparams{'NAME'}n2n.pid\n";
1137 print CLIENTCONF "# Activate Management Interface and Port\n";
54fd0535
MT		 1138 if ($cgiparams{'OVPN_MGMT'} eq '') {print CLIENTCONF "management localhost $cgiparams{'DEST_PORT'}\n"}
1139 else {print CLIENTCONF "management localhost $cgiparams{'OVPN_MGMT'}\n"};
ce9abb66 1140 close(CLIENTCONF);
c6c9630e 1141
ce9abb66 1142}
400c8afd 1143
6e13d0a5
MT		 1144###
1145### Save main settings
1146###
ce9abb66 1147
6e13d0a5
MT		 1148if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') {
1149 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
6e13d0a5
MT		 1150 #DAN do we really need (to to check) this value? Besides if we listen on blue and orange too,
1151 #DAN this value has to leave.
1152 if ($cgiparams{'ENABLED'} eq 'on'){
1153 unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'})) {
1154 $errormessage = $Lang::tr{'invalid input for hostname'};
c6c9630e 1155 goto SETTINGS_ERROR;
6e13d0a5
MT		 1156 }
1157 }
f7fb5bc5 1158
6e13d0a5 1159 if (! &General::validipandmask($cgiparams{'DOVPN_SUBNET'})) {
c6c9630e 1160 $errormessage = $Lang::tr{'ovpn subnet is invalid'};
4c962356 1161 goto SETTINGS_ERROR;
c6c9630e
MT		 1162 }
1163 my @tmpovpnsubnet = split("\/",$cgiparams{'DOVPN_SUBNET'});
66c36198
PM		 1164
1165 if (&General::IpInSubnet ( $netsettings{'RED_ADDRESS'},
c6c9630e
MT		 1166 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
1167 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire RED Network $netsettings{'RED_ADDRESS'}";
1168 goto SETTINGS_ERROR;
1169 }
66c36198
PM		 1170
1171 if (&General::IpInSubnet ( $netsettings{'GREEN_ADDRESS'},
c6c9630e
MT		 1172 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
1173 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Green Network $netsettings{'GREEN_ADDRESS'}";
1174 goto SETTINGS_ERROR;
1175 }
1176
66c36198 1177 if (&General::IpInSubnet ( $netsettings{'BLUE_ADDRESS'},
c6c9630e
MT		 1178 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
1179 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Blue Network $netsettings{'BLUE_ADDRESS'}";
1180 goto SETTINGS_ERROR;
1181 }
66c36198
PM		 1182
1183 if (&General::IpInSubnet ( $netsettings{'ORANGE_ADDRESS'},
c6c9630e
MT		 1184 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
1185 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Orange Network $netsettings{'ORANGE_ADDRESS'}";
1186 goto SETTINGS_ERROR;
1187 }
1188 open(ALIASES, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
1189 while (<ALIASES>)
1190 {
1191 chomp($_);
1192 my @tempalias = split(/\,/,$_);
1193 if ($tempalias[1] eq 'on') {
66c36198 1194 if (&General::IpInSubnet ($tempalias[0] ,
c6c9630e
MT		 1195 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
1196 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire alias entry $tempalias[0]";
66c36198 1197 }
c6c9630e
MT		 1198 }
1199 }
1200 close(ALIASES);
6e13d0a5 1201 if ($errormessage ne ''){
c6c9630e 1202 goto SETTINGS_ERROR;
6e13d0a5
MT		 1203 }
1204 if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
1205 $errormessage = $Lang::tr{'invalid input'};
1206 goto SETTINGS_ERROR;
1207 }
1208 if ((length($cgiparams{'DMTU'})==0) || (($cgiparams{'DMTU'}) < 1000 )) {
1209 $errormessage = $Lang::tr{'invalid mtu input'};
1210 goto SETTINGS_ERROR;
1211 }
66c36198 1212
6e13d0a5 1213 unless (&General::validport($cgiparams{'DDEST_PORT'})) {
c6c9630e
MT		 1214 $errormessage = $Lang::tr{'invalid port'};
1215 goto SETTINGS_ERROR;
6e13d0a5 1216 }
8c252e6a 1217
b21a6319
EK		 1218 # Create ta.key for tls-auth if not presant
1219 if ($cgiparams{'TLSAUTH'} eq 'on') {
1220 if ( ! -e "${General::swroot}/ovpn/certs/ta.key") {
2feacd98 1221 # This system call is safe, because all arguements are passed as an array.
acbd6ff4 1222 system("/usr/sbin/openvpn", "--genkey", "secret", "${General::swroot}/ovpn/certs/ta.key");
b21a6319
EK		 1223 if ($?) {
1224 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1225 goto SETTINGS_ERROR;
1226 }
1227 }
1228 }
1229
6e13d0a5
MT		 1230 $vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'};
1231 $vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'};
1232 $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
1233 $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};
1234#new settings for daemon
1235 $vpnsettings{'DOVPN_SUBNET'} = $cgiparams{'DOVPN_SUBNET'};
6e13d0a5
MT		 1236 $vpnsettings{'DPROTOCOL'} = $cgiparams{'DPROTOCOL'};
1237 $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'};
1238 $vpnsettings{'DMTU'} = $cgiparams{'DMTU'};
1239 $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
1240 $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
86308adb 1241 $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
0c4ffc69 1242 $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
3ffee04b
CS		 1243#wrtie enable
1244
2feacd98
SS		 1245 if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {
1246 &General::system("touch", "${General::swroot}/ovpn/enable_blue");
1247 } else {
274ca65b 1248 unlink("${General::swroot}/ovpn/enable_blue");
2feacd98
SS		 1249 }
1250
1251 if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' ) {
1252 &General::system("touch", "${General::swroot}/ovpn/enable_orange");
1253 } else {
1254 unlink("${General::swroot}/ovpn/enable_orange");
1255 }
1256
1257 if ( $vpnsettings{'ENABLED'} eq 'on' ) {
1258 &General::system("touch", "${General::swroot}/ovpn/enable");
1259 } else {
1260 unlink("${General::swroot}/ovpn/enable");
1261 }
1262
66c36198 1263#new settings for daemon
6e13d0a5 1264 &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
c6c9630e 1265 &writeserverconf();#hier ok
6e13d0a5
MT		 1266SETTINGS_ERROR:
1267###
1268### Reset all step 2
1269###
4c962356 1270}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'} && $cgiparams{'AREUSURE'} eq 'yes') {
6e13d0a5
MT		 1271 my $file = '';
1272 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1273
1e499e90 1274 # Kill all N2N connections
2feacd98 1275 &General::system("/usr/local/bin/openvpnctrl", "-kn2n");
1e499e90 1276
6e13d0a5 1277 foreach my $key (keys %confighash) {
2f36a7b4
MT		 1278 my $name = $confighash{$cgiparams{'$key'}}[1];
1279
c6c9630e
MT		 1280 if ($confighash{$key}[4] eq 'cert') {
1281 delete $confighash{$cgiparams{'$key'}};
1282 }
2f36a7b4 1283
2feacd98 1284 &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$name");
6e13d0a5
MT		 1285 }
1286 while ($file = glob("${General::swroot}/ovpn/ca/*")) {
49abe7af 1287 unlink $file;
6e13d0a5
MT		 1288 }
1289 while ($file = glob("${General::swroot}/ovpn/certs/*")) {
49abe7af 1290 unlink $file;
6e13d0a5
MT		 1291 }
1292 while ($file = glob("${General::swroot}/ovpn/crls/*")) {
49abe7af 1293 unlink $file;
6e13d0a5 1294 }
4c962356 1295 &cleanssldatabase();
6e13d0a5
MT		 1296 if (open(FILE, ">${General::swroot}/ovpn/caconfig")) {
1297 print FILE "";
1298 close FILE;
1299 }
49abe7af
EK		 1300 if (open(FILE, ">${General::swroot}/ovpn/ccdroute")) {
1301 print FILE "";
1302 close FILE;
1303 }
1304 if (open(FILE, ">${General::swroot}/ovpn/ccdroute2")) {
1305 print FILE "";
1306 close FILE;
1307 }
1308 while ($file = glob("${General::swroot}/ovpn/ccd/*")) {
1309 unlink $file
1310 }
5795fc1b
AM		 1311 while ($file = glob("${General::swroot}/ovpn/ccd/*")) {
1312 unlink $file
1313 }
49abe7af
EK		 1314 if (open(FILE, ">${General::swroot}/ovpn/ovpn-leases.db")) {
1315 print FILE "";
1316 close FILE;
1317 }
1318 if (open(FILE, ">${General::swroot}/ovpn/ovpnconfig")) {
1319 print FILE "";
1320 close FILE;
1321 }
1322 while ($file = glob("${General::swroot}/ovpn/n2nconf/*")) {
2feacd98 1323 unlink($file);
49abe7af
EK		 1324 }
1325
2f36a7b4
MT		 1326 # Remove everything from the collectd configuration
1327 &writecollectdconf();
1328
c6c9630e 1329 #&writeserverconf();
6e13d0a5
MT		 1330###
1331### Reset all step 1
1332###
4c962356 1333}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'}) {
6e13d0a5 1334 &Header::showhttpheaders();
4c962356
EK		 1335 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
1336 &Header::openbigbox('100%', 'left', '', '');
1337 &Header::openbox('100%', 'left', $Lang::tr{'are you sure'});
1338 print <<END;
1339 <form method='post'>
1340 <table width='100%'>
1341 <tr>
1342 <td align='center'>
1343 <input type='hidden' name='AREUSURE' value='yes' />
49abe7af 1344 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>:
4c962356
EK		 1345 $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}</td>
1346 </tr>
1347 <tr>
1348 <td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' />
1349 <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td>
1350 </tr>
1351 </table>
1352 </form>
6e13d0a5
MT		 1353END
1354 ;
1355 &Header::closebox();
1356 &Header::closebigbox();
1357 &Header::closepage();
1358 exit (0);
1359
4c962356
EK		 1360###
1361### Generate DH key step 2
1362###
1363} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'} && $cgiparams{'AREUSURE'} eq 'yes') {
49abe7af 1364 # Delete if old key exists
4c962356
EK		 1365 if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
1366 unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}";
1367 }
1368 # Create Diffie Hellmann Parameter
2feacd98
SS		 1369 # The system call is safe, because all arguments are passed as an array.
1370 system("/usr/bin/openssl", "dhparam", "-out", "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}");
4c962356
EK		 1371 if ($?) {
1372 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1373 unlink ("${General::swroot}/ovpn/ca/dh1024.pem");
1374 }
1375
1376###
1377### Generate DH key step 1
1378###
1379} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'}) {
1380 &Header::showhttpheaders();
1381 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
1382 &Header::openbigbox('100%', 'LEFT', '', '');
1383 &Header::openbox('100%', 'LEFT', "$Lang::tr{'gen dh'}:");
1384 print <<END;
1385 <table width='100%'>
1386 <tr>
f527e53f 1387 <td width='20%'> </td> <td width='15%'></td> <td width='65%'></td>
49abe7af 1388 </tr>
4c962356
EK		 1389 <tr>
1390 <td class='base'>$Lang::tr{'ovpn dh'}:</td>
1391 <td align='center'>
1392 <form method='post'><input type='hidden' name='AREUSURE' value='yes' />
1393 <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
1394 <select name='DHLENGHT'>
4c962356
EK		 1395 <option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
1396 <option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
1397 <option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
1398 </select>
1399 </td>
1400 </tr>
1401 <tr><td colspan='4'><br></td></tr>
1402 </table>
1403 <table width='100%'>
1404 <tr>
49abe7af 1405 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}: </font></b>$Lang::tr{'dh key warn'}
4c962356 1406 </tr>
49abe7af
EK		 1407 <tr>
1408 <td class='base'>$Lang::tr{'dh key warn1'}</td>
1409 </tr>
1410 <tr><td colspan='2'><br></td></tr>
4c962356
EK		 1411 <tr>
1412 <td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'generate dh key'}' /></td>
1413 </form>
1414 </tr>
1415 </table>
1416
1417END
1418 ;
1419 &Header::closebox();
1420 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1421 &Header::closebigbox();
1422 &Header::closepage();
1423 exit (0);
1424
1425###
1426### Upload DH key
1427###
1428} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload dh key'}) {
2ad1b18b 1429 unless (ref ($cgiparams{'FH'})) {
4c962356
EK		 1430 $errormessage = $Lang::tr{'there was no file upload'};
1431 goto UPLOADCA_ERROR;
1432 }
49abe7af 1433 # Move uploaded dh key to a temporary file
4c962356
EK		 1434 (my $fh, my $filename) = tempfile( );
1435 if (copy ($cgiparams{'FH'}, $fh) != 1) {
1436 $errormessage = $!;
49abe7af 1437 goto UPLOADCA_ERROR;
4c962356 1438 }
2feacd98
SS		 1439 my @temp = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "$filename");
1440 if ( ! grep(/DH Parameters: \((2048|3072|4096) bit\)/, @temp)) {
4c962356
EK		 1441 $errormessage = $Lang::tr{'not a valid dh key'};
1442 unlink ($filename);
1443 goto UPLOADCA_ERROR;
1444 } else {
cc79d281
SS		 1445 # Delete if old key exists
1446 if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
1447 unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}";
4c962356 1448 }
cc79d281
SS		 1449
1450 unless(move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}")) {
49abe7af
EK		 1451 $errormessage = "$Lang::tr{'dh key move failed'}: $!";
1452 unlink ($filename);
1453 goto UPLOADCA_ERROR;
cc79d281 1454 }
4c962356 1455 }
6e13d0a5
MT		 1456###
1457### Upload CA Certificate
1458###
1459} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) {
1460 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1461
1462 if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) {
1463 $errormessage = $Lang::tr{'name must only contain characters'};
1464 goto UPLOADCA_ERROR;
1465 }
1466
1467 if (length($cgiparams{'CA_NAME'}) >60) {
1468 $errormessage = $Lang::tr{'name too long'};
1469 goto VPNCONF_ERROR;
1470 }
1471
1472 if ($cgiparams{'CA_NAME'} eq 'ca') {
1473 $errormessage = $Lang::tr{'name is invalid'};
4c962356 1474 goto UPLOADCA_ERROR;
6e13d0a5
MT		 1475 }
1476
1477 # Check if there is no other entry with this name
1478 foreach my $key (keys %cahash) {
c6c9630e
MT		 1479 if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) {
1480 $errormessage = $Lang::tr{'a ca certificate with this name already exists'};
1481 goto UPLOADCA_ERROR;
1482 }
6e13d0a5
MT		 1483 }
1484
2ad1b18b 1485 unless (ref ($cgiparams{'FH'})) {
c6c9630e
MT		 1486 $errormessage = $Lang::tr{'there was no file upload'};
1487 goto UPLOADCA_ERROR;
6e13d0a5
MT		 1488 }
1489 # Move uploaded ca to a temporary file
1490 (my $fh, my $filename) = tempfile( );
1491 if (copy ($cgiparams{'FH'}, $fh) != 1) {
c6c9630e
MT		 1492 $errormessage = $!;
1493 goto UPLOADCA_ERROR;
6e13d0a5 1494 }
2feacd98
SS		 1495 my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "$filename");
1496 if ( ! grep(/CA:TRUE/i, @temp )) {
c6c9630e
MT		 1497 $errormessage = $Lang::tr{'not a valid ca certificate'};
1498 unlink ($filename);
1499 goto UPLOADCA_ERROR;
6e13d0a5 1500 } else {
cc79d281 1501 unless(move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem")) {
c6c9630e
MT		 1502 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1503 unlink ($filename);
1504 goto UPLOADCA_ERROR;
1505 }
6e13d0a5
MT		 1506 }
1507
274ca65b 1508 my @casubject = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem");
2feacd98
SS		 1509 my $casubject;
1510
1511 foreach my $line (@casubject) {
1512 if ($line =~ /Subject: (.*)[\n]/) {
1513 $casubject = $1;
1514 $casubject =~ s+/Email+, E+;
1515 $casubject =~ s/ ST=/ S=/;
1516
1517 last;
1518 }
1519 }
1520
6e13d0a5
MT		 1521 $casubject = &Header::cleanhtml($casubject);
1522
1523 my $key = &General::findhasharraykey (\%cahash);
1524 $cahash{$key}[0] = $cgiparams{'CA_NAME'};
1525 $cahash{$key}[1] = $casubject;
1526 &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash);
c6c9630e
MT		 1527# system('/usr/local/bin/ipsecctrl', 'R');
1528
6e13d0a5
MT		 1529 UPLOADCA_ERROR:
1530
1531###
1532### Display ca certificate
1533###
1534} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show ca certificate'}) {
c6c9630e
MT		 1535 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1536
1537 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") {
1538 &Header::showhttpheaders();
4c962356 1539 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
c6c9630e
MT		 1540 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
1541 &Header::openbox('100%', 'LEFT', "$Lang::tr{'ca certificate'}:");
2feacd98 1542 my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
8c946d1c
MT		 1543 my $output = &Header::cleanhtml(join("", @output),"y");
1544 print "<pre>$output</pre>\n";
c6c9630e
MT		 1545 &Header::closebox();
1546 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1547 &Header::closebigbox();
1548 &Header::closepage();
1549 exit(0);
1550 } else {
1551 $errormessage = $Lang::tr{'invalid key'};
1552 }
1553
6e13d0a5
MT		 1554###
1555### Download ca certificate
1556###
1557} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download ca certificate'}) {
1558 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1559
1560 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
1561 print "Content-Type: application/octet-stream\r\n";
1562 print "Content-Disposition: filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n";
2feacd98
SS		 1563
1564 my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
f158e71e 1565 print @tmp;
2feacd98 1566
6e13d0a5
MT		 1567 exit(0);
1568 } else {
1569 $errormessage = $Lang::tr{'invalid key'};
1570 }
1571
1572###
1573### Remove ca certificate (step 2)
1574###
1575} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'} && $cgiparams{'AREUSURE'} eq 'yes') {
1576 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1577 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1578
1579 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
1580 foreach my $key (keys %confighash) {
2feacd98
SS		 1581 my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem");
1582 if (grep(/: OK/, @test)) {
c6c9630e
MT		 1583 # Delete connection
1584# if ($vpnsettings{'ENABLED'} eq 'on' ||
1585# $vpnsettings{'ENABLED_BLUE'} eq 'on') {
1586# system('/usr/local/bin/ipsecctrl', 'D', $key);
1587# }
6e13d0a5
MT		 1588 unlink ("${General::swroot}/ovpn//certs/$confighash{$key}[1]cert.pem");
1589 unlink ("${General::swroot}/ovpn/certs/$confighash{$key}[1].p12");
1590 delete $confighash{$key};
1591 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
c6c9630e 1592# &writeipsecfiles();
6e13d0a5
MT		 1593 }
1594 }
1595 unlink ("${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
1596 delete $cahash{$cgiparams{'KEY'}};
1597 &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash);
c6c9630e 1598# system('/usr/local/bin/ipsecctrl', 'R');
6e13d0a5
MT		 1599 } else {
1600 $errormessage = $Lang::tr{'invalid key'};
1601 }
1602###
1603### Remove ca certificate (step 1)
1604###
1605} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'}) {
1606 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1607 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1608
1609 my $assignedcerts = 0;
1610 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
1611 foreach my $key (keys %confighash) {
2feacd98
SS		 1612 my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem");
1613 if (grep(/: OK/, @test)) {
6e13d0a5
MT		 1614 $assignedcerts++;
1615 }
1616 }
1617 if ($assignedcerts) {
1618 &Header::showhttpheaders();
4c962356 1619 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
6e13d0a5
MT		 1620 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
1621 &Header::openbox('100%', 'LEFT', $Lang::tr{'are you sure'});
4c962356 1622 print <<END;
6e13d0a5
MT		 1623 <table><form method='post'><input type='hidden' name='AREUSURE' value='yes' />
1624 <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
1625 <tr><td align='center'>
1626 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: $assignedcerts
1627 $Lang::tr{'connections are associated with this ca. deleting the ca will delete these connections as well.'}
1628 <tr><td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />
1629 <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td></tr>
1630 </form></table>
1631END
1632 ;
1633 &Header::closebox();
1634 &Header::closebigbox();
1635 &Header::closepage();
1636 exit (0);
1637 } else {
1638 unlink ("${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
1639 delete $cahash{$cgiparams{'KEY'}};
1640 &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1641# system('/usr/local/bin/ipsecctrl', 'R');
1642 }
1643 } else {
1644 $errormessage = $Lang::tr{'invalid key'};
1645 }
1646
1647###
1648### Display root certificate
1649###
c6c9630e
MT		 1650}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} ||
1651 $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) {
2feacd98 1652 my @output;
c6c9630e 1653 &Header::showhttpheaders();
4c962356 1654 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
c6c9630e
MT		 1655 &Header::openbigbox('100%', 'LEFT', '', '');
1656 if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) {
1657 &Header::openbox('100%', 'LEFT', "$Lang::tr{'root certificate'}:");
2feacd98 1658 @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/cacert.pem");
c6c9630e
MT		 1659 } else {
1660 &Header::openbox('100%', 'LEFT', "$Lang::tr{'host certificate'}:");
2feacd98 1661 @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
c6c9630e 1662 }
8c946d1c
MT		 1663 my $output = &Header::cleanhtml(join("", @output), "y");
1664 print "<pre>$output</pre>\n";
c6c9630e
MT		 1665 &Header::closebox();
1666 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1667 &Header::closebigbox();
1668 &Header::closepage();
1669 exit(0);
1670
6e13d0a5
MT		 1671###
1672### Download root certificate
1673###
1674}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download root certificate'}) {
1675 if ( -f "${General::swroot}/ovpn/ca/cacert.pem" ) {
1676 print "Content-Type: application/octet-stream\r\n";
1677 print "Content-Disposition: filename=cacert.pem\r\n\r\n";
2feacd98
SS		 1678
1679 my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/ca/cacert.pem");
f158e71e 1680 print @tmp;
2feacd98 1681
6e13d0a5
MT		 1682 exit(0);
1683 }
66c36198 1684
6e13d0a5
MT		 1685###
1686### Download host certificate
1687###
1688}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download host certificate'}) {
1689 if ( -f "${General::swroot}/ovpn/certs/servercert.pem" ) {
1690 print "Content-Type: application/octet-stream\r\n";
1691 print "Content-Disposition: filename=servercert.pem\r\n\r\n";
2feacd98
SS		 1692
1693 my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
f158e71e 1694 print @tmp;
2feacd98 1695
6e13d0a5
MT		 1696 exit(0);
1697 }
f7fb5bc5 1698
fd5ccb2d
EK		 1699###
1700### Download tls-auth key
1701###
1702}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-auth key'}) {
1703 if ( -f "${General::swroot}/ovpn/certs/ta.key" ) {
1704 print "Content-Type: application/octet-stream\r\n";
1705 print "Content-Disposition: filename=ta.key\r\n\r\n";
2feacd98
SS		 1706
1707 open(FILE, "${General::swroot}/ovpn/certs/ta.key");
1708 my @tmp = <FILE>;
1709 close(FILE);
1710
f158e71e 1711 print @tmp;
2feacd98 1712
fd5ccb2d
EK		 1713 exit(0);
1714 }
1715
6e13d0a5
MT		 1716###
1717### Form for generating a root certificate
1718###
1719}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} ||
1720 $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
1721
1722 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1723 if (-f "${General::swroot}/ovpn/ca/cacert.pem") {
1724 $errormessage = $Lang::tr{'valid root certificate already exists'};
1725 $cgiparams{'ACTION'} = '';
1726 goto ROOTCERT_ERROR;
1727 }
1728
1729 if (($cgiparams{'ROOTCERT_HOSTNAME'} eq '') && -e "${General::swroot}/red/active") {
1730 if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
1731 my $ipaddr = <IPADDR>;
1732 close IPADDR;
1733 chomp ($ipaddr);
1734 $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
1735 if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
1736 $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
1737 }
1738 }
1739 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
2ad1b18b 1740 unless (ref ($cgiparams{'FH'})) {
6e13d0a5
MT		 1741 $errormessage = $Lang::tr{'there was no file upload'};
1742 goto ROOTCERT_ERROR;
1743 }
1744
1745 # Move uploaded certificate request to a temporary file
1746 (my $fh, my $filename) = tempfile( );
1747 if (copy ($cgiparams{'FH'}, $fh) != 1) {
1748 $errormessage = $!;
1749 goto ROOTCERT_ERROR;
1750 }
1751
1752 # Create a temporary dirctory
1753 my $tempdir = tempdir( CLEANUP => 1 );
1754
1755 # Extract the CA certificate from the file
1756 my $pid = open(OPENSSL, "|-");
1757 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1758 if ($pid) { # parent
1759 if ($cgiparams{'P12_PASS'} ne '') {
1760 print OPENSSL "$cgiparams{'P12_PASS'}\n";
1761 }
1762 close (OPENSSL);
1763 if ($?) {
1764 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1765 unlink ($filename);
1766 goto ROOTCERT_ERROR;
1767 }
1768 } else { # child
1769 unless (exec ('/usr/bin/openssl', 'pkcs12', '-cacerts', '-nokeys',
1770 '-in', $filename,
1771 '-out', "$tempdir/cacert.pem")) {
1772 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1773 unlink ($filename);
1774 goto ROOTCERT_ERROR;
1775 }
1776 }
1777
1778 # Extract the Host certificate from the file
1779 $pid = open(OPENSSL, "|-");
1780 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1781 if ($pid) { # parent
1782 if ($cgiparams{'P12_PASS'} ne '') {
1783 print OPENSSL "$cgiparams{'P12_PASS'}\n";
1784 }
1785 close (OPENSSL);
1786 if ($?) {
1787 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1788 unlink ($filename);
1789 goto ROOTCERT_ERROR;
1790 }
1791 } else { # child
1792 unless (exec ('/usr/bin/openssl', 'pkcs12', '-clcerts', '-nokeys',
1793 '-in', $filename,
1794 '-out', "$tempdir/hostcert.pem")) {
1795 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1796 unlink ($filename);
1797 goto ROOTCERT_ERROR;
1798 }
1799 }
1800
1801 # Extract the Host key from the file
1802 $pid = open(OPENSSL, "|-");
1803 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1804 if ($pid) { # parent
1805 if ($cgiparams{'P12_PASS'} ne '') {
1806 print OPENSSL "$cgiparams{'P12_PASS'}\n";
1807 }
1808 close (OPENSSL);
1809 if ($?) {
1810 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1811 unlink ($filename);
1812 goto ROOTCERT_ERROR;
1813 }
1814 } else { # child
1815 unless (exec ('/usr/bin/openssl', 'pkcs12', '-nocerts',
1816 '-nodes',
1817 '-in', $filename,
1818 '-out', "$tempdir/serverkey.pem")) {
1819 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1820 unlink ($filename);
1821 goto ROOTCERT_ERROR;
1822 }
1823 }
1824
cc79d281 1825 unless(move("$tempdir/cacert.pem", "${General::swroot}/ovpn/ca/cacert.pem")) {
6e13d0a5
MT		 1826 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1827 unlink ($filename);
1828 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1829 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1830 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1831 goto ROOTCERT_ERROR;
1832 }
1833
cc79d281 1834 unless(move("$tempdir/hostcert.pem", "${General::swroot}/ovpn/certs/servercert.pem")) {
6e13d0a5
MT		 1835 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1836 unlink ($filename);
1837 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1838 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1839 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1840 goto ROOTCERT_ERROR;
1841 }
1842
cc79d281 1843 unless(move("$tempdir/serverkey.pem", "${General::swroot}/ovpn/certs/serverkey.pem")) {
6e13d0a5
MT		 1844 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1845 unlink ($filename);
1846 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1847 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1848 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1849 goto ROOTCERT_ERROR;
1850 }
1851
1852 goto ROOTCERT_SUCCESS;
1853
1854 } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') {
1855
1856 # Validate input since the form was submitted
1857 if ($cgiparams{'ROOTCERT_ORGANIZATION'} eq ''){
1858 $errormessage = $Lang::tr{'organization cant be empty'};
1859 goto ROOTCERT_ERROR;
1860 }
1861 if (length($cgiparams{'ROOTCERT_ORGANIZATION'}) >60) {
1862 $errormessage = $Lang::tr{'organization too long'};
1863 goto ROOTCERT_ERROR;
1864 }
1865 if ($cgiparams{'ROOTCERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1866 $errormessage = $Lang::tr{'invalid input for organization'};
1867 goto ROOTCERT_ERROR;
1868 }
1869 if ($cgiparams{'ROOTCERT_HOSTNAME'} eq ''){
1870 $errormessage = $Lang::tr{'hostname cant be empty'};
1871 goto ROOTCERT_ERROR;
1872 }
1873 unless (&General::validfqdn($cgiparams{'ROOTCERT_HOSTNAME'}) || &General::validip($cgiparams{'ROOTCERT_HOSTNAME'})) {
1874 $errormessage = $Lang::tr{'invalid input for hostname'};
1875 goto ROOTCERT_ERROR;
1876 }
1877 if ($cgiparams{'ROOTCERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'ROOTCERT_EMAIL'}))) {
1878 $errormessage = $Lang::tr{'invalid input for e-mail address'};
1879 goto ROOTCERT_ERROR;
1880 }
1881 if (length($cgiparams{'ROOTCERT_EMAIL'}) > 40) {
1882 $errormessage = $Lang::tr{'e-mail address too long'};
1883 goto ROOTCERT_ERROR;
1884 }
1885 if ($cgiparams{'ROOTCERT_OU'} ne '' && $cgiparams{'ROOTCERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1886 $errormessage = $Lang::tr{'invalid input for department'};
1887 goto ROOTCERT_ERROR;
1888 }
1889 if ($cgiparams{'ROOTCERT_CITY'} ne '' && $cgiparams{'ROOTCERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1890 $errormessage = $Lang::tr{'invalid input for city'};
1891 goto ROOTCERT_ERROR;
1892 }
1893 if ($cgiparams{'ROOTCERT_STATE'} ne '' && $cgiparams{'ROOTCERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1894 $errormessage = $Lang::tr{'invalid input for state or province'};
1895 goto ROOTCERT_ERROR;
1896 }
1897 if ($cgiparams{'ROOTCERT_COUNTRY'} !~ /^[A-Z]*$/) {
1898 $errormessage = $Lang::tr{'invalid input for country'};
1899 goto ROOTCERT_ERROR;
1900 }
1901
1902 # Copy the cgisettings to vpnsettings and save the configfile
1903 $vpnsettings{'ROOTCERT_ORGANIZATION'} = $cgiparams{'ROOTCERT_ORGANIZATION'};
1904 $vpnsettings{'ROOTCERT_HOSTNAME'} = $cgiparams{'ROOTCERT_HOSTNAME'};
1905 $vpnsettings{'ROOTCERT_EMAIL'} = $cgiparams{'ROOTCERT_EMAIL'};
1906 $vpnsettings{'ROOTCERT_OU'} = $cgiparams{'ROOTCERT_OU'};
1907 $vpnsettings{'ROOTCERT_CITY'} = $cgiparams{'ROOTCERT_CITY'};
1908 $vpnsettings{'ROOTCERT_STATE'} = $cgiparams{'ROOTCERT_STATE'};
1909 $vpnsettings{'ROOTCERT_COUNTRY'} = $cgiparams{'ROOTCERT_COUNTRY'};
1910 &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
1911
1912 # Replace empty strings with a .
1913 (my $ou = $cgiparams{'ROOTCERT_OU'}) =~ s/^\s*$/\./;
1914 (my $city = $cgiparams{'ROOTCERT_CITY'}) =~ s/^\s*$/\./;
1915 (my $state = $cgiparams{'ROOTCERT_STATE'}) =~ s/^\s*$/\./;
1916
1917 # refresh
c6c9630e 1918 #system ('/bin/touch', "${General::swroot}/ovpn/gencanow");
66c36198 1919
6e13d0a5
MT		 1920 # Create the CA certificate
1921 my $pid = open(OPENSSL, "|-");
1922 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1923 if ($pid) { # parent
1924 print OPENSSL "$cgiparams{'ROOTCERT_COUNTRY'}\n";
1925 print OPENSSL "$state\n";
1926 print OPENSSL "$city\n";
1927 print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";
1928 print OPENSSL "$ou\n";
1929 print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'} CA\n";
1930 print OPENSSL "$cgiparams{'ROOTCERT_EMAIL'}\n";
1931 close (OPENSSL);
1932 if ($?) {
1933 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1934 unlink ("${General::swroot}/ovpn/ca/cakey.pem");
1935 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1936 goto ROOTCERT_ERROR;
1937 }
1938 } else { # child
badd8c1c 1939 unless (exec ('/usr/bin/openssl', 'req', '-x509', '-nodes',
49abe7af 1940 '-days', '999999', '-newkey', 'rsa:4096', '-sha512',
6e13d0a5
MT		 1941 '-keyout', "${General::swroot}/ovpn/ca/cakey.pem",
1942 '-out', "${General::swroot}/ovpn/ca/cacert.pem",
1943 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
1944 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1945 goto ROOTCERT_ERROR;
1946 }
1947 }
1948
1949 # Create the Host certificate request
1950 $pid = open(OPENSSL, "|-");
1951 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1952 if ($pid) { # parent
1953 print OPENSSL "$cgiparams{'ROOTCERT_COUNTRY'}\n";
1954 print OPENSSL "$state\n";
1955 print OPENSSL "$city\n";
1956 print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";
1957 print OPENSSL "$ou\n";
1958 print OPENSSL "$cgiparams{'ROOTCERT_HOSTNAME'}\n";
1959 print OPENSSL "$cgiparams{'ROOTCERT_EMAIL'}\n";
1960 print OPENSSL ".\n";
1961 print OPENSSL ".\n";
1962 close (OPENSSL);
1963 if ($?) {
1964 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1965 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1966 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1967 goto ROOTCERT_ERROR;
1968 }
1969 } else { # child
badd8c1c 1970 unless (exec ('/usr/bin/openssl', 'req', '-nodes',
818dde8e 1971 '-newkey', 'rsa:4096',
6e13d0a5
MT		 1972 '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem",
1973 '-out', "${General::swroot}/ovpn/certs/serverreq.pem",
1974 '-extensions', 'server',
1975 '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) {
1976 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1977 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1978 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1979 unlink ("${General::swroot}/ovpn/ca/cakey.pem");
1980 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1981 goto ROOTCERT_ERROR;
1982 }
1983 }
66c36198 1984
6e13d0a5 1985 # Sign the host certificate request
2feacd98 1986 # This system call is safe, because all argeuments are passed as an array.
6e13d0a5
MT		 1987 system('/usr/bin/openssl', 'ca', '-days', '999999',
1988 '-batch', '-notext',
1989 '-in', "${General::swroot}/ovpn/certs/serverreq.pem",
1990 '-out', "${General::swroot}/ovpn/certs/servercert.pem",
1991 '-extensions', 'server',
1992 '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf");
1993 if ($?) {
1994 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1995 unlink ("${General::swroot}/ovpn/ca/cakey.pem");
1996 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1997 unlink ("${General::swroot}/ovpn/serverkey.pem");
1998 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1999 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
c6c9630e 2000 &newcleanssldatabase();
6e13d0a5
MT		 2001 goto ROOTCERT_ERROR;
2002 } else {
2003 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
c6c9630e 2004 &deletebackupcert();
6e13d0a5
MT		 2005 }
2006
2007 # Create an empty CRL
2feacd98 2008 # System call is safe, because all arguments are passed as array.
6e13d0a5
MT		 2009 system('/usr/bin/openssl', 'ca', '-gencrl',
2010 '-out', "${General::swroot}/ovpn/crls/cacrl.pem",
2011 '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" );
2012 if ($?) {
2013 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
2014 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
2015 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
2016 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
66c36198 2017 unlink ("${General::swroot}/ovpn/crls/cacrl.pem");
c6c9630e 2018 &cleanssldatabase();
6e13d0a5 2019 goto ROOTCERT_ERROR;
c6c9630e
MT		 2020# } else {
2021# &cleanssldatabase();
6e13d0a5 2022 }
ae04d0a3 2023 # Create ta.key for tls-auth
2feacd98 2024 # This system call is safe, because all arguments are passed as an array.
acbd6ff4 2025 system('/usr/sbin/openvpn', '--genkey', 'secret', "${General::swroot}/ovpn/certs/ta.key");
ae04d0a3
EK		 2026 if ($?) {
2027 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
2028 &cleanssldatabase();
2029 goto ROOTCERT_ERROR;
2030 }
6e13d0a5 2031 # Create Diffie Hellmann Parameter
2feacd98 2032 # The system call is safe, because all arguments are passed as an array.
badd8c1c 2033 system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}");
6e13d0a5
MT		 2034 if ($?) {
2035 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
2036 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
2037 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
2038 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
2039 unlink ("${General::swroot}/ovpn/crls/cacrl.pem");
2040 unlink ("${General::swroot}/ovpn/ca/dh1024.pem");
c6c9630e 2041 &cleanssldatabase();
6e13d0a5 2042 goto ROOTCERT_ERROR;
c6c9630e
MT		 2043# } else {
2044# &cleanssldatabase();
4be45949 2045 }
6e13d0a5
MT		 2046 goto ROOTCERT_SUCCESS;
2047 }
2048 ROOTCERT_ERROR:
2049 if ($cgiparams{'ACTION'} ne '') {
2050 &Header::showhttpheaders();
4c962356 2051 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
6e13d0a5
MT		 2052 &Header::openbigbox('100%', 'LEFT', '', '');
2053 if ($errormessage) {
2054 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
2055 print "<class name='base'>$errormessage";
2056 print "&nbsp;</class>";
2057 &Header::closebox();
2058 }
2059 &Header::openbox('100%', 'LEFT', "$Lang::tr{'generate root/host certificates'}:");
49abe7af 2060 print <<END;
6e13d0a5
MT		 2061 <form method='post' enctype='multipart/form-data'>
2062 <table width='100%' border='0' cellspacing='1' cellpadding='0'>
e3edceeb 2063 <tr><td width='30%' class='base'>$Lang::tr{'organization name'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
6e13d0a5
MT		 2064 <td width='35%' class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_ORGANIZATION' value='$cgiparams{'ROOTCERT_ORGANIZATION'}' size='32' /></td>
2065 <td width='35%' colspan='2'>&nbsp;</td></tr>
e3edceeb 2066 <tr><td class='base'>$Lang::tr{'ipfires hostname'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
6e13d0a5
MT		 2067 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_HOSTNAME' value='$cgiparams{'ROOTCERT_HOSTNAME'}' size='32' /></td>
2068 <td colspan='2'>&nbsp;</td></tr>
e3edceeb 2069 <tr><td class='base'>$Lang::tr{'your e-mail'}:</td>
6e13d0a5
MT		 2070 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_EMAIL' value='$cgiparams{'ROOTCERT_EMAIL'}' size='32' /></td>
2071 <td colspan='2'>&nbsp;</td></tr>
e3edceeb 2072 <tr><td class='base'>$Lang::tr{'your department'}:</td>
6e13d0a5
MT		 2073 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_OU' value='$cgiparams{'ROOTCERT_OU'}' size='32' /></td>
2074 <td colspan='2'>&nbsp;</td></tr>
e3edceeb 2075 <tr><td class='base'>$Lang::tr{'city'}:</td>
6e13d0a5
MT		 2076 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_CITY' value='$cgiparams{'ROOTCERT_CITY'}' size='32' /></td>
2077 <td colspan='2'>&nbsp;</td></tr>
e3edceeb 2078 <tr><td class='base'>$Lang::tr{'state or province'}:</td>
6e13d0a5
MT		 2079 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_STATE' value='$cgiparams{'ROOTCERT_STATE'}' size='32' /></td>
2080 <td colspan='2'>&nbsp;</td></tr>
2081 <tr><td class='base'>$Lang::tr{'country'}:</td>
66c36198 2082 <td class='base'><select name='ROOTCERT_COUNTRY'>
6e13d0a5
MT		 2083
2084END
2085 ;
2086 foreach my $country (sort keys %{Countries::countries}) {
2087 print "<option value='$Countries::countries{$country}'";
2088 if ( $Countries::countries{$country} eq $cgiparams{'ROOTCERT_COUNTRY'} ) {
2089 print " selected='selected'";
2090 }
2091 print ">$country</option>";
2092 }
49abe7af 2093 print <<END;
6e13d0a5 2094 </select></td>
4c962356
EK		 2095 <tr><td class='base'>$Lang::tr{'ovpn dh'}:</td>
2096 <td class='base'><select name='DHLENGHT'>
4c962356
EK		 2097 <option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
2098 <option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
2099 <option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
2100 </select>
2101 </td>
2102 </tr>
2103
6e13d0a5
MT		 2104 <tr><td>&nbsp;</td>
2105 <td><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /></td>
66c36198 2106 <td>&nbsp;</td><td>&nbsp;</td></tr>
6e13d0a5 2107 <tr><td class='base' colspan='4' align='left'>
e3edceeb 2108 <img src='/blob.gif' valign='top' alt='*' />&nbsp;$Lang::tr{'required field'}</td></tr>
49abe7af
EK		 2109 <tr><td colspan='2'><br></td></tr>
2110 <table width='100%'>
2111 <tr>
2112 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}: </font></b>$Lang::tr{'ovpn generating the root and host certificates'}
2113 <td class='base'>$Lang::tr{'dh key warn'}</td>
4c962356 2114 </tr>
49abe7af
EK		 2115 <tr>
2116 <td class='base'>$Lang::tr{'dh key warn1'}</td>
4c962356 2117 </tr>
49abe7af
EK		 2118 <tr><td colspan='2'><br></td></tr>
2119 <tr>
2120 </table>
4c962356 2121
49abe7af 2122 <table width='100%'>
4c962356 2123 <tr><td colspan='4'><hr></td></tr>
e3edceeb 2124 <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload p12 file'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
6e13d0a5
MT		 2125 <td nowrap='nowrap'><input type='file' name='FH' size='32'></td>
2126 <td colspan='2'>&nbsp;</td></tr>
e3edceeb 2127 <tr><td class='base'>$Lang::tr{'pkcs12 file password'}:</td>
6e13d0a5
MT		 2128 <td class='base' nowrap='nowrap'><input type='password' name='P12_PASS' value='$cgiparams{'P12_PASS'}' size='32' /></td>
2129 <td colspan='2'>&nbsp;</td></tr>
2130 <tr><td>&nbsp;</td>
2131 <td><input type='submit' name='ACTION' value='$Lang::tr{'upload p12 file'}' /></td>
2132 <td colspan='2'>&nbsp;</td></tr>
2133 <tr><td class='base' colspan='4' align='left'>
e3edceeb 2134 <img src='/blob.gif' valign='top' alt='*' >&nbsp;$Lang::tr{'required field'}</td>
4c962356 2135 </tr>
6e13d0a5
MT		 2136 </form></table>
2137END
2138 ;
2139 &Header::closebox();
4c962356 2140 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
6e13d0a5
MT		 2141 &Header::closebigbox();
2142 &Header::closepage();
2143 exit(0)
2144 }
2145
2146 ROOTCERT_SUCCESS:
2feacd98 2147 &General::system("chmod", "600", "${General::swroot}/ovpn/certs/serverkey.pem");
c6c9630e
MT		 2148# if ($vpnsettings{'ENABLED'} eq 'on' ||
2149# $vpnsettings{'ENABLE_BLUE'} eq 'on') {
2150# system('/usr/local/bin/ipsecctrl', 'S');
2151# }
6e13d0a5
MT		 2152
2153###
2154### Enable/Disable connection
2155###
ce9abb66
AH		 2156
2157###
7c1d9faf 2158# m.a.d net2net
ce9abb66
AH		 2159###
2160
6e13d0a5 2161}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {
66c36198 2162
c6c9630e 2163 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
6e13d0a5 2164 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2feacd98
SS		 2165 my $n2nactive = '';
2166 my @ps = &General::system_output("/bin/ps", "ax");
2167
2168 if(grep(/$confighash{$cgiparams{'KEY'}}[1]/, @ps)) {
2169 $n2nactive = "1";
2170 }
66c36198 2171
6e13d0a5 2172 if ($confighash{$cgiparams{'KEY'}}) {
8c877a82
AM		 2173 if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') {
2174 $confighash{$cgiparams{'KEY'}}[0] = 'on';
2175 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
ce9abb66 2176
8c877a82 2177 if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
2feacd98 2178 &General::system("/usr/local/bin/openvpnctrl", "-sn2n", "$confighash{$cgiparams{'KEY'}}[1]");
775b4494 2179 &writecollectdconf();
8c877a82
AM		 2180 }
2181 } else {
ce9abb66 2182
8c877a82
AM		 2183 $confighash{$cgiparams{'KEY'}}[0] = 'off';
2184 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
ce9abb66 2185
8c877a82 2186 if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
775b4494 2187 if ($n2nactive ne '') {
2feacd98 2188 &General::system("/usr/local/bin/openvpnctrl", "-kn2n", "$confighash{$cgiparams{'KEY'}}[1]");
775b4494
AM		 2189 &writecollectdconf();
2190 }
8c877a82 2191 }
775b4494 2192 }
ce9abb66 2193 }
6e13d0a5
MT		 2194
2195###
2196### Download OpenVPN client package
2197###
ce9abb66
AH		 2198
2199
6e13d0a5
MT		 2200} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'dl client arch'}) {
2201 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
2202 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2203 my $file = '';
2204 my $clientovpn = '';
2205 my @fileholder;
2206 my $tempdir = tempdir( CLEANUP => 1 );
2207 my $zippath = "$tempdir/";
ce9abb66
AH		 2208
2209###
7c1d9faf
AH		 2210# m.a.d net2net
2211###
ce9abb66
AH		 2212
2213if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
66c36198 2214
ce9abb66
AH		 2215 my $zipname = "$confighash{$cgiparams{'KEY'}}[1]-Client.zip";
2216 my $zippathname = "$zippath$zipname";
66c36198 2217 $clientovpn = "$confighash{$cgiparams{'KEY'}}[1].conf";
ce9abb66 2218 my @ovsubnettemp = split(/\./,$confighash{$cgiparams{'KEY'}}[27]);
54fd0535 2219 my $ovsubnet = "$ovsubnettemp[0].$ovsubnettemp[1].$ovsubnettemp[2]";
66c36198 2220 my $tunmtu = '';
7c1d9faf 2221 my @remsubnet = split(/\//,$confighash{$cgiparams{'KEY'}}[8]);
54fd0535 2222 my $n2nfragment = '';
66c36198 2223
ce9abb66
AH		 2224 open(CLIENTCONF, ">$tempdir/$clientovpn") or die "Unable to open tempfile: $!";
2225 flock CLIENTCONF, 2;
66c36198 2226
ce9abb66 2227 my $zip = Archive::Zip->new();
7c1d9faf 2228 print CLIENTCONF "# IPFire n2n Open VPN Client Config by ummeegge und m.a.d\n";
ce9abb66 2229 print CLIENTCONF "# \n";
b278daf3 2230 print CLIENTCONF "# User Security\n";
ce9abb66
AH		 2231 print CLIENTCONF "user nobody\n";
2232 print CLIENTCONF "group nobody\n";
2233 print CLIENTCONF "persist-tun\n";
2234 print CLIENTCONF "persist-key\n";
7c1d9faf 2235 print CLIENTCONF "script-security 2\n";
66c36198 2236 print CLIENTCONF "# IP/DNS for remote Server Gateway\n";
531f0835 2237 print CLIENTCONF "remote $vpnsettings{'VPN_IP'}\n";
b278daf3 2238 print CLIENTCONF "float\n";
66c36198
PM		 2239 print CLIENTCONF "# IP adresses of the VPN Subnet\n";
2240 print CLIENTCONF "ifconfig $ovsubnet.2 $ovsubnet.1\n";
2241 print CLIENTCONF "# Server Gateway Network\n";
7c1d9faf 2242 print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n";
66c36198
PM		 2243 print CLIENTCONF "# tun Device\n";
2244 print CLIENTCONF "dev tun\n";
35a21a25
AM		 2245 print CLIENTCONF "#Logfile for statistics\n";
2246 print CLIENTCONF "status-version 1\n";
2247 print CLIENTCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n";
66c36198
PM		 2248 print CLIENTCONF "# Port and Protokoll\n";
2249 print CLIENTCONF "port $confighash{$cgiparams{'KEY'}}[29]\n";
2250
60f396d7 2251 if ($confighash{$cgiparams{'KEY'}}[28] eq 'tcp') {
1580d3b1 2252 print CLIENTCONF "proto tcp4-client\n";
60f396d7 2253 print CLIENTCONF "# Packet size\n";
d96c89eb 2254 if ($confighash{$cgiparams{'KEY'}}[31] eq '') {$tunmtu = '1400'} else {$tunmtu = $confighash{$cgiparams{'KEY'}}[31]};
60f396d7 2255 print CLIENTCONF "tun-mtu $tunmtu\n";
d96c89eb 2256 }
66c36198 2257
60f396d7 2258 if ($confighash{$cgiparams{'KEY'}}[28] eq 'udp') {
1580d3b1 2259 print CLIENTCONF "proto udp4\n";
60f396d7
AH		 2260 print CLIENTCONF "# Paketsize\n";
2261 if ($confighash{$cgiparams{'KEY'}}[31] eq '') {$tunmtu = '1500'} else {$tunmtu = $confighash{$cgiparams{'KEY'}}[31]};
2262 print CLIENTCONF "tun-mtu $tunmtu\n";
54fd0535 2263 if ($confighash{$cgiparams{'KEY'}}[24] ne '') {print CLIENTCONF "fragment $confighash{$cgiparams{'KEY'}}[24]\n";}
d6989b4b 2264 if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF "mssfix\n";} else { print CLIENTCONF "mssfix 0\n"; }
d96c89eb 2265 }
b66b02ab
EK		 2266 # Check host certificate if X509 is RFC3280 compliant.
2267 # If not, old --ns-cert-type directive will be used.
2268 # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
2feacd98
SS		 2269 my @hostcert = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
2270 if (! grep(/TLS Web Server Authentication/, @hostcert)) {
b66b02ab
EK		 2271 print CLIENTCONF "ns-cert-type server\n";
2272 } else {
2273 print CLIENTCONF "remote-cert-tls server\n";
2274 }
66c36198
PM		 2275 print CLIENTCONF "# Auth. Client\n";
2276 print CLIENTCONF "tls-client\n";
49abe7af 2277 print CLIENTCONF "# Cipher\n";
4c962356 2278 print CLIENTCONF "cipher $confighash{$cgiparams{'KEY'}}[40]\n";
66c36198 2279 if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") {
ce9abb66
AH		 2280 print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12\r\n";
2281 $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
49abe7af 2282 }
52f61e49
EKD		 2283
2284 # If GCM cipher is used, do not use --auth
2285 if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') ||
2286 ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') ||
2287 ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) {
2288 print CLIENTCONF unless "# HMAC algorithm\n";
2289 print CLIENTCONF unless "auth $confighash{$cgiparams{'KEY'}}[39]\n";
49abe7af 2290 } else {
52f61e49
EKD		 2291 print CLIENTCONF "# HMAC algorithm\n";
2292 print CLIENTCONF "auth $confighash{$cgiparams{'KEY'}}[39]\n";
49abe7af 2293 }
52f61e49 2294
4c962356 2295 if ($confighash{$cgiparams{'KEY'}}[30] eq 'on') {
b278daf3 2296 print CLIENTCONF "# Enable Compression\n";
66298ef2 2297 print CLIENTCONF "comp-lzo\n";
b278daf3 2298 }
66c36198
PM		 2299 print CLIENTCONF "# Debug Level\n";
2300 print CLIENTCONF "verb 3\n";
2301 print CLIENTCONF "# Tunnel check\n";
2302 print CLIENTCONF "keepalive 10 60\n";
2303 print CLIENTCONF "# Start as daemon\n";
2304 print CLIENTCONF "daemon $confighash{$cgiparams{'KEY'}}[1]n2n\n";
2305 print CLIENTCONF "writepid /var/run/$confighash{$cgiparams{'KEY'}}[1]n2n.pid\n";
2306 print CLIENTCONF "# Activate Management Interface and Port\n";
54fd0535
MT		 2307 if ($confighash{$cgiparams{'KEY'}}[22] eq '') {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[29]\n"}
2308 else {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[22]\n"};
ce9abb66 2309 print CLIENTCONF "# remsub $confighash{$cgiparams{'KEY'}}[11]\n";
66c36198 2310
ce9abb66
AH		 2311
2312 close(CLIENTCONF);
66c36198 2313
ce9abb66
AH		 2314 $zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n";
2315 my $status = $zip->writeToFileNamed($zippathname);
2316
2317 open(DLFILE, "<$zippathname") or die "Unable to open $zippathname: $!";
2318 @fileholder = <DLFILE>;
2319 print "Content-Type:application/x-download\n";
2320 print "Content-Disposition:attachment;filename=$zipname\n\n";
2321 print @fileholder;
2322 exit (0);
2323}
2324else
2325{
2326 my $zipname = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.zip";
2327 my $zippathname = "$zippath$zipname";
2328 $clientovpn = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.ovpn";
2329
2330###
7c1d9faf 2331# m.a.d net2net
ce9abb66 2332###
66c36198 2333
c6c9630e 2334 open(CLIENTCONF, ">$tempdir/$clientovpn") or die "Unable to open tempfile: $!";
6e13d0a5 2335 flock CLIENTCONF, 2;
66c36198 2336
6e13d0a5 2337 my $zip = Archive::Zip->new();
66c36198 2338
8c877a82 2339 print CLIENTCONF "#OpenVPN Client conf\r\n";
6e13d0a5
MT		 2340 print CLIENTCONF "tls-client\r\n";
2341 print CLIENTCONF "client\r\n";
4f6e3ae3 2342 print CLIENTCONF "nobind\r\n";
79e7688b 2343 print CLIENTCONF "dev tun\r\n";
c6c9630e 2344 print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n";
d6989b4b 2345 print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n";
2ee746be 2346
6e13d0a5
MT		 2347 if ( $vpnsettings{'ENABLED'} eq 'on'){
2348 print CLIENTCONF "remote $vpnsettings{'VPN_IP'} $vpnsettings{'DDEST_PORT'}\r\n";
66c36198 2349 if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&haveBlueNet())){
574f4538 2350 print CLIENTCONF "#comment the above line and uncomment the next line, if you want to connect on the Blue interface\r\n";
c6c9630e
MT		 2351 print CLIENTCONF ";remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
2352 }
2353 if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){
574f4538 2354 print CLIENTCONF "#comment the above line and uncomment the next line, if you want to connect on the Orange interface\r\n";
c6c9630e
MT		 2355 print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
2356 }
2357 } elsif ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&haveBlueNet())){
2358 print CLIENTCONF "remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
2359 if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){
574f4538 2360 print CLIENTCONF "#comment the above line and uncomment the next line, if you want to connect on the Orange interface\r\n";
c6c9630e
MT		 2361 print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
2362 }
2363 } elsif ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){
2364 print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
6e13d0a5 2365 }
66c36198 2366
71af643c
MT		 2367 my $file_crt = new File::Temp( UNLINK => 1 );
2368 my $file_key = new File::Temp( UNLINK => 1 );
b22d8aaf 2369 my $include_certs = 0;
71af643c 2370
66c36198 2371 if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") {
71af643c 2372 if ($cgiparams{'MODE'} eq 'insecure') {
b22d8aaf
MT		 2373 $include_certs = 1;
2374
71af643c 2375 # Add the CA
b22d8aaf 2376 print CLIENTCONF ";ca cacert.pem\r\n";
71af643c
MT		 2377 $zip->addFile("${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n";
2378
2379 # Extract the certificate
2feacd98 2380 # This system call is safe, because all arguments are passed as an array.
71af643c
MT		 2381 system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
2382 '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:');
2383 if ($?) {
2384 die "openssl error: $?";
2385 }
2386
2387 $zip->addFile("$file_crt", "$confighash{$cgiparams{'KEY'}}[1].pem") or die;
b22d8aaf 2388 print CLIENTCONF ";cert $confighash{$cgiparams{'KEY'}}[1].pem\r\n";
71af643c
MT		 2389
2390 # Extract the key
2feacd98 2391 # This system call is safe, because all arguments are passed as an array.
71af643c
MT		 2392 system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
2393 '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:');
2394 if ($?) {
2395 die "openssl error: $?";
2396 }
2397
2398 $zip->addFile("$file_key", "$confighash{$cgiparams{'KEY'}}[1].key") or die;
b22d8aaf 2399 print CLIENTCONF ";key $confighash{$cgiparams{'KEY'}}[1].key\r\n";
71af643c
MT		 2400 } else {
2401 print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
2402 $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
2403 }
6e13d0a5 2404 } else {
c6c9630e
MT		 2405 print CLIENTCONF "ca cacert.pem\r\n";
2406 print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n";
2407 print CLIENTCONF "key $confighash{$cgiparams{'KEY'}}[1].key\r\n";
2408 $zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n";
66c36198 2409 $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n";
6e13d0a5
MT		 2410 }
2411 print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n";
49abe7af 2412 print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
86308adb 2413
49abe7af 2414 if ($vpnsettings{'TLSAUTH'} eq 'on') {
b22d8aaf
MT		 2415 if ($cgiparams{'MODE'} eq 'insecure') {
2416 print CLIENTCONF ";";
2417 }
4be45949
EK		 2418 print CLIENTCONF "tls-auth ta.key\r\n";
2419 $zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key") or die "Can't add file ta.key\n";
49abe7af 2420 }
6e13d0a5
MT		 2421 if ($vpnsettings{DCOMPLZO} eq 'on') {
2422 print CLIENTCONF "comp-lzo\r\n";
2423 }
2424 print CLIENTCONF "verb 3\r\n";
b66b02ab
EK		 2425 # Check host certificate if X509 is RFC3280 compliant.
2426 # If not, old --ns-cert-type directive will be used.
2427 # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
2feacd98
SS		 2428 my @hostcert = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
2429 if (! grep(/TLS Web Server Authentication/, @hostcert)) {
b66b02ab
EK		 2430 print CLIENTCONF "ns-cert-type server\r\n";
2431 } else {
2432 print CLIENTCONF "remote-cert-tls server\r\n";
2433 }
964700d4 2434 print CLIENTCONF "verify-x509-name $vpnsettings{ROOTCERT_HOSTNAME} name\r\n";
a79fa1d6
JPT		 2435 if ($vpnsettings{MSSFIX} eq 'on') {
2436 print CLIENTCONF "mssfix\r\n";
d6989b4b
MT		 2437 } else {
2438 print CLIENTCONF "mssfix 0\r\n";
a79fa1d6 2439 }
74225cce 2440 if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' ) {
a79fa1d6
JPT		 2441 print CLIENTCONF "fragment $vpnsettings{'FRAGMENT'}\r\n";
2442 }
a9998867
MT		 2443
2444 # Disable storing any credentials in memory
2445 print CLIENTCONF "auth-nocache\r\n";
2446
2447 # Set a fake user name for authentication
2448 print CLIENTCONF "auth-token-user USER\r\n";
2449 print CLIENTCONF "auth-token TOTP\r\n";
2450
2451 # If the server is asking for TOTP this needs to happen interactively
2452 print CLIENTCONF "auth-retry interact\r\n";
1647059d 2453
b22d8aaf
MT		 2454 if ($include_certs) {
2455 print CLIENTCONF "\r\n";
2456
2457 # CA
2458 open(FILE, "<${General::swroot}/ovpn/ca/cacert.pem");
2459 print CLIENTCONF "<ca>\r\n";
2460 while (<FILE>) {
2461 chomp($_);
2462 print CLIENTCONF "$_\r\n";
2463 }
2464 print CLIENTCONF "</ca>\r\n\r\n";
2465 close(FILE);
2466
2467 # Cert
2468 open(FILE, "<$file_crt");
2469 print CLIENTCONF "<cert>\r\n";
2470 while (<FILE>) {
2471 chomp($_);
2472 print CLIENTCONF "$_\r\n";
2473 }
2474 print CLIENTCONF "</cert>\r\n\r\n";
2475 close(FILE);
2476
2477 # Key
2478 open(FILE, "<$file_key");
2479 print CLIENTCONF "<key>\r\n";
2480 while (<FILE>) {
2481 chomp($_);
2482 print CLIENTCONF "$_\r\n";
2483 }
2484 print CLIENTCONF "</key>\r\n\r\n";
2485 close(FILE);
2486
2487 # TLS auth
2488 if ($vpnsettings{'TLSAUTH'} eq 'on') {
2489 open(FILE, "<${General::swroot}/ovpn/certs/ta.key");
2490 print CLIENTCONF "<tls-auth>\r\n";
2491 while (<FILE>) {
2492 chomp($_);
2493 print CLIENTCONF "$_\r\n";
2494 }
2495 print CLIENTCONF "</tls-auth>\r\n\r\n";
2496 close(FILE);
2497 }
2498 }
2499
ffbe77c8
EK		 2500 # Print client.conf.local if entries exist to client.ovpn
2501 if (!-z $local_clientconf && $vpnsettings{'ADDITIONAL_CONFIGS'} eq 'on') {
2502 open (LCC, "$local_clientconf");
2503 print CLIENTCONF "\n#---------------------------\n";
2504 print CLIENTCONF "# Start of custom directives\n";
2505 print CLIENTCONF "# from client.conf.local\n";
2506 print CLIENTCONF "#---------------------------\n\n";
2507 while (<LCC>) {
2508 print CLIENTCONF $_;
2509 }
2510 print CLIENTCONF "\n#---------------------------\n";
2511 print CLIENTCONF "# End of custom directives\n";
2512 print CLIENTCONF "#---------------------------\n\n";
2513 close (LCC);
2514 }
6e13d0a5 2515 close(CLIENTCONF);
66c36198 2516
6e13d0a5
MT		 2517 $zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n";
2518 my $status = $zip->writeToFileNamed($zippathname);
2519
2520 open(DLFILE, "<$zippathname") or die "Unable to open $zippathname: $!";
2521 @fileholder = <DLFILE>;
2522 print "Content-Type:application/x-download\n";
2523 print "Content-Disposition:attachment;filename=$zipname\n\n";
2524 print @fileholder;
2525 exit (0);
ce9abb66 2526 }
66c36198
PM		 2527
2528
2529
6e13d0a5
MT		 2530###
2531### Remove connection
2532###
ce9abb66
AH		 2533
2534
6e13d0a5 2535} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) {
323be7c4
AM		 2536 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
2537 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
c6c9630e 2538
323be7c4 2539 if ($confighash{$cgiparams{'KEY'}}) {
fde9c9dd 2540 # Revoke certificate if certificate was deleted and rewrite the CRL
274ca65b 2541 &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
2feacd98 2542 &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
ce9abb66
AH		 2543
2544###
7c1d9faf 2545# m.a.d net2net
ce9abb66 2546###
7c1d9faf 2547
323be7c4 2548 if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') {
1e499e90 2549 # Stop the N2N connection before it is removed
2feacd98 2550 &General::system("/usr/local/bin/openvpnctrl", "-kn2n", "$confighash{$cgiparams{'KEY'}}[1]");
1e499e90 2551
323be7c4
AM		 2552 my $conffile = glob("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]/$confighash{$cgiparams{'KEY'}}[1].conf");
2553 my $certfile = glob("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
2554 unlink ($certfile);
2555 unlink ($conffile);
8e6a8fd5 2556
323be7c4
AM		 2557 if (-e "${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") {
2558 rmdir ("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") || die "Kann Verzeichnis nicht loeschen: $!";
2559 }
323be7c4 2560 }
ce9abb66 2561
323be7c4
AM		 2562 unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
2563 unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
8c877a82
AM		 2564
2565# A.Marx CCD delete ccd files and routes
2566
323be7c4
AM		 2567 if (-f "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]")
2568 {
2569 unlink "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]";
8c877a82 2570 }
66c36198 2571
323be7c4
AM		 2572 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
2573 foreach my $key (keys %ccdroutehash) {
2574 if ($ccdroutehash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){
2575 delete $ccdroutehash{$key};
2576 }
8c877a82 2577 }
323be7c4 2578 &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
66c36198 2579
323be7c4
AM		 2580 &General::readhasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
2581 foreach my $key (keys %ccdroute2hash) {
2582 if ($ccdroute2hash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){
2583 delete $ccdroute2hash{$key};
2584 }
2585 }
2586 &General::writehasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
2587 &writeserverconf;
8c877a82 2588
323be7c4
AM		 2589# CCD end
2590 # Update collectd configuration and delete all RRD files of the removed connection
2591 &writecollectdconf();
2feacd98 2592 &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]");
8c877a82 2593
323be7c4 2594 delete $confighash{$cgiparams{'KEY'}};
2feacd98 2595 &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
323be7c4
AM		 2596 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2597
2598 } else {
2599 $errormessage = $Lang::tr{'invalid key'};
2600 }
b2e75449 2601 &General::firewall_reload();
ce9abb66 2602
6e13d0a5
MT		 2603###
2604### Download PKCS12 file
2605###
2606} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download pkcs12 file'}) {
2607 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2608
2609 print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n";
2610 print "Content-Type: application/octet-stream\r\n\r\n";
2feacd98
SS		 2611
2612 open(FILE, "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
2613 my @tmp = <FILE>;
2614 close(FILE);
2615
f158e71e 2616 print @tmp;
6e13d0a5
MT		 2617 exit (0);
2618
2619###
2620### Display certificate
2621###
2622} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show certificate'}) {
2623 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2624
2625 if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
c6c9630e 2626 &Header::showhttpheaders();
4c962356 2627 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
c6c9630e
MT		 2628 &Header::openbigbox('100%', 'LEFT', '', '');
2629 &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate'}:");
2feacd98 2630 my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
8c946d1c
MT		 2631 my $output = &Header::cleanhtml(join("", @output), "y");
2632 print "<pre>$output</pre>\n";
c6c9630e
MT		 2633 &Header::closebox();
2634 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2635 &Header::closebigbox();
2636 &Header::closepage();
2637 exit(0);
6e13d0a5 2638 }
4c962356 2639
e1e10515
TE		 2640###
2641### Display OTP QRCode
2642###
2643} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show otp qrcode'}) {
2644 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2645
e1e10515
TE		 2646 my $qrcode = Imager::QRCode->new(
2647 size => 6,
2648 margin => 0,
2649 version => 0,
2650 level => 'M',
2651 mode => '8-bit',
2652 casesensitive => 1,
2653 lightcolor => Imager::Color->new(255, 255, 255),
2654 darkcolor => Imager::Color->new(0, 0, 0),
2655 );
3740b7ad 2656 my $cn = uri_encode($confighash{$cgiparams{'KEY'}}[2]);
10b32d38 2657 my $secret = encode_base32(pack('H*', $confighash{$cgiparams{'KEY'}}[44]));
3740b7ad 2658 my $issuer = uri_encode("$mainsettings{'HOSTNAME'}.$mainsettings{'DOMAINNAME'}");
e1e10515
TE		 2659 my $qrcodeimg = $qrcode->plot("otpauth://totp/$cn?secret=$secret&issuer=$issuer");
2660 my $qrcodeimgdata;
2661 $qrcodeimg->write(data => \$qrcodeimgdata, type=> 'png')
2662 or die $qrcodeimg->errstr;
2663 $qrcodeimgdata = encode_base64($qrcodeimgdata, '');
2664
2665 &Header::showhttpheaders();
2666 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
2667 &Header::openbigbox('100%', 'LEFT', '', '');
2668 &Header::openbox('100%', 'LEFT', "$Lang::tr{'otp qrcode'}:");
2669 print <<END;
2670$Lang::tr{'secret'}:&nbsp;$secret</br></br>
2671<img alt="$Lang::tr{'otp qrcode'}" src="data:image/png;base64,$qrcodeimgdata">
2672END
2673 &Header::closebox();
2674 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2675 &Header::closebigbox();
2676 &Header::closepage();
2677 exit(0);
2678
4c962356
EK		 2679###
2680### Display Diffie-Hellman key
2681###
2682} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show dh'}) {
2683
2684 if (! -e "${General::swroot}/ovpn/ca/dh1024.pem") {
49abe7af 2685 $errormessage = $Lang::tr{'not present'};
4c962356
EK		 2686 } else {
2687 &Header::showhttpheaders();
2688 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
2689 &Header::openbigbox('100%', 'LEFT', '', '');
2690 &Header::openbox('100%', 'LEFT', "$Lang::tr{'dh'}:");
2feacd98 2691 my @output = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/dh1024.pem");
8c946d1c
MT		 2692 my $output = &Header::cleanhtml(join("", @output) ,"y");
2693 print "<pre>$output</pre>\n";
4c962356
EK		 2694 &Header::closebox();
2695 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2696 &Header::closebigbox();
2697 &Header::closepage();
2698 exit(0);
2699 }
2700
fd5ccb2d
EK		 2701###
2702### Display tls-auth key
2703###
2704} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show tls-auth key'}) {
2705
2706 if (! -e "${General::swroot}/ovpn/certs/ta.key") {
2707 $errormessage = $Lang::tr{'not present'};
2708 } else {
2709 &Header::showhttpheaders();
2710 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
2711 &Header::openbigbox('100%', 'LEFT', '', '');
2712 &Header::openbox('100%', 'LEFT', "$Lang::tr{'ta key'}:");
2feacd98
SS		 2713
2714 open(FILE, "${General::swroot}/ovpn/certs/ta.key");
2715 my @output = <FILE>;
2716 close(FILE);
2717
8c946d1c
MT		 2718 my $output = &Header::cleanhtml(join("", @output),"y");
2719 print "<pre>$output</pre>\n";
fd5ccb2d
EK		 2720 &Header::closebox();
2721 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2722 &Header::closebigbox();
2723 &Header::closepage();
2724 exit(0);
2725 }
2726
6e13d0a5
MT		 2727###
2728### Display Certificate Revoke List
2729###
2730} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show crl'}) {
c6c9630e
MT		 2731# &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2732
49abe7af
EK		 2733 if (! -e "${General::swroot}/ovpn/crls/cacrl.pem") {
2734 $errormessage = $Lang::tr{'not present'};
2735 } else {
b2e75449
MT		 2736 &Header::showhttpheaders();
2737 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
2738 &Header::openbigbox('100%', 'LEFT', '', '');
2739 &Header::openbox('100%', 'LEFT', "$Lang::tr{'crl'}:");
2feacd98 2740 my @output = &General::system_output("/usr/bin/openssl", "crl", "-text", "-noout", "-in", "${General::swroot}/ovpn/crls/cacrl.pem");
8c946d1c
MT		 2741 my $output = &Header::cleanhtml(join("", @output), "y");
2742 print "<pre>$output</pre>\n";
b2e75449
MT		 2743 &Header::closebox();
2744 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2745 &Header::closebigbox();
2746 &Header::closepage();
2747 exit(0);
6e13d0a5
MT		 2748 }
2749
2750###
2751### Advanced Server Settings
2752###
2753
2754} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'advanced server'}) {
2755 %cgiparams = ();
2756 %cahash = ();
2757 %confighash = ();
8c877a82 2758 my $disabled;
6e13d0a5 2759 &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams);
54fd0535 2760 read_routepushfile;
66c36198
PM		 2761
2762
c6c9630e 2763# if ($cgiparams{'CLIENT2CLIENT'} eq '') {
66c36198 2764# $cgiparams{'CLIENT2CLIENT'} = 'on';
c6c9630e 2765# }
6e13d0a5
MT		 2766ADV_ERROR:
2767 if ($cgiparams{'MAX_CLIENTS'} eq '') {
4c962356 2768 $cgiparams{'MAX_CLIENTS'} = '100';
6e13d0a5 2769 }
6e13d0a5 2770 if ($cgiparams{'KEEPALIVE_1'} eq '') {
4c962356 2771 $cgiparams{'KEEPALIVE_1'} = '10';
6e13d0a5
MT		 2772 }
2773 if ($cgiparams{'KEEPALIVE_2'} eq '') {
4c962356 2774 $cgiparams{'KEEPALIVE_2'} = '60';
6e13d0a5
MT		 2775 }
2776 if ($cgiparams{'LOG_VERB'} eq '') {
4c962356 2777 $cgiparams{'LOG_VERB'} = '3';
ae9f6139 2778 }
f527e53f 2779 if ($cgiparams{'TLSAUTH'} eq '') {
754066e6 2780 $cgiparams{'TLSAUTH'} = 'off';
f527e53f 2781 }
6e13d0a5
MT		 2782 $checked{'CLIENT2CLIENT'}{'off'} = '';
2783 $checked{'CLIENT2CLIENT'}{'on'} = '';
2784 $checked{'CLIENT2CLIENT'}{$cgiparams{'CLIENT2CLIENT'}} = 'CHECKED';
2785 $checked{'REDIRECT_GW_DEF1'}{'off'} = '';
2786 $checked{'REDIRECT_GW_DEF1'}{'on'} = '';
2787 $checked{'REDIRECT_GW_DEF1'}{$cgiparams{'REDIRECT_GW_DEF1'}} = 'CHECKED';
13389777
EK		 2788 $checked{'DCOMPLZO'}{'off'} = '';
2789 $checked{'DCOMPLZO'}{'on'} = '';
2790 $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED';
ffbe77c8
EK		 2791 $checked{'ADDITIONAL_CONFIGS'}{'off'} = '';
2792 $checked{'ADDITIONAL_CONFIGS'}{'on'} = '';
2793 $checked{'ADDITIONAL_CONFIGS'}{$cgiparams{'ADDITIONAL_CONFIGS'}} = 'CHECKED';
a79fa1d6
JPT		 2794 $checked{'MSSFIX'}{'off'} = '';
2795 $checked{'MSSFIX'}{'on'} = '';
2796 $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
49abe7af 2797 $selected{'LOG_VERB'}{'0'} = '';
6e13d0a5
MT		 2798 $selected{'LOG_VERB'}{'1'} = '';
2799 $selected{'LOG_VERB'}{'2'} = '';
2800 $selected{'LOG_VERB'}{'3'} = '';
2801 $selected{'LOG_VERB'}{'4'} = '';
2802 $selected{'LOG_VERB'}{'5'} = '';
2803 $selected{'LOG_VERB'}{'6'} = '';
2804 $selected{'LOG_VERB'}{'7'} = '';
2805 $selected{'LOG_VERB'}{'8'} = '';
2806 $selected{'LOG_VERB'}{'9'} = '';
2807 $selected{'LOG_VERB'}{'10'} = '';
2808 $selected{'LOG_VERB'}{'11'} = '';
6e13d0a5 2809 $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED';
66c36198 2810
6e13d0a5
MT		 2811 &Header::showhttpheaders();
2812 &Header::openpage($Lang::tr{'status ovpn'}, 1, '');
66c36198 2813 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
6e13d0a5 2814 if ($errormessage) {
c6c9630e
MT		 2815 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
2816 print "<class name='base'>$errormessage\n";
2817 print "&nbsp;</class>\n";
2818 &Header::closebox();
6e13d0a5
MT		 2819 }
2820 &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'});
4c962356 2821 print <<END;
b376fae4 2822 <form method='post' enctype='multipart/form-data'>
b2e75449 2823<table width='100%' border=0>
4c962356
EK		 2824 <tr>
2825 <td colspan='4'><b>$Lang::tr{'dhcp-options'}</b></td>
6e13d0a5
MT		 2826 </tr>
2827 <tr>
4c962356 2828 <td width='25%'></td> <td width='20%'> </td><td width='25%'> </td><td width='30%'></td>
66c36198
PM		 2829 </tr>
2830 <tr>
4c962356 2831 <td class='base'>Domain</td>
8c877a82 2832 <td><input type='TEXT' name='DHCP_DOMAIN' value='$cgiparams{'DHCP_DOMAIN'}' size='30' /></td>
6e13d0a5 2833 </tr>
66c36198 2834 <tr>
4c962356
EK		 2835 <td class='base'>DNS</td>
2836 <td><input type='TEXT' name='DHCP_DNS' value='$cgiparams{'DHCP_DNS'}' size='30' /></td>
66c36198
PM		 2837 </tr>
2838 <tr>
4c962356
EK		 2839 <td class='base'>WINS</td>
2840 <td><input type='TEXT' name='DHCP_WINS' value='$cgiparams{'DHCP_WINS'}' size='30' /></td>
2841 </tr>
54fd0535 2842 <tr>
4c962356 2843 <td colspan='4'><b>$Lang::tr{'ovpn routes push options'}</b></td>
54fd0535 2844 </tr>
66c36198 2845 <tr>
4c962356
EK		 2846 <td class='base'>$Lang::tr{'ovpn routes push'}</td>
2847 <td colspan='2'>
2848 <textarea name='ROUTES_PUSH' cols='26' rows='6' wrap='off'>
54fd0535
MT		 2849END
2850;
2851
2852if ($cgiparams{'ROUTES_PUSH'} ne '')
2853{
2854 print $cgiparams{'ROUTES_PUSH'};
2855}
2856
8c877a82 2857print <<END;
54fd0535
MT		 2858</textarea></td>
2859</tr>
6e13d0a5
MT		 2860 </tr>
2861</table>
2862<hr size='1'>
4c962356 2863<table width='100%'>
ffbe77c8 2864 <tr>
4c962356 2865 <td class'base'><b>$Lang::tr{'misc-options'}</b></td>
ffbe77c8
EK		 2866 </tr>
2867
2868 <tr>
d2de0a00 2869 <td width='20%'></td> <td width='15%'> </td><td width='35%'> </td><td width='20%'></td><td width='35%'></td>
ffbe77c8
EK		 2870 </tr>
2871
2872 <tr>
4c962356
EK		 2873 <td class='base'>Client-To-Client</td>
2874 <td><input type='checkbox' name='CLIENT2CLIENT' $checked{'CLIENT2CLIENT'}{'on'} /></td>
ffbe77c8
EK		 2875 </tr>
2876
2877 <tr>
4c962356
EK		 2878 <td class='base'>Redirect-Gateway def1</td>
2879 <td><input type='checkbox' name='REDIRECT_GW_DEF1' $checked{'REDIRECT_GW_DEF1'}{'on'} /></td>
ffbe77c8
EK		 2880 </tr>
2881
13389777
EK		 2882 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'}</td>
2883 <td><input type='checkbox' name='DCOMPLZO' $checked{'DCOMPLZO'}{'on'} /></td>
2884 <td>$Lang::tr{'openvpn default'}: off <font color='red'>($Lang::tr{'attention'} exploitable via Voracle)</font></td>
2885 </tr>
2886
4c962356 2887 <tr>
ffbe77c8
EK		 2888 <td class='base'>$Lang::tr{'ovpn add conf'}</td>
2889 <td><input type='checkbox' name='ADDITIONAL_CONFIGS' $checked{'ADDITIONAL_CONFIGS'}{'on'} /></td>
2890 <td>$Lang::tr{'openvpn default'}: off</td>
2891 </tr>
2892
2893 <tr>
2894 <td class='base'>mssfix</td>
2895 <td><input type='checkbox' name='MSSFIX' $checked{'MSSFIX'}{'on'} /></td>
2896 <td>$Lang::tr{'openvpn default'}: off</td>
2897 </tr>
2898
4c962356 2899 <tr>
ffbe77c8
EK		 2900 <td class='base'>fragment <br></td>
2901 <td><input type='TEXT' name='FRAGMENT' value='$cgiparams{'FRAGMENT'}' size='10' /></td>
2902 </tr>
2903
2904
2905 <tr>
2906 <td class='base'>Max-Clients</td>
2907 <td><input type='text' name='MAX_CLIENTS' value='$cgiparams{'MAX_CLIENTS'}' size='10' /></td>
2908 </tr>
2909 <tr>
2910 <td class='base'>Keepalive <br />
2911 (ping/ping-restart)</td>
2912 <td><input type='TEXT' name='KEEPALIVE_1' value='$cgiparams{'KEEPALIVE_1'}' size='10' /></td>
2913 <td><input type='TEXT' name='KEEPALIVE_2' value='$cgiparams{'KEEPALIVE_2'}' size='10' /></td>
2914 </tr>
a79fa1d6
JPT		 2915</table>
2916
a79fa1d6 2917<hr size='1'>
4c962356 2918<table width='100%'>
a79fa1d6 2919 <tr>
49abe7af 2920 <td class'base'><b>$Lang::tr{'log-options'}</b></td>
a79fa1d6
JPT		 2921 </tr>
2922 <tr>
49abe7af 2923 <td width='20%'></td> <td width='30%'> </td><td width='25%'> </td><td width='25%'></td>
4c962356
EK		 2924 </tr>
2925
2926 <tr><td class='base'>VERB</td>
2927 <td><select name='LOG_VERB'>
49abe7af
EK		 2928 <option value='0' $selected{'LOG_VERB'}{'0'}>0</option>
2929 <option value='1' $selected{'LOG_VERB'}{'1'}>1</option>
2930 <option value='2' $selected{'LOG_VERB'}{'2'}>2</option>
2931 <option value='3' $selected{'LOG_VERB'}{'3'}>3</option>
2932 <option value='4' $selected{'LOG_VERB'}{'4'}>4</option>
2933 <option value='5' $selected{'LOG_VERB'}{'5'}>5</option>
2934 <option value='6' $selected{'LOG_VERB'}{'6'}>6</option>
2935 <option value='7' $selected{'LOG_VERB'}{'7'}>7</option>
2936 <option value='8' $selected{'LOG_VERB'}{'8'}>8</option>
2937 <option value='9' $selected{'LOG_VERB'}{'9'}>9</option>
2938 <option value='10' $selected{'LOG_VERB'}{'10'}>10</option>
2939 <option value='11' $selected{'LOG_VERB'}{'11'}>11</option>
2940 </td></select>
2941 </table>
4c962356 2942
6e13d0a5 2943<hr size='1'>
8c877a82
AM		 2944END
2945
2946if ( -e "/var/run/openvpn.pid"){
2947print" <br><b><font color='#990000'>$Lang::tr{'attention'}:</b></font><br>
2948 $Lang::tr{'server restart'}<br><br>
2949 <hr>";
49abe7af 2950 print<<END;
52d08bcb
AM		 2951<table width='100%'>
2952<tr>
2953 <td>&nbsp;</td>
2954 <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-adv-options'}' disabled='disabled' /></td>
2955 <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td>
66c36198 2956 <td>&nbsp;</td>
52d08bcb 2957</tr>
66c36198 2958</table>
52d08bcb
AM		 2959</form>
2960END
66c36198
PM		 2961;
2962
2963
52d08bcb 2964}else{
8c877a82 2965
49abe7af 2966 print<<END;
6e13d0a5
MT		 2967<table width='100%'>
2968<tr>
2969 <td>&nbsp;</td>
2970 <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-adv-options'}' /></td>
2971 <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td>
66c36198 2972 <td>&nbsp;</td>
6e13d0a5 2973</tr>
66c36198 2974</table>
6e13d0a5
MT		 2975</form>
2976END
66c36198 2977;
52d08bcb 2978}
6e13d0a5 2979 &Header::closebox();
c6c9630e 2980# print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
6e13d0a5
MT		 2981 &Header::closebigbox();
2982 &Header::closepage();
2983 exit(0);
66c36198 2984
8c877a82
AM		 2985
2986# A.Marx CCD Add,delete or edit CCD net
2987
66c36198
PM		 2988} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'ccd net'} ||
2989 $cgiparams{'ACTION'} eq $Lang::tr{'ccd add'} ||
2990 $cgiparams{'ACTION'} eq "kill" ||
8c877a82
AM		 2991 $cgiparams{'ACTION'} eq "edit" ||
2992 $cgiparams{'ACTION'} eq 'editsave'){
2993 &Header::showhttpheaders();
2994 &Header::openpage($Lang::tr{'ccd net'}, 1, '');
2995 &Header::openbigbox('100%', 'LEFT', '', '');
2996
2997 if ($cgiparams{'ACTION'} eq "kill"){
2998 &delccdnet($cgiparams{'net'});
2999 }
66c36198 3000
8c877a82
AM		 3001 if ($cgiparams{'ACTION'} eq 'editsave'){
3002 my ($a,$b) =split (/\|/,$cgiparams{'ccdname'});
3003 if ( $a ne $b){ &modccdnet($a,$b);}
5068ac38
AM		 3004 $cgiparams{'ccdname'}='';
3005 $cgiparams{'ccdsubnet'}='';
8c877a82 3006 }
66c36198 3007
8c877a82 3008 if ($cgiparams{'ACTION'} eq $Lang::tr{'ccd add'}) {
e2429e8d 3009 &addccdnet($cgiparams{'ccdname'},$cgiparams{'ccdsubnet'});
8c877a82
AM		 3010 }
3011 if ($errormessage) {
3012 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
3013 print "<class name='base'>$errormessage";
3014 print "&nbsp;</class>";
66c36198 3015 &Header::closebox();
8c877a82
AM		 3016 }
3017if ($cgiparams{'ACTION'} eq "edit"){
66c36198 3018
8c877a82
AM		 3019 &Header::openbox('100%', 'LEFT', $Lang::tr{'ccd modify'});
3020
49abe7af 3021 print <<END;
631b67b7 3022 <table width='100%' border='0'>
8c877a82
AM		 3023 <tr><form method='post'>
3024 <td width='10%' nowrap='nowrap'>$Lang::tr{'ccd name'}:</td><td><input type='TEXT' name='ccdname' value='$cgiparams{'ccdname'}' /></td>
a9fb14d0 3025 <td width='8%'>$Lang::tr{'ccd subnet'}:</td><td><input type='TEXT' name='ccdsubnet' value='$cgiparams{'ccdsubnet'}' readonly='readonly' /></td></tr>
8c877a82
AM		 3026 <tr><td colspan='4' align='right'><hr><input type='submit' value='$Lang::tr{'save'}' /><input type='hidden' name='ACTION' value='editsave'/>
3027 <input type='hidden' name='ccdname' value='$cgiparams{'ccdname'}'/><input type='submit' value='$Lang::tr{'cancel'}' />
3028 </td></tr>
3029 </table></form>
3030END
3031;
3032 &Header::closebox();
3033
3034 &Header::openbox('100%', 'LEFT',$Lang::tr{'ccd net'} );
49abe7af 3035 print <<END;
8c877a82
AM		 3036 <table width='100%' border='0' cellpadding='0' cellspacing='1'>
3037 <tr>
3038 <td class='boldbase' align='center'><b>$Lang::tr{'ccd name'}</td><td class='boldbase' align='center'><b>$Lang::tr{'network'}</td><td class='boldbase' width='15%' align='center'><b>$Lang::tr{'ccd used'}</td><td width='3%'></td><td width='3%'></td></tr>
3039END
3040;
3041}
3042else{
3043 if (! -e "/var/run/openvpn.pid"){
3044 &Header::openbox('100%', 'LEFT', $Lang::tr{'ccd add'});
49abe7af 3045 print <<END;
8c877a82
AM		 3046 <table width='100%' border='0'>
3047 <tr><form method='post'>
3048 <td colspan='4'>$Lang::tr{'ccd hint'}<br><br></td></tr>
3049 <tr>
3050 <td width='10%' nowrap='nwrap'>$Lang::tr{'ccd name'}:</td><td><input type='TEXT' name='ccdname' value='$cgiparams{'ccdname'}' /></td>
3051 <td width='8%'>$Lang::tr{'ccd subnet'}:</td><td><input type='TEXT' name='ccdsubnet' value='$cgiparams{'ccdsubnet'}' /></td></tr>
3052 <tr><td colspan=4><hr /></td></tr><tr>
3053 <td colspan='4' align='right'><input type='hidden' name='ACTION' value='$Lang::tr{'ccd add'}' /><input type='submit' value='$Lang::tr{'add'}' /><input type='hidden' name='DOVPN_SUBNET' value='$cgiparams{'DOVPN_SUBNET'}'/></td></tr>
3054 </table></form>
3055END
66c36198 3056
8c877a82
AM		 3057 &Header::closebox();
3058}
3059 &Header::openbox('100%', 'LEFT',$Lang::tr{'ccd net'} );
5068ac38
AM		 3060 if ( -e "/var/run/openvpn.pid"){
3061 print "<b>$Lang::tr{'attention'}:</b><br>";
3062 print "$Lang::tr{'ccd noaddnet'}<br><hr>";
3063 }
66c36198 3064
4c962356 3065 print <<END;
99bfa85c 3066 <table width='100%' cellpadding='0' cellspacing='1'>
8c877a82
AM		 3067 <tr>
3068 <td class='boldbase' align='center' nowrap='nowrap' width='20%'><b>$Lang::tr{'ccd name'}</td><td class='boldbase' align='center' width='8%'><b>$Lang::tr{'network'}</td><td class='boldbase' width='8%' align='center' nowrap='nowrap'><b>$Lang::tr{'ccd used'}</td><td width='1%' align='center'></td><td width='1%' align='center'></td></tr>
3069END
3070;
3071}
66c36198
PM		 3072 my %ccdconfhash=();
3073 &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
8c877a82
AM		 3074 my @ccdconf=();
3075 my $count=0;
df9b48b7 3076 foreach my $key (sort { uc($ccdconfhash{$a}[0]) cmp uc($ccdconfhash{$b}[0]) } keys %ccdconfhash) {
8c877a82
AM		 3077 @ccdconf=($ccdconfhash{$key}[0],$ccdconfhash{$key}[1]);
3078 $count++;
3079 my $ccdhosts = &hostsinnet($ccdconf[0]);
3080 if ($count % 2){ print" <tr bgcolor='$color{'color22'}'>";}
3081 else{ print" <tr bgcolor='$color{'color20'}'>";}
3082 print"<td>$ccdconf[0]</td><td align='center'>$ccdconf[1]</td><td align='center'>$ccdhosts/".(&ccdmaxclients($ccdconf[1])+1)."</td><td>";
4c962356 3083 print <<END;
8c877a82 3084 <form method='post' />
1638682b 3085 <input type='image' src='/images/edit.gif' align='middle' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' />
8c877a82
AM		 3086 <input type='hidden' name='ACTION' value='edit'/>
3087 <input type='hidden' name='ccdname' value='$ccdconf[0]' />
3088 <input type='hidden' name='ccdsubnet' value='$ccdconf[1]' />
3089 </form></td>
3090 <form method='post' />
3091 <td><input type='hidden' name='ACTION' value='kill'/>
3092 <input type='hidden' name='number' value='$count' />
3093 <input type='hidden' name='net' value='$ccdconf[0]' />
1638682b 3094 <input type='image' src='/images/delete.gif' align='middle' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' /></form></td></tr>
8c877a82
AM		 3095END
3096;
66c36198 3097 }
8c877a82
AM		 3098 print "</table></form>";
3099 &Header::closebox();
3100 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
3101 &Header::closebigbox();
3102 &Header::closepage();
3103 exit(0);
66c36198 3104
8c877a82
AM		 3105#END CCD
3106
6e13d0a5
MT		 3107###
3108### Openvpn Connections Statistics
3109###
3110} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'ovpn con stat'}) {
3111 &Header::showhttpheaders();
3112 &Header::openpage($Lang::tr{'ovpn con stat'}, 1, '');
3113 &Header::openbigbox('100%', 'LEFT', '', '');
3114 &Header::openbox('100%', 'LEFT', $Lang::tr{'ovpn con stat'});
3115
3116#
3117# <td><b>$Lang::tr{'protocol'}</b></td>
66c36198 3118# protocol temp removed
4c962356 3119 print <<END;
99bfa85c 3120 <table width='100%' cellpadding='2' cellspacing='0' class='tbl'>
6e13d0a5 3121 <tr>
99bfa85c
AM		 3122 <th><b>$Lang::tr{'common name'}</b></th>
3123 <th><b>$Lang::tr{'real address'}</b></th>
d8ef6a95 3124 <th><b>$Lang::tr{'country'}</b></th>
99bfa85c
AM		 3125 <th><b>$Lang::tr{'virtual address'}</b></th>
3126 <th><b>$Lang::tr{'loged in at'}</b></th>
3127 <th><b>$Lang::tr{'bytes sent'}</b></th>
3128 <th><b>$Lang::tr{'bytes received'}</b></th>
3129 <th><b>$Lang::tr{'last activity'}</b></th>
6e13d0a5
MT		 3130 </tr>
3131END
3132;
87fe47e9 3133 my $filename = "/var/run/ovpnserver.log";
6e13d0a5
MT		 3134 open(FILE, $filename) or die 'Unable to open config file.';
3135 my @current = <FILE>;
3136 close(FILE);
3137 my @users =();
3138 my $status;
3139 my $uid = 0;
3140 my $cn;
3141 my @match = ();
3142 my $proto = "udp";
3143 my $address;
3144 my %userlookup = ();
3145 foreach my $line (@current)
3146 {
3147 chomp($line);
3148 if ( $line =~ /^Updated,(.+)/){
66c36198 3149 @match = split( /^Updated,(.+)/, $line);
6e13d0a5
MT		 3150 $status = $match[1];
3151 }
66c36198 3152#gian
6e13d0a5
MT		 3153 if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) {
3154 @match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line);
3155 if ($match[1] ne "Common Name") {
3156 $cn = $match[1];
3157 $userlookup{$match[2]} = $uid;
3158 $users[$uid]{'CommonName'} = $match[1];
3159 $users[$uid]{'RealAddress'} = $match[2];
c6c9630e
MT		 3160 $users[$uid]{'BytesReceived'} = &sizeformat($match[3]);
3161 $users[$uid]{'BytesSent'} = &sizeformat($match[4]);
6e13d0a5
MT		 3162 $users[$uid]{'Since'} = $match[5];
3163 $users[$uid]{'Proto'} = $proto;
d8ef6a95
PM		 3164
3165 # get country code for "RealAddress"...
07e42be9 3166 my $ccode = &Location::Functions::lookup_country_code((split ':', $users[$uid]{'RealAddress'})[0]);
e2e270e1 3167 my $flag_icon = &Location::Functions::get_flag_icon($ccode);
d8ef6a95 3168 $users[$uid]{'Country'} = "<a href='country.cgi#$ccode'><img src='$flag_icon' border='0' align='absmiddle' alt='$ccode' title='$ccode' /></a>";
6e13d0a5 3169 $uid++;
66c36198 3170 }
6e13d0a5
MT		 3171 }
3172 if ( $line =~ /^(\d+\.\d+\.\d+\.\d+),(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(.+)/) {
3173 @match = split(m/^(\d+\.\d+\.\d+\.\d+),(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(.+)/, $line);
3174 if ($match[1] ne "Virtual Address") {
3175 $address = $match[3];
3176 #find the uid in the lookup table
3177 $uid = $userlookup{$address};
3178 $users[$uid]{'VirtualAddress'} = $match[1];
3179 $users[$uid]{'LastRef'} = $match[4];
3180 }
3181 }
3182 }
3183 my $user2 = @users;
3184 if ($user2 >= 1){
99bfa85c 3185 for (my $idx = 1; $idx <= $user2; $idx++){
6e13d0a5 3186 if ($idx % 2) {
99bfa85c
AM		 3187 print "<tr>";
3188 $col="bgcolor='$color{'color22'}'";
3189 } else {
3190 print "<tr>";
3191 $col="bgcolor='$color{'color20'}'";
6e13d0a5 3192 }
99bfa85c
AM		 3193 print "<td align='left' $col>$users[$idx-1]{'CommonName'}</td>";
3194 print "<td align='left' $col>$users[$idx-1]{'RealAddress'}</td>";
d8ef6a95
PM		 3195 print "<td align='center' $col>$users[$idx-1]{'Country'}</td>";
3196 print "<td align='center' $col>$users[$idx-1]{'VirtualAddress'}</td>";
99bfa85c
AM		 3197 print "<td align='left' $col>$users[$idx-1]{'Since'}</td>";
3198 print "<td align='left' $col>$users[$idx-1]{'BytesSent'}</td>";
3199 print "<td align='left' $col>$users[$idx-1]{'BytesReceived'}</td>";
3200 print "<td align='left' $col>$users[$idx-1]{'LastRef'}</td>";
3201 }
3202 }
66c36198 3203
6e13d0a5 3204 print "</table>";
49abe7af 3205 print <<END;
6e13d0a5
MT		 3206 <table width='100%' border='0' cellpadding='2' cellspacing='0'>
3207 <tr><td></td></tr>
3208 <tr><td></td></tr>
3209 <tr><td></td></tr>
3210 <tr><td></td></tr>
3211 <tr><td align='center' >$Lang::tr{'the statistics were last updated at'} <b>$status</b></td></tr>
3212 </table>
3213END
66c36198 3214;
6e13d0a5
MT		 3215 &Header::closebox();
3216 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
3217 &Header::closebigbox();
3218 &Header::closepage();
3219 exit(0);
3220
3221###
3222### Download Certificate
3223###
3224} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download certificate'}) {
3225 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
c6c9630e 3226
6e13d0a5 3227 if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
c6c9630e
MT		 3228 print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\r\n";
3229 print "Content-Type: application/octet-stream\r\n\r\n";
2feacd98
SS		 3230
3231 open(FILE, "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
3232 my @tmp = <FILE>;
3233 close(FILE);
3234
f158e71e 3235 print @tmp;
c6c9630e
MT		 3236 exit (0);
3237 }
3238
3239###
3240### Enable/Disable connection
3241###
ce9abb66 3242
c6c9630e 3243} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {
66c36198 3244
c6c9630e
MT		 3245 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
3246 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3247
3248 if ($confighash{$cgiparams{'KEY'}}) {
ce9abb66 3249 if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') {
c6c9630e
MT		 3250 $confighash{$cgiparams{'KEY'}}[0] = 'on';
3251 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3252 #&writeserverconf();
3253# if ($vpnsettings{'ENABLED'} eq 'on' ||
3254# $vpnsettings{'ENABLED_BLUE'} eq 'on') {
3255# system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
3256# }
3257 } else {
3258 $confighash{$cgiparams{'KEY'}}[0] = 'off';
3259# if ($vpnsettings{'ENABLED'} eq 'on' ||
3260# $vpnsettings{'ENABLED_BLUE'} eq 'on') {
3261# system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});
3262# }
3263 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3264 #&writeserverconf();
3265 }
3266 } else {
3267 $errormessage = $Lang::tr{'invalid key'};
6e13d0a5
MT		 3268 }
3269
3270###
3271### Restart connection
3272###
3273} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'restart'}) {
3274 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
3275 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3276
3277 if ($confighash{$cgiparams{'KEY'}}) {
c6c9630e
MT		 3278# if ($vpnsettings{'ENABLED'} eq 'on' ||
3279# $vpnsettings{'ENABLED_BLUE'} eq 'on') {
3280# system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
3281# }
6e13d0a5 3282 } else {
c6c9630e 3283 $errormessage = $Lang::tr{'invalid key'};
6e13d0a5
MT		 3284 }
3285
ce9abb66 3286###
7c1d9faf 3287# m.a.d net2net
ce9abb66
AH		 3288###
3289
3290} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'add'} && $cgiparams{'TYPE'} eq '') {
3291 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
3292 &Header::showhttpheaders();
4c962356 3293 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
ce9abb66
AH		 3294 &Header::openbigbox('100%', 'LEFT', '', '');
3295 &Header::openbox('100%', 'LEFT', $Lang::tr{'connection type'});
b278daf3
AH		 3296
3297if ( -s "${General::swroot}/ovpn/settings") {
3298
49abe7af 3299 print <<END;
ce9abb66 3300 <b>$Lang::tr{'connection type'}:</b><br />
8c877a82 3301 <table border='0' width='100%'><form method='post' ENCTYPE="multipart/form-data">
ce9abb66
AH		 3302 <tr><td><input type='radio' name='TYPE' value='host' checked /></td>
3303 <td class='base'>$Lang::tr{'host to net vpn'}</td></tr>
3304 <tr><td><input type='radio' name='TYPE' value='net' /></td>
3305 <td class='base'>$Lang::tr{'net to net vpn'}</td></tr>
66c36198 3306 <tr><td><input type='radio' name='TYPE' value='net2net' /></td>
ce9abb66
AH		 3307 <td class='base'>$Lang::tr{'net to net vpn'} (Upload Client Package)</td></tr>
3308 <tr><td>&nbsp;</td><td class='base'><input type='file' name='FH' size='30'></td></tr>
e3edceeb 3309 <tr><td>&nbsp;</td><td>Import Connection Name</td></tr>
040b8b0c 3310 <tr><td>&nbsp;</td><td class='base'><input type='text' name='n2nname' size='30'>$Lang::tr{'openvpn default'}: Client Packagename</td></tr>
54fd0535 3311 <tr><td colspan='3'><hr /></td></tr>
8c877a82 3312 <tr><td align='right' colspan='3'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td></tr>
ce9abb66
AH		 3313 </form></table>
3314END
3315 ;
66c36198 3316
ce9abb66 3317
b278daf3 3318} else {
49abe7af 3319 print <<END;
b278daf3 3320 <b>$Lang::tr{'connection type'}:</b><br />
8c877a82 3321 <table border='0' width='100%'><form method='post' ENCTYPE="multipart/form-data">
b278daf3 3322 <tr><td><input type='radio' name='TYPE' value='host' checked /></td> <td class='base'>$Lang::tr{'host to net vpn'}</td></tr>
8c877a82 3323 <tr><td align='right' colspan'3'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td></tr>
b278daf3
AH		 3324 </form></table>
3325END
3326 ;
3327
3328}
3329
ce9abb66 3330 &Header::closebox();
4c962356 3331 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
ce9abb66
AH		 3332 &Header::closebigbox();
3333 &Header::closepage();
3334 exit (0);
3335
3336###
7c1d9faf 3337# m.a.d net2net
ce9abb66
AH		 3338###
3339
3340} elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) && ($cgiparams{'TYPE'} eq 'net2net')){
3341
3342 my @firen2nconf;
3343 my @confdetails;
3344 my $uplconffilename ='';
54fd0535 3345 my $uplconffilename2 ='';
ce9abb66 3346 my $uplp12name = '';
54fd0535 3347 my $uplp12name2 = '';
ce9abb66
AH		 3348 my @rem_subnet;
3349 my @rem_subnet2;
66c36198 3350 my @tmposupnet3;
ce9abb66 3351 my $key;
54fd0535 3352 my @n2nname;
ce9abb66 3353
66c36198 3354 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
ce9abb66 3355
2ad1b18b
MT		 3356 # Check if a file is uploaded
3357 unless (ref ($cgiparams{'FH'})) {
ce9abb66
AH		 3358 $errormessage = $Lang::tr{'there was no file upload'};
3359 goto N2N_ERROR;
3360 }
3361
3362# Move uploaded IPfire n2n package to temporary file
3363
3364 (my $fh, my $filename) = tempfile( );
3365 if (copy ($cgiparams{'FH'}, $fh) != 1) {
3366 $errormessage = $!;
3367 goto N2N_ERROR;
3368 }
3369
3370 my $zip = Archive::Zip->new();
3371 my $zipName = $filename;
3372 my $status = $zip->read( $zipName );
66c36198 3373 if ($status != AZ_OK) {
ce9abb66
AH		 3374 $errormessage = "Read of $zipName failed\n";
3375 goto N2N_ERROR;
3376 }
3377
3378 my $tempdir = tempdir( CLEANUP => 1 );
3379 my @files = $zip->memberNames();
3380 for(@files) {
3381 $zip->extractMemberWithoutPaths($_,"$tempdir/$_");
3382 }
3383 my $countfiles = @files;
3384
3385# Check if we have not more then 2 files
3386
3387 if ( $countfiles == 2){
3388 foreach (@files){
3389 if ( $_ =~ /.conf$/){
3390 $uplconffilename = $_;
3391 }
3392 if ( $_ =~ /.p12$/){
3393 $uplp12name = $_;
66c36198 3394 }
ce9abb66
AH		 3395 }
3396 if (($uplconffilename eq '') || ($uplp12name eq '')){
3397 $errormessage = "Either no *.conf or no *.p12 file found\n";
3398 goto N2N_ERROR;
3399 }
3400
3401 open(FILE, "$tempdir/$uplconffilename") or die 'Unable to open*.conf file';
3402 @firen2nconf = <FILE>;
3403 close (FILE);
3404 chomp(@firen2nconf);
ce9abb66
AH		 3405 } else {
3406
3407 $errormessage = "Filecount does not match only 2 files are allowed\n";
3408 goto N2N_ERROR;
3409 }
3410
7c1d9faf
AH		 3411###
3412# m.a.d net2net
ce9abb66 3413###
66c36198 3414
54fd0535
MT		 3415 if ($cgiparams{'n2nname'} ne ''){
3416
66c36198
PM		 3417 $uplconffilename2 = "$cgiparams{'n2nname'}.conf";
3418 $uplp12name2 = "$cgiparams{'n2nname'}.p12";
54fd0535
MT		 3419 $n2nname[0] = $cgiparams{'n2nname'};
3420 my @n2nname2 = split(/\./,$uplconffilename);
3421 $n2nname2[0] =~ s/\n|\r//g;
3422 my $input1 = "${General::swroot}/ovpn/certs/$uplp12name";
3423 my $output1 = "${General::swroot}/ovpn/certs/$uplp12name2";
3424 my $input2 = "$n2nname2[0]n2n";
3425 my $output2 = "$n2nname[0]n2n";
3426 my $filename = "$tempdir/$uplconffilename";
3427 open(FILE, "< $filename") or die 'Unable to open config file.';
3428 my @current = <FILE>;
3429 close(FILE);
3430 foreach (@current) {s/$input1/$output1/g;}
3431 foreach (@current) {s/$input2/$output2/g;}
3432 open (OUT, "> $filename") || die 'Unable to open config file.';
3433 print OUT @current;
3434 close OUT;
ce9abb66 3435
54fd0535
MT		 3436 }else{
3437 $uplconffilename2 = $uplconffilename;
3438 $uplp12name2 = $uplp12name;
3439 @n2nname = split(/\./,$uplconffilename);
ce9abb66 3440 $n2nname[0] =~ s/\n|\r//g;
66c36198 3441 }
7c1d9faf 3442 unless(-d "${General::swroot}/ovpn/n2nconf/"){mkdir "${General::swroot}/ovpn/n2nconf", 0755 or die "Unable to create dir $!";}
66c36198 3443 unless(-d "${General::swroot}/ovpn/n2nconf/$n2nname[0]"){mkdir "${General::swroot}/ovpn/n2nconf/$n2nname[0]", 0770 or die "Unable to create dir $!";}
ce9abb66 3444
7dfcaef0
AM		 3445 #Add collectd settings to configfile
3446 open(FILE, ">> $tempdir/$uplconffilename") or die 'Unable to open config file.';
3447 print FILE "# Logfile\n";
3448 print FILE "status-version 1\n";
3449 print FILE "status /var/run/openvpn/$n2nname[0]-n2n 10\n";
3450 close FILE;
3451
cc79d281 3452 unless(move("$tempdir/$uplconffilename", "${General::swroot}/ovpn/n2nconf/$n2nname[0]/$uplconffilename2")) {
ce9abb66
AH		 3453 $errormessage = "*.conf move failed: $!";
3454 unlink ($filename);
3455 goto N2N_ERROR;
3456 }
66c36198 3457
cc79d281 3458 unless(move("$tempdir/$uplp12name", "${General::swroot}/ovpn/certs/$uplp12name2")) {
ce9abb66
AH		 3459 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
3460 unlink ($filename);
3461 goto N2N_ERROR;
cc79d281
SS		 3462 }
3463
3464 chmod 0600, "${General::swroot}/ovpn/certs/$uplp12name";
66c36198 3465
ce9abb66 3466my $complzoactive;
d96c89eb 3467my $mssfixactive;
4c962356 3468my $authactive;
d96c89eb 3469my $n2nfragment;
60f396d7 3470my @n2nproto2 = split(/ /, (grep { /^proto/ } @firen2nconf)[0]);
54fd0535 3471my @n2nproto = split(/-/, $n2nproto2[1]);
ce9abb66
AH		 3472my @n2nport = split(/ /, (grep { /^port/ } @firen2nconf)[0]);
3473my @n2ntunmtu = split(/ /, (grep { /^tun-mtu/ } @firen2nconf)[0]);
3474my @n2ncomplzo = grep { /^comp-lzo/ } @firen2nconf;
66c36198 3475if ($n2ncomplzo[0] =~ /comp-lzo/){$complzoactive = "on";} else {$complzoactive = "off";}
d96c89eb
AH		 3476my @n2nmssfix = grep { /^mssfix/ } @firen2nconf;
3477if ($n2nmssfix[0] =~ /mssfix/){$mssfixactive = "on";} else {$mssfixactive = "off";}
54fd0535 3478#my @n2nmssfix = split(/ /, (grep { /^mssfix/ } @firen2nconf)[0]);
d96c89eb 3479my @n2nfragment = split(/ /, (grep { /^fragment/ } @firen2nconf)[0]);
ce9abb66
AH		 3480my @n2nremote = split(/ /, (grep { /^remote/ } @firen2nconf)[0]);
3481my @n2novpnsuball = split(/ /, (grep { /^ifconfig/ } @firen2nconf)[0]);
3482my @n2novpnsub = split(/\./,$n2novpnsuball[1]);
3483my @n2nremsub = split(/ /, (grep { /^route/ } @firen2nconf)[0]);
54fd0535 3484my @n2nmgmt = split(/ /, (grep { /^management/ } @firen2nconf)[0]);
ce9abb66 3485my @n2nlocalsub = split(/ /, (grep { /^# remsub/ } @firen2nconf)[0]);
4c962356 3486my @n2ncipher = split(/ /, (grep { /^cipher/ } @firen2nconf)[0]);
f527e53f 3487my @n2nauth = split(/ /, (grep { /^auth/ } @firen2nconf)[0]);;
60f396d7 3488
ce9abb66
AH		 3489###
3490# m.a.d delete CR and LF from arrays for this chomp doesnt work
3491###
3492
ce9abb66 3493$n2nremote[1] =~ s/\n|\r//g;
ce9abb66
AH		 3494$n2novpnsub[0] =~ s/\n|\r//g;
3495$n2novpnsub[1] =~ s/\n|\r//g;
3496$n2novpnsub[2] =~ s/\n|\r//g;
60f396d7 3497$n2nproto[0] =~ s/\n|\r//g;
ce9abb66
AH		 3498$n2nport[1] =~ s/\n|\r//g;
3499$n2ntunmtu[1] =~ s/\n|\r//g;
3500$n2nremsub[1] =~ s/\n|\r//g;
b278daf3 3501$n2nremsub[2] =~ s/\n|\r//g;
ce9abb66 3502$n2nlocalsub[2] =~ s/\n|\r//g;
d96c89eb 3503$n2nfragment[1] =~ s/\n|\r//g;
54fd0535 3504$n2nmgmt[2] =~ s/\n|\r//g;
4c962356
EK		 3505$n2ncipher[1] =~ s/\n|\r//g;
3506$n2nauth[1] =~ s/\n|\r//g;
ce9abb66 3507chomp ($complzoactive);
d96c89eb 3508chomp ($mssfixactive);
ce9abb66
AH		 3509
3510###
7c1d9faf 3511# m.a.d net2net
ce9abb66
AH		 3512###
3513
3514###
3515# Check if there is no other entry with this name
3516###
3517
3518 foreach my $dkey (keys %confighash) {
3519 if ($confighash{$dkey}[1] eq $n2nname[0]) {
3520 $errormessage = $Lang::tr{'a connection with this name already exists'};
b278daf3
AH		 3521 unlink ("${General::swroot}/ovpn/n2nconf/$n2nname[0]/$n2nname[0].conf") or die "Removing Configfile fail: $!";
3522 unlink ("${General::swroot}/ovpn/certs/$n2nname[0].p12") or die "Removing Certfile fail: $!";
3523 rmdir ("${General::swroot}/ovpn/n2nconf/$n2nname[0]") || die "Removing Directory fail: $!";
66c36198 3524 goto N2N_ERROR;
ce9abb66
AH		 3525 }
3526 }
3527
d96c89eb
AH		 3528###
3529# Check if OpenVPN Subnet is valid
3530###
3531
3532foreach my $dkey (keys %confighash) {
3533 if ($confighash{$dkey}[27] eq "$n2novpnsub[0].$n2novpnsub[1].$n2novpnsub[2].0/255.255.255.0") {
3534 $errormessage = 'The OpenVPN Subnet is already in use';
b278daf3
AH		 3535 unlink ("${General::swroot}/ovpn/n2nconf/$n2nname[0]/$n2nname[0].conf") or die "Removing Configfile fail: $!";
3536 unlink ("${General::swroot}/ovpn/certs/$n2nname[0].p12") or die "Removing Certfile fail: $!";
3537 rmdir ("${General::swroot}/ovpn/n2nconf/$n2nname[0]") || die "Removing Directory fail: $!";
66c36198 3538 goto N2N_ERROR;
d96c89eb
AH		 3539 }
3540 }
3541
3542###
4c962356 3543# Check if Dest Port is vaild
d96c89eb
AH		 3544###
3545
3546foreach my $dkey (keys %confighash) {
3547 if ($confighash{$dkey}[29] eq $n2nport[1] ) {
3548 $errormessage = 'The OpenVPN Port is already in use';
b278daf3
AH		 3549 unlink ("${General::swroot}/ovpn/n2nconf/$n2nname[0]/$n2nname[0].conf") or die "Removing Configfile fail: $!";
3550 unlink ("${General::swroot}/ovpn/certs/$n2nname[0].p12") or die "Removing Certfile fail: $!";
3551 rmdir ("${General::swroot}/ovpn/n2nconf/$n2nname[0]") || die "Removing Directory fail: $!";
66c36198 3552 goto N2N_ERROR;
d96c89eb
AH		 3553 }
3554 }
66c36198
PM		 3555
3556
3557
ce9abb66
AH		 3558 $key = &General::findhasharraykey (\%confighash);
3559
49abe7af 3560 foreach my $i (0 .. 42) { $confighash{$key}[$i] = "";}
350f2980 3561
ce9abb66
AH		 3562 $confighash{$key}[0] = 'off';
3563 $confighash{$key}[1] = $n2nname[0];
66c36198 3564 $confighash{$key}[2] = $n2nname[0];
ce9abb66 3565 $confighash{$key}[3] = 'net';
66c36198
PM		 3566 $confighash{$key}[4] = 'cert';
3567 $confighash{$key}[6] = 'client';
ce9abb66 3568 $confighash{$key}[8] = $n2nlocalsub[2];
350f2980 3569 $confighash{$key}[10] = $n2nremote[1];
66c36198 3570 $confighash{$key}[11] = "$n2nremsub[1]/$n2nremsub[2]";
54fd0535 3571 $confighash{$key}[22] = $n2nmgmt[2];
350f2980 3572 $confighash{$key}[23] = $mssfixactive;
d96c89eb 3573 $confighash{$key}[24] = $n2nfragment[1];
350f2980 3574 $confighash{$key}[25] = 'IPFire n2n Client';
ce9abb66 3575 $confighash{$key}[26] = 'red';
350f2980
SS		 3576 $confighash{$key}[27] = "$n2novpnsub[0].$n2novpnsub[1].$n2novpnsub[2].0/255.255.255.0";
3577 $confighash{$key}[28] = $n2nproto[0];
3578 $confighash{$key}[29] = $n2nport[1];
3579 $confighash{$key}[30] = $complzoactive;
3580 $confighash{$key}[31] = $n2ntunmtu[1];
4c962356
EK		 3581 $confighash{$key}[39] = $n2nauth[1];
3582 $confighash{$key}[40] = $n2ncipher[1];
49abe7af 3583 $confighash{$key}[41] = 'disabled';
ce9abb66
AH		 3584
3585 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
66c36198 3586
ce9abb66 3587 N2N_ERROR:
66c36198 3588
ce9abb66
AH		 3589 &Header::showhttpheaders();
3590 &Header::openpage('Validate imported configuration', 1, '');
3591 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
3592 if ($errormessage) {
3593 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
3594 print "<class name='base'>$errormessage";
3595 print "&nbsp;</class>";
66c36198 3596 &Header::closebox();
ce9abb66 3597
66c36198
PM		 3598 } else
3599 {
ce9abb66
AH		 3600 &Header::openbox('100%', 'LEFT', 'import ipfire net2net config');
3601 }
3602 if ($errormessage eq ''){
49abe7af 3603 print <<END;
ce9abb66
AH		 3604 <!-- ipfire net2net config gui -->
3605 <table width='100%'>
3606 <tr><td width='25%'>&nbsp;</td><td width='25%'>&nbsp;</td></tr>
3607 <tr><td class='boldbase'>$Lang::tr{'name'}:</td><td><b>$n2nname[0]</b></td></tr>
66c36198
PM		 3608 <tr><td>&nbsp;</td><td>&nbsp;</td></tr>
3609 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'Act as'}</td><td><b>$confighash{$key}[6]</b></td></tr>
ce9abb66
AH		 3610 <tr><td class='boldbase' nowrap='nowrap'>Remote Host </td><td><b>$confighash{$key}[10]</b></td></tr>
3611 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'local subnet'}</td><td><b>$confighash{$key}[8]</b></td></tr>
4c962356 3612 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'remote subnet'}:</td><td><b>$confighash{$key}[11]</b></td></tr>
ce9abb66
AH		 3613 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn subnet'}</td><td><b>$confighash{$key}[27]</b></td></tr>
3614 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'protocol'}</td><td><b>$confighash{$key}[28]</b></td></tr>
3615 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'destination port'}:</td><td><b>$confighash{$key}[29]</b></td></tr>
3616 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'}</td><td><b>$confighash{$key}[30]</b></td></tr>
4c962356
EK		 3617 <tr><td class='boldbase' nowrap='nowrap'>MSSFIX:</td><td><b>$confighash{$key}[23]</b></td></tr>
3618 <tr><td class='boldbase' nowrap='nowrap'>Fragment:</td><td><b>$confighash{$key}[24]</b></td></tr>
ce9abb66 3619 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'MTU'}</td><td><b>$confighash{$key}[31]</b></td></tr>
54fd0535 3620 <tr><td class='boldbase' nowrap='nowrap'>Management Port </td><td><b>$confighash{$key}[22]</b></td></tr>
0c4ffc69 3621 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn tls auth'}:</td><td><b>$confighash{$key}[39]</b></td></tr>
4c962356 3622 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td><td><b>$confighash{$key}[40]</b></td></tr>
66c36198 3623 <tr><td>&nbsp;</td><td>&nbsp;</td></tr>
ce9abb66
AH		 3624 </table>
3625END
66c36198 3626;
ce9abb66
AH		 3627 &Header::closebox();
3628 }
3629
3630 if ($errormessage) {
3631 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
66c36198
PM		 3632 } else {
3633 print "<div align='center'><form method='post' ENCTYPE='multipart/form-data'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' />";
ce9abb66 3634 print "<input type='hidden' name='TYPE' value='net2netakn' />";
66c36198 3635 print "<input type='hidden' name='KEY' value='$key' />";
ce9abb66 3636 print "<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></div></form>";
66c36198 3637 }
ce9abb66
AH		 3638 &Header::closebigbox();
3639 &Header::closepage();
4c962356 3640 exit(0);
ce9abb66
AH		 3641
3642
3643##
3644### Accept IPFire n2n Package Settings
3645###
3646
3647 } elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) && ($cgiparams{'TYPE'} eq 'net2netakn')){
3648
3649###
3650### Discard and Rollback IPFire n2n Package Settings
3651###
3652
3653 } elsif (($cgiparams{'ACTION'} eq $Lang::tr{'cancel'}) && ($cgiparams{'TYPE'} eq 'net2netakn')){
66c36198 3654
ce9abb66
AH		 3655 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3656
3657if ($confighash{$cgiparams{'KEY'}}) {
3658
3659 my $conffile = glob("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]/$confighash{$cgiparams{'KEY'}}[1].conf");
3660 my $certfile = glob("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
3661 unlink ($certfile) or die "Removing $certfile fail: $!";
3662 unlink ($conffile) or die "Removing $conffile fail: $!";
3663 rmdir ("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") || die "Kann Verzeichnis nicht loeschen: $!";
3664 delete $confighash{$cgiparams{'KEY'}};
66c36198 3665 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
ce9abb66
AH		 3666
3667 } else {
3668 $errormessage = $Lang::tr{'invalid key'};
66c36198
PM		 3669 }
3670
ce9abb66
AH		 3671
3672###
7c1d9faf 3673# m.a.d net2net
ce9abb66
AH		 3674###
3675
3676
3677###
3678### Adding a new connection
3679###
6e13d0a5
MT		 3680} elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) ||
3681 ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) ||
3682 ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq '')) {
66c36198 3683
6e13d0a5
MT		 3684 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
3685 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
3686 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3687
3688 if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) {
8c877a82
AM		 3689 if (! $confighash{$cgiparams{'KEY'}}[0]) {
3690 $errormessage = $Lang::tr{'invalid key'};
3691 goto VPNCONF_END;
3692 }
4c962356
EK		 3693 $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0];
3694 $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1];
3695 $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3];
3696 $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4];
3697 $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5];
3698 $cgiparams{'SIDE'} = $confighash{$cgiparams{'KEY'}}[6];
3699 $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8];
3700 $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10];
8c877a82 3701 $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11];
4c962356
EK		 3702 $cgiparams{'OVPN_MGMT'} = $confighash{$cgiparams{'KEY'}}[22];
3703 $cgiparams{'MSSFIX'} = $confighash{$cgiparams{'KEY'}}[23];
3704 $cgiparams{'FRAGMENT'} = $confighash{$cgiparams{'KEY'}}[24];
3705 $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25];
3706 $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26];
3707 $cgiparams{'OVPN_SUBNET'} = $confighash{$cgiparams{'KEY'}}[27];
3708 $cgiparams{'PROTOCOL'} = $confighash{$cgiparams{'KEY'}}[28];
3709 $cgiparams{'DEST_PORT'} = $confighash{$cgiparams{'KEY'}}[29];
3710 $cgiparams{'COMPLZO'} = $confighash{$cgiparams{'KEY'}}[30];
3711 $cgiparams{'MTU'} = $confighash{$cgiparams{'KEY'}}[31];
3712 $cgiparams{'CHECK1'} = $confighash{$cgiparams{'KEY'}}[32];
df9b48b7 3713 $name=$cgiparams{'CHECK1'} ;
4c962356
EK		 3714 $cgiparams{$name} = $confighash{$cgiparams{'KEY'}}[33];
3715 $cgiparams{'RG'} = $confighash{$cgiparams{'KEY'}}[34];
3716 $cgiparams{'CCD_DNS1'} = $confighash{$cgiparams{'KEY'}}[35];
3717 $cgiparams{'CCD_DNS2'} = $confighash{$cgiparams{'KEY'}}[36];
3718 $cgiparams{'CCD_WINS'} = $confighash{$cgiparams{'KEY'}}[37];
4c962356
EK		 3719 $cgiparams{'DAUTH'} = $confighash{$cgiparams{'KEY'}}[39];
3720 $cgiparams{'DCIPHER'} = $confighash{$cgiparams{'KEY'}}[40];
49abe7af 3721 $cgiparams{'TLSAUTH'} = $confighash{$cgiparams{'KEY'}}[41];
e1e10515 3722 $cgiparams{'OTP_STATE'} = $confighash{$cgiparams{'KEY'}}[43];
8c877a82 3723 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
c6c9630e 3724 $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
66c36198 3725
8c877a82 3726#A.Marx CCD check iroute field and convert it to decimal
52d08bcb 3727if ($cgiparams{'TYPE'} eq 'host') {
8c877a82
AM		 3728 my @temp=();
3729 my %ccdroutehash=();
3730 my $keypoint=0;
5068ac38
AM		 3731 my $ip;
3732 my $cidr;
8c877a82
AM		 3733 if ($cgiparams{'IR'} ne ''){
3734 @temp = split("\n",$cgiparams{'IR'});
3735 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
3736 #find key to use
3737 foreach my $key (keys %ccdroutehash) {
3738 if ($ccdroutehash{$key}[0] eq $cgiparams{'NAME'}) {
3739 $keypoint=$key;
3740 delete $ccdroutehash{$key};
3741 }else{
3742 $keypoint = &General::findhasharraykey (\%ccdroutehash);
3743 }
3744 }
3745 $ccdroutehash{$keypoint}[0]=$cgiparams{'NAME'};
3746 my $i=1;
3747 my $val=0;
3748 foreach $val (@temp){
3749 chomp($val);
66c36198 3750 $val=~s/\s*$//g;
5068ac38 3751 #check if iroute exists in ccdroute or if new iroute is part of an existing one
8c877a82
AM		 3752 foreach my $key (keys %ccdroutehash) {
3753 foreach my $oldiroute ( 1 .. $#{$ccdroutehash{$key}}){
5068ac38
AM		 3754 if ($ccdroutehash{$key}[$oldiroute] eq "$val") {
3755 $errormessage=$errormessage.$Lang::tr{'ccd err irouteexist'};
3756 goto VPNCONF_ERROR;
3757 }
3758 my ($ip1,$cidr1) = split (/\//, $val);
82c809c7 3759 $ip1 = &General::getnetworkip($ip1,&General::iporsubtocidr($cidr1));
5068ac38
AM		 3760 my ($ip2,$cidr2) = split (/\//, $ccdroutehash{$key}[$oldiroute]);
3761 if (&General::IpInSubnet ($ip1,$ip2,$cidr2)){
3762 $errormessage=$errormessage.$Lang::tr{'ccd err irouteexist'};
3763 goto VPNCONF_ERROR;
66c36198
PM		 3764 }
3765
8c877a82
AM		 3766 }
3767 }
5068ac38
AM		 3768 if (!&General::validipandmask($val)){
3769 $errormessage=$errormessage."Route ".$Lang::tr{'ccd invalid'}." ($val)";
3770 goto VPNCONF_ERROR;
3771 }else{
3772 ($ip,$cidr) = split(/\//,$val);
3773 $ip=&General::getnetworkip($ip,&General::iporsubtocidr($cidr));
3774 $cidr=&General::iporsubtodec($cidr);
3775 $ccdroutehash{$keypoint}[$i] = $ip."/".$cidr;
66c36198 3776
5068ac38 3777 }
66c36198 3778
8c877a82 3779 #check for existing network IP's
52d08bcb
AM		 3780 if (&General::IpInSubnet ($ip,$netsettings{GREEN_NETADDRESS},$netsettings{GREEN_NETMASK}) && $netsettings{GREEN_NETADDRESS} ne '0.0.0.0')
3781 {
3782 $errormessage=$Lang::tr{'ccd err green'};
3783 goto VPNCONF_ERROR;
3784 }elsif(&General::IpInSubnet ($ip,$netsettings{RED_NETADDRESS},$netsettings{RED_NETMASK}) && $netsettings{RED_NETADDRESS} ne '0.0.0.0')
3785 {
3786 $errormessage=$Lang::tr{'ccd err red'};
3787 goto VPNCONF_ERROR;
3788 }elsif(&General::IpInSubnet ($ip,$netsettings{BLUE_NETADDRESS},$netsettings{BLUE_NETMASK}) && $netsettings{BLUE_NETADDRESS} ne '0.0.0.0' && $netsettings{BLUE_NETADDRESS} gt '')
3789 {
3790 $errormessage=$Lang::tr{'ccd err blue'};
3791 goto VPNCONF_ERROR;
3792 }elsif(&General::IpInSubnet ($ip,$netsettings{ORANGE_NETADDRESS},$netsettings{ORANGE_NETMASK}) && $netsettings{ORANGE_NETADDRESS} ne '0.0.0.0' && $netsettings{ORANGE_NETADDRESS} gt '' )
3793 {
3794 $errormessage=$Lang::tr{'ccd err orange'};
8c877a82
AM		 3795 goto VPNCONF_ERROR;
3796 }
66c36198 3797
8c877a82
AM		 3798 if (&General::validipandmask($val)){
3799 $ccdroutehash{$keypoint}[$i] = $ip."/".$cidr;
3800 }else{
3801 $errormessage=$errormessage."Route ".$Lang::tr{'ccd invalid'}." ($ip/$cidr)";
3802 goto VPNCONF_ERROR;
3803 }
3804 $i++;
3805 }
3806 &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
3807 &writeserverconf;
3808 }else{
3809 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
3810 foreach my $key (keys %ccdroutehash) {
3811 if ($ccdroutehash{$key}[0] eq $cgiparams{'NAME'}) {
3812 delete $ccdroutehash{$key};
3813 &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
3814 &writeserverconf;
3815 }
66c36198 3816 }
8c877a82
AM		 3817 }
3818 undef @temp;
3819 #check route field and convert it to decimal
8c877a82
AM		 3820 my $val=0;
3821 my $i=1;
8c877a82 3822 &General::readhasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
52d08bcb
AM		 3823 #find key to use
3824 foreach my $key (keys %ccdroute2hash) {
3825 if ($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}) {
3826 $keypoint=$key;
3827 delete $ccdroute2hash{$key};
3828 }else{
3829 $keypoint = &General::findhasharraykey (\%ccdroute2hash);
3830 &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
3831 &writeserverconf;
8c877a82 3832 }
52d08bcb
AM		 3833 }
3834 $ccdroute2hash{$keypoint}[0]=$cgiparams{'NAME'};
3835 if ($cgiparams{'IFROUTE'} eq ''){$cgiparams{'IFROUTE'} = $Lang::tr{'ccd none'};}
3836 @temp = split(/\|/,$cgiparams{'IFROUTE'});
3837 my %ownnet=();
3838 &General::readhash("${General::swroot}/ethernet/settings", \%ownnet);
3839 foreach $val (@temp){
3840 chomp($val);
66c36198 3841 $val=~s/\s*$//g;
52d08bcb
AM		 3842 if ($val eq $Lang::tr{'green'})
3843 {
3844 $val=$ownnet{GREEN_NETADDRESS}."/".$ownnet{GREEN_NETMASK};
3845 }
3846 if ($val eq $Lang::tr{'blue'})
3847 {
3848 $val=$ownnet{BLUE_NETADDRESS}."/".$ownnet{BLUE_NETMASK};
3849 }
3850 if ($val eq $Lang::tr{'orange'})
3851 {
3852 $val=$ownnet{ORANGE_NETADDRESS}."/".$ownnet{ORANGE_NETMASK};
3853 }
3854 my ($ip,$cidr) = split (/\//, $val);
66c36198 3855
52d08bcb 3856 if ($val ne $Lang::tr{'ccd none'})
66c36198 3857 {
8c877a82
AM		 3858 if (! &check_routes_push($val)){$errormessage=$errormessage."Route $val ".$Lang::tr{'ccd err routeovpn2'}." ($val)";goto VPNCONF_ERROR;}
3859 if (! &check_ccdroute($val)){$errormessage=$errormessage."<br>Route $val ".$Lang::tr{'ccd err inuse'}." ($val)" ;goto VPNCONF_ERROR;}
3860 if (! &check_ccdconf($val)){$errormessage=$errormessage."<br>Route $val ".$Lang::tr{'ccd err routeovpn'}." ($val)";goto VPNCONF_ERROR;}
3861 if (&General::validipandmask($val)){
3862 $val=$ip."/".&General::iporsubtodec($cidr);
3863 $ccdroute2hash{$keypoint}[$i] = $val;
3864 }else{
3865 $errormessage=$errormessage."Route ".$Lang::tr{'ccd invalid'}." ($val)";
3866 goto VPNCONF_ERROR;
3867 }
52d08bcb
AM		 3868 }else{
3869 $ccdroute2hash{$keypoint}[$i]='';
3870 }
3871 $i++;
66c36198 3872 }
52d08bcb
AM		 3873 &General::writehasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
3874
8c877a82
AM		 3875 #check dns1 ip
3876 if ($cgiparams{'CCD_DNS1'} ne '' && ! &General::validip($cgiparams{'CCD_DNS1'})) {
3877 $errormessage=$errormessage."<br>".$Lang::tr{'invalid input for dhcp dns'}." 1";
3878 goto VPNCONF_ERROR;
3879 }
3880 #check dns2 ip
3881 if ($cgiparams{'CCD_DNS2'} ne '' && ! &General::validip($cgiparams{'CCD_DNS2'})) {
3882 $errormessage=$errormessage."<br>".$Lang::tr{'invalid input for dhcp dns'}." 2";
3883 goto VPNCONF_ERROR;
3884 }
3885 #check wins ip
3886 if ($cgiparams{'CCD_WINS'} ne '' && ! &General::validip($cgiparams{'CCD_WINS'})) {
3887 $errormessage=$errormessage."<br>".$Lang::tr{'invalid input for dhcp wins'};
3888 goto VPNCONF_ERROR;
3889 }
52d08bcb 3890}
8c877a82
AM		 3891
3892#CCD End
52d08bcb 3893
66c36198 3894
73735ad9
EK		 3895 if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
3896 $errormessage = $Lang::tr{'connection type is invalid'};
3897 if ($cgiparams{'TYPE'} eq 'net') {
3898 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3899 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3900 goto VPNCONF_ERROR;
3901 }
3902 goto VPNCONF_ERROR;
c6c9630e
MT		 3903 }
3904
c6c9630e 3905 if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) {
73735ad9
EK		 3906 $errormessage = $Lang::tr{'name must only contain characters'};
3907 if ($cgiparams{'TYPE'} eq 'net') {
3908 goto VPNCONF_ERROR;
3909 }
3910 goto VPNCONF_ERROR;
3911 }
c6c9630e
MT		 3912
3913 if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault)$/) {
73735ad9
EK		 3914 $errormessage = $Lang::tr{'name is invalid'};
3915 if ($cgiparams{'TYPE'} eq 'net') {
3916 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3917 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3918 goto VPNCONF_ERROR;
3919 }
3920 goto VPNCONF_ERROR;
c6c9630e
MT		 3921 }
3922
3923 if (length($cgiparams{'NAME'}) >60) {
73735ad9
EK		 3924 $errormessage = $Lang::tr{'name too long'};
3925 if ($cgiparams{'TYPE'} eq 'net') {
3926 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3927 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3928 goto VPNCONF_ERROR;
3929 }
3930 goto VPNCONF_ERROR;
c6c9630e
MT		 3931 }
3932
d96c89eb 3933###
7c1d9faf 3934# m.a.d net2net
d96c89eb
AH		 3935###
3936
7c1d9faf 3937if ($cgiparams{'TYPE'} eq 'net') {
ab4cf06c 3938 if ($cgiparams{'DEST_PORT'} eq $vpnsettings{'DDEST_PORT'}) {
cd0c0a0d 3939 $errormessage = $Lang::tr{'openvpn destination port used'};
b278daf3
AH		 3940 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3941 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
66c36198 3942 goto VPNCONF_ERROR;
d96c89eb 3943 }
ab4cf06c
AM		 3944 #Bugfix 10357
3945 foreach my $key (sort keys %confighash){
3946 if ( ($confighash{$key}[22] eq $cgiparams{'DEST_PORT'} && $cgiparams{'NAME'} ne $confighash{$key}[1]) || ($confighash{$key}[29] eq $cgiparams{'DEST_PORT'} && $cgiparams{'NAME'} ne $confighash{$key}[1])){
54fd0535
MT		 3947 $errormessage = $Lang::tr{'openvpn destination port used'};
3948 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3949 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
66c36198 3950 goto VPNCONF_ERROR;
ab4cf06c
AM		 3951 }
3952 }
3953 if ($cgiparams{'DEST_PORT'} eq '') {
3954 $errormessage = $Lang::tr{'invalid port'};
3955 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3956 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
66c36198 3957 goto VPNCONF_ERROR;
54fd0535 3958 }
d96c89eb 3959
f48074ba
SS		 3960 # Check if the input for the transfer net is valid.
3961 if (!&General::validipandmask($cgiparams{'OVPN_SUBNET'})){
3962 $errormessage = $Lang::tr{'ccd err invalidnet'};
3963 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3964 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3965 goto VPNCONF_ERROR;
3966 }
3967
d96c89eb 3968 if ($cgiparams{'OVPN_SUBNET'} eq $vpnsettings{'DOVPN_SUBNET'}) {
cd0c0a0d 3969 $errormessage = $Lang::tr{'openvpn subnet is used'};
b278daf3
AH		 3970 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3971 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
66c36198 3972 goto VPNCONF_ERROR;
d96c89eb
AH		 3973 }
3974
3975 if (($cgiparams{'PROTOCOL'} eq 'tcp') && ($cgiparams{'MSSFIX'} eq 'on')) {
cd0c0a0d 3976 $errormessage = $Lang::tr{'openvpn mssfix allowed with udp'};
b278daf3
AH		 3977 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3978 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
d96c89eb
AH		 3979 goto VPNCONF_ERROR;
3980 }
66c36198 3981
d96c89eb 3982 if (($cgiparams{'PROTOCOL'} eq 'tcp') && ($cgiparams{'FRAGMENT'} ne '')) {
cd0c0a0d 3983 $errormessage = $Lang::tr{'openvpn fragment allowed with udp'};
b278daf3
AH		 3984 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3985 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
d96c89eb
AH		 3986 goto VPNCONF_ERROR;
3987 }
d96c89eb 3988
7c1d9faf 3989 if ( &validdotmask ($cgiparams{'LOCAL_SUBNET'})) {
cd0c0a0d 3990 $errormessage = $Lang::tr{'openvpn prefix local subnet'};
b278daf3
AH		 3991 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3992 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3993 goto VPNCONF_ERROR;
66c36198
PM		 3994 }
3995
7c1d9faf 3996 if ( &validdotmask ($cgiparams{'OVPN_SUBNET'})) {
cd0c0a0d 3997 $errormessage = $Lang::tr{'openvpn prefix openvpn subnet'};
b278daf3
AH		 3998 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3999 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
4000 goto VPNCONF_ERROR;
66c36198
PM		 4001 }
4002
7c1d9faf 4003 if ( &validdotmask ($cgiparams{'REMOTE_SUBNET'})) {
cd0c0a0d 4004 $errormessage = $Lang::tr{'openvpn prefix remote subnet'};
b278daf3
AH		 4005 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
4006 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
4007 goto VPNCONF_ERROR;
8c252e6a 4008 }
66c36198 4009
8c252e6a
EK		 4010 if ($cgiparams{'DEST_PORT'} <= 1023) {
4011 $errormessage = $Lang::tr{'ovpn port in root range'};
4012 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
4013 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
4014 goto VPNCONF_ERROR;
4015 }
54fd0535 4016
4c962356 4017 if ($cgiparams{'OVPN_MGMT'} eq '') {
66c36198 4018 $cgiparams{'OVPN_MGMT'} = $cgiparams{'DEST_PORT'};
8c252e6a 4019 }
66c36198 4020
8c252e6a
EK		 4021 if ($cgiparams{'OVPN_MGMT'} <= 1023) {
4022 $errormessage = $Lang::tr{'ovpn mgmt in root range'};
4023 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
4024 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
4025 goto VPNCONF_ERROR;
b2e75449
MT		 4026 }
4027 #Check if remote subnet is used elsewhere
4028 my ($n2nip,$n2nsub)=split("/",$cgiparams{'REMOTE_SUBNET'});
4029 $warnmessage=&General::checksubnets('',$n2nip,'ovpn');
4030 if ($warnmessage){
4031 $warnmessage=$Lang::tr{'remote subnet'}." ($cgiparams{'REMOTE_SUBNET'}) <br>".$warnmessage;
4032 }
7c1d9faf 4033}
d96c89eb 4034
ce9abb66
AH		 4035# if (($cgiparams{'TYPE'} eq 'net') && ($cgiparams{'SIDE'} !~ /^(left|right)$/)) {
4036# $errormessage = $Lang::tr{'ipfire side is invalid'};
4037# goto VPNCONF_ERROR;
4038# }
4039
c6c9630e
MT		 4040 # Check if there is no other entry with this name
4041 if (! $cgiparams{'KEY'}) {
4042 foreach my $key (keys %confighash) {
4043 if ($confighash{$key}[1] eq $cgiparams{'NAME'}) {
4044 $errormessage = $Lang::tr{'a connection with this name already exists'};
b278daf3
AH		 4045 if ($cgiparams{'TYPE'} eq 'net') {
4046 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
4047 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
4048 }
c6c9630e 4049 goto VPNCONF_ERROR;
6e13d0a5 4050 }
c6c9630e
MT		 4051 }
4052 }
4053
c125d8a2 4054 # Check if a remote host/IP has been set for the client.
86228a56
MT		 4055 if ($cgiparams{'TYPE'} eq 'net') {
4056 if ($cgiparams{'SIDE'} ne 'server' && $cgiparams{'REMOTE'} eq '') {
4057 $errormessage = $Lang::tr{'invalid input for remote host/ip'};
c125d8a2 4058
86228a56
MT		 4059 # Check if this is a N2N connection and drop temporary config.
4060 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
4061 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
ce9abb66 4062
86228a56
MT		 4063 goto VPNCONF_ERROR;
4064 }
c125d8a2 4065
86228a56
MT		 4066 # Check if a remote host/IP has been configured - the field can be empty on the server side.
4067 if ($cgiparams{'REMOTE'} ne '') {
4068 # Check if the given IP is valid - otherwise check if it is a valid domain.
4069 if (! &General::validip($cgiparams{'REMOTE'})) {
4070 # Check for a valid domain.
4071 if (! &General::validfqdn ($cgiparams{'REMOTE'})) {
4072 $errormessage = $Lang::tr{'invalid input for remote host/ip'};
c125d8a2 4073
86228a56
MT		 4074 # Check if this is a N2N connection and drop temporary config.
4075 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
4076 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
c125d8a2 4077
86228a56
MT		 4078 goto VPNCONF_ERROR;
4079 }
4080 }
6e13d0a5 4081 }
c6c9630e 4082 }
c125d8a2 4083
c6c9630e
MT		 4084 if ($cgiparams{'TYPE'} ne 'host') {
4085 unless (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) {
66c36198 4086 $errormessage = $Lang::tr{'local subnet is invalid'};
b278daf3
AH		 4087 if ($cgiparams{'TYPE'} eq 'net') {
4088 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
4089 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
4090 }
c6c9630e
MT		 4091 goto VPNCONF_ERROR;}
4092 }
4093 # Check if there is no other entry without IP-address and PSK
4094 if ($cgiparams{'REMOTE'} eq '') {
4095 foreach my $key (keys %confighash) {
66c36198
PM		 4096 if(($cgiparams{'KEY'} ne $key) &&
4097 ($confighash{$key}[4] eq 'psk' || $cgiparams{'AUTH'} eq 'psk') &&
c6c9630e
MT		 4098 $confighash{$key}[10] eq '') {
4099 $errormessage = $Lang::tr{'you can only define one roadwarrior connection when using pre-shared key authentication'};
4100 goto VPNCONF_ERROR;
6e13d0a5 4101 }
c6c9630e
MT		 4102 }
4103 }
ce9abb66
AH		 4104 if (($cgiparams{'TYPE'} eq 'net') && (! &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) {
4105 $errormessage = $Lang::tr{'remote subnet is invalid'};
b278daf3
AH		 4106 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
4107 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
4108 goto VPNCONF_ERROR;
ce9abb66 4109 }
c6c9630e 4110
425465ed
EK		 4111 # Check for N2N that OpenSSL maximum of valid days will not be exceeded
4112 if ($cgiparams{'TYPE'} eq 'net') {
4113 if ($cgiparams{'DAYS_VALID'} >= '999999') {
4114 $errormessage = $Lang::tr{'invalid input for valid till days'};
4115 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
4116 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
4117 goto VPNCONF_ERROR;
4118 }
4119 }
4120
c6c9630e
MT		 4121 if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
4122 $errormessage = $Lang::tr{'invalid input'};
4123 goto VPNCONF_ERROR;
4124 }
4125 if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) {
4126 $errormessage = $Lang::tr{'invalid input'};
4127 goto VPNCONF_ERROR;
4128 }
4129
4130#fixplausi
4131 if ($cgiparams{'AUTH'} eq 'psk') {
4132# if (! length($cgiparams{'PSK'}) ) {
4133# $errormessage = $Lang::tr{'pre-shared key is too short'};
4134# goto VPNCONF_ERROR;
4135# }
4136# if ($cgiparams{'PSK'} =~ /['",&]/) {
4137# $errormessage = $Lang::tr{'invalid characters found in pre-shared key'};
4138# goto VPNCONF_ERROR;
4139# }
4140 } elsif ($cgiparams{'AUTH'} eq 'certreq') {
4141 if ($cgiparams{'KEY'}) {
4142 $errormessage = $Lang::tr{'cant change certificates'};
4143 goto VPNCONF_ERROR;
4144 }
2ad1b18b 4145 unless (ref ($cgiparams{'FH'})) {
c6c9630e
MT		 4146 $errormessage = $Lang::tr{'there was no file upload'};
4147 goto VPNCONF_ERROR;
4148 }
4149
4150 # Move uploaded certificate request to a temporary file
4151 (my $fh, my $filename) = tempfile( );
4152 if (copy ($cgiparams{'FH'}, $fh) != 1) {
4153 $errormessage = $!;
4154 goto VPNCONF_ERROR;
4155 }
6e13d0a5 4156
c6c9630e
MT		 4157 # Sign the certificate request and move it
4158 # Sign the host certificate request
2feacd98 4159 # The system call is safe, because all arguments are passed as an array.
f6e12093 4160 system('/usr/bin/openssl', 'ca', '-days', "$cgiparams{'DAYS_VALID'}",
c6c9630e
MT		 4161 '-batch', '-notext',
4162 '-in', $filename,
4163 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
4164 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
4165 if ($?) {
4166 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
4167 unlink ($filename);
4168 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
4169 &newcleanssldatabase();
4170 goto VPNCONF_ERROR;
4171 } else {
4172 unlink ($filename);
4173 &deletebackupcert();
4174 }
4175
2feacd98
SS		 4176 my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
4177 my $temp;
4178
4179 foreach my $line (@temp) {
4180 if ($line =~ /Subject:.*CN\s?=\s?(.*)[\n]/) {
4181 $temp = $1;
4182 $temp =~ s+/Email+, E+;
4183 $temp =~ s/ ST=/ S=/;
4184
4185 last;
4186 }
4187 }
66c36198 4188
c6c9630e
MT		 4189 $cgiparams{'CERT_NAME'} = $temp;
4190 $cgiparams{'CERT_NAME'} =~ s/,//g;
4191 $cgiparams{'CERT_NAME'} =~ s/\'//g;
4192 if ($cgiparams{'CERT_NAME'} eq '') {
4193 $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
4194 goto VPNCONF_ERROR;
4195 }
4196 } elsif ($cgiparams{'AUTH'} eq 'certfile') {
4197 if ($cgiparams{'KEY'}) {
4198 $errormessage = $Lang::tr{'cant change certificates'};
4199 goto VPNCONF_ERROR;
4200 }
2ad1b18b 4201 unless (ref ($cgiparams{'FH'})) {
c6c9630e
MT		 4202 $errormessage = $Lang::tr{'there was no file upload'};
4203 goto VPNCONF_ERROR;
4204 }
4205 # Move uploaded certificate to a temporary file
4206 (my $fh, my $filename) = tempfile( );
4207 if (copy ($cgiparams{'FH'}, $fh) != 1) {
4208 $errormessage = $!;
4209 goto VPNCONF_ERROR;
4210 }
4211
4212 # Verify the certificate has a valid CA and move it
4213 my $validca = 0;
2feacd98
SS		 4214 my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/cacert.pem", "$filename");
4215 if (grep(/: OK/, @test)) {
c6c9630e
MT		 4216 $validca = 1;
4217 } else {
4218 foreach my $key (keys %cahash) {
2feacd98
SS		 4219 @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/$cahash{$key}[0]cert.pem", "$filename");
4220 if (grep(/: OK/, @test)) {
c6c9630e
MT		 4221 $validca = 1;
4222 }
6e13d0a5 4223 }
c6c9630e
MT		 4224 }
4225 if (! $validca) {
4226 $errormessage = $Lang::tr{'certificate does not have a valid ca associated with it'};
4227 unlink ($filename);
4228 goto VPNCONF_ERROR;
4229 } else {
cc79d281 4230 unless(move($filename, "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem")) {
c6c9630e
MT		 4231 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
4232 unlink ($filename);
4233 goto VPNCONF_ERROR;
6e13d0a5 4234 }
c6c9630e
MT		 4235 }
4236
2feacd98
SS		 4237 my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
4238 my $temp;
4239
4240 foreach my $line (@temp) {
4241 if ($line =~ /Subject:.*CN\s?=\s?(.*)[\n]/) {
4242 $temp = $1;
4243 $temp =~ s+/Email+, E+;
4244 $temp =~ s/ ST=/ S=/;
4245
4246 last;
4247 }
4248 }
4249
c6c9630e
MT		 4250 $cgiparams{'CERT_NAME'} = $temp;
4251 $cgiparams{'CERT_NAME'} =~ s/,//g;
4252 $cgiparams{'CERT_NAME'} =~ s/\'//g;
4253 if ($cgiparams{'CERT_NAME'} eq '') {
4254 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
4255 $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
4256 goto VPNCONF_ERROR;
4257 }
4258 } elsif ($cgiparams{'AUTH'} eq 'certgen') {
4259 if ($cgiparams{'KEY'}) {
4260 $errormessage = $Lang::tr{'cant change certificates'};
4261 goto VPNCONF_ERROR;
4262 }
4263 # Validate input since the form was submitted
4264 if (length($cgiparams{'CERT_NAME'}) >60) {
4265 $errormessage = $Lang::tr{'name too long'};
4266 goto VPNCONF_ERROR;
4267 }
194314b2 4268 if ($cgiparams{'CERT_NAME'} eq '' || $cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
c6c9630e
MT		 4269 $errormessage = $Lang::tr{'invalid input for name'};
4270 goto VPNCONF_ERROR;
4271 }
4272 if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) {
4273 $errormessage = $Lang::tr{'invalid input for e-mail address'};
4274 goto VPNCONF_ERROR;
4275 }
4276 if (length($cgiparams{'CERT_EMAIL'}) > 40) {
4277 $errormessage = $Lang::tr{'e-mail address too long'};
4278 goto VPNCONF_ERROR;
4279 }
4280 if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
4281 $errormessage = $Lang::tr{'invalid input for department'};
4282 goto VPNCONF_ERROR;
4283 }
4284 if (length($cgiparams{'CERT_ORGANIZATION'}) >60) {
4285 $errormessage = $Lang::tr{'organization too long'};
4286 goto VPNCONF_ERROR;
4287 }
4288 if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
4289 $errormessage = $Lang::tr{'invalid input for organization'};
4290 goto VPNCONF_ERROR;
4291 }
4292 if ($cgiparams{'CERT_CITY'} ne '' && $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
4293 $errormessage = $Lang::tr{'invalid input for city'};
4294 goto VPNCONF_ERROR;
4295 }
4296 if ($cgiparams{'CERT_STATE'} ne '' && $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
4297 $errormessage = $Lang::tr{'invalid input for state or province'};
4298 goto VPNCONF_ERROR;
4299 }
4300 if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) {
4301 $errormessage = $Lang::tr{'invalid input for country'};
4302 goto VPNCONF_ERROR;
4303 }
4304 if ($cgiparams{'CERT_PASS1'} ne '' && $cgiparams{'CERT_PASS2'} ne ''){
4305 if (length($cgiparams{'CERT_PASS1'}) < 5) {
4306 $errormessage = $Lang::tr{'password too short'};
4307 goto VPNCONF_ERROR;
6e13d0a5 4308 }
66c36198 4309 }
c6c9630e
MT		 4310 if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) {
4311 $errormessage = $Lang::tr{'passwords do not match'};
4312 goto VPNCONF_ERROR;
4313 }
425465ed 4314 if ($cgiparams{'DAYS_VALID'} eq '' && $cgiparams{'DAYS_VALID'} !~ /^[0-9]+$/) {
f4fbb935
EK		 4315 $errormessage = $Lang::tr{'invalid input for valid till days'};
4316 goto VPNCONF_ERROR;
4317 }
c6c9630e 4318
425465ed
EK		 4319 # Check for RW that OpenSSL maximum of valid days will not be exceeded
4320 if ($cgiparams{'TYPE'} eq 'host') {
4321 if ($cgiparams{'DAYS_VALID'} >= '999999') {
4322 $errormessage = $Lang::tr{'invalid input for valid till days'};
4323 goto VPNCONF_ERROR;
4324 }
4325 }
4326
beac479f
EK		 4327 # Check for RW if client name is already set
4328 if ($cgiparams{'TYPE'} eq 'host') {
4329 foreach my $key (keys %confighash) {
4330 if ($confighash{$key}[1] eq $cgiparams{'NAME'}) {
4331 $errormessage = $Lang::tr{'a connection with this name already exists'};
4332 goto VPNCONF_ERROR;
4333 }
4334 }
4335 }
4336
c6c9630e
MT		 4337 # Replace empty strings with a .
4338 (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./;
4339 (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./;
4340 (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./;
4341
4342 # Create the Host certificate request client
4343 my $pid = open(OPENSSL, "|-");
4344 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto VPNCONF_ERROR;};
4345 if ($pid) { # parent
4346 print OPENSSL "$cgiparams{'CERT_COUNTRY'}\n";
4347 print OPENSSL "$state\n";
4348 print OPENSSL "$city\n";
4349 print OPENSSL "$cgiparams{'CERT_ORGANIZATION'}\n";
4350 print OPENSSL "$ou\n";
4351 print OPENSSL "$cgiparams{'CERT_NAME'}\n";
4352 print OPENSSL "$cgiparams{'CERT_EMAIL'}\n";
4353 print OPENSSL ".\n";
4354 print OPENSSL ".\n";
4355 close (OPENSSL);
4356 if ($?) {
4357 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
4358 unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}key.pem");
4359 unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}req.pem");
4360 goto VPNCONF_ERROR;
6e13d0a5 4361 }
c6c9630e 4362 } else { # child
badd8c1c 4363 unless (exec ('/usr/bin/openssl', 'req', '-nodes',
818dde8e 4364 '-newkey', 'rsa:4096',
c6c9630e
MT		 4365 '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
4366 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
4367 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
4368 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
4369 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
4370 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
4371 goto VPNCONF_ERROR;
6e13d0a5 4372 }
c6c9630e 4373 }
66c36198 4374
c6c9630e 4375 # Sign the host certificate request
2feacd98 4376 # The system call is safe, because all arguments are passed as an array.
f6e12093 4377 system('/usr/bin/openssl', 'ca', '-days', "$cgiparams{'DAYS_VALID'}",
c6c9630e
MT		 4378 '-batch', '-notext',
4379 '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
4380 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
4381 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
4382 if ($?) {
4383 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
4384 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
4385 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
4386 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
4387 &newcleanssldatabase();
4388 goto VPNCONF_ERROR;
4389 } else {
4390 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
4391 &deletebackupcert();
4392 }
4393
4394 # Create the pkcs12 file
2feacd98 4395 # The system call is safe, because all arguments are passed as an array.
66c36198 4396 system('/usr/bin/openssl', 'pkcs12', '-export',
c6c9630e
MT		 4397 '-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
4398 '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
4399 '-name', $cgiparams{'NAME'},
4400 '-passout', "pass:$cgiparams{'CERT_PASS1'}",
66c36198 4401 '-certfile', "${General::swroot}/ovpn/ca/cacert.pem",
c6c9630e
MT		 4402 '-caname', "$vpnsettings{'ROOTCERT_ORGANIZATION'} CA",
4403 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12");
4404 if ($?) {
4405 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
4406 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
4407 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
4408 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12");
4409 goto VPNCONF_ERROR;
4410 } else {
4411 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
4412 }
4413 } elsif ($cgiparams{'AUTH'} eq 'cert') {
4414 ;# Nothing, just editing
4415 } else {
4416 $errormessage = $Lang::tr{'invalid input for authentication method'};
4417 goto VPNCONF_ERROR;
4418 }
4419
4420 # Check if there is no other entry with this common name
4421 if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk')) {
4422 foreach my $key (keys %confighash) {
4423 if ($confighash{$key}[2] eq $cgiparams{'CERT_NAME'}) {
4424 $errormessage = $Lang::tr{'a connection with this common name already exists'};
4425 goto VPNCONF_ERROR;
6e13d0a5 4426 }
c6c9630e
MT		 4427 }
4428 }
4429
ab4cf06c 4430 # Save the config
c6c9630e 4431 my $key = $cgiparams{'KEY'};
66c36198 4432
c6c9630e
MT		 4433 if (! $key) {
4434 $key = &General::findhasharraykey (\%confighash);
49abe7af 4435 foreach my $i (0 .. 43) { $confighash{$key}[$i] = "";}
c6c9630e 4436 }
8c877a82
AM		 4437 $confighash{$key}[0] = $cgiparams{'ENABLED'};
4438 $confighash{$key}[1] = $cgiparams{'NAME'};
c6c9630e 4439 if ((! $cgiparams{'KEY'}) && $cgiparams{'AUTH'} ne 'psk') {
8c877a82 4440 $confighash{$key}[2] = $cgiparams{'CERT_NAME'};
c6c9630e 4441 }
66c36198 4442
8c877a82 4443 $confighash{$key}[3] = $cgiparams{'TYPE'};
c6c9630e 4444 if ($cgiparams{'AUTH'} eq 'psk') {
8c877a82
AM		 4445 $confighash{$key}[4] = 'psk';
4446 $confighash{$key}[5] = $cgiparams{'PSK'};
c6c9630e 4447 } else {
8c877a82 4448 $confighash{$key}[4] = 'cert';
c6c9630e 4449 }
ce9abb66 4450 if ($cgiparams{'TYPE'} eq 'net') {
8c877a82
AM		 4451 $confighash{$key}[6] = $cgiparams{'SIDE'};
4452 $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'};
ce9abb66 4453 }
4c962356 4454 $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'};
8c877a82 4455 $confighash{$key}[10] = $cgiparams{'REMOTE'};
4c962356 4456 if ($cgiparams{'OVPN_MGMT'} eq '') {
8c877a82 4457 $confighash{$key}[22] = $confighash{$key}[29];
4c962356 4458 } else {
8c877a82 4459 $confighash{$key}[22] = $cgiparams{'OVPN_MGMT'};
4c962356 4460 }
8c877a82
AM		 4461 $confighash{$key}[23] = $cgiparams{'MSSFIX'};
4462 $confighash{$key}[24] = $cgiparams{'FRAGMENT'};
4463 $confighash{$key}[25] = $cgiparams{'REMARK'};
4464 $confighash{$key}[26] = $cgiparams{'INTERFACE'};
66c36198 4465# new fields
8c877a82
AM		 4466 $confighash{$key}[27] = $cgiparams{'OVPN_SUBNET'};
4467 $confighash{$key}[28] = $cgiparams{'PROTOCOL'};
4468 $confighash{$key}[29] = $cgiparams{'DEST_PORT'};
4469 $confighash{$key}[30] = $cgiparams{'COMPLZO'};
4470 $confighash{$key}[31] = $cgiparams{'MTU'};
4471 $confighash{$key}[32] = $cgiparams{'CHECK1'};
df9b48b7 4472 $name=$cgiparams{'CHECK1'};
8c877a82
AM		 4473 $confighash{$key}[33] = $cgiparams{$name};
4474 $confighash{$key}[34] = $cgiparams{'RG'};
4475 $confighash{$key}[35] = $cgiparams{'CCD_DNS1'};
4476 $confighash{$key}[36] = $cgiparams{'CCD_DNS2'};
4477 $confighash{$key}[37] = $cgiparams{'CCD_WINS'};
4c962356
EK		 4478 $confighash{$key}[39] = $cgiparams{'DAUTH'};
4479 $confighash{$key}[40] = $cgiparams{'DCIPHER'};
350f2980 4480
71af643c
MT		 4481 if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
4482 $confighash{$key}[41] = "no-pass";
4483 }
4484
e1e10515
TE		 4485 $confighash{$key}[42] = 'HOTP/T30/6';
4486 $confighash{$key}[43] = $cgiparams{'OTP_STATE'};
16d4a5c2 4487 if (($confighash{$key}[43] eq 'on') && ($confighash{$key}[44] eq '')) {
e1e10515 4488 my @otp_secret = &General::system_output("/usr/bin/openssl", "rand", "-hex", "20");
209d62f0 4489 chomp($otp_secret[0]);
e1e10515 4490 $confighash{$key}[44] = $otp_secret[0];
16d4a5c2 4491 } elsif ($confighash{$key}[43] eq '') {
e1e10515
TE		 4492 $confighash{$key}[44] = '';
4493 }
4494
c6c9630e 4495 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
66c36198 4496
8c877a82 4497 if ($cgiparams{'CHECK1'} ){
66c36198 4498
8c877a82
AM		 4499 my ($ccdip,$ccdsub)=split "/",$cgiparams{$name};
4500 my ($a,$b,$c,$d) = split (/\./,$ccdip);
df9b48b7
AM		 4501 if ( -e "${General::swroot}/ovpn/ccd/$confighash{$key}[2]"){
4502 unlink "${General::swroot}/ovpn/ccd/$cgiparams{'CERT_NAME'}";
4503 }
8c877a82 4504 open ( CCDRWCONF,'>',"${General::swroot}/ovpn/ccd/$confighash{$key}[2]") or die "Unable to create clientconfigfile $!";
82c809c7 4505 print CCDRWCONF "# OpenVPN clientconfig from ccd extension by Copymaster#\n\n";
8c877a82
AM		 4506 if($cgiparams{'CHECK1'} eq 'dynamic'){
4507 print CCDRWCONF "#This client uses the dynamic pool\n";
4508 }else{
82c809c7 4509 print CCDRWCONF "#Ip address client and server\n";
8c877a82
AM		 4510 print CCDRWCONF "ifconfig-push $ccdip ".&General::getlastip($ccdip,1)."\n";
4511 }
4512 if ($confighash{$key}[34] eq 'on'){
4513 print CCDRWCONF "\n#Redirect Gateway: \n#All IP traffic is redirected through the vpn \n";
4514 print CCDRWCONF "push redirect-gateway\n";
4515 }
52d08bcb 4516 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
8c877a82 4517 if ($cgiparams{'IR'} ne ''){
82c809c7 4518 print CCDRWCONF "\n#Client routes these networks (behind Client)\n";
8c877a82
AM		 4519 foreach my $key (keys %ccdroutehash){
4520 if ($ccdroutehash{$key}[0] eq $cgiparams{'NAME'}){
4521 foreach my $i ( 1 .. $#{$ccdroutehash{$key}}){
4522 my ($a,$b)=split (/\//,$ccdroutehash{$key}[$i]);
4523 print CCDRWCONF "iroute $a $b\n";
4524 }
4525 }
4526 }
4527 }
52d08bcb 4528 if ($cgiparams{'IFROUTE'} eq $Lang::tr{'ccd none'} ){$cgiparams{'IFROUTE'}='';}
8c877a82 4529 if ($cgiparams{'IFROUTE'} ne ''){
82c809c7 4530 print CCDRWCONF "\n#Client gets routes to these networks (behind IPFire)\n";
8c877a82
AM		 4531 foreach my $key (keys %ccdroute2hash){
4532 if ($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}){
4533 foreach my $i ( 1 .. $#{$ccdroute2hash{$key}}){
4534 if($ccdroute2hash{$key}[$i] eq $Lang::tr{'blue'}){
4535 my %blue=();
4536 &General::readhash("${General::swroot}/ethernet/settings", \%blue);
52d08bcb 4537 print CCDRWCONF "push \"route $blue{BLUE_ADDRESS} $blue{BLUE_NETMASK}\n";
8c877a82
AM		 4538 }elsif($ccdroute2hash{$key}[$i] eq $Lang::tr{'orange'}){
4539 my %orange=();
4540 &General::readhash("${General::swroot}/ethernet/settings", \%orange);
4541 print CCDRWCONF "push \"route $orange{ORANGE_ADDRESS} $orange{ORANGE_NETMASK}\n";
4542 }else{
4543 my ($a,$b)=split (/\//,$ccdroute2hash{$key}[$i]);
4544 print CCDRWCONF "push \"route $a $b\"\n";
4545 }
4546 }
4547 }
4548 }
4549 }
4550 if(($cgiparams{'CCD_DNS1'} eq '') && ($cgiparams{'CCD_DNS1'} ne '')){ $cgiparams{'CCD_DNS1'} = $cgiparams{'CCD_DNS2'};$cgiparams{'CCD_DNS2'}='';}
4551 if($cgiparams{'CCD_DNS1'} ne ''){
82c809c7 4552 print CCDRWCONF "\n#Client gets these nameservers\n";
8c877a82
AM		 4553 print CCDRWCONF "push \"dhcp-option DNS $cgiparams{'CCD_DNS1'}\" \n";
4554 }
4555 if($cgiparams{'CCD_DNS2'} ne ''){
4556 print CCDRWCONF "push \"dhcp-option DNS $cgiparams{'CCD_DNS2'}\" \n";
4557 }
4558 if($cgiparams{'CCD_WINS'} ne ''){
4559 print CCDRWCONF "\n#Client gets this WINS server\n";
4560 print CCDRWCONF "push \"dhcp-option WINS $cgiparams{'CCD_WINS'}\" \n";
4561 }
4562 close CCDRWCONF;
4563 }
18837a6a
AH		 4564
4565###
4566# m.a.d n2n begin
4567###
66c36198 4568
18837a6a 4569 if ($cgiparams{'TYPE'} eq 'net') {
66c36198 4570
2feacd98
SS		 4571 if (-e "/var/run/$confighash{$key}[1]n2n.pid") {
4572 &General::system("/usr/local/bin/openvpnctrl", "-kn2n", "$confighash{$cgiparams{'KEY'}}[1]");
66c36198 4573
2feacd98
SS		 4574 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
4575 my $key = $cgiparams{'KEY'};
4576 if (! $key) {
4577 $key = &General::findhasharraykey (\%confighash);
4578 foreach my $i (0 .. 31) {
4579 $confighash{$key}[$i] = "";
4580 }
4581 }
4582
4583 $confighash{$key}[0] = 'on';
4584 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
66c36198 4585
2feacd98
SS		 4586 &General::system("/usr/local/bin/openvpnctrl", "-sn2n", "$confighash{$cgiparams{'KEY'}}[1]");
4587 }
4588 }
18837a6a
AH		 4589
4590###
4591# m.a.d n2n end
66c36198 4592###
18837a6a 4593
c6c9630e
MT		 4594 if ($cgiparams{'EDIT_ADVANCED'} eq 'on') {
4595 $cgiparams{'KEY'} = $key;
4596 $cgiparams{'ACTION'} = $Lang::tr{'advanced'};
4597 }
4598 goto VPNCONF_END;
6e13d0a5 4599 } else {
c6c9630e 4600 $cgiparams{'ENABLED'} = 'on';
54fd0535
MT		 4601###
4602# m.a.d n2n begin
66c36198 4603###
54fd0535
MT		 4604 $cgiparams{'MSSFIX'} = 'on';
4605 $cgiparams{'FRAGMENT'} = '1300';
70900745 4606 $cgiparams{'DAUTH'} = 'SHA512';
54fd0535
MT		 4607###
4608# m.a.d n2n end
66c36198 4609###
4c962356 4610 $cgiparams{'SIDE'} = 'left';
c6c9630e
MT		 4611 if ( ! -f "${General::swroot}/ovpn/ca/cakey.pem" ) {
4612 $cgiparams{'AUTH'} = 'psk';
4613 } elsif ( ! -f "${General::swroot}/ovpn/ca/cacert.pem") {
4614 $cgiparams{'AUTH'} = 'certfile';
4615 } else {
6e13d0a5 4616 $cgiparams{'AUTH'} = 'certgen';
c6c9630e
MT		 4617 }
4618 $cgiparams{'LOCAL_SUBNET'} ="$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
4619 $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'};
4620 $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'};
4621 $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'};
4622 $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'};
c0a7c9b2 4623 $cgiparams{'DAYS_VALID'} = $vpnsettings{'DAYS_VALID'} = '730';
6e13d0a5 4624 }
c6c9630e 4625
6e13d0a5 4626 VPNCONF_ERROR:
6e13d0a5
MT		 4627 $checked{'ENABLED'}{'off'} = '';
4628 $checked{'ENABLED'}{'on'} = '';
4629 $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = 'CHECKED';
4630 $checked{'ENABLED_BLUE'}{'off'} = '';
4631 $checked{'ENABLED_BLUE'}{'on'} = '';
4632 $checked{'ENABLED_BLUE'}{$cgiparams{'ENABLED_BLUE'}} = 'CHECKED';
4633 $checked{'ENABLED_ORANGE'}{'off'} = '';
4634 $checked{'ENABLED_ORANGE'}{'on'} = '';
4635 $checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = 'CHECKED';
c6c9630e
MT		 4636
4637
6e13d0a5
MT		 4638 $checked{'EDIT_ADVANCED'}{'off'} = '';
4639 $checked{'EDIT_ADVANCED'}{'on'} = '';
4640 $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = 'CHECKED';
c6c9630e 4641
6e13d0a5
MT		 4642 $selected{'SIDE'}{'server'} = '';
4643 $selected{'SIDE'}{'client'} = '';
4644 $selected{'SIDE'}{$cgiparams{'SIDE'}} = 'SELECTED';
66c36198 4645
d96c89eb
AH		 4646 $selected{'PROTOCOL'}{'udp'} = '';
4647 $selected{'PROTOCOL'}{'tcp'} = '';
4648 $selected{'PROTOCOL'}{$cgiparams{'PROTOCOL'}} = 'SELECTED';
4649
c6c9630e 4650
6e13d0a5
MT		 4651 $checked{'AUTH'}{'psk'} = '';
4652 $checked{'AUTH'}{'certreq'} = '';
4653 $checked{'AUTH'}{'certgen'} = '';
4654 $checked{'AUTH'}{'certfile'} = '';
4655 $checked{'AUTH'}{$cgiparams{'AUTH'}} = 'CHECKED';
c6c9630e 4656
6e13d0a5 4657 $selected{'INTERFACE'}{$cgiparams{'INTERFACE'}} = 'SELECTED';
66c36198 4658
6e13d0a5
MT		 4659 $checked{'COMPLZO'}{'off'} = '';
4660 $checked{'COMPLZO'}{'on'} = '';
4661 $checked{'COMPLZO'}{$cgiparams{'COMPLZO'}} = 'CHECKED';
c6c9630e 4662
d96c89eb
AH		 4663 $checked{'MSSFIX'}{'off'} = '';
4664 $checked{'MSSFIX'}{'on'} = '';
4665 $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
4666
52f61e49
EKD		 4667 $selected{'DCIPHER'}{'AES-256-GCM'} = '';
4668 $selected{'DCIPHER'}{'AES-192-GCM'} = '';
4669 $selected{'DCIPHER'}{'AES-128-GCM'} = '';
4c962356
EK		 4670 $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
4671 $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
4672 $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
4673 $selected{'DCIPHER'}{'AES-256-CBC'} = '';
4674 $selected{'DCIPHER'}{'AES-192-CBC'} = '';
4675 $selected{'DCIPHER'}{'AES-128-CBC'} = '';
4676 $selected{'DCIPHER'}{'DESX-CBC'} = '';
4677 $selected{'DCIPHER'}{'SEED-CBC'} = '';
4678 $selected{'DCIPHER'}{'DES-EDE3-CBC'} = '';
4679 $selected{'DCIPHER'}{'DES-EDE-CBC'} = '';
4680 $selected{'DCIPHER'}{'CAST5-CBC'} = '';
4681 $selected{'DCIPHER'}{'BF-CBC'} = '';
4c962356 4682 $selected{'DCIPHER'}{'DES-CBC'} = '';
49abe7af
EK		 4683 # If no cipher has been chossen yet, select
4684 # the old default (AES-256-CBC) for compatiblity reasons.
4685 if ($cgiparams{'DCIPHER'} eq '') {
4686 $cgiparams{'DCIPHER'} = 'AES-256-CBC';
4687 }
4c962356 4688 $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED';
49abe7af
EK		 4689 $selected{'DAUTH'}{'whirlpool'} = '';
4690 $selected{'DAUTH'}{'SHA512'} = '';
4691 $selected{'DAUTH'}{'SHA384'} = '';
4692 $selected{'DAUTH'}{'SHA256'} = '';
4693 $selected{'DAUTH'}{'SHA1'} = '';
49abe7af 4694 $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';
0c4ffc69
EK		 4695 $checked{'TLSAUTH'}{'off'} = '';
4696 $checked{'TLSAUTH'}{'on'} = '';
4697 $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED';
49abe7af 4698
6e13d0a5
MT		 4699 if (1) {
4700 &Header::showhttpheaders();
4c962356 4701 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
6e13d0a5
MT		 4702 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
4703 if ($errormessage) {
4704 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
4705 print "<class name='base'>$errormessage";
4706 print "&nbsp;</class>";
4707 &Header::closebox();
4708 }
c6c9630e 4709
6e13d0a5
MT		 4710 if ($warnmessage) {
4711 &Header::openbox('100%', 'LEFT', "$Lang::tr{'warning messages'}:");
4712 print "<class name='base'>$warnmessage";
4713 print "&nbsp;</class>";
4714 &Header::closebox();
4715 }
c6c9630e 4716
6e13d0a5 4717 print "<form method='post' enctype='multipart/form-data'>";
ce9abb66 4718 print "<input type='hidden' name='TYPE' value='$cgiparams{'TYPE'}' />";
c6c9630e 4719
6e13d0a5
MT		 4720 if ($cgiparams{'KEY'}) {
4721 print "<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />";
4722 print "<input type='hidden' name='AUTH' value='$cgiparams{'AUTH'}' />";
6e13d0a5 4723 }
c6c9630e 4724
6e13d0a5 4725 &Header::openbox('100%', 'LEFT', "$Lang::tr{'connection'}:");
8c877a82 4726 print "<table width='100%' border='0'>\n";
4c962356 4727
e3edceeb 4728 print "<tr><td width='14%' class='boldbase'>$Lang::tr{'name'}:&nbsp;<img src='/blob.gif' alt='*' /></td>";
66c36198 4729
ce9abb66 4730 if ($cgiparams{'TYPE'} eq 'host') {
6e13d0a5 4731 if ($cgiparams{'KEY'}) {
8c877a82 4732 print "<td width='35%' class='base'><input type='hidden' name='NAME' value='$cgiparams{'NAME'}' />$cgiparams{'NAME'}</td>";
6e13d0a5
MT		 4733 } else {
4734 print "<td width='35%'><input type='text' name='NAME' value='$cgiparams{'NAME'}' maxlength='20' size='30' /></td>";
4735 }
c6c9630e
MT		 4736# print "<tr><td>$Lang::tr{'interface'}</td>";
4737# print "<td><select name='INTERFACE'>";
4738# print "<option value='RED' $selected{'INTERFACE'}{'RED'}>RED</option>";
4c962356
EK		 4739# if ($netsettings{'BLUE_DEV'} ne '') {
4740# print "<option value='BLUE' $selected{'INTERFACE'}{'BLUE'}>BLUE</option>";
4741# }
4742# print "<option value='GREEN' $selected{'INTERFACE'}{'GREEN'}>GREEN</option>";
4743# print "<option value='ORANGE' $selected{'INTERFACE'}{'ORANGE'}>ORANGE</option>";
4744# print "</select></td></tr>";
4745# print <<END;
ce9abb66
AH		 4746 } else {
4747 print "<input type='hidden' name='INTERFACE' value='red' />";
4748 if ($cgiparams{'KEY'}) {
4749 print "<td width='25%' class='base' nowrap='nowrap'><input type='hidden' name='NAME' value='$cgiparams{'NAME'}' />$cgiparams{'NAME'}</td>";
4750 } else {
4751 print "<td width='25%'><input type='text' name='NAME' value='$cgiparams{'NAME'}' maxlength='20' /></td>";
4752 }
52f61e49
EKD		 4753
4754 # If GCM ciphers are in usage, HMAC menu is disabled
4755 my $hmacdisabled;
4756 if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') ||
4757 ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') ||
4758 ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) {
4759 $hmacdisabled = "disabled='disabled'";
4760 };
4761
4c962356 4762 print <<END;
ce9abb66 4763 <td width='25%'>&nbsp;</td>
66c36198 4764 <td width='25%'>&nbsp;</td></tr>
f527e53f
EK		 4765 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'Act as'}</td>
4766 <td><select name='SIDE'>
4767 <option value='server' $selected{'SIDE'}{'server'}>$Lang::tr{'openvpn server'}</option>
4768 <option value='client' $selected{'SIDE'}{'client'}>$Lang::tr{'openvpn client'}</option>
4769 </select>
4770 </td>
4c962356 4771
f527e53f
EK		 4772 <td class='boldbase'>$Lang::tr{'remote host/ip'}:</td>
4773 <td><input type='TEXT' name='REMOTE' value='$cgiparams{'REMOTE'}' /></td>
4774 </tr>
4c962356 4775
e3edceeb 4776 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'local subnet'}&nbsp;<img src='/blob.gif' alt='*' /></td>
f527e53f 4777 <td><input type='TEXT' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' /></td>
4c962356 4778
e3edceeb 4779 <td class='boldbase' nowrap='nowrap'>$Lang::tr{'remote subnet'}&nbsp;<img src='/blob.gif' alt='*' /></td>
f527e53f
EK		 4780 <td><input type='text' name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' /></td>
4781 </tr>
4c962356 4782
e3edceeb 4783 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn subnet'}&nbsp;<img src='/blob.gif' alt='*' /></td>
f527e53f 4784 <td><input type='TEXT' name='OVPN_SUBNET' value='$cgiparams{'OVPN_SUBNET'}' /></td>
49abe7af 4785
f527e53f
EK		 4786 <td class='boldbase' nowrap='nowrap'>$Lang::tr{'protocol'}</td>
4787 <td><select name='PROTOCOL'>
4788 <option value='udp' $selected{'PROTOCOL'}{'udp'}>UDP</option>
4789 <option value='tcp' $selected{'PROTOCOL'}{'tcp'}>TCP</option></select></td>
4790 </tr>
66c36198 4791
f527e53f 4792 <tr>
e3edceeb 4793 <td class='boldbase'>$Lang::tr{'destination port'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
f527e53f 4794 <td><input type='TEXT' name='DEST_PORT' value='$cgiparams{'DEST_PORT'}' size='5' /></td>
4c962356 4795
e3edceeb 4796 <td class='boldbase' nowrap='nowrap'>Management Port ($Lang::tr{'openvpn default'}: <span class="base">$Lang::tr{'destination port'}):</td>
f527e53f
EK		 4797 <td> <input type='TEXT' name='OVPN_MGMT' VALUE='$cgiparams{'OVPN_MGMT'}'size='5' /></td>
4798 </tr>
49abe7af 4799
f527e53f 4800 <tr><td colspan=4><hr /></td></tr><tr>
66c36198 4801
f527e53f
EK		 4802 <tr>
4803 <td class'base'><b>$Lang::tr{'MTU settings'}</b></td>
4804 </tr>
49abe7af 4805
e3edceeb 4806 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'MTU'}</td>
f527e53f
EK		 4807 <td><input type='TEXT' name='MTU' VALUE='$cgiparams{'MTU'}'size='5' /></td>
4808 <td colspan='2'>$Lang::tr{'openvpn default'}: udp/tcp <span class="base">1500/1400</span></td>
4809 </tr>
4c962356 4810
e3edceeb 4811 <tr><td class='boldbase' nowrap='nowrap'>fragment:</td>
f527e53f
EK		 4812 <td><input type='TEXT' name='FRAGMENT' VALUE='$cgiparams{'FRAGMENT'}'size='5' /></td>
4813 <td>$Lang::tr{'openvpn default'}: <span class="base">1300</span></td>
4814 </tr>
4c962356 4815
e3edceeb 4816 <tr><td class='boldbase' nowrap='nowrap'>mssfix:</td>
f527e53f
EK		 4817 <td><input type='checkbox' name='MSSFIX' $checked{'MSSFIX'}{'on'} /></td>
4818 <td>$Lang::tr{'openvpn default'}: <span class="base">on</span></td>
4819 </tr>
4c962356 4820
e3edceeb 4821 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'}</td>
f527e53f
EK		 4822 <td><input type='checkbox' name='COMPLZO' $checked{'COMPLZO'}{'on'} /></td>
4823 </tr>
2ee746be 4824
f527e53f
EK		 4825<tr><td colspan=4><hr /></td></tr><tr>
4826 <tr>
4827 <td class'base'><b>$Lang::tr{'ovpn crypt options'}:</b></td>
4828 </tr>
4829
4830 <tr><td class='boldbase'>$Lang::tr{'cipher'}</td>
52f61e49
EKD		 4831 <td><select name='DCIPHER' id="n2ncipher" required>
4832 <option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
4833 <option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
4834 <option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
f527e53f
EK		 4835 <option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
4836 <option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
4837 <option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
f7fb5bc5 4838 <option value='AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'}, $Lang::tr{'default'})</option>
f527e53f
EK		 4839 <option value='AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
4840 <option value='AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
ea6dd5b0
EK		 4841 <option value='SEED-CBC' $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
4842 <option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
4843 <option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
4844 <option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
4845 <option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
4846 <option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
f527e53f
EK		 4847 </select>
4848 </td>
4849
4850 <td class='boldbase'>$Lang::tr{'ovpn ha'}:</td>
52f61e49 4851 <td><select name='DAUTH' id="n2nhmac" $hmacdisabled>
f527e53f
EK		 4852 <option value='whirlpool' $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
4853 <option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
4854 <option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
4855 <option value='SHA256' $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
f3dfb261 4856 <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
f527e53f
EK		 4857 </select>
4858 </td>
4859 </tr>
4860 <tr><td colspan=4><hr /></td></tr><tr>
4861
ce9abb66 4862END
8c877a82 4863;
ce9abb66 4864 }
52f61e49
EKD		 4865
4866#### JAVA SCRIPT ####
4867# Validate N2N cipher. If GCM will be used, HMAC menu will be disabled onchange
4868print<<END;
4869 <script>
4870 var disable_options = false;
4871 document.getElementById('n2ncipher').onchange = function () {
4872 if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM")) {
4873 document.getElementById('n2nhmac').setAttribute('disabled', true);
4874 } else {
4875 document.getElementById('n2nhmac').removeAttribute('disabled');
4876 }
4877 }
4878 </script>
4879END
4880
2ee746be 4881#jumper
e3edceeb 4882 print "<tr><td class='boldbase'>$Lang::tr{'remark title'}</td>";
8c877a82 4883 print "<td colspan='3'><input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='55' maxlength='50' /></td></tr></table>";
66c36198 4884
ce9abb66 4885 if ($cgiparams{'TYPE'} eq 'host') {
8c877a82 4886 print "<tr><td>$Lang::tr{'enabled'} <input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /></td>";
66c36198 4887 }
ce9abb66 4888
8c877a82 4889 print"</tr></table><br><br>";
66c36198
PM		 4890#A.Marx CCD new client
4891if ($cgiparams{'TYPE'} eq 'host') {
8c877a82 4892 print "<table border='0' width='100%' cellspacing='1' cellpadding='0'><tr><td colspan='3'><hr><br><b>$Lang::tr{'ccd choose net'}</td></tr><tr><td height='20' colspan='3'></td></tr>";
8c877a82
AM		 4893 my %vpnnet=();
4894 my $vpnip;
4895 &General::readhash("${General::swroot}/ovpn/settings", \%vpnnet);
4896 $vpnip=$vpnnet{'DOVPN_SUBNET'};
4897 &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
4898 my @ccdconf=();
4899 my $count=0;
4900 my $checked;
4901 $checked{'check1'}{'off'} = '';
4902 $checked{'check1'}{'on'} = '';
4903 $checked{'check1'}{$cgiparams{'CHECK1'}} = 'CHECKED';
4904 print"<tr><td align='center' width='1%' valign='top'><input type='radio' name='CHECK1' value='dynamic' checked /></td><td align='left' valign='top' width='35%'>$Lang::tr{'ccd dynrange'} ($vpnip)</td><td width='30%'>";
4905 print"</td></tr></table><br><br>";
4906 my $name=$cgiparams{'CHECK1'};
4907 $checked{'RG'}{$cgiparams{'RG'}} = 'CHECKED';
e1e10515 4908 $checked{'OTP_STATE'}{$cgiparams{'OTP_STATE'}} = 'CHECKED';
66c36198
PM		 4909
4910 if (! -z "${General::swroot}/ovpn/ccd.conf"){
8c877a82 4911 print"<table border='0' width='100%' cellspacing='1' cellpadding='0'><tr><td width='1%'></td><td width='30%' class='boldbase' align='center'><b>$Lang::tr{'ccd name'}</td><td width='15%' class='boldbase' align='center'><b>$Lang::tr{'network'}</td><td class='boldbase' align='center' width='18%'><b>$Lang::tr{'ccd clientip'}</td></tr>";
df9b48b7 4912 foreach my $key (sort { uc($ccdconfhash{$a}[0]) cmp uc($ccdconfhash{$b}[0]) } keys %ccdconfhash) {
8c877a82
AM		 4913 $count++;
4914 @ccdconf=($ccdconfhash{$key}[0],$ccdconfhash{$key}[1]);
4915 if ($count % 2){print"<tr bgcolor='$color{'color22'}'>";}else{print"<tr bgcolor='$color{'color20'}'>";}
4916 print"<td align='center' width='1%'><input type='radio' name='CHECK1' value='$ccdconf[0]' $checked{'check1'}{$ccdconf[0]}/></td><td>$ccdconf[0]</td><td width='40%' align='center'>$ccdconf[1]</td><td align='left' width='10%'>";
4917 &fillselectbox($ccdconf[1],$ccdconf[0],$cgiparams{$name});
4918 print"</td></tr>";
4919 }
4920 print "</table><br><br><hr><br><br>";
4921 }
e81be1e1 4922}
8c877a82 4923# ccd end
6e13d0a5
MT		 4924 &Header::closebox();
4925 if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') {
66c36198 4926
8c877a82 4927 } elsif (! $cgiparams{'KEY'}) {
66c36198
PM		 4928
4929
6e13d0a5
MT		 4930 my $disabled='';
4931 my $cakeydisabled='';
4932 my $cacrtdisabled='';
4933 if ( ! -f "${General::swroot}/ovpn/ca/cakey.pem" ) { $cakeydisabled = "disabled='disabled'" } else { $cakeydisabled = "" };
4934 if ( ! -f "${General::swroot}/ovpn/ca/cacert.pem" ) { $cacrtdisabled = "disabled='disabled'" } else { $cacrtdisabled = "" };
66c36198 4935
6e13d0a5 4936 &Header::openbox('100%', 'LEFT', $Lang::tr{'authentication'});
66c36198
PM		 4937
4938
ce9abb66
AH		 4939 if ($cgiparams{'TYPE'} eq 'host') {
4940
49abe7af 4941 print <<END;
6e13d0a5 4942 <table width='100%' cellpadding='0' cellspacing='5' border='0'>
66c36198 4943
ce9abb66
AH		 4944 <tr><td><input type='radio' name='AUTH' value='certreq' $checked{'AUTH'}{'certreq'} $cakeydisabled /></td><td class='base'>$Lang::tr{'upload a certificate request'}</td><td class='base' rowspan='2'><input type='file' name='FH' size='30' $cacrtdisabled></td></tr>
4945 <tr><td><input type='radio' name='AUTH' value='certfile' $checked{'AUTH'}{'certfile'} $cacrtdisabled /></td><td class='base'>$Lang::tr{'upload a certificate'}</td></tr>
54fd0535
MT		 4946 <tr><td colspan='3'>&nbsp;</td></tr>
4947 <tr><td colspan='3'><hr /></td></tr>
4948 <tr><td colspan='3'>&nbsp;</td></tr>
ce9abb66 4949 <tr><td><input type='radio' name='AUTH' value='certgen' $checked{'AUTH'}{'certgen'} $cakeydisabled /></td><td class='base'>$Lang::tr{'generate a certificate'}</td><td>&nbsp;</td></tr>
e3edceeb
LS		 4950 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'users fullname or system hostname'}:&nbsp;<img src='/blob.gif' alt='*' /></td><td class='base' nowrap='nowrap'><input type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' SIZE='32' $cakeydisabled /></td></tr>
4951 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'users email'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' SIZE='32' $cakeydisabled /></td></tr>
4952 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'users department'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' SIZE='32' $cakeydisabled /></td></tr>
4953 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'organization name'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' SIZE='32' $cakeydisabled /></td></tr>
4954 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'city'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' SIZE='32' $cakeydisabled /></td></tr>
4955 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'state or province'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' SIZE='32' $cakeydisabled /></td></tr>
ce9abb66 4956 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'country'}:</td><td class='base'><select name='CERT_COUNTRY' $cakeydisabled>
6e13d0a5 4957END
ce9abb66
AH		 4958;
4959
4960###
7c1d9faf 4961# m.a.d net2net
ce9abb66
AH		 4962###
4963
4964} else {
4965
49abe7af 4966 print <<END;
ce9abb66 4967 <table width='100%' cellpadding='0' cellspacing='5' border='0'>
66c36198 4968
ce9abb66 4969 <tr><td><input type='radio' name='AUTH' value='certgen' $checked{'AUTH'}{'certgen'} $cakeydisabled /></td><td class='base'>$Lang::tr{'generate a certificate'}</td><td>&nbsp;</td></tr>
e3edceeb
LS		 4970 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'users fullname or system hostname'}:&nbsp;<img src='/blob.gif' alt='*' /></td><td class='base' nowrap='nowrap'><input type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' SIZE='32' $cakeydisabled /></td></tr>
4971 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'users email'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' SIZE='32' $cakeydisabled /></td></tr>
4972 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'users department'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' SIZE='32' $cakeydisabled /></td></tr>
4973 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'organization name'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' SIZE='32' $cakeydisabled /></td></tr>
4974 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'city'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' SIZE='32' $cakeydisabled /></td></tr>
4975 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'state or province'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' SIZE='32' $cakeydisabled /></td></tr>
ce9abb66 4976 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'country'}:</td><td class='base'><select name='CERT_COUNTRY' $cakeydisabled>
66c36198
PM		 4977
4978
ce9abb66
AH		 4979END
4980;
4981
4982}
4983
4984###
7c1d9faf 4985# m.a.d net2net
ce9abb66 4986###
c6c9630e 4987
6e13d0a5
MT		 4988 foreach my $country (sort keys %{Countries::countries}) {
4989 print "<option value='$Countries::countries{$country}'";
4990 if ( $Countries::countries{$country} eq $cgiparams{'CERT_COUNTRY'} ) {
4991 print " selected='selected'";
4992 }
4993 print ">$country</option>";
4994 }
ce9abb66 4995###
7c1d9faf 4996# m.a.d net2net
ce9abb66
AH		 4997###
4998
4999if ($cgiparams{'TYPE'} eq 'host') {
49abe7af 5000 print <<END;
f4fbb935 5001 </select></td></tr>
425465ed 5002 <td>&nbsp;</td><td class='base'>$Lang::tr{'valid till'} (days):&nbsp;<img src='/blob.gif' alt='*' /</td>
f4fbb935
EK		 5003 <td class='base' nowrap='nowrap'><input type='text' name='DAYS_VALID' value='$cgiparams{'DAYS_VALID'}' size='32' $cakeydisabled /></td></tr>
5004 <tr><td>&nbsp;</td>
6e13d0a5
MT		 5005 <td class='base'>$Lang::tr{'pkcs12 file password'}:</td>
5006 <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS1' value='$cgiparams{'CERT_PASS1'}' size='32' $cakeydisabled /></td></tr>
f4fbb935 5007 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'pkcs12 file password'}:<br>($Lang::tr{'confirmation'})</td>
6e13d0a5 5008 <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS2' value='$cgiparams{'CERT_PASS2'}' size='32' $cakeydisabled /></td></tr>
f4fbb935
EK		 5009 <tr><td colspan='3'>&nbsp;</td></tr>
5010 <tr><td colspan='3'><hr /></td></tr>
e3edceeb 5011 <tr><td class='base' colspan='3' align='left'><img src='/blob.gif' alt='*' />&nbsp;$Lang::tr{'required field'}</td></tr>
f4fbb935 5012 </table>
ce9abb66
AH		 5013END
5014}else{
49abe7af 5015 print <<END;
f4fbb935 5016 </select></td></tr>
425465ed 5017 <td>&nbsp;</td><td class='base'>$Lang::tr{'valid till'} (days):&nbsp;<img src='/blob.gif' alt='*' /</td>
f4fbb935
EK		 5018 <td class='base' nowrap='nowrap'><input type='text' name='DAYS_VALID' value='$cgiparams{'DAYS_VALID'}' size='32' $cakeydisabled /></td></tr>
5019 <tr><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td></tr>
5020 <tr><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td></tr>
5021 <tr><td colspan='3'><hr /></td></tr>
e3edceeb 5022 <tr><td class='base' colspan='3' align='left'><img src='/blob.gif' alt='*' />&nbsp;$Lang::tr{'required field'}</td></tr>
ce9abb66 5023 </table>
66c36198 5024
c6c9630e 5025END
ce9abb66
AH		 5026}
5027
5028###
7c1d9faf 5029# m.a.d net2net
ce9abb66 5030###
c6c9630e
MT		 5031 ;
5032 &Header::closebox();
66c36198 5033
8c877a82 5034 }
e81be1e1 5035
66c36198 5036#A.Marx CCD new client
e81be1e1 5037if ($cgiparams{'TYPE'} eq 'host') {
8c877a82
AM		 5038 print"<br><br>";
5039 &Header::openbox('100%', 'LEFT', "$Lang::tr{'ccd client options'}:");
5040
66c36198 5041
8c877a82
AM		 5042 print <<END;
5043 <table border='0' width='100%'>
e1e10515 5044 <tr><td width='20%'>$Lang::tr{'enable otp'}:</td><td colspan='3'><input type='checkbox' name='OTP_STATE' $checked{'OTP_STATE'}{'on'} /></td></tr>
8c877a82
AM		 5045 <tr><td width='20%'>Redirect Gateway:</td><td colspan='3'><input type='checkbox' name='RG' $checked{'RG'}{'on'} /></td></tr>
5046 <tr><td colspan='4'><b><br>$Lang::tr{'ccd routes'}</b></td></tr>
5047 <tr><td colspan='4'>&nbsp</td></tr>
5048 <tr><td valign='top'>$Lang::tr{'ccd iroute'}</td><td align='left' width='30%'><textarea name='IR' cols='26' rows='6' wrap='off'>
5049END
66c36198 5050
8c877a82
AM		 5051 if ($cgiparams{'IR'} ne ''){
5052 print $cgiparams{'IR'};
5053 }else{
5054 &General::readhasharray ("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
5055 foreach my $key (keys %ccdroutehash) {
5056 if( $cgiparams{'NAME'} eq $ccdroutehash{$key}[0]){
5057 foreach my $i (1 .. $#{$ccdroutehash{$key}}) {
5058 if ($ccdroutehash{$key}[$i] ne ''){
5059 print $ccdroutehash{$key}[$i]."\n";
5060 }
5061 $cgiparams{'IR'} .= $ccdroutehash{$key}[$i];
5062 }
5063 }
5064 }
c6c9630e 5065 }
66c36198 5066
8c877a82
AM		 5067 print <<END;
5068</textarea></td><td valign='top' colspan='2'>$Lang::tr{'ccd iroutehint'}</td></tr>
5069 <tr><td colspan='4'><br></td></tr>
5070 <tr><td valign='top' rowspan='3'>$Lang::tr{'ccd iroute2'}</td><td align='left' valign='top' rowspan='3'><select name='IFROUTE' style="width: 205px"; size='6' multiple>
5071END
66c36198 5072
52d08bcb
AM		 5073 my $set=0;
5074 my $selorange=0;
5075 my $selblue=0;
5076 my $selgreen=0;
5077 my $helpblue=0;
5078 my $helporange=0;
5079 my $other=0;
df9b48b7 5080 my $none=0;
52d08bcb 5081 my @temp=();
66c36198 5082
8c877a82 5083 our @current = ();
52d08bcb
AM		 5084 open(FILE, "${General::swroot}/main/routing") ;
5085 @current = <FILE>;
5086 close (FILE);
66c36198 5087 &General::readhasharray ("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
df9b48b7
AM		 5088 #check for "none"
5089 foreach my $key (keys %ccdroute2hash) {
5090 if($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}){
5091 if ($ccdroute2hash{$key}[1] eq ''){
5092 $none=1;
5093 last;
5094 }
5095 }
5096 }
5097 if ($none ne '1'){
5098 print"<option>$Lang::tr{'ccd none'}</option>";
5099 }else{
5100 print"<option selected>$Lang::tr{'ccd none'}</option>";
5101 }
52d08bcb
AM		 5102 #check if static routes are defined for client
5103 foreach my $line (@current) {
66c36198 5104 chomp($line);
52d08bcb
AM		 5105 $line=~s/\s*$//g; # remove newline
5106 @temp=split(/\,/,$line);
5107 $temp[1] = '' unless defined $temp[1]; # not always populated
5108 my ($a,$b) = split(/\//,$temp[1]);
5109 $temp[1] = $a."/".&General::iporsubtocidr($b);
5110 foreach my $key (keys %ccdroute2hash) {
5111 if($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}){
5112 foreach my $i (1 .. $#{$ccdroute2hash{$key}}) {
5113 if($ccdroute2hash{$key}[$i] eq $a."/".&General::iporsubtodec($b)){
5114 $set=1;
8c877a82
AM		 5115 }
5116 }
8c877a82 5117 }
52d08bcb
AM		 5118 }
5119 if ($set == '1' && $#temp != -1){ print"<option selected>$temp[1]</option>";$set=0;}elsif($set == '0' && $#temp != -1){print"<option>$temp[1]</option>";}
66c36198 5120 }
3a445974
MT		 5121
5122 my %vpnconfig = ();
5123 &General::readhasharray("${General::swroot}/vpn/config", \%vpnconfig);
5124 foreach my $vpn (keys %vpnconfig) {
5125 # Skip all disabled VPN connections
5126 my $enabled = $vpnconfig{$vpn}[0];
5127 next unless ($enabled eq "on");
5128
5129 my $name = $vpnconfig{$vpn}[1];
5130
5131 # Remote subnets
5132 my @networks = split(/\|/, $vpnconfig{$vpn}[11]);
5133 foreach my $network (@networks) {
5134 my $selected = "";
5135
5136 foreach my $key (keys %ccdroute2hash) {
5137 if ($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}) {
5138 foreach my $i (1 .. $#{$ccdroute2hash{$key}}) {
5139 if ($ccdroute2hash{$key}[$i] eq $network) {
5140 $selected = "selected";
5141 }
5142 }
5143 }
5144 }
5145
5146 print "<option value=\"$network\" $selected>$name ($network)</option>\n";
5147 }
5148 }
5149
52d08bcb
AM		 5150 #check if green,blue,orange are defined for client
5151 foreach my $key (keys %ccdroute2hash) {
5152 if($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}){
5153 $other=1;
5154 foreach my $i (1 .. $#{$ccdroute2hash{$key}}) {
5155 if ($ccdroute2hash{$key}[$i] eq $netsettings{'GREEN_NETADDRESS'}."/".&General::iporsubtodec($netsettings{'GREEN_NETMASK'})){
5156 $selgreen=1;
5157 }
5158 if (&haveBlueNet()){
5159 if( $ccdroute2hash{$key}[$i] eq $netsettings{'BLUE_NETADDRESS'}."/".&General::iporsubtodec($netsettings{'BLUE_NETMASK'})) {
5160 $selblue=1;
5161 }
5162 }
5163 if (&haveOrangeNet()){
5164 if( $ccdroute2hash{$key}[$i] eq $netsettings{'ORANGE_NETADDRESS'}."/".&General::iporsubtodec($netsettings{'ORANGE_NETMASK'}) ) {
5165 $selorange=1;
5166 }
5167 }
5168 }
5169 }
5170 }
5171 if (&haveBlueNet() && $selblue == '1'){ print"<option selected>$Lang::tr{'blue'}</option>";$selblue=0;}elsif(&haveBlueNet() && $selblue == '0'){print"<option>$Lang::tr{'blue'}</option>";}
66c36198 5172 if (&haveOrangeNet() && $selorange == '1'){ print"<option selected>$Lang::tr{'orange'}</option>";$selorange=0;}elsif(&haveOrangeNet() && $selorange == '0'){print"<option>$Lang::tr{'orange'}</option>";}
52d08bcb 5173 if ($selgreen == '1' || $other == '0'){ print"<option selected>$Lang::tr{'green'}</option>";$set=0;}else{print"<option>$Lang::tr{'green'}</option>";};
66c36198 5174
49abe7af 5175 print<<END;
8c877a82
AM		 5176 </select></td><td valign='top'>DNS1:</td><td valign='top'><input type='TEXT' name='CCD_DNS1' value='$cgiparams{'CCD_DNS1'}' size='30' /></td></tr>
5177 <tr valign='top'><td>DNS2:</td><td><input type='TEXT' name='CCD_DNS2' value='$cgiparams{'CCD_DNS2'}' size='30' /></td></tr>
5178 <tr valign='top'><td valign='top'>WINS:</td><td><input type='TEXT' name='CCD_WINS' value='$cgiparams{'CCD_WINS'}' size='30' /></td></tr></table><br><hr>
66c36198 5179
8c877a82
AM		 5180END
5181;
5182 &Header::closebox();
e81be1e1 5183}
c6c9630e
MT		 5184 print "<div align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />";
5185 if ($cgiparams{'KEY'}) {
5186# print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced'}' />";
5187 }
5188 print "<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></div></form>";
5189 &Header::closebigbox();
5190 &Header::closepage();
5191 exit (0);
6e13d0a5 5192 }
c6c9630e 5193 VPNCONF_END:
6e13d0a5 5194}
c6c9630e
MT		 5195
5196# SETTINGS_ERROR:
6e13d0a5
MT		 5197###
5198### Default status page
5199###
c6c9630e
MT		 5200 %cgiparams = ();
5201 %cahash = ();
5202 %confighash = ();
5203 &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams);
5204 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
5205 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
5206
2feacd98
SS		 5207 open(FILE, "/var/run/ovpnserver.log");
5208 my @status = <FILE>;
5209 close(FILE);
c6c9630e
MT		 5210
5211 if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {
8c877a82
AM		 5212 if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
5213 my $ipaddr = <IPADDR>;
5214 close IPADDR;
5215 chomp ($ipaddr);
5216 $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
5217 if ($cgiparams{'VPN_IP'} eq '') {
5218 $cgiparams{'VPN_IP'} = $ipaddr;
5219 }
5220 }
c6c9630e 5221 }
66c36198 5222
6e13d0a5 5223#default setzen
c6c9630e 5224 if ($cgiparams{'DCIPHER'} eq '') {
4c962356 5225 $cgiparams{'DCIPHER'} = 'AES-256-CBC';
c6c9630e 5226 }
c6c9630e 5227 if ($cgiparams{'DDEST_PORT'} eq '') {
4c962356 5228 $cgiparams{'DDEST_PORT'} = '1194';
c6c9630e
MT		 5229 }
5230 if ($cgiparams{'DMTU'} eq '') {
4c962356
EK		 5231 $cgiparams{'DMTU'} = '1400';
5232 }
5233 if ($cgiparams{'MSSFIX'} eq '') {
5234 $cgiparams{'MSSFIX'} = 'off';
5235 }
5236 if ($cgiparams{'DAUTH'} eq '') {
86308adb
EK		 5237 if (-z "${General::swroot}/ovpn/ovpnconfig") {
5238 $cgiparams{'DAUTH'} = 'SHA512';
5239 }
5240 foreach my $key (keys %confighash) {
5241 if ($confighash{$key}[3] ne 'host') {
5242 $cgiparams{'DAUTH'} = 'SHA512';
5243 } else {
5244 $cgiparams{'DAUTH'} = 'SHA1';
5245 }
5246 }
5247 }
0c4ffc69
EK		 5248 if ($cgiparams{'TLSAUTH'} eq '') {
5249 $cgiparams{'TLSAUTH'} = 'off';
5250 }
c6c9630e 5251 if ($cgiparams{'DOVPN_SUBNET'} eq '') {
4c962356 5252 $cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0';
c6c9630e 5253 }
4c962356 5254 $checked{'ENABLED'}{'off'} = '';
c6c9630e
MT		 5255 $checked{'ENABLED'}{'on'} = '';
5256 $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = 'CHECKED';
5257 $checked{'ENABLED_BLUE'}{'off'} = '';
5258 $checked{'ENABLED_BLUE'}{'on'} = '';
5259 $checked{'ENABLED_BLUE'}{$cgiparams{'ENABLED_BLUE'}} = 'CHECKED';
5260 $checked{'ENABLED_ORANGE'}{'off'} = '';
5261 $checked{'ENABLED_ORANGE'}{'on'} = '';
5262 $checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = 'CHECKED';
c6c9630e
MT		 5263
5264 $selected{'DPROTOCOL'}{'udp'} = '';
5265 $selected{'DPROTOCOL'}{'tcp'} = '';
5266 $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
4c962356 5267
52f61e49
EKD		 5268 $selected{'DCIPHER'}{'AES-256-GCM'} = '';
5269 $selected{'DCIPHER'}{'AES-192-GCM'} = '';
5270 $selected{'DCIPHER'}{'AES-128-GCM'} = '';
4c962356
EK		 5271 $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
5272 $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
5273 $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
5274 $selected{'DCIPHER'}{'AES-256-CBC'} = '';
5275 $selected{'DCIPHER'}{'AES-192-CBC'} = '';
5276 $selected{'DCIPHER'}{'AES-128-CBC'} = '';
c6c9630e
MT		 5277 $selected{'DCIPHER'}{'DES-EDE3-CBC'} = '';
5278 $selected{'DCIPHER'}{'DESX-CBC'} = '';
4c962356
EK		 5279 $selected{'DCIPHER'}{'SEED-CBC'} = '';
5280 $selected{'DCIPHER'}{'DES-EDE-CBC'} = '';
5281 $selected{'DCIPHER'}{'CAST5-CBC'} = '';
5282 $selected{'DCIPHER'}{'BF-CBC'} = '';
4c962356 5283 $selected{'DCIPHER'}{'DES-CBC'} = '';
c6c9630e 5284 $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED';
4c962356
EK		 5285
5286 $selected{'DAUTH'}{'whirlpool'} = '';
5287 $selected{'DAUTH'}{'SHA512'} = '';
5288 $selected{'DAUTH'}{'SHA384'} = '';
5289 $selected{'DAUTH'}{'SHA256'} = '';
4c962356
EK		 5290 $selected{'DAUTH'}{'SHA1'} = '';
5291 $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';
5292
0c4ffc69
EK		 5293 $checked{'TLSAUTH'}{'off'} = '';
5294 $checked{'TLSAUTH'}{'on'} = '';
5295 $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED';
5296
c6c9630e
MT		 5297 $checked{'DCOMPLZO'}{'off'} = '';
5298 $checked{'DCOMPLZO'}{'on'} = '';
5299 $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED';
4c962356 5300
d96c89eb
AH		 5301# m.a.d
5302 $checked{'MSSFIX'}{'off'} = '';
5303 $checked{'MSSFIX'}{'on'} = '';
5304 $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
6e13d0a5 5305#new settings
c6c9630e
MT		 5306 &Header::showhttpheaders();
5307 &Header::openpage($Lang::tr{'status ovpn'}, 1, '');
5308 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
6e13d0a5 5309
c6c9630e 5310 if ($errormessage) {
6e13d0a5
MT		 5311 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
5312 print "<class name='base'>$errormessage\n";
5313 print "&nbsp;</class>\n";
5314 &Header::closebox();
c6c9630e 5315 }
6e13d0a5 5316
400c8afd
EK		 5317 if ($cryptoerror) {
5318 &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto error'});
5319 print "<class name='base'>$cryptoerror";
5320 print "&nbsp;</class>";
5321 &Header::closebox();
5322 }
5323
5324 if ($cryptowarning) {
5325 &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto warning'});
5326 print "<class name='base'>$cryptowarning";
5327 print "&nbsp;</class>";
5328 &Header::closebox();
5329 }
5330
b2e75449
MT		 5331 if ($warnmessage) {
5332 &Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'});
5333 print "$warnmessage<br>";
5334 print "$Lang::tr{'fwdfw warn1'}<br>";
5335 &Header::closebox();
5336 print"<center><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'ok'}' style='width: 5em;'></form>";
5337 &Header::closepage();
5338 exit 0;
5339 }
4d81e0f3 5340
c6c9630e
MT		 5341 my $sactive = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourred}' width='50%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'stopped'}</font></b></td></tr></table>";
5342 my $srunning = "no";
5343 my $activeonrun = "";
5344 if ( -e "/var/run/openvpn.pid"){
6e13d0a5
MT		 5345 $sactive = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourgreen}' width='50%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'running'}</font></b></td></tr></table>";
5346 $srunning ="yes";
5347 $activeonrun = "";
c6c9630e 5348 } else {
6e13d0a5 5349 $activeonrun = "disabled='disabled'";
66c36198
PM		 5350 }
5351 &Header::openbox('100%', 'LEFT', $Lang::tr{'global settings'});
4c962356 5352 print <<END;
631b67b7 5353 <table width='100%' border='0'>
c6c9630e
MT		 5354 <form method='post'>
5355 <td width='25%'>&nbsp;</td>
5356 <td width='25%'>&nbsp;</td>
5357 <td width='25%'>&nbsp;</td></tr>
5358 <tr><td class='boldbase'>$Lang::tr{'ovpn server status'}</td>
5359 <td align='left'>$sactive</td>
5360 <tr><td class='boldbase'>$Lang::tr{'ovpn on red'}</td>
8c877a82 5361 <td><input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /></td>
c6c9630e
MT		 5362END
5363;
5364 if (&haveBlueNet()) {
5365 print "<tr><td class='boldbase'>$Lang::tr{'ovpn on blue'}</td>";
5366 print "<td><input type='checkbox' name='ENABLED_BLUE' $checked{'ENABLED_BLUE'}{'on'} /></td>";
5367 }
66c36198 5368 if (&haveOrangeNet()) {
c6c9630e
MT		 5369 print "<tr><td class='boldbase'>$Lang::tr{'ovpn on orange'}</td>";
5370 print "<td><input type='checkbox' name='ENABLED_ORANGE' $checked{'ENABLED_ORANGE'}{'on'} /></td>";
86308adb
EK		 5371 }
5372
5373 print <<END;
5374
5375 <tr><td colspan='4'><br></td></tr>
5376 <tr>
5377 <td class'base'><b>$Lang::tr{'net config'}:</b></td>
5378 </tr>
5379 <tr><td colspan='1'><br></td></tr>
5380
4e17adad
CS		 5381 <tr><td class='base' nowrap='nowrap' colspan='2'>$Lang::tr{'local vpn hostname/ip'}:<br /><input type='text' name='VPN_IP' value='$cgiparams{'VPN_IP'}' size='30' /></td>
5382 <td class='boldbase' nowrap='nowrap' colspan='2'>$Lang::tr{'ovpn subnet'}<br /><input type='TEXT' name='DOVPN_SUBNET' value='$cgiparams{'DOVPN_SUBNET'}' size='30' /></td></tr>
c6c9630e
MT		 5383 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'protocol'}</td>
5384 <td><select name='DPROTOCOL'><option value='udp' $selected{'DPROTOCOL'}{'udp'}>UDP</option>
66c36198 5385 <option value='tcp' $selected{'DPROTOCOL'}{'tcp'}>TCP</option></select></td>
c6c9630e
MT		 5386 <td class='boldbase'>$Lang::tr{'destination port'}:</td>
5387 <td><input type='TEXT' name='DDEST_PORT' value='$cgiparams{'DDEST_PORT'}' size='5' /></td></tr>
5388 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'MTU'}&nbsp;</td>
bc2b3e94 5389 <td> <input type='TEXT' name='DMTU' VALUE='$cgiparams{'DMTU'}' size='5' /></td>
86308adb
EK		 5390 </tr>
5391
5392 <tr><td colspan='4'><br></td></tr>
5393 <tr>
5394 <td class'base'><b>$Lang::tr{'ovpn crypt options'}:</b></td>
5395 </tr>
5396 <tr><td colspan='1'><br></td></tr>
5397
5398 <tr>
5399 <td class='base'>$Lang::tr{'ovpn ha'}</td>
5400 <td><select name='DAUTH'>
5401 <option value='whirlpool' $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
5402 <option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
5403 <option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
5404 <option value='SHA256' $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
5405 <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
5406 </select>
5407 </td>
f527e53f 5408
4c962356
EK		 5409 <td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td>
5410 <td><select name='DCIPHER'>
52f61e49
EKD		 5411 <option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
5412 <option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
5413 <option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
4c962356 5414 <option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
f527e53f 5415 <option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
4c962356
EK		 5416 <option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
5417 <option value='AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'})</option>
5418 <option value='AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
5419 <option value='AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
4c962356 5420 <option value='SEED-CBC' $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
ea6dd5b0
EK		 5421 <option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
5422 <option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
5423 <option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
5424 <option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
5425 <option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
4c962356
EK		 5426 </select>
5427 </td>
4c962356 5428 </tr>
0c4ffc69
EK		 5429
5430 <tr><td colspan='4'><br></td></tr>
5431 <tr>
5432 <td class='base'>$Lang::tr{'ovpn tls auth'}</td>
5433 <td><input type='checkbox' name='TLSAUTH' $checked{'TLSAUTH'}{'on'} /></td>
5434 </tr>
5435
f7edf97a 5436 <tr><td colspan='4'><br><br></td></tr>
c6c9630e 5437END
66c36198
PM		 5438;
5439
c6c9630e 5440 if ( $srunning eq "yes" ) {
8c877a82
AM		 5441 print "<tr><td align='right' colspan='4'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' disabled='disabled' />";
5442 print "<input type='submit' name='ACTION' value='$Lang::tr{'ccd net'}' />";
66c36198 5443 print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />";
8c877a82 5444 print "<input type='submit' name='ACTION' value='$Lang::tr{'stop ovpn server'}' /></td></tr>";
c6c9630e 5445 } else{
8c877a82
AM		 5446 print "<tr><td align='right' colspan='4'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />";
5447 print "<input type='submit' name='ACTION' value='$Lang::tr{'ccd net'}' />";
5448 print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />";
c6c9630e
MT		 5449 if (( -e "${General::swroot}/ovpn/ca/cacert.pem" &&
5450 -e "${General::swroot}/ovpn/ca/dh1024.pem" &&
5451 -e "${General::swroot}/ovpn/certs/servercert.pem" &&
5452 -e "${General::swroot}/ovpn/certs/serverkey.pem") &&
66c36198 5453 (( $cgiparams{'ENABLED'} eq 'on') ||
c6c9630e
MT		 5454 ( $cgiparams{'ENABLED_BLUE'} eq 'on') ||
5455 ( $cgiparams{'ENABLED_ORANGE'} eq 'on'))){
8c877a82 5456 print "<input type='submit' name='ACTION' value='$Lang::tr{'start ovpn server'}' /></td></tr>";
c6c9630e 5457 } else {
66c36198
PM		 5458 print "<input type='submit' name='ACTION' value='$Lang::tr{'start ovpn server'}' disabled='disabled' /></td></tr>";
5459 }
c6c9630e
MT		 5460 }
5461 print "</form></table>";
5462 &Header::closebox();
6e13d0a5 5463
c6c9630e 5464 if ( -f "${General::swroot}/ovpn/ca/cacert.pem" ) {
ce9abb66 5465###
7c1d9faf 5466# m.a.d net2net
54fd0535 5467#<td width='25%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b><br /><img src='/images/null.gif' width='125' height='1' border='0' alt='L2089' /></td>
ce9abb66
AH		 5468###
5469
4c962356 5470 &Header::openbox('100%', 'LEFT', $Lang::tr{'connection status and controlc' });
c6c9630e 5471 ;
99bfa85c
AM		 5472 my $id = 0;
5473 my $gif;
f7edf97a 5474 my $col1="";
5b942f7f 5475 my $lastnet;
c8b51e28 5476 foreach my $key (sort { ncmp ($confighash{$a}[32],$confighash{$b}[32]) } sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) {
5b942f7f
AM		 5477 if ($confighash{$key}[32] eq "" && $confighash{$key}[3] eq 'net' ){$confighash{$key}[32]=$Lang::tr{'fwhost OpenVPN N-2-N'};}
5478 if ($confighash{$key}[32] eq "dynamic"){$confighash{$key}[32]=$Lang::tr{'ccd dynrange'};}
5479 if($id == 0){
5480 print"<b>$confighash{$key}[32]</b>";
5481 print <<END;
5482 <table width='100%' cellspacing='1' cellpadding='0' class='tbl'>
5483<tr>
5484 <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></th>
5485 <th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th>
5486 <th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
5487 <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
e1e10515 5488 <th width='5%' class='boldbase' colspan='8' align='center'><b>$Lang::tr{'action'}</b></th>
5b942f7f
AM		 5489</tr>
5490END
5491 }
5492 if ($id > 0 && $lastnet ne $confighash{$key}[32]){
5493 print "</table><br>";
5494 print"<b>$confighash{$key}[32]</b>";
5495 print <<END;
5496 <table width='100%' cellspacing='1' cellpadding='0' class='tbl'>
5497<tr>
5498 <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></th>
5499 <th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th>
5500 <th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
5501 <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
e1e10515 5502 <th width='5%' class='boldbase' colspan='8' align='center'><b>$Lang::tr{'action'}</b></th>
5b942f7f
AM		 5503</tr>
5504END
5505 }
eff2dbf8 5506 if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; }
c6c9630e 5507 if ($id % 2) {
99bfa85c
AM		 5508 print "<tr>";
5509 $col="bgcolor='$color{'color20'}'";
bb89e92a 5510 } else {
99bfa85c
AM		 5511 print "<tr>";
5512 $col="bgcolor='$color{'color22'}'";
c6c9630e 5513 }
99bfa85c
AM		 5514 print "<td align='center' nowrap='nowrap' $col>$confighash{$key}[1]</td>";
5515 print "<td align='center' nowrap='nowrap' $col>" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ")</td>";
8c877a82
AM		 5516 #if ($confighash{$key}[4] eq 'cert') {
5517 #print "<td align='left' nowrap='nowrap'>$confighash{$key}[2]</td>";
5518 #} else {
5519 #print "<td align='left'>&nbsp;</td>";
5520 #}
2feacd98
SS		 5521 my @cavalid = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem");
5522 my $cavalid;
5523
5524 foreach my $line (@cavalid) {
5525 if ($line =~ /Not After : (.*)[\n]/) {
5526 $cavalid = $1;
5527
5528 last;
5529 }
5530 }
5531
99bfa85c 5532 print "<td align='center' $col>$confighash{$key}[25]</td>";
f7edf97a
AM		 5533 $col1="bgcolor='${Header::colourred}'";
5534 my $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>";
ce9abb66 5535
c6c9630e 5536 if ($confighash{$key}[0] eq 'off') {
f7edf97a
AM		 5537 $col1="bgcolor='${Header::colourblue}'";
5538 $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>";
c6c9630e 5539 } else {
ce9abb66
AH		 5540
5541###
7c1d9faf 5542# m.a.d net2net
f7edf97a
AM		 5543###
5544
b278daf3 5545 if ($confighash{$key}[3] eq 'net') {
54fd0535
MT		 5546
5547 if (-e "/var/run/$confighash{$key}[1]n2n.pid") {
5548 my @output = "";
5549 my @tustate = "";
5550 my $tport = $confighash{$key}[22];
66c36198 5551 my $tnet = new Net::Telnet ( Timeout=>5, Errmode=>'return', Port=>$tport);
54fd0535
MT		 5552 if ($tport ne '') {
5553 $tnet->open('127.0.0.1');
5554 @output = $tnet->cmd(String => 'state', Prompt => '/(END.*\n|ERROR:.*\n)/');
5555 @tustate = split(/\,/, $output[1]);
5556###
5557#CONNECTING -- OpenVPN's initial state.
5558#WAIT -- (Client only) Waiting for initial response from server.
5559#AUTH -- (Client only) Authenticating with server.
5560#GET_CONFIG -- (Client only) Downloading configuration options from server.
5561#ASSIGN_IP -- Assigning IP address to virtual network interface.
5562#ADD_ROUTES -- Adding routes to system.
5563#CONNECTED -- Initialization Sequence Completed.
5564#RECONNECTING -- A restart has occurred.
5565#EXITING -- A graceful exit is in progress.
5566####
5567
ed4b4c19 5568 if (($tustate[1] eq 'CONNECTED') || ($tustate[1] eq 'WAIT')) {
f7edf97a
AM		 5569 $col1="bgcolor='${Header::colourgreen}'";
5570 $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>";
5571 }else {
5572 $col1="bgcolor='${Header::colourred}'";
5573 $active = "<b><font color='#FFFFFF'>$tustate[1]</font></b>";
5574 }
54fd0535 5575 }
54fd0535 5576 }
f7edf97a
AM		 5577 }else {
5578
5579 my $cn;
5580 my @match = ();
5581 foreach my $line (@status) {
5582 chomp($line);
5583 if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) {
5584 @match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line);
5585 if ($match[1] ne "Common Name") {
5586 $cn = $match[1];
5587 }
5588 $cn =~ s/[_]/ /g;
5589 if ($cn eq "$confighash{$key}[2]") {
5590 $col1="bgcolor='${Header::colourgreen}'";
5591 $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>";
5592 }
5593 }
5594 }
c6c9630e 5595 }
7c1d9faf 5596}
ce9abb66
AH		 5597
5598
4c962356 5599 print <<END;
f7edf97a 5600 <td align='center' $col1>$active</td>
66c36198 5601
99bfa85c 5602 <form method='post' name='frm${key}a'><td align='center' $col>
96096995
AM		 5603 <input type='image' name='$Lang::tr{'dl client arch'}' src='/images/openvpn.png' alt='$Lang::tr{'dl client arch'}' title='$Lang::tr{'dl client arch'}' border='0' />
5604 <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
5605 <input type='hidden' name='KEY' value='$key' />
c6c9630e
MT		 5606 </td></form>
5607END
5608 ;
71af643c
MT		 5609
5610 if ($confighash{$key}[41] eq "no-pass") {
5611 print <<END;
5612 <form method='post' name='frm${key}g'><td align='center' $col>
5613 <input type='image' name='$Lang::tr{'dl client arch insecure'}' src='/images/openvpn.png'
5614 alt='$Lang::tr{'dl client arch insecure'}' title='$Lang::tr{'dl client arch insecure'}' border='0' />
5615 <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
5616 <input type='hidden' name='MODE' value='insecure' />
5617 <input type='hidden' name='KEY' value='$key' />
5618 </td></form>
5619END
5620 } else {
5621 print "<td $col>&nbsp;</td>";
5622 }
5623
c6c9630e 5624 if ($confighash{$key}[4] eq 'cert') {
4c962356 5625 print <<END;
99bfa85c 5626 <form method='post' name='frm${key}b'><td align='center' $col>
c6c9630e
MT		 5627 <input type='image' name='$Lang::tr{'show certificate'}' src='/images/info.gif' alt='$Lang::tr{'show certificate'}' title='$Lang::tr{'show certificate'}' border='0' />
5628 <input type='hidden' name='ACTION' value='$Lang::tr{'show certificate'}' />
5629 <input type='hidden' name='KEY' value='$key' />
5630 </td></form>
5631END
5632 ; } else {
5633 print "<td>&nbsp;</td>";
5634 }
e1e10515
TE		 5635
5636 if ($confighash{$key}[43] eq 'on') {
5637 print <<END;
5638<form method='post' name='frm${key}o'><td align='center' $col>
5639<input type='image' name='$Lang::tr{'show otp qrcode'}' src='/images/qr-code.png' alt='$Lang::tr{'show otp qrcode'}' title='$Lang::tr{'show otp qrcode'}' border='0' />
5640<input type='hidden' name='ACTION' value='$Lang::tr{'show otp qrcode'}' />
5641<input type='hidden' name='KEY' value='$key' />
5642</td></form>
5643END
5644; } else {
5645 print "<td $col>&nbsp;</td>";
5646 }
5647
66c36198 5648 if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$key}[1].p12") {
4c962356 5649 print <<END;
99bfa85c 5650 <form method='post' name='frm${key}c'><td align='center' $col>
438dd0cc 5651 <input type='image' name='$Lang::tr{'download pkcs12 file'}' src='/images/media-floppy.png' alt='$Lang::tr{'download pkcs12 file'}' title='$Lang::tr{'download pkcs12 file'}' border='0' />
c6c9630e
MT		 5652 <input type='hidden' name='ACTION' value='$Lang::tr{'download pkcs12 file'}' />
5653 <input type='hidden' name='KEY' value='$key' />
5654 </td></form>
5655END
5656 ; } elsif ($confighash{$key}[4] eq 'cert') {
4c962356 5657 print <<END;
99bfa85c 5658 <form method='post' name='frm${key}c'><td align='center' $col>
438dd0cc 5659 <input type='image' name='$Lang::tr{'download certificate'}' src='/images/media-floppy.png' alt='$Lang::tr{'download certificate'}' title='$Lang::tr{'download certificate'}' border='0' />
c6c9630e
MT		 5660 <input type='hidden' name='ACTION' value='$Lang::tr{'download certificate'}' />
5661 <input type='hidden' name='KEY' value='$key' />
5662 </td></form>
5663END
5664 ; } else {
5665 print "<td>&nbsp;</td>";
5666 }
5667 print <<END
99bfa85c 5668 <form method='post' name='frm${key}d'><td align='center' $col>
c6c9630e
MT		 5669 <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$Lang::tr{'toggle enable disable'}' title='$Lang::tr{'toggle enable disable'}' border='0' />
5670 <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' />
5671 <input type='hidden' name='KEY' value='$key' />
5672 </td></form>
5673
99bfa85c 5674 <form method='post' name='frm${key}e'><td align='center' $col>
c6c9630e
MT		 5675 <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' />
5676 <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' width='20' height='20' border='0'/>
5677 <input type='hidden' name='KEY' value='$key' />
5678 </td></form>
99bfa85c 5679 <form method='post' name='frm${key}f'><td align='center' $col>
c6c9630e
MT		 5680 <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}' />
5681 <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' width='20' height='20' border='0' />
5682 <input type='hidden' name='KEY' value='$key' />
5683 </td></form>
5684 </tr>
5685END
5686 ;
5687 $id++;
5b942f7f 5688 $lastnet = $confighash{$key}[32];
c6c9630e 5689 }
5b942f7f 5690 print"</table>";
c6c9630e
MT		 5691 ;
5692
5693 # If the config file contains entries, print Key to action icons
5694 if ( $id ) {
4c962356 5695 print <<END;
8c877a82 5696 <table border='0'>
c6c9630e 5697 <tr>
4c962356
EK		 5698 <td class='boldbase'>&nbsp; <b>$Lang::tr{'legend'}:</b></td>
5699 <td>&nbsp; <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td>
5700 <td class='base'>$Lang::tr{'click to disable'}</td>
5701 <td>&nbsp; &nbsp; <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>
5702 <td class='base'>$Lang::tr{'show certificate'}</td>
5703 <td>&nbsp; &nbsp; <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td>
5704 <td class='base'>$Lang::tr{'edit'}</td>
5705 <td>&nbsp; &nbsp; <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td>
5706 <td class='base'>$Lang::tr{'remove'}</td>
c6c9630e
MT		 5707 </tr>
5708 <tr>
4c962356
EK		 5709 <td>&nbsp; </td>
5710 <td>&nbsp; <img src='/images/off.gif' alt='?OFF' /></td>
5711 <td class='base'>$Lang::tr{'click to enable'}</td>
5712 <td>&nbsp; &nbsp; <img src='/images/media-floppy.png' alt='?FLOPPY' /></td>
5713 <td class='base'>$Lang::tr{'download certificate'}</td>
5714 <td>&nbsp; &nbsp; <img src='/images/openvpn.png' alt='?RELOAD'/></td>
5715 <td class='base'>$Lang::tr{'dl client arch'}</td>
e1e10515
TE		 5716 <td>&nbsp; &nbsp; <img src='/images/qr-code.png' alt='$Lang::tr{'show otp qrcode'}'/></td>
5717 <td class='base'>$Lang::tr{'show otp qrcode'}</td>
4c962356 5718 </tr>
f7edf97a 5719 </table><br>
c6c9630e
MT		 5720END
5721 ;
5722 }
5723
4c962356 5724 print <<END;
c6c9630e
MT		 5725 <table width='100%'>
5726 <form method='post'>
4c962356
EK		 5727 <tr><td align='right'>
5728 <input type='submit' name='ACTION' value='$Lang::tr{'add'}' />
5729 <input type='submit' name='ACTION' value='$Lang::tr{'ovpn con stat'}' $activeonrun /></td>
5730 </tr>
c6c9630e
MT		 5731 </form>
5732 </table>
5733END
4c962356
EK		 5734 ;
5735 &Header::closebox();
5736 }
fd5ccb2d
EK		 5737
5738 # CA/key listing
4c962356
EK		 5739 &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate authorities'}");
5740 print <<END;
5741 <table width='100%' cellspacing='1' cellpadding='0' class='tbl'>
5742 <tr>
5743 <th width='25%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></th>
5744 <th width='65%' class='boldbase' align='center'><b>$Lang::tr{'subject'}</b></th>
5745 <th width='10%' class='boldbase' colspan='3' align='center'><b>$Lang::tr{'action'}</b></th>
5746 </tr>
5747END
5748 ;
5749 my $col1="bgcolor='$color{'color22'}'";
f7fb5bc5 5750 my $col2="bgcolor='$color{'color20'}'";
c8f50356 5751 # DH parameter line
f7fb5bc5 5752 my $col3="bgcolor='$color{'color22'}'";
fd5ccb2d
EK		 5753 # ta.key line
5754 my $col4="bgcolor='$color{'color20'}'";
f7fb5bc5 5755
4c962356 5756 if (-f "${General::swroot}/ovpn/ca/cacert.pem") {
2feacd98
SS		 5757 my @casubject = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/cacert.pem");
5758 my $casubject;
5759
5760 foreach my $line (@casubject) {
5761 if ($line =~ /Subject: (.*)[\n]/) {
5762 $casubject = $1;
5763 $casubject =~ s+/Email+, E+;
5764 $casubject =~ s/ ST=/ S=/;
5765
5766 last;
5767 }
5768 }
5769
4c962356
EK		 5770 print <<END;
5771 <tr>
5772 <td class='base' $col1>$Lang::tr{'root certificate'}</td>
5773 <td class='base' $col1>$casubject</td>
c8f50356 5774 <form method='post' name='frmrootcrta'><td width='3%' align='center' $col1>
4c962356
EK		 5775 <input type='hidden' name='ACTION' value='$Lang::tr{'show root certificate'}' />
5776 <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show root certificate'}' title='$Lang::tr{'show root certificate'}' width='20' height='20' border='0' />
c8f50356
EK		 5777 </form>
5778 <form method='post' name='frmrootcrtb'><td width='3%' align='center' $col1>
4c962356
EK		 5779 <input type='image' name='$Lang::tr{'download root certificate'}' src='/images/media-floppy.png' alt='$Lang::tr{'download root certificate'}' title='$Lang::tr{'download root certificate'}' border='0' />
5780 <input type='hidden' name='ACTION' value='$Lang::tr{'download root certificate'}' />
c8f50356
EK		 5781 </form>
5782 <td width='4%' $col1>&nbsp;</td>
5783 </tr>
4c962356
EK		 5784END
5785 ;
5786 } else {
5787 # display rootcert generation buttons
5788 print <<END;
5789 <tr>
5790 <td class='base' $col1>$Lang::tr{'root certificate'}:</td>
5791 <td class='base' $col1>$Lang::tr{'not present'}</td>
c8f50356
EK		 5792 <td colspan='3' $col1>&nbsp;</td>
5793 </tr>
4c962356
EK		 5794END
5795 ;
5796 }
5797
5798 if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
2feacd98
SS		 5799 my @hostsubject = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
5800 my $hostsubject;
5801
5802 foreach my $line (@hostsubject) {
5803 if ($line =~ /Subject: (.*)[\n]/) {
5804 $hostsubject = $1;
5805 $hostsubject =~ s+/Email+, E+;
5806 $hostsubject =~ s/ ST=/ S=/;
5807
5808 last;
5809 }
5810 }
4c962356
EK		 5811
5812 print <<END;
5813 <tr>
5814 <td class='base' $col2>$Lang::tr{'host certificate'}</td>
5815 <td class='base' $col2>$hostsubject</td>
c8f50356 5816 <form method='post' name='frmhostcrta'><td width='3%' align='center' $col2>
4c962356
EK		 5817 <input type='hidden' name='ACTION' value='$Lang::tr{'show host certificate'}' />
5818 <input type='image' name='$Lang::tr{'show host certificate'}' src='/images/info.gif' alt='$Lang::tr{'show host certificate'}' title='$Lang::tr{'show host certificate'}' width='20' height='20' border='0' />
c8f50356
EK		 5819 </form>
5820 <form method='post' name='frmhostcrtb'><td width='3%' align='center' $col2>
4c962356
EK		 5821 <input type='image' name="$Lang::tr{'download host certificate'}" src='/images/media-floppy.png' alt="$Lang::tr{'download host certificate'}" title="$Lang::tr{'download host certificate'}" border='0' />
5822 <input type='hidden' name='ACTION' value="$Lang::tr{'download host certificate'}" />
c8f50356
EK		 5823 </td></form>
5824 <td width='4%' $col2>&nbsp;</td>
5825 </tr>
4c962356
EK		 5826END
5827 ;
5828 } else {
5829 # Nothing
5830 print <<END;
5831 <tr>
5832 <td width='25%' class='base' $col2>$Lang::tr{'host certificate'}:</td>
5833 <td class='base' $col2>$Lang::tr{'not present'}</td>
c8f50356
EK		 5834 </td><td colspan='3' $col2>&nbsp;</td>
5835 </tr>
4c962356
EK		 5836END
5837 ;
5838 }
ce9abb66 5839
f7fb5bc5
EK		 5840 # Adding DH parameter to chart
5841 if (-f "${General::swroot}/ovpn/ca/dh1024.pem") {
b959b9f5 5842 my @dhsubject = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/dh1024.pem");
2feacd98 5843 my $dhsubject;
f7fb5bc5 5844
2feacd98
SS		 5845 foreach my $line (@dhsubject) {
5846 if ($line =~ / (.*)[\n]/) {
5847 $dhsubject = $1;
5848
5849 last;
5850 }
5851 }
f7fb5bc5
EK		 5852
5853 print <<END;
5854 <tr>
5855 <td class='base' $col3>$Lang::tr{'dh parameter'}</td>
5856 <td class='base' $col3>$dhsubject</td>
c8f50356 5857 <form method='post' name='frmdhparam'><td width='3%' align='center' $col3>
f7fb5bc5
EK		 5858 <input type='hidden' name='ACTION' value='$Lang::tr{'show dh'}' />
5859 <input type='image' name='$Lang::tr{'show dh'}' src='/images/info.gif' alt='$Lang::tr{'show dh'}' title='$Lang::tr{'show dh'}' width='20' height='20' border='0' />
c8f50356
EK		 5860 </form>
5861 <form method='post' name='frmdhparam'><td width='3%' align='center' $col3>
c8f50356
EK		 5862 </form>
5863 <td width='4%' $col3>&nbsp;</td>
5864 </tr>
f7fb5bc5
EK		 5865END
5866 ;
5867 } else {
5868 # Nothing
5869 print <<END;
5870 <tr>
5871 <td width='25%' class='base' $col3>$Lang::tr{'dh parameter'}:</td>
5872 <td class='base' $col3>$Lang::tr{'not present'}</td>
c8f50356
EK		 5873 </td><td colspan='3' $col3>&nbsp;</td>
5874 </tr>
f7fb5bc5
EK		 5875END
5876 ;
5877 }
5878
fd5ccb2d
EK		 5879 # Adding ta.key to chart
5880 if (-f "${General::swroot}/ovpn/certs/ta.key") {
2feacd98
SS		 5881 open(FILE, "${General::swroot}/ovpn/certs/ta.key");
5882 my @tasubject = <FILE>;
5883 close(FILE);
5884
5885 my $tasubject;
5886 foreach my $line (@tasubject) {
5887 if($line =~ /# (.*)[\n]/) {
5888 $tasubject = $1;
5889
5890 last;
5891 }
5892 }
5893
fd5ccb2d
EK		 5894 print <<END;
5895
5896 <tr>
5897 <td class='base' $col4>$Lang::tr{'ta key'}</td>
5898 <td class='base' $col4>$tasubject</td>
5899 <form method='post' name='frmtakey'><td width='3%' align='center' $col4>
5900 <input type='hidden' name='ACTION' value='$Lang::tr{'show tls-auth key'}' />
5901 <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show tls-auth key'}' title='$Lang::tr{'show tls-auth key'}' width='20' height='20' border='0' />
5902 </form>
5903 <form method='post' name='frmtakey'><td width='3%' align='center' $col4>
5904 <input type='image' name='$Lang::tr{'download tls-auth key'}' src='/images/media-floppy.png' alt='$Lang::tr{'download tls-auth key'}' title='$Lang::tr{'download tls-auth key'}' border='0' />
5905 <input type='hidden' name='ACTION' value='$Lang::tr{'download tls-auth key'}' />
5906 </form>
5907 <td width='4%' $col4>&nbsp;</td>
5908 </tr>
5909END
5910 ;
5911 } else {
5912 # Nothing
5913 print <<END;
5914 <tr>
5915 <td width='25%' class='base' $col4>$Lang::tr{'ta key'}:</td>
5916 <td class='base' $col4>$Lang::tr{'not present'}</td>
5917 <td colspan='3' $col4>&nbsp;</td>
5918 </tr>
5919END
5920 ;
5921 }
5922
4c962356
EK		 5923 if (! -f "${General::swroot}/ovpn/ca/cacert.pem") {
5924 print "<tr><td colspan='5' align='center'><form method='post'>";
5925 print "<input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' />";
5926 print "</form></td></tr>\n";
5927 }
5928
5929 if (keys %cahash > 0) {
5930 foreach my $key (keys %cahash) {
5931 if (($key + 1) % 2) {
5932 print "<tr bgcolor='$color{'color20'}'>\n";
5933 } else {
5934 print "<tr bgcolor='$color{'color22'}'>\n";
5935 }
5936 print "<td class='base'>$cahash{$key}[0]</td>\n";
5937 print "<td class='base'>$cahash{$key}[1]</td>\n";
5938 print <<END;
5939 <form method='post' name='cafrm${key}a'><td align='center'>
5940 <input type='image' name='$Lang::tr{'show ca certificate'}' src='/images/info.gif' alt='$Lang::tr{'show ca certificate'}' title='$Lang::tr{'show ca certificate'}' border='0' />
5941 <input type='hidden' name='ACTION' value='$Lang::tr{'show ca certificate'}' />
5942 <input type='hidden' name='KEY' value='$key' />
5943 </td></form>
5944 <form method='post' name='cafrm${key}b'><td align='center'>
5945 <input type='image' name='$Lang::tr{'download ca certificate'}' src='/images/media-floppy.png' alt='$Lang::tr{'download ca certificate'}' title='$Lang::tr{'download ca certificate'}' border='0' />
5946 <input type='hidden' name='ACTION' value='$Lang::tr{'download ca certificate'}' />
5947 <input type='hidden' name='KEY' value='$key' />
5948 </td></form>
5949 <form method='post' name='cafrm${key}c'><td align='center'>
5950 <input type='hidden' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />
5951 <input type='image' name='$Lang::tr{'remove ca certificate'}' src='/images/delete.gif' alt='$Lang::tr{'remove ca certificate'}' title='$Lang::tr{'remove ca certificate'}' width='20' height='20' border='0' />
5952 <input type='hidden' name='KEY' value='$key' />
5953 </td></form></tr>
5954END
5955 ;
5956 }
5957 }
5958
5959 print "</table>";
5960
5961 # If the file contains entries, print Key to action icons
5962 if ( -f "${General::swroot}/ovpn/ca/cacert.pem") {
5963 print <<END;
5964 <table>
5965 <tr>
5966 <td class='boldbase'>&nbsp; <b>$Lang::tr{'legend'}:</b></td>
5967 <td>&nbsp; &nbsp; <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>
5968 <td class='base'>$Lang::tr{'show certificate'}</td>
5969 <td>&nbsp; &nbsp; <img src='/images/media-floppy.png' alt='$Lang::tr{'download certificate'}' /></td>
5970 <td class='base'>$Lang::tr{'download certificate'}</td>
5971 </tr>
5972 </table>
5973END
5974 ;
5975 }
ce9abb66 5976
4c962356 5977 print <<END
578f23c8
SS		 5978
5979 <br><hr><br>
5980
4c962356 5981 <form method='post' enctype='multipart/form-data'>
578f23c8
SS		 5982 <table border='0' width='100%'>
5983 <tr>
5984 <td colspan='4'><b>$Lang::tr{'upload ca certificate'}</b></td>
5985 </tr>
4c962356 5986
578f23c8
SS		 5987 <tr>
5988 <td width='10%'>$Lang::tr{'ca name'}:</td>
5989 <td width='30%'><input type='text' name='CA_NAME' value='$cgiparams{'CA_NAME'}' size='15' align='left'></td>
5990 <td width='30%'><input type='file' name='FH' size='25'>
5991 <td width='30%'align='right'><input type='submit' name='ACTION' value='$Lang::tr{'upload ca certificate'}'></td>
5992 </tr>
f527e53f 5993
578f23c8
SS		 5994 <tr>
5995 <td colspan='3'>&nbsp;</td>
5996 <td align='right'><input type='submit' name='ACTION' value='$Lang::tr{'show crl'}' /></td>
5997 </tr>
5998 </table>
f527e53f 5999
578f23c8
SS		 6000 <br>
6001
6002 <table border='0' width='100%'>
6003 <tr>
6004 <td colspan='4'><b>$Lang::tr{'ovpn dh parameters'}</b></td>
6005 </tr>
6006
6007 <tr>
6008 <td width='40%'>$Lang::tr{'ovpn dh upload'}:</td>
6009 <td width='30%'><input type='file' name='FH' size='25'>
6010 <td width='30%' align='right'><input type='submit' name='ACTION' value='$Lang::tr{'upload dh key'}'></td>
6011 </tr>
6012
6013 <tr>
6014 <td width='40%'>$Lang::tr{'ovpn dh new key'}:</td>
6015 <td colspan='2' width='60%' align='right'><input type='submit' name='ACTION' value='$Lang::tr{'generate dh key'}' /></td>
6016 </tr>
6017 </table>
6018 </form>
66c36198 6019
578f23c8 6020 <br><hr>
4c962356
EK		 6021END
6022 ;
6023
6024 if ( $srunning eq "yes" ) {
6025 print "<div align='center'><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' disabled='disabled' /></div></form>\n";
6026 } else {
6027 print "<div align='center'><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' /></div></form>\n";
6028 }
6029 &Header::closebox();
6030END
6031 ;
6032
6033&Header::closepage();
ce9abb66 6034
Peter's tree of IPFire 2.x